Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.

Slide 1: Title slide (Raphael Frank, 20 October 2007)

Slide 2: Overview
1. Introduction
2. Authentication in WMN using existing protocols
3. Emerging Security Issues
4. Authentication protocol based on WMN properties
5. Security Analysis
6. Conclusion

Slide 3: Introduction
What is a Wireless Mesh Network (WMN)?
- Mesh Nodes: devices with at least two radio interfaces
  - The mesh nodes together form a wireless (ad hoc) network
  - The second interface (AP) is used by mobile clients to connect to the network
- Hot Spots (HS): mesh nodes equipped with a wired Internet connection
- Transient Access Points (TAP): mesh nodes without a wired Internet connection -> they provide Internet access to mobile clients by using the WMN as a backhaul

Slide 4: Authentication in WMN using existing protocols (1)
Authentication protocols for the state of the art of wireless networks:
- IEEE 802.11: first WiFi standard, released in 1997; provides data encryption and authentication
- IEEE 802.11i: most recent security standard, released in 2004; provides robust data encryption and includes an external authentication framework

Slide 5: Authentication in WMN using existing protocols (2)
IEEE 802.11
- Encryption protocol -> Wired Equivalent Privacy (WEP), based on a shared key (key length 64 or 128 bit)
- Authentication based on knowledge of the shared key
- Security goals:
  - Prevent eavesdropping -> PRIVACY
  - Prevent message modification -> INTEGRITY
  - Network access control -> AUTHENTICATION
- Weaknesses: none of the security goals are met
  - Key stream reuse -> PRIVACY
  - CRC attacks -> INTEGRITY
  - Authentication spoofing -> AUTHENTICATION

Slide 6: Authentication in WMN using existing protocols (3)
IEEE 802.11i
- Encryption protocol -> WiFi Protected Access 1 & 2 (WPA1 & WPA2)
- Provides robust security properties
- Authentication is performed using the Extensible Authentication Protocol (EAP)
  - Needs a centralized authentication server
  - Different authentication possibilities (EAP methods)

Slide 7: Authentication in WMN using existing protocols (4)
Extensible Authentication Protocol (EAP)
- Used in wireless and fixed networks
- Port-based network access authentication framework
- Currently about 40 different EAP methods
- Commonly used methods: EAP-TLS, EAP-TTLS

Slide 8: Emerging Security Issues (1)
Problems with the standard protocols
- Originally developed for the state of the art of wireless networks
- Security only for the first wireless link -> no end-to-end features
  - Privacy: no data encryption after the first hop
  - Authentication: no Layer 2 authentication after the first hop
- Single point of failure: centralized authentication server
- Mesh nodes cannot be considered trustworthy
- No topology authentication

Slide 9: Emerging Security Issues (2)
What are the problems related to the architecture of a WMN?
- Mesh nodes cannot be considered trustworthy
  - They are often deployed in a hostile environment
  - An attacker can spoof and/or take over a mesh node
- No topology authentication
  - An attacker can easily inject a malicious node into the WMN
  - Gain access to the network
  - Perform Denial of Service (DoS)
  - Perform Man-in-the-Middle attacks (MitM)

Slide 10: Definition of a new authentication protocol (1)
Why a new protocol?
- No standardized security protocols for WMN
- The existing protocols do not meet the requirements
What should the protocol provide?
- "Real-time/continuous" authentication -> acceptable performance
- Authentication of every participating node of the WMN -> topology authentication
- Authentication of the network traffic
- Trustworthy mesh nodes -> Mesh Node Access Control
- Attack detection/reaction mechanism

Slide 11: Definition of a new authentication protocol (2)
How does it work?
- Based on digital signatures to verify integrity and authenticity
- Hybrid authentication protocol using symmetric and asymmetric cryptography
  - Offers the best properties in terms of security and performance
- The administrator plays the role of the CA
  - Provides the needed keys to the nodes

Slide 12: Definition of a new authentication protocol (3)
What are the required keys? Every node is in possession of:
- Personal public key (asymmetric)
- Personal private key (asymmetric)
- Personal secret key (symmetric)
- Public key of the administrator (asymmetric)
- Nodelist -> containing the allowed communication neighbors
- After initialization -> the different public/secret keys of the neighbor nodes
The procedure can be subdivided into two operations:
I) Initialization of a new node
II) Information transmission

Slide 13: Definition of a new authentication protocol (4)
Initialization of a new node (asymmetric)
- Node A wants to register to the WMN: A broadcasts an initialization message containing the nodelist, Cert(A) and a signature
- The receiving node B:
  - checks if it is included in the node list (NL)
  - checks the signature -> using the public key of the admin
- B encrypts its secret key and sends it to A
- After a successful decryption, A encrypts its secret key and sends it to B

Slide 14: Definition of a new authentication protocol (5)
Initialization of a new node (asymmetric); node A wants to register to the WMN
(1) Node A, broadcast: NL, Cert(A), SIG{[NL, Cert(A)], PrivK(Admin)}
(2) Node B -> Node A: ENC{[Cert(B), K(B), T1], PubK(A)}
(3) Node A -> Node B: ENC{[K(A), T2], PubK(A)}

Slide 15: Definition of a new authentication protocol (6)
Information transmission (symmetric)
- Every node needs to have the secret key of its neighbor nodes -> Initialization
- Symmetric signature -> Message Authentication Code (MAC) = fingerprint encrypted using a secret key -> faster
- Example: node A wants to send a message to node C via node B
  Message to be transferred by A: [Data | Timestamp | C | Signature], sent via node B

Slide 16: Definition of a new authentication protocol (7)
Information transmission (symmetric)
- The signature is verified and newly generated at every hop of the transmission path
- A different timestamp guarantees a different signature
Message flow between node A, node B and node C (the signing key indicates the sender of each message):
(1) A -> B: MSG, T1, SIG{(MSG, T1), K(A)}
(2) B -> C: MSG, T2, SIG{(MSG, T2), K(B)}
(3) C -> B: MSG, T3, SIG{(MSG, T3), K(C)}
(4) B -> A: MSG, T4, SIG{(MSG, T4), K(B)}

Slide 17: Definition of a new authentication protocol (8)
How to create trustworthy nodes?
- We need to guarantee that an attacker cannot retrieve the sensitive data (keys, nodelist, ...) from a mesh node
- Mesh Node Access Control
  - Before an attacker gains access to a node, the keys are erased and replaced by dummy values
  - Consequence -> neighbor nodes will fail to verify the messages from the attacked node and drop them
- Passive attack detection
  - The node is automatically excluded from the WMN

Slide 18: Definition of a new authentication protocol (9) (figure only; no transcript text)

Slide 19: Security Analysis (1)
Security and performance requirements
- Acceptable performance: YES -> using symmetric signatures
- Topology authentication: YES -> every node participating in a communication is authenticated
- Authentication of the traffic: YES -> the source of every message is known
- Trustworthy mesh nodes: YES -> Mesh Node Access Control
- Attack detection and reaction: YES -> corrupt nodes are detected and excluded from the WMN

Slide 20: Security Analysis (2)
Other security features
- No replay attacks, using timestamps
- No single point of failure -> no centralized entity
- Node spoofing/injection not possible -> topology authentication -> the attacker does not know the needed keys
- A Man-in-the-Middle attack can be used to perform DoS
  - If an attacker modifies a transient message, it will be discarded
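The hop-by-hop symmetric transmission of slides 15 to 17 and the replay and integrity claims of slide 20 can be exercised in a small simulation. The following is an added example written for this transcript, not code from the presentation or the Secan-Lab project: it models the symmetric signature SIG{(MSG, T), K} as HMAC-SHA256, uses a constructed three-node chain A - B - C, and assumes two policy values the slides do not state (a 30-second timestamp freshness window and exclusion of a neighbour after three consecutive verification failures). The asymmetric initialization of slides 13 and 14 is abstracted to the exchange of secret keys between nodes that list each other in their nodelist; the certificate and encryption steps are not modelled.

```python
import hashlib
import hmac
import os

# Assumed policy values (not from the slides): freshness window for timestamps and
# how many consecutive verification failures mark a neighbour as corrupt.
REPLAY_WINDOW = 30
EXCLUDE_AFTER = 3


def mac_sign(key: bytes, msg: bytes, timestamp: int) -> bytes:
    """Symmetric signature SIG{(MSG, T), K} from slide 16, realised as HMAC-SHA256.
    Binding the timestamp gives a different signature for the same MSG at every hop."""
    return hmac.new(key, msg + b"|" + str(timestamp).encode(), hashlib.sha256).digest()


class MeshNode:
    def __init__(self, name: str, nodelist):
        self.name = name
        self.nodelist = set(nodelist)      # NL: allowed communication neighbours
        self.secret_key = os.urandom(32)   # K(self), the personal (symmetric) secret key
        self.neighbor_keys = {}            # K(neighbour), obtained during initialisation
        self.seen = set()                  # (sender, T, MAC) already accepted -> replay check
        self.failures = {}                 # consecutive verification failures per neighbour
        self.excluded = set()              # neighbours excluded from the WMN

    def initialize_with(self, other: "MeshNode") -> None:
        """Stands in for the asymmetric exchange of slides 13-14: afterwards each side
        holds the other's secret key. The nodelist check is the one B performs on the
        broadcast; certificates and the RSA encryption steps are not modelled (assumption)."""
        if other.name not in self.nodelist or self.name not in other.nodelist:
            raise PermissionError(f"{self.name}/{other.name}: not in each other's nodelist")
        self.neighbor_keys[other.name] = other.secret_key
        other.neighbor_keys[self.name] = self.secret_key

    def send(self, msg: bytes, timestamp: int):
        """Build (sender, MSG, T, SIG{(MSG, T), K(sender)})."""
        return (self.name, msg, timestamp, mac_sign(self.secret_key, msg, timestamp))

    def receive(self, packet, now: int):
        """Verify one hop; return MSG on success, None if the packet is dropped."""
        sender, msg, timestamp, mac = packet
        key = self.neighbor_keys.get(sender)
        if key is None or sender in self.excluded:
            return None                                     # unknown or already excluded
        if abs(now - timestamp) > REPLAY_WINDOW or (sender, timestamp, mac) in self.seen:
            return None                                     # stale or replayed
        if not hmac.compare_digest(mac, mac_sign(key, msg, timestamp)):
            self.failures[sender] = self.failures.get(sender, 0) + 1
            if self.failures[sender] >= EXCLUDE_AFTER:
                self.excluded.add(sender)                   # passive attack detection
            return None
        self.failures[sender] = 0
        self.seen.add((sender, timestamp, mac))
        return msg

    def wipe_keys(self) -> None:
        """Mesh Node Access Control (slide 17): before an attacker can read the node,
        its key material is replaced by dummy values."""
        self.secret_key = bytes(32)
        self.neighbor_keys = {n: bytes(32) for n in self.neighbor_keys}


def relay(path, msg: bytes, start: int):
    """Forward MSG along path; every hop verifies with the sender's key and re-signs
    with its own key under a fresh timestamp (messages (1) and (2) of slide 16)."""
    now = start
    for hop, nxt in zip(path, path[1:]):
        accepted = nxt.receive(hop.send(msg, now), now)
        if accepted is None:
            return None
        msg = accepted
        now += 1                      # constructed clock: one second per hop
    return msg


def run_scenarios():
    """Constructed chain A - B - C; returns the outcome of each scenario."""
    a, b, c = MeshNode("A", ["B"]), MeshNode("B", ["A", "C"]), MeshNode("C", ["B"])
    a.initialize_with(b)
    b.initialize_with(c)
    out = {}
    out["delivered"] = relay([a, b, c], b"hello C", start=1000)
    # In-transit modification between A and B: B's verification fails, packet dropped.
    name, _msg, ts, mac = a.send(b"hello C", 2000)
    out["tampered"] = b.receive((name, b"hello X", ts, mac), 2000)
    # Replay of a packet B already accepted.
    pkt = a.send(b"again", 3000)
    out["first"] = b.receive(pkt, 3000)
    out["replayed"] = b.receive(pkt, 3005)
    # Stale packet outside the freshness window.
    out["stale"] = b.receive(a.send(b"old", 4000), 4000 + REPLAY_WINDOW + 1)
    # A is attacked: its keys are wiped, so its signatures no longer verify at B.
    a.wipe_keys()
    for t in range(5000, 5000 + EXCLUDE_AFTER):
        b.receive(a.send(b"from attacked node", t), t)
    out["excluded"] = "A" in b.excluded
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Two points the simulation makes visible that the slides only state: the freshness window and the seen-set together are what turn "timestamps" into replay protection (a timestamp alone does not stop an attacker resending a packet inside the window), and because each hop re-signs with its own key, C can only vouch that B sent a valid message, not that A's original was untouched, which is why the slides rely on Mesh Node Access Control to keep the intermediate nodes themselves trustworthy.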

Slide 21: Conclusion
What's next?
- Extend the authentication protocol
  - Implementation of a prototype
  - Client/user authentication
  - Add an administration procedure
    - Remotely reintroduce an attacked node into the WMN
    - Attack reporting
- Privacy and performance on WMN need to be considered as well
- Release of a security standard for WMN: IEEE 802.11s?

Slide 22: The end ... Thank you for your attention. Questions?
Raphael.Frank@uni.lu
Wiki.uni.lu/Secan-Lab
