Professional Documents
Culture Documents
Wireless Security
Yan Zhang
Simula Research Laboratory, Norway
Jun Zheng
City University of New York, USA
Miao Ma
Hong Kong University of Science and Technology, Hong Kong
Volume I
Copyright © 2008 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by
any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does
not indicate a claim of ownership by IGI Global of the trademark or registered trademark.
Handbook of research on wireless security / Yan Zhang, Jun Zheng, and Miao Ma, editors.
p. cm.
Summary: “This book combines research from esteemed experts on security issues in various wireless communications, recent advances
in wireless security, the wireless security model, and future directions in wireless security. As an innovative reference source for students,
educators, faculty members, researchers, engineers in the field of wireless security, it will make an invaluable addition to any library
collection”--Provided by publisher.
1. Wireless communication systems--Security measures. I. Zhang, Yan, 1962- II. Zheng, Jun, Ph.D. III. Ma, Miao. IV. Title.
TK5102.85.H35 2008
005.8--dc22
2007036301
All work contributed to this book set is original material. The views expressed in this book are those of the authors, but not necessarily of
the publisher.
Hsiao-Hwa Chen
National Sun Yat-Sen University, Taiwan
Ibrahim Habib
City University of New York, USA
Javier Barria
Imperial College, UK
Jie Wu
Florida Atlantic University, USA
Mieso Denko
University of Guelph, Canada
Laurence T. Yang
St. Francis Xavier University, Canada
Shahram Latifi
University of Nevada, USA
Paolo Bellavista
DEIS - Università degli Studi di Bologna, Italy
Section I
Security Fundamentals
Chapter I
Malicious Software in Mobile Devices................................................................................................... 1
Thomas M. Chen, Southern Methodist University, USA
Cyrus Peikari, Airscanner Mobile Security Corporation, USA
Chapter II
Secure Service Discovery ..................................................................................................................... 11
Sheikh I. Ahamed, Marquette University, USA
John F. Buford, Avaya Labs, USA
Moushumi Sharmin, Marquette University, USA
Munirul M. Haque, Marquette University, USA
Nilothpal Talukder, Marquette University, USA
Chapter III
Security of Mobile Code ....................................................................................................................... 28
Zbigniew Kotulski, Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland
Aneta Zwierko, Warsaw University of Technology, Poland
Chapter IV
Identity Management ............................................................................................................................ 44
Kumbesan Sandrasegaran, University of Technology, Sydney, Australia
Mo Li, University of Technology, Sydney, Australia
Chapter V
Wireless Wardriving.............................................................................................................................. 61
Luca Caviglione, Institute of Intelligent Systems for Automation (ISSIA)—Genoa Branch, Italian
National Research Council, Italy
Chapter VI
Intrusion and Anomaly Detection in Wireless Networks ...................................................................... 78
Amel Meddeb Makhlouf, University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga, University of the 7th of November at Carthage, Tunisia
Chapter VII
Peer-to-Peer (P2P) Network Security: Firewall Issues ......................................................................... 95
Lu Yan, University College London, UK
Chapter VIII
Identity Management for Wireless Service Access ............................................................................. 104
Mohammad M.R. Chowdhury, University Graduate Center – UniK, Norway
Josef Noll, University Graduate Center – UniK, Norway
Chapter IX
Privacy Enhancing Techniques: A Survey and Classification ............................................................. 115
Peter Langendörfer, IHP, Germany
Michael Masser, IHP, Germany
Krzysztof Piotrowski, IHP, Germany
Steffen Peter, IHP, Germany
Chapter X
Vulnerability Analysis and Defenses in Wireless Networks ............................................................... 129
Lawan A. Mohammad, King Fahd University of Petroleum and Minerals, Saudi Arabia
Biju Issac, Swinburne University of Technology – Sarawak Campus, Malaysia
Chapter XI
Key Distribution and Management for Mobile Applications ............................................................. 145
György Kálmán, University Graduate Center – UniK, Norway
Josef Noll, University Graduate Center – UniK, Norway
Chapter XII
Architecture and Protocols for Authentications, Authorization, and Accounting (AAA)
in the Future Wireless Communications Networks ............................................................................ 158
Said Zaghloul, Technical University Carolo-Wilhelmina – Braunschweig, Germany
Admela Jukan, Technical University Carolo-Wilhelmina – Braunschweig, Germany
Chapter XIII
Authentication, Authorisation, and Access Control in Mobile Systems ............................................. 176
Josef Noll, University Graduate Center – UniK, Norway
György Kálmán, University Graduate Center – UniK, Norway
Chapter XIV
Trustworthy Networks, Authentication, Privacy, and Security Models .............................................. 189
Yacine Djemaiel, University of the 7th of November at Carthage, Tunisia
Slim Rekhis, University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga, University of the 7th of November at Carthage, Tunisia
Chapter XV
The Provably Secure Formal Methods for Authentication and Key Agreement Protocols ................ 210
Jianfeng Ma, Xidian University, China
Xinghua Li, Xidian University, China
Chapter XVI
Multimedia Encryption and Watermarking in Wireless Environment ................................................ 236
Shiguo Lian, France Telecom R&D Beijing, China
Chapter XVII
System-on-Chip Design of the Whirlpool Hash Function .................................................................. 256
Paris Kitsos, Hellenic Open University (HOU), Patras, Greece
Section II
Security in 3G/B3G/4G
Chapter XVIII
Security in 4G ..................................................................................................................................... 272
Artur Hecker, Ecole Nationale Supérieure des Télécommunications (ENST), France
Mohamad Badra, National Center for Scientific Research, France
Chapter XIX
Security Architectures for B3G Mobile Networks............................................................................. .297
Christoforos Ntantogian, University of Athens, Greece
Christos Xenakis, University of Piraeus, Greece
Chapter XX
Security in UMTS 3G Mobile Networks ............................................................................................ 318
Christos Xenakis, University of Piraeus, Greece
Chapter XXI
Access Security in UMTS and IMS .................................................................................................... 339
Yan Zhang, Simula Research Laboratory, Norway
Yifan Chen, University of Greenwich, UK
Rong Yu, South China University of Technology, China
Supeng Leng, University of Electronic Science and Technology of China, China
Huansheng Ning, Beihang University, China
Tao Jiang, Huazhong University of Science and Technology, China
Chapter XXII
Security in 2.5G Mobile Systems ....................................................................................................... 351
Christos Xenakis, University of Piraeus, Greece
Chapter XXIII
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies ............................ 364
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Chapter XXIV
Generic Application Security in Current and Future Networks .......................................................... 379
Silke Holtmanns, Nokia Research Center, Finland
Pekka Laitinen, Nokia Research Center, Finland
Chapter XXV
Authentication, Authorization, and Accounting (AAA) Framework in Network
Mobility (NEMO) Environments........................................................................................................ 395
Sangheon Pack, Korea University, South Korea
Sungmin Baek, Seoul National University, South Korea
Taekyoung Kwon, Seoul National University, South Korea
Yanghee Choi, Seoul National University, South Korea
Section III
Security in Ad Hoc and Sensor Networks
Chapter XXVI
Security in Mobile Ad Hoc Networks ................................................................................................. 413
Bin Lu, West Chester University, USA
Chapter XXVII
Privacy and Anonymity in Mobile Ad Hoc Networks ........................................................................ 431
Christer Andersson, Combitech, Sweden
Leonardo A. Martucci, Karlstad University, Sweden
Simone Fischer-Hübner, Karlstad University, Sweden
Chapter XXVIII
Secure Routing with Reputation in MANET ...................................................................................... 449
Tomasz Ciszkowski, Warsaw University, Poland
Zbigniew Kotulski, Warsaw University, Poland
Chapter XXIX
Trust Management and Context-Driven Access Control .................................................................... 461
Paolo Bellavista, University of Bologna, Italy
Rebecca Montanari, University of Bologna, Italy
Daniela Tibaldi, University of Bologna, Italy
Alessandra Toninelli, University of Bologna, Italy
Chapter XXX
A Survey of Key Management in Mobile Ad Hoc Networks ............................................................. 479
Bing Wu, Fayetteville State University, USA
Jie Wu, Florida Atlantic University, USA
Mihaela Cardei, Florida Atlantic University, USA
Chapter XXXI
Security Measures for Mobile Ad-Hoc Networks (MANETs) ........................................................... 500
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Chapter XXXII
A Novel Secure Video Surveillance System Over Wireless Ad-Hoc Networks ................................. 515
Hao Yin, Tsinghua University, China
Chuang Lin, Tsinghua University, China
Zhijia Chen, Tsinghua University, China
Geyong Min, University of Bradford, UK
Chapter XXXIII
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks .................................. 531
John Felix Charles Joseph, Nanyang Technological University, Singapore
Amitabha Das, Nanyang Technological University, Singapore
Boot-Chong Seet, Auckland Univerisity of Technology, New Zealand
Bu-Sung Lee, Nanyang Technological University, Singapore
Chapter XXXIV
Security in Wireless Sensor Networks ................................................................................................ 547
Luis E. Palafox, CICESE Research Center, Mexico
J. Antonio Garcia-Macias, CICESE Research Center, Mexico
Chapter XXXV
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions ................................. 565
Mohamed Hamdi, University of November 7th at Carthage, Tunisia
Noreddine Boudriga, University of November 7th at Carthage, Tunisia
Chapter XXXVI
Routing Security in Wireless Sensor Networks .................................................................................. 582
A.R. Naseer, King Fahd University of Petroleum & Minerials, Dhahran
Ismat K. Maarouf, King Fahd University of Petroleum & Minerials, Dhahran
Ashraf S. Hasan, King Fahd University of Petroleum & Minerials, Dhahran
Chapter XXXVII
Localization Security in Wireless Sensor Networks ........................................................................... 617
Yawen Wei, Iowa State University, USA
Zhen Yu, Iowa State University, USA
Yong Guan, Iowa State University, USA
Chapter XXXVIII
Resilience Against False Data Injection Attack in Wireless Sensor Networks ................................... 628
Miao Ma, The Hong Kong University of Science and Technology, Hong Kong
Chapter XXXIX
Survivability of Sensors with Key and Trust Management ................................................................ 636
Jean-Marc Seigneur, University of Genev, Switzerland
Luminita Moraru, University of Genev, Switzerland
Olivier Powell, University of Patras, Greece
Chapter XL
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks ................................................... 652
Yu Wang, University of North Carolina at Charlotte, USA
Section IV
Security in Wireless PAN/LAN/MAN Networks
Chapter XLI
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections .............. 666
Georgios Kambourakis, University of the Aegean, Greece
Angelos Rouskas, University of the Aegean, Greece
Stefanos Gritzalis, University of the Aegean, Greece
Chapter XLII
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring ......................................................... 681
Miguel A. Ruiz, University of Alcala, Spain
Felipe Espinosa, University of Alcala, Spain
David Sanguino, University of Alcala, Spain
AbdelBaset M.H. Awawdeh, University of Alcala, Spain
Chapter XLIII
Security in WLAN .............................................................................................................................. 695
Mohamad Badra, Bât ISIMA, France
Artur Hecker, INFRES-ENST, France
Chapter XLIV
Access Control in Wireless Local Area Networks: Fast Authentication Schemes ............................. 710
Jahan Hassan, The University of Sydney, Australia
Björn Landfeldt, The University of Sydney, Australia
Albert Y. Zomaya, The University of Sydney, Australia
Chapter XLV
Security and Privacy in RFID Based Wireless Networks ................................................................... 723
Denis Trček, University of Ljubljana, Slovenia
Chapter XLVI
Security and Privacy Approaches for Wireless Local and Metropolitan
Area Networks (LANs & MANS) ...................................................................................................... 732
Giorgos Kostopoulos, University of Patras, Greece
Nicolas Sklavos, Technological Educational Institute of Mesolonghi, Greece
Odysseas Koufopavlou, University of Patras, Greece
Chapter XLVII
End-to-End (E2E) Security Approach in WiMAX:
A Security Technical Overview for Corporate Multimedia Applications ........................................... 747
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Tom Tofigh, WiMAX Forum, USA
Chapter XLVIII
Evaluation of Security Architectures for Mobile Broadband Access ................................................. 759
Symeon Chatzinotas, University of Surrey, UK
Jonny Karlsson, Arcada University of Applied Sciences, Finland
Göran Pulkkis, Arcada University of Applied Sciences, Finland
Kaj Grahn, Arcada University of Applied Sciences, Finland
Chapter XLIX
Extensible Authentication (EAP) Protocol Integrations in the Next
Generation Cellular Networks ............................................................................................................ 776
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Section I
Security Fundamentals
Chapter I
Malicious Software in Mobile Devices................................................................................................... 1
Thomas M. Chen, Southern Methodist University, USA
Cyrus Peikari, Airscanner Mobile Security Corporation, USA
This chapter examines the scope of malicious software (malware) threats to mobile devices. The stakes
for the wireless industry are high. While malware is rampant among one billion PCs, approximately
twice as many mobile users currently enjoy a malware-free experience. However, since the appearance
of the Cabir worm in 2004, malware for mobile devices has evolved relatively quickly, targeted mostly
at the popular Symbian smartphone platform. Significant highlights in malware evolution are pointed
out which suggest that mobile devices are attracting more sophisticated malware attacks. Fortunately,
a range of host-based and network-based defenses have been developed from decades of experience
with PC malware. Activities are underway to improve protection of mobile devices before the malware
problem becomes catastrophic, but developers are limited by the capabilities of handheld devices.
Chapter II
Secure Service Discovery ..................................................................................................................... 11
Sheikh I. Ahamed, Marquette University, USA
John F. Buford, Avaya Labs, USA
Moushumi Sharmin, Marquette University, USA
Munirul M. Haque, Marquette University, USA
Nilothpal Talukder, Marquette University, USA
In broadband wireless networks, mobile devices will be equipped to directly share resources using service
discovery mechanisms without relying upon centralized servers or infrastructure support. The network
environment will frequently be ad hoc or will cross administrative boundaries. There are many challenges
to enabling secure and private service discovery in these environments, including the dynamic popula-
tion of participants, the lack of a universal trust mechanism, and the limited capabilities of the devices.
To ensure secure service discovery while addressing privacy issues, trust-based models are inevitable.
We survey secure service discovery in the broadband wireless environment. We include case studies of
two protocols which include a trust mechanism, and we summarize future research directions.
Chapter III
Security of Mobile Code ....................................................................................................................... 28
Zbigniew Kotulski, Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland
Aneta Zwierko, Warsaw University of Technology, Poland
The recent developments in the mobile technology (mobile phones, middleware, wireless networks,
etc.) created a need for new methods of protecting the code transmitted through the network. The oldest
and the simplest mechanisms concentrate more on the integrity of the code itself and on the detection
of unauthorized manipulation. The newer solutions not only secure the compiled program, but also the
data that can be gathered during its “journey,” and even the execution state. Some other approaches
are based on prevention rather than detection. In the chapter we present a new idea of securing mobile
agents. The proposed method protects all components of an agent: the code, the data, and the execution
state. The proposal is based on a zero-knowledge proof system and a secure secret sharing scheme, two
powerful cryptographic primitives. Next, the chapter includes security analysis of the new method and
its comparison to other currently most widespread solutions. Finally, we propose a new direction of
securing mobile agents by straightening the methods of protecting integrity of the mobile code with risk
analysis and a reputation system that helps avoiding a high-risk behavior.
Chapter IV
Identity Management ............................................................................................................................ 44
Kumbesan Sandrasegaran, University of Technology, Sydney, Australia
Mo Li, University of Technology, Sydney, Australia
The broad aim of identity management (IdM) is to manage the resources of an organization (such as files,
records, data and communication infrastructure, and services) and to control and manage access to those
resources in an efficient and accurate way. Consequently, identity management is both a technical and
process orientated concept. The concept of IdM has begun to be applied in identities related applications
in enterprises, governments, and Web services since 2002. As the integration of heterogeneous wireless
networks becomes a key issue in towards the next generation (NG) networks, IdM will be crucial to the
success of NG wireless networks. A number of issues, such as mobility management, multioperator,
and securities require the corresponding solutions in terms of user authentication, access control, and
so forth. IdM in NG wireless networks is about managing the digital identity of a user and ensuring
that users have fast, reliable, and secure access to distributed resources and services of an NGN and the
associated service providers, across multiple systems and business contexts.
Chapter V
Wireless Wardriving.............................................................................................................................. 61
Luca Caviglione, Institute of Intelligent Systems for Automation (ISSIA)—Genoa Branch, Italian
National Research Council, Italy
Wardriving is the practice of searching wireless networks while moving. Originally, it was explicitly
referred to people searching for wireless signals by driving on vans, but nowadays it generally identi-
fies people searching for wireless accesses while moving. Despite the legal aspects, this “quest for
connectivity” spawned a quite productive underground community, which developed powerful tools,
relying on cheap and standard hardware. The knowledge of these tools and techniques has many useful
aspects. First, when designing the security framework of a wireless LAN (WLAN), the knowledge of
the vulnerabilities exploited at the basis of wardriving is a mandatory step, both to avoid penetration
issues and to detect whether attacks are ongoing. Second, hardware and software developers can design
better devices by avoiding common mistakes and using an effective suite for conducting security tests.
Lastly, people who are interested in gaining a deeper understanding of wireless standards can conduct
experiments by simply downloading software running on cost effective hardware. With such preamble,
in this chapter we will analyze the theory, the techniques, and the tools commonly used for wardriving
IEEE 802.11-based wireless networks.
Chapter VI
Intrusion and Anomaly Detection in Wireless Networks ...................................................................... 78
Amel Meddeb Makhlouf, University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga, University of the 7th of November at Carthage, Tunisia
The broadcast nature of wireless networks and the mobility features created new kinds of intrusions and
anomalies taking profit of wireless vulnerabilities. Because of the radio links and the mobile equipment
features of wireless networks, wireless intrusions are more complex because they add to the intrusions
developed for wired networks, a large spectrum of complex attacks targeting wireless environment. These
intrusions include rogue or unauthorized access point (AP), AP MAC spoofing, and wireless denial-of-
service and require adding new techniques and mechanisms to those approaches detecting intrusions
targeting wired networks. To face this challenge, some researchers focused on extending the deployed
approaches for wired networks while others worked to develop techniques suitable for detecting wire-
less intrusions. The efforts have mainly addressed (a) the development of theories to allow reasoning
about detection, wireless cooperation, and response to incidents, and (b) the development of wireless
intrusion and anomaly detection systems that incorporate wireless detection, preventive mechanisms,
and tolerance functions. This chapter aims at discussing the major theories, models, and mechanisms
developed for the protection of wireless networks/systems against threats, intrusions, and anomalous
behaviors. The objectives of this chapter are to (a) discuss security problems in wireless environment,
(b) to present the current research activities, (c) study the important results already developed by re-
searchers, and (d) to discuss
Chapter VII
Peer-to-Peer (P2P) Network Security: Firewall Issues ......................................................................... 95
Lu Yan, University College London, UK
A lot of networks today are behind firewalls. In peer-to-peer networking, firewall-protected peers may
have to communicate with peers outside the firewall. This chapter shows how to design peer-to-peer
systems to work with different kinds of firewalls within the object-oriented action systems framework
by combining formal and informal methods. We present our approach via a case study of extending a
Gnutella-like peer-to-peer system (Yan et al, 2003) to provide connectivity through firewalls.
Chapter VIII
Identity Management for Wireless Service Access ............................................................................. 104
Mohammad M.R. Chowdhury, University Graduate Center – UniK, Norway
Josef Noll, University Graduate Center – UniK, Norway
An ubiquitous access and pervasive computing concept is almost intrinsically tied to wireless com-
munications. Emerging next-generation wireless networks enable innovative service access in every
situation. Apart from many remote services, proximity services will also be widely available. People
currently rely on numerous forms of identities to access these services. The inconvenience of possessing
and using these identities creates significant security vulnerability, especially from network and device
point of view in wireless service access. After explaining the current identity solutions scenarios, the
chapter illustrates the on-going efforts by various organizations and the requirements and frameworks to
develop an innovative, easy-to-use identity management mechanism to access the future diverse service
worlds. The chapter also conveys various possibilities, challenges, and research questions evolving in
these areas.
Chapter IX
Privacy Enhancing Techniques: A Survey and Classification ............................................................. 115
Peter Langendörfer, IHP, Germany
Michael Masser, IHP, Germany
Krzysztof Piotrowski, IHP, Germany
Steffen Peter, IHP, Germany
This chapter provides a survey of privacy enhancing techniques and discusses their effect using a scenario
in which a charged location-based service is used. We introduce four protection levels and discuss an
assessment of privacy enhancing techniques according to these protection levels.
Chapter X
Vulnerability Analysis and Defenses in Wireless Networks ............................................................... 129
Lawan A. Mohammad, King Fahd University of Petroleum and Minerals, Saudi Arabia
Biju Issac, Swinburne University of Technology – Sarawak Campus, Malaysia
This chapter shows that the security challenges posed by the 802.11 wireless networks are manifold
and it is therefore important to explore the various vulnerabilities that are present with such networks.
Along with other security vulnerabilities, defense against denial-of-service attacks is a critical com-
ponent of any security system. Unlike in wired networks where denial-of-service attacks have been
extensively studied, there is a lack of research for preventing such attacks in wireless networks. In ad-
dition to various vulnerabilities, some factors leading to different types of denial-of-service attacks and
some defense mechanisms are discussed in this chapter. This can help to better understand the wireless
network vulnerabilities and subsequently more techniques and procedures to combat these attacks may
be developed by researchers.
Chapter XI
Key Distribution and Management for Mobile Applications ............................................................. 145
György Kálmán, University Graduate Center – UniK, Norway
Josef Noll, University Graduate Center – UniK, Norway
This chapter deals with challenges raised by securing transport, service access, user privacy, and ac-
counting in wireless environments. Key generation, delivery, and revocation possibilities are discussed
and recent solutions are shown. Special focus is on efficiency and adaptation to a mobile environment.
Device domains in personal area networks and home networks are introduced to provide personal digital
rights management (DRM) solutions. The value of smartcards and other security tokens are shown and
a secure and convenient transmission method is recommended based on the mobile phone and near field
communication technology.
Chapter XII
Architecture and Protocols for Authentications, Authorization, and Accounting (AAA)
in the Future Wireless Communications Networks ............................................................................ 158
Said Zaghloul, Technical University Carolo-Wilhelmina – Braunschweig, Germany
Admela Jukan, Technical University Carolo-Wilhelmina – Braunschweig, Germany
Architecture and protocols for authentication, authorization, and accounting (AAA) are one of the most
important design considerations in 3G/4G telecommunication networks. Many advances have been
made to exploit the benefits of the current systems based on the protocol RADIUS, and the evolution to
migrate into the more secure, robust, and scalable protocol DIAMETER. DIAMETER is the protocol
of choice for the IP multimedia subsystem (IMS) architecture, the core technology for the next gen-
eration networks. It is envisioned that DIAMETER will be widely used in various wired and wireless
systems to facilitate robust and seamless authentication, authorization, and accounting. In this chapter,
we provide an overview of the major AAA protocols of RADIUS and DIAMETER, and we discuss their
roles in practical 1xEV-DO network architectures in the three major network tiers: access, distribution,
and core. We conclude the chapter with a short summary of the current and future trends related to the
DIAMETER-based AAA systems.
Chapter XIII
Authentication, Authorisation, and Access Control in Mobile Systems ............................................. 176
Josef Noll, University Graduate Center – UniK, Norway
György Kálmán, University Graduate Center – UniK, Norway
Converging networks and mobility raise new challenges towards the existing authentication, authorisa-
tion, and accounting (AAA) systems. Focus of the research is towards integrated solutions for seamless
service access of mobile users. Interworking issues between mobile and wireless networks are the basis
for detailed research on handover delay, multidevice roaming, mobile networks, security, ease-of-use,
and anonymity of the user. This chapter provides an overview over state-of-the-art in authentication for
mobile systems, and suggests extending AAA-mechanisms to home and community networks, taking
into account security and privacy of the users.
Chapter XIV
Trustworthy Networks, Authentication, Privacy, and Security Models .............................................. 189
Yacine Djemaiel, University of the 7th of November at Carthage, Tunisia
Slim Rekhis, University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga, University of the 7th of November at Carthage, Tunisia
Wireless networks are gaining popularity that comes with the occurrence of several networking tech-
nologies raising from personal to wide area, from centralized to distributed, and from infrastructure-
based to infrastructure-less. Wireless data link characteristics such as openness of transmission media
make these networks vulnerable to a novel set of security attacks, despite those that they inherit from
wired networks. In order to ensure the protection of mobile nodes that are interconnected using wireless
protocols and standards, it is essential to provide an in-depth study of a set of mechanisms and security
models. In this chapter, we present the research studies and proposed solutions related to the authentica-
tion, privacy, trust establishment, and management in wireless networks. Moreover, we introduce and
discuss the major security models used in a wireless environment.
Chapter XV
The Provably Secure Formal Methods for Authentication and Key Agreement Protocols ................ 210
Jianfeng Ma, Xidian University, China
Xinghua Li, Xidian University, China
In the design and analysis of authentication and key agreement protocols, provable secure formal
methods play a very important role, among which the Canetti-Krawczyk(CK) model and the universal
composable(UC) security model are very popular at present. This chapter focuses on these two models
and consists mainly of three parts. (1) There is an introduction to the CK model and the UC model. (2)
There is also a study of these two models, which includes an analysis of the CK model and an extension
of the UC security model. The analysis of the CK model presents its security analysis, advantages, and
disadvantages, and a bridge between this formal method and the informal method (heuristic method) is
established; an extension of the UC security model gives a universally composable anonymous hash cer-
tification model. (3) The applications of these two models are also presented. With these two models, the
four-way handshake protocols in 802.11i and Chinese WLAN security standard WAPI are analyzed.
Chapter XVI
Multimedia Encryption and Watermarking in Wireless Environment ................................................ 236
Shiguo Lian, France Telecom R&D Beijing, China
In a wireless environment, multimedia transmission is often affected by the error rate, delaying, terminal’s
power or bandwidth, and so forth, which brings difficulties to multimedia content protection. In the past
decade, wireless multimedia protection technologies have been attracting more and more researchers.
Among them, wireless multimedia encryption and watermarking are two typical topics. Wireless multi-
media encryption protects multimedia content’s confidentiality in wireless networks, which emphasizes
improving the encryption efficiency and channel friendliness. Some means have been proposed, such as
the format-independent encryption algorithms that are time efficient compared with traditional ciphers,
the partial encryption algorithms that reduce the encrypted data volumes by leaving some information
unchanged, the hardware-implemented algorithms that are more efficient than software based ones, the
scalable encryption algorithms that are compliant with bandwidth changes, and the robust encryption al-
gorithms that are compliant with error channels. Compared with wireless multimedia encryption, wireless
multimedia watermarking is widely used in ownership protection, traitor tracing, content authentication,
and so forth. To keep costs low, a mobile agent is used to partition some of the watermarking tasks. To
counter transmission errors, some channel encoding methods are proposed to encode the watermark.
To keep robust, some means are proposed to embed a watermark into media data of low bit rate. Based
on both watermarking and encryption algorithms, some applications arise, such as secure multimedia
sharing or secure multimedia distribution. In this chapter, the existing wireless multimedia encryption
and watermarking algorithms are summarized according to the functionality and multimedia type, their
performances are analyzed and compared, the related applications are presented, and some open issues
are proposed.
Chapter XVII
System-on-Chip Design of the Whirlpool Hash Function .................................................................. 256
Paris Kitsos, Hellenic Open University (HOU), Patras, Greece
In this chapter, a system-on-chip design of the newest powerful standard in the hash families, named
Whirlpool, is presented. With more details, an architecture and two VLSI implementations are presented.
The first implementation is suitable for high-speed applications while the second one is suitable for appli-
cations with constrained silicon area resources. The architecture permits a wide variety of implementation
tradeoffs. Different implementations have been introduced and each specific application can choose the
appropriate speed-area trade-off implementation. The implementations are examined and compared in
the security level and in the performance by using hardware terms. Whirlpool with RIPEMD, SHA-1,
and SHA-2 hash functions are adopted by the International Organization for Standardization (ISO/IEC)
10118-3 standard. The Whirlpool implementations allow fast execution and effective substitution of any
previous hash families’ implementations in any cryptography application.
Section II
Security in 3G/B3G/4G
Chapter XVIII
Security in 4G ..................................................................................................................................... 272
Artur Hecker, Ecole Nationale Supérieure des Télécommunications (ENST), France
Mohamad Badra, National Center for Scientific Research, France
The fourth generation of mobile networks (4G) will be a technology-opportunistic and user-centric
system combining the economic and technological advantages of different transmission technologies to
provide a context-aware and adaptive service access anywhere and at any time. Security turns out to be
one of the major problems that arise at different interfaces when trying to realize such a heterogeneous
system by integrating the existing wireless and mobile systems. Indeed, current wireless systems use
very different and difficult to combine proprietary security mechanisms, typically relying on the associ-
ated user and infrastructure management means. It is generally impossible to apply a security policy to
a system consisting of different heterogeneous subsystems. In this chapter, we first briefly present the
security of candidate 4G access systems, such as 2/3G, WLAN, WiMax and so forth. In the next step,
we discuss the arising security issues of the system interconnection. We namely define a logical access
problem in heterogeneous systems and show that both the technology-bound low-layer and the overlaid
high-layer access architectures exhibit clear shortcomings. We present and discuss several proposed ap-
proaches aimed at achieving an adaptive, scalable, rapid, easy-to-manage, and secure 4G service access
independently of the used operator and infrastructure. We then define general requirements on candidate
systems to support such 4G security.
Chapter XIX
Security Architectures for B3G Mobile Networks............................................................................. .297
Christoforos Ntantogian, University of Athens, Greece
Christos Xenakis, University of Piraeus, Greece
The integration of heterogeneous mobile/wireless networks using an IP-based core network material-
izes the beyond 3G (B3G) mobile networks. Along with a variety of new perspectives, the new network
model raises new security concerns, mainly because of the complexity of the deployed architecture and
the heterogeneity of the employed technologies. In this chapter, we examine and analyze the security
architectures and the related security protocols, which are employed in B3G networks focusing on their
functionality and the supported security services. The objectives of these protocols are to protect the
involved parties and the data exchanged among them. To achieve these, they employ mechanisms that
provide mutual authentication as well as ensure the confidentiality and integrity of the data transferred
over the wireless interface and specific parts of the core network. Finally, based on the analysis of the
security mechanisms, we present a comparison of them that aims at highlighting the deployment advan-
tages of each one and classifies the latter in terms of (a) security, (b) mobility, and (c) reliability.
Chapter XX
Security in UMTS 3G Mobile Networks ............................................................................................ 318
Christos Xenakis, University of Piraeus, Greece
This chapter analyzes the security architecture designed for the protection of the universal mobile tele-
communication system (UMTS). This architecture is built on the security principles of 2G systems with
improvements and enhancements in certain points in order to provide advanced security services. The
main objective of the 3G security architecture is to ensure that all information generated by or relating
to a user, as well as the resources and services provided by the serving network and the home environ-
ment, are adequately protected against misuse or misappropriation. Based on the carried analysis, the
critical points of the 3G security architecture, which might cause network and service vulnerability, are
identified. In addition, the current research on the UMTS security and the proposed enhancements that
aim at improving the UMTS security architecture are briefly presented and analyzed.
Chapter XXI
Access Security in UMTS and IMS .................................................................................................... 339
Yan Zhang, Simula Research Laboratory, Norway
Yifan Chen, University of Greenwich, UK
Rong Yu, South China University of Technology, China
Supeng Leng, University of Electronic Science and Technology of China, China
Huansheng Ning, Beihang University, China
Tao Jiang, Huazhong University of Science and Technology, China
Motivated by the requirements for higher data rate, richer multimedia services, and broader radio range,
wireless mobile networks are currently in the stage evolving from the second-generation (2G), for example,
global system for mobile communications (GSM), into the era of third-generation (3G) or beyond 3G or
fourth-generation (4G). Universal mobile telecommunications system (UMTS) is the natural successor
of the current popular GSM. Code division multiple access 2000 (CDMA2000) is the next generation
version for the CDMA-95, which is predominantly deployed in the North America and North Korea.
Time division-sychrononous CDMA (TD-SCDMA) is in the framework of 3GPP2 and is expected to
be one of the principle wireless technologies employed in China in the future. It is envisioned that each
of three standards in the framework of international mobile telecommunications-2000 (IMT-2000) will
play a significant role in the future due to the backward compatibility, investment, maintenance cost,
and even politics. In all of the potential standards, access security is one of the primary demands as
well as challenges to resolve the deficiency existing in the second generation wireless mobile networks
such as GSM, in which only one-way authentication is performed for the core network part to verify
the user equipment (UE). Such access security may lead to the “man-in-middle” problem, which is a
type of attack that can take place when two clients that are communicating remotely exchange public
keys in order to initialize secure communications. If both of the public keys are intercepted in the route
by someone, that someone can act as a conduit and send in the messages with a fake public key. As a
result, the secure communication is eavesdropped on by a third party.
Chapter XXII
Security in 2.5G Mobile Systems ....................................................................................................... 351
Christos Xenakis, University of Piraeus, Greece
The global system for mobile communications (GSM) is the most popular standard that implements sec-
ond generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS)
are often described as 2.5G, that is, a technology between the 2G and third (3G) generation of mobile
systems. GPRS is a service that provides packet radio access for GSM users. This chapter presents the
security architecture employed in 2.5G mobile systems, focusing on GPRS. More specifically, the security
measures applied to protect the mobile users, the radio access network, the fixed part of the network, and
the related data of GPRS, are presented and analyzed in details. This analysis reveals the security weak-
nesses of the applied measures that may lead to the realization of security attacks by adversaries. These
attacks threaten network operation and data transfer through it, compromising end-users and network
security. To defeat the identified risks, current research activities on the GPRS security propose a set of
security improvements to the existing GPRS security architecture.
Chapter XXIII
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies ............................ 364
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Security measures of mobile infrastructures have always been important from the early days of the
creation of cellular networks. Nowadays, however, the traditional security schemes require a more
fundamental approach to cover the entire path from the mobile user to the server. This fundamental
approach is so-called end-to-end (E2E) security coverage. The main focus of this chapter is to discuss
such architectures for IEEE 802.16e (Mobile-WiMAX) and major 3G cellular networks. The end-to-end
implementations usually contain a complete set of algorithms and protocol enhancements (e.g., mutual
identification, authentications, and authorization), including the VLSI implementations. This chapter
discusses various proposals at the protocol level.
Chapter XXIV
Generic Application Security in Current and Future Networks .......................................................... 379
Silke Holtmanns, Nokia Research Center, Finland
Pekka Laitinen, Nokia Research Center, Finland
This chapter outlines how cellular authentication can be utilized for generic application security. It
describes the basic concept of the generic bootstrapping architecture that was defined by the 3rd gen-
eration partnership project (3GPP) for current networks and outlines the latest developments for future
networks.The chapter will provide an overview of the latest technology trends in the area of generic
application security.
Chapter XXV
Authentication, Authorization, and Accounting (AAA) Framework in Network
Mobility (NEMO) Environments........................................................................................................ 395
Sangheon Pack, Korea University, South Korea
Sungmin Baek, Seoul National University, South Korea
Taekyoung Kwon, Seoul National University, South Korea
Yanghee Choi, Seoul National University, South Korea
Network mobility (NEMO) enables seamless and ubiquitous Internet access while on board vehicles. Even
though the Internet Engineering Task Force (IETF) has standardized the NEMO basic support protocol
as a network layer mobility solution, few studies have been conducted in the area of the authentication,
authorization, and accounting (AAA) framework that is a key technology for successful deployment.
In this chapter, we first review the existing AAA protocols and analyze their suitability in NEMO envi-
ronments. After that, we propose a localized AAA framework to retain the mobility transparency as the
NEMO basic support protocol and to reduce the signaling cost incurred in the AAA procedures. The
proposed AAA framework supports mutual authentication and prevents various threats such as replay
attack, man-in-the-middle attack, and key exposure. Performance analysis on the AAA signaling cost
is carried out. Numerical results demonstrate that the proposed AAA framework is efficient under dif-
ferent NEMO environments.
Section III
Security in Ad Hoc and Sensor Networks
Chapter XXVI
Security in Mobile Ad Hoc Networks ................................................................................................. 413
Bin Lu, West Chester University, USA
Chapter XXVII
Privacy and Anonymity in Mobile Ad Hoc Networks ........................................................................ 431
Christer Andersson, Combitech, Sweden
Leonardo A. Martucci, Karlstad University, Sweden
Simone Fischer-Hübner, Karlstad University, Sweden
Providing privacy is often considered a keystone factor for the ultimate take up and success of mobile ad
hoc networking. Privacy can best be protected by enabling anonymous communication and, therefore,
this chapter surveys existing anonymous communication mechanisms for mobile ad hoc networks. On
the basis of the survey, we conclude that many open research challenges remain regarding anonymity
provisioning in mobile ad hoc networks. Finally, we also discuss the notorious Sybil attack in the context
of anonymous communication and mobile ad hoc networks.
Chapter XXVIII
Secure Routing with Reputation in MANET ...................................................................................... 449
Tomasz Ciszkowski, Warsaw University, Poland
Zbigniew Kotulski, Warsaw University, Poland
The pervasiveness of wireless communication recently gave mobile ad hoc networks (MANET) sig-
nificant researchers’ attention, due to its innate capabilities of instant communication in many time and
mission critical applications. However, its natural advantages of networking in civilian and military
environments make it vulnerable to security threats. Support for anonymity in MANET is orthogonal
to a critical security challenge we faced in this chapter. We propose a new anonymous authentication
protocol for mobile ad hoc networks enhanced with a distributed reputation system. The main objective
is to provide mechanisms concealing a real identity of communicating nodes with an ability of resistance
to known attacks. The distributed reputation system is incorporated for a trust management and mali-
cious behavior detection in the network.
Chapter XXIX
Trust Management and Context-Driven Access Control .................................................................... 461
Paolo Bellavista, University of Bologna, Italy
Rebecca Montanari, University of Bologna, Italy
Daniela Tibaldi, University of Bologna, Italy
Alessandra Toninelli, University of Bologna, Italy
The increasing diffusion of wireless portable devices and the emergence of mobile ad hoc networks
promote anytime and anywhere opportunistic resource sharing. However, the fear of exposure to risky
interactions is currently limiting the widespread uptake of ad hoc collaborations. This chapter introduces
to the challenge of identifying and validating novel security models/systems for securing ad hoc col-
laborations by taking into account the high unpredictability, heterogeneity, and dynamicity of envisioned
wireless environments. We claim that the concept of trust management should become a primary engi-
neering design principle, to associate with the subsequent trust refinement into effective authorization
policies, thus calling for original and innovative access control models. The chapter overviews the state-
of-the-art solutions for trust management and access control in wireless environments, by pointing out
both the need for their tight integration and the related emerging design guidelines (e.g., exploitation of
context awareness and adoption of semantic technologies).
Chapter XXX
A Survey of Key Management in Mobile Ad Hoc Networks ............................................................. 479
Bing Wu, Fayetteville State University, USA
Jie Wu, Florida Atlantic University, USA
Mihaela Cardei, Florida Atlantic University, USA
Security has become a primary concern in mobile ad hoc networks (MANETs). The characteristics of
MANETs pose both challenges and opportunities in achieving security goals, such as confidentiality,
authentication, integrity, availability, access control, and nonrepudiation. Cryptographic techniques are
widely used for secure communications in wired and wireless networks. Most cryptographic mecha-
nisms, such as symmetric and asymmetric cryptography, often involve the use of cryptographic keys.
However, all cryptographic techniques will be ineffective if the key management is weak. Key manage-
ment is also a central component in MANET security. The purpose of key management is to provide
secure procedures for handling cryptographic keying materials. The tasks of key management include
key generation, key distribution, and key maintenance. Key maintenance includes the procedures for
key storage, key update, key revocation, key archiving, and so forth. In MANETs, the computational
load and complexity for key management are strongly subject to restriction by the node’s available re-
sources and the dynamic nature of network topology. A number of key management schemes have been
proposed for MANETs. In this chapter, we present a survey of the research work on key management
in MANETs according to recent literature.
Chapter XXXI
Security Measures for Mobile Ad-Hoc Networks (MANETs) ........................................................... 500
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Mobile-IP ad hoc networks (MANETs) have gained popularity in the past few years with the creation
of a variety of ad hoc protocols that specifically offer quality of service (QoS) for various multimedia
traffic between mobile stations (MSs) and base stations (BSs). The lack of proper end-to-end security
coverage, on the other hand, is a challenging issue as the nature of such networks with no specific infra-
structure is prone to relatively more attacks, in a variety of forms. The focus of this chapter is to discuss
a number of attack scenarios and their remedies in MANETs including the introduction of two entities,
ad hoc key distribution center (AKDC) and decentralize key generation and distribution (DKGD), which
serve as key management schemes.
Chapter XXXII
A Novel Secure Video Surveillance System Over Wireless Ad-Hoc Networks ................................. 515
Hao Yin, Tsinghua University, China
Chuang Lin, Tsinghua University, China
Zhijia Chen, Tsinghua University, China
Geyong Min, University of Bradford, UK
The integration of wireless communication and embedded video systems is a demanding and interesting
topic which has attracted significant research efforts from the community of telecommunication. This
chapter discusses the challenging issues in wireless video surveillance and presents the detailed design
for a novel highly-secure video surveillance system over ad hoc wireless networks. To this end, we ex-
plore the state-of-the-art in the cross domains of wireless communication, video processing, embedded
systems, and security. Moreover, a new media-dependent video encryption scheme, including a reliable
data embedding technique and real-time video encryption algorithm, is proposed and implemented to en-
able the system to work properly and efficiently in an open and insecure wireless environment. Extensive
experiments are conducted to demonstrate the advantages of the new systems, including high security
guarantee and robustness. The chapter would serve as a good reference for solving the challenging is-
sues in wireless multimedia and bring new insights on the interaction of different technologies within
the cross application domain.
Chapter XXXIII
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks .................................. 531
John Felix Charles Joseph, Nanyang Technological University, Singapore
Amitabha Das, Nanyang Technological University, Singapore
Boot-Chong Seet, Auckland Univerisity of Technology, New Zealand
Bu-Sung Lee, Nanyang Technological University, Singapore
Intrusion detection in ad hoc networks is a challenge because of the inherent characteristics of these
networks, such as, the absence of centralized nodes, the lack of infrastructure, and so forth. Furthermore,
in addition to application-based attacks, ad hoc networks are prone to attacks targeting routing protocols,
which is a novel problem. Issues in intrusion detection in ad hoc networks are addressed by numerous
research proposals in literature. In this chapter, we first enumerate the properties of ad hoc networks
which hinder intrusion detection systems. Second, significant intrusion detection system (IDS) archi-
tectures and methodologies proposed in the literature are elucidated. Strengths and weaknesses of these
works are then studied and explained. Finally, the future directions, which will lead to the successful
deployment of intrusion detection in ad hoc networks, are discussed.
Chapter XXXIV
Security in Wireless Sensor Networks ................................................................................................ 547
Luis E. Palafox, CICESE Research Center, Mexico
J. Antonio Garcia-Macias, CICESE Research Center, Mexico
In this chapter we present the growing challenges related to security in wireless sensor networks. We
show possible attack scenarios and evidence the ease of perpetrating several types of attacks due to the
extreme resource limitations that wireless sensor networks are subjected to. Nevertheless, we show that
security is a feasible goal in this resource-limited environment. To prove that security is possible we
survey several proposed sensor network security protocols targeted to different layers in the protocol
stack. The work surveyed in this chapter enable several protection mechanisms vs. well documented
network attacks. Finally, we summarize the work that has been done in the area and present a series of
ongoing challenges for future work.
Chapter XXXV
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions ................................. 565
Mohamed Hamdi, University of November 7th at Carthage, Tunisia
Noreddine Boudriga, University of November 7th at Carthage, Tunisia
The applications of wireless sensor networks (WSNs) are continuously expanding. Recently, consistent
research and development activities have been associated to this field. Security ranks at the top of the is-
sues that should be discussed when deploying a WSN. This is basically due to the fact that WSNs are, by
nature, mission-critical. Their applications mainly include battlefield control, emergency response (when
a natural disaster occurs), and healthcare. This chapter reviews recent research results in the field of WSN
security.
Chapter XXXVI
Routing Security in Wireless Sensor Networks .................................................................................. 582
A.R. Naseer, King Fahd University of Petroleum & Minerials, Dhahran
Ismat K. Maarouf, King Fahd University of Petroleum & Minerials, Dhahran
Ashraf S. Hasan, King Fahd University of Petroleum & Minerials, Dhahran
Since routing is a fundamental operation in all types of networks, ensuring routing security is a necessary
requirement to guarantee the success of routing operations. A securing routing task gets more challenging
as the target network lacks an infrastructure-based routing operation. This infrastructure-less nature that
invites a multihop routing operation is one of the main features of wireless sensor networks that raises the
importance of secure routing problem in these networks. Moreover, the risky environment, application
criticality, and resources limitations and scarcity exhibited by wireless sensor networks make the task of
secure routing much more challenging. All these factors motivate researchers to find novel solutions and
approaches that would be different from the usual approaches adopted in other types of networks. The
purpose of this chapter is to provide a comprehensive treatment of the routing security problem in wireless
sensor networks. The discussion flow of the problem in this chapter begins with an overview on wireless
sensor networks that focuses on routing aspects to indicate the special characteristics of wireless sensor
networks from routing perspective. The chapter then introduces the problem of secure routing in wireless
sensor networks and illustrates how crucial the problem is to different networking aspects. This is followed
by a detailed analysis of routing threats and attacks that are more specific to routing operations in wireless
sensor networks. A research-guiding approach is then presented to the reader that analyzes and criticizes
different techniques and solution directions for the secure routing problem in wireless sensor networks.
This is supported by state-of-the-art and familiar examples from the literature. The chapter finally concludes
with a summary and future research directions in this field.
Chapter XXXVII
Localization Security in Wireless Sensor Networks ........................................................................... 617
Yawen Wei, Iowa State University, USA
Zhen Yu, Iowa State University, USA
Yong Guan, Iowa State University, USA
Localization of sensor nodes is very important for many applications proposed for wireless sensor networks
(WSN), such as environment monitoring, geographical routing, and target tracking. Because sensor networks
may be deployed in hostile environments, localization approaches can be compromised by many malicious
attacks. The adversaries can broadcast corrupted location information and they can jam or modify the trans-
mitting signals between sensors to mislead them to obtain incorrect distance measurements or nonexistent
connectivity links. All these malicious attacks will cause sensors to not be able to, or wrongly, estimate
their locations. In this chapter, we summarize the threat models and provide a comprehensive survey and
taxonomy of existing secure localization and verification schemes for wireless sensor networks.
Chapter XXXVIII
Resilience Against False Data Injection Attack in Wireless Sensor Networks ................................... 628
Miao Ma, The Hong Kong University of Science and Technology, Hong Kong
One of severe security threats in wireless sensor network is false data injection attack, that is, the com-
promised sensors forge the events that do not occur. To defend against false data injection attacks, six
en-route filtering schemes in a homogeneous sensor network are described. Furthermore, a one sink
filtering scheme in a heterogeneous sensor network is also presented. We find that deploying heteroge-
neous nodes in a sensor network is an attractive approach because of its potential to increase network
lifetime, reliability, and resiliency.
Chapter XXXIX
Survivability of Sensors with Key and Trust Management ................................................................ 636
Jean-Marc Seigneur, University of Genev, Switzerland
Luminita Moraru, University of Genev, Switzerland
Olivier Powell, University of Patras, Greece
Weiser envisioned ubiquitous computing with computing and communicating entities woven into the
fabrics of every day life. This chapter deals with the survivability of ambient resource-constrained wire-
less computing nodes, from fixed sensor network nodes to small devices carried out by roaming entities,
for example, as part of a personal area network of a moving person. First, we review the assets that need
to be protected, especially the energy of these unplugged devices. There are also a number of specific
attacks that are described; for example, direct physical attacks are facilitated by the disappearing security
perimeter. Finally, we survey the protection mechanisms that have been proposed with an emphasis on
cryptographic keying material and trust management.
Chapter XL
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks ................................................... 652
Yu Wang, University of North Carolina at Charlotte, USA
Fault tolerance is one of the premier system design desiderata in wireless ad hoc and sensor networks.
It is crucial to have a certain level of fault tolerance in most ad hoc and sensor applications, especially
for those used in surveillance, security, and disaster relief. In addition, several network security schemes
require that the underlying topology provide fault tolerance. In this chapter, we will review various fault
tolerant techniques used in topology design for ad hoc and sensor networks, including those for power
control, topology control, and sensor coverage.
Section IV
Security in Wireless PAN/LAN/MAN Networks
Chapter XLI
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections .............. 666
Georgios Kambourakis, University of the Aegean, Greece
Angelos Rouskas, University of the Aegean, Greece
Stefanos Gritzalis, University of the Aegean, Greece
Security is always an important factor in wireless connections. As with all other existing radio technolo-
gies, the Bluetooth standard is often cited to suffer from various vulnerabilities and security inefficiencies,
while attempting to optimize the trade-off between performance and complementary services including
security. On the other hand, security protocols like IP secure (IPsec) and secure shell (SSH) provide
strong, flexible, low cost, and easy to implement solutions for exchanging data over insecure communi-
cation links. However, the employment of such robust security mechanisms in wireless realms enjoins
additional research efforts due to several limitations of the radio-based connections, for example link
bandwidth and unreliability. This chapter will evaluate several Bluetooth personal area network (PAN)
parameters, including absolute transfer times, link capacity, throughput, and goodput. Experiments
shall employ both Bluetooth native security mechanisms, as well as the two aforementioned protocols.
Through a plethora of scenarios, utilizing both laptops and palmtops, we offer a comprehensive in-depth
comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth
communication links.
Chapter XLII
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring ......................................................... 681
Miguel A. Ruiz, University of Alcala, Spain
Felipe Espinosa, University of Alcala, Spain
David Sanguino, University of Alcala, Spain
AbdelBaset M.H. Awawdeh, University of Alcala, Spain
The electromagnetic energy source used by wireless communication devices in a vehicle can cause
electromagnetic compatibility problems with the electrical and electronic equipment on board. This
work is focused on the radiated susceptibility – EMS – issue and proposes a method for quantifying the
electromagnetic influence of wireless RF transmitters on board vehicles. The key to the analysis is the
evaluation of the relation between the electrical field emitted by a typical Bluetooth device operating
close to the automobile’s electrical and electronic systems and the field level specified by the EMC di-
rective 2004/104/EC for radiated susceptibility tests. The chapter includes the model of a closed circuit
structure emulating an automobile’s electric wire system and the simulation of its behavior under elec-
tromagnetic fields’ action. According to this a physical structure is designed and implemented, which is
used for laboratory tests. Finally, simulated and experimental results are compared and the conclusions
obtained are discussed.
Chapter XLIII
Security in WLAN .............................................................................................................................. 695
Mohamad Badra, Bât ISIMA, France
Artur Hecker, INFRES-ENST, France
The great promise of wireless LAN will never be realized unless there is an an appropriate security
level. From this point of view, various security protocols have been proposed to handle WLAN security
problems that are mostly due to the lack of physical protection in WLAN or because of the transmission
on the radio link. The purpose of this chapter is (1) to provide the reader with a sample background in
WLAN technologies and standards, (2) to give the reader a solid grounding in common security concepts
and technologies, and (3) to identify the threats and vulnerabilities of WLAN communications.
Chapter XLIV
Access Control in Wireless Local Area Networks: Fast Authentication Schemes ............................. 710
Jahan Hassan, The University of Sydney, Australia
Björn Landfeldt, The University of Sydney, Australia
Albert Y. Zomaya, The University of Sydney, Australia
Wireless local area networks (WLAN) are rapidly becoming a core part of network access. Supporting
user mobility, more specifically, session continuation in changing network access points, is becoming
an integral part of wireless network services. This is because of the popularity of emerging real-time
streaming applications that can be commonly used when the user is mobile, such as voice-over-IP and
Internet radio. However, mobility introduces a new set of problems in wireless environments because of
handoffs between network access points (APs). The IEEE 802.11i security standard imposes an authen-
tication delay long enough to hamper real-time applications. This chapter will provide a comprehensive
study on fast authentication solutions found in the literature as well as the industry that address this
problem. These proposals focus on solving the mentioned problem for intradomain handoff scenarios
where the access points belong to the same administrative domain or provider. Interdomain roaming is
also becoming common-place for wireless access. We need fast authentication solutions for these en-
vironments that are managed by independent administrative authorities. We detail such a solution that
explores the use of local trust relationships to foster fast authentication.
Chapter XLV
Security and Privacy in RFID Based Wireless Networks ................................................................... 723
Denis Trček, University of Ljubljana, Slovenia
Mass deployment of radio-frequency identification (RFID) technology is now becoming feasible for
a wide variety of applications ranging from medical to supply chain and retail environments. Its main
draw-back until recently was high production costs, which are now becoming lower and acceptable. But
due to inherent constraints of RFID technology (in terms of limited power and computational resources)
these devices are the subject of intensive research on how to support and improve increasing demands for
security and privacy. This chapter therefore focuses on security and privacy issues by giving a general
overview of the field, the principles, the current state of the art, and future trends. An improvement in the
field of security and privacy solutions for this kind of wireless communications is described as well.
Chapter XLVI
Security and Privacy Approaches for Wireless Local and Metropolitan
Area Networks (LANs & MANS) ...................................................................................................... 732
Giorgos Kostopoulos, University of Patras, Greece
Nicolas Sklavos, Technological Educational Institute of Mesolonghi, Greece
Odysseas Koufopavlou, University of Patras, Greece
Wireless communications are becoming ubiquitous in homes, offices, and enterprises with the popular
IEEE 802.11 wireless LAN technology and the up-and-coming IEEE 802.16 wireless MAN technology.
The wireless nature of communications defined in these standards makes it possible for an attacker to
snoop on confidential communications or modify them to gain access to home or enterprise networks
much more easily than with wired networks. Wireless devices generally try to reduce computation
overhead to conserve power and communication overhead to conserve spectrum and battery power. Due
to these considerations, the original security designs in wireless LANs and MANs used smaller keys,
weak message integrity protocols, weak or one-way authentication protocols, and so forth. As wireless
networks became popular, the security threats were also highlighted to caution users. A security protocol
redesign followed first in wireless LANs and then in wireless MANs. This chapter discusses the security
threats and requirements in wireless LANs and wireless MANs, with a discussion on what the original
designs missed and how they were corrected in the new protocols. It highlights the features of the cur-
rent wireless LAN and MAN security protocols and explains the caveats and discusses open issues. Our
aim is to provide the reader with a single source of information on security threats and requirements,
authentication technologies, security encapsulation, and key management protocols relevant to wireless
LANs and MANs.
Chapter XLVII
End-to-End (E2E) Security Approach in WiMAX:
A Security Technical Overview for Corporate Multimedia Applications ........................................... 747
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Tom Tofigh, WiMAX Forum, USA
An overview of the technical and business aspects is given for the corporate deployment of services over
WiMAX. WiMAX is considered to be a strong candidate for the next generation of broadband wireless
access; therefore its security is critical. This chapter provides an overview of the inherent and comple-
mentary benefits of broadband deployment over a long haul wireless pipe, such as WiMAX. In addition,
we explore end-to-end (E2E) security structures necessary to launch secure business and consumer class
services. The main focus of this chapter is to look for the best security practice to achieve E2E security
in both vertical and horizontal markets. The E2E security practices will ensure complete coverage of the
entire link from the client (user) to the server. This is also applicable to wireless virtual private network
(VPN) applications where the tunneling mechanism between the client and the server ensures complete
privacy and security for all users. The same idea for E2E security is applied to client-server-based mul-
timedia applications, such as in IP multimedia subsystem (IMS) and voice over IP (VoIP), where secure
client/server communication is required. In general, we believe that WiMAX provides the opportunity
for a new class of high data rate symmetric services. Such services will require E2E security schemes
to ensure risk-free high data-rate uploads and downloads of multimedia applications. WiMAX provides
the capability for embedded security functions through the 802.16 security architecture standards. IEEE
802.16 is further subcategorized as 802.16d (fixed-WiMAX) and 802.16e (mobile-WiMAX). Due to
the mobility and roaming capabilities in 802.16e and the fact that the medium of signal transmission
is accessible to everyone, there are a few extra security considerations applied to 802.16e. These extra
features include PKMv2, PKM-EAP authentication method, AES encryption wrapping, and so forth. The
common security features of 802.16d and 802.16e are discussed in this chapter, as well as the highlights
of the security comparisons between other broadband access, 3G technologies, and WiMAX.
Chapter XLVIII
Evaluation of Security Architectures for Mobile Broadband Access ................................................. 759
Symeon Chatzinotas, University of Surrey, UK
Jonny Karlsson, Arcada University of Applied Sciences, Finland
Göran Pulkkis, Arcada University of Applied Sciences, Finland
Kaj Grahn, Arcada University of Applied Sciences, Finland
During the last few years, mobile broadband access has been a popular concept in the context of fourth
generation (4G) cellular systems. After the wide acceptance and deployment of the wired broadband
connections, such as DSL, the research community in conjunction with the industry have tried to develop
and deploy viable mobile architectures for broadband connectivity. The dominant architectures which
have already been proposed are Wi-Fi, UMTS, WiMax, and flash-OFDM. In this chapter, we analyze
these protocols with respect to their security mechanisms. First, a detailed description of the authentica-
tion, confidentiality, and integrity mechanisms is provided in order to highlight the major security gaps
and threats. Subsequently, each threat is evaluated based on three factors: likelihood, impact, and risk.
The technologies are then compared taking their security evaluation into account. Flash-OFDM is not
included in this comparison since its security specifications have not been released in public. Finally,
future trends of mobile broadband access, such as the evolution of WiMax, mobile broadband wireless
access (MBWA), and 4G are discussed.
Chapter XLIX
Extensible Authentication (EAP) Protocol Integrations in the Next
Generation Cellular Networks ............................................................................................................ 776
Sasan Adibi, University of Waterloo, Canada
Gordon B. Agnew, University of Waterloo, Canada
Authentication is an important part of the authentication, authorization, and accounting (AAA) schemes,
and the extensible authentication protocol (EAP) is a universally accepted framework for authentication
commonly used in wireless networks and point-to-point protocol (PPP) connections. The main focus
of this chapter is the technical details to examine how EAP is integrated into the architecture of next
generation networks (NGN), such as in worldwide interoperability for microwave access (WiMAX),
which is defined in the IEEE 802.16d and IEEE 802.16e standards and in current wireless protocols,
such as IEEE 802.11i. This focus includes an overview of the integration of EAP with IEEE 802.1x,
remote authentication dial in user service (RADIUS), DIAMETER, and pair-wise master key version
(2PKv2).
Preface
Wireless networks have been seen unprecedented growth in the past few years. Wireless technologies
provide users with a variety of benefits like portability, flexibility, increased productivity, and lower
installation costs. Various wireless technologies, from wireless local area network (WLAN) and Blue-
tooth to WiMAX and third generation (3G) have been developed. Each of these technologies has its
own unique applications and characteristics. For example, a WLAN can provide the wireless users with
high bandwidth data communication in a restricted and dense area (hotpot). Ad hoc networks, like those
enabled by Bluetooth, allow data synchronization with network systems and application sharing between
devices. WiMAX can provide high-speed, high bandwidth efficiency, and high-capacity multimedia
services for residential as well as enterprise applications.
However, any wireless technology is inherently risky. It has the same risks as the wired networks as
well as new risks brought by the wireless connectivity. There have been many reports of security weak-
nesses and problems related to different wireless technologies, which make wireless security quite a hot
research topic recently, both in the academia and industry.
Wireless security is a very broad area as there are so many different wireless technologies existing.
Each wireless technology has its own architecture, algorithms, and protocols. Different wireless tech-
nologies have their own application areas and different security concerns, requirements, and solutions.
To this end, we want to bring up the Handbook of Research on Wireless Security to serve as a single
comprehensive reference in the field of wireless security.
In this book, the basic concepts, terms, protocols, systems, architectures, and case studies in the wire-
less security are provided. It identifies the fundamental problems, key challenges, and future directions in
designing secure wireless systems. It covers a wide spectrum of topics in a variety of wireless networks,
including attacks, secure routing, encryption, decryption, confidentiality, integrity, key management,
identity management, and also security protocols in standards.
The chapters of this book are authoritatively contributed by a group of internationally renowned
experts on wireless security. They are organized in four sections:
Section I introduces the basic concepts and fundamental mechanisms of wireless security. This sec-
tion is able to provide the necessary background for readers and introduce all the fundamental issues on
wireless security without previous knowledge on this area. Section II discusses all the security aspects
in 3G/B3G/4G. It is well known that 3G mobile systems offer mobile users content rich services, wire-
xxxiii
less broadband access to Internet, and worldwide roaming. Future 4G mobile communication networks
are expected to provide all IP-based services for heterogeneous wireless access technologies, assisted
by mobile IP to provide seamless Internet access for mobile users. However the broadcast nature of the
wireless communication and increased popularity of wireless devices introduce serious security vul-
nerabilities. A variety of security issues regarding 3G/B3g/4G will be introduced and addressed with
effective solutions (e.g., identity management, confidentiality and integrity mechanisms, evaluation
of the current 3G/B3G/4G security protocols, analysis of the impact of security deployment upon the
network performance, etc.). Section III explores the security in ad hoc and sensor networks. In recent
years, tremendous technological advances have been made in the areas of wireless ad hoc and sensor
networks. Such networks have a significant impact on a variety of applications including scientific,
military, medical, industrial, office, home, and personal domains. However, these networks introduce
new security challenges due to their dynamic topology, severe resource constraints, and absence of a
trusted infrastructure. Many aspects of security issues regarding the ad hoc and sensor networks will be
covered, including key management, cryptographic protocols, authentication and access control, intru-
sion detection and tolerance, secure location services, privacy and anonymity, secure routing, resilience
against different types of attacks, and so forth. Section IV exploits the security problems in wireless
PAN/LAN/MAN. Nowadays we have continuously growing markets for the wireless PANs, wireless
LANs, and wireless MANs, but there is a big black hole in the security of this kind of network. Diverse
aspects of the security issues on these types of networks will be introduced. For instance, the threats and
vulnerabilities in wireless LANs, access control in wireless LANs, evaluating security mechanisms in
wireless PANs, the protocols and mechanisms to enhance the security of wireless LANs/MANs, security
issues in WiMAX, and so forth are discussed. Practical examples will also be introduced to enhance
the understanding.
This book can serve as an essential and useful reference for undergraduate and graduate students,
educators, scientists, researchers, engineers, and research strategists in the field of wireless security.
We hope that by reading this book the reader can not only learn the basic concepts of wireless security
but also get a good insight into some of the key research works in securing the wireless networks. Our
goal is to provide an informed and detailed snapshot of this fast moving field. If you have any feedback
or suggestion, please contact the editors.
Acknowledgment
The editors would like to acknowledge the help of all involved in the collation and review process of
the handbook, without whose support the project could not have been successfully completed.
Deep appreciation and gratitude is first due to Editorial Advisory Board, whose suggestions and
comments have greatly enhanced the quality of the book. Most of the authors of the chapters included
in this handbook also served as referees for chapters written by other authors. We would like to thank
them for their time, valuable comments, and hard work in reviewing the peers’ work. Thanks also go to
all the external reviewers who provided constructive and comprehensive reviews. Their critical sugges-
tions and comments ensure the quality of the book.
Special thanks also go to the publishing team at IGI Global Inc., whose contributions throughout the
whole process from inception of the initial idea to final publication have been invaluable. In particular
to Kristin Roth, who continuously prodded via e-mail for keeping the project on schedule, to Jessica
Thompson, whose support, patience, and professionalism during this project, and to Nicole Dean, for
enhancing the book marketability. We are grateful for the staffs for the great efforts during the typesetting
period. Last but not least, a special thank to the families and friends for their constant encouragement,
patience, and understanding throughout this project.
In closing, we wish to thank all of the authors for their insights, excellent contributions, and profes-
sional cooperation to this handbook.
May 2007
Section I
Security Fundamentals
Chapter I
Malicious Software in
Mobile Devices
Thomas M. Chen
Southern Methodist University, USA
Cyrus Peikari
Airscanner Mobile Security Corporation, USA
AbstrAct
This chapter examines the scope of malicious software (malware) threats to mobile devices. The stakes
for the wireless industry are high. While malware is rampant among 1 billion PCs, approximately twice
as many mobile users currently enjoy a malware-free experience. However, since the appearance of the
Cabir worm in 2004, malware for mobile devices has evolved relatively quickly, targeted mostly at the
popular Symbian smartphone platform. Significant highlights in malware evolution are pointed out that
suggest that mobile devices are attracting more sophisticated malware attacks. Fortunately, a range
of host-based and network-based defenses have been developed from decades of experience with PC
malware. Activities are underway to improve protection of mobile devices before the malware problem
becomes catastrophic, but developers are limited by the capabilities of handheld devices.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Malicious Software in Mobile Devices
but they differ in their methods (Nazario, 2004; herder” constitute a bot net. Bot nets are often
Szor, 2005). A virus is a piece of software code used for spam, data theft, and distributed denial
(set of instructions but not a complete program) of service attacks. Spyware collects personal user
attached to a normal program or file. The virus information from a victim computer and transmits
depends on the execution of the host program. the data across the network, often for advertising
At some point in the execution, the virus code purposes but possibly for data theft. Spyware is
hijacks control of the program execution to make often bundled with shareware or installed covertly
copies of itself and attach these copies to more through social engineering.
programs or files. In contrast, a worm is a stand- Since 2004, malware has been observed to
alone automated program that seeks vulnerable spread among smartphones and other mobile
computers through a network and copies itself to devices through wireless networks. According to
compromised victims. F-Secure, the number of malware known to target
Non-replicating malware typically hide their smartphones is approximately 100 (Hypponen,
presence on a computer or at least hide their ma- 2006). However, some believe that malware will
licious function. Malware that hides a malicious inevitably grow into a serious problem (Dagon,
function but not necessarily its presence is called Martin, & Starner, 2004). There have already
a Trojan horse (Skoudis, 2004). Typically, Trojan been complex, blended malware threats on mobile
horses pose as a legitimate program (such as a devices. Within a few years, mobile viruses have
game or device driver) and generally rely on social grown in sophistication in a way reminiscent of
engineering (deception) because they are not able 20 years of PC malware evolution. Unfortunately,
to self-replicate. Trojan horses are used for various mobile devices were not designed for security, and
purposes, often theft of confidential data, destruc- they have limited defenses against continually
tion, backdoor for remote access, or installation of evolving attacks.
other malware. Besides Trojan horses, many types If the current trend continues, malware spread-
of non-replicating malware hide their presence in ing through wireless networks could consume
order to carry out a malicious function on a victim valuable radio resources and substantially degrade
host without detection and removal by the user. the experience of wireless subscribers. In the worst
Common examples include bots and spyware. Bots case, malware could become as commonplace in
are covertly installed software that secretly listen wireless networks as in the Internet with all its at-
for remote commands, usually sent through Internet tendant risks of data loss, identity theft, and worse.
relay chat (IRC) channels, and execute them on The wireless market is growing quickly, but nega-
compromised computers. A group of compromised tive experiences with malware on mobile devices
computers under remote control of a single “bot could discourage subscribers and inhibit market
growth. The concern is serious because wireless
services are currently bound to accounting and
charging mechanisms; usage of wireless services,
Figure 1. A taxonomy of malicious software whether for legitimate purposes or malware, will
result in subscriber charges. Thus, a victimized
Malware subscriber will not only suffer the experience
of malware but may also get billed extra service
charges. This usage-based charging arrangement
Self-replicating Not self-replicating contrasts with PCs which typically have flat charges
for Internet communications.
This chapter examines historical examples of
Standalone Parasitic Hide Hide malware and the current environment for mobile
(worm) (virus) malicious presence
function (various
devices. Potential infection vectors are explored.
(Trojan horse) types) Finally, existing defenses are identified and de-
scribed.
Malicious Software in Mobile Devices
Malicious Software in Mobile Devices
ware is intended to spread by Bluetooth, Bluetooth descs/vapor.shtml). When executed, it changes the
connections are short range. Moreover, Bluetooth file attributes of other applications, making them
devices can be turned off or put into hidden mode. invisible (but not actually deleting them). It does
Third, there is a diversity of mobile device platforms, not self-replicate.
in contrast to PCs that are dominated by Windows. In July 2004, Duts was a proof-of-concept
Some have argued that the Windows monoculture virus, the first to target Windows Pocket PCs. It
in PCs has made PCs more vulnerable to malware. asks the user for permission to install. If installed,
To reach a majority of mobile devices, malware it attempts to infect all EXE files larger than 4096
writers must create separate pieces of malware code bytes in the current directory.
for different platforms (Leavitt, 2005). Later in 2004, Brador was a backdoor for Pocket
PCs (www.f-secure.com/v-descs/brador.shtml). It
installs the file “svchost.exe” in the Startup directory
EvolutIon of MAlwArE so that it will automatically start during the device
bootup. Then it will read the local host IP address
Malware has already appeared on mobile devices and e-mail that to the author. After e-mailing its IP
over the past few years (Peikari & Fogie, 2003). address, the backdoor opens a TCP port and starts
While the number is still small compared to the listening for commands. The backdoor is capable
malware families known for PCs, an examination of of uploading and downloading files, executing
prominent examples shows that malware is evolving arbitrary commands, and displaying messages to
steadily. The intention here is not to exhaustively the PDA user.
list all examples of known malware but to highlight The Cabir worm discovered in June 2004 was
how malware has been developing. a milestone marking the trend away from PDAs
Palm Pilots and Windows Pocket PCs were com- and towards smartphones running the Symbian
mon before smartphones, and malware appeared operating system. Cabir was a proof-of-concept
first for the Palm operating system. Liberty Crack worm, the first for Symbian, written by a member
was a Trojan horse related to Liberty, a program of a virus writing group 29A (www.f-secure.com/
emulating the Nintendo Game Boy on the Palm, v-descs/cabir.shtml). The worm is carried in a file
reported in August 2000 (Foley & Dumigan, 2001). “caribe.sis” (Caribe is Spanish for the Caribbean).
As a Trojan, it did not spread by self-replication but The SIS file contains autostart settings that will
depended on being installed from a PC that had the automatically execute the worm after the SIS file
“liberty_1_1_crack.prc” file. Once installed on a is installed. When the Cabir worm is activated, it
Palm, it appears on the display as an application, will start looking for other (discoverable) Bluetooth
Crack. When executed, it deletes all applications devices within range. Upon finding another device,
from the Palm (www.f-secure.com/v-descs/lib_ it will try to send the caribe.sis file. Reception and
palm.shtml). installation of the file requires user approval after a
Discovered in September 2000, Phage was notification message is displayed. It does not cause
the first virus to target Palm PDAs (Peikari & any damage.
Fogie, 2003). When executed, the virus infects Cabir was not only one of the first malware
all third-party applications by overwriting them for Symbian, but it was also one of the first to use
(http://www.f-secure.com/v-descs/phage.shtml). Bluetooth (Gostev, 2006). Malware is more com-
When a program’s icon is selected, the display turns monly spread by e-mail. The choice of Bluetooth
gray and the selected program exits. The virus can meant that Cabir would spread slowly in the wild.
spread directly to other Palms by infrared beaming An infected smartphone would have to discover
or indirectly through PC synchronization. another smartphone within Bluetooth range and
Another Trojan horse discovered around the the target’s user would have to willingly accept the
same time, Vapor is installed on a Palm as the transmission of the worm file while the devices are
application “vapor.prc” (www.f-secure.com/v- within range of each other.
Malicious Software in Mobile Devices
In August 2004, the first Trojan horse for non-functional copies of the bootloaders used by
smartphones was discovered. It appeared to be a Simworks Antivirus and Kaspersky Symbian An-
cracked version of a Symbian game Mosquitos. tivirus, preventing these programs from loading
The Trojan made infected phones send SMS text automatically during the phone bootup.
messages to phone numbers resulting in charges In April 2005, the Mabir worm was similar to
to the phones’ owners. Cabir in its ability to spread by Bluetooth. It had
In November 2004, the Trojan horse— the additional capability to spread by MMS mes-
Skuller—was found to infect Symbian Series 60 saging. It listens for any arriving MMS or SMS
smartphones (www.f-secure.com/v-descs/skulls. message and will respond with a copy of itself in
shtml). The Trojan is a file named “Extended a file named “info.sis.”
theme.SIS,” a theme manager for Nokia 7610 Found in September 2005, the Cardtrap Trojan
smartphones. If executed, it disables all applica- horse targeted Symbian 60 smartphones and was
tions on the phone and replaces their icons with one of the first examples of smartphone malware
a skull and crossbones. The phone can be used to capable of infecting a PC (www.f-secure.com/v-
make calls and answer calls. However, all system descs/cardtrap_a.shtml). When it is installed on
applications such as SMS, MMS, Web browsing, the smartphone, it disables several applications
and camera do not work. by overwriting their main executable files. More
In December 2004, Skuller and Cabir were interestingly, it also installs two Windows worms,
merged to form Metal Gear, a Trojan horse that Padobot.Z and Rays, to the phone’s memory card.
masquerades as the game of the same name. Metal An autorun file is copied with the Padobot.Z worm,
Gear uses Skulls to deactivate a device’s antivirus. so that if the memory card is inserted into a PC,
This was the first malware to attack antivirus on the autorun file will attempt to execute the Padobot
Symbian smartphones. The malware also drops a worm. The Rays worm is a file named “system.
file “SEXXXY.SIS,” an installer that adds code exe” which has the same icon as the system folder
to disable the handset menu button. It then uses in the memory card. The evident intention was to
Cabir to send itself to other devices. trick a user reading the contents of the card on a
Locknut was a Trojan horse discovered in PC into executing the Rays worm.
February 2005 that pretended to be a patch for Crossover was a proof-of-concept Trojan horse
Symbian Series 60 phones. When installed, it found in February 2006. It was reportedly the first
drops a program that will crash a critical system malware capable of spreading from a PC to a Win-
service component, preventing any application dows Mobile Pocket PC by means of ActiveSync.
from launching. On the PC, the Trojan checks the version of the
In March 2005, ComWar or CommWarrior was host operating system. If it is not Windows CE or
the first worm to spread by MMS among Symbian Windows Mobile, the virus makes a copy of itself
Series 60 smartphones. Like Cabir, it was also ca- on the PC and adds a registry entry to execute
pable of spreading by Bluetooth. Infected phones the virus during PC rebooting. A new virus copy
will search for discoverable Bluetooth devices is made with a random file name at each reboot.
within range; if found, the infected phone will try When executed, the Trojan waits for an ActiveSync
to send the worm in a randomly named SIS file. But connection, when it copies itself to the handheld,
Bluetooth is limited to devices within 10 meters documents on the handheld will be deleted.
or so. MMS messages can be sent to anywhere in In August 2006, the Mobler worm for Windows
the world. The worm tries to spread by MMS mes- PCs was discovered (www.f-secure.com/v-descs/
saging to other phone owners found in the victim’s mobler.shtml). It is not a real threat but is suggestive
address book. MMS has the unfortunate side effect of how future malware might evolve. When a PC is
of incurring charges for the phone owner. infected, the worm copies itself to different folders
Drever was a Trojan horse that attacked anti- on local hard drives and writable media (such as
virus software on Symbian smartphones. It drops a memory card). Among its various actions, the
Malicious Software in Mobile Devices
worm creates a SIS archiver program “makesis. a microbrowser designed to render Web content
exe” and a copy of itself named “system.exe” in the on the small displays of mobile devices. Current
Windows system folder. It also creates a Symbian microbrowsers are similar in features to regular
installation package named “Black_Symbian.SIS.” Web browsers, capable of HTML, WML, CSS,
It is believed to be capable of spreading from a PC Ajax, and plug-ins. Although e-mail and the Web
to smartphone, another example of cross-platform are common vectors for PC malware, they have
malware. not been used as vectors to infect mobile devices
At the current time, it is unknown whether thus far.
Crossover and Mobler signal the start of a new trend SMS/MMS messaging: Commonly called text
towards cross-platform malware that spread equally messaging, SMS is available on most mobile phones
well among PCs and mobile devices. The combined and Pocket PCs. It is most popular in Europe, Asia
potential target population would be nearly 3 bil- (excluding Japan), Australia, and New Zealand,
lion. The trend is not obvious yet but Crossover but has not been as popular in the U.S. as other
and Mobler suggest that cross-platform malware types of messaging. Text messaging is often used
could become possible in the near future. to interact with automated systems, for example
to order products or services or participate in
contests. Short messages are limited to 140 bytes
InfEctIon vEctors of data, but longer content can be segmented and
sent in multiple messages. The receiving phone is
Infection vectors for PC malware have changed responsible for reassembling the complete mes-
over the years as PC technology evolved. Viruses sage. Short messages can also be used to send
initially spread by floppy disks. After floppy disks binary content such as ringtones or logos. While
disappeared and Internet connectivity became SMS is largely limited to text, MMS is a more
ubiquitous, worms spread by mass e-mailing. Simi- advanced messaging service allowing transmis-
larly, infection vectors used by malware for mobile sion of multimedia objects—video, images, audio,
devices have changed over the past few years. and rich text. The ComWar worm was the first to
Synchronization: Palm and Windows PDAs spread by MMS (among Symbian Series 60 smart-
were popular before smartphones. PDAs install phones). MMS has the potential to spread quickly.
software by synchronization with PCs (Foley & ComWar increased its chances by targeting other
Dumigan, 2001). For example, Palm applications phone owners found in the victim’s address book.
are packaged as Palm resource (PRC) files installed By appearing to come from an acquaintance, an
from PCs. As seen earlier, Palm malware usually incoming message is more likely to be accepted
relied on social engineering to get installed. This by a recipient. MMS will likely continue to be an
is a slow infection vector for malware to spread infection vector in the future.
between PDAs because it requires synchronization Bluetooth: Bluetooth is a short-range radio com-
with a PC and then contact with another PC that munication protocol that allows Bluetooth-enabled
synchronizes with another PDA. Much faster infec- devices (which could be mobile or stationary)
tion vectors became possible when PDAs and then within 10-100 meters to discover and talk with each
smartphones started to feature communications other. Up to eight devices can communicate with
directly between mobile devices without having each other in a piconet, where one device works
to go through PCs. in the role of “master” and the others in the role of
E-mail and Web: Internet access from mobile “slaves.” The master takes turns to communicate
devices allows users away from their desktops to with each slave by round robin. The roles of master
use the most common Internet applications, e-mail and slaves can be changed at any time.
and the World Wide Web. Most mobile devices Each Bluetooth device has a unique and per-
can send and receive e-mail with attachments. manent 48-bit address as well as a user-chosen
In addition, many can access the Web through Bluetooth name. Any device can search for other
Malicious Software in Mobile Devices
nearby devices, and devices configured to respond defenses against malware have been developed
will give their name, class, list of services, and from decades of experience with PC malware. A
technical details (e.g., manufacturer, device fea- taxonomy of malware defenses is shown in Figure
tures). If a device inquires directly at a device’s 2. Defenses can be first categorized as preventive
address, it will always respond with the requested or reactive (defensive). Preventive techniques help
information. avoid malware infections through identification
In May 2006, F-Secure and Secure Networks and remediation of vulnerabilities, strengthening
conducted a survey of discoverable Bluetooth security policies, patching operating systems and
devices in a variety of places in Italy. They found applications, updating antivirus signatures, and
on average 29 to 154 Bluetooth devices per hour even educating users about best practices (in this
in discoverable mode in the different places. In case, for example, turning off Bluetooth except
discoverable mode, the devices are potentially open when needed, rejecting installation of unknown
to attacks. About 24% were found to have visible software, and blocking SMS/MMS messages from
OBEX push service. This service is normally used untrusted parties). At this time, simple preventive
for transfer of electronic business cards or similar techniques are likely to be very effective because
information, but is known to be vulnerable to a there are relatively few threats that really spread
BlueSnarf attack. This attack allows connections to in the wild. In particular, education to raise user
a cellular phone and access to the phone book and awareness would be effective against social engi-
agenda without authorization. Another vulnerabil- neering, one of the main infection vectors used by
ity is BlueBug, discovered in March 2004, allowing malware for mobile devices so far.
access to the ASCII Terminal (AT) commands of
a cell phone. These set of commands are common Host-based defenses
for configuration and control of telecommunica-
tions devices, and give high-level control over call Even with the best practices to avoid infections,
control and SMS messaging. In effect, these can reactive defenses are still needed to protect mobile
allow an attacker to use the phone services without devices from actual malware threats. Reactive
the victim’s knowledge. This includes incoming defenses can operate in hosts (mobile devices) or
and outgoing phone calls and SMS messages. within the network. Host-based defenses make
The Cabir worm was the first to use Bluetooth sense because protection will be close to the
as a vector. Bluetooth is expected to be a slow targets. However, host-based processes (e.g., an-
infection vector. An infected smartphone would tivirus programs) consume processing and power
have to discover another smartphone within a 10- resources that are more critical on mobile devices
meter range, and the target’s user would have to than desktop PCs. Also, the approach is difficult
willingly accept the transmission of the worm file to scale to large populations if software must be
while the devices are within range of each other. installed, managed, and maintained on every
Moreover, although phones are usually shipped mobile device. Network-based defenses are more
with Bluetooth in discoverable mode, it is simple scalable in the sense that one router or firewall
to change devices to invisible mode. This simple may protect a group of hosts. Another reason for
precaution would make it much more difficult for network-based defenses is the possibility that the
malware. network might be able to block malware before it
actually reaches a targeted device, which is not
possible with host-based defenses. Host-based
MAlwArE dEfEnsEs defenses take effect after contact with the host.
In practice, host-based and network-based de-
Practical security depends on multiple layers of fenses are both used in combination to realize their
protection instead of a single (hopefully perfect) complementary benefits.
defense (Skoudis, 2004). Fortunately, various
Malicious Software in Mobile Devices
The most obvious host-based defense is anti- of attention has focused on the vulnerabilities of
virus software (Szor, 2005). Antivirus does auto- that operating system. It might be argued that the
matic analysis of files, communicated messages, system has a low level of application security. For
and system activities. All commercial antivirus example, Symbian allows any system application
programs depend mainly on malware signatures to be rewritten without requiring user consent.
which are sets of unique characteristics associ- Also, after an application is installed, it has total
ated with each known piece of malware. The control over all functions. In short, applications
main advantage of signature-based detection is are totally trusted.
its accuracy in malware identification. If a sig- Although Windows CE has not been as popular
nature is matched, then the malware is identified a target, it has similar vulnerabilities. There are
exactly and perhaps sufficiently for disinfection. no restrictions on applications; once launched, an
Unfortunately, signature-based detection has two application has full access to any system function
drawbacks. First, antivirus signatures must be including sending/receiving files, phone functions,
regularly updated. Second, there will always be multimedia functions, and so forth. Moreover,
the possibility that new malware could escape Windows CE is an open platform and application
detection if it does not have a matching signature. development is relatively easy.
For that case, antivirus programs often include Symbian OS version 9 added the feature of code
heuristic anomaly detection which detects unusual signing. Currently all software must be manually
behavior or activities. Anomaly detection does not installed. The installation process warns the user
usually identify malware exactly, only the suspi- if an application has not been signed. Digital sign-
cion of the presence of malware and the need for ing makes software traceable to the developer and
further investigation. For that reason, signatures verifies that an application has not been changed
will continue to be the preferred antivirus method since it left the developer. Developers can apply to
for the foreseeable future. have their software signed via the Symbian Signed
Several antivirus products are available for program (www.symbiansigned.com). Developers
smartphones and PDAs. In October 2005, Nokia also have the option of self-signing their programs.
and Symantec arranged for Nokia to offer the op- Any signed application will install on a Symbian
tion of preloading Symbian Series 60 smartphones OS phone without showing a security warning.
with Symantec Mobile Security Antivirus. Other An unsigned application can be installed with user
commercial antivirus packages can be installed consent, but the operating system will prevent it
on Symbian or Windows Mobile smartphones from doing potentially damaging things by denying
and PDAs. access to key system functions and data storage
In recognition that nearly all smartphone mal- of other applications.
ware has targeted Symbian devices, a great amount
network-based defenses
Malicious Software in Mobile Devices
Traffic filtering is done by configuring firewall include software patching, updating antivirus, or
and ACL policies. any other changes to bring the host into compliance
An example is Sprint’s Mobile Security ser- with security policies.
vice announced in September 2006. This is a set
of managed security services for mobile devices
from handhelds to laptops. The service includes futurE trEnds
protection against malware attacks. The service can
scan mobile devices and remove detected malware It is easy to see that mobile phones are increas-
automatically without requiring user action. ingly attractive as malware targets. The number of
In the longer term, mobile device security may smartphones and their percentage of overall mobile
be driven by one or more vendor groups working devices is growing quickly. Smartphones will
to improve the security of wireless systems. For continue to increase in functionalities and complex-
instance, the Trusted Computing Group (TCG) ity. Symbian has been the primary target, a trend
(www.trustedcomputinggroup.org) is an organiza- that will continue as long as it is the predominant
tion of more than 100 component manufacturers, smartphone platform. If another platform arises,
software developers, networking companies, and that will attract the attention of malware writers
service providers formed in 2003. One subgroup who want to make the biggest impact.
is working on a set of specifications for mobile The review of malware evolution suggests a
phone security (TCG, 2006a). Their approach worrisome trend. Since the first worm, Cabir, only
is to develop a Mobile Trusted Module (MTM) three years ago, malware has advanced steadily
specification for hardware to support features to more infection vectors, first Bluetooth and
similar to those of the Trusted Platform Module then MMS. Recently malware has shown signs of
(TPM) chip used in computers but with additional becoming cross-platform, moving easily between
functions specifically for mobile devices. The TPM mobile devices and PCs.
is a tamper-proof chip embedded at the PC board Fortunately, mobile security has already drawn
level, serving as the “root of trust” for all system the activities of the TCG and other industry orga-
activities. The MTM specification will integrate nizations. Unlike the malware situation with PCs,
security into smartphones’ core operations instead the telecommunications industry has decades of
of adding as applications. experience to apply to wireless networks, and
Another subgroup is working on specifications there is time to fortify defenses before malware
for Trusted Network Connect (TCG, 2006b). All multiplies into a global epidemic.
hosts including mobile devices run TNC client
software, which collects information about that
host’s current state of security such as antivirus conclusIon
signature updates, software patching level, results
of last security scan, firewall configuration, and Malware is a low risk threat for mobile devices
any other active security processes. The security today, but the situation is unlikely to stay that
state information is sent to a TNC server to check way for long. It is evident from this review that
against policies set by network administrators. The mobile phones are starting to attract the attention
server makes a decision to grant or deny access to of malware writers, a trend that will only get worse.
the network. This ensures that hosts are properly At this point, most defenses are common sense
configured and protected before connecting to the practices. The wireless industry realizes that the
network. It is important to verify that hosts are not stakes are high. Two billion mobile users currently
vulnerable to threats from the network and do not enjoy a malware-free experience, but negative
pose a threat to other hosts. Otherwise, they will experiences with new malware could have a di-
be effectively quarantined from the network until sastrous effect. Fortunately, a range of host-based
their security state is remedied. Remedies can and network-based defenses have been developed
Malicious Software in Mobile Devices
from experience with PC malware. Activities are Trusted Computing Group (TCG). (2006b). TCG
underway in the industry to improve protection trusted network connect TNC architecture for
of mobile devices before the malware problem interoperability. Retrieved from https://www.
becomes catastrophic. trustedcomputinggroup.org/groups/network/
rEfErEncEs
kEy tErMs
Dagon, D., Martin, T., & Starner, T. (2004). Mobile
Antivirus Software: Antivirus software is
phones as computing devices: The viruses are com-
designed to detect and remove computer viruses
ing! IEEE Pervasive Computing, 3(4), 11-15.
and worms and prevent their reoccurrence.
Foley, S., & Dumigan, R. (2001). Are handheld
Exploit Software: Exploit software is written
viruses a significant threat? Communications of
to attack and take advantage of a specific vulner-
the ACM, 44(1), 105-107.
ability.
Gostev, A. (2006). Mobile malware evolution: An
Malware Software: Malware software is any
overview. Retrieved from http://www.viruslist.
type of software with malicious function, includ-
com/en/analysis?pubid=200119916
ing for example, viruses, worms, Trojan horses,
Hypponen, M. (2006). Malware goes mobile. and spyware.
Scientific American, 295(5), 70-77.
Smartphone: Smartphones are devices with
Leavitt, N. (2005). Mobile phones: The next frontier the combined functions of cell phones and PDAs,
for hackers? Computer, 38(4), 20-23. typically running an operating system such as
Symbian OS.
Nazario, J. (2004). Defense and detection strat-
egies against Internet worms. Norwood, MA: Social Engineering: Social engineering is
Artech House. an attack method taking advantage of human
nature.
Peikari, C., & Fogie, S. (2003). Maximum wireless
security. Indianapolis, IN: Sams Publishing. Trojan Horse: A Trojan horse is any software
program containing a covert malicious function.
Skoudis, E. (2004). Malware: Fighting malicious
code. Upper Saddle River, NJ: Prentice Hall. Virus: A virus is a piece of a software pro-
gram that attaches to a normal program or file
Szor, P. (2005). The art of computer virus research
and depends on execution of the host program to
and defense. Reading, MA: Addison-Wesley.
self-replicate and infect more programs or files.
Trusted Computing Group (TCG). (2006a). Mo-
Vulnerability: Vulnerability is a security flaw
bile trusted module specification. Retrieved from
in operating systems or applications that could be
https://www.trustedcomputinggroup.org/specs/
exploited to attack the host.
mobilephone/
Worm: A worm is a stand-alone malicious
program that is capable of automated self-repli-
cation.
0
Chapter II
Secure Service Discovery
Sheikh I. Ahamed Munirul M. Haque
Marquette University, USA Marquette University, USA
Moushumi Sharmin
Marquette University, USA
AbstrAct
In broadband wireless networks, mobile devices will be equipped to directly share resources using service
discovery mechanisms without relying upon centralized servers or infrastructure support. The network
environment will frequently be ad hoc or will cross administrative boundaries. There are many challenges
to enabling secure and private service discovery in these environments including the dynamic population
of participants, the lack of a universal trust mechanism, and the limited capabilities of the devices. To
ensure secure service discovery while addressing privacy issues, trust-based models are inevitable. We
survey secure service discovery in the broadband wireless environment. We include case studies of two
protocols that include a trust mechanism, and we summarize future research directions.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Secure Service Discovery
Figure 1. Different types of networks in a pervasive computing environment. (a) Ad hoc network in a
pervasive environment with powerful device support. (b) Ad hoc network in a pervasive environment
without powerful device support.
(a) (b)
interest in security mechanisms that do not require context-aware sensor networks (Robinson, Vogt,
centralized enforcement and validation. & Wagealla, 2005).
We present the current state of secure service The different kinds of networks in pervasive
discovery. Leading designs for secure service dis- computing environments impact the design of
covery are surveyed including industry standards secure service discovery mechanisms. On one end,
and research systems. The types of security issues there are smart spaces, or intelligent environments
we are concerned with include: protecting the pri- that provide devices with a variety of support for
vacy of service advertisements and descriptions; user awareness and context management, while at
authentication of service advertisements; secure the other end there are networks that provide open
distribution and updating of keys for service in- network connectivity.
vocation; providing trust in service composition; Figure 1 depicts two ad hoc networks in a
and limiting vulnerability to attacks effecting the pervasive computing environment. In Figure 1a,
service discovery mechanism. the devices communicate among themselves with
Pervasive computing environment focuses the support of fixed, more powerful devices. These
(Weiser, 1991, 1993) has evolved over the past devices act as servers or proxies for the mobile
few years with the availability of portable low- devices. In Figure 1b, an ad hoc network is formed
cost devices (such as PDAs, cell phones, smart by mobile devices. There is no fixed infrastructure
phones, laptops, and sensors) and the emergence of support. The devices communicate with each
short-range and low-power wireless communica- other directly or via another mobile device, and
tion networks. Pervasive computing environments are responsible for performing computations by
focus on integrating computing and communica- themselves.
tions with the surrounding physical environment to In service discovery (Kindberg & Fox, 2002;
make computing and communication transparent Lee & Helal, 2002), a device searches for another
to the users in everyday contexts. In a broad sense, device capable of offering a specific service or
pervasive computing combines mobile computing, resource. An important trend is the adoption of
wireless networks, embedded computing, and a service-oriented architecture for resource dis-
covery, not just for server systems accessed by
Secure Service Discovery
mobile devices, but also for sharing of resources content sharing, communication, and gam-
between devices. There are four elements found ing.
in the service-oriented approach: (1) service de-
scription, which provides an interchangeable way Due to these trends, richer models of discovery
for devices to describe the service and its use; (2) are being considered such as federated discovery,
service registration or advertisement on behalf of meta discovery, and semantic discovery (Buford,
the service provider; (3) service discovery by de- Brown, & Kolberg, 2006; Buford, Celebi, &
vices seeking a service; and (4) service invocation, Frankl, 2006).
which is a protocol by which a service requester Consequently, it is important for wireless de-
and service provider coordinate to deliver a service. vices to securely participate in service discovery
Propagation of service advertisements can be using with other devices that are outside the immediate
pull (query), push (announcement), or a combina- administrative security domain. Further, these
tion of pull and push. In addition, the ability to devices interact with other devices in an ad hoc
dynamically discover and combine component manner, and lack of fixed infrastructure support
services to form new services is referred to as leads to the dependency on other devices for re-
service composition. sources. The nature of devices, communication
Broadband wireless technologies such as patterns, and dependency on other devices in turn
WiMax, UWB, and 802.11n are bringing broad- causes security vulnerabilities. Due to the ad hoc
band connectivity to mobile CE devices. These connectivity and dynamic nature of the population
devices will be able to switch between different of devices, access to specific devices may be inter-
network access technologies. This has the following mittent and short-lived. Moreover, multiple devices
consequences for service discovery in pervasive may concurrently request one specific resource.
computing: These aspects demand a scalable, efficient, and
responsive service discovery model.
• Due to broadband connectivity, devices Thus far, we have discussed the general view
will be able to participate in media-rich and of and motivation for service discovery for mobile
sophisticated resource sharing. devices. The rest of the chapter is organized as
• Wide-area service discovery and location- follows: The next section summarizes the security
based discovery will grow in importance due goals for service discovery and presents a model
to the combination of increased connectivity for service discovery in pervasive computing. The
and wide-area roaming. third section surveys present unsecured service
• The ability to act as multi-homed devices discovery models. The fourth section surveys ex-
means that devices will have increased isting secure service discovery models, organized
connectivity but also an increased rate of into three different categories. Two case studies
transitions due to roaming between different of service discovery protocols that incorporate
networks. trust-based mechanisms are described in the
• Devices will be able to simultaneously par- Examples Using Trust Models section. The final
ticipate in a personal area network (PAN), sections summarize important research issues and
home networks, and wireless area networks conclusions.
(WANs) with different security and trust
properties. In PANs and home networks, security goals in service discovery,
mediation of service discovery between Invocation, and composition
networks is needed, in which devices such
as gateways proxy or intermediate service The significance of security during service dis-
discovery between network domains. covery is well established (Matsumiya et al., 2004;
• Device-to-device interaction will grow in Stajano, 2002; Stajano & Anderson, 2002). Privacy,
importance to users for applications such as security, and trust issues in service discovery in the
Secure Service Discovery
pervasive computing area are of utmost importance crossing administrative boundaries, or without
(Robinson et al., 2005). Thus, the service discovery infrastructure support, other mechanisms are
process demands models that ensure the privacy needed.
and security of the user. In particular, this privacy Further, traditional security mechanisms do
and security should encompass: not work well in this environment because the
devices are computationally limited and the no-
• Authentication: Does the user and device tion of physical security is not applicable (Kagal,
actually have the indicated identity? Finin, & Joshi, 2001). Then, considering the choices
• Authorization: Does the user have access of totally sacrificing security versus imposing a
rights for issuing service advertisements, full-fledged security structure similar to desktops
requesting services, and invoking services? and laptops, the question is whether there is any
• Trust: Are the participating user and device middle ground. Ensuring varying levels of security
trusted? Are the service and its components for various services is a research challenge. The
trusted? insufficiency of user/device identity for trust is
• Privacy: Is only the approved information another concern in designing a discovery model,
shared between the given users/devices dur- and techniques for peer trust and risk assessment
ing service discovery, advertisement and (Chen, Jensen, Gray, Cahill, & Seigneur, 2003)
invocation (SDAI) operations? Is disclosure are important tools to address this.
to unauthorized users prevented? Desired characteristics of a secure and private
• Vulnerability to attack and misuse: Are service discovery model are summarized next.
the SDAI operations protected from attacks
such as denial-of-service, spoofing, replay, • Adaptive: The trust value and security level
and man-in-the-middle? Are the SDAI opera- should be adaptable depending on the service
tions protected from misuse in enabling such itself, the service provider, and the service
attacks on other network components? requester.
• Trust reliant: The model should consider
An important question is what security, privacy, trust relationships among devices. Where
and trust mechanisms are provided by the wireless no prior information is available, reputa-
network. IEEE 802.11i, also known as WiFi Pro- tion, recommendation, or trust negotiation
tected Access 2 (WPA2), replaced Wired Equiva- schemes can be used. If these are unsuitable,
lent Privacy (WEP) with stronger encryption and then risk assessment can be used.
a new authentication mechanism incorporating an • Infrastructure independence: No infra-
authentication server such as remote authentication structure support (e.g., powerful servers,
dial in user service (RADIUS). This mechanism proxies) should be required. Then the model
while suitable for enterprise deployment has had should work independently without any
limited use in home networks because of complex external support, but be able to leverage
administration and in public hot spots due to dif- infrastructure where it exists.
ficulty administering shared keys. Thus, in the best • Lightweight: The model should be light-
case, a set of devices are authenticated in a single weight in terms of executable file size.
administrative domain, and the authentication • Service oriented: To control service security
server can be used to support authorization poli- modularly, service discovery models should
cies including policies related to service discovery be service oriented.
and use. Network packets between authenticated • Graceful performance degradation: The
users are encrypted, providing communication model should not put much overhead on the
privacy from non-authenticated parties. However, performance of the device, and performance
these security capabilities cover only a subset of should degrade gracefully for more advanced
the aforementioned security goals and are limited security features.
to single administrative domains. For interactions
Secure Service Discovery
• Energy efficient: Service discovery models of local services. After receiving a broadcast, each
should be energy conserving, for example, node updates its service list with information about
avoiding continuous broadcasting or polling. the other nodes’ services. This service information
is included in that node’s subsequent broadcast.
A classification and detailed survey of service Each node is a broadcaster and DEAPSpace uses
discovery models can be found in Zhu, Mutka, and contention timers at each node so that a node will
Ni (2002). Service-oriented architectures (SOA) randomly delay its broadcast after another broad-
and their security are discussed in Cotroneo, cast is received. DEAPSpace can reduce service
Graziano, and Russo (2004). We classify existing discovery time at the cost of increased bandwidth
service discovery models into two broad categories. and power consumption.
First are service discovery models that do not ad- INS (Winoto et al., 1999) supports both pull
dress security issues (Balazinska, Balakrishnan, and push delivery of service advertisements. It also
& Karger, 2002; Microsoft, 2000; Miller, Nixon, supports unicast, anycast, and broadcast methods.
Tai, & Wood, 2001; Nidd, 2001; Winoto, Schwartz, It offers the best-match resource information and
Balakrishnan, & Lilley, 1999). Second, there also provides facilities for limited support of
are models that consider a full-fledged security context information. In INS each device requests
mechanism with the help of infrastructure sup- a central name resolver for the type of services
port (Czerwinski, Zhao, Hodes, Joseph, & Katz, it requires, and the resolver replies with the best
1999; Zhu, Mutka, & Ni, 2003, 2004). The next matched device address.
two sections discuss examples of these cases, and
Table 1 compares the key features of the surveyed secure service discovery Models
systems.
Most contemporary service discovery models
fall into this category. There are some models
sErvIcE dIscovEry ModEls that include full-fledged security mechanisms,
wItHout InHErEnt sEcurIty while others rely on simple algorithms for limited
security. This category can be subdivided into
We describe several designs that do not address infrastructure based, infrastructureless, hardware
security requirements. Nevertheless these mod- based, and smart-space-oriented security mecha-
els are important either because the systems are nisms. In the following subsections we discuss
widely used, are representative approaches, or each of these categories.
could be secured by additional mechanisms in
a secure network. The designs we discuss are Infrastructure-based security
Bluetooth, DEAPSpace, and Intentional Naming
System (INS). UPnP is a specification for connecting multiple
Bluetooth (Bluetooth Special Interest Group devices on a home network so that these devices
[SIG], 2001a, 2001b) is a pull protocol. Device can invoke services of each other. UPnP defines a
information, services, and the characteristics of set of protocols and a service description format.
the services are queried and connections between In addition, UPnP standardizes various service
two or more Bluetooth devices are established. interfaces. UPnP relies on administratively scoped
This facilitates user selection, scope-awareness, multicast IP address for service discovery, service
and both unicast and broadcast communication. advertisement, and event delivery. Each UPnP
A Bluetooth device returns all matched resource device broadcasts its advertisements when it first
information. connects to the network. Thereafter, a UPnP device
Nidd (2001) developed the DEAPSpace service broadcasts advertisements in response to queries
discovery method for ad hoc and mobile device ap- from other devices. These queries may be for all
plications. Each node broadcasts its advertisement services on the network or a specific service on
Secure Service Discovery
Table 1. Comparison of secure service discovery models (SSDS): SSDS (Czerwinski et al., 1999), Ninja
(Goldberg, Gribble, Wagner, & Brewer, 1999; Gribble et al., 2001), UPnP (Miller et al., 2001), SPDP
(Almenarez & Campo, 2003), Progressive Exposure (Zhu et al., 2004; Zhu, Mutka, & Ni, 2006), Splendor
(Kagal, Korolev, Chen, Joshi, & Finin, 2001), Jini (Sun Microsystems, 2001), CSAS (Minami & Kotz,
2005), CSM (Brezillon & Mostefaoui, 2004), AVCM (Shankar & Arbaugh, 2002), CSRA (Tripathi, Ahmed,
Kulkarni, Kumar, & Kashiramka, 2004), TRAC (Basu & Callaghan, 2005), SME (Kopp, Lucke, & Ta-
vangarian, 2005), HCA (Pearson, 2005), SSRD (Sharmin, Ahmed, & Ahamed, 2006a), SSRD+ (Sharmin,
Ahmed, & Ahamed, 2006b), Centaurus2 (Undercoffer, Perich, Cedilnik, Kagal, & Joshi, 2003), SLP
(Barbeau, 1999; Guttman, Perkins, Veizades, & Day, 1999), Sleeper (Buford, Celebi, et al., 2006)
Infrastructure smart
service- trust Privacy context
Model Adaptive support lightweight space
oriented Aware Aware Aware
needed needed
SSDS No Yes No No N/A N/A N/A No
Ninja No Yes No No N/A N/A N/A No
UPnP No N/A No No No Yes No Limited
SPDP No No Yes No Yes N/A No No
Progressive
No Yes No No No Yes Limited No
Exposure
Splendor No Yes No No Yes Yes N/A No
Jini No N/A No No N/A Yes N/A Limited
CSAS No No Yes No N/A N/A Yes No
CSM Yes No Yes No N/A N/A Yes No
AVCM Limited No Yes No Yes Yes Yes No
CSRA No Yes No No N/A N/A Yes Yes
TRAC No N/A No No Yes Yes N/A Yes
SME Yes N/A N/A Yes N/A Yes No N/A
HCA No N/A Yes No No Yes No N/A
SSRD Yes No Yes Yes Yes Yes Limited No
SSRD+ Yes No Yes Yes Yes Limited Yes No
Centaurus Yes Yes No No No N/A Yes No
SLP No Yes Yes Yes No No No No
Sleeper Yes No Yes Yes Yes Yes No No
the network. UPnP Device Security specification heterogeneous network domains. The system uses a
defines security mechanisms for simple object ac- local certificate authority (CA) and each entity must
cess protocol (SOAP)-based service invocation, but be pre-registered in the system. The CA issues a
does not address simple service discovery protocol certificate to each identified and verified entity. The
(SSDP) security. design of Centaurus2 includes four components,
As an extension of project Centaurus (Kagal, and each component has a separate private key
Korolev, Avancha, et al., 2001; Kagal, Korolev, which is stored at the client using PKCS #11:
Chen, et al., 2001), Centaurus2 (Undercoffer et al.,
2003) provides a secure mechanism for service dis- 1. The local CA is responsible for issuing digital
covery and enables users to access services across certificates and for validating these digital
certificates.
Secure Service Discovery
2. The communication manager mediates com- access or denial respectively. This approach fa-
munication between clients and networked cilitates confidentiality, integrity, and scalability.
services. To authorize access, CSAS uses previously stored
3. Group membership(s) is maintained and information, which may be difficult to collect for
stored by the capability manager. users in an ad hoc network.
4. Each client is registered to a specific service Splendor (Zhu et al., 2003) is a secure, private,
manager that ensures security, access rights, and location-aware service discovery protocol.
and mediates between user client and service Splendor adapts depending on the network en-
client. Service managers maintain a service vironment to use either a client-service model or
registry. client-service-directory model. Proxies are used to
offload workload for mobile services. Mobile ser-
Each domain has a root service manager. Static vices authenticate with proxies and proxies handle
bridges are configured between service managers registration. In these situations, proxies are consid-
in different domains. Then clients in separate do- ered to be trusted servers. However, if no trusted
mains can access services across domains using server is available in an environment, then there
the root service manager as the context. is no agent to handle the registration. Its security
In SSDS (Czerwinski et al., 1999), both service model is based on mutual authentication.
advertisement pull (query) and push (announce- Progressive Exposure (Zhu et al., 2004, 2006)
ment) are supported. Service advertisements are is a secure service discovery approach. It ad-
stored in a hierarchy of servers. SSDS provides dresses privacy issues using a mutual matching
capability-based access control. All information technique. Progressive exposure addresses security
passed between clients and servers is encrypted. and fairness by not exposing too much informa-
A single copy of the resource information is stored tion. In each round of message exchange between
and accessed, which makes the system vulner- communicating parties, it tries to find whether
able to single point failure. Subsequently, the any mismatch occurs. In case of a mismatch, the
Ninja project (Goldberg et al., 1999; Gribble et al., communication stops. It uses one-time code words
2001) added the concept of secure identification and a hash-based message authentication code. It
of service through SSDS. In Ninja, the CA issues considers the presence of one user and one service
valid certificates and the capability manager au- provider, but it does not address situations in which
thorizes user access to a particular resource. The many users and many service providers are present.
service providers can also prescribe the conditions When a service provider leaves the network, the
(capabilities) that are needed by a user in order to process of provider lookup and the authentication
discover a particular service. phase is restarted. It provides privacy for service
The context-sensitive authorization scheme information, requests, domain identity, and user
(CSAS) (Minami & Kotz, 2005) provides authoriza- credentials, and is based on the client-service-
tion without a central server or CA. When a CSAS directory model.
user wants to access a service from a resource,
the associated server issues a logical authentica- Infrastructure-less security
tion query and sends it to the host of the resource.
Each host has a knowledge domain with which it SPDP (Almenarez & Campo, 2003) is a secure
attempts to prove the authorization query. If it fails, service discovery protocol based on the PTM
it distributes several portions of the proof to multiple (Almenarez, Marin, Campo, & Garcia, 2004; Al-
hosts. Through this distribution CSAS reduces the menarez, Marin, Dyaz, & Sanchez, 2006) model.
computational overhead on any single node. After The need for a centralized server is avoided by
collecting the sub-proofs from the other hosts, the having each device act as its own CA. For a service
host of the resource can declare the result of the request, this model uses broadcast messaging. The
query to be true or false, thus indicating grant of requesting device updates its cache after getting a
Secure Service Discovery
reply from the devices (if any reply). It then stores language (WSDL) and resource description frame-
the device identities that it believes trustworthy. work (RDF) conditions for security, and policies for
The devices’ user agents continually listen for the binding protocol. The binding protocol specifies
messages, which in turn means continual energy whether the binding of a resource is “shared” or
consumption. “private,” and whether the binding is “permanent”
Narendar Sarkar et al. (Shankar & Arbaugh, or “context-based.”
2002) propose an attribute vector calculus (AVCM) Basu and Callaghan (2005) present a TRAC
for modeling trust. Their model describes both for increasing security and user confidence in
identity-based trust and context-based trust and is pervasive computing systems. They use trust and
one of the first models that discusses the importance role-based access control for ensuring security and
of trust in a ubiquitous environment. Brezillion privacy. However their model is aimed at an intel-
and Mostefaoui (2004) present a context-based ligent environment (IE) only. This policy-based
security model (CSM) and they discuss the need for model allows users to define policies for themselves
adaptive security based on the particular situation. and thus gives users control to define their own
Thomas and Sandhu (2004) present the challenges security level. This model works in an IE because
and research issues for secure pervasive computing. every user is known beforehand. However, in a
They express the need for a dynamic trust model truly pervasive environment it is not possible to
as the pervasive computing environment poses have prior information about every user and thus,
new kinds of security challenges due to its diverse this model is not applicable.
nature. They present a socio-technical view.
A smart space provides devices with complex com- We next describe two service discovery protocols,
putational support that supports context-awareness Sleeper and SSRD, which incorporate trust models
and collaboration. Components of the smart space for infrastructure-less security.
can offload secure discovery tasks and relate them
to other activities in the space. Examples include sleeper
context-based secure resource access (CSRA)
(Tripathi et al., 2004) and trust-based architecture Sleeper (Buford, Celebi, et al., 2006) is an en-
(TRAC) (Basu & Callaghan, 2005). ergy-preserving service discovery protocol which
CSRA (Tripathi et al., 2004) focuses on context- features dynamic proxy selection for advertise-
aware discovery of resources and how to access ment and discovery so that nodes can go to power
resources in a secure and unobtrusive manner. In standby while the proxy advertises on their behalf.
a pervasive computing environment the rules and The basic node states and transitions for Sleeper
limitations imposed by the user, system, and the are shown in Figure 2. An off-line or disconnected
collaborative activity scenario have to be combined node moves to an online state and broadcasts a
dynamically at runtime. CSRA uses a namespace join message that includes its advertisements and
related to each user and domain. These namespaces their popularity metrics. The current proxy caches
collect resources, services, and activities. The these advertisements. Any proxy-candidate node
binding protocol defines the association of a user may also cache these advertisements. An online
to a specific resource in the space. The binding node may broadcast a leave message prior to go-
changes based on the contextual information of ing off-line; if a leave message is not transmitted,
the user including the location, activity, and role. advertisements may be purged from the proxy and
A descriptor is associated with each namespace other online nodes’ cache by expiration. Transi-
that combines functional attributes collected from tions to/from standby state may also be indicated
resource descriptions in Web services description by broadcast messages.
Secure Service Discovery
An online node can be in one of four states et al., 2001). In this design, access control policies
(Figure 2). Every node initially goes online as a determine which credentials, services, and policies
non-proxy node. A proxy-capable node becomes should be disclosed during a negotiation. Policies
a proxy-candidate. There may be more than one and credentials are secured locally at each node
proxy-candidate at any time. When no proxy is but are disclosed during negotiation to the remote
detected, for example by absence of a service ad- party. Sleeper nodes establish mutual trust using
vertisement broadcast or at the exit of a proxy, the the trust negotiation mechanism defined in Buford,
first proxy-candidate to issue the proxy bootstrap Park, and Perkins (2006). Assuming that each peer
becomes the proxy. A vacating proxy may transfer caches public keys for certificate issuers that are
its cache to the new proxy, or the new proxy may relevant to its peer trust policies, then peer trust
collect advertisements from online nodes through establishment can be performed without a central-
the bootstrap. Nodes which are in standby state ized authority. A service discovery mechanism
during the proxy change may be polled by the is privacy preserving, if a peer can discover the
new proxy after the standby node transitions to service description using the mechanism only if the
online. peer satisfies the criteria C. Thus a mechanism that
Sleeper uses property-based peer trust to secure only distributes service descriptions to peers which
service discovery operations. In property-based or are members of group G with criteria C is privacy
credential-based trust (Hess et al., 2002; Seamons, preserving. Sleeper uses trust negotiation to create
Winslett, & Yu, 2001), each party has a set of certi- groups of peers that satisfy membership criteria C.
fied attributes (e.g., credit card numbers, employee Group management is provided by a group service
ID) that are exchanged to establish mutual trust. (GS) that is available at every peer. The GS caches
The typical components of a mechanism to provide private service descriptions for each group and
property-based trust include: allows only group members to retrieve them. The
GS publishes encrypted service descriptions that
• Trust negotiation protocol can only be decrypted by members of G. These
• Trust negotiation policies encrypted service descriptions are broadcasted to
• Credentials all connected peers, but can only be decrypted by
group members.
A method for trust negotiation has been defined The secure agent technology (Buford, Park, et
for client-server context (Hess et al., 2002; Seamons al., 2006) used in Sleeper for trust negotiation can
also be used for enabling trust in service composi-
tion (Buford, Kumar, & Perkins, 2006).
Figure 2. Sleeper node states and state transitions;
online nodes can be in one of four states (Buford ssrd
et al., 2006)
With a view to ensure enhanced security through
a lightweight solution for resource discovery in
pervasive environment, simple and secure re-
source discovery (SSRD) has been proposed by
the researchers in Sharmin et al. (2006a). The
fundamental part of the solution is a trust–based,
service-oriented adaptive security mechanism built
on middleware adaptability for resource discovery,
knowledge usability, and self-healing (MARKS), a
middleware and framework developed for resource
constrained pervasive devices for pervasive appli-
cations (Sharmin et al., 2006b). The SSRD unit of
Secure Service Discovery
Figure 3. Sleeper groups in broadcast of advertise- Figure 4. Resource discovery model (Sharmin et
ments; symmetric keys are broadcast with public al., 2006a)
key encryption (Buford, Celebi, et al., 2006)
0
Secure Service Discovery
that is unobtrusive to the user and makes it possible trust formation, evolution, and exploitation. In
to securely provide and discover the services avail- general, trust is formed by experience through
able for the user in a transparent manner. Some earlier interactions, verifiable properties of each
of the open issues regarding challenges in secure party, recommendations from trusted entities, and
and private service discovery are highlighted in reputation in a community. The challenges faced
this section. during trust establishment are due to the absence
of a global trust framework, the large number of
Privacy autonomous and anonymous entities, the large
number of domains, and different trust require-
Although contextual information plays a pivotal ments for large number of application contexts.
role in dynamic pervasive environments, it may Recent context-aware trust models focus on
also expose private information. When granting dynamic trust values, which are updated over time
access to a service, a person’s context information and distance and incorporate behavioral models for
like location, time, and activity can be exposed. evolution of trust. Risk analysis maps each action
Further, policies and constraints are themselves to possible outcomes associated with a cost/ben-
subject to privacy protection. Private information efit. Decisions consider the likelihood of the risk
management, such as the recursive constraint and cost. Unresolved issues in trust establishment
based security model in Hengartner and Steen- include detecting and prevent collusion, manag-
kiste (2006), is one approach to prevent direct ing the trade-off between privacy and property
information leakage. However, such mechanisms disclosure, and efficient trust mechanisms in large
are generally susceptible to attacks involving col- communities.
lusion and inference.
In a context- and location-sensitive medical Multi-Protocol Environments
application, researchers developed a system for
practitioners to easily share context in their work The combination of multi-homed mobile devices
tasks. Subsequently, questions of privacy led the and multiple service discovery protocols means that
designers to limit access to this information. As service access may cross not only administrative
another example, the Gaia project has shown a pri- boundaries but also different service discovery
vacy preserving hop by hop routing algorithm that domains with varying security properties. As an
carries information about the location of the user example, a mobile device may include protocol
but does not reveal the exact location or identity support for Bluetooth, SLP, and UPnP. Then the
of the user. Thus the privacy level and willing- device can easily discover services in different
ness of disclosure of personal information varies domains that it roams to, if these domains use dif-
depending on information type, collection method, ferent service discovery protocols. As a multi-home
time, and other factors. In some scenarios users device, it may simultaneously connect to domains
are reluctant to disclose identity information but do with different service discovery protocols.
not care about location information. The situation As a second example, a single user may have a
might be reversed in other cases. Formulation of set of personal mobile devices configured in a PAN.
policies that are understood and can be managed These devices can use the PAN security mechanism
by users is an important goal. for security and privacy control, and identity-based
authentication for mutual trust. The PAN may sup-
trust port a specific service discovery protocol. One or
more of the devices in the PAN may also connect to
As discussed earlier, a key element for secure outside networks with different service discovery
service discovery in ad hoc environments is the protocols and security mechanisms.
ability to establish a level of trust betweens peers. These types of scenarios indicate that future
The trust life cycle can be narrated in short as mobile devices may need to operate in multiple
Secure Service Discovery
security contexts. In these cases there is the po- services that may be created from different service
tential for conflicting access policies and unantici- sources. Composition trust bindings (Buford, Ku-
pated information flows between different regions. mar, et al., 2006) are one approach for providing
Further, there are challenges in managing groups trust in both control and data paths in peer-to-peer
across domains and mapping service semantics service composition.
and identities between different domains.
Secure Service Discovery
cases, and when the devices/users are not a priori Workshop on Intelligent Environments 2005 (IE05)
mutually authenticated. Consequently, we do not (pp. 223-229).
expect that improvements in the security of wire-
Bluetooth Special Interest Group. (2001a). Speci-
less networks, while important, will be sufficient
fication of the Bluetooth system—Core [Version
to address all the requirements identified here for
1.1].
secure service discovery.
Toward this end, after surveying a variety of Bluetooth Special Interest Group. (2001b). Speci-
approaches to secure service discovery today, fication of the Bluetooth system—Core [Version
we presented case studies of two recent service 1.1.]. SDP specification (Vol. 1 part E).
discovery protocols, which include trust establish-
ment mechanisms to enable trust between a priori Brezillon, P., & Mostefaoui, G. (2004). Context-
untrusted devices and peers. We also provided a based security policies: A new modeling approach.
summary of future research directions. In Second IEEE International Conference on
Pervasive Computing and Communications-work-
shops (pp. 154-158).
rEfErEncEs Buford, J., Brown, A., & Kolberg, M. (2006). Meta
service discovery. In Proceedings of the Fourth
Almenarez, F., & Campo, C. (2003). SPDP: A secure IEEE Conference on Pervasive Computing and
service discovery protocol for ad-hoc networks. In Communications Workshops, Workshop on Mobile
Ninth Open European Summer School and IFIP Peer-to-peer (pp. 124-129).
Workshop on Next Generation Networks (EUNICE
2003) (pp. 213-218). Buford, J., Burg, B., Celebi, E., & Frankl, P. (2006).
Sleeper: A power-conserving service discovery
Almenarez, F., Marin, A., Campo, C., & Garcia, C. protocol. In Third Annual International Conference
(2004). PTM: A pervasive trust management model on Mobile and Ubiquitous Systems, Networking,
for dynamic open environments. In Pervasive and Services (Mobiquitous 2006) (pp. 1-10).
Security, Privacy, and Trust (PSPT 2004).
Buford, J., Celebi, E., & Frankl, P. (2006). Property-
Almenarez, F., Marin, A., Dyaz, D., & Sanchez, based peer trust in the sleeper service discovery pro-
J. (2006). Developing a model for trust manage- tocol. In 30th Annual International Computer Soft-
ment in pervasive devices. In Fourth Annual IEEE ware and Applications Conference (COMPSAC ’06),
International Conference on Pervasive Computing Workshop on Security, Privacy, and Trust for
and Communications Workshops (PERCOMW’06) Pervasive Applications (SPTPA 2006 ) (Vol. 2, pp.
(pp. 267-271). 209-214).
Balazinska, M., Balakrishnan, H., & Karger, D. Buford, J., Kumar, R., & Perkins, G. (2006). Com-
(2002). INS/Twine: A scalable peer-to-peer ar- position trust bindings in pervasive computing
chitecture for intentional resource discovery. In service composition. In Proceedings of the Fourth
International Conference on Pervasive Computing IEEE Conference on Pervasive Computing and
(pp. 195-210). Communications Workshops, Workshop on Per-
vasive Computing and Communication Security
Barbeau, M. (1999). Service discovery in a mobile
(PerSec) (pp. 261-266).
agent API using SLP. In Global Telecommunica-
tions Conference (GLOBECOM ’99) (Vol. 1a, pp. Buford, J., Park, I., & Perkins, G. (2006). Social
391-395). certificates and trust negotiation. In Third IEEE
Consumer Communications and Networking
Basu, J., & Callaghan, V. (2005). Towards a trust
Conference (CCNC 2006) (pp. 615-619).
based approach to security and user confidence in
pervasive computing systems. In IEE International
Secure Service Discovery
Chen, Y., Jensen, C., Gray, E., Cahill, V., & Sei- Hess, A., Jacobson, J., Mills, H., Wamsley, R.,
gneur, J. (2003). A general risk assessment of Seamons, K., & Smith, B. (2002). Advanced cli-
security in pervasive computing (Tech. Rep. No. ent/server authentication in TLS. In Network and
TCD-CS-2003-45). The University of Dublin, Trin- Distributed System Security Symposium.
ity College, Department of Computer Science.
Joseph, A., Katz, R., Mao, Z., Ross, S., & Zhao, B.
Cotroneo, D., Graziano, A., & Russo, S. (2004). (2001). The Ninja architecture for robust Internet-
Security requirements in service oriented architec- scale systems and services. Computer Networks,
tures for ubiquitous computing. In Proceedings of 35(4), 473-497.
the Second Workshop on Middleware for Pervasive
Kagal, L., Finin, T., & Joshi, A. (2001). Trust-based
and Ad-hoc Computing (pp. 172-177).
security in pervasive computing environments.
Czerwinski, S., Zhao, B., Hodes, T., Joseph, A., & IEEE Computer, 34(12), 154-157.
Katz, R. (1999). An architecture for a secure service
Kagal, L., Finin, T., Joshi, A., & Greenspan, S.
discovery service. In Fifth Annual International
(2006). Security and privacy challenges in open
Conference on Mobile Computing and Networks
and dynamic environments. IEEE Computer,
(MobiCom ’99) (pp. 24-35).
39(6), 89-91.
Ganu, S., Krishnakumar, A., & Krishnan, P. (2004).
Kagal, L., Korolev, V., Avancha, S., Joshi, A.,
Infrastructure-based location estimation in WLAN
Finin, T., & Yesha, Y. (2001). Highly adaptable
networks. In IEEE Wireless Communications and
infrastructure for service discovery and manage-
Networking Conference (WCNC) (pp. 465-470).
ment in ubiquitous computing (Tech. Rep. No. TR
Garlan, D., Siewiorek, D., Smailagic, A., & Steen- CS-01-06). Baltimore: University of Maryland,
kiste, P. (2002). Project Aura: Towards distrac- Department of Computer Science and Electrical
tion-free pervasive computing. IEEE Pervasive Engineering.
Computing, 1(2), 22-31.
Kagal, L., Korolev, V., Chen, H., Joshi, A., &
Goldberg, I., Gribble, S., Wagner, D., & Brewer, E. Finin, T. (2001). Project Centaurus: A framework
(1999). The Ninja jukebox. In Proceedings of the for intelligent services in a mobile environment. In
Second USENIX Symposium on Internet Technolo- International Workshop of Smart Appliances and
gies and Systems (USITS-99) (pp. 37-46). Wearable Computing, International Conference of
Distributed Computing Systems (pp. 195-201).
Gribble, S., Welsh, M., Von Behren, R., Brewer,
E., Culler, D., Borisov, N., et al. (1999). Service Kindberg, T., & Fox, A. (2002). System software
location protocol version 2 (RFC 2608). Retrieved for ubiquitous computing. IEEE Pervasive Com-
from http://www.faqs.org/rfcs/rfc2608.html puting, 1(1), 70-81.
He, R., Niu, J., Yuan, M., & Hu, J. (2004). A novel Kopp, H., Lucke, U., & Tavangarian, D. (2005).
cloud-based trust model for pervasive comput- Security architecture for service-based mobile
ing. In The Fourth International Conference on environment. In Proceedings of the Third IEEE
Computer and Information Technology (CIT ’04) Conference on Pervasive Computing and Com-
(pp. 693-700). munications Workshops (pp. 199-203).
Hengartner, U., & Steenkiste, P. (2006). Avoiding Lee, C., & Helal, S. (2002). Protocols for service
privacy violations caused by context-sensitive discovery in dynamic and mobile networks. In-
services. In Proceedings of the Fourth Annual ternational Journal of Computer Research, 11(1),
IEEE International Conference on Pervasive 1-12.
Computer and Communications (PerCom 2006)
Matsumiya, K., Tamaru, S., Suzuki, G., Nakazawa,
(pp. 222-233).
J., Takashio, K., & Tokuda, H. (2004). Improving
Secure Service Discovery
security for ubiquitous campus applications. In Sharmin, M., Ahmed, S., & Ahamed, S. (2006a).
Symposium on Applications and the Internet- MARKS (middleware adaptability for resource
Workshops (SAINT 2004) (pp. 417-422). discovery, knowledge usability, and self healing)
in pervasive computing environments. In Third
Microsoft Corporation. (2000). Universal plug and
International Conference on Information Technol-
play device architecture, Version 1.0.
ogy: New Generations (pp. 306-313).
Miller, B., Nixon, T., Tai, C., & Wood, M. (2001).
Sharmin, M., Ahmed, S., & Ahamed, S. (2006b). An
Home networking with universal plug and play.
adaptive lightweight trust reliant secure resource
IEEE Communications Magazine, 39(12), 104-
discovery for pervasive computing environments.
109.
In Proceedings of the fourth annual IEEE inter-
Minami, K., & Kotz, D. (2005). Secure context- national conference on pervasive computer and
sensitive authorization. In Proceedings of the Third communications (PerCom 2006) (pp. 258-263).
International Conference on Pervasive Computing
Sharmin, M., Ahmed, S., & Ahamed, S. (2006c).
and Communications Workshops (PerCom 2005)
SSRD+: A privacy-aware trust and security model
(pp. 257-268).
for resource discovery in pervasive computing
Nidd, M. (2001). Service discovery in DEAPspace. environment. In 30th Annual International Com-
IEEE Personal Communications, 8(4), 39-45. puter Software and Applications Conference
(COMPSAC 2006) (pp. 67-70).
Pearson, S. (2005). How trusted computers can
enhance privacy preserving mobile applications. Smith, B., Seamons, K., & Jones, M. (2004). Re-
In Proceedings of the Sixth International IEEE sponding to policies at runtime in TrustBuilder. In
Symposium on a World of Wireless Mobile and Fifth International Workshop on Policies for Dis-
Multimedia Networks (WoWMoM’05) (pp. 609- tributed Systems and Networks (POLICY 2004).
613).
Stajano, F. (2002). Security for ubiquitous com-
Robinson, P., Vogt, H., & Wagealla, W. (Eds.). puting. West Sussex, England: John Wiley and
(2005). Privacy, security and trust within the con- Sons.
text of pervasive computing. Heidelberg, Germany:
Stajano, F., & Anderson, R. (2002). The resur-
Springer-Verlag.
recting duckling: Security issues for ubiquitous
Saha, S., Chaudhuri, K., Sanghi, D., & Bhagwat, computing. IEEE Computer, 35(4), 22-26.
P. (2003). Location determination of a mobile de-
Sun Microsystems. (2001). Jini™ technology core
vice using IEEE 802.11b access point signals. In
platform specification, version 1.2.
IEEE Wireless Communications and Networking
Conference (WCNC) (pp. 1987-1992). Thomas, R., & Sandhu, R. (2004). Models, pro-
tocols, and architectures for secure pervasive
Satyanarayanan, M. (1996). Fundamental chal-
computing: challenges and research directions. In
lenges in mobile computing. In Fifteenth ACM
Second IEEE International Conference on Perva-
Symposium on Principles of Distributed Comput-
sive Computing and Communications—Workshops
ing (pp. 1-7).
(PerCom 2004) (pp. 164-168).
Seamons, K., Winslett, M., & Yu, T. (2001). Limit-
Tripathi, A., Ahmed, T., Kulkarni, D., Kumar,
ing the disclosure of access control policies dur-
R., & Kashiramka, K. (2004). Context-based
ing automated trust negotiation. In Network and
secure resource access in pervasive computing
Distributed System Security Symposium.
environments. In Second IEEE Annual Confer-
Shankar, N., & Arbaugh, W. (2002). On trust for ence on Pervasive Computing and Communica-
ubiquitous computing. Workshop on security in tions—Workshops. (p. 159).
ubiquitous computing (UBICOMP 2002).
Secure Service Discovery
Undercoffer, J., Perich, F., Cedilnik, A., Kagal, Zhu, F., Mutka, M., & Ni, L. (2003). Splendor:
L., & Joshi, A. (2003). A secure infrastructure A secure, private, and location-aware service
for service discovery and access in pervasive discovery protocol supporting mobile services.
computing. Mobile Networks and Applications, In Proceedings of the First IEEE Conference on
8(2), 113-125. Pervasive Computing and Communications (Per-
Com 2003) (pp. 235-242).
Want, R., & Pering, T. (2005). System challenges
for ubiquitous and pervasive computing. In Twenty- Zhu, F., Mutka, M., & Ni, L. (2004). PrudentExpo-
seventh International Conference on Software sure: A private and user-centric service discovery
Engineering (ICSE 2005) (pp. 9-14). protocol. In Proceedings of the Second IEEE
Conference on Pervasive Computing and Com-
Weiser, M. (1991). The computer for the twenty-first
munications (PerCom 2004) (pp. 329-340).
century. Scientific American, 265(3), 94-104.
Zhu, F., Mutka, M., & Ni, L. (2005). Expose or
Weiser, M. (1993). Some computer science prob-
not? A progressive exposure approach for service
lems in ubiquitous computing. Communications
discovery in pervasive computing environments.
of the ACM, 36(7), 75-84.
In Proceedings of the Third IEEE Conference
Winoto, W., Schwartz, E., Balakrishnan, H., & on Pervasive Computing and Communications
Lilley, J. (1999). The design and implementation of (PerCom 2005) (pp. 225-234).
an intentional naming system. In 17th ACM Sym-
Zhu, F., Mutka, M., & Ni, L. (2006). A private, se-
posium on Operating Systems Principles (SOSP
cure, and user-centric information exposure model
’99) (pp. 186-201).
for service discovery protocols. IEEE Transactions
Winslett, M. (2003). An introduction to automated on Mobile Computing, 5(4), 418-429.
trust establishment. First international conference
Zimmermann, P. (1995). PGP source code and
on trust management.
internals. Cambridge, MA: MIT Press.
Wu, C., Fu, L., & Lian, F. (2004). WLAN loca-
tion determination in e-home via support vector
classification. In IEEE Conference on Networking,
kEy tErMs
Sensing & Control (pp. 1026-1031).
Context: Context is the location, time, and
Youssef, M., Agrawala, A., & Udaya, A. (2003). activity state of the user when performing a service-
WLAN location determination via clustering and related operation such as discovery, advertisement,
probability distributions. In Proceedings of the or invocation.
First Annual IEEE International Conference on
Federated Discovery: Federated discovery
Pervasive Computer and Communications (Per-
is a service discovery mechanism that incorpo-
Com 2003) (pp. 143-150).
rates two or more different service advertisement
Yu, T., & Winslett, M. (2003). A unified scheme mechanisms.
for resource protection in automated trust negotia-
Meta Discovery: Meta discovery is the dis-
tion. In IEEE Symposium on Security and Privacy
covery of a service discovery mechanism by using
(pp. 110-122).
meta information about that mechanism (Buford,
Zhu, F., Mutka, M., & Ni, L., (2002). Classifica- Brown et al., 2006).
tion of service discovery in pervasive computing
Peer Trust: Peer trust is the degree to which
environments (Tech. Rep. No. MSU-CSE-02-24).
a peer device is willing to disclose information or
East Lansing: Michigan State University.
provide access to resources to another peer, and
Secure Service Discovery
which may be determined by experience through and security policies of the devices participating
earlier interactions, verifiable properties of each in the service location process.
party, recommendations from trusted entities, and
Service Composition: Service composition is
reputation in a community.
the ability to dynamically discover and combine
Pervasive Computing: Pervasive computing component services to form new services.
is the evolution of distributed computing in which
Service Discovery: Service discovery occurs
networked computing devices are integrated
when device resources and functions are packaged
throughout the personal and work environments
as services, in a networked environment, and a
in a connected way, also referred to as ubiquitous
device finds another device capable of offering a
computing.
specific service or resource.
Secure Service Discovery: Secure service
discovery is service discovery that enforces privacy
Chapter III
Security of Mobile Code
Zbigniew Kotulski
Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland
Aneta Zwierko
Warsaw University of Technology, Poland
AbstrAct
The recent development in the mobile technology (mobile phones, middleware, wireless networks, etc.)
created a need for new methods of protecting the code transmitted through the network. The oldest
and the simplest mechanisms concentrate more on integrity of the code itself and on the detection of
unauthorized manipulation. The newer solutions not only secure the compiled program, but also the
data, that can be gathered during its “journey,” and even the execution state. Some other approaches
are based on prevention rather than detection. In this chapter we present a new idea of securing mobile
agents. The proposed method protects all components of an agent: the code, the data, and the execution
state. The proposal is based on a zero-knowledge proof system and a secure secret sharing scheme, two
powerful cryptographic primitives. Next, the chapter includes security analysis of the new method and
its comparison to other currently more widespread solutions. Finally, we propose a new direction of
securing mobile agents by straightening the methods of protecting integrity of the mobile code with risk
analysis and a reputation system that helps avoiding a high-risk behavior.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security of Mobile Code
The mobile agent systems offer new possibili- • Weakly mobile: Only the code is migrating;
ties for the e-commerce applications: creating new no execution state is sent along with an agent
types of electronic ventures from e-shops and e- program
auctions to virtual enterprises and e-marketplaces. • Strong mobile: A running program is mov-
Utilizing the agent system helps to automate many ing to another execution location (along with
e-commerce tasks. Beyond simple information its particular state)
gathering tasks, mobile agents can take over all
tasks of commercial transactions, namely, price The protection of the integrity of the mobile
negotiation, contract signing, and delivery of agent is the most crucial requirement for the agent
(electronic) goods and services. Such systems are system. The agent’s code and internal data autono-
developed for diverse business areas, for example, mously migrate between hosts and can be easily
contract negotiations, service brokering, stock changed during the transmission or at a malicious
trading, and many others (Corradi, Cremonini, host site. A malicious platform may make subtle
Montanari, & Stefanelli, 1999; Jansen & Karygi- changes in the execution flow of the agent’s code;
annis, 1999; Kulesza & Kotulski, 2003). Mobile thus, the changes in the computed results are dif-
agents can also be utilized in code-on-demand ficult to detect. The agent cannot itself prevent this,
applications (Wang, Guan, & Chan, 2002). Mobile but different countermeasures can be utilized in
agent systems have advantages even over grid order to detect any manipulation made by an un-
computing environments: authorized party. They can be integrated directly
into the agent system, or only into the design of an
• Require less network bandwidth agent to extend the capabilities of the underlying
• Increase asynchrony among clients and serv- agent system. However, the balance between the
ers security level and solution implementation’s cost,
• Dynamically update server interfaces as well as performance impact, has to be preserved.
• Introduce concurrency Sometimes, some restrictions of agent’s mobility
may be necessary.
The benefits from utilizing the mobile agents Accountability is also essential for the proper
in various business areas are great. However, this functioning of the agent system and establishing
technology brings some serious security risks; trust between the parties. Even an authenticated
one of the most important is the possibility of agent is still able to exhibit malicious behavior to the
tampering with an agent. In mobile agent systems platform if such a behavior cannot later be detected
the agent’s code and internal data autonomously and proved. Accountability is usually realized by
migrate between hosts and can be easily changed maintaining an audit log of security-relevant events.
during the transmission or at a malicious host site. Those logs must be protected from unauthorized
The agent cannot itself prevent this, but different access and modification. Also the non-repudiability
countermeasures can be utilized in order to detect of logs is a huge concern. An important factor of
any manipulation made by an unauthorized party. accountability is authentication. Agents must be
They can be integrated directly into the agent sys- able to authenticate to platforms and other agents
tem, or only into the design of an agent to extend and vice versa. An agent may require different
the capabilities of the underlying agent system. degrees of authentication depending on the level
Several degrees of agent’s mobility exist, cor- of sensitivity of the data.
responding to possibilities of relocating code and The accountability requirement needs also to
state information, including the values of instance be balanced with an agent’s need for privacy. The
variables, the program counter, execution stack, platform may be able to keep the agent’s identity
and so forth. The mobile agent technologies can secret from other agents and still maintain a form
be divided in to two groups: of revocable anonymity where it can determine
the agent’s identity if necessary and legal. The
Security of Mobile Code
security policies of agent platforms and their audit- method to provide such an environment is special
ing requirements must be carefully balanced with tamper-resistant hardware, but the cost of such a
agent’s privacy requirements. solution is usually very high.
Threats to security generally fall into three main The second group of methods provides the
classes: (1) disclosure of information, (2) denial of agents’ manager with tools to detect that the agent’s
service, and (3) corruption of information (Jansen, data or code has been modified, or an agent with a
1999). Threats in agent system can be categorized mechanism that prevents a successful, unauthor-
with regard to agents and platform relations (e.g., ized manipulation. In this chapter we concentrate
agent attacking an agent, etc.). Another taxonomy on the “built-in” solutions because they enable
of attacks in agent system was proposed in Man an agent to stay mobile in the strong sense and,
and Wei (2001). The article describes two main moreover, provide the agent with mechanisms to
categories of attacks: purposeful and frivolous. detect or prevent tampering. Detection means that
The first kind is carefully planned and designed the technique is aimed at discovering unauthorized
and can be further classified by the nature of attack modification of the code or the state information.
(read or non-read) and number of attackers (solo or Prevention means that the technique is aimed at
collaborative). During the second kind of attacks, preventing changes of the code and the state infor-
the attacker may not know the effect of his/her mation in any way. To be effective, detection tech-
actions or gain an advantage. These attacks can niques are more likely than prevention techniques
be random or total. Another category of attacks is to depend on legal or other social framework. The
connected with traffic analysis (Kulesza, Kotul- distinction between detection and prevention can
ski, & Kulesza, 2006) or called blocking attacks be sometimes arbitrary, since prevention often
(when a malicious platform refuses to migrate the involves detection (Jansen, 2000).
agent), as described by Shao and Zhou (2006). In
this chapter we will focus on the threats from an
agent’s perspective. bAckground
Among the mentioned threats, the most impor-
tant are connected with the agent platform since Many authors proposed methods for protecting
the most difficult to ensure is the agent’s code/state integrity of the mobile code. The most interesting
integrity. There are two main concepts for protect- of them are presented in this section.
ing mobile agent’s integrity:
time limited black-box security and
• Providing trusted environment for agent’s obfuscated code
execution
• Detection or prevention of tampering These methods are based on a black-box approach.
The main idea of the black-box is to generate ex-
The first group of methods is more concentrated ecutable code from a given agent’s specification
on the whole agent system than on an agent in that cannot be attacked by read (disclosure) or
particular. These seem to be easier to design and modification attacks. An agent is considered to be
implement but, as presented in Oppliger (2000), black-box if at any time the agent code cannot be
mostly lead to some problems. The assumption that attacked in the previous sense, and if only its input
an agent works only with a group of trusted hosts and output can be observed by the attacker. Since
makes the agent less mobile than it was previously it is not possible to implement it today, the relax-
assumed. Also an agent may need different levels ation of this notion was introduced Hohl (1998): it
of trust (some information should be revealed to is not assumed that the black-box protection holds
host while in another situation it should be kept forever, but only for a certain known time. Accord-
secret). Sometimes, it is not clear in advance that ing to this definition, an agent has the time-limited
the current host can be considered as trusted. A black-box property if for a certain known time it
0
Security of Mobile Code
Security of Mobile Code
Security of Mobile Code
Security of Mobile Code
Possible attacks against this method include: agent place, which receives an agent to verify that
it has not been compromised. This saves computing
• Eavesdropping: If the data are not protected power because if an agent has indeed been com-
in any way (e.g., not encrypted) it can be read promised, the agent place can reasonably refuse
by every host. to execute the compromised agent.
• Manipulation: The malicious host can try to
manipulate either the agent’s code or data to Environmental key generation
change the results and still keep the proper
mark. This scheme allows an agent to take a predefined
• Collusion: Colluding hosts cannot extract action when some environmental condition is true
any information about the mark comparing (Riordan & Schneier, 1998). The approach centers
their data or results, because every host has a on constructing agents in such a way that upon
different input data and a different embedded encountering an environmental condition (e.g., via
mark. a matched search string), a key is generated, which
is then used to cryptographically unlock some
The difference between mobile agent water- executable code. The environmental condition is
marking and fingerprinting is the fact that in the hidden through either a one-way hash or public
second case it is possible to detect collusion attacks key encryption of the environmental trigger. This
performed by a group of dishonest hosts. technique ensures that a platform or an observer
of the agent cannot uncover the triggering mes-
Publicly Verifiable Chained digital sage or response action by directly reading the
signatures agent’s code.
This protocol, proposed by Karjoth (1998) allows Itinerary recording with replication
verification of the agent’s chain of partial results and voting
not only by the originator, but also by every agent
place. However, it is still vulnerable to interleaving A faulty agent platform can behave similarly to a
attacks. This protocol makes it possible for every malicious one. Therefore, applying fault tolerant
Security of Mobile Code
capabilities to this environment should help coun- • If we have x1 and f(x1) then it is computationally
ter the effects of malicious platforms (Schneider, infeasible to find such x2 that f(x1) = f(x2)
1997). One such technique for ensuring that a
mobile agent arrives safely at its destination is If the secret is kept within an agent, then also
through the use of replication and voting. Rather the host can use the zero-knowledge protocol to
than using a single copy of an agent to perform a verify it. Every authorized change of agent’s state
computation, multiple copies are used. Although results in such a change of the secret that the secret
a malicious platform may corrupt a few copies of remains valid. On the other hand, every unauthor-
the agent, enough replicas avoid the encounter to ized change leads to loosing the secret, so at the
successfully complete the computation. A slightly moment of verification by host or manager, the
different method based on multiple copies of agent agent is not able to prove possession of a valid
was proposed by Benachenhou and Pierre (2006). secret. Since the host can monitor all agent’s com-
In this proposal, the copy of agent is executed on putations, the secret should not only change with
a trusted platform to validate results obtained on agent’s execution state, but should also be different
other platforms. for different hosts, so one host could only validate
the secret prepared for operations that should be
executed at this platform. In our system the host can
A MEtHod bAsEd on sEcrEts tamper the agent and try to make such changes that
And Proofs so that he/she will be still able to obtain the proper
secret, but the characteristics of function f will not
In the proposed system we assume that there exist allow doing this. Some possible candidates for the
at least three parties: function f can be a hash function. Our approach is
a detection rather than prevention (see Zwierko &
• A manager Kotulski, 2007).
• An agent
• A host Specification of the Method
Security of Mobile Code
agent is in a proper execution state, it is able only from this state. Additionally, some internal
to obtain from its code/state variables the cor- variables that differ for each host should be utilized
rect shares. Since the agent is nothing more to obtain different secrets for each host. Thus, to
than a computer program, it can be described create agent’s shares, f j, ci ∈ Σ, and the code should
as a finite state machine (FSM). Assume, we be used.
have the agent of the form <Σ, S, SI, SF, δ>, In other cases, where the pair f j and ci is not
where: unique for each host, the previous states or other
data should be used. It should be possible to obtain
• Σ is the input alphabet the proper shares for current host based on appropri-
• S = {f 0, …, fn} is a set of all possible ate execution state and internal variables. If there
states is more than one unique combination of ( f j, ci) for
• SI is a subset of S with all initial states one host, then for each of them the host should
• SF is a subset of S with all finishing states, obtain an ID and a share. The agent’s code (in a
possibly empty certain form) should be a part of the data that are
• δ: Σ × S → S is a state transition func- required to recreate the secret to enable detection
tion. of every unauthorized manipulation, which could
be performed by previous host.
Figure 4 shows an example of agent’s FSM. It To create the shares from the mentioned data,
is obvious that only some execution states should the hash function or an encryption function with
be observed during the computation at the host the manager’s public key can be used.
platform (e.g., the ones connected with gathering
and storing the data). If the state f j is the first state The Validation Phase
of the agent’s computations at the host platform,
then it is natural that the shares should be generated 1. The host, which wants to verify an agent’s
integrity, sends its share to the agent.
Security of Mobile Code
2. The agent creates the rest of the shares from Definition 2 (Karjoth et al., 1999; Yee, 1999). The
its code and the execution state. It recreates agent posses the weak forward integrity feature if
the secret. The agent computes the secret σ the integrity of each partial result m0, …, mn-1 is
and uses it for the rest of the scheme, which provided when in is the first malicious agent place
is a zero-knowledge identification protocol. on the itinerary.
3. The agent and the host execute the selected
zero-knowledge protocol, so that the host can Weak forward integrity is conceptually not
confirm the correctness of σ. resistant to cooperating malicious hosts and agent
places that are visited twice. To really protect the
The manager can compute many identities, which integrity of partial result, we need a definition
may be used with different execution states. In that without constraints.
situation the agent should first inform host which
identity should be used, or the host can simply check Definition 3 [strong forward integrity (Karjoth
the correctness of σ for all possible identities. et al., 1999)]. The agent system preserves strong
forward integrity of the agent if none of the agent’s
encapsulated messages mk, with k < n, can be
sEcurIty And scAlAbIlIty modified without notifying the manager.
Security of Mobile Code
stay the same. But the host does not know other Medium: The method has been imple-
secrets that are composed into the agents; also mented, with much effort
he/she does not know more shares to recreate those Easy: The method is widely used and
secrets, so, any manipulation would be detected has been implemented for different
by the next host. purposes
The protocol is not able to prevent any attacks and what elements of an agent it protects:
that are aimed at destroying the agent’s data or • Theoretical evaluation: If the method satis-
code, meaning that a malicious host can “invali- fies the security definitions from the Defini-
date” any agent’s data. But this is always a risk, tions and Notions section.
since the host can simply delete an agent.
The theoretical evaluation is quite hard, because
• Weak forward integrity: The proposed some methods that have the black-box property do
method posses the weak forward integrity not “fit” other definitions. If the code or data cannot
property: the malicious host cannot efficiently be read or manipulated (the ideal case), then how
modify previously generated results. we can discuss if it can be verifiable, or, if it fulfills
• Strong forward integrity: The protocol the forward integrity.
provides the agent also with strong forward As for evaluation of the black-box property, it is
integrity, because the host cannot change very hard to provide the code that cannot be read. In
previously stored results (without knowledge all cases, marked by *, (see Table 2) the adversary
of secrets created for other hosts). He/she can modify the agent but not in a way that owner
cannot also modify the agent in a way that or other host would not notice. This means that no
could be undetectable by the next host on the efficient manipulation attack can be made, so one
itinerary or by the owner. part of the black-box property is satisfied.
• Publicly verifiable forward integrity: Each In # case the publicly verifiable forward integrity
host can only verify if the agent’s code or the is satisfied only partially, because the agent’s code
execution state has not been changed. They can be verified but the data cannot.
cannot check wherever the data obtained on
other platforms has not been modified. The scalability
agent’s owner, who created all secrets, can
only do this. The initialization phase. The first phase is similar
• Black-box security: The proposed system to the bootstrap phase of the system. The hosts and
is not resistant to read attacks. A malicious the manager create a static network. It is typical
host can modify the code or data, but it is for agents’ systems that the manager or the owner
detectable by agent’s owner, so it is resistant of an agent knows all hosts, so distribution of all
to manipulation attack. The system does not IDs and shares is efficient. We can compare this to
have full black-box property. sending a single routing update for entire network
as in OSPF protocol (the flooding). Whenever a new
comparison with other Methods agent is added to the system, the same amount of
information to all hosts has to be sent. Since the
It is a difficult task to compare systems based on messages are not long (a single share and few IDs)
such different approaches as presented here. We and are generated only during creating a new agent,
decided to split comparison into two categories: that amount of information should not be a problem.
The sizes of parameters (keys lengths, number of
• Practical evaluation: If the method is hard puzzles, and number of shares) are appropriately
or easy to implement: adjusted to the agents’ network size.
Hard: No practical implementation ex- The operating phase. During the validation
ists at the moment phase no additional communication between the
manager and the hosts is required.
Security of Mobile Code
Security of Mobile Code
the agents’ security can be significantly increased rity. The data unavailable is useless for a potential
by avoiding risky behavior, especially visiting suspi- user. Also, the data illegally defected or falsified is a
cious hosts. This can be done by using mechanisms worthless source of information. No other protection
built into individual agents or by distributed solu- has sense if the data’s content is destroyed. In the
tions based on cooperation of agents and hosts. The case of executables we face analogous problems.
most promising solutions for improvement of the Except others, the executables must be available and
mobile code security can be based on risk analysis protected against falsification (that is unauthorized
or on reputation systems. The first one needs some changes of the designed functioning, internal state
built-in analysis tools while the second one requires and the carried data). The problem of availability
trust management infrastructure. has been successfully solved by a concept of mobile
Risk analysis is one of the most powerful tools agents that simply go to the destination place and
used in economics, industry, and software engi- work in there. However, this solution made the
neering (Tixier, Dusserre, Salvi, & Gaston, 2002). problem of integrity of the mobile code or mobile
Most of the business enterprises carry out such an agent even more important than in the case of the
analysis for all transactions. The multi-agent or stored data. The falsified mobile agent is not only
mobile agent system can be easily compared with useless. It can be even harmful as an active party
such an economic-like scenario: There are a lot making some unplanned actions. Therefore, pre-
of parties making transactions with other parties. serving agents’ integrity is a fundamental condition
The risk analysis could be utilized to estimate how of their proper functioning.
high is the probability that selected agent platform In this chapter we made an overview of the
is going to harm the agent. The biggest advantage existing protocols and methods for preserving the
of this solution is lack of any form of cooperation agent’s integrity. The basic definitions and notions
between different managers: Everyone can make its were introduced. The most important mechanisms
own analysis based on gathered knowledge. How- were presented and discussed. We also proposed a
ever, the cooperation between different managers new concept for detection of the tempering of an
can benefit in better analysis. agent, based on a zero-knowledge proof system.
Reputation systems (Sabater & Sierra, 2005; The proposed scheme secures both, an agent’s
Zacharia & Maes, 2000) are well known and execution state and the internal data along with its
utilized in different applications, especially in code. For the practical implementation the system
peer-to-peer environments. They enable the detec- requires some additional research and development
tion of malicious parties based on their previous work, but it looks to be a promising solution to
behavior, registered, valuated, and published. We the problem of providing an agent with effective
can imagine an agent system where managers and and strong countermeasures against attacks on its
owners of agents would also rate agent platforms integrity.
based on their previous actions towards the agents.
Of course, such a system still requires some in-
tegrity protection mechanisms, which could be rEfErEncEs
used to verify if results obtained by the agent are
correct. However, the applied mechanism can be Alves-Foss, J., Harrison, S., & Lee, H. (2004,
rather simple, not as complicated as some presented January 5-8). The use of encrypted functions for
methods, for example, EFs. mobile agent security. In Proceedings of the 37th
Hawaii International Conference on System Sci-
ences—Track 9 (pp. 90297b). US: IEEE Computer
concludIng rEMArks Society Press.
Benachenhou, L., & Pierre, S. (2006). Protection
Among security services for stored data protection
of a mobile agent with a reference clone. Computer
two are the most important: availability and integ-
communications, 29(2), 268-278.
0
Security of Mobile Code
Burmester, M., Chrissikopoulos, V., & Kotzaniko- Kulesza, K., & Kotulski, Z. (2003). Decision systems
laou, P. (2000). Secure transactions with mobile in distributed environments: Mobile agents and
agents in hostile environments. In E. Dawson, A. their role in modern e-commerce. In A. Lapinska
Clark, & C. Boyd (Eds.), Information security and (Ed.), Proceedings of the Conference “Information
privacy. Proceedings of the 5th Australasian Con- in XXI Century Society” (pp. 271-282). Olsztyn:
ference ACISP (LNCS 1841, pp. 289-297). Berlin, Warmia-Mazury University Publishing.
Germany: Springer.
Kulesza, K., Kotulski, Z., & Kulesza, K. (2006).
Coilberg, Ch., Thomborson, C., & Low, D. (1997). On mobile agents resistant to traffic analysis.
A taxonomy of obfuscating transformations (Tech. Electronic Notes in Theoretical Computer Science,
Rep. No. 148). Australia: The University of Auck- 142, 181-193.
land.
Low, D. (1998). Protecting Java code via code
Corradi, A., Cremonini, M., Montanari, R., & obfuscation. Crossroads, 4(3), 21-23.
Stefanelli, C. (1999). Mobile agents integrity for
Man, C., & Wei, V. (2001). A taxonomy for attacks
electronic commerce applications. Information
on mobile agent. In Proceedings of the Interna-
Systems, 24(6), 519-533.
tional Conference on Trends in Communications,
Esparza, O., Fernandez, M., Soriano, M., Munoz, J. EUROCON’2001 (pp. 385-388). IEEE Computer
L., & Forne, J. (2003). Mobile agents watermarking Society Press.
and fingerprinting: Tracing malicious hosts. In V.
Oppliger, R. (2000). Security technologies for the
Maŕík, W. Retschitzegger, & O. Štĕpánková (Eds.),
World Wide Web. Computer Security Series. Nor-
Proceedings of the Database and Expert Systems
wood, MA: Artech House Publishers.
Applications (DEXA 2003) (LNCS 2736, pp. 927-
936). Berlin, Germany: Springer. Pieprzyk, J., Hardjono, T., & Seberry, J. (2003).
Fundamentals of computer security. Berlin, Ger-
Goldreich, O. (2002). Zero-knowledge twenty
many: Springer.
years after its invention (E-print 186/2002). E-
print, IACR. Riordan, J., & Schneier, B. (1998). Environmental
key generation towards clueless agents. In G. Vinga
Hohl, F. (1998). Time limited blackbox security:
(Ed.), Mobile agents and security (pp. 15-24). Berlin,
Protecting mobile agents from malicious hosts. In
Germany: Springer.
G. Vigna (Ed.), Mobile agents and security (LNCS
1419, pp. 92-113). Berlin, Germany: Springer. Sabater, J., & Sierra, C. (2005). Review on com-
putational trust and reputation models. Artificial
Jansen, W. A. (2000). Countermeasures for mobile
Intelligence Review, 24 (1), 33-60.
agent security. [Special issue]. Computer Commu-
nications, 23(17), 1667-1676. Sander, T., & Tschudin, Ch. F. (1998, May 3-6).
Towards mobile cryptography. In Proceedings of
Jansen, W. A., & Karygiannis, T. (1999). Mobile
the 1998 IEEE Symposium on Security and Privacy
agents security (NIST Special Publication 800-19).
(pp. 215-224). IEEE Computer Society Press.
Gaithersburg, MD: National Institute of Standards
and Technology. Schneider, F. B. (1997). Towards fault-tolerant and
secure agentry. In M. Mavronicolas (Ed.), Proceed-
Karjoth, G., Asokan, N., & Gulcu, C. (1999). Protect-
ings 11th International Workshop on Distributed Al-
ing the computation results of free-roaming agents.
gorithms (pp. 1-14). Berlin, Germany: Springer.
In K. Rothermel & F. Hohl (Eds.), Proceedings
of the Second International Workshop on Mobile Shao, M., & Zhou, J. (2006). Protecting mobile-agent
Agents (MA ’98) (LNCS 1477, pp. 195-207). Berlin, data collection against blocking attacks. Computer
Germany: Springer. Standards & Interfaces, 28(5), 600-611.
Security of Mobile Code
Tixier, J., Dusserre, G., Salvi, O., & Gaston, D. executed. The software agent cannot perform its
(2002). Review of 62 risk analysis methodologies actions outside hosts. The host protects agents
of industrial plants. Journal of Loss Prevention in against external attacks.
the Process Industries, 15(4), 291-303.
Cryptographic Protocol: Cryptographic pro-
Vigna, G. (1997). Protecting mobile agents through tocol is a sequence of steps performed by two or
tracing. In Proceedings of the 3rd ECOOP Workshop more parties to obtain a goal precisely according to
on Mobile Object Systems. Jyvälskylä, Finland. assumed rules. To assure this purpose the parties
use cryptographic services and techniques. They
Vigna, G. (1998). Cryptographic traces for mobile
realize the protocol exchanging tokens.
agents. In G. Vigna (Ed.), Mobile agents and secu-
rity (LNCS 1419, pp. 137-153). Berlin, Germany: Intelligent Software Agent: Intelligent soft-
Springer. ware agent is an agent that uses artificial intelligence
in the pursuit of its goals in contacts with hosts
Wang, T., Guan, S., & Chan, T. (2002). Integrity
and other agents.
protection for code-on-demand mobile agents in
e-commerce. Journal of Systems and Software, Mobile Agent: Mobile agent is an agent that
60(3), 211-221. can move among different platforms (hosts) at
different times while the stationary agent resides
Yee, B. S. (1999). A sanctuary for mobile agents.
permanently at a single platform (host).
In J. Vitek & C. D. Jensen (Eds.), Secure Internet
programming: Security issues for mobile and dis- Security Services: Security services guarantee
tributed objects (LNCS 1603, pp. 261-273). Berlin, protecting agents against attacks. During agent’s
Germany: Springer. transportation the code is protected as a usual file.
At the host site, the agent is open for modifications
Zacharia, G., & Maes, P. (2000). Trust management
and very specific methods must be applied for
through reputation mechanisms. Applied Artificial
protection. For the agent’s protection the following
Intelligence, 14(9), 881-907.
security services can be utilized:
Zwierko, A., & Kotulski, Z. (2005). Mobile agents:
• Confidentiality: Confidentiality is any
Preserving privacy and anonymity. In L. Bolc, Z.
private data stored on a platform or carried
Michalewicz, & T. Nishida (Eds.), Proceedings of
by an agent that must remain confidential.
IMTCI2004, International Workshop on Intelligent
Mobile agents also need to keep their present
Media Technology for Communicative Intelligence
location and the whole route confidential.
(LNAI 3490, pp. 246-258). Berlin, Germany:
• Integrity: Integrity exists when the agent
Springer.
platform protects agents from unauthorized
Zwierko, A., & Kotulski, Z. (2007). Integrity of mo- modification of their code, state, and data
bile agents: A new approach. International Journal and ensure that only authorized agents or
of Network Security, 2(4), 201-211. processes carry out any modification of the
shared data.
Zwierko, A., & Kotulski, Z. (2007). A lightweight • Accountability: Accountability exists when
e-voting system with distributed trust. Electronic each agent on a given platform must be held
Notes in Theoretical Computer Science, 168, 109- accountable for its actions: must be uniquely
126. identified, authenticated, and audited.
• Availability: Availability exists when every
kEy tErMs agent (local, remote) is able to access data
and services on an agent platform, which
Agent Platform (Host): Agent platform is a responsible to provide them.
computer where an agent’s code or program is
Security of Mobile Code
Chapter IV
Identity Management
Kumbesan Sandrasegaran
University of Technology, Sydney, Australia
Mo Li
University of Technology, Sydney, Australia
AbstrAct
The broad aim of identity management (IdM) is to manage the resources of an organization (such as files,
records, data, and communication infrastructure and services) and to control and manage access to those
resources in an efficient and accurate way. Consequently, identity management is both a technical and
process-orientated concept. The concept of IdM has begun to be applied in identities-related applications
in enterprises, governments, and Web services since 2002. As the integration of heterogeneous wireless
networks becomes a key issue in towards the next generation (NG) networks, IdM will be crucial to the
success of NG wireless networks. A number of issues, such as mobility management, multi-provider and
securities require the corresponding solutions in terms of user authentication, access control, and so
forth. IdM in NG wireless networks is about managing the digital identity of a user and ensuring that
users have fast, reliable, and secure access to distributed resources and services of an next generation
network (NGN) and the associated service providers, across multiple systems and business contexts.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Identity Management
IdM in NG wireless networks is about man- • It should define the identity of an entity (a
aging the digital identity of a user and ensuring person, place, or thing).
that users have fast, reliable, and secure access to • It should store relevant information about
distributed resources and services of NG wireless entities, such as names and credentials, in
networks and associated service providers across a secure, flexible, customisable store.
multiple systems and business contexts. • It should make the information accessible
through a set of standard interfaces.
Definition • It should provide a resilient, distributed, and
high performance infrastructure for identity
Given the open and currently non-standardised management.
nature of IdM, there are varying views as to the • It should help to manage relationships be-
exact definition of IdM. These include: tween the enterprise and the resources and
other entities in a defined context.
By HP (Clercq & Rouault, 2004)
Identity Management can be defined as the set of Main Aspects
processes, tools and social contracts surround-
ing the creation, maintenance, utilization and Authentication
termination of a digital identity for people or,
more generally, for systems and services to enable Authentication is the process by which an entity
secure access to an expanding set of systems and provides its identity to another party, for example,
applications. by showing photo ID to a bank teller or entering
a password on a computer system. This process
By Reed (2002) is broken down into several methods which may
The essence of Identity Management as a solu- involve something the user knows (e.g., password),
tion is to provide a combination of processes and something the user has (e.g., card), or something
technologies to manage and secure access to the the user is (e.g., fingerprint, iris, etc.). Authentica-
information and resources of an organisation tion can take many forms, and may even utilise
while also protecting users’ profiles. combinations of these methods.
Identity Management
Identity Management
applications, for example, bank transactions and Pros And cons of IdEntIty
governmental functions, more information is usu- MAnAgEMEnt
ally required (e.g., birth certificates, credit card
numbers, and the like). Benefits of Identity Management
The digital identity of an individual user
forms the main focus of security threats to any Reduce Total Cost Ownership (TCO) for All
IdM system. As such, there are typical measures Systems
that must be taken to ensure that digital identities Cost reduction by IdM usually is a result of more
are kept securely. efficient use of personnel and resources, especially
with regards to the following administrative bu-
usage of digital Identity reaucracy. Examples include (Courion, 2005):
Digital identity can be used for authentication. • Reducing the costs of auditing by providing
It is where an entity must “prove” digitally that real-time verification of user access rights
it is the one that it claims to be. It is at this stage and policy awareness enforcement
that the credentials of digital identity are used. • Eliminating account administration such as
The simplest form of authentication is the use of account add/move/change and calls to infor-
a username and corresponding password. This is mation security staff for digital certificate
known as “single factor” authentication, since only registration
a single attribute is used to determine the identity. • Eliminating calls of password reset (the #1
Stronger authentication is usually obtained by not support call) to internal or outsourced help
only increasing the number of attributes that are desks
used, but also by including different types. To add • Streamlining IT operations for more effi-
to the previous example scheme, in addition to the cient management and reallocation to more
password, an entity could also be called upon to strategic projects
have a particular piece of hardware plugged in, • Reducing management overhead (Reed,
providing a “two factor” scheme (DIGITALID- 2002)
WORLD, 2005).
Once an entity is authenticated, a digital Competitive Advantage Through Streamlining
identity is used to determine what that entity is and Automation of Business Processes
authorised to do. This is where the profile of a This competitive advantage is delivered by cut-
digital identity is required. As an example, au- ting down costs in areas with a high need for
thorisation can be seen as the difference between unnecessary support and being able to:
an “administrator” and a “user” who share the
same resource (for example, a computer). Both • Offer users a fast, secure way to access to
may be authenticated to use the computer, but the revenue-generating systems, applications,
actions that each may do with that resource are and Web portals (Courion, 2005)
determined by the authorisation. Authentication • Provide faster response to “password reset”
attempts to establish a level of confidence that a and “insufficient access” user lockouts,
certain thing holds true, authorisation decides thus increasing system and data availability
what the user is allowed to do. (Courion, 2005)
Accounting provides an organisation with the • Provide 24x7x365, unassisted self-service
ability of tracking unauthorised access when it for the most common of help desk calls
occurs. Accounting involves the recording and (Courion, 2005)
logging of entities and their activities within the • Improve customer and employee service;
context of a particular organisation, Web site, maintain confidentiality and control of
and so forth. customers, suppliers, and employees (Reed,
2002)
Identity Management
• Reduce time for new employees to gain ac- pliers, contractors, clients) assets. It also presents a
cess to required resources for work (Reed, method of ensuring that policies are enforced away
2002) from human effort and decision making (where
often the process breaks down or is ignored). In
Increase Data Security summary, it can:
Data security includes the typical protection of
data from unauthorised users as well as ensuring • Demonstrate policy enforcement
that the data being used is kept up to date across • Proactively verify the access right of a
the organisation and is safe from inadvertent user
or intentional tampering by unauthorised users • Enable policy awareness testing
within the organisation. • Eliminate orphaned accounts systemati-
cally
•
Minimise the “security gap” that exists • Increase protected data privacy
between the time when employees leave a
company and their accounts are disabled Additional benefits, mainly business centric,
(Courion, 2005) are described in more detail by Fujitsu (Locke &
•
Reduce the intrusion risk due to orphaned McCarthy, 2002):
or dormant accounts (by ex-employees or
those posing as ex employees) (Courion, • Know who everyone is in the organisa-
2005) tions: Applied to the larger scale of the NG
•
Enforce the policies of consistent account wireless networks, this prevents any user
provisioning to make sure that only those from “slipping through the cracks” whether
who need access get access (Courion, they are employees or subscribers. Typically,
2005) telecommunications providers are adept at
• Enforce consistent password policies for keeping customer records, but suffer the
stronger authentication (Courion, 2005) same problems with keeping track of staff.
•
Reduce security threats (e.g., human error) An IdM system will enable the organisation
through policy based automation (Courion, to keep stock of all their users.
2005) • Accurate and consistent people data in
•
Ensure accurate audit trails for intrusion all systems: This is particularly relevant
prevention and security reporting (Courion, to the existing telecommunications provid-
2005) ers. Although services vary, the majority of
•
Provide faster response to account access providers have some lag between the time a
requests or password reset, thus reducing the record is changed, compared to when that
need of proliferating “superuser” privileges change is made into the records that the com-
(Courion, 2005) pany keeps. Typically, this results in undue
•
Increase the opportunity of adopting the delays when an existing or new subscriber
Public Key Infrastructure by removing the wishes to get access to their new services.
biggest barrier (Courion, 2005) By speeding up the process by which data on
•
Reduce risk of incorrect information being users can be updated, this reduces the delay
used (Reed, 2002) in service provisioning and offers a more
significant level of quality of service.
Support Legal Initiatives and Demonstrate • Single source of data input/storage: This
Compliance (Courion, 2005; Reed, 2002) feature has already been explored as one of
In the case of legal initiatives, IdM can be used the benefits of an IdM system. Although a
successfully to demonstrate a systematic and ef- distributed system must spread the location
fective approach to safeguarding an organisation’s and access points for the data that it stores,
assets and its business partners’ (customers, sup- by having one central system for organising
Identity Management
it, any additional processing that needs to be staff, introducing new equipments and the
done, particularly when bridging between like. It will also increase the reluctance and
two different types of systems or depart- reduce the enthusiasm of the organisation
ments, is avoided. to adopt the new IdM system.
• Specific needs depending on the organi-
In general, IdM is used to provide an efficient sation: IdM systems generally need to be
system that covers all users within an organisation. customised for each particular organisation
It promotes a single system that does the entire that intends to use one. This is particularly
task rather than several systems that conflict or true for the areas where an IdM system
compete with each other. must support the business processes that an
organisation has set up. These are usually
drawbacks of Identity Management unique to the organisation. Other areas that
would require customisation from system
IdM, while bringing several advantages to an to system include hardware requirements,
organisation, may have several applicable draw- the nature of the organisations’ distributed
backs. These include: systems, and so on.
• Extensive planning, designing, and imple-
• Single point of vulnerability: A feature that mentation required: An IdM system must
brings both advantages and disadvantages be extremely well planned, designed, and
to IdM is the central system that is used. executed if it is to avoid the disadvantages
A central IdM system is used to avoid the that it is trying to overcome over existing
vulnerabilities associated with competing or approaches to enterprise management. Due
incompatible systems, as well as reducing to the all-encompassing and authoritative
the maintenance costs involved in running control that an IdM system will have over
different types of systems. However, the flip an organisation, it is important that any
side to this approach is that it represents a such system caters or close to the exact
single point of vulnerability that, if compro- specifications, outlined by the organisation.
mised, can lead to the easy breach of all the Otherwise, the system may be used incor-
data that the system is protecting. To counter rectly, resulting in the same inefficiencies
this, IdM systems generally recommend that from non-IdM systems.
the additional resources that are saved by •
Relatively new concept, lack of uniform
the organisation employing the IdM system standard: IdM as a standardised concept and
are re-invested into providing more effec- solution is yet to be finalised. This increases
tive security measures. This will result in a the likelihood of IdM systems to still be in
system that is, overall, more secure than the various stages of development, and more
existing mixture of systems that individu- importantly, different levels of effectiveness.
ally, are not as secure. This may lead to increased maintenance or
• Migration from legacy systems and tran- upgrades in the near future, or lead to flawed
sition costs: IdM systems are generally at development and implementation for the
odds with existing systems that manage and early adopters of IdM systems. Both these
secure users and resources. The concept of alternatives result in an inefficient outcome
IdM systems involves the replacing of exist- compared to IdM’s claims.
ing systems with a single IdM system. For
larger organisations with staff and hardware
that are selected based upon a preference stAndArds And solutIons
for an existing system or systems, this
represents a significant along with all the A number of IdM technologies and standards have
associated costs of replacing or retraining emerged for enterprise networks, government,
Identity Management
and Web services. The two main standard bodies Web Services
to date are from the Liberty Alliance Project and Web services support IdM systems across private
the Web-Services (WS) Federation. However, the and public networks. They are aimed, as such,
specifications produced by these organisations are to connect heterogeneous systems. Several well
mainly motivated by user profile management, known protocols, such as TCP/IP, belong here. The
single sign-on, and personalised services and ones that have specific applications in IdM are:
do not address the requirements of NG wireless
networks. • SOAP (W3C, formerly Microsoft): For
transporting XML messages/remote pro-
relevant standard bodies cedure calls
• WSDL (W3C): Used to express the pro-
The standards organisations listed in Table 1 gramming interface and location of a ser-
are involved in the development of standards vice
for IdM. • Universal Description, Discovery and In-
tegration (UDDI): Used to find and publish
IdM standards services
0
Identity Management
• Liberty Alliance Project: An organisation organisations closer than in the current telecom-
working mainly towards a solution/standard, munications environment.
they focus on the single sign on concept com- IdM in NG wireless networks will be more com-
bined with federated identity. plex than enterprise and Web service solutions. It
• Microsoft .NET Passport: Primarily an involves consolidation, management and exchange
organisational solution rather than standard. of identity information of users to ensure the users
This provides a Microsoft managed authenti- have fast, reliable, and secure access to distributed
cation service for other web services/corpora- network resources across multiple service provid-
tions. ers. Furthermore, NG wireless networks have to
provide seamless and ubiquitous support to various
Workflow services in a heterogeneous environment.
Workflow standards include: Carefully planned and deployed, IdM solutions
in NG wireless networks can prevent fraud, improve
• Business Process Execution Language user experience, assist in the rapid deployment of
(BPEL): Allows business processes (tasks) new services, and provide better privacy and na-
to be described by a combination of Web tional security. Conversely if it is not well planned
services and internal message exchanges. and deployed, it can lead to identity theft, fraud, lack
of privacy, and risk national security. In Australia,
Provisioning the cost of identity theft alone was estimated to be
Provisioning standards are hinted at from workflow around $1.1 billion during 2001-2002 according to
standards (which ensure a process is followed by some 2003 SIRCA Research.
provisioning), but are otherwise not well covered, The digital identity information in NG wireless
with one exception: networks will be more complex because it has to
cater to a number of mobility scenarios, access
• Service Provisioning Markup Language networks, and services. User identity could include
(SPML) (OASIS) a combination of names, unique user identifiers,
terminal identifiers, addresses, user credentials,
SLA parameters, personal profiles, and so forth.
IdM In ng wIrElEss nEtworks The digital identity information has to be ex-
changed between various entities in the networks
Motivation for the purpose of authentication, authorisation,
personalised online configuration, access control,
IdM issues were not critical in traditional telecom- accountability, and so forth. IdM in NG wireless
munication networks, because networks, applica- networks is expected to provide a mechanism for
tions, and billing for different services were not controlling multiple robust identities in an electronic
integrated. For example, if a service provider offers world, which is a crucial issue in developing the
telephone, Internet access, and cable TV then all of next generation of distributed services (Buell &
these services are treated separately. Each service Sandhu, 2003).
has its own subscriber database containing sub- Let us have a look at a typical access scenario
scriber records and identity information. in traditional networks (shown in Figure 1). In
IdM, in both concept and practice, has pro- these networks, one organisation is often isolated
vided an effective alternative and complements from another since each organisation is running
to the existing security measures in enterprise and providing its services independently. Each
networks. The NG wireless networks can be seen customer has a number of identity credentials and
as a collective of organisations in addition to their each credential can only be used to access services
customers. Considering its integrated nature, an from one subscribed organisation.
IdM framework for NG wireless networks brings An expected access scenario in NG wireless
networks is illustrated as Figure 2. The NG wire-
Identity Management
Organization A
Customer Key
not allowed to
Organization B
Key
less network subscriber is expected to use the same 2. Service delivery can be improved, for example,
credential to access multiple organisations. Without the time required to get new subscriber access
a well designed IdM solution, it will not be possible is reduced.
to cater to the following: (1) accessing the subscribed 3. It supports flexible user requirements and
organisations frequently, (2) increased frequency personalisation.
of handoff between multiple organisations in NG 4. As with enterprise networks, there are numer-
wireless networks, and (3) mutual authentication ous benefits such as reduction in the cost of new
between subscriber and service provider, or between service launch, operation and maintenance
various service providers. A security breach on (O&M) and increased return on investment
any component of the NG wireless networks will (ROI) for NG wireless network operators and
result in more severe consequences for all the other service providers.
business partners. Therefore, in order to maintain a 5. IdM is expected to support distributed network
similar level of trust, reliability and profitability for architectures where entities communicate
the NG wireless networks, integrated IdM measures through open but secure interfaces.
in NG wireless networks must be taken. 6. It is necessary for seamless user mobility
across networks and terminals.
Benefits in NG Wireless Networks 7. A carefully researched and implemented IdM
solution improves the security of the NG wire-
A carefully researched IdM framework for NG less networks and the user confidence in the
wireless networks has a number of benefits for NG use of the services.
wireless networks users, operators, and service 8. IdM will assist in the efficient implementa-
providers. tion of current and new legal and compliance
initiatives about user data, behaviour and
1. User experience is often improved as users privacy.
can ubiquitously access services and applica- 9. IdM is expected to support number and service
tions of their choice over a number of service portability of users in an NG wireless network
providers without going through separate environment.
logins and avoiding the need to remember
multiple usernames and passwords or use However, introducing an IdM solution can bring
multiple tokens. new forms of security issues and threats. As you
Identity Management
Organization B
consolidate the identity-related information, you • Network operator: Network operator is de-
create a new target for security attacks. But the fined as a legal entity that operates, deploys,
advantage of implementing IdM is that you do not and maintains network infrastructure. In NG
have to worry about protecting disparate solutions. wireless networks, the networks provided by
Now you are able to consolidate your defences to network operator become the intermediary
one point. broker between services and subscribers.
• Service: Besides the traditional legacy ser-
requirements for IdM in ng wireless vices, like telephony voice and data, the NG
networks wireless networks can also offer new value-
added services to accommodate increasing
In this section, an analysis of the requirements for multimedia demands, for example, video
IdM in NG wireless networks is presented. The conferencing.
analysis will be undertaken from three perspectives: • Service provider: The services in NG wire-
user, network, and service. The requirement analy- less networks can be provided by different
sis is expected to cater to the needs of end users, service providers using a single network
network operators, and service providers in terms platform or separate network platforms of-
of some of NG wireless networks’ key functional fered by a network operator.
classifications such as operation, mobility, security,
personalisation, and so forth. End user requirements
Before we get started, a definition of various
terms used in NG wireless networks is given: Unique Identity for User and Terminal
• User: A user refers to a person or entity with A unique universal identity will have to be as-
authorised access (The Health Insurance signed to each individual user of the NG wireless
Portability and Accountability Act (HIPAA), networks and to each user terminal that a user may
2005). In describing NG wireless networks, use to access services of the NG wireless networks.
the term end user is often used to refer to a Examples of such identity in Global System for
person or entity that uses network resources Mobile Communications (GSM)/Universal Mobile
or services. Telecommunications System (UMTS) networks
• User terminal: The user terminal is the include the International Mobile Subscriber Iden-
device that is used by an end user to access tity (IMSI) and International Mobile Equipment
the services provided by the NG wireless Identity (IMEI). Users should have a single identity
networks. It can be a mobile station (MS) or regardless of the access technology or network
a laptop. being used.
Identity Management
The user identity must possess sufficient features transmit the real identity of a user through radio
that enable it to be used in a variety of end user or other public transmission mediums, like the
terminals (computer, mobile phone, landline phone). Internet, or exchange it directly with unauthorised
Additionally, the unique identity may be required parties. Special measures must be taken to ensure
to be compatible across several IdM systems. that user identity is not disclosed during the ex-
changing process. One possibility to overcome this
Storage of User Information problem is to use a temporary user identity that is
derived from the unique user identity and is valid
User identity information may be stored in many for a fixed period of time. Once the validity of the
locations: user card, home network, visited network, temporary identifier is expired, a new temporary
service providers, and so forth. Sometimes, the identity is generated. This way the real identity of
stored user information can be used as a credential a user is never compromised.
for fast authentication, for example, HTTP cookies
are adopted to facilitate quick access to protected Self-Service
Web sites. However, such kind of convenience
can have a security risk as the security at user end Self-service is the ability of a user to actively man-
is more likely to be compromised. NG wireless age part of his or her records without requiring the
networks designers have to carefully decide how intervention of help desk or support staff (Reed,
much information needs to be securely stored at 2002). This is an important requirement in all IdM
user end. Any identity-related information stored systems. All NG wireless networks users should
at the user end has to be secure. be able to securely manage some of their own
identity information such as changing passwords,
Exchange of User Identity subscription status, choosing their mobility status,
changing roaming authorisation, modifying user
The unique identity allocated to a user should be profiles, enabling location based services, and so
treated confidentially. Sometimes, it is a risk to forth. Users should also be able to modify content
Identity Management
filtering options for upstream and downstream cost, location, and so forth. The user should be able
traffic. to move between the different access technolo-
Users should be able to view their up-to-date gies with minimum configuration change and get
billing records and service usage patterns. To access consistently to their services according to
increase trust, users should be able to view their their user profiles.
self-service activity journal, which displays all the
self-service activities performed by a user. Mobility
An IdM system should be able to cater to situ-
ations where a user wants to delegate self-service Mobility across heterogeneous environments re-
privileges to another user such as maintaining quires service adaptation for terminal mobility as
accounts of family members. well as personal mobility (France Telecom, 2002).
In the event of service difficulty during mobility,
Single Sign-On users should receive user friendly notification with
choices of actions to restore the service without the
An important user requirement of NG wireless need to contact support staff.
networks is single sign-on. This means that once Another related implication is that a user, who is
a user is authenticated, the user should have access changing access networks during a session, should
to the entirety of their subscribed services without be able to continue to access the same service
having to repeat the authentication process for each without repeated authentication. For example, a
subscribed service. mobile user should be continuously attached to a
network when there is a handover from a UMTS
Security and Privacy network to a wireless LAN (WLAN).
Identity Management
Identities exchanging
Identity Requirements occurs at adjacent operator A
networks.
trusted third Party
The NG wireless networks operator should be able
to maintain a unique identity for each user, termi-
nal, network element, location area, and so forth,
regardless of service and technologies used.
geographically distributed IdM servers in order to
If the user is using faulty or dubious terminal
increase performance efficiency by load sharing and
equipment, it should be possible to bar services
providing high availability. It should also maintain
to the user.
integrity and consistency of identity data across
The digital identity stored in a network should
distributed identity information stores.
cater to various types of user identity information
and data structures.
As in enterprise networks, proper implementa- Mobility Management
tion of account lifecycle management is required,
that is, administrators should be able to manage NG wireless networks should be able to cater to
the state of a user account for the complete span the mobility requirements of users. This could in-
of that account. Even if an account is deleted or clude personal and/or terminal mobility, roaming,
disabled, an audit history of the account should or nomadism. Mobility management may require
be maintained. a combination of identification, authentication,
If necessary, the network operator should be able access control, location management, IP address
to remove self-service privilege of some users. allocation and management, user environment
The IdM system should support open standards management, and user profile management func-
in order to interact with multi-vendor terminals and tions. The network should cater for both foreign
network elements. It should be compatible with ex- network IP address and home network IP address
isting legacy systems and be able to adapt to emerg- allocation scheme.
ing technologies, methods, and procedures.
Security
Scalability and Performance
Security requirements for NG wireless network
The IdM system should be able to store, retrieve, operators should cover privacy, confidentiality,
and exchange billions of identity information in integrity, authenticity, non-repudiation, availabil-
a highly seamless, scalable, quick, and efficient ity, intrusion detection, and maintenance of audit
manner to facilitate multiple real-time service records as described later on.
requests from users. Users and terminals should be reliably authen-
It should achieve a high level of availability ticated by the network operator using a nominated
by incorporating fault-tolerant redundant system set of authentication credentials such as passwords,
implementation. Furthermore, it should implement smart cards, biometrics, and other industry standard
Identity Management
methods. All the identity data should be kept in a The IdM and related systems should support
very secure and scalable manner. Unauthorised open standards with choices of number of technolo-
access to identity data should be prevented. gies in order to interoperate with other entities.
Intrusion detection is required to detect and
prevent security breaches with the network operator. Interface to Other Service Providers
This can also be done to minimise the fraudulent
use of resources in a network. Users may subscribe to the services offered by dif-
Network administrators should be granted dif- ferent service providers. Thus, the interoperability
ferent levels of access according to their authority among service providers is important. User identity
within the organisation. For accountability and se- information may be exchanged between a group of
curity reasons, consistent and reliable audit records service providers in order to improve “transparent
of administrative activities must be kept. user experience.” This also requires trust to be
In order to apply user and data security such established between these service providers.
as confidentiality, integrity, and authenticity, the
IdM system should securely store and exchange Interface to Network Operator
relevant encryption keys.
A well-defined, open interface needs to be provided
Billing to the network operator at the service provider
end. This would give service provider the neces-
Up-to-date, accurate, and detailed billing informa- sary authentication, authorization and accounting
tion should be maintained by the network operator. (AAA) to access network resources offered by
When there is more than one source sending billing network operator.
data, the network operator has to consolidate this
information from various sources. Interface to Trusted Third Party
Furthermore, when a subscriber is roaming
in a foreign network, charging records from that An interface to trusted third party would give
foreign network has to be authenticated to prevent service provider an opportunity to use external
fraudulent usage of services. AAA services. By doing so, the complexity of
The network operator should be able to sup- implementation of services would be reduced. The
port a number of charging mechanisms such as authentication of users can be centralised.
charging based on usage, access networks, time,
geographical area, and so forth. All of these dif- Mobility Management
ferent charging mechanisms should be compatible
with the IdM system. Some services require information about the current
location and connectivity of subscribers. These are
service Provider requirements referred to as location-dependent or location-aware
services. To provide such services to end users, a
A user may require services from a number of ser- service provider must be able to access mobility-
vice providers. In this scenario, the home operator management-related information maintained by
and the service provider(s) should support secure network operators. Subscribers have to consent
access and exchange of user identity and billing to the release of this sensitive private information
information. to service providers. Furthermore, when there are
The identity of each user should be uniquely updates to location or mobility management data in
and reliably identified by a service provider. The the network operator, the update have to be passed
service providers may have to rely on third party to the subscriber.
IdM providers where the user has already estab-
lished an account.
Identity Management
Identity Management
2001). Legal interception of subscriber data should Locke, M., & McCarthy, M. (2002). Realising the
be possible whichever network or service a sub- business benefits of identity management: FUJITSU
scriber is using. SERVICES.
Pato, J., & Rouault, J. (2003, August). Identity
management: The drive to federation. Retrieved
rEfErEncEs 2006, from http://devresource.hp.com/drc/techni-
cal_white_papers/id_mgmt/index.jsp
Buell, D. A., & Sandhu, R. (2003). Identity manage-
ment. IEEE Internet Computing, 7(6), 26-28. Reed, A. (2002). The definitive guide to identity
management (e-Book). Retrieved from http://www.
Cisco Systems. (2005). Trust and identity manage-
rainbow.com/insights/ebooks.asp
ment solutions. Retrieved 2005, from http://www.
cisco.com/en/US/netsol/ns463/networking_solu- Titterington, G. (2005, July). Identity management:
tions_package.html Time for action. Ovum’s Research Store.
Clercq, J. D., & Rouault, J. (2004, June). An intro-
duction to identity management. Retrieved 2005, kEy tErMs
from http://devresource.hp.com/drc/resources/id-
mgt_intro/index.jsp Access Control: Access control is used to
determine what a user can or cannot do in a par-
Council of Europe. (2001). ETS No. 185—Conven-
ticular context.
tion on cybercrime. Article 21, European Treaty
Series (ETS). Retrieved 2005, from http://conven- Auditing and Reporting: Auditing and report-
tions.coe.int/Treaty/en/Treaties/Html/185.htm ing involves the creation and keeping of records,
whether for business reasons (e.g., customer transac-
Courion. (2005). Courion products over-
tions), but also for providing a “trail” in the event
view: Enterprise provisioning. Retrieved 2005,
that the system is compromised or found faulty.
from http://www.courion.com/products/benefits.
asp?Node=SuiteOverview_Benefits Authentication: Authentication is the process
by which an entity provides its identity to another
DIGITALIDWORLD. (2005). What is digital
party, for example, by showing photo ID to a bank
identity? Retrieved July 2005, from http://www.
teller or entering a password on a computer sys-
digitalidworld.com/local.php?op=view&file=abo
tem.
utdid_detail
Authorization: Authorisation is the process of
France Telecom. (2002). Inter-network mobility
granting access to a service or information based
requirements considerations in NGN environ-
on a user’s role in an organisation.
ments. Study Group 13—Delayed Contribution
322, Telecommunication Standardization Sector Context: Context can refer to the type of trans-
(WP 2/13) Retrieved 2004. action or organisation that the entity is identifying
itself as well as the manner that the transaction is
The Health Insurance Portability and Account-
made.
ability Act (HIPAA). (2005). Glossary of HIPAA
terms. Retrieved 2005, from http://hipaa.wustl. Digital Identity: Digital identity is the means
edu/Glossary.htm that an entity can use to identify themselves in
a digital world (i.e., data that can be transferred
International Telecommunication Union-Telecom-
digitally, over a network, file, etc.).
munication Standardization Sector (ITU-T). (2004).
NGN-related recommendations. Study Group 13 Identity: The identity of an individual is the set
NGN-WD-87. of information known about that person.
Identity Management
Network Operator: Network operator is de- User: A user refers to a person or entity with
fined as a legal entity that operates, deploys, and authorised access.
maintains network infrastructure.
User Terminal: The user terminal is the device
Profile: A profile consists of data needed to that is used by an end user to access the services
provide services to users once their identity has provided by the NG wireless networks.
been verified.
0
Chapter V
Wireless Wardriving
Luca Caviglione
Institute of Intelligent Systems for Automation (ISSIA)—Genoa Branch, Italian National Research
Council, Italy
AbstrAct
Wardriving is the practice of searching wireless networks while moving. Originally, it was explicitly
referred to as people searching for wireless signals by driving in vans, but nowadays it generally iden-
tifies people searching for wireless accesses while moving. Despite the legal aspects, this “quest for
connectivity” spawned a quite productive underground community, which developed powerful tools,
relying on cheap and standard hardware. The knowledge of these tools and techniques has many useful
aspects. Firstly, when designing the security framework of a wireless LAN (WLAN), the knowledge of
the vulnerabilities exploited at the basis of wardriving is a mandatory step, both to avoid penetration
issues and to detect whether attacks are ongoing. Secondly, hardware and software developers can design
better devices by avoiding common mistakes and using an effective suite for conducting security tests.
Lastly, people who are interested in gaining a deeper understanding of wireless standards can conduct
experiments by simply downloading software running on cost effective hardware. With such preamble,
in this chapter we will analyze the theory, the techniques, and the tools commonly used for wardriving
IEEE 802.11-based wireless networks.
tHE (Art of) wArdrIvIng nowadays it implies three basic steps: (1) finding
a WLAN, (2) defining precisely its geographical
Owing to the absence of physicals barriers, the coordinates by using GPS devices, and (3) publish-
wireless medium, and consequently wireless ing the location in specialized Web sites to enrich
(WLANs) are accessible in a seamless manner. the wardriving community.
Thus, checking for the presence of some kind of With the increasing diffusion of WLANs,
wireless connectivity is quite a natural instinct; it is especially those based on the cost effective IEEE
sufficient to enable the wireless interface and wait. 802.11 technologies, searching for wireless signals
This action is a very basic form of wardriving, a is a quite amusing and cheap activity. However,
term originally coined by Shipley (2000) to refer to the IEEE 802.11 family originally relied (and still
the activity of “driving around, looking for wire- relies) on weak security mechanisms. In addition,
less networks.” This activity rapidly evolved, and many users unconsciously operate their wireless
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Wireless Wardriving
networks without activating any confidentiality, Nevertheless, many wardrivers do prefer a Personal
integrity, and availability (CIA) mechanisms: Computer Memory Card International Association
opportunity makes the thief. Then, wardriving (PCMCIA) wireless card that is capable to connect
becomes a less noble hobby, since many wardrivers with an external antenna to sense a wider area. With
try also to gain access to the discovered networks; this basic setup you should be able to enable the
many of them are only interested in cracking the wireless interface and start scanning the air. But,
network, while a portion will steal someone else’s in order to conduct more sophisticated actions, a
bandwidth. In this perspective, another basic step deeper understanding of aspects related to hard-
has been introduced: (4) trying to gain access to ware and software should be gained. A detailed
the WLAN. breakdown follows.
It is also interesting that wardriving is becoming
part of the urban culture. For instance, it spawned wireless Interfaces
a strange fashion called warchalking, that is, the
drawing of symbols in public places to advertise Each model of wireless interface differs in some
wireless networks, as defined by Matt Jones (as way. Regardless of different power consumption,
cited in Pollard, 2000). better antennas, and so on, two major aspects
must be taken into account: the chipset and the
Then, why is it important to know about wardriv- availability of ad hoc drivers. The chipset roughly
ing? represents the soul of a wireless interface and it is
mostly responsible of its capability. For instance,
Firstly, because you must become conscious some chipsets do not allow assembling ad hoc
that an active WLAN can trigger “recreational frames, preventing from exploiting particular
activities,” even if it is solely employed to share a attacks. The reasons are different: the chipset
printer. Secondly, the coordinated effort of many could lack the logic to deal with raw packets or
people highlighted several security flaws in the its specification is not known, discouraging tool
IEEE 802.11 standards and produced effective tools developers to exploit such functionalities. At the
to test (well, actually, to compromise) the security of time of this writing, cards based on the Prism
access points (APs). Thirdly, while performing their chipset are the most studied and documented, re-
“raids,” wardrivers discovered flaws in the devices; sulting in a variety of pre-made tools for preparing
consequently, this is a valuable knowledge that packets.1 Lastly, being the interfaces engineered for
could be used to avoid further errors. Lastly, trying providing connectivity and not such kind of tasks,
to be a wardriver is an instructive activity that will manufacturers often change the internal chipset,
help to better understand WLANs technologies, even if maintaining the model or the brand name.
develop your own auditing tools and procedures, This is why not all wireless cards are the same,
and prevent, or at least, recognize attacks. and you should check their specifications carefully
if you plan to use them for wardriving.
Wireless Wardriving
The importance of drivers becomes evident the properties of the belonging kext. The “hack”
when you scan the air for a network. About the consists in a simple operation (i.e., changing a
totality of the bundled drivers does not allow to string) but it took time to discover.
perform the so called passive scan. Passive scan Firstly, the proper Info.plist must be located.
implies that your interface operates in passive In a console type:
mode, often called radio frequency monitoring
(rfmon) mode. While you operate in rfmon, you Mud:Luca$ cd /System/Library/Extensions/AppleAirPort.
kext/Contents/
can scan APs and remain undetectable, since your
card does not send any probe packets.
Hence, you can see the content of the kext upon
Conversely, when acting in active mode, which
simply typing:
is the standard configuration, as soon as you start
looking for an AP, you will be revealed. The ability of Mud:Luca$ ls
switching from active to passive mode and vice versa Info.plist MacOS version.plist
is provided by the drivers. Many drivers do not provide
this functionality, while others have this functionality Then, it is possible to modify the Info.plist
hidden and must be reverse engineered.
For the most popular chipsets, alternative driv- Mud:Luca$ vim Info.plist
ers that allow the user to put the card in rfmon are
available. If you plan to do undercover works, you The key responsible of enabling the rfmon fol-
should check the driver availability. lows, in boldface:
However, the active mode is faster than the
passive mode. While operating in passive mode, <key>IOKitPersonalities</key>
the average time needed for scanning a channel <dict>
<key>Broadcom PCI</key>
is about 50 ms. Obviously, multiple channels scan <dict>
requires n • 50 ms. Conversely, when performing <key>APMonitorMode</key>
scanning operations in active mode, the needed <false/>
time is lower. In fact, the operations required are:
transmitting a probe request + waiting for a DCF Switching the dictionary entry <false/> to <true/>
IFS interval + transmitting a probe response. The enables the AirPort Extreme card in rfmon.
overall time needed per channel is roughly equal However, such a task could be performed pro-
to 0.45 ms. Again, scanning n channels increases grammatically.
the needed time accordingly (Ferro, 2005). This is the approach taken in KisMAC, which is
popular among wardrivers. As an example, in the
An Example of Driver Hacking following, the Objective-C code snippet checking
whether or not the wireless interface is rfmon is
As said, the ability of enabling an air interface depicted in Snippet 1.
in rfmon could be available in the driver, but not Roughly, the steps presented in Snippet 1 allow
documented. This is the case of the driver for the the user to: (1) obtain a handler to the proper Info.
AirPort Extreme wireless adapters bundled with plist file; (2) prepare a dictionary for parsing the
MacOS X. This example is introduced for didacti- Info.plist; and (3) check if the <APMonitorMode>
cal purposes, stressing how a simple “hack” can key is <false/> or <true/>.
transform a partially closed platform in an excellent
wardriving configuration. the operating system and other
In a nutshell, OSX drivers are implemented via Matters
kernel extensions (kexts) that are similar to Linux’s
modules. Every kext is bundled with a kind of Needles to say, the operating system (OS) plays
configuration file called Info.plist. The Info.plist is a role. For instance, when processing data for
a XML file containing a dictionary that describes
Wireless Wardriving
bruteforcing an encrypted flow, a good symmetric Concerning the CRC32, it is employed to check
multi process (SMP) support is a must (as well as data and to assure integrity. It has not the crypto-
a good multi-threaded implementation). graphic strength of other hashing algorithms, such
In addition, many APs can reject data from un- as the MD5 and the SHA1 (Schneier, 1996). The
recognized MAC addresses: for this reason, having CRC32 employed in the wired equivalent privacy
an OS that allows the user to change the MAC ad- (WEP) algorithm has two major properties, as
dress of active interfaces is important. Lastly, many presented in Table 2.
tools only run on *nix operating system. However,
the traffic collection phase could be decoupled by
the processing, hence allowing the user to collect About tHE sEcurIty of IEEE
data on a machine and process it on another. As a 802.11
consequence, simple devices (e.g., with low com-
putational power) could be employed to collect The IEEE 802.11 security framework has changed
data and discover APs (e.g., PDAs and portable during the years: from the flawed WEP, to the
gaming devices), while a standard PC could be wireless protected access (WPA) introduced by
used for processing the collected traffic. the Wi-Fi alliance in late 2002. However, since
mid-2004, the IEEE 802.11i Working Group (WG)
xor Arithmetic and crc32 in a introduced a framework based on the 802.1X and
nutshell the extensible authentication protocol (EAP), to
bring the wireless security to the next level; such
In order to understand the security mechanisms, effort is known as WPA2.
and possible attacks, a little remark about eXclu- Even if highly criticized, the security mecha-
sive OR (XOR) arithmetic and the properties of nisms proposed by different WGs have developed
CRC32 functions, employed for data checking, are having in mind different operative contexts. For
presented. Basically, the XOR operator respects instance, the WEP (as the name suggests) has
the properties presented in Table 1. been developed to prevent simple connection at-
tempts, while WPA has been developed to offer
Table 1. Basic XOR arithmetic (⊕ represents the an adequate resistance to well-planned attacks.
XOR operator) Currently, an average wardriver can: surely con-
nect to an unprotected AP, spend 10 minutes to 1
Operation Result
hour to break the WEP, and crack a WPA-protected
0⊕0 0 AP in some of its weak variants and well-suited
1⊕0 1 circumstances. In order to understand the common
1⊕1 0 technique employed by wardrivers, the commonly
(A ⊕ B) ⊕ A B adopted security countermeasure will be briefly
(A ⊕ B) ⊕ B A explained.
Wireless Wardriving
Property Application
Linearity CRC32(A⊕ B) = CRC32(A) ⊕ CRC32(B)
Independence of WEP Key It is possible to flip bits without being recognized by the WEP
Wireless Wardriving
M’
Seed
points, let us summarize its basic functionalities. Splitting the Seed in two sub parts (the IV
The WEP performs the encryption per packet; let a and the WEP key) is one of the major flaws of the
given packet M represent a message in clear form procedure. However, the reason is rooted both in
to be sent. Hence, the following steps happen: the nature of the RC4 and wireless channels. The
RC4 has been used in the WEP since it is widely
A 32-bit cyclic redundancy check (CRC) algo- adopted and well studied. But its application over
rithm is applied to M in order to produce a check- wireless channels poses some drawbacks. In fact,
sum. Then: CSum = CRC32(M). Basically, a CRC wireless channels frequently drop packets, thus
is introduced to assure message integrity. However, maintaining a proper synchronization in the stream
the use of CRC-like codes in this kind of environ- to allow the decryption operations is a challenging
ment has been proven to be very dangerous. task. Consequently, to overcome the possibility of
packet loss and stream de-syncing, each encrypted
Let us define as M’ the message actually pro- packet is sent along with the IV that generates its
cessed by the WEP algorithm, hence to be really sent keystream. This represents another weakness in
over the channel. M’ is depicted in Figure 1. the algorithm, since it allows a wardriver (attacker)
Then M’ is encrypted by using the RC4 al- to seamlessly collect IVs.
gorithm, that relies on a stream cipher approach. Concluding, the ciphered text C is provided
Thus, the actual Seed used by the WEP is the by:
combination of a 24-bit initialization vector (IV)
and the WEP key, as depicted in Figure 2. C = M’ ⊕ RC4Key
Referring to Figure 2, two different WEP keys
are available: 40-bit long keys adopted in the where, ⊕ represents the XOR operator, and RC4Key
standard implementation, or 104-bit long keys is the keystream generated by the RC4 algorithm
adopted in the extended implementation, which by feeding it with Seed. Figure 3 depicts a WEP-
has been introduced to prevent brute force at- encrypted packet that could be collected and ex-
tacks. Here comes the marketing: a “64 bit WEP ploited by a wardriver. Needles to say, IVs convey
secured network” actually relies only on 40-bit precious information, and in the following, we
long keys, since 24-bits represent the IVs. For the show how standard tools can exploit this.
same reason, a “128-bit WEP secured network”
only relies on 104-bit keys.
Wireless Wardriving
IV (24 bit) C
Many APs allow changing the power employed for As discussed in the Understanding the effective
transmitting data. However, many users keep the strength of the WEP section, WEP offers different
default values or use more power than required. alternatives to be attacked and cracked. In this sec-
Despite the waste of energy, this raises also some tion, we will introduce the most popular attacks,
security risks. For instance, if there is the need of and then we will present some practical examples.
covering a conference room, it is harmful to ir- Besides, attacks could be roughly grouped in two
Wireless Wardriving
categories: passive and active. A passive attack range. Usually, the user must insert a pass phrase,
solely relies on the traffic collected, while an active something like: “Ken sent me” and the wizard will
attack consists also in injecting some additional automatically generate a WEP key. However, many
traffic in the network. For instance, active attacks generators appear to be flawed. He discovered that
are employed to stimulate the traffic to collect if two steps in the generation process reduce the
there are not any clients connected to an AP at a “strength” of the key; specifically:
given time. The latter techniques will be presented
when needed, then in the Example section. 1. The ASCII mapping reduces the entropy:
usually ASCII strings are mapped to 32 bit
bruteforce Attacks value and the XOR operation guarantees
four zero bits. In addition, the highest order
Every security algorithm is exposed to bruteforce bit of each character is equal to zero. Then,
attacks. The key point is if a bruteforce attack is only seeds from 00:00:00:00 e 7f:7f:7f:7f can
feasible. As said, WEP exists in two variants. occur.
Concerning the 40 bit standard implementation, 2. The use of Pseudo Random Number Genera-
a bruteforce attack could be feasible. Probably, an tion (PNRG) reduces the entropy: for each
occasional attacker will have a machine allowing 32bit output, only a portion of the available
to check 10,000 to 15,000 keys/second; hence, it binary word is considered (e.g., bits 16 through
is not sure that he/she will complete the attack (on 23). Besides, the generator has the properties
an average laptop, 200 days are required). But an of generating bits with different degrees of
organization or a professional attacker can try “randomness.” For instance, a bit in position
to successfully bruteforce the WEP in the 40-bit k has a cycle length of 2k. Then, Newsham
variant. Nevertheless, nowadays there are several noticed that the produced bytes have a cycle
software libraries for parallelizing computations, length of 224, thus reflecting in seeds ranging
as well as software tools for building clusters (e.g., from 00:00:00:00 and ff:ff:ff:ff.
Beowulf or Mosix for the Linux platform and XGrid
for MacOS X). Owing to the availability of the In order to discover the key, it is sufficient to
source code of bruteforcing tools, porting them consider seeds ranging from 00:00:00:00 through
on such frameworks could be possible. Actually, 00:7f:7f:7f with zero highest order bits, hence
bruteforce is never employed, since it is possible reducing the space and only analyzing 221 words.
to successfully crack the WEP in simpler and As a consequence, it is possible to bruteforce such
quicker ways. flawed implementations in minutes. The most
Conversely, the 104-bit long key available in the popular implementation of Newsham’s 21-bit at-
WEP extended implementation is immune against tack is available in the KisMAC tool. According
bruteforce attacks (with a standard gear, about 1019 to KisMAC documentation, Linksys and D-link
years are needed). devices appear, at the moment, the most vulner-
able to this attack.
the tim newsham’s 21-bit Attack
weak Ivs
Tim Newsham is a well-known security expert and
consultant. Among wardrivers he is very popular This attack relies on how the RC4 is used to pro-
for inventing the 21-bit attack (Newsham, 2003), duce a WEP-encrypted stream. Basically, some
allowing to bruteforce some WEP implementa- IVs can reveal some information about the secret
tions in minutes. key embedded in the first byte of the keystream.
Basically, Newsham noticed that several ven- Then it is enough to collect a sufficient number of
dors generate WEP keys from text, in order to make weak IVs and, if the first byte of the keystream is
easy-to-use products and cover a wider market known, it is possible to retrieve the key.
Wireless Wardriving
Regarding the collection of the first byte of This kind of attack relies on relation (1). How-
the keystream, the IEEE 802 standard gives some ever, the operations in (1) are possible since both
useful hints. In fact, IEEE 802.11 frames always messages have been encrypted with the same Seed.
begin with the SNAP field, which most of the time To overcome this, IVs have been introduced, being
is set to 0xAA. Then it is sufficient to collect weak them the only portion of the Seed that varies. Alas,
IVs that come in the form of: IVs are only 24-bit long, hence it is likely that the
same Seed will be sent over the network again.
(Y+3, 256, X)
the oracle
where Y is the portion of the key under attack,
the second value is 256, since RC4 works on a In order to recover a relevant amount of known
modulo-256 arithmetic, and X can be any value. plaintext, the AP could be used as an Oracle, a
Fluhrer, Martin, and Shamir (FMS) have devel- device that unconsciously encrypts well-crafted
oped an efficient attack available in different tools. packets for the attacker.
However, the core of the attack is out of the scope Figure 4 depicts the basic operations performed
of this chapter. to conduct the attack. This attack is nowadays un-
As a concluding remark, new devices tend to likely, since as explained, there are several faster
avoid weak IVs’ generation. In fact, hardware de- and simpler ways to crack the WEP. Basically, the
velopers better engineer their devices, increasing attacker exploits an active connection targeting
attention to the IVs’ generation mechanism. the victim. Then he/she sends (e.g., via General
Packet Radio Service [GPRS], or Universal Mobile
keystream reuse Telecommunications System [ UMTS], or similar)
known packets that will be encrypted by the AP
Suppose to be in the following scenario: two dif- before transmission over the WLAN.
ferent cleartext messages, M’1 and M’2 must be It becomes clear that this attack exploits the fact
transferred over the channel. Let us assume that that an AP could be used to connect a network to
both messages share the same keystream. Then: the Internet without any further protection mecha-
nism (e.g., a firewall or a virtual private network
C1 = M’1 ⊕ RC4Key(Seed) [VPN] support). For completeness, in early days
C2 = M’2 ⊕ RC4Key(Seed) when GPRS was expensive, usually the attack was
performed by cooperating with another wardriver,
C1 and C2 are the two WEP encrypted mes- usually at home, with an active Internet connection
sages, and Seed is the one employed for the RC4, remotely injecting packets to the AP.
as depicted in Figure 2 of the Understanding the
effective strength of the WEP section. Then, it is decryption dictionary
possible to perform the following operation:
This kind of technique is no longer employed, and
C1 ⊕ C2 = (M’1 ⊕ RC4Key(Seed)) ⊕ there are not any proofs that it has ever been ex-
(M’2 ⊕ RC4Key(Seed)) = M’1 ⊕ M’2 (1) ploited in its basic form. However, it is interesting
that this attack allows (at least theoretically) the
As a consequence, knowing M’1 (or M’2), allows user to decrypt all the traffic without knowing the
to recover M’2 (or M’1). One might argue that the WEP key. Basically, it is sufficient to build a table
knowledge of a message M’x is a tight hypothesis. of the intercepted keystreams. Then, it is possible
However, being messages packets generated by to compile a table of all the possible values (and
some well-known protocol, it is possible to craft also skip the RC4 phase). The drawback, prevent-
packets and send them via the Internet to a target ing its proficient exploitation, is the space required
host on the WLAN. Hence, the AP will encrypt for this kind of attack. In fact, the encrypted
the data for the attacker.
Wireless Wardriving
AP Internet
Target Known
Encrypted
Packet
Wardriver
WLAN
stream is 1,500 bytes long at maximum, owing to dictionary attacks in the section devoted to WPA.
the maximum MTU available, and the adoption Such concepts could be straightforwardly extended
of a 24-bit IV produces 16,777,216 (224) possible also to WEP.
streams. Hence, the required space is 16,777,216
• 1500 = 23.4 Gbytes. WEP Attack via KisMAC
With the advent of PCMCIA cards, and their
poor implementation of the policies to generate IVs, Let us show an attack performed to a WEP-secured
the adoption of a dictionary-based attack became network. Firstly, we show how to crack a network
feasible. In fact, many PCMCIA wireless cards reset with KisMAC. This gives an idea of how simple it
the IV to 0 each time they are re-initialized. Re- might be. After launching KisMAC, one can start
initialization happens each time they are activated the scanning. If supported, one can select whether
(e.g., typically once a day in many circumstances). or not to adopt passive or active scanning. Figure
Then it is sufficient to build a dictionary only for 5 depicts the result of a scan.
the very first values of IVs, in order to decrypt Then, if there is the need of cracking the WEP,
most of the flowing traffic. different actions could be performed. Firstly, one
can try the Newsham’s 21-bit attack, or try to
Examples bruteforce the WEP, but owing to the “informa-
tion” conveyed by the IVs, quicker solutions could
In this section, we will present briefly some pos- be adopted.
sible attacks against a WEP-secured network. Two things may happen: (1) the network is
Firstly, we will show how to attack a network by experiencing a huge amount of traffic, hence pro-
using KisMAC, a tool running on MacOSX with ducing a huge amount of IVs. In this perspective,
a simple GUI. Then we will show how to use stan- an attacker must only wait to collect a sufficient
dard terminal-based tools commonly available for number of IVs to perform a suitable attack; or (2)
different Unix flavors. As a remark, we will not the network is under a low load, hence the time
spend too much time on explaining bruteforce or needed to collect a sufficient amount of IVs is
dictionary attacks. In fact, WEP could be cracked non-negligible. Then, it is possible to stimulate
in a more elegant way; conversely, owing to its traffic by using the de-authentication attack or
better security, we will explain bruteforcing and injecting well-crafted packets; Figure 6 depicts
0
Wireless Wardriving
Figure 7. The network has been attacked with an authentication flood. Notice the random-generated
MAC addresses.
Wireless Wardriving
possible attacks to stimulate traffic, while Figure networks. The needed number of IVs varies: if your
7 depicts the “fake” stations that populate the at- traffic dump is blessed, collecting 100,000 IVs
tacked wireless network. suffices. Usually, the needed number of IVs ranges
from 250,000 to 500,000. However, some advanced
WEP Attack via Terminal-Based Tools APs have algorithms that avoid the generation of
weak IVs, hence reflecting in a huge number of
Firstly, let us start searching a network. For do- needed IVs (in the order of several millions).
ing this, let us use airodump. Airodump allows to If there is not enough traffic on the network,
collect traffic from a wireless interface. It could collecting IVs could be a tedious (or at least time
be possible that you have airodump-ng instead, consuming) task. Moreover, if a sophisticated AP
since it represents the evolution of the aircrack is employed, collecting 5,000,000 IVs with a traffic
wireless suite. We will refer to the classical tool, of few packets per second could be impossible.
since it could be possible that you already have it, Then, it is possible to stimulate traffic on the
especially if your configuration is not up-to-date; WLAN, in order to increase the number of packets
however, the concepts, as well as its usage, are sent, hence speeding up the collection of IVs.
the same. For instance, by using the aircrack suite, it is
Supposing the tool properly installed, it is suf- possible to exploit the so-called address resolu-
ficient to type in a terminal: tion protocol (ARP) replay.2 Roughly, ARP relies
on broadcasting a request (an ARP Request) for
Mud:Luca$ ./airodump cardName theTrafficFile 0 log- an IP address, in order to discover the matching
gingMode between L2 and L3 addressing. The device that
recognizes its IP address sends back a query di-
Here, ./airodump launches the tool, cardName rectly to the original requestor. Alas, WEP does
is the name of the card used to monitor the air, not assure protection against replay attacks. So you
theTrafficFile is the output file collecting data. The can inject well-crafted ARP packets and generate
parameter 0 specifies that we want to hop chan- answers containing valid IVs. Needles to say, the
nels, while loggingMode allows to switch between more aggressive your ARP generation strategy is,
logging all traffic or only IVs. the more packets you will collect (thus, reducing
If we have collected enough IVs, we can try to the time needed to collect a certain x amount of
crack the WEP by using aircrack. Some couple of valid IVs).
remarks: (1) the traffic collection and the crack- To perform an ARP replay attack you can use
ing phases are decoupled. Then you can perform the tool as follows (notice, that you must have also
an attack off-line (not hidden in a parking lot); a sniffer running in order to capture replies).
(2) it is possible to collect data with well-known
sniffers, such as Wireshark (formerly known as Mud: Luca$ ./aireplay-ng --arpreplay -b MACAP -h TMAC
Ethereal). For instance, under Linux it is possible Interface
to use airmon-ng to configure the wireless card,
then using Wireshark to collect traffic. By using ./aireplay-nglaunches the tool, the flag --arpreplay
ivstool from the aircrack-ng suite you can convert specifies to perform the ARP replay attack, -b
IVs from .pcap format to aircrack one. MACAP specifies the MAC address of the AP and
Then, you can crack a network by typing: -h TMAC specifies the MAC of the target (victim)
host. Lastly, Interface tells the program which
Mud:Luca$ ./aircrack -b MAC theTrafficFile wireless interface must be used.
If everything is correct, the attack starts gen-
Here, -b MAC specifies the MAC address (or erating more traffic.
the BSSID) of the target network. In fact, your
dump could have collected traffic from different
Wireless Wardriving
Wireless Wardriving
Wireless Wardriving
a smart step could be to investigate sites customer). Besides, studying the tools and collect-
publishing WLANs, in order to discover if ing the traces is mandatory to discover possible
yours has been detected and cracked. attacks, for instance by recognizing unusual probes
2. Check for (almost weekly) security bulletins or excessive de-association requests.
(e.g., BugTraq). Gears are composed not
only by hardware, but also software (e.g., the do not rely on weak Passwords
firmware) that could have vulnerabilities. For
instance, one of the most famous was related As explained in previous section, bruteforcing
to an AP that upon receiving a broadcast a WLAN will be always possible. WEP makes
user datagram protocol (UDP) packet on bruteforcing to be useless (owing to its flaws), but
port 27155 containing the string “getsearch” WPA-PSK can be only exploited by using a dic-
returned (in clear) the WEP keys, the MAC tionary attack. Hence, the strength of your WLAN
filtering database and the admin password (a depends on the password. Use a good policy to
big prize, indeed). create and distribute passwords and change them
3. Periodically download and try the tools. It is often. Do not forget that hundreds of people col-
useful, funny, and gives an idea of the activity laborate to produce dictionaries with most popular
of the underground community. passwords, also the most disparate ones (and also
in leet variant – l33t v4r1aNt).
Avoid Default Configurations
(Always)
tools
It is widely known that default configurations are
most of the time fine for normal users, but not NetStumbler (www.netstumbler.com): NetStum-
particularly tweaked for security. For instance, bler is a program for the Windows™ operating
in the Wireless power section we discussed some system allowing to detect WLANs. It is a quite
possible risks arising when too much transmis- handy tool for locating WLANs but it has not all
sion power is employed. Besides, another threat the features and the flexibility of the Aircrack-ng
relies in default names for the SSID, which can suite.
be employed to uncloak a hidden network, even if Kismet (www.kismetwireless.net): Kismet al-
without special tools. For instance, it is well known lows monitoring and sniffing traffic over a WLAN.
that many Cisco AP use “tsunami” as default SSID, In addition, it can also be adopted as an intrusion
and that Linksys uses “linksys.” Nevertheless, it is detection system. Kismet is able to identify net-
possible to retrieve them by performing a simple works both in active and passive mode. Besides,
Web search (moreover it is possible to retrieve it also offers many other features, such as BSSID
SSID naming schemas for hotels, retailers, and uncloaking. Kismet supports many wireless cards
popular Internet cafès…). Lastly, a good sugges- and many OSs, as well as many CPUs (e.g., x86,
tion is to change also the default password of your ARM, PPC, and X-Scale); however, some features
gear, since a malicious attacker (that normally is are only available on the Linux-x86 version.
not a wardriver, but a vandal) can try to alter the KisMAC (http://KisMAC.de/): KisMAC is
AP configuration. the counterpart of Kismet, but it runs natively on
MacOSX and it is easy to use, owing to its simple
browse the source and use the tools GUI.
Aircrack-ng (http://www.aircrack-ng.org):
Owing to the availability of the tools, it is a better Aircrack-ng is a comprehensive suite of tools,
idea to try to be a wardriver sometimes, in order to ranging from analyzers, sniffers, and cracking
test your own set-up, as well as the configuration tools. Sources and scripts are available, promoting
made by your users (e.g., students, colleagues, or aircrack-ng as one of the best tools and a starting
Wireless Wardriving
Attack
Security
- Skills Needed WLAN Affected Countermeasures
Risk
Detected Anomaly
None. Automatically done in
SSID uncloack ALL 1 None at this level.
several software
point for developing automated (e.g., cron-drived) comprehensive table. In addition, we will also
or tweaked wardriving tools. introduce some “security risks” in order to better
calibrate the needed countermeasures. Security
risks have been quantified on a range varying from
suMMAry tAblE About 0 (none) to 10 (severe). However, the more security
wArdrIvIng AttAcks is employed in the WLAN, the better. But, being
wardriving tightly mixed with people habits and
In this section, we summarize many security threats urban culture, the exposures to risks may vary
deriving from wardrivers’ activity, by offering a according where the WLAN is placed. Table 3
contains the summary.
Wireless Wardriving
In this chapter we introduced the concept of war- Active Mode: Active mode is an operative
driving, and practices related to cracking wireless mode where scanning is done via probe packets.
networks. As explained, cracking a WLAN is not As a consequence, the scanner does not remain
a complex task: then, for your security you should undetected.
rely on other techniques (e.g., RADIUS). In addi-
MAC Address Filtering: MAC address fil-
tion, by using examples, it is possible to produce
tering is a technique that allows/denies network
your own penetration tests, as well as exercises
accesses only for a predefined MAC address.
to show some real world attack to students and
engineers. MAC Spoofing: MAC spoofing is changing the
MAC of the L2 interface. Typically it is employed
to by-pass MAC address filtering.
AcknowlEdgMEnt
Packet Injection: Packet injection is the activity
of inserting a packet in a network for some purpose.
