Authentication and Key Management in
Wireless Mesh Network
Shweta Agarwal
Department of CSIT Moradabad Institute of Technology
Moradabad, U.P., INDIA Email: [email protected]
Neha Gupta
Department of CSIT Moradabad Institute of Technology
Moradabad, U.P., INDIA Email: [email protected]
ABSTRACT
A wireless mesh network (WMN) is a new and emerging wireless technology, and it has become a popular choice for Internet service providers because it allows fast, easy and inexpensive network deployment. Unlike most wireless networks, a wireless mesh network does not rely on any fixed infrastructure [1, 2].
Before deploying a wireless mesh network there are a number of issues to be aware of, and the most important of them is security. Because wireless mesh networks combine a wireless medium with multi-hop forwarding, they are more exposed to attacks than single-hop networks. Securing the network means controlling access to it, which is only possible with good authentication and key management mechanisms. From the security point of view, mesh networks do not yet have a well-defined or standardized security architecture; the existing wireless mesh security architecture is based on the IEEE 802.11i standard [3]. 802.11i is sufficient for securing a single-hop network, but it is not sufficient for a wireless mesh network, which is a multi-hop network. In this paper we discuss the various authentication and key management schemes proposed for secure network access in wireless mesh networks.
Keywords: WMN, MANET, PMK, EAP, PANA.
1. INTRODUCTION
In the context of emerging wireless technologies, different access network architectures are possible. Infrastructure, ad hoc, mesh or hybrid wireless access networks can be used for different environments and applications. One very promising architecture is the extension of a wireless mesh network by an ad hoc network; this allows rapid coverage extension in order to offer access to services located in the wired part of the network. This architecture is strongly encouraged by wireless operators that own the mesh part of the network [4]. It is composed of a set of Access Points (e.g. WiMAX) interconnected as a mesh network, as shown in Figure 1.
Wireless Mesh Networks (WMNs) are a good solution for providing wireless Internet connectivity over a sizable geographic area. A WMN is a dynamically self-organizing and self-configuring network: its internal nodes automatically set up a Mobile Ad hoc Network (MANET) to obtain connectivity among themselves. There are two types of nodes in a WMN, the Mesh Routers (MRs) and the Mesh Clients (MCs). MRs provide strong switching capability, have minimal mobility and negligible battery restrictions. MCs, on the other hand, can be designed with a light architecture, supporting only the simplest routing ability and lightweight communication protocols. However, without a solid security solution, a WMN operating over an open medium cannot succeed [5]. Currently there is no standard method for authentication and key management in wireless mesh networks. The processes that play the most important role in wireless mesh network security are authentication, authorization and accounting.
2. Authentication
Authentication is any process by which one verifies that an entity is who it claims to be. Authentication of mobile nodes in WMNs ensures that only authorized clients participate. The simplest solution is to employ a single authentication key shared by all nodes in the network. Although this mechanism is simple, it has the following disadvantages:
• An attacker only needs to compromise one node to break
the security of the system and paralyze the entire network.
• If the global key is divulged, it is not possible to identify
the compromised node.
• It is expensive to recover from a compromise as it usually
involves a group key update process.
Another well-known approach that can provide strong source authentication is attaching a digital signature to every packet. However, signing every packet can be prohibitively expensive because the computational capacity and battery power of mobile nodes are quite constrained. The challenge, therefore, is to design authentication mechanisms for the more vulnerable yet more resource-constrained environment of WMNs. Authentication, authorization and accounting (AAA) are provided in most WLAN applications and commercial services through a centralized server such as RADIUS or Diameter. However, the centralized scheme is not appropriate for multi-hop WMNs, where secure key management is much more difficult. Distributed authentication and authorization schemes with secure key management are therefore required in such an environment. Because WMNs can be managed by more than one operator/provider, authentication must also be performed as mobile nodes roam across different mesh routers and across different administrative domains. A possible approach to distributed authentication is continuous discovery and mutual authentication between neighbors, whether they are mobile clients or fixed/mobile mesh nodes. To mitigate the cost of repeated full authentication, IEEE 802.11i lets the authenticator cache the session key (the PMK) from a previous authentication, so that a returning station can skip the 802.1X exchange and proceed directly to the key handshake.
2.1 802.11i Authentication Model
In most commercial deployments of WLANs, IEEE 802.11i [7] is the most common approach for assuring authentication and secure link setup at layer 2. However, IEEE 802.11i authentication does not fully address the problem of WLAN vulnerability. In IEEE 802.11i authentication, the mobile station and the Authentication Server (AS) apply the 802.1X [8] authentication model, carrying out a negotiation to agree on a Pairwise Master Key (PMK), either by running an upper-layer authentication method (EAP) or by deriving it from a pre-shared secret. The PMK is generated independently by both the mobile client and the AS, and agreement on it is what assures mutual authentication between them. The Access Point (AP) then receives a copy of the PMK from the AS, authenticates the mobile client and authorizes its communication. The PMK itself is never sent over the air: the AP and the station run the 4-way handshake, in which each side proves possession of the PMK by computing a message integrity code under a key derived from it, and from which the Pairwise Transient Key (PTK) is obtained. The encryption keys contained in the PTK assure confidential transfer between the mobile station and the AP.
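The following Python script is added here as a worked illustration of the 802.11i key hierarchy just described; it is not code from the paper or from any 802.11 implementation. It assumes the pre-shared-key mode (the PMK is derived from a passphrase with PBKDF2, using the passphrase/SSID test vector published in IEEE 802.11i Annex H), constructed MAC addresses, and a simplified EAPOL-Key frame (a label plus the nonce) in place of the real frame layout. Both sides of the 4-way handshake are simulated in one function so that the mutual proof of PMK possession is visible.

```python
import hashlib
import hmac
import os

# Constructed test inputs (not from the paper): the PSK test vector from IEEE 802.11i
# Annex H and two arbitrary MAC addresses.
SSID = b"IEEE"
PASSPHRASE = b"password"
AA = bytes.fromhex("a0a1a1a3a4a5")   # authenticator (AP) address
SPA = bytes.fromhex("b0b1b2b3b4b5")  # supplicant (station) address


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """Pre-shared-key mode: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    With an upper-layer EAP method the PMK is instead produced by the method on the
    station and the AS, and the AS hands the AP its copy."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Returned as (KCK, KEK, TK): KCK keys the EAPOL-Key MIC, KEK wraps the group key,
    TK is the CCMP data-encryption key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for AES-CCMP suites: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, anonce=None, snonce=None) -> dict:
    """Both sides of the handshake in one function (frames simplified to label + nonce).
    pmk_ap is the copy the AS delivered to the AP, pmk_sta the supplicant's own copy."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Msg 1 (AP -> STA): ANonce, no MIC yet. STA can now derive the PTK.
    kck_sta, _kek_sta, tk_sta = derive_ptk(pmk_sta, AA, SPA, anonce, snonce)
    # Msg 2 (STA -> AP): SNonce + MIC under the STA's KCK.
    msg2 = b"M2" + snonce
    mic2 = eapol_mic(kck_sta, msg2)
    # AP has both nonces, derives its PTK, checks MIC 2: proof that STA holds the PMK.
    kck_ap, _kek_ap, tk_ap = derive_ptk(pmk_ap, AA, SPA, anonce, snonce)
    if not hmac.compare_digest(mic2, eapol_mic(kck_ap, msg2)):
        return {"ok": False, "stage": "msg2"}
    # Msg 3 (AP -> STA): ANonce again (+ KEK-wrapped GTK, omitted) + MIC: proof that AP holds the PMK.
    msg3 = b"M3" + anonce
    mic3 = eapol_mic(kck_ap, msg3)
    if not hmac.compare_digest(mic3, eapol_mic(kck_sta, msg3)):
        return {"ok": False, "stage": "msg3"}
    # Msg 4 (STA -> AP): MIC-only acknowledgement; both sides install TK.
    return {"ok": True, "tk": tk_ap, "tk_match": tk_ap == tk_sta}


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    print("PMK:", pmk.hex())
    print("handshake with matching PMK:", four_way_handshake(pmk, pmk)["ok"])
    print("handshake with wrong PMK:", four_way_handshake(pmk, derive_pmk(b"wrong", SSID)))
```

Two points the code makes explicit: a station with the wrong PMK is rejected at message 2, before the AP commits any keying state, and the AP only proves itself at message 3, which is why an unauthenticated message 1 cannot by itself be used to impersonate the AP. This is the single-hop exchange that a mesh has to repeat, or cache, at every hop.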
2.2 Data Packets Authentication
Authenticating the transmitted data packets themselves is another approach to preventing unauthorized nodes from connecting to a WMN. The Lightweight Hop-by-hop Access Protocol (LHAP) [9, 10] is proposed for authenticating mobile clients in dynamic wireless environments, preventing resource consumption attacks by employing packet authentication. LHAP implements lightweight hop-by-hop authentication, in which intermediate nodes authenticate every packet they receive before forwarding it. The protocol lets a mobile node first perform some inexpensive authentication operations to bootstrap a trust relationship with its neighbors, and then apply a lightweight, per-packet protocol for authenticating subsequent traffic.
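The per-packet mechanism in this style of protocol is a one-way key chain: the sender commits to an anchor value during the (authenticated) bootstrap and then reveals one preimage per packet, so a neighbor can check each packet with a single hash instead of a signature. The script below is an added illustration of that chain mechanism, written for this page; it is not LHAP's own code, and its packet format, chain length and loss tolerance are assumptions.

```python
import hashlib
import os
from collections import deque


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class ChainSender:
    """Owner of a one-way key chain K_0, K_1, ..., K_n with K_i = H(K_{i+1}).
    K_n is random; K_0 (the anchor) is what neighbors learn during the bootstrap
    authentication. Keys are then revealed in the order K_1, K_2, ..."""

    def __init__(self, length: int):
        chain = [os.urandom(32)]            # K_n
        for _ in range(length):
            chain.append(h(chain[-1]))      # K_{n-1}, ..., K_0
        chain.reverse()                     # chain[0] = K_0 (anchor), chain[-1] = K_n
        self.anchor = chain[0]
        self._unused = deque(chain[1:])

    def send(self, payload: bytes) -> tuple:
        """Attach the next unrevealed chain key to an outgoing packet."""
        if not self._unused:
            raise RuntimeError("key chain exhausted; bootstrap a new chain")
        return payload, self._unused.popleft()


class ChainVerifier:
    """A neighbor that obtained the sender's anchor during bootstrap."""

    def __init__(self, anchor: bytes):
        self.last_key = anchor

    def verify(self, packet: tuple, max_skip: int = 3) -> bool:
        """Accept the packet if hashing its key 1..max_skip times reaches the last
        accepted key (max_skip > 1 tolerates lost packets). A replayed or older key
        can never hash forward to a newer one, so it is rejected."""
        _payload, key = packet
        candidate = key
        for _ in range(max_skip):
            candidate = h(candidate)
            if candidate == self.last_key:
                self.last_key = key          # advance the chain state
                return True
        return False


def demo() -> dict:
    """Constructed scenario: one sender, one neighbor, a lost packet, a replay and a forgery."""
    sender = ChainSender(length=5)
    nbr = ChainVerifier(sender.anchor)
    p1 = sender.send(b"hello 1")
    p2 = sender.send(b"hello 2")            # assume this one is lost on the air
    p3 = sender.send(b"hello 3")
    return {
        "first": nbr.verify(p1),                            # fresh key K_1: accepted
        "replay": nbr.verify(p1),                           # K_1 again: rejected
        "after_loss": nbr.verify(p3),                       # K_3 hashes twice back to K_1: accepted
        "forged": nbr.verify((b"evil", os.urandom(32))),    # no preimage relation: rejected
        "late": nbr.verify(p2),                             # K_2 arrives after K_3: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind is that, in this bare form, the revealed key authenticates that the chain owner sent *a* packet recently; it is not bound to the payload, so anyone who overhears K_i could attach it to a different payload until the next key is revealed. That is the cost of dropping per-packet signatures, and the reason the bootstrap (the expensive, signed part) and the window in which a key is accepted both matter.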
2.3 AAA Architectures for WMNs
WMN deployment requires appropriate architectures for the different types of scenarios. An important step toward wide commercial deployment of WMNs is establishing trust relationships between the stakeholders of different access networks, each of which has its own security mechanisms. A lightweight AAA infrastructure is proposed in [11], providing continuous, on-demand, end-to-end security in heterogeneous networks, including WMN scenarios. This infrastructure presents an AAA model for supporting secure global mobility across access networks that are managed by different administrators. The notion of a security manager is realized by employing an AAA broker. The architecture provides AAA dynamically by forming a virtual layer on top of the underlying mesh of network domains, thus supporting user as well as service mobility across multiple access networks.
2.4 Extensible Authentication Protocol Variants
The mesh network model, with no fixed structure and no prior trust between the nodes, makes the security problem more complex. IEEE 802.1X has been applied to resolve some of the security problems of the original 802.11 standard: the mobile station and the AS authenticate each other by running an upper-layer authentication protocol, in most cases EAP-TLS (Extensible Authentication Protocol encapsulating Transport Layer Security) [12]. Although EAP-TLS offers mutual authentication, it introduces high latency in WMNs because each terminal acts as an authenticator for its neighbor in order to reach the AS, which can result in long multi-hop paths to the AS for every full authentication. This section discusses some recent related contributions.
2.4.1 EAP with Token-Based Re-Authentication
The dynamic environment, together with the multiple possible connectivities in WMNs, raises the need for secure fast hand-off protocols. Each node requiring access to the mesh network initially performs a full and costly authentication; re-using the information from this initial authentication can speed up the following re-authentications and improve protocol performance. In this context, a fast secure hand-off protocol is presented in [13], which allows mutual authentication and provides access control protection by limiting the possibilities open to insider attackers during the re-authentication process.
2.4.2 EAP-TLS over PANA
A security architecture suitable for multi-hop mesh networks is presented in [14], employing EAP-TLS over PANA (Protocol for carrying Authentication for Network Access) [15]. This work proposes an authentication solution for wireless mesh networks that grow in an ad hoc manner and use ad hoc networking capabilities. An authentication architecture is developed and data confidentiality is assured. IEEE 802.1X is adapted so that mobile nodes can be authenticated by mesh access routers, which can be APs as well as mobile hosts. PANA lets clients authenticate to the access network over IP; it is used in this work to overcome the problem that a mobile client and its mesh access router may be separated by more than one intermediate node, which the link-local transport of 802.1X cannot cross. Because PANA is an EAP lower layer, any EAP method is suitable for client authentication.
3. KEY MANAGEMENT
Key management deals with the secure generation, distribution and storage of keys. Once a key has been randomly generated, it must remain secret to avoid mishaps such as impersonation. Users must be able to securely obtain a key pair suited to their efficiency and security needs. Certificates are used to authenticate users and verify their identity; they must be unforgeable, and their issuance must proceed in a secure way that is impervious to attack.
Key management is one of the most important tasks in network security. However, key management for mobile ad hoc networks is much more difficult, because there is no central authority, trusted third party or server to manage the keys, so key management must be performed in a distributed way. A self-organizing scheme was proposed in [16, 17] to distribute and manage the keys. In this self-organizing key management system, certificates are stored and distributed by the users themselves. When the public keys of two users need to be verified, the users first merge their local certificate repositories and then search the merged repository for a certificate chain from the verifier's own key to the key being verified.
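As an added illustration of the merge-and-search step, the following Python code (written for this page, not taken from [16, 17]) models a certificate as a signed binding from an issuer to a subject and finds the shortest chain of unexpired, unrevoked certificates from the verifier to the target. The repositories, node names and the integer "time" are constructed; signature checking is assumed to happen per edge and is not shown.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    issuer: str     # node whose private key signed this certificate
    subject: str    # node whose public key the certificate binds
    not_after: int  # expiry, as a plain integer "time" (constructed)


def merge_repositories(*repos: Iterable[Cert]) -> Set[Cert]:
    """Step 1 of the scheme: the two users pool their local certificate repositories."""
    return set().union(*repos)


def find_certificate_chain(certs: Iterable[Cert], verifier: str, target: str, now: int,
                           revoked: Iterable[Cert] = frozenset(),
                           max_hops: int = 4) -> Optional[List[str]]:
    """Step 2: breadth-first search for verifier -> ... -> target over certificates that
    are unexpired and unrevoked. Each edge is a certificate signed by the previous node,
    so the verifier checks it with a key it already trusts from the previous edge.
    Returns the shortest chain, or None if no chain of at most max_hops exists."""
    revoked = set(revoked)
    edges = {}
    for c in certs:
        if c.not_after >= now and c not in revoked:
            edges.setdefault(c.issuer, []).append(c.subject)
    queue = deque([[verifier]])
    seen = {verifier}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(edges.get(path[-1], [])):   # sorted for deterministic results
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


# Constructed repositories (not from the paper). alice has certified bob, bob has
# certified carol; dave's repository holds certificates alice has never seen.
ALICE_REPO = {Cert("alice", "bob", 100), Cert("bob", "carol", 100)}
DAVE_REPO = {Cert("carol", "dave", 100), Cert("dave", "erin", 100)}


def verify_key(verifier: str, target: str, now: int = 50):
    """Return (chain using only the verifier's repository, chain after merging with dave's)."""
    alone = find_certificate_chain(ALICE_REPO, verifier, target, now)
    merged = find_certificate_chain(merge_repositories(ALICE_REPO, DAVE_REPO),
                                    verifier, target, now)
    return alone, merged


if __name__ == "__main__":
    print(verify_key("alice", "dave"))
```

Bounding the chain length (`max_hops`) is the practical control here: every extra issuer on the path is another node whose honesty the verifier is implicitly trusting, which is the known weakness of fully self-organized certificate graphs.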
3.1 Key Management Approaches
3.1.1 Virtual Certification Authority (VCA)
node and its corresponding public key. To construct the VCA, all the nodes present in the network take part in a threshold secret sharing scheme. If the threshold is fixed at k, then the collaborative effort of any k nodes provides the functionality of an authentication server. The basic assumption of this model is that, at any point in time, an intruder cannot break into k or more nodes in the network [18]. A node is trusted if it is certified by at least k of its one-hop neighbors. The certificate held by a node has an expiration time after which it must be renewed. The certificate acquisition process has a time constraint TCERT, the maximum time elapsed between the request and the issuance of the certificate; all k nodes must certify the requesting node within this time. The trust model is therefore distributed both in space (k) and in time (TCERT). The certificate is valid for Tvalid seconds. When a node requires a new certificate, it sends requests to all of its one-hop neighbors.
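The threshold property that the VCA relies on is shown below with Shamir secret sharing over a prime field: the CA secret is split among n neighbors, any k of them can combine their shares, and k-1 learn nothing. This is an added example written for this page, not the construction from [18] (which uses threshold signatures, so that partial signatures are combined and the CA key is never reconstructed at any single node); the field size, the parameters and the "neighbors that responded within TCERT" model are assumptions.

```python
import secrets
from typing import List, Optional, Tuple

P = 2**127 - 1   # prime field; the shared secret must be an integer below P


def _eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the sharing polynomial modulo P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_secret(secret: int, k: int, n: int) -> List[Tuple[int, int]]:
    """Shamir (k, n) sharing: a random polynomial f of degree k-1 with f(0) = secret.
    Node i (1..n) receives the share (i, f(i)). Any k shares determine f; any k-1
    are consistent with every possible secret, so they reveal nothing."""
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(i, _eval(coeffs, i)) for i in range(1, n + 1)]


def combine(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. Correct only when at least k distinct shares are given."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # den^-1 via Fermat
    return total


def certify_with_neighbors(secret: int, k: int, n: int, responding: List[int]) -> Optional[int]:
    """Model a certificate request: the node asks its n one-hop neighbors and only those
    listed in `responding` answer within TCERT. The CA function is available iff at
    least k answered; otherwise no certificate can be issued and the request fails."""
    shares = split_secret(secret, k, n)
    answers = [shares[i - 1] for i in responding]
    if len(answers) < k:
        return None
    return combine(answers[:k])


if __name__ == "__main__":
    ca_secret = secrets.randbelow(P)
    print(certify_with_neighbors(ca_secret, 4, 7, [1, 2, 3, 4]) == ca_secret)   # True
    print(certify_with_neighbors(ca_secret, 4, 7, [1, 2, 3]))                   # None
```

The security assumption in the text, that an intruder cannot compromise k or more nodes, maps directly onto the code: `combine` with fewer than k shares returns a value unrelated to the secret, and an attacker holding k-1 shares is in exactly that position.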
3.1.2 Off-line Certification Authority
In a WMN, nodes can join or leave dynamically; the only requirement is that a node must hold a valid and unrevoked certificate. This presupposes the existence of an Off-line Certification Authority that signs an 'Off-line Public Key Certificate' for every legitimate node that will participate in the WMN. To join the network, each node must hold its 'Off-line Public Key Certificate' together with the public key of the Off-line Authority, so that it can verify the validity of any other node's 'Off-line Public Key Certificate'. A node joining the network for the first time must use its 'Off-line Public Key Certificate' to be pre-authenticated [19].
3.1.3 Distributed Certification Authority
COCA (Cornell Online Certification Authority) is a secure, fault-tolerant, distributed on-line certification authority [20]. COCA uses replication to achieve availability, and proactive recovery together with threshold cryptography to combat mobile adversaries. Each COCA server holds a share of the CA's private key, and clients must contact a quorum of COCA servers to obtain the CA's full signature. Because COCA is designed for an environment like the Internet or a LAN, its design assumes that each server is either correct or compromised. If this approach were extended to WMNs, the nodes would show more complex behavior, including frequent connectivity changes due to node mobility. The problem stems from the difference between a compromised state and an unreachable state: compromised servers need some sort of re-initialization procedure to get back on-line, whereas unreachable servers can become reachable again without any external intervention, simply through the mobility of the nodes.
4. LIMITATIONS AND CHALLENGING ISSUES
(i) Complexity: The more complicated the operating procedures of a security protocol, the higher the possibility that its security can be compromised, since more components are exposed to attack.
(ii) Overhead: The overhead of the protocol has not been quantified.
(iii) Peer link management: This procedure also specifies how one of the mesh points (MPs) is selected as the 802.1X authenticator. However, it lacks a mechanism for the scenario where a new MP needs to set up a peer link with a mesh authenticator (MA) or with a supplicant MP [21].
5. CONCLUSIONS
Security is the most important issue in any network environment, especially in wireless networks. In wireless mesh networks, authentication and key management become very critical issues to handle. More work is required to improve the existing security schemes so that network complexity decreases and network performance increases. Modifications are necessary to reduce the complexity of these schemes in handling issues related to frequent topology changes and mobility. Besides enhancement of the existing security schemes, novel security mechanisms are also desired. In particular, new security protocols at the MAC layer need to be developed, because the specific features of WMNs make a MAC protocol for WMNs significantly different from that of any other network.
REFERENCES
[1] M. S. Siddiqui and C. S. Hong, Security Issues in Wireless Mesh Networks, 2007.
[2] Y. Fu, J. He, R. Wang and G. Li, Mutual Authentication in Wireless Mesh Networks, 2008.
[3] A. K. Maheshwary, S. Sofat and D. Bansal, Wireless Mesh Network Security: A Study of Centralized and Distributed Authentication Mechanisms, 2008.
[4] O. Cheikhrouhou, M. Laurent-Maknavicius and H. Chaouchi, Security Architecture in a Multi-hop Mesh Network, June 2006.
[5] P. Yi, T. Tong, N. Liu, Y. Wu and J. Ma, Security in Wireless Mesh Networks: Challenges and Solutions, 2009.
[6] Y. Zhang, J. Zheng and H. Hu, Security Issues in Wireless Mesh Networks.
[7] A. Baggio, Wireless Sensor Networks in Precision Agriculture, in ACM Workshop on Real-World Wireless Sensor Networks (REALWSN 2005), Stockholm, Sweden, June 2005.
[8] A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler and J. Anderson, Wireless Sensor Networks for Habitat Monitoring, in 1st ACM Workshop on Wireless Sensor Networks and Applications, Atlanta, September 2002.
[9] C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, in Workshop on Sensor Network Protocols and Applications, 2003.
[10] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields and E. Belding-Royer, A Secure Routing Protocol for Ad Hoc Networks, in International Conference on Network Protocols (ICNP), November 2002.
[11] D. Culler, J. Hill, P. Buonadonna, R. Szewczyk and A. Woo, A Network-Centric Approach to Embedded Software for Tiny Devices, in 1st International Workshop on Embedded Software (EMSOFT 2001), Tahoe City, CA, October 2001.
[12] L. Buttyán and J.-P. Hubaux, Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks, Mobile Networks and Applications, October 2003.
[13] L. Eschenauer and V. D. Gligor, A Key-Management Scheme for Distributed Sensor Networks, November 2002.
[14] H. Chan, A. Perrig and D. Song, Random Key Predistribution Schemes for Sensor Networks, in IEEE Symposium on Research in Security and Privacy, 2003.
[15] W. Du, J. Deng, Y. S. Han, S. Chen and P. Varshney, A Key Management Scheme for Wireless Sensor Networks Using Deployment Knowledge, in IEEE Infocom 2004, March 2004.
[16] J.-P. Hubaux, L. Buttyán and S. Čapkun, The Quest for Security in Mobile Ad Hoc Networks, 2001.
[17] C. Li and U. T. Nguyen, Group Key Management in Wireless Mesh Networks.
[18] H. Luo, P. Zerfos, J. Kong, S. Lu and L. Zhang, Self-Securing Ad Hoc Wireless Networks, in Proc. 7th Int. Symp. on Computers and Communications (ISCC), pp. 567-574, July 2002.
[19] Abdelmalek, M. Feham and A. Taleb-Ahmed, On Recent Security Enhancements to Autoconfiguration Protocols for MANETs: Real Threats and Requirements.
[20] S. Yi and R. Kravets, Practical PKI for Ad Hoc Wireless Networks, August 2001.
[21] I. F. Akyildiz and X. Wang, Wireless Mesh Networks.