
Mesh Security Overview

Security Concerns

Censorship and persecution need to be taken into consideration when designing computer-mediated communication systems in areas where government oppression is likely. Exposing a violent government's abuses will likely lead to retribution, communication during a time of government oppression will likely be monitored for dissident behavior, and news is likely to be censored to show the government in a positive light.

First, mechanical practices that separate individuals from their input (text/audio/etc) must be maintained. It must be possible to add data “without revealing the identity of the inserter, so that attacking those who insert information will not be a viable means of censoring that information.”

Secondly, anonymity must apply both to submitting and to accessing data. It must also be possible to access others' submissions “without revealing the identity of the recipient, so that attacking those who request information will not be a viable means of censoring that information.”

Third, and finally, the location of the stored information must be obscured or dispersed in such a way that destroying the physical location of the medium of communication is not a viable means of censoring the information.

An anonymous computer-mediated communication architecture must try to adhere to as many of the following principles as possible: the source (terminal) must be obscured from the medium of communication so that data “hijacked” from the medium cannot be linked to the user; posted information should be encrypted before transmission so that individuals who are under surveillance cannot have their submissions decoded; connections to the medium must be obscured so that transmissions cannot be tracked or blocked; a method for verifying the authenticity of a user's submissions must be provided; and data must still be accessible after the physical removal of parts of the network.

Mesh in a Security Context

Wireless “ad-hoc” methods create a device-as-infrastructure network where software allows any wireless-enabled device to send messages through any other similarly configured wireless device. These networks can use other mesh-network nodes (phones, computers, and dedicated routers) to communicate, or can tunnel through nodes connected to existing infrastructure (Internet, phone lines, etc.) to send messages. The self-healing mesh structure of these networks allows nodes to be added and removed without disrupting the network. When overlaid with the previously mentioned techniques of encryption and obfuscation, mesh networks allow for a robust, censorship-resistant network. When a user submits data it is passed through other users’ nodes until it finds its way to a wireless or Internet connection to the medium. Because any enabled device freely transmits data through its connection to the Internet, submissions and requests from that device cannot be directly attributed to it, even if the device itself is being used to submit or view information.

Mesh networks, like other wireless communications, are easily jammed by tuning jamming equipment to the frequency and modulation of the targeted equipment and overpowering the original signal. Jamming can be circumvented through counter-signal jamming, which inserts an out-of-phase copy of the jamming signal onto the same frequency to cancel it out. Mesh networks could conceivably also use synchronised random frequency hopping to avoid jamming by never staying on a frequency long enough to be jammed. Forward error correction codes, such as fountain codes, are used to control errors in noisy or unreliable networks by encoding the symbols of a document into a potentially limitless set of encoding symbols. The document can be reconstructed from any set of encoding symbols, as long as that set is somewhat larger than the document itself. Encoding public documents in this way can combat jammed and moving nodes by allowing a user to pull encoded symbols of a desired document from multiple users and reconstruct the document even after the original source has been removed. The device-as-infrastructure architecture of mesh networking offers an ease of implementation that other wireless communication technologies cannot match. With its easy implementation and robust design, mesh networking stands out as a strong choice for the implementation of a conflict communications medium.
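The fountain-code idea from the paragraph above, as an added example that is not part of the original page or of the Commotion project: a minimal LT-style code whose decoder rebuilds a document from encoding symbols pulled round-robin from three constructed holder nodes, none of which needs to be the original source. The holder names, seeds, sample document and the uniform degree choice are assumptions made for the example.

```python
"""Added example, not code from the page or the Commotion project: a minimal
LT-style fountain code. A document is cut into k source blocks; every encoded
symbol is the XOR of a pseudo-random subset of blocks chosen from a seed, so
any holder can mint fresh symbols endlessly. A receiver pulls symbols from
several holders and reconstructs the document once it holds k linearly
independent ones (Gaussian elimination over GF(2))."""
import random
from typing import Optional

BLOCK = 4  # bytes per source block (tiny so the example is easy to follow)


def split_blocks(document: bytes, block_size: int = BLOCK) -> list:
    """Zero-pad to a block multiple and cut into equal-sized blocks."""
    document += b"\0" * ((-len(document)) % block_size)
    return [document[i:i + block_size] for i in range(0, len(document), block_size)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_symbol(blocks: list, seed: int) -> tuple:
    """One encoded symbol: (bitmask of the blocks combined, XOR of those blocks).
    Only the seed needs to travel with the payload; the mask is derived from it.
    A real LT code draws the degree from the robust soliton distribution; a
    uniform degree is an assumption made here for brevity."""
    rng = random.Random(seed)
    k = len(blocks)
    mask, payload = 0, bytes(len(blocks[0]))
    for i in rng.sample(range(k), rng.randint(1, k)):
        mask |= 1 << i
        payload = xor_bytes(payload, blocks[i])
    return mask, payload


def decode(symbols: list, k: int) -> Optional[list]:
    """Recover the k source blocks from any set of symbols that spans them, or
    return None if more symbols are still needed. Rows stay fully reduced, so
    each pivot bit appears in exactly one row."""
    rows = {}  # pivot bit -> (mask, payload)
    for mask, payload in symbols:
        for pivot, (pmask, ppayload) in rows.items():
            if mask >> pivot & 1:
                mask ^= pmask
                payload = xor_bytes(payload, ppayload)
        if mask == 0:
            continue  # linearly dependent: this symbol carried nothing new
        pivot = mask.bit_length() - 1
        for p, (pm, pp) in list(rows.items()):
            if pm >> pivot & 1:
                rows[p] = (pm ^ mask, xor_bytes(pp, payload))
        rows[pivot] = (mask, payload)
    if len(rows) < k:
        return None
    return [rows[i][1] for i in range(k)]


def fetch_and_rebuild(holders: dict, k: int, doc_len: int, max_symbols: int = 200) -> tuple:
    """Pull symbols round-robin from several holder nodes until the document
    decodes. Each holder mints from its own seed range, so the receiver keeps
    going if any holder (including the original source) disappears.
    Returns (document, number_of_symbols_used)."""
    names, symbols = list(holders), []
    for n in range(max_symbols):
        idx = n % len(names)
        symbols.append(encode_symbol(holders[names[idx]], (idx << 16) | n))
        blocks = decode(symbols, k)
        if blocks is not None:
            return b"".join(blocks)[:doc_len], len(symbols)
    raise RuntimeError("holders did not supply enough independent symbols")


DOCUMENT = b"Mesh networks route around damage."  # constructed sample document
BLOCKS = split_blocks(DOCUMENT)
K = len(BLOCKS)
# Three constructed peers holding the same document; none is "the" source.
HOLDERS = {"node-a": BLOCKS, "node-b": BLOCKS, "node-c": BLOCKS}
```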

Threat Classification

Passive Threats

  • Traffic Analysis: The collection of protocol headers, sizes, and/or timings to gather insight into the network topology and traffic patterns
  • Eavesdropping: The examination of the content of messages along the network to gather information transmitted.

Active Threats

  • Denial of Service: The transmission of packets or raw energy to deny or delay legitimate services over the mesh.
  • Masquerade: The emulation or activation of a valid node for the purpose of performing a routing-style attack (wormhole, sybil, or tunnel attacks).
  • Modification: The alteration of content (node exposure and route manipulation) of an intercepted message before passing it on.

Layer Level Overview

Physical Layer - Layer (1)

This layer delivers bits across one hop. It deals with such problems as modulation, clocking, voltage levels, and connector shapes.

  • _Dynamic transmit power:_ A plugin that is able to look at the mesh routing table and dynamically scale down the transmit power of an individual node to the minimum required to maintain optimal connectivity will make it harder to detect an individual node and reduce the effects of interference.

Data Link Layer - Layer (2)

This is the layer responsible for delivering packets of information across one hop. It deals with framing of packets, error detection, and link usage coordination on shared media.

  • _Hidden SSID:_ Not a serious security mechanism, but something that reduces detectability for casual eavesdroppers.
  • _WiFi Encryption:_ Not a comprehensive security mechanism in and of itself, but a necessary one for WiFi to discourage casual attackers and packet injection attacks. WPA-NONE would provide casual discouragement, but adapting the authSAE protocol would be better. A component of 802.11s, Simultaneous Authentication of Equals (SAE) performs a zero-knowledge proof between two adjacent nodes, which then establish a strong session key using elliptic curve cryptography (ECC). This essentially provides WPA2-PSK-like encryption, but without a master and with much stronger crypto. Authenticated Mesh Peering Key Exchange (AMPKE) is the part of the protocol that allows sessions to be passed between adjacent nodes, allowing roaming even within an encrypted network.

Network Layer - Layer (3)

This layer is responsible for storing and forwarding packets across many hops, so that a mesh network will be logically fully connected. It deals with issues such as route calculation, allocation of finite resources, and packet fragmentation and reassembly.

  • _Service advertisement:_ This is critical both for advertising encryption services and for distributing public keys. It is currently based on mDNS, but given time, we may look at an alternative like Telehash.
  • _Signed routing traffic:_ There are already very basic implementations of this, including olsr_secure and the Ninux olsr_gnupg plugin. An improved version of this would help protect against false routing traffic in the mesh, by providing a mechanism by which trusted nodes can be identified and untrusted nodes voted down.
  • _Anonymized IP and MAC addresses:_ IP addresses are derived from MAC addresses, which are identifiable. A better system will allow for multiple IPv4 and IPv6 address generation schemes, along with randomly spoofed MAC addresses, making these systems reasonably non-identifiable with an individual device or person.
  • _Mesh Datagram Protocol:_ The Mesh Datagram Protocol provides a generic overlay network, passing traffic in a UDP-analogous network protocol and addressing encrypted traffic by hashes rather than IPs, providing strong encryption and reasonable anonymity by disassociating it from IP-layer traffic. Its delay-tolerant nature additionally helps to prevent timing analysis by making traffic asynchronous.

Transport Layer

This layer is responsible for adding end-to-end reliability. It deals with conversation setup, packet numbering for reordering and retransmission of lost packets, and addressing of processes within a node.

Application Layer

This is the layer that actually uses the network. It includes such protocols as file transfer, packet voice, mail, and remote terminals.

  • _Commotion client:_ The client would be used to facilitate the use of all of the technologies above.
  • _Secure messaging services:_ Potentially, other client software could use other transport and security means beyond the built-in encryption proxies. See Stanford's Musubi for a potential secure messaging application.

Use case

An individual with a Commotion-enabled Android phone starts up the client, which scans for a network. The phone picks up compatible Commotion networks, which signal the fact that they are Commotion-compatible as well as details such as routing metrics and IP subnets, either through 802.11u signaling or through other mechanisms such as SSID/BSSID encoding. The user chooses a network and either enters the key/passphrase for the network or the client selects it from a keyring. The client generates a MAC address and an IP address and initiates an SAE exchange with the closest node. Once the link is established, the client presents a list of services being advertised on the network. This includes MDP entry points, gateways, and other services. The advertisements include a signature from the advertising node, allowing users to select nodes from their own trust network if desired. Pre-configured applications included in the Commotion bundle on the phone are able to send anonymous and encrypted messages to other network clients through the overlay network, as well as make encrypted VoIP phone calls if desired.

Threat Model

For Commotion's threat model, see: Threat Model

Threat Modelling Process [1]

Commotion uses the CIAAA Threat, Attack, Vulnerability, and Countermeasure [1] approach to ensure that all known and unknown threats and vulnerabilities are addressed. This process is described by Spiewak, Engel, and Fusenig as follows:

  • “A *threat* is an undesired event that will have a negative impact on the [Ad-Hoc Network] system including all its protocols and components. The threat can be malicious or not malicious, and might be for example caused by nature.

A threat is enabled through:

  • An *Attack* is a malicious action taken by utilization of vulnerabilities in the [Ad-Hoc Network] in order to realize a threat.
  • A *Vulnerability* is a weakness in some components or protocols of the [Ad-Hoc Network] making an Attack possible.

A vulnerability is mitigated with:

  • A *Countermeasure* addresses a Vulnerability to reduce the probability of Attacks or the impacts of Threats. They do not directly address threats; instead, they address the realization factors that define threats. Countermeasures range from improving application design, over improving the code, to improving an operational practice.”

In our threat model we shall explore threats using this process. As such, any new threats made apparent shall be classified and incorporated into this document. Linkages between threats, attacks, vulnerabilities, and countermeasures will be represented as hyperlinks between sections to best allow for analysis of progress of various categorizations of threats and the best customization of security models to address specific community and network needs.

Alternative (unused) Threat Models

The Dolev-Yao model

The Dolev-Yao model is the most traditional model that can be used to track attackers against authentication protocols. The authors define the attacker as [2]: “someone who first taps the communication line to obtain messages and then tries everything he can to discover the shared secret”. The Dolev-Yao attacker in a MANET is strong enough to capture any packet from the network and can also forward packets to any node in the network without anyone’s liability. However, since the attacker can successfully divide the communication link between two nodes into a two-hop system passing through the attacker as an intermediate node, the model can be regarded as the most effective way to evaluate MANET routing protocols. Unfortunately, the Dolev-Yao model has not been able to predict an attacker's capability with the utmost precision, as results from a limited attacker evaluation may claim security that can be subverted by changing the attacker restrictions.

Technical Overview of Commotion Threats

It is relatively simple to snoop network traffic, replay transmissions, manipulate packet headers, and redirect routing messages. By exploring the possible ways to censor, degrade, and surveil a mesh we can put in place processes to allow for users to choose the types of security or anonymity they require most and easily configure their network or traffic to combat these.

  • Types of attacks
  • Censorship
    • Content Type
    • Traffic Type
    • Topic / Item
    • User Type
    • Mass / Total
  • Surveillance
    • Content Type
    • Traffic Type
    • Topic / Item
    • User Type
    • Mass / Total

Types of Attacks

Black Holes

A black hole is an attack where a node drops specified, or all, packets it receives while still participating in the routing protocol. This means that the node passes along routing messages while not passing along non-routing data. This allows the node to be selected as a component of a path to another host, even though that will result in partial or complete loss of data.

Sybil

Packet Modifiers

Altering routing-specific information such as the message size on every message a node receives will cause all data to be rejected by recipient devices as corrupt, without identifying if or where a malicious node lies along the path. If the packet or message size is only occasionally altered it becomes even more difficult to identify the malicious node.

Censorship

“When technology is plentiful but punishment or forces are restrained”

Content Type

Censoring content is a threat where an actor wishes to suppress a specific type of information or method of sending that information. By attacking types of content or traffic an actor can create a buffer between “proper” use of technology and “bad” or “illicit” uses. This type of censorship is often seen from high-power actors who are attempting to occlude negative statements about the legitimacy or behaviour of their establishment, enforce a cultural ban against “disruptive” or “morally disreputable” content, or maintain a monopoly on private communication. This can be done by targeting a specific type of content by processing or parsing it, or by censoring the traffic of programs that allow those types of behaviour.

Traffic Type

Traffic based censorship is aimed at disrupting traffic that is commonly used to transmit unwanted content. This can be as broad as censoring any traffic that is encrypted or as specific as blocking traffic formatted for a specific program running on a specific server.

  • Black Holes
  • Network Flooding and the Sleep Deprivation effect on mobile nodes: By identifying mobile nodes and pushing traffic to them, or through them, a set of devices can drain the battery power of these devices. This is especially problematic when power is unavailable or a high-power actor wishes to keep low-power agents stationary by quickly destroying their ability to communicate on their mobile devices.

Topic / Item

  • Black Hole
  • Flood Rushing: for replacing content with adversary-planted content that will be propagated instead of the real content.
  • Sybil Gateways with false 404s
  • Sybil Gateways with egress/ingress filtering

User Type

  • Black Holes
  • Worm Holes: to create the shortest path to a commonly desired node for the user in question, capture all their traffic, and run it through a black hole or modify it and pass it on.
  • Sybil Gateways with egress/ingress filtering
  • Focused fragmentation attacks

Mass / Total

  • Black Hole
  • Flood Rushing
  • Packet Overflow
  • Jitter Nodes
  • Physical Layer jamming
  • Fragmentation attacks
  • Sybil Gateways with egress/ingress filtering (malicious outbound content compliance)

Surveillance

Content Type

  • Wormholes
  • Overlay Wormholes
  • Sybil Services
  • Sybil Nodes

Traffic Type

  • Wormholes
  • Overlay Wormholes
  • Sybil Services
  • Sybil Nodes

Topic / Item

  • Wormholes
  • Overlay Wormholes
  • Sybil Services
  • Sybil Nodes

User Type

  • Wormholes
  • Overlay Wormholes
  • Sybil Services
  • Sybil Nodes
  • Traffic analysis: not for surveilling a user, but for surveilling traffic to identify specific anonymous/hidden users

Mass / Total

  • Wormholes
  • Overlay Wormholes
  • Sybil Services
  • Sybil Nodes

Security Overlays

Care must be taken when implementing responses to these attacks, as many of the security overlays proposed in the area of ad-hoc networking suffer from overhead issues or complicate the communication protocol such that interoperability among nodes could be threatened if different security solutions are implemented. Due to these concerns, solutions must allow for differentiated security among nodes in a network, and be implementable solely on client devices or on low-cost embedded devices that act as routers. Solutions should also combat multiple types of attacks, so that users do not have to sacrifice one type of security for another because packages do not fit on wireless routers.

Intrusion Detection

* Misuse detection[6] Misuse detection is also called signature-based detection because it represents every attack by a signature (pattern or rule of behavior). Rules can be divided into single-part (atomic) signatures or multi-part (composite) signatures. This type of detection is very accurate for known attacks, but cannot identify new attacks until a new rule is created around that attack's signature.

* Anomaly detection[6] Anomaly detection is sometimes called behavior-based detection. Anomaly detection tries to characterize normal behavior, and everything else is assumed to be anomalous (although not necessarily malicious). Anomaly detection uses an aggregate of previous (normal) behavior, and recognizes new attacks by behavior that significantly deviates from normal behavior. It can be extremely difficult to accurately characterize normal behavior because normal activities can have such large deviations. The choice of statistical metrics for an accurate profile is still an open research problem. Anomaly detection often shows a high rate of false negatives.

Thoughts: I think we should use this method. By putting this on each node and notifying the user with a simple graphic of the changed behavior and a few canned responses for “defensive” configuration we can allow users to be a part of our defensive model.

* WATCHERS (Watching for Anomalies in Transit Conservation: a Heuristic for Ensuring Router Security)[6] One of the important ideas of WATCHERS is a totally distributed intrusion detection scheme running concurrently and independently in every router. Each router checks incoming packets to detect any routing anomalies. Also, each router keeps track of the amount of data going through neighboring routers. The objective is to detect misbehaving routers in a distributed way. [6]

Routers periodically share their respective data by a flooding protocol, and then start a diagnostic phase. Flooding is necessary to overcome any malicious nodes that might try to interfere in the information sharing by blocking packets. If a router is found to exhibit any of these misbehaviors, it is deemed to be a bad router (but it is impossible to determine if the cause is an intrusion or a malfunction based solely on the router’s external behavior). In response to any routers deemed to be misbehaving, routing tables at good routers are changed to avoid forwarding packets through those misbehaving routers. Since the watchdog is a rather simple monitoring process, several limitations were noted. First, the scheme is limited to source routing because the watchdog needs knowledge of the proper route for each packet. Second, it is vulnerable to interference by a malicious node falsely reporting other nodes as misbehaving (see: thoughts for a response using olsr-secure). Third, multiple misbehaving nodes could collectively interfere with the watchdog process (a system for addressing behavior report disparity needs to be developed). Lastly, a misbehaving node could escape detection by dropping packets just below the threshold level (see: thoughts relating to user-set thresholds for devices).

Thoughts: By having other routers broadcast their respective data using olsrdSecure we can authenticate the data. Each router must then work with the other routers' data to build its own routing tables. This way, routers cannot be overtaken by malicious broadcasts of false misconduct. By users being able to specify thresholds for their devices, each device will take the information passed by other routers to build a customized level of security and “pickiness” for interacting with other routers.

* TIARA (Techniques for Intrusion-resistant Ad Hoc Routing Algorithms)[6] TIARA was actually a set of mechanisms to ensure an ad hoc network could continue to operate under hostile adversarial conditions, rather than an intrusion detection scheme. However, a flow monitoring mechanism in TIARA is designed to detect path failures caused by misbehaving nodes.

The basic idea is for source nodes to periodically send special “flow status” messages to destination nodes. Flow status messages contain information about the number of packets that have been sent from the source to the destination since the previous flow status message. To prevent interference with flow status messages, each message is numbered sequentially (to detect loss) and protected with a digital signature (for authentication).

Upon receiving a flow status message, the destination node compares the carried number to the actual number of packets received since the last flow status message. A path failure is reported to the source node if (1) a flow status message has been lost or not received within a specified time interval, (2) the actual number of received packets is less than a threshold fraction of the number indicated by the source, or (3) the actual number of received packets is much more than the number indicated by the source.

There are two obvious disadvantages of this scheme for intrusion detection. First, a path failure does not identify which specific nodes could be compromised. Second, the flow status messages incur a cost in additional traffic that is proportional to the number of source-destination pairs in the network.
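The flow-status check described above, as an added example that is not TIARA's own code: a signed, sequence-numbered status report from the source and a destination that applies the three path-failure conditions, run over constructed packet traces including a dropped status message and a tampered one. HMAC-SHA256 with a shared key stands in for the digital signature, and the threshold fraction and excess factor are assumed values.

```python
"""Added example, not TIARA's own code: the flow-status check described above.
The source sends a sequence-numbered, signed report of how many data packets it
sent since its last report; the destination compares that with what actually
arrived and reports a path failure under the three listed conditions.
HMAC-SHA256 over a shared key stands in for the digital signature, and the
packet traces are constructed in-process."""
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-source-destination-key"  # stand-in for the signing key
MIN_FRACTION = 0.8  # condition (2): fewer than this fraction of 'sent' arrived
MAX_FACTOR = 1.5    # condition (3): far more arrived than the source sent


def _tag(seq: int, sent: int, key: bytes) -> str:
    body = json.dumps({"seq": seq, "sent": sent}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_flow_status(seq: int, sent: int, key: bytes = KEY) -> dict:
    """Source side: report the packets sent since the previous status message."""
    return {"seq": seq, "sent": sent, "tag": _tag(seq, sent, key)}


def verify_flow_status(msg: dict, key: bytes = KEY) -> bool:
    return hmac.compare_digest(_tag(msg["seq"], msg["sent"], key), msg["tag"])


class Destination:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected_seq = 0
        self.received = 0  # data packets seen since the last flow status

    def on_data_packet(self) -> None:
        self.received += 1

    def on_timeout(self) -> str:
        """Condition (1), timer variant: no status arrived within the interval."""
        self.expected_seq += 1
        self.received = 0
        return "path failure: flow status not received in time"

    def on_flow_status(self, msg: dict) -> Optional[str]:
        """Return a path-failure reason to send to the source, or None if healthy."""
        if not verify_flow_status(msg, self.key):
            # An on-path node cannot lower 'sent' to hide drops without breaking the tag
            return "path failure: flow status forged or altered"
        sent, got = msg["sent"], self.received
        if msg["seq"] != self.expected_seq:  # condition (1): a status was lost
            reason = f"path failure: flow status lost (expected seq {self.expected_seq}, got {msg['seq']})"
        elif got < MIN_FRACTION * sent:       # condition (2): too few arrived
            reason = f"path failure: only {got} of {sent} packets arrived"
        elif got > MAX_FACTOR * sent:         # condition (3): far too many arrived
            reason = f"path failure: {got} packets arrived but only {sent} were sent"
        else:
            reason = None
        self.expected_seq = msg["seq"] + 1
        self.received = 0
        return reason


def simulate(intervals, lose_status_at: Optional[int] = None) -> list:
    """Run one flow through constructed intervals of (packets sent, packets
    delivered), optionally dropping one status message in the path. Returns
    the outcome of each status message received (None = healthy interval)."""
    dest = Destination()
    outcomes = []
    for seq, (sent, delivered) in enumerate(intervals):
        for _ in range(delivered):
            dest.on_data_packet()
        if seq == lose_status_at:
            continue  # the status message itself vanished en route
        outcomes.append(dest.on_flow_status(make_flow_status(seq, sent)))
    return outcomes
```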

* Malcounts[6] The central idea in the intrusion detection scheme is that each node maintains a “mal-count” for neighboring nodes, which is the number of observed occurrences of misbehavior. When the malcount for a node exceeds a given threshold, an alert is sent out to other nodes. The other nodes then check their malcounts for the suspected node and may support the initial alert with secondary alerts. If a suspected node triggers two or more alerts, it is deemed to be malicious and a “purge” message is broadcast. In response, the suspected node is avoided by the other nodes.

A problem with the proposed scheme is that it is not clear whether malcounts are only cumulative, so that they can increase but not decrease. The ability to decrease malcounts would be useful for nodes with unusual but not malicious behavior that might be falsely identified as malicious. Their unusual behavior might cause their malcount to increase, but then a period of good behavior would result in their malcount returning to a normal value. This could avoid false alerts. Naturally, this scheme works only if at least two trustworthy nodes are observing a suspected node, and it can be defeated by malicious nodes sending out false alerts. Also, the scheme depends on a threshold for malcounts. A compromised node could avoid detection by keeping its misbehavior under the threshold.
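The mal-count scheme and the decreasing-count improvement discussed above, as an added simulation that is not code from the page or from the cited paper: nodes count observed misbehaviour per neighbour, a count at the threshold raises a primary alert, other observers confirm only from their own counts, and two alerts purge the node. Node names, observation traces, the threshold values and the support rule are all assumptions made for the example.

```python
"""Added example, not code from the page or the cited paper: a toy simulation
of the mal-count scheme with the decreasing-count improvement suggested above.
Each node keeps a malcount per neighbour from its own observations; a count at
or over THRESHOLD raises a primary alert, other observers confirm with a
secondary alert if their own count is elevated, and ALERTS_TO_PURGE alerts
purge the node. Node names and observation traces are constructed."""
from collections import defaultdict

THRESHOLD = 3        # misbehaviours before an observer raises a primary alert
SUPPORT = 2          # an observer backs an alert only if it saw this many itself
ALERTS_TO_PURGE = 2  # primary + secondary alerts needed to purge (as in the text)
DECAY = 1            # count forgiven per well-behaved round (the proposed change)


class Node:
    def __init__(self, name: str):
        self.name = name
        self.malcount = defaultdict(int)

    def observe(self, neighbour: str, misbehaved: bool) -> None:
        """Raise the neighbour's malcount on misbehaviour, let it recover otherwise."""
        if misbehaved:
            self.malcount[neighbour] += 1
        else:
            self.malcount[neighbour] = max(0, self.malcount[neighbour] - DECAY)


class Mesh:
    def __init__(self, names):
        self.nodes = {n: Node(n) for n in names}
        self.purged = set()

    def run_round(self, observations: dict) -> list:
        """observations[observer][neighbour] -> misbehaved this round.
        Returns ("alert", suspect, alerters) and ("purge", suspect, alerters) events."""
        for observer, seen in observations.items():
            for neighbour, bad in seen.items():
                self.nodes[observer].observe(neighbour, bad)
        events = []
        for suspect in self.nodes:
            if suspect in self.purged:
                continue
            others = [n for n in self.nodes.values()
                      if n.name != suspect and n.name not in self.purged]
            primary = [n.name for n in others if n.malcount[suspect] >= THRESHOLD]
            if not primary:
                continue
            # Nodes receiving the alert check their own malcounts for the suspect
            secondary = [n.name for n in others
                         if n.name not in primary and n.malcount[suspect] >= SUPPORT]
            alerters = sorted(primary + secondary)
            if len(alerters) >= ALERTS_TO_PURGE:
                self.purged.add(suspect)  # "purge" broadcast: others avoid the node
                events.append(("purge", suspect, alerters))
            else:
                events.append(("alert", suspect, alerters))
        return events


def demo() -> dict:
    """Three constructed traces over six rounds:
    - M drops packets every round and is seen by A and B -> purged in round 2
    - F misbehaves in bursts (2 bad, 2 good, 2 bad); DECAY keeps its count
      below THRESHOLD, so no false alert (without DECAY it would alert in round 5)
    - X falsely accuses G every round; alone it never reaches ALERTS_TO_PURGE"""
    mesh = Mesh(["A", "B", "M", "F", "X", "G"])
    f_bad = [True, True, False, False, True, True]
    log = {}
    for rnd in range(6):
        obs = {
            "A": {"M": True, "F": f_bad[rnd]},
            "B": {"M": True, "F": f_bad[rnd]},
            "X": {"G": True},  # fabricated report from a malicious observer
            "G": {"X": False},
        }
        log[rnd] = mesh.run_round(obs)
    return {"purged": sorted(mesh.purged), "events": log,
            "f_counts": {n: mesh.nodes[n].malcount["F"] for n in ("A", "B")}}
```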

* CONFIDANT (Cooperation of Nodes: Fairness in Dynamic Ad-hoc Networks) [6] In each node, the CONFIDANT system includes four components: the monitor, reputation system, trust manager, and path manager. Similar to Zhang and Lee’s approach, the monitor in each node observes the activities of neighboring nodes (within radio range) to look for misbehavior. With source routing assumed, the monitor has knowledge of the next hop for each packet. When the node forwards a packet to a neighbor, it watches the neighbor to see whether the packet is forwarded correctly to the next hop. A copy of the entire packet is also stored temporarily to detect any suspicious modifications to the forwarded packet. If a misbehavior is observed, the reputation system is called.

The reputation system is similar in concept to Bhargava and Agrawal’s malcount and Marti et al.’s node ratings. The reputation system consists of a table listing all observed nodes and their reputation ratings. If a node is observed to be misbehaving (deviating from expected routing behavior), the node’s rating is changed by a weighting function depending on the confidence in the accuracy of the new observation. To reduce the chance of false alarms, a node’s rating can be improved after a specified period of good behavior. If a node’s rating falls below a threshold, the path manager is called.

The path manager has a number of responsibilities. It keeps track of a security rating for paths depending on the reputations of nodes in the path. Paths containing a malicious node are deleted. If a received packet is going on a path containing a malicious node, the packet is ignored and the source is alerted. If a received packet comes from a malicious node, the packet is ignored.

The last component, the trust manager, is responsible for receiving and sending “alarm” messages. Alarm messages contain information about observed misbehaviors to warn about suspected nodes. Alarm messages are sent to other nodes on a “friends” list, although the maintenance of the friends list has not been described. When a node receives an alarm message, the trust manager looks up the source of the message. If the source is trusted, the alarm message is added to a table of alarms. If there is enough evidence that a reported node is indeed malicious, the information is passed to the reputation manager. A number of details in the CONFIDANT scheme remain to be developed. For example, misbehaviors besides incorrect packet forwarding are not yet specified. Other missing details are the values for thresholds, the timeout for improving reputations, and who qualifies for the friends list. Also, the scheme is currently limited to source routing.

* To be Continued (from page 19 of [6])

References

1. Dagmara Spiewak, Thomas Engel, and Volker Fusenig, “Towards a Threat Model for Mobile Ad-Hoc Networks,” Proceedings of the 5th WSEAS Int. Conference on Information Security and Privacy, Venice, Italy, November 20-22, 2006.
2. Dolev, D., and A. Yao, “On the Security of Public Key Protocols,” IEEE Transactions on Information Theory 29 (1983), 198-208.
3. Rastogi and Ahirwar, “Adaptive Threat Modeling For Secure MANET Routing Protocol,” International Journal of Scientific & Technology Research, Volume 1, Issue 4, May 2012.
4. Perlman, Radia, “Network Layer Protocols with Byzantine Robustness,” Dissertation, Massachusetts Institute of Technology, August 1988.
5. Kim, Yu-seung, and Lee Heejo, “On Classifying and Evaluating the Effects of Jamming Attacks.”
6. Thomas M. Chen, Geng-Sheng Kuo, Zhang-Ping Li, Guo-Mei Zhu, “Intrusion Detection in Wireless Mesh Networks.”

commotion_architecture/core_components/security_architecture.txt · Last modified: 2014/03/18 20:00 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported