Evaluating IEEE 802.

11s Against Security Requirements of Wireless Mesh Networks

Andr Egners e
UMIC Research Center, RWTH Aachen University Email: http://itsec.rwth-aachen.de/people

AbstractWireless Mesh Networks (WMNs) surely are one of the most prominent trends for Next Generation Networks. Their future success, however, depends on their security features. We introduce detailed security requirements for WMNs that can be used to analyze existing and future security architectures for WMNs. As an example we present an analysis of IEEE 802.11s with respect to these security requirements.

I. I NTRODUCTION Wireless Mesh Networks (WMN) represent the fusion of ad-hoc and infrastructure wireless networking. The infrastructure of WMNs, namely mesh routers, are connected in an ad-hoc fashion exhibiting all pros and cons. Clients can be part of the infrastructure providing routing and connectivity for other clients that cannot directly reach mesh routers. The notion of coverage extension by using regular clients and the communication over a wireless backbone introduce new security threats. In [1] the new security challenges arising from WMNs were identied as the detection of corrupted nodes, secure multi-hop routing and fairness wrt. to the distribution of network resources. While these challenges are generally accepted in literature, a more detailed generally accepted list of security requirements for WMNs is still missing. As a consequence, it is hard to evaluate strengths, weaknesses, and open issues of existing proposals such as the IEEE 802.11s standard. In this paper we take a rst step towards dening security requirements for WMNs and use them as basis to evaluate the security features provided by IEEE 802.11s [2]. II. S ECURITY R EQUIREMENTS This section introduces communication patterns and security requirements wrt. Wireless Mesh Networks. In the following we will refer to a mesh client as MC, mesh router as MR, mesh gateway as MG and mesh access point as MAP. MCs can either be legacy clients or regular clients with mesh routing functionality. MRs are the entities forming the wireless backbone and connected to other MRs in a wireless fashion. MRs that also serve as rst hop for network access of MCs are referred to as MAPs. A MG provides access to other networks, e.g. to the Internet. Communication Patterns in WMNs between the different network entities include the following: MC MC, MCMR and MC MG MR MG, MR MR MCMC communication refers to communication between two clients located in the same WMN. MCMR communication refers to the communication between MC and the associated MAP. MCMG communication refers to trafc destined to leave the WMN through the MG, e.g. to a destination somewhere on the Internet. This may also include management trafc, e.g. when communicating with a AAA-Server located outside of the WMN. MRMR communication refers to all trafc between MRs. MRMG communication can be considered as special cases of MRMR. It may can include management trafc, but also forwarded user trafc.

Condentiality is required between two MCs to prevent intermediate MRs, MCs and outsiders from eavesdropping on the communication. While encryption between MC and MR/MAP would prevent eavesdropping on the initial wireless connection, it does not safeguard against eavesdropping by other MRs, MCs and outsiders located on the path segment after the initial hop. Therefore, we require MCMG communication to be condential. This counters eavesdropping threats originating from intermediate MRs, MAPs, and MCs. Additionally MRMR communication may also be condential. For example, if user trafc is condential between MCMG, information who communicates with whom can still be leaked by the routing protocol. Integrity and replay protection are both important for all of the introduced communication patterns. Just as condentiality, integrity and replay protection are both required between two MCs, MCMAP, and MCMG. However, integrity and replay protection are also required for MRMR as well as MRMG communication. Note that one can argue that assuming condentiality of MCMG communication, integrity without additional condentiality is sufcient on the rst hop between MCMAP. The MAP can simply check whether the MCs trafc is allowed to pass. Within the WMN integrity can be attained between MRs in a hop-by-hop fashion and the MRs checking the trafc for its legitimacy. Access Control entails authentication and authorization of network entities. It is required to control which entities are allowed to access the network. Entity authentication can be combined with key establishment to bootstrap integrity and encryption mechanisms. Authentication is equally important for user and operator, since users need to ensure that the network is the one it claims to be, as well as vice versa. Access control is required for MCs as well as newly joining MRs, MAPs, and MGs Privacy is similar to condentiality, but is not automatically achieved alongside. Privacy issues can for example arise when authenticating a MC to a MAP. Although the communication can be kept condential between MAP and MC, the MAP could still learn identity attributes of the MC. In context of mobility and repeated authentication, tracking also becomes an issue that cannot solely be solved by keeping the communication between MC and MAP condential. Availability in WMNs is of importance wrt. network access itself, as well as access to offered services and QoS parameters. For example, if a AAA-Server is used for access control, its availability is of vital importance for network access. Fairness can directly be inuenced by attacking the availability, since denying access to certain parts of the network can be considered unfair. Fairness in wireless networks is, however, typically related to radio channel access and access to the available network bandwidth. This is of particular importance in WMNs, since multi-hop communication imposes additional challenges to the fair distribution of bandwidth. MCs that communicate with a MG over multiple hops

