Secured Identity Based Approach with Privacy Preservation for Wireless Mesh Networks

7/29/2019 Secured Identity Based Approach with Privacy Preservation for Wireless Mesh Networks

1/8

Vol 01, Issue 02, December 2012 International Journal of Communications Networking System

http://iirpublications.com ISSN: 2278-2427

Integrated Intelligent Research (IIR) 90

SECURED IDENTITY BASED APPROACH WITH PRIVACYPRESERVATION FOR WIRELESS MESH NETWORKS

S. Ravichandran,Associate Professor,

Department of Information Technology,

Sri Krishna Engineering CollegeMail-id: [email protected]

Abstract:

Wireless Mesh Networks (WMNs) have been expected to be the ultimate solution for the next decadewireless networking. The attractions of WMNs include easy set-up on the fly, off-the-shelf cost,flexible interoperability with other networks, and highly reliable connectivity. One main challenge inthe design of these networks is their vulnerability to security attacks. The attacker will possibly beable to identify an ongoing communication session between any two network users by analyzing thenetwork traffic pattern without knowing the users identity information. To address these security

risks, Secured routing scheme that preserves the privacy of end users is proposed using SecuredIdentity Based Approach (SIBA) in which every nodes are assigned with the Security cards forefficient authentication. The major goal of the proposed systemis to reduce the number of attackerlevel by providing anonymity in routing. This implementation results show that the proposed schemecan provide substantial performance increases and protects against performance degradation even inthe presence of malicious behavior.

Keywords: Wireless Mesh Networks, Security, Privacy, Secured Identity Based Approach (SIBA).

I . INTRODUCTION

Wireless mesh networking (WMNs) is an

attractive, emerging and new way ofcommunication due to its low cost and itsscalable wireless internetworking solutions fornear future, which is the reason that it isbecoming little popular communication sector.It consists of mesh routers and mesh clients,where mesh routers have minimal mobilityand form the backbone of WMNs. Figure 1shows the architecture of WMN. They providenetwork access for both mesh andconventional clients. The integration ofWMNs with other networks such as theInternet, cellular, sensor networks, etc. can beaccomplished through the gateway andbridging functions in the mesh routers. Meshclients can be either stationary or mobile, andcan form a client mesh network amongthemselves and with mesh routers. Theadvantages of WMNs also include simplesettings, broadband capability, self

configuration, self maintenance and reliableservice coverage in the network.

Fig. 1 An Architecture of Wireless MeshNetwork

Security is the vital problem in the designof WMN. The client should have end-point toend-point security assurance. However, being


2/8




different from wired and traditional wirelessnetwork, WMN could easily be compromisedby various types of attacks. Even the WMNinfrastructure like mesh router could berelatively more easily reached and modified byattackers. Wireless links in WMN are easilyprone to active attacks, passive attacks andmessage distortion. In WMNs, passive attackswould compromise confidentiality and activeattacks would result in violating availability,integrity, authentication and non-repudiation.Many communications in WMNs containvarious kinds of sensitive user information likepersonal identities, activities, locationinformation, movement patterns, financialinformation, transaction profiles, andsocial/business connections. Hence, securingthese communications is of paramountpractical importance in WMNs.

It describes a new proposed scheme, theSecured Identity Based Approach (SIBA) forWMNs that addresses these security concernsand secures against malicious adversaries byusing security cards. Routing between eachnode is constructed based on anonymoussecurity card approach. Each mesh clientanonymously constructs key pairs for thatduration with its neighboring nodes and then,these keys are used for mesh clients to findroutes to the nearest mesh router and havetheir identities registered. The registered

identities are protected from adversaries andthen used for route discovery within the meshbackbone. Since the routing in mesh backboneare known to mesh routers to make use of pairwise secret keys along with security cards tokeep mesh clients anonymous from meshrouters. Specifically, the major contributionsin this paper include 1) Design of a securitycard based authentication system withanonymity property 2) Bind of the securitycard for anonymous routing and access controlwith mesh clients and mesh routers. Thisimplementation results show that the Secured

Identity Based Approach (SIBA) providessubstantial performance increases in networkefficiency and throughput even in the presenceof malicious behavior. The rest of the paper isorganized as follows. In Section II to discussrelated work on which can build. In SectionIII, Secured Identity Based Approach isintroduced with detailed description ofsecurity framework. In Section IV, security

properties along with performance analysis ofthe scheme will be examined. And Section Vconcludes the paper.

I . RELATED WORKWireless mesh network (WMN) represents

a paradigm shift away from the rigid, long-lead planning and implementation of the wiredbackbone, and toward a real-time plug-and-play deployment model that is up to thechallenges of todays rapidly-changingconnectivity environment. Security is animportant issue in multi-hop WMN and notmuch research works are done till now in areaof WMN security. Ben Salem and Hubauxdiscussed specifics of WMNs and identifiedfundamental network operations that need tobe secured. Siddiqui and Hong surveyed thethreats and vulnerabilities faced by WMNsand also identified a number of security goals.

In, the authors have identified theoperations to be secured in WMN as corrupted

TAPs, routing and fairness, and proposedsome solutions to secure the operations.However they ignored the class of attacks onmesh clients and behavior of a malicious node.Capkun have given a privacy-preservingscheme for the so-called hybrid ad hocnetworks, which are actually WMNs. This

scheme provides anonymity and locationprivacy for mobile nodes. The identifiers ofthe mobile nodes have to be disclosed toaccess points and also some access points maybe able to track a specific mobile user therebyadversary can able to link messages. Zhang etal. in have come up with an attack resilientsecurity architecture for multi hop wirelessmesh networks. They have modeled WMNarchitecture as credit card based e-commercesystem and showed that a mesh client need notto be bound to a specific WMN operator, canget ubiquitous network access by a universal

pass issued by a third-party broker. They usedidentity-based cryptosystem for authenticationand key agreement between mesh clients androuters.

A neighborhood authentication protocolhas been proposed that allows neighboringnodes to authenticate each other withoutrevealing their identities. As destination IDneeds to reveal for route discovery, only


3/8




conditional anonymity is achieved fordestination. The authors have focused on thetraffic privacy by proposing a penalty basedrouting algorithm in. But, they used sourcerouting scheme for their protocol. They haveignored how to deal with identity privacy andnot mentioned how authentication isperformed between mesh nodes. The authorsof presented an authentication scheme forWMNs, which is resilient against mesh routercompromise. Other general privacy-awareauthentication techniques are described in. Asecure multi-path Hybrid routing protocol,MHRP, is proposed in. Privacy-preserving ofthe end-users is not considered in this work.

After reviewing the previous work, topropose a new approach for routing in WMNswith higher security based on security cardswith anonymous user communication forreducing the number of attacker level.

I I . SECURED IDENTITY BASEDAPPROACH (SIBA)

A. Network Model:The WMN architecture at metropolitan-

scale and it comprises of four entities: aWMN operator (WMNO), a trusted authority(TA), mesh routers (MRs), and network users(NUs). WMN Operator forms a well-connected WMN using static mesh routers

and provides network services to networkusers. The global topology information of thewhole WMN are maintained by these meshrouters by constantly exchanging informationwith each other. To enjoy WMN access, eachnetwork user/client has to first register withthe Trusted Authority (TA) which in turnissues a security card to the users. WMNOperator will grant network access to networkusers holding valid security cards issued bytrusted authority. In addition TA also providesnecessary revocation capabilities andcryptographic means to network users to

protect their communication againsteavesdropping, altering and also sophisticatedattacks aimed to compromise privacy. Tofurther assume that all the network trafficexcept for the communication within the samesubnet serviced by the same router has to gothrough a mesh router. Network userscooperate with each other on relaying thepackets. Communication channels in WMNs

are bidirectional and a reliable TCP has beenimplemented over mesh networks.B. Notations:

We denote Ti and Oi the trusted authorityand WMN Operator respectively. To use MC

i,j to indicate the unique identifier of client jregistered in Ti. MR i,j refers to the uniqueidentifier of mesh router j of Oi. To indicatethe security card for MC i,j as MC i,j-card andKMCi,j is a card-based key both are issued by Tito MC i,j. Likewise, MR i,j-card and KMRi,j areused to denote the router card and the card-keyrespectively.

C. Security Card Model:There are two types of security cards in

identity based approach: router cards (MR-Cards) issued by a WMN operator to its meshrouters, client cards (MC-Cards) provided by atrusted authority to the enrolled clients. In thissubsection, this focus on the issuance of MR-Cards and MC-Cards.

Issuance of MR-Cards: Prior to networkdeployment Oi issues to each controlled routerMRi,j an MR-Card, CardMRi,j := (MRi,j,expiration-time), as well as a card-key KMRi,j =

Oi HOi(CardMRi,j) which MRi,j keeps secret.Here,

Oi is operator Ois domain secret andHOi is the hash function specified. The

freshness of CardMRi,j is controlled by theexpiration-time field. Oi should send to MRi,j anew (CardMRi,j,KMRi,j) pair via a secure channelbefore its current one expires. (CardMRi,j,KMRi,j)may be updated hourly, daily, weekly, or evenmonthly depending on Ois security policies.In essence, MR-card and Card-Key is astandard ID-based approach in an IBCcryptosystem. Alternatively CardMRi,j can bedesigned as a conventional public-keycertificate and KMRi,j as the correspondingprivate key. This ID-based MRij-Card has atmost a few tens of bytes in size as compared

with a typical X.509 certificate of about 1KB.The main reason is that it dumps the mostspace-consuming fields and retains the entityidentifier and expiration-time parts of acertificate.

Issuance of MC-Cards: Each client has to firstenroll with the desired trusted authority forWMN access. Upon a registration request


4/8




from client j, Ti usually needs to validate theclients personal data and assigns to theapplicant an identifier MCi,j and a MC-Card inthe form of CardMCi,j := (MCi,j,expiry-time).Here, expiry-time specifies the expiry time ofCardMCi,j before which MC i,j has to renewitself. In addition to CardMCi,j, the Ti issues toMC i,j a card-key KMCi,j= Ti HTi (CardMCi,j),where Ti is Tis domain secret and HTi is thehash function used. Likewise, (CardMCi,j,KMCi,j) is a standard ID-based approach in anIBC cryptosystem. It is renewed hourly,weekly, daily or even monthly depending onthe Tis security policies once the card getsexpired. The freshness of the card is controlledby the expiration-time.

D. Generation and Updating Of Key Pair:The Trusted Authority generates key pairs

for secured routing and data transmission. TAis trusted not to disclose the user keyinformation and has the ability to regeneratethe keys when it gets expired. At the sametime, in order to improve the security of thenetwork, each node in WMN will maintain akey update record form, which helps toupdate new keys regularly. The generatingand updating process is shown in the Fig 2below:

Fig. 2 Generating and UpdatingProcess

E. Secured Routing:Wireless mesh network communication

occurs mainly between mesh clients, meshrouters and gateways. Fig 3 shows a generalcommunication scenario that it will considerwhen describing the protocol. So, when a

mesh client (MC) wants to send or receivesome data, it must have to authenticate itselfwith the nearest Mesh Router (MR). If MC iswithin the transmission range of MR then itrelies on that router to get service. Datagenerated or received by the MC must gothrough routers in a hop by hop fashion. Asdata are traversed in a multihop fashion andsome nodes act as forwarder, a maliciousattacker can trace the behavior of a meshclient, like who is accessing what kind of data?So, in this kind of network architecture it isalways preferable for the client to remainanonymous by hiding its identity, otherwise itcan be a victim of privacy attack. So, the mainmotivation is that no other entity other thanWMNO and TA should know the real identityand location of the mesh client.

An anonymous route between a meshclient and its nearest mesh router is establishedby registering the client to the mesh router. Itconsists of three steps. In the first step, thesource node broadcasts a route establishmentthroughout the subnet to which it belongs, andthe request would reach the nearest meshrouter under the protection of key pairs. Thenthe mesh router registers the node and puts itinto its user list in the second step. Thisinformation is exchanged among mesh routersso that every mesh router knows how to reacha specific node. Next, the mesh router sends a

reply to the source node, and the route isconstructed when the reply successfullyreaches the source node.

Fig. 3 Communication process of meshnetwork

Path Request: Mesh Router MR periodicallybroadcasts a beacon via the single-hopdownlink to announce its presence. Thebeacon should at least include CardMRi,j,Cert Oi,and a fresh timestamp t1 signed with its card-


5/8




key KMRi,j. The beacon can be received by allmesh clients in router Rs coverage. MR sendsthe following beacon message to its neighbors:

MR i,j->:CardMRi,j, Cert Oi, KMRi,j(t1,Other

Info). (1)

The client S upon receipt of beacon find routeto that router through the intermediate nodes.S will broadcast the followingundistinguishable PREQ packet to MR byencrypting the Card Si,j, Seqno and SIGs withinits neighborhood:

Epks(PREQ,Card Si,j,MR,seqno,SIGs,pad)

(2)

Upon receiving the route request messagefrom S, intermediate nodes decrypts using itsprivate key and check for expiry of security

card and valid signature. If it is successfulroute is established and thereby it finallyreaches mesh router R. Note that R mayreceive more than one route request thatoriginates from the same source and has thesame sequence number, but he replies to thefirst arriving message and drop others.

Node Registration: Upon successful receiptand verification of a routing request message,the mesh router MR proceeds to register therequesting node. MR knows that S is currentlywithin its service coverage and puts S into its

current user list but only for a predeterminedperiod of time. S has to periodically reregisteritself to MR to maintain the active statusotherwise Ss registration automaticallyexpires in MRs user list. The real identity of anetwork user is not disclosed to the currentservice mesh router only the users card id willbe used for registering anonymously at meshrouter.

Path Reply: Path Reply messages (PREPs) areunicast backward toward the source node fromthe router. Once the reply message reached the

source node, message is transmitted throughthe established route. MR performs thepadding operation as appropriate and repliesthe following undistinguishable Path Replypacket to source S:

R, Epk(PREPR, R,CardMCi,j,seqno,pad).

(3)

Anonymous Message Delivery: The delivery ofa message consists of three steps i) uplinkrouting ii) router-router routing iii) downlinkdelivery. First, it is sent to the source meshrouter, which is the nearest mesh router to thesource node. The message is sent along theroute constructed from the source node to thesource mesh router, which is protected withkey pairs. Next, the source router finds out thecorrect destination router and routes the packetusing pair wise secrets to the destinationrouter. Every mesh router knows how to reacha specific node since each node has registeredwith the nearest mesh router. In the third step,the destination mesh router dispatches themessage to the destination node.

IV. SECURITY AND PRIVACY

ANALYSIS

In this section, to describe the countermeasures implemented in the proposed schemeagainst the attacks listed in that are relevant tothese protocols.

Identity privacy attack: Most peoplewould like to remain anonymouswhile roaming in WMNs for privacyreasons. In a client card, the client isidentified by an ID number assignedby the trusted authority when he/sheapplies for the card. Only this IDnumber is used in all subsequentcommunications, and not the personsdescriptive identity (e.g. user name,real name). The client descriptiveidentity is known to and can be tracedback from the assigned ID numberonly by the trusted authority.

Access Control: The protocols ensurethat only legitimate users can gainaccess to mesh networks. To be ableto access the mesh network, a mobileuser has to obtain a security card alongwith the card key and successfullyregister to the mesh router with it. Anadversary cannot easily forge the validsignature of TA of his choice whichwould not be authenticated by themesh router.

Preventing Route Disruption: Thistype of attack is caused by the


6/8




malicious behavior of a node throughmodification of a mutable field anddropping routing informationelements. Note that, in this proposedscheme only authenticated nodes canparticipate in the route discoveryphase. Moreover, routing informationelements are authenticated andverified per hop. So, it is not possibleto launch a route disruption attack.

III.IMPLEMENTATION ANDANALYSIS

The proposed secured identity basedapproach (SIBA) with privacy preservationhas been implemented and analyzed in thenetwork simulator NS2. The proposed schemeutilizes a network topology comprising of 25wireless nodes and 2 mesh routers that

provides communication to other networks.All the network traffic except for thecommunication within the same subnetserviced by the same router has to go througha mesh router. Network users cooperate witheach other on relaying the packets.Communication channels in WMNs arebidirectional and a reliable TCP has beenimplemented over mesh networks.

Figure 4 shows the comparison of SIBAscheme with the Hybrid Wireless MeshProtocol (HWMP). As discussed above, when

the intruders attack to a network they capturedmost of the traffic. The most of the packets donot reach to the destination. The figure 4shows that in HWMP, almost 60% of thetraffic reaches to its destination and remainingis lost due to intrusion. However SIBA schemedelivers 90% of the traffic reached to itsdestination, because SIBA scheme firstauthenticates the node and then routes thepacket. If the node is an intruder, the routingnode detects it and follows an alternate path tothe destination. So that packet reachessuccessfully to the destination. The packetsmay experience a bit more delay due to thealternate longer paths, but SIBA ensuresmaximum packet delivery ratio. Packets inSIBA are dropped due to the random link/nodefailure.

0

20

40

60

80

100

50 75 100 125 150

Packetsdelivered

Number of Packets

HWMP

SIBA

Fig. 4 Packets Delivery Ratio by intruders at

various level

As SIBA is a secure routing and every

node follows the alternate path in case of

intruder, so most of the packets are not

dropped and the throughput is increased.

Figure 5 shows the comparison of throughput

at various levels.

0

5

10

15

20

25

30

35

40

45

50 75 100 125 150

Throughput

Number of nodes

HWMP

SIBA

Fig. 5 Throughput at various levels

The delay time for both the schemes

have been analyzed and it is shown in Figure

6, It can be observed that the SIBA

experiences longer delays with better packet

delivery ratio because it performs the situation

awareness to detect the broken links andperforms the authentication process to

authenticate next hop before transmitting the

packet.


7/8




0

5

10

15

20

25

30

35

40

45

50 75 100 125 150

PacketDelay(s)

Number of Packets

HWMP

SIBA

Fig. 6Total Packet Delay Time (s)

IV.CONCLUSION AND FUTUREWORK

In this paper, it have investigated the

problem of privacy-preserving routing in

WMNs and proposed Secured Identity Based

Approach (SIBA) to provide security and

anonymity, as well as authentication, in

WMNs. SIBA authenticates the registered

nodes before transmitting the packets.

Extensive simulation results in NS2 shows that

the authentication before the transmission is

needed for saving the traffic flows from

different attacks. The SIBA approach givesbetter packet delivery ratio with less packet

loss rate and the throughput observed when

compared with HWMP is also higher. Slight

tradeoff in terms of delay has been observed

while implementing the security. The

performance and security analysis show that

the proposed scheme is efficient and resilient

to various kinds of attacks. In future, it will

carry out an optimized technique to minimize

the delay and also the processing time.

REFERENCES

[1] Siddiqui, M.S. Amin, S.O. Choong Seon Hong.An Efficient Mechanism for Network Managementin Wireless Mesh Network. ICACT 10thInternational Conference, Feb. 2008.

[2] R.Ping Yi, S.Tianhao Tong, T.Ning Liu andH.Yue Wu, Security in Wireless Mesh Networks:Challenges and Solutions 6th InternationalConference on Information Technology: NewGenerations, Oct. 2009.

[3] S. Hansman and R. Hunt, A Taxonomy of

Network and Computer Attacks Computers andSecurity, Elsevier, Vol 24, No 1, 2005.

[4] William Stallings, Network SecurityEssentials, Third Edition, Prentice Hall, July2006.