The author wishes to thank Prof. Franco Davoli
For instance, when attacking a WEP-protected
for the technical suggestions and the thorough
network, to stimulate the traffic production to gain
review, and Eng. Sergio Bellisario for the techni-
more data to be analyzed.
cal review.
rfmon: rfmon is an operative mode of IEEE
802.11-based air interfaces, allowing to scan for
rEfErEncEs access points while remaining undetectable, since
the card does not send any probe packets.
Ferro, E., & Potortì, F. (2005, February). Bluetooth
Wardriving: Wardriving is the activity of “driv-
and Wi-Fi wireless protocols: A survey and a com-
ing around, looking for wireless networks.”
parison. IEEE Wireless Communications, 12-26.
Wired Equivalent Privacy (WEP): WEP is an
Newsham, T. (2003). Applying known techniques
encryption mechanism with many security flaws.
to WEP keys. Retrieved December 12, 2006, from
Recognized as a real security issue, it has been
http://www.lava.net/~newsham/wlan/WEP_pass-
replaced by wireless protected access (WPA).
word_cracker.pdf
Pollard, D. (2002). Write here, Right now. Retrieved
December 12, 2006, from http://news.bbc.co.uk/1/ EndnotEs
hi/in_depth/sci_tech/2000/dot_life/2070176.stm
Schneier, B. (1996). Applied cryptography: Proto- 1
However, if raw frames are supported by the
cols, algorithms, and source code (2nd ed.). John internal chipset, you can always build your
Wiley & Sons. own tools and enabling drivers by investigat-
Shipley, P. M. (2000). Peter M. Shipley personal ing the data-sheets.
homepage. Retrieved December 12, 2006, from
2
Many OSes or firmware clear the ARP cache
http://www.dis.org/shipley/ upon disconnection. Then, it could be useful
to use a more “aggressive” strategy, as sug-
gested in aircrack documentation.
Chapter VI
Intrusion and Anomaly
Detection in Wireless Networks
Amel Meddeb Makhlouf
University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia
AbstrAct
The broadcast nature of wireless networks and the mobility features created new kinds of intrusions and
anomalies taking profit of wireless vulnerabilities. Because of the radio links and the mobile equipment
features of wireless networks, wireless intrusions are more complex because they add to the intrusions
developed for wired networks, a large spectrum of complex attacks targeting wireless environment. These
intrusions include rogue or unauthorized access point (AP), AP MAC spoofing, and wireless denial of
service and require adding new techniques and mechanisms to those approaches detecting intrusions
targeting wired networks. To face this challenge, some researchers focused on extending the deployed
approaches for wired networks while others worked to develop techniques suitable for detecting wireless
intrusions. The efforts have mainly addressed: (1) the development of theories to allow reasoning about
detection, wireless cooperation, and response to incidents; and (2) the development of wireless intrusion
and anomaly detection systems that incorporate wireless detection, preventive mechanisms and tolerance
functions. This chapter aims at discussing the major theories, models, and mechanisms developed for
the protection of wireless networks/systems against threats, intrusions, and anomalous behaviors. The
objectives of this chapter are to: (1) discuss security problems in a wireless environment; (2) present
the current research activities; (3) study the important results already developed by researchers; and (4)
discuss the validation methods proposed for the protection of wireless networks against attacks.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Intrusion and Anomaly Detection in Wireless Networks
can belong to two categories of attacks. The first tion. The seventh section discusses mechanisms
category targets the fixed part of the wireless of prevention and tolerance provided to enhance
network, such as MAC spoofing, IP spoofing, and the wireless intrusion detection. Finally, the last
denial of service (DoS); and the second category section concludes the chapter.
of these attacks targets the radio part of the wire-
less network, such as the access point (AP) rogue,
noise flooding, and wireless network sniffing. The vulnErAbIlItIEs, tHrEAts, And
latter attacks are more complex because they are AttAcks In wIrElEss nEtworks
hard to detect and to trace-back.
To detect such complex attacks, the WIDS To present vulnerabilities, threats, and attacks
deploys approaches and techniques provided targeting wireless networks, we have to discuss
by intrusion detection systems (IDS) protecting first the security requirements of wireless systems,
wired networks. Among these approaches, one including those concerning security policy. This
can find the signature-based and anomaly based section presents the concepts of wireless intrusion,
approaches. The first approach consists in match- anomaly, and attack scenario in wireless networks,
ing user’s patterns with stored attack’s patterns (or in order to highlight intrusion and anomaly detec-
signatures). The second approach aims at detect- tion requirements. In particular, it discusses some
ing any deviation of the “normal” behavior of the attacks and attack classification that make security
network entities. The deployment of the afore- in wireless systems very special.
mentioned approaches in a wireless environment
requires some modifications. The signature-based security requirements in wireless
approach in wireless networks may require the
Environments
use of a knowledge base containing the wireless
attack signatures while an anomaly based ap-
Securing a communication channel should satisfy
proach requires the definition of profiles specific to
at least the following set of requirements: integ-
wireless entities (mobile users and AP). Recently,
rity, confidentiality, and availability. Moreover,
efforts have focused on wireless intrusion detec-
wireless communications require authentication
tion to increase the efficiency of WIDS. Based on
of the sender or/and the receiver and techniques
these efforts, models and architectures have been
that guarantee non-repudiation. In the following,
discussed in several research works.
we discuss technical security and security policy
The objective of this chapter is to discuss the
requirements which help reducing vulnerabilities
major research developments in wireless intru-
and attack damages.
sion detection techniques, models, and proposed
Because of their technical architecture, mobile
architectures. Mainly, the chapter will: (1) discuss
communications are targets for a large set of threats
security problems in wireless environments;
and attacks that occur in wired networks, such as
(2) present current research activities; (3) study
identity spoofing, authorization violations, data
important results already developed; and (4)
loss, modified and falsified data units, and repu-
discuss validation methods proposed for WIDS.
diation of communication processes. Additionally,
The remaining part is organized as follows: The
new security requirements and additional measures
next section discusses vulnerabilities, threats, and
for wireless networks have to be added to the se-
attacks in wireless networks. The third section
curity requirements of wired networks (Schäfer,
presents wireless intrusion and anomaly detection
2003). Vulnerabilities, threats, and attacks, existing
approaches. The fourth section introduces models
in wireless networks represent a greater potential
proposed for detecting wireless intrusions. The fifth
risk for wireless networks. One among technical
section presents WIDS architectures, proposed by
requirements is the enforcement of security of
researches papers. The sixth section presents the
the wireless links, because of the ease of gaining
wireless distributed schemes for intrusion detec-
direct physical accesses. Moreover, new difficulties
Intrusion and Anomaly Detection in Wireless Networks
can arise in providing wireless security services. given perimeter. Consequently, the AP’s
For example, the authentication of a mobile de- placement and signal strength have to be
vice has to be verified by (or for) all AP (or base adapted to make sure that the transmitting
station [BS]) under which the mobile changes its coverage is just enough to cover the correct
localization. Because of the handover, respective area.
entities cannot be determined in advance, so the key • Physical security of an authorized AP:
management process is more complicated. Also, Because most APs are mounted by default,
the difference with wired networks, in terms of their placement is critical. An AP has to be
confidentiality of mobile device location, reveals a correctly placed in order to avoid accidental
number of threats against mobile communications. damage, such as direct access to the physical
This appears because of the following conflict: network cable. To protect physically the ac-
In one hand, each mobile should be reachable for cess to the AP, many solutions were proposed;
incoming communication requests while, on the but all of them require a mandatory policy.
other hand, any network entity should be able to • Rogue AP: This vulnerability is a sort of man-
get the current location of a mobile device in the in-the middle attack, where an attacker can
network (Schäfer, 2003). place an unauthorized (or rogue) AP on the
network and configure it to look legitimate to
wireless vulnerabilities and threats gain access to wireless user’s sensitive data.
This can be done because user’s devices need
A vulnerability is a weakness (or fault) in the to be connected to the strongest available AP
communication medium or a protocol that al- signal.
lows compromising the security of the network • The easy installation and use of an AP: In
component. Most of the existing vulnerabilities in order to use the advantages of internal net-
the wireless medium are caused by the medium. works, employees can introduce an unauthor-
Because transmissions are broadcast, they are ized wireless network. The easy installation
easily available to anyone who has the appropri- and configuration of the AP make this feasible
ate equipment. Particular threats of the wireless for legitimate or illegitimate users.
communication are device theft, malicious hacker, • The AP configuration: If the AP is poorly
malicious code, theft of service, and espionage configured or unauthorized, then it can pro-
(Boncella, 2006). There are numerous of wire- vide an open door to hackers. This is caused
less vulnerabilities and threats that are studied in by using a default configuration that anni-
the literature, for the purpose of detecting attacks hilates the security controls and encryption
exploiting them. In the following, we distinguish mechanisms.
two categories of vulnerabilities and threats: those • Protocol weaknesses and capacity limits
existing in a LAN-like wireless networks (WLAN) on authorized AP’s: These limitations can
and those existing in cellular-like wireless networks cause DoS from hackers using unauthorized
(Hutchison, 2004). AP’s when they can flood authorized AP
with traffic forcing them to reboot or deny
WLAN Vulnerabilities and Threats accesses.
The following are typical vulnerabilities existing in Some of the attacks, exploiting the aforemen-
the main component of WLAN, which is the AP. tioned vulnerabilities are discussed in the following
section of this chapter.
• Signal range of an authorized AP: This
vulnerability is about the possibility of the
extension of AP signal strength beyond a
0
Intrusion and Anomaly Detection in Wireless Networks
Detecting a large set of attacks by a WIDS requires • Probing and network discovery: This attack
studying and developing the attacker’s methods aims to identify various wireless targets. It
and strategies. We discuss in this subsection the uses two forms of probing: active and passive.
typical attacks and malicious events that can be Active probing involves the attacker actively
detected by a WIDS (Hiltunen, 2004; Vladimirov, sending probe requests with no identification
Gavrilenko, & Mikhailovsky, 2004). using the SSID configured in order to solicit
a probe response with SSID information and
Intrusion and Anomaly Detection in Wireless Networks
other information from any active AP. When down to create a “difficult to connect” scenario.
an attacker uses passive probing, he is listen- Second, the attacker must setup an alternate rogue
ing on all channels for all wireless packets, AP with the same credentials as the original for
thus the detection capability is not limited purposes of allowing the client to connect to it. Two
by the transmission power (Low, 2005). main forms of the MITM exist: the eavesdropping
• Inspection: The attacker can inspect network and manipulation. Eavesdropping can be done by
information using tools like Kismet and receiving radio waves on the wireless network,
Airodump (Low, 2005). He could identify which may require sensitive antenna. Manipula-
MAC addresses, IP address ranges, and tion requires not only having the ability to receive
gateways. the victim’s data but then be able to retransmit the
data after changing it.
Wireless Spoofing
Denial of Service Attacks
Spoofing purpose is to modify identification pa-
rameters in data packets. New values of selected DoS attacks can target different network layers as
parameters can be collected by sniffing. Typical explained in the following:
spoofing attacks include:
• Application layer: DoS occurs when a large
• MAC address spoofing: MAC spoofing aims
amount of legitimate requests are sent. It
at changing the attacker’s MAC address by
aims to prevent other users from accessing
the legitimate MAC address. This attack is
the service by forcing the server to respond
made easy to launch because some client-side
to a large number of request’s transactions.
software allows the user to view their MAC
• Transport layer: DoS is performed when
addresses.
many connection requests are sent. It targets
• IP spoofing: IP spoofing attempts to change
the operating system of the victim’s computer.
source or destination IP addresses by talking
The typical attack in this case is a SYN flood-
directly with the network device. IP spoof-
ing.
ing is used by many attacks. For example,
• Network layer: DoS succeeds, if the network
an attacker can spoof the IP address of host
allows to associate clients. In this case, an
A by sending a spoofed packet to host B an-
attacker can flood the network with traffic
nouncing the window size equal to 0; though,
to deny access to other devices. This attack
it originated from B (Mateli, 2006).
could consist of the following tasks:
• Frame spoofing: The attacker injects frames
The malicious node participates in a
having the 802.11 specification with spoofed
route but simply drops several data
containing. Due to the lack of authentication,
packets. This causes the deterioration of
spoofed frames cannot be detected.
the connection (Gupta, Krishnamurthy,
& Faloutsos, 2002).
Man in the Middle Attacks The malicious node transmits falsified
route updates or replays stale updates.
This attack attempts to insert the attacker in the These might cause route failures thereby
middle (man in the middle [MITM]) of a communi- deteriorating performance.
cation for purposes of intercepting client’s data and The malicious node reduces the time-
modifying them before discarding them or sending to-live (TTL) field in the IP header so
them out to the real destination. To perform this that packets never reach destinations.
attack, two steps have to be accomplished. First, the • Data link layer: DoS targeting the link layer
legitimate AP serving the client must be brought can be performed as follows:
Intrusion and Anomaly Detection in Wireless Networks
Since we assume that there is a single on using in the same system the two approaches
channel that is reused, keeping the simultaneously. To be efficient, intrusion detec-
channel busy in the node leads to a DoS tion approaches has to be run online and in real
attack at that node. time. Otherwise, the use of intrusion detection
By using a particular node to continually technique is useful for audit or postmortem digital
relay spurious data, the battery life of investigation and it will not prevent an attack on
that node may be drained. An end-to-end time. Real-time intrusion detection has to be able
authentication may prevent these attacks to collect data from the network in order to store,
from being launched. analyze and correlate them, which can decrease
• Physical layer: This kind of DoS can be network performance (Hutchison, 2004).
executed by emitting a very strong RF inter-
ference on the operating channel. This will wireless detection Approaches
cause interference to all wireless networks
that are operating at or near that channel. The main objective of wireless detection is to pro-
tect the wireless network by detecting any deviation
with respect to the security policy. This can be done
wIrElEss IntrusIon And by monitoring the active components of the wire-
AnoMAly dEtEctIon less network, such as the APs (Hutchison, 2004).
Generally, the WIDS is designed to monitor and
This section discusses the major security solutions report on network activities between communicat-
provided for wireless networks. In particular, the ing devices. To do this, the WIDS has to capture
cases of WLAN and ad hoc networks will be ad- and decode wireless network traffic. While some
dressed. The discussed methods include the radio WIDSs can only capture and store wireless traf-
frequency fingerprinting, cluster-based detection, fic, other WIDSs can analyze traffic and generate
mobile devices monitoring, and mobile profile reports. Other WIDSs are able to analyze signal
construction. fingerprints, which can be useful in detecting and
tracking rogue AP attack. As it is done for wired
basic techniques for detection networks, the following classifications of IDSs can
be distinguished according to several dimensions:
Wireless intrusion detection protects wireless the approach (signature based/anomaly based); the
networks against attacks, by monitoring traffic monitored system (network-based/host-based); and
and generating alerts. Two ways of detection are the way of response (active/passive).
distinguished: signature based and anomaly based.
The first category aims at detecting known attacks Mobile Profiles Construction
by looking for their signatures. The main disad-
vantage of such approaches is that they detect only The main objectives when using the anomaly
known attacks. The anomaly based approaches are based approach are to define user mobility profiles
not often implemented, mostly because of the high (UMPs) and design an appropriate system that
amount of false alarms that have to be managed permits the detection of any deviation with respect
loosing a large amount of time. Anomaly based to UMP. The intrusion detection process begins
detection develops a baseline of the way of con- with the data collection processing. Once the user
sidering normal traffic. When an abnormal traffic location coordinates (LCs) are determined, a high-
is detected, an alert is generated. The advantage level mapping (HLM) is applied. The objective
of such approach is that it can capture unknown of the HLM is to decrease the granularity of the
attacks. data in order to accommodate minor deviations or
To take from the advantages of the previous intra-user variability between successive location
two approaches, the hybrid approach consists broadcasts. LCs features are extracted from each
Intrusion and Anomaly Detection in Wireless Networks
broadcast during feature extraction. A set of these client within this list trying to access the
chronologically ordered LCs are subsequently network would be automatically denied and
concatenated to define a mobility sequence (Hall, an alert can be sent off.
Barbeau, & Kranakis, 2005). This process contin- • All wireless clients with an “illegal” MAC
ues until the creation of the mobility sequences. address (MAC address ranges, which have
The training patterns from the first four of the six not been allocated) are automatically denied
data set partitions are stored in the UMP, along with access and an alert is sent off.
other user-related information. During the classifi- • A wireless client that just sends out probe re-
cation phase, a set of user mobility sequences are quests or special distinguishable data packets
observed and compared to the training patterns in after the initial probe request has not been
the user’s profile to evaluate the similarity measure authenticated can be flagged out as potential
to profile (SMP) parameter. If the average of the network discovery attack.
SMP value exceeds predefined thresholds, then the • Usually, when impersonation attacks are on-
mobility sequences are considered abnormal and going, the attacker will take on the MAC/IP
an alert is generated (Hall et al., 2005). address of the victim, but it will not be able
The following parameters are defined for the to continue with the SN used previously by
mobility profiles: (1) the identifier representing the victim. Thus, by monitoring the SN in
the user identification; (2) the training patterns these packets, potential impersonators could
characterizing the user mobility behavior; (3) the be identified.
window size representing the mobility sequence
numbers (SN). Radio Frequency Fingerprinting (RFF)
Intrusion and Anomaly Detection in Wireless Networks
performed by the classifier component. To decide amplitude, phase and frequency, amplitude
about the status of the transceiverprint, the Bayesian variance, and deviations of normalized in-
filter is applied. This process requires extracting phase data and normalized quadrate data.
predefined transceiver’s profiles, which is detailed
in the following sub-section. cluster-based detection in Ad Hoc
networks
• Feature extractor: In this step, amplitude
and phase components are obtained using Due to the distributed nature of wireless networks,
respectively, equations (1) and (2). especially ad hoc networks are vulnerable to at-
tacks. In this case, intrusion detection provides
a (t ) = i 2 (t ) + q 2 (t ) (1) audit and monitoring capabilities that offer local
security to a node and helps to perceive specific
q (t ) trust levels of other nodes (Ahmed, Samad, &
(t ) = tan −1[ ] (2)
i (t ) Mahmood, 2006; Samad, Ahmed, & Mahmood,
2005). Clustering protocols can be taken as an ad-
Frequency extraction is done by applying ditional advantage in these processing constrained
the discrete wavelet transform (DWT), for networks to collaboratively detect intrusions with
example. less power usage and minimal overhead. Because
• Classifier: To classify a signal as anomalous, of their relation with routes, existing clustering
the probability of match has to be determined protocols are not suitable for intrusion detection.
for each transceiver profile. Therefore, a sta- The route establishment and route renewal and route
tistical classifier using neural networks can renewal affect clusters. Consequently, processing
be used, where the set of extracted features and traffic overhead increase, due to instability
represent a vector and the outputs are a set of clusters. Ad hoc networks present battery and
of matching probabilities. power constraint. Therefore, the monitoring node
• Bayesian filter: To decide whether match- should be available to detect and respond against
ing probabilities exceed threshold values, intrusions in time. This can be achieved only if
a Bayesian filter is applied because of the clusters are stable for a long time period. If clusters
noise and interference, which are special are regularly changed due to routes, the intrusion
characteristics of wireless environment. The detection will not be efficient. Therefore, a general-
Bayesian filter has to estimate the state of a ized clustering algorithm, detailed in Ahmed et al.
system from noisy observations. (2006) has been discussed. It is also useful to detect
• Feature selection/profile definition: Before collaborative intrusions (Samad et al., 2005).
applying the detection process, the definition
of transceiver’s profiles has to be made. To Cluster Formation
do so, features that have low intra-transceiver
variability and high inter-transceiver vari- Clusters are formed to divide the network into
ability are selected. Examples of selected manageable entities for efficient monitoring and
features include: deviations of normalized low processing. Clustering schemes result in a
Intrusion and Anomaly Detection in Wireless Networks
special type of node, called the cluster head (CH) performs its own audit and analysis; however, it
to monitor traffic within its cluster. It not only performs partial analysis immediately after becom-
manages its own cluster, but also communicates ing a CH or MN. Intrusion detection techniques
with other clusters for cooperative detection can be anomaly based or signature based.
and response. It maintains information of every The host-based IDS (HIDS) observes traffic
member node (MN) and neighbor clusters. The at individual hosts, while network-based IDS
cluster management responsibility is rotated (NIDS) are often located at various points along
among the cluster members for load balancing and the network. Since centralized audit points are not
fault tolerance and must be fair and secure. This available in ad hoc networks, NIDSs cannot be used.
can be achieved by conducting regular elections Alternatively, if every host starts monitoring intru-
(Samad et al., 2005). Every node in the cluster sions individually such as in HIDS, lot of memory
must participate in the election process by casting and processing will be involved. Therefore, a dis-
their vote showing their willingness to become the tributed approach is used to perform monitoring,
CH. The node showing the highest willingness, by where both CH and MN collect audit data.
proving the set of criteria, becomes the CH until A flow model of intrusion detection architecture
the next timeout period. of cluster-based intrusion detection (CBID) is illus-
trated by Figure 2, which consists of four modules.
Intrusion Detection Architecture Information collected during the training phase in
the logging module is transferred to the intrusion
Because ad hoc networks lack in centralized audit information module to perceive a threshold value
points, it is necessary to use the IDS in a distributed for the normal traffic. If it is the case, an alert is
manner. This also helps reducing computation generated by the intrusion response module.
and memory overhead on nodes. The proposed
clustering algorithm in Samad et al. (2005) can • Logging: The CH captures and logs all the
be related to the intrusion detection process as traffic transferred through its radio range.
partial analysis of the incoming traffic is done at It keeps the necessary fields and the data
the CH and the rest of the analysis is done at the related to traffic such as number of packets
destination node. Traffic analysis at the CH and sent, received, forwarded, or dropped in a
packet analysis at the MN is helpful in reducing database. The traffic can either be data traffic
processing at each node. If a malicious activity or control traffic. These logs can be helpful
is found by the CH, it informs its members and for the detection of many attacks, such as
the neighboring clusters to take a set of actions. blackhole, wormhole, sleep deprivation,
It is the responsibility of CH to obtain help from malicious flooding, packet dropping, and so
and/or inform the MNs and neighboring clusters forth.
for a particular intrusion. Undecided node (UD) • Intrusion information: If signature-based
detection is used, every node must maintain
Intrusion and Anomaly Detection in Wireless Networks
a database that contains all the intrusion MANET nodes have WAN connectivity,
signatures. For anomaly based detection, the node can initiate download requests to
the anomalous behaviors must also be well obtain the latest model from the server; and
defined. (2) without WAN connectivity, MANET
• Intrusion detection: By this module, the nodes can be initialized before deployment,
node detects intrusions by analyzing and where the default model is used.
comparing the traffic patterns with the normal • Another model consists in deploying a more
behavior. If anomaly is found, the CH gener- powerful MANET node with sufficient
ates an alarm and increases the monitoring processing and battery power to perform
level and analyzes the traffic in more detail anomaly training. The node would listen
to find out the attack type and identity of the promiscuously to all visible traffics on the
attacker. MANET, generate anomalies, and distribute
• Intrusion response: To inform about de- them to the peers.
tected intrusions, nodes generate alerts. They • Use a pre-computed anomaly model. This
also can provide responses to react against scenario is worst case, but can be practical
them. in situations where the MANET’s behavior is
well-defined and follows a standard protocol
definition.
dEtEctIon ModEls
Model Aggregation/Profiling
To enhance IDS efficiency, theories and models
have been developed to cope with intrusion cor- The aggregation model was previously used in
relation; action tracking and packet marking; digital MANETs for alerts demonstrated that, by integrat-
investigation using evidences based on alerts; and ing security-related information at the protocol
attack reconstruction in wireless environments. level from a wider area, the false positive rate
The evidence is defined as a set of relevant informa- and the detection rate can be improved (Cretu et
tion about the network state (Aime, Calandriello, al., 2006).
& Lioy, 2006). In addition, model aggregation enables peers
to determine whether or not to communicate with
Intrusion and Anomaly detection a particular node n1. If the peers’ models are very
Model Exchange similar to those used by n1, it suggests that the
node is performing similar tasks. A node with a
This section discusses the anomaly model used dissimilar model is considered as suspicious and
in mobile ad hoc networks (MANET). It is based has a malicious content. For example, a node send-
on the model distribution and model profiling and ing out worm packets will generate a substantially
aggregation. different content distribution. This can be done via
comparison (Cretu et al., 2006).
Model Distribution
Anomaly based detection Models
Due to the lack of battery power or computation
ability, MANET’s model is required. Depending on In this section, we discuss how to build anomaly
the node location performing intrusion detection, detection models for wireless networks. Detection
the following distribution models can be adopted based on different kinds of activities may differ in
(Cretu, Parekh, Wang, & Stolfo, 2006): the format and the amount of available audit data
as well as the modeling algorithms. However, we
• In the case of generating anomalies, training admit that the principle behind the approaches will
can be done by MANET nodes: (1) if the be the same. Therefore, we discuss in this section
Intrusion and Anomaly Detection in Wireless Networks
only one of these approaches, which is based on a (PCH), and the percentage of newly added routes
routing protocol (Zhang, Lee, & Huang, 2003): (Zhang et al., 2003). These measurements are used
because of the dynamic nature of mobile networks.
Building an Anomaly Detection Model The normal profile on the trace data specifies the
correlation of physical movements of the node and
This method uses information-theoretic measures, the changes in the routing table.
namely, entropy and conditional entropy, to de- Classification rules for PCR and PCH describe
scribe normal information flows and use classifica- normal conditions of the routing table. These rules
tion algorithms to build anomaly detection models. can be used as normal profiles. Checking an ob-
When constructing a classifier, features with high served trace data record with the profile involves
information gain or reduced entropy are needed. applying the classification rules to the record.
Therefore, a classifier needs feature value tests Therefore, repeated trials may be needed before a
to partition the original dataset into low entropy good anomaly detection model is produced.
subsets. Using this framework, the following pro-
cedure for anomaly detection is applied (Zhang et Detecting Abnormal Activities in Other
al., 2003): (1) select audit data so that the normal Layers
dataset has low entropy; (2) perform appropriate
data transformation according to the entropy mea- Detecting anomalies for other entities of the wire-
sures; (3) compute classifier using training data; (4) less networks such as MAC protocols, or entities
apply the classifier to test data; and (5) post-process provided by the network (applications and services)
alarms to produce intrusion reports. follows a similar approach as in the physical layer.
For example, the trace data for MAC protocols can
Detecting Abnormal Updates to Routing contain the following features: for the past s sec-
Tables onds, the total number of channel requests, the total
number of nodes making the requests, the largest,
The main requirement of an anomaly detection the mean, and the smallest of all the requests. The
model used by IDSs is a low false positive rate, class can be the range of the current requests by a
calculated as the percentage of legitimate behavior node. A classifier on this trace data describes the
variations detected as anomalies. Since the main normal context of a request. An anomaly detec-
concern for ad hoc routing protocols is that the false tion model can then be computed, as a classifier or
routing information generated by a compromised clusters, from the deviation data. Similarly, at the
node will be disseminated to and used by the other mobile application layer, the trace data can use the
nodes, the trace data can be designed for each node. service as the class (Zhang et al., 2003).
A routing table contains, at the minimum, the next
hop and the distance in hop number. A legitimate
change in the routing table can be caused by the wIrElEss IntrusIon dEtEctIon
physical node movement or network membership systEM ArcHItEcturEs
changes. For a node, its own movement and the
change in its own routing table are the only reli- This section discusses the proposed models,
able and trustable information. Hence, used data architectures, and methods to validate the used
exist on the node’s physical movements and the approaches.
corresponding change in its routing table as the
basis of the trace data. The physical movement is wireless Intrusion tracking system
measured mainly by distance and velocity. The
routing table change is measured mainly by the The wireless intrusion tracking system (WITS)
percentage of changed routes (PCR), the percent- deploys the Linksys WRT54G AP, Linux and other
age of changes in the sum of hops of all the routes open source tools in order to track wireless intruders
Intrusion and Anomaly Detection in Wireless Networks
in a wireless cell. A WITS is designed to minimize and intelligent routing of intrusion data throughout
the effect of the attacks against wireless networks. the network.
It combines technologies to produce a system that
allows real-time tracking of intruders and extensive Modular IDS Architecture
forensic data gathering (Valli, 2004).
The proposed IDS is built on a mobile agent
• Sacrificial access points (SAP): WITS uses
framework. It employs several sensor types that
the concept of SAPs, which acts as a wireless
perform specific functions, such as:
honeypot and forensic logging device. The
used SAP has conventional wired Ethernet
• Network monitoring: Only certain nodes
capability. Its functionality is severely limited
will have sensor agents for network monitor-
for deployment as a honeypot device. How-
ing, in order to preserve the total computa-
ever, it permits the installation of customized
tional power and the battery power of mobile
firmware, which allows the reduction of
hosts.
installed facilities used as part of the routing
• Host monitoring: Every node on the ad
and AP functionality for the WRT54G. The
hoc network will be monitored internally
firmware can be upgraded to patch any new
by a host-monitoring agent. This includes
vulnerabilities or weaknesses. To be success-
monitoring system-level and application-level
ful, the system must retain large, extensive
operations.
and multiple log files that contain system
• Decision-making: Every node will decide
statistics and sufficient network related data
on the intrusion threat level on a host-level
for forensic reconstruction of any traffic. The
basis. Specific nodes will collect intrusion
used data are data located in honeypot log
information and make collective decisions
files, snort data, and data provided by traffic
about intrusion level.
analysis. The data in honeypot logfiles will
• Reacting: Every node can react in order to
indicate the level of probing and malicious
protect the host against detected attacks.
activity. Traffic analysis provides an extensive
Reactions can be predefined at that node.
analysis of the intruder activity.
• Tracking the intruder: Wireless intruders
have the ability to be mobile and are not con- To minimize power consumption and IDS-re-
strained to use predefined channels, which lated processing time, the IDS must be distributed.
make them difficult to track. Furthermore, A hierarchy of agents can be used to this end. A
wireless attackers can manipulate layer 1 and hierarchy of agents is composed of three agent
layer 2 of the OSI model to mask activities classes, which are the monitoring agents, decision-
and subsequent detection. WITS uses GPS making agents, and action agents. Some are present
techniques to locate and track intruders on all mobile hosts, while others are distributed
within the wireless cell. The resultant GPS to only selected nodes (Kachirski & Guha, 2003).
data will be stored for later analysis or used Cluster heads, for example, are the typical nodes
by an immediate location process of the at- implementing the monitoring agents. The node
tacking device. selection is naturally dependent on the security
requirements imposed to the mobile nodes.
Agent-based Ids for Ad Hoc wireless
networks Intrusion Response
This section introduces a multi-sensor IDS that The nature of an intrusion response for ad hoc
employs a cooperative detection algorithm. A networks depends on the intrusion type and
mobile agent implementation is chosen to support the network protocols and applications types.
the wireless IDS features such as sensor mobility Examples of responses can be:
Intrusion and Anomaly Detection in Wireless Networks
0
Intrusion and Anomaly Detection in Wireless Networks
Significant aspects of intrusion tolerance include: Only the BS is allowed to broadcast (Deng et al.,
(1) the ability to adapt to changes in environmental 2003). It proposes a BS authentication using a hash
and operational conditions for surviving intru- function. To prevent DoS/distributed denial of
sions; (2) the coordination and management of service (DDoS) broadcast attacks, unicast packets
adaptation of changes in service provision; (3) must first traverse through the BS. Second, the
the awareness of resource statuses to respond to control routing information has to be authenticated
attack symptoms effectively; and (4) the manage- and encrypted by using symmetric cryptography.
ment of resource redundancy. The following are To address the notion of compromised nodes, re-
two approaches that deploy intrusion tolerance to dundant multipath routing is built into INSENS to
prevent wireless attacks. achieve secure routing.
INSENS proceeds through two phases, route
Intrusion tolerance based on discovery and data forwarding. The first phase
Multiple base stations redundancy discovers the sensor network topology, while the
second deals with forwarding data from sensor
To provide fault tolerance, this research discusses nodes to the BS, and vice versa. Route discovery
a redundancy in the form of multiple base stations is performed in three rounds:
(BSs). Since an adversary can disallow delivery
of sensor data that is routed over only one path to • During the first round, the BS floods a request
a given BS, a multi-path routing redundancy to message to all the reachable sensor nodes in
improve intrusion tolerance of wireless nodes is the network. The BS broadcasts a request
introduced (Deng, Han, & Mishra, 2004). message that is received by all its neighbors.
The simplest way to set up multiple paths for A sensor, receiving a request message for the
each node to multiple BSs is to use a flooding mes- first time, records the identity of the sender in
sage: each BS broadcasts a unique request message, its neighbor set and then broadcasts a request
called REQ. Upon the reception of REQ from a message. Two mechanisms are used to counter
BS, it records the packet sender as its parent node attacks. The first one identifies the request
for that BS, and re-broadcasts REQ to its neighbor message initiated by the BS using hash. The
and child nodes. The node then ignores all copies second mechanism configures sensors with
of the same REQ that it receives later. In this way, separate pre-shared keys by applying a keyed
the REQ generated by a BS will be able to flood MAC algorithm to the complete path (Deng
the entire network, even though the network nodes et al., 2005).
forward that message only once. If one BS broad- • During the second round, the sensor nodes
cast its own REQ, every sensor node will have one send their local information using a feedback
path for it. However, this scheme cannot prevent a message to the BS. After a node has forwarded
malicious compromised node from BS spoofing by its request message, it waits a time period
sending forged REQ. Every node will think that before generating a feedback message.
the forged message is generated by the legitimate • In the third round, forwarding tables are com-
BS and will forward the forged REQ. To defend puted by the BS for each sensor node based
against such attack, each BS can authenticate the on the information received in the second
sent REQ (Deng et al., 2004). round. Then, it sends them to the respective
nodes using a routing update message and
InsEns: Intrusion-tolerant routing waits for a certain period to collect the con-
nectivity information received via feedback
in wireless sensor networks
messages in order to compute possible paths
to each other node. The BS then updates
INSENS (Deng, Han, & Mishra, 2003, 2005) can
the forwarding tables using entries of the
be used to prevent DoS attacks, where individual
form:
nodes are not allowed to broadcast routing data.
Intrusion and Anomaly Detection in Wireless Networks
(destination, source, and immediate sender). Barbeau, M., Hall, J., & Kranakis, E. (2006, Octo-
ber 4-6). Detection of rogue devices in Bluetooth
Destination is the node ID of the destina- networks using radio frequency fingerprinting.
tion node, source is the node ID of the node In Proceedings of the 3rd IASTED International
that created this data packet, and immediate Conference on Communications and Computer
sender is the ID of the node that just forwarded Networks. Lima, Peru.
this packet. Once the data packet is received,
Boncella, R. J. (2006). Wireless threats and attacks.
a node searches for a matching entry in its
In H. Bidgoli (Ed.), Handbook of information se-
forwarding table. If it finds a match, then
curity (pp. 165-175). John Wiley & Sons.
it forwards the data packet (Deng et al.,
2005). Cretu, G. F., Parekh, J. J., Wang, K., & Stolfo, S.
J. (2006, January 10-12). Intrusion and anomaly
detection model exchange for mobile ad-hoc net-
conclusIon works. In The third IEEE Consumer Communica-
tions & Networking Conference (CCNC).
We have shown in this chapter that WIDSs have an
Deng, J., Han, R., & Mishra, S. (2003, May).
important role in securing the network by protect-
INSENS: Intrusion-tolerant routing in wireless
ing its entities against intrusions and misuse. The
sensor networks. In The 23rd IEEE International
protection is performed based on models capable
Conference on Distributed Computing Systems
of providing a framework for the description and
(ICDCS). Providence.
correlation of attacks. Research works have focused
on the development of techniques, approaches, Deng, J., Han, R., & Mishra, S. (2004, June 28-
and mechanisms, and WIDS architectures. Archi- July 1). Intrusion tolerance and anti-traffic analysis
tectures include radio frequency fingerprinting, strategies for wireless sensor networks. In Pro-
cluster-based detection, mobile devices monitoring, ceedings of the 2004 International Conference
and mobile profile construction. Wireless intru- on Dependable Systems and Networks (DSN’04)
sion prevention and tolerance are also discussed (pp. 637- 646). Italy.
in this chapter; and systems such as INSENS are
developed. In addition, we have shown that several Deng, J., Han, R., & Mishra, S. (2005). INSENS:
challenges need to be addressed to enhance the Intrusion-tolerant routing for wireless sensor net-
efficiency of WIDSs. works. [Special issue]. Computer Communications
Journal, 29(2), 216-230.
Farshchi, J. (2003). Wireless policy development
rEfErEncEs (part 1 & 2), Security focus. Retrieved from
http://www.securityfocus.com/print/infocus/1732
Ahmed, E., Samad, K., & Mahmood, W. (2006). Retrieved from http://www.securityfocus.com/
Cluster-based intrusion detection (CBID) architec- print/infocus/1735
ture for mobile ad hoc networks. In Proceedings
of AusCERT Asia Pacific Information Technology Gupta, V., Krishnamurthy, S., & Faloutsos, M.
Security Conference (AusCERT), Asia. (2002, October). Denial of service attacks at the
MAC layer in wireless ad hoc networks. Anaheim,
Aime, M. D., Calandriello, G., & Lioy, A. (2006, CA: MILCOM—Network Security.
June 26-29). A wireless distributed intrusion
detection system and a new attack model. In Pro- Hall, J., Barbeau, M., & Kranakis, E. (2005, Fe-
ceeding of the 11th Symposium in Computers and bruary 3-4). Using mobility profiles for anomaly-
Communications (pp. 35- 40). Italy. based intrusion detection in mobile networks.
Paper presented at the 12th Annual Network and
Intrusion and Anomaly Detection in Wireless Networks
Distributed System Security Symposium, San Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion
Diego, CA. detection techniques for mobile wireless networks.
Wireless Networks Journal, 9(5), 545-556.
Hutchison, K. (2004). Wireless intrusion detec-
tion systems. Retrieved October 18, 2004 from
http://www.sans.org/reading_room/whitepapers/ kEy tErMs
wireless/
Kachirski, O., & Guha, R. (2003, January 6-9). Ef- Access Point (AP): Access point in the base
fective intrusion detection using multiple sensors station in a wireless LAN. APs are typically stand-
in wireless ad hoc networks. In Proceedings of the alone devices that plug into an Ethernet hub or
36th Hawaii International Conference on System switch. Like a cellular phone system, users can
Sciences (HICSS’03). Hawaii. roam around with their mobile devices and be
handed off from one AP to the other.
Low, C. (2005). Understanding wireless attacks &
detection. Retrieved April 2005, from http://www. Ad Hoc Networks: Ad hoc networks are local
hackerscenter.com/public/Library/782_wireat- area networks or other small networks, especially
tacks.pdf ones with wireless or temporary plug-in connec-
tions, in which some of the network devices are
Mateli, P. (2006). Hacking techniques in wireless
part of the network only for the duration of a com-
networks. In H. Bidgoli (Ed.), Handbook of infor-
munications session or, in the case of mobile or
mation security (pp. 83-93). John Wiley& Sons.
portable devices, while in some close proximity
Nichols, R. K., & Lekkas, P. C. (2002). Telephone to the rest of the network.
system vulnerabilities. McGraw-Hill.
Intrusion Prevention System (IPS): IPS is the
Phifer, L. (2006). Wireless attacks, A to Z. Retrieved software that prevents an attack on a network or
April 10, 2006, from http://searchsecurity.techtar- computer system. An IPS is a significant step be-
get.com/generic/0,295582,sid14_gci1167611,00. yond an intrusion detection system (IDS), because
html it stops the attack from damaging or retrieving
data. Whereas, an IDS passively monitors traffic
Samad, K., Ahmed, E., & Mahmood, W. (2005, by sniffing packets off a switch port, an IPS resides
September 15-17). Simplified clustering approach inline like a firewall, intercepting and forwarding
for intrusion detection in mobile ad hoc networks. packets. It can thus block attacks in real time.
In 13th International Conference on Software,
Telecommunications and Computer Networks Intrusion Tolerance: Intrusion tolerance is
(SoftCOM 2005). Split, Croatia. the ability to continue delivering a service when
an intrusion occurs.
Schäfer, G. (2003). Security in fixed and wireless
networks, An introduction to securing data commu- Wireless Attack: A wireless attack is a mali-
nications. John Wiley and Sons. cious action against wireless system information
or wireless networks; examples can be denial of
Valli, C. (2004, June 28-29). WITS—Wireless in- service attacks, penetration, and sabotage.
trusion tracking system. 3rd European Conference
on Information Warfare and Security. UK. Wireless Intrusion Detection System
(WIDS): The WIDS is the software that detects
Vladimirov, A. A., Gavrilenko, K. V., & Mikhai- an attack on a wireless network or wireless system.
lovsky, A. A. (2004). Counterintelligence: Wireless A network IDS (NIDS) is designed to support
IDS systems. In WI-Foo: The secrets of wireless multiple hosts, whereas a host IDS (HIDS) is set
hacking (pp. 435-456). Pearson/Addison-Wesley. up to detect illegal actions within the host. Most
Intrusion and Anomaly Detection in Wireless Networks
IDS programs typically use signatures of known traffic pattern. An intrusion detection system (IDS)
cracker attempts to signal an alert. Others look for may look for unusual traffic activities. Wireless
deviations of the normal routine as indications of traffic anomalies can be used to identify unknown
an attack. Intrusion detection is very tricky. attacks and DoS floods.
Wireless Sensors Networks (WSN): WSN is Wireless Vulnerability: Wireless vulnerability
a network of RF transceivers, sensors, machine is a security exposure in wireless components. Be-
controllers, microcontrollers, and user interface fore the Internet became mainstream and exposed
devices with at least two nodes communicating every organization in the world to every attacker
by means of wireless transmissions. on the planet, vulnerabilities surely existed, but
were not as often exploited.
Wireless Traffic Anomaly: Wireless traffic
anomaly is a deviation from the normal wireless
Chapter VII
Peer-to-Peer (P2P)
Network Security:
Firewall Issues
Lu Yan
University College London, UK
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
P2P Network Security
in the formalism. An action system is an iterative will in turn announce to all its neighbors C, D,
composition of actions. The action systems frame- E, and F that A is alive. Those computers will
work is used as a specification language and for the recursively continue this pattern and announce
correct development of distributed systems. to their neighbors that computer A is alive. Once
Object-oriented (OO)-action system is an ex- computer A has announced that it is alive to the
tension to the action system framework with OO rest of the members of the P2P network, it can
support. An OO-action system consists of a finite then search the contents of the shared directories
set of classes, each class specifying the behavior of of the P2P network.
objects that are dynamically created and executed Search requests are transmitted over the
in parallel. The formal nature of OO-action systems Gnutella network in a decentralized manner. One
makes it a good tool to build reliable and robust computer sends a search request to its neighbors,
systems. Meanwhile, the OO aspect of OO-action which in turn pass that request along to their neigh-
systems helps to build systems in an extendable bors, and so on. Figure 2 illustrates this model. The
way, which will generally ease and accelerate search request from computer A will be transmitted
the design and implementation of new services to all members of the P2P network, starting with
or functionalities. Furthermore, the final set of computer B, then to C, D, E, F, which will in turn
classes in the OO-action system specification is send the request to their neighbors, and so forth.
easy to be implemented in popular OO languages If one of the computers in the P2P network, for
like Java, C++ or C#. example, computer F, has a match, it transmits the
In this chapter, however, we skip the details of file information (name, location, etc.) back through
semantics of action systems (Back & Sere, 1996) all the computers in the pathway towards A (via
and its OO extension (Bonsangue, Kok, & Sere, computer B in this case). Computer A will then
1998). be able to open a direct connection with computer
F and will be able to download that file directly
from computer F.
gnutEllA nEtwork
P2P Network Security
These corporate firewalls examine the packets If this direct connection cannot be established, the
of information sent at the transport level to deter- servent attempting the file download may request
mine whether a particular packet should be blocked. that the servent sharing the file push the file instead.
Each packet is either forwarded or blocked based That is, A servent may send a Push descriptor if it
on a set of rules defined by the firewall administra- receives a QueryHit descriptor from a servent that
tor. With packet-filtering rules, firewalls can easily does not support incoming connections.
track the direction in which a TCP connection is Intuitively, Push descriptors may only be sent
initiated. The first packets of the TCP three-way along the same path that carried the incoming
handshake are uniquely identified by the flags they QueryHit descriptors as illustrated in Figure 4.
contain, and firewall rules can use this information A servent that receives a Push descriptor with
to ensure that certain connections are initiated in ServentID = n, but has not seen a QueryHit de-
only one direction. A common configuration for scriptor with ServentID = n should remove the
these firewalls is to allow all connections initiated Push descriptor from the network. This ensures
by computers inside the firewall, and restrict all that only those servents that routed the QueryHit
connections from computers outside the firewall. descriptors will see the Push descriptor.
For example, firewall rules might specify that users We extend our original system specification
can browse from their computers to a web server (Yan & Sere, 2003) to adopt unidirectional firewalls
on Internet, but an outside user on Internet cannot by adding a Push router Rf, which is a new action
browse to the protected user’s computer. system modeling Push routing rules as shown
In order to traverse this kind of firewall, we in Table 1. We compose it with the previous two
introduce a Push descriptor and routing rules action systems (Yan & Sere, 2003) Rc modeling
for servents: Once a servent receives a QueryHit Ping-Pong routing rules and Rl modeling Query-
descriptor, it may initiate a direct download, but QueryHit routing rules together, to derive a new
it is impossible to establish the direct connection specification of router
if the servent is behind a firewall that does not
permit incoming connections to its Gnutella port. R = |[ Rc // Rl // Rf ]|
P2P Network Security
where on the higher level, we have components Push request, and filename is the requested file
of a new router information. In this way, the initial TCP/IP connec-
tion becomes an outbound one, which is allowed
{<Router, R>, <PingPongRouter, Rc>, <Que- by unidirectional firewalls. Receiving the HTTP
ryRouter, Rl>, <PushRouter, Rf>}. GIV request, the target servent should extract
the requestIP and filename information, and then
A servent can request a file push by routing construct an HTTP GET request with the above
a Push request back to the servent that sent the information. After that, the file download process
QueryHit descriptor describing the target file. The is identical to the normal file download process
servent that is the target of the Push request should, without firewalls. We summarize the sequence of
upon receipt of the Push descriptor, attempt to es- a Push session in Figure 5.
tablish a new TCP/IP connection to the requesting
servent. As specified in the refined file repository in
Table 2, when the direct connection is established, Port-blockIng fIrEwAlls
the firewalled servent should immediately send a
HTTP GIV request with requestIP, filename and In corporate networks, other kinds of common
destinationIP information, where requestIP and firewalls are port-blocking firewalls, which usu-
destinationIP are IP address information of the ally do not grant long-time and trusted privileges
firewalled servent and the target servent for the to ports and protocols other than port 80 and
P2P Network Security
P2P Network Security
00
P2P Network Security
0
P2P Network Security
Table 3. Specification of SOCKS proxy presented our solution to traverse firewalls for
P2P systems. We have extended a Gnutella-style
P2P system to adopt unidirectional firewalls and
port-blocking firewalls using OO-action systems.
S = |[ attr listenPort := GnutellaPort;
During the extending work, our experiences show
DestinationPort := 80 that the OO aspect of OO-action systems helps to
obj ProxySocket : Socket; build systems with a reusable, composable, and
HTTPSocket : Socket; extendable architecture. The modular architecture
imsg : Msg; omsg : Msg of our system makes it easy to incorporate new
init ProxySocket = new(Socket(listenPort)); services and functionalities without great changes
HTTPSocket = to its original design.
new(Socket(destinationPort))
do
IncomingRequest null rEfErEncEs
imsg := EncodeSOCK(DecodeHTTP
(HTTPSocket.Read( ))); Back, R. J. R., & Sere, K. (1996). From action
IncomingMessage := systems to modular systems. Software Concepts
ProxySocket.Write(imsg) and Tools.
[] OutgoingRequest null Bonsangue, M., Kok, J. N., & Sere, K. (1998). An
omsg := EncodeHTTP(DecodeSOCK approach to object-orientation in action systems. In
(ProxySocket.Read( ))); Proceedings of Mathematics of Program Construc-
OutgoingMessage := tion (MPC’98) (LNCS 1422). Springer-Verlag.
HTTPSocket.Write(omsg)
Borella, M., & Montenegro, G. (2000). RSIP:
od
Address sharing with end-to-end security. In Pro-
]|
ceedings of the Special Workshop on Intelligence
at the Network Edge, CA.
0
P2P Network Security
0
0
Chapter VIII
Identity Management for
Wireless Service Access
Mohammad M. R. Chowdhury
University Graduate Center – UniK, Norway
Josef Noll
University Graduate Center – UniK, Norway
AbstrAct
Ubiquitous access and pervasive computing concept is almost intrinsically tied to wireless communica-
tions. Emerging next-generation wireless networks enable innovative service access in every situation.
Apart from many remote services, proximity services will also be widely available. People currently rely
on numerous forms of identities to access these services. The inconvenience of possessing and using these
identities creates significant security vulnerability, especially from network and device point of view in
wireless service access. After explaining the current identity solutions scenarios, the chapter illustrates
the on-going efforts by various organizations, the requirements and frameworks to develop an innovative,
easy-to-use identity management mechanism to access the future diverse service worlds. The chapter
also conveys various possibilities, challenges, and research questions evolving in these areas.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Identity Management
0
Identity Management
device is often used to store his/her identity in- In general, common identity deployment archi-
formation. To protect unauthorized service access, tectures can be broadly classified into three types:
users also need to be authenticated before accessing Silo, Walled Garden, and Federation (Altmann &
such devices. It is evident that a user is burdened Sampath, 2006, p. 496). Current identity manage-
with too many identities to access many remote ment in the service world is mostly silo-based.
and proximity services. An integrated approach is Silo is a simple architecture, which requires each
required to manage all those identities to access service provider to maintain a unique ID for each
all these services. user. This approach is simpler from a service
Wireless service access results in more com- provider’s point of view but it is not only labori-
plexity to manage identities prior to accessing the ous but also problematic for the user. Moreover,
services. Besides device authentications, users need it results in a huge waste of resources due to the
to authenticate themselves before accessing the possession of redundant identity information in the
wireless networks. In addition to this, because of service world. As studies show, users who register
the size limitations, mobile devices are equipped with several service providers routinely forget
with smaller screens and limited data entry capa- their passwords for less frequently used accounts.
bilities using small keypads. For wireless services This has a significant financial effect. On average,
to succeed, it is critical that the mobile users are $45 is spent on password reset each time a user
able to get convenient and immediate access to the forgets a password (Altmann & Sampath, 2006,
information and services they need without going p. 496). Walled Garden is a centralized identity
through long menus and having to enter various management approach where all service providers
usernames and passwords. can typically rely on one singe identity provider to
In the future, one of the key issues of identity manage the user’s identity. The user is benefited
management in the wireless domain will be who through managing only a single set of credentials.
the identity providers will be to the users and who Its inherent weakness is, once the significant bar-
will own/manage the subscriber identity module rier of protection is compromised, a malicious user
(SIM/USIM). It is because, currently, almost every enjoys unbridled access to all resources. Lastly, in
service provider is also an identity provider for identity federation management a group of service
users to access that specific service. SIM card is providers forms a federation. Here, each service
in fact a smart card with processing and informa- provider recognizes the identifiers of other service
tion storage capabilities. With the development of providers and thereby, consider a user who has
powerful, sophisticated as well as secure smart been authenticated by another service provider to
cards, it is now considered as the storage place be authenticated as well. However, the real dis-
for user’s identity information. In current cellular tinction between Walled Garden and Federation
models, the operator provides not only the wireless approach is that here service providers have their
access but also owns and manages SIM/USIM. In own unique identifiers and credentials. Though
this case, the user has little control over his/her this approach is widely accepted considering the
identity. A user is having a SIM/USIM as his/her heterogeneity of service providers, many possible
identity but is not allowed to modify or update it service interaction scenarios and the requirements
so that he/she cannot subscribe to new wireless of several levels of security make such a system
providers or to whatever service providers he/she far more complex.
likes. A collaborative operator model has been
thought where such identity module belongs to
the user (Kuroda, Yoshida, Ono, Kiyomoto, & IdEntIty MAnAgEMEnt for
Tanaka, 2004, pp. 165-166). A third party can wIrElEss sErvIcE AccEss
provide the infrastructure to manage such identity.
This approach leads towards user-centric identity Designing an identity management mechanism to
management and provides the user with flexibility access both remote and proximity services, without
in choosing wireless providers.
0
Identity Management
0
Identity Management
Apart from possessing numerous usernames/ identity management systems, is a debatable issue.
passwords/PIN codes for remote (Web) service Liberty Alliance (Miller et al., 2004) believes that
access, the user is also carrying many physical mobile operators are in a good position to become
identities for proximity service access. These in- the most favored identity providers, because they
clude credit card, bank card, home/office access possess valuable static and dynamic user informa-
cards, and so forth. Many researchers working tion which can be transmitted to third parties in
in these areas are proposing the smart cards, like a controlled manner through open standard Web
SIM/USIM currently used in mobile phones, as the service interface. Mobile operators also have the
secure storage place for the user’s identity informa- ability to seamlessly authenticate users with the
tion because it can be revoked, users nowadays can phone number on behalf of the service provid-
rarely be found without a mobile phone and there ers (SP). Many contradict such roles of mobile
are possibilities of security enhancements. Custom operators. Instead a more trusted third party, like
made SIMs/USIMs having enough computational financial institutes and governments are also well
power and storage space can be used to manage positioned to become preferred identity providers.
users’ identification information and multi-factor They might provide identity services for their
authentication mechanisms. Gemalto, a company specific market and services that need stronger
providing digital security, is involved in developing user identities. When a user wants to subscribe to
sophisticated smart cards (e.g., SIM/USIM) based a new wireless network, he/she asks the third party
online or off-line identity management with associ- identity provider to add new identification data into
ated software, middleware, and server-based solu- his/her phone. In such a situation, it is possible
tions. NXP, a semiconductor company (formerly a that a third party can even manage SIM/USIM,
division of Philips), is also offering identification which is currently done by cellular operators. It is
products in areas like government, banking, ac- expected that the next-generation wireless network
cess control, and so forth using secure innovative will have such flexibility.
contactless smart cards and chips. Credit card
companies are running various trials for providing components of user Identities
user’s payment identity handling solutions using
mobile phones and NFC technology. Tap N Go is Identity management in wireless service access
the name of a contactless payment trial powered needs to address device-level security, network-lev-
by MasterCard PayPass (2007) in the U.S. started el security, and service-level security (Kuroda et al.,
in 2006. In the same year, Visa completed contact- 2004, p. 169). Therefore, the over-all user identity
less-based mobile pilots in Malaysia and the United comprises device, network, and service identities.
States, using NFC-enabled phones, complementing The user’s device is divided into two components,
existing programs in Japan and Korea. In February a personal smart card (e.g., SIM/USIM) and mobile
2007, Visa International and SK Telecom of South devices with wireless access capabilities. The smart
Korea announced the world’s first contactless pay- card includes user identification data that contains
ment application on a universal SIM card which is user’s public or shared-secret keys, certificates for
personalized over-the-air based on Visa’s recently network operators, and service providers. The card
introduced mobile platform (“Visa’s mobile plat- and the device need to be mutually authenticated in
form initiative,” 2007). the initial setup phase because both devices have
Identity providers issue identities to each user. built no relationship of trust to exchange security
They have a very important central role in the information from the very beginning. Afterwards,
identity management business. The identity pro- the user identifies him/herself to the card, since
vider manages users’ identities and their access it stores sensitive personal information, which is
rights to various services securely. It provides the used for network- and service-level authentication.
authentication and authorization services to the The user can identify through PIN, password, or
users. Who can be the identity providers in future biometrics. After these authentication procedures,
0
Identity Management
Figure 1. User identifications to ensure device-, card/code, and so forth. According to Dick Hardt
network-, and service-level security (keynote speech at OSCON 2005 conference),
founder and CEO of SXIP Identity, individual’s
interests, fondness, preferences, or tastes are also
part of his/her identity. These roles can be dealt with
by user’s SIDs. Some of these identities are having
very sensitive user information therefore very strict
authentication requirements have to be met. Some
others require less secure infrastructure as they
possess not so sensitive user information.
Considering all these aspects, instead of storing
user’s vast identity information into a single place
(a user device), these can be distributed into two
places. The less sensitive user identity information,
especially his/her SIDs can be stored in a secure
network identity space. The most sensitive iden-
the card delegates user identity information to tity information like user’s PIDs will be stored in
the mobile device to authenticate wireless access user’s personal device. The mobile phone (more
and thereby, service access. The user expects to correctly the SIM card) has been proposed as the
use services without being concerned about the user’s personal device (Chowdhury & Noll, 2006).
individual characteristics of each wireless access. When the user subscribes to the identity services,
Network-level authentication verifies that the user the identity provider (IDP) issues a certificate to
is a subscriber and has wireless access to the right him/her. It will be stored in the device. At the same
network. Service-level authentication verifies that time, a secure identity space in the network will
the user is a subscribed user to the right services. be allocated for the user too. The device identifies
In each case, service or network providers and user and authenticates the user to access his/her network
device mutually authenticate each other. Figure identity space. When the user authenticates to the
1 depicts the overview of device-, service-, and device and the network, he/she can also gain ac-
network-level identifications to ensure the security cess to the network identity space (if it requires,
of user-device, network, and services for wireless an optional password can also protect such access).
service access. The user device holds the most sensitive user
identity information. Depending on the security
Integrated Identity Management requirements of the services, the possession-based
Mechanism authentication (e.g., having a personal device) can
be enhanced by a knowledge factor (e.g., PIN code).
Every human being is playing numerous roles in An additional knowledge-based authentication
life to live. To organize the user identities in a more mechanism can be used here to grant access to
structured way, all user identities can be broadly sensitive PIDs stored in the device. This is how
categorized into three areas based on the roles user identities can be stored in a distributed manner
he/she exercises in real life (Chowdhury & Noll, and multi-factor authentication mechanisms can
2006). These are personal identity (PID), corporate protect the security of user’s identities.
identity (CID), and social identity (SID). PIDs can In future service access scenarios, the user
be used to identify a user in his/her very personal expects a hassle-free use of identities. In this re-
and commercial service interactions. CIDs and gard an approach is expected to integrate all user’s
SIDs can be used in professional and social, in- identities to access every remote and proximity
terpersonal interactions respectively. For example, services into a single mechanism. The distributed
PIDs include bank/credit card, home/office access identity infrastructure just being described can also
0
Identity Management
Figure 2. A generic diagram for integrated identity mechanism and service access
provide an integrated mechanism to handle the (Siddiqui et al., 2005). Users are expected to ac-
use of identities for every possible service access cess countless services seamlessly over the wire-
over the wireless network. For example, by using less network. Hence, secure identity information
public key infrastructure (PKI) built in SIM card handling is a crucial issue in wireless service
user can access services of banks remotely; with access. In the mobile domain, the security of 3G
the NFC capable mobile phone user, can access mobile systems has already been strengthened by
home premises transferring the stored admittance introducing longer cipher keys; mutual (network,
key from user device. This is how a proximity ser- user) authentication; signaling and data traffic
vice access can also be handled. Figure 2 shows a integrity; and the extension of ciphering back into
generic diagram for integrated identity mechanism the network (Boman, Horn, Howard, & Niemi,
to handle remote and proximity service access. 2002, pp. 192-200). WLAN security has been
In a significant move towards providing secure improved significantly with the adoption of IEEE
ubiquitous digital credentials management; the 802.11i. It was created in response to several serious
banking industry of Norway with a partnership weaknesses researchers had found in the previous
of a mobile operator initiated PKI-based BankID system, wired equivalent privacy (WEP). There
(Cybertrust Case Studies Library, 2005) for iden- have been discussions to accomodate both 3G
tification and signing agreement on the move. and WLAN security frameworks on the IP layer
BankID for mobile phones will initially be used or based on 3rd Generation Partnership Project
in four areas: (1) logging on to Internet banks, (2) (3GPP), but the resulting solution does not offer
mobile banking, (3) electronic service for business fast vertical handover which is critical for session
and the public sector, and (4) account-based pay- continuity (Kuroda et al., 2004, p. 166). EAP-TLS
ment service for the Internet and mobiles. and EAP-AKA have been proposed to provide
strong end-to-end security and authentication to
security Infrastructure in Identity the user in such integrated network environment
Management systems (Kambourakis, Rouskas, & Gritzalis, 2004, pp.
287-296). Due to the various weaknesses of Blue-
The wireless network along with the user device tooth/Infrared communications, NFC is considered
(mobile phone) can serve as the underlying se- as the secure technology to transfer user identity
cure infrastructure for exchanging user identity information between a user’s mobile phone and
information and authentication messages. The the devices at service points. Its short range should
next generation network will integrate 3G and mitigate the risk of eavesdropping by other reader
WLAN to offer subscribers high-speed wireless devices. It is practically impossible to do man-
data services as well as ubiquitous connectivity in-the-middle attack on NFC link (Haselsteiner
0
Identity Management
& Breitfuss, 2006). Moreover, a secure channel role of an identity provider will be very critical.
can be established using cryptographic protocol The key issue will be who can be the identity
between the two NFC devices. provider? Whoever will be the identity provider,
Identity management and associated security the user SIM/USIM card is in a good position to
infrastructure will play a vital role for seamless become a secure storage place for user identity
service interaction in the next generation wireless information. Researchers are working to develop
network. There are several important requirements high capacity sophisticated smart cards to meet
of a successful identity management system. Such such demand in various service access scenarios.
a system should be user centric rather than service In this regard, it is very important to decide who
centric. The user expects an integrated identity will be the owner of such a user identity device
management mechanism that can handle identi- (e.g., SIM/USIM). For acceptability of a SIM card
ties for both remote and proximity service access. as a secure identity storage place and to develop a
Security of the underlying infrastructure is also a user-centric identity management mechanism, the
crucial issue in wireless service access. This section user should have rights to update or modify the SIM
has discussed all these aspects in brief. card. It is expected that the business model of the
next generation network will have such flexibility.
Mobile networks or other wireless access networks
futurE trEnds will play a vital role to ensure security for identity
information exchange. Therefore, numerous efforts
3G networks are covering a wide service area and are going on to enhance the security infrastructure
providing ubiquitous connectivity to mobile users of access network’s air interface and provide strong
with low-speed data rates which is sufficient for end-to-end protection for secure service access.
most real-time communications. WLAN/Wi-Fi Introduction of NFC adds intelligence and
networks cover smaller areas and provide high networking capabilities to the phone and creates
data rates to static users. There exists a strong need many new opportunities to add product and service
for integrating WLANs/Wi-Fis with 3G networks capabilities to handset-like digital transactions
to develop a hybrid of data networks capable of in very good proximities. It can make the mobile
ubiquitous data services and very high data rates phone an ideal device for payments and gaining
at strategic locations called “hotspots.” The future access. Financial institutes like credit card com-
wireless network is expected to attain this goal panies and mobile manufacturers are running
and thereby, seamless service access. Next genera- various trials with NFC-enabled mobile phoned in
tion wireless network architectures envisaged to service access scenarios like admittance and pay-
constitute of an IP-based core network, whereas ment. User identities for admittance and payment
the access network can be based on a variety of services are very sensitive in nature. Therefore,
heterogeneous wireless technologies depending on an integrated identity mechanism is expected to
the nature of the access cell. In this environment, deal with these proximity services and as well as
people can access many new innovative services remote services.
from anywhere and anytime. Service intake will Currently, the user expects and technology
be increased significantly. Instead of current demands service personalization, including ad-
identity provisions, a new identity management aptation to personal preferences, terminal, and
mechanism is expected, especially in wireless network capabilities. Rule-based personalization
service access. algorithms become too complex when handling
People no longer use many usernames and user context and preferences, thus asking for new
passwords for remote service access. Instead SSO mechanisms allowing dynamic adaptability of
will become popular with the provisions of addi- services. Semantic descriptions of user preferences
tional authentication levels to meet higher security and user relations with the combination of cur-
requirements. In future identity management, the rent developments in security and privacy issues
Identity Management
can create more dynamic service provisions and in terms of user identity information storage and
personalization. Semantic Web is seen as the next providing secure network and service authentica-
generation of the Internet where information has tion. With strong encryption, privacy, and data
machine-readable and machine-understandable integrity mechanisms, mobile networks have
semantics. the capability to provide the underlying security
infrastructure for sensitive identity information
exchange for mobile users. Mobile phones equipped
conclusIon with custom-made high capacity SIM cards can
act as a secure user identity storage place. New
Current reporting from the World Factbook states developments in security mechanisms to protect
1.5 to two times as many mobile users as Internet mishandling of user identities over the air inter-
users for developed countries like UK, France, phase as well as over the IP-based core network
and Germany and roughly three times as many can make the identity management for wireless
mobile users as Internet users in China (The service access secure enough.
World Factbook, 2006). Taking into account that
mobile users are available 24/7 as compared to
an average PC usage of 137.3 min/day for male rEfErEncEs
(134.2 min/day for female) shows the importance
of mobile service access. The emerging next gen- Altmann, J., & Sampath, R. (2006, April). UNIQuE:
eration network is expecting to integrate various A user-centric framework for network identity man-
access networks including 3G and WLAN/Wi-Fi agement. In Proceedings of IEEE/IFIP Network
networks. Ubiquitous access for seamless service Operations and Management Symposium, NOMS
interaction will be a reality soon. 2006 (pp. 495-506). Vancouver, Canada.
The current identity provisions will not allow
Boman, K., Horn, G., Howard, P., & Niemi, V.
this to happen. Users possess many identities in
(2002, October). UMTS security. Electronics
various forms and identity information is stored
and Communication Engineering Journal, 14(5),
in a scattered way in networks. Most of the recent
191-204.
developments are focused towards identity manage-
ment in Internet domain to access remote services. Cameron, K. (2005). The laws of identity. Retrieved
However, some efforts also target service access December 29, 2006, from http://identityblog.
located in the proximity of users. The success of com/
future service access asks for an integrated identity
mechanism to deal with both remote and proximity Chowdhury, M. M. R., & Noll, J. (2006, November).
service access. The creation of a user’s role-based Service interaction through role based Identity.
identity in a dynamic way and use of Semantic Paper presented at Wireless World Research Forum
Web technology will enhance user experience in Meeting 17, Heidelberg, Germany.
service interaction. Such a dynamic and integrated Chowdhury, M. M. R., & Noll, J. (2007, March).
identity mechanism together with mobile, sensor Distributed identity for secure service interaction.
networks, and NFC-enabled mobile terminal can In Proceedings of the Third International Confer-
improve the healthcare system for better handling ence on Wireless and Mobile Communications,
of patients, especially elderly and disabled people. ICWMC’07, Guadeloupe, French Caribbean.
Semantic descriptions of user preferences and rela-
tions can also improve user experience in social Cybertrust Case Studies Library. (2005). BankID:
interactions. Delivering bank-common trust for Web-based
The user personal wireless device along with transactions. Retrieved November 15, 2006,
a sophisticated smart card will play a key role for from https://www.cybertrust.com/intelligence/
identity management for wireless service access case_studies/
Identity Management
Damiani, E., De Capitani di Vimercati, S., & phone short messages. Paper presented at the
Samarati, P. (2003, November). Managing multiple International Conf. on Wireless and Mobile Com-
and dependable identities. IEEE Internet Comput- munications ICWMC’06, Bucharest, Romania.
ing, 7(6), 29-37.
Park, D.-G., & Lee, Y.-R. (2003). The RBAC
Haselsteiner, E. & Breitfuss, K. (2006). Security based privilege management for authorization of
in near field communication (NFC) strengths and wireless networks. In G. Dong et al. (Eds.), WAIM
weaknesses. Paper presented at the Workshop on 2003, Berlin/Heidelberg, Germany (LNCS 2762,
RFID Security—RFIDSec 06, Graz, Austria. pp. 314-326). Springer-Verlag.
Jøsang, A., Fabre, J., Hay, B., Dalziel, J., & Pope, Siddiqui, F., Zeadally, S., & Yaprak, E. (2005).
S. (2005). Trust requirements in identity manage- Design architecture for 3G and IEEE802.11 WLAN
ment. In Proceedings of the Australasian Informa- Integration. In P. Lorenz & P. Dini (Eds.), ICN 2005
tion Security Workshop (AISW’05), Newcastle, (LNCS 3421, pp. 1047-1054). Berlin/Heidelberg,
Australia. Germany: Springer.
Kambourakis, G., Rouskas, A., & Gritzalis, D. The SXIP 2.0 Overview. In specifications of SXIP
(2004). Performance evaluation of certificate based 2.0 protocol. (n.d.). Retrieved December 15, 2006,
authentication in integrated emerging 3G and Wi-Fi from http://sxip.net/Specs
network. In S. K. Katsikas et al. (Eds.), EuroPKI
Visa’s mobile platform initiative. (2007). Pay-
2004 (LNCS 3093, pp. 287-296). Berlin/Heidelberg,
ment news. Retrieved April 27, 2007, from http://
Germany: Springer.
www.paymentsnews.com/2007/02/visas_mo-
Kuroda, M., Yoshida, M., Ono, R., Kiyomoto, S., bile_pl.html
& Tanaka, T. (2004). Secure service and network
framework for mobile Ethernet. Wireless Personal
Communication, 29, 161-190. kEy tErMs
Li, M., Sandrasegaran, K., & Huang, X. (2005,
July). Identity management in vertical handovers Authentication: Authentication is to prove as
for UMTS-WLAN networks. In Proceedings of genuine.
the Internationl Conference on Mobile Business, Biometrics: Biometrics is the biological iden-
ICMB’05 (pp. 479-484). Washington DC: IEEE tification of a person which may include charac-
Communication Society. teristics of structure and of action such as iris and
Mastercard PayPass. (n.d.). The NYC mobile trial. retinal patterns; hand geometry; fingerprints; voice
Retrieved February 09, 2007, from http://www. response to challenges; the dynamics of hand-writ-
mastercard.com/us/paypass/mobile/ ten signatures, and so forth.
Miller, P. et al. (Eds.). (2004). Tier 2 business Circle of Trust: Circle of trust is a trust rela-
guidelines: Mobile deployments. Retrieved No- tionship through agreement among various service
vember 1, 2006, from http://www.projectliberty. providers.
org/liberty/resource_center/papers EAP-TLS and EAP-AKA: EAP-TLS and
Noll, J., Carlsen, U., & Kalman, G. (2006, August EAP-AKA are authentication frameworks fre-
7-10). License transfer mechanisms through seam- quently used in wireless networks.
less SIM authentication. Paper presented at the Federation: Federation is the joining together
International Conference on Wireless Information to form a union through agreement.
Systems, Winsys 2006, Setubal, Portugal.
IDP: Identity providers.
Noll, J., Lopez Calvet, J. C., & Myksvoll, K. (2006,
July 29-31). Admittance services through mobile
Identity Management
Life Cycle: Life cycle is the progression through Revocation of Identity: Revocation of identity
a series of different stages of development. is the act of recalling or annulling the identity.
PIN: Personal identification number. SP: Service providers.
Personalization: Personalization is when Single Sign-On (SSO): SSO on is the abil-
something is customized or tailored for the ity for users to log on once to a network and be
user, taking into consideration that person’s able to access all authorized resources within the
habits and preferences. domain.
Pervasive Computing: Pervasive computing Smart Card: Smart card is a card containing
is the use of computing devices everywhere and a computer chip that enables the holder to perform
these devices communicate with each other over various operations requiring data stored on chip.
wireless networks without any interactions required
Ubiquitous: Ubiquitous is being or seeming
by the user.
to be everywhere at the same time.
Proximity Service: Proximity services are
those available close to the users.
Chapter IX
Privacy-Enhancing Technique:
A Survey and Classification
Peter Langendörfer
IHP, Germany
Michael Maaser
IHP, Germany
Krzysztof Piotrowski
IHP, Germany
Steffen Peter
IHP, Germany
AbstrAct
This chapter provides a survey of privacy-enhancing techniques and discusses their effect using a sce-
nario in which a charged location-based service is used. We introduce four protection levels and discuss
an assessment of privacy-enhancing techniques according to these protection levels.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Privacy-Enhancing Technique
disclosed while using a location-based service from tion at application level is much more difficult to
a mobile device. In addition, an assessment of the achieve than protection at the network level. Here
protection level that can be achieved by applying some information has to be revealed in order to get
the introduced means is provided. Thus, this chapter a useful service, that is, data has to be given away
helps scientists to understand what is going on in and therefore it has to be protected somehow. At
the privacy research area so they can identify new the application level two dimensions have to be
research topics more easily. In addition, it enables considered to prevent detailed profiling: time and
practitioners to find approaches that allow them to location (in the sense of data gathering entity).
build a privacy-preserving system. The time dimension hinders service providers to
The rest of this chapter is structured as follows. construct a relationship between different service
We first discuss privacy protection goals and pro- uses executed by the same individual but at different
vide an example that outlines which information points in time. The location dimension provides
can be gathered while using a charged service. separation of information between several service
In the third section we explain privacy-enhanc- providers so that each one of them knows only data
ing technologies. A discussion of the protection of a specific type.
level achieved by individual means is given in In the following subsection we discuss a service
the fourth section. The chapter concludes with an scenario in which the current position of the user
investigation of the currently reached deployment is requested by the service provider, who is also
of privacy-enhancing techniques and a discussion charging for the service. We use this scenario to
of new research challenges. show which data is known by which party of the
whole system. We will also refer to this scenario
later on to illustrate the effect of the privacy-en-
PrIvAcy ProtEctIon goAls hancing techniques discussed in the following
section.
While browsing the Web or doing e- or m-com-
merce every user exposes information about Example
his/her interests, personal data, and so forth to
one or several of the following service provid- In this section we present a charged location-based
ers: network service provider, for example, telco service scenario that shows privacy issues in detail.
company; Internet service provider, for example, It shows the information flow between the involved
online book store; context service provider, for parties and the resulting dependencies that may
example, location handling system; and payment cause privacy flaws.
service provider, for example, his/her bank. Perfect The service provides its mobile user with in-
privacy can be achieved if and only if the user formation that is dependent on the location of the
reveals no information at all. Since this excludes user. Additionally, the user pays for the information
the user from all benefits online services provide using a payment protocol. As shown in Figure 1
it is not a reasonable choice. The most valuable there are five parties, besides the user, involved
alternative is to disclose as little information as in this scenario.
possible and only to the service provider who es-
sentially needs this information. 1. Positioning system is used to sense the cur-
In order to achieve a reasonable good separation rent location of the user. Depending on the
of information, personal data and communication kind of the system the location information
habits have to be protected at network as well as is sent to the location handling subsystem
at application level. The former is an essential either direct from the positioning system
prerequisite of the latter, that is, protection at the or is forwarded by the user. In the first case
application level does not make any sense as long the role of the user in location information
as no protection at the network level is used. Protec- forwarding is passive, in the latter active.
Privacy-Enhancing Technique
location handling
subsystem
location query
location
forwarding service
positioning provider
system payment
location refund
sensing information
withdrawal payment
network provider
user
2. The location handling subsystem combines that the user communicated with or paid a specific
the location information together with the user service provider causes privacy flaws. Table 1
identity. This subsystem may be a part of the shows that in this scenario a detailed profiling of
service, or it may be a part of the positioning the user is possible if he/she always provides the
system with passive user role. Of course, it same identifier to the individual service providers.
may also be a stand-alone infrastructure So, almost every party in the scenario can create a
part that manages the location information kind of profile. The situation becomes even worse
for multiple users and provides it to multiple if the service providers are collaborating to get a
services. more detailed profile of the user.
3. The payment provider transfers money in
order to allow the user to pay the service for
the information. dIscussIon of PrIvAcy-
4. The service provides the user with informa- EnHAncIng tEcHnIquEs
tion based on the current location of the user
received from the location handling subsys- In this section we provide an overview on privacy
tem. enhancing techniques but do not discuss basic
5. An additional, but virtual party is the network. technologies such as cipher means. Throughout
It may be a local network or the Internet. It this section we assume that all messages are en-
may introduce parties that, generally, can be crypted in order to avoid eavesdropping and easy
considered as eavesdroppers. observation of user activities by third parties. We
start with the discussion of network level protec-
Each party of the scenario has some of the user tion means, before we describe application level
data. In other words they have a kind of knowledge. approaches.
Table 1 shows the distribution of knowledge be-
tween these parties. Additionally, if not protected network level Privacy Protection
by means of cryptography the user data is available
to eavesdroppers. An often used approach intended to increase the
The habits of the user are reflected in his/her security is the application of a proxy chain, which
location and purchase history. Even if the content provides better security than use of a single proxy.
of the purchased information is not known, the fact
Privacy-Enhancing Technique
Table 1. Distribution of the knowledge about the user in the scenario. Information in brackets can also
be available to the corresponding parties depending on the setup.
- (Location)
Positioning system - (Identity)
- Location
Location handling - Identity
subsystem - Kind of purchased information
- Identity
- Purchased information
Service
- Location
- Identity
Payment provider - Kind of purchased information
By this means the messages are forwarded from In 1981 Chaum proposed mix networks as solu-
one proxy to another and eventually to the desti- tion that solves the open issues. Mix networks are
nation. Without additional security mechanisms a combination of proxy chains and asymmetric
this approach cannot be recommended since every cryptography. Instead of forwarding the plain mes-
proxy has access to data and at least the destina- sage, every packet is encrypted using pubic-key
tion address, so that no protection improvement is cryptography (PKC). PKC allows every sender to
achieved. An improvement of the proxy chain idea encrypt the message with the publicly known public
is the crowds approach (Reiter & Rubin, 1998). Each key of the proxy. Only the specific proxy is able to
user runs a program called Jondo. This program is decrypt the message with the corresponding private
the local access of the user to the proxy network key. The idea of mix networks is to encrypt the
and also a proxy for other users in the network. If a actual message with the public keys of a set of proxy
Jondo proxy receives a packet it randomly decides servers (also called stages or mixes). Encryption is
whether to forward the packet to another Jondo or performed cascaded in reverse order of the mixes
to send it to its destination. The receiver and also that will receive the packet. Additionally to the mes-
an external eavesdropper cannot decide whether sage, each encryption layer contains the address of
the packet was originally sent by the direct peer the next mix in the chain or the final receiver. That
or by another computer in the crowd, because the is, first the sender encrypts the message together
encrypted packets will be re-encrypted on every with the address of the receiver using the public
proxy. However, since every proxy still has access key of the last mix in the chain, while this cipher
to content and destination address, the crowds ap- text is encrypted together with the address of the
proach still has security and privacy flaws. last mix using the key of the second last mix, and
Privacy-Enhancing Technique
so on. Every mix only knows the previous and the corresponding mixes. Both input and output mix
next computer in the chain. No mix but the first change from connection to connection. In contrast
knows the sender, and no mix but the last has in- the Java Anon Proxy (JAP) (Project: AN.ON, n.d.)
formation about the receiver. A single proxy is not uses fixed routes, termed mix cascades. The mixes
able to disclose sender or receiver. Only with the are administrated by independent, well-reputed
private keys of every mix in the network it is pos- partners. Though JAP is more reliable and more
sible to reconstruct the path from the sender to the trustworthy than a P2P network, it shows a weak-
receiver. Such alliance is unlikely if individuals or ness with respect to privacy for the user. If the last
organizations with different interests administrate mix detects illegal content, all mixes in the cascade
the mixes on the route. As long as one mix on the work together and log the incident together with
route does not cooperate in order to reconstruct the subjects.
the route the anonymity is preserved. Indeed, it Mix networks are probably the best way to
is required that many users use the mix network. protect privacy on the network level. On this level
In order to strengthen the privacy every mix can they are a means that provide provable perfect
delay and reorder messages. Due to the successive security. However, the gain of privacy can turn
decryption on every mix recognition of forwarded useless if privacy is not additionally protected on
packets is prevented. the application layer.
Though mix networks have been matured, are
available, and very safe, they also have some prob-
lems. First, the effective transfer speed is limited. Application layer Privacy Protection
While for mail applications it is not a problem and
for the Web mostly acceptable, for example, real- Location Protection
time video streams are hardly possible. A survey
on mix networks available in Sampigethaya & In Gruteser and Grunwald (2003) an approach is
Poovendran (2006) provides insight into both the presented that reduces the accuracy of location
design and weaknesses of existing solutions. information in order to prevent re-identification of
Similar approaches such as onion routing objects using location-based services. Two dimen-
(Reed, Syverson, & Goldschlag, 1998), crowds sions, that is, space and time can be modified by the
(Reiter & Rubin, 1998), and Web mixes (Berthold system. So, instead of a single position a region is
& Köhntopp, 2000) have been reported in the past. reported to the location-based service, or instead of
The first two are in contrast to the original mix a single point in time an interval in which the user
approach vulnerable to traffic analysis attacks, but was at a certain position is reported. The fuzzifica-
they are more efficient. The Web mixes provide tion of the data is done at a trusted server which also
the same level of privacy as mix networks, but are extracts the user identity and network address. The
optimized for real-time traffic such as browsing communication between the user and the trusted
the Web. The comparison of these approaches server is protected by cryptographic means and
discussed in Berthold and Köhntopp clearly shows use of mix networks. The major drawback of this
that better protection of user privacy comes at the approach is that the trusted server knows almost
cost of less efficiency. everything about the user, that is, his/her identity,
Several projects have realized implementations network address, when he/she was where, as well
of mix networks. The Tor-network (“Tor: Over- as which services he/she used.
view,” n.d.) is a freely available open peer-to-peer Another approach, which was not actually
(P2P) solution of a mix network. Every Internet designed for privacy on the first hand, releases
user may open a mix server that can be part of ran- position information only in case they may be actu-
domly selected routes through the network. Before ally needed (Treu & Küpper, 2005). For proximity
transmitting a packet the sender selects a route and detection of two objects that actively report their
encrypts the message with the public keys of the location, location updates are not necessary as
Privacy-Enhancing Technique
long as either of them remains in a certain circular to link pseudonyms, if the system acts as a proxy
surrounding. Consider two moving objects A and for its users as described in Jia et al.. In case of
B that report their location to the infrastructure. systems that still require direct interaction between
There is a registration for a proximity event between their users and potential service provides such as
A and B of equal or less than 1 km. Their current Koch and Wörndl this benefit is no longer there.
positions are at 101 km distance. Both objects are On the other hand, centralized systems provide
notified about a logical circular region with 50 km means to identify individual users if necessary,
radius around their current position. These circles that is, after incorrect behaviour was detected.
do not intersect and have a minimum distance of This may help to increased acceptance of such
1 km. That is, while either objects moves only systems on the service provider site. Decentral-
within the given circle there is no chance that ized approaches such as the one by Jendricke and
the objects are closer than 1 km. Hence neither Gerd tom Markotten allow each user to define
of them needs to report its actual location to the pseudonyms himself/herself, so that there is no
infrastructure, so the location server only knows other entity, which has complete knowledge of
that a certain region within the user is moving real identity, and cyber world behaviour. The open
and thus no detailed location tracking is possible. issue that network addresses can be used to link
Since the system was not designed originally for pseudonyms together can be solved by additionally
privacy protection purposes, no means to withhold using mix networks.
the user’s identity from the server or protection of Pseudonyms are also used to realize anonymous
the communication between the location server e-cash systems, which are explained in the next
and the user are investigated. paragraph.
The idea of pseudonyms is to hide the real identity In an electronic payment scheme there are at least
of a user by using a bogus identity. Nicknames three parties. Let us describe the minimum setup.
used in chat rooms are widely known pseudonyms. The shop or service provider delivers goods or ser-
Pseudonyms prevent service providers from link- vices to the user in return of a monetary equivalent
ing an isolated transaction to a certain user. There by means of payment provider. Figure 2 shows
are several approaches that propose the use of the flow of the virtual money in this setup. The
pseudonyms in order to protect user privacy (Ber- payment provider issues some kind of electronic
thold & Köhntopp, 2000; Jendricke & Gerd tom money the user uses to pay the service provider
Markotten, 2000; Jia, Brebner, & D’Uriage, 2004; for its services. There can be multiple instances
Koch & Wörndl, 2001). The fundamental differ- of aforementioned parties, but to simplify the de-
ence between those approaches is that Jendricke scription only the presented flow of virtual money
and Gerd tom Markotten and Berthold manage is assumed.
the different user pseudonyms at the user’s own But besides the flow of the money there is also
device, whereas Koch and Wörndl and Jia et al. flow of information about the user. If the payment
propose the use of a centralized pseudonym ser- provider can recognize the electronic money tokens
vice. The major drawback of systems relying on it issued for the user it can create a history of the
a centralized pseudonym management is that they service providers the user prefers. On the other
still know the user’s real identity, which services hand, if the service provider can recognize the user
the user required and so forth, that is, they have a each time the user uses the service then the history
detailed user profile. Thus, such solutions provide of user purchases can be created. By combining
only limited privacy to their users. The positive the knowledge of these two parties a complete
aspect of these systems is that information such as profile of the user can be created. To avoid the
network addresses cannot be used by third parties possibility of profiling the user, that is, to improve
0
Privacy-Enhancing Technique
Figure 2. The flow of the virtual money in an elec- form that allows to reveal the user identity only
tronic payment scheme in case of user misbehaviour.
To avoid the user profiling by the service pro-
vider, there is a need to remove any link between
any two transactions or sets of transactions, de-
pending on the desired granularity. To allow this,
the electronic payment scheme tokens shall not
user contain any clue that might lead to linking any two
payment provider
tokens or sets of tokens that belong to the same
user. Additionally, if any identification is needed,
the user shall use pseudonyms while talking to
the service provider. Changing the pseudonym
service provider frequent enough helps to remove the links between
transactions.
Privacy-Enhancing Technique
lature and self-regulatory programs in helping to (4) rule holder. For appropriate interaction between
enforce Web site policies. those three interfaces are defined, including a pub-
APPEL (World Wide Web Consortium [W3C], lication interface and a notification interface.
2002) can be used to express what a user expects GEOPRIV specifies that a “using protocol” is
to find in a privacy policy. P3P and APPEL merely employed to transport location objects from one
provide a mechanism to describe the intentions of place to another. Location recipients may request
both sides than means to protect user data after a location server to retrieve GEOPRIV location
agreeing to use the service. information concerning a particular target. The
There are several privacy-related tools that are location generator publishes location information
based on P3P and APPEL specifications. AT&T’s to a location server. Such information can then be
(n.d.) Privacy Bird is a free plug-in for Microsoft® distributed to location recipients in coordination
Internet Explorer. It allows users to specify privacy with policies set by the rule maker, for example,
preferences regarding how a Web site stores and the user whose position is stored.
collects data about them. If the user visits a Web A using protocol must provide some mecha-
site, the Privacy Bird analyzes the policy provided nism allowing location recipients to subscribe
and indicates whether or not the policy fits to persistently in order to receive regular notification
the users preferences. The Microsoft® Internet of the geographical location of the target as its
Explorer 6 (Microsoft, n.d.) and Netscape® 7 location changes over time. Location generators
(Netscape, n.d.) embed a similar behaviour. They must be enabled to publish location information
allow the user to set some options regarding cookies to a location server that applies further policies
and are capable of displaying the privacy policy for distribution.
in human readable format. All these tools are a One of the benefits of this architecture is that
valuable step into the right direction, but they the privacy rules are stored as part of the location
still lack means to personalize privacy policies. object (Cuellar et al., 2004). Thus, nobody can
Steps towards personalized privacy policies are claim that he/she did not know that access to the
discussed by Maaser and Langendoerfer (2005) location information was restricted. But misuse is
and Preibusch (2005). In Preibusch a fine-grained still possible and it is still not hindered by techni-
choice from a set of offered policies is proposed cal means.
whereas a form of a bargaining in which neither
party fully publishes all its options is proposed in Server Side Means
Maaser and Langendoefer.
Privacy policies allow for “opting-out” of or In order to ensure privacy after agreeing to a
“opting-in” to certain data or data uses. But they certain privacy policy or privacy contract suitable
do not provide a technical protection means. The means on the data gathering side are needed. Such
user has no control on the actual abidance of the could be hippocratic databases (Agrawal, Kiernan,
policy but still has to trust that his/her personal Srikant, & Xu, 2002), HP Select Access (Casassa,
data is processed in accordance to the stated P3P Thyne, Chan, & Bramhall, 2005), Carnival (Arne-
policy only. Enforcement of the policy abidance sen, Danielsson, & Nordlund, 2004), PrivGuard
could be done by hippocratic databases or other (Lategan & Olivier, 2002). All these systems check
means. whether an agreed individual privacy policy allows
access to certain data for the stated purpose and
2. IETFs GeoPriv by the requiring entity.
There are several approaches that try to protect
GEOPRIV is a framework (Cuellar, Morris, Mul- privacy in location-aware middleware platforms
ligan, Peterson, & Polk, 2004) that defines four (Bennicke & Langendörfer, 2003; Gruteser &
primary network entities: (1) a location generator, Grunwald, 2003; Langendörfer & Kraemer, 2002;
(2) a location server, (3) a location recipient, and a Synnes, Nord, & Parnes, 2003; Wagealla, Terzis,
Privacy-Enhancing Technique
& English, 2003). In Langendörfer and Kraemer; linking individual transactions by using un-altered
Bennicke and Langendörfer; and Wagealla et al. pseudonyms. Along these lines, the use of identity
means are discussed that enable the user to declare management systems becomes essential in order
how much information he/she is willing to reveal. to ensure that all pseudonyms are used correctly,
In Synnes et al. the authors discuss a middleware when interacting with service providers. In addi-
that uses user-defined rules, which describe who tion, support for the generation of pseudonyms can
may access the user’s position information and be of help in order to guarantee a minimal level of
under which circumstances. The approach inves- pseudonym quality.
tigated in Gruteser and Grunwald intentionally In Table 2 we have not included descriptive
reduces the accuracy of the position information in and server-side approaches. With the former data
order to protect privacy. All these approaches lack gathered depends on user preferences and the latter
means to enforce access to user data according to provides protection against misuse only after the
the access policy defined by users. A combination fact, that is, it has no influence on the data accu-
of the location-aware middleware platforms with mulated in a certain service provider’s database.
protection means sketched previously would clearly
improve user privacy. A first step in this direction Protection level
was reported in Langendörfer, Piotrowski, and
Maaser (2006) where users are enabled to generate In order to asses the protection a certain PET can
Kerberos tokens on their own device and where provide we use a classification with four protec-
the platform checks these tokens before granting tion levels:
access to user data.
• High: Technical means are given to ensure
that the amount of data that can be gathered
AssEssMEnt of PrIvAcy- by a service provider is restricted to a mini-
EnHAncIng tEcHnIquEs mum or matches the user’s requirements. So,
no detailed information can be deduced from
In this section we discuss the protection level that gathered data. The downside is that no value-
can be achieved by applying privacy-enhancing added services can be provided or a service
techniques. In order to clarify how different classes may not be provided at all.
of approaches effect user privacy we resume our • Medium: The data that are gathered can not
example from the Privacy Protection Goals sec- only be determined by the user, but he/she
tion and show which data is protected by which keeps somewhat control over them. This
means. Thereafter we identify the protection level control might be either an active data con-
achieved by each class of protection means. trol, that is, an obeyed request for deletion,
or passive control that specifies certain rules
Evaluation of Presented techniques on how these data shall be dealt with in the
future or for certain purposes.
For the evaluation of the privacy-enhancing tech- • Low: The user can determine which of
niques we resume our example. Table 2 shows that his/her data is gathered. Especially if there
each class of privacy-enhancing techniques has its is no proven technical means to protect the
own merit and is applicable for a specific type of data, it is the task of the service provider
information. The fact that all techniques have been to ensure the security of the gathered data.
designed to protect specific information allows The drawbacks for service providers could
easy combination of several approaches to improve be that users are hesitant to use their service
user privacy. In the case of e-cash with revocable if they cannot prove the security/privacy of
anonymity the use of different pseudonyms is es- the data.
sential in order to prevent service providers from
Privacy-Enhancing Technique
Table 2. The sets of user data each party can link per transaction. The positing system can get informa-
tion only if the user role is passive, that is, the system tracks the user.
• None: The user, respectively, the owner of the ample, anonymous e-cash schemes provide a high
data, has no influence on the kind of data that level of protection since they prevent the user’s
is gathered, which information gets inferred bank from learning about the users online purchase
or derived. In addition, the service provider habits as well as the service provider from reveal-
or data collector respectively applies no ap- ing the users identity. But if the anonymous e-cash
propriate means to protect the information scheme is used by a single customer of the bank
or privacy. In this case we cannot speak of only, the protection provided by the anonymous
privacy at all. Such an environment enables e-cash scheme collapses to the protection against
service providers or others to gather as much the service provider, since the bank can easily link
and almost any data they want. Besides the the e-coins to the user’s identity.
drawback for service users having no privacy Table 3 shows the protection level of all pre-
at all is it most likely diminishes the trust of sented classes of privacy-enhancing techniques
the users or potential customers respectively such as mix networks and so forth. Here we did
into such services. not consider individual differences in a class since
weighting individual the drawbacks of similar ap-
In the classification of the PET according to proaches depends much on personal preferences
protection levels we are focussing on the strength and technical differences are already discussed in
of the classes of mechanism and neglect the side the Discussion of Privacy-Enhancing Techniques
effects. We are aware of the fact that real system section.
properties such as the number of participants have
significant impact on the protection level. For ex-
Privacy-Enhancing Technique
Table 3. Protection level of the individual privacy-enhancing techniques at network and application
level
Descriptive
Anonymous DA + server side Location
Mix networks Pseudonyms approaches
e-cash technologies protection
(DA)
Application low -
none medium High low medium
level medium
Network level high none None none none none
Privacy-Enhancing Technique
search community in recent years. A first attempt Brands, S. (1993). Untraceable off-line cash in wal-
is made by the SWAMI project (http://swami.jrc. lets with observers. In Proceedings of Crypto ’93
es), which focused on AMI projects, legal aspects, (LNCS 773, pp. 302-318). Springer-Verlag.
scenarios, and available PET.
Casassa Mont, M., Thyne, R., Chan, K., & Bram-
The workshop series “Privacy Enhancing
hall, P. (2005). Extending HP identity manage-
Technologies” published in Springer’s LNCS series
ment solutions to enforce privacy policies and ob-
(2482, 2760, 3856, 3424, 4258) provides a great
ligations for regulatory compliance by enterprises.
variety of publications dealing with technological,
HPL-2005-110. Retrieved January 1, 2007, from
social, and legal aspects of privacy.
http://www.hpl.hp.com/techreports/2005/HPL-
2005-110.html
rEfErEncEs Chaum, D. (1981). Untraceable electronic mail,
return addresses, and digital pseudonyms.
Agrawal, R., Kiernan, J., Srikant, R., & Xu, Y. Communications of the ACM, 24(2).
(2002, August 20-23). Hippocratic databases. In
Chaum, D. (1985). Security without identification:
Proceedings of the 28th International Conference
Transaction systems to make big brother
on Very Large Data Bases. Hong Kong, China.
obsolete. Communications of the ACM, 28(10),
Anton, A. I., He, Q., & Baumer, D. L. (2004). 1030-1044.
Inside JetBlue’s privacy policy violations. IEEE
Cranor, L. F. (2000). Beyond concern: Under-
Security & Privacy.
standing net users’ attitudes about online
Arnesen, R. R., Danielsson, J., & Nordlund, B. privacy. In I. Vogelsang & B. M. Compaine (Eds.),
(2004, November 4-5). Carnival: An application The Internet upheaval: Raising questions, seeking
framework for enforcement of privacy policies. answers in communications policy (pp. 47-70).
Paper presented at the 9th Nordic Workshop on Cambridge, MA: The MIT Press.
Secure IT-systems. Helsinki, Finland.
Cranor, L., Langheinrich, M., Marchiori, M., Pres-
AT&T Corporation. (n.d.). AT&T privacy bird. ler-Marshall, M., & Reagle, J. (2002, April 16).
Retrieved January 1, 2007, from http://privacy- The platform for privacy preferences 1.0 (P3P1.0)
bird.com Specification. Retrieved January 1, 2007, from
http://www.w3.org/TR/P3P/
Barbaro, M., & Zeller, Jr., T., (2006, August 9). A
face is exposed for AOL searcher no. 4417749. New Cuellar, J., Morris, J., Mulligan, D., Peterson, J.,
York Times. Retrieved from http://www.nytimes. & Polk, J. (2004). GEOPRIV requirements
com/2006/08/09/technology/09aol.html?ex=11674 (RFC 3693). Retrieved from http://www.rfc-ar-
54800&en=f448108fbc40931e&ei=5070 chive.org/getrfc.php?rfc=3693
Bennicke, M., & Langendörfer, P. (2003). Towards Federal Trade Commission (FTC). (1999). The
automatic negotiation of privacy contracts for FTC’s first five years: Protecting consumers online.
Internet services. In Proceeding of the 11th IEEE Retrieved from http://www.ftc.org
Conference on Networks (ICON 2003). IEEE
Gruteser, M., & Grunwald, D. (2003, May 5-8).
Society Press.
Anonymous usage of location-based services
Berthold, O., & Köhntopp, M. (2000, July 25-26). through spatial and temporal cloaking. Paper
Identity management based on P3P. In Proceedings presented at the ACM/USENIX International
of the Workshop on Design Issues in Anonymity Conference on Mobile Systems, Applications, and
and Unobservability. Berkeley, CA. Services (MobiSys). San Francisco, CA.
Privacy-Enhancing Technique
Jendricke, U., & Gerd tom Markotten, D. (2000). Peterson, J. (2005). A presence architecture for
Usability meets security—The identity-manager the distribution of GEOPRIV location objects
as your personal security assistant for the Internet. (RFC 4079). Retrieved from http://www.ietf.
In Proceedings of the Computer Security Applica- org/rfc/rfc4079.txt
tions, 2000, ACSAC’00, 16th Annual Conference,
Preibusch, S. (2005, July 19-22). Implementing
New Orleans, LA (pp. 344-353).
privacy negotiation techniques in e-commerce. In
Jia, G., Brebner, G., & D’Uriage, M. (2004). Privacy Proceedings of the 7th IEEE International Confer-
protection system and method. U.S. Patent: ence on ECommerce Technology, IEEE CEC 2005,
US 2004/0181683 A1. Technische Universität München, Germany.
Koch, M., & Wörndl, W. (2001). Community sup- Project: AN.ON—Anonymity.Online. (n.d.).
port and identity management. In Proceedings Protection of privacy on the Internet. Retrieved
of the European Conference on Computer Sup- January 1, 2007, from http://anon.inf.tu-dresden.
ported Cooperative Work (ECSCW 2001), Bonn, de/index_en.html
Germany.
Rao, J. R., & Rohatgi, P. (2000). Can pseudonymity
Langendörfer, P., & Kraemer, R. (2002). Towards really guarantee privacy? In Proceedings of the
user defined privacy in location-aware platforms. Ninth USENIX Security Symposium.
In Proceeding of the 3rd international Conference
Reed, M., Syverson, P., & Goldschlag, D. (1998).
on Internet computing. CSREA Press.
Anonymous connections and onion routing. IEEE
Langendörfer, P., Piotrowski, K., & Maaser, M. Journal on Selected Areas in Communications,
(2006). A distributed privacy enforcement archi- 16(4).
tecture based on Kerberos. WSEAS Transactions
Reiter, M., & Rubin, A. (1998). Crowds: Anonym-
on Communications, 5(2), 231-238.
ity for Web transactions. ACM Transactions on
Lategan, F. A., & Olivier, M. S. (2002). PrivGuard: Information and System Security, 1(1), 66-92.
A model to protect private information based on
Sampigethaya, K., & Poovendran, R. (2006). A
its usage. South African Computer Journal, 29,
survey on mix networks and their secure applica-
58-68.
tions. Proceedings of the IEEE, 94(12).
Maaser, M., & Langendoerfer, P. (2005, July 26-28).
Synnes, K., Nord, J., & Parnes, P. (2003, January).
Automated negotiation of privacy contracts. Paper
Location privacy in the Alipes platform. In Pro-
presented at the Computer Software and Applica-
ceedings of the Hawaii International Conference
tions Conference, Edinburgh, Great Britain.
on System Sciences (HICSS-36), Big Island, HI.
Microsoft. (n.d.). Microsoft announces privacy
Tor: Overview. (n.d.). Retrieved January 1, 2007,
enhancements for Windows, Internet Explorer.
from http://tor.eff.org/overview.html
Retrieved January 1, 2007, from http://www.micro-
soft.com/presspass/press/2000/Jun00/P3Ppr.asp Treu, G., & Küpper, A. (2005). Efficient proximity
detection for location based services. In Proceed-
Netscape. (n.d.). Netscape 7.0—7.2 release notes.
ings of the 2nd Workshop on Positioning, Naviga-
Retrieved January 1, 2007, from http://wp.netscape.
tion and Communication 2005 (WPNC05), Han-
com/eng/mozilla/ns7/relnotes/7.html#psm
nover, Germany: SHAKER-Publishing.
Novak, J., Raghavan, P., & Tomkins, A. (2004).
Wagealla, W., Terzis, S., & English, C. (2003).
AntiAliasing on the Web. In Proceedings of the
Trust-based model for privacy control in context-
13th international conference on World Wide Web,
aware systems. In Proceedings of the 2nd Workshop
New York.
on Security in Ubiquitous Computing, Ubicomp.
Privacy-Enhancing Technique
kEy tErMs
Chapter X
Vulnerability Analysis and
Defenses in Wireless Networks
Lawan A. Mohammed
King Fahd University of Petroleum and Minerals, Saudi Arabia
Biju Issac
Swinburne University of Technology – Sarawak Campus, Malaysia
AbstrAct
This chapter shows that the security challenges posed by the 802.11 wireless networks are manifold
and it is therefore important to explore the various vulnerabilities that are present with such networks.
Along with other security vulnerabilities, defense against denial of service attacks is a critical compo-
nent of any security system. Unlike wired networks where denial of service attacks has been extensively
studied, there is a lack of research for preventing such attacks in wireless networks. In addition to
various vulnerabilities, some factors leading to different types of denial of service (DoS) attacks and
some defense mechanisms are discussed in this chapter. This can help to better understand the wireless
network vulnerabilities and subsequently more techniques and procedures to combat these attacks may
be developed by researchers.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Vulnerability Analysis
typical wireless networks are defenseless against points (APs) come from the manufacturers in open
individuals who can find unsecured networks. The access mode with all security features turned off
wireless server dutifully grants the unauthorized by default. Therefore, insecure wireless devices
computer or mobile device an IP address, and the such as APs and user stations, can seriously com-
attacker is able to launch a variety of attacks such promise wireless networks, making them popular
as breaking into specific servers, eavesdropping on targets for hackers.
network packets, unleashing a worm, and denial Securing wireless networks requires at least
of service (DoS) or distributed denial of service three actions to be taken: first, authenticating users
(DDoS) attacks, and so forth. In this chapter, we to ensure only legitimate users have access to the
discuss some security threats along with DoS at- network; second, protecting the transmitted data by
tacks in a typical wireless networks and survey means of encryption; and third, preventing unau-
some counter measures. thorized connections by eliminating unauthorized
transmitter or receiver. This emphasizes the need
for a security framework with strong encryption
ovErvIEw of sEcurIty and mutual authentication as explained later.
cHAllEngEs In wIrElEss
nEtworks Specific Challenges and Key Issues
Security has traditionally consisted of ensuring The security challenges in wireless networks can
confidentiality of data, the complete integrity of be roughly divided into two main categories, based
the data, and the availability of the data when ever on their scope and impact. The first category in-
needed—where service is not denied. Generally volves attacks targeting the entire network and its
speaking, both wired and wireless network environ- infrastructure. This may include the following:
ments are complicated. Security solutions are most
effective when they can be customized to a specific • Channel jamming: This involves jamming
installation. Unfortunately, a high percentage of the wireless channel in the physical layer thus
individuals involved in building and maintain- denying network access to legitimate users.
ing inter-networks and infrastructures for these Typical example is the DoS attack.
environments have little knowledge of security • Unauthorized access: This involves gaining
protocols. As a result, many of today’s systems free access to the network and also using
are vulnerable. Recent reports indicated that the the AP to bypass the firewall and access the
wireless networks are becoming more popular. As internal network. Once an attacker has ac-
these networks deployments increase, so does the cess to the network, he/she can then launch
challenge to provide these networks with security. additional attacks or just enjoy free network
Wireless networks face more security challenges use. Although free network usage may not
than their wired counterparts. This is partly due be a significant threat to many networks,
to the nature of the wireless medium as transmit- however network access is a key step in
ted signals can travel through the walls, ceilings, address resolution protocol (ARP)-based
and windows of buildings up to thousands of feet man-in-the-middle (MITM) attacks.
outside of the building walls. Moreover, since the • Traffic analysis: This attack enables gaining
wireless medium is airwaves, it is a shared medium information about data transmission and net-
that allows any one within certain distance or work activity by monitoring and intercepting
proximity to intrude into the network and sniff the patterns of wireless communication. This
traffic. Further, the risks of using a shared medium involves analyzing the overhead wireless
is increasing with the advent of available hacking traffic to obtain useful information. There are
tools that can be found freely from hacker’s Web three forms of information that an attacker can
sites. Additionally, some default wireless access obtain. First, he/she can identify that there is
0
Vulnerability Analysis
activity on the network. Secondly, he/she can message, then release the modified message
find information about the location of APs in to the target destination. This can be done
the surrounding area. This is because unless by setting a rogue AP as described in Lynn
turned off, APs broadcast their service set and Baird (2002).
identifiers (SSIDs) for identification. Thirdly, • Message forgery: In this attack, as the wire-
he/she may learn the type of protocols being less link is not protected for message integrity,
used in the transmission. an attacker can inject forged messages into
both directions of the communication.
The second category involves attacks against • Session hijacking: In this attack, an attacker
the communication between the stations and the causes the user to lose his/her connection, and
AP. This may include the following: he/she assumes his/her identity and privileges
for a period. It is an attack against the integ-
• Faking/replay attack: This involves the rity of a session. The target knows that it no
ability to guess the structure of transmitted longer has access to the session but may not
information (even if it is encrypted) and be aware that the session has been taken over
replace the legitimate message with one by an attacker. The target may attribute the
which has the correct structure but that has session loss to a normal malfunction of the
altered fields. This is known as faking. A WLAN.
simple form of faking, and one that absolutely
must be protected against, is that of replay. Analysis of wired Equivalent Privacy
In this, an attacker simply records and then (wEP) Protocol
replays a message from one legitimate party
to another. A new form of replay attack is Wired equivalent privacy (WEP) has been part of
known as wormhole attack. In this attack, the 802.11 standard since its initial ratification in
the attacker records packets or individual bits September 1999. It is designed for data privacy and
from a packet at one location in the network, encryption to protect messages form unauthorized
tunnels them to another location, and replays viewing in case they are intercepted in the air. Its
it there as described in Yih-Chun (2006). goals are to provide integrity, availability, and
• Eavesdropping: This implies the interception confidentiality to the wireless networks. However,
of information/data being transmitted over the notable security research findings have shown de-
wireless network. When the wireless link is ficiencies and flaws in the design of WEP (Fluhrer,
not encrypted, an attacker can eavesdrop the Mantin, & Shamir, 2001; Gast, 2002, pp. 93-96).
communication even from some few miles
away. The attacker can gain two types of war driving and Its variants
information from this attack; he/she can read
the data transmitted in the session and can also The process of identifying and categorizing the
gather information indirectly by examining wireless networks by using pre-configured laptops
the packets in the session, specifically their from within a moving vehicle is called war driving.
source, destination, size, number, and time War drivers use laptops and some special software
of transmission. Eavesdropping can also be to identify wireless networks and let them under-
active; in this case the attacker not only listens stand the security associated with any particular
to the wireless connection, but also actively wireless network that they have recorded. They
injects messages into the communication also upload their war driving results to a Web site
medium. where others who have access will be able to see
• Man-in-the-middle attack (MITM): In this exactly where these unsecured wireless networks
attack, the attacker resides between the station are located. The use of GPS has aided this objec-
and the AP, and can intercept and modify the tive even further.
Vulnerability Analysis
War driving Web site http://www.worldwideward- Temporary Key Integrity Protocol (TKIP)
rive.org has done the data collection during four
rounds of war driving world wide from 2002 to Wi-Fi protected access (WPA) was designed to
2004. Their first worldwide war driving started replace WEP with the combination of the TKIP,
on August 31 and finished on September 7, 2002. which provides data confidentiality through en-
During this time, 9,374 APs were located and in cryption, and a new cryptographic message integ-
only 30.13% had WEP encryption enabled. The rity code called MIC or Michael, which provides
second drive lasted from October 26 to November data integrity. TKIP comprises the same encryp-
2, 2002 when they tracked 24,958 APs, with only tion engine and RC4 algorithm defined for WEP.
27.2% having WEP enabled. During the third drive However, unlike WEP the TKIP uses a 128 bits key
which happened from June 28 to July 5, 2003, for encryption and 64 bits key for authentication.
88,122 APs were located with only 32.26% WEP This solves the problem of a shorter WEP key.
enabled. The fourth drive started in June 2004 for TKIP also added a per-packet key mixing func-
some months, located 228,537 APs and the total tion to de-correlate the public initialization vectors
number of wireless networks running WEP was (IVs) from weak keys. Furthermore, TKIP also
found to be 38.3%. provides a rekeying mechanism to provide fresh
encryption and integrity keys by giving each user
security Enhancements a unique shared key per session and by using IV as
a counter. It discards any IV value received out of
In the context of the aforementioned deficiencies, sequence. If the IV space is exhausted, a new key
an IEEE 802.11i or IEEE 802.11 Task Groupi (TGi) is negotiated. This makes TKIP protected networks
developed a new set of WLAN security protocols more resistant to cryptanalytic attacks involving
to form the future IEEE 802.11i standard. The key reuse. TKIP provides better security than the
new security standard, 802.11i, which was con- WEP by adding four new algorithms:
firmed and ratified in June 2004, eliminates all the
weaknesses of WEP. It is divided into three main • It provides a nonlinear hash function (Mi-
categories (Strand, 2004) and these enhancements chael) that produces a 64 bit output. Unlike
are described as follows: CRC used in WEP, Michael is keyed. Only
those who know the secret key can compute
1. Temporary key integrity protocol (TKIP): a valid hash.
This is essentially a short term solution that • It provides a new IV sequencing discipline
fixes all WEP weaknesses. It would be com- to remove replay attacks from the attacker’s
patible with old 802.11 devices and it provides arsenal.
integrity and confidentiality. • It also has a per-packet key mixing function to
2. Counter mode with cipher block chain- de-correlate the public IVs from weak keys.
ing-message authentication code protocol • Finally, it provides a rekeying mechanism, to
(CCMP): This is a new protocol designed provide fresh encryption and integrity keys,
with planning, based on RFC 2610 which undoing the threat of attacks stemming from
uses Advanced Encryption Standard (AES) key reuse.
as cryptographic algorithm. Since this is more
CPU intensive than RC4 (used in WEP and Table 1 shows how WPA uses TKIP and Michael
TKIP), new and improved 802.11 hardware to address the cryptographic weaknesses of WEP
may be required. It provides integrity and (Cable, 2004).
confidentiality.
3. Extensible authentication protocol (EAP): Counter CBC-MAC Mode
EAP is a general protocol for point-to-point
(PPP) authentication that supports multiple Counter with cipher block chaining-message
authentication mechanisms. authentication code or simply (CCM) is a mode
Vulnerability Analysis
of operation for a symmetric key block cipher with the CCM, confidentiality and authentication
algorithm. CCM may be used to provide assur- are provided by the counter mode (CM) and the
ance of the confidentiality and the authenticity of cipher block chaining message authentication code
computer data by combining the techniques of the (CBC-MAC).
counter (CTR) mode and the cipher block chain- CCMP addresses all known WEP deficiencies,
ing-message authentication code (CBC-MAC) but without the restrictions of the already-deployed
algorithm. CCM is based on an approved sym- hardware. The protocol has many properties in
metric key block cipher algorithm whose block common with TKIP (Cam-Winget et al., 2003).
size is 128 bits, such as the AES. CCM consists WEP, TKIP, and CCMP can be compared as in
of two related processes: generation-encryption Table 2.
and decryption-verification, which combine two
cryptographic primitives: counter mode encryption 0.x/EAP Authentication
and cipher block chaining based authentication.
Only the forward cipher function of the block IEEE 802.1x was created for authentication in PPP.
cipher algorithm is used within these primitives. It ties a protocol called EAP, which can be applied
In generation-encryption, cipher block chaining is to both the wired and wireless networks. It also
applied to the payload, the associated data, and a supports multiple authentication methods, such
nonce to generate a message authentication code as EAP-Message Digest (EAP-MD5), EAP-One
(MAC); then, counter mode encryption is applied Time Password (EAP-OTP), EAP-Transport Layer
to the MAC and the payload to transform them into Security (EAP-TLS), EAP-Tunneled TLS (EAP-
a ciphertext. Thus, CCM generation-encryption TTLS), EAP-Generic Token Card (EAP-GTC),
expands the size of the payload by the size of the Microsoft CHAP version 2 (EAP-MSCHAPv2),
MAC. In decryption-verification, counter mode and EAP-FAST (Blunk & Vollbrecht, 1998).
decryption is applied to the purported ciphertext to In 802.1x EAP authentication process, a client
recover the MAC and the corresponding payload; attempts to connect with an authenticator (AP). The
then, cipher block chaining is applied to the payload, AP responds by enabling a port for passing only
the received associated data, and the received nonce EAP packets from the client to an authentication
to verify the correctness of the MAC. Successful server located on the wired side of the AP. The
verification provides assurance that the payload AP blocks all other traffic, such as HTTP, DHCP,
and the associated data originated from a source and POP3 packets, until the AP can verify the
with access to the key (Dworkin, 2004). client’s identity using an authentication server (e.g.,
CCMP is the preferred encryption protocol RADIUS). Once authenticated, the AP opens the
in the 802.11i standard. CCMP is based upon the client’s port for other types of traffic. The summary
CCM mode of the AES encryption algorithm. Thus, of the process is as shown in Figure 1.
CCMP utilizes 128-bit keys, with a 48-bit IV. As
Vulnerability Analysis
Table 2. WEP, TKIP, and CCMP comparison (Cam-Winget, Housley, Wagner, & Walker, 2003)
WEP TKIP CCMP
Vulnerability Analysis
Association Request
Association Response
EAP Start
EAP Request / ID
Vulnerability Analysis
Message 1 : [Anonce]
Create PTK from
ANonce and SNonce
Message 2 : [snonce, MIc]
Create PTK from
ANonce and SNonce
and supply GTK
second, third and fourth messages have a message done. For decryption process, the encrypted text is
integrity code (MIC). The MIC is generated by XOR-ed with the key to get the plaintext. Firstly, the
hashing a specified portion of the message and then known plaintext attack is done when the attacker
encrypting that hash with the PTK. This four-way knows two things: cleartext and the encrypted
handshake occurs whenever someone connects to text of a message communication. Having both
a WLAN using WPA. It also occurs thereafter, the encrypted and unencrypted form of the same
whenever the AP decides to refresh the transient information allows one to perform this attack and
keys (Phifer, 2007). to retrieve the encryption key. The attacker needs
to XOR cleartext and encrypted text to get the
Attack on Michael MIC key. Secondly, to carryout the double encryption
attack, a frame must be captured and the attacker
Michael MIC was introduced to prevent attacks must change the frame header destination MAC
through message modification. It uses a feature address to that of the attacker’s wireless client.
known as TKIP countermeasure procedure, which After this subtle change, the attacker must wait
works by disabling the AP if it receives two MIC for the IV to reset to one minus the original IV
failures within one second. After exactly one min- (of the modified frame), so that he/she can replay
ute, the AP comes back to life and would need all the captured frame into the air. When the AP sees
its past and current users to re-key to gain access the frame with the expected IV, it will encrypt the
to the network. An attacker could send corrupt frame, actually being fooled into decrypting the
packets to the AP which can pass the frame CRC frame instead of encrypting it. After doing the un-
check, but would trigger the TKIP countermeasure knowing decryption process, the AP will forward
eventually shutting down the AP, especially after the cleartext frame across the air to the forged
repeated corrupt traffic. MAC address specified by the attacker. Thirdly,
to achieve the message modification attack, the
Encryption Attacks on Known Plaintext, attacker must capture an encrypted packet that is
Double Encryption, and Message going to another subnet, modify a single bit, and
attempt to resend it. The modification will offset the
Modification
IC and the packet will be rejected. After trying a
number of times, the bits that are flipped will make
For WEP encryption process, an XOR operation
the IC correct again, although the packet would
of message (or plaintext) with encryption key is
be malformed. The attacker can do this numerous
Vulnerability Analysis
times without any logging or alerts from the AP. 6. Positioning and shielding of the antenna can
Once the packet passes the AP’s IC check, it will help to direct the radio waves to a limited
reach the route. The router will observe that the space.
packet is malformed and would send a response 7. Enabling of accounting and logging can help
that contains the cleartext and associated encrypted to locate and trace back some mischief that
text packet to the initial sender. This will give could be going on in the network. Preven-
the attacker the ingredients to perform cleartext tive measures can then be taken after the
cryptanalysis. A solution is to encrypt the 802.11 preliminary analysis of the log file. Allow
frames within a layer 3 (network layer) wrapper, regular analysis of log files captured to trace
so that any tampering cannot go undetected. any illegal access or network activity.
8. Using intrusion detection software to moni-
general wlAn security Measures tor the network activity in real time and to
inform alerts.
General security measures to minimize some of 9. Using honey pots or fake APs in the regular
the mention flaws are listed as follows (Held, 2003; network to confuse the intruder so that he/she
Hurton & Mugge, 2003; Issac. Jacob, & Moham- gets hooked to that fake AP without achieving
med, 2005): anything.
10. Turn off the network during extended periods
1. Encrypt the network traffic. WPA with TKIP/ of non-use or inactivity.
AES options can be enabled. Upgrade the 11. Use file sharing with caution. If the user does
firmware on AP to prevent the use of weak not need to share directories and files over
IV WEP keys. the network, file sharing should be disabled
2. Ensuring mutual authentication through IEEE on his/her computers.
802.1x protocol. Client and AP should both 12. Do not auto-connect to open Wi-Fi (wireless
authenticate to each other. Implementing fidelity) networks.
IEEE 802.1x port-based authentication with 13. Connect using a VPN as it allows connecting
RADIUS server (with PEAP/MS-CHAPv2) securely. VPNs encrypt connections at the
would be a good choice. sending and receiving ends through secure
3. Make the wireless network invisible by dis- tunnels.
abling identifier broadcasting. Turning off the 14. Use firewalls in between wireless and wired
SSID broadcast by AP and configure the AP network segments and implement filters.
not to respond to probe requests with SSID 15. Generally avoid dictionary words for pass
“any,” by setting your own SSID. Meaning, phrase in any authentication. Also make
rename the wireless network and change the the pass phrase more than 20 characters,
default name. especially if WPA-Pre Shared Key security
4. Changing the default WEP key settings, if is employed.
any. Changing the default IP address in the
AP to a different one. Change administrator’s
password from the default password. If the tyPEs of dEnIAl of sErvIcE
wireless network does not have a default AttAcks And PrEvEntIvE MEA-
password, create one and use it to protect the surEs
network.
5. Enabling the MAC filtering in AP level or DoS simply means the inability of a user, process,
in RADIUS server or in both can tighten the or system to get the service that it needs or wants.
security more, as there is a restriction in the Common DoS attacks on networks include direct
use of MAC addresses (this step in itself, can attacks, remote controlled attacks, reflective at-
be defeated through MAC spoofing). tacks, and attacks with worms and viruses.
Vulnerability Analysis
DoS attacks are quite effective against wire- The OS level DoS attacks rely on the ways
less networks. The wireless management frames operating systems implement protocols. A typi-
which are transmitted in cleartext in a wireless cal example is the ping of death attack in which
network, informs the clients that they can connect Internet control message protocol (ICMP) echo
or disconnect. The de-authentication frame will requests having total data sizes greater than the
disassociate a wireless end device from an AP. maximum IP standard size to be sent to the targeted
Since they are sent in cleartext, they can easily be victim. This attack often has the effect of crashing
forged to force legitimate users out of the network. the victim’s machine.
This can be accomplished by replaying a previous In application-based attacks, machine or a ser-
disassociation frame with a wireless sniffer. An vice are compromised and set out of order either
attack on 802.11b with 802.11g mixed network by taking advantage of specific bugs in network
mode can affect the clear channel assessment (CCA) applications that are running on the target host or
process that brings down the probability that two by using such applications to drain the resources
wireless nodes will transmit on the same frequency of their victim. It is also possible that the attacker
simultaneously. This attack can cause all nodes in may have found points of high algorithmic com-
range to shut down until the attacker stops injecting plexity and exploits them in order to consume all
the malicious frame. A layer 2 encryption would available resources on a remote host.
be the only solution to this. The EAP-DoS attack In data flooding attacks, an attacker uses all
involves injecting a number of EAP stat frames network bandwidth or any other device bandwidth
to an AP and if the AP cannot properly process by sending massive quantities of data and so caus-
all these frames, there is the chance that it might ing it to process extremely large amounts of data.
become inoperable. Another attack against the For instance, the attacker bombards the targeted
AP involves sending malformed EAP messages. victim with normal, but meaningless packets with
One of the recent attacks against the AP involves spoofed source addresses.
filling up the EAP identifier space that allows 255 DoS attacks based on protocol features take
ID tags to keep track of each client instance. If an advantage of certain standard protocol features
attacker can flood the AP with a large number of such as IP and MAC source addresses. Typically,
client connection instances, using up this counter, the attacker spoofs these features. Several types of
a DoS attack can be achieved (Earle, 2006). DoS attacks have focused on domain name systems
Different researchers have categorized DoS and (DNSs), and many of these involve attacking DNS
DDoS from different perspectives. As documented cache on name servers. An attacker who owns a
in Christos and Aikaterini (2003), DoS attacks can name server may coerce a victim name server into
be classified into five different categories, namely: caching false records by querying the victim about
(1) network device level attack, (2) operating system the attackers own site. A vulnerable victim name
(OS), level attack, (3) application level attack, (4) server would then refer to the rogue server and
data flood attack, and (4) protocol attack. cache the answer (Davidowicz, 1999).
Network device level attack includes attacks Other researchers such as Papadimitratos and
that might be caused either by taking advantage of Hass (2002) and Marti, Giuli, Lai, and Baker (2001)
bugs or weaknesses in driver software or by try- describe DoS attacks in relation to routing layer
ing to exhaust the hardware resources of network and those at the link or MAC layer.
devices. Network level attacks may also involve Attacks at the routing layer could consist of the
compromising a series of computers and placing following: (1) the attacker participates in routing
an application or agent on the computers. The and simply drops a certain number of the data
computer then listens for commands from a central packets. This causes the quality of the connections
control computer. The compromise of computers to deteriorate and further ramifications on the per-
can either be done manually or automatically formance if TCP is the transport layer protocol that
through a worm or virus. is used; (2) the attacker transmits falsified route
Vulnerability Analysis
updates. The effects could lead to frequent route address he/she wants to spoof. An attacker can
failures thereby deteriorating performance; (3) the learn the MAC address of the valid user by captur-
attacker could potentially replay stale updates. This ing wireless packets using any packet capturing
might again lead to false routes and degradation software by passively or actively observing the
in performance; and (4) reduce the time-to-live traffic. Web spoofing permits an attacker to observe
(TTL) field in the IP header so that the packet and change all the Web traffic sent to the victim’s
never reaches the destination. Routing attacks machine and capture all data entered into the Web
are usually directed at dynamic routing protocols page forms (if any) by the victim. The attack can be
such as border gateway protocol (BGP), open done using Web plug-ins and JavaScript segments.
shortest path first (OSPF), and enhanced interior The attack, once implemented, is started when
gateway routing protocol (EIGRP). Direct DoS or the victim visits a malicious Web page through a
DDoS attacks against routing protocols can lead to Web link in a malicious e-mail message sent by
regional outages. Another form of routing attack the attacker. DNS spoofing is where the attacker
is called route injection, which can lead to traffic makes a DNS entry to point to another IP address
redirection, prefix hijacking, and so forth. Attacks than it would be generally pointing to. It works
at the MAC layer are described next. through stealth by unknowingly forcing a victim
to generate a request to the attacker’s server, and
Flooding and Spoofing Attacks then spoofing the response from that server. IP
spoofing is a process used to gain unauthorized
Flooding attack, as the name implies, involves the access to computers, whereby the attacker sends
generation of spurious messages to increase traffic packets to a computer with spoofed IP address
on the network. While spoofing attacks involves implying that the message is coming from a trusted
the creation of packets with spoofed (i.e., forged) and genuine host.
source IP addresses and other credentials.
In smurf attack, an attacker sends a large amount ddos Attack
of ICMP echo traffic to a set of IP broadcast ad-
dresses, multiplying the traffic by the number of DDoS attacks usually refer to an attack by use of
hosts responding. ICMP flooding attack uses public multiple sources that are distributed throughout
sites that respond to ICMP echo request packets the network. In this attack, an attacker installs the
within an IP network to flood the victim’s site. It DDoS software controls on a network of computers,
involves flooding the buffer of the target computer mostly through security compromise. This allows
with unwanted ICMP packets. SYN flood attack the attacker to remotely control compromised
is also known as the transmission control protocol computers, thereby making it handlers and agents.
(TCP) SYN attack and is based on exploiting the From a “master” device, the attacker can control the
standard TCP three-way handshake. In this case, slave devices and direct the attack on a particular
an attacker sends SYN packet to initiate connec- victim. Thousands of machines can be controlled
tion. The victim responds with the second packet from a single point of contact as shown in Figure
back to the source address with SYN-ACK bit set. 3. There are several types of DDoS attacks, but
The attacker never responds to the reply packet. In their methods are very similar in that they rely on
this case, the victim’s TCP receive queues would a large group of previously compromised systems
be filled up, denying new TCP connections. An- to direct a coordinated distributed flood attack
other variant of this attack is called user datagram against a particular target.
protocol (UDP) flooding attack (Craig, 2000). Christos and Aikaterini (2003) classified DDoS
This attack is based on UDP echo and character based on the degree of the attack automation.
generator services provided by most computers on These classifications are manual, semi-automatic,
a network. In MAC spoofing attack, an attacker and automatic DDoS attacks. The manual attack
spoofs his/her original MAC address to the MAC involves manual scanning of remote machines for
Vulnerability Analysis
Attacker
Control traffic to
handlers
Control traffic to
agents/zombies
Flooding traffic to
victim computer
victim
vulnerabilities, then the attacker breaks into anyone example, an image-based challenge may be used
of them to install attack codes. Semi-automatic at- to determine whether the client is a real human
tacks are partially manual and partially automatic. being or an automated script. A similar approach
In this case, the attacker scans and compromises based on capabilities was proposed in Agarwal,
handlers and agents by using automated scripts. Dawson, and Tryfonas (2003), and the method
He/she then types the victims address manually generally relies on clients having to ask the server
and the onset of the attack is specified by the for permission to send packets. If the server decides
handler machines. In automatic DDoS attacks to allow the connection, it replies with a capabil-
the communication between attacker and agent ity token, which the client includes in subsequent
machines is completely avoided. In most cases packets and which the network polices.
the attack phase is limited to a single command Greenhalgh, Handley, and Huici (2005) de-
through the attack code file. All the features of the scribed an approach consisted of diverting traffic
attack, for example the attack type, the duration, going to protected servers so that it traverses control
and the victims address are preprogrammed in the points. These control points would encapsulate the
attack code. This way, the possibility of revealing traffic, sending it to a decapsulator near the server.
the attacker’s identity or source is very minimal. The server could then tell which control point a
A number of DDoS tools that are available from malicious flow had traversed, and request it be
the Internet have been identified by the Internet shut down at this boundary. Signature-based and
Security Systems (ISS) (www.iss.net). anomaly based detection techniques are proposed
in Park and Lee (2001) and Shields (2002). Some
defense Mechanisms Against dos solutions involve the use of strong digital signature
Attacks based transport level authentication mechanisms as
recently proposed in Dierks and Allen (2006).
Several techniques to counter DoS and DDoS
attacks have been proposed by researchers, and Mechanisms Against Spoofing
we briefly discuss some of these techniques. A
challenge based mechanisms was proposed by Attackers launching spoofing usually hide the
Kandula, Katabi, Jacob, and Berger (2005). For identity of machines they used to carry out an
0
Vulnerability Analysis
attack by falsifying the source address of the possibility is to divert traffic based on IP protocol
network communication. This makes it more dif- to different servers or even route it differently.
ficult to identify the sources of attack traffic. It is Thus, for a Web server it might be possible to
therefore important to use network switches that route ICMP and UDP traffic bound for the Web
have MAC binding features that store the first MAC server somewhere else entirely, or even block it
address that appears on a port and do not allow at the router, so that only TCP-based floods will
this mapping to be altered without authentication. succeed. This at least narrows the scope of attacks
To prevent IP spoofing, disable source routing on that can be made.
all internal routers and use ingress filtering. Web Another filtering technique is called ingress
spoofing depends mainly upon social engineering filtering. This filtering prevents spoofed attacks
tricks and it is thus important to educate users and from entering the network by putting rules on
to be generally aware of the address window in a point-of-entry routers that restrict source addresses
browser that displays the Web address that they to a known valid range.
are directed to. That can help if some suspicious Filtering can also be based on channel control.
Web site address comes up. DNS spoofing can be This method is known as channel control filtering
prevented by securing the DNS servers and by and can be achieved by filtering out DDoS control
implementing anti-IP address spoofing measures messages; this prevents the attacker from causing
(Paul, Ben, & Steven, 2003). Some vendors have the attack servers to begin the attack. This can also
added access control lists (ACL), implemented be accomplished using a signature-based packet
through MAC address filtering, to increase secu- filter. If we can develop signatures for most control
rity. MAC address filtering amounts to allowing channel packets, we can simply reject them at the
predetermined clients with specific MAC addresses control channel packet filter, and they will disap-
to authenticate and associate. While the addition of pear from the network.
MAC address filtering increases security, it is not a
perfect solution given that MAC addresses can be
spoofed. Also, the process of manually maintaining futurE trEnds
a list of all MAC addresses can be time consuming
and error prone. Therefore MAC address filtering Due to the rapid changes in treat level and attack-
is probably best left for only small and fairly static ing techniques, existing defense mechanisms may
networks (Mohammed & Issac, 2005). not be adequate to counter the threats of the future
attacks. Therefore, it is important for researchers
Filtering Techniques to continue analyzing different threats as they
emerge and develop more effective and efficient
Filtering requires being able to filter the flood defense mechanisms. For instance, detecting
packets. This can be achieved with a signature- distributed and automated attacks still remains
based packet filter. If one can create signatures a challenge. Due to the drawback of some of the
for typical flood packets (TCP packets with zero exiting solutions or defense mechanisms as well as
data size for example, or unusually large ICMP the emergence of new attack tools, further study is
packets), and filter out those packets, one can then needed to combine well-known security drawbacks
filter the flood packets while allowing “normal” with defense techniques that are already mature
traffic to proceed. and very effective. Moreover, it is also important
Another filtering option is to reject the first to look into the developing of DoS management
IP packet from any IP address. This works with framework for protecting, detecting, and reacting
many current generations of attack tools because to attacks when they occur. The following sum-
they tend to use a flat distribution random number marizes expected future trends in DoS and DDoS
generator to generate spoofed source addresses, and attacks—attacks on emerging technologies; attacks
they only use each random address once. Another against anti-DoS infrastructure; attacks with the
Vulnerability Analysis
aid of malware, adware, or spyware; recursive Craig, A. H. (2000). The latest in denial of service
DNS attacks or the use of DNS server for DoS attacks: Smurfing description and information to
attack; and attacks against OpenEdge WebSpeed minimize effects. Retrieved May 17, 2006, from
platforms, and so forth. http://www.pentics.net/denial-of-service/white-
papers/smurf.cgi
Davidowicz, D. (1999). Domain name system
conclusIon (DNS) security. Retrieved June 23, 2006, from
http://compsec101.antibozo.net/ papers/dnssec/
This chapter explores some of the security vulner-
dnssec.html
abilities associated with 802.11 wireless networks.
Here basic issues with WEP and better protocols Dierks, T., & Allen, C. (2006). The TLS protocol
like TKIP and CCMP were discussed with some (RFC 2246). Retrieved December 7, 2006, from
advice on security precautions. Later emphasis http://www.ietf.org/rfc/rfc2246.txt
was given on DoS and DDoS attacks to show
Dworkin, M. (2004). Recommendation for block
how complicated and varied they are in nature.
cipher modes of operation: The CCM mode of
DoS attacks are done quite effectively against
authentication and confidentiality. Retrieved No-
wired and wireless networks and it costs much in
vember 17, 2006, from http://csrc.nist.gov/publica-
terms of the damages done. Defense mechanisms
tions/nistpubs/800-38C/SP800-38C.pdf
against such attacks are still not perfect and the
chapter eventually reviews and explains some sets Earle, A. E. (2006). Wireless security handbook.
of defense mechanisms that could help against Auerbach Publications, Taylor & Francis Group.
such attacks.
Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weak-
nesses in the key scheduling algorithm of RC4.
Retrieved July 25, 2005, from http://downloads.
rEfErEncEs
securityfocus.com/ library/rc4_ksaproc.pdf
Agarwal, S., Dawson, T., & Tryfonas, C. (2003). Fontana, J. (2007). Network World. Retrieved
DDoS mitigation via regional cleaning centers April 5, 2007, from http://www.networkworld.
(Tech. Rep. No. RR04-ATL-013177). Sprint ATL com/news/2007/011907-microsoft-secure-vpn-
Research Report. tunneling-protocol.html
Blunk, L., & Vollbrecht, J. (1998). PPP extensible Gast, M. (2002). 802.11 wireless networks—The
authentication protocol (EAP) (RFC 2284). Re- definitive guide. CA: O’Reilly Media.
trieved December 25, 2006, from http://www.ietf.
org/rfc/rfc2284.txt Greenhalgh, A., Handley, M., & Huici, F. (2005).
Using routing and tunneling to combat DoS attacks.
Cable, G. (2004). Wi-Fi protected access data In Proceedings of the 2005 Workshop on Steps to
encryption and integrity. Retrieved December Reducing Unwanted Traffic on the Internet.
17, 2006, from http://www.microsoft.com/technet/
community/columns /cableguy/cg1104.mspx Held, G. (2003). Securing wireless LAN. Sussex,
England: John Wiley & Sons.
Cam-Winget, N., Housley, R., Wagner, D., &
Walker, J. (2003). Security flaws in 802.11 data link Hurton, M., & Mugge, C. (2003). Hack notes—Net-
protocols. Communications of the ACM, 35-39. work security portable reference. CA: McGraw-
Hill/Osborne.
Christos, D., & Aikaterini, K. (2003). DoS attacks
and defense mechanism: Classifications and state- In-Stat. (2006). In-stat market survey. Retrieved
of-the-art. Computer Networks, 44, 643-666. May 11, 2007, from http://www.in-stat.com
Vulnerability Analysis
Vulnerability Analysis
Chapter XI
Key Distribution and
Management for
Mobile Applications
György Kálmán
University Graduate Center – UniK, Norway
Josef Noll
University Graduate Center – UniK, Norway
AbstrAct
This chapter deals with challenges raised by securing transport, service access, user privacy, and ac-
counting in wireless environments. Key generation, delivery, and revocation possibilities are discussed
and recent solutions are shown. Special focus is on efficiency and adaptation to the mobile environment.
Device domains in personal area networks and home networks are introduced to provide personal digital
rights management (DRM) solutions. The value of smart cards and other security tokens are shown and
a secure and convenient transmission method is recommended based on the mobile phone and near-field
communication technology.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Key Distribution and Management for Mobile Applications
Protecting user data is of key importance for is authenticated, the user has to trust the network
all communications, and especially for wireless unconditionally. In universal mobile telecommu-
communications, where eavesdropping, man-in- nications system (UMTS), strong encryption is
the-middle, and other attacks are much easier. applied on the radio part of the transmission and
With a simple wireless LAN (WLAN) card and provides adequate security for current demands,
corresponding software it is possible to catch, but does not secure the transmission over the
analyse, and potentially decrypt wireless traffic. backbone. UTMS provides mutual authentication
The implementation of the first WLAN encryp- through an advanced mechanism for authentication
tion standard wired equivalent privacy (WEP) and session key distribution, named authentication
had serious weaknesses. Encryption keys can be and key agreement (AKA).
obtained through a laptop in promiscuous mode
in less than a minute, and this can happen through
a hidden attacker somewhere in the surrounding. A long wAy to sEcurE
Data protection is even worse in places with public coMMunIcAtIon
access and on factory default WLAN access points
without activated encryption. Standard Internet Applying some kind of cryptography does not im-
protocols as simple mail transport protocol (SMTP) ply a secured access. Communicating parties must
messages are not encoded, thus all user data are negotiate the key used for encrypting the data. It
transmitted in plaintext. Thus, sending an e-mail should be obvious that the encryption key used for
over an open access point has the same effect as the communication session (session key) cannot be
broadcasting the content. With default firewall sent over the air in plaintext (see Figure 1).
settings an intruder has access to local files, since In order to enable encryption even for the first
the local subnet is usually placed inside the trusted message, several solutions exist. The simplest
zone. These examples emphasise that wireless links one, as used in cellular networks is a preshared
need some kind of traffic encryption. key supplied to the mobile terminal on forehand.
When the first widespread digital cellular net- This key can be used later for initialising of the
work was developed around 1985, standardisation security infrastructure and can act as a master key
of the global system for mobile communication in future authentications.
(GSM) introduced the A5 cryptographic algo- In more dynamic systems the use of preshared
rithms, which can nowadays be cracked in real-time keys can be cumbersome. Most of WLAN encryp-
(A5/2) or near real-time (A5/1). A further security tion methods support this kind of key distribution.
threat is the lack of mutual authentication between The key is taken to the new unit with some kind of
the terminal and the network. Only the terminal out of band method, for example with an external
unit, as indicated in Figure 2. Practically all pri-
vate and many corporate WLANs use static keys,
allowing an eavesdropper to catch huge amounts
Figure 1. A basic problem of broadcast environ- of traffic and thus enable easy decryption of the
ment content. This implies that a system with just a se-
cured access medium can be easily compromised.
Non-aging keys can compromise even the strongest
encryption, thus it is recommended to renew the
keys from time to time.
Outside the telecom world it is harder to distrib-
ute keys on forehand, so key exchange protocols
emerged, which offer protection from the first
message and do not need any preshared secret.
The most widespread protocol is the Diffie-Hell-
Key Distribution and Management for Mobile Applications
Figure 2. (a) Diffie-Hellmann key exchange and (b) out-of-band key delivery
(a) (b)
man (DH) key exchange of Figure 2, which allows Two keys, a public and a private are generated.
two parties that have no prior knowledge of each The public key can be sent in plaintext, because
other to jointly establish a shared secret key over messages encrypted with the public key can only
an insecure communications channel. be decoded by the private key and vice versa. The
This protocol does not authenticate the nodes to two way nature of public keys makes it possible to
each other, but enables the exchange data, which authenticate users to each other, since signatures
can be decoded only by the two parties. Malicious generated with the public key can be checked with
attackers may start a man-in-the-middle attack the public key. Message authenticity can be guar-
(see Figure 4). Since this problem is well-known, anteed. Still, the identity of the node is not proven.
several modifications enable identity based DH, for The signature proves only that the message was
example Boneh, Goh, and Boyen (2005) showed encoded by the node, which has a public key of the
a hierarchical identity based encryption method, entity we may want to communicate with.
which is operating in fact as a public key system, Identity can be ensured by using certificates.
where the public key is a used chosen string. Certificate authorities (CA) store public keys and
Public key infrastructure (PKI) can help de- after checking the owner’s identity out of band,
fending corresponding parties against man-in-the- prove their identity by signing the public key
middle attacks. Public key cryptography is based and user information with their own keys. This
on the non polynomial (NP) time problems, for method is required for financial transactions and
example of factorisation or elliptic curves. business and government operations. Without a
Key Distribution and Management for Mobile Applications
Key Distribution and Management for Mobile Applications
Figure 4. TLS key negotiation data transferred over the radio interface beside the
high computing power needs.
In environments with limited resources, au-
thentication and identity management based on
preshared keys is still the most effective solution.
Badra and Hajjeh (2006) propose an extension to
TLS, which enables the use of preshared secrets
instead the use of asymmetric encryption. This is
in line with the efforts to keep resource needs at
the required minimum level in mobile devices. A
preshared key solution was also proposed by the
3rd Generation Partnership Projects (3GPP, 2004)
and (3GPP2, 2007) as an authentication method
for wireless LAN interworking. The problem with
the proposed solution is preshared keys does not
provide adequate secrecy nor identity protection in
Internet connections. To deal with this problem, the
Figure 5. TLS-KEM key negotiation TLS-key exchange method (TLS-KEM) provides
identity protection, minimal resource need, and
full compatibility with the original protocol suite
as seen in Figure 6.
In direct comparison, the public key based
TLS needs a lot more computing, data traffic, and
deployment effort.
In UMTS networks, an array of authentication
keys is sent to the mobile in authentication vec-
tors. In the computer world a good solution would
be using hash functions to calculate new session
keys, as these consume low power and require
little computing.
A moving terminal can experience a commu-
nication problem, as the overhead caused by key
negotiation might extend the connection time to a
network node. A preserved session key for use in
the new network is a potential solution in a mobile
least fixed environment, computational cost of key environment, as it speeds up the node’s authentica-
negotiations is usually neglected. For example TLS tion. Lee and Chung (2006) recommend a scheme,
is using several public key operations to negotiate which enables to reuse of session keys. Based on
a session key. This can be a problem for mobile the AAA infrastructure, it is possible to forward
devices, since computational cost is much higher the key to the new corresponding AAA server on
in asymmetric encryption. The standard TLS suite a protected network and use it for authentication
uses lots of cryptographic operations and gener- without compromising system security. This can
ates a too large message load on wireless links reduce the delay for connecting, and also reduces
(see Figure 5). the possibility of authentication failure. Since the
If a mobile device wants to execute mutual old session key can be used for authenticating the
authentication with a service provider, with cer- node towards the new AAA server, connection
tificate exchanges, it can lead to big amounts of to the home AAA is not needed any more. The
Key Distribution and Management for Mobile Applications
messages are exchanged as follows (Lee & Chung, mances for public key based mechanisms (Lim,
2006): when sending the authorisation request to Lim, & Chung, 2006). Mobile IPv4 uses symmet-
the new network, the node also includes the old ric keys and hashes by default. Since symmetric
network address it had. The foreign agent connects keys are hard to manage, a certificate-based key
to the new local AAA server and sends an authen- exchange was recommended, but this demands
tication request. The new AAA server connects more resources. To lower the resource demand, a
to the old one sending a message to identify the composite architecture was recommended (Sufa-
user. The old AAA authenticates the message by trio, 1999). The procedure uses certificates only
checking the hash value included, and generates a in places where the terminal does not require
nonce for the terminal and the foreign agent. The processing of the public key algorithm and does
server composes an AAA-terminal answer, which not require storage of the certificate.
is composed from a plain nonce, an encrypted nonce The result of the comparison shows that hash
using the key shared between the old foreign agent is by far the most efficient method in terms of key
and the terminal. Then the whole message is signed generation, but suffers from management difficul-
and encrypted with the key used between the two ties. Lim et al. (2006) also demonstrates that a pure
AAA servers. When the new AAA receives it, certificate-based authentication is unsuitable for
decrypts and sends the message to the new foreign mobile environments. Partial use of certificates and
agent. Based on the plain nonce, the agent generates identity-based authentication with extensive use of
the key and sends down the reply, which includes hash functions can be a potential way ahead.
also the nonce encrypted by the old AAA. After
the authentication of the user towards the network,
the user can start using services. AutHEntIcAtIon of dEvIcE
Key distribution and efficiency in e-com- grouPs
merce applications is another important aspect.
The network’s AAA usually does not exchange In a ubiquitous environment, moving networks
information with third parties or can not use the appear. PANs and ad hoc connections based on
authentication data of the network access because various preferences emerge and fall apart. These
of privacy issues. Current security demands require devices communicate with each other and have
mutual identification of communicating parties in usually very limited capabilities in terms of
an e-commerce application. This can easily lead computing power and energy reserves. In order
to compromising the customer to companies (for to provide secure communication between any
example in a GSM network, the user has to trust part of the network, hierarchical key management
the network unconditionally). If the user can also methods emerged (Kim, Ahn, & Oh, 2006). Here
check the identity of the service provider, at least a single trusted server is used to manage the group
man-in-the-middle attacks are locked out. key. These entities are usually storing the keys in
When a user starts a new session with a service a binary tree, where nodes are the leaves.
provider, this session should be based on a new Public key operations are usually required
key set. The session key has to be independent when a terminal wants to connect to a group for
from the previous one in means of traceability the first time. A group management system needs
and user identity should not be deductible from frequent key generation rounds, because it has to
the session key, thus ensuring user privacy. For ensure forward and backward secrecy. Strict key
mutual identification, a key exchange method is management policies ensure that no new node is
proposed by Kwak, Oh, and Won (2006), which capable of decoding former traffic and none of the
uses hash values to reduce resource need. The key old nodes have the possibility to decrypt current
calculation is based on random values generated traffic. To adjust resource usage to mobile environ-
by the parties, which ensures key freshness. ment, a management scheme which uses mainly
The use of hash functions is recommended in simple operations like XOR and hash is advisable
mobile environments, providing better perfor- (Kim et al., 2006). As the key in the root of the
0
Key Distribution and Management for Mobile Applications
Key Distribution and Management for Mobile Applications
is presented in order to visualise the requirements Kálmán and Noll (2006) recommend a phone-
of this market. Apple’s FairPlay enables making based solution. This represents a good trade-off
backup copies of audio tracks, which is permitted between user experience and content protection.
by law in several European countries, and copy The phone is practically always online, most of
of content between the user’s iPod players. This them have Bluetooth or other short range radio
solution is considered being to open for some transmitters, so licenses can be transmitted on
content providers, and the distribution is limited demand. Since the phone has a screen and a
to a server-client infrastructure. For HD content keyboard, it is possible to request authorisation
with high bandwidth needs such a server-client from the user before every significant message
infrastructure is not advisable, both from a server exchange, so the user can control the way licenses
and network point of view. The ever growing size are distributes.
of P2P networks form a perfect infrastructure to If we look aside the issues related to busi-
deliver content with high bandwidth need practi- ness aspects, computational issues still remain.
cally without substantial transmission costs. P2P Highly secure DRM entities will use asymmetric
networks are usually run without any DRM support. encryption and certificates. Sur and Rhee (2006)
An additional infrastructure supporting DRM in a recommend a device authentication architecture,
P2P network used to transmit content will enable which eliminates traditional public key operations
high volume distribution of digital content (Pfeifer, except the ones on the coordinator device. This is
Savage, Brazil, & Downes, 2006). If seamless achieved by using hash chains including the permis-
license delivery and user privacy could be guar- sion, for example, a device can get keys to play a
anteed, such a network could be the foundation of designated audio track ten times or permission to
a low cost content delivery scheme. use five daily permits on demand. Such schemes
While the usage of P2P networks is an excel- allow end devices to be simpler and lower network
lent idea, the recommended solution proposed by communication overhead.
Nützel and Beyer (2006) is similar to the Sony’s If a central device is not appreciated, a com-
rootkit solution: It bypasses the user control and posite key management scheme may be used. The
is thus not acceptable. While the primary goal is parties in the PAN will form a web of trust like in
to secure content, the software used in such solu- a confidentiality scheme, for example, pretty good
tions acts like hidden Trojans and opens backdoors privacy (PGP). In this web, the main key is split
not only for the content providers, but also other between nodes and cooperation is needed for sig-
hackers. nificant operations. This means that if the scheme
Content usage across platforms is not supported is operating on a (k, n) basis, k-1 nodes can be lost
yet, as a common standard does not exist. Pfeifer before the system needs to be generate a new key.
et al. (2006) suggests a common management Fu, He, and Li (2006) mention the problem of the
platform for DRM keys with an XML-based, PAN’s ad hoc nature as the biggest problem. Since
standard MPEG-REL framework. Users will also this scheme selects n nodes randomly, the ones
produce content with digital protection, in order to that are moving between networks fast can cause
ensure that personal pictures cannot be distributed instability in the system. Also, the resource need of
electronically. Social networks and groups of inter- this proposal is quite high on all nodes present.
est, as well as distribution of content in PANs is a When a scheme is enabling off-line use of
challenge for DRM development. Zou, Thukral, license keys, attention should be given to prob-
and Ramamurthy (2006) and Popescu, Crispo, lems arising from leaving or compromised nodes.
Tanenbaum, and Kamperman (2004) propose a Identity-based schemes become popular recently
key delivery architecture for device groups, which because of their efficiency in key distribution.
could be extended by a local license manager. The main drawback is that these proposals do not
The central key management unit could distribute provide a solution for revocation and key renewal.
licenses seamlessly to the device, which wants to Hoeper and Gong (2006) propose a solution based
get access, without invading user experience. on a heuristic (z, m) method. The solution is similar
Key Distribution and Management for Mobile Applications
to the threshold scheme shown before, but enables and SIM cards with enhanced encryption ca-
key revocation. If z nodes are accusing one node pabilities. The SIM and USIM modules used in
to be compromised, based on their own opinion, GSM/UMTS are quite capable smart cards. They
the node is forced to negotiate a new key. If a node offer protected storage with the possibility of over
reaches a threshold in number of regenerations in a the air key management, good user interface, and
time period, it could be locked out, since most likely standard architecture. Danzeisen, Braun, Rodel-
an intruder is trying to get into the system or the lar, and Winiker (2006) shows the possible use
internal security of the node is not good enough. of the mobile operator as trusted third party for
The assumptions about the system are strongly exchanging encryption keys out of band for other
limiting the effectiveness of the solution. The most networks.
stringent assumption is that they require to nodes to Delivery of the mobile phone key to a differ-
be in promiscuous mode. This can lead to serious ent device can be problematic, since most devices
energy problems. Another requirement is that there do not have a SIM reader, or it is inconvenient
has to be a unit for out-of-band key distribution. to move the SIM card from the mobile phone to
This unit could be the cellular phone. another device. New developments in near field
communication may overcome this and enable
short range secure key transfer.
sMArt cArds And cEllulAr
oPErAtors
brEAkIng tHE lAst cEntIMEtrE
The use of smart cards has its roots in the basic prob- boundAry
lem of security infrastructures: even the most well
designed system is vulnerable to weak passwords. Frequency of authentication request is a key factor
A card, which represents a physical entity, can be in user acceptance. If a system asks permanently for
much easier protected compared to a theoretical new passwords or new values from the smart card
possession of a password. Smart cards integrate hash chain, it will not be accepted by the user. On
tamper resistant storage and cryptographic func- the other hand, if a device gets stolen and it asks
tions. They are usually initialised with a preshared for a password only when it is switched on, then
key and creating a hash chain, where values can a malicious person can impersonate the user for a
be used as authentication tokens. long time. A potential solution is to create a wear-
The remote authentication server is using the able token with some kind of wireless transmission
same function to calculate the next member. The technology and define the device behaviour such
encryption key is the selection of a collision resis- that if the token is not accessible, it should disable
tant hash function. While the tokens they provide itself in the very moment of notification.
are quite secure, a problem with smart cards is that Since the main challenge is not securing data
they represent a new unit that has to be present in transfer between the terminal and the network, but
order to enable secure communication, and user to authenticate the current user of the terminal, a
terminals must be equipped with suitable read- personal token has to be presented. As proposed
ers. The additional hardware does not only cause by Kálmán and Noll (2007), the mobile phone
interoperability problems, but is usually slow, as a can be a perfect personal authentication token
measurement conducted shows (Badra & Hajjeh, if it is extended by a wireless protocol for key
2006). This becomes eminent when high traffic is distribution.
associated with asymmetric encryption; sending With the capabilities of user interaction,
a “hello” message with standard TLS to the smart network control of the mobile phone, it can be
card needed 10 seconds. In contrast, the modified ensured that critical operations will need user
TLS-KEM needed 1.5 s. presence by requiring PINs or passwords. Pos-
A user-friendly, seamless key delivery system sible candidates for key exchange are Bluetooth
can be created with the help of cellular operators
Key Distribution and Management for Mobile Applications
(BT), radio frequency identification (RFID), and phones and a public key connected to that one.
Near Field Communications (NFC). NFC is a Based on this, DH key exchange would be possible
successor of RFID technology in very short range between terminals and the phone using the cellular
transmissions. BT is close to the usability limit, network as a gateway. An NFC-enabled phone could
since its transmit range reaches several meters. be the central element of a home DRM service, as
But the two later ones are promising candidates. it is online, capable of over the air downloads, and
Depending on the frequency, general RFID has still able to ensure user control.
a range of several meters while NFC operates in
the 0-10 cm range. NFC is recommended, as the
range alone limits the possibilities of eavesdroppers on tHE dAwn on PErsonAl
and intruders who want to impersonate the token contEnt MAnAgEMEnt
while it is absent. The use of repeaters in the case
of NFC, a so-called wormhole attack as described From the viewpoint of secure data transmission
by Nicholson, Corner, and Noble (2006), looks and user authentication, access and distribution of
not feasible because of the tight net of repeaters digital content can be ensured. Open issues remain
required. Also, the capability of user interaction for moving PANs and devices with limited capa-
provides an additional level of security. bility. Focus nowadays is on protecting the user’s
Mobile phones with integrated NFC functional- privacy. As usage of digital devices with personal
ity are already available and serve as user authen- information was limited, user privacy was not of
tication devices. To use these devices as tokens for primary concern for a long time. Since PANs and
other terminals, they have to be placed very close home networks hold a large amount of critical
to each other. This prevents accidental use in most personal data, this has to change (Jeong, Chung,
cases. To check presence of the token, heartbeat & Choo, 2006; Ren, Lou, Kim, & Deng, 2006).
messages might be introduced. By design, this In a ubiquitous environment users want to ac-
solution is very capable of distributing preshared cess their content wherever they are. This has to
keys for other devices out of band. Meaning, the be enabled in a secure manner. With upcoming
phone can get the keys from the cellular network social services, also fine grained access control
from an identity provider and send it down to the methods have to be deployed inside the personal
appropriate device by asking the user to put the infrastructure. The focus of DRM research has to
devices close to each other for a second or two. shift towards the end user, who will also require the
Transmission of the key must be done only right to protect himself/herself and his/her content
when needed, so the programmable chip on the with the same strength as companies do.
phones has to be in a secured state by default and Extending the phone’s functions may be prob-
only activated by the user’s interaction. Protection lematic because of energy consumption and limited
of RFID tags is shown by Rieback, Gaydadjiev, computing power. This could be easily solved by
Crispo, Hofman, and Tanenbaum (2006), where a the technology itself, since a new generation of
proprietary hardware solution is presented. In case mobile terminals is arriving every half year. The
of a phone-based NFC key transmission, additional capacity and functionalities of the SIM cards will
active devices might be unnecessary to use, but be extended, the newest 3GPP proposals are pre-
for general privacy protection, IDs with RFID dicting high capacity and extended cryptographic
extensions must be treated with care. possibilities.
Transmission of certificates would not need ad- Regarding legal aspects, extending the SIM
ditional encryption over the NFC interface, while possibilities may cause some concern, since the
other keys may require a preshared key between SIM cards are currently owned by the network
the phone and the terminals, which can be done operators.
via a wired method or by the phone provider. Most
providers have at least one secret key stored on
Key Distribution and Management for Mobile Applications
Key Distribution and Management for Mobile Applications
a ubiquitous computing environment. In Com- the 4th ACM workshop on Digital rights manage-
putational Science and Its Applications—ICCSA ment, Washington, DC.
2006 (LNCS 3983).
Ren, K., Lou, W., Kim, K., & Deng, R. (2006).
Kwak, J., Oh, S., & Won, D. (2006). Efficient key A novel privacy preserving authentication and
distribution protocol for electronic commerce access control scheme for pervasive computing
in mobile communications. In Applied Parallel environments. IEEE Transactions on Vehicular
Computing (LNCS 3732). Technology, 55(4), 1373-1384.
Lee, J.-H., & Chung, T.-M. (2006). Session key Rieback, M. R., Gaydadjiev, G. N., Crispo, B.,
forwarding scheme based on AAA architecture Hofman, R. F. H., & Tanenbaum, A. S. (2006,
in wireless networks. In Parallel and Distributed December 3-8). A platform for RFID security and
Processing and Applications (LNCS 4330). privacy administration. Paper presented at the
20th USENIX/SAGE Large Installation System
Lim, J.-M., Lim, H.-J., & Chung, T.-M. (2006).
Administration Conference—LISA 2006, Wash-
Performance evaluation of public key based
ington, DC.
mechanisms for mobile IPv4 authentication in
AAA environments. In Information Networking. Sufatrio, K. Y. L. (1999, June 23-25). Registra-
Advances in Data Communications and Wireless tion protocol: A security attack and new secure
Networks (LNCS 3961). mini-mal public-key based authentication. Paper
presented at the International Symposium on
Nicholson, A. J., Corner, M. D., & Noble, B. D.
Parallel Architectures, Algorithms and Networks,
(2006). Mobile device security using transient
ISPAN’99. Fremantle, Australia.
authentication. IEEE Transactions on Mobile
Computing, 5(11), 1489-1502. Sur, C., & Rhee, K. H. (2006). An efficient authen-
tication and simplified certificate status manage-
Noll, J., Ribeiro, V., & Thorsteinsson, S. E. (2005).
ment for personal area networks. In Management
Telecom perspective on scenarios and business in
of Convergence Networks and Services (LNCS
home services. In Proceedings of the Eurescom
4238).
Summit 2005 (pp 249-257).
Zou, X., Thukral, A., & Ramamurthy, B. (2006).
Nützel, J., & Beyer, A. (2006). How to increase
An authenticated key agreement protocol for mobile
the security of digital rights management systems
ad hoc networks. In Mobile Ad-hoc and Sensor
without affecting consumer’s security, In Emerg-
Networks (LNCS 4325).
ing Trends in Information and Communication
Security (LNCS 3995).
Pfeifer, T., Savage, P., Brazil, J., & Downes, B.
kEy tErMs
(2006). VidShare: A management platform for
Diffie-Hellman Key Exchange: Diffie-Hell-
peer-to-peer multimedia asset distribution across
man key exchange is a procedure, which allows
heterogeneous access networks with intellectual
negotiating a secure session key between parties,
property management. In Autonomic Management
who do not have any former information about
of Mobile Multimedia Services (LNCS 4267).
each other. The negotiation messages are in band,
Phillips, T., Karygiannis, T., & Kuhn, R. (2005). but because of the non-polynomial (NP) problem
Security standards for the RFID market. IEEE used in the procedure, adversaries are not able to
Security & Privacy Magazine, 3(6), 85-89. compromise it.
Popescu, B. C., Crispo, B., Tanenbaum, A. S., & Mutual Authentication: Mutual authentica-
Kamperman, F. L. A. J. (2004). A DRM security tion occurs when the communicating parties can
architecture for home networks. In Proceedings of mutually check each others identity, thus reducing
Key Distribution and Management for Mobile Applications
Chapter XII
Architecture and Protocols for
Authentication, Authorization,
and Accounting in the Future
Wireless Communications
Networks
Said Zaghloul
Technical University Carolo-Wilhelmina – Braunschweig, Germany
Admela Jukan
Technical University Carolo-Wilhelmina – Braunschweig, Germany
AbstrAct
The architecture, and protocols for authentication, authorization, and accounting (AAA) are one of the
most important design considerations in third generation (3G)/fourth generation (4G) telecommunica-
tion networks. Many advances have been made to exploit the benefits of the current systems based on
the protocol remote authentication dial in user service (RADIUS)protocol, and the evolution to migrate
into the more secure, robust, and scalable protocol Diameter. Diameter is the protocol of choice for the
IP multimedia subsystem (IMS) architecture, the core technology for the next generation networks. It is
envisioned that Diameter will be widely used in various wired and wireless systems to facilitate robust
and seamless AAA. In this chapter, we provide an overview of the major AAA protocols RADIUS and
Diameter, and we discuss their roles in practical 1xEV-DO network architectures in the three major
network tiers: access, distribution, and core. We conclude the chapter with a short summary of the cur-
rent and future trends related to the Diameter-based AAA systems.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Architecture and Protocols for AAA
Architecture and Protocols for AAA
Acronyms diameter
bts: Base Transceiver Station
rnc: Radio Network Controller A10/A11
An/AAA: Access Network AAA
Pdsn: Packet Data Serving Node Primary PDSN MIP
MIP: Mobile IP
RNC HA
link (FA) tunnel
fA: Foreign Agent
HA: Home Agent A12
diameter
tA An/AAA
fail
tA: Diameter Translation Agent
IMs: IP Multimedia Subsystem
ove
sftP: Secure File Transfer Protocol
sq
ora net 2
r li
sql: Structured Query Language
sftP
l*
cle
nk
Billing users IMs Internet
Internet
bts 1 System IMs
t1 circuits db
bts 3 Multimedia domain (MMd)
bts 2
bts 5
bts 4 tA An/AAA
A12 PDSN
bts 6 RNC HA
(rAdIus) (FA)
1xEv-do radio Access network (rAn)
based on the MN-AAA shared secret and responds of Diameter at all the three major network tiers in
to the PDSN. In case of successful authentication, the wireless network, including access, distribu-
the PDSN proceeds with the MobileIP registration tion, and core. Finally, we summarize the chapter
process with the HA and establishes a MobileIP and discuss open issues and future work.
tunnel to serve the user’s traffic. At this point, the
PDSN starts to generate accounting towards the
AAA server to reflect the subscriber’s usage. Ac- bAckground
counting data is reformatted and is communicated
to the upstream billing systems for further process- the rAdIus Protocol
ing. Here, we assume simple secure FTP (SFTP)
communication. Note that the PDSN also connects AAA systems received significant attention from
to multiple AAA’s for redundancy purposes. In our network service providers throughout the past
illustrative architecture, the PDSN implements the decade. The need for a standardized, simple, and
Diameter MobileIP application and thus needs no scalable protocol that accomplishes the required
translation functionality. AAA functionality was the main motivation for
In this illustrative reference architecture, RA- the introduction of the (RADIUS) protocol (Ri-
DIUS is deployed in the access tier and translation gney, 2000; Rigney Willens, Rubens, & Simpson,
agents were utilized to convert between RADIUS 2000; RFC2866). In 1998, RADIUS was the only
and Diameter, while Diameter applications at protocol that seemed to satisfy the IETF NASREQ
the distribution and network tiers were natively working group’s requirements for authentication
supported. Following this example, we organize and authorization (Rigney, 1998). Due to its wide
the chapter as follows. First, we present the AAA implementation by many networking equipment
concept and quickly survey RADIUS and its cur- vendors, its simplicity and scalability, it became
rent deployment features. Then, we discuss the the protocol of choice for many service providers.
evolution from RADIUS to Diameter and shortly RADIUS was quickly extended to support various
review the current Diameter standard. Afterwards, networking protocols such as MobileIP (Perkins,
we illustrate a prospective end-to-end application 2002), IP security (IPsec) (Kent & Seo, 2005), and
the IEEE 802.1x authentication.
0
Architecture and Protocols for AAA
nAs
Internet PPP
Pstn PPP
Internet
RADIUS Traffic
& Authorization
Authentication
Accounting
sql, ldAP s/ftP, sql
db
users’ database
AAA server billing systems
In RADIUS, after the user is granted access, the granted access, the NAS generates accounting
network access server (NAS) generates accounting messages based on user’s activity (connection time,
messages based on the user’s activity. The NAS is total bytes used, etc).
usually the gateway to the IP network. Routers, The RADIUS message format is shown in Fig-
WiFi access points (APs), PDSNs, and gateway ure 3. It consists of a 20 octet header followed by
general packet radio service (GPRS) support nodes multiple AVPs. AVPs include standardized types
(GGSN) in GPRS networks, are typical examples of and values. For example, the username is passed to
NASs in telecom networks. As shown in Figure 2, the AAA server using the User-Name attribute. To
a user tries to access the Internet through a dialup allow expandability, the AVP type 26 is reserved
modem connection. The PPP protocol is mainly for vendor-specific AVPs (VSAs). Thus, a vendor
used to establish the communication between the requests a Vendor ID from the Internet Assigned
user and the NAS, that is, the router in this example. Numbers Authority (IANA) to be able to define
The NAS attempts to authenticate the user either specific attributes for his equipment. The following
through the password authentication protocol (PAP) are sample vendor ID values: Cisco (9), Nortel (2637),
or the challenge handshake authentication protocol 3GPP (10415), and 3GPP2 (5535). Usually, AAA
(CHAP). Upon obtaining the responses from the implementations include dictionary files that define
client, the NAS generates an Access-Request and the AVP type and the expected values, for example
sends it to the RADIUS server in order to validate refer to Braunöder (2003). RADIUS accounting
the user’s responses. Typically, the RADIUS server is composed of three primary message types: (1)
is connected to an external database that contains the Accounting-Start, (2) Accounting-Interim, and (3)
user’s credentials and authorized services. Thus, the Accounting-Stop. Accounting messages usually
RADIUS server returns an Access-Accept message carry the user’s session information. For example,
if the user credentials are valid, otherwise it returns in CDMA2000-based systems accounting messages
an Access-Reject. The Access-Accept message may may contain the user’s assigned IP address; user’s
contain authorization information. For example, sent and received byte counts; user’s electronic
an Access-Accept message may contain: filters to serial number; calling and called station numbers;
grant the user access to internal networks, specific accounting session ID; BS ID; and so forth, (3GPP2
routing instructions to the NAS, quality of service A.S0008-B, 2006; 3GPP2 X.S0011-005-C, 2006).
(QoS) settings, and so forth. This authorization set Note that the electronic serial number and the BS
is returned as a group of attribute value pairs (AVP) ID attributes are 3GPP2 VSAs augmented to the
in the Access-Accept message.2 Once the user is standard RADIUS AVPs.
Architecture and Protocols for AAA
Code
Code ID
ID Length
Length Authenticator
Authenticator Multiple AVPs
AVPs
rAdIus Header (20 octets)
notes
The authenticator field is a random nonce in the requests while in
the responses it is a MD hash calculated using the shared secret
between the NAS and the AAA server and the random nonce from
the corresponding requests
An Access -Challenge is usually used when multiple round trips are
needed for authentication, for example RADIUS extensions for EAP
Accounting requests are identified by the value of the
Acct -Status --Type attribute (AVP 0) {=Start, =Stop, =Interim}
RADIUS offers reliability over the intrinsically the request to another RADIUS server. Such poli-
unreliable user datagram protocol (UDP)3 by requir- cies are occasionally based on the domain in the
ing a response for each request. If a response is user’s network access identifier (NAI). Standards
not received within a predefined time period (TO), (Aboba & Vollbrecht, 1999) refer to this setup as
the request times out. It is then up to the requestor the proxy-chain configuration. For instance, in a
(RADIUS client) to either retry the same server, roaming scenario the host AAA is usually config-
another RADIUS server, or even drop the request. ured to forward AAA requests from the hosting
The timeout value and the maximum number of NAS to the home AAA. Note that multiple proxies
allowed retransmissions are configurable param- maybe traversed along the path to the home AAA
eters at the client. It is noteworthy to mention that server as shown in Figure 4.
the failover mechanism was not standardized in
RADIUS and often raised interoperability issues Evolution from rAdIus to diameter
due to the inherent differences in the AAA imple-
mentations (Calhoun, Loughney, Guttman, Zorn, Diameter Protocol Overview
& Arkko, 2003).
RADIUS follows a client/server model where As network architectures evolved and with the
clients maybe NASs or other RADIUS servers. tremendous growth in the wireless data infrastruc-
RADIUS clients and servers share a common secret tures, secure inter-domain communication among
to secure their communications. This method is various AAA servers to exchange subscribers’
weak and is only intended to secure communica- credentials, profiles, and accounting informa-
tion within a trusted network.4 Sometimes an AAA tion became an absolute necessity. Despite its
server serves as a RADIUS client/proxy when it is tremendous success, RADIUS inherent security
provisioned with a policy instructing it to forward vulnerabilities, its questionable transport reli-
Architecture and Protocols for AAA
access-request access-request
visited Home
rAdIus Host rAdIus rAdIus
network’s rAdIus
nAs AAA Proxy 1 Proxy 2
AAA server
access-accept access-accept
4-bits
R P E T Reserved
request = Proxiable = Error = Potentially Retransmitted =
Answer = 0 Local Only = 0
v : Vendor Specific
V M P Reserved M : Mandatory
P : Requires End-to-End Security
ability, and its limited redundancy support were by standardized failover and failback (recovery)
the primary reasons for the introduction of the mechanisms.
Diameter protocol (Calhoun et al., 2003) as a sub- Diameter RFC reused many of the RADIUS
stitute protocol. Diameter was carefully designed message codes and attributes and extended them.
to address security and reliability while thoroughly Figure 5 shows Diameter’s header format. The
exploiting the benefits of RADIUS. Thus, secure framed fields in Figure 5 are those carried over
transmission mechanisms using a choice of IPsec from RADIUS. In contrast to RADIUS, note the
or transport layer security (TLS) protocols were introduction of the Version, Command Flags, Ap-
integrated into Diameter, while reliable transport plication ID, Hop-By-Hop ID, and End-to-End ID
was enhanced by designing Diameter to run over fields in Diameter. Also note the increase in size of
either stream control transmission protocol (SCTP) the message length field (from 2 octets in RADIUS
or transmission control protocol (TCP) supported to 3 in Diameter). Note also that the authenticator
Architecture and Protocols for AAA
field is no longer present as security is guaranteed the request from prior to forwarding it. The reader
by the integrated IPsec and TLS protocols. Com- is encouraged to refer to Calhoun et al. (2003) for
mand codes in Diameter start from 257 to maintain more information on routing AVPs and their usage.
compatibility with RADIUS. Unlike in RADIUS, Finally redirect agents, as their name implies, are
the requests and answers have the same command used to refer clients to alternative AAAs. Redirect
codes in Diameter, for example, the accounting agents may act as proxies or end servers for other
request (ACR) and answer (ACA) commands have requests. For example, an AAA server may handle
the command-code of 271. Diameter nodes can the Diameter base accounting messages while
recognize message types (e.g., whether it is ACA or redirecting requests that require Diameter server
ACR) based on the “R” flag in the command flags support for MobileIP. Figure 6 summarizes the
shown in Figure 5. The “P” flag instructs nodes functionality of Diameter agents and illustrates the
whether a message must be processed locally and message flow in order of transmission. In Figure
should not be forwarded. The “E” flag along with 6a, the relay agent only forwards the Diameter
the result-code AVP is used to indicate errors (and Authentication and Authorization Request (AAR)
possibly redirection as we will see later). Finally, to Provider’s B Diameter server. In Figure 6b, the
the “T” flag is used to indicate a possible duplica- proxy agent has an outbound policy for AAR to
tion in case of retransmissions after a failover. add or override the session Idle-Timeout attribute
Figure 5 also shows Diameter’s AVP structure. to 4,000 seconds and maximum link MTU to 1,300
The most significant addition is the inclusion of bytes. It is also configured with an inbound policy
the flags field. for the Authentication and Authorization Answers
(AAA) to remove any instructions for compression.
Diameter Agents Figure 6c shows the translation agent’s role. Note
that a translation agent may at the same time act
To facilitate migration from the current RADIUS as a proxy, that is, add, modify, or remove AVPs
infrastructure, Diameter offers indirect backward while converting between RADIUS and Diameter.
compatibility by introducing translation agents to Finally, as shown in Figure 6d, the Diameter client
convert RADIUS messages into Diameter mes- issues an AAR towards the redirect agent. Once
sages and vice versa. Besides the main incentive received, the redirect agent sends back an AAA
of reusing as much of the RADIUS codes and with the “E” flag set with the result-code AVP
attributes as possible for simpler migration, such set to DIAMETER_REDIRECT_INDICATION
reuse is also beneficial in reducing the amount of instructing the Diameter client to contact dest.com
processing on the translation agents. Diameter by using the Redirect-Host AVP. A redirect agent
supports a broader definition of scalability to suite may also provide indication on the usage of the
roaming scenarios by including relay and redirect redirect instruction, that is, whether its response
agents while still maintaining the RADIUS proxy is meant for all realms or simply restricted for the
agent model, therefore allowing the deployment of request’s realm, whether the redirection policy
different architectures. should be cached at the requestor (Client), and for
A proxy agent is used to forward Diameter traf- how long, and so forth.
fic to another Diameter peer in order to handle the
request. The decision to forward requests is policy Server Initiated Messages in Diameter
based as in RADIUS. Proxy agents may modify
packets and may originate rejection messages in Unlike RADIUS, Diameter is a peer-to-peer pro-
case of policy violation, for example, in case of tocol where any Diameter node may act as a client
receiving requests from unknown realms. On the or server at any time. Peers are simply the next hop
other hand, relay agents only forward requests with- nodes that a Diameter node communicates with.
out modifying any of the non-routing attributes. A significant improvement over RADIUS is that
Relays and proxies are required to append the route- Diameter has mandatory support of server-initiated
record AVP with the identity of the peer it received messages to allow operations like re-authentication
Architecture and Protocols for AAA
4 AAA 3 AAA
4 AAA 3 AAA
Add/override (AAr)
Idle-Timeout = 000
no change to any non-routing attributes Framed-MTU = 00
remove (AAA)
Framed-Compression
AcronyMs the proxy modifies diameter messages
Diameter by introducing the concept of Diameter the Diameter credit control application but
applications. does not depend on it. Moreover, Diameter
It is important to understand that RFC 3588 SIP allows locating SIP servers when a SIP
defines the minimum prerequisites for a Diameter agent requests routing information. Finally,
node implementation and maybe used by itself it provides a mechanism for pushing updated
only for accounting. In case of authentication and user profiles to the serving SIP server in case
authorization, a Diameter node must implement a the profile is (administratively) updated.
specific application. The most common applications
are Diameter NAS (Calhoun, Zorn, Spence, & Mit- Finally, it is extremely important to understand
ton, 2005) and MobileIPv4 (Calhoun, Johansson, that Diameter applications need to be defined only
Perkins, Hiller, & McCann, 2005). The Diameter when none of the existing Diameter applications
NAS application defines NAS-related requirements can support the required message flow without
where PPP-based authentication/authorization is major modifications. Such major changes include
needed. Diameter MobileIPv4 application defines adding new mandatory AVPs, commands requiring
AAA functionality in scenarios where users roam different message flows from any of the currently
into foreign provider networks. The concept of defined applications, or requiring support for new
Diameter applications was employed in many authentication methods with new AVPs (Fajardo
areas, and the following is a summary of three & Ohba, 2006).
major Diameter applications,
Protocol Mechanisms
• Diameter credit control application (Hakala,
Mattila, Koskinen, Stura, & Loughney, 2005) Diameter Peer Discovery
is proposed to handle online billing for prepaid
solutions. Prepaid billing implies real-time Diameter offers three primary means to discover
rating for the requested service, user’s bal- Diameter peers: static, Service Location Protocol
ance validation, and service suspension once Version 2 (SLPv2) queries, and domain name sys-
the user’s account is exhausted. Debiting and tem. Thus, a peer table entry is created after peer
crediting are also supported for some appli- discovery is executed. Note that peer discovery
cations such as gaming. Note that Diameter maybe triggered upon the reception of a CER. In
accounting defined in Calhoun et al. (2003) some cases, policies may allow establishing con-
is mostly suitable for postpaid services where nections with unknown peers. In this case, the
off-line processing of accounting records is peer table entry is built from the peer’s identity in
performed. the CER and expires as soon as the connection is
• Diameter EAP (Eronen, Hiller, & Zorn, 2005) closed. In most of the cases, peer table entries for
is used to support end-to-end authentication in known peers are created along with their advertised
dial-up, 802.1x, 802.11i, and in IPsec IKEv2. applications. Thus, only requests for advertised
It eliminates the possibility of man-in-the- applications are forwarded to these peers.
middle attacks if node is compromised within
a proxy chain. Diameter Policies
• The Diameter Session Initiation Protocol (SIP)
application (Garcia-Martin, Belinchon, Pal- Routing tables provide guidance to the Diameter
lares-Lopez, Canales-Valenzuela, & Tammi, node on how to process a received request. Figure
2006) supports HTTP digest authentication 7 illustrates an example realm routing table for
(RFC2617) mandated by SIP (Rosenberg et Relay/Proxy Agent. Note that a policy includes
al., 2002) to allow SIP user agents and proxies a realm, an application identifier, and an action.
to authenticate and authorize user’s requests When forwarding is needed, the next hop server
to access certain resources. This application is given and whether the route entry was statically
does not depend on the Diameter NAS nor or dynamically discovered (through a redirect,
MobileIPv4 applications, where as it supports for example), along with its expiration time. The
Architecture and Protocols for AAA
RealmName=myMIPdomain.com, ApplicationID=MobileIPv4,
Action=REDIRECT, Next-Hop=ServerMIP.com,
Dynamic:ExpirationTime=900
RealmName=myMIPdomain.com, ApplicationID=DiameterNAS,
Action=PROXY, Next-Hop=ServerACT.com, Static, Proxy_Policy =
{outbound[Idle-Timeout=400],inbound[remove framed-compression]}
default policy in case no route is available is to a primary server and multiple secondary servers
return an error message with the DIAMETER_UN- for redundancy. When a communication problem
ABLE_TO_DELIVER result code. is detected, a secondary server is promoted to
primary and the primary is suspended. Notice that
Diameter Request Routing this is important to guarantee consistent failover
for all requests.
Diameter request routing refers to the process The link is considered responsive as long as
needed when originating, sending, and receiving acknowledgements arrive. If the link is idle for
requests. When originating a request, the Diameter “tw” seconds then a device watchdog request
node sets the Application-ID, the Origin-Host and (DWR) is sent. If no device watchdog answer
Origin-Realm AVPs along with the Destination- (DWA) arrives in “tw” seconds, the primary is
Host and/or realm. When receiving a message, the suspended, the secondary server is promoted,
node checks the route-record AVP to make sure that and all subsequent communication is sent to the
there are no routing loops.6 It also checks whether promoted server. Note that outstanding messages
it is the ultimate destination of the message. If maybe sent on the failover link and in this case the
not, the node acts as an agent and according to its “T” flag is set in each message to indicate (to the
policy it relays, proxies, or redirects the message. end server) that such messages maybe duplicates.
Each forwarded (i.e., proxied7 or relayed) message If another “tw” seconds pass without receiving
is updated with a locally generated hop-by-hop the DWA on the suspended primary link, then
identifier. This field is used to match requests the transport connection is closed. The connec-
and answers. Answers are routed opposite to tion may be retried periodically, but for reopened
how requests are routed and using the hop-by- connections, a connection validation procedure
hop identifiers the expected answers at each hop must be initiated. In this case, three watch-dog
are recognized. Using the hop-by-hop identifier messages must be answered before failing back to
and the saved sender’s information, the answer the original primary link (Aboba & Wood, 2003;
is forwarded back to the previous node with the Calhoun et al., 2003).
hop-by-hop identifier restored to its original value.
This process ends once a node finds its identity in A Summary of Diameter’s Session
the origin-host. Management and Accounting
Architecture and Protocols for AAA
trigger re-authentication, it needs to maintain the A12 interface (3GPP2 A.S0008-B, 2006). The AN-
session state. This implies that session management AAA returns the subscriber’s International Mobile
is application specific. For example, a Diameter Subscriber Identity (IMSI) in the Callback-ID AVP
accounting server maybe configured to keep to the RNC in the RADIUS access-accept mes-
track of accounting messages such that it is able sage. Note that since the 1xEV-DO standard does
to eliminate duplicates and fraudulent messages not support Diameter yet, operators may utilize
(e.g., a unique Accounting-Start message should Diameter TAs to convert between RADIUS and
not arrive before an Accounting Stop message Diameter queries. The TA maybe collocated with
for an opened session). In cases where the server the AN-AAA as shown in Figure 1. Note that RNCs
is stateful, a Diameter client must always send a maybe configured to failover to another AN-AAA
session-termination-request (STR) to the server for redundancy. Here, the reader should be aware
so that the server frees its allocated resources for that such failover is RADIUS based and is not based
the session. on the Diameter failover mechanisms.
RFC3588 (Calhoun et al., 2003) and RFC4005
(Calhoun, Zorn, et al., 2005) outline the accounting At the distribution layer:
process. Similar to RADIUS, Diameter accounting diameter MobileIPv4
requests (ACR) are sent and answers (ACA) are
received from servers. A new accounting type, The PDSN is considered the first IP gateway in
Event record, has been introduced to be used for 1xEV-DO networks. In MobileIPv4 architectures,
short connections where accounting Start and Stop MNs are expected to move from one PDSN region
records may arrive during very short time periods into another resulting in MobileIP handovers (HO).
(e.g., for push-to-talk services). Accounting Event The HA represents the home network to which the
records are also used to indicate accounting prob- MN’s IP address (Home Address) belongs. Here,
lems. For long connections (e.g., VoIP conferenc- we assume that the PDSN/FA and the HA natively
ing and file downloads), Start, Interim, and Stop support the Diameter MobileIPv4 application (i.e.,
records are used. It is noteworthy to state that in no translation is involved). When the MN moves
case of reauthorization, an accounting Interim may into a foreign network, it attaches through a FA that
be sent to summarize the pervious state. In case tunnels its traffic back to its home agent enabling it
connection details are modified considerably, an to maintain its IP address while moving (Perkins,
accounting Stop followed by an accounting Start 2002; Perkins & Calhoun, 2005).
message are sent. The later is case is widely used In 1xEV-DO architectures, the PDSN normally
in practice. plays the FA role (as well as the NAS role for
Diameter) and tunnels the MN’s traffic to its HA.
The MN establishes a PPP tunnel to the PDSN
dIAMEtEr-bAsEd ArcHItEcturEs and broadcasts a registration request (RRQ).
Upon receiving the RRQ, the PDSN forwards it
As we have seen in the introduction section, there towards the AAA for authentication in a Diameter
are three network tiers: access, distribution, and AA-mobile-node-request (AMR) which includes:
core (see Figure 1). In this section, we analyze a Session-ID, MN Home Address, Home Agent
selected Diameter application in each tier. identity, and MN NAI (Calhoun, Johansson, et
al., 2005). Note that such authentication is needed
At the Access layer: 1xEv-do with a as the RAN may be operated by a different entity
translation agent from the Internet Service Provider (ISP) who owns
the PDSN, HA, and so forth. Thus, upon receiving
Figure 1 shows a simplified 1xEV-DO network the Diameter AA-mobile-node-answer (AMA)
where radio network controllers (RNCs) authen- from the AAA server, the PDSN/FA establishes
ticate the mobile call through the RADIUS based a MobileIP tunnel with the HA to serve the MN’s
Architecture and Protocols for AAA
traffic and starts sending accounting requests to HA extracts the MN-HA session key and reformats
the AAA server. the nonces generated by the HAAA according to
We know when a mobile node roams into a for- the MobileIP standard and encapsulates them in
eign network, the foreign network’s AAA usually the home-agent-MIP-answer (HAA) (Steps 5, 6).
acts as a proxy and forwards the Diameter requests The HAAA then creates an AMA which includes
pertaining to the roaming mobile node to its home the MN-FA session key as well as the reformatted
AAA (HAAA) server. Foreign mobile nodes are nonces from the HAA and forwards it towards the
simply recognized by the domains in their NAIs. PDSN. The PDSN eventually extracts the session
In these cases, the mobile node needs to establish key and sends a registration reply towards the MN
security associations with HA and/or FA. The (Steps 7-9). The mobile node derives the session
HAAA is an attractive element to assist a key keys using the provided nonces and the MN-AAA
distribution mechanism. The Diameter MobileIPv4 shared key. Afterwards, the PDSN generates ac-
application focuses on the role of the AAA as the counting requests (ACRs) reflecting the user’s
key distribution element. As shown in Figure 8, activity (Steps 10-13). The HAAA may be further
the MN-AAA shared secret8 is used to generate used to maintain session information such that the
the MN-HA and MN-FA secrets. The FA adver- same session-ID is used after handovers (Calhoun,
tises itself and includes a random challenge and Johansson, et al., 2005).
the mobile node replies to the challenge using its
MN-AAA shared secret and formulates a registra- At the core: IP Multimedia
tion request (Steps 1, 2). The registration request subsystem (IMs) Interfaces
triggers an AMR at the PDSN to be eventually
forwarded to the HAAA (Steps 3, 4). The HAAA In the last few years, convergent networking
validates the request and derives the session keys architectures were widely discussed. The IMS
based on a combination of nonces and the MN- was proposed as a radio access agnostic core
AAA shared secret, then forwards the keys in a infrastructure that allows heterogeneous radio
home-agent-MIP-request (HAR) to the HA. The networks (e.g., WiMAX, 1xEV-DO, UMTS, WiFi)
registration
2
Mobile request & Mn-AAA Pdsn Mobile IP Home
node registration tunnel Agent
fA
reply (HA)
Including:
Mn-fA nonce 9
Mn-HA nonce
AMr
10 session- HAr
Id=1234
8 13 fA challenge
Mn-HA-key
6
Mn Answer
Acr
HAA
AcA
AMA 3 5 MIP-reg-reply
4 AMr
Home diameter
visited network 11 Acr
AAA with
diameter AAA AcA 12
AMA
MobileIPv4
Mn-fA key
7
MIP-reg-reply
Architecture and Protocols for AAA
to communicate. As such, IMS offers unified processing and may perform various functions in
services and enables seamless connectivity to the security, compression, and policy enforcement
application servers (AS). In this section, we outline over the SIP messages. The Interrogating CSCF
the role of Diameter in an IMS-based network. In (I-CSCF) is used to facilitate the communication
IMS-based architectures users are granted a private among different operators. Operators have the
identifier like (nai@operatorA.com) and multiple I-CSCF addresses listed in their DNS servers to
public identifiers (e.g., john.smith@corporate.com, allow their I-CSCF to communicate with their
smith_family@home.com), offering users the peer I-CSCF in the other operator’s networks. The
capability of sharing business and personal con- I-CSCF normally proxies all SIP messages to the
tact information, for instance. The users’ profiles user’s Serving CSCF (S-CSCF). The S-CSCF is
are stored in the Home Subscriber Server (HSS). the element that inspects all user’s requests and
Note that the HSS here plays an authentication confirms that they abide by access rights specified
and authorization role (AA) and this immediately for that user. It also acts as a SIP router where it
implies the use of Diameter interfaces. determines whether the SIP message needs to be
Let us assume that user 1 roams into provider sent to one or more ASs before granting service
Y’s network and wishes to access a game service (Camarillo & García-Martín, 2004). Note that
located in his/her home network. For that, user 1 first CSCFs communicate over the SIP-based Mw in-
needs to register with the home network through terface and that only I-CSCFs and S-CSCFs com-
operator Y’s infrastructure. As shown in Figure 9, municate with the HSS over the Cx interface (see
the first point of entry to the IMS network is the Table 1 for the Cx Diameter commands). The Cx
so-called Proxy Call Session Control Function (P- interface enables the S-CSCF to download users’
CSCF). The P-CSCF is responsible for SIP message profiles from the HSS.
Hss1 11/sh Af
Hssn rf
12/Isc
rf
ccf
note that neither the slf 16/cx
nor the dx interface are s-cscf
clearly mentioned in the dx
3gPP2 IMs standards slf*
rf
Mw
dx
I-cscf
Mw
Acronyms
HA P-cscf IMs: IP Multimedia Subsystem
Af: Application Function
slf: Subscription Locator Function
ccf: Charging Collection Function
Hss: Home Subscriber Server
visited network (operator y) HA: Home Agent
P-cscf: Proxy-Call/Session Control Function
I-cscf: Interrogating-Call/Session Control Function
s-cscf: Serving-Call/Session Control Function
0
Architecture and Protocols for AAA
The Dx interface, shown in Figure 9, is essen- In Figure 10, we utilize a subset of the Cx inter-
tially the same as the Cx interface. When an I-CSCF face commands to illustrate the IMS registration
wishes to locate the appropriate HSS that holds the process for a roaming user. Once IP connectivity
user’s profile (in order to contact the right S-CSCF is established through the MobileIP procedures,
for the user’s request), it communicates with the the MN commonly referred to as the user agent
subscription location function (SLF). The SLF is (UA) in IMS initiates a registration request towards
simply a Diameter redirect agent, which refers the the P-CSCF. The P-CSCF recognizes that the user
I-CSCF to the right HSS. Although this interface belongs to operator X, performs a DNS lookup for
is not clearly mentioned in (3GPP2 X.S0013-000- Operator X’s I-CSCF, and forwards the request
A, 2005), it can be simply viewed as a Diameter to the I-CSCF (Steps 1, 2). When the correspond-
redirect for a Cx request. ing I-CSCF receives the registration request, it
The Sh interface between the HSS and the AS contacts the HSS over Diameter using the UAR
servers facilitates retrieving the application specific command. Since, the REGISTER request usually
user’s data, updating it, and receiving notifications carries both the user’s public and private identi-
when it is changed on the HSS. S-CSCF and AF ties, the HSS validates that a roaming agreement
may generate accounting records and in this case exists with Operator Y and that the requestor is
such accounting records are sent over the Diameter- a valid user and returns a UAA to the I-CSCF
based Rf interface towards the charging collection (Steps 3, 4). The I-CSCF uses the information in
function (CCF). The CCF may reformat the billing the UAA to locate an S-CSCF and forwards the
records in the charging data record (CDR) format for registration request to it (Step 5). Upon receiving
further processing in the upstream billing system. the request, the S-CSCF issues a MAR towards the
It is noteworthy to mention that 3GPP2 X.S0013- HSS to obtain appropriate authentication vectors
000-A (2005) includes a 3GPP2 assigned interface to authenticate the user. The S-CSCF formats the
name or number of each interface, for example, response into a SIP response (401 Unauthorized)
16/Cx, along with the original IMS interface names. that carries a challenge (Steps 6, 7). Once the
However, the use of interface numbering seems to UA receives the response including a challenge
be inconsistent in 3GPP2 standards as in most of (Step 10), it immediately responds with another
the cases original names are only used (e.g., Cx registration message carrying a response for the
not 16/Cx).
Architecture and Protocols for AAA
3 uAr
uAA 4
rEgIstEr 5
MAr 6
7 MAA
401 unAutHorIzEd / 8
challenge
401 unAutHorIzEd 9
401 unAutHorIzEd / challenge
/ challenge
10
11 rEgIstEr
/ response 12 rEgIstEr
/ response
13 uAr
uAA 14
15 rEgIstEr / response
sAr 16
17 sAA
200 ok 18
200 ok 19
200 ok 20
supplied challenge (Step 12). Note that the I-CSCF short IMS registration walkthrough as well as from
may perform another UAR to obtain the assigned the previous sections, Diameter is envisioned to be
S-CSCF (Steps 13, 14) either because it is stateless one of the fundamental protocols used in the future
or it is another I-CSCF selected due to DNS load 3G/4G telecommunication infrastructures.
balancing. When S-CSCF receives the second
registration request, it validates the user’s response
(Step 15) and if successful, it issues SAR to HSS IssuEs And futurE trEnds
requesting its assignment for the user’s session and
requesting the user’s profile. The HSS assigns the Many standardization and research efforts are un-
S-CSCF for the user’s session and sends the user’s derway to upgrade and enhance the current AAA
profile back to it (step 16, 17). At this point (step architectures to exploit the security and the scal-
18), the S-CSCF issues a SIP 200 OK message to ability benefits of Diameter in the areas of session
the UA and once received (Step 20), the registra- management, mobility support, distributed online
tion process is complete. and off-line accounting, and QoS assurance for user
For registered users, when the I-CSCF receives services over heterogeneous wireless networks.
a SIP INVITE request, it queries the HSS for the For instance, Eyermann, Racz, Stiller, Schaefer,
assigned S-CSCF using the LIR command. If the and Walter (2006) discuss possible enhancements
user’s profile is updated, the HSS informs the to maintain consistent accounting reporting in
serving S-CSCF of this change by sending a PPR. heterogeneous multi-operator environments by
The HSS may terminate the user’s session by issu- introducing a new Diameter accounting applica-
ing a RTR message towards the S-CSCF (3GPP2 tion including new commands and AVPs to allow
X.S0013-005-A, 2005). As we can see from this sharing session context information. Moreover,
Architecture and Protocols for AAA
efforts to attain seamless translation between choice for the IMS architecture, but it also plays
RADIUS and Diameter are ongoing especially an increasingly important role in the three major
in the areas of matching requirements between network tiers, that is, access, distribution, and
RADIUS and Diameter and in the translation of core. We demonstrated the role of Diameter in
VSAs (Mitton, 2006). each tier by means of sample call flows in practical
As the future telecommunication networks are 1xEV-DO network architectures. We concluded
expected to be based on IPv6, Diameter implemen- the chapter with a short summary of the current
tations over IPv6 were tested and some issues were and future trends related to the Diameter-based
identified (Lopez, Perez, & Skarmeta, 2005). The AAA systems.
tests were conducted based on the Open Diameter10
implementation. Integrating Diameter with Mo-
bileIPv6 is also an active area in both IETF and rEfErEncEs
research. For example 3GPP2 X.P0047-0 (2006)
discusses possible enhancements for MobileIPv6 3rd Generation Partnership Project 2 (3GPP2)
to exploit the security features of the Diameter X.S0013-000-A. (2005). All-IP core network multi-
applications for MobileIPv6 tunnel setup. It also media domain—Overview (Ver. 1) (3GPP2: TSG X
proposes enhancing MobileIPv6 by using Diameter Series). Retrieved from http://www.3gpp2.com/Pub-
for dynamic selection of home agents.11 lic_html/specs/X.S0013-000-A_v1.0_051103.pdf
Finally, continuous efforts are being made to
establish a standardized framework for end-to-end 3rd Generation Partnership Project 2 (3GPP2)
QoS for services starting from the calling user at X.S0013-005-A. (2005). All-IP core network
the RAN and ending at the called party whether multimedia domain—IP multimedia subsystem
it is located on the Internet or on another cellular Cx interface signaling flows and message con-
network. 3GPP2 addresses such architectures in tents (Ver. 1) (3GPP2: TSG X Series). Retrieved
the service based bearer control draft document from http://www.3gpp2.com/Public_html/specs/
(3GPP2 X.S0013-012-0, 2006). It is noteworthy X.S0013-005-A_v1.0_051103.pdf
to mention that Diameter is quickly being consid- 3rd Generation Partnership Project 2 (3GPP2)
ered to support many services. For instance Kim A.S0008-B v1.0. (2006). Interoperability specifica-
and Afifi (2003) discuss the integration of GSM tion (IOS) for high rate packet data (HRPD) radio
SIM-based authentication with the AAA over access network interfaces with session control in
Diameter-EAP application. Moreover, 3GPP2 has the access network (3GPP2: TSG A Series). Re-
adopted Diameter architectures to support simple trieved from http://www.3gpp2.org/Public_html/
and multimedia messaging services (SMS and specs/A.S0008-B_v1.0_061019.pdf
MMS) in (3GPP2 X.S0016-101-0, 2006).
3rd Generation Partnership Project 2 (3GPP2).
X.P0047-0 v1.0. (2006). Mobile IPv6 enhancement.
suMMAry (3GPP2:Draft). Retrieved from http://www.3gpp2.
org/Public_html/Misc/X.P0047-0v0.5_VV_Due_
In this chapter we presented and discussed archi- 08_January-2007.pdf
tecture and protocols for AAA as one of the most 3rd Generation Partnership Project 2 (3GPP2)
important design considerations in 3G/4G telecom- X.S0011-005-C. (2006). cdma2000 wireless IP
munication networks. While many advances have network standard; Accounting services and 3GPP2
been made to exploit the benefits of the current RADIUS VSAs (3GPP2: TSG X Series). Retrieved
systems based on the RADIUS protocol, we il- from http://www.3gpp2.org/public_html/specs/
lustrated its inherent security vulnerabilities. We X.S0011-005-C_v3.0_061030.pdf
then surveyed the details of the Diameter proto-
col and some of its applications. We showed that 3rd Generation Partnership Project 2 (3GPP2)
the Diameter protocol is not only the protocol of X.S0013-012-0. (2006). All-IP core network
Architecture and Protocols for AAA
multimedia domain—Service based bearer con- Camarillo, G., & García-Martín, M. (2004). The
trol—Stage 2 (3GPP2:Draft). Retrieved from http:// 3G IP multimedia subsystem (IMS): Merging the
www.3gpp2.org/Public_html/Misc/X.P0013- Internet and the cellular worlds. John Wiley &
012_SBBC_Stage-2_VV_Due_11_Sept-2006.pdf Sons.
3rd Generation Partnership Project 2 (3GPP2) Eronen, P., Hiller, T., & Zorn, G. (2005). Diameter
X.S0016-101-0. (2006). Multimedia messaging ser- extensible authentication protocol (EAP) applica-
vice; MM10 interface based on diameter protocol tion (RFC 4072). Retrieved from http://www.ietf.
(3GPP2:Draft). Retrieved from http://www.3gpp2. org/rfc/rfc4072.txt
org/Public_html/SC/X.S0016-101-0_v1.0_060124.
Eyermann, F., Racz, P., Stiller, B., Schaefer, C.,
pdf
& Walter, T. (2006). Diameter-based accounting
Aboba, B. (2005). Re: End-to-end security in management for wireless services. In IEEE Wire-
RFC 3588. IETF Mail Archive, Message#01185. less Communications and Networking Conference
Retrieved from http://www1.ietf.org/mail-archive/ (WCNC’06) (Vol. 4, pp. 2305-2311).
web/aaa/current/msg01185.html
Fajardo, V., & Ohba, Y. (2006). Diameter base
Aboba, B., & Vollbrecht, J. (1999). Proxy chain- protocol details. In The 67th IETF meeting. San
ing and policy implementation in roaming (RFC Diego, CA. Retrieved from http://www3.ietf.org/
2607). Retrieved from http://www.ietf.org/rfc/ proceedings/06nov/slides/dime-3/dime-3.ppt
rfc2607.txt
Garcia-Martin, M., Ed., Belinchon, M., Pallares-
Aboba, B., & Wood, J. (2003). Authentication, Lopez, M., Canales-Valenzuela, C., & Tammi,
authorization and accounting (AAA) transport K. (2006). Diameter session initiation protocol
profile (RFC 3539). Retrieved from http://www. (SIP) application (RFC:4740). Retrieved from
ietf.org/rfc/rfc3539.txt http://www.ietf.org/rfc/rfc4740.txt
Braunöder, M. (2003). Plug and phone software. Hakala, H., Mattila, L., Koskinen, J.-P., Stura, M.,
Retrieved from http://samuel.labs.nic.at/at43/dic- & Loughney, J. (2005). Diameter credit-control ap-
tionary plication (RFC 4006). Retrieved from http://www.
ietf.org/rfc/rfc4006.txt
Calhoun, P., Bulley, W., & Farrell, S. (2002).
Diameter CMS security application. IETF: Kent, S., & Seo, K. (2005). Security architecture
DRAFT. Retrieved from http://www3.ietf.org/ for the Internet protocol (RFC 4301). Retrieved
proceedings/02mar/I-D/draft-ietf-aaa-diameter- from http://www.ietf.org/rfc/rfc4301.txt
cms-sec-04.txt
Kim, H., & Afifi, H. (2003). Improving mobile
Calhoun, P., Johansson, T., Perkins, C., Hiller, T., authentication with new AAA protocols. In IEEE
& McCann, P. (2005). Diameter mobile IPv4 ap- International Conference on Communications
plication (RFC 4004). Retrieved from http://www. (ICC ’03) (Vol. 1, pp. 497-501).
ietf.org/rfc/rfc4004.txt
Lopez, M., Perez, G., & Skarmeta, A. (2005). Im-
Calhoun, P., Loughney, J., Guttman, E., Zorn, plementing RADIUS and diameter AAA systems
G., & Arkko, J. (2003). Diameter base protocol in IPv6-based scenarios. In IEEE Proceedings of
(RFC 3588). Retrieved from http://www.ietf.org/ the 19th International Conference on Advanced
rfc/rfc3588.txt Networking and Applications (AINA’05) (Vol. 2,
pp. 851-855).
Calhoun, P., Zorn, G., Spence, D., & Mitton, D.
(2005). Diameter network access server applica- Mitton, D. (2006). Diameter/RADIUS vendor
tion (RFC 4005). Retrieved from http://www.ietf. specific AVP translation. IETF:DRAFT. Retrieved
org/rfc/rfc4005.txt from http://internet-drafts.osmirror.nl/draft-mit-
ton-diameter-radius-vsas-01.txt
Architecture and Protocols for AAA
Perkins, C. (2002). IP mobility support for IPv4 Remote Access Dial In User Service (RA-
(RFC 3344). Retrieved from http://www.ietf.org/ DIUS): RADIUS is an AAA protocol defined in
rfc/rfc3344.txt RFCs 2865 and 2866.
Perkins, C., & Calhoun, P. (2005). Authentication,
authorization, and accounting (AAA) registration
keys for mobile IP (RFC 3957). Retrieved from EndnotEs
http://www.ietf.org/rfc/rfc4301.txt 1
MMD is defined in all-IP core network
Rigney, C. (1998). 2.4.10 Remote authentication dial- standards (TSG X series) found at http://
in user service (radius). Snapshot of the 41st IETF www.3gpp2.org/.
meeting. In Proceedings of the IETF March 1998. 2
Notice that the authentication and the au-
Retrieved from http://www3.ietf.org/proceedings/ thorization operations are not separated in
98mar/98mar-edited-79.htm RADIUS. In other words, to obtain a user’s
authorization set, user must be successfully
Rigney, C. (2000). RADIUS accounting (RFC 2866).
authenticated.
Retrieved from http://www.ietf.org/rfc/rfc2865.txt 3
UDP ports 1812 and 1813 are the standard ports
Rigney, C., Willats, W., & Calhoun, P. (2000). assigned for authentication and accounting
RADIUS extensions (RFC 2869). Retrieved from respectively.
http://www.ietf.org/rfc/rfc2869.txt 4
Inter-domain AAA traffic crossing untrusted
networks such as in roaming scenarios is usu-
Rigney, C., Willens, S., Rubens, A., & Simpson, W.
ally secured by dedicated VPNs.
(2000). Remote authentication dial in user service 5
According to (Aboba, 2005, message 01185)
(RADIUS) (RFC 2865). Retrieved from http://www.
end-to-end security through Diameter CMS
ietf.org/rfc/rfc2865.txt
(Calhoun, 2002) mentioned in the standard
Rosenberg, J., Schulzrinne, H., Camarillo, G., John- (Calhoun, 2003, RFC 3588) has been aban-
ston, A., Peterson, J., Sparks, R., et al. (2002). SIP: doned and resolved by the introduction of the
Session initiation protocol (RFC 3261). Retrieved Diameter EAP application defined in (Eronen,
from http://www.ietf.org/rfc/rfc3261.txt 2005, RFC4702).
6
If a loop exists, the message is rejected with
Wikipedia. (n.d.). RADIUS. Retrieved from http:// a DIAMETER_LOOP_DETECTED error
en.wikipedia.org/wiki/RADIUS message
7
More complex procedures may apply in case
kEy tErMs of translation.
8
Loosely speaking the user’s password
9
Diameter: Diameter is a new AAA protocol These commands are based on the Diameter
presented in RFC 3588 to replace RADIUS. Cx Application (Application-ID = 16777216),
more details can be found in (3GPP2 X.S0013-
IP Multimedia Subsystem (IMS): IP multi- 005-A, 2005; 3GPP2 X.S0013-006-A,
media subsystem is an access agnostic architecture 2005).
proposed as a core technology for the next genera- 10
The Open Diameter project, located at [http://
tion services. www.opendiameter.org/], offers open source
C++ implementation of the Diameter base
One Carrier Evolution Data Only (1xEV-
protocol.
DO): 1xEV-DO is a CDMA2000 based cellular 11
Dynamic Home Agent (DHA) selection is
access technology proposed to support high rate
a method used to dynamically select home
data services.
agent based on the geographic location of the
user such that the network backhaul delay is
minimized.
Chapter XIII
Authentication, Authorisation,
and Access Control in
Mobile Systems
Josef Noll
University Graduate Center – UniK, Norway
György Kálmán
University Graduate Center – UniK, Norway
AbstrAct
Converging networks and mobility raise new challenges towards the existing authentication, authorisa-
tion, and accounting (AAA) systems. Focus of the research is towards integrated solutions for seamless
service access of mobile users. Interworking issues between mobile and wireless networks are the basis
for detailed research on handover delay, multi-device roaming, mobile networks, security, ease-of-use,
and anonymity of the user. This chapter provides an overview over the state of the art in authentication
for mobile systems and suggests extending AAA mechanisms to home and community networks, taking
into account security and privacy of the users.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Authentication, Authorisation, and Access Control in Mobile Systems
players demonstrate early examples, research in family. Development efforts of the Internet and
the AAA area focuses on providing a backplane telecommunication world were united on EAP.
for the upcoming ubiquitous services run over This protocol family has the potential for becoming
converged networks. the future common platform for user authentica-
tion over converged networks. EAP is a universal
authentication framework standardised by IETF,
bAckground which includes the authentication and key agree-
ment (AKA) and Subscriber Identity Module (SIM)
The AAA methods employed in current networks methods. EAP-AKA is the standard authentication
were developed for a single type of network, result- method of UMTS networks.
ing in two different systems, one for telecommu- Beside the fundamental differences of com-
nication services and one for computer networks. munication and computer networks, mobility is
This chapter addresses AAA in global system for the key issue for both. Network services should
mobil communications (GSM) and UMTS and not only be accessible from mobile terminals, but
computer network solutions based on Internet they should be adapted to the quality of service
Engineering Task Force (IETF) standards. (QoS) requirements of a mobile/wireless link. Im-
The computer networks provide a unified AAA provements of AAA methods are of fundamental
access, and research focuses on extending the exist- importance for mobility, providing fast handover,
ing methods to be suitable for telecommunication reliable and secure communications on a user-
services. Extensions for Remote Authentication friendly and privacy protecting basis.
Dial In User Service (RADIUS) and Diameter are
proposed. RADIUS is the current de facto standard subscriber Authentication in current
for remote user authentication. It uses Universal networks
Datagram Protocol (UDP) as transport. Authen-
tication requests are protected by a shared secret In GSM networks, the integrated AAA is used for
between the server and the client, and the client any type of user traffic. The authentication is just
uses hash values calculated from this secret. The one way the user has to authenticate himself/herself
requests are sent in plaintext except for the user towards the network.
password attribute. The Diameter protocol provides To be more precise, the user is authenticated
an upgrade possibility as compared to RADIUS. with a PIN code towards the SIM in the mobile
While enhancing the security through supervised phone, then the device authenticates itself towards
packet transmission using the transmission control the network. Device authentication instead of user
protocol (TCP) and transport layer encryption authentication can hinder the upcoming person-
for reducing man-in-the-middle attacks, it lacks alised services because it is hiding the user behind
backward compatibility. the device. In UMTS, the authentication of the
Both methods have a different background. device is two-way. A device can also check the
The computer networks targeted the person using authenticity of the network with the help of keys
a computer in a fixed network environment, while stored on the SIM.
mobile systems addressed a personal device in a Integration of the mobile authentication with
mobile network. Thus a challenge for telcos is to different external services is not widespread. The
enhance seamless network authentication towards telecom providers have some internal services,
user authentication for service access. Most com- which can authenticate the subscriber based on
panies are also Internet service providers (ISPs), the data coming from the network. Credentials
this would be a natural unification of their AAA could be basically the CallerID, the Temporary
systems. International Mobile Subscriber Identity (TIMSI)
A generic approach is taken by extension of or other data transformed with a hash function. Ac-
the Extensible Authentication Protocol (EAP) cess control and authorisation is more an internal
Authentication, Authorisation, and Access Control in Mobile Systems
Cellular WLAN
Coverage Country-wide Local
Security Strong Depends on setup
Transmission rate Low High
Deployment cost High Low
License fee Very high No need
Construction Difficult Easy
Mobility support High Poor
Authentication, Authorisation, and Access Control in Mobile Systems
the EAP family, especially transport layer security The use of the IEEE 802.1x standard allows
(TLS) and SIM. seamless authentication, since preshared certifi-
Most cellular operators are now providing cates and key negotiation are provided to the cellular
WLAN services using the Universal Access Meth- network, where the user is already authenticated.
od (UAM) for authentication. UAM uses a layer With the use of digital certificates, the system is
3 authentication method, typically a Web browser getting closer to the preferred view of pervasive
to identify the client for access to the WLAN. systems, where the user and the service provid-
This raises the problem of mutual authentication, ers are mutually identified. Since these systems
which has been a problem also in GSM networks. authenticate the user towards several services,
By extending to EAP-SIM it would be possible to privacy is a primary concern. A possible solu-
enable SIM-based authentication in these environ- tion, recommended by Ren, Lou, Kim, and Deng
ments for SIM-enabled devices. (2006) has a secure authentication scheme while
Roaming between access providers is a sec- preserving user privacy.
ond issue. Since data between access points are In pervasive environments a user connected will
carried over an IP backbone, it is natural to use a experience seamless authentication to all services
network-based protocol such as Radius, suggested when connected through a SSO service. Malicious
by Leu et al. (2006). Transport encryption inside tracking of his/her behaviour or eavesdropping of
the backbone is indifferent from normal wired authentication messages can compromise the user
practice, hence out of scope for this chapter. In credentials. The SSO service has to be extremely
a converged network, where users can switch prudent when sending user-related information.
between mobile networks and WLAN services, Keeping a reasonable level of privacy, the system
a common AAA system has to be operational to should deal with questions in location privacy,
ensure correct operation. A unified billing scheme connection anonymity, and confidentiality (Ren
is proposed by Janevski et al. (2006), suggesting to et al., 2006). The recommendations are based on
use 802.1x on the WLAN side as shown on Figure blind signatures and hash chains. Using hash is
2. The mobile networks WLAN connection is sug- highly recommended, since a good hash function
gested through the RADIUS server used also for can provide good foundation for anonymous access
access control in 802.1x. and its resource needs are not too high for the cur-
rent mobile devices, as sometimes blind signatures
Authentication, Authorisation, and Access Control in Mobile Systems
based on Rivest-Shamir-Adleman (RSA) scheme environment. Khara, Mistra, and Saha (2006) sug-
may be. In certain environments, the GSM inte- gest including a new node, called Serving GPRS
grated functions may also be used. Access Router. This entity acts as a gateway for
The user retains full control over authentica- the WLAN traffic to enter the general packet ra-
tion credentials when composing and generating dio services (GPRS) backbone and enable GPRS
authentication tokens like the identities suggested signalling to control WLAN. The new protocol set
by Chowdhury and Noll (2007). Initial service ac- eliminates the need of Signalling System 7 (SS7)
cess can be achieved showing one of these tokens in addition to the IP backbone. Khara et al. claim
after mutual identification between the service and that this solution is superior in terms of speed and
the user. Based on these tokens, no user data can overhead compared to the RADIUS-based methods
be retrieved nor traced back. If all of the initial suggested previously. The main drawback is the
identification steps succeed, the exchange of the need of special dual mode devices with a split IP
required credentials can proceed using a freshly layer, a solution which might not be practical hav-
negotiated session key. ing in mind the basis of 2.5 billion mobile phones
The base of most authentication techniques is available in the market.
a preshared key, delivered to the user device out- For mobile devices limited computational
of-band. Authentication can be done for example resources and battery power require an effective
in mobile phones by inserting a master private key AAA mechanism. Extension of the GPRS/UMTS
on the SIM at the activation of the card (Kálmán network could be potentially more expensive than
& Noll, 2006). deploying RADIUS authentication. Handover de-
A different approach is to extend the current lay caused by terminal mobility is an issue which
mobile network with additional elements to en- might favour GPRS/UMTS protocols.
able network integrated AAA also in an Internet
0
Authentication, Authorisation, and Access Control in Mobile Systems
Authentication, Authorisation, and Access Control in Mobile Systems
revised in order to achieve reasonably fast mobil- was enabled by embedding the BU message into
ity support. The basic challenge is that currently the AAA request message and so optimising the
AAA and MIPv6 are operated independently. This route while authenticating. This solution can solve
means that the terminal has to negotiate with two MIPv6’s basic problem of supporting different
different entities in order to get access to the new administrative domains and enable scalable large
network. scale deployment.
In MobileIPv6, the terminal is allowed to keep Lee, Huh, Kim, and Lee (2006) define a novel
connections to a home agent (HA) and a cor- communication approach to enable communica-
respondent node (CN), even when the terminal tion between the visited AAA servers for a faster
changes point of attachment to that network. The and more efficient authentication mechanism. If a
terminal has two addresses, the home address terminal visits a remote network, the AAA must
(HoA) and the care-of address (CoA). The HoA be done by the remote system. IETF recommends
is fixed, but the CoA is generated by the visited integrating Diameter-based authentication into
network. The mobile IP protocol binds these two the MIPv6 system. But, when the user is using
addresses together. To ensure an optimal rout- services on the remote network, the remote AAA
ing in the network, the terminals switch to route has to keep a connection with the home AAA.
optimalisation mode after joining a new network. The proposed new approach of Lee, Huh, et al.
Then it executes a return routability procedure suggests enabling faster authentication when the
and a binding update (BU) to communicate to the terminal moves between subnets inside a domain
correspondent node directly. The return routabil- by exchanging authentication data between visited
ity procedure consists of several messages, which AAA servers without the need of renegotiation
together induce a long delay. with the HA. Connection to the HA is needed
The handover between networks implies even only after the authentication when the terminal
more steps and consumes more time: movement executes a BU.
detection, address configuration, home BU, return One other aspect is shown by Li, Ye, and Tian
routability procedure, and a BU to the correspon- (2006) suggesting a topology-aware AAA overlay
dent node. The terminal cannot communicate with network. This additional network could help MIPv6
the CN before the end of the procedure. to make more effective decisions and to prepare for
Fast handover capability is a major research handovers and other changes in network configura-
item in IETF for MIPv6, including the standards tion. Based on the AAA servers and connections
FMIPv6 and HMIPv6. In addition to these schemes, between, a logical AAA backbone can be created,
Ryu and Mun (2006) introduce an optimisation in which can serve as administration backbone for the
order to lower the amount of signalling required and whole network. Signals delivered over this network
thus lower the handover delay between domains. are topologically aware, so the optimal route can
In an IPv6 system, the IP mobility and AAA are easily be selected and signalling messages can be
handled by different entities. This architecture transmitted over the best route. In exchange to
implies unnecessary delays. Several solutions are the build cost of this backbone network and some
proposed to enable the mobile terminal to build additional bandwidth consumed, MIPv6’s security
a security association between the mobile node and performance can be enhanced.
and the HA. This enables home BU during the As the route of the service access is secured,
AAA procedure. Route optimisation is a key topic optimised and delay reduced, one basic problem
in efficient mobility service provision. MIPv6 still remains: how to ensure that the user is the
optimises the route with the use of the return one, the network thinks he/she is. Lee, Park, and
routability procedure. In wireless environments, Jun (2006) suggest using smart cards to support
the generated signalling messages represent a con- interdomain roaming. The use of the SIM might
siderable part of the whole overhead. Moving route be preferable because of its widespread use and
optimisation into the AAA procedure can reduce cryptographic capabilities (Kálmán & Noll, 2006).
the delay by nearly 50% (Ryu & Mun, 2006). This The problem of having multiple devices is also
Authentication, Authorisation, and Access Control in Mobile Systems
raised here, since a system based on the SIM as manent subscriber identity and location data, which
smart card will require SIM readers in every de- will only be discoverable by the home register.
vice—if a secure key exchange method between The main drawback of the suggested protocol is
the devices is not in place. its higher computing requirements as compared to
Lee, Park, et al. (2006) suggest an entity called EAP-AKA, potentially limiting the applicability.
roaming coordinator ensuring seamless roaming
services in the converged network. This additional security and computing Power
node provides context management services and
enables seamless movement between the third A security protocol in a wireless environment
generation (3G) network and WLAN to enforce should be fast and secure, and it has to be effec-
security in converged networks. In order to provide tive in terms of computing power and low data
good user experience in a pervasive environment, transfer need. In low power environments an
additional intelligence needs to be added to the authentication scheme with high security and
traditional AAA systems to ensure that the terminal low computing power is advised. One solution is
selects the most appropriate connection method. based on hash functions and smart cards, allow-
This method has to be based on the context and ing minimised network traffic and short message
has to be supported in all networks. A smart-card- rounds used for authentication. Anonymity can
based secure roaming management framework be ensured through one-time passwords. While
enables the transfer of the terminals context with- accepting the advantages of a system with smart
out renegotiating the whole security protocol set. cards, the use of extra hardware like a card reader
When the terminal moves into a new network, the is not advisable, due to compatibility issues and
roaming coordinator, AAA servers, and proxies power requirements.
take charge of the authentication process. The Software-based solutions have an advantage, as
coordinator, having received a roaming request, they only require computing power. Showing the
evaluates the available networks and chooses the importance of power consumption, a comparison
best available one, and then triggers the context of cryptographic protocols is presented by Lee,
transfer between the corresponding AAA servers. Hwang, and Liao (2006) and Potlapally, Ravi,
When transferring whole user contexts, the system Raghunathan, and Jha (2006) showing, that twice
has to consider privacy requirements of the user’s of the transmit energy of one bit is needed to run
identity and his/her profile. asymmetric encryption on that piece of informa-
tion. Symmetric encryption needs, in contrast,
Anonymity and Identity around one half of the transmit energy. Most over-
head is generated by session initialisation, meaning
In pervasive environments, privacy is of key im- longer sessions induce lower overhead. There is
portance. With computers all around, gathering a trade-off between security and session length.
information about traffic, movements, service While negotiation overhead is getting lower with
access, or physical environment, customer privacy long sessions, security risks are getting higher.
must be protected. Køien (in press) suggests a This overhead can be lowered by special hard-
protocol, which is able to provide better protection ware or software solutions. Hardware needs some
for the user’s privacy than the normal 3G network. power and bigger silicon, while software requires a
Changes in the EAP-AKA protocol are suggested faster CPU. Hash functions have an energy require-
to use only random generated user authentication ment of around half a percent compared to PKI in
values. He defines three user contexts implying generating session keys (Potlapally et al., 2006).
different key management and authentication Key exchange protocols using elliptic curve Diffie-
schemes, like existing keys for short-term and Hellman (DH) come out much more energy efficient
fresh keys for medium-term access. Identity-based as compared to the same traditional strength DH.
encryption is recommended to enable a flexible The DH calculations demonstrate the trade-off
binding of the security context to protect the per- between power consumption and security. In order
Authentication, Authorisation, and Access Control in Mobile Systems
to have an efficient operation, the security protocol example Kerberos or RADIUS. A special aspect
needs to have the possibility to adapt encryption to of resource access over the home LAN is that
the needs of the current application. Authentication specific privileges are given to selected programs.
token generation can be problematic for devices The AAA server maintains an access control list
with limited computing capabilities. Personal area to ensure correct privilege distribution.
networks (PAN) with multiple devices raise this To build the initial trust relationships some
problem by their very nature. kind of user interaction is needed. The key should
initially be distributed out-of-band, for example
security in Personal Area and Home on an USB stick, or by using short range wireless
networks technology, Near Field Communication (NFC), for
example (Noll, Lopez Calvet, & Myksvoll, 2006).
