Securing Wireless Mesh Networks Yanchao Zhang Department of Electrical & Computer Engineering New Jersey Institute of Technology In collaboration with: Professor Yuguang “Michael” Fang Department of Electrical & Computer Engineering University of Florida 2007 Network/Computer Security Workshop Lehigh University, May 2007
Securing Wireless Mesh Networks
Yanchao Zhang
Department of Electrical & Computer Engineering
New Jersey Institute of Technology
In collaboration with:
Professor Yuguang “Michael” Fang
Department of Electrical & Computer Engineering
University of Florida
2007 Network/Computer Security Workshop
Lehigh University, May 2007
2/43
Roadmap
Introduction to wireless mesh networks
  Necessity, architecture, state of the art
Deployment practices
  Seattle, New York, San Francisco, London, Rome, Paris…
9/43
Roadmap
Introduction to wireless mesh networks
  Necessity, architecture, state of the art
Security issues
Our solutions
Conclusion & future work
Other security projects
10/43
Classification
Infrastructure security
  Security of signaling and data traffic transmitted over the wireless mesh backbone
Application security
  Security of mesh clients’ concrete applications
Network access security
  Security of communications among a mesh router and mesh clients it serves
11/43
Network Access Security
Why difficult to achieve?
  Mesh routers are designed to accept open access requests from most likely unknown mesh clients
  Open access to wireless channels
  Multi-hop, cooperative communications
  Dynamic network topology due to client mobility
[Figure: Internet, WMN backbone; label "Our goal"]
12/43
Network Access Security Issues
Router-client authentication
Router-client key agreement
Client-client authentication
Client-client key agreement
[Figure: Internet, WMN backbone; label "Our goal"]
13/43
Network Access Security Issues
Bogus-beacon flooding attack
Allowing the attacker to
  Beguile mesh clients into always processing beacons
  Impede the Internet access of mesh clients
[Figure: Internet, WMN backbone, mesh; beacon and bogus beacon]
14/43
Network Access Security Issues
Incontestable billing
Location privacy
  Mesh clients can travel incognito
Secure routing and MAC protocols
When Internet marries multi-hop wireless
  DoS/DDoS mitigation, worm detection &
Analysis
  A router performs one signature generation every n broadcast beacons
  A client carries out one signature verification every n broadcast beacons
[Figure: timeline t of beacons b1, b2, b3, b4, …, bn, bn+1, …, b2n and b'1, with the super beacon interval marked]
37/43
Incontestable Billing
Challenges
  WMN operators may overcharge
  Mesh clients may deny the received network services
  Intermediate clients desire reward for forwarding traffic
Our solution: a real-time hash-chain approach
[Figure: R1,1 and C1,1]
38/43
Incontestable Billing
C1,1
  Create a one-way hash chain with each hash value associated with a monetary value x0
  $b_1 \xleftarrow{h} b_2 \xleftarrow{h} \cdots \xleftarrow{h} b_{n-2} \xleftarrow{h} b_{n-1} \xleftarrow{h} b_n$
  Send the signed (b1, x0) to R1,1 as a payment commitment
  Periodically release hash values in sequence
R1,1
  Record the signed (b1, x0) and the last bm s.t. $b_1 = h^{m-1}(b_m)$
  Redeem bm at broker B1 and get paid $m x_0$
39/43
Incontestable Billing
How to pay intermediate clients?
  C1,1 pays R1,1 what R1,1 and others should get
  R1,1 pays each client using the hash-chain approach
  Merit: each client just has a payment relationship with R1,1 instead of each of other clients
Analysis
  Each client must pay in real time to avoid service cutoff
  He cannot deny the payment due to the signed commitment
  Operators cannot fake hash values to overcharge clients
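The hash-chain billing steps on the Incontestable Billing slides, written out as an added Python example (not code from the original slides): the client builds the chain, the router checks each released value, and the broker pays m·x0 only if b1 = h^(m-1)(bm). SHA-256 as h, the chain length 10 and the unit value 5 are assumptions made for the example, and the signature on (b1, x0) is assumed to have been verified already.

```python
import hashlib
import os

def h(value):
    """One-way hash h; SHA-256 is an assumption, the slides do not name one."""
    return hashlib.sha256(value).digest()

def make_chain(n, seed):
    """Client side: return [b1, ..., bn] with b_i = h(b_{i+1}) and b_n = seed."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain

class RouterLedger:
    """Router side: hold the committed (b1, x0) and the last valid b_m."""
    def __init__(self, b1, x0):
        self.b1, self.x0 = b1, x0
        self.last, self.m = b1, 1

    def accept(self, released):
        # A genuine next value hashes to the value already held.
        if h(released) != self.last:
            return False
        self.last, self.m = released, self.m + 1
        return True

def redeem(b1, x0, bm, m):
    """Broker side: pay m*x0 only if b1 == h^(m-1)(bm), otherwise 0."""
    value = bm
    for _ in range(m - 1):
        value = h(value)
    return m * x0 if value == b1 else 0

def demo():
    chain = make_chain(10, os.urandom(32))    # constructed sample, n = 10
    x0 = 5                                    # constructed unit value
    ledger = RouterLedger(chain[0], x0)       # signed (b1, x0) assumed verified
    accepted = [ledger.accept(b) for b in chain[1:4]]  # client releases b2..b4
    forged = ledger.accept(os.urandom(32))    # router cannot invent b5 itself
    replayed = ledger.accept(chain[2])        # an old value is not new payment
    paid = redeem(ledger.b1, x0, ledger.last, ledger.m)
    overclaim = redeem(ledger.b1, x0, ledger.last, ledger.m + 1)
    return {"accepted": accepted, "m": ledger.m, "forged": forged,
            "replayed": replayed, "paid": paid, "overclaim": overclaim}

if __name__ == "__main__":
    print(demo())
```

The overclaim case is the "operators cannot fake hash values" point: claiming m+1 with only bm fails the broker's check because the router would need a preimage of bm.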
40/43
Location Privacy
Mesh clients prefer to travel incognito
  Remain anonymous to both visited WMN operators and potentially malicious eavesdroppers
Solution
  A client uses dynamic (pass, pass-key) pairs
  A secure, lightweight way to refresh client pass/pass-key pairs
41/43
Conclusion
Identified security requirements & challenges in multi-hop wireless mesh networks
Proposed a client-broker-operator trust model
Presented efficient solutions to
  Router-client and client-client AKA
  Mitigating bogus-beacon flooding attack
  Incontestable billing
  Location privacy
42/43
Future Work
Secure wireless mesh backbone
Secure routing and MAC protocols
When Internet marries multi-hop wireless
  DoS/DDoS mitigation
  Worm detection & prevention
  IP traceback
  Intrusion detection
  …