[5] N. Ben Salem and J.-P. Hubaux, SecuringWireless Mesh Networks, IEEE Wireless Comm.,vol. 13, no. 2, pp. 50-55, Apr. 2006.

[6] M. Siddiqui and C. Hong, Security Issues inWireless Mesh Networks, Proc. IEEE Intl Conf.Multimedia and Ubiquitous Eng.,2007.

[7] B. Salem and J-P Hubaux, Securing WirelessMesh Networks, in IEEE WirelessCommunication, Volume 13, Issue 2, April 2006.

[8] S. Capkun, J . Hubaux, and M. Jakobsson,Secure and privacy preserving communication inhybrid ad hoc networks, Swiss Fed. Inst.Technol.,-DI-ICA, Lausanne, Switzerland, 2004.

[9] Y. Zhang, W.Liu and W.Luo, AnonymousCommunication in Mobile Ad Hoc Networks, inproceedings of INFOCOM, 2005.

[10] W. Taojun, X. Yuan and Y.Cui, Preserving

traffic privacy in Wireless Mesh Networks, in procof the 2006 International Symposium on aWorldof Wireless, Mobile and Multimedia Network.

[11] X. Lin, R. Lu, P.-H. Ho, X. Shen, and Z. Cao,Tua: A Novel Compromise-ResilientAuthentication Architecture for Wireless MeshNetworks, IEEE Wireless Comm., vol. 7, no. 4,Apr. 2008.

[12] X. Lin, X. Ling, H. Zhu, P.-H. Ho, and X.Shen, A Novel Localized Authentication Scheme inieee 802.11 Based Wireless Mesh Networks, IntlJ. Security and Networks, vol. 3, no. 2, pp. 122-

132, 2008.

[13] K. Ren, W. Lou, K. Kim, and R. Deng, ANovel Privacy Preserving Authentication andAccess Control Scheme for Pervasive ComputingEnvironment IEEE Trans. VehicularTechnology,vol. 55, no. 4, pp. 1373-1384, J uly2006.


8/8




[14] K. Ren and W. Lou, Privacy-Enhanced,Attack-Resilient Access Control in PervasiveComputing Environments with Optional ContextAuthentication Capability, ACM MobileNetworks and Applications (MONET) (specialissue on wireless broadband access), vol. 12, 2007.

[15] Y. Zhang and K. Ren, On Address Privacy inMobile Ad Hoc Networks, ACM/Springer MobileNetworks and Applications (MONET), vol. 14, no.2, Apr. 2009.

[16] M. Siddiqui, et.al, MHRP: A Secure Multi-Path Hybrid Routing Protocol for Wireless MeshNetwork, IEEE MILCOM, Oct. 2007.

[17] Y. Zhang and Y. Fang, ARSA: An attackresilient security architecture for multihop wirelessmesh networks, IEEE Journal on Selected AreasinCommunication, Vol.24 No.10, October,2006.

[18] G. Horn, M. Martin and C. Mitchell,Authentication Protocols for Mobile NetworkEnvironment Value-Added Services, IEEETransactions on Vehicular Technology, vol. 51,2002.

Author Profile:

S. Ravichandran S. Ravichandran is an

Associate Professor in Department of

Information Technology at Sri Krishna

Engineering College. He received Master of

Computer Applications degree from

Bharathidhasan University in 1996, hereceived Master of Philosophy in Computer

Science from Madurai Kamaraj University in

2007, he received Master of Engineering in

Computer Science and Engineering from Anna

University in 2010 and now he is perusing

Doctorate of Philosophy in Computer Science

at Bharathiar University. He has 17 years of

teaching experiences from various

Engineering Colleges. He has published 3

International journal papers and he has

presented in 14 International Conferences &presented in 17 National Conferences in

various Engineering Colleges. His area of

interest includes Cloud Computing, Artificial

Intelligence, Networks and Compilers.

Documents

Secured Identity Based Approach with Privacy Preservation for Wireless Mesh Networks