Efficient authentication and certificate management On home networks, where power consumption is
ensures better usability of PAN devices. By using not a problem, PKI may be used for negotiating ses-
efficient security protocols, content-adaptive en- sion keys between devices, since key management
cryption, efficient key and certificate management, in a PKI is simpler than in symmetric encryption
considerably longer battery operation is achievable. and the delay caused by checking certificates and
To enable key management in a PAN a personal so forth will not be noticeable in this environment.
certificate authority (CA) entity is suggested (Sur Users authenticated towards the AAA infrastruc-
& Rhee, 2006; Sur, Yang, and Rhee, 2006), which ture can access the resources seamlessly. Initial
will be responsible for generating certificates for authentication is done with PKI. In case of mobile
all mobile devices within the PAN or home device devices, also the home AAA can use previously
domain (Popescu, Crispo, Tanenbaum, & Kam- calculated hash values in chain to lower compu-
perman, 2004). Because of the context of use, the tational cost. These AAA infrastructures can be
authentication protocol is focused on efficiency by connected to a providers AAA, for example to
reducing computational overheads for generating use in digital rights management (DRM) or home
and verifying signatures. service access from a remote network (Popescu
Main focus is on reducing PKI operations, et al., 2004).
which have been proven to be energy consuming. A user moving with his/her devices to the
Instead, it proposes to use hash chains to lower com- home raises another AAA challenge, the mobile
munication and computational costs for checking nodes.
certificates. Former research suggested hash trees
in order to authenticate a large number of one-time Mobile nodes (network Mobility)
signatures. By extending these with fractal-based
traversal, it has been proven that these trees provide Movement of whole networks like PANs or net-
fast signature times with low signature sizes and works deployed on a vehicle, introduce a new
storage requirements. The personal CA has to be level of AAA issues. In a conventional network a
a unique trusted third party in the PAN. It needs standard mobility support does not describe route
to have a screen, a simple input device, and has to optimisation. Several procedures are suggested to
always be available for the members of the network. provide this functionality for mobile nodes, like
A cell phone with the SIM is a perfect candidate to Recursive Binding Update Plus (RBU+), where
be a personal CA (Kálmán & Noll, 2006). route optimisation is operated by MIPv6 instead
In home environments, basically two types of of the network mobility (NEMO) architecture. This
authentication are distinguished: (1) user authenti- means, that every node has to execute its own BU
cation, and (2) device authentication (Jeong, 2006). with the corresponding HAs. To solve problems
Mutual authentication has to be used in order to with pinball routing, it uses the binding cache in
prevent impersonation attacks (identity theft). This the CN. When a new BU message arrives, the
requires an SSO infrastructure, which can be for RBU+ has to execute a recursive search, which
Authentication, Authorisation, and Access Control in Mobile Systems
leads to serious delays with a growing cache size. After these technical issues of authentication
One potential route optimisation is presented by the next chapter will deal with authentication from
Jeong (2006). the user viewpoint.
A designated member of the network, called a
mobile router is elected to deal with mobility tasks customer Ergonomics
to reduce network overhead. The AAA protocol
for this environment defines a handover scheme There is always a trade-off between user security
and tree-based accounting to enable efficient opti- and ease of use. If the system is prompting for a
misation. They recommend using dual BU (DBU) password for every transaction, it can assume with
procedure instead of the existing procedures like quite high probability, that the access is enabled
RBU+ as a solution for the reverse routing problem just for the correct user. But, that is unacceptable
raised by mobility. DBU operates with additional for most of the users in private environments,
information placed into the messages sent in a BU where convenience is more valued than security.
process. This is the CoA of the top level mobile In corporate networks, policies are just enforced
router (TLMR). By monitoring the messages, the and users have to accept it. It would however be
CNs in the subnet can keep optimal route towards problematic if the credentials were only asked once
the TLMR. at start-up or connecting to the network, since
Moving subnets are the subject of eavesdrop- mobile devices are threatened by theft, loss, and
ping and possible leakage of the stored secrets. A other dangers by their nature of use.
secure AAA is proposed for network mobility over Smart cards could be a solution to have a good
wireless links, which deals with these problems trade-off between the usability and security. Since
(Fathi et al., 2006). Secret leakage can be caused the user will have a token, which he/she has to care
by malicious eavesdroppers, viruses, or Trojans. A of, and exchange keys generated by it, at least it
possibility is to store the keys in tamper resistant could be secured that the user who is accessing a
modules, like smart cards, the SIM, or trusted specified service holds the authentication token.
hardware modules. Deploying additional modules The mobile phone with the integrated smart card,
can be problematic and expensive. Fathi et al. pro- the SIM, is a potential tool for this purpose. As
pose a protocol based on a short secret, which can indicated by Leu et al. (2006) the requirement of
be remembered by humans and used in a secure carrying a SIM reader or equipping all the equip-
protocol called Leakage-resilient authenticated ment with SIM cards is neither convenient nor cost
key exchange protocol (LR-AKE). This protocol effective. The possibility of secure key exchange
is used for AAA to reduce NEMO latency under between user equipment shall be provided.
300 ms in order to provide session continuity, for The cell phone can act as a key negotiator,
example in VoIP applications, which is important with its tamper resistant cryptographic functions
in keeping a good user experience. However, short integrated into the SIM and then exchange the
passwords as proposed with LR-AKE are not advis- session keys with other terminals with the use of
able. If complex, they will be noted down by the a short range wireless solution. Currently, most of
user, and if weak, they are easy to guess. the security problems, besides the user behaviour,
As network mobility has considerable security are coming from security holes in the software.
issues, it may be not the way to go. Functionality Having the capability to download new software
of a mobile network might be achieved by using over the air to the phone ensures the use of recent
a dedicated device as a gateway of the PAN. Only updates and eliminates this type of security threat
this device will show up in the wireless network, (Kálmán & Noll, 2006). Compared to a security
and all traffic originating and arriving to the PAN token, it may be better to use the phone, since the
will go through this device and its HA. SIM card can be locked by the provider, so if the
device gets lost, the authentication credentials can
be withdrawn within short time.
Authentication, Authorisation, and Access Control in Mobile Systems
Authentication, Authorisation, and Access Control in Mobile Systems
Fathi, H., Shin, S., Kobara, K., Chakraborty, S. Lee, S.-Y., Huh, E.-N., Kim, Y.-W., & Lee, K.
S., Imai, H., & Prasad, R. (2006). LR-AKE-based (2006). An efficient authentication mechanism
AAA for network mobility (NEMO) over wireless for fast mobility service in MIPv6. In Computa-
links. IEEE Journal on Selected Areas in Com- tional Science and Its Applications—ICCSA 2006
munications, 24(9), 1725-1737. (LNCS 3981).
Janevski, T., Tudzarov, A., Janevska, M., Stojanovs- Leu, J.-S., Lai, R.-H., Lin, H.-I., & Shih, W.-K.
ki, P., Temkov, D., Kantardziev, D., et al. (2006). (2006). Running cellular/PWLAN services:
Unified billing system solution for interworking Practical considerations for cellular/PWLAN ar-
of mobile networks and wireless LANs. In Pro- chitecture supporting interoperator roaming. IEEE
ceedings of the IEEE Electrotechnical Conference Communications Magazine, 44(2), 73-84.
MELECON 2006 (pp. 717-720).
Li, J., Ye, X.-M., & Tian, Y. (2006). Topologi-
Jeong, J., Chung, M. Y., & Choo, H. (2006). Secure cally-aware AAA overlay network in mobile IPv6
user authentication mechanism in digital home net- environment. In Networking 2006 (LNCS 3976).
work environments. In Embedded and Ubiquitous
Long, M., & Wu, C.-H. (2006). Energy-efficient
Computing (LNCS 4096).
and intrusion-resilient authentication for ubiquitous
Jeong, K. C., Lee, T.-J., Lee, S., & Choo, H. (2006). access to factory floor information. IEEE Transac-
Route optimization with AAA in network mobil- tions on Industrial Informatics, 2(1), 40-47.
ity. In Computational Science and Its Applica-
Noll, J., Lopez Calvet, J. C., & Myksvoll, K. (2006).
tions—ICCSA 2006 (LNCS 3981).
Admittance services through mobile phone short
Kálmán, Gy., Chowdhury, M. M. R., & Noll, J. messages. In Proceedings of the International
(2007). Security for ambient wireless services. In Conference on Wireless and Mobile Communica-
Proceedings of the 65th IEEE Vehicular Technol- tions ICWMC’06.
ogy Conference (VTC2007).
Popescu, B. C., Crispo, B., Tanenbaum, A. S., &
Kálmán, Gy., & Noll, J. (2006). SIM as a key of Kamperman, F. L. A. J. (2004). A DRM security
user identification: Enabling seamless user iden- architecture for home networks. In Proceedings
tity management in communication networks. In of the 4th ACM Workshop on Digital Rights Man-
Proceedings of the WWRF meeting #17. agement.
Khara, S., Mistra, I. S., & Saha, D. (2006). An alter- Potlapally, N. R., Ravi, S., Raghunathan, A., & Jha,
native architecture for WLAN/GPRS integration. N. K. (2006). A study of the energy consumption
In Proceedings of the IEEE Vehicular Technology characteristics of cryptographic algorithms and
Conference, 2006, VTC 2006 (pp. 37-41). security protocols. IEEE Transactions on Mobile
Computing, 5(2), 128-143.
Køien, G. M. (in press). Privacy enhanced mobile
authentication. Wireless Personal Communica- Ren, K., Lou, W., Kim, K., & Deng, R. (2006).
tions. A novel privacy preserving authentication and
access control scheme for pervasive computing
Lee, C.-C., Hwang, M.-S., & Liao, I.-E. (2006).
environments. IEEE Transactions on Vehicular
Security enhancement on a new authentication
Technology, 55(4), 1373-1384.
scheme with anonymity for wireless environments.
IEEE Transactions on Industrial Electronics, 53(5), Ryu, S., & Mun, Y. (2006). An optimized scheme
1683-1687. for mobile IPv6 handover between domains based
on AAA. In Embedded and Ubiquitous Computing
Lee, M., Park, S., & Jun, S. (2006). A security
(LNCS 4096).
management framework with roaming coordinator
for pervasive services. In Autonomic and Trusted Sur, C., & Rhee, K.-H. (2006). An efficient authen-
Computing (LNCS 4158). tication and simplified certificate status manage-
Authentication, Authorisation, and Access Control in Mobile Systems
ment for personal area networks. In Management tion with digital media provider companies, but in
of Convergence Networks and Services (LNCS pervasive environments, users may also require a
4238). way to have a fine-grained security infrastructure
in order to control access to own content.
Sur, C., Yang, J.-P., & Rhee, K.-H. (2006). A new
efficient protocol for authentication and certificate Extensible Authentication Protocol (EAP):
status management in personal area networks. In EAP, a flexible protocol family, which includes
Computer and Information Sciences—ISCIS 2006 TLS, IKE protocols, and also the default authen-
(LNCS 4263). tication method of UMTS, EAP-AKA.
Zhang, Y., & Fujise, M. (2006). An improvement International Mobile Subscriber Identity
for authentication protocol in third-generation (IMSI), Temporary-IMSI (TMSI): IMSI and
wireless networks. IEEE Transactions on Wireless TIMSI is the unique identity number used in
Communications, 5(9), 2348-2352. UMTS to indentify a subscriber. The temporary
one is renewed from time to time, and that is the
only one that is used over the air interface.
kEy tErMs Public Key Infrastructure (PKI): PKI is a
service that acts as a trusted third party, manages
Authentication, Authorisation, and Ac- public keys, and binds users to a public key.
counting (AAA): AAA is a system that handles
all users of the system to ensure appropriate right Remote Authentication Dial in User Ser-
management and billing. vice (RADIUS): RADIUS is the de facto remote
authentication standard over the Internet. It uses
Converged Network: Converged network is UDP as a transport method and is supported by
a network carrying various types of traffic. Such software and hardware manufacturers. Privacy
a network is providing services to different ter- problems may arise when used on wireless links,
minals, which can access and exchange content since only the user password is protected by an
regardless of the current networking technology MD5 hash.
they are using.
Rivest-Shamir-Adleman (RSA): RSA is the
Diameter: Diameter is a proposed successor de facto standard of public key encryption.
of RADIUS. It uses TCP as a transport method
and provides the possibility to secure transmis- Smart Card: Smart card is a tamper resistant
sions with TLS. It is not backward compatible pocket sized card, which contains tamper resistant
with RADIUS. non-volatile storage and security logic.
Digital Rights Management (DRM): DRM Subscriber Identity Module (SIM): SIM is the
is a software solution that gives the power for the smart card used in GSM and UMTS (as USIM) net-
content creator to keep control over use and redis- works to identify the subscribers. It has integrated
tribution of the material. Used mostly in connec- secure storage and cryptographic functions.
Chapter XIV
Trustworthy Networks,
Authentication, Privacy,
and Security Models
Yacine Djemaiel
University of the 7th of November at Carthage, Tunisia
Slim Rekhis
University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia
AbstrAct
Wireless networks are gaining popularity that comes with the occurrence of several networking technolo-
gies raising from personal to wide area, from centralized to distributed, and from infrastructure-based
to infrastructure-less. Wireless data link characteristics such as openness of transmission media, makes
these networks vulnerable to a novel set of security attacks, despite those that they inherit from wired
networks. In order to ensure the protection of mobile nodes that are interconnected using wireless pro-
tocols and standards, it is essential to provide a depth study of a set of mechanisms and security models.
In this chapter, we present the research studies and proposed solutions related to the authentication,
privacy, trust establishment, and management in wireless networks. Moreover, we introduce and discuss
the major security models used in a wireless environment.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Trustworthy Networks
been provided. The solutions were made to cope makes trust management a challenging problem
with the features of the wireless environment and to address.
the mobile nodes. In this chapter, we present the
research work and security solutions related to trust Establishment basis
authentication, privacy, and trust management.
Moreover, we introduce and discuss the major Trust describes a set of relations among entities
security models used in a wireless environment. engaged in various protocols, which are established
The first section of this chapter takes interest based on a body of assurance evidence. A trust is
to the concept of trust, which can be defined as established between two different entities further
the firm belief in the competence of an entity to to the application of an evaluation metric to trust
act dependably, securely and reliably within a evidence. The established relations may be com-
specified context. Starting from this definition, it is posed with other trust relations to generate new
significant that trust implies a level of uncertainty relations. Trust may influence decisions including
and judgment. This may depend on many factors access control. To clarify the process of trust es-
due to risks associated to wireless networks. In this tablishment, we consider the following example.
section, we define the trust in wireless context and Assume two trust relations A and B. Relation A
discuss its models. states that “a certification authority CA1 accepts
The second section discusses the authentication, entity X’s authentication evidences” and is estab-
which is a crucial mechanism that ensures that a lished off-line upon delivery of some evidences
resource is used by the appropriate entities. Actors, (e.g., identity, employment card) by X to B. Upon
architecture, and issues related to authentication the establishment of A, the certification authority
in wireless environment are discussed. CA1 issues a certificate binding a public key to
The third section discusses authentication X. Then, it stores the relation in its trust database
models and protocols in wireless LAN (WLAN), registering X with its certificate. Relation B states
cellular, ad hoc, wireless mobile access networks that “a certification authority CA2 accepts CA1’s
(WMAN) networks. As Mobile IP is becoming authentication of any entity registered by CA1”.
a unifying technology for wireless networks, To establish B, certification authority CA2 may ask
allowing mobile nodes to change their point of CA1 to deliver some evidences such as: (1) CA1’s
attachment without loosing their connections, a authentication of entities is done using satisfac-
particular interest is also given to authentication tory mechanism and policy; and (2) certification
in Mobile IP. authority CA1’s trust database is protected using
The fourth section of this chapter discusses satisfactory security mechanisms and policies.
privacy regarding location and transaction in wire- The establishment of such trust relation leads to
less environment. The fifth section presents two the publication of a certificate signed by CA2,
aspects regarding security modeling in wireless associating CA1’s public key. The relation is then
environments. The first is related to the specifi- stored in CA2’s trust database. The composition
cation of trust, modeling, and verification. The of the two trust relations leads to the acceptance
second addresses the specification and verification of CA1’s authentication of X by CA2.
of security policies that take into consideration One of the main properties that need to be
wireless threats. handled during trust establishment techniques is
transitivity. To decide whether a trust relation is
transitive or not, evidences used to establish trust
trust MAnAgEMEnt should ensure (1) availability, meaning that evi-
dences can be evaluated at any time by the entities
Trust management represents the skeleton of any wishing to establish trust; (2) uniformity, meaning
network security framework. The absence of a that evidences satisfy the same global metrics of
centralized entity, for example, in ad hoc networks adequacy, (3) stability, which means that authen-
0
Trustworthy Networks
tication mechanism cannot change accidentally or establish trust. Therefore, trust relations should
intentionally, and (4) log-term existence, meaning be established using incomplete or uncertain trust
that evidences last as long as the time used to gather evidences, based on the incomplete amount of
and evaluate it. information that each node holds.
When nodes plan to communicate, they must
need for trust Management in Mobile initially interact with each other and establish a
networks certain level of trust. The change of such level
may be triggered further to interaction between
While there are extensive research works that neighboring nodes or further to a recommenda-
contributed to the management of trust in complex tion from a third party. As a node in the MANET
systems, the great majority of them was set up for has only a partial view of the whole network, ad-
fixed infrastructures; assumed long-term avail- ditional mechanisms should be designed to allow
ability and validation of evidences; and generated these nodes identifying valid trust evidences and
lengthy validation process. Several characteristics prevent intruders from altering them or modify-
of wireless networks including unreliable transmis- ing the trust value of other nodes. To clarify this
sion range and topology changes made trust man- issue, Figure 1 depicts two networks. In the first
agement a challenging task. The focus on ad hoc network, users User1x need to communicate very
networks was based on the fact that these networks often with server Server1. In the second network,
are self-organized and barely suppose the existence users User2x need to communicate very often
of trustworthy nodes. In infrastructure-based wire- with server Server2. Different trust relations can
less networks such as cellular networks and WLAN, be established. Nodes in network 1 and 2 trust
the base stations (BSs) (or access points [APs]) are each other based on identity certificates which are
considered trustworthy. Three main requirements registered by certification authority CA1 and CA2,
need to be fulfilled by trust establishment process respectively. In this scenario, User12 has lost com-
in wireless ad hoc networks. First, trust should be munication with server 1 and User11, because it
established in a distributed manner without a pre- moved out of the coverage. Some among User2x can
established trust infrastructure. In fact, connectiv- be found under the communication range of User12.
ity to certification authorities’ directory servers in To reach Server1, User12 has to authenticate itself
the node’s home domain cannot be guaranteed in to any User2x and get access to the second ad hoc
mobile ad hoc network (MANET) when needed. network. To do so, User12 provides its certificate
As a consequence, trust establishment in MANET (as signed by CA1) to User21. User21 has to decide
must support peer-to-peer trust relations. whether to accept such trust evidence. Assume now
Second, trust establishment should be per- that the access policy requires that any node that
formed online and trust relations should have wants to access the ad hoc network should provide
short-life period. This is mainly due to the fact that a valid identity certificate from a trusted authority.
in MANET, when a node moves randomly from a Thus, User21 should contact its trusted certifica-
location to another, its security context may change. tion authority (CA2) and get the CA1 certificate
For instance, when a node moves to a location in signed by CA2. After that, User21 will be able to
which its compromise becomes possible, any trust valid the certificate of User12. Transitivity of the
relation that involves such node should be with- trust relation is thus established.
drawn. Such behavior should not affect network
connectivity and new trust evidences should be recent Advances in trust
gathered as a consequence. Third, trust establish- Management
ment should be tolerant to incomplete evidence or
unavailable trust relations. In fact, in MANET, it Former trust establishment solutions focused
becomes unfair to suppose that all evidences are mainly on procedures to locate the communicating
available to all nodes when they are required to peer’s certificate in order to determine the cryp-
Trustworthy Networks
CA CA
Server
Server
User User
User
User
Ad-hoc network User
Broken link
Communication link
Ad-hoc network
Trust relation
tographic key. In this context, Balfanz, Smetters, contains the signature on the selected binding
Stewart, and Wong (2002) base its solution on from the received secret list. These certificates
using a location-limited channel to allow nodes will therefore be stored locally. The value of k is
performing pre-authentication of each other. As chosen so that there is a sufficient trust relationship
the propagation of the channel is limited, intrud- in the network and the distribution scheme should
ers have an outside chance to mount a successful ensure the certainty of being able to establish a
passive attack. While pre-authentication does not trust chain between any two nodes.
require a heavy bandwidth, the existence of loca- After the system bootstrapping phase is fin-
tion-limited channel represents a very restrictive ished, there is no need for the secret dealer to
assumption. The approach proposed in Ren et al. continue existing. To accommodate the dynamic
(2004) assumes a minimum storage requirement changing of the network structure, every node is
to establish trust in mobile ad hoc networks. A assumed to be able to establish independent trust
centralized secret dealer is introduced into the relationship with at least two nodes.
network during the system bootstrapping phase When a node leaves the network properly, it
and is supposed to be trusted by all nodes. Every broadcasts information about its departure and
node is assumed to have a pair of public/private signs them. Consequently, the receiving nodes
key where the public key is known by the secret revoke the certificate that was issued to that leav-
dealer. ing node. One major advantage of this solution
In the first part of bootstrapping, every network lies in the fact that (1) it decreases the length of
node receives a pre-computed short list, say SL, the trust path, and (2) it is slightly affected by the
from the secret dealer. SL represents k tuples bind- dynamic nature of the ad hoc network. However,
ing node identifiers to related public keys. These guaranteeing that sufficient trust relationships
bindings are distributed symmetrically, meaning exist in the network requires a large care during
that if node j receives the node identifier of i and the selection of value of k.
its corresponding public key, then node i will also On one hand, the work in Baras and Jiang
receives node i identifier and its public key. In the (2004) proposed to investigate the stability of trust
second part of the bootstrapping phase, each node establishment by modeling a MANET as an indirect
generates k certificates, one certificate for every graph where edges represent pre-trust relations.
received binding, assuming that every certificate The two authors cast the problem of trust com-
Trustworthy Networks
putation and evaluation by every individual node etc.). Finally, a TTP is an entity that is mutually
as a cooperative game and base it on elementary trusted by the supplicant and the authenticator and
voting methods. In Theodorakopoulos and Baras facilitating mutual authentication between the two
(2004), the process of trust relation establishment parties (Aboudagga, Refaei, Eltoweissy, DaSilva,
is formulated as a path problem on a weighted & Quisquater, 2005). An authentication process is
directed graph. The vertices in the graph represent made up of a set of messages that are exchanged
the entities and a weighted edge (i, j) represents between these actors (as e illustrated by Figure
the opinion that entity i has about entity j. Such 2). Authentication includes four components as
opinion consists of two numbers: the trust value follows: (1) “S” denotes the supplicant; (2) “D”
and the confidence value. The trust value is an denotes the destination mobile node; (3) “As” de-
estimate of the trustworthiness of the target, while notes the authenticator; and (4) “Ad” denotes the
the confidence value corresponds to the accuracy destination authentication server. Adding a TTP
related to the assignment of the trust value. Using to this model introduces additional exchanged
the formal theory of semirings, one can show how messages in order to establish trust between the
two nodes can establish an indirect trust relation different interacting nodes.
without previous direct interaction. For that case,
two operators were developed allowing to combine Authentication Management
trust opinions along different paths and compute the Architecture
trust-confidence value between pair of nodes.
An authentication system is based on an authenti-
cation protocol that fixes the interaction between
gEnErAl ModEls for the different components described previously.
AutHEntIcAtIon In wIrElEss The interaction is made using a set of messages
nEtworks between system components. In a wireless environ-
ment, node mobility offers many advantages, but
In addition to authentication solutions applied to at the same time it may affect the overall system
specific wireless technologies, some general models efficiency. Consequently, deploying an authenti-
are introduced in wireless networks. This section cation system in a wireless environment needs to
discusses these models. consider several aspects including authenticators’
number and placements. The choice made on the
Actors in an Authentication system placement of these servers has an effect on the
time spent to authenticate a mobile node and the
Basically, an authentication system is composed of packet loss ratio. Typically, two strategies may
three actors: (1) a supplicant, (2) an authenticator, be adopted concerning the authentication servers
and (3) a trusted third party (TTP). The supplicant is placement. The former aims at placing authentica-
an entity that requests access to network resources. tion servers on the same network within mobile
It may be a person, or an application running on nodes. This solution leads to route the two traffics
a mobile node. The access to protected resources (exchanged data and authentication traffic) within
is gained only if the credentials provided by the the same network. Consequently, the contention
supplicant are validated by the authenticator. In an and the packet loss ratio are increased. However,
authentication system, a credential is an identifier the time spent during authentication is reduced
that is used by an authenticator to check whether compared with the second solution that aims to
the supplicant is authorized. It may be symmetric place authentication servers outside of the net-
key, a public/private key pair, a generated hash, work and thus forwarding authentication traffic
or some contextual information such as physi- outwards. The latter solution reduces the packet
cal characteristic that uniquely identifies a sup- loss ratio and liberates the network bandwidth for
plicant (e.g., GPS location, signal to noise ratio, useful traffic.
Trustworthy Networks
Trustworthy Networks
one held by the server) are taken, vary consider- techniques to protect stored credentials. Some se-
ably over time since they are taken under different curity protocols are used to secure credentials. As
working conditions. Therefore, two samples of the an example of techniques that fulfil these needs, we
same object, such as a fingerprint, generated by mention the proposed scheme in I-En, Cheng-Chi,
two different sensors are most likely not identical. and Min-Shiang (2006) that supports the Diffie-
Cryptographic hash functions however, do not Hellman key agreement protocol over insecure
usually preserve distances and hence two samples networks and function according to three phases:
of the same object may result in different digests registration, phase, and authentication.
at different conditions. This scheme employs basic concepts, such as
Introducing sampling in the authentication one-way hash function and discrete logarithm
process may be a solution to reduce bandwidth and problem. During the registration phase, the
power requirements in a wireless environment. As server assigns smart cards to the users requesting
an example of schemes that follow this principle, registration. The registration phase is performed
LAWN is a remote authentication protocol that only when a new user needs to join the system.
enables repetitive remote authentication with large However, the login and authentication phases are
keys (Arnab, Rajnish, & Umakishore, 2005). This performed at each user login attempt. During
approach is motivated by the concept of a holo- registration, the user chooses an identifier (ID)
graphic proof (Polishchuk & Spielman, 1994; Spiel- and a password (PW), it computes h(PW) using a
man, 1995). A holographic proof is a proof of some one-way function h. ID and h(PW) are sent to the
fact, so constructed. To verify the proof, one does server through a secure channel. After receiving
not need to scan through its entire length (Arnab the registration message, the server calculates
et al., 2005). The verification process is limited to B=g
h ( x ID ) + h ( PW )
mod p , where p is a large prime
the examination of small parts randomly selected. number initially selected by the server, and g is
According to this technique, a small sample of the a primitive number in GF(p). After computing
authentication token is prepared, which can be used B, the server issues a smart card holding ID, B,
at the remote end to perform authentication with p, g and delivers it to the user securely. During
high probability of correctness. This technique login, the user inserts the smart card to a termi-
allows saving bandwidth and power, since if the nal and introduces his/her ID and PW. Then, the
length of the original authentication token is n, then terminal generates a login request message based
the selected sample is only O(logn). As samples on introduced information then it sends it to the
may be different, a function that computes the dif- server. At the server side, B " = g h ( x ID ) R mod p is
ference between the patterns is needed. This may computed, where x is the server’s secret key, ID
be achieved by computing the Hamming distance is the user’s identity, and R is a random number
that gives as a result the number of bit positions generated by the server. After that, the server
where two strings differ in. calculates h(B'') and sends it in addition to R to
In the following, several general authentication the user. When received at the user side, the user’s
techniques are detailed. smart card computes B ' = ( Bg − h ( PW ) ) R mod p and
the validity of the server is checked by comparing
Password Authentication h(B') and h(B'').
If the server is considered valid, the user’s
Password authentication is among the solutions module computes C = h(T B ' ) , where T is the
that are frequently required in wireless networks. timestamp associated to the current login, other-
Implementations according to this principle are wise the server is considered invalid and the user
vulnerable to multiple attacks that generally have moves again to the login phase. At this step, the
targeted stored passwords or passwords sent user’s module sends (ID, C, T) to the server. Af-
across the network. As a solution to these threats, ter receiving the request, the server performs the
a proposed scheme should include cryptography checks to determine whether the user is allowed
Trustworthy Networks
to login. It starts by checking if the format of ID However, some vulnerabilities and weaknesses can
is correct. If that is the case, the server compares be found including:
T with T'; otherwise, it rejects the login request.
T' is the time when the server receives the login • Lack of per-packet authentication for ac-
request and DT is an acceptable time interval with cess-request packets. A request authenticator
respect to the transmission delay (needed for protec- (RA) that is a 128-bit pseudorandom number
tion against replaying attack). If T ' − T ≥ DT , the is included in the access request message.
user’s request is rejected; otherwise, it computes This value is used to hide the user password
C ' = h(T B " ) and compares C to C'. If the two and does not really provide authentication of
values are equal, the login request is considered access-request messages. As a solution to this
valid; otherwise it is rejected. problem, it is possible to use RADIUS over
IP security (IPsec).
the rAdIus Protocol • Off-line dictionary attacks on the shared
secret. Several implementations of RADIUS
The remote authentication dial-in user service (RA- allow only the use of shared secrets that are
DIUS) is an authentication protocol that has wide ASCII characters and having lengths that
deployment in dial-up Internet services (Rigney, do not exceed 16 characters. Consequently,
Rubens, Simpson, & Willens, 1997). RADIUS is these secrets have low entropy. Based on this
a stateless transaction-based protocol; it runs over weakness, an attacker may collect access-
user diagram protocol (UDP). Using this protocol requests and access-response packets and
implies that at the end point RADIUS entities launch off-line dictionary attacks.
must integrate their own reliability mechanisms to
handle lost packets. A simple reliability mechanism Authentication between
that is used by the most RADIUS implementations Heterogeneous wireless
is the retransmission of lost packets. Environments
RADIUS protocol is a client-server model,
where authentication messages are exchanged When integrating heterogeneous networks, such
between the RADIUS client and the RADIUS as WLAN access networks and mobile cellular
server, through one or more RADIUS proxies. networks, many issues should be handled espe-
This protocol is used for dial-up services; therefore cially for authentication and roaming. For global
the client is typically the network access server system for mobile communications (GSM)/gen-
(NAS) that is in general connected to the remote eral packet radio service (GPRS) networks, the
access server (RAS), which represents the end subscriber identity module (SIM) card is used for
point of the dial-up connection. The authenticator user identification, authentication, and message
according to the RADIUS protocol is the RADIUS encryption. Therefore, it is feasible to authenticate
server that is responsible for receiving user con- the subscribers in WLAN via exchanging the au-
nection requests and authentication. Moreover, thentication information between mobile cellular
RADIUS offers functionalities such as the support networks and subscribers’ SIM cards (Yuh-Ren
for authentication, authorization, and accounting & Cheng-Ju, 2006). It is assumed that the WLAN
(AAA). The use of plaintext passwords, the hash of access networks and the GSM/GPRS networks can
passwords, and the keyed hash mechanism based interoperate and exchange system information via
on a shared secret are the basic authentication the GSM-MAP (Mobile Application Part) interface
approaches that are used by RADIUS. These ap- based on Signaling System 7 (SS7). In this context,
proaches are integrated in the two authentication a proposed protocol in Yuh-Ren and Cheng-Ju
protocols most used by RADIUS—they are PAP is used to authenticate a GSM/GPRS subscriber
(Lloyd & Simpson, 1992) and challenge-handshake in a WLAN access network via the GSM/GPRS
authentication protocol (CHAP) (Simpson, 1996). SIM card. This goal is achieved by exchanging
Trustworthy Networks
some information to verify that the client and the is not appropriate since the key may be easily
GSM/GPRS have the same secret. The SIM-based eavesdropped during distribution. To address the
authentication mechanism is divided into two issues, recently, several key distribution schemes
phases: Temporary IP Address Acquisition Phase were proposed which are based on pre-distributed
and Subscriber Identity Verification Phase. In Tem- keys or keying materials for key generation. The
porary IP Address Acquisition Phase, the mobile issue comes down to finding an efficient way for
station (MS) attaches to the WLAN access network distributing key segments and materials before
and discovers the DHCP Server to acquire the IP deployment of nodes.
network configuration parameters. Subsequently, In sensor networks, key distribution solutions
in the Subscriber Identity Verification Phase, the can be classified into random, deterministic, and
MS exchanges the authentication information with hybrid ones. For additional information, the reader
the WLAN Authentication Server to manifest the is refereed to Camtepe and Yener (2004) where
subscriber’s identity (Yuh-Ren & Cheng-Ju). For a survey on key distribution in sensor networks
Universal Mobile Telecommunications System is provided. For peer-to-peer wireless sensor
(UMTS), the UMTS subscriber identity module networks, where no infrastructure exists and
is used for authentication. nodes are randomly deployed, Eschenauer and
Gligor (2002) proposed a random approach that
is based on probabilistic key sharing among sen-
AutHEntIcAtIon APProAcHEs sors and relies on a shared key discovery protocol
for cEllulAr And MEsH for distribution and revocation of keys. The key
nEtworks distribution scheme has three phases: (1) the key
pre-distribution, (2) shared-key discovery, and (3)
In this section, we introduce authentication solu- path-key establishment. The key pre-distribution
tions for cellular and mesh networks. is preformed off-line before sensor nodes deploy-
ment. It consists of distributing a set of keys (key
ring) from a large key pool. Shared-key discovery
key Management in wireless sensor
takes place during the initialization of the network.
networks
Each node broadcasts the list of identifiers of keys
on their key ring. Consequently, every node in the
The wireless sensor network (WSN) represents a
network will discover the list of neighbors with
promising technology whose key idea lies in the
which it shares a key. A routing link will exist
scattering of tiny devices which are endowed with
between two nodes only if they share a key. As
sensing, processing power, and wireless commu-
nodes give trust to each other, the same key can
nication capability. These devices are intended to
be shared by more than a pair of nodes. During the
be deployed in a specific geographic area to sense
last phase, a path-key is assigned between a pair
change of some parameters (e.g., temperature,
of sensor nodes that do not share the same key by
object movement, and noise) for several purposes
relying on the set of intermediate secured links
including target tracking, environmental monitor-
established at the second phase.
ing, and surveillance.
Du, Deng, Han, Chen, and Varshney (2003)
A large set of security issues and challenges
exploit the knowledge of the node deployment
in WSN networks are described in Pathan, Lee,
to pre-distribute keys. A pair-wise key is distrib-
and Hong (2006) and Karlof and Wanger (2003).
uted between each pair of neighboring nodes by
Due to the known resources constraints in sensor
exploiting the knowledge about the nodes that are
nodes, it is not feasible to use the traditional pair-
likely to be neighbors of a sensor node. However,
wise key establishment techniques such as public
as the number of neighbors can be huge, a sensor
key cryptography, which are too computationally
may not be able to store all the related secret keys.
intensive to ensure authentication and privacy. On
To alleviate the problem, the use the random key
the other hand, symmetric cryptography in WSN
Trustworthy Networks
The Web-based approach for authentication is The use of IPsec virtual private networks (VPNs)
adopted due to the simplicity of the approach and provides an interesting mean to ensure confiden-
the possible use of this technique without the need, tiality for data across the air interface. Thus, it
at the user side, of special software or hardware. is possible to use it to perform authentication for
The simplicity of this technique is based on the mobile nodes. In this model, the supplicant software
use of secure socket layer (SSL). A Web server establishes an IPsec VPN with a VPN server, which
intercepts the user’s HTTP traffic and redirects may be the AP or another device behind the AP.
the user to the authenticator Web interface. The All data traffic generated by the client is tunnelled
user provides his/her identity and password. The through the established VPN. According to this
transmission of these credentials is protected by scheme, failure in the authentication process means
the SSL session, which encrypts the traffic between that the IPsec VPN fails to be established and the
the mobile node browser’s and the Web server. This supplicant’s IP address is de-allocated. In this case,
method is simple to implement but does not result a threshold associated to the number of allowable
in a negotiated encryption key at the WLAN frame failures by the supplicant may be fixed.
layer that is used by algorithms such as temporal
key integrity protocol (TKIP). Consequently, after Authentication Protocols for gsM
the accomplishment of the login phase, traffic at
the MAC layer may remain unencrypted. Authentication protocols are considered among the
main components of the GSM architecture. Several
protocols proposed in this context have presented
Trustworthy Networks
several drawbacks such as bandwidth consump- tion. After that, the set of parameters composed of
tion between the Visitor Location Register (VLR) R, R1, T and CERT_VLR is passed to the MS. Then
and the Home Location Register (HLR), storage the MS checks first the validity of T. If it is valid,
overhead in VLR and other insufficiencies such as it computes CERT_VLR' and compares it with the
bandwidth consumption if the MS moves frequently received CERT_VLR. The authentication process
and requests several VLRs in a short period. The will be halted if the two values are not equivalent;
Authentication Center (AuC) is in charge of per- otherwise, MS computes KT = A3(R, Ki) and SRES'
forming authentication in the GSM. It keeps the = A5(R1, KT). Then, the computed SRES' is sent
secret key Ki shared with the subscriber and gen- back by MS to VLR. The latter compares it with
erates the set of security parameters for requests the SRES stored in its database to decide whether
associated to the authentication protocol of HLR. the request is considered valid; otherwise, it is
Subscriber’s secret key is hold in the SIM card of rejected.
the MS. When the subscriber registers for the first As long as the MS stays in the service area of
time, it gets a unique identity and an International the same visiting VLR, the latter does not need to
mobile subscriber identity (IMSI) from the AuC. request HLR for another authentication parameters
Among the solutions to improve such protocols, but it generates only the random number, called
the authentication protocol proposed in Chang, Rj, at each jth communication (where j > 1 and
Lee, and Chang (2005) provides mutual authen- j∈1). This random number is used to compute
tication between VLR and the MS. According to SRESj = A5(Rj, KT) that will be stored in the VLR
this protocol, the HLR makes the visiting VLR database then Rj will be sent to the MS. The latter
and MS share a temporary secret key KT, which will compute and send SRES'j = A5(Rj, KT) to VLR
is computed by HLR using the algorithm A3and that checks whether the two values are equal or
having as input both Ki (the secret key shared not. In the case of repetitive communications that
between MS and HLR) and R (a random number are performed by the MS at the same area of the
generated by HLR). visiting VLR, mutual authentication is not ensured
Moreover, HLR computes the certificate since only MS is authenticated, not the VLR.
CERT_VLR = A3(T, Ki) for the visiting VLR of To overcome this drawback, an improvement
MS, where T is the timestamp sent by MS. This providing mutual authentication to the previous
certificate is used to authenticate the validity of authentication scheme, is proposed in Chang et
VLR. According to this authentication process, al. (2005). According to this scheme and while
an authentication request including the temporary MS asks for the jth communication, VLR uses
mobile subscriber identity (TMSI), the location area both KT and Tj as inputs for the A3 algorithm to
identity (LAI) and T is sent to VLR when the MS generate the certificate CERT_VLRj, where Tj is
enters a new visiting area and asks for new com- the timestamp generated by MS and included in
munication services. After receiving the request, the authentication request. This certificate is the
the new VLR uses the received TMSI to get the means that will be used by the MS to authenticate
IMSI from the old VLR that will be sent with its the VLR. This check will be performed by the MS
identification Dv and T to the HLR through a secure when it receives the CERT_VLRj and proceeds to
channel. The HLR checks the validity of the Dv the computation of CERT_VLR'j = A3(Tj, KT). If
and T. If they are valid, it computes CERT_VLR the two certificates are equivalent then the VLR
= A3(T, Ki) and KT = A3(R, Ki) then it transmits is authenticated successfully.
the computed results and R to the visiting VLR. To enhance authentication in addition to ensur-
Otherwise, the HLR will terminate the authentica- ing mutual authentication, some modifications
tion process. Receiving this information, the VLR were proposed in Chang et al. (2005) including
computes SRES = A5(R1, KT) and stores it in its basically two phases: (1) the first authentication
database, where R1 is a random number generated in the visiting VLR; and (2) the jth authentication
by the same component for the current communica- between the same visiting VLR and the MS. The
Trustworthy Networks
main idea of the first phase is to use ( R T1 ) instead complexity and low bandwidth consumption. In
of R1 to compute. The second phase handles re- Tsai and Wang (2007), two authentication mecha-
petitive communication between the visiting VLR nisms have been proposed to ensure cluster and
and MS, the signed result SRESj is computed by individual authentication. The first authentication
using T j −1 T j and KT as the inputs of A5 algorithm, mechanism aims to verify whether the mobile
where Tj–1 is the timestamp associated to the ( j–1)th node belongs to the same group or whether the
authentication and Tj is the timestamp generated message came from a node in this group. During
by the MS for the jth authentication. Moreover, the authentication process, the originator sends the
the certificate CERT_VLRj of VLR is computed original message and the cluster signature. The
by using KT and Tj using A3. cluster signature is generated using the timestamp
and the original message. At the destination node,
the cluster signature is verified to determine if the
kerberos based Authentication
received packet is valid or belongs to an attack traf-
schemes for Ad Hoc networks fic. The output packet, PKTM, sent by the source
is the following:
Several authentication solutions that have been
proposed at first for wired networks may be used PKTM = {MACT , Tstamp , EKs ( MACM , Tstamp , M )},
in wireless environment by introducing some en-
hancements. Among these schemes, we mention
where MACT = H(KC, Tstamp) is generated using the
Kerberos that has been implemented and tested in
timestamp and the common secret key, KC that is
multiple production environments. In this context,
used if there is not an available session key, denoted
a Kerberos assisted authentication in MANETs,
KS. This key will be generated only if the individual
known as Kaman, is proposed in Mcdonald and
authentication is performed successfully and is used
Pirzada (2004). This scheme adapts the Kerberos
to calculate MACM using the expression: MACM =
standard version to the wireless environment
H(KS, Tstamp, M). If the output packet is received
constraints. According to this scheme, secret keys
by an intermediate node, the latter performs the
or passwords are only known by users whereas
following checks:
the servers know a cryptographic hash of these
passwords. Moreover, All Kaman servers share
1. It computes MACT = H(KC, Tstamp)
a secret key. These servers periodically, or on-
2. It checks if Tstamp is within a reasonable time
demand, replicate their databases with each other
delay range.
in order to avoid a single-point-of-failure issue.
Kaman uses a modified version of the Kerberos 5
If these two conditions are satisfied, the in-
protocol for authentication in ad hoc networks that
termediate node forwards the packet to the next
eliminates the use of a ticket granting server (TGS).
node; else it will be discarded. If the next node
The adopted authentication protocol is described
is the destination, it performs the two tasks in a
in Mcdonald and Pirzada . In addition to the basic
similar way to an intermediate node, then it de-
authentication steps, the proposed protocol details
crypts EKs(MACM, Tstamp, M) and checks MACM by
key revocation operations, server elections and the
computing H(KS, Tstamp, M). After that, it verifies
replication of repository strategy.
if the decrypted Tstamp is the same as the one that
is added to the packet without encryption. If all
Authentication in Mobile Ad Hoc these checks are performed successfully and all
networks (MAnEts) conditions are satisfied, the packet is considered
valid; otherwise, it is discarded.
According to the various constraints that charac- The second authentication process, called
terize a mobile ad hoc network, an authentication individual authentication for unicast, allows the
mechanism should present low computational verification of the identity of a user or a node in a
00
Trustworthy Networks
group or the verification of the message originator. tion of this packet by S, it computes the session
Since public-key cryptosystems are unsuitable for key V as follows: V = ga0 mod p. Then, it compares
mobile ad hoc networks due to their high compu- the received AUTHRS with EV (RANDS). If the two
tational complexity, a low-power-consumption parameters are equal, a common session key is
authentication procedure, based on secret sharing, obtained KS = V = ga0 mod p. After performing all
is proposed. As mentioned in cluster authentica- these steps, S transmits the data packets via the
tion, individual authentication is required before secure routing path to D. The first packet should
generating the session key, which is shared between contain AUTHR D that is needed by D to verify the
the source and the destination contrary to the identity of S.
common key that is shared between all the group
nodes. The individual authentication mechanism Authentication in 802.16 wMAns
is performed as follows: the source node S initiates
a route discovery process to deduce a routing path As described by Figure 4, the 802.16 protocol layer
from S to the destination node D. Next, S generates consists of the physical layer and the MAC layer
a random number, called a0 and a random challenge that is divided into three sublayers that are: (1)
number RANDS. the security sublayer (or MAC privacy sublayer),
S uses the function f1(x) = a1 x + a0 (mod p – 1). (2) the MAC common-part sublayer, and (3) the
Based on this function, it generates a secret shadow MAC convergence sublayer. The MAC security
associated with S and D, using an identity number sublayer supports security mechanisms such as
of D (IDS) that has the following expression: KS,W authentication, key exchange, and also encryp-
= f1(DS). The parameter a1 is computed by S by tion. An 802.16 network or cell consists of one
satisfying the following expression: (or more) BSs and multiple subscriber stations
(SSs). In addition to these components, it may be
K S ,W = f1 ( IDS ) mod( p − 1) = (a1 ⋅ IDS + a0 ) mod( p − 1) . also additional entities within the network, such
a
as repeater stations (RSs) and routers, ensuring
After that, S generates the session key g 0 mod p connectivity of the network to core or backbone
that is recovered at D. Γ is computed by S using networks. An SS must perform a number of tasks
f1(x = 1) as follows: Γ = g f1 (1) mod p . Since these that include authentication before gaining access
operations are performed, S sends the authenti- to the network. During this phase, the SS must
cation packet that includes Γ and RANDS to D be authenticated by the BS, using the privacy key
through the routing path deduced at the starting management (PKM) protocol that is detailed in
of the authentication process. At destination node, Hardjono and Dondeti (2006). In such networks,
ZD is computed that is the inverse of (DD – 1) on each SS has an X.509 digital certificate (Housley,
modulo p – 1 which satisfies the following relation: Polk, Ford, & Solo, 2002), which is integrated into
(DD – 1) × Zi ≡ 1(mod p – 1). D uses the received the device hardware at manufacturing. The private
Γ and a set of secret parameters called, ΛD,S (ΛD,S key that is assigned to the certificate is embedded
= (gKD,S) mod p) to compute KS according to the in the hardware in a way that is unfeasible for an
following expression: intruder to read or modify it.
According to the IEEE 802.16 standard, only
K S = (Γ
IDD xZ D
Λ D ,S
) mod p . the SS is assigned a certificate and not the BS.
Consequently, the mutual authentication is not
Using this key, the destination encrypts the received ensured since the BS does not authenticate itself
challenge, RANDS, and obtains the authentication to the SS.
reply code AUTHRS defined by EKS (RANDS). The The PKM protocol first establishes a secret
generated AUTHRS and a regenerated RANDD are symmetric shared key between the SS and the BS
included into a confirmation packet that is for- that is called authorization key (AK).This key is
warded to S via the routing path. Upon the recep- used to ensure the exchange of the traffic encryp-
0
Trustworthy Networks
Figure 4. The 802.16 protocol layers properties of the primary SA and the set of static
SAs, if there exist, for which the SS is authorized
to obtain keying information.
0
Trustworthy Networks
0
Trustworthy Networks
tion of random silent period for each node may be trust representation, Modeling, and
a solution to ensure privacy. During this period, Verification
the node does not forward or transmits any pack-
ets. This technique is not supported by all kind of Trust management systems represent a generaliza-
applications. Voice over IP is among applications tion of the traditional security mechanisms such as
where latency is not tolerated. authentication and privacy by adding heterogeneity
In addition, information about the occurrence and distribution. Several trust management systems
of a transaction should be protected to prevent at- were proposed including Policymaker, Keynote
tacks that are executed at the completion of a given trust management system, and Relational-based
transaction. For example, an intruder may need to formalism of trust.
determine the occurrence time of a transaction in A number of trust management systems were
order to capture the transaction output that may developed including X.509 (Arsenault & Turner,
hold a set of information that helps compromis- 2002) model, SPKI (Ellison et al., 1999) and PGP
ing the system or collecting information about trust model. The X509 is centralized bringing a
it. Ensuring time privacy may be achieved using hierarchical certificate management model with
several techniques that are mostly integrated in a tree structure and a root. In the context of wire-
transaction-based systems. A random behavior less networks where the trust management should
may be another solution that prevents intruder be distributed, the X509 model cannot fit. SPKI
from learning the transaction occurrence time. provides flexibility for trust management by allow-
For example, it is possible that the execution of a ing delegation. However, there is no restriction to
transaction delivers only a partial output and the control the delegated signature chain or allow the
remaining results are provided when needed by issuer to update the trust value of each delegated
requesting them or by informing the service pro- certificate. The PGP trust model supports trust
vider node about this need. This technique ensures management in distributed networks. It uses a
time privacy since the completion time associated trust model that has no centralized or hierarchical
to the execution of a transaction is based in some relationship between certification authorities as in
cases on the reception of the complete output that X.509. The underlying assumption is that trustees
may be variable in time. Another technique that may validate digital certificates from other enti-
may be adopted is a dynamic scheme that order ties or trust a third party to validate certificates.
transactions following a priority order that takes However, entities are fully trusted and there is a
into consideration multiple parameters such as need for a mechanism to compute trustworthiness
outputs needed for next transactions, available of every trusted or signed key. A degree of trust
resources (storage, processing) for processing such as completely trusted, marginally trusted, or
nodes, and so forth. untrusted, should be supported.
Following the previous works, a number of au-
tomated trust management systems were proposed
sEcurIty ModEls including PolicyMaker (Blaze, Feigengaum, &
Strauss, 1998a) and KeyNote (Blaze, Feigenbaum,
This section takes interest into three aspects in & Keromytis, 1998b). The PolicyMaker provides an
modeling security. The first aspect is related to application independent framework for construct-
theories of trust representation, modeling, and ing and validating the security policies. In fact, the
verification. The second aspect is related to security security policy is specified by the system, whereby
policy specification and verification. the applications can create their own actions and
policies but are not required to do the security
0
Trustworthy Networks
verification themselves. The system is then used Y, called the conformance checking relation, where
to verify whether an action is consistent with a lo- X+ denote the set of non-empty chains in X. This
cal policy. This system takes as input a set of local relation denotes all pairs of the form (C,y) where C
policy statements, a collection of credentials, and is an input chain and y is the related response.
a string describing the actions to be performed. It For complex situations, Guemara-ElFatmi et
evaluates these policies and credentials by verify- al. (2004) proposed a deductive system denoted
ing whether an action is consistent with the local by Δ=(Axiom, Rule, W) where W include formula
policy. The output, which is made by a compliance of the first order logic interpreted over X+ and
checker, is a positive or a negative response or even Y and formula of the form “(C, y) ∈ R”. An ele-
a set of additional requirements to be fulfilled to ment in Axiom denotes a formula in the form of
let the actions be permissible. (C , y ) ∈ R ∧ (C ) ∧ p ( y ) where p and p represent
KeyNote, which is the successor of PolicyMaker, predicates interpreted over X+ and Y, respectively.
uses the same design principle of assertions and y stands for the response at time t for an input chain
queries. However, it brings an additional enhance- denoted by C. Elements of Rule have equivalence
ment in the trust management engine and supports between certificate chains and have the following
special language for assertion which allows a form:
simple integration with the compliance checker.
Note that the signature verification is performed (C ' , y ) ∈ R
in the keynote engine making it well-suited for (C , C ' )
trust management in public-key infrastructure.
KeyNote evaluation is performed after receiving (C , y ) ∈ R
a set of local security assertions, a collection of
credential assertions, which may represent certifi- The previous rule states that if y is a response
cates signed by entities delegating the trust, and to chain C' and if C is related to C' through p then
a collection of attributes defining an action envi- y is the response to chain C. As a consequence,
ronment and containing all information relevant a pair (C, y) is in R, at time t, if and only if the
to the request. formula (C, y) ∈ R is a theorem in D. The form of
Guemara-ElFatmi, Boudriga, and Obaidat the axiom denoted previously allows the charac-
(2004) proposed a trust management scheme based terization and computation of R as a least fixpoint
on the use of the relational calculus, which allows of a function. The trust management model takes
proving and verifying compliance of communi- into consideration several issues including security
cation protocols with security policy in the case policy representation, compliance correctness,
where the system is based on of use of public key and system state determination. The system state
certificates (PKC). The proposed trust manage- determination issue, for instance, shows how to
ment scheme integrates (1) a relational language reduce the complexity of online checks by letting
for modeling entities (e.g., certificates, security the server not to remember its past inputs but rather
policy) and actions (e.g., delegations); (2) a relational to just remember a summary of past input history.
calculus for performing proofs; (3) a mechanism The aforementioned trust management model
for identifying users; and (4) a compliance engine was validated using three case studies which are
which allows to decide whether an action, which is anonymous payment system, clinical information
performed by a principal can be granted or not. The system, and distributed firewall system.
model of trust management uses (1) a set of cer-
tificates/request, say X, denoting requests sent for Security Policy Specification
online checks and operations; (2) a set of response
returned by online checks, say Y, to represent the To effectively protect themselves from security
acceptance and rejections of requests; and (3) a threats, organizations should define a security
binary relation from X+ (the set of words in X) to policy, which according to the ISO 17799 represents
0
Trustworthy Networks
a document that provides management direction validation. In fact, a security policy is validated
and support for information security. A security by comparing the behavior of the related ESP to
policy can be seen as a specification for security what is specified in it. The methodology is based
solutions and form a conceptual model of them on defining the security policy in natural language
as the specifications do for software. Improving then translating it to algebraic specification. After,
correctness of security policies is thus essential in the algebraic specification is then analyzed for
order to guarantee the security level required by syntactic verification purpose, it is translated to
the secured system. Several formal methods can an executable language (e.g., S-TLA+ [Rekhis &
be used to validate whether a security requirement Boudriga, 2005]) following a set of rules that have
for systems or components are complete, correct, to present some properties including completeness
and can be met by the security policy. Examples and termination. At this level, the executable secu-
include model checking, theorem proving, and rity policy is run to detect vulnerabilities.
executable specifications. To validate the security policy, the behavior
In model checking technique, the security policy of the executable security policy can be checked
may be specified using temporal logic formulas using the model checking technique. The satisfac-
which describe how the permissible system tran- tion of the set of invariants in the security policy
sitions may occur and what modification do they can be verified during the generation of potential
introduce to the system. By adding a description scenarios by the model checker.
of the initial system state, and the set of security
properties that should be followed by the security
policy (e.g., all users are authenticated within the conclusIon
system), the model checking technique can be used
to verify whether the model satisfies the expressed Ensuring security for wireless networks signifies
properties. To do so a graph is generated where several goals to achieve including the security of
nodes represent the system states through which connected mobiles nodes, the security of services
the system progresses while edge represent possible provided by wireless nodes and that are acces-
transitions which may alter these states. The main sible from public networks, and the security of
drawback of the model checking technique lies in exchanged data between wireless nodes. All these
the state explosion problem that must be addressed goals may be achieved through the use of a set of
to cope with non-finite sate specification. Several mechanisms and models that have been the subject
approaches can be used to defeat such a problem of this chapter. Authentication, privacy protection,
including the use of binary decision diagrams, trust, and security models are the concepts that
partial order reduction to reduce the number of are detailed in this chapter showing the possible
interleaving of non-concurrent processes, and solutions that may be adopted to prevent a set of
abstraction to prove properties on a system after attacks that represent a potential threat for wire-
simplifying it. In theorem proving, specification is less networks.
based on using formalisms such as first-order logic
and higher-order logic. To prove that properties are
met by the specification, proof techniques such as rEfErEncEs
induction, rewriting, simplification, and decision
procedure using can be followed. Aboudagga, N., Refaei, M. T., Eltoweissy, M.,
The executable security policy (ESP) specifica- DaSilva, L. A., & Quisquater, J.-J. (2005). Authen-
tion, which is defined by: “a specification whereby tication protocols for ad hoc networks: Taxonomy
security policy is executed on a computer simulat- and research issues. In Proceedings of the 1st ACM
ing its behavior when interacting with its environ- International Workshop on QoS & Security in
ment,” is a recent technique for security policy Wireless and Mobile Networks (pp. 96-104).
0
Trustworthy Networks
Arnab, P., Rajnish, K., & Umakishore, R. (2005). Ellison, C., Frantz, B., Lampson, B., Rivest, R.,
LAWN: A protocol for remote authentication intro- Thomas, B., & Ylonen, T. (1999, September). SPKI
duced over wireless networks. In the Fourth IEEE certificate theory (RFC 2693). Retrieved January
International Symposium on Network Computing 2, 2007, from http://www.ietf.org/rfc/rfc2693.txt
and Applications (NCA), Cambridge, MA.
Eschenauer, L., & Gligor, V. D. (2002, November
Arsenault, A., & Turner, S. (2002, July). Internet 18-22). A key management scheme for distributed
X.509 public key infrastructure: Roadmap. Re- sensor networks. In Proceedings of the 9th ACM
trieved January 2, 2007, from http://www1.tools. Conference on Computer and Communications
ietf.org/html/draft-ietf-pkix-roadmap-09.txt Security, Washington, DC.
Balfanz, D., Smetters, D. K., Stewart, P., & Wong, Guemara-ElFatmi, S., Boudriga, N., & Obaidat,
H. C. (2002, February). Talking to strangers: M. (2004, July). Relational-based calculus for trust
Authentication in ad-hoc wireless networks. In management in networked services. Journal of
Symposium on Network and Distributed Systems Computer Communications. 27(12), 1206-1219.
Security (NDSS ’02), San Diego, CA.
Hardjono, T., & Dondeti, L. R. (Eds.). (2006).
Baras, J., & Jiang, T. (2004). Cooperative games. Security in wireless LANs and MANs. Norwood,
Phase transitions on graphs and distributed trust MA: Artech Press.
in MANET. In Proceedings of the 43rd IEEE
Housley, R., Polk, W., Ford, W., & Solo, D.
Conference on Decision and Control, Nassau,
(2002). Internet X.509 public key infrastructure
Bahamas.
certificate and certificate revocation list (CRL)
Blaze, M., Feigenbaum, J., & Strauss, M. (1998a). profile (RFC 3280). Retrieved from http://www.
Compliance checking in the policymaker trust ietf.org/rfc/rfc3280.txt
management system. In 2nd International Confer-
I-En, L., Cheng-Chi, L., & Min-Shiang, H. (2006).
ence on Financial Cryptography, London, (LNCS
A password authentication scheme over insecure
1465, pp. 254-274).
networks. Journal of Computer and System Sci-
Blaze, M., Feigenbaum, J., & Keromytis, A. (1998b, ences, 72, 727-740.
April). Keynote: Trust management for public-key
Johnson, D., Perkins, C., & Arkko, J. (2004).
infrastructures. In the 1998 Security Protocols
Mobility support in IPv6 (RFC 3775). Retrieved
International Workshop, Cambridge, England
from http://www.ietf.org/rfc/rfc3775.txt
(LNCS 1550, pp. 59-63).
Karlof, C., & Wagner, D. (2003, May). Secure
Camtepe, S. A., & Yener, B. (2004). Key distribu-
routing in wireless sensor networks: Attacks and
tion mechanisms for wireless sensor networks; A
countermeasures. In Proceedings of the First
survey. (LNCS 3193).
IEEE International Workshop on Sensor Network
Chang, C., Lee, J., & Chang, Y. (2005). Efficient Protocols and Applications (pp. 113-127).
authentication protocols of GSM. Computer Com-
Lloyd, B., & Simpson, W. (1992). PPP authen-
munications, 28(8), 921-928.
tication protocols (RFC 1334). Retrieved from
Du, W., Deng, J., Han, Y. S., Chen, S., & Varsh- http://www.ietf.org/rfc/rfc1334.txt
ney, P. K. (2003, July). A key management scheme
Mcdonald, C. S., & Pirzada, A. A. (2004). Ker-
for wireless sensor networks using deployment
beros assisted authentication in mobile ad-hoc
knowledge (Tech. Rep.), New York: Syracuse
networks. In Proceedings of the 27th Australasian
University. Retrieved from http://www.cis.syr.
Computer Science Conference (ACSC’04) (Vol.
edu/#wedu/Research/paper/ ddhcv03.pdf
26, pp. 41-46).
0
Trustworthy Networks
Patel, A., Leung, K., Khalil, M., Akhtar, H., & Spielman, D. (1995). Computationally efficient
Chowdhury, K. (2005). Mobile node identifier op- error correcting codes and holographic proofs.
tion for mobile IPv6 (RFC 4283). Retrieved from Unpublished doctoral thesis. Retrieved from
http://www.ietf.org/rfc/rfc4283.txt http://www–math.mit.edu/ spielman/PAPERS/
thesis.pdf
Patel, A., Leung, K., Khalil, M., Akhtar, H., &
Chowdhury, K. (2006). Authentication protocol Theodorakopoulos, G., & Baras, J. (2004). Trust
for mobile IPv6 (RFC 4285). Retrieved from evaluation in adhoc networks. In Proceedings of
http://tools.ietf.org/html/rfc4285 the 2004 ACM workshop on Wireless security,
Philadelphia (pp. 1-10).
Pathan, A. K., Lee, H. W., & Hong, C. S. (2006,
February 20-22). Security in wireless sensor Tsai, Y., & Wang, S. (2007). Two-tier authentica-
networks: Issues and challenges. In Proceedings tion for cluster and individual sets in mobile ad hoc
of the 8th International Conference on Advanced networks. Computer Networks, 51(3), 883-900.
Communication Technology (ICACT 2006) (pp.
Wei, L., & Wenye, W. (2005). On performance
1043-1048).
analysis of challenge/response based authentica-
Polishchuk, A., & Spielman, D. A. (1994). Nearly- tion in wireless networks. Computer Networks,
linear size holographic proofs. In Proceedings of 48, 267-288.
the 26th ACM Symposium on Theory of Computa-
YihChun, H., & Helen, J. W. (2005). 2A frame-
tion (STOC) (pp. 194-203).
work for location privacy in wireless networks. In
Rekhis, S., & Boudriga, N. (2005, September). A Proceedings of the ACM Special Interest Group on
temporal logic-based model for forensic investiga- Data Communication (SIGCOMM) Applications,
tion in networked system security. In the 3rd In- Technologies, Architectures, and Protocols for
ternational Workshop on Mathematical Methods, Computer Communications, Asia Workshop.
Models and Architectures for Computer Networks
Yuh-Ren, T., & Cheng-Ju, C. (2006). SIM-based
Security (MMM-ACNS-05), St. Petersburg, Russia
subscriber authentication mechanism for wireless
(LNCS 3685, pp. 325-338).
local area networks. Computer Communications:
Ren, K., Li, T., Wan, Z., Bao, F., Deng, R., & Kim, Monitoring and Measurements of IP Networks,
K. (2004). Highly reliable trust establishment 29(10), 1744-1753.
scheme in ad-hoc networks. Computer Networks:
Zhou, Z., & Yow, K. C. Anonymizing geographic
The International Journal of Computer and Tele-
ad hoc routing for preserving location privacy. In
communications Networking, 45(6), 687-699.
Proceedings of the 3rd International Workshop on
Rigney, C., Rubens, A., Simpson, W., & Willens, S. Mobile Distributed Computing (MDC’05), IEEE
(1997). Remote authentication dial in user service ICDCS.
(RADIUS) (RFC 2058). Retrieved from http://tools.
ietf.org/html/rfc2058
kEy tErMs
Simpson, W. (1996). PPP challenge handshake
authentication protocol (CHAP) (RFC 1994). Re- Authentication: Authentication is the process
trieved from http://www.ietf.org/rfc/rfc1994.txt of attempting to verify the digital identity of the
sender of a communication such as a request to
Singelee, D., & Preneel, B. (2006). Location privacy
log in. The sender being authenticated may be a
in wireless personal area networks. In Proceed-
person using a computer, a computer itself, or a
ings of The 7th International Conference on Web
computer program.
Information Systems Engineering (WiSe’06).
0
Trustworthy Networks
0
0
Chapter XV
The Provably Secure Formal
Methods for Authentication
and Key Agreement Protocols
Jianfeng Ma
Xidian University, China
Xinghua Li
Xidian University, China
AbstrAct
In the design and analysis of authentication and key agreement protocols, provably secure formal methods
play a very important role, among which the Canetti-Krawczyk (CK) model and universal composable
(UC) security model are very popular at present. This chapter focuses on these two models and consists
mainly of three parts: (1) an introduction to CK model and UC models; (2) A study of these two models,
which includes an analysis of CK model and an extension of UC security model. The analysis of CK
model presents its security analysis, advantages, and disadvantages, and a bridge between this formal
method and the informal method (heuristic method) is established; an extension of UC security model
gives a universally composable anonymous hash certification model. (3) The applications of these two
models. With these two models, the four-way handshake protocols in 802.11i and Chinese wireless LAN
(WLAN) security standard WLAN authentication and privacy infrastructure (WAPI) are analyzed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
The Provably Secure Formal Method
The design and analysis of secure key agree- Concurrent composition is a fact of life of real
ments protocols has proved to be a non-trivial task, network settings. Protocols that are proven secure
with a large body of work written on the topic. in the stand-alone model are not necessarily secure
Among the methods for the design and analysis under composition. Therefore, it does not suffice
of key agreement protocols, formal methods have to prove that a protocol is secure in the stand-alone
always been a focused problem in the international model. UC security model proposed by Canetti in
investigation of cryptography. Over the years, 2001 (Birgit & Michael, 2001) is for representing
two distinct views of formal methods, symbolic and analyzing cryptographic protocols under con-
logic method and computational complexity current circumstance (Yeluda, 2003). The salient
method, have developed in two mostly separate property of definitions of security in this framework
communities (Martin & Phillip, 2002). The sym- is that they guarantee security even when the given
bolic logic method relies on a simple but effective protocol is running in an arbitrary and unknown
symbolic formal expression approach, in which multi-party environment. An approach taken in
cryptographic operations are seen as functions this framework is to use definitions that treat
on a space of symbolic formal expressions (e.g., the protocol as stand-alone but guarantee secure
BAN, communicating sequential processes [CSP], composition. Security in complex settings (where a
NRL) (Wenbo, 2004). The other one, computational protocol instance may run concurrently with many
complexity method, relies on a detailed computa- other protocol instances, or arbitrary inputs and in
tional model that considers issues of complexity an adversary controlled way) is guaranteed via a
and probability of successful attacks, in which general composition theorem. On top of simplifying
cryptographic operations are seen as functions the process of formulating a definition and analyz-
on strings of bits. ing protocols, this approach guarantees security in
Provably secure formal method, which is based arbitrary protocol environments, even unpredict-
on the computational complexity method, is a very able ones that have not been explicitly considered.
hot research point at present. Its salient property The abstract level of UC security goes far beyond
is that the security protocols designed by them other security models, therefore, it tends to be
are provably secure. Among the provably secure more restrictive than other definitions of security.
formal methods, CK model and UC security model The most outstanding nature of UC framework is
are very popular. its modular design concept: may alone design a
In 2001, Canetti and Krawczyk presented the protocol, so long as the protocol satisfies the UC
CK model for the formal analysis of key-exchange security, it can be guaranteed secure while runs
(KE) protocols. A session-key security definition concurrently with other protocols.
and a simple modular methodology to prove a This chapter focuses mainly on the introduction,
KE protocol with this definition are introduced analysis, and applications of these two provably
in this model. One central goal of the CK model secure formal methods. The rest of this chapter
is to simplify the usability of the definition via a is organized as follows. The next section, the CK
modular approach to the design and analysis of model and the UC security model are introduced.
KE protocols. It adopts the indistinguishability In the third section, we analyze the security of the
approach (Bellare, Canetti, & Krawczyk, 1998) to CK model. A bridge between this formal method
define security: A KE protocol is called secure if and the informal method (heuristic method) is
under the allowed adversarial actions it is infeasible established. What is more, the advantages and
for the attacker to distinguish the value of a key disadvantages of the CK model are given. In
generated by the protocol from an independent the Universally Composable Anonymous Hash
random value. The security guarantees that result Certification Model section, an extension of the
from the proof by the CK model are substantial as UC security model is presented. The UC security
they capture many of the security concerns in the model fails to characterize the special security
real communications setting. requirements of anonymous authentication with
The Provably Secure Formal Method
other kind of certificates. Therefore the UC security exists) is said to be matching to the session (A, B,
model is extended, and a new model—Universally X, Y). Matching sessions play a fundamental role
Composable anonymous hash certification model in the definition of security (Canetti & Krawczyk,
is presented. In this model, an anonymous hash 2001).
certification ideal function is introduced, which
fulfills the identity authentication by binding Attacker Model
the identity to special hash values. In addition, a
more universal certificate CA model is presented, The attacker is modeled to capture realistic attack
which can issue the certificate with specific form capabilities in open networks, including the control
(for example hash value). In the fifth section, we of communication links and the access to some
analyze the four-way handshake protocol in 802.11i of the secret information used or generated in the
with the CK model and UC security model. In protocol. The attacker, denoted M, is an active
sixth section, first, the authentication modules in “man-in-the-middle” adversary with full control
the Chinese WLAN national standard WAPI and of the communication links between parties. M
its implementation plan are analyzed with the CK can intercept and modify messages sent over these
model. Then we point out that how the implemen- links, it can delay or prevent their delivery, inject
tation plan overcomes the security weaknesses in its own messages, interleave messages from dif-
the original WAPI. The last two sectionscontain ferent sessions, and so forth. (Formally, it is M to
the future trends and conclusions. whom parties hand their outgoing messages for
delivery.) M also schedules all session activations
and session-message delivery. In addition, in order
bAckground ovErvIEw to model potential disclosure of secret information,
the attacker is allowed access to secret information
Definition 1: Key-agreement protocol via session exposure attacks (a.k.a. known-key
(Menezes, Van Oorschot, & Vanstone, 1996). attacks) of three types: state-reveal queries, ses-
A key-agreement protocol or mechanism is a key sion-key queries, and party corruption.
establishment technique in which a shared secret
is derived by two (or more) parties as a function • State-reveal query: A state-reveal query
of information contributed by, or associated with, is directed at a single session while still in-
each of these, (ideally) such that no party can pre- complete (i.e., before outputting the session
determine the resulting value. key) and its result is that the attacker learns
The CK model and UC security model are very the session state for that particular session
popular provably secure formal methods for key- (which may include, for example, the secret
agreement protocols at present. In this section, these exponent of an ephemeral Diffie-Hellman
two security models are introduced respectively, algorithm (DH) value but not the long-term
and the relationship between the security defini- private key used across all sessions at the
tions in these two models is also given. party).
• Session-key query: A session-key query can
the canetti-krawczyk Model be performed against an individual session
after completion and the result is that the
A KE protocol is run in a network of interconnected attacker learns the corresponding session
parties where each party can be activated to run key.
an instance of the protocol called a session. A KE • Party corruption: Party corruption means
session is a quadruple (A, B, X, Y) where A is the that the attacker learns all information in
identity of the holder of the session, B the peer, X the memory of that party (including the
the outgoing messages in the session, and Y the long-term private key of the party as well
incoming messages. The session (B, A, Y, X) (if it all session states and session keys stored
The Provably Secure Formal Method
at the party); in addition, from the moment generated by protocol p. The attacker M is not al-
a party is corrupted all its actions may be lowed state-reveal queries, session-key queries, or
controlled by the attacker. Indeed, note that party corruption on the test-session or its matching
the knowledge of the private key allows the session. At the end of its run, M outputs a bit b'
attacker to impersonate the party at will. (as its guess for b).
An attacker that is allowed test-session queries
Three Components in CK Model is referred to as a KE-adversary.
Definition 2: Session-key security. A KE
• The unauthenticated–links adversarial protocol p is called session-key secure (or SK-
model (UM): UM is the real network environ- secure) if the following properties hold for any
ment, the attacker in this model is an active KE-adversary M:
one. It has all the attack ability mentioned
previously. 1. Protocol p satisfies the property that if two
• The authenticated-links models (AM): uncorrupted parties complete matching ses-
The adversarial model called AM is defined sions then they both output the same key;
in a way that is identical to the UM with and
one fundamental difference: The attacker is 2. The probability that M guesses correctly the
restricted to only delivering messages truly bit b (i.e., outputs b' = b) is no more than 1/2
generated by the parties without any change plus a negligible fraction e in the security
or addition to them. parameter. e is called “advantage.”
• Authenticators: Authenticators are special
algorithms which act as automatic “compli- the universal composable Model
ers” that translate protocols in the AM into
equivalent (or “as secure as”) protocols in Universally composable security is a framework
the UM. Now there are two kinds of au- for defining the security of cryptographic protocols
thenticators, one is based on the public key (Canetti, 2001). In this framework, an uncorrupt-
digital signature, the other one is based on able ideal functionality F which can provide a
~
the message authentication code (Bellare et certain service, a set of dummy parties P and an
al., 1998). ideal adversary S are defined respectively. Only
~
the dummy parties P and ideal adversary S can
With the CK model, one can firstly design and access ideal functionality F, each dummy party
analyze a protocol in AM, then transforms these can not communicate directly with the others, and
protocols and their security assurance to the real- the ideal adversary can corrupt any dummy party
istic UM by using an authenticator. at any time. The ideal adversary S is informed of
when a message is sent, but not of the content, it is
Definition of Session-Key Security allowed to delay the delivery of such a message, but
not change its content. On the other hand, an actual
In addition to the regular actions of the attacker protocol p that can achieve the special service, a
M against a KE protocol p, he/she can perform set of real parties P, and a real-world adversary A
a test session query. That is, at any time during are correspondingly defined. Each real party can
its run, M is able to choose, a test-session among communicate with the others directly and the real-
the sessions that are completed, unexpired, and world adversary A can control all communications
unexposed at the time. Let k be the value of the among them, meaning that A can read or alter all
corresponding session key. We toss a coin b, b messages among the real parties, what is more, A
←
R
{0,1}. If b = 0 we provide M with the value can also corrupt any real party at any time. An
k. Otherwise we provide M with a value r randomly environment Z is defined in the UC framework
chosen from the probability distribution of keys that can simulate the whole external environment;
The Provably Secure Formal Method
The Provably Secure Formal Method
HYBFp, A, ≈ F
, HYBp A,Z , I
entities, is called an authentication and key-agree-
ment (AKA) protocol.
Definition 8: Key confirmation (Menezes
Protocol p is said to have the ACK property if
et al., 1996). Key confirmation is the property
there exists a good internal state simulator for p.
whereby one party is assured that a second (pos-
sibly unidentified) party actually has possession
• Theorem 1: Let p be a KE protocol that has
of a particular secret key.
the ACK property and is SK-secure; then p
Definition 9: Explicit key authentication
is UC-secure (Canetti & Krawczyk, 2002).
(Menezes et al., 1996). Explicit key authentication
is the property obtained when both (implicit) key
authentication and key confirmation hold.
sEcurIty AnAlysIs of tHE A key-agreement protocol which provides
cAnEttI-krAwczyk ModEl explicit key authentication to both participating
entities is called authenticated key agreement
In the past 20 years, researchers have made a lot with key confirmation (AKC) protocol (Menezes
of efforts in designing and analyzing KE protocols et al., 1996).
(Diffie & Hellman, 1976; Diffie, Van Oorschot, & A secure key-agreement protocol should be
Wiener, 1992; Krawczyk, 1996; Shoup, 1999), they able to withstand both passive attacks and active
realize that the potential impact of the compromise attacks. In addition to implicit key authentication
of various types of keying material in a key-agree- and key confirmation, a number of desirable se-
ment protocol should be considered, even if such curity attributes of key-agreement protocols have
compromise is not normally expected (Menezes been identified (Law, Menezes, Qu, Solinas, &
et al., 1996). So some desirable security proper- Vanstone, 1998).
ties that a key-agreement protocol should have are
identified. Such security properties include perfect 1. (Perfect) forward secrecy: If long-term
forward security (PFS), loss of information, known- private keys of one or more entities are com-
key security, key-compromise impersonation, promised, the secrecy of previous session keys
unknown-key share, key control, and so on. established by honest entities is not affected
The main goal of the CK model is to design (Menezes et al., 1996).
and analyze key-agreement protocols. Then what 2. Loss of information: Compromise of other
is the relationship between the CK model and the information that would not ordinarily be
desirable security attributes for a key-agreement available to an adversary does not affect the
protocol? This is the main motivation of this sec- security of the protocol. For example, in Dif-
tion. fie-Hellman type protocols, security is not
ss
comprised by loss of i j (where Si represents
Properties of key-Agreement entity i’s long-term secret value) (Blake-Wil-
Protocols son, Johnson, & Menezes, 1997).
3. Known-key security: A protocol is said
Definition 7: (Implicit) key authentication to be vulnerable to a known-key attack if
(Menezes et al., 1996). Key authentication is the compromise of past session keys allows either
property whereby one party is assured that no a passive adversary to compromise future
other party aside from a specifically identified session keys, or impersonation by an active
second party (and possibly additional identified adversary in the future (Law et al., 1998).
trusted parties) may gain access to a particular 4. Key compromise impersonation: Suppose
secret key. A’s long-term private key is disclosed. Clearly
A key-agreement protocol, which provides an adversary that knows this value can now
implicit key authentication to both participating impersonate A, since it is precisely this value
The Provably Secure Formal Method
that identifies A. However, it may be desirable to investigate the security properties of PFS and
that this loss does not enable an adversary to known-key security.
impersonate other entities to A (Law et al.,
1998). Advantages and disadvantages of
5. Unknown key-share: Entity A cannot be co- the ck Mode
erced into sharing a key with entity B without
A’s knowledge, that is, when A believes the Advantages of the CK Model
key is shared with some entity C ≠ B, and B
(correctly) believes the key is shared with A Why is the CK Model Applicable for Designing
(Law et al., 1998). and Analyzing Key-Agreement Protocols?
6. Key control: Neither entity should be able to First, the indistinguishability between the session
force the session key to a preselected value key and a random number is used to achieve the
(Law et al., 1998). SK-security of a key-agreement protocol in the AM.
If an attacker can distinguish the session key from
the relationship between the a random number with a non-negligible advantage,
ck Model and the desirable secure a mathematics hard problem will be resolved. Ac-
Attributes cording to the reduction to absurdity, a conclusion
can be gotten: no matter what methods are used
• Theorem 2: A key-agreement protocol designed by the attacker (except party corruption, session
and proved secure by the CK model offers state reveal and session key query), he/she cannot
almost all the desirable security properties distinguish the session key from a random number
mentioned above except key control (Li, Ma, with a non-negligible advantage. So the protocol
& Moon, 2005). designed and proved secure by the CK model can
resist known and even unknown attacks.
The Relationship Between the Security Second, the CK model employs authenticators
Attributes and the Two Requirements of to achieve the indistinguishability between the
SK-Security protocol in the AM and the corresponding one in
the UM. Through this method, the consistency
In the CK model, some security attributes can be requirement of SK-security is satisfied.
ensured by the first requirement of SK-security, From the previous analysis, it can be seen that
while others by the second requirement. In the fol- this model is a modular approach to provably
lowing, Theorem 3 and Theorem 4 are presented secure protocols. With this model, we can easily
for a detailed explanation: get a provably secure protocol which can offer
almost all the desirable security attributes. And
• Theorem 3. The first requirement of SK-secu- the CK model has the composable characteristic
rity guarantees a protocol to resist imperson- and can be used as an engineering approach (Bel-
ation attacks and unknown key-share attacks lare & Rogaway, 1993; Mitchell, Ward, & Wilson,
(Li et al., 2005). 1998). Therefore, it is possible to use this approach
without a detailed knowledge of the formal models
• Theorem 4. The second requirement of SK- and proofs, and is very efficient and suitable for
security guarantees a protocol to offer PFS, applications by practitioners.
known-key security (Li et al., 2005).
Disadvantages of the CK Model
It should be noticed that the first requirement
is the precondition of SK-security. Only under Though the CK model is suitable for the design
the consistency condition, does it make sense and analysis of key-agreement protocols, it still
has some weaknesses as follows:
The Provably Secure Formal Method
1. The CK model cannot detect security weak- protocol. But this model still has weaknesses. So
nesses that exist in key-agreement protocols, when the CK model is employed to design a key-
however some other formal methods have this agreement protocol, we should pay attention to the
ability, such as the method based on logic possible flaws in the protocol that may result from
(Burrows, Abadi, & Needham, 1990) and the weaknesses of CK model.
the method based on state machines (Tin,
Boyd, & Nieto, 2003). But the CK model
can confirm the known attacks, that is, this A unIvErsAlly coMPosAblE
model can prove that a protocol that has been AnonyMous HAsH cErtIfIcAtIon
found flaws is not SK-secure. ModEl
2. In the aspect of the forward secrecy, the CK
model cannot guarantee that a key-agreement The essence and difficulty of UC security protocol
protocol offers forward secrecy with respect design lays in the formalization and abstraction
to compromise of both parties’ private keys; of a perfect ideal functionality which can be real-
it can only guarantee the forward secrecy of ized securely. We consider the special security
a protocol with respect to one party. In ad- requirements for ideal anonymous authentication,
dition, in ID-based systems this model lacks define the security notions for them, and realize an
the ability to guarantee the key generation anonymous hash certification ideal functionality
center (KGC) forward secrecy because it does FCred in a universally composable security sense,
not fully consider the attacker’s capabilities and present a more universal certificate CA model
(Canetti & Krawczyk, 2002). FHCA (Canetti, 2004), which can issue anonymous
3. From Theorem 2, we know that protocols hash certificates.
which are designed and proved secure by the
CK model cannot resist key control, which
Anonymous Hash Certification Ideal
is not fully consistent with the definition of
functionality FCred
key agreement (Blake-Wilson et al., 1997).
4. A key-agreement protocol designed and
We use Merkle tree to build the hash chain, which
proved secure by the CK model cannot be
is constructed from each leaf up to the root of
guaranteed to resist denial-of-service (DoS)
the tree. For each unit of the chain, it contains a
attacks. However DoS attacks have become a
value and an order bit which identities whether
common threat in the present Internet, which
the given value should be concatenated from the
have brought researchers’ attention (Burrows
left or the right.
et al., 1990; Meadows, 1996).
A hash chain is said to be valid under a
5. Some proofs of the protocols with the CK
collision-free hash function H if h0 = ho' and
model are not very credible because of the
hd' −1 = v , hi'−1 = H (hi || hi' ) / H (hi' || hi ) for o i = l/r,
subtleness of this model. For example, the
where i=d-1,d-2,…,1. It is written as isvalid(h)
Bellare-Rogaway three-party key-distribu-
= 1. We also define several other functions,
tion (3PKD) protocol (Bellare & Rogaway,
for instance, root(h) is to choose the root of a
1995) claimed proofs of security, but it is
hash chain, leaf(h) is to return the value of a
subsequently found flaws (Choo & Hitchcock,
leaf node of path h, buildtree H (C) is to build
2005).
a Merkle tree with the values of set C, and
getchainT (e) is to capture the path of node e.
We know that a protocol designed and proved
secure by the CK model can offer almost all the
security attributes, and this model has the modular Security Requirements of FCred
and composable characteristics, so it is very practi-
cal and efficient for the design of a key-agreement Definition 10. Let k be a security parameter
and e(k) be a negligible function on k. Let s be a
The Provably Secure Formal Method
signature key, v be a verification key. We say that c is the encrypted real identity of the subscriber, Pi
an anonymous hash certification protocol satisfies is the owner identity of the credential, k is the secret
the security requirements if the following proper- information, that is, the hash pre-images, with its
ties hold: length is k2, h is the Merkle hash chain path of this
credential. The value of this credential is defined
Completeness. For any valid credential (c, pi, as valH (ci ) = c || H (k1 ) || H (k2 ) || || H (kk 2 ) .
k, h), A counter t that is initialized to 0 and is used to
Prob[( s, v) ← gen(1k );0 ← Verify index credential ci that has been issued in period i.
Credential (c, z , k , p j , h, , v)] < (k ) , A set of credential C = È ci and a set of credential
where σ is the signature of root(h). to be used Tprepared are initialized to f.
then return
The Provably Secure Formal Method
3. Signature verification
(Verify Credential , ps , c, p j , invalid )
i
(Check Reuse, ps , c, yes ) 1. If q' = q and there exists the record (m, , ,1) ,
to ps. (end) set f = 1.
2. If q' = q, P has not yet been corrupted by S,
construction of uc-secure and there exists no record such that (m, ' , ,1)
Anonymous Hash Certification for ∀σ', set f = 0.
Protocol 3. If q' ≠ q and there exists the record (m, , ' , f ' ) ,
set f = f '.
In this section, we present a simple protocol 4. Else, set f = f, then records (m, , ' , ) .
that realizes FCred given FSIG, with the aid of ide-
ally authenticated communication with a “trusted • Hands (Verified, P, m, f ) to V. (end)
anonymous hash certificate authority.” This set-up
assumption is formalized as an ideal functional- Then the anonymous hash certificate authority
ity FHCA . Functionality FHCA is presented as follows.
Firstly we modify the definition of FSIG (Canetti,
2004; Michael & Dennis, 2004) as follows. 1. Key generation
Upon reception of the message (GenerateKey)
1. Key generation from ASU, send (KeyGen, ASU) to the adver-
sary S, upon receiving (Verification Key, ASU,
Upon reception of (KeyGen, P) from P: encryption key, k) from S, records (ASU, v, k)
and return (Verification Key, ASU, v).
• Sends (KeyGen, P) to the adversary S. 2. Identity Encryption
• After receiving the message (Verifica- Upon reception of the message (Identity encryp-
tionKey, P, q) from S, records (P, q) and tion, pi) from pi, proceed as follows:
sends (VerificationKey, P, q) to P. 1. Verify that pi is in the member list. If
not, return (Not A Member, pi) and quit.
2. Signature generation 2. Else, send (Identity encryption, pi) to the
adversary S, receive the encryption
Upon reception of (Sign, P, m) from P: identity c of pi, return (Encrypted identity,
pi, c).
• Sends (Sign, P, m) to S. 3. Credential generation
• After receiving the message Upon reception of the message (Credential
(Signature, P, m, σ) from S, looks for generation, pi, (c, pi, k, z)) from pi, send this
the record (m, , , 0 ). If it is found, sends message to the adversary, and wait for an OK
an error message to P and halts. Else, sends from the adversary. Then, Store credential e =
( Signature, P, m, ) to P and then records (c, pi, k, f) into set Ct, return (S, New Credential,
(m, , , 0 ). pi) and (pi, New Credential, c, z) to S.
The Provably Secure Formal Method
8. Reveal ID (c, z , k1 , k2 , h, , p j1 , p j2 ) ,
Upon reception of the message (Reveal ID, ASU, 2. It executes
c) from ASU, find a credential (c, p, ., .) in set ~
0
The Provably Secure Formal Method
S
Z’
~ P1 ~
P0 P0 P1
S
A
FCr ed
The Provably Secure Formal Method
The Provably Secure Formal Method
algorithm used by the supplicant and not involves SPA} || Max{AA, SPA} || Min{ANonce, SNonce}
the protocol itself. || Max{ANonce, SNonce}), and divided into Key
In this section, we give a formal analysis of the Confirmation Key (KCK), Key Encryption Key
four-way handshake. The results show that four- (KEK), and Temporary Key (TK). Note that the
way handshake protocol is secure not only in the MIC is actually calculated with KCK, which is
CK model, but also in the UC security model. So only part of PTK.
it can be securely used as the basic model of the
authentication and key agreement of WLAN. the security Analysis of four-way
Handshake Protocol
the four-way Handshake Protocol in
802.11i According to the thought of CK model, we extract
the protocols 4WHSAM in AM and the authentica-
In 802.11i, once a shared pairwise master key tor λ prf. We can further analyze that whether the
(PMK) is agreed upon between the authenticator protocol 4WHSAM is SK-secure in the AM λ prf. or
and the supplicant, the authenticator may begin a the protocolis an effective MT-authenticator or not,
four-way handshake by itself or upon request from thus we can draw the conclusion that whether four-
the supplicant. The message exchange is shown, at way handshake protocol can satisfy the definition
an abstract level, in Figure 3. S represents the Sup- of SK-security in the UM or not.
plicant and A represents the Authenticator; SPA and
AA, SNonce and ANonce, represent the message Protocol 4wHsAM
authentication code (MAC) address and nonces of
the supplicant and authenticator, respectively; sn is This protocol is described as follows:
the sequence number; msg1, 2, 3, 4 are indicators 1. Both players pre-share a key kij.
of different message types; MICPTK{} represents 2. The initiator pi, on input (pi, pj, s), chooses
the message integrity code (MIC) calculated for the ri ←R
{0,1}kand sends (pi, s, ri) to pj;
contents inside the bracket with the fresh pairwise
transient key (PTK). While MAC is commonly 3. Upon receipt of (pi, s, ri), the responder pj
used in cryptography to refer to a MAC, the term {0,1} , where rj ≠ri, and sends
k
chooses rj ← R
MIC is used instead in connection with 802.11i (pj, s, rj, tj) to pi. Then pj outputs session key
because MAC has another standard meaning, prf kij (ri, rj).
medium access control, in networking.
The fresh PTK is derived from the shared 4. Upon receipt of (pj,s, rj) player pj outputs
PMK through a pseudo random function with session key prf kij (ri, rj).
output length X (PRF-X), say, PTK = PRF-
X(PMK, “Pairwise key expansion” || Min{AA,
The Provably Secure Formal Method
The Provably Secure Formal Method
Since the first case happens with probability Proof. To prove the ACK property for 4WHS
1
, we construct the following internal state simula-
L
tor I. Recall that before 4WHS actually generates
while the second case happens with probability output, the local state of the first party (pi in the
1- 1 , aforementioned description) consists of (k1, k2,s,
L
pi, pj). The internal state of the other party (pj in
the overall probability of D to guess correctly is the aforementioned description) is identical (its
1
internal state, like k0, has been erased). The output
1
PR= (0.5+δ) + + 0.5 × (1- )= 0.5+ L of I, given (k1, s, pi, pj) will be l pi=l pj=(k1, rI, s,pi,
L L
pj), where rI is a random value of the same length
Thus D succeeds in distinguishingfromwith as k2. (Consequently, when the internal states of
non-negligible advantage, which is conflict to pi and pj are replaced with l pi and lpj respectively,
the Assumption that the pseudorandom function the added protocol message will be computed and
is secure. So the protocol 4WHSAM satisfies the verified as MACRI (s, ri) rather than MACK 2 (s,
property 2 of Definition SK-security. ri). Next we proof that I is a good internal state
Thus the protocol 4WHSAM is SK-secure without simulator.
PFS in the AM. # Le F be an ideal functionality which can se-
curely realize key exchange and A be an adversary.
Authenticator λprf If I is not a good internal state simulator, then
the environment Z can distinguish between an
Theorem 7. Assume that the pseudorandom func- interaction with A and 4WHS and an interaction
tion and MAC in use are secure against chosen with A and the above transformed protocol(replace
message attacks. Then protocol λ prf emulates the internal states of pi and pj with the outputs of
protocol MT in unauthenticated networks. (Fan I) with a non-negligible advantage . The only
et al., 2007). difference between the protocol resultant from
the aforementioned transformation and 4WHS is
the security Analysis of four-way the replacement of k2 with rI. So if I is not a good
Handshake Protocol in the uM internal state simulator, then Z can distinguish
between rI and k2 with a non-negligible advantage.
We have proved that the protocol 4WHSAM is SK- If the adversary can distinguish between k2and a
Secure without PFS in the AM, and the protocol random value with a non-negligible advantage,
λ prf is a MT-Authenticator, thus we get the result where k2=sec ond n2(k0), then he/she can distinguish
of security analysis of 4WHS in the UM. between k0 and a random value with a non-negli-
Theorem 8. If the pseudorandom function and gible advantage. As we have proved that 4WHS is
MAC function in use are secure against chosen SK-secure, thus the adversary cannot distinguish
message attacks, protocol four-way handshake is between k1 (k1= firstn1 (k0) ) and a random value
SK-Secure in the UM. with a non-negligible advantage, well then he/she
cannot distinguish between k0 and a random value
with a non-negligible advantage, which reaches a
the four-way Handshake Protocol is
contradiction. So the environment Z cannot distin-
uc-secure
guish between an interaction with (A, 4WHS) and
(A, the transformed protocol) with a non-negligible
We have proved that 4WHS is SK-secure. Accord-
advantage, thus we have
ing to Definition 6, now we prove that it has the
HYB F ,A,Z ≈ HYB F ,A,Z,I and I is a good internal
ACK property, thus also satisfies the definition of
state simulator for 4WHS. According to Definition
UC-secure.
6 and theorem 1, we know that 4WHS has the ACK
Theorem 9. The protocol 4WHS has the ACK
property and is UC-secure. #
property.
The Provably Secure Formal Method
According to Theorems 8, 9, and 1, we get security is undoubtedly the focus. But as far as
Theorem 10. we know, up to now, there are no articles that
systemically analyze the security of WAPI and
• Theorem 10: If the pseudorandom func- its implementation plan, which is imperfect for a
tion and MAC function in use are secure national standard. This contribution discusses the
against chosen message attacks, proto- security of WAPI and its implementation plan with
col four-way handshake is UC-Secure. the CK model. It has three contributions: (1) the
# security weaknesses of WAI in WAPI are given;
(2) the WAI module in the implementation plan
is proved secure in the CK model; and (3) how
tHE sEcurIty AnAlysIs of the implementation plan overcomes the security
cHInEsE wlAn sEcurIty weaknesses of the original WAPI is pointed out.
stAndArd wAPI wItH tHE ck The analysis results can help us understand the
necessity of the implementation plan and enhance
ModEl
the confidence of it. At the same time, as a case
study, their analysis is helpful for the design of a
The Chinese WLAN standard WAPI (GB 15629.11-
secure key-agreement protocol.
2003) (National Standard of the People’s Republic
of China, 2003), the first issued Chinese standard in
the field of WLAN, has been formally implemented wAIs in wAPI and its Implementation
since November 1, 2003. WAPI is composed of two Plan
parts: WAI and wireless privacy infrastructure
(WPI). They realize the identity authentication and WAI adopts port-based authentication architecture
data encryption, respectively. In March of 2004, that is identical with IEEE 802.1X. The whole sys-
China IT Standardization Technical Committee tem is composed of mobile guest STA, access point
drafted out a new version, WAPI implementation (AP), and authentication service unit (ASU).
plan (National Standard of the People’s Republic of
China, 2004), which improves the original standard WAI in WAPI
WAPI. Compared with the original standard, the
greatest change the implementation plan made lies The interaction procedure of WAI in the original
in the WAI module. national standard WAPI is shown in Figure 4.
As a national standard which is about to be From this figure, we can see that WAI is composed
deployed and implemented on a large scale, its of two parts: certificate authentication and key
agreement.
A uthentication A ctivation
The Provably Secure Formal Method
1. Certificate authentication. In this process, 1. In the implementation plan, the key agreement
station (STA) sends its public key certificate request has to be initiated by AP. At the same
and access request time to the access point time, the secure parameter index SPI, AP’s
(AP) in the access authentication request. signature on the encrypted random value and
AP sends its certificate, STA’s certificate, SPI are included in this request. The signature
STA’s access request time, and its signature algorithm is ECDSA.
on them to authentication service unit (ASU) 2. In the key agreement response, SPI and the
in certificate authentication request. After STA’s MAC on encrypted random and SPI
ASU validates AP’s signature and the two are included. The MAC is computed through
certificates, it sends the certificates validation HMAC-SHA256 algorithm.
result, STA’s access request time, and ASU’s 3. The keys derivation method is different. STA
signature on them to STA and AP. and AP first calculate the host key k= r11⊕r2,
2. Key agreement. then extend k with KD-HMAC-SHA256
algorithm to get the session key kd, the
Figure 5. The key agreement in the WAI of WAPI authentication key ka and integration check
key.
The Provably Secure Formal Method
SPI=the MAC of the STA||the BSSID of the AP||the time of authentication request
Let us analyze this attack in the CK model. In to get r2 . Then he/she can get the session key of
the previous attack, the KE-adversary chooses the test session: k=r1 ⊕ r2. Thus the attacker can
the session in STA as the test session and expose impersonate AP to STA. According to Definition
the session in AP (because these two sessions are 2, this protocol is not SK-secure.
not matching sessions, the session in AP can be
exposed). Because STA and AP get a same session 3. It does not realize the explicit identity
key, the KE-adversary can completely get the ses- authentication of STA and perhaps lead
sion key of the test session. According to Definition to the faulty charge.
2, this protocol is not SK-secure. And Diffie et al.
(1992) can be referred to for the consequences of From the WAI process, we can see that it does
this attack. not realize the explicit identity authentication of
STA to AP. An attacker can pass the certificate
2. Its key agreement protocol cannot resist authentication and access the networks only if
key-compromise impersonation (KCI) he/she gets a legal user’s certificate, which will
attack. lead to the faulty charge if the networks charge
the fee according to the access time.
Let us analyze this attack in the CK model.
First, we assume that STA’s private key is com- the security Analysis of wAI in the
promised and the attacker chooses the session in Implementation Plan
STA as the test session after STA complete the
matching sessions with AP. The attacker can first In the certificate authentication, AP makes signa-
corrupt another mobile guest STA’ and imperson- ture in the certificate authentication request, and
ates him/her to send message ENC(PK AP, r1) to ASU makes signature in the certificate authentica-
AP. We denote the session between STA’ and AP tion response. Both these signatures include STA’s
as SID’. When AP receives this message from access request time which ensures the freshness
STA’, he/she chooses another random value r3 of the signatures. Therefore ASU can authenticate
and responds with ENC(PKSTA’, r3). AP computes AP’s identity and STA can authenticate ASU’s
its session key of SID’ k’= r1 ⊕ r3. The attacker identity. In addition, STA trusts ASU. So STA can
can expose this session and get k’ (this session is authenticate the identity of AP after the certificate
not the matching session of the test session). In authentication. At the same time, AP authenticates
addition, the attacker can decrypt ENC(PKSTA’, r3) the certificate provided by STA.
to get r3. Thus he/she can get r1= k’ ⊕ r3. In addi- The key-agreement protocol in WAI of imple-
tion, the attacker can also decrypt ENC(PKSTA, r2) mentation plan is denoted by π. In the following,
The Provably Secure Formal Method
The Provably Secure Formal Method
that the attacker can forge an acknowledgment a random value with a non-negligible advantage.
message with a non-negligible probability dur- Based on this ability, B also can distinguish k '' =
ing the run of the protocol π. That is, he/she can r1 ⊕ r from a random value with a non-negligible
choose a random value (say r3) and forge a message advantage. This is because r in the k '' is selected
authentication code that AP can validate. Then B by the attacker himself, which makes the difficulty
takes advantage of this ability to run the game that he/she distinguishes k '' from a random value
above. In Phase 1, he/she also chooses r3 as the no bigger than that he/she distinguishes k from a
random value r in the triple, while selects c and t random value. It is assumed that the advantage
randomly. Then, in Phase 2, he/she can work out that B distinguishes k" from a random value is η2,
HMAC-SHA256k '' (t * )because this value is same as then η2 ≥η1. And because ka'' = last(KD-HMAC-
a ''
the forged message authentication code in the key SHA256( k '' ), B can get ka . Further, he/she can work
agreement acknowledgment. Therefore the attacker out HMAC-SHA256k '' (t * ) with a non-negligible
a
can distinguish HMAC-SHA256k '' (t * ) from s* and probability, which enables the attacker to win
a
guess correctly b in Phase 4, thus wins the game, the encryption game. That means the encryption
which indicates that the encryption scheme is not scheme is not secure against CCA2 attack. This
CCA2-secure. This contradicts with the presup- contradicts the presupposition. So the attacker B
position. So during the run of the protocol π, the can not get k with a non-negligible probability.
attacker cannot forge a key agreement acknowledg- Then this method is not practical.
ment with a non-negligible probability. As for the second method, there are two strate-
Therefore STA and AP will complete matching gies that the attacker can take. (1) After STA and
sessions and get a same session key at the end of AP complete the matching sessions, the attacker B
protocol π, if ENC is CCA2-secure. # establishes a new session with AP or STA. But the
Lemma 2. If the encryption scheme ENC is session key of this session will not be kd, because
secure against the CCA2 attack, the attacker can- the encrypted random value is chosen randomly
not distinguish the session key kd from a random by AP or STA. (2) When AP and STA perform
value with a non-negligible advantage. the key agreement, B intervenes this negations
Proof. It is assumed that the attacker B can and makes them get a same session key without
distinguish the session key kd from a random the completion of the matching sessions. That is,
value with a non-negligible advantage 1 . In the STA and AP get a same session key but they do not
CK model, the KE-attacker is not permitted to complete matching sessions. Then the attacker can
corrupt the test session or its matching session, get the test session key by breaking the unmatching
so the attacker B cannot directly get the session session that has the same session key. But from
key kd from the attack of π. While kd =first(KD- Lemma 1, we know that if the encryption scheme
HMAC-SHA256(k)) (The first( ) is a function that ENC is secure against the CCA2 attack, B cannot
extracts out the first sixteen bytes from a bit string), succeed in this intervention. So this method is not
so the attacker B has only two possible methods feasible either.
to distinguish kd from a random value. The first Let us sum up the previous analysis. The attacker
one: B learns k. The second one: B succeeds in B neither can get the host key k, nor can he/she
forcing the establishment of a session (other than force to establish a new session with STA or AP
the test session or its matching session) that has that has the same session key as the test session.
the same key as the test session. In this case B can So the attacker cannot distinguish the session key
learn the test session key by simply querying the kd from the random value with a non-negligible
session with the same key, and without having to advantage. #
learn the value k. In the following, we prove that
neither of these two methods is feasible. Theorem 11. If the encryption scheme ENC
The first method means that, from the attack adopted is secure against CCA2 attack, then π is
of π, the attacker can distinguish k"= r1 ⊕ r from SK-secure without PFS.
0
The Provably Secure Formal Method
Proof. According to Lemma 1 and Lemma 2, plan can resist the UKS attack are that: (1) the
we know that STA and AP will get a same ses- implementation plan requires that the key agree-
sion key after the key agreement and the attacker ment request be sent from AP; (2) AP’s signature
cannot distinguish the session key from a random includes SPI which includes the destination entity’s
value with a non-negligible advantage. Then in address.
accordance with Definition 2, the protocol π is 2. The key-agreement protocol in the WAI of
SK-secure. the implementation plan can resist the KCI
In addition, if the private keys of STA and AP attack. KCI attacks for the protocol π have two
are compromised, the attacker can get the random manners. The first one is that AP’s private key is
values exchanged and can work out all the ses- compromised and the attacker can impersonate
sion keys that have been agreed about. Thus this STA to AP. The second one is that STA’s private
protocol cannot provide PFS. So we can get that key is compromised and the attacker can imperson-
the key-agreement protocol is SK-secure without ate AP to STA. In the following, we will discuss
PFS. # these two cases respectively.
If AP’s private key is compromised, the attacker
the Implementation Plan overcomes can decrypt ENC(PK AP, r2) to get r2. In order to
the weaknesses of the original wAPI get r1, he/she just has two possible methods: (1)
attacks the encryption algorithm ENC; and (2)
We know that WAI in the original WAPI has some impersonates other entity to establish another ses-
security weaknesses. But WAI in the implementa- sion with STA, and sends ENC(PKSTA,r1) to STA,
tion plan is secure in the CK model, and according then the attacker exposes this session and gets r1
to Li et al. (2005), we get that the WAI module of through some computations. But neither of these
the implementation plan can resist KCI attack and two methods is feasible. For the first method, we
UKS attack. In the following, we will analyze how know that if the encryption algorithm ENC is
the implementation plan overcomes the security CCA2 secure, the attacker cannot get r1 from the
weaknesses in the original WAPI. attack of this algorithm directly. As for the second
1. The key-agreement protocol in the imple- method, the implementation plan requires the key
mentation plan can resist UKS attack. In the agreement request be sent by AP, and the attacker
implementation plan, even though the attacker cannot forge AP’s signature, so the attacker can-
B gets a certificate in which his/her public key is not impersonate other entity to establish another
the same as STA’s or AP’s, he/she cannot launch session with STA. Therefore the attacker cannot
the UKS attack. Because the implementation plan get r1. Then he/she still cannot get the host key k
requires that the key agreement request be sent and session key kd .
by AP, STA just accepts the request from AP. So, If STA’s private key is compromised, the at-
B can just launch the UKS attack against the AP tacker can decrypt ENC(PKSTA,r1) to get r1. In order
(i.e., AP thinks that he/she agrees upon a key with to get session key r2, he/she just has two possible
B, but in fact he/she negotiates a key with STA, methods: (1) attacks the encryption algorithm ENC
while STA correctly thinks that he/she negotiates directly to get r2; and (2) impersonates another
a key with AP), that is, B just can forward the mobile guest STA’ to establish a new session with
key agreement request message for him/her to AP and sends it ENC(PK AP, r2) in the key agreement
STA. But in this request, AP’s signature includes acknowledgement. From the previous analysis we
SPI which includes the MAC address of the B , so get that the first method is infeasible. As for the
STA will not accept this request forwarded from second method, because r2 and the host key k are
B. Therefore the key-agreement protocol in WAI of just the ephemeral values, we assume that they are
implementation plan can resist the UKS attack. not the session states of AP. Therefore, the session
From the previous analysis, we can see that the states of the new session in AP are just the session
*
essential reasons that WAI in the implementation key kd*, the message authentication key ka and the
The Provably Secure Formal Method
The Provably Secure Formal Method
Blake-Wilson, S., Johnson, D., & Menezes, A. Choo, K. K. R, & Hitchcock, Y. (2005). Security
(1997). Key agreement protocols and their se- requirement for key establishment proof models:
curity analysis. In Proceedings of the sixth IMA Revisiting Bellare-Rogaway and Jeong-Katz-Lee
international Conference on Cryptography and protocols. In Proceedings of the 10th Australasian
Coding. Conference on Information Security and Pri-
vacy—ACISP.
Borisov, N., Goldberg, I., & Wagner, D. (2001).
Intercepting mobile communications: The inse- Diffie, W., & Hellman, M. (1976). New directions
curity of 802.11. In Proceedings of the 7th Annual in cryptography. IEEE Transactions on Information
International Conference on Mobile Computing Theory, 22, 644-654.
and Networking, Italy.
Diffie, W., Van Oorschot, P., & Wiener, M. (1992).
Brown, D. R. L. (2001). The exact security of Authentication and authenticated key exchanges.
ECDSA (IEEE 1363). Designs, Codes and Cryptography, 2, 107-125.
Burrows, M., Abadi, M., & Needham, R. M. (1990). Fan, Z., JianFeng, M., & Moon, S. (2007). A
A logic of authentication. ACM Transactions on universally composable anonymous hash certifi-
Computer Systems, 8(1), 122-133. cation model. Science in China (F serial) 50(3),
440-445.
Burton, S., & Kaliski, J. R. (2001). An unknown
key-share attack on the MQV key agreement Güther, C. G. (1990). An identity-based key-ex-
protocol. ACM transactions on Information and change protocol. In Advances in Cryptology-EU-
System Security, 4(3), 275-288. ROCRYPT’89 (LNCS 434, pp. 29-37). Springer-
Verlag.
Canetti, R. (2001). Universally composable secu-
rity: A new paradigm for cryptographic protocols. IEEE 802.1X-2001. (2001). IEEE standard for lo-
In Proceedings of the 42th IEEE Annual Sympo- cal and metropolitan area networks—Port-based
sium on Foundations of Computer Science (pp. network access control.
136-145).
IEEE P802.11i D3.0. (2002). Specification for
Canetti, R. (2004). Universally composable signa- enhanced security.
ture, certification, and authentication. In Proceed-
Krawczyk, H. (1996, February). SKEME: A
ings of 17th IEEE computer security foundations
versatile secure key exchange mechanism for In-
workshop (CSFW) (pp. 219-245). IEEE Computer
ternet. In Proceeding of the 1996 Internet Society
Society Press.
Symposium on Network and Distributed System
Canetti, R., & Krawczyk, H. (2001). Analysis of Security (pp. 114-127).
key exchange protocols and their use for building
Krawczyk, H. (2005). HMQV: A high-performance
secure channels. In B. Pfitzmann (Ed.), Advances
secure Diffie-Hellman protocol. In Advances in
in cryptology—EUROCRYPT 2001 (LNCS 2045,
Cryptology–CRYPTO 2005: 25th Annual Inter-
pp. 453-474) Berlin, Germany: Springer-Verlag.
national Cryptology Conference (LNCS 3621, pp.
Canetti, R., & Krawczyk, H. (2002). Universally 546-566). Springer-Verlag.
composable notions of key exchange and secure
Law, L., Menezes, A., Qu, M., Solinas, J., &
channels. In Proceedings of Eurocrypt 2002.
Vanstone, S. (1998). An efficient protocol for
Changhua, H., & Mitchell, C. J. (2004, October 1). authenticated key agreement (Tech. Rep. CORR
Analysis of the 802.11i 4-way handshake. In Pro- 98-05). Ontario, Canada: University of Waterloo,
ceedings of ACM Workshop on Wireless Security, Department of Combinatorics & Optimization.
WiSe’04, Philadelphia, PA.
The Provably Secure Formal Method
Li, X., Ma, J., & Moon, S. (2005). On the security Rigney, C., Willens, S., Rubens, A., & Simpson,
of Canetti-Krawczyk model. (LNAI 3802, pp. 356- W. (2000). Remote authentication dial in user
363). Springer-Verlag. service (RADIUS) (RFC 2865). Retrieved from
http://www.ietf.org/rfc/rfc2865.txt
Martin, A., & Phillip, R. (2002). Reconciling two
views of cryptography. Journal of Cryptology, Shoup, V. (1999). On formal models for se-
15(2), 103-127. cure key exchange. Theory of Cryptography
Library. Retrieved from http://citeseer.ist.psu.
Meadows, C. (1996). Formal verification of crypto-
edu/cache/papers/cs2/769/http:zSzzSzeprint.iacr.
graphic protocols: A survey. In Proceedings of the
orgzSz1999zSz012.pdf/shoup99formal.pdf
Advances in Cryptology, Asiacrypt’96 (LNCS1163,
pp. 135-150). Springer-Verlag. Tin, Y. S. T., Boyd, C., & Nieto, J. G. (2003).
Provably secure key exchange: An engineering
Menezes, A., Van Oorschot, P., & Vanstone, S.
approach. In Australasian Information Security
(1996). Handbook of applied cryptography. In
Workshop 2003(AISW 2003) (pp. 97-104).
chapter 12. CRC Press.
Wenbo, M. (2004). Modern cryptography: Theory
Michael, B., & Dennis, H. (2004). How to break
and practice. Prentice-Hall, PTR.
and repair a universally composable signature func-
tionality. In Information security conference—ISC Yehuda, L. (2003). Composition of secure multi-
2004 (LNCS 3225, pp. 61-74). party protocols—A comprehensive study (LNCS,
2815). Springer-Verlag.
Mitchell C. J., Ward M., & Wilson, P. (1998). Key
control in key agreement protocols. Electronics
Letters, 34, 980-981.
National Standard of the People’s Republic of
kEy tErMs
China. (2003). Information technology—Telecom-
Acknowledgment (ACK) property: Let F an
munications and information exchange between
ideal functionality and let π be an SK-secure KE
systems—Local and metropolitan area networks—
protocol in the F -hybrid model. An algorithm I is
Specific requirements—Part 11: Wireless LAN
said to be an internal state simulator for π if for
medium access control (MAC) and physical layer
any environment machine Z and any adversary A
(PHY) specifications (GB 15629.11-2003).
we have HYB F π,A,Z ≈HYB F ,A,Z,I
National Standard of the People’s Republic of
Protocol π is said to have the ACK property if
China. (2004). Guide for GB 15629.11-2003 In-
there exists a good internal state simulator for π.
formation technology—Telecommunications and
information exchange between systems—Lo- Composition Theorem: The key advantage of
cal and metropolitan area networks—Specific UC security is that we can create a complex protocol
requirements—Part 11: Wireless LAN medium from already designed sub-protocols that securely
access control (MAC) and physical layer (PHY) achieves the given local tasks. This is very impor-
specifications.and GB 15629.1102-2003 Infor- tant since complex systems are usually divided
mation technology—Telecommunications and into several sub-systems, each one performing a
information exchange between systems—Local specific task securely. Canetti presented this feature
and metropolitan area networks—Specific require- as the composition theorem (Canetti, 2001). This
ments—Part 11: Wireless LAN medium access theorem assures that we can generally construct
control (MAC) and physical layer (PHY) specifi- a large size “UC-secure” cryptographic protocol
cations: Higher-speed physical layer extension in by using sub-protocols which is proven as secure
the 2.4 GHz band. in UC-secure manner.
The Provably Secure Formal Method
Chapter XVI
Multimedia Encryption and
Watermarking in
Wireless Environment
Shiguo Lian
France Telecom R&D Beijing, China
AbstrAct
In a wireless environment, multimedia transmission is often affected by the error rate; delaying; terminal’s
power or bandwidth; and so forth, which brings difficulties to multimedia content protection. In the past
decade, wireless multimedia protection technologies have been attracting more and more researchers.
Among them, wireless multimedia encryption and watermarking are two typical topics. Wireless multi-
media encryption protects multimedia content’s confidentiality in wireless networks, which emphasizes
on improving the encryption efficiency and channel friendliness. Some means have been proposed,
such as the format-independent encryption algorithms that are time efficient compared with traditional
ciphers; the partial encryption algorithms that reduce the encrypted data volumes by leaving some
information unchanged; the hardware-implemented algorithms that are more efficient than software
based ones; the scalable encryption algorithms that are compliant with bandwidth changes; and the
robust encryption algorithms that are compliant with error channels. Compared with wireless multimedia
encryption, wireless multimedia watermarking is widely used in ownership protection, traitor tracing,
content authentication, and so forth. To keep low cost, a mobile agent is used to partitioning some of
the watermarking tasks. To counter transmission errors, some channel encoding methods are proposed
to encode the watermark. To keep robust, some means are proposed to embed a watermark into media
data of low bit rate. Based on both watermarking and encryption algorithms, some applications arise,
such as secure multimedia sharing or secure multimedia distribution. In this chapter, the existing wireless
multimedia encryption and watermarking algorithms are summarized according to the functionality and
multimedia type; their performances are analyzed and compared; the related applications are presented;
and some open issues are proposed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Multimedia Encryption
Multimedia Encryption
open issues in the sixth section. Finally, in the last be adopted to improve time efficiency, that is, the
section, some conclusions are drawn. first one is to reduce the encrypted data volumes,
and the second one is to adopt fast encryption
algorithms. Additionally, to adapt the energy-con-
gEnErAl rEquIrEMEnts of straint devices, such as mobile terminals, handset,
MultIMEdIA contEnt handheld, and so forth, the lightweight encryption
ProtEctIon algorithms are preferred to decrease the energy-
consumption.
Compression ratio. Multimedia data are often
requirements of Multimedia
compressed in order to reduce the storage space
Encryption
or transmission bandwidth. In this case, multime-
dia encryption algorithms should not change the
Multimedia data are often of high redundancy,
compression ratio.
large volumes, real time operations, and the com-
Format compliance. In multimedia data, the
pressed data are of certain format. These proper-
format information, such as file header, frame
ties require that wireless multimedia encryption
header, file tail, and so forth will be used by the
algorithms should satisfy some requirements (Furht
decoder to realize synchronization. Encrypting
& Kirovski, 2006), such as content security, time
multimedia data except the format information
efficiency, format compliance, and so forth. All of
will keep the encrypted data stream format-com-
them are presented in detail as follows.
pliant. Thus, the encrypted data can be previewed
Security. In multimedia encryption, the secu-
directly. Additionally, the format information can
rity refers to content security. It is composed of
be used to resynchronize the transmission process
two aspects, that is, cryptographic security and
in error environment.
perceptual security. The former one refers to the
Communication compliance. In wireless or
security against such cryptographic attacks as
mobile environment, transmission errors often
brute-force attack, ciphertext-only attack, known-
happened, such as, channel error, loss, delay, or
plaintext attack, and so forth. The latter one refers
jitter. The good multimedia encryption algorithms
to the intelligibility of the encrypted multimedia
should not cause error propagation. Thus, the
content. Generally, for multimedia encryption, an
error conditions will also be considered when
encryption algorithm is regarded as secure if the
designing a wireless/mobile multimedia encryp-
cost for breaking it is no smaller than the one paid
tion algorithm.
for the multimedia content’s authorization. For
Direct operation. If the encrypted multimedia
example, in broadcasting, the news may be of no
data can be operated directly, the decryption-op-
value after an hour. Thus, if the attacker can not
eration-encryption triples can be avoided, and the
break the encryption algorithm during an hour, then
efficiency can also be improved. A typical example
the encryption algorithm may be regarded as secure
is to support direct bit rate conversion, that is, the
in this application. Thus, according to this case,
encrypted data stream can be cut off directly in
encrypting only significant parts of multimedia data
order to adapt the channel bandwidth. This property
may be reasonable if the cryptographic security
brings convenience to the applications in wireless
and perceptual security are both confirmed, which
or mobile environment.
will decrease the encrypted data volumes.
Efficiency. The efficiency refers to both time ef-
ficiency and energy-consumption efficiency. Since
requirements of Multimedia
real-time transmission or access is often required watermarking
by multimedia-related applications, multimedia
encryption algorithms should be time efficient so For multimedia watermarking algorithms, some
that they do not delay the transmission or access performances are required, such as security, ro-
operations. Generally, two kinds of method can bustness, transparency, oblivious, vindicability,
Multimedia Encryption
and efficiency (Cox et al., 2002). Here, only the original copy. It is also named blind detection. On
ones related to wireless/mobile environment are the contrary, non-blind detection means that the
emphasized. original copy is required by the detection process. In
Security. Similar to an encryption algorithm, practical applications, especially in wireless/mobile
the construction of a watermarking algorithm environment, memory is limited, and thus blind
should consider the security against various at- or oblivious detection is preferred.
tacks (Kutter, Volosphynovskiy, & Herrigel, 2000;
Linnartz & Dijk, 1998; Petitcolas, Anderson, &
Kuhn, 1999). According to the attacker’s ability, tHE EncryPtIon AlgorItHMs
the attacks can be classified into several types: for wIrElEss MultIMEdIA
attack under the condition of knowing nothing
about the watermarking system, attack knowing Some encryption algorithms have been proposed
some watermarked copies, attack knowing the with respect to image, audio, speech, or video in
embedding algorithm, and the attack knowing wireless environment. These algorithms adopt
the watermark detector. Generally, some encryp- some means to meet wireless communication
tion operations are introduced to watermarking requirements. According to the functionality,
algorithms in order to keep secure. the encryption algorithms are classified into four
Imperceptibility. Imperceptibility means that types: (1) format independent encryption, (2)
the watermarked media data have no difference format compliant encryption, (3) communication
with the original ones in perception. It is also compliant encryption, and (4) direct-operation
named transparency or fidelity. This makes sure supported encryption. The first type supports
that the watermarked copy is still of high quality the media data of arbitrary format, the second
and suitable for practical applications. one combines the encryption operation with the
Robustness. Multimedia data are often pro- compression process, the third one considers the
cessed during transmission process, and some of transmission errors, and the fourth one supports
the processing operations are acceptable. Thus, some direct operations on the encrypted multimedia
the watermark should still be detected after these data. In the following content, they are introduced
operations. Generally, the robustness refers to the and analyzed in detail.
ability for the watermark to survive such opera-
tions including general signal processing opera- format Independent Encryption
tions (filtering, noising, A/D, D/A, re-sampling,
recompression, etc.) and geometric attacks (rota- Format independent encryption algorithms regard
tion, scaling, shifting, transformation, etc.). For multimedia data as binary data and encrypt multi-
wireless/mobile multimedia, transmission errors media data without considering of the file format.
should also be considered, such as loss, delay, jit- Traditional ciphers (Mollin, 2006), such as DES,
ter, and so forth. IDEA, AES, RSA, and so forth, encrypt text or
Efficiency. Efficiency refers to both time ef- binary data directly without considering of the file
ficiency and energy-consumption efficiency. The format. These ciphers have been included in the
watermarking algorithm with high time efficiency protocols, IP security (IPsec) and secure socket
is more suitable for real time applications, such layer (SSL), and the package CryptoAPI, and these
as video-on-demand, broadcasting, per-per-view, protocols are also included in a multilayer security
and so forth. For some energy-limited devices, the framework (Dutta, Das, Li, & Auley, 2004). The
lightweight watermarking algorithm is preferred, energy requirements of most of the encryption
which costs less power and is more efficient in algorithms are analyzed in Potlapally, Raghuna-
implementation. than, and Jha (2003), some of which are suitable
Oblivious detection. Oblivious detection for wireless applications. However, for wireless
means that the detection process needs not the multimedia, some means should be made to im-
Multimedia Encryption
prove the efficiency. One solution is to implement such as WEP, IWEP, RC2, RC4, RC5, and so forth.
the algorithms in hardware, and another one is to Experiments are done in Ganz, Park, and Ganz
design lightweight algorithms. (1998) to test the software efficiency of RC2, RC4,
Hardware implementation. To improve the and RSA. It is shown that software implementa-
encryption algorithms’ efficiency, hardware imple- tion of these ciphers can meet the requirements of
mentation is a suitable solution. The security pro- such wireless applications as multimedia e-mail,
cessing architectures are proposed in Raghunathan, multimedia notes, telephone-quality audio, video
Ravi, Hattangady, and Quisquater (2003), which conferencing or MPEG video interaction, and so
include an embedded processor, a cryptographic forth. The disadvantage is that their performance
hardware accelerator, and a programmable security is limited by the computer system configuration.
protocol engine. For the core encryption algorithms, Besides the experiments, some design guidelines
some experiments are done to show their suit- (Ganz, Park, & Ganz, 1999) are proposed for
ability. For example, hardware implementation of real-time software encryption, which considers
triple data encryption standard (3DES) is proposed the WLAN throughput, quality of service (QoS)
in Hamalainen, Hannikainen, Hamalainen, and requirements, encryption throughput determined
Saarinen (2001). The experiments show that 3DES by computer configuration, and additional process-
implementations with small area and reasonable ing overhead incurred by other protocol layers.
throughput can be realized even though 3DES turns Generally, the algorithms with higher security
out to be quite large and resource-demanding. It are often of higher computing complexity. In tra-
is suitable for some applications in wireless LAN ditional applications, an encryption algorithm is
(WLAN). Compared with such block cipher as evaluated in a one-or-nothing manner, for example,
3DES, stream ciphers have some good properties, secure or insecure (Ong, Nahrstedt, & Yuan, 2003).
such as immunity to error propagation, increased In pervasive environments, it is insufficient, be-
flexibility, and greater efficiency. The Linear cause the limited computing resources may limit the
Feedback Shift Register (LFSR)-based stream security requirement. Thus, a quality of protection
ciphers are implemented in hardware (Goodman (QoP) framework (Ong et al.) is proposed, which
& Chandrakasan, 1998), which are shown ideally evaluates an encryption algorithm in an adaptive
suited to low power wireless communications as manner. That is, the security level can be tuned in
they can be constructed from very simple and order to meet some other performances suitable
power-efficient hardware. Additionally, some for wireless/mobile applications. For example, the
wireless suitable stream ciphers, for example, QoP metadata may be <content type, interval of
wired equivalent privacy (WEP), improved wired security, encryption algorithm, encryption key
equivalent privacy (IWEP), and Ron’s cipher #4 length, encryption block size>. By tuning these
(RC4) are implemented in hardware and tested in parameters in the metadata, the suitable perfor-
WLAN (Tikkanen, Hannikainen, Hamalainen, mances can be obtained. This framework has the
& Saarinen, 2000). Among them, IWEP is more following properties: (1) it can tune the quality of
suitable for hardware and of lower cost than protection, (2) it gets a balance between security
RC4 although it is of lower security than RC4. and performance requirement, and (3) it is flexible
Generally, hardware implementation improves and upgradable to support latest cryptographic
the computing efficiency, but it also brings some standards. However, before using this scheme, some
problems, for example, the high cost to upgrade problems should be solved, for example, how and
the algorithms. where to store or transmit the metadata.
Lightweight encryption algorithms. Com-
pared with hardware implementation, software format compliant Encryption
implementation is cheaper and more flexible for
upgrades. For wireless applications, some light- For multimedia data, partial encryption (Furht
weight encryption algorithms have been proposed, & Kirovski, 2006) can be used to reduce the en-
0
Multimedia Encryption
Data part
Encrypt
0
Data part
N-1
crypted data volumes, which keeps the file format proposed to encrypt telephone-bandwidth speech.
unchanged. Additionally, the left format informa- This algorithm partitions the code stream into
tion can be used to synchronize the transmission two classes, for example, the most perceptually
process, especially in wireless/mobile environment relevant one, and the other one. Among them, the
where transmission errors often happen. The core former one is encrypted while the other one is left.
of partial encryption is encrypting only the signifi- It is reported that encrypting about 45% of the
cant parameters in multimedia data while leaving bitstream achieves content protection equivalent
other ones unchanged. Figure 1 gives an example to full encryption. In another method (Sridharan,
for partial encryption, in which, media data are Dawson, & Goldburg, 1991), speech data are en-
partitioned into N data parts, only the first data part crypted by encrypting only the parameters of Fast
is encrypted, while other parts are left unencrypted. Fourier Transformation during speech encoding,
The data part may be a block or region of the im- and the correct parameters are used to recover the
age, a frame of the video sequence, a bit-plane of encrypted data in decryption. For MP3 (Gang,
the image pixels, a parameter of the compression Akansu, Ramkumar, & Xie, 2001; Servetti, Testa,
codec, a segment of the compressed data stream, Carlos, & Martin, 2003) music, only the sensitive
and so forth. The encrypted data part (Data part parameters of MP3 stream are encrypted, such as
0) and the other data parts are then combined to- the bit allocation information, which saves much
gether to generate the encrypted media data. The time or energy cost.
significance of the encrypted data part determines Partial image encryption. Some means are
the security of the encryption scheme. proposed to encrypt images partially or selectively.
For multimedia data are often compressed For raw images, only some of the most significant
before stored or transmitted, partial encryption bit-planes are encrypted for secure transmission
often combines with compression codecs (Liu & of image data in mobile environments (Podesser,
Eskicioglu, 2003). That is, for different multimedia Schmidt, & Uhl, 2002). Another image encryption
encoding codec, different partial encryption algo- algorithm (Scopigno & Belfiore, 2004) is proposed,
rithm will be designed. During the past decade, which encrypts only the edge information in the
some partial encryption algorithms have been image decomposition that produces three separate
proposed, which are classified and analyzed as components: (1) edge location, (2) gray-tone or color
follows according to the type of multimedia data inside the edges, and (3) residuum “smooth” im-
and the codecs. age. For JPEG images, some significant bit-planes
Partial audio encryption. Based on audio or of discrete cosine transform (DCT)coefficients in
speech codecs, some partial encryption algorithms JBIG are encrypted (Pfarrhofer & Uhl, 2005), and
have been proposed. For example, an algorithm only DCT blocks are permuted and DCT coef-
based on G.729 (Servetti & Martin, 2002a, 2002b) is ficients’ signs are encrypted in JPEG encoding
Multimedia Encryption
(Lian, Sun, & Wang, 2004a). These algorithms more popular. Combined with them, some video
obtain high perceptual security and encryption encryption algorithms have been proposed, which
efficiency. In JPEG2000 image encryption, only saves time cost by encrypting the compressed video
the significant streams in the encoded data stream data selectively or partially.
are encrypted (Ando, Watanabe, & Kiya, 2001, In MPEG1/2 codec, the signs of DCT coef-
2002; Lian, Sun, & Zhang, 2004b; Norcen & Uhl, ficients are encrypted with the video encryption
2003; Pommer & Uhl, 2003), which is selected algorithm (VEA) (Shi & Bhargava, 1998a), the
according to the scalability in space or frequency signs of direct current coefficients (DCs) and mo-
domain. These algorithms often keep secure in tion vectors are encrypted with a secret key (Shi &
perception. Figure 2 gives the encryption result Bhargava, 1998b), the base layer is encrypted while
of the algorithm proposed in Lian et al., 2004b). the enhancement layer is left unencrypted (Tosun
As can be seen, the encrypted image is unintel- & Feng, 2001a), the DCT coefficients are permuted
ligible. Additionally, in these algorithms, no more (Lian, Wang, & Sun, 2004c; Tang, 1996), or the
than 20% of the data stream is encrypted, which variable length coding (VLC) tables are modified
obtains high efficiency. by rearranging, random bit-flipping, or random
Partial video encryption. Compared with bit-insertion (Wu & Kuo, 2000, 2001).
images or audios, videos are often of higher re- In MPEG4 codec, the Minimal Cost Encryption
dundancy, which are compressed in order to save Scheme (Kim, Shin, & Shin, 2005) is proposed
the transmission bandwidth. Among the video to encrypt only the first 8 bytes in the macro-
codecs, MPEG1/2, MPEG4, and H.264/AVC are blocks (MBs) of a video object plane (VOP). It
(a) Original (b) Encrypted (Ahn et al., 2004) (c) Encrypted (Lian et al., 2005a)
Multimedia Encryption
is implemented and proved suitable for wireless sion errors are often spread out due to encryption
terminals. A format-compliant configurable en- algorithms’ ciphertext-sensitivity (Mollin, 2006).
cryption framework (Wen, Severa, Zeng, Luttrell, In wireless/mobile applications, some means should
& Weiyin, 2002) is proposed for MPEG4 video be taken to reduce the error propagation.
encryption, which can be reconfigured for a given Constructing the encryption algorithms based
application scenario including wireless multimedia on error correction code may be a solution. For
communication. example, the encryption algorithm based on
In H.264/AVC codec, the intra-prediction mode forward error correction (FEC) code is proposed
of each block is permuted with the control of the key in Tosun & Feng, 2001b), which permutes the
(Ahn, Shim, Jeon, & Choi, 2004), which makes the information-bits and complements a subset of
video data degraded greatly. Some other algorithms the bits. The encryption algorithm can preserve
(Lian, Liu, & Ren, 2005a; Lian, Liu, Ren, & Wang, the error robustness of the encrypted multimedia
2006a) encrypt the DCT coefficients and motion data, that is, the encrypted data stream can realize
vectors with sign encryption. For these algorithm error correction itself. Additionally, the encryption
encrypt both the texture information and motion algorithm is implemented very efficiently because
information, they often obtain high security in of the simple encryption operations. Thus, it has
human perception. Figure 3 shows the results of some desirable properties suitable for wireless
the algorithm proposed in Ahn et al. (2004) and multimedia transmission. However, the disad-
the one proposed in Lian et al. (2005a). As can be vantage is also clear that it is not secure against
seen, the video encrypted by the former algorithm known-plaintext attacks.
is still intelligible, while the video encrypted by Another solution is to change the block length
the latter algorithm is unintelligible. Thus, for in data encryption. Generally, the block length is in
high security, the latter encryption algorithm is close relation with the error propagation property.
preferred. Taking stream cipher and block cipher for examples,
the former one is of low error propagation, while
communication compliant the latter one is often of high error propagation.
Encryption Generally, the bigger the block length is, the higher
the error propagation is. Due to this case, a robust
Multimedia data are often encrypted before being encryption scheme for secure image transmission
transmitted. In the encrypted data stream, transmis- over wireless channels is proposed in Nanjunda,
Video
K
...
Frame 0 Frame 1 Frame N-1
K0 K1 KN-1
...
Slice 0 Slice 1 Slice M-1 Slice 0 Slice 1 Slice M-1 Slice 0 Slice 1 Slice M-1
K0 K0 K0 K1 K1 K1 KN-1 KN-1 KN-1
Multimedia Encryption
Encryption Cut
Multimedia Encryption
Figure 5, which encrypts only the base layer and trary, the watermarking algorithms with lost cost
middle layer in the three layers (base layer, middle are often of low security or robustness. This con-
layer, and enhancement layer) of an MPEG2 video tradiction becomes a problem in wireless/mobile
stream. In this algorithm, the enhancement layer environment when the limited energy or computing
is left unencrypted, which can be cut off directly. capability is provided. Experiments have been done
Wee and Apostolopoulos (2001, 2003) and Zhu, to analyze the energy consumption, complexity
Yuan, Wang, and Li (2005) proposed the algorithms and security level of multimedia watermarking
for secure scalable streaming enabling transcod- on mobile handheld devices (Kejariwal, Nicolau,
ing without decryption. Generally, the stream is Dutt, & Gupta, 2005). And some conclusions are
partitioned into segments according to the cipher’s drawn: (1) the security level often contradicts with
code length. To change the bit-rate, some segments energy consumption, (2) watermark extraction/
at the end of the stream are cut off directly. detection may be of higher cost than watermark
embedding, and (3) image resolution affects the
energy consumption. To conquer these problems,
tHE wAtErMArkIng AlgorItHMs some proposals are presented, for example, intro-
for wIrElEss MultIMEdIA duce the tunable parameter to obtain trade-offs
between security level, energy consumption, and
Watermarking algorithms (Barni & Bartolini, other performances, or move some computationally
2004; Cox et al., 2002) are generally composed expensive tasks to mobile proxies.
of two parts, that is, watermark embedding and
watermark extraction/detection. Generally, wa- Mobile Agent based task Partitioning
termarking algorithms should be robust to some
operations, such as recompression, A/D or D/A Mobile agents use the proxies as agents that can
conversion, noise, filtering, and so forth and can connect to a range of heterogeneous mobile ter-
survive such attacks as geometric attack, collusion minals. Using mobile agents to reduce the load of
attack, copy attack, and so forth. Similar to encryp- the server or terminals has been widely studied
tion algorithms, some watermarking algorithms (Burnside et al., 2002; Rao, Chang, Chen, & Chen,
may be of high security and robustness, but they 2001). If the mobile agent can implement water-
are also of high time or energy cost. On the con- mark embedding or extraction/detection, then the
terminals’ computing load will be greatly reduced.
Multimedia Encryption
Watermark
Watermark
The scheme proposed in Liu and Jiang (2005), as typical ones are shown in Figure 7. The first one,
shown in Figure 6, uses mobile agent to replace as shown in Figure 7a, uses fast transformations
terminals to realize watermark detection, which to reduce the cost of converting media data into
decreases the server and network’s load during frequency domain. The second one, as shown in
detecting watermarks. In another scheme (Keja- Figure 7b, embeds the watermark into the com-
riwal, Gupta, Nicolau, Dutt, & Gupta, 2004), the pressed media data according to the following steps:
watermark embedding and detection tasks are both (1) reconstruct the coefficients partially from the
partitioned and moved to mobile proxies completely compressed data stream, (2) embed the watermark
or partially. For example, to keep secure, only some into the selected coefficients, and (3) re-encode the
tasks not sensitive to the security are moved out, watermarked coefficients. In the following content,
such as image transformation, bit decomposition, some lightweight watermarking algorithms are
plane alignment, and so forth. The partitioning introduced and analyzed.
schemes make watermarking applications more A scalable watermarking algorithm is proposed
practical in mobile environment. to mark the audio data encoded with Advanced
Audio Zip (AAZ) (Li, Sun, & Lian, 2005). In
lightweight watermarking this algorithm, the watermark is embedded into
Algorithms the quantized modified discrete cosine transform
(MDCT) coefficients in the core layer adaptively,
Using mobile agents to implement some watermark- and detected by computing the correlation between
ing related tasks can reduce the load of the server the spreading sequence and the bitstream. A speech
or terminals in some extent. However, frequent watermarking scheme is proposed in Arora and
interaction between mobile agent and terminals Emmanuel (2003), which is designed based on the
are still costly. To reduce the cost of the server or adaptive modulation of spread spectrum sequences
terminals, improving the efficiency of watermark- and is robust against some removal or impairment
ing embedding, or extraction/detection algorithms attacks. The experiments in global system for
is a key problem. Considering that the watermark mobile communications (GSM) cellular commu-
is often embedded into the transformation domain, nications show that the algorithm is suitable for
some lightweight algorithms are proposed to imple- mobile applications.
ment transformation domain watermarking. Two
Multimedia Encryption
For images, an efficient steganography scheme robust video watermarking algorithm (Alattar,
(Pal, Saxena, & Muttoo, 2004) is proposed for Lin, & Celik, 2003) is proposed for low bit rate
resources constrained wireless networks. In this MPEG4 videos. In this algorithm, the watermark
scheme, the coefficients in Hadamard transform- is composed of both the synchronization template
domain are manipulated to contain some hidden and the watermark content combined with the
information. The Discrete Hadamard Transform template, and the watermark is embedded into
can be implemented using fast algorithms, which the alternative current (AC) coefficients of the
makes the scheme computationally efficient and luminance plane of the VOPs. The template can
practical in mobile communications. survive geometric attacks, such as transcoding,
For videos, a spread spectrum watermarking cropping, scaling, rotation, noise, and so forth.
algorithm (Petrescu, Mitrea, & Preteux, 2005) Experiments on various videos are done, which
is proposed to protect low rate videos. In this show good performances for the video rate ranging
algorithm, the DCT or wavelet coefficients of from 128kbit/s to 768kbit/s.
transformed video data are watermarked with
spread spectrum sequences. Experiments are communication compliant
done for the videos varying from 64kbit/s to 256 Algorithms
kbit/s, and suitable transparency or robustness is
obtained. Furthermore, a more efficient algorithm In wireless/mobile communication, transmission
(Checcacci, Barni, Bartolini, & Basagni, 2000) is errors often happen, which may reduce the wa-
proposed to mark MPEG4 videos. In this algorithm, termark detection rate. Generally, several means
only the Luma macroblocks are watermarked by may be adopted to improve the watermarking
adjusting the coefficients’ value in each coefficient algorithm’s robustness against transmission errors.
pair. It is proved efficient in implementation and The first one, as shown in Figure 8a, is applying
robust to transmission errors. Additionally, a more
Media data
Watermark
MDC
Encode
MDC
Decode
Extracted
watermark
Multimedia Encryption
Media
Server
Content
Access Right
Multimedia Encryption
watermarked files are encrypted then distributed multimedia data should be decrypted before being
over p2p networks. The customer can access the watermarked. In some applications, if the operation
encrypted music files, while must apply for the triple decryption-watermarking-encryption can be
right from the server before he can decrypt the avoided, the operation cost will be reduced greatly.
files. The watermark extracted from the music file In this case, the encrypted multimedia data can
can prove the legality of the music. be watermarked directly without decryption, and
the watermark can be extracted directly from the
secure Multimedia distribution encrypted or decrypted multimedia data. This kind
of watermarking-encryption pair is named com-
In secure multimedia distribution, multimedia mutative watermarking and encryption (CWE). A
data are transmitted from the server to customers practical scheme is proposed in Lian, Liu, Ren, and
in a secure way. In this case, the confidentiality Wang (2006c), which is based on partial encryption.
can be protected, and the illegal distributor who In this scheme, multimedia data are partitioned into
redistributes his/her copy to other customers can two parts, that is, the perception significant part
be traced. Generally, both encryption and water- and the robust part, among which, the perception
marking technology are used. Till now, three kinds significant part is encrypted, while the robust part
of schemes have been proposed, which embed is watermarked. Thus, the encryption and water-
watermarks at the server side, in the router or at marking are independent of each other, and they
the client side, respectively. In the first kind of support the commutative operations.
scheme, the customer information is embedded
into multimedia data at the server side before mul-
timedia encryption. This scheme is more suitable oPEn IssuEs
for unicast than for multicast or broadcast because
it is difficult for the server to assign different cop- contradiction between format
ies to different customers simultaneously. In the Independence and format
second kind of scheme, the customer information compliance
is embedded by the routers in lower level (Brown,
Perkins, & Crowcroft, 1999), which distributes To keep low cost, partial encryption scheme is used
the server’s loading to the routers. This scheme to encrypt multimedia data, which keeps format
reduces the server’s loading, but also changes the compliant. Thus, for different multimedia data or
network protocols. In the third kind of scheme, the different codec, the encryption algorithms are often
customer information is embedded at the customer different. If various multimedia data are included in
side (Bloom, 2003). This scheme is time efficient, an application, then various encryption algorithms
but the security is a problem because of the isola- should be used, and some extra information is re-
tion between decryption and watermarking. Some quired to tell which encryption algorithm has been
means (Anderson & Manifavas, 1997; Kundur & used. Compared with format compliant encryption,
Karthik, 2004; Lian, Liu, Ren, & Wang, 2006b) format independent encryption regards multimedia
have been proposed to improve the security, which data as binary data and is easy to support various
combine decryption with watermark embedding. data. Thus, for the applications with versatile data,
These combined methods improve the system’s format independent encryption is more suitable.
security at the same time of keeping low cost. For example, in such DRM systems as internet
streaming media alliance (ISMA), advanced access
commutative watermarking and content system (AACS), or open mobile alliance
Encryption (OMA) (Kundur et al., 2004), the algorithms,
advanced encryption standard (AES) and data
Generally, watermarking operation and encryp- encryption standard (DES), are recommended to
tion operation are separate. That is, the encrypted encrypt multimedia data not considering the file
Multimedia Encryption
format. Thus, for practical applications, the trade- key Management in Mobile
off between computational cost and convenience Applications
is to be made, which determines which kind of
algorithm should be used. Multimedia encryption and watermarking can
both be controlled by the keys; key management
standardization of watermarking needs to be investigated. For example, whether
Algorithms the encryption key should be independent of the
watermarking key, and how to assign different
Compared with encryption algorithms that have decryption keys to different customers in mul-
been standardized to some extent, watermarking timedia distribution? Additionally, for multicast
algorithms are still in study. For the diversity of or p2p networks, key generation and distribution
multimedia content, the difficulty in multimedia (Cherukuri, 2004; Eskicioglu, 2002) are important
understanding and the variety of applications, it topics not only in fixed networks but also in mobile
is difficult to standardize multimedia watermark- environments.
ing algorithms. Generally, they have different
performances in security, efficiency, robustness,
capacity, and so forth. Using which watermarking conclusIon
algorithm depends on the performances required
by the applications. Defining suitable watermark- In this chapter, mobile/wireless multimedia encryp-
ing algorithms will provide more convenience to tion and watermarking algorithms are introduced
wireless/mobile applications. and analyzed, including the general requirements,
various multimedia encryption algorithms, some
fingerprint Algorithms Against watermarking algorithms, the combination be-
collusion Attacks tween encryption and watermarking, and some
open issues. Among them, the multimedia encryp-
In secure multimedia distribution, collusion attack tion algorithms are classified and analyzed accord-
(Zhao, Wang, & Liu, 2005) threatens the system. ing to the functionalities, and the watermarking
That is, different customers combine their copies algorithms with low cost are emphasized. The
together through averaging, substitution, and so combination between encryption and watermark-
forth, which produces a copy without any customer ing brings up some new research topics, for ex-
information. To counter this attack, some finger- ample, fingerprint or commutative watermarking
print encoding methods (Boneh & James, 1998; Wu, and encryption. And some open issues are also
Trappe, Wang, & Liu, 2004) have been proposed. presented, including the contradiction between
These methods generate different fingerprint codes format compliance and format independence, the
for different customers, and the colluded copy can standardization of watermarking algorithms, the
still tell one or more of the colluders. However, fingerprint algorithms resisting collusion attacks,
there is still a trade-off between the watermark and the key management in mobile applications.
capacity and the supported customers, and some
new attacks are still not predicted, such as the linear
combination collusion attack (LCCA) attack (Wu, rEfErEncEs
2005). Thus, better fingerprint encoding methods
with good efficiency are expected. Ahn, J., Shim, H., Jeon, B., & Choi, I. (2004). Digital
video scrambling method using intra prediction
mode. In Pacific Rim Conference on Multimedia,
PCM2004 (LNCS 3333, 386-393). Springer.
0
Multimedia Encryption
Alattar, A., Lin, E., & Celik, M. (2003). Digital wa- Brown, I., Perkins, C., & Crowcroft, J. (1999). Wa-
termarking of low bit-rate advanced simple profile tercasting: Distributed watermarking for multicast
MPEG-4 compressed video. IEEE Transactions media. In Proceedings of the First International
on Circuits and Systems for Video Technology, Workshop on Networked Group Communication
13, 787-800. (LNCS 1736, pp. 286-300). Springer-Verlag.
Ambroze, A., Wade, G., Serdean, C., Tomlinson, Burnside, M., Clarke, D., Mills, T., Maywah, A.,
M., Stander, J., & Borda, M. (2001). Turbo code Devadas, S., & Rivest, R. (2002). Proxy-based
protection of video watermark channel. IEE Pro- security protocols in networked mobile devices.
ceedings of Vision and Image Signal Processing, In Proceedings of the 2002 ACM symposium on
148, 54-58. Applied Computing (pp. 265-272).
Anderson, R., & Manifavas, C. (1997). Cham- Chang, Y., Han, R., Li, C., & Smith, J. R. (2004).
leon—A new kind of stream cipher. In Fast Soft- Secure transcoding of Internet content. In Pro-
ware Encryption (LNCS, vol. 1267, pp. 107-113). ceedings of International Workshop on Intelligent
Springer-Verlag. Multimedia Computing and Networking (IMMCN)
(pp. 940-943).
Ando, K., Watanabe, O., & Kiya, H. (2001). Partial-
scrambling of still images based on JPEG2000. Checcacci, N., Barni, M., Bartolini, F., & Basagni,
In Proceedings of the International Conference S. (2000). Robust video watermarking for wireless
on Information, Communications, and Signal multimedia communications. In Proceedings of the
Processing, Singapore. 2000 IEEE Conference on Wireless Communica-
tions and Networking (pp. 1530-1535).
Ando, K., Watanabe, O., & Kiya, H. (2002). Par-
tial-scrambling of images encoded by JPEG2000. Cherukuri, S. (2004). An adaptive scheme to man-
IEICE Transactions, J85-D-11(2), 282-290. age mobility for secure multicasting in wireless
local area networks. Unpublished masters thesis,
Arora, S., & Emmanuel, S. (2003). Real-time
Arizona State University, Tempe.
adaptive speech watermarking scheme for mobile
applications. In Proceedings of the International Chu, S., Hsin, Y., Huang, H., Huang, K., & Pan, J.
Conference on Information, Communications & (2005). Multiple description watermarking for lossy
Signal processing (ICICS)—IEEE Pacific-rim Con- network. IEEE Computer Society,4, 3990-3993.
ference on Multimedia (PCM) (pp. 850-853).
Cox, I., Miller, M., & Bloom, J. (2002). Digital wa-
Ashourian, M., & Ho, Y. (2003). Multiple descrip- termarking. San Francisco: Morgan Kaufmann.
tion coding for image data hiding jointly in the
Desset, C., Macq, B., & Vandendorpe, L. (2002).
spatial and DCT domains. In ICICS 2003 (LNCS
Block error-correcting codes for systems with a
2836, 179-190).
very high BER: Theoretical analysis and application
Barni, M., & Bartolini, F. (2004). Watermark to the protection of watermarks. Signal Processing:
systems engineering. Marcel Dekker. Image Communication, 17, 409-421.
Bloom, J. (2003). Security and rights management Dutta, A., Das, S., Li, P., & Auley, A. (2004).
in digital cinema. Proceedings of IEEE Interna- Secured mobile multimedia communication for
tional Conference on Acoustic, Speech and Signal wireless Internet. In Proceedings of 2004 IEEE
Processing, 4, 712-715. International Conference on Networking, Sensing
& Control (pp. 181-186).
Boneh, D., & James, S. (1998). Collusion-secure
fingerprinting for digital data. IEEE Transactions Eskicioglu, A. (2002). Multimedia security in group
on Information Theory, 44(5), 1897-1905. communications: Recent progress in wired and
wireless networks. In Proceedings of the IASTED
Multimedia Encryption
Multimedia Encryption
Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006c). Mollin, R. (2006). An introduction to cryptogra-
Commutative watermarking and encryption for phy. CRC Press.
media data. International Journal of Optical En-
Nanjunda, C., Haleem, M., & Chandramouli, R.
gineering, 45(8), 0805101-0805103.
(2005). Robust encryption for secure image trans-
Lian, S., Liu, Z., Ren, Z., & Wang, Z. (2005b). Se- mission over wireless channels. In Proceedings of
lective video encryption based on advanced video the IEEE International Conference on Communi-
coding. In Proceedings of Pacific-Rim Conference cations (ICC) (pp. 1287-1291).
on Multimedia (PCM2005) (pp. 281-290).
Norcen, R., & Uhl, A. (2003). Selective encryption
Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006a). of the JPEG2000 bitstream. In IFIP International
Secure advanced video coding based on selective Federation for Information Processing (LNCS
encryption algorithms. IEEE Transactions on 2828, 194-204).
Consumer Electronics, 52(2), 621-629.
Ong, C., Nahrstedt, K., & Yuan, W. (2003). Quality
Lian, S., Sun, J., & Wang, Z. (2004a). A novel image of protection for mobile multimedia applications.
encryption scheme based-on JPEG encoding. In In Proceedings of the IEEE International Con-
Proceedings of International Conference on Infor- ference on Multimedia and Expo (ICME2003),
mation Visualization (IV 2004) (pp. 217-220). Baltimore, MD.
Lian, S., Sun, J., Zhang, D., & Wang, Z. (2004b). Pal, S., Saxena, P., & Muttoo, S. (2004). Image
A selective image encryption scheme based on steganography for wireless networks using the
JPEG2000 codec. In Proceedings of 2004 Pacific- hadamard transform. In Proceedings of the 2004
Rim Conference on Multimedia (PCM2004) (LNCS International Conference on Signal Processing
3332, pp. 65-72). Springer. and Communications (pp. 131-135).
Lian, S., Wang, Z., & Sun, J. (2004c). A fast video Pan, J., Hsin, Y., Huang, H., & Huang, K. (2004).
encryption scheme suitable for network applica- Robust image watermarking based on multiple
tions. In Proceedings of International Conference description vector quantization. Electronics Let-
on Communications, Circuits and Systems, 1, ters, 40(22), 1409-1410.
566-570.
Petitcolas, F., Anderson, R., & Kuhn, M. (1999).
Linnartz, J., & Dijk, M. (1998, April 15-17). Analy- Information hiding—A survey. Proceedings of
sis of the sensitivity attack against electronic water- IEEE,87(7), 1062-1078.
marks in images. Paper presented at the Workshop
Petrescu, M., Mitrea, M., & Preteux, F. (2005). Low
on Information Hiding, Portland, OR.
rate video protection: The opportunity of spread
Liu, Q., & Jiang, X. (2005). Applications of mobile spectrum watermarking. WSEAS Transactions on
agent and digital watermarking technologies in Communications, 7(4), 478-485.
mobile communication network. In Proceedings
Pfarrhofer, R., & Uhl, A. (2005). Selective image
of the 2005 International Conference on Wireless
encryption using JBIG. In Proceedings of the
Communications, Networking and Mobile Comput-
IFIP TC-6 TC-11 international conference on
ing (pp. 1168-1170).
communications and multimedia security (CMS
Liu, X., & Eskicioglu, A. (2003). Selective encryp- 2005) (pp. 98-107).
tion of multimedia content in distribution networks:
Podesser, M., Schmidt, H., & Uhl, A. (2002). Selec-
Challenges and new directions. In Proceedings of
tive bitplane encryption for secure transmission of
the IASTED International Conference on Com-
image data in mobile environments. In CD-ROM
munications, Internet and Information Technology
Proceedings of the 5th IEEE Nordic Signal Pro-
(CIIT 2003). Scottsdale, AZ: ACTA Press.
cessing Symposium (NORSIG 2002).
Multimedia Encryption
Pommer, A., & Uhl, A. (2003). Selective en- Shi, J., & Bhargava, B. (1998b). An efficient MPEG
cryption of wavelet-packet encoded image data: video encryption algorithm. In Proceedings of the
Efficiency and security. In Proceedings of the 6th ACM International Multimedia Conference,
Communications and Multimedia Security 2003 Bristol, UK (pp. 381-386).
(pp. 194-204).
Song, G., Kim, S., Lee, W., & Kim, J. (2002).
Potlapally, N., Raghunathan, A., & Jha, N. (2003). Meta-fragile watermarking for wireless networks.
Analyzing the energy consumption of security In Proceedings of the International Conference of
protocols. In Proceedings of the 2003 International Communications, Circuits, and Systems.
Symposium on Low Power Electronics and Design,
Sridharan, S., Dawson, E., & Goldburg, B. (1991).
Seoul, Korea (pp. 30-35).
Fast Fourier transform based speech encryption
Raghunathan, A., Ravi, S., Hattangady, S., & Quis- system. IEE Proceedings of Communications,
quater, J. (2003). Securing mobile appliances: New Speech and Vision, 138(3), 215-223.
challenges for the system designer. In Proceedings
Tang, L. (1996). Methods for encrypting and de-
of the 2003 Europe Conference and Exibition in
crypting MPEG video data efficiently. In Proceed-
Design, Automation and Test (pp. 176-181).
ings of the Fourth ACM International Multimedia
Rao, H., Chang, D., Chen, Y., & Chen, M. (2001). Conference (ACM Multimedia’96), Boston, MA
iMobile: A proxy-based platform for mobile (pp. 219-230).
services. In Proceedings of the Wireless Mobile
Tikkanen, K., Hannikainen, M., Hamalainen, T., &
Internet (pp. 3-10).
Saarinen, J. (2000). Hardware implementation of
Salkintzis, A., & Passas, N. (2005). Emerging the improved WEP and RC4 encryption algorithms
wireless multimedia: Services and technologies. for wireless terminals. In Proceedings of European
John Wiley & Sons. Signal Processing Conference (pp. 2289-2292).
Scopigno, R., & Belfiore, S. (2004). Image de- Tosun, A., & Feng, W. (2000). Efficient multi-layer
composition for selective encryption and flexible coding and encryption of MPEG video streams.
network services. In Proceedings of the IEEE IEEE International Conference on Multimedia
Globecom 2004, Dallas, TX. and Expo, 1, 119-122.
Servetti, A., & Martin, J. (2002a). Perception-based Tosun, A., & Feng, W. (2001a). Lightweight secu-
selective encryption of G. 729 speech. Proceedings rity mechanisms for wireless video transmission.
of IEEE ICASSP, 1, 621-624. In Proceedings of International Conference on
Information Technology: Coding and Computing,
Servetti, A., & Martin, J. (2002b). Perception-based
Las Vegas, NV (pp. 157-161).
selective encryption of compressed speech. IEEE
Transactions on Speech and Audio Processing, Tosun, A., & Feng, W. (2001b). On error preserving
10(8), 637-643. encryption algorithms for wireless video transmis-
sion. In Proceedings of the ACM International
Servetti, A., Testa, C., Carlos, J., & Martin, D.
Multimedia Conference and Exhibition. Ottawa,
(2003). Frequency-selective partial encryption of
Ontario, Canada (pp. 302-308). Elsevier Engineer-
compressed audio. Paper presented at the Inter-
ing Information Inc.
national Conference on Audio, Speech and Signal
Processing, Hong Kong. Wee, S., & Apostolopoulos, J. (2001). Secure scal-
able video streaming for wireless networks. In
Shi, C., & Bhargava, B. (1998a). A fast MPEG
Proceedings of the IEEE International Conference
video encryption algorithm. In Proceedings of the
on Acoustics, Speech, and Signal Processing, 4,
6th ACM International Multimedia Conference,
2049-2052.
Bristol, UK (pp. 81-88).
Multimedia Encryption
Chapter XVII
System-on-Chip Design of
the Whirlpool Hash Function
Paris Kitsos
Hellenic Open University (HOU), Patras, Greece
AbstrAct
In this chapter, a system-on-chip design of the newest powerful standard in the hash families, named
Whirlpool, is presented. With more details an architecture and two very large-scale integration (VLSI)
implementations are presented. The first implementation is suitable for high speed applications while
the second one is suitable for applications with constrained silicon area resources. The architecture
permits a wide variety of implementation tradeoffs. Different implementations have been introduced and
each specific application can choose the appropriate speed-area, trade-off implementation. The imple-
mentations are examined and compared in the security level and in the performance by using hardware
terms. Whirlpool with RIPEMD, SHA-1, and SHA-2 hash functions are adopted by the International
Organization for Standardization (ISO/IEC, 2003) 10118-3 standard. The Whirlpool implementations
allow fast execution and effective substitution of any previous hash families’ implementations in any
cryptography application.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
System-on-Chip Design of the Whirlpool Hash Function
respectively). In August 2002, NIST announced the hardware architectures have been also presented.
updated Federal Information Processing Standard The first one (McLoone & McCanny, 2002) is a
(FIPS 180-2), which has introduced another three high speed hardware architecture and the second
new hash functions referred to as SHA-2 (256, 384, one (Pramstaller, Rechberger, & Rijmen, 2006) is
512). In addition, the new European schemes for a compact field-programmable gate array (FPGA)
signatures, integrity, and encryption (NESSIE) architecture and implementation of Whirlpool.
(2004), was responsible to introduce a hash func- Both architectures are efficient for specific appli-
tion with high security level. In February 2003, cations; analytical comparisons with the proposed
it was announced that the hash function included implementations will be given in the rest of this
in the NESSIE portfolio is Whirlpool (Barreto chapter. In addition, comparisons with other hash
& Rijmen, 2003). Finally, the most known hash families’ implementations (Ahmad & Shoba Das,
function is the secure hash algorithm-1 (SHA-1) 2005; Deepakumara, Heys, & Venkatesam, 2001;
(NIST, 1995=http://itl.nist.gov/fipspub/fip180- Dominikus, 2002; Grembowski et al., 2002;
1.htm). However, some security problems have McLoone, McIvor, & Savage, 2005; Sklavos &
been raised as it has already (see Wang, Yin, & Koufopavlou, 2003, 2005; Yiakoumis, Papadoniko-
Yu, 2005) shown. This collision of SHA-1 can be lakis, Michail, Kakarountas, & Goutis, 2005); are
found with complexity less than 269 hash operations. provided. From the comparison results it is proven
This is the first attack on the full 80-step SHA-1 that the proposed implementation performs better
with complexity less than the 280 theoretical bound. and composes an effective substitution of any pre-
A collision in SHA-1 would cast doubt over the vious hash families’ such as MD5, RIPEMD-160,
future viability of any system that relies on SHA-1. SHA-1, SHA-2, and so forth, in all the cases.
The result will cause a significant confusion and The organization of the chapter is the follow-
it will create reengineering of many systems, and ing: In the second section, fundamental for hash
incompatibility between new systems and old. In functions families, is presented. So, the (ISO/IEC)
addition, the National Security Agency (NSA) did 10118-3 standard first is briefly described and sec-
not disclose the SHA-2 design criteria and also its ondly the Whirlpool hash function specifications
design philosophy is similar to the design of SHA-1 are defined. In the third section, the proposed
function. So, the attack against SHA-1 probably architecture and VLSI implementations are pre-
will have affected to the SHA-2 function. Also, sented. Implementation results and discussion
this issue stands for RIPEMD hash families. On (comparison with other works) are reported in the
the other hand, the internal structure of Whirlpool fourth section. Finally, the fifth section concludes
is different from the structure of all the aforemen- this chapter.
tioned hash functions. So, Whirlpool function does
not suffer for that kind of problems and makes it a
very good choice for electronics applications. fundAMEntAls for HAsH
All the afore-mentioned hash functions are functIons
adopted by the International Organization for
Standardization (ISO, 2003) 10118-3 standard. In this section a brief description of the ISO/IEC
In this chapter, an architecture and two VLSI 10118-3 standard is presented. This standard speci-
implementations of the new hash function, Whirl- fies dedicated hash functions. The hash functions
pool, are proposed. The first implementation is suit- are based on the iterative use of a round-function.
able for high speed applications while the second Seven distinct round functions are specified, giving
one is suitable for applications with constrained rise to distinct dedicated hash-functions. Six of
silicon area resources. them are briefly described and at last, Whirlpool
The architecture and the implementations is described in details.
presented here were the first in scientific literature
(Kitsos & Koufopavlou, 2004). Until then, two
System-on-Chip Design of the Whirlpool Hash Function
X0 X1 X2 X3 X4
(befor e r o u n d i )
fi
5 +
S
Zi
S30 +
Ci
W
(after r o u n d i )
X0 X1 X2 X3 X4
X0 X1 X2 X3 X4 X5 X6 X7
e 2 or d 2 e 1 or d 1 e 3 or d 3 +
Zi
e 0 or d 0 +
Ci
+
W1
W2
+
X0 X1 X2 X3 X4 X5 X6 X7
System-on-Chip Design of the Whirlpool Hash Function
the preprocessing stage, the message is padded, Τhe round-function of RIPEMD-160 is de-
parsed into m-bit blocks and initialization values are scribed in terms of operations on 32-bit words. A
been set in order to hash computation. A message sequence of functions g0, g1, ., g79 is used in this
scheduler divides the m-bit block into 16 words and round-function, where each function gi, 0 ≤ i ≤
prepares a message schedule by passing one word 79, takes three words X1, X2 and X3 as input and
at a time. A series of hash values are generated produces a single word as output. Two sequences of
iteratively from functions, constants, and word constant words C0, C1, ., C79 and C’0, C’1, ., C’79 are
operations and the final hash value is the message used in this round-function. Besides, two sequences
digest. SHA-256 requires 64 transformation steps of 80 shift-values are used in this round-function,
(round-functions) while SHA-512 requires 80 round where each shift-value is between 5 and 15. The
function transformations. diagram of the RIPEMD-160 round function is
SHA-384 uses exactly the same round func- illustrated in Figure 3.
tion as SHA-512 and requires 80 round function As Figure 4 shows, the round-function of
transformations. Only the initialization values are RIPEMD-128 is described in terms of operations
different. The 384-bit message digest is obtained on 32-bit words. A sequence of functions g0, g1,
by truncating the SHA-512-based hash output to ., g63 is used in this round-function, where each
its left-most 384-bit. function gi, 0 ≤ i ≤ 63, takes three words X1, X2 and
RIPEMD-160 and RIPEMD-128 replaces the X3 as input and produces a single word as output.
previous published version of RIPEMD and over- Two sequences of constant words C0, C1, ., C63 and
comes the security problems that they have raised C’0, C’1, ., C’63 are used in this round-function.
(see Dobbertin, 1997). The main design principle of Two sequences of 64 shift-values are also used
both hash functions is to maximize the confidence in this round-function, where each shift-value is
gained by RIPEMD, but with as few changes as between 5 and 15.
possible to the original structure. The produced
message digest, ranges in length from 128- to 160- whirlpool Hash function
bit, depending on the selected hash function each Specifications
time. These hash functions enable the determina-
tion of a message’s integrity. Any change to the Whirlpool is a one-way, collision resistant 512-bit
message will, with a very high probability, result hash function operating on messages less than 2256
in a different produced message digest. bits in length. It consists of the iterated application
X0 X1 X2 X3 X4
(befor e r o u n d i)
gi
Sti S10
+
W
(after r o u n d i )
X0 X1 X2 X3 X4
System-on-Chip Design of the Whirlpool Hash Function
X0 X1 X2 X3
(befor e r o u n d i)
gi
Zai
+
Ci
S ti
W
X0 X1 X2 X 3 (after r o u n d i)
of a compression function, based on an underlying The key addition σ[k], consists of the bitwise
dedicated 512-bit block cipher that uses a 512-bit addition (XOR) of a key matrix k such as:
key. The Whirlpool is a Merkle hash function
(Menezes, Van Oorschot, & Vastone, 1997) based
[k ](a ) = b ⇔ bij = a ij ⊕ k ij , 0 ≤ i, j ≤ 7
on a 512-bit block cipher, W, using a chained 512-
bit key state, both derived from the input data. (2)
The round function, of the W, is operating in the
Miyaguchi-Preneel mode (Menezes et al.) as shown This mapping is also used to introduce round
in Figure 5. constants in the key schedule. The input data
As Figure 5 shows, a 512-bit data block, mi, (hash state) is internally viewed as a 8x8 matrix
with a 512-bit key, hi-1, is used for the operation over GF(28). Therefore, 512-bit data string must
of W block cipher. The output of the block cipher be mapped to and from this matrix format. This
with the original input data block and also with can be done by function μ such as:
the input key are all together XORed in order to
produce the hash value, hi. This hash value is used (a) = b ⇔ bij = a 8i + j , 0 ≤ i, j ≤ 7 (3)
as a key in the next input data block.
In the rest of this chapter, the round function of The first transformation of the hash state is
the block cipher, W, is defined. The block diagram through the non-linear layer γ, which consists of the
of the W block cipher basic round is depicted in parallel application of a non-linear substitution S-
Figure 6. The round function, ρ[k], is based on Box to all bytes of the argument individually. After,
combined operations from three algebraic func- the hash state is passed through the permutation
tions. These functions are the non-linear layer γ, π that cyclical shifts each column of its argument
the cyclical permutation π, and the linear diffusion independently, so that column j is shifted down-
layer θ. So, the round function is the composite wards by j positions. The final transformation is
mapping ρ[k], parameterized by the key matrix k, the linear diffusion layer θ, which the hash state is
and given by the following equation. multiplied with a generator matrix. The effect of θ
is the mix of the bytes in each state row.
[k ] ≡ [k ] (1) So, the dedicated 512-bit block cipher W[K],
parameterized by the 512-bit cipher key K, is
defined as:
Symbol “ ” denotes the sequential opera-
tion of each algebraic function where the right
function is executed first.
W [K ] = (O 1
r=R
)
[Κ r ] [Κ 0 ]
(4)
0
System-on-Chip Design of the Whirlpool Hash Function
h i-1
512
W block cipher So, the Whirlpool iterates the Miyaguachi-
Preneel hashing scheme over the t padded blocks
512 mi, 1 ≤ i ≤ t , using the dedicated 512-bit block
cipher W:
XOR
512 ni = (mi ),
hi H 0 = ( IV ),
H i = W [ H i −1 ](ni ) ⊕ H i −1 ⊕ ni , 1 ≤ i ≤ t
where, the round keys K0,…, K R are derived from (7)
K by the key schedule. The default number of
rounds is R=10. The key schedule expands the where, IV (the Initialization Vector) is a string of
512-bit cipher key K onto a sequence of round 512 0-bits.
keys K0,…, K R as: As Equations 4 and 5 show the internal block
cipher W, comprises of a data randomizing part
and a key schedule part. These parts consist of the
K0 = K same round function.
K r = [c r ]( K r −1 ), r > 0 (5) Before being subjected to the hashing operation,
a message M of bit length L<2256 is padded with a
The round constant for the r-th round, r>0, is a 1-bit, then as few 0-bits as necessary to obtain a
matrix cr defined by substitution box (S-Box) as: bit string whose length is an odd multiple of 256,
Figure 6. Block diagram of the W basic round with algebraic functions transformations
Input
I n p u t S tate O u tp u t S tate
512
s 0, 0 s 0, 1 s 0, 6 s 0, 7 s ’0, 0 s ’0, 1 s ’0, 6 s ’0, 7
s 1, 0 s 1, 7 s ’1, 0 s ’1, 7
non-linear layer
s 6, 0 s 6, 7 s ’6, 0 s ’6, 7
I n p u t S tate O u tp u t S tate s 7, 0 s 7, 1 s 7, 6 s 7, 7 s ’7, 0 s ’7, 1 s ’7, 6 s ’7, 7
512
s 0, 0 s 0, 1 s 0, 6 s 0, 7 s 0, 0 s 7, 1 s 2, 6 s 1, 7
s 1, 0 s 1, 7 s 1, 0 s 2, 7
permutation
s 6, 0 s 6, 7 s 6, 0 s 7, 7
s 7, 0 s 7, 1 s 7, 6 s 7, 7 s 7, 0 s 6 , 1 s 1, 6 s 0, 7
I n p u t S tate O u tp u t S tate
512
s 0, 0 s 0, 1 s 0, 6 s 0, 7 s ’0, 0 s ’0, 1 s ’0, 6 s ’0, 7
s 1, 0 s 1, 7 s ’1, 0 s ’1, 7
diffusion layer
s 6, 0 s 6, 7 s ’6, 0 s ’6, 7
I n p u t S tate O u tp u t S tate
512 s 7, 0 s 7, 1 s 7, 6 s 7, 7 s ’7, 0 s ’7, 1 s ’7, 6 s ’7, 7
O u tp u t
k 7, 0 k 7, 1 k 7, 2 k 7, 3 k 7, 4 k 7, 5 k 7, 6 k 7, 7
System-on-Chip Design of the Whirlpool Hash Function
Figure 7. Whirlpool hash function architecture function is shown in Figure 7. The Pad Component
pads the input data and converts them to n-bit
M essage n padded message. In the proposed architecture an
256 interface with 256-bit input for Message is con-
sidered. The input n, specifies the total length of
P ad C om pone nt
the message. The padded message is partitioned
mi
512 H t-1 into a sequence of t 512-bit blocks m1, m2, … , mt.
This sequence is then used in order to generate a
new sequence of 512-bit string, H1, H2, … , Ht in
W
the following way. mi is processed with Hi-1 as key,
and the resulting string is XORed with mi in order
to produce the Hi. H0 is a string of 512 0-bits and
W o ut
Ht is the hash value.
XOR
The block cipher W, is mainly consists of the
512
round function ρ. The implementation of the round
Ht function ρ is illustrated in Figure 8.
The non-linear layer γ, is composed of 64 sub-
stitution tables (S-Boxes). The internal structure of
the S-Box is shown in Figure 8. It consists of five
and finally with the 256-bit right-justified binary 4-bit mini boxes E, E-1, and R. These mini boxes
representation of L, resulting in the padded message can be implemented either by using look-ip-tables
m, partitioned in t blocks m1, m2, ... , mt. (LUTs) or Boolean expressions. Next, the cyclical
permutation π, is implemented by using combina-
tional shifters. These shifters are cyclically shift (in
wHIrlPool ArcHItEcturEs And downwards) each matrix column by a fixed number
vlsI IMPlEMEntAtIons (equal to j), in one clock cycle. The linear diffusion
layer θ, is a matrix multiplication between the hash
In this paragraph the proposed architecture and state and a generator matrix. In Barreto and Rijmen
implementations are explained in detail of the (2003) an efficient method is provided in order to
hash function Whirlpool. A general diagram of implement the matrix multiplication. However, in
the architecture that performs the Whirlpool hash this chapter an alternative way is proposed which
Equation 8.
bi 0 = ai 0 ⊕ ai1 ⊕ ai 3 ⊕ ai 5 ⊕ ai 7 ⊕ X [ai 2 ] ⊕ X 2 [ai 3 ⊕ ai 6 ] ⊕ X 3[ai1 ⊕ ai 4 ]
bi1 = ai 0 ⊕ ai1 ⊕ ai 2 ⊕ ai 4 ⊕ ai 6 ⊕ X [ai 3 ] ⊕ X 2 [ai 4 ⊕ ai 7 ] ⊕ X 3[ai 2 ⊕ ai 5 ]
bi 2 = ai1 ⊕ ai 2 ⊕ ai3 ⊕ ai 5 ⊕ ai 7 ⊕ X [ai 4 ] ⊕ X 2 [ai5 ⊕ ai 0 ] ⊕ X 3[ai3 ⊕ ai 6 ]
bi 3 = ai 0 ⊕ ai 2 ⊕ ai 3 ⊕ ai 4 ⊕ ai 6 ⊕ X [ai5 ] ⊕ X 2 [ai 6 ⊕ ai1 ] ⊕ X 3[ai 4 ⊕ ai 7 ]
bi 4 = ai1 ⊕ ai3 ⊕ ai 4 ⊕ ai 5 ⊕ ai 7 ⊕ X [ai 6 ] ⊕ X 2 [ai 7 ⊕ ai 2 ] ⊕ X 3[ai 5 ⊕ ai 0 ]
bi 5 = ai 0 ⊕ ai 2 ⊕ ai 4 ⊕ ai 5 ⊕ ai 6 ⊕ X [ai 7 ] ⊕ X 2 [ai 0 ⊕ ai 3 ] ⊕ X 3[ai 6 ⊕ ai1 ]
bi 6 = ai1 ⊕ ai 3 ⊕ ai 5 ⊕ ai 6 ⊕ ai 7 ⊕ X [ai 0 ] ⊕ X 2 [ai1 ⊕ ai 4 ] ⊕ X 3[ai 7 ⊕ ai 2 ]
bi 7 = ai 0 ⊕ ai 2 ⊕ ai 4 ⊕ ai 6 ⊕ ai 7 ⊕ X [ai1 ] ⊕ X 2 [ai 2 ⊕ ai 5 ] ⊕ X 3[ai 0 ⊕ ai 3 ]
System-on-Chip Design of the Whirlpool Hash Function
E E -1
In p u t
512
R
S S S
64
512
E E -1
X3 X2 X
R ou n d 512
K ey
xo r [k ] b i0
512
512
O u tp u t
is suitable for hardware implementation. The bitwise XORed with the cr constant. A round key
transformation expressions of the diffusion layer is produced, on the fly, in one clock cycle. Each
are given next. (See Equation 8.) produced round key is used in the next clock cycle
Bytes bi0, bi1, bi2,… , bi7 represent the eight (through the multiplexer) for the production of the
bytes of the i row of the output of the layer θ hash next round key. In the data randomizing data path,
state. Table X implements the multiplication by the hash state of the θ layer is bitwise XORed with
the polynomial g(x)=x modulo (x8+x4+x3+x2+1) the appropriate round key. After, the intermediate
in GF(28). Table X2 is defined as X 2 ≡ X X feedback data are used as input to the next round
and X3 as X 3 ≡ X X X . In Figure 8, the (through the multiplexer). After 10 execution rounds
implementation of the output byte bi0 is depicted the Output Register latches the temp value. This
in details. The other bytes are implemented in a is bitwise XORed with the Hi-1 value in order to
similar way. The key addition (σ[k]) consists of compute the Wout.
eight 2-input XOR gates for any byte of the hash In a clock cycle, one execution round is executed
state. Every bit of the round key is XORed with and, simultaneously, the appropriate round key
the appropriate bit of the hash state. is calculated. The system needs 10 clock cycles
The first implementation is depicted in Figure 9. per block. If another block mi+1 is required to be
This implementation has two similar parallel data transformed, the previous process is repeated (by
paths, the data randomizing and the key schedule. using as cipher key the Hi value). So, for t blocks
The implementation details of the non-linear layer the execution time is 10*t clock cycles.
γ, the cyclical permutation π, and the linear dif- The second implementation of the W block
fusion layer θ are shown in Figure 8. The input cipher architecture is shown in Figure 10. This
block mi is set to the Input data simultaneously implementation is suitable for applications with
with the initial vector (IV) to the Key. In the key constrained silicon area resources. The appropri-
schedule data path, the output data of the θ layer is ate key schedule part is integrated with the data
System-on-Chip Design of the Whirlpool Hash Function
Figure 9. The implementation of the W block cipher suitable for high speed applications
In p u t d ata K ey
512 512
512 512
M ux M ux
In p u t In p u t
R eg ister R eg ister
[k ] XOR [k ] XOR
ROM
(c r )
512 512
512
512
feed b ack d ata
feed b ack d ata
r
O u tp u t 1 < = r< = 1 0
R eg ister
te m p
XOR H i-1
512
512
W o ut
randomizing part in order to reduce the required key, which is stored in the RAM. After 10 execution
hardware resources. The execution of the W block rounds the Output Register latches the temp result.
cipher on this implementation is performed in two This result is bitwise XORed with the Hi-1 value (in
phases. In the first phase, the round keys are pro- this case is equal to the IV) in order to compute the
duced and stored in the RAM. In the second phase, Wout. The Wout is XORed with the mi (see figure 7),
the hash value is computed. The algorithm specifies so the final, hash value Hi, is computed.
10 rounds for the hash state. The Input data is the If another block mi+1 is required to be trans-
initialization vector (IV), in order to produce the formed, the previous process is repeated (by using
round keys (first phase). The Input Register is used as cipher key the Hi value). So, for t blocks the
for buffering the algorithm Input data. The output execution time is 20*t clock cycles. This has a
data of the θ layer is bitwise XORed with the cr result the total throughput of this implementation
constant. Each execution round lasts one clock is half than the first implementation; however it
cycle. After the first execution round, the first round needs almost half silicon area.
key is stored in the RAM. It is used as input in the
second execution round, through the multiplexer
(feedback data), for the production of the second IMPlEMEntAtIon rEsults And
round key. This process is repeated 10 times (10 dIscussIon
execution rounds) and lasts 10 clock cycles. The
cr constants are predefined and stored in the ROM. The VIRTEX FPGA device used in order to evalu-
The multiplexer selects during the first phase the cr ate the performance of the proposed implementa-
constants, and during the second phase the round tions. Especially the XC4VLX100 device is used;
keys. The computation of the hash value is taking this device belongs to a new family manufactured
place during the second phase. In this phase, the in 1.2 volts, 90nm triple-oxide technology and
Input data is the mi block. The output data of the θ offers twice the performance, twice the density,
layer is bitwise XORed with the appropriate round and less than one-half the power consumption of
System-on-Chip Design of the Whirlpool Hash Function
Figure 10. The implementation of the W block clock management, and digital signal process-
cipher suitable for applications with con- ing. In Figure 11 the DSP48 slice architecture is
strained silicon area resources depicted. The Virtex-4 DSP slices are organized
as vertical DSP columns. Within the DSP column,
In p u t d ata
two vertical DSP slices are combined with extra
512
512 logic and routing to form a DSP tile. The DSP tile
M ux is four CLBs tall. Each DSP48 slice has a two-input
multiplier followed by multiplexers and a three-
In p u t
R eg ister
input adder/subtractor. The multiplier accepts two
18-bit, two’s complement operands producing a
36-bit, two’s complement result. The result is a
sign extended to 48 bits that can optionally be fed
to the adder/subtractor. The adder/subtractor ac-
cepts three 48-bit, two’s complement operands, and
ROM
M 512
(c r ) produces a 48-bit two’s complement result. Higher
[k ] XOR u level DSP functions are supported by cascading
512 x
512 512 individual DSP48 slices in a DSP48 column. One
RAM
feed b ack d ata input (cascade B input bus) and the DSP48 slice
512
r
output (cascade P output bus) provide the cascade
O u tp u t
R eg ister
capability.
te m p The XC4VLX100 device used in this chapter
XOR H i-1 contains 96 DSP48 slices.
512
512 Each one of the proposed implementations was
W o ut
captured by using VHSIC hardware description
language (VHDL), with structural description
logic. Both implementations were simulated to
previous-generation devices. The basic building operating correctly by using the test vectors which
block of these devices is the DSP48 slice (see are provided by the NESSIE submission package
Xilinx, 2006). The purpose of this module is to (NESSIE, 2004), and the ISO/IEC 10118-3 standard
deliver off-the-shelf programmable devices with (ISO, 2003). Parts of the proposed implementations
the best mix of logic, memory, I/O, processors, were designed by using two alternative techniques.
18
36 48
18 36
x
48
18
A c In
72
x
18 36
b 48
48 y +/- P
z Er o 48
s ubtrAct
48
c 48
z
48 18
48
48
b c In w ire s hift r ight b y 1 7 -bit
Pc In
c a s c a de In from P re v ious s lic e
System-on-Chip Design of the Whirlpool Hash Function
The 4-bit mini boxes (E, E-1, and R) were designed the LB implementation throughput is 17.2 Gbps at
by using LUTs and Boolean expressions. The usage 337 MHz. The 2nd implementation was designed
of FPGA-LUTs does not increase the algorithm in order to support applications with area restrict
execution latency. Besides, the LUTs are imple- requirements. It demands 20 clock cycles for each
mented by using function generators. So, for the data block and requires less hardware resources.
implementation of the Whirlpool hash function The BB implementation throughput is 7 Gbps at 275
four alternative solutions are proposed. MHz clock frequency and the LB implementation
Two performance metrics are considered: throughput is 8 Gb/s at 313 MHz.
the area utilized and the throughput achieved by In McLoone et al. (2005) two Whirlpool hash
the implementations. The measurements of the hardware implementations are presented. In the
performance analysis are shown in Table 1. And first one, two rounds of the block cipher W are
also, comparisons with other Whirlpool hash unrolled and during one clock cycle two rounds
hardware implementations (McLoone et al., 2005; are performed. This method reduces the overall
Pramstaller et al., 2006) are given. We symbolized latency of the design, but it will also result in a
as Boolean expressions based (BB) the mini boxes reduction in frequency. In order to compute the
implementations by using Boolean expressions, and final hash output needs to be iterated five times.
as LUT based (LB) the mini boxes implementations This implementation achieves a throughput equal to
by using FPGA-LUTs. 4896 Mbps at 47.8 MHz. The second one is iterative
Both implementations (1st and 2nd) were implementations with algorithmic latency equal to
realized by the same FPGA device. The algo- 10 clock cycles. The major difference with previous
rithm constants (cr) are stored in a ROM which is and also with author implementations is that use
implemented by using LUT. The 2nd implementa- BRAM in order to implement the S-boxes. The
tion uses a 10x512-bit RAM in order to store the throughput of this implementation is 4790 Mbps
necessary round keys. This RAM is mapped to at 144 MHz. An 68 BRAM is also used.
the 5K bits distributed RAM, and furthermore, In Pramstaller et al. (2006) a very compact
none of the proposed implementations use block Whirlpool hash hardware implementation is dis-
RAM (BRAM). cussed. This design has different philosophy than
The 1st implementation requires 10 clock cycles the implementations in this chapter and uses an
for each block. So, the BB implementation through- innovative state representation that makes it pos-
put is 12 Gbps at 236 MHz clock frequency, and sible to reduce the required hardware resources
System-on-Chip Design of the Whirlpool Hash Function
remarkably. The complete implementation into tions in McLoone et al., to the FPGA character-
XC2VP40 VIRTEX FPGA requires 1456 CLB- istics (due to the high throughput per slice ratio).
slices and no BRAMs. It achieves a throughput The design in Pramstaller et al. (2006) achieves a
equal to 382 Mbps at a clock frequency equal to throughput equal to 382 Mbps at 131 MHz slower
131 MHz. by a factor range from 18 to 45 compared with the
As Table 1 shows that the author’s proposed implementations in this chapter. Although, as I
hardware implementations of the Whirlpool have already mentioned, this design has different
hash function clearly outperforms all the others philosophy and requires only a small amount of
implementations. The proposed implementations hardware resources.
are faster by a factor range from 1.5 to 45 times. Besides, comparisons with some other hash
Especially comparing with implementations in families’ implementations (Ahmad & Shoba Das,
McLoone et al. (2005) some important results can 2005; Deepakumara et al., 2001; Dominikus, 2002;
be extracted. Firstly, the two implementations in Grembowski et al. 2002; McLoone & McCanny,
McLoone et al., use the same FPGA device with 2002; Sklavos & Koufopavlou, 2003, 2005; Yiak-
the proposed implementations reported in this oumis et al., 2005) (the faster implementations of
chapter. So, any comparisons are absolutely fair other hash families’ are collected) are given in Table
and accurate. Secondly, by using FPGA-LUTs 2 in order to have a fair and detailed comparison
much better results are achieved in both time with the proposed implementations.
performance and area requirements. Finally, about From Table 2, it is obvious that the Whirlpool
the ratio throughput per slice, that measures the implementation performs much better in terms of
hardware resource cost associated with the imple- throughput, comparing to all the previous hash fam-
mentation resulting throughput and it is proven ilies published implementations (Ahmad & Shoba
that the proposed implementations in this chapter Das, 2005; Deepakumara et al., 2001; Dominikus,
philosophy matches better than the implementa- 2002; Grembowski et al., 2002; McLoone & Mc-
System-on-Chip Design of the Whirlpool Hash Function
System-on-Chip Design of the Whirlpool Hash Function
Kitsos, P., & Koufopavlou, O. (2004). Efficient 384, 512) hash functions. In IEEE International
architecture and hardware implementation of the Symposium on Circuits and Systems (ISCAS 2003)
whirlpool hash function. IEEE Transactions on (Vol. V, pp. 153-156).
Consumer Electronics, 50(1), 208-213.
Sklavos, N., & Koufopavlou, O. (2005). On the
McLoone, M., & McCanny, J. V. (2002). Efficient hardware implementation of RIPEMD processor:
single-chip implementation of SHA-384 & SHA- Networking high speed hashing, up to 2 Gbps. Com-
512. In IEEE International Conference on Field- puters and Electrical Engineering, 31, 361-379.
Programmable Technology (FPT) (pp. 311-314).
Wang, X., Yin, Y. L., & Yu, H. (2005). Finding col-
McLoone, M., McIvor, C., & Savage, A. (2005). lisions in the full SHA-1. In Advances in cryptology,
High-speed hardware architectures of the whirlpool 25th Annual International Cryptology Conference
hash function. In IEEE International Conference (LNCS 3621, Santa Barbara, CA pp. 17-36).
on Field-Programmable Technology (FPT) (pp.
Xilinx Incorporated. (2006). Silicon solutions—
13-18).
Virtex series FPGAs. Retrieved October 10, 2006,
Menezes, A. J., Van Oorschot, P. C., & Vastone, from http://www.xilinx.com/products/
S. A. (1997). Handbook of applied cryptography.
Yiakoumis, I., Papadonikolakis, M., Michail, H.,
CRC Press.
Kakarountas, A. P., & Goutis, C. E. (2005). Ef-
National Institute of Standards and Technology ficient small-sized implementation of the keyed-
(NIST). (1995, April 17). SHA-1 standard, secure hash message authentication code. In IEEE 2005
hash standard (FIPS PUB 180-1). Retrieved April International Conference on “Computer as a tool”
17, 1995, from http://www.itl.nist.gov/fipspubs/ (EUROCON) (pp. 1875-1878).
fip180-1.htm
National Institute of Standards and Technology
(NIST). (2002, August 1). SHA-2 standard, secure kEy tErMs
hash standard (FIPS PUB 180-2). Retrieved August
1, 2002, from http://csrc.nist.gov/publications/fips/ Cryptography: In modern times, cryptography
fips180-2/fips180-2.pdf has become a branch of information theory, as the
mathematical study of information and especially
National Institute of Standards and Technology
its transmission from place to place. Cryptography
(NIST). (2005, December). SP800-77, Guide to
is central to the techniques used in computer and
IPSec VPN’s. Retrieved December 2005, from
network security for such things as access control
http://csrc.nist.gov/publications/nistpubs/800-77/
and information confidentiality.
sp800-77.pdf
DSP48 Slice: DSP48 slice is the basic building
New European scheme for signatures, integrity,
block of XILINX VIRTEX-4 FPGAs.
and encryption (NESSIE). (2004). Retrieved March
2004, from https://www.cosic.esat.kuleuven. Field-Programmable Gate Array (FPGA)
ac.be/nessie Device: FPGA device is a semiconductor device
used to process digital information, similar to a
Pramstaller, N., Rechberger, C., & Rijmen, V.
microprocessor. It uses gate array technology that
(2006). A compact FPGA implementation of the
can be reprogrammed after it is manufactured,
hash function whirlpool. In 14th ACM/SIGDA In-
rather than having its programming fixed during the
ternational Symposium on Field-Programmable
manufacturing—a programmable logic device.
Gate Arrays - FPGA (pp. 159-166). ACM Press.
Sklavos, N., & Koufopavlou, O. (2003). On the
hardware implementation of the SHA-2 (256,
System-on-Chip Design of the Whirlpool Hash Function
0
Section II
Security in 3G/B3G/4G
Chapter XVIII
Security in 4G
Artur Hecker
Ecole Nationale Supérieure des Télécommunications (ENST), France
Mohamad Badra
National Center for Scientific Research, France
AbstrAct
The fourth generation (4G) of mobile networks will be a technology-opportunistic and user-centric
system combining the economic and technological advantages of different transmission technologies to
provide a context-aware and adaptive service access anywhere and at any time. Security turns out to be
one of the major problems that arise at different interfaces when trying to realize such a heterogeneous
system by integrating the existing wireless and mobile systems. Indeed, current wireless systems use
very different and difficult to combine proprietary security mechanisms, typically relying on the associ-
ated user and infrastructure management means. It is generally impossible to apply a security policy
to a system consisting of different heterogeneous subsystems. In this chapter, we first briefly present the
security of candidate 4G access systems, such as 2/3G, wireless LAN (WLAN), WiMax, and so forth. In
the next step, we discuss the arising security issues of the system interconnection. We namely define a
logical access problem in heterogeneous systems and show that both the technology-bound, low-layer
and the overlaid high-layer access architectures exhibit clear shortcomings. We present and discuss
several proposed approaches aimed at achieving an adaptive, scalable, rapid, easy-to-manage, and
secure 4G service access independently of the used operator and infrastructure. We then define general
requirements on candidate systems to support such 4G security.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in 4G
Table 1. Ten years cycles in the mobile networks (from a European view)
Year Milestone Cycles
1981 Commercial deployment of NMT: 1G start
1982 Creation of Groupe Spécial Mobile at CEPT
1G to 2G: 10 years
Security in 4G
wide-range (GSM 900) and dense-area (GSM Table 1 summarizes the history of the PLMN
1800/1900) deployments respectively. The first development from the European point of view as
commercial GSM services were launched in the presented in Pereira (2000). In particular, it illus-
middle of 1991, thus marking the start of the second trates the repeating approximate 10-year cycles
generation (2G) era. both in the conception phases and in the genera-
GSM was the first completely digital PLMN. tion lifetimes.
It is thus naturally a revolutionary approach, as
compared to its analog predecessors. GSM defines the third generation of PlMn
a series of improvements and innovations com-
pared to previous cellular networks; aiming for The 3G of mobiles was expected to be the future
an efficient use of the available spectrum; secure global standard for the integrated voice and data
transmissions; an improvement in voice quality; communications. 3G was designed in the last de-
a reduction in the cost of handsets (using very cade of the 20th century with the goal to provide
large-scale integration [VLSI]); infrastructure and enhanced wide-range voice and data services. But
management; an ability to support new services; it turns out that it changes little in the actual user
and a full compatibility with Integrated Services experience.
Digital Network (ISDN) and with other data trans- Technically, 3G design mainly aimed at the im-
mission networks. Another basic characteristic of provement of the radio link performance in the 2G
the system is called international roaming, that is, scope. Although the developed standard features
the possibility for the mobile user to access GSM drastically improved data rates as compared to
service even when he/she finds himself/herself 2G, from the point of view of the data services the
physically outside the coverage area for which practically offered data rates can be still considered
he/she is subscribed, registering as a “visitor.” scarce. This can be observed in a direct compari-
Provided that the necessary business contracts son to the development of the wired technologies
exist, the roaming is completely automatic. In ad- providing home Internet access. From 1994 until
dition to roaming, GSM offers new user services, 2004, the phone-line Internet access technologies
including data transmission, fax service, and short have evolved from V.34 modems (28.8 kbps) over
message service (SMS). V.90 (56 kbps) to cable (1-2 Mbps shared) and ADSL
Thus, in Europe one completely new standard (originally 500 kbps, 2004 up to 10 Mbps). This
has replaced different existing ones. Almost the means an almost 350-fold increase in 10 years. In
contrary happened in the U.S.: the quasi unique the same period, the data rate of the wireless cel-
AMPS has been replaced by a variety of (at least lular access has not been able to keep up the pace.
partially) incompatible, (partially) digital systems: From the original GSM CSD service introduced in
N-AMPS, D-AMPS (IS-54, IS-136), PCS (IS-95), 1994 and providing 9.6 kbps, the cellular systems
GSM 1900, Omnipoint, and PACS. evolved over General Packet Radio Service (GPRS)
The variety of incompatible networks and the (about 64 kbps in practice) to EDGE/cdma2000
increasing popularity of data services have moti- RTT-1X (typically about 100-130 kbps). The 3G
vated and much influenced the work on the third (e.g., UMTS) provides about 300 kbps in practice.
generation (3G) of mobiles. In 1992, at the same time This corresponds to a 30-50 fold increase in the
as the commercial deployment of first 2G networks same decade. Moreover, the provided data rates
started, the International Telecommunications highly depend on the network operator’s overall
Union (ITU) allocated frequency ranges for the capacity, the number of users in the cell and the
next generation of PLMN (then called FPLMTS) distance to the base station.
thus providing an international common base for However, the relatively limited data rate is not
the 3G. Finally, in 2002 the first commercial 3G the only problem of the 3G data service. Because
networks were commercially deployed in Japan. of the vast, national-scope infrastructure, and
many intermediate nodes, the user experiences
Security in 4G
high network latency (e.g., from the point of view ms in order to provide a fair chance of winning
of IP, the whole 3G infrastructure is one link). and a good game experience.
GRPS and EDGE often exhibit network round Furthermore, by its design 3G targets telecom-
trip times (RTT) of 600 ms and more. UMTS munications providers. Like 2G, 3G uses a license
links are expected to be better, but they still have model to prevent random medium access by non-
RTT of about 200-250 ms. The wideband code authorized parties. Since the licenses are expensive
division multiple access (W-CDMA)/high speed (Van Damme, 2002), in reality this implies a major
downlink packet access (HSDPA) service, defined telecom operator with a mammoth infrastructure
in the fifth release, is expected to have more than behind every 3G RAN. To fulfill the requirements
100 ms RTT, that is, almost an Internet-level RTT. of such an authority, the 3G RANs are designed
Such high network latencies are inappropriate for to be reliable and manageable and to support dif-
certain application classes: interactive applica- ferent qualities of service. This justifies the high
tions imply latency constraints that typically lie cost of the 3G equipment. At the same time, this
under the 300-400 ms overall RTT proposed by limits the competition on the market to few license
3G (the end system is not necessarily within the holders who not only have invested a lot in the
UMTS backbone and thus the typical Internet infrastructure but also have paid a high price for
RTT of about 100-200 ms has to be added to the the license. The operators have to amortize this
3G latency). For example, voice over IP (VoIP) fixed cost and the current variable maintenance and
and similar applications (videoconferencing, management cost over the user services provided
etc.) require an RTT to be under 250 ms; in some by the infrastructure. Thus, 3G RAN access is
existing popular interactive online games (e.g., id likely to remain costly. It is unclear if attractive
Software’s Quake, etc.), the maximal acceptable unlimited flat-line pricing models (like in xDSL)
RTT to the game server is required to be under 100 are applicable to such infrastructures. Current per
Security in 4G
byte (or even per minute!) pricing seems hardly cated thoughts about beyond 3G (B3G) and 4G
suitable for the always-on paradigm. systems appeared in the international research
A consequent national-scope investment is press about 2000-2001 (Bria et al., 2001; Evans
needed for 3G advantages to materialize (both for & Baughan, 2000; Pereira, 2000; Raivio, 2001;
users and for providers). This is however difficult Varshney & Jain, 2001), that is, just before the first
to afford, especially in developing countries where commercial 3G networks were deployed in Japan.
big investments are particularly risky. In a focused In 2000, the WRC allocated 3G extension bands,
coverage, 3G comes at a very high cost per bit which were to be used in the B3G scope. All this
compared to other, more data-centric technologies corresponds to the 10-year cycles illustrated in
like local or metropolitan area networks. That is one Table 1.
of the reasons why the 3G systems had a difficult Continuing along this line, the concrete shapes
start. They are primarily being deployed in Japan, of 4G should be clarified by the end of 2007 and
South Korea, Taiwan, Hong Kong, Indonesia, a few the active 4G vision refinement should start about
countries of South America, Australia, New Zea- 2007-2008. This should be finished roughly by
land, western Europe, and North America (CDMA 2010, with several detail issues being addressed in
Development Group, n.d.; GSM Association, n.d.). the following years. The first commercial systems
Figure 1 (GSM Association, n.d.) summarizes the could then be operational by 2012. However, this
actual and planned commercial launches of the presumes that no additional delays occur.
3G system from the 2004 European point of view
(W-CDMA/UMTS). It shows that the developed Possible delays
countries prevail.
Although the slow 2G-3G transition process At least in Europe and in the U.S., the 3G deploy-
started in 2003-2004, so far the 3G systems do ment seems to be delayed. Indeed, by the end of
not seem suitable to provide a broadband data 2004, not all western European countries started
access service deployment. In the developed the 3G deployment. Also, the deployment process
world, these are often considered technologically is starting quite slowly, often being limited to some
inadequate (users perceive it as a better 2G). For few centers. The critics of 3G claim that the rea-
the developing world, the technology needs major sons for this could be in the developed technology
investments. Thus, a new, more flexible technology itself. Indeed, one could argue that 3G (in Europe:
is necessary, allowing new usage scenarios and UMTS) is too complicated and too costly to become
business models. successful. One could also criticize the fact that
the original goal of creating one common global
the Anticipated 3g to 4g transition standard has not been achieved since different con-
current versions of 3G are being standardized and
In regards to 3G, the observed 10-year cycles seems deployed, in some extreme cases within the same
to continue. The first research concepts aiming country (e.g., Japan has deployed both cdma2000
at 3G appeared about 1989. The spectrum was and W-CDMA). However, the deployment of the
reserved by ITU-R’s World Radiocommunication alternative technologies (like e.g., 802.11 hotspots
Conference (ITU-R Radiocommunication Confer- or WiMax) also lags behind the expectations that
ence, 1992), that is, at the same time as the first 2G have predicted a WiFi-boom and hotspot number
networks were deployed. The active technological explosions by 2005, which so far have failed to
development of 3G started with the creation of the become true. There is no doubt about the popular-
UMTS task force in 1996 and culminated in the ity of WiFi. However it is not booming, it is being
UMTS decision in 1999. The largest parts of the carefully developed. The real reasons thus could
standards were accomplished by then. be either of a social (e.g., a simple current disinter-
Consequently, the first projects naming fourth est in mobile data) or of an economic nature (too
generation (4G) started in 1999 and the first dedi- costly in deployment, too risky for operators; too
costly, too complicated for users, etc.).
Security in 4G
Security in 4G
The obviously challenging scenario is to provide Big telcos will try to reduce their service cost by
users with a bidirectional communications possi- integrating alternative transmission technologies
bility to their personal Intranets independently of as radio access networks (RAN) into their 3G
their location (anywhere), thus combining the two infrastructure (e.g. UMA-like). However, this
topics discussed previously. These WAN/MAN/ integration will still be much more complicated
LAN/PAN spanning communication sessions have and costly than a new deployment possible for a
to be secure, reliable, and economically reasonable. small wireless internet service provider (WISP).
Also, communications become ubiquitous. The At the same time, the small WISPs will encounter
used technology needs to be able to reply to this increasing management problems with the grow-
challenge, providing the best available connection ing user basis and the user traffic. It will hardly
anytime, any place. Existing standards do not al- be reasonable to add a 3G infrastructure upon the
low for this usage. existing one as the control plane. Given the lack of
However, it is not a matter of contention between standardized methods, the alternative infrastruc-
these existing standards. They are more and more tures are thus likely to be managed in a proprietary
understood as complementary. Indeed, the WLANs way, requiring specific access methods. This will
can easily provide a true LAN experience in limited produce the demand for standardization.
areas at a low cost while 3Gs RANs are designed Because of the true need for mobile broadband
to provide true mobility, quality of services and data access and the scarce spectrum of 2G, the 3G
vast coverage. The idea to try to integrate both will be eventually deployed in the business centers
technologies is thus straightforward. of the developed countries despite the currently
Taking into account the previously observed observed delays. In Europe, this process could be
cycles and the current delays, we could try to com- further promoted by governmental policy in some
pile a prognosis on the B3G and 4G development countries planning to partly reimburse some license
in the next decade. The current situation and our fees. However, the delays and the high license fee
forecast are illustrated in Table 2. (Van Damme, 2002) have already motivated the
The convergence between the different in- development of and the investments in the alterna-
frastructures will start because of the economic tive transmission technologies, for example, IEEE
and technological limits of the used technologies. 802.11 and IEEE 802.16.
Table
Table 2.
1. Possible 3Gdevelopment
Possible 3G developmentin in
thethe
nextnext years
years
Year Milestone Cycles
2003 European 3G start
Until
Different 4G visions and early 4G research projects
2005
2006 3G deployment in all business areas in the developed world
3G to 4G: 10 years
Security in 4G
This development, if commercially success- (e.g., 4G forum) that will be given the task of 4G
ful, will lead to a situation with several parallel system standard development. Based on the situ-
infrastructures installed in the European centers ation and the previously accomplished research, it
by 2008-2009. While the 3G infrastructures will could produce mature system drafts by 2012 and
be homogeneous, they are likely to remain more the first commercial 4G deployments could start
expensive. The alternative offerings will be cheaper about 2014.
but are not likely to provide neither the same service
quality nor the same coverage. Because of the re- our 4g vision
quired spectrum licenses, the same national-scope
operators will own the 3G systems. The alternative Our vision is motivated by the previous work and
technologies are license-free and thus enable a free the ongoing development of the global telecommu-
network deployment. These can be owned by both nications networks, in particular of the Internet. It
global big telcos and small local WISPs. respects the fact of the proliferation of the Internet
Users will buy newer products equipped with technology in all telecommunications branches
further wireless technologies. Deploying these and is similar to the All-IP approach when used
products at home, users will be interested in access- for data transport.
ing the combined service offers. Different devices Learning from 2G and 3G experiences, 4G
will be capable of several access methods (e.g., a envisages an architecture that allows the maxi-
wireless ADSL router). Users will be incited to mum possible infrastructure reuse. The idea is to
open their hotspots for the usage by the others. For minimize a risky engagement with a particular
instance, a major French telecom provider proposes technology and to guarantee the long-term flexibil-
a reimbursement plan for its ADSL users if they ity for the involved authorities. We believe that the
provide WLAN access to its cellular customers over versatility here can provide an enhanced flexibility
such devices. At the same time, alternative technol- both technologically and from the business point
ogy operators are forming roaming organizations of view. This ultimately market-driven solution
and user communities, aiming for the same results should be capable of providing any service in any
(see WeROAM, Fon communities, etc.) manner, restricted solely by user’s demand and not
Meanwhile, the research will push towards uni- by any technological factors.
fied and concrete B3G and 4G views. To protect the
investments, the deployed alternative infrastruc- From Service-Centric to Data-Centric
tures are likely to be given the necessary attention Approaches, from Technology-Centric to
in this development process. The result will likely
User-Centric Approaches
be a system providing for a convergence between
the different technologies.
The classic telecommunications industry ap-
While the new 4G architecture is being con-
proach dominated by the national-scope telecom
ceived and is maturing technologically, 3.5G sys-
operators with the well-managed infrastructures
tems are likely to appear on the market by 2010 at
currently cannot provide a cost-effective focused
the latest, filling the gap between LAN-experience
access to Internet services. This is particularly true
and manageable. These updates of the radio link
for the developing countries where neither new
and of the backbone infrastructure could provide
installations nor massive updates of the existing
the basis for the later expected 4G much in the
infrastructure can be afforded.
same manner as GPRS/EDGE (2.5G) have required
In its initial collaborative work, the telecom-
and accomplished the necessary infrastructural
munications industry was much influenced by
changes for the transition process from 2G to 3G.
the dominating demand for the voice telecom-
The commercial and technological convergence
munications. The 1G and 2G systems were origi-
and the available B3G systems will provide the
nally designed to provide one single service: the
drivers for the establishment of an industry group
mobile voice telephony. Their system design was
Security in 4G
service-oriented. As a result, the conceived core available service. Choice, as the driving factor for
infrastructure is circuit-oriented and the wireless the competition, plays a crucial role in this scope
link’s capacity is tailored to the voice-implied since it results in better and cheaper technology.
bandwidth requirements. Due to these properties, From the system’s point of view, the resulting
2G currently provides a reliable voice service; it is overall architecture delivers very different ser-
however quite difficult to reuse this infrastructure vices through completely heterogeneous access
for other purposes. However, deploying a new networks (ANs). User-oriented design has to cope
infrastructure for every service is not scalable with the question how to manage the system and
and financially impossible. Especially with the how to provide user services with an expected
modern digital technologies, it is much more quality. The management is important because a
efficient to reuse the same infrastructure for dif- good management reduces the operational costs.
ferent services. The provision of the expected quality is the main
3G development is an example of a network- factor for the user satisfaction.
oriented design process (sometimes also called Such architecture could help to achieve more
operator-oriented design). It is a step ahead from infrastructural and architectural flexibility provid-
the service-oriented design of the 2G system since ing a free technology choice for the local operators
it explicitly provides for infrastructure reuse for and thus, in the final run, reducing the costs and
various services. Principally aiming at opera- offering more choices for the users. By featuring
tors and networks, such design tries to respond more flexibility, this step to further diversifica-
to operator’s management requirements. It thus tion gives new opportunities and could help, for
specifies parts of the network core, producing example, to reduce the cost or to mitigate some
homogeneous technologies comprising everything aspects of the digital divide problem.
the operator has requested. According to this design At the same time, this task is not technologi-
paradigm, the 3G technologies deliver voice and cally simple. As could be seen from the previous
data within the same infrastructure. In presence examples, the service-oriented design approach is
of an existing voice-oriented 2G infrastructure a straightforward technological way to conceive a
this renders the only added service—the mobile network dedicated to the needs of one single ser-
broadband data—quite expensive in itself. The vice. Provision of more services within the same
operators have to amortize the network deployment infrastructure makes it more difficult to assure
and the license cost over the new service. Thus, that every service individually is provided in a
from the user’s point of view, this new service is satisfactory way. We can generally allege that the
often perceived as too expensive. QoS in the multi-services network is more difficult
To be able to provide cost-effective data ser- to maintain because very different requirements
vices at any chosen place in the world we need have to be fulfilled by the same infrastructure.
more user-oriented and data-centric approaches Yet, owing to this common homogeneous infra-
than what 2G and 3G paradigms deliver. At least structure, with the network-oriented design it is
in the mid-term, the hope here lies in a more op- still relatively easy to conceive systems enabling a
portunistic approach from the technological point comprehensive network management. The neces-
of view. Indeed, the user typically does not care sary dynamic infrastructure-to-service adaptation
about who provides a particular service and how. (e.g., for QoS) can then be achieved using the
The user cares about the availability of services, integrated management functions.
their performance (throughput, latency, etc.), the The step to the user-oriented design potentially
quality of service (QoS) (i.e. the performance implies a broad diversification of data transport
and the variation of the performance factors), the technologies providing different services. Thus,
ease of use, and service prices. Accordingly, the the resulting systems inherit the problems of the
user-oriented design tries to respond to these user dynamic per-service QoS provision. Additionally,
wishes assuring the possibility to freely choose an we run into difficulties trying to consolidate all
0
Security in 4G
these different technologies and make them do what It is composed of a panoply of service provider
the operator wants. This applies to the network networks (SPNs) connected by an IP-based core
management in general. In particular, it concerns network for any global data exchanges. SPNs
the mentioned QoS provision problematic and also principally support different wireless ANs. AN
raises diverse security considerations, both of the technology can range from personal to wide area
operators (infrastructure control and protection, networks.
resource usage control, accounting and billing) Each provider may, but is not required to, have
and of users (data confidentiality, location privacy, its own users and propose multiple services over
flawless billing). different ANs. Users are defined as logical system
Hence, the user-oriented design opens new pos- identities subject to the service contract between
sibilities but potentially results in a heterogeneous two legal bodies, one representing the provider
environment. To be deployed and maintained by and the other representing the served user. This
the operators, this environment needs to be un- definition implies that every user corresponds
derstandable, manageable, flexible, and secure. to a service contract with exactly one provider.2
To be used, it needs to be user-friendly, reliable, Note that this contract requirement does not imply
and fair. In particular, users should be able to use any price models or restrictions. Since every user
different services over different infrastructures in corresponds to one legal body, we use these terms
the same, familiar manner. interchangeably in the rest of the document unless
Thus, we need to develop more flexible infra- explicitly distinguished.
structures and more sophisticated mechanisms for The service contract provides the trust relation-
infrastructure access incorporating but hiding the ship and the set of authorizations. From the user’s
whole technological complexity. These mecha- point of view, the provider from the corresponding
nisms should provide adaptability to both users and service contract is called home provider. If a user
contents. Here we concentrate on heterogeneous uses a provider only for user identification, autho-
network access mechanisms and the necessary cor- rization, and billing services, we call this provider
responding network management functions in the a virtual operator3 (Zhang, Li, Weinstein, & Tu,
scope of the future integrated environments. 2002). Virtual operators (VOs) can but do not need
to have their own infrastructures. Typical VOs are,
Multi-Provider Network Environment for example, 2G or 3G providers (because of their
existent user database), miscellaneous resellers
For 4G, the accent lies on users and the requested but also credit card issuers, banks, public remote
services (Pereira, 2000). For the flexibility and authentication services, and so forth.4
cost reasons, the 4G architecture has to be able to Providers may (but are not required to) serve us-
integrate different technologies to provide services ers for whom they are not home providers. Providers
to users. Services are divers offerings, commercial may propose access to services in their own and in
or free, ranging from a basic connectivity (e.g., to other infrastructures (e.g., in the Internet or in user’s
the Internet) to more sophisticated services such as home network). The necessary network intercon-
voice calls or instant messaging (IM). To provide nection can be based upon private infrastructure
more complex services, some providers can use interconnections of several providers or it can be
services proposed by other providers. based on a public backbone like the Internet. This
We see 4G as a potentially open, heterogeneous, and other definitions, for example, service level
user-oriented architecture, consisting of different agreements, price agreements, mutual agreements
service and ANs. These networks are operated on user authorization in visited networks, and so
by different authorities. We call such authorities forth are subjects of so-called roaming agreements
service providers1 if access to services is possible signed between the legal bodies representing the
over their respective infrastructures or networks. providers. Using these roaming agreements, pro-
The global 4G architecture is shown in Figure 0-1. viders can verify identities and profiles of visiting
users whom we call visitors.
Security in 4G
SPN A SPN B
IP backbone
PDP
SPN C SPN D
PDP
PSTN
WLAN C or LAN
Legend
Data traffic
Control traffic
PEP PDP PDP
SPN C Service Provider Network C
The users who do not have any verifiable service SPNs are supposed to be trusted, non-public
contracts may be treated as guests. Guests are us- networks with appropriate protection measures.
ers with special authorizations (profiles), locally User traffic is to be strictly separated from the
and freely defined by any operator. These are thus management traffic. The internal communications
local users and will not be treated differently in are IP-based. Inter-SPN management traffic can be
the following. protected by IP security (IPsec) (Kent & Atkinson,
1998), or by using dedicated protected links (L2
SPN Organization and Management virtual private network [VPN] services, trusted
sub-infrastructures, etc.)
Management tasks in the SPN are carried out Internal SPN architectures are deliberately left
by the SPN owner, that is, the provider. The ac- open. The protocols and mechanisms regarding
tions are based on the management policies that PEP, PDP, measurements, and so forth do not need
reflect provider and user requirements. For this to be defined at the system level, because this com-
purpose, providers deploy policy decision points plexity can be hidden within the SPN entity. Our
(PDP), that is, logical entities capable of taking main concern is to define architectures that do not
completely automated or assisted decisions based impose any specific solutions. In a heterogeneous
on the observed network situation and the defined 4G system with its different providers (in terms of
policy. Policy enforcement points (PEP) are in- size, available resources, locality, services, capi-
stalled in the control equipment to enforce made tal, etc.), this is an additional degree of freedom.
decisions. In particular, PEPs are installed in the Different approaches are principally suitable for
edge equipment.
Security in 4G
management purposes such as proprietary console the overlay access module that will implement
or Web-based management, SNMP (Case, Fedor, 4G signaling, 4G management, 4G security, 4G
Schoffstall, & Davin, 1990), COPS (Durham et transport, and so forth functions. An example for
al., 2000), GMPLS, and so forth. such architecture would be the well-known All-IP
approach discussed in the following sections.
Possible Approaches to 4g
Common Access Protocol
On a high abstraction level, three approaches to
4G are theoretically possible 4G (Varshney & The third possibility is to unify the access protocols
Jain, 2001). of the wireless networks, thus enabling users to
access the 4G network by some standard means.
Multimode Devices This possibility implies separation of the transport
and the control planes. Further, it is necessary to
Multimode devices (which already exist on the identify technology-specific functions that are
market, e.g., GSM/WiFi phones, PDAs with 802.11 part of the control plane. These functions have
WLAN, Bluetooth and GSM access modules, to be externalized and reflected by an abstraction
smartphones with Bluetooth capabilities, etc.) eas- layer/abstraction application program interface
ily expand the effective coverage area managing the (API) that could then implement this common
cooperation issues by the installed software. This access protocol.
concept pushes the 4G connection management Note that this list is exhaustive (meaning that
complexity to the terminals, that is, it does not there are no other possible approaches to an in-
require any additional complexity in the wireless tegrated 4G system in the sense of the previous
networks. However, the terminal equipment has section). However, the mentioned alternative ap-
to integrate operational logics including not only proaches are not necessarily mutually exclusive. It
every technology-specific treatment but also the is imaginable to have some combinations of these
translation of quite different technological param- general high-level approaches in a final solution.
eters to be able to make decisions. It is not clear In the following, we present some of the proposed
if this can be done in an economically reasonable 4G architectures classifying these according to the
fashion for multiple, very different technologies, in previous scheme.
particular taking into account the vertical (in the
sense of the ISO/OSI model) complexity of QoS, related work
security, and mobility management.
Related Work on G Architectures
Overlay Networks
In Raivio (2001) the author discusses the currently
Another possibility is the installation of an overlay most popular approach to 4G. This approach is
network of 4G access points situated above the based on a common Internet core for different
actually available wireless networks. Note that in networks, unifying everything over IP and the
this approach the devices will still need to have related Internet Engineering Task Force (IETF)
several network interfaces to be able to access technologies. With respect to this so-called All-IP
the entire infrastructure. The distinction lies in (sometimes Full-IP) approach, the author briefly
the additional complexity, which is completely discusses the possibilities and the deficiencies in
shifted to the overlay. The requirements on the the concerned IETF protocols including the authen-
underlying technology are minimal. The overlay tication, authorization, and accounting framework
has to define the necessary signaling and transport (AAA), Mobile IP, IPv6, IPsec, and SIP. The author
functions. Besides the physical access to the used points out that this approach is straightforward but
technology, the wireless device has to implement also problematic in terms of QoS, security, and
mobility management.
Security in 4G
The presented All-IP idea is the current state same quality as is the case in 3G. The authors
of the art approach in the high-level 4G research. claim that the networks beyond IMT20005 should
In the classification given in the previous section, be much more location-registration oriented and
All-IP represents an overlay network approach. should identify the location registration manage-
The IP network is used as an overlay that integrates ment as a study topic. For instance, hierarchical
different technologies. IP technologies are used for or concatenated location registration techniques
both control and transport planes. IP base stations have to be studied. Then they discuss handover
are used as access points in that 4G vision. issues distinguishing local handovers and overall
In Otsu, Okajima, Umeda, and Yamao (2001) network handovers and identify this feature as a
the authors research a possible core network design further study object.
for 4G systems. Describing the current situation Trying to provide an infrastructure-independent
of the telecommunications and the predominance access to services and applications for highly mo-
of IP-based applications, they give an outlook bile users, Kellerer, Vögel, and Steinberg (2002)
on estimated traffic in the future generation of present a solution based on a communication gate-
wireless systems. Then they discuss possible way. Originally driven by an automobile environ-
wireless transmission characteristics in terms of ment, the basic idea is to install an intermediate
transmission bit rate, spectrum, area coverage, and element between the actual user equipment and
hierarchical service area and define such network the serving networks. From the network point of
requirements as seamless connections, reduction view, such a communication gateway thus resides
in the number of control messages, short delay at within the end-system. Including caching and
handover, reduction of cost per bit, service integra- switching units, the gateway provides a general
tion based on IP, and movable network support. middleware interface to the applications. Thus,
The network architecture is then defined as a core this approach pushes the intelligence towards the
network (CN) connecting different ANs like a end-systems, trying to map user requests at their
future, yet-to-be-defined 4G-RAN, and already origin to available networks and services. In our
existing WLAN, 3G, and PSTN to the Internet. classification, this proposal represents the multi-
CN and 4G-RAN are completely IP-based. The mode device approach.
terminals have IP-addresses assigned. The CN is Becchetti, Priscoli, Inzerillli, Mähönen, and
directly connected to 4G-RANs and the Internet Muñoz (2001) take a slightly different approach.
and uses gateways to connect to the public switched Mainly dealing with QoS support over differ-
telephone network (PSTN) and 3G. Mobility man- ent wireless infrastructures, they define a new
agement is done by using the hierarchical Mobile intermediate layer between the IP and the second
IPv6 approach. Additionally, the article discusses layers. This wireless application layer (WAL) then
some issues in the 4G-RAN configuration. In provides a QoS-generic interface for IP featuring
other words, this proposal is an instantiation of uniform guaranteed link reliability and traffic
the All-IP approach. control. The position of WAL in the ISO/OSI
Another All-IP proposal is discussed in Yu- model implies a hop-by-hop QoS agreement
miba, Imai, and Yabusaki (2001). The recognized logic. The details on the modular architecture of
requirements here are huge (IP-) multimedia traffic WAL, its class and association based QoS provi-
handling, advanced mobility management (MM), sion, Snoop TCP method to avoid congestions in
diversified radio access support, seamless service, the TCP layer can be found in the paper. In our
and application service support. The authors then classification this proposal is an overlay proposal,
discuss possible solutions for MM and seamless since WAL instances have to be integrated in the
services and name Mobile IP, Cellular IP, and terminals and in the access points. IP is used as
similar techniques. However, they recognize the a general transport in the All-IP manner, but the
deficiencies of such systems since they are hardly technological heterogeneity is hidden within the
suited to provide a mobility management of the WAL, which acts as a convergence sub-layer. WAL
Security in 4G
instances rely on SNMP to build the necessary authentication has to be completely restarted at the
decision bases and so forth. next visited PAA (even within the same network).
Such mechanisms could be a L3 (i.e., in the 4G
Related Work on G Security scope typically IP) context transfer protocol that
would allow arbitrary context transfers between
The user verification and network access in het- different PAAs. IETF will shortly publish its con-
erogeneous environments represents one of the text transfer protocol (CTP) specification (Nakhjiri,
major 4G problems. This is discussed later in Perkins, & Koodli, 2004) as an experimental
detail. One of the problems is the access protocol standard. However, the payload formats for CTP
but there are only some open questions concerning have to be specified too.
the back-end trust architectures and multi-domain, The work on the public access wireless networks
multi-party AAA. (PAWNs) can be interesting in the 4G scope since
An interesting related work seems to be Zhang it has to practically resolve several problems very
et al. (2002). Introducing the concept of a so-called similar to the anticipated 4G problems. PAWNs are
virtual operator, the authors describe how an typically implemented with IEEE 802.11 technol-
authentication service reachable over the Internet ogy. Since the integrated 802.11 mechanisms are
could authenticate its users in a foreign hot spot insufficient for almost all typical PAWN areas
environment using AAA. As potential virtual (per user quality of service, system-wide mobility,
operators the authors see ISPs, content providers, security, user network access, etc.), the solutions
cellular operators, or pre-paid card issuers. To proposed for PAWNs are typically completely
reduce the number of necessary trust relationships decoupled from the underlying technology. Hence,
between potentially numerous hot spot operators the practical experiences gained in such installa-
and diverse virtual operators, the authors propose tions are of tremendous importance for the 4G
a commonly trusted broker entity. research.
IETF currently works on the protocol for car- An approach for WLAN hot spots providing
rying authentication for network access (Forsber, a secure wireless Internet access in public places
Ohba, Pati, Tschofenig, & Yegin, 2003) in its PANA is Microsoft’s CHOICE (Bahl, Balachandran, &
working group. PANA specifies an architecture Venkatachary, 2001). The authors build a network
very similar to the IEEE 802.1X architecture used that globally authenticates users and then securely
in this work for LAN/WLAN access. PANA is connects them to the Internet via a serving 802.11
link layer agnostic transporting authentication WLAN. A reasonable argumentation against IPsec
information between the PANA client and PANA for this purpose can be found in the publication.
authentication agent at higher layers. Since it is Introducing a new software module (PANS) instead
principally capable of identifying users, PANA of IPsec, the architecture promises authorization,
could thus be used as a common access proto- access control, privacy, security, last hop quality
col to heterogeneous networks. However, since of services, and accounting. However, this soft-
PANA has to access a higher level element, the ware (responsible for packet marking on mobile
L2 mostly remains unprotected. Also, after the hosts) has to be installed on all mobile terminals,
(unprotected) L2 establishment, the local PANA effectively modifying protocol stacks. The WLAN
client needs to discover its network’s pendant, the itself is open but does not allow any connections
PANA authentication agent (PAA). This involves to any other networks, except for HTTPS con-
discovery broadcasts and round trips. PANA here nections to the global authenticator (global MS
nicely illustrates the problems inherent to higher Passport service) and HTTP to the local Web
layer network access: questionable security, holes server where, for example, the software module
in the access controllers, broadcasting in the access can be downloaded. Network’s PANS authorizer
phase, and high network access latency. module obtains key information from the global
Besides, PANA does not optimally support authenticator after successful user authentication.
mobility: Without additional mechanisms, the The authorizer can also install all required policies.
Security in 4G
It then reroutes the traffic to a PANS verifier. The provider network organization. The latter point is
latter actively processes every packet checking the not discussed in the following.
mark/tag added by the PANS module running on
the mobile and providing, for example, per user 4g vulnerabilities
access control and accounting.
Mobility support for public WLANs is presented Vulnerabilities of Wireless Networks
in Friday et al. (2001). Using a similar packet tagging
approach as in CHOICE, the authors describe their Wireless networks are generally more vulnerable
GUIDE/GUIDE II systems. Originally meant for than their wired equivalents. Wireless security is
a metropolitan scale access using modified client a difficult problem that has to take into account
protocol stacks, GUIDE offers ordinary citizens the vulnerable medium per se (unclear network
secure and accountable Internet access over the perimeter, shared medium, naturally broadcast,
deployed 802.11 WLAN-infrastructure. GUIDE invisible/virtual network access), performance (se-
II adds handover management using Mobile IPv6. curity overhead, group communications), limited
IPv6 datagrams are tagged by clients using the handset capabilities (human-machine interface,
modified MobileIPv6 stack. Programmable access CPU, and memory), battery constraints (sleep
routers ensure that only packets containing valid management, on/off behavior), and different user
access tokens get to the trusted core network. services (roaming, mobility, localization). These
Over an access router, users authenticate at an problems have been discussed in this work per
AAA authentication server. The latter distributes wireless technology in the (Hecker, 2005) per
session keys to the access router group and the wireless technology.
mobile terminal. User payload encryption is op- Heterogeneousness adds a new dimension to
tionally possible between the router and the user this discussion. It multiplies the number of avail-
equipment. able mechanisms and, from the point of view of
attacker, caters to more opportunities to attack
the overall system (weakest link). New attack
4g sEcurIty rEquIrEMEnts scenarios are conceivable: an attacker could use
a weakness within one access network and the
4G security measures have to provide protection systemic interdependencies to gain access to an-
for 4G users and 4G providers. other access network. Terminals can be attacked
There is no particular and evident reason why 4G over several available interfaces at the same time.
security could be easier to achieve than 3G or 2G The services have to be provided over several
security. On the contrary, there are several reasons interfaces, thus resulting in tighter performance
why it could be indeed more difficult, some of which constraints and complexity. A typical example is
are discussed in the 4G Vulnerabilities section. One a handover between two different technologies
of the obvious reasons is the heterogeneity of the (called vertical handover), but the same has to be
4G system. Other reasons are provider inequality considered for sleep management (paging) and
and the envisioned connection ubiquity. generally for signaling.
Main security considerations in our 4G vision
refer to the open system interfaces. One of the Vulnerabilities of Service Provider
security targets is thus provider-provider interface. Networks
However, the most important and 4G-characteristic
target is the user-network interface (including the A 4G system encompassing different technologies
user-service interface6). In the following sections has to support complex management mechanisms
we discuss these topics, specifically dealing with (control systems, signaling, etc.), which consider-
the user-network interface. ably add to the system complexity and thus repre-
Important, but not necessarily new, security sent a major vulnerability per se. This is especially
provisions must be considered in the internal true for a multi-provider and thus multi-authority
Security in 4G
environment where a mutual preliminary user- come an important accessory and manufacturers
network trust does not necessarily exist and must are doing their best to render them more portable
be established by some means (typically involving and more powerful at the same time. It is obvious
management subsystems and signaling before the that these devices have become an interesting
user identity can be verified). target for thieves. Thus, physical device security
The serving network protection is one of the is an important but insufficient subject. Mobile
critical points to ensure service continuity and handsets can store important personal user data
investment in new infrastructures. From the secure (address books, access codes, professional data,
mobility discussions (such as Mobile IP security), personal medical information). Remote device
we know that visited networks are often overex- deactivation, blocking, and erasure seem important
posed to resource consumption and denial of ser- future security features.
vice. In our 4G vision, an SPN has to be protected A 4G user needs a particular protection to
from the users on the user-network interface and ensure his/her anonymity and an offer-consistent
from the outer world on its backbone interface(s), and verifiable billing. Without any protection, in
including protection from other providers. an international multi-provider 4G environment,
a user can be an easy target for both price fraud
User Vulnerabilities (charging wrong prices, charging incorrect usage)
and user tracking.
As a wireless user is vulnerable to unauthorized
data access, traps/impostors, and desinformation, Heterogeneous security
the user must be protected from abuse by third
parties and from the part of the serving SPNs. Current wireless technologies have different se-
Given a rising part of the M2M communications curity considerations and provide corresponding
and the wish for infrastructureless communica- security definitions in the standards. The latter are
tions, the user device is also vulnerable to attacks naturally dedicated to the respective link layer and
by other devices involved in the provision of the thus concentrate on the implementation within the
consumed services (impostors, data modifications, network interface cards, adapters, and so forth. In
data sniffing, man-in-the-middle) and by devices 4G, different link layer technologies are likely to
consuming services provided by the user device coexist for the reasons explained in the previous
(denial of service, abuse). sections. Also, the focus changes: in the personal
Connected to multiple interfaces over several communications the security focus should be on
providers the device is naturally multi-homed. It users, not on network devices.
is potentially exposed to all attacks over the es- The problem with the characteristic 4G secu-
tablished connections, including malicious code rity is twofold. On the one hand, there are very
intrusion (viruses, spyware, and worms). basic open questions that have to be answered
User vulnerability includes headset vulner- by the ongoing research by weighing practical
ability. A typical 4G headset featuring several constraints against the required security level.
active interfaces is naturally exposed to different What is security in 4G if we do not know what
kinds of attacks, such as attacks on device drivers 4G looks like, what services it is supposed to
of the communication interfaces, attacks against provide, and in which environments it is going
the transport and signaling communication stacks, to operate? The system architecture is crucial for
and attacks against all services potentially provided the security considerations. Additionally, we need
or assisted by the headset itself (e.g., file sharing, trust and threat models. What are the capabilities
localization, auto-update). An important and of- of potential attackers? Which ANs will be used
ten forgotten point is device theft. Today, mobile and how? Trust models should correspond to the
devices are trendy and, having a rich and versatile probable usage scenarios. For instance, if users are
feature set, can be quite expensive. They have be- not “owned” by providers (Pereira, 2000), how can
Security in 4G
trust be established and to whom? With all that, a protection and revenue guarantees. Moreover, the
consistent security policy has to be defined along L2 security measures are often implemented in the
with the security architecture, identifying technol- network interface hardware. Their design includes
ogy-independent subjects, objects, relationships, power consumption and computational resource
authorizations, threats, and protective measures. considerations. A higher level solution would be
This is however difficult and defines a problem implemented in the device control logics, that is,
known as heterogeneous security). typically software. Given the constraints with the
On the other hand, there are practical problems 4G terminals (wireless security processing gap), it
concerning the technical applicability of solutions. would be wise to use the hardwired security solu-
The security solutions proposed by the wireless tions in the network adapter. Furthermore, in the
technologies are limited to the identified needs. OSI logic, multiple links could lie between the user
They are thus different from technology to tech- and the used L3 device (router), but only one link is
nology reflecting its expected usage. Very often, possible between the user and any used L2 device.
they fail to fulfill the security requirements, typi- Thus, the L2 security measures are guaranteed
cally because of conceptual or implementational to be implemented in the first network entity (the
flaws. But even if their implementation is correct, access device), that is, next to the user, at the very
their scope is naturally wrong: as access security, edge of the network. That brings the security as
they aim to provide link security, but ultimately close to the user as possible and thus guarantees
providers need service access security and users physical infrastructure protection. Moreover, it
need personal data security. potentially scales better since the access devices
How can the defined security policy for the are designed to support a fixed number of connec-
entire system be applied and enforced to all system tions, including the connection properties to be
entities given that the available solutions are differ- enforced. Another point is that higher level security
ent, potentially flawed, and limited to system parts? solutions cannot achieve the same user privacy. For
For instance, if the security policy identifies link instance, user location privacy is in danger since
encryption as a necessary confidentiality imple- lower layer addresses (such as world-wide unique
mentation, how can this be universally activated MAC addresses) cannot be hidden by higher layer
and with which keys and properties? How can we security measures.7
guarantee an adequate, comparable strength of the For reasons stated previously, we think that L2
different encryption mechanisms? What to do with security is indispensable in 4G. This is by the way
the technologies that do not provide link encryp- also the most characteristic point of 4G: whatever
tion? The security policy must consider these cases the 4G vision, everybody seems to agree that 4G
and provide answers to such questions. will be technology-opportunistic, incorporating
different wireless ANs in one system. The network
4g security layer access security is thus one of the major challenges,
typical and characteristic for 4G.
The aforementioned practical problems with the 4G
security can be avoided if the technology-depen- nEtwork AccEss sEcurIty
dent security measures are not used. Instead, all
security measures could be applied in the overlaid A particular security problem is bound to the user
technology. However, it is often insecure or at network access. The 4G user has a terminal with
least inefficient to enforce security in the overlay. multiple network interfaces. The security measures
For example, 2G/3G network providers rely on for each interface have been designed according
L2 security measures for network access control, to an initial security analysis during the technol-
frame integrity and link encryption. While the ogy standardization phase. Since the technologies
link encryption is not important for the provider, are meant for different purposes, the risks and the
the access control is primordial for infrastructure defined security functions are likely to be different.
Security in 4G
The security mechanisms are definitely different. vice set identification (SSID) naming in the 802.11
Thus, every interface has different requirements on WLANs. Besides, in a dynamic 4G environment
credentials in terms of identities, expiration poli- with the very different proposed services, over
cies, initial trust representation, and so forth. These different technologies and with different prices,
requirements have to be fulfilled since otherwise it is difficult to believe that a network identifier
the interface could be unusable or the access by alone is a sufficient base for a reasonable network
the means of this interface impossible. If the user selection decision.
definition in the system is consistent, then the 4G In a user-centric environment, the network
user cannot be expected to use multiple identities: selection decision should be made based on
in 4G, every network provider needs to be able to physically available networks and channel quali-
identify any given user correctly, in particular in ties, user identity and user service authorizations
the different ANs, which the user might be using within the encountered networks, and on offered
simultaneously. That is important for the authori- service prices. Especially price display for a
zations defined in the security policy. It is equally given user appears as one of the critical issues in
an important requirement for a consistent billing. a multi-provider environment characterized by
Network access can thus be divided into various continuous roaming between several different
sub-problems that are treated in more details in (big/small, national/local, etc.) providers. Indeed,
following. even in 2G with a typical limitation to a handful
of providers per location (2-8), users traveling to
Network Selection foreign countries have been known to feel badly
informed about pricing of out- and incoming calls.
In the outlined 4G vision, a free service choice is an In 4G with multiple-interface terminals and pos-
important design criterion. To provide that choice, sibly new business models, several providers can
users must be able to collect information on the be used at the same time, possibly offering similar
ANs of all available providers. Most importantly, services at prices depending on dynamic factors
this is required for the decision of which network such as current network usage (per-session price
the user should connect to. For instance, it cannot determination).
be generally assumed that every network is acces- The involvement in such rather complex pre-
sible for every user (e.g., because the user’s home authenticated (Hecker & Labiod, 2004) user-
provider does not have any roaming agreement network signaling represents major risks for both
with the provider of the detected network). network operators (infrastructure intelligence,
Network selection is a problem since some unpaid resource consumption, denial of service)
preliminary network access is necessary prior to and users (localization, tracking). Additionally,
authentication, which however should be limited optimizations are necessary to that recurrent
so as not to contradict the security policy. Net- process, which in 4G can be repeated in-session,
work selection thus represents a security-usability since it can have an important impact on mobility
compromise. performance (vertical handover).
In a dynamic multi-provider multi-technol-
ogy 4G environment, active exchanges (through User-Network Authentication
signaling, like network discovery) are necessary
since the existence of system-wide coherent net- A user-network authentication is necessary from
work identifiers do cannot be relied upon. These network provider’s point of view to be able to
identifiers have very different meanings in differ- enforce a reliable access control to its resources
ent technologies. For instance, if a 2G provider and to authorize requested service sessions in its
wants to deploy a supplementary data service infrastructure or at least a transport (connectivity
over an 802.11 WLANs, what should be used as a service) over its infrastructure. It is also required
network identifier? There is no regulation on ser- by the user’s home provider for authorization and
billing.
Security in 4G
From the user’s point of view, network authen- (notably the 802.11i introducing a different security
tication permits to verify the received network model). Nevertheless, this situation exemplifies
identity information, guarantees access to the the normality of a heterogeneous 4G: the secu-
correct environment, and thus permits to establish rity models, the trust presumed relationships, the
trust to the serving provider. It helps to eliminate technical possibilities and the vulnerabilities are
impostors and to protect against man-in-the-middle very different from technology to technology. The
attacks. resolution of this problem must not lead per se to
After the service information collection, some security problems. Thus, if the L2 authentication
networks can be eliminated by policy or user is to be used in the 4G scope, every technology
wish (e.g., a pre-configuration of the type “never has to fulfill a minimal common requirement set.
use provider X” or rules like “always choose the Otherwise, higher level security has to be used and
cheapest available service”, etc.) Now, the user can the associated higher level access controllers have
actually access the required services over available to be collocated with the L2 access devices. If that
networks. A reliable user-network authentication cannot be guaranteed, this technology should be
is required at this moment at latest. considered unsuitable for 4G.
The L2 user-network authentication is a prob- From today’s perspective, the requirements on
lem in 4G since the logical and technological the L2 authentication are cryptographic strength,
requirements are very different from technology mutuality, and dynamic key material negotiation
to technology. We illustrate this on an arbitrary for the subsequent session protection. The key ma-
example, comparing UMTS and standard 802.11 terial negotiation should provide perfect forward
security. secrecy (PFS), that is, a successful attack on the
UMTS uses an external module (USIM) that produced key material should not give any clues on
hides the actual authentication method from the the long-term secret such as the used credentials.
used device and the visited network. The authenti- User location privacy should be supported, that is,
cated logical entities are the USIM and the visited if possible, any user-specific identifiers should be
network, represented by the authentication center unreadable for a third party.
(AuC). USIM is supposed to grant network access Note that we do not formulate any requirements
to the device (i.e., also to the user). The USIM on the authentication logic (how many parties
is capable of key derivation after a successful involved and how), used protocols, implementa-
authentication. tion, method placement, or on the used trust rep-
IEEE 802.11 defines a handshake procedure resentation. However, authentication methods are
based on credentials existing between the net- generally hard to conceive and represent one of the
work (the access point) and the user. The whole most vulnerable parts of modern cryptosystems.
procedure (i.e., the authentication method, the Due to the flaws typically found in the authentica-
exchanges, the cryptographic functions and the tion methods during their lifetime, and given the
success conditions) is hardwired in the network number of different authentication methods in 4G,
interfaces. The only authenticated entity is the we additionally require that the authentication
network interface of the user device (i.e., the ac- method be easily updateable.
cess point is not authenticated). The authentication Whatever the actual mechanisms is, it has to
does not derive any key material. Moreover, the correspond to the performance requirements in
procedures are almost useless because of several terms of possible vertical and horizontal mobility.
concept errors. Fast re-authentication (less RTT) and particularly
As can be seen, the provided services are very pre-authentication (over the same or a different
different in terms of capabilities and the achieved interface) seem useful in the 4G context.
security level. However, the purpose of this example
is not to blame WLAN security. Today, other secu-
rity models and methods are available for WLANs
0
Security in 4G
Security in 4G
Security in 4G
base for future 4G security. Basically, such stan- More specifically, in this chapter, we present
dardization efforts should apply to new definitions the development process from 1G to 4G discussing
and adapt the existing technologies, so these could telecommunications landscape changes and time
be used in the future 4G landscape. scales. We then introduce the current state of the
In 4G, standardization is one of the central 4G discussion and present our vision of 4G as a
discussions. Not everything can be standard, technology-opportunistic, user-centric mobile
since otherwise we migrate back from the tech- services system built of multi-interface terminals
nology-opportunistic vision to a monolithic one- and heterogeneous ANs, bound by a decent man-
technology-vision. On the other hand, without any agement subsystem. Given that 4G shape, conform
standards, hardly any communication is possible. to the main trend in the current 4G research, we
The compromise between what we standardize in introduce main system interfaces, its links and
the 4G scope and what we leave to the respective entities to discuss its vulnerabilities.
technology is the most critical design decision. We then introduce 4G security requirements,
The standardization should respect the three justifying the special character of and insisting on
introduced interfaces, differentiating user-network, the network access phase. Finally, we propose sev-
provider-provider, and internal SPN interfaces eral high level approaches to 4G security, including
(mainly management plane). virtualization, adaptation and standardization.
Virtualization plays an important role for 4G
standardization. We can learn from the former
experiences that specifying what and how sepa- rEfErEncEs
rately is more flexible. To provide adaptation, we
need at least a common signaling standard. This 3rd Generation Partnership Project (3GGP) TS
represents a seemingly viable alternative approach 33.102 Release 99. (n.d.). 3GPP: Technical specifi-
to the current pure overlay solutions such as All- cation group (TSG), 3G security: Security architec-
IP. We could standardize a common 4G signaling ture. Sophia Antipolis Cedex, France: Author.
protocol, including virtual definitions for network
access and data protection phases, and then use the Al-Muhtadi, I., Mickunas, D., & Campbell, R.
access technologies as is, without any additional (2002, April). A lightweight reconfigurable secu-
changes, as a pure data transport. rity mechanism for 3G/4G mobile devices. IEEE
Wireless Communications, 9(2), 60-65.
Bahl, P., Balachandran, A., & Venkatachary, S.
conclusIon (2001, June). Secure wireless Internet access in
public places. In Proceedings of the IEEE Inter-
The 4G reflections started about 2000-2001 are not national Conference on Communications (IEEE
yet mature enough to present a sound overview of ICC 2001), Finland.
the 4G security. At the current state, there is no
common 4G vision and what will eventually be Becchetti, L., Priscoli, F. D., Inzerillli, T., Mähönen,
called 4G is an open question. P., & Muñoz, L. (2001, August). Enhancing IP
Independent of that, we believe that the tech- service provision over heterogeneous wireless
nology-opportunistic system as the one presented networks: A path towards 4G. IEEE Communica-
in this chapter will eventually be built. That is the tions Magazine, 39(8), 74-81.
reason why the new security problems related to Blake, S., Black, D., Carlson, M., Davies, E., Wang,
the high system heterogeneity and the new usage Z., & Weiss, W. (1998, June). An architecture for
scenarios and presented in this chapter seem to differentiated services (RFC 2475). Retrieved from
be of major importance for the understanding of http://www.ietf.org/rfc/rfc2475.txt
the vulnerabilities and design of future telecom
systems.
Security in 4G
Braden, R., Clark, D., & Shenker, S. (1994, June). access infrastructure for supporting mobile con-
Integrated services in the Internet architecture: An text-aware IPv6 applications. In Proceedings of the
overview (RFC 1633). Retrieved from http://tools. ACM 1st Workshop on Wireless Mobile Internet,
ietf.org/html/rfc1633 Rome, Italy (pp. 11-18).
Bria, A., Gessler, F., Queseth, O., Stridh, R., Ginzboorg, P. (2000, November). Seven comments
Unbehaun, M., & Wu, J. (2001, December). 4th- on charging and billing. Communications of the
generation wireless infrastructures: Scenarios and ACM, 43(11), 89-92.
research challenges. IEEE Personal Communica-
Global System for Mobile Communications (GSM)
tions, 8(6), 25-31.
11.11 (n.d.). Digital cellular telecommunication
Case, J. D., Fedor, M., Schoffstall, M. L., & Davin, J. system (Phase 2+), specification of the subscriber
(1990, May). Simple network management protocol identity module—Mobile equipment (SIM-ME)
(SNMP) (RFC 1157). Retrieved from http://www. interface. Author.
ietf.org/rfc/rfc1157.txt
Global System for Mobile Communications (GSM)
Code Division Multiple Access (CDMA) Develop- Association. (n.d.). 3GSM platform. Retrieved from
ment Group. (n.d.). Technology: 3G—cdma2000. http://www.gsmworld.com/technology/3g/index.
Retrieved from http://www.cdg.org/technology/3g. shtml
asp
Gupta, V., & Gupta, S. (2002, March). KSSL:
Dell’Uomo, L., & Scarrone, E. (2001, September). Experiments in wireless Internet security. In
The mobility management and authentication/ Proceedings of the Wireless Communications and
authorization mechanisms in mobile networks Networking Conference (pp. 860-864).
beyond 3G. IEEE Personal, Indoor and Mobile
Hecker, A. (2005, March 16). On logical network
Radio Communications, 1, C44-C48.
access control and the associated user and net-
Dierks, T., & Allen, C. (1999, June). The TLS work management in future heterogeneous 4G
protocol version 1.0 (RFC 2246). Retrieved from wireless systems. Computer Science and Networ-
http://www.ietf.org/rfc/rfc2246.txt ing Department, Ecole Nationale Supérieure des
Télécommunications (ENST), Paris, France.
Durham, D. (Ed.), Boyle, J., Cohen, R., Herzog,
S., Rajan, R. & Sastry, A. (2000, January). The Hecker, A., & Labiod, H. (2004). Pre-authenticated
COPS (common open policy service) protocol signaling in wireless LANs using 802.1X access
(RFC 2748). Retrieved from http://www.rfc-editor. control. In Proceedings of the IEEE GLOBECOM
org/rfc/rfc2748.txt 2004, Dallas, TX.
Emmerich, W. (2000, June). Engineering distrib- IEEE Draft 802.11e. (2003, February). Draft supple-
uted objects. John Wiley & Sons. ment to standard for telecommunications and infor-
mation exchange between systems—LAN/MAN
Evans, B. G., & Baughan, K. (2000, December).
specific requirements—Part 11: Wireless medium
4G visions. IEEE Electronics & Communications
access control (MAC) and physical layer (PHY)
Engineering Journal, 12(6), 293-303.
specifications: Medium access control (MAC) en-
Forsber, D., Ohba, Y., Pati, B., Tschofenig, H., & hancements for quality of service (QoS). Author.
Yegin, A. (2003, March). Protocol for carrying
IEEE Draft 802.11i. (n.d.). Draft supplement to
authentication for network access. IETF PANA
IEEE Std 802.11. Part 11: Specifications for en-
Working Group Draft, work in progress. Internet
hanced security. Author.
Engineering Task Force.
IEEE Standard 802.11F. (2003, July). Trial-use
Friday, A., Wu, M., Schmid, S., Finney, J., Cheverst,
recommended practice for multi-vendor access
K., & Davies, N. (2001, July). A wireless public
Security in 4G
point interoperability via an inter-access point bile Communication Technologies (pp. 346-350).
protocol across distribution systems supporting
Raychaudhuri, D. (2002, September). 4G network
IEEE 802.11 operation. Author.
architectures: WLAN hot-spots, infostations and
IEEE Standard 802.1X. (2001, June). Port-based beyond... In IEEE PIMRC 2002 Keynote Talk,
network access control. Author. Lisbon, Portugal.
International Telecommunication Union-Radio Rosen, E., Viswanathan, A., & Callon, R. (2001,
Communication Sector (ITU-R) World Radio- January). Multiprotocol label switching architec-
communication Conference, Retrieved from ture (RFC 3031). Retrieved from http://tools.ietf.
http://www.itu.int/ITU-R/index.asp?category=co org/html/rfc3031
nferences&link=wrc&lang=en
Schulzrinne, H., & Wedlund, E. (2000, July). Ap-
Kellerer, W., Vögel, H.-J., & Steinberg, K.-E. (2002, plication-layer mobility using SIP. ACM Mobile
March). A communication gateway for infrastruc- Computing and Communications Review, 4(3),
ture-independent 4G wireless access. IEEE Com- 47-57.
munications Magazine, 40(3), 126-131.
Tsao, S.-L., & Lin, C.-C. (2002, September).
Kent, S., & Atkinson, R. (1998, November). Design and evaluation of UMTS-WLAN inter-
Security architecture for the Internet protocol working strategies. In Proceedings of the IEEE
(RFC 2401). Retrieved from http://www.ietf.org/ 56th Vehicular Technology Conference (VTC),
rfc/rfc2401.txt Vancouver, Canada.
Misra, A., Das, S., Dutta, A., McAuley, A., & Das, Van Damme, E. (2002, May 4-5). The European
S. K. (2002, March). IDMP-based fast handoffs UMTS-auctions. European Economic Review,
and paging in IP-based 4G mobile networks. IEEE 46, 846-858.
Communications Magazine, 40(3), 138-145.
Varshney, U., & Jain, R. (2001, June). Issues in
Nakhjiri, M., Perkins, C., & Koodli, R. (2004, emerging 4G wireless networks. IEEE Computer,
August). Context transfer protocol. In J. Loughney 34(6), 94-96.
(Ed.), Approved IETF draft, work in progress.
Yahalom, R., Klein, B., & Beth, Th. (1993, May).
Internet Engineering Task Force.
Trust relationships in secure systems—A distrib-
Otsu, T., Okajima, I., Umeda, N., & Yamao, Y. uted authentication perspective. In Proceedings of
(2001, October). Network architecture for mobile the IEEE ComSoc Symposium on Research in Se-
communications systems beyond IMT-2000. curity and Privacy, Oakland, CA (pp. 150-164).
IEEE Personal Communications Magazine, 8(5),
Yumiba, H., Imai, K., & Yabusaki, M. (2001, Oc-
31-37.
tober). IP-based IMT network platform. IEEE Per-
Peirce, M. (2000, October). Multi-party electronic sonal Communications Magazine, 8(5), 18-23.
payments for mobile communications. Unpublished
Zhang, T., & Agrawal, P., & Chen, J.-C. (2001,
PhD thesis, Department of Computer Science,
October). IP-based base stations and soft handoff
University of Dublin, Trinity College.
in all-IP wireless networks. IEEE Personal Com-
Pereira, J. M. (2000, September). Fourth generation: munications Magazine, 8(5), 24-30.
Now, it is personal! In Proceedings of the IEEE
Zhang, J., Li, J., Weinstein, S., & Tu, N. (2002,
International Symposium on Personal, Indoor and
July). Virtual operator based AAA in wireless
Mobile Radio Communications (PIMRC) London
LAN hot spots with ad-hoc networking support.
(Vol. 2, 1009-1016).
ACM Mobile Computing and Communications
Raivio, Y. (2001, March). 4G—Hype or reality Review, 6(3), 10-21.
(Conference Publication No. 477). In IEE 3G Mo-
Security in 4G
5
EndnotEs International Mobile Telecommunications
2000, ITU’s common name for different 3G
1
Since users are the main focus of our variants.
6
work, we prefer this term to the synonymic Note that generally these two problems are
not equivalent. However, in our 4G vision we
operator, which refers to the infrastruc-
suppose that SPNs are organized as integrated
ture. transport and services networks run by the
2
This is not limiting since any legal body same authority. In that view, the difference
can have multiple user assignments. between the two is of a very technical nature;
3
This is used consistently to the original it is merely limited to and by the internal SPN
definition given in Zhang et al. (2002). organization.
However, since in this special case no in- 7
Although the lower layer address and the
frastructure exists, the actually “operated” user identity are two completely different
entity is the user. This term is thus also identifiers, one initial passive network
consistent with our strictly user-oriented observation in the proximity of a victim
view. allows an establishment of a direct rela-
4
That underlines the fact that our model mainly tionship.
requires the service contract as a means for
a reliable user identification. Indeed, without
any pre-established trust, no reliable billing
is possible.
Chapter XIX
Security Architectures for B3G
Mobile Networks
Christoforos Ntantogian
University of Athens, Greece
Christos Xenakis
University of Piraeus, Greece
AbstrAct
The integration of heterogeneous mobile/wireless networks using an IP-based core network materializes
the beyond third generation (B3G) mobile networks. Along with a variety of new perspectives, the new
network model raises new security concerns, mainly, because of the complexity of the deployed archi-
tecture and the heterogeneity of the employed technologies. In this chapter, we examine and analyze the
security architectures and the related security protocols, which are employed in B3G networks focusing
on their functionality and the supported security services. The objectives of these protocols are to protect
the involved parties and the data exchanged among them. To achieve these, they employ mechanisms that
provide mutual authentication as well as ensure the confidentiality and integrity of the data transferred
over the wireless interface and specific parts of the core network. Finally, based on the analysis of the
security mechanisms, we present a comparison of them that aims at highlighting the deployment advan-
tages of each one and classifies the latter in terms of: (1) security, (2) mobility, and (3) reliability.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security Architectures for B3G Mobile Networks
(WLAN-AN), while the second allows a user to Access and the 3GPP IP Access scenarios. The
connect to packet switch (PS) based services (such third section elaborates on the B3G security archi-
as wireless application protocol [WAP], mobile tectures analyzing the related security protocols
multimedia services [MMS], location-based ser- for each scenario. The fourth section compares the
vices [LBS] etc.) or to the public Internet, through security architectures and consequently, the two
the 3G public land mobile network (PLMN). access scenarios. Finally, the fifth section contains
Along with a variety of new perspectives, the the conclusions.
new network model (3G-WLAN) raises new secu-
rity concerns, mainly, because of the complexity
of the deployed architecture and the heterogeneity bAckground
of the employed technologies. In addition, new
security vulnerabilities are emerging, which might
the b3g network Architecture
be exploited by adversaries to perform malicious
actions that result in fraud attacks, inappropriate
As shown in Figure 1, the B3G network archi-
resource management, and loss of revenue. Thus,
tecture includes three individual networks: (I)
the proper design and a comprehensive evaluation
the WLAN-AN, (II) the visited 3G PLMN, and
of the security mechanisms used in the 3G-WLAN
(III) the home 3G PLMN. Note that Figure 1 il-
network architecture is of vital importance for the
lustrates the architecture for a general case where
effective integration of the different technologies
the WLAN is not directly connected to the user’s
in a secure manner.
home 3G PLMN. The WLAN-AN includes the
In this chapter we examine and analyze the
wireless access points (APs), the network access
security architectures and the related security
servers (NAS), the authentication, authorization,
protocols, which are employed in B3G, focusing
accounting (AAA) proxy (Laat, Gross, Gommans,
on their functionality and the supported security
Vollbrecht, & Spence, 2000), and the WLAN-ac-
services for both WLAN Direct IP Access and
cess gateway (WLAN-AG). The wireless APs
3GPP IP Access scenarios. Each access scenario
provide connectivity to mobile users and act like
(i.e., WLAN Direct Access and WLAN 3GPP IP
AAA clients, which communicate with an AAA
Access) in B3G networks incorporates a specific
proxy via the Diameter (Calhoun, Loughney, Gutt-
security architecture, which aims at protecting the
man, Zorn, & Arkko, 2003) or the Radius (Rigney,
involved parties (i.e., the mobile users, the WLAN,
Rubens, Simpson, & Willens, 1997) protocol to
and the 3G network) and the data exchanged
convey user subscription and authentication infor-
among them. We elaborate on the various secu-
mation. The AAA proxy relays AAA information
rity protocols of the B3G security architectures
between the WLAN and the home 3G PLMN. The
that provide mutual authentication (i.e., user and
NAS allows only legitimate users to have access
network authentication) as well as confidentiality
to the public Internet, and finally, the WLAN-AG
and integrity services to the data transferred over
is a gateway to 3G PLMN networks. It is assumed
the air interface of the deployed WLANs and
that WLAN is based on the IEEE 802.11 standard
specific parts of the core network. Finally, based
(IEEE std 802.11, 1999).
on the analysis of the two access scenarios and the
On the other hand, the visited 3G PLMN in-
security architecture that each one employs, we
cludes an AAA proxy that forwards AAA informa-
present a comparison of them. This comparison
tion to the AAA server (located in the home 3G
aims at highlighting the deployment advantages
PLMN), and a wireless access gateway (WAG),
of each scenario and classifying them in terms of:
which is a data gateway that routes users’ data to
(1) security, (2) mobility, and (3) reliability.
the home 3G PLMN. On the other hand, the home
The rest of this chapter is organized as fol-
3G PLMN includes the AAA server, the packed
lows. The next section outlines the B3G network
data gateway (PDG) and the core network elements
architectures and presents the WLAN Direct IP
Security Architectures for B3G Mobile Networks
of the universal mobile telecommunications system public Internet or to an intranet via the WLAN-AN.
(UMTS), such as the home subscriber service (HSS) In this scenario both the user and the network are
or the home location register (HLR), the Gateway authenticated to each other using the extensible
GPRS support node (GGSN) and the Serving GPRS authentication protocol method for GSM sub-
support node (SGSN). The AAA server retrieves scriber identity modules (EAP-SIM) (Haverinen
authentication information from the HSS/HLR and & Saloway, 2006) or the Extensible Authentica-
validates authentication credentials provided by tion Protocol-Authentication and Key Agreement
users. The PDG routes user data traffic between (EAP-AKA) (Arkko & Haverinen, 2006) protocol.
a user and an external packet data network, which Moreover, in this scenario, the confidentiality and
is selected based on the 3G PS-services requested integrity of users data transferred over the air inter-
by the user. The latter identifies these services by face is ensured by the 802.11i security framework
means of a WLAN-access point name (W-APN), (IEEE std 802.11i, 2004). On the other hand, the
which represents a reference point to the external WLAN 3GPP IP Access scenario allows a WLAN
IP network that supports the PS services to be user to connect to the PS services (like WAP, MMS,
accessed by the user. LBS, etc.) or to the public Internet through the 3G
As mentioned previously, the integrated ar- PLMN. In this scenario, the user is authenticated
chitecture of B3G networks specifies two different to the 3G PLMN using the EAP-SIM or alterna-
network access scenarios: (1) the WLAN direct IP tively the EAP-AKA protocol encapsulated within
access and (2) the WLAN 3GPP IP Access. The IKEv2 (Kaufman, 2005) messages. The execution
first scenario provides to a user connection to the of IKEv2 is also used for the establishment of an
Security Architectures for B3G Mobile Networks
00
Security Architectures for B3G Mobile Networks
load), the user identity and other context-related is analyzed next. Note that the user communicates
information in order to generate the master key with the wireless AP via the EAP over LAN
(MK) of the EAP-SIM protocol, as shown in the (EAPOL) protocol (IEEE std 802.1X, 2004).
following formula:
• First, the user associates with the wireless AP
MK= SHA1(Identity| n*Kc| NONCE| Version List| and the latter sends an EAP-Request/Identity
Selected Version)1, (1) message to the user asking for his/her iden-
tity.
where SHA1 is a hash function (Eastlake & • The user responds with a message (EAP-Re-
Jones, 2001). In the sequel, the produced key MK sponse/Identity) that includes his/her identity
is fed into a pseudo random function (prf) that in the format of network access identifier
generates other keys used in EAP-SIM. From these (NAI) (Aboba & Beadles, 1999). This iden-
keys the most important are: (1) the master session tity can be either the International Mobile
key (MSK), which is used in 802.11i to generate Subscriber Identity (IMSI), or a temporary
the encryption keys, as described later on, and (2) identity (i.e., pseudonym).
the K_auth key, which is used in EAP-SIM for the • Knowing the user’s identity, the AAA server
generation of keyed message authentication codes issues an EAP-Request/SIM/Start message,
(MACs) for authentication purposes. which actually starts the authentication pro-
Figure 2 shows the message exchange of EAP- cedure.
SIM between the user and the AAA server, which • The user sends back an EAP-Response/SIM/
Start message that includes a nonce parameter
0
Security Architectures for B3G Mobile Networks
0
Security Architectures for B3G Mobile Networks
0
Security Architectures for B3G Mobile Networks
0
Security Architectures for B3G Mobile Networks
MSK of EAP-SIM or
GMK
EAP-AKA
prf
prf
PTK
bits
user’s address, the AP’s address, the Snonce Information Element (RSN IE) payload,
value, and the Anonce value, as follows: which denotes the set of authentication and
cipher algorithms that the user supports, and
PTK=prf (MSK, “Pairwise key expansion”, Min(AP a message integrity code (MIC), which is a
address, user’s address) | Max(AP address, cryptographic digest used to provide integ-
user’s address) | Min(Anonce , Snonce) | Max(Anonce rity services to the messages of the four-way
, Snonce)), handshake and it is computed as follows:
(7)
MIC= HASHKCK (EAPOL-Key message), (8)
where prf is a pseudo random function, “Pair-
wise key expansion” is a set of characters, and, where HASHKCK denotes a hash function (i.e.,
finally, the Min and Max functions provide the HMAC-MD5 or HMAC-SHA-128) that uses the
minimum and maximum value, respectively, be- KCK key to generate the cryptographic hash value
tween two inputs. In the sequel, the generated PTK over the second EAPOL-Key message.
key is partitioned to derive three other keys: (1) a • Upon receiving this message, the AP calcu-
128-bits key confirmation key (KCK) that provides lates the key PTK and the related keys (i.e.,
integrity services to EAPOL-Key messages, (2) a KCK, KEK, and TK keys), (the same with the
128-bits key encryption key (KEK) used to encrypt user), and, then, verifies the integrity of the
the GTK key as described next, and, (3) a 128-bits message (producing the MIC value). Next,
temporal key (TK) used for user’s data encryption it generates the 128-bits GTK key from the
(see Figure 4). GMK key as follows:
• After the calculation of these keys, the user
forwards to the AP the second EAPOL-Key GTK=prf(GMK, “Group key expansion”| AP ad-
message (step 2-Figure 5) that includes the dress| Gnonce), (9)
Snonce, the user’s Robust Security Network
0
Security Architectures for B3G Mobile Networks
where Gnonce is a random number generated user decrypts the GTK key using the KEK key
from the AP to derive the GTK key and sends to the AP the last message of the
• In the sequel, the AP replies to the user by four-way handshake (step 4), which includes
sending the third EAPOL-Key message (step an MIC payload over the fourth EAPOL-Key
3), which includes the Anonce value (the same message, to acknowledge to the AP that he/she
with the first EAPOL-Key message), an MIC has installed the PTK key and the related keys
over the third EAPOL-Key message, the AP’s (i.e., KEK, KCK, and TK keys), as well as the
RSN IE, and the GTK key, which is used to GTK key.
protect the broadcast/multicast messages and • Once the AP receives the fourth EAPOL-Key
it is conveyed encrypted using the KEK key, message, it verifies the MIC as previously. If
as follows: this final check is successful, the four-way
handshake is completed successfully, and
Encrypted GTK= ENCKEK (GTK), (10) both the user and the AP share: (1) the TK
key to encrypt/decrypt unicast messages,
where ENCKEK denotes the encryption al- and (2) the GTK key to encrypt/decrypt
gorithm (i.e., AES or RC4), which uses the broadcast/multicast messages.
KEK key to encrypt the GTK key.
• By receiving this message, the user checks In case that the AP wants to provide a new GTK
whether the MIC is valid and compares his/ key to the connected users, it executes the group
her RSN IE with the AP’s RSN IE ensuring key handshake, as shown in Figure 5.
that they support the same cryptographic
algorithms. If all these checks are correct, the
0
Security Architectures for B3G Mobile Networks
• The AP first generates a fresh GTK key from CCMP Protocol. 802.11i incorporates the CCMP
the GMK key and sends an EAPOL-Key protocol to provide confidentiality and integrity
message that includes an MIC value and the services to users’ data conveyed over the radio
new GTK key to the users. Note that MIC is interface of WLANs. The CCMP protocol com-
computed over the body of this EAPOL-Key bines the AES encryption algorithm in CounTeR
message using the KCK key, and the GTK mode (CTR-AES) to provide data confidentiality
key is conveyed encrypted using the KEK and the Cipher Block Chaining Message Authen-
key. Recall that both the user and the AP tication Code (CBC-MAC) protocol to compute
share the KEK and KCK keys, which were an MIC over the transmitted user’s data that
generated in the four-way handshake. provides message integrity (Whiting, Housley, &
• Upon receiving the previous message, the user Ferguson, 2003).
employs the KCK key to verify whether the The operation of the CCMP protocol can be
MIC is valid and then, he/she decrypts the divided into three distinct phases. In phase 1, the
GTK key using the KEK key. Finally, he/she CCMP protocol constructs an additional authen-
replies to the AP with an EAPOL-Key mes- tication data (AAD) value from constant fields
sage, which includes an MIC that acknowl- of the 802.11 frame header (IEEE std 802.11,
edges to the AP that he/she has installed the 1999). In addition, it creates a nonce value from
GTK key. the priority field of the 802.11 frame header and
• Once the AP receives this message, it verifies from the packet number (PN) parameter, which
the MIC. If this final verification is successful, is a 48-bit counter incremented for each 802.11i
then, the group key handshake is completed protected frame. In phase 2, the CCMP protocol
successfully and the user can encrypt broad- computes an MIC value over the 802.11 frame
cast/multicast messages using the new GTK header, the AAD, the nonce, and the 802.11 frame
key. payload using the CBC-MAC algorithm and the
TK key (or the GTK key for broadcast/mulitcast
0
Security Architectures for B3G Mobile Networks
0
Security Architectures for B3G Mobile Networks
0
Security Architectures for B3G Mobile Networks
0
Security Architectures for B3G Mobile Networks
text of WLAN 3GPP IP Access scenario, the user that he/she supports, the KEi that is the Dif-
and the PDG execute IKEv2. The authentication fie-Hellman value, and an Ni value that rep-
of the user is based on EAP-SIM or EAP-AKA, resents the nonce. The nonce (i.e., a random
while the authentication of the PDG is based on number at least 128 bits) is used as input to
certificates. the cryptographic functions employed by
The IKEv2 protocol is executed in two sequen- IKEv2 to ensure liveliness of the keying
tial phases (i.e., phase 1 and phase 2). In phase 1, material and protect against replay attacks.
the user and the PDG establish two distinct SAs: • The PDG answers with a message that con-
(1) a bidirectional IKE_SA that protects the mes- tains its choice from the set of cryptographic
sages of phase 2, and (2) an one-way IPsec_SA algorithms for the IKE SA (SAr1), its value to
that protects user’s data. During phase 2, the complete the Diffie-Hellman exchange (KEr)
user and the PDG using the established IKE_SA and its nonce (Nr). At this point, both the user
can securely negotiate a second IPsec_SA that is and the PDG can calculate the SKEYSEED
employed for the establishment of a bidirectional value as follows:
IPsec based VPN tunnel between them.
SKEYSEED = prf (( Ni | Nr ), g ^ ir ) ,
4
The IKEv2 phase 1 negotiation between the (11)
user and the PDG is executed in two sub-phases:
(1) the IKE_SA_INIT, and (2) the IKE_AUTH where prf is the pseudo random function
exchange, as shown in Figure 9. The IKE_SA_INIT negotiated in the previous messages, and g^ir
exchange (noted as step 1 in Figure 9) consists of a is the shared secret key that derives from the
single request and reply messages, which negoti- Diffie-Hellman exchange. The SKEYSEED
ate cryptographic algorithms, exchange nonces, value is used to calculate various secret keys.
and do a Diffie-Hellman exchange. In the context The most important are: the SK_d used for
of this sub-phase, four cryptographic algorithms providing the keying material for the IPsec
are negotiated: (1) an encryption algorithm, (2) an SA; SK_ei and SK_ai used for encrypting
integrity protection algorithm, (3) a Diffie-Hellman and providing integrity services, respectively,
group, and (4) a prf. The latter prf is employed for to the IKEv2 messages from the user to the
the construction of keying material for all of the PDG (IKE_SA); and, finally, SK_er and
cryptographic algorithms used. After the execution SK_ar that provide security services in the
of the IKE_SA_INIT, an IKE_SA is established opposite direction (IKE_SA).
that protects the IKE_AUTH exchange. The sec-
ond sub-phase (i.e., IKE_AUTH) authenticates Finalizing the IKE_SA_INIT exchange, the
the previous messages; exchanges identities and IKE_AUTH exchange can start. It is worth not-
certificates; encapsulates EAP-SIM or alternatively ing that from this point all the payloads of the
EAP-AKA messages; and establishes an IPsec_SA following IKEv2 messages, excluding the mes-
(step 2-5 in Figure 9). All the messages of IKEv2 sage header (HDR payload), are encrypted and
include a header payload (HDR), which contains a integrity protected using the IKE_SA (see step 2
security parameter index (SPI), a version number, in Figure 9).
and security-related flags. The SPI is a value cho-
sen by the user and the PDG to identify a unique • The IKE_AUTH exchange of messages starts
SA. In the following, the IKEv2 negotiation is when the user sends to the PDG a message
analyzed: that includes his/her identity (IDi), which
could be in an NAI format, the CERTREQ
• At the beginning of the IKEv2 negotiation payload (optionally), which is a list of the
(step 1 in Figure 9), the user sends to the certificate authorities (CA) whose public keys
PDG the SAi1, which denotes the set of the user trusts, and the traffic selectors (TSi
cryptographic algorithms for the IKE_SA and TSr), which allow the peers to identify
Security Architectures for B3G Mobile Networks
the packet flows that require processing by thenticate the PDG. Similarly to the previous
IPsec. In addition, in the same message the messages, the payload of this IKEv2 message,
user must include the Configuration Payload except for the message header, is encrypted
Request (CP-Request), which is used to obtain using the IKE_SA.
a remote IP address from the PDG and get • Upon receiving the EAP-AKA (SIM) pay-
access to the 3G-PLMN. load, the user verifies the AUTHr field by
• After receiving this information, the PDG using the public key of the PDG included in
forwards to the AAA server the user identity the certificate field (CERT), and answers by
(IDi) including a parameter, which indicates sending an EAP-AKA (SIM) response mes-
that the authentication is being performed sage encapsulated again within an IKEv2
for VPN (tunnel) establishment. This will message. From this point, the IKEv2 messages
facilitate the AAA server to distinguish contain only EAP-AKA (SIM) payloads,
between authentications for WLAN access which are encrypted and integrity protected
and authentications for VPN setup. as described previously.
• Upon receiving the IDi, the AAA server • The EAP-SIM or EAP-AKA exchange con-
fetches the user’s profile and authentication tinues, normally, until an EAP-SUCCESS
credentials (GSM triplets if authentication is message (or an EAP-FAILURE in case of
based on EAP-SIM, or 3G authentication vec- a failure) is sent from the AAA server to
tors if authentication is based on EAP-AKA) the PDG, which ends the EAP-AKA or the
from HSS/HLR (if these are not available in EAP-SIM dialogue. Together with the EAP-
the AAA server in advance). SUCCESS message, the key MSK is sent from
• Based on the user’s profile, the AAA server the AAA server to the PDG via the AAA
initiates an EAP-AKA (if the user possesses protocol, as shown in Figure 9 (step 4).
a USIM card) or an EAP-SIM authentication • After finishing the EAP-AKA or EAP-SIM
(if the user possesses a GSM/GPRS SIM dialogue, the last step (step 5) of IKEv2 re-
card) by sending to the PDG the first mes- authenticates the peers, in order to establish
sage of the related procedure (i.e., EAP-SIM an IPsec_SA. This authentication step is
or EAP-AKA) included in a AAA protocol necessary in order defeat man-in-the-middle
(i.e., Radius or Diameter) (step 3 in Figure attacks, which might take place because the
9). Note that since there is no functional authentication protocol (e.g., EAP-SIM or
difference between the EAP-SIM and the EAP-AKA) runs inside the secure protocol
EAP-AKA authentication when these proto- (e.g., IKEv2). This combination creates a
cols are encapsulated in IKEv2, we present security hole since the initiator and the re-
them in a generic way. Thus, we introduce sponder have no way to verify that their peer
the EAP-AKA (SIM) payload notation (see in the authentication procedure is the entity at
Figure 9) to indicate that this payload can be the other end of the outer protocol (Asokan,
an EAP-SIM or an EAP-AKA message. Niemi, & Nyberg, 2002). Thus, in order to
• Upon receiving the first EAP-AKA (SIM) prevent possible attacks against IKEv2 (i.e.,
message, the PDG encapsulate it within an man-in-the-middle attacks), both the user and
IKEv2 message and forwards the encap- the PDG have to calculate the AUTHi and the
sulated message to the user. Except for the AUTHr payloads, respectively, using the MSK
EAP-AKA (SIM) payload, this message also key that was generated from the EAP-SIM
includes the PDG’s identity, which identifies or EAP-AKA protocol. Then, both the user
the provided 3G services (W-APN) (see the and the PDG send each other the AUTHi and
Background section), the PDG’s certificate AUTHr payloads to achieve a security bind-
(CERT), and the AUTHr field. The latter ing between the inner protocol (EAP-SIM or
contains signed data used by the user to au- EAP-AKA) and the outer protocol (IKEv2).
Security Architectures for B3G Mobile Networks
Note that the PDG together with the AUTHr established between these two nodes. This pair
payload sends also its traffic selector payloads deploys a bidirectional VPN between them that
(TSi and TSr), the SAr2 payload, which con- allows for secure data exchange over the underlying
tains the chosen cryptographic suit for the network path. At the same time, the user has been
IPsec_SA and the assigned user’s remote IP subscribed to the 3G PLMN network for charging
address in the Configuration Payload Reply and billing purposes using either the EAP-AKA
(CP-REPLY) payload. or EAP-SIM protocol.
After the establishment of the IPsec_SA the The deployed VPN runs on top of the wireless
keying material (KEYMAT) for this SA is link and extends from the user’s computer to the
calculated as follows: PDG, which is located in the user’s home 3G PLMN
(see Figure 1 and 10). It is based on IPsec (Kent &
KEYMAT = prf ( SK _ d , Ni | Nr ), (12) Atkinson, 1998a), which is a developing standard
for providing security at the network layer. IPsec
where Ni and Nr are the nonces from the provides two choices of security service through
IKE_SA_INIT exchange, and SK_d is the two distinct security protocols: the Authentication
key that is calculated from the SKEYSEED Header (AH) protocol (Kent & Atkinson, 1998c),
value (see eq. 11). The KEYMAT is used to and the encapsulating security payload (ESP) pro-
extract the keys that the IPsec protocol uses tocol (Kent & Atkinson, 1998b). The AH protocol
for security purposes. Note that the deployed provides support for connectionless integrity,
IPsec_SA protects the one-way communica- data origin authentication, and protection against
tion between the user and the PDG. For bi- replays, but it does not support confidentiality.
directional secure communication, one more The ESP protocol supports confidentiality, con-
SA needs to be established between them (the nectionless integrity, anti-replay protection, and
user and the PDG) by executing the IKEv2 optional data origin authentication. Both AH and
phase 2 over the established IKE_SA. ESP support two modes of operation: transport and
tunnel. The transport mode of operation provides
Data Protection end-to-end protection between the communicating
end points by encrypting the IP packet payload.
After the completion of the authentication pro- The tunnel mode encrypts the entire IP packet
cedure and the execution of IKEv2 between the (both IP header and payload) and encapsulates
PDG and the user, a pair of IPsec_SAs has been the encrypted original IP packet in the payload of
a new IP packet.
Security Architectures for B3G Mobile Networks
In the deployed VPN of the WLAN 3GPP IP tioned protocols (i.e., EAP-SIM and EAP-AKA)
Access scenario, IPsec employs the ESP protocol with IKEv2. Specifically, the PDG is authenticated
and is configured to operate in the tunnel mode. using its certificate, and the user is authenticated
Thus, VPN provides confidentiality, integrity, data using EAP-SIM or EAP-AKA. It is worth noting
origin authentication, and anti-reply protection that since the EAP-SIM and EAP-AKA messages
services protecting the payload and the header are encapsulated in protected IKEv2 messages,
of the exchanged IP packets. From the two IP the identified security weaknesses associated with
addresses (i.e., transport and remote IP address) them are eliminated.
of each authenticated user, the remote IP address Regarding confidentiality and data integrity
serves as the inner IP address, which is protected services, both scenarios protect sensitive data
by IPsec, and the transport IP address serves as the conveyed over the air interface. More specifi-
IP address of the new packets, which encapsulate cally, in the WLAN Direct IP Access scenario,
the original IP packets and carry them between high level security services are provided only in
the user and the PDG (see Figure 10). Thus, an cases that the CCMP security protocol is applied,
adversary can not disclose, fabricate unnoticed, since it incorporates the strong AES encryption
or perform traffic analysis to the data exchanged algorithm. A downside of applying CCMP is that
between the user and the PDG. Finally, IPsec can it requires hardware changes to the wireless APs,
use different cryptographic algorithms (i.e., DES, which might be replaced. In the WLAN 3GPP
3DES, AES, etc.) depending on the level of security IP Access scenario, data encryption is applied
required by the two peers and the data that they at the layer 2 (using WEP, TKIP, or CCMP) and
exchange. layer 3 (using IPsec), simultaneously (see Figure
10). This duplicate encryption provides advanced
security services to the data conveyed over the
coMPArIson of tHE scEnArIos WLAN radio interface, but at the same time it may
cause bandwidth consumption, longer delays, and
Based on the presentation of the two access sce- energy consumption issues at the level of mobile
narios (i.e., WLAN Direct IP Access and 3GPP devices.
IP Access) that integrate B3G networks and the Another deployment feature, which can be used
analysis of the security measures that each one for comparing the two scenarios, has to do with
employs, this section provides a brief comparison mobility. The WLAN Direct IP Access scenario
of them. The comparison aims at highlighting the may support user mobility by employing one of the
deployment advantages of each scenario and clas- mobility protocols, proposed for seamless mobility
sifies them in terms of: (1) security, (2) mobility, in wireless networks (Saha, Mukherjee, Misra,
and (3) reliability. & Chakraborty, 2004). On the other hand, in the
Regarding the provided security services, both WLAN 3GPP IP Access scenario, the established
scenarios support mutual authentication. In the VPN between a user and the PDG adds an extra layer
WLAN Direct IP Access scenario, the authen- of complexity to the associated mobility manage-
tication procedure employs either EAP-SIM or ment protocols of this scenario. This complexity
EAP-AKA, depending on the user’s subscription. arises from the fact that as the mobile user moves
However, both protocols present the same security from one access network to another and his/her
weaknesses, which can be exploited by adversaries IP address changes, the mobility protocols must
to perform several attacks such as identity spoofing, incorporate mechanisms that maintain, dynami-
denial of service (DoS) attacks, replay attacks, and cally, the established VPN, enabling the notion of
so forth (Arkko & Haverinen, 2006; Haverinen & mobile VPN. An attempt to address this problem
Saloway, 2006). On the other hand, the authenti- can be found in Dutta et al., 2004) that designs
cation procedure of the 3GPP IP Access scenario and implements a secure universal mobility ar-
is more secured, since it combines the aforemen- chitecture, which incorporates standard mobility
Security Architectures for B3G Mobile Networks
management protocols, such as mobile IP for tiality and integrity services to the data exchanged
achieving mobile VPN deployment. between them.
Finally, the deployed IPsec-based VPNs be-
tween the users and the PDG in the 3GPP IP Access
scenario may raise reliability issues. Reliability AcknowlEdgMEnt
is perceived as the ability to use VPN services at
all times, and it is highly related to the network Work supported by the project CASCADAS
connectivity and the capacity of the underlying (IST-027807) funded by the FET Program of the
technology to provide VPN services. In the 3GPP European Commission.
IP Access scenario, all data traffic passes through
the VPN tunnels that are extend from the users to
the PDG. The number of the deployed VPNs can rEfErEncEs
grow significantly, due to the fact that each user can
establish multiple VPNs at the same time to access 3rd Generation Partnership Project (3GPP) TS
different services. Thus, the PDG must be able to 22.100. (v3.7.0). (2001). UMTS Phase 1 Release
support a large number of simultaneous VPNs in ’99. Sophia Antipolis Cedex, France: Author.
order to provide reliable security services.
3rd Generation Partnership Project (3GPP) TS 0.3.6.
(V7.9.0). (2002). GPRS service description, Stage
conclusIon 2. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS
This chapter has analyzed the security architectures 23.234 (v7.3.0). (2006). 3GPP system to WLAN
employed in the interworking model that integrates interworking. System description. Release 7. So-
3G and WLANs, materializing B3G networks. The phia Antipolis Cedex, France: Author.
integrated architecture of B3G networks specifies
two different network access scenarios: (1) the 3rd Generation Partnership Project (3GPP) TS
WLAN Direct IP Access, and (2) the WLAN 3GPP 33.234 (v7.2.0). (2006). 3G security and WLAN
IP Access. The first scenario provides to a user interworking security. System description. Release
connection to the public Internet or to an intranet 7. Sophia Antipolis Cedex, France: Author.
via the WLAN-AN. In this scenario both the user Aboba, B., & Beadles, M. (1999). The network
and the network are authenticated to each other access identifier (RFC 2486). Retrieved from
using EAP-SIM or EAP-AKA, depending on the http://tools.ietf.org/html/rfc2486
user’s subscription. Moreover, the confidentiality
and integrity of the user’s data transferred over the Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J.,
air interface are ensured by the 802.11i security & Levkowetz, H. (2004). The extensible authen-
framework. On the other hand, the WLAN 3GPP tication protocol (RFC 3748). Retrieved from
IP Access scenario allows a user to connect to http://www.ietf.org/rfc/rfc3748.txt
the PS services (like WAP, MMS, LBS, etc.) or
Arkko, J., & Haverinen, H. (2006). EAP-AKA
to the public Internet through the 3G PLMN. In
authentication (RFC 4187). Retrieved from http://
this scenario, the user is authenticated to the 3G
www.rfc-editor.org/rfc/rfc4187.txt
PLMN using EAP-SIM or alternatively EAP-AKA
encapsulated within IKEv2, while the network is Asokan, N., Niemi, V., & Nyberg, K. (2002). Man-
authenticated to the user using its certificate. In in-the-middle in tunneled authentication protocols.
addition, the execution of IKEv2 is used for the Cryptology ePrint Archive, Report 2002/163. Re-
establishment of an IPsec-based VPN between the trieved from http://eprint.iacr.org/2002/163
user and the network that provides extra confiden-
Security Architectures for B3G Mobile Networks
Borisov, N., Goldberg, I., & Wagner, D. (2001, Kaufman, C. (2005). The Internet key exchange
July). Intercepting mobile communications: The (IKEv2) protocol (RFC 4306). Retrieved from
insecurity of 802.11. Paper presented at the 7th http://www.rfc-editor.org/rfc/rfc4306.txt
ACM/IEEE International Conference on Mobile
Kent, S., & Atkinson, R. (1998a). Security archi-
Computing and Networking (MOBICOM), Rome,
tecture for Internet protocol (RFC 2401). Retrieved
Italy.
from http://www.faqs.org/rfcs/rfc2401.html
Calhoun, P., Loughney, J., Guttman, E., Zorn,
Kent, S., & Atkinson, R. (1998b). IP encapsulating
G., & Arkko, J. (2003). Diameter base protocol
security payload (ESP) (RFC 2406). Retrieved
(RFC 3588). Retrieved from http://www.rfc-editor.
from http://www.faqs.org/rfcs/rfc2406.html
org/rfc/rfc3588.txt
Kent, S., & Atkinson, R. (1998c). IP authentication
Dutta, A., Zhang, T., Madhani, S., Taniuchi, K.,
header (RFC 2402). Retrieved from http://www.
Fujimoto, K., Katsube, Y., et al. (2004, October).
rfc-editor.org/rfc/rfc2402.txt
Secure universal mobility for wireless Internet. In
Proceedings of the 2nd ACM international work- Kivinen, T., & Tschofenig, H. (2006). Design of
shop on Wireless mobile applications and services the Mobike protocol (RFC 4621). Retrieved from
on WLAN hotspots (WMASH), Philadelphia, PA. http://www.ietf.org/rfc/rfc4621.txt
Eastlake, D., & Jones, P. (2001). US secure hash Krawczyk, H., Bellare, M., & Canetti, R. (1997).
algorithm 1 (SHA1) (RFC 3174). Retrieved from HMAC: Keyed-hashing for message authentica-
http://www.ietf.org/rfc/rfc3174.txt tion (RFC 2104). Retrieved from http://www.faqs.
org/rfcs/rfc2104.html
Eronen, P. (2006). IKEv2 mobility and multihoming
protocol (MOBIKE) (RFC 4555). Retrieved from Laat, C., Gross, G., Gommans, L., Vollbrecht, J.,
http://www.ietf.org/rfc/rfc4555.txt & Spence, D. (2000). Generic AAA architecture
(RFC 2903). Retrieved from http://isc.faqs.org/
European Telecommunications Standards Institute
rfcs/rfc2903.html
(ETSI) TS 100 922 (v7.1.1). (1999). Subscriber iden-
tity modules (SIM) functional characteristics. Rigney, C., Rubens, A., Simpson, W., & Willens, S.
(1997). Remote authentication dial in user services
Harkins, D., & Carrel, D. (1998). The Internet
(RADIUS) (RFC 2138). Retrieved from http://tools.
key exchange (IKE) (RFC 2409). Retrieved from
ietf.org/html/rfc2138
http://faqs.org/rfcs/rfc2409.html
Saha, D., Mukherjee, A., Misra, I. S., &
Haverinen, H., & Saloway, J. (2006). EAP-SIM
Chakraborty, M. (2004). Mobility support in IP:
authentication (RFC 4186). Retrieved from http://
A survey of related protocols. IEEE Network,
www.ietf.org/rfc/rfc4186.txt
18(6), 34-40.
IEEE std 802.11 (1999). Wireless LAN medium
Whiting, D., Housley, R., & Ferguson, N. (2003).
access control (MAC) and physical layer (PHY)
Counter with CBC MAC (CCM) (RFC 3610). Re-
specifications.
trieved from http://www.ietf.org/rfc/rfc3610.txt
IEEE std 802.11i. (2004). Wireless medium access
Xenakis, C., & Merakos, L. (2004). Security in
control (MAC) and physical layer (PHY) specifi-
third generation mobile networks. Computer Com-
cations: Medium access control (MAC) security
munications, 27(7), 638-650.
enhancements.
IEEE std 802.1X. (2004). Port based access
control.
Security Architectures for B3G Mobile Networks
Chapter XX
Security in UMTS 3G Mobile
Networks
Christos Xenakis
University of Piraeus, Greece
AbstrAct
This chapter analyzes the security architecture designed for the protection of the universal mobile tele-
communication system (UMTS). This architecture is built on the security principles of second genera-
tion (2G) systems with improvements and enhancements in certain points in order to provide advanced
security services. The main objective of the third generation (3G) security architecture is to ensure that
all information generated by or relating to a user, as well as the resources and services provided by
the serving network and the home environment are adequately protected against misuse or misappro-
priation. Based on the carried analysis the critical points of the 3G security architecture, which might
cause network and service vulnerability are identified. In addition, the current research on the UMTS
security and the proposed enhancements that aim at improving the UMTS security architecture are
briefly presented and analyzed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in UMTS 3G Mobile Networks
mobility implies higher security risks compared to serving network (SN) and the home environment
those encountered in fixed networks. The advanced (HE) are adequately protected against misuse or
wireless and wired network infrastructure, which misappropriation. Based on the carried analysis the
supports higher access rates, and the complex critical points of the 3G security architecture, which
network topologies, which enable “anywhere- might cause network and service vulnerability are
anytime” connectivity, may increase the number identified. In addition, the current research on the
and the ferocity of potential attacks. Furthermore, UMTS security and the proposed enhancements
the potential intruders are able to launch malicious that aim at improving the UMTS security archi-
attacks from mobile devices with enhanced pro- tecture are briefly presented and analyzed.
cessing capabilities, which are difficult to trace. The rest of this chapter is organized as follows.
To defeat the possible vulnerable points, UMTS The next section outlines the UMTS network ar-
has incorporated a specific security architecture chitecture and the 3G security architecture. The
named as 3G security architecture. third section elaborates on the network access
This chapter analyzes the security architecture security features, and the fourth section examines
designed for the protection of UMTS. This archi- the network domain security. The fifth section
tecture is built on the security principles of second presents the user domain security, the application
generation (2G) systems with improvements and domain security, the visibility of security op-
enhancements in certain points in order to provide eration and configurability, and the network-wide
advanced security services. The main objective of confidentiality option. The sixth section analyzes
the 3G security architecture is to ensure that all potential weaknesses concerning the 3G security
information generated by or relating to a user, as architecture and the seventh section presents the
well as the resources and services provided by the current research on the UMTS security. Finally,
the last section contains the conclusions.
Security in UMTS 3G Mobile Networks
0
Security in UMTS 3G Mobile Networks
the contemporary fixed and mobile networks. The TMSI in the packet switched (PS) domain has a
security features have been adequately standard- local significance only in the location area or the
ized in order to ensure worldwide availability, routing area, in which the user is registered. The
interoperability, and roaming between differ- association between the permanent and temporary
ent SNs. Furthermore, 3G security features and user identities is stored in the VLR or the SGSN
mechanisms can be extended and enhanced as (VLR/SGSN). If the mobile user arrives into a new
required by new threats and services (Xenakis & area, then the association between the permanent
Merakos, 2004b). and the temporary identity can be fetched from the
Figure 2 gives an overview of the 3G security old location or routing area. If the address of the
architecture, illustrating five major security classes old area is not known or the connection cannot be
(3GPP TS 33.102, 2002): established, then, the permanent identity must be
requested from the mobile user.
• Network access security (I) To avoid user traceability, which may lead to the
• Network domain security (II) compromise of user identity confidentiality as well
• User domain security (III) as to user location tracking, the user should not be
• Application domain security (IV) identified for a long period by means of the same
• Visibility and configurability of security temporary identity. Additionally, any signaling or
(V) user data that might reveal the user’s identity are
ciphered on the radio access link.
Network access security is a key component in Authentication and key agreement mechanism
the 3G security architecture. This class deals achieves mutual authentication between the mobile
with the set of security mechanisms that provide user and the SN showing knowledge of a secret
users with secure access to 3G services, as well key (K), as well derives ciphering and integrity
as protect against attacks on the radio interface. keys. The authentication method is composed of
Such mechanisms include: (1) user identity confi- a challenge/response protocol (see Figure 3) and
dentiality, (2) authentication and key agreement, (3) was chosen in such a way as to achieve maximum
data confidentiality, and (4) integrity protection of compatibility with the GSM/GPRS security archi-
signaling messages. Network access security takes tecture facilitating the migration from GSM/GPRS
place independently in each service domain. to UMTS. Furthermore, the user service identity
module (USIM) (3GPP TS 22.100, 2001) and the HE
User Identity Confidentiality keep track of counters SQNMS and SQNHE, respec-
tively, to support the network authentication. The
User identity confidentiality allows the identifica- sequence number SQNHE is an individual counter
tion of a user on the radio access link by means for each user, while the SQNMS denotes the high-
of a temporary mobile subscriber identity (TMSI). est sequence number that the USIM has accepted.
This implies that confidentiality of the user identity Whenever the SQNHE is not in the correct range,
is protected almost always against passive eaves- the mobile station decides that a synchronization
droppers. Initial registration is an exceptional case failure has occurred in the HE and consequently
where a temporary identity cannot be used, since initiates a resynchronization to the HE.
the network does not yet know the permanent Upon receipt of a request from the VLR/SGSN,
identity of the user. the HE authentication center (HE/AuC) forwards
The allocated temporary identity is transferred an ordered array of authentication vectors (AV)
to the user once the encryption is turned on. A to the VLR/SGSN. Each AV, which is used in
TMSI in the circuit switched (CS) domain or P- the authentication and key agreement procedure
Security in UMTS 3G Mobile Networks
Generate RAND
SQN
RAND
AMF
f1 f2 f3 f4 f5
MAC XRES CK IK AK
between the VLR/SGSN and the USIM consists of • The Message Authentication Code (MAC)
a random number (RAND), an expected response = f1k (SQN ||1 RAND || AMF), where f1 is
(XRES), a cipher key (CK), an integrity key (IK), a message authentication function and the
and an authentication token (AUTN). authentication and key management field
Figure 4 shows an AV generation by the HE/ (AMF) is used to fine tune the performance
AuC. The HE/AuC starts with generating a fresh or bring a mew authentication key stored in
sequence number (SQN), which proves to the user the USIM into use.
that the generated AV has not been used before and • The expected response XRES = f2k (RAND)
an unpredictable challenge RAND. Then, using where f2 is a (possibly truncated) message
the secret key (K) it computes: authentication function.
• The cipher key CK = f3k (RAND),
Security in UMTS 3G Mobile Networks
CK f8 CK f8
KEYSTREAM KEYSTREAM
BLOCK BLOCK
Sender Receiver
UE or RNC RNC or UE
Security in UMTS 3G Mobile Networks
RNC on the network side. The f8 is a symmetric that MACs for two frames with identical content
synchronous stream cipher algorithm that is used are different, are a 32-bit value COUNT, a 32-bit
to encrypt frames of variable length. The main value FRESH, and an 1-bit value DIRECTION.
input to the f8 is a 128-bit secret cipher key CK. In the UMTS R99, the f9 is based on the Kasumi
Additional inputs, which are used to ensure that two algorithm (3GPP TR 33.908, 2000).
frames are encrypted using different keystreams
are a 32-bit value COUNT, a 5-bit value BEARER,
and a 1-bit value DIRECTION (see Figure 5). The nEtwork doMAIn sEcurIty
output is a sequence of bits (the “keystream”) of the
same length as the frame. The frame is encrypted Network domain security (NDS) features ensure
by XORing the data with the keystream. For UMTS that signaling exchanges within the UMTS core
R99, f8 is based on the Kasumi algorithm (3GPP as well as in the whole wireline network are pro-
TR 33.908, 2000). tected. Various protocols and interfaces are used
for the control plane signaling inside, and between
Integrity Protection of signaling core networks, such as the mobile application
Messages part (MAP) and the GPRS tunneling protocol
(GTP) protocols, and the Iu (IuPS, IuCS) and Iur
The radio interface in 3G mobile systems has also interfaces (3GPP TS 23.002, 2002). These will be
been designed to support integrity protection on protected by standard procedures based on the
the signaling channels. This enables the receiv- existing cryptographic techniques. Specifically, the
ing entity to be able to verify that the signaling IP-based protocols shall be protected at network
data have not been modified in an unauthorized level by means of IP security (IPsec) (Kent & At-
way since they were sent. Furthermore, it ensures kinson, 1998), while the realization of protection
that the origin of the received signaling data is for the signaling system 7 (SS7)-based protocols
indeed the one claimed. The integrity protection and the lu and Iur interfaces shall be accomplished
mechanism is not applied for the user plane due at the application layer. In the following, the NDS
to performance reasons. context for IP-based (3GPP TS 33.210, 2002) and
The function (f9) is used to authenticate the SS7-based (3GPP TS 33.200, 2002) protocols is
integrity and the origin of signaling data between presented. Moreover, the employment of tradi-
the MS and the RNC in UMTS. It computes a tional security technologies, originally designed
32-bit MAC (see Figure 6), which is appended for fixed networking, such as firewalls and static
to the frame and is checked by the receiver. The virtual private networks (VPNs) are examined.
main inputs to the algorithm are a 128-bit secret The application of these technologies safeguards
IK and the variable-length frame content MES- the UMTS core network from external attacks and
SAGE. Additional inputs, which are used to ensure protects users’ data when are conveyed over the
public Internet.
IK f9 IK f9
MAC -I XMAC -I
Sender Receiver
UE or RNC RNC or UE
Security in UMTS 3G Mobile Networks
Security in UMTS 3G Mobile Networks
transport is based only on IP, then security may to various external threats. Moreover, inter-network
be provided either at the network layer exclusively communications are based on the public Internet,
using IPsec or in a combination of the application which enables IP spoofing to any malicious third
and network layer. For signaling protection at the party who gets access to it. In order to defeat
application layer the necessary SAs will be network- these vulnerable points, the mobile operators can
wide and they are negotiated by KAC similarly to use two complementary technologies: firewalls
the IP-based architecture (see Figure 8). End-to-end and VPNs (Gleeson, Lin, Heinanen, Armitage, &
protected signaling will be indistinguishable to Malis, 2000).
unprotected signaling traffic to all parties, except Firewalls can be characterized as a technology
for the sending and receiving sides. providing a set of mechanisms to enforce a security
It is worth noting that in Rel-4 the only protocol policy on data from and to a corporate network.
that is to be protected is the MAP. The complete They are established at the borders of the core
set of enhancements and extensions that facilitate network allowing traffic originating from specific
the MAP security is termed MAPsec (3GPP TS foreign IP addresses. Thus, firewalls protect the
33.200, 2002). The MAPsec covers the security UMTS backbone from unauthorized penetration.
management procedures, as well as the security Furthermore, application firewalls prevent direct
of the transport protocol including data integrity, access through the use of proxies for services,
data origin authentication, anti-reply protection, which analyze application commands, perform
and confidentiality. Finally, for IKE adaptation a authentication, and keeps logs.
specific Domain of Interpretation is required. Since firewalls do not provide privacy and
confidentiality, VPNs have to complement them
traditional network security features to protect data in transit. VPN establishes a secure
tunnel between two points, encapsulates and en-
Besides the security features that are included in crypts data, and authenticates and authorizes user
the 3G security architecture, the mobile network access of the corporate resources on the network.
operators can apply traditional security technolo- Thus, they extend dedicated connections between
gies used in terrestrial networking to safeguard the remote branches or remote access to mobile us-
UMTS core network as well as the inter-network ers, over a shared infrastructure. Implementing a
communications. User data in the UMTS backbone VPN makes security issues such as confidentiality,
network are conveyed in clear-text exposing them integrity, and authentication paramount. There is a
Security in UMTS 3G Mobile Networks
two-fold benefit that arises from VPN deployment: share a secret (e.g., a PIN). The user gets access
the low cost and security. to the USIM only if he/she proves knowledge of
The border gateway is an element that resides at the secret. Furthermore, access to a terminal or
the border of the UMTS core network and provides to other user equipment can be restricted to an
the appropriate level of security policy (e.g., fire- authorized USIM. To this end, the USIM and the
wall), as well as maintaining static pre-configured terminal must also share a secret. If a USIM fails
security tunnels (e.g., IPsec tunnels) granting VPN to prove its knowledge of the secret then access
services to specific peers. It serves as a gateway to the terminal is denied.
between the PS domain and an external IP network
that is used to provide connectivity with other PS Application domain security
domains located in other core networks.
Application domain security (3GPP TS 33.102,
2002) deals with secure messaging between the
usEr And APPlIcAtIon doMAIn MS and the SN or the SP over the network with a
sEcurIty fEAturEs level of security chosen by the network operator
or the application provider. A remote application
user domain security should authenticate a user before allowing him/her
to utilize the application services and it could also
User domain security (3GPP TS 33.102, 2002) provide for application-level data confidentiality.
ensures secure access to the MS. It is based on a Application-level security mechanisms are needed
physical device called UMTS integrated circuit because the lower layers’ functionality may not
card (UICC), which can be easily inserted and guarantee end-to-end security provision. The lack
removed from terminal equipment, containing of end-to-end security could be envisioned when
security applications such as the USIM (3GPP TS for instance the remote party is accessible through
22.100, 2001). The USIM represents and identifies the Internet.
a user and his/her association to an HE. It is re- USIM application toolkit (3GPP TS 33.111,
sponsible for performing subscriber and network 2001) provides the capability for operators or third
authentication, as well as key agreement when 3G party providers to create applications that are resi-
services are accessed. It may also contain a copy dent on the USIM. To assure secure transactions
of the user’s profile. between the MS and the SN or the service provider
The USIM access is restricted to an authorized (SP), a number of basic security mechanisms such
user or to a number of authorized users. To ac- as entity authentication, message authentication,
complish this feature, the user and the USIM must replay detection, sequence integrity, confidentiality
assurance, and proof of receipt have been specified
and integrated in the USIM Application Toolkit.
Figure 9a. WAP 1.2.1 architecture Figure 9b. WAP 2.0 architecture
Security in UMTS 3G Mobile Networks
Wireless Application Protocol (WAP) is a suite (2) indication of network wide encryption; and (3)
of standards for delivery and presentation of In- indication of the level of security (e.g., when a user
ternet services on wireless terminals, taking into moves from 3G to 2G).
account the limited bandwidth of mobile networks Configurability enables the mobile user and
as well as the limited processing capabilities of the HE to configure whether a service provision
mobile devices. It separates the network in two should depend on the activation of certain security
domains (i.e., the wireless and the Internet domain) features. A service can only be used when all the
and introduces a WAP gateway that translates the relevant security features are in operation. The
protocols used in each domain. The WAP archi- configurability features that are suggested include:
tecture has been standardized in two releases (ver. (1) enabling/disabling user-USIM authentication for
1.2.1 and ver. 2.0) (Wireless Application Forum, certain services; (2) accepting/rejecting incoming
n.d.). non-ciphered calls; (3) setting up or not setting up
In WAP 1.2.1 (see Figure 9a), security is ap- non-ciphered calls; and (4) accepting/rejecting the
plied by using the wireless transport layer security use of certain ciphering algorithms.
(WTLS) protocol (wireless application forum, n.d.)
over the wireless domain and the transport layer network-wide user data
security (TLS) protocol over the Internet domain. Confidentiality
WTLS, which is based on TLS, provides peers
authentication, data integrity, data privacy, and Network-wide confidentiality is an option that
protection against denial-of-service in an optimized provides a protected mode of transmission of user
way for use over narrow-band communication data across the entire network. It protects data
channels. However, WAP 1.2.1 does not support against eavesdropping on every link within the
end-to-end security, since the conveyed data are network and not only on the vulnerable radio links.
protected by two separate security channels (i.e., Whenever network-wide confidentiality is applied,
WTLS security channel and TLS security chan- access link confidentiality on user data between the
nel). MS and the RNC is disabled to avoid replication.
On the other hand, WAP 2.0 (see Figure 9b) However, access link confidentiality for signaling
introduces the Internet protocol stack into the information as well as user identity confidentiality
WAP environment. It allows a range of different are retained to facilitate the establishment of the
gateways, which enable conversion between the encryption process. In Figure 10, the network-wide
two protocol stacks anywhere from the top to the encryption deployment is depicted.
bottom of the stack. A TCP-level gateway allows Network-wide confidentiality uses a syn-
for two versions of TCP, one for the wired and chronous stream cipher algorithm similar to that
another for the wireless network domain. On the employed in the access link encryption. Initially,
top of the TCP layer, TLS can establish a secure a data channel is established between the com-
channel all the way from the MS to the remote municating peers indicating also the intention
server. Thus, the availability of a wireless profile for network-wide encryption. VLRa and VLRb
for TLS enables end-to-end security allowing exchange cipher keys (Ka and Kb) for users a and
interoperability for secure transactions. b, respectively, using cross boundaries signaling
protection, and then, pass them to the MSs over
Security Visibility and Configurability protected signaling channels. When each MS has
received the other party’s key, the end-to-end
Although the security measures provided by the session key, Ks, is calculated as a function of Ka
SN should be transparent to the end user, visibility and Kb. Alternatively, VLRs can mutually agree
of the security operations as well as the supported on the Ks using an appropriate key agreement
security features should be provided. This may in- protocol. Both key management schemes satisfy
clude: (1) indication of access network encryption; the lawful interception requirement, since Ks can
be generated by the VLRs.
Security in UMTS 3G Mobile Networks
Security in UMTS 3G Mobile Networks
was generated by the HE. On the other hand, he/she because of the static configuration of firewalls
cannot determine if an authentication vector was may potentially lead to discontinuity of service
requested by the SN, since the authentication vector connectivity for the mobile user. Moreover, the
could have been requested by any SN. Thus, the firewalls security value is limited because they
adversary owing a false base/mobile station device allow direct connection to ports and cannot dis-
(i.e., a device that emulates a base station and a tinguish services.
mobile station) can impersonate as a genuine base Similarly to firewalls, the VPN technology fails
station and entices a legitimate user to camp on to provide the necessary flexibility required by
the radio channels of the false base station. The typical mobile users. Currently, VPNs for UMTS
adversary can also impersonate as a legitimate subscribers are established in a static manner
mobile station and establishes connection with a between the border gateway of a UMTS network
genuine base station. This fact allows the adversary and a remote security gateway of a corporate
to relay messages in between a legitimate mobile private network. This fact allows the realization
station and a genuine base station realizing the of VPNs only between a security gateway of a
redirection attack. This attack represents a real large organization and a mobile operator, when
threat since the security levels provided by different a considerable amount of traffic requires protec-
networks are not always the same. In addition, it tion. Thus, this scheme can provide VPN services
could cause billing problems as the service rates neither to individual mobile users that may require
offered by different networks are not always the on demand VPN establishment, nor to enterprise
same, either. users that may roam internationally. In addition,
The second security flaw that is related to the static VPNs have to be reconfigured every time the
UMTS authentication (Zhang & Fang, 2005) al- VPN topology or VPN parameters change.
lows an adversary to use the authentication vec- On the other hand, if a mobile user uses the
tors corrupted from one network to impersonate WAP architecture (ver. 1.2.1), data privacy is not
other networks. When a network is corrupted, an guaranteed. Although encryption is used, the WAP
adversary could forge an authentication data request gateway constitutes a security hole since inside
from the corrupted network to obtain authentica- the gateway data are transmitted un-encrypted.
tion vectors for any user, independent of the actual WTLS is only used between the mobile device
location of the user. Then, the adversary could use and the gateway, while TLS can be used between
the obtained authentication vectors to impersonate the gateway and the Web server. From a security
uncorrupted networks and to mount false base sta- point of view, the gateway should be considered
tion attack against legitimate users. Therefore, the as an entity-in-the-middle. This means that
corruption of one network may jeopardize the entire data exchanged may be available to people with
system. For this reason, it is critical that security privileged access to the WAP gateway and thus,
measures are in place in every network. the privacy of the data depends on the gateway’s
The application of firewalls in 3G systems internal security policy.
presents some weaknesses since they were origi- WAP 2.0 does address the “gap” in security
nally conceived to address security issues for fixed caused by protocol translation at the WAP gateway
networks. Firewalls attempt to protect the clear- of the previous version (ver. 1.2.1). However, the
text transmitted data in the UMTS backbone from mobile phone would have to use an IP protocol
external attacks, but they are inadequate against stack at the expense of larger latency and band-
attacks that originate from other mobile network width consumption. Although TLS can be used
malicious subscribers, as well as from network to secure the communication of any application,
operator personnel or any other third party that it must be integrated into the application and thus,
gets access to the UMTS core network. Mobility to a large extent it is used for Web-based applica-
may imply roaming between networks and opera- tions. Interaction with the end user is needed, for
tors possibly changing the source address, which example, to check with whom a secure session has
0
Security in UMTS 3G Mobile Networks
been established or to explicitly request the client porary identities will reside at the SN (TMSIALT),
to authenticate with the server. TLS is generally and the second one at the home network of the
a resource consuming protocol for deployment mobile user (TMSIHE). When the VLR of the SN
in mobile devices with limited processing capa- fail to page a mobile user using the current TMSI,
bilities and low bandwidth/high latency wireless it can try to page him/her using the alternative
networks. Moreover, the operation overhead may temporary identity (TMSIALT), which also resides
be increased by complex key-exchange procedures in the VLR. In case of a VLR database failure or a
in case the protected service contains cross-refer- corruption of the temporary identities (i.e., TMSI
ences to other services. and TMSIALT) that resides in the VLR, the VLR
Finally, the network-wide encryption may also requests the temporary identity (i.e., TMSIHE) from
encounter problems when transcoding is used. the home network by which it can page the mobile
Voice calls may need to be transcoded when they user. This identity resides in the user’s home net-
cross network borders, meaning that voice data work in order to avoid a possible corruption after
may have to undergo change such as bit-rate change a database (VLR) failure. In case that none of the
or some other transformation. It is not possible to TMSI is valid or all of them are corrupted, the user
apply such transformation on an encrypted signal, is not attached to the network.
which implies that the signal has to be decrypted Both the additional temporary identities (i.e.,
before transcoding. Furthermore, the network-wide TMSIALT and TMSIHE) derive from the current
confidentiality lacks flexibility and it is not ap- TMSI. The latter consists of four octets and its
plicable to all types of service in different mobile generation procedure is chosen by the mobile opera-
scenarios. Specifically, it is limited to protecting tor. However, some general guidelines are applied
the communication between mobile subscribers. in all implementations in order to avoid double al-
location of TMSIs, after a restart of the allocating
node (i.e., VLR or SGSN). For this reason, some
currEnt rEsEArcH on uMts part of the TMSI may be related to the time when
sEcurIty it was allocated or contained a bit field, which is
changed when the allocating node has recovered
The weak points of the UMTS security architecture from the restart. After the generation of a TMSI,
may lead to compromises of end users and network the allocating node applies two individual hash
security of the UMTS system. These compromises functions (i.e., HASHALT and HASHHE), which
may influence the system deployment and the produce the corresponding TMSIALT and TMSIHE,
users’ trend to utilize UMTS for the provision of respectively. Then, the allocating node forwards
advanced multimedia services, which realizes the the three temporary identities to the involved
concept of mobile Internet. In the following, the mobile user and the TMSIHE to its home network.
current research on the UMTS security and the In cases that the home and the SN are the same,
proposed enhancements that aim at improving the the TMSIHE can be stored in HLR, which is not
UMTS security architecture are briefly presented affected by the reasons that corrupt the other
and analyzed. two temporary identities. Finally, each time that
the current TMSI is renewed, the two additional
Identity Confidentiality temporary identities change in order to eliminate
the possibility of an adversary to link them to the
permanent user’s identity.
To limit the exposure of the permanent identities
(IMSI) of mobile users over the vulnerable radio
interface, the additional usage of two complemen- Authentication and key Agreement
tary temporary identities for each mobile subscriber
that is attached to the network has been proposed To address the security issues involved with the
(Xenakis & Merakos, 2004b). One of these tem- authentication and key agreement procedure Zhang
Security in UMTS 3G Mobile Networks
and Fang (2005) have proposed an adaptive proto- user data security
col for mobile authentication and key agreement,
called AP-AKA. The proposed protocol can defeat Another weakness of the current UMTS security
the redirection attack and may drastically lower architecture that can be overcome is related to
the impact of network corruption. An overview of the lack of effective protection of user data in the
AP-AKA is shown in Figure 11. fixed part of the UMTS network. To address this
The AP-AKA protocol retains the framework problem, two alternative security solutions, which
of the legacy authentication and key agreement, but are based on existing security technologies, can
eliminates the synchronization required between be used: (1) the application layer security, and (2)
the mobile station and its home network (i.e., SQNMS the establishment of mobile VPNs, dynamically,
and SQNHE). In AP-AKA, each mobile station and that satisfy users’ needs.
its home network share an authentication key K and Application layer security solutions integrate
three cryptographic algorithms F, G, and H, where security into applications at the level of end us-
F and H are MACs and G is a key generation func- ers. The most prominent protocol that provides
tion. In practice, the authentication key is usually security at this layer for the Internet technology
generated by the home network and programmed is the Secure Sockets Layer (SSL) protocol (Gupta
into the mobile station during service provisioning. & Gupta, 2001). SSL supports server authentica-
Unlike the legacy authentication and key agreement, tion using certificates, data confidentiality, and
the home network in AP-AKA does not maintain message integrity. Since SSL is relatively “heavy”
a dynamic state, for example, the counter, for each for implementations on mobile devices, which are
individual subscriber. The mobile station can verify characterized by limited processing capabilities,
whether an AV was indeed requested by a SN and a lightweight version of SSL named “KiloByte”
was not used before by the SN. The AP-AKA SSL (KSSL) has been proposed (Gupta & Gupta,
protocol specifies a sequence of six flows. Each 2001). This SSL implementation (KSSL) provides
flow defines a message type and format sent or an advantage by enabling mobile devices (UMTS
received by an entity. Depending on the execution MS) to communicate directly and securely with a
environment, entities have the flexibility of adap- considerable number of Internet Web servers that
tively selecting flows for execution, and thus the support SSL.
AP-AKA is called an adaptive protocol.
Security in UMTS 3G Mobile Networks
An alternative approach to the previous solu- & Merakos, 2004a), (2) the network-wide (Xenakis
tions that employ security at the application layer & Merakos, 2006), and (3) the border-based (Xe-
pertains to these that employ security at the network nakis, Loukas, & Merakos 2006). These schemes
layer. The most prominent technique for provid- mainly differ in the position where the security
ing security at the network layer is IPsec (Kent functionality is placed within the UMTS network
& Atkinson, 1998). As a network layer security architecture (MS, RNC, and GGSN), and whether
mechanism, IPsec protects traffic on a per con- data in transit are ever in cleartext or available to
nection basis and thus, is independent from the be tapped by outsiders.
applications that run above it. In addition, IPsec The end-to-end security scheme integrates the
is used for implementation of VPNs (Gleeson et VPN functionality into the communicating peers,
al., 2000). An IPsec-based VPN is used for the which negotiate and apply security. More specifi-
authentication and the authorization of user ac- cally, an MS and a remote security gateway (SG)
cess to corporate resources, the establishment of of a corporate private network establish a pair of
secure tunnels between the communicating parties IPsec SAs between them, which are extended over
and the encapsulation and protection of the data the entire multi-nature communication path, as
transmitted by the network. On-demand VPNs shown in Figure 12. Thus, sensitive data are secured
that are tailored to specific security needs are as they leave the originator site (MS or SG) and
especially useful for UMTS users, which require remain protected while they are conveyed over the
any-to-any connectivity in an ad hoc fashion. Re- radio interface, the GPRS backbone network, and
garding the deployment of VPNs over the UMTS the public Internet eliminating the possibilities of
infrastructure, three alternative security schemes being intercepted or to be altered by anyone.
have been proposed: (1) the end-to-end (Xenakis The deployed end-to-end VPN has no inter-
relation with the underlying network operation
Security in UMTS 3G Mobile Networks
and the provided network connectivity. It operates the border-based (Xenakis et al., 2006) schemes
above the network layer and thus, the security integrate the VPN functionality into the UMTS net-
parameters, which are contained within the IPsec work infrastructure following a network-assisted
SA, are not affected by the MS movement. For this security model. In both schemes a MS initiates a
reason the MS may freely move within the UMTS VPN that is negotiated and established by the net-
coverage area maintaining network connectivity work infrastructure thus minimizing the impact to
and VPN service provision. The UMTS mobility end users and their devices. The network operators
management procedures keep track of the user provide the security aggregation facilities, which
location and therefore, the incoming packets are are shared among the network subscribers, as a
routed to the MS. On the other hand, the end-to- complementary service, granting-added value.
end security scheme is not compatible with the They have solid network management expertise
legal interception option or any other application and more resources to effectively create, deploy,
that requires access to the traversing data within and manage VPN services originating from mobile
the mobile network. The enforcement of network subscribers.
security policy, traditionally performed by border For the deployment of both security schemes
firewalls, is devolved to end hosts, which establish (i.e., network-wide and border-based) the MS must
VPN overlays. Despite this, the border firewalls be enhanced with a security client (SecC) and the
remain to perform packet filtering and counteract UMTS core network should incorporate a security
against denial of service attacks. server (SecS). The SecC is employed by the user
Contrary to the end-to-end security scheme, to request for VPN services and express his pref-
the network-wide (Xenakis & Merakos, 2006) and erences. It is a lightweight module that does not
Security in UMTS 3G Mobile Networks
entail considerable processing and memory capa- tire network route between the originator and the
bilities and thus, it can be easily integrated in any recipient. In order to achieve VPN continuity as a
type of mobile device causing minor performance mobile user moves and roams, the standard UMTS
overhead. On the other side, the SecS establishes, mobility management procedures needs to be
controls, and manages VPNs between itself and enhanced. The enhancements include the transfer
remote SGs at corporate LANs on behalf of the of the related context (named as security context),
mobile users. The SecS comprises an IPsec imple- which contains the details of the deployed security
mentation modified to adapt to the client-initiated associations that pertain to the moving user, to the
VPN scheme and the security service provision new visited access point. This transfer enables
in a mobile UMTS environment. It can be readily the reconstruction of the security associations of
integrated in the existing network infrastructure the moving user to the new visited access point,
and thus, both schemes can be employed as add-on when the user connects to it, providing continu-
features of UMTS. ous VPN services from the end-user perspective.
The network-wide scheme (see Figure 13) The network-wide scheme is compatible with legal
integrates the SecS into the RNC of the UMTS interception; however, User Datagram Protocol
network infrastructure. This scheme provides (UDP) encapsulation is applied for Network Ad-
maximal security services to the communicating dress Translation (NAT) traversal. Finally, the
peers by employing the existing UMTS ciphering network security policy is enforced by the SGSN,
over the radio interface and extending a VPN over which incorporates the SecS.
the UMTS backbone and the public Internet. Thus, By placing the SecS in the GGSN, the border-
sensitive user data remains encrypted for the en- based VPN deployment scheme is realized (see
Security in UMTS 3G Mobile Networks
Security in UMTS 3G Mobile Networks
3rd Generation Partnership Project (3GPP) TS Xenakis, C., Loukas, N., & Merakos, L. (2006,
33.200 (v4.3.0). (2002). 3G security; Network April). A secure mobile VPN scheme for UMTS.
domain security; MAP application layer secu- In Proceedings of European Wireless 2006, Ath-
rity. Sophia-Antipolis Cedex, France: Author. ens, Greece.
Retrieved from ftp://ftp.3gpp.org/specs/2006-12/
Xenakis, C., & Merakos, L. (2004a). IPsec-based
Rel-4/33_series
end-to-end VPN deployment over UMTS. Com-
3rd Generation Partnership Project (3GPP) TS puter Communications, 27(17), 1693-1708.
33.210 (v5.1.0). (2002). 3G security; Network do-
Xenakis, C., & Merakos, L. (2004b). Security in
main security: IP network layer security. Sophia-
third generation mobile networks. Computer Com-
Antipolis Cedex, France: Author. Retrieved from
munications, 27(7), 638-650.
ftp://ftp.3gpp.org/specs/2006-12/Rel-5/33_series
Xenakis, C., & Merakos, L. (2006). Alternative
3rd Generation Partnership Project (3GPP) TR
schemes for dynamic secure VPN deployment
33.908 (v3.0.0). (2000). 3G security; General re-
over UMTS. Wireless Personal Communications,
port on the design, specification and evaluation
36(2), 163-194.
of 3GPP standards confidentiality and integrity
algorithms. Sophia-Antipolis Cedex, France: Au- Zhang, M., & Fang, Y. (2005). Security analysis
thor. Retrieved from ftp://ftp.3gpp.org/specs/2006- and enhancements of 3GPP authentication and key
12/R1999/33_series agreement protocol. IEEE Transactions on Wireless
Communications, 4(2), 734-742.
3rd Generation Partnership Project (3GPP) TS
35.205 (v3.0.0). (2001). 3G security; Specification
of the MILENAGE set: An example algorithm set
for the 3GPP authentication and key generation kEy tErMs
functions f1, f1*, f2, f3, f4, f5, and f5*. Sophia-
Antipolis Cedex, France: Author. Retrieved from International mobile subscriber identity
ftp://ftp.3gpp.org/specs/2006-12/Rel-4/35_series (IMSI): IMSI is a unique number associated
Gleeson, B., Lin, A., Heinanen, J., Armitage, G., with all UMTS network mobile phone users.
& Malis, A. (2000). A framework for IP based Internet key exchange (IKE): IKE is a
virtual private networks (RFC 2764). Retrieved protocol used to set up a security association
from http://tools.ietf.org/html/rfc2764 (SA) in the IPsec protocol suite.
Gupta, V., & Gupta, S. (2001). Securing the wire- IP security (IPsec): IPsec is a suite of
less Internet. IEEE Communications Magazine, protocols for securing IP communications by
39(12), 68-74. authenticating and/or encrypting each IP packet
Harkins, D., & Carrel, D. (1998). The Internet in a data stream.
key exchange (IKE) (RFC 2409). Retrieved from Temporary mobile subscriber identity
http://www.ietf.org/rfc/rfc2409.txt (TMSI): TMSI is a randomly allocated num-
Kent, S., & Atkinson, R. (1998). Security architec- ber that is given to the mobile the moment it is
ture for the Internet Protocol (RFC 2401). Retrieved switched on and serves as a temporary identity
from http://www.ietf.org/rfc/rfc2401.txt between the mobile and the network.
Wireless Application Forum (WAP). (n.d.). WAP Third generation (3G): 3G is a technology
specifications. Retrieved from http://www.wapfo- in the context of mobile phone standards. The
rum.org/what/technical.htm services associated with 3G include wide-area
wireless voice telephony and broadband wire-
less data, all in a mobile environment.
Security in UMTS 3G Mobile Networks
Chapter XXI
Access Security in UMTS
and IMS
Yan Zhang
Simula Research Laboratory, Norway
Yifan Chen
University of Greenwich, UK
Rong Yu
South China University of Technology, China
Supeng Leng
University of Electronic Science and Technology of China, China
Huansheng Ning
Beihang University, China
Tao Jiang
Huazhong University of Science and Technology, China
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Access Security in UMTS and IMS
to resolve the deficiency existing in the second gen- 2005). To ensure the secure communication in a
eration wireless mobile networks such as GSM, in multimedia session, an efficient access security
which only one-way authentication is performed for mechanism shall be also provided.
the core network part to verify the user equipment In this chapter, we make an introduction to the
(UE) (3G TS 24.008). Such access security may access security in the next generation wireless
lead to the “man-in-middle” problem, which is a mobile networks, including the mechanisms in
type of attack that can take place when two clients the circuited-switched domain, packet-switched
are communicating remotely and exchange public domain, and also the emerging IMS domain.
keys in order to initialize secure communications.
If both of the two public keys are intercepted in
the route by someone, he/she can act as a conduit bAckground ovErvIEw
and send in the messages with his/her own faked
public key. As a result, the secure communication Figure 1 shows the UMTS network architecture
is eavesdropped by a third party. with most related components in security man-
Multimedia service provisioning is one of the agement (3G TS 29.002; 3G TS 33.102). User
primary demands and motivations for the next terminal (UE) utilizes the circuited-switched or
generation wireless networks. To achieve this goal, packet-switched service through the radio interface
the IP multimedia subsystem (IMS) is added as the between base station (BS) and itself. BS locates in
core network in UMTS providing the multimedia the center of a cell which coveres a radio range.
service, for example, voice telephony, video con- BS provides the wireless access point for UEs to
ference, real-time streaming media, interactive the core network. Radio network controller (RNC)
game, voice over IP, picture, HTTP, and instant monitors and supervises the activities of several
messaging (3G TS 33.203). The multimedia session BS under its management. Radio access network
management, initialization, and termination are (RAN) consists of the RNC and the associated
specified and implemented in the session initia- BS under the RNC. Home location register (HLR)
tion protocol (SIP) (3G TS 29.228; Zhang & Fang, stores the permanent information for the subscrib-
0
Access Security in UMTS and IMS
The authentication protocol is based on a perma- means of the authentication function f1-f5, where
nent secret key K (128-bit) that is shared between for instance the function f1 is employed to compute
the UE and HLR/AuC. The AKA mechanism can XRES, the function f2 is used to compute RES,
be divided into two phases: the distribution of au- and the function f3 is used to compute CK ( 3G
thentication vector (DAV) from the HLR/AuC to the TS 33.105; 3G TS 35.205; 3G TS 35.206). After
SGSN as shown in Figure 3, and the authentication successfully generating n AVs, AuC sends back
and key establishment between the UE and the the AV array to SGSNn via the message authen-
core network as illustrated in Figure 4. tication data response, and SGSNn saves these n
AVs for the particular UE. It is noteworthy that
distribution of Authentication vector this phase executes not only upon UE entering a
new SGSN area, but also when there are no AVs
When a UE leaves an old SGSN (SGSNo) and available upon an action arrival which requires
moves into the coverage of a new SGSN (SGSNn), authentication.
SGSNn has no corresponding record for the UE,
which makes it necessary to authenticate the UE Authentication and key
prior to the subsequent behavior. SGSNn will Establishment
delivery the message authentication data request
(ADR) to the HLR/AuC with the UE’s unique For each activity triggering authentication request
IMSI. Based on the received IMSI, AuC can find such as call origination, paging, or location update
the associated record in its database and hence the the SGSN initiates the challenge user authentica-
according master key K for this particular UE. tion request (UAR) message to the UE with the
Then, HLR/AuC generates the number of n AV parameters RAND and AUTN, which is retrieved
instead of single one AV for the sake of saving from the ith (i = 1,2,…n) AV in the first-in-first-
signaling overhead. The AV structure is comprised out (FIFO) manner. Upon receiving the AV, the
of five components: (1) a random number RAND, UE checks the validity of AUTN. For this goal,
(2) an expected authentication response XRES, (3) the UE retrieves SQN component from AUTN
a cipher key CK, (4) an integrity key IK, and (5) and calculates expected message authentication
a network authentication token AUTN ( 3G TS code for authentication (XMAC-A). The UE then
23.060). In each generation, an AV is calculated by compares X-MAC-A and message authentication
Access Security in UMTS and IMS
code for authentication (MAC-A) component in tion, the subscriber identification, location, user
AUTN, if they are equal to each other, then the data, and signaling data should be encrypted.
network is verified. Otherwise, the UE rejects the
UAR and hence the network. After the network
is identified, UE checks the SQN freshness, that AccEss sEcurIty In IMs
is, the SQN has never been used before. When
the network succeeds, the UE then computes the There are three entities relevant to the IMS security
authentication response RES from the received architecture (see Figure 5). A proxy call session
RAND value and sends it in a user authentication control function (P-CSCF) locates in the serving
response message to the SGSN. If RES equals network of a UE and acts as the first access point
the expected response XRES, then the UE is in the serving network. P-CSCF is responsible for
successfully authenticated. Since there are n AVs forwarding SIP messages of an UE to the home
generated and recorded in SGSNn during each network. A serving call session control function
operation of DAV while only one AV is used dur- (S-CSCF) locates in the home network to provide
ing an authentication event, the signaling between session control of multimedia services and acts
SGSN and HLR/AuC during DAV is not needed as SIP registrar or SIP proxy server. The S-CSCF
for every authentication event. sends messages toward the home subscriber server
It is believed that, after the AKA procedure, all (HSS) and the AuC to receive subscriber data and
messages are claimed integrity protection, and the authentication information. An interrogating call
signaling data as well as user data are confidential- session control function (I-CSCF) locates in the
ity protection. In the sense of integrity protection, home network and acts as a SIP proxy toward the
the content of signaling messages should not be home network. I-CSCF is responsible for selecting
manipulated. With regard to confidentiality protec- an appropriate S-CSCF for the UE and forwarding
SIP requests/responses toward the S-CSCF.
Access Security in UMTS and IMS
Different from the one-pass authentication pro- subscriber profile to S-CSCF. We will discuss the
cedure in AKA illustrated in Figure 2, the security GPRS authentication and IMS authentication in
in IMS is a two-pass authentication procedure, the following two subsections. The discussion of
including general packet radio servcie (GPRS) either GPRS registration or PDP context activation
authentication and IMS authentication (3G TS is out of the scope and the readers are suggested
29.229). Before utilizing the IMS service, a UE to refer to the related technical specifications (3G
should first setup a data connection to know the IP TS 33.102).
address of P-CSCF and to carry the SIP signaling
messages through the P-CSCF. The data connec-
tion establishment is comprised of two steps, that gPrs AutHEntIcAtIon
is, attach and packet data protocol (PDP) context
activation. The first phase attach is used to establish GPRS authentication is performed in the framework
mobility management context between the UE and of GPRS mobility management (GMM) (http://
SGSN. During this procedure, the UE should per- www.3gpp2.org; 3G TS 33.102). Figure 6 shows
form GPRS authentication and GPRS registration the messages sequence in GPRS authentication.
to verify its validness and retrieve the subscriber In particular, the steps include:
profile including subscribed services, quality of
service (QoS) profile, IP address, and so on. Once 1. The UE sends GMM Attach Request
the UE is attached, the second step PDP context (IMSI) to the SGSN with the unique identity
activation is followed to activate a PDP address and IMSI.
build the association between the SGSN and GGSN. 2. If the SGSN has at least one AV for the UE,
Only after attached and PDP context activation, an then step 2 and 3 are skipped. Otherwise,
UE can access IMS services through registration the SGSN has to obtain AVs from the entity
process. The registration is necessary to inform HSS/AuC. SGSN triggers the procedure DAV
the HSS the location, authenticate and download by sending a MAP-SEND-AUTHENTICA-
Access Security in UMTS and IMS
TION-INFO Request (IMSI) message to the in Figure 7 (CWTS TSM 03.20; 3G TS 29.229).
HLR/AuC with the parameter IMSI uniquely This procedure includes the IMS authentication
identifying the UE. and the IMS registration. In particular, the steps
3. Upon receiving the authentication request, include:
the HSS/AuC searches the according record
in the database on the basis of IMSI. Then, 1. To start registration, the UE sends a SIP
HSS/AuC generates an ordered array of n REGISTER (IMPI, IMPU) message to
AVs for the specific UE. Each AV consists the P-CSCF in the serving network. On the
of the following components: a random num- receipt, the P-CSCF forwards the registration
ber RAND, an expected response XRES, a request to the I-CSCF of the home network.
cipher key CK, an integrity key IK, and an I-CSCF then delivers the message to a chosen
authentication token AUTN. The HSS/AuC S-CSCF.
then sends back the message MAP-SEND- 2. If the S-CSCF has at least one AV for the UE,
AUTHENTICATION-INFO Response to then steps 2 and 3 are skipped. Otherwise,
SGSN with the AV array as parameters. the S-CSCF has to obtain AVs from the entity
4. SGSN stores these n AVs for the particular HSS/AuC. S-CSCF triggers the procedure
UE and shall choose the next unused AV DAV by sending a Cx-AV-Req(IMPI, n)
in the ordered AV array. Subsequently, the message to the HSS/AuC with the parameter
SGSN shall challenge the UE and sends mes- IMPI uniquely identifying the UE and the
sage GMM Authentication and Ciphering number of n AVs wanted.
Request with parameters RAND and AUTN 3. Upon receipt of a request from the S-CSCF,
populated from the selected AV. the HSS/AuC searches the database on the
5. The UE checks the validness of the received basis of the unique IMPI, obtains the sub-
AUTN. In case it is acceptable, the UE shall scriber profile, and generates an ordered
calculate a response RES and send back array of n AVs for the specific UE. Each AV
to the SGSN through the message GMM consists of the following components: a ran-
Authentication and Ciphering Response. dom number RAND, an expected response
The SGSN retrieves the expected response XRES, a cipher key CK, an integrity key
XRES from the selected AV and compares IK, and an authentication token AUTN. Each
XRES with the received response RES. If AV is good for only one authentication and
they match, the authentication and key agree- key agreement between the IMS subscriber
ment is successfully completed and the keys and the S-CSCF. The HSS/AuC then sends
CK and IK are retrieved for the following back the message Cx-AV-Req-Resp(IMPI,
signaling confidentiality and integrity protec- RAND1||AUTN1||XRES1||CK1||IK1,…,
tion. RANDn||AUTNn||XRESn||CKn||IKn) to
6. The SGSN sends a GMM Attach Accept the S-CSCF with the array of AV as param-
message to the UE to indicate the completion eters.
of the successful attach procedure. 4. The S-CSCF chooses the first unused AV in
the array of AVs based on FIFO policy. From
the selected AV, the items RAND, AUTN,
IMs AutHEntIcAtIon IK, and CK are populated. The S-CSCF
sends the message SIP 4xx-Auth-Challenge
After the procedures of GPRS authentication, (IMPI, RAND, AUTN, IK, CK) to the I-
GPRS registration and PDP context activation, the CSCF, which then forwards the message to
UE has the IP address of the P-CSCF and is able P-CSCF. Upon the receipt, the P-CSCF shall
to access the IMS services through the registration store the two keys IK and CK and remove
procedure using SIP and Cx commands as shown the key information and finally forward the
Access Security in UMTS and IMS
rest of the message SIP 4xx-Auth-Challenge subscriber profile to the S-CSCF. HSS
(IMPI, RAND, AUTN) to the UE. shall send a Cx-Pull Response to the
5. The UE verifies the freshness of the received S-CSCF with the indicated information.
AUTN and calculates a response RES. This 8. The S-CSCF sends SIP 200 OK mes-
result RES is sent back from the UE to the P- sage to the UE through the I-CSCF and
CSCF through the message SIP REGISTER P-CSCF. After this step, a security as-
(IMPI, RES). After receiving the request, sociate (SA) is active for the protection
the P-CSCF forwards it to the I-CSCF, which of subsequent SIP messages between the
further forwards the authentication response UE and the P-CSCF.
to the S-CSCF. The S-CSCF retrieves the
expected response XRES and compares
XRES and the received response RES. If they futurE trEnds
match, the authentication and key agreement
is successfully completed. Next three steps security Management in
perform registration. Heterogeneous network
6. The S-CSCF sends a Cx-Put message to
the HSS/AuC with the UE identity. The The next generation wireless mobile networks
HSS shall store the S-CSCF name, which are characterized as the co-existent of the variety
is presently serving the UE, and then sends of network architectures, protocols, and applica-
the Cx-Put Response for acknowledge- tions due to the diverse requirements for data rate,
ment. radio coverage, deployment cost, and multimedia
7. Next, the S-CSCF sends a Cx-Pull to the service. The 3GPP is actively specifying the roam-
HSS/AuC with the UE identity in order to ing mechanism in the integrated wireless LAN
download the related information in the (WLAN)/UMTS networks. It should be noted
Access Security in UMTS and IMS
that this scenario is only a specific heterogeneous the security and QoS. The authors introduced the
network. The IEEE 802.16 standard is an emerging system model based on the widely used challenge/
broadband wireless access system specified for response mechanism. Then, a concept of security
wireless metropolitan area networks (WMAN) level is introduced to describe the different level
with the aim to bridge the last mile, replacing of communication protection with regard to the
costly wireline and also providing high speed nature of security, that is, information secrecy, data
multimedia services in fast moving transportation. integrity, and resource availability. By taking traffic
The recently amended 802.16e adds a mobility and mobility patterns into account, the technique
component for WMAN and defines both physical establishes a quantitative connection between the
and MAC layers for combined fixed and mobile security and QoS through the authentication and
operations in licensed bands. It is envisaged that the facilitates the evaluation of overall system perfor-
future generation wireless networks is the flexible mance under diverse security levels, mobility and
and seamless integration of the three technologies traffic processes.
WLAN, WMAN, and wireless wide area network Generally, a UE is powered by battery and
(WWAN), where WLAN (e.g., IEEE 802.11 Wi-Fi) hence the mechanism in efficiently utilizing the
serves as the hot-spot access area for short-range limited energy is becoming very important. In
and very high speed; WMAN (e.g., IEEE 802.16 case of more frequent authentication to increase
WiMAX) serves as the metropolitan-wide access the security, the UE will consume more energy.
network with high data rate and WWAN (e.g., With fewer authentications incurring potential
UMTS) provides the national-wide network with vulnerability, the UE is able to enlarge its life-
relatively low data rate. The substantial technical time before re-charging. As a consequence, there
challenge is to design and implement the security is a trade-off between the security and energy
architectures and protocols across such heteroge- management. Potlapally, Ravi, Raghunathan,
neous networks taking into account the seamless and Jha (2003) provided energy consumption
mobility, scalability, and performance efficiency. empirical measurements for a variety of ciphers,
hash functions, and signature algorithms. Based
security-Mobility Management on the observations, the study presented some
Interaction and security-Energy reasoning about the energy-security trade-offs in
tradeoff determining key length. However, no analytical
models have been proposed to evaluate the energy-
The performance of security management has a security trade-offs or make the intelligent decision
close interaction with the framework of mobility on trade-off.
management. Mobility management includes two
components: location management and handoff Higher security Protocols
management (http:www.3gpp2.org). There are two
operations in the location management: updating Although AKA has been standardized, the proto-
the UE location and paging the UE. In UMTS, col has two significant weaknesses: (1) HLR/AuC
SGSN shall authenticate a UE when the SGSN does not verify whether the information sent from
receives an “Initial L3 message” sent from UE. the visiting location register (VLR)/SGSN is valid
This message is triggered by the actions, includ- or not. That is, AKA has assumed that the link
ing location update request, connection manage- between VLR/SGSN and HLR/AuC is adequately
ment request, routing area update request, attach reliable; and (2) for the UMTS integrity protection
request, and paging response. It is clear that all mechanism, integrity key is transmitted without
these events are closely relevant to the user’s mo- encryption and the user data are not protected.
bility management architecture and mechanism. New strategies shall be designed to address these
Liang and Wang (2005) constructed an analytical issues.
model to evaluate the impact of authentication on
Access Security in UMTS and IMS
Harn and Hsin (2003) identified and discussed before all AVs are used up. Comparing with the
the inefficiency and complexity in keeping and original 3GPP Technical Specification TS33.102
managing the sequence number during the network (2000), the proposed strategy is able to achieve
authentication. Based on the combination of hash very low probability in waiting for an available
chaining and keyed-hash message authentication AV with negligible increased signaling overhead
code techniques, an enhanced scheme is proposed and low storage cost. The study in Al-Saraireh
to simplify the protocol implementation and si- and Yousef (2006) also analyzes the transmission
multaneously provide strong periodically mutual overhead during the procedure of AKA. It is pro-
authentication. posed that security protocols performance should
Zhang and Fang (2005) showed that the 3GPP be evaluated from the security perspective and
AKA protocol is vulnerable to a variant of the fake also from the signaling overhead point of view.
BS attack. The vulnerability allows an adversary New security protocols should consider to combat
to redirect user traffic from one network to another potential vulnerability as well as to introduce low
and to re-use corrupted AVs from one network additional signaling cost.
to all other networks. To address such security
problems in the current 3GPP AKA, the authors
presented a new authentication and key agreement conclusIon
protocol AP-AKA which defeats redirection at-
tack and drastically lowers the impact of network This chapter gives an overview on the security man-
corruption. agement in the next generation wireless networks.
The AKA process is described and its extension
security Protocols Performance in GPRS authentication and IMS authentication
are further discussed in detail. The identified
Security architecture and protocol are normally research challenges shall serve as the guidance
evaluated to guarantee the security, confidentiality, for the further study to propose more efficient
and integrity requirement. Recently, a few studies security protocols taking into account the network
have appeared to investigate the authentication architecture heterogeneity, the energy-security
signaling traffic performance due to the rapidly trade-offs, the mobility-security interaction, and
increasing number of subscribers and consequently comprehensive performance evaluation.
potentially high authentication requests and heavy
burden on the signaling networks. Lin and Chen
(2003) argue the disadvantages in fetching the rEfErEncEs
constant number of AV from HLR/AuC. Based
on the observations of the mobility pattern, the 3rd Generation Partnership Project (3GPP) (1999).
authors proposed an adaptive scheme to generate Technical specification core network; Mobile
an optimal number of AV array, which is able to application part (MAP) specification. Technical
significantly reduce the authentication signaling Specification 3G TS 29.002 V3.7.0 (2000-12).
traffic and hence save the limited bandwidth utiliza- Sophia Antipolis Cedex, France: Author.
tion. Zhang and Fujise (2006) argue the long delay
problem and proposed a mechanism to address the 3rd Generation Partnership Project (3GPP). Techni-
issue. In particular, when the two entities SGSN cal Specification Group Core Network; Mobile Ra-
and HLR/AuC locate far away from each other, the dio Interface Layer 3 Specification; Core Network
response for an available AV may be potentially Protocols Stage 3 for Release 1999, 2000. 3G TS
very long. The consequence of long delay includes 24.008 version 3.6.0 (2000-12). Sophia Antipolis
call blocking and location update failure, and hence Cedex, France: Author.
degraded QoS. To address this problem, the study 3rd Generation Partnership Project (3GPP). Tech-
proposed an enhanced scheme to fetch AV earlier nical Specification Group Services and Systems
Access Security in UMTS and IMS
Aspects; 3G Security; Security Architecture, 2000, aspects; 3G security; Access security for IP-based
Technical Specification 3G TS 33.102 V3.7.0 (2000- services, Tech. Spec. 3G TS 33.203 V5.5.0 (2003-
12). Sophia Antipolis Cedex, France: Author. 03).
3rd Generation Partnership Project (3GPP). Tech- 3rd Generation Partnership Project (3GPP). (2003).
nical Specification Group Services and Systems Technical specification group services and systems
Aspects; General Packet Radio Service (GPRS); aspects; IP Multimedia subsystem stage 2, Tech.
Service Description; Stage 2, 2000, Technical Spec. 3G TS 23.228 version 6.2.0 (2003-06).
Specification 3G TS 23.060 version 3.6.0 (2001-01).
Al-Saraireh, J., & Yousef, S. (2006). Authentication
Sophia Antipolis Cedex, France: Author.
transmission overhead between entities in mobile
3G TS 33.105, 3G Security; Cryptographic Algo- networks. International Journal of Computer Sci-
rithm Requirements. ence and Network Security, 6(3B), 150-154.
3G TS 35.205, 3G Security; Specification of the Harn, L., & Hsin, W. (2003). On the security of
MILENAGE Algorithm Set: An Example Algorithm wireless networks access with enhancements. In
Set for the 3GPP Authentication and Key Gen- Proceedings of Web Information Systems Engi-
eration Functions f1, f1*, f2, f3, f4, f5, and f5*; neering (WiSE’03) (pp. 88-95).
Document 1: General.
Liang, W., & Wang, W. (2005). A quantitative study
3G TS 35.206, 3G Security; Specification of the of authentication and QoS in wireless IP networks.
MILENAGE Algorithm Set: An Example Algorithm In Proceedings of IEEE INFOCOM’05, 2005.
Set for the 3GPP Authentication and Key Gen-
Lin, Y., & Chen, Y. (2003). Reducing authentica-
eration Functions f1, f1*, f2, f3, f4, f5, and f5*;
tion signaling traffic in third-generation mobile
Document 2: Algorithm Specification.
network. IEEE Transactions on Wireless Com-
China Wireless Telecommunication Standard; munication, 2(3), 493-501.
3G digital cellular telecommunications system;
Potlapally, N. R., Ravi, S., Raghunathan, A., & Jha,
Security related network functions (Release 3);
N. K. (2003). Analyzing the energy consumption of
CWTS TSM 03.20 V3.0.0 (2002-08).
security protocols. In Proceedings of the interna-
3rd Generation Partnership Project (3GPP). (2003). tional symposium on Low power electronics and
Technical specification core network; Cx and Dx design (pp. 30-35). ACM Press.
interfaces based on the diameter protocol; Pro-
Rosenberg, J., Schulzrinne, H., Camarillo, G., John-
tocol details, Tech. Spec. 3G TS 29.229 V5.3.0
ston, A., Peterson, J., Sparks, R., et al. (2002). SIP:
(2003-03).
Session initiation protocol (RFC 3261). Retrieved
3rd Generation Partnership Project (3GPP). (2003). from http://www.ietf.org/rfc/rfc3261.txt
Technical specification core network; IP multime-
Zhang, M., & Fang, Y. (2005). Security analysis
dia subsystem Cx and Dx interfaces; Signaling
and enhancements of 3GPP authentication and
flows and message contents (Release 5), Tech.
key agreement protocol. IEEE Transactions on
Spec. 3G TS 29.228 V5.4.0 (2003-06).
Wireless Communication, 4(2), 734-742.
3rd Generation Partnership Project (3GPP). (2003).
Zhang, Y., & Fujise, M. (2006). An Improvement
Technical specification group core network; Sig-
for Authentication Protocol in Third-Generation
naling flows for the IP multimedia call control
Wireless Networks. IEEE Transactions on Wireless
based on SIP and SDP; Stage 3, version 5.5.0
Communications. 5 (9), 2348-2352.
(2003-06). 3GPP TS 24.228.
3rd Generation Partnership Project (3GPP). (2003).
Technical specification group services and systems
Access Security in UMTS and IMS
0
Chapter XXII
Security in 2.5G Mobile Systems
Christos Xenakis
University of Piraeus, Greece
AbstrAct
The global system for mobile communications (GSM) is the most popular standard that implements sec-
ond generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS)
are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile
systems. GPRS is a service that provides packet radio access for GSM users. This chapter presents the
security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, the security
measures applied to protect the mobile users, the radio access network, the fixed part of the network,
and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security
weaknesses of the applied measures that may lead to the realization of security attacks by adversaries.
These attacks threaten network operation and data transfer through it, compromising end users and
network security. To defeat the identified risks, current research activities on the GPRS security propose
a set of security improvements to the existing GPRS security architecture.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in 2.5G Mobile Systems
For the successful implementation of the new describes briefly the GPRS network architecture.
emerging applications and services over GPRS, The third section presents the security architecture
security is considered as a vital factor. This is be- applied to GPRS and the fourth section analyzes its
cause of the fact that wireless access is inherently security weaknesses. The fifth section elaborates on
less secure and the radio transmission is by nature the current research activities on the GPRS security
more susceptible to eavesdropping and fraud in and the sixth section presents the conclusions.
use than wire-line transmission. In addition, users’
mobility and the universal access to the network
imply higher security risks compared to those gPrs nEtwork ArcHItEcturE
encountered in fixed networks. In order to meet
security objectives, GPRS uses a specific security The network architecture of GPRS (3GPP TS 03.6,
architecture, which aims at protecting the network 2002) is presented in Figure 1. A GPRS user owns
against unauthorized access and the privacy of a mobile station (MS) that provides access to the
users. This architecture is mainly based on the wireless network. From the network side, the base
security measures applied in GSM, since the GPRS station subsystem (BSS) is a network part that is
system is built on the GSM infrastructure. responsible for the control of the radio path. BSS
Based on the aforementioned consideration, consists of two types of nodes: the base station
the majority of the existing literature on security controller (BSC) and the base transceiver station
in 2.5G systems refers to GSM (Mitchell, 2001; (BTS). BTS is responsible for the radio coverage
Pagliusi, 2002). However, GPRS differs from of a given geographical area, while BSC maintains
GSM in certain operational and service points, radio connections towards MSs and terrestrial
which require a different security analysis. This connections towards the fixed part of the network
is because GPRS is based on IP, which is an open (core network).
and wide deployed technology that presents many The GPRS core network (CN) uses the network
vulnerable points. Similarly to IP networks, intrud- elements of GSM such as the home location regis-
ers to the GPRS system may attempt to breach ter (HLR), the visitor location register (VLR), the
the confidentiality, integrity, or availability, or authentication centre (AuC) and the equipment
otherwise attempt to abuse the system in order to identity register (EIR). HLR is a database used
compromise services, defraud users, or any part for the management of permanent data of mobile
of it. Thus, the GPRS system is more exposed to users. VLR is a database of the service area visited
intruders compared to GSM. by an MS and contains all the related information
This chapter presents the security architecture required for the MS service handling. AuC main-
employed in 2.5G mobile systems focusing on tains security information related to subscribers
GPRS. More specifically, the security measures identity, while EIR maintains information related
applied to protect the mobile users, the radio ac- to mobile equipments’ identity. Finally, the mobile
cess network, the fixed part of the network, and the service switching centre (MSC) is a network ele-
related data of GPRS are presented and analyzed ment responsible for circuit-switched services (e.g.,
in details. This analysis reveals the security weak- voice call) (3GPP TS 03.6, 2002).
nesses of the applied measures that may lead to As presented previously, GPRS reuses the ma-
the realization of security attacks by adversaries. jority of the GSM network infrastructure. However,
These attacks threaten network operation and data in order to build a packet-oriented mobile network
transfer through it, compromising end users and some new network elements (nodes) are required,
network security. To defeat the identified risks, which handle packet-based traffic. The new class
current research activities on the GPRS security of nodes, called GPRS support nodes (GSN), is
propose a set of security improvements to the ex- responsible for the delivery and routing of data
isting GPRS security architecture. The rest of this packets between an MS and an external packet
chapter is organized as follows. The next section data network (PDN). More specifically, a serving
Security in 2.5G Mobile Systems
cn
gi
Auc
ggsn
Pstn H
gc
d Hlr gr gn
g Msc
f EIr gf sgsn gp
E vlr
A gb
bss
bsc
Abis Abis
bts bts
um
Ms
GSN (SGSN) is responsible for the delivery of data gPrs sEcurIty ArcHItEcturE
packets from, and to, an MS within its service area.
Its tasks include packet routing and transfer, mo- In order to meet security objectives, GPRS em-
bility management, logical link management, and ploys a set of security mechanisms that constitutes
authentication and charging functions. A gateway the GPRS security architecture. Most of these
GSN (GGSN) acts as an interface between the mechanisms have been originally designed for
GPRS backbone and an external PDN. It converts GSM, but they have been modified to adapt to
the GPRS packets coming from the SGSN into the packet-oriented traffic nature and the GPRS
the appropriate packet data protocol (PDP) format network components. The GPRS security archi-
(e.g., IP), and forwards them to the corresponding tecture, mainly, aims at two goals: (1) to protect
PDN. Similar is the functionality of GGSN in the the network against unauthorized access, and (2)
opposite direction. The communication between to protect the privacy of users. It includes the fol-
GSNs (i.e., SGSN and GGSN) is based on IP tunnels lowing components (GSM 03.20, 1999):
through the use of the GPRS tunneling protocol
(GTP) (3GPP TS 09.60, 2002). • Subscriber identity module (SIM)
• Subscriber identity confidentiality
• Subscriber identity authentication
Security in 2.5G Mobile Systems
• User data and signaling confidentiality be- The subscriber identity confidentiality is mainly
tween the MS and the SGSN achieved by using a temporary mobile subscriber
• GPRS backbone security identity (TMSI) (3GPP TS 03.03, 2003; GSM
03.20, 1999), which identifies the mobile user in
subscriber Identity Module (sIM) both the wireless and wired network segments. The
TMSI has a local significance and thus it must be
The subscription of a mobile user to a network is accompanied by the routing area identity (RAI) in
personalized through the use of a smart card named order to avoid confusions. The MS and the serving
SIM (ETSI TS 100 922, 1999). Each SIM card is VLR and SGSN only know the relation between
unique and related to a user. It has a microcom- the active TMSI and the IMSI. The allocation of
puter with a processor, ROM, persistent EPROM a new TMSI corresponds implicitly for the MS to
memory, volatile RAM, and an I/O interface. the de-allocation of the previous one. When a new
Its software consists of an operating system, file TMSI is allocated to the MS, it is transmitted to
system, and application programs (e.g., SIM ap- it in a ciphered mode. The MS stores the current
plication toolkit). The SIM card is responsible for TMSI and the associated RAI in a non-volatile
the authentication of the user by prompting for a memory, so that these data are not lost when the
code (PIN), the identification of the user to a net- MS is switched off.
work through keys, and the protection of user data Further to the TMSI, a temporary logical link
through cryptography. To achieve these functions identity (TLLI) (3GPP TS 03.03, 2003) identifies
it contains a set of security objects including: also a GPRS user on the radio interface of a rout-
ing area. Since the TLLI has a local significance,
• A (4-digit) PIN code, which is used to lock when it is exchanged between the MS and the
the card preventing misuse; SGSN, it should be accompanied by the RAI. The
• A unique permanent identity of the mobile TLLI is either derived from the TMSI allocated by
user, named international mobile subscriber the SGSN or built by the MS randomly and thus,
identity (IMSI) (3GPP TS 03.03, 2003); provides identity confidentiality. The relationship
• A secret key, Ki, (128 bit) that is used for between the TLLI and the IMSI is only known in
authentication; and the MS and in the SGSN.
• An authentication algorithm (A3) and an
algorithm that generates encryption keys subscriber Identity Authentication
(A8) (GSM 03.20, 1999).
A mobile user that attempts to access the network
Since the SIM card of a GSM/GPRS subscriber must first prove his/her identity to it. User authen-
contains security critical information, it should tication (3GPP TS 03.6, 2002) protects against
be manufactured, provisioned, distributed, and fraudulent use and ensures correct billing. GPRS
managed in trusted environments. uses the authentication procedure already defined
in GSM with the same algorithms for authentication
Subscriber Identity Confidentiality and generation of encryption key, and the same
secret key, Ki, (see Figure 2). However, from the
The subscriber identity confidentiality deals with network side, the whole procedure is executed by
the privacy of the IMSI and the location of a mobile the SGSN (instead of the BS) and employs a dif-
user. It includes mechanisms for the protection of ferent random number (GPRS-RAND) and thus,
the permanent identity (IMSI) when it is trans- it produces a different signed response (GPRS-
ferred in signaling messages, as well as measures SRES) and encryption key (GPRS-Kc) than the
that preclude the possibility to derive it indirectly GSM voice counterpart.
from listening to specific information, such as To achieve authentication of a mobile user,
addresses, at the radio path. the serving SGSN must possess security-related
Security in 2.5G Mobile Systems
ki ki
A3 A3
Authentication response (GPRS-SRES) ? check
ki
A8 A8
ki
sIM
gPrs-kc
gPrs-kc
data
A5 Protected data A5
data
fixed network of a
gPrs operator
information for the specific user. This information ing algorithm (GPRS-A5) (3GPP TS 01.61, 2001),
is obtained by requesting the HLR/AuC of the which is also referred to as GPRS encryption
home network that the mobile user is subscribed. algorithm (GEA) and is similar to the GSM A5.
It includes a set of authentication vectors, each Currently, there are three versions of this algo-
of which includes a random challenge (GPRS- rithm: GEA1, GEA2, and GEA3 (that is actually
RAND), the related signed response (GPRS-SRES), A5/3), which are not publicly known and thus, it
and the encryption key (GPRS-Kc) for the specific is difficult to perform attacks on them. The MS
subscriber. The authentication vectors are produced device (not the SIM-card) performs GEA using
by the home HLR/AuC using the secret key Ki of the encryption key (GPRS-Kc), since it is a strong
the mobile subscriber. algorithm that requires relatively high processing
During authentication the SGSN of the serv- capabilities. From the network side, the serving
ing network sends the random challenge (GPRS- SGSN performs the ciphering/deciphering func-
RAND) of a chosen authentication vector to the tionality protecting signaling and user data over
MS. The latter encrypts the GPRS-RAND by using the Um, Abis, and Gb interfaces.
the A3 hash algorithm, which is implemented in During authentication the MS indicates which
the SIM card, and the secret key, Ki. The first 32 version(s) of the GEA supports and the network
bits of the A3 output are used as a signed response (SGSN) decides on a mutually acceptable version
(GPRS-SRES) to the challenge (GPRS-RAND) and that will be used. If there is not a commonly accept-
are sent back to the network. The SGSN checks ed algorithm, the network (SGSN) may decide to
if the MS has the correct key, Ki, and, then, the release the connection. Both the MS and the SGSN
mobile subscriber is recognized as an authorized must cooperate in order to initiate the ciphering
user. Otherwise, the serving network (SN) rejects over the radio access network. More specifically,
the subscriber’s access to the system. The remaining the SGSN indicates whether ciphering should be
64 bits of the A3 output together with the secret used or not (which is also a possible option) in
key, Ki, are used as input to the A8 algorithm that the Authentication Request message, and the MS
produces the GPRS encryption key (GPRS-Kc). starts ciphering after sending the Authentication
Response message (see Figure 2).
data and signalling Protection GEA is a symmetric stream cipher algorithm
(see Figure 3) that uses three input parameters
User data and signaling protection over the GPRS (GPRS-Kc, INPUT, and DIRECTION) and pro-
radio access network is based on the GPRS cipher- duces an OUTPUT string, which varies between 5
Security in 2.5G Mobile Systems
GPRS-Kc GPRS-Kc
CIPHER CIPHER
ALGORITHM ALGORITHM
OUTPUT OUTPUT
SGSN/MS MS/SGSN
and 1,600 bytes. GPRS-Kc (64 bits) is the encryp- signaling exchange in GPRS is mainly based on
tion key generated by the GPRS authentication the signaling system 7 (SS7) technology (3GPP TS
procedure and is never transmitted over the radio 09.02, 2004), which does not support any security
interface. The input (INPUT) parameter (32 bits) measure for the GPRS deployment. Similarly, the
is used as an additional input so that each frame GTP protocol that is employed for communication
is ciphered with a different output string. This between GSNs does not support security. Thus,
parameter is calculated from the logical link con- user data and signaling information in the GPRS
trol (LLC) frame number, a frame counter, and a backbone network are conveyed in cleartext expos-
value supplied by the SGSN called the input offset ing them to various security threats. In addition,
value (IOV). The IOV is set up during the negotia- inter-network communications (between different
tion of LLC and layer 3 parameters. Finally, the operators) are based on the public Internet, which
direction bit (DIRECTION) specifies whether the enables IP spoofing to any malicious third party
output string is used for upstream or downstream who gets access to it. In the sequel, the security
communication. measures applied to the GPRS backbone network
After the initiation of ciphering, the sender (MS are presented.
or SGSN) processes (bit-wise XOR) the OUTPUT The responsibility for security protection of
string with the payload (PLAIN TEXT) to produce the GPRS backbone as well as inter-network com-
the CIPHERED TEXT, which is sent over the radio munications belongs to mobile operators. They
interface. In the receiving entity (SGSN or MS), utilize private IP addressing and network address
the original PLAIN TEXT is obtained by bit-wise translation (NAT) (Srisuresh & Holdrege, 1999) to
XORed the OUTPUT string with the CIPHERED restrict unauthorized access to the GPRS backbone.
TEXT. When the MS changes SGSN, the encryp- They may also apply firewalls at the borders of the
tion parameters (e.g., GPRS-Kc, INPUT) are GPRS backbone network in order to protect it from
transferred from the old SGSN to the new SGSN, unauthorized penetrations. Firewalls protect the
through the (inter) routing area update procedure network by enforcing security policies (e.g., user
in order to guarantee service continuity. traffic addressed to a network element is discarded).
Using security policies the GPRS operator may
gPrs backbone security ensure that only traffic initiated from the MS and
not from the Internet should pass through a firewall.
The GPRS backbone network includes the fixed This is done for two reasons: (1) to restrict traffic in
network elements and their physical connections order to protect the MS and the network elements
that convey user data and signaling information. from external attacks; and (2) to protect the MS
Security in 2.5G Mobile Systems
Security in 2.5G Mobile Systems
inputs and produces a hash output of 12 bytes (96 the involved end users (humans) are not informed
bits). While the actual specification of COMP128 whether their sessions are encrypted or not.
was never made public, the algorithm has been As encryption over the radio interface is op-
reverse engineered and cryptanalyzed (Barkan, tional, the network indicates to the MS whether
Biham, & Neller, 2003). Thus, knowing the secret and which type(s) of encryption it supports in
key, Ki, it is feasible for a third party to clone a the authentication request message, during the
GSM/GPRS SIM-card, since its specifications are GPRS authentication procedure. If encryption is
widely available (ETSI TS 100 922, 1999). activated, the MS start ciphering after sending the
Τhe last weakness of the GPRS authentication authentication response message and the SGSN
procedure is related to the network ability of re- starts ciphering/deciphering when it receives a
using authentication triplets. Each authentication valid authentication response message from the
triplet should be used only in one authentication MS. However, since these two messages are not
procedure in order to avoid man-in-the-middle protected by confidentiality and integrity mecha-
and replay attacks. However, this depends on the nisms (data integrity is not provided in the GPRS
mobile network operator (home and serving) and radio interface except for traditional non-crypto-
cannot be checked by mobile users. When the VLR graphic link layer checksums), an adversary may
of a serving network has used an authentication mediate in the exchange of authentication messages.
triplet to authenticate an MS, it shall delete the The results of this mediation might be either the
triplet or mark it as used. Thus, each time that the modification of the network and the MS capabili-
VLR needs to use an authentication triplet, it shall ties regarding encryption, or the suppression of
use an unmarked one, in preference to a marked. encryption over the radio interface.
If there is no unmarked triplet, then the VLR shall
request fresh triplets from the home HLR. If fresh gPrs backbone
triplets cannot be obtained, because of a system
failure, the VLR may reuse a marked triplet. Thus, Based on the analysis of the GPRS security archi-
if a single triplet is compromised, a false BS can tecture (see the GPRS security architecture section)
impersonate a genuine GPRS network to the MS. it can be perceived that the GPRS security does
Moreover, as the false BS has the encryption key, not aim at the GPRS backbone and the wire-line
Kc, it will not be necessary for the false BS to connections, but merely at the radio access net-
suppress encryption on the air interface. As long work and the wireless path. Thus, user data and
as the genuine SGSN is using the compromised signaling information conveyed over the GPRS
authentication triplet, an attacker could also im- backbone may experience security threats, which
personate the MS and obtain session calls that are degrade the level of security supported by GPRS.
paid by the legitimate subscriber. In the following, the security weaknesses of the
GPRS security architecture that are related to the
data and signalling Protection GPRS backbone network for both signaling and
data plane are presented and analyzed.
An important weakness of the GPRS security
architecture is related to the fact that the encryp- Signaling Plane
tion of signalling and user data over the highly
exposed radio interface is not mandatory. Some As mentioned previously, the SS7 technology used
GPRS operators, in certain countries, never switch for signaling exchange in GPRS does not support
on encryption in their networks, since the legal security protection. Until recently, this was not
framework in these countries do not permit that. perceived to be a problem since SS7 networks
Hence, in these cases signaling and data traffic are belonged to a small number of large institutions
conveyed in cleartext over the radio path. This situ- (telecom operator). However, the rapid deploy-
ation is becoming even more risky from the fact that ment of mobile systems and the liberalization of
Security in 2.5G Mobile Systems
the telecommunication market have dramatically protection of users’ data in the fixed segment of the
increased the number of operators (for both fixed GPRS network mainly relies on two independent
and mobile networks) that are interconnected and complementary technologies, which are not
through the SS7 technology. This fact provokes a undertaken by GPRS but from the network opera-
significant threat to the GPRS network security, tors. These technologies include: (1) firewalls that
since it increases the probability of an adversary to enforce security policies to a GPRS core network
get access to the network or a legitimate operator that belongs to an operator; and (2) pre-configured
to act maliciously. VPNs that protect specific network connections.
The lack of security measures in the SS7 tech- However, firewalls were originally conceived to
nology used in GPRS results also in the unprotected address security issues for fixed networks and thus
exchange of signaling messages between a VLR are not seamlessly applicable in mobile networks.
and a VLR/HLR, or a VLR and other fixed net- They attempt to protect the cleartext transmit-
work nodes. Although these messages may include ted data in the GPRS backbone from external
critical information for the mobile subscribers attacks, but they are inadequate against attacks
and the networks operation like ciphering keys, that originate from malicious mobile subscribers
authentication data (e.g., authentication triplets), as well as from network operator personnel or
user subscription data (e.g., IMSI), user billing data, any other third party that gets access to the GPRS
network billing data, and so forth, they are conveyed core network. Another vital issue regarding the
in a cleartext within the serving network as well as deployment of firewalls in GPRS has to do with
between the home network and the serving network. the consequences of mobility. The mobility of a
For example, the VLR of a serving network may user may imply roaming between networks and
use the IMSI to request authentication data for a operators, which possibly results in the changing
single user from its home network, and the latter of the user address. This fact in conjunction with
forwards them to the requesting VLR without any the static configuration of firewalls may poten-
security measure. Thus, the exchanges of signaling tially lead to discontinuity of service connectivity
messages, which are based on SS7, may disclose for the mobile user. Moreover, in some cases the
sensitive data of mobile subscribers and networks, security value of firewalls is considered limited
since they are conveyed over insecure network as they allow direct connection to ports without
connections without security precautions. distinguishing services.
Similarly to firewalls, the VPN technology fails
Data Plane to provide the necessary flexibility required by
typical mobile users. Currently, VPNs for GPRS
Similarly to the signaling plane, the data plane of subscribers are established in a static manner
the GPRS backbone presents significant security between the border gateway of a GPRS network
weaknesses, since the introduction of IP technology and a remote security gateway of a corporate
in the GPRS core shifts towards open and easily private network. This fact allows the realization
accessible network architectures. In addition, the of VPNs only between a security gateway of a
data encryption mechanism employed in GPRS large organization and a mobile operator, when
does not extend far enough towards the core net- a considerable amount of traffic requires protec-
work, also resulting in a cleartext transmission of tion. Thus, this scheme can provide VPN services
user data in it. Thus, a malicious user, which gains neither to individual mobile users that may require
access to the network, may either obtain access to on demand VPN establishment, nor to enterprise
sensitive data traffic or provide unauthorized/in- users that may roam internationally. In addition,
correct information to mobile users and network static VPNs have to be reconfigured every time the
components. As presented previously, the security VPN topology or VPN parameters change.
Security in 2.5G Mobile Systems
0
Security in 2.5G Mobile Systems
the incorporation of the network domain security the realization of security attacks that threaten net-
(NDS) features (Xenakis, 2006; Xenakis & Mera- work operations and data transfer through it. These
kos, 2004) into the GPRS security architecture. weaknesses are related to: (1) the compromise of the
NDS features, which have been designed for the confidentiality of subscriber’s identity, since it may
latter version of UMTS, ensure that signaling ex- be conveyed unprotected over the radio interface;
changes in the backbone network as well as in the (2) the inability of the authentication mechanism to
whole wire-line network are protected. For signal- perform network authentication; (3) the possibil-
ing transmission in GPRS the SS7 and IP protocol ity of using COMP128 algorithm (which has been
architectures are employed, which incorporate the cryptoanalyzed) for A3 and A8 implementations;
mobile application part (MAP) (3GPP TS 09.02, (4) the ability of reusing authentication triplets;
2004) and the GTP protocol (3GPP TS 09.60, (5) the possibility of suppressing encryption over
2002), respectively. In NDS both architectures are the radio access network or modifying encryption
designed to be protected by standard procedures parameters; and (5) the lack of effective security
based on existing cryptographic techniques. Spe- measures that are able to protect signaling and
cifically, the IP-based signaling communications user data transferred over the GPRS backbone
will be protected at the network level by means network. To defeat some of these risks, a set of se-
of the well-known IPsec suite (Kent & Atkinson, curity improvements to the existing GPRS security
1998). On the other hand, the realization of pro- architecture may be incorporated. Additionally,
tection for the SS7-based communications will be some complementary security measures, which
accomplished at the application layer by employing have been originally designed for fixed network
specific security protocols (Xenakis & Merakos, and aim at enhancing the level of security that
2004). However, until now only the MAP protocol GPRS supports, may be applied.
from the SS7 architecture is designed to be pro-
tected by a new security protocol named MAPsec
(3GPP TS 33.200 2002). AcknowlEdgMEnt
Security in 2.5G Mobile Systems
Security in 2.5G Mobile Systems
Second Generation (2G): 2G is a short for sec- Subscriber Identity Module (SIM): SIM is a
ond-generation wireless telephone technology. removable smart card for mobile phones that stores
network specific information used to authenticate
Second and a Half Generation (2.5G): 2.5G
and identify subscribers on the network.
is used to describe 2G systems that have imple-
mented a packet-switched domain in addition to Temporary Mobile Subscriber Identity
the circuit-switched domain. (TMSI): TMSI is a randomly allocated number
that is given to the mobile the moment it is switched
Signaling System 7 (SS7): SS7 is a set of te-
on and serves as a temporary identity between the
lephony signaling protocols which are used to set
mobile and the network.
up the vast majority of the world’s public switched
telephone network telephone calls.
Chapter XXIII
End-to-End Security
Comparisons Between IEEE
802.16e and 3G Technologies
Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada
AbstrAct
Security measures of mobile infrastructures have always been important from the early days of the
creation of cellular networks. Nowadays, however, the traditional security schemes require a more
fundamental approach to cover the entire path from the mobile user to the server. This fundamental ap-
proach is so-called end-to-end (E2E) security coverage. The main focus of this chapter is to discuss such
architectures for IEEE 802.16e (Mobile-WiMAX) and major third generation (3G) cellular networks.
The E2E implementations usually contain a complete set of algorithms, protocol enhancements (mutual
identification, authentications, and authorization), including the very large-scale integration (VLSI)
implementations. This chapter discusses various proposals at the protocol level.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
The management of the sections is as fol- • Data integrity: This guarantees that the
lows: the next section will discuss details about data received has not been altered by an un-
the ultimate security features attributed to 3G authorized entity. One method of doing this
technologies. The GSM section will discuss the is through the application of a hash function
security weakness in GSM’s initial draft and the to the data stream
E2E solution to overcome its weakness. The fourth • Security between networks: Networks are
and fifth sections talk about GPRS and CDMA interconnected using secure wired links,
respectively. The Mobile-WiMAX section opens mainly using IPSec tunneling mechanism.
the discussion on 802.16e, the candidate for the • Secure international mobile subscriber
4G wireless systems, which contains the security identity (IMSI) usage: The first-time user
weakness of 802.16e’s initial draft and the E2E is assigned an initial IMSI number by the
solution. A thorough comparison and references home network.
will be given in the last two sections. • Stronger security scope: Security is based
within the radio network controller (RNC)
objEctIvEs of sEcurIty rather than the base station (BS). An RNC
fEAturEs for 3g/MobIlE-wIMAx is responsible for controlling and managing
the multiple BSs including the utilization of
Before discussing security weaknesses of indi- radio network services.
vidual 3G technologies, we briefly discuss the • User- and mobile-station authentication
objective of 3G security features. These features schemes: Both user and mobile station share
are (Campbell, Mckunas, Myagmar, Gupta, & a secret common key, which is called the PIN.
Briley, 2002): This is used for authentication.
• Secure services: These services protect
• Mutual authentication: Authentication is the infrastructure against usage and access
a method to verify that the claimed identity misuses.
of an entity is genuine. Authentication is • Security in applications: This is critical for
a fundamental security service and other mobile-based application security.
necessary services often depend on proper • Fraud detection: Mechanisms to detect and
authentication. Many protocols offer a one- combat fraud in roaming situations.
way authentication. That is, only the client • Flexibility: As technologies evolve, secu-
has to authenticate itself to the server and the rity features are extended and enhanced as
server is not required to authenticate itself to required by new services and threats.
the client. A one-way authentication is prone • Service availability and configurability:
to an attack, so-called; impersonation, in Users are to be notified whether security is
which an illegitimate entity could pose as a on and the available level of security.
legitimate one and start a new communica- • Multiple cipher and integrity algorithms:
tion with another legitimate entity or take The mobile user and the network negotiate
control an already started conversation. A and agree on the best available cipher and
two-way authentication scheme (mutual integrity algorithms (e.g., KASUMI).
authentication) resolves impersonation at- • Lawful interception: Mechanisms should be
tack. An E2E security scheme uses a bal- provided to authorize agencies with certain
anced mutual authentication technique. A necessary information about subscribers.
balanced technique requires equal effort by • GSM compatibility: GSM subscribers
both entities for authenticate themselves to should be able to roam in 3G networks and
other entities. This decreases the chance of cope with the extended security needed via
attacker’s success GSM security context.
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
Figure 2: GSM authentication, cipher key generation, and encryption (Adapted from Pagliusi, 2002)
Figure 3. Authentication and encryption in GSM system (Adapted from Pagliusi, 2002)
In this section, the weaknesses associated to GSM Figure 1 shows the GSM system overview. The
security systems (Pagliusi, 2002) are discussed and principles behind GSM security scheme are:
the E2E security proposals are considered.
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
• Subscriber identity confidentiality scheme, camera flashbulb. These types of attacks are
• Subscriber identity authentication scheme called optical fault induction. Another type
(Figure 2), of attack, which is performed on the execu-
• Stream ciphering of user traffic and user- tion of COMP128 table lookups is called
related control data schemes; and partitioning attacks.
• Using subscriber identity module (SIM) as a • False BS: GSM provides a unilateral authen-
security module scheme. tication (one-way). Because of the unbalanced
nature, this allows attacks (such as man-in-
Figure 2 shows the GSM authentication scheme the-middle (MITM) attack) where a malicious
in which three algorithms (A3, A5, and A8) are third party masquerades as a BS to one or
used for authentication, key generation, and encryp- more mobile stations.
tion. The detailed authentication and encryption
schemes for GSM are shown in Figure 3, where E2E scheme for gsM
A3 (authentication algorithm), A8 (stream cipher),
and A5 (key agreement algorithm) are performed The security concerns for GSM could be addressed
in the mobile station and the key is verified in the in an E2E fashion. There are two major concerns
public land mobile network (PLMN). in the current GSM structure that prevent the
E2E communication, one is the fact that authen-
gsM security Attacks tication is one way (A3/A8) and the fact that data
is exposed and unprotected in certain areas. To
The security attacks associated to GSM architec- prevent these flaws and pave the path to go E2E,
ture are (Pagliusi, 2002): a strong user authentication along with complete
path encryption are proposed (Aydemir & Selcuk,
• SIM/Mobile Equipment (ME) interface: 2005; Mynttinen, 2000).
The SIM/ME interface is unprotected and can
be tapped using an unauthorized device. strong user Authentication
• Attacks on the algorithms A3/A8/(A5/1):
Both A3 and A8 heavily reply on the A strong authentication protocol is achieved
COMP128 authentication algorithm, which through user-based rather than device-based. The
have been cryptanalyzed allowing the recov- GSM authentication algorithm contains three fun-
ery of shared master key leading to device damental entities in a session (Pagliusi, 2002):
cloning. A5/1 has also been attacked by
Biryukov and Shamir (Pagliusi, 2002). • The mobile subscriber (MS)
• One-way authentication: A3 is a one way • The visiting location register (VLR)
operator-dependent stream-cipher function. • The home location register (HLR)
Therefore its functionality suffers from being
unbalanced The initial draft of GSM states for the authen-
• Unprotected signaling: Though nearly all tication scheme to use a cryptographic authentica-
communications between the MS and the tion key embedded in the SIM card of the device.
BS are encrypted, however in the fixed net- Through the GSM user authentication protocol
works and between GSM central networks, (GUAP) approach (Aydemir & Selcuk, 2005), the
all the communications and signaling are not user can authenticate himself/herself through a
protected as they are in plaintext most of the password instead of the embedded hard-coded
time key, which breaks the dependency of the SIM
• Attack on SIM card: Interruption could card during authentication. The GUAP is based
occur on the operation of the smart card’s on three entities and in many cases the third entity
microprocessor by exposing it to an electronic is a trusted server whose public key is known by
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
Figure 4. The GUAP scheme (Adapted from Aydemir & Selcuk, 2005)
1. MS → VLR: IMSI
2. VLR → MS: RAND
3. MS → VLR: {n1, n2, n3, {RAND}Π }K HLR, ra
4. VLR → HLR: {n1, n2, n3, {RAND}Π }K HLR, {RAND} KVLR
5. HLR → VLR: {k} KVLR, {n1, n2 ⊕ k}Π
6. VLR → MS: {n1, n2 ⊕ k}Π, {ra}k, rb
7. MS → VLR: {rb}k
all parties. GSM doesn't include synchronized mechanism, such as; TLS, can be used to provide
clocks, therefore authentication timestamps are the required protection. Therefore it is fair to say
not allowed. This can be remedied through the that the required confidentiality and integrity can
usage of random nonces. According to Figure 4, be guaranteed. However, non-repudiation prop-
through VLR, MS is being authenticated to HLR erty cannot be achieved using this solution. The
through the usage of the Π password. The HLR remedy to this problem, a digital signature can be
public key, K HLR, is known to all parties, and KVLR used in the transaction data, which is able to sup-
is the symmetric encryption key shared among the port integrity and non-repudiation functions. All
VLR and the HLR. The GUAP protocol is being WAP clients need to have access to digital keys
depicted in Figure 4. for this to work.
In regards to GSM authentication, the GUAP's
main goal is to break SIM card's dependency for gPrs
added user flexibility. The GUAP's design includes
considerations of the MS's computational restric- GPRS is a data-network-based architecture, which
tions. It also includes provisioning of the VLR is designed in such a way to integrate well with
authentication to both MS and HLR. existing GSM offering MSs “always connected”
packet-switched data services. This includes con-
E2E security of Mobile data in gsM nections to corporate networks and to the Internet.
Figure 5 shows a MS logically attached to a serv-
In this approach, the E2E security scheme of ing GPRS support node (SGSN) (“GPRS Security
mobile data in GSM is considered. It focuses on Threats and Solutions,” 2002).The SGSN's main
wireless application protocol (WAP) security, functionality is to provide data services to the MS.
which can be broken. The data path protection Through the GPRS tunneling protocol (GTP), the
in WAP is especially important for voice over SGSN can logically be connected to the gateway
IP (VoIP) applications. For this purpose, WAP GPRS support node (GGSN). The GTP provides
Transport Layer E2E Security is proposed. The logical connection among the roaming partners of
E2E security for WAP transport layer is a speci- SGSN and GGSN.
fication provided by WapForum for supporting GPRS was introduced as a packet service,
WAP E2E security by allowing the WAP clients to which provides E2E IP connectivity with similar
establish a straight wireless transport layer security security options as in GSM. GPRS uses the same
(WTLS) connection with the WAP-based gateway. A3/A8 algorithms, which is used in GSM but the
This gateway no longer encrypts and decrypts the randomization function is slightly different. The
traffic meant for the content-provider's 3rd party. three GPRS encryption algorithms are GEA1,
Thus a malicious node is not able to cause prob- GEA2, and GEA3, which is A5/3.
lems for the data's confidentiality and integrity. A
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
Figure 5. GPRS architecture (Adapted from “GPRS Security Threats and Solutions,” 2002)
Security services provided by GPRS are protec- Before one can discuss the details about security,
tions against attacks and providing the following it is necessary to discuss the entities related in the
assurances: data path. There are two main interfaces used in
GPRS; Gp and Gi. Gp interface is a logical con-
• Integrity: Integrity is an assurance that data nection among PLMNs. The protocols that deal
is not altered in an unauthorized manner. directly with Gp are:
• Confidentiality: Confidentiality is protecting
data from disclosure to third parties. • GTP: The logical connection among the
• Authentication: Authentication provides roaming partners of SGSN and GGSN.
assurance that all communication parties are • Boarder gateway protocol (BGP): BGP
really the ones who they claim to be. provides routing for between interfaces.
• Authorization: Authorization is a service, • Dynamic name system (DNS): DNS is a
which ensures that only legitimate entities service that translates Internet domain names
are allowed to take part in any communica- and computer hostnames to IP addresses.
tions.
• Availability: Availability means that com- The GTP provides logical connection among
munication parties and data services are the roaming partners of SGSN and GGSN. If this
available and usable by any other parties in connection is within the same PLMN, this is called
wireless range. the Gn interface. If the connection is between
two different PLMNs, then it is known as the Gp
interface. The Gp and the Gi interfaces are the
initial and fundamental points of interconnection
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
between the operator’s main network and untrusted rithm is implemented in the ME. Figure 6 (Kitsos,
external networks. Sklavos, & Koufopavlou, 2004), shows the block
diagram of the GPRS security in the MS. The key
threats in gPrs Ki is 128 bits long.
Figure 6. GPRS security block diagram (Adapted from Kitsos, Sklavos, & Koufopavlou, 2004)
0
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
customer authentication; and secure remote access server. Users are authenticated through the usage
with IP Security Protocol (IPSec). Specific steps of the challenge handshake authentication protocol
in the E2E security follow. (CHAP) via the packet data serving node-authen-
tication authorization accounting (PDSN-AAA)
subscriber Authentication server. CHAP is a strong Internet authentication
protocol that is leveraged in the wireless network
The key feature control mechanism is to protect to verify identity.
the infrastructure and to prevent unauthorized
access to network resources. The CDMA’s access Packet core
authentication is performed via an 18-bit authen-
tication signature, which is verified via the user In CDMA architecture, the packet data network
information of the network’s database, the HLR supports:
and authentication center. CDMA is equipped with
over the air service provisioning (OTASP), which is • Subscriber stateful firewall (SSF):
the ability of the signal’s carrier to add new types SSF protects both subscriber or
of services to a customer’s handset and provision operator’s infrastructure traffic
it via wireless network instead of requiring the • Ingress anti-spoofing (IAS): IAS
customer to bring the phone to a carrier’s location prevents any malicious entity from
for reprogramming. The 1xEV-DO uses the same launching attacks based on forged
512-bit algorithm in OTASP for exchanging keys source IP addresses.
among the mobile device and the access node-au- • Filters and virus protection
thentication authorization accounting (AN-AAA) services: Protects servers from viral
infections.
Figure 8. Nortel’s threat protection system (TPS) (Adapted from “CDMA end-to-end security; Position-
ing paper,” 2005)
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
• Layered protection: TCP/IP layer to packets are analyzed to pin-point threats. This is
application layer deep packet filtering done at the Defense Center and rules updates are
and inspection. automatically transmitted real-time to firewalls for
• On-board lawful intercept: For blocking new detected threat. The Defense Center
meeting regulatory security requirements provides threat analysis along with policy manage-
• Traffic steering: Services, such as; content ment and control. It also includes: traps and trace
filtering and server protections against mali- capabilities, reports, and event database. It also
cious software. supports a centralized management for hierarchi-
• Deep packet inspection: Including applica- cal sensors grouping.
tion layers down to TCP/IP layer.
End Point compliance
Transport Security (Protecting Traffic End points, either MS, BS, or the management
in transit) consoles could be potential sources of threats.
These end-points may be infected with viruses or
This is for protecting the MS or in a layered-se- worms, which in case they are allowed to connect
curity defense mechanism. This offers coverage to the wireless network, may become the source of
on virtual private network (VPN) protocols, an attack. Unprotected end points can carry DoS
IPSec, and secure socket layer (SSL). IPSec VPN or distributed DoS attacks. Nortel VPN Tunnel
provides encryption, authentication protection at Guard is said to provide a security solution capable
the IP layer, which protects all IP application/data of enforcing on both managed (IPSec/SSL) and
traffic. SSL VPN provides secure communications unmanaged SSL endpoints.
for the Web application. Nortel Networks claims to
be the first vendor to offer support for both VPN
technologies in a single and unique platform. SSL MobIlE-wIMAx (IEEE 802.16E)
VPNs provide security above the TCP/IP layer, thus
ensuring compatibility with existing network ad- Mobile-WiMAX was introduced in 2004 and it
dress translation (NAT) services and other firewall is designed to cover a 10-mile range for a data
configurations and proxy settings. bandwidth of up to 15 MBps. Mobile-WiMAX’s
security mechanisms claim to have covered the
Perimeter security (Ps) holes in Wi-Fi. These security measures include
(“Part 16: Air Interface for Fixed and Mobile
According to Figure 8, Nortel Networks claims to Broadband Wireless Access Systems,” 2004):
have introduced the threat protection system (TPS)
using Snort-basedTM intrusion detection system, • Data over cable service interface specifica-
which is complex but easy to use. This is based tion for baseline privacy +interface (DOC-
on the Perimeter security systems, which have SIS BPI+) for the interoperability equipment
been around for quite some time and are generally certification and device data privacy
referred to as a firewall. • Privacy key management for extensible
A rule-based, deep-packet inspection method authentication protocol (PKM-EAP),
is the heart of the TPS Intrusion Sensor, which which is one of the requirements for an E2E
examines the protocol and data fields on the incom- authentication using TLS.
ing packets and checks for possible attack patterns. • Counter mode with cipher block chain-
The sensors are capable of detecting anomalies ing message authentication code protocol
such as: IP stack fingerprinting, port scan, denial (CCMP): Used for encryption using Ad-
of service (DoS) attack and address resolution vanced Encryption Standard (AES) and 3
protocol (ARP) spoofing. The incoming back Data Encryption Standard (DES).
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
Through PKM-EAP, a mechanism is provided to the other node. If authorized and authenticated,
by which both BS and MSS (Mobile Subscriber the ACK (acknowledgement) signal is sent back
Station) can mutually be authenticated and can and they are allowed to communicate. Together
establish a shared secret, which is called the with the ACK, the authorizing node provides the
"AAA-key". For completing the EAP-based au- node with the information of security associations
thentication integration into the 802.16e's protocol, (SAs) in which the node is authorized to access.
the following terms have to be defined ("Secure This suffers from variety of attacks, which are
Association Establishment for PKM-EAP" 2004), : described shortly.
(1) PKM authorization key (AK) establishment and To correct this issue, PKMv2 is deployed. This
installation, (2) MSS static Security Association has been shown in Figure 9 (Johnston, 2003). The
provisioning,and, (3) Ciphersuite signalling. issues with a one-way authentication are (Puthen-
kulam, Mandin, 2003) :
E2E security Enhancements
• It is prone to false BS attacks (base imper-
The heart of the authentication protocol for Mo- sonation).
bile-WiMAX is around the PKMv1. The only • It is also prone to MITM attacks.
issue about PKMv1 is that it offers a one-way • It only works when providers control all the
authentication. The PKMv1 protocol integrates devices.
AK and traffic encryption Key (TEK) exchange Other security enhancements required for an
processes. Two nodes perform authorization pro- E2E scheme are:
cess with one another in a one-way fashion, that
is, one node only sends the authorization signal • Bi-directional certification exchange: In
order to achieve an E2E security scheme, a
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
bi-directional certificate exchange for mutual thentication framework and the AES-CCM
authorization is required. This is achieved cipher suit will solve the problem.
by Rivest-Shamir-Adleman (RSA)-based • Security improvements suggestions: As a
mutual authorization based on PKMv2. summary, the following security improve-
• Support of key hierarchy: To support key ments are suggested for Mobile-WiMAX (as
hierarchy, Temporary Key Integrity Protocol well as 802.16d):
(TKIP) is used through utilization of the
master key (MK) and the pairwise master PKM requires mutual authentication
key (PMK) schemes. (PKMv2), necessary protections
• PKM and EAP messages protections: EAP against reply and a stronger than
has been known to cure security vulner- DES-CBC cipher suite.
abilities, such as in the lack of user identity Deployment models should include
protection and MITM attack. This requires additional security features for
enabling encryption and utilizing PKM EAP performance related issues (fast
messages for user authentication. To fix the roaming, etc).
previous problems, PKM messages should The current security models and
be bi-directional and EAP messages should solutions are not able to fully utilize
use a four-way handshaking scheme the core network AAA infra
• Weakness in the X.509 certificates: X.509 structures due to the very low PKI
certificate has the following issues: support.
A single X.509 credential has
Is restricted to certain business model limitations. To overcome this, it's
and flexibility is a major issue. recommended to use a flexible
Does not support user-based identity protocol, such as EAP, which
authentication, due to the fact that supports multiple user credentials.
devices and services are greatly A scalable security solution is
coupled, and required to be deployed into the
Trusting a certificate authority (CA) existing architecture and infrastruc-
could become a source of a new ture for 802.16e requirements.
attack.
• Poor IV construction: Initialization vectors E2E security Architecture
(IVs) often use similar and repetitive struc-
tures. Through traffic pattern analysis, IVs Figure 10 conceptually displays a client-server-
can easily be known and broken. to remedy based (i.e., VoIP) E2E AAA on 802.16 networks
this, more complex IV structures with high offering portability and fully mobile operations.
key-bits (at least 128-bites) is the remedy to The architecture is built around the three-party
this problem. protocol (PKM v2), as defined in 802.16e (Agis
• 802.16 key exchange issues: A 2-key 3DES et al., 2004).
based key wrap is currently the standard of Figure 10 shows that the over-the-air security
the initial draft for TEK exchange, which is association (authentication and encryption) is es-
not as strong (82bits) as the TEK keys (128 tablished through the PKM-EAP protocol. This is a
bits) it carries. There should be a mechanism complete client/server architecture, where EAP car-
to ensure that TEKs do not repeat for frequent ries the AAA backend connectivity using Radius
exchange of TEKs. This could suffer from or Diameter. EAP offers a strong support for key-
replay attacks, since there is no liveliness in driven cipher mechanisms (i.e., EAP-MSCHAPv2
the key exchange protocol and it also suffers and EAP-AKA). It is also recommended to use an
from MITM attacks. Adding EAP-TLS au- E2E tunneling protocol such as protected EAP
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
Pairwise Master Key (PMK): PMK is used in Virtual Private Network (VPN): VPN is a
peer-to-peer communication schemes for sharing a communications tunnel uses a pre-existing (and
master key that would last the entire session. This often unsecure, such as the Internet) network to
is mainly used for data encryption and integrity. connect a remote user to a corporate network. The
information is tunneled, encapsulated, and en-
Privacy Key Management (PKM): PKM is
crypted when passes through the unsecure network.
a private key scheme used with EAP and TLS
Once the information reaches the destination, it is
for providing E2E security schemes for wireless
decapsulated and decrypted.
technologies.
Worldwide Interoperability for Microwave
Third and Fourth Generation (3G/4G):
Access (WiMAX): WiMAX, which has been
3G/4G cellular networks are used in the context of
defined by the WiMAX Forum, formed in 2001.
mobile standards. The services associated with 3G
WiMAX is also known as IEEE 802.16 standard,
are capable of transferring both voice and non-voice
officially titled; WirelessMAN and is an alternative
data simultaneously. Though not official yet, the 4G,
to DSL (802.16d) and cellular access (802.16e).
however, will be fully IP-based converging wired
and wireless access technologies. It is expected to
reach bandwidth within a few hundred mega bit EndnotE
per second offering E2E QoS.1
1
Transport Layer Security (TLS): TLS is used Kim, Y. K., & Prasad, R. 4G roadmap and
mostly in client/server applications, which require emerging communication technologies.
endpoint authentication and communications pri- Artech House.
vacy, particularly over the Internet. This is mostly
done using cryptographic measures.
Chapter XXIV
Generic Application Security in
Current and Future Networks
Silke Holtmanns
Nokia Research Center, Finland
Pekka Laitinen
Nokia Research Center, Finland
AbstrAct
This chapter outlines how cellular authentication can be utilized for generic application security. It
describes the basic concept of the generic bootstrapping architecture (GBA) that was defined by the
3rd generation partnership project (3GPP) for current networks and outlines the latest developments
for future networks.The chapter will provide an overview of the latest technology trends in the area of
generic application security.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Generic Application Security in Current and Future Networks
0
Generic Application Security in Current and Future Networks
any kind of service and obtain revenue. The considered, that is, why spend a lot of money, if it
availability and reliability requirements for will not be used. This subsection describes how
mobile network nodes are very high. application security is often managed today and
• Scalability: Scalability of mobile networks how it was managed in the past and what are the
security solutions is a critical factor. Solu- problems related to it:
tions are standardized on a global level, for
example, for small local operators, as well • Voice: The terminal authenticates to the
as for large international operators. Hence, network utilizing a shared secret stored in
solutions have to work also for millions of the smart card and the operator’s subscriber
people at the same time and it must be possible database. For application security needs, the
to extend them gradually depending on the authentication vectors (AVs) are distributed
growing subscriber basis. Usage scenarios to the corresponding nodes.
and scalability requirements, where a whole • Early IP multimedia subsystem security
full soccer arena at once requests one service (IMS): The 3GPP early IMS security solu-
server and still the service should work and tion of Release 6 (3GPP, TR33.978, Release
start on time, are not unusual. 6) uses IP address binding, that is, the IP ad-
• Convergence: For operators that run both dress assigned by the gateway GPRS support
fixed and mobile networks the issue of con- node (GGSN) is used for subsequent user
vergence gains importance, since it allows a authentication to the IMS service.
more flexible re-use of the network backend • IMS: The IMS security is bound to the cre-
servers and functions. dentials of the IMS SIM (ISIM) application on
When the first mobile applications started after the universal integrated circuit card (UICC)
voice and SMS the requirements for a more generic smart card and these credentials are used by
application security were not clear. This resulted the mobile terminal for authentication to the
in a fast to roll-out, but with less generic approach IMS network. This is outlined by 3GPP (TS
as will be explained next. 33.203,Release 6). The user authentication
is delegated from the operator’s subscriber
Historic Approaches to Application database towards the IMS network (i.e., the
security serving call-session-control-function [S-
CSCF]).
Application nodes in mobile networks in the past
tend to have a monolithic security solution that is The first mobile application was voice and
highly customized to the individual application. few people envisioned the further usage mobile
This has to do with the fact, that operators like to networks would get and were surprised by the
buy their equipment from various vendors, and popularity of SMS. 3GPP IMS with its wide range
re-usage and extensions of existing infrastructure of service possibilities has security wise two fla-
requires standardized interfaces. This standard- vors: (1) IP address binding, which comes quite
ization takes quite some time and that backward inexpensive to mobile operators, and (2) the full
compatibility and integration with the existing IMS security, which requires that the subscriber
nodes is a big challenge. Another argument for is equipped with a new smart card that contains
having customized security solution was that an ISIM application on it. The early IMS security
there were not that many new applications were solution has its cost-wise advantages and allows
not expected to come with a fast pace. For applica- a roll-out and provisioning of the service also to
tion security the return of investment was also an subscribers with “old” smart cards, but the usage
important consideration. The system had first to of monolithic and application specific security
attract some subscribers and be accepted, before solutions cause some problems. Additionally, the
an expensive security solution of higher quality is direct usage of AVs in applications causes some
Generic Application Security in Current and Future Networks
general problems that require a more generic ap- cal factor, the modification of well-running
proach. The specific and general issues are listed systems is a very sensitive issue.
as follows:
There were some early non-standardized ap-
• Fraud potential: With the convergence of proaches to re-use the existing authentication
networks IP address spoofing may become a infrastructure of an operator for general applica-
threat for application specific solutions that tion specific security (Gerstenberger, Lahaije, &
utilize IP address binding. Schuba, 2004). The aforementioned issues lead
• Scalability: The IP address binding solution in 3GPP and 3GPP2 to the standardization of the
is not very well scalable for large networks and GBA.
large amounts of simultaneous service-users.
It is difficult to scale for many application generic bootstrapping Architecture
scenarios in diverse future networks, where (gbA)
users may roam between network types.
• Performance and dependability: The back- We will now introduce the GBA nodes, the provided
bone subscriber database, that is, the home functionality, and the interworking. The main goal
subscriber server (HSS) or the home location of GBA is to provide a common shared secret to
register-authentication center (HLR-AuC) an application server and a mobile terminal based
should not be contacted too often to obtain on the cellular authentication, the details of this
fresh user credentials, since these databases protocol are described in the 3GPP technical speci-
are very large and if this database is going fication (3GPP TS 33.220, Release 6) and we will
down due to overload requests from applica- focus on this aspect.
tion servers, then the operator can not even The application. The basic setting is that we
offer simple voice calls. have an application server that offers services to
• Synchronization problems: If a new appli- the user. The application service does not need
cation utilizes the smart card based authen- necessarily to be part of the operator’s network.
tication, then they consume AVs from the There is a general trend to outsource the appli-
HSS/HLR-AuC. This can lead to sequence cation services to external parties and just take
number synchronization problems, which selected services into the “operator portal.” This
becomes more severe when the number of service should now be secured using the mobile
services increases. smart card credentials and hence the existing trust
• User experience: Different user authentica- relationship between the user and the operator. For
tion methods often result in bad user experi- this purpose, the service provider needs to have
ence and difficulties for the help-desk if the an agreement with the home operator of the user.
authentication fails for unknown reasons. This application server has two subcomponents,
• Combined networks: If an operator has one that takes care of fetching credentials from
broadband fixed network access and mobile the user’s home network and is called network
networks, then the broadband subscriber may application function (NAF) in GBA and then the
not have the ISIM or the IP address assigned actual application itself that uses the credentials
from the GGSN. to secure the communication with the mobile ter-
• Future proof: New applications need new minal, which we call application service.
security solutions. If the network is struc- The terminal. A 3GPP terminal is called user
tured in separate monolithic pillars, then the equipment (UE). In strict 3GPP terms it has two
re-usage of the existing infrastructure for components, the smart card (UICC) and the mo-
security is very difficult without modifying bile equipment (ME). We will refine this model
the already deployed infrastructure. Since slightly, by also distinguishing between the device
in telecommunication availability is a criti- platform and the application in the terminal. The
Generic Application Security in Current and Future Networks
HSS
NAF
Client Ua: Application
protocol
User Equipment
UE can authenticate with the network using cellular including the counterpart of the credentials (i.e.,
second generation (2G) or 3G-based authentication master key) stored in the smart card that is handed
protocols. The intention is to reuse the authentica- out to the user and resides in the mobile terminal.
tion mechanism for the application communication This database provides the basic key material
security. Hence, we have a security module (see (i.e., authentication vector) to the BSF that is un-
Figure 1) that communicates with the smart card der mobile network operator control. This server
and the so-called bootstrapping server function can be seen as a credential server. Once the user
(BSF). Then there is the actual client application is properly authenticated the BSF generates the
(NAF client) that communicates with the applica- application specific keys which are handed out to
tion server (NAF server) in the network, and uses the application server, that is, the NAF.
the application specific keys. The GBA system entities need to interact
The smart card. 3GPP Release 6 and Release with each other to provision the application in the
7 GBA assume the existence of a UICC. The UICC terminal and the application server with a shared
contains an ISIM and/or USIM application. If the secret that can then be utilized for various security
operator wishes that the application is really closely purposes:
bound with the smart card, then he/she can utilize
the so-called GBA aware smart card (GBA_U), • Bootstrapping interface (Ub): The mobile
where the application specific key generation and terminal contacts the BSF and authenticates
part of the storage is performed in the UICC. GBA via authentication and key agreement (AKA)
can be used also with SIM cards. This 2G GBA and triggers the key generation in the BSF.
was introduced in Release 7 in the 3GPP techni- This interface is called Ub interface and
cal report (3GPP TR 33.920, Release 7) due to the defined in the 3GPP technical specification
large market need to allow operators to utilize the (3GPP TS 24.109, Release 6).
existing smart card infrastructure without being • Credential fetching interface (Zh): The
forced to hand out immediately new smart cards application specific credentials are based on
to the user to use GBA-based services. the mobile credentials stored in the subscriber
The network. The heart of the network is the database HSS of the operator. Therefore the
operators subscriber database the HSS, respec- BSF needs to obtain the AV to be able to
tively the HLR with accompanied AuC. This establish an authentication session between
huge database is used to store the subscriber data the mobile terminal and the BSF and derive
Generic Application Security in Current and Future Networks
further application specific keys. Also, some 1. The user wishes to use a service. The applica-
operator policies in the form of GBA user tion server wishes to utilize GBA to secure
security settings (GUSS) can be stored in the the communication to the terminal. Hence,
HSS and passed to the BSF over this interface. the terminal is requested to use GBA. This
The GUSS can contain application specific information (i.e., whether GBA needs to be
USSs and additionally BSF-specific guidance used) can be pre-configured to the NAF client,
information, like user-specific key lifetimes, or the application server may indicate over
and UICC type of the user. The credential in- Ua interface that GBA should be used.
terface is defined as Zh interface and specified 2. The NAF client triggers the security module
in the 3GPP technical specification (3GPP TS in the terminal to bootstrap with the BSF
29.109, Release 6). This interface is opera- utilizing AKA over the Ub bootstrapping
tor internal and specified as being Diameter interface.
based (Calhoun, Loughney, Guttman, Zorn, 3. The BSF then utilizes the Zh interface to
& Arkko, 2003) by the Internet Engineering fetch the needed data for the creation of the
Task Force (IETF), but since many operators master session key. The BSF derives the
have highly customized HLR/HSS it can be master session key. Based on this master
expected that operator-specific adjustments session key NAF specific application keys
will be made (but likely not standardized). are derived when a specific NAF requests
• Key distribution interface (Zn): The appli- it over Zn interface later on. (Depending on
cation server has a library or a “plug-in” that the GBA type used, one or two application
requests the application-specific credentials, specific keys are derived.)
credential-related data, and USS from the 4. The resulting master session key and transac-
credential server (BSF). This key distribu- tion ID are stored in BSF server. The security
tion interface in 3GPP Release 6 Diameter module in terminal also derives the master
based and called Zn interface. In Release 7, session key by contacting the smart card.
an alternative method was specified to sup- The master session key and the transaction
port Web services (WS)-based protocol as ID are stored in the security module. Note,
this makes it easier for application developers that here are small differences between the
to communicate with the credential server. different GBA types. Based on this master
Both implementations of the Zn interface are session key, NAF-specific application keys
defined in the 3GPP technical specification are derived. The application-specific key is
(3GPP TS 29.109, Release 7). handed out to the NAF client application in
• Application interface (Ua): The applica- the terminal as response to the initial trigger
tion-specific interface is called Ua interface made in step 2. The application-specific key
and specified in (3GPP TS 24.109, 2006). The is used to secure the communication with the
details of the actual protocol used in the Ua application server.
interface depend on the actual use case, for 5. The NAF client in the terminal sends transac-
example, browsing, streaming, and so forth. tion identifier to NAF server in the application
The derived application-specific credentials server over Ua application interface. This
will be used to secure the communication of transaction ID is needed, so that the NAF can
this interface, how this is done, is application contact the BSF and fetch the correct keys.
specific and defined in the application-specific 6. The NAF server in the application server
specifications, for example, 3GPP multimedia contacts the BSF to obtain the application-
broadcast/multicast service (MBMS) techni- specific session keys from BSF using trans-
cal specification (3GPP TS 33.246, Release action identifier over Zn key distribution
6). interface.
The actual application-specific key generation 7. The NAF server in the application server
consists of the following basic steps: and the client in the terminal now share
Generic Application Security in Current and Future Networks
Figure 2. HTTP based service request using GBA_ME (and GBA-unaware USIM)
application-specific key(s) that they can use • GBA_U: GBA_U is a GBA type that requires
for authentication or other ways to secure a special smart card that supports GBA and
the communication between terminal and is “GBA aware.” The motivation for this was
application server. the cryptographic key generation is bound
In 3GPP there are basically three different ways then very closely to the smart card and the
to generate application-specific credentials in GBA. issuing operator. The master key and the
The previous basic steps are the same for all three application-specific keys (Ks_ext_NAF
types and should be seen as the basic GBA schemes. and Ks_int_NAF) are derived in the GBA
The variations were caused by different security aware USIM application in an UICC. Only
requirements, business models, and market needs. the Ks_ext_NAF application-specific session
The three GBA types are: key is handed out to the terminal. A second
application-specific session key Ks_int_NAF
• GBA_ME: This is the terminal-based GBA. is not handed out and is stored and used only
It requires a 3GPP UICC smart card, but in the UICC. Figure 3 outlines the message
the smart card does not need to be specially flow for GBA_U. GBA_U is defined in (3GPP
configured to support GBA_ME. The UICC TS 33.220, Release 6). It should be noted, that
can contain either an ISIM or a USIM appli- the BSF modifies the AV received from the
cation that can be used by GBA. The master HSS. This gives an indication to the GBA-
session key and the application-specific keys aware USIM, and the USIM returns just the
are derived in the terminal. GBA_ME is also RES and not the secret CK and IK keys to the
sometimes referred to as “normal GBA”. Fig- terminal. The details on how those keys are
ure 2 outlines the message flow for GBA_ME. used are defined by the application-specific
GBA_ME is defined in the 3GPP technical documents, like MBMS (3GPP TS 33.246,
specification (3GPP TS 33.220, Release 6). 2006), HTTPS (3GPP TS 33.222, 2006) or
Generic Application Security in Current and Future Networks
RAND, AUTN
Bo
Bootstrapping challenge (RAND, AUTN)
o t st
RES
r ap p
ing
Bootstrapping response (RES used as passw ord)
NAF_ID, IMPI
Ks_ext_NAF
B-TID, Ks_ext_NAF, key lifetime
HTTP request that utilizes Ks_ext_NAF as outlined by application specification e.g. MBMS, HTPPS, etc)
B-TID, NAF_ID, GBA_U_flag, [GSID*]
Secured Data
Communication secured w ith Ks_int_NAF
the OMA broadcast (BCAST) smart card In all, these three bootstrapping types have in
profile. common the basic steps outlined previously, and
• 2G GBA: The 2G GBA or legacy GBA is a only the key generation and storage varies slightly.
recent 3GPP GBA feature and defined in the For the application server the usage of GBA_ME
technical report (3GPP TR 33.920, 2006) as an and 2G GBA is transparent. The convergence of
early implementation feature for Release 7. It fixed and mobile networks is, at the time of this
outlines the usage of the SIM card for GBA. writing, raising new GBA variants that will be dis-
It should be noted, that it does not describe cussed later in this chapter under Future Trends.
the usage of a legacy network nodes with The specification family related to GBA has
GBA. The large deployment range of SIM grown substantially due to new application re-
cards created the need for a GBA credential quirements, further use cases, and new security
generation solution that is based on legacy enablers that were added. This will be outlined
SIM cards and does not require immediate in the next section. The GBA can also be utilized
handing out of new UICC smart cards to to provision a user with a subscriber certificate
the used. To obtain a similar security level and also trusted root certificate provisioning for
than GBA_ME, the BSF node in the net- public key infrastructure (PKI) systems. These
work is authenticated via a transport layer are outlined in the 3GPP technical specification
security (TLS) tunnel. The key derivation (3GGP TS 33.221, Release 6).
differs slightly, but the key usage is similar The term GBA refers typically to the core of
to GBA_ME. Figure 4 outlines the message GBA, where a master key is established between
flow for 2G GBA. the mobile terminal (UE), and the network (BSF).
The notation for the Figures 2, 3, and 4 is that Generic authentication architecture (GAA) on the
the * denotes an optional element. other hand refers typically to the actual usage of
the service specific keys that have been derived
Generic Application Security in Current and Future Networks
RAND
Bo o t st
Bootstrapping challenge (RAND, AUTN)
r ap p
Kc, RES
ing
Bootstrapping response (RES used as passw ord)
gbA gAA
HSS
HSS
User
User NAF
Equipm
Equipment
Client
ent Client Ua: Application
(UE)
(UE) Protocol
Generic Application Security in Current and Future Networks
from the master key. Thus, GBA refers to the core Mobile networks Applications using
functionality and GAA to the actual usage of GBA gbA
in use cases, as depicted in Figure 5, but often it is
not necessary to differentiate strictly. GBA was initiated by 3GPP; hence the first ap-
GAA and GBA are not only evolving in 3GPP, plications that utilize GBA were also from 3GPP
but also in the American counterpart standardiza- in their Release 6 and 7. The first service to
tion organization the 3GPP2 (http://www.3gpp2. mandate the usage of GBA is the 3GPP mobile
org/). 3GPP2 utilizes the removable user identity broadcast/multicast service (MBMS) (3GPP TS
module (R-UIM) as a security baseline for their 33.246, Release 6). The broadcast scenario poses
dialect of GBA. 3GPP2 GBA supports the 3GPP2 some very special requirements on a key derivation
legacy algorithms Cellular Authentication and and management system, that is, a content provider
Voice Encryption (CAVE) algorithm, which is used specific key that can be linked to a mobile user
in the American CDMA1x, standard and challenge identity stored on the smart card, protection of the
handshake authentication protocol (CHAP), which content protection keys (key confidentiality during
is used in American code division multiple access transport), and the baseline security key should
(CDMA) 1xEvDo (evolution data only), but also not be transported over the air. This resulted in
AKA for the user authentication. For further de- the fact that MBMS has a quite sophisticated four
tails on 3GPP2 GBA, please consult the relevant layer key hierarchy, where the user-specific keys
specification (3GPP2 TS S.S0109-0, 2006). are established using GBA.
Another use case is general authenticated Web
browsing. A user browses to a Web page that needs
APPlIcAtIon sEcurIty bAsEd on authentication. This is a quite common occurrence
tHE gEnErIc bootstrAPPIng in the Internet and there a user typically then has
ArcHItEcturE to provide a username/password combination. In-
serting a password on a mobile key pad is not very
In the beginning, GBA was developed to securely user friendly and would likely result in non-secure
provide the user with subscriber certificates where passwords, that is, without special characters, very
the initial registration of the user to public key short, no upper/lower case combinations. Many
interface (PKI) system is authenticated using security solutions ignore the usability aspect and
cellular authentication. The function to provide try to force the user, which usually results in more
an application-specific shared secret based on the or less expensive password recovery systems. In
mobile credentials to a terminal and a network the mobile environment, with a small key pad,
node evolved to a generic enabler for many use inserting long, secure passwords with special
cases and service. In this context, terminal refers characters is not user friendly. The integration of
to 3GPP or 3GPP2 mobile phone. an automatic scheme that provides automatically
GBA is not only used for a large range of ap- an application-specific username/password pair to
plications that reside in a mobile network, but also the browser request is therefore desirable for the
for fixed broadband access security and their access mobile environment. From a user perspective, the
devices (e.g. PC or laptop). The work on GBA for authentication would either be seamless (i.e., the
the next 3GPP Release 8 and the integration of user does not even notice that this is ongoing) or
GBA into future networks B3G will be discussed it would be very similar to the user experience,
in the next section. In this section we outline the where the password is stored by the browser. The
different existing applications that use GBA as a technical side of the procedure runs as follows:
security enabler. We will not go into the details of
each application, but focus on the usage of GBA. 1. User contacts a service that requires HTTP
digest authentication.
Generic Application Security in Current and Future Networks
2. The service triggers the terminal to generate application servers, depending on the request.
an application-specific shared secret. This is The AP may add an assertion of identity of the
then established using GBA without further subscriber for use by the application server, when
user interaction. the AP forwards the request from the terminal to
3. The transaction ID are put into the username the application server.
field and the shared application-specific secret Operators can also utilize GBA for device
is put into the password field. management. For this use case, a device manage-
4. The data is validated and the user can access ment server takes the role of a NAF and establishes
the service. a HTTPS tunnel to the UICC as outlined in the
The details of this procedure can be found in 3GPP technical report (3GPP TR 33.918, Release
the 3GPP specifications (3GPP TS 33.220, Release 7). Through this secure tunnel the device manage-
6) and (3GPP TS 33.222, Release 6). ment information is then sent.
Web sites that request confidential data are The European Telecommunications Standards
often secured using TLS 1.0 or Secure Socket Institute (ETSI) has a Smart Card Platform Group
Layer (SSL) 3.0, which can be considered equiva- that has defined some use cases, like mobile bank-
lent. GBA was integrated into the usage of TLS ing and digital rights management (DRM), which
between a mobile terminal and an application server require the existence of a secure channel between
in 3GPP Release 6 (3GPP TS 33.222, Release 6). the terminal and the UICC smart card. They asked
At the end of 2005 the Internet Engineering Task 3GPP to define the key management for this func-
Force specified the usage of Pre-Shared Key TLS tionality. This was done based on GBA in the 3GPP
in the IETF (RFC 4279) (Eronen & Tschofenig, technical specification (3GPP TS 33.110, Release
2005). 3GPP integrated the PSK TLS, since pre- 7) and is expected to be part of 3GPP Release 7. It
shared key computations are very suitable for low remains to be seen which of the use cases defined
capability devices like mobile phones (3GPP TS by the smart card group will be implemented.
33.222, Release 6). It should also be noted, that
PSK TLS can also be used with IETF Datagram network Agnostic usage of gbA
TLS (Rescorla & Modadugu, 2006).
A user may access a service directly or through GBA is also used outside of the classical mobile
an authentication proxy (AP), that takes care of environment of 3GPP. The OMA defines bearer
the authentication-related tasks on behalf of the agnostic functionalities and services. Since au-
actual application server. If an operator offers thentication is in most cases bound to the bearer
many services, then he/she may wish to deploy some specifications integrate the authentication
such an authentication proxy to centralize the of the underlying bearer and provide additional
user authentication task in one node. An AP is an functionality for the case that another access type
HTTP reverse proxy which takes the role of the is used. GBA is used by the following OMA ap-
GBA NAF node (the application server) for the plications:
terminal. The AP handles the TLS security relation
with the terminal and is the TLS end point. GBA • OMA broadcast smart card profile
is used to ensure for the application server that (BCAST) (2007) defines the usage of a smart
the service request is coming from an authorized card profile for content protection using a four-
user. The AP has the Zn interface towards the BSF layer key hierarchy based on GBA (similar
and the Ua interface towards the terminal. When to MBMS key hierarchy.
a HTTPS request is sent from the terminal to the • In OMA presence and availability working
application server that resides behind an AP, then Group (PAG) (2006) the content server relies
the AP terminates the TLS tunnel and performs on external authentication and authorization
the terminal authentication. The AP proxies the done for the presence sources that may reside
HTTP requests received from UE to one or many
Generic Application Security in Current and Future Networks
on the mobile terminal, and watcher nodes. where a shared secret between a terminal and a
For this authentication and authorization GBA network server is needed.
as defined in 3GPP technical specification
(3GPP TS 33.222, Release 6) can be used for fixed—Mobile convergence and gbA
that purpose, acting as an AP.
• OMA secure user plane location (SUPL) The term converging networks has become a key
(2006) defines the usage of how the terminal phrase in latest network evolution work. The trend
can acquire the location of itself from the to merge mobile and fixed network backend systems
network, and this messaging between the is caused by several factors:
terminal and the network can be optionally
protected by GBA. • Fewer and larger operators: There is a
• OMA XML document management (XDM) general consolidation trend in the industry,
and OMA aggregation proxy were specified which results in large, often international,
by the OMA presence and availability work- operators. These operators often have a fixed
ing group (PAG) (2006). These specifications network and a mobile network. For them it
define mechanisms how terminals can man- is important that they can use one backend
age XML documents in the network servers. to serve both access types.
The authentication can be optionally by based • New players: The boundaries between
on GBA, and the authenticating node in the technologies are vanishing, as voice over IP
network can be either the XDM server itself, shows us. These new players appear and want
or it can be centralized using aggregation to utilize the existing technology, but on the
proxy, where all traffic to XDM servers is other hand want to preserve the investments
routed through the proxy. into infrastructure. Especially, for fixed
• OMA common security functions (CSF) networks the investments are substantial.
(OMA Security Working Group, 2005) Multi-network devices are no longer future,
defines a generic GBA Profile (GBAProfile) but commercially available. This results in
that acts as an enabler and that other OMA extensions to the existing “pure” mobile
applications and enablers can use when they specific standards to integrate the new re-
are defining the usage of GBA in them. quirements and network types.
Another important standardization body, where • Seamless services: The general mobility
GBA fits in is the Liberty Alliance Project. The trend creates high user expectations, when
Liberty Alliance Project enables identity federation something works with a fixed network, then
(alias single sign-on) and Web service security. It it is also expected that is works seamlessly
is a non-mobile centric consortium that uses the in a mobile environment. This can only be
provided user authentication, but does not specify provided with a unified backend service
the actual means of authentication and its context. system.
This is left to the standardization bodies, which The fixed mobile convergence is focused around
define the actual authentication method. 3GPP the IP multimedia subsystem (IMS), but GBA as
integrated their GBA to be used seamlessly with a general security enabler for applications moved
the Liberty Alliance Project Identity Federation quickly into the scene. The most prominent drivers
Framework and the Web Service Framework. The of mobile and fixed convergence outside of 3GPP
details of this interworking are specified in 3GPP are TISPAN and CableLabs.
technical report (3GPP TR 33.980, Release 6). The telecoms & Internet converged services
These are only some examples of the possible & protocols for advanced networks (TISPAN) is
usage of GBA outside of 3GPP, many non-stan- a standardization body of the ETSI (n.d.). TISPAN
dardized use cases are also enablers. GBA could focuses on fixed networks and migration from
be utilized for enterprise access or other use cases
0
Generic Application Security in Current and Future Networks
Generic Application Security in Current and Future Networks
can be expected with the progress of the work. On secret can then be used for many purposes, like
a high level, the basic trust relationship between username/password authentication, certificate
the Mobile IP communication partners defines the enrollment, DRM, and so forth. GBA was origi-
needed security associations independently of the nally designed by the 3GPP, but has recently been
actual protocol version used. taken up for long term evolution networks, fixed
There is the trust relationship between the ter- broadband access, and cable networks.
minal and the 3GPP authentication, authorization
and accounting (AAA) server that resides in the
user’s home network and is in charge of the user AcknowlEdgMEnt
authentication (e.g., using AKA) and authorization.
This trust relationship is founded on the user’s Part of this work has been performed in the frame-
subscription to his/her home network and secured work of the IST project System Engineering for
via a shared secret that can be assumed to be long- Security and Dependability SERENITY and the
lived. The mobile IP authentication is independent Service Platform for Innovative Communication
of the access authentication, which is analogous to Environment (SPICE) project. The authors would
the case, where a user uses a service and requires like to acknowledge the contributions and review
authentication there. Hence, GBA could be could of their colleagues from Nokia Corporation.
be used for mobile IP key provisioning.
The second trust relationship is between the
3GPP Mobile IP (MIP) HA and the user’s terminal, rEfErEncEs
so that the HA can act on behalf of the terminal
for the tasks related to mobility. The relationship 3rd Generation Partnership Project 2 (3GPP2) TS
between these two entities is established dynami- S.S0109-0. (2006). Generic bootstrapping archi-
cally (in the sense that there is no pre-provisioned tecture (GBA) framework, version 1.0. Retrieved
shared secret) so the integrity of the MIP signaling from http://www.3gpp2.org/Public_html/specs/
can be ensured and depends on the actual mobile S.S0109-0_v1.0_060331.pdf
IP version used, that is, Mobile IP4 or Mobile IP6
(or DS-MIPv6). 3GPP has at the point of writing 3rd Generation Partnership Project (3GPP) Work
only made the decision for Mobile IP4. The deci- Item Description S3-060764. (2006, November).
sions if MIPv6 or DS-MIPv6 will be used are not IMS enhancements for security requirements in
yet taken in 3GPP (status December 2006). support of cable deployments. Retrieved from
The third trust relationship is between the http://www.3gpp.org/ftp/tsg_sa/WG3_Security/
3GPP MIP HA and the 3GPP AAA server. The TSGS3_45_Ashburn/Docs/
trust between those nodes is high, since they are 3rd Generation Partnership Project (3GPP) TS
part of the same network for non-roaming case. 24.109. (Release 6). Bootstrapping interface (Ub)
For non-roaming cases there exist interoperator and network application function interface (Ua);
security protocols, like network domain security Protocol details. Retrieved from http://www.3gpp.
(NDS)/IP securityor IPsec. This trust relation- org/ftp/Specs/html-info/24109.htm
ship does not require GBA, since there is no user
involvement. 3rd Generation Partnership Project (3GPP) TS
29.109. (Release 6). Generic authentication ar-
chitecture (GAA); Zh and Zn interfaces based on
conclusIon the Diameter protocol; Stage 3. Retrieved from
http://www.3gpp.org/ftp/Specs/html-info/29109.
The GBA allows secure provisioning of a shared htm
secret to a mobile terminal and an application 3rd Generation Partnership Project (3GPP) TS
server based on cellular authentication. This shared 33.110. (Release 8). Key establishment between
Generic Application Security in Current and Future Networks
UICC and a terminal. Retrieved from http:// 3rd Generation Partnership Project (3GPP) TR
www.3gpp.org/ftp/Specs/html-info/33110.htm 33.920. (Release 7). SIM card based generic boot-
strapping architecture (GBA); Early implementa-
3rd Generation Partnership Project (3GPP) TS
tion feature. Retrieved from http://www.3gpp.
33.203. (Release 7). 3G security; Access secu-
org/ftp/Specs/html-info/33920.htm
rity for IP-based services. Retrieved from http://
www.3gpp.org/ftp/Specs/html-info/33203.htm 3rd Generation Partnership Project (3GPP) TR
33.978. (Release 6). Security aspects of early
3rd Generation Partnership Project (3GPP) TS
IP multimedia subsystems (IMS), version 6.5.0.
33.220. (Release 6). Generic authentication archi-
Retrieved from http://www.3gpp.org/ftp/Specs/
tecture (GAA); Generic bootstrapping architecture.
html-info/33978.htm
Retrieved from http://www.3gpp.org/ftp/Specs/
html-info/33220.htm Calhoun, P., Loughney, J., Guttman, E., Zorn,
G., & Arkko, J. (2003). Diameter base protocol
3rd Generation Partnership Project (3GPP) TS
(RFC 3588). Retrieved from http://www.ietf.
33.221. (Release 6). Generic authentication archi-
org/rfc/rfc3588.txt
tecture (GAA); Support for subscriber certificates.
Retrieved from http://www.3gpp.org/ftp/Specs/ Eronen, P., & Tschofenig, H. (Eds). (2005). Pre-
html-info/33221.htm shared key ciphersuites for transport layer security
(TLS) (RFC 4279). Retrieved from http://www.ietf.
3rd Generation Partnership Project (3GPP) TS
org/rfc/rfc4279.txt
33.222. (Release 6). Generic authentication ar-
chitecture (GAA); Access to network application European Telecommunications Standards Institute
functions using hypertext transfer protocol over (ETSI). Telecoms & Internet converged services
transport layer security (HTTPS). Retrieved from & protocols for advanced networks (TISPAN).
http://www.3gpp.org/ftp/Specs/html-info/33222. Retrieved from http://www.etsi.org/tispan
htm
European Telecommunications Standards Institute
3rd Generation Partnership Project (3GPP) TS (ETSI) TS 187 003. (2006). Telecoms & Internet
33.223. (Release 8). Generic authentication converged services & protocols for advanced
architecture (GAA); Generic bootstrapping ar- networks (TISPAN). NGN security—Security
chitecture (GBA) push function. Retrieved from architecture, version 1.1.1. Retrieved from http://
http://www.3gpp.org/ftp/Specs/html-info/33223. www.etsi.org/tispan
htm
Gerstenberger, V., Lahaije, P., & Schuba, M.
3rd Generation Partnership Project (3GPP) TS (2004). Internet ID—Flexible re-use of mobile
33.246. (Release 6). 3G security, security of mul- phone authentication security for service access.
timedia broadcast/multicast service (MBMS). In Proceedings of the 9th (NordSec), Helsinki,
Retrieved from http://www.3gpp.org/ftp/Specs/ Finland (pp. 58-64).
html-info/33246.htm
Open Mobile Alliance (OMA) BCAST Working
3rd Generation Partnership Project (3GPP) TR Group. (2006). Broadcast service and content
33.918. (Release 7). Generic authentication archi- protection for mobile broadcast services, version
tecture (GAA); Early implementation of hypertext 1.0. Retrieved from http://www.openmobileal-
transfer protocol over transport layer security liance.org/
(HTTPS) connection between a universal integrat-
Open Mobile Alliance (OMA) Location Work-
ed circuit card (UICC) and a network application
ing Group. (2006). Secure user plane location
function (NAF). Retrieved from http://www.3gpp.
architecture (SUPL), version 3.0. Retrieved from
org/ftp/Specs/html-info/33918.htm
http://www.openmobilealliance.org/
Generic Application Security in Current and Future Networks
Open Mobile Alliance (OMA) Presence and Avail- Cellular Authentication: Cellular authentica-
ability Working Group (PAG). (2006). Presence tion is the authentication process that is used when
SIMPLE architecture, version 2.0. Retrieved from a mobile phone is attached to a network (e.g., GSM
http://www.openmobilealliance.org/ or UMTS network). This authentication is based on
a smart card that is inserted in the mobile phone.
Open Mobile Alliance (OMA) Presence and
Availability Working Group (PAG). (2006). XML Generic Authentication Architecture (GAA):
document management architecture (XDM), ver- GAA is an architecture that is built on top of GBA
sion 1.0. Retrieved from http://www.openmobile- that utilizes the shared secret to gain access to
alliance.org/ service.
Open Mobile Alliance (OMA) Security Work-
Generic Bootstrapping Architecture (GBA):
ing Group. (2005). OMA GBA profile, version 1.0.
GBA is an architecture where cellular authentica-
Retrieved from http://www.openmobilealliance.
tion is used to bootstrap a shared secret between
org/
a mobile phone and a network node.
Rescorla, E., & Modadugu, N. (2006). Data-
gram transport layer security (RFC 4347). Re- Mobile Application: Mobile application is
trieved from http://www.ietf.org/rfc/rfc4347.txt an application that resides on a server and can be
accessed or consumed by a mobile device. The ap-
plication may require a dedicated software element
kEy tErMs in the mobile terminal (e.g., for mobile TV).
Second Generation Generic Bootstrapping
Application Security: Application security
Architecture (2G GBA): 2G GBA describes the
encompasses a large range of measures taken to
usage of the GBA with legacy SIM smart cards. It
prevent incidents with respect to the security policy
does not contain the integration of legacy network
of an application or the underlying framework.
nodes.
Application security is realized through design
and deployment of the application. Universal Integraged Circuit Card (UICC):
UICC is the smart card (e.g., SIM card) used in
Authentication And Key Agreement (AKA):
mobile terminals in GSM and UMTS networks.
AKA is a mechanism where a mobile device and
mobile network operator authenticate and distrib-
ute shared key(s) to be used between them. This
process is based on a long-term shared secret that
is in the mobile terminal (namely in UICC, e.g.,
SIM card), and mobile network operators databases
(e.g., Home Location Register [HLR]). GBA is
based on this process.
Authentication: Authentication is the attempt
to verify the digital identity of the sender of an
authentication request.
Chapter XXV
Authentication,
Authorization, and Accounting
(AAA) Framework in Network
Mobility (NEMO) Environments
Sangheon Pack
Korea University, South Korea
Sungmin Baek
Seoul National University, South Korea
Taekyoung Kwon
Seoul National University, South Korea
Yanghee Choi
Seoul National University, South Korea
AbstrAct
Network mobility (NEMO) enables seamless and ubiquitous Internet access while on-board vehicles.
Even though the Internet Engineering Task Force (IETF) has standardized the NEMO basic support
protocol as a network layer mobility solution, little studies have been conducted in the area of authenti-
cation, authorization, and accounting (AAA) framework that is a key technology for successful deploy-
ment. In this article, we first review the existing AAA protocols and analyze their suitability in NEMO
environments. After that, we propose a localized AAA framework to retain the mobility transparency as
the NEMO basic support protocol and to reduce the signaling cost incurred in the AAA procedures. The
proposed AAA framework supports mutual authentication and prevents various threats such as replay
attack, man-in-the-middle attack, and key exposure. Performance analysis on the AAA signaling cost is
carried out. Numerical results demonstrate that the proposed AAA framework is efficient under different
NEMO environments.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
HA
AAAh
Internet (IPv6)
Home network
AAAv
Ar Ar
foreign link 1 foreign link 2
foreign network
Mobile node
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
1999), which is globally unique. An MN and its receipt of the HOR message, the HA creates a key to
AAAh have a long-term key, and communication establish a security association (SA) with the MN,
between the AAAv and AAAh is secure. and replies with a Home-Agent-MIPv6-Answer
The message flow in the Diameter extension for Command (HOA) message to the AAAh. Then,
Mobile IPv6 is illustrated in Figure 2. When enter- the AAAh constructs the AA-Registration-Answer
ing a new network or at power up, an MN listens Command (ARA) message that has an authen-
to an AR’s router advertisement (RA) message tication result and sends it to the AAAv. When
which has a local challenge and a visited network receiving the ARA message from the AAAh, the
identifier. Then, the MN sends an authentication AAAv stores the authentication result locally and
request (AReq) message to the AAA client (i.e., AR) then forwards the message to the AAA client. The
based on the security key shared with its AAAh. AAA client converts the ARA message into the
When the AAA client receives the AReq message, authentication reply (ARep) message, in order to
it creates an AA-Registration-Request Command inform the MN of the authentication result from
(ARR) message and sends it to the AAAv. Then, the AAAh and deliver the established key (for the
the AAAv relays it to the AAAh of the MN. When SA) to the MN.
receiving the ARR message from the AAAv, the
AAAh authenticates the MN by means of the
NAI and sends a Home-Agent-MIPv6-Request
Command (HOR) message to the MN’s HA. Upon
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
locAlIzEd AAA frAMEwork In When the MONET changes its point of attach-
nEMo EnvIronMEnts ment, the MR needs to be authenticated and autho-
rized before it accesses a new domain in the same
system Architecture foreign network (i.e., intra-domain handoff) or a
new foreign network (i.e., inter-domain handoff).
In this section, the AAA architecture in NEMO To accomplish this, the MR and AR authenticate
environments is introduced with basic assumptions each other through a mutual authentication pro-
and concepts (e.g., SA and challenge/response cedure that involves both the AAAH server of the
authentication). Figure 3 illustrates the reference MR and the AAAL server of the AR. An attendant
AAA architecture in NEMO environments based (which is the same as an AAA client) is an entity
on the Diameter protocol. that triggers authentication procedures to the AAA
The AAA architecture consists of multiple system. In Mobile IPv6 networks, ARs normally
autonomous wireless networks, each of which is act as the attendants for an MN. In the proposed
called a domain. Each domain has an AAAH server AAA protocol, the AR serves as an attendant for
and/or an AAAL server in order to authenticate any the MR’s authentication, whereas the MR serves
node in a Diameter-compliant manner. The AAAH as an attendant for VMN’s authentication. In the
server of the MR has the profile of the MR and latter case, the MR broadcasts attendant advertise-
it shares a long-term key with the MR. Likewise, ment messages and receives authentication request
the AAAH server of the VMN shares a long-term messages from VMNs within a MONET. In other
key with the VMN. The AAAL server is in charge words, an attendant (an AR or MR) requests the
of an AAA procedure for a visiting MONET (i.e., AAAL server to authenticate the MONET (the
VMNs and MRs). The trust relationship between MR or VMN). When the AAAL server receives
the MR’s AAAH server and the AAAL server the authentication request, it verifies the identity
in the visited network is maintained through the of the MONET by cooperating with an AAAH
Diameter protocol. server. In terms of SAs, we assume that the MR’s
AAAH server and the VMN’s AAAH server have
HA HA home link of Mr
home link of vMn
AAAHvMn AAAHMr
Internet (IPv6)
AAAl
Ar
foreign link 3
Ar
foreign link 1
Ar
Ar foreign link 4
foreign link 2
Mr
nEMo
Mnn Mnn
: movement of MonEt
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
a pre-established SA. In addition, it is assumed that for dynamic keys K LOCAL and K HOME, and their sizes
the MR and LFNs have already authenticated each are 32 bytes. Note that a dynamic key is used to
other by a mechanism, which is beyond scope of establish a dynamic SA while a long-term key is
this chapter. to establish a long-term SA. Other notations will
Notations used in this chapter are summarized be elaborated later.
in Table 1. A local challenge (LC) is a random In the proposed AAA protocol, we define two
number for authentication procedures. An MR or Internet Control Message Protocol (ICMP) mes-
VMN encrypts the LC using a pre-defined SA with sages (Conta & Deering, 1998), Attendant Solicit
its AAAH server. The encrypted value is called a and Attendant Advertisement messages, which are
credential (CR), which is used to authenticate an similar to Router Solicit and Router Advertisement
MR that creates it. MRs and VMNs are identified messages, respectively. In these messages, we
by their NAIs and a replay protection indicator introduce a new Attendant advertisement option
(RPI), which is used to protect from a replay at- and it is used for the authentication of VMNs for an
tack. Either a timestamp or a random number can intra-domain handoff. In addition, several Diameter
be used as an RPI. The size of the K AAA field is messages, for examples, AA-Mobile-Router-Re-
128 bytes by assuming a public key cryptography quest and AA-Mobile-Router-Answer, are defined.
algorithm. We adopt a symmetric key cryptography Their functions will be described later.
Typical Length
Field Meaning
(bytes)
LC local challenge 8
MC mobile challenge 8
H@ home address 16
00
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
visiting Mobile node (vMn) to the MR’s AAAH server (AAAHMR) through a
Authentication secured bi-directional tunnel. When the AAAHMR
receives the AMR message, it sends the AMR mes-
A VMN is a visiting MN that accesses the Internet sage to the AAAHVMN that has a shared SA and
through an MR in a MONET. According to the requests the AAA procedure for the VMN. Then,
NEMO basic support protocol, the VMN does not the AAAHVMN authenticates the VMN. During
need to know whether its attached router is the these steps, K HOME, K LOCAL, SPHOME, and SPLOCAL
AR or the MR. Therefore, the AAA protocol for are created, which is similar to the inter-domain
VMNs should be consistent with this requirement. AAA procedure of the MR. After completion of
The VMN in a MONET uses the home network AAA procedures, the VMN registers its CoA
prefix of the MR as its IPv6 network prefix. Ac- (configured using the MNP) with its HA.
cordingly, the VMN will deem it to be in the MR’s After the initial authentication and binding
home network. For VMN authentication, the MR update procedures, VMNs within a MONET do
serves as an attendant for VMNs and the MR’s not need to know whether the MONET changes
AAAH server serves as an AAAL server. its point of attachment or not. Thus, VMNs do
Figure 6 illustrates message flows for the AAA not have to register their locations to their HAs
procedure when a VMN is attached to a MONET. even though the MONET hands off. This mobility
As mentioned previously, the MR acts as an at- transparency is the key advantage of the NEMO
tendant. Hence, the MR broadcasts Attendant Ad- basic support protocol. However, if the mobility
vertisement messages periodically or responds to transparency is strictly provided, the AAAL server
an Attendant Solicit message from the VMN with in the foreign network cannot detect the existence
an Attendant Advertisement message. The VMN of VMNs. In other words, the mobility transpar-
creates a CR using a pre-shared SA with its AAAH ency is beneficial to reduce the binding update
server (AAAHVMN) and sends an AReq message to traffic, however, it makes the accounting/billing
the MR. Then, the MR converts the AReq message of VMNs’ network usages hard. To address this
into a Diameter message, AMR, and then sends it problem, in our protocol, the AAAL server in the
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
foreign domain accounts the total network usage MR sends an Attendant Advertisement message
of the MONET (not individual VMNs) and then with a set R bit when the foreign domain has a
this collective accounting/billing information is different policy and thus a new AAA procedure
delivered to the MR’s AAAH server. At the same is required. Hence, from the Attendant Advertise-
time, the MR’s AAAH server maintains the ac- ment message, the VMN determines whether it
counting/billing information for the MR as well should perform a new AAA procedure or not. We
as individual VMNs.1 Consequently, the MR’s assume that each network domain can have different
AAAH server can differentiate the accounting/bill- policies, so that the VMN performs a new AAA
ing information for MRs and VMNs. In addition, procedure for each inter-domain handoff.
we assume that the MR’s AAAH server and the
VMN’s AAAH server have a trust relationship
and a shared SA. Therefore, the accounting/billing sEcurIty AnAlysIs
information collected at the MR’s AAAH server is
securely transferred to the VMN’s AAAH server In this section, we analyze the proposed AAA
for suitable billing. protocol in terms of mutual authentication and
In addition, the mobility transparency causes security attacks (e.g., key exposure, replay attack,
another problem, that is, how to authorize VMNs and man-in-the-middle attack).
when the MONET moves to a foreign domain with
a different billing policy. To solve this problem, an
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
between two parties without either party knowing sIgnAlIng cost AnAlysIs
that the link between them has been compromised.
In NEMO environments, we can imagine an attack Reducing the AAA traffic is an important require-
that a malicious MR relays authentication messages ment in NEMO environments where a MONET
and it intends to use network resource illegally. moves with a high velocity and AAA procedures
Figure 7 illustrates the man-in–the-middle attack are frequently performed (e.g., train or car). There-
by a malicious MR for the inter-domain authentica- fore, through the analytical model, we quantify
tion. The malicious MR acts as an AR and relays the AAA cost (CAAA), which is defined as the
authentication messages between the victim MR volume of AAA-related messages delivered over
and the AR. After the authentication procedures, the network and the unit of CAAA is bytes * hops
the malicious MR still can relay all of the traffic (Lo, Lee, Chen, & Liu, 2004).
between the victim MR and AR. However, the Let i and j be the numbers of intra-domain hand-
malicious MR cannot use any network resource offs and inter-domain handoffs for each session,
because it has no knowledge of K LOCAL and K HOME. respectively. It is assumed that the subnet residence
Namely, if a fresh session key is established, the time of the MONET follows a general distribu-
malicious MR cannot further compromise the tion with mean 1/ S , which probability density
authentication procedure between the MR and function (PDF) is f S(t) and its Laplace transform
the AAAL server. is f *S(s). In addition, the domain residence time of
the MONET follows a general distribution with
mean 1/ D, whose PDF is f D(t) and its Laplace
transform is f *D(s). When the inter-session arrival
time is assumed to be an exponential distribution
with rate I , the PDFs of i and j are respectively
given by (Lin, 1997)
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
1 MR MR
1 − [1 − f S ( I )] i= 0 where Cintra and Cinter are the costs for intra-
*
(3)
10 49 1 1 2, 5, 10 2, 5 2, 5
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
AAA = ∑ C AAA ( k ) ⋅ ( k )
As shown in Figure 8, the proposed AAA
C VMN VMN
(7) protocol has a smaller AAA cost than the non-
k
localized AAA protocol. Also, it can be seen that
MR
In this section, we evaluate the effects of mo- C AAA increases as µS increases (i.e., as the subnet
bility and the distance between a foreign network residence time of the MONET decreases). This is
and a home network on the AAA cost (i.e., CAAAMR because the number of inter- or intra-handoffs is
and CAAAVMN). The parameters and the size of each reduced when the mobility (i.e., µS) is low. Figure 8
AAA message are shown in Tables 2 and 3, respec- also indicates the AAA cost variation for different
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
0
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
Section III
Security in Ad Hoc and Sensor
Networks
Chapter XXVI
Security in Mobile Ad Hoc
Networks
Bin Lu
West Chester University, USA
AbstrAct
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in Mobile Ad Hoc Networks
Security in Mobile Ad Hoc Networks
of DoS attack, namely “sleep deprivation torture” • Authentication ensures that the identity of a
attack (Stajano & Anderson, 1999), by forcing a node in communication is indeed the entity
node to relay packets. it declares to be. Authentication can prevent
Ad hoc routing requires the participation of identity masquerade and unauthorized access
all the nodes in the network. MANETs are peer- to resource or information. Authentication
to-peer, namely all the nodes play the same roles is usually provided by digital signature or
as end hosts and routers as well. However, some possession of a secret (such as a key). Due
selfish nodes may refuse to forward data packets to stringent resource constraint of MANETs,
or routing requests for other nodes to save energy the authentication protocols for the traditional
or communication resources. Some more dramatic Internet are not applicable because these
attacks by malicious nodes include dissemination protocols consume too much computational
of false routing information, sending frequent resources. Some authentication approaches
routing updates to achieve denial-of-service, and that use one-way hash function, which proves
deviating traffic from legal route. to be faster than other cryptographic opera-
Like in the traditional wired networks, attacks tions, have drawn much attention because of
can target the security mechanisms as well. For their efficiency.
examples, cryptographic operations can be at risk • Integrity ensures that a message in trans-
if a secret key is intercepted and compromised, or mission has not been maliciously altered or
a trusted authority is brought down. These attacks corrupted. A message can be corrupted due
are not intrinsic to wireless networks, but they to presence of malicious attacks, or com-
are difficult to prevent and detect in the context munication failures, which may be common
of MANETs. on the lossy channels of ad hoc networks.
In addition to the traditional approaches
security services for the Internet, some researchers proposed
that a node could perform integrity check by
The services that should be provided in MA- overhearing the next hop when this next hop
NETs are the same as those in the wired networks, forwards the packet on along the path. This
which include availability, authentication, integ- overhearing technique can be easily used in
rity, confidentiality, and nonrepudiation. ad hoc networks because of the open nature
of the communication channels.
• Availability ensures that network services • Confidentiality guarantees that sensitive
are provided as supposed to be. In an ad hoc information is not disclosed to unauthorized
network without protection of proper security entities. Encryption used in wired networks
mechanisms, its service performance and is also used for MANETs.
availability can be easily compromised. For • Nonrepudiation ensures that the origin
example, signal jamming at the physical and of a message cannot deny having sent the
media access control layers can seriously message. Nonrepudiation allows a malicious
interfere with communications or even bring node who has sent false information to be
down the physical channels. A malicious or accused by legitimate users, and therefore
selfish node can also disrupt routing services, is important in intrusion detection. Asym-
which may result in network partition. To metric key cryptography has been used to
solve the problem, some economic models provide nonrepudiation for both the Internet
have been proposed to stimulate cooperation and MANETs.
among nodes. Monitoring techniques are also
used to ensure proper provision of network Other security services for MANETs include
services. For instance, a node in promiscuous authorization and accounting. But to our best of
mode can monitor the communications in the knowledge, not much research work has been pub-
vicinity.
Security in Mobile Ad Hoc Networks
Security in Mobile Ad Hoc Networks
is built by applying a one-way hash function re- A malicious node can also transmit strong noise
peatedly. To create a one-way hash chain, a node signals to prevent messages in the victim vicinity
should choose a random value and then generate a from being received.
list of hash values, h0, h1, h2, ..., hn, from the random No matter a node is selfish or malicious, the
value, where hi+1 = H(hi) for 0 ≤ i < n, where H is consequences of their misbehaviors can be severe
the hash function. To use a one-way hash chain and disastrous, and therefore should be addressed
for authentication, hn should be distributed first. as security problems with essential concerns. The
Consecutive element, hi, can be authenticate by security solution is to detect misbehaviors and
applying H to previously distributed element, hj to locate the misbehaving nodes in a timely and
( j > i), for ( j - i) times. reliable manner. This is not a trivial task due to
Monitoring technique has been proved an the random nature of the MAC protocols and the
effective way to provide availability to routing shared and volatile medium. It is especially dif-
advertisement or data packet forwarding, and to ficult to differentiate between misbehavior and
promote fair share of bandwidth at MAC layer. an occasional deviation caused by impairment of
To monitor, nodes turn on promiscuous mode to wireless link.
listen to communication of neighboring nodes in Several approaches have been proposed to
order to ensure proper transmission of frames or handle selfish and malicious misbehaviors at the
packets. MAC layer1.
Reputation mechanisms have been used to- One approach is to address selfish misbehaviors
gether with cooperation mechanisms to enhance by using game theoretic techniques to find a state
security in routing and MAC layer protocols. It where the misbehaving nodes cannot gain any
will be discussed in “Cooperation” topic in a later advantage over the well-behaved nodes (Cagalj,
section. Ganeriwal, Aad, & Hubaux, 2004; Konorski, 2001,
2002; Mackenzie & Wicker, 2000, 2003; Michiardi
wireless MAc security & Molva, 2002b). This approach has also been used
at network layer to secure routings.
MAC protocols for wireless networks such as IEEE Konorski (2001, 2002) proposes a game theo-
802.11 (1999) use a contention resolution mecha- retic model that targets selfish nodes who fail to
nism for sharing the open communication channel. adhere to MAC protocols by waiting for smaller
This resolution mechanism is fully distributed and backoff intervals than supposed to be. By apply-
requires cooperation among all the participating ing the noncooperative game model (Jones, 2000),
nodes. The participating nodes are expected to the approach modifies the backoff algorithm using
perform a random backoff before transmission to blackbursts and leads the game to a Nash equilib-
reduce contention and to ensure a reasonably fair rium point (Nash, 1950). The approach requires
share of the channel. accurate measurement of the duration, which is
However, in an untrusted network environment difficult to grant in MANETs. Cagalj et al. (2004)
where selfish or malicious nodes may be included, developed a strategy that employs two Markov
cooperation cannot always be guaranteed. A self- chains (Jha, Tan, & Maxion, 2001) to derive from
ish node may intentionally deviate from MAC contention windows the access possibilities of the
protocols to maximize its throughput by obtain- misbehaving nodes and the well-behaved nodes,
ing an unfair share of the bandwidth. A malicious respectively. The approach can reach the Nash
node may intend denial-of-service (DoS) attacks equilibrium with multiple selfish nodes.
by injecting frames on the wireless medium con- Another approach, which has been mostly used,
tinuously, or intermittently with the intention of is to monitor the neighboring node by overhear-
conserving its own energy. The injection may cause ing and then penalize the identified misbehaving
radio collisions and transmission jamming, and nodes (Gupta, Krishnamurthy, & Faloutsos, 2002;
thus repeated backoffs among legitimate nodes. Kyasanur & Vaidya, 2005; Radosavac, Baras, &
Security in Mobile Ad Hoc Networks
Koutsopoulos, 2005; Radosavac, Cardenas, Baras, ity of other compromised nodes, availability of
& Moustakides, 2006; Raya, Hubaux, & Aad, 2004; routing information, together with the fairness,
Xu, Trappe, Zhang, & Wood, 2005). determine the efficacy of the DoS attacks. Xu et
Raya et al. (2004) deals with MAC misbehaviors al. (2005) also provide interesting insights into
in wireless hot-spot communities, such as inten- jamming attacks at MAC layer. They proposed
tionally scramble frames or illegal manipulation four jamming attack models that can be used by
of backoff intervals also. A sequence of observa- an adversary who intend DoS attacks: constant,
tions is required to detect misbehaviors based on deceptive, random, and reactive jamming. The
the extent to which MAC protocol parameters are effectiveness of the four jammer strategies is
manipulated. evaluated by implementation of a prototype using
Kyasanur and Vaidya (2005) propose modifica- Berkeley Motes platform. Different measurements
tions to IEEE 802.11, such as letting the receiver for detecting jamming attacks are proposed. The
of the particular transmission decide whether the authors found that not a single measurement is
sender has deviated from the protocol. It is proposed sufficient to conclusively differentiate malicious
to use additional nodes in the vicinity to detect col- attacks from link impairment.
lusions between the receiver and the sender. The To reliably detect misbehaviors at MAC layer,
authors also present a diagnosis scheme, which accurately and reliably monitoring the transmis-
uses a moving window and thresh to capture the sion pattern from a node is a critical factor and
misbehaving nodes. A scheme for punishing a still worth further investigation.
selfish node is also presented. Simulation results
show that the detection and penalty schemes are secure routing Protocols
effective in handling selfish MAC misbehaviors.
Radosavac et al. (2005) propose to let a node Routing protocols for MANETs are very different
compute the backoff values of its neighboring node from those existing Internet protocols, because
based on the RTS (request-to-send), CTS (clear-to- MANETs are self-organized and the protocols need
send), or ACK (acknowledgement) messages. The to cope with frequent topology change, open shared
problem is cast into a “minimax robust detection medium, and resource restrictions. In addition, all
framework,” in which the worst-case instance of the nodes also serve as routers, participating in route
attack will be identified and a detection rule of discovery, route maintenance, and packet delivery.
optimum performance is generated with uncer- These characteristics have introduced significant
tain information. The approach requires clock difficulty to routing security in MANETs.
synchronization, which is considered not realistic In 1996, The Internet Engineering Task Force
by some researchers. A recently published work (IETF) established a MANET workgroup (Macker
by Radosavac et al. (2006) is an advanced version & Chakeres, 2006), which goal is “to standardize
of the published work of Radosavac et al. in 2005. of the IP routing protocol functionality suitable for
The work studies the single-node attacks as well wireless routing applications.” Since then, some
as colluding attacks. routing protocols have been proposed particularly
Gupta et al. (2002) and Xu et al. (2005) studied for MANETs.
the DoS attacks at MAC layer and analyzed dif- AODV (ad hoc on-demand vector) (Perkins,
ferent attack models with their traffic patterns. Belding-Royer, & Das, 2003) is a reactive rout-
Gupta et al. (2002) demonstrate simulation of IEEE ing protocol. In AODV, the node who needs to
802.11 protocol as well as emulation of a perfectly establish a route to another node will broadcast a
fair MAC (FAIRMAC) protocol in order to show route request (RREQ) message to its neighbors.
how the employment of MAC layer fairness can Each node that receives the message establishes
prevent or alleviate the effect of the DoS attacks. a reverse link toward the originator of the RREQ,
The authors also show that many other factors unless such a link has already existed. Dynamic
such as location of the malicious node, availabil-
Security in Mobile Ad Hoc Networks
source routing (DSR) (Johnson, Maltz, & Hu, 2004) licious nodes establish a link via private network
is a protocol that uses source routing technique, connection and forward all the received traffic to
in which the sender constructs a “source route” in each other. In this type of attack the normal flow
the packet’s header that gives the hosts on the path. of routing packets will be short-circuited, and a
Destination-sequenced distance-vector (DSDV) virtual vertex cut of nodes can be created in the
(Perkins & Bhagwat, 1994) is a proactive routing network that the attackers control.
protocol which maintains a routing table that lists An adversary can also mount a replay attack by
all possible destinations in the network as well as sending an old advertisement in an attempt to get
metric and next hop to the destination. other nodes to update its routing table with stale
These protocols are designed without security routes. Sequence number is usually used to prevent
concern in mind, and therefore are susceptible to packets from being repeatedly passed on.
various attacks. Denial-of-service (DoS) attack can be attempted
by injecting packets into the network which may
Attacks on MANET Routing cause excessive consumption of resources. One
special type of DoS attacks, jellyfish attacks (Aad
A selfish or malicious node can disrupt routing ser- Hubaux, & Knightly, 2004), is to hold packets
vices passively or actively. Their purposes include unnecessarily for some amount of time before for-
selfish conservation of own resource, disruption warding them. The jellyfish attack can cause high
of routing, excessive resource consumption, and end-to-end delay and delay jitter. Rushing attacks
so forth. (Hu, Perrig, & Johnson, 2003b) takes advantage of
A selfish node may refuse to participate in the suppression mechanisms that are used by on-
routing by simply discarding routing packets. demand routing protocols to prevent duplicate rout-
This attack is usually not defended against secure ing requests from being spread. The suppression
routing protocols in that the node can still fail to mechanism processes only the first request while
forward data packets even if a path including the skipping the duplicate ones. All these attacks are
selfish node has been established. To prevent this difficult to detect in MANETs due to the inherent
attack, some cooperation mechanisms have been volatility of the communication channels.
proposed, which will be discussed later. Besides failing to follow routing protocols,
A malicious node can maliciously advertise which is sometimes referred as routing attacks,
falsified routing information by tampering fields an attacker may also target the data messages
such as source, destination, metric, and so forth. traversing an established path. A misbehaving
For example, an attacker can claim falsified short node may maliciously alter or drop data packets in
distance information by advertising zero or a very transit, which is called packet forwarding attacks.
small metric in order to attract and later drop the These two types of attacks are different due to
traffic originally destined to other nodes (blackhole the differences of routing and data packets. Usu-
attack), or in order to include itself on the path so ally, routing packets are altered as they circulate
that it can analyze the communications. Another around the network (such as in metric field that
example is that an attacker can use forged routing states the shortest distance to destination). Thus
packets to create a routing loop, causing packets routing packets are mutable, and called hop-by-hop
to circulate in the network without reaching their transmission. The data packets are nonmutable,
destinations. This malicious attack should be because the data are not changed during trans-
distinguished from nodes unknowingly providing mission (except for some particular fields in the
incorrect or obsolete routing information, which header) and therefore is end-to-end transmission.
may result from topology change. This is not a The integrity of the data packets can be protected
trivial task due to the nature of ad hoc networks. by traditional cryptographic operations, while
Another type of attack, wormhole attack (Hu, routing packets are hard to protect.
Perrig, & Johnson, 2003a), happens when two ma-
Security in Mobile Ad Hoc Networks
0
Security in Mobile Ad Hoc Networks
path, and decremented on a broken path. A node observations and reports by other nodes. It applies
calculates a path metric by averaging the node different weights to subjective reputation (obser-
ratings in the path. vations), indirect reputation (positive reputation
reported by others), and functional reputation
2. Another approach is to design protocols (the subjective and indirect reputation calculated
that stimulate cooperation by penalizing mis- with respect to different functions). At each node,
behavior or rewarding behavior of forwarding reputation values are stored in a reputation table,
for other nodes’ benefit. and a watchdog mechanism is used to detect mis-
Buttyan and Hubaux (2000, 2003) propose a behaving nodes.
protocol that can stimulate packet forwarding. It Sprite is a cheat-proof and credit-based system
requires a node to pass all packets to its security (Zhong, Chen, & Yang, 2003), which also requires
module, which maintains a counter called nuglet that nodes receive enough credits by forwarding
counter. The counter is decreased whenever the for other nodes to send their own packets. To prove
node sends a packet as the originator, and increased a node has received or forwarded a message, the
when the node forwards a packet for another node. node keeps a receipt of the message and uploads
Since the value of the counter must remain positive, the receipt to a credit clearance service (CCS).
a node needs to maintain a balance on the counter To motivate nodes to report receipts, CCS gives
by forwarding packets for the benefits of others to more credits to a node that forwards a message
have its own packets to be sent. To prevent a node than to a node that does not. Proper actions are
from illegitimately increasing its own counter, the taken to prevent the cheating action. If a message
counter is required to be maintained by a trusted is not received by the destination, the credits to the
and tamper resistant hardware module (such as a intermediate nodes will be greatly reduced, and
Smart card). therefore the benefit of falsely reporting a receipt
CONFIDANT (cooperation of nodes fairness in by an intermediate node will be reduced too. The
dynamic ad-hoc networks) (Buchegger & Boudec, approach needs a centralized trusted entity, which
2001, 2002a, 2002b) was proposed to detect, dis- is hard for MANETs.
courage and stop selfish misbehaviors. CONFI- Some other interesting approaches that use
DANT consists of four components: a monitor to punishment or rewarding systems can be found
observe the neighborhood; a trust manager to deal by Mohan and Joiner (2004) and Salem, Buttyan,
with incoming and outgoing warning messages; a Hubaux, and Jakobsson (2003).
reputation system to maintain reputation records
based on own experiences, vicinity observations, 3. Game-theoretic techniques (Jones, 2000)
and reported records; and a path manager for nodes have also been used to develop protocols for
to adapt their behavior according to the reputa- stimulating cooperation (Anderegg & Eiden-
tion of a node or a path. CONFIDANT takes into benz, 2003; Srinivasan, Nuggehalli, Chiasserini,
consideration the problem of nodes providing false & Rao, 2003).
information to gain good reputation. With a proper These techniques assume that all nodes are self-
weight system and a modified Bayesian estimation ish and rational, that is, they only do things that
procedure, the second-hand information can still are beneficial to themselves and their purpose is
speed up the detection while suppressing false to maximize their own utility. Usually noncoop-
positives and negatives. The simulation results erative game model is used in these approaches.
show that the network performance can still be By means of imposing suitable costs on network
good even when half of the network population operation, the game reaches a stable state called
misbehaves. “Nash equilibrium” (Nash, 1950), where a selfish
CORE is a collaborative reputation mecha- node cannot gain an advantage over well-behaved
nism (Michiardi & Molva, 2002a). Similarly to nodes.
CONFIDANT, CORE also differentiates between
Security in Mobile Ad Hoc Networks
Anderegg and Eidenbenz (2003) provide a game prevent a malicious node from tampering a node
theoretic approach, which goal is to achieve truth- that has delays in receiving the newest key, by
fulness and cost-efficiency for routing protocols means of using the newest key to forge packets
in MANETs. The approach pays the forwarding with valid authentication information. Authentica-
nodes a premium over their actual costs for for- tion techniques that use one-way hash chain keys
warding data packets. The authors show that the can tolerate packet loss and have the advantage of
total overpayment is relatively small. low overhead. TESLA has been adopted by many
Although protocols developed with game-theo- approaches to authenticate neighboring commu-
retic techniques may be resilient to misbehavior, nications in MANETs.
they may not achieve the same performance of Zhu, Xu, Setia, and Jajodia (2003) propose a
protocols developed under the assumption that all light-weight hop-by-hop authentication protocol
nodes are well-behaved. (LHAP), in which every node authenticates all the
packets received from neighbors before forward-
Authentication and key Management ing it. LHAP also uses one-way hash chain, like
in MAnEts TESLA, but it does not use delayed key disclosure.
LHAP uses TRAFFIC chain (a one-way hash chain)
Authentication and key management are essential to authenticate packets, and uses TESLA chain to
problems for MANET security. authenticate TRAFFIC keys. Security properties
and performance is analyzed. The analysis shows
Authentication in MANETs that LHAP is lightweight and practical.
Security in Mobile Ad Hoc Networks
for distribution of the private key, where the key However, Chan (2004) argues that although
is divided into n shares. Therefore, n parties are some protocols are fully distributed and self-or-
allowed to share the ability to perform a crypto- ganized without needing any trusted third party
graphic operation (e.g., creating a digital signature), (TTP), they are not robust to dynamic topology
and any t + 1 parties can perform the operation or sporadic links because they need the routing
jointly. To sign a certificate, each server produces structure that has been established initially.
a partial signature for the certificate using its share Chan (2004) proposes a distributed symmetric
and submits the partial signature to a combiner key management scheme for MANETs, which uses
that can generate the entire signature. In this way, a fully distributed and self-organized key pre-dis-
the system can tolerate a certain number (t < n) of tribution scheme (DKPS) without relying on TTPs
compromised servers. or infrastructure support. The DKPS scheme has
A similar approach proposed by Kong, Zer- three phases, namely distributed key selection
fos, Luo, Lu, and Zhang (2001) provide a more (DKS), secure shared-key discovery (SSD), and
fair distribution by allowing each node to carry key exclusion property testing (KEPT). In the
a secret share. Any t + 1 nodes in the vicinity of DKS phase, each node randomly picks keys from
the requesting node can jointly provide complete the publicly known universal set to form its key
service, which increases availability and scalability ring, in which exclusion property will be ensured
of the service. However, this scheme is not secure to avoid collision. As soon as each node shares a
if an attacker can compromise arbitary t + 1 nodes common key with any other node, it enters the
and thus can collect enough shares and reconstruct SSD phase and broadcasts its key identifiers to
the system’s private key. others. To guarantee that the nodes can let each
According to Zhou and Haas (1999) and Kong other know which keys they are having in common
et al. (2001), a trusted authority is needed for without revealing the keys to others, the author
initialization of the first t + 1, which is difficult proposes MRS (modified Rivest’s scheme) and
in MANETs. In addition, it is still not clear how built SSD upon MRS. MRS is based on the work
to determine the number t initially and adapt t of Rivest, Adleman, and Dertouzos (1978), and is
based on n. a special class of encryption functions that allow
Capkun, Buttyan, and Hubaux (2003) propose operations on the encrypted data without needing
a fully self-organized public-key management knowledge of the decryption functions. In KEPT
system that does not require use of any trusted phase, a node tests whether its set of keys satisfy
authority even in the system initialization phase. the exclusion property.
Like PGP (pretty good privacy)(Zimmermann, Crepeau and Davis (2003) provide a certificate
1995), the scheme allows a node to create public and revocation scheme that can defend against attacks
private keys by itself. But the keys and certificates of maliciously accusing other nodes and using
are not stored in centralized certificate reposito- revoked certificate to access network services.
ries. Instead, they can be stored at the nodes in a Many researchers are still making efforts to
fully distributed manner. When a node wants to find a secure yet cost-efficient key distribution
obtain the public key of another node, it acquires approach.
a chain of valid public-key certificates. The first
certificate of the chain can be directly verified by Intrusion detection systems (Ids) for
using a trusted public key. Then each sequential MAnEts
certificate can be verified using the public key
contained in the previous certificate of the chain. In the traditional Internet, network devices such
The last certificate contains the public key of the as routers, switches, and gateways can be used
target user. The system allows the nodes in the to monitor the traffic. Due to the lack of these
network to perform key authentication based only network devices and a fixed infrastructure, intru-
on their local information. sion detection in MANETs is more challenging
Security in Mobile Ad Hoc Networks
than that in the Internet. Moreover, the restriction agents; a local response module that triggers lo-
of resources again brings more difficulty to data cal response actions; a global response module
analysis, which usually plays an important role that coordinates responses among neighboring
in intrusion detection. A comprehensive survey nodes; and a secure communication module that
on IDS for MANETs can be found by Avantvalee provides secure communication channels among
and Wu (2006). IDS agents. On the anomaly detection model,
An IDS for MANETs not only has the same two classification techniques, RIPPER(repeated
requirements as in the wired networks (such as incremental prunig to produce error reduction) and
reliability, minimal false positive and false nega- SVM (support vector machine) light, are applied
tive rates, transparency to system and users, etc.), to compute classifiers as anomaly detectors. The
but also requires low usage of system and network classifiers are used to detect anomaly updates to
resources. Therefore, the design and development routing tables. The performances are evaluated and
of IDS for MANETs is not a trivial task. compared through simulations. The authors find
A simple solution for IDS in MANETs is that that protocols with strong traffic correlation tend
each host relies on itself for detection, where the to have better detection performance.
audit data are gathered and processed locally. Some Kachirski and Guha (2003) propose an agent-
IDS proposed for MANETs use this solution of based IDS that uses multiple mobile sensors to de-
letting individual nodes to determine intrusions termine intrusions. The system assigns functional
independently in case the local evidence is strong. tasks different agents: a network monitoring agent
But many systems also allow a node to request to monitor network packets (only on certain nodes
complementary information from others so that to preserve resources); a host monitoring agent on
cooperation can be reinforced in case of weak or every node to monitor system and applications
inconclusive local evidence. level activities; a decision-making agent on every
Albers, Camp, Percher, Jouga, Me, and Puttini node to determine intrusions based on host-level
(2002) propose a local IDS (LIDS), which uses information, and on certain nodes to determine
several mobile agents on each node. All the LIDS network-level intrusions; and an action agent on
in a community can collaborate to alert each other every node to respond to intrusions. Similarly to
of intrusions. These data are independent from the two IDS described above, this system makes
operating system and need no additional resources intrusion decisions based on both independent and
for local information. A LIDS has several data collaborative monitoring, and the level of the moni-
collecting agents of different types: a local agent toring can be adapted according to the availability
that locally detects intrusions and responds to intru- of the computational and network resources.
sions; a collection of mobile agents that collect and Another intrusion detection technique is the dy-
process data from remote hosts; and a local MIB namic hierarchical intrusion detection architecture
agent that collects MIB (management information proposed by Sterne, Balasubramanyam, Carman,
base) variables for the mobile agents or the local Wilson, Talpade, Ko et al. (2005). The system
LIDS agent. The implementation of prototypes requires every node to monitor, log, analyze, and
was claimed by the authors, but the results are not respond to detected intrusions. It also uses clus-
demonstrated in the publication. tering to form a hierarchical structure. Different
A distributed intrusion detection model was nodes (e.g., leaf nodes and clusterhead nodes in
later proposed by Zhang, Lee, and Huang (2003). the structure) may perform different functions in
The model of the IDS agent is composed of six intrusion detections. This hierarchical structure
modules: a local data collection module that is advantageous in monitoring end-to-end traffic
collects real-time audit data; a local detection and thus can help detect end-to-end attacks. The
engine that performs local anomaly detection; a system does not use promiscuous listening, which
cooperative detection engine that helps collabo- is arguably unrealistic for MANETs. However,
ration and collects broader data sets from other some researchers have also argued that a hierarchi-
Security in Mobile Ad Hoc Networks
cal architecture may not be suitable to MANETs information or evidence provided by peers, not
either, due to the rapid topology change of MANETs by trusted authorities or a central administration
and the high overhead introduced by organizing point (as in the Internet or wireless networks with
the hierarchy. base-stations). Additionally, the gathering of the
Sun, Wu, and Pooch (2003) propose a zone- trust evidence may be difficult due to the small
based IDS (ZBIDS). ZBIDS divides the network bandwidth, and therefore local information has to
into nonoverlapping zones. The nodes are cat- be relied on. Evaluation with uncertain and incom-
egorized into two types based on their locations plete trust evidence certainly poses challenges to
to a zone: intrazone nodes (within a zone and not trust management.
connected to nodes in another zone) and interzone Research progress has been made on au-
nodes (within a zone and connected to nodes in thentication and key management. But finding
another zone). Intrazone nodes are responsible cryptographic mechanisms that consume less
for local detection and broadcast in case of alerts. computational resources and impose lower time
Interzone nodes perform aggregation and correla- complexity is still a major research concern in
tion of these local detection results. The system can MANET security.
limit the detection cooperation in a zone, which Another problem for MANET security is to find
may reduce the overhead by the broadcast and ag- an effective and efficient approach for intrusion
gregation. However, the system requires that each response. Many publications simply mentioned
node know its physical location, which needs prior that proper actions should be taken to react to
design setup. The management of zones is not a intrusions, which may include alarming the other
trivial task either. nodes in the network, isolating the compromised
Intrusion detection has been a challenging task nodes, or re-establishing the trust relationship for
for MANETs, mainly due to the distribution na- the entire network. But the problem of how to locate
ture and resource constraints of ad hoc networks. and then isolate the compromised nodes is not dis-
To determine intrusions with local or incomplete cussed in details. The location and isolation could
information and with low overhead has been a be even more difficult when distributed attacks
major concern for researchers. are launched from multiple sources. Eliminating
the compromised nodes by rekeying or rebuilding
the trust could be an effective solution. However,
oPEn cHAllEngEs And it is certainly not efficient taking into account
conclusIon the computation and communication overhead it
may cause.
Some other unexplored research problems in-
challenges
clude the tradeoff between privacy (such as identity
anonymity and location privacy) and other security
The research in MANET security is still in its early
services (such as accounting and intrusion detec-
stage. Some areas that are interesting but little
tion), and the tradeoff between security strengths
explored include accounting, trust management,
and network performance.
authentication, and key management.
Yang et al. (2004) argue that MANET security
Accounting provides the method for collecting
needs a “multifence security solution,” namely re-
the information used for billing, auditing, and
siliency-oriented security design. They argue that
reporting. Accounting mechanisms can track the
the existing proposals are attack-oriented because
services that users are accessing as well as the
the protocols target some specific attack that has
amount of network resources they are consuming.
been identified first. These protocols therefore may
Accounting is a challenging problem due to the
not work well in the presence of unanticipated
distributed and ephemeral nature of MANETs.
attacks. They propose that a security solution is
The characteristics of MANETs also bring
needed that can be embedded into every component
difficulty to trust management. In MANETs,
or every layer in the network. The solution can
the trustworthiness is evaluated based on the
Security in Mobile Ad Hoc Networks
offer multiple lines of defense against many both International Workshop on Wireless Information
known and unknown security threats. Systems (WIS-2002) (pp. 1-12).
Besides problems described above, how to adapt
Anderegg, L., & Eidenbenz, S. (2003). Routing
the security mechanisms in a large-scale wireless
and forwarding: Ad hoc-VCG: A truthful and
network is also an interesting problem. The scal-
cost-efficient routing protocol for mobile ad hoc
ability of security mechanisms and the compro-
networks with selfish agents. In Proceedings of
mise between security and network scalability
the 9th Annual International Conference on Mobile
are certainly topics worth further research study.
Computing and Networking (MobiCom 05), San
Diego, (pp. 245-259). ACM Press.
conclusion
Avantvalee, T., & Wu, J. (2006). A survey on in-
With the rapid proliferation of wireless networks trusion detection in mobile ad hoc networks. In Y.
and mobile computing applications, MANETs Xiao, X. Shen, & D. -Z. Du (Eds.), Wireless/mobile
have received increased attention. Security is an network security (pp. 170-196).
important feature for ad hoc networks, especially
Balfanz, D., Smetters, D.K., Stewart, P., & Wong,
in untrustworthy environments such as battlefields.
H.C. (2002). Talking to strangers: Authentication in
Development of security solutions for ad hoc
ad-hoc wireless networks. Paper presented at the
networks has therefore become a major research
Symposium on Network and Distributed Systems
concern.
Security (NDSS ‘02), San Diego.
However, the characteristics of ad hoc networks
have not only introduced vulnerabilities to mali- Buchegger, S., & Boudec, J.L. (2001). The selfish
cious attacks varying from passive eavesdropping node: Increasing routing security in mobile ad hoc
to active interfering, but also imposed difficulty networks (IBM Research Report: RR 3354).
and challenges in introducing security features
to MANETs. Buchegger, S., & Boudec, J.L. (2002a) Nodes
This book chapter has discussed the security bearing grudges: Towards routing security, fair-
vulnerabilities, challenges, and security solu- ness, and robustness in mobile ad hoc networks. In
tions for MANETs. A variety of attacks and their Proceedings of the Tenth Euromicro Workshop on
countermeasures have been identified for different Parallel, Distributed and Network-based Process-
network operations, mechanisms, and network lay- ing, Canary Islands, Spain, (pp. 403-410). IEEE
ers. Existing research efforts as well as the open Computer Society.
challenges were discussed in the chapter. Buchegger, S., & Boudec, J.L. (2002b). Performance
analysis of the CONFIDANT protocol: Cooperation
of nodes - fairness in dynamic ad-hoc networks. In
rEfErEncEs Proceedings of IEEE/ACM Symposium on Mobile
Ad Hoc Networking and Computing (MobiHoc),
Lausanne, CH, (pp. 226-236). ACM Press.
Aad, I., Hubaux, J.-P., & Knightly, E.W. (2004).
Denial of service resilience in ad hoc networks. In Buttyán, L., & Hubaux, J.-P. (2000). Enforcing
Proceedings of the ACM International Conference service availability in mobile ad-hoc WANs.
on Mobile Computing and Networking (MobiCom In Proceedings of Workshop on Mobile Ad-hoc
2004), Philadelphia, (pp. 202-215). networking and Computing (MobiHOC), Boston,
(pp. 87-96).
Albers, P., Camp, O., Percher, J., Jouga, B., Me, L.,
& Puttini, R. (2002). Security in ad hoc networks: A Buttyán, L., & Hubaux, J.-P. (2003). Stimulating
general intrusion detection architecture enhancing cooperation in self-organizing mobile ad hoc
trust based approaches. In Proceedings of the 1st networks. Mobile Networks and Applications,
8(5), 579-592.
Security in Mobile Ad Hoc Networks
Cagalj, M., Ganeriwal, S., Aad, I., & Hubaux, J.-P. Hu, Y.C., Perrig, A., & Johnson, D. (2003b). Rush-
(2004). On cheating in CSMA/CA ad hoc networks ing attacks and defense in wireless ad hoc network
(Tech. Rep. IC/2004/27, EPFL-DI-ICA). Lausanne, routing protocols. In Proceedings of ACM WiSe
Switzerland: Swiss Federal Institute of Technol- 2003, San Diego, (pp. 30-40). ACM Press.
ogy Lausanne.
IEEE. (1999). Standard for wireless LAN-medium
Capkun, S., Buttyan, L., & Hubaux, J.-P. (2003). access control and physical layer specification,
Self-organized public-key management for mobile P802.11.
ad hoc networks. IEEE Transactions on Mobile
Jha, S., Tan, K., & Maxion, R. (2001). Markov
Computing, 2(1), 52-64.
chains, classifiers, and intrusion detection. In
Chan, A.C.-F. (2004). Distributed symmetric Proceedings of the 14th IEEE Computer Security
key management for mobile ad hoc networks. In Foundations Workshop, Cape Breton, Nova Scotia,
Proceedings of the 23rd Annual Joint Confer- Canada, (pp. 206-219).
ence of the IEEE Computer and Communications
Johnson, D.B., Maltz, D.A., & Hu, Y. (2004). The
Societies (INFOCOM), Hong Kong, China, (pp.
dynamic source routing protocol for mobile ad hoc
2414-2424). IEEE.
networks (DSR). INTERNET DRAFT, MANET
Crepeau, C., & Davis, C. R. (2003). A certificate working group. Retrieved November 17th, 2006,
revocation scheme for wireless ad hoc networks. from http://www.ietf.org/internet-drafts/draft-ietf-
In Proceedings of the 1st ACM Workshop Security manet-dsr-10.txt
of Ad Hoc and Sensor Networks, Fairfax, Virginia,
Jones, A. (2000). Game theory: Mathematical
(pp. 54-61). ACM Press.
models of conflict (pp. 210-236). Horwood Pub-
Gupta, V., Krishnamurthy, S., & Faloutsos, M. lishing.
(2002). Denial of service attacks at the MAC layer
Kachirski, O., & Guha, R. (2003). Effective intru-
in wireless ad hoc networks. In Proceedings of
sion detection using multiple sensors in wireless ad
MILCOM.
hoc networks. In Proceedings of the 36th Annual
Hu, Y.C., Johnson, D., & Perrig, A. (2002). SEAD: Hawaii International Conference on System Sci-
Secure efficient distance vector routing for mobile ences (HICSS’03) (pp. 57.1-57.8). IEEE.
wireless ad hoc networks. In Proceedings of the
Kong, J., Zerfos, P., Luo, H., Lu, S., & Zhang, L.
4th IEEE Workshop on Mobile Computing Systems
(2001). Providing robust and ubiquitous security
and Applications (WMCSA ’02), Callicoon, New
support for mobile ad hoc networks. In Proceedings
York, (pp. 3-13).
of the 9th International Conference on Network
Hu, Y.C., Perrig, A., & Johnson, D. (2002). Ari- Protocols (ICNP) (pp. 251 - 260). ACM Press.
adne: A secure on-demand routing protocol for
Konorski, J. (2001). Protection of fairness for
ad hoc networks. In Proceedings of the 8th ACM
multimedia traffic streams in a non-cooperative
International Conference on Mobile Computing
wireless LAN setting. Paper presented at PROMS
and Networking (MobiCom), Atlanta, Georgia,
(LNCS 2213, pp. 116-129). Springer.
(pp. 12-23). ACM Press.
Konorski, J. (2002). Multiple access in ad-hoc wire-
Hu, Y.C., Perrig, A., & Johnson, D. (2003a). Packet
less LANs with noncooperative stations. Network-
leashes: A defense against wormhole attacks in
ing (LNCS 2345, pp. 1141-1146). Springer.
wireless ad hoc networks. In Proceedings of the
Twenty-Second Annual Joint Conference of the Kyasanur, P., & Vaidya, N.H. (2005). Selfish
IEEE Computer and Communications Societies MAC layer misbehavior in wireless networks.
(INFOCOM 2003) (pp. 1976-1986). IEEE. IEEE Transactions on Mobile Computing, 4(5),
502-516.
Security in Mobile Ad Hoc Networks
Lu, B., & Pooch, U.W. (2005). A lightweight au- Distributed Systems Modeling and Simulation
thentication protocol for mobile ad hoc networks. Conference (CNDS 2002), San Antonio, TX.
In Proceedings of the International Conference
Perkins, C.E. (Ed.). (2001). Ad hoc networks. Upper
on Information Technology: Coding and Comput-
Saddle River, NJ: Addison-Wesley.
ing (ITCC’05), Las Vegas, (pp. 546-551). ACM
Press. Perkins, C.E., Belding-Royer, E.M., & Das, S.R.
(2003). Ad hoc on-demand distance vector (AODV)
Mackenzie, A.B., & Wicker, S.B. (2000). Game
routing. Internet request for comments RFC 3561.
theory and the design of self-configuring, adap-
Retrieved November 17th, 2006, from http://www.
tive wireless networks. IEEE Communications
ietf.org/rfc/rfc3561.txt.
Magazine, 39(11), 126-131.
Perkins, C.E., & Bhagwat, P. (1994). Highly dynam-
Mackenzie, A.B., & Wicker, S.B. (2003). Stability
ic destination-sequenced distance-vector routing
of multipacket slotted aloha with selfish users and
(DSDV) for mobile computers. Paper presented at
perfect information. In Proceedings of Infocom
the ACM Conference on Communications Architec-
2003, San Francisco, (pp. 1583 -1590). IEEE.
tures, Protocols and Applications (SIGCOMM ‘94)
Macker, J., & Chakeres, I. (2006). Mobile ad-hoc London, (pp. 234-244). ACM Press.
networks (MANET). Retrieved November 17th,
Perrig, A., Canetti, R., Song, D., & Tygar, D.
2006, from http://www.ietf.org/html.charters/ma-
(2001). Efficient and secure source authentication
net-charter.html
for multicast. In Proceedings of Network and Dis-
Marti, S., Giuli, T., Lai, K., & Baker, M. (2000). tributed System Security Symposium (NDSS’01),
Mitigating routing misbehavior in mobile ad hoc San Diego, CA, (pp. 35-46).
networks. In Proceedings of the 6th ACM Inter-
Perrig, A., Canetti, R., Tygar, D., & Song, D. (2000)
national Conference on Mobile Computing and
Efficient authentication and signing of multicast
Networking (MobiHoc’05), Urbana Champaign,
streams over lossy channels. In Proceedings of
IL, (pp. 255- 265). ACM Press.
IEEE Symposium on Security and Privacy, Berke-
Michiardi, P., & Molva, R. (2002a). CORE: A ley, CA, (pp. 56-73). IEEE
collaborative reputation mechanism to enforce
Perrig, A., Canetti, R., Tygar, D., & Song, D. (2002,
node cooperation in mobile ad hoc networks.
Summer). The TESLA broadcast authentication
Paper presented at the Sixth IFIP Conference on
protocol. RSA CryptoBytes, 5, 2-13.
Security Communications, and Multimedia (CMS
2002), Portoroz, Slovenia. Radosavac, S., Baras, J.S., & Koutsopoulos, I.
(2005). A framework for MAC protocol misbehav-
Michiardi, P., & Molva, R. (2002b). Game theoretic
ior detection in wireless networks. Paper presented
analysis of security in mobile ad hoc networks
at the Wireless Security Workshop (WiSe ‘05),
(Tech. Rep. RR-02-070). Institut Eurecom.
Cologne, Germany, (pp. 33-42).
Mohan, M., & Joiner, L.L. (2004). Solving bill-
Radosavac, S., Cardenas, A., Baras, J.S., &
ing issues in ad hoc networks. In Proceedings of
Moustakides, G. (2006). Detecting IEEE 802.11
ACMSE ’04, Huntsville, AL, (pp. 31-36). ACM
MAC layer misbehavior in ad hoc networks: Ro-
Press.
bust strategies against individual and colluding
Nash, J. (1950). The bargaining problem. Econo- attacker. Journal of Computer Security: Special
metrica, 18, 155-162. The Econometric Society. Issue on Security of Ad Hoc and Sensor Networks
15(2007), 103-128.
Papadimitratos, P., & Haas, Z.J. (2002). Secure
routing for mobile ad hoc networks. Paper pre- Raya, M., Hubaux, J.-P., & Aad, I. (2004). DOM-
sented at the SCS Communication Networks and INO: A system to detect greedy behavior in IEEE
Security in Mobile Ad Hoc Networks
802.11hotspots. In Proceedings of the Second (WiSe ‘03) in conjunction with the 9th Annual
International Conference on Mobile Systems, Ap- International Conference on Mobile Computing
plications, and Services (MobiSys ‘04), Boston, and Networking (MobiCom ‘03), San Diego, (pp.
MA, (pp. 84-97). 69-78). ACM Press.
Rivest, R.L., Adleman, L., & Dertouzos, M.L. Venkatraman, L., & Agrawal, D. (2000). A novel
(1978). On data banks and privacy homomorphisms authentication scheme for ad hoc networks. Paper
(pp. 169-179). Foundations of secure computation. presented at the IEEE Wireless Communications
Academic Press. and Networking Conference (WCNC 2000), Chi-
cago, IL, (Vol. 3, pp. 1268-1273). IEEE.
Salem, N.B., Buttyan, L., Hubaux, J.-P., & Ja-
kobsson, M. (2003). A charging and rewarding Weimerskirch, A., & Thonet, G. (2001). A distrib-
scheme for packet forwarding in multi-hop cel- uted light-weight authentication model for ad-hoc
lular networks. In Proceedings of MobiHoc’03, networks. In Proceedings of 4th International
Annapolis, MD, (pp. 13-24). ACM Press. Conference on Information Security and Cryp-
tology (ICISC 2001), Seoul, Korea, (pp. 341-354).
Sanzgiri, K., Dahill, B., Levine, B.N., Shields, C.,
ACM Press.
& Royer, E.M. (2002). A secure routing protocol for
ad hoc networks. In Proceedings of the 10th IEEE Xu, W., Trappe, W., Zhang, Y., & Wood, T. (2005).
International Conference on Network Protocols The feasibility of launching and detecting jamming
(ICNP’02), Paris, (pp. 78-87). IEEE. attacks in wireless networks. In Proceedings of the
Sixth ACM International Symposium on Mobile Ad
Song, N., Qian, L., & Li, X. (2005). Wormhole
Hoc Networking and Computing (MobiHoc ‘05),
attacks detection in wireless ad hoc networks: A
Urbana Champaign, IL, (pp. 48-57). ACM Press.
statistical analysis approach. In Proceedings of
19th IEEE International Parallel and Distributed Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004).
Processing Symposium (IPDPS ‘05), Denver, CO, Security in mobile ad hoc networks: Challenges
(pp. 289-296). and solutions. IEEE Wireless Communications,
11(1), 38-47.
Srinivasan, V., Nuggehalli, P., Chiasserini, C.F., &
Rao, R.R. (2003). Cooperation in wireless ad hoc Zapata, M.G. (2006). Secure ad hoc on-demand
networks. In Proceedings of IEEE INFOCOM, distance vector (SAODV) routing. INTERNET
San Francisco, (pp. 808-817). DRAFT, MANET working group. Retrieved De-
cember 12th, 2006, from http://www.ietf.org/inter-
Stajano, F., & Anderson, R.J. (1999). The resur-
net-drafts/draft-guerrero-manet-saodv-06.txt.
recting duckling: Security issues for ad-hoc wire-
less networks. In B. Christiano, B. Crispo, & M. Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion
Roe (Eds.), Security Protocols, 7th International detection techniques for mobile wireless networks.
Workshop Proceedings (LNCS, vol. 1796, pp. Wireless Networks Journal (ACM WINET), 9(5),
172-194). 545-556. ACM/Kluwer Press.
Sterne, D., Balasubramanyam, P., Carman, D., Zhong, S., Chen, J., & Yang, Y.R. (2003). Sprite: A
Wilson, B., Talpade, R., Ko, C., et al. (2005). A simple, cheat-proof, credit-based system for mobile
general cooperative intrusion detection architec- ad-hoc networks. In Proceedings of IEEE Infocom,
ture for MANETs. In Proceedings of the 3rd IEEE San Francisco, (pp. 1987-1997). IEEE.
International Workshop on Information Assurance
Zhou, L., & Haas, Z. (1999). Securing ad hoc
(IWIA ‘05), Oahu, HI, (pp. 57-70).
networks. IEEE Network, 6(13), 24-30.
Sun, B., Wu, K., & Pooch, U.W. (2003). Alert aggre-
Zhu, S., Xu, S., Setia, S., & Jajodia, S. (2003).
gation in mobile ad hoc networks. In Proceedings
LHAP: A lightweight hop-by-hop authentication
of the 2003 ACM Workshop on Wireless Security
Security in Mobile Ad Hoc Networks
protocol for ad-hoc networks. In Proceedings of MANET (mobile ad hoc network): An infra-
23rd International Conference on Distributed structure-less, self-organizing network of mobile
Computing Systems Workshops (ICDCSW ‘03), hosts connected with wireless communication
Providence, RI, (pp. 749-755). IEEE. channels. A MANET does not have a fixed topology
because all the hosts can move freely, which results
Zimmermann, P. (1995). The official PGP user’s
in rapid and unpredictable topology change.
guide. MIT Press.
Medium Access Control (MAC): A sublayer
of the data link layer specified in the seven-layer
OSI (open systems interconnection) model. It ad-
kEy tErMs dresses problems of moving data frames across a
shared channel.
Authentication: The processes of verifying
the identity of an entity if it is indeed the entity it Routing: The process of selecting paths in a
declares to be. network along which to send data packets.
Intrusion Detection: The techniques or pro- Security: The concepts, measures, or processes
cesses of detecting inappropriate, incorrect, or of protecting data from unauthorized access or
anomalous activities. disruption.
Key Management: The techniques or processes
of creating, distributing, and maintaining a secret
key, which will be used to protect the secrecy of End notE
communications or to ensure the original data are
not maliciously altered.
1
Signal jamming can also be launched at physi-
cal layer, but it is not within the scope of this
chapter because it is more related to electrical
engineering than computer security.
0
Chapter XXVII
Privacy and Anonymity in
Mobile Ad Hoc Networks
Christer Andersson
Combitech, Sweden
Leonardo A. Martucci
Karlstad University, Sweden
Simone Fischer-Hübner
Karlstad University, Sweden
AbstrAct
Providing privacy is often considered a keystone factor for the ultimate take up and success of mobile ad
hoc networking. Privacy can best be protected by enabling anonymous communication and, therefore,
this chapter surveys existing anonymous communication mechanisms for mobile ad hoc networks. On
the basis of the survey, we conclude that many open research challenges remain regarding anonymity
provisioning in mobile ad hoc networks. Finally, we also discuss the notorious Sybil attack in the context
of anonymous communication and mobile ad hoc networks.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Privacy and Anonymity in Mobile Ad Hoc Networks
communication mechanisms, to, for instance, en- This chapter is structured as follows. First, an
able pseudonymous applications. introduction to privacy, anonymity, and anonymity
This chapter investigates how anonymous metrics is provided in “Background.” Then, exist-
communication can be enabled in mobile ad hoc ing approaches for enabling anonymity in ad hoc
networks (Corson & Macker, 1999); networks networks are described in “Anonymous Commu-
constituted by mobile platforms that establish nication in Mobile Ad Hoc Networks.” In “Survey
on-the-fly wireless connections among themselves of Anonymous Communication Mechanisms for
and ephemera networks without central entities to Ad Hoc Networks” these approaches are evaluated
control it. They are of great importance as they against the aforementioned requirements. Then,
constitute a basic core functionality needed for de- Sybil attacks in the context of anonymous commu-
ploying ubiquitous computing. In short, ubiquitous nication and mobile ad hoc networks are discussed
computing would allow for computational envi- in “Future Trends.” Finally, conclusions are drawn
ronments providing information instantaneously in “Conclusions.”
through “invisible interfaces,” thus allowing
unlimited spreading and sharing of information.
If realized, ubiquitous computing could offer an bAckground
invaluable support for many aspects of our society
and its institutions. However, if privacy aspects are In this section, the concepts of privacy and anonym-
neglected, there is a great likelihood that the end ity and their relation are introduced. Methods for
product will resemble an Orwellian nightmare. quantifying anonymity are also discussed.
In this chapter, we study how privacy and
anonymity issues are tackled today in mobile ad Definitions of Anonymity and Related
hoc networks by surveying existing anonymous concepts
communication mechanisms adapted for mobile
ad hoc networks1. Only recently, a number of such Pfitzmann and Hansen (2006) define anonymity as
proposals have been suggested. In the survey, we “the state of being not identifiable within a set of
evaluate some of these approaches against a set subjects, the anonymity set” (p. 6). The anonymity
of general requirements (Andersson, Martucci, set includes all possible subjects in a given scenario,
& Fischer-Hübner, 2005), which assess to which such as possible senders of a message.
degree these approaches are suitable for mobile Related to anonymity is unlinkability, where
ad hoc networks. We also discuss Sybil attacks unlinkability of two or more items of interest (IOIs,
(Douceur, 2002) in the context of anonymous com- e.g., subjects, messages, events, actions, etc.) means
munication and mobile ad hoc networks. that within the system (comprising these and pos-
Figure 1. Unlinkability between a user in the anonymity set and an item of interest
Messages
Privacy and Anonymity in Mobile Ad Hoc Networks
Figure 2. Setting a path between A and D (through B and C) using layered encryption; PKB and PKC are
the public keys of B and C. KAB and KAC are shared symmetric keys. D is an external receiver
A B:
EPKC{D, KAC}
C learns D
A B C D
sibly other items), from the attacker’s perspective, and a symmetric key shared with the initiating
these items of interest are no more and no less node (see Figure 2). In this way, expensive public
related after his observation than they are related key encryption is only used for constructing the
concerning his a-priori knowledge. (Pfitzmann & path; for data delivery symmetric encryption is
Hansen, 2006, p. 8) used. Messages encrypted in layers are often de-
Anonymity can be defined in terms of unlink- noted message onions. Layered encryption enables
ability: sender anonymity entails that a message anonymity as intermediary nodes do not know
cannot be linked to the sender, while receiver whether their predecessor and successor nodes are
anonymity implies that a message cannot be linked the sender or receiver, respectively.
to the receiver (see Figure 1). An alternative approach, first applied in Crowds
In traditional networks, such as the Internet, (Reiter & Rubin, 1997), is to let the sender select
anonymous communication is often realized by its successor randomly, which in turn flips a biased
anonymous overlay networks, which establish vir- coin to decide whether it should end the path and
tual paths consisting of one or more intermediary connect to the receiver, or extend the path to a
nodes, along which packets are transmitted. Using random node. The flipping of the biased coin is
methods described below, the anonymous overlay repeated until a node decides to connect to the re-
network constructs the paths in such a manner that ceiver (see Figure 3). In this approach, link-to-link
the correlation between the sender and receiver, encryption between intermediary hops in the path
and possibly also the identity of the sender and/or is usually combined with end-to-end encryption.
the receiver, is hidden. This approach enables sender anonymity towards
A classic method enabling anonymity, where network nodes and the receiver, as neither of these
the sender determines the full path, is layered nodes can deduce if the previous node in the path
encryption2: a message is wrapped into several is the sender.
encryption layers. As the message propagates the Another method specifically tailored for pro-
network, these layers are sequentially decrypted viding receiver anonymity is invisible implicit
by each successive node in the path, until the re- addressing (Pfitzmann & Waidner, 1987). Invisible
ceiver decrypts the final layer. Each layer usually implicit addressing hides the identity of the receiver
includes the identity of the next node in the path by first encrypting a message (or a part of it) with
Privacy and Anonymity in Mobile Ad Hoc Networks
the receiver’s public key (or a shared symmetric less the right to informational self-determination
key). Instead of sending the message directly to is affected. Art. 6 (1) of the EU Data Protection
the receiver, the message is then broadcasted to Directive 95/46/EC embodies the principle of data
all nodes in the network, which all must try to minimization by stating that personal data should
decrypt the message. However, only the intended be limited to data that are adequate, relevant, and
receiver will be able to successfully decrypt the not excessive, and by requiring that data should
message. only be kept in a form that permits identification
of data subjects for no longer than it is necessary
on the relation between Privacy and for the purpose for which the data were collected
Anonymity or for which they are further processed. Conse-
quently, technical tools such as privacy-enhancing
Privacy is recognized either explicitly or implicitly technologies should be available to contribute to
as a fundamental human right by most constitutions the effective implementation of these requirements
of democratic societies. Privacy can be defined by providing anonymity and/or pseudonymity for
as the right to informational self-determination, the users and other concerned individuals.
that is, individuals must be able to determine for More specific legal requirements for anony-
themselves when, how, to what extent, and for mization can also be found in the E-Communica-
what purpose personal information about them is tions Privacy Directive 2002/58/EC: Pursuant to
communicated to others. Art.9 of the Directive: location data may only be
In Europe, the right for privacy of individuals processed when they are made anonymous, or with
is protected by the by a legal framework mainly the consent of the user or subscriber to the extent
consisting of the EU Data Protection Directive and for the duration necessary for the provision of
95/46/EC, which defines general privacy re- a value-added service.
quirements, and the E-Communications Privacy
Directive 2002/58/EC, which specifically applies on Measuring Anonymity
for personal data processing within the electronic
communication sector. This section discusses anonymity metrics, which
An important privacy principle is data minimi- quantify the degree of anonymity in a given sce-
zation, stating that the collection and processing nario in the following manner. First, the given
of personal data should be minimized. Clearly, the attacker model, together with the properties of the
less personal data are collected or processed, the anonymous communication mechanism, are passed
Privacy and Anonymity in Mobile Ad Hoc Networks
A classic indicator of anonymity is the size of the anonymity set. This metric is appropriate for mechanisms in which all users are equally likely
to be the sender of a particular message, as in the DC-networks (Chaum, 1988) or Crowds, regarding the Web server (Reiter & Rubin, 1997).
K-anonymity
If a mechanism provides k-anonymity (Sweeney, 2002), k constitutes a lower bound of the anonymity set size n. For example, k = 3 implies that
an attacker cannot exclude more than (n − 3) users from the anonymity set.
Crowds-based metric
In the Crowds-based metric3 (Reiter & Rubin, 1997), anonymity is measured on a continuum, including the points possible innocence (the
probability that a user is not the sender is not negligible), probable innocence (the probability that a user is a sender ≥ 1/2), and beyond suspicion
(the user is not more likely than any other user to be the sender). The analysis is based on the communication patterns in Crowds, and the result
is a probability depending on the anonymity set size and the number of corrupted users.
Entropy-based metrics
In entropy-based metrics (Diaz, Seys, Claessens, & Preneel, 2002; Serjantov & Danezis, 2002), each user is first assigned with a probability of
being the sender of a message. The entropy regarding which user sent the message is then calculated using Shannon’s theories (Shannon, 1948).
The resulting degree is system-wide and may change depending on, for example, changes in the attacker’s knowledge. Diaz et al. solely bases
their analysis on the probability distributions (equally distributed probabilities → max degree of anonymity), while in Serjantov and Danezis
metric, a large anonymity set contribute positively to the degree of anonymity.
as input to the anonymity metric. Then, the metric In reactive routing protocols (Perkins, 2001),
determines the degree of anonymity based using routes between nodes are established on demand,
for example, analysis or by simulation, depending meaning that less packets are circulated in the
on the metric at hand. In Table 1, we summarize network, for example, for status sensing. Also
the most common anonymity metrics. standard reactive routing protocols fail to enable
Although the metrics listed above differs in anonymity. As a proof of concept, consider the
many respects, the main parameters contributing reactive protocols dynamic source routing (DSR)
to the degree of anonymity in all metrics are size of (Johnson & Maltz, 1996) and ad hoc on-demand
anonymity set (anonymity set size and k-anonym- distance vector routing (AODV) (Perkins & Royer,
ity), probability distributions (entropy-based metric 1999).
by Diaz et al.), and both (entropy-based metric
by Serjantov and Danezis and the Crowds-based • In DSR, during route discovery4 the route
metric). request (RREQ) includes the IP addresses
of the sender and receiver in plain. The IPs
Anonymous Communication in Mobile are also disclosed by the route reply (RREP)
Ad Hoc Networks message. During data transfer, the path be-
tween the sender and receiver is included in
In proactive routing protocols (Perkins, 2001), each plain in the packet headers.
node always maintains routes to all other nodes, • Also in AODV, the RREQ and RREP mes-
including nodes to which no packets are being sages disclose the sender and receiver IP
sent. Standard proactive protocols do not enable addresses. Also, routing data at each node
anonymity as all nodes know significant amounts in an active path discloses the receiver IP.
of information about other nodes.
Privacy and Anonymity in Mobile Ad Hoc Networks
This situation applies for virtually any standard anonymity is enabled by invisible implicit ad-
routing protocol. So far, two methods for enabling dressing, meaning in this context that a challenge
anonymous communication in mobile ad hoc net- is included in the RREQ that only the receiver
works have been proposed: anonymous routing can decrypt5.
protocols and anonymous overlay networks. They The main disadvantage with invisible implicit
are explained in the next sections. addressing is that all nodes receiving the RREQ
must try to decrypt the challenge, resulting in
Anonymous routing Protocols considerable overhead (especially as the RREQ
reaches all nodes). When the RREP is propagated
An anonymous routing protocol replaces the stan- back to the sender on the path created by the
dard routing protocol with a protocol preserving corresponding RREQ message, visible implicit
anonymity (see Figure 4). Anonymous routing addressing (Pfitzmann & Waidner, 1987) is often
protocols normally include building blocks for used to hinder nodes other than the sender from
anonymous neighborhood authentication, anony- matching RREP messages with corresponding
mous route discovery, and anonymous data trans- RREQ messages. This is often enabled by includ-
fer. The first phase is not always included; instead ing sequence numbers in the RREP and RREQ so
many approaches assume that other mechanisms that only the sender can conclude that the sequence
offer this service. number of a given RREP corresponds to an earlier
During anonymous neighborhood authentica- sent out RREQ.
tion, nodes establish trust relationships with their During anonymous data transfer, data mes-
neighbors (i.e., nodes within one-hop distance). sages are sent along the paths created during route
“Trust” implies that the nodes prove mutual posses- discovery. Only protocols that use source routing
sion of some valid identifiers, such as certificates, can apply layered encryption, as the sender in this
pseudonyms, public/private key-pairs, or combina- case needs to decide the full path. Else, link-to-link
tions thereof. encryption, possibly combined with end-to-end
The task of anonymous route discovery is to encryption, is normally used.
establish an anonymous path between the sender
and receiver. Sender anonymity is often achieved
through layered encryption. Sometimes, receiver
Trans.
Layer Transp.
Layer
Net- Anonymous
Network
work Routing Protocol Layer
Layer
Privacy and Anonymity in Mobile Ad Hoc Networks
Table 2. Pros and cons with anonymous routing protocols and anonymous overlay networks
Advantages with Anonymous Routing Protocols
They make it possible to control already on the routing level what information is being disclosed during routing. Yet, this does not
exclude the possibility that additional efforts may be needed in upper layers. Also, most approaches use the shortest path between
the sender and receiver.
Disadvantages with Anonymous Routing Protocols
The replacement of the standard routing protocol; this will likely decrease the user base, which degrades anonymity according
to many metrics. Besides, nodes may be exposed if a connection-oriented transport layer is used above the anonymous routing
protocol, as they establish direct connections between nodes.
Advantages with Anonymous Overlay Networks
Flexibility; an anonymous overlay network is independent of the routing protocol and, further, compatible with applications expecting
services from for example, a reliable transport layer.
Disadvantages with Anonymous Overlay Networks
The performance can be expected to be slightly worse as messages are detoured through a set of overlay nodes, instead of being
transmitted on the shortest route between the sender and recipient.
Privacy and Anonymity in Mobile Ad Hoc Networks
Privacy and Anonymity in Mobile Ad Hoc Networks
Privacy and Anonymity in Mobile Ad Hoc Networks
The RREP is created as a message onion. During be build for the reply).
data transfer, it is not specified whether or not the R1. Discount ANODR can be expected to scale
data payload is encrypted. well. However, the bias of the coin flipping
R1. It is unclear how senders and receivers share may have to be adapted if the geographical
symmetric keys. Given that they share a size of the network increases.
key, to solve the challenge in the RREQ, the R2. Discount ANODR provides sender anonymity
receiver against local observers, as the coin flipping
may have to try all keys shared with other and random padding during route discovery
nodes (see R4). Further, other network nodes confuse observers to a certain degree. No
must try all their shared keys to conclude that receiver anonymity.
they are not the intended receiver. Data messages are padded with random
R2. ANODR offers sender and receiver ano- bits.
nymity against observers, path insiders, R3. There are no special nodes and no public
and networks nodes. Senders and receivers encryption on behalf of other nodes.
are not mutually anonymous. ANODR uses R4. Discount ANODR avoids public key encryp-
traffic mixing to thwart observers, where tion and invisible implicating addressing.
messages are independently and randomly The coin flipping may degrade performance
delayed. Yet, traffic patters are leaked as only as nodes on the shortest path may drop the
nodes assumed to forward the RREP does so. RREQ, resulting in nonoptimal paths. Also,
Further, as the payload of data messages is RREP packets can be lost for the same
not altered at intermediary hops, it is trivial reason. Unidirectional paths also hamper
for a global observer to trace data traffic. performance.
R3. Each node must spend considerable resources R5. The nodes have to collectively administrate
when forwarding RREQ packets. two values determining the bias of the coins
R4. There are serious performance issues in deciding whether a node should forward a
ANODR (see R1). RREQ and a RREP, respectively.
Although ANODR has performed reasonably R6. Discount ANODR rebuilds broken paths, but
well in a simulation scenario, problems can does not discuss how to collectively adapt the
be expected in a real world scenario. bias of the coin flipping when the network
R5. No special nodes are needed, and thus AN- characteristics change.
ODR adheres well to the P2P paradigm.
R6. ANODR supports path rebuilding in case of
broken paths. However, it is unclear how new Anonymous routing Protocol for Mo-
nodes should share symmetric keys with old bile Ad Hoc networks (ArM)
nodes
ARM (Seys & Preneel, 2006) aims to foil global
observers by using random time-to-live values and
discount Anonymous on-demand padding for all messages. Senders and receivers
routing (discount Anodr) share one-time pseudonyms. Invisible implicit ad-
dressing hides the receiver by including the secret
Discount ANODR (Yang, Jakobsson, & Wetzel, pseudonym in the RREQ. The RREP is created as
2006) is a low-latency source routing protocol that a message onion. Link-to-link encryption is used
avoids invisible implicit addressing. A random time for data transfer.
to live counter is used for RREQ/RREP messages R1. As a tight synchronization scheme is used
to confuse observers (implemented by flipping between sender and recipients, it is assumed
a biased coin). Data are sent as message onions that senders shares keys and pseudonyms
along unidirectional paths (i.e., a new path must
0
Privacy and Anonymity in Mobile Ad Hoc Networks
with a limited set of receivers. nodes in the network, the more generated
R2. ARM offers sender and receiver anonymity RREQ packets.
against networks nodes, path insiders, and R2. Senders and receivers are not mutually anony-
observers. Senders and receivers have an a- mous as they have an a-priori relationship.
priori relationship. In ARM, data messages Anonymity is offered against path insiders
have a uniform size, RREQ/RREP messages and network nodes, and ASRP alters message
are randomly padded, and RREQ/RREP/data appearance and maintains a uniform message
messages are propagated using random time- size to confuse attackers.
to-live values. The effectiveness of this lim- R3. All nodes spend significant resources when
ited dummy traffic is not formally proven. forwarding RREQ and RREP packets. For
R3. While no nodes perform public key operations, the RREQ, see R1. For propagation of RREP
the amount of nodes forwarding RREQ/ packets, all nodes on the path must perform
RREP and data messages increases due to three public key operations (one private
the random time-to-life values. key decryption and two public key encryp-
R4. If assuming a static environment, there tions).
are no conclusive arguments orthogonal to R4. The performance of ASRP has not been
performance. However, all nodes in ARM simulated. Route discovery can be expected
generate overhead traffic. to offer a low performance, as public key
ARM has not yet been simulated to assess encryption is extensively used.
the performance. R5. No special nodes are needed, and thus ASRP
R5. There are no special nodes in ARM. In a real adheres to the P2P paradigm.
world scenario, central infrastructure may be R6. Path rebuilding in case of broken paths is not
required to realize the assumption that each considered. This means that the expensive
node should possess a unique identifier; it is route discovery process has to be initiated
unclear how this would clash with the P2P for each case of path failure.
paradigm.
R6. The assumption that each node establishes a Privacy Preserving routing (PPr)
broadcast key with its neighbors is problem-
atic when considering dynamic topologies. PPR (Capkun, Hubaux, & Jakobsson, 2004) is a
Further, ARM does not consider path rebuild- proactive protocol for communication between
ing in case of broken paths. ad hoc networks interconnected by fixed access
points (AP). Nodes know each other by temporal
distributed Anonymous secure rout- pseudonyms. In the sender network, nodes main-
ing Protocol (AsrP) tain the shortest path to the AP. In the receiver’s
network, the AP maintain the shortest paths to
ASRP (Cheng & Agrawal, 2006) is a routing pro- the nodes. Routing consists of three parts: uplink
tocol not based on source routing where nodes are (distance vector protocol), inter-station, and down-
known by dynamic random pseudonyms. Invisible link (source routing). In uplink, a sender sends a
implicit addressing (based on public encryption) is message that reaches the AP as a message onion.
used for both RREQ and RREP packets. Data mes- In downlink, the receiver’s AP send an onion to
sages are link-to-link and end-to-end encrypted. It the receiver.
is not specified whether the paths are bidirectional R1. The AP and the CA are the major points of
or unidirectional. workload aggregation in PPR, but as these
R1. All nodes in the network must perform two are centrally offered services, PPR can be
public key operations per RREQ (one private expected to scale well.
key decryption and one public key genera- R2. PPR offers sender and receiver anonymity
tion). This hampers scalability as the more
Privacy and Anonymity in Mobile Ad Hoc Networks
Privacy and Anonymity in Mobile Ad Hoc Networks
Privacy and Anonymity in Mobile Ad Hoc Networks
Table 5. Summary of survey results (left) and summary of anonymity requirement R2 (right)
Privacy and Anonymity in Mobile Ad Hoc Networks
absence of reliable network identifiers may also pairs represent Sybil nodes. One drawback
disrupt routing, as a rouge user could announce with this strategy is that it is unclear how to
false information using multiple {IP, MAC} pairs. prevent a detected attacker from generating
Also, as senders and receivers establish direct new {IP, MAC} pairs and relaunch a new
connections, they are still vulnerable to traffic attack later, as there is no underlying long-
analysis and physical layer oriented attacks (Cap- term identity that can be blocked from the
kun et al., 2004). system.
However, the Sybil attack also poses a threat • Another strategy is to cryptographically
against anonymous routing protocols and anony- guarantee a one-to-one mapping between all
mous overlay networks. For both approaches, the temporal network identifiers seen in a par-
anonymity set denotes the user base. There are some ticular network and corresponding certified
differences though. In an anonymous overlay net- long-term identifiers (Martucci et al., 2008).
work, the anonymity set is used as a pool of nodes To tailor this approach for ad hoc networks,
serving as an input parameter to the path creation the nodes must be able to assert the validity
algorithm. Polluting the anonymity set with many of the temporal identifiers without having
Sybil identities might yield a path only containing to interact with the TTP. Further, to protect
Sybil identities. If this happens, the attacker can privacy, only the TTP should be able to link
easily break anonymity by linking the sender to a temporal identifier to the corresponding
the receiver. In an anonymous routing protocol, long-term identifier and there should be
however, each node only stepwise extends the unlinkability between temporal identifiers
path to another node within a single-hop distance, used in different contexts. The fact that you
until the receiver is reached. Thus, the locations need reliable identifiers to protect against the
of the nodes play a more important role here, and Sybil attack and to provide reliable anony-
as all Sybil identities share the same location, it mous communication has been labeled as the
is difficult for the attacker to force the creation of identity-anonymity paradox (Martucci et al.,
paths in which it controls all nodes. 2006).
Thus, the Sybil attack poses a greater threat
to anonymity in anonymous overlay networks
compared to anonymous routing, although it still conclusIon
poses a great threat to other security properties
for anonymous routing. In mobile ad hoc networks, anonymous com-
munication can either be enabled by anonymous
Mechanisms for detecting the sybil routing protocols or anonymous overlay networks.
Attack in mobile Ad Hoc networks Currently, anonymous routing is the most popular
approach, although future requirements, such as
In this section, we describe two recent propos- flexibility regarding the applications, may raise the
als for thwarting Sybil attacks in mobile ad hoc need for anonymous overlay networks.
networks. We evaluated commonly proposed anonymous
• The fact that Sybil nodes in mobile ad hoc routing protocols and anonymous overlay networks
networks naturally travel together in clusters for mobile ad hoc networks against a set of evalua-
can be used for detecting Sybil attacks (Piro tion criteria and showed that a number of research
et al., 2006). Piro et al. propose a detection challenges remain. For instance, it is difficult to
mechanism in which each node records offer receiver anonymity without using a complex
all encountered {IP, MAC} pairs. If a user and performance-hampering invisible implicit
repeatedly observes a set of {IP, MAC} addressing scheme, and it is further difficult to
pairs sharing the same location, there is an protect against global observers.
increased likelihood that these {IP, MAC} Finally, we introduced Sybil attacks, a notorious
Privacy and Anonymity in Mobile Ad Hoc Networks
threat to all computer networks, including mobile ad Douceur, J. R. (2002). The Sybil attack. In P.
hoc networks. We expect that the area of enabling Druschel, F. Kaashoek, & A. Rowstron (Eds.),
reliable identifiers in a privacy-friendly manner is Peer-to-peer Systems: Proceedings of the 1st
an interesting future research area. International Peer-to-Peer Systems Workshop
(IPTPS) (pp. 251-260). Springer-Verlag.
Goldschlag, D. M., Reed, M. G., & Syverson, P.
rEfErEncEs F. (1996). Hiding routing information. Informa-
tion hiding (LLNCS 1174, pp. 137-150). Springer-
Andersson, C., Martucci, L. A., & Fischer-Hübner,
Verlag.
S. (2005). Requirements for privacy: Enhance-
ments in mobile ad hoc networks. In Proceedings Jiang, S., Vaidya, N. H., & Zhao, W. (2004). A
of the 3rd German Workshop on Ad Hoc Networks mix route algorithm for mix-net in wireless mobile
(WMAN 2005) (pp. 344-348). Gesellschaft für ad hoc networks. In Proceedings of the 1st IEEE
Informatik (GI). International Conference on Mobile Ad Hoc and
Sensor Systems (MASS 2004).
Boukerche, A., El-Khatib, K., Xu, L., & Korba, L.
(2004). A novel solution for achieving anonymity Johnson, D. B., & Maltz, D. A. (1996). Dynamic
in wireless ad hoc networks. In Proceedings of the source routing in ad hoc wireless networks. In
7th ACM International Symposium on Modeling, Computer Communications Review: Proceed-
Analysis and Simulation of Wireless and Mobile ings of the ACM SIGCOMM’96 Conference on
Systems (pp. 30-38). Communications Architectures, Protocols and
Applications.
Capkun, S., Hubaux, J. P., & Jakobsson, M. (2004).
Secure and privacy-preserving communication in Kong, J., Hong, X., Sanadidi, M. Y., & Gerla, M.
hybrid ad hoc networks (EPFL-IC Tech. Rep. No. (2005). Mobility changes anonymity: Mobile ad
IC/2004/10). Lausanne, Switzerland: Laboratory hoc networks need efficient anonymous routing.
for Computer Communications and Applications In Proceedings of the 10th IEEE Symposium on
(LCA)/Swiss Federal Institute of Technology Computers and Communications (ISCC 2005).
Lausanne (EPFL).
Levine, B. N, Shields, C., & Margolin, N. B.
Chaum, D. (1981). David Chaum: Untraceable (2006). A survey of solutions to the Sybil attack
electronic mail, return addresses, and digital (Tech. Rep. 2006-052). Amherst, MA: University
pseudonyms. Communications of the ACM, 24(2), of Massachusetts Amherst.
84-88.
Martucci, L. A., Andersson, C., & Fischer-Hübner,
Cheng, Y., & Agrawal, D. P. (2006). Distributed S. (2006). Chameleon and the identity-anonymity
anonymous security routing protocol in wireless paradox: Anonymity in mobile ad hoc networks.
mobile ad hoc networks. Paper presented at the In Short-Paper Proceedings of the 1st Interna-
OPNETWORK 2005. tional Workshop on Security (IWSEC 2006) (pp.
123-134).
Corson, M. S., & Macker, J. (1999). Mobile ad hoc
networking (MANET): Routing protocol perfor- Martucci, L., Kohlweiss, M., Andersson, C.,&
mance issues and evaluation considerations (RFC- Panchenko, A. (2008). Self-certified Sybil-free
2501), Internet RFC/STD/FYI/BCP Archives. pseudonyms. In 1st ACM Conference on Wireless
Network Security (WiSec 2008).
Dıaz, C., Seys, S., Claessens, J., & Preneel, B.
(2002). Towards measuring anonymity. In Pro- Perkins, C. E. (2001). Ad hoc networking. Addison-
ceedings of the Workshop on Privacy Enhancing Wesley Professional.
Technologies (PET 2002) (LNCS 2482). Springer-
Perkins, C. E., & Royer, E. M. (1999). Ad-hoc on
Verlag.
demand distance vector routing. In Proceedings
Privacy and Anonymity in Mobile Ad Hoc Networks
of the 2nd IEEE Workshop on Mobile Computing Yang, L., Jakobsson M., & Wetzel, S. (2006). Dis-
Systems and Applications (WMCSA ‘99). count anonymous on demand routing for mobile
ad hoc networks. In Proceedings of SecureComm
Pfitzmann, A., & Hansen, M. (2006) Anonymity,
2006, Baltimore, MD.
unlinkability, unobservability, pseudonymity, and
identity management: A consolidated proposal for Zhang, Y., Liu, W., & Lou, W. (2005). Anonymous
terminology v0.27. Retrieved April 25, 2007, from communication in mobile ad hoc networks. In
http:// dud.inf.tu-dresden.de/literatur/Anon_Ter- Proceedings of the 24th Annual Joint Conference
minology_v0.28.doc of the IEEE Communication Society (INFOCOM
2005), Miami.
Pfitzmann, A., & Waidner, M. (1987). Networks
without user observability. Computers and Secu-
rity, 6(2), 158-166.
Piro, C., Shields, C., & Levine, N. L. (2006). De-
kEy tErMs
tecting the Sybil attack in mobile ad hoc networks.
Anonymity: The state of being not identifiable
In Proceedings of the IEEE/ACM International
within a set of subjects.
Conference on Security and Privacy in Commu-
nication Networks (SecureComm). Anonymity Metrics: Metrics for quantifying
the degree of anonymity in a scenario.
Reiter, M., & Rubin, A. (1997). Crowds: Anonymity
for Web transactions. Technical report No. 97-15, Mobile Ad Hoc Network: Networks consti-
DIMACS (pp. 97-115). tuted of mobile devise which may function without
the help of central infrastructure or services.
Serjantov, A., & Danezis, G. (2002). Towards
and information theoretic metric for anonymity. Privacy: The right to informational self-de-
In Proceedings of the Workshop on Privacy En- termination, that is, individuals must be able to
hancing Technologies (PET 2002) (LNCS 2482) determine for themselves when, how, to what
.Springer-Verlag. extent, and for what purpose personal information
about them is communicated to others.
Seys, S., & Preneel, B. (2006). ARM: Anonymous
routing protocol for mobile ad hoc networks. In Receiver Anonymity: Implies that a message
Proceedings of International Workshop on Per- cannot be linked to the receiver.
vasive Computing and Ad Hoc Communications
(PCAC ‘06). Sender Anonymity: Means that a message
cannot be linked to the sender.
Shannon, C. E. (1948). A mathematical theory of
communication. The Bell System Technical Jour- Unlinkability: If two items are unlinkable,
nal, 27, 379-423. they are no more or less related after an attacker’s
observation than they are related concerning the
Song, R., Korba, L., & Yee, G. (2005). AnonDSR: attacker’s a-priori knowledge.
Efficient anonymous dynamic source routing for
mobile ad-hoc networks. In Proceedings of the 2005
ACM Workshop on Security of Ad Hoc and sensor
Networks (SASN 2005) (pp. 32-42). Alexandria. End notEs
Sweeney, L. (2002). k-Anonymity: A model for 1
As devices in ad hoc networks are responsible
protecting privacy. International Journal on for their own services, including security and
Uncertainty, Fuzziness and Knowledge-based routing, protocols for anonymous communi-
Systems, 10(5), 557-570. cation for wired networks are not suitable for
ad hoc networks, not even those based on the
Privacy and Anonymity in Mobile Ad Hoc Networks
6
peer-to-peer paradigm (P2P) (Andersson et In the survey, we omit approaches relying on
al., 2005). the existence of either a positioning device
2
This method is sometimes also called tele- (e.g., GPS) in the mobile devices or a location
scope encryption. A public key based version server in the mobile ad hoc network.
7
of the method was initially introduced by A global observer is an observer that is capable
Chaum (1981). Onion Routing, which only of observing all networks traffic in the whole
uses public key encryption for setting the network.
8
path, and then relies on symmetric encryp- Note that no anonymity is provided against
tion, was later proposed by Goldschlag, Reed, the access points (not included in attacker
and Syverson (1996). model).
3
The Crowds-based metric was developed 9
Batching and reordering traffic to hide the
for Crowds, but has since been used in other correlation between incoming and outgoing
contexts. traffic.
4 10
This denotes the process of setting a path No sender anonymity if path length is one.
11
between the sender and a receiver. First, the No receiver anonymity against last mix on
sender floods a route request (RREQ) into the path.
12
the network, which triggers the sending of It is commonly believed that omnipresent
a route reply (RREP) from the receiver to protection against a global observer can only
the sender. During the propagation of the be achieved if all nodes transmit a constant
RREQ and RREP, respectively, the path is flow of traffic, requiring massive usage of
interactively formed. dummy traffic.
5
In the context of mobile ad hoc networks,
this method is often referred to as a global
trapdoor.
Chapter XXVIII
Secure Routing with
Reputation in MANET
Tomasz Ciszkowski
Warsaw University, Poland
Zbigniew Kotulski
Warsaw University, Poland
AbstrAct
The pervasiveness of wireless communication recently gave mobile ad hoc networks (MANET) signifi-
cant researchers’ attention, due to its innate capabilities of instant communication in many time and
mission critical applications. However, its natural advantages of networking in civilian and military
environments make it vulnerable to security threats. Support for anonymity in MANET is orthogonal
to a critical security challenge we faced in this chapter. We propose a new anonymous authentication
protocol for mobile ad hoc networks enhanced with a distributed reputation system. The main objective
is to provide mechanisms concealing a real identity of communicating nodes with an ability of resist-
ance to known attacks. The distributed reputation system is incorporated for a trust management and
malicious behaviour detection in the network.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Secure Routing with Reputation in MANET
0
Secure Routing with Reputation in MANET
scope of security considerations was significantly and should assure a self-configurable principle
limited, such as AODV, DSR, DSDV, and LSP of MANET, which is an important and challeng-
(Royer et al., 1999). A complete protection from ing task for the nowadays research (Hu & Perrig,
various attacks in MANET takes into account ac- 2004; Mangipudi, Katti, & Fu, 2006; Yang et al.,
tions such as prevention, detection, and reaction. 2004).
The prevention is usually achieved by means of Even though the many solutions for mobile ad
secure routing protocols (path discovery and main- hoc networks ensure secure communications (Hu
tenance), while the abnormal behaviour detection & Perrig, 2004; Yang et al., 2004), very few of them
is performed by monitoring end-to-end communi- address privacy guaranties as complementary to
cation or by overhearing the local neighbourhood. a strict security approach (Kong, Hong, & Gerla,
In both cases the security extensively employs 2005). The main objective of the anonymous
different cryptographic primitives authenticating communication in mobile ad hoc network is to
routing messages (Hu & Perrig, 2004; Yang, Luo, provide privacy for all of its users represented by
Ye, Lu, & Zhang, 2004). The main difference be- the nodes. Demanding for anonymity imposes a
tween authentication schemes was characterized series of requirements for protocol construction and
in the following list: creates the new types of attacks. A set of formal
notions of the anonymity and its related properties
• First method takes advantage of a single can be found by Chaum (1981) and Pfitzmann and
shared session key widely distributed in the Hansen (2005), where the authors characterize a
group of MANET nodes, for example, used general anonymous system with identity man-
in secure routing protocol (SRP) (Papadimi- agement designed for fixed network topology but
tratos & Haas, 2002). This approach does not easily applicable for MANET. ANODR protocol
provide anonymity and is vulnerable to single (Kong & Hong, 2003) delivers a full irrevocable
node compromise. anonymity based on symmetric cryptography
• Second method assumes sharing pair-wise primitives. Note that the pure anonymity of the us-
keys between all nodes in the networks and is ers limits the accountability for malicious activity
used for HMAC in Ariadne (Hu et al., 2002). in the network. In order to avoid such a restriction
It suffers from lack of scalability and in this a revocable anonymity was introduced which is
case of N nodes; N(N-1)/2 keys are required based on pseudonyms managed by trusted third
priory to allow communication. party, as it was proposed in ANAP (Ciszkowski
• Third approach makes use of scalable public & Kotulski, 2006), MASK (Zhang et al., 2005),
key cryptography where digital certificates and SDAR (Boukerche, 2004). Authors of SDAR
and signatures allow the mobile nodes to be identified that anonymous MANET is an environ-
mutually authenticated (Sanzgiri, Dahill, ment suffering from the lack of personal and direct
Levine, Shields, & Belding-Royer, 2002; incentives to be well cooperative between nodes.
Zapata & Asokan, 2002). It is a principle In order to overcome this important vulnerability,
method for secure routing in ARAN, SEAD, SDAR was proposed: a node’s trust management
and SAODV. Although this method is linearly system providing a scoring of node’s local activ-
scalable when a node’s number increases, its ity whereby during the communication the most
flexibility and efficiency may suffer from trustful nodes were promoted.
vulnerability to denial-of-service (DoS) at- In the anonymous communication in the mobile
tacks and computation overhead. ad hoc networks the trust management is used for
misbehaviour detection and nodes evaluation. This
All of aforementioned methods assume exis- evaluation creates a long-term node assessment
tence of trusted authority TA (certifying authority called a reputation. A reputation is known from
CA) dealing with a key setup phase. The online e-market mostly thanks to online auctioning sys-
and distributed TA supports key management tems, but in terms of MANET, it was defined by
Secure Routing with Reputation in MANET
Secure Routing with Reputation in MANET
Secure Routing with Reputation in MANET
Figure 1. Model of distributed reputation system providing the following vector metrics: own experience
OEB(A), votes VB(A), service reputation SRB(A), cumulative reputation CRB(A) and path reputation
PRB(A)
B
SR (A) CR B(A)
B
V (A)
OE B(A)
B AA
B
V (A)
B
PR (A)
Secure Routing with Reputation in MANET
depends on a set of weighted metrics m monitored taking into account the information reputation (IR)
by a node during network packets exchanging. A of recommending nodes. Considering a set GV of
metrics vector corresponds to all kinds of detect- voting nodes on A, the node B takes into account
able observations such as every overheard packet only nodes with positive IR. Own information
modifications, attacks (DoS, reply attack, etc.), is usually more valuable (Kong et al., 2005; Bu-
and network quality of service (QoS) parameters, chegger, 2005), hence scaling factor ∈< 0,1 > is
for example, transmission delay and packet drops. introduced to the formula:
This set of direct measurement is evaluated by
expectation function E, which allows the assigning SRnB ( A) = OEnB ( A) + (1 − )
∑ p∈GV \ B
IRnB ( p )VnBp ( A)
, IRn ( p ) > 0
of different importance factor to a particular type ∑ p∈GV \ B
IRnB ( p )
Secure Routing with Reputation in MANET
∑
L −1
CRnB ( A) =
∑ V Bp ( A)
p∈GAV \GBV n
, IRn ( p ) > 0
RˆiO = n =0
OEnOEn−i (10)
GAV \ GAB RˆiV =∑
L −1
VV
(6) n =0 n n −i (11)
where GBV and GAV are sets of nodes being Defined distance functions for every new vote
in neighbourhood of respectively node B and A. V provide a measure of correlation change be-
Every time a source node wants to send data to tween own experience and already known history
an immediate node it calculates a path reputation of votes from a particular node. Any attempt of
(PR) as a product of service reputation, combin- voting unrelated to the historical observation will
ing own and immediate nodes experience and be observed by substantial increase of distance
cumulative reputation: function DV. Additionally we can observe how
much our own experience differ from the received
PRnB ( A) = SRnB ( A)CRnB ( A) (7) by neighbour nodes analyzing value of DO. These
two metrics should be taken into account if their
A set of path with the highest PR is selected values exceed some threshold separately defined
for communication. For path, which PR falls for each of them ThO, ThV. In the case where the
below zero, a communication channel should be abnormal behaviour is detected following actions
closed. may be undertaken:
A trust history evolution of own and immedi-
ate nodes is stored at every node in appropriate • DO > ThO and DV >ThV - the votes from misbe-
reputation parameters, represented by L-length haved nodes are rejected and their information
vectors. This set of information is used for vali- reputation is arbitrary decreased.
dating incoming second-hand votes by means of • DO < ThO and DV >ThV - the votes are accepted
correlation analysis. Note, the own experience but service reputation (SR) is updated with
vector OE is a weighed moving average process higher scaling factor a. This less restrictive
(MA) of the order L. The γ function coefficients approach gives an ability to react to dynami-
determine the dynamic of changes in MA process cally changing reputation but prevents too
and make the all observation jointly dependent. As fast malicious attacks from targeting too
it was defined in Equations 4 and 5 the correla- discrediting nodes.
tion is propagated to the service reputation (SR) • DO > ThO and DV <ThV - in this case a node
and information reputation (IR) (indirectly by IR reaction should be similar to the previous
influence to CR and PR). anomaly, however, it may be symptomatic of
The correlation validation is based on autocor- long term attack against reputation service
relation functions of own experience R̂nV second- by nodes being in collusion.
hand information R̂nO and distance functions,
respectively O and V: Every node during messages exchanging col-
lects its own experience of elementary interactions
∑
L −1
DO = i =0
( RˆiO −RˆiV+1 ) 2 (8) STE. The following list describes types of behav-
iour that can be taken into consideration during
=∑
L −1
DV i =0
( RˆiV −RˆiV+1 ) 2 (9) reputation building:
where R̂nO and R̂nV are estimators of autocor- • Forwarding: During network operations
relation function know as a convolution time series nodes are able to verify integrity of messages
evaluated for a linear and stationary system, such anonymously forwarded in behalf of them
as a reputation system: by overhearing the first intermediate node.
Every message tampering, delays, double
Secure Routing with Reputation in MANET
relays, and dropping are detected as a mali- class of new attacks will appear focusing on the
cious behaviour. reputation system. Keeping in mind that the se-
• Receiving: Every obtained message that curity of the every system depends on its weakest
could not be successfully verified, repeated point, the potential vulnerabilities of the reputation
messages and break down paths without error system may be treated as an important challenge
message notification coming form involved for the future research. Two interesting forms of
immediate node should be treated as untrust- attacks for the reputation system may be Sybil
worthy. and Collusion attack. In the case of first, the at-
• Anonymous path establishing: In case tacker takes advantage of using multiple identities
of ANAP, an anonymous path establishing by adversary’s node, while in the second several
a three-pass process and in every phase malicious nodes are in collusion. In both cases it
multilayered operations are performed. By is highly possible that own experience and shared
default every request packet REQ should be reputation may be affected by these attacks. Pro-
forwarder only once by every node. In the posed by us, autocorrelation analysis for anomaly
case of detection of behaviour inconsistent detection in reputation recommendations may not
with this rules or obtaining multiple copies be sufficiently sensitive to cope with mentioned
of reply REP or error ERR messages, the attacks. Now, a statistical method validation of
reputation system should be informed. recommendation, such as the cross-validation
• Recommendation exchanging: Sharing a (Hildebrand et al., 1977), has been proposed and
reputation between nodes allows to compare is being developed. It is a very promising direc-
an own experience with a given by recom- tion of research, since the cross-validation is very
mending nodes. In the case when the one of flexible and easily applicable for complex data.
the votes differs much from the rest voters On the other hand, the method is mathematically
there exists presumption of node discrediting. rigorous, so the obtained results are verifiable and
Additional statistical cross-validation (Hil- easy to implement.
debrand, Laing, & Rosenthal, 1977) methods Another interesting area is the secure routing
may be used for this case evaluation. in MANET enforced by an ontology-based reputa-
tion system (Caballero, Botia, & Gomez-Skarmeta,
The interaction of the presented reputation 2006). A conceptual-based reputation may be
system with the anonymous authentication proto- identified as a reputation created for different types
col is performed ensuring the purely anonymous of services provided in MANET with an ability of
communication. The reputation information is creating a similarity measures between them. This
exchanged between nodes in on-demand manner approach in a natural way improves the model of
of interested node, encrypted by public key of incentives for the ad hoc communication giving
message originator. This ensures that recommen- ability to treat MANET networks as a service
dation sharing is hidden and may be read only by oriented.
legitimated recipients. At the moment several applications apart from
strict MANET paradigm take advantage of the
dynamic ad hoc routing phenomenon and make
futurE trEnds use of it in an akin to MANET wireless environ-
ments such as wireless mesh networks or vehicular
In the contemporary information society the mobile ad hoc networks (VANET). This example shows
ad hoc networks is a promising and very attractive that researching in the MANET’s area may bear
alternative for wireless access networks. Proposed unlimited applications.
in the last section, a solution for managing routing
in secure MANETs is based on the distributed
reputation system. We expect in the near future a
Secure Routing with Reputation in MANET
concludIng rEMArks Boukerche, A., El-Khatiba, K., Xua, L., & Korba,
L. (2005). An efficient secure distributed anony-
In this chapter we presented a new approach of mous routing protocol for mobile and wireless ad
distributed reputation-based secure routing mecha- hoc network. Computer Communications, 28(10),
nism in MANET. In the background section the 1193-1203.
main concepts of secure and anonymous mobile
Buchegger, S. (2005). Self-policing mobile ad hoc
ad hoc networks were presented. The overview
networks by reputation systems. IEEE Communi-
of applied authentication schemes in secure MA-
cations Magazine, 43(7), 101-107.
NET was analyzed giving an introduction to trust
management and reputation basis as a mean for Buchegger, S., & Le Boudec, J.-Y. (2002, June).
detecting misbehaviour and improving the routing Performance analysis of the CONFIDANT pro-
performance. tocol: Cooperation of nodes fairness in dynamic
In the main part of this chapter we focused on ad-hoc networks. In Proceedings of IEEE/ACM
a new proposal of a distributed reputation system, Symposium on Mobile Ad Hoc Networking and
which was an extension of the Liu and Issarny Computing (MobiHOC), Lausanne, Switzerland,
(2004) model and which was introduced in the (pp. 226-236).
anonymous authentication protocol for mobile ad
Caballero, A., Botia, J. A., & Gomez-Skarmeta,
hoc networks (Ciszkowski & Kotulski, 2006). We
A. F. (2006). A new model for trust and reputation
emphasized in the proposal the method of evaluat-
management with an ontology based approach for
ing recommendation reputation considering the
similarity between tasks. In K. Fischer, I. J. Timm,
past experience and recommendation reputation
E. André, & N. Zhong (Eds.), Multi-agent System
of voters. We defined two types of the second-
Technologies, 4th German Conference, MATES
hand information, related to the immediate nodes
2006, Erfurt, Germany, (LNCS 4196, pp. 172-183).
and cumulative reputation, describing aggregated
Berlin: Springer.
reputation of immediate nodes’ neighbourhood.
Second-hand information is exchanged on demand Chaum, D. (1981). Untraceable electronic mail,
of interested nodes. In order to detect the malicious return addresses, and digital pseudonyms. Com-
activity and any anomalies in the information munications of the ACM, 24(2), 84-88.
exchange we incorporated the second-hand recom-
mendation validation by the statistical correlation Ciszkowski, T., & Kotulski, Z. (2006). ANAP:
approach. Anonymous authentication protocol in mobile ad
We pointed out the the security in MANET is hoc networks. Paper presented at the 10th Domestic
a primary concern for researchers, in particular Conference on Applied Cryptography ENIGMA,
this becomes a very important issue since several Warsaw, Poland, (pp. 191-203).
applications apart from strict MANET commu- Hildebrand, D. K., Laing, J. D., & Rosenthal, H.
nication model take advantage of the dynamic ad (1977). Prediction analysis of cross classification.
hoc routing phenomenon. New York: John Wiley & Sons.
Hu, Y., & Perrig, A. (2004). A survey of secure
rEfErEncEs wireless ad hoc routing. IEEE Security & Privacy
Magazine, 2(3), 28-39.
Blaze, M., Feigenbaum, J., & Lacy, J. (1996). De- Hu, Y.-C., Perrig, A., & Johnson, D. B. (2005).
centralized trust management. In Proceedings of Ariadne: A secure on-demand routing protocol
the IEEE Symposium on Security and Privacy (p. for ad hoc networks. Wireless Networks, 11(1-2),
164). IEEE Xplore. 21-38.
Secure Routing with Reputation in MANET
Huang, C., Hu, H., & Wang, Z. (2006, September Liu, J., & Issarny, V. (2004, March 29-April 1).
3-6). A dynamic trust model based on feedback Enhanced reputation mechanism for mobile ad hoc
control mechanism for P2P applications. In L. T. networks. In C. Jensen, S. Poslad, & T. Dimitra-
Yang, H. Jin, J. Ma, & T. Ungerer (Eds.), Pro- kos (Eds.), Proceedings of Second International
ceedings of Third International Conference on Conference on Trust Management (iTrust 2004),
Autonomic and Trusted Computing (ATC 2006), Oxford, UK, (LNCS 2995, pp. 48-62). Berlin:
Wuhan, China, (LNCS 4158, pp. 312-321). Berlin: Springer.
Springer.
Mangipudi, K., Katti, R., & Fu, H. (2006). Authen-
Hussain, F., Chang, E., & Dillon, T. S. (2004, tication and key agreement protocols preserving
March). Classification of trust in logistic peer-to- anonymity. International Journal of Network
peer communication. In Proceedings of the IEEE Security, 3(3), 259-270.
International Conference on Sciences of Elec-
Nilsson, N. J. (1986). Probabilistic logic. Artificial
tronic, Technologies of Information and Telecom-
Intelligence, 28(1), 71-87.
munications (SETIT 2004), Tousse, Tunisia.
Papadimitratos, P., & Haas, Z. (2002, January 27-
Johnson, D. B. (1994). Routing in ad hoc networks
31). Secure routing for mobile ad hoc networks. In
of mobile hosts. In Proceedings of IEEE Workshop
Proceedings of the SCS Communication Networks
on Mobile Computing Systems and Applications
and Distributed Systems Modelling and Simulation
(pp. 158-163). IEEE Press.
Conference (CNDS 2002), San Antonio, (pp.192-
Jøsang, A. (2002, July). Subjective evidential 204).
reasoning. In Proceedings of the 9th Interna-
Perkins, C., & Royer, E. (1999, February). Ad hoc
tional Conference on Information Processing and
on-demand distance vector routing. In Proceedings
Management of Uncertainty in Knowledge-Based
of the 2nd IEEE Workshop on Mobile Computing
Systems (IPMU 2002), Annecy, France.
Systems and Applications, New Orleans, (pp.
Kong, J., & Hong, X. (2003). ANODR: Anony- 90-100).
mous on demand routing with untraceable routes
Pfitzmann, A., & Hansen, M. (2005). Anonymity,
for mobile ad-hoc networks. In Proceedings of
unobservability, pseudonymity, and identity man-
the 4th ACM International Symposium on Mobile
agement: A proposal for terminology. Retrieved
Ad Hoc Networking & Computing (MobiHoc03),
October 4, 2007, from http://dud.inf.tu-dresden.
Annapolis, MD, (pp. 291-302).
de/Literatur_V1.shtml
Kong, J., Hong, X., & Gerla, M. (2005). Mobil-
Royer, E., & Toh, C. (1999, April). A review of
ity changes anonymity: Mobile ad hoc networks
current routing protocols for ad hoc mobile wire-
need efficient anonymous routing. In Proceed-
less networks. IEEE Personal Communications,
ings of 10th IEEE Symposium on Computers and
6(2), 46-55.
Communications (ISCC 2005) (pp. 57-62). IEEE
Computer Society. Sanzgiri, K., Dahill, B., Levine, B. N., Shields, C., &
Belding-Royer, E. M. (2002, November). A secure
Lee, K.-M., Hwang, K.-S., Lee, J.-H., & Kim, H.
routing protocol for ad hoc networks. In Proceed-
J. (2006, September). A fuzzy trust model using
ings of 10th IEEE International Conference on
multiple evaluation criteria. In L. Wang, L. Jiao,
Network Protocols (pp. 78-87). IEEE Press.
G. Shi, X. Li, & J. Liu (Eds.), Proceedings of Third
International Conference on Fuzzy Systems and Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004).
Knowledge Discovery (FSKD 2006) (LNCS 4223, Security in mobile ad hoc networks: Challenges
pp. 961-969). Berlin: Springer. and solution. IEEE Wireless Communications,
11(1), 38-47.
Secure Routing with Reputation in MANET
Zapata, Z. G., & Asokan, N. (2002). Securing ad MANET: Mobile ad hoc network is a self-con-
hoc routing protocols. In Proceedings of ACM figuring network of freely moving nodes connected
Workshop on Wireless Security (WiSe 2002) (pp. by wireless links that can constitute a path joining
1-10). ACM Press. two arbitrary nodes of the network.
Zhang, Y., Liu, W., & Lou, W. W. (2005). Anony- Privacy: The ability of keeping secret some-
mous communications in mobile ad hoc networks one’s identity, resources, or actions. It is realized
(INFOCOM 2005). In Proceedings of 24th An- by anonymity and pseudonymity.
nual Joint Conference of the IEEE Computer and
Pseudonymity: Hides the user’s real identity be-
Communications Societies (Vol. 3, pp. 1940-1951).
hind some virtual identity called a pseudonym.
Proceedings IEEE.
Reputation: Perceived grade of trustworthiness
Zimmermann, J. (1994). PGP user’s guide. Cam-
to a particular peer created by their historical be-
bridge: MIT Press.
haviour during observations and interactions with
third party peers in the given context and time
Routing: A method of selecting a path (a chain
kEy tErMs of links between neighbouring nodes) from a source
node to a destination node. One can distinguish two
Anonymity: Aims at hiding an entity’s identity groups of protocols designed for MANET: reactive
completely. (on-demand) and proactive (table-driven). The first
Anonymous Authentication: A method of type tries to resolve a path to a destination node
proving that someone has rights to certain ac- on the source node demand, whereas the second
tions or resources without disclosing the user’s approach is more preventive and continuously
real identity. keeps routing tables up to date by monitoring the
nearest neighbourhood.
Attacks: Attacks on MANET can destroy avail-
ability of nodes (attacks on routing) and contest Security: Security of a system means that the
reputation of nodes. system does exactly what it is designed to do and
nothing else, even in a case of attack. Secure MA-
Authentication: A method of proving some- NET enables reliable routing: privacy of communi-
one’s identity, especially if that someone is an cation with immediate degree of authentication of
authorized user of processes or resources. the parties of the information exchange process.
Collusion Attack: If a number of adversary Sybil Attack: When one adversary node uses
nodes make a coalition against reputation of other several identities to multiply its ability of rating
nodes. other nodes in MANET.
Cross-validation: A statistical method derived Trust: A subjective probability of a one peer
from cross-classification which main objective is (trustee) so that particular actions of another peer
to detect the outlying point in a population set. It is (trusted) they are willing and capable to perform
a candidate method for anomalies detection in the will be done according to trustee’s expectations
reputation sharing (recommendations) and regular in the given context and time
communication in MANET. Denial-of-Service
(DoS) attack: An attempt of keeping an access to VANET: A form of mobile ad hoc network, to
computer resources (nodes) unavailable, especially provide communications among nearby vehicles
by generating dummy traffic from one source and between vehicles and nearby fixed equipment,
(DoS) or a large number of sources (distributed usually described as roadside equipment.
DoS [DDoS]).
0
Chapter XXIX
Trust Management and
Context-Driven Access Control
Paolo Bellavista
University of Bologna, Italy
Rebecca Montanari
University of Bologna, Italy
Daniela Tibaldi
University of Bologna, Italy
Alessandra Toninelli
University of Bologna, Italy
AbstrAct
The increasing diffusion of wireless portable devices and the emergence of mobile ad hoc networks promote
anytime and anywhere opportunistic resource sharing. However, the fear of exposure to risky interac-
tions is currently limiting the widespread uptake of ad hoc collaborations. This chapter introduces the
challenge of identifying and validating novel security models/systems for securing ad hoc collaborations,
by taking into account the high unpredictability, heterogeneity, and dynamicity of envisioned wireless
environments. We claim that the concept of trust management should become a primary engineering
design principle, to associate with the subsequent trust refinement into effective authorization policies,
thus calling for original and innovative access control models. The chapter overviews the state-of-the-
art solutions for trust management and access control in wireless environments by pointing out both
the need for their tight integration and the related emerging design guidelines, that is, exploitation of
context awareness and adoption of semantic technologies.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Trust Management and Context-Driven Access Control
Trust Management and Context-Driven Access Control
on assumptions that are unacceptable in these class principle that explicitly guides both policy
environments (Cahill et al., 2003; Capra, 2004). In specification and enforcement; it is not possible to
fact, in traditional distributed systems trust deci- define a policy without the explicit specification of
sions can be delegated to centralized and trusted the context making the policy valid. The second
third parties with full visibility and control over main requirement is the full integration of novel
the whole trust management domain (most entities trust models/solutions with trust-dependent (pos-
are fixed and statically known). On the contrary, sibly context-aware) access control policies. That
in the wireless Internet the lack of both a globally integration represents the most significant goal in
available trust management infrastructure and the state-of-the-art research in security for ad hoc
clearly defined administrative boundaries calls wireless collaborations, with currently only a very
for fully decentralized and self-organized trust few proposals at an early stage.
solutions. Moreover, trust management solutions The achievement of secure, open, and dynamic
are effective as far as it is possible to bind trust wireless collaborations requires not only proper
opinions to security decisions. We claim that trust trust and access control models, but also shared
management should be considered as the key and interoperable vocabularies for trust and ac-
starting point for subsequent refinement of trust cess control specifications to avoid inconsistent
into security policies related to authorization and interpretations. Some initial research efforts tend
security management. In particular, authorization to propose the adoption of ontological technologies
can be seen as the outcome of the refinement of as a significant guideline toward common policy
trust relationships among strangers (Grandison & understanding (Kagal, Finin, & Joshi, 2003; Tonti
Sloman, 2000). et al., 2003; Uszok, Bradshaw, & Jeffers, 2004). Se-
Therefore, the issue of access control is also mantically rich representations of trust and access
crucial for the provisioning of anytime and any- control policies permit resource/context descrip-
where collaborative applications, and raises chal- tions at different levels of abstraction and enable
lenges similar to trust management, thus calling for reasoning about both structure and properties of
novel access control models. Only few proposals entities, context, and operations, thus enabling
are starting to emerge in that research area, by ad- flexible opportunities for policy analysis, conflict
dressing two main needs. A primary requirement detection, and harmonization. It is worth noticing
is to design/develop access control solutions that that current security solutions for wireless Internet
take into account heterogeneity and dynamicity collaborations represent interesting steps forward,
of available services, computing devices, and user but are still more proof-of-concept prototypes of
characteristics. Along this direction, the emerging single aspects rather than comprehensive method-
design guideline for novel access control solutions ological and technical reference guides.
advocates a paradigm shift from subject-centric The goal of the chapter is to survey the most
access control models to context-centric ones (Cov- relevant support solutions in the literature by
ington, Long, Srinivasan, Dey, Ahamad, & Abowd, considering the two primary research directions
2001; Corradi, Montanari, & Tibaldi, 2004; Ko, emerging in the area, that is, trust management
Won, Shin, Choo, & Kim, 2006; Toninelli, Mon- and semantic context-driven access control. In
tanari, Kagal, & Lassila, 2006). Hereinafter, at a particular, examples of solutions in each category
high abstraction level, the term “context” is defined will be presented in the Trust Management section
as any information that is useful for characterizing and the Semantic Context-driven Access Control
the state or the activity of an entity or the world section, respectively. The COMITY Framework
where this entity operates (Dey, Abowd, & Salber, section will focus on the main design choices of
2001). Differently from subject-centric solutions our trust-dependent context-aware middleware
where context is an optional element of policy proposal, with the aim of exemplifying the main
definition, simply used to restrict the applicability concerns and solution guidelines about the inte-
scope of the permissions assigned to the subject, gration of trust and access control management.
in context-centric solutions context is the first- Primary open issues and expected directions of
evolution end the chapter.
Trust Management and Context-Driven Access Control
trust MAnAgEMEnt tion, and management, but has not yet achieved
universally accepted techniques/tools, as detailed
The adoption of the concept of trust as the basis in the following.
for engineering secure collaborative applications
is currently attracting relevant research interests. Trust Definition and Properties
Trust has always been an important element in
the establishment of relationships in many fields. Trust is a complex and multifaceted notion relat-
Humans use trust daily to promote interaction ing to belief in the honesty, truthfulness, compe-
and to accept risk in situations where they have tence, and reliability of a trusted person or service
only partial information (Cahill et al., 2003). In (Grandison & Sloman, 2000). Currently there is
computing, the need for trust models and support no consensus in the literature on the meaning of
systems has recently grown with the widespread trust though several research activities recognize
Internet usage where transactions involve entities its importance. Due to the fact that trust is an in-
spanning a range of domains and organizations, tegral part of human nature, it is normally treated
not all of which may be trusted to the same extent. as an intuitive and universally understood concept.
Recently, trust issues have taken on more urgency However, by realizing that it is unwise to assume
due to wireless environments of emerging relevance it is an intuitive, universal, and well-understood
populated by a plethora of unknown and anonymous concept, many researchers have proposed differ-
users/devices. Entities can interact as far as they ent definitions of trust and the importance of trust
are able to autonomously assess trust and to use standardization is widely recognized (Frank &
this as the basis for automated decision making, Peters, 1998; Gambetta, 2001; Marsh, 1994; Staab,
for example, whether to use a service or whether 2004). However, trust definitions vary depending
to permit access to resources. on researcher background and on addressed ap-
Incorporating trust in wireless Internet systems plication domain.
is important because trust can be an enabling Despite these differences, most proposals result
technology for application provisioning in open in having common basic properties. Trust is usu-
and dynamic environments in situations where we ally specified in terms of a relationship between
are given up complete control because traditional two entities that specifies the expectation of one
security solutions are inadequate or even inappli- trust-assigning entity, called the trustor, about the
cable. For instance, certificate-based authentica- actions of another entity (object of a trust estima-
tion and authorization mechanisms exhibit several tion), that is, the trustee, within a specified context
limitations when deployed over ad hoc wireless (Grandison & Sloman, 2000). Entities bound by a
scenarios. First, they impose too much compu- trust relationship may be completely or partially
tational overhead (especially due to certificate unknown to each other.
validation), often intolerable for mobile devices Trust relationships may differentiate depending
with limited computational resources. Second, the on the number of entities involved. They include
transient nature of ad hoc collaborations does not one-to-one relationships between two entities,
justify the efforts of going through the laborious one-to-many in the case of one entity that needs
and expensive certificate issuance process. Finally, to trust a group, many-to-many in the case, for
the lack of central authority and network infra- example, of a committee, or many-to-one in the
structure in MANET, coupled with the dynamic case of departments trusting a head branch. In any
nature of the network topology, complicates the case, trust relationship is asymmetric: trustor and
adoption of certificate-based authentication and trustee do not need to have similar trust in each
authorization mechanisms. other even if they exploit the same information
Trust-related research has been carried out along as their basis to establish their trust relationship.
several different directions and has proposed many This derives from the observation, common to all
approaches for trust definition, formation, evolu- trust definition proposals, that trust is a subjective
notion (Cahill et al., 2003).
Trust Management and Context-Driven Access Control
Trust Management and Context-Driven Access Control
keeping track of historical information about entity In addition, due to the high variability of MANET
behaviors and is based on a central server where scenarios, even if two entities re-encounter and
trust information is stored and used for decision collaborate, the collected historical data about one
making and analysis. entity’s reputation may refer to a completely dif-
A step further to better address the open and ferent deployment context, thus making historical
dynamic nature of wireless collaborative scenarios data less relevant to be the only aspect to consider
is represented by trust management solutions for calculating the appropriate trust level for the
specifically designed to deal with incomplete new interaction context.
knowledge and uncertainty. They all exploit the Other solutions in the literature have recently
concepts of recommendation and reputation to en- proposed trust models specifically targeted to
able trust decision making. The approach described MANET, in particular to deal with MANET
by Abdul-Rahman and Hailes (2000) improves node selfishness. For example, nodes can make
traditional solutions by proposing a distributed trust trust-guided decisions to choose the appropriate
model that allows entities to autonomously reason relay node for forwarding packets. Several relevant
about trust, without relying on a central authority. activities have focused on MANET reputation,
Based on direct experiences and recommenda- defined as the perception of one node regarding
tions, an entity derives its own trust evaluations. the performance of another node during the execu-
Mui et al. (2001) introduce a trust computational tion of a protocol (Srinivasan et al., 2007). Several
model, based on a Bayesian formalization of dis- reputation schemes have been proposed to mitigate
tributed rating processes, that takes into account selfishness. CONFIDANT (cooperation of nodes
the concept of reputation. The SECURE (secure - fairness in distributed ad-hoc. networks) proposes
environments for collaboration among ubiquitous a reputation system for misbehavior detection in
roaming entities) project proposes another trust MANET based on a modified Bayesian estima-
management solution, based on recommendations, tion approach (Buchegger & Le Boudec, 2002):
that addresses how entities in unfamiliar environ- everyone maintains a reputation rating and a trust
ments can overcome initial suspicion to provide rating about everyone else of interest. The reputa-
secure collaboration (Cahill et al., 2003). The model tion value of a node is calculated based on direct
dynamically builds trust from local trust policies, observation and trusted second-hand reputation
based on past observations and recommendations. messages. If a node observes another node not
A different approach for mobile environments participating correctly, it reports this observation
not relying on any third-party trusted entity is to other nodes that then perform actions to avoid
presented by Capra (2004): the proposed model being affected and to punish the “bad” node, for
enables nodes to form their trust opinions on the example, by refusing to forward its traffic. The
basis of aggregated trust information, mainly based approach is fully distributed and no static agree-
on direct experiences regarding past interactions ment is necessary. CORE (collaborative repuation)
with neighbor nodes. proposes another reputation mechanism to enforce
MANET push to the extreme the dynamicity, node cooperation in MANET (Michiardi & Molva,
heterogeneity, and uncertainty about the execution 2002). CORE uses a collaborative monitoring
environment, thus requiring further improvements technique and measures reputation as a node
to the design of trust management solutions to contribution to network operations. The OCEAN
secure collaborative applications. The previously (observation-based cooperation enforcement in ad
sketched solutions rely on historical reputation and hoc networks) proposal uses only direct first-hand
recommendation to derive appropriate trust levels. observations of other nodes behavior in contrast
In MANET, entities are likely to have only one- to CONFIDANT and CORE (Bansal & Baker,
shot encounters, thus making difficult to collect 2003). OCEAN discards second-hand reputation
sufficient historical reputation data about their past information because such information is considered
behavior for an appropriate trust level evaluation. subject to false accusations and requires maintain-
Trust Management and Context-Driven Access Control
ing trust relationships with other nodes. Liu, Joy, sEMAntIc contExt-drIvEn
and Thompson (2004) allows a MANET node to AccEss control
form and maintain a trust level value with each
other node, based on node behavior over time. The design and deployment of wireless Internet
The model relies on a collaborative scheme among collaboration services impose new challenges
nodes and exploits the trust value to determine a to distributed resource retrieval and operation,
secure routing path for message forwarding and undermining several assumptions of traditional
delivery. Parker et al. (2006) propose a solution that collaborative solutions. Whereas traditional col-
applies only to a laboratory setting, and relies on laboration relies on a static characterization of
a reputation management system to give MANET context where changes in the set of both service
nodes the ability to independently evaluate trust clients (users/devices) and accessible resources are
of nodes which they interact with. The reputation relatively rare and predictable, user/device mobility
model neither relies on any wired infrastructure causes frequent changes in physical user location,
nor assumes continuous connectivity among all accessible resources, and the visibility/availability
devices; the model only assumes that every device of collaborating partners. Therefore, traditional
can assign an accuracy degree to any information subject-centric access control solutions exhibit
provided to other peers and that every node main- some limitations when applied to wireless ad hoc
tains trust degrees for a subset of their peers. collaborations. The tight coupling of principal
Partially related to trust management MANET identities/roles with operating conditions, needed
solutions, there is also the relevant issue of intrusion in subject-centric access control, would require
detection, which is however out of the scope of this security administrators to foresee all contexts
chapter. For a comprehensive survey on the vari- where each collaborating principal/role is likely to
ous interesting proposals available in the literature operate. In wireless environments where entities
about MANET intrusion detection, please refer to are typically unknown and where operating condi-
Anantvalee and Wu’s (in press) work. tions frequently change even unpredictably, that
To end the section with extremely recent and traditional approach may lead to a combinatorial
just opened research directions in trust manage- explosion of the number of policies to write, force
ment, some activities are focusing on risk analysis a long development time, and induce potential
aspects relating to trust. Integrated management bugs. The traditional subject-centric approach also
of risk and trust is still at an early stage with only lacks flexibility: new access control policies need
few proposals. The SECURE project incorporates to be designed and implemented from scratch for
an explicit risk model for assessing collaborations any new principal and for any principal when new
(Cahill et al., 2003; Carbone, Nielsen, & Sassone, context situations occur.
2003; Dimmock, 2003; Josang & Presti, 2004), The emerging guideline proposed in several
analyzes the relationship between risk and trust, recent security solutions is to tightly bind context
and derives a computational model integrating awareness and access control models. By drawing
the two concepts; risk is used to deduce trust. An inspiration from role-based access control (RBAC),
opposite approach is taken by English et al. (2004) which exploits the role concept as a mechanism for
and Quercia, Hailes, and Capra (2006) where it is grouping subjects based on their properties, context
trust that drives the determination of risk: based can provide a level of indirection between entities
on trust assessment input, the proposed decision requesting resource access and their permitted set
model estimates the probability of potential risks of actions. Instead of assigning permissions directly
associated with an action, and consequently decides to subjects and defining in which contexts these
whether to carry out requested actions. Dimmock, permissions are valid, for each resource system
Bacon, Ingram, and Moody (2005) propose a risk administrators should define the context where to
model based on utility theory and evaluates it in a enable operations on it. When an entity operates
peer-to-peer collaborative scenario to drive trust- in a specific context, it automatically acquires the
based access control.
Trust Management and Context-Driven Access Control
ability to perform the set of actions active for the constraints are used to define conditional permis-
current context; when context changes, entities are sions, that is, RBAC permissions constrained by
instantaneously granted/denied access to resources context situations. In this security model, ac-
accordingly. For instance, let us suppose that a cess rights are granted to users if corresponding
printer can only be accessed by people located context constraints are satisfied. This approach
in the same room the printer is. Then, whenever also presents an engineering process for context
a person leaves that room, the person looses the constraints, based on goal-oriented requirement
permission. engineering: the first step is to fetch the model of
The integration of access control with context the current deployment scenario, by identifying
has two main characteristics. First, it is an example goals and obstacles; each goal is then examined
of an active access control model (Georgiadis, Ma- to derive the context attributes needed to describe
vridis, Pangalos, & Thomas, 2001). Active security that goal; then, goals are used to specify context
models are aware of the context associated with constraints. Although context is considered crucial,
an ongoing activity; that distinguishes the passive the proposal continues to follow a subject-centric
concept of permission assignment from the active approach where context conditions act simply as
concept of context-based permission activation. constraints on privilege applicability.
Second, the exploitation of context as a mechanism Another effort of exploiting context for access
for grouping policies and for evaluating applicable control decisions is presented by McDaniel (2003).
ones simplifies access control management by both Conditions in access control policy statements are
increasing policy reuse and simplifying policy not defined as expressions over a fixed set of attri-
update and revocation. butes, but viewed as general purpose programs used
The explicit consideration of context for access to measure context (every condition is a parametric
control decisions is a very recent research direc- function). This extended condition view embraces
tion that is attracting increasing interest, but only the environment dynamicity and allows expres-
a few context-dependent policy model proposals sion of complicated relationships between context
have currently emerged. Covington et al. (2001) conditions. However, in this approach the policy
strongly point out the relevance of context. The infrastructure only evaluates policies in response
proposal allows policy designers to represent to the trigger of user-requested operations; the ac-
contexts through a new type of role, called envi- cess control process is still subject-based.
ronment role. Environment roles capture relevant Corradi et al. (2004) propose a context-based
environmental conditions, used to restrict and access control management system for ubiquitous
regulate user privileges. Permissions are assigned environments that dynamically determines the
to roles (both traditional and environment ones) contexts of mobile users and rules the access to
and role activation/deactivation regulates resource resources by taking into account user contexts.
access. However, the proposed model considers a In particular, access control policies are defined
very limited set of context information represented as association rules between a set of permissions
by environment properties and states. Environment and a set of contexts.
roles do not provide any means for representing By specifically focusing on access control in
other kinds of contexts, such as current collabora- spontaneous wireless coalitions, Liscano and Wang
tive activities, or user movements. (2005) propose a delegation-based approach, where
An attempt of extending these kinds of contexts users participating in a communication session can
is proposed by Neumannb and Strembeck (2003). delegate a set of their permissions to a temporary
They present a context-based security approach session role, in order to enable transitory access
using special purpose RBAC constraints. A con- to the resources of all participants in the session.
text constraint is defined as a dynamic RBAC In particular, one user assigns the session role to
constraint that checks the actual values of one the entities the user is willing to communicate
or more context attributes. Accordingly, context with. Context is used to define the conditions that
Trust Management and Context-Driven Access Control
must hold for the assignment to take place. Only a policy granting access to the projector in the meet-
limited set of contextual information can be speci- ing room of a company. Suppose that meetings are
fied and no semantic technologies are exploited to normally scheduled until 5 p.m. and that access
represent either session role or context constraints. to the projector is consequently not allowed after
In addition, security problems may arise whenever that time. Let us now suppose that a meeting goes
an entity delegated to play the session role leaves beyond its scheduled end time. In this example, we
the collaborative session. In fact, unless the user need to “instruct” the system such that, if certain
explicitly states she is leaving the session, there context conditions hold, the meeting is still taking
is no way for the framework to be aware that the place and access to the projector should therefore
session role must be revoked. continue to be allowed.
The importance of adopting a semantic ap-
semantic Access control Policies proach to the specification of all security policy
building elements (subjects, actions, context,
Access control policies can be specified in many ect.) has recently emerged in well-known policy
different ways and multiple approaches have frameworks, such as KAoS (knowledgeable agent-
been proposed in different application domains oriented system) (Uszok et al., 2004) and Rei
(Tonti et al., 2003). Anyway, there are some gen- (Kagal et al., 2003), which have adopted semantic
eral requirements that any policy representation technologies due to their rich expressiveness and
should satisfy regardless of its field of applicabil- tractability.
ity: expressiveness to handle the wide range of However, the integration of semantic technolo-
possible management requirements, simplicity gies within context-driven access control is still
to ease policy definition tasks for administrators at its infancy with only a few proposals. In fact,
with different degrees of expertise, enforceability a major drawback of the approaches mentioned
to ensure a mapping of policy specifications into in the previous section is that they do not exploit
implementable policies for various platforms, semantic information describing contexts, which
scalability to ensure adequate performance, and could provide various advantages to context-aware
analyzability to enable reasoning about policies. access control systems. On the contrary, Toninelli
The challenge is to achieve a suitable balance among et al. (2006) present a novel semantic-based access
the objectives of expressiveness, computational control model that exploits context awareness to
tractability, and ease of use. control resource access and to enable dynamic
An important principle that is currently emerg- policy adaptation in response to context changes,
ing for novel access control models for wireless while adopting semantic technologies for con-
Internet environments is the adoption of seman- text/policy specification to enable reasoning about
tically-rich policy representations to improve context and policies. Ko et al. (2006) propose an
expressiveness, analyzability, and interoperability. approach that allows to overcome the semantic gap
A semantic-based approach allows description of between contexts specified in policies at design
contexts and associated policies at a high level of time and context data dynamically collected in the
abstraction, in a form that enables their classifi- execution environment. For instance, consider an
cation and comparison. This feature is essential, authorization policy stating that a doctor working
for instance, in order to detect conflicts between in a pediatrics ward can access information about
policies before their enforcement. In addition, the infants’ parents. If Doctor Green is currently
semantic techniques can provide the reasoning located in Room 209, and Room 209 belongs to
features needed to deduce new information from a pediatrics ward, then the authorization policy
existing knowledge. This ability may be exploited should apply to Doctor Green. Semantic-based
by policy frameworks when faced with unexpected policy rules are therefore used to explicitly state
situations to react in a contextually appropriate the semantic relationship between the condition
way. For example, let us consider an access control expressed in the policy and the condition revealed
by sensors, for example, the doctor’s location.
Trust Management and Context-Driven Access Control
tHE coMIty frAMEwork trust level, such as credentials and historical data
about one entity’s behavior. For instance, creden-
COMITY (context-based middleware for trust- tials, such as digital certificates, are often available
worthy services) is our original proposal of in traditional execution environments, but may not
trust-dependent access control framework that be verifiable in MANET, in that case becoming
exploits semantic-based context descriptions for useless to determine the first level of trust. The
collaborative applications over MANET. In par- idea underpinning our choice of distinguishing
ticular, COMITY allows different actors, sharing primary and secondary context is to base initial
little or no prior knowledge about each other, to trust decisions mainly on context information that
establish trustworthy relationships and to define can be always acquired, for example, user charac-
proper access control policies governing opera- teristics, device properties, and offered services. In
tions on shared resources depending on mutual addition, in wireless ad hoc collaborations, users
trust relationships. Let us note that COMITY tend to discover partners of interest and to create
largely exploits context awareness to model trust group aggregations on the basis of user prefer-
and access control policies. In addition, it adopts ences/interests, offered resources/services, and
semantic-based context/policy descriptions to pro- access terminal capabilities, that is, on the basis
vide expressive representation and reasoning over of primary context.
trust relationships and access control policies. More in details, as depicted in Figure 1, one
We claim that the COMITY framework is a user’s primary context includes data about the user,
good exemplification of an emerging trend for novel the user’s offered services, and the characteristics
security solutions based on semantic technologies, of the currently used access device. In particular,
on context awareness, and on the trust concept to the User Context represents user characteristics and
properly handle highly dynamic environments. To includes various types of context element parts. The
point out those emerging solution guidelines, the Identifier part represents the unique system-level
following section provides a rapid overview of the user identifier, for example, a personal identifier
main characterizing COMITY features. that does not convey information qualifying user
identity. The Social Attitude part represents the
coMIty context Model user willingness to cooperate, that is, the user’s
attitude to share information with other entities.
COMITY defines context as any characterizing A user may declare oneself selfish when the user
information about the controlled entities and their denies cooperation, for instance by not provid-
surrounding environment that is relevant for es- ing a service/information to save device battery
tablishing trust relationships and trust-dependent degradation; ignorant when the user disposition
access control policies. The COMITY context is not declared; and cooperative when the user
model distinguishes between the concepts of is willing to cooperate. The Team part specifies
entity and context. An entity “bears” one or more the team, that is, a group of users with common
contexts and a context “inheres in” one or more characteristics, if any, that the user belongs to. For
entities. COMITY contexts may be either primary instance, in the case of temporary unavailability
or secondary (see Figure 1). The primary context of one collaborating service provider, this context
identifies the set of information about a collabo- information facilitates entities to discover other
rating entity/device (and its resources/services) to entities possibly replacing it within the team. The
determine an initial level of trust; this set of in- Distance part represents the physical distance
formation should be always acquirable, without between two entities. In particular, distance is the
the need to rely on a fixed network infrastructure number of network hops required for an entity to
for its validation. The secondary context includes route a message to the collaborating entity which
context data that may not be always available, but the distance context part is associated with. The
that can be used, if available, to refine the initial need for this context information relies on the fact
0
Trust Management and Context-Driven Access Control
subClassOf subClassOf
Secondary Primary
hasDeviceContext hasServiceContext
Context Context
hasUserContext
hasMemoryCapacity belongsToTeam
maxHops
hopsNum wrt
subClassOf
hasQoC
that MANET users tend to prefer collaborating tailored to application-specific requirements and
with close peers due to typical link instability network deployment conditions at runtime.
and high error rates in message delivery in long It is worth noticing that in highly dynamic
routing paths. MANET scenarios there are several problems
The secondary context includes all other types arising in context determination and processing.
of information characterizing users/devices and A primary complexity is due to frequent context
provided services that are considered relevant, changes. Due to dynamic context variations, not
but not necessary, for determining the initial trust only the value of a context attribute is of interest,
level. For instance, user identities/roles, digital but also the moment when the value was determined
certificates, reputations, and recommendations are (van Sinderen et al., 2006). In addition, context
all information that COMITY takes into account as sources are generally restricted in their ability to
secondary context. Differently from primary con- estimate the precise value of a context attribute.
text, COMITY does not provide any static prebuilt Another factor of complexity stems from the
classification for secondary context elements; the possible unreliability of the context information
classification of secondary context data is usually provided by collaborating entities. An entity may
Trust Management and Context-Driven Access Control
purposely provide incorrect information (malicious specific trust degree. Contexts act as intermedi-
entity), may be unable to guarantee a reliable level aries between A and B and the set of operations
of provided information (ignorant entity), may for which A trusts B. COMITY users exploit the
provide correct information (cooperative entity), or primary and secondary context described in the
may have correct information but denies to make previous section to define their own trust relation-
it available (uncooperative). ships. In particular, the context involved in a trust
To deal with such aspects, COMITY adopts the relationship definition is the intersection between
notion of quality of context (QoC), as defined by A’s and B’s contexts (hereinafter called trust ac-
Buchholz, Kupper, and Schiffers (2003) and van tivating context, see Figure 1). This means that
Sinderen et al. (2006), which is metainformation an action is considered trusted if executed within
“that describes the quality of information that is the scope of specific conditions of the applicable
used as context information.” In particular, each trust activating context. Which trustor and which
context element is associated with a parameter that trustee are involved in the trust relationship is di-
indicates the accuracy (i.e., the difference between rectly derived from the identifier parts of the two
the value of the context attribute and the aspect of primary contexts involved in the trust activating
reality it represents), the probability of correctness context intersection.
(the probability, estimated by the context source, COMITY trust relationships have all an associ-
to be the correct value), the trustworthiness (the ated trust degree, which reflects the trustor opinion
probability, estimated by the context receiver, that about the trustworthiness of executing an action
the context source provided the correct value), within the scope of its associated trust activating
and the freshness (the age of the context value, context. We are currently integrating COMITY
typically represented by a timestamp). Let us note with existing trust models in the literature suit-
that the determination of the correct QoC levels able to derive trust degree values in decentralized
to apply in highly dynamic wireless environments MANET environments (Capra, 2004; Quercia et
is a challenging issue, in particular to achieve the al., 2006). In general, trust degree determination
most suitable tradeoff between minimum intru- depends on various factors. For instance, the need
siveness and accuracy. These mechanisms are perceived by A of letting B to perform the specified
currently under investigation in COMITY where action on either A’s or B’s resources influences trust
we are experimenting and validating novel highly degree calculation; that need may be quantified as
decentralized and localized techniques based on the expected loss deriving from not executing the
collaborative game theory. specified action. In addition to need, it is necessary
to take into account QoC levels and the risk of the
coMIty trust Model loss deriving from performing critical actions in
an incorrect way.
There are different forms of trust in the literature
relating to whether access is being provided to coMIty trust-dependent Access
trustor’s resources, the trustee is providing a ser- control Model
vice, trust concerns authentication, or it is being
delegated (Grandison & Sloman, 2000). The CO- COMITY uses trust-dependent access control
MITY trust model focuses on two specific aspects: policies to govern operations on resources when A
an entity A (trustor) trusts an entity B (trustee) i) trusts B to use resources that A owns or controls.
to use resources that A owns or controls, and ii) In this case, A has to define suitable authorization
to provide a service not requiring access to A’s policies. On the contrary, in the case A trusts B to
resources. provide a service that does not involve access to A’s
COMITY defines trust relationships as one- resources, B’s usage of the service is outside A’s
to-one associations between contexts and trusted control, but depends on the access control policies
actions, with each relationship characterized by a defined by B. Both A and B follow the COMITY
Trust Management and Context-Driven Access Control
trust-dependent access control model to define actions, trust activating contexts, trust relation-
proper access control policies. ships, and access control policies. In particular,
The COMITY trust-dependent access control we use Web ontology language (OWL)-based
model extends our approach proposed by Toninelli ontologies, as shown in Figure 2a (for the sake
et al. (2006). In particular, the access control model of simplicity, we use hereinafter a compact DL
is context-centric: contexts are associated with notation). A trust activating context is defined
allowed actions that represent all and only the as a subclass of a generic context. Each generic
conditions that enable access to the resources. By context consists of several context elements, with
drawing inspiration from Java protection domains each element characterized by at least an identity
(Gong, 1999), we call these contexts as protection property and a location property defining the physi-
contexts: they are determined by policies and cal or logical position of an entity, and eventually
provide users with a controlled visibility of the by other additional properties. A trust activating
performable resource access actions. context is defined by restriction on the trustor and
The COMITY extension we are currently work- trustee primary contexts (possibly by considering
ing on consists in exploiting the trust degree as a also secondary contexts when available). Each pri-
specific protection context with possibly associated mary context consists of several context elements,
actions. In other words, it is possible to allow/deny grouped within a specific context category, with
an action as far as the resource access requestor each element characterized by a value and at least
has a proper trust degree. More in details, at any a QoC attribute.
resource access request, COMITY verifies whether Figure 2a shows an example of a trust activat-
a trust activating context has been defined for the ing context, where the trustee is within two-hop
requested operation. In that case, COMITY checks distance from the trustor and has a device with a
whether the trust activating context is currently in full battery; both trustor and trustee are coopera-
effect (active context), that is, the context defining tive. Each information associates with values of
conditions match the operating conditions of the trustworthiness and/or freshness. Figure 2b shows
requesting entity, requested resource, and envi- an example of trust-dependent access control
ronment. In particular, there is the need to verify policy. The trust relationship defines an associa-
whether the requestor is the trustee indicated in the tion between the trust activating context shown in
trust activating context. Then, the corresponding Figure 2a (Trust_Activating_Context_1) and the
trust degree associated with the activating trust action of the trustee accessing the files included in
context and with the requested operation is used folder(A). COMITY assigns a level of trust (70%)
to select the proper access control policy. to this association. The access control policy states
that access to folder(A) files is granted to a trustee
context and trust relationship if the trust level associated to that action reaches the
Implementation minimum threshold of 60%. Therefore, Trust_Ac-
tivating_Context_1 is effective and the trustee is
The COMITY context model is based on an un- granted with the requested permission.
derlying system model that describes interactions The DL adoption in context modeling and
by using the concepts of entities and actions. An reasoning has well-known benefits. For instance,
entity represents any actor/resource in the system when considering activating contexts as classes
and is logically characterized by a number of and a set of sensor inputs as individuals, DL-based
properties expressed as attribute-value pairs. An reasoning allows one to determine which activat-
action describes an activity that an actor is able ing contexts are in effect by verifying which trust
to perform on another entity. An interaction is the activating context classes the current state is an
association of an entity and an action. instance of, and to figure out how activating con-
COMITY adopts description logics (DL) and texts relate to each other, for example, via nesting
associated inference mechanisms to model entities, [6]. For instance, let us consider the case of a user
Trust Management and Context-Driven Access Control
Figure 2. COMITY specifications for trust relationship and trust-based access control policy
who has a PDA with full battery, is self-defined promoting cooperation among (partially) unknown
as cooperative, and is one-hop far from a trus- entities. However, trust is insufficient for securing
tor. By means of DL-based reasoning, COMITY wireless Internet collaborations and there is the
can automatically recognize that this enables the need to associate it with proper resource access
trustee part of the trust activating context defined control policies.
in Figure 2a. In addition, in the specific field of trust man-
agement, novel solutions have started to emerge
specifically designed to deal with uncertainty and
conclusIons And oPEn incomplete knowledge that are usual in dynamic
rEsEArcH IssuEs wireless environments. However, despite the wide-
spread interest, the field is still immature. Sound
Securing ad hoc wireless collaborations is a terminological and methodological frameworks are
complex management issue that calls for novel still missing, there is not even a commonly agreed
security paradigms suitable for high heterogeneity definition of the concept of trust, and several as-
and dynamicity. In this perspective, trust is start- pects still require investigation, such as the proper
ing to be recognized as an enabling principle for evaluation and combination of trust and risk.
Trust Management and Context-Driven Access Control
Also the relationship between context and trust Anantvalee, T., & Wu, J. (in press). A survey on
has not received the needed attention whereas it is intrusion detection in mobile ad hoc networks. In Y.
crucial to form trust opinions and to reason about Xiao, X. Shen, & D.Z. Du (Eds.), Wireless/mobile
recommendation and reputation. The relation- network security. New York: Springer-Verlag.
ship is twofold. First, trust, recommendation, and
Bansal, S., & Baker, M. (2003). Observation-based
reputation opinions can be context-dependent.
cooperation enforcement in ad hoc networks.
Second, context elements at the time when trust,
Stanford, CA: Stanford University. Retrieved May
recommendation, and reputation opinions are cre-
15, 2007, from http://stanford.edu/~sbansal/pubs/
ated should be compared with the trustor’s context
ocean03.pdf
where interactions currently take place. Moreover,
there is the need to integrate trust management Blaze, M., Feigenbaum, J., & Keromytis, A.D.
solutions with run-time monitoring both to support (1998). KeyNote: Trust management for public-key
self-adaptation of trust opinions to dynamic varia- infrastructures. In B. Christianson et al. (Eds.),
tions and to detect (and possibly react to) violations Proceedings of the 6th International Workshop
to the initially estimated trust level. on Security Protocols (LNCS 1550, pp. 59-63).
Another open research issue is about mecha- Cambridge, UK: Springer-Verlag.
nisms and strategies to promote cooperation
among possibly unknown entities in dynamic Blaze, M., Feigenbaum, J., & Lacy, J. (1996).
environments: credit systems on top of trust man- Decentralized trust management. In Proceedings
agement solutions could reward the good behavior of IEEE Symposium on Security and Privacy (pp.
of cooperating peers and punish selfish/cheating 164-173). Oakland, CA: IEEE Computer Society
nodes. A very relevant research challenge at the Press.
moment is the full integration of novel trust-based Buchegger, S., & Le Boudec, J.Y. (2002). Perfor-
management models/solutions with trust-depen- mance analysis of the CONFIDANT protocol:
dent (possibly context-aware) access control poli- Cooperation of nodes - fairness in dynamic ad-hoc
cies. Finally, there is the need for standardization networks. In Proceedings of the 3rd ACM Interna-
efforts, based on semantic technologies, to open tional Symposium on Mobile Ad Hoc Networking &
new possibilities for entities to represent contexts, Computing (pp. 226-236). Lausanne, Switzerland:
trust relationships, and access control policies in a ACM Press.
fully interoperable way, which is crucial in open
and dynamic deployment scenarios. Buchholz, T., Kupper, A., & Schiffers, M. (2003).
Quality of context: What it is and why we need it.
Paper presented at the 10th HP–OVUA Workshop,
AcknowlEdgMEnt Geneva, Switzerland.
Cahill, V., Gray, E., Seigneur, J.M., Jensen, C.D.,
Work supported by the MIUR PRIN MOMA and Yong C., Shand, B., et al. (2003). Using trust for
the CNR IS-MANET Projects. secure collaboration in uncertain environments.
IEEE Pervasive Computing, 2(3), 52-61.
Capra, L. (2004). Engineering human trust in
rEfErEncEs
mobile system collaborations. In Proceedings of
the 12th ACM International Symposium on Foun-
Abdul-Rahman, A., & Hailes, S. (2000). Support-
dations of Software Engineering (pp. 107-116).
ing trust in virtual communities. In Proceedings
Newport Beach, CA: ACM Press.
of the 33rd Hawaii International Conference on
System Sciences (Vol. 6, p. 6007). Washington Carbone, M., Nielsen, M., & Sassone, V. (2003).
D.C.: IEEE Computer Society Press. A formal model for trust in dynamic networks. In
Proceedings of the 1st International Conference on
Trust Management and Context-Driven Access Control
Software Engineering and Formal Methods (pp. In Proceedings of the International Conference
54-63). Brisbane, Australia: IEEE Press. on Engineering and Technology Management:
Pioneering New Technologies - Management Is-
Chu, Y.H., Feigenbaum, J., LaMacchia, B., Resnick,
sues and Challenges in the Third Millennium (pp.
P., & Strauss, M. (1997). REFEREE: trust manage-
322-327). San Juan, PR: IEEE Computer Society
ment for Web applications. Computer Networks
Press.
and ISDN Systems, 29(8-13), 953-964.
Gambetta, D. (2001). Can we trust trust? In D.
Corradi, A., Montanari, R., & Tibaldi, D. (2004).
Gambetta (Ed.), Trust making and breaking co-
Context-based access control management in
operative relations (pp. 213-237), Oxford, UK:
ubiquitous environments. In Proceedings of the
University of Oxford. Retrieved December 29,
3rd IEEE International Symposium on Network
2006, from http://www.sociology.ox.ac.uk/papers/
Computing and Applications (pp. 253-260). Cam-
gambetta213-237.pdf
bridge, MA: IEEE Computer Society Press.
Georgiadis, C.K., Mavridis, I., Pangalos, G., &
Covington, M.J., Long, W., Srinivasan, S., Dey,
Thomas, K.R. (2001). Flexible team-based access
A.K., Ahamad, M., & Abowd, G.D. (2001). Secur-
control using contexts. In Proceedings of the 6th
ing context-aware applications using environmen-
ACM Symposium on Access Control Models and
tal roles. In Proceedings of the 6th ACM Symposium
Technologies (pp. 21-27). Litton-TASC, Chantilly,
on Access Control Models and Technologies (pp.
VA: ACM Press.
10-20). Chantilly, VA: ACM Press.
Gong, L. (1999). Inside Java 2 platform security.
Dey, A., Abowd, G., & Salber, D. (2001). A con-
Boston: Addison Wesley.
ceptual framework and a toolkit for supporting the
rapid prototyping of context-aware applications. Grandison, T., & Sloman, M. (2000). A survey of
Human-Computer Interaction, 16(2-4), 97-166. trust in internet applications. IEEE Communica-
tions and Surveys, 3(4). IEEE Communications
Dimmock, N., Bacon, J., Ingram, D., & Moody, K.
Society Press.
(2005). Risk models for trust-based access control.
In P. Herrmann, S. Shiu, V. Issarny (Eds.), Pro- Grandison, T., & Sloman, M. (2003). Trust man-
ceedings of the 3rd Annual Conference on Trust agement tools for internet applications. In P.
Management (LNCS, Vol. 3477, pp. 364-371). Nixon & S. Terzis (Eds.), Proceedings of the 1st
Rocquencourt, France: Springer-Verlag. International Conference on Trust Management
(LNCS 2692, pp. 91-107). Heraklion, Crete, Greece:
Dimmock, N., Bacon, J., Ingram, D., & Moody, K.
Springer-Verlag.
(2005). Risk models for trust-based access control.
In P. Herrmann et al. (Eds.), Proceedings of the Josang, A., & Presti, S.L. (2004). Analysing the
3rd Annual Conference on Trust Management relationship between risk and trust. In C. Jensen,
(LNCS 3477, pp. 364-371). Rocquencourt, France: S. Poslad, T. Dimitrakos (Eds.), Proceedings of
Springer-Verlag. the 2nd International Trust Management, Lecture
Notes in Computer Science (Vol. 2995, pp. 135-145).
English, C., Terzis, S., & Wagealla, W. (2004).
Oxford, UK: Springer-Verlag.
Engineering trust-based collaborations in a global
computing environment. In C. Jensen, S. Poslad, Kagal, L., Finin, T., & Joshi, A. (2001). Trust-based
T. Dimitrakos (Eds.), Proceedings of the 2nd security in pervasive computing environments.
International Conference on Trust Management, IEEE Computer, 34(12), 154-157.
Lecture Notes in Computer Science (Vol. 2995, pp.
Kagal, L., Finin, T., & Joshi A. (2003). A policy
120-134). Oxford, UK: Springer-Verlag.
language for pervasive computing environment.
Frank, N.M., & Peters, L. (1998). Building trust: In Proceedings of the 4th IEEE International
The importance of both task and social precursors. Workshop on Policy for Distributed Networks
Trust Management and Context-Driven Access Control
and Systems (pp. 63-74). Lake Como, Italy: IEEE Neumann, G., & Strembeck, M. (2003). An ap-
Computer Society Press. proach to engineer and enforce context constraints
in an RBAC environment. In Proceedings of the
Ko, H.J., Won, D.H., Shin, D.R., Choo, H.S., &
8th ACM Symposium on Access Control Models
Kim, U.M., (2006). A semantic context-aware
and Technologies (pp. 65-79). Como, Italy: ACM
access control in pervasive environments. In M.
Press.
Gavrilova et al. (Eds.), Proceedings of the Interna-
tional Conference on Computational Science and Parker , J., Patwardhan, A., Perich, F., Joshi, A.,
its Applications (LNCS, Vol. 3981, pp.165-174). & Finin, T.: (2006). Trust in pervasive computing.
Glasgow, Scotland: Springer-Verlag. Mobile Middleware, 21, 473-496. CRC Press.
Liscano, R. & Wang, K. (2005). A SIP-based ar- Quercia, D., Hailes, S., & Capra, L. (2006). B-trust:
chitecture model for contextual coalition access Bayesian trust framework for pervasive computing.
control for ubiquitous computing. In Proceedings In K. Stølen W. H.Winsborough, F. Martinelli, &
of the 2nd Annual Conference on Mobile and F. Massacci (Eds.), Proceedings of the 4th Inter-
Ubiquitous Systems (pp. 384-392). San Diego: national Conference on Trust Management (LNCS
IEEE Computer Society Press. 3986, pp. 298-312). Pisa, Italy: Springer-Verlag.
Liu, Z., Joy, A.W., & Thompson, R.A. (2004). A Ruohomaa, S., & Kutvonen L. (2005). Trust man-
dynamic trust model for mobile ad hoc networks. agement survey. In P. Herrmann, S. Shiu, V. Issarny
In Proceedings of the 10th IEEE International (Eds.), Proceedings of the 3rd Annual Conference
Workshop on Future Trends of Distributed Com- on Trust Management (LNCS 3477, pp. 77-92).
puting Systems (pp. 80-85). Suzhou, China: IEEE Rocquencourt, France: Springer-Verlag.
Computer Society Press.
Sloman, M. (2004). Trust management in Internet
Marsh, S.P. (1994). Formalising trust as a compu- and pervasive systems. IEEE Intelligent Systems,
tational concept. Computing science and math- 19(5), 77-79.
ematics (p. 170). Stirling, Scotland: University
Srinivasan, A., Teitelbaum, J., Liang, H., Wu, J.,
of Stirling.
& Cardei, M. (in press). Reputation and trust-
McDaniel, P. (2003). On context in authorization based systems for ad hoc and sensor networks.
policy. In Proceedings of the 8th ACM Symposium In A. Boukerche (Ed.), Algorithms and protocols
on Access Control Models and Technologies (pp. for wireless ad hoc and sensor networks. Wiley
80-89). Lake Como, Italy: ACM Press. & Sons.
Michiardi, P., & Molva, R. (2002). Core: A col- Staab, S. (2004). The pudding of trust. IEEE Intel-
laborative reputation mechanism to enforce node ligent Systems, 19(5), 74.
cooperation in mobile ad hoc networks. In B. Jer-
Toninelli, A., Montanari, R., Kagal, L., & Lassila,
man-Blazic & T. Klobucar (Eds.), Proceedings of
O. (2006). A semantic context-aware access control
the 6th IFIP TC6/TC11 Joint Working Conference
framework for secure collaborations in pervasive
on Communications and Multimedia Security: Ad-
computing environments. In I. Cruz et al. (Eds.),
vanced Communications and Multimedia Security
Proceedings of the 5th International Semantic Web
(Vol. 228, pp. 107-121). Deventer, The Netherlands:
Conference (LNCS 4273, pp. 473-486). Athens,
Kluwer.
GA: Springer-Verlag.
Mui, L., Mohtashemi, M., Cheewee, A., Szolovits,
Tonti, G., et al. (2003). Semantic Web languages
P., & Halberstadt, A.: (2001). Ratings in distributed
for policy representation and reasoning: A com-
systems: A bayesian approach. Paper presented at
parison of KAoS, Rei, and Ponder. In D. Fensel
the 11th Workshop on Information Technologies
et al. (Eds.), Proceedings of the 2nd International
and Systems, New Orleans, LA.
Trust Management and Context-Driven Access Control
Semantic Web Conference (LNCS 2870, pp. 419- deploying, and managing distributed applications
433). Sanibel Island, FL: Springer-Verlag. by providing a simple, consistent, and integrated
distributed programming environment.
Uszok, A., Bradshaw, J.M., & Jeffers, R. (2004).
KAoS: A policy and domain services framework Recommendation: A communicated opinion
for grid computing and semantic Web services. about the trustworthiness of a third party entity.
In C. Jensen, S. Poslad, T. Dimitrakos (Eds.),
Reputation: The opinion that one entity builds
Proceedings of the 2nd International Conference
about another entity. In particular, reputation refers
on Trust Management, (LNCS 2995, pp. 16-26).
to the general expectation about the future actions
Oxford, UK: Springer-Verlag.
of an entity based upon past actions. Reputation
van Sinderen, M.J., van Halteren, A.T., Wegdam, can be exploited in trust management by providing
M., Meeuwissen, H.B., & Eertink, E.H.: (2006). one relevant element to consider for the trustor to
Supporting context-aware mobile applications: An assess the prospective trustee’s trustworthiness.
infrastructure approach. IEEE Communications
Semantic Technologies: Technologies that
Magazine, 44(9), 96-104.
permit to add semantic metadata to information
resources. Semantic metadata allow to effectively
process data, for instance via automated inferences,
kEy tErMs that is, understanding what a data resource is and
how it relates to other data independently of its
Access Control: The ability to limit and control name and syntax.
the actions/operations that a legitimate user of a
Trustee: The entity (individual, access termi-
computer system can perform. Access control
nal, resource/service component) that is the object
constrains what a user can do directly, as well
of a trust evaluation by a trustor (see the following
what programs executing on behalf of a user are
definition).
allowed to do.
Trust Management: The collection, mainte-
Context: Many definitions of context are avail-
nance, and processing of the information required
able in the literature (Dey et al., 2001). The most
to make a trust relationship decision, to evaluate
accepted one defines “context” as any information
the criteria related to trust relationships, and to
useful for characterizing the state or the activity
monitor and re-evaluate existing trust relationships.
of an entity or the world in which this entity op-
The term was first defined by Blaze et al. (1996) as
erates. An entity is a person, place, or object that
a unified approach to specifying and interpreting
is considered relevant to the interaction between
security policies, credentials, and relationships
a user and an application, including the user and
in order to allow direct authorization of security-
applications themselves.
critical actions.
Middleware for Distributed Systems: A
Trustor: An individual who sets up a trust or,
distributed software support layer which abstracts
in other words, the subject that has the possibil-
over the complexity and heterogeneity of the un-
ity/responsibility to trust a target entity.
derlying distributed environment with its multi-
tude of network technologies, operating systems,
and implementation languages. The primary role
of middleware is to ease the task of developing,
Chapter XXX
A Survey of Key Management in
Mobile Ad Hoc Networks
Bing Wu
Fayetteville State University, USA
Jie Wu
Florida Atlantic University, USA
Mihaela Cardei
Florida Atlantic University, USA
AbstrAct
Security has become a primary concern in mobile ad hoc networks (MANETs). The characteristics of
MANETs pose both challenges and opportunities in achieving security goals, such as confidentiality,
authentication, integrity, availability, access control, and nonrepudiation. Cryptographic techniques
are widely used for secure communications in wired and wireless networks. Most cryptographic mecha-
nisms, such as symmetric and asymmetric cryptography, often involve the use of cryptographic keys.
However, all cryptographic techniques will be ineffective if the key management is weak. Key manage-
ment is also a central component in MANET security. The purpose of key management is to provide
secure procedures for handling cryptographic keying materials. The tasks of key management include
key generation, key distribution, and key maintenance. Key maintenance includes the procedures for key
storage, key update, key revocation, key archiving, and so forth. In MANETs, the computational load
and complexity for key management are strongly subject to restriction by the node’s available resources
and the dynamic nature of network topology. A number of key management schemes have been proposed
for MANETs. In this chapter, we present a survey of the research work on key management in MANETs
according to recent literature.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
A Survey of Key Management in Mobile Ad Hoc Networks
v
w
0
A Survey of Key Management in Mobile Ad Hoc Networks
• Dynamic topologies: The network topol- • Active attacks: In active attacks, an attacker
ogy may change randomly and rapidly at actively participates in disrupting the normal
unpredictable times, and may consist of both operation of the network services. An attacker
directional and unidirectional links. Nodes can create an active attack by modifying
freely roam in the network, join or leave the packets or by introducing false informa-
network at their own will, and fail occasion- tion. Active attacks can be further divided
ally. into internal and external attacks; internal
• Resource constraints: The wireless links attacks are from compromised nodes that
have significantly lower capacity than wired were once a legitimate part of the network.
links. The computation and energy resources Since the adversaries are already part of the
of a mobile device are limited. network as authorized nodes, they are much
• Infrastructure-less: There is no well-defined more severe (Wu et al., 2006) and difficult to
infrastructure, or access point, or some other detect compared to external attacks. External
central control point available. Moreover, attacks are carried by nodes that are not a
the wireless medium is accessible by both legitimate part of the network. Such attacks
legitimate nodes and attackers. There is no are often prevented through firewalls or some
clear boundary to separate the inside network authentication and encryption mechanisms.
from the outside world.
• Limited physical security: Portable devices Security Goals
are generally small with weak protection. The
physical devices could be stolen or compro- Security services include the functionality that is
mised. required to provide a secure networking environ-
ment. It comprises authentication, access control,
security challenges overview confidentiality, integrity, nonrepudiation, and
availability (Ilyas, 2003; Nichols & Lekkas, 2002;
Security Attacks Wu et al., 2005; Yang, Luo, Ye, Lu, & Zhang,
2004). Authentication is the ability to verify that
While MANETs can be quickly and inexpensively a peer entity in an association is the one it claims
setup as needed, security is a more critical issue to be, or can be used for the determination of data
compared to wired networks or other wireless origins. Availability ensures the survivability of the
counterparts. Many passive and active security network service despite denial-of-service attacks.
attacks could be launched from the outside by Confidentiality ensures that certain information is
malicious hosts or from the inside by compromised never disclosed to unauthorized entities. Integrity
hosts (Lou & Fang, 2003; Murthy & Manoj, 2005; guarantees that a message being transferred is
Wu, Chen, Wu, & Cardei, 2006). not corrupted. Nonrepudiation ensures that the
origin of a message cannot deny having sent the
• Passive attacks: In passive attacks, an message. Access control is the ability to limit and
intruder captures the data without altering control access to devices and/or applications via
them. The attacker does not modify the data communication links. The main security services
and does not inject additional traffic. The can be summarized as follows:
goal of the attacker is to obtain information
that is being transmitted, thus violating the • Authentication: The function of the authen-
message confidentiality. Since the activity of tication service is to verify a user’s identity
the network is not disrupted, these attacks and to assure the recipient that the message
are difficult to detect. A powerful encryption is from the source that it claims to be from.
mechanism can alleviate these attacks, mak- First, at the time of communication initiation,
ing it difficult to read the transmitted data. the service assures that the two parties are
A Survey of Key Management in Mobile Ad Hoc Networks
authentic, that each is the entity it claims to encrypt and decrypt the messages, while in the
be. Second, the service must assure that a third asymmetric-key approach, different keys are used
party does not interfere by impersonating one to convert and recover the information. Although
of the two legitimate parties for the purpose the asymmetric cryptography approaches are ver-
of authorized transmission and reception. satile (can be used for authentication, integrity, and
• Confidentiality: Confidentiality ensures privacy) and are simpler for key distribution than the
that the data/information transmitted over symmetric approaches, symmetric-key algorithms
the network is not disclosed to unauthorized are generally more computation-efficient than the
users. Confidentiality can be achieved by asymmetric cryptographic algorithms (Tanen-
using different encryption techniques such baum, 2003). There are varieties of symmetric and
that only legitimate users can analyze and asymmetric algorithms available, including data
understand the transmission. encyrption standard (DES), advanced encryption
• Integrity: The function of integrity control is standard (AES), international data encryption
to assure that the data are received exactly as algorithm (IDEA), RSA, and EIGamal (Menezes,
sent by an authorized party. That is, the data Oorschot, & Vanstone, 1996). Threshold cryptog-
received contain no modification, insertion, raphy is another cryptographic technique that is
deletion, or replay. quite different from the above two approaches. In
• Access control: This service limits and Shamir’s (k, n) secret sharing scheme, secret infor-
controls the access of a resource such as a mation is split into n pieces according to a random
host system or application. To achieve this, polynomial. Meanwhile, the secret could be recov-
a user trying to gain access to the resource ered by combining any threshold k pieces based
is first identified (authenticated) and then the on Lagrange interpolation. These cryptographic
corresponding access rights are granted. algorithms are the security primitives that are
• Nonrepudiation: This is related to the fact widely used in wired and wireless networks. They
that if an entity sends a message, the entity can also be used in MANETs and help to achieve
cannot deny that it sent that message. If an the security in its unique network settings.
entity gives a signature to the message, the
entity cannot later deny that message. In Key Management
public key cryptography, a node A signs the
message using its private key. All other nodes As in the above description, cryptography is a
can verify the signed message by using A’s powerful tool in achieving security. However, most
public key, and A cannot deny the message cryptosystems rely on the underlying secure, robust,
with its signature. and efficient key management subsystem. In fact,
• Availability: This involves making network all cryptographic techniques will be ineffective if
services or resources available to the legiti- the key management is weak. Key management is
mate users. It ensures the survivability of the a central part of the security of MANETs. In MA-
network despite malicious incidences. NETs, the computational load and complexity for
key management are strongly subject to restriction
Security Mechanisms by the node’s available resources and the dynamic
nature of network topology. Some asymmetric and
Cryptography is an important and powerful tool symmetric key management schemes (including
for secure communications. It transforms readable group key) have been proposed to adapt to the envi-
data (plaintext) into meaningless data (ciphertext). ronment of MANETs. Key management deals with
Cryptography has two dominant categories, namely key generation, key storage, distribution, updating,
symmetric-key (secret-key) and asymmetric-key revocation, deleting, archiving, and using keying
(public-key) approaches (Saloma, 1996). In sym- materials in accordance with security policies. In
metric-key cryptography, the same key is used to this chapter, we present a comprehensive survey
A Survey of Key Management in Mobile Ad Hoc Networks
A Survey of Key Management in Mobile Ad Hoc Networks
authentication code (HMAC) (Menezes et al., Key management for large dynamic groups
1996) are techniques used for data authentication is a difficult problem because of scalability and
and/or integrity purposes. Similarly, the public key security. Each time a new member is added or an
is protected by the public-key certificate, in which old member is evicted from the group, the group
a trusted entity called the certification authority key must be changed to ensure backward and
in public key infrastructure (PKI) vouches for forward security. Backward security means that
the binding of the public key with the owner’s new members cannot determine any past group key
identity. In systems lacking a TTP, the public- and discover the previous group communication
key certificate is vouched for by peer nodes in messages. Forward security means that evicted
a distributed manner, such as PGP (Burnett & members cannot determine any future group key
Paine, 2001). In some distributed approaches, the and discover the subsequent group communication
system secret is distributed to a subset or all of the information. The group key management should
network hosts based on threshold cryptography. also be able to resist against colluded members.
Obviously, a certificate cannot prove whether an
entity is “good” or “bad.” However, it can prove trust Models
ownership of a key. Certificates are mainly used
for key authentication. Centralized Trust Model
A cryptographic key could be compromised or
disclosed after a certain period of usage. Since the For the centralized trust model, there is a well-
key should no longer be usable after its disclosure, trusted entity known as a TTP (Kaufmanet, Perl-
some mechanism is required to enforce this rule. man, & Speciner, 2002; Menezes et al., 1996). A
In PKI, this can be done implicitly or explicitly. TTP is an entity trusted by all users in the system,
The certificate contains the lifetime of validity; it and it is often used to provide key management
is not useful after expiration. However, in some services. Depending on the nature of their involve-
cases, the private key could be disclosed during the ment, TTPs can be classified into three categories:
valid period, in which case the CA needs to revoke inline, online, or off-line. See Figure 2 for an il-
a certificate explicitly and notify the network by lustration. An inline TTP participates actively in
posting it onto the certificate revocation list (CRL) between the communication path of two users.
to prevent its usage. An online TTP participates actively but only for
(a) (b)
Offline TTP
(c)
A Survey of Key Management in Mobile Ad Hoc Networks
management purposes, as the two parties com- 2. The TTP encrypts the session key with the key
municate with each other directly. An off-line TTP it shares with Bob and returns it to Alice.
communicates with users prior to the setting up of 3. Alice sends the encrypted session key to
communication links and remains off-line during Bob, who can decrypt it and thereafter use
network operation. it to communicate securely with Alice.
KDC or KTC
Alice Bob
A Survey of Key Management in Mobile Ad Hoc Networks
End Entity
Certificate/CRL Repository
PKI Components
Registration
Authority
Certifiation
Authority
network, such as the Internet. We will discuss the not populate enough to provide certificate chains
fully distributed or web-of-trust model later. for a given pair of nodes, so it is difficult to predict
A PKI provides the mechanisms needed to whether any given authentication request can be
manage certificates, and normally consists of the fulfilled. Second, without relying on a TTP, any
components illustrated in Figure 4. trust relationship relies on the goodwill and the
In this diagram, the CA is the component correct behaviors of all participants. Obviously, that
responsible for issuing and revoking certificates, cannot always be assumed. However, since there is
while the registration authority (RA) is respon- no clear way to tell if a certificate chain includes
sible for establishing the identity of the subject any misbehaving nodes, the overall confidence for
of a certificate and the mapping between the the certificate is relatively low.
subject and its public key. The RA and CA can be
implemented as one component; therefore, RA is Decentralized Trust Model
an optional component. PKI components provide
basic services, such as registration, initialization, In MANETs, a framework for key management
certification, key update, revocation, key recovery, built on a fully centralized mode is not feasible, not
cross-certification, and so forth. only because of the difficulty of maintaining such a
globally trusted entity but also because the central
Web-of-Trust Model entity could become a hotspot of attacks. Thus,
this network suffers from a security bottleneck.
The web-of-trust model is also called certificate Meanwhile a completely distributed model may
chaining. PGP (Tanenbaum, 2002) is an example not be acceptable because there is no well-trusted
built on this trust model. In the web-of-trust model security anchor available in the whole system. One
there is no TTP that is well-trusted by all network feasible solution is to distribute the central trust
nodes. Instead, peer nodes can issue certificates to multiple entities (or the entire network) based
to each other and populate the certificate graph. on a secret sharing scheme. In the decentralized
Certificates can be authenticated through certifi- public key management scheme, the system public
cate chaining. Compared with the centralized trust key is distributed to the entire network, while the
model, the web-of-trust model does not require a system private key is split to multiple pieces and
heavy infrastructure or complex bootstrapping distributed to a subset (or all) of the nodes. The
procedures, and every node plays an identical role subset of group nodes creates a view of a CA and
and shares the same responsibility. Although the functions as a CA in combination.
web-of-trust model has the above advantages, it has
two major limitations. First, a certificate graph may
A Survey of Key Management in Mobile Ad Hoc Networks
This scheme takes advantage of the positive as- There are research papers that are based on the
pects of two different trust systems. The basic symmetric-key cryptography for securing MA-
idea is to incorporate a TTP into the certificate NETs. For instance, some symmetric key man-
graph. Here, the TTP is a virtual CA node that agement schemes are proposed for sensor nodes
represents all nodes that comprise the virtual CA. that are assumed to be incapable of performing
Some authentication metrics, such as confidence costly asymmetric cryptographic computations.
value, are introduced in order to “glue” two trust Pair-wise keys can be preloaded into nodes, or
systems (Yi & Kravets, 2004). While this model based on the random key distribution in which a
is theoretically sound, it is difficult to “glue” two set of keys is preloaded. Chan (2004) introduces
different trust systems since there is no clear way a distributed symmetric key distribution scheme
to assign a value of confidence level. for MANETs. The basic idea is that each node is
preloaded with a set of keys from a large key pool
overview of key Management (Chan, Perrig, & Song, in press; Du, Deng, Han,
schemes in MAnEts & Varshney, 2003). The key pattern should satisfy
the property that any subset of nodes can find at
least one common key, and the common key should
Asymmetric Key Management Schemes
not be covered by a collusion of a certain number
of other nodes outside the subset. Chan and Per-
Recently, research papers have proposed different
rig (2005) introduce a symmetric key agreement
key management schemes for MANETs. Most of
scheme for the sensor nodes. The basic idea of
them are based on public-key cryptography. The
their approach is that each node shares a unique
basic idea is to distribute the CA’s functionality
key with a set of nodes vertically and horizontally
to multiple nodes. Zhou and Hass (1999) present a
(in 2-dimensions). Therefore, any pair of nodes can
secure key management scheme by employing (t,
rely on at least one intermediate node to establish
n) threshold cryptography. The system can tolerate
the common key.
t-1 compromised servers. Luo et al., (2004, 2001)
propose a localized key management scheme in
which all nodes are servers and the certificate Group Key Management Schemes
service can be performed locally by a threshold
number of neighboring nodes. Yi, Naldurg, and Collaborative and group-oriented applications in
Kravets (2002) put forward a similar scheme. The MANETs are going to be active research areas.
difference is that their certificate service is dis- Group key management is one of the basic build-
tributed to a subset of nodes, which are physically ing blocks in securing group communications.
more secure and powerful than the others. Wu, However, key management for large dynamic
Wu, and Dong, (in press) also introduce a scheme groups is a difficult problem because of scalabil-
that is similar to Yi, in which server nodes form ity and security (Rafaeli & Hutchison, 2003). For
a mesh structure and a ticket scheme is used for instance, each time a new member is added or an
efficiency. Capkun, Buttyan, and Hubaux (2003) old member is evicted from a group, the group key
consider a fully distributed scheme that is based must be changed to ensure backward and forward
on the same idea of PGP. Yi and Kravets (2004) security.
provide a composite trust model. Their idea is to
take advantage of the positive aspects of both the
central and fully distributed trust models.
A Survey of Key Management in Mobile Ad Hoc Networks
AsyMMEtrIc kEy MAnAgEMEnt ficiently in case the servers are scattered in a large
scHEMEs In MAnEts area. A share-refreshing scheme is proposed to
counter mobile adversaries. The update of secret
secure routing Protocol (srP) shares does not change the system public/private
key pairs. Therefore, nodes in the network can still
SRP is a decentralized public key management use the same system public key to verify a signed
protocol proposed by Zhou and Hass (1999) by certificate so that the share-refreshing is transpar-
employing (t, n) threshold cryptography (Shamir, ent to all nodes. However, a method of distributing
1979; Wong, Wang, & Wing, 2002) in their research these updated subshares to all nodes securely and
paper called “Securing Ad Hoc Networks.” In the efficiently in the network is not addressed.
system, there are n servers, which are responsible
for public-key certificate services. Therefore, the ubiquitous and robust Access
system can tolerate t-1 compromised servers. control (ursA)
Servers can proactively refresh the secret shares
using the proactive secret sharing (PSS) (Herzberg, URSA is a localized key management scheme
Jarecki, Krawczyk, & Yung, 1995) techniques or by proposed by Luo et al. (2004, 2001) in their paper
adjusting the configuration structure based on share “URSA: Ubiquitous and Robust Access Control
redistribution techniques to handle compromised for Mobile Ad Hoc Networks”. The URSA proto-
servers or system failure. Since the new shares are col is also based on threshold cryptography as in
independent of the old ones, mobile adversaries SRP (Zhou & Haas 1999). The difference between
would have to compromise a threshold number URSA and SRP is that in URSA, all nodes are
of servers in a very short amount of time, which servers and are capable of producing a partial
obviously increases the difficulty of the success certificate, while in SRP only server nodes can
of adversaries. The system configuration of this produce certificates. Thus, certificate services are
scheme is illustrated in Figure 5. The system public distributed to all nodes in the network. URSA also
key K is distributed to all nodes in the network, proposes a distributed self-initialization phase that
whereas the private key S is split to n shares s1, allows a newly joined node to obtain secret shares
s2, s3, …, sn, one share for each server according by contacting a coalition of k neighboring nodes
to a random polynomial function. without requiring the existence of an online secret
In this scheme, the system model is such that n share dealer. The basic idea is to extend the PSS
servers are special nodes, each with its own public/ technique by shuffling the partial shares instead
private key pair and the public key of every node of shuffling the secret sharing polynomials. The
in the network. This is a critical issue in a large purpose of this shuffling process is to prevent
network. However, this scheme does not describe deducing the original secret share from a result-
how a node can contact t servers securely and ef- ing share.
S S S
Polynominal function
A Survey of Key Management in Mobile Ad Hoc Networks
In URSA, every node should periodically update CA is distributed to a subset of nodes. A service-
its certificate. To update its certificate, a node must requesting node can locate k + α MOCA nodes
contact its 1-hop neighbors, and request partial either randomly, based on the shortest path, or
certificates from a collection of threshold k number according to the freshest path in its route cache.
of nodes. It can combine partial certificates into a However, the critical question is how nodes can
legitimistic certificate. This will introduce either discover those paths securely since most secure
communication delays or cause search failures. routing protocols are based on the establishment
It could potentially utilize services from 2-hop of a key service in advance.
neighboring nodes.
The advantage of this scheme is efficiency self-organized key Management
and secrecy of local communications, as well as
system availability since the CA’s functionality Capkun et al. (2002) consider a fully distributed
is distributed to all network nodes. On the other key management scheme in their paper “Self-
hand, it reduces system security, especially when organized Public Key Management for Mobile
nodes are not well-protected because an attack can Ad Hoc Networks”. This scheme is based on the
easily locate a secret holder without much search- web-of-trust model that is similar to PGP. The
ing and identifying effort. One problem is that in a basic idea is that each user acts as its own authority
sparse network where a node has a small number and issues public key certificates to other users.
of neighbors, the threshold k is much larger than A user needs to maintain two local certificate re-
the network degree d and a node that wants to positories. One is called the nonupdated certificate
have its certificate updated needs to move around repository and the other one is called the updated
in order to find enough partial certificate “produc- certificate repository. The reason a node maintains
ers.” The second critical issue is the convergence in a nonupdated certificate repository is to provide
the share-updating phase. Another critical issue is a better estimate of the certificate graph. Key
that too great an amount of off-line configuration authentication is performed via chains of public
is required prior to accessing the networks. key certificates that are obtained from other nodes
through certificate exchanging, and are stored in
Mobile Certificate Authority (MOCA) local repositories.
The fully distributed, self-organized certificate
MOCA is a decentralized key management scheme chaining has the advantage of configuration flex-
proposed by Yi et al. (2002) in their paper “Key ibility and it does not require any bootstrapping
Management for Heterogeneous Ad Hoc Wireless of the system. However, this certificate chaining
Networks”. In this approach, a certificate service requires a certain period to populate the certificate
is distributed to mobile certificate authority nodes. graph. This procedure completely depends on the
MOCA nodes are chosen based on heterogeneity individual node’s behavior and mobility. One the
if the nodes are physically more secure and com- other hand, this fully self-organized scheme lacks
putationally more powerful. In cases where nodes any trusted security anchor in the trust structure
are equally equipped, they are selected randomly that may limit its usage for applications where
from the network. The trust model of this scheme high security assurance is demanded. In addition,
is a decentralized model since the functionality of many certificates need to be generated and every
node should collect and maintain an up-to-date
Figure 6. An example of certificate chain
Ka Kc Kd Kb
Alice Bob
A Survey of Key Management in Mobile Ad Hoc Networks
certificate repository. The certificate graph, which represents all nodes that comprise the virtual CA.
is used to model this web-of-trust relationship, Some authentication metrics, such as confidence
may not be strongly connected, especially in the value, are introduced in order to “glue” two trusted
mobile ad hoc scenario. In that case, nodes within systems. A node certified by a CA is trusted with
one component may not be able to communicate a higher confidence level. However, properly as-
with nodes in different components. Certificate signing confidence values is a challenging task. An
conflicting is another potential problem in this example of a composite key management model
scheme. is shown in Figure 7.
Kf
Kc 0.
Virtual CA
0.
0.
0.
.0
Ka 0. Ke Kd Kb
0.
Alice Bob
0
A Survey of Key Management in Mobile Ad Hoc Networks
tography. However, no schemes except for SEKM secure shared key discovery procedure (SSD). The
present detailed, efficient, and secure procedures theory behind the SSD is the additive and scalar
for communications and cooperation between se- multiplicative homomorphism of the encryption
cret shareholders that have more responsibilities. In algorithm as well as the property of nontrivial zero
SEKM, all servers that have a partial system private encryption. To discover the common secret key, one
key are to connect and form a server group. The side of the two parties can form a polynomial and
structure of the server group is a mesh structure send the encrypted polynomial to the other side.
as shown in Figure 8. Periodic beacons are used The coefficients of the polynomial are encrypted
to maintain the connection of the group so serv- with the sender’s secret key. The other side will
ers can efficiently coordinate with each other for send back the encrypted polynomial multiplied by a
share updates and certificate service. The problem random value. Because of the homomorphism and
with SEKM is that, for a large network with highly nontrivial zero encryption properties, either side
dynamic mobility, maintaining the structure server can only discover the common secret key, without
group can be costly. disclosing the other noncommon keys.
A Survey of Key Management in Mobile Ad Hoc Networks
the nodes that share a unique key with node A, and and distribution of group keys. Recently, collabora-
light lines connect nodes that share a unique key tive and group-oriented applications in MANETs
with node B. There are six nodes that each share have become an active research area. Obviously,
a unique key with node A and node B. group key management is a central building block
in securing group communications in MANETs.
However, group key management for large and
grouP kEy MAnAgEMEnt dynamic groups in MANETs is a difficult prob-
APProAcHEs lem because of the requirement of scalability and
security under the restrictions of nodes’ available
The messages are protected by encryption using resources and unpredictable mobility.
the chosen key, which in the context of group com- The literature presents several approaches to
munication is called the group key. Only those who group key management. In this section, we give
know the current group key are able to recover the an overview of those protocols. Most of the fol-
original message. Group key establishment means lowing group key protocols are designed for the
that multiple parties want to create a common secret infrastructure networks. However, with the proper
to be used in the secure exchange of information. extension, some of them could be utilized and
Two people who did not previously share a common adapted to the MANET environment, or could serve
secret can create one common secret with a DH key as a hint for the design of MANET-specific group
exchange protocol. The 2-party DH protocol can key management protocols. For instance, group
be extended to a generalized version of the n-party Diffie-Hellman (GDH) and logical key hierarchy
DH key-exchange model. Research efforts have (LKH) have been extended into the MANETs.
been put into the design of group key agreement Wu, Wu, and Dong (in press) propose a simple and
protocols to achieve better scalability, efficiency, efficient group key management scheme, called
and storage saving, such as the introduction of a SEGK, for MANETs. The basic idea of SEGK is
tree structure and hash function. Furthermore, that a physical multicast tree is formed in MANETs
the group key management also needs to address for efficiency. Group members take turns acting
the security issue related to membership changes. as group coordinator to compute and distribute
The modification of membership could require the intermediate key materials to group members.
group key to be refreshed (e.g., periodic rekey). The keying materials are delivered through the
The change of group keys when old members tree links. The coordinator is also responsible for
leave or new members join ensures backward and maintaining the connection of the multicast group.
forward security. Therefore, a group key scheme All group members can compute the group key
must provide a scalable and efficient mechanism locally in a distributed manner.
to rekey the group.
Group key management protocols can be logical key Hierarchy (lkH)
roughly classified into three categories, namely,
centralized, decentralized, and distributed (Rafa- LKH is a centralized group key management
eli & Hutchison, 2003). In centralized group key scheme proposed by Wallner, Harder, and Agee
protocols, a single entity is employed to control (1998) (Wong, Gouda, & Lam, 1998). It is based on
the whole group and is responsible for rekeying the tree structure with each user (group participant)
and distributing group keys to group members. corresponding to a leaf and the group initiator as
In the decentralized approaches, a set of group the root node. The tree structure will significantly
managers is responsible for managing the group reduce the number of broadcast messages and
as opposed to a single entity being held respon- storage space for both the group controller and
sible. In the distributed method, group members group members. The operation of this scheme is
themselves contribute to the formation of group outlined below.
keys and are equally responsible for the rekeying
A Survey of Key Management in Mobile Ad Hoc Networks
Figure 10. A sample tree structure of LKH shows keys that are affected. The new member
U5 receives a secret key k5 and attaches the inter-
k0
mediate node k56 logically. The keys k56, k58,
k14 k58
and k0, which are in the path from k5 to k0, need
to be refreshed. New keys, k’56, k’58, and k’0,
k12 k34 k56 k78 are generated as illustrated in Figure 11. These
keys are encrypted with their respective node’s
k1 k2 k3 k4 k5 k6 k7 k8
children’s key, for example, one instance of k’56
u1 u2 u3 u4 u5 u6 u7 u8 is encrypted by k5 and the other copy is encrypted
by k6 (see Figure 11). The removal of a member
follows a similar procedure. For instance, when
member U6 leaves the group, k56, k58, and k0
Each leaf node shares a pair-wise key with the should be changed and the new set of keys k’56,
root node as well as a set of intermediate keys from k’58, and k’0 are encrypted with their respective
it to the root. So, for a balanced binary tree, each children’s key. See Figure 12 for an illustration of
group member stores at most d+1 keys, where d a member leave.
= log2 n is the height of the tree, and n is the total
number of group members. See Figure 10: U5 stores one-way function trees (oft)
k5, k56, k58, and k0.
When a member joins the group, the rekey OFT is another centralized group key management
procedure will be started. A rekey message is scheme proposed by Sherman and McGrew (2003).
generated containing the new set of keys encrypted It is based on the tree structure that is similar to
with its respective node’s children key. Figure 10 the above LKH scheme. However, all keys in the
OFT scheme are functionally related according
to a one-way hash function. The idea is that the
Figure 11. Illustration of joining member U5 keys held by a node’s children are blinded using
{k’0}k’
a one-way hash function and then combined to-
{k’0}k
k’0
{k’}k’
gether using a mixing function, such as a bitwise
{k’}k exclusive-or operation. Each group user receives
k14
{k’}k
k’58
blind keys from its sibling set as well as the blind
{k’}k
key of its own sibling. Based on collected blinded
k’56 k78
keys, the group users can deduce each key of its
ancestor set. See Figure 13 for an illustration. k6
k5 k6 is the key of U5’s sibling. k56, k58, and k0 are the
u5 u6 keys of U5’s ancestor set. k78 and k14 are the keys
of U5’s sibling set.
Figure 12. Illustration of leaving member U6
{k’0}k’
{k’0}k
Figure 13. A sample tree structure of OFT
k’0 {k’}k’
{k’}k
k0
k14 k’58
k14 k58
{k’}k
k’56 k78
k12 k34 k56 k78
k5 k6
k1 k2 k3 k4 k5 k6 k7 k8
u5 u6 u1 u2 u3 u4 u5 u6 u7 u8
A Survey of Key Management in Mobile Ad Hoc Networks
A group user still needs to store d+1 keys, In TGDH, a sponsor takes a special role that
where d = log2 n is the height of the tree, and n is can involve computing keys and broadcasting the
the total number of group members. The scheme blinded keys to the group during events of member
has the same complexity as the LKH scheme for join, leave, partition, and merge. Any member in
a balanced tree structure, but in the rekeying pro- the group can take on this responsibility. Figure
cess, the size of keying materials reduces from 2 15 illustrates the operation of member join. When
· log2 n to log2 n. M4 joins the group, sponsor M3 will rename node
<1, 1> to <2, 2>, generate a new intermediate node
Figure 14. Illustration of join member U5 in <1, 1> and new member node <2, 3>, and promote
OFT <1, 1> as the parent node of <2, 2> and <2, 3>.
{g(k’)}k
Sponsor M3 knows blinded key BK<2, 3> (the blind
k’0
g(k’) key of newly joined member) and BK<1, 0>, so M3
{g(k’)}k
k14
can compute the new group key K<0, 0> as it can
k’58
{g(k)}k
Figure 15. Illustration of join member in TGDH
g(k’)
k’56 k78
g(k)
k5 k6
u5 u6
A Survey of Key Management in Mobile Ad Hoc Networks
actually contains three key distribution schemes Step 3: Each group member Ui computes the com-
n −1 n−2
mon secret: ki = ( zi −1 ) i ⋅ X i ⋅ X i +1 ... X i −2 mod p.
nr
that are extended from the DH protocols. In this
chapter, we only give the algorithm of GDH.3 That is, each group user will come up with the
and ignore GDH.1 and GDH.2 since these two same secret k = g r1r2 + r2r3 +...+rnr1 mod p which is the
protocols need a total of O(n2) exponentiations. group key shared by all group members.
The first stage involves collecting contributions In BD scheme, each group member needs to
from all group members (upflow). At the end of perform n+1 exponentiations. It also requires a total
this stage, user Un-1 obtains g ∏{ N k |k∈[1,n−1]} and number of 2n broadcast messages. Considering a
broadcasts this value to all other group members simple example with a group of four users, A, B,
at the second stage. At the third stage, every user C, and D, in the group, user B can compute k =
Ui (i ≠ n) factors out its own exponent and forwards (ga)4b ∙ (gcb/gab)3 ∙ (gdc/gbc)2 ∙ (gad/gcd)1 = gab+bc+cd+da.
the result to the last user Un. At the final stage, Un Obviously, it can be verified that other users A, C,
collects all inputs from the previous stage, raises and D can compute the same key as B.
every one of them to the power of Nn and broadcasts
the resulting n-1 values to the rest of the group. In skinny tree (str)
the end, every group member has a value of the
form g ∏{ Nk |k∈[1,n ]∧k ≠i} and can easily compute the STR is a simple group key management scheme
group key Kn. Member addition and deletion can proposed by Steer, Strawczynski, Diffie, and Wie-
be handled easily in this scheme. ner (1990). It is also extended from the DH. STR
A simple example is shown below to illustrate requires group users to be ordered in a chain. The
the operation of this scheme for a group of four outline of the algorithm is the following:
members, A, B, C, and D:
Step 1: Every user generates a random number ri,
Stage 1: A {B}: ga ; B{C}: gab and broadcasts g ri mod p.
Stage 2: C {A, B, D}: gabc Step 2: Users are ordered as a chain. The first and
Stage 3: A{D}: gbc ; B{D}: gac ; C{D}: gab the second user can calculate the value
Stage 4: D{A, B, C}: gbcd , gacd , gabd , {gabc} (... g ( r3g
( r1r2 ) )
))
( rn g ( rn−1g
Stage 5: K= gabcd k=g )
A Survey of Key Management in Mobile Ad Hoc Networks
Group key K
gg
n c g n a nb
g nd nc g na nb nc g na nnba nb nc g na nb
g g ( g ) d = g )d g ( n = =g gnnd ) g (= ( g )
nc g n a nb
g ncd n g n a nb
nd g nc g nd g
D
g n a nb g nc nd
g
na nb nc na nb na nb na nb na nb
g n a nb
C ( g) gc ) c(g = ng=ncgg nc n) g = ( g(= nc g) g g
g na g nb nc
algorithms require the use of keying materials. If Currently, secure group communications, such as
the cryptographic key is disclosed, then there is dynamic conferencing or multicasting in MANETs,
no security at all. Obviously, key management is is becoming an active research area. The security
in the central part of any secure communication of group communication involves the management
and is the weakest point of the security. However, of group keys. For efficiency, tree-based structures
ensuring the security of MANETs is more challeng- are utilized when a central or virtual central control
ing because of the host mobility, shared wireless entity is available. Most contributory group key dis-
medium, resource constraint of physical devices, tributions are based on DH protocol with different
and most seriously, lack of a fixed and trustable implementations. Meanwhile, key management can
control point in MANETs. Designing and build- also be classified into symmetric and asymmetric
ing an underlying secure, robust, and scalable key key management depending on the underlying
management system is a difficult problem that has cryptographic algorithms used. Currently, most
received increased attention recently. The current key management schemes are based on asymmetric
research on key management in MANETs is still cryptosystems. However, for some specific types
at its early stage. of MANETs, such as sensor networks, the sym-
Research on key management in MANETs goes metric key management scheme is dominant. An
in three directions according to the trust models, example of a symmetric approach is the random
which are centralized, decentralized, and fully key predistribution in sensor networks.
distributed. While centralized approaches are In summary, based on different assumptions,
of least interest in MANETs, decentralized ap- many key management protocols have been
proaches have gained a lot of research attention. proposed for MANETs. All key management ap-
The fully distributed trust model is also favored proaches are subject to various restrictions such as
for MANETs. Interestingly, a hybrid approach that the mobile device’s available resources, the network
combines the centralized model with the distributed bandwidth, and MANETs dynamic nature. An
scheme has been proposed recently. efficient key management protocol for MANETs
Key management in MANETs can also be is an ongoing hot research area.
roughly classified into unicast and multicast key
management according to the communication type.
Previously, most research focused on the secure rEfErEncEs
pair-wise communications, and key management
focus was on how to distribute or establish a ses- Burmester, M., & Desmedt, Y. (1994). A secure
sion key between a pair of communication parties. and efficient conference key distribution system.
A Survey of Key Management in Mobile Ad Hoc Networks
In A. De Santis (Ed.), Advances in Cryptology Kim, Y., Perrig, A., & Tsudik, G. (2000b). Simple
– EUROCRYPT ’94 (No. 950). and fault-tolerant key agreement for dynamic col-
laborative groups. Paper presented at the 7th ACM
Burnett, S., & Paine, S. (2001). RSA security’s of-
Conference on Computer and Communications
ficial guide to cryptography. RSA Press.
Security (pp. 235-244). ACM Press.
Capkun, S., Buttya, L., & Hubaux, P. (2003).
Lou, W., & Fang, Y. (2003). A survey of wireless
Self-organized public key management for mobile
security in mobile ad hoc networks: Challenges
ad hoc networks. IEEE Transactions on Mobile
and available solutions. In X. Chen, X. Huang, &
Computing, 2(1), 52-64.
D. Du (Eds.), Ad hoc wireless networks (pp. 319-
Chan, A. (2004). Distributed symmetric key man- 364). Kluwer Academic Publishers.
agement for mobile ad hoc networks. In Proceed-
Luo, H., & Lu, S. (2004). URSA: Ubiquitous and
ings of IEEE INFOCOM.
robust access control for mobile ad hoc networks.
Chan, H., & Perrig, A. (2005). PIKE: Peer interme- IEEE/ACM Transactions on Networking, 12(6),
diaries for key establishment in sensor networks. 1049-1063.
In Proceedings of IEEE INFOCOM.
Luo, H., Zerfos, P., Kong, J., Lu, S., & Zhang, L.
Chan, H., Perrig, A., & Song, D. (in press). Random (2001). Providing robust and ubiquitous security
key pre-distribution schemes for sensor networks. support for mobile ad-hoc networks. In Proceeding
In Proceedings of the IEEE Security and Privacy of the 9th International Conference on Network
Symposium. Protocols.
Du, W., Deng, J., Han, Y., & Varshney, P. (2003). A Menezes, A., Oorschot, P., & Vanstone, S. (1996).
pairwise key pre-distribution scheme for wireless Handbook of applied cryptography. CRC Press.
sensor networks. In Proceedings of the 10th ACM
Murthy, C., & Manoj, B. (2005). Ad hoc wireless
Conference on Computer and Communications
networks: Architectures and protocols. Prentice
Security (CCS), Washington, D.C.
Hall PTR.
Herzberg, A., Jarecki, S., Krawczyk, H., & Yung,
Nichols, R., & Lekkas, P. (2002). Wireless security-
H. (1995). Proactive secret sharing or: How to cope
models, threats, and solutions. McGraw Hill.
with perpetual leakage. Proceedings of Crypto’95,
5, 339-52. Oppliger, R. (1998). Internet and Intranet security.
Artech House.
Ilyas, M. (2003). The handbook of ad hoc wireless
networks. CRC Press. Perkins, C. (2001). Ad hoc networks. Addison-
Wesley.
Karygiannis, T., & Owens, L. (2002). Wireless
network security-802.11, bluetooth and hand- Rafaeli, S., & Hutchison, D. (2003). A survey of
held devices (pp. 800-848) (special publication). key management for secure group communication.
National Institute of Standards and Technology, ACM Computing Surveys, 35(3), 309-329.
Technology Administration, U.S Department of
Ravi, S., Raghunathan, A., & Potlapally, N.
Commerce,.
(2002). Secure wireless data: System architecture
Kaufman, C., Perlman, R., & Speciner, M. (2002). challenges. In Proceedings of the International
Network security private communication in a Conference on System Synthesis.
public world. Prentice Hall PTR.
Saloma, A. (1996). Public-key cryptography.
Kim, Y., Perrig, A., & Tsudik, G. (2000a). Simple Springer-Verlag.
and fault-tolerant key agreement for dynamic
Shamir, A. (1979). How to share a secret. Com-
collaborative groups (Tech. Rep. 2/USC Tech.
munications ACM 1979, 22(11), 612-613.
Rep. 00-737).
A Survey of Key Management in Mobile Ad Hoc Networks
Sherman, T., & McGrew, A. (2003). Key estab- Wu, B., Wu, J., Fernandez, E., Ilyas, M., & Magliv-
lishment in large dynamic groups using one-way eras, S. (2005). Secure and efficient key manage-
function trees. IEEE Transactions on Software ment scheme in mobile ad hoc networks. Journal
Engineering, 29(5), 444-458. of Network and Computer Applications (JCNA),
30(3), 937-954.
Stallings, W. (2002). Wireless communication and
networks. Pearson Education. Wu, B., Wu, J., Fernandez, E., Magliveras, S., &
Ilyas, M. (2005). Secure and efficient key man-
Steer, D., Strawczynski, L., Diffie, W., & Wiener,
agement in mobile ad hoc networks. In Proceed-
M. (1990). A secure audio teleconference system.
ings of the 19th IEEE International Parallel &
Paper presented a the Advances in Cryptology
Distributed Processing Symposium. Workshop
– CRYPTO ‘88.
17, (pp. 288.1)
Steiner, M., Tsudik, G., & Waidner, M. (2000).
Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004).
Cliques: A new approach to group key agree-
Security in mobile ad hoc networks: Challenges
ment. In Proceedings of the 18th International
and solutions. IEEE Wireless Communications,
Conference on Distributed Computing Systems,
11(1), 38-47.
(pp. 380-387).
Yi, S., & Kravets, R. (2004). Composite key man-
Tanenbaum, A. (2002). Network security. Com-
agement for ad hoc networks. In Proceedings of
puter networks (4th ed.). Prentice Hall PTR.
the 1st Annual International Conference on Mobile
Tanenbaum, A. (2003). Computer networks. Pren- and Ubiquitous Systems: Networking and Services
tice Hall PTR. (MobiQuitous’04) (pp. 52-61).
Wallner, D., Harder, E. J., & Agee, R. (1998). Key Yi, S., Naldurg, P., & Kravets, R. (2002). Security
management for multicast: Issues and architectures, aware ad hoc routing for wireless networks (Report
internet draft (work in progress). Internet Eng. Task No. UIUCDCS-R-2002-2290, UIUC).
Force. draft-wallner-key-arch-01.txt,.
Zhou, L., & Haas, Z. (1999). Securing ad hoc net-
Wong, C., Gouda, M., & Lam, S. (1998). Secure works. IEEE Network Magazine, 13(6), 24-30.
group communications using key graphs. In Pro-
ceedings of the ACM SIGCOMM ’98 conference
on Applications, Technologies, Architectures,
and Protocols for Computer Communication (pp.
kEy tErMs
68-79).
Certification Authority (CA): A trusted third
Wong, T., Wang, C., & Wing, J. (2002). Verifiable party in an asymmetric cryptosystem that vouches
secret redistribution for threshold sharing schemes for the binding of the public key with an identity.
(Tech. Rep. CMU-CS-02-114-R). School of Com-
puter Science, Carnegie Mellon University.
Group Key: A common secret known by the
Wu, B., Chen, J., Wu, J., & Cardei, M. (2006). group members
A survey on attacks and countermeasures in mobile
Key: A set of values that a cryptographic al-
ad hoc networks. Wireless/mobile network security
gorithm operates on
(Chapter 12). Springer.
Key Distribution Center (KDC): A trusted
Wu, B., & Wu, J., and Dong, Y. (in press). An ef-
third party in a symmetric cryptosystem that estab-
ficient group key management scheme for mobile
lishes a shared secret key between two parties
ad hoc networks. International Journal of Security
and Networks (IJSN), 3(4).
A Survey of Key Management in Mobile Ad Hoc Networks
Key Management: The process of managing Mobile Ad Hoc Network (MANET): A col-
key materials in a cryptosystem which is related lection of mobile hosts form a temporary network
to key generation, storage, exchange, update, and without centralized administration.
replacement
Key Ring: A set of public or private keys used
in PGP.
00
Chapter XXXI
Security Measures for Mobile
Ad-Hoc Networks (MANETs)
Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada
AbstrAct
Mobile ad hoc networks (MANETs) have gained popularity in the past decade with the creation of a
variety of ad hoc protocols that specifically offer quality of service (QoS) for various multimedia traffic
between mobile stations (MSs) and base stations (BSs). The lack of proper end-to-end security coverage,
on the other hand, is a challenging issue as the nature of such networks with no specific infrastructure is
prone to relatively more attacks, in a variety of forms. The focus of this chapter is to discuss a number
of attack scenarios and their remedies in MANETs including the introduction of two entities; ad hoc key
distribution center (AKDC) and decentralize key generation and distribution (DKGD), which serve as
key management schemes.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security Measures for Mobile Ad-Hoc Networks (MANETs)
sive attacks). In a broader sense, an intruder claim to be, such as people, clients, and
should not be able to determine the parties servers.
involved or whether a communication session Geo-authentication: In this type of
occurred (anonymous routing). There are two authentication, the location of the
levels of confidentiality: nodes or any information about
Data confidentiality: In which the locations are to be verified and
unauthorized users are unaware of the authenticated.
existing protected data and their Attribute authentication: This is the
associated with data integrity: Protecting the receiver from the send
Unauthorized modification pro-
er’s denial that the data were sent by the
tection:Protecting against any sender.
illegitimate alteration. Protection against forward denial:
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
Table 1. continued
Increasing the noise level, which leads to the decrease of the signal to noise ratio (S/N), causes degradation of the
Noise Signal bandwidth and roll-back of the transmission rates. In severe cases it can lead to DoS attack.
Denial of service attack can also impact the media access control (MAC) layer. For this, the attacker does not have to
be physically tampering with the infrastructure, though the ability to inject frames directly into the channel is required.
A MAC-layer-based DoS attack offers the following advantages to the attackers:
DoS - Medium Independency: Since many MAC-based communication protocols (i.e., 802.11) have similar MAC layer
structures, a single MAC-layer attack can devastate many different infrastructures.
- Energy Efficiency: A MAC layer attack does not necessarily and directly deal with the weakening of the com-
munication signals, therefore these types of attacks require less amount of energy compared to the physical layer
attacks
Jamming happens when the communication channel is flooded with MAC layer queries. In this scenario, the MAC layer
Jamming will not be able to service legitimate queries. Jamming can be considered as a DoS attack at MAC layer.
In this type of attack, the attacker (or a malicious node) advertises a zero routing metric for all destinations. This
Blackhole causes all the neighbor nodes to route all their packets through the attacker (node). This can also be recognized as a
Attack DoS attack at the network layer.
In this attack, the attacker records packets at one location in the network and tunnels them to another location in the
Wormhole network. This can cause an abrupt of service (DoS) due to the invalidity of routes for the packets, which are routed
Attack through this tunnel.
This type of attack incorporates more than one attacker (malicious adversaries). A Byzantine attack involves the
Byzantine leaking of authentication/authorization secrets so that the malicious adversaries are indistinguishable from legitimate
Attack nodes. Therefore when adversaries are accepted in the communication schemes, they can cause various types of mali-
cious activities, such as route changes, route loops, and nonoptimal routes. Byzantine attacks are very difficult to be
identified.
In this scenario, a compromised node may leak confidential and vital information to unauthorized nodes in the net-
Information work, such as, geographic location of nodes (sender, receiver, and intermediate nodes), network topology, and optimal
Disclosure routes.
This type of attack can be discussed as a physical layer issue or a network layer issue. In the network layer, this type
Resource of attack directly deals with routing issues rather then energy related issues. Therefore, a malicious node tries to con-
Consumption sume and waste the resources in the network through network layer-related activities, such as, unnecessary requests
Attack for routes, very frequent beacon packet creations, initiating a lot of route discoveries, and forwarding of staled packets
to nodes.
Routing These types of attacks deal with the routing algorithms and procedures, such as, routing table overflow and poisoning,
Attacks packet replication, route cache poisoning, and rushing attack. These are further discussed more in the fifth section.
Other types of network layer attacks include attacks on IP header/address (address sweep scan, timestamp attack, source
Others route attack, record route attack, and fragment DoS attack) and internet control message protocol (ICMP) floods.
Attacks on Attacks on the transport control protocol (TCP) include acknowledgement (ACK) DoS, synchronization (SYN) flood,
TCP LAND attack (where spoofed TCP SYN is sent) “sending a spoofed TCP/SYN packet,” session and tear-down attacks,
session hijacking, and port-scan attack.
Attacks on Attacks on user datagram protocol (UDP) include port attack, (UDP flooding) and session hijacking (using a valid
UDP session ID).
Session, Higher layers (session, presentation, and application layers) are more specific and application oriented. Therefore these
Presentation, types of attacks vary in different networks and applications.
Application
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
to the OSI layered model, namely, physical, MAC, • Consumption of relatively more bandwidth
network, transport, session, presentation, and compared to identical amount of data transfer
application layers. Internet-based systems have in other routing schemes.
adopted a more simplified five-layer approach • Increase of traffic overhead due to the constant
based on transport control protocol (TCP)/IP pro- updates.
tocol stack suite, in which the top three layers of
the seven-layer model (session, presentation, and The advantage is that there is no delay in route
application layers) have been merged as a single and destination determination. Examples of proac-
layer: the TCP/IP application layer (see Figure 2) tive routing protocols are (Lang, 2003):
(Adibi, Erfani, & Harbi, 2006; Lu, 2002; Manoj
& Murthy, 2005). • DSDV (destination-sequenced distance vector
routing)
wireless routing Protocols in • OLSR (optimized link state routing)
general
Reactive (On-demand)
Ad hoc routing protocols are divided into the fol-
lowing categories: In reactive protocols, routes are determined as they
are needed through “route request (RREQ)” and
Proactive (Table-driven) “route reply (RREP)” inquiries. The advantage of a
reactive routing protocol is the fact that it requires
In these types of routing protocols, nodes constantly relatively fewer traffic overhead. The disadvantage
search for routing information and storing them of reactive routing protocols, however, is relatively
in tables, therefore when a route is needed, the longer delays due to the sending and receiving
route is already known. The major disadvantages RREQs and RREPs. Examples of reactive routing
of proactive routing protocols are: protocols are (Lang, 2003):
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
AttAcks on Ad Hoc routIng when nodes drop them due to the duplicate
Protocols suppression).
• Isolation: Ability to identify misbehaving
Attacks on ad hoc routing protocols are presented nodes and disable them from interfering with
in Figure 4 and Table 2. Again these attacks are the routing schemes. Preventing wormhole
categorized into passive and active attacks. Each and black hole are examples of this cat-
attack works in such a way as to paralyze a sec- egory.
tion of the routing protocol, therefore securing the • Lightweight computations: Assigning
routing protocols is very important. heavy computing tasks to the least possible
In order to prevent attacks on routing protocols, number of nodes (battery power protection)
security measures should be taken into consid- to prevent sleep deprivation.
eration to prevent attacks and fortify the routing • Location privacy: Protecting information
algorithms. These measures should provide the about the location of nodes in a network and
followings: the network structure, to prevent location
disclosure.
• Availability: Ultimately it should always be • Self-Stabilization – Automatically recover
possible (with very high probability) to find from any problem in a finite amount of time
an available route from any source to any without human intervention.
destination within the wireless range. In ad • Byzantine robustness: This requires the
hoc routing protocols, this feature should function of the routing protocol to work cor-
include preventing routing table overflow (an rectly even if some of the nodes participating
entry in the table to a nonexisting destination) in routing are intentionally disrupting its
and rushing attacks (an attacker disseminates operation. This is important in preventing
RREQs quickly throughout the networks, impersonation attacks.
suppressing any later legitimate RREQs
Figure 4. Active and passive attacks in ad hoc routing protocols (Adapted from Wang, Lu, & Bhargava,
2003)
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
independent security agents. This way out- These two methods will be discussed in details
siders could not identify the communicating in the next section.
parties.
• Hierarchical structure or zone-based rout-
ing: This type of routing protocol provides cHAllEngEs In sEcurE routIng
a foundation for authentication and local for MAnEts
link-state routing.
As mentioned previously, securing routing proto-
cols for wireless systems is more challenging than
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
securing wired protocols, because not only do all Data encryption (long-term, short-term)
of the possible wired-based attacks apply to ad hoc keys
networks, but also mobility allows new attacks. Keys based on random number
discussed in details later in this chapter altering the signal’s frequency spectrum
• Key management service: Because of the in such a way that the signal could not
difficulties in key exchange, the key man- be reconstructed and understandable
agement is a challenge in ad hoc networks. without the knowledge of the inversion
The following schemes are a few examples pattern.
of existing key exchange methods ("Key Frequency hopping: Dividing the
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
kEy MAnAgEMEnt APProAcHEs point. The fact that there is a known center
for key distribution and its location is known
Due to the variable nature of ad hoc network to- to all, makes the AKDC prone to a variety of
pologies and the physical and resource limitations, attacks, including DoS attack. This problem
key management is of great importance. There are is remedied by the use of a decentralized and
many proposals for the key management for ad hoc distributed scheme.
protocols, however we introduce two methods, • Decentralized key generation and distribu-
namely, ad hoc key distribution center (AKDC), tion: In a DKGD scheme (Figure 6), the key
and decentralized key generation and distribution management scheme is distributed across the
(DKGD) (Adibi et al., 2006): wireless range through DKGD agents. Every
ad hoc element discovers the closest DKGD
• Ad hoc key distribution center: As shown agent and binds with it. The fact that DKGDs
in Figure 5, AKDC uses a centralized ad hoc are distributed across the network poses less
scheme for key management, distribution, and of a security concern as the single point of
access. In the AKDC, each device wishing to failure is no longer an issue. No matter if
communicate with another device will have AKDC or DKGD is used, all legitimate lo-
to undergo the following series of processes cal ad hoc elements should register with the
by the AKDC: AKDC or the DKGD.
Identity and location determination • Ad hoc gateway access control (AGAC):
Authentication So far, the AKDC and DKGD schemes as-
Authorization sume in-domain communications among
Key provision ad hoc elements. However for inter-domain
Key delivery security measures when an outside element
A lot of intelligence and power must be inte- seeks communication to a local element, a
grated into the design of an AKDC, however, new element, which is called the AGAC, is
there are a few downsides of having a central responsible for the security concerns. AGAC
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
Figure 6. DKGD scheme (Adapted from Adibi, Erfani, & Harbi, 2006)
agents are located at the boundaries of radio server group. This provides and update for
domains, that is, where two or more local ad certificate services for all the participating
hoc domains intersect. nodes. For an efficient certificate delivery
• Secure and efficient key management service, a ticket mechanism is introduced
(SEKM): SEKM (Wu, Wu, Fernandez, Ilyas, and used.
& Magliveras, 2005) creates a public key • Self-organized CA (SOCA) (Michiardi,
infrastructure (PKI) using a secret shared 2004): In traditional cryptographic systems,
key scheme and on top of an underlying mul- there is one sender, one receiver, and an
ticast server groups. In SEKM, a view of the eavesdropper who is the opponent. However
certificate authority (CA) is created by each a SOCA is based on threshold cryptography.
0
Security Measures for Mobile Ad-Hoc Networks (MANETs)
Threshold cryptography allows one to share Web of trust (PGP): Which is a Peer-
the power of a cryptosystem in which the based (one-to-one) system and requires
power to regenerate a secret key is shared no Certificate Authority. PGP
among several agents (Figure 7). The ad- symmetric and public-key cryptography
vantage of this is the distributed approach schemes and includes a mechanism,
with self-organization. The downside is the which binds the public keys to the
network density. user identities.
Crypto-based ID: A crypto-based ID
There are several mechanisms, which are embed- suggests that having an identity
ded into the protocol schemes, which contribute implies being authorized, therefore no
to the robustness of security. Below is a list of a certificates are needed.
few of these mechanisms. Context-dependent authentication:
Security Measures for Mobile Ad-Hoc Networks (MANETs)
mind, the entire protocol functionalities have been destination and to store a local trust value related
designed for security in the the network layer. Four to each node throughout the network. A trust value
of these protocols are introduced as follow: is also assigned to each path based on nodes trust
values. The paths with higher trust values are
ArIAdnE (A secure on-demand preferred and selected for routing.
routing Protocol for Ad Hoc
networks) sdsr (secure dynamic source
routing)
ARIADNE (Hu, Perrig, & Johnson, 2002) relies
only on highly efficient symmetric cryptographic SDSR (Kargl, Geiss, Schlott, & Weber, 2005) pre-
systems and does not require a trusted hardware vents various potential (active and passive) attacks
or powerful processors. Routing messages can to the ad-hoc-based networks. It also deals with
be authenticated using ARIADNE through one selfish nodes in the following scenarios:
of the following three schemes: 1) Using shared
secrets among each pair of nodes, 2) Using shared • Motivation-based approaches: Try to moti-
secrets among communicating nodes together vate network users to actively participate in
with broadcast authentication, and 3) Using digital the MANET.
signatures. ARIADNE works well with timed ef- • Detect and exclude: This scheme detects
ficient stream loss-tolerant authentication (TESLA) and excludes selfish nodes from the routing
(Hu et al. 2002), which is an efficient broadcast scheme
authentication scheme that requires loose time • Mobile Intrusion Detection System (MobIDS):
synchronization, where a receiver knows an upper Focuses on integrating with other mecha-
bound of difference between sender’s local time nisms for detecting selfish nodes.
and the receiver’s local time.
Security Measures for Mobile Ad-Hoc Networks (MANETs)
posium on Personal, Indoor and Mobile Radio Manoj, B. S., & Murthy, C. S. R. (2005, January).
Communication (PIMRC 2003), vol. 2, (pp. 1331 Transport layer and security protocols for ad hoc
-1335). Beijing, China. wireless networks. Retrieved October 7, 2007,
from http://www.phptr.com/articles/article.asp?p=
Choi, H., Song, H., Cao, G., & Porta, T. L. (2005).
361984 &seqNum=10&rl=1
Mobile multi-layered IPsec. Paper presented at
the INFOCOM. Menezes, A. J., Oorschot, P. C. V., & Vanstone, S.
A. (1996). CRC handbook of applied cryptography.
Ghazizadeh, S., Ilghami, O., Sirin, E., & Yaman, F.
CRC Press.
(2002). Security-aware adaptive dynamic source
routing protocol. ILCN. Michiardi, P. (2004, March). Security in wireless
ad hoc networks. Institut Eurecom.
Hu, Y. C., Johnson, D. B., Perrig, A. (2002). SEAD:
Secure efficient distance vector routing for mobile Rhee, K. H., Park, Y. H., & Tsudik, G. (2004,
wireless ad hoc networks. MCSA. June). An architecture for key management in
hierarchical mobile ad-hoc networks. Journal of
Hu, Y. C., Perrig, A., & Johnson, D. B. (2002).
Communications and Networks, 6(2).
Ariadne: A secure on-demand routing protocol
for ad hoc networks. Paper presented at the MO- Wang, W., Lu, Y., & Bhargava, B. (2003, March).
BICOM. On security study of two distance vector routing
protocols for ad hoc networks. Purdue Univer-
Kargl, F. (2006, November). Threats and security
sity, CERIAS and Department of Computer Sci-
requirements for VANETs secure vehicle com-
ences.
munication. Paper presented at the C2C-CC Sec.
Workshop. Wu, B., Wu, J., Fernandez, E. B., Ilyas, M., &
Magliveras, S. (2005). Secure and efficient key man-
Kargl, F., Geiss, A., Schlott, S., & Weber, M. (2005).
agement in mobile ad hoc networks. Elsevier.
Secure dynamic source routing. Paper presented
at the HICSS.
Key Management, National Institute of Standards
and Technology (NIST). (2001, November). Re-
kEy tErMs
trieved October 7, 2007, from http://csrc.nist.
gov/encryption/kms/Key%20Mgmt%20Guideli Access Control: This is a security mechanism to
ne%20Overview.ppt make sure that only legitimate parties have access
to the data they are supposed to have access.
Lang, D. (2003, March). A comprehensive over-
view about selected ad hoc networking routing AKDC: Ad hoc key distribution center is a
protocols (Tech. Rep. No. TUM-I0311). Technische central component in an ad hoc network responsible
Universität München, Department of Computer for providing keys to ad hoc elements.
Science.
ARIADNE: A secure on-demand routing
Lu, Q. (2002, December). Vulnerability of wireless protocol for ad hoc networks.
routing protocols. University of Massachusetts
Amherst. Authentication: Authentication is required
to make sure communicating parties are the ones
Maleki, M., Dantu, K., & Pedram, M. (2002, who they claim to be.
August). Power-aware source routing protocol
for mobile ad hoc networks. In Proceedings of Availability: A stochastic measure of predict-
the Symposium on Low Power Electronics and ing the availability of the communication channel
Design (pp. 72-75). and resources to the users
Security Measures for Mobile Ad-Hoc Networks (MANETs)
Chapter XXXII
A Novel Secure Video
Surveillance System Over
Wireless Ad Hoc Networks
Hao Yin
Tsinghua University, China
Chuang Lin
Tsinghua University, China
Zhijia Chen
Tsinghua University, China
Geyong Min
University of Bradford, UK
AbstrAct
The integration of wireless communication and embedded video systems is a demanding and interest-
ing topic which has attracted significant research efforts from the community of telecommunication.
This chapter discusses the challenging issues in wireless video surveillance and presents the detailed
design for a novel highly-secure video surveillance system over ad hoc wireless networks. To this end,
we explore the state-of-the-art cross domains of wireless communication, video processing, embedded
systems, and security. Moreover, a new media-dependent video encryption scheme, including a reliable
data embedding technique and real-time video encryption algorithm, is proposed and implemented to
enable the system to work properly and efficiently in an open and insecure wireless environment. Extensive
experiments are conducted to demonstrate the advantages of the new systems, including high security
guarantee and robustness. The chapter would serve as a good reference for solving the challenging is-
sues in wireless multimedia and bring new insights on the interaction of different technologies within
the cross application domain.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
by the techniques in wireless communication, hoc wireless networks. The rest of this chapter is
video processing, embedded systems, and security organized as follows. Section 2 provides a review
guarantee. of wireless networks, ad hoc solution and security
Recent advances in embedded system and wire- issues. Section 3 presents the design and imple-
less communications are enabling cost-effective mentation for the new video surveillance system
digital wireless multimedia systems. The forth- and Section 4 evaluates its performance. Section 5
coming integration of wireless communications highlights the future trends in the relevant research
and embedded video systems is a demanding and areas. Finally, Section 6 concludes this chapter.
interesting research topic. Video surveillance has
resorted to wireless transmission due to the several
serious problems when the traditional coaxial or bAckground
high-tech fiber-optic cables are adopted to transmit
video images from the surveillance cameras to the wireless networks
stations at which the images are monitored and/or
recorded. Compared with the traditional wire-line Wireless technologies, in the simplest sense, en-
counterparts, wireless video surveillance systems able one or more devices to communicate without
do not require expensive and time-consuming physical connections (without requiring peripheral
system constructions and civil-engineering work. cabling). Wireless networks serve as the transport
They can therefore be deployed rapidly with negli- mechanism among mobile devices or between
gible environmental impact. Furthermore, wireless these devices and the fixed wired networks (e.g.,
systems generally require lower costs of network enterprise networks and the Internet). A wireless
maintenance, management, and operation. network has tremendous advantages in comparison
However, some fundamental issues, such as with its wired counterpart: no network cable has to
framework design of wireless networks, video be installed through walls and floors, thus greatly
processing, video data transmission, video quality reducing the cost and making the architecture
control, and system security should be resolved more flexible.
before wireless video surveillance systems can be The development of 802.11g (IEEE, 2003) based
successfully deployed (Garcia-Macias et al, 2003). on the orthogonal frequency-division multiplexing
Among these important issues, the system security (OFDM) technology allows high-load applications
is the most challenging problem that becomes the to be adapted in wireless environment. It is claimed
main concern of this chapter. Intel IXP425 network that an optimal throughput of 54Mps and a range
processor provides an ideal choice for implement- up to 100 feet indoors can be achieved. As the
ing secure ad hoc video surveillance system, but signal is modulated at 2.4 GHz, it is less affected
the security issue is still a hot-spot that IXP425 by walls and physical obstacles than 802.11a (5
cannot handle well. Therefore, an effective video GHz). Thus our system is based on the 802.11g
encryption algorithm is necessary and meaning- wireless infrastructure ad hoc networks.
ful in a wireless video surveillance system. At the
same time, the secure routing protocol and system Ad Hoc Solution
architecture should be carefully designed to avoid
serious security flaws (Yin, Lin, Sebastien, & Ad hoc networks are a new wireless networking
Chu, 2005). paradigm for mobile hosts. Unlike traditional
This chapter explores the state-of-the-art cross mobile wireless networks, ad hoc networks do not
domains of wireless communication, video pro- rely on any fixed infrastructure. Instead, hosts rely
cessing, embedded systems and security, discusses on each other to keep the network connected. Ad
the challenging issues in wireless video surveil- hoc networks are designed to dynamically connect
lance, and presents the detailed design of a novel remote devices such as cell phones, laptops, and
highly-secure video surveillance system over ad PDAs. These networks are termed “ad hoc” because
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
of their shifting network topologies. Whereas allow for easy extraction, and achieve a high
wireless LANs use a fixed network infrastructure, embedding rate. The most popular application
ad hoc networks maintain random configurations, of data embedding is digital watermark. Lots of
relying on a master-slave system connected by wire- research work has been done in this field over the
less medium to enable communication between past years. Although it is worthy noting that none
mobile devices (Haas, 1999; Zhou, 1999). of the existing schemes are capable of satisfying
The system we are designing is organized in the demand for media-dependent access control in
an ad hoc manner. The nodes themselves (with wireless video surveillance system, some ideas and
camera) are carrying the flux towards the monitor- framework of these digital watermark algorithms
ing center, and all the routing tasks are performed are valuable and may be extended to design the
by the camera nodes. A careful deployment can desired data embedding scheme (Yin, Lin, Qiu,
share the traffic load among all the camera nodes Min, & Chu, in press).
and effectively reduce the bottleneck effect as The classical approach to watermark com-
compared with an architectural network. It is also pressed video stream is to decompress the video,
the cheapest solution as there is no need of extra then use a spatial-domain or transform-domain
networking hardware besides the cameras, network watermarking technique to embed the watermark
processors, and the monitoring center. into the video signal, and finally recompress the
However, the design of ad hoc architecture is watermarked video. Alattar, Lin, and Celik (2003)
complex because of the routing and security is- point out three major disadvantages of using the
sues. In a monitoring system, the node positions classical approach and further present a faster and
are static and predetermined by the topology of more flexible approach to watermark compressed
the building. The cameras are in a nonprotected video named as compressed-domain watermark-
environment, and they are susceptible to be dam- ing. With this approach, the original compressed
aged or even destroyed. Thus it would be preferable video is partially decoded to expose the syntactic
if every node has at least two direct neighbors on elements of the compressed bitstream (such as
the way towards the monitoring center so that the encoded discrete cosine transform [DCT] coef-
system can still work properly in case some camera ficients) that is modified to insert the watermark
nodes are faulty. and reassembled to form the compressed water-
marked video.
Security Issues Patchwork (Bender, Gruhl, Morimoto, & Lu,
1996) and quantization index modulation (QIM)
Among the issues the wireless solution face, the (Chen & Wornell, 2001) are the two known tech-
system security is the most challenging problem. niques for the embedding algorithm. Patchwork
The NIST handbook An Introduction to Computer (Bender et al., 1996) is a statistical scheme based on
Security generically classifies security threats into a pseudorandom and statistical process. Patchwork
nine categories ranging from errors and omissions is host image independent and can invisibly embed a
to threats to personal privacy (Basgall, 1999). All specific statistic pattern (composed of several pairs
of these represent potential threats in wireless of specific pixels) in a host image with a Gaussian
networks as well. However, the more immediate distribution. It shows reasonably high resistance
concerns for wireless communications are device to most nongeometric image modifications. But
theft, denial-of-service, malicious hackers, mali- the major disadvantage is that only one bit can be
cious code, theft of service, and industrial and embedded in one frame. Moreover, this algorithm
foreign espionage. operates specific pairs of points and the structure
Data embedding techniques allow for a signal of video bitstream is changed by some adaptive
to be hidden without dramatically distorting the processes such as transcoding. So during the de-
original content. Effective data embedding tech- tecting procedure these pairs of points at the same
niques should be able to invisibly embed data, position are not the same as the original, or even
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
out of borders due to the change of image size. As AODV is an on-demand protocol. Each node
a result, the extracted data are likely to be wrong. maintains its routing table only for the routes they
Our proposed scheme is based on the statistical actually use to communicate with other nodes.
property of the luminance value, but differently If a node wants to initiate a new communication
we use image fields instead of pairs of points to with another node that is not in its current rout-
overcome above mentioned problems. ing table, a route request (RREQ) is broadcast.
Chen and Womell (2001) propose a QIM scheme If a node receives such a request, it looks up its
for efficiently embedding and drawing out data. routing table to find whether there is a path to the
QIM method embeds information not simply by destination nodes. If there exists a path, it replies
adding numbers to the host signal, but by first a route reply (RREP); otherwise, it broadcasts the
modulating an index of sequence of indices with RREQ. If a node receives the same RREQ twice, it
the embedded information and then quantizing simply discards the message. Routes are maintained
the host signal with the associated quantizer or in the routing table as long as they send packets.
sequence of quantizers. During the detecting pro- If nothing is received after a predefined timeout
cedure, the embedded information is determined value, the corresponding route entry is deleted. In
by judging the minimum distance between the case of nodes failure, neighbors on the active path
embedded signal and different quantized results. send a special RREP to the source which can start
It is known that the QIM method is better than a new path discovery phase. Neighbor’s discovery
additive spread spectrum and generalized low-bits is done either by local broadcasting of HELLO
modulation (LBM) not only from the point of rate messages or by receiving a broadcast message from
distortion-robustness tradeoffs, but also against a neighbor given that the links between nodes are
bounded perturbation and fully informed attacks bidirectional.
arising in several copyright applications. Since Perkins and Royer (1999) try to avoid relying
requantization is carried out in the transcoding on the underlying MAC-layer protocol, but no
procedure and the quantizers are different from solution has been proposed to avoid the overhead
the ones used in video encoding process, lots of created by the HELLO message. In our system
computational errors are produced and the detec- the routing protocols are coupled with the address
tion is likely failed. Our scheme improves the resolution protocol (ARP) protocol as described
QIM by proposing an approach to alter the average by Desilva and Das (2000) so that we can avoid
luminance value of fields. broadcasting HELLO messages. In addition, it
is preferred to implement the routing protocol at
Routing Protocol link layer due to the following reasons (Johnson,
Maltz, & Broch, 2001):
In recent years, a large number of ad hoc routing
protocols have been proposed in the literature • Pragmatically, running the protocol at the link
(Broch, Maltz, Johnson, Hu, & Jetcheva, 1998; layer maximizes the number of mobile nodes
Perkins & Royer, 1999; Per, 1999; Samir, Perkins, that can participate in ad hoc networks.
& Royer, 2000). In all these studies, two on-demand • Historically, the protocol has grew from a mul-
routing protocols show good performance: ad hoc tihop propagateing version of the Internet’s
distance vector (AODV) (Perkins & Royer, 1999) address resolution protocol (Plummer, 1982),
and DSR. In a scenario where a high volume of as well as from the routing mechanism used
traffic goes through a static ad hoc network (by in IEEE 802 source routing bridges (Perlman,
static we mean that the nodes configuration does 1992).
not change or changes slowly), AODV performs • Technically, our design would expect the pro-
better than DSR due to less additional load being tocol to be simple enough so that it could be
imposed by source routes in data packets. Therefore implemented directly in the firmware inside
our system is based on the AODV protocol. wireless network interface cards, well below
the layer 3 software within mobile nodes.
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
0
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
nodes are fixed. It is possible that some nodes are frame) of a group of pictures (GOP) and directly
out of range from the main network. In this case, modulated into the direct current (DC) component
some bidirectional signal repeaters or amplifiers of DCT coefficients of luminance blocks. In our
could be placed in strategic points to provide robust algorithm, 200 bits of data can be embedded in
coverage for every node (Yin et al., 2005). one I-frame of size 640x480. Moreover, the key
takes only 128 bits among the data.
Video Processing In order to improve the error resilience capa-
bility, we employ Reed-Solomon (RS) code as the
For the sake of security concerns, encryption keys error control scheme. RS code is used to encode
are updated periodically. Thus, a core part of the the key messages and an 8-bit flag and this takes
system is how to embed encryption keys in the the remainder 64 bits for RS code words. Then, all
video data stream. Unlike normal watermarking the GOPs are encrypted by the selective encryption
techniques, in our system the camera nodes should algorithm, which contains some hash functions
not only detect the existence of a new encryption supported by IXP425 hardware, corresponding
key but also extract it without losing any informa- to the old key. Finally, the encrypted data are sent
tion, as shown in Figure 3. out to a neighbor node via the wireless network.
Our key embedding algorithm focuses on the After the data are received, the incoming packets
reliability and accuracy of embedded keys against are first decrypted and then decoded. When the
the influences introduced by transmission errors embedded key messages are detected, the new
and adaptive mechanisms. Real-time processing is key is used for future data decryption. If a GOP
also a requirement when designing the algorithm. is badly damaged, the embedded key messages
The key embedding process can be divided into may not be extracted correctly. Therefore, we use
two parts: key embedding and key detecting. The more than one GOP to embed the rekey messages
first part is conducted by the video encoder, while for redundant recovery (Yin et al., 2005). Figure
the second part is conducted by the video decoder. 4 gives an example of three GOPs containing the
New keys are embedded in the I-frames (Intra redundant key messages.
Figure 3. Real-time key embedding and key detecting process, Ki is the 128-bit key information used to
encrypt the video content
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
Figure 4. The redundant GOPs used in key updating process. From GOPi+1 to GOPi+3 there are three
GOPs that contain the redundant key messages
system security Management has built in capabilities for extension headers. The
secure ad hoc distance vector (SAODV) protocol
To develop a secure wireless video surveillance is a proposal by Zapata (2005) for such extension
system, it is necessary to develop an effective headers. The extensions are used to send signatures
video encryption algorithm, and meanwhile the and hash values that are later used for verification
secure routing protocol and system architecture of the routing packets. The SAODV is not meant to
should all be carefully designed to avoid serious yield any confidentiality since this is usually not
security flaws. needed or desired in general ad hoc networks. The
protocol does provide means to get authentication,
Confidentiality integrity, and nonrepudiation of the routing control
packets. The protocol extensions use asymmetric
Data confidentiality is usually assured by en- cryptography to achieve authentication by signing
cryption. However, encryption introduces large the data packets with the private key. This allows for
computational overhead. In stringent environment the destination node and all intermediate nodes to
like real-time video transmission, encryption can validate the request. Also, this allows for the nodes
become the system bottleneck and it is the common to be certain that no one has altered the packets.
knowledge that full video stream encryption is not However, some fields of the packets must change
a good choice (Liu & Eskicioglu, 2003). Our video and these are signed as if they were zeroed out.
selective encryption algorithm takes advantage of To allow for verification of the hop count field, a
the properties of monitored video to achieve secure, one-way hash chain is utilized. The initiator of the
real-time encryption. route request decides a max hop count, such as 10
If the routing messages are not protected, eaves- or 15. It also generates a random value which is sent
droppers may discover the network topology by as the hash for the first hop count. The value is also
listening to the routing information and then attack hashed the max hop number of times producing a
the most active notes in the network. Topology so-called top hash. Each node can verify the hop
information disclosure is not a threat by itself, but count by checking that the incoming hash value
it can make other attacks more efficient. However, hashed max hop count minus the current hop count
encrypting routing information could greatly number of times is equal to the top hash. Since the
increase the overhead. The basic AODV protocol top hash value is not changed, and thus signed,
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
this provides the means to authenticate even the Reactive Protection Scheme
mutable hop count.
The SAODV extensions allow for two different The ad hoc environment is usually considered as
ways for nodes to reply to a route request. The first physically insecure. For instance, cameras can
way is to only allow the destination to reply. In easily be stolen or corrupted. A corrupted camera
this way the protocol works as described above. node can be used as a Byzantine enemy (Lamp-
The destination node creates a route reply and ort, Shostak, & Pease, 1995) to attack the rest of
signs it using its own secret key. The route reply the network. However, resources in the ad hoc
is sent according to the usual AODV and each network are limited due to the embedded nature
intermediate node can verify the reply and discard of the nodes; especially computational power is
it if not valid. This approach does not consider the system bottleneck. In this situation, signing
the possibility of having intermediate nodes reply every packet between every node is not realistic
directly if they do have a valid route already. To for real-time multimedia streaming. Besides, if a
add the ability for route discovery optimization a malicious entity controls a node, it also controls the
double signature scheme is devised. For each route authentication keys, and systematic authentication
request a second signature is added to the packet. is not useful against this type of attack.
This signature is stored in each intermediate node In our system only routing protocol messages
when they set up the reverse route. Later on, when are systematically signed and time-stampeded
a new route is needed because of node movement to avoid basic attacks such as erroneous routing
between the two peers an intermediate node that packet flooding. To prevent more subtle attacks like
still has a route can reply directly by also includ- grey hole or session hijacking, we use the existing
ing the second signature and the original signature knowledge about the data stream (e.g., continuity,
(Yin et al., 2005). In addition to this, the actual life stability, fixed length, etc.) to detect misbehavior
time is also sent in the reply which is signed by the in the trusted network. Nodes which have detected
intermediate node that sends the reply. misbehaving peers break the routing roads coming
from the suspected nodes so that further traffic is
Authentication ignored until a new (authenticated) road request
is broadcasted. The level of intrusion detection
The host-to-host authentication between the camera capability depends on the computational power.
and the monitoring center is achieved by data en- The system would have a misbehaving threshold
cryption. But in ad hoc networks, we also have to beyond which the system will cut itself from the
consider the problem of neighbors’ authentication, rest of the network. The level of the threshold and
as nodes are “observing” the external world though the way to isolate the node from the network is
the “eyes” of its neighbors. The neighbors must be worth further investigation.
authenticated before any other communication can
be initiated. In a nonauthenticated environment, Key Distribution
external nodes can insert themselves in the data path
and then collect, disrupt, or corrupt the information The key distribution solution proposed by Luo et
using man-in-the-middle or black and grey holes al. (2002) has been chosen to safely distribute and
attacks. To reduce the effect of computational power refresh encryption keys and periodically check in-
consumption attack, the authentication scheme is tegrity of the camera nodes. This protocol is based
performed at link layer. Neighbors’ authentication on the threshold share secret revealed by Shamir
is assured by a certificated-based approach (Stall- (1979) and improves the shares refreshing proposed
ings, 1999) which provides practical solutions for by Herzberg, Jarecki, Krawczyk, and Yung (1995).
data integrity, authentication, and nonrepudiation. The system is based on RSA public key signatures.
The practical protocol is presented by Luo, Zerfos, Each node gets a simple certificate in the form <
Kong, Lu, and Zhang (2002). vi, pki, Tsign, Texpire> where vi is the identification
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
number of the nodes, pki is the public key, Tsign is of our system. Intel IXP425 is a member
the time that the certificate is created, and Texpire of Intel’s IXP4XX product line of network
is the certificate expiration time. processor, for small-to-medium enterprise,
consumer, and other edge network ap-
plications. Like Intel’s high-end network
systEM PErforMAncE processors IXP2k series, IXP425 is also a
EvAluAtIon multicore system that employs system-on-
chip (SoC) techniques to support multiple
This session will test the performance of the system WAN and LAN technologies in a highly
we designed and meanwhile introduce one approach integrated and versatile architecture. The
to evaluate such system, which may be applied to Intel XScale core at up to 533 MHz provides
general wireless video surveillance systems. headroom for customer-defined applications.
It also supports a single-instruction stream
testing Environment multiple-data stream (SIMD) coprocessor
for multimedia application acceleration. In
The testing procedure involves three steps. First our system, video encoder and watermark
we evaluate the video encoding and encryption embedding are performed on XScale with
algorithms, along with the basic network stack optimization towards the SIMD coprocessor.
evaluation on a single link. In the second step, Three network processor engines (NPEs),
we measure the performance of a node for trans- like a micro-engine of IXP1k, 2k network
mitting traffic to other nodes. The third step is a processors, are designed to complement the
simulation study of a large scale network in order to Intel XScale core for many computationally
analyze how the system evolves when the number intensive data plane operations. These tasks
of cameras increases. include IP header inspection and modifica-
tion, packet filtering, packet error checking,
• Single node capability: The testbed is com- checksum computation, and flag insertion and
posed of an IXP425 network processor and removal. The NPE architecture includes an
its evaluation board. The network interface ALU, self-contained internal data memory,
of the camera node is a wireless 802.11g and an extensive list of I/O interfaces, together
compatible network interface. A desktop with hardware acceleration elements. The
computer equipped with the same network hardware acceleration elements associated
interface is used to stand for the monitoring with an NPE targets a set of networking
center and to test the video decryption and applications. Each hardware acceleration
playback. element is designed to increase the speed
• Routing capability: A set of low cost com- of a specific networking task that would
puters is equipped with wireless network otherwise take many MIPS to complete by
interface and generates traffic towards the a standalone RISC processor. Among these
tested node. Different physical dispositions functions, cryptographic hardware accelera-
are set to test one-hop and multihops routing tors (SHA-1, MD5, DES, 3DES AES) in NPEB
performance. are used in our application for selected video
• Scalability: Large scale experiments are very encryption.
challenging because they require too many
hardware. We plan to use the results obtained Experiments on key Embedding
from Steps 1 and 2 to build a realistic model of Algorithm
the node and simulate a large scale system.
• Nodal processor: Intel IXP425 network This subsection focuses on the performance evalu-
processor is chosen as the nodal processor ation of the key embedding algorithm in a wireless
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
environment. The algorithm is implemented on the video. Obviously, the modulation cycle is the most
platform of Intel IXP425 network processor. important factor that affects the quality of the video
We use two MPEG-2 test sequences, dinosaur sequence. When the modulation cycle is no larger
and live-captured video, which are both encoded than 4, the distortion derived from key embedding
at 640x480 size and 20fps using 500 frames. The can be neglected. Figure 6 illustrates the PSNR
sequences are selected because of their different of the dinosaur sequence at the receiver side. It is
characteristic in motion and scene change. Dino- worth noting that that the larger modulation cycle
saur contains fast motion and scene change, while can degrade not only the PSNR, but also introduce
live-captured video contains slow motion and fixed PSNR fluctuation, while modulation cycle less than
scene. Besides, we should face the challenge derived 4 can provide a good quality of video.
from packet loss and bit error. We test the system Figure 7 illustrates the number of error bits
in a real wireless network environment. The last found in the detection of all the 200 bits in a frame
module is a key detecting and decoding module, against the modulation cycle C. The downscaling in
which contains selective encryption algorithm, the transcoder reduces half of the width and height
MPEG-4 decoder, and the key embedding algo- of the original video. This procedure reduces the
rithm. They are used to decrypt the bitstream using blocks in each field, but does not have too much
old session key, and then detect the embedded key impact on the detection quality. However, it can
messages and decode the compressed video into be seen that the requantization greatly impacts the
playback video. detection quality when the modulation cycle is less
Based on this platform, we conduct a series of than 3. As shown in Figure 7, when the quantizer
experiments to evaluate the system performance in the requantization (denoted by “new quantizer”
(Yin et al., 2005). The source-coding distortion in the figure) is higher and the quantizer in the
introduced by our key embedding algorithm is source encoding (denoted by “old quantizer” in
illustrated in Figure 5. The video clip is MPEG-2 this figure) is closer to half of “new quantizer,”
encoded with different modulation cycle. It is then more error bits appear in the detection procedure.
transcoded and decoded by MPEG-4 decoder. All When the modulation cycle is more than 4, errors
the four pictures are selected from the playback have almost disappeared.
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
Figure 6. The PSNR of frames and the probability of Figure 7. Average error bits in total 200bits embed-
successfully detecting 200 bits in a frame changed ded in an I-frame after transcoding with different
with the modulation cycle at the receiver modulation cycles and quantizers
Figure 8. Average error bits in total 200bits of a GOP by using different packet loss rates, (a) RS code
is not used, while (b) RS (25, 17) code is used
(a) (b)
Figure 8 reveals the average error bits when packets leads to some error bits of the extracted
receiving 200 bits data vs. the packet loss rate in key message.
the network. It can be seen that the extracted data As for the coding speed, Table 1 shows the
error rate in a GOP rises as the packet loss rate coding time between the key embedded coding
increases. Usually the bitstream of an I-frame is scheme and pure MPEG-2 encoder without data
divided into more than 10 packets for transmis- embedding. We can find that after the introduction
sion in the network. As a result, key information of the key embedding algorithm, the processing
is distributed into all the packets and the loss of time is only increased by around 6%.
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
simulation of routing Protocols ated (we do not consider the effect of reverberation
against obstacles here). The figure shows that the
Preliminary simulations on AODV have been con- monitoring center is the bottleneck of the archi-
ducted in order to validate the choice of the routing tecture. This is inevitable in a monitoring system
protocol. The objective here is to have a qualitative where all the streams are converging in one point.
evaluation of the routing protocol. Simulations have However, this phenomenon implies that the over-
been conducted using NS2 simulator. all capacity is limited by the performance of the
The arrows in Figure 9(a) represent the stream monitoring center.
paths and we can see that the nodes are choosing
the shortest paths to reach the monitoring center
in order to reduce the number of hops per path in futurE trEnds
comparison with an architectural network.
Figure 9(b) reveals the volume of traffic received With the continuing need for video surveillance
by each node in the scenario where a few cameras in both fixed and remote locations, new advances
are placed at difference floors in a building and the in wireless networking would enable the develop-
distance between the nodes are greatly exagger- ment of a more secure, highly reliable wireless
video network capable of supporting real-time
high speed, high resolution video, and meanwhile
Table 1. Complexity of the key embedding algo- maintaining the highest levels of data and network
rithm security without impacting the video stream. Tech-
nical trends and key issues in the wireless video
Sequence Dinosaur Live-captured system may include:
Encoding speed without
35.45 37.27
embedding (frame/sec)
• Load balanced routing protocols: One
Encoding speed with problem of the routing protocol is that it is
33.50 35.00
embedding (frame/sec)
not reactive to the load in each node. Under
Increased processing time (%) 5.8% 6.5%
the particular topology, if a node has a more
critical location than others, a large por-
tion of the traffic may converge toward the
Figure 9(a). Topology of a small monitoring node and it may probably collapse under the
system heavy traffic. It would be more desirable for
an ad hoc network that the routing protocol
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
fairly distributes the traffic load among the video encryption algorithm, has been proposed
nodes. and implemented to enable the system to work in
• Local misbehavior detection system: The an open and insecure wireless environment. The
system also needs to detect misbehaving presented system offers several unique advantages:
neighbors. Only a few recent studies (e.g., (1) it provides high security guarantee; (2) it does
Kargl, Klenk, Schlott, & Weber, 2005; Marti, not require expensive access points/routers; (3) it
Giuli, Lai, & Baker, 2000) have been con- can be readily deployed since it is built upon the
ducted and reported in this field. Besides, in existing wireless ad hoc infrastructure; and (4) it is
our case, misbehavior detection capability robust in the presence of and adaptive mechanism
is limited by the computational power of the and error-prone channel. This chapter would serve
nodes. We hope to find an adaptive mecha- as a good reference for solving the issues of wire-
nism to suit our applications. less multimedia and would bring new insights on
• Scalability: As demonstrated by the the interaction of different technologies within the
simulation results of our network layer, the cross application domain.
monitoring center, as the only nondistributed
component, is the bottleneck of the system.
Some solutions must be found to scale the AcknowlEdgMEnt
network size as far as possible.
This work was supported in part by grants from
the National Natural Science Foundation of China
conclusIon (No.60673184, No. 60432030, No.60429202,
No.90412012), national 863 program of China
A distributed video surveillance system typically (No. 2007AA01Z419) and Microsoft Joint lab
consists of many video sources distributed over funding.
a wide area, transmitting live video streams to a
central location for processing and monitoring.
However, in the traditional wire-line solution, rEfErEncEs
the deployment and maintenance of large-scale
video surveillance system are often expensive Alattar, A.M., Lin, E.T., & Celik, M.U. (2003).
and time-consuming. Thus there have been hot Digital watermarking of low bit-rate advanced
interests in wireless solution. But the practical simple profile MPEG-4 compressed video. IEEE
implementation of wireless surveillance system Transaction on Circuits and Systems for Video
still faces the challenges of framework design of Technology, 13(8), 787-800.
wireless network, video processing, video data
transmission, video quality control, and system Allman, S. (2002). Encryption and security: The
security. Among them, the system security is the advanced encryption standard. EDN (pp. 26-30).
most challenging problem and also is the main Retrieved October 7, 2007, from http://www.edn.
concern in this chapter. com/article/CA253789.html?ref=nbsa
This chapter has presented the state-of-the- Basgall. (1999). Experimental break-ins reveal
art cross domains of wireless communication, vulnerability in Internet, Unix computer secu-
video processing, embedded systems, and security, rity. Retrieved October 7, 2007, from http://www.
through the design of a new secure video surveil- cs.duke.edu/news/index.php?article=16
lance system. This system is based on the 802.11g ad
hoc wireless infrastructure. Intel IXP425 network Bender, W., Gruhl, D., Morimoto, & Lu, A. (1996).
processors are used as the basic processing unit. A Techniques for data hiding. IBM System Journal,
media-dependent video encryption scheme, includ- 38(3-4), 313-316.
ing reliable data embedding technique and real-time
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
Borisov, N., et al. (2003). Intercepting mobile com- wireless ad hoc networks. Ad hoc networking (pp.
munications: The insecurity of 802.11. In Proceed- 139-172). Addison-Wesley.
ings of MOBICOM 2001 (pp. 180-189).
Kargl, F., Klenk, A., Schlott, S., & Weber, M.
Broch, J.D., Maltz, A., Johnson, D.B., Hu, Y.-C., &. (2005). Advanced detection of selfish or malicious
Jetcheva, J. (1998). A performance comparison of nodes in ad hoc networks. Paper presented at the
multi-hop wireless ad-hoc network routing proto- First European Workshop on Security in Ad-hoc
cols. Mobile Computing and Networking, 85-97. and Sensor Networks (LNCS 3313, pp. 152-165).
Chen, B., & Wornell, G.W. (2001). Quantiza- Lamport, L., Shostak, R., & Pease, M. (1982). The
tion index modulation: A class of provably good Byzantine generals problem. ACM Transactions
methods for digital watermarking and information on Programming Languages and Systems, 4(3),
embedding. IEEE Transaction on Information 382-401.
Theory, 47(4), 1423-1443.
Liu, X., & Eskicioglu, A. (2003, November 17-19).
Desilva, S., & Das, S.R. (2000). Experimental Selective encryption of multimedia content in
evaluation of a wireless ad hoc network. In Pro- distributed networks: Challenges and new direc-
ceedings of the 9th International Conference on tions. Paper presented at the IASTED International
Comp. Comm. & Networks (pp. 528-534). Conference on Communications, Internet and
Information Technology (CIIT 2003), Scottsdale,
Garcia-Macias, J. A., et al. (2003). Quality of ser-
AZ.
vice and mobility for the wireless Internet. ACM
Wireless Networks, 9, 341-352. Luo, H., Zerfos, P., Kong, J., Lu, S., & Zhang, L.
(2002). Self-securing ad hoc wireless networks.
Haas, Z. J. (1999). The Performance of the zone
In Proceedings of the Seventh IEEE Symposium
routing protocol in reconfigurable wireless net-
on Computers and Communications (ISCC ‘02)
works. Special Issue on Wireless Ad Hoc Network,
(pp. 567-574).
IEEE Journal on Selected Areas in Communica-
tions, 17(8). Marti, S., Giuli, T.J., Lai, K., & Baker, M. (2000).
Mitigating routing misbehavior in mobile ad hoc
Herzberg, A., Jarecki, S., Krawczyk, H., & Yung,
networks. In Proceedings of International Confer-
M. (1995). Proactive secret sharing or: How to cope
ence on Mobile Computing and Networking (pp.
with perpetual leakage. Lecture Notes in Computer
255-265).
Science, 963, 339.
Perkins, C.E., & Royer, E.M. (1999). Ad-hoc on-
IEEE. (2003). 802.11g IEEE Std 2003. Retrieved
demand distance vector routing. In Proceedings
October 7, 2007, from http://grouper.ieee.org/
of the 2nd IEEE Workshop on Mobile Computing
groups/802/11/
Systems and Applications, New Orleans, (pp.
Intel. (2006). Intel® IXP425 network processor. 90-100).
Intel product brief. Retrieved October 7, 2007,
Perlman, R. (1992). Interconnections: Bridges and
from http://www.intel.com/design/network/prod-
routers. Reading, MA: Addison-Wesley.
ucts/npfamily/ixp425.htm
Plummer, D.C. (1982, November). An Ethernet ad-
Johansson, P., Larsson, T., Hedman, N., Mielcza-
dress resolution protocol: Or converting network
rek, B., & Degermark, M. (1999). Scenario-based
protocol addresses to 48.bit Ethernet hardware
performance analysis of routing protocols for
(RFC 826).
mobile ad-hoc networks. In Proceedings of ACM
Mobicom’99 (pp. 195-206). Samir, R.D., Perkins, C.E., & Royer, E.E. (2000).
Performance comparison of two on-demand rout-
Johnson, D.B., Maltz , D.A., & Broch, J. (2001). DSR
ing protocols for ad hoc networks. In Proceedings
the dynamic source routing protocol for multihop
of IEEE INFOCOM (pp. 3-12).
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
0
Chapter XXXIII
Cutting the Gordian Knot:
Intrusion Detection Systems in
Ad Hoc Networks
Amitabha Das
Nanyang Technological University, Singapore
Boon-Chong Seet
Auckland Univerisity of Technology, New Zealand
Bu-Sung Lee
Nanyang Technological University, Singapore
AbstrAct
Intrusion detection in ad hoc networks is a challenge because of the inherent characteristics of these
networks, such as, the absence of centralized nodes, the lack of infrastructure, and so forth. Furthermore,
in addition to application-based attacks, ad hoc networks are prone to attacks targeting routing proto-
cols. Issues in intrusion detection in ad hoc networks are addressed by numerous research proposals in
literature. In this chapter, we first enumerate the properties of ad hoc networks which hinder intrusion
detection systems. After that, significant intrusion detection system (IDS) architectures and methodolo-
gies proposed in the literature are elucidated. Strengths and weaknesses of these works are studied and
are explained. Finally, the future directions which will lead to the successful deployment of intrusion
detection in ad hoc networks are discussed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
characteristics of ad hoc networks. Chief among ad hoc IDS architectures and methodologies. They
the characteristics, which affect the design of an offer an extensive analysis and understanding of
effective security framework for such networks, IDS in ad hoc networks. A comprehensive compari-
are the highly distributed, decentralized, and son between various proposed intrusion detection
dynamic natures of ad hoc networks. These prop- systems for ad hoc networks are discussed. Selected
erties, coupled with the lack of infrastructure in architectures and detection strategies explained by
ad hoc networks, introduce some unprecedented Mishra et al., which were found significant, are
issues, which are absent and never been explored detailed in this writing.
in conventional networks. Zhang, Huang, and Lee (2005) propose an
A typical security system consists of two major evaluation environment for MANET (mobile ad
components. The first is the intrusion prevention hoc network) intrusion detection systems. They
mechanism that aims to control access to the system emulated routing attacks and evaluated applica-
and relies mainly on cryptographic techniques. tion-based intrusion detection architectures over it.
The second one is the intrusion detection system The work introduces a novel concept of evaluating
that tries to detect if the prevention mechanism has ad hoc IDS models using known attacks. Routing
been compromised by intruders, and if so, come attack libraries are used, which exhibit attack
up with an appropriate response to combat such scenarios over the IDS model under-evaluation.
intrusions. The intrusion detection system (IDS) The IDS models are evaluated for operational cost
thus forms the second line of defense (Nadkarni and effectiveness. Detection accuracy and false
& Mishra, 2003). alarms are the primary evaluation parameters for
Cryptographic techniques rely on secure key assessing of the IDS model, in terms of detection
management and key distribution which require effectiveness. The work is significant in providing
supporting infrastructure. The lack of infrastruc- a test-bed for ad hoc IDS models. Similarly, Little
ture makes it extremely difficult to implement (2005) proposes a test-bed called TeaLab for ad
cryptographic access control mechanisms in ad hoc IDS design.
hoc networks. This makes intrusion detection all Concurrent to simulation-based ad hoc test-
the more important for such networks. However, beds, Yang and Baras (2003) mathematically
it turns out that the inherent characteristics of ad analyze vulnerabilities in ad hoc networks. The
hoc networks render conventional IDS unsuitable authors provide a great deal of understanding to the
for such networks. This has spawned the research attack possibilities in ad hoc domain. Mathematical
in ad hoc IDS design (Brutch & Ko, 2003). methods find attacks exhaustively. In this theoreti-
This chapter illustrates the difficulties in cal analysis all possible attacks are hypothesized.
providing an efficient intrusion detection system This comprehensive vulnerability analysis aids
for ad hoc networks. In doing so, it discusses in the design of an effective ad hoc IDS design.
detail interesting ad hoc IDS models proposed in
literature. The strengths and weaknesses of these
models are explained and promising future direc- cHArActErIstIcs of Ad Hoc
tions for cutting the Gordian knot of ad hoc IDS nEtworks
are discussed.
Ad hoc networks differ from native wired/wireless
networks in various aspects. These unique charac-
bAckground teristics of ad hoc networks render typical security
systems unsuitable ( Awerbuch, Curtmola, Holmer,
Although various analyses on intrusion detection Rubens, & Nita-Rotaru, 2005; Papadimitratos &
mechanisms can be seen in the literature, only Haas, 2002). The fundamental concept of ad hoc
few qualify as significant. Mishra, Nadkarni, and networks is to have seamless connectivity without
Patcha (2004) give a detailed overview of various infrastructure or centralized control. The lack of
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
infrastructure and a centralized control node makes following are additional factors which also affect
it hard for security systems to be implemented. ad hoc network security design, but to a lesser
Furthermore, factors such as mobility, physical degree.
protection, and so forth affect the design of effec-
tive security models for ad hoc systems. These wireless links
factors are enumerated below.
In respect to security, wireless links are the weakest.
lack of Infrastructure This is due the omnipresence of wireless channel
and ease of physical access to the channel. Attacks
Ad hoc networks do not have a fixed infrastruc- such as eaves-dropping, active masquerading, and
ture. Typically, in conventional networks, the so forth are more possible in wireless networks
infrastructure provides a secure location for the than in a wired network. Furthermore, the most
implementation of critical security mechanisms notorious of all attacks, the denial-of-service
(Debar, Dacier, & Wespi, 1999). Due to the ab- (DoS) attacks, can be achieved easily in wireless
sence of infrastructure, ad hoc networks do not networks by jamming the wireless channel or by
provide a safe and efficient location to implement routing attacks.
the security system. Additionally, operations such
as control, maintenance, and other administrative Poor Physical Protection
functions have become hard in a distributed and
infrastructure-less network. The only and apparent Usually, the nodes in an ad hoc network are mo-
resort is to install these critical modules in end-user bile and easily accessible physically. This raises
nodes. Implementing critical security systems in concerns of physical protection of these devices. A
unreliable end-user nodes pose a real challenge. single compromised node can bring down the entire
network due to its prerogatives in the network.
Absence of a central Authority
Energy constraints
Conventional network have traffic concentra-
tion areas, otherwise called choke points, where Since ad hoc network nodes are mostly mobile and
security systems can be placed and implemented wireless, energy constraints are also a security
efficiently. Control nodes are placed in these choke issue. Typical symmetric encryption algorithms
points to monitor and control the network. Ab- such as 3DES (triple data encryption standard),
sence of centralized authority makes the network ADES (advanced encryption standard), and asym-
monitoring and control a challenging issue for ad metric encryption algorithms such as RSA (Rivest,
hoc networks. Shamir, and Adleman) and its variants incurs high
Every node in an ad hoc network has equal computation which may drain the battery of the
responsibility in network functions, such as routing, mobile node. Additionally, rnergy-targeted attacks
maintenance, and so forth. This unique charac- such as SDT (sleep deprivation torture), which
teristic will distribute the control authority to all aims to drain the mobile node’s battery, also need
nodes in the network. Nodes have to rely on other consideration while designing ad hoc security
neighbor nodes for routing and data forwarding. In system (Jacoby, Marchany, & Davis, 2004).
other words, nodes have to trust neighbor end-user
nodes for critical functions. As neighbors can be Unsuitability of Static Configurations
potential attackers, trusting unknown neighbors
is precarious to the integrity of security and other The obvious and immediate security solution for
critical systems. infrastructure-less and decentralized network is to
The above two issues are the crux of the secu- provide static security systems installed in nodes.
rity concern in the ad hoc network paradigm. The Ad hoc networks are mostly implemented over
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
over the network. Passive attacks such as route at a point of time in the future. In other words,
monitoring and so forth try to eavesdrop for steal- a malicious behavior highly resembles another
ing sensitive information (Kong, Hong, & Gerla, benign behavior. Therefore, intrusion detection
2003). To illustrate some of the difficulties and to becomes very challenging.
familiarize routing insecurity in ad hoc networks,
a trivial attack scenario is considered.
Let us examine route invasion, which is a trivial IntrustIon dEtEctIon
but destructive attack. In Figure 1(a), the benign tEcHnIquEs
route between S and D is through 1. In Figure
1(b), Node M sends a malicious routing control Intrusion detection systems are mechanisms which
message, stating that it has a better route to D than provide a “second wall of defense” (Nadkarni &
through Node 1. This modifies the path for S D Mishra, 2003) for the network system. In other
from S 1 D to S M 2 3 D. The words, IDS is a backup, in case the frontline security
modified path is not only inefficient; it includes the mechanisms fail. Therefore, IDS fundamentally
malicious Node M into the path. This extends the assumes that cryptographic systems do not prevail
attack possibilities for the malicious node M on or have failed. As mentioned earlier, IDS in ad
node A or B. To thwart intrusion detection, Node M hoc networks cannot trust information from other
can impersonate Node 1 and can provide falsified nodes. This limits the knowledge sharing between
routing information which supports its cause. the nodes. Knowledge in IDS is the new benign/
Due to the absence of centralized authority and malicious behavior patterns. Typical systems use
infrastructure, Node S has no trusted arbiter to get an arbiter (centralized) node to facilitate knowledge
advice regarding whether the announced path is sharing. However, the absence of any centralized
benign or otherwise. Malicious Node M has free node in ad hoc networks renders knowledge shar-
access to the wireless channel and can exhibit ing unreliable. Unreliable information in a security
anonymous routing attacks over S. system is worth no information at all.
Static crypto systems fail here, due to poor Conventional IDS are functional in application
physical protection, energy, and delay constraints. layer and monitor and detect malicious behavior
In the absence of centralized authority, dynamic exhibited by applications, such as, telnet, FTP,
crypto systems are not possible. Critical security SMTP, and so forth. In rare cases, relatively
systems such as key management, admission/ac- simple IDS, such as firewalls are implemented in
cess control, and authentication become hard to the IP layer. However, ad hoc networks’ necessity
implement due to the lack of infrastructure. Analo- for routing security has brought forth the need to
gous to IP spoofing, ad hoc routing protocols are implement IDS, which monitors and detects rout-
prone to spoofing. However, unlike IP, spoofing ing protocols, such as AODV, OLSR, DSR, and so
in ad hoc networks is done at the routing protocol forth. An IDS design for a routing protocol is an
rather than the IP. Generically, ad hoc security unexplored area of research. The requirements of
needs to prevent or detect spoofing. However, the IDS for a routing protocol differ vastly from the
issue is more serious than in IP, since the target of conventional IDS mechanisms.
the attack is the routing protocol itself. Research in ad hoc IDS design is still in the
Mobility and transient associations and dy- rudimentary stages. Some research works (Hi-
namicity make the detection of malicious routing jazi & Nasser, 2005) on ad- hoc IDS, which try
control messages impractical. In the above example, to cut the Gordian knot, follow strongly the IDS
Node S will not be able to determine with its local design methodologies of native IDS counterparts.
knowledge whether Node M is on a shortest route In addition, most of the IDS models proposed in
to D or acting maliciously. Because, even if Node the literature focus on application-level IDS. The
M is not on a shortest/optimal path to Node D assumption that application level IDS for ad hoc
now, due to changing topology, that may change network will suffice are the major weakness of
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
these works. Therefore, though these IDS models ing methodologies: misbehavior detection and
consider ad hoc network characteristics and provide anomaly detection. Misbehavior detection uses
a decentralized and distributed IDS, they fail to known malicious behavior patterns for comparison
address the routing insecurity. at the detection module. Anomaly detection uses
Zhang, Lee, and Huang (2003) propose a known normal behavior patterns and measures the
distributed and decentralized IDS system at the deviation of the node’s behavior from the known
routing layer but fail to describe the routing-level normal behavior patterns.
IDS model. Their work is similar to other research The main strength of misbehavior detection
models on ad hoc IDS design, which provid ap- is that the probability of false alarm is quite low.
plication-level IDS. Eventually, Huang and Lee However, the probability of deduction is also low,
(2004) analyze AODV intensively and provid a as unknown attacks will skip detection. On the
strong understanding of AODV and a guide to contrary, anomaly detection increases the prob-
design an AODV IDS at routing layer. However, ability of detection at the cost of increased false
they fail to state the statistical methodologies used alarm rates. Typically, both mechanisms are used
in the IDS design. in concurrence to define a tradeoff point between
In what follows, the existing IDS models are probability of detection and false alarm rates.
enumerated and its strengths and weaknesses are
analyzed. Additionally, the feasibility of imple-
mentation of these methods is studied. Ad Hoc nEtwork Ids
rEquIrEMEnts
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
spoofing network address becomes naïve, since dits from application layer protocols record user
an attacker can get hands on the routing protocol behavior (Balajinath & Raghavan, 2001), such
itself. The gamut of attack possibilities is infinite as login attempts and failures, access rate, and
(Awerbuch, Curtmola., Holmer., Nita-Rotaru., & so forth. Whereas, audits from routing protocol
Rubens., 2004). In the following sections, we will record node behavior such as mobility, speed, con-
explore the factors that affect ad hoc IDS. nectivity, and so forth. The user behavior feature
differs distinctly from routing protocol behavior
knowledge limitations in Audits features. Hence, the methodologies analyzing the
audit trails have to be revised.
To assess whether a behavior is malicious or
benign, a node needs knowledge about different detection strategies
behaviors. It is evident that with more knowledge,
efficiency of distinguishing between malicious Detection methodologies can be classified as rule-
and benign behaviors increases. In conventional based, statistical, and hybrid, which are explained
networks, knowledge is shared using a trusted below.
arbitrary node. Absence of a centralized node in Rule-based detection use static rules to deter-
ad hoc networks limits the knowledge sharing. mine maliciousness in behavior. Rules are a set
Knowledge sharing is precarious in a decentralized of logical conditions, and when these conditions
and distributed network. A malicious node can are met, the behavior is categorized as malicious.
cast malicious information which may affect the Let us consider a simple rule to illustrate. Failure
integrity and security of IDS itself. When a node of three or more consecutive login attempts can
receives contradictory information from benign reasonably be used to decide that the behavior is
and malicious nodes, a decision dilemma occurs. malicious. More complex rules are formed using
IDS will not be able to decide which information typical logical reasoning mechanisms such as ex-
is correct. To avoid this high risk scenario, the pert systems. Static rule-based approaches which
nodes can only resort to local knowledge. Local are practical in conventional IDS fail due to the
knowledge is information gained through the node’s dynamic nature of ad hoc networks. The dynamic
its own experience. behavior creates transient connections which makes
It can be argued that if the number of benign intrusion detection through static rules almost
nodes is more than the malicious nodes, knowledge impossible. Furthermore, static security systems
sharing will be reliable. It is true to some extent. are known to perform inefficiently in dynamic and
According to Byzantine agreement (Lamport, distributed systems.
Shostak, & Pease, 1982), for the distributed global Statistical approaches uses probability estima-
knowledge to be reliable, benign nodes should tion theory (Duda, Hart, & Stork, 2000) to allow
be greater than two-thirds of the total number of some flexibility to crisp logic and rule-based detec-
nodes. However, ad hoc networks have an interest- tion strategies. In statistical approach, probability
ing attack scenario, which can thwart Byzantine of behavior being malicious is determined by sta-
agreement even in the presence of sufficient benign tistically analyzing the known behavior patterns.
nodes. An attacker using address spoofing can cre- However, statistical analysis of routing behavior in
ate nonexistent neighbor nodes and can emulate ad hoc networks is inconclusive and so is statistical
malicious behavior for the nonexistent nodes. This IDS in ad hoc networks. Conventional IDS sys-
gives the attacker the advantage of controlling the tems use statistical approach (Verwoerd & Hunt,
apparent number of malicious nodes in the network, 2002) after very intensive data analysis (Bykova,
thereby, invalidating Byzantine agreement. Ostermann, & Tjaden, 2001) and are derived using
It is important to consider that audit trails from computational intelligence methodologies (Duda,
routing protocols differ significantly from audit Hart, & Stork, 2000). These analyses are done for
information from application layer protocols. Au- audit trails from application layer protocols. The
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
lack of similar research on routing behavior audits a routing message is kept as minimal as possible to
for ad hoc networks raises an interesting question increase the routing efficiency. This has decreased
on the suitability of statistical approaches for ad the features set describing a routing behavior. Dif-
hoc IDS. This is another unexplored research area ferent protocols have different features and the
in ad hoc security. feature set is highly protocol dependent.
Hybrid detection strategies combine the above
two approaches. Hybrid mechanisms are expected Inference
to perform better than the two approaches, since
they incorporate semantics (rule-based systems) It can be inferred that an ad hoc IDS model re-
and statistical intelligence. This is in fact supported quires a complete reconstruction of the current
by conventional IDS models where hybrid systems conventional IDS architecture. An IDS which
are usually superior. functions with only local knowledge, without a
In the ad hoc IDS paradigm, these detection centralized node, adapts to dynamic environments,
methodologies face numerous shortcomings. A and efficiently identifies malicious behavior will
major impediment is the lack of features describ- be a magnum opus in the field of ad hoc network
ing a routing behavior. Features are parameters security. Additionally, functions such as learning
or values describing a behavior. For example, the new attacks (part of adaptation) without corrupt-
number of server logins is a feature describing a ing the local knowledge base will be beneficial
user behavior over server-client-based application (Hossain, Bridges, & Vaughn, 2003; Pokrajac &
layer protocol. Similarly, delay between two rout- Lazarevic, 2004). Learning is itself a dynamic
ing requests is an example of a feature describing process; therefore learning in a highly dynamic,
a routing behavior. Typically, in a user behavior, distributed, decentralized, and insecure environ-
the number of features can extend from 40-100 or ment will be challenging.
more. On the contrary, a routing control message
has very few independent features. The content of
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
tion, which will eventually corrupt the information Apparently, it can be seen that stationary secure
base of the entire network. Finally, in a network database (SSD) conflicts with the ad hoc character-
with transient associations, feasibility of mobile istic of the absence of centralized authority. Even
agents is questionable. if a node is voted as the centralized node using
trust mechanisms, there is no surety that the node
Stationary Secure Database IDS will behave benignly. Furthermore, a malicious
node can corrupt the SSD by sending incorrect
Andrew (2001) proposes an IDS architecture which intrusion detection information. SSD creates a hot
consists of a stationary secure database (SSD). spot, which is a single point of failure. Addition-
Nodes post new information and decisions into ally, SSD assumes cryptographic mechanisms on
this database. The architecture is simple, as shown the communication between the IDS and SSD.
in Figure 4. Only detection processing is done on This violates the fundamental principle of IDS,
the host and the information is stored in a secure which assumes “no existence of cryptographic
stationary centralized point. mechanisms.”
The other components of the IDS are typical,
namely, misbehavior detection module (MDM), Modular Intrusion Detection Architecture
anomaly detection module (ADM), and commu-
nication port. These components form the mobile Kachirski and Guha (2002) propose an IDS where
agent. A local intrusion database is also used to the intrusion-detection system is modularized
store node specific attack patterns and temporary into various submodules, as shown in Figure 5.
information. The mobile agents will publish the The submodules are network monitoring, host
newly found attack pattern to the SSD, only after a monitoring, decision making, and response (ac-
certain level of confidence is reached. The commu- tion) modules. The modules are implemented in
nication port is used to communicate with the other mobile agent framework. Network monitoring is
nodes’ host-based intrusion detection system. packet monitoring over the network. Host monitor-
0
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
is critical. TIARA has no response system for threshold, the node is discarded from any path.
intrusions. This method is analogous to fault-tolerance in
typical routing algorithms. This method effectively
Threshold-Based Detection detects and responds to malicious packet drop-
ping attacks (sinks). However, it fails to address
A simplistic approach to ad hoc IDS is threshold- attacks such as route invasion, route disruption,
based detection. Bhargava and Agrawal (2001) and so forth.
propose an ad hoc IDS which prevents internal at-
tacks (attacks within the network). Internal attacks State-Based Anomaly Detection
are exhibited by nodes belonging to the network
which behave maliciously, either by themselves One of the interesting approaches in conventional
or when compromised. Each node maintains a IDS models are state-based intrusion detection.
local variable called “MalCount” for every other Michael and Ghosh (2000) incorporate a state-
node, which is increased for a particular node if its based model in ad hoc intrusion detection. They
behavior is suspicious. Thus the MalCount array propose two anomaly detection methodologies,
in a node tracks the level or state of suspicion that which use finite-state machines (FSM). FSM have
the host node has regarding the other nodes. Each proved successful in conventional IDS because of
node shares its local state of suspicion with respect their adaptability and dynamic learning capability
to a particular node with other nodes in the network of new attacks.
using a special packet REMAL. When a node Anomaly detection methods proposed by Mi-
receives REMAL, it increases its local MalCount chael and Ghosh (2000) used protocol states. In
for the particular node under suspicion. the first method, the sequence and frequency of
The authors overlooked many aspects of ad hoc protocol states are monitored. Intrusion is affirmed
security. First, malicious knowledge sharing using when a particular sequence deviates significantly
REMAL will have cumulative malign effect on from normal behavior patterns or the frequency of
the network. Second, the security of the REMAL states exceeds a threshold. To increase robustness,
packet is unknown. Eventually, the entire network their second approach uses probabilistic state-based
can be under threat by trusting unreliable REMAL intrusion detection. Each occurrence of a suspi-
packets. The crucial aspect of the security of the cious protocol state increases the probability of
IDS is not considered in this methodology. Fur- the behavior being malicious.
thermore, routing security is not addressed. These two approaches are well suited for trans-
Another interesting approach called watchdog- port and application layer protocols, which have
pathrater, which also uses threshold, is proposed many protocol states, and the protocol states are
by Sergio, Giuli, Kevin, and Mary (2000). Watch- predictable. For example, attacks such as, TCP SYN
dog-pathrater, as the name implies, has a monitor flood attack can be detected using this approach.
and evaluator. Unlike Bhargava and Agrawal’s However, this is not true in the case of routing
(2001) approach, Watchdog-pathrater functions protocols. State sequence or frequency of states
independently and does not share information does not distinguish a malicious behavior from
with other nodes. When a packet is forwarded to a benign one. Traditionally, FSM were used to
a neighbor node, the forwarding node listens and extract semantics from user behavior through
monitors how the node behaves upon receiving application-layer protocols. In the case of ad hoc
a packet. A benign node will forward faithfully, routing protocols, semantics is not represented by
which is overheard by the monitor. However, when protocol states, but factors such as current topology,
the node does not forward the packet, the pathrater mobility, connectivity, and so forth are.
increases the failure rate for the path. The monitor
does not distinguish between maliciousness and
node faultiness. Upon the failure rate reaching the
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Paper presented at the Security and Privacy for Hubaux, J.-P., Buttyan, L., & Capkun, S. (2001).
Emerging Areas in Communications Networks, The quest for security in mobile ad hoc networks.
SecureComm 2005. Paper presented at the 2nd ACM international
Symposium on Mobile Ad hoc Networking &
Balajinath, B., & Raghavan, S. V. (2001). Intru-
Computing, Long Beach, CA.
sion detection through learning behavior model.
Computer Communications, 24(12), 1202-1212. Jacoby, G. A., Marchany, R., & Davis, N. J., IV.
(2004). Battery-based intrusion detection a first
Bhargava, S., & Agrawal, D. P. (2001, Fall). Secu-
line of defense. Paper presented at the Information
rity enhancements in AODV protocol for wireless
Assurance Workshop, 2004/Proceedings from the
ad hoc networks. Paper presented at the IEEE 54th
Fifth Annual IEEE SMC.
Vehicular Technology Conference, VTC 2001.
Kachirski, O., & Guha, R. (2002). Intrusion de-
Brutch, P., & Ko, C. (2003). Challenges in intru-
tection using mobile agents in wireless ad hoc
sion detection for wireless ad-hoc networks. Paper
networks. Paper presented at the IEEE Workshop
presented at the Applications and the Internet
on Knowledge Media Networking, 2002.
Workshops, 2003.
Kong, J., Hong, X., & Gerla, M. (2003). A new set of
Bykova, M., Ostermann, S., & Tjaden, B. (2001).
passive routing attacks in mobile ad hoc networks.
Detecting network intrusions via a statistical
Paper presented at the Military Communications
analysis of network packet characteristics. In
Conference, MILCOM 2003. IEEE.
Proceedings of the 33rd Southeastern Symposium
on System Theory, 2001. Lamport, L., Shostak, R., & Pease, M. (1982). The
Byzantine generalsproblem. ACM Transactions
Debar, H., Dacier, M., & Wespi, A. (1999). To-
on Programming Languages and Systems, 4(3),
wards a taxonomy of intrusion-detection systems.
382-401.
Computer Networks-the International Journal of
Computer and Telecommunications Networking, Little, M. (2005). TEALab: A testbed for ad hoc
31(8), 805-822. networking security research. Paper presented at
the Military Communications Conference, MIL-
Duda, R. O., Hart, P. E., & Stork, D. G. (2000).
COM 2005. IEEE.
Pattern classification (2nd ed.). Wiley Inter-Science
Publication. Michael, C. C., & Ghosh, A. (2000). Two state-
based approaches to program-based anomaly
Hijazi, A., & Nasser, N. (2005). Using mobile
detection. Paper presented at the 16th Annual
agents for intrusion detection in wireless ad hoc
Conference Computer Security Applications,
networks. Paper presented at the Second IFIP
ACSAC ’00.
International Conference on Wireless and Optical
Communications Networks, WOCN 2005 Mishra, A., Nadkarni, K., & Patcha, A. (2004).
Intrusion detection in wireless ad hoc networks.
Hossain, M., Bridges, S. M., & Vaughn, R. B.,
IEEE Wireless Communications, 11(1), 48-60.
Jr. (2003). Adaptive intrusion detection with data
mining. Paper presented at the IEEE International Nadkarni, K., & Mishra, A. (2003). Intrusion de-
Conference on Systems, Man and Cybernetics, tection in MANETS: The second wall of defense.
2003. Paper presented at the 29th Annual Conference of
the IEEE Industrial Electronics Society, IECON
Huang, Y. A., & Lee, W. (2004). Attack analysis
2003.
and detection for ad hoc routing protocols. Recent
advances in intrusion detection, proceedings Papadimitratos, P., & Haas, Z. (2002, January 27-
(Vol. 3224, pp. 125-145). Berlin: Springer-Verlag 31). Secure routing for mobile ad hoc networks. Pa-
Berlin. per presented at the SCS Communication Networks
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
and Distributed Systems Modeling and Simulation Zhang, Y. G., Lee, W. K., & Huang, Y. A. (2003).
Conference (CNDS 2002), San Antonio. Intrusion detection techniques for mobile wireless
networks. Wireless Networks, 9(5), 545-556.
Patrick, A., Olivier, C., Jean-Marc, P., Bernard,
J., Ludovic, M., & Ricardo, P. (2002). Security in
ad hoc networks: A general intrusion detection kEy tErMs
architecture enchancing trust based approaches.
Paper presented at the 1st International Workshop Ad Hoc Networks: Ad hoc networks are loosely
on Wireless Info. Sys., Cicudad Real, Spain. organized and configured network. There are no
centralized nodes, such as routers, gateways, and
Pokrajac, D., & Lazarevic, A. (2004). Applications
so forth. All network functions are done by every
of unsupervised neural networks in data mining.
node and thereby every node supports the network’s
Paper presented at the 7th Seminar on Neural
functioning.
Network Applications in Electrical Engineering,
NEUREL 2004. Anomaly Detection: Anomaly detection is
a type of intrusion detection in which historical
Ramanujan, R., Ahamad, A., Bonney, J., Hagel-
normal behavior of the network is used. Any de-
strom, R., & Thurber, K. (2000). Techniques for
viation of a behavior from the normal will raise
intrusion-resistant ad hoc routing algorithms
an alarm.
(TIARA).
Audit Trails: Audit trails describe a network
Sergio, M., Giuli, T. J., Kevin, L., & Mary, B.
or node behavior. It contains values for a set of
(2000). Mitigating routing misbehavior in mobile
parameters, which is recorded in periodic intervals
ad hoc networks. Paper presented at the Conference
of time. The parameter set is called as the feature
Name|. Retrieved Access Date|. from URL|.
set and usually differs between different network
Shimomura, T., & Markoff, J. (1996). Take down: environments, protocols, and systems.
The pursuit and capture of Kevin Mitnick, Amer-
Intrusion/Attack: Intrusion is a behavior of
ica’s most notorious cyber-criminal; by the man
an external or internal node(s) with malign intent,
who did it. London: Secker & Warburg.
which aims to affect other benign nodes in the
Verwoerd, T., & Hunt, R. (2002). Intrusion detec- network.
tion techniques and approaches. Computer Com-
Intrusion Detection: Intrusion detection is the
munications, 25(15), 1356-1365.
process of identifying and distinguishing malicious
Yang, S., & Baras, J. S. (2003). Modeling vulner- behavior from the normal network traffic.
abilities of ad hoc routing protocols. Paper pre-
Misbehavior Detection: Misbehavior detection
sented at the 1st ACM Workshop on Security of Ad
is a complement to anomaly detection. In this type
Hoc and Sensor Networks, Fairfax, Virginia.
of intrusion detection, known intrusion behavior
Zhang, Y., Huang, Y.-A., & Lee, W. (2005). An patterns are used. Any resemblance of a behavior
extensible environment for evaluating secure with these patterns will result in an alarm.
MANET. Paper presented at the First International
Mobile Agents: Mobile agents are specialized
Conference on Security and Privacy for Emerging
software which move between nodes to accomplish
Areas in Communications Networks, SecureComm
their assigned tasks, such as data collection and
2005.
so forth.
Chapter XXXIV
Security in Wireless
Sensor Networks
Luis E. Palafox
CICESE Research Center, Mexico
J. Antonio Garcia-Macias
CICESE Research Center, Mexico
AbstrAct
In this chapter we present the growing challenges related to security in wireless sensor networks. We
show possible attack scenarios and evidence the easiness of perpetrating several types of attacks due to
the extreme resource limitations that wireless sensor networks are subjected to. Nevertheless, we show
that security is a feasible goal in this resource-limited environment; to prove that security is possible we
survey several proposed sensor network security protocols targeted to different layers in the protocol
stack. The work surveyed in this chapter enable several protection mechanisms vs. well documented
network attacks. Finally, we summarize the work that has been done in the area and present a series of
ongoing challenges for future work.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in Wireless Sensor Networks
same processing power. Based on this idea, many • Unreliable transfers. The packets can be
researchers have started to face the challenge of corrupted or even discarded due to errors in
maximizing processing capabilities and reduc- the communication channel or to congested
ing energy consumption while protecting sensor nodes which results in packet loss; as a con-
networks from possible attacks. sequence, application developers are forced
to allocate extra resources for error handling.
Most importantly is the fact that if a protocol
bAckground does not have the appropriate mechanisms
for error handling, packets including criti-
WSN have many more limitations than other tradi- cal security information could be lost (e.g.,
tional computer networks. Due to these limitations, a cryptographic key).
it is unfeasible to use the traditional security ap- • Conflicts. Even if we had a reliable communi-
proaches in these resource-constrained networks. cation channel, the communication still could
Thus, to develop efficient security techniques, it is be unreliable due to the broadcast nature of
imperative to consider the limitations involved. sensor networks. If a collision occurs in the
middle of a transfer, there would be conflicts
Extremely limited resources and the transfer itself would fail. On a highly
populated network this can be a big problem,
Every security mechanism requires a certain as has already been pointed out (Akyildiz, Su,
amount of resources for its implementation, Sankarasubramaniam, & Cayirci, 2002).
these resources include data memory, program •
Latency. Multihop routing, network conges-
memory, and energy source to power the sensor tion, and in-network processing can introduce
node; however, these resources are very scarce in latency to the network, making synchroniza-
sensor nodes. tion difficult between nodes. Synchronization
problems can be critical for network security
• Memory limitations. In order to implement an mechanisms that rely on error reporting and
efficient security mechanism, the algorithm cryptographic key distribution. Some real/
used for such implementation must have a time communications techniques could be
small footprint. used in WSN (Stankovic, Abdelzaher, Lu,
• Energy limitations. When including security Sha, & Hou, 2003).
mechanisms, careful attention should be paid
to energy-depleting factors including the con- unattended operation
sumed energy in computation of the security
functions (i.e., encrypt, decrypt, data signa- On most wireless sensor network applications,
tures, signature verification), the consumed nodes are left unattended for long time periods. The
energy of additional security related data three main disadvantages of leaving the network
transmissions or overhead (i.e., initialization unattended are:
vectors required for encrypt/decrypt), and the
energy spent in storing the security related • Exposure to physical attacks. The network
parameters (i.e., cryptographic keys). can be deployed in an environment open
to adversaries, in undesirable climatologic
Highly unreliable communication conditions, and so forth. Thus, the probability
Medium of a node suffering a physical attack is much
higher than in typical computers on traditional
Unreliable communication is another threat to networks, which normally are placed on a
WSN. The security relies heavily on a defined secure location and only face attacks through
protocol, which depends on communication. the network.
Security in Wireless Sensor Networks
Security in Wireless Sensor Networks
the addition of fake packets to the network. Con- flexible for configuring itself according to several
sequently, the adversary can make receiving node situations. There is no fixed infrastructure to ad-
believe that the data comes from an authentic minister a sensor network. This also brings a great
source. Additionally, authentication is needed for challenge for security in this type of networks.
several administrative tasks (i.e., dynamic network For instance, the dynamic nature of the network
reprogramming, controlling node duty cycle). Thus, suggest of preinstalling a key shared between the
we can determine that message authentication is base station and the rest of the nodes (Eschenauer
important for many sensor network applications. & Gligor, 2002). Several schemes of random key
distribution have been proposed in the context
Availability of symmetric encryption techniques (Chan, Per-
rig, & Song, 2003; Eschenauer & Gligor, 2002;
Adjusting current traditional encryption algo- Hwang & Kim, 2004; Liu, Li, & Ning, 2005). In
rithms to sensor network implies an additional the area of public key cryptography on wireless
cost. Some approaches suggest modifying code to sensor networks, this same dynamicity requires
favor code reutilization as much as possible. Other efficient mechanisms for key distribution. WSN
approaches tend to use additional communication must autoconfigure for key management and for
to achieve the same goal. Other more radical ap- establishing trust relationships among nodes, in
proaches impose restrictions to the data or propose a similar way as they autoconfigure to perform
less robust schemes (like centralized schemes) to multihop routing.
simplify algorithms. But all of these approaches If a sensor network lacks of autoconfiguration,
decrease the level of availability of the nodes and the damage done by an adversary or even by the
consequently, the availability of the entire network hostile environment could be fatal.
for the following reasons:
security Attacks on wireless sensor
• The introduction of additional processing networks
results in additional power consumption. If
we exhaust the available energy of a node, The nature of the WSN makes them vulnerable
its data would no longer be available. to several types of attacks. Such attacks can be
• Introducing additional communication perpetrated in a variety of ways, most notably are
operations also consumes more energy. the denial or service attacks (DoS), but there are
Furthermore, adding more communication also traffic analysis attacks, eavesdropping, physi-
considerably increases the probability of cal attacks, and others. DoS attacks in wireless
generating a collision. sensor networks go from simple communication
• If we introduce a centralized scheme, it channel saturation techniques to more sophisticated
would only have a single point, which can designed to tamper with the message authentication
be a constant threat to the availability of the code (MAC) layer protocol (Perrig, Stankovic, &
entire network. Wagner, 2004).
Due to the great differences in available energy
The implementation of security mechanisms and computational power, protecting against a well
not only interferes with network operation, it also designed denial-of-service attack is practically
can considerably affect availability of the entire impossible. A more powerful node could easily
network. block any other normal node, and consequently,
prevent the sensor network from performing its
Autoconfiguration function.
We can observe that attacks on sensor networks
WSN are an extreme case of ad hoc networks, are not exclusively restricted to denial-of-service
which require that each node be independent and attacks; among these other types of attacks we can
0
Security in Wireless Sensor Networks
include compromised nodes, attacks to routing nerable to attacks than their counterparts in ad hoc
protocols, and physical attacks. networks. Most attacks on network layer protocols
fall into one of the following categories:
Attack scenario
• Spoofed, altered, or replayed routing informa-
To propose and develop efficient prevention and tion. This attack is directed toward the routing
recuperation mechanisms for attacks on wire- information that is exchanged between nodes.
less sensor networks it is important to know and By spoofing, altering, or replaying routing
understand the nature of the potential adversar- information, the adversaries could potentially
ies; these can be classified in two groups (Karlof create routing loops, attract or repel network
&Wagner, 2003): mote class adversaries and laptop traffic, lengthen or shorten routes, generate
class adversaries. In the first case, the adversary fake error messages, partition the network,
has access to sensor nodes. In contrast, the laptop increase node to node latency, and so forth.
class adversary has access to more powerful de- • Selective forwarding. Multihop networks
vices such as personal computers, PDAs, and so often operate assuming faithfully that mes-
forth. Thus, in this case, the devices have many sages will be received by their destination.
advantages over legit nodes: larger energy source, On a selective forwarding attack, malicious
more powerful processors, and they could also nodes could prevent forwarding certain mes-
have high-power transmitters or a highly sensitive sages or even discard them; consequently,
antenna to eavesdrop on traffic. these messages would not propagate through
A laptop class adversary can produce more dam- the network. A simple form of this attack is
age as opposed to an adversary that only has access very easy to be detected because the neigh-
to a few sensor nodes. For instance, a sensor node bor nodes could easily infer that the route
can only block radio links in a small neighborhood is no longer valid and use an alternate one.
while an adversary with a laptop computer could A more subtle form of this attack is when
block the entire sensor network with the help of a and adversary selectively forwards packets.
more powerful transmitter. Furthermore, a laptop Therefore, if an adversary is interested in
class adversary could potentially eavesdrop on the suppressing or modifying packets that come
traffic of the entire network, while a mote class from certain source, the adversary could se-
adversary could only eavesdrop on the traffic in lectively forward the rest of the traffic, thus,
a very limited area. the adversary would not raise any suspicion
Another commonly used adversary classifica- of the attack.
tion considers external and internal adversaries. • Sinkhole attacks. In a sinkhole attack, the
Previously, we discussed external attacks, where goal of the adversary is to attract all the traf-
the adversaries do not have any access to the sen- fic to a certain area or the network through
sor network. Conversely, internal attacks are those a compromised node, creating a sinkhole
perpetrated by an authorized participant in the (metaphorically speaking). Due to the fact
network that has turned malicious. Internal attacks that the nodes that are located across the route
can be mounted from compromised nodes that are have the ability to alter application data, the
executing malicious codes or from laptop comput- sinkhole attacks could facilitate other types
ers that have access to cryptographic materials, of attacks (like selective forwarding for in-
data, and codes from authorized nodes. stance).
• Sybil attacks. In a Sybil attack (Douceur,
Attacks to Routing Protocols 2002), a node presents multiple identities to
the rest of the nodes. Sybil attacks are a threat
Most routing protocols for WSN are very simple; to geographical routing protocols, since they
due to this simplicity, they are generally more vul- require the exchange of coordinates for effi-
Security in Wireless Sensor Networks
cient packet routing. Ideally, we would expect Attacks to Data Aggregation Techniques
that a node only sends a set of coordinates,
but under a Sybil attack, an adversary could Data aggregation in wireless sensor networks can
pretend to be in many places at once. significantly reduce communication overhead
• Wormhole attacks. In a wormhole attack compared to all the nodes sending their data
(Hu, Perrig, & Johnson, 2002) an adversary to the base station. However, data aggregation
builds a virtual tunnel through a low latency complicates even more network security. This is
link that takes the messages from one part of due to the fact that every intermediate node could
the network and forwards them to another. potentially modify, forge, or discard messages.
The simplest case of this attack is when one Therefore, a single compromised node could be
node is located between two other nodes that able to alter the final aggregation value. Intruder
are forwarding. However, wormhole attacks node and compromised node attacks are two major
commonly involve two distant nodes that threats to security in sensor networks that use data
are colluded to underestimate the distance aggregation techniques.
between them and forward packets through
an external communication channel that is Physical Attacks
only available to the adversary.
• HELLO flood attacks. Some protocols require Sensor networks often operate in hostile environ-
nodes to send HELLO packets to advertise ments. In those environments, the size of the nodes
themselves to their neighbors. If a node re- plus the unattended operation mode contributes
ceives such packet, it would assume that it is to make them very vulnerable to physical attacks
inside the RF range of the node that sent that (i.e., node destruction) (Wang, Gu, Schosek,
packet. However, this assumption could be Chellappan, & Xuan, 2005c). In contrast to other
false because a laptop class adversary could types of attacks, physical attacks destroy the nodes
easily send these packets with enough power permanently, thus, their loss is irreversible. For
to convince all the network nodes that the instance, an adversary could extract cryptographic
adversary is their neighbor. Consequently, keys, alter the node’s circuitry, and reprogram it
nodes close to the adversary may try to use or replace it with malicious nodes (Wang, Gu,
the adversary as a route to the base station, Chellappan, Xuan, & Lai, 2005b). Previous work
while nodes further away would send packets shows that a Berkeley MICA2 mote (one of the
directly to the adversary. But the transmission most commonly used in the research community)
power of those nodes is much less that the can be compromised in less than a minute. Even
adversary’s, thus, the packets would get lost, though these results are not surprising, because
and that would create a state of confusion in MICA2 motes do not have any physical protec-
the sensor network. tion mechanism, they give us a good idea of what
• Acknowledgement spoofing. Some routing a well-trained adversary can do.
algorithms require the use of acknowledge-
ment signals (ACK). In this case, an adversary defense countermeasures
could spoof this signal in response to the
packets that the adversary listens to. This In this section we will present some security
results in convincing the transmitting node mechanisms that have been proposed in the lit-
that a weak link is strong. Thus, an adversary erature and that help in meeting the security
could perform a selective forwarding attack requirements discussed earlier. For this purpose,
after spoofing ACK signals to the node that we will begin by discussing the key establishment
the adversary intends to attack. process in WSN which is the base for security in
this type of networks. We will follow that with a
Security in Wireless Sensor Networks
Table 1. A summary of the analysis for cipher performance (Law et al. 2004)
By key setup
By encryption mode
Security in Wireless Sensor Networks
is that, computationally speaking, it is very heavy predistribution technique it is not necessary that
for the sensor nodes. However, there has been work each pair of nodes share a key. However, every pair
that shows that implementation is viable if a proper of nodes that does share a key may use that key to
selection of algorithms is made (Gaubatz, Kaps, & establish a direct secure connection between them.
Sunar 2004; Gura, Patel, Wander, Eberle, & Shantz, Eschenauer and Gligor (2002) show that under this
2004; Malan, Welsh, & Smith, 2004; Watro, Kong, scheme it is highly probable that sensor nodes can
Fen Cuti, Gardiner, Lynn, & Kruus, 2004). operate with shared keys.
For these reasons, symmetric encryption is the The LEAP protocol (Zhu, Setia, & Jajodia, 2003)
more widely selected technique for applications adopts the approach of using multiple techniques
that cannot handle the computational complexity of for key establishment. Here, the authors make the
asymmetric encryption. Symmetric techniques use observation than any mechanism by itself provides
a single key that is shared by the two communicating security for every type of connection in wireless
parties. This key is used for data encryption and networks. Thus, in this work they present four
decryption. The traditional example of symmetric different types of keys that are used depending on
encryption is the DES (data encryption standard) the communication type to be established.
algorithm. However, the use of DES has decreased In PIKE (Chan & Perrig, 2005), the authors de-
significantly because it can be easily broken. Cur- scribe a mechanism for establishing a key between
rently, other algorithms such as 3DES (triple DES), two nodes based on the trust that both nodes have
RC5, AES, and others (Schneier, 1996). toward a third node in the same network. The shared
An analysis of several cipher algorithms (Law, keys of each node are propagated throughout the
Doumen, & Hartel, 2004) is summarized in Table network in such a way that for every node A and
I, where two classifications are made: one by key B a node C exists that shares a key with A and B.
setup and the other by encryption mode. In both Thus, the key establishment protocol between A
classifications the algorithms were optimized for and B can be securely routed through C.
code size and speed and aspects such as speed, code Perrig et al. (2002) propose a key distribution
size, and required data memory were evaluated. scheme for secure broadcast authentification named
A great challenge for symmetric encryption μTESLA. The main idea of μTESLA is to achieve
is the problem of key management. The problem asymmetric cryptography through the delayed
resides in the fact that both parties need to know disclosure of symmetric keys.
the key prior to starting secure communication. It is important to point out that the most sig-
Thus, the problem can be summarized as follows: nificant advances in the integration of public cryp-
how can we assure that only the two communicat- tography to WSN (which will be discussed next)
ing parties know the key and no one else does? have been made recently. This makes random key
Distributing secret keys is not an easy problem to predistribution a less interesting topic.
solve because preinstalling the key in the sensor
node is not always an option. Public Key Cryptography
Key Establishment Protocols Two of the more commonly used public key cryp-
tography algorithms are RSA and ECC (Schneier,
There are several random key predistribution 1996). Traditionally, it was thought that these tech-
techniques that have been proposed. Eschenauer niques were way too complex for applying them
and Gligor (2002) propose a scheme based on to WSN. However, successful implementations of
probabilistic key sharing among sensor nodes. public key cryptographic systems in WSN have
This scheme operates first by distributing a key been published recently.
chain to all participant nodes before their deploy- Gura et al. (2004) report that it is possible to
ment. Each key chain consists of a set of keys implement RSA and ECC in 8-bit microprocessors,
that has been randomly selected from a larger demonstrating a performance advantage of ECC
offline-generated key set. To use the random key over RSA. Another advantage is that the 160-bit
Security in Wireless Sensor Networks
key in ECC generates shorter messages during countermeasures mechanisms are required. One
transmission compared to the 1024-bit key of RSA. approach to defend against the classic channel jam-
Particularly, this work demonstrates that the dot ming attack is to identify the part of the network
product operations used in ECC execute faster that is jammed and route traffic around that area.
than the operations in RSA. Wood and Stankovic (2002) describe a two phase
Watro et al. (2004) show that certain parts of approach where nodes along the perimeter of the
the RSA cipher can be implemented on current jammed area report their status to their neighbors
sensor network platforms, particularly in the who then collaboratively define the jammed region
MICA2 Berkeley motes (Hill, Szewczyk, Woo, and simply route around it.
Hollar, Culler, & Pister, 2000). They implemented To protect against jamming at the MAC layer,
the public key operations in the sensor nodes nodes could use an admission control mechanism
while the private ones were performed in more that limits their transmission rate. This would al-
powerful devices. In this case they used a laptop low the network to ignore the requests designed to
computer. exhaust the node’s energy source. However, this is
Malan et al. (2004) propose a scheme based not an optimal solution because the network must
on ECC and show an implementation of the Dif- be able to handle large volumes of traffic.
fie-Hellman algorithm based on the elliptic curve To protect against malicious nodes that inten-
discrete logarithm problem. While key generation tionally misroute traffic could be done at the cost
is by no means fast (around 34 seconds for gener- of redundancy. In this case, a node can send the
ating the pair of keys and another 34 seconds for message through multiple routes, thus increasing
generating the secret key), this probably would the probability that the message will arrive to its
suffice for applications that do not require frequent final destination simply because the message does
key renewal. not rely on a single route to get there.
Security in Wireless Sensor Networks
efficient routing mechanisms. There is a large simply not forward the request done by the base
demand of routing protocols that besides offering station.
energy efficiency they also offer security against To avoid this, Deng et al. (2002) use a technique
certain network attacks such as sinkhole attacks, similar to μTESLA where one-way key chains are
wormholes attacks, and the Sybil attack. As the used to authenticate the message from the base
WSN range of applications is increasing as well station.
as its network densities, secure routing will be a Tanachaiwiwat, Dave, Bhindwale, and Helmy
design factor that must be considered for future (2003) introduce a novel technique that they called
applications. TRANS (trust routing for location aware networked
sensors). This routing protocol was proposed for
security techniques for routing data-centric networks. It also uses delayed key
Protocols disclosure to achieve asymmetric cryptography.
In their implementation, they use μTESLA for
Deng, Han, and Mishra (2002) introduce an INtru- message authentication and confidentiality. By
sion tolerant routing protocol for sensor networks using μTESLA, TRANS can be sure that a mes-
(INSENS). This protocol is based on minimizing sage follows a trusted route through location-based
the damage caused by an intruder and keep rout- routing. The approach consists of the base station
ing despite its presence, without having to identify sending an encrypted broadcast message to its
the intruder. In this work, the authors state that neighbors. Only those trusted neighbors would
an intruder does not have to be a malicious node have the key required to decrypt that message.
necessarily, it very well could be a node that is just The trusted neighbors would add their location
malfunctioning for physical reasons. Identifying a to the route (for returning messages), and would
malicious node from a malfunctioning one could encrypt the message now with their own keys
be extremely difficult. For this reason they make and send the message to the neighbor closest to
no distinction between them. The first technique the destination. When the message arrives to its
that they propose is to mitigate the damage caused destination, the receiving node must authenticate
by a potential intruder by applying redundancy. the source (in this case the base station) using a
This is, as we previously mentioned, sending a MAC that belongs to the base station. Afterwards,
packet through multiple routes. the node can simply send a message to the base
They also assume that there are large dif- station through the trusted route that the original
ferences in available resources between the base message followed.
station and the sensor nodes, thus, they propose An important challenge in the area of secure
that routing table computation is to be performed routing for wireless networks is that it is very easy
at the base station. This is done in three phases. In to disrupt the routing protocol by simply disrupt-
the first phase the base station broadcast a request ing the route discovery process. Papadimitratos
that propagates through the entire network. On the and Haas (2002) propose a secure route discovery
next phase, the base station collects information protocol that guarantees, under certain condi-
about node connectivity. Finally, the base station tions, that the correct network topology would be
computes a series of routing tables for each node. obtained. This protocol is very similar to TRANS.
These tables include redundant routing information The security relies on the MAC layer and in an
used for the redundant message transmission we accumulation on the node identities that are in-
discussed earlier. cluded in the route. By doing this, a source node
There are several attacks that could be launched can discover the network topology because each
to the routing protocol during each one of the three node from the source to the destination appends
phases. On the first phase, a node could spoof a its identity to the message. In order to ensure that
request done by the base station. A malicious node the message has not been tampered with, a MAC
could forward the request through a fake route or code is also appended to the message, which can
Security in Wireless Sensor Networks
be authenticated by either the destination or by the Some researchers have proposed certain tech-
source (for returning messages). niques that make use of anonymity mechanisms.
For instance, Gruteser and Grunwald (2003a)
How to Protect from Traffic Analysis analyze the feasibility of anonymizing location
Attacks information for location-based services in an
automotive telematic environment. Beresford and
There are some strategies to protect from traffic Stajano (2003) evaluate anonymity techniques
analysis attacks. Deng, Han, and Mishra (2004) for an indoor location-based system based on the
propose a technique based on a random walk active nat.
through the network. This technique also send Producing total anonymity is a difficult problem
packets randomly to nodes different from the parent given the lack of knowledge about the concerning
node in the routing tree. The main goal of this tech- node’s location. Therefore, for the privacy problem,
nique is to make it harder to a potential adversary there is a tradeoff between the required anonymity
to infer the route from a given node to the base level and the need for public information. Three
station and also to prevent against a possible rate approaches have been proposed to address this
monitoring attack, but it would not protect against problem (Gruteser & Grunwald, 2003b; Gruteser et
a time correlation attack. To protect against a time al., 2003; Priyantha, Chakraborty, & Balakrishnan,
correlation attack, they propose a fractal strategy. 2000; Smailagic & Kogan, 2002):
With this technique a node would generate a fake
packet (with certain probability) while one of its • Decentralize sensitive data. The main idea in
neighbors is sending a packet to the base station. this approach is to distribute the sensed loca-
The fake packet would be sent to another neighbor tion data through a spanning tree. By doing
that consequently may send another fake packet, so, no single node will contain the original
thus, deceiving the potential adversary. These fake data.
packets would use the time-to-live (TTL) parameter • Secure the communication channel. By us-
to decide for how long they would be circulating ing secure communication protocols such as
throughout the network. SPINS (Perrig et al., 2002), eavesdropping
and active attacks can be prevented.
defending Against sensor node • Node mobility. Making the nodes move can
be an effective defense mechanism against
Privacy Attacks
privacy attacks, particularly due to the fact
that location information would be changing
To protect against privacy attacks, several propos-
constantly. For instance, the Cricket system
als have been made that reduce the effects of those
(Priyantha et al., 2000) is a system with
attacks, we will discuss some of those proposals
location support for mobile object inside
in this section (Gruteser, Schelle, Jain, Han, &
buildings.
Grunwald, 2003).
Security in Wireless Sensor Networks
telematics domain, Duri, Gruteser, Liu, Moskowitz, of their unattended operation mode and their ex-
Perez, Singh et al. (2002) propose a policy-based tremely limited resources. Nodes may be equipped
framework to protect data from the sensors, where with tamper-proof physical protection. For instance,
an on-board computer can act as a trusted agent. an alternative to this is tamper-proof packaging
Snekkenes (2001) presents advanced concepts for (Wood & Stankovic, 2002). Related research
policy specification on cell phone networks. These work focuses in the design of hardware that make
concepts allow access control based on criteria their memory content inaccessible to adversaries.
such as request time, location, object speed, and Another alternative is to use special software and
identity. Myles, Friday and Davies (2003) describe hardware to detect physical tampering.
an architecture for a centralized server that controls As the hardware costs decrease, integrating
the access of client applications through the use of tamper-proof hardware would be a feasible solu-
validation modules that verify the XML-formatted tion for sensor network applications. However, the
application policies. Hengartner and Steenkiste research community has agreed by consensus that
(2003) point out that access control policies must the trend should be making cheaper sensor nodes
be governed by room or user policies. The room without adding extra functionalities; thus, integrat-
policies specify who is authorized to find out ing physical protection is not a solution that would
about the people currently in the room, while user be commonly accepted in the near future. One
policies state who is permitted to access location possible approach for protecting against physical at-
information about another user. tacks is self-destruction. The main idea behind this
Langheinrich (2005) proposed a framework approach is that whenever a node detects a possible
called PawS (privacy awareness system). This attack it self-destructs. This is particularly feasible
framework is based on privacy policy advertise- on networks where there are redundant nodes and
ments through special packets called privacy bea- when the cost per node is low. Obviously, the key
cons. Those policies are maintained with privacy to this approach is detecting a possible attack. One
proxies, which keep databases that store those possible solution is to statically verify the status of
policies. their neighbors, but in mobile networks this still
is an open problem.
Information flooding Regarding the deployment of security compo-
nents outside the nodes, several proposals have
Ozturk, Zhang, Trappe, and Ott (2004) propose been made (Bulusu & Jha, 2005). Sastry, Shan-
antitraffic analysis mechanisms to prevent an exter- kar, and Wagner (2003) introduce the concept of
nal adversary from obtaining the location of a data secure location verification and propose a secure
source. Random data routing and phantom traffic localization scheme called ECHO that assures node
are used to hide real traffic, so that it is difficult location legitimacy. In this scheme, the security
for an adversary to track the data source through relies over physical sound properties and RF. The
traffic analysis. Ozturk et al. have developed adversary cannot claim to have a shorter distance
comparable methods that rely on flooding-based by starting the ultrasound response early because
routing protocols. it will not have the nonce.
Some similar mechanisms can be used to pre- Hu and Evans (2004) use directional antennas
vent an adversary to track the base station through to defend against wormhole attacks. In the work
traffic analysis (Gura et al., 2004). A key problem presented by Wang et al. (2005b) the authors study
with these techniques is that they involve an energy the modeling and defense of sensor networks
cost in order to provide information anonymity. against search-based physical attacks. They define
a physical attack-based model, where an adversary
Protecting from Physical Attacks walks the network using signal detecting equip-
ment to locate active nodes and destroy them. In
Physical attacks, as we pointed out earlier, represent prior work, the authors identified and modeled
an important threat to sensor networks because blind physical attacks (Wang, Gu, Chellappan,
Security in Wireless Sensor Networks
Schosek, & Xuan, 2005a). The defense algorithm aggregation techniques were proposed without
is executed by individual nodes in two phases: in security in mind, and thus, are vulnerable to at-
the first phase, the nodes detect the attacker and tacks. A mathematical framework is proposed to
notify other nodes; in the second phase, the nodes formally evaluate security for aggregation. This
receive the notification and change their state to theory allows quantifying the robustness of an ag-
safe mode. gregation operation against a malicious attack. By
Seshadri, Perrig, Van Doorn, and Khosla (2004) using the framework, it is argued that the aggrega-
introduce a mechanism called SWATT to verify tion functionalities that can be securely computed
and detect when memory content is altered. This under the presence of k compromised nodes are
mechanism can be use as defense against a physical exactly the functions that are (k, α)-resilient for
attack by modifying code in the nodes. some α that is not too large. This work opened the
door for secure data aggregation in sensor networks.
secure data Aggregation However, the presented level of aggregation model
is fairly simple compared to real sensor network
As sensor networks increase in size, the amount implementations. Extending this technique to mul-
of data that they collectively sense also increases. tilevel aggregation scenarios with heterogeneous
However, due to the computational limitations of devices is an interesting challenge.
each node, a small sensor is only responsible for a
very small portion of the entire data. Due do this, Secure Data Aggregation Techniques
a network search would probably return a large
amount of raw data, most of which would not be As we pointed out earlier, data aggregation has
of the user’s interest. been studied in reasonable depth. The problem
For this reason, raw data preprocessing is rec- with classical data aggregation is that they all
ommended to produce more meaningful results to assume trusted nodes. Of course, in practice this
the user. This is typically done by a series of aggre- may not be the case, and for this reason, secure
gators. An aggregator is responsible for collecting data aggregation techniques are required.
raw data from a subset of nodes and processing Przydatek, Song, and Perrig (2003) describe
that raw data into more usable data. a secure information aggregation (SIA). They
However, aggregation techniques are par- point out that aggregation techniques and sensor
ticularly vulnerable to attacks because a single networks are vulnerable to a variety of attacks
aggregator node is responsible for processing the including denial-of-service attacks. However,
data from multiple nodes. Due to this fact, secure this work focuses on protecting against a specific
data aggregation techniques are required by sen- type of attack called stealthy attack. The goal of
sor network that consider the possibility of one or SIA is to ensure that if a user accepts the result
more malicious nodes. of an aggregation as correct, then there is a high
probability that the value is close to the true ag-
Overview gregation value. In case that the aggregated value
has been tampered with, the user must reject the
If an aggregator node is compromised, then all forged value with a high probability.
the transmitted data in the network to the base Hu and Evans (2003) propose a secure aggrega-
station may be forged. To detect this, Ye, Luo, Lu, tion technique that uses the μTESLA protocol to
and Zhang (2005) define a mechanism based on provide security. In this case, the nodes organize
statistical filters. This uses multiple MAC codes into a hierarchy tree where intermediate nodes
across the entire route from the aggregator node play the aggregator role. Recall that the μTESLA
to the base station. Any packet that does not pass achieves asymmetry through delayed disclosure of
verification would be discarded. symmetric keys. For this, a child cannot verify the
Wagner (2004) analyzes the resiliency of ag- data authenticity immediately because the key used
gregation techniques, and argues that current to generate the MAC code has not been disclosed.
Security in Wireless Sensor Networks
However, this technique does not guarantee that the to appear, more efficient application-specific se-
data being reported by the nodes and the aggregator curity techniques will also emerge.
are correct. To address this problem, the base station But overall, perhaps the biggest challenge of all
is responsible for distributing temporary keys to is proving that the proposed security techniques
the network as well as the μTESLA key used for work well in real-world sensor network applica-
validating the MAC. By using this key, the node tions. Currently, there is a huge gap between
can verify their children’s MAC codes. real-world WSN development and WSN security
We can note that secure data aggregation tech- research. Thus, we consider that integrating the
niques play an important role in adopting WSN proposed security techniques to real-world appli-
technology due to the large amount of raw data cations is a challenge that should be faced in the
and the localized in-network processing required near future, as opposed to proposing new tech-
in these networks. Research efforts in this area niques that most of the time does not go beyond
have been limited, thus, much more investigation lab implementations.
is needed in this particular topic.
rEfErEncEs
conclusIon
Akyildiz, I., Su, W., Sankarasubramaniam, Y., &
Certainly, incorporating efficient security mecha- Cayirci, E. (2002). A survey on sensor networks.
nisms to WSN is a huge challenge, mainly because IEEE Communications Magazine, 40(8), 102-
of the differences they have compared to traditional 114.
networks. Their resource constraints, their large
Anderson, R. J., & Kuhn, M. G. (1996, Novem-
scale deployments, along with their operating en-
ber). Tamper resistance: A cautionary note. Paper
vironments, represent great obstacles to achieve
presented at the Second USENIX Workshop on
security. Nevertheless, efficient mechanisms have
Electronic Commerce, Oakland, CA.
been proposed to deal with a great variety of at-
tacks to which WSN presumably are subjected to. Anderson, R. J., & Kuhn, M. G. (1997). Low cost
These security techniques confront specific attacks attacks on tamper resistant devices. In B. Chris-
that operate across different layers of the protocol tianson, B. Crispo, T. M. A. Lomas, & M. Roe
stack. Attacks like signal jamming (physical layer), (Eds.), Security Protocols Workshop (LNCS 1361,
induced collisions (MAC sublayer), packet redirec- pp. 125-136). Springer.
tion (routing layer), and many others have been the
addressed through many security mechanisms, Beresford, A., & Stajano, F. (2003). Location
many of which we described in this chapter. privacy in pervasive computing. IEEE Pervasive
However, most of the security techniques rely Computing, 2(1), 46-55.
heavily on a key distribution protocol and assume Bulusu, N., & Jha, S. (2005). Wireless sensor net-
that secret keys have already been placed on the works: a system perspective. Artech House.
distributed nodes. However as we showed in this
chapter, efficient key distribution in WSN is no Carman, D. W., Kruus, P. S., & Matt, B. J. (2000).
easy task. In fact, most of the research efforts in Constraints and approaches for distributed sensor
WSN security are directed to proposing efficient network security (Tech. Rep. No. 00-010). NAI
key distribution techniques; in this chapter we Labs, The Security Research Division.
discussed research work in the area of WSN key Chan, H., & Perrig, A. (2005, March). PIKE: Peer
distribution. As of now, we still believe that there intermediaries for key establishment in sensor
is much room for improvement in efficient key networks. Paper presented at IEEE INFOCOM,
distribution in wireless sensor networks. As more Miami.
efficient key distribution key mechanisms continue
0
Security in Wireless Sensor Networks
Chan, H., Perrig, A., & Song, D.X. (2003, May). Gruteser, M., & Grunwald, D. (2003a). Anony-
Random key predistribution schemes for sensor mous usage of location-based services through
networks. Paper presented at the IEEE Symposium spatial and temporal cloaking. In Proceedings of
on Security and Privacy, Oakland, CA. the USENIX MobiSys.
Deng, J., Han, R., & Mishra, S. (2002). INSENS: Gruteser, M., Schelle, G., Jain, A., Han, R., &
Intrusion-tolerant routing in wireless sensor net- Grunwald, D. (2003). Privacy-aware location
works (Tech. Rep. No. CU-CS-939-02). University sensor networks. In M. B. Jones (Ed.), USENIX
of Colorado, Department of Computer Science. HotOS (pp. 163-168).
Deng, J., Han, R., & Mishra, S. (2004). Coun- Gura, N., Patel, A., Wander, A., Eberle, H., &
termeasures against traffic analysis in wireless Shantz, S. C. (2004). Comparing elliptic curve
sensor networks (Tech. Rep. No. CU-CS-987-04). cryptography and RSA on 8-bit CPUs. In M. Joye
University of Colorado, Department of Computer & J.-J. Quisquater (Eds.), CHES (LNCS 3156, pp.
Science. 119-132). Springer.
Diffie, W., & Hellman, M. E. (1976). New directions Hartung, C., Balasalle, J., & Han, R. (2005). Node
in cryptography. IEEE Transactions on Information compromise in sensor networks: The need for
Theory, 22(6), 644-654. secure systems (Tech. Rep. No. CU-CS-990-05).
University of Colorado, Department of Computer
Douceur, J. R. (2002). The sybil attack. In P. Drus-
Science.
chel, M. F. Kaashoek, & A. I. T. Rowstron (Eds.),
IPTPS (pp. LNCS 2429, pp. 251-260). Springer. Hengartner, U., & Steenkiste, P. (2003). Protecting
access to people location information. In Hutter
Du, W., Deng, J., Han, Y.S., & Varshney, P. K.
(pp. 25-38).
(2003). A pairwise key pre-distribution scheme for
wireless sensor networks. In Jajodia (pp. 42-51). Hill, J., Szewczyk, R., Woo, A., Hollar, S., Culler,
D. E., & Pister, K. S. J. (2000). System architecture
Duri, S., Gruteser, M., Liu, X., Moskowitz, P.,
directions for networked sensors. In Proceedings
Perez, R., Singh, M., et al. (2002). Framework for
of the 9th International Conference on Architec-
security and privacy in automotive telematics. In
tural Support for Programming Languages and
Proceedings of the 2nd International Workshop on
Operating Systems (pp. 93-104).
Mobile Commerce (WMC ’02), New York, (pp.
25-32). ACM Press. Hu, L., & Evans, D. (2003). Secure aggrega-
tion for wireless network. Paper presented at the
Eschenauer, L., & Gligor, V. D. (2002). A key-man-
SAINT Workshops IEEE Computer Society (pp.
agement scheme for distributed sensor networks.
384-394).
In V. Atluri (Ed.), ACM Conference on Computer
and Communications Security (pp. 41-47). Hu, L., & Evans, D. (2004). Using directional anten-
nas to prevent wormhole attacks. Paper presented
Estrin, D., Govindan, R., Heidemann, J. S., & Ku-
at the NDSS. The Internet Society.
mar, S. (1999). Next century challenges: Scalable
coordination in sensor networks. In Proceedings Hu, Y.-C., Perrig, A., & Johnson, D. B. (2002).
of the MOBICOM (pp. 263-270). Wormhole detection in wireless ad hoc networks
(Tech. Rep. No. TR01-384). Rice University, De-
Gaubatz, G., Kaps, J.-P., & Sunar, B. (2004). Public
partment of Computer Science.
key cryptography in sensor networks: Revisited.
In C. Castelluccia, H. Hartenstein, C. Paar, & D. Karlof, C., & Wagner, D. (2003). Secure routing
Westhoff (Eds.), ESAS (LNCS 3313, pp. 2-18). in wireless sensor networks: Attacks and counter-
Springer. measures. Ad Hoc Networks, 1(2-3), 293-315.
Security in Wireless Sensor Networks
Karp, B., & Kung, H. T. (2000). GPSR: Greedy pe- Perrig, A., Szewczyk, R., Tygar, J. D., Wen, V., &
rimeter stateless routing for wireless networks. Pa- Culler, D. E. (2002). SPINS: Security protocols
per presented at the MOBICOM (pp. 243-254). for sensor networks. Wireless Networks, 8(5),
521-534.
Langheinrich, M. (2005). Personal privacy in
ubiquitous computing: Tools and system support. Pietro, R. D., Mancini, L. V., Law, Y. W., Etalle,
Unpublished doctoral dissertation, Swiss Federal S., & Havinga, P. J. M. (2003). LKHW: A directed
Institute of Technology Zurich. diffusion-based secure multicast scheme for wire-
less sensor networks. Paper presented at the ICPP
Law, Y. W., Doumen, J., & Hartel, P. (2004). Sur-
Workshops. IEEE Computer Society.
vey and benchmark of block ciphers for wireless
sensor networks (Tech. Rep. No. TR-CTIT-04-07). Priyantha, N. B., Chakraborty, A., & Balakrishnan,
Mathematics and Computer Science University of H. (2000). The Cricket location support system.
Twente, Faculty of Electrical Engineering, The Paper presented at the MOBICOM (pp. 32-43).
Netherlands.
Przydatek, B., Song, D. X., & Perrig, A. (2003). SIA:
Madden, S., Franklin, M. J., Hellerstein, J. M., & Secure information aggregation in sensor networks.
Hong, W. (2002). TAG: A tiny aggregation service In I. F. Akyildiz, D. Estrin, D. E. Culler, & M. B.
for ad-hoc sensor networks. SIGOPS Oper. Syst. Srivastava (Eds.), SenSys. ACM (pp. 255-265).
Rev., 36(SI), 131-146.
Sastry, N., Shankar, U., & Wagner, D. (2003). Se-
Malan, D. J., Welsh, M., & Smith, M. D. (2004). cure verification of location claims. In Proceedings
A public-key infrastructure for key distribution of the 2003 ACM Workshop on Wireless Security,
in TinyOS based on elliptic curve cryptography. WiSe ’03, New York, (pp 1–10). ACM Press.
Paper presented at the SECON (pp. 71-80).
Schneier, B. (1996) Applied cryptography: Pro-
Molnar, D., & Wagner, D. (2004). Privacy and tocols, algorithms, and source code in C (2nd ed.).
security in library RFID: Issues, practices, and John Wiley.
architectures. In V. Atluri, B. Pfitzmann, & P. D.
Seshadri, A., Perrig, A., Van Doorn, L., & Khosla,
McDaniel (Eds.), ACM Conference on Computer
P. K. (2004). SWATT: Software-based attestation
and Communications Security (pp. 210-219).
for embedded devices. Paper presented at the
Myles, G., Friday, A., & Davies, N. (2003). Pre- IEEE Symposium on Security and Privacy. IEEE
serving privacy in environments with location- Computer Society.
based applications. IEEE Pervasive Computing,
Shrivastava, N., Buragohain, C., Agrawal, D.,
2(1), 56-64.
& Suri, S. (2004). Medians and beyond: New
Ozturk, C., Zhang, Y., Trappe, W., & Ott, M. aggregation techniques for sensor networks. In
(2004). Source-location privacy for networks of Proceedings of the 2nd International Conference
energy-constrained sensors. Paper presented at the on Embedded Networked Sensor Systems, SenSys
WSTFEUS (pp. 68-81). IEEE Computer Society. ’04, New York, (pp. 239-249). ACM Press.
Papadimitratos, P., & Haas, Z. (2002). Secure rout- Smailagic, A., & Kogan, D. (2002). Location
ing for mobile ad hoc networks. In Proceedings privacy in pervasive computing. IEEE Wireless
of SCS Communication Networks and Distributed Communications, 9(5), 10-17.
System Modeling and Simulation Conference,
Snekkenes, E. (2001). Concepts for personal
CNDS ’04.
location privacy policies. Paper presented at the
Perrig, A., Stankovic, J. A., & Wagner, D. (2004). ACM Conference on Electronic Commerce (pp.
Security in wireless sensor networks. Communica- 48-57).
tions of the ACM, 47(6), 53-57.
Security in Wireless Sensor Networks
Stankovic, J. A., Abdelzaher, T. F., Lu, C., Sha, Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP:
L., & Hou, J. C. (2003). Real-time communication Efficient security mechanisms for large-scale dis-
and coordination in embedded sensor networks. tributed sensor networks. In Jajodia (pp. 62-72).
Proceedings of the IEEE, 91(7), 1002-1022.
Tanachaiwiwat, S., Dave, P., Bhindwale, R., & kEy tErMs
Helmy, A. (2003). Secure locations: Routing on
trust and isolating compromised sensors in loca- Compromised Node: A node on which an at-
tion-aware sensor networks. In Proceedings of tacker has gained control after network deployment.
the 1st International Conference on Embedded Generally compromise occurs once an attacker
Networked Sensor Systems, SenSys ’03, New York, has found a node, and then directly connects the
(pp. 324-325). ACM Press. node to their computer via a wired connection of
some sort. Once connected the attacker controls
Wagner, D. (2004). Resilient aggregation in sensor
the node by extracting the data and/or putting new
networks. In Proceedings of the 2nd ACM Workshop
data or controls on that node.
on Security of Ad Hoc and Sensor Networks, SASN
’04, New York, (pp. 78-87). ACM Press. Data Aggregation: Process of reducing large
amounts of sensor generated data to smaller and
Wang, X., Gu, W., Chellappan, S., Schosek, K., &
more representative data sets that synthesize the
Xuan, D. (2005a). Lifetime optimization of sensor
state of the phenomena that the network is moni-
networks under physical attacks. Paper presented
toring.
at the IEEE International Conference on Commu-
nications, ICC ’05 (Vol. 5, pp. 3295-3301). Data Freshness: Implies that the sensed data
are recent, and it ensures that no adversary replayed
Wang, X., Gu, W., Chellappan, S., Xuan, D., & Lai,
old messages.
T. H. (2005b). Sacrificial node-assisted defense
against search-based physical attacks in sensor Insider Attacks: These types of attacks are
networks (Tech. Rep.). Ohio State University, De- those launched by adversaries that have access
partment of Computer Science and Engineering. to one or more compromised nodes in a network.
Insider attacks are the most challenging ones be-
Wang, X., Gu, W., Schosek, K., Chellappan, S., &
cause the adversary has access to the network’s
Xuan, D. (2005c). Sensor network configuration
cryptographic materials (i.e., keys, ciphers, and
under physical attacks. In X. Lu & W. Zhao (Eds.),
data).
ICCNMC (LNCS 3619, pp. 23-32). Springer.
Key Distribution: Process of efficiently distrib-
Watro, R. J., Kong, D., Fen Cuti, S., Gardiner, C.,
uting cryptographic keys to the nodes that belong
Lynn, C., & Kruus, P. (2004). TinyPK: Securing
to a network. These keys could either be pairwise
sensor networks with public key technology. In
keys (for two party communications), group keys
Setia & Swarup (pp. 59-64).
(for cluster-wide communication), or network keys
Wood, A. D., & Stankovic, J. A. (2002). Denial (for secure broadcast communication).
of service in sensor networks. IEEE Computer,
Mote: A wireless receiver/transmitter that is
35(10), 54-62.
typically combined with a sensor of some type to
Ye, F., Luo, H., Lu, S., & Zhang, L. (2005). Sta- create a remote sensor. Some motes are designed
tistical en-route filtering of injected false data in to be incredibly small so that they can be deployed
sensor networks. IEEE Journal on Selected Areas by the hundreds or even thousands for various
in Communications, 23(4), 839-850. applications
Node Authentication: Process of ensuring that
a given node and its data are legit.
Security in Wireless Sensor Networks
Outsider Attacks: Attacks perpetrated by with wireless networks. Therefore, attacks such as
adversaries that do not have access to direct ac- replay messages and eavesdropping fall into this
cess to any of the authorized nodes in the network. classification. However, coping with this attack is
However, the adversary may have access to the fairly easy by using traditional security techniques
physical medium, particularly if we are dealing such as encryption and digital signatures.
Chapter XXXV
Security and Privacy in Wireless
Sensor Networks:
Challenges and Solutions
Mohamed Hamdi
University of November 7th at Carthage, Tunisia
Noreddine Boudriga
University of November 7th at Carthage, Tunisia
AbstrAct
The applications of wireless sensor networks (WSNs) are continuously expanding. Recently, consistent
research and development activities have been associated to this field. Security ranks at the top of the
issues that should be discussed when deploying a WSN. This is basically due to the fact that WSNs are,
by nature, mission-critical. Their applications mainly include battlefield control, emergency response
(when a natural disaster occurs), and healthcare. This chapter reviews recent research results in the
field of WSN security.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
• Sensor nodes have limited storage, computa- also be proposed. This taxonomy is based
tion, and power resources. For this reason, on three major attack activities: (1) attacks
security mechanisms should be adapted to on transmitted information, (2) attacks on
the WSN capabilities. architecture, structure, protocols, and (3)
• The network does not have a static infra- attacks on the localization framework.
structure. WSN architectures can be only 4. Countermeasures: Potential security solu-
timely defined. This renders the application tions that allow countering the aforemen-
of existing robust cryptographic mechanisms tioned threats will be proposed. They will be
(e.g., public key infrastructure [PKI], digital classified according to the level at which they
signature) more difficult than in customary act (e.g., link level, routing, and application).
networks. Countermeasures will be also categorized
• The sensing and communication tasks are into preventive and reactive solutions. For
often performed in a hostile environment example, robust localization (resp. fault-
where the gathered events are subjected to tolerance) schemes belong to the first (resp.
numerous threats that might affect the final second) category.
decision. 5. Building security policies for WSNs:
• The detected events are forwarded through Several key security processes, such as
the sensor nodes themselves, preventing the monitoring and incident response, can not
application of strong communication security be directly applied in the WSN field. They
mechanisms. should therefore be heavily adapted in order
to support WSN specific constraints.
This chapter surveys recent research activities
in the area of WSN security. More accurately, the
following aspects will be discussed: wIrElEss sEnsor nEtworks
1. Wireless sensor networks: This section ad- Due to advances in wireless communications and
dresses several WSN basic issues to highlight electronics over the last few years, the development
the related scientific challenges. Components, of networks of low-cost, low-power, multifunc-
architecture, topology, routing, mobile target tional sensors has received increasing attention.
tracking, and alert management will be, These sensors are small in size and able to sense,
among others, discussed. process data, and communicate with each other,
2. WSN security objectives: Traditional secu- typically over an radio frequency (RF) channel.
rity goals (i.e., confidentiality, authenticity, A sensor network is designed to detect events or
integrity, and availability) should be extended phenomena, collect and process data, and trans-
to fit the requirements of WSNs. Several par- mit sensed information to interested users. Basic
ticular concepts are introduced at this level. features of sensor networks are:
For instance, confidentiality, authenticity,
and integrity, which have been customarily • Self-organizing capabilities
associated to data and node identity, should be • Short-range broadcast communication and
extended to cover node location. This poses multihop routing
several new security challenges in the WSN • Dense deployment and cooperative effort of
context. sensor nodes
3. Attacks against WSNs: This section de- • Frequently changing topology due to fading
scribes the most important attacks techniques and node failures
concerning WSNs. Attacks are classified ac- • Limitations in energy, transmit power,
cording to the basic security properties they memory, and computing power
violate. A taxonomy of these attacks will
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
These characteristics, particularly the last three, of large numbers of inexpensive devices.
make sensor networks different from other wire- However, inexpensive devices can often be
less ad hoc or mesh networks. Clearly, the idea of unreliable and prone to failures. Rates of
mesh networking is not new; it has been suggested device failure will also be high whenever
for some time for wireless Internet access or voice the sensor devices are deployed in harsh or
communication. Similarly, small computers and hostile environments. Protocol designs must
sensors are not innovative per se. However, com- therefore have built-in mechanisms to provide
bining small sensors, low-power computers, and robustness. It is important to ensure that the
radios makes for a new technological platform that global performance of the system is not sen-
has numerous important uses and applications. sitive to individual device failures. Further,
Wireless sensor networks are interesting from it is often desirable that the performance of
an engineering perspective, because they present the system degrade as gracefully as possible
a number of serious challenges that cannot be ad- with respect to component failure.
equately addressed by existing technologies: • Synergy: Moore’s law-type advances in
technology have ensured that device capabili-
• Extended lifetime: As mentioned above, ties in terms of processing power, memory,
WSN nodes will generally be severely energy storage, radio transceiver performance, and
constrained due to the limitations of batteries. even accuracy of sensing improve rapidly
A typical alkaline battery, for example, pro- (given a fixed cost). However, if economic
vides about 50 watt-hours of energy; this may considerations dictate that the cost per node be
translate to less than a month of continuous reduced drastically from hundreds of dollars
operation for each node in full active mode. to less than a few cents, it is possible that the
Given the expense and potential infeasibil- capabilities of individual nodes will remain
ity of monitoring and replacing batteries for constrained to some extent. The challenge
a large network, much longer lifetimes are is therefore to design synergistic protocols,
desired. In practice, it will be necessary in which ensure that the system as a whole is
many applications to provide guarantees that more capable than the sum of the capabilities
a network of unattended wireless sensors can of its individual components. The protocols
remain operational without any replacements must provide an efficient collaborative use
for several years. of storage, computation, and communication
• Responsiveness: A simple solution to extend- resources.
ing network lifetime is to operate the nodes in • Scalability: For many envisioned applica-
a duty-cycled manner with periodic switching tions, the combination of fine granularity
between sleep and wake-up modes. While sensing and large coverage area implies
synchronization of such sleep schedules is that wireless sensor networks have the po-
challenging in itself, a larger concern is that tential to be extremely large scale (tens of
arbitrarily long sleep periods can reduce the thousands, perhaps even millions of nodes
responsiveness and effectiveness of the sen- in the long term). Protocols will have to be
sors. In applications where it is critical that inherently distributed, involving localized
certain events in the environment be detected communication, and sensor networks must
and reported rapidly, the latency induced by utilize hierarchical architectures in order to
sleep schedules must be kept within strict provide such scalability. However, visions
bounds, even in the presence of network of large numbers of nodes will remain un-
congestion. realized in practice until some fundamental
• Robustness: The vision of wireless sensor problems, such as failure handling and in-situ
networks is to provide large scale, yet fine- reprogramming, are addressed even in small
grained coverage. This motivates the use settings involving tens to hundreds of nodes.
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
There are also some fundamental limits on Hence, appropriate security needs and techniques
the throughput and capacity that impact the should be defined for WSN environments while
scalability of network performance. borrowing concepts from the currently used secu-
• Heterogeneity: There will be a heterogeneity rity mechanisms. In the following, we highlight the
of device capabilities (with respect to com- most relevant, from security point of view, WSN
putation, communication, and sensing) in intrinsic features.
realistic settings. This heterogeneity can have
a number of important design consequences. Resource Limitations
For instance, the presence of a small number
of devices of higher computational capability Security mechanisms and processes necessarily
along with a large number of low-capability require a certain amount of processing, power,
devices can dictate a two-tier, cluster-based storage, and memory resources. However, sensor
network architecture, and the presence of nodes are often resource-impoverished. In the
multiple sensing modalities requires pertinent following, we detail the basic resource limitations
sensor fusion techniques. A key challenge is characterizing WSNs.
often to determine the right combination of
heterogeneous device capabilities for a given • Processing limitations: A custom proces-
application. sor for sensor nodes should essentially have
• Self-configuration: Because of their scale a low-power sleep mode, allowing reducing
and the nature of their applications, wireless energy consumption, and a low-overhead
sensor networks are inherently unattended wakeup mechanism, preventing the occur-
distributed systems. Autonomous opera- rence of network congestion due to signalling
tion of the network is therefore a key design messages. Ekanayake (2004) shows that the
challenge. From the very start, nodes in a processing speed offered by most of the avail-
wireless sensor network have to be able to able microcontrollers ranges between 4 and
configure their own network topology: local- 400 MIPS. Even though this is a performance
ize, synchronize, and calibrate themselves, to implement the communication functions,
coordinate inter-node communication, and it turns out to be not sufficient to support
determine other important operating param- advanced security mechanisms, especially
eters. when a heavy traffic is exchanged across
• Privacy and security: The large scale, the WSN. For instance, it has been shown by
prevalence, and sensitivity of the information Blaß (2005) that a traditional Diffie-Hellman
collected by wireless sensor networks (as key exchange operation would last 48.04
well as their potential deployment in hostile seconds on the AmtelMega processor. As a
locations) give rise to the final key challenge result, novel security algorithms should be
of ensuring both privacy and security. considered to keep up with the sensor node
processing limitations.
• Limited memory and storage space: A
wsn sEcurIty objEctIvEs sensor is a tiny device with only a small
amount of memory and storage space for the
wsn security challenges code. In order to build an effective security
mechanism, it is necessary to limit the code
WSNs are characterized by many constraints size of the security algorithm. For example,
compared to traditional communication networks. one common sensor type (TelosB) has an
Due to these particular constraints, the application 16-bit, 8 MHz RISC CPU with only 10K
of existing network security approaches does not RAM, 48K program memory, and 1024K flash
allow to fulfill the required security properties. storage. With such a limitation, the software
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
built for the sensor must also be quite small. more, the unreliable wireless communication
The total code space of TinyOS, the de-facto channel also results in damaged packets. A
standard operating system for wireless sen- higher channel error rate also forces the soft-
sors, is approximately 4 K (Hill 2000), and ware developer to devote resources to error
the core scheduler occupies only 178 bytes. handling. More importantly, if the protocol
Therefore, the code size for the all security lacks the appropriate error handling it is pos-
related code must also be reduced. sible to lose critical security packets. This
• Power limitation: Energy is the biggest may include, for example, a cryptographic
constraint to wireless sensor capabilities. We key.
assume that once sensor nodes are deployed • Collisions: WSNs impose strict requirements
in a sensor network, they cannot be easily on a medium access protocol. This is basically
replaced (high operating cost) or recharged due to the ad hoc architecture characterizing
(high cost of sensors). Therefore, the battery WSNs as well as the long network lifetime
charge taken with them to the field must be needs. Moreover, as data are broadcasted over
conserved to extend the life of the individual the radio link, packets may collide resulting
sensor node and the entire sensor network. in decreasing of the channel throughput. De-
When implementing a cryptographic function pending on the medium access and transport
or protocol within a sensor node, the energy layer protocols, the information loss can reach
impact of the added security code must be a certain degree such that the analysis center
considered. When adding security to a sen- becomes no longer able to identify the events
sor node, we are interested in the impact that corresponding to the gathered data.
security has on the lifespan of a sensor (i.e., • Latency: Multihop routing, network con-
its battery life). The extra power consumed gestion, and node processing can lead to
by sensor nodes due to security is related to greater latency in the network, thus making
the processing required for security func- it difficult to achieve synchronization among
tions (e.g., encryption, decryption, signing sensor nodes. The synchronization issues
data, and verifying signatures), the energy can be critical to sensor security where the
required to transmit the security related security mechanism relies on critical event
data or overhead (e.g., initialization vectors reports and cryptographic key distribution.
needed for encryption/decryption), and the Interested readers please refer to Stankovic
energy required to store security parameters (2003) on real-time communications in wire-
in a secure manner (e.g., cryptographic key less sensor networks.
storage).
Uncontrollable Behavior
Data Loss
Depending on the function of the particular sensor
Certainly, unreliable communication is another network, the sensor nodes may be left unattended
threat to sensor security. The security of the net- for long periods of time. There are three main
work relies heavily on a defined protocol, which caveats to unattended sensor nodes:
in turn depends on communication.
• Exposure to physical attacks: The sensor
• Unreliable transfer: Normally the packet- may be deployed in an environment open
based routing of the sensor network is con- to adversaries, bad weather, and so on. The
nectionless and thus inherently unreliable. likelihood that a sensor suffers a physical
Packets may get damaged due to channel attack in such an environment is therefore
errors or dropped at highly congested nodes. much higher than the typical PCs, which is
The result is lost or missing packets. Further- located in a secure place and mainly faces
attacks from a network.
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
0
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
reference point. However, to ensure location party communication, data authentication can be
consistency, an attacking node would also have achieved through a purely symmetric mechanism:
to prove that its distance from another reference the sender and the receiver share a secret key to
point is shorter. Since it cannot do this, a node ma- compute the message authentication code (MAC)
nipulating the localization protocol can be found. of all communicated data.
For large sensor networks, the secure positioning Adrian Perrig et al. (2002) propose a key-chain
for sensor networks (SPINE) algorithm is used. It distribution system for their μTESLA secure
is a three phase algorithm based upon verifiable broadcast protocol. The basic idea of the μTESLA
multilateration. system is to achieve asymmetric cryptography by
Lazos (2005) describes secure range-inde- delaying the disclosure of the symmetric keys. In
pendent localization (SeRLoc). Its novelty is its this case a sender will broadcast a message gener-
decentralized, range-independent nature. SeRLoc ated with a secret key. After a certain period of
uses locators that transmit beacon information. It time, the sender will disclose the secret key. The
is assumed that the locators are trusted and can- receiver is responsible for buffering the packet until
not be compromised. Furthermore, each locator the secret key has been disclosed. After disclosure
is assumed to know its own location. A sensor the receiver can authenticate the packet, provided
computes its location by listening for the beacon that the packet was received before the key was
information sent by each locator. The beacons disclosed. One limitation of μTESLA is that some
include the locator’s location. Using all of the bea- initial information must be unicast to each sensor
cons that a sensor node detects, a node computes node before authentication of broadcast messages
an approximate location based on the coordinates can begin. Liu and Ning (2003, 2004) propose an
of the locators. Using a majority vote scheme, the enhancement to the μTESLA system that uses
sensor then computes an overlapping antenna re- broadcasting of the key chain commitments rather
gion. The final computed location is the centroid than μTESLA’s unicasting technique. They present
of the overlapping antenna region. All beacons a series of schemes starting with a simple prede-
transmitted by the locators are encrypted with a termination of key chains and finally settling on a
shared global symmetric key that is preloaded to multilevel key chain technique. The multilevel key
the sensor prior to deployment. Each sensor also chain scheme uses predetermination and broadcast-
shares a unique symmetric key with each locator. ing to achieve a scalable key distribution technique
This key is also preloaded on each sensor. that is designed to be resistant to denial-of-service
(DoS) attacks, including jamming.
Authentication
Attacks against wsns
An adversary is not just limited to modifying
the data packet. It can change the whole packet Sensor networks are particularly vulnerable
stream by injecting additional packets. So the to several key types of attacks. Attacks can be
receiver needs to ensure that the data used in any performed in a variety of ways, most notably as
decision-making process originate from the cor- denial-of-service attacks, but also through traf-
rect source. On the other hand, when constructing fic analysis, privacy violation, physical attacks,
the sensor network, authentication is necessary and so on. Denial-of-service attacks on wireless
for many administrative tasks (e.g., network sensor networks can range from simply jamming
reprogramming or controlling sensor node duty the sensor’s communication channel to more so-
cycle). From the above, we can see that message phisticated attacks designed to violate the 802.11
authentication is important for many applications MAC protocol (Perrig 2004) or any other layer of
in sensor networks. Informally, data authentication the wireless sensor network.
allows a receiver to verify that the data really are Due to the potential asymmetry in power and
sent by the claimed sender. In the case of two- computational constraints, guarding against a well
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
orchestrated denial-of-service attack on a wireless to exchange messages with, at least, part of the
sensor network can be nearly impossible. A more network. The transport layer is also susceptible
powerful node can easily jam a sensor node and to attack, as in the case of flooding. Flooding can
effectively prevent the sensor network from per- be as simple as sending many connection requests
forming its intended duty. We note that attacks on to a susceptible node. In this case, resources must
wireless sensor networks are not limited to simply be allocated to handle the connection request.
denial-of-service attacks, but rather encompass a Eventually, a node’s resources will be exhausted,
variety of techniques including node takeovers, thus rendering the node useless.
attacks on the routing protocols, and attacks on a
node’s physical security. In this section, we first Traffic Analysis Attacks
address some common denial-of-service attacks
and then describe additional attacking, including Wireless sensor networks are typically composed
those on the routing protocols as well as an identity of many low-power sensors communicating with
based attack known as the Sybil attack. a few relatively robust and powerful base stations.
It is not unusual, therefore, for data to be gathered
Denial-of-Service Attacks by the individual nodes where they are ultimately
routed to the base station. Often, for an adversary
A standard attack on wireless sensor networks is to effectively render the network useless, the at-
simply to jam a node or set of nodes. Jamming, tacker can simply disable the base station. To make
in this case, is simply the transmission of a radio matters worse, Deng et al. (2005) demonstrate
signal that interferes with the radio frequencies two attacks that can identify the base station in
being used by the sensor network (Wood 2002). a network (with high probability) without even
The jamming of a network can come in two forms: understanding the contents of the packets (if the
constant jamming and intermittent jamming. packets are themselves encrypted).
Constant jamming involves the complete jamming A rate monitoring attack simply makes use
of the entire network. No messages are able to be of the idea that nodes closest to the base station
sent or received. If the jamming is only intermit- tend to forward more packets than those farther
tent, then nodes are able to exchange messages away from the base station. An attacker needs
periodically, but not consistently. This too can only to monitor which nodes are sending packets
have a detrimental impact on the sensor network and follow those nodes that are sending the most
as the messages being exchanged between nodes packets. In a time correlation attack, an adversary
may be time sensitive. Attacks can also be made simply generates events and monitors to whom a
on the link layer itself. One possibility is that an node sends its packets. To generate an event, the
attacker may simply intentionally violate the com- adversary could simply generate a physical event
munication protocol, for example, ZigBee or IEEE that would be monitored by the sensor(s) in the
801.11b (Wi-Fi) protocol, and continually transmit area (turning on a light, for instance).
messages in an attempt to generate collisions.
Such collisions would require the retransmission Wormhole Attacks
of any packet affected by the collision. Using this
technique it would be possible for an attacker to In a wormhole attack, an attacker receives pack-
simply deplete a sensor node’s power supply by ets at one point in the network, “tunnels” them
forcing too many retransmissions. At the routing to another point in the network, and then replays
layer, a node may take advantage of a multihop them into the network from that point. For tun-
network by simply refusing to route messages. nelled distances longer than the normal wireless
This could be done intermittently or constantly transmission range of a single hop, it is simple for
with the net result being that any neighbor who the attacker to make the tunneled packet arrive
routes through the malicious node will be unable with better metric than a normal multihop route,
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
for example, through use of a single long-range can imply the position of pandas by monitoring
directional wireless link or through a direct wired the traffic. The main privacy problem, however,
link to a colluding attacker. It is also possible for is not that sensor networks enable the collection of
the attacker to forward each bit over the wormhole information. In fact, much information from sen-
directly, without waiting for an entire packet to sor networks could probably be collected through
be received before beginning to tunnel the bits of direct site surveillance. Rather, sensor networks
the packet, in order to minimize delay introduced aggravate the privacy problem because they make
by the wormhole. Due to the nature of wireless large volumes of information easily available
transmission, the attacker can create a wormhole through remote access. Hence, adversaries need
even for packets not addressed to it, since it can not be physically present to maintain surveil-
overhear them in wireless transmission and tun- lance. They can gather information in a low-risk,
nel them to the colluding attacker at the opposite anonymous manner. Remote access also allows a
end of the wormhole. If the attacker performs this single adversary to monitor multiple sites simulta-
tunneling honestly and reliably, no harm is done; neously (Chan 2003). Some of the more common
the attacker actually provides a useful service in attacks (Chan 2003; Gruteser 2003) against sensor
connecting the network more efficiently. However, privacy are:
the wormhole puts the attacker in a very powerful
position relative to other nodes in the network, and • Monitor and eavesdropping: This is the most
the attacker could exploit this position in a variety obvious attack to privacy. By listening to the
of ways. The attack can also still be performed data, the adversary could easily discover the
even if the network communication provides communication contents. When the traffic
confidentiality and authenticity, and even if the conveys the control information about the
attacker has no cryptographic keys. Furthermore, sensor network configuration, which contains
the attacker is invisible at higher layers; unlike a potentially more detailed information than
malicious node in a routing protocol, which can accessible through the location server, the
often easily be named, the presence of the wormhole eavesdropping can act effectively against the
and the two colluding attackers at either endpoint privacy protection.
of the wormhole are not visible in the route. The • Traffic analysis: Traffic analysis typically
wormhole attack is particularly dangerous against combines with monitoring and eavesdrop-
many ad hoc network routing protocols in which ping. An increase in the number of transmitted
the nodes that hear a packet transmission directly packets between certain nodes could signal
from some node consider themselves to be in range that a specific sensor has registered activity.
of (and, thus a neighbor of) that node. Through the analysis on the traffic, some
sensors with special roles or activities can
Attacks against Privacy be effectively identified.
• Camouflage: Adversaries can insert their
Sensor network technology promises a vast increase node or compromise the nodes to hide in
in automatic data collection capabilities through the sensor network. After that these nodes
efficient deployment of tiny sensor devices. While can masquerade as a normal node to attract
these technologies offer great benefits to users, the packets, then misroute the packets, for
they also exhibit significant potential for abuse. example, forward the packets to the nodes
Particularly relevant concerns are privacy prob- conducting the privacy analysis.
lems, since sensor networks provide increased data
collection capabilities (Gruteser 2003). Adversaries Physical Attacks
can use even seemingly innocuous data to derive
sensitive information if they know how to correlate Sensor networks typically operate in hostile out-
multiple sensor inputs. For example, in the famous door environments. In such environments, the small
“panda-hunter problem” (Ozturk 2004), the hunter form factor of the sensors, coupled with the unat-
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
tended and distributed nature of their deployment, unsuitable in low power devices such as wireless
make them highly susceptible to physical attacks, sensor networks. This is due largely to the fact
that is, threats due to physical node destructions that typical key exchange techniques use asym-
(Wang 2004). metric cryptography, also called public key cryp-
Unlike many other attacks mentioned above, tography. In this case, it is necessary to maintain
physical attacks destroy sensors permanently, so two mathematically related keys, one of which is
the losses are irreversible. For instance, attackers made public while the other is kept private. This
can extract cryptographic secrets, tamper with the allows data to be encrypted with the public key and
associated circuitry, modify programming in the decrypted only with the private key. The problem
sensors, or replace them with malicious sensors with asymmetric cryptography, in a wireless sensor
under the control of the attacker (Wang 2004). network, is that it is typically too computation-
Recent work has shown that standard sensor nodes, ally intensive for the individual nodes in a sensor
such as the MICA2 motes, can be compromised in network. This is true in the general case, however,
less than one minute (Hartung 2004). While these Gaubatz (2004), Gura (2004), Malan (2004), and
results are not surprising given that the MICA2 Watro (2004) show that it is feasible with the right
lacks tamper resistant hardware protection, they selection of algorithms.
provide a cautionary note about the speed of a Symmetric cryptography is therefore the typi-
well-trained attacker. If an adversary compromises cal choice for applications that cannot afford the
a sensor node, then the code inside the physical computational complexity of asymmetric cryptog-
node may be modified. raphy. Symmetric schemes utilize a single shared
key known only between the two communicating
Countermeasures hosts. This shared key is used for both encrypt-
ing and decrypting data. The traditional example
Now we are in a position to describe the measures of symmetric cryptography is data encryption
for satisfying security requirements and protecting standard (DES). The use of DES, however, is
the sensor network from attacks. We start with key quite limited due to the fact that it can be broken
establishment in wireless sensor networks, which relatively easily. In light of the shortcomings of
lays the foundation for the security in a wireless DES, other symmetric cryptography systems have
sensor network, followed by defending against been proposed including triple DES (3DES), RC5,
DoS attacks, secure broadcasting and multicasting, AES, and so on.
defending against attacks on routing protocols, One major shortcoming of symmetric cryptog-
combating traffic analysis attacks, defending raphy is the key exchange problem. Simply put, the
against attacks on sensor privacy, intrusion detec- key exchange problem derives from the fact that
tion, secure data aggregation, defending against two communicating hosts must somehow know the
physical attacks, and trust management. shared key before they can communicate securely.
So the problem that arises is how to ensure that the
key Management fundamentals shared key is indeed shared between the two hosts
who wish to communicate and no other rogue hosts
Key management issues in wireless networks are who may wish to eavesdrop. How to distribute a
not unique to wireless sensor networks. Indeed, shared key securely to communicating hosts is a
key establishment and management issues have nontrivial problem since predistributing the keys
been studied in depth outside of the wireless net- is not always feasible.
working arena. Traditionally, key establishment
is done using one of many public-key protocols. key Establishment
One of the more common is the Diffie-Hellman
public key protocol, but there are many others. One security aspect that receives a great deal of
Most of the traditional techniques, however, are attention in wireless sensor networks is the area
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
of key management. Wireless sensor networks are keys are used depending on whom the sensor node
unique (among other embedded wireless networks) is communicating with. Sensors are preloaded
in this aspect due to their size, mobility, and com- with an initial key from which further keys can
putational/power constraints. Indeed, researchers be established. As a security precaution, the initial
envision wireless sensor networks to be orders of key can be deleted after its use in order to ensure
magnitude larger than their traditional embedded that a compromised sensor cannot add additional
counterparts. This, coupled with the operational compromised nodes to the network.
constraints described previously, makes secure key In PIKE (Chan 2005), Chan and Perrig describe
management an absolute necessity in most wireless a mechanism for establishing a key between two
sensor network designs. Because encryption and sensor nodes that is based on the common trust of
key management/establishment are so crucial to the a third node somewhere within the sensor network.
defense of a wireless sensor network, with nearly The nodes and their shared keys are spread over the
all aspects of wireless sensor network defenses network such that for any two nodes A and B, there
relying on solid encryption, we first begin with an is a node C that shares a key with both A and B.
overview of the unique key and encryption issues Therefore, the key establishment protocol between
surrounding wireless sensor networks before dis- A and B can be securely routed through C.
cussing more specific sensor network defenses. Huang et al. (2003) propose a hybrid key
establishment scheme that makes use of the dif-
WSN Key Management Protocols ference in computational and energy constraints
between a sensor node and the base station. They
Random key predistribution schemes have several posit that an individual sensor node possesses far
variants. Eschenauer and Gligor (2002) propose a less computational power and energy than a base
key predistribution scheme that relies on probabi- station.
listic key sharing among nodes within the sensor In light of this, they propose placing the major
network. Their system works by distributing a key cryptographic burden on the base station where
ring to each participating node in the sensor network the resources tend to be greater. On the sensor
before deployment. Each key ring should consist side, symmetric-key operations are used in place
of a number randomly chosen keys from a much of their asymmetric alternatives. The sensor and
larger pool of keys generated offline. An enhance- the base station authenticate based on elliptic curve
ment to this technique utilizing multiple keys is cryptography. Elliptic curve cryptography is often
described by Chan (2003). Further enhancements used in sensors due to the fact that relatively small
are proposed by Deng (2005) and (Liu 2005) with key lengths are required to achieve a given level
additional analysis and enhancements provided of security.
by Hwang (2004). Using this technique, it is not Huang et al. also use certificates to establish
necessary that each pair of nodes share a key. the legitimacy of a public key. The certificates
However, any two nodes that do share a key may are based on an elliptic curve implicit certificate
use the shared key to establish a direct link to one scheme (Huang et al., 2003). Such certificates are
another. Eschenauer and Gligor show that, while useful to ensure both that the key belongs to a
not perfect, it is probabilistically likely that large device and that the device is a legitimate member
sensor networks will enjoy shared-key connectivity. of the sensor network.
Further, they demonstrate that such a technique Each node obtains a certificate before joining
can be extended to key revocation, rekeying, and the network using an out-of-band interface.
the addition/deletion of nodes. The LEAP protocol
described by Zhu et al. (2003) takes an approach WSN and Public Key Cryptography
that utilizes multiple keying mechanisms. Their
observation is that no single security requirement Two of the major techniques used to implement
accurately suites all types of communication in a public-key cryptosystems are RSA and elliptic
wireless sensor network. Therefore, four different curve cryptography (ECC). Traditionally, these
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
casting strategy. In the simple node broadcasting 2. Developing scalable security mechanisms:
strategy each sensor propagates an authenticated A common practice is to use exaggerated tools
broadcast message throughout the entire sensor of information security, which decrease ef-
network. Any node that receives a conflicting or ficiency and system availability and introduce
duplicated claim revokes the conflicting nodes. This redundancy. Another effect of exaggeration
strategy will work, but the communication cost is of the security mechanisms is increasing
far too expensive. In order to reduce the commu- the system complexity, which later influ-
nication cost, a deterministic multicast could be ences implementation of a given project in
employed where nodes would share their locations practice, especially increasing expenses and
with a set of witness nodes. In this case, witnesses decreasing efficiency. The solution of this
are computed based on a node’s ID. In the event inconsistency seems to be the introduction
that a node has been replicated on the network, of scalable security model, which can change
two conflicting locations will be forwarded to the the security level depending on particular
same witness who can then revoke the offending conditions of a given case. In this chapter
nodes. But since a witness is based on a node’s ID, a mechanism, which can modify the level
it can easily be computed by an attacker who can of information security for each phase of a
then compromise the witness nodes. Thus, securely protocol, is presented. Parameters, which
utilizing a deterministic multicast strategy would influence modification of the security level,
require too many witnesses and the communica- are the risk of successful attack, probability
tion cost would be too high. of successful attack, and some measures of
independence (leading to completeness) of
security elements. The used security ele-
futurE trEnds ments, which take care of the protection of
information, are based mainly on PKI serv-
Research on WSN security is still in infancy. Many ices and cryptographic modules.
key issues have not been sufficiently detailed or 3. Securing hybrid broadband wireless
have even remained unexplored. In the near future, sensor networks (HBWSNs): High-speed
advanced security features may be built into the WSNs begin to be widely used in different
sensor nodes available in the market. While their applications. Securing the corresponding
prospects look shiny, these security functionalities flows encompasses the development of novel
have surprisingly received little attention from the concepts that do not rely on thorough inspec-
research community. In the following, we describe tion of the transmitted packets but rather on
the most interesting (in our sense) WSN-related the control of a set of relevant samples that
research aspects. are representative with respect to the total
flow.
1. Building security policies for WSNs: Due to 4. Defining secure correlation functions: Two
their ad hoc topology, WSNs can not conform novels aspects are being investigated in the
to traditional rigid security policies. WSN- field of WSN security: blind correlation and
oriented security policies should be flask recursive signature. The first consists in cor-
enough to support the continuously modified relating encrypted events without revealing
network constituency and structure. The their content in order to optimize the use of
WSN architecture should therefore be flexible networking and processing resources. The
in their support of security policies, provid- second is applicable when, within a transmis-
ing sufficient mechanisms for supporting the sion chain, a set of nodes recursively sign
wide variety of real-world security policies. the event. This is a particularly challenging
Appropriate formalisms to build, model, problem in the WSN context because the
validate, verify, and test such architectures intermediary nodes are resource-impover-
should be evolved. ished.
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
Journal, Special Issue on Sensor Network Appli- Wang, X. G., W. Schosek, K., Chellappan, S., &
cations and Protocols, 1(2-3), 293-315. Xuan, D. (2004). Sensor network configuration
under physical attacks. D. o. C. S. a. engineering.
Lazos, L. P., & R. (2005). SERLOC: Robust
Ohio-State University. Retrieved October 9, 2007,
localization for wireless sensor networks. ACM
from www.springerlink.com/index/E5T6KWNK-
Transactions on Sensor Networks, 1(1), 73-100.
MABWR672.pdf
Liu, D. N., & P. (2003). Efficient distribution of key
Watro, R. K., D. Cuti, S., Gardiner, C., Lynn, C.,
chain commitments for broadcast authentication.
& Kruus, P. (2004). TinyPK: Securing sensor net-
Paper presented at the10th Annual Network and
works with public key technology. Paper presented
Distributed System Security Symposium, San
at the 2nd ACM Workshop on Security of Ad hoc
Diego.
and Sensor Networks, New York. ACM Press.
Liu, D. N., & P. (2004). Multilevel µTesla: Brodcast
Wood, A. D. S., & J. A. (2002). Denial of service
authentication for distributed sensor networks.
in sensor networks. Computer, 35(10), 54-62.
Transactions on Embedded Computing Systems,
3(4), 800-836. Zhu, S. S., S., & Jajodia, S. (2003). LEAP: Efficient
security mechanisms for large-scale distributed
Liu, D. N., P., & Li, R. (2005). Establishing pair-
sensor networks. Paper presented at the 10th ACM
wise keys in distributed sensor networks. ACM
Conference on Computer and Communications
Transactions on Information Systems Security,
Security, New York. ACM Press.
8(1), 41-47.
Malan, D. J. W., M., & Smith, M. D. (2004). A
public-key infrastructure for key distribution in Ti- kEy tErMs
nyOS based on elliptic-curve cryptography. Paper
presented at the 1st Annual IEEE Communications Camouflage: Adversaries can insert their node
Society Conference on Sensor and Ad Hoc Com- or compromise the nodes to hide in the sensor net-
munications and Networks, Santa Clara, CA. work. After that these nodes can masquerade as a
normal node to attract the packets, then misroute
Ozturk, C. Z., Y., & Trappe, W. (2004). Source-
the packets.
location privacy in energy-constrained sensor
network routing. Paper presented at the 2nd ACM Denial-of-Service Attack: An attack aiming
Workshop on Security of Ad Hoc and Sensor at disrupting the acquisition of information within
Networks, New York. a geographical zone or preventing the communi-
cation of alert and signalling messages between
Parno, B. P., A., & Gligor, V. (2005). Distributed
sensor nodes.
detection of node replication attacks in sensor
networks. Paper presented at the IEEE Symposium Key Management: Process of generating,
on Security and Privacy, Oakland, CA validating, exchanging, and renewing asymmetric
and symmetric keys.
Perrig, A. S., R. Tygar, J. D., Wen, V., & Culler,
D. E. (2002). SPINS: Security protocols for sensor Rate Monitoring Attack: A rate monitoring
networks. Wireless Networking, 8(5), 521-534. attack simply makes use of the idea that nodes clos-
est to the base station tend to forward more packets
Perrig, A. S., J., & Wagner, D. (2004). Security in
than those farther away from the base station.
wireless sensor networks. Communications ACM,
47(6), 53-57. Wireless Sensor Network (WSN): Dense col-
lection of tiny sensor motes deployed in a region
Stankovic, J. A. (2003). Real-time communication
of interest to gather information about a specific
and coordination in embedded sensor networks.
phenomenon for later analysis. WSNs allow ef-
Proceedings of the IEEE, 91(7).
0
Security and Privacy in Wireless Sensor Networks: Challenges and Solutions
ficient, distributed, and collaborative control of network, “tunnels” them to another point in the
various natural and human events. network, and then replays them into the network
from that point.
Wormhole Attack: In a wormhole attack,
an attacker receives packets at one point in the
Chapter XXXVI
Routing Security in Wireless
Sensor Networks
A.R. Naseer
King Fahd University of Petroleum & Minerials, Dhahran
Ismat K. Maarouf
King Fahd University of Petroleum & Minerials, Dhahran
Ashraf S. Hasan
King Fahd University of Petroleum & Minerials, Dhahran
AbstrAct
Since routing is a fundamental operation in all types of networks, ensuring routing security is a necessary
requirement to guarantee the success of routing operation. Securing routing task gets more challenging
as the target network lacks an infrastructure-based routing operation. This infrastructure-less nature that
invites a multihop routing operation is one of the main features of wireless sensor networks that raises
the importance of secure routing problem in these networks. Moreover, the risky environment, application
criticality, and resources limitations and scarcity exhibited by wireless sensor networks make the task
of secure routing much more challenging. All these factors motivate researchers to find novel solutions
and approaches that would be different from the usual approaches adopted in other types of networks.
The purpose of this chapter is to provide a comprehensive treatment of the routing security problem in
wireless sensor networks. The discussion flow of the problem in this chapter begins with an overview
on wireless sensor networks that focuses on routing aspects to indicate the special characteristics of
wireless sensor networks from routing perspective. The chapter then introduces the problem of secure
routing in wireless sensor networks and illustrates how crucial the problem is to different networking
aspects. This is followed by a detailed analysis of routing threats and attacks that are more specific to
routing operation in wireless sensor networks. A research-guiding approach is then presented to the
reader that analyzes and criticizes different techniques and solution directions for the secure routing
problem in wireless sensor network. This is supported by state-of-the-art and familiar examples from the
literature. The chapter finally concludes with a summary and future research directions in this field.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Routing Security in Wireless Sensor Networks
Routing Security in Wireless Sensor Networks
be presented. These differences are explained in a whether the solution will prevent the attack or avoid
way that emphasizes to the reader how they make it after detection. This section gives a comparison
WSN an independent research target as compared between these approaches based on the severity
with MANET. of the threats and WSN conditions and resources
Section 3, being the routing security section, availability. In this section, cryptographic-based
defines precisely the problem of secure routing in and noncryptographic-based approaches will be
general. This section will discuss the requirements discussed and the tradeoffs with resources will
for secure routing in WSN. This will be followed by also be analyzed. Examples of such solutions will
the challenges and constraints in WSN to achieve be provided with a focus on how these solutions
secure routing. After the reader understands the meet secure routing goals and what drawbacks
routing security problem in WSN, the reader will they exhibit. Reputation-based solution will be
be given a critical discussion about the importance discussed as a detection approach by presenting
of this problem. This will also include an explana- the general concept of reputation systems, fol-
tion of the relationship between routing security lowed by suggestions and approaches in reputation
and different network aspects like survivability, system solutions that can fit WSN secure routing
connectivity and network partitioning, throughput, requirements.
packet delay, and so forth.
Section 4 on routing attacks and threats presents
in brief the different possible communication mod- bAckground
els and trust relationships between WSN nodes that
a threat will be based on. It will clearly show how wireless sensor network overview
researcher assumptions on nodes communication
models and nodes relationships will impact the WSN is an ad hoc-like deployment of a large number
security analysis. In this section, the reader will of sensor nodes that are intended to monitor and
be provided with a global picture of the approaches communicate information pertaining to a phe-
and techniques that are used by the attackers. This nomenon or an event of interest. The deployment
will also include a discussion of the holes and is either random or utilizes predetermined loca-
weakness points that are exploited to achieve such tions near or inside the phenomenon. The typical
attacks. Some examples of famous attacks will be deployment scenario of WSN is depicted in Figure
given with explanation. The explanation will focus 1, where a number of sensor nodes are scattered in
on how the attack works by exploiting the routing the sensor field. The sensor nodes collect data from
protocol aspects. Thus, the section will also show the field and route the data through the multihop
the robustness level that is provided by different structure of the network to a specialized node
routing protocols. How we can think secure and referred to as the sink or base station. Finally, the
provide robust solutions against routing attacks sink may communicate the raw data or a processed
and threats will be the subject of this section. The version to the end-user utilizing an infrastructure
section gives examples of how an attack can be network such as the Internet.
prevented or detected as a tip for a more general
approach. Applications of wsn
Section 5, “Routing Security Solutions and
Techniques,” explains the objectives to be met Due to the versatility and flexibility of WSN, it has
when developing a routing security solution. These found many applications especially in situations
security objectives are explained under the lights where direct probing or measurement of the event
of WSN constraints. Thus, the reader will be aware of interest is either costly or risky. WSNs facilitate
of the tradeoffs that should be considered in the many applications including:
design. A first step in the solution design is to decide
Routing Security in Wireless Sensor Networks
Sensor node
User
Routing Security in Wireless Sensor Networks
processed to produce beneficial informa- processing and memory units of sensor nodes are
tion. still scarce resources. For instance, the processing
• Communication: Every node should be able unit of a smart dust mote prototype is a 4 MHz
to communicate and exchange raw data or Atmel AVR8535 micro-controller with 8 KB in-
processed information among them. struction flash memory, 512 bytes RAM, and 512
bytes EEPROM (Perrig, Szewezyk, Wen, Culler,
To accomplish the above tasks, the sensor node & Tygar, 2001). TinyOS operating system is used
comprises of four main components: the control- on this processor, which has 3500 bytes OS code
ler/memory module, the power supply module, the space and 4500 bytes available code space.
RF transceiver module, and the sensors/actuators
module. In addition, the sensor unit may optionally Power supply module: One of the most im-
contain two other modules, namely, the position portant components of a sensor node is the power
finding module and the mobilizer module. While unit. Since the sensor nodes are often inaccessible,
the former module is sometimes needed to deter- power is considered a scarce resource and the life-
mine the location of the node, the latter allows time of a sensor network depends on the lifetime
mobilizing the node to carry out certain tasks in of the power resources of the nodes. Power is also
the field of interest. The brief description of these a scarce resource due to the size limitations. For
modules of a sensor node is presented next. instance, the total stored energy in a smart dust
mote is of the order of 1 J (Pottie & Kaiser, 2000).
Controller/memory module: The controller It is possible to extend the lifetime of the sensor
consists of a processor and a memory system. The networks by energy scavenging, which means
processor manages the procedures that make the extracting energy from the environment. Solar
sensor node collaborate with the other nodes to cells are an example for the techniques used for
carry out the assigned sensing tasks. The memory energy scavenging.
system stores data, software, and application pro-
grams required to run the node. Though the higher Radio transceiver module: The radio trans-
computational powers are being made available in ceiver unit is responsible for connecting the node
smaller and smaller processors and controllers, to the network.
Figure 2. Wireless sensor network: (a) node structure, and (b) protocol stack
Application Layer
Mobility Management
Controller
RF Sensor/
ADC
Transceiver Actuator
Power Management
Memory
Transport Layer
Network Layer
Power
Power unit
generator
Data Link/MAC Layer
Typical module
Physical Layer
optional module
(a) (b)
Figure 2: Wireless sensor network: (a) node structure, and (b) protocol stack.
Routing Security in Wireless Sensor Networks
Node population: Typically the number of Addressing and identification: WSN nodes
nodes deployed in a WSN is orders of magnitude usually do not possess a unique identification ID as
greater than the number of nodes in a MANET. opposed to ad hoc node in a MANET where every
This is of course a function of the application node is identified by its media access control (MAC)
and the sensor field. In addition, wireless sensor address or the Internet address. Nodes within a
nodes usually have shorter communication range sensor field organize and establish a mechanism to
compared to their counterparts in MANET. This identify adjacent nodes and perform the required
implies that the deployment density for sensor functionality.
nodes may be significantly higher than that for
the MANET.
Routing Security in Wireless Sensor Networks
Routing Security in Wireless Sensor Networks
ent disadvantage of insecure wireless communi- Considering the above modified model, the
cation, limited node capabilities, possible insider attacks can be categorized as passive and active
threats, and the stronger attacker has the all-time attacks. In passive attacks, eavesdropper can
advantage of possessing powerful laptops with high continuously monitor the whole sensor network
energy and long range communication to launch and can launch two types of passive attacks: (i)
severe attack to the network. Most of the routing cipher text attack wherein given the cipher text,
protocols have not been designed with security as the adversary tries to recover the encryption key,
a goal. All of the proposed network routing pro- and (ii) chosen plain text attack wherein the at-
tocols in the literature are more prone to attacks. tacker can feed the sensor with known data and
Attackers can attract or repel traffic flows, increase then observe the encrypted message sent by the
latency, or disable the entire network, sometimes sensor. In active attacks, the attacker can capture a
with little effort. sensor, stealing all the information and keys stored
in the sensor. Hence, providing, maintaining, and
threat Models ensuring proper confidentiality and authenticity of
data is a paramount importance within the limited
In order to define a robust security model, specifica- inherent constraints of the underlying wireless
tion of both the security requirements and the threat sensor networks.
model are required. The security requirements Sensor network attackers can be classified into
identify the properties that have to be enforced two categories depending upon their capabilities
and the initial assumptions. The threat model (Karlof & Wagner, 2003). They are mote-class
formulates the hypothesis regarding the attacker’s attacker and laptop-class attacker.
capabilities and its possible behavior. A common Mote-class attacker has access to a few ordinary
assumption is that the attacker is compliant with sensor nodes with lesser capability and might only
the Dolev-Yao threat model (Dolev & Yao, 1983) be able to jam the radio link in its immediate vicin-
which is often used to formally analyze crypto- ity. They have limited range and cannot eavesdrop
protocols in communication networks. According on entire network, moreover, cannot coordinate
to this model, when two communicating parties their efforts to bring down the network.
communicate over an insecure channel, the attacker Laptop-class attacker has access to more power-
can gain control over the communication network ful devices like laptops with greater battery power,
to perform the following actions: more capable processor, a high-power transmitter,
and a sensitive antenna. These attackers might be
• Over hear the messages between the parties, able to jam the entire network using a stronger
intercept them, and prevent their delivery to transmitter and might be able to eavesdrop on an
the intended recipient. entire network. Laptop-class attackers might pos-
• Introduce forged messages into the system sess a high bandwidth, low-latency communication
using all the available information. channel invisible to legitimate sensor nodes thereby
setting up separate channels to allow such attackers
But this threat model also assumes that the end to communicate and coordinate their efforts.
nodes are not themselves subject to attack. In order Further, sensor network attacks can be classified
to take into account the distinguishing feature of as outsider (external) attacks and insider (internal)
WSNs that the sensors may be unattended and end attacks. Outsider attacks are launched by outsiders
nodes cannot, in general, be trusted, the following who have no special or legitimate access to the
more powerful action is required to be included sensor network, that is, they do not have authentic
in the model: keying material to participate in network operations
as legitimate nodes. Insider attacks occur when
• An attacker can capture a sensor node and an authorized participant in the sensor network
acquire all the information stored within it. has gone bad or compromised. The insider attack
Routing Security in Wireless Sensor Networks
may be mounted from either compromised sen- we consider tactical military network deployment
sor nodes running a malicious code or attackers for war-field surveillance, whereas for noncritical
using laptop-class devices to attack the network commodity, sensor networks a less strong threat
after stealing the key material, code and data from model may suffice.
legitimate nodes. Outsider attackers, once in full A new threat model to communication confiden-
control of certain nodes, can become insider ones tiality in WSNs termed as “smart attacker model” is
able to launch more subtle attacks. Insider attacks introduced by Di Pietro, Mancini, and Mei (2006).
are generally more difficult to defend against than All the random-key predeployment schemes (see
the outsider ones because of their possession of section 5 for detailed discussion) proposed in the
keying material. literature use an oblivious attacker model that at
In most of the threat models proposed in the each step the attack sequence randomly chooses
literature, it is assumed that the environments a sensor node to tamper without taking advantage
in which the sensors deployed are risky and un- of the information regarding the keys acquired
trusted. Each sensor trusts itself, but sensors do during the previous attacks. Contrary to this, the
not trust each other. Further, it is assumed that all smart attacker model greedily uses the previous
the compromised sensors in the sensor network attacks keys acquired information to choose the
are compromised by the same attacker and thus best sensor to tamper with in order to compromise
collude to compromise the network. The attacker the communication confidentiality. This reduces
may compromise multiple sensor nodes in the net- greatly the level of communication confidentiality
work, and there is no upper bound on the number of provided by all the random key predeployment
compromised nodes. However, the attacker cannot schemes
compromise the base station, also termed as sink,
which is typically resourceful and well protected. routing Attacks and Examples
Once a sensor node is compromised, all the secret
keys, data, and code stored on it are exposed to Any event that decreases or eliminates a network’s
the attacker. The attacker can load a compromised capacity to perform its expected function is termed
node with secret keys obtained from other nodes, as a denial-of-service attack or commonly known
termed as collision, among compromised nodes. In as a DoS attack (Wood & Stankovic, 2002). Some
other words, the goal of the attacker is to uncover of the major causes for DoS attacks are hardware
the keys used in the system in order to disrupt failures, software bugs, resource exhaustion, ma-
the network operation. In order to achieve this, licious attacks, and environmental conditions. A
the attacker compromises individual nodes and significant challenge in securing large sensor net-
fosters collusion among nodes. The main objective works is their inherent self-organizing, decentral-
of node collusion is to incrementally aggregate the ized nature. Many of the network deployments are
uncovered keys of individual nodes to a level that vulnerable to immensely more powerful attackers.
all encrypted traffic in the network is completely Considering the layered network architecture of
revealed. It is also assumed that the attacker can- sensor networks depicted in Figure 2(b), the DoS
not successfully compromise a node during the vulnerabilities to the first four layers of the stack
sensor deployment phase which is short, that is, can be identified (Wood & Stankovic, 2002) as:
the interval of tens of seconds when each sensor
bootstraps itself, during which the sensor nodes • Physical layer attacks: The most common
obtain their location information and derive few attacks to the physical layer of a WSN are
keys. Indeed, such attacks can be prevented in jamming and node physical tampering.
many of the real-life scenarios when appropriate • Data link layer attacks: Collisions, unfair-
network planning and deployment are carried out ness, or exhaustion of resources are the at-
to keep away attackers during the bootstrapping tacks that can be launched against the data
process. However, it should be noted that stronger link layer of a sensor network.
threat (attacker) models need to be applied when
0
Routing Security in Wireless Sensor Networks
• Network layer attacks: The possible rout- For example, since routing updates are not
ing layer attacks are routing information authenticated in a TinyOS beaconing protocol, it
spoofing, alteration or replay, blackhole is possible for any malicious node to claim itself
and selective forwarding attacks, sinkhole to be a base station and become the destination
attacks, Sybil attacks, wormhole attacks, of all traffic in the network. Mote class attackers
HELLO flood attacks, and acknowledgement can create very easily routing loops by spoofing
spoofing. routing updates. In GPSR, an adversary can forge
• Transport layer attacks: The most common location advertisements to create routing loops in
attacks to transport layer are flooding attacks data flows without having to actively participate
and desynchronization attacks. in packet forwarding.
Since our main focus in this chapter is towards Black hole and selective forwarding attack:
routing security, a detailed discussion on network Multihop networks basically work on the assump-
layer or routing attacks will be presented next. tion that nodes will participate faithfully in the
Sensor network routing attacks can be classified forwarding of the received messages. In a blackhole
into the following categories (Karlof & Wagner, attack, a malicious node refuses to forward every
2003): packet it receives thereby behaving like a block hole.
In a selective forwarding attack, a malicious node
• Routing information spoofing, alteration or selectively forwards the packets, that is, a mali-
replay cious node may refuse to forward certain messages
• Blackhole and selective forwarding attacks and simply drop them thereby ensuring that these
• Sinkhole attacks packets are not propagated any further. The mali-
• Sybil attacks cious node interested in suppressing or modifying
• Wormhole attacks the packets originating from a few selected nodes
• HELLO flood attacks can reliably forward the remaining traffic thereby
• Acknowledgement spoofing limiting the suspicion of its misbehavior. In order
to launch a selective forwarding attack effectively,
Routing information spoofing, alteration, the attacker must follow the path of least resistance
or replay: Targeting the routing information ex- and attempt to include explicitly the attacker’s self
changed between the nodes is the most direct attack on the actual path of the data flow.
against a routing protocol. By spoofing, altering,
or replaying routing information, an attacker can Most of the sensor network routing protocols
disrupt the network by creating routing loops, at- such as TinyOS beaconing, directed diffusion
tracting or repelling network traffic, extending or and its multipath variant, geographic routing
shortening source routes, generating false error (e.g., GPSR, GEAR), minimum cost forwarding,
messages, partitioning the network, or increasing clustering-based protocols (e.g., LEACH, TEEN,
the end-to-end latency. PEGASIS), and rumor routing, are highly prone
to selective forwarding attacks.
Most of the sensor network routing protocols For example, In LEACH protocol, nodes choose
such as TinyOS beaconing, directed diffusion a cluster-head based on received signal strength. A
and its multipath variant, geographic routing laptop-class attacker can take advantage of this to
(e.g., GPSR, geographic and energy aware routing send a powerful advertisement to all nodes in the
[GEAR]), minimum cost forwarding, rumor rout- network in order to mount a selective forwarding
ing, energy conserving, and topology maintenance attack on the entire network using a small number
protocols (e.g., SPAN, GAF, CEC, AFECA) are of nodes if the target number of cluster-heads or
prone to bogus routing information attacks. the size of the network is sufficiently small.
Routing Security in Wireless Sensor Networks
Sinkhole attacks: In a sinkhole attack, the goal traffic in the surrounding area if alternate routes
of the attacker is to attract nearly all the traffic are significantly less attractive. This will be the
from a particular region through a compromised case always when the endpoint of the wormhole
node, thereby creating a metaphorical sinkhole is relatively far from a base station. Wormholes
with the attacker at the center. Sinkhole attacks are normally used in combination with selective
typically work by making a compromised node forwarding. Detection becomes potentially difficult
appear especially attractive to surrounding nodes when used in conjunction with the Sybil attack.
with respect to the routing algorithm.
Most of the sensor network routing protocols
Most of the sensor network routing protocols such as TinyOS beaconing, directed diffusion
such as TinyOS beaconing, directed diffusion and and its multipath variant, minimum cost forward-
its multipath variant, minimum cost forwarding, ing, and rumor routing are prone to wormhole
and rumor routing are prone to sinkhole attacks attacks
For example, a laptop-class attacker with a For example, protocols that construct a topology
powerful transmitter can actually provide a high initiated by a base station are most susceptible to
quality route by transmitting with enough power wormhole and sinkhole attacks. A wormhole is
to reach the base station in a single hop. Because most effective when used to create sinkholes or
of this high quality route through the compromised artificial links that attract traffic. In sensor network
node, each neighboring node of the adversary will employing TinyOS beaconing protocol, a power-
forward packets destined for a base station through ful laptop-class attacker can launch a combined
the adversary and also propagate the attractiveness wormhole/sinkhole attack.
of the route to its neighbors. Due to the specialized
communication pattern used, hierarchical sensor Sybil attacks: In a sybil attack, a single node
networks are highly susceptible to sinkhole attacks. presents multiple identities to other nodes in the
In hierarchical sensor networks, all packets share network. An attacker can advertise multiple bogus
the same ultimate destination, that is, a base station; nodes surrounding each target in a circle or sphere
a compromised node is required only to provide a region, each claiming to have maximum energy.
single high quality route to the base station in order Most of the sensor network routing protocols
to attract a potentially large number of nodes. such as TinyOS beaconing, directed diffusion
and its multipath variant, geographic routing
Wormhole attacks: In the wormhole attack, an (e.g., GPSR, GEAR), rumor routing, and energy
attacker tunnels messages received in one region conserving and topology maintenance protocols
of the network over a low-latency link and replays (e.g., SPAN, GAF, CEC, AFECA) are prone to
them in a different region. Wormhole attacks more Sybil attacks
commonly involve two distant malicious nodes
colluding to understate their distance from each For example, Sybil attacks pose a significant
other by relaying packets along an out-of-bound threat to geographic routing protocols. Location
channel available only to the attacker. An adver- aware routing often requires nodes to exchange
sary situated close to a base station may be able to coordinate information with their neighbors to ef-
completely disrupt routing by creating a well-placed ficiently route geographically addressed packets. It
wormhole. An adversary could convince nodes is only reasonable to expect a node to accept but a
who would normally be multiple hops from a base single set of coordinates from each of its neighbors,
station that they are only one or two hops away via but by using the Sybil attack an adversary can be
the wormhole. This can create a sinkhole since the in more than one location at once. GEAR tries to
adversary on the other side of the wormhole can distribute the responsibility of routing based on
artificially provide a high quality route to the base remaining energy, so an appropriate attack would
station thereby drawing through it potentially all be to always advertise maximum energy as well.
Routing Security in Wireless Sensor Networks
HELLO flood attacks: In many routing cost zero powerful enough to be received by every
protocols, nodes broadcast HELLO packets to node in the network. In LEACH protocol, nodes
announce their presence to their neighbors, and choose a cluster-head based on received signal
a node receiving such a packet may assume that strength. A laptop-class attacker can take advantage
it is within the normal radio range of the sender. of this to make every node choose the attacker as
This assumption can be exploited by a laptop-class its cluster-head by using the HELLO flood attack
attacker by broadcasting routing and other infor- to send a powerful advertisement to all nodes in
mation with large enough transmission power in order to disable the entire network.
order to convince every node in the network that
the adversary is its neighbor. The HELLO flood Acknowledgement spoofing: Several sensor
attack uses a single hop broadcast to transmit a network routing algorithms that rely on implicit
message to a large number of receivers. or explicit link layer acknowledgements are sus-
ceptible to acknowledgement spoofing. Due to the
For example, an attacker advertising a very inherent broadcast medium, an attacker can spoof
high-quality route to the base station to every node link layer acknowledgements for “overheard”
in the network can cause a large number of nodes packets addressed to the neighboring nodes with
to attempt to use this route, but those nodes suf- the main objective to convince the sender that
ficiently far away from the attacker will be sending a weak link is strong or that a dead or disabled
their messages into oblivion thereby putting the node is alive.
network in a state of confusion. An attacker does not
necessarily need to be able to construct legitimate For example, a routing protocol may select the
traffic in order to use the HELLO flood attack. The next hop in a path using link reliability. A subtle
attacker can simply rebroadcast overhead packets way of manipulating such a scheme is to artificially
with enough power to be received by every node in reinforce a weak or dead link. Since packets sent
the network. HELLLO floods can also be thought along weak or dead links are lost, an adversary can
of as one-way, broadcast wormholes. effectively mount a selective forwarding attack us-
Most of the sensor network routing protocols ing acknowledgement spoofing by encouraging the
such as TinyOS beaconing, directed diffusion and target node to transmit packets on those links.
its multipath variant, minimum cost forwarding,
clustering-based protocols (e.g., LEACH, TEEN, countermeasures Against routing
PEGASIS), and energy conserving and topology Attacks
maintenance protocols (e.g., SPAN, GAF, CEC,
AFECA) are prone to HELLO Flood attacks. Countermeasures against outsider attacks: The
For example, in sensor network employing Ti- majority of outsider attacks against sensor network
nyOS beaconing protocol, a laptop-class attacker routing protocols can be prevented by simple link
with a powerful transmitter can launch a HELLO layer encryption and authentication using a glob-
flood attack to broadcast a routing update powerful ally shared key. Link layer acknowledgements can
enough to reach the entire network thereby caus- also be authenticated. In this case, Sybil attack is
ing every node to mark the attacker as its parent. no longer relevant since nodes are unwilling to
Most nodes will be likely out of normal radio range accept a single identity of the attacker. The major-
of both a true base station and the attacker. The ity of selective forwarding and sinkhole attacks
network is crippled as the majority of the nodes are not possible because the attacker is prevented
are stranded sending packets into oblivion. from joining the network. Although an attacker
In a sensor network employing minimum cost is prevented from joining the network, nothing
forwarding protocol, a laptop-class attacker can prevents the attacker from using a wormhole to
use the HELLO flood attack to disable the entire tunnel packets sent by legitimate nodes in one
network by transmitting an advertisement with part of the network to legitimate nodes in another
Routing Security in Wireless Sensor Networks
part to convince them that they are neighbors or by establishing a shared key after verifying each
amplifying an overheard broadcast packet with other’s identity to implement an authenticated and
sufficient power to be received by every node in encrypted link between them.
the network.
Wormhole and sinkhole attacks: Wormhole
Countermeasures against insider attacks: and sinkhole attacks are the hardest attacks to de-
In the presence of insider attacks or compromised fend against, especially when the two are used in
nodes, link layer security techniques using a glob- combination. Wormholes are hard to detect because
ally shared key proves completely useless. Insiders they use a private, out-of-band channel invisible
can attack the network by spoofing or injecting to the underlying sensor network. Sinkholes are
bogus routing information, creating sinkholes, difficult to defend against in protocols that use
selectively forwarding packets, using Sybil at- advertised information such as remaining energy
tack, and broadcasting HELLO floods. More or an estimate of end-to-end reliability to construct
sophisticated defense mechanisms are needed to a routing topology because this information is hard
provide reasonable protection against wormholes to verify. Geographic routing protocols, however,
and insider attacks. are resistant to these attacks because messages
are routed towards the physical location of the
We present some of the countermeasures sug- base station. False links will be detected by the
gested in the literature (Karlof & Wagner, 2003; neighboring nodes that figure out that the physical
Mun & Shin, 2005) for routing attacks discussed distance of an advertised route exceeds the radio
in section 4.2. Note that the full effectiveness of signal range of motes. Though geographic routing
these suggested countermeasures are yet to be can be relatively secure against wormhole, sink-
proven. hole, and Sybil attacks, a major problem lies with
the trustworthiness of the location information
Selective forwarding: The countermeasure advertised from neighboring nodes. Probabilistic
used against selective forwarding attacks is to selection of a next hop from several acceptable
introduce redundancy to the network in the form destinations or multipath routing to multiple base
of multipath routing. In this case, “n” disjoint stations can tackle this problem to some extent.
paths are required to protect completely against
selective forwarding attacks involving at most A technique for detecting wormhole attacks
“n” compromised nodes, which is very difficult known as “packet leashes” is presented by Hu,
to create. The use of multiple braided paths (i.e., Perrig, and Johnson (2003) for MANETs. A leash
paths having common nodes but no common links) is any information that is added to a packet de-
may provide probabilistic protection against selec- signed to restrict the packet’s maximum allowed
tive forwarding. Allowing nodes to dynamically transmission distance. There are two types of
choose a packet’s next hop probabilistically from leashes: geographical leash and temporal leash.
a set of possible candidates can further reduce the A geographical leash ensures that the recipient of
chances of an attacker gaining complete control the packet is within a certain distance from the
of a data flow. sender. A temporal leash ensures that the packet
has an upper bound on its lifetime, which restricts
Sybil attack: An insider attacker can participate the maximum travel distance. Either type of leash
in the network by using the identities of the nodes can prevent wormhole attack because it allows the
the attacker has compromised. The countermeasure receiver of a packet to detect if the packet has trav-
here is to verify the identities of the participating eled further than the leash allows. But it requires
nodes. One solution is to have every node share a extremely tight time synchronization and is thus
unique symmetric key with a trusted base station. infeasible for most sensor networks. The best
Two nodes can then communicate with each other solution is to carefully design routing protocols
Routing Security in Wireless Sensor Networks
which avoid routing race conditions and make When the network size is limited or topology
these attacks less meaningful. is well-structured or controlled, global topology
knowledge can be leveraged in security mecha-
HELLO flood attacks: The simplest coun- nisms. Drastic or suspicious changes to the topology
termeasure against HELLO flood attacks is to might indicate a node compromise, and appropriate
verify the bidirectionality of a link before taking action can be taken.
meaningful action based on a message received Countermeasures such as link-layer encryp-
over that link. However, this countermeasure is less tion and authentication, multipath routing, iden-
effective when an attacker has a highly sensitive tity verification, bidirectional link verification,
receiver as well as a powerful transmitter. Such an and authenticated broadcast can protect sensor
attacker can effectively create a wormhole to every network routing protocols against outsiders, bo-
node within the range of its transmitter/receiver. gus routing information, Sybil attacks, HELLO
One possible solution to this problem is for every floods, and acknowledgement spoofing and it is
node to authenticate each of its neighbors with an possible to augment existing protocols with these
identity verification protocol using a trusted base mechanisms. Sinkhole attacks and wormhole at-
station. In such a case, adversary is required to tacks pose significant challenges to secure rout-
authenticate itself to every victim before it can ing protocol design, and it is unlikely that there
mount an attack; an attacker claiming to be a exists effective countermeasures against these
neighbor of an unusually large number of the nodes attacks that can be applied after the design of the
will raise an alarm. protocol has completed. Hence, it is very crucial
to design routing protocols by considering these
Acknowledgement spoofing: The most obvi- attacks initially in the design so that with proper
ous solution to this problem would be authentication implementation of various security mechanisms,
via encryption of all sent packets and also packet that is, robust countermeasures, these attacks can
headers. Since base stations are trustworthy, attack- become ineffective.
ers must not be able to spoof broadcast or flooded
messages from any base station. This requires
some level of asymmetry wherein no node should routIng sEcurIty solutIons
be able to spoof messages from a base station; at And tEcHnIquEs
the same time every node should be able to verify
them. Authenticated broadcast is also useful for security goals
localized node interactions.
Security problems in WSN at the network layer can
The clustering algorithms used for WSNs rely be related to router identity and router behavior.
on the honesty of all participating nodes, allowing Theses two issues highlight two main tasks when
a malicious node to generate false information to we consider designing a secure routing solution.
ensure its selection as cluster head thereby allowing
an adversary to launch a sleep deprivation attack. To • Securing packet content: This task is
counteract this, Pirretti, Zhu, Narayanan, McDan- concerned with identity related security
iel, Kandemir, and Brooks (2005) proposes three problems. The goal of this task is to assure
separate defense mechanisms, the random vote that the packet is not accessed by unauthor-
scheme (randomizing the cluster head selection), ized nodes as it travels from the source to the
the round robbin scheme (cluster head selection in destination. This task can be achieved if we
a round robbin fashion), and the hash-based cluster can provide the following services:
head selection scheme (dynamic clustering) to form ° Data confidentiality: In this service,
clusters and the selection of cluster heads. only the destination node should be able
to access the packet content initiated
Routing Security in Wireless Sensor Networks
from the source node. Any intermediate • The solution should not consume much
router must not have any access to such memory or processing cycles. This is because
information. As we can see here, the security is considered as an added feature
access of the packet is restricted to the that must not compete with the application
destination node. Thus, if a node other tasks in sharing memory or CPU usage.
than the destination accesses the packet, Thus, security overhead must be reasonable
it means that the destination identity has to keep WSN service throughput and general
been compromised. performance almost not affected.
° Data integrity: When a destination • The solution proposed does not need to solve
node receives a message from a source, all security problems. However, a problem
the destination should be able to detect tackled by the proposed solution should be
any change that could occur in the mas- effective and robust. Such focused solutions
sage. should have the ability to be integrated with
• Securing packet delivery: This task deals other solutions. This means that the design
mainly with behavior related security prob- has to be flexible and has reasonable as-
lems. Its objective is to guarantee that any sumptions regarding the impact of nonsolved
packet transmitted will be ultimately received problems.
at the target destination. Thus, a misbehav- • The more modular the design is, the more
ing router node should not be able to drop robust the solution will be against future at-
a packet, misroute the packet, or deny the tacks. Moreover, modular design approach
ability of routing of other nodes by denial-of- introduces some dynamicity that meets the
service attacks. This task can be interpreted very active and dynamic nature of WSN.
in terms of a security service called data • Any proposed solution should be considered
availability. from an implementation point of view. If a
° Data availability: If a node A is autho- solution cannot be implemented, it will be
rized to get information from another useless. Implementability considers issues
node B, node A should acquire this like affordability, technology availability,
information at any time and without application needs for such a solution, and so
unreasonable delay. forth.
There are many solutions and different ap- Intrusion Prevention and detection
proaches to achieve these tasks. However, the Approaches
designer should be aware of the suitability of the
solution with WSN tight constraints. An intrusion can be defined as a set of actions that
Some important guidelines that a designer can lead to an unauthorized access or alteration of a
should consider in the solution are: certain system. Security is one of the key challenges
to creating a robust and reliable network. Network
• The solution should conserve energy as it is security solutions can be generally grouped into
the rarest resource in WSN nodes. Energy two main categories: intrusion prevention-based
conservation can be achieved by modifying techniques and intrusion detection-based tech-
an existing solution to reach the least possible niques. Intrusion prevention-based techniques
energy consuming solution that can guarantee such as encryption and authentication are often
a certain level of security. Another possible the first line of defense against attacks. These in-
approach is to make the design energy-aware trusion prevention techniques can deter attackers
in the sense that it adapts itself to the energy from malicious behavior and reduce intrusions
demands. effectively, but cannot totally eliminate intrusions.
The task of intrusion detection systems (IDS) is to
Routing Security in Wireless Sensor Networks
monitor computer networks and systems with the but there are only a few recently proposed detec-
main objective of detecting possible intrusions in tion-based mechanisms for senor networks.
the network, alerting users after intrusion detection,
and excluding the attacker, that is, reconfiguring Intrusion detection-based techniques: Detec-
the network. Thus, intrusion detection systems tion-based techniques are divided into two major
are considered to be serving as the second line of categories: signature detection (a.k.a. misuse detec-
defense by detecting existing intruders and are im- tion) and anomaly detection. Signature detection
portant in constructing highly survivable networks techniques match the known attack profiles with the
and have been accepted as an indispensable part current changes, whereas anomaly detection uses
of today’s computer security systems. established normal profiles and detects unusual
deviations from this normal behavior.
Intrusion prevention-based techniques:
Authentication and encryption-based security Misuse-based detection systems work based on
schemes for sensor networks are adaptations of a database of known attack signatures and system
security algorithms developed for MANETs. These vulnerabilities and raise alarms when an activity
adaptations aim to decrease the computation and matching a signature in the database is identified.
communication overhead of these methods which Several methods have been proposed in the litera-
were originally designed for more capable and ture to model attack signatures and to search for a
less resource-constrained MANET nodes. Sec- match, such as expert system, pattern matching,
tion 5 of this chapter briefly discusses a variety colored Petri-nets, and state transition analysis.
of approaches proposed in the literature for key Kaplantzis (2004) presents a comparative study of
agreement and key distribution for sensor networks. three classification techniques (i.e., k-means near-
Prevention-based security schemes are difficult est neighbor classifiers, artificial neural networks,
to implement especially over large scale sensor and support vector machines) in order to find the
networks as these techniques are vulnerable to best performing classifiers in terms of speed and
wireless networking challenges. Shared broadcast accuracy for an intrusion detection system using
medium, the possibility of passive listening, and pattern matching. Classifiers are tools that parti-
resource-limited network elements decrease the tion sets of data into different classifications on
effectiveness of prevention mechanisms. The multi- the basis of specified features in that data. They
hop nature of a network also necessitates additional showed that the support vector machines train in the
trust requirements among the nodes and increases shortest amount of time with an acceptable accu-
the vulnerabilities. It is not flexible to implement a racy, while neural networks exhibit high accuracy
dynamic public key cryptography scheme and to at the cost of long training times. The benefits of
provide key exchanges with trusted central author- misuse-based detection techniques are simplicity
ity. On the other hand, symmetric key cryptography of these systems, the ability to detect attacks im-
can be used to authenticate neighbors. In any case, mediately after installation and that the signatures
powerful encryption schemes will not be available are based on well known intrusion activities and
because of the computational capacity of the nodes. hence the detections are usually very accurate.
Thus, security provided to sensor networks with In contrast, the major drawback of misuse-based
prevention only techniques is not always sufficient, detection system is the ability to manage effectively
or practical, because of the scalability problems, the signature database containing a huge amount
the computation, communication, and storage of known attack patterns and updating the attack
overhead associated with these methods. Hence, signatures as new attacks are published. These
intrusion detection techniques are required to be systems cannot detect unpublished attacks and
incorporated to build a robust and reliable secure are prone to circumventing false negative alarms
system. Numerous prevention-based mechanisms and also the cost of generating signatures for all
for wireless sensor networks have been proposed, known attacks is very high.
Routing Security in Wireless Sensor Networks
Anomaly-based detection systems work ing. There has not been much work on the design
based on the assumption that an intrusion can be of general intrusion detection system for wireless
detected by observing a deviation from normal or sensor networks, though the published works on
expected behavior of the system. These techniques intrusion detection in this area deal with specific
buildup normal profiles from previously observed kind of attacks or particular operations.
subject behavior and signal intrusions when the The work by Onat and Miri (2005) propose a
observed activities differ significantly from the predefined statistical model to identify anomalies
normal behavior of the system. The major benefit in a distributed fashion wherein sensor nodes will
of the anomaly-based detection technique is that it have the ability to record simple statistics about
is very effective in defending against new attacks the neighbors’ behavior and detect anomalies in
as it does not distinguish between known attacks them. To make a sensor node capable of detecting
and unknown attacks. However, such techniques an intruder, a simple dynamic statistical model of
are complex as they require a periodic online the neighboring nodes is built in conjunction with
learning process in order to buildup up-to-date a low-complexity detection algorithm by monitor-
normal profiles and resource hungry as they are ing received packet power levels and arrival rates.
constantly generating logs and checking audit files. This work considers two types of attacks: node
Moreover, anomaly-based intrusion detection sys- impersonation and resource depletion attack. These
tems tend to have high false alarm rates because attacks reveal themselves by deviations from the
the comprehensive knowledge of expected normal normal transceiver and traffic behaviors.
behavior of a system is hard to model. Hence, a A distributed, nonparametric anomaly detection
major challenge in building anomaly-based IDS scheme to identify anomalous measurements in
is to control effectively the false alarms. Another sensor nodes has been proposed by Rajasegarar,
key challenge in identifying misbehaviors in wire- Leckie, Palaniswami, and Bezdek (2006). In this
less sensor networks is to develop techniques for approach, in order to minimize communication
detecting anomalies in the network, such that overhead, which is a major source of energy con-
these techniques minimize their communication sumption, each individual sensor measurement
overhead and energy consumption in the network. is not sent to a central node for analysis. Instead
Misbehaviors can be identified by analyzing sensor the measurements are clustered and only cluster
or traffic measurements to discriminate normal summaries are sent by the sensor nodes. Further,
behavior from anomalous behavior. Anomaly intermediate sensor nodes merge cluster sum-
detection in data with an unknown distribution is maries before communicating with other nodes.
an important problem to be addressed in wireless The clustering approach used here is based on the
sensor networks. fixed-width clustering algorithm which produces
a set of disjoint, fixed-width (or radius) clusters in
Several techniques have been proposed in the feature space. The anomaly detection algorithm
the literature to identify anomalies and perform used the average inter-cluster distance of the k-
distributed data clustering in the context of MA- nearest neighbor (KNN) clusters to identify the
NETs. Clustering is the process of finding groups anomalous clusters.
of similar data points, such that each group of data The work by Da Silva, Martins, Rocha, Lou-
points is well separated (Han & Kamber, 2001). reiro, Ruiz, and Wong (2005) proposes a decentral-
The Euclidean distance is used as the dissimilar- ized intrusion detection system for WSN which
ity measure between pairs of data. A distributed is based on the inference of the network behavior
k-means clustering algorithm has been proposed obtained from the analysis of events detected by a
by Bandoyopadhya and Coyle (2006). An intru- monitoring node. The only events considered are
sion detection scheme has been proposed by Loo, data messages listened to by the monitoring node
Ng, Leckie, and Palaniswami (2006) to identify that is not addressed to it and message collision
abnormal traffic patterns using fixed-width cluster- when the monitoring node tries to send a message.
Routing Security in Wireless Sensor Networks
The approach proposed consists of three phases: DoS attack, the interaction between a normal and
data acquisition, rule application, and intrusion a malicious node in forwarding incoming packets
detection. In the data acquisition phase, messages is captured as a noncooperative N player game.
are collected in a promiscuous mode and the impor- A framework is proposed to enforce cooperation
tant information is filtered before being stored for among nodes and punishment for noncooperative
subsequent analysis. In the rule application phase behavior. The intrusion detector residing at the
the seven rules, interval rule, retransmission rule, base station keeps track of node’s collaboration by
integrity rule, delay rule, repetition rule, radio monitoring them. If performances are lower than
transmission rule, and Jamming rule are applied some trigger thresholds, it means that some nodes
to the stored data and if the message fails the tests act maliciously by deviation. The intrusion detec-
being applied, a failure is raised. In the intrusion tion system rates all the nodes, which is known as
detection phase, the number of raised failures is subjective reputation (Michiardi & Molva, 2002),
compared with the expected amount of occasional and the positive rating accumulates for each node
failures in the network and if the raised failures as it gets rewarded.
are found to be higher than the expected, then an An emotional ant-based approach to identify
intrusion detection is raised. possible preattack activities in sensor networks is
Agah, Das, and Basu (2004) introduce an intru- presented in the work IDEAS proposed by Ban-
sion detection scheme based on a noncooperative nerjee, Grosan, and Abraham (2005). Security
game approach. In every game theory problem, a monitoring in the sensor network is achieved by
payoff or utility function is required to be defined the foraging behavior of natural ant colonies. The
between players. A payoff function used in this work emphasizes the emotional aspects of agents
work is based on two fundamental issues: coopera- where they can communicate the characteristics of
tion and reputation. Payoff between two sensors a particular path among them through pheromone
is dependent on their distance and each node’s update. Therefore, in a sensor network if the emo-
transmitter signal strength. The more transmit- tional ants are placed, they could keep track of the
ter signal strength a node has, the more likely it changes in the network path, following a certain
cooperates with its close neighbors. In order to knowledge base of rules depicting the probable
show how much each individual node is useful possibilities of attack. Once the particular path
for the whole network, and gain better reputation among the nodes is detected by the emotional ant,
among others, payoff between two sensor nodes it can communicate the characteristics of the path
should also represent how many packets each node through pheromone balancing to the other ants, and
receives and forwards at each time slot for the thereafter intrusion alarm can be raised.
sake of others. Here, a nonzero sum, noncoopera- Localization anomaly detection (LAD) pro-
tive game is defined between attacker and sensor posed by Du, Fang, and Ning (2005) is a general
nodes, where an attack is a denial-of–service at- scheme to detect localization anomalies that are
tack, which is intended to be prevented. By using caused by adversaries compromising the beacon
the game theory framework, authors show that the nodes. Here localization anomaly problem is for-
game achieves Nash equilibrium for both attacker mulated as an anomaly intrusion detection problem,
and the network. and a number of ways to detect localization anoma-
In the work proposed by Agah and Das (2007), lies are proposed. In the proposed work by Deng,
the prevention of passive denial of service attack Han, and Mishra (2004), a secure multipath routing
at routing layer in wireless sensor networks is to multiple destination base stations is designed
formulated as a repeated game between an intru- to provide intrusion tolerance against isolation of
sion detector and nodes of a sensor network where a base station. Antitraffic analysis strategies are
some of these nodes act maliciously. The repeated also proposed to help disguise the location of the
games are associated with sequences of history- base station from eavesdroppers.
dependent game strategies. In order to prevent
Routing Security in Wireless Sensor Networks
00
Routing Security in Wireless Sensor Networks
existing nodes in the network in such a way requiring network rekeying for sustained security
that the backward secrecy is still preserved. and survivability after deployment. Dynamic key
Backward secrecy is maintained by means of management schemes may change administrative
periodically changing the traffic encryption keys periodically on demand or upon detection of
keys. A newly added node can only obtain new node capture. The major advantage of dynamic
traffic encryption key and not the previous keying is enhanced network survivability, since
encryption keys being used in the network any captured key is replaced in a timely manner in
and hence is not able to decipher previous a process known as rekeying. Another advantage
traffic. of dynamic keying is providing better support for
• Node eviction/key revocation: Deals with network expansion, upon adding new nodes, un-
how a node should be evicted from the like static keying which use a fixed pool of keys
network such that it will not again be able and the probability of network capture does not
to establish secure sessions with any one of necessarily increase.
the existing nodes in the network, and not be Based on the key generation/distribution
able to decipher future traffic in the network techniques used, these key management schemes
thereby preserving forward secrecy. can further be categorized into the following:
pure probabilistic or random key predistribution
The metrics most commonly used in the pub- schemes, polynomial-based key predistribution
lished approaches to evaluate the performance schemes, Blom’s matrix-based key predistribu-
of the key management schemes are local/global tion schemes, deterministic key predistribution
connectivity, resilience to sensor nodes capture, schemes, and group key management schemes
scalability, and memory efficiency. The distribution (combinatorial formulation) using exclusion-basis
of keys to sensor nodes of large scale WSNs where systems. Most of the existing schemes based upon
physical topology is unknown prior to deployment the basic random key predistribution scheme intro-
would have to rely on key predistribution. Keys duced by Eschenauer and Gilgor (2002) are static
would have to be installed in sensor nodes before key management schemes. Many of these schemes
deployment in order to establish secure connectiv- propose improvements over the basic scheme by
ity between nodes after deployment. Establishing using key polynomials, deployment knowledge
secure pair-wise communications is a prerequisite (node locations, node clusters or group), as well
for the implementation of secure routing and also as attack probabilities in certain portions of the
useful for secure group communication. network to enhance scalability and resilience to
Key management schemes in sensor net- attacks.
works can be classified broadly into dynamic or The basic key predistribution scheme first pro-
static key management schemes based on whether posed by Eschenauer and Gilgor (2002) is based
rekeying or updating of the administrative keys is on probabilistic key sharing among the nodes
enabled or not after network deployment. Static of a sensor network. This scheme uses a simple
schemes assume a relatively static, short lived shared-key discovery protocol for key distribution,
network where node replenishments are rare and revocation, and node rekeying. In this scheme,
keys outlive the network. Static key management before sensor nodes are deployed, an initialization
schemes assume that once administrative keys phase, also known as key predistribution phase,
are predeployed in the nodes, they will not be is performed offline to generate a large random
changed. Administrative keys are generated prior pool of P keys out of the total possible key space.
to deployment, assigned to nodes either randomly, For each node, k keys (also known as node’s key
or based on some deployment information. Another ring) are randomly selected out of the large key
emerging class of schemes, termed dynamic key pool P without replacement and loaded into each
management schemes, assume long-lived networks sensor node’s memory. This key predistribution
with more frequent addition of new nodes, thus phase must ensure that only a small number of k
0
Routing Security in Wireless Sensor Networks
keys need to be stored in each sensor node’s ring and to provide scalability for random key predis-
such that any two nodes will share at least one key tribution in clustered distributed sensor networks.
with a chosen probability. This works considers the probability of node cap-
Q-composite random key predistribution ture for each subgroup in order to design a scalable
scheme proposed by Chan, Perrig, and Song security mechanism that improves resilience to the
(2003) is a modification to the method proposed attacks for the sensor subgroup with larger prob-
by Eschenauer and Gilgor (2002) where q common ability of node compromise. Hence this scheme can
keys are required to match between neighboring maintain flexibility in providing different security
nodes instead of a single common key, thereby concerns for different sensor groups. Since sen-
making it more difficult to compromise com- sor subgroups are located in different areas, they
munications. The motivating factor is that as the may have different chances of being attacked by
amount of required q common keys increases, it the adversaries.
becomes exponentially harder for an attacker with The work by Yang, Zhou, Zhang, and Wong
a given set of keys to break a link. (2006) proposes a polynomial-based key manage-
Pseudo random key deployment scheme ment scheme called group-to-group (G2G) pair-
proposed by Di Pietro, Mancini, and Mei (2003) wise key establishment which enables a node to
is a further improvement to the basic random communicate securely with nodes near a certain
predistribution scheme proposed by Eschenauer location using their location knowledge and the
and Gilgor (2002), which allows more efficient communicating nodes need not know each other’s
key discovery procedure. In the key deployment ID or need not be located within each other’s com-
phase, keys are assigned to a node according to munication range.
the output of a pseudorandom generator with a Zhang, Liu, Lou, and Fang (2006) propose
publicly known seed and the node’s ID as inputs. a suite of location-based compromise-tolerant
Di Pietro et al. (2006) further improve the above security mechanisms to mitigate the impact of
work by proposing a novel efficient and secure compromised nodes. They propose the novel no-
pseudo (ESP) random key deployment scheme that tion of location-based keys (LBKs) based on a new
requires no message exchange between nodes to cryptographic concept called pairing which binds
establish pair-wise keys, but only k applications of private keys of individual nodes to both their node
the pseudo-random function where k is the number IDs and geographic locations. The LBKs used in
of keys in the node’s key ring, thereby minimizing this approach can act as efficient countermeasures
energy consumption in the key discovery phase. against a Sybil attack, identity replication attack,
The work proposed by Du, Deng, Han, Chen, wormhole, and sinkhole attack. This work uses an
and Varshney (2004) presents a novel random identity-based cryptography (IBC) which is receiv-
key predistribution scheme that uses deployment ing extensive attention as a powerful alternative to
knowledge. With such deployment knowledge, it is traditional certificate-based cryptography (CBC).
shown that each node only needs to carry a fraction Its main idea is to make an entity’s public key di-
of the keys required by the other random key pre- rectly derivable from its publicly known identity
distribution schemes (Eschenauer & Gligor, 2002; information. Eliminating the need for public-key
Chan et al., 2003), while achieving improved level certificates and their distribution makes IBC much
of connectivity (in terms of secure links), higher more appealing for securing WSNs, where the
resilience against node capture, and reduction in need to transmit and check certificates has been
amount of memory required. identified as a significant limitation.
The random key management scheme using The major challenge in dynamic keying is to
both attack probabilities and deployment knowl- design a secure yet efficient rekeying mechanism.
edge proposed by Chan, Poovendran, and Sun A dynamic key management scheme is proposed
(2005) uses a subgrouping approach to isolate the by Jolly, Kuscu, Kokate, and Younis (2003) that
effect of node captures into one specific subgroup, is based on the identity-based symmetric keying.
0
Routing Security in Wireless Sensor Networks
In the work proposed by Eltoweissy, Heydaru, network. SPINS has two security building blocks:
Morales, and Sadborough (2004), a combinatorial secure network encryption protocol (SNEP) and the
formulation of group key management problem is micro-version of the timed efficient streaming loss-
developed using exclusion-basis systems (EBS). A tolerant authentication protocol (μTESLA). SNEP
drawback of the basic EBS-based solution is that provides data confidentiality, two-party authenti-
a small number of nodes may collude and col- cation, integrity, replay protection, and message
lectively reveal all the network keys. In SHELL, freshness. μTESLA provides authentication for data
Younis, Ghumman, and Eltoweissy (2006) propose broadcast. In the key deployment phase, every node
a modification to EBS approach to address the shares a unique master key with the base station.
collusion problem which performs location-based In key establishment phase, two kinds of traffic
key assignments to minimize the number of keys (node to node communications and broadcasts by
revealed by capturing collocated nodes. LOCK pro- the base station) are secured. SNEP allows two
posed by Eltoweissy, Moharrum, and Mukkamala nodes to establish a session key through the base
(2006) is an EBS-based dynamic key management station. μTESLA allows messages broadcast by
scheme for clustered sensor network which uses the base station to be authenticated. When a new
key polynomials to improve the network resilience node is added, it is loaded with a unique master
to collusion instead of location-based key assign- key that it shares with the base station. During a
ment as in SHELL. node eviction, the evicted node’s master key is
An important observation that can be drawn removed from the base station.
from these proposed schemes is that the location
knowledge can be used to improve the performance SNEP achieves semantic security with no
of the key management schemes, such as the con- additional transmission overhead by sharing a
nectivity, resilience against nodes capture, and counter between the sender and receiver for the
memory efficiency. Also it is evident that most of block cipher in counter mode. Since the counter
the key management solutions for wireless sensor value is incremented after each message, the same
networks are trying to find the better tradeoffs message is encrypted differently each time thereby
between system security (e.g., resilience to node preventing replay of old messages. To achieve
capture) and network connectivity. All of them two-party authentication and data integrity, a
have weak and strong points. The diverse usages message authentication code (MAC) is used which
of wireless sensor networks make it unreasonable enforces a message ordering and weak freshness.
to try to find the single perfect scheme suitable for In μTESLA, the requirement of asymmetric
all situations. mechanism for authenticated broadcast is achieved
Having provided a brief survey of the key man- through a delayed disclosure of symmetric keys.
agement schemes to highlight the current devel- μTESLA is based on one-way key chain. During
opments in this key area, in the following section initial set-up, the base station generates a one-way
we briefly describe some protocols based on key key chain of n keys by choosing the last key K n
predistribution schemes designed for WSN. randomly and generating the remaining values by
successively applying a one way hash function F
Protocols based on key (such as MD5), that is, Ki = F(Ki+1). Every node
Predistribution schemes synchronizes its time with the base station. Time
is divided into uniform time intervals and the
Security protocols for sensor networks base station associates each key of the key chain
(SPINS): This work proposed in by Perrig et al. with one time interval. To bootstrap μTESLA, the
(2001) uses a hierarchical/centralized commu- base station distributes the root of the key chain,
nication architecture that assumes a forest-like K n, to the sensor nodes. During the time interval
network formed around one or more base stations, i, the base station uses the key of the current time
which interfaces the sensor network to the outside interval Ki to compute the MAC of the packets to
0
Routing Security in Wireless Sensor Networks
be broadcast in that interval and discloses the key each sensor node to the controller with all routes
Ki-δ that authenticates all the messages broadcast from each sensor node to the controller secured.
in and before the time interval i-δ. When a node First, keys are predistributed to the sensor nodes
receives the disclosed key Ki-δ , it verifies the cor- and shared keys are discovered by the methods
rectness of the key and then uses it to authenticate proposed in Eschenauer and Gilgor (2002). The
the message stored in its buffer received during protocol has six phases and it starts after each
the time interval i-δ. node discovers shared keys with its neighbors.
Some remarks about this scheme are: The controller can communicate with the rest of
the nodes indirectly via the level-one nodes, which
1. This scheme requires key server (base sta- are defined as the nodes in the wireless range of
tion) for the establishment of pair-wise keys the controller. A route is formed using four phases:
compared to other schemes which only needs (1) level-one initialization phase (2), route learning
a bootstrap server (or base station) to initialize phase (3), authenticate neighbor and shorter path
and deploy nodes. discovery phase, and (4) key distribution phase.
2. SNEP protocol has low communication In the level-one initialization phase, the controller
overhead, only 8 extra bytes per message. and nodes in the wireless range of the controller
3. SNEP is an end-to-end security protocol and mutually authenticate themselves and the controller
cannot prevent routing misbehavior. distributes the session key to be used in further
4. µTESLA provides a secure broadcast com- phases. In the route learning phase, each node
munication, which is a common and important forwards messages containing route information to
communication pattern in almost all WSN their downstream nodes and an initial set of routes
applications. is established. In the authentic neighbor and shorter
5. µTESLA obtains routing security by authen- path discovery phase, nodes broadcast messages
ticated routing that is achieved by deriving in order to discover shorter paths to the control-
the operation on routing update packets and ler. If shorter paths are found, these paths must be
checking the correctness of the claiming secured by assigning a key to that path which is
parents by delayed key disclosure. performed by the controller in the key exchange
6. In µTESLA protocol, the base station and phase. If the controller detects that a security
nodes are required to be loosely time syn- breach has occurred during the execution of the
chronized. routing protocol, it starts the session key expiration
7. The periodic key disclosure of µTESLA phase to invalidate the session key. If a legitimate
ensures compromising a single sensor does sensor node is compromised, the controller starts
not reveal the keys of all the sensors in the the revocation phase in order to invalidate the key
network. ring of the compromised node. Resilient to replay
attacks is achieved in this protocol by associating
SeFER: secure, flexible and efficient rout- each message with a nounce value proposed by
ing protocol for distributed sensor networks: Perrig et al. (2001) and a time stamp indicating
This work by Oniz, Tasci, Savas, Ercetin, and expiration date.
Levi (2005) presents a secure, flexible, and effi- Some remarks about this scheme are:
cient routing protocol for sensor networks based
on the basic random key predistribution scheme 1. The proposed protocol is flexible such that it
Eschenauer and Gilgor (2002) discussed in section allows a tradeoff between route length and
5.3.1. This protocol aims to establish secure paths the route setup cost in terms of processing
in a sensor network between a controller and a set power and storage.
of nodes where each node has been assigned a set 2. Different security needs for different location
of randomly chosen keys out of a key pool. The of nodes are not considered.
primary aim of this protocol is to find routes from
0
Routing Security in Wireless Sensor Networks
3. This scheme is less energy efficient because sensor node transmitting the same reading as its
of the key discovery phase which requires own current reading can elect not to transmit the
a number of messages proportional to the same, thereby saving energy consumption in sen-
number of keys assigned to each sensor. sor networks. A node’s cluster key and one-way
4. The scalability of random key predistribution key chain allow its neighbors to authenticate its
is a concern and not addressed. locally broadcast messages. The combination of
cluster key and one-way key chain is interesting
Localized encryption and authentication because the cluster key can be used to hide the
protocol (LEAP): This work by Zhu, Setia, and keys in the key chain from cluster-outsiders, so
Jajodia (2003) presents a complete key manage- that the keys do not need to be disclosed accord-
ment framework for static WSNs which supports ing to a schedule as in SPINS, and the keys in the
in-network processing, while at the same time key chain can be used for authentication as usual.
restricts the security impact of a node compromise Pair-wise shared key is a key each node shares
to the immediate network neighborhood of the with each of its immediate neighbors. Pair-wise
compromised node. In order to meet the different keys are used for securing communications that
security requirements of the messages exchanged require privacy or secure authentication. For ex-
between the sensor nodes, this protocol provides ample, a node can use its pair-wise keys to secure
multiple keying mechanisms for securing node-to- the distribution of cluster key to its neighbors, or
base station traffic, base station to nodes traffic, to secure the transmission of its sensor readings
local broadcasts, as well as node-to-node (pair- to an aggregation node.
wise) communications. It also includes an efficient Some remarks about this scheme are:
protocol for local broadcast authentication based on
the use of one-way key chains. Each node shares 1. This scheme is very effective in defending
four types of keys: an individual key, a group key, against many sophisticated attacks such as
cluster keys, and pair-wise shared keys. In addition HELLO flood attack, Sybil attack and worm-
to these keys, a node also has to store a one-way hole attack.
key chain it creates, the commitments of the key 2. In this scheme, knowledge of node IDs is
chains its neighbors create, and the commitment required to establish pair-wise keys among
of the base station’s key chain. neighboring nodes.
Every node has a unique individual key that 3. It is assumed that all nodes are innocent
is only shared with the base station. This key is within a short period after deployment.
used for secure communication between the node 4. This scheme is scalable and efficient in com-
and the base station. This key is generated and putation, communication, and storage.
preloaded into each node prior to its deployment. 5. Sensor deployment is considered to be
A node uses its individual key to encrypt messages static.
it sends to the base station. A group key is a global 6. Different security needs for message ex-
key shared by all the nodes in the network. This key changed between nodes for the hierarchical
is used by the base station for encrypting messages WSN are considered.
that are broadcast to the whole group. Messages 7. The issues regarding the impact of key shar-
broadcast by the base station are encrypted with ing approach on in-network processing are
the group key, but authenticated with μTESLA. addressed using cluster-keying mechanism.
A cluster key is a key shared by a node and all its
neighbors and it is mainly used for securing lo- Intrusion tolerant routing protocol for wire-
cally broadcast messages such as routing control less sensor networks (INSENS): INSENS by
information or securing sensor messages which Deng, Han, and Mishra (2002) constructs a tree-
can benefit from passive participation. In passive structured routing for wireless sensor networks.
participation, a node that overhears a neighboring It aims to tolerate damage caused by an intruder
0
Routing Security in Wireless Sensor Networks
who has compromised deployed sensor nodes and is 2. Rather than rely on traditional intrusion-
intent on injecting, modifying, or blocking packets. detection techniques, INSENS’s strategy is
INSENS incorporates distributed lightweight secu- to design a routing mechanism that is intru-
rity mechanisms, including one-way hash chains sion-tolerant.
and nested keyed message authentication codes to 3. An important property of INSENS is that
defend against routing attacks such as wormhole while a malicious node may be able to
attack. Adapting to WSN characteristics, the design compromise a small number of nodes in its
of INSENS also pushes complexity away from vicinity, it cannot cause widespread damage
resource-poor sensor nodes towards resource-rich in the network.
base stations. It constructs forwarding tables at each
node to facilitate communication between sensor non cryptography-based solutions
nodes and a base station. The INSENS secure rout-
ing system is designed to prevent flooding attacks Noncryptographic-based solutions are mainly
by allowing only base station to broadcast. The concerned with behavior-related security attacks,
authentication of the base station is achieved via such as nonforwarding, selective forwarding, and
one-way hashes, so that individual nodes cannot denial-of-service attacks. The basic concept in
spoof the base station and thereby flood the network. this general approach is to enable sensor nodes
For unicast packets, nodes must first communicate to be aware of their neighbors’ behavior. When
through the base station, allowing the base station misbehavior is detected, the misbehaving node is
to act as a packet filter to prevent denial-of-service avoided in routing.
via a single node. To prevent advertisement of The main features of such solutions as compared
false routing data, control routing information is with crypto-based approach are:
authenticated. A key consequence of this approach
is that the base station always receives correct • Crypto-based solutions are not robust against
partial knowledge of the topology. Symmetric insider attacks in which the attacker is an
key cryptography is chosen for confidentiality identifiable and authorized member of the
and authentication between the base station and network. Such attacks can be done by com-
each resource-constrained sensor nodes, since it promised nodes or selfish nodes. Others are
is considerably less compute-intensive than public unintentionally done by faulty nodes (Josang
key cryptography, and the base station is chosen as & Ismail, 2002). However, security systems
the central point for computation and dissemina- that depend on treating nodes’ behavior in-
tion of the routing tables. To address the notion of stead of their identities are more robust. This
compromised nodes, redundant multipath routing is especially true in networks where such
is built into INSENS to achieve secure routing. misbehavior is very possible or sometimes
The paths are designed to be disjoint, so that even can be the dominant type of attacks, which
if an intruder brings down a single node or path, is the case in WSN.
secondary paths will exist to forward the packet • Unlike node’s identity, node’ behavior is not
to the correct destination. fixed and can be dynamically changed in in-
Some remarks about this scheme are: telligent ways. Crypto-based solutions do not
have the provision of this dynamic treatment.
1. This scheme minimizes computation, com- However, behavior-based approaches provide
munication, storage, and bandwidth require- a means for an adaptive and dynamic decision
ments at the sensor nodes at the expense of making and reaction at the individual node
increased computation, communication, level behavior.
storage, and bandwidth requirements at the • Cryptography overhead at the node level
base station. structure such as memory consumption and
0
Routing Security in Wireless Sensor Networks
computation complexities are all relieved from the experiences of others goes unused, which
in this approach. However, communication decreases efficiency.
overhead and behavior knowledge exchange Any reputation system in the context of MANET
is more complicated here. and WSN should, generally, exhibit three main
functions (Djenouri et al., 2005):
In literature, noncrypto approach is realized by
the adoption of reputation systems. A reputation • Monitoring: This function is responsible
system is a type of cooperative filtering algorithm for observing the activities of the nodes of
which attempts to determine ratings for a collection its interest set.
of entities that belong to the same community. Ev- • Rating: A node will rate its interest set nodes
ery entity rates other entities of interest based on a based on the node’s own observation (termed
given collection of opinions that those entities hold as first hand information), other nodes’ obser-
about each other (Michiardi & Molva, 2002). vations that are exchanged among themselves
Reputation systems have recently received (termed as second hand information), the
considerable attention in different fields such history of the observed node, and certain
as distributed artificial intelligence, economics, threshold values.
evolutionary biology, and so forth. Most of the • Response: Once a node builds knowledge
concepts in reputation systems depend on social about others’ reputations, it should be able
networks analogy. As expected, reputation systems to decide upon different possible reactions
are complex in the sense that they do not have a it can take, like, avoiding bad nodes or even
single notion, but a single system will consist of punishing them.
multiple parts of notions. Thus, comparing reputa-
tion systems is, in fact, a very difficult problem. For secure routing problem in WSN, a reputation
All known trials on such problem were based on system can be a good solution for behavior-related
qualitative approach. The work proposed by Mui, problems. The efficiency of a proposed solution
Halberstadt, and Mohtashemi (2002) makes an will depend on:
attempt on comparing reputation systems quan-
titatively based on game theory. The authors, • The ability to monitor misbehavior events
thus, identify different notions of reputation correctly.
systems like, contextualization, personalization, • Using a good rating model that closely reflects
individual and group reputation, and direct and the behavior of nodes.
indirect reputation. • Developing good routing algorithms and deci-
In the context of MANET and WSN (Bucheg- sion criteria that try to select the most trusted
ger & Boudec, 2003; Michiardi & Molva, 2002), routers and follow the least risky paths.
the reputation of a node is the amount of trust the
other nodes grant to it regarding its cooperation and In literature, there are reputation-based solu-
participation in forwarding packets. Hence, each tions proposed for MANET such as CONFIDANT
node keeps track of each other’s reputation accord- and CORE. The work, however, in WSN is not
ing to the behavior it observes, and the reputation heavily studied. When considering WSN, reputa-
information may be exchanged between nodes to tion systems become more challenging for the first
help each other to infer the accurate values. There two phases, that is, monitoring and rating. Good
is a trade-off between efficiency in using available monitoring requires a sensor node to be always
information and robustness against misinforma- awake overhearing others’ packets which is an
tion. If ratings made by others are considered, the energy consuming operation. A possible approach
reputation system can be vulnerable to false accu- is to make the responsibility of monitoring for a
sations or false praise. However, if only one’s own specific set of sensor nodes. However, this yields
experience is considered, the potential for learning a poor rating mechanism. Moreover, the rating
0
Routing Security in Wireless Sensor Networks
model should be able to mathematically track the • The routing decision is not to select the next
node behavior. Complex models may require a hop but to decide to participate in the trusted
heavy processing task and memory usages. Theses route. As a result, selfish behavior is not ad-
resources are more in demand for data processing dressed well in SAR.
in the constrained WSN node.
In the following sections, we briefly describe TRANS: Proposed by Tanachaiwiwat, Dave,
some reputation-based solution designed for Bhindwale, and Helmy (2004), TRANS is a geo-
WSN. graphic routing protocol (GPSR-based) that pro-
vides security services using trust metric. It can
Reputation-Based Solutions be considered as a tight trust-based routing due to
its specific targets and assumptions. It basically
SAR: Security-aware routing (SAR) proposed targets a misbehavior model in which an attacker
by Naldurg, Yi, and Kravets (2001) is a protocol selectively participates in routing signaling and
derived from AODV and based on authentication control packets, but drops consistently queries
and a metric called the hierarchal trust values and data packets. The protocol also assumes static
metric. The hierarchal trust values metric governs sensor networks in which a tight mapping can
routing protocol behavior. This metric is embedded be done between the nodes’ identities and their
into control packets to reflect the minimum trust locations. TRANS assumes a location-centric
value a router should have to be able to forward architecture that helps it in isolating misbehavior
the received packet. This value is determined by and establishing trust routing in sensor networks.
the sender. A node that receives any packet can As a result of that, the protocol assumes a certain
neither process it nor forward it unless it provides communication model in which a single or multiple
the required trust level present in the packet. sinks initiate communication requests with various
Moreover, this metric is also used as a criterion locations. During that phase, insecure locations are
to select routes when many routes satisfying the identified and blacklisted. The trust metric used
required trust value are available. to judge on location security is calculated based
There are some problems and limitations in on nodes’ experience among each other regard-
SAR: ing their identities, link availability, and packet
forwarding.
• The routing operation needs to encounter a There are some problems and limitations in
trusted route setup phase that is done using TRANS:
cryptographic authentication. This setup
contributes some initial delay and requires • In TRANS, the trust, in fact, is associated
some sophisticated crypto mechanisms. with locations rather than the nodes. The
• The trust metric used in SAR does not re- problem is that a location can be infected by a
flect exactly nodes’ behavior; rather, they single node. The detour, then, will be around
represent a “rank” that a node exhibits based a larger area rather than a single node.
on its identity and various security service • Nodes located in proximity of an infected
provision. Thus, a trusted node in SAR is a location might be also isolated. If not, they
node that has the appropriate rank that meets are also exposed to heavy routing duties that
the routing requirements. To rank a node is may induce selfish behavior.
another problem by itself that is not addressed • TRANS is limited by single or multiple sink
very well. communication models. This assumption is
• The routing decision rules in SAR are gov- necessary for the efficient operation of the
erned by the source, which makes the protocol protocol.
less flexible. • TRANS discusses approaches to decrease
energy consumption due to the security
0
Routing Security in Wireless Sensor Networks
• The protocol has no provision for energy • The monitoring mechanism uses a normal
efficiency. watchdog mechanism that assumes a promis-
• The protocol totally relies on trust-based cuous mode operation for every node. This is
forwarding. If a node is completely sur- not suitable for the WSN conditions in terms
rounded by misbehaving nodes, there is no of energy scarcity as discussed earlier.
other mechanism proposed to select a next • The system does not show a practical solu-
hop since all nodes will be eliminated from tion implementation of monitoring and rating
the node’s forwarding list. phases. From an implementation point of
• RGR is a multipath trust-based routing. view, the study should provide an example
Although multipath is important for reliable of how monitoring and rating will be done
services, it is also believed that multipath under some application assumptions.
routing is energy consuming, which is a very • The work does not propose a response meth-
important issue to consider in WSN odology, for example, a routing algorithm.
Instead, it leaves it an open issue. Therefore,
Reputation-based framework for high integ- the work lacks performance figures that can
rity sensor networks: Ganeriwal and Srivastava show the efficiency and security gain and
(2004) propose a reputation-based framework for benefits in routing operation that can be
sensor networks where nodes maintain a reputa- obtained in adopting this solution.
tion for other nodes and use it to evaluate their
trustworthiness. The authors tried to focus on an Reputation system-based solution for trust-
abstract view that provides a scalable, diverse, and aware routing: This work proposed by Maarouf
a generalized approach hoping to tackle all types and Naseer (2007) provides a reputation system-
of misbehaviors. They also designed a system based solution for trust aware routing as a main
within this framework and employed a Bayesian security concern in WSN. In contrast to similar
formulation, using a beta distribution model for existing solutions for ad hoc networks like CORE
reputation representation. (Michiardi & Molva, 2002) and CONFIDANT
In this system, monitoring mechanism follows (Buchegger & Boudec, 2003) or those for WSN like
the classic watchdog methodology in which a node RFSN (Josang & Ismail, 2002), this work proposes
0
Routing Security in Wireless Sensor Networks
solutions to focusing on satisfying WSN resources new contribution in CRATER is its mathematical
constraints and conditions, while maintaining the approach that is used to rate nodes based on what
security requirements. Thus, the solution proposes is called cautious assumptions, which are very
new mechanisms and approaches that are custom- true in most WSN. These assumptions basically
ized for WSN constraints. introduce the cases in which WSN nodes are very
The work adopts a modular design approach sensitive to hearing SHI and are concerned with
by which it treats every individual component as their immediate neighbors.
a separate problem and studies it in the lights of Moreover, the rating component is evaluated
WSN conditions adaptation and customization. The by a novel and promising mechanism proposed to
integrated reputation system is termed as senor evaluate different reputation systems. The evalu-
node attached reputation evaluator (SNARE) ation scheme is called reputation systems-inde-
(Maarouf & Naseer, 2006) which consists of pendent scale for trust on routing (RESISTOR).
three main components: monitoring component, RESISTOR is based on the analogy of the resistance
rating component, and response component. phenomenon in electric circuits. It defines a metric
For the monitoring part, the work proposes a called “resistance” to represent how much a node
new monitoring strategy called efficient monitor- is resisting its malicious neighbors by finding the
ing procedure in reputation system (EMPIRE) to ratio between the risk value for the malicious node,
solve the problem of efficient monitoring in WSN. which is computed by the monitoring node using
Efficient monitoring should guarantee a satisfying CRATER, and the number of packets flowed into
level of capturing neighborhood activities, while that malicious node. Then, based on that figure,
trying to minimize power consumption, memory which is called the resistance figure, the system
usage, processing activities, communication performance is analyzed for evaluation.
overhead, and so forth. In this work, monitoring Finally, the response component of the reputa-
efficiency is realized by the association between tion system suggests a new routing protocol that
the nodal monitoring activity (NMA) and various aims to provide a secure packet delivery service
performance measures. NMA is determined by guarantee by incorporating the behavior trust
the frequency of monitoring actions that a node concept into the routing decision. The proposed
takes to collect direct observation information. geographic, energy and trust aware routing (GE-
Reducing the frequency of monitoring, that is, TAR) protocol is an enhanced version of the GEAR
reducing NMA, will affect the quantity and/or protocol (Yu, Govindan, and Estrin 2001). GEAR
the quality of the obtained information. Thus, the is basically a geographic routing protocol in which
performance measures will be affected. However, the next hop is selected based on two metrics: the
on the other hand, this reduction implies a saving distance between the next hop and the destination
in node’s resources such as power, processing, and the remaining energy level the next hop owns.
and memory, which are the constraints that are The new contribution of this work is to add a third
faced in WSN. EMPIRE provides a probabilistic metric in the next-hop selection process, that is, the
approach to reduce nodal monitoring activities, risk level of a node defined as the amount of risk
while keeping the performance of the system, from the sender may encounter by selecting a particular
the behavior and trust awareness perspective, at a node as a next hop. The risk value a sender knows
desirable level. about a node reflects the “trustworthiness” that it
The rating component proposed in this work has towards that node.
is called cautious rating for trust enabled routing
(CRATER). Basically, this technique identifies
three rating factors: first hand information (FHI), futurE rEsEArcH dIrEctIons
second hand information (SHI), and a defined
period called neutral behavior period (NBP) dur- Recent research work focuses on energy-aware
ing which a node is not doing any activity. The design and efficient communication and net-
0
Routing Security in Wireless Sensor Networks
working within the WSN. On the physical layer order to look for anomalies, applications and typical
level, techniques for low-power hardware design, threat models must be understood. It is particularly
overcoming signal propagation, and optimized important for researchers and practitioners to un-
modulation schemes are of great interest. Another derstand how cooperating adversaries might attack
very important area of open research is the design the system. The promising approach for decentral-
of energy-aware and efficient medium access con- ized intrusion detection is the use of secure groups.
trol protocol for enhanced WSN performance and More research is needed to determine better node
prolonged network lifetime. On the network level, features addressing specific vulnerabilities and to
new integrated identity and behavior trust aware develop improved detection algorithms taking into
routing algorithms that are tailored for operation account sensor node capabilities.
given the limitations of the WSN are necessary. Novel techniques of network clustering that
Finally, at the application layer, protocols neces- maximize the network lifetime are also a hot area
sary for sensor management, task assignment and of research in WSNs (Bandyopadhya & Coyle,
data advertisement, and sensor query and data 2003). Since sensor nodes are prone to failure,
decimation are being developed. fault tolerance techniques come into the picture
Node mobility is an important issue to be con- to keep the network operating and performing its
sidered when developing secure routing protocols. tasks. Routing techniques that explicitly employ
Most of the current protocols assume that the fault tolerance techniques in an efficient manner are
senor nodes and the base stations are stationary. still under investigation (Dulman et al., 2003).
However, there might be situations such as battle Another area which needs extensive research
environments where the base station and possibly is the study of survivability issues in wireless
the sensors need to be mobile. In such cases, fre- sensor networks. Survivability of a system can be
quent update of the position of the base station and defined as the capability to fulfill its mission, in a
sensor nodes and propagation of that information timely manner, and in the presence of intrusions,
through the network and rekeying operation may attacks, accidents, and failures. A framework
excessively drain the energy of nodes. New secure of survivability model for WSN with software
routing algorithms are needed in order to handle rejuvenation methodology, which is applicable in
the overhead of mobility, rekeying, and topology security, has been proposed by (Kim, Shazzad,
changes in such an energy-constrained environ- and Park (2006).
ment. A feature that is important in every routing Most of the currently proposed key management
protocol is to adapt to topology changes very schemes are based on the assumption that all the
quickly and to maintain the network functions. nodes in the sensor networks are homogeneous
One aspect of sensor networks that complicates and with similar capabilities, such as memory and
the design of a secure routing protocol is in network radio range. It has been found that by applying
aggregation. In WSNs, in-network processing heterogeneous sensor nodes in a sensor network,
makes end-to-end security mechanisms harder the small percentage of more capable sensor
to deploy because intermediate nodes need direct nodes can provide an equal level of security, and
access to the contents of the messages. Finding meanwhile improve the resilience of node com-
efficiently and optimally the processing points in promise. The unbalanced scheme proposed by
WSNs is still an open research issue. Traynor, Choi, Cao, Zhu, and La Porta (2004) not
There are not many published work on the only reduces the number of transmissions neces-
general intrusion detection techniques for wireless sary to establish session-keys but also reduces the
sensor networks. There are some works on intru- effect of both single and multiple node captures.
sion detection targeted for specific kind of attacks. Another area which needs intensive research is the
Wireless sensor networks require a solution that is development of path-key establishment phase of
fully distributed and inexpensive in terms of com- key management scheme. Some special protocols
munication, energy, and memory requirements. In combined with routing information may be con-
Routing Security in Wireless Sensor Networks
Routing Security in Wireless Sensor Networks
Arazi, B., Elhanany, I., Arazi, O., & Qi, H. (2005). scheme in distributed sensor networks using at-
Revisiting public-key cryptography for wireless tack probabilities. Paper presented at the Global
sensor networks. Computer, 38(11), 103-105. Telecommunications Conference, GLOBECOM
‘05 (Vol. 2, pp. 5-). IEEE.
Bandoyopadhya, S., et al., (2006).Clustering
distributed data streams in peer-topeer environ- Da Silva, A.P.R., Martins, M.H.T., Rocha, B.P.S.,
ments. Information Sciences, 176(14), 1952-1955. Loureiro, A.A.F., Ruiz, L.B., & Wong, H.C. (2005,
Elsevier. October 13). Decentralized intrusion detection
in wireless sensor networks. Paper presented at
Bandyopadhya, S., & Coyle, E. (2003). An energy
Q2SWinet’05, Montreal, Quebec, Canada.
efficient hierarchical clustering algorithm for wire-
less sensor networks. In Proceedings of INFOCOM Deng, J., Han, R., & Mishra, S. (2002, November).
2003 (Vol. 3, 1713-1723). INSENS: Intrusion-tolerant routing in wireless
sensor networks (Tech. Rep. CU-CS-939-02).
Bannerjee, S., Grosan, C., & Abraham, A. (2005).
University of Colorado, Department of Computer
IDEAS intrusion detection based on emotional ants.
Science.
Paper presented at the 5th International Conference
on Intelligent Systems Design and Applications Deng, J., Han, R., & Mishra, S. (2004). Intrusion
(ISDA ‘05) (pp. 344-349). tolerance and anti-traffic analysis strategies for
wireless sensor networks. Paper presented at the
Barreto, P., Lynn, B., & Scott, M. (2004). On the
IEEE International Conference on Dependable
selection of pairing-friendly groups. In Proceeding
Systems & Networks (DSN) (pp. 594-603).
of Selected Areas Cryptography (LNCS 3006, pp.
17-25). New York: Springer Verlag. Di Pietro, R., Mancini, L.V., & Mei, A. (2003).
Random key-assignment for secure wireless sensor
Bertoni, G., Chen, L., Fragneto, P., Harrison, K.,
networks. In Proceedings of the 1st ACM Workshop
& Pelosi, G. (2005). Computing Tate pairing on
on Security of Ad Hoc and Sensor Networks, Fair-
smartcards (White paper STMicroelectronics).
fax, VA, (pp. 62-71).
Retrieved October 27, 2007, from http://www.
st.com/stonline/products/families/smartcard/ Di Pietro, R., Mancini, L.V., & Mei, A. (2006,
ast_ibe.htm December). Energy efficient node-to-node au-
thentication and communication confidentiality
Bettstetter, C. (2002). On the minimum node
in wireless sensor networks. Springer Journal on
degree and connectivity of a wireless multi-hop
Wireless Networking, 12(6), 709-721.
network. In Proceedings of the 3rd ACM Interna-
tional Symposium on Mobile Adhoc Networking Dolev, D., & Yao, A.C. (1983). On the security
and Computing’02, EPF Lausanne, Switzerland, of public-key protocols. IEEE Transactions on
(pp.80-91). ACM Press. Information Theory, 29(2), 198-208.
Buchegger, S., & Boudec, J.Y.L. (2003, July). A Du, W., Deng, J., Han Y.S., Chen, S., & Varshney,
robust reputation system for mobile ad-hoc net- P.K. (2004, March). A key management scheme for
works (Tech. Rep. IC/2003/50). EPFL IC. wireless sensor networks using deployment knowl-
edge. Paper presented at the IEEE INFOCOM.
Chan, H., Perrig, A., & Song, D. (2003, May
11-14). Random key predistribution schemes for Du, W., Fang, L., & Ning, P. (2005). LAD: Lo-
sensor networks. In Proceedings of the IEEE calization anomaly detection for wireless sensor
Symposium on Security and Privacy, Oakland, networks. Paper presented at the IPDPS.
CA, (pp.197-213).
Dulman, S., et al. (2003, March). Trade-off between
Chan, S., Poovendran, R., & Sun, M. (2005, traffic overhead and reliability in multipath routing
November 28-December 2). A key management
Routing Security in Wireless Sensor Networks
for wireless sensor networks. Paper presented at Jolly, G., Kuscu, M., Kokate, P., & Younis, M. (2003,
the WCNC Workshop, New Orleans. June). A low-energy key management protocol for
wireless sensor networks. In Proceedings of the
Eltoweissy, M., Heydaru, H., Morales, L., &
IEEE Symposium on Computers and Communica-
Sadborough, H. (2004, March). Combinatorial
tions, ISCC’2003 (p. 335).
optimization of key management in group com-
munications. Journal of Network and Systems Josang, A., & Ismail, R. (2002, June). The beta
Management: Special Issue on Network Security, reputation system. Paper presented at the 15th Bled
332. Electronic Commerce Conference, e-Reality: Con-
structing the e-Economy, Bled, Slovenia.
Eltoweissy, M., Moharrum, M., & Mukkamala, R.
(2006, April). Dynamic key managements in sen- Kaplantzis, S. (2004, October). Classification
sor networks. IEEE Communications Magazine, techniques for network intrusion detection (Tech.
122-130. Rep.). Monash University, ECSE.
Eschenauer, L., & Gligor, V.D. (2002). A key-man- Karlof, C., & Wagner, D. (2003). Secure routing
agement scheme for distributed sensor networks. in wireless sensor networks: Attacks and counter-
In Proceedings of the 9th ACM Conference on measures. Ad Hoc Networks, 1(2-3), 293-315.
Computer and Communications Security (pp.
Kerins, T., Marnane, W., Popovici, E., & Barreto,
41-47). Washington D.C.: ACM Press.
P. (2005, August-September). Efficient hardware
Eskin, E., Arnold, A., Pereau, M., Portnoy, L., for the for Tate pairing calculation in charac-
& Stolfo, S. (2002). A geometric framework for teristic three. In Proceedings of Workshop on
unsupervised anomaly detection: Detecting intru- Cryptographic Hardware and Embedded Systems,
sion in unlabeled data. Data Mining for Security Edinburgh, Scotland, (pp. 412-426).
Applications. Kluwer.
Kim, D.S., Shazzad, K.M., & Park, J. S. (2006).
Ganeriwal, S., & Srivastava, M. (2004). Reputa- A framework for survivability model for wireless
tion-based framework for high integrity sensor sensor network. In Proceedings of First Interna-
networks. In Proceedings of the 2nd ACM Work- tional Conference on Availability, Reliability and
shop on Security of Ad Hoc and Sensor Networks, Security (ARES’06).
Washington, D.C.
Loo, C.E., Ng, M.Y., Leckie, C., & Palaniswami,
Gaubatz, G., Kaps, J., & Sunar, B. (2004). Public M. (2006). Intrusion detection for sensor networks.
key cryptography in sensor networks: Revised. In International Journal of Distributed Sebsor Net-
Proceedings of 1st European Workshop on Security works.
in Ad-hoc and Sensor Networks (ESAS 2004),
Maarouf, I.K., & Naseer, A.R. (2007, May).
Heidelberg, Germany, (pp. 2-18). Springer.
WSNodeRater: An optimized reputation system
Gura, N., Patel, A., Wander, A., Eberle, H., & framework for security aware energy efficient
Shantz, S. C. (2004, April). Comparing elliptic geographic routing in WSNs. Paper presented at the
curve cryptography and RSA on 8-bit CPUs. In ACS/IEEE International Conference on Computer
Proceedings of CHES, Boston, (pp. 119-132). Systems and Applications, Amman, Jordan.
Han, J., & Kamber, M. (2001). Data mining: Malan, D. J., Welsh, M., & Smith, M.D. (2004,
Concepts and techniques. Morgan Kauffmann October). A public-key infrastructure for key
Publishers. distribution in tinyOS based on elliptic curve
cryptography. In Proceedings of IEEE SECON,
Hu, Y.C., Perrig, A., & Johnson, D. B. (2003,
Santa Clara, CA, (pp.71-80).
April). Packet leashes: A defense against wormhole
attacks in wireless networks. In Proceedings of Marouf, I.K., & Naseer, A.R. (2006, December).
IEEE INFOCOMM 2003. SNARE: Sensor node attached reputation evalua-
Routing Security in Wireless Sensor Networks
tor. Paper presented at the CONEXT ’06, LIsboa, Pottie, G., & Kaiser, W. (2000). Wireless integrated
Portugal. network sensors. Communications of the ACM,
43(5), 551-558.
Michiardi, P., & Molva, R. (2002, September).
Core: A collaborative reputation mechanism Rajasegarar, S., Leckie, C., Palaniswami, M., &
to enforce node cooperation in mobile ad hoc Bezdek, J.C. (2006, October 30-November 1).
networks. Paper presented Communication and Distributed anomaly detection in wireless sensor
Multimedia Security Conference, Portoroz, Slo- networks. In Proceedings of Tenth IEEE Interna-
venia, (pp. 26-27). tional Conference on Communications Systems
(IEEE ICCS 2006), Singapore.
Mui, L., Halberstadt, A., & Mohtashemi, M. (2002,
July). Notions of reputation in multi-agents systems: Savvides, A., Han, C., & Srivastava, M. (2001,
A review. In Proceedings of First International July). Dynamic fine-grained localization in ad-hoc
Joint Conference Autonomous Agents and Multi- networks of sensors. In Proceeding of 7th ACM
Agent Systems (pp. 280-287). MobiCom (pp. 166-179).
Mun, Y., & Shin, C. (2005, May 9-12). Secure Scott, M. (2005, February). Computing the Tate
routing in sensor networks: Security problem pairing. In Proceedings of Cryptographers’ Track
analysis and countermeasures. Paper presented at the RSA Conference, San Francisco, (pp. 293-
at the International Conference on Computational 304).
Science and Its Applications – ICCSA 2005, Sin-
Tanachaiwiwat, S., Dave, P., Bhindwale, R., &
gapore, (LNCS 3480, pp. 459-467). Heidelberg,
Helmy, A. (2004, April). Location-centric isola-
Germany: Springer Verlag.
tion of misbehavior and trust routing in energy-
Naldurg, S., Yi, R., & Kravets, R. (2001). Secu- constrained sensor networks.
rity-aware ad-hoc routing for wireless networks.
