Adaptive and Resilient Security for Multi-hop Multi-media Mobile Wireless Middleware
Ph.D. Dissertation Prospectus
Jiejun Kong
Computer Science Department
University of California, Los Angeles
Los Angeles, CA 90095
Advisor: Mario Gerla
The proposed dissertation work focuses on adaptive and resilient security solutions for mobile applications in ad-hoc networks interconnected with wired infrastructure. Mobile middleware hides the complexity of underlying networks and provides a complete support environment for mobile applications. A diverse range of mobile networks will appear as a seamless, homogeneous communications medium. Differences in these networks appear to applications–and therefore to the user–as changes in Quality of Service (QoS). In addition, the mobile middleware makes the application aware of user location, transmission path characteristics, transmission and content costs, user preferences and terminal capabilities. Mobile middleware is also responsible for adapting the information to network and terminal characteristics and ensuring application mobility across various networks. The main goal of this prospectus is to develop security solutions for mobile middleware functions and components, for efficient seamless support of wireless mobile users and applications, as well as for secured access of mobile users to wired Internet resources. The most important metrics for evaluating mobile middleware are adaptability to wireless network dynamics, resilience against adversaries’ attacks, high availability in service provisioning, and scalability in network size. In our study, we found that multimedia applications with real-time constraints experience significant problems in ad hoc wireless networks, even though they perform well in “last hop” wireless networks such as the wireless LAN. Besides, centralized protocols, such as entity/identity authentication schemes, cannot provide qualitative service in ad hoc networks. We seek to provide the demanded solutions for these problems via a middleware approach, that is, a convergence sub-layer between the network and the mobile applications.
The middleware approach will enable adaptive data processing and distributed service provisioning for mobile users and applications. Compared to existing security solutions, our solution is particularly designed to serve real-time applications in a scalable ad hoc network with highly volatile network dynamics. Our proposed approach seeks to provide (i) real-time data privacy and integrity support that is adaptive to wireless channel dynamics and device heterogeneity, (ii) real-time identity authentication service that is adaptive to ad-hoc network settings and resilient to node compromises, (iii) localized intrusion detection support to efficiently isolate compromised nodes, and (iv) security solutions for ad hoc network supports such as efficient multicast protocols. After presenting the preliminary research progress, the future work is also listed.
Contents

1 Introduction ... 1
  1.1 Mobile application middleware ... 2
    1.1.1 Application middleware ... 2
    1.1.2 Ad-hoc networking and mobile application middleware ... 3
  1.2 Demanded security supports for I-MANET ... 5
  1.3 Accomplishments and Proposed Research ... 6
  1.4 Overview of the Prospectus ... 7

2 Related Work ... 9
  2.1 Existing wired and wired-equivalent security solutions ... 9
    2.1.1 Authentication ... 9
    2.1.2 Data privacy and data integrity ... 10
  2.2 Estimation schemes in ad hoc networks ... 12
  2.3 Routing and secure routing in ad-hoc networks ... 13
  2.4 Trust and authentication ... 14

3 Adaptive Security for Real-time Data Transmissions ... 15
  3.1 Adaptive model ... 16
  3.2 Analysis ... 18
  3.3 Preliminary implementation and measurement ... 21

4 Adaptive and Resilient Identity Authentication ... 24
  4.1 UAV-MBN Networks ... 25
  4.2 Security of UAV-MBN Networks ... 25
  4.3 Assumptions ... 26
  4.4 Design ... 27
    4.4.1 Primitives ... 28
    4.4.2 Infrastructure Mode with UAV ... 29
    4.4.3 Infrastructureless Mode without UAV ... 33
  4.5 Threshold cryptography ... 35
    4.5.1 -resilient Polynomial sharing of ... 35
    4.5.2 Localized Multi-signature ... 36
    4.5.3 -bounded coalition offsetting ... 37
  4.6 Discussions ... 37
    4.6.1 Protecting backup certificate signing key ... 37
    4.6.2 Threshold ... 38
    4.6.3 Less than neighbors ... 39
    4.6.4 Storage Requirements ... 39
  4.7 Evaluation of Implementation and Simulation ... 40
    4.7.1 Computational Measurements and Evaluation ... 40
    4.7.2 Communicational Measurements and Evaluation ... 42

5 Security Architecture for Application Session Handoff ... 44
  5.1 iMASH Background and Application Session Handoff ... 44
  5.2 Related Work ... 46
  5.3 Security Architecture ... 47
    5.3.1 Design Rationales ... 47
    5.3.2 Protocol Details ... 50
  5.4 Implementation and Evaluation ... 52
    5.4.1 Experiments on capability model ... 53
    5.4.2 Evaluation of ASH Push/Pull models ... 53

6 Future Work ... 56
  6.1 More work on security and real-time adaptation ... 56
  6.2 More work on resilient authentication service ... 57
  6.3 More work on localized intrusion detection ... 57
  6.4 More work on securing MANET multicast protocols ... 57

7 Publications ... 58
Chapter 1 Introduction

Mobile information access is a three-piece puzzle composed of Mobile Devices, Wireless Networks and Applications. While there have been significant advances in device and network technology, applications for specific mobile use have lagged significantly. The mobile environment imposes a number of challenges which impair the robustness of client/server operation: adaptation to varying quality of service, reliability in the face of disconnected links, roaming between different carriers and network types, movement between different geographical locations, re-configurable real-time multi-user connections, security of data, and personalized user information filtering. Currently available embedded operating systems do not provide much functionality to address these problems. To deal with these discrepancies, an emerging paradigm called mobile middleware that enables applications to be mobile friendly is seen as a very promising development.

Mobile middleware hides the complexity of underlying networks and provides a complete support environment for mobile applications. A diverse range of mobile networks will appear as a seamless, homogeneous communications medium. Differences in these networks appear to applications–and therefore to the user–as changes in Quality of Service (QoS). In addition, the mobile middleware makes the application aware of user location, transmission path characteristics, transmission and content costs, user preferences and terminal capabilities. Mobile middleware is also responsible for adapting the information to network and terminal characteristics and ensuring application mobility across various networks.

Mobile middleware to provide Internet access to roaming users already exists today. A novel challenge in this prospectus is to consider I-MANET, a more general model with relaxed constraints on wireless links and seamless integration with wired infrastructure. The wireless portion of I-MANET is a mobile ad-hoc network (MANET) where autonomous nodes roam independently and wireless communications are typically multi-hop. The wired portion of I-MANET is a highly available infrastructure such as the Internet. Middleware services are provided in MANET and Internet access networks to facilitate mobile users’ wireless communications. In particular, this prospectus will address security services provided in the mobile middleware framework to support a wide range of mobile applications, including multimedia and traditional transaction-based applications.
1.1 Mobile application middleware

1.1.1 Application middleware

By the term “application middleware” we denote a number of locally available or highly available services provided between the network and the applications. The middleware services are provided to improve inter-operability between the network and the applications. Without the helpful services provided by the middleware, related communication would incur considerable overhead and exhaust critical system resources. In the wired Internet, a highly available middleware service, such as CORBA’s ORB service, can be provided remotely without losing service availability. However, in a mobile wireless network, service availability is determined by wireless transmission distance and hop count. Thus the term “high availability” normally means “local availability” in mobile wireless networks.

This notion of highly available middleware service is used in the iMASH project [3] (footnote 1), a multi-discipline collaborative effort between the UCLA Medical School and the Computer Science Department geared towards the design, implementation, and deployment of a computing infrastructure for the new UCLA hospital currently being built. In this environment physicians and staff workers will have wired and wireless ubiquitous access to medical record databases to hopefully enable more effective patient treatment through high information accessibility. To enable this vision, the iMASH project employs an array of dedicated and strategically deployed Middleware Servers to provide useful middleware services to heterogeneous clients (Figure 1.1). The idea of a middleware tier is not new, but in the context of iMASH, the Middleware Servers provide the system with high availability, scalability, and new middleware services, such as Application Session Handoff (ASH).

1 Other examples include the Internet2 consortium (http://middleware.internet2.edu/) and CORBA (http://www.omg.org/).
Figure 1.1: System architecture of iMASH system and its middleware tier

The ASH capability allows users to experience a convergence of all their owned computing platforms. For example, suppose a user is working with an iMASH-enabled application on a wired desktop and then decides to move to a wirelessly connected PDA. By utilising the ASH functionality, the user’s application session state is seamlessly moved from the desktop to the PDA in a timely manner upon his request. This session state can include both discrete and streaming data across a variety of network interfaces and bandwidths. We note that the state consists of only the data structures and variables needed for an application to define a session and is never the entire process space, immediately differentiating this approach from that of process migration. The iMASH middleware handles data transfer from the desktop on behalf of the user and can automatically adapt the content of moved data to fit the device characteristics of the PDA (such as transcoding to fit the PDA’s CPU, bandwidth, and display). To the end user, the program appears as a continuously-living application across all platforms.
1.1.2 Ad-hoc networking and mobile application middleware

An ad-hoc network is a dynamically reconfigurable wireless network with no fixed infrastructure or central administration. Due to the limited radio propagation range of wireless devices, routes are often “multihop”. Applications such as disaster recovery, crowd control, search and rescue, and automated battlefields are typical examples of where ad hoc networks are deployed. Nodes in these networks move arbitrarily, thus the network topology changes frequently and unpredictably. Moreover, bandwidth and battery power are limited. These constraints, in combination with the dynamic network topology, make data communication in ad-hoc networks extremely challenging.

In a heterogeneous network system with scalable ad-hoc networks embedded as subsystems (Figure 1.2), connectivity service is maximally provided to all mobile nodes. Mobile nodes can freely roam to many areas either without infrastructure installation, or when infrastructure support is faulty (e.g., automated battlefield, disaster recovery). However, under the new circumstances the middleware tier employed in the iMASH system can no longer satisfy mobile applications’ demands. In particular, the communication and security requirements for mobile ad-hoc networks are significantly different from those of the last hop wireless networks used in iMASH. In this prospectus we denote the heterogeneous network system depicted in Figure 1.2 as I-MANET, that is, a highly available communication infrastructure with potentially large-scale mobile ad-hoc networks as its extensions. We are going to analyse the security demands in I-MANET and provide novel middleware-based security services to serve those demands.
Figure 1.2: System architecture of I-MANET (components shown: Internet servers, a middleware server (MWS) providing the ASH service, a last-hop wireless network, wired clients, and scalable mobile ad hoc networks carrying the new mobile middleware service)
1.2 Demanded security supports for I-MANET

The nature of wireless ad-hoc networks makes them very vulnerable to an adversary’s malicious attacks. Compared to wired infrastructure, a wireless ad-hoc network has many unique features like open medium access, dynamic multi-hop topology, cooperative algorithms, lack of centralized management, and lack of a clear line of defense.

Full range of attacks and threats: In a purely wired network, the transmission medium can be physically secured, and access to the network is easily controlled. Consequently, an adversary must gain physical access to the transmission wires or pass through several lines of defense at firewalls and gateways. On the contrary, a mobile wireless network will not have a clear line of defense. Every node must be prepared to encounter an adversary directly or indirectly. Wireless adversaries can easily launch all kinds of security attacks ranging from passive eavesdropping to active interfering. Threats are posed to nearly all security concerns, including data confidentiality, data integrity, identity authentication, authorization, and access control.

Highly volatile network dynamics: In ad-hoc networks, design challenges like mobility, wireless channel errors, and device heterogeneity are decisive factors affecting security design. The highly volatile network dynamics invalidate many existing security solutions that have been designed for the wired Internet. In particular, although centralized or non-adaptive security schemes are widely used in the Internet, they do not work well in ad-hoc networks.

Dilemma of trust: Mobile nodes are autonomous units that are capable of roaming independently. This means that nodes with inadequate physical protection are susceptible to being compromised and hijacked. From the security perspective, any node in a wireless ad-hoc network must be prepared to operate in a mode that trusts no peer. On the other hand, cooperative algorithms in ad-hoc networks require mobile nodes to trust each other for packet delivery. The dilemma of trust is a challenging topic to address.

Loopholes in de-centralized management: Decision-making in ad-hoc networks is usually decentralized and many ad-hoc network algorithms rely on the cooperative participation of all nodes. The lack of centralized authority means that adversaries can exploit this vulnerability for new types of attacks designed to break the cooperative algorithms, particularly ad-hoc routing protocols.
We observe that many existing security solutions designed for the wired Internet do not handle well the node mobility, wireless channel dynamics, device heterogeneity, and rapid network topology changes that occur in ad-hoc networks. In the wired Internet, ultimate trust can be established on dependable centralized authorities (KDC, CA and CRL server), and most network hosts are capable of employing popular security protocols (IPsec, SSL/TLS) to secure their data transmission over relatively reliable channels. In contrast, mobile nodes in a scalable ad-hoc network cannot fully rely on security services provided by centralized authorities, and an ideal security solution must be resilient to mobility, wireless channel dynamics, and device heterogeneity. Hence this prospectus will study how to devise new security schemes to substitute for or improve wired security schemes in ad-hoc networks.
1.3 Accomplishments and Proposed Research

Our proposed research will include the following related topics. The goal of this prospectus is to develop adaptive, resilient (footnote 2), efficient, and scalable security functions for ad-hoc wireless networks. The security functions are locally available or highly available so that they are suitable to be implemented as middleware services. To inter-operate with the infrastructure, the security functions must also be compatible with the existing security schemes already employed in the Internet. Our ongoing and future work is stated in terms of each mobile node in a scalable ad-hoc wireless network. Given a mobile node roaming in ad-hoc networks, we provide the following security services:

1. We seek to achieve adaptive security for real-time data transmission on heterogeneous mobile nodes. Our solution enables each mobile node to send and receive secured data with real-time constraints, and hence provides security support for various mobile applications including multimedia applications. The affected security services include encryption and message authentication. They must be adaptive to wireless channel dynamics and device heterogeneity. Related subjects are studied in Chapter 3.

2. We seek to isolate compromised nodes by adaptive and resilient identity authentication services. Our approach provides identity authentication services that are adaptive to environments with and without centralized management. The identity authentication services are resilient to node compromise, highly available in each locality, and robust against node mobility or wireless channel dynamics. Related subjects are studied in Chapter 4.

3. We seek to provide qualitative security services at the converging point between the wired infrastructure and the wireless networks. In particular, this means enabling secured application session handoff (ASH) in the middleware server tier. Related subjects are studied in Chapter 5.

The security goals described above will be accomplished by middleware services running on mobile nodes as well as on the static middleware servers used in the iMASH system. Figure 1.3 depicts the protocol stack overview of how the middleware services are realized. In particular, a convergence sub-layer is introduced in the network protocol stack to represent the functionalities common to mobile applications, but not specific to the transport layer, network layer, or link layer. The functionalities include: (i) obtaining network feedback by polling, monitoring, and measurement, (ii) adapting contents and bitrates according to network feedback, and (iii) scheduling system and network resources by interacting with higher and lower layers. The needed security services, including adaptive real-time data privacy and integrity support, adaptive and resilient identity authentication service, localized intrusion detection, and secured multicast support, will be integrated with other components in the middleware sub-layer. More details of the ongoing and future work will be described in Chapter 6.

2 In distributed computing and threshold cryptography, -resilient means the system tolerates up to anomalies.
1.4 Overview of the Prospectus The rest of the prospectus is organized as follows. In Chapter 2 we present the related work on designing security solutions for mobile ad-hoc networks. Preliminary research results are reported from Chapter 3 to Chapter 5. In Chapter 3 we discuss our preliminary research results on adaptive encryption service for real-time transmissions. Then in Chapter 4 we present a de-centralized architecture to enable localized and resilient entity/identity authentication service. In Chapter 5 we present the security architecture for Application Session Handoff (ASH) in the wired infrastructure. Future research plans are elaborated in Chapter 6 and related publications are listed in Chapter 7.
Figure 1.3: Protocol stack overview of mobile wireless middleware (figure content: a non-middleware node and two middleware nodes, each with application, transport, network, and link/physical layers; the middleware nodes insert a Mobile Middleware sub-layer between the application and transport layers. Application layer: traditional applications (WWW, multimedia, FTP), field force automation, online medical record access and exchange, emergency response services, battlefield command and control. Mobile Middleware Security: adaptive real-time data security, adaptive and resilient node authentication, localized intrusion detection, secured MANET multicast. Mobile Middleware sub-layer: resource management (iMASH) covering session management, service discovery, user/device profiling, resource allocation, reservation and scheduling, and resource monitoring and measurement; content adaptation (iMASH) and rate adaptation; mobility and network control covering network monitoring and measurement, channel management, and energy management. Transport layer: TCP, UDP. Network layer: IP with mobile and cellular extensions. Link and physical layer: wireless (802.11b, 802.11a, 802.11g, Bluetooth, GPRS, CDPD, satellite) and wired (Internet and LAN).)
Chapter 2 Related Work

2.1 Existing wired and wired-equivalent security solutions

2.1.1 Authentication

Key Distribution Center (KDC) based services and Certificate Authority (CA) based services are the two basic paradigms of authentication services for computer networks. A KDC is a centralized server sharing a secret with each authenticated node. Before a secure channel is established between two authenticated nodes, both nodes must be authenticated to the KDC, which acts as a “trusted third party” (TTP). Kerberos [93], RADIUS [82], and EKE [7] are exemplary authentication and key exchange services built on the KDC paradigm. They may be used to support other specialized authentication services that are particularly designed for certain network protocols. For example, IEEE recently published its authentication protocol 802.1x [43], which relies mostly on RADIUS to enable authenticated access to IEEE 802 media, including 802.3 Ethernet, 802.5 Token Ring, and 802.11 wireless LANs.

Certificate Authority (CA) based authentication is another paradigm following the TTP trust model. It relies on digital certification implemented with public key cryptosystems. One or more trusted CAs issue digital certificates to each node, which holds a personal public/private key pair. A node’s valid certificate must be signed by a CA and typically contains unique ID information, the personal public key, and the binding between the ID and the personal public key. The binding is bounded by validity time constraints, and the certificate must be renewed following the re-registration policy. In contrast to the KDC, the CA is only contacted at the (re-)registration period. As long as both certificates are valid, two authenticated nodes can establish a secured channel using well-defined certificate exchange and key exchange protocols, for example, ISAKMP/IKE [62, 34] at the network layer, or SSL/TLS/WTLS [67] at the transport layer.
2.1.2 Data privacy and data integrity

Link layer security protocols. Link layer security protocols include those for wired ATM and dial-up services like PPTP and L2TP, as well as those for wireless networks like 802.11 WEP. In the 802.11 protocol suite, Wired Equivalent Privacy (WEP) defines the algorithm to protect authorised users from eavesdropping. Recently it has attracted critical attention in both academia and industry. Several network security research groups have published cryptanalysis of WEP [13, 94]. They have successfully exploited the broadcast nature of wireless channels to reveal protocol design flaws. Given the capability of overhearing large amounts of ciphertext transmitted in wireless channels, Borisov et al. [13] revealed several insecurities in the WEP design, including the short IV and the linear message authentication code. Adversaries can easily launch data confidentiality, message modification, and message injection attacks against the wireless access point and gain unauthorized access to the network. In another research group, the Fluhrer-Mantin-Shamir attack [25], realized by Stubblefield et al. [94], can successfully reveal a 128-bit WEP secret key by eavesdropping on 5,000,000 packets, or fewer than 2,000,000 packets after the attack is improved. These discoveries demand more effective countermeasures to secure 802.11 wireless LANs. Substitutes for WEP are being developed to address the new challenges. For example, new encryption algorithms and authentication protocols, such as AES and 802.1x (footnote 1), are being integrated into WEP and WEP2. Such efforts seek to offer more security support by following the original design framework, namely a layer 2 solution that only affects the data link layer in the protocol stack [43, 10]. As a result, the new functionalities are implemented mostly inside the data link layer with little support from other layers. This single-layer design has several advantages. For example, uniform services are provided to the upper layers, and each wireless hop is protected if the security features are enabled on all wireless devices. Nevertheless, as we will analyse in Section 3.2, the provisioning of many security services is driven by local network settings and applications’ preferences. It is more appealing to go beyond a layer-2-only design where all security services are embedded in link layer device drivers, especially when other proven security protocols have already been widely deployed in IP networks.

1 Unpublished report [2] reveals some vulnerabilities in the 802.1x design.
Network layer security protocols. IPsec is the leading standard for cryptographically based authentication, integrity, and confidentiality services at the network layer. In the TCP/IP protocol stack, IPsec secures the IP datagram layer between two trusted networks. As depicted in Figure 2.1, a path between an IP packet sender and receiver is divided into three segments: (i) the trusted local network at the sender end, (ii) the untrustworthy public IP network segment, and (iii) the trusted local network at the receiver end. IPsec gateways (G1 and G2 in Figure 2.1) are placed at each boundary between a trusted and an untrustworthy segment. In IPsec’s terminology, they form a Security Association (SA) with point-to-point security guarantees.

Figure 2.1: IPsec system model (G1 and G2 are the IPsec gateways at the edges of the two trusted networks; the untrusted network between them provides connectivity only)

IPsec readily provides the security infrastructure to build all three categories of Virtual Private Networks (VPNs). Intranet VPNs and extranet VPNs are implemented following the paradigm depicted in Figure 2.1, where the two trusted networks could both be an enterprise’s internal networks or one of them could be its business partner’s network. For remote access VPNs, one of the trusted networks degenerates into a single host used by the remote user, and the other end is unchanged. The IPsec architecture employs three protocols to provide data integrity, data confidentiality, authentication, and key exchange services, namely the AH (Authentication Header) protocol [48], the ESP (Encapsulating Security Payload) protocol [49], and the IKE (Internet Key Exchange) protocol [34]. AH provides integrity services to each IP datagram, and ESP provides confidentiality and optionally integrity services to each IP datagram. IKE employs public key cryptosystems and digital certificates to authenticate network entities and exchange a shared secret key between them. After the entities reach a key agreement, IP datagrams or TCP packets are encrypted and authenticated before they are delivered to the data link layer, so insecurity at the link layer does not threaten the IP traffic in transit.

Security protocols at transport layer or above. In contrast to lower-layer security solutions, transport layer security seeks to provide end-to-end data security services at or above the transport layer. It ensures per-connection security. During the connection setup period, a security agreement is negotiated between two user applications by an initial handshake process. The two applications may authenticate each other and obtain session secrets using digital certificates defined by a Public Key Infrastructure (PKI). After the two applications agree on a session master secret and the cryptographic algorithms, critical data is signed and encrypted at or above the transport layer before reaching the network, thus any break-ins and compromises occurring en route at the lower layers do not compromise the applications’ data security. Common transport layer security solutions are Netscape’s Secure Sockets Layer (SSL) and its variants, including the IETF standard TLS [20] and the WAP Forum’s standard WTLS [100]. They are among the few network security protocols that have received positive cryptanalytic feedback from the cryptographic research community [98].
2.2 Estimation schemes in ad hoc networks Mobile systems must adapt their behavior to changing conditions in ad hoc networks. They demand accurate estimation techniques to evaluate available bandwidth in the presence of mobility and wireless channel errors. Prediction-based link availability estimation In mobile ad hoc networks, mobility is a crucial factor affecting link availability. A probabilistic link availability model which can predict the future status of a wireless link is proposed in [64] and [63]. The basic idea is to let a node to first predict a continuous time period ( ) that a currently available link will last from time . He et al. [36, 18] proposed a measurement-based scheme where a node can predict for an active link with another node by measuring relative distances between them without knowing the velocities of their movements. Su and Gerla [95] proposed a similar scheme where the velocity of a nodes movement is supposed to be known by using Global Position Systems (GPS). In [44], link availability can be estimated by prediction and routing metrics. Although the prediction algorithms cannot accurately calculate the link availability, it can reflect the general tendency of a link availability as shown by the simulation results presented in [44]. Bandwidth estimation Estimating available network capacity at real time is a difficult problem, since the effective latency and bandwidth between a mobile host and other nodes is constantly changing.
Producing quality estimates is challenging because network observations are noisy, particularly in multi-hop mobile wireless networks. Kim and Noble [51] presented four filters designed to react quickly to persistent changes while tolerating transient noise. In contrast with explicit bandwidth measurement schemes, end-to-end schemes measure bandwidth based on the return of acknowledgments. TCP Vegas [14] adopts an advanced congestion control mechanism to estimate available bandwidth at the sender side. Packet pair is an implicit end-to-end dynamic rate congestion control protocol [108, 50]. TCP Westwood [60] employs bandwidth sampling and filtering to minimize unnecessary congestion avoidance actions over wireless or lossy wired links.
2.3 Routing and secure routing in ad-hoc networks

A lot of research has been devoted to routing algorithms in mobile ad-hoc networks. In most cases, the nodes are assumed to be cooperative. Ad hoc routing protocols employ two types of mechanisms to maintain routing information in the network: (i) reactive (or on-demand) routing protocols, such as AODV [75] and DSR [46], seek to minimize routing overhead by invoking the route determination procedure only when routing is needed; (ii) proactive routing protocols, such as DSDV [74] and LANMAR [73, 104, 39], seek to decrease periodic routing overhead by various methods, including incremental updates and smaller routing tables. Some hybrid routing schemes seek to combine the advantages of both proactive and reactive schemes. For example, proactive LANMAR can be implemented on top of reactive DSR or AODV to enable scalable routing. In the Zone Routing Protocol (ZRP) [45, 71, 33], proactive schemes are used in local zones while remote routing requests are served by reactive schemes.

Recently many researchers have proposed secure routing protocols for ad hoc networks. Yi et al. [106] treat security as part of QoS and realize a scheme with AODV to discover routes with security protections. Zhou et al. [110] and Dahill et al. [17] propose to use a public-key cryptosystem and digital signatures to secure on-demand ad hoc routing protocols. Basagni et al. [5] use a network-wide symmetric key to secure routing communication, which is vulnerable to a single point of compromise; the authors argue for hardware-based tamper resistance mechanisms to limit the damage. Papadimitratos and Haas [70] devise a scheme that secures on-demand routing protocols against non-collaborative adversaries. Hu et al. [40, 41] use one-way key chains to authenticate routing messages for proactive and on-demand protocols.
CHAPTER 2. RELATED WORK
2.4 Trust and authentication

Some popular network security services are provided by Kerberos and the X.509 Directory Authentication Service. In these proposals, services are typically provided via a centralized CA and are not scalable. Common fixes such as deploying a mesh of CAs can alleviate, but cannot solve, the problems of service ubiquity and node mobility. Besides, these approaches suffer from a single point of compromise and DoS attacks. Threshold secret sharing and proactive secret share updates have been very active research topics in cryptography [88, 37, 86, 29, 16, 28]. However, most of these proposals target a system that has a few secret share holders with rich connections. Hence, the proposed solutions do not address the scalability issue, as admitted in [16]. Besides, as connections are assumed to be reliable, they make no explicit effort to minimize communication cost. In contrast, our solution works under very weak network assumptions. We also make explicit efforts to reduce communication overhead to one or two rounds. Wireless network security is a relatively new research area. [26] proposes a Kerberos-based solution to authentication for wireless and mobile users. [57] studies the problem of authentication in PCS. However, these solutions do not solve the problem of break-ins. Besides, they do not address the scalability issue. A more recent work also applies the concept of threshold secret sharing and proactive secret share updates to ad-hoc wireless networks [110]. However, they directly apply the existing threshold secret sharing and proactive secret share update algorithms to their problem domain. As the algorithms do not address the scalability issues, their solution is not scalable. In fact, they need to deploy a few servers that jointly serve as the CA. The fundamental concept is still the same as in previous works [16]. Ubiquitous services are not feasible in the scheme.
Chapter 3 Adaptive Security for Real-time Data Transmissions

In I-MANET, information flows in two directions between mobile nodes and the infrastructure. One direction is common in the traditional client-server model, where wireless clients access wired or wireless servers which in turn provide transaction-based services. The other is the reverse direction: wireless mobile clients can act as information sources that provide volumes of useful information to the infrastructure. In particular, we consider a set of mobile devices with real-time data processing capability. With proper hardware configuration, mobile real-time data collectors (Figure 3.1) can freely roam and provide volumes of useful multimedia information that reflects the changing environment in real time. Applications such as automated battlefields, paramedical emergencies, and real-time news reporting are typical examples of where mobile data collectors are deployed. The applications also demand security support, because wireless communication is vulnerable to various security attacks ranging from passive eavesdropping to active interference. Wireless ad hoc networks provide the connectivity needed for mobile data collectors to transmit real-time contents back to information sinks. However, providing real-time communication support in ad hoc networks is challenging. The network bandwidth available to a mobile node is highly volatile due to wireless interference, mobility, and dynamic network topology. Consequently, it is appealing to employ adaptive mobile applications that can adjust wireless communications according to network conditions measured in real time. This prospectus seeks to devise an adaptive security solution for real-time multimedia contents.
In contrast to the transaction-based security paradigm, which ignores network feedback and hence is not adaptable, the new adaptive security paradigm (Figure 3.3) seeks to satisfy prescribed security requirements according to real-time network feedback.

Figure 3.1: Mobile realtime data collector

Figure 3.2: Existing Security Paradigm (fixed-bitrate data encoding at φ bps feeds a security module of fixed security complexity running at ϕ bps; with the key, it outputs secured data at φ∗ϕ/(φ+ϕ) bps)

Figure 3.3: Adaptive Security Paradigm (network feedback such as bandwidth estimation drives an adaptable data encoding with adaptable bitrate and an adaptable security module with adaptable security complexity, both with guaranteed lower bounds; with the key, the module outputs secured data)
3.1 Adaptive model

We define a mobile real-time data collector as a mobile information source that roams in ad hoc networks and transmits real-time contents back to information sinks. Unlike regular mobile clients roaming in last-hop wireless networks, mobile data collectors produce potentially large amounts of real-time data within a working cycle. The collected data must be delivered to their destinations under real-time constraints. A qualified security solution for mobile data collectors should have the following properties:

Performance-centric design: When short-term performance concerns are more critical than long-term protection concerns, it is reasonable to trade off protection for performance gain. Mobile data collectors have different security demands from transaction-based Internet commercial applications. The real-time contents should be protected against wireless adversaries; however, the collected real-time contents must be transmitted to the intended destinations on time. The security support becomes useless if data transmission fails to meet the real-time constraints. Consequently, available bandwidth, network capacity, processing throughput, and error control are critical factors affecting the security design.

On-device processing: As mobile data collectors roam independently, each of them must be prepared to process collected real-time contents on site and on device. It is appealing to employ on-device end-to-end QoS measurements with little help from the network.

Adaptive encoding: Encoding raw data into an efficient multimedia format is the first step of processing. State-of-the-art encoding technology can adapt multimedia contents according to throughput/bit-rate, jitter, error rate, and buffer capacity.

Adaptive security processing: The security module must also be adaptable. As we analyse in Section 3.2, when the processing bit rates of encoding and enciphering are φ and ϕ, respectively, the overall throughput is φϕ/(φ+ϕ). If φ is adaptable to be much larger than ϕ (i.e., φ ≫ ϕ), then the overall throughput is approximately ϕ. This implies that the overall scheme is not adaptable if the security module is not adaptable.
Service quantification and differentiation: Security complexity, real-time constraints, and network conditions are quantified and differentiated into QoS classes. Each class corresponds to a set of service metrics. As a result, mobile data collectors can flexibly choose one of the QoS classes in real time.

Adversary model: Wireless adversaries are powerful adversaries with the following capabilities: (i) they can eavesdrop, capture, drop, resend, delay, and alter packets; (ii) they have access to a fast network with negligible delay; (iii) their computational resources may be very large, but not unbounded. In particular, this means that the adversary can perform efficient computations, such as launching differential cryptanalysis or linear cryptanalysis with negligible overhead. Nonetheless, the adversary cannot invert an effective cipher function or MAC function without the cipher or MAC key. It is computationally infeasible for them to invert a pseudo-random function (or distinguish it from a random function) with non-negligible probability. Therefore, authentic senders and receivers can share symmetric cipher keys using well-defined key exchange protocols like ISAKMP/IKE [62, 34]. Based on symmetric keys of appropriate size, mobile applications can employ effective security protocols, such as IPsec ESP [49] and AH [48], to ensure data privacy and data integrity.

In this work we use the encryption service as an example. Figure 3.4 illustrates the general design framework of encryption services with adaptive throughput guarantees. The differentiated classes are defined on a total order: for any two differentiated classes, one class has a greater throughput guarantee (γ) and a lower security complexity (χ) than the other.

Figure 3.4: Throughput adaptive security (with differentiated service classes). The axes are throughput/bitrate γ and security complexity χ; classes 1 to 8 range from the lowest security complexity and highest encryption rate to the highest security complexity and lowest encryption rate, bounded by a throughput lower bound and a security complexity lower bound.

On every type of mobile data collector we can (i) measure the performance of encryption algorithms by experiments, and (ii) obtain prescribed security complexity classes by cryptanalysis. Therefore, the diagram shown in Figure 3.4 can be determined on each device prior to its deployment.
3.2 Analysis

Assumptions
In this work we focus on software-based implementations of data collection and data encryption on mobile devices. Although theoretically all data encoding algorithms, compression algorithms, and encryption algorithms can be realized in hardware chips, we consider hardware-based solutions less flexible than their software peers. For example, since vulnerabilities and loopholes in security algorithms have frequently been discovered by recent cryptanalysis, security patches must be applied in a timely manner to realize the corresponding countermeasures; inflexible implementations pay a higher cost in these scenarios. On the other hand, the measurements obtained on software implementations also present useful information for performance evaluation and cost estimation when candidate algorithms need to be built into hardware and firmware.
Table 3.1: RC5’s security complexity, varying number of rounds, 128-bit key and block size (“ ” denotes the case when the attack is impossible even at a theoretical level). Columns: substitution-permutation rounds; differential cryptanalysis (chosen plaintext); differential cryptanalysis (known plaintext); linear cryptanalysis (known plaintext). Rows: 4, 8, 12, 16, 20, 24, 28 rounds.

Table 3.2: RC5’s security complexity, varying number of rounds, 64-bit key and block size. Columns: substitution-permutation rounds; differential cryptanalysis (chosen plaintext); differential cryptanalysis (known plaintext); linear cryptanalysis (known plaintext). Rows: 4, 6, 8, 10, 12, 14, 16 rounds.

Processing throughput
As recommended in many security protocols [20], encryption should be applied as the last step before network transmission, because (i) data processed after encryption is not protected, and (ii) compression and other operations help increase message entropy to foil cryptanalytic attacks. This implies that decryption would be the first step once data is received from the network. We quantify the device’s overall processing throughput based on encryption throughput. A mobile real-time data collector is treated as a single-CPU system.

    Pipelined execution          Sequential execution
    for(each data unit) {        for(each data unit) {
        A                            A
        B                        }
    }                            for(each data unit) {
                                     B
                                 }

For two processings A and B running in a process of a single-CPU system, the pipelined execution and the sequential execution have some system-level differences. For example, B’s response delay is larger in the case of sequential execution. Nevertheless, they are in general equivalent in semantics and throughput, because exactly the same machine instructions are executed on the CPU. In other words, though a real execution of the single process could be a pipelined one, we can use the sequential case to quantify its throughput. We use this property to quantify the device’s overall processing throughput. Encryption is treated as one processing, and all other data processings are abstracted as the other. Suppose the throughputs of processings A and B are φ and ϕ, respectively; then the overall processing throughput is φϕ/(φ+ϕ) for an arbitrary message size. In addition, the overall processing throughput should be greater than or equal to the available bandwidth measured at real time; this is inequality (3.1). An equivalent form of (3.1) is (3.2). Therefore, given the real-time bandwidth estimation, we have to choose an encoding bit-rate and the differentiated class satisfying (3.2) with maximal security complexity.
Quantification of security complexity

Nowadays advanced encryption algorithms, including the well-known Data Encryption Standard (DES [65]) and Advanced Encryption Standard (AES [66]), are block cipher algorithms based on Feistel structures and Substitution-Permutation Networks (SPN) [23]. Security complexity in these algorithms is achieved by many rounds of permutation and substitution. In particular, (i) the algorithms must achieve the one-way property, so that it is easy to obtain ciphertext from plaintext but not vice versa; (ii) the algorithms must resist ciphertext-only attacks, known-plaintext attacks, chosen-plaintext attacks, adaptive chosen-plaintext attacks and their advanced variants like differential cryptanalysis [9] and linear cryptanalysis [61]; and (iii) the algorithms must resist brute-force attack by key enumeration and other attacks on keys such as related-key cryptanalysis [8]. For these modern block cipher algorithms, encryption throughput is adaptable by increasing or decreasing the number of substitution-permutation rounds. The related cryptanalysis is presented in many publications. Here we use RC5 [4], an IETF standard encryption scheme widely used on the Internet, as an example. As claimed by the designer [83], a novel feature of RC5 is the heavy use of data-dependent rotations. Applications can choose a variable word size, a variable number of rounds, and a variable-length secret key. In particular, we exploit the variable number of rounds to speed up encryption performance. A summary of the data requirements for a successful attack against RC5 with a variable number of rounds is provided in [107]¹, based on various cryptanalyses (Tables 3.1 and 3.2). For mobile data collectors, known-plaintext attacks are feasible due to the standard headers used in network protocols and common encoding formats (e.g., MPEG). In most cases, security complexity can be differentiated according to resistance to known-plaintext attacks. For other multimedia applications like video streaming, chosen-plaintext attacks are feasible if the video source is not secured.
3.3 Preliminary implementation and measurement

We have realized an RC5 implementation with a variable word size, a variable number of rounds, and a variable-length secret key. Figures 3.5 and 3.6 show RC5’s encryption performance on two different hosts. One is an iPAQ3670 PocketPC running LinuxCE with an Intel StrongARM 206MHz CPU; the other is an HP Kayak server running Mandrake Linux 8.2 with dual PentiumII 450Mhz CPUs. The RC5 algorithm can achieve 4–31Mbps and 17–128Mbps encryption throughput on the iPAQ and the Kayak server, respectively. In the figures, throughput is measured on CPU time for encryption only, not including the encoding overhead. Security complexity is quantified by the number of substitution-permutation rounds. The security lower bound corresponds to chosen plaintexts used in differential cryptanalysis. It implies that re-keying is imperative after potential chosen plaintexts have been transmitted.
In Examples 1 and 2, we show how the security lower bound and encryption throughput affect a mobile node’s behavior.

Example 1 Suppose a mobile client is viewing a video stream from the Internet, and it uses the 128-bit RC5 encryption algorithm with a 128-bit block size. If the video source is a 1.5Mbps MPEG-I stream and was encoded by an uncertified source², then the allowed data transmission roughly corresponds to M blocks and seconds. That is, the mobile client should employ key exchange protocols to re-establish a secret symmetric key every 44.7 seconds. Otherwise, it is possible that an adversary can launch differential cryptanalysis against the sender’s wireless transmission and break the secret key.
¹ RC6, one of the five AES finalists, was derived from RC5 and proposed by Rivest and Yin.
² It is possible to encode chosen plaintexts into video streams by manipulating the encoder.
Figure 3.5: RC5’s adaptive encryption performance on iPAQ3670 PocketPC (security lower bound is chosen plaintexts. Throughput lower bound is 5Mbps). x-axis: RC5 substitution-permutation rounds 4 (2^19 CP), 8 (2^42 CP), 12 (2^58 CP), 16 (2^83 CP), 20 (2^106 CP), 24 (2^123 CP), 28; y-axis: RC5 encryption throughput (Mbps), 0 to 40.

Figure 3.6: RC5’s adaptive encryption performance on HP Kayak server (security lower bound is chosen plaintexts. Throughput lower bound is 20Mbps). x-axis: RC5 substitution-permutation rounds 4 (2^19 CP), 8 (2^42 CP), 12 (2^58 CP), 16 (2^83 CP), 20 (2^106 CP), 24 (2^123 CP), 28; y-axis: RC5 encryption throughput (Mbps), 0 to 140.
Example 2 Assuming the available bandwidth is Mbps, which is used to transmit MPEG-I video streams, and the on-device MPEG encoding bitrate is Mbps, we have to select a differentiated QoS class with encryption throughput satisfying the overall throughput constraint. Without the throughput adaptive scheme, RC5’s performance can only be 4Mbps, thus the overall processing throughput (including both encoding and encryption) falls below the stream rate. Thus about 23.8% of the 1.5Mbps MPEG-I stream contents are lost due to the overhead caused by slow encryption.
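The throughput model of Section 3.2 and Examples 1 and 2 above, carried through in code (an added example, not the prospectus authors' code): the per-round encryption throughput table is constructed sample data inside the 4 to 31 Mbps range the text reports for the iPAQ, the chosen-plaintext counts are the labels of Figures 3.5 and 3.6, and the 2.0 Mbps encoding rate in the usage is a constructed scenario.

```python
"""Throughput-adaptive class selection for the encode-then-encrypt pipeline of
Chapter 3.  Added example, not the prospectus authors' code.  The model is the
text's: with encoding rate phi and encryption rate psi on a single CPU, the
overall throughput is phi*psi/(phi+psi), which must be at least the measured
bandwidth gamma.  The per-round throughputs below are constructed sample
values inside the 4 to 31 Mbps range reported for the iPAQ, not measurements."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceClass:
    rounds: int        # RC5 substitution-permutation rounds (security complexity)
    enc_mbps: float    # encryption throughput on this device (constructed here)
    cp_log2: int       # log2 of chosen plaintexts needed for differential cryptanalysis


# Constructed throughput table; the cp_log2 column repeats the labels of Figures 3.5/3.6.
IPAQ_CLASSES = [
    ServiceClass(4, 31.0, 19), ServiceClass(8, 16.0, 42), ServiceClass(12, 11.0, 58),
    ServiceClass(16, 8.0, 83), ServiceClass(20, 6.5, 106), ServiceClass(24, 5.0, 123),
]


def overall_throughput(encode_mbps: float, encrypt_mbps: float) -> float:
    """Sequential single-CPU model: one unit costs 1/phi + 1/psi of CPU time."""
    return encode_mbps * encrypt_mbps / (encode_mbps + encrypt_mbps)


def required_encryption_rate(encode_mbps: float, bandwidth_mbps: float) -> float:
    """Smallest psi with phi*psi/(phi+psi) >= gamma; unattainable if phi <= gamma."""
    if encode_mbps <= bandwidth_mbps:
        return float("inf")
    return encode_mbps * bandwidth_mbps / (encode_mbps - bandwidth_mbps)


def select_class(classes, encode_mbps: float, bandwidth_mbps: float, min_rounds: int = 4):
    """Return the class with maximal rounds that still keeps up with the bandwidth
    and stays above the security lower bound (min_rounds); None if no class does."""
    need = required_encryption_rate(encode_mbps, bandwidth_mbps)
    feasible = [c for c in classes if c.rounds >= min_rounds and c.enc_mbps >= need]
    return max(feasible, key=lambda c: c.rounds) if feasible else None


def rekey_interval_seconds(cp_log2: int, block_bits: int, stream_bps: float) -> float:
    """Example 1's rule: re-key before 2^cp_log2 blocks of the stream have been sent."""
    return (2 ** cp_log2) * block_bits / stream_bps


def loss_fraction(encode_mbps: float, encrypt_mbps: float, bandwidth_mbps: float) -> float:
    """Share of a stream at bandwidth_mbps that a fixed-rate encryptor cannot keep
    up with (Example 2's situation, where RC5 is fixed at 4 Mbps)."""
    processed = overall_throughput(encode_mbps, encrypt_mbps)
    return max(0.0, 1.0 - processed / bandwidth_mbps)


if __name__ == "__main__":
    # Example 1's numbers: 128-bit blocks over a 1.5 Mbps stream at the 4-round bound.
    print(round(rekey_interval_seconds(19, 128, 1.5e6), 1))        # 44.7
    # Constructed scenario: 1.5 Mbps bandwidth, 2.0 Mbps encoder output.
    print(select_class(IPAQ_CLASSES, 2.0, 1.5))
```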
Experiments on audio encoders

When storing audio files in raw format, a large amount of data is needed (44.1kHz * 2 channels * 16 bit results in 1441.2 kbit/s or nearly 10 MByte/min). The raw format needs high capacities of transfer or storage. The goal of data encoding is to reduce the needed bitrate and retain audible quality. On raw audio data streams, MP3 encoding can achieve a compression ratio of about 1:11.

Throughput adaptive encryption is useful for mobile data encoders even when the network capacity demand is small. In Figure 3.7, we depict the required encryption bitrate for 128kbps MP3 audio and small encoding bitrates. In our experiments, we use the Linux utility “lame” as the MP3 encoder. The encoding bitrate varies from 100kbps to 200kbps when we convert CD soundtracks in WAV format into MP3 format. Figure 3.7 illustrates that a large encryption bitrate is needed when the encoding bitrate is not much larger than the required overall throughput.

Figure 3.7: Required encryption throughput for 128kbps MP3 audio data (overall processing throughput 128Kbps; x-axis: possible encoding bitrate 130 to 150 Kbps; y-axis: required encryption bitrate 0 to 80 Mbps)

Figure 3.8: Required encryption throughput for 1.5Mbps MPEG-I video data (overall processing throughput 1.5Mbps; x-axis: possible encoding bitrate 1.6 to 3 Mbps; y-axis: required encryption bitrate 0 to 80 Mbps)
Chapter 4 Adaptive and Resilient Identity Authentication

In this section we present the results obtained from our research on ubiquitous and robust entity authentication service. We realize an adaptive entity authentication service in scalable ad hoc networks. In particular, the scalable network is realized by multiple levels of heterogeneous mobile nodes with both an aerial and a ground backbone. Wired infrastructure support can be provided to the network via the backbone.

Figure 4.1: Hierarchical multi-level ad-hoc wireless networks with Mobile Backbone (MBN) and Unmanned Aerial Vehicles (UAVs)
4.1 UAV-MBN Networks

In a UAV-MBN network, there are three levels composed of three kinds of networking units with heterogeneous communication capability and computation power: the regular ground mobile nodes, the ground mobile backbone (MBN) nodes, and the unmanned aerial vehicle (UAV) nodes. Based on the availability of the UAV nodes, a UAV-MBN network may operate in two different communication modes: the infrastructure mode and the infrastructureless mode. Regular ground nodes constitute the first level. They are typically soldiers equipped with limited communication and computation devices. They communicate through a bandwidth-constrained and range-limited broadcast wireless channel. The second level consists of MBN nodes that are special ground fighting units such as trucks and tanks. They may carry many more facilities for stronger computation and communication power. With beam-forming antennas, high-bandwidth point-to-point direct wireless links can be established between MBN nodes. These two ground levels form an ad-hoc wireless network with a clustered hierarchy [56] where MBN nodes act as cluster heads. The network operates in the infrastructureless mode with these two ground levels when the third level is absent. The third level is an aerial mobile backbone structure that consists of UAVs flying at an altitude of about 10 miles and in a circle with a diameter of around 10 miles. Each UAV leads a single-area theater. With the help of phased array antennas, it can provide the shared beam to its MBN nodes to maintain line-of-sight connectivity for one area of operations down below. All UAVs form the aerial mobile backbone that is employed to route inter-theater traffic. With UAVs, the network works in the infrastructure mode, where intelligent and extremely efficient medium access [30] and routing [32, 31] are realized compared with homogeneous wireless ad-hoc networks.
4.2 Security of UAV-MBN Networks

Security support is a must for networks deployed in tactical environments. In general, five security aspects have been defined: message privacy, message integrity, non-repudiation, authentication, and security service availability [92]. Cryptosystems and authentication protocols are employed in existing networks to address the five security concerns. Both symmetric key cryptosystems and asymmetric key (aka public key) cryptosystems have been successfully migrated from existing wired networks to wireless networks. For example, the Wireless Application Protocol (WAP) standard [99] is fully certification-based and instantiated on symmetric key and public key cryptosystems. Some recently made WAP-enabled cellular phones (e.g., Siemens S35i) have integrated RSA chips to communicate via the WAP protocol. As cryptosystem implementations become less expensive and more mature in both hardware and software, communication devices in the military battlefield are capable of operating with both symmetric key and public key cryptosystems. For authentication services, current approaches assume centralized management by either key distribution centers (KDC) or certification authorities (CA). For UAV-MBN networks in digital battlefields, we may deploy centralized management in the third-level UAVs, so that each UAV provides authentication services for its theater and the aerial mobile backbone serves the entire system with inter-theater authentication. However, relying on centralized resources suffers from a single point of service denial. When the UAVs are destroyed by missiles or hostile aircraft, the system security breaks down if no backup scheme is implemented. A simple solution to this problem is to deploy redundant authentication servers in some ground units such as the second-level MBN nodes. However, this make-up suffers from a single point of compromise if any of these ground MBN nodes is broken into. We devise an adaptive security solution to address these issues without sacrificing the efficiency, flexibility and strong security semantics of the centralized approaches. When the UAV is absent for any reason, the surviving ground units in the theater switch to the infrastructureless mode in terms of both communication and security. In the infrastructureless mode, the authentication services are distributed into each individual ground node’s vicinity. Like its centralized counterpart, the distributed scheme effectively maintains authentication services in the theater until a new UAV is available and the theater switches back to the infrastructure mode.
Transitions between these two modes are streamlined in a seamless fashion. Our main contribution is to provide robust security services that adapt to dynamic infrastructure changes of the UAV-MBN network. We achieve seamless transitions between the two communication modes. A suite of algorithms and protocols is implemented to realize the design with practical intrusion detection mechanisms.
4.3 Assumptions

As the communication infrastructure of ad-hoc networks is volatile and vulnerable to a wide range of attacks [109], it is inappropriate to push the complexity into the infrastructure. Thus, by enforcing end-to-end security at the transport layer, we are able to provide solid and uniform security support to every node in the network despite security vulnerabilities in the lower layers. In our design, data privacy, data integrity, and data non-repudiation are realized by existing end-to-end security solutions as specified in SSL/TLS [67, 20] and its wireless extension WTLS [100]. Related cryptanalysis [98] has validated the overall design and also provided countermeasures to correct a number of minor flaws in the protocols. In transport layer security, authentication is based on certification services as specified in public key infrastructure (PKI). We employ the de facto standard RSA [84] as the public key cryptosystem in our design. We assume RSA cryptographic primitives are secure, and brute-force break-ins of the RSA primitives are impractical. This can be realized by employing state-of-the-art countermeasures proposed by cryptanalysts [11] and using keys of sufficient length [55]. Nodes are assumed to be appropriately initialized before combat. During combat, any node, including the ground nodes and the UAVs, may be destroyed at any time. Besides, any ground node can be captured and compromised unpredictably. Once such an incident happens to a ground node, we assume all its security-related information is compromised and made available to the enemy. Nevertheless, given the UAVs’ aerial positions and advanced tamper resistance technologies, we assume they are not compromisable. For example, a UAV may implement a self-destruction mechanism when its altitude sensing and speed sensing units report a misposition. To make intrusion detection possible at all, we assume that the ground nodes can monitor and perceive local intrusions. Such local intrusion detection mechanisms do not require abrupt shifts from the methods currently used in tactical environments, where perception-based intrusion detection remains the most effective and reliable means to authenticate intact units and isolate compromised units. In this paper we seek to provide robust end-to-end security support on top of localized intrusion detection and authentication schemes (Figure 4.2), such that (i) a node can only be broken on its standing site, and any break-ins and compromises occurring en route do not compromise its data traffic, which is encrypted at the transport layer before reaching the network; and (ii) once a node is broken, effective and efficient mechanisms are employed to isolate it.
4.4 Design

In this section, we present our detailed design that adapts to the changes of the network infrastructure. We describe the RSA-based authentication primitives in 4.4.1. 4.4.2 presents the infrastructure mode and 4.4.3 presents the infrastructureless mode. We conclude in 4.6 with discussions.

Figure 4.2: End-to-end Security with Localized Intrusion Detection and Security Services (nodes Vi and Vj communicate over infrastructure routing (UAV-aided intelligent routing) or infrastructureless routing (regular on-demand routing), with localized detection and authentication (certification/counter-certification services) at each node)

Figure 4.3: Security Configuration in UAV-MBN Network (Theater a: PKa / SKa, PKa; Theater B: PKB / SKB, PKB)
4.4.1 Primitives

Authentication via certificates
In the theater, each networking node is associated with a personal RSA key pair (PK, SK). PK is the node’s public key for encryption and verification; SK is the node’s private key for decryption and signing. For the purpose of authentication, the node’s public key has to be certified by the CA of its theater. Generally a certificate is a statement that is signed by the theater’s CA. The statement may read: “It is certified that the personal public key of node [node id] is [public key], starting from the signing time [signing time] until the expiration time [expiration time].” In RSA, the public key consists of the modulus and the public exponent, and the private key consists of the modulus and the secret exponent. A valid certificate is signed by the CA’s private key: the statement is raised to the CA’s secret exponent modulo the CA’s modulus. The CA’s public key is assumed to be well known in the network. Other nodes verify the node’s certificate by applying the CA’s public key: they raise the signature to the CA’s public exponent modulo the CA’s modulus and check that the result equals the statement.
Security services related to certification
Certification services include certificate issuing, certificate renewal, certificate revocation, and storage/retrieval of certificates and the certificate revocation list (CRL). A valid certificate has to pass two tests: (i) it is not expired, and (ii) it is not in the CRL.
We assume every node has obtained a valid certificate before it joins the UAV-MBN network. Valid certificates are used in WTLS [100] to enforce end-to-end transport layer security in wireless networks. In WTLS’s class 3 authentication, both sender and receiver present and verify each other’s certificates. A shared master secret is then established between them to derive cipher keys used in secure communication. In ad-hoc networks, routing protocols are based on hop-by-hop packet forwarding. A node can be effectively isolated when all its neighboring nodes refuse to forward its packets. Thus by enforcing a data forwarding policy for the authenticated nodes only, nodes without valid certificates are isolated in the network.
4.4.2 Infrastructure Mode with UAV

With the UAV's presence the theater operates in the infrastructure mode. We propose an architecture of centralized certification, centralized counter-certification and distributed local intrusion detection for this mode. The CA is implemented at the UAV to provide certification services for ground nodes in the theater (4.4.2). Inter-theater authentication is achieved through the interactions among UAVs through the aerial mobile backbone (Figure 4.3). End-to-end secure communication is realized by transport layer security via WTLS (4.4.2). Security states are maintained in the theater for transition to infrastructureless mode once the absence of its UAV is detected (4.4.2).
Certification and Counter-certification
At the bootstrapping phase of the UAV-MBN network, every theater is equipped with a UAV and operates in infrastructure mode. The CA, with its key pair, is implemented at the UAV. Each CA's public key is well known in the network. Given the number of theaters in the network, our design requires each ground node to store the corresponding number of public keys. We discuss the storage issue for low-end ground nodes in 4.6. Certification is employed to authenticate intact nodes and isolate compromised nodes. The certificates held by the compromised nodes are revoked upon intrusion detections. We employ two complementary methods to achieve the goal.
1. Implicit certificate revocation by enforcing frequent certificate renewals in short periods.
2. Explicit certificate revocation by counter-certification.
In the case of implicit certificate revocation, a theater parameter is predefined in the theater to bound the valid time of all certificates. That is, a certificate holder must renew its certificate within that period. The appropriate value for the period depends on the UAV's computation power and the number of ground units in its theater. In the case of explicit certificate revocation, compromised units are put into the theater CRL. On the Internet, normally a CRL is stored in a trusted centralized storage. If the CRL needs to be stored distributedly, an item in the CRL may be forged at each replication site. In our design we employ counter-certificates to solve this problem. Whenever a node is considered to be defected, the CA signs a counter-certificate against it, marked with a special tag for counter-certificates. By counter-certification nobody except the CA can generate an item in the CRL. To ensure access to the theater CRL, CRL updates (i.e., new counter-certificates) are always delivered to all nodes in the theater. Unlike other CRL designs, in our design all counter-certificates are signed and not forgeable. They are public information that can be safely exchanged between any two nodes. Delivering counter-certificates is similar to delivering routing updates at the IP layer where only unreliable channels are available. (i) A one-to-many broadcast requires a reliable broadcasting mechanism. It is similar to link-state algorithms where one node must send its updates to all other nodes. (ii) On the other hand, if reliable broadcast is expensive, any update can be delivered to all nodes by exchanging information only among one-hop neighbors. It is similar to distance vector algorithms where one node only sends its updates to one-hop neighbors, and all nodes synchronize their caches in a number of rounds of one-hop communication equal to the diameter of the network, or the diameter of the theater in our design.

The CRL's storage requirements are optimized by the implicit revocation mechanism. Each node only needs to maintain the subset of counter-certificates signed within the past renewal period. That is, given a counter-certificate and the current time, a node must store the counter-certificate if it was signed less than one renewal period ago, or discard it otherwise.
Intrusion Detection
When a ground node is compromised by the enemy, each neighboring node that perceives this incident sends an accusation to the theater CA. The accusation is a statement accusing the node, signed with the accuser's private key. It is then delivered to the UAV together with the accuser's valid certificate. Once the UAV receives a certain number (the threshold) of such accusations against the node, it signs the counter-certificate toward the node and broadcasts it in the theater.
The threshold is a critical parameter of the theater. If somehow the enemy manages to capture and compromise a threshold number of ground nodes before being detected by their neighbors, the enemy can generate false accusations from these compromised nodes against intact nodes. The result is decided by a temporal competition between the intact community and the compromised but not-yet-revoked nodes. There is at least one advantage available to the intact community: the enemy will experience a non-trivial delay to compromise the captured devices and then issue false accusations. Adding various tamper resistance mechanisms [16, 35] to wireless devices can further increase the delay, thus minimizing the winning chance of the compromised nodes.
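The certification, counter-certification and threshold-accusation rules of this section carried through in code, as an added example that is not part of the dissertation or its implementation; the toy RSA key, the renewal period of 100 time units, the threshold of 3, the tag name and the statement formats are all assumed:

```python
"""Toy model of the theater certification services: CA-signed certificates,
CA-signed counter-certificates forming the CRL, threshold accusations and
implicit revocation by a bounded renewal period. Constructed example."""
import hashlib
from dataclasses import dataclass

# Constructed toy RSA key pair for the theater CA (far below the 1024 to 2048 bit
# keys the text assumes; illustration only).
P, Q = 1000000007, 998244353
N = P * Q                           # modulus, public
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # secret exponent (Python 3.8+)

T_RENEW = 100            # renewal period bounding certificate lifetime (assumed value)
K_ACCUSE = 3             # accusation threshold (assumed value)
COUNTER_TAG = "COUNTER"  # special tag marking counter-certificates (name assumed)


def _to_number(statement: str) -> int:
    """Map a statement to a number below N (toy; real RSA uses PKCS#1 encoding)."""
    return int.from_bytes(hashlib.sha256(statement.encode()).digest(), "big") % N


def ca_sign(statement: str) -> int:
    """CA only: the statement raised to the secret exponent modulo N."""
    return pow(_to_number(statement), D, N)


def ca_verify(statement: str, signature: int) -> bool:
    """Any node: raise the signature to the public exponent and compare."""
    return pow(signature, E, N) == _to_number(statement)


@dataclass(frozen=True)
class Certificate:
    node: str
    public_key: int
    signed_at: int
    expires_at: int
    signature: int

    def statement(self) -> str:
        return (f"certified: public key of {self.node} is {self.public_key} "
                f"from {self.signed_at} until {self.expires_at}")


@dataclass(frozen=True)
class CounterCertificate:
    node: str
    signed_at: int
    signature: int

    def statement(self) -> str:
        return f"{COUNTER_TAG}: {self.node} revoked at {self.signed_at}"


def issue_certificate(node: str, public_key: int, now: int) -> Certificate:
    """Every certificate expires T_RENEW after signing, forcing frequent renewal."""
    unsigned = Certificate(node, public_key, now, now + T_RENEW, 0)
    return Certificate(node, public_key, now, now + T_RENEW, ca_sign(unsigned.statement()))


def issue_counter_certificate(node: str, now: int) -> CounterCertificate:
    unsigned = CounterCertificate(node, now, 0)
    return CounterCertificate(node, now, ca_sign(unsigned.statement()))


def is_revoked(node: str, crl: list) -> bool:
    """Only CA-signed counter-certificates count; a forged CRL entry is ignored."""
    return any(cc.node == node and ca_verify(cc.statement(), cc.signature) for cc in crl)


def certificate_valid(cert: Certificate, crl: list, now: int) -> bool:
    """The two tests of 4.4.1 (not expired, not in the CRL) plus the CA signature."""
    return (ca_verify(cert.statement(), cert.signature)
            and cert.signed_at <= now < cert.expires_at
            and not is_revoked(cert.node, crl))


def prune_crl(crl: list, now: int) -> list:
    """Implicit revocation: a counter-certificate older than T_RENEW can be dropped,
    because every certificate it could invalidate has expired by then."""
    return [cc for cc in crl if now - cc.signed_at < T_RENEW]


class TheaterCA:
    """UAV-hosted CA: counts distinct accusers and counter-certifies at K_ACCUSE."""

    def __init__(self):
        self.crl = []
        self.accusers = {}

    def accuse(self, accuser_cert: Certificate, accused: str, now: int):
        # The accusation arrives with the accuser's own certificate, which must be
        # valid and unrevoked; the accusation's own signature check with the
        # accuser's personal key is left out of this toy.
        if not certificate_valid(accuser_cert, self.crl, now):
            return None
        names = self.accusers.setdefault(accused, set())
        names.add(accuser_cert.node)          # one vote per distinct accuser
        if len(names) >= K_ACCUSE and not is_revoked(accused, self.crl):
            cc = issue_counter_certificate(accused, now)
            self.crl.append(cc)               # broadcast theater-wide in the real design
            return cc
        return None
```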
Intra-theater and Inter-theater Secure Communication
The first step toward secure communication is the authentication between two communicating ground nodes. In general, these two nodes need to verify each other's certificate using (1) the well-known theater public keys and (2) the authentic up-to-date theater CRLs (Figure 4.4). In this section we present our design for authentication between two nodes both from theaters operating in infrastructure mode. 4.4.3 studies the scenarios where one or both nodes are from theaters operating in infrastructureless mode.

[Figure 4.4: Enhanced WTLS Session Handshake. Sender: senderHello (at time t1), then obtain authentic theater CRL (after t1). Receiver: receiverHello (at time t2), then obtain authentic theater CRL (after t2). Both sides then exchange certificates and master secret, and exchange application data; these steps run at the transport layer over intra-theater or inter-theater routing at the network layer.]

For intra-theater authentication, since the UAV always broadcasts the theater's up-to-date CRL, the step of exchanging the authentic up-to-date CRL can be skipped since each node already has a local copy. Two ground nodes simply exchange their certificates to complete the authentication step.
When these two nodes are from different theaters, each of them must provide the other node with the authentic and up-to-date CRL of its own theater. To get an up-to-date CRL of its theater, a node has two options. It can query its UAV so that the UAV combines all the counter-certificates and returns a UAV-signed CRL with the current timestamp to satisfy the timeliness requirement. The node may also query its neighboring ground nodes so that each of them returns a signed CRL with the current timestamp. Both a UAV-signed CRL and a threshold number of node-signed CRLs are considered to be authentic, where the threshold is set to be the same threshold as in counter-certification. The second option can be applied when the UAV is under heavy load that results in large delay, or when the theater is in infrastructureless mode (4.4.3). The node then forwards the CRL(s) to its peer. If node-signed CRLs are received, the peer checks all of them to verify that the node's certificate is not revoked by any of these CRLs.
Ground nodes without valid certificates or having their certificates revoked are isolated. Their packets are dropped by other ground nodes or UAVs. On the contrary, two authenticated nodes can establish secure communication channels to ensure message privacy, integrity and non-repudiation. Depending on whether the two communicating nodes are in the same theater, intelligent intra-theater routing protocol [32] or multi-theater routing protocol [31] is employed with WTLS protocols to securely and efficiently exchange application data (Figure 4.4).
Transition to Infrastructureless Mode
Although both communication and authentication in infrastructure mode feature efficiency with low overhead and flexibility as in a centralized system, the infrastructure is vulnerable to attacks. Deploying UAV-MBN networks in hostile environments has to handle the situation when the UAV becomes unavailable for any reason. A naive make-up is to replicate the theater CA to some ground nodes. However, as each replicated CA is exposed to unpredictable compromises on the ground, this scheme sacrifices the overall security level due to single-point compromise. Based on Shamir's secret sharing [88], our solution is to distribute the certification services into each ground node when the theater is operating in infrastructureless mode without the UAV. As a result, a localized coalition with a threshold number of members collaboratively provides authentication services to its locality, while the system tolerates any number of break-ins below the threshold. Due to the inherent local connectivity redundancy of ad-hoc networks, each ground node can receive highly available authentication services from its vicinity. The threshold parameter is set to the same number as in counter-certification in order to maintain a comparable security level as in the infrastructure mode.
We present the service instantiation for infrastructureless mode in 4.4.3.
Smooth transition to infrastructureless mode is accomplished by a backup scheme. Occasionally, the theater's UAV generates a backup authoritative key pair. We name the original key pair the UAV's primary authoritative key pair to differentiate it from its backup key pair. As has been done for the primary verification key, the backup verification key is advertised and well known in the network. The backup signing key is shared among the ground nodes in the theater. By end-to-end secure channels, each authenticated node obtains a secret share from the UAV. Since unauthenticated nodes cannot establish end-to-end secure channels without valid certificates, they are disqualified from being secret share holders. This process creates a backup distributed certification authority (DCA) in the theater that will be functional in the infrastructureless mode. Each ground node will have to maintain the primary and the backup public keys for every theater, resulting in a public-key storage requirement of two keys per theater in the network (4.6). In Shamir's scheme, compromise of a threshold number of secret shares will expose the backup signing key, thus the UAV must update the theater's backup key pair before the detected compromises reach the threshold. Switching to infrastructureless mode is triggered by the absence of the UAV, which may be detected by timeout-based UAV beaconing or line-of-sight perception. At the absence of the UAV, the theater switches to infrastructureless mode and the backup signing key starts to function as the official signing key.
4.4.3 Infrastructureless Mode without UAV

We propose an architecture of distributed certification, distributed counter-certification and distributed local intrusion detection when the theater is operating in infrastructureless mode. The functionality of the certification authority is distributed among each surviving ground node. A local coalition of a threshold number of ground nodes collaboratively provides services to a certification request (4.4.3). Intra-theater and inter-theater authentication are presented in 4.4.3. The transition to infrastructure mode is studied in 4.4.3.

Distributed Certification Services
Given the size of the network, a system parameter (the threshold), and a centralized CA with an RSA key pair, cryptographic algorithms [27, 86, 81, 89, 52] and systems [103, 110, 111] allow the functionality of the CA to be distributed into the network where each node becomes a partial CA. Each partial CA holds a secret share, and a coalition of any threshold-out-of-all partial CAs can function as the centralized CA. During the certification process each partial CA in the coalition signs a partial certificate with its secret share; the complete certificate can be obtained by combining the threshold number of partial certificates.
Such a decentralized scheme is able to find a balance point between service availability and intrusion tolerance. The adversaries must turn off enough partial CAs that fewer than the threshold remain in order to turn off certification services, while they must break into a threshold number of partial CAs to steal the signing key.
Further contributions on proactive secret share updates [37, 29, 28, 81], verifiable secret sharing [24, 91, 87], and fully-distributed DCA [52] offer more security guarantees in applying the decentralized scheme in the context of scalable networks with long-term adversaries and untruthful coalition members. In a scalable network with a large number of secret share holders, not only can the secret shares be proactively refreshed to resist break-ins, but also signing a message with a fake secret share can be detected publicly or by the service requester. Compared to the above scheme, a naive CA-replicating scheme would reveal the signing key once a single site is compromised. A KDC-based authentication scheme [26, 93] lacks background and experience to distribute system secrets to multiple nodes, while both service availability and intrusion tolerance must be guaranteed. We employ the distributed CA in the infrastructureless mode. The cryptographic details are presented in the Appendix.

In a theater operating in the infrastructureless mode, a node's certification request is served by a local coalition of a threshold number of secret share holders. After each coalition member signs and returns a partial certificate, the node is able to obtain a CA-signed certificate as if the centralized CA were present in its locality. Counter-certification is similar to the certification process. Once a compromised ground node is detected by its neighbors, each of them signs a partial counter-certificate against it. A full counter-certificate is generated by combining a threshold number of such partial counter-certificates. Then it is flooded in the theater so that other nodes in the theater can update their CRL caches.
Intra-theater and Inter-theater Secure Communication As in the infrastructure mode, end-to-end secure channels can be established if both ends hold valid certificates. For intra-theater communications, the step of exchanging CRLs can be skipped because the theater CRL is already locally cached.
For inter-theater communications, two scenarios are possible. In the first scenario one node is from a theater operating in infrastructure mode and the other from a theater operating in infrastructureless mode. In the second scenario both parties are from theaters operating in infrastructureless mode. In either scenario, if a node is from a theater operating in the infrastructure mode, it may choose either of the two alternatives described in 4.4.2 to acquire the authentic and up-to-date theater CRL. If a node is from a theater operating in the infrastructureless mode, it has to query a threshold number of other nodes in the same theater in the absence of the UAV, typically among its neighbors. Each of these nodes returns a signed CRL with the current timestamp to satisfy the timeliness requirement. The communication peer verifies that the node's certificate is not revoked by any of these CRLs.

Transition to Infrastructure Mode
Ground nodes that belong to a theater in infrastructureless mode may join other theaters with UAVs for more efficient communication. Besides, a new UAV with the original authoritative key pair may become available so that the theater can switch back to infrastructure mode. The new UAV first broadcasts a hello message signed with that key in the theater to claim authority, then it has to obtain the authentic and up-to-date CRL. The new UAV can obtain signed CRLs from exactly a threshold number of surviving ground nodes with appropriate certificates. If the certificate of any of these nodes is revoked by the resulting CRL, the procedure has to restart. Alternatively, the new UAV can obtain signed CRLs from more than a threshold number of surviving ground nodes, then pick out a set of a threshold number of nodes such that none of their certificates is revoked by the CRLs they signed. After the new UAV claims authority and obtains the authentic up-to-date CRL of the theater, it can provide efficient security services to all surviving ground units.
4.5 Threshold cryptography

4.5.1 Threshold-resilient Polynomial Sharing of the Backup Signing Key

We adopt polynomial secret sharing to share the theater's backup certification key pair among the theater. Let the RSA modulus be the product of its two secret primes. In our algorithm, each polynomial share and its additive share in terms of a specific coalition are defined over the ring of integers modulo the RSA modulus itself, instead of over the rings used in the previous works [27, 86, 81, 89].

In the infrastructure mode (4.4.2), the UAV chooses a random polynomial whose coefficients, other than the shared secret, are uniformly distributed random numbers over a finite field. The UAV then privately sends each ground node, identified by its ID, a polynomial share equal to the polynomial evaluated at that ID modulo the RSA modulus. By this means we eliminate the insecurity of releasing the secret parameters behind the modulus. Moreover, with the threshold-bounded coalition offsetting that is presented below, we make the conversion from polynomial shares to additive shares scalable to the overall theater size. Only the IDs and shares of the participating coalition nodes are involved.
4.5.2 Localized Multi-signature

A ground node first chooses a coalition of a threshold number of nodes from its neighborhood. Note that the node itself can also be in the coalition if it is a secret share holder, hence it needs only one fewer neighboring share holders. It broadcasts the request, together with the IDs of these nodes. Once a node receives the request and decides to serve the request, it first translates its secret share into its Lagranged secret share, the product of the share and its Lagrange coefficient modulo the RSA modulus, where the Lagrange coefficient of a member in the coalition is defined as in standard Lagrange interpolation over the coalition's IDs. Lagrange interpolation ensures that the sum of the coalition's Lagranged shares is congruent to the shared signing key modulo the RSA modulus. For an arbitrary number/message, the following formula holds in arithmetic:

(4.1)

That is, the signed message can be obtained from the product of the coalition members' partial signatures, each computed with a Lagranged share.
4.5.3 Threshold-bounded Coalition Offsetting

In Equation 4.1, the sum of the Lagranged shares is congruent to the signing key modulo the RSA modulus, so it equals the signing key plus a certain multiple of the modulus. However, there is no mathematical identity that ensures that the result of the multiplicative multi-signature equals the message signed with the signing key. Fortunately, each Lagranged share, being reduced modulo the modulus, is a value between 0 and the modulus due to modular arithmetic. Thus the unknown multiple satisfies the inequality that it is at least zero and less than the coalition size, the threshold. After Algorithm 1 we are able to recover the signed message from the product of the partial certificates, with the help of the original message and the system public key.

Algorithm 1 Threshold-bounded Coalition Offsetting
Require: the product of all partial certificates.
1: compute the offset factor: the original message raised to the modulus, modulo the modulus
2: set the round counter to zero
3: while the round counter is less than the threshold do
4:   if (verifying the current product with the public key yields the original message) then
5:     Success, break the loop
6:   end if
7:   divide the current product by the offset factor, modulo the modulus
8:   increment the round counter
9: end while
Ensure: the current product equals the message signed with the signing key.

In an ad-hoc network the threshold is a small number corresponding to the number of nodes in a neighborhood. Thus the loop in Algorithm 1 ends within a reasonable number of rounds. Also it is well known that public-exponent verification in RSA is an inexpensive operation [102]. The complexity of threshold-bounded coalition offsetting is the sum of one exponentiation, at most a threshold number of modular multiplications, and at most a threshold number of RSA public-exponent verifications.
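Sections 4.5.1 to 4.5.3 carried through in code, as an added illustration that is not the dissertation's implementation: a toy RSA key whose secret exponent is shared over the ring modulo the modulus, Lagranged partial signatures by a coalition of k nodes, and the offsetting loop of Algorithm 1 (the key size, the node IDs and k = 3 are assumed):

```python
"""Threshold RSA signing over the ring modulo the RSA modulus N, with the
offsetting loop that removes the unknown multiple of N from the exponent.
Constructed example with a toy key; not the dissertation's implementation."""
import random

# Constructed toy RSA key; the secret primes are used only to derive D and are
# never released to the share holders.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # backup signing key to be shared (Python 3.8+)

K = 3   # threshold k, the coalition size (assumed value)


def deal_shares(secret: int, k: int, node_ids: list, seed: int = 7) -> dict:
    """UAV side: f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1) mod N, share_i = f(id_i).
    Only N appears here, so neither phi(N) nor the primes are ever exposed."""
    rng = random.Random(seed)
    coeffs = [secret] + [rng.randrange(1, N) for _ in range(k - 1)]
    shares = {}
    for nid in node_ids:
        value = 0
        for c in reversed(coeffs):          # Horner evaluation modulo N
            value = (value * nid + c) % N
        shares[nid] = value
    return shares


def lagrange_coeff(i: int, coalition: list) -> int:
    """lambda_i = prod_{j != i} (0 - id_j) / (id_i - id_j) mod N.
    The inverse exists because |id_i - id_j| is far smaller than either prime."""
    num, den = 1, 1
    for j in coalition:
        if j != i:
            num = (num * (-j)) % N
            den = (den * (i - j)) % N
    return (num * pow(den, -1, N)) % N


def partial_signature(message: int, share: int, i: int, coalition: list) -> int:
    """Coalition member side: sign with the Lagranged share (share * lambda_i mod N)."""
    lagranged = (share * lagrange_coeff(i, coalition)) % N
    return pow(message, lagranged, N)


def combine_with_offsetting(message: int, partials: list, k: int):
    """Requester side (Algorithm 1). Each Lagranged share lies in [0, N) and their
    sum is congruent to D mod N, so the product of the partials equals
    message^(D + t*N) = message^D * (message^N)^t for some 0 <= t < k.
    Divide out message^N once per round until the public key verifies the
    result. Returns (signature, t)."""
    y = 1
    for p in partials:
        y = (y * p) % N
    x_inv = pow(pow(message, N, N), -1, N)   # the single exponentiation, inverted
    for t in range(k):
        if pow(y, E, N) == message:          # RSA public-exponent verification
            return y, t
        y = (y * x_inv) % N                  # one modular multiplication per round
    raise ValueError("no offset below k verified: too few or corrupt partials")


def coalition_sign(message: int, shares: dict, coalition: list, k: int):
    """Full localized multi-signature: k Lagranged partials, then offsetting."""
    partials = [partial_signature(message, shares[i], i, coalition) for i in coalition]
    return combine_with_offsetting(message, partials, k)
```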
4.6 Discussions

4.6.1 Protecting backup certificate signing key

In the infrastructure mode, the UAV maintains the backup DCA by distributing the backup certificate signing key in the theater. The backup DCA key pair is occasionally updated, before the number of compromised ground nodes reaches the threshold. In the infrastructureless mode, it is ineffective to generate and renew the backup DCA key pair due to lack of central management (footnote 1). Fortunately, proactive secret share update [37, 29, 28, 81] and self-initialization [52] allow the network to periodically update all the ground nodes' secret shares without compromising the shared secret. As long as fewer than a threshold number of nodes are broken between two consecutive secret share updates, the backup signing key is protected against break-ins and can remain unchanged throughout.
4.6.2 Threshold

The threshold affects our system in the following aspects:

Intrusion tolerance: In the infrastructureless mode, if the enemy is able to break a threshold number of nodes between two consecutive share updates, the backup DCA signing key is compromised. Various tamper resistance mechanisms [16, 35] can be further applied to increase the level of intrusion tolerance.

Certification service availability: In the infrastructureless mode, the communication overhead is minimal when a ground node has at least a threshold number of one-hop partial CAs. Otherwise, any of the partial CAs can serve as a proxy and use its own trust to bring in more partial CAs, though the communication overhead is increased in this scenario.

False accusations: As described before, the threshold should be appropriately chosen so that the intact community outperforms the not-yet-revoked defected nodes. Obviously the threshold must be greater than the expected number of nodes involved in a captivity. Battlefield statistics are helpful in finding an appropriate value, and adding tamper resistant mechanisms to mobile devices helps to decrease the value.

Counter-certification overhead: In either mode, a threshold number of valid accusations or partial counter-certificates are needed to revoke a certificate. The overhead of counter-certification increases as a larger threshold is adopted.
In military environments, the privilege for every node is inherently hierarchical and heterogeneous. For example, a lieutenant usually holds more confidential information than a private. This implies that an asymmetric function sharing model is more reasonable. In UAV-MBN networks, the MBN nodes could hold more shares of the backup DCA than common soldiers. If an MBN node holds one share fewer than the threshold, it only needs another regular ground mobile node to function as the backup DCA. However, breaking the MBN nodes also results in more damage on security services.

Footnote 1: Though shared key-generation schemes are available in the literature [12, 58], the resulting key pair is revealed to the key-generation requester. Besides, it is an open question who has the authority to annul the current signing key.
4.6.3 Less than a threshold number of neighbors

So far we assume that the requesting entity has at least a threshold number of one-hop neighbors. In the simulation described in 4.7.2, every requesting entity broadcasts the requests for a limited number of times (e.g., 2-3) over a time window to "accumulate" enough neighbors, even if at any time instant it does not have a threshold number of neighboring nodes. In this scenario the node mobility actually helps in providing certification services. Besides, in tactical mobile networks group mobility [38, 73, 72] is considered a valid mobility model where a group of network entities randomly roam together within a certain distance. Appropriate group sizes can be chosen according to the threshold, or vice versa.

Node certification can also be built on top of the perception-based intrusion detection, as we assumed in Section 4.3. An uncompromised node might fail to maintain certification because it had met fewer than a threshold number of neighbors. As long as it is currently identified as uncompromised by a threshold number of neighbors, they should issue a valid new certificate to it according to the intrusion detection model. On the other hand, even if a compromised node is not counter-certified because fewer than a threshold number of uncompromised nodes are present in its neighborhood, its current certificate will expire in less than one renewal period. After that it cannot obtain a new valid certificate in our intrusion detection model.
4.6.4 Storage Requirements

The theater CRL, the primary public keys, and the backup public keys of all theaters are required to be locally stored at each node. From our empirical experience, the size of a public key or a counter-certificate is normally in the range of 128 to 256 bytes (for RSA signing key lengths of 1024 to 2048 bits). Given the typical size of a theater and the probability of compromise, the storage required for the system CRL and public keys is acceptable for most low-end devices (on the order of 200k bytes). Besides, the implicit revocation mechanism helps to reduce the storage requirement significantly (4.4.2). The storage requirement can be further optimized with standard features available in WTLS [100], where a URL-based access method has been invented to relieve low-end devices from storing information locally. In particular, low-end devices can put information on trusted nodes with enough storage, then use short URLs to refer to the resources. In our system where WTLS is implemented, a low-end node stores information locally when it can; otherwise it has to depend on storage resources on other local nodes. This can be realized on the cluster-head MBN nodes, or even the UAV. The compromise of MBN nodes or the failure of the UAV may hurt the availability of this public information, but not the overall system security level since no secret information is exposed. The affected nodes can obtain the public information from their neighborhood in real time, as described in 4.4.3.
4.7 Evaluation of Implementation and Simulation We have implemented our design on both UNIX platforms and a popular network simulator GloMoSim [97]. In this section we will first evaluate computation overheads of our cryptographic implementations on heterogeneous UNIX platforms, then evaluate network communication overheads and the impact of mobility by our UAV-MBN implementation in GloMoSim simulator.
4.7.1 Computational Measurements and Evaluation

We have realized the standard transport layer security protocol WTLS [100] and the fully-distributed backup DCA in our implementation. We use SPECint [90] metrics to differentiate computation power on heterogeneous platforms. The testbed we employed is shown in Table 4.1, where H2 to H4 represent heterogeneous computation power from various mobile laptops, and H1's computation power is less than popular portable computing devices such as the iPaq (footnote 2).

Table 4.1: Testbed configuration
Host  CPU               O.S.        SPECint1995
H1    microSPARCII 85M  Solaris2.7  1.3
H2    PentiumII 300M    RedHat 6.2  12
H3    PentiumIII 500M   RedHat 6.2  21
H4    PentiumIII 850M   RedHat 6.2  39

Table 4.2: Measurements of Computation Delay in RSA cryptosystem
key length (bit)   public-exponent verification (10 second)   secret-exponent signing (second)
                   H1   H2   H3   H4                          H1      H2      H3      H4
768                4    2    1    1                           0.640   0.031   0.017   0.010
1024               4    2    1    1                           1.295   0.066   0.039   0.019
1280               4    2    1    1                           2.461   0.121   0.067   0.037
1536               4    3    1    1                           3.854   0.172   0.109   0.059

Footnote 2: Though there is no official SPECint result measured for the iPaq's StrongARM CPUs, results obtained from industry (e.g., http://n0cgi.distributed.net/statistics/stats.html) show that the SPECint95 value for the StrongARM/206M CPU falls in the range between 3 and 6.
Table 4.3: Measurements of Computation Delay in backup DCA (varying CA's signing key length, result unit: second)
CA's key (bit)   Sign a Partial Certificate (as a coalition member)   Combine Partial Certificates (as a service requester)
                 H1      H2     H3     H4                             H1      H2     H3     H4
768              1.48    0.08   0.04   0.02                           1.65    0.09   0.04   0.02
1024             3.17    0.17   0.08   0.05                           3.33    0.19   0.09   0.06
1280             5.55    0.30   0.15   0.09                           5.90    0.33   0.17   0.09
1536             10.13   0.79   0.25   0.15                           10.43   0.53   0.27   0.16

Table 4.4: Measurements of Computation Delay in backup DCA (varying system parameter, CA's signing key length = 1024 bit, result unit: second; SPC = sign a partial certificate, Combine = combine partial certificates)
threshold   H1 SPC   H1 Combine   H3 SPC   H3 Combine
2           2.991    3.304        0.079    0.094
3           2.998    3.293        0.080    0.096
5           3.174    3.328        0.080    0.096
7           3.163    3.530        0.082    0.099
10          3.099    3.394        0.081    0.098
20          3.078    3.458        0.080    0.100
30          3.082    3.410        0.080    0.098
We use RSA cryptographic primitives to realize the public key cryptosystem in our design. The results shown in Table 4.2 illustrate that the performance of the RSA cryptosystem is not prohibitively expensive even for the low-end device. Thus leveraging PKI-based approaches in wireless ad-hoc networks is an acceptable solution. Tables 4.3 and 4.4 illustrate the computation overhead of our distributed certification services under typical cryptographic and network settings. In Table 4.3, various values for the length of the signing key are selected, while the threshold is kept as a constant in typical network scenarios. Our measurements show that computation power is a critical factor that affects the efficiency of our design, although for typical scenarios the performance is acceptable (assuming nowadays typical RSA key lengths of 1024 and 1280). A major computation overhead owes to exponentiation on large numbers. We observe that the standard RSA secret-exponent signing is almost 2.5 times faster than signing a partial certificate or combining partial certificates. This is due to a major optimization technique employed in the PKCS#1 standard [85] when every secret parameter in the RSA signing key is known (i.e., the two secret primes of the RSA modulus). The Chinese remainder theorem allows the RSA algorithm to reduce the exponentiation on the large private exponent to smaller exponents with values less than each prime, thus significantly decreasing the computation overhead. When the secret primes are not available, such an optimization technique cannot be used. In Table 4.4, various values for the threshold are selected, while the CA's signing key length is kept as a typical value. The measurements show that the variation of the threshold has small impact on the computation delay for certification services, since the partial certificates are signed in parallel by the coalition members.
Table 4.5 shows the computation overhead in establishing an end-to-end secure channel between two arbitrary nodes. By enforcing WTLS authentication class 3 in the UAV-MBN network, both sides must do authentication by presenting valid certificates. The authentication delay incurred is only a one-time cost for each session. The measurements show that the one-time cost is acceptable since the users need not tolerate more than 10 seconds of session startup delay. After that a secure channel is established between the two ends. Cryptanalysis [98] has shown that the SSL/TLS/WTLS protocol is robust against attacks.

Table 4.5: Measurements of Computation Delay for Authentication and Cipher Key Exchange in WTLS Session Handshake (result unit: second)
key length (bit)   Client Side (WTLS class 3)     Server Side (WTLS class 2 & 3)
                   H1     H2     H3     H4         H1     H2     H3     H4
768                0.51   0.03   0.02   0.01       0.64   0.04   0.02   0.02
1024               1.01   0.06   0.03   0.02       1.29   0.07   0.03   0.02
1280               1.80   0.11   0.05   0.03       2.46   0.14   0.06   0.03
1536               2.84   0.16   0.08   0.05       3.85   0.22   0.11   0.06
4.7.2 Communicational Measurements and Evaluation

Our simulation environment for the UAV-MBN network is GloMoSim and hierarchical landmark [104]. We model a single theater in infrastructureless mode with 1000 ground nodes placed randomly within a 3200m by 3200m area. Among them 100 are MBN nodes with point-to-point direct wireless link of 800m transmission range. Others are regular nodes with broadcasting wireless link of 175m range.
[Figure 4.5: Average Certification Delay (Average Delay [second] vs. System Parameter K from 2 to 16, for node mobility 2.5m/sec, 10m/sec and 40m/sec).]

[Figure 4.6: Average Certification Overhead (Average Communication Overhead [Byte] vs. System Parameter K from 2 to 16, for node mobility 2.5m/sec, 10m/sec and 40m/sec).]

[Figure 4.7: Certification Request Success Ratio (Ratio of Successful Requests (%) vs. System Parameter K from 2 to 16, for node mobility 2.5m/sec, 10m/sec and 40m/sec).]
Performance is measured for the certification service over the entire backbone, where each node periodically broadcasts a certification request to "accumulate" partial certificates. In particular, whenever a request is issued, the next request is scheduled at the midpoint between the current clock time and the certificate expiration time. Therefore, (i) if a request fails to obtain a new full certificate, the subsequent retries of the same request are issued more and more frequently as the clock approaches the expiration time; and (ii) if a request succeeds, the first renewal request is scheduled at the midpoint of the new certificate's validity period. The assumed backup signing key length is 1024 bits and the assumed computation power corresponds to 0. Each request is served within the one-hop neighborhood only, as no routing scheme is employed.
The first set of experiments, in Figure 4.5, shows the average delay of the certification service. With various K values at typical roaming speeds (2.5m/sec, 10m/sec, 40m/sec), the average service delay of a certification request increases as K grows. This is because extra effort is demanded to collect more partial certificates. When K is greater than a critical value (14 in this scenario), it is prohibitively difficult to find enough neighbors, and system performance degrades. In Figure 4.6, we study the impact of the certification service on the bandwidth of the UAV-MBN network. With various K values under typical roaming speeds, the results show that the overall certification overhead of all nodes increases linearly with K, since more partial certificates need to be collected and the number of partial certificates increases linearly, as analyzed in 4.6.2. After a K-coalition is formed, communication among its members may still fail for reasons such as node mobility and wireless channel errors. In Figure 4.7, we study the success ratio of certification requests as a function of K. The result shows that a 100 percent ratio is achieved for reasonable K values. Once K grows beyond a critical value (11 in this scenario), more certification requests fail, as it becomes harder to maintain the K-coalitions.
The simulation confirms that the one-hop certification design is insensitive to varying mobility in UAV-MBN networks with reasonable configuration, thus is ready to realize end-to-end communication security for the roaming entities in battlefields.
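The midpoint renewal schedule described above, as an added example that is not code from the prospectus or its simulator. Certificate lifetimes, the clock granularity and the sequence of request outcomes are constructed for illustration; the rule itself (next request halfway to expiry, reset on success) is the one the text describes.

```python
from dataclasses import dataclass, field


def next_request_time(now: float, expires_at: float, clock_tick: float = 1.0):
    """Midpoint rule: the next certification request is scheduled halfway
    between the current clock and the certificate's expiration time.
    Returns None when less than one clock tick of lifetime remains, i.e. the
    certificate will lapse before another request could be served."""
    remaining = expires_at - now
    if remaining < clock_tick:
        return None
    return now + remaining / 2.0


@dataclass
class RenewalRun:
    request_times: list = field(default_factory=list)  # clock values at which requests were issued
    renewed_at: list = field(default_factory=list)     # clock values at which a full certificate was assembled
    expired: bool = False                              # True if the certificate lapsed before renewal


def simulate_renewals(issued_at: float, lifetime: float, outcomes,
                      clock_tick: float = 1.0) -> RenewalRun:
    """Drive the midpoint schedule through a sequence of request outcomes.

    `outcomes` yields one boolean per request (constructed input): True means
    enough partial certificates came back from the one-hop K-coalition to
    assemble a full certificate; False means the request failed (too few
    neighbours in range, mobility, channel errors).  A failure leaves the
    expiry unchanged, so retries bunch up as expiry approaches; a success
    restarts the schedule at the midpoint of the new certificate's lifetime."""
    run = RenewalRun()
    now, expires_at = issued_at, issued_at + lifetime
    for ok in outcomes:
        now = next_request_time(now, expires_at, clock_tick)
        if now is None:
            run.expired = True
            break
        run.request_times.append(now)
        if ok:
            run.renewed_at.append(now)
            expires_at = now + lifetime
    return run


if __name__ == "__main__":
    # one-hour certificate, two failed requests followed by two successes
    print(simulate_renewals(0.0, 3600.0, [False, False, True, True]))
    # a node that never finds enough neighbours: retries bunch up, then expiry
    print(simulate_renewals(0.0, 16.0, [False] * 10))
```

The second run shows the failure mode the text hints at for large K: when every request fails, the schedule halves the interval each time until the remaining lifetime is below the clock granularity and the certificate simply expires.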
Chapter 5 Security Architecture for Application Session Handoff
5.1 iMASH Background and Application Session Handoff
The aim of ubiquitous computing is to provide mobile users "anytime, anywhere, any platform" access to computing services interconnected via a wide-area network such as the Internet. While much research has been performed to provide the infrastructure and application support for this goal, the issue of security has in general been difficult to address. Problems arise due to the highly heterogeneous nature of client devices intended to participate in the ubiquitous computing realm, especially mobile, wirelessly-connected platforms such as laptops and personal digital assistants. Such security issues have arisen in our Interactive Mobile Application Support for Heterogeneous Clients (iMASH) research project [3]. The iMASH architecture is depicted in Figure 1.1. At the top of the figure is an Application Server (AS) that provides services and data to a number of heterogeneous clients, which may include wired desktop PCs and wireless mobile devices. We note that the AS is typically poorly suited to support such a myriad of clients. To improve the service availability of the AS, we introduce a Middleware layer between the AS and the clients. The idea of a middleware tier is not new, but in the context of iMASH the Middleware Servers provide the system with scalability and new functionality, such as Application Session Handoff (ASH). The ASH capability allows users to experience a convergence of all their owned computing platforms. For example, suppose a user is working with an iMASH-enabled application on a wired desktop and then decides to move to a wirelessly connected PDA. By utilising the ASH functionality, the user's application session state is seamlessly moved from the desktop to the PDA in a timely manner upon his request. This session state can include both discrete and streaming data across a variety of network interfaces and bandwidths. We note that the state consists of only the data structures and variables needed for an application to define a session and is never the entire process space, immediately differentiating this approach from process migration. The iMASH Middleware handles data transfer from the desktop on behalf of the user and can automatically adapt the content of moved data to fit the device characteristics of the PDA (such as transcoding to fit the PDA's CPU, bandwidth, and display). To the end user, the program appears as a continuously-living application across all platforms. In [80, 79] we demonstrated the utility of this functionality by enabling the Mozilla web browser and the Teaching File, a real-world medical multimedia program, to utilise ASH within the iMASH environment. In [78] we answered the question of scalability by designing a fully distributed Middleware Service layer composed of multiple autonomous Middleware Servers aggregated together. In recent work we have demonstrated the importance of ASH to mobile computing: this novel functionality allows applications to have a transparently migrating session of both discrete and streaming data seamlessly follow the user around a number of heterogeneous clients. To facilitate this behaviour, a Middleware layer acts as a data conduit and handoff mediator to enable scalability and presentation transcoding. However, despite the successful implementation of a number of new capabilities, the issue of security has been difficult to resolve due to device heterogeneity constraints and lack of support in the iMASH infrastructure. This problem is all the more accentuated when one considers the importance of security in the legal and social context of medical records.
Domain-critical functionality to address such high-priority issues includes the following: (1) authentication and authorization of the users accessing shared system resources; (2) data privacy, data integrity, and data non-repudiation in network communications; and (3) definition of security semantics for our seamless session handoff functionality to support ubiquitous computing. In this prospectus we address these issues and contribute to mobile computing research by providing a number of application-layer protocols to support security for our ASH functionality. By providing efficient and effective security enforcement for ASH, we further strengthen its robustness. We believe ASH will be a key component leading to the convergence of heterogeneous mobile computing clients, and by augmenting its utility, we additionally provide a security framework that we envision can be generalised to support future client-server applications for mobile computing.
The specific challenges presented and addressed in this chapter are to enforce effective access control of system resources and to provide end-to-end security for Application Session Handoff without severely degrading the existing system's performance. A security subsystem must be efficient enough to permit near-uninterrupted session handoff of real-time streaming data. To that end, we have implemented a security architecture that makes ASH resilient to a wide range of attacks, including impersonation, unauthorised access, passive eavesdropping, and malicious message alteration. Throughout our implementation we have utilised a number of known approaches to realise our design. First, to enforce access control, we have applied the well-known and proven Bell-LaPadula access control model to our application infrastructure. Additionally, we have augmented this model with capabilities, an abstract representation of objects and the authorised operations on them, as used in modern operating systems. Second, for network security, we employ a Public Key Infrastructure (PKI)-based scheme to enforce end-to-end security at the transport layer, realised with a push-pull model. To demonstrate the effectiveness of our design, we have implemented a prototype application enabled with the security mechanism. With this implementation we show that our security architecture and protocols provide effective establishment and maintenance of secure channels between the clients, Middleware Servers, and Application Server. Furthermore, through experimentation we show that our system does not unreasonably degrade the performance of the existing iMASH architecture. Finally, we explain how our security architecture can be generalised for future work within iMASH.
5.2 Related Work
Other research efforts have explored the use of software architectures to support mobile computing behaviour, but none have addressed the issue of session handoff between heterogeneous clients. Joseph et al. [47] present the Rover Toolkit's distributed object model to support programming for mobile devices. Active Networks [96] and ANTS [101] suggest the use of programmable network nodes that can be injected with capsules of code and data. The Mobiware Toolkit [1] provides facilities for delivering and adapting data to match network conditions. In the BARWAN project [15] a network of workstations was used as a middleware tier to provide transcoding for multiple WWW clients. Finally, Application Data Services [42] allows users to transfer data from non-traditional network appliances, such as digital cameras, through a network infrastructure.
Security in the context of middleware-based networking is relatively new. Charon [26] uses Kerberos [93] to provide an authentication service to the network, and addresses device heterogeneity by exploiting the computation power available in the middleware. However, Kerberos is essentially an approach based on a centralised key distribution center (KDC). Every authentication request must be processed by the KDC (i.e., the AS/TGS), which places a large workload on the KDC and makes it a single point of failure as well as a DoS target. We seek to authenticate mobile clients through the distributed middleware infrastructure rather than a centralised KDC, thus avoiding a single point of failure at run time.
5.3 Security Architecture The iMASH security architecture is designed to provide ASH with the following features: (1) appropriate authentication of users and devices; (2) well-defined access control to system resources; and (3) secure communication between two arbitrary network entities. As a result, common security concerns, such as authentication, authorisation, message privacy, message integrity, non-repudiation, are addressed to make the system resilient to security attacks.
5.3.1 Design Rationales
Authentication and end-to-end security
To authenticate iMASH users and devices, we employ a certification-based approach leveraging the standard Public Key Infrastructure (PKI), which has been the foundation of several recent network security protocols such as IPsec IKE, TLS, and S/MIME. By setting up an iMASH certification authority (CA) and issuing certificates to valid users and devices, any two communicating entities may establish a temporary trust relationship via the unforgeable and globally verifiable certificates carried by each entity. Once the communicating entities are authenticated, we seek to ensure message privacy, message integrity, and non-repudiation at or above the transport layer. This design rationale is especially effective for wireless clients, which are vulnerable to passive eavesdropping and active alteration due to their broadcast communication channels. In our design, critical data is signed and encrypted at or above the transport layer before reaching the network. Hence, the data security of a network entity can only be broken at its own site, and any break-ins and compromises occurring en route at the
lower layers do not compromise its data security. Recent cryptanalysis [13, 94] has found evident weaknesses and loopholes in certain lower-layer network security protocols, such as the widely deployed 802.11 WEP. However, similar cryptanalysis [98] approves of the transport layer security protocol family SSL/TLS/WTLS [67, 20, 100]. We have employed WTLS in the iMASH system to accommodate heterogeneous wired and wireless clients. Security loopholes in the lower layers do not compromise the end-to-end data security provided in the iMASH system.
Authorisation
Authenticated users are authorised to access system resources. Two well-defined and proven concepts in system security research, namely the access control model and the capability, are employed and extended in the context of ubiquitous computing to enforce system authorisation.
Extended Bell-LaPadula (BLP) Access Control Model
The BLP model [6] is one of the best-known and well-proven access control models for information systems. It defines the security system as a state machine. Each state is a triple made up of a constant set of subjects, a constant set of objects, and an access matrix; the access rights held in the matrix are taken from a finite set of allowed operations, which in the BLP model consists only of read and write.
The BLP model is a Mandatory Access Control (MAC) model which restricts how subjects can pass access rights to other subjects. Subjects and objects are classified into a fixed lattice of security levels. As was shown in [6], it is guaranteed that information from a higher level is not exposed to the lower levels. Additionally, the simple rules of the BLP model can be implemented efficiently and at low cost. In iMASH, we offer a natural extension of the BLP model by (i) defining four security levels: legal secret, secret, restricted, and public; (ii) inserting network entities into the subject set and the object set; (iii) inserting the network communication operations send and receive into the access right set [1]; (iv) allowing high-level subjects to read data or receive service from low-level objects, and allowing low-level subjects to write data or provide service to high-level objects; and (v) prohibiting all other operations. Various access control matrices are stored in application servers and middleware servers to regulate ASH. As a result, it is guaranteed by the BLP model that high-level information in our system is not exposed to low-level users and devices.
[1] Service is defined in terms of the client-server model.
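The extended BLP check just described, as an added example rather than iMASH's own access-control code. It combines the discretionary access matrix with the four-level lattice: read and receive are permitted only when the subject's level dominates the object's (no read up), send and write only when the object's level dominates the subject's (no write down). The entity names, their levels and the matrix entries in build_demo_policy are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """The four iMASH security levels, ordered low to high."""
    PUBLIC = 0
    RESTRICTED = 1
    SECRET = 2
    LEGAL_SECRET = 3


# read and receive move information from the object to the subject;
# write and send move information from the subject to the object.
READ_LIKE = frozenset({"read", "receive"})
WRITE_LIKE = frozenset({"write", "send"})


class ExtendedBLP:
    def __init__(self):
        self.subjects = {}   # entity name -> Level
        self.objects = {}    # entity name -> Level
        self.matrix = {}     # (subject, object) -> set of granted rights

    def add_entity(self, name, level, subject=True, obj=True):
        """Network entities (devices, servers) enter both the subject and object sets."""
        if subject:
            self.subjects[name] = Level(level)
        if obj:
            self.objects[name] = Level(level)

    def grant(self, subject, obj, *rights):
        """Discretionary entry in the access matrix (what the AS/MWS would store)."""
        unknown = set(rights) - (READ_LIKE | WRITE_LIKE)
        if unknown:
            raise ValueError(f"unsupported rights: {sorted(unknown)}")
        self.matrix.setdefault((subject, obj), set()).update(rights)

    def allowed(self, subject, obj, right):
        """Rules (iv) and (v): an operation is permitted only if the matrix
        grants it AND the lattice allows that direction of information flow."""
        if subject not in self.subjects or obj not in self.objects:
            return False
        if right not in self.matrix.get((subject, obj), ()):
            return False
        ls, lo = self.subjects[subject], self.objects[obj]
        if right in READ_LIKE:
            return ls >= lo          # simple security property: no read up
        if right in WRITE_LIKE:
            return ls <= lo          # *-property: no write down
        return False                 # (v) every other operation is prohibited


def build_demo_policy():
    """Constructed scenario (hypothetical names): a desktop cleared to SECRET,
    a PDA at RESTRICTED, and a Teaching File server holding SECRET records.
    Both devices are granted send/receive on the server in the matrix; the
    lattice then decides which of those grants are actually usable."""
    p = ExtendedBLP()
    p.add_entity("desktop", Level.SECRET)
    p.add_entity("pda", Level.RESTRICTED)
    p.add_entity("teaching-file", Level.SECRET)
    for dev in ("desktop", "pda"):
        p.grant(dev, "teaching-file", "receive", "send")
        p.grant("teaching-file", dev, "send")
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    for s, o, r in [("desktop", "teaching-file", "receive"),
                    ("pda", "teaching-file", "receive"),
                    ("pda", "teaching-file", "send"),
                    ("teaching-file", "pda", "send")]:
        print(f"{s} -> {o} ({r}): {'allow' if policy.allowed(s, o, r) else 'deny'}")
```

The point worth noticing is the last case: the matrix grants the server a send right toward the PDA, yet the lattice refuses it, because serving SECRET records to a RESTRICTED device is a write-down. That is exactly the property the text relies on when it says high-level information is never exposed to low-level devices, and it is why the matrix alone is not a sufficient check.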
Capability
We further augment the extended BLP model with another well-proven concept, the capability. Suppose all operations concerned have already been approved by the access control model; a network entity can then choose to hand off a session to a specific set of network entities by securely delivering its session capability to them. A capability [19, 22] is formally defined as an unforgeable pair made up of (i) a unique object identifier and (ii) a set of authorised operations forming the interface associated with the object. Security in a capability-based model is enforced by three properties: (i) capabilities are unforgeable and tamper-proof; (ii) system entities are able to obtain capabilities only by using authorised interfaces; and (iii) capabilities are only given to system entities that are authorised to hold them. Three well-known techniques, namely tagging, challenge-response, and segregation, have been widely used in modern operating systems to realise capabilities. However, in a PKI-based security architecture, these three techniques cannot be directly applied to ASH. We design and implement a practical mechanism that realises a capability through the well-analysed [98] transport layer security protocols SSL/TLS/WTLS [67, 20, 100], where the initial session authentication handshake establishes a master secret for the session. In WTLS this master secret is generated efficiently by the PRF from three source values: (i) a 128-bit random value generated by the server, whose first 32 bits are the server's current time; (ii) a 128-bit random value generated by the client, whose first 32 bits are the client's current time; and (iii) a 160-bit random pre-master secret exchanged between the two parties under the certified public key. (SSL/TLS use 256-bit random values and a 48-byte pre-master secret, but the construction is the same.)
Based on the following three observations, we conclude that the master secret is qualified to be the capability of the session: (i) The PRF is built from the standard SHA-1 or MD5 message digest functions (through HMAC-based expansion), differing only in that it can generate output of arbitrary length. (ii) The combination of current client time, current server time, and the random pre-master secret is unique across all live sessions; by the collision resistance of the digest function, the PRF output is therefore computationally unique. (iii) The master secret is unforgeable and tamper-proof, as guaranteed by the SSL/TLS/WTLS design. In our design, communication is protected by data encryption. In order to decrypt ASH messages, the anchor session must hold the corresponding session capability (i.e., the master secret); otherwise ASH is not possible. The design is efficient in computation and communication, as it reuses existing system resources without incurring extra overhead. Note that whoever holds the master secret holds the capability: it must therefore only ever travel over an already-authenticated channel to the MWS or the destination device, never in the clear.
[Figures 5.1 to 5.4 are message sequence diagrams between the iMASH client layer on devices C_1 and C_2, the Middleware Server (MWS), and session S_1, over the DCC, SCC and SDC channels. The diagrams themselves are not reproduced; their step lists follow.]
Figure 5.1: Device authentication protocol: 1. WTLS handshake 2. NewDeviceChannel(DCC) 3. AckDeviceChannel
Figure 5.2: User authentication per session: 4. Login 5. AckLogin 6. NewSessionChannel(SCC) 7. AckSessionChannel 8. NewDataChannel(SDC) 9. AckDataChannel
Figures 5.3 and 5.4: ASH-push: 1. RequestPushableDevices 2. PushableDeviceList 3. PushTo 4. PushRequest 5. NewSessionChannel(SCC) 6. PushAck 7. AckSessionChannel 8. HandoffToMe 9. SessionData 10. Cleanup
5.3.2 Protocol Details
Authentication
Both the device and the user need to be authenticated before using iMASH-enabled system resources. Device authentication is done through certificates, and user authentication through certificate-derived user/password pairs. Device authentication, shown in Figure 5.1, begins when an iMASH-enabled device is activated. The iMASH client layer (ICL) starts and remains resident to handle all iMASH-related communication. The ICL contacts the MWS using a WTLS class 3 authentication handshake to establish a secure device control channel (DCC). All further communication is encrypted with the cipher suite negotiated by the WTLS handshake. If the device is authenticated and approved by the access control matrices, the MWS registers the device in a local list. Once a device has created a DCC, it is considered part of the iMASH network and may participate in the following iMASH transactions: users may (1) start sessions on the device, (2) pull a remote session to the device via ASH, or (3) push a session to the device via ASH after roaming to a remote place. Figure 5.2 depicts how users authenticate a new session to the MWS. A secure session control channel (SCC) is established per session. The master secret used in the SCC is obtained by applying the WTLS HMAC function to the master secret of the DCC. Though the DCC is shared by all sessions on the device, the one-way property of the HMAC function prevents the sessions from learning the secret of the DCC, thus preserving the DCC's privacy.
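The secret hierarchy the last two sections describe, as an added example that is not the iMASH implementation or the WTLS reference code: the master secret is derived from the two 16-byte handshake randoms (32-bit time stamp plus 12 random bytes) and the pre-master secret through an HMAC-SHA1 expansion of the kind WTLS uses, a digest of it serves as the session capability, and the per-session SCC secret and per-connection SDC secrets are chained off it with one-way HMAC steps. The exact label strings, the way session and connection identifiers are fed into the HMAC, and the sample time stamps and entropy are assumptions made for this example; the page only states that the WTLS HMAC function is applied.

```python
import hashlib
import hmac
import struct


def p_sha1(secret: bytes, seed: bytes, out_len: int) -> bytes:
    """HMAC-SHA1 data expansion P_SHA-1 (the building block of the TLS/WTLS PRF):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)), output = HMAC(secret, A(1)+seed) || ..."""
    out, a = b"", seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:out_len]


def wtls_random(unix_time: int, entropy12: bytes) -> bytes:
    """16-byte WTLS Random: 32-bit time stamp followed by 12 random bytes."""
    if len(entropy12) != 12:
        raise ValueError("need exactly 12 random bytes")
    return struct.pack(">I", unix_time) + entropy12


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """20-byte (160-bit) master secret from the three handshake inputs.
    The label 'master secret' and seed layout are assumed for this example."""
    return p_sha1(pre_master, b"master secret" + client_random + server_random, 20)


def session_capability(master: bytes) -> bytes:
    """The text's 'session signature': a digest of the master secret usable as
    the capability identifier without exposing the master secret itself."""
    return hashlib.sha1(master).digest()


def channel_secret(parent: bytes, label: bytes, ident: bytes) -> bytes:
    """One-way derivation of a child channel secret with HMAC-SHA1 (assumed layout).
    Knowing the child does not reveal the parent, which is the property the DCC relies on."""
    return hmac.new(parent, label + ident, hashlib.sha1).digest()


def derive_channels(dcc_master: bytes, session_id: bytes, connection_ids):
    """DCC master -> SCC secret (per session) -> SDC secrets (per Application Server connection)."""
    scc = channel_secret(dcc_master, b"SCC", session_id)
    sdcs = {cid: channel_secret(scc, b"SDC", cid) for cid in connection_ids}
    return scc, sdcs


if __name__ == "__main__":
    # constructed handshake values: fixed time stamps and entropy so the run is reproducible
    client_rand = wtls_random(1_000_000_000, bytes(range(12)))
    server_rand = wtls_random(1_000_000_001, bytes(range(12, 24)))
    pre_master = bytes(20)                      # would be the 160-bit secret sent under the server's RSA key
    ms = master_secret(pre_master, client_rand, server_rand)
    cap = session_capability(ms)
    scc, sdcs = derive_channels(ms, b"session-1", [b"as-conn-1", b"as-conn-2"])
    print("DCC master secret :", ms.hex())
    print("capability (SHA-1):", cap.hex())
    print("SCC secret        :", scc.hex())
    for cid, k in sdcs.items():
        print(f"SDC {cid.decode():<10}:", k.hex())
```

Two sessions on the same device obtain different SCC secrets from the same DCC master, and a session that is handed off carries only its own SCC-derived material, never the DCC master of the device it came from.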
Figure 5.5: ASH-pull: 1. Login 2. AckLogin 3. NewSessionChannel(SCC) 4. AckSessionChannel 5. RequestPullableSessions 6. PullableSessionList
Figure 5.6: ASH-pull: 7. HandoffToMe 8. TransferSession 9. 10. SessionData 11. Cleanup
Figure 5.7: Latency incurred from performing ASH-push with and without encryption from an 800 MHz PIII to a 200 MHz Pentium Pro (delay in milliseconds, 0 to 7000, against session data size in kilobytes, 0 to 1000).
[Message sequence diagrams for Figures 5.5 and 5.6 and the plot for Figure 5.7 are not reproduced.]
With the SCC in place, a secure session data channel (SDC) is established per network connection to an Application Server. The ICL creates the different SDCs from the same SCC, again employing the one-way HMAC function to derive distinct SDC secrets from the single SCC secret. After sending a start-full-session command, the user begins to use the iMASH services by spawning iMASH-enabled applications on his device. These applications are part of the session and will migrate when an ASH occurs.
ASH
ASH is realised in two modes: ASH-push or ASH-pull. A push is used to move an ongoing local session to another device, whereas a pull is used to move a remote ongoing session to the local device. Because of spatial and other constraints, the two devices concerned may not be able to establish a directly-connected secure channel, or may not even have a means to communicate directly with each other. As both of them can communicate with the iMASH middleware, our architecture allows an ongoing session to be securely handed off between them.
ASH push
As depicted in Figures 5.3 and 5.4, session S_1 on device C_1 starts an ASH-push with (1) its ICL sending a RequestPushableDevices(user) command to the MWS on behalf of the user; (2) after access control evaluation, the MWS responds with the list of qualified devices, PushableDeviceList(deviceIDs); (3) the user then notifies the MWS of the desired destination with PushTo(C_2, clientSession). The ICL also sends the current client session to the MWS. The client session contains the session capability and all the application state needed to bootstrap the iMASH application on the destination host, making ASH possible. (4) The MWS then sends a PushRequest for S_1 to C_2, which may ack or nack according to its own access control policy. (5)(6)(7) If the device chooses to ack, it establishes a new SCC with the MWS, and the MWS sends an AckPush() back to C_1. (8) Upon establishing the SCC, C_2 sends a HandoffToMe(SessionID) message to the MWS. (9) On receipt of the handoff-to-me message, the MWS transfers the session data over the SCC, (10) and sends a Cleanup message to C_1. The original device then removes the session and the new device reconnects all the active session SDCs.
ASH pull
As depicted in Figures 5.5 and 5.6, an ASH-pull begins with (1)(2)(3)(4) a user authenticating on a new device C_2 up to the point where the SCC is established. This creates an anchor session S_1' on the device. (5) The user then sends RequestPullableSessions(user) to the MWS over the newly established SCC. (6) After access control evaluation, the MWS replies with the list of qualified sessions for the user, PullableSessionList(SessionIDs). (7) The user notifies the MWS of the desired session with HandoffToMe(S_1). (8) The MWS then sends TransferSession(S_1) over the SCC of the selected session, which is located at device C_1. (9) The ICL on C_1 transfers the client session and its capability to the MWS, which relays them to C_2, which in turn merges S_1 into the anchor session S_1'. (10) Cleanup is similar to the ASH-push: the MWS sends Cleanup() to C_1, and C_2 reconnects all the active session SDCs.
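The push and pull exchanges above, modelled end to end as an added example (not iMASH's own code). The MWS is the only party that sees both devices; it evaluates access control before answering RequestPushableDevices and RequestPullableSessions, moves the client session (capability plus state) to the destination, and cleans up the source. Channels are reduced to flags, the capability to a digest standing in for the SCC master secret, and access control to a level comparison in the spirit of the extended BLP model; all device, user and session names are constructed.

```python
import hashlib


class Device:
    """An iMASH-enabled client with its resident ICL; `level` is its BLP level."""
    def __init__(self, name, level):
        self.name, self.level = name, level
        self.dcc = False        # device control channel, opened by the WTLS class-3 handshake
        self.sessions = {}      # session id -> client session (capability + application state)


class MWS:
    """Middleware Server mediating ASH-push and ASH-pull."""
    def __init__(self):
        self.devices = {}       # registered devices, i.e. those holding a DCC
        self.sessions = {}      # session id -> {user, level, device, capability}

    def new_device_channel(self, device):
        """Figure 5.1, steps 1-3: handshake, NewDeviceChannel, AckDeviceChannel."""
        device.dcc = True
        self.devices[device.name] = device

    def start_session(self, device, user, sid, level, state):
        """Figure 5.2: Login / NewSessionChannel; the SCC secret is the session capability."""
        if not device.dcc:
            raise PermissionError("device has no DCC")
        if device.level < level:
            raise PermissionError("device level too low to host this session")
        cap = hashlib.sha1(f"scc:{device.name}:{sid}".encode()).digest()   # stand-in for the SCC master secret
        self.sessions[sid] = {"user": user, "level": level, "device": device.name, "capability": cap}
        device.sessions[sid] = {"capability": cap, "state": dict(state)}
        return cap

    def _may_host(self, device, s):
        """Access-control evaluation: a DCC-holding device other than the current one, at a level
        that dominates the session's level (receiving a session is a read in BLP terms)."""
        return device.dcc and device.name != s["device"] and device.level >= s["level"]

    def pushable_devices(self, user, sid):
        """ASH-push steps 1-2: RequestPushableDevices -> PushableDeviceList."""
        s = self.sessions[sid]
        if s["user"] != user:
            raise PermissionError("session belongs to another user")
        return sorted(d.name for d in self.devices.values() if self._may_host(d, s))

    def push(self, user, sid, dest_name, dest_accepts=True):
        """ASH-push steps 3-10."""
        if dest_name not in self.pushable_devices(user, sid):
            raise PermissionError("PushTo rejected by access control")
        src, dest = self.devices[self.sessions[sid]["device"]], self.devices[dest_name]
        client_session = src.sessions[sid]          # step 3: capability + state travel with PushTo
        if not dest_accepts:                        # step 4: destination may nack under its own policy
            return False
        dest.sessions[sid] = dict(client_session)   # steps 5-9: new SCC, HandoffToMe, SessionData
        self.sessions[sid]["device"] = dest_name
        del src.sessions[sid]                       # step 10: Cleanup on the original device
        return True

    def pullable_sessions(self, user, device):
        """ASH-pull steps 5-6, issued from the anchor session on `device`."""
        return sorted(sid for sid, s in self.sessions.items()
                      if s["user"] == user and self._may_host(device, s))

    def pull(self, user, device, sid):
        """ASH-pull steps 7-10: HandoffToMe, TransferSession, relay to the anchor, Cleanup."""
        if sid not in self.pullable_sessions(user, device):
            raise PermissionError("HandoffToMe rejected by access control")
        src = self.devices[self.sessions[sid]["device"]]
        device.sessions[sid] = dict(src.sessions[sid])   # src ICL sends session + capability, MWS relays it
        self.sessions[sid]["device"] = device.name
        del src.sessions[sid]
        return device.sessions[sid]["capability"]


if __name__ == "__main__":
    mws = MWS()
    desktop, pda, kiosk = Device("desktop", 2), Device("pda", 1), Device("kiosk", 0)
    for d in (desktop, pda, kiosk):
        mws.new_device_channel(d)
    cap = mws.start_session(desktop, "alice", "s1", 1, {"viewer": "teaching-file", "case": 42})
    print("pushable from desktop:", mws.pushable_devices("alice", "s1"))   # kiosk is below level 1
    mws.push("alice", "s1", "pda")
    print("s1 now on:", mws.sessions["s1"]["device"], "| desktop still has it:", "s1" in desktop.sessions)
    print("pullable on desktop :", mws.pullable_sessions("alice", desktop))
    print("capability preserved:", mws.pull("alice", desktop, "s1") == cap)
```

The two failure modes worth exercising are a destination below the session's level (never offered in PushableDeviceList, so PushTo is refused) and a pull attempted by a different user (the session is simply absent from PullableSessionList). In both cases the capability never leaves the device that legitimately holds it.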
5.4 Implementation and Evaluation The iMASH architecture is implemented largely in Java on both the client and the Middleware Server. The choice of Java allows the software to be ported with modest difficulty and facilitates the integration of client devices running on heterogeneous hardware/OS combinations into the iMASH environment. The only native libraries required are those for the encryption and WTLS authentication; these were utilised primarily for performance enhancement and were linked to the Java application via the Java Native Interface (JNI) set of libraries. Although the architecture is written in Java, the architecture is not tied to any Java-specific structures. iMASH allows for the possibility of clients or Middleware servers running iMASH code written in other languages for performance or interoperability reasons. The only requirement is that the code follow the iMASH protocol, which has been designed in a language-neutral manner.
Table 5.1: Collisions of WTLS master secrets (number of master secret collisions per dataset, by number of sessions in the dataset)

length of secret (bit)   500K   1000K   2000K   3000K   4000K   5000K
40                        1      2       8       11      21      25
128                       0      0       0       0       0       0
160                       0      0       0       0       0       0
5.4.1 Experiments on the capability model
To prove the feasibility of our design in Section 5.3.1, we generated a large number of real session master secrets from our WTLS implementation, which conforms to the WTLS standard [100]. The generated data were loaded into an Oracle8i database, and SQL queries were issued to check for collisions among session master secrets. Table 5.1 shows the results for 0.5, 1, 2, 3, 4 and 5 million master secrets from different sessions. (i) The WTLS master secret is always 160 bits (20 bytes), and we found no collision among master secrets for up to 5 million sessions. (ii) The session signature can also be a message digest of the master secret. We checked the 128-bit MD5 checksums of the session master secrets, and there was no collision for up to 5 million sessions. (iii) To test the relation between the number of collisions and the number of sessions, we reduced the master secret length to only 40 bits. The results show that only 1 collision occurs in half a million sessions, and 25 collisions in 5 million sessions [2]. The results demonstrate that the message digest functions and the WTLS PRF are well designed. In practice, a 160-bit WTLS master secret, its 160-bit SHA-1 checksum, or its 128-bit MD5 checksum can be used directly as the session capability that regulates ASH among heterogeneous clients. There is no need to design and implement extra network protocols to realise capability-based models when transport layer security implementations are available. Note that the absence of collisions establishes only the uniqueness of the capability; its authority as an authorisation token rests on the master secret remaining confidential to the session endpoints and the MWS.
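A worked check on Table 5.1, added here and not part of the prospectus. Treat the $N$ master secrets as independent, uniformly distributed $n$-bit strings. The expected number of colliding pairs is the number of pairs times the per-pair collision probability:

$$E[C] \approx \binom{N}{2}\, 2^{-n} \approx \frac{N^{2}}{2^{\,n+1}} .$$

For $n = 40$: $N = 5\times10^{5}$ gives $E[C] \approx 1.25\times10^{11} / 1.1\times10^{12} \approx 0.11$, and $N = 5\times10^{6}$ gives $E[C] \approx 1.25\times10^{13} / 1.1\times10^{12} \approx 11$. For $n = 128$ the same $5\times10^{6}$ secrets give $E[C] \approx 1.25\times10^{13} / 3.4\times10^{38} \approx 4\times10^{-26}$, and for $n = 160$ about $9\times10^{-36}$. So the all-zero 128- and 160-bit rows are exactly what a well-behaved PRF must produce at this sample size, while the 40-bit row is expected to grow as $N^{2}$, which is the order of the counts the table reports (whether a collision is counted once per pair or once per colliding secret changes the constant by a factor of two). The bound also shows why 5 million sessions say nothing about 160-bit uniqueness that was not already known: a collision there would have been evidence of a broken PRF, not of a birthday effect.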
[2] In the ideal case of designing message digest and PRF functions, the probability of collision is when the function output is -bit long. The chance of collision decreases exponentially as the output length increases linearly.
5.4.2 Evaluation of ASH push/pull models
In order to quantitatively analyse the performance of our system, we performed a number of experiments under varying scenarios.
Table 5.2: Average time for various iMASH operations (ms)

Client platform                              200 MHz Pentium Pro   665 MHz PIII   800 MHz PIII
DCC handshake time (1024-bit certificate)         347.4               188.27         159.83
DCC handshake time (2048-bit certificate)         537.73              221.18         165.083
User start new session time                        27.10               23.55          14.67
Experiment 1: Device and user authentication times
In this experiment we measure the time required for various machines to perform device authentication and user authentication. The experiment measures the computation overhead over 10 trials for each device. All machines were running Java 1.3.1 on RedHat Linux 7.0 over 100 Mbps Ethernet. A Pentium III 600 MHz Middleware Server is used for all experiments, with the clients listed in Table 5.2. In WTLS, RSA is used as the public key cryptosystem and DES-CBC as the cipher scheme. (DES-CBC carries a 56-bit key and was already brute-forceable with purpose-built hardware when these experiments were run; a deployment should negotiate a stronger suite such as 3DES, at some additional per-byte cost.) Results in Table 5.2 show that device authentication can be costly on low-end devices; on a 200 MHz machine it takes roughly 350 to 540 ms depending on the certificate size. This cost is due to the RSA private-key operation the client performs in WTLS class 3 authentication. However, once the one-time cost of device authentication is paid at device bootstrapping time, SCCs can be established very quickly for each session; on average the latency was approximately 20 ms, which includes session initialisation delay and the processing delay of the one-way WTLS HMAC function.
Experiment 2 & 3: Latency of the ASH-push protocol
In experiment 2, the latency of an ASH-push from an 800 MHz machine to a 200 MHz machine is measured. This experiment is designed to measure the iMASH overhead in performing ASH to a slow machine, which matters because most of the work required for ASH is done at the target side. The MWS is the same as in the previous experiment. A 1-byte session payload is transferred with the ASH-push to isolate the overhead caused by the protocol itself. The average ASH-push latency over 10 trials shows that the ASH protocol does not create unreasonable overhead for this particular hardware setup.
To further quantify the latency, in experiment 3 we repeat the previous experiment while varying the session data that is transferred during ASH. The data size ranges from 1 byte to 1 megabyte. This experiment is performed with and without the WTLS cipher scheme turned on to show how much overhead is incurred by data encryption during ASH. Results in Figure 5.7 show reasonable ASH performance degradation for the tested session sizes up to a megabyte.
Chapter 6 Future Work
The goal of this prospectus is to build a set of adaptive and resilient security solutions for the middleware convergence layer. A mobile node in an I-MANET can utilize the middleware layer to facilitate its wireless communications in real time. In particular, our middleware security services allow its mobile applications to communicate securely with the infrastructure or with another mobile node despite highly volatile network dynamics.
6.1 More work on security and real-time adaptation
Real-time performance adaptation can be widely applied to various real-time applications, real-time network protocols, and network scenarios. The application context includes streaming of live multimedia and real-time interactive multimedia communication. We will run experiments in a diverse range of scenarios. Typical multimedia data include audio and video content with considerable differences in bandwidth requirements and error control; experiments will show how adaptive encoding and encryption schemes affect quality of service for the different content types. Real-time constraints also apply to network protocols like RTP; with the help of bandwidth estimation techniques, adaptive security schemes can improve RTP's performance. Our adaptive schemes will be tested in a variety of wireless settings: MAC protocol test cases include 802.11 and Bluetooth, and network tests will be conducted on mobile ad hoc networks with and without a mobile backbone.
6.2 More work on resilient authentication service
Recently, threshold cryptography has been explored by several research groups to provide decentralized security services to computer networks. Compared to centralized schemes, the decentralized paradigm provides resilient and robust services in the presence of several new types of strong adversaries. However, no research has quantified the comparison between centralized and decentralized schemes. We will investigate the possibility of quantifying a system's security strength using a probabilistic model, and devise a scheme to estimate the security strength of decentralized systems.
6.3 More work on localized intrusion detection
Localized intrusion detection is a relatively new topic in securing ad hoc networks. Yang and Lu [105] illustrate that ad hoc routing misbehavior can be mitigated by localized intrusion detection mechanisms based on redundancy in routing messages. Like the scheme proposed in [59], it exploits each mobile node's capability of overhearing its neighbors' broadcast messages, with zero communication overhead and little computation overhead. To monitor neighbors' transmission behavior and misbehavior, only a limited set of information in neighbors' wireless transmissions has been explored so far, and little effort has been made toward a systematic analysis of a bounded trace of neighbors' transmissions. Related future work includes mobile network tracing [69, 68] and node classification based on data mining technologies [21].
6.4 More work on securing MANET multicast protocols

Perrig et al. [76, 77] have devised data integrity support for Internet multicast applications. In [40, 41], similar integrity support has been integrated into unicast ad hoc routing schemes to foil routing misbehavior. However, so far little effort has been spent on securing multicast protocols in ad hoc networks. We will analyze the security demands of wireless multicast protocols in ad hoc networks and devise corresponding countermeasures. In particular, ODMRP [53, 54] is an efficient ad hoc multicast protocol that needs security protection.
Chapter 7 Publications

Submitted Papers

Jiejun Kong, Mario Gerla, “Adaptive Security Support for Real-time Transmissions in Ad Hoc Networks”, Extended Abstract, submitted to MED-HOC-NET Workshop.

Jiejun Kong, Mario Gerla, B.S. Prabhu, Rajit Gadh, “Access Gateway: Providing Multi-layer Security Support for Wireless Communications in Local Area Networks”, submitted to Wireless Security Workshop.

Jiejun Kong, Mansoor Mirza, James Shu, Christian Yoedhana, Mario Gerla, Songwu Lu, “Random Flow Network Analysis and Simulations for DDoS Attack Mitigation”, submitted to IEEE Communications Magazine.

Jiejun Kong, Mario Gerla, “Peer-to-peer PKI: Integrating Advanced Secret Sharing System with PKI”, submitted to IEEE Internet Computing Magazine.

Journal Papers

Jiejun Kong, Haiyun Luo, Kaixin Xu, Daniel Lihui Gu, Mario Gerla, Songwu Lu, “Adaptive Security for Multi-layer Ad-hoc Networks”, John Wiley InterScience Press, Special Issue of Wireless Communications and Mobile Computing, August, 2002.
Conference Papers

Jiejun Kong, Mario Gerla, “Providing Real-time Security Support for Multi-level Ad-hoc Networks”, IEEE MILCOM 2002.

Haiyun Luo, Petros Zerfos, Jiejun Kong, Songwu Lu, Lixia Zhang, “Self-securing Ad Hoc Wireless Networks”, IEEE 7th Symposium on Computers and Communications (ISCC’02), 2002.

Erik Skow, Jiejun Kong, Thomas Phan, Fred Cheng, Richard Guy, Rajive Bagrodia, Mario Gerla, Songwu Lu, “A Security Architecture for Application Session Handoff”, IEEE International Conference on Communications (ICC’02), 2002.

Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang, “Providing Robust and Ubiquitous Security Support for Mobile Ad-hoc Networks”, IEEE 9th International Conference on Network Protocols (ICNP’01), 2001.

Daniel Lihui Gu, Mario Gerla, Henry Ly, Kaixin Xu, Jiejun Kong, Xiaoyan Hong, “Design of Multilevel Heterogeneous Ad-hoc Wireless Networks with UAVs”, Wireless and Mobile Communications Conference 4586 (APOC08), Proceedings of SPIE Vol. #4586, 2001.

Technical Report

Jiejun Kong, Mario Gerla, “Robust Security Solution for Heterogeneous Mobile Networks”, UCLA Computer Science Department Technical Report–200031, 2001.
Bibliography

[1] O. Angin, A. Campbell, M. Kounavis, and R. Liao. The Mobiware Toolkit: Programmable Support for Adaptive Mobile Networking. IEEE Personal Communication Magazine, August 1998.
[2] W. Arbaugh and A. Mishra. An Initial Security Analysis of the IEEE 802.1X Standard. http://www.cs.umd.edu/~waa/1x.pdf, 2002.
[3] R. Bagrodia, M. Gerla, S. Lu, R. Meyer, D. J. Valentino, and L. Zhang. Supporting Nomadic Healers. Technical Report 200021, Computer Science Department, University of California, Los Angeles, 2000.
[4] R. Baldwin and R. Rivest. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms. http://www.ietf.org/rfc/rfc2040.txt, 1996.
[5] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi. Secure Pebblenets. In MobiHoc, pages 156–163, 2001.
[6] D. E. Bell and L. J. LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, MA 01730, October 1976.
[7] S. M. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In Symposium on Research in Security and Privacy, pages 72–84. IEEE Computer Society, 1992.
[8] E. Biham. New Types of Cryptanalytic Attacks Using Related Keys. In Advances in Cryptology–EUROCRYPT’93, pages 487–496. Springer-Verlag, 1994.
[9] E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, 1993.
[10] L. Blunk and J. Vollbrecht. PPP Extensible Authentication Protocol (EAP). http://www.ietf.org/rfc/rfc2284.txt, 1998.
[11] D. Boneh. Twenty Years of Attacks on the RSA Cryptosystem. Notices of the American Mathematical Society, 46(2):203–213, 1999.
[12] D. Boneh and M. K. Franklin. Efficient Generation of Shared RSA Keys. In CRYPTO, pages 425–439, 1997.
[13] N. Borisov, I. Goldberg, and D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. In MOBICOM, 2001.
[14] L. S. Brakmo and L. L. Peterson. TCP Vegas: End to End Congestion Avoidance on a Global Internet. IEEE Journal on Selected Areas in Communications, 13(8):1465–1480, 1995.
[15] E. Brewer, R. Katz, E. Amir, H. Balakrishnan, Y. Chawathe, A. Fox, S. Gribble, T. Hodes, G. Nguyen, V. Padmanabhan, M. Stemm, S. Seshan, and T. Henderson. A Network Architecture for Heterogeneous Mobile Computing. IEEE Personal Communications, October 1998.
[16] R. Canetti, S. Halevi, and A. Herzberg. Maintaining Authenticated Communication in the Presence of Break-Ins. Journal of Cryptology, 13(1):61–105, 2000.
[17] B. Dahill, B. N. Levine, E. Royer, and C. Shields. A Secure Routing Protocol for Ad Hoc Networks. Technical Report UM-CS-2001-037, Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, August 2001.
[18] D. He, S. Jiang, and J. Rao. Link Availability Prediction Model for Wireless Ad Hoc Networks. In International Conference on Distributed Computing System Workshop, pages D7–D11, 2000.
[19] J. Dennis and E. Van Horn. Programming Semantics for Multiprogrammed Computations. Communications of the ACM, 9(3):143–145, 1966.
[20] T. Dierks and C. Allen. The TLS Protocol, version 1.0. http://www.ietf.org/rfc/rfc2246.txt, 1999.
[21] C. Elkan. Boosting and Naive Bayesian Learning. In ACM SIGKDD, 1997.
[22] R. Fabry. Capability-Based Addressing. Communications of the ACM, 17(7):403–412, 1974.
[23] H. Feistel. Cryptography and Computer Privacy. Scientific American, 228(5):15–23, 1973.
[24] P. Feldman. A Practical Scheme for Non-interactive Verifiable Secret Sharing. In Symposium on Foundations of Computer Science (FOCS), pages 427–437, 1987.
[25] S. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. In 8th Annual Workshop on Selected Areas in Cryptography, 2001.
[26] A. Fox and S. D. Gribble. Security on the Move: Indirect Authentication using Kerberos. In MOBICOM, pages 155–164, 1996.
[27] Y. Frankel and Y. Desmedt. Parallel Reliable Threshold Multi-signature. Technical Report TR-92-0402, Dept. of EECS, University of Wisconsin-Milwaukee, 1992.
[28] Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Optimal Resilience Proactive Public-Key Cryptosystems. In Symposium on Foundations of Computer Science (FOCS), pages 384–393, 1997.
[29] Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Proactive RSA. In CRYPTO, pages 440–454, 1997.
[30] D. L. Gu, H. Ly, X. Hong, M. Gerla, G. Pei, and Y. Lee. C-ICAMA, A Centralized Intelligent Channel Assigned Multiple Access for Multi-layer Ad-hoc Wireless Networks with UAVs. In IEEE WCNC, pages 879–884, 2000.
[31] D. L. Gu, G. Pei, H. Ly, M. Gerla, and X. Hong. Hierarchical Routing for Multi-layer Ad-hoc Wireless Networks with UAVs. In IEEE MILCOM, 2000.
[32] D. L. Gu, G. Pei, H. Ly, M. Gerla, B. Zhang, and X. Hong. UAV-aided Intelligent Routing for Ad-hoc Wireless Network in Single-area Theater. In IEEE WCNC, pages 1220–1225, 2000.
[33] Z. J. Haas and M. Pearlman. The Zone Routing Protocol for Ad-hoc Networks, 2000.
[34] D. Harkins and D. Carrel. The Internet Key Exchange (IKE). http://www.ietf.org/rfc/rfc2409.txt, 1998.
[35] J. Hastad, J. Jonsson, A. Juels, and M. Yung. Funkspiel Schemes: an Alternative to Conventional Tamper Resistance. In ACM CCS, pages 125–133, 2000.
[36] D. He, S. Jiang, and J. Rao. Prediction of Link Availability in Wireless Ad Hoc Networks. In Singapore Pervasive Computing Conference, The National University of Singapore, 1999.
[37] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive Secret Sharing or: How to Cope with Perpetual Leakage. Extended abstract, IBM T.J. Watson Research Center, November 1995.
[38] X. Hong, M. Gerla, G. Pei, and C.-C. Chiang. A Group Mobility Model for Ad Hoc Wireless Networks. In ACM/IEEE MSWiM, pages 53–60, 1999.
[39] X. Hong, M. Gerla, Y. Yi, K. Xu, and T. Kwon. Scalable Ad Hoc Routing in Large, Dense Wireless Networks Using Clustering and Landmarks. In ICC’02, 2002.
[40] Y.-C. Hu, D. B. Johnson, and A. Perrig. Secure Efficient Distance Vector Routing in Mobile Wireless Ad Hoc Networks. In Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’02), 2002.
[41] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A Secure On-demand Routing Protocol for Ad Hoc Networks. In MOBICOM, 2002.
[42] A. C. Huang, B. C. Ling, J. J. Barton, and A. Fox. Making Computers Disappear: Appliance Data Services. In MOBICOM, pages 108–121, 2001.
[43] IEEE Standards for Local and Metropolitan Area Networks. Port based Network Access Control, IEEE Draft 802.1X/D10, 2001.
[44] S. Jiang, D. He, and J. Rao. A Prediction-based Link Availability Estimation for Mobile Ad Hoc Networks. In INFOCOM, pages 1745–1752, 2001.
[45] M. Joa-Ng and I.-T. Lu. A Peer-to-Peer Zone-Based Two-Level Link State Routing for Mobile Ad Hoc Networks. IEEE Journal on Selected Areas in Communications, 17(8):1415–1425, 1999.
[46] D. B. Johnson and D. A. Maltz. Dynamic Source Routing in Ad Hoc Wireless Networks. In Imielinski and Korth, editors, Mobile Computing, volume 353, pages 153–181. Kluwer Academic Publishers, 1996.
[47] A. Joseph, A. de Lespinasse, J. Tauber, D. Gifford, and M. Kaashoek. Rover: A Toolkit for Mobile Information Access. In Symposium on Operating Systems Principles (SOSP’95), 1995.
[48] S. Kent and R. Atkinson. IP Authentication Header (AH). http://www.ietf.org/rfc/rfc2402.txt, 1998.
[49] S. Kent and R. Atkinson. IP Encapsulating Security Payload (ESP). http://www.ietf.org/rfc/rfc2406.txt, 1998.
[50] S. Keshav and S. P. Morgan. SMART Retransmission: Performance with Overload and Random Losses. In INFOCOM, pages 1131–1138, 1997.
[51] M. Kim and B. Noble. Mobile Network Estimation. In MOBICOM, pages 298–309, 2001.
[52] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang. Providing Robust and Ubiquitous Security Support for Mobile Ad-hoc Networks. In Ninth International Conference on Network Protocols (ICNP’01), pages 251–260, 2001.
[53] S.-J. Lee, M. Gerla, and C.-C. Chiang. On-Demand Multicast Routing Protocol. In IEEE WCNC, pages 1298–1302, 1999.
[54] S.-J. Lee, W. Su, and M. Gerla. On-Demand Multicast Routing Protocol (ODMRP) for Ad Hoc Networks. Internet Draft (draft-ietf-manet-odmrp-02.txt), January 2000.
[55] A. K. Lenstra and E. R. Verheul. Selecting Cryptographic Key Sizes. In Public Key Cryptography, pages 446–465, 2000.
[56] C. R. Lin and M. Gerla. Adaptive Clustering for Mobile Wireless Networks. IEEE Journal on Selected Areas in Communications, 15(7):1265–1275, 1997.
[57] H.-Y. Lin and L. Harn. Authentication Protocols for Personal Communication Systems. In SIGCOMM, pages 256–261, 1995.
[58] M. Malkin, T. Wu, and D. Boneh. Experimenting with Shared Generation of RSA Keys. In Internet Society’s Symposium on Network and Distributed System Security (SNDSS), pages 43–56, 1999.
[59] S. Marti, T. Giuli, K. Lai, and M. Baker. Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. In MOBICOM, 2001.
[60] S. Mascolo, C. Casetti, M. Gerla, M. Y. Sanadidi, and R. Wang. TCP Westwood: Bandwidth Estimation for Enhanced Transport over Wireless Links. In MOBICOM, pages 287–297, 2001.
[61] M. Matsui. Linear Cryptanalysis Method of DES Cipher. In Advances in Cryptology–EUROCRYPT’93. Springer-Verlag, 1994.
[62] D. Maughan, M. Schertler, M. Schneider, and J. Turner. Internet Security Association and Key Management Protocol (ISAKMP). http://www.ietf.org/rfc/rfc2408.txt, 1998.
[63] A. B. McDonald and T. Znati. A Mobility-based Framework for Adaptive Clustering in Wireless Ad Hoc Networks. IEEE Journal on Selected Areas in Communications, 17(8):1466–1487, 1999.
[64] A. B. McDonald and T. Znati. A Path Availability Model for Wireless Ad Hoc Networks. In WCNC, pages 35–40, 1999.
[65] National Institute of Standards and Technology. Data Encryption Standard. Federal Information Processing Standards Publication 46-2. http://www.itl.nist.gov/fipspubs/fip46-2.htm, 1993.
[66] National Institute of Standards and Technology. Advanced Encryption Standard. http://csrc.nist.gov/encryption/aes/, 2001.
[67] Netscape Communications Corporation. SSL 3.0 Specification.
[68] G. T. Nguyen, R. H. Katz, B. D. Noble, and M. Satyanarayanan. A Trace-based Approach for Modeling Wireless Channel Behavior. In Winter Simulation Conference, pages 597–604, 1996.
[69] B. D. Noble, G. Nguyen, M. Satyanarayanan, and R. H. Katz. Mobile Network Tracing. http://www.ietf.org/rfc/rfc2041.txt, 1996.
[70] P. Papadimitratos and Z. Haas. Secure Routing for Mobile Ad Hoc Networks. In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), 2002.
[71] M. Pearlman and Z. J. Haas. Determining the Optimal Configuration for the Zone Routing Protocol. IEEE Journal on Selected Areas in Communications, 17(8):1395–1414, 1999.
[72] G. Pei, M. Gerla, X. Hong, and C.-C. Chiang. A Wireless Hierarchical Routing Protocol with Group Mobility. In IEEE WCNC, 1999.
[73] G. Pei, X. Hong, and M. Gerla. LANMAR: Landmark Routing for Large Scale Wireless Ad Hoc Networks with Group Mobility. In IEEE/ACM MobiHOC, 2000.
[74] C. E. Perkins and P. Bhagwat. Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for Mobile Computers. In SIGCOMM, pages 234–244, 1994.
[75] C. E. Perkins and E. M. Royer. Ad-hoc On Demand Distance Vector (AODV) Routing, 1998.
[76] A. Perrig, R. Canetti, D. Song, and J. Tygar. Efficient and Secure Source Authentication for Multicast. In Network and Distributed System Security Symposium (NDSS), 2001.
[77] A. Perrig, R. Canetti, J. D. Tygar, and D. Song. Efficient Authentication and Signing of Multicast Streams over Lossy Channels. In IEEE Symposium on Security and Privacy, 2001.
[78] T. Phan, R. Guy, and R. Bagrodia. A Scalable, Distributed Middleware Service Architecture to Support Mobile Internet Applications. In First ACM Workshop on Wireless Mobile Internet (WMI’01), 2001.
[79] T. Phan, R. Guy, J. Gu, and R. Bagrodia. A New TWIST on Mobile Computing: Two-Way Interactive Session Transfer. In IEEE WIAPP, 2001.
[80] T. Phan, K. Xu, R. Guy, and R. Bagrodia. Handoff of Application Sessions Across Time and Space. In ICC, 2001.
[81] T. Rabin. A Simplified Approach to Threshold and Proactive RSA. In CRYPTO, pages 89–104, 1998.
[82] C. Rigney, S. Willens, A. Rubens, and W. Simpson. Remote Authentication Dial In User Service (RADIUS). http://www.ietf.org/rfc/rfc2865.txt, 2000.
[83] R. L. Rivest. The RC5 Encryption Algorithm. In Fast Software Encryption: Second International Workshop, pages 86–96, 1994.
[84] R. L. Rivest, A. Shamir, and L. M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[85] RSA Security Inc. PKCS #1 - RSA Cryptography Standard. http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/.
[86] A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In Symposium on the Theory of Computing (STOC), pages 522–533, 1994.
[87] B. Schoenmakers. A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting. In CRYPTO, pages 148–164, 1999.
[88] A. Shamir. How to Share a Secret. Communications of the ACM, 22(11):612–613, 1979.
[89] V. Shoup. Practical Threshold Signatures. In EUROCRYPT, pages 207–220, 2000.
[90] Standard Performance Evaluation Corporation. http://www.specbench.org.
[91] M. Stadler. Publicly Verifiable Secret Sharing. In EUROCRYPT, pages 190–199, 1996.
[92] W. Stallings. Cryptography and Network Security: Principles and Practice. Prentice-Hall, 2nd edition, 1999.
[93] J. G. Steiner, B. C. Neuman, and J. I. Schiller. Kerberos: An Authentication Service for Open Network Systems. In USENIX Winter, pages 191–202, January 1988.
[94] A. Stubblefield, J. Ioannidis, and A. D. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. Technical Report TD-4ZCPZZ, AT&T Labs, August 2001.
[95] W. Su and M. Gerla. IPv6 Flow Handoff in Ad Hoc Wireless Networks using Mobility Prediction. In GLOBECOM, pages 271–275, 1999.
[96] D. L. Tennenhouse and D. J. Wetherall. Towards an Active Network Architecture. Computer Communication Review, 26(2), 1996.
[97] UCLA Parallel Computing Laboratory and Wireless Adaptive Mobility Laboratory. GloMoSim: A Scalable Simulation Environment for Wireless and Wired Network Systems. http://pcl.cs.ucla.edu/projects/glomosim/.
[98] D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol (Revised Version). In 2nd USENIX Workshop on Electronic Commerce, 1996.
[99] WAP Forum. Wireless Application Protocol. http://www.wapforum.org/.
[100] WAP Forum. Wireless Transport Layer Security Specification. http://www1.wapforum.org/tech/documents/WAP-261-WTLS-20010406-a.pdf.
[101] D. J. Wetherall, U. Legedza, and J. Guttag. Introducing New Internet Services: Why and How. IEEE Network Magazine, July 1998.
[102] M. J. Wiener. Performance Comparison of Public-Key Cryptosystems. RSA CryptoBytes, 4(1):1–5, 1998.
[103] T. Wu, M. Malkin, and D. Boneh. Building Intrusion Tolerant Applications. In Eighth USENIX Security Symposium (Security ’99), pages 79–91, 1999.
[104] K. Xu, X. Hong, H. Ly, M. Gerla, and D. L. Gu. Landmark Routing in Large Wireless Battlefield Networks Using UAVs. In IEEE MILCOM, 2001.
[105] H. Yang and S. Lu. Self-Organized Network Layer Security in Mobile Ad Hoc Networks. In First ACM Workshop on Wireless Security (WiSe), 2002.
[106] S. Yi, P. Naldurg, and R. Kravets. Security-aware Ad Hoc Routing for Wireless Networks. Technical Report UIUCDCS-R-2001-2241, Department of Computer Science, University of Illinois at Urbana-Champaign, August 2001.
[107] Y. L. Yin. The RC5 Encryption Algorithm: Two Years On. RSA CryptoBytes, 2(3):14–15, 1997.
[108] H. Zhang and S. Keshav. Comparison of Rate-Based Service Disciplines. In SIGCOMM, pages 113–131, 1991.
[109] Y. Zhang and W. Lee. Intrusion Detection in Wireless Ad-hoc Networks. In MOBICOM, 2000.
[110] L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Networks, 13(6):24–30, 1999.
[111] L. Zhou, F. B. Schneider, and R. van Renesse. COCA: A Secure Distributed On-line Certification Authority. Technical Report 2000-1828, Computer Science Department, Cornell University, 2000.