share the available bandwidth with other nodes that are connected to the routers on the respective path. Non-repudiation is especially important in the context of correct billing. It enables one or multiple service providers to securely differentiate users. With a mechanism in place, a user cannot deny having committed specic actions. III. IEEE 802.11 S - M ESH N ETWORKING Recent IEEE effort to standardize wireless mesh networking is still in draft status. As opposed to typical wireless network access control, i.e. 802.11i, this amendment discards the notion of supplicant and authenticator. 802.11s introduces a protocol to simultaneously authenticate two arbitrary peers - both of which can initiate the authentication protocol and do not necessarily have to be direct neighbors. The new protocol is called Simultaneous Authentication of Equals (SAE) and results in a pairwise master key (PMK) shared between two peers. The authentication protocol assumes a pre-shared secret, namely a password to be known to all legitimate network entities. A so-called Abbreviated Handshake is used for authenticating peers that already share a PMK, effectively using less messages than SAE. Simultaneous Authentication of Equals: The computations used by SAE are either based on Elliptic Curve Cryptography (ECC) or prime modulus nite cyclic groups. In the following we use the notation of ECC-based SAE in which P (x, y) represents a point on a publicly known elliptic curve of the form y 2 = x3 + ax + b. By inv we refer to the additive inverse element of a point on the elliptic curve. SAE uses four messages to authenticate two peers in a simultaneous fashion. The message ow of SAE between parties A and B is depicted in Figure 1. In the rst step the initiating peer generates a password element (PWE) which represents a point on an elliptic curve. The PWE is combined with a hash m containing a combination of MAC addresses of the respective two peers by scalar multiplication to N = P W E m. The initiating peer A constructs a commit scalar csA = (randA + maskA ) mod r and a commit element ceA = inv(maskA N ). randA refers to a random number which is essential to computing the key to be shared by both peers. maskA is another value used to blind the transferral of the random number. Upon reception of a peers commit, both peers are able to compute the same secret k using a predened key derivation function F . k is derived by each party based on the other partys commit message, its own random random number, and N such that A computes k = F ((randA (csB N +ceB )) and B computes k = F ((randB (csA N + ceA )). The computation effectively represents a password authenticated ECC Dife-Hellman key exchange. Both peers will then build a conrmation message, namely a hash of the secret k, a replay-protection counter and the previously exchanged cs and ce values. If the received conrm message equals the expected result, authentication is considered successful. If authentication was successful, both peers will generate a pairwise master key as P M K = H(k counter (csA + csB ) mod r F (ceA +ceB )). Once a PMK has been successfully established, it can later on be used during the Abbreviated Handshake. The PMK is used to construct a key hierarchy in which a 128bit Abbreviated Handshake Key Conrmation Key (AKCK), a 256bit Abbreviated Handshake Key Encryption Key (AKEK), and a 128bit Mesh Temporal Key (MTK) are computed. The keys AKCK and AKEK are static in the sense that they can be used to provide data origin authenticity and data condentiality in multiple runs of the Abbreviated Handshake and Group Key Handshake. The AKEK is used to encrypt the GTK during the Abbreviated Handshake. The

MTK is used to protect the communication between two peers and derived in a more dynamic manner by also using freshly generated random numbers of both peers as input to the key derivation function. The PMK, AKCK and AKEKs lifetime is limited by the passwords lifetime, whereas the MTK should be regenerated on each peering instance.

Fig. 1.

ECC-based Simultaneous Authentication of Equals (SAE)

Abbreviated Handshake: The goal of the protocol is to generate a fresh MTK between two peers that already share a PMK. The new MTK is randomized by using two fresh random numbers selected by the peers. Since the peers share a PMK and therefore AKCK and also AKEK, the exchange of the nonces can be integrity protected. The protocol consists of two messages, i.e. a Peering Open Frame which also contains the random number and a Peering Conrm Frame containing the nonce of the respective other peer. Analysis: The proposed security features offered by the recent IEEE 802.11s draft are rudimentary and inexible. Although, password based network access can obsolete complex authentication and management infrastructure, it introduces unnecessary inexibility to a type of network that is supposed to be highly dynamic in nature. Once a peer knows the password in use he can access the network. Since the only additional identity attribute used in the protocols is the MAC address of a peer, impersonation of arbitrary peers by other peers is possible. Since routers are also considered to be peers just as clients, an attacker in possession of the password could impersonate the network to a client. The issue of excluding a specic client or router from the network is not addressed. The operator would have to change the password used to control the network access, i.e. restart the whole network. IV. C ONCLUSION SAE and the Abbreviated Handshake allow for the establishment of keys between any two peers in a WMN. However, a password-based authentication seems ill t to the exibility requirements of WMNs such as mobility and rejecting network entities after participating in the network. In addition 802.11s does neither cover access control and MCMG communication protection, nor does it address privacy, fairness and availability requirements. R EFERENCES
[1] N. Ben Salem and J.-P. Hubaux, Securing Wireless Mesh Networks, Wireless Communications, IEEE, 2006. [2] IEEE 802.11s Task Group, Amendment: ESS Mesh Networking, IEEE P802.11s/D3.0.