Traynor, P., Choi, H., Cao, G., Zhu, S., & La
Paper presented at the ACM Workshop on Mobile
Porta, T. F. (2004). Establishing pair-wise keys in
Ad Hoc Networks, MOBIHOC.
heterogeneous sensor networks (Networking and
Onat, I., & Miri, A. (2005, August). An intrusion Security Center, Tech. Rep. NAS-TR-0001-2004).
detection system for wireless sensor networks. Penn State University, Dept of Computer Science
Wireless and Mobile computing Networking and & Engineering.
Communications, 3, 253-259.
Wood, A., & Stankovic, J. (2002, October). Denial
Oniz, C.C., Tasci, S.E., Savas, E., Ercetin, O., of service in sensor networks. IEEE Computers,
& Levi, A. (2005). SeFER: Secure, flexible and 54-62.
efficient routing protocol for distributed sensor
Yang, C., Zhou, J., Zhang, W., & Wong, J. (2006,
networks. Paper presented at the IEEE 2005 (pp.
May 29- June 1). Pairwise key establishment for
246-255).
large scale sensor networks: From identifier based
Perrig, A., Szewezyk, R., Wen, V., Culler, D., & to location based. In Proceedings of the first In-
Tygar, J. (2001). SPINS: Security protocols for sen- ternational Conference on Scalable Information
sor networks. In Proceedings of Mobile Networking Systems, INFOSCALE’06, HongKong.
and Computing 2001.
Younis, M., Ghumman, K., & Eltoweissy, M.
Pirretti, M., Zhu, S., Narayanan, V., McDaniel, (2006). Location-aware combinatorial key manage-
P., Kandemir, M., & Brooks, R. (2005, October). ment for clustered sensor networks. IEEE Transac-
The sleep deprivation attack in sensor networks: tions on Parallel and Distributed Systems.
Analysis and methods of defense. Paper presented
Yu, Y., Govindan, R., & Estrin, D. (2001, May).
at the Conference on Innovations and Commercial
Geographical and energy-aware routing: A re-
Applications of Distributed Sensor Networks.
Routing Security in Wireless Sensor Networks
cursive data dissemination protocol for wireless key setup, node addition/rekeying, and node evic-
sensor networks (Tech. Rep. UCLA/CSD-TR-01- tion/key revocation.
0023). University of Southern California.
Reputation System: A type of collaborative
Zhang, Y., Liu, W., Lou, W., & Fang, Y. (2006, filtering algorithm which attempts to determine
February). Location based compromise-tolerant ratings for a collection of entities, given a col-
security mechanisms for wireless sensor networks. lection of opinions that those entities hold about
IEEE Journal on Selected Areas in Communica- each other.
tions, 24(2).
Routing Attacks: Network layer attacks such
Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: as routing information spoofing, alteration or re-
Efficient security mechanisms for large-scale play, blackhole and selective forwarding attacks,
distributed sensor networks. In Proceedings of sinkhole attacks, Sybil attacks, wormhole attacks,
ACM CCS, 2003. HELLO flood attacks, and acknowledgement
spoofing.
kEy tErMs Routing Security: Securing routing operation
from attacks in a network by deploying appropri-
DoS Attack: Any event that decreases or elimi- ate defense.
nates a network’s capacity to perform its expected
Trust: A relationship of reliance. Trust is a
function is termed as a denial-of-service attack or
prediction of reliance on an action, based on what
commonly known as DoS attack.
a node knows about the other node, in the context
Intrusion: Can be defined as a set of actions of wireless sensor networks. The notion of trust
that can lead to an unauthorized access or altera- is increasingly adopted to predict acceptance of
tion of a certain system. behaviors by others.
Key Management: A scheme to dynamically Wireless Sensor Network (WSN): A wire-
establish and maintain secure channels among less network consisting of spatially distributed
communicating nodes. In wireless sensor networks, autonomous devices using sensors to cooperatively
a key management scheme must deal with the monitor physical or environmental conditions, such
following important issues: key deployment/key as temperature, sound, vibration, pressure, motion,
predistribution, key discovery, key establishment/ or pollutants at different locations.
Chapter XXXVII
Localization Security in Wireless
Sensor Networks
Yawen Wei
Iowa State University, USA
Zhen Yu
Iowa State University, USA
Yong Guan
Iowa State University, USA
AbstrAct
Localization of sensor nodes is very important for many applications proposed for wireless sensor
networks (WSN), such as environment monitoring, geographical routing, and target tracking. Because
sensor networks may be deployed in hostile environments, localization approaches can be compromised
by many malicious attacks. The adversaries can broadcast corrupted location information; they can
jam or modify the transmitting signals between sensors to mislead them to obtain incorrect distance
measurements or nonexistent connectivity links. All these malicious attacks will cause sensors not able
to or wrongly estimate their locations. In this chapter, we summarize the threat models and provide a
comprehensive survey and taxonomy of existing secure localization and verification schemes for wire-
less sensor networks.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Localization Security in Wireless Sensor Networks
Localization Security in Wireless Sensor Networks
through manual configurations). These nodes are approaches. Besides the least mean square criteria,
called anchors and serve as location references for Kalman-filter (KF) and least mean square (LMS)
other nodes to localize. Depending on the avail- (Smith et al., 2004) can also be applied to obtain
ability of such anchors, we classify the localiza- the optimal solution for sensors’ location.
tion approaches as anchor-based or anchor-free
ones. We also classify them into range-based or Anchor-based range-free
range-free ones on whether they require distance Approaches
measurements between sensors, and centralized or
distributed on whether the localization is performed Since range-based approaches require special
by a computing center or by sensors themselves. hardware to measure the distances between sen-
The classification is given in Table 1, where “(c)” sor nodes, range-free approaches attracted more
means that the approach is centralized. research interests recently. In anchor-based range-
free approaches, no distance measurements are
Anchor-based range-based needed and sensors determine their locations using
Approaches the beacon messages from anchors. Both Active
Badge (Want et al., 1992) and Cricket (Priyantha et
In anchor-based localization approaches, some al., 2000) belong to this category. Centroid method
anchors are deployed whose positions are known (Bulusu et al., 2000) calculates a sensor’s loca-
from GPS device or manual configuration. In tion as the mean value of the locations of anchors
range-based approaches, the sensors’ locations are from which this sensor hears beacon messages.
determined by using trilateration technique based APIT (He et al., 2003) determines some triangles
on the distances between sensors. The trilateration in which a sensor may reside, and estimates the
method solves a set of equations and estimates sensor’s location as the overlapping region of theses
sensor’s location that best satisfy the distance con- triangles. SeRLoc (Lazos & Poovendran, 2004)
straints (according to some optimization criteria, uses sectored antennas equipped on anchors and
e.g., least square error criteria). Active Bat (Harter computes sensor’s location as the centroid of the
et al., 1999), RADAR (Bahl & Padmanabhan, overlapping region of multiple sectors. DV-hop
2000), AHLoS (Savvides et al., 2001), and SDP (Nicolescu & Nath, 2001) and DV-based AoA
(So & Yu, 2005) are all anchor-based range-based (Nicolescu & Nath, 2003) first obtain the hop
Localization Security in Wireless Sensor Networks
counts from sensors to anchors by flooding through Attackers can compromise anchors or sensors
the sensor field, then estimates the average hop and send out false location information. They can
distance and translates the hop-count distances jam the communications between sensors and
to real distances to determine sensors’ locations. replay the messages, which maes sensors wrongly
Amorphous (Nagpal et al., 2003) employs a similar estimate the time-of-flight value and obtain wrong
strategy as DV-hop but estimates the average hop distance measurements. They can strengthen or
distance offline. Convex (Doherty et al., 2001) weaken the signal strength, which also makes the
utilizes a linear programming (LP) method to sensors obtain wrong distance measurements.
solve the linear equations and obtain the optimal Finally, the attackers can use a wired link (called
solutions for the sensors’ locations. wormhole) to transmit messages received from
one location and broadcast at the other location,
Anchor-free range-based thus making sensors build nonexistent neighboring
Approaches connectivity, which results in wrong estimations
of the sensors’ locations.
There are relatively fewer anchor-free range-based We can classify the attackers into internal at-
localization approaches. One is MDS-MAP (Shang tackers and external attackers. An internal attacker
et al., 2003), which is based on multidimensional can compromise a sensor, obtain its key materials,
scaling technique to derive the locations of all and authenticate itself to others. An external at-
sensors. It can also work as a range-free approach tacker cannot obtain any cryptographic secrets or
when only using the connectivity information authenticate itself, but it can corrupt the physical
between sensors instead of the distance measure- features of the communications between sensors,
ments, which may cause some degradations of the for example, they can corrupt the distance mea-
localization performance. surements or neighboring connectivity by jamming
the communications between sensors. In Table 2,
Anchor-free range-free Approaches we list the threat models and the corresponding
attackers that can launch the threat models. We
MDS-MAP (Shang et al., 2003) is a centralized then describe them in more details in the follow-
anchor-free range-free localization approach. Be- ing subsections.
sides, Fang et al. (2005) proposed a decentralized
approach, which assumed that sensors are deployed fake location
in groups and the sensors in the same group can
land in different locations following a known prob- Fake locations information can be generated by
ability distribution. With this prior deployment the internal attackers who compromise sensors
knowledge, a sensor utilizes the observation of the and authenticate themselves as legitimate ones.
group memberships of its neighbors, and utilizes The impact of this attack is twofold. First, many
the maximum likelihood estimation method to location-based applications such as environment
determine its location. monitoring and target tracking will be fooled by
the wrong location of some specific events, for
example, high-temperature area and location of
tHrEAts to locAlIzAtIon an enemy tank. Second, other sensors’ locations
will be polluted if they refer to these fake locations
APProAcHEs
when localizing themselves.
Since sensor networks may be deployed in hostile
environments, the localization approaches are sub- wormhole
ject to many malicious attacks. In this section, we
classify and discuss the possible attacks launched Wormhole attack was first discussed by Hu, Perrig,
to the current localization approaches. and Johnson (2003). In the wormhole attack, the
0
Localization Security in Wireless Sensor Networks
s’
R A2
s s” R
A1 C B
adversaries copy the messages heard at one loca- range Enlargement and reduction
tion and replay them at another location.
Figure 1 illustrates how a wormhole attack The range modification attacks are detrimental to
can damage a sensor’s localization. As shown in range-based localization approaches.
the figure, sensor s can directly hear the beacon (1) If a time-of-flight method is used to estimate
message of anchor A1, but not of anchor A2. To distance, external attackers can jam and replay the
attack the localization of s, an adversary establishes signal or transmit it through multipaths to prolong
a wormhole between position B and C, which are the transmitting time (range enlargement attack).
near A2 and s, respectively. Then, the adversary Or they can speed-up the signals to shorten the
records A2’s beacon message at position B, trans- transmitting time (range reduction attack). For
mits it through the wormhole tunnel, and replays it example, they transform the ultrasound signal into
at position C. If s determines its location only based radio frequency signal whose transmitting speed is
on A2’s beacon message, it may assume it is near faster, and transform the signal back to ultrasound
anchor A2 (at some location within the transmission and broadcast the signals at the end point. Inter-
region of A2). If it uses both messages of A1 and nal attackers can fully control the compromised
A2, it may either believe it is located somewhere sensors, thus they may hold on to the signal for a
between A1 and A2 (e.g., at location s’’) or it may short period of time before transmitting to launch
not be able to determine its location at all because a range enlargement attack. (2) If a signal strength
it is not expected to receive the beacon messages method is used to estimate distance, external
from two anchors so far away from each other. attacker can jam and strengthen or weaken the
In such a wormhole attack, the adversaries signal before replaying it; internal attackers can
do not need to compromise any sensor or anchor directly broadcast signals with strengthened or
to understand the meaning of the messages, they weakened signals.
just copy and transmit the messages through the
established wormhole tunnel to corrupt the local-
ization approaches.
Localization Security in Wireless Sensor Networks
Distance-bounding
Delicate Packet Leashes (Brands & Chaum, 1993)
hardware (Hu et al., 2003) Claim (Sastry, Shankar, & Wagner, 2003)
required Verifiable Multilateration(L)
(Capkun & Hubaux, 2005)
Covert Base-station Capkun, Cagalj, &
Srivastava, 2006)
Sector antenna Sectored antenna
required (Hu & Evans, 2003)
SeRLoc (Lazos & Poovendran,
2004)
MMSE-Outlier (Liu, Ning, & LAD(L)
No special Du, 2005) (Du, Fang, & Ning, 2005)
hardware LMS-Outlier PLV (Ekici, McNair, & Al-Abri, 2006)
required (Li, Trappe, Zhang, & Nath,
2005)
COTA (Wei, Yu, & Guan,
2006)
Localization Security in Wireless Sensor Networks
sage is sent from Zone j of the sender node, and i through wormholes because the communications
and j are not opposite to each other, we can detect are unreliable in reality and the messages may
that messages may be transmitted through some need to be retransmitted multiple times before the
wormholes. Besides this basic detecting method, receiver can actually receive them.
the authors propose a verified-neighbor-discovery
protocol and a strict-neighbor-discovery protocol secure localization schemes Against
to detect the sophisticated wormholes. These All Attacks
protocols require some potential verifier nodes to
help a sensor to distinguish legitimate neighbors All malicious attacks to localization including fake
from the wormhole ones. Thus the lack of suffi- locations, wormholes, and range modifications have
cient verifier nodes will result in the lost of some a common feature: they all provide inconsistent
legitimate connectivity links and degradation of location references, namely, the sending sensor’s
the localization performance. location and the measured distance between the
Lazos and Poovendran (2004) propose another sender and the receiver are inconsistent. There-
secure localization scheme called SeRLoc that also fore, some experts suggested using statistical
uses sectored antennas. An anchor transmits dif- outlier-removing methods to filter out inconsistent
ferent beacons at each antenna sector containing references.
the anchor’s location and the angles of the antenna Liu et al. (2005) take the mean square error
boundary lines. Each sensor determines its location (MSE) as an indicator of the degree of inconsistency
as the center of gravity of the overlapping region of among location references. They propose a greedy
all sectors it hears. During this localization process, algorithm that starts with the set of all location ref-
wormholes can be detected using two properties: erences, and each time considers the subsets with
the sector uniqueness property and the communi- one fewer reference and chooses one subset with
cation range violation property. If two sectors of the least MSE as the input to the next round, until
a single anchor are heard, or if two anchors heard the MSE value drops below a reasonable thresh-
by the sensor have a mutual distance greater than old. This scheme can effectively enhance sensors’
2R (R is the communication range), the sensor attack-resistant ability, but it launches relatively
can detect that it is under wormhole attacks. After high computation overheads on sensors. Another
detecting the wormhole, the sensor broadcasts a problem is that it requires benign references to be
random nonce and identifies the closest anchor, Li, the majority among all location references, and may
by the first reply, then takes the center of gravity not work well when corrupted location references
closest to Li as its estimated location. This tech- collude together and take a larger percentage (e.g.,
nique is named attach to closer locator algorithm around 50%) among all references.
(ACLA). One problem of ACLA is that innocent Instead of identifying and eliminating inconsis-
packets may sometimes arrive later than the ones tent references before localization, Li et al. (2005)
propose a scheme that lives with these inconsistent
references and estimates reasonable locations for
Figure 2. Detect wormholes using sector anten- sensors using least median of the squares (LMS)
nas technique. LMS is one of the most commonly used
robust fitting algorithms and can tolerate up to
50% outliers among the total references. Since the
exact LMS solutions are computationally prohibi-
tive, the authors adopted an efficient alternative
technique (Rousseeuw & Leroy, 2003) to first get
several candidate reference subsets, then choose
the one with the least median squares to estimate
a sensor’s location.
Localization Security in Wireless Sensor Networks
Both of the above schemes try to prevent sen- propose the echo protocol to verify if a device is
sors from wrongly localizing themselves, however, inside some specific region (e.g., a room or a foot-
when a sensor fails to filter out the inconsistent ball stadium) to facilitate location-based access
references, its corrupted location would “pollute” control. Their protocol is very simple in that the
the localization of many downstream sensors and verifier node sends a packet containing a nonce
cascade through the entire sensor network. Wei, using RF and the device echoes the packet back
Yu, and Guan (2006) propose a scheme named using ultrasound. Then by checking the packet
COTA that uses confidence tags to identify spurious transmission time and the processing delay, the
localizations of sensors. COTA consists of a tag verifier can verify if the device locates inside the
generation process and a reference filtering process. circle region centered at the verifier.
In the tag generation phase, two methods (the sta- If RF time-of-flight method can be used to mea-
tistic indicator and the geographical indicator) can sure distance, distance-bounding protocol (Brands
be used to calculate the sensors’ confidence tags & Chaum, 1993) can upper bound the measured
based on the positions of their neighbors, distance distance from one device to another. The important
measurements, and the confidence tags of their assumption of this protocol is that the device can
neighbors. In the reference filtering phase, bad bound its xor processing to a few nanoseconds
references can be filtered out by comparing their and the verifier can measure time with nanosec-
confidence tags to the absolute and relative metrics. ond precision. Based on this distance-bounding
COTA can effectively prevent the proliferation of protocol, Capkun and Hubaux (2005) propose a
location errors in the sensor field. location verification scheme for wireless sensor
networks using a verifiable multilateration (VM)
Location Verification Schemes technique. The rationale behind VM technique is
that when a sensor claims to locate somewhere
Although many secure localization schemes have within a triangle region formed by three veri-
been proposed to provide robust localization per- fiers, then its location can be verified only when
formance, they require special hardware or assume all three distances from the sensor to the verifiers
some limitations on the adversaries’ abilities, and are consistent with the calculated ones. The limita-
cannot guarantee that all sensors can calculate tions of the VM technique are the requirement of
correct location estimations. Moreover, a compro- delicate hardware to perform distance-bounding
mised sensor (internal attacker) can directly report protocol and the requirement of dense deployment
corrupted locations to the base station; meanwhile of verifiers.
it provides a correct location to its neighbors and Lazos, Poovendran, and Capkun (2005) propose
cannot be detected. These corrupted locations a secure localization and verification system called
can cause severe consequences to many location- ROPE, which combines the secure properties of
based applications. For example, wrong locations the verifiable multilateration technique (Capkun
of enemy force will make the surveillance center & Hubaux, 2005) and SeRLoc (Lazos & Pooven-
not able to locate or track the real target, and thus dran, 2004).
the location verification is a necessary second-line Capkun et al. (2006) propose a verification
to defend against the adversaries. Note that some scheme using covert base stations. The covert
verification schemes can also be used as secure base stations (CBS) are silent to the on-going
localization schemes if sensors’ locations have not communications and their positions are only
been determined, and we denote them by “(L)” known to the verification infrastructure. Upon
in Table 3. receiving location messages from a sensor, several
CBS cooperate (through wired links) and check
Verification Using Special Hardware if their location is consistent with the difference
of time-of-arrival to each CBS. Because sensors
The location verification problem was first intro- do not know the positions of CBS, their success
duced by Sastry et al. (2003), where the authors rate to achieve consistency through guessing is
Localization Security in Wireless Sensor Networks
very small. A mobile base station (MBS) can also estimate false hop counts from them to the anchor,
play the role of verifier, by sending a verification resulting in a biased estimation of the average
request from one location, moving, and waiting for hop-distance.
the response at a different location. Therefore, at Another issue is that current location verification
the time of performing verification, a sensor does schemes either verify if a sensor exactly locates at
not know the positions of the MBS. its claimed location, or verify if it locates within
the anomaly degree of its true location. However,
Verification Without Special Hardware verification regions can be arbitrary and should be
related to the specific application. For example, in
Unlike other verification schemes that use some a military surveillance application, the monitoring
special hardware, Du et al. (2005) propose a scheme center decides to project a missile at the location
that verifies sensors’ locations by checking the reported by the sensor who detects the enemy force,
consistency of the locations with the deployment thus it should determine a specific verification
knowledge. They assume that all sensors are de- region in which the detecting sensor should reside
ployed in groups (each group has a unique group to guarantee that the target can be destroyed.
ID) following a known probability distribution.
A sensor’s location can be verified only when its
neighborhood observation is consistent with that conclusIon
derived from the deployment knowledge. The
difference between this scheme and the previous In this chapter, we provide a taxonomy of the
works is that in this scheme, the sensors are veri- research efforts devoted to secure localization in
fied if their locations are within an anomaly degree wireless sensor networks. We classify them into
from their true locations, rather than exactly at the secure localization schemes that aim to provide
true locations. correct location estimations for sensors at the
Recently, Ekici et al. (2006) proposed proba- front-line, and location verification schemes that
bilistic a location verification (PLV) algorithm to aim to detect abnormal locations of sensors at the
verify sensors’ locations in densely deployed sensor second-line, that is, after sensors’ locations have
networks. PLV explores the probabilistic relation been determined using any other (insecure or se-
between the number of hops a packet traverses to cure) localization approaches. We also classify the
reach a destination and the Euclidean distance be- security localization mechanisms on whether they
tween source and destination. Then the verifier can require any special hardware. Generally, localiza-
determine plausibility (between 0 and 1) and create tion for sensor networks becomes more robust
a trust level for each sensor’s location claim. with the availability of more advanced hardware,
for example, sectored antennas, fast processing
hardware, or even nanosecond-precision clocks.
futurE trEnds If there is no such special hardware, other infor-
mation such as deployment knowledge is needed
Although various secure mechanisms have been to detect the inconsistent information injected by
proposed for localization in wireless sensor adversaries.
networks, there is still a large space for future
improvements.
First, very few works have been done to se- rEfErEncEs
cure range-free localization approaches which
deserve more research efforts. For example, in Bahl, P., & Padmanabhan, V. N. (2000). RADAR:
DV-hop approach, if the adversaries compromise An in-building RF-based user location and tracking
a single node and send out a false hop count, then system. Paper presented at the IEEE Conference on
all down-steaming nodes will be influenced and Computer Communications (INFOCOM).
Localization Security in Wireless Sensor Networks
Brands, S., & Chaum, D. (1993). Distance-bounding the Annual International Conference on Mobile
protocols. Theory and application of cryptographic Computing and Networking (ACM Mobicom).
techniques (pp. 344-359).
Hu, L., & Evans, D. (2003). Using directional anten-
Bulusu, N., Heidemann, J., & Estrin, D. (2000). nas to prevent wormhole attacks. In Proceedings of
GPS-less low cost outdoor localization for very the 11th Network and Distributed System Security
small devices. IEEE Personal Communications, Symposium (pp. 131-141).
7(5), 284.
Hu, Y., Perrig, A., & Johnson, D. (2003). Packet
Capkun, S., Cagalj, M., & Srivastava, M. (2006). leashes: A defense against wormhole attacks in
Secure localization with hidden and mobile base wireless ad hoc networks. Paper presented at the
stations. Paper presented at the IEEE Conference IEEE Conference on Computer Communications
on Computer Communications (INFOCOM). (INFOCOM).
Capkun, S., & Hubaux, J. (2005). Secure position- Lazos, L., & Poovendran, R. (2004). SeRLoc:
ing of wireless devices with application to sensor Secure range-independent localization for wire-
networks. Paper presented at the IEEE Conference less sensor networks. Paper presented at the ACM
on Computer Communications (INFOCOM). Workshop on Wireless Security.
Doherty, L., Pister, K. S., & Ghaoui, L. (2001). Lazos, L., Poovendran, R., & Capkun, S. (2005).
Convex position estimation in wireless sensor Rope: Robust position estimation in wireless sensor
networks. Paper presented at the IEEE Conference networks. Paper presented at the ACM/IEEE Infor-
on Computer Communications (INFOCOM). mation Processing in Sensor Networks (IPSN).
Du, W., Fang, L., & Ning, P. (2005). LAD: Lo- Li, Z., Trappe, W., Zhang, Y., & Nath, B. (2005).
calization anomaly detection for wireless sensor Robust statistical methods for securing wireless
networks. In Proceedings of IEEE International localization in sensor networks. Paper presented at
Parallel and Distributed Processing Symposium the ACM/IEEE Information Processing in Sensor
(IPDPS). Networks (IPSN).
Ekici, E., McNair, J., & Al-Abri, D. (2006). A Liu, D., Ning, P., & Du, W. (2005). Attack-resistant
probabilistic approach to location verification in location estimation in sensor networks. Paper pre-
wireless sensor networks. In Proceedings of IEEE sented at the ACM/IEEE Information Processing
International Conference on Communications in Sensor Networks (IPSN).
(ICC).
Nagpal, R., Shrobe, H., & Bachrach, J. (2003).
Fang, L., Du, W., & Ning, P. (2005). A beacon-less Organizing a global coordinate system from local
location discovery scheme for wireless sensor net- information on an ad hoc sensor network. Paper
works. Paper presented at the IEEE Conference on presented at the ACM/IEEE Information Process-
Computer Communications (INFOCOM). ing in Sensor Networks (IPSN).
Harter, A., Hopper, A., Steggles, P., Ward, A., Nicolescu, D., & Nath, B. (2001). Ad-hoc posi-
& Webster, P. (1999). The anatomy of a context- tioning systems (APS). Paper presented at the
aware application. Paper presented at the Annual IEEE Global Telecommunications Conference
International Conference on Mobile Computing (GLOBECOM).
and Networking (ACM Mobicom).
Nicolescu, D., & Nath, B. (2003). Ad hoc position-
He, T., Huang, C., Blum, B., Stankovic, J., & Abdel- ing system (APS) using AoA. Paper presented at the
zaher, T. (2003). Range-free localization schemes IEEE Conference on Computer Communications
in large scale sensor network. Paper presented at (INFOCOM).
Localization Security in Wireless Sensor Networks
Priyantha, N., Chakraborty, A., & Balakrishnan, sensor networks. In Proceedings of IEEE/ACM
H. (2000). The cricket location-support system. International Conference on Distributed Comput-
Paper presented at the Annual International Con- ing in Sensor Systems (DCOSS).
ference on Mobile Computing and Networking
(ACM Mobicom).
Rousseeuw, P., & Leroy, A. (2003). Robust regres- kEy tErMs
sion and outlier detection. John Wiley & Sons,
Inc. Anchors: Anchors are special sensors that
know their locations before localization through a
Sastry, N., Shankar, U., & Wagner, D. (2003).
GPS device equipped on them or through manual
Secure verification of location claims. Paper
configurations.
presented at the ACM Workshop on Wireless
Security (WiSe). Localization: Localization in wireless sensor
networks is the process that all sensors obtain their
Savvides, A., Han, C.-C., & Srivastava, M. (2001).
relative or absolute locations, by themselves or by
Dynamic fine-grained localization in ad-hoc net-
network computing center.
works of sensors. Paper presented at the Annual
International Conference on Mobile Computing Location Verification: Location verification in
and Networking (ACM Mobicom). wireless sensor networks is the process that cor-
rectly estimated locations of sensors can be verified
Shang, Y., Ruml, W., Zhang, Y., & Fromherz,
and corrupted locations can be detected.
M. (2003). Localization from mere connectivity.
Paper presented at The ACM International Sym- Range-Based/Range-Free: A localization
posium on Mobile Ad Hoc Networking and Com- approach is range-based (or range-free) if it does
puting (MobiHoc). (or does not) use the measured distance between
sensors to estimation their locations.
Smith, A., Balakrishnan, H., Goraczko, M.,
& Priyantha, N. (2004). Tracking moving de- Secure Localization: Secure localization in
vices with the Cricket location system. Paper wireless sensor networks is the process that sen-
presented at the International Conference on sors can obtain their locations in the presence of
Mobile Systems, Applications, and Services malicious attacks.
(MobiSys).
Wireless Sensor Network (WSN): A wireless
So, A., & Yu, Y. (2005). Theory of semidefite sensor network (WSN) is a wireless network con-
programming for sensor network localization. sisting of autonomous devices that cooperatively
Paper presented at the ACM-SIAM Symposium monitor environmental conditions, such as tem-
on Discrete Algorithms (SODA). perature, sound, pollutants, and so forth.
Want, R., Hopper, A., Falcao, V., & Gibbons, J. Wormholes: Wormholes in wireless sensor
(1992). The active badge location system. ACM networks are nonexisting communication tunnels
Transactions on Information Systems, 10(1), 91- (usually wired links) created by adversaries. The
102. messages received at one end of a wormhole can
be transmitted through the tunnel, and broadcasted
Wei, Y., Yu, Z., & Guan, Y. (2006). COTA: A
at the other end.
robust multi-hop localization scheme in wireless
Chapter XXXVIII
Resilience Against False Data
Injection Attack in Wireless
Sensor Networks
Miao Ma
The Hong Kong University of Science and Technology, Hong Kong
AbstrAct
One of the severe security threats in wireless sensor network is false data injection attack, that is, the
compromised sensors forge the events that do not occur. To defend against false data injection attack,
six en-route filtering schemes in a homogeneous sensor network are described. Furthermore, one sink
filtering scheme in a heterogeneous sensor network is also presented. We find that deploying heteroge-
neous nodes in a sensor network is an attractive approach because of its potential to increase network
lifetime, reliability, and resiliency.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Resilience Against False Data Injection Attack in Wireless Sensor Networks
stored in the compromised nodes, and misuse them happens it can be detected by multiple sensors.
to launch insider attacks. Therefore, a nonresilient However, it is inefficient and also unnecessary
security protection scheme will exhibit a threshold for every sensor node to report their raw data to
breakdown problem. That is, the design is secure the sink node, because: (1) every data packet usu-
against t or less compromised nodes, but once ally needs to travel many hops (e.g., tens or event
more than t nodes are compromised the security longer) to reach the sink; (2) each sensor node is
design completely breaks down, where t is a fixed often constrained by scarce resources in memory,
threshold. Since in reality nobody can prevent an computation, communication, and battery; and (3)
attacker from compromising more than t nodes, in many cases there is high redundancy in the raw
such a security protection solution cannot meet the data. Hence, raw data are often fused and aggre-
resilience requirement. Our expectation in terms gated locally, and only the aggregated information
of resilience is that, compromising t nodes in a is returned to the sink. In such a setting, certain
certain area can only enable an adversary to forge nodes in the sensor network will function as cluster
nonexisting events in that specific area, rather than heads (CHs), to collect the raw sensing data from
any other location at all. Put in other words, for an the sensors, process it locally, and return the ag-
attacker, the only way to generate a valid report on gregation report to the sink. Once the sink receives
a nonexisting event happening in a certain area is an event report, it may take action accordingly.
to compromise t nodes in that area. Unfortunately, the above event detection and
In this chapter, we overview several schemes reporting process can be seriously threatened by
that have been proposed to defend against compro- false data injection attacks. As we stated above,
mised nodes. We will show that several schemes sensors are usually deployed in unattended or
are only resilient against a small, fixed number of even hostile environments, and an adversary may
compromised nodes with threshold breakdown capture or compromise sensor nodes. Once this
problems, while subsequent schemes partially happens, the compromised nodes can easily inject
and completely solve the threshold breakdown false data reports of nonexisting events. Even
problems. worse, when an adversary compromises more
The rest of this chapter is organized as follows. nodes and combines all the obtained secret keys,
In the next section, we introduce the background. the adversary can freely forge the event reports
Several en-route filtering schemes in a homoge- which not only “happen” at the locations where
neous sensor network are presented. Furthermore, the nodes are compromised, but also at arbitrary
a sink filtering scheme in a heterogeneous sensor locations in the field. These fabricated reports not
network is shown. Finally, the last section concludes only produce false alarms (and lead to false posi-
the chapter. tives), but also waste valuable network resources,
such as energy and bandwidth, when delivering the
forged reports to the base station. Therefore, it is
bAckground important to design an effective filtering scheme
to defend against such attacks and minimize their
false data Injection Attacks impacts.
In this chapter, we consider the following threat
We consider a sensor network, which consist of model. The attacker may compromise multiple sen-
hundreds or thousands of low-cost sensors. Each sor nodes in the network, but cannot compromise
sensor senses and collects data from the environ- the sink. Once a sensor node is compromised,
ment. There is at least one base station (or sink), the attacker can obtain all secret keys, data, and
which is typically a resource-abundant computer codes stored in the sensor. Whenever more nodes
equipped with sufficient computation and storage are compromised, the attacker can combine all the
capabilities. We assume that the sensor nodes are secret keys that have obtained, and can also load a
deployed in a high density, so that once an event compromised node with the secret keys obtained
Resilience Against False Data Injection Attack in Wireless Sensor Networks
from other compromised nodes. We also assume metric secret keys, and the MAC is generated by
that the attacker cannot successfully compromise using one of the secret keys.
a node during the short deployment phase.
Besides report fabrication attack, there are En-Route Filtering
various other attacks in wireless sensor networks.
For example, a compromised node may simply not By using a suitable key assignment scheme, any
report an event that occurs (which leads to false intermediate node is able to verify the report with
negative), or a compromised node replays a legiti- certain probability or deterministically. Whenever
mate report, and so forth. However, these threats an intermediate node receives a report, it first checks
are addressed in other related work and not the whether the report carries m distinct MACs; it then
focus of this chapter. Instead, in this chapter we check if itself stores a same key with the sensing
overview several schemes that have been proposed node. If yes, it checks whether the carried MAC
to reduce false positive, that is, prevent an attacker is the same as the MAC it computes via its locally
from fabricating reports about events that do not stored key. It drops the report when any of these
occur. Two main design goals of these schemes checks fails. Otherwise (i.e., it does not have any
are summarized as follows: of the keys or the MACs are correct), it forwards
the reports as usual. Notice that though the filtering
1. Resilience against a large number of com- power of any single node is limited, the collec-
promised nodes: A good protection scheme is tive filtering power along the forwarding path is
expected to degrade gracefully as the number significant. The more hops a forged report travels,
of compromised sensor increases, without the the higher chance it is dropped en-route.
threshold breakdown problem.
2. Adaptive to dynamic topology: The scheme Sink Verification
can deal with dynamic topology of sensor
networks and is scalable for large-scale sen- The en-route filtering performed by the intermedi-
sor networks. ate nodes may be probabilistic in nature, thus cannot
guarantee to detect and drop all forged reports.
En-route filtering framework The sink serves as the final guard in rejecting
any escaping ones. Because the sink knows all the
Statistic en-route filtering mechanism (SEF) (Ye, keys, it can verify each MAC carried in a report.
Luo, Lu, & Zhang, 2004) is the first effort that ad- On the basis of the number of correct MACs each
dresses false data injection attacks in the presence report carries, the sink decides whether to accept
of compromised sensors, where an en-route filtering the event or not.
framework was originally proposed. The en-route Besides a SEF scheme, five more designs
filtering framework has three components: report including interleaved hop-by-hop authentication
generation using message authentication codes (IHA) (Zhu, Setia, Jajodia, & Ning, 2004), com-
(MACs), en-route filtering, and sink verification. mutative cipher-based en-route filtering (CCEF)
(Yang & Lu, 2004), location-based resilient security
Report Generation Using MACs (LBRS) (Yang, Ye, Yuan, Lu, & Arbaugh, 2005),
location-aware end-to-end data security (LEDS)
To generate a valid report, multiple (say m, where (Ren, Lou, & Zhang, 2006), and dynamic en-route
m > 1) nodes detect the event simultaneously and filtering (DEF) (Yu & Guan, 2006) are all specific
agree on the content of the event report. To be instances within the above framework. Based on
forwarded by intermediate nodes and accepted by the above framework, these five proposals have
the sink, each valid report must carry m MACs; adopted different key management schemes, which
each MAC is generated by the sensing node that immediately lead to different resilience behavior of
detects the event. Each sensor stores a few sym- their designs. We will describe their methodologies
in details in the subsequent sections.
0
Resilience Against False Data Injection Attack in Wireless Sensor Networks
Resilience Against False Data Injection Attack in Wireless Sensor Networks
to the desired cluster head and a witness key in verify events claimed to happen in those cells.
plain-text to all forwarding nodes along the path, Each legitimate report carries m distinct MACs,
through a query message. A legitimate report is jointly generated by the detecting nodes using the
endorsed by a node MAC jointly generated by the keys bound to the event’s cell. When an intermedi-
detecting nodes using their node keys, and a ses- ate node receives a report, it retrieves the event’s
sion MAC generated by the source node using the location from the report and checks whether the
session key. Through the usage of a commutative location is in one of its verifiable cells. If so, it
cipher, a forwarding node can use the witness key checks whether it has one of the keys hose indices
to verify the session MAC, without knowing the are carried in the report. If it has such a key, it
session key, and drop the fabricated reports. The recomputes the MAC and compares to the carried
base station further verifies the node MAC in the one. If the two MACs do not match, the report is
report that it receives, and refreshes the session key dropped. Otherwise, it forwards the report. The
upon detection of compromised nodes. sink performs final verification on the received
reports. It knows all location-binding keys, thus
Features able to verify every MAC in the report.
Resilience Against False Data Injection Attack in Wireless Sensor Networks
is used to provide data confidentiality; and (c) a set to forwarding nodes) is high. Third, as the authors
of authentication keys shared with the nodes in its discussed in the chapter, LEDS raises some new
report-auth cells and used to provide cell-to-cell types of attacks specific to its scheme.
authentication and en-route bogus data filtering. All
these keys are computed by each node locally and
independently. In addition, LEDS adopts a (t, T) scHEMEs In HEtErogEnEous
threshold linear secret sharing scheme (LSSS) so sEnsor nEtworks
that the sink can recover the original report from any
t out of T legitimate report shares. Moreover, LEDS In the previous section, we looked at some of the
adopts a one-to-many data forwarding approach, security protection schemes in homogeneous sensor
that is, all reports in LEDS can be authenticated by networks. However, there is another class of sensor
multiple next-hop nodes independently so that no networks, heterogeneous sensor networks, which
reports could be dropped by a single node(s). use two or more type of nodes. It is known that
the presence of heterogeneous nodes in a sensor
Features network helps to increase network lifetime and
reliability. In this section, we present the design of
First, LEDS meets the expected requirement in a sink filtering scheme (SFS) (Ma, 2006a, 2006b)
terms of resilience, with totally solving the thresh- in a heterogeneous network, showing that the pres-
old breakdown problem. Second, LEDS is suitable ence of heterogeneous nodes in a sensor network
for the sensor networks with dynamic topology. also helps to improve the resiliency.
Resilience Against False Data Injection Attack in Wireless Sensor Networks
report it has agreed. A CH collects raw sensing breakdown problem. Second, SFS is adaptive to
data from basic sensors, generates an aggregation the dynamic topology. Third, compared with all
report, and relays the report to the sink node. A the schemes in homogeneous sensor networks, SFS
sink node checks the validity of the carried MACs in heterogeneous sensor networks is more efficient
in an aggregation report and filters out the forged and scalable. Interested readers may refer works by
report. Ma (2006a, 2006b) for more details on resiliency
study and overhead evaluation.
Methodology
Resilience Against False Data Injection Attack in Wireless Sensor Networks
Yang, H., Ye, F., Yuan, Y., Lu, S., & Arbaugh, W. Compromised Nodes: Nodes on which an
(2005). Toward resilient security in wireless sensor attacker has gained control after network deploy-
networks. Paper presented at the ACM MobiHoc ment.
(pp. 34-45).
False Data Injection Attack: The type of
Ye, F., Luo, H., Lu, S., & Zhang, L. (2004). Sta- attack when the compromised sensors forge the
tistical en-route filtering of injected false data events that do not occur.
in sensor networks. Paper presented at the IEEE
Key Management: The process of managing
INFOCOM.
key materials (e.g., key generation, key distribu-
Yu, Z., & Guan, Y. (2006). A dynamic en-route tion, etc.) in a cryptosystem.
scheme for filtering false data injection in wire-
Message Authentication Code (MAC): It is
less sensor networks. Paper presented at the IEEE
a short piece of information used to authenticate
INFOCOM.
a message.
Zhu, S., Setia, S., & Jajodia, S, (2003). LEAP:
Threshold Breakdown Problem: We say a
Efficient security mechanisms for large-scale
security design has threshold breakdown problem if
distributed sensor networks. Paper presented at
the design is secure against t or less compromised
the ACM CCS.
nodes, but once more than t nodes are compromised
Zhu, S., Setia, S., Jajodia, S., & Ning, P. (2004). the security design completely breaks down, where
An interleaved hop-by-hop authentication scheme t is a fixed threshold.
for filtering of injected false data in sensor net-
Wireless Sensor Network (WSN): The wire-
works. Paper presented at the IEEE Symposium
less networks consisting of small sensors that
on Security and Privacy (S&P).
cooperatively monitor environmental conditions,
such as temperature, humidity, and so forth.
kEy tErMs
Chapter XXXIX
Survivability of Sensors with Key
and Trust Management
Jean-Marc Seigneur
University of Genev, Switzerland
Luminita Moraru
University of Genev, Switzerland
Olivier Powell
University of Patras, Greece
AbstrAct
Weiser (1991) envisioned ubiquitous computing with computing and communicating entities woven into
the fabrics of every day life. This chapter deals with the survivability of ambient resource-constrained
wireless computing nodes, from fixed sensor network nodes to small devices carried out by roaming
entities, for example, as part of a personal area network of a moving person. First, we review the assets
that need to be protected, especially the energy of these unplugged devices. There are also a number of
specific attacks that are described, for example, direct physical attacks are facilitated by the disappear-
ing security perimeter. Finally, we survey the protection mechanisms that have been proposed with an
emphasis on cryptographic keying material and trust management.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Survivability of Sensors with Key and Trust Management
with enough energy for long term functioning be- bAckground AsPEcts of
cause it is assumed that they are unplugged from nodEs survIvAbIlIty
the main electrical power supply and can rarely
recharge themselves by this means. Any action In this section, we first discuss what we mean by
carried out by these entities depletes their energy. nodes survivability, their assets, and especially
In addition to being resource-constrained in terms their energy. Then, we focus on the routing as-
of energy, these entities are resource-constrained set, which is an important asset that enables the
in terms of memory and processing, which limit nodes to communicate beyond their own wireless
what they can do, especially when these entities communication range. It shows that the routing
are small, such as the sensors deployed in sensors has been initially engineered without attackers
networks. in mind, which is also the case for most of the
Usually, sensors are performing two important other enabling mechanisms and assets. However,
types of actions or tasks: they have to sense the there are a number of attacks that can be carried
environment and to send information to a specific out on these assets. We survey them at the end of
target entity, sometimes called sink. For example, the section.
the sink may be an Internet gateway that will
propagate the information for persistent storage node(s) survivability
and analysis. Security problems exist both when
messages are generated and when they are relayed. First, it is important to note we use the plural in
Working most of the time in an unattended envi- the heading of this section, nodes survivability,
ronment without tamper-proof hardware makes the because it emphasises that the scope of the node’s
sensors very vulnerable to attacks. mission may span more than one node. On one
Generally, mobile ad hoc networks (MANETs) hand, it may be a scenario where the survivabil-
are thought to be composed of nodes bigger than the ity of the node itself is more important than the
sensors of sensors networks. Also, whereas sensors survivability of the other nodes. For example, a
are considered (after their deployment) rather fixed user who carries a mobile phone in the mountains
concerning their location, MANETs imply that the may be selfish and would not bother forwarding
nodes move. If we assume that the MANET nodes the messages of other users as they are met on the
are also unplugged from the main power supply, way to the top of the mountain. The forwarding
the nodes have also limited energy. Another differ- of a message from another user would deplete
ence between sensors and MANET nodes is that the energy of the mobile phone and endanger the
instead of just having to sense and forward simple survivability of the device and its mission lifetime.
information, MANET nodes are expected to run On the other hand, the mission may be that the
much more complicated operations that surely majority of the nodes survive at the expense of
require more energy than simple tasks. In this the survival of one specific node. It is usually the
chapter, we consider all ad hoc networks where the case in sensors networks where the goal is to sense
wireless nodes are resource-constrained, especially and monitor a region thanks to the collaboration
in terms of energy. Thus, as introduced above, the of many nodes. If a part of the monitored region
nodes may go from the tiny fixed deployed sensor is quite active, it is possible that the nodes in this
to the mobile unplugged mobile device. active region take over the work of another node,
In this chapter, we first survey the different for example, to forward the sensed information in
assets of these entities and then delve into specific order to maximise the lifetime of the monitoring
attacks on these assets. We present further two of the whole region. That type of scenario requires
main protection mechanisms: cryptographic keying that there is some sort of control on the nodes; an
material and evidence-based trust management. authority is needed to guarantee that the nodes will
Finally, we discuss future trends and draw our collaborate and follow the rules. For example, in a
conclusion. military environment, the nodes that are deployed
Survivability of Sensors with Key and Trust Management
are configured before the deployment and we can Besides being captured by an adversary and
assume that they will all follow the rules (until they removed from the network, the lifetime of the node
are captured or they fail). A military environment and its mission mainly depend on its consumption of
is said to be a controlled environment, its extreme energy. The design of the node is an inherent asset
being an open environment where every node is of the node because both hardware and software
free to behave as it wishes. In the middle of these designs may end up in consuming more or less
extremes, there are scenarios where a selfish node energy. Current sensor nodes are battery-enabled
may increase its lifetime by sporadically helping devices. The energy consumption of a sensor is
other nodes: the nodes being interdependent. due to the computation and the communication
modules. Energy is depleted mainly by the com-
the Assets underlying the munication module. Radio transmission consumes
survivability most of the energy spent for security mechanisms
and encryption only consumes 3% (Hwang, Lai, &
As explained in the previous subsection, the first Verbauwhede, 2004). Thus, minimising security
type of asset underlying the survivability is the transmission is important with regard to energy
survivability of the node or the survivability of the saving. However, sensors are constrained devices
network of nodes. In interdependent settings, the and the security mechanisms available for conven-
neighbouring nodes are an asset that enables the tional networks are not suitable due to their limited
node to achieve more than what it could achieve computational, memory, and energy resources.
alone. An underlying asset is the trustworthiness They are often deployed in hostile environments
of these neighbouring nodes. The node may be with no physical access to nodes after deployment.
able to choose or influence whose nodes are its Thus, the sensor lifetime is limited by the initial
neighbours, for example, by moving to another energy of the battery. Different energy harvesting
location or by mere selection (the third section mechanisms are being researched for sensors, such
explains how evidence-based trust management as the use of solar cells, but they are still not very
can be used to optimise the selection process). In common. The user’s mobile computing devices
sensor networks, it is less often assumed that new like personal digital assistants and mobile phones
nodes can be added after the initial deployment of are also battery-powered but they can be more
the nodes. Sensors are mainly used to monitor the easily recharged.
characteristics of a specific fixed area or targets. While energy recharging and harvesting mecha-
However, in MANET scenarios, when the nodes nisms are put in place, the nodes need energy saving
correspond to devices carried by people, it is clear mechanisms. Usually, energy saving mechanisms
that the nodes can come and go as the people roam are based on the difference of energy consumption
from place to place. If the adjunct nodes and their between the active and the idle states. Energy is
location can be chosen, the survivability of the saved by minimising the fraction of time while the
network of nodes may be prolonged. All the nodes device is active. These energy saving mechanisms
may participate for the survivability of the network are normally targeting the subsystem of the device
of nodes. Therefore, the nodes’ participation can that has the greatest difference between the energy
be considered as an asset. consumption of the two states. Once no application
Another asset for a node is to be highly tam- is running on the device, it is put into a low power
per-proof. However, as said above, nodes in open state, extending the battery life. A sensor node can
environments can be captured and highly tamper- usually be in four different states: transmit, receive,
proof hardware may be too costly. An asset may idle, and sleep. The sleep state is significantly less
be the possibility to communicate the evidence energy consuming than the other states. Preserv-
of tampering, for example, an alert being sent at ing network longevity is one of the main issues in
time of capture or creating some form of tamper- sensor networks. The topology of the network is
evidence. not known a priori because the nodes are randomly
Survivability of Sensors with Key and Trust Management
scattered to a target area. Sensor networks are often energy, the use of security mechanisms may also
dense networks. Not all the nodes are necessary require more storage space, for example, for the
to accomplish a specific request. One method to keying material, and may slow down the processes
save energy is to put nodes to sleep in a manner due to the additional security steps, such as, en-
that does not interfere with the functionality of cryption, decryption, and signatures.
the network. In a sensor network the lifetime of Besides the above special assets, there are also
the network is more important than each sensor. more basic security assets, namely, the confidenti-
Thus, the protocols developed for sensor networks ality/privacy, integrity, and availability properties
consider the optimisation of network lifetime. of each node and their messages. When these basic
The topology of the network may be dynamic. assets are compromised, the other assets may be
Nodes may become temporary inactive to save more easily compromised.
their energy or they drain out of battery. At the The list below summarises the different assets
same time, new nodes may be deployed in the same that we have discussed in this section:
area. Energy is limited in the network. However,
the nodes may have to repeatedly communicate • Node-level assets:
with a base station on a hop-by-hop basis. To ° Node mission lifetime:
minimise the energy spent in the network, energy- Node energy
preserving secure routing protocols (surveyed in • Harvesting source
the following subsection) have been developed. • States and actions management
The communication patterns are concerned with Node tamper-proof and tamper-evi-
balancing energy consumption and preserving dence
network lifetime and purpose. Usually, the whole ° Node localisation
region needs to be covered by the nodes. The ° Node mobility (in case of non-fixed set-
purpose of the network requires that the sensing tings)
coverage works for all localisations. At any loca- ° Node computing performance
tion, the nodes should be able to send the collected ° Node neighbours presence in interde-
data to the base station. Energy saving should not pendent settings
deteriorate the connectivity and the coverage of the ° Node communication:
network. An energy optimisation scheme should Ability
also maintain the initial coverage. Energy efficient • Reception
schemes group sensors in different sets that are • Transmission
alternatively active (Cardei, 2005; Ramchurn, • Coverage range
Jennings, Sierra, & Godo, 2004). Confidentiality
Another solution is to enforce clustering algo- Integrity
rithms (Handy, 1995). An example of energy at Speed
the nodes level occurs with cluster-based sensors • Network of nodes-level assets:
network topology. In this case, energy efficient ° Network mission lifetime
routing protocols use hierarchical structures like ° Deployment of new nodes
clusters among the nodes forming the network. ° Nodes participation and trustworthi-
The nodes in the cluster only communicate with ness
the cluster head. The cluster head is the only one ° Network connectivity, performance and
to communicate with the other cluster heads and coverage
provides aggregation of data for the nodes form-
ing the cluster. the routing Asset case-study
The nodes that are not cluster head may receive
the information later. The responsiveness of the The nodes can use their wireless link to directly
node, concerning computation and communication, communicate with the other nodes in range. Some-
is also important. In addition to consuming more times the nodes can increase their transmission
Survivability of Sensors with Key and Trust Management
energy to reach farther nodes. However, as said In military MANETs, it is often assumed that the
above, communication tasks use a lot of energy; deployed nodes are controlled; it is a controlled
for example, if we assumes Friss’ (1946) free- environment where it is understandably supposed
space attenuation, the energy needed for wireless that nodes are not free to do whatever they can do.
transmission over a distance d is proportional to In open MANETs, where any user’s node can come
d square. Thus, the nodes may save energy by and go depending on the user’s will, the nodes
using other closer nodes to forward their message might not follow the rules and they challenge the
to farther nodes. In addition, if the nodes cannot correct functioning of these routing protocols.
increase their transmission energy to reach a Thus, the researchers had to revise their protocol
specific far-away node, the only remaining solu- approach (not to say restart from scratch) because
tion is to use intermediate nodes to forward the all was working well under the assumption that
message. It is why routing algorithms have been the nodes do collaborate, but in open MANETs,
researched. In this subsection, we survey the where nodes are owned by free people, assuming
most well-known protocols that allow the that everyone collaborates is simply not realistic. In
nodes to exchange messages. We start by the 2001, the conclusion was that security in MANETs
MANET protocols and then the protocols said is particularly difficult due to their specificities
to be specific to sensor networks, which are (Hubaux, Buttyán, & Capkun, 2001): vulnerability
explicitly energy-aware. of channels and nodes (i.e., less physical security);
resource-constrained nodes; high probability
MANET Routing Protocols of absence of infrastructure; and dynamically
changing topologies and high uncertainty. An
Maltz (2001) depicts the history of MANETs. The interesting issue is the question of collaboration,
first significant project towards MANETs is called which is vital for some MANETs to stay up: the
the DARPA-sponsored military packet radio net- nodes are neither dependent nor independent but
work (PRNET) in 1972. Now, MANETs seem to interdependent. If too many nodes are too selfish,
be used on battlefields. The goal of researchers, the overall availability is endangered (Miranda &
like Maltz, was to outperform the performance Rodrigues, 2003).
of the military protocols. They reached efficient
and good performance for routing in MANETs Sensors Network Protocols
with ad hoc on-demand distance vector routing
(AODV) (Perkins & Royer, 1999) or dynamic As mentioned above, in sensors networks, the de-
source routing (DSR) (Maltz, 2001). ployed nodes are usually supposed to collaborate.
Both AODV and DSR are reactive routing However, due to their small size and the assump-
protocols because they compute the route between tion that they can never be recharged, the MANET
two nodes only when the route is needed, that is, protocols are not sufficient to optimise the use of
‘on demand.’ In doing so, there are far fewer tasks the energy of the nodes. This is why other research-
to be carried out because all the routes do not have ers have researched new routing protocols with an
to be maintained all the time. It is very important emphasis on energy consumption optimisation.
from an energy point-of-view in mobile settings Energy-aware routing protocols explicitly take
where the nodes come and go very quickly and into account the energy consumption as a param-
where the routing information would need to be eter. This subsection surveys seven of these new
updated very often. However, neither AODV nor protocols that use one or several of these following
DSR integrate further specific mechanisms to mi- energy saving basic techniques:
nimise the energy consumption along the route.
Another limitation comes from the fact that • Keeping short range transmissions
Maltz and colleagues designed their protocols with • Aggregating data
the same assumption as for military MANETs. • Building efficient paths
0
Survivability of Sensors with Key and Trust Management
• Switching between sleep/awake states clustering technique: the ejecting nodes are cluster
• Efficiently controlling multi-paths heads and the cluster members are nodes which
propagate towards the ejectors. The cluster heads
During the set-up phase of the minimum cost (and thus the clusters) are automatically updated
forwarding algorithm (MCFA) (Ye, Chen, Liu, & by the distributed algorithm.
Zhang, 2001), each node initiates its least cost to the The low-energy adaptive clustering hierarchy
sink estimated to be at an infinite distance. The sink (LEACH) (Handy, 1995) is a more well-known
broadcasts to its neighbours a setup message. Each distributed randomised cluster formation algo-
of the neighbours computes and updates its least rithm. Many more complicated and optimised
cost estimate to the sink and eventually broadcasts algorithms that exist in the literature have been
further to its own neighbours. When receiving a inspired by LEACH. LEACH is based on parti-
broadcast message, a node computes its new least- tioning the network into clusters. It features two
cost estimate. If it is lower than the current least distinct phases:
cost estimate, the node updates it and broadcasts
its new estimated least cost to its neighbours, and 1. Cluster formation: Cluster heads are self-
so on and so forth. In order to avoid collision as elected according to a very simple random
well as duplication of unnecessary message, that is, rule: each node decides to become a cluster
in order to optimise the flooding involved, MCFA head with probability p, where p depends on
introduces a back-off mechanism which is basically a threshold value. This threshold function is
a timeout before propagating the updated values dependent of parameters such as the remain-
of the estimated least cost. During the propaga- ing energy, the time elapsed since the network
tion phase, when a node needs to send a message started, and the number of times it has been a
to the sink, it broadcasts to its neighbours. When cluster head before. Thus, energy balancing
a node receives a message, it checks if it is on the is possible through the fine-tuning of the pa-
least cost path, and if so, propagates the message rameters. Once self-elected, the cluster heads
further. Otherwise it just drops the message. advertise themselves to noncluster heads by
Gradient-based routing (GBR) (Schurgers & broadcasting an announcement message.
Srivastava, 2001) is somehow similar to MCFA. It Noncluster head nodes then decide to which
proposes to slide messages along a gradient towards cluster they will attach themselves. Basically,
the sink. GBR is a general scheme; it proposes a they attach themselves to the closest cluster
few gradients but it is open to other possible gradi- head, although closest could have different
ents. The gradient can be computed similarly as in meanings. Once the cluster head is aware of
MCFA, that is, using the back-off mechanism. If one all of its cluster members, it computes a time
wants to introduce the hop-count in the gradient, division multiple access (TDMA) scheme and
the hop-count is included in the gradient formula. assigns a time slot to each of the members
MIX (Powell, Jarry, Leone, & Rolim, 2006) is a of the cluster. The cluster members are only
variant of GBR that allows the node to eject a mes- allowed to transmit data to the cluster head
sage directly to the sink in case of high remaining during the time slot that they have been
energy on the current node compared to the energy assigned to. Hence, no message collision
remaining on its neighbours. In MIX, a sensor occurs.
can choose to eject a message when all its short- 2. Data propagation phase (once the clusters
range neighbours have lower energy than itself. To have been formed): Data are sent by the
eject means that the sensor increases the power of cluster members directly to their cluster
transmission to be able to reach the base station in head. The cluster head then aggregates the
one transmission. As said above, the energy spent data before sending them directly to the sink.
increases a lot, nonlinearly, with the distance. The Other protocols inspired by LEACH propose
ejection feature of MIX can be seen as a dynamic to run a more sophisticated algorithm than
Survivability of Sensors with Key and Trust Management
direct transmission to the sink by using an- nodes decide to send REQ messages by analysing
other routing protocol on a subgraph of the the ADV message which is assumed to contain the
communication graph, sometimes called a necessary information to take this decision. The
‘backbone network,’ where nodes are typi- actual encoding of the ADV message is application
cally the cluster heads. The distributed cluster specific and not specified by the SPIN protocol.
formation phase has to be rerun from time to Variants of SPIN offer different optimisation for
time in order to avoid early energy depletion different contexts. For example, nodes can decide
of cluster heads. to stop participating when they believe that they
do not have enough energy to complete all stages
The directed diffusion (DD) (Intanagonwiwat, of the protocol.
Govindan, Estrin, Heidemann, & Silva, 2003) pro- The final protocol that we survey is probabilistic
tocol is also very famous but a bit more complicated forwarding (PFR) (Chatzigiannakis, Dimitriou,
than LEACH. It works roughly in the following Nikoletseas, & Spirakis, 2006). It uses the following
way. The sink(s) sends interests (consisting of at- approach which is common in routing protocols.
tribute value pairs) which are flooded across the In order to ensure robustness (due to link failure,
network. The sources are being discovered as the message collision, etc.), data are propagated in a
nodes are capable of satisfying the interests. In a multipath way. However, the total number of paths
second stage, the gradients are being set (the exact has to be controlled. In PFR, it is assumed (although
way in which gradients are being set is application this assumption can be relaxed) that the angle of
specific). Different gradients permit to build routes reception as well as the direction to the destination
between the sources and the sink with different of a message can be computed. For example, this
properties, for example, high robustness, low assumption is possible in a localised network. Us-
latency, low energy cost, and so forth. Informa- ing this information and by piggy-backing/adding
tion is propagated along the paths following the O(1) bits of information to the message, the nodes
gradients. Energy can be further spared by carry- can probabilistically decide to forward or drop the
ing-out network data-aggregation as well as using message. The messages are propagated along a
caching techniques. DD seems to be very suitable multipath beam whose width can be controlled by
for the so called continuous monitoring application a parameter of the algorithm. The fact of being able
domain (as opposed to event driven monitoring), to control the width of the beam enables the control
because there is a cost in establishing the routes of the energy cost overhead implied by multipath
(or interests gradients, more precisely), and once routing, and the fact of having a multipath beam
they have been established they should be used for ensures the robustness to link failure.
some time, that is, continuously. In the next subsection, we cover a specific form
In the sensor protocols for information via of failure, namely, failure due to malicious activi-
negotiation (SPIN) (Kulik, Heinzelman, & Bal- ties, also known as attacks.
akrishnan, 2002), data are disseminated throughout
the network, assuming that each sensor node is a survey of the Attacks on the nodes
potential sink. This is particularly efficient in the Assets
case of mobile networks. The protocol works in
the following way. When a node detects an event, Above, we have surveyed the protocols that have
it sends an ADV message advertising the detected been proposed for routing. These protocols are more
event. The nodes receiving the ADV decide if or less energy-aware. However, most of the times
they are interested in the information, and if so, these protocols assume that there is no attacker. As
send a request (REQ) message, following which we are moving to a ubiquitous computing world,
the actual data will be sent. The idea is to avoid assuming that there is no attacker is unrealistic be-
unnecessary flooding of long data messages in the cause the nodes are deployed in open environments
network when the information is redundant. The where anybody can deploy nodes or try to tamper
Survivability of Sensors with Key and Trust Management
with any nodes. We consider the cost of a physical consumption. The attack may be detected by the
attack as low because the nodes are assumed to owner because the battery is expected to have a
not have significant tamper resistance due to the certain lifetime. Ultimately, the measure of this
cost of such protection for devices that are sup- attack may be the report between the real and
posed to be affordable for large scale deployment the expected lifetime of the battery. It has been
(Pirretti, Zhu, Narayanan, McDaniel, Kandemir, reported that for mobile devices the report may
& Brooks, 2005). In a node capture/tampering at- be from one to two orders of magnitude (Pirretti
tack, an adversary has physical access to the node. et al., 2005). Martin et al. (2004) identify three
Current security solutions are evaluated by taking types of sleep deprivation attacks on mobile de-
into account the resistance of the network to nodes vices. In a service request power attack, a device
capture, that is, the number of nodes needed to be must repeatedly execute a network service on a
captured in order to corrupt the entire network. remote entity. Even if the service is not available,
Time is the factor used to evaluate the attacks that the process of authentication consumes time and
are in progress. energy. Another type of power attack may be
Another type of attack may especially target the to request the devices to repeatedly execute an
energy asset. That form of attack is usually called energy-hungry task. On mobile devices, power
the energy starvation attack. For example, Martin, attacks may be detected by scanning software
Hsiao, Ha, and Krishnaswami, (2004) depict a that compares the current energy consumption to
denial-of-service attack targeting battery powered normal energy consumption. On small sensors, it
devices. Its purpose is to drain out the battery of may be infeasible to run such scanning software.
the device, for example, by obliging the nodes to Other solutions analyse the energy consumption
consume more energy than necessary. In the case pattern because power attacks modify the energy
of mobile computing devices, the attack leads to consumption signature of the applications. Another
an inoperable device. It may only be temporary solution may be to define and impose an energy
for a mobile device but it is usually not the case limit for an application or a task.
in sensors networks where the nodes cannot be The nodes executing important tasks, like
recharged. In addition, the inoperability of several cluster heads, are perfect targets to initiate stronger
sensors can disrupt the functionality of an entire attacks over the other nodes in the cluster. These
network region. An energy starvation attack may attacks are prevented by preventing the misbe-
prevent the device from entering into its low power having nodes from becoming a cluster head. The
state, thus increasing the time while the device is solution evaluated by Pirretti et al. (2005) as the
active. This attack can be carried out in the case of best to prevent this type of attack is a hash-based
the use of energy saving schemes. As said above, cluster head selection. The cluster head does not
an energy saving scheme schedules for each node decide itself to be the next cluster head, but it is
an awake/sleeping cycle. In a sleep deprivation selected by random vote by the neighbours. This
attack a node is forced to remain in the awake attack can be categorised as topologically-inspired
state. We start by two types of energy starvation attack (Seigneur, 2005), where the knowledge of
attacks. The first type is the sleep deprivation at- the topology of the network of nodes is used to
tack that targets the communication subsystem and carry out more harmful attacks. This knowledge
prevents the sleep state. The second type called the can be extracted by standard attacks that are also
barrage attack is enforced by demanding energy possible in our settings.
intensive operations. A node receives successive The messages sent by the nodes can be captured
task requests. and read by attackers, which constitutes a confi-
Another possibility of increasing the energy dentiality attack. A confidentiality attack may also
consumption is to increase the energy needed for be carried out to infer message provenance, route
executing a task. The measure of the success of analysis, and activity monitoring. In some sensors
the attack may be the increase in overall energy network scenarios, it is crucial that the location of
Survivability of Sensors with Key and Trust Management
the nodes that sensed the information is not known. they will be not forwarded at all. In a Sybil attack
For example, sensors network have been deployed (Douceur, 2002), a node uses multiple identities
to monitor the location of pandas in their natural without revealing that it owns these different iden-
habitat (Ozturk, Zhang, & Trappe, 2004). Due to tities. If some mechanisms in the network use the
the presence of hunters, source-location privacy is majority of votes in their decision making, a node
crucial. If we extend the scenario to the location with many identities can cheat during the voting
of people, we can really talk of source-location process by using more than one vote. For a routing
privacy attacks. The network topology can be protocol that use several paths to the destination, a
inferred from this information. More knowledge Sybil attack can advertise one path as several ones.
can help the attacker to carry out more harmful Additionally, a Sybil attack can be correlated with
attacks targeting specific active/low-energy zones sink hole or worm hole attacks.
or traffic control. Among the other standard attacks,
there are also the attacks that target the integrity
of the messages as well as of the traffic or specific ProtEctIon MEcHAnIsMs
zones. The messages may be change replayed,
delayed, or even destroyed. Different protection mechanisms have been pro-
As said above, the routing protocols work well posed to increase the survivability of the nodes
when all nodes cooperate. However, in real settings, and protect their assets. For example, a few of the
the cooperation assumption may not be valid. If surveyed above routing protocols have recently
the nodes are small, low-power devices, they are been patched with security mechanisms: secure-
limited in energy and may be motivated to have a SPIN (Xiao, Wei, & Zhou, 2006) adds crypto-
selfish, noncooperative behaviour when it comes graphic functions to SPIN that do not require too
to relaying the messages from other nodes. They much memory and processing power; and secure
can save power by not forwarding the messages directed diffusion (SDD) (Wang, Yang, & Chen,
received from the neighbours. Furthermore, self- 2005) uses an efficient one-way chain rather than
ishness is not the only misbehaviour that has to asymmetric cryptography, which is too complex
be addressed. An attacker can compromise nodes for the resource-constrained nodes, to increase
and then prevent packets to reach their destina- the security of the protocol. Indeed, the cost of
tion. For example, in MIX, a few neighbour nodes the protection mechanisms has to really be taken
may lie about their current energy level to avoid into account due to the resource-constraints of
having to forward messages, or worse, they may the nodes. Cryptographic solutions may be used
not forward messages when asked to do so. In the for confidentiality and integrity of data but they
latter case, these misbehaving nodes carry out an may be too heavy in some settings. Any protection
attack commonly called sink hole attack (Pirzada mechanism needs to be analysed with regard to its
& McDonald, 2005). A sensor behaving like a sink- computation cost, its memory cost, its communica-
hole will drop any packet it receives. In a worm tion cost, and its energy cost (Hwang et al., 2004).
hole attack (Hu, Perrig, & Johnson, 2002), two In the next subsections, we detail two fast-evolv-
colluding sensors create a tunnel between them. ing protection mechanisms: cryptographic key
The first node may be situated in the proximity of deployment and management among the nodes,
the base station and replays the messages received and computational trust management.
by the second one. The tunnel is a fast path and
will encourage the nodes to use it for routing. This key deployment and Management
attack is hard to detect because the authentic-
ity and confidentiality security requirements are A first line of defence is the use of cryptography
maintained. Once the packets are routed through to encrypt the communication between the nodes.
the wormhole, denial-of-service attacks can be However, this requires the distribution/deployment
enforced. Packets will be forwarded selectively or of secrets in the nodes to allow them to encrypt the
Survivability of Sensors with Key and Trust Management
communication with this secret. The distribution and it seems viable to extract the key from one
of keys is usually followed by a shared key dis- node as they are cheap and not so well protected
covery phase and a path key establishment phase. (at least in nonmilitary application scenarios). The
Other elements that need to be considered are key second approach is to have pairwise keys for all
revocation, rekeying, and addition of nodes. Two sensors on each sensor, which is impractical due to
neighbour nodes can communicate only if they the memory constraints of the sensors. Saurabh and
share the same key. Network resilience is defined Mani (2004) argue that previous approaches relying
as the number of captured nodes before an attacker on keying management and cryptographic means
is able to control the network. Network connectiv- are not suitable for small nodes, such as sensors,
ity is defined as the probability that two nodes can due to their resource constraints or the fact that
communicate. Rekeying overhead is defined as the it is easy to recover their cryptographic material
network traffic needed to establish a new key. Both because they are cheap and not fully tamper-proof.
network resilience to node capture and pair-wise For n nodes deployed in the network, each node
connectivity depends on the size of keying material would have to store n-1 keys. Even if the keys are
stored on the nodes. While public key cryptogra- small (e.g, 64 bits), for a network of tens of thou-
phy is not feasible due to limited computational sands of nodes the storage space required for the
resources, the distribution of secret keys to each keys is impractical. It is worth noting that only a
sensor is assumed to be feasible in the literature. small fraction of the keys may be used in fixed
As we underlined above, the nodes are low cost de- standard sensors networks because the density of
vices without strong tamper proof hardware. Thus, the network may be low and a sensor may only be
a captured node will, at some stage, permit access able to communicate with few neighbouring nodes
to its cryptographic material. Key management with direct communication. Eschenauer and Gligor
schemes (Chan, Perrig, & Song, 2003; Moham- (2002) mitigate the memory constraints problem
med & Mohamed, 2005) try to increase network whilst keeping the key resilience level at a target
resilience to node capture while maintaining the threshold level. If we consider N the number of
performance goals and minimising the resulting nodes in the network and p the probability that
cost of lower network connectivity due to sensors two nodes share a common key, then each node
who do not share similar secret keys. There is a will store a set of Np keys, called a key ring. The
trade-off between the energy spent, the cost of keys are selected from a larger key pool. Each
used memory for protection, and the security level node stores a set of keys and an identifier for each
reached (Hwang et al., 2004). key. A shared key discovery phase between the
Static keying means that the nodes have been neighbours is necessary after the deployment. Each
allocated keys off-line before deployment, that node broadcasts the identifiers of the keys in its
is, predeployment. The existing solutions assign key ring. If the nodes share a common key, there
keys either randomly or based on deployment is a link between them. If a common key between
information, for example, the predicted neighbour- two nodes does not exist, then a path key establish-
hood of the nodes. A basic scheme is to generate ment procedure takes place. An alternative is to
p keys off-line and the nodes are allocated k keys use location information to improve connectivity.
randomly among these p keys. After deployment, Polynomial-based key predistribution schemes
a node broadcasts a set of identifiers of its known (Chan et al., 2003) use a random symmetric t-de-
keys and can communicate with the nodes that gree polynomial P. A polynomial share is defined
have at least one common key. The advantage as a partially evaluated polynomial: P(i,y) or
of static keying is no communication overhead P(y,i). Based on the polynomial share, each node
after the deployment. The easiest way to secure a can compute a common key: f(i,j). The scheme is
network is to give a unique key at predeployment resistant to t collusions.
time. However, in this case, if only one node is Dynamic keying means that the keys can be
compromised the whole network is compromised (re)generated after deployment. New keys are cre-
Survivability of Sensors with Key and Trust Management
ated in order to prevent a potential attacker from definition tries to encompass the previous work in
using the keying information obtained by node cap- all these domains.
ture. It creates more communication overhead but Trust is a subjective assessment of another’s
stronger resilience to node capture. Dynamic key influence in terms of the extent of one’s percep-
management schemes are based on the exclusion tions about the quality and significance of another’s
basis systems (EBS) (Mohammed & Mohamed, impact over one’s outcomes in a given situation,
2005). There is an initial pool of k+m keys. Each such that one’s expectation of, openness to, and
node stores k keys. Rekeying is carried out from inclination toward such influence provide a sense
time to time because there is the assumption that of control over the potential outcomes of the situ-
some nodes are captured from time to time. The ation.
m keys that are unknown to the captured nodes A computed trust value in an entity may be seen
are used to encrypt replacement keys that are as the digital representation of the trustworthiness
distributed to the safe nodes. However, since m is or level of trust in the entity under consideration;
usually chosen quite small to limit the number of a nonenforceable estimate of the entity’s future
messages needed for rekeying, a few nodes may behaviour in a given context based on evidence
be enough to collude and unveil the keys of the (Trustcomp, n.d.). A computational model of trust
whole network. To mitigate this issue, Mohammed based on social research was first proposed by
and Mohamed (2005) propose a variant based on Marsh (1994). Trust in a given situation is called
key polynomials instead of basic keys. Each node the trust context. Each trust context is assigned
stores k polynomials of t-degree out of a k+m pool an importance value in the range [0,1] and utility
of polynomials. In order to obtain a key, t+1 shares value in the range [-1,1]. Any trust value is in the
of each polynomial are needed. Another approach range [-1,1). Risk is used in a threshold for trusting
to mitigate the attacks of colluding nodes may decision making. Evidence encompasses outcome
be to evaluate the trust that can be placed in the observations, recommendations, and reputation.
involved nodes. The propagation of trust in peer-to-peer network
has been studied by Despotovic and Aberer
computational trust Management (2004) who introduce a more efficient algorithm
to propagate trust and recommendations in terms
In the human world, trust exists between two of computational and communication overhead.
interacting entities and is very useful when there Such overhead is especially important in networks
is uncertainty in result of the interaction. The of nodes as any communication overhead requires
requested entity uses the level of trust in the re- more energy spending.
questing entity as a mean to cope with uncertainty A high level view of a trust engine is depicted
and to engage in an action with potential benefits in Figure 1. The decision-making component can
in spite of the risk of a harmful outcome. In our be called whenever a trusting decision has to be
settings, the nodes may be interdependent, for made. Most related work has focused on trust
example, to reach far away nodes via routing and decision making when a requested entity has to
forwarding between intermediate nodes. We have decide what action should be taken due to a request
seen above that it is an asset for the nodes to have made by another entity, the requesting entity. It
trustworthy neighbours and computational trust is the reason that a specific module called entity
is a means to compute trust in them. There are recognition (ER) (Seigneur, 2005) is represented
many definitions of the human notion trust in a to recognise any entities and to deal with the re-
wide range of domains with different approaches quests from virtual identities. In our network of
and methodologies (McKnight & Chervany, nodes settings, when keying material is used, the
2000), such as sociology, psychology, economics, nodes may be recognised via the secret keys that
pedagogy, and so forth. Romano’s (2003) recent they own and use.
Survivability of Sensors with Key and Trust Management
The decision making of the trust engine uses The relation with trust evidence comes from
two subcomponents: the fact that an opinion about a binary event can
be based on statistical evidence. Information on
1. A trust module that can dynamically assess posterior probabilities of binary events are con-
the trustworthiness of the requesting entity verted in the b, d, and u elements in a value in
based on the trust evidence of any type stored the range [0,1]. The trust value (w) in the virtual
in the evidence store. identity (S) of the virtual identity (T) concerning
2. A risk engine that can dynamically evaluate the trust context p is:
the risk involved in the interaction, again
based on the available evidence in the evi- wTp ( S ) = {b, d , u}
dence store.
The subjective logic provides more than 10
A common decision-making policy is to choose operators to combine opinions. For example, the
(or suggest to the user) the action that would main- recommendation (⊗) operator corresponds to use
tain the appropriate cost/benefit. For example, in the recommending trustworthiness (RT) to adjust
the sensor network application domain, we have to a recommended opinion. Jøsang’s approach can be
balance ejecting a message or forwarding it based used in many applications since the trust context
on how much energy has to be spent and risk of is open. In the case of our networks of nodes,
failure in each case to successfully reach the base we can apply this kind of triple and statistical
station or sink. In the background, the evidence evidence count to compute the node trust value.
manager component is in charge of gathering For example, in case of a sink base station and a
evidence such as recommendations, comparisons network of nodes, the messages sent by a node may
between expected outcomes of the chosen actions be acknowledged by the base station by sending
and real outcomes, and so forth. These pieces of an acknowledgement message with strong energy
evidence are used to update risk and trust levels. transmission. Depending on which neighbour node
Thus, trust and risk follow a managed lifecycle. was used to forward the message, the sending
Although ‘subjective logic’ (Jøsang, 2001) does node can count how many times the sent mes-
not use the notion of risk, it can be considered as a sages were acknowledged via this neighbour node.
trust engine that integrates the element of ignorance Each neighbour node is given a triple (b, d, u) as
and uncertainty, which cannot be reflected by mere its trust value. If a message is acknowledged, b is
probabilities but is part of the human aspect of increased by one. If after a timeout, the message
trust. In order to represent imperfect knowledge, has still not been acknowledged, d is updated by
an opinion is considered to be a triplet whose ele- one. From the sending time of the message to the
ments are belief (b), disbelief (d), and uncertainty acknowledgement or the timeout, u is increased
(u), such that: by 1 (and then decreased by 1). Concerning the
memory/protection cost trade-off (Hwang et al.,
b+d+u=1 {b, d, u}∈[0,1]3 2004), it seems to be a reasonable assumption be-
Evidence
making Decision
Store Virtual
Identities
Risk Analysis
Survivability of Sensors with Key and Trust Management
cause there are usually few neighbours and there is table. However, the monitor module of confidant
enough memory space for a few triples. However, still requires the consumption of a non-negligible
each node has to maintain active the radio link, in amount of energy for resource-constrained nodes.
the so-called promiscuous mode, in order to listen Saurabh and Mani’s (2004) trust model uses only
to the activity of the neighbours. Since sensors are positive ratings and models the reputation value as
low energy devices, the energy consumption due a probabilistic distribution by the means of a beta
to the listening state represents a major drawback distribution model. A sensor will cooperate with
of any trust system. the neighbours that have a reputation value higher
Several other mechanisms have been proposed than a threshold. Twigg’s (2003) trust model focuses
to make decisions about whether to cooperate or on the MANET DSR protocol and on the relation
not with their peer nodes based on their previous between trust value communication and energy
behaviour. The information used to build the repu- cost. He assumes Friss’ free-space attenuation to
tation value of the neighbours is collected mainly compute the risk and cost of ejecting to more or
by direct interactions and following observations. less far nodes. He proposes to consider aggregate
Although it is accurate, it requires some time before properties including retransmissions and calculate
enough evidence has been collected. In a scenario the probability of successful transmission before
consisting of static nodes such as deployed sensors, a certain time. Pirzada and McDonald (2005)
there is more time to build trust with the neighbour introduce the use of computational trust based on
sensors because they do not move. In this case, one direct observations to mitigate both sinkhole and
may consider using a temporary ramp-up counter wormhole attacks. However, their work is also
of 10 messages in the trust metrics to be sure of limited to the MANET DSR protocol. They cover
the behaviour of the node. If recommendations are two trust contexts: trust packet precision (TPP) for
used, the reputation of the nodes that provide the wormhole and trust packet acknowledgment (TPA)
recommendations has to be taken into account. for sinkhole. They combine the two trust contexts.
In this latter case, it may create a vulnerability to If the sensor is suspected to be a wormhole, the
false report attacks. We survey below the other combined trust value T is 0. Otherwise TPP is
trust models that have been applied to the appli- equal to 1. TPA is a counter that is incremented
cation domain of resource-constraint nodes and each time a node is used to forward a packet and
sensors networks. an acknowledgement has been received before a
Michiardi and Molva’s (2002) core trust model timeout; it is decreased otherwise. The inverse
builds the reputation of a sensor as a value that is of the combined trust value simply replaces the
increased on positive interactions and decreased default cost of 1 in the LINK CACHE of the stan-
otherwise. It takes also into account positive rat- dard DSR protocol. If it is a wormhole the cost is
ings from the neighbours. If the aggregated value set to infinity.
of the reputation is positive, the sensor cooperates,
otherwise it refuses cooperation. Buchegger and
Le Boudec’s (2004) confidant trust model consid- futurE trEnds
ers only negative ratings from the neighbours and
monitors the communication to detect the nodes that In the future, the importance of the energy asset
do not forward the messages. In order to compute of the nodes may decrease. For example, a new
a reputation value, different weights are assigned energy solution may come from new contact-less,
to personal observations and reported reputations. distant energy transfer means to recharge nodes,
Concerning the memory/protection cost trade-off such as via inductive coupling. In addition, al-
(Hwang et al., 2004), it seems feasible because they though current energy harvesting mechanisms have
only forward second-hand information/recom- performance and size limitations, the advances in
mendations, called alarms, to a limited number nanotechnologies may allow even small nodes to
of nodes, called friends, maintained in a simple effectively harvest energy after deployment. For
Survivability of Sensors with Key and Trust Management
example, solar cells in new nanomaterial are much Cardei, M. (2005). Energy-efficient target cover-
more flexible than before. In this case, the attacks age in wireless sensor networks. Paper presented
may be turned towards the external harvested at the INFOCOM.
energy sources.
Carle, J., & Simplot-Ryl, D. (2004). Energy-effi-
The advances in nanotechnologies may also
cient area monitoring for sensor networks. IEEE
mean that even smaller nodes are possible. In
Computer, 37(2).
this case, it is likely that current cryptographic
mechanisms will have to be scaled down. Rout- Chan, H., Perrig, A., & Song, D. (2003). Random
ing and communication between these nanoscale key predistribution schemes for sensor networks.
nodes may also change dramatically. Quantum Paper presented at the IEEE Security and Privacy
computing may introduce even further probabilistic Symposium.
mechanisms with less determinism at the node
level than at the nodes as a whole level. In this Chatzigiannakis, I., Dimitriou, T., Nikoletseas,
case, decision-based under uncertainty may still S., & Spirakis, P. (2006). A probabilistic algo-
benefit from the use of computational trust. rithm for efficient and robust data propagation in
smart dust networks. Elsevier Journal of Ad-hoc
Networks, 4(5).
conclusIon Despotovic, Z., & Aberer, K. (2004). Trust and
reputation management in P2P networks. Paper
Due to the resource-constraints of the nodes presented at the International Conference on E-
involved in mobile ad hoc or sensors networks Commerce Technology.
settings, new security mechanisms are needed
to guarantee the survivability of these networks Douceur, J. R. (2002). The Sybil attack. Paper
of nodes. However, these new security mecha- presented at the 1st International Workshop on
nisms have a strong constraint with regard to Peer-to-Peer Systems.
their resource consumption. Computational trust Eschenauer, L., & Gligor, V. (2002). A key manage-
management is one of these new schemes that are ment scheme for distributed sensor networks. Paper
proposed because the nodes are interdependent presented at the ACM Conference on Computer
and need to collaborate to achieve more that what and Communications Security.
they can achieve alone. There are still limitations
though: both the listening mode and the communi- Friss, H. T. (1946). A note on a simple transmis-
cation overhead are costly in terms of energy. The sion formula. Paper presented at the Proceedings
cryptographic tasks involved in key management of IRE.
consume less energy but rekeying still necessitates Handy, M. J., Haase, M., & Timmermann, D.
extra communication. There is still some work (2002). Low energy adaptive clustering hierarchy
ahead to fine-tune and combine these new secu- with deterministic cluster-head selection. Paper
rity mechanisms for optimal survivability, being presented at the International Conference on Mobile
survivability at the node level or at the network and Wireless Communications Networks.
of nodes level.
Hu, Y., Perrig, A., & Johnson, D. (2002). Wormhole
detection in wireless ad hoc networks (Tech. Rep.).
rEfErEncEs Rice University.
Hubaux, J.-P., Buttyán, L., & Capkun, S. (2001).
Buchegger, S., & Le Boudec, J.-Y. (2004). A robust The quest for security in mobile ad hoc networks.
reputation system for P2P and mobile ad-hoc net- Paper presented at the ACM Symposium on Mobile
works. Paper presented at the Second Workshop on Ad Hoc Networking and Computing.
the Economics of Peer-to-Peer Systems.
Survivability of Sensors with Key and Trust Management
Hwang, D. D., Lai, B.-C. C., & Verbauwhede, sensor networks. Paper presented at the 2nd ACM
I. (2004). Energy-memory-security tradeoffs in International Workshop on Performance Evalua-
distributed sensor networks. Paper presented at tion of Wireless Ad hoc, Sensor, and Ubiquitous
the Ad-hoc Now Conference. Networks, Montreal, Quebec, Canada.
Intanagonwiwat, C., Govindan, R., Estrin, D., Ozturk, C., Zhang, Y., & Trappe, W. (2004).
Heidemann, J., & Silva, F. (2003). Directed dif- Source-location privacy in energy-constrained
fusion for wireless sensor networking. IEEE/ACM sensor network routing. Paper presented at the
Transactions on Networking, 11. 2nd ACM Workshop on Security of Ad hoc and
Sensor Networks.
Jøsang, A. (2001). A logic for uncertain prob-
abilities. Fuzziness and Knowledge-Based Systems, Perkins, C. E., & Royer, E. M. (1999). Ad hoc on-
9(3). demand distance vector routing. Paper presented
at the 2nd IEEE Workshop on Mobile Computing
Kulik, J., Heinzelman, W. R., & Balakrishnan, H.
Systems and Applications.
(2002). Negotiation-based protocols for dissemi-
nating information in wireless sensor networks. Pirretti, M., Zhu, S., Narayanan, V., McDaniel, P.,
Wireless Networks, 8. Kandemir, M., & Brooks, R. R. (2005). The sleep
deprivation attack in sensor networks: Analysis
Maltz, D. A. (2001). On-demand routing in multi-
and methods of defense. Paper presented at the
hop wireless ad hoc networks. Unpublished doc-
Innovations and Commercial Applications of
toral thesis, Carnegie Mellon University.
Distributed Sensor Networks Symposia.
Marsh, S. (1994). Formalising trust as a compu-
Pirzada, A. A., & McDonald, C. (2005). Circum-
tational concept. Unpublished doctoral thesis,
venting sinkholes and wormholes in wireless sen-
University of Stirling, Department of Mathematics
sor networks. Paper presented at the International
and Computer Science.
Workshop on Wireless Ad-hoc Networks.
Martin, T., Hsiao, M., Ha, D., & Krishnaswami, J.
Powell, O., Jarry, A., Leone, P., & Rolim, J. (2006).
(2004). Denial-of-service attacks on battery-pow-
Gradient based routing in wireless sensor net-
ered mobile computers. Paper presented at the 2nd
works: A mixed strategy (Tech. Rep.). University
IEEE Pervasive Computing Conference.
of Geneva.
McKnight, D. H., & Chervany, N. L. (2000). What
Romano, D. M. (2003). The nature of trust: Con-
is trust? A conceptual analysis and an interdis-
ceptual and operational clarification. Unpublished
ciplinary model. Paper presented at the Americas
doctoral thesis, Louisiana State University.
Conference on Information Systems.
Saurabh, G., & Mani, B. S. (2004). Reputation-
Michiardi, P., & Molva, R. (2002). Core: A col-
based framework for high integrity sensor net-
laborative reputation mechanism to enforce node
works. Paper presented at the 2nd ACM Workshop
cooperation in mobile ad hoc networks. Paper pre-
on Security of Ad hoc and Sensor Networks,
sented at the IFIP TC6/TC11 Sixth Joint Working
Washington D.C.
Conference on Communications and Multimedia
Security. Schurgers, C., & Srivastava, M. B. (2001). Energy
efficient routing in wireless sensor networks. Paper
Miranda, H., & Rodrigues, L. (2003). Friends and
presented at the MILCOM Communications for
foes: Preventing selfishness in open mobile ad hoc
Network-Centric Operations: Creating the Infor-
networks. Paper presented at the 23rd International
mation Force.
Conference on Distributed Computing Systems.
Seigneur, J.-M. (2005). Trust, security and privacy
Mohammed, A. M., & Mohamed, E. (2005). A
in global computing. Unpublished doctoral thesis,
study of static versus dynamic keying schemes in
Trinity College Dublin.
0
Survivability of Sensors with Key and Trust Management
Trustcomp. (n.d.). Retrieved August 4, 2006, from Reactive Routing Protocols: Compute the
http://www.trustcomp.org/ route between two nodes only when the route is
needed, that is, ‘on demand.’
Twigg, A. (2003). A subjective approach to rout-
ing in P2P and ad hoc networks. Paper presented Energy-aware Routing Protocols: Explicitly
at the First International Conference on Trust take into account the energy consumption as a
Management. parameter.
Wang, X., Yang, L., & Chen, K. (2005). SDD: To Eject: Means that the sensor increases the
Secure directed diffusion protocol for sensor. power of transmission to be able to reach the base
Security in ad-hoc and sensor networks (Vol. station in one transmission.
3313). Springer.
Static Keying: Means that the nodes have been
Weiser, M. (1991). The computer for the 21st century. allocated keys off-line before deployment, that is,
Scientific American. predeployment.
Xiao, D., Wei, M., & Zhou, Y. (2006). Secure- Dynamic Keying: Means that the keys can be
SPIN: Secure sensor protocol for information via (re)generated after-deployment.
negotiation for wireless sensor networks. Paper
Network Resilience: The number of captured
presented at the Conference on Industrial Electron-
nodes before an attacker is able to control the
ics and Applications.
network.
Ye, F., Chen, A., Liu, S., & Zhang, L. (2001). A
Network Connectivity: The probability that
scalable solution to minimum cost forwarding in
two nodes can communicate.
large sensor networks. Paper presented at the Tenth
International Conference on Computer Commu- Rekeying Overhead: The network traffic
nications and Networks. needed to establish a new key.
Trust: Trust ‘is a subjective assessment of
kEy tErMs another’s influence in terms of the extent of one’s
perceptions about the quality and significance of
Node: A node may go from the tiny fixed another’s impact over one’s outcomes in a given
deployed sensor to the mobile unplugged mobile situation, such that one’s expectation of, openness
device. to, and inclination toward such influence provide
a sense of control over the potential outcomes of
Node(s) Survivability: Emphasises that the
the situation’ (Romano, 2003).
scope of the nodes mission may span more than one
node. The survivability of the node itself may be Computed Trust Value: A nonenforceable
more important than the survivability of the other estimate of the entity’s future behaviour in a given
nodes or the mission may be that the majority of context based on evidence (“Trustcomp,” n.d.).
the nodes survive at the expense of the survival
of one specific node.
Chapter XL
Fault Tolerant Topology
Design for Ad Hoc and
Sensor Networks
Yu Wang
University of North Carolina at Charlotte, USA
AbstrAct
Fault tolerance is one of the premier system design desiderata in wireless ad hoc and sensor networks.
It is crucial to have a certain level of fault tolerance in most of ad hoc and sensor applications, espe-
cially for those used in surveillance, security, and disaster relief. In addition, several network security
schemes require the underlying topology provide fault tolerance. In this chapter, we will review various
fault tolerant techniques used in topology design for ad hoc and sensor networks, including those for
power control, topology control, and sensor coverage.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
Ad hoc and sensor networks trigger many chal- the case in sensor networks where the equipment
lenging research problems, as they intrinsically is restricted to a minimum due to limitations in
have many special characteristics and unavoidable cost and weight. First of all, battery driven sensor
limitations, compared with other wired or wireless nodes may stop working because they run out of
networks. An important requirement of ad hoc and energy supply. Second, the shared wireless medium
sensor networks is that they should be self-organiz- is inherently less stable than wired media. This
ing, that is, transmission ranges and data paths are situation results in more packet losses and lower
dynamically restructured with changing topology. throughput. Third, sensor networks often operate
Energy conservation and network performance in potentially hostile or at least harsh and uncon-
are probably the most critical issues in ad hoc and ditioned environments. Tiny sensor devices with
sensor networks, since wireless devices (such as limited security techniques are usually vulnerable
tiny sensor nodes in sensor networks) are usually from various attacks. Another aspect that has an
powered by batteries only and have limited com- influence on the required degree of redundancy
puting capability and memory. Topology control and fault-tolerance is mobility, which is a key is-
and power control are two primary techniques sue in ad hoc networks. Therefore, reliability and
with respect to energy-efficiency in ad hoc and fault-tolerance are emerging as premier and crucial
sensor networks. system design desiderata in ad hoc and sensor
The topology control technique is to let each networks. In addition, fault-tolerance design is
wireless device locally select certain neighbors also one of basic components in ad hoc and sensor
for communication, while maintaining a topol- network security.
ogy that can support energy efficient routing and Fault tolerance strongly depends on the network
improve the overall network performance. Unlike connectivity. To make fault tolerance possible,
traditional wired networks and cellular wireless first of all, the underlying network topology must
networks, mobile devices are often moving dur- be k-connected for some k > 1, that is, given any
ing the communication, which could change the pair of wireless devices, at least k disjoint paths are
network topology in some extent. Hence it is more needed to connect them. With k-connectivity, the
challenging to design a topology control algorithm network can survive k-1 node/link failures. Tradi-
for ad hoc and sensor networks. The power control tional topology control or power control solutions
technique is to control the network topology by cannot cope with those fault-tolerance require-
adjusting the wireless device’s transmission range. ments, since fault-tolerance is usually sacrificed
Reducing the transmission range can save the power for power efficiency. In order to be power efficient,
consumption at each node and reduce the signal topology control and power control algorithms try
interference among neighbors, but it may hurt the to reduce the number of links and thereby reduce
connectivity of the induced topology. Power control the redundancy available for tolerating node and
tries to minimize the power consumption used link failures. On the other hand, to achieve fault-
by all nodes while maintaining a topology that is tolerance, existing algorithms usually sacrifice
connected and has certain desired properties such power efficiency concern. Thus, topology design
as fault tolerance. for ad hoc and sensor networks needs to consider
Although fault tolerance has been studied both power efficiency and fault-tolerance.
for several decades in computer and VLSI sys- This chapter is focused on fault tolerant topol-
tems, limited resources on small devices, lack ogy design for ad hoc and sensor networks. In the
of centralized control, and high mobility make second section, fault tolerant techniques used in
fault-tolerance much harder to achieve in ad hoc power control protocols (such as power assignment
and sensor networks. One key characteristic of and critical transmission range) are reviewed. In
such networks is that node and link failure is an the third section, we survey fault tolerant design
event of non-negligibility, in some cases even as in topology control, that is, how to design fault
a regular or common event. This is particularly tolerant geometric or hierarchical structures. In the
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
fourth section, fault tolerant coverage and protec- Recently, applying stochastic geometry, Pen-
tion in sensor networks are discussed. There is a rose (1999), Bettstetter (2002), Li, Wang, Wan, and
conclusion in the fifth section, while the chapter Yi (2003), and Wan and Yi (2004) studied CTR to
ends with references and key definitions. achieve the k-connectivity with certain probability
for a network when wireless nodes are uniformly
and randomly distributed over a two-dimensional
fAult tolErAnt dEsIgn In region. Penrose (1999) shows that with high prob-
PowEr control ability the network becomes k-connected when the
minimum node degree in the communication graph
Fault tolerant design in power control studies how becomes k. In other words, the characterization of
to set the transmission range for each node in a net- the CTR for k-connectivity can be derived by ana-
work such that the induced topology is k-connected, lyzing the probability of the relatively simpler event
that is, the network can survive under k-1 failures. that every node in the network has a degree at least
Obviously, by setting the transmission range suf- k. Based on results from Penrose, Li et al. (2003)
ficiently larger, the induced network topology will first derives the upper bound and the lower bound
be k-connected without doubt. However, as power of the CTR for k-connectivity in a two-dimensional
is a scarce resource in ad hoc and networks, it is network. They proved that, given n wireless nodes
important to save the power consumption without which are randomly distributed in a unit square,
losing the network connectivity. Thus, the question if the transmission range rn of wireless devices
is how to find the minimum transmission range such satisfies, np ⋅ rn2 ≥ ln n + (2k − 3) ln ln n − 2ln(k − 1)
that the induced topology is multiply connected. !+ α + 2ln(8(k − 1) / (2k −1 p ))then G(V,r
−α n
) is k-con-
There are two sets of research in this direction: nected with probability at least e − e as n goes to
critical transmission range for random networks infinity. Here α is any real number. Wan and Yi
and minimum power assignment optimization for (2004) close the gap between the upper bound
static networks. and the lower bound by giving an exact formula
Given n static wireless nodes V, each with for the probability of k-connectivity when n goes
transmission range rn, the wireless network can be to infinity. They show the CTR for k-connectiv-
modeled by graph G(V,rn) in which two nodes are ity: rn = (log n + (2k − 3) log log n + f (n)) / pn
connected if their Euclidean distance is no more where f(n) is an arbitrary function such that
than rn. The minimum range rn used by all wireless lim n →∞ f (n) = +∞. Bettstetter (2002) also investi-
nodes such that the induced network topology has gated the minimum node degree and k-connectivity
certain property (such as connectivity) is called and constructed various simulations to verify his
the critical transmission range (CTR). The CTR analytical expressions. However his theoretical
for connectivity has been studied in the literature result does not consider the boundary effects (as-
(Gupta & Kumar, 1998; Penrose, 1997; Ramanathan sume the network is distributed in a very large
& Rosales-Hain, 2000; Sanchez, Manzoni, & Haas, area), which is impossible in real networks. Even
1999). Characterizing the CTR for connectivity though the theoretical results of the CTR for k-con-
(or k-connectivity) helps the system designer to nectivity has been derived, the theoretical bounds
answer fundamental questions, such as: (1) given a only hold when n goes to infinity. How to set the
number of nodes n to be deployed in a region, what transmission range in a real network where n is a
is the minimum value of transmission range that small pratical integer is studied by Li et al. (2003)
ensures network connectivity (or k-connectivity)?; by conducting simulations. Another related work
or (2) given transmission range of certain technol- is about the CTR for connectivity with Bernoulli
ogy, how many nodes need to be distributed over nodes. So far we assume that all nodes will always
a given region to ensure network connectivity (or function properly, however, in certain scenarios,
k-connectivity)? nodes may be fault (or put into sleep) with a certain
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
probability p > 0. Wan and Yi (2005) model this Clementi, Penna, & Silvestri, 2000; Clementi,
scenario using Bernoulli nodes and studied the Huiban, Penna, Rossi, & Verhoeven, 2002; Kirou-
CTR for connectivity with Bernoulli nodes. sis, Kranakis, Krizanc, & Pelc, 2000; Ramanathan
All analytical results on CTR assume wireless & Rosales-Hain, 2000). Along this line, Calinescu
nodes are randomly distributed and the transmis- and Wan (2006), Cheriyan, Vempala, and Vetta
sion range of every node is equal. These assump- (2002), and Hajiaghayi, Immorlica, and Mirrokni
tions are not always true for ad hoc and sensor (2003) consider the minimum total power assign-
networks in practice. Another power control ment while the resulting network is k-connected (or
technique is to allow each wireless device to adjust (k-1) fault tolerant). This problem has been shown
its transmission power according to its neighbors’ to be NP-hard too. Many of the best-known ap-
positions. A natural question is then, given a static proximation algorithms (e.g., Cheriyan et al., 2002)
network, how to assign the transmission power for are based on linear programming (LP) approaches.
each node such that the network is k-connected However, Haijaghayi et al. (2003) show that for the
with optimization criteria minimizing the total minimum total power assignment for k-connectiv-
(or maximum) transmission power assigned. This ity problem, the natural integer LP formulation has
kind of optimization questions is called minimum an integrality gap of Ω(n/k), implying that there is
power assignment optimization. See Figure 1 for no approximation algorithm based on LP with an
illustrations of minimum total power assignment approximation factor better than Ω(n/k).
for k-connectivity (k = 1 or 2). Some heursitics (Bahramgiri, Hajiaghayi, &
The minimum maximum power assignment Mirrokni, 2002; Ramanathan & Rosales-Hain,
problem can be solved in polynomial time by us- 2000) are proposed as well. Bahramgiri et al.
ing a simple binary-search-based approach (Lloyd, (2002) show that the cone-based topology control
Liu, Marathe, Ramanathan, & Ravi, 2002). The (CBTC) algorithm by Wattenhofer, Li, Bahl, and
minimum total power assignment for connectivity Wang (2001) and Li, Halpern, Bahl, Wang, and
problem was first studied and proved to be NP-hard Wattenhofer (2001) can be extended to slove the
by Chen and Huang (1989), in which the induced k-fault tolerance. Haijaghayi et al. (2003) also
communication graph is strongly connected while constructed examples which demonstrate that
the total power assignment is minimized. Recently, the approximation factor for CBTC algorithm
this problem has been heavily studied and many is at least Ω(n/k). Recently, Lloyd et al. (2002)
approximation algorithms have been proposed presented a centralized 8(1-1/n)-approximation
when the network is modeled using symmetric or for the minimum total power assignment for 2-
asymmetric links (Althaus, Calinescu, Mandoiu, connectivity problem. Calinescu and Wan (2006)
Prasad, Tchervenski, & Zelikovsly, 2003; Cali- further show that their algorithm could achieve 2k-
nescu, Kapoor, Olshevsky, & Zelikovsky, 2003; approximation ratio for the minimum total power
Figure 1. Illustrations of power control: minimum total power assignment for connectivity
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
assignment for k-connectivity problem. Haijaghayi Geometric topology control algorithms assume
et al. (2003) present algorithms minimizing power each node knows the position information of itself
while maintaining k-connectivity with guarantee. and its neighbors and all nodes have the same
Their first algorithm gives an O(kα)-approxima- transmission range. Using this geometric infor-
tion where α is the best approximation factor for mation, each node makes a local decision to keep
the related problem in wired networks (the best some links and remove other links. Well-known
α so far is in O(log k) by Cheriyan et al., 2002)). geometric topologies used in ad hoc networks in-
The second algorithm is based on an approxima- clude local minimum spanning tree (LMST) (Li,
tion algorithm introduced by Kortsarz and Nutov Hou, & Sha, 2003), relative neighborhood graph
(1994). It is more complicated and can achieve O(k) (RNG) (Bose, Morin, Stojmenovic, & Urrutia,
approximation for general graphs. Their first two 2001; Seddigh, Gonzalez, & Stojmenovic, 2002),
algorithms are centralized algorithms. Then they Gabriel graph (GG) (Bose et al., 2001; Karp &
present two distributed approximation algorithms Kung, 2000), Yao graph (YG) (Li, Wan, & Wang,
for the cases 2- and 3-connectivity in geometric 2001; Li, Wan, Wang, & Frieder, 2002) and CBTC
graphs with constant approximation ratios. Both (L. Li et al., 2001; Wattenhofer et al., 2001). See
these algorithms use the distributed minimum Figure 2 for illustrations of their definitions. All of
spanning tree algorithm. these topologies do guarantee the connectivity but
not fault tolerance. Therefore, variations of these
topologies have been proposed to improve the fault
fAult tolErAnt dEsIgn In tolerance, that is, preserving k-connectivity.
toPology control Li and Hou (2004) present a variation of LMST
algorithm to construct a k-connected topology,
Topolgoy control algorithms have been proposed called fault-tolerant local spanning subgraph
to maintain network connectivity while improving (FLSSk). Similarly to LMST, algorithm to build
energy efficiency and increasing network capacity FLSSk is composed of three phases: information ex-
by solely keeping selected links. However, by reduc- change, topology construction, and determination
ing the number of links in the network, topology of transmit power. The main difference between
control actually decreases the degree of routing LMST and FLSSk is in the topology construction
redundancy. As a result, the induced topology is phase: instead of building a local MST on its
more susceptible to node failures or departures. neighbor (such as the two local trees for u and v
Thus, in this section we review the fault tolerant in Figure 2[a]), a node builds a spanning subgraph
design which enforces k-connectivity in the topol- to preserve k-connectivity using a simple greedy
ogy control process. Usually, there are two sets of algorithm. Li and Hou prove that FLSSk guarantees
solutions for topology control: geometric topology the k-connectivity and maintains bidirectionality
(flat structure) and virtual backbone (hierarchical for all the links in the topology while reducing the
structure). power consumption.
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
Zhou, Das, and Gupta (2005) generalize the Ties are broken arbitrarily. X.-Y. Li et al. (2003)
RNG structure to k-RNG structure to preserve proved that the modified Yao structure (YGp,k) can
the k-connectivity for sensor networks. In RNG, a preserve the k-connectivity. In addition, YGp,k is a
link uv exists if and only if there is no other node length/power spanner with bounded node degree
w with edges uw and wv satisfying ||uw||<||uv|| even when (k-1) nodes fault. Here a length/power
and ||wv||<||uv|| simultaneously. Here ||.|| is the spanner has constant length spanning ratio and
Euclidean distance. See Figure 2(b). In k-RNG, an power spanning ratio, which indicates the topology
edge exists between u and v if and only if there are is power efficient for unicast routing.
at most (k-1) nodes w that satisfy ||uw||<||uv|| and Bahramgiri et al. (2002) also discuss how to
||wv||<||uv||. Obviously, similar to RNG, k-RNG generalize the CBTC algorithm to ensure k-con-
can be constructed locally. Zhou et al. proved nectivity. Basically, for each node, it enlarges the
that k-RNG is k-connected if the original com- transmission range until it reaches its maximum
munication graph is k-connected. Notice that it power or the maximum angle between two con-
is also easy to show we can use the same idea to secutive neighbors of the induced topology is at
generalize GG structure to k-GG while preserving most 2π/(3k). See Figure 2(e). Finally, it eliminates
the k-connectivity. There is an edge uv in k-GG one-directional edges and keeps bidirectional
if and only if there are at most (k-1) nodes inside edges. Bahramgiri et al. (2002) proved the resulted
the disk with uv as the diameter. See Figure 2(c). topology is k-connected if the original graph is
The nice property of GG and k-GG is that their k-connected. We can also prove the topology is a
power spanning ratios are equal to one (X.-Y. Li length spanner even with (k-1) nodes faults. How-
et al., 2001, 2002). In other words, GG/k-GG can ever, unlike YGp,k, the topology does not bound the
keep all links on least power consumption paths node degree. A counter example is given by X.-Y.
in the original communication graph. Notice that Li et al. (2003), so is an enhancement method to
LMST/FLSSk and RNG/k-RNG do not have this bound the node degree.
property. While all geometric structures above are flat
X.-Y. Li et al. (2003) modifiy the Yao structure structures, there is another set of structures, called
as follows such that the structure is k-connected. hierarchical structures, widely used in ad hoc and
Each node u defines any p equally-separated rays sensor networks. Instead of involving all nodes
originated at u, where p > 6. These rays define p to relay packets for other nodes, the hierarchical
cones inside the transmission range. Figure 2(d) topology control protocols pick a subset of nodes
shows an example with p = 8 cones. In each cone, u to serve as the cluster-heads. These cluster-heads
chooses the k closest nodes in that cone, if there is form a virtual backbone and forward packets for
any, and adds directed links from u to these nodes. other nodes. The structure used to build this virtual
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
backbone is usually a (connected) dominating set. on the authors’ previous method for 1-CDS. The
Many distributed clustering (or dominating set) last algorithm (color-based k-CDS constriction,
algorithms have been proposed in the literature CBKC) is a hybrid paradigm that enables 1-CDS
(e.g., Alzoubi, Wan, & Frieder, 2002; Das & algorithms to construct a k-CDS with high prob-
Bharghavan, 1997; Wan, Alzoubi, & Frieder, 2002; ability in relatively dense networks. It is a hybrid
Wu & Li, 1999, 2000). All these algorithms first of probabilistic and deterministic approaches.
form several clusters where all cluster-heads form Besides k-DS and k-CDS, there are other tech-
a dominating set. Each node either is a cluster-head niques to enhance the fault tolerance of virtual
(or called dominator) or belongs to one cluster (i.e., backbones. Chen and Son (2005) present methods
it is dominated by a dominator). All the cluster- to add necessary redundant nodes to the simple
heads can then be connected via several additional CDS backbone, which results in a higher vertex
gateways to form the virtual backbone. However, a connectivity degree. They also identify several
single node failure may cause the backbone to be factors and synchronization methods that may
broken in these algorithms. Thus, a fault-tolerant affect the redundant node selection. For example,
design is needed for these backbones too. the nodes in CDS would like to select nodes with
Kuhn, Moscibroda, and Wattenhofer (2006) more power or higher degree or some combination
studied the k-dominating set (k-DS) problem: find of factors. Wang, Wang, and Li (2006) propose
a set of nodes such that each of the (other) nodes is an efficient distributed method to construct a
dominated by at least k nodes from this set. The set weighted backbone with low cost. By assuming
of such nodes is called a k-dominating set. Thus, each node has a cost, they can construct a weighted
the backbone can survive (k-1) node failures in CDS while the total cost of the CDS is bounded
the k-dominating set. For example, black nodes by a constant from the optimal. If each node can
v1 and v3 in Figure 3(b) form a DS for the network estimate its probability of being faulty and we treat
in Figure 3(a), while black nodes v3, v4, and v5 in it as the weight, we can use the algorithm by Y.
Figure 3(d) form a 2-DS. Kuhn et al. (2006) give Wang et al. (2006) to build a fault-tolerant back-
two distributed approximation algorithms for bone. Notice that building the most fault-tolerant
the k-minimum dominating set problem in two backbone is equivalent to finding a CDS with the
different models: general graphs and unit disk minimum total cost.
graphs (UDG). The first one is for general graphs Most of the fault tolerant topology designs
and based on LP approximation. For an arbitrary discussed so far assume the underlying commu-
parameter t, it runs in time O(t2) and achieves nication graph is k-connected. This is true when
an approximation ratio of O(t∆ 2/tlog∆), where ∆ the network density is large, but for sparse network
denotes the maximal degree. The second one is it may not hold. Bredin, Demaine, Hajiaghayi,
a probabilistic algorithm for unit disk graphs. It and Rus (2005) studied an interesting problem of
runs in time O(loglogn) and achieves a constant repairing a sensor network to guarantee a speci-
approximation in expectation. fied level of connectivity. They present a generic
Dai and Wu (2005) studied how to construct algorithm that determines how to establish k-con-
a k-connected k-dominating set (k-CDS) as a nectivity by placing minimum additional sensors
backbone to balance efficiency and fault tolerance. geographically between existing pairs of sensors.
Here, a k-DS is a k-CDS if its induced topology is This problem is NP-hard, and thus their algorithm
k-connected. Figure 3(c) shows a CDS, and Figure is an approximation algorithm. They proved that the
3(e) shows a 2-CDS. Three localized k-CDS con- number of additional sensors is within a constant
struction algorithms are proposed. The first one factor of the absolute minimum, for any fixed k.
(called k-Gossip) randomly selects virtual back- A related fault-tolerant problem in two-tiered
bone nodes with a given probability pk, where pk sensor network deployment is studied by Hao, Tang,
depends on network condition and the value of k. and Xue (2004) and Liu, Wan, and Jia (2005). A
The second one is a deterministic approach based two-tired sensor network is a cluster-based network.
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
Relay nodes are placed in the playing field to act as studied the efficient recovering mechanism for
cluster-heads and to form a connected topology for cluster-head failures. However, since fault detection
data transmission in the higher tier. They are able and recovering are not the focus of this chapter,
to fuse data from sensor nodes (lower tier) in their we do not review them in detail.
clusters and send them to sinks through higher tier
topology. Hao et al. (2004) studied a fault-tolerant
relay node placement problem, where a minimum fAult tolErAnt dEsIgn In
number of relay nodes are placed such that (1) each covErAgE And ProtEctIon
sensor node can communicate with at least two
relay nodes and (2) the network of relay nodes is In sensor networks, coverage problem (Cardei &
2-connected. They proved the problem is NP-hard Wu, 2006) is also a critical issue during topology
and gave a O(Dlogn)-approximation, where D is design and sensor deployment. Usually each sensor
the diameter of the network. Notice that the ratio has a sensing range covering a small sensing region,
is not a constant but a function of the size of input. and it can sense certain kinds of events happening
Liu et al. (2005) studied a more general relay-node inside its sensing region. Thus, we say the sensor
placement problem where a minimum number of covers its sensing region. The main objective of the
relay-nodes are placed in a 2-tiered sensor network sensor network is to cover (monitor) an area A, that
such that the whole network is (1) connected or (2) is, every point in the area should be covered. Some
2-connected. They assumed that sensor nodes do applications may require different degrees of cover-
not participate in forwarding data for others. They age. A network has a coverage degree k (k-coverage)
first gave a (6+ξ)-approximation algorithm for a if every location is within the sensing range of at
1-connectivity case. Then they further proposed a least k sensors. Networks with a higher coverage
(24+ξ)-approximation algorithm and a (6/T+12+ξ)- degree can obtain higher sensing accuracy and be
approximation algorithm for a 2-connectivity case, more robust to sensor failures. Given a sensor field
respectively, for any ξ > 0, where T is the ratio of with n sensor nodes of sensing range r deployed,
the number of relay nodes placed to the number and a desired coverage degree k≥1, minimum k-
of sensors in the first case. coverage problem studies how to select a minimal
Thallner and Moser (2005) studied fault-tolerant subset of nodes to entirely cover all locations in
overlay topology for a fully connected network. A such that every location is within the sensing
They modeled the network as a weighted complete range of at least k different nodes. The minimum
graph, where the weight of an edge is the cost of k-coverage problem is also a well-known NP-hard
that connection. Their proposed algorithm can problem. Figure 4 illustrates a set of examples of
build and maintain a k-regular subgraph that is coverage set. Figure 4(a) shows the sensors and
k-connected and has low total weight. However, their sensing ranges. Assume that the target area
since it assumes a fully connected communication A is the big square area v1v3v9v7. Figures 4(b) and
graph, the algorithm is more suitable for an overlay 4(c) give two 1-coverage sets (black nodes), while
network (such as peer-to-peer network) than an ad Figure 4(d) gives a 2-coverage set.
hoc network. Zhou, Das, and Gupta (2004) studied the mini-
Another fault tolerant issue in topology control mum connected k-coverage problem and give a
is how to detect and recover from topology failures centralized approximation algorithm that achieves
for classical topology control protocols (not the O(log n) approximation ratio. Their method is a
fault tolerant ones we discussed above). It focuses greedy algorithm: iteratively adding a set of nodes
on the design of detection and recovering schemes which maximizes a measure called k-benefit to an
instead of redundancy topology design with certain initially empty set of nodes. The authors also pres-
redundancy (k-connectivity). For example, Stratil ent a distributed version of their algorithm.
(2005) presents an analysis of the requirements to Kumar, Lai, and Balogh (2004) studied k-cover-
tolerate crash failures in the topology with the help age problem in sensor networks where many sensors
of failure detectors. Gupta and Younis (2003) also are put to sleep for most of their lifetimes. They
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
first propose a sleep/active schedule, to minimize et al. (2006) studied the minimum 1-self protec-
energy consumption, in which each sensor is active tion problem and give a centralized method with
with probability p, independently from the others. 2(1+logn) approximation ratio, using approxima-
Then they derive the critical sensing range for their tion algorithm for the minimum dominating set, and
sleep scheme such that the sensor network achieves two randomized distributed algorithms. Wang et
k-coverage with high probability. al. (2007) provide several efficient centralized and
Yang, Dai, Cardei, and Wu (2006) also studied distributed algorithms with constant approximation
the minimum connected k-coverage problem with ratios for the minimum p-self-protection problem
different coverage assumption. They assumed in sensor networks with either homogeneous or
that the network is sufficiently dense so that point heterogeneous sensing radius.
coverage can approximate area coverage. Thus Not until recently have coverage and connec-
instead of covering the whole area A, they only tivity problems been studied together in sensor
required covering every sensor in area A. This networks. Xing, Wang, Zhang, Lu, Pless, and Gill
k-coverage problem is also NP-hard since it is an (2005) designed an integrated coverage configu-
extension of the k-dominating set problem. They ration protocol to provide both certain degrees
propose a centralized approximation solution based of coverage and connectivity guarantee. Zhang
on integer linear programming. The algorithm and Hou (2005) propose a decentralized density
works by relaxing the problem to ordinary linear control algorithm to maintain sensing coverage
programming, where the variables may take real and connectivity in high-density sensor networks.
values. They also designed two distributed algo- Both Xing et al. (2005) and Zhang and Hou (2005)
rithms. One uses a cluster-based approach to select prove that if the radio range is at least twice of the
backbone nodes to form the active set; the other sensing range, complete k-coverage of a convex area
uses the pruning algorithm based on only 2-hop implies k-connectivity among the working set of
neighborhood information to reduce the number nodes. Recently, Bai, Kuma, Xua, and Lai (2006)
of active sensors. studied the optimal deployment pattern to achieve
Notice that the coverage problem studied by both 1-coverage of an area and 2-connectivity of
Yang et al. (2006) is the same problem studied by the sensors. Zhou et al. (2005) propose a set of
Wang, Zhang, and Liu (2006) and Wang, Li, and distributed algorithms to achieve both k-connected
Zhang (2007) as self-protection problem. A self- and k-covered network by using localized Voronoi
protection problem focuses on using sensor nodes and extended relative neighborhood graphs.
to provide protection to themselves instead of the
objects or the area, so that they can resist the at-
tacks targeting on them directly. A wireless sensor conclusIon
network is p-self-protected, if at any moment, for
any wireless sensor (active or non-active), there are Fault tolerance is one of the premier system design
at least p active sensors that can monitor it. D. Wang desiderata in wireless ad hoc and sensor networks.
0
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
It is crucial to have a certain level of fault tolerance age and connectivity. In Proceedings of the ACM
in most of ad hoc and sensor applications, especially MobiHoc 2006.
for those used in surveillance, security, and disaster
Bettstetter, C. (2002). On the minimum node
relief. In addition, several network security schemes
degree and connectivity of a wireless multihop
(such as localized intrusion detection) require that
network. In Proceedings of the 3rd ACM Interna-
the underlying topology provide fault tolerance.
tional Symposium on Mobile Ad Hoc Networking
In this chapter we discussed various fault tolerant
and Computing (MobiHoc ’02).
techniques used in topology design, including those
for power control, topology control, and sensor Bose, P., Morin, P., Stojmenovic, I., & Urrutia, J.
coverage. Due to space limit, we did not give all (2001). Routing with guaranteed delivery in ad
of the detailed algorithms, proofs, and simulation hoc wireless networks. ACM/Kluwer Wireless
results for most techniques reviewed here. For more Networks, 7(6), 609-616.
details, please refer to the references. Though fault
tolerant topology design has attracted considerable Bredin, J. L., Demaine, E. D., Hajiaghayi, M., &
attention and has been heavily studied recently, Rus, D. (2005). Deploying sensor networks with
there are still many open problems, such as how to guaranteed capacity and fault tolerance. In Pro-
efficiently maintain these proposed fault tolerant ceedings of the ACM Mobihoc 2005.
topologies. We strongly believe that fault tolerant Calinescu, G., Kapoor, S., Olshevsky, A., & Ze-
topology design remains one primary challenge likovsky, A. (2003). Network lifetime and power
and plays an important role in research of ad hoc assignment in ad-hoc wireless networks. In Pro-
and sensor networks. ceedings of the 11th Annual European Symposium
on Algorithms (ESA 2003).
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
Clementi, A., Huiban, G., Penna, P., Rossi, G., & ference on Mobile Computing and Networking
Verhoeven, Y.C. (2002). Some recent theoretical ad- (MobiCom).
vances and open questions on energy consumption
Khuller, S., & Vishkin, U. (1994). Biconnectivity
in ad-hoc wireless networks. In Proceedings of the
approximations and graph carvings. Journal of
3rd Workshop on Approximation and Randomiza-
ACM, 41, 214-235.
tion Algorithms in Communication Networks.
Kirousis, L. M., Kranakis, E., Krizanc, D., &
Clementi, A., Penna, P., & Silvestri, R. (2000). The
Pelc, A. (2000). Power consumption in packet
power range assignment problem in radio networks
radio networks. Theoretical Computer Science,
on the plane. In Proceedings of the XVII Sympo-
243(1-2), 289-305.
sium on Theoretical Aspects of Computer Science
(STACS’00) (LNCS 1770, pp. 651-660). Kuhn, F., Moscibroda, T., & Wattenhofer, R.
Dai, F., & Wu, J. (2005). On constructing k-con-
(2006). Fault-tolerant clustering in ad hoc and
nected k-dominating set in wireless networks. In
sensor networks. In Proceedings of the IEEE
Proceedings of the International Parallel and
ICDCS 2006.
Distributed Processing Symposium. Kumar, S., Lai, T. H., & Balogh, J. (2004). On
Das, B., & Bharghavan, V. (1997). Routing in ad-hoc
k-coverage in a mostly sleeping sensor network.
networks using minimum connected dominating
In Proceedings of the ACM MobiCom 2004.
sets. In Proceedings of the IEEE International Li, L., Halpern, J. Y., Bahl, P., Wang, Y.-M., &
Conference on Communications (ICC’97). Wattenhofer, R. (2001). Analysis of a cone-based
distributed topology control algorithms for wireless
Gupta, P., & Kumar, P. R. (1998). Critical power
multi-hop networks. In Proceedings of the ACM
for asymptotic connectivity in wireless networks.
Symposium on Principle of Distributed Comput-
In W. M. McEneaney, G. Yin, & Q. Zhang (Eds.),
ing (PODC).
Stochastic analysis, control, optimization and
applications: A volume in honor of W.H. Fleming. Li, N., & Hou, J. C. (2004). FLSS: A fault-tolerant
Boston: Birkhäuser. topology control algorithm for wireless networks.
In Proceedings of the ACM MOBICOM 2004.
Gupta, G., & Younis, M. (2003). Fault-tolerant
clustering of wireless sensor networks. In Proceed- Li, N., Hou, J. C., & Sha, L. (2003). Design and
ings of the IEEE Wireless Communications and analysis of a mst-based topology control algorithm.
Networking 2003. In Proceedings of the IEEE INFOCOM 2003.
Hajiaghayi, M., Immorlica, N., & Mirrokni, V. Li, X.-Y., Wan, P.-J., & Wang, Y. (2001). Power
S. (2003). Power optimization in fault-tolerant efficient and sparse spanner for wireless ad hoc
topology control algorithms for wireless multi- networks. In Proceedings of the IEEE International
hop networks. In Proceedings of the 9th Annual Conference on Computer Communications and
International Conference on Mobile Computing Networks (ICCCN ’01).
and Networking.
Li, X.-Y., Wan, P.-J., Wang, Y., & Frieder, O. (2002).
Hao, B., Tang, J., & Xue, G. (2004). Fault-tolerant Sparse power efficient topology for wireless net-
relay node placement in wireless sensor networks: works. In Proceedings of the 35th IEEE Hawaii
formulation and approximation. In Proceedings of International Conference on System Sciences
the IEEE HPRS 2004. (HICSS-35).
Karp, B., & Kung, H. (2000). GPSR: Greedy Li, X.-Y., Wang, Y., Wan, P.-J., & Yi, C.-W. (2003).
perimeter stateless routing for wireless networks. Fault tolerant deployment and topology control for
In Proceedings of the ACM International Con- wireless ad hoc networks. In Proceedings of the 4th
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
ACM International Symposium on Mobile Ad Hoc Wan, P.-J., Alzoubi, K. M., & Frieder, O. (2002).
Networking and Computing (MobiHoc ’03). Distributed construction of connected dominating
set in wireless ad hoc networks. In Proceedings of
Liu, H., Wan, P.-J., & Jia, X. (2005). Fault-tolerant
IEEE INFOCOM 2002.
relay node placement in wireless sensor networks.
In Proceedings of the COCOON 2005 (LNCS Wan, P.-J., & Yi, C.-W. (2004). Asymptotic critical
3595, pp. 230-239). transmission radius and critical neighbor number
for k-connectivity in wireless ad hoc networks. In
Lloyd, L., Liu, R., Marathe, M. V., Ramanathan,
Proceedings of the 5th ACM International Sympo-
R., & Ravi, S. S. (2002). Algorithmic aspects of
sium on Mobile Ad hoc Networking and Computing
topology control problems for ad hoc networks.
(MobiHoc ’04).
In Proceedings of the 3rd ACM International
Symposium on Mobile Ad Hoc Networking and Wan, P.-J., & Yi, C.-W. (2005). Asymptotic critical
Computing (MobiHoc ’02). transmission ranges for connectivity in wireless
ad hoc networks with Bernoulli nodes. In Pro-
Penrose, M. (1997). The longest edge of the random
ceedings of 2005 IEEE Wireless Communications
minimal spanning tree. Annals of Applied Prob-
and Networking Conference (WCNC 2005), New
ability, 7, 340-361.
Orleans.
Penrose, M. (1999). On k-connectivity for a geo-
Wang, Y., Li, X.-Y., & Zhang, Q. (2007). Efficient
metric random graph. Random Structures and
self protection algorithms for Static wireless sensor
Algorithms, 15, 145-164.
networks. In Proceedings of the 50th IEEE Global
Ramanathan, R., & Rosales-Hain, R. (2000). Telecommunications Conference (Globecom 2007).
Topology control of multi-hop wireless networks Extended version to appear in IEEE Transaction on
using transmit power adjustment. In Proceedings Parallel and Distributed Systems (TPDS), 2008.
of the IEEE INFOCOM.
Wang, Y., Wang, W., & Li, X.-Y. (2006). Efficient
Sanchez, M., Manzoni, P., & Haas, Z. (1999). distributed low-cost weighted backbone formation
Determination of critical transmission range in ad- for wireless ad hoc networks. IEEE Transaction on
hoc networks. In Proceedings of the Multiaccess, Parallel and Distributed Systems (TPDS), 17(7),
Mobility and Teletraffic for Wireless Communica- 681-693.
tions (MMT ’99).
Wang, D., Zhang, Q., & Liu, J. (2006). Self-protec-
Seddigh, M., Gonzalez, J. S., & Stojmenovic, I. tion for wireless sensor networks. In Proceedings
(2002). RNG and internal node based broadcast- of the IEEE ICDCS 2006.
ing algorithms for wireless one-to-one networks.
Wattenhofer, R., Li, L., Bahl, P., & Wang, Y.-M.
ACM Mobile Computing and Communications
(2001). Distributed topology control for wireless
Review, 5(2), 37-44.
multihop ad-hoc networks. In Proceedings of the
Stratil, H. (2005). Fault tolerant topology control IEEE INFOCOM 2001.
with unreliable failure detectors. In Proceedings
Wu, J., & Li, H. (1999). On calculating connected
of the 17th International Conference on Parallel
dominating set for efficient routing in ad hoc
and Distributed Computing and Systems.
wireless networks. In Proceedings of the Third
Thallner, B., & Moser, H. (2005). Topology control International Workshop on Discrete Algorithms
for fault-tolerant communication in highly dynamic and Methods for Mobile Computing and Com-
wireless networks. In Proceedings of the Third munications.
International Workshop on Intelligent Solutions
Wu, J., & Li, H. (2000). Domination and its ap-
in Embedded Systems.
plications in ad hoc wireless networks with unidi-
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
rectional links. In Proceedings of the International under single or k node/link failures simultane-
Conference on Parallel Processing. ously.
Xing, G., Wang, X., Zhang, Y., Lu, C., Pless, R., K-Connectivity: If a network (graph) has k-
& Gill, C. (2005). Integrated coverage and con- connectivity, it means the it is k-connected, that is,
nectivity configuration for energy conservation given any pair of wireless devices (nodes), there
in sensor networks. ACM Transactions on Sensor are at least k disjoint paths to connect them.
Networks, 1(1), 36-72.
K-Coverage: A sensor network achieves k-
Yang, S., Dai, F., Cardei, M., & Wu J. (2006). On coverage if every location is covered by at least
connected multiple point coverage in wireless k different sensor nodes, that is, every location
sensor networks. Journal of Wireless Information is within the sensing range of at least k different
Networks, 13(4), 289-301. sensor nodes.
Zhang, H., & Hou, J. (2005). Maintaining sensing Power Control: Controls the network topology
coverage and connectivity in large sensor networks. by adjusting the wireless device’s transmission
Ad Hoc and Sensor Wireless Networks: An Inter- range to minimum energy consumption while
national Journal, 1(1-2), 89-123. maintaining a topology that is connected or has
certain desired properties.
Zhou, Z., Das, S., & Gupta, H. (2004). Connected k-
coverage problem in sensor networks. In Proceed- Self-Protection: A sensor network is p-self-
ings of the International Conference on Computer protected, if at any moment, for any wireless sen-
Communications and Networks. sor (active or nonactive), there are at least p active
sensors that can monitor it.
Zhou, Z., Das, S.R., & Gupta, H. (2005). Fault
tolerant connected sensor cover with variable Topology Control: Let each wireless device
sensing and transmission ranges. In Proceedings locally select certain neighbors for communica-
of the IEEE MASS 2005. tion, while maintaining a topology that can support
energy efficient routing and improve the overall
network performance.
Virtual Backbone: A connected backbone
kEy tErMs formed by a subset of wireless nodes selected to
perform communication tasks for the other nodes
Fault Tolerance: If a network is fault tolerant and the whole network.
or k-fault tolerant it means the network can survive
Section IV
Security in Wireless PAN/LAN/
MAN Networks
Chapter XLI
Evaluating Security Mechanisms
in Different Protocol Layers for
Bluetooth Connections
Georgios Kambourakis
University of the Aegean, Greece
Angelos Rouskas
University of the Aegean, Greece
Stefanos Gritzalis
University of the Aegean, Greece
AbstrAct
Security is always an important factor in wireless connections. As with all other existing radio technolo-
gies, the Bluetooth standard is often cited to suffer from various vulnerabilities and security inefficiencies
while attempting to optimize the trade-off between performance and complementary services including
security. On the other hand, security protocols like IP secure (IPsec) and secure shell (SSH) provide
strong, flexible, low cost, and easy to implement solutions for exchanging data over insecure communi-
cation links. However, the employment of such robust security mechanisms in wireless realms enjoins
additional research efforts due to several limitations of the radio-based connections, for example, link
bandwidth and unreliability. This chapter will evaluate several Bluetooth personal area network (PAN)
parameters, including absolute transfer times, link capacity, throughput, and goodput. Experiments
shall employ both Bluetooth native security mechanisms, as well as the two aforementioned protocols.
Through a plethora of scenarios utilizing both laptops and palmtops, we offer a comprehensive in-depth
comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth
communication links.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
quadruple in number between now and 2008, from link layer. Virtually all Bluetooth devices support
under 100 million to about 440 million. Bluetooth this feature, and it is, in most cases, considered to
enabled devices are used in several different envi- be adequately secure. However, this may not be
ronments and cover a wide range of applications. applicable for all deployment scenarios. In order to
For instance, for mobile applications, the device establish a secure channel with another Bluetooth
periodically connects to the network to download device, a preshared secret called PIN is required. A
music, to transfer files, or to synchronize with one’s symmetric key is generated from this PIN. On cus-
desktop on calendar and other files. Consequently, tomer devices this PIN typically consists of four or
the safety and security of these applications, for five digits. Supposing a whole piconet network would
instance, the security of the private information utilize this PIN to encrypt its communication, anyone
stored on the devices, becomes a major issue. By acquiring this PIN could theoretically decrypt all
attacking actively or passively the communica- communication. On top of that, in applications like
tion link, aggressors could obtain personal and VoIP that mandate IP connectivity to access points
also important business data. However, security (APs), the encryption would end at the AP, which
features (Gehrmann, Persson, & Smeets, 2004) means that the AP, or any host that can manipulate
must be carefully considered and analyzed in order the communication between the Mobile Device and
to decide whether Bluetooth technology indeed the other end, can expose the data (see Figure 1).
provides the right answer for any particular task Thus, it is obvious that Bluetooth encryption is not
or application. well suited for all applications which may exploit
The Bluetooth standard has been long criticized Bluetooth connections.
for various vulnerabilities and security inefficien- Under these circumstances and for certain
cies, as its designers are trying to balance between classes of security sensitive applications deployed
performance and complementary services includ- in Bluetooth PAN networks, the investigation of
ing security. So far, both the Bluetooth Special complementary and advanced security protocols
Interest Group (SIG) (Bluetooth SIG, 2003) and apart from Bluetooth’s native security mechanisms,
several researchers have made significant contribu- even if deployed as an interim countermeasure, is
tions on Bluetooth security aspects, discovering an interesting research issue. On the other hand, as
numerous vulnerabilities and potential weaknesses Bluetooth wireless technology is targeting devices
and proposing solutions (Adam, 2003; Gehrmann, with particular needs and constraints (e.g., process-
& Nyberg, 2002; Jacobson & Wetzel, 2001; Persson ing power and battery consumption) the trade-offs
& Manivannan, 2003; Shaked & Wool, 2005). For between security services and performance must be
example, the Bluetooth pairing procedure has been carefully considered. Furthermore, considering that
anticipated to be weak under certain circumstances. radio links in general suffer from limited bandwidth
Moreover, other categories of threats, either active and are unreliable by nature, performance issues
or passive, have also been investigated, including must be thoroughly investigated to make a decision
ad hoc security issues, malicious software like whether certain security protocols and their mecha-
“Cabir,” war-nibbling, and so forth. nisms are advantageous over Bluetooth connections,
An obvious choice for any Bluetooth application delivering robust and agile security services within
would be to use Bluetooth encryption provided at tolerable service response times.
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
During the last few years, several researchers Experiments shall employ both Bluetooth native
have examined various Bluetooth security param- security mechanisms as well as the two aforemen-
eters and some of them do explore performance tioned protocols. Through a plethora of scenarios,
parameters (e.g., Chakraborty, 2000; De Morais utilizing both laptops and palmtops, we intend
Cordeiro, Sadok, & Agrawal, 2001; Francia, Kilaru, to offer a comprehensive in-depth comparative
Le Phuong, & Vashi, 2004; Golmie & Rebala, 2003; analysis of each of the aforementioned security
Howitt, 2002; Karnik & Kumar, 2000; Kitsos et mechanisms when deployed over Bluetooth com-
al., 2003; Lim et al., 2001; Miorandi, Caimi, & munication links.
Zanella, 2003; Wang, Arumugam, & Krishna, The rest of the chapter is structured as fol-
2002). However, to the best of our knowledge, none lows. The next section gives an overview of our
of these works focus on performance evaluation experimental test-bed related parameters and
comparing Bluetooth’s native security mechanisms procedures, while the third section presents the
with well-respected, strong security protocols like derived performance measurement results. The
IPsec and SSH. forth section offers an analytical discussion over
The chapter will focus on the performance of the conducted results. The chapter finishes with
existing protocols and mechanisms rather than on some concluding thoughts and future directions
security itself, estimating the performance of both of this work.
the built-in Bluetooth security mechanisms, namely
security modes, and two other standard security
protocols operating at different layers of the TCP/IP ExPErIMEntAl frAMEwork
protocol suite, namely SSH and IPsec. Protocols dEscrIPtIon
like SSH and IPsec provide robust, flexible, costless,
and easy to implement solutions for exchanging The experimental topology consists of two pairs
data over insecure communication links. However, of machines. The first pair of Bluetooth devices
although their deployment is a well established and employs a laptop and a palmtop machine, while
accustomed practice in the wireline world, more the other consists of two similar laptop machines.
research effort is needed for wireless links, due to The members of each pair are located at 10 meters
the several aforementioned limitations. Depending apart and connected via Bluetooth adapters (or
on the scenario involved, the user may utilize SSH built in Bluetooth chip), thus forming a small two-
or IPsec security services, either individually or member wireless PAN (WPAN) or piconet. The
in combination with Bluetooth security modes, main components’ characteristics, both software
allowing applications to communicate securely, and hardware, are presented in Table 1. To estimate
constructing a secure tunnel. Thus, in a sense, the the performance of the Bluetooth network, the data
whole procedure can also be seen as the deployment were transmitted from one network node (server)
of small VPNs in Bluetooth PANs. Note however, to the other (client). Hence, in order to record the
that the efficiency of the SSH and IPSec depends incoming and outcoming packets between the cor-
mainly on the performance of the used end-system. responding network entities and to calculate the
On the contrary, Bluetooth security native modes network performance parameters we utilized on
utilize the hardware encryption of the Bluetooth the server side the well known network analyzer
chip, thus performance depends heavily on the “ethereal” (www.ethereal.com), version 0.10.12,
chip per se. This situation will allow us to make which in turn uses the “tcpdump” tool. In addi-
several observations about different layer security tion, for the Linux environment, we employed
mechanisms when deployed over dissimilar user the BlueZ official Linux Bluetooth protocol stack
devices. (www.bluez.org), which provides support for the
Specifically, the chapter will evaluate several core Bluetooth layers and protocols.
personal area network (PAN) parameters, includ- Bluetooth supports three different security
ing transfer times, link capacity, and throughput. modes called security modes I, II, and III, but in
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
our tests we decided to use only security modes 3DES algorithms for confidentiality in both ma-
I and III. Security mode I offers no real security chines by installing IPsec-tools (http://ipsec-tools.
as authentication and confidentiality services are sourceforge.net/) and Openswan (www.openswan.
disabled. On the other hand, security mode II org) as well. For SSH secured communication we
provides security services after the connection used OpenSSH. In fact, many open-source projects
between the two devices has been established and exist. In addition to FreeSWAN and openswan
only if a given application has requested them. which both enable IPsec in the Linux kernel,
Thus, the security services in mode II depend on openvpn (http://openvpn.net/) can be used to cre-
the application running. The last security mode is ate TLS-encrypted point-to-point connections.
the most powerful among the three modes because For SSH confidentiality services we chose four
it mandates both authentication and confidentiality algorithms to test namely, 3DES, AES, Arcfour,
built-in mechanisms independently of the applica- and Blowfish. Finally, for both IPsec and SSH
tion running. These mechanisms are referred to we employed only symmetric cryptography and
as Bluetooth baseband security procedures, where manual keying procedures for the authentication of
the baseband layer deals with the SAFER+ algo- parties considering the fact that usually Bluetooth
rithms (Massey, Khachatrian, & Kuregian, 1998). piconets are formed ad hoc and their users do not
As implied, one of the terminals was acting as a hold public key certificates.
client and the other one as the server. Therefore,
the server should require security and the client
should respond accordingly. PErforMAncE MEAsurEs
For IPsec, the engaged machines must have the
same security policies in order to communicate As mentioned before, the experimental procedure
securely. So, we configured Linux to use MD5 and consists of three main parts: evaluation of Bluetooth
SHA1 algorithms for data integrity and DES and built-in security modes I (no security), and III
Palmtop Client
Model HP iPAQ h5400
Processor 400 MHz Intel XScale PXA250
RAM 64 MB
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
Figure 2. Average metric values for network parameters measured/Bluetooth Modes I and III
0.0
0.0
0.0 .
seconds
0.0
0.0
0.
0.0
Mode I
0.0
Mode III
.
0.0
. MB MB 0. MB MB
file size
0. 0.
.
. 0.0 0.
kbps
.
. .
. .0
.0
. .0
.
.
Mode I .0 .0 Mode I
. .
. Mode III Mode III
.
.0
.
. MB MB 0. MB MB
. MB MB 0. MB MB
file size
file size
0
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
decreased. Measurements were gathered during Moreover, encryption algorithms are applied
repeated FTP file transfers, between the laptop during the transaction for mode III and as a result
server and the PDA client from the one hand and the overall transfer time is increased. We can also
between the laptop client and server from the other. perceive that the larger the file size is, the longer
Each file was transferred twelve times and only the TT difference between mode Ι and mode ΙΙΙ is
average values were recorded. In all scenarios, expected to be. This situation is also depicted in
the ping response times between client and server the respective plot of Figure 2. In general, these
were varying among 19.7 and 21.8msecs. Due measurements advocate that mode I utilizes the
to space limitations, in the following first three network better than mode III. Because of the
subsections we present only the analytical results volatile nature of the wireless link, we also report
derived from the laptop server/PDA client, which standard deviation (SD) for the measured values
is without doubt the most interesting one, while in Table 2.
some indicative corresponding comparisons with
the other laptop client–server pair is exhibited in secure shell (ssH) Evaluation
the subsection titled “Comparison Between PDA
and Laptop Clients.” Experimental procedures for the SSH mechanism
(IETF, 2006; OpenSSH, 2006) consider the transfer
bluetooth security Modes I and III of the same four files, as before, between the client
Evaluation and the server. Table 3 displays the average times
of all metrics used, while Table 4 presents the cor-
Measurements for testing Bluetooth modes I and responding standard deviation values.
III were gathered by transferring four different files As we can notice, SSH gives highly increased
between each client–server pair. The files’ sizes transfer times when compared to Bluetooth secu-
were 5.26, 7.0, 10.5, and 15 Mbytes, respectively. rity modes. For instance, we can spot a difference
Figure 2 provides a graphical representation of of +12.6 seconds to +13.4 seconds for the small-
these values comparing TT times achieved in the est file depending on the cipher used. Moreover,
PDA client–laptop server piconet. As we can eas- it is more than obvious that all the ciphers used
ily notice, the results are generally as expected, are more or less of the same performance. This
but there are some interesting points which need is easily proven if we examine for example the
further analysis. At first, the TT metric is slightly achieved transfer rates in each case, which shown
higher for mode ΙΙΙ, as well as the ATR is higher for very slight differences.
mode Ι. This happens because mode III mandates Another interesting assumption that we can
authentication (handshake) at the beginning of each make is that as the size of the file increases, the
transaction. Keep in mind that the handshake time achieved transfer rate and the throughput become
is included in TT too. bigger. This happens because of the procedure of
the authentication which takes place during the ini-
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
tial SSH handshake. In any case it should be noted and the server. IPsec uses two mechanisms (proto-
that the improvement in the achieved transfer rates cols) that may be used independently or jointly to
always compared to Bluetooth security mode I and secure the outcoming traffic, namely authentication
induced by SSH, are negative for any scenario. This header (AH) offering data origin, connectionless
means that Bluetooth’s native mechanisms offer
better bandwidth and network utilization at almost
all cases examined. This remark is confirmed by Table 5. %ATR deterioration for SSH
the values given in Table 5. Bluetooth
3DES AES128 RC4 Blowfish
Size Mode I
IPsec Evaluation 5.26 618.0 -14.8 -15.0 -15.2 -15.3
7 620.2 -10.4 -10.4 -10.6 -10.9
The procedure for the IPsec protocol (Kent & 10.5 621.2 -6.3 -6.2 -6.4 -11.0
Atkinson, 1998a, 1998b) considers once again the 15 621.4 -2.9 -2.9 -3.3 -3.3
transfer of the same four files between the client
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
data integrity, and optionally replay protection, vices. Note however that MD5 is not considered
and encapsulating security payload (ESP) offering secure anymore and is reported here for the sake of
confidentiality and protection against traffic analy- completeness. In total, we deployed six scenarios
sis. In our scenarios we utilized both mechanisms, as shown in Table 6.
using the MD5 and SHA1 algorithms for integrity First and foremost, all network metrics for IPsec
and DES and 3DES to support confidentiality ser- are remarkably concentrated. Standard deviation
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
values rendered in Table 7 confirm this remark. comparison between PdA and
Surprisingly, IPsec gives better transfer times laptop clients
for all file sizes when compared to Bluetooth and
SSH. This is also confirmed by %ATR improve- Considering the second experimental pair, which
ment for IPsec shown in Table 8. In particular, all employs laptops for both the server and the client
IPsec times are very close to those of Bluetooth’s (see Table 1), TT times were better for all the cor-
mode I, while at the same time are considerably responding scenarios, namely Bluetooth native
better than SSH’s. Note, that IPsec renders 210.5 security modes, SSH and IPsec. For instance,
seconds as the highest time duration for transferring Bluetooth modes show a slight TT improvement
the biggest file, while correspondingly SSH gives ranging from 1 to 3 seconds depending on the
222.1 seconds, mode III produces 213.2 seconds, file size. Specifically, TT for the 7 MB file was
and mode I 211.6 seconds. This is partially due 102.8 and 106.5 for Bluetooth mode I and III,
to substantially increased (and highly stabilized) respectively. Approximately the same situation is
bandwidth that IPsec generates. The aforemen- reported for SSH and IPsec as depicted in Figure
tioned observations are also confirmed by the fact 3. This is expected as the laptop client incorporates
that during IPsec measurements we had a very a faster CPU and thus gains more in cryptographic
low rate of packet loss reported by the Ethereal operations that SSH and IPsec mandate. The same
utility. It is important to note that the throughput remark is applied for the other two network per-
was better when using ESP. On the contrary, when formance parameters, throughput and ATR. As in
using AH, the throughput for transferring the files the PDA client case, IPsec continues to perform
was lower. This can be explained by the fact that better under all circumstances for the laptop client
authentication is applied in AH. due to its throughput optimization. However, IPsec
Figure 3. Comparison of network transfer times between Laptop and PDA clients
ssH transfer tim e (7 Mb) IPsec transfer tim e (7 Mb)
.0 0.
0.
. . 0.0
.0 0.0
. 0.0
. 0.
.0 0.
0.
seconds
0.
0.0
seconds
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
TT times remain very close to those of Bluetooth bits is encoded into a 15 bit codeword, and is capable
security modes. The same situation is confirmed of correcting single bit error in each block. Table
by the minimum standard deviation values that 9 shows the different ACL packet types and their
characterize the IPsec case. Also in this case, SSH properties. The values in the table are theoretical
gives the worst performance compared with IPsec without packet overhead. For example, over an
and Bluetooth native security modes. ACL link using DH5, one can send about 300 to
320 kbit/s of UDP user data, while the theoretical
limit is 433.9 kbit/s.
coMMEnts on tHE rEsults This means that in order to overcome the effect
of low and varying link quality on throughput,
This section provides a comparative view of the the selection of the optimal link layer packet size,
conducted results. Also, we attempt to provide a under estimated channel conditions, is crucial.
better explanation of the experiment outcomes. Indeed some research work (Chen, Kapoor, Sana-
But before that we must shortly discuss important didi, & Gerla, 2004) points this out by evaluating
characteristics of Bluetooth connections that may the “optimal” link layer packet size based on the
affect the performance of the connection. Bluetooth current bit error rate of the channel. Moreover, in
employs frequency hopping spread spectrum regions that Wi-Fi networks coexist with Bluetooth
(FHSS) to avoid interference. There are 79-23 in and because Wi-Fi and Bluetooth utilize spectrum
some countries-hopping frequencies, each having in different ways, they can cause considerable
a bandwidth of 1MHz. Frequency hopping is as- interference between each other (depending on
sisted with fast automatic repeat request (ARQ), the relative location of the 802.11b and Bluetooth
cyclic redundancy check (CRC), and forward error devices) (Yip & Kwok, 2004). By transmitting at
correction (FEC) to achieve high reliability on the the highest power level, Bluetooth class 1 devices
wireless links. All the data/control packet transmis- would create more interference than Bluetooth’s
sions are synchronized by the master. Slave units class 2 and class 3 devices, which transmit at
can only send in the slave-to-master slot after being lower power levels. Furthermore, because each
addressed in the preceding master-to-slave slot, Bluetooth PAN will occupy the entire ISM band,
with each slot lasting 625 microseconds. two or more coexisting Bluetooth PANs will oc-
For real-time data such as video, synchronous casionally collide, possibly causing loss of data
connection oriented (SCO) links are used, while packets. Of course, apart from implementation
for data transmission, asynchronous connectionless issues (e.g., protocol stacks), the aforementioned
link (ACL) links are employed. There are several parameters are closely related and can affect real
ACL packet types, differing in packet length and Bluetooth connections and the results gathered
whether they are FEC coded or not. The FEC cod- in this chapter. For instance, all experiments
ing scheme used in ACL DM mode is a shortened were conducted inside the coverage area of the
Hamming code, where each block of 10 information University’s hot-spot.
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
0
ESP_DES_SHA
rying about. According to some other works (e.g.,
0
0
FreeSwan, 2002) utilizing low-end machines, a
0 60 MHz Pentium running a host-to-host tunnel
0
00
to another machine shows an FTP throughput of
0 slightly over 5 Mbit/s either way. Thereafter, we
0 file sizes
0 can conclude that in our case the IPsec mechanisms
. MB MB 0. MB MB running on “relatively” low-end processors is not
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
really a bottleneck. The overall performance is protocol overhead induced. These screens illustrate
rather affected most by the quality of the Bluetooth the overall network statistics for Bluetooth mode III
link itself, meaning that due to better utilization of and IPsec AH_MD5, respectively. The “Data” sec-
the link and possibly due to optimal ACL scheme tion corresponds to the overall percent of data that
and lower packet drop rate, IPsec performs slightly were sent from the server towards the PDA client
better than native Bluetooth modes do. for the 5.26 MB file. We observe that IPsec needs
In Figure 6, we present some indicative ethereal considerably lower percent of TCP data packets to
screens that attest why in practice IPsec performs complete the transaction (49.63%) than Bluetooth
better from the other two in terms of the additional mode III which requires 66.24%. Note, that exclud-
ing ARP messages, the remaining percent corre-
sponds to control information sent from the client
Figure 5. Comparison of network throughput for
to the server including ACKs, retransmissions, and
six different scenarios (PDA client)
so forth. Therefore, IPsec utilizes the link better,
Comparison of Throughput for different scenarios achieving higher performance.
Another important factor that may affect the
conducted results is the operating system itself. For
that we performed partial measurements using the
0
Windows XP operating system in the laptop client,
while keeping all the other test-bed parameters
unchanged. Under this setting, we observed sig-
Percentage (%)
nificantly lesser packet retransmissions and logged
fairly better times. For example, for Bluetooth mode
III and file size 10.5 MB we got an average transfer
0
MODE I time of 150 seconds, namely 5 seconds better than
MODE III
DES
Linux. One can presume that the Bluetooth stack
Blowf ish is better implemented in Windows than in Linux or
AH_SHA
ESP_DES_SHA
the Bluetooth adapters that we used perform better
. MB MB
under Windows, perhaps due to their drivers’ imple-
file sizes 0. MB MB
mentation. Nevertheless, a detailed analysis of this
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
This chapter addresses performance issues for De Morais Cordeiro, C., Sadok, D., & Agrawal, D.
Bluetooth host-to-host connections. Three distinct P. (2001). Modeling and evaluation of Bluetooth
categories of scenarios were used to test whether MAC protocol. In Proceedings of Tenth Interna-
well respected security mechanisms of Internet tional Conference on Computer Communications
and application layers of the TCP/IP suite are ad- and Networks (pp. 518-522).
vantageous when deployed over Bluetooth PANs Francia, G., Kilaru, A., Le Phuong, & Vashi, M.
compared to Bluetooth native security modes. The (2004). An empirical study of Bluetooth perfor-
results disclose that IPsec better utilizes the wireless mance. In Proceedings of the 2nd Annual Confer-
link and thus provides radically improved transfer ence on Mid-South College Computing, ACM
times when compared with SSH. Native Bluetooth International Conference Proceeding Series (Vol.
modes service times are close to those of IPsec’s 61, pp. 81-93).
thus significantly better from SSH ones. On the
other hand, there is an important disadvantage FreeSwan. (2002). Performance of FreeSwan.
which is the high amount of the memory resources Retrieved October 14, 2007, from http://www.
IPsec consumes. freeswan.org/freeswan_trees/ freeswan-1.95/doc/
As future work we would like to expand this performance.html
study, investigating the performance of asymmetric Gehrmann, C., & Nyberg, K. (2002). Enhancements
cryptography mechanisms, for example, public key to Bluetooth baseband security. Ericsson Mobile
certificates, and to support authentication services in Communcations AB, Ericsson Research.
the context of such protocols that promote automatic
keying. Another direction is to detect how much Gehrmann, C., Persson, J., & Smeets, B. (2004).
energy is required for this sort of secure connec- Bluetooth security. Artech House Publishers.
tions, as mobile devices can not afford batteries
Golmie, N., & Rebala, O. (2003). Techniques to im-
with unlimited capacity.
prove the performance of TCP in a mixed Bluetooth
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
and WLAN environment. In Proceedings of IEEE OpenSSH. (2006). OpenSSH project home page.
International Conference on Communications, Retrieved October 14, 2007, from http://www.
ICC, Anchorage, AK, (pp. 1181-1185). openssh.org
Howitt, I. (2002). Bluetooth performance in the Persson, K., & Manivannan, D. (2003). Secure con-
presence of 802.11b WLAN. IEEE Transactions nections in Bluetooth scatternets. In Proceedings of
on Vehicular Technology, 51(6), 1640-1651. the 36th Annual Hawaii International Conference
on System Sciences (HICSS ‘03) (p. 314b).
IEEE. (2002). Wireless PAN medium access control
MAC and physical layer PHY specification. IEEE Shaked, Y., & Wool, A. (2005). Cracking the Blue-
standard 802.15. New York: IEEE. Retrieved Oc- tooth PIN. In Proceedings of the 3rd ACM Interna-
tober 14, 2007, from http://www.ieee802.org/15/ tional Conference on Mobile Systems, Applications,
and Services (pp. 39-50). ACM Press.
IETF. (2006). IETF secure shell (secsh) working
group. Retrieved October 14, 2007, from http:// Wang, F., Arumugam, N., & Krishna, G. H. (2002).
tools.ietf.org/wg/secsh/ Performance of a Bluetooth piconet in the presence
of IEEE 802.11 WLANs. In Proceedings of the
Jacobson, M., & Wetzel, S. (2001). Security weak-
13th IEEE International Symposium on Personal,
nesses in Bluetooth. In Proceedings of the Confer-
Indoor and Mobile Radio Communications (Vol.
ence on Topics in Cryptology: The Cryptographer’s
4, pp. 1742-1746).
track at RSA (LNCS 2020, pp. 176-191).
Yip, H. K., & Kwok, Y-K. (2004). A performance
Karnik, A., & Kumar, A., (2000). Performance
study of packet scheduling algorithms for coordi-
analysis of the Bluetooth physical layer. In Proceed-
nating colocated Bluetooth and IEEE 802.11b in
ings of IEEE International Conference on Personal
a Linux machine. In Proceedings of the 7th Inter-
Wireless Communications (pp. 70-74).
national Symposium on Parallel Architectures,
Kent, S., & Atkinson, R. (1998a). IP authentication Algorithms and Networks (ISPAN’04).
header (AH) (IETF RFC 2402).
Yujin, L., Jesung, K., Sang, L. M., & Joong, S. M.
Kent, S., & Atkinson, R. (1998b). IP encapsulating (2001). Performance evaluation of the Bluetooth-
security payload (ESP) (IETF RFC 2406). based public Internet access point. In Proceedings
of the 15th International Conference on Information
Massey, J., Khachatrian, G., & Kuregian, M. (1998). Networking (pp. 643-648).
Nomination of SAFER+ as candidate algorithm for
the advanced encryption standard (AES). In Pro-
ceedings of the1st Advanced Encryption Standard
Candidate Conference. Retrieved October 14, 2007, kEy tErMs
from www.ee.princeton.edu/ ~rblee/safer+
Bluetooth: An industrial specification for
Miorandi, D., Caimi, C., & Zanella, A. (2003).
wireless personal area networks (PANs). Bluetooth
Performance characterization of a Bluetooth pi-
provides a way to connect and exchange infor-
conet with multi-slot packets. In Proceedings of
mation between devices such as mobile phones,
the WiOpt’ 03.
laptops, PCs, printers, digital cameras, and video
Misic, J., Chan, K. L., & Misic, V. B. (2005). TCP game consoles via a secure, globally unlicensed
traffic in Bluetooth 1.2: Performance and dimen- short-range radio frequency.
sioning of flow control. In Proceedings of WCNC
Goodput: The application level throughput,
’05 (pp. 1798-1804).
that is, the number of useful bits per unit of time
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
forwarded by the network from a certain source and IP header integrity (with some cryptography
address to a certain destination, excluding protocol algorithm also nonrepudiation). On the other hand,
overhead retransmissions, and so forth. the encapsulating security payload (ESP) protocol
provides data confidentiality, payload (message)
IEEE 802.15: The IEEE 802.15 WPAN working
integrity, and with some cryptography algorithm
group focuses on the development of consensus
also authentication.
standards for personal area networks or short dis-
tance wireless networks. These WPANs address Network Performance: The level of quality of
wireless networking of portable and mobile com- service of a telecommunications resource, protocol,
puting devices such as PCs, PDAs, peripherals, cell or product.
phones, pagers, and consumer electronics, allowing
Secure Shell or SSH: A set of standards and
these devices to communicate and interoperate with
an associated network protocol that allows estab-
one another. The IEEE Project 802.15.1 has derived
lishing a secure channel between a local and a
a wireless personal area network standard based on
remote computer. It uses public-key cryptography
the Bluetooth v1.1 Foundation Specifications.
to authenticate the remote computer and to option-
IPsec: IPsec (IP security) is a suite of protocols ally allow the remote computer to authenticate the
for securing Internet protocol communications by user. SSH provides confidentiality and integrity of
encrypting and/or authenticating each IP packet data exchanged between the two computers using
in a data stream. IPsec also includes protocols for encryption and MACs.
cryptographic key establishment. There are two
Throughput: The amount of digital data per
modes of IPsec operation: transport mode and
time unit that are delivered to a certain terminal
tunnel mode. IPsec is implemented by a set of
in a network, from a network node, or from one
cryptographic protocols for securing packet flows.
node to another, for example, via a communica-
Specifically, the authentication header (AH) pro-
tion link.
tocol provides authentication, payload (message),
0
Chapter XLII
Bluetooth Devices Effect on
Radiated EMS of Vehicle Wiring
Miguel A. Ruiz
University of Alcala, Spain
Felipe Espinosa
University of Alcala, Spain
David Sanguino
University of Alcala, Spain
AbstrAct
The electromagnetic energy source used by wireless communication devices in a vehicle can cause elec-
tromagnetic compatibility problems with the electrical and electronic equipment on board. This work
is focused on the radiated susceptibility (electromagnetic susceptibility [EMS]) issue and proposes a
method for quantifying the electromagnetic influence of wireless radio frequency (RF) transmitters on
board vehicles. The key to the analysis is the evaluation of the relation between the electrical field emitted
by a typical Bluetooth device operating close to the automobile’s electrical and electronic systems and
the field level specified by the electromagnetic compatibility (EMC) directive 2004/104/EC for radiated
susceptibility tests. The chapter includes the model of a closed circuit structure emulating an automobile
electric wire system and the simulation of its behaviour under electromagnetic fields’ action. According
to this a physical structure is designed and implemented, which is used for laboratory tests. Finally,
simulated and experimental results are compared and the conclusions obtained are discussed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
context, the present work appears in order to bring Taking advantage of the trend towards the use
up methods and results that contribute to establish- of DC voltage supplies of 36-42 volts instead of
ing the possible risks limit of the use of wireless the 12-14 volts currently used, an increase in elec-
devices inside the automobile, and more precisely tronics is being adopted to control key elements of
those based on Bluetooth technology. the automobile such as the steering, braking, and
To centre the problem, it is mentioned the acceleration. For example, the car uses a range of
tendencies in the automobile field that bet for the electric actuators and also has an innovative driver
incorporation of new electrical and electronic sys- interface. The driver has all the vehicle functional-
tems (X-by-Wire technology) (Leen & Hefferman, ity in a special steering wheel, which is used for
2002; Mazo, Espinosa, Awawdeh, & Gardel, 2005) acceleration and braking as well as for steering
front of the current mechanical systems, aspects of and gear shifting. The vehicle uses a conventional
automotive electromagnetic compatibility (EMC) engine for propulsion but electromechanical ac-
standard 2004/104/EC (2004) for evaluation of tuators for braking, clutching, and gear shifting
susceptibility/immunity in vehicles are detailed, (Larses, 2003).
it is justified the interest to focus the study on the With the progress of X-by-Wire technology,
extended Bluetooth wireless communication tech- in-vehicle data traffic is always growing. Conven-
nology. However there are nonregulated questions tionally, individual wire harnesses were used for
by the 2004/104/EC concerning the use of Bluetooth data transfers between control units and their as-
devices what rise uncertainties around the risk sociated sensors or display devices. As the number
derived from its use. of control units and associated devices increase,
To get a better knowledge of this issue, we the number of wire harnesses and interconnec-
lay a few questions regarding the increase of the tions required is swelling. The in-vehicle local-area
electronic equipment role in the automobile, the network (controller area network [CAN], local in-
characteristics of commercial Bluetooth devices, terconnect network [LIN], and FlexRay) provides
some notes about the EMC European Directive an answer to this problem: it minimises the use of
involved in vehicles, and last but not least, some of individual wire harnesses for data exchanges and
the directive gaps concerning Bluetooth wireless reduces both interconnections and vehicle weight,
devices in this context. trying to improve consumption, power, security,
and comfort.
the Increase in Electrical and However, associated with these electronic
Electronic components in and communication innovations new sources of
Automobiles potential equipment failure appear, leading to the
necessity to continue working on both diagnosis
It is clear that nowadays on board electronic com- and prognosis in the automotive sector.
ponents play an important role on vehicles (Ban-
natyne, 2000; Leen & Hefferman, 2002; Mazo et bluetooth devices and Applications in
al., 2005), as much for the increase in the number Automobiles
of electronically controlled units (ECUs) as for the
complexity of the communication system (field The presence of radio frequency transmitters in
buses) implemented. automobiles as a way for multiple wireless com-
Continuous development in the industrial auto- munication appliances continue to grow. Apart
mobile sector means that dynamic systems that have from the well known uses for the assistance and
traditionally been of a mechanical and hydraulic entertainment (GPS, laptops, PDAs, digital cameras,
nature, such as the steering, braking, and accelera- portable multimedia devices CD/DVD, etc.), others
tion are being replaced by electronic ones, which such as remote diagnosis, traffic control, accident as-
leads to the proposal of networks such as X-by-Wire sistance, and so forth are being promoted (Campos,
with its own protocol (Mazo et al., 2005). Mills, & Graves, 2002; Mazo et al. 2005).
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
There are several wireless technologies (WiFi, Bluetooth technology, where a logic 1 level is rep-
DSRC, Zigbee, etc.) available to automobile manu- resented by a positive frequency shift and a logic 0
facturers and users, but at present the most widely level is represented by a negative frequency shift.
used is Bluetooth. Although the functionality and Keeping all this in mind, a Bluetooth transmitter,
operativity of each technology is different, they from an EMC viewpoint, can be considered as
have in common the incorporation of a transmitter an interfering RF source in the 2.4 to 2.4835 Ghz
or an electromagnetic energy source in the environ- frequency band.
ment in which they operate. This extra energy can Two levels of Bluetooth technology application
cause any kind of failure on equipment situated can be considered inside an automobile: Bluetooth
close to the transmitter, as is the case of ECUs on integrated into the vehicle at a system level and
board a vehicle where the driver introduces several Bluetooth at a user device level. From a user device
wireless devices. At the same time, the metal cage level point of view, Bluetooth technology allows
of the vehicle can act as a concentrating reflector, connecting inside the vehicle electronic mobile
amplifying radio frequency (RF) density emit- devices such as PDAs, laptops, GPSs, handsfree
ted by different radiation sources to higher and sets, or cell phones, as seen in Figure 1.
potentially more dangerous levels. The concept of ‘Bluetooth integrated into the
Bluetooth is an open technology that works vehicle at a system level’ is used when a Bluetooth
with low power and is designed for short range network can provide a functionality and versatility
(10 m-100 m), leading to being widely used in similar to a vehicle control cabled network (e.g.,
transport applications in general and in automobiles CAN bus) which is nowadays the most widely
in particular. The operating frequency range is extended solution (network and protocol) in ve-
within the industrial, scientific, and medical (ISM) hicles.
bandwidth used of 2.4 GHz to 2.4835 GHz. The
frequency range is divided into 79 individual RF directive 2004/104/cE for the
channels, each one separated by 1MHz. The output Assessment of EMc in vehicles
levels are divided into three classes (SIG, 2006):
class I (100 mW, +20 dBm), class II (2.5 mW, +4 In Europe, EMC activity in automobiles is regu-
dBm) and class III (1 mW, 0 dBm). lated by the recent directive on electromagnetic
The equation that determines the frequency for
each one of the channels is as follows:
Figure 1. Typical applications of Bluetooth in
F(MHz) = 2402 + k where, k = 0…..78 vehicles
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
(equipment under test [EUT]). A metallic (copper from different wireless devices, the following
or galvanised steel) ground plane of a minimum of observations remain to be made:
0.5 mm thickness and 1000 x 2000 mm (WxL) area
has to be located 900±100 mm above the floor. • The specifications of the radiated susceptibil-
Each one of the power supply cables must be ity test, mentioned in the directive using the
connected to the EUT through an artificial network semianechoic chamber method to carry it
(AN) [5] of 5 µH/50 Ω to get a reference impedance out, determine that the range of frequencies
(usually 50 Ω). The ANs should be placed over the to be tested is from 20 MHz to 2000 MHz.
ground plane and connected to it. Therefore, the directive does not make it
The electric or electronic equipment under test compulsory to test electrical and electronic
has to be placed on a dielectric material [7] of low automobile equipment at frequencies higher
permeability (er ≤ 1.4) and 50±5 mm thickness. than 2 GHz. Bluetooth works at frequencies
One of the EUT faces has to be placed 200±10 between 2.400 and 2.4835 GHz, and hence
mm from the edge of the ground plane. The cables an electronic subsystem or component that
connected to the EUT are exposed along 1500±75 complies with the directive does not guarantee
mm to the electromagnetic radiation generated by electromagnetic compatibility in the presence
the antenna. They are placed on the same dielectric of a Bluetooth device.
material as the EUT 100±10 mm away from the • The electrical field levels specified by the
edge of the ground plane. directive to be tested in the 20 to 2000 MHz
The antenna that generates the electric field range are of 30 V/m for 90% of the frequency
has to be located at a 100±10 mm height above the band and 25 V/m for the whole frequency
ground plane, that is 1000 mm above the floor and band. It is foreseeable that in the near future
also 1000 ± 10 mm away from the EUT cables. the directive will be modified to increase the
The test procedure can be divided in two range of frequencies to at least include the
steps: operating frequencies used by the wireless
devices available on the market to automobile
• A first one where the electric field level users.
calibration is done (without EUT, cables nor • The test method specified in the directive
ANs). corresponds to a situation in which the trans-
• A second in which the test is taken place mitter is not situated close to the equipment
based on the levels obtained in the preceding being studied. This leads to the use of a
step. plane wave in the test setup, which requires
one or more transmitter antenna working in
In the calibration stage, an isotropic probe 150 far field. However, in this particular case it
± 10 mm above the ground plane and 100 ± 10 mm is easy to find Bluetooth transmitters within
away from the edge is used. The calibration is done the automobile’s own electrical and electronic
for both horizontal and vertical electric field. system or another ones (introduced by users)
operating a few centimetres away from the
Aspects of bluetooth devices that are electronic systems and wires of the vehicle’s
not considered in directive 2004/104/ electrical installation.
Ec
With this background, the present work is
Having mentioned some of the properties of Blue- developed with the aim of determining whether a
tooth, as well as the EMC regulation applicable to device that complies with the requirements of the
the automobile context, and focusing the study on EMC automobile directive presents any possible
the assessment of the susceptibility of the electrical electromagnetic compatibility risks to Bluetooth
and electronic components on board to radiations transmitters located a short distance away. In addi-
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
tion a measure procedure is proposed for assessing cal-field levels of 25 V/m, which is close to the
the degree of interrelation between the electronics limit level indicated by EMC standard.
on board and the Bluetooth devices incorporated
by vehicles’ users.
ProPosEd MEtHod for
related Published works AssEssIng tHE PossIblE
EffEcts of bluEtootH dEvIcEs
In the technical literature, negative examples of usEd InsIdE vEHIclEs
vehicle-communication system interaction can
be found, as in the case of ‘Project 54’ (Kun, Taking into account previous published studies
Lenharth, & Millar, 2004), in which the origin (Schoof et al., 2003; Stadtler et al., 2002) and the
and possible solutions to random signal reception EMC specifications in the automotive context,
by appliances normally used by traffic police of- certain questions must be made in relation with
ficers are analysed. There are other more complex the incorporation of Bluetooth transmitters in
cases, such as the one stated by Tatoian (2005), in automobiles by either the manufacturer or the us-
which the possibility of equipping the police with ers of the vehicle. As mentioned earlier, the EMC
electromagnetic systems in order to block cars directive (2004/104/EC EMC, 2004) does not
in conflictive traffic conditions is assessed. The require radiated susceptibility tests above 2 GHz
impact of the transient surrounding perturbations and restricts the field level of the equipment under
(especially due to electromagnetic interferences) test to 25 or 30 V/m. Moreover, in present day traf-
on the dependability of systems distributed on fic conditions, it is easy to find several Bluetooth
TDMA-based networks in automotive domain is transmitters inside the cabin of the vehicle and
analysed in by Campos et al. (2002). within a few centimetres of the vehicle’s cables
All of this justifies the interest of automobile and electronic systems.
manufacturers in regulating the incorporation of
new information and communication technologies.
fundament of the Proposed Measure
In Australia for example, exists the FCAI (1997)
initiative, in which the automobile industry and
The setup for the radiated susceptibility test for
the nation’s government are working together to
an automobile component in accordance with
establish the emission and susceptibility limits
ISO regulation 11452-2 (ISO 11452-2, 2004) was
to which new vehicles must conform in order to
represented in the previously in the chapter. This
guarantee the compatibility of the electronics on
setup contains similarities to the actual layout of
board the vehicle with the multimedia equipment
the components inside a vehicle. For example, the
for drivers available on the market. EMC centres
equipment under test [1], wiring [2], simulators [3],
work along the same lines in association with au-
and power supply [4], are placed on a ground plane
tomobile manufacturers such as Audi or Renault
that emulates the chassis of the vehicle. The length
(Renault, 2006).
of wire exposed to the radiation is 1.5 m, being the
On the other hand, there are several previous
usual length of cable on board a vehicle.
research works related to this subject. Stadtler
In this context, a study is made of the radio
Schoof, and Haseborg (2002) calculate that a 100
frequency current that is induced in the cable [2]
mW Bluetooth transmitter in far-field (1 m) gener-
when it is submitted to the action of a Bluetooth
ates a electric-field level of 2.45 V/m, that means a
transmitter in near field, that is to say with a few
quite lower level to the one used in EMC test ac-
centimetres between transmitter and cable.
cording to the 2004/104/EC standard. Nevertheless,
Once the current induced in the EUT cable by
simulations results presented by Schoof, Stadtler,
the Bluetooth transmitter has been determined, the
and Haseborg (2003) inside a cockpit vehicle with
electrical field level that must be applied during
a 100 mW Bluetooth transmitter achieved electri-
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
the radiated susceptibility test in order to induce the transmission frequency of the device is used to
a current value identical to that induced by the measure the induced current. The resistance of 50
Bluetooth transmitter a few centimetres away Ω that corresponds to the EUT is provided by the
is analysed. If the electric field level required to spectrum analyser input; as an impedance of 50 Ω
induce the current value is under the 25 or 30V/m at the other end of the cable, a load 50 Ω with an
specified by 2004/104/EC EMC, it will confirm that N connector is used. The analyser will register the
all equipment that fulfil the EMC directive should voltage value at its input terminals and by direct
not present compatibility problems. However, if relation the value of current induced in the cable
the electric field level is similar to or higher than is determined.
the one specified by EMC directive, there is no
guarantee that the automotive component will not design of the Interference Pattern
have electromagnetic compatibility problems in
close proximity to a Bluetooth transmitter. An electromagnetic radiation source in the 2.400
to 2.483 GHz range has been designed with adjust-
able power between 1 and 100 mW, emulating the
PrActIcAl IMPlEMEntAtIon And behaviour of class I, II, and III Bluetooth transmit-
rEsults ters. The radiation source consists of an antenna
connected to a R&S SMR20 RF generator. The
Following the guidelines indicated by Stadtler et al. antenna design is based on a commercial radio
(2002), the setup shown in Figure 3 is used for the frequency module (SparkFun, 2005), simulated
present research work. The impedance presented using FEKO and implemented on a PCB.
by the EUT [1] between the cable and the ground
plane [6] is modelled as an ideal impedance of 50 Elements of the setup
Ω. At the other end of the cable an ideal imped-
ance of 50 Ω represents the one corresponding Figure 4 shows the setup used to measure the
to the artificial network [5] or to other auxiliary current induced in the cable when the Bluetooth
equipment. transmitter is situated a short distance away. The
In the first approach at validating the proposed right hand side of the cable is loaded with an im-
thesis the electromagnetic simulation tool FEKO pedance of 50 Ω, while the impedance of 50 Ω
(2005) is used. In the laboratory experimental phase, on the left hand side is provided by the spectrum
a R&S ESIB 26 spectrum analyser syntonised to analyser input (R&S ESIB 26), which is outside
Figure 3. Setup diagram of the test used to determine the current induced by a transmitter in near
field
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
the semianechoic chamber (Space Saver of ETS) (FP6001 AR) placed at a height of 10 cm above
during the test and is connected by means of an the ground plane and 10 cm from the edge facing
RG214 cable. The attenuation caused by the RG214 the antenna. The value of the current induced by
cable is corrected by the spectrum analyser. the radiation of the AT4000 AR antenna situated
To measure the induced current, the radiation at a distance of 1 m is constantly measured on the
source is placed in different positions with respect spectrum analyser. The power transferred to the
to the 1.5 m long cable. The measurements are antenna is varied until the induced current values
made with the transmitter facing the cable and in are identical to those obtained when the Bluetooth
various positions along its length. The transmit- transmitter was situated a few centimetres from
ter is placed at distances of 2 cm, 5 cm, and 8 cm the same cable. This is the way to determine the
from the cable and at heights with respect to the electric field level that induces the same current
ground plane of 0.6 cm and 3.7 cm. as a Bluetooth transmitter in the conditions previ-
To determine the value of the electric field ously described.
intensity (V/m), the setup represented in Figure 4
is used, corresponding to the radiated susceptibil- results
ity test for automobile components (2004/104/EC
EMC, 2004). The electric field level is registered In the following section, some of the results about
by means of an isotropic electric-field probe the setups proposed in previous sections obtained
by both simulations and practical measurements
made in the laboratory are given, with the principal
aim of determining the electromagnetic compat-
ibility risks caused by commercial Bluetooth
Figure 4. Setup of the test used to measure the transmitters in automobiles.
current induced by a transmitter in near field The FEKO tool is used to simulate a ground
(top). Setup used to determine the electric field plane with a 150 cm cable above it at a height of 5
level (down) cm, with both ends loaded with a resistance of 50
Connecting spectrum Load 50 Ω
Ω. A monopole antenna connected to a generator
analyzer (EUT) was used as a transmitter in the simulation. The
simulations are made with the antenna transmitter
situated in the centre of the 1.5 m cable structure
and at distances of 2 cm, 5 cm, and 8 cm and at
heights above the ground plane of 0.6 cm and 3.7
Antenna and RF cm. In addition, the simulations are carried out
generator
(Bluetooth TX
Cable under taking into account the different power types (I, II,
test
simulated) and III) specified by the Bluetooth technology.
Tables 1 and 2 represent a comparison between
Electric-field the results obtained with the FEKO simulation
probe
tool and those obtained in laboratory tests. First
of all, the results belong to a transmitter working
at 2.425 GHz and at a height above the ground
plane of 0.6 cm are presented. The table shows
the variation in the induced current as a function
of the distance that separates the transmitter from
Transmitter
antenna
the cable, and for three different power transmis-
sion (+20, +4, and 0 dBm). For example, in case
the class I transmitter is separated a distance of
2 cm from the cable, the simulated current value
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
is 1990 µA in contrast with the value of 1870 µA located at a distance of 2 cm and 5 cm from the
experimentally obtained. cable, and at a height above the ground plane of
Besides, one can see in Table 2 the comparison 0.6 cm. The same table shows the increase in the
between simulated and experimental induced cur- induced current due to the effect of different power
rent when the emission frequency is changed for class transmitter (class I, II, and III).
three Bluetooth devices (class I, II, and III) at a To conclude, Figure 5 shows the electric field
distance of 5 cm and a height of 0.6 cm. levels that the structure being tested is submitted
On the other hand, Table 3 shows some of the to in order to induce the same RF currents as those
measurements obtained in the laboratory corre- produced if a Bluetooth transmitter is situated in
sponding to the current induced by the transmitter near field. The setup used for the test is the one
Table 1. Values obtained by simulation and experimentally of the induced current as a function of the
transmitter distance. (frequency 2425 MHz and height 0.6 cm)
Wire Induced Current
Power transmission Distance
Simulation (µA) Measurement (µA)
Bluetooth devices (cm)
2 1990 1870.0
+20 dBm
5 879 715.3
(Class I)
8 337 378.0
2 315 319.5
+ 4 dBm
5 139 123.0
(Class II)
8 53.3 62.2
2 200 203.4
0 dBm
5 87.7 78.8
(Class III)
8 33.5 43.3
Table 2. Values obtained by simulation and experimentally of the induced current as a function of the
transmitter frequency (distance 5 cm and height 0.6 cm)
Induced Current
Power transmission Frequency
Simulation (µA) Measurement (µA)
Bluetooth devices (MHz)
2400 921 827.0
+20 dBm 2425 879 715.3
(Class I) 2450 941 604.0
2475 1060 645.0
2400 145 142.8
+ 4 dBm 2425 139 123.0
(Class II) 2450 148 104.8
2475 167 111.7
2400 91.1 90.8
0 dBm 2425 87.7 78.8
(Class III) 2450 93.8 67.5
2475 105 71.28
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
Table 3. Measurement of the induced current as a function of the frequency and of the Bluetooth trans-
mitter location (height 0.6 cm)
Figure 5. Identical induced current on the cable under test by the intensity of electric field (V/m) accord-
ing to the described test as well as Bluetooth transmitters working with variable distance and power
(dBm)
0
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
shown in Figure 4 (down). For example, a class I radiated susceptibility test according to a valid
transmitter (+20 dBm) located at a distance of 5 EMC directive for automobiles.
cm and at a height of 0.6 cm induces a current of In short, more consideration should be given
715 µA. In the same way, this transmitter situated to the electromagnetic interference generated by
at a distance of 2 cm induces a current of 1870 Bluetooth devices as they get closer to electrical
µA. Identical current values are induced when the and electronic circuits whose performance they
wire loaded by resistances of 50 Ω is exposed to a can affect, and even more so in confined spaces
uniform plane wave with an electric field level of where multiple sources of interference coexist,
42.3 V/m and 122 V/m, respectively. as is the situation with automobiles. The effect of
increasing the power of the transmitter or reducing
the distance between it and the wired elements of
futurE works the automobile is equivalent to submitting them to
increasing electric far-field levels in radiated sus-
Once the above shown results are analyzed, the ceptibility tests in accordance with the 2004/104/
authors suggest to keep on evaluating the elec- EC EMC directive, which increases the risk of a
tromagnetic field generated from these kinds failure in the system.
of wireless communication devices and others This work leads to support the need for the
alike, varying the setup conditions (relative cable prevailing EMC directive to be modified in order
and antenna location, cables, different antennas to assess and ensure the electromagnetic compat-
transmitting simultaneously, etc.). All this is done ibility of automobiles’ on board systems in the
comparing the results obtained from the simulation presence of wireless devices with a frequency
tools as well as from the experimental tests in the range above 2.0 GHz.
EMC laboratory.
It would also be interesting to study and evaluate
the amplifying effect due to the metallic structure AcknowlEdgMEnt
of the cabin, measuring inside and outside the
vehicle. This work has been possible thanks to the support of
the Centre of High Technology and Homologation
(CATECHOM) at the University of Alcala (UAH),
conclusIon as well as the COVE Project funded by the Spanish
Science and Education Ministry TRA2005-05409/
From the simulated and experimental results AUT and TRA2006-12105/TAIR.
obtained by this work, it can be deduced that the
electromagnetic interference supported by the
cable structure under study, when situated a few rEfErEncEs
centimetres from a commercial Bluetooth transmit-
ter, is similar to the action of a plane wave with 2004/104/EC EMC. (2004). Directive relating to
electric field levels superior to those specified by the radio interference of vehicles. Commission of
directive 2004/104/EC (25 or 30 V/m). the European Communities.
Comparing the magnitude of the electric fields
95/54/EC EMC. (1995). Directive relating to the
obtained in the present analysis with the real
radio interference of vehicles. Commission of the
values at which on board electronic components
European Communities.
are tested in accordance with the EMC directive,
it can be deduced that Bluetooth transmitters of Bannatyne, R. (2000, May). The sensor explosion
20 dBm can cause electromagnetic susceptibility and automotive control systems. Sensors Maga-
problems in the vehicle’s electronic and electrical zine, 17(5).
systems, which would not be detected during the
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
Campos, F.T., Mills, N.W., & Graves, M.L. (2002). Larses, O. (2003). Modern automotive electron-
A reference architecture for remote diagnostics ics from an OEM perspective (Tech. Rep. KTH
and prognostics applications. In Proceedings of S-100 44). Royal Institute of Technology, Me-
the IEEE Autotescon (pp. 842-853). chatronics Lab, Department of Machine Design,
Stockholm.
CISPR 12. (2001). Vehicles, boats and internal
combustion engine driven devices. Radio dis- Leen, G., & Hefferman, D. (2002, January).
turbance characteristics. Limits and methods Expanding automotive electronic systems. IEE
of measurement for the protection of receivers Computer, 35(1), 88-93.
except those installed in the vehicle/boat/device
Mazo, M., Espinosa, F., Awawdeh, A.M.H., &
itself or in adjacent vehicles/boats/devices. The
Gardel, A. (2005). Automotive electronics diag-
International Special Committee on Radio Inter-
nosis: State of the art and next tendencies. FITSA.
ference (CISPR).
Madrid. Retrieved October 15, 2007, from http://
CISPR 25. (2002). Radio disturbance characteris- www.fundacionfitsa.org/fitsa/pub/Libro%20diag
tics for the protection of receivers used on board nosis%20electronica.pdf
vehicles, boats, and on devices. Limits and methods
Renault. (2006). Renault EMC unit. Aubevoye,
of measurement. The International Special Com-
France. Retrieved October 15, 2007, from
mittee on Radio Interference (CISPR).
http://www.worldcarfans.com/news.cfm/new-
FCAI. (1997). Federal Chamber of Automotive sid/2060406.004/country/ecf/Renault-inaugu-
Industries (FCAI). Retrieved October 15, 2007, rates-emc-unit
from http://www.dcita.gov.au/Article/0,,0_4-
Schoof, A., Stadtler, T., & Haseborg, J.L. (2003,
2_4008-4_10465,00.html
May 11-16). Simulation and measurement of the
FEKO. (2005). EM software & systems. FEKO. propagation of Bluetooth signals in automobiles.
Retrieved October 15, 2007, from http://www. Paper presented at the 2003 IEEE International
feko.info/ Symposium, EMC’03 (pp.1297-1300).
ISO 11452-2. (2004). Road vehicles: Component SIG. (2006). Specification of the Bluetooth system.
test methods for electrical disturbances from nar- Retrieved October 15, 2007, from http://www.
rowband radiated electromagnetic energy. Part 2: bluetooth.com
Absorber-lined shielded enclosure. The Interna-
SparkFun. (2005).Transceiver MiRF - Miniature
tional Organization for Standardization (ISO).
RF 2.4GHz. Retrieved October 15, 2007, from http://
ISO 7637-2. (2004). Road vehicles: Electrical www.sparkfun.com/commerce/product_info.
disturbance from conduction and coupling. Part php?products_id=153
2: Electrical transient conduction along supply
Stadtler, T., Schoof, A., & Haseborg, J.L. (2002,
lines only on vehicles with nominal 12V or 24V
September 9-13). Electromagnetic compatibility
supply voltage. The International Organization
of a system under the influence of a Bluetooth
for Standardization (ISO).
transmitter. Paper presented at the Symposium
Kerry, P.J. (2003). EMC in the European Union. EMC Europe 2002, Sorrento.
IEEE. 0-7803-7779-6/03.
Tatoian, J. (2005). Car chases zapped. Pasadera,
Kun, A., Lenharth, W., & Millar, W.T. (2004). California: Eureka Aerospace. Retrieved October
Project 54. Dirham: University of New Hampshire. 15, 2007, from http://www.defensetech.org/ar-
Retrieved October 15, 2007, from http://www. chives/001369.html
project54.unh.edu/
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
tion technology, such as Bluetooth or Wi-Fi, can WLAN: The acronym for wireless local-area
be used for longer range communication or for network. Also referred to as LAWN. A type of
transferring larger amounts of data. local-area network that uses high-frequency radio
waves rather than wires to communicate between
RF: Short for radio frequency, any frequency
nodes. LAN is a computer network that spans a
within the electromagnetic spectrum associated
relatively small area. Most LANs are confined to
with radio wave propagation. When a RF current
a single building or group of buildings. However,
is supplied to an antenna, an electromagnetic field
one LAN can be connected to other LANs over
is created that then is able to propagate through
any distance via telephone lines and radio waves.
space. Many wireless technologies are based on
A system of LANs connected in this way is called
RF field propagation, including cordless phones,
a wide-area network (WAN).
radar, ham radio, GPS, and radio and television
broadcasts. RF waves propagate at the speed of
light, or 186,000 miles per second (300,000 km/s).
Their frequencies however are slower than those
of visible light, making RF waves invisible to the
human eye.
Chapter XLIII
Security in WLAN
Mohamad Badra
Bât ISIMA, France
Artur Hecker
INFRES-ENST, France
AbstrAct
The great promise of wireless LAN will never be realized unless there is an appropriate security level.
From this point of view, various security protocols have been proposed to handle wireless local-area
network (WLAN) security problems that are mostly due to the lack of physical protection in WLAN or
because of the transmission on the radio link. The purpose of this chapter is (1) to provide the reader
with a sample background in WLAN technologies and standards, (2) to give the reader a solid ground-
ing in common security concepts and technologies, and (3) to identify the threats and vulnerabilities of
WLAN communications.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security in WLAN
802.11 WLAN started being rolled out, especially than the wired LAN. The open access to the net-
in enterprises to replace or extend the wired lo- works permits malicious action at a distance and
cal-area network (LAN) with an implementation simplify passive interception. The temptation for
of WLAN, and in airports and various business unauthorized access and eavesdropping is also
venues where they installed several WLAN access a reality (Khan & Khwaja, 2003) because an at-
points offering a public Internet access (so-called tacker could easily access the transport medium.
hotspots), which can range from a small covered This is not easy in wired LAN due to the physical
zone to many square miles of overlapping hotspots access to the media. WLANs have introduced a
in metropolitan areas. new security threat, sometime referred to as park-
While the most obvious advantage of the WLAN ing lot attack (Arbaugh, 2003) (i.e., a person with
is mobility, there are also other benefits: a wireless computer and a makeshift antenna can
gain access to your the WLAN from hundreds
• Installing and maintaining flexibility: of feet away). Other security issues are mostly
Installation of a WLAN system is fast and because of the lack of physical protection of the
easy and eliminates the terminal cabling wireless network access or of the transmission on
costs. It extends to area where wires cannot the radio that cannot be confined to the walls of
be installed. an organization.
• Apparent ease of use: WLAN is easy for The original 802.11 standard defines authen-
novice and expert users alike, eliminating the tication and encryption mechanisms based on
need of a large knowledge to take advantage the use of the wired equivalent privacy (WEP)
of WLAN. protocol. Unfortunately, this protocol suffers from
• Transparency: WLAN is transparent to a serious design flaws (Miller & Hamilton, 2002).
user network, allowing applications to work Furthermore, it does not define a key manage-
in the same way as they do in wired LANs. ment mechanism; it presumes that the secret key
• Scalability: WLANs are designed to be is conveyed between WLAN entities through a
simple or complex; they range from networks secure channel independent of 802.11 WLAN. As
suitable for a small number of nodes to full a result of different flaws discovered in WEP, the
infrastructure networks of thousands of nodes security of WLAN has been widely studied, and a
and large physical area by adding access set of standards have been developed by IEEE and
points to extend coverage and to provide users IETF, especially 802.1X (802.1X, 2004), 802.11i
with roaming between different areas. (802.11i, 2004) and extensible authentication pro-
tocol (EAP) (Aboba, Blunk, Vollbrecht, Carlson, &
WLAN was developed to extend wired LAN Levkowetz, 2004). The 802.1X standard has been
wirelessly and therefore to minimize Ethernet ca- standardized by 802.1 working group. 802.1X was
bling. It was designed to provide “data obscurity” initially conceived to securely manage the access
equivalent to that provided by wired Ethernet with to different IEEE 802.1 networks. It is a framework
easier installation. However, there is some dif- for authenticating and controlling user traffic at
ference between WLAN and wired LAN due to the network level, as well as dynamically varying
constraints introduced by the first, especially the and exchanging encryption keys between a mobile
shared medium, interference, the collisions that station and an authentication server. By pushing
cannot be detected reliably, the physical bound- the authentication method to the virtual layer,
ary that is difficult to control, and to the signal. the 802.1X defines an open security architecture,
These differences make the WLAN security which principally allows user authentication and,
harder to maintain in comparison to wired LAN. optionally, session key generation and derivation
In WLAN, it is possible for an attacker to snoop on a per-user and per-session basis. Because of
on confidentiality communications or modify them this possibility for dynamic provisioning, 802.1X
to gain access to the network much more easily is used as the common base in the current WLAN
Security in WLAN
security suites such as Wi-Fi protected access a terminal attached to the network. WLAN uses
(WPA) (WPA, 2003) and IEEE 802.11i (802.11i, a concept called port-based access control that is
2004). based on the notion of a port. The port-based ac-
The rest of the chapter presents a more detailed cess control blocks all traffic on a (logical) port
description of the various WLAN standards from until some condition is true. The condition for the
the security perspective: challenges and possible port opening is a successful user association and
attacks in WLAN security; WLAN infrastructure authentication.
security; authentication, authorization, and ac- An association precedes each communication
cess control; confidentiality and privacy; and key between the STA and the AP. The association is
management and establishment. formed between a STA and an AP by exchanging
messages, by the means of so-called management
frames, allowing both STA and AP to create and
wlAn MAnAgEMEnt frAMEs to maintain the association states. WLAN defines
three states: unauthenticated and unassociated,
A WLAN network is formed by entities called authenticated and unassociated, and authenticated
stations (STA). A WLAN can operate in two and associated.
modes: infrastructure and ad hoc. In the ad hoc The management frames can be started by the
mode, each STA communicates directly with STA sending a probe request management frame
other stations. In the infrastructure mode, stations to find an AP affiliated with a selected ESSID, or
communicate with each other via a special STA, scanning the beacon management frame broadcast
called access point (AP). Each AP additionally by the APs at a fixed interval. As part of the as-
has a connection to the distributing system (DS), sociation processes, the STA and the access point
which can take different forms (wireless, wired, perform an authentication. IEEE 802.11 originally
OSI layer, etc.). In this chapter, we focus on the defines two authentication modes, the open system
infrastructure mode. authentication (OSA), practically equivalent to
The infrastructure mode extends the range of no authentication, and shared key authentication
the wired LAN. It introduces a notion of basic (SKA), a simple challenge handshake protocol
service set (BSS). Each BSS is formed by an AP based on a preshared key between the STA and the
and associated stations, and can be roughly un- AP and the specified WEP protocol. Furthermore,
derstood as a WLAN equivalent of a cell (a base other methods can be used to restrict the access
station and mobile nodes). It is uniquely identified to an AP, such as classical MAC address filtering
by the medium access control (MAC) address of (whitelisting or blacklisting STA MAC addresses)
the STA of its AP, called BSSID. By using their and the suppression of service advertisement, usu-
DS connection, several APs can allow a station ally called SSID hiding.
to move from one BSS to another. Several BSSs It must be noted that neither of these methods
may be collected, constructing an extended ser- can be considered sufficiently secure given the
vice set (ESS). The identifier of the ESS is a case current usage of the 802.11 technology. Since
sensitive string of 32 bytes (ESSID), and can be MAC addresses need to be transported in clear and
roughly understood as a “network name.” In the can be easily changed, the MAC address filtering
infrastructure mode, it is usually called SSID for is not enough of a barrier. SSID hiding only can
convenience. work as long as nobody uses the service, since the
One of the primary services of WLAN manage- associating STA will try to solicit an AP under a
ment frames is to provide access control reliability. given SSID, thus effectively disclosing this “secret.”
This is done originally based on a predetermined The included SKA scheme lacks mutuality and is
set of MAC address and improved later with way too static (no session key derivation, no key
802.1X. The access control usually implements a management) to be applicable in an operational
way to provide authentication or authorization to industrial environment. Accidentally SKA was
Security in WLAN
Security in WLAN
WLAN devices broadcast their MAC addresses directly exposing the long term secret), and to the
over-the-air and it is therefore easy to observe the absent message integrity checking (the available
MAC address for an associated mobile station and CRC32 integrity does not depend upon the keys
spoof it to masquerade as a legitimate device. and mainly targets transmission problems; it is
Due to the nature of WLAN, intruders can flood therefore possible to alter a packet whose content
the open medium access and are able to execute was known even if it had not been decrypted).
denial-of-service attacks (DoS) to bring down More information on WEP attacks may be found
WLAN access or services. An attacker may launch by Borisov, Goldberg, and Wagner (2001).
denial-of-service attacks by spoofing, replaying, In a WLAN context, a passive attack takes
or generating management frame packets. advantage of several weaknesses in the key-
Another problem related to the open medium scheduling algorithm of RC4. It could be done
is jamming WLAN frequencies. Jamming against also by a comparison of the encrypted version of
WLAN is almost impossible to prevent and can be a known message (e.g., TCP fields) to repetitive
executed easily as noise or interference on chan- IV-based encryption combinations of the known
nels that deliver WLAN services. For example, in text and to reveal the secret key (Morrison, 2002).
a military environment, jammers are often located In fact, the 24-bit IV implies that 224 packets can
in helicopters as the line-of-sight propagation gives be protected with the same key, before changing
them an advantage over communication transmit- the key. Because the IV is relatively short, and is
ters located on the ground (Stahlberg, 2000). transmitted in the clear text, it will be repeated with
WLANs are also vulnerable to session hijack- sufficient frequency that the rest of cipher can be
ing attacks due to the lack of authentication of the relatively easily cracked. On the other hand, WEP
management frames as well as to the WLAN state by its design cannot efficiently reduce overhead of
machines. Session hijacking is a combination of denial-of-service attacks. In particular, it does not
DoS and identity spoofing attacks and it can be protect beacon packets, or the part of the packet
launched by 1) eavesdropping on the medium to header, which includes the MAC address unen-
discover the MAC address of a legitimate station crypted. Consequently, it is not hard to infiltrate
and/or of the AP, 2) deauthenticating the legitimate the WLAN using WEP.
station to terminate its connection to the AP (spoof- Consequently, a dedicated task group called
ing STA or spoofing AP addresses), and 3) using the 802.11i has been set up by IEEE to create a replace-
eavesdropped MAC to reauthenticate to a different ment security solution. The released IEEE 802.11i
or to the same AP on the same WLAN. amendment introduces an improved security
mechanism called Wi-Fi protected access (WPA)
wEP weaknesses to solve WEP-related authentication and confi-
dentiality problems and to introduce an efficient
Shared key authentication was designed to help frame integrity scheme. 802.11i security solution
in reducing attacker activities against WLAN. (called robust secure network or WPA2) uses a
Unfortunately, WEP has turned out to be much new counter-mode/CBC-MAC protocol (CCMP)
less secure than intended. Fluhrer, Mantin, and cipher based on the advanced encryption standard
Shamir’s (2001) paper entitled “Weaknesses in the (AES) instead of RC4.
Key Scheduling Algorithm of RC4” describes how
an attacker can intercept transmissions and gain
unauthorized access to wireless networks. Other 802.1x, wPA, And IEEE 802.11I
problems are related to the insufficient IV length (wPA2)
(thus permitting to decrypt frames without key
knowledge), absent key management (on the one IEEE 802.11i is a dedicated task group to specify
hand resulting in manual settings and typically and to create a replacement security solution. It
weaker alphanumeric keys, and on the other hand provides enhanced security services and mecha-
Security in WLAN
nisms for the IEEE 802.11 medium access control that every data packet is sent with its own unique
beyond the features and capabilities provided by encryption key. Moreover, it includes a key hash
WEP. These security services are established by de- function to improve resistance against Fluhrer
fining temporal key integrity protocol (TKIP) and attacks (Fluhrer et al., 2001) and MIC and it uses
counter-mode/CBC-MAC protocol (CCMP) that 802.1X for key management and establishment.
provide more robust data protection mechanisms The MIC prevents forged packets from being
than what WEP affords. 802.11i also introduces accepted. Thanks to per-packet key mixing, it is
the concept of a security association and defines very hard for an eavesdropper to correlate the IV
security association management protocols called and the per-packet key used to encrypt the packet
the 4-way handshake and the group key handshake. (Chandra, 2005). More precisely, TKIP hashes
Also, it specifies how IEEE 802.1X may be utilized the combination of the IV value, the data encryp-
by IEEE 802.11 LANs to effect authentication. tion key (derived from the master secret), and the
The IEEE 802.11i architecture usually contains MAC address. This mechanism addresses the
or implements the following components: WEP problem when concatenating the key with
the IV to form the traffic key, and then reducing
• 802.1X for authentication, entailing the use of the ability of the related key attack.
IETF’s EAP and an authentication server.
• Robust security network (RSN) for keeping key Hierarchy
track of associations.
• AES-based CCMP to provide confidentiality, The master secret used in key hierarchy can be a
integrity, and origin authentication. Another preinstalled key or a per-session key. In fact, TKIP
important element of the authentication pro- can be used with an IEEE 802.1X authentication
cess is the four-way handshake, explained server, which shares a master key with each user
below. as a consequence of a successful authentication
process as well as in a preshared key (PSK) mode
wPA where all authorized users share a PSK. These two
modes target two distinct environments respec-
Because WEP has been shown to be totally inse- tively, enterprise and home networking.
cure and in order to strengthen the weak keys used As we cited before, TKIP extends the WEP
by WEP, 802.11 Working Group has proposed a key hierarchy to reduce the exposure of the (long
new WPA protocol called TKIP. This protocol term) master secret and to provide per-packet key
is designed to strengthen the security of 802.1X mixing, a message integrity check as long as a
networks and to leverage the existing WEP-en- rekeying mechanism. This extension is shown in
abled WLAN network interface card (NIC), while the following figure. At a given layer, the different
remaining backward compatible with existing keys are generated by applying the pseudo random
hardware (no change in the hardware engine). function (PRF) on, among others parameters, the
This is done by distributing firmware/software key of the upper layer and the MAC addresses of
upgrades including new algorithms to be added to the two endpoints.
WEP, such as message integrity code (MIC) and
per-packet key mixing function. Preshared key
TKIP uses a key scheme based on RC4, but
unlike WEP that uses the master key for authen- As we cited before, 802.11i security solution uses
tication and per-packet encryption, TKIP extends 802.1X (see next section) that requires a logical
this key hierarchy to reduce the exposure of the authentication server entity. However, 802.11i de-
master secret and to provide per-packet key mix- fines the preshared key solution as an alternative
ing, a message integrity check as long as a rekey- to 802.1X-based master key establishment. This
ing mechanism. Consequently, TKIP ensures solution can be used for home or small networks
00
Security in WLAN
and does not require installation of an authentica- tor. It dialogue with the authentication server
tion server. through the authenticator.
The PSK is 64 hexadecimal digits or a pass • The Authenticator: Typically a wireless
phrase 8 to 63 bytes long, in which each STA has access point that controls the state of each
its own PSK tied to its MAC address and uses it port (open/close) and mediates an authentica-
to get access to the network. The key hierarchy tion session between the supplicant and the
is showed in Figure 1. The PSK is however used authentication server.
directly to compute the pair-wise transient key • The Authentication Server: Typically a
(PTK). The rest of the key computation process (remote authentication dial in user service)
remains unchangeable. RADIUS server that performs the authentica-
The PSK is a 256-bit random value or a pass tion process on behalf of the authenticator.
phrase 8 to 63 bytes long, in which each STA has The resulting decision consists of whether
a PSK tied to its MAC address and uses it to get the supplicant is authorized to access the
access to the network. The key hierarchy is showed authenticator’s network. Note that 802.1X
in Figure 1. The PSK is however used directly to does not require use of a central authentication
compute the PTK. The rest of the key computation server, and thus can be deployed with stand-
process remains unchanged. alone bridges or access points, as well as in
centrally managed scenario (802.1, 2004).
IEEE 802.1x
The most important component in 802.11i ar-
IEEE 802.1X is introduced for port-based network chitecture is the IEEE 802.1X port access entity
access control. It provides authentication to stations (PAE), which controls the forwarding of data to
attached to a LAN port, establishing a point-to- and from the MAC. A STA always implements a
point connection in case of success or preventing Supplicant PAE and implements EAP peer role,
access from that port if authentication fails. and an AP, acting as an Authenticator, always
802.1X uses three terms: implements an Authenticator PAE and implements
the EAP Authenticator role.
• The Supplicant: A station that requests ac- 802.1X is based on EAP, which is a powerful
cess to the network offered by the authentica- umbrella that shelters multiple authentication
0
Security in WLAN
Figure 2. 802.1X messages exchange between a supplicant, an authenticator, and the authentication
server
methods. When IEEE 802.1X authentication is used (PMK) by two parties and to distribute a group
within 802.11 networks, EAP is used transparently temporal key (GTK). Several keys are established
between the station and the (usually remote) authen- as a result of a successful authentication. The keys
tication server and relayed through the AP. 802.1X are derived from the PMK (in particular, the pair-
requires the cooperation between the authentication wise transient key).
server and an EAP method. In the case of a wire- 802.11i defines two key hierarchies: (a) pair-
less LAN, the EAP method is required to perform wise key hierarchy to protect unicast traffic and
mutual authentication and key management and (b) GTK, a hierarchy consisting of a single key to
distribution \REF-RFC-REQ-EAP-WLAN. Using protect multicast and broadcast traffic. Further-
the flexibility proposed by the IEEE 802.1X archi- more, it defines TKIP (uses existing hardware) and
tecture, multiple EAP-based security protocols CCMP (needs additional hardware) to repair the
and mechanisms such as EAP-SIM (Haverinen & problems caused by WAP. TKIP provides stronger
Salowey, 2006), EAP-TLS (transport layer secu- security through a keyed cryptographic message
rity) (Aboba & Simon, 1999), and protected-EAP integrity code (MIC), an extended IV space, and
(Palekar, Simon, Zorn, Salowey, Zhou, & Josefsson, a key mixing function. And the CCMP is used to
2004) are proposed. These EAP methods are used provide data confidentiality, integrity, and replay
with the 802.11i (or WAP2) and WPA standards protection.
in order to establish authenticated access and key
calculation and distribution. -Way Handshake
IEEE 0.i (WPA) Once the authenticator and the mobile station have
agreed upon a shared PMK, they can begin a 4-way
The procedures defined in 802.11i adopt the key- handshake: STA represents the station; STAA and
hierarchy defined by WPA and provide fresh keys AA, SNonce and ANonce, represent the MAC ad-
by means of protocols called the 4-way handshake dress and the nonce of the station and authenticator,
and group key handshake. 4-way handshake is a respectively; SN is the sequence number; msg1,
pair-wise key management protocol used to confirm msg2, msg3, and msg4 are indicators of different
the mutual possession of a pair-wise master key message types; and MICEAPOL-KCK() represents the
0
Security in WLAN
0
Security in WLAN
0
Security in WLAN
related data in clear text and without any encryp- A smart card is a portable and tamper-resistant
tion. Therefore, security parameters flowing in computer. It provides data security, data integ-
the network could potentially be logged, archived, rity, and personal privacy and supports mobility.
and searched. Furthermore, major application areas including
Basically, certificates are issued by a trusted mobile communication use smart card to convey
third party linking the identity of the certificate user subscription and identification information
owner to the public key, whereas the shared secret as well as to provide user identity and to build
is managed through its identifier. Certificate or computer and network access.
shared key identifiers are usually sent in clear In the 802.1X/EAP context, (Urien & Pujolle,
text and consequently, entities cannot protect 2005) describes the interface of the EAP protocol
their identities from eavesdropping. Thus, an in smart cards, which can store multiple identi-
intruder can learn who is reaching the network, ties associated to EAP methods and appropriate
when, and from where, and hence, track users by credentials. It presents implementations of the
correlating client identity to connection location. EAP-TLS smart cards, which securely stores TLS
Especially in WLAN, where the access medium security parameters, such as client X509 certifi-
is open to eavesdroppers, and the mobility is a cate, client private RSA key, and CA public key.
reasonable service, the location tracking can be a For more information regarding the EAP smart
serious security issue. The PEAP and EAP-TTLS card configuration and test steps, please refer to
authentication methods can be used to protect the OpenEAPSmartCard (2006), which is an open
user identity. Both are two-phase protocols with Java card platform for authentication in Wi-Fi and
the first phase used to establish a TLS with only WLAN networks.
server authentication and the second phase used
to deliver, among others, the user identity.
Privacy and identity protection are increas- tHE unIvErsAl AccEss MEtHod
ingly required for 802.1X/EAP and consequently,
research is being carried out to add credentials and A different approach to authentication and authori-
identity protection to EAP methods, especially to zation for WLAN is that based on Web-based un-
EAP-TLS. In this latter method, the client certificate licensed mobile access (UAM), the most prevalent
is sent in clear text and therefore, an attacker can form of access to WLAN. This approach defines
easily sniff packets conveying the client creden- a sign-on usage model using the user navigator
tials. To avoid sending identity information in clear or Web browser and it is adopted by a number of
text during the TLS session, Hajjeh and Badra (in WLAN hotspots providers. The Web-based UAM
press) extend TLS with an enhanced, completely approach is very simple. When the user attends to
backwards compatible mechanism. The client get Internet access through a given hotspot, this
identity protection is provided by symmetrically latter will redirect the user’s browser to a local
encrypting the client certificate with a key derived Web server. After redirection, the user will be
from the TLS master secret, invited to be authenticated by entering its creden-
tials (e.g., username, password). These credentials
Hardware security in wlAn are tunnelled through a secure session, typically
established using TLS.
Many agencies (GAO, 2001) require the use of
smart cards to overcome the vulnerabilities of
the storage of private and shared keys. In fact, unlIcEnsEd MobIlE AccEss
without smart cards, unauthorized access can be
easily established to an authorized device (e.g., UMA stands for Unlicensed Mobile Access; a tech-
station) to retrieve confidential and personal data nology provides access to GSM and GPRS mobile
stored on it. services over unlicensed spectrum technologies,
0
Security in WLAN
0
Security in WLAN
Figure 5. Computing times distribution for a smart WLAN security risks have increased expo-
card nentially as wireless services have become more
popular. The risks represent any malicious and
undesirable event on the various applications,
which possibly suffer from faults facilitating treat
concretization. Risks can result in sniffing and hi-
jacking of sensitive and personal data over the link
for unprotected Internet access. The consequences
are therefore variants (Hurley, 2002). It can eat
up bandwidth, but it could pose a darker issue as
virus writers can use the access to anonymously
performance of congested wireless networks. send viruses out.
Network performance degradation increased as the In answer, WLAN defined, among other,
number of clients was increased under all security the 802.1X standard, providing a framework for
mechanisms. authenticating and controlling user traffic to a
On the other hand and in order to show the protected network, as well as dynamically vary-
impact of smart cards use within 802.1X/EAP, ing and exchanging encryption keys between the
we implemented EAP-TLS on smart cards, in wireless entity and the authenticator server. This is
which performance, benefits, and drawbacks are done using EAP methods, which are also deployed
discussed and analysed by Urien, Badra, and jointly with the 802.11i and WPA standards. Imple-
Dandjinou (2004). menting WLAN technologies in a secure network
Figure 5 shows the repartition of computing requires on one hand a combination of these secu-
times during the authentication phase. The smart rity measures. On the other hand, organizations
card (10 MHz, 8 bits CPU, 2304 bytes RAM bytes, need to adopt security measures and practices that
96 Kbytes 32 Kbytes ROM, 32 Kbytes E2PROM) help bring down their risks to a manageable level.
processes the EAP-TLS protocol in about 5 seconds In early 2006, therefore, ISO members voted the
(Urien & Badra, 2006). Note that benchmarks are IEEE’s 802.11i standard for adoption.
performed on a 1 GHz Intel processor PC and only
about 50 ms are required to execute an EAP-TLS
session. This demonstrates the cost and perform- rEfErEncEs
ance influence of using smart cards, which are
required for credentials and private data storing. 802.1X. (2004). IEEE Standards for local and
metropolitan area networks: Port based network
access control (IEEE Std 802.1X-2004).
conclusIon 802.11i. (2004). Institute of electrical and electron-
ics engineers, supplement to standard for telecom-
Wireless technologies have evolved phenomenally munications and information exchange between
over the last few years. Wireless transmission has systems: LAN/MAN specific requirements. Part 11:
a big impact on new services and applications Wireless LAN medium access control (MAC) and
because it is the method for data communication physical layer (PHY) specifications: Specification
for, among others, cellular phones, text pagers, for enhanced security (IEEE 802.11i).
and Wireless LAN 802.11. In this chapter, we
focused on WLAN security threats, which extend Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., &
on several levels, from the identity spoofing to the Levkowetz, H. (2004). Extensible authentication
traffic analysis. protocol (EAP) (RFC 3748).
0
Security in WLAN
Aboba, B., &. Calhoun, P. (2003). RADIUS (remote Comm 2005, The First International Conference
authentication dial in user service) support for on Security and Privacy for Emerging Areas in
extensible authentication protocol (EAP) (RFC Communication Networks, Athens, Greece, (pp.
3579). 3-12).
Aboba, B., & Simon, D. (1999). PPP EAP TLS Hajjeh, I., & Badra, M. (in press). Identity pro-
authentication protocol (RFC2716). tection ciphersuites for transport layer security
(IETF Draft).
Arbaugh, W., Shankar, N., & Wan, Y. (2001). Your
802.11 wireless network has no clothe. Retrieved Haverinen, H., & Salowey, J. (2006). EAP-SIM
October 16, 2007, from http://www.cs.umd. authentication (RFC 4186).
edu/˜waa/wireless.pdf
He, C., & Mitchell, J. C. (2004). Analysis of the
Arkko, J., & Haverinen, H. (2006). EAP-AKA 802.11i 4-way handshake. In Proceedings of the
authentication (RFC 4187). 2004 ACM Workshop on Wireless Security (pp.
34-50). New York: ACM Press.
Baghaei, N. (2003). IEEE 802.11 wireless LAN
security performance using multiple clients (Hon- Hurley, E. (2002). Company tackles wireless net-
ours Project Report). work security risks. News Writer.
Blake-Wilson, S., et. al. (2003). Transport layer Kaufman, C. (Ed.). (2005). Internet key exchange
security (TLS) extensions (RFC 3546). (IKEv2) protocol (RFC 4306).
Borisov, N., Goldberg I., & Wagner D. (2001). In- Khan, J., & Khwaja, A. (2003). Building secure
tercepting mobile communications: The insecurity wireless networks with 802.11. Indiana: Wiley.
of 802.11 by.
Miller, B. R., & Hamilton, B. A. (2002). Issues
Chandra, P. (2005). Bulletproof wireless security. in wireless security WEP, WPA and 802.11i. In
Elsevier. Proceedings of the 18th Annual Computer Security
Applications Conference.
Dierks T., & Allen, C. (1999). The TLS protocol
version 1.0 (RFC 2246). Morrison, J. D. (2002). IEEE 802.11 WLAN security
through location authentication. Naval Postgradu-
Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weak-
ate School.
nesses in the key scheduling algorithm of RC4
(LNCS 2259). OpenEAPSmartCard. (2006). Retrieved October
16, 2007, from http://www.infres.enst.fr/~urien/
Fogie, S. (2005). Cracking Wi-Fi protected access
openeapsmartcard/
(WPA): Part 2.
Palekar, A., Simon, D., Zorn, G., Salowey, J., Zhou,
GAO (United States General Accounting Of-
H., & Josefsson, S. (2004). Protected EAP protocol
fice). (2001). Information security: Advances and
(PEAP) version 2 (IETF Draft).
remaining challenges to adoption of public key
infrastructure technology (Report to the Chair- Rigney, C., Willens, S., Rubens, A., & Simpson, W.
man, Subcommittee on Government Efficiency, (2000). Remote authentication dial in user service
Financial Management and Intergovernmental (RADIUS) (RFC 2865).
Relations, Committee on Government Reform,
Simpson, W. (1994). The point-to-point protocol
House of Representatives).
(PPP) (RFC1661).
Grech, S., & Eronen, P. (2005). Implications of
Stahlberg, M. (2000). Radio jamming attacks
unlicensed mobile access (UMA) for GSM secu-
against two popular mobile networks. In H. Lip-
rity. In Proceedings of IEEE/Create-Net Secure-
maa & H. Pehu-Lehtonen (Eds.), Proceedings of
0
Security in WLAN
the Helsinki University of Technology. Seminar Urien, P., Badra, M., & Dandjinou, M. (2004).
on Network Security. Mobile Security. Helsinki EAP-TLS smartcards, from dream to reality. Paper
University of Technology. presented at the Fourth IEEE Workshop on Ap-
plications and Services in Wireless Networks.
UMA. (2005). Retrieved October 16, 2007, from
http://www.umatechnology.org/ Urien, P., & Pujolle, G. (2005). EAP-support in
smartcard (IETF Internet Draft).
Urien, P., & Badra, M. (2006). Secure access
modules for identity protection over the EAP-TLS WLAN. (2003). Information technology - tele-
- Smartcard benefits for user anonymity in wire- communications and information exchange
less infrastructures. In M. Malek, E. Fernández- between systems—local and metropolitan area
Medina, & J. Hernando (Eds.), SECRYPT 2006, networks—specific requirements Part 11: Wire-
Proceedings of the International Conference on less LAN medium access control (MAC) and
Security and Cryptography, Setúbal, Portugal, physical layer (PHY) specifications (IEEE Std.
(pp 157-163). 802.11-2003).
WPA. (2003). Wi-Fi protected access, version
2.0.
0
0
Chapter XLIV
Access Control in Wireless
Local Area Networks:
Fast Authentication Schemes
Jahan Hassan
The University of Sydney, Australia
Björn Landfeldt
The University of Sydney, Australia
Albert Y. Zomaya
The University of Sydney, Australia
AbstrAct
Wireless local area networks (WLAN) are rapidly becoming a core part of network access. Supporting
user mobility, more specifically session continuation in changing network access points, is becoming
an integral part of wireless network services. This is because of the popularity of emerging real-time
streaming applications that can be commonly used when the user is mobile, such as voice-over-IP and
Internet radio. However, mobility introduces a new set of problems in wireless environments because of
handoffs between network access points (APs). The IEEE 802.11i security standard imposes an authen-
tication delay long enough to hamper real-time applications. This chapter will provide a comprehensive
study on fast authentication solutions found in the literature as well as the industry that address this
problem. These proposals focus on solving the mentioned problem for intradomain handoff scenarios
where the access points belong to the same administrative domain or provider. Interdomain roaming is
also becoming common-place for wireless access. We need fast authentication solutions for these en-
vironments that are managed by independent administrative authorities. We detail such a solution that
explores the use of local trust relationships to foster fast authentication.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
be fully utilized since the traffic patterns typi- mation on the port-based authentication-driven
cally vary considerably over the course of a day. access control as suggested in IEEE802.11i, the
Thus, there will be unutilized capacity that could security ratifications from the IEEE task group
be offered to active users despite not being their i. This section equips the reader with the funda-
serving provider or AP. mentals of the authentication-based access control
In this model, each WLAN site that is connected process using 802.1X architecture. In the third
to the Internet via an individual RG or AP can be section we elaborate fundamental proposals found
considered as an individual domain as RGs are in the literature that provide fast-authentication
owned by individual residential consumers and schemes applicable in the intradomain handoffs.
wireless routers (or APs) at hotspots belong to This section also contains a subsection on com-
individual providers or businesses. An example of parative analysis of the presented proposals. In
a current operational commercial system building the fourth section we provide a possible direction
on this principle is the FON (FON Web site) com- that we have proposed for solving the interdomain
munity where individual subscribers share excess handoff latency problem because of authentication
capacity with the global FON community and FON delays. We sketch some open issues, and finally,
itself provides billing support so that used capacity we conclude this chapter.
is billed to a user’s own account.
If the current deployment trend continues, in
dense residential areas it will be common to find IEEE 802.11I AutHEntIcAtIon
a substantially large number of RGs within range. ProcEss
This also provides the opportunity for load-shar-
ing or load-balancing among the RGs by handing In this section, we provide fundamental informa-
off some visiting connections to other RGs within tion on the authentication-based access control
range when the original RG’s link utilization or load mechanism for IEEE802.11i, the security ratifica-
increases and affects its home traffic. Therefore, tions from IEEE802.11. IEEE 802.11i includes the
we see stationary handoff scenarios emerging in use of the architectural framework of IEEE802.1X,
the multiowner RG access network architecture, the port-based network access control standard
which can also apply to the commercial city area for different link layer technologies such as IEEE
hotspots. Depending on the load variation, there 802.3, FDDI, IEEE802.11, and so forth. In the
may be situations when during an active session a standard, there are three entities involved in the
visiting mobile node will have to undergo frequent authentication process: the supplicant or the user
handoffs to many new RGs. The same applies to wireless device, the authenticator or the network
the city area hotspot architecture. port (wireless access point), and the authentica-
The previous proposals and implementations tion server such as the RADIUS server. Figure 1
mentioned above aim at supporting a single domain shows this setup. The 802.1X standard uses exten-
where centralized control is an advantage. In the sible authentication protocol (Blunk, Vollbrecht,
collaborating scenarios between service providers Aboba, Carlson, & Levkowetz, 2003) to support
this is not the case since each domain has its own a variety of authentication mechanisms, of which
authentication mechanisms that are closed to other the transport layer security (TLS) providing strong
parties. In the RG access network or the city area encryption and authentication at the transport layer
hotspot architecture, such centralized control is is the most commonly used mechanism (EAP-TLS)
not possible since each RG or AP is under its own (Aboba & Simon, 1999) within 802.11 networks.
authority and administration. Hence, a distributed Next, we look at the functionalities of the entities
approach is required for multiowner and multipro- of the 802.1X framework in light of the 802.11
vider handoff scenarios. network setting:
The rest of the chapter is organized as follows.
