<<

. 66
( 87 .)



>>

wireless networks are susceptible to security attacks ranging from passive eavesdropping
to active interfering and DoS attacks; occasional break-ins in a large-scale mobile net-
work are inevitable over a large time interval; ad hoc networks provide no infrastructure
support; mobile nodes may constantly leave or join the network; mobility-induced wire-
less links breakage/reconnection and wireless channel errors make timely communica-
tions over multiple hops highly unreliable; and a scalable solution is a must for a large-
scale network. However, the provision of basic security services such as authentication,
confidentiality, integrity, and nonrepudiation is critical in order to deploy the mobile wire-
less ad hoc technology in commercial and military environments.
Authentication services specific to the ad hoc environment have been recently studied
by the research community in order to come up with a fully self-organized architecture to
overcome the limitations intrinsic to the secure routing protocols that have been presented
in Section 12.2.2.
The basic assumption adopted by some secure routing protocols such as SRP is the ex-
istence of an a priori security association between all the communicating nodes of the net-
work. The limitations introduced by this approach range from the need for a managed en-
vironment, such as a common authority that precharges all the mobile terminals with a
secret key shared by every couple of communicating nodes, to scalability problems.
Other secure routing protocols (such as Ariadne) rely on an initialization phase during
which a well-known trusted third party (TTP) issues public key certificates used to authen-
ticate (together with the private key of each certificate holder) hash chain elements that will
344 AD HOC NETWORKS SECURITY


be subsequently used to provide some low-cost (in terms of CPU usage) authentication ser-
vices. In this case, the use of such a secure protocol is not limited to the managed environ-
ment, and the open environment can be targeted. Indeed, it is not necessary for the mobile
nodes that form the ad hoc network to be managed by the same authority that provides the
initial authentication setup. However, the bootstrap phase requires an external infrastruc-
ture, which also has to be available during the lifetime of the ad hoc network to provide re-
vocation services for certificates that have expired or been explicitly revoked.
Current efforts to provide scalable, fully self-organized public key infrastructure and
authentication services can be classified into two categories: one based on a PGP-like ar-
chitecture and one based on the polynomial secret sharing technique. These are presented
in the next sections.

12.4.1 Self-Organized Public-Key Management Based on PGP
Capkun, Buttyan, and Hubaux propose a fully self-organized public key management sys-
tem that can be used to support security of ad hoc network routing protocols [21]. The
suggested approach is similar to PGP [22] in the sense that users issue certificates for
each other based on their personal acquaintances. However, in the proposed system, cer-
tificates are stored and distributed by the users themselves, unlike in PGP, where this task
is performed by on-line servers (called certificate directories). In the proposed self-orga-
nizing public-key management system, each user maintains a local certificate repository.
When two users want to verify the public keys of each other, they merge their local cer-
tificate repositories and try to find appropriate certificate chains within the merged repos-
itory that make the verification possible.
The success of this approach very much depends on the construction of the local cer-
tificate repositories and on the characteristics of the certificate graphs. By a certificate
graph is meant to be a graph whose vertices represent public keys of the users and the
edges represent public key certificates issued by the users. The authors investigate several
repository construction algorithms and study their performance. The proposed algorithms
take into account the characteristics of the certificate graphs in a sense that the choice of
the certificates that are stored by each mobile node depends on the connectivity of the
node and its certificate graph neighbors.
More precisely, each node stores in its local repository several directed and mutually
disjoint paths of certificates. Each path begins at the node itself, and the certificates are
added to the path such that a new certificate is chosen among the certificates connected to
the last node on the path (initially the node that stores the certificates). The new certificate
leads to the node that has the highest number of certificates connected to it (i.e., the high-
est vertex degree). The authors call this algorithm the Maximum Degree Algorithm, as the
local repository construction criterion is the degree of the vertices in a certificate graph.
In a second, more sophisticated, algorithm that is called the Shortcut Hunter Algorithm,
certificates are stored in the local repositories based on the number of shortcut certificates
connected to the users. The shortcut certificate is a certificate that, when removed from
the graph, makes the shortest path between two users previously connected by this certifi-
cate strictly larger than two.
When verifying a certificate chain, the node must trust the issuer of the certificates in
the chain for correctly checking that the public key in the certificate indeed belongs to the
node identification (ID) named in the certificate. When certificates are issued by the mo-
bile nodes of an ad hoc network instead of trusted authorities, this assumption becomes
345
12.4 KEY MANAGEMENT


unrealistic. In addition, there may be malicious nodes that issue false certificates. In order
to alleviate these problems, the authors propose the use of authentication metrics [23]: it is
not enough to verify a node ID key binding via a single chain of certificates. The authen-
tication metric is a function that accepts two keys (the verifier and the verified node) and
a certificate graph and returns a numeric value corresponding to the degree of authentici-
ty of the key that has to be verified: one example of an authentication metric is the num-
ber of disjoint chains of certificates between two nodes in a certificate graph.
The authors emphasize that before being able to perform key authentication, each node
must first build its local certificate repository, which is a relatively expensive operation
(in terms of bandwidth and time). However this initialization phase must be performed
rarely and once the certificate repositories have been built, any node can perform key au-
thentication using only local information and the information provided by the targeted
node. It should also be noted that local repositories become obsolete if a large number of
certificate are revoked, as then the certificate chains are no longer valid. The same com-
ment applies in the case when the certificate graph changes significantly. Furthermore,
PGP-like schemes are more suitable for small communities because that the authenticity
of a key can be assured with a higher degree of trustworthyness. The authors propose the
use of authentication metrics to alleviate this problem: this approach however provides
only probabilistic guarantees and is dependent on the characteristics of the certificate
graph on which it operates. The authors also carried out a simulation study showing that
for the certificate graphs that are likely to emerge in self-organized systems, the proposed
approach yields good performance both in terms of the size of the local repository stored
in each node and scalability.

12.4.2 Ubiquitous and Robust Authentication Services Based on
Polynomial Secret Sharing
In [24], Luo and Lu present a mechanism that provides ubiquitous authentication service
availability by taking a certificate-based approach. In the proposed scheme, any two com-
municating nodes can establish a temporary trust relationship via globally verifiable cer-
tificates. With a scalable threshold sharing of the certificate signing key, certification ser-
vices (issuing, renewal, and revocation) are distributed among each node in the network: a
single node holds just a share of the complete certificate signing key. Although no single
node has the power of providing full certification services, multiple nodes in a network lo-
cality can collaboratively provide such services.
The authors propose a localized trust model to characterize the localized nature of se-
curity concerns in large ad hoc wireless networks. When applying such trust model, an en-
tity is trusted if any k trusted entities claim so. These k trusted entities are typically the
neighboring nodes of the entity. A locally trusted entity is globally accepted and a locally
distrusted entity is regarded untrustworthy anywhere. k is a system-wide parameter that
sets the global acceptance criteria and should be honored by each entity in the system.
The basic assumptions that are necessary for the security mechanism to function prop-
erly are: 1) each node has a unique nonzero identifier (ID), such as its MAC layer address;
2) each node has some one-hop discovery mechanism; 3) each node has at least k one-hop
legitimate neighboring nodes, or the network has a minimum density of well-behaving
nodes; 4) each node is equipped with some detection mechanism to identify misbehaving
nodes among its one-hop neighborhood; 5) the mobility is characterized by a maximum
node-moving speed Smax.
346 AD HOC NETWORKS SECURITY


In the security architecture proposed [24], each node carries a certificate signed by
the shared certificate-signing key SK, and the corresponding public key PK is assumed
to be well known by all the nodes of the network, so that certificates are globally veri-
fiable. Nodes without valid certificates will be isolated; that is, their packets will not
be forwarded by the network. Essentially, any node without a valid certificate is treated
the same as adversaries. When a mobile node moves to a new location, it exchanges cer-
tificates with its new neighbors and goes through a mutual authentication process
to build trust relationships. Neighboring nodes with such trust relationships help each
other to forward and route packets. They also monitor each other to detect possible at-
tacks and break-ins. Specific monitoring algorithms and mechanisms are left to each in-
dividual node™s choice. When a node requests a signed certificate by the coalition of k
nodes, each of the certificate issuing nodes checks its record on the requesting node. If
the record shows that the requestor is a well-behaving legitimate node, it returns a par-
tial certificate by applying its share of SK. Otherwise, the request is dropped. By col-
lecting k partial certificates, the requesting node combines them together to generate the
full new certificate as if it were issued from a certification authority server. A misbe-
having or broken node that is detected by its neighbors will be unable to get a new cer-
tificate.
The security of the certificate-signing key SK is protected by a k-threshold polynomial
sharing mechanism. However, this technique requires a bootstrapping phase in which a
“dealer” has to privately send to each node its share of the SK. The authors propose a scal-
able initialization mechanism that they called “self-initialization.” In this case, the dealer
is only responsible for initializing the very first k nodes, no matter how large the network
is. The initialized nodes collaboratively initialize other nodes; repeating this procedure,
the network progressively self-initializes itself. The same mechanism is applied when new
nodes join the network.
Certificate revocation is also handled by the proposed architecture and an original ap-
proach to handle roaming adversaries is presented. Without this additional mechanism,
any misbehaving node that moves to a location of the network where its new neighbors
have no information in their monitoring records about the attacker could get a new valid
certificate. Roaming nodes are defeated with the flooding of “accusation” messages that
travel in the network and inform distant nodes about the behavior of a suspect node. Accu-
sation messages are accepted only if they come from well-behaving nodes and have a spe-
cific time-to-live (TTL) field that is calculated based on the maximum node speed speci-
fied in the assumptions.
The main drawbacks of the proposed architecture range from the necessity for an ex-
ternal, trusted dealer that initializes the very first k nodes of a coalition, to the choice of
the system-wide parameter k. To cope with the first problem, the authors propose to use a
distributed RSA key-pair generation [25] for the very first k nodes. On the other hand, no
practical solutions are presented to cope with the strong assumption that every node of the
network has at least k trusted and noncompromised neighbors. This limitation makes the
proposed architecture useless for all the nodes that are located at the perimeter of the ad
hoc network. More over, the authors assume that any new node that joins the system al-
ready has an initial certificate. Initial certificates can be obtained in two ways: every node
may be issued an initial certificate by an offline authority, or every new node may use any
coalition of k neighbors to issue the initial certificate via a collaborative admission control
mechanism. These problems reduce the effectiveness of the proposed architecture as a ful-
ly self-organized infrastructure.
347
12.5 SECURITY MECHANISMS IN LAYER 2


12.5 SECURITY MECHANISMS IN LAYER 2

This section presents data-link-layer security solutions that are suitable for MANET. The
most prevalent solutions are the security mechanisms that function as part of 802.11 and
Bluetooth specifications. Further to a detailed overview of their specifications, the weak-
nesses of each solution is analyzed. The relevance of these solutions with respect to the
security requirements of MANET are then discussed.

12.5.1 Wired Equivalent Privacy (WEP)
The first security scheme provided in the series of IEEE 802.11 standards is Wired Equiv-
alent Privacy (WEP), specified as part of the 802.11b Wireless Fidelity (Wi-Fi) standard
[26]. WEP was originally designed to provide security for wireless local area networks
(WLAN) with a level of protection that is similar to the one expected in wired LANs. The
latter enjoy security and privacy due to their physical security mechanisms like building
access control. Physical security mechanisms, unfortunately, do not prevent eavesdrop-
ping and unauthorized access in case of wireless communications. WEP thus aims at cov-
ering the lack of physical security of WLANs with security mechanisms based on cryp-
tography. Unfortunately, WEP suffers from various design flaws and some exposure in the
underlying cryptographic techniques that seriously undermine its security claims.