In the next section we provide background infor-
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
Authentication Server
(e.g., RADIUS)
Wireless AP
(Authenticator)
Secure
Network
EAP over RADIUS
Wireless link
Wireless device
(Supplicant)
Authentication Server
Wireless device Wireless AP (e.g., RADIUS)
(Supplicant) (Authenticator)
EAPOL-Start
EAP-Request Identity
EAP/TLS: Empty
EAP-Success
Fourway
Fourway Handshake
Handshake 802.11i
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
• Supplicant: This is a user device seeking function which will be used to generate additional
link layer connectivity with a network so keying material. Using this function and the MK,
that it can use the services offered by the a pair-wise maser key (PMK) is generated. The
network. PMK further produces four pair-wise transient
• Authenticator: This is the wireless AP keys (PTKs) when used with particular cipher
providing link layer connections to the user methods, and are used for origin authenticity and
devices. In any network, typically there will confidentiality of the four-way handshake proce-
be many APs. The authenticator liaises with dure, as well as for data encryption.
the authentication server by relaying infor-
mation to and from the supplicant. When the Figure 2 shows the full EAP-TLS authentica-
authenticator receives a success message from tion steps and messages exchanged. At the end of a
the authentication server, it allows the sup- successful EAP-TLS authentication (EAP success
plicant to establish a link layer connection. message), there is a four-way handshake process
• Authentication server: This is a central which ensures that the AP and the MN are active,
server which helps the authenticator with guarantees the freshness and synchronization of
the authentication decision based on what it the shared encryption key, as well as binds the
knows about the supplicant and the informa- PMK to the medium access control (MAC) ad-
tion supplied by the supplicant. dress of the MN.
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
multimedia applications in continuous mobility tions in wireless LANs, in the current form, no
scenarios1. This number can only magnify when mechanism has been used to select the most likely
the RADIUS server is located topologically far handoff candidate APs. Thus, there will probably
from the AP. As the APs in wireless LANs have be many instances of preauthentications that will
very small coverage2, many APs are required to not be utilized at all. This is a waste of resources.
be installed to cover a certain geographical area Also, when there is a large number of candidate
of a network. Thus, continuous mobility implies APs, this mechanism does not scale and, in addi-
that there will be many handoffs during an active tion, puts extra loads on the AAA server. It is to
real-time application session, even when the user be noted that the scope of the preauthentication
is within the same network (domain). There needs is, however, limited to a single network domain
to be mechanisms to cut down the authentication or ESS, making it inapplicable in interdomain
delay of 802.11i for this kind of intradomain hand- roaming scenarios.
offs. Below we discuss the IEEE 802.11i proposed
solution, and those found in the literature to tackle Proactive key distribution
this issue.
Proactive key distribution has been proposed as
Preauthentication a mechanism to provide fast authentication at
handoffs within the same administrative domain,
This is the solution specified within the IEEE802.11i by predistributing the keys to candidate APs in a
to support fast authentication at handoffs between neighbor graph (Mishra et al., 2004). Thus, this
APs in the same network domain or extended scheme avoids the involvement of the AAA or the
service set (ESS). In this solution, when an MN RADIUS server for distributing the keys to the
is connected with an old AP (oAP), it can initiate nAPs during handoffs. When the MN will finally
EAP-TLS authentication with a new AP (nAP) move to the nAP, the key will be already there and
within the same ESS by sending an IEEE 802.X the local handshake protocol (four-way handshake)
EAPOL-Start message via the oAP to the nAP. The can be used to establish the radio link between the
nAP then may initiate the EAP-TLS authentication MN and the nAP.
with the MN. The distributed system of the ESS The most important concept of this proposal is
has to be configured to forward the authentica- the use of the neighbor graph. The neighbor graph
tion messages to the oAP for the MN. While still is the dynamic identification of the mobility topol-
connected with the oAP, preauthentication for the ogy of the network: a set of APs that the mobile
MN is performed by exchanging all the EAP-TLS user device potentially could reassociate to. The
authentication messages between the MN and the authors suggest that this set is typically a small
nAP. The process ends when after deriving the subset of all the APs in the wireless network. By
new PMK, the nAP sends the first message of the selecting the possible candidate APs for handoffs by
four-way handshake to the MN. The MN and the a particular MN, the cost of proactively distributing
nAP must cache the new PMK to be used when the the key to these APs are justified and minimized.
MN finally moves to the nAP. Preauthentication The scheme utilizes the concept of a reassociation
can be performed in advance to a group of APs relationship by which the authors mean that two
that the MN may select from, for handing off in APs have this relationship if it is physically pos-
the future. At time of handoff, there will not be sible for a given MN to handoff from one to the
any more EAP-TLS exchanges, and the four-way next. Thus, this relationship depends on factors
handshake can be used straight away to resume such as physical distance between two APs and
the connection process. placement of the APs. The authors suggest that the
While the preauthentication mechanism pro- neighbor graphs can be autonomously learned and
vides a great way to cut down the authentication maintained by the wireless network, and can be
delay necessary for supporting real-time applica- maintained either in a centralized or distributed
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
manner. In their implementation, the authors have nature of the schemes. The two proposals differ in
stored this information in the centralized manner, the sense that in preauthentication, it is up to the
in the RADIUS server. MN to choose (using no particular guideline) APs
The authors propose that instead of distributing in the network to complete authentication before
the original PMK to all the neighbor graph APs, it performs the next handoff, but in the case of
the PMK is used to derive PMKs depending on proactive key distribution scheme, only the APs
the instance of reassociation (e.g., nth reassocia- the neighbor graph can get the PMK (some APs
tion) using a proposed equation. Special RADIUS in the neighbor graph may decide not to ask for
messages have been also introduced to aid the key the key at this stage). Also, the predistribution of
distribution process: NOTIFY-REQUEST, NO- the PMK scheme does not involve the MN in the
TIFY-ACCEPT, and ACCESS-ACCEPT. Once the process of distributing the PMKs to the neighbor
MN completes a full EAP-TLS authentication, the graph APs, whereas the preauthentication scheme
AAA server sends a NOTIFY-REQUEST message involves the MN to complete the preauthentication
to all the APs in the neighbor graph. This message process with the nAPs.
informs the APs that a given MN may roam to their
coverage. It is up to the APs to decide whether they Proactive key caching
want the security information (the PMK) for the
MN. If the AP decides to get the security infor- An industry solution, namely proactive key cach-
mation at this stage, it sends a NOTIFY-ACCEPT ing (PKC), is an extension of Airespace Inc.’s3
message to the AAA server, and the AAA server wireless enterprise platform, developed along with
sends an ACCESS-ACCEPT message in return Funk Software4 and Atheros Communications
to the AP containing the appropriate PMK and (Atheros Communications). In PKC, the MN can
an authorization for the MN to remain connected use the same master key to roam across an Aire-
to the network. From the experimental results, it space network, visiting one AP to the next. This
has been shown that the average latency of the eliminates the need for RADIUS authentication at
full authentication reduces to around 50ms from each handoff; only the four-way handshake will be
that of 1.1 second. required. Airespace has a centralized policy engine
The scheme provides a practical and feasible for creating and maintaining security parameters
way for maintaining the quality of real-time ap- across the entire enterprise. The use of the central
plications while the MN moves about in the same policy engine in the network also leads this solu-
network. However, this imposes extra functional- tion to be centralized and suitable only for a single
ity and loads on the AAA server, because it has administrative domain.
to send requests to candidate APs asking if they
want the security key for the MN before it hands Predictive Authentication
off to the APs. This centralized approach where a
single AAA server controls and manages the key This proposal from Pack and Choi (2002) is a
distribution will suit well the scenarios where the predictive-authentication scheme based on the
WLAN sites are all under the tight control of one selection of a frequent handoff region (FHR)
central AAA server such that the server can derive which works in a centralized manner. The main
and decide on the candidate APs for the MN’s next idea is to formulate a FHR consisting of a number
move. This proposal will not be directly applicable of APs in a public access LAN by using a FHR
to interdomain roaming scenarios. selection algorithm, and taking into account the
The proposal from Mishra et al. (2004) has user mobility and traffic pattern. The FHR APs
similarity with preauthentication proposal from are the ones that the MN is likely to associate with
IEEE 802.11i in the sense that (some) steps of the in the near future. The MN is preauthenticated to
authentication process is initiated even before all the APs within the FHR so that when the MN
the MN moves to the nAP, that is, the proactive handoffs from one AP to the next within that FHR,
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
Proactive Key distribution RADIUS server A subset of APs in the network; Decided by the nAP Intradomain handoffs
determined by the neighbor graph concerned
Predictive Authentication RADIUS A subset of APs in the network; Decided by the RADIUS Intradomain handoffs
server determined by the FHR server
Proactive Key Caching Centralized policy All APs in the network Centralized policy engine
engine Intradomain handoffs
dress this gap, we have proposed a “trust-cloud” party such as an ISP or indeed through personal
key sharing model (Hassan & Landfeldt, 2006). relationships if the community does not operate
with a subscription-based model. For example,
trust-cloud key sharing in community networks, the network operation is
dictated by personal preferences, thus even if two
According to our interdomain fast-authentication AP-owners (or WLAN owners) share the same ISP,
scheme based on a concept of “trust clouds,” a there is no guarantee that they would trust each
trust cloud is formed among neighboring access other. This is the difference from neighborhood
points based on a relationship among the owners networks with federated networks such as FON.
of the access points. The scheme enables fast and In our model, the serving AP6 of a visiting
simple authentication for mobile devices that move mobile node (VN) will share the key of the MN
between access points belonging to different ad- that is currently attached with it, within its trust
ministrative domains such as different ISPs. Used cloud. So, depending on the number of APs in the
together with an appropriate routing scheme, the serving AP’s trust cloud, some of the APs in the
scheme enables continuous service of delay sensi- hotspot area will have the key of the VN ready
tive flows even while roaming between different to be utilized for fast authentication when the
access providers. We define the following terms: VN hands off to one of these APs, and that AP
will share the key further among its trust cloud
Trust Link: A trust link defines the trust relation- APs. In our model of interdomain access points,
ship between any two given RG5. RGi and RGj have provider-provider (or AP-AP, or RG-RG) trust is
a trust relationship between them if they agree to not necessarily transitive: if RG X trusts RG Y
take part in key sharing for visiting mobile nodes and RG Y trusts RG Z, it does not necessarily
between them. mean that RG X trusts RG Z. Moreover, as this
trust may have to do with personal preferences, it
Trust Cloud: A trust cloud is a collection of trust is not necessary to be symmetric: RG X trusts RG
links for a given RG. Every RG has a different trust Y does not necessarily mean that RG Y trusts RG
cloud. One RG can appear in many trust clouds, X. Initially, we have simulated symmetry in the
depending on its relationship with other RGs. trust relationships between a given RG pair, and
also that trust is not transitive as it depends on the
The model is a security key-sharing scheme relationship or understanding between any given
which works on the basis of AP-to-AP (or RG-to- pair of RG (or RG-owners). This means that if RG
RG, network-to-network/ hotspot-to-hotspot) trust. X trusts RG Y, RG Y also trusts RG X. However,
Unlike the implicit trust among the APs within a we have also simulated with the symmetry being
single administrative domain or an ESS, this trust is relaxed thus two RGs may have uni- or bi-directional
not implicit and is a translation from the trust among trust relations, thus we deviate from a nondirected
the AP-owners through a relationship with a third trust graph to a directed one. By using the concept
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
of trust clouds in the area, we will see pockets of ress through that RG, the VN session will have to
fast authentication enabled coverage area, and not handoff to another lightly-loaded RG using one
an entire coverage area of federated fast authen- of the two trust cloud handoff algorithms, or the
tication areas. Therefore, we would still require trustless one described in the previous section. If
strong authentication mechanism provided by the no lightly loaded RGs are available, the session is
EAP-TLS in this setup as not all the handoffs will prematurely terminated.
be able to utilize fast authentication. The activity of the VN is modeled using the well
The fast-authentication for interdomain sites known on-off process. When the VN completes a
is achieved through cooperation among the trust session, or a session is prematurely terminated, the
cloud members. The approach is distributed without VN enters a silence mode before initiating another
a central authentication server being involved in session. The session and silence mode durations are
distributing the security master key to the access exponentially distributed. Mean session duration is
points belonging to the trust cloud. We have pro- denoted by S. Once the VN enters the silence mode,
posed two algorithms for mobile visiting nodes to its security association with a given RG becomes
select RGs to perform authentication at handoffs: invalid (an inactivity timer is implemented within
trust-aware and trust-unaware. In the trust-aware each RG, upon expiration of which the security
handoff algorithm, the MN needing to handoff to associations of the VN become invalid). Conse-
a new RG actively seeks to handoff to an RG that quently, the VN must go through the full security
is trusted by its prior-move RG, thus it has to keep association process (full authentication involving
track of which RGs are trusted by its prior-move the AAA server) at the start of each new session,
RG. In the trust-unaware handoff though, the MN even if it continues with the current RG.
just seeks to handoff to a suitable RG (e.g., an RG The primary performance variable that we mea-
that has low load and can accept more connections) sure is the number of times a full authentication is
but does not care about the fast authentication pos- needed for a session on average, since the goal is
sibility as the RG it hands off to may or may not to reduce this variable. This number is basically
be trusted by its prior-move RG. one (for the initial association) plus the number of
handoffs that require full authentication.
Performance Evaluation Figures 3 and 4 are two representative graphs
from our simulation studies. First of all, we see
We have carried out simulation-based perfor- that our trust-based handoff schemes, be it aware
mance evaluation. The scenarios we model are a or unaware, achieves much lower per session full
VN trying to complete a series of communication authentication than the usual no-trust or trustless
sessions by utilizing the unused capacity of nearby
RGs within its wireless communication range
(RG hotspot). There are a total of N RGs in the
hotspot area. The VN can sense the current load Figure 3. Full authentication vs. mean session
of each RG from their beacons, and can only as- time (S)
sociate with an RG that is lightly loaded. An RG
is modeled as a two-state Markov chain where the
states of an RG alternate between heavily loaded
and lightly loaded. The time spent in each state is
exponentially distributed with means (L) selected
to obtain a given fraction of time an RG spends in
the heavily loaded state7.
If an RG switches its state from lightly loaded
to heavily-loaded while a VN session is in prog-
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
0
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
Access Control in Wireless Local Area Networks: Fast Authentication Schemes
5
EndnotEs In this section, RG, AP and wireless rout-
ers can be treated equally to mean wireless
1
Typically, the overall latency of handoffs AP-type devices not belonging in the same
should not exceed 50ms. domain, but to different domains.
6
2
For IEEE 802.11b, the coverage range is no In the interdomain handoff model, especially
more than 100-200 feet, as compared to the the trust-cloud model, the APs (or residential
cellular coverage area in cities which is around gateways-RGs, in the case of community
2640 feet, and more in the rural areas. networks) belong to different owners, and
3
Airespace later was acquired by Cisco Systems domains. APs and RGs are also used inter-
(Cisco Systems Web site) changeably here.
4
Funk Software has now been acquired by Lh
7
L= , where Lh and Ll are the mean values
Juniper Networks (Juniper Networks) Lh + Ll
for the sojourn times in the heavily and lightly
loaded states, respectively.
Chapter XLV
Security and Privacy in RFID
Based Wireless Networks
Denis Trček
University of Ljubljana, Slovenia
AbstrAct
Mass deployment of radio-frequency identification (RFID) technology is now becoming feasible for a
wide variety of applications ranging from medical to supply chain and retail environments. Its main
draw-back until recently was high production costs, which are now becoming lower and acceptable. But
due to inherent constraints of RFID technology (in terms of limited power and computational resources)
these devices are the subject of intensive research on how to support and improve increasing demands for
security and privacy. This chapter therefore focuses on security and privacy issues by giving a general
overview of the field, the principles, the current state of the art, and future trends. An improvement in the
field of security and privacy solutions for this kind of wireless communications is described as well.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security and Privacy in RFID Based Wireless Networks
These appealing properties also have draw- A model of RFID environment is described in
backs, many of them in the area of security and Figure 1. It consists of tags (also called respond-
privacy. But as RFID is already finding its place ers) and readers (also called transceivers). This is
in contemporary information systems (ISs), these the front-end of RFID applications, which have
issues need to be addressed seriously, which is the their back-end in database management systems,
goal of this chapter. In the second section, the back- where they are integrated with the rest of the IS
ground of RFID technology is given. In the third (see Figure 1). It is generally assumed that RFID
section, threats are described and countermeasures security and privacy is concerned with the front-
are given. In the fourth section anticipated future end part (the left-hand side of the dashed vertical
trends are discussed. There is a conclusion in the line in Figure 1). This is actually the part that is
fifth section, while the chapter ends with references covered by the reader’s signal; the tag’s signal
and key definitions. usually falls within its range.
Tags consist of a microchip and an antenna,
both encapsulated in polymer material. The micro-
bAckground ovErvIEw chip has encoded data, called identification (ID),
which typically include the manufacturer, brand,
Some definitions have to be given first. One basic model, and serial number. Communication takes
definition in the area of computer (communications) place on radio-frequencies, for example, from 125
security states that security means minimization kHz to 134 kHz for security cards and from 800
of vulnerabilities of assets and resources (ISO, MHz to 900 MHz for retail applications (Roussos,
1989). Wireless security thus means minimization 2006). However, increasing the frequency means
of vulnerabilities of assets and resources when increased accumulation of signal in bodies contain-
communicating information in electro-magnetic ing large quantities of water or in metal.
media through a free-space environment. Finally, Communication is achieved by electromagnetic
RFID technology will be defined as wireless coupling between readers and tags. A reader trans-
identification technology which operates on radio mits a signal, which induces a voltage in the tag’s
frequencies and deploys low-cost ICs. antenna. This coupling provides sufficient power
tag's range
SECURE ENVIRONMENT
reader's range
Security and Privacy in RFID Based Wireless Networks
for a tag to respond (after performing some cal- 200 read operations per second. An algorithm to
culations if required). If a tag is powered through respond to read primitives from a reader may be
this coupling, it is called a passive tag. However, probabilistic (e.g., Aloha (Prasad & Rugierre, 2003)
if a tag has some source of energy, for example, or deterministic (e.g., a binary walking tree) (Juels,
a battery, it is called an active tag. Each type has Rivest, & Szydlo, 2003). With such algorithms, a
certain advantages and disadvantages. Passive tags single tag can be identified and isolated. The related
are cheap, but remain active until being explicitly process is called singulation. Finally, the number
destroyed. They have a low operating perimeter of available gates that can be devoted to security
(typically 3 meters) with a relatively high error rate. operations is in the range of 400 to 4,000.
In contrast, active tags have a greater operating The above estimates are based on figures from
perimeter (up to a few hundred meters), lower er- Weis (2003) by applying Moore’ s law, which states
ror rate, and cease functioning when the source of that for the same price the available processing
power is exhausted. However, they are significantly power doubles every year and a half. It is therefore
more expensive. Both kinds of tags can be read clear that processing resources to support secu-
only, write once-read many, or rewritable. rity in RFID environments are very limited and
The main barrier to mass-deployment of RFID lightweight cryptographic solutions thus provide
tags is their price. A wish-price is limited by five an answer to this problem.
cents, but depending on quantities and using current Moore’s law also implies that there is always a
technologies, many application niches can already point where “ordinary” cryptographic algorithms
be covered. The total cost consists mainly of cost become feasible for computationally weak devices.
of an antenna, which can be from €/US$ 0.01 to An example of a thick RFID implementation, which
€/US$ 0.02, cost of silicon, and IC production; is based on AES to provide authentication, can be
silicon typically costs €/US$ 0.04/mm2 (Weis, found in the work of Feldhofer, Dominikus, and
2003), while IC production depends on the number Wolkerstorfer (2004). Despite this, a permanent
of logical gates, that is, technology. But roughly, need exists for lightweight cryptographic protocols
the cost ranges from €/US$ 0.025/mm2 with 1500 and also algorithms. One main reason is the gap
gates/mm2 to €/US$ 0.08/mm2 with 60.000 gates between ordinary devices where space and power
(Weis, 2003). consumption are not a serious concern (e.g., tag
A typical communication channel with a pas- readers, desktop systems), and weak devices with
sive RFID is asymmetric. This means that forward limited space and power consumption (e.g., RFID
communication, that is, communication from a tags, smart-cards). This gap means that increased
reader to a tag, has one order of magnitude larger processing power affects both kinds of devices
in range than backward communication, that is, equally; in the case of a cryptographic algorithm,
from the tag to the reader. In the former case this the key-length of this algorithm is extended.
is typically up to 100 meters, while in the latter As a consequence, weak devices are again less
case this is typically up to 3 meters. The reason, protected because they cannot deploy such inten-
of course, is the power consumption constraint, sive computations with enlarged keys. Further, if
which means that practical applications are limited the above use of a cryptographic algorithm can be
to a range of up to 3 meters. seen as a kind of variable cost (the longer the key,
Thus, the cost factor dictates that a typical RFID, the higher the processing overhead), cryptographic
or a reference RFID implementation, is currently protocols can be seen as a fixed cost. Note that cryp-
expected to have the following characteristics. It tographic protocols are ordinary communication
is passively powered and has 96 bits of read-only protocols that deploy cryptographic algorithms,
memory. These standardized bits serve to carry the and cryptographic protocols are often referred to
tag’s identity, which is unique for each tag (these as security services, while cryptography algorithms
IDs are stored in silicon by an imprinting process). are referred to as security mechanisms. Both kinds
A chip operates at 20,000 clock cycles, providing of costs contribute to the total processing power
Security and Privacy in RFID Based Wireless Networks
requirements, and have to be kept low while at the estimated damage D(ai, tj) caused by interaction
same time enabling a comparable level of security between asset ai and threat tj during this period is
to weak devices. This leads to a whole new research calculated. The result presents the upper bound for
area (Juels, 2004). investment in safeguards. A certain degree of risk,
called residual risk, is usually accepted and taken
rfId threats and countermeasures into account. This often makes sense economi-
cally. But in the majority of cases, a threat cannot
The very basic threat to each and every tag is that be completely neutralized (Trček, 2006).
it remains active when it is no longer supposed to The challenging parts of this process are
be active. To counter this problem, RFID logic identification of threats and their probability. For
may implement kill operation, which means that identification of threats in RFID environments a
upon receipt of a certain communication primitive, comprehensive taxonomy from Garfinkel, Juels,
the tag becomes permanently inoperative by, for and Pappu (2005) can be used. The first four threats
example, blowing a fuse in its circuitry. A more are related to corporate security, and the rest to
bullet-proof solution is exposure of RFID to micro- personal privacy:
wave radiation that melts its metalized layer.
Risk management drives each and every pro- • Corporate espionage threat: Tagged prod-
vision of security and privacy in ISs. A typical ucts may enable remote acquisition of supply
process is depicted in Figure 2. It starts with the chain details like logistics details, volumes,
identification of assets A (A = {a1, a2, …, an}) and and so forth.
threats T (T = {t1, t2, …, tm}) to those assets. For • Competitive marketing threat: Tags may
each asset and threat, that is, Cartesian product A enable access to customers’ preferences and
× T = {(a1, t1), (a1, t2), …, (an, tm)}, related vulner- use the data gathered for competition.
abilities are identified together with the likelihood • Infrastructure attacks threat: Where
of a threat to get into interaction with the asset RFID is central to a competitor’s advantage;
during a certain period of time. On this basis, the disruption of RFID operations becomes an
important point for attack.
Security and Privacy in RFID Based Wireless Networks
• Trust perimeter threat: Gathering addition- may be used for smart-home applications or to
al volumes of data through RFID introduces help disabled people.
new challenges related to sharing information The most common approach to security and
in a trustworthy way. privacy is by deploying cryptography. Using
• Action threat: Individuals actions may be cryptographic mechanisms (e.g., symmetric and
monitored. asymmetric cryptographic algorithms, strong one
• Association threat: When tagged products way hash functions), the following cryptographic
are associated with an individual’s ID (e.g., services can be implemented (ISO, 1995):
loyalty programs), these persons can be as-
sociated not only with the type of product, • Authentication: This ensures that the peer
but with the exact product, due to its unique communicating entity is the one claimed.
ID. • Confidentiality: This prevents unauthorized
• Location threat: Tags can be triggered by disclosure of data.
covert readers at various locations to reveal • Integrity: This ensures that any modification,
a person’s location. insertion, or deletion of data is detected.
• Preference threat: Tags disclose preferences • Access control: This enables authorized use
of customers and help to identify, for example, of resources.
more wealthy ones. • Nonrepudiation: This provides proof of
• Constellation and transaction threats: Con- origin and proof of delivery, such that false de-
stellation threat is similar to location threat, nying of the message content is prevented.
but in this case the identity of a customer is • Auditing: This enables detection of suspi-
not known. Despite this, a particular person cious activities and analysis of successful
can be spotted and traced. Further, chaining breaches. It provides evidence when resolving
one constellation threat with another, a whole legal disputes.
chain of actions, or transactions, becomes
traceable. In case of RFID tags, authentication, confiden-
• Breadcrumb threat: When products are tiality, and access control can be applied to counter
disposed with their original tags, an attacker threats described at the beginning of this section.
may use them and is tracked with falsified But to make these security services operational,
identity. This is actually just another kind of key management (i.e., handling of cryptographic
identity theft. algorithms’ keys) has to be resolved (Trček, 2005).
This is a complex issue in open environments
On top of all this, a fundamental threat exists, and has been known as such for almost two de-
called tag cloning, and such cloning has been suc- cades. Suffice it to say that only very simple key
cessfully demonstrated (Bono, Green, Stubblefield, management schemes are acceptable for RFID
Juels, Rubin, & Szydlo, 2005). What countermea- environments.
sures are at our disposal? With regard to security and privacy, it is re-
The basic option was mentioned at the begin- quired that authentication, and consequently access
ning with the physical destruction of a tag (e.g., control, is provided only to legitimate readers.
by exposure to microwaves or implementation of a Further, rogue readers should not be disclosed a
logical kill command that makes chip inoperable). tag’s ID, but should also be prevented from trac-
But the fact is that the latter approach often has ing a tag, regardless of the inaccessibility of its
flaws in implementations: logically killed tags may ID. Put another way, when rogue readers interact
remain active or be reactivated (Roussos, 2006). with a tag, it should be practically impossible (i.e.,
In many situations, it might be even beneficial to computationally difficult) to link the multiple
keep these tags active; for example, tagged items manifestations of a tag to this very tag.
Security and Privacy in RFID Based Wireless Networks
An example of recent solutions that meet these 2005). In this approach, each tag is given a cycling
requirements is the YA-TRAP protocol (Tsudik, sequence of pseudonyms that are chosen to reply
2006). However, to demonstrate a typical simple to reader requests. But by repeatedly scanning the
authentication RFID protocol, an example by same tag the whole cycling sequence would be
Weis (2003) is given. In this case, RFID contains discovered. A solution is to throttle the queries,
a derivative of some key, from which it is computa- that is, to use each pseudonym for some extended
tionally hard to obtain the real key. This derivative, period of time.
called metaID, can be a cryptographically strong Another option is blocker tags that are based
hash of the key. The tag authenticates the reader on the already mentioned tree-walking algorithm.
as follows: The singulation process deploying this algorithm
uses a k-bit identifier represented as a binary tree.
1. The reader queries a tag to send its me- Each leaf in this tree is the tag’s ID. The algorithm
taID. goes as follows:
2. After obtaining metaID, the reader looks up
the internal table to find the corresponding 1. The reader starts at the root (depth d=0). To
key, which is unique for each tag. It sends decide whether to proceed along the subtree
this key to the tag. with 0 or the subtree with zero, it first emits
3. After obtaining the key, the tag hashes this 0.
key and compares it with its metaID. If values 2. If all tags broadcast 0, the reader proceeds
match, the tag provides its full functional- by stepping one level down to the subtree
ity. beginning with 0 (depth d=1). If all tags
broadcast 1, it steps one level down to the
It can readily be observed that confidentiality subtree beginning with 1 (depth d=1). If
is not used in the above scenario. This means that the reader receives both zeros and ones, it
the communicated data are exchanged in plain and proceeds down both trees.
can be read by an adversary. In the above scenario, 3. The procedure is repeated at each level (the
it suffices to intercept the key, and afterwards to total depth d of the tree equals the number of
falsely authenticate to tag. bits that are used for identifiers, that is, d=k),
This is not the only threat to confidentiality. until only one singular tag is responding.
Confidential data are stored on RFID, the most
sensitive piece being its ID. Due to processing To spoof the reader, a blocker tag simply
requirements and key-management problems, the emits both bits 0 and 1, which means traversing
tendency is to store data in plain. In this case, many the complete tree. This reply actually forces the
other kinds of attacks can be applied that exploit reader to do an exhaustive search on the whole set
a tag’s tamper resistance, and may consequently of 296 combinations, which is impossible. Such a
lead to the tag’s cloning (Anderson & Kuhn, 1996). tag would, of course, disrupt all operations. Thus
Such attacks can be prevented by careful circuitry only a subtree of the whole ID space can be al-
design principles that are common in smart-card located to privacy protecting bits (e.g., only that
design (e.g., scrambling of memory addresses, subtree that starts with bit 1). When a reader would
proper positioning of the memory layer within enter such a subtree, it would cease the process of
the integrated circuit, and inclusion of dummy further singulation.
components). Another option is to regulate the range of emitted
But, as is always the case with security and signal from a tag (Fishkin & Roy, 2003). Based on
privacy in ISs, one should not rely solely on cryp- the strength of a signal, a tag can calculate an esti-
tography. One alternative architectural approach mated distance to the reader and adapt its emitting
is the use of tag pseudonyms (Garfinkel et al., power to the level, at which signal-to-noise ratio is
Security and Privacy in RFID Based Wireless Networks
such that a reader is able to read the reply. Other to relevant data can be encrypted by the reader and
devices that are out of this range are automatically written (back) to the tag. Permanent sensitive data
disabled from tracing the response. can be also decrypted at the reader’s side. But this
Finally, we propose a new hybrid technique requires efficient lightweight authentication proto-
called one-time pseudonyms. This technique cols, and this area is likely to get further attention
deploys the idea of tag pseudonyms and one-time from researchers.
password principle, which was proposed for the However, cryptography is no panacea. One basic
first time by L. Lamport (1981). The principle goes reason, described in the second section, is the gap
as follows. Take a seed value S0 and apply a strong between ordinary computational devices (devices
one-way hash function to obtain the value S1 = without stringent limitations on semiconductor
hash(S0). Next, calculate S2 = hash(S1), S3 = hash(S2), area and power consumption) and weak process-
and so on. Now, when a tag is to be identified by ing devices. Thus noncryptographic solutions, as
a reader, the reader sends an integer that denotes described in the previous section, may become
the index of the iteration to be done on the seed. more important.
Of course, in the case of RFIDs, the unique ID is It should be mentioned that no IS security and
assumed to be used as a seed. privacy can be fully exercised if there is no legal
From the point of background (secure environ- coverage. Although security and privacy related
ment) operations, these one-time pseudonyms regulation is becoming broad and diverse, the
introduce a workload comparable to that for ordi- RFID area has many specific issues that require
nary pseudonyms. The advantage is that there is tailored legislation. But this topic is outside the
no need for a logic circuit to throttle the queries scope of this chapter.
(i.e., to change pseudonyms only every few min-
utes). Further, the cycle of one-time pseudonyms
is not deterministic. Thus it is much harder for an conclusIon
attacker to follow the tag to collect the complete
sequence, which is the case with the basic tags A ubiquitous and pervasive computing paradigm is
pseudonyms technique. There is a slight drawback almost inherently tied to wireless communications.
with this technique if a large number of iterations In addition, this paradigm rests on massive deploy-
are required. A straightforward possibility would ment of computing devices, which therefore have
be to limit the highest index (number of itera- to be cheap. RFID technology is the special kind
tions), while another approach would be to store of such paradigm. Due to its specific properties it
in an RFID, for example, each 20th iteration of its places further constraints on wireless security and
hashed ID. This would also significantly expand privacy. These specific properties and available
the range of applicable iterations, because the up- existing solutions have been discussed in detail
per limit for this technique presents a computation in this chapter.
load that is related to the response of a tag and to The majority of solutions that support security
power consumption. and privacy are built on cryptography, while some
promising attempts are emerging that are not tied
to cryptography (e.g., blocker tags, antenna-energy
futurE trEnds analysis, tag pseudonyms). Further, a new hybrid
technique for tags authentication has been proposed
With regard to cryptography, it is anticipated that that deploys the principles of tags pseudonyms
encryption of RFIDs content will become the norm and one-time passwords. It compensates the basic
in providing confidentiality. Basically, in many drawback of the pure tag pseudonyms approach,
scenarios it is not necessary that a tag be capable while the price to be paid (in terms of additional
of performing strong encryption of its data. Once calculations and slightly prolonged response times)
it has successfully authenticated a reader, changes may be acceptable for many environments.
Security and Privacy in RFID Based Wireless Networks
There is no doubt that RFID devices are about to Garfinkel, S.L, Juels, A., & Pappu, R. (2005). RFID
become one kind of mainstream wireless technol- privacy: An overview of problems and proposed
ogy. Currently being implemented mostly in supply solutions. IEEE Security and Privacy, 3(3), 34-43.
chains and retail, their deployment possibilities are Los Alamitos: IEEE.
numerous, for example:
International Standards Organization (ISO). (1989).
Information processing systems: Open systems
• Health care information systems can be im-
interconnection - basic reference model, security
proved for better handling of patients’ data.
architecture, part 2 (ISO 7498-2). Geneva: ISO.
• Elderly and disabled people can benefit from
new applications that are based on RFID. International Standards Organization (ISO).
• New applications for intelligent, smart-homes (1995). IT, open systems interconnection: Security
can be built on top of RFID. frameworks in open systems (IS 10181/1 thru 7).
• Scientific research of certain species can be Geneva: ISO.
improved, and so forth.
Juels, A. (2004). Minimalist cryptography for RFID
As for every technology, RFID technology tags. In C. Blundo & S. Cimato (Eds.), 4th Confer-
has its advantages and disadvantages. To properly ence on Security in Communication Networks (pp.
ensure security and privacy related measures, a 149-164). Heidelberg: Springer Verlag.
proper risk management strategy has to be taken. Juels, A., Rivest, R., & Szydlo, M. (2003). The
Only the big picture of security and privacy assures blocker tag: Selective blocking of RFID tags for
to benefit from the use of this kind of wireless consumer privacy. Paper presented at the 8th ACM
technology. Conference on Computer and Communications
Security (pp. 103-111). New York: ACM.
Bono, S., Green, M., Stubblefield, A., Juels, A., Roussos, G. (2006). Enabling RFID in retail. Com-
Rubin, A., & Szydlo, M. (2005). Security analysis puter, 39(3), 25-30. Los Alamitos: IEEE.
of a cryptographically-enabled RFID device. In Trček, D. (2005). E-business systems security
Proceedings of the 14th USENIX Security Sympo- for intelligent enterprises. In M. Khosrow-Pour
sium (pp. ?). Berkeley: USENIX. (Ed.), Encyclopedia of information science and
Feldhofer, M., Dominikus, S., & Wolkerstorfer, J. technology (Vol. 2, pp. 930-934). Hershey, PA:
(2004). Strong authentication for RFID systems IGI Global, Inc.
using the AES algorithm. In Proceedings of the 6th Trček, D. (2006). Managing information systems
International Workshop Cryptographic Hardware security and privacy. Heidelberg/New York:
and Embedded Systems (LNCS 3156, pp. 357-370). Springer.
Heidelberg: Springer.
Tsudik, G. (2006). A-TRAP: Yet another trivial
Fishkin, K.P., & Roy, S. (2003). Enhancing RFID RFID authentication protocol. Paper presented at
privacy via antenna energy analysis (Memo IRS- the International Conference on Pervasive Comput-
TR-03-012, Intel Research). Santa Clara: Intel. ing and Communications PerCom 2006 (pp ?-?).
Los Alamitos: IEEE.
0
Security and Privacy in RFID Based Wireless Networks
Weis, S.A. (2003). Security and privacy in radio- Security Mechanism: A basis for a security
frequency identification devices. Unpublished service, where using a particular security mecha-
master’s thesis, Cambridge MIT. nism (e.g., cryptographic algorithm) enables the
implementation of security service.
Security Service: A service provided by an
kEy tErMs entity to ensure adequate security of data or sys-
tems in terms of authentication, confidentiality,
Active Tag: A tag that has some source of integrity, and nonrepudiation.
energy, for example, a battery.
Singulation: A process (an algorithm) that en-
Kill Operation: Upon receipt of a certain ables isolation and identification of a single tag.
communication primitive a tag becomes perma-
Tag: A small, low cost IC with unique ID and
nently blocked, for example, by blowing a fuse in
computational capabilities to support identifica-
its circuitry.
tion processes.
Passive Tag: A tag that is powered through
Tag’s Identity (ID): This is a unique number
electromagnetic coupling and obtains power from
for each tag that is stored in silicon with imprint-
the reader.
ing process.
Reader: A device that queries tags to obtain
Wireless Security: Minimization of vulner-
their IDs and that is connected to the back-end
abilities of assets and resources when communicat-
part of information systems.
ing information in electromagnetic media through
RFID Technology: Wireless identification a free-space environment.
technology that operates in radio frequencies and
deploys low-cost ICs.
Chapter XLVI
Security and Privacy
Approaches for Wireless
Local and Metropolitan Area
Networks (LANs & MANs)
Giorgos Kostopoulos
University of Patras, Greece
Nicolas Sklavos
Technological Educational Institute of Mesolonghi, Greece
Odysseas Koufopavlou
University of Patras, Greece
AbstrAct
Wireless communications are becoming ubiquitous in homes, offices, and enterprises with the popular
IEEE 802.11 wireless local area network (LAN) technology and the up-and-coming IEEE 802.16 wire-
less metropolitan area networks (MAN) technology. The wireless nature of communications defined in
these standards makes it possible for an attacker to snoop on confidential communications or modify
them to gain access to home or enterprise networks much more easily than with wired networks. Wireless
devices generally try to reduce computation overhead to conserve power and communication overhead
to conserve spectrum and battery power. Due to these considerations, the original security designs
in wireless LANs and MANs used smaller keys, weak message integrity protocols, weak or one-way
authentication protocols, and so forth. As wireless networks became popular, the security threats were
also highlighted to caution users. A security protocol redesign followed first in wireless LANs and then
in wireless MANs. This chapter discusses the security threats and requirements in wireless LANs and
wireless MANs, with a discussion on what the original designs missed and how they were corrected in
the new protocols. It highlights the features of the current wireless LAN and MAN security protocols and
explains the caveats and discusses open issues. Our aim is to provide the reader with a single source of
information on security threats and requirements, authentication technologies, security encapsulation,
and key management protocols relevant to wireless LANs and MANs.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
IntroductIon bAckground
The topic of this chapter is the security of 802.11 Traditionally, the term authentication in the context
wireless local area networks (WLANs) and of 802.16 of computer and network security concerns the
wireless metropolitan area networks (WMANs). ability of a verifier (or prover) entity to ascertain
These networks are based on the IEEE standards the correct identity of another entity claiming to
belonging to the 802 family, which include the be that identity. Thus, the aim of authentication is
much-beloved Ethernet (802.3) that is common to- for one entity to prove its identity to another based
day in homes and offices. Although the development on some credentials possessed by that first entity.
of the 802.11 technology and standards have been Examples of credentials include passwords, digital
ongoing sine the late 1990s, grassroots adoption of certificates, or even physical keys. The outcome
“wireless Ethernet” only began in the 2000-2001 of an authentication process is typically binary,
timeframe when access point (AP) devices became namely success or fail. The process is typically de-
cheap enough for the home user to obtain. fined and implemented as one or more protocols.
The convenience of having wireless access to The term authorization pertains to the rights,
the IP Internet is self-evident. The value proposi- privileges, or permissions given to an authenti-
tion in terms of employee productivity has been cated entity in relation to some set of resources. In
so compelling that many enterprises began also practice, authorization for an entity to take actions
to introduce the technology into their corporate (e.g., access network, read files) is preconditioned
networks. This enterprise adoption, however, on a successful authentication. The functions of
was prematurely halted when security flaws in authentication and authorization are often accom-
the wired equivalency privacy (WEP) algorithm panied by accounting (or auditing), with the three
were discovered and published. Various temporary loosely referred to as AAA.
patches were then suggested in order to support The level of authorization assigned to an entity
existing enterprise investments in WLAN equip- when it seeks access to resources is often tied to
ment, with the IPsec-VPN (e.g., over the wireless the type and strength of the authentication protocol
segment) as the most common approach. The used and the type of credential possessed by the
IEEE standards community completed the revi- authenticated entity. Hence, differing levels of as-
sion of the security-related components of 802.11 surance or certainty regarding the outcome of an
in 2004, with conforming products scheduled to authentication process can be gained by using dif-
be shipped in 2005. ferent credentials and authentication protocols.
This chapter is not a user guide to specific For example, when a password (as a creden-
WLAN or WMAN products, and intentionally tial) is used with a weak protocol (e.g., plaintext
avoids specific references to such products. It is also challenge-response), then a low or weak level as-
not a thesis on the various engineering solutions that surance is obtained as both the credential and the
could have been applied to solve the Wi-Fi security authentication protocol are weak. In contrast, a
problem. Instead, the chapter attempts to explain strong credential such as a digital certificate when
what current approaches and solutions have been combined with a strong authentication protocol,
adopted, and why these were chosen. such as SSL or transport layer security (TLS),
The contents of the chapter are arranged in achieves a higher level of assurance regarding the
four parts, where each part groups together top- identity of the authenticated entity.
ics and issues that are closely related. These parts In today’s complex computer and network
roughly cover the topics of WLAN authentication systems, multiple credentials might be needed for
and authorization, WLAN security algorithms an entity to access multiple resources, each access
and protocols, security in WLAN roaming, and instance of which may be governed by separate
security in WMANs. These are described in more sets of privileges. Thus, often the term layer (of
detail next.
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
authentication and authorization processes) is used ing entities. In contrast, an adversary may need to
to describe complex situations. gain entry to a physical access controlled building,
One of the earliest questions with regards to wiring closet, or a network device to attack a wired
authenticating dial-up users was how to run an network. The IEEE 802.11 standard attempts to
authentication protocol with a (dial-up) client when emulate the physical attributes of wired medium
it did not yet have an assigned IP address. This in designing the WEP suite of security protocols
issue was of particular concern since the assign- and data transforms.
ment of an IP address was subject to a successful WEP consists mainly of an entity authentica-
authentication. However, most of the existing au- tion protocol and a data security transform. The
thentication protocols, such as IKE or SSL, were authentication protocol has two modes: open-sys-
designed to be run over the IP layer with the end tem and shared-key authentication subtypes. The
points possessing known source/destination IP open-system authentication protocol is a 2-way
addresses. This apparent chicken-and-egg problem handshake initiated by the entity requesting service.
was solved with the introduction of the extensible It consists of the requester asserting its identity
authentication protocol (EAP), first published as an and the responder returning with “successful” or
Internet standard in 1998 in RFC2284 and more “unsuccessful” only on the basis of whether open-
recently revised in RFC3748 (2004). system authentication is supported or not. In other
In the last couple of years EAP has come to words, open-system authentication protocol does
the forefront of discussions, this time on 802.11 not provide any security whatsoever. The shared-
WLAN security and 802.1X. This is due to the key protocol is a 4-way exchange, also initiated by
similarity of the chicken-and-egg problem found the entity requesting service. It consists of request,
in WLANs, namely the question of how a server challenge, challenge-response, and result messages
on an IP network can authenticate an 802.IX sup- in that order. The responder challenges the requester
plicant when that supplicant does not yet have an to provide proof of possession of the shared secret.
IP address, and whose IP address assigned is in The requester encapsulates the challenge-response
fact subject to a successful authentication by the message using the WEP transform to prove that
server. it knows the WEP secret key. The responder de-
For the purposes of WLAN security EAP it- capsulates the message using its local copy of the
self can be viewed as a framework within which shared secret key and compares the decrypted text
a security protocol must be instantiated “inside” with the original challenge text. If there is a match,
(on top of) EAP. Thus, with the emergence of the requester is granted a connection.
EAP came the definition of a number of EAP The data security transform, comprising the
methods which load EAP with the appropriate WEP encapsulation and decapsulation processes, is
security protocol. One important EAP method is the other component of an 802.11 security solution.
EAP-TLS, which is an instantiation of the TLS The standard recommends that the authentication
(or SSL) protocol inside EAP. More stringent that protocol be used in conjunction with the data se-
plain TLS in terms of certificate usage, EAP-TLS curity transform.
mandates the use of digital certificates at both the WEP uses RC4 (Ron’s code: a proprietary
client and server side. stream cipher designed by Ron Rivest of RSA Labs
and later released into public domain) as the cipher
to protect 802.11 frames. The WEP encapsulation
sEcurIty IssuEs In wIrElEss process is designed to be “reasonably strong,”
lAns And MAns self-synchronizing (considering that medium ac-
cess control [MAC] protocol data units [MPDUs]
Wireless networks make it easy for an attacker to may be dropped or arrive out of order, the receiv-
read, modify, or drop packets, as the attacker often ing entity must be able to decapsulate an MPDU
needs only to be in the vicinity of the communicat- independent of prior or future MPDUs), efficient,
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
and easy to implement in hardware or software. sociation (RSNA) with an AP using IEEE 802.1X
Thus, an initialization vector (IV) for the RC4 and EAP for authentication and key distribution.
cipher accompanies each MPDU, along with a key From the resulting master key, the AP and the
ID (shared-key ID used to encapsulate the current STA engage in a 4-way exchange to derive ses-
MPDU), and an integrity checksum to protect sion keys. STAs can only communicate to other
against MPDU modification en route. Briefly, the entities in the wired or wireless network via an
key and the IV are input to the RC4 encryption authenticated secure channel (using CCMP or TKIP
algorithm to generate a pseudorandom key stream as the security protocols). Thus, an AP enforces
for MPDU encapsulation. A checksum is computed access control to the wired network and provides
over the MPDU using cyclic redundancy check a means for authenticated and confidential com-
(CRC-32) for integrity protection. The checksum munication between the STA and other entities
is then appended to the MPDU and is XORed in the network.
with the keystream to generate the ciphertext. The primary reason WLANs were developed
WEP decapsulation follows the reverse process, was to allow untethered connections between a
where, upon decryption of an MPDU, the received client and an 802.11 access point (AP), as a basis
checksum is compared with the locally computed for further access to resources and services on
checksum to verify the MPDU’s integrity. the Internet. The next step in this process is wire-
WEP design contains several well-publicized less roaming, in which a client can move across
flaws. The nature of the flaws will be clear as we multiple APs in one administrative domain and
delve into the design details. The design goals across multiple APs across differing administrative
themselves are suspect: the stated goal is wired domains. Currently, the most prevalent model for
equivalency privacy, which in itself is hard to wired roaming consists of a dial-up connection from
capture. The choice of cipher, and especially the a client (e.g., a laptop) through an Internet service
use of a stream cipher for encapsulating packets, provider (ISP), to a home domain (e.g., corporate
also makes it easy for an attacker to cryptanalyze network). This model presumes the prior existence
WEP encapsulated MPDUs. The choice of integ- of a business relationship between the client (or its
rity algorithm, CRC-32, which is linear, makes it corporation) and one or more ISPs.
easy for an attacker to modify encrypted MPDUs The term Wi-Fi roaming can be loosely defined
without the receiver being able to verify whether as the set of services supporting the deployment
the packets are legitimate or not. and management of 802.11 WLAN access at public
Wireless LAN devices or wireless stations venues or public hotspots, where the customer of
(STA) are considered as logically external entities one service provider can obtain services (e.g., IP
to an enterprise network. Radio frequency (RF) connectivity) from a different (visited) service
waves in most deployment scenarios do not have provider. The term service provider (SP) here is
physical boundaries and thus STAs should be al- intentionally left abstract since in today’s Internet
lowed to access the corporate network only after a number of entities can take the role of providing
going through a similar authentication procedure one or more services relating to Wi-Fi roaming. It
as in the case of remote access. For remote access, is important to note that Wi-Fi roaming involves
enterprises typically use IPsec for general pur- the crossing of both network-administrative bound-
pose access to their intranets, and SSL for access aries and security-administrative boundaries.
to e-mail and other similar applications. In both Therefore, on-campus WLAN access at different
cases, remote access servers and clients mutually remote locations (e.g., offices, buildings) under the
authenticate each other, and arrive at a common same administrative jurisdiction is not considered
security association (SA). Use of keys within that here as Wi-Fi roaming.
SA is proof of authentication for accessing the The business case for Wi-Fi roaming is self-evi-
enterprise intranet via the remote access server. dent: consumers with laptops or handheld devices
STAs establish a robust security network as- are willing to pay for IP connectivity through
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
hotspots located throughout the world, provided GSM phones) beyond the ring tones of today. Such
that Wi-Fi access is easy to use and secure. content may include MP3 music files, interactive
This desire is already true today, as seen in the online games, and MPEG4 video clips, depending
case of dial up IP services. Many traditional ISPs on the capabilities of the device.
see Wi-Fi roaming as providing a new business The authentication protocol used in GSM has
opportunity, by extending their edge services to a been the subscriber identity module (SIM), while
new kind of access point, namely, the public hotspot, for UMTS it will be UMTS subscriber identity
while retaining as much as possible their investment module (USIM). Both take the physical form of a
in their existing backend authentication, authoriza- universal integrated circuit card (UICC), with the
tion, and accounting (AAA) infrastructure. next generation based on tamperproof smartcard
For some mobile network operators (MNO) and technology. In the context of 3G-WLAN roam-
carriers, the case for Wi-Fi roaming can even be ing, the proposed protocols (EAP methods) for
considered imperative, as they are seeking to aug- authentication are EAP-SIM for SIM-based users
ment and extend existing mobile-related services and EAP- authentication and key agreement (AKA)
to their customers at affordable prices. Mobile for USIM-based users.
handsets that can make use of Wii hotspots—with The choice of the SIM and AKA methods for
speeds of 11 to 50 Mbps—could generate new busi- authentication has been dictated by the need of the
ness opportunities by providing users with higher- MNOs to keep as much as possible their back-end
quality content and a higher level of interactivity. AAA infrastructure unmodified for Wi-Fi usage.
The case for Wi-Fi roaming is of particular interest However, since the SIM and AKA protocol were
to MNOs that have invested heavily in the recent designed for GSM/UMTS networks, they are not
acquisition of three-generation (3G) licenses. transferable to the IP world without introducing
Given the increasing mobility of the workforce, some vulnerabilities. Thus, the “naked” SIM or
providing secure Wi-Fi roaming is an important AKA exchange needs protection while in the IP
challenge today. Corporations see remote access segment of the end-to-end handshake between the
as a given fact of life and expect services from SIM/USIM card (in the UE) and the HLR/HSS at
their ISPs supporting remote access. This is true the home network. One possible solution around
in dial-up today, and it is something expected of this problem is to wrap the SIM/AKA exchange
Wi-Fi roaming in the near future. within a TLS layer, which can be done by layer-
Wi-Fi roaming has recently taken an interesting ing the SIM or AKA handshake above (wrapped
direction in North America due to the entrance of within) protected extensible authentication protocol
a number of MNO into this space. These MNOs (PEAP) or tunneled TLS (TTLS).
want to enhance their 2G and 2.5G (and later However, in addition to these issues that are
their 3G) offerings with Wi-Fi related services. specific to EAP-SIM and EAP-AKA, the 3GPP-
Many MNOs already perceive that in practice WLAN interworking security specifications have
a universal mobile telecommunications system also outlined a number of other issues and require-
(UMTS) may not reach its theoretical data rates ments. Some of these are as follows:
of 2 Mbps. Thus, Wi-Fi at hotspots—with speeds
of up to 11 Mbps in 802.1lb and up to 54 Mbps • Mutual authentication: In addition to the
in 802.1la—may provide a solution for the need user authenticating itself to the home network,
for higher data rates complementing their 2.5G the network must in turn authenticate itself
and 3G offerings. From a content perspective, to the user. The EAP-AKA protocol provides
the marriage of GSM/UMTS and Wi-Fi roaming this feature.
makes very good sense. The ability of 802.11 Wi- • Signaling and user data protection: Sub-
Fi hotspots to provide high-speed connectivity to scribers should have at least the same security
the Internet makes it attractive for downloading level for WLAN access as for their current
richer content for mobile devices (e.g., PDAs and cellular access subscription. This require-
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
ment translates to the need to protect their thereby achieving true end-to-end EAP-AKA (or
interfaces or connections between the Wi-Fi EAP-SIM) exchange between the network and the
hotspot (namely, the WLAN access network) UICC (instead of the laptop hosting the UICC).
and the 3GPP network, between the 3GPP The area of broadband Internet has gained a lot
AAA proxy to the 3GPP AAA server, and of interest in recent years due the exciting business
between the 3GPP server and the HSS. opportunities enabled by high-speed Internet con-
For the connection between the Wi-Fi hotspot nectivity to homes and businesses. Content owners
and the 3GPP network, most likely the pro- (e.g., movie studios and record labels) and content
tocol used will be RADIUS or Diameter. providers/distributors (e.g., music and MPEG4
• Identity privacy: The user’s privacy while download services) see broadband Internet to the
roaming from one Wi-Fi hotspot in another home as crucial to providing the next source of
needs to be guarded. That is, when the user revenue, as it solves the difficult “last mile access”
is assigned a temporary identifier (or pseud- problem. Thus, if “content is king” as the saying
onym), it should be infeasible for an attacker goes, last mile access is the “queen” that enables
to reverse this process and correlate the content to flow to the consumer.
pseudonym with the actual user identifier. Today, only a fraction of U.S. households have
Naturally, it should also be infeasible for an broadband Internet in the form of cable modem
attacker to generate a valid pseudonym note services or DSL services. The mid-2004 subscriber
that temporary identifiers can be used within numbers indicate that there are just over 18 million
EAP-AKA. subscribers to broadband Internet. This is due,
• Protection of the interface between UIC among others, to the difficulty in installing cables
and WLAN access devices: Here, the con- for those services in dense areas with old buildings
cern relates to the wish of operators to reuse and infrastructures, despite the fact that the two
existing UICC and GSM SIM cards in laptops technologies have reached maturity. Furthermore,
and PDAs, which may have different physi- in many areas in the United States consumers who
cal security measures than mobile handsets. do have cable modem services available are un-
Thus, the UE is perceived to possibly have able to choose among service providers because a
a functional split implemented over several virtual monopoly has been established by one (or
physical devices/components, where one de- two) provider(s). The opportunity to remedy the
vice holds the UICC/SIM card, while another situation is somewhat better in countries that are
device provides WLAN access. still developing their physical infrastructures today
since they are able to build broadband Internet into
The interface across this functional split needs their infrastructure designs.
to be protected. There is little point in provid- It is with this background that wireless metro-
ing a near tamper-free UICC or SIM card, when politan area networks based on the 802.16 technol-
the WLAN-access device at the user (e.g., radio ogy have recently gained a lot of interest among
circuitry or WLAN software/hardware) can be vendors and ISPs as the possible next development
manipulated by an attacker to obtain PS from the in wireless IP offering and a possible solution for
home network or visited network, as these services the last mile access problem. With the theoretical
are core to the business of MNOs. speed of up to 75 Mbps and with a range of several
The aim is to provide protection to the level miles, 802.16 broadband wireless offers an alterna-
where attacking the PS domain (in UMTS network) tive to cable modem and DSL, possibly displacing
by compromising the WLAN access device is at these technologies in the future.
least as difficult as attacking the PS domain by Wireless MAN security architecture has two
compromising the card-holding device. main design goals: to provide controlled access to
It is for this reason that there is currently interest the provider’s network, and to provide confiden-
in providing EAP functionality on board the UICC, tiality, message integrity protection, and replay
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
protection to the data being transmitted. WMAN the case with digital certificates. Furthermore, in
communications can be one-to-one or one-to-many. most cases, the BS only forwards authentication
In one-to-one communication, typically users are protocol messages to the backend AS for authen-
interested in protecting their data, and service tication. After verifying the MS’s credentials, the
providers in controlling access to their networks. AS informs the BS of the result—authentication
In one-to-many communication, service or content success or failure—and securely transfers the
providers encrypt data and provide keys to their master session key (MSK).
subscribers; thus content access control is the only The second component of enforcing access
goal in this case. control is key distribution. The BS must be able to
For access control, one may use asymmetric uniquely and easily identify packets from autho-
(digital certificates) or symmetric (e.g., preshared rized MSs so it can enforce authorized access to the
keys, SIM cards) authentication methods; the re- WMAN. Thus, after successfully authenticating an
vised 802.16 specification allows the use of either MS, the BS establishes a secret key with the MS.
of these two classes of authentication methods. The MS must include a proof of possession of the
From a provider’s perspective, an SS authenticating secret key with each packet. The most common
itself to a BS is sufficient for enforcing controlled way to achieve this is to compute a cryptographic
access to the provider’s network. However, for user integrity checksum with each packet, and include
data confidentiality, the one-way authentication it with the packet. In WMANs, the BS and MS
is not sufficient. Consider, for example, that SS may derive the keying material as part of the
to BS authentication alone will not help detect an authentication protocol, or the BS may supply the
adversary claiming to be a BS and thereby launch- key(s) to the MS.
ing a man-in-the-middle attack. Third, the IEEE 802.16 specification defines a
The revised IEEE 802.16 specifications update multicast and broadcast service (MBS). This allows
the cryptographic algorithms used for encryption WMAN service providers to distribute content ef-
and integrity protection, increase key lengths, and ficiently via multicast to relevant subscribers. The
add replay protection. The revised key management provider enforces controlled access to the content
protocol design consists of robust protection again by distributing a per-group secret key to the sub-
replay attacks. scribers who paid for the additional services.
A few further additions to the 802.16 secu- In addition to covering service providers’
rity architecture facilitate symmetric key-based requirements, the security sublayer addresses
authentication, and more importantly mobility. WMAN users’ requirements. User requirements
Specifically, a key hierarchy is defined for fast are typically to protect the confidentiality and
keying when a mobile SS (MS) associates with integrity of the data. In simpler terms, users want
a new BS. to ensure that a third party cannot read their com-
Controlled or metered access to the WMAN or munications, their data are not modified en route,
any content disseminated via the WMAN is the and that no one injects or drops packets without
foremost requirement of service providers. This being detected. It is quite difficult, if not impos-
basic requirement typically translates into many sible, to protect against an adversary dropping
components. packets; the other requirements are fairly easy to
First, any service provider’s BS must be able to achieve and the 802.16 standard specifies how to
uniquely identify an MS that wants to get access in the WMAN context. Specifically, in addition to
to the network. The MS may identify itself to a BS encryption, WMAN secure encapsulation provides
using digital certificates or indirectly to a legacy per-MPDU integrity protection as well as replay
authentication server (AS) (e.g., AAA server) protection.
in conjunction with a symmetric authentication Within the extended security sublayer there
method. In the latter case, the MS does not need are two versions of the PKM protocol: version 1 is
to perform expensive computations as would be quite similar to the basic security sublayer, except
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
that it supports new ciphers including 3DES-ECB ing considered secure). EAP authentication follows
and AES-ECB for confidentiality of key material, the steps below:
and AES-CCM for MPDU confidentiality. HMAC-
SHA-1 protects the integrity of the key management • The authenticator or the BS initiates the EAP
messages. PKMv2 comparatively has many more authentication process. Note that in the pub-
desirable properties, including mutual authentica- lic-key-based authentication protocol, the MS
tion using various combinations of RSA-based and requests authentication. The BS sends an EAP
EAP-based authentication protocols, additional request message to the MS. This is typically
message integrity algorithms, and key management an EAP identity request encapsulated in MAC
protocols. management protocol data unit (PDU) (i.e.,
Before we delve into that discussion, a bit of the secondary management channel carries
context of the design motivation for PKMv2 is the EAP messages).
in order. PKMv2 is part of a specification to add • The MS responds to the request with an EAP
mobility extensions to the base 802.16 standard. response message. The authenticator and the
When MSs are mobile, it may be desirable that MS continue the EAP exchanges until the
they preauthenticate with a BS they plan to associ- authentication server determines whether the
ate with, to reduce any potential for interruption in exchange is a failure or a success. The exact
service, be it access to the provider’s network, or number of the EAP messages depends on the
a-multicast/broadcast content delivery service. Thus method used for authentication.
preauthentication is one of the additional features • An EAP success or an EAP failure terminates
in PKMv2. Similarly a key hierarchy is defined to the EAP authentication and authorization
allow an MS to authenticate itself to the backend process. At the end of the protocol run, the
AAA server once, irrespective of any number of BSs BS and the MS have the primary master key
it may associate with. Along with these extensions (PMK).
for mobility, the new specification includes several
enhancements to the WMAN security protocols. In If the EAP exchange follows and RSA authoriza-
the rest of this chapter, we discuss these additional tion exchange, the EAP messages are protected using
features and their advantages and shortcomings. the EAP integrity key (EIK) derived as a result of
EAP-based mutual authorization in PKMv2 the RSA authorization exchange. The EAP messages
alone can support mutual authentication (indirect contain an AK sequence number (the AK and the
mutual authentication via a proof of possession of a EIK are derived from the RSA exchange) for replay
key, if a back end AS is involved). However, a com- protection and an OMAC digest, computed using
bination of RSA authorization followed by an EAP the EIK, for integrity protection.
authentication may also be used in WMAN access. If a backend AS is involved in the EAP authen-
In that case, the RSA authorization is considered to tication process, the AS delivers the PMK to the
provide device mutual authentication, whereas the authenticator or the BS after the EAP exchange is
EAP authentication is user authentication (which complete. The BS and the MS then engage in a 3-way
is especially true if a SIM card is involved in au- exchange to prove to each other that they possess
thentication). the PMK. The 3-way exchange can be run several
EAP authentication in PKMv2 is similar to times under the protection of the PMK to amortize
that in the 802.1 X/EAP-based authentication of the cost of the EAP authentication exchange.
802.11i STAs: the MS authenticates to an AS via an
authenticator. The BS in 802.16 networks serves as
the authenticator, although in some architectures the IMPlEMEntAtIon IssuEs
functionality of the authenticator and the BS might
be separated (this model of separating the BS and IEEE 802 standards committee formed the 802.11
the authenticator needs a further review before be- Wireless Local Area Networks (WLAN) Standards
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
Working Group in 1990. IEEE 802.11 standard In order to have a fair and detailed comparison
does not provide technology or implementation, between the two schemes, the same implementa-
but introduces the specifications for the physical tion platform has been used (i.e., the same field
and the MAC layers. 802.11 is the wireless pro- programmable gate array [FPGA] device).
tocol for both ad hoc and client/server networks. For the AES scheme, a compact VLSI architec-
The users’ acceptance of this protocol is high. ture is presented. The implementation of this archi-
Although, the security of the transmission channel tecture minimizes the allocated area resources. The
is a matter of special attention that always has to area-optimized design does not sacrifice the system
be considered. performance in a restricted way. The throughput
The WEP scheme has been adopted by IEEE of the design is much higher than the required by
802.11 standard to ensure security for the trans- the IEEE 802.11 standard. Both WEP and AES
mitted information. The basic two components schemes are compared in terms of implementation
of WEP are the pseudorandom number generator performance: allocated area resources, operating
(PRNG) and the integrity algorithm. The PRNG frequency, throughput, and power consumption.
is the most valuable component because it actu- Aspects of the supported security of these encryp-
ally is the original encryption core. WEP adopts tion schemes are discussed and security level
RC4 cipher as the PRNG unit and CRC-32 as the strength comparisons are given.
integrity algorithm. Although WEP is a good se- The proposed architecture for the implemen-
curity scheme, the offered security in some cases tation of the WEP scheme is illustrated in Figure
can not satisfy the user demands. In order a higher 1.
security level to be ensured, 802.11i working group In order to implement in hardware the cyclic
introduced, as protocol’s security scheme, the redundancy check (CRC-32), a shift register of 32
advanced encryption standard (AES). flip-flops (F/Fs) and a number of XOR gates are
In this section the hardware implementation used. So, a linear feedback shift register (LFSR)
cost of both WEP and AES schemes is presented. design is produced by using the F/Fs chain with
Modulo s-box
Adder
data bus
control (8-bit)
key 128-bit
Plaintext ciphertext
control 128-bit 128-bit
transformation round
(128-bit xor blocks)
data bus (32-bit)
0
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
the XOR gates. The characteristic polynomial of IEEE 802.111 and Advanced
this LFSR is: Encryption standard (AEs)
(X) = X32+X26+X23+X22+X16+X12+X11+X10+X8+X7+ AES proposed architecture operates in counter
X5+X4+X2+X+1 mode with cipher block chaining–message au-
thentication code (CCMP). According to IEEE
The presence/absence of an XOR gate in CRC-32 802.11i working group, this operation mode is
architecture corresponds to the presence/absence used to ensure, at the same time, integrity and
of a term in G(X) polynomial. The required output privacy. The proposed AES architecture is shown
message is the content of the LFSR after the input in Figure 2.
message last bit is sampled. The AES scheme architecture operates each
RC4 is a variable key-size stream cipher and time on a column of 32-bit data. It needs 41 clock
operates on one plaintext block at a time. RC4 cycles to complete the transformation of a 128-bit
architecture consists of the key expansion unit plaintext block. The column subunit is composed
and the transformation round. The key expansion of four basic building blocks: S-Box, DataShift,
unit is mainly a S-Box component. For the S-BOX MixColumn, and KeyAddition. The RAM-based
implementation a 256-byte RAM memory block is design for the S-BOXes ([256x8]-bit) guarantees
used and another similar memory block is needed high performance. This “column”-based architec-
for the key array. The transformation round is a ture minimizes the area resources compared with
simple bit-by-bit XOR between the plaintext and “state”-based architectures.
the key.
128
Plaintext
128
InItIAl-kEy
rEgIstEr InItIAl round
Initial
key Input
32
column
basic block
control
transformation
signals column
128 s-box
control
unIt
dAtA sHIft
MIx coluMn
transformed
column
outPut rEgIstEr
128
ciphertext
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
00
00
00
00 40 57
0
f (MHz) ArEA (clbs) PowEr (uw)
Implementation cost and resources, (2) higher power consumption, and (3)
Performance Evaluation lower operating frequency. Concluding and based
on the above comparison results, the proposed AES
In Figure 3, the synthesis results for both WEP implementation is proposed for applications with
and AES implementations are illustrated. For the special needs in both area resources and operation
hardware integration the FPGA device Xilinx frequency.
Virtex (2V250fg256) (2003) has been used. For Concerning security aspects, AES offers, at the
power consumption estimation, the Xilinx tool same time, privacy and integrity. On the contrary,
was used. WEP scheme needs two different algorithms in
Based on the synthesis results regarding the order to support bulk encryption and data integrity.
area resources, the utilization of both implementa- In some cases, where AES security is unbreakable,
tions are: AES, 323 CLBs (allocated) + 1213 CLBs WEP security could be broken. These comparisons
(unused) = 1526 CLBs (available in the FPGA give AES advantages and make it an efficient
device), and for WEP, 750 CLBs (allocated) + and trustworthy solution for the next years’ IEEE
776 CLBs (unused) = 1526 CLBs (available in the 802.11 networks.
FPGA device). The AES implementation performs
better compared with WEP implementation. The
minimized area resources of AES do not sacrifice conclusIon And outlook
the system performance, which reaches throughput
value 177 Mbps. On the other hand, RC4 is a more
“heavy” design for mobile devices hardware im- Generally speaking, the entire field of the “wireless
plementation. This is due to the specified S-Boxes Internet”—namely, wireless connectivity to the
and the key expansion unit specifications. RC4 IP network—is still relatively new and may take
performance is the bottleneck for WEP throughput a few more years to reach the level of ubiquity
which reaches the value of 2.22 Mbps. The main comparable to other access technologies such as
RC4 implementation disadvantages, compared dial-up over PSTN. What is evident, however, is
with AES, are: (1) more required silicon area that user mobility is a crucial aspect of the next
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
generation Internet services where the ordinary In the context of Wi-Fi roaming, technically
user will expect connectivity to be something that 802.1X provides better security than the
is permanently available, much like electricity that UAM Web-based approach. Thus, one pos-
is “always on.” sible development is for MNOs to also begin
There are a number of emerging technologi- adopting 802. IX for their Wi-Fi hotspots,
cal trends today that may influence the future of possibly reusing their SIM-based authentica-
WLANs and WMANs. We summarize these in tion with 802.IX (e.g., using an EAP method
the following and describe possible outcomes and such as EAP-SIM).
developments in this exciting field. • Enterprise adoption of “IPsec every-
where”: Many enterprises who were early
• The transparent “always on” Internet: adopters of intracampus WLANs solved
Increasingly the details of the operations the 802.11 WEP security problem by run-
of the IP Internet will become transparent ning IPsec connections internally within
or removed from the ordinary user. In the the enterprise network. Although the “IPsec
past, many early-home adopters of WLANs everywhere” approach was initially promoted
have had to familiarize themselves with as a temporary patch over the insecure WLAN
important IP networking concepts (such as segment of the network, increasingly some
IP addresses, ports on switches/routers, and enterprises have continued to use IPsec for
so forth) in order to set-up a home WLAN. other purposes (e.g., establish virtual LANs).
Today, through improved quality and ease There are a number of possible consequenc-
of use of WLAN products, most products es—intended or unintended—of using IPsec
are essentially plug-and-play. This human in this manner.
aspect is important because it contributes
to the user’s expectations of an always-on One possible effect of the widespread use of
Internet, whether they access it from a home IPsec within internal corporate networks—both
WLAN, a Wi-Fi hotspot, a wireless broad- LANs and WLANs—is to bring the connectivity
band (WMAN) provider, or from a 3G/GPRS layer one step higher, introducing a new IPsec layer
provider. Increasingly, the lay user will not in the stack. Thus, here IPsec could be seen as the
care how connectivity is provided, but will network layer transport (instead of the plain IP at
expect high-bandwidth connectivity to be ISO/OSI layer 3), where the actual IP addresses
ubiquitous. This expectation will in turn of the endpoints become less important than the
influence how service providers establish identity and IPsec credentials (e.g., digital certifi-
seamless services between the IP Internet cates or shared secrets) of those endpoints. This
and the 2G/3G mobile networks. deemphasizing of the IP layer and increased focus
• Increased adoption of 802.1X: The 802.1X on the IPsec layer may force networking hardware
approach for WLAN authentication is in- vendors to introduce richer security functionality
creasingly being adopted by enterprises, due into their hardware. Examples would be routers
in part to its support within the Microsoft that can route based not only on IP addresses, but
Windows family of products. Although vari- also on other characteristics of the IPsec connection
ous networking vendors have been touting (e.g., IKE and IPsec security associations).
proprietary security products for WLAN
authentication, the completion of the revision
to the IEEE 802.1X standard together with rEfErEncEs
recent progress in the Internet Engineering
Task Force (IETF) on EAP-related standards
should lead to the strengthening of 802.1X Agis, E., Mitchel, H., Ovadia, S., Asisi, S., Bakshi,
in the market. S., Iyer, P., et al. (2004, August). Global, interop-
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
erable broadband wireless networks: Extending RFC 3580. (2003, September). IEEE 802.1X remote
WiMax technology to mobility. International authentication dial in user service (RADIUS).
Technical Journal, 8, 173-187. Usage guidelines.
Arkko, J., & Haverinen, H. (2004, December 21). RFC 3748. (2004, June). Extensible authentication
Extensible authentication protocol method for protocol (EAP).
3rd generation authentication and key agreement
Sklavos, N., & Koufopavlou, O. (2002). Architec-
(EAP-AKA). Retrieved October 22, 2007, from
tures and VLSI implementations of the AES-pro-
<draft-arkko-pppext-eap-aka-15.txt>
posal Rijndael. IEEE Transactions on Computers,
Cooklev, T. (2004). IEEE wireless communication 51(12), 1454-1459.
standards: A study of 802.11, 802.15, and 802.16.
Sklavos, N., & Koufopavlou, O. (2003). Mobile
New York: IEEE Press.
communications world: Security implementations
Eklund, C., Marks, R. B., Stanwood, K. L., & Wang, aspects-a state of the art CSJM journal. Institute of
S. (2002, June). IEEE standard 802.16: A technical Mathematics and Computer Science, 11(2).
overview of the wirelessMAN air interface for
Wireless LAN Medium Access Control (MAC)
broadband wireless access. IEEE Communications
and Physical Layer (PHY) specifications. (1999).
Magazine, 98-107.
ANSI/IEEE Std 802.11: 1999 (E) Part 11, ISO/IEC
Haverinen, H., & Saloway, J. (2004, December 21). 880211.
Extensible authentication protocol method for GSM
Xilinx Inc. (2003). Virtex, 2.5 V field programma-
subscriber identity modules (EAP-SIM). Retrieved
ble gate arrays, & a simple method of estimating
October 22, 2007, from <draft-haverinen-pppext-
power in XC40000X1/EX/E FPGAs application
eap-sim-16.txt>
brief XBRF 014 v1.0. San Jose, California. Retrieved
Hwang, G. J., Tseng, J. C. R., & Huang Y. S (2002). October 22, 2007, from www.xilinx.com
I-WAP: An intelligent WAP site management
system. IEEE Transactions on Mobile Comput-
ing, 1(2).
kEy tErMs
IEEE. (2001). IEEE standard 802.16-2000 standard
for local and metropolitan area networks. Air inter- Access Point (AP): The network access de-
face for fixed broadband wireless access systems vice for an 802.11 wireless network. It contains
part 16. New York: IEEE Press. a radio receiver/transmitter. It may be an 802.1x
authenticator.
IEEE Standard for Local and metropolitan area
networks-Port-Based Network Access Control. Certification Authority (CA): An entity that
ANSI/IEEE IEEE Std 802.1X-2001. issues digital certificates (especially X.509 cer-
tificates) and vouches for the binding between the
Karri, R., & Mishra, P. (2003). Optimizing the
data items in a certificate.
energy consumed by secure wireless sessions-
wireless transport layer security. Journal of Mobile Extensible Authentication Protocol (EAP):
Networks and Applications, 8, 177-185. Kluwer A protocol used between a user station and an
Academic Publishers. authenticator or authentication server. It acts as a
transport for authentication methods or types. It in
RFC 2865. (2000, June). Remote authentication
turn may be encapsulated in other protocols, such
dial in user service (RADIUS).
as 802.1x and RADIUS.
RFC 2869. (2000, June). RADIUS extensions.
EAP-AKA: This document specifies an exten-
sible authentication protocol (EAP) mechanism for
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
authentication and session key distribution using EAP-TTLS: Tunneled TLS is an EAP-type for
the authentication and key agreement (AKA) authentication that employs a two-phase authentica-
mechanism used in the 3rd generation mobile tion process. In the first phase the authentication
networks universal mobile telecommunications server is authenticated to the supplicant using an
system (UMTS) and CDMA2000. AKA is based X.509 certificate. Using TLS, a secure channel
on symmetric keys, and runs typically in a sub- is established through which the supplicant can
scriber identity module (UMTS subscriber identity be authenticated to the authentication server us-
module [USIM], or removable user identity module ing legacy PPP authentication protocols such as
[RUIM], a smart card like device). PAP, CHAP, and MS-CHAP. EAP-TTLS has the
advantage over EAP-TLS that it only requires
EAP-LEAP: Lightweight extensible authenti-
a certificate at the authentication server. It also
cation protocol is a Cisco proprietary EAPType.
makes possible forwarding of Supplicant requests
It is designed to overcome some basic wireless
to a legacy RADIUS server. EAP-TTLS also sup-
authentication concerns through mutual authentica-
ports identity hiding where the authenticator is
tion and the use of dynamic WEP keys.
only aware of the anonymous username used to
EAP-PEAP: Protected extensible authentica- establish the TLS channel during the first phase
tion protocol is a two-phase authentication like but not the individual user authenticated during
EAP-TLS. In the first phase the authentication the second phase.
server is authenticated to the supplicant using an
European Telecommunications Standards
X.509 certificate. Using TLS, a secure channel is
Institute (ETSI): ETSI is a multinational standard-
established through which any other EAP-Type
ization body with regulatory and standardization
can be used to authenticate the supplicant to the
authority over much of Europe. GSM standardiza-
authentication server during the second phase. A
tion took place under the auspices of ETSI. ETSI
certificate is only required at the authentication
has taken the lead role in standardizing a wireless
server. EAP-PEAP also supports identity hiding
LAN technology competing with 802.11 called the
where the authenticator is only aware of the anony-
high performance radio LAN (HIPERLAN).
mous username used to establish the TLS channel
during the first phase but not the individual user Integrity Check Value (ICV): The checksum
authenticated during the second phase. calculated over a frame before encryption by WEP.
The ICV is designed to protect a frame against tam-
EAP-SIM: EAP-SIM is an authentication
pering by allowing a receiver to detect alterations
mechanism that makes use of the SIM card to
to the frame. Unfortunately, WEP uses a flawed
perform authentication within the 802.1x frame-
algorithm to generate the ICV, which robs WEP
work for WLAN.
of a great deal of tamperresistance.
EAP-TLS: Transport layer security is an
Institute of Electrical and Electronics En-
EAP-Type for authentication based upon X.509
gineers (IEEE): A worldwide professional as-
certificates. Because it requires both the supplicant
sociation for electrical and electronics engineers
and the authentication server to have certificates,
that sets standards for telecommunications and
it provides explicit mutual authentication and
computing applications.
is resilient to man-in-the-middle attacks. After
successful authentication a secure TLS link is Initialization Vector (IV): Generally used as a
established to securely communicate a unique term for exposed keying material in cryptographic
session key from the authentication server to headers; most often used with block ciphers. WEP
the authenticator. Because X.509 certificates are exposes 24 bits of the secret key to the world in
required on the supplicant, EAP-TLS presents the frame header, even though WEP is based on
significant management complexities. a stream cipher.
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
Medium Access Control (MAC): The function (IETF) that set standards and are voluntarily fol-
in IEEE networks that arbitrates use of the network lowed by many makers of software in the Internet
capacity and determines which stations are allowed community.
to use the medium for transmission.
Wireless Application Protocol (WAP): A
MPDU: MAC protocol data unit is a fancy standard for providing cellular telephones, pagers,
name for frame. The MPDU does not, however, and other handheld devices with secure access
include PLCP headers. to e-mail and text-based Web pages. Introduced
in 1997 by Phone.com, Ericsson, Motorola, and
MSDU: MAC service data unit is the data ac-
Nokia, WAP provides a complete environment
cepted by the MAC for delivery to another MAC on
for wireless applications that includes a wire-
the network. MSDUs are composed of higher-level
less counterpart of TCP/IP and a framework for
data only. For example, an 802.11 management
telephony integration, such as call control and
frame does not contain an MSDU.
telephone book access. WAP features the wireless
OFDM: Orthogonal frequency division multi- markup language (WML), which was derived from
plexing is a technique that splits a wide frequency Phone.com’s HDML and is a streamlined version
band into a number of narrow frequency bands of HTML for small-screen displays. It also uses
and inverse multiplexes data across the subchan- WMLScript, a compact JavaScript-like language
nels. Both 802.11a and the forthcoming 802.11g that runs in limited memory. WAP also supports
standards are based on OFDM. handheld input methods, such as a keypad and voice
recognition. Independent of the air interface, WAP
Open Systems Interconnection (OSI): A runs over all the major wireless networks in place
baroque compendium of networking standards now and in the future. It is also device-indepen-
that was never implemented because IP networks dent, requiring only a minimum functionality in
actually existed. the unit to permit use with a myriad of telephones
Request for Comments (RFC): A series of and handheld devices.
numbered documents (RFC 822, RFC 1123, etc.),
developed by the Internet Engineering Task Force
Chapter XLVII
End-to-End (E2E) Security
Approach in WiMAX:
A Security Technical Overview for
Corporate Multimedia Applications
Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada
Tom Tofigh
WiMAX Forum, USA
AbstrAct
An overview of the technical and business aspects is given for the corporate deployment of services
over worldwide interoperability for microwave access (WiMAX). WiMAX is considered to be a strong
candidate for the next generation of broadband wireless access; therefore its security is critical. This
chapter provides an overview of the inherent and complementary benefits of broadband deployment over
a long haul wireless pipe, such as WiMAX. In addition, we explore end-to-end (E2E) security structures
necessary to launch secure business and consumer class services. The main focus of this chapter is to
look for a best security practice to achieve E2E security in both vertical and horizontal markets. The E2E
security practices will ensure complete coverage of the entire link from the client (user) to the server. This
is also applicable to wireless virtual private network (VPN) applications where the tunneling mechanism
between the client and the server ensures complete privacy and security for all users. The same idea
for E2E security is applied to client-server-based multimedia applications, such as in Internet protocol
(IP) multimedia subsystem (IMS) and voice over IP (VoIP) where secure client/server communication is
required. In general, we believe that WiMAX provides the opportunity for a new class of high data rate
symmetric services. Such services will require E2E security schemes to ensure risk-free high data-rate
uploads and downloads of multimedia applications. WiMAX provides the capability for embedded security
functions through the 802.16 security architecture standards. IEEE 802.16 is further subcategorized as
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
End-to-End (E2E) Security Approach in WiMAX
802.16d (fixed-WiMAX) and 802.16e (mobile-WiMAX). Due to the mobility and roaming capabilities in
802.16e and the fact that the medium of signal transmission is accessible to everyone, there are a few
extra security considerations applied to 802.16e. These extra features include: privacy key management
version 2 (PKMv2), PKM-extensible authentication protocol (EAP) authentication method, advanced
encryption standard (AES) encryption wrapping, and so forth. The common security features of 802.16d
and 802.16e are discussed in this chapter, as well as the highlights of the security comparisons between
other broadband access, third-generation (3G) technologies, and WiMAX.
End-to-End (E2E) Security Approach in WiMAX
why wireless networks could not Without WEP, a network can be accessed by any
Provide the required security anyone. Even with WEP enabled, a network is not
considered to be secure nowadays.
There were two main reasons why wireless was
never considered as a secured high-performance Problem #4: Performance and Service Con-
backbone option for business and corporate appli- straints
cations. The first issue was the bandwidth limita- 802.11b and 802.11g both have limited transmission
tions of wireless links and the second issue was capacities (11 and 54 Mbps) and due to MAC-layer
the high security requirements of VPNs and IMS overhead, the actual effective throughput is close
applications. The 802.11-based systems have an to half of that rate. In addition, bandwidth is not
upper limit on bandwidth of 54 Mbps for 802.11g, guaranteed.
however in real-world applications, this rate seldom
tops more than 20-25 Mbps due to the overhead Problem #5: MAC Spoofing and Session Hi-
in the medium access control (MAC) layer. It is jacking
also very difficult to have a minimum guaranteed 802.11 networks do not authenticate frames and
bandwidth for real-time applications such as VoIP there is no protection against a forgery of the
and videoconferencing. frame source address attack. Here, attackers can
The current Wi-Fi security standard is presented use spoofed frames to redirect traffic and corrupt
in 802.11i, which contains many fixes for the secu- address resolution protocol (ARP) tables. Station
rity concerns in 802.11. However 802.11i has not MAC addresses could easily be observed and en-
been widely implemented and distributed among gaged in malicious transmissions. Any user with
end-users and WiMAX is expected to dominate a strong transmitter can be situated in the middle
the market before 802.11i can affect the market. of a new session and potentially steal credentials
Therefore the main security comparisons are and gain access through a man-in-the-middle
between Wi-Fi (802.11a/g) and 802.16. The main (MITM) attack.
reasons for this weakness can be categorized as
follow (Gast, 2004): Problem #6: Traffic Analysis and Eavesdrop-
ping
Problem #1: Easy Access 802.11 is totally vulnerable to passive attacks. There
Since Wi-Fi networks generate beacon frames is no security of the header information, thus, no
containing the network parameters all of the time, protection against eavesdropping. Frame headers
attackers with high gain antennas can find net- are always “in the clear” and sender-receiver pairs
works and launch attacks. With the inherent and are vulnerable to traffic analysis.
add-on security features, WiMAX is expected to
be resilient against such attacks. Problem #7: Higher Level Attacks
Once an attacker gains access (either through
Problem #2: “Rogue” Access Points session-hijacking, MITM, spoofing attacks, or
Anyone can have access to an inexpensive access through breaking the WEP secure key), it is pos-
point (AP) and get connected to a corporate network sible to use that AP to launch attacks on other
and bypass authorization. In WiMAX networks, systems, which are within the trusted domain of
an E2E security scheme can protect APs against the initially attacked AP.
such a scenario.
The main reason for the failure of security in
Problem #3: Unauthorized Use of Service wireless networks is the fact that there are many
Nearly all APs have default configurations with weaknesses in the mechanisms and protocols used
wired equivalent privacy (WEP) or with a default in the architecture.
key used in WEP by all the vendor’s products.
End-to-End (E2E) Security Approach in WiMAX
0
End-to-End (E2E) Security Approach in WiMAX
Figure 1. IEEE 802.16 lower layers (Adapted from to authenticate itself to the BS, which poses
"Part 16," 2004) a risk for a MITM attack. To overcome this
issue, PKMv2 was proposed (later adopted
by 802.16e), which uses a mutual (two-way)
authentication protocol. Here, both the SS
and the BS are required to authorize and
authenticate each other
• Privacy and key management: The privacy
of the communications between the SS and
the BS is achieved through the PKM proto-
entities; namely BS and subscriber station (SS), is col. Phifer, L 2. (2003, September). Applying
done at the MAC layer through security sublayer, RADIUS to Wireless LANs, using RADIUS
which has five entities (Chandra, 2002): For WLAN Authentication, Part I, from
http://www.wi-fiplanet.com/tutorials/article.
• Security associations: A security asso- php/10724_3114511_1
ciation (SA) is a set of security information • Encryption: The data communication be-
parameters that a BS and one or more of its tween each SS and BS is encrypted using the
client SSs share in order to support secure advanced encryption standard (AES), with at
communications. Three types of SAs are de- least 128 bit keys. According to FIPS 140-2,
fined as (Johnston & Walker, 2004) primary, AES-128 is computationally secure for data
static, and dynamic (Figure 2), which define up to SECRET level for the next 10 years.
the security keys and associations established
between a SS and a BS during the authoriza-
tion phase. According to the initial drafts of WiMAX,
• X.509 certificate profile: This defines a the security sublayer provides enough security
digital certificate to verify the identity of mechanisms to provide privacy, authentication,
subscribers and prevents impersonation and encryption over the airlink. However, in
(unauthorized SS or BS) order to achieve maximal security strength, true
• PKM authorization: The privacy key man- end-to-end security is required for a corporate
agement (PKM) protocol is responsible for wireless backbone, which enhances the security
privacy, key management, and authorizing an mechanisms specified by the initial drafts.
SS to the BS. The initial draft for WiMAX
mandates the use of PKMv1 (Johnston & security at upper layers
Walker, 2004), which is a one-way authenti-
cation method. PKMv1 requires only the SS IEEE 802.16’s main focus on the security issue
is at the MAC layer, therefore WiMAX has the
Figure 2. Security model of the privacy sublayer (Adapted from Barbeau, 2005)
End-to-End (E2E) Security Approach in WiMAX
freedom to adopt the strong security measures for • TS 102 234: Lawful Interception (LI); Tele-
upper layers (network, transport, session, and ap- communications Security; Service-specific
plication layers). Upper layer security options, such details for internet access services.
as Internet protocol (IP) security protocol (IPSec) • TS 102 233: Lawful interception (LI); Tele-
and transport layer security (TLS), are examples communications Security; Service-specific
of the current security schemes for upper layers. details for e-mail services.
Through this freedom of choice, the security strength • TS 102 232: Lawful Interception (LI); Tele-
of WiMAX is comparable to the most secure net- communications Security; Handover Speci-
works in the market. fication for IP Delivery.
• TS 101 671: Lawful Interception (LI); Tele-
communications Security; Handover inter-
lawful Interception (lI) or lawful face for the lawful interception of telecom-
legal Interception (llI) (baker, munications traffic.
foster, & sharp, 2004; brown, 2006; • TS 101 331: Lawful Interception (LI); Tele-
communications Security; Requirements of
Mulholland, 2006)
Law Enforcement Agencies.
• TR 102 053: Lawful Interception (LI); Tele-
Since WiMAX-enabled nodes will be connected
communications Security; Notes on ISDN
as parts of the worldwide telecommunications net-
lawful interception functionality.
works and the telecommunications infrastructure
• TR 101 944: Lawful Interception (LI);
of the world, the need for law enforcement access
Telecommunications Security; Issues on IP
is required. Standards for access to the IP-based
Interception.
networks such as WiMAX have already been de-
• TR 101 943: Lawful Interception (LI); Tele-
veloped and are available from various standards
communications Security; Concepts of Inter-
and government bodies worldwide.
ception in a Generic Network Architecture.”
What follows is a discussion that focuses on
(copied from Arend, 2007).
two major standards bodies, the ETSI (European
Telecommunications Standards Institute) and the
IETF (Internet Engineering Task Force). IETF Decision on the Lawful
Interception
ETSI Approach to Lawful Interception
The IEFT has yet to consider wiretap require-
The Technical Committee on Lawful Interception ments as part of their standards. The reasons for
(TCLI) is the leading body for lawful interception this decision are:
standardization within ETSI. Lawful interception
standards have also been developed by ETSI techni- • Inappropriate in global standards – legal and
cal bodies: AT, TISPAN (SPAN and TIPHON™), privacy requirements are too varied
TETRA, and by 3GPP™. European governments • Would increase protocol complexity and
might expect WiMAX vendors to provide this law decrease security
enforcement access. Examples of ETSI standards • End-to-end security makes LI unworkable
include: “ • Other standards are already available
• ES 201 671: Lawful Interception (LI); Telecom- The IETF believes that designed mechanisms,
munications Security; Handover Interface for which facilitate or enable wiretapping, or methods
the Lawful Interception of Telecommunica- of using other facilities for such purposes, should
tions Traffic (revised version). be described openly, so as to ensure the maximum
• ES 201 158: Lawful Interception (LI); Tele- review of the mechanisms and to ensure that they
communications Security; Requirements for adhere as closely as possible to their design con-
Network Functions straints. This is considered by Cisco (Figure 3) for
End-to-End (E2E) Security Approach in WiMAX
Figure 3. Lawful intercept architecture reference model (Adapted from Mulholland, 2006)
End-to-End (E2E) Security Approach in WiMAX
IMS works: session initiations between two IMS (client/server), as well as in IMS/WiMAX applica-
users, between an IMS user and a user on the tions, including (Ramana Mylavarapu, 2005):
Internet, or between two users on the Internet.
IMS uses similar protocols for such initiations. • Client impersonation (unauthorized client
Furthermore, service developers use IP protocol seeks access)
stack for the interfaces, which is why IMS can • Server impersonation (unauthorized server
truly merge the Internet with the cellular world. pretend to be authorized)
This merge is done by using the cellular and mobile • Message tampering (additions, deletions, or
technologies, which provide ubiquitous access and delay of the message contents)
Internet connections, which provides appealing • Session tampering/hijacking (once the ses-
services. Accordingly, WiMAX enjoys one of the sion between a legitimate client and server
most enhanced cellular technologies, which could is established, an unauthorized entity takes
work in the most efficient method delivering IMS the session)
data and applications. • Signaling requests resulting in DoS attacks
In regards to the IMS security requirements,
WiMAX security mechanisms are there to ensure To protect against any of the aforementioned
all communicating parties, which gain access to vulnerabilities, an extensive two-way authentica-
the media, are legitimate and all parties wishing to tion method is used to ensure both the client’s and
gain access are thoroughly authenticated through the server’s right of access and the establishment
the authentication and authorization protocols. This of IPSec security associate with the IMS terminal.
has to be done before any access is permitted. An This prevents the mentioned vulnerabilities as well
ongoing mutual authentication mechanism ensures as snooping attacks and replay attacks and to protect
no illegitimate entity can highjack a session and the privacy of every individual user.
abduct an already authenticated link and take over Security issues in regards to SIP could also be
the communications at any points. summarized as follow (Access security for IP-based
IMS is designed to work on either fixed or mobile services, 2002):
systems. Since WiMAX offers most of the advan-
tages of fixed networks, it is expected that IMS is • Protection mechanism of SIP signaling be-
going to be offered on a pure WiMAX backbone tween the IMS server and the subscriber
to address corporate and end-user requirements. • Subscriber’s self authentication mechanism
The fact that WiMAX is based on an all-IP core • Subscriber’s authentication mechanism to
structure makes it a perfect match for IMS, with its the IMS server
so many IP-based services in use. These services
include voice over IP (VoIP), push to talk over The reactive and proactive security measures
cellular (POC), multiparty games, videoconfer- are the encryption/decryption of SIP messages and
encing, messaging, community services, presence deploying interconnection border control function
information, and content sharing. (IBCF). IBCF is used as a gateway to external
networks and provides network address translation
security of voIP (NAT) and firewall functions (Mylavarapu, 2005),
two-way authentication-authorization schemes,
One of the most important applications of IMS is and secure tunneling.
the VoIP that runs over the standard IP. A VoIP To enhance the deployment of IPSec, it is recom-
system uses protocols, such as, H.323, MGCP, mended to deploy IPv6 (Saito, 2003), which is the
MEGACO, and/or session initiation protocol (SIP) next generation Internet protocol. The important
for signaling, and real time protocol/real time factor of IPv6 is its mandate for utilizing IPSec.
control protocol (RTP/RTCP) for media transport Using a two-way IPSec connection (two one-way
and control. The threats for this type of scenario IPSec patterns) is required for an end-to-end se-
curity scheme (Saito, 2003).
End-to-End (E2E) Security Approach in WiMAX
End-to-End (E2E) Security Approach in WiMAX
End-to-End (E2E) Security Approach in WiMAX
End-to-End (E2E) Security Approach in WiMAX
Brown, I. (2006). The Internet standards process. Mylavarapu, R. (2005, August 1). Security consid-
Retrieved October 23, 2007, from http://www. erations for WiMAX-based converged network.
cs.ucl.ac.uk/staff/I.Brown/infosoc-course/inter- RFDESIGN.
netstandards.ppt
Part 16: Air Interface for Fixed Broadband Wireless
Chandra, P. (2002, July 30). Securing WLAN links: Access Systems, IEEE Std 802.16-2004 (http://stan-
Part 3. Telogy networks. Retrieved October 23, dards.ieee.org/getieee802/download/802.16-2004.
2007, from http://www.CommsDesign.com pdf)
Gast, M. (2004). The top seven security problems Product Overview. (2006). Citrix GoToMyPC
of 802.11 wireless (Airmagnet technical white corporate. Retrieved October 23, 2007, from
paper). https://www.gotomypc.com/downloads/pdf/m/
GoToMyPC_Corporate_Product_Overview.pdf
Johnston, D., & Walker, J. (2004). Overview of
IEEE 802.16 security. International Journal. Saito, Y. (2003, December). IPv6 and new security
paradigm. NTT communications.
Mulholland, C. (2006, February 8). Cisco systems
lawful intercept capabilities. Technical Specification Group Services and Sys-
tem Aspects; 3G Security; Access security for
IP-based services (Release 5). ARIB STD-T63-
33.203, 2002-06
Chapter XLVIII
Evaluation of Security
Architectures for Mobile
Broadband Access
Symeon Chatzinotas
University of Surrey, UK
Jonny Karlsson
Arcada University of Applied Sciences, Finland
Göran Pulkkis
Arcada University of Applied Sciences, Finland
Kaj Grahn
Arcada University of Applied Sciences, Finland
AbstrAct
During the last few years, mobile broadband access has been a popular concept in the context of fourth
generation (4G) cellular systems. After the wide acceptance and deployment of the wired broadband
connections, such as DSL, the research community in conjunction with the industry have tried to de-
velop and deploy viable mobile architectures for broadband connectivity. The dominant architectures
which have already been proposed are Wi-Fi, universal mobile telecommunications system (UMTS),
WiMax, and flash-orthogonal frequency division modulation (OFDM). In this chapter, we analyze these
protocols with respect to their security mechanisms. First, a detailed description of the authentication,
confidentiality, and integrity mechanisms is provided in order to highlight the major security gaps and
threats. Subsequently, each threat is evaluated based on three factors: likelihood, impact, and risk.
The technologies are then compared taking their security evaluation into account. Flash-OFDM is not
included in this comparison since its security specifications have not been released in public. Finally,
future trends of mobile broadband access, such as the evolution of WiMax, mobile broadband wireless
access (MBWA), and 4G are discussed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Evaluation of Security Architectures for Mobile Broadband Access
0
Evaluation of Security Architectures for Mobile Broadband Access
In this context, Wi-Fi alliance is an organiza- erate totally independently from each other (Baek,
tion testing products in order to evaluate that they Smith, & Kotz, 2004). The authentication process
correctly implement the set of standards defined in of WPA and WPA2 adopts the three-entity model
the IEEE 802.11 specification. After the products of IEEE 802.1x which was originally designed for
have successfully passed these tests, they are al- the point-to-point protocol (IEEE, 2001). The three
lowed to use the Wi-Fi logo. entities involved in this protocol are the client, the
access point (AP), and the authentication server
security Architecture (AS). First, the client request to obtain access to
the network. The AP acts as a network guard, al-
Wi-Fi security standards include wired equivalent lowing access only to the clients that the AS has
privacy (WEP), Wi-Fi protected access (WPA), and authenticated. Finally, the AS is responsible for
WPA2. WEP was the first introduced security stan- deciding whether the client is allowed to access
dard. WPA was designed to be a security protocol the network. These three entities utilize EAP to
that corrects the security deficiencies of WEP and exchange communication messages in order to
to be backward compatible with existing hardware. coordinate the authentication process (Stanley,
The last development in Wi-Fi security is the WPA2 Walker, & Aboba, 2005).
standard which was published in June 2004 by In addition, there is a lighter version of WPA,
the IEEE 802.11i group. WPA2 was designed to called WPA-preshared key (WPA-PSK). This ver-
offer a further improved security scheme (Edney sion is based on a shared secret key or passphrase
& Arbaugh, 2003). The aforementioned security in order to authenticate the wireless clients. As
specifications are analyzed and compared in the a result, an attacker can use a wireless sniffer to
following paragraphs. capture the 4-way WPA handshake, log the packets,
and then try a brute force attack using a dictionary
Authentication file (Van de Wiele, 2005). Thus, if WPA-PSK is
deployed, the robustness of the network security
Authentication services are utilized to allow a cli- totally depends on the length and the complexity
ent to communicate with the serving access point. of the secret key.
After successful authentication, a session is initi-
ated and it can be terminated by either the client Encryption
or the access point. Wi-Fi provides the following
link-layer authentication schemes: Encryption services are utilized to provide confi-
dentiality over wireless communication links. In
• Closed system authentication Wi-Fi networks the following encryption schemes
• Media access control (MAC) filtering are available:
• WEP suthentication—Shared RC4 key
• W PA a nd W PA 2 aut he nt icat ion — • WEP based on the RC4 (Ron’s Code 4) stream
802.1X/extensible authentication protocol cipher
(EAP) • WPA encryption based on the temporal key
integrity protocol (TKIP)
Closed system authentication, MAC filtering, • WPA2 encryption based on the advanced
and WEP authentication are not recommended due encryption standard (AES)
to their well-known serious security flaws (Borisov,
Goldberg, & Wagner, 2001; Lynn & Baird, 2002; WEP is a weak implementation of the RC4
Welch & Lathrop, 2003). stream cipher and WEP encryption is thus not
WPA and WPA2 security schemes have some recommended (Borisov et al., 2001; Stubblefield,
major design differences from WEP, since the Ioannidis, & Rubin, 2002; Welch & Lathrop,
authentication and the confidentiality processes op- 2003).
Evaluation of Security Architectures for Mobile Broadband Access
WPA encryption is based on TKIP. It incor- plaintext in such a way that the checksum remains
porates the basic functionalities of WEP, but im- unchanged. Furthermore, due to the linearity of
provements have been made to address the security both the RC4 stream cipher and the CRC-32 check-
flaws. The length of the initialization vector (IV) sum, the attacker is able to change the message
has been increased from 24 bits to 48 bits and even when he does not know the plaintext (Welch
therefore the possibility of reused keys has been & Lathrop, 2003).
significantly decreased. Furthermore, WPA does WPA has incorporated mechanisms for the
not directly utilize the master keys. Instead it con- prevention of replay attacks. More specifically, the
structs a hierarchy of derived keys to be utilized in TKIP sequence counter (TSC) based on the IVs
the encryption process. Finally, WPA dynamically is utilized, so that the receiver can identify and
cycles keys while transferring data. Since keys are reject “replayed” messages. Furthermore, WPA
regularly changed, a malicious user has a very short uses an improved integrity mechanism in order
time window to attempt an attack. to generate the message integrity check (MIC).
WPA2 was designed from scratch taking the This mechanism, called Michael, is able to detect
vulnerabilities of the previous security architec- possible attacks and deploy countermeasures to
tures into account. WPA2 allows various network prevent new attacks.
implementations, but the default configuration WPA2 utilizes CCMP for providing integrity
utilizes the advanced encryption standard (AES) services. CCMP generates a MIC using the CBC-
and the counter mode CBC MAC protocol (CCMP). MAC method. In this method, even the slightest
AES is a block cipher, operating on blocks of 128 change in the plaintext will produce a totally dif-
bit data, and is a replacement of the RC4 algorithm ferent checksum.
used by WPA. AES is much more robust since it
has already been tested in various security archi- security vulnerabilities
tectures without revealing serious vulnerabilities.
CCMP comprises of two main parts. The first is Although the Wi-Fi security architecture has been
the counter mode (CM) which is responsible for greatly improved since WEP, there are still vul-
the privacy of the data in combination with AES. nerabilities which cannot be addressed by WPA2.
The second is the cipher block chaining message These vulnerabilities can lead to a number of link
authentication code (CBC-MAC) providing data layer denial-of-service (DoS) attacks (Van de
integrity checking and authentication. Wiele, 2005). All the DoS techniques described
here are fairly easy to use with freely available tools
Integrity found on the Internet. In most of the cases, the at-
tacker will use different forged MAC addresses to
Integrity services are responsible for making mount DoS attacks. These attacks can be detected
sure that transmitted information is not replayed by specialized hardware (e.g., air monitor, security
or modified during transmission. The following aware access point) which can detect the misuse of
techniques are applicable in Wi-Fi networks: the infrastructure. Furthermore, this specialized
hardware can notify the people responsible for the
• WEP cyclic redundancy heck 4 (CRC-32) follow-up of a DoS incident and give an estimate
Checksum on where the attacker is located by considering the
• WPA Integrity signal and noise levels.
• WPA2 Integrity
Disassociation Storm
WEP checksum is a noncryptographic linear
function of the plaintext. This means that multiple Before any wireless communication can occur, a
messages may correspond to a single 32-bit number. client has to send an association frame to the ac-
Hence, an experienced intruder could modify the cess point asking to join the network. Similarly,
Evaluation of Security Architectures for Mobile Broadband Access
after the end of the wireless session, the access packet-switched case. The visitor location regis-
point or client has to send a disassociation frame ter (VLR) and the serving GSN keep track of all
to terminate the connection. The frames of these mobile stations that are currently connected to
messages are broadcasted and can be sniffed by an the network. Every subscriber can be identified
attacker. The attacker can then flood the network by its international mobile subscriber identity
with spoofed disassociation frames every time the (IMSI). In order to protect against profiling at-
client tries to join the network, thus disrupting the tacks, this permanent identifier is sent over the
association process and the network access. air interface as infrequently as possible. What is
more, locally valid temporary mobile subscriber
Authenticated / Deauthenticated Storm identities (TMSI) are used to identify subscribers
whenever possible. Every UMTS subscriber has a
The aforementioned principle can be exploited in dedicated home network with which the subscriber
order to disconnect a client and try to keep the cli- shares a long term secret key Ki. The home location
ent disconnected. This technique starts by sending register (HLR) keeps track of the current location
a spoofed deauthentication frame followed by a of all subscribers of the home network. Mutual
disassociation frame in order to make sure that the authentication between a mobile station and a
client has disconnected from the legitimate access visited network is carried out with the support of
point. In a more advanced version of this attack, the current serving GSN (SGSN) or the mobile
a fake probe request and some beacon frames are switching center (MSC)/VLR respectively.
transmitted in order to force the client to connect The new series of 3.5G mobile telephony
to a rogue access point which ignores or monitors technologies, known as high speed packet access
the client’s traffic. (HSPA), will provide more bandwidth to the end-
user, improved network capacity to the operator,
uMts and enhanced interactivity for data applications.
HSPA refers to the improvements made in the
Universal mobile telecommunications system UMTS downlink, known as high speed downlink
(UMTS) is one of the third generation (3G) wire- packet access (HSDPA), and the UMTS uplink,
less cellular technologies for mobile communica- usually referred to as high speed uplink packet
tion. Mobile devices like smartphones, laptops, access (HSUPA) but also referred to as enhanced
and handheld computers can be used. UMTS is dedicated channel (E-DCH).
standardized by the 3G partnership project (3GPP) HSDPA provides a bandwidth of 14.4 Mbps/
and it is mainly deployed in Europe and Japan. user. For multiple-input-multiple-output (MIMO)
Theoretically UMTS supports up to 1920 Kbps systems up to 20 Mbps can be achieved. Both
data transfer rates, but currently the real world per- HSDPA and HSUPA can be implemented in
formance can reach 384 Kbps. It uses the W-code the standard 5 MHz carrier of UMTS networks
division multiple access (CDMA) technology over and can coexist with original UMTS networks.
two 5 MHz channels, one for uplink and one for As HSPA specifications refer only to the access
downlink. The specific frequency bands originally network, there is no change required in the core
defined by the UMTS standard are 1885-2025 MHz network (CN) except from the high data-rate links
for uplink and 2110-2200 MHz for downlink. required to handle the increase in clients’ traffic
In UMTS network topology, a mobile station generated by HSPA.
is connected to a visited network by means of a
radio link to a particular base station (Node B). security Architecture
Multiple base stations of the network are con-
nected to a radio network controller (RNC) and The 3G security architecture is based on GSM, but
multiple RNCs are controlled by a general packet certain improvements are added in order to correct
radio service (GPRS) support node (GSN) in the the described security vulnerabilities.
Evaluation of Security Architectures for Mobile Broadband Access
Security Vulnerabilities
Evaluation of Security Architectures for Mobile Broadband Access
to what 3GPP calls a “false base station attack” to obtain a valid authentication token AUTN from
even if subscribers are roaming in a pure UMTS any real network. It is assumed that the attacker
network and even though UMTS authentication has already retrieved the IMSI of the targeted
is applied. subscriber, since the latter is sent in clear-text
This attack can be categorized as a “roll-back when establishing a TMSI. The attacker can cap-
attack.” This category of attacks exploits weak- ture the AUTN by initiating the AKA procedure
nesses of old versions of algorithms and protocols with any legitimate network. The next step is to
by means of the mechanisms defined to ensure impersonate a valid GSM base station to the victim
backward compatibility of newer and stronger mobile station. The mobile station connects and
versions. According to this technique, the attacker verifies the rogue BS, since it possesses a valid
acts on behalf of the victim’s mobile station in order AUTN. Subsequently, the rogue BS is configured
Evaluation of Security Architectures for Mobile Broadband Access
by the attacker to utilize “no encryption” or weak • Authentication: The baseline authentication
encryption. Finally, the attacker can send to the architecture, by default, employs a public
mobile station the GSM cipher mode command key infrastructure (PKI) based on X.509
including the chosen encryption algorithm. The certificates. The base station (BS) validates
man-in-the-middle attack is mounted and the the client’s certificate before permitting
attacker can use passive or active eavesdropping access to the physical layer (see Figure 3).
without being detected. First, the subscriber station (SS) sends to the
BS an authorization request containing the
certificate, the available security capabilities,
wIMAx and the security association identifier (SAID).
The BS verifies the certificate and generates a
The IEEE 802.16 or broadband wireless access 128 bit authentication key (AK). Then, the BS
(BWA) Working Group was established in 1999 sends to the SS an authorization reply, which
to prepare specifications for broadband wireless contains the AK encrypted with SS’s public
metropolitan area networks. The first 802.16 stan- key, the AK’s lifetime, the selected security
dard was approved in December 2001 and was suite, and an AK sequence number. The SS
followed by three amendments: 802.16a, 802.16b uses its private key to recover the AK, which
and 802.16c. In 2004 the 802.16-2004 standard can now be utilized as an authentication token
(IEEE-SA, 2006) was released and the earlier in further communication.
802.16 documents including the a/b/c amendments • Key exchange: The SS and the BS can agree
were withdrawn. An amendment to the standard on a transport encryption key (TEK), which
802.16e (IEEE-SA, 2006) addressing mobility will be utilized for data encryption (see Figure
was introduced in 2005. The main additions of 3).
the 802.16e were low density parity check (LDPC) TEK is randomly generated by the BS. The
codes at the physical layer, enhanced MIMO setup AK established during authentication is used
functions, new states for MS operation, param- to derive two additional keys:
eter-defined power saving classes of mobiles, and ° Message authentication key (HMAC
enhanced FFT sizes for scalable OFDMA. key), which is utilized to provide mes-
WiMax aims at providing high data rate triple- sage integrity and AK confirmation
play wireless services to fixed users, to nomadic during the key exchange process.
users, and to users of mobile devices. It is based on ° Key encryption key (KEK), which is
a low latency quality of service (QoS) architecture utilized for encrypting the TEK before
in order to provide real-time multimedia services. It sending it back to the SS. The modes
operates on the 2-6 GHz (IEEE802.16e) and 10-66 for encrypting TEK are:
GHz (IEEE802.16-2004) frequency bands and it a. 3DES with a 112 bit KEK
uses the OFDMA technology for modulation and b. AES with a 128 bit KEK
medium access. c. RSA using SS’s public key
• Data encryption and integrity: The modes
security Architecture for implementing data privacy are:
° Data encryption standard (DES) with
WiMax has been designed with security in mind, a 56 bit key and cipher block chaining
especially after the serious vulnerabilities dis- (CBC), which utilizes the Initializa-
covered in the original Wi-Fi security protocol. tion Vectors obtained during Key Ex-
The IEEE 802.16 specifications include a security change,
sublayer within the MAC layer. The IEEE 802.16 ° AES with a 128 bit key and counter
security architecture is based on the following mode with cipher block chaining mes-
issues: sage authentication code protocol, which
Evaluation of Security Architectures for Mobile Broadband Access
provides message integrity and replay in WiMax. The attacker must transmit at the same
protection. time as the legitimate BS using a much higher
power level in order to “hide” the legitimate signal.
Security Vulnerabilities Furthermore, WiMax supports mutual authentica-
tion at user network level based on the generic
WiMax supports unilateral device level authentica- extensible authentication protocol (EAP) (Aboba,
tion (Barbeau, 2005), which can be implemented Blunk, Vollbrecht, Carlson, & Levkowetz, 2004).
in a similar way as Wi-Fi MAC filtering based on EAP variants, EAP- transport layer security (TLS)
the hardware device address. Therefore, address (X.509 certificate based) (Aboba & Simon, 1999)
sniffing and spoofing make a MS masquerade and EAP-subscriber identity module (SIM) (Ha-
attack possible. In addition, the lack of mutual verinen & Salowey, 2004), are supported.
authentication makes a man-in-the-middle attack In the data privacy domain, the main security
from a rogue BS possible. However, a successful threat is the transmission of unencrypted manage-
man-in-the-middle attack is difficult because of ment messages over the wireless link. Eavesdrop-
the time division multiple access (TDMA) model ping of management messages is a critical threat for
Evaluation of Security Architectures for Mobile Broadband Access
users and a major threat to a system. For example, efficient packet switching over the air interface.
an attacker could use this vulnerability to verify Given segments can be dedicated for use with
the presence of a victim at its location before predefined functionality. Thus there is no need to
perpetrating a crime. Additionally, it might be send overheads, such as message headers. There-
used by a competitor to map the network. Another fore, network layer traffic experiences small delays
major vulnerability is the encryption mode based and no significant delay jitter.
on DES. The 56 bit DES key is easily broken by
brute force with modern computers. Furthermore, security Architecture
the DES encryption mode includes no message
integrity or replay protection functionality and is The security relies on “defence in depth,” that is,
thus vulnerable to active or replay attacks. The virtual private network (VPN) tunnelling and end-
secure AES encryption mode should be preferred to-end encryption are used. Security specifications
over DES. for flash-OFDM have not been presented in public
Finally, there is a potential for DoS attacks (Lehtonen, Ahonen, Savola, Uusitalo, Karjalainen,
because authentication operations trigger the ex- Kuusela et al., 2006).
ecution of long procedures. For example, a DoS
attack could flood a MS with a high number of Security Analysis
messages to authenticate. Due to low computational
resources, the MS will not be able to handle a large A security analysis of the mobile broadband tech-
amount of invalid messages, rendering the DoS nologies Wi-Fi, UMTS, and WiMax is presented.
attack successful. Inclusion of flash-OFDM in this comparison is not
possible because of the unavailability of public
security specifications. Threats are analyzed with
flAsH-ofdM respect to the likelihood of occurrence, the impact
on the network operation, and the global risk they
Fast low-latency access with seamless handoff represent. In the following paragraphs, we first
orthogonal frequency division multiplexing (flash- describe in detail the evaluation and comparison
OFDM) is an OFDM-based proprietary system methodology, and then a group of tables is presented
which specifies the physical layer, as well as higher in which the security threats of the investigated
protocol stack layers. It is an all IP technology technologies are evaluated. Security threats are
and it aims to compete with GSM/3G networks. classified based on four main axes: authentica-
Already implemented flash-OFDM technology tion, confidentiality, integrity, and physical layer
operating in the 450 MHz frequency band can resilience. Finally, the security evaluations of the
offer a maximum download speed of 5.3 Mbps studied technologies are compared and presented
and an upload speed of 1.8 Mbps. in a concise overview table.
Design objectives have included design of a
high capacity physical layer, a packet-switched Methodology
air interface, a contention-free and QoS-aware
MAC layer, and efficient operations using existing The evaluation and comparison methodology was
Internet protocols. The air interface is designed based on the method described by Barbeau, (2005)
and optimized across all protocol stack layers. and ETSI (2003). More specifically, three main
Fast hopping across all tones in a pseudorandom criteria are considered: likelihood, impact, and
predetermined pattern is employed. Channel risk. “Likelihood” refers to the probability that
coding and modulation are carried out on a per- an attack associated with a specific threat is suc-
segment basis and can be individually optimized cessfully launched. In this context, two variables
for each channel. The ability to send segments of are considered:
arbitrary size enables the MAC layer to perform
Evaluation of Security Architectures for Mobile Broadband Access
a. The technical difficulties of mounting the the evaluation criteria, that is, likelihood, impact,
attack in terms of the required software, and risk. The comparison axes are authentica-
hardware, and estimated time duration. tion, confidentiality, integrity, and physical layer
b. The attacker’s motivation in terms of the level resilience.
of network access or the severity of the system
malfunction that the attack achieves. objective-based comparison
Three levels of likelihood are available as This section applies the aforementioned methodol-
described in Table 1. “Impact” refers to the conse- ogy on four main objectives of wireless security
quences of an attack in terms of user and network architectures: authentication, confidentiality, integ-
security. The two variables of impact are: rity, and physical layer resilience. For each objec-
tive, a thorough discussion describes the rationale
a. User impact in terms of the severity of network behind the ranking of the security threats.
access degradation.
b. System impact in terms of the severity of
network degradation or outage. Authentication Evaluation
Three levels of impact are available as described Wi-Fi includes four security threats which are all
in Table 1. According to the level of likelihood ranked to have a high impact on the system, since
and impact, numerical values from a predefined the attacker can exploit them to override the authen-
range are assigned to each criterion (see Table 1). tication checks or launch a combination of attacks
For a specific threat, the “risk” refers to an overall which will grant him full network access. However,
threat level which is determined by the product of the likelihood ranking greatly varies. Closed system
the likelihood value and impact value. authentication and MAC filtering are very likely to
Security threats which result in a high evalu- be attacked by sniffing software which is readily
ated risk value are critical and additional measures available on the Internet. WEP attacks are more
should be taken to protect the network perimeter, complicated, because a combination of software
whereas threats which have a low risk can be toler- is required to induce and capture network traffic
ated without employing countermeasures. and then exploit the weak IVs in order to crack the
In this point, it is worth noting that this quantita- key. WPA-PSK is even more difficult to break since
tive ranking is subjective. However, this is a useful it requires a brute force attack. The resilience of
evaluation and comparison methodology which WPA-PSK is greatly dependent on the length and
can stimulate a structured discussion based on the complexity of the preshared key.
UMTS is far more resilient to authentication
attacks, since most of the security gaps have
Table 1. Evaluation and comparison methodology been identified during the deployment of GSM
Variables and tackled in the specification design of UMTS.
Criteria Cases Difficulty Motivation Rank However, UMTS includes two main authentication
Unlikely Strong Low 1
Likelihood Possible Solvable Reasonable 2 vulnerabilities which can be exploited to launch a
Likely None High 3 man-in-the-middle attack (high impact). The IMSI
User System
Low Annoyance
Very limited
1
hijack threat refers to the deployment of a rogue BS
outages
Loss of Limited in order to initiate an authentication procedure and
Impact Medium 2
service outages steal the IMSI of a mobile user. The motivation for
Long time Long time
High 3
loss of service outages this attack is high, but the equipment is expensive
Risk = Likelihood x Impact
and complicated to configure. AUTN capture is the
Minor No need for countermeasures 1-3 second step of the attack and it refers to capturing
Risk Major Threat need to be handled 3-6
Critical High priority 6-9
an authentication token by masquerading a MS.
Evaluation of Security Architectures for Mobile Broadband Access
It assumes that the IMSI Hijack attack has been can be easily established, but it cannot greatly affect
already successfully launched. However, this attack the system if robust authentication and integrity
does not require the deployment of a rogue BS and mechanisms have been deployed.
therefore it is more possible to happen.
In the WiMax architecture, the main security Integrity Evaluation
threat is the device-level authentication mode.
When this mode is utilized without certificate Wi-Fi supports null mode which leaves the mes-
support, it is as vulnerable as MAC filtering and sages totally unprotected against modification and
it can be exploited to launch MS or BS masquer- replay attacks. WEP CRC-32 integrity mechanism
ading attacks. A less critical vulnerability is the provides a moderate level of protection, but there
DoS attack which can be launched by flooding is no replay protection and the integrity protection
authentication requests. This attack mostly affects can be overridden by an experienced attacker.
the MS due to its limited processing resources, The UMTS architecture includes a major short-
but it is not a major threat since it has a medium coming, namely the inadequate replay protection
impact and a low motivation. of authentication tokens. This vulnerability can
have a high impact since it allows the reuse of the
Confidentiality Evaluation token retrieved by an AUTH capture attack and the
completion of the UMTS man-in-the-middle attack.
Wi-Fi includes some major vulnerabilities. It sup- However, it requires a prior successful launch of
ports a null mode encryption which is configured IMSI hijack and AUTN capture. Therefore it results
as default in the majority of the commercial access in a high technical difficulty.
points. WEP encryption can provide an elementary WiMax supports two modes that can greatly
level of protection, but it is still too weak to keep compromise information integrity. The first is the
the intruders out. WPA-PSK offers a satisfactory DES mode which does not support integrity and
level of confidentiality, if long and complex keys replay protection of data frames. The second is the
are utilized. The ranking of the Wi-Fi confiden- null MAC mode for management frames, which can
tiality vulnerabilities is similar to authentication allow the intruder to inject modified management
ranking, since both objectives are based on the frames and affect the network operation.
same mechanisms.
UMTS incorporates strong encryption algo- Physical Layer Resilience Evaluation
rithms which have eliminated the deficiencies of
its predecessor GSM. Nevertheless, the backwards The resilience of the physical layer of each tech-
compatibility with GSM can be exploited to com- nology is evaluated with respect to jamming and
promise dual-band mobile devices by launching a scrambling. Jamming is achieved by introducing
man-in-the-middle attack. In this attack, the rogue a source of noise strong enough to significantly
BS can mandate the MS to use null mode encryp- reduce the capacity of the channel. Scrambling
tion or one of the GSM encryption modes which is similar to jamming, but it takes place for short
can be easily broken (Biham & Dunkelman, 2000; intervals of time and it is targeted to specific frames
Biryukov, Shamir, & Wagner, 2000). However, this or parts of frames.
is an unlikely attack since it requires the deploy- Wi-Fi comprises of the three different specifi-
ment of a BS and a prior successful launch of the cations IEEE 802.11a/b/g which all utilize random
IMSI hijack and AUTN capture attacks. medium access techniques but operate on differ-
WiMax security architecture includes two main ent physical channels. IEEE 802.11a/g operate on
shortcomings. First of all, the DES encryption a 5 MHz OFDM channel, whereas IEEE 802.11b
mode provides an inadequate level of confidential- operates on a 5 MHz DSSS channel. The DSSS
ity, since it can be easily broken. In addition, the is more resilient to narrowband jamming than
eavesdropping of unencrypted management frames OFDM and therefore jamming has a higher impact
0
Evaluation of Security Architectures for Mobile Broadband Access
on IEEE802.11a/g. However, if the attacker wants are much more secure, but the poor usability and
to jam all the channels, the attacker has to jam a the limited security awareness have constrained
bandwidth of 40 MHz, which is quite difficult. their wide deployment. UMTS proved to be quite
Scrambling is easier to launch because of the robust by eliminating the security inefficiencies
random medium access layer. of its predecessor GSM. However, an attacker can
UMTS operates on two 5 MHz DSSS chan- still exploit some backward-compatibility issues
nels, one for the uplink and one for the downlink. to launch a man-in-the-middle attack. WiMax’s
It is resilient to narrowband jamming because of performance was not satisfactory enough mainly
the DSSS modulation, but it is still vulnerable to due to the provision of weak security modes.
scrambling because of the random access. Nevertheless, the practical performance is greatly
WiMax operates on a 1.25-20 MHz OFDM dependent on the actual security decisions of the
channel and it employs TDMA techniques. Thus, network operators. These decisions vary according
it can be vulnerable to jamming especially if it to the provided service requirements.
operates on a narrow channel, but it is resilient to
scrambling due to the TDMA.
Evaluation of Security Architectures for Mobile Broadband Access
The IEEE 802.20 (or MBWA) Working Group was Seamless convergence of heterogeneous wireless
established in December 11, 2002, with the aim to networks provides new security challenges for
develop a specification for an efficient packet-based the research community. Global authentication
air interface that is optimized for the transport of architectures are needed which can operate in-
IP based services. The goal is to enable worldwide dependently of the wireless physical protocol. In
deployment of affordable, always-on, and interop- addition, specifications are needed for maintaining
erable BWA networks. The group will specify the confidentiality and the integrity of the com-
the lower layers of the air interface, operating in munication data while the user terminal is in a
licensed bands below 3.5 GHz and enabling peak hand-off state. In this direction, a forum of mobile
Evaluation of Security Architectures for Mobile Broadband Access
operators called fixed mobile convergence alliance likelihood, impact, and risk. The methodology
(FMCA) is working on defining specifications for was applied on four evaluation axes: authentica-
the convergence of heterogeneous networks in the tion, confidentiality, integrity, and physical layer
context of all IP 4G wireless systems. resilience. According to the comparison results,
Security policy issues are: Wi-Fi is more liable to security attacks, followed
by WiMax and UMTS. However, WiMax has not
• The use of lightweight and flexible authen- been widely tested under real-world systems due
tication, authorization, account, and audit to its recent release. More security vulnerabilities
(AAAA) schemes, may therefore be discovered in the future. Finally,
• The use of Trusted Computing (Reid, Nieto, the security architecture of UMTS is quite robust
& Dawson, 2003), and because of the lessons learned from GSM, but it is
• Different security polices for different still not invincible against an experienced attacker
services are recommended for 4G systems with the right equipment.
(Zheng, He, Xu, & Tang, 2005a).
Evaluation of Security Architectures for Mobile Broadband Access
Borisov, N., Goldberg, I., & Wagner, D. (2001). on the security of interoperating GSM/UMTS
Intercepting mobile communications: The inse- networks. In Proceedings of IEEE International
curity of 802.11. In Proceedings of the 7th Annual Symposium on Personal, Indoor and Mobile Radio
International Conference on Mobile Computing Communications (PIMRC2004).
and Networking, Rome, (pp. 180-189).
Meyer, U., & Wetzel, S. (2004b). A man-in-the-
Edney, J., & Arbaugh, W. A. (2003). Real 802.11 middle attack on UMTS. In Proceedings of ACM
security: Wi-Fi protected access and 802.11i (1st Workshop on Wireless Security (WiSe 2004).
ed.). Addison-Wesley Professional.
Ohrtman, F. (2005). WiMax handbook. Building
ETSI. (2003). Technical specification ETSI TS 102 802.16 wireless networks. McGraw-Hill Com-
165-1 V4.1.1. munications.
Haverinen, H., & Salowey, J. (2004). Extensible Reid, J., Nieto, J., & Dawson, E. (2003). Privacy
authentication protocol method for GSM subscriber and trusted computing. In Proceedings of the 14th
identity modules (EAP-SIM) (Internet draft [work International Workshop on Database and Expert
in progress]). Internet Engineering Task Force. Systems Applications (pp. 383-388).
IEEE. (2001). IEEE standards for local and met- Stanley, D., Walker, J., & Aboba, B. (2005). Ex-
ropolitan area networks: Standard for port based tensible authentication protocol (EAP) method re-
network access control. IEEE Std 802.1x-2001. quirements for wireless LANs (IETF RFC 4017).
Retrieved April 24, 2007, from http://standards.ieee.
Stubblefield, A., Ioannidis, J., & Rubin, A. (2002).
org/getieee802/download/802.1X-2001.pdf
Using the Fluhrer, Mantin, and Shamir attack to
IEEE-SA. (2006). IEEE 802.16 LAN/MAN broad- break WEP. Paper presented at the NDSS.
band wireless LANS. IEEE 802.16 standards. Re-
Van de Wiele, T. (2005). Wireless security: Risks
trieved April 24, 2007, from http://standards.ieee.
and countermeasures (UNISKILL Whitepaper).
org/getieee802/802.16.html
Welch, D. J., & Lathrop, S. D. (2003). A survey
Kambourakis, G., Rouskas, A., & Gritzalis, S.
of 802.11a wireless security threats and security
(2004). Performance evaluation of public key-based
mechanisms (Tech. Rep. ITOC-TR-2003-101).
authentication in future mobile communication
United States Military Academy.
systems. EURASIP Journal on Wireless Commu-
nications and Networking, 1, 184-197 WiMax Forum. (2006). Mobile WiMax—Part I:
A technical overview and performance evala-
Lehtonen, S., Ahonen, P., Savola, R., Uusitalo, I.,
tion. Retrieved April 24, 2007, from http://www.
Karjalainen, K., Kuusela, E., et al. (2006, Septem-
wimaxforum.org/home/
ber). Information security in wireless networks.
Ministry of Transport and Communication. Finland: Zheng, Y., He, D., Xu, L., & Tang, X. (2005a). Se-
LUOTI Publications. ISBN 952-201-783-3. Retrieved curity scheme for 4G wireless systems. In Pro-
April 24, 2007, from http://www.luoti.fi/material/ ceedings of 2005 International Conference on
InfoSec_in_WNetworks_final.pdf Communications, Circuits and Systems (Vol.
1, pp. 397-401).
Lynn, M., & Baird, R. (2002). Advanced 802.11
attack. Paper presented at the Black Hat 2002 Con- Zheng, Y., He, D., Yu, W., & Tang, X. (2005b). Trust-
ference, Las Vegas. Retrieved April 24, 2007, from ed computing-based security architecture for 4G
http://www.blackhat.com/presentations/bh-usa-02/ mobile networks. Paper presented at the Sixth
baird-lynn/bh-us-02-lynn-802.11attack.ppt International Conference on Parallel and Distrib-
uted Computing, Applications and Technologies
Meyer, U., & Wetzel, S. (2004a). On the impact of
PDCAT 2005 (pp. 251-255).
GSM encryption and man-in-the-middle attacks
Evaluation of Security Architectures for Mobile Broadband Access
Chapter XLIX
Extensible Authentication (EAP)
Protocol Integrations in the
Next Generation
Cellular Networks
Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada
AbstrAct
Authentication is an important part of the authentication authorization and accounting (AAA) schemes
and the extensible authentication protocol (EAP) is a universally accepted framework for authentication
commonly used in wireless networks and point-to-point protocol (PPP) connections. The main focus of
this chapter is the technical details to examine how EAP is integrated into the architecture of next gen-
eration networks (NGN), such as in worldwide interoperability for microwave access (WiMAX), which
is defined in the IEEE 802.16d and IEEE 802.16e standards and in current wireless protocols, such as
IEEE 802.11i. This focus includes an overview of the integration of EAP with IEEE 802.1x, remote au-
thentication dial in user service (RADIUS), DIAMETER, and pair-wise master key version (2PKv2).
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
These integrations are often established with controlling user traffic for protecting networks.
other security protocols and mechanisms, such IEEE 802.1x also offers dynamically varying
as transport layer security (EAP-TLS), message encryption keys. IEEE 802.1x uses EAP in both
digest 5 (EAP-MD5), privacy key management wired and wireless LANs and supports multiple
(PKM-EAP), and so forth. authentication methods, such as Kerberos, one-time
The organization of the sections of this chap- passwords, and public key certificates. Our main
ter is as follows: Section II will discuss details focus is on wireless technologies.
about the EAP-IEEE 802.1x interactions. Section IEEE 802.1x initially starts the communications
III is dedicated to remote authentication dial in by an attempt to connect with an authenticator
user service (RADIUS) and DIAMETER in the (i.e., an 802.16 or 802.11 access point [AP]) to
authentication/authorization schemes. Section IV authenticate an unauthenticated supplicant. The
talks about the IEEE 802.1x-EAP functions imple- AP responds back by enabling a port for pass-
mented in Wi-Fi (IEEE 802.11i) and introductions ing only EAP packets between the clients to the
to EAP-MD5, lightweight extensible authentication authentication server, which is usually located on
protocol (LEAP), EAP-TLS (TTLS) and protected the wired side of the AP. The AP blocks all other
extensible authentication protocol (PEAP). Section traffic (i.e., HTTP and dynamic host configuration
V presents the PKMv2-EAP scheme in worldwide protocol [DHCP] packets), until the AP (authen-
interoperability for microwave access (WiMAX) ticator) is able to verify the client’s identity using
(IEEE 802.16) followed by section VI, which is a an authentication server (e.g., DIAMETER or
configured testbed for a WiMAX system. Sections RADIUS). Once authenticated, the AP opens the
VII and VIII contains conclusions and references client’s port for the rest of traffic types.
respectively. To better understand how 802.1x operates, the
interactions mentioned in Table 1a usually happen
between various 802.1x elements.
EAP And IEEE 802.1x As showed in Figure 1, EAP is an important
component of an 802.1x-based infrastructure. EAP
Based on RFC 3748 (Aboba, Blunk, Vollbrecht, improves the authentication scheme provided by
Carlson, & Levkowetz, 2004), EAP runs on top the point-to-point protocol (PPP) (RFC 1661). EAP
of IEEE 802.1x (Figure 1), therefore 802.1x is the provides PPP with a generalized framework for
key issue to understanding the EAP. IEEE 802.1x
offers a strong framework for authenticating and
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
various types of authentication schemes (Chen & operates in the following fashion (Piscitello, 2005)
Wang, 2005). The 802.1x standard includes a defi- (see Box 1).
nition of EAP encapsulation for Ethernet packages In a true end-to-end secure wireless network,
used over LANs, which is called EAP over LAN it is not only crucial that the authenticator and
(EAPOL). Figure 2 (Leira, 2005) shows various authentication server ensure user's legitimacy,
layers of selective authentication and network but also the supplicant has to be confident that
type 802.1x. the authentication server and the authenticator
There are three main components found in are legitimate and not spoofing devices who try to
802.1 X-based systems:
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
Box 1.
# Process Taking Place Message Transmitted/State
1. Supplicant tries to connect to the authenticator (AP) 8 0 2.1 x A s s o c i a t e
Request
2. Authenticator detects supplicant and enables client’s port Por t s et t o
Unauthorized
3. Authenticator returns a response to supplicant and waits 8 0 2.1 x A s s o c i a t e
Response
4. Supplicant transmits a message to authenticator EAP-START
5. Authenticator replies a message to supplicant, asks for identity EAP-REQUEST IDENTITY
6. Supplicant provides its identity to authenticator EAP-RESPONSE
7. Authenticator forwards EAP-RESPONSE to authentication server FORWARD EAP-RESPONSE
8. Authentication server authenticate clients Authenticates
via EAP-TLS, LEAP
9. If accepted by authentication server, signals to authenticator ACCEPT
10. If rejected by authentication server, signals to authenticator REJECT
11. If authenticator receives acceptation, responds to supplicant Supplicant can use the wireless EAP SUCCESS
LAN Port set to AUTHORIZED
12. If authenticator receives rejection, responds to supplicant EAP FAILURE
Supplicant remain blocked from the wireless LAN Port state no change
13. If client succeeded, authenticator passes global key to client Global Key Passed
14. When client terminates session, it logs off EAP LOGOFF
obtain the user name and password from the user. are authentication, authorization, and accounting
This scenario can be prevented by using a mutual (AAA) protocols for applications and mechanisms
authentication scheme where the authentication used in network access or Internet protocol (IP)
server and the authenticators also have to be au- mobility. They are intended to work in both local
thenticated by the supplicant. Examples of such and roaming situations.
mutual authentication schemes are used in TLS, Many applications running through ISPs using
tunneled TTLS (TTLS), LEAP, and PEAP. modems, DSL, cable, or wireless connections re-
IEEE 802.1x also provides a framework to re- quire some sort of user name/password for access
duce or eliminate the danger of session hijacking permission. This information is usually transmitted
and man-in-the-middle (MITM) attacks, however to a RADIUS server, over a network access server
it requires that the right type of authentication (NAS) device using the point-to-point protocol
(mutual authentication) be used. Secure authenti- (PPP) and the RADIUS protocol. The RADIUS
cation does not yet imply secure communication. server verifies that the information is correct.
A strong encryption method is required to ensure This is done using authentication schemes, such
data confidentiality. EAP enables the usage of as, password authentication protocol (PAP), chal-
different types of encryption with dynamic key lenge handshake authentication protocol (CHAP),
distribution techniques. or EAP. If authentication and authorization are
accepted, then the server will authorize access to
the ISP network and select an IP address and other
rAdIus And dIAMEtEr access control parameters (L2TP parameters).
The RADIUS server is also notified of any ses-
Both RADIUS (Hill, 2001) and DIAMETER (Cal- sion start-stop for related accounting, billing, and
houn, Loughney, Guttman, Zorn, & Arkko, 2003) other statistical issues. RADIUS is an extensible
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
protocol in which most RADIUS vendors have their a request to the wireless station, asking for its
own hardware and software implements. identity and relays the message to an AAA server
The DIAMETER protocol is proposed to re- using a RADIUS-based access-request user name
place RADIUS and it is designed to be backward message.
compatible in most cases. The main differences As expected, through the AP, the wireless sta-
between DIAMETER and RADIUS protocols tion and the AAA server establish the authentication
are, (see Box 2). process by exchanging RADIUS access-chal-
The message format and the authentication lenge and access-request messages. According to
flows in DIAMETER EAP applications are given the specific EAP type, an encrypted TLS tunnel
in Figures 4 and 5. could be used to convey the messages inside of
the tunnel.
Applying rAdIus to wireless lAns If an access-accept message is sent by the AAA
server, the wireless station and the AP establish
In wireless-based networks that use 802.1x port a handshake. This generates session keys that are
access control, the wireless station is a remote user used by either temporal key integrity protocol
and the wireless AP behaves as the network access (TKIP) or wired equivalence privacy (WEP) to
server (NAS) (Phifer, L 2., 2003). The IEEE 802.11- encrypt data. At this point, the port is unblocked
based protocols (a, b, or g) are used to associate by the AP and the wireless station is able to send
the wireless stations to the wireless APs. and receive data to and from the attached LAN.
Once the client is associated, it transmits an If an access-reject message is sent by the AAA
EAP-Start message to the AP. The AP sends server, the client will be disassociated by the AP.
Box 2.
# DIAMETER uses: RADIUS uses:
1. Reliable transport protocol (TCP or Uses an unreliable transport protocol (UDP)
stream control transmission protocol [SCTP])
2. End-to-end transport level security protocols End-users, such as, CHAP and PAP
(IPSec or TLS)
3. Transition support for RADIUS No direct compatibility with DIAMETER
4. Large address space for AVPs (attribute value Smaller address space – 8 bits
pairs) – 32 bits
5. A peer-to-peer protocol scheme Client-server protocol scheme
Server-initiated messages support Request/response scheme only
6. Both stateful and stateless models Only a stateless model
7. DNS (dynamic name system), SRV (generalized Static Discovery agents
service location), and NAPTR (naming authority
pointer), for dynamic discovery of peers
8. Capability Negotiation (version, applications, etc) No such built-in capability
9. Application layer acknowledgements and built-in No such failover mechanism
Failover (device-watchdog request/
device-watchdog answer [DWR/DWA])
10. Error notification No such notification
11. Better roaming support Average support for fixed and roaming users
12. Better extended command and attributes Average command and attributes
13. Better Mobile-IP supports and stronger security Average security options
0
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
Figure 4. DIAMETER message format (Adapted Figure 5. Authentication flows in diameter EAP
from Wu, Chen, Chen, & Fan, 2005) applications (Adapted from Wu, Chen, Chen, &
Fan, 2005)
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
ping are relatively very low. Therefore for wire- the client to be authenticated by the authentication
less 802.1x authentication schemes, stronger and server through a user name/password process and
more robust EAP authentication protocols should only requires a certificate used by the authentica-
be deployed. tion server. EAP-TTLS simplifies the roll out and
maintenance procedures while retaining strong se-
EAP with transport layer security (EAP-TLS): curity and relatively strong authentication scheme.
EAP-TLS is discussed in RFC 2716, which is the A TLS tunnel is used for protecting EAP messages
only secured standard option (along with EAP- and for reusing existing user credential services
TTLS) designed for wireless LANs. EAP-TLS for 802.1x authentication, such as RADIUS, ac-
mandates a procedure in which the station and the tive directory, and LDAP. AP-TTLS also provides
RADIUS server are both required to prove their backward compatibility for other authentication
identities using public key cryptography (i.e., se- protocols, such as, PAP, CHAP, MS-CHAP, and
curity tokens, smart-cards, or digital certificates). MS-CHAP-V2. If TLS tunnels are not used, EAP-
This procedure is secured by an encrypted TLS TTLS is not considered secure and can be fooled
tunnel, which makes EAP-TLS very resilient to into revealing identity credentials. EAP-TTLS
against dictionary, man-in-the-middle, and other is most suitable for infrastructures that require
types of attacks. However, the station’s identity, strong authentication without mandating the use of
which is the name attached to the certificate, can mutual certificates. Wireless 802.1x authentication
still be sniffed through eavesdropping. EAP-TLS schemes usually support EAP-TTLS.
is a very attractive candidate for large enterprises,
which only use Windows (2000/2003/XP)-based Protected EAP (PEAP): PEAP is an Internet-draft
applications with deployed certificates. EAP-TLS (still not an RFC), which is similar to EAP-TTLS in
provides strong security schemes by requiring terms of supporting mutual authentication. PEAP
both client and authentication server (mutual au- is currently being supported by Cisco Systems,
thentication) to be authenticated and authorized RSA Data Security Inc., and Microsoft. PEAP is an
by using PKI certificates. This works well within authentication protocol alternative to EAP-TTLS,
802.1x authentication schemes as the TLS tunnel which overcomes EAP weaknesses through:
between the client and the authentication server
protects the EAP messages from sniffing and a. Protecting user credentials
eavesdropping. The only notable drawback of b. Securing EAP negotiation flows
EAP-TLS is the requirement of PKI certificates c. Standardizing key exchange flows
on both sides (clients and authentication servers). d. Supporting fragmentation and reassembly
This causes complications in roll-out and main- procedures
tenance procedures and increases the amount of e. Supporting fast reconnects
overhead to establish a secure link as certificates
can be quite large. Figure 6 shows the EAP-TLS PEAP allows the utilization of other EAP-based
message flow. authentication protocols and securing the transmis-
sion through utilizing a TLS encrypted tunnel.
EAP with tunnelled TLS (EAP-TTLS): EAP- PEAP relies on the TLS keying method for the key
TTLS is an extension of EAP-TLS, which provides creation and exchange mechanisms. The PEAP
the benefits of a strong encryption scheme without client is authenticated directly with the back-end
the complexity of mutual certificates on both sides authentication server. The authenticator acts as a
(client and authentication server). Similar to the pass-through device, which does not require much
EAP-TLS scheme, EAP-TTLS scheme supports processing power or manipulation and needs little
mutual authentication, however it only requires the understanding of the EAP authentication protocol
authentication server to be validated to the client mechanism. Unlike EAP-TTLS, PEAP does not
using a certificate exchange. EAP-TTLS allows support inherent username and password authen-
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
tication against an existing user (unlike LDPA). module (SIM), or EAP-SIM, is an EAP-based
To support this, every specific vendor has its mechanism used for authentication and session
own feature built on top of the protocol. PEAP is key distribution, which is used in the GSM-SIM.
most suitable for infrastructures, which require EAP-SIM is described in RFC 4186.
strong authentication without the use of mutual Tables 1b and 2 show summaries and com-
certificates, similar to EAP-TTLS. Wireless 802.1x parisons between all mentioned EAP-based
authentication schemes usually support PEAP. protocols.
Depending on the specific EAP authentication
Cisco’s lightweight EAP (LEAP): LEAP goes protocol used, IEEE 802.1x authentication proto-
beyond EAP-MD5 in addressing the security is- col can help to solve the following security issues
sues of wireless networks by delivering the keys (Kwan, 2003):
used for WLAN encryption and requiring mutual
authentication. Mutual authentication reduces the • Dictionary attack: In this type of attack, the
risk of an attacker posing as an AP (MITM at- attacker obtains the challenge/response mes-
tack). However, station identities and passwords sage exchange from a password authentication
remain vulnerable to dictionary sniffing attacks. session and uses a brute force mechanism to
LEAP is mostly used when Cisco-based APs find the password. IEEE 802.1x solves this
and cards are involved. LEAP mandates mutual type of attack by using TLS-based tunnels
authentication between the client and the authen- for protecting credential exchanges among
ticator. The client first has to authenticate itself authenticator and supplicant.
to the authenticator and then the authenticator • Session hijack: In this attack, the attacker is
should authenticate itself to the client. If the two able to sniff the packets passed between the
authentication procedures are done successfully, a client and the authenticator and to recover the
network connection is granted. Unlike EAP-TLS, client’s identity information. This pushes the
LEAP is username/password-based and is not based “legitimate” client out of the scope through
on PKI certificates. This simplifies roll-out and a form of denial-of-service (DoS) attack
maintenance procedures. Being the proprietary and impersonates the client to continue the
to Cisco is one of the drawbacks of LEAP, which conversation with the authenticator (DoS and
is the reason it has not been widely adopted by session hijacking). IEEE 802.1x can thwart
other networking vendors. LEAP is most suitable the session hijacking through its ability to
for wireless scenarios that support Cisco AP’s and securely authenticate with dynamic session-
LEAP compliant wireless NIC cards. based keys.
• Man-in-the-middle: The MITM attack
EAP-SIM: The EAP method for global system for happens in one-way authentication or unbal-
mobile communications (GSM) subscriber identity anced schemes, where the attacker obtains the
necessary information from the client and/or
Table 1b. Comparison between different EAP methods in terms of client/server strength (Adapted from
Phifer, 2003)
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
the authenticator and comes in the middle of Figure 6. Message flow of EAP-TLS
the session and becomes the “middle man.”
Through IEEE 802.1x’s authentication and
dynamic session-based keys, the encryption
of the data stream between the client and au-
thenticator can prevent this type of attack.
Table 2. Comparison among various EAP methods in terms of wireless security strength (Adapted from
“What are Your EAP Authentication Options?,” 2005)
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
ance. WPA2 is a requirement for Wi-Fi compliance ter with cipher block chaining message
from 2006. authentication code (CCMP). CCMP
uses the AES encryption scheme.
EAP Method requirements for TKIP offers three advantages over
wireless lAns WEP:
Longer initialization vector (IV),
RFC 4017 (Stanley, Walker, & Aboba, 2005) which minimizes the chance ses-
specifies the requirements for EAP methods used sion key reuse
in IEEE 802.11-based systems, which uses IEEE Key hashing, which results in a
802.11i for authentication and authorization. This different key used for each data
in turn could be applied to IEEE 802.16 as well. packet
802.11i MAC security enhancements makes use of MIC, which ensures that the mes-
both IEEE 802.1x and EAP. Today’s deployments sage is not altered during the com-
of IEEE 802.11 wireless LANs are based on EAP, munication between sender and
integrated with several EAP methods, namely: receiver
EAP-TLS, EAP-TTLS, PEAP, and EAP-SIM, • Counter-mode/CBC-M AC protocol
which were discussed before. These methods sup- (CCMP): CCMP is similar to TKIP, in which
port authentication credentials, including digital it deals with the confidentiality of data, as
certificates, secure tokens, usernames/passwords, well as authentication and encryption. One
and SIM secrets. of the differences between CCMP and TKIP
IEEE 802.11i specifies the usage of EAP for both is the fact that CCMP uses AES in counter
authentication and key exchange among the EAP mode for data confidentiality. The other dif-
peers and servers. RFC 3748 (RFC 3748 - EAP) ference is the usage of cipher block chaining
outlines the EAP usage within IEEE 802.11i, which message authentication code (CBC-MAC)
is subject to threats, given that WLAN provides for authentication and integrity. In the ar-
ready access to any attacker within range. chitecture of 802.11i, CCMP uses a 128-bit
The following four components are integral key scheme. CCMP provides protections for
parts of IEEE 802.11i specifications (IEEE 802.11i: some fields, which are not encrypted through
WLAN Security Standards,” 2006): a mechanism, which is so-called additional
authentication data (AAD). AAD protection
• Temporal key integrity protocol (TKIP): includes a scheme which prevents attackers
TKIP is a protocol which uses an RC4 ci- from replaying packets to various destina-
pher for encryption of data and deals with tions.
confidentiality of data. TKIP improves the • IEEE 802.1x: IEEE 802.11i is a wireless
security weaknesses of WEP. It uses a mes- implementation of 802.1x, which offers an
sage integrity code, called “TKIP-Michael effective framework to authenticate and
algorithm,” which authenticates end devices control user traffic and also offers dynami-
for legitimacy. TKIP utilizes a mixing func- cally varying encryption keys. Through this
tion to overcome weak-key and brute-force component (802.1x), 802.11i is able to get tied
attacks. TKIP is used in 802.11i during two to EAP.
phases: • EAP encapsulation over LANs (EAPOL):
° First phase: In the first phase, TKIP is As discussed in Figure 2, EAP layer covers
used together with an improved message EAPOL, which is a key protocol in IEEE
integrity check (MIC). This is to stop 802.1x for key exchange. Two main schemes
data manipulation. covered in the EAPOL-key exchanges are
° Second phase: In the second phase, defined in IEEE 802.11i, which are the 4-way
TKIP and MIC are replaced with coun- handshake and the group key handshake.
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
PkMv2-EAP scHEME In wIMAx the IEEE 802.16 standard; PKM version 1 (PKMv1)
(IEEE 802.16) and PKM version 2 (PKMv2). PKMv1, which is
a one-way authentication method, is proven to be
WiMAX (IEEE 802.16) stands for worldwide prone to variety of attacks and is not covered in
interoperability for microwave access, which is this chapter. PKM supports two authentication
maintained by the WiMAX Forum. WiMAX has protocol mechanisms:
similarities with Wi-Fi; however it claims to achieve
higher bandwidth (up to 70 Mbps) over a 70 mile 1. RSA public key-based certificates, mandatory
(+110 km) range, which outperforms Wi-Fi. There in all devices
are also some similarities between the security 2. EAP
schemes between WMAX’s and IEEE 802.11i.
In this section, the security mechanisms for Authorization via PkM rsA
WiMAX are described. For an end-to-end authen- Authentication Protocol
tication scheme, WiMAX uses extensible authen-
tication protocol with privacy key management Figure 7 shows the authorization and authentication
(EAP-PKM), which relies on the transport layer processes of PKMv2 protocol using a request/grant
security (TLS) standard and public key cryptog- access method. For a SS (PKM client) to have
raphy (“WiMAX Technology,” 2005). PKM is access to the BS network, the PKM server has to
a protocol, which uses the Rivest, Shamir, and authorize the connection and the SS also needs to
Adleman (RSA) public-key scheme, X.509 digital authenticate the BS; after that, the SS will have
certificates, and a strong encryption scheme for the security features enabled. Once the SS associates
subscriber station (SS)-base station (BS) interac- with the BS, the SS shares a private encryption
tions. There are two PKM protocols supported in key with the BS and communication between
Figure 7. PKMv2 authentication and authorization process (Adapted from Adibi, Bin, Ho, Agnew, &
Erfani, 2006)
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
the BS and SS can be initiated using encrypted zation, which prevents attackers from gather-
messages. ing enough data to launch cryptanalysis.
5. To correct replay attacks, it is recommended
Authorization via PkM Extensible to add a random value transmitted from BS
Authentication Protocol and SS for SA authorization.
6. WiMAX security supports two strong en-
After the SS is associated to the BS, the EAP au- cryptions algorithms; triple data encryption
thorization procedure starts. Figure 8 shows the standard (3DES) and AES, which are con-
EAP authorization and authentication flow steps: sidered leading edge (AES in particular).
7. The ability of an SS to cache or transfer the
security Analysis of wiMAx master key to avoid a full reauthentication
procedure.
Authentication
8. EAP-PKM relies on the TLS standard that is
based on public key cryptography, which is
The EAP-PKM is intended to secure WiMAX cli-
costly for some wireless vendors. Therefore,
ents and servers in a more robust way. The following
a high performance security processor is
list summarizes the strength of EAP-PKM:
dedicated to BS in WiMAX, which enables
the implementation of a complicated authen-
1. PKMv2 supports mutual authentication,
tication system in WiMAX.
which can prevent man-in-the-middle at-
tacks.
In this section, a WiMAX-based authentication
2. The X.509 digital certificate issued for each
using EAP-TLS and EAP-PKM were presented.
SS is unique and cannot be easily forged.
This included the PKMv2 handshaking schemes.
3. Each service has a unique security associa-
It is believed that WiMAX possesses more ex-
tion identifier (SAID), therefore if one service
tensive security power compared to the ones in
is compromised, the other services are not
Wi-Fi, which in turn will favor WiMAX in the
affected.
comparative market share.
4. The limited lifetime of authorization key (AK)
provides key-refresh and periodic reauthori-
Figure 8. 802.16e EAP authentication process (Adapted from Adibi et al., 2006)
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
Phifer, L. (2003, September). Deploying 802.1X for DHCP: Dynamic host configuration protocol is
WLANs: EAP types. Retrieved October 25, 2007, a protocol that automatically manages (temporarily
from http://www.wi-fiplanet.com/tutorials/article. assign and release) IP addresses to devices on the
php/3075481 network (wireless and wired).
Phifer, L 2. (2003, September). Applying RA- EAP: Extensible authentication protocol is a
DIUS to Wireless LANs, using RADIUS For universally famous authentication protocol ac-
WLAN Authentication, Part I. Retrieved from cepted framework for authentication. Its integra-
http://www.wi-fiplanet.com/tutorials/article. tion with other security schemes usually produces
php/10724_3114511_1 strong frameworks for various wireless and wired
applications.
Piscitello, D. M. (2005, April 16). IEEE 802.1x and
EAP primer. Core Competence, Inc. MD5: Message-digest algorithm 5 is a 128-bit
hash function, which is a widely used cryptographic
Stanley, D., Walker, J., & Aboba, B. (2005, March).
element. MD5 has shown some weaknesses; there-
Extensible authentication protocol (EAP) method
fore it is not counted a robust scheme nowadays.
requirements for wireless LANs (RFC 4017).
PEAP: Protected EAP is a security method
What are Your EAP Authentication Options?
which transmits authentication information, in-
(2005, May). InteropNet labs full spectrum secu-
cluding passwords. PEAP can be used in variety
rity initiative. Retrieved October 25, 2007, from
of scenarios including wireless and wired topolo-
http://www.opus1.com/nac/whitepapers-old/04-
gies.
EAP_OPTIONS-LV05.PDF
PKM: Privacy key management is a private
WiMAX Technology. (2005). Retrieved October
key scheme used with EAP and TLS for provid-
25, 2007, from http://ww.hifn.com/docs/WiMAX_
ing end-to-end security schemes for wireless
AB_1.4.pdf
technologies.
Wu, W. T., Chen, J. C., Chen, K. H., & Fan, K.
RADIUS: Remote authentication dial in user
P. (2005). Design and implementation of WIRE
service is an AAA protocol that works in a cli-
diameter. Paper presented at the 3rd International
ent/server application scenario. RADIUS oversees
Conference on Information Technology: Research
the authentication and authorization scheme of
and Education, ITRE 2005.
the session established between two entities. It is
further updated by DIAMETER.
TLS: Transport layer security is used mostly
kEy tErMs in client/server applications, which require end-
point authentication and communications privacy,
AP: Access point (or wireless access point) is a particularly over the Internet. This is mostly done
device that connects wireless devices (i.e., mobile using cryptographic measures.
users [MUs], laptops, etc.) together. APs are usually
connected to another device called wireless control- WiMAX: WiMAX stands for worldwide
ler (WC). A wireless network is usually comprised interoperability for microwave access, which has
of a WC and a few APs, servicing MUs. been defined by the WiMAX Forum, formed in
2001. WiMAX is also known as IEEE 802.16
DIAMETER: DIAMETER is an authentica- standard, officially titled WirelessMAN and is an
tion, authorization, and accounting (AAA) proto- alternative to DSL (802.16d) and cellular access
col, an updated version of RADIUS. (802.16e).
Yan Zhang received the PhD degree in School of Electrical & Electronics Engineering, Nanyang
Technological University, Singapore. From August 2004 to May 2006, he worked with the National
Institute of Information and Communications Technology (NICT), Singapore. Since August 2006, he
has worked with Simula Research Laboratory, Norway (http://www.simula.no/). He is on the editorial
board of the International Journal of Network Security. He is currently serving as the Book Series Edi-
tor for the book series, Wireless Networks and Mobile Communications (Auerbach Publications, CRC
Press, Taylor, and Francis Group). He is serving as co-editor for several books: Resource, Mobility and
Security Management in Wireless Networks and Mobile Communications; Wireless Mesh Networking:
Architectures, Protocols and Standards; Millimeter-Wave Technology in Wireless PAN, LAN and MAN;
Distributed Antenna Systems: Open Architecture for Future Wireless Communications; Security in
Wireless Mesh Networks; Mobile WiMAX: Toward Broadband Wireless Metropolitan Area Networks;
Wireless Quality-of-Service: Techniques, Standards and Applications; Broadband Mobile Multimedia:
Techniques and Applications; Internet of Things: From RFID to the Next-Generation Pervasive Net-
worked Systems; Unlicensed Mobile Access Technology: Protocols, Architectures, Security, Standards
and Applications; Cooperative Wireless Communications; WiMAX Network Planning and Optimiza-
tion; RFID Security: Techniques, Protocols and System-On-Chip Design; Autonomic Computing and
Networking; Security in RFID and Sensor Networks; and Handbook of Research on Wireless Security.
He serves as industrial co-chair for MobiHoc 2008, program co-chair for UIC-08, general co-chair
for CoNET 2007, general co-chair for WAMSNet 2007, workshop co-chair FGCN 2007, program vice
co-chair for IEEE ISM 2007, publicity co-chair for UIC-07, publication chair for IEEE ISWCS 2007,
program co-chair for IEEE PCAC’07, special track co-chair for “Mobility and Resource Management in
Wireless/Mobile Networks” in ITNG 2007, special session co-organizer for “Wireless Mesh Networks”
in PDCS 2006, and he is a member of Technical Program Committee for numerous international confer-
ence, including CCNC, AINA, GLOBECOM, ISWCS, ICC, and so forth. He received the Best Paper
Award and Outstanding Service Award as Symposium Chair in the IEEE 21st International Conference
on Advanced Information Networking and Applications (AINA-07). His research interests include
resource, mobility, energy, and security management in wireless networks and mobile computing. He
is a member of IEEE and IEEE ComSoc.
Jun Zheng received the BS and MS degrees in electrical engineering from Chongqing University,
China, in 1993, 1996, respectively, the MSE degree in biomedical engineering from Wright State Univer-
sity, Dayton, Ohio, in 2001, and the PhD degree in computer engineering from University of Nevada, Las
Vegas in 2005. Currently he is an assistant professor in the Department of Computer Science at Queens
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
About the Contributors
College of The City University of New York. He is also a member of the faculty of the doctoral program
in computer science at the Graduate School and University Center of The City University of New York.
He is the co-editor for two books: Security in Wireless Mesh Networks and Handbook of Research on
Wireless Security. He served as general co-chair for WAMSNet-07, track co-chair for ITNG 2007, and
session co-organizer for PDCS 2006. He also served as TPC member for several international confer-
ences. His research interests are mobility and resource management in wireless and mobile networks,
media access control, performance evaluation, network security, computer architectures, fault-tolerant
computing, and image processing. He is member of IEEE.
Miao Ma received the BEng. and MEng. degrees in electrical engineering from Harbin Institute
of Technology, China, respectively, and the PhD degree in electrical and electronic engineering from
Nanyang Technological University (NTU), Singapore. From August 2002 to December 2006, she worked
at the Institute for Infocomm Research (I2R), Singapore. Since January 2007, she has been working
at the Hong Kong University of Science and Technology (HKUST). She is a member of IEEE. Her
research interests include media access control, cognitive radio, security, wireless communications,
and networking.
* * * * *
Sasan Adibi received his BSc degree from Amirkabir University, Tehran, Iran, in 1996, first MSc
degree from Brunel University, London in 1999, and second MSc degree from University of Windsor,
Canada, in 2005. He is currently studying towards his PhD degree at the University of Waterloo and
working as a contractor for Siemens Canada as a Verification System’s Engineer. His areas of research
include security (ad hoc networks, 3G, WiMAX, and Wi-Fi), quality of service (QoS) for MPLS- and
wireless-based systems, and optimizations in ad hoc networks. His work experiences include extensive
verification in routing (MPLS, OSPF, BGP), quality of service features (DiffServ, 802.11e, WMM, etc.),
security and authentication (WPA v2, OKC, 802.1X, 802.11i, and RADIUS), Wi-Fi (802.11a/b/g), and
VLAN (802.1D, 802.1Q, and 802.1p).
Gordon B. Agnew received his BASc and PhD in electrical engineering from the University of Wa-
terloo in 1978 and 1982, respectively. He joined the Department of Electrical and Computer Engineering
at the University of Waterloo in 1982. In 1984, he was a visiting professor at the Swiss Federal Institute
of Technology in Zurich where he started his work on cryptography. Dr. Agnew’s areas of expertise
include cryptography, data security, protocols and protocol analysis, electronic commerce systems,
high-speed networks, wireless systems, and computer architecture. He has taught many university
courses and industry sponsored short courses in these areas as well as having authored many articles.
In 1985, he joined the Data Encryption Group at the University of Waterloo. The work of this group led
to significant advances in the area of public key cryptographic systems including the development of a
practical implementation of elliptic curve-based cryptosystems. Dr. Agnew is a member of the Institute
for Electrical and Electronics Engineers, a foundation fellow of the Institute for Combinatorics and its
Applications, and a registered professional engineer in the Province of Ontario. Dr. Agnew has provided
consulting services to the banking, communications, and government sectors. He is also a co-founder
of CERTICOM Corp., a world leader in public key cryptosystem technologies.
About the Contributors
Sheikh Iqbal Ahamed is an assistant professor in the Department of Mathematics, Statistics, and
Computer Science at Marquette University and director of the Ubicomp Research Lab. His research
focuses on pervasive security, trust, and privacy for pervasive computing. He received the PhD in com-
puter science from Arizona State University and the BS from the Bangladesh University of Engineering
and Technology.
Christer Andersson is a doctoral student at Karlstad University, Sweden, and his main research topic
is designing and evaluating technologies for anonymous communication in mobile networks. He has
proposed anonymity technologies for both infrastructured and infrastructureless mobile networks. He is
furthermore interested in measuring the degree of anonymity and performance in mobile networks, as
well as finding an appropriate trade-off between anonymity and performance. He holds a Licentiate in
engineering degree from Karlstad University (2005), and a Master Degree in computer science (2002)
from Linköping University, Sweden.
AbdelBaset M.H. Awawdeh received the BEng degree in industrial automation engineering from
Palestine Polytechnic University in 1999 and the MSE and PhD degrees in electronics engineering from
Alcala University in 2004. From 1999 to 2000 he joined the Department of Electrical and Computer
Engineering at Palestine Polytechnic University, Palestine. Since 2004, he has held a researcher position
in the Department of Electronics at University of Alcala, Spain. His technical interests include multiagent
system interaction and design, vehicles on-board electronics, and vehicles fault diagnosis system.
Mohamad Badra is employed by the CNRS (National Center for Scientific Research, France)
researching wireless networks security. Badra performs his research activities at the LIMOS Labora-
tory - UMR6158, University Blaise Pascal. He was a postdoctoral fellow at the Computer Science and
Networks Department, ENST-Paris. His research interests include key exchange, wireless security,
public-key infrastructures, smart cards, and security algorithms. Badra received a PhD in networks and
computer sciences from ENST-Paris. He is a member of the IEEE and of ESRGroups.
Sungmin Baek received his BS degree in School of Information and Communication Engineering,
Sung Kyun Kwan University in 2004 and an MS degree from Department of Computer Engineering
and School of Computer Science and Engineering, Seoul National University in 2006. Currently, he is
a research engineer in information and technology laboratory, LG Electronics Institute of Technology.
His research interests include multimedia transmission over wireless network and wireless personal
area networks.
Javier A. Barria received the BSc degree in electronic engineering from the University of Chile,
Santiago, in 1980, and the PhD and MBA degrees from Imperial College London in 1992 and 1998,
respectively. From 1981 to 1993, he was a system engineer and project manager (network operations)
with the Chilean Telecommunications Company. Currently, he is a reader in the Intelligent Systems
and Networks Group, Department of Electrical and Electronic Engineering, Imperial College London.
His research interests include communication networks monitoring strategies using signal and image
processing techniques, distributed resource allocation in dynamic topology networks, and fair and
efficient resource allocation in IP environments. He has been a joint holder of several FP5 and FP6
European Union project contracts all concerned with aspects of communication systems design and
About the Contributors
management. Dr. Barria was a British Telecom Research Fellow (2001 – 2002) and a Tan Chin Tuan
Research Fellow, NTU Singapore (2003 - 2004). He is a fellow member of IEE, member of IEEE, and
a chartered engineer.
Paolo Bellavista graduated from University of Bologna, Italy, where he received PhD degree in
computer science engineering in 2001. He is now an associate professor of computer engineering at
the University of Bologna. His research activities span from mobile agent-based middleware solutions
and pervasive wireless computing to location/context-aware services and adaptive multimedia. He is
member of IEEE and Italian Association for Computing (AICA). He is an associate technical editor of
the IEEE Communication Magazine.
Soong Boon-Hee received his BEng (honors I) degree in electrical and electronic engineering from
University of Auckland, New Zealand and a PhD degree from the University of Newcastle, Australia
in 1984 and 1990, respectively. He is currently an associate professor with the School of Electrical and
Electronic Engineering, Nanyang Technological University. From October 1999 to April 2000, he was
a visiting research fellow at the Department of Electrical and Electronic Engineering, Imperial College,
UK under the Commonwealth Fellowship Award. He was awarded the Tan Chin Tuan Fellowship to
visit the Centre for Advanced Computing and Communications, Duke University in June 2004. He also
served as a consultant for mobile IP in a recent technical field trial of next-generation wireless LAN
initiated by IDA (InfoComm Development Authority, Singapore). His area of research interests includes
mobile ad hoc and sensor networks, mobility issues, mobile IP, optimization of wireless networks, rout-
ing algorithms, optimization and planning of mobile communication networks, queuing theory system
theory, quality of service issues in high-speed networks, and signal processing. He has served as a
reviewer for a number of IEEE top journals and international conferences. He has served on Technical
Program Committee for IEEE Globecom 2004, 2005, 2006, and 2007, IEEE WCNC 2005, and IEEE
ISWCS 2004, 2005, 2006, and 2007. He is currently organizing co-chair of IEEE Vehicular Technol-
ogy Conference, Spring 2008 to be held in Singapore. He is currently on the technical committee ISO
204/WG16 that tracks developments in the intelligent transport sector. He is listed in Marquis Who’s
Who in Science and Engineering 2006-2007. He has published more than one hundred international
journals and conferences. He is a senior member of IEEE and a member of ACM.
John Buford is a research scientist with Avaya Labs. Previously he was a lead scientist at the Panasonic
Princeton Laboratory, VP of Software Development at Kada Systems, director of Internet Technologies
at Verizon, and chief architect-OSS at GTE, Laboratories. Earlier he was tenured associate professor
of computer science at the University of Massachusetts Lowell, where he also directed the Distributed
Multimedia Systems Laboratory. He has authored or co-authored ninety refereed publications and the
About the Contributors
book Multimedia Systems. He is an IEEE senior member and is co-chair of the IRTF Scalable Adaptive
Multicast Research Group. He holds the PhD from Graz University of Technology, Austria, and MS
and BS degrees from MIT.
Mihaela Cardei is an assistant professor in the Department of Computer Science and Engineering at
Florida Atlantic University, and director of the NSF-funded Wireless and Sensor Network Laboratory.
Dr. Cardei received her PhD and MS in computer science from the University of Minnesota, Twin Cit-
ies, in 2003 and 1999, respectively. Her research interests include wireless networking, wireless sensor
networks, network protocol and algorithm design, and resource management in computer networks.
Dr. Cardei is a recipient of the 2007 Researcher of the Year Award at Florida Atlantic University. She
is a member of IEEE and ACM.
Luca Caviglione (M.D. 2002, Ph.D. 2006) participated in several research projects funded by the
EU, by ESA, and by Siemens COM AG. He is author and co-author of many academic publications
about TCP/IP networking, P2P systems, QoS architectures, and wireless networks. He is a member
of the Italian IPv6 Task Force and he participates in several TPCs and performance talks about IPv6
and P2P. He is with the Institute of Intelligent Systems for Automation (ISSIA) – Genoa Branch of the
National Research Council of Italy.
Symeon Chatzinotas has a BSc in electrical and computer engineering from Aristotle University of
Thessaloniki and a MSc in microwave engineering and wireless subsystem design from University of
Surrey. Since 2006 he has been working on his PhD at the Centre for Communication Systems Research,
University of Surrey. His current research interests include mobile networking, wireless security, and
network information theory.
About the Contributors
Thomas Chen is an associate professor at Southern Methodist University. Prior to joining SMU, he
worked on ATM research at GTE Laboratories (now Verizon). He has been the editor-in-chief of IEEE
Communications Magazine since 2006. He also serves as senior technical editor for IEEE Network, and
was the founding editor of IEEE Communications Surveys. He co-authored ATM Switching Systems
(Artech House 1995). He received the IEEE Communications Society’s Fred W. Ellersick Best Paper
Award in 1996.
Yifan Chen received the BEng and PhD degrees in electrical and electronic engineering from Nan-
yang Technological University (NTU), Singapore, in 2002 and 2006, respectively. He is presently with
the Biomedical Engineering Research Centre, NTU, as a research fellow. His current research interests
involve ultra-wideband (UWB) radar system for biomedical applications including microwave imaging
of human tissues and noncontact vital-signs monitoring, statistical modeling of mobile radio channels,
UWB signal processing for wireless communications and geolocation systems, multiple-antenna system
performance analysis, and wireless networks.
Zhijia Chen is currently a PhD student in Department of Computer Science and Technology, Tsin-
ghua University. He is a visiting graduate student at School of Engineering of Stanford in Spring 2007.
His research area is in P2P networking and media streaming. He has published four academic papers
in area of P2P streaming, protocol modeling, and so forth. He is the International First Prize winner in
American Mathematical Contest in Modeling (MCM 2004 Meritorious Winners). He is also the network
session chair in 1st Beijing-Hong Kong Doctoral Forum on Network and Media 2006.
Yanghee Choi received BS in electronics engineering from Seoul National University, MS in elec-
trical engineering from Korea Advanced Institute of Science, and Doctor of Engineering in computer
science from Ecole Nationale Superieure des Telecommunications (ENST) in Paris, in 1975, 1977, and
1984, respectively. He was with the Electronics and Telecommunications Research Institute (ETRI)
during 1977-1991. He is now leading the Multimedia and Mobile Communications Laboratory in Seoul
National University. He is also director of Computer Network Research Center in Institute of Computer
Technology (ICT). He is vice-president of Korea Information Science Society. His research interest lies
in the field of multimedia systems and high-speed networking.
Mohammad M. R. Chowdhury is working toward the PhD degree in the University Graduate Center
at Kjeller (UniK)/University of Oslo, Norway in the area of user mobility and service continuity. He
received his MSc from Helsinki University of Technology in radio communications. His current areas of
interest are identity and identity based service interactions, seamless user experience in heterogeneous
wireless networks, and development of innovative service concepts for mobile operators.
Tomasz Ciszkowski received MSc degree in electronics and computer engineering from Faculty of
Electronics and Information Technology of Warsaw University of Technology (WUT), Poland, in 2004.
Currently, he is working toward a PhD degree in telecommunications at WUT on reputation service in
anonymous ad hoc networks. Since 2004 he has been working for Polish Telecom in multimedia services
division. His research activities are reflected in European research projects on next generation Internet
(EuroNGI) and end-to-end QoS support over heterogeneous networks (EuQoS).
About the Contributors
Amitabha Das obtained his BTech (honors) degree in electronics and electrical communication
engineering from the Indian Institute of Technology, Kharagpur in 1985, and his PhD in computer
engineering from the University of California, Santa Barbara, in 1991. Currently he is an associate
professor in the School of Computer Engineering in Nanyang Technological University, Singapore. His
research interests include wireless and mobile networks, network security, and intrusion detection. He
is a senior member of IEEE.
Robert H. Deng received his Bachelor from National University of Defense Technology, China, and
his MSc and PhD from the Illinois Institute of Technology. He has been with the Singapore Management
University since 2004, and is currently a professor, associate dean for Faculty & Research, and director
of SIS Research Center, School of Information Systems. Prior to this, he was principal scientist and
manager of Infocomm Security Department, Institute for Infocomm Research, Singapore. He has 26
patents and more than 200 technical publications in international conferences and journals in the areas
of computer networks, network security, and information security. He served as general chair, program
committee chair, and member of numerous international conferences, including PC co-chair of the 2007
ACM Symposium on Information, Computer and Communications Security. He received the University
Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan
Yew Fellow for Research Excellence from the Singapore Management University in 2006.
Mieso Denko is an associate professor of computing and information science at the University of
Guelph, Ontario, Canada. He received his BSc degree in statistics and mathematics from Addis Ababa
University. He received his MSc degree form the University of Wales, UK, and his PhD degree from
the University of Natal, South Africa, both in computer science. His current research interests include
wireless ad hoc networks, wireless mesh networks, wireless sensor networks, pervasive computing, and
networking. He has published numerous research papers in international journals, conferences, work-
shops, and contributed to book chapters. Currently he is co-editing three books in the above areas. Dr.
Denko has been actively involved in professional services as organizer or co-organizer of international
conferences, symposiums, and workshops, as well as TPC member for a number of conferences and
workshops. Among these, most recently he was the general co-chair of the IEEE PCAC-07, general
vice-chair of ISPA-07 and program vice-chair of IEEE AINA-07. Currently he is a program vice-chair
of the IEEE AINA-08, and co-organizer and program co-chair of the IEEE MHWMN-07 and IST-
AWSN-07. Dr. Denko is a senior member of the ACM, a member of the IEEE, ACM SIGMOBILE,
IEEE Communications Society, and IEEE Computer Society. Currently, he is an associate professor of
computing and information science at the University of Guelph, Ontario, Canada.
Yacine Djemaiel holds a Master Degree in telecommunications and he is currently preparing his
PhD thesis in telecommunications in the Engineering School of Communications (SUP’COM, Tuni-
sia). He is conducting research activities in the area of intrusion detection and tolerance and digital
investigation of security incidents. Since September 2006, Mr. Djemaiel has been a teacher assistant
in telecommunications.
Felipe Espinosa got the BSc and MSc degrees in telecommunications from Polytechnics University
of Madrid (Spain) in 1984 and 1991, respectively. He received the PhD degree in telecommunications
from University of Alcala (Spain) in 1998. He was a lecturer from 1985 to 2000 and has been an associ-
About the Contributors
ate professor since 2000, always in the Electronics Department at the University of Alcalá (Spain). His
main research interests include electronic control and communication applied to cooperative guidance
of robots and vehicles, as well as intelligent transportation systems.
Simone Fischer-Hübner has been a full professor at the Computer Science Department of Karlstad
University since June 2000, where she is the head of the PriSec (Privacy & Security) research group. She
received Doctoral (1992) and Habilitation (1999) degrees in computer science from Hamburg University.
Her research interests include technical and social aspects of IT-security, privacy, and privacy-enhancing
technologies. She was a research assistant/assistant professor at Hamburg University (1988-2000) and
a guest professor at the Copenhagen Business School (1994-1995) and at Stockholm University/Royal
Institute of Technologies (1998-1999).
J. Antonio Garcia-Macias holds a PhD from the Institut National Polytechnique de Grenoble
(INPG), France. He is currently a researcher at CICESE Research Center, working in the Computer Sci-
ence Department. His current research interests are wireless (ad hoc and sensors) networks, ubiquituous
computing, next-generation Internet services and protocols, and distributed collaborative systems.
Kaj J. Grahn, Dr. Tech. from Helsinki University of Technology, is presently a senior lecturer in
telecommunications at the Department of Business Administration, Media, and Technology at Arcada
Polytechnic, Helsinki, Finland. His current research interests include mobile and wireless networking
and network security.
Stefanos Gritzalis holds a BSc in physics, an MSc in electronic automation, and a PhD in informatics,
all from the University of Athens, Greece. Currently he is an associate professor, the head of the Depart-
ment of Information and Communication Systems Engineering, University of the Aegean, Greece, and
the director of the Laboratory of Information and Communication Systems Security (Info-Sec-Lab). His
published scientific work includes several books and more than 150 journal and international conference
papers. The focus of these publications is on information and communication systems security. He was
a member (secretary general, treasurer) of the Board of the Greek Computer Society.
Yong Guan is an assistant professor in the Department of Electrical and Computer Engineering
at Iowa State University. He received his BS (1990) and MS (1996) in computer science from Peking
University, China, and his PhD (2002) in computer science from Texas A&M University. His research
interests are computer and network forensics, wireless and sensor network security, and privacy-enhanc-
ing technologies for the Internet. He received the Best Student Paper Award from the IEEE National
Aerospace and Electronics Conference in 1998, won 2nd place in the graduate category of the Interna-
tional ACM Student Research Contest in 2002, and was named the Litton Assistant Professor by Iowa
State University in 2007.
Mohamed Hamdi received his Engineering Diploma, Master Diploma, and PhD in telecommunica-
tions from the Engineering School of Communications (Sup’Com, Tunisia) in 2000, 2002, and 2005,
respectively. From 2001 to 2005 he worked for the National Digital Certification Agency (NDCA, Tu-
nisia) where he was head of the Risk Analysis Team. Dr. Hamdi was in charge in building the security
strategy for the Tunisian Root Certification Authority and in continuously assessing the security of the
About the Contributors
NDCAs networked infrastructure. He has also served on various national technical committees for se-
curing e-government services. Currently, Dr. Hamdi is serving as a contract lecturer for the Engineering
School of Communications at Tunis. He is also a member of the Communication Networks and Security
Lab (Coordinator of the Formal Aspects of Network Security Research Team), where he is conducting
research activities in the areas of risk management, algebraic modeling, relational specifications, intru-
sion detection, network forensics, and wireless sensor networks
Munirul M. Haque is currently a PhD student at Purdue University. He received the MS degree
in computer science at Marquette University where he researched pervasive computing, security, and
privacy in the Ubicomp Research Lab. He completed the BS in computer science and engineering from
Bangladesh University of Engineering and Technology.
Jahan Hassan is a research fellow at the School of Information Technologies, University of Sydney.
She received her PhD in 2004 from University of New South Wales, Sydney, and Bachelor degree in
1995 from Monash University, Melbourne, both in computer science. She is published widely in peer-
reviewed conferences and journals. She was a member of the Technical Program Committee of IEEE
LCN 2006, IEEE ICC 2007, IEEE ISWPC 2007, IADIS AC 2006, and IADIS WAC 2007. She served
as a reviewer for many conferences and journals. Her research interests include mobile and wireless
networking architectures and wireless network security. Her current project focuses on the fast authen-
tication techniques for multiprovider access networks.
Artur Hecker received a diploma in computer science (Dipl.inform.) from the University of Karl-
sruhe (TH), Germany in 2001. In 2005, he received a PhD degree in computer science and networking
from the ENST, France. After his thesis, he worked as CTO of Wavestorm SAS, which he co-founded
in 2003. Since 2006, Dr. Hecker holds a position as associate professor at the INFRES department at
the ENST. His present research interests are wireless access security, security assurance of complex
systems, network and service management, and autonomous networking. Dr. Hecker is actively involved
in several IST FP6 and EUREKA CELTIC research activities.
Silke Holtmanns received her PhD in mathematics from the University of Paderborn (Germany),
Department of Computer Science and Mathematics. She has been a senior researcher at Nokia Research
Center since 2004. Before that, she was working in Ericsson Research Lab Aachen (Germany) as a
master research engineer and at the University of Paderborn as a scientific assistant. She has more then
30 publications and co-authored several books on mobile security. She is also rapporteur of six 3GPP
security specifications and reports and involved in various standardization activities.
Ismail Khalil Ibrahim is a senior researcher and lecturer at the Institute of Telecooperation- Jo-
hannes Kepler University Linz, Austria, where he teaches, consults, and conducts research in mobile
multimedia applications and services, agent technologies, and information integration. He received his
MSc and PhD in computer engineering and information systems from Gadja Mada University, Indonesia.
Dr. Ibrahim previously served as a research fellow at Intelligent Systems Group in the Netherlands and
as project manager at the Software Competence Center Hagenberg, Austria. He is the editor-in-chief of
Advances in Next Generation Mobile Multimedia book series and Journal of Mobile and Multimedia
Communications, and co-editor in chief of the International Journal of Web Information Systems (JWIS)
About the Contributors
and the Journal of Mobile Multimedia (JMM). His research interests also include business, social, and
policy implications associated with the emerging Web technologies.
Biju Issac is a lecturer in the School of IT and Multimedia in Swinburne University of Technology
(Sarawak Campus), Malaysia. He is also the head of Network Security Research Group in the Informa-
tion Security Research Lab at Swinburne University Sarawak. He is an electronics and communication
engineer with a post graduate degree in computer applications. Currently he is doing part-time PhD in
networking and mobile communications in UNIMAS, Malaysia. His research interests are in wireless
and network security, wireless mobility, and IPv6 networks.
Tao Jiang is a research scientist at the Department of Electronic and Computer Engineering, University
of Michigan, Dearborn. He received BS and MS degrees in applied geophysics from China University of
Geosciences, Wuhan in 1997 and 2000, respectively, and a PhD degree in information and communication
engineering from Huazhong University of Science and Technology, Wuhan, P. R. China in April 2004.
From August 2004 to August 2005, he worked at Brunel University, London, as an academic visiting
scholar, and then moved to University of Puerto Rico in 2006. His current research interests include
the areas of wireless communications and corresponding signal processing, especially for OFDM and
MIMO systems, cooperative networks, cognitive radio, and ultra wideband communications.
John Felix Charles Joseph is currently pursuing PhD in computer science from Nanyang Techno-
logical University, Singapore. His research interests include security in wireless and ad hoc networks,
computational intelligence, multicast routing security, and multimedia. He received his Bachelor in
engineering, computer science from Madras University, India in 2002 and MS from Anna University,
India in 2005. His current work involves design of an intrusion detection algorithm for mobile wireless
ad hoc network environment.
Admela Jukan is a professor in electrical and computer engineering at the Technical University
Carolo Wilhelmina in Braunschweig, Germany. Prior to coming to TU Braunschweig, she was with
University of Illinois at Urbana Champaign (UIUC), Georgia Tech (GaTech), University of Quebec
(EMT-INRS), and Vienna University of Technology (TU Wien). From 2002-2004, she served as program
director in computer and networks system research at the National Science Foundation (NSF) in Arling-
ton, VA. While at NSF, she was responsible for funding and coordinating US-wide university research
and education activities in the area of network technologies and systems. She received the MSc degree
in information technologies and computer science from the Polytechnic of Milan, Italy, and the PhD
degree (cum laude) in electrical and computer engineering from the Vienna University of Technology
(TU Wien), Austria. Dr. Jukan is the author of numerous papers in the field of networking, and she has
authored and edited several books. She serves as a member of the Quality Assurance Committee for the
EU Network of Excellence, ePhoton/One. Dr. Jukan has chaired and co-chaired several international
conferences, including IFIP ONDM, IEEE ICC, and IEEE GLOBECOM. She serves on the editorial
board of the IEEE Communications Surveys and Tutorials. She is a senior member of the IEEE.
György Kálmán is a graduate student at UniK, University Graduate Center in Kjeller, Norway. His
research area covers personal and device authentication, security, and privacy in wireless systems. He
got his MSc degree in the area of communication networks from the Budapest University of Technology
and Economics. He was research fellow at Telenor R&I at the Media Platforms group.
0
About the Contributors
Georgios Kambourakis received the diploma in applied informatics from the Athens University
of Economics and Business and the PhD in information and communication systems engineering from
the Department of Information and Communications Systems Engineering of the University of Aegean.
He also holds a MEd from Hellenic Open University. Dr. Kambourakis is a lecturer in the Department
of Information and Communication Systems Engineering of the University of the Aegean, Greece.
His research interests are in the fields of mobile and ad hoc networks security, VoIP security, security
protocols, and PKI, and he has more than 35 publications in the above areas.
Jonny Karlsson has a BSc in information technology from Arcada Polytechnic, Helsinki Finland.
Since May 2002 he has been working at Arcada Polytechnic as a course assistant and course teacher
in programming and network security related courses and as a research assistant. His current research
interests include wireless and mobile network security.
Paris Kitsos received the BSc degree in physics in 1999 and a PhD in 2004 from the Department
of Electrical and Computer Engineering, both at the University of Patras. Currently is research fellow
with the Digital Systems & Media Computing Laboratory, School of Science & Technology, Hellenic
Open University (HOU). His research interests include VLSI design, hardware implementations of
cryptographic algorithms, and security protocols for wireless communication systems. Dr. Kitsos has
published more than 60 scientific articles and technical reports, as well as is reviewing manuscripts for
books, international journals, and conferences/workshops in the areas of his research. He has partici-
pated in international journals and conferences organization, as program/technical committee member
and guest editor.
Giorgos Kostopoulos received his diploma in electrical and computer engineering from the Elec-
trical & Computer Engineering Department, University of Patras, Greece in 2003. Since then he has
been working as a researcher engineer in the Department of Electrical and Computer Engineering of
the University of Patras. His research interests include security in wireless networks, new generation
networks architectures, security management in new generation networks, and communication networks.
Giorgos Kostopoulos has published more than 15 technical papers and book chapters in these areas. He
has also participated as senior engineer in European Research Projects.
Zbigniew Kotulski received his MSc in applied mathematics from Warsaw University of Technology
and PhD and DSc degrees from Institute of Fundamental Technological Research of the Polish Acad-
emy of Sciences. He is currently professor at IFTR PAS and professor and head of Security Research
Group at Department of Electronics and Information Technology of Warsaw University of Technology,
Poland. He is the author and co-author of three books and more than 150 research papers on applied
mathematics, cryptology, and information security.
Odysseas Koufopavlou received the Diploma of Electrical Engineering in 1983 and the PhD degree
in electrical engineering in 1990, both from University of Patras, Greece. From 1990 to 1994 he was at
the IBM Thomas J. Watson Research Center, Yorktown Heights, NY. He is currently a professor with
the Department of Electrical and Computer Engineering, University of Patras. His research interests
include computer networks, high performance communication subsystems architecture and implementa-
tion, VLSI low power design, and VLSI crypto systems. Dr. Koufopavlou has published more than 150
About the Contributors
technical papers and received patents and inventions in these areas. He has participated as coordinator
or partner in many Greek and European R&D programs. He served as general chairman for the IEEE
ICECS’1999.
Geng-Sheng (G.S.) Kuo worked with R&D laboratories of the communications industry in the
United States, such as AT&T Bell Laboratories. In August 2000, he joined National Chengchi University,
Taipei, Taiwan as a professor. Since 2001, he has been invited as chair professor of Beijing University of
Posts and Telecommunications (BUPT) in Beijing, China. His current research interests include mobile
communications, wireless communications, and IP-networks. From 2001 to 2002, he was editor-in-chief
of IEEE Communications Magazine, whose impact factor in 2002 was 3.165. Currently, he is area editor
for Networks Architecture of IEEE Transactions on Communications, editor and ComSoc representative
to IEEE Internet Computing, editor of European Transactions on Telecommunications, and so forth.
Taekyoung Kwon is an assistant professor in Multimedia & Mobile Communications Lab., School
of Computer Science and Engineering, Seoul National University He received his PhD, MS, and BS
degrees in computer engineering from Seoul National University in 2000, 1995, and 1993, respectively.
He was a visiting student at IBM T. J. Watson Research Center in 1998 and a visiting scholar at the
University of North Texas in 1999. His recent research areas include radio resource management, wire-
less technology convergence, mobility management, and sensor network.
Pekka Laitinen received his MSc degree in information sciences in Helsinki University of Technol-
ogy, Department of Engineering Physics and Mathematics. He is principal engineer in Nokia Research
Center where he has been working since 1996. His research interests include identity management and
applied security.
Björn Landfeldt received a BSc equivalent from the Royal Institute of Technology in Sweden. He
received his PhD from The University of New South in 2000. Afterwards he joined Ericsson Research
in Stockholm as a Senior Researcher. In 2001, Dr. Landfeldt took up a position as a CISCO senior
lecturer in Internet Technologies at the University of Sydney. He has published more than 50 publica-
tions in international books, journals, and conferences. Dr. Landfeldt is serving on the editorial boards
of international journals and as a program committee member of many international conferences. His
research interests include wireless systems, systems modeling, mobility management, and QoS.
Peter Langendoerfer received his doctoral degree in 2001. Since 2000 he has been with the IHP in
Frankfurt (Oder) where he is leading the mobile middleware group. He has published more than 55 refer-
eed technical articles, filed seven patents in the security/privacy area, and worked as guest editor for the
Journal of Super Computing (Kluwer), Computer Communications (Elsevier), Wireless Communications
and Mobile Computing (Wiley), and ACM Transactions on Internet Technology. He is/was also a TPC
member/chair of many conferences. His research interests include mobile communication (especially
privacy and security issues), protocol engineering, and automated protocol implementation.
Shahram Latifi, an IEEE fellow, received the Master of Science degree in electrical engineering
from Fanni, Teheran University, Iran in 1980. He received the Master of Science and the PhD degrees
both in electrical and computer engineering from Louisiana State University, Baton Rouge in 1986 and
About the Contributors
1989, respectively. He is currently a professor of electrical engineering at the University of Nevada, Las
Vegas and director of the Center for Information and Communication Technologies (CICT). Dr. Latifi has
designed and taught graduate courses on security, image processing, computer networks, fault tolerant
computing, and data compression in the past 16 years. He has given seminars on the aforementioned
topics all over the world. He has authored over 120 technical articles in the areas of image processing,
document analysis, computer networks, fault tolerant computing, parallel processing, and data com-
pression. His research has been funded by NSF, NASA, DOE, Boeing, Lockheed, and Cray Inc. Dr.
Latifi is an associate editor of the IEEE Transactions on Computers and co-founder and general chair
of the IEEE International Conference on Information Technology. He is also a registered professional
engineer in the State of Nevada.
Bu-Sung Lee received his BSc (honors) and PhD from the Electrical and Electronics Department,
Loughborough University of Technology, UK in 1982 and 1987, respectively. He is currently associate
chair (research) with the School of Computer Engineering, Nanyang Technological University. He is
also the founding president of Singapore Research and Education Networks (SingAREN). He has been
an active member of several national standards organization such as the National Grid Pilot Project.
His research interests are in network management, broadband, distributed, ad hoc and mobile networks,
network optimization, as well as grid computing.
Supeng Leng is an associate professor in the School of Communication and Information Engineering,
University of Electronic Science and Technology of China (UESTC). He received his BEng degree from
UESTC in 1996, and PhD degree from Nanyang Technological University (NTU), Singapore in 2005.
He has experience as a R&D engineer in the field of computer communications, and as a research fellow
in the Network Technology Research Center, NTU. His research focuses on ad hoc/sensor networks,
wireless mesh networks, and broadband wireless networks.
Mo Li received the BE from Beijing University of Posts and Telecommunications. Then, he worked
for Lucent Technologies and Computer Associates (CA), where he has been involved in the design of
system architectures for DWDM/SDH/IP Backbone O&M systems. He is currently working toward the
PhD at the Faculty of Engineering, University of Technology, Sydney. His research interests include
handover management and trust-assisted networking.
Xinghua Li obtained his ME and Ph D degrees in computer architecture and computer application
from Xidian University (Xi’an) in 2004 and 2006, respectively. Currently, Xinghua Li is the lecturer of
the School of Computer of Xidian University. His research interests include information and network
security.
About the Contributors
Shiguo Lian, member of IEEE, SPIE, and EURASIP, got his PhD degree in multimedia security
from Nanjing University of Science and Technology in July 2005. He was a research assistant at City
University of Hong Kong from March to June in 2004, studying on multimedia encryption. He has
being with France Telecom R&D Beijing since July 2005, focusing on multimedia content protection,
including digital rights management (DRM), image or video encryption, watermarking and authentica-
tion, and so forth.
Chuang Lin is a professor and the former head of the Department of Computer Science and Technol-
ogy, Tsinghua University, Beijing, China. He received his PhD degree in computer science from Tsinghua
University in 1994. Professor Lin is a senior member of the IEEE, the Chinese Delegate in TC6 of IFIP,
and has served as associate editor for several journals. His current research interests include computer
networks, performance evaluation, logic reasoning, and Petri net theory and its applications. He has
co-authored more than 200 papers in research journals and IEEE conference proceedings in these areas
and has published three books.
Bin Lu is an assistant professor in the Department of Computer Science at West Chester University
of Pennsylvania. Dr. Lu received her BS (1996) and MS (1998) degrees in computer science from Harbin
Institute of Technology, China, and her PhD (2005) in computer science from Texas A&M University.
Her research interests include network security, quality of service, and wireless networks.
Jianfeng Ma received his BS degree in mathematics from Shaaxi Normal University (Xi’an) in 1985,
and obtained his ME and PhD degrees in computer software and communications engineering from
Xidian University (Xi’an) in 1988 and 1995, respectively. Professor Ma is a member of the executive
council of the Chinese Cryptology Society. Currently, Professor Ma is the director of the Ministry of
Education Key Laboratory of Computer Networks and Information Security, and he is the dean of the
School of Computer of Xidian University. His research interests include information security, coding
theory, and cryptography.
Ismat K. Maarouf obtained his BS degree in computer engineering in 2005 and an MS degree in
computer networks in 2007 from King Fahd University of Petroleum and Minerals (KFUPM), Dhahran,
Saudi Arabia. He is currently working as a research assistant in the Computer Engineering Department
in KFUPM. His main research interests include mobile ad hoc and wireless sensor networks, computer
networks security, reputation systems, and WLAN-Cellular networks integration.
Michael Maaser received his Master’s degree in computer science from Brandenburg University
of Technology Cottbus in 2004. After his thesis about negotiation of privacy he started as a research
scientist at IHP. His research focuses on privacy preserving techniques mainly, but not limited to, the
field of location based services. Throughout the recent 2 years he has seven publications thereof five in
the area of privacy and two filed patents.
Ashraf S. Hasan received the BSc degree in electrical and computer engineering from Kuwait Uni-
versity in 1990, and the MEng in engineering physics (computer systems) from McMaster University,
Hamilton, Canada in 1992. He received his PhD in systems and computer engineering from Carleton
University, Ottawa, Canada in 1997. During 1997-2002, he was with Nrtel Networks Research and De-
About the Contributors
velopment where he focused on development and evaluation of radio resource management algorithms
for broadband and 3G networks. Since 2002, he has been with the Computer Engineering Department at
King Fahd University of Petroleum and Minerals, Dhahran, KSA as an assistant professor. His research
interests include radio resource management for 3rd and 4th G networks, wireless local area networks,
and integration of heterogeneous networks.
Amel Meddeb Makhlouf received the engineering eegree (in 2001) and the Master degree in com-
munications (in 2003) from the Engineering School of Communications (SUP’COM, Tunisia). She is
member of the Communication Networks and Security (CN&S) Research Laboratory (University of
November 7th, Carthage, Tunisia). Since September 2004, she has joined the Engineering School of
Communications (SUP’COM, TUNISIA) as a teacher assistant in telecommunications.
Leonardo A. Martucci is a doctoral student at Karlstad University, Sweden, where he works with
research on privacy enhancing technologies for wireless environments. He is involved in education,
research, deployment, and industrial projects in the field of wireless network security and privacy since
2001. Mr. Martucci’s research is focused especially in privacy problems in dynamic and distributed
environments, such as mobile ad hoc networks. He holds a Licentiate in engineering from Karlstad
University (2006), a Masters in electrical engineering (2002), and an electrical engineer degree (2000)
from University of São Paulo, Brazil.
Geyong Min is a senior lecturer in the Department of Computing at University of Bradford, United
Kingdom. He received the PhD degree in computing science from University of Glasgow, UK, in 2003.
His research interests include performance modeling and simulation, network traffic engineering, mobile
computing and wireless networks, multimedia systems, and information security. Dr. Min has published
over 100 research papers in the well-established journals and conferences. Dr. Min serves on the edito-
rial board of the International Journal of Wireless and Mobile Computing and Journal of Simulation
Modeling Practice and Theory, and serves as the guest editor for 10 international journals.
Rebecca Montanari graduated from University of Bologna, Italy, where she received PhD degree in
computer science engineering in 2001. She is now an associate professor of computer engineering at the
University of Bologna. Her research primarily focuses on policy-based networking and systems/service
management, mobile agent systems, security management mechanisms, and tools in both traditional
and mobile systems. She is member of IEEE and AICA.
Luminita Moraru is currently a PhD candidate in the TCS-sensor lab of the Computer Science De-
partment of the University of Geneva. She received a BS degree in electrical engineering and computer
science from the Polytechnic University of Bucharest, in 2004, and a MS degree in computer science
(embedded systems) from the University of Science and Technology of Lille, in 2005. Her research in-
About the Contributors
terests are in sensor networks, mobile ad hoc networks, security, and reputation based trust. Her current
research focuses on security and QoS of routing protocols for sensor networks.
Huansheng Ning received BS degree from Anhui University, China, in 1996, and a PhD degree from
Beihang University, China, in 2001. From 2002 to 2003, he was the CTO of Aerospace Golden Card
Company. Since 2004, he has been an associate professor in Beihang University. His current research
interests include RFID, EM computing, ITS, and so forth.
Josef Noll holds a professor stipend from the University of Oslo in the area of mobile services.
Working areas include mobile authentication, wireless broadband access, personalized services, and the
evolution to 4G systems. He is also senior advisor in Movation, Norway’s leading innovation company
for mobile services. Previously he was senior advisor/group leader at Telenor R&I, project leader of
“Operators’ Vision on Systems Beyond 3G” and other international projects, use-case leader in the EU
“Adaptive Services Grid (ASG)” project, and has initiated a.o. the EU’s 6th FP ePerSpace and several
ITEA and Eurescom projects.
Christoforos Ntantogian received his BSc degree in computer science and telecommunications
from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2006 he
finished his postgraduate studies in computer systems technology in the same department and currently
he is a PhD student. Since 2004 he has been working for the Communication Networks Laboratory of
the University of Athens and he is a member of the Security Group.
Sangheon Pack received the BS (2000) and PhD (2005) degrees from Seoul National University,
both in computer engineering. Since March 2007, he has been an assistant professor in the School of
Electrical Engineering, Korea University, Korea. From July 2006 to February 2007, he was a postdoctoral
fellow at Seoul National University. From 2005 to 2006, he was a postdoctoral fellow in the Broadband
Communications Research (BBCR) Group at University of Waterloo, Canada. His research interests
include mobility management, multimedia transmission, and QoS provision issues in next-generation
wireless/mobile networks. He is a member of the ACM and the IEEE.
Luis E. Palafox received his BS in computer engineering from the University of Baja California
in 1997. He also received his MS degree in digital systems from the National Polytechnic Institute of
Mexico in 2002. In 2004, he enrolled in the PhD program in computer science program at the CICESE
Research Center in Ensenada. He is a faculty member of the School of Chemical Science and Engi-
neering at the University of Baja California since 1999. His areas of interest are computer networking,
embedded systems, wireless sensor networks, and digital signal processing.
About the Contributors
Cyrus Peikari, MD, is a practicing physician and author of several leading technical security books,
including Security Warrior from O’Reilly and Maximum Wireless Security from SAMS. In his work
with Airscanner Corporation he pioneered some of the first antivirus solutions for handheld computing
devices. His main area of research is in reverse engineering of “airborne viruses.” Dr. Peikari has been
a popular speaker and keynote at several major security conferences.
Steffen Peter received his diploma in computer science from the Brandenburg University of Tech-
nology at Cottbus (BTU) in 2006. In 2006 he joined the IHP in Frankfurt (Oder), where he was also
involved in developing a hardware TCP accelerator as a student. In his diploma thesis he was developing
hardware cryptography accelerators. He is a member of the mobile middleware group, working on the
research of solutions for security issues in wireless sensor networks. He has filed three patents and has
authored two technical papers. His research interests include security and privacy in mobile environ-
ments focusing on efficient hardware implementation.
Krzysztof Piotrowski received his Master in computer science from the University of Zielona Gora
(Poland) in 2004. Since 2004, he has been with the IHP in Frankfurt (Oder) where he is a member of
the mobile middleware group. He published 15 refereed technical articles in the area of security and
privacy. His research interests include mobile/wireless communication (focus on privacy and security
issues), especially on resource-constrained devices (wireless sensor networks).
Olivier Powell is a senior researcher at the Computer Science Department of the University of Ge-
neva in Switzerland. He was previously a Swiss National Research Foundation fellow at the Research
and Academic Computer Technology Institute and the University of Patras in Greece. Previously, he
was a post-doctoral research associate at the TCS-sensor lab of the University of Geneva. He received
a PhD in computer science in the field of complexity theory from the University of Geneva and a MSc
degree in mathematics from the same university. His current research interest is algorithmic aspects of
wireless sensor networks.
Göran Pulkkis, Dr. Tech. from Helsinki University of Technology, is presently senior lecturer in
computer science and engineering at the Department of Business Administration, Media, and Technology
at Arcada Polytechnic, Helsinki, Finland. His current research interests are network security, applied
cryptographic, and quantum informatics
Slim Rekhis holds a PhD and a Master degree in telecommunications from the Engineering School
of Communications (SUP’COM, Tunisia). He is conducting research activities in the area of digital
investigation of security incidents, formal modelling, intrusion detection and tolerance, and wireless
security. Since September 2005, Dr. Rekhis has been an assistant professor in telecommunications.
Angelos Rouskas received the Diploma in Electrical Engineering from the National Technical Uni-
versity of Athens (NTUA), the MSc in communications and signal processing from Imperial College,
London, and the PhD in electrical and computer engineering from NTUA. He is an assistant professor in
the Department of Information and Communication Systems Engineering of the University of Aegean,
Greece, and director of the Computer and Communication Systems Laboratory. Dr. Rouskas has been
involved in several European and Greek funded research projects and has published extensively in the
field of mobile and wireless communication networks.
About the Contributors
Miguel A. Ruiz was born in Valdepeñas (Ciudad Real), Spain. He received the Technical Telecom-
munication Engineering and Telecommunication Engineering degrees from the Polytechnic School
at the University of Alcala (Madrid), Spain, in 1999 and 2003, respectively. He is currently working
toward the PhD degree in telecommunications at University Alcala. Since 2000, he has been working
in the Electromagnetic Compatibility Laboratory as technical manager at the High Technology and
Homologation Center (CATECHOM), research support center of the University Alcala. Furthermore, he
is an assistant lecturer at the Electronic Department of the same university. His main research interest
is EMC effect on electrical and electronic automotive systems.
Kumbesan Sandrasegaran holds a PhD in electrical engineering from McGill University (Canada)
(1994), a Masters of Science degree in telecommunication engineering and information Systems from
Essex University (UK) (1988), and a Bachelor of Science (honors) degree in electrical engineering (first
class) (UZ) (1985). Dr Sandrasegaran is a professional engineer (Pr.Eng) (ECSA) and has more than
20 years experience working either as a practitioner, researcher, consultant, and educator in telecom-
munication networks. During this time, he has focused on the planning, optimization, forecasting,
security, and network management of telecommunication networks. At present, he is program head of
ICT Engineering at the Faculty of Engineering, University of Technology Sydney (UTS).
David Sanguino was born in Talavera de la Reina (Toledo), Spain. He received the technical tele-
communication engineering degree from the Polytechnic School at the University of Alcala (Madrid),
Spain, in 2004. He is currently working toward the telecommunication engineering degree at University
Alcala (UAH). Since 2005, he has been working in the Electromagnetic Compatibility Laboratory as
Technician at the High Technology and Homologation Center (CATECHOM), research support center
of the University of Alcala.
Boot-Chong Seet received his PhD in 2005 from the School of Computer Engineering, Nanyang
Technological University (NTU), where he is currently serving as an instructional faculty. Prior to join-
ing NTU, he was with the Singapore-MIT Alliance (SMA), National University of Singapore, where
he worked as a research fellow for a pilot project on adaptive location-aware computing. His current
research interests include ad hoc, mesh, and sensor networks, mobile peer-to-peer computing, vehicular
communications, and emerging broadband wireless technologies. He has over 20 refereed publications
and one patent pending. He is a member of IEEE and ACM SIGMOBILE.
Jean-Marc Seigneur is a senior researcher and lecturer at the University of Geneva. He received his
MSc and PhD in computer science from Trinity College Dublin. His more than 30 international scientific
publications cover ubiquitous computing security, trust, reputation, and privacy. He is an international
expert reviewer for French ANR security research projects and the European Commission. He worked
in Hewlett-Packard in France and China. He leads the http://www.trustcomp.org online community on
computational trust management with now more than 190 academic and industrial members. He has
provided technical consulting and presentations to many companies, among them, Philips, Ericsson,
SAP, and Amazon.
Moushumi Sharmin is currently a PhD student at University of Illinois. She received the MS degree
in computer science at Marquette University where she researched pervasive computing, security, and
About the Contributors
privacy in the Ubicomp Research Lab. She completed the BS in computer science and engineering from
Bangladesh University of Engineering and Technology.
Nicolas Sklavos received the PhD degree in electrical and computer engineering, and the diploma in
electrical and computer engineering, in 2004 and 2000, respectively, both from the Electrical & Computer
Engineering Department, University of Patras, Greece. His research interests include cryptography,
wireless communications security, computer networks, and VLSI design. He holds an award for his
PhD thesis on “VLSI Designs of Wireless Communications Security Systems” from IFIP VLSI SOC
2003. He was the general co-chair of MobiMedia’07. He has participated to international journals and
conferences organization as program committee member and guest editor. Dr. N. Sklavos is a member
of the ACM, IEEE, IEE, the Technical Chamber of Greece, and the Greek Electrical Engineering So-
ciety. He has authored or co-authored up to 90 scientific articles, books chapters, tutorials, and reports
in the areas of his research.
Nilothpal Talukder is a graduate student in computer science at Marquette University where he re-
searches pervasive computing, security, and privacy in the Ubicomp Research Lab. He completed the BS
in computer science and engineering from Bangladesh University of Engineering and Technology.
Daniela Tibaldi graduated from University of Bologna, Italy, where she received her PhD degree
in computer science engineering in 2006. Her research activity is focused on middleware solutions for
supporting the secure service provisioning in mobile and heterogeneous environments. Since 2002 she
works at the DSAW – Direction and Development of Web Activities of the University of Bologna with
both technical and quality management responsibilities. One of the DSAW main tasks is to build the
University Web sites, services, and the corresponding technological, informative, and organizational
infrastructure to fully support University educational, academic, and administrative activities.
Tom Tofigh is a principal and technical member of the AT&T architecture team. He is responsible
for architecture studies and vendors technology evaluation. Currently, he supports the AT&T labs ad-
vanced services and architecture group. Tom has worked in semiconductor companies as director of
product management, director of software development, and has consulted and worked for a number
of start-ups and had responsibility for architecture and developments of switches and access products.
In addition Tom attended George Washington University and completed his doctoral course work in
electrical engineering and computer science graduate school. Furthermore, Tom has a judicial doctoral
degree from Northern Virginia Law School with emphasis in intellectual properties. Currently, Tom is
the founder and chair of the WiMAX Forum’s Application Architecture Working Group.
Alessandra Toninelli graduated from University of Bologna, Italy, where she is currently a PhD
student in computer science engineering. Her research interests focus on semantic-based middleware
supports for service provisioning, context-aware services, security solutions for pervasive environments,
policy-based service management, and mobile agent systems. She is a member of IEEE and ACM.
Denis Trĉek is principal investigator at Jozef Stefan Institute and has been involved in the field of
computer networks, security, and privacy for almost 20 years. He has taken part in various European
projects, as well as domestic projects in government, banking, and insurance sectors. His bibliography
About the Contributors
includes over one hundred titles, including works published by renowned publishers like Springer and
Wiley. D. Trcek has served (and still serves) as a member of various international boards, from editorial
to professional ones. He is inventor of a patented family of light-weight cryptographic protocols. His
interests include e-business, security, trust management, privacy, and human factor modelling.
Yu Wang received the PhD degree in computer science from Illinois Institute of Technology in
2004, and the BEng degree and the MEng degree in computer science from Tsinghua University, China,
in 1998 and 2000. He has been an assistant professor of computer science at the University of North
Carolina at Charlotte since 2004. His current research interests include wireless networks, ad hoc and
sensor networks, mobile computing, and algorithm design. He has published more than 50 papers in
peer-reviewed journals and conferences. Dr. Wang is a recipient of Ralph E. Powe Junior Faculty En-
hancement Awards from Oak Ridge Associated Universities.
Yawen Wei is a PhD candidate in the Department of Electrical and Computer Engineering at Iowa
State University. She obtained her BEng (2004) in electronic engineering from Tsinghua University,
China. Since then she has been doing research on localization security issues and location-based ser-
vices in wireless sensor networks.
Jie Wu is a distinguished research professor at the Department of Computer Science and Engineer-
ing, Florida Atlantic University and a program director at US National Science Foundation. He has
published over 350 papers in various journals and conference proceedings. His research interests are
in the areas of wireless networks and mobile computing, routing protocols, fault-tolerant computing,
and interconnection networks. Dr. Wu was on the editorial board of IEEE Transactions on Parallel
and Distributed Systems and was a co-guest-editor of IEEE Computer and Journal of Parallel and
Distributed Computing. He served as the program co-chair for MASS 2004, program vice-chair for
ICDCS 2001, and program vice-chair for ICPP 2000. He was also general co-chair for MASS 2006 and
is general chair for IPDPS 2008. He is the author of the text Distributed System Design published by
the CRC press. He was also the recipient of the 1996-97, 2001-02, and 2006-07 Researcher of the Year
Award at Florida Atlantic University. Dr. Wu has served as an IEEE Computer Society Distinguished
Visitor and is the chairman of IEEE Technical Committee on Distributed Processing (TCDP). He is a
member of ACM and a senior member of IEEE.
Christos Xenakis received his BSc degree in computer science in 1993 and his MSc degree in
telecommunication and computer networks in 1996, both from the Department of Informatics and
Telecommunications, University of Athens, Greece. In 2004 he received his PhD from the University
of Athens (Department of Informatics and Telecommunications). Since 1996 he has been a member of
the Communication Networks Laboratory of the University of Athens and, currently, he is the head of
0
About the Contributors
the Security Group. In addition, he is a lecturer (faculty of the Department of Technology Education
and Digital Systems) in the University of Piraeus, Greece.
Lu Yan is a research fellow at University College London and a Visiting Fellow at University of
Cambridge. Previously, he was with Department of Information Technologies in Åbo Akademi Univer-
sity, Distributed Systems Design Laboratory in Turku Centre for Computer Science (TUCS), Institute of
Microelectronics (IME) in Peking University. He holds visiting professor positions in both École Supéri-
eure d’Ingénieurs généralistes (ESIGELEC) and École Supérieure de Commerce de Rouen (ESC).
Laurence T. Yang is a professor in computer science at St Francis Xavier University, Canada. His
research includes high performance computing and networking, embedded systems, ubiquitous/perva-
sive computing, and intelligence. He has published around 250 papers in refereed journals, conference
proceedings, and book chapters in these areas. He has been involved in more than 100 conferences and
workshops as a program/general conference chair and more than 200 conference and workshops as a
program committee member. He served as the vice-chair of IEEE Technical Committee of Supercom-
puting Applications (TCSA) until 2004. Currently he is on the executive committee of IEEE Technical
Committee of Scalable Computing (TCSC), of IEEE Technical Committee of Self-Organization and
Cybernetics for Informatics, of IFIP Working Group 10.2 on Embedded Systems, and of IEEE Tech-
nical Committee of Granular Computing. He is also the co-chair of IEEE Task force on Intelligent
Ubiquitous Computing. In addition, he is the editors-in-chief of nine international journals and a few
book series. He is serving as an editor for around 20 international journals. He has been acting as an
author/co-author or an editor/co-editor of 30 books from Kluwer, Springer, Nova Science, American
Scientific Publishers, and John Wiley & Sons. He has received three Best Paper Awards, as well as: the
IEEE 20th International Conference on Advanced Information Networking and Applications (AINA-06);
one IEEE Best Paper Award, 2007; one IEEE Outstanding Paper Award, 2007; Distinguished Achieve-
ment Award, 2005; Distinguished Contribution Award, 2004; Outstanding Achievement Award, 2002;
Canada Foundation for Innovation Award, 2003; and University Research/Publication/Teaching Award
00-02/02-04/04-06.
Hao Yin, is currently an associate professor with the Department of Computer Science and Tech-
nology, Tsinghua University, Beijing, China He received Ph.D. degrees in electrical engineering from
Huazhong University of Science and Technology, China in 2002. His research interests span broad aspects
of network architecture, P2P technology, wireless network, video coding, multimedia communication
over wireless network, and network security. He has published over 50 papers in refereed journal and
conferences. He is on editorial boards of Advances in Multimedia and AD HOC NETWORKS Journal,
and has been involved in organizing over 12 conferences.
Rong Yu was born in Guangdong, China, in 1979. He received his BE degree in communications
engineering from Beijing University of Post and Telecommunications (BUPT), Beijing, China, in 2002.
After that, he joined the Electronic Engineering Department of Tsinghua University, Beijing, China,
where he received his PhD degree at July 2007. His research interests include protocol design and per-
formance analysis of wireless sensor networks and board-band wireless multimedia networks.
About the Contributors
Zhen Yu is a PhD candidate in the Department of Electrical and Computer Engineering at Iowa State
University. He obtained his BEng (1995) and MEng (2001) in electrical engineering from Shanghai Jiao
Tong University, China. He also received his MS in electrical engineering from Iowa State University
in 2003. Since then he has been researching security issues in wireless networks and distributed sys-
tems.
Said Zaghloul is currently a PhD candidate at the Technical University Carolo-Wilhelmina in Braun-
schweig, Germany. Prior to his PhD studies, he was with Sprint-Nextel as a telecommunication design
engineer mainly focusing on wireless IP infrastructures. During his employment at Sprint-Nextel, he
submitted two patents in the area of telecommunication protocols and received excellence awards. In
2002, he received the first IEE award for his BSc graduation project in UMTS capacity planning. In
2003, he was granted a Fulbright Scholarship to pursue his MSc studies at the University of Kansas.
In 2005, Mr. Zaghloul received his MSc degree with honors. His research interests include wireless
protocols, IP technologies, and wireless communications.
Guo-Mei Zhu received the BE degree in communication engineering from ChongQing University
of Posts and Telecommunications, Chongqing, China, in 2002. She is currently pursuing her PhD degree
at the School of Telecommunication Engineering, Beijing University of Posts and Telecommunications,
Beijing, China under the supervision of Professor Geng-Sheng Kuo. Her current research interests in-
clude distributed intrusion detection for wireless networks, cross-layer communication protocol design
for wireless networks, next generation wireless networks, and wireless mesh networks.
Albert Y. Zomaya is currently the head of school and the CISCO systems chair professor of internet-
working in the School of Information Technologies, The University of Sydney. He is the author/co-author
of more than 300 publications and serves as an associate editor for several leading journals. Professor
Zomaya is the recipient of the Meritorious Service Award (in 2000) and the Golden Core Recognition
(in 2006), both from the IEEE Computer Society. He is a chartered engineer (CEng), a fellow of the
American Association for the Advancement of Science, the IEEE, and the Institution of Electrical En-
gineers (U.K.), and a distinguished engineer of the ACM.
Aneta Zwierko holds MSc and PhD in telecommunications from Warsaw University of Technology,
Poland. Her doctoral thesis “Cryptographic Protocols for Mobile Agent Systems with Applications” con-
cerned application of cryptographic protocols in mobile environment for providing integrity, anonymity,
and more complex services such as secure e-voting. Her current interest include zero-knowledge proofs
and its application, identification, and authentication protocols, anonymity and privacy, security issues of
the agent systems, E/M-voting protocols, electronic payments, and AI and its application in security.
Index
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Index
Index
Index
Index
Index
Index
mobile ad hoc networks (MANETs) 461, 479, network access servers (NAS) 298
480, 637 network address translation (NAT) 356, 373
mobile agent, strong 29 network application function (NAF) 382
mobile agent, weakly 29 network convergence 178
mobile application part (MAP) 309, 324 network domain security (NDS) 324
mobile broadband 759 network entities (NEs) 325
mobile broadband wireless access (MBWA) network interface card (NIC) 700
759 network layer 768
mobile certificate authority (MOCA) 489 network mobility (NEMO) 184, 395
mobile code, security 28–43 Network Performance 680
mobile devices, and malicious software 1–10 networks 281
mobile devices, Internet access from 6 network selection 289
mobile equipment (ME) 382 new AP (nAP) 715
mobile multimedia services (MMS) 298 new European schemes for signatures, integrity,
mobile network (MONET 396 and encryption (NESSIE) 257
mobile network, and trust management 191 new SGSN (SGSNn) 342
mobile network nodes (MNNs) 396 Newsham, Tim 68
mobile network prefix [MNP] 396 next generation networks (NGN) 391, 776
mobile node (MN) 202, 397, 711 node, malicious 419
mobile service switching centre (MSC) 352 node, selfish 419
mobile station (MS) 320 node MAC 632
mobile stations (MSs) 500 nonrepudiation 501
mobile system, and access control 176–188 Nordic mobile telephony (NMT) 273
mobile system, and authentication 176–188
mobile system, and authorisation’ 176–188 O
monitoring technique 417 old AP (oAP) 715
multimedia, distribution 249 old SGSN (SGSNo) 342
multimedia, sharing 248 OMA broadcast (BCAST) 386
multimedia encryption, and multimedia water- OMA broadcast smart card service protection
marking 248 profile 379
multimedia encryption, in wireless environment on-demand protocol 518
236–255 one-way function trees (OFT) 493
multimedia encryption, requirements of 238 online certificate status protocol (OCSP) 704
multimedia watermarking, and multimedia open mobile alliance (OMA) 379
encryption 248 open system authentication (OSA) 697
multiple description code (MDC) 248 over-the-air (OTA) 380
over the air service provisioning (OTASP) 372
N
National Institute of Standards and Technology P
(NIST) 256 packed data gateway (PDG) 298
National Security Agency (NSA) 257 packet binary convolutional coding (PBCC)
near field communication (NFC) 104 520
Neighbor Graph 721 packet core 372
network-oriented design 280 packet data network (PDN) 352
network-to-network (N2N) 277 packet data protocol (PDP) 344, 353
Network Access Control 721 packet forwarding attacks 419
Index
Index
Index
10
Index
11
Index
wireless multimedia, and encryption algorithms wireless transport layer security (WTLS) 328,
239 368
wireless multimedia, and watermarking algo- wireless wardriving 61–77
rithms 245 wireless wide area network (WWAN) 347
Wireless network 209 WLAN 721
wireless network 189 WLAN-access gateway (WLAN-AG) 298
wireless network, and authentication 193 WLAN-access point name (W-APN) 299
Wireless Networks 721 WLAN authentication and privacy infrastruc-
wireless networks, and security challenges 130 ture (WAPI) 210
wireless networks, and threats in 79 worldwide interoperability for microwave ac-
wireless networks, and vulnerabilities 129–144 cess (WiMAX) 776
wireless networks, channel jamming 130 worm, Cabir 4
wireless networks, illicit use of 81 worm, Mabir 5
wireless networks, intrustion and anomaly wormhole attack 419, 644
detection in 78–94 wormhole attacks 648
wireless networks, passive scanning 81
wireless networks, service set identifier detec- X
tion 81 XML configuration access protocol (XCAP)
wireless networks, sniffing 81 391
wireless networks, spoofing 82 XML document management (XDM) 390
wireless networks, traffic analysis 130
wireless networks, unauthorized access 130 Y
wireless routing protocols 504
Yao graph (YG) 656
Wireless security 724
Wireless Sensor Network (WSN) 209 Z
Wireless sensor networks (WSN) 628
wireless sensor networks (WSN) 617 zone-based IDS (ZBIDS) 425
wireless sensor networks (WSNs) 565
wireless service access, and identity manage-
ment 104–114
12