12.5.1.1 WEP Security Mechanisms. WEP security mechanisms include data en-
cryption and integrity. Both mechanisms are handled simultaneously for each frame, as il-
lustrated in Figure 12.1.
To prepare a protected frame, first an integrity check value (ICV) of the frame payload
is computed using a cyclic redundancy check (CRC) function. The cleartext payload con-
catenated with ICV is then encrypted using a bit-wise exclusive-or operation with a
keystream as long as the payload concatenated with ICV. The keystream is a pseudoran-
dom bit stream generated by the RC4 [28] algorithm from a 40-bit secret key prepended




Figure 12.1. WEP frame security mechanisms.
348 AD HOC NETWORKS SECURITY


with a 24-bit initialization value (IV). The resulting protected frame includes the cleartext
frame header, the cleartext IV, the result of the encryption, and a cleartext frame-check se-
quence field.
The recipient of a WEP frame first generates the keystream with RC4 using the shared
secret key and the IV value retrieved from the received frame. The resulting keystream is
exclusive-ored with the encrypted field of the frame to decrypt the payload and the ICV.
The integrity of the payload is then checked by comparing the integrity check computed
on the cleartext payload with the ICV resulting from the decryption.
The secret key can either be a default key shared by all the devices of a WLAN or a
pair-wise secret shared only by two communicating devices. Since WEP does not provide
any support for the exchange of pair-wise secret keys, the secret key must be manually in-
stalled on each device.

12.5.1.1.1 Security Problems in WEP. WEP suffers from many design flaws and
some weaknesses in the way the RC4 cipher is used Data encryption in WEP is based on
an approximation of the “one-time pad” [28] algorithm that can guarantee perfect secrecy
under some circumstances. Like WEP encryption, one-time pad encryption consists of the
bit-wise exclusive-or between a binary plaintext message and a binary keystream as long
as the message. The secrecy of the resulting ciphertext is perfect provided that each new
message is encrypted with a different secret random keystream. The secrecy is not guaran-
teed when the keystream is reused or its values can be predicted. Hence, a first class of at-
tacks on WEP exploit possible weaknesses in WEP™s keystream generation process that
make the secret keystream easily predictable or cause its reuse.
The first type of exposure is due to the likeliness of keystream reuse between a pair of
communicating devices. Using the same secret key, the only variation in the input to the
keystream generator is due to the variation in the IV. Since the IV is a 24-bit value sent in
cleartext, the reuse of a keystream can be easily detected. The reuse of a keystream is also
very likely because of the small set of possible IV values that can be exhausted in a few
hours in busy traffic between two nodes. This type of exposure gets even worse if some
care is not taken during the implementation of the standard: some products set the IV to a
constant value (0 or 1) at the initialization of the encryption process for each frame se-
quence. The second type of exposure is due to the use of a 40-bit secret that is highly vul-
nerable to exhaustive search with current computational power.
WEP data encryption is also exposed through an advanced attack that takes into ac-
count the characteristics of the RC4 algorithm [29] and drastically reduces the set of pos-
sible keystream values based on the attacker™s ability to recover the first byte of encrypted
WEP payload.
Another class of exposure on WEP concerns the data integrity mechanism using CRC
in combination with the one-time pad encryption. Encryption using exclusive-or opera-
tion is transparent with respect to modification, in that flipping bits of the encrypted mes-
sage causes flipped bits on the same positions of the cleartext values resulting from de-
cryption. As opposed to a cryptographically secure hash function, an integrity check
computed with CRC yields predictable changes on the ICV with respect to single-bit
modifications on the input message. Combining the transparency of exclusive-or with the
predictable modification property of CRC, an attacker can flip bits on well-known posi-
tions of an encrypted WEP payload and on the corresponding positions of the encrypted
ICV so that the resulting cleartext payload is modified without the modification being de-
tected by the recipient. It should be noted that the transparent modification of the WEP
349
12.5 SECURITY MECHANISMS IN LAYER 2


payload does not require the knowledge of the secret payload value since the attacker only
needs to know the location of some selected fields in the payload to force tampering with
their value.
The last weakness of WEP is the lack of key management that is a potential exposure
to most attacks exploiting manually distributed secrets shared by large populations.

<<

. 66
( 87 .)



>>