Efficient cryptographic protocols for wireless mesh networks

Efficient Cryptographic Protocols for Wireless Mesh Networks

Andreas Noack

Dissertation for the Degree of Doktor-Ingenieur (Dr.-Ing.)

Department for Electrical Engineering and Information Technology Ruhr University Bochum (Germany)

Network and Data Security (NDS) Group Bochum, 2011


This thesis was submitted to the Department for Electrical Engineering and Information Technology of Ruhr-University Bochum on 7th of June 2011 and defended on 20th of July 2011.

Examination committee:
Prof. Dr.-Ing. Christof Paar (committee chair)
Prof. Dr.-Ing. Dorothea Kolossa (committee member)
Prof. Dr.-Ing. Jürgen Oehm (committee member)
Prof. Dr. rer. nat. Jörg Schwenk (Ruhr-University Bochum - supervisor)
Prof. Dr.-Ing. Dipl.-Wirtsch.-Ing. York Tüchelmann (Ruhr-University Bochum - supervisor)

To my parents, Mechthild and Kurt, who supported me on my way through all this, and who have always believed in me.

Abstract

This dissertation is about estimating the performance of Group Key Agreement (GKA) protocols in Wireless Mesh Networks (WMN). In a step-by-step approach we begin by determining the special network characteristic of WMN, which makes it possible to evaluate, improve and create cryptographic solutions particularly adapted to wireless mesh networks. As group key agreement (GKA) protocols turn out to be more efficient in WMN than pairwise key systems (recommended by the IEEE 802.11s standard), we concentrate on them in this thesis. We introduce two different models for performance estimation of network protocols in WMN. These models are used to estimate the performance of three representative GKA protocols, whereby the tree based key agreement (TBKA) protocol provides the best performance in WMN. The knowledge about the network characteristic of WMN furthermore helped us to develop an improved version of Burmester-Desmedt II (BD2) that is able to outperform TBKA due to its particular optimizations. Practical measurements for each protocol prove the correctness of the performance measurement models.

Summary (Kurzbeschreibung)

This dissertation deals with the performance analysis of group key agreement (GKA) protocols in wireless mesh networks (WMN). In a step-by-step approach, we first analyze the special network characteristic of WMN, which allows us to evaluate, improve and create cryptographic solutions that are specifically tailored to wireless mesh networks. It has turned out that group key agreement (GKA) protocols are more efficient for wireless mesh networks than pairwise key systems (proposed by the IEEE 802.11s standard). This thesis therefore concentrates on the use of GKA protocols. Two different models for performance measurement in WMN are introduced and used to examine the performance of three representative GKA protocols. The results show that the Tree Based Key Agreement (TBKA) protocol offers the best performance in WMN. With the knowledge about the special network characteristic of WMN, we were furthermore able to develop an improved version of Burmester-Desmedt II (BD2), which delivers better results than the TBKA protocol thanks to its targeted adaptation. Practical measurements of the tested protocols confirm the results and show the practicability of the two performance measurement models.

Acknowledgements

I would like to thank Prof. Dr. Jörg Schwenk for supervising my dissertation and supporting me with my research that led towards it. I would like to thank Christoph Müller, CEO from MineTronics GmbH, who always supported me and gave me a lot of work experience in several challenging and interesting projects since 2004. I would also like to thank Prof. Dr.-Ing. York Tüchelmann for supporting me as second thesis supervisor. Furthermore I am very thankful for all my colleagues at the Ruhr-University Bochum and at MineTronics, who have always been there when I needed some advice or distraction from the daily routine. And I would like to thank my parents, my girlfriend and all my friends (especially from the Judo course of the Ruhr-University Bochum) who made the time of my promotion even more attractive.

Andreas Noack

Contents

1 Introduction
  1.1 Motivation
  1.2 Outline
2 Basics
  2.1 Definitions for Security and Cryptography
  2.2 Wireless Communication according to IEEE 802.11
    2.2.1 Physical Layer
    2.2.2 Operation Modes
    2.2.3 Security
    2.2.4 Extensible Authentication Protocol (EAP)
  2.3 Wireless Mesh Networks (WMN)
    2.3.1 Practical Applications
    2.3.2 Single/Multi Radio & Channel
  2.4 Network and Link Quality
    2.4.1 Duplex Mode
    2.4.2 Wireless Interference
  2.5 Routing Protocols for WMN
    2.5.1 Different Classes and Types of Routing Protocols
    2.5.2 Routing Metrics
    2.5.3 Common Protocols
3 Characteristic of Wireless Mesh Networks
  3.1 Network Characteristic
  3.2 Experimentally determining the Network Characteristic of WMN
    3.2.1 Results for Single Radio WMN
    3.2.2 Determining the Influences of Transmission related Effects
  3.3 Conclusion
    3.3.1 Description of the Network Characteristic for WMN
    3.3.2 Distinction from other Network Types
    3.3.3 Consequences for WMN Protocols
4 Efficient Protocols for Wireless Scenarios
  4.1 Motivation
  4.2 Dynamic Threshold Cryptosystem without Group Manager
    4.2.1 Threshold Scheme without Group Manager
    4.2.2 Confidential Channels
    4.2.3 Practical Application of our Threshold Scheme
    4.2.4 Security
    4.2.5 Conclusion
  4.3 Efficient Authenticated Roaming via Tunnels
    4.3.1 Roaming Protocol (EAWRT)
    4.3.2 Efficiency of EAWRT
    4.3.3 Conclusion
  4.4 An efficient EAP Protocol for Wireless Handover (EAP-MPA)
    4.4.1 Our Contribution
    4.4.2 Protocol Overview
    4.4.3 Security Model
    4.4.4 Security
    4.4.5 Performance Analysis
    4.4.6 Conclusion
5 Group Key Agreement in Wireless Mesh Networks
  5.1 Motivation
  5.2 Group Key Agreement Protocols
    5.2.1 Related Work
    5.2.2 Burmester-Desmedt I
    5.2.3 Burmester-Desmedt II
    5.2.4 Tree Based Key Agreement
  5.3 Performance Estimation Models for Cryptographic Protocols in WMN
    5.3.1 Common Assumptions
    5.3.2 Conditions for Performance Measurement in WMN
    5.3.3 Probabilistic Performance Estimation Model for WMN
    5.3.4 Grid Model for Performance Estimation in WMN
    5.3.5 Model Comparison: Probabilistic vs. Grid Model
    5.3.6 Practical Measurements in a Testbed
  5.4 Improvement of Burmester-Desmedt II
    5.4.1 Burmester-Desmedt II+
    5.4.2 Theoretical Performance Estimations
  5.5 Conclusion
6 Conclusion and Future Work
  6.1 Conclusion
  6.2 Future Work
References

Nomenclature

AP: Access Point
AS: Authentication Server
BSS: Basic Service Set
BSSID: Basic Service Set Identifier
CCMP: Counter-Mode/CBC-MAC Protocol
CPU: Central Processing Unit
CRC-32: Cyclic Redundancy Check (32 bit)
CSMA/CA: Carrier Sense Multiple Access/Collision Avoidance
CSMA/CD: Carrier Sense Multiple Access/Collision Detection
DS: Distribution System
DV: Distance Vector
EAP: Extensible Authentication Protocol
ESS: Extended Service Set
ESSID: Extended Service Set Identifier
GKA: Group Key Agreement
GTK: Groupwise Transient Key
IBSS: Independent Basic Service Set
IEEE: Institute of Electrical and Electronics Engineers
ISP: Internet Service Provider
IV: Initialization Vector
LAN: Local Area Network
LS: Link State
MAC: Media Access Control
MAN: Metropolitan Area Network
MANET: Mobile Ad-hoc Network
MIC: Message Integrity Code
MIMO: Multiple-Input and Multiple-Output
NIC: Network Interface Card
PMK: Pairwise Master Key
PSK: Pre-Shared Key
PTK: Pairwise Transient Key
RADIUS: Remote Authentication Dial In User Service
RC4: Rivest Cipher 4
RSN: Robust Security Network
RTS/CTS: Request To Send/Clear To Send
SNR or S/N: Signal-to-Noise Ratio
STA: Station
TCP: Transmission Control Protocol
TKIP: Temporal Key Integrity Protocol
TLV: Tag Length Value
TTP: Trusted Third Party
VANET: Vehicular Ad-hoc Network
WAN: Wide Area Network
WEP: Wired Equivalent Privacy
WLAN: Wireless Local Area Network
WMN: Wireless Mesh Network
WPA: Wi-Fi Protected Access

Chapter 1 Introduction

This chapter provides an introduction to this dissertation about efficient cryptographic protocols for wireless mesh networks.

1.1 Motivation

Wireless Mesh Networks (WMN) have emerged as a promising concept for realizing wide wireless network coverage at low cost. Due to the decentralized approach and many redundant communication paths, WMN provide high flexibility as well as self-healing and auto-configuration properties. That is why WMN are perfectly suited for communication in difficult surroundings like the metalworking [1][2] or mining industry [3], where cabling is very expensive or difficult to realize. Due to very cost-effective hardware, the WMN concept is also very interesting for community networks like the MIT Roofnet [4] or the Freifunk project [5].

Although there are already some practical projects involving wireless mesh networks, the security of such systems has mostly been left unconsidered. Current implementations provide neither confidentiality nor authentication, and often not even secure routing. Even the upcoming IEEE standard for wireless mesh networks (802.11s), which is currently available as a draft version [6], does not propose a reasonable and efficient security concept.

In this dissertation, we analyze the special network characteristic of wireless mesh networks and propose cryptographic solutions for realizing an adequate security level. The main focus lies on group key agreement protocols that take advantage of the particular properties provided by WMN. Since communication efficiency plays an important role for wireless networks in general, we put a special focus on the efficiency of the examined cryptographic protocols.


1.2 Outline

This dissertation begins with an introduction of basic knowledge and definitions that are used throughout the document (Chapter 2). This information includes general security targets, basics about wireless communication and network quality as well as an introduction to and motivation of wireless mesh networks.

Chapter 3 continues with an analysis of the special network characteristic of wireless mesh networks, which is necessary for further research in this dissertation, e.g. choosing reasonable cryptographic primitives.

Chapter 4 contains three approaches for efficient network protocols in wireless scenarios, which are not dedicated to WMN only. A dynamic threshold cryptosystem allows cooperative cryptographic operations like digital signatures and joint decryptions. Due to the decentralized approach, this solution is ideal for use in WMN (section 4.2). Efficient authenticated roaming via tunnels (section 4.3) deals with providing cheap Internet connectivity for a whole city region that can be directly reused for WMN. Finally, this chapter proposes a new efficient EAP protocol in section 4.4, which could be integrated in WMN using the centralized enterprise security concept from the IEEE 802.11s draft [6].

Chapter 5 is the main chapter of this dissertation and introduces group key agreement (GKA) protocols for wireless mesh networks. As GKA protocols provide a more efficient operation than the measures proposed by the IEEE 802.11s standard, they are evaluated in detail in this dissertation. For determining the efficiency of cryptographic protocols in WMN, two performance measurement models are proposed and applied to determine the most efficient GKA protocols for wireless mesh networks.

The last chapter of this dissertation gives a conclusion and outlines future work that should be done in the research field of wireless mesh networks.

Chapter 2 Basics

This chapter provides an overview of the basics of security, cryptography and wireless communication according to the IEEE 802.11 [7] standard, with a special focus on Wireless Mesh Networks (WMN) and all theoretical and practical issues related to them. The information provided in this chapter is used throughout the work and should enable readers without prior knowledge to understand the contributions.

2.1 Definitions for Security and Cryptography

In this section, we will introduce common security targets used for security concepts and cryptographic properties for protocols. We begin with the general security targets.

Definition 2.1 (Confidentiality). Confidentiality ensures that data is only available to those authorised to obtain it. This is usually achieved through encryption of the data so that only those with the correct decryption key can recover it. In cryptographic protocols confidentiality is essential to ensure that keys and other data are available only as intended [8]. Secrecy is a term synonymous with confidentiality and privacy [9].

Definition 2.2 (Data Integrity). Data integrity ensures that data has not been altered by unauthorised entities [during transport]. This can be achieved through use of hash functions in combination with encryption [, through use of digital signatures], or by use of a message authentication code to create a separate check field. Data integrity is essential in most cryptographic protocols to protect elements such as identity fields and nonces [8].

Definition 2.3 (Entity Authentication). An identification or entity authentication technique assures one party (through acquisition of corroborative evidence) of both the identity of a second party involved, and that the second was active at the time the evidence was created or acquired [9].

Definition 2.4 (Data Origin Authentication). Data origin authentication or message authentication techniques provide to one party which receives a message assurance (through corroborative evidence) of the identity of the party which originated the message [9].

Definition 2.5 (Non-Repudiation). Non-repudiation ensures that entities cannot deny sending data that they have committed to. This is typically provided using a digital signature mechanism. Non-repudiation is rarely a requirement in protocols for authentication and key establishment, but it automatically provides the important data integrity and data origin authentication services [8].

Cryptographic protocols often provide some special security targets in addition. These targets are seldom mentioned for security concepts.

Definition 2.6 (Perfect Forward Secrecy). A protocol is said to have perfect forward secrecy if compromise of long-term keys does not compromise past session keys [9]. Forward secrecy is used as synonym for perfect forward secrecy, since the term perfect secrecy refers to unconditional (information-theoretic) security which is controversial in this context [8].

Definition 2.7 (Contributiveness). Contributiveness or contributory means that all members of a key agreement protocol contribute a part to the common key. In this way, no single member gains an advantage by influencing the common key in a special way.

2.2 Wireless Communication according to IEEE 802.11

The Institute of Electrical and Electronics Engineers (IEEE) has several working groups for communication topics in local (LAN), metropolitan (MAN) and wide area networks (WAN). IEEE 802.3 is the standard for ethernet communication [10] and IEEE 802.11 the standard for wireless communication [7]. Both are among the most popular IEEE standards, since they are widely used for communication purposes all over the world. In this section we will go into details of the wireless standards (IEEE 802.11 and amendments) that build the foundation for Wireless Mesh Networks.

The first IEEE 802.11 standard was released in June 1997 and its amendments are still under development. All aspects of wireless communication are covered by these documents, which contain the definition of the physical layer (2.4 GHz communication in IEEE 802.11b/g, 5 GHz communication in IEEE 802.11a/h, high throughput improvements with MIMO [footnote 1] in 802.11n), a security framework (IEEE 802.11i), a standard for wireless mesh networks (IEEE 802.11s) and many more aspects.

Footnote 1: multiple input and output antennas

2.2.1 Physical Layer

The communication band within the wireless gigahertz communication is separated into different usable channels, which are fixed frequency intervals (e.g. 20 MHz in 802.11b/g). Channel selection in IEEE 802.11 based wireless networks must be done very carefully, because some channels overlap in their frequency with other channels, leading to interference when communicating at the same time. The 2.4 GHz frequency band (IEEE 802.11b/g) provides 13 different channels in Europe, whereby only three do not overlap (channels {1, 6, 11} or {1, 7, 13}). In contrast, we have 19 non-overlapping channels in the 5 GHz band (IEEE 802.11a/h). More details can be found in the corresponding amendments of the IEEE 802.11 standard [7].

2.2.2 Operation Modes

We have different operation modes and roles in classical wireless networks. The simplest setup is an Independent Basic Service Set (IBSS), where all wireless stations (STA) operate in the ad hoc mode. An ad hoc network consists of at least two stations, whereby all participants of this network have a direct connection to each other.

The second type is the infrastructure network, where Basic Service Sets (BSS) are created by special stations that are called access points (AP). These access points connect the wireless BSS with a distribution system, which is cable bound in most cases. Normal stations are enabled to communicate with the wireless and cable bound network through the access point. If several BSSs are interconnected by the same distribution system (DS), the whole network is called Extended Service Set (ESS). The identifier of an (extended) service set is called (E)SSID, not to be confused with the BSSID, which is the MAC (Media Access Control address – a unique identifier assigned to network interfaces) of a service set.

Thus wireless stations can operate in different modes, even though not all network interface card (NIC) drivers support each mode:

• AP/Master – An access point creates a BSS and connects with the distribution system (DS).
• Ad Hoc – Stations in ad hoc mode form a common network (IBSS).
• Client/Managed – A station in managed mode connects to an access point.
• Monitor – Enables the eavesdropping of all communicated packets, including control messages that are regularly sent from all stations.

For wireless communication, a CSMA/CA algorithm manages the message flow on the data link layer (CSMA/CD for ethernet). There are different algorithms for the different operation modes. For infrastructure networks there is an RTS/CTS (Request To Send/Clear To Send) coordination, which is extended to a 4-way RTS/CTS/data/ACK exchange for ad hoc networks due to the hidden node problem [footnote 2] [11]. Unfortunately, this 4-way exchange produces a lot of overhead and consequently decreases the network performance [12]. In addition to the mentioned coordination algorithms there are, among others, the Distributed Coordination Function (DCF), the Point Coordination Function, the Hybrid Coordination Function (HCF) and the Mesh Coordination Function (MCF) that is used in IEEE 802.11s [6]. Details can be found in a seminar work by Andre Loos, who gives an overview of the different coordination functions for IEEE 802.11s [13].

Footnote 2: Three network nodes A, B, C in ad hoc mode: A and C cannot see each other. It is possible that both nodes begin a transmission to B (who can be seen by both) at the same time. Then a collision occurs at node B.


2.2.3 Security

In contrast to cable bound networks, there are no physical restrictions for accessing a wireless LAN. Thus the IEEE committee introduced security measures to provide Wired Equivalent Privacy (WEP). WEP is based on the RC4 stream cipher and uses CRC-32 for integrity checks, but does not provide any key management. Neither automatic re-keying nor dynamic session keys are possible, so that the WEP key in use consists only of a short 24 bit Initialization Vector (IV), communicated in cleartext, and a 40 bit or 104 bit static key. Since Fluhrer, Mantin and Shamir [14] discovered strong cryptographic weaknesses in the key scheduling, WEP has been considered completely broken. Moreover, attacks have improved dramatically since then [15][16][17], so that breaking WEP within 60 seconds is realistic today.

Since WEP was broken, the IEEE needed to supply a new security system for wireless networks immediately. For this purpose Wi-Fi Protected Access (WPA) was developed, which aimed to fix WEP's weaknesses and to provide a fair security level with the current hardware. Although not yet officially released, the first WPA version (TKIP) was implemented widely. The Temporal Key Integrity Protocol (TKIP) increases the length of the initialization vector to 48 bit and replaces the non-keyed homomorphic check function CRC-32 (integrity protection) with the stronger cryptographic algorithm Michael. In this way, WPA-TKIP was able to withstand Fluhrer et al.'s attack. WPA furthermore provides a key management that creates dynamic session keys and performs automatic re-keying.

In 2007, the security amendment IEEE 802.11i [18] was finally released. With this release, the term Robust Security Network (RSN) was introduced, which stands for a whole security concept for wireless LANs. This concept includes the new WPA protocol CCMP (Counter-Mode/CBC-MAC Protocol), which is a new design that uses AES in different operation modes as cryptographic primitive for encryption and authentication/integrity purposes. With RSN, the old WPA protocol TKIP becomes optional.

WEP and WPA offer two different operation modes: personal and enterprise mode. In personal mode, a common pre-shared key PSK is used to provide confidentiality and authentication. WEP uses this pre-shared key directly for encryption (as groupwise key), whereas WPA agrees on a pairwise (PTK) and a groupwise transient key (GTK) between STA and AP, which are based on the PSK. The transient key derivation is done in a 4-way handshake protocol (Figure 2.1), where both the supplicant and the authenticator generate random nonces and exchange them. Afterwards, the PTK is derived from both nonces and the Pairwise Master Key (PMK), which in turn is directly derived from the pre-shared key PSK (and the SSID). Both sides acknowledge the PTK by computing a MIC (Message Integrity Code) and sending it to the other side. If needed, the authenticator generates a GTK and sends this key to the supplicant in encrypted form.

Fig. 2.1. IEEE 802.11i: 4-way handshake [18]

The enterprise mode uses an IEEE 802.1X [19] authentication with an extensible authentication protocol (EAP) [20], performed between the STA (supplicant) and the Authentication Server (AS) to create a common Pairwise Master Key (PMK). After successfully authenticating and agreeing on a PMK, the authentication server (AS) transmits the PMK securely ("Key Material") to the AP (authenticator). Figure 2.2 demonstrates the enterprise authentication.

Fig. 2.2. EAP authentication [18]

Finally, STA and AP agree on a pairwise and a groupwise transient key PTK and GTK with a 4-way handshake. The handshake is identical to the personal mode, except that the PMK is not directly derived from the PSK but agreed between supplicant and authentication server. Common authentication server protocols are RADIUS [21] and Diameter [22], and there is a large number of EAP protocols for several purposes.
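The personal-mode key derivation and 4-way handshake described in this section can be followed step by step in the added example below, which is not part of the dissertation. It uses the IEEE 802.11i derivations for CCMP (PBKDF2-HMAC-SHA1 for the PMK, the HMAC-SHA1 based PRF for a 384 bit PTK, HMAC-SHA1-128 for the MIC); the MAC addresses, the SSID "ExampleMesh", the passphrases and the simplified message bodies are constructed, and the encrypted GTK transport in message 3 is left out.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bit)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from the PMK, both MAC addresses and both nonces (sorted, so both
    sides feed the PRF identical input regardless of their role)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # KCK authenticates handshake messages, KEK wraps the GTK, TK protects data.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def compute_mic(kck: bytes, message: bytes) -> bytes:
    """MIC as used with CCMP: HMAC-SHA1 keyed with the KCK, truncated to 128 bit."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def mic_ok(kck: bytes, message: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, message), mic)


def four_way_handshake(ap_passphrase: str, sta_passphrase: str, ssid: str = "ExampleMesh"):
    """Runs both sides of the handshake. Returns (ap_ptk, sta_ptk) on success,
    or None when a MIC check fails, i.e. the two sides hold different PSKs."""
    ap_mac = bytes.fromhex("020000000001")   # constructed authenticator address
    sta_mac = bytes.fromhex("020000000002")  # constructed supplicant address
    ap_pmk = derive_pmk(ap_passphrase, ssid)
    sta_pmk = derive_pmk(sta_passphrase, ssid)
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Message 1 (AP -> STA): ANonce, unprotected.
    # The supplicant now has both nonces and derives its PTK.
    sta_ptk = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)

    # Message 2 (STA -> AP): SNonce plus MIC under the supplicant's KCK.
    body2 = b"msg2" + snonce
    mic2 = compute_mic(sta_ptk["KCK"], body2)
    ap_ptk = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, body2[4:])
    if not mic_ok(ap_ptk["KCK"], body2, mic2):
        return None  # authenticator rejects: supplicant does not know the PSK

    # Message 3 (AP -> STA): ANonce again plus MIC (GTK transport omitted here).
    body3 = b"msg3" + anonce
    mic3 = compute_mic(ap_ptk["KCK"], body3)
    if not mic_ok(sta_ptk["KCK"], body3, mic3):
        return None  # supplicant rejects: authenticator does not know the PSK

    # Message 4 (STA -> AP): confirmation with MIC.
    body4 = b"msg4"
    mic4 = compute_mic(sta_ptk["KCK"], body4)
    if not mic_ok(ap_ptk["KCK"], body4, mic4):
        return None
    return ap_ptk, sta_ptk


if __name__ == "__main__":
    result = four_way_handshake("correct horse battery", "correct horse battery")
    print("shared TK:", result[0]["TK"].hex())
    print("mismatched PSK:", four_way_handshake("correct horse battery", "wrong guess"))
```

Because every station in personal mode derives the same PMK from the PSK and the SSID, the per-session secrecy of the PTK rests only on the nonces and addresses, all of which cross the air unprotected in messages 1 and 2.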


2.2.4 Extensible Authentication Protocol (EAP)

IEEE 802.1X [19] is usually applied in ethernet switches and wireless access points to regulate the access to the network. Extensible authentication protocols (EAP) are used within this IEEE 802.1X context for authentication and key exchange purposes. As an alternative to the personal mode (with PSK), the authenticator initiates an EAP protocol run with the supplicant. The supplicant then starts a communication with the authentication server, performing an EAP upper layer authentication protocol ("EAP Authentication Protocol Exchange" in Fig. 2.2) to provide security targets, i.e. unilateral authentication, mutual authentication and key agreement (or key exchange). Those upper layer authentication protocols work in a challenge-response manner, therefore they always use a multiple of two messages to achieve their desired security targets.

After a successful execution of the upper layer authentication protocol, the AS sends the authentication result (ACCEPT/REJECT) and the optional key agreement result ("Key Material" = PMK in Fig. 2.2) to the authenticator in encrypted form, using another pre-shared key between the authenticator and the AS. The authenticator forwards the authentication result (EAP Success) to the supplicant and unblocks the (virtual) port.

Upper layer authentication protocols for use in EAP can accomplish the authentication and key exchange in different ways. That leads to EAP protocols that authenticate both sides with X.509 certificates (e.g. EAP-TLS), protocols that authenticate on the basis of symmetric keys (e.g. EAP-MD5, EAP-PSK, LEAP) and hybrid protocols that use both a certificate authentication and a key based authentication (e.g. EAP-TTLS, EAP-PEAP, EAP-IKEv2). More detailed information and an informal security analysis of common EAP protocols can be found in [23].

2.3 Wireless Mesh Networks (WMN)

Wireless Mesh Networks (WMN) are a special kind of wireless networks. A network of wireless mesh nodes provides a full reachability among them by applying a routing mechanism on each node that forwards data in a multi-hop fashion [24]. Mesh routers are assumed to be fixed in their position or at least have a limited mobility [25], so that a quite static wireless infrastructure is created. Compared to other wireless networks like Mobile Ad-hoc Networks (MANET [26][27][28]), Vehicular Ad-Hoc Networks (VANET [29][30]) or sensor networks [31][32], WMN nodes do not necessarily have energy or computation power constraints. In addition, WMN nodes normally provide a far better network quality than the other network types, since they may use several radio interfaces, different channels at the same time and higher transmission powers.

Wireless mesh networks are structured networks so that wireless mesh nodes can be assigned to different logical layers in respect to their functionality in the whole network. An overview is given in Figure 2.3.

Fig. 2.3. Layers in Wireless Mesh Network (modified from [33])

The upper layer realizes the transition of the WMN to other networks, e.g. the Internet. Nodes in this logical layer of WMN are called Mesh-Gateways. Clients are separated in routing Mesh-Clients and non-routing Mesh-Clients, whereby a set of routing mesh-clients can be called MANET, since these nodes can be fully mobile and may have energy or computation power constraints. Thus a MANET, a VANET (installed on vehicles, shorter connection lifetimes due to a higher mobility) or a sensor network can be a part of a wireless mesh network.

The essence of wireless mesh networks are the Mesh-Routers, which are located in the middle layer. These routers are limited in their mobility and do not have energy or power constraints. When we refer to wireless mesh networks, we refer to this middle layer unless stated otherwise. A good classification of wireless mesh networks can be found in chapter 1 “An Introduction to Wireless Mesh Network” by Franklin et al. in [24].

WMN have special properties that distinguish them from common network types. Very important is the auto configuration ability, which makes it possible to add and remove nodes from the network without changing the configuration of other nodes. Furthermore there is the self healing property that compensates network failures with sensible routing decisions. With the redundancy property of WMN, the infrastructure gets robust on the one hand and allows (dependent on the routing protocol) load-balancing to optimize the overall network throughput on the other hand. However, these properties are ideal properties which may not be fully supported by each implementation.

Wireless mesh networks are mostly used as a cheap alternative for a full wire cabling. Thus applications in scenarios where it is difficult or very expensive to use cables are tailor-made for wireless mesh networks. We present some practical scenarios in the next section.

2.3.1 Practical Applications

The concept of wireless mesh networks is well established in practice, since it is a cheap way to interconnect several nodes without laying or burying cables which may be very expensive dependent on the actual scenario. Typical deployment scenarios are:

• Home Networking. The network, multimedia or automation systems are based on a wireless mesh network that is installed in the house or building complex [34].

• Security Surveillance System. The single network components (cameras, sensors, etc.) are connected with a WMN that provides capacity to transport the security relevant multimedia content, e.g. video and audio streams. Network security is an important point here [35].

• Community Networking. A specific area in a city is interconnected with a wireless mesh network for the purpose of sharing a broadband Internet connection or just for sharing data between the participants. Prominent examples are the MIT Roofnet [4], SeattleWireless [36], the Freifunk project in Berlin [5] or the Funkfeuer project in Wien [37].

• Industrial Application. WMN can be used to connect machines in difficult surroundings [1], e.g. a metalworking factory where cabling is too expensive and normal WLANs have too little range. Another very suitable location for WMN is the working area in an underground mine.

• Disaster Management/Rescue Operations/Military Application. In all of these three scenarios there is the demand for a fast to install and performant communication infrastructure. WMN are able to provide this in a robust way [38].

2.3.2 Single/Multi Radio & Channel

Wireless mesh networks differ in their radio and channel configuration, which has a strong impact on their network characteristic. Gupta et al. [39] have evaluated the performance of single radio single channel wireless networks, while, among others, Kyasanur et al. [40] and Kodialam et al. [41] have determined the network capacity for (multi radio) multi channel wireless networks. We distinguish between three types of WMN, ordered by their performance (slowest to fastest):

• Single Radio / Single Channel. Each mesh node is equipped with one wireless interface card. Consequently, all mesh nodes have to use the same wireless channel to be a part of that network. Mesh nodes with one wireless interface card only support the half-duplex operation mode (see section 2.4.1) and they will additionally face interference related issues (see section 2.4.2). Although this type of WMN is the least performant, it is mostly used in practice, since most home wireless LAN routers (e.g. Linksys WRT54G or ASUS WL500G) only have one wireless interface.

• Multi Radio / Single Channel. Mesh nodes are equipped with several (≥ 2) wireless interface cards, which all operate on the same wireless channel. These networks can operate in full-duplex mode, but will suffer from interference related issues when several nodes in the same area send simultaneously. Mesh nodes using fewer wireless channels than radio interfaces are very rare in practice and research, since using more channels is just a configuration issue that improves performance notably. This kind of WMN is necessary to practically prove wireless interference (cf. chapter 3) and is therefore mentioned for the sake of completeness.

• Multi Radio / Multi Channel. The mesh nodes are equipped with several (≥ 2) wireless interface cards that operate on different wireless channels. Multi radio and channel networks operate in the full-duplex mode and are able to avoid interference issues due to a smart channel selection.

In chapter 3 we discuss the network characteristic of wireless mesh networks, whereby we also show the practical differences between the three WMN types introduced here.

The IEEE is currently developing a standard for wireless mesh networks (IEEE 802.11s), whereby a draft is already available [6]. There are a lot of different terms for the same objects in the field of wireless mesh networks, because there are a lot of authors working on it. The terms used here are mainly based on the IEEE draft and are kept for the rest of the document.

2.4 Network and Link Quality

Regarding network and link quality there are a lot of terms that should not be misunderstood or confused with each other. We give definitions for the most important network and network quality terms here:

Definition 2.8 (Hop). A hop denotes the transition between two nodes, the edges in a graph. Therefore a two hop connection needs three nodes (vertices) to get established. (According to Tanenbaum [42])

Definition 2.9 (Signal-to-noise ratio). The amount of noise present is measured by the ratio of the signal power to the noise power, called the signal-to-noise ratio. If we denote the signal power by $S$ and the noise power by $N$, the signal-to-noise ratio is $S/N$. Usually, the ratio itself is not quoted; instead, the quantity $10 \log_{10}(S/N)$ is given. These units are called decibels (dB) [42].

Definition 2.10 (Bandwidth). The range of frequencies transmitted without being strongly attenuated is called the bandwidth [43]. A signal of bandwidth $B$ may change at a maximum rate of $2B$. If each change is used to signify a bit, the maximum information rate ($R$) is $2B$. Bandwidth is usually expressed in Hertz (Hz) or bits/bytes per second (bps/Bps) [44].

Definition 2.11 (Capacity). There is a theoretical maximum to the rate at which information passes error free over the channel. This maximum is called the channel capacity, $C$. The famous Hartley-Shannon Law states that the channel capacity, $C$, is given by: $C = B \log_2(1 + S/N)$ [44].

Definition 2.12 (Throughput). The term throughput is quite similar to bandwidth, sometimes even interchangeable. Network throughput means the average data rate that can be achieved over a network link, whereas bandwidth describes the theoretical maximum [44].

Definition 2.13 (Latency). Latency is the time, the first bit of a datagram takes from the source to the destination [43].

Definition 2.14 (Packet loss rate). The ratio between lost and sent packets (to the receiver) is called packet loss rate:

$$\text{Packet loss rate} = \frac{\text{lost packets}}{\text{sent packets}}.$$

2.4.1 Duplex Mode

There are two duplex modes: half- and full-duplex. Half-duplex means that you are not able to transmit and receive at the same time, whereby this is possible with full-duplex. Usual fast Ethernet and gigabit cards (NICs) support full-duplex mode, resulting in the possibility to communicate 200Mbps over a 100Mbps cable connection: 100Mbps incoming and 100Mbps outgoing. In contrast, wireless NICs do not support full-duplex so that it is not possible to receive and transmit at the same time. Let the net throughput of a wireless connection be 20Mbps, then you are able to receive 10Mbps and transmit 10Mbps simultaneously.

Computing the total capacity ($C$) of an $N$-hop link under ideal conditions (no noise, no processing time) where each NIC operates in half-duplex mode can be done using the following formula [45] ($C_n$ is the capacity of the particular links):

$$C = \left( \sum_{n=1}^{N} \frac{1}{C_n} \right)^{-1}$$

Since single radio WMN operate in half-duplex mode, there is a strong impact on the overall capacity in dependence of the number of hops. Figure 2.4 shows the half-duplex effect for 1 to 6 hops under ideal conditions in a single radio WMN. Note that providing the full capacity of a single wireless link in a multi-hop WMN is only possible with a multi radio configuration.

Fig. 2.4. Capacity of half-duplex link in dependency of the #Hops
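The half-duplex formula can be obtained by adding up per-hop transmission times. The following derivation is added here for illustration and is not part of the original text; the symbols $L$ (datagram size in bits) and $T$ (total transfer time) are introduced for it, and it assumes ideal conditions in which the hops forward the datagram one after another, so that only one hop transmits at a time:

$$T = \sum_{n=1}^{N} \frac{L}{C_n} \quad\Longrightarrow\quad C = \frac{L}{T} = \left( \sum_{n=1}^{N} \frac{1}{C_n} \right)^{-1}$$

For $N$ identical links with $C_n = C_1$ this reduces to $C = C_1 / N$, which gives the 50% for two hops and the further decline over 1 to 6 hops. With unequal links the result lies below the slowest link: for the constructed values $C_1 = 20$ Mbps and $C_2 = 5$ Mbps, $C = (1/20 + 1/5)^{-1} = 4$ Mbps.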

2.4.2 Wireless Interference

Wireless interference is the occurrence of meaningful or not meaningful signals influencing the current transmission. Interference can either be caused by transmissions from other nodes in the same network or from external sources, e.g. another wireless network or a microwave. We subdivide interference into three categories: inter-flow, intra-flow and external interference, whereby the first two categories deal with interference caused by the own network and the last with all remaining interference from other sources. We will focus on inter- and intra-flow interference, since we are able to influence their occurrence by e.g. a sensible protocol design. External interference cannot be influenced and becomes therefore less important for the main course of this work.

Definition 2.15 (Inter-flow Interference). Inter-flow interference means that a transmission is influenced by network participants that are not within the transmission path. (According to Raniwala et al. [46])

This kind of interference is very typical for wireless mesh networks. The greater the network is, the greater is the probability for the occurrence of inter-flow interference because the probability for simultaneous transmissions increases. Since the interference range is usually greater than the transmission range [47], inter-flow interference cannot be excluded by standard mechanisms like the RTS/CTS exchange. Further details to RTS/CTS can be found in the IEEE 802.11 standard [7] and the bachelor thesis of Frosch [48].

Fig. 2.5. Inter-flow Interference in classical wireless network

Figure 2.5 shows a schematic illustration of inter-flow interference in a classical wireless scenario, while Figure 2.6 shows the same in a wireless mesh network using a single wireless channel. It is important to note that transmissions do not need to cross each other to produce interference.

Fig. 2.6. Inter-flow Interference in wireless multi-hop network

Definition 2.16 (Intra-flow Interference). Intra-flow interference occurs when the transmission is disturbed by network participants that are located on the transmission path. (According to Raniwala et al. [46])

Unlike inter-flow interference, intra-flow interference only occurs in wireless multi-hop networks using several hops for a transmission. When nodes on the transmission path disturb other nodes on the same path then there is intra-flow interference. This kind of interference is typical for multi-hop networks as a forwarding node in the middle of a communication path always encounters wireless noise from the left and the right side. Therefore the main difference to inter-flow interference is that inter-flow interference does not occur every time. You can see a schematic illustration of intra-flow interference in Figure 2.7.

Fig. 2.7. Intra-flow Interference in wireless multi-hop network

Definition 2.17 (External Interference). External interference is induced by external sources which are not part of the own network. (According to Subramanian et al. [49])

Every wireless network suffers from the consequences of external interference, which can either be active or passive. Typical active sources for external interference are other wireless networks that are transmitting on the same or a similar frequency. Moreover there are common devices that overlap the frequency spectrum of wireless networks when they are located in the direct surrounding, e.g. a microwave. Actively transmitting components (i.e. DVB-T, DECT, GSM, 3GPP, etc.) that theoretically do not interfere with the wireless network frequency may influence the signal quality when the distance is too short and the transmission power high. This is especially problematic when designing hardware components with several different wireless transmission modules on the same board.

Sources for passive external interference do not transmit any signal, but attenuate the signal of the wireless network. A prominent example for this is rain, which can change the behavior of a wireless network considerably.

Some authors, e.g. Subramanian et al. [49], subdivide interference into the terms controlled and uncontrolled interference whereby uncontrolled interference is equal to external interference. External interference cannot be influenced by the network operator, while intra-flow and inter-flow interference can be controlled.

While the effect of inter-flow interference is quite obvious, there is an ambiguity with intra-flow interference. As mentioned before, single radio WMN operate in half-duplex mode, which has a strong impact on the performance (i.e. 2 hops → 50% throughput, see Fig. 2.4). If nodes are not enabled to transmit and receive at the same time, the load factor and thus the interference level of the network decreases, because data is sent step-by-step. Due to this half-duplex mode, the available capacity of a two hop communication is dropped to nearly the half. Instead, when a network operates in full-duplex mode, the network has obviously a much higher load and therefore also a higher interference level. In practice, the capacity of a two hop full-duplex communication will also drop to nearly the half (cf. section 3.2.2), since the shared medium is used twice.

However, both the half-duplex and the intra-flow interference effect should not be confused with each other, although the practical results are similar. Intra-flow interference describes the effect of congestion on the shared medium, while the half-duplex effect is a physical limitation of the devices. Consequently, if there is a half-duplex effect on the throughput, the impact of intra-flow interference becomes less significant, since the channel use is considerably smaller. Whereas if the network is operating in full-duplex mode (≥ 2 radio interfaces per node), the resulting throughput can be approximated by the total capacity of the channel divided by the number of simultaneous senders.

2.5 Routing Protocols for WMN

Every time a node needs to communicate with another node that is more than one hop away, the intermediate nodes have to make decisions about where to forward the datagrams at best. This can either be done by a static route configuration, which does not scale well with large networks, or a routing protocol. Thus routing protocols play an essential role for larger multi-hop networks, since they transform a non coherent ad-hoc network into an actual mesh network by making the forwarding decisions automatically.

2.5.1 Different Classes and Types of Routing Protocols

We have different types of routing protocols: proactive, reactive and hybrid protocols. Proactive means that the routing decisions are made before the user communication in a network begins. Obviously, this causes message independent communication overhead when the network is started up and every time there is a change. Reactive protocols determine a particular route on demand, which means that there is a small routing protocol executed before each transmission. Consequently there is a delay before each message. Proactive protocols make sense in mostly static networks, while reactive protocols perform better in very dynamic networks like MANETs. Hybrid protocols combine both approaches and are therefore well suited for semi mobile networks like WMN [50][51].

There are two major classes of proactive routing protocols, the Distance Vector (DV) [52][53] and Link State (LS) [54] routing protocols. Basically both protocol classes differ in their general approach for generating the view on the network topology.

Distance vector routing protocols use the distributed Bellman-Ford [52] and the Ford-Fulkerson [53] routing algorithm. Each node sends its complete routing table to the direct neighbors. When receiving a routing table from a neighbor, the own routing table is updated, while paths with lower costs replace older paths. Subsequently, the new table is rebroadcasted to the direct neighbors. The routing protocol terminates when the datagrams from the direct neighbors do not provide any new information for a particular time period. Most implemented DV routing protocols like RIPv1 [55], RIPv2 [56] and IGRP [57] do not produce a complete view on the network topology but only save information that is related to themselves (i.e. given a network A–B–C–D: A will only save the costs and the first hop to reach D, but not the costs for the path between B and D). Figure 2.8 gives an example for the DV routing algorithm. Note that after each change, a node sends its new routing table to its neighbors.

The link state routing algorithm is based on the Dijkstra algorithm [58]. This algorithm is completely contrasting to the distance vector algorithm, as information about own direct links are broadcasted to every node in the network. Each node is able to compute the complete view on the topology from incoming information. In comparison to the distance vector routing algorithm, the computational complexity and the message overhead is higher for the link state approach. A general advantage over distance vector approaches is the better reaction time to changes and a deterministic termination time. OSPF [59], IS-IS [60] and OLSR [61] are common candidates for link state routing protocols. The Rensselaer Polytechnic Institute has developed a Java applet for browsers that simulates the Dijkstra (link state) routing algorithm online [62].

Reactive protocols mostly conform to the following design pattern. The destination of the packet is searched via broadcasts and when reached, there is a unicast packet back to the sender, telling where to send at best. Protocols differ concerning the point whether the route information is added to the initial searching message or to the unicast message back. Some prominent examples for reactive routing protocols for mobile networks are AODV [63], DSR [64], Ariadne [65] and endairA [66].

[Figure: example topology with the nodes A, B, C and D and weighted links, followed by the routing table of A (destinations A to D, reachable via A, B, C or D) at three time steps.]

Time 0: A knows the direct paths to the neighbors (cost to B: 3, to C: 1).

Time 1: A knows B's and C's routing table, who know their direct neighbors. B can be reached faster via C. D is reachable via B (cost to B: 2, to C: 1, to D: 5).

Time 2: D can be reached faster via C, B than via B directly (cost to B: 2, to C: 1, to D: 3).

Fig. 2.8. Distance vector routing algorithm (View of A)
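The distance vector exchange and the link state computation described in this section can be compared directly. The following Python code is an added example, not code from the thesis: it runs synchronous distance vector rounds on a constructed five-router topology (R1 to R5, deliberately not the topology of Fig. 2.8), where each node stores only cost and first hop per destination, and checks the converged costs against Dijkstra on the full topology. All function names are hypothetical.

```python
import heapq

# Constructed sample topology: undirected links between mesh routers with path costs.
LINKS = {
    ("R1", "R2"): 4, ("R1", "R3"): 1, ("R2", "R3"): 2,
    ("R2", "R4"): 1, ("R3", "R5"): 7, ("R4", "R5"): 3,
}


def adjacency(links):
    """Turn the link list into {node: {neighbor: cost}}."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dv_initial_tables(adj):
    """Time 0: every node knows only itself and its direct neighbors.
    An entry maps destination -> (cost, first hop); no further topology is stored."""
    tables = {}
    for node, nbrs in adj.items():
        tables[node] = {node: (0, node)}
        for nbr, cost in nbrs.items():
            tables[node][nbr] = (cost, nbr)
    return tables


def dv_round(adj, tables):
    """One synchronous exchange: each node receives the complete table of every
    direct neighbor (as it was before this round) and keeps cheaper paths."""
    updated = {node: dict(table) for node, table in tables.items()}
    changed = False
    for node, nbrs in adj.items():
        for nbr, link_cost in nbrs.items():
            for dest, (cost, _first_hop) in tables[nbr].items():
                candidate = link_cost + cost
                known = updated[node].get(dest)
                if known is None or candidate < known[0]:
                    updated[node][dest] = (candidate, nbr)
                    changed = True
    return updated, changed


def dv_converge(adj, max_rounds=32):
    """Repeat rounds until no table changes; returns the tables after each time step."""
    history = [dv_initial_tables(adj)]
    for _ in range(max_rounds):
        tables, changed = dv_round(adj, history[-1])
        if not changed:
            break
        history.append(tables)
    return history


def dijkstra(adj, source):
    """Link state view: the node knows all links and computes shortest path costs."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry, a cheaper path to u was already settled
        for v, cost in adj[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


if __name__ == "__main__":
    adj = adjacency(LINKS)
    for step, tables in enumerate(dv_converge(adj)):
        print(f"Time {step}, view of R1:", dict(sorted(tables["R1"].items())))
    print("Dijkstra from R1:      ", dict(sorted(dijkstra(adj, "R1").items())))
```

In this topology R1 needs three exchange rounds before its cost to R5 settles, because the cheapest path runs over four hops and each round propagates information by only one hop.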

A hybrid protocol combines proactive and reactive approaches. For example, the protocol handles the direct neighborhood with a proactive routing protocol and uses a reactive protocol for distant nodes, which are contacted less frequently. HWMP is one of the first hybrid routing protocols and is introduced with the upcoming IEEE 802.11s [6] standard for wireless mesh networks.

2.5.2 Routing Metrics

Routing metrics are used to describe path costs in routing protocols. Basically, each routing protocol tries to find the best path from a source to a destination, whereby the best path consists of several links with the least path costs in sum. The metric can be the hop count, network speed, link quality or even monetary costs per transmitted byte. Many practical metrics combine several properties and use different algorithms helping to improve the decision of the routing protocol.

The table in Figure 2.9 gives a short overview about common routing metrics for generic routing protocols and also for special routing protocols in the field of wireless communication, especially ad-hoc and wireless mesh networks.

| Metric | Description |
| --- | --- |
| Hop-Count | The number of hops between two nodes is counted. The path with the fewest hops has the least path cost. [67] |
| Expected Transmission Count (ETX) | The ETX metric considers the quality of the links insofar that the ETX value represents the number of transmissions that are expected to transmit one packet. An ETX value of 1 equals a 100% link quality. [68] |
| Modified ETX (mETX) & Effective Number of Transmissions (ENT) | mETX and ENT do not consider whole packets but a single bit failure probability, predicting the transmission count based on the failure probability and its variance. If a failure rate exceeds the limits of a higher layer protocol (e.g. TCP), the specific path is dropped out. [69] |
| Expected Transmission Time (ETT) | ETT multiplies the ETX metric with a time component $t$ ($ETT = ETX \times t$), which depends on the raw data rate ($C$) that is available on the link. [70] |
| Weighted Cumulative Expected Transmission Time (WCETT) | Based on ETT, WCETT additionally considers inter-flow interference effects by evaluating the channel diversity. Therefore WCETT is suitable for wireless multi channel networks. [48] |
| Airtime | Introduced with the IEEE 802.11s standard [6], this metric computes the path costs considering the modulation rate and the bit failure rate of special test frames. [51] |
| iAWARE | The first ETT based metric capable of modeling inter- and intra-flow interference for multi channel multi radio wireless networks. The SINR (Signal to Interference and Noise Ratio) is used to rate the path with the least interference best. [48][71][72] |

Fig. 2.9. Routing metrics for generic and wireless routing protocols [48][73]

2.5.3 Common Protocols

There are three protocols that are very common for practical wireless mesh networks like the MIT Roofnet [4], Freifunk network in Berlin [5] or the Funkfeuer project in Wien [37]:

• OLSR (Optimized Link State Routing Protocol)

• HWMP (Hybrid Wireless Mesh Protocol)

• B.A.T.M.A.N. (Better Approach To Mobile Ad-hoc Networking)

The OLSR protocol is widely used in current practical implementations, B.A.T.M.A.N. is going to be the successor of OLSR and HWMP is the proposal made in the IEEE 802.11s standard.

Furthermore there is the AODV (Ad hoc On-Demand Distance Vector) protocol [63] which is optimized for the more dynamic mobile ad hoc networks due to the reactive operation mode. Since we focus on WMN in this dissertation, we provide a short description for the common WMN routing protocols.

OLSR, the Optimized Link State Routing protocol, is defined in the IETF RFC 3626 [61]. The proactive link state routing protocol uses the Dijkstra algorithm [58] to compute the routing table on each node. This allows for a complete view on the network topology for all network members. The basic OLSR implementation for Linux only uses the Hop-Count metric, which has been extended with several extensions and plugins later on. Meanwhile, even a security extension is available [74]. A very prominent example for the operation of OLSR is the Freifunk project [5] that uses an adapted OpenWrt [75] Linux distribution.

B.A.T.M.A.N. (Better Approach To Mobile Ad-hoc Networking) [76] was developed by a group of OLSR developers who wanted to create a better routing approach for lossy networks. The main difference to the OLSR approach is that this proactive link state routing protocol does not create a full topology view for all protocol participants. Due to this approach, the protocol performs better with noisy links in terms of failure detection and autoconfiguration. A Linux implementation for the OpenWrt [75] project is available, so that B.A.T.M.A.N. can be tested in existing networks without major modifications.

HWMP (Hybrid Wireless Mesh Protocol) is introduced in the IEEE 802.11s standard [6] and combines two routing approaches. The mobile part of the mesh network is handled with the reactive AODV protocol, while the static part is analyzed with a proactive tree based routing approach. HWMP does its routing on the link layer (OSI layer 2), whereas both other approaches do the routing on the network layer. By this means, HWMP enables IP roaming within the mesh network. Further details have been investigated by Loos [13].

Chapter 3 Characteristic of Wireless Mesh Networks

This chapter deals with the special network characteristic of Wireless Mesh Networks. In order to make useful proposals for network protocols and to find measures to improve the performance, it is essential to know the specific advantages and disadvantages of WMN in comparison to conventional networks.

There are some researchers who have dealt with the special properties of wireless mesh networks too, e.g. Akyildiz and Wang wrote a book [77] and several articles (e.g. [25]) about wireless mesh networks that clearly differentiate the characteristic of WMN from the characteristic of mobile ad-hoc networks (MANET). Kyasanur and Vaidya [40] and Kodialam and Nandagopal [41] have investigated the capacity of WMN, which is directly bound to the description of network performance as we use it in this dissertation. Aguayo et al. [78] and Johnson [79] provide analyses for single radio wireless networks, while Raniwala and Chiueh [80] examine the throughput of wireless multihop networks using multiple radio interfaces.

We focus on practical measurements in this chapter as many research results only provide simulated measurement results. The goal of this chapter is to differentiate all particular performance related effects of WMN, even if they only occur combined in practice.

3.1 Network Characteristic

Before evaluating the network characteristic of wireless mesh networks, we have to determine what we mean with the term network characteristic. The network characteristic is a description of the communication behavior of a network, mainly determined by the performance of common communication models (uni-, multi- and broadcast) over different distances. Additionally special limitations (e.g. high latencies due to a reactive routing protocol) and particular advantages (e.g. low time costs for local broadcasts) play a role for the characteristic, whereby they are mostly covered by the network performance of the communication models. When comparing network types with each other, the network characteristic expresses what is special about a certain network and what makes the difference to other networks. We describe the network performance and characteristic for WMN as follows.

Network Performance of WMN. The network performance is expressed by three values that are evaluated independently: (1) Throughput is measured between two nodes in Mbps, (2) Latency is the time, a transmission needs to reach its destination, measured in µs (or ms) and (3) Packet loss rate can be calculated as:

$$1 - \frac{\text{received packets}}{\text{communicated packets}},$$

whereby communicated packets are all transmitted packets towards the measuring node and received packets are those packets that were actually received by the measuring node.

Network Characteristic of WMN. The average network performance for the common communication models: (1) unicast, (2) multicast and (3) broadcast with different distances (i.e. #hops or physical distance) is called network characteristic. Special advantages and disadvantages of particular networks not covered by the performance of the common communication models are taken into account as additional note.

Based on the definition of wireless mesh networks according to section 2.3 and following, we can make assumptions on the expected network characteristic before determining it with measurements. However, we have to distinguish between several WMN types that were introduced in section 2.3.2: (1) Single radio/single channel, (2) Multi radio/single channel and (3) Multi radio/multi channel.

The least performant, but at the same time most used setup, is the single radio/single channel wireless mesh network. Due to its low hardware costs, this WMN type is best suited as a cheap alternative to wire cabling. Because of interference and the half-duplex effect, we expect low throughputs and high latencies with an increasing number of hops. Since local broadcasting to physical neighbors needs the same effort as a wireless unicast transmission, the broad- and multicast performance in the near communication field will be equal to the performance of single unicast transmissions (unlike in wired networks). Instead, each communication (uni-/multi-/broadcast) to an N-hop distance decreases the throughput and increases the latency linearly in dependency of N. When having a high network load, we will additionally face an evident packet loss rate that is due to the use of one single channel for the whole network.

Multi radio wireless mesh networks using one wireless channel operate in the full-duplex mode. Since the whole capacity of the channel can now be used for sending (listening is parallel), the interference influences are notably stronger (full use of the channel). Therefore we have only a slight throughput and latency improvement in the near communication area, because intra-flow interference limits the (successful) access to the transmission medium. More distant communication (except there is a lot of inter-flow interference) will probably be more performant than in the first setup, because the performance limitation due to intra-flow interference scales better than the half-duplex effect. The packet loss rate is higher than in the first setup, because the channel use is notably higher when operating in full-duplex mode.

Multi radio WMN using multiple channels also operate in full-duplex mode, but can theoretically avoid intra- and inter-flow interference completely. The performance throughout the whole network is almost on the level of a single wireless link, while the behavior of throughput and latency is nearly independent of the distance (comparable with a wired network), since there are no interfering effects left. Only the propagation time (≈ speed of light [42]) of the signals and the processing time of the nodes (up to 440µs per packet with 20MHz CPU [81]), respectively their wireless interfaces, decrease the performance, while those times are more or less negligible. We expect a quite low packet loss rate when assuming that interference is avoided by a sensible channel selection.

For all wireless mesh network types holds that a routing protocol may induce additional latencies. If a proactive routing protocol is deployed then there is an initial delay and a delay every time the topology of the network changes. Even more delay can be expected with reactive routing protocols, as the route to the destination of the next transmission has to be determined before.

3.2 Experimentally determining the Network Characteristic of WMN

We have determined the characteristic properties of wireless mesh networks with several practical setups in different surroundings. Some of our tests were located in the network lab of the chair for network and data security (NDS) that was equipped with WiFi enabled personal computers. Figure 3.1 shows the schematic structure of the NDS network lab.

[Figure 3.1: overview plan of the network lab (IC 4 / 58 - 60, April 2005, Marc Erdmann) showing three subnets (netz0.test 192.168.0.0/24, netz1.test 192.168.1.0/24, netz2.test 192.168.2.0/24), each with its PCs, a server and a router.]

Fig. 3.1. Sketch of the NDS network lab, German [82]

3 Characteristic of Wireless Mesh Networks

However, there have been different test setups for the individual tests, as some tests require more mesh nodes than others. The test setups for the throughput and latency measurement in the NDS lab are illustrated in Figure 3.2. The idea behind the test setups was to create setups with symmetrical link qualities and several hops.

Fig. 3.2. Sketch of the test setups (left: throughput, right: latency) modified from Frosch [48]

Another test series has been performed inside and outside the office building of the MineTronics GmbH (previously Embigence GmbH) in Ladbergen (see Figure 3.3 – wireless nodes marked with ’A’ are not attenuated), using different embedded hardware.

Fig. 3.3. Sketch of test setup in Ladbergen, modified from [48]

I was strongly supported by Tilman Frosch, who performed a lot of tests determining the network characteristic of wireless mesh networks within the scope of his bachelor thesis [48] and a subsequent seminar work [12]. Besides that, experimental results from student works of Gilles-Roméo Agbamaté [83] and Sebastian Krück [84] are used.

We begin with the presentation of the network performance results of single radio/single channel wireless mesh networks, demonstrating the characteristic of the most common WMN type. After that, we determine the influence of different network effects (inter- and intra-flow interference, half-duplex effect) on the performance of WMN in order to extrapolate the general behavior of all WMN types. The main objective of this chapter is to make general statements on the behavior of wireless mesh networks, whereby we have tried to minimize the number of tests. Therefore our approach is not to determine the behavior with brute force (complete performance tests for each network type and node number), but in a smart way.

3.2.1 Results for Single Radio WMN

There is already a lot of research on the performance of single radio wireless mesh networks. In 2000, Gupta et al. [39] published a theoretical work on the capacity of wireless multihop networks. Johnson [79] evaluates the performance of single radio wireless mesh networks in a practical project in South Africa. The performance of wireless ad-hoc networks using a different number of radios and channels is examined by Li et al. [47]. Robinson et al. [85] examine the capacity of mesh networks, mainly focusing on the geographical distribution of the mesh nodes, but considering nodes with a single and several radios. Aoun et al. [86] deal with capacity improvements in multi radio WMN when the number of radios is increased.

In single radio wireless mesh networks, the half-duplex effect has a strong impact (see section 2.4.1). As a result, the theoretical throughput drops notably with the number of hops (blue line in figure 3.4). In practice, the network throughput is even worse, as Bicket et al. [87] found out and as our own measurements confirm.

Fig. 3.4. Throughput in dependency of #hops

Our own measurements have been performed in the network lab of the chair for network and data security, using five nodes combined to a WMN with a maximum hop count (see Figure 3.2 (left)). The WMN nodes did not have any computation power or energy constraints and were equipped with Atheros WiFi cards that had been shielded with aluminum foil so that not every node could see the complete network (see Figure 3.5), since all nodes were located in one room.

#Hops   ∅ Throughput
1       4.66 Mbps
2       1.27 Mbps
3       0.28 Mbps
4       0.12 Mbps

Fig. 3.5. Average throughput results and topology of the test setup [48]

Firstly, you can see from these results (Figure 3.5), that single radio WMN have a strong throughput drop when deploying several hops. In our test case, the practical usage of the WMN is strongly limited, e.g. video streaming with a fair quality would not be possible over more than two hops. Secondly, we are experiencing a throughput that is notably below the theoretical value introduced by the half-duplex effect. This leads to the conclusion that the throughput must be influenced by more than the half-duplex effect. A good latency is very important for remote control and other near realtime applications like VoIP calls. For that reason latency in wireless mesh networks is considered by several researchers in the field of MANETs and WMN, e.g. Gandhi et al. [88] investigate broadcast latencies in single radio ad-hoc networks, while Chou et al. [89] deal with broadcast latencies in multi radio wireless mesh networks. However, latency behavior is connected with throughput behavior in many cases, which means that you usually experience a high throughput together with a low latency and the other way around. This holds for the average latency while a transmission is done. But it is not that easy to predict the latency for any given throughput value, since latency depends on more circumstances, e.g. the used packet size and the transmission mode (uni-/broadcast).

Fig. 3.6. Latency measurement in the NDS network lab, extracted from [83]

You can observe in figure 3.6 that the latency grows only linearly with an increasing number of hops. Each hop adds a certain amount of time to the total latency of the packet, depending on the packet size. Usually, single latency measurements give results that do not correlate with the behavior of previous or subsequent throughput measurements, since the latency measurements are done with single packets, whereas a throughput measurement uses the entire network capacity. Latency results that are not acquired under full network load are thus not reasonable for data transfer, but represent the minimal latency that can be reached with a particular data volume.

Fig. 3.7. Average latency results (in ms) and topology of the test setup [48]

The latency results in figure 3.7 are measured in the NDS network lab (Figure 3.2 (right)) and represent the time (in ms) that was needed to transmit a packet with {16, 256, 512, 1400} bytes to all nodes in the network. In unicast mode, the packets were sent to each host separately, whereas in broadcast mode all hosts were addressed by the same packet, which is forwarded by every node. Recall that packets are bouncing back when every node forwards respectively rebroadcasts packets once. You can see that the packet size has a larger influence on the latency in unicast mode and that for each packet size broadcasting is faster than a series of unicast transmissions.

Fig. 3.8. Average latency results in ms: broadcast (left) and unicast (right) [48]

Furthermore, the standard deviation is larger in the unicast transmission mode, as you can observe in figure 3.8 (x-axis = sequence number ≈ time). Note that the results are an average over latencies for different hop counts.

All in all, broadcasting is more efficient than unicasting to reach all hosts in the network, which is an important point to consider when designing network protocols for WMN. Note that less information is transferred with broadcasting, since each packet could have been different in the unicast test. The latency tests have been realized in the net lab of the chair for network and data security (NDS) at the Ruhr-University Bochum.

Besides throughput and latency, the packet loss rate is an important factor to characterize wireless mesh networks. Campista et al. [90] have evaluated packet loss rates for different routing metrics in multihop WMN. Aguayo et al. [78] found out that the signal-to-noise ratio and the distance have little predictive value for the packet loss rate, when they performed measurements in an IEEE 802.11b wireless mesh network. They suppose multipath fading [91] rather than attenuation or interference to be the main cause for higher packet loss rates. Our packet loss rate measurements have been performed in a larger wireless mesh network inside and outside the office building of the MineTronics GmbH (see the corresponding topology graph in figure 3.9).

Fig. 3.9. Topology of packet loss measurement [48]

The measurement results in figure 3.10 show that there is a high packet loss rate (given in %) in the WMN. The packet loss rate depends on different factors, e.g. the quality of the single links (shown as ETX metric values in figure 3.9) and the amount of intra- and inter-flow interference. Additionally, the packet loss rate can be temporarily increased by external influences, e.g. a moving obstacle.

Fig. 3.10. Packet loss rate (in %) [48]

Broadcasting is more robust against packet loss, because each packet is rebroadcast at each node. Thus, the same packet more often arrives twice at a particular node, producing a more robust transmission. All packet sizes show relatively high packet loss rates (more than 10%); especially unicasting large packets leads to high rates. Actually, the tested network was far away from representing an ideal behavior, because many links had a quite bad quality. If you set up a WMN testbed with only high quality links, you will clearly measure smaller packet loss rates on the one hand, but on the other hand these values may not be realistic in practical networks, where bad link qualities are usual.

These results show that network protocols in wireless mesh networks have to be robust. Applications that rely on perfectly reliable links need a lower network layer that takes care of the reliability (e.g. with retransmissions).

Finally, we can make some general statements. Single radio wireless mesh networks experience strong throughput losses for an increasing number of hops. The latencies for particular data volumes show a linear behavior in dependency of the number of hops, whereby we expect a latency that is correlated with the throughput for normal transmissions (high throughput – low latency and the other way around). When all nodes in the WMN have to be reached, the latency and packet loss rate are clearly better in the broadcast mode. Using the unicast transmission mode to reach all nodes in the network results in higher latencies and more packet loss. Packet loss was tested with an average above 10% in our setup, which is a very high value in comparison with a wired ethernet network. Therefore network applications in WMN should be very robust against packet loss, packet delay and re-ordering.

3.2.2 Determining the Influences of Transmission related Effects

The impact of transmission related effects is a very important topic in the research field of multihop wireless mesh networks, e.g. Jain et al. [92] examined the impact of interference related issues on the performance of WMN. Tang et al. [93] have also realized that interference has a major impact on performance and have proposed a mechanism for interference-aware topology control. The practical influences of intra-flow interference and the half-duplex effect could be seen in figures 3.4 and 3.6 (throughput and latency in dependency of # hops), but since both effects were applied at the same time, it was not possible to make a statement about the influence of each single effect.

The half-duplex effect does not occur in either of the multi radio WMN types, so determining the intra-flow interference in multi radio setups enables us to differentiate the half-duplex effect and the intra-flow interference. Since the half-duplex effect influences the impact of the intra-flow interference, analyzing the effects independently will probably lead to new insights. The half-duplex effect [45] cannot be measured without intra-flow interference, because it is not possible to implement a single radio wireless mesh network that uses different channels for avoiding intra-flow interference¹. In contrast to the intra-flow interference, the half-duplex effect is a deterministic effect that is just based on the mode switching of the network interface card (listening or sending). Therefore we can assume a behavior that is close to the theoretical curve from figure 3.4. However, hardware based delays, the implementation of the NIC driver or the network stack can introduce slight deviations from this curve.

¹ Some special wireless NICs support several virtual subdevices on different channels. Note that this setup introduces a new performance decreasing effect, the channel hopping, which prevents an exact measurement of the single effects.

The impact of intra-flow interference [46] can be extracted from a multi radio WMN test setup using one single channel (no half-duplex effect). To clarify the intra-flow interference effect, we launch a second multi radio test in the same environment that uses separate channels. The difference between both tests gives insight into the intra-flow interference impact on the network performance. Because the latency is assumed to behave analogously to the throughput performance when the link is under load, only throughput results are measured.

Fig. 3.11. Intra-flow interference measurement

Figure 3.11 shows the results of the intra-flow interference measurement in a multi-radio WMN setup with three nodes N1, N2 and N3, whereby link A connects N1-N2 and link B connects N2-N3. Link AB stands for the two hop connection N1-N2-N3. In the single channel test, both links are using the IEEE 802.11b channel 1 (2.412 GHz), whereas the non-overlapping channels 1 (2.412 GHz) and 11 (2.462 GHz) are used in the multi channel setup.

The single links, when tested in sequence, show throughput rates between 16.2 Mbps and 17.3 Mbps. With inter-flow interference (both links on channel 1), the two hop link AB reaches about 52% of the single links, approximately 8.6 Mbps. This leads to the assumption that the wireless medium in our test setup provides around 17 Mbps with the deployed IEEE 802.11b cards and the mounted antennas, which is then consumed by both links to nearly the same amount.

In the multi channel setup, we achieve a considerably higher efficiency. The two hop link, using both channels, reveals a throughput of over 92% of the single links. This indicates on the one hand that the influence of intra-flow interference is very strong in the absence of the half-duplex effect and on the other hand that multi radio/multi channel WMN are able to provide very good throughput rates for multihop connections, which are even comparable to single hop links.

The theoretical curve induced by the half-duplex effect (Figure 3.4) can be seen as an upper bound for the throughput in single radio WMNs. Since sending and receiving is not possible at the same time, it is not possible to achieve throughput results that are on average higher than the theoretical curve. With a present half-duplex effect, the channel capacity is not fully exhausted, so that the intra-flow interference has a considerably lower impact, if any at all. In theory, the impact of intra-flow interference is induced by the distribution of the channel capacity, which does not need to be fair in each case. Nevertheless the impact of intra-flow interference in larger networks is lower than the half-duplex effect, because the shared medium has more capacity in a large area, whereas the half-duplex effect does not depend on the geographic size of the network but only on the hop count. However, both effects have a similar impact on small networks.

Inter-flow interference [46] can be analyzed with a simple single radio single channel test setup. Four nodes N1...N4 are arranged in two independent communication paths: N1-N2 (link A) and N3-N4 (link B), whereby the nodes are positioned in a way that both communication paths are parallel. We have measured the throughput in sequence and then simultaneously.

Fig. 3.12. Inter-flow interference measurement

You can see the results from two inter-flow interference test setups in Figure 3.12. Test setup 1 shows different throughputs for link A and B in the sequential test, whereas the nodes in test setup 2 were rearranged to have identical throughput values. For the simultaneous operation of links A and B, you can observe that the throughputs in test 1 decreased by ≈5 Mbps for each link. The decrease of the performance is quite fair in test 1, whereas there is an unequal throughput drop in test 2 (-15 Mbps vs. -0.3 Mbps).

We conclude that inter-flow interference has a strong impact on the overall performance of the WMN. You can see that the throughput drops dramatically in both cases, thus we reason that the shared medium has a particular capacity which cannot be exceeded. Test 1 shows a fair decrease in the throughput while the decrease in test 2 is unfair: link B is preferred. The capacity limit is the simpler point to deal with, whereas it is difficult to predict the unfair partitioning of the available capacity. Note that all test nodes were using the same hardware and software and were aligned to a grid.

3.3 Conclusion

We have practically analyzed the behavior of wireless mesh networks in the last section. Our approach to obtaining complete knowledge of the characteristic of WMN can be subdivided into two steps: gathering complete performance results for single radio/single channel WMN (basic measurements), and analyzing the important effects on their own in order to predict the characteristic for all WMN types from the combination of the basic measurements and the knowledge about the single effects. The description of the network characteristic for all WMN types is next, then a distinction from other network types like MANETs and the Internet. Lastly we provide consequences for network protocols that can be deduced from the determined network characteristic.

3.3.1 Description of the Network Characteristic for WMN

Three types of wireless mesh networks have to be distinguished: (1) single radio WMN, (2) multi radio WMN using a single channel and (3) multi radio WMN using multiple channels.

Network Characteristic for Single Radio WMN. The throughput, the latency and the packet loss rate strongly depend on the number of hops. While the throughput decreases dramatically for each hop, the latency increases more slowly when the medium is not fully exhausted. If the medium is fully exhausted (e.g. during a throughput measurement), the latency behaves inversely proportional to the throughput and can thus be computed from the throughput rate. Reaching all nodes in the network is more efficient with the multicast or broadcast transmission mode (compared to unicast transmissions) and comes with lower latencies and less packet loss.

Network Characteristic for Multi Radio / Single Channel WMN. The throughput, the latency and the packet loss rate depend on the density of the network. Overall performance (throughput and latency) in large networks will be better than in single radio WMN, because the performance limitation does not depend on the hops. When the network load does not reach the channel capacity, the latency throughout the whole network approximates the latency of the slowest single hop link in the current communication path. The packet loss rate will be quite high due to inter-flow and intra-flow interference as limiting factors. As in single radio WMN, multicast and broadcast transmissions are preferable to unicast communication for reaching all nodes.

Network Characteristic for Multi Radio / Multi Channel WMN. The throughput, the latency and the packet loss rate are constant for the whole network. The packet loss rate is, in contrast to both other WMN types, very low, because the interference level is negligible. Reaching all nodes in a network is still more efficient with multicast or broadcast transmissions, since the number of messages is smaller (less redundancy!) for those modes in comparison with the unicast mode.

3.3.2 Distinction from other Network Types

Wireless Mesh Networks differ very much from other network types like MANETs (Mobile Ad-Hoc Networks), VANETs (Vehicular Ad-Hoc Networks), sensor networks or the Internet [43]. Properties in which the network types differ are the network performance (throughput, latency), the network stability (reliability of links), the mobility of the nodes, power constraints (battery powered, stationary power supply) and computation power constraints (slow CPUs or little memory). The particular properties of the different network types are summarized in Figure 3.13.

                          WMN      MANET  VANET     Sensor Network  Internet
Network performance       Average  Low    Low       Low             High
Network stability         Average  Low    Very low  Low             High
Mobile nodes              No       Yes    Yes       Yes             No
Power constraints         No       Yes    No        Yes             No
Computation constraints   No       Yes    Yes       Yes             No

Fig. 3.13. Network Properties

Due to the differences between the network types, network protocols have to be adapted to the particular network type to gain maximum efficiency. For example, a network protocol designed for the Internet will not be very robust in a WMN, because Internet protocols usually assume a much faster network throughput and demand more reliable links. The same holds for MANETs and WMN, since the network protocols for MANETs are normally optimized to save power and computation time. WMN protocols would not work in MANETs, and MANET protocols would not utilize the WMN resources in a reasonable way, which makes the use of the protocol questionable. We provide some guidelines for the development of efficient WMN protocols in the next section 3.3.3. These guidelines can only be applied to WMN protocols and are based on the determined network characteristic for the different WMN types from section 3.3.1.

3.3.3 Consequences for WMN Protocols

The network performance of wireless mesh networks can be identified as average among the analyzed network types from section 3.3.2. Even single radio WMN, which are the slowest type of WMN, provide a better performance than e.g. an average VANET or a sensor network. The consequence is that we are allowed to transfer higher data volumes like they are common for asymmetric cryptography based protocols. A wasteful handling of the data volumes is however not recommended, since the network performance is far away from e.g. the performance of the Internet, where the difference of some bytes does not matter. However, data fragmentation costs a lot of time due to a higher packet count, so that binary TLV (Tag Length Value pattern) protocols may be preferred to e.g. XML based protocols. Also the number of protocol messages should be decreased to a minimum for reducing interference in the mesh network, which leads to a better overall performance [42].

Generally, transmission is a critical point in wireless mesh networks. If all nodes in the network need to receive a particular message, (global) broadcasting should be preferred to unicasting a message to every single node. Either way, unicasting/multicasting a message over several hops or (global) broadcasting should be avoided as often as possible, since these transmissions mean a substantial communication overhead. Local broadcasting, however, is very efficient in WMN because all physical neighbors are reached with only one transmission. Protocols should therefore try to make use of local broadcasting and avoid multihop communications whenever possible.

Using asymmetric cryptography is unusual for MANETs, VANETs and sensor networks. This is not only due to larger packet sizes emerging with asymmetric cryptographic operations, but mainly because of computation and power constraints. The embedded CPUs need a long time for computing complex mathematics and even if they are powerful enough, the computation process costs a lot of battery power. In contrast, WMN do not have such constraints in most cases. Simple mesh routers usually have a constant power supply and CPUs that clock with 200MHz or faster (e.g. Linksys WRT54G). Thus for WMN, the protocol design should clearly prefer reducing the communication complexity over reducing the computation complexity. Still, the same holds for computation overhead as for communication overhead: a wasteful use of these resources decreases the efficiency, since mesh routers are usually not as performant as common personal computers.

The average network stability of WMN demands a reliability layer in the network protocols. In the protocol design phase, researchers should not assume that each message arrives at its target every time. Since WMN nodes are not mobile, route and address changes are rare, which allows a more or less static concept for node identifiers. Moreover, the use of longterm keys can be reasonable and the establishment of session keys can improve the network security. All consequences are summarized in Figure 3.14.

WMN property                  Consequence for network protocols
Average network performance   Larger messages allowed (e.g. asymmetric cryptography), but reducing message count is reasonable. Local broadcasts should be preferred to multihop communication.
Average network stability     Reliability layer needed, design rule
No mobility                   Static identifiers okay, use of session keys reasonable
No power constraints          Complex computations are alright, faster CPUs available
No computation constraints    Complex computations are possible

Fig. 3.14. Network Properties and Consequences
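The size argument for binary TLV over XML in section 3.3.3, as an added example (not code from the thesis): a strict TLV codec for a hypothetical key-agreement message, compared with an XML rendering of the same fields. The tag numbers, field names, constructed 512-byte sample values and the 1400-byte payload per packet (the largest packet size used in the latency tests above) are assumptions made for the illustration.

```python
import base64
import struct

# Hypothetical tags for a key-agreement message (assumed, not from the thesis).
TAG_SENDER, TAG_ROUND, TAG_PUBLIC, TAG_SIGNATURE = 0x01, 0x02, 0x03, 0x04
ALLOWED_TAGS = {TAG_SENDER, TAG_ROUND, TAG_PUBLIC, TAG_SIGNATURE}
MAX_VALUE_LEN = 1024   # largest field a receiver accepts (assumed limit)
MAX_PAYLOAD = 1400     # assumed payload bytes per packet


class TLVError(ValueError):
    """Malformed or unexpected TLV input."""


def encode_tlv(fields):
    """Encode [(tag, value), ...] as tag (1 byte) | length (2 bytes, big-endian) | value."""
    out = bytearray()
    for tag, value in fields:
        if tag not in ALLOWED_TAGS:
            raise TLVError("unknown tag %r" % tag)
        if len(value) > MAX_VALUE_LEN:
            raise TLVError("value too long")
        out += struct.pack("!BH", tag, len(value)) + value
    return bytes(out)


def decode_tlv(buf):
    """Parse a TLV buffer strictly: no truncation, unknown tags or repeated tags."""
    fields, pos = {}, 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise TLVError("truncated header")
        tag, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if tag not in ALLOWED_TAGS:
            raise TLVError("unknown tag")
        if tag in fields:
            raise TLVError("duplicate tag")
        # The declared length comes from the network: check it before slicing.
        if length > MAX_VALUE_LEN or length > len(buf) - pos:
            raise TLVError("declared length exceeds limit or buffer")
        fields[tag] = buf[pos:pos + length]
        pos += length
    return fields


def encode_xml(fields):
    """Text rendering of the same fields, binary values base64-encoded."""
    names = {TAG_SENDER: "sender", TAG_ROUND: "round",
             TAG_PUBLIC: "public", TAG_SIGNATURE: "signature"}
    body = "".join("<%s>%s</%s>" % (names[t], base64.b64encode(v).decode(), names[t])
                   for t, v in fields)
    return ("<msg>" + body + "</msg>").encode()


def packets_needed(length, max_payload=MAX_PAYLOAD):
    """Number of packets a message of `length` bytes is split into."""
    return max(1, -(-length // max_payload))


def sample_message():
    """Constructed sample: 6-byte node id, round number, two 512-byte values."""
    return [
        (TAG_SENDER, bytes.fromhex("020000000001")),
        (TAG_ROUND, b"\x01"),
        (TAG_PUBLIC, bytes((7 * i) % 256 for i in range(512))),
        (TAG_SIGNATURE, bytes((13 * i + 5) % 256 for i in range(512))),
    ]


def compare_encodings():
    """Return (bytes, packets) for the TLV and the XML encoding of the sample."""
    msg = sample_message()
    tlv, xml = encode_tlv(msg), encode_xml(msg)
    if decode_tlv(tlv) != dict(msg):
        raise TLVError("round trip failed")
    return {"tlv": (len(tlv), packets_needed(len(tlv))),
            "xml": (len(xml), packets_needed(len(xml)))}


if __name__ == "__main__":
    print(compare_encodings())
```

With these sample fields the TLV message fits into one packet while the XML form needs two, so on a multihop path the text encoding doubles the number of transmissions competing for the shared medium.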

Chapter 4 Efficient Protocols for Wireless Scenarios

This chapter introduces several approaches for efficient network protocols in wireless scenarios. The focus of these network protocols lies on their efficiency, respectively latency, that is needed to realize responsive networks. The results can be seen as general concept work for wireless mesh networks or can be directly integrated in those networks.

Research in the field of efficient cryptographic network protocols has been done for a long while. In 1993, Bellare and Rogaway [94] came up with a paper proposing the random oracle model for designing efficient cryptographic network protocols. In 2002, Katz [95] dealt with efficient cryptographic protocols that prevent “Man-in-the-Middle” attacks. Currently there is a lot of research for efficient cryptographic protocols within the field of mobile ad-hoc and sensor networks. Perrig et al. [32][96] underline the demand for very efficient cryptographic solutions for sensor networks due to severe computation constraints. Zhu et al. [97] propose efficient and robust key management protocols for mobile ad-hoc networks (MANET). Secure routing algorithms for wireless networks, e.g. by Boukerche et al. [98], also have to be designed efficiently and are therefore also part of the research field for efficient network protocols.

Either way, efficient network protocols especially for constrained environments like wireless scenarios are an important research topic. Therefore we begin with introducing a dynamic threshold cryptosystem without group manager in section 4.2, which was published in the International Journal of Network Protocols and Algorithms [99]. Secondly, we present an efficient authenticated roaming algorithm for large wireless networks, using a tunnel approach. Besides the efficient authentication and key exchange techniques, we contribute an accounting solution that enables the use in commercial scenarios. This work is published in the lecture notes¹ “Quality of Service in Heterogeneous Networks” [100]. Moreover, we contribute an efficient extensible authentication protocol (EAP) for the use in wireless enterprise scenarios with demand for fast handover. This combined authentication and key agreement protocol can also be used in IEEE 802.11s compliant enterprise networks (WMN) to lower authentication timeouts. The work has been published in the proceedings of the 5th International Symposium on Information Security [101].

¹ 6th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, QShine 2009 and 3rd International Workshop on Advanced Architectures and Algorithms for Internet Delivery and Applications, AAA-IDEA 2009

4.1 Motivation

Wireless networks are characterized by natural resource constraints due to their wireless transmissions that provide less performance and stability. Hence, protocols for wireless scenarios need to be optimized with regard to their efficiency, which can be a lower latency, higher throughput or less computation effort. Many protocols are not optimized to handle the special properties of wireless networks, e.g. protocols that use TCP as transport layer protocol are less suitable for wireless scenarios where we have a higher packet loss rate than in wired networks. Therefore we suggest three protocols dedicated to wireless scenarios.

A dynamic threshold cryptosystem without group manager (section 4.2) is useful for wireless mesh networks where several nodes should be enabled to perform cryptographic operations on behalf of the whole group. To date, there has not been a decentralized solution which allows for dynamically removing users from the group, which is mandatory for practical wireless networks.

Efficient Authenticated Roaming via Tunnels (section 4.3) deals with roaming between wireless cells owned by foreign hosters. This approach is optimized for a lower communication and computation complexity as asymmetric cryptographic operations are not necessary in the protocol run. With this approach and a protocol design designated for few transmissions, a low latency can be realized which leads to an optimal situation for the roaming case.

The last contribution in this chapter is an EAP protocol for efficient wireless handover (section 4.4). Only two round trip times are needed to authenticate both participants and to agree on a common key. Experimental results from a practical testbed show the superiority over the fastest EAP protocols and underline the aptitude of our approach.

4.2 Dynamic Threshold Cryptosystem without Group Manager


Threshold cryptosystems require k + 1 users from a group of n users to cooperate in order to perform a common cryptographic task, e.g. a digital signature or a decryption. A prominent use case for these (k, n) threshold schemes can be found in wireless mesh networks, where it is usually inefficient to ask for a cryptographic operation involving all nodes of the network. Threshold systems are a feasible solution, because they allow a subset of the whole group to perform a cryptographic operation, e.g. a digital signature, on behalf of the whole group.

Central systems destroy the self-healing property of wireless mesh networks, since the need for a central system means a restriction in terms of redundancy. Thus, central systems like a trusted third party (TTP) should be avoided in WMN. Usually wireless mesh networks have a dynamic user behavior, which means that users join and leave randomly. It is an open problem to find a suitable threshold cryptosystem for WMN that does not rely on a trusted third party and allows users to join and leave the group at any time.

Our contribution is a dynamic threshold cryptosystem that allows users to join and leave without relying on a group manager or a trusted third party. Furthermore, the scheme provides anonymity of users and a constant public group key, even with a changing group size. We stress that our threshold cryptosystem is the first system that can be operated autonomously (without TTP) in wireless mesh networks.

Related Work

In 1984, Shamir [102] proposed the concept of ID-based cryptography. This concept allows the identification of a user with a publicly known parameter such as an e-mail address, IP address or name. The identifier can be used in conjunction with the public key of the group to encrypt data destined to this user or to verify signatures originating from this user. A trusted third party, who generates secret keys that correspond to the public key of the group and the ID of the user, is necessary. While Shamir provided the ID-based digital signature scheme, Boneh and Franklin [103] as well as Cocks [104] independently introduced schemes for ID-based encryption in 2001, which are based on Weil pairings and on the problem of quadratic residues, respectively. Adding members in ID-based schemes is done by generating a secret key (Trusted Third Party) that fits to the public key of the group and to the identifier of the new member. Removing a member can either be done by using certificate revocation lists or by assigning a period of validity to the distributed identifier as suggested by [103].

An alternative to ID-based cryptography is the idea of using threshold schemes. In 1979, Shamir [105] presented the idea of “How to Share a Secret”. In this scheme, the secret is divided and distributed among several entities, whereby the secret can be reconstructed when a subgroup of entities work together. Desmedt and Frankel [106] used this idea to design a threshold cryptosystem based on ElGamal in 1989. In 1991, Pedersen [107] presented another threshold scheme based on Shamir’s idea and the ElGamal cryptosystem without a TTP or group manager.


An additional property of the Pedersen scheme is the verifiability of all member shares (VSS, Verifiable Secret Sharing). In 2003, Libert and Quisquater [108] introduced a threshold cryptosystem based on pairings with the ability to efficiently revoke users within the group. To accomplish this task they used the idea of a so-called semi-trusted mediator (mostly a synonym for TTP) proposed by Boneh, Ding, Tsudik and Wong [109] in 2001. In 2005 Saxena, Tsudik and Yi [110] presented a scheme with the option of dynamically adding members to the group. Their scheme uses bi-variate polynomials, which allowed them to design a non-interactive threshold scheme. The key establishment can be performed by a set of founding members using the method of joint secret sharing [111], while adding members is possible through a subset of already established members of the group.

In 1991, Desmedt and Frankel [112] introduced the idea of using RSA for threshold schemes by presenting a new non-robust and non-interactive threshold scheme. Similar to the ElGamal-based scheme of [106], adding or removing a member is not possible in their scheme. Gennaro et al. [113] introduced some ideas to provide robustness to RSA threshold schemes in 1996, with Shoup [114] presenting a robust RSA threshold signature scheme in 1999. Recently, in 2008, Gennaro et al. [115] developed a dynamic RSA threshold scheme. They utilize bi-variate polynomials for adding new members while being dependent on a trusted third party in the initial key distribution phase. In addition to the dynamic member adding, their scheme provides robustness and is non-interactive.

In 1995, Herzberg et al. [116] developed a method to increase the security of a (k, n) threshold scheme by decreasing the time window during which an adversary must compromise ≥ k + 1 shares of the secret. In this proactive secret sharing scheme (PSS) the shares of all members are periodically renewed.

The threshold scheme of Libert and Quisquater [108] uses ID-based cryptography and provides the possibility to add and remove members dynamically, while being dependent on a TTP. The RSA-based scheme from Gennaro et al. [115] also relies on a trusted third party. Only adding members is possible with Gennaro’s scheme. Tsudik and Yi’s scheme [110] is based on ElGamal and also allows adding members, but without using a TTP.

Contribution

Our contribution is an ElGamal-based anonymous and autonomous threshold scheme based on techniques derived from the share renewal method in PSS. Table 4.1 shows the comparison of the related work schemes, their predecessors and our scheme. To the best of our knowledge, there is currently no threshold cryptosystem (neither ID-based, ElGamal-based nor RSA-based) which allows the removing of members without a TTP. Certificate revocation lists could be used to replace a TTP, but this possibility will not be considered due to the unlimited size of those lists and their impact on the anonymity property.


Table 4.1. Comparison of referenced schemes

| Scheme | Establish Group | Add Member | Remove Member |
| Desmedt, Frankel [112] (RSA) | ◦ | − | − |
| Gennaro et al. [115] (RSA) | ◦ | • | − |
| Boneh, Franklin [103] (ID) | ◦ | ◦ | (◦) |
| Libert, Quisquater [108] (ID) | ◦ | ◦ | ◦ |
| Pedersen [107] (ElG.) | • | − | − |
| Saxena et al. [110] (ElG.) | • | • | − |
| Our Scheme (ElG.) | • | • | • |

ElG. = ElGamal-based, RSA = RSA-based, ID = ID-based
• without TTP, ◦ with TTP, (◦) with CRL/Timestamp, − not possible

We propose a threshold scheme without group manager that allows for dynamically adding and removing members while retaining the group public key. Our scheme is secure against passive adversaries.

4.2.1 Threshold Scheme without Group Manager

We have searched for a group oriented cryptosystem that has the following properties: it is autonomous, anonymous and provides security against inside and outside adversaries. ID-based systems do not provide the autonomous and anonymous properties. A group manager is necessary in the known schemes based on pairings, and furthermore no anonymity is present, because each party has its own public key. Group signature schemes need a group manager for the possibility to identify signers (signer ambiguous) and for adding or removing members. We therefore decided to deploy threshold schemes, since a group manager is not mandatory here and anonymity can be provided as well.

A (k, n)-threshold scheme has n members, of which at least k + 1 are necessary to recover the group secret. This scheme is extended to a public key cryptosystem with a shared secret key SK and a single public key PK. Generating and distributing the public/secret key pair can be done by a TTP or by a distributed key generation. A TTP generates the (PK, SK) pair, splits the secret key into n shares and distributes them securely to each member, as in Shamir’s secret sharing [105]. Our scheme uses the second possibility, where all members cooperate in the key generation.

Setup and Adversarial Model

We propose a cryptographic scheme that is secure against passive adversaries. That means that an adversary is only able to eavesdrop on all communication channels, but not to manipulate or insert new messages. For simplicity, we do not present a concrete implementation for transmissions marked as “confidentially” at first, although confidential channels are necessary to protect against passive adversaries. To improve the readability of the main scheme, a concrete implementation for confidential communication channels is demonstrated separately in section 4.2.2.


Distributed Key Generation

In this section, we show how a group $U = \{P_1, \dots, P_n\}$ can cooperate to establish a public key $PK = (p, q, g, A)$ and corresponding secret key $SK = (a_0)$, such that at least $k + 1$ members are needed to utilize $SK$. The distributed key generation is divided into two operations, the key generation and distribution. Prior to key generation, all members $P_i$ need to agree on the public parameters $p, q, g$ such that:

$$p, q \in \mathbb{P} : p \mid q$$

$$g \in \mathbb{Z}_p^* : \mathrm{ord}(g) = q$$

whereby $\mathbb{P}$ is the set of primes. After agreeing on the public parameters and the desired threshold value $k$, each member $P_i$ of group $U$ generates a key pair for the ElGamal encryption scheme as follows:

$$\begin{aligned}
u_{i,0} &\in_R \mathbb{Z}_q^* \\
A_i &:= g^{u_{i,0}} \bmod p
\end{aligned} \tag{4.1}$$

with $A_i$ being a part of the public key parameter $A$. The value $u_{i,0}$ is called member secret of $P_i$. $u_{i,0}$ represents a part of the group’s secret key $a_0$, which is distributed among all members of $U$. This is done by creating a k-resilient (k, n) secret sharing scheme with the idea of Shamir [105].

$$\begin{aligned}
&\{s_1, \dots, s_k\} \in_R \mathbb{Z}_q^* \\
&f_i(x) = s_k x^k + s_{k-1} x^{k-1} + \dots + s_1 x + u_{i,0} \bmod q \\
&u_{i,j} := f_i(j), \ \forall j : P_j \in U \\
&\text{Send } A_i, u_{i,j} \text{ to } P_j \text{ (confidentially)}, \ \forall P_j \in U
\end{aligned} \tag{4.2}$$

Each member $P_i$ chooses a random polynomial of $\deg(f_i) = k$ and computes $n$ member shares $u_{i,j} = f_i(j)$ of its own secret polynomial. Then the member shares, as well as the values $A_i$, are sent confidentially to each $P_j$. After the distribution, each member computes its so-called secret share and public key parameter $A$.

$$\begin{aligned}
A &= \prod_{i=1}^{n} A_i \bmod p \\
a_i &= \sum_{j=1}^{n} u_{j,i} \equiv \sum_{j=1}^{n} f_j(i) \bmod q
\end{aligned} \tag{4.3}$$

Each $P_i$ is now in possession of $PK = (p, q, g, A)$ and a secret share $a_i$ of $SK = (a_0)$. The secret share $a_i$ is the function evaluation of $f(x) = \sum_{j=1}^{n} f_j(x) \bmod p$ at position $i$ (homomorphism property).


Adding Members

The adding of a specific user $P_{n+1}$ to a pre-established group $U$ with $n$ members is explained in detail within this section. The following conditions must hold when a user is added to the group:

1. The public key $PK = (p, q, g, A)$ and the secret key $SK = (a_0)$ remain unchanged.
2. The secret share $a_{n+1}$ and polynomial $f_{n+1}$ is only known to $P_{n+1}$.
3. The new $a_{n+1}$ of $P_{n+1}$ is a valid and fully functional secret share of the group $U$.

We adapted the share renewal technique used in PSS [116] to implement an efficient adding and removing of members. While adding, $k + 1$ members split off a part of their secret and share this part with the new user. Removing a member is done by computing and redistributing the member’s secret to some remaining members, as shown in the next paragraph. The adding of a user is done in three phases.

Phase 1a - Secret Sharing: During phase 1a, $k + 1$ members of $U$ form a so called helper group $U_h$. These members cooperate in the generation of a new member secret $u_{n+1,0}$ for $P_{n+1}$. For this, all $P_i \in U_h$ cede a part of their member secret $u_{i,0}$ and submit it secretly to $P_{n+1}$. A new polynomial is generated and the differences between the values generated from the new and the old polynomial are also distributed secretly. The details of this process executed by all $P_i \in U_h$ are shown below:

$$\begin{aligned}
&\mathit{share}_i \in_R \mathbb{Z}_q^* \\
&u_{i,0} = u_{i,0} - \mathit{share}_i \\
&s_t \in_R \mathbb{Z}_q^*, \ \forall t = \{1, \dots, k\} \\
&f_i'(x) := s_k x^k + s_{k-1} x^{k-1} + \dots + s_1 x + u_{i,0} \bmod q \\
&\delta_i[j] := f_i'(j) - f_i(j) \bmod q, \ \forall j : P_j \in U \\
&f_i(x) = f_i'(x)
\end{aligned} \tag{4.4}$$

Each member $P_i \in U_h$ is now in possession of a new $f_i(x)$ and a new member secret $u_{i,0}$. All $P_i$ then send (confidentially) $\mathit{share}_i, \delta_i, u_{i,n+1}$ to $P_{n+1}$.

Phase 1b - Share Computation: In this phase, the member shares $u_{i,n+1}$ ($\forall i \in U$) for the new member $P_{n+1}$ are computed. During the distributed key generation all $n$ members were needed to compute their member shares, but with the help of the Lagrangian interpolation only $k + 1$ members need to cooperate to generate these $n$ shares. The Lagrangian interpolation is defined as:

$$L(\alpha, \beta) \stackrel{\text{def}}{=} \prod_{\gamma \in U, \gamma \neq \beta} \frac{\alpha - \gamma}{\beta - \gamma}$$


The communication progress is similar to a chain reaction. Without loss of generality, we start with member $P_1$, incrementing step-wise until $P_{k+1}$ is reached. The necessary $k + 1$ members are allowed to be in $U_h$. Phase 1a and phase 1b can be run simultaneously, since the operations do not depend on each other. $P_1$ computes:

$$\begin{aligned}
&r \in_R \mathbb{Z}_q^* \\
&\omega_j := u_{j,1} * L(n+1, j) + r \bmod q, \ \forall j : P_j \in U \setminus U_h \\
&\Omega = \{\omega_1 | \omega_2 | \dots | \omega_j\}
\end{aligned} \tag{4.5}$$

The array $\Omega$ contains a subset of all computed member shares of $P_i$, $\forall i \in U \setminus U_h$ for user $P_{n+1}$ which is sent (confidentially) to the next member within the chain. It is necessary that the second user in the chain is a member of the group $U_h$, so that $P_2$ is not able to recover the used $r$. In addition, $r$ is sent (confidentially) to $P_{n+1}$. Now, members $P_i$, $\forall i \in \{2, \dots, k+1\}$ proceed with:

$$\begin{aligned}
&\omega_j = \omega_j + (u_{j,i} * L(n+1, j)) \bmod q, \ \forall j : P_j \in U \setminus U_h \\
&\text{Send } \Omega \text{ to } P_{i+1} \text{ (confidentially)}
\end{aligned} \tag{4.6}$$

The last member $P_{k+1}$ sends $\Omega$ confidentially to $P_{n+1}$.

Phase 2 - Reconstructing Shares: At the start of phase 2 the (yet to be added) new user $P_{n+1}$ receives the messages from phase 1a and phase 1b, hence $\mathit{share}_i, \delta_i, u_{i,n+1}$, $\forall i \in U_h$ and $\Omega$. When $P_{n+1}$ has received all $h + 1$ messages, the following is done:

$$\begin{aligned}
&u_{i,n+1} = \omega_i - r, \ \forall i : P_i \in U \setminus U_h \\
&u_{n+1,0} = \sum_{i : P_i \in U_h} \mathit{share}_i \bmod q \\
&s_t \in_R \mathbb{Z}_q^*, \ \forall t = \{1, \dots, k\} \\
&f_{n+1}(x) := s_k x^k + s_{k-1} x^{k-1} + \dots + s_1 x + u_{n+1,0} \bmod q \\
&a_{n+1} := \sum_{i : P_i \in U \cup P_{n+1}} u_{i,n+1} \bmod q \\
&\Delta = \{\delta_1 | \delta_2 | \dots | \delta_i\}, \ \forall i : P_i \in U_h \\
&\Lambda = \{u_{n+1,1} | u_{n+1,2} | \dots | u_{n+1,n}\}, \ \text{with } f_{n+1}(i) = u_{n+1,i}
\end{aligned} \tag{4.7}$$

Then $P_{n+1}$ sends $\Delta$, $\Lambda$ via broadcast (confidentially).

Phase 3 - Final Computation: During phase 3 each member $P_i$ receives the broadcast from $P_{n+1}$ and computes:

$$\begin{aligned}
&u_{j,i} = u_{j,i} + \delta_j[i] \bmod q, \ \forall j : P_j \in U_h \\
&u_{n+1,i} = \Lambda[i] \\
&a_i = \sum_{j=1}^{n+1} u_{j,i} \bmod q
\end{aligned} \tag{4.8}$$

All members now possess the member share of $P_{n+1}$ and the updated member shares from the members of $U_h$. Then, they compute their new secret share $a_i$, adding the user $P_{n+1}$ to the group.

Removing Members

Removing a member $P_r$ is executed in three steps. First, the member secret $u_{r,0}$ is recovered using the Lagrangian interpolation by at least $k + 1$ members. This secret is then shared between some members. From there on, the removing of a member is similar to the adding, with the details of each of the three phases shown below.

Phase 1 - Secret Recovery/Share Computation: The user $P_r$ shall be removed from the group $U$. For this, $k + 1$ members need to agree on the removing, forming the group $U_{k+1}$, with one of the members designated as $P_z$. Each of the members $P_i$, $\forall i \in \{1, \dots, k+1\}$ (w.l.o.g.) computes:

$$\omega_i := L(0, i) * u_{r,i} \bmod q \tag{4.9}$$

With this, it is possible to reconstruct the secret of $P_r$ by computing $u_{r,0} = \sum_{i=1}^{k+1} \omega_i$ later on. A helper group $U_h'$ with at least 2 members is formed. It is mandatory that member $P_z$ is in $U_h'$. Ideally, the remaining $h - 1$ members are from $U_{k+1}$ as well, which will reduce the number of communications necessary for this phase. Now, $h - 1$ users $P_i$ from $U_h'$ will do the following operations and then send the results to the remaining user $P_z$ of this group:

$$\begin{aligned}
&\mathit{share}_i \in_R \mathbb{Z}_p^* \\
&u_{i,0} = u_{i,0} + \mathit{share}_i \bmod q \\
&s_t \in_R \mathbb{Z}_q^*, \ \forall t = \{1, \dots, k\} \\
&f_i'(x) := s_k x^k + s_{k-1} x^{k-1} + \dots + s_1 x + u_{i,0} \bmod q \\
&\delta_i(x) := f_i'(x) - f_i(x) \bmod q \\
&f_i(x) = f_i'(x)
\end{aligned} \tag{4.10}$$

In comparison with the corresponding adding phase 1a, the computations differ in the computation of the differences ($\delta_i$), because $\delta_i$ is now a polynomial. Therefore the data volume is much lower during the removing phase, since the polynomial has only $k + 1$ values (coefficients). The difference values during the adding phase consist of $n$ values. Now, $\omega_j, \mathit{share}_i, \delta_i$, $\forall j \in \{1, \dots, k+1\}$ and $\forall i \in U_h'$ is sent (confidentially) to $P_z$.


Phase 2 - Difference Transfer: During phase 2 all necessary computations for the removing of member $P_r$ are executed. First, member $P_z$ reconstructs the member secret of $P_r$ by computing

$$u_{r,0} = \sum_{i=1}^{k+1} \omega_i \bmod q \tag{4.11}$$

Without loss of generality: $i = 1, \dots, k + 1$. Then, $P_z$ computes $\delta_z$ similar to the other users of the helper group $U_h'$.

$$\begin{aligned}
&\mathit{share}_z = u_{r,0} - \sum_{i=1}^{h} \mathit{share}_i \bmod q \\
&u_{z,0} = u_{z,0} + \mathit{share}_z \bmod q \\
&s_t \in_R \mathbb{Z}_q^*, \ \forall t = \{1, \dots, k\} \\
&f_z'(x) := s_k x^k + s_{k-1} x^{k-1} + \dots + s_1 x + u_{z,0} \bmod q \\
&\delta_z(x) := f_z'(x) - f_z(x) \bmod q \\
&f_z(x) = f_z'(x) \\
&\Delta = \{\delta_1(x) | \delta_2(x) | \dots | \delta_i(x)\}, \ \forall i : P_i \in U_h'
\end{aligned} \tag{4.12}$$

At the end of this phase, $P_z$ broadcasts $\Delta$ to all members of $U$.

Phase 3: Each member $P_i$ receives the broadcasts and computes:

$$\begin{aligned}
&u_{j,i} = u_{j,i} + \delta_j(i) \bmod q, \ \forall j : P_j \in U_h' \\
&a_i = \sum_{j : P_j \in U \setminus P_r} u_{j,i} \bmod q
\end{aligned} \tag{4.13}$$

Similar to the adding, each member (except $P_r$) is now in possession of $h + 1$ new member shares and the updated secret shares of the polynomial

$$f(x) = \sum_{i : P_i \in U \setminus P_r} f_i(x) \bmod p$$

The secret share $a_r$ is no longer valid, hence $P_r$ is no longer able to cooperate with members $P_i \in U$ to reconstruct the secret $a_0$ using the Lagrangian interpolation. Finally each $P_i$ deletes $P_r$’s entry $u_{r,i}$ from its local database, removing the last trace of the membership.


4.2.2 Confidential Channels

Some transmissions in the previous description were marked with confidentially. A solution for this is the use of public key cryptography. At first, we assume that every node owns a private/public key pair and every node is aware of the public keys of all other nodes. Now, every message marked with confidentially is encrypted with the public key $pk_j$ of the receiver $P_j$, so that only the right receiver is able to decrypt this message. By this means we prevent adversaries from collecting all messages and computing the group key.

4.2.3 Practical Application of our Threshold Scheme

In this section, we give an example for the practical application of our threshold scheme. An outsider encrypts data with the public key of the threshold group, which is then cooperatively decrypted by $k + 1$ group members. Another application that is often quoted in the literature is the creation of a cooperative signature. A typical use case for these applications may be the parameter update for a set of meshed intrusion detection systems (IDS) or a common report generation.

Encryption: A user outside the group knows the public key $(p, g, A)$ of the group $U$.

$$\begin{aligned}
&\text{choose a plaintext: } m \\
&b \in_R \{2, \dots, p - 2\} \\
&B := g^{b} \bmod p \\
&\text{ciphertext: } c := m * A^{b} \bmod p
\end{aligned}$$

The user sends the ciphertext $\langle c, B \rangle$ to the group $U$.

Decryption - Phase 1: We assume that $P_i$ begins the decryption of $\langle c, B \rangle$. Since $k + 1$ users are needed to decrypt the ciphertext, $P_i$ asks for the help of $k$ chosen users $P_j$ with $i \neq j$.

To prevent an impersonation attack, $P_i$ has to prove that she knows $a_i$, her secret part of the group key. This can be accomplished by a Zero-Knowledge Proof ($p' \in \mathbb{P}$ with $p' > p$, $\langle g' \rangle = \mathbb{Z}_{p'}^*$):

$$\begin{aligned}
t &\in_R \mathbb{Z}_{p'}^* \\
T &:= g'^{\,t} \bmod p' \\
S &:= t - \mathrm{Hash}(A_i, g', p', T, \langle c, B \rangle, U_{\mathit{help}})\, a_i \bmod p' - 1
\end{aligned}$$

$P_i$ sends $(\langle T, S \rangle, \langle c, B \rangle, U_{\mathit{help}})$ to all users $P_j$ from whom she wants help. The subgroup of users in $U$ that decrypt cooperatively is called $U_{\mathit{help}}$, whereby $U_{\mathit{help}}$ also includes $P_i$.


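Decryption - Phase 2: All users $P_j$ in $U_{\mathit{help}}$ verify the ZK-Proof from $P_i$ by checking:

$$T \stackrel{?}{=} g^{S} A_i^{\mathrm{Hash}(A_i, g', p', T, \langle c, B \rangle, U_{\mathit{help}})} \bmod p'$$

Then each user $P_j$ in $U_{\mathit{help}}$ computes the partial decryption and encrypts it with the personal key $A_i$ of $P_i$:

$$\begin{aligned}
m_j &:= B^{L(0,j)\, a_j} \bmod p \\
r &\in_R \mathbb{Z}_{p'}^* \\
R_j &:= g'^{\,r} \bmod p' \\
d_j &:= A_i^{r}\, m_j \bmod p'
\end{aligned}$$

where $L(0, j)$ is the Lagrangian interpolation with:

$$L(\alpha, \beta) \stackrel{\text{def}}{=} \frac{\prod_{\gamma \in U_{\mathit{help}}, \gamma \neq \beta} (\alpha - \gamma)}{\prod_{\gamma \in U_{\mathit{help}}, \gamma \neq \beta} (\beta - \gamma)} \bmod q$$

All users in $U_{\mathit{help}}$ send their encrypted shares $\langle d_j, R_j \rangle$ to $P_i$.

Decryption - Phase 3: $P_i$ decrypts all shares $\langle d_j, R_j \rangle$ with:

$$m_j = R_j^{\,p' - 1 - a_i}\, d_j \bmod p'$$

and then computes the plaintext $m$ from $\langle c, B \rangle$ with:

$$m = c * \frac{1}{\prod_{\forall j \in U_{\mathit{help}}} m_j} \bmod p$$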
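The following Python simulation is an added example, not code from the thesis: it runs the distributed key generation (4.1)-(4.3), one member join (4.4)-(4.8), one member removal (4.9)-(4.13) and the cooperative decryption above, and checks that the public key stays constant while the removed member's old share stops working. Assumptions: a constructed toy group with q dividing p − 1 (p = 2039, q = 1019, g = 4); Lagrange coefficients are taken over the k + 1 cooperating members and indexed by the contributing member, as in the $U_{\mathit{help}}$ definition above; the knowledge proof and the transport encryption of the partial results are left out; all names (`Group`, `scenario`, ...) are hypothetical.

```python
import random
import secrets
from math import prod

# Constructed toy group, far too small for real use: P = 2Q + 1, G has order Q (assumes q | p - 1).
P, Q, G = 2039, 1019, 4

def rand_poly(const, k, rng):
    """Random degree-k polynomial over Z_q, constant term first."""
    return [const % Q] + [rng.randrange(1, Q) for _ in range(k)]

def ev(poly, x):
    """Evaluate poly at x modulo Q."""
    return sum(c * pow(x, t, Q) for t, c in enumerate(poly)) % Q

def lagrange(alpha, beta, ids):
    """L(alpha, beta) over the cooperating index set ids, modulo Q."""
    num = prod(alpha - g for g in ids if g != beta)
    den = prod(beta - g for g in ids if g != beta)
    return num * pow(den % Q, -1, Q) % Q

class Group:
    """All members simulated in one object; u[j][i] = f_j(i) is the value P_i holds."""
    def __init__(self, n, k, rng):
        self.k, self.rng, self.ids = k, rng, list(range(1, n + 1))
        self.f = {i: rand_poly(rng.randrange(1, Q), k, rng) for i in self.ids}  # (4.1), (4.2)
        self.u = {j: {i: ev(self.f[j], i) for i in self.ids} for j in self.ids}

    def public_key(self):
        """A = product of g^(u_i0) over the current members, eq. (4.3)."""
        return prod(pow(G, self.f[i][0], P) for i in self.ids) % P

    def secret_share(self, i):
        """a_i = sum_j u_{j,i} mod q, eq. (4.3)."""
        return sum(self.u[j][i] for j in self.ids) % Q

    def add_member(self, helpers):
        new, shares, deltas, to_new = max(self.ids) + 1, [], {}, {}
        for i in helpers:                                  # phase 1a, eq. (4.4)
            s = self.rng.randrange(1, Q)
            fresh = rand_poly(self.f[i][0] - s, self.k, self.rng)
            deltas[i] = {j: (ev(fresh, j) - ev(self.f[i], j)) % Q for j in self.ids}
            to_new[i], self.f[i] = ev(fresh, new), fresh
            shares.append(s)
        r = self.rng.randrange(1, Q)                       # phase 1b, eqs. (4.5), (4.6)
        omega = {j: r for j in self.ids if j not in helpers}
        for i in helpers:                                  # the chain, here the helper group
            for j in omega:
                omega[j] = (omega[j] + self.u[j][i] * lagrange(new, i, helpers)) % Q
        to_new.update({j: (w - r) % Q for j, w in omega.items()})   # phase 2, eq. (4.7)
        self.f[new] = rand_poly(sum(shares), self.k, self.rng)
        for i in helpers:                                  # phase 3, eq. (4.8)
            self.u[i] = {j: (self.u[i][j] + deltas[i][j]) % Q for j in self.ids}
        for j in self.ids:
            self.u[j][new] = to_new[j]
        self.ids.append(new)
        self.u[new] = {i: ev(self.f[new], i) for i in self.ids}
        return new

    def remove_member(self, gone, coop, helpers):          # coop: k + 1 remaining members
        u_r0 = sum(lagrange(0, i, coop) * self.u[gone][i] for i in coop) % Q  # (4.9), (4.11)
        *others, z = helpers                               # the last helper acts as P_z
        shares = {i: self.rng.randrange(1, Q) for i in others}
        shares[z] = (u_r0 - sum(shares.values())) % Q      # eq. (4.12)
        self.ids.remove(gone)
        del self.u[gone], self.f[gone]
        for i in helpers:                                  # eqs. (4.10), (4.13)
            fresh = rand_poly(self.f[i][0] + shares[i], self.k, self.rng)
            delta = [(a - b) % Q for a, b in zip(fresh, self.f[i])]  # delta_i(x)
            self.u[i] = {j: (self.u[i][j] + ev(delta, j)) % Q for j in self.ids}
            self.f[i] = fresh

def encrypt(A, m, rng):
    b = rng.randrange(2, P - 1)
    return m * pow(A, b, P) % P, pow(G, b, P)              # ciphertext <c, B>

def threshold_decrypt(c, B, shares):
    """shares maps member index -> a_j for exactly k + 1 cooperating members."""
    mask = prod(pow(B, lagrange(0, j, list(shares)) * a % Q, P) for j, a in shares.items()) % P
    return c * pow(mask, -1, P) % P

def scenario(seed=None):
    """Five members, k = 2: one join, one removal, decryption before and after."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    grp, m = Group(5, 2, rng), 1234
    pk = grp.public_key()
    new = grp.add_member(helpers=[1, 2, 3])
    c, B = encrypt(pk, m, rng)
    via_new = threshold_decrypt(c, B, {i: grp.secret_share(i) for i in (4, 5, new)})
    stale_a2 = grp.secret_share(2)                         # P_2 keeps its old share
    grp.remove_member(2, coop=[1, 3, 4], helpers=[5, new])
    now = {i: grp.secret_share(i) for i in grp.ids}
    after = threshold_decrypt(c, B, {i: now[i] for i in (1, 4, new)})
    stale = threshold_decrypt(c, B, {2: stale_a2, 1: now[1], 3: now[3]})
    return {"pk_same": grp.public_key() == pk, "via_new": via_new == m,
            "after_removal": after == m, "stale_share_works": stale == m}

if __name__ == "__main__":
    print(scenario())
```

In a group this small the stale share still decrypts correctly with probability of roughly 1/q, so `stale_share_works` is expected to be `False` but is not guaranteed to be on every run.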

It is important to note that $|U_{\mathit{help}}|$ is $k + 1$.

4.2.4 Security

The security analysis of our scheme follows a two step approach. At first we just consider a passive adversary against our scheme, who is capable of eavesdropping on all communication channels but may not manipulate or send own data. Later on we point out what is necessary to make the scheme secure against active adversaries.

Security Proof for Shamir’s Secret Sharing Scheme

Our scheme uses Shamir’s secret sharing scheme as cryptographic primitive. To provide a complete security evaluation of our scheme, we therefore begin with a formal security proof of Shamir’s scheme. Shamir’s scheme is secure if it is not possible to recover the polynomial $f(x)$ (or at least the last coefficient of $f(x)$, the secret group key $a_0$) with less than $k + 1$ shares $a_i$ ($i > 0$). The degree of $f(x)$ is $k$, $|f(i)| = 2^l$. We will show that an attacker owning $k$ shares $\langle i, a_i \rangle$ ($i > 0$) is not successful in recovering the secret $a_0$.

Theorem 4.1. For $k + 1$ shares $\langle i, a_i \rangle$ ($i > 0$) with pairwise different $i$, there is exactly one polynomial $f(x)$ of degree $\leq k$ with $f(i) = a_i$, $\forall i \in \{1, \dots, k + 1\}$ w.l.o.g.

Proof. A proof by contradiction states that there are two different polynomials $g(x)$ and $h(x)$ with $\deg(g) \leq k$ and $\deg(h) \leq k$ that can be created with $k + 1$ shares $\langle i, a_i \rangle$ ($i > 0$). The difference polynomial $\Delta(x) = g(x) - h(x)$ must therefore have at least $k + 1$ zero points. W.l.o.g. $\Delta(i) = 0$, $\forall i \in \{1, \dots, k + 1\}$.

$\Delta(x)$ has a degree of at most $k$, since $g(x)$ and $h(x)$ are of degree $\leq k$; hence $\Delta(x)$ can have a maximum of $k$ zero points. Because $\Delta(x)$ has at least $k + 1$ zero points (but may have at most $k$ zero points, degree $\leq k$), $\Delta(x)$ must be the null polynomial. That means that $g(x) = h(x)$.

An attacker who only owns $k$ shares $\langle i, a_i \rangle$ from $f(x)$ can interpolate a polynomial $p(x)$ with a maximum degree of $k - 1$ (Lagrangian interpolation). This polynomial has the following property w.l.o.g.:

$$f(i) = p(i), \ \forall i \in \{1, \dots, k + 1\}$$

But additionally it must hold with a probability of $\Pr \approx 1 - \frac{1}{2^l}$ that:

$$f(i) \neq p(i), \ \forall i \notin \{1, \dots, k + 1\}$$

This is because $f(x) \neq p(x)$, which follows from the fact that $f(x)$ has degree $k$ and $p(x)$ can have a maximal degree of $k - 1$. If the coefficients of $f(x)$ over $\mathbb{Z}_p^*$ ($p \in \mathbb{P}$) are uniformly distributed, the probability for $f(i) = p(i)$, $i \notin \{1, \dots, k + 1\}$ is equal to the probability that a distinct value $v$ with $f(i) = v$ is hit. The probability is $\Pr[f(i) = v, \forall i \in \mathbb{Z}_p^*] \approx \frac{1}{2^l}$.

We finally state that the adversary’s advantage of breaking Shamir’s Secret Sharing scheme with only $k$ shares is $\frac{1}{2^l}$, which is negligible for large groups.

Security against Passive Adversaries

In the distributed key generation phase, each party $P_i$ generates a Shamir Secret Sharing scheme with a personal random polynomial $f_i(x)$. The associated shares $u_{i,j} = f_i(j)$, $\forall j \in U$ are confidentially broadcast to all other parties.

Claim 4.2.1 (Security against Passive Adversaries). The proposed threshold cryptography scheme is secure against passive adversaries.


Proof. (Informal) Every node generates its own Shamir’s Secret Sharing scheme, which is known as a secure k-resilient (k, n) threshold scheme. Since all schemes are independent of each other, we still have the security level of Shamir’s Secret Sharing scheme. All shares are distributed in a confidential way. Therefore the security of the distribution phase depends on the security of the public key encryption scheme that is used for the confidential transmissions. Neither an internal nor an external passive adversary is able to gain access to $k + 1$ shares, because all shares are encrypted with the public key of the corresponding participant.

Due to the use of Shamir’s secret sharing scheme as basis for our scheme, we just provide informal security proofs for the phases of our scheme that differ from Shamir’s scheme and that are therefore able to leak knowledge to an adversary.

Adding

Phase 1a: With the knowledge of ($h - 1 = k$) $\mathit{share}_i$ values, an adversary gains no advantage, because the adversary can recover neither $u_{i,0}$ nor the resulting $u_{n+1,0} = \sum \mathit{share}_i \bmod q$. In the case of the new $u_{i,0}$ values, the former state is unknown (only the difference $\mathit{share}_i$ is known) and in the case of $u_{n+1,0}$ one fully random value $\mathit{share}_i$ is missing. The differences $\delta_i$ give no knowledge about the former state of the secret shares $u_{i,j}$ to which they will be applied. Thus, storing old shares by an inside adversary is futile.

Phase 1b: The first user adds a random value $r$ to the secret products $u_{j,1} * L(n + 1, j)$. A subsequent user (w.l.o.g.) $P_2$ is prevented from recovering the $u_{j,1}$ values due to the addition of the random value $r$, which is transmitted confidentially to $P_{n+1}$. When $P_2$ knows any of the $u_{j,1}$ values, she can recover the value $r$ and with $r$ all other $u_{j,1}$ values. Since the $\omega_j$ are created $\forall j \in U \setminus U_h$ and user $P_2$ is member of $U_h$ (by definition), she does not get knowledge of any value from $u_{j,1}$ ($j \in U \setminus U_h$). In addition to this method, the messages are transmitted confidentially (unicast encryption) to prevent a former user from eavesdropping on the changes of the following user and thereby recovering her secrets.

Phase 2: To prove the security of the remaining scheme, it is necessary to show that $P_{n+1}$ cannot gain any other information from $\omega_i - r$ than $u_{i,n+1}$. $\omega_i$ is a sum of $k + 1$ products of a secret ($u_{j,i}$) and a known value $L(n + 1, j)$. It is not possible to disassemble this sum into the separate addends, since all possibilities have the same probability. The secret values $u_{n+1,i}$ will be sent encrypted to each user $P_i$, so only the recipient gets the knowledge of these values.

Phase 3: If some of these values are faked or compromised, the scheme will not work. In this case, all changes since the last working state (probably since the last member adding) can be undone.

Removing

Phase 1: The proof for the security of the removing is quite similar to the adding of members. Equal techniques are applied, so that we will only give proofs where differences exist. $k + 1$ members work together to recover the secret $u_{r,0}$ of user $P_r$, who should be removed from the group. This is done by computing $\omega_i := L(0, i) * u_{r,i} \bmod q$, which can be sent in cleartext, since there is no need to keep the shares $u_{r,*}$ of user $P_r$ secret. Furthermore it is possible to send difference polynomials $\delta_i(x)$ instead of the difference values for each user in $U$. Each user can recover $u_{r,0}$, but this will not impact the scheme negatively, hence there is no need to protect the privacy of $u_{r,0}$ (or $f_r(x)$).

Phase 2: It is necessary to prohibit $P_z$ from altering the $\delta_i(x)$ in such a way that the sum stays equal but the individual values differ. This is achieved by signing $\delta_i(x)$.

Outlook: Security against Active Adversaries

We consider an active adversary that is capable of manipulating sent messages and participating in the protocol. Without the knowledge of the used keys, which are used to send data in a confidential way, an active adversary gains no information about the data. Firstly, wrongly encrypted or random data is dropped by the participating members. Secondly, trustworthy members will not decrypt data for other participants and therefore do not act as a decryption oracle. To prevent secret share manipulation, verifiable secret sharing (VSS) techniques can be used to prove the shares’ authenticity [107].

4.2.5 Conclusion

This is the first time a threshold cryptosystem with the ability to remove members without changing the public key is proposed. Furthermore, our scheme does not depend on a trusted third party. For adding and removing members, we extended the ideas from Herzberg et al. [116] that were used to refresh member shares. Our cryptographic contribution is a threshold cryptosystem that exceeds those trivial extensions (for adding and removing members) of Herzberg’s scheme in efficiency aspects. Due to its dynamics, our scheme can be deployed in emerging technologies such as mesh or ad-hoc networks, where members join and leave frequently. Without a TTP, our scheme fits all kinds of decentralized networks where the location is not fixed to a specific area.

The common application of our scheme will clearly be the threshold signature (based on DL, in contrast to [115]). Besides that, our scheme is also usable in shared decryption scenarios. When using a threshold signature with our scheme, the security property non-repudiation is provided for the group. All group members have the same functionality and equal knowledge, so that there is in fact no distinguished member. No single entity (e.g. TTP) has knowledge of the group’s secret key. The group cannot deny that at least $k + 1$ members worked together to compute the signature. Therefore an outside entity can be sure that a valid signature has been created by the group.

Reducing the complexity of dynamic threshold schemes and providing an efficient non-interactive DL-based threshold signature scheme optimized for our scheme remain open challenges.


4.3 Efficient Authenticated Roaming via Tunnels Wireless LAN is a very popular communication medium to date, since it allows its users to be mobile while still having access to all services they usually use in a wired LAN. Recent technologies like IEEE 802.11a/g/n also allow a very high bandwidth, so that the advantages from the wired alternative become smaller and smaller. To let wireless LAN become even more attractive, the coverage has to be improved further on, so that everyone has everywhere access to his preferred services. Of course, it is not possible to realize a single wireless LAN that covers a whole city region. That means, it is necessary to work with several smaller wireless networks that may be operated by foreign network providers. Therefore a cooperation with foreign network providers is required. There are three problems to solve: 1. When connecting to foreign wireless LAN providers, it is important to preserve the own security. 2. While switching between two wireless LAN cells, current running services like VoIP, video or audio streaming should not be affected. 3. The foreign wireless LAN provider clearly wants to get paid for the service he provides; that means, a fair accounting must be arranged. Imagine a whole city covered with wireless nodes from private users. Most of them have a direct connection to the Internet and are able to distribute their Internet link over wireless LAN. There are several companies which want to provide seamless Internet access in the whole city by using the given infrastructure. These companies offer an accounting model for all private users who share their Internet connectivity, so that the companies’ customers may use these Internet links. The task is, to provide a network protocol that authenticates the companies’ customers to the companies and offers fair accounting for the private users, that share their Internet connection with the customers. 
Competing technologies to IEEE 802.11 wireless LAN are GSM [117], UMTS [118] and LTE [119], which normally offer a larger coverage per wireless cell. Efficient roaming is also an important task for these wireless technologies; the main difference to wireless LAN is that private persons are not allowed to set up a base station (the equivalent of an access point in wireless LAN) for these technologies. For that reason, GSM, UMTS and LTE are less interesting for setting up a community-controlled city-wide wireless network.

Sastry et al. [120] made a new proposal for the network structure that is needed to realize city-wide wireless LAN access. In short, they propose that a foreign network provider (in the following called F) only relays the traffic between the mobile node (called M) and the home network (called H), which then acts as a proxy server for all services the mobile node wants to access. The communication between the mobile node and the home network is protected by a confidential and authenticated tunnel to improve security. The big advantage of this solution is that the risk of misuse of the foreign network's Internet link drops to zero, because all services (including Internet access) are provided by the home network. The single purpose of the foreign network F is to relay the tunnel data between the mobile node M and the home network H.

Nevertheless, Sastry et al. did not propose a concrete implementation for this solution. Manulis et al. [121] extended this idea with a concrete secure authentication and key establishment protocol for three parties. This protocol accomplishes mutual authentication between M, H and F, H, which is necessary for the secure communication and can later also be used for accounting purposes. Their proposed protocol is not optimized for efficiency in terms of roaming.

We propose a new network protocol that is optimized for roaming, even when multimedia services like VoIP or video streaming are in use. Compared with the protocol proposed by Manulis et al., efficiency is strongly improved by relying on symmetric cryptography (smaller messages, faster operations) and avoiding asymmetric cryptographic operations at runtime. While the WRT protocol by Manulis et al. needs six asymmetric cryptographic operations, our protocol needs none at runtime. Moreover, because there are no asymmetric cryptographic operations at runtime, our protocol saves communication overhead, since messages become smaller (e.g. from 1024 bit to 128 bit) with symmetric cryptographic fields.

Protocol Participants and Keys

The protocol participants are the mobile device M, a foreign network F and a home network H. The user of the mobile device M has a service contract with a home network H, which gives him access to several services provided by H wherever an appropriate network infrastructure is given. An appropriate network infrastructure is realized through the nodes of the foreign network F, which provide wireless access for all M on the one side and a fast link to the home network H on the other side.

We assume that M and H are in possession of a common long-term key k_MH that is chosen with respect to the security parameter l. For relaying data between M and H, the foreign network wants to get paid. Therefore there is another contract between each foreign network F and home network H. Because there may be a lot of different home networks and even more foreign networks, it is not efficient to provide a symmetric key between each foreign network and each home network. For that reason, each foreign network F and home network H own a Diffie-Hellman public key pair {SK, PK} which is chosen with regard to the security parameter l.

Instances and Protocol Sessions

We have multiple mobile devices M, foreign networks F and home networks H, each of which runs several instances that may participate in several parallel protocol sessions.

In a protocol session, an instance of H, M, F accepts (ACCEPT) or aborts (ABORT) depending on whether the protocol execution was successful with respect to the protocol aims.


Trust Assumptions

Before protocol execution, the mobile device M and the home network H share some credentials that allow them to perform mutual authentication, which is necessary for establishing a trusted communication tunnel. Since H provides a service for M, both parties must have a contract with each other, including credentials on the one hand and rules for accounting and usage on the other hand.

The foreign network F is responsible for relaying the tunnel data between the mobile device M and the home network H. Mutual authentication between F and H is required, because the foreign network F clearly wants to get paid for the forwarding service it provides and must therefore be aware of H's identity. Additionally, the home network H wants to be sure about F's identity to realize a fair payment. Furthermore, credentials between F and H are necessary to support the accounting process.

The mobile device M is implicitly authenticated to the foreign network F by the fact that H accepts in the protocol. The same applies for the foreign network F towards M, because the mobile device M is assured that H would not have accepted if the authentication between F and H had failed.

Security Goals

Now we state the security goals that have to be achieved between the mobile device M, the foreign network F and the home network H.

Between M and H, mutual authentication, integrity and confidentiality are required. These goals can be obtained by using symmetric cryptographic methods based on key material that is agreed on by both sides. Non-repudiation is not explicitly required, so no asymmetric cryptography is necessary.

Between F and H, mutual authentication is required for accounting. Both sides have to be sure about the identity of the other party, so that one side can account its provided service and the other side will accept the issued bill.

4.3.1 Roaming Protocol (EAWRT)

Building Blocks

Now we itemize the cryptographic primitives that are used by the proposed protocol EAWRT (Fig. 4.1).

• A message authentication code (MAC) that satisfies weak unforgeability against chosen message attacks (WUF-CMA) [122]. A MAC is verified with ver_key(value).

• A pseudo random function PRF: {0,1}^l × {0,1}^* → {0,1}^* for key derivation.

• A symmetric encryption scheme that satisfies the indistinguishability property under adaptive chosen ciphertext attacks (IND-CCA2) [123].

• A static Diffie-Hellman key agreement over a DH group, where the decisional Diffie-Hellman (DDH) assumption holds.

• A set of database operations: lookup(AID_M) searches for the given index AID_M and returns the corresponding identity (M). add() inserts a new assignment: AID_M → M.

• A set of verification functions: validate and verify. validate checks whether a value is within a logical range. The range may be of length one (an expected value). verify is used when the expected value must be cryptographically computed, e.g. when the expected value must be hashed.

Protocol Definition

In the following, we propose a new protocol for the wireless roaming via tunnels scenario. We introduce a more efficient protocol than that of Manulis et al. by abandoning digital signatures and asymmetric encryption. Due to this, we have smaller messages and need less computation time.

Long-term values:
   Mobile Device M:    {k_M, AID_M}
   Foreign Network F:  {SK_F := f, PK_F := g^f}
   Home Network H:     {k_M : ∀M, AID_M : ∀M, SK_H := h, PK_H := g^h}

1. M:  r_M ∈_R {0,1}^l
   M → F:  H, AID_M, r_M

2. F:  r_F ∈_R {0,1}^l
       tk_FH := PK_H^{SK_F}
   F → H:  AID_M, r_M, F, r_F

3. H:  r_H ∈_R {0,1}^l
       tk_FH := PK_F^{SK_H}
       lookup(AID_M) → M ∨ ABORT
       SID := H, AID_M, F, r_H, r_M, r_F
       k_MH := PRF_{k_M}(SID)
       k_FH := PRF_{tk_FH}(SID)
       MAC-1 := MAC_{k_MH}(SID | l_1)
       E_F := enc_{k_FH}(r_F, MAC-1)
   H → F:  r_H, E_F

4. F:  SID := H, AID_M, F, r_H, r_M, r_F
       k_FH := PRF_{tk_FH}(SID)
       ⟨r'_F, MAC-1⟩ := dec_{k_FH}(E_F)
       validate(r'_F) → ACCEPT ∨ ABORT
   F → M:  F, r_F, r_H, MAC-1

5. M:  SID := H, AID_M, F, r_H, r_M, r_F
       k_MH := PRF_{k_M}(SID)
       ver_{k_MH}(MAC-1) → ACCEPT ∨ ABORT
       AID_M := PRF_{k_MH}(M)
       MAC-2 := MAC_{k_MH}(MAC-1 | l_2)
   M → F:  MAC-2

6. F → H:  MAC-2

7. H:  ver_{k_MH}(MAC-2) → ACCEPT ∨ ABORT
       AID_M := PRF_{k_MH}(M)
       add(AID_M → M)

Fig. 4.1. Efficient Authenticated Wireless Roaming via Tunnels (EAWRT)
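The message flow of Figure 4.1 as a runnable sketch, added here as an illustration and not taken from the thesis or its implementation. HMAC-SHA256 stands in for both PRF and MAC, an encrypt-then-MAC construction stands in for the IND-CCA2 scheme, and the DH group (p = 2^127 - 1, g = 3), the labels l1/l2 and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

L = 16                    # 128-bit nonces and keys, as in the text
P, G = 2**127 - 1, 3      # toy DH group (assumption): far too small for real use


class Abort(Exception):
    """A protocol instance reached ABORT."""


def prf(key, *fields):
    """Stand-in for PRF and MAC: HMAC-SHA256 over length-prefixed fields."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


def _xor_stream(key, nonce, data):
    stream = b""
    while len(stream) < len(data):
        stream += prf(key, nonce, len(stream).to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream))


def enc(key, plaintext):
    """Encrypt-then-MAC stand-in for the IND-CCA2 symmetric scheme."""
    nonce = secrets.token_bytes(L)
    body = _xor_stream(prf(key, b"enc"), nonce, plaintext)
    return nonce + body + prf(prf(key, b"mac"), nonce, body)


def dec(key, blob):
    nonce, body, tag = blob[:L], blob[L:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), nonce, body)):
        raise Abort("F: E_F failed the integrity check")
    return _xor_stream(prf(key, b"enc"), nonce, body)


def dh_key(own_secret, peer_public):
    """Static Diffie-Hellman value tk_FH, encoded as 16 bytes."""
    return pow(peer_public, own_secret, P).to_bytes(16, "big")


def _flip(data):
    """Flip one bit, to model a modification on the wire."""
    return bytes([data[0] ^ 1]) + data[1:]


def run_eawrt(tamper=None):
    """Run one session; tamper in {None, "E_F", "MAC-1", "MAC-2"} alters that field in transit."""
    id_m, id_f, id_h = b"M", b"F", b"H"
    k_m, aid_m = secrets.token_bytes(L), secrets.token_bytes(L)
    f, h = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    pk_f, pk_h = pow(G, f, P), pow(G, h, P)
    db = {aid_m: (id_m, k_m)}                     # H's table: AID_M -> (M, k_M)

    r_m = secrets.token_bytes(L)                  # M -> F: H, AID_M, r_M
    r_f = secrets.token_bytes(L)                  # F -> H: AID_M, r_M, F, r_F
    tk_f = dh_key(f, pk_h)

    # Home network H
    r_h = secrets.token_bytes(L)
    if aid_m not in db:
        raise Abort("H: unknown AID_M")
    ident, key = db[aid_m]
    sid = (id_h, aid_m, id_f, r_h, r_m, r_f)
    k_mh_h = prf(key, *sid)
    k_fh_h = prf(dh_key(h, pk_f), *sid)
    mac1 = prf(k_mh_h, *sid, b"l1")
    e_f = enc(k_fh_h, r_f + mac1)                 # H -> F: r_H, E_F
    if tamper == "E_F":
        e_f = _flip(e_f)

    # Foreign network F
    k_fh_f = prf(tk_f, *sid)
    plain = dec(k_fh_f, e_f)
    if not hmac.compare_digest(plain[:L], r_f):   # validate(r'_F)
        raise Abort("F: r_F mismatch")
    mac1_wire = plain[L:]                         # F -> M: F, r_F, r_H, MAC-1
    if tamper == "MAC-1":
        mac1_wire = _flip(mac1_wire)

    # Mobile device M
    k_mh_m = prf(k_m, *sid)
    if not hmac.compare_digest(mac1_wire, prf(k_mh_m, *sid, b"l1")):
        raise Abort("M: MAC-1 invalid")
    new_aid_m = prf(k_mh_m, id_m)
    mac2 = prf(k_mh_m, mac1_wire, b"l2")          # M -> F -> H: MAC-2
    if tamper == "MAC-2":
        mac2 = _flip(mac2)

    # Home network H
    if not hmac.compare_digest(mac2, prf(k_mh_h, mac1, b"l2")):
        raise Abort("H: MAC-2 invalid")
    new_aid_h = prf(k_mh_h, ident)
    db[new_aid_h] = (ident, key)                  # add(AID_M -> M)
    return {"k_MH": (k_mh_m, k_mh_h), "k_FH": (k_fh_f, k_fh_h),
            "AID": (new_aid_m, new_aid_h), "db": db}
```

Calling `run_eawrt()` returns the keys and the new anonymous identity as seen by each side; passing `tamper` shows which party aborts when a given field is altered in transit.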


The EAWRT protocol is shown in Figure 4.1. M, F, H are the identities of the participants and AID_M is the anonymous identity of M.

SK_i = i, PK_i = g^i mod p are the private resp. public Diffie-Hellman parameters for i ∈ {F, H}, whereby the DDH assumption holds in this group. In detail (but not shown in the figure), there is also a big prime p that conforms to the security level l and a base g that generates Z_p^*.

Security

The security proof can be done similarly to the proof presented by Manulis et al. [121], using an adapted Bellare and Rogaway [124] model and the sequence of games technique by Shoup [125]. We present an informal security proof here.

Theorem 4.2. The EAWRT protocol provides Mutual Authentication between M and H.

In EAWRT there is a shared key k_M between M and H, a MAC construction (MAC-1 and MAC-2) using the shared key k_M and a common session ID (SID) which consists of fresh nonces (r_H, r_M, r_F) from all participants.

Proof. (Informal) An adversary is not in possession of the shared key k_M and is therefore not able to create a valid MAC-1. When M gets MAC-1, which is created using a shared key k_M between M and H over a fresh value SID, H is authenticated towards M because H is the only other participant besides M himself who knows k_M. The value SID is fresh because it contains three fresh nonces r_H, r_M, r_F, one from each participant. By this means, replay attacks are excluded.

Furthermore, the adversary is not able to compute a valid MAC-2 (over a fresh value SID) since he does not know k_M. If H gets a valid MAC-2, he knows that M has authenticated successfully, since only M is in possession of the shared key k_M (only used between M and H).

All in all, mutual authentication between M and H is provided, because both participants M and H have brought fresh proofs of possession of the shared key k_M. It is obvious that an adversary is not able to impersonate one of the protocol participants M and H, because the adversary does not know the shared key k_M and additionally every protocol session is fresh due to a fresh SID, so that replay attacks are not possible either.

Theorem 4.3. The EAWRT protocol provides Mutual Authentication between F and H.

F and H have a common shared key tk_FH (and k_FH, which is derived from tk_FH), which originates from a static Diffie-Hellman key exchange using the public key pairs of both. Authentication is reached with an encryption challenge (E_F containing a fresh nonce r_F).

Proof. (Informal) H becomes implicitly authenticated towards F if H is able to compute a valid encryption E_F over a fresh nonce r_F from F with their shared key tk_FH. An adversary is not able to compute a valid encryption over the fresh value since he is not able to recover the shared Diffie-Hellman key tk_FH.

F is implicitly authenticated towards H when MAC-2 arrives at H, because MAC-2 cannot be computed without MAC-1, which is encrypted for F in the message E_F with key k_FH (derived from tk_FH and SID). So H knows on arrival of MAC-2 that F has successfully decrypted E_F, which brings the proof of possession of the shared key k_FH. An adversary is not able to create a valid MAC-1 (or MAC-2), because for this he would have to break the encryption E_F (key k_FH) or find a MAC collision.

It is obvious that an adversary is not able to impersonate one of the protocol participants F and H, because the adversary is not able to compute the Diffie-Hellman key tk_FH that is necessary to create a forged MAC-1 or MAC-2 in a further step. Additionally, every protocol session is fresh due to a fresh SID, so that replay attacks are not possible either.

4.3.2 Efficiency of EAWRT

In comparison with the WRT protocol from Manulis et al. [121], the EAWRT protocol has some obvious advantages with respect to performance, since we abandon digital signatures and asymmetric encryption. Due to this, we have notably smaller messages and need less computation time. This approach fits mobile devices particularly well, because their computation power and battery power are limited.

Moreover, we are able to improve the performance of EAWRT even more by applying some precomputations. The computation of tk_FH, the static Diffie-Hellman key, is computationally expensive but has to be done only once for all protocol instances with the same F and H.

So this key can be computed at the first contact between F and H and then stored for later use.

After the last message of the EAWRT protocol, H verifies MAC-2 by comparison with a self-computed MAC-2. This computation can be done earlier to save time: the verification value MAC-2 can be computed by H right after sending out its message ⟨r_H, E_F⟩, while waiting for the last message of the protocol.

In direct comparison with the WRT protocol from Manulis et al., EAWRT has no asymmetric operations at runtime, whereas WRT needs 6 asymmetric operations (2 digital signatures [σ_H, σ_F], 2 signature verifications [σ_H, σ_F], 1 encryption and 1 decryption [X]) at runtime.

Additionally, symmetric operations lead to smaller message sizes (e.g. from 1024 bit to 128 bit fields), which reduces the overall communication overhead.

4.3.3 Conclusion

We have presented an optimized AWRT protocol (named EAWRT) that fulfills the requirements proposed by Manulis et al. [121]. Our protocol is more efficient than the protocol of Manulis et al. since we avoid asymmetric cryptographic operations during runtime (vs. 6 asymmetric operations in Manulis' protocol), which notably increase the latency for the nodes. Furthermore, our protocol has smaller messages due to the use of symmetric cryptographic operations, which reduces the communication overhead (e.g. 1024 bit vs. 128 bit messages).

Near-realtime services like VoIP or video chats in roaming cases become possible because of the efficient protocol design of EAWRT. Therefore even the use in single radio wireless mesh networks, which are the least performant type of WMN, is imaginable.


4.4 An efficient EAP Protocol for Wireless Handover (EAP-MPA)

Wi-Fi Protected Access (WPA) is the common standard for securing wireless networks today. The WPA security concept was introduced in IEEE 802.11i [18] and defines two operation modes to establish a secure wireless infrastructure for wireless networks: personal and enterprise mode. The personal mode, normally used in the small office and home office (SoHo) environment, uses a common pre-shared key (PSK) to provide authentication and confidentiality. This pre-shared key must be manually configured in all mobile devices and access points. In contrast, enterprise networks use a central authentication server (e.g. RADIUS [21] or Diameter [22]) to authenticate the associated wireless clients via IEEE 802.1X [19]. Companies usually go for the enterprise mode because of the central administration ability, the possibility of linking the wireless accounts to existing authentication databases and, last but not least, for higher security.

In this section, we focus on mobile clients in the enterprise setting. These are mobile users who use small wireless devices for audio/video telephony, multimedia applications or remote control purposes. IP phones on the university campus or business premises, or video streaming to a smartphone user on the move, are practical examples. An important business use case (e.g. in the mining industry) is furthermore the remote control and monitoring of mobile machinery. Furthermore, the upcoming IEEE 802.11s [6] wireless mesh standard will also support the enterprise mode.

Roaming between two access points or mesh routers in most cases means delay or packet loss due to long authentication times. This can be very annoying in realtime communication or can even interrupt the connection under certain conditions. In the case of remote control, delay and packet loss due to handover can easily lead to dangerous incidents. Thus the delay and packet loss rate must be minimized for these scenarios.

We present a secure authentication solution for the enterprise setting that is optimized for fast handover. Due to the optimization, which leads to smaller authentication delays, the new protocol is able to deal with (near) realtime communication in handover cases.

4.4.1 Our Contribution

We present an efficient Extensible Authentication Protocol (EAP) [20] method for use with a RADIUS [21] or Diameter [22] authentication server. Our EAP protocol is called Mutual Preimage Authentication (MPA) due to its use of cryptographic hash functions for the authentication of both sides. With an improved hash chain technique, we achieve a secure key agreement and mutual authentication with only two cryptographic protocol messages that just use symmetric cryptography. Even more, the protocol provides non-repudiation for the authentication process, which is in contrast not given by trivial (two message) key derivation techniques (e.g. key derivation based on a shared secret and an exchanged random nonce). Note additionally that a secure authentication and key exchange is not possible with only two messages using conventional symmetric methods. The provided security level is underlined by an informal security proof in section 4.4.4.


Additionally, we contribute an implementation of EAP-MPA within the Host AP project [126] that consists of an access point part with integrated RADIUS authentication server (hostapd) and a supplicant part (wpa_supplicant). We evaluate the runtime performance of EAP-MPA and several widespread EAP protocols (EAP-TLS [127][128], EAP-TTLS [129], EAP-PSK [130]) in a practical test and provide a performance comparison in section 4.4.5 of our work.

Roaming or authentication time optimized EAP protocols are quite rare in practice. EAP-PSK is (as far as we measured) the fastest protocol that is supported by common RADIUS servers (protocol details in [23]). Cordasco et al. propose EAP-TLS-KS [131], an EAP-TLS variant that is optimized for fast roaming. While they achieve a slight improvement in the authentication time in comparison with EAP-TLS, they demand a modification of the EAP protocol messages at the authenticator, which makes the protocol incompatible with the EAP standard. As we consider a scenario with standard components, we left this protocol out.

4.4.2 Protocol Overview

The mutual preimage authentication protocol (MPA) consists of two phases: a main phase (phase 1) that is optimized for fast handover and an initialization phase (phase 0) that is called once before the first run of the main phase.

In the main phase (Figure 4.2), both participants are mutually and non-repudiably authenticated by sending a preimage that is verified with a cryptographic hash function on the other side. Together with each preimage, an encrypted image for the next authentication process is transmitted. Obviously the protocol must prevent this image from being replaced or modified, since a successful attack would break the mutual authentication property. The authentication concept is similar to a hash chain authentication, whereby in this case the hash chains have a length of one and are overlapping. With this authentication concept, we are able to do mutual authentication and key agreement at the same time with only two protocol messages.

The protocol works as follows: Before the protocol starts, both participants know the values EK_A, EK_B (encryption keys), AUTH_A/B (hash value of NXTPROOF_B/A of the other party) and PROOF_A/B (own NXTPROOF_A/B value) from the previous session. The server B chooses NXTPROOF_B randomly and encrypts the hash value of it (NXT_B), the NXTPROOF_B value from the previous session, the ID of A and an integrity protection value IP_B. The client A can decrypt the message and check whether PROOF_B is the preimage of NXT_B from the previous session. In this way, the current session is non-repudiably combined with the previous session. Furthermore, the client A receives the AUTH_B = NXT_B value for the authentication of server B in the next session in a confidential and integrity-protected way. When all tests are successful (integrity protection and matching preimage), client A encrypts a message for server B that is assembled in the same way as the message from server B. After reception of the encrypted message, server B decrypts it and applies the same tests to the message that client A has applied to the first message.


A (Client/Supplicant)       known: EK_A, EK_B, AUTH_B, PROOF_A
B (Authentication Server)   known: EK_A, EK_B, AUTH_A, PROOF_B

1. B:  NXTPROOF_B ∈_R F_2^n
       NXT_B := Hash(NXTPROOF_B)
       IP_B := Hash(NXT_B, PROOF_B, ID_A)
   B → A:  enc_{EK_B}(NXT_B, PROOF_B, ID_A, IP_B)

2. A:  IP_B =? Hash(NXT_B, PROOF_B, ID_A)
       AUTH_B =? Hash(PROOF_B)
       IF verifications false THEN STOP
       NXTPROOF_A ∈_R F_2^n
       NXT_A := Hash(NXTPROOF_A)
       IP_A := Hash(NXT_A, PROOF_A, ID_B)
       K_AB := Prf(EK_A, EK_B, PROOF_A, PROOF_B, NXT_A, NXT_B)(const)
       Next: EK_A := Hash(NXT_B, PROOF_B, ID_B, IP_A)
       Next: EK_B := Hash(NXT_A, PROOF_A, ID_A, IP_B)
       Next: AUTH_B := NXT_B
       Next: PROOF_A := NXTPROOF_A
   A → B:  ID_A, enc_{EK_A}(NXT_A, PROOF_A, ID_B, IP_A)

3. B:  IP_A =? Hash(NXT_A, PROOF_A, ID_B)
       AUTH_A =? Hash(PROOF_A)
       IF verifications true THEN ACCEPT
       K_AB := Prf(EK_A, EK_B, PROOF_A, PROOF_B, NXT_A, NXT_B)(const)
       Next: EK_A := Hash(NXT_B, PROOF_B, ID_B, IP_A)
       Next: EK_B := Hash(NXT_A, PROOF_A, ID_A, IP_B)
       Next: AUTH_A := NXT_A
       Next: PROOF_B := NXTPROOF_B
   B → A:  EAP-Success

4. A:  ACCEPT

Fig. 4.2. EAP-MPA - Main phase (1)
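The preimage checks and state rollover of the main phase in Figure 4.2, as an added example that is not part of the thesis or of the hostapd implementation it describes. It models the message contents after decryption (the enc layer is left out), uses SHA-256 as Hash and HMAC-SHA256 as Prf, and starts from a state built like the Next values of phase 0; the class, function and identity names are assumptions.

```python
import hashlib
import hmac
import secrets


def hash_fields(*fields):
    """Hash over length-prefixed fields; SHA-256 is an assumption."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


class Party:
    """State one side carries from session to session."""

    def __init__(self, own_id, peer_id, ek_a, ek_b, auth_peer, proof):
        self.id, self.peer = own_id, peer_id
        self.ek_a, self.ek_b = ek_a, ek_b
        self.auth_peer = auth_peer   # AUTH: image of the peer's next preimage
        self.proof = proof           # PROOF: own preimage, revealed this session
        self.nxt_proof = None        # NXTPROOF: preimage for the next session

    def build(self):
        """Message contents (NXT, PROOF, ID_peer, IP) before encryption."""
        self.nxt_proof = secrets.token_bytes(32)
        nxt = hash_fields(self.nxt_proof)
        return (nxt, self.proof, self.peer, hash_fields(nxt, self.proof, self.peer))

    def check(self, msg):
        """IP =? Hash(NXT, PROOF, ID) and AUTH =? Hash(PROOF)."""
        nxt, proof, ident, ip = msg
        ip_ok = hmac.compare_digest(ip, hash_fields(nxt, proof, ident))
        auth_ok = hmac.compare_digest(self.auth_peer, hash_fields(proof))
        return ident == self.id and ip_ok and auth_ok

    def finish(self, msg_a, msg_b):
        """Derive K_AB from the current state, then apply the 'Next:' updates."""
        (nxt_a, proof_a, id_b, ip_a), (nxt_b, proof_b, id_a, ip_b) = msg_a, msg_b
        seed = b"".join((self.ek_a, self.ek_b, proof_a, proof_b, nxt_a, nxt_b))
        k_ab = hmac.new(seed, b"const", hashlib.sha256).digest()
        self.ek_a = hash_fields(nxt_b, proof_b, id_b, ip_a)
        self.ek_b = hash_fields(nxt_a, proof_a, id_a, ip_b)
        self.auth_peer = nxt_b if self.id == id_a else nxt_a
        self.proof = self.nxt_proof
        return k_ab


def setup(id_a=b"client-A", id_b=b"server-B"):
    """Stand-in for phase 0: both sides end up with the state of Fig. 4.3."""
    proof_a, proof_b = secrets.token_bytes(32), secrets.token_bytes(32)
    nxt_a, nxt_b = hash_fields(proof_a), hash_fields(proof_b)
    ek_a = hash_fields(id_b, id_a, nxt_a)
    ek_b = hash_fields(id_a, id_b, nxt_b)
    client = Party(id_a, id_b, ek_a, ek_b, nxt_b, proof_a)
    server = Party(id_b, id_a, ek_a, ek_b, nxt_a, proof_b)
    return client, server


def main_phase(client, server, inject=None):
    """One main-phase run; `inject` replaces the server message seen by A.

    Returns (K_AB at A, K_AB at B, server message) or raises ValueError.
    """
    msg_b = server.build()
    wire_b = msg_b if inject is None else inject
    if not client.check(wire_b):
        raise ValueError("A: STOP, server message rejected")
    msg_a = client.build()
    key_a = client.finish(msg_a, wire_b)
    if not server.check(msg_a):
        raise ValueError("B: client message rejected")
    key_b = server.finish(msg_a, msg_b)
    return key_a, key_b, msg_b
```

Feeding a server message recorded in an earlier session back in through `inject` is rejected by the AUTH check alone, because A's stored image has already moved on to the next link of the chain.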

Before being able to authenticate with the normal protocol phase, an initialization phase (phase 0) must be completed to establish the necessary images on both sides (Figure 4.3). Phase 0 must provide a high security level, since the validity of the authentication in the main phase depends on a successful phase 0 authentication. Therefore the initialization phase is able to use a certificate-based authentication, which leads to a longer handover time. However, phase 0 is only called once before a (theoretically unlimited) series of MPA main phases.

For usability reasons, we optionally provide a pre-shared key (PSK) and a hybrid authentication in the initialization phase. The pre-shared key mode is used for scenarios where no public key infrastructure can be deployed; both sides are mutually authenticated with the PSK. In the hybrid mode, only the server is authenticated with a certificate, the user with a pre-shared key.

A (Client)   known: PSK or (CERT_A, PK_A, SK_A)
             NXTPROOF_A, N_A ∈_R F_2^n
             NXT_A := Hash(NXTPROOF_A)

B (Server)   known: PSK or (CERT_B, PK_B, SK_B)
             NXTPROOF_B, N_B ∈_R F_2^n
             NXT_B := Hash(NXTPROOF_B)

1. B → A:  ID_B, MODE, [CERT_B]
2. A → B:  ID_A, enc_{PK_B/PSK}(N_A, ID_A), [CERT_A]
3. B → A:  enc_{PK_A/PSK}(NXT_B, N_B, N_A, ID_B, Hash(all))
4. A → B:  enc_{PK_B/PSK}(NXT_A, N_B, Hash(all))

ACCEPT

A:  Next: EK_A := Hash(ID_B, ID_A, NXT_A)
    Next: EK_B := Hash(ID_A, ID_B, NXT_B)
    Next: AUTH_B := NXT_B
    Next: PROOF_A := NXTPROOF_A

B:  Next: EK_A := Hash(ID_B, ID_A, NXT_A)
    Next: EK_B := Hash(ID_A, ID_B, NXT_B)
    Next: AUTH_A := NXT_A
    Next: PROOF_B := NXTPROOF_B

5. B → A:  EAP-Success

ACCEPT

Fig. 4.3. EAP-MPA - Initialization phase (0)

This is similar to e.g. EAP-TTLS/CHAP, which is often used in this way, because the operator does not need to issue certificates for all clients (which means lower management costs).

The first message originates from the server B and contains the chosen encryption mode (symmetric/asymmetric/hybrid), its ID and optionally the certificate of server B. Client A chooses a random nonce N_A and encrypts it together with its own ID for server B; a certificate is attached optionally. After decryption, server B chooses a random nonce N_B and a random value NXTPROOF_B. Then server B encrypts a message for client A that contains the hash value NXT_B of NXTPROOF_B, the nonce N_B, the client nonce N_A, its ID_B and an integrity-protecting hash value Hash(all) over all communicated messages up to this point (including the data in message 3).

Client A decrypts, verifies and assembles the last cryptographic protocol message. The hash value NXT_A of the randomly chosen value NXTPROOF_A, the server nonce N_B and an integrity-protecting hash value Hash(all) over all communicated messages up to this point (including the data in message 4) are encrypted for server B. After the successful verification at server B, the EAP-Success message is sent.

4.4.3 Security Model

Protocol Participants and Keys

We have two protocol participants in our extensible authentication protocol EAP-MPA: Client 'C' (Supplicant) and Authentication Server 'S'. In a practical scenario there is another party, the Authenticator (access point). But since this party just forwards the data between both other parties, it plays no role in the protocol design or in the security proof.

On the Client and the Authentication Server we need several preliminary values depending on which protocol phase is used. The main protocol needs a set of established values on both sides: EK_A, EK_B, AUTH_A/B and PROOF_A/B, whereby the initialization phase (phase 0) is able to agree on these values on the basis of either a pre-shared key PSK (i.e. password) or a public key pair {PK_A/B, SK_A/B} with a certificate CERT_A/B.

Instances and Protocol Sessions

The number of clients C may be very high and it is even likely that there are different authentication servers S in use. We therefore assume that it is possible that the same clients C or authentication servers S are participants in parallel protocol sessions. We want to extend this by saying that it is possible that there are different protocol sessions with exactly the same C and S.

An instance of C, S in a protocol session calls ACCEPT or ABORT depending on whether the protocol execution was successful with respect to the protocol aims.

Adversarial Model

The adversary A is modeled as a probabilistic polynomial time (PPT) machine which has full control over the communication and protocol invocations. This means that adversary A is able to eavesdrop on, manipulate and inject messages and, in addition, to trigger and abort protocol sessions with arbitrary participants.

Building Blocks

In this section, we list the cryptographic primitives that are used by both phases of our EAP protocol: the initialization and main phase.

• A cryptographic hash function that provides preimage, second preimage and collision resistance [132]. Hash: {0,1}^* → {0,1}^l. Using hash functions for message authentication is discussed in [133].

• A pseudo random function PRF: {0,1}^l × {0,1}^* → {0,1}^* for key derivation.

• An asymmetric encryption scheme that satisfies the indistinguishability property under adaptive chosen ciphertext attacks (IND-CCA2) [123].

• A symmetric encryption scheme with integrity protection that satisfies the indistinguishability property under adaptive chosen ciphertext attacks (IND-CCA2) [123].

4.4.4 Security

We give an informal security proof for both phases of the EAP-MPA protocol: main and initialization.

Theorem 4.4. The EAP-MPA main phase provides Mutual Authentication and Non-Repudiation.

In the main phase there are two messages that are nearly identical in structure. Both messages include an encryption with a pre-shared key EK_A respectively EK_B over a value NXT, PROOF, the ID of the other participant and an IP value that is used to determine the integrity of the message. NXT is the hash value of a (fresh) value NXTPROOF randomly chosen by the participant (NXT is needed for verification in the next execution of the main phase). PROOF is the participant's own randomly chosen value NXTPROOF from the last protocol execution; the other participant is able to verify this value by applying the hash function to it and comparing it with the corresponding NXT value from the last execution.

Proof. (Informal) Authentication is provided by presenting the right preimage for a previously given hash value. An adversary is not able to authenticate as one of the participants, because for this the adversary would have to know the right preimage. The used authentication pairs (NXT, PROOF) are only valid for the active session and they are not reused for another session. A replay attack is therefore not possible because the authentication pairs can only be used once.

Furthermore, non-repudiation holds, because an internal adversary (after having sent a PROOF value) cannot show that another participant has sent the PROOF value corresponding to an existing NXT value from the last session. If an adversary were able to send a forged PROOF value, he would also be able to find preimages to given hash values (break the hash function), or the particular preimage/hash value pair has been used before. In conclusion, after providing the preimage, a participant may not deny its authentication, because no other participant could have computed the sent preimage unless he is able to break the applied hash function.

All in all, the main phase provides mutual authentication and non-repudiation, because the authentication process is executed identically on both sides. Moreover, the protocol provides key agreement, as there are fresh session keys available on both sides after the protocol execution and every message containing parts of the session keys is encrypted (with the session key of the last session).

Theorem 4.5. The EAP-MPA initialization phase provides Mutual Authentication.

The initialization phase uses a challenge-response protocol approach. The client sends an encrypted random value N_A to the server, which is then sent back by the server. In the same message, the server sends an encrypted random value (N_B) to the client and expects this value to be mirrored in the next protocol message.

Proof. (Informal) As a pre-shared key or a public key pair is used for the encryption, an adversary is not able to authenticate on behalf of an uncompromised participant. On the one hand, the proof of knowledge of the key is done by performing a valid symmetric decryption of a fresh value and, on the other hand, by successfully decrypting the fresh value with the own private key. In both cases, the value is sent back to the other participant, who verifies that the right fresh value was decrypted. An adversary is not able to impersonate one of the protocol participants, because for this the adversary would need knowledge of the pre-shared key or the private key (for the decryption) of the corresponding participant. Replay is impossible due to the fresh values that must be sent back.


The initialization phase provides mutual authentication, because both participants perform this challenge-response protocol in a similar way. Additionally, the private contents of the encrypted messages (NXT values) are used to compute fresh session keys, so that the initialization phase also has a key agreement functionality.

Note that the initialization phase does not provide non-repudiation in the shared key case, because this security goal would require a preliminary exchange of preimages. Non-repudiation is given in the public key pair case, because successfully decrypting with the own private key (and demonstrating the plaintext) cannot be denied by a participant.

4.4.5 Performance Analysis

This section deals with a performance analysis of EAP-MPA and the comparison with three common EAP protocols.

EAP Protocols

EAP-TLS is one of the most secure EAP protocols, due to its use of client and server certificates for authentication. Furthermore, EAP-TLS is very common, since it is supported by a large number of implementations.

EAP-TTLS authenticates the server with a certificate while allowing the client to use an inner authentication method that can be based on simpler or even faster techniques. We have chosen CHAP as the inner authentication method since it uses only two small messages. Together with EAP-PEAP (which is a little bit slower due to more overhead), EAP-TTLS is one of the most used EAP protocols because it provides client authentication without a PKI and it is integrated in the Microsoft and Cisco implementations.

Both EAP-TLS and EAP-TTLS support fast reconnection, which leads to much smaller authentication times.

EAP-PSK is designed to be very efficient because the authentication relies only on symmetric cryptography (pre-shared key) while using only four messages. EAP-PSK is not very widespread but is nevertheless a candidate for the fastest EAP protocol supported by wireless scenarios.

Performance Results

The performance analysis is based on the access point software hostapd (version 0.6.9, [126]) and the client supplicant software wpa_supplicant (version 0.6.9) under Linux. Since hostapd did not support fast reconnection, a freeRADIUS [134] authentication server was additionally used on the access point device. All tests have been repeated 20 times, where we have noticed a small standard variance confirming their practicability [135].

4.4 An efficient EAP Protocol for Wireless Handover (EAP-MPA)


Fig. 4.4. Performance comparison of all protocol phases

Figure 4.4 shows the time in ms that is consumed by EAP-MPA with different modes (symmetric [0xEE], hybrid [0xEC], asymmetric [0xCC]) and the time used by the EAP protocols EAP-PSK, EAP-TLS and EAP-TTLS/CHAP. The left bars of each protocol (blue) represent the time of the first authentication, whereby this means for EAP-MPA the execution of the initialization and the main phase (both). Additionally there is another issue with the EAP-MPA implementation: Since there is no out-of-the-box fragmentation for large packets in hostapd, we deploy a quite inefficient fragmentation mechanism to allow the transmission of certificates. An improvement of this mechanism will probably create faster results than the corresponding EAP protocol (EAP-MPA[0xCC] vs. EAP-TLS and EAP-MPA[0xEC] vs. EAP-TTLS/CHAP). EAP-PSK, EAP-TLS and EAP-TTLS are used in the normal mode (not fast reconnect).

The right bars of each protocol block (orange) show the performance of the main phases of EAP-MPA, EAP-PSK and the fast reconnect phases of EAP-TLS and EAP-TTLS. As you can see, EAP-MPA provides the fastest results of all protocols when running in the main phase. Figure 4.5 underlines EAP-MPA’s advantage by only comparing the fast protocol phases of the examined EAP protocols. Note that the main phase of EAP-MPA is always the same for the different operation modes.


Fig. 4.5. Performance comparison of the “fast” protocol phases

Finally we have realized an EAP protocol that is twice as fast as EAP-TLS in fast reconnect mode and a third faster than EAP-PSK – which is one of the most efficient EAP protocols to date.

4.4.6 Conclusion

In this section, we have introduced a new EAP protocol that is optimized for fast handover scenarios - the mutual preimage authentication protocol: EAP-MPA. The protocol consists of two phases, a highly secure initialization phase that is executed only once and a fast main phase that is designed for fast execution. We concluded our work with a practical performance analysis that compares our proof of concept implementation with several common EAP protocols regarding their authentication time. With an authentication time of only 10 ms, EAP-MPA (main phase) is the fastest protocol among the common EAP protocols and can therefore be recommended for fast roaming scenarios.

Future work is to provide a well tested and performance optimized EAP-MPA implementation for several operating systems. Furthermore, to enhance the wireless roaming performance, the underlying wireless network stacks must be prepared for fast roaming scenarios, i.e. implementation of smart access point selection mechanisms (best link) and optimizing network stack related timeouts.

Chapter 5 Group Key Agreement in Wireless Mesh Networks

This chapter provides an adaptation of Group Key Agreement (GKA) protocols to Wireless Mesh Networks. Since GKA protocols are well researched in the literature (see related work in section 5.2.1), we especially focus on their performance in WMN. Amir et al. [136] presented a practical performance evaluation of well-known GKA protocols in a wired network scenario, while Kim et al. [137][138] and Liao [28] have shown theoretical results for the performance of GKA protocols. Moreover Zheng et al. [139] provided additional performance results and a security evaluation for GKA protocols. All these results assume the existence of perfect broadcast channels, which are not given in real wireless mesh networks.

The main contributions of this chapter have been published at international conferences or in journals. In the paper “Group Key Agreement for Wireless Mesh Networks” [140], published in the 34th IEEE LCN & Workshops Conference Proceedings, we introduce three group key agreement protocols and the probabilistic performance estimation model for cryptographic protocols in WMN. In 2010, we published the grid model, an improved performance estimation model for WMN, in the 35th IEEE LCN & Workshops Conference Proceedings [141].

5.1 Motivation

Currently, the security of wireless mesh networks in practical use is very weak or even nonexistent. Authentication, confidentiality and integrity protection are not provided in most cases, e.g. in the public community projects. This means that all plain communication can be eavesdropped, replayed and modified by outsiders, which clearly differs from the security level of wired networks. Providing a security level that most users know from wired networks means satisfying the security targets authentication, confidentiality and integrity protection. However, an efficient implementation is recommended, because the network performance of WMN is only average (see chapter 3) and should not be further reduced.

Although the IEEE 802.11s draft [6] for mesh networking addresses the mentioned security targets, the proposed solutions seem to be compromise solutions that are just adapted from the IEEE 802.11i [18] standard. Similar to classical wireless LANs, a personal (PSK) and enterprise (IEEE 802.1X [19]) mode is proposed in the 802.11s mesh standard, establishing pairwise keys between the mesh routers. Some conceptual problems arise from the IEEE 802.11s security modes:

(1) Pairwise keys between the mesh routers lead to regular reencryptions and prevent efficient broadcasting. The faster the WMN is (multi radio / multi channel WMN), the more noticeable is the negative influence of reencryptions and the loss of broadcasting. In a WMN with nearly no latency, reencryption times and multiple transmissions to reach all neighbors become evident.

(2) The personal mode needs the configuration and maintenance of a pre-shared key (PSK) on each node, which becomes very uncomfortable for large networks.

(3) The enterprise mode requires a central authentication server which must be reachable all the time. This contradicts the nature of WMN, which includes the autoconfiguration and self-healing property.

Moreover, there is up to date no operative implementation of the IEEE 802.11s standard including security features.

We propose the use of group key agreement protocols to establish a common key and apply the security targets confidentiality and integrity protection on the network communication. A common key throughout the whole network enables fast broadcasting and avoids reencryptions at each node.

5.2 Group Key Agreement Protocols

Group key agreement protocols (or distributed key agreement) are a special kind of group key management protocols, in which the common key is computed in a distributed way without using a central party or emphasized users.

Fig. 5.1. Taxonomy of Common Group Key Management Protocols [142]

However, there are two other types of group key management protocols according to Challal et al. [142]: centralized and decentralized protocols. Centralized protocols use a particular node that manages the key distribution, whereby in decentralized protocols, a hierarchy of key managers shares the labor of key distribution (Figure 5.1). Since both approaches use special nodes that may not be accessible all the time, we concentrate on the distributed key agreement protocols.

After excluding a large amount of protocols due to their use of central parties, there is a vast amount of group key agreement protocols left in the literature. They differ in their cryptographic properties, their theoretical and practical performance. Some protocols provide contributiveness which means that all participants contribute a part to the common group key (e.g. TBKA and BD1). Non-contributive protocols allow only a subset of all participants to add information to the group key (e.g. BD2). Amir et al. [143] underline the importance of contributiveness by defining own classes for contributive and non-contributive protocols (not illustrated in Figure 5.1).

Another criterion for sub-categorization is the internal logical structure of distributed key agreement protocols. There are protocols for (1) ring-based cooperation, (2) hierarchical cooperation and (3) broadcast cooperation. We have chosen three group key agreement protocols with different logical structures as basis for our work:

• Burmester-Desmedt I (BD1) – Ring structure [144]
• Tree Based Key Agreement (TBKA) – Unstructured [146][147]
• Burmester-Desmedt II (BD2) – Tree structure [145]

The decision for these protocols was not easy due to a large amount of candidates, but finally the chosen protocols turned out to be the most basic ones for their particular type. Hence some other protocols have been skipped because they were just modifications of the three chosen protocols. Other protocols again could be discarded due to obvious performance reasons when observed under the limitations of wireless mesh networks. The related work section 5.2.1 underlines our decision in detail.

5.2.1 Related Work

ITW from Ingemarsson et al. [148] is a contributive ring-based group key agreement protocol like BD1 and was discarded due to the high number of rounds and messages in the WMN scenario. Steiner et al. proposed GDH [149][150], which is the extension of Diffie-Hellman key agreement for groups. The variants GDH.1, GDH.2 and GDH.3 have also high communication costs in our scenario, so they were discarded as well. CLIQUES [151] was proposed by Steiner et al. and is based on GDH.2. The improved variant M-CLIQUES by Chen et al. [152] is more scalable for key management than CLIQUES. Both variants have been skipped due to the structural similarity to GDH.2 and therefore high communication costs in our model, which does not assume perfect broadcast channels.

The iterated Diffie-Hellman protocol IDH [153] was introduced by Becker et al. in 1998 and is a basic version of the tree based key agreement protocol TBKA [146][147] that is used in our work. STR [138] and TGDH [154] (based on IDH) were introduced by Kim et al. in 2004, whereby both protocols make an excessive use of broadcast messages. Because of that, both protocols are not well suited for wireless mesh networks which induce a notable overhead with (full) broadcasting.

Manulis has introduced µSTR and µTGDH [155], which are optimizations of STR and TGDH. The major improvement is the use of elliptic curves which lowers the message size and the computation time. Moreover Manulis contributed µBD, an optimization of the Burmester-Desmedt I (BD1) protocol, also using elliptic curves. However, using elliptic curves can speed up the communication and it is really recommended for a final GKA protocol, though the communication complexity (number of messages) is not reduced. TFAN by Liao et al. [156] is a merge of µSTR and µTGDH and is excluded due to the same reasons as STR and TGDH.

Bhaskar et al. [157] proposed the AGDH protocol in 2007, assuming ideal broadcast channels. The initial key agreement phase has three rounds, whereby two of them use full broadcasts. Therefore this protocol can be rated as inefficient in our scenario and is skipped. The latest GKA proposal was by Kim et al. and states a robust key agreement protocol for wide area networks (W-RGKA) [158], whereby the basic structure of the protocol is very similar to the Burmester-Desmedt I protocol [144].

5.2.2 Burmester-Desmedt I

Burmester and Desmedt proposed a group key agreement protocol [144] (BD1) that agrees on a common key between n users who are arranged in a ring (see Figure 5.2). The protocol needs two communication rounds to complete. The first round uses local broadcasting (to reach the neighbor nodes) which is cheap in mesh networks, whereas for the second round a full broadcast from each user is required.

Let $U_1, \dots, U_n$ be a dynamic subset of users who want to generate a common key K. q is a big prime number and g generates $\mathbb{Z}_q^*$. All users $U_i$ are arranged in a ring, so that $(U_i, U_{i+1})$ for all i and $(U_n, U_1)$ are neighbors.

Fig. 5.2. Burmester-Desmedt I: Six users Ui are arranged in a ring

Initialization:

• Round 1: Each $U_i$ with $i = 1, \dots, n$ chooses $k_i \in_R \mathbb{Z}_q^*$. Then each $U_i$ computes $BK_i := g^{k_i} \bmod q$ and sends $BK_i$ to its direct neighbors $U_{i-1}$ and $U_{i+1}$ (local broadcast).
• Round 2: Each $U_i$ computes $X_i = \left(\frac{BK_{i+1}}{BK_{i-1}}\right)^{k_i} \bmod q$ and broadcasts $X_i$ to all other $U_i$ (full broadcast).

Each $U_i$ computes the common key

$$K = K_i = BK_{i-1}^{k_i \cdot n} \cdot X_i^{n-1} \cdot X_{i+1}^{n-2} \cdot \ldots \cdot X_{i-2} \bmod q,$$

which has the form $g^{k_1 k_2 + k_2 k_3 + \ldots + k_n k_1} \bmod q$.

Join:

• Round 1: $U_{new}$ chooses $k_{new} \in_R \mathbb{Z}_q^*$. Then $U_{new}$ computes $BK_{new} := g^{k_{new}} \bmod q$ and sends $BK_{new}$ to its direct neighbors (local broadcast). Both direct neighbors send their $BK_i$ to $U_{new}$.
• Round 2: $U_{new}$ and both neighbors compute $X_i = \left(\frac{BK_{i+1}}{BK_{i-1}}\right)^{k_i} \bmod q$ and broadcast $X_i$ to all other $U_i$ (full broadcast). Additionally, one neighbor sends all $n - 3$ missing $X_i$ to $U_{new}$.

Then each $U_i$ computes the common key.

Leave: According to Schwenk et al. [146], at least the half of the secret keys $k_i$ (each second) must be changed when a user is leaving the group. Moreover, all $X_i$ must be renewed. This leads to a scenario that is nearly as inefficient as the BD I initialization.

• Round 1: Each $U_i$ with $i = 1, \dots, n$ and $i \bmod 2 \equiv 1$ chooses $k_i \in_R \mathbb{Z}_q^*$. Then these $U_i$ compute $BK_i := g^{k_i} \bmod q$ and send $BK_i$ to their direct neighbors $U_{i-1}$ and $U_{i+1}$ (local broadcast).
• Round 2: Each $U_i$ (all) computes $X_i = \left(\frac{BK_{i+1}}{BK_{i-1}}\right)^{k_i} \bmod q$ and broadcasts $X_i$ to all other $U_i$ (full broadcast).

Each $U_i$ computes the common key K.
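The BD1 initialization above, run for a ring of users, as an added example that is not code from the thesis. The group parameters are a constructed toy group, users are indexed from 0 instead of 1, and the function names are chosen here; the check that the product of all $X_i$ equals 1 follows from the definition of $X_i$ and is included as a consistency test a receiver can apply.

```python
"""Burmester-Desmedt I (section 5.2.2) simulated for a ring of n users."""
import secrets

# Constructed toy group (assumption, far too small for real use):
# Q = 2^31 - 1 is prime and G = 7 generates Z_Q^*.
Q = 2**31 - 1
G = 7


def fresh_secret():
    """k_i chosen uniformly at random from Z_Q^* = {1, ..., Q-1}."""
    return secrets.randbelow(Q - 1) + 1


def round1(k):
    """Round 1: BK_i = g^{k_i} mod q, sent to both ring neighbours."""
    return [pow(G, ki, Q) for ki in k]


def round2(k, bk):
    """Round 2: X_i = (BK_{i+1} / BK_{i-1})^{k_i} mod q, sent as full broadcast."""
    n = len(k)
    xs = []
    for i in range(n):
        # Division in Z_Q^* is multiplication by the modular inverse.
        ratio = bk[(i + 1) % n] * pow(bk[(i - 1) % n], -1, Q) % Q
        xs.append(pow(ratio, k[i], Q))
    return xs


def x_values_consistent(xs):
    """Each X_i is a quotient of neighbouring pairwise DH values, so the product
    over the whole ring telescopes to 1. A receiver can use this to notice a
    lost or altered broadcast before deriving a key."""
    prod = 1
    for x in xs:
        prod = prod * x % Q
    return prod == 1


def group_key(i, k_i, bk, xs):
    """K_i = BK_{i-1}^{k_i*n} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2} mod q."""
    n = len(bk)
    key = pow(bk[(i - 1) % n], k_i * n, Q)
    for j in range(n - 1):
        key = key * pow(xs[(i + j) % n], n - 1 - j, Q) % Q
    return key


def run_bd1(k):
    """Full initialization; returns (BK values, X values, key of every user)."""
    if len(k) < 3:
        raise ValueError("a ring needs at least three users")
    bk = round1(k)
    xs = round2(k, bk)
    keys = [group_key(i, k[i], bk, xs) for i in range(len(k))]
    return bk, xs, keys


def closed_form(k):
    """g^{k_1 k_2 + k_2 k_3 + ... + k_n k_1} mod q, computed from all secrets."""
    n = len(k)
    return pow(G, sum(k[i] * k[(i + 1) % n] for i in range(n)), Q)


if __name__ == "__main__":
    ring_secrets = [fresh_secret() for _ in range(6)]
    bk, xs, keys = run_bd1(ring_secrets)
    print("all six users agree:", len(set(keys)) == 1)
    print("matches closed form:", keys[0] == closed_form(ring_secrets))
    print("X values consistent:", x_values_consistent(xs))
```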

5.2.3 Burmester-Desmedt II

The protocol which is known under the name Burmester-Desmedt II (BD2) uses a different topology in comparison to the BD1 protocol [145]. Here, the users are arranged in a binary tree without root node (see Figure 5.3). Like the BD1 protocol, BD2 completes also in two communication rounds. In BD2 there is no need for a full broadcast from each party, instead only a multicast from each party to its descendants is needed, which results in less messages in total.

Let $U_1, \dots, U_n$ be a dynamic subset of users who want to generate a common key K. q is a big prime and g generates $\mathbb{Z}_q^*$. All users $U_i$ are attached as nodes to a binary tree without root node.

Fig. 5.3. Burmester-Desmedt II: Users Ui are arranged as nodes in a binary tree

Initialization:

• Round 1: Each $U_i$ with $i = 1, \dots, n$ chooses $k_i \in_R \mathbb{Z}_q^*$. Then each $U_i$ computes $BK_i := g^{k_i} \bmod q$ and sends $BK_i$ to its parent $U_{\lceil i/2 \rceil - 1}$ and its children $U_{2i+1}$, $U_{2i+2}$ (local broadcast).
• Round 2: Each $U_i$ computes

$$X_{leftchild(i)} = \left(\frac{BK_{parent(i)}}{BK_{leftchild(i)}}\right)^{k_i} \bmod q$$

$$X_{rightchild(i)} = \left(\frac{BK_{parent(i)}}{BK_{rightchild(i)}}\right)^{k_i} \bmod q$$

Then $U_i$ sends $X_{leftchild(i)}$, $X_{rightchild(i)}$ to all descendants (semi broadcast).

Each $U_i$ computes the common key

$$K = K_i = BK_{parent(i)}^{k_i} \prod_{j \in ancestor(i)} X_j \bmod q,$$

whereby ancestor(i) stands for all $X_j$ from $U_i$ itself to the root. K has the form $g^{k_1 k_2} \bmod q$.

Join: The new user $U_{new}$ chooses a fresh key $k_{new}$ and attaches himself at a position in the tree, where a node has less than two children. His new parent computes $X_{new}$ and sends all $X_i$ from the path to root node to $U_{new}$. Because K has the form $g^{k_1 k_2} \bmod q$, the join operation does not change the group key.

• Round 1: $U_{new}$ chooses $k_{new} \in_R \mathbb{Z}_q^*$; compute $BK_{new} := g^{k_{new}} \bmod q$ and send $BK_{new}$ to the $U_{parent(new)}$.
• Round 2: $U_i = U_{parent(new)}$ computes

$$X_{new} = \left(\frac{BK_{parent(i)}}{BK_{new}}\right)^{k_i} \bmod q$$

and sends $X_{new}$ and $BK_i$ together with all $X_i$ on the path to the root to $U_{new}$. Now, $U_{new}$ can compute the common key as follows:

$$K = K_i = BK_{parent(i)}^{k_i} \prod_{j \in ancestor(i)} X_j \bmod q.$$

Leave: Because the common key for the group is the key between two users ($U_1$ and $U_2$), both private keys must be changed, when a user $U_r$ is removed. If the pairwise keys of BD2 are used in the mesh network, all private keys on the path from the removed user to the root have to be changed!

• Round 1: $U_1$ and $U_2$: choose a new $k_{1/2} \in_R \mathbb{Z}_q^*$ and compute $BK_{1/2} := g^{k_{1/2}} \bmod q$. These values are broadcasted locally.
• Round 2: Then $U_1$ and $U_2$ compute new $X_i$ values for their children:

$$X_{3/5} = \left(\frac{BK_{2/1}}{BK_{3/5}}\right)^{k_{1/2}} \bmod q$$

$$X_{4/6} = \left(\frac{BK_{2/1}}{BK_{4/6}}\right)^{k_{1/2}} \bmod q$$

The $X_{3/4/5/6}$ values are broadcasted to the whole group. Now, all users can recompute their group key K as follows:

$$K = K_i = BK_{parent(i)}^{k_i} \prod_{j \in ancestor(i)} X_j \bmod q.$$
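The BD2 phases above as an added example (not code from the thesis), using the index rules of Round 1 for the tree of Fig. 5.3. The toy group, the function names and the simplification that the leaving user is the highest-indexed leaf are assumptions of this example. It shows that a join leaves $K = g^{k_1 k_2}$ unchanged, which is why a leave forces $U_1$ and $U_2$ to choose new secrets.

```python
"""Burmester-Desmedt II (section 5.2.3) on the rootless binary tree of Fig. 5.3."""

# Constructed toy group (assumption, far too small for real use).
Q = 2**31 - 1   # prime
G = 7           # generates Z_Q^*


def parent(i):
    """U_1 and U_2 are each other's parent; otherwise U_{ceil(i/2)-1}."""
    if i in (1, 2):
        return 3 - i
    return (i + 1) // 2 - 1


def children(i, n):
    """Children U_{2i+1}, U_{2i+2} that exist in a group of n users."""
    return [c for c in (2 * i + 1, 2 * i + 2) if c <= n]


def derive_key(i, k_i, bk_parent, x):
    """K_i = BK_parent(i)^{k_i} * product of X_j for j = i, parent(i), ...
    up to (not including) the top pair U_1/U_2, which has no X value."""
    key = pow(bk_parent, k_i, Q)
    j = i
    while j > 2:
        key = key * x[j] % Q
        j = parent(j)
    return key


def run_bd2(k):
    """k maps the user index 1..n to its secret k_i. Returns (BK, X, keys)."""
    n = len(k)
    bk = {i: pow(G, k[i], Q) for i in k}                 # round 1
    x = {}
    for i in k:                                          # round 2
        for c in children(i, n):
            ratio = bk[parent(i)] * pow(bk[c], -1, Q) % Q
            x[c] = pow(ratio, k[i], Q)                   # X_c is computed by U_i
    keys = {i: derive_key(i, k[i], bk[parent(i)], x) for i in k}
    return bk, x, keys


def join(k, k_new):
    """The new user takes index n+1; by the index rule its parent
    U_{ceil((n+1)/2)-1} still has fewer than two children."""
    extended = dict(k)
    extended[len(k) + 1] = k_new
    return extended


def leave_last(k, k1_new, k2_new):
    """Remove the highest-indexed leaf (simplification of this example) and
    let U_1 and U_2 choose new secrets, as the Leave step requires."""
    reduced = {i: v for i, v in k.items() if i != len(k)}
    reduced[1], reduced[2] = k1_new, k2_new
    return reduced


if __name__ == "__main__":
    k = {i: 1000 + 37 * i for i in range(1, 15)}         # constructed secrets
    _, _, keys = run_bd2(k)
    print("14 users agree:", len(set(keys.values())) == 1)
    _, _, keys_joined = run_bd2(join(k, 424242))
    print("key unchanged by join:", keys_joined[15] == keys[1])
    _, _, keys_left = run_bd2(leave_last(join(k, 424242), 5555, 7777))
    print("key changed by leave:", keys_left[1] != keys[1])
```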

5.2.4 Tree Based Key Agreement

The Tree Based Key Agreement (TBKA) Protocol [146][147] is based on the Diffie-Hellman Key Agreement [159] which is applied iteratively to cope with more than two parties. All n users are arranged as leafs of a binary tree, which reflects the iterative approach. Compared to BD1 and BD2 the Tree Based Key Agreement needs a lot more communication rounds, strictly speaking $\log_2 n$ instead of 2. It is of advantage that only local broadcasts, which are cheap in mesh networks, are used to complete the protocol.

Let $U_1, \dots, U_n$ be a dynamic subset U of users who want to generate a common key K. q is a large prime number and g generates $\mathbb{Z}_q^*$. All users $U_i$ are attached as leafs to a binary key tree according to Figure 5.4.

Initialization:

• Round 1: Choose a $k_i \in_R \mathbb{Z}_q^*$; compute $BK_i := g^{k_i} \bmod q$ and send $BK_i$ to the sibling.
• Round 2: Compute common key $k_{(i,i+1)} = BK_{\text{other sibling}}^{k_i} \bmod q$.

Then the algorithm is repeated on the next higher levels with the former agreed key instead of a new $k_i$. Figure 5.4 shows an example of the TDH protocol with four parties.

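[Figure 5.4: key tree with the leaves A, B, C, D holding the secrets $k_A, k_B, k_C, k_D$ and sending the blinded keys $g^{k_A}, g^{k_B}, g^{k_C}, g^{k_D}$; the inner nodes hold $k_{AB} = g^{k_A k_B}$ and $k_{CD} = g^{k_C k_D}$ and exchange $g^{k_{AB}}$ and $g^{k_{CD}}$; the root key is $k_{ABCD} = g^{k_{AB} k_{CD}}$.]

Fig. 5.4. Tree Based Key Agreement Protocol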

Join: A leaf is split up into two leafs, which are attached to a new node at the position, where the original leaf had been. The new user $U_{n+1}$ takes the “free” leaf and agrees upon a key with its sibling. Then all keys from the new node to the root node have to be recomputed.

• Round 1: A leaf with an associated user $U_h$ is chosen. This leaf should be on the highest possible level of the tree, in order to keep the tree balanced. Then the leaf is replaced by a new node with two children, $U_h$ and $U_{new}$. $U_h$ sends $BK_h = g^{k_h} \bmod q$ to the new user $U_{new}$. Meanwhile the new user $U_{new}$ chooses $k_{new} \in_R \mathbb{Z}_q^*$ and computes $BK_{new} := g^{k_{new}}$, which is sent back to $U_h$. A new node key $k_{(h,new)} \equiv BK_h^{k_{new}} \equiv BK_{new}^{k_h} \bmod q$ is computed.
• Round 2,3,...: All nodes ($\approx \log_2 n$) on the path from $U_h$ to the root refresh their keys depending on the change of $k_{(h,new)}$ (formerly $BK_h$).

Leave: The sibling $U_h$ of the user that shall be removed ($U_r$) generates a new key $k_h$ and moves to the position of its parent node. All keys on the path from this position to the root have to be recomputed.

• Round 1: $U_h$ chooses a new $k_h \in_R \mathbb{Z}_q^*$ and computes $BK_h := g^{k_h} \bmod q$. Then $U_h$ moves to the position of its and the former user’s parent node, while using $BK_h$ as his key.
• Round 2,3,...: All nodes ($\approx (\log_2 n) - 1$) on the path from $U_h$ to the root refresh their keys depending on the change of $BK_h$ (formerly $k_{(h,r)}$).
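The iterated Diffie-Hellman of TBKA with its join and leave steps, as an added example that is not code from the thesis. The toy group, the nested-tuple tree representation, the 'L'/'R' path strings and the function names are assumptions of this example; `user_key` derives the group key the way a single leaf does, from its own secret and the blinded keys of the sibling nodes on its path.

```python
"""Tree Based Key Agreement (section 5.2.4): iterated Diffie-Hellman on a key tree."""

# Constructed toy group (assumption, far too small for real use).
Q = 2**31 - 1   # prime
G = 7           # generates Z_Q^*

# A tree is either a leaf secret (int) or a pair (left_subtree, right_subtree).


def secret(node):
    """Node key: the leaf's k_i, or g^{k_left * k_right} mod q for an inner node."""
    if isinstance(node, int):
        return node
    left, right = node
    return pow(pow(G, secret(left), Q), secret(right), Q)


def blinded(node):
    """BK of a node, the only value about it that is ever transmitted."""
    return pow(G, secret(node), Q)


def user_key(tree, path):
    """Group key as the leaf at `path` derives it: its own secret plus the
    blinded keys of the sibling nodes between the leaf and the root."""
    siblings, node = [], tree
    for step in path:
        left, right = node
        node, sib = (left, right) if step == "L" else (right, left)
        siblings.append(blinded(sib))
    key = node                       # the leaf secret k_i
    for bk in reversed(siblings):    # one Diffie-Hellman step per tree level
        key = pow(bk, key, Q)
    return key


def subtree(tree, path):
    """Node reached from the root by following `path`."""
    for step in path:
        tree = tree[0] if step == "L" else tree[1]
    return tree


def replace(tree, path, new_subtree):
    """Copy of `tree` with the node at `path` replaced; only the nodes on the
    path to the root are rebuilt, which are exactly the keys to refresh."""
    if not path:
        return new_subtree
    left, right = tree
    if path[0] == "L":
        return (replace(left, path[1:], new_subtree), right)
    return (left, replace(right, path[1:], new_subtree))


def join(tree, leaf_path, k_new):
    """Split the leaf U_h into a node with the children U_h and U_new."""
    return replace(tree, leaf_path, (subtree(tree, leaf_path), k_new))


def leave(tree, removed_path, k_h_fresh):
    """The sibling U_h of the removed leaf chooses a fresh k_h and moves to the
    parent's position. Assumes that the sibling is itself a leaf."""
    return replace(tree, removed_path[:-1], k_h_fresh)


if __name__ == "__main__":
    tree = ((11, 22), (33, 44))                      # constructed k_A .. k_D
    print("A..D agree:", len({user_key(tree, p) for p in ("LL", "LR", "RL", "RR")}) == 1)
    joined = join(tree, "RR", 55)                    # E becomes the sibling of D
    print("key refreshed on join:", secret(joined) != secret(tree))
    left = leave(joined, "RRR", 66)                  # E leaves, D picks k_D = 66
    print("key refreshed on leave:", secret(left) != secret(joined))
```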

5.3 Performance Estimation Models for Cryptographic Protocols in WMN

Up to date, the performance or efficiency of cryptographic protocols was usually determined with the communication complexity that describes the number of rounds and messages for a complete protocol run, e.g. [143] or [28]. Thus, a cryptographic protocol with two rounds was identified as faster than a protocol with three rounds. However, the performance of cryptographic protocols is notably influenced by the network characteristic of the evaluated network type. This is especially controversial when dealing with wireless mesh networks, because among others we cannot assume perfect broadcast channels as it is done in the publications of most group key agreement protocols. Since a (global) broadcast transmission induces a series of local broadcast transmissions in WMN, it becomes obvious that this is far more inefficient than in classical wired networks, where only one transmission must be made. Therefore assuming perfect broadcast channels is not feasible for WMN.

However, if we want to determine the real performance of a network protocol, we have to consider some issues before. Normally the physical structure of the network in which we want to evaluate the network protocol is unknown or not precisely specified. Furthermore different network types have various network characteristics, as shown in chapter 3, that have to be taken into account. Finally, for wireless networks, transmission related effects (section 3.2.2) have to be considered.

We introduce two different performance estimation models that are explicitly dedicated to wireless mesh networks. Both models reflect the particular properties of WMN and allow to approximate the performance of cryptographic protocols, while both models provide different solutions for the unknown network structure problem. As we are mainly dealing with group key agreement protocols in this dissertation, both models will be applied to evaluate the network performance of GKA protocols within wireless mesh networks.

5.3.1 Common Assumptions

We differentiate between two types of broadcasting in wireless mesh networks: local and full broadcasting. Local broadcasting addresses all nodes within the collision domain of the wireless sender. Full broadcasting means that a data packet is distributed hop by hop until all nodes are reached, whereby each transmission uses local broadcasting again.

Local broadcasting is very efficient in wireless networks due to the shared medium, since there is no need for a device like a switch that replicates packets for each attached port. In contrast, full broadcasting is less efficient than in cable bound networks, because a hop by hop forwarding is necessary. This property of WMN demands a new way of message counting, since ideal broadcast channels like in classical wired networks cannot be assumed. It is obvious that omitting the forwarding costs as it is done for classical networks will lead to wrong performance results for WMN.

Definition 5.1 (Message Counting).

• Each message sent from one node to a neighboring node (local broadcast) is counted as 1 message.
• For each message from one node to a distant node, we count #Hops messages. (#Hops is the number of edges in a graph modeling the network structure.)


However, if we would only count the total number of transmitted messages, this would lead to a serialized network model that does not consider simultaneous transmissions. Wireless mesh networks instead allow for simultaneous transmissions of independent data, although interference may arise in those cases. Thus we need a time based unit for the performance estimation of cryptographic protocols in WMN, because just the message count would be inappropriate.

Definition 5.2 (Timeslot). Given an interference-free channel with full capacity, let a timeslot be the time needed for sending a local broadcast of one maximum sized message (MTU – Maximum Transfer Unit).

Creating a clear definition for a measurement unit requires the exclusion of non-deterministic effects like interference, so that we assume an interference-free channel and care for interference effects later. Furthermore we assume that all messages have a constant maximum size to simplify the computations. Tanenbaum [42] states that an additional message means more overhead than the size of a message.

When determining the performance of a network protocol in WMN, we proceed with the timeslot evaluation as follows:

Definition 5.3 (Timeslot Evaluation).

• Each message sent from one node to a neighboring node (local broadcast) is counted as 1 timeslot.
• For each message from one node to a distant node, we count #Hops timeslots. (#Hops is the number of edges in a graph modeling the network structure.)
• For simultaneous transmissions, the timeslots of the longest transmission are counted.

Note that the number of timeslots varies from the number of messages when there are simultaneous transmissions in the network.

The performance of cryptographic protocols in wireless mesh networks can be expressed with the timeslot value. The timeslot value describes the runtime of a protocol for a given network size (number of nodes). However, when measuring the protocol performance according to the timeslot evaluation, we do not cover interference influences. That is why we introduce two different performance estimation models for WMN covering interference influences in sections 5.3.3 and 5.3.4. Before, we give an overview about conditions for reasonable performance estimation models for WMN in the next section.

5.3.2 Conditions for Performance Measurement in WMN

In wireless mesh networks there are several conditions that have to be considered by performance estimation models. These conditions are related to the physical properties of the network and the transmission behavior.

1. Position of nodes
2. Transmission range
3. Wireless interference
4. Interference range
5. Synchronous/Asynchronous transmissions
6. Predetermined/Controlled sending order
7. Do nodes have knowledge of the network structure?
8. Is routing available?

The position of nodes is important when evaluating network protocols in WMN, since e.g. transmissions over multiple hops need more timeslots than a communication between direct neighbors. Therefore performance estimation models have to consider the physical network structure which can be computed by evaluating the transmission range and the position of nodes.

Wireless interference plays an important role in WMN, as it has a big impact on the performance (see chapter 3). It is necessary for a reasonable performance estimation model for WMN to consider wireless interference and its properties (i.e. range).

Synchronous transmissions mean that there are fixed common times, where transmissions take place. In contrast, asynchronous transmissions enable the nodes of the network to transmit anytime and independently of each other. Both transmission types have to be handled differently, although only asynchronous transmissions are relevant for practical applications of wireless mesh networks.

A controlled sending order means that every node knows exactly when to transmit or the transmission moment is even triggered by an external server. Usually such a behaviour allows for reducing wireless interference.

An assumption on synchronous transmissions (clocked sending time) and controlled sending order allows to simplify a theoretic performance estimation, as the results are easier to collect or to count. This is obvious, because with synchronous transmissions the protocol execution can be broken up in timeslots (counting is clearer) and with a controlled sending order, retransmissions due to transmission failures do not have to be considered because they can be avoided.
However, in practice both assumptions do not hold, because the reliability of links, nodes and timers cannot be guaranteed exactly. As these assumptions (transmission mode/sending order) influence the performance noticeably, the estimation model has to consider them. Most network protocols require the knowledge of the network structure and therefore e.g. a routing protocol. Either way, routing protocols influence the execution of other network protocols while they are running, because a lot of messages are transmitted. In case the performance estimation takes place while the routing protocol transmits messages (e.g. has not finished), this has to be considered by the estimation process by e.g. calculating an overhead for the routing service. Another possibility is to integrate a routing mechanism in the evaluated protocol. In this way, the overhead caused by the routing protocol is directly considered within the performance estimation.


5.3.3 Probabilistic Performance Estimation Model for WMN

We propose a probabilistic performance estimation model [140] that allows for the performance estimation of general cryptographic protocols in wireless mesh networks. Probabilistic means that we consider interference influences in a probabilistic way to a variable amount. In this way we are enabled to estimate the practical feasibility of network protocols in WMN by adapting the weight of the interference influences to practical conditions like the wireless network card type, link quality, surrounding, etc.

Additionally to the assumptions from section 5.3.1, we need to make an assumption on the physical structure of the network. Since we only know the investigated network protocol, but want to make a general statement for wireless mesh networks, we have to specify the physical network structure. As the determination of the network structure is important for performance counting (definitions 5.1 and 5.3), we assume an ideal structure by saying that the physical structure is identical to the logical structure of the investigated network protocol. By this means we provide optimal conditions for each investigated network protocol and thus we have a basis for comparability.

The logical structures are a ring structure for BD1, a binary tree structure for BD2 and a line structure for TBKA. Actually TBKA has a loose structure, which means that the physical topology (structure) does not need to be in a particular form, because the protocol builds small subgroups that grow dynamically in each round. As TBKA does not have a logical structure that we can assume as physical structure, we use a line structure, which is the most trivial approach to deal with that. Furthermore the line structure does not produce an ideal broadcast channel (full reachability of the group; this would be the actual logical structure for TBKA) so that we have similar preconditions for each protocol.

Moreover we assume synchronous transmissions and a controlled sending order to simplify counting the timeslots. We also assume that routing is given and all nodes have knowledge of the network structure.

Performance Estimation

We start counting the messages of the network protocol, using the logical structure (by assumption identical to the physical structure). The smallest atomic operation in wireless mesh network transmissions is local broadcasting, because all transmissions are done via the shared medium air. Therefore we have to break down all communication patterns to local broadcasts, leading to several local broadcasts (depending on the network size and structure) for one global broadcast and one local broadcast for a unicast transmission to a direct neighbor.

[Figure 5.5: the ring of six nodes, shown once per round. Round 1: every node sends $BK_i$ as local broadcast ($n \cdot 1$ message). Round 2: every node sends $X_i$ as full broadcast ($n \cdot (n-2)$ messages). Sum of both rounds: $n^2 - n$ messages.]

Fig. 5.5. Counting messages on the example of BD1

Figure 5.5 shows on the example of Burmester-Desmedt I, how messages are counted according to definition 5.1. The same idea applies to the join and leave phases, as well as for all other evaluated protocols.

| | Burmester-Desmedt I | Burmester-Desmedt II | Tree Based Key Agreement |
|---|---|---|---|
| Initialization | $n^2 - n$ | $2n + 2 + (\log_2 n - 3) \cdot n$ | $n \log_2 n$ |
| Join (n-1 → n) | $4n - 6$ | $1 + \log_2 n$ | $n + \log_2 n - 1$ |
| Leave (n+1 → n) | $n^2 - \frac{3}{2} n$ | $2 + n$ | $n - 2$ |

n := Number of nodes

Fig. 5.6. Protocol messages (results in messages)

Figure 5.6 shows the number of messages (local broadcasts) that are used by BD1, BD2 and TBKA in dependency of the number of nodes and Figure 5.7 shows how they are counted.

Initialization

Burmester-Desmedt I: First round needs n messages (local broadcast) and second round n times n − 2 (full broadcasts).

Burmester-Desmedt II: First round has n messages. Round 2: Dependent on the tree height h, every height increase induces two times more messages plus $2^h$ ($f(h+1) = 2f(h) + 2^h$). This can be expressed with $2 + n + n(\log_2 n - 3)$, using a height of 2 as induction start ($n = 2^{h+1} - 2$). Example for height = 3: root nodes send 4 X values (4); second row sends 8 X values; second row forwards 4 X values from root nodes via local broadcast (4). Total = 16 messages.

Tree Based Key Agreement: When every node agrees on a key with its neighbor, n messages are needed. The combination of these groups also needs n messages ( ni key agreements + log2 n−i n forwardings), for every level in the tree. The sum is $n \log_2 n$.

Join (n-1 → n)

Burmester-Desmedt I: 3 messages in the first round. Second round needs 3 full broadcasts (n − 2) of X values and the transmission of n − 3 X values to the new node.

Burmester-Desmedt II: Round one needs 1 local broadcast (BK) and round two a forwarding of all X values ($\log_2 n$) to the new node.

Tree Based Key Agreement: $\log_2 n - 1$ levels in the tree need a new key agreement plus n forwardings (from edge to edge, independent of joining node).

Leave (n+1 → n)

Burmester-Desmedt I: First round has $\frac{n}{2}$ messages, since every second BK must change to change every X. Then we have n full broadcasts in the second round.

Burmester-Desmedt II: In round one both root nodes choose new keys (2 messages) and in the second round the new X values are sent down the tree ($2^{\log_2 n} \approx n$ messages). Note that there are additional messages dependent on the height of the leaving node (2 per level), covered by our formula in average.

Tree Based Key Agreement: One changed key is forwarded (n messages, from edge to edge, independent of leaving node) minus 2 messages because of the local broadcast of the sponsor.

n := Number of nodes

Fig. 5.7. How the messages are counted

However, for the final performance estimation the number of timeslots of the protocol runtime is more important, because when there are simultaneous transmissions, the protocol runtime does not need to correspond to the number of messages any more. In the probabilistic model, we explicitly allow simultaneous transmissions without any limitations. We care for the interference separately. Since 1 local broadcast transmission consumes 1 timeslot, we count #hops timeslots for a distant transmission due to the serialized forwarding. When several simultaneous transmissions occur, we count #hops timeslots of the longest path.

[Figure 5.8: BD1 example with six nodes (1 to 6). Round 1: every node sends BK_i as local broadcast, 1 timeslot. Round 2: every node sends X_i as full broadcast, $\frac{n}{2}$ timeslots. Sum of both rounds: $1 + \frac{n}{2}$ timeslots.]

Fig. 5.8. Counting timeslots on the example of BD1

In Figure 5.8 there is an example for counting timeslots with Burmester-Desmedt I. It is easy to see that the timeslot counting is an estimation, as $\frac{n}{2}$ is only exact for even n. However, the deviation due to this rounding error does not have a noticeable impact on the overall results. Counting timeslots for other protocols and protocol phases is done in an analogous way.

| Phase | Burmester-Desmedt I | Burmester-Desmedt II | Tree Based Key Agreement |
| --- | --- | --- | --- |
| Initialization | $1 + \frac{n}{2}$ | $1 + \log_2 n$ | $n - 1$ |
| Join (n-1 → n) | $1 + \frac{n}{2}$ | $2$ | $n$ |
| Leave (n+1 → n) | $1 + \frac{n}{2}$ | $\log_2 n$ | $n - 1$ |

n := Number of nodes

Fig. 5.9. Timeslot evaluation (results in timeslots)

Figure 5.9 presents the results of the timeslot estimation for BD1, BD2 and TBKA for n nodes and Figure 5.10 shows how they are counted.

Initialization

Burmester-Desmedt I: First round needs 1 timeslot (local broadcast) and second round $\frac{n}{2}$ (full broadcasts).

Burmester-Desmedt II: First round needs 1 timeslot, and in the second round we need $\log_2 n$ timeslots (height of the tree).

Tree Based Key Agreement: The key exchange needs $\log_2 n$ timeslots (height of the tree), but the longest path is an information traversal from the left to the right edge, therefore n − 1 timeslots are needed.

Join (n-1 → n)

Burmester-Desmedt I: First round needs 1 timeslot and second round $\frac{n}{2}$ for full broadcasts.

Burmester-Desmedt II: Round one has 1 timeslot and round two also 1 timeslot for forwarding aggregated data.

Tree Based Key Agreement: The key exchange needs $\log_2 n$ timeslots (height of the tree), but the longest path is an information traversal from the left to the right edge, therefore n timeslots are needed.

Leave (n+1 → n)

Burmester-Desmedt I: First round needs 1 timeslot and second round $\frac{n}{2}$ for full broadcasts.

Burmester-Desmedt II: Round one needs 1 timeslot and round two $\log_2 n - 1$ (height of the tree minus 1).

Tree Based Key Agreement: The key exchange needs $\log_2 n$ timeslots (height of the tree), but the longest path is an information traversal from the left to the right edge, therefore n − 1 timeslots are needed.

n := Number of nodes

Fig. 5.10. How the timeslots are counted

The determined timeslot value is a first approach to estimate the protocol performance in wireless mesh networks, since it describes the completion time of the protocol as a function of the number of nodes. Reasonable results, however, must include wireless interference because it is the main cause for performance issues in wireless mesh networks. Hence we need a value that approximates wireless interference and add it to the determined timeslot values. We consider the number of messages per timeslot as a measure for wireless interference, because it describes the communication density while the protocol runs. Figure 5.11 shows the computed values for the interference approximation.

| Phase | Burmester-Desmedt I | Burmester-Desmedt II | Tree Based Key Agreement |
| --- | --- | --- | --- |
| Initialization | $\frac{2n^2 - 2n}{2 + n}$ | $\frac{2n + 2 + (\log_2 n - 3) \cdot n}{1 + \log_2 n}$ | $\frac{n \log_2 n}{n - 1}$ |
| Join (n-1 → n) | $\frac{8n - 12}{2 + n}$ | $\frac{1 + \log_2 n}{2}$ | $\frac{n + \log_2 n - 1}{n}$ |
| Leave (n+1 → n) | $\frac{2n^2 - 3n}{2 + n}$ | $\frac{2 + n}{\log_2 n}$ | $\frac{n - 2}{n - 1}$ |

n := Number of nodes

Fig. 5.11. Interference approximation – $\frac{\#\text{messages}}{\text{timeslots}}$

Finally our interference approximation can only be regarded as proportional to the real interference, because it is to date an unsolved problem to find a real deterministic approximation for wireless interference. Furthermore wireless mesh networks differ in many points in practice, e.g. the physical surrounding, used wireless communication standard, used wireless interface cards, antennas, humidity, etc. Therefore we propose the use of an unknown impact factor x that is multiplied to our interference approximation value, leading to the final formula for the performance estimation:

\[ \text{Performance Estimation} = \text{timeslots} + x \cdot \frac{\#\text{messages}}{\text{timeslots}} \tag{5.1} \]

Formula 5.1 consists of two addends: “timeslots”, the static part that relates to the time duration the evaluated protocol would need without any interference, and “$x \cdot \frac{\#\text{messages}}{\text{timeslots}}$”, which is a value that describes the amount of data being sent within one timeslot. Therefore the second addend is a value proportional to the interference the evaluated protocol will produce. An unknown factor x gives the possibility to adapt the performance estimation results to real conditions, e.g. type of wireless transceivers or environmental conditions. Further details to message counting and performance estimation can be found in [140].

Before the formula for the protocol performance estimation can be used, we need to define a reasonable interval for the unknown impact factor x [141]. We begin with the definition of the minimum and maximum possible execution time (in timeslots):

\[ min_t = \#\text{timeslots}, \qquad max_t = \#\text{messages} \]

If there is no interference, the total performance value is obviously the number of computed timeslots. In case that we have the maximum interference impact, meaning that no messages can be transmitted simultaneously, this leads to “# messages” timeslots. While the total performance value was computed as defined in definition 5.1, we conclude that x has to be drawn from the following interval to satisfy $min_t$ and $max_t$:

\[ x \in \left[0,\ \text{timeslots} - \frac{\text{timeslots}^2}{\#\text{messages}}\right] \tag{5.2} \]

Taking the maximum value of the interval, we get the following distribution for 5, 20 and 100 nodes (Fig. 5.12):

| Protocol | 5 Nodes | 20 Nodes | 100 Nodes |
| --- | --- | --- | --- |
| BD1 | x = 2.89 | x = 10.70 | x = 50.70 |
| BD2 | x = 1.88 | x = 4.57 | x = 6.88 |
| TBKA | x = 2.10 | x = 12.19 | x = 56.39 |

Fig. 5.12. Maximum impact factor x (initialization phases)

For an increasing number of nodes, you can see an almost linear growth in the maximum impact factor for BD1 and TBKA, for BD2 even a little bit less. The maximum impact factor only depends on the number of timeslots and messages, but the real impact factor depends on the (geographic) size of the network too, since it is obvious that there are successful simultaneous transmissions in big networks, whereas they would lead to collisions in smaller networks. Because there is a linear growth in the maximum impact factor and a linear growth in the geographic size of the network (whose effects work contrary), we assume that there is a nearly constant impact factor x for different network sizes. An impact factor x = 1.00 means that the average number of $\frac{\#\text{messages}}{\text{timeslots}}$ is added once to the whole completion time. But note that this average number of messages is transmitted in every timeslot, leading to the point that x = 1.00 would only hold for quite interference free networks. Therefore higher values for x are more realistic for average wireless mesh networks. We choose a value of x = 2.00 for a start, since we do not have practical reference points yet and assume that x = 1.00 would be too low.

Performance Results

We have determined the performance of BD1, BD2 and TBKA for different network sizes, using an impact factor of x = 2.00 chosen in the last paragraph. Therefore the overall performance results are computed as

\[ \text{Performance Estimation} = \text{timeslots} + 2.00 \cdot \frac{\#\text{messages}}{\text{timeslots}} \]

according to equation 5.1 and figures 5.6, 5.9 and 5.11. The best initialization phase performance among the tested protocols is provided by TBKA, as illustrated in Figure 5.13. Burmester-Desmedt II is in second place, whereby the performance results are quite near to the TBKA protocol. For five and ten nodes, BD2 does even show a better performance than TBKA, even though it does not scale as well as TBKA for larger networks. Burmester-Desmedt I is the slowest protocol in this test, exceeding the timeslot values of the other protocols to a large amount, especially for high node counts.
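Formula 5.1 and interval 5.2 applied to the closed forms of Figures 5.6 and 5.9, as an added example that is not code from the thesis. It assumes that $\log_2 n$ is used unrounded and that n ≥ 2; all function names are chosen here.

```cpp
// Added example (not the thesis's code): formula (5.1) and interval (5.2)
// evaluated with the closed forms of Fig. 5.6 and Fig. 5.9.
#include <cmath>
#include <cstdio>

enum Protocol { BD1, BD2, TBKA };
enum Phase { INIT, JOIN, LEAVE };

// Number of messages (local broadcasts) per Fig. 5.6, n = number of nodes.
double messages(Protocol p, Phase ph, double n) {
    const double lg = std::log2(n);  // assumption: log2 n is used unrounded
    switch (p) {
    case BD1:
        return ph == INIT ? n * n - n : ph == JOIN ? 4 * n - 6 : n * n - 1.5 * n;
    case BD2:
        return ph == INIT ? 2 * n + 2 + (lg - 3) * n : ph == JOIN ? 1 + lg : 2 + n;
    default:  // TBKA
        return ph == INIT ? n * lg : ph == JOIN ? n + lg - 1 : n - 2;
    }
}

// Number of timeslots per Fig. 5.9.
double timeslots(Protocol p, Phase ph, double n) {
    const double lg = std::log2(n);
    switch (p) {
    case BD1:
        return 1 + n / 2;
    case BD2:
        return ph == INIT ? 1 + lg : ph == JOIN ? 2 : lg;
    default:  // TBKA
        return ph == JOIN ? n : n - 1;
    }
}

// Formula (5.1): timeslots + x * (#messages / timeslots).
double estimate(Protocol p, Phase ph, double n, double x) {
    const double t = timeslots(p, ph, n);
    return t + x * messages(p, ph, n) / t;
}

// Upper end of interval (5.2): the x for which (5.1) equals #messages.
// Clamped to 0 when a phase has fewer messages than timeslots, because the
// interval [0, max] is empty in that case.
double max_impact(Protocol p, Phase ph, double n) {
    const double t = timeslots(p, ph, n), m = messages(p, ph, n);
    return std::fmax(0.0, t - t * t / m);
}

// Protocol with the lowest estimate for a phase, network size and x.
Protocol fastest(Phase ph, double n, double x) {
    const Protocol others[] = {BD2, TBKA};
    Protocol best = BD1;
    for (Protocol p : others)
        if (estimate(p, ph, n, x) < estimate(best, ph, n, x)) best = p;
    return best;
}

int main() {
    const char *name[] = {"BD1", "BD2", "TBKA"};
    const Protocol all[] = {BD1, BD2, TBKA};
    const double sizes[] = {5, 10, 20, 100};
    for (double n : sizes) {
        std::printf("n=%3.0f (init, x=2.00):", n);
        for (Protocol p : all)
            std::printf("  %s=%.1f", name[p], estimate(p, INIT, n, 2.0));
        std::printf("  fastest=%s\n", name[fastest(INIT, n, 2.0)]);
    }
    return 0;
}
```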


Fig. 5.13. Probabilistic model: Initialization (x=2.00)

The ring topology of Burmester-Desmedt I leads to a very inefficient communication behavior, since with each local broadcast only two neighbors can be reached. Moreover, the demand for full broadcast transmissions from each node (round two) consumes a lot of timeslots. Consequently the number of (basic) timeslots is very high and it is then even more increased by a large number of concurrent transmissions. The large difference to both other examined protocols seems reasonable and does therefore disqualify BD1 as a serious opponent for BD2 and TBKA in WMN.

Burmester-Desmedt II scales quite well with an increasing number of nodes. This is due to the binary tree structure and the waiver of full broadcast which makes this solution efficient. The number of (basic) timeslots is very low, only the emerging interference on behalf of the messages per timeslot decreases the final performance result. Assuming a WMN with little interference (e.g. impact factor x = 0.5), BD2 would be faster than TBKA (note the results of both protocols for five and ten nodes).

The Tree Based Key Agreement protocol does not have a fixed logical structure and does therefore not use the specific advantage of wireless mesh networks (very efficient local broadcasting). Due to a large round number ($\log_2 n$), the number of (basic) timeslots is very high for TBKA. But because TBKA does not transmit broadcast messages, the number of simultaneous transmissions is very low, which leads to a very efficient scaling for a large number of nodes. Finally, this allows TBKA to reach the first performance place in this test.

Fig. 5.14. Probabilistic model (x=2.00): Join (left), Leave (right)


Figure 5.14 presents the performance results for the dynamic part of the group key agreement protocols: Join and Leave. Now, Burmester-Desmedt II reaches the best results, which is obvious due to the fact that BD2 is the only GKA protocol in this test that does not provide contributiveness. A joining node does not induce a complete key refreshment with all nodes for BD2, but for both other solutions. Moreover, it does not surprise that BD1 offers the worst performance, because of the extensive use of full broadcasts and the inadequate ring structure. Finally, we can draw the conclusion that, from the performance aspect, TBKA fits best to static wireless mesh networks, while BD2 is optimal for dynamic WMN. Though we are confident that our probabilistic model is a reasonable approach for determining the network protocol performance in WMN, the actual practical significance of our results depends on the feasibility of the used model and its options (i.e. impact factor x). Therefore we present practical results in section 5.3.6 to estimate the practical relevance of these theoretical results.

Probabilistic model revisited

The probabilistic model for the performance estimation of cryptographic protocols in WMN makes some abstractions regarding unknown factors of the network. This is necessary to make a computation of performance results possible, because perfectly modeling all aspects of WMN would not be realizable. We are using $\frac{\#\text{messages}}{\text{timeslots}}$ to estimate the wireless interference in the probabilistic model. The impact factor (x) describes the impact of wireless interference on the communication. Further on the amount of additional communication due to wireless interference (e.g. retransmissions) obviously depends on the practical scenario of the WMN, since it is clear that simultaneous transmissions in a wide area cause less interference than simultaneous transmissions in a small room. Therefore the impact factor x is used to adapt to all practical conditions (network density, quality of wireless signals, etc.) in one option. With this approach we are dealing with all conditions in total, but not with individual effects.

Generally, we do not have unique WMN nodes in our model, meaning that all nodes have the same bandwidth, the same transmission and interference range and the same computation power. This abstraction is of course necessary to be able to compute deterministic results. The performance estimation takes place under ideal conditions, which means that no external interference is considered. Moreover, no selective interference sources can be modeled. Finally the probabilistic model does not allow different logical and physical topologies which will lead to less optimal results, unless the physical structure of the network matches the logical structure of the protocol perfectly.

However, due to these drawbacks of the probabilistic model, we decided to develop another model that deals with interference in a simpler way. A major demand was to cut out the biggest weakness of the probabilistic model, the strong assumption on the physical topology. In the following section 5.3.4, we introduce the so called grid model for the performance estimation of cryptographic protocols in wireless mesh networks.


5.3.4 Grid Model for Performance Estimation in WMN

The name “grid model” refers to the physical structure of this performance estimation model. Other than in the probabilistic model, where the logical structure of the protocol specifies the physical structure, we align all nodes in a grid structure. By this means, we provide the same conditions to each of the tested protocols, without preferring a single one. The grid structure was also considered by some other authors, e.g. Robinson et al. [85].

Fig. 5.15. Alignment and wireless range in the grid model

Besides the assumption on the physical structure, the modeling of the interference differs from the probabilistic model. We make a certain assumption on wireless interference by saying that simultaneous transmissions are only allowed, if the particular transmissions are not within their wireless range. In this way, we exclude the probabilistic interference impact by forbidding the occurrence of concurrent transmissions. This leads to a digital interference behavior that is easy to understand and easy to apply to theoretic performance estimations. Figure 5.15 shows the grid model and the wireless range of the nodes, whereby we assumed a radial wireless range of 1, so that only neighboring nodes on the same axis are able to communicate with each other. Diagonally positioned nodes with a distance of $\sqrt{2}$ are out of range.

Fig. 5.16. Allowed simultaneous transmissions in the grid model

Figure 5.16 illustrates simultaneous transmissions that are allowed according to the interference restrictions of the grid model in a 3x3 node alignment. The range of the transmissions from sender 1 and 2 (S1, S2) must not collide at one node. For simplicity reasons and with reservation, we assume the interference range equal to the transmission range. If the results vary considerably from practical results (that are by the way always bound to a specific scenario), then finding a reasonable average relation between both ranges is a point for further research.

Like in the probabilistic model, we use Timeslot (TS) as the measurement unit (definition 5.2) and messages with uniform size. While protocol messages to direct neighbors can be delivered within one timeslot, messages sent to a distant node need #Hops timeslots, whereby #Hops is the number of single transmissions from the start to the end point. Simultaneous transmissions are allowed as long as the interference radii do not overlap. All transmissions are synchronous and we have a determined sending order as in the probabilistic model. Likewise, routing is given and all nodes have knowledge of the network structure and their own position in the network. Due to the introduced restrictions of the grid model, the theoretic results determine a lower bound for the performance of a protocol.

Additionally, the grid model is not restricted to structures with symmetric edge lengths; discontinuous structures are allowed as well. This enables performance estimations in the case that the physical structure is already given, since the physical structures can be recreated/approximated with some simplifications. Figure 5.17 shows an example.

Fig. 5.17. Approximation of an already given physical structure

Performance Estimation

Prior to the performance estimation of a cryptographic protocol in the grid model, some important points have to be considered. The first point arises in connection with the physical grid structure. Many cryptographic protocols have a special logical structure (ring, binary tree, etc.) that does not fit perfectly into the grid. As a consequence, we need a mapping algorithm that adapts the logical structure of the protocol in a perfect way to the grid structure.

[Figure 5.18 panels: Burmester-Desmedt I, Burmester-Desmedt II]

Fig. 5.18. Mapping: Logical to physical structure

Figure 5.18 shows the mapping of the logical protocol structure to the physical structure for Burmester-Desmedt I and II. Since the mapping algorithm for BD1 is trivial, we only show the mapping algorithm for BD2.

1. Select two neighboring nodes U1, U2 in the middle of the grid as the two root nodes and set position(U1) := 1 and position(U2) := 2. i := 3.
2. Choose j with used(j) = false and position(j) minimal. Set current node := j.
3. Attach two nodes (least distance that is possible and not yet attached) to current node. For each node U′ attached, set position(U′) := i and increase i.
4. Set used(current node) := true.
5. Proceed with 2. or terminate when all nodes attached.

The tree based key agreement protocol (TBKA) does not have a fixed logical structure¹, but only general rules for the selection of the logical neighbors. However, TBKA’s protocol design (many small rounds, ≈ $\log_2 n$) makes it easy to choose the next logical communication partner from the direct physical neighbors. This approach leads to an efficient and automatic adaption to the physical network structure without the need for an independent mapping algorithm. Generally the mapping to the physical structure demands random decisions, because there is usually more than one solution that fits perfectly to the physical structure. Note that this also holds for TBKA, as the subset of direct physical neighbors can be greater than the number of required logical communication partners.

¹ We use a logical line structure for TBKA in the probabilistic model due to lack of a usable structure
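The five mapping steps for BD2 as an added example, not the thesis's implementation; it also counts the tree edges that are longer than one grid hop, which is what Definition 5.4 excludes for a perfect mapping. Assumptions made here: ties between equally distant nodes are broken by the lowest cell index instead of a random decision, and the names map_bd2, hops and is_perfect are hypothetical.

```cpp
// Added example (not the thesis's code): the five mapping steps for BD2 on a
// w x h grid, with ties between equally distant nodes broken by lowest index.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <vector>

struct Mapping {
    std::vector<int> position;  // position[cell] in 1..n (order of attachment)
    std::vector<int> parent;    // tree parent of each cell, -1 for both roots
    int detours;                // tree edges longer than one hop
};

// Hop distance between two cells when only axis neighbors are in range.
static int hops(int a, int b, int w) {
    return std::abs(a % w - b % w) + std::abs(a / w - b / w);
}

// Requires w * h >= 2. Cells are numbered row by row: cell = y * w + x.
Mapping map_bd2(int w, int h) {
    const int n = w * h;
    Mapping m;
    m.position.assign(n, 0);
    m.parent.assign(n, -1);
    m.detours = 0;

    // Step 1: two neighboring cells in the middle of the grid become roots.
    const int u1 = ((h - 1) / 2) * w + (w - 1) / 2;
    const int u2 = (w >= 2) ? u1 + 1 : u1 + w;
    std::vector<int> byPosition;  // cells in increasing position
    m.position[u1] = 1;
    byPosition.push_back(u1);
    m.position[u2] = 2;
    byPosition.push_back(u2);
    int i = 3;

    // Steps 2 to 5: visit attached cells in position order (step 2) and
    // attach the two nearest free cells to each (step 3). Advancing `next`
    // marks the current node as used (step 4); the loop ends when every
    // cell has a position (step 5).
    for (std::size_t next = 0; i <= n; ++next) {
        const int current = byPosition[next];
        for (int k = 0; k < 2 && i <= n; ++k) {
            int best = -1;
            for (int c = 0; c < n; ++c)
                if (m.position[c] == 0 &&
                    (best < 0 || hops(current, c, w) < hops(current, best, w)))
                    best = c;
            m.position[best] = i++;
            m.parent[best] = current;
            byPosition.push_back(best);
            if (hops(current, best, w) > 1) ++m.detours;  // needs forwarding
        }
    }
    return m;
}

// Definition 5.4: perfect if all logical neighbors are physical neighbors.
bool is_perfect(const Mapping &m) { return m.detours == 0; }

int main() {
    for (int side = 2; side <= 6; ++side) {
        const Mapping m = map_bd2(side, side);
        std::printf("%dx%d grid: %d detour edge(s), perfect=%s\n", side, side,
                    m.detours, is_perfect(m) ? "yes" : "no");
    }
    return 0;
}
```

A randomized tie-break, repeated over several runs as the text describes, would replace the lowest-index rule in the innermost loop.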


A perfect mapping is reached when the protocol needs a minimum number of local broadcasts. In particular, it does not include detours (diagonal lines in Figure 5.18), which lead to a higher number of messages due to forwarding when a node cannot be reached directly (limited transmission radius).

Definition 5.4 (Perfect mapping). A mapping from the logical protocol structure to the physical network structure is perfect, if all logical neighbors in the protocol are physical neighbors.

There is always a perfect mapping for Burmester-Desmedt I, when the product of the axis lengths of the grid is even. Unfortunately, there is no such perfect mapping for the Burmester-Desmedt II protocol into the grid structure. Our algorithm accomplishes a nearly perfect mapping by using a fuzzing approach, which may not lead to the best result in each case. Therefore the algorithm is executed several times with different random decisions, which leads to a good result on average. TBKA has a loose structure and therefore the definition of perfect mapping is not reasonable for this protocol. The embedded neighbor finding algorithm from TBKA uses random decisions for choosing the nodes that should agree on a common (sub-)key. However, the chosen nodes are always physical neighbors. Different structures lead to slightly different performance estimations, so that we compute the mappings several times and execute the protocol with each mapping to get an average. Mapping is the first step (1) of the performance estimation.

The second step (2) of the performance estimation is executing the network protocol for the given mapping. Since most protocols do not have a determined communication order (who sends first?), we also need random decisions in this performance estimation step. An obvious example for that is Burmester-Desmedt I, where all nodes would start the first communication round simultaneously when powered up at the same time. In practice, several nodes within the same interference radius cannot transmit simultaneously. Therefore our randomization approach approximates the reality by specifying a sending order, which again means that different protocol runs will need a different number of steps (timeslots) for computing the common group key.

Since the randomization of the protocol execution and the non-deterministic mapping algorithm both induce different performance results, we have to summarize the results and build an average in a third step (3). We have performed 100 protocol runs, each with different random decisions, and calculated an average over the number of needed protocol steps (in timeslots). Note that the number of steps clearly differs from the number of rounds of the protocol, since in each step only a direct communication to the physical neighbors is allowed. A protocol round consists of several steps, whereby one step is counted as one timeslot. The abstraction in this point is that we say that each transmission needs the same time, which is not surprising under the condition that there is no interference, the distances between the nodes are standardized and the message size is fixed due to our model assumptions.

Simulation

We have implemented a simulator in C++ that executes these three steps for the initialization phase of BD1, BD2 and TBKA. The protocols are executed several times, using different mappings. Further on, the simulator works according to the following pseudocode:

DO {
    WHILE (Grid not completely used AND transmissions pending) DO {
        Randomly choose node
        Perform transmission according to protocol definition
        Block other nodes in interference range
    }
    Increase timeslot counter
    Clear interference range blocks
} UNTIL (Group key can be computed)
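The timeslot loop of the pseudocode as a runnable added example (not the thesis's simulator), narrowed to one workload: every node's value is flooded to all nodes of a w × h grid, the pattern of the full broadcasts in BD1's second round. Assumptions made here: the interference range equals the transmission range of 1, a sender is blocked when its range would collide at any node with the range of a sender already chosen in that timeslot, and all names are hypothetical.

```cpp
// Added example (not the thesis's simulator): the timeslot loop of the
// pseudocode for one workload, flooding every node's value X_v to all nodes.
#include <algorithm>
#include <cstdio>
#include <deque>
#include <numeric>
#include <random>
#include <utility>
#include <vector>

struct GridResult {
    int timeslots;  // steps until every node knows every value
    int messages;   // local broadcasts performed
};

// Grid neighbors of cell v at distance 1 (transmission range 1, no diagonals).
static std::vector<int> neighbors(int v, int w, int h) {
    std::vector<int> nb;
    const int x = v % w, y = v / w;
    if (x > 0) nb.push_back(v - 1);
    if (x < w - 1) nb.push_back(v + 1);
    if (y > 0) nb.push_back(v - w);
    if (y < h - 1) nb.push_back(v + w);
    return nb;
}

// One randomized run on a w x h grid. Assumptions of this example:
// interference range = transmission range = 1, one value per message,
// every node rebroadcasts each value once after it first learns it.
GridResult simulate_flooding(int w, int h, unsigned seed) {
    const int n = w * h;
    std::mt19937 rng(seed);
    std::vector<std::vector<char> > known(n, std::vector<char>(n, 0));
    std::vector<std::deque<int> > pending(n);  // values still to broadcast
    for (int v = 0; v < n; ++v) {
        known[v][v] = 1;
        pending[v].push_back(v);
    }
    long knownPairs = n;  // done when all n * n (node, value) pairs are known
    std::vector<int> order(n);
    std::iota(order.begin(), order.end(), 0);
    GridResult r = {0, 0};

    while (knownPairs < static_cast<long>(n) * n) {
        std::shuffle(order.begin(), order.end(), rng);  // random sending order
        std::vector<char> covered(n, 0);                // blocks for this slot
        std::vector<std::pair<int, int> > sent;         // (sender, value)
        for (int s : order) {
            if (pending[s].empty()) continue;
            const std::vector<int> nb = neighbors(s, w, h);
            bool blocked = covered[s] != 0;
            for (int u : nb) blocked = blocked || covered[u] != 0;
            if (blocked) continue;  // its range would collide at some node
            covered[s] = 1;
            for (int u : nb) covered[u] = 1;
            sent.push_back(std::make_pair(s, pending[s].front()));
            pending[s].pop_front();
        }
        // Synchronous delivery at the end of the timeslot.
        for (const std::pair<int, int> &tx : sent)
            for (int u : neighbors(tx.first, w, h))
                if (!known[u][tx.second]) {
                    known[u][tx.second] = 1;
                    ++knownPairs;
                    pending[u].push_back(tx.second);
                }
        r.messages += static_cast<int>(sent.size());
        ++r.timeslots;  // blocks are cleared by the fresh `covered` next slot
    }
    return r;
}

// Average number of timeslots over `runs` runs with seeds 1..runs.
double average_timeslots(int w, int h, int runs) {
    double sum = 0;
    for (int s = 1; s <= runs; ++s) sum += simulate_flooding(w, h, s).timeslots;
    return sum / runs;
}

int main() {
    for (int side = 2; side <= 5; ++side)
        std::printf("%dx%d grid: %.1f timeslots on average (100 runs)\n",
                    side, side, average_timeslots(side, side, 100));
    return 0;
}
```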

This process is performed until the evaluated protocol completes (group key can be computed), which means that all necessary messages are transmitted and received by the right receiver. After the execution, the number of timeslots is saved and the simulation can start over. As our actual model assumes a fixed grid structure, we have omitted the simulation of joining and leaving nodes and consider that later.

Performance Results

Figure 5.19 shows the averaged results of 100 protocol runs, created with our grid simulation software.

Fig. 5.19. Grid simulation results (average of 100 runs)

The grid simulator executes the GKA protocols precisely according to the rules of our grid model in the above mentioned three steps. Remarkably the results are very similar to the results of the probabilistic model. TBKA turns out to be the fastest GKA protocol of the test. Especially for higher node numbers, this becomes obvious, concluding that the tree based key agreement protocol scales very well with the number of nodes. Burmester-Desmedt I (BD1) is by far the slowest protocol for all network sizes. The second Burmester-Desmedt protocol (BD2), in contrast, shows a very good behavior for smaller networks (up to 16 nodes), which is very near to the TBKA protocol. Only for larger networks, TBKA provides a better scaling and is faster than BD2.

Grid model revisited

Similar to the probabilistic performance estimation model, the grid model makes several abstractions but has also options that have influence on its practical feasibility. The main abstraction is of course the modeling of wireless interference with the introduction of sending permissions. However, this can be regarded as a disadvantage as related to the practical feasibility, since in practice every node may try to send at arbitrary times. Certainly simultaneous transmissions in reality may fail when senders are in the same interference radius, but this is actually not a digital decision. Preventing concurrent transmissions in the same interference radius is a compromise solution that enables a simpler theoretic simulation on the one hand, but has to be tested towards its real practical feasibility on the other hand.

Li et al. [160] found out that the interference radius from WiFi devices is bigger than their transmission radius in ad-hoc networks. Therefore our model allows to regulate the transmission and the interference radius independently. Other than in reality, both radii are fixed radial (circular) areas around a node and cannot have arbitrary structures. Nevertheless, regulating the transmission and interference radius independently is the first option to further improve the practical feasibility of our model.

A next development step towards practical feasibility is breaking up the fixed grid structure. Our model allows to replicate actual network structures by modifying the x- and y-axis of the grid and omitting particular nodes within the grid. In this way, real structures can be approximated with only the limitation that vertical and horizontal distances between the nodes have to be fixed (grid aligned).

5.3.5 Model Comparison: Probabilistic vs. Grid Model

The probabilistic and the grid model are both approaches that approximate the behavior of cryptographic protocols in real wireless mesh networks. Both models use abstractions of real world properties, which are summarized in Figure 5.20.

| | Probabilistic Model | Grid Model |
| --- | --- | --- |
| Physical structure | = logical structure | n × m grid |
| Structure known | yes | yes |
| Routing given | yes | yes |
| Transmission range | direct neighbor | variable |
| Interference | $x \cdot \frac{\#\text{messages}}{\text{timeslots}}$ | excluded |
| Interference range | none | variable |
| Measurement unit | timeslots (TS) | timeslots (TS) |

Fig. 5.20. Abstractions of both models


The biggest advantage of the grid model over the probabilistic model is the assumption on the physical structure, whereby the assumed physical structure has a questionable practical feasibility in the probabilistic model. Using one generic structure for all protocols provides a better comparability of the protocols than assuming an optimal structure by using the given logical structures of the single protocols. In practice having an optimal structure including appropriate transmission and interference range is very unlikely so that the grid model provides more realistic results in general.

A known structure and a given routing cannot be expected in practice and may therefore be regarded as drawbacks of both models. However, there are two possibilities to improve this. Either there must be performance value compensation for these features in the model or the cryptographic protocols have to be modified in a way that both features are included. Actually it is more reasonable to include routing features into the protocol, because this is more flexible than adding a constant overhead to every protocol.

The transmission range strongly depends on the practical setup and can therefore only be assumed, as long as no practical presets are given. Restricting the transmission range to the direct neighbors is a good starting point, so that both models are reasonable in this point. Moreover both the transmission range and the interference range are variable in the grid model, enabling a better scaling than in the probabilistic model.

Modeling the interference with an impact factor can result in perfectly approximated results. The downside is that the impact factor is applied globally and therefore it is not able to describe single effects independently. Excluding the occurrence of interference by using sending permissions is on the one hand more precise but does on the other hand not allow modeling general impacts (e.g. constant background noise) or interference impacts with different strengths. All in all modeling interference with an impact factor does not consider the structure of the evaluated protocol, only the average number of messages sent out per timeslot. In contrast, the grid model considers interference of every single transmission, even if interfering connections are blocked completely (superimpositions are not allowed). However, the interference modeling of the grid model is better adapted to the physical structure (grid aligned, cf. Fig. 5.17) and the properties of the protocol and it is therefore better suited to estimate the reality.

Performance Results

Figure 5.21 illustrates the performance results from both models, the grid model and the probabilistic model. The chosen impact factor x = 2.99 leads to equal results for BD2 and 100 nodes. This decision was made, since we have the smallest differences at the other protocols with this adaption.


Fig. 5.21. Grid model (left) and Probabilistic model with x=2.99 (right)

Comparing the results of the two models leads to the conclusion that both predict a similar trend. In detail, BD1 grows much faster in the probabilistic model than in the grid model, whereas BD2 and TBKA behave almost the same way in both. Figure 5.22 shows the absolute numerical differences between the probabilistic and the grid model for the three tested protocols. These differences are caused by different estimation qualities (e.g. due to different physical structures and, in general, different approaches of the models) and by estimation inaccuracies. An important source of inaccuracy is that different network sizes are compared with each other, e.g. 16 and 20 nodes.

Fig. 5.22. Difference: Grid and probabilistic model with x = 2.99

Apart from BD1, we are able to conclude that both models come to similar results when using an adapted impact factor (i.e. x = 2.99) for the probabilistic model. As the results of the two independent models (with different abstractions/assumptions) confirm each other, we are confident that our results are reasonable. This conclusion demands an explanation for the different behavior of Burmester-Desmedt I. BD1 has an internal ring structure and uses full broadcasts, as worked out in section 5.2.2. The two models handle this with different performance. The grid model uses a grid structure, while in the probabilistic model the estimation is made with a physical ring structure (assumption: physical = logical structure). The physical structures (grid vs. ring) have a different impact on broadcasts, as a broadcast message reaches between two and four nodes simultaneously in the grid structure, while this is restricted to only two nodes in the ring structure (probabilistic model). Because most messages ($n^2 - 2n$ of $n^2 - n$) of BD1 are broadcast, the performance is considerably better in the grid model. There is hardly any divergence for TBKA and BD2, because the logical structures of these protocols are more feasible for WMN.

We can draw two conclusions from this section. First, both estimation models generate equivalent results for WMN with general structures like the binary tree or grid structure when using an adapted impact factor. Second, the TBKA protocol scales best with an increasing number of nodes in WMN.

5.3.6 Practical Measurements in a Testbed

In this section, we present performance measurement results from a practical test setup carried out in the context of a student work [161]. The testbed consists of nine Linksys WRT54 routers with 200 MHz MIPSel CPUs and 16 MB of RAM, running an adapted Linux distribution with a 2.4 kernel. This hardware is very common and widely deployed in community network projects, so it forms a realistic basis for wireless mesh network tests. The nine nodes are physically arranged as a 3x3 grid as in the grid model (see Figure 5.15). In this test setup, only direct physical neighbors were able to communicate with each other, which was accomplished by applying an antenna attenuation (same attenuation for all antennas) and by using the same distance between all nodes.

In practice, interference is handled by the IEEE 802.11 CSMA/CA mechanism called RTS/CTS: A sender observes the channel for transmissions. If it is free, the sender sends out the Ready-To-Send (RTS) packet, which should be answered with Clear-To-Send (CTS) before the sender may start its transmission. If the channel is not free, the sender waits for a random time. This means that in practice every node tries to send out pending data when the channel is free (or believed to be free – hidden node problem).

Our first practical test concentrated on the Burmester-Desmedt II protocol, which should produce similar results to the TBKA protocol for nine nodes according to both simulation models. The protocol was implemented in C and the cross-compiled MIPSel binaries were installed in the router firmware, so that the nine devices could be used to determine the performance values of the key agreement protocol autonomously. Note that, in contrast to the grid model, there are no restrictions on simultaneous transmissions, nor is the communication coordinated by an external source. We expect slightly better results than from the grid simulation, because the hard restrictions on the communication behavior are probably not a realistic assumption.

The measurement procedure was performed in two steps: the initial measurement only determines the average timeslot duration, and the second step measures the actual group key agreement protocol performance. A precondition for both tests is synchronized clocks on all nodes (time synchronization every 60 seconds), so that reliable time measurements can be made on every node. The initial measurement is executed with different nodes to account for inaccuracies due to the position and link quality of the particular nodes. The initial measurement is executed for a pair of nodes, whereby 100 transmissions were made. Sender and receiver write the current time into a local logfile when they transmit or receive a message. After the measurement, all logfiles are gathered and aggregated, and the average is computed.

Initial measurement:
1. $T_{start} := T_{current\ time}$
2. Execute: Single message transmissions. Count messages ($\#msg$)
3. $T_{end} := T_{current\ time}$
4. ∅ timeslot duration $T_{timeslot} := \frac{T_{end} - T_{start}}{\#msg}$ (in ms)

The protocol performance measurement is executed with all nodes of the test network, whereby 100 test runs are performed. All nodes are initialized synchronously over a wired connection, so that the protocol run starts at nearly the same time on all nodes. The start and end time of the protocol run (and further debugging information) are written into local logfiles on the nodes, which are downloaded afterwards. All results are aggregated and an average is calculated over all values to get meaningful results.

Protocol performance measurement:
1. $T_{start} := T_{current\ time}$
2. Execute: GKA processes
3. $T_{end} := T_{current\ time}$
4. Protocol performance $P := \frac{T_{end} - T_{start}}{T_{timeslot}}$ (in timeslots)

The results of the measurement are averaged over 100 protocol runs, whereby a static mapping of the logical to the physical structure was used. Figure 5.23 illustrates the mapping of both structures and the internal logical structure of BD2 for this setup. We use a static structure because the focus of the measurement lies only on the real performance of the BD2 protocol in a WMN grid alignment, not on a practical application. A flexible structure would demand a topology agreement protocol before the actual protocol run, which would yield performance results that do not fit the protocol description of BD2. Developing flexible versions of GKA protocols for operation in practical networks is regarded as future work.

Fig. 5.23. Logical structure used by the practical setup

The average timeslot duration in our test setup was determined as $T_{timeslot} = 751$ ms, whereby some nodes needed a longer time to transmit messages and some nodes a shorter time. Variances in the transmission time can be explained by the current link quality, which changes very frequently in wireless networks, especially when the antennas are attenuated. With the results from 100 test runs, we can determine the average group key agreement duration in our test setup as $T_{\varnothing duration} = 10516$ ms, which leads to the final performance value $P = \frac{10516\,\text{ms}}{751\,\text{ms}} = 14.00$ timeslots.

Fig. 5.24. BD2 with 9 nodes: practical results, grid and probabilistic model

As you can see in Figure 5.24, the results from the practical setup are a little bit faster than the results from the grid model. Since the topology is the same for both setups and the practical results do not differ very much from the simulation results, the practical use of the grid model is confirmed here. The results from the probabilistic model (computed for 9 nodes) with an impact factor of x = 2.99 are notably higher than the results from the grid model. When using an impact factor x = 2.00 for the probabilistic model, the values for 9 nodes adapt to the practical results, but the differences between both models become more distinctive for a higher number of nodes, as Figure 5.25 shows. The differences in Fig. 5.25 are computed in the same way as in Fig. 5.22.


Fig. 5.25. Difference: Grid and probabilistic model with x = 2.00

With an impact factor of x = 2.00, you can clearly see that the results for BD1 become more similar in both models, but the differences for BD2 (≥ 20 nodes) are larger. We can conclude that the conformance of both models strongly depends on the impact factor x used in the probabilistic model. Future practical measurements have to show whether a constant impact factor x can be used for all node numbers or whether this impact factor depends on the node number. Due to the inconsistent divergence (no continuous difference to the grid model) between the results with different impact factors, we conclude that the results from the probabilistic model may be somewhat inaccurate with scaling. In contrast, the interference impact in the grid model is simulated precisely.

Tree Based Key Agreement with Negotiation Extension

The TBKA protocol does not demand a fixed logical structure for the key agreement and is therefore well suited for random topologies. Although no topology exchange is necessary, the TBKA protocol cannot be implemented in its original form. For each round, the current participants, including their key state, must be known. Thus the two-message handshake of each round is extended by a third message that acknowledges the current participants. On average, TBKA needs $\log_2 n$ rounds to compute the common key, whereby the majority of the rounds can be performed simultaneously if the transmission radii do not interfere with each other (according to the grid model).

Let $U_1, \ldots, U_n$ be a dynamic subset $U$ of users who want to compute a common key $K$. $q$ is a large prime number and $g$ generates $Z_q^*$. All users $U_i$ are attached as leaves to a binary key tree according to Figure 5.4. A round in TBKA is defined as the key agreement between two sets of users: $S_i \subset U$ (initiator) and $S_j \subset U$ (responder) with $S_i \cap S_j = \emptyset$, whereby both sets contain at least one user $\in U$. After the key agreement, both sets of users $S_i$ and $S_j$ are merged into a new set $S_{ij}$. In practice, two neighboring users $U_i \in S_i$ and $U_j \in S_j$ perform the DH-based key agreement process, whereby the DH public key of the other set is distributed among the own set. For each completed TBKA round, a new parent node $S_{ij}$ is inserted into the binary key tree. The protocol is completed when the binary key tree is coherent and has a single root node.

Our extension modifies the steps that are executed in each round, while not touching the general concept of TBKA for the initialization phase (described above) and the join, leave, partition and merge phases.

• Step 1: $U_i \in S_i$ sends $1 \| \cdot \| S_i$ via local broadcast, while $S_i$ contains all identifiers of the users within the own subset.
• Step 2: $U_j \in S_j \wedge U_j \notin S_i$. $U_j$ computes $BK_j := g^{k_j} \bmod q$ (DH public key), whereby $k_j$ is the common key of the subset $S_j$. $U_j$ transmits $2 \| S_i \| BK_j \| S_j$ as local broadcast, while $S_j$ contains all identifiers of the users within the responder subset and $S_i$ marks the message as answer to the request from $U_i$.
• Step 3: $U_i \in S_i$ computes $BK_i := g^{k_i} \bmod q$ (DH public key), whereby $k_i$ is the common key of the own subset $S_i$. $U_i$ sends $3 \| S_j \| BK_i$ as local broadcast, while $S_j$ are the identifiers of the responder subset to acknowledge the participants of the key agreement. All users $U_{k'} \notin S_j$ reset their state, while all users $U_k \in S_i \cup S_j$ compute the common key $g^{k_i k_j}$.
• Step 4 (optional): $BK_i$ and $BK_j$ are forwarded to all users $U_k \in S_i \cup S_j$ who have not received the corresponding message yet.

Note regarding step 4 that this step is really necessary in larger networks. When both joining subgroups $S_i$ and $S_j$ contain several users, it is unlikely that sending $BK_i$ once will be sufficient to reach every user in subgroup $S_j$, which may have a diameter of several hops. Therefore $BK_i$ has to be actively forwarded to each user in subgroup $S_j$. The same holds for $BK_j$ and subgroup $S_i$.

New to the protocol is the acknowledgement of the participants of the current round. Without this acknowledgement and the explicit naming of the participants, the computed keys would be inconsistent in practice. We abbreviate the Tree Based Key Agreement protocol with negotiation extension as TBKA (real) in the following.

Practical Test Results for TBKA (real) and Implications

The implementation of the extended TBKA protocol and the execution of the subsequent performance tests were done by Vladislav Mladenov [162] with the testbed introduced above. Figure 5.26 shows the average results of practical tests for 2-9 nodes in timeslots, complemented by simulator results.


Fig. 5.26. Performance of TBKA (real); Practical and simulated results

The duration of one timeslot was determined in a separate test, in which each node transmits only one full-sized random message. All nine nodes were aligned to a grid and the local broadcast messages were sent in sequence. Although the average time for the transmission of one message to a direct neighbor (according to the timeslot definition 5.2) had quite a large variance, the average timeslot duration for all nodes could finally be determined as 0.25s. The practical TBKA (real) performance in timeslots is determined by dividing the total execution time by the average timeslot duration. As you can see from the results in Figure 5.26 (the practical performance result for 4 nodes should be lower), practical results are not always as linear as the results of the simulator. Such variances are due to the physical environment, e.g. a particular reflection of the wireless waves because a person crosses the room. Nevertheless, the implication of this test is clear: the practical results confirm the feasibility of the simulation results.


Fig. 5.27. Extrapolated results for TBKA (real)

In Figure 5.27, we show a logarithmic extrapolation of our test results to confirm the agreement with the grid simulator. We have included two separate simulator results in the graph, whereby both simulator runs use a transmission radius (TR) of 1. The first simulator was configured to use the same interference radius (IR=1) as the transmission radius (TR=1), while the second simulator uses twice the interference radius (IR=2). Note that the transmission radius of our practical test is around 1 and the interference radius is unknown. The practical curve lies very close to the simulated curve with interference radius 1, so that we can assume a good predictability of our simulator with these settings. Several extrapolation algorithms have been tested, whereby the logarithmic extrapolation has shown the best agreement with the real values.
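One round of the negotiation extension (Steps 1 to 3 of TBKA (real) above), as an added Python example that is not the testbed implementation: two subsets answer the same request, and the acknowledgement in message 3 decides which one merges. The toy group (q = 2039, g = 7), the class and function names, the single broadcast domain (so Step 4 is not needed) and the rule that the initiator acknowledges the first answer are assumptions of this example.

```python
import secrets

Q = 2039  # toy prime, constructed for this example and far too small for real use
G = 7     # generates Z_Q^*: Q = 2*1019 + 1 and 7 is a quadratic non-residue mod Q


class User:
    """One mesh node with the state TBKA (real) keeps between messages."""

    def __init__(self, uid, subset, key):
        self.uid = uid
        self.subset = frozenset(subset)  # identifiers of the own subset S
        self.key = key                   # common key k of the own subset
        self.answered = None             # S_i of a request the own subset answered
        self.heard_bk = {}               # responder subset S_j -> BK_j from message 2

    def receive(self, msg):
        if msg[0] == 2:                  # 2 || S_i || BK_j || S_j
            _, s_i, bk_j, s_j = msg
            if s_i == self.subset:       # an answer to the request of our subset
                self.heard_bk[s_j] = bk_j
            elif s_j == self.subset:     # our subset answered the request of S_i
                self.answered = s_i
        elif msg[0] == 3:                # 3 || S_j || BK_i
            _, s_j, bk_i = msg
            if s_j == self.subset and self.answered is not None:
                self._merge(self.answered, bk_i)       # acknowledged responder
            elif s_j in self.heard_bk:
                self._merge(s_j, self.heard_bk[s_j])   # member of the initiator subset
            # Everyone else was not acknowledged and only resets its round state.
            self.answered = None
            self.heard_bk = {}

    def _merge(self, other_subset, other_bk):
        self.key = pow(other_bk, self.key, Q)  # g^(k_i * k_j) mod q
        self.subset = self.subset | other_subset


def run_round(users, initiator_uid):
    """Run steps 1 to 3 once and return the broadcast messages in sending order."""
    ini = users[initiator_uid]
    sent = [(1, None, ini.subset)]       # step 1: second field is empty in message 1
    answers, seen = [], set()
    for u in users.values():             # step 2: one answer per foreign subset
        if u.uid not in ini.subset and u.subset not in seen:
            seen.add(u.subset)
            answers.append((2, ini.subset, pow(G, u.key, Q), u.subset))
    for msg in answers:
        for u in users.values():
            u.receive(msg)
    sent += answers
    if answers:                          # step 3: acknowledge the first answer only
        ack = (3, answers[0][3], pow(G, ini.key, Q))
        for u in users.values():
            u.receive(ack)
        sent.append(ack)
    return sent


def random_key():
    """Secret exponent from {1, ..., Q-1}."""
    return 1 + secrets.randbelow(Q - 1)


def build_users(k_a, k_b, k_c):
    """Constructed scenario: subsets {1,2}, {3} and {4,5} that all hear each other."""
    spec = [(1, {1, 2}, k_a), (2, {1, 2}, k_a), (3, {3}, k_b),
            (4, {4, 5}, k_c), (5, {4, 5}, k_c)]
    return {uid: User(uid, subset, key) for uid, subset, key in spec}


if __name__ == "__main__":
    users = build_users(random_key(), random_key(), random_key())
    for round_no in (1, 2):
        run_round(users, 1)
        print(round_no, {u.uid: (sorted(u.subset), u.key) for u in users.values()})
```

In the first round users 4 and 5 answer but are not named in message 3, so they keep their old subset key and join only in the second round.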

5.4 Improvement of Burmester-Desmedt II

The Burmester-Desmedt II (BD2) protocol [144][145] arranges the users in a logical binary tree structure without root node (see Figure 5.3). Two communication rounds with local broadcast and multicast transmissions are required to complete the GKA protocol. A multicast transmission from each party to its descendants replaces a full broadcast, which reduces the communication complexity in BD2. When we map the logical binary tree structure of BD2 to a physical grid structure, we experience some performance issues with BD2. As you can see in Figure 5.18, there are some diagonal links and links that skip over wireless mesh nodes. Given the assumed radial transmission range, it becomes clear that these particular links introduce additional transmission costs.

The idea is to reduce additional overhead by choosing a logical structure that fits the physical structure better. We present an improvement of BD2 for WMN in section 5.4.1.

5.4.1 Burmester-Desmedt II+

Let $U_1, \ldots, U_n$ be a dynamic subset of users who want to generate a common key $K$. $q$ is a large prime and $g$ generates $Z_q^*$. All users $U_i$ are efficiently attached to a normal unbalanced tree without root node, whereby the number of children for each node can be different (see Figure 5.28).

Fig. 5.28. Burmester-Desmedt II+: Users Ui are arranged as nodes in a normal tree

An efficient algorithm for mapping the logical structure of the protocol to the physical structure of the network builds the foundation for a fast protocol execution. Note that the algorithm always processes both root nodes first:

1. Select two neighboring nodes $U_1, U_2$ in the middle of the grid as the two root nodes and set $position(U_1) := 1$ and $position(U_2) := 2$. $i := 3$.
2. Choose $j$ with $used(j) = false$ and $position(j)$ minimal. Set $current\_node := j$.
3. Attach as many nodes as possible (in range and not yet attached) to $current\_node$. For each node $U'$ attached, set $position(U') := i$ and increase $i$.
4. Set $used(current\_node) := true$.
5. Proceed with 2. or terminate when all nodes are attached.

The algorithm ensures that additional transmission costs are avoided completely, as illustrated in Figure 5.29. We can expect a better performance due to a more efficient protocol behavior.
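The mapping procedure above, as an added Python example (not the thesis's simulator code): it runs the five steps on a rectangular grid and checks that no logical link is longer than one physical hop. The function names, the choice of the two middle nodes and a transmission range that covers only the four direct grid neighbors are assumptions of this example.

```python
from collections import deque


def in_range(node, width, height):
    """Nodes within transmission range of `node` (assumed: the four direct grid neighbors)."""
    x, y = node
    for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        nx, ny = x + dx, y + dy
        if 0 <= nx < width and 0 <= ny < height:
            yield (nx, ny)


def map_bd2plus(width, height):
    """Map the BD2+ tree onto a width x height grid.

    Returns (position, parent): position[node] is the logical index (1 and 2
    are the two roots) and parent[node] the logical parent. The two roots are
    each other's parent, because the tree has no single root node.
    """
    if width < 2 or height < 1:
        raise ValueError("need at least two horizontally adjacent nodes")
    # Step 1: two neighboring nodes in the middle of the grid become the roots.
    u1 = ((width - 1) // 2, (height - 1) // 2)
    u2 = (u1[0] + 1, u1[1])
    position = {u1: 1, u2: 2}
    parent = {u1: u2, u2: u1}
    i = 3
    # Positions are handed out in increasing order, so a FIFO queue always
    # returns the unused node with minimal position (step 2).
    unused = deque([u1, u2])
    while unused:                                      # step 5: loop until all are used
        current = unused.popleft()                     # steps 2 and 4
        for cand in in_range(current, width, height):  # step 3
            if cand not in position:
                position[cand] = i
                parent[cand] = current
                i += 1
                unused.append(cand)
    return position, parent


def extra_hops(parent):
    """Additional transmissions caused by logical links longer than one physical hop."""
    return sum(abs(c[0] - p[0]) + abs(c[1] - p[1]) - 1 for c, p in parent.items())


def tree_height(position, parent):
    """Largest number of logical links between any node and its root."""
    height = 0
    for node in position:
        hops = 0
        while position[node] > 2:  # walk up until one of the two roots is reached
            node, hops = parent[node], hops + 1
        height = max(height, hops)
    return height


if __name__ == "__main__":
    pos, par = map_bd2plus(4, 4)
    for y in range(4):
        print(" ".join(f"{pos[(x, y)]:2d}" for x in range(4)))
    print("extra hops:", extra_hops(par), "height:", tree_height(pos, par))
```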


Fig. 5.29. Mapping the logical BD2+ structure to a physical grid structure

Similar to the processing of the BD2 protocol, the initialization phase of the BD2+ group key agreement protocol is executed right after the mapping process.

• Round 1: Each $U_i$ with $i = 1, \ldots, n$ chooses $k_i \in_R Z_q^*$. Then each $U_i$ computes $BK_i := g^{k_i} \bmod q$ and sends $BK_i$ to its parent $U_{parent(i)}$ and all $m$ children $U_{child_{\{1 \ldots m\}}(i)}$ (local broadcast).
• Round 2: Each $U_i$ computes $\forall k \in \{1 \ldots m\}$

$$X_{child_k(i)} := \left( \frac{BK_{parent(i)}}{BK_{child_k(i)}} \right)^{k_i} \bmod q$$

Then $U_i$ sends $X_{child_{\{1 \ldots m\}}(i)}$ to all descendants (multicast). Each $U_i$ computes the common key

$$K = K_i = BK_{parent(i)}^{k_i} \prod_{j \in ancestor(i)} X_j \bmod q,$$

whereby $ancestor(i)$ stands for all $X_j$ from $U_i$ itself to the root. $K$ has the form $g^{k_1 k_2} \bmod q$.

Note that the mapping algorithm of the logical to the physical structure is not included in the communication complexity analysis. The BD2+ protocol is, just like the BD2 protocol, able to support dynamic scenarios by providing join, leave, partition and merge phases for the topology graph. All those dynamic phases can be applied analogously to the BD2 protocol.

5.4.2 Theoretical Performance Estimations

In this section, the performance of BD2+ is evaluated and compared to other well-known group key agreement protocols. The performance estimations are determined with a simulator written in C++ that operates according to the grid model defined in section 5.3.4. The performance chart in Figure 5.30 illustrates the average results of 100 test runs (for each protocol, network size and with different random decisions) in timeslots according to definition 5.2.


Fig. 5.30. Grid model: Performance Chart including BD2+

The BD2+ group key agreement protocol shows the smallest timeslot values for all network sizes. It is even faster than the previous performance winner TBKA. Due to the optimized internal structure, BD2+ does not need additional transmissions implied by a non-perfect mapping of the logical and the physical structure like it is present in BD1 and BD2. Moreover, some protocol messages (X and BK) can be saved in comparison to BD2, because the BD2+ tree has a smaller average height than a binary BD2 tree. Additionally, the need for message forwarding has been reduced, because logical neighbors in the BD2+ protocol are also physical neighbors when using the BD2+ mapping algorithm.
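The two BD2+ rounds of section 5.4.1 carried through in Python, as an added example that is not the thesis's C or C++ code: every user derives K from the public key of its parent and the X values on its path to the roots. The tree, the toy group (q = 2039, g = 7) and all function names are constructed for this example.

```python
import secrets

Q = 2039  # toy prime, constructed for this example and far too small for real use
G = 7     # generates Z_Q^*: Q = 2*1019 + 1 and 7 is a quadratic non-residue mod Q

# Constructed unbalanced logical tree, child -> parent. Users 1 and 2 are the
# two roots and act as each other's parent (tree without root node).
PARENT = {1: 2, 2: 1, 3: 1, 4: 1, 5: 1, 6: 2, 7: 2, 8: 3, 9: 6, 10: 8}


def children(i):
    """Logical children of user i (a root is never the child of the other root)."""
    return [c for c, p in PARENT.items() if p == i and c > 2]


def round1(k):
    """Round 1: every user broadcasts BK_i = g^(k_i) mod q to parent and children."""
    return {i: pow(G, k_i, Q) for i, k_i in k.items()}


def round2(k, bk):
    """Round 2: user i computes X_c = (BK_parent(i) / BK_c)^(k_i) mod q per child c."""
    x = {}
    for i in PARENT:
        for c in children(i):
            ratio = bk[PARENT[i]] * pow(bk[c], -1, Q) % Q  # division = modular inverse
            x[c] = pow(ratio, k[i], Q)
    return x


def x_path(i):
    """Indices j of the X_j that user i needs: itself and every ancestor below the roots."""
    path = []
    while i > 2:
        path.append(i)
        i = PARENT[i]
    return path


def group_key(i, k, bk, x):
    """K_i = BK_parent(i)^(k_i) * product of X_j over x_path(i), mod q."""
    key = pow(bk[PARENT[i]], k[i], Q)
    for j in x_path(i):
        key = key * x[j] % Q
    return key


def run_bd2plus():
    """Run both rounds for all users; return the secrets and the derived keys."""
    k = {i: 1 + secrets.randbelow(Q - 1) for i in PARENT}  # k_i from {1, ..., Q-1}
    bk = round1(k)
    x = round2(k, bk)
    return k, {i: group_key(i, k, bk, x) for i in PARENT}


if __name__ == "__main__":
    k, keys = run_bd2plus()
    print("g^(k1*k2) mod q =", pow(G, k[1] * k[2], Q))
    print("derived keys    =", keys)
```

Each factor X_j cancels the link key one level further down, which is why user 10 needs X_10, X_8 and X_3 to be forwarded to it, while the two roots need no X value at all.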

5.5 Conclusion

This chapter has dealt with group key agreement protocols in wireless mesh networks. In this context, three basic group key agreement protocols (BD1, BD2 and TBKA) with different logical structures have been presented. Since wireless mesh networks have a special network characteristic, the performance evaluations presented in the papers in which the three basic protocols were proposed cannot be applied to them. Therefore two different models for performance estimation in WMN have been proposed: the probabilistic and the grid model. Practical test results have shown that both models produce feasible results, but the grid model should be preferred due to its better scaling for higher node counts.

Based on the knowledge gained from both models, an efficient variant (BD2+) of Burmester-Desmedt II was created and tested successfully in the simulator. This variant uses the specific attributes of WMN and therefore allows for a much better performance.

The GKA protocols lack an important security feature that is especially needed in public networks: authentication. Without providing the authentication/authorization property, everyone can join a group and compute the common group key. Considering authentication for this setting is an important point for further research.

Chapter 6 Conclusion and Future Work

This chapter concludes the dissertation by summarizing the contributions and outlining future work that should be done in the research field of wireless mesh networks.

6.1 Conclusion

The main goal of this dissertation was providing an efficient and complete security concept for wireless mesh networks (WMN). We have reached that goal following a step-by-step approach that began with the determination of the special network characteristic of WMN. With this knowledge about efficient protocol design, we have been enabled to evaluate, improve and create cryptographic solutions that are particularly adapted to wireless mesh networks. Besides, three cryptographic applications for wireless scenarios have been proposed that involve the knowledge gained in the previous chapters. All of these solutions or their concepts are applicable to WMN but can also be used for classical wireless scenarios.

Following the main line of this dissertation, group key agreement (GKA) protocols turned out to be a more efficient solution for WMN than pairwise key systems, e.g. proposed by the IEEE 802.11s standard. We have introduced two models for performance measurement of network protocols in WMN. These models were used to estimate the performance of three representative GKA protocols afterwards. The tree based key agreement (TBKA) protocol has provided the best performance in WMN, but was overtaken later by an improved variant of Burmester-Desmedt II (BD2) which was developed knowing the WMN network characteristic. The theoretical results were verified with practical measurements to both get a real impression of the tested GKA protocol and to prove the correctness of the performance measurement models.

6.2 Future Work

Generally, there are only few practical measurement results available for wireless mesh networks, especially for single radio WMN, which are ideal for practical projects as their hardware is very cost-effective. Multi radio WMN are certainly far more performant and therefore very present in research, but it is the other way around in practice. Practical results are necessary to support researchers in improving their network protocols, as simulated results do not cover all existing aspects of communication and computation.

Future work is the development of a security concept based on group key agreement protocols, since GKA protocols allow for more efficient group communication, which is useful for multicast applications like audio/video streaming. Such a security concept has to use authenticated group key agreement protocols to be safe against active adversaries. An authentication extension for the introduced BD2+ protocol would be a good starting point to realize such a GKA based security concept for wireless mesh networks.

References

[1] A. Herms, G. Lukas, and S. Schemmer, “Echtzeitfähigkeit für mesh-netzwerke in der automatisierung,” SPS/IPC/DRIVES 2007, 2007.
[2] M. Knödler, “Praktische evalulation der einsatzfähigkeit eines drahtlosen mesh-netzwerkes im industriellen umfeld,” Diploma thesis, Ruhr-University Bochum, 2009.
[3] “Minetronics - incorporating experience in mine automation since 1992 (website),” 2011, https://www.minetronics.com.
[4] “Mit roofnet,” 2011, http://pdos.csail.mit.edu/roofnet/doku.php.
[5] “Freifunk website,” 2011, http://freifunk.net.
[6] IEEE 802.11 Working Group, “IEEE standard for information technology – part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications/amendment 10: Mesh networking,” Draft IEEE 802.11s D3.03, IEEE Computer Society, 2009.
[7] IEEE 802.11 Working Group, “IEEE standard for information technology – part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications,” IEEE 802.11, IEEE Computer Society, 2007.
[8] C. Boyd and A. Mathuria, Protocols for Authentication and Key Establishment, 1st ed. Springer, 9 2003. [Online]. Available: http://amazon.com/o/ASIN/3540431071/
[9] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 2001. [Online]. Available: http://www.cacr.math.uwaterloo.ca/hac/
[10] IEEE 802.3 Working Group, “IEEE standard for information technology – part 3: Carrier sense multiple access with collision detection (csma/cd) access method and physical layer specifications,” IEEE 802.3, IEEE Computer Society, 2008.
[11] J. Padhye, S. Agarwal, V. N. Padmanabhan, L. Qiu, A. Rao, and B. Zill, “Estimation of link interference in static multi-hop wireless networks,” in IMC ’05: Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement. Berkeley, CA, USA: USENIX Association, 2005, pp. 28–28.
[12] T. Frosch, “Interferenzen in meshnetzwerken,” Seminarwork in Summersemester 2009, Ruhr-University Bochum, 2009.

[13] A. Loos, “Mac-layer und routing im wireless mesh networking standard (ieee 802.11s),” Seminarwork in Wintersemester 2009/2010, Ruhr-University Bochum, 2010.
[14] S. R. Fluhrer, I. Mantin, and A. Shamir, “Weaknesses in the key scheduling algorithm of rc4,” in SAC ’01: Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography. London, UK: Springer-Verlag, 2001, pp. 1–24.
[15] E. Tews, R.-P. Weinmann, and A. Pyshkin, “Breaking 104 bit wep in less than 60 seconds,” Cryptology ePrint Archive, Report 2007/120, 2007, http://eprint.iacr.org/.
[16] E. Tews, “Attacks on the wep protocol,” Cryptology ePrint Archive, Report 2007/471, 2007, http://eprint.iacr.org/.
[17] M. Beck and E. Tews, “Practical attacks against wep and wpa,” Cryptology ePrint Archive, Report 2008/472, 2008, http://eprint.iacr.org/.
[18] I. . W. Group., “IEEE standard for information technology – part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications/amendment 6: Medium access control (mac) security enhancements.” IEEE 802.11i, IEEE Computer Society, 2007.
[19] LAN/MAN Standards Committee, “IEEE standard for local and metropolitan area networks – port-based network access control.” IEEE 802.1X, IEEE Computer Society, 2004.
[20] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, “Extensible Authentication Protocol (EAP),” RFC 3748 (Proposed Standard), jun 2004, updated by RFC 5247. [Online]. Available: http://www.ietf.org/rfc/rfc3748.txt
[21] C. Rigney, S. Willens, A. Rubens, and W. Simpson, “Remote authentication dial in user service (radius),” RFC2865, Network Working Group, 2000.
[22] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko, “Diameter base protocol,” RFC3588, Network Working Group, 2003.
[23] A. Noack, “Sicherheitsanalyse von eap-protokollen,” Master thesis, Ruhr-University Bochum, 2007.
[24] Y. Zhang, J. Zheng, and H. Hu, Eds., Security in Wireless Mesh Networks (Wireless Networks and Mobile Communications), 1st ed. Auerbach Publications, 8 2008. [Online]. Available: http://amazon.com/o/ASIN/0849382505/
[25] I. Akyildiz, X. Wang, and W. Wang, “Wireless mesh networks: a survey,” Computer Networks, vol. 47, pp. 445–487, 2005.
[26] L. Zhou and Z. Haas, “Securing ad hoc networks,” Network, IEEE, vol. 13, no. 6, pp. 24–30, 1999.
[27] S. Giordano, “Mobile Ad Hoc Networks,” Handbook of Wireless Networks and Mobile Computing, p. 325, 2002.
[28] L. Liao, “Group key agreement for ad hoc networks,” Cryptology ePrint Archive, Report 2006/006, 2006, http://eprint.iacr.org/.

[29] S. Yousefi, M. Mousavi, and M. Fathy, “Vehicular ad hoc networks (VANETs): challenges and perspectives,” in ITS Telecommunications Proceedings, 2006 6th International Conference on. IEEE, 2006, pp. 761–766.
[30] H. Hartenstein and K. Laberteaux, “A tutorial survey on vehicular ad hoc networks,” Communications Magazine, IEEE, vol. 46, no. 6, pp. 164–171, 2008.
[31] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer networks, vol. 38, no. 4, pp. 393–422, 2002.
[32] A. Perrig, R. Szewczyk, J. Tygar, V. Wen, and D. Culler, “SPINS: Security protocols for sensor networks,” Wireless networks, vol. 8, no. 5, pp. 521–534, 2002.
[33] A. Zimmermann, M. Gunes, M. Wenig, U. Meis, and J. Ritzerfeld, “How to study wireless mesh networks: A hybrid testbed approach,” in Proceedings of the 21st International Conference on Advanced Networking and Applications. IEEE Computer Society, 2007, pp. 853–860.
[34] E. Callaway, P. Gorday, L. Hester, J. Gutierrez, M. Naeve, B. Heile, and V. Bahl, “Home networking with ieee 802.15.4: a developing standard for low-rate wireless personal area networks,” Communications Magazine, IEEE, vol. 40, no. 8, pp. 70–77, 2002.
[35] F. Licandro and G. Schembra, “Wireless mesh networks to support video surveillance: architecture, protocol, and implementation issues,” EURASIP Journal on Wireless Communications and Networking, vol. 2007, no. 1, pp. 34–34, 2007.
[36] “Seattlewireless,” 2011, http://www.seattlewireless.net.
[37] “Funkfeuer website,” 2011, http://www.funkfeuer.at.
[38] M. Iqbal, X. Wang, D. Wertheim, and X. Zhou, “Swanmesh: a multicast enabled dual-radio wireless mesh network for emergency and disaster recovery services,” Journal of Communications, vol. 4, no. 5, pp. 298–306, 2009.
[39] P. Gupta and P. Kumar, “The capacity of wireless networks,” Information Theory, IEEE Transactions on, vol. 46, no. 2, pp. 388–404, 2000.
[40] P. Kyasanur and N. Vaidya, “Capacity of multi-channel wireless networks: impact of number of channels and interfaces,” in Proceedings of the 11th annual international conference on Mobile computing and networking. ACM, 2005, pp. 43–57.
[41] M. Kodialam and T. Nandagopal, “Characterizing the capacity region in multi-radio multichannel wireless mesh networks,” in Proceedings of the 11th annual international conference on Mobile computing and networking. ACM, 2005, pp. 73–87.
[42] A. S. Tanenbaum, Computer Networks (4th Edition), 4th ed. Prentice Hall, 8 2002. [Online]. Available: http://amazon.com/o/ASIN/0130661023/
[43] A. Tanenbaum, Computer networks, ser. Prentice Hall international editions. Prentice Hall PTR, 2003. [Online]. Available: http://books.google.com/books?id=Pd-z64SJRBAC

124

References

[44] S. N. Bhatti, “Lecture notes for m.sc. data communication networks and distributed systems,” D51 - Basic Communications and Networks, Department of Computer Science University College London, 1995. 25, 26 [45] O. Oyman, N. Laneman, and S. Sandhu, “Multihop relaying for broadband wireless mesh networks: from theory to practice,” Communications Magazine, IEEE, vol. 45, no. 11, pp. 116–122, 2007. 26, 44 [46] A. Raniwala and T. Chiueh, “Architecting a high-capacity last-mile wireless mesh network,” in Proceedings of MobiCom, 2004. 27, 28, 45, 46 [47] J. Li, C. Blake, D. De Couto, H. Lee, and R. Morris, “Capacity of ad hoc wireless networks,” in Proceedings of the 7th annual international conference on Mobile computing and networking.

ACM, 2001, pp. 61–69. 27, 39

[48] T. Frosch, “Charakteristik von wireless mesh-netzwerken,” Bachelor thesis, Ruhr-University Bochum, 2009. 27, 32, 38, 40, 41, 42, 43 [49] A. Subramanian, M. Buddhikot, and S. Miller, “Interference aware routing in multi-radio wireless mesh networks,” in Wireless Mesh Networks, 2006. WiMesh 2006. 2nd IEEE Workshop on.

IEEE, 2006, pp. 55–63. 28, 29

[50] M. Bahr, “Proposed routing for ieee 802.11 s wlan mesh networks,” in Proceedings of the 2nd annual international workshop on Wireless internet.

ACM, 2006, pp. 5–es. 30

[51] J. Camp and E. Knightly, “The IEEE 802.11s extended service set mesh networking standard,” Communications Magazine, IEEE, vol. 46, no. 8, pp. 120–126, 2008. 30, 32 [52] R. Bellman, “On a Routing Problem,” Quarterly of Applied Mathematics, vol. 16, pp. 87–90, 1958. 30 [53] L. Ford and D. Fulkerson, Flows in networks.

Princeton Univ Pr, 1962. 30

[54] J. McQuillan, I. Richer, and E. Rosen, “The new routing algorithm for the ARPANET,” Communications, IEEE Transactions on, vol. 28, no. 5, pp. 711–719, 1980. 30 [55] C. Hedrick, “Routing Information Protocol,” RFC 1058 (Historic), Internet Engineering Task Force, June 1988, updated by RFCs 1388, 1723. [Online]. Available: http: //www.ietf.org/rfc/rfc1058.txt 30 [56] G. Malkin, “RIP Version 2,” RFC 2453 (Standard), Internet Engineering Task Force, Nov. 1998, updated by RFC 4822. [Online]. Available: http://www.ietf.org/rfc/rfc2453.txt 30 [57] W.

Schulte,

Handbuch

Suedwestdeutscher

Verlag

der

Routing

fuer

Protokolle

Hochschulschriften,

der

Netze

(German

9

2009.

[Online].

Edition). Available:

http://amazon.com/o/ASIN/3838110668/ 30 [58] E. Dijkstra, “A note on two problems in connexion with graphs,” Numerische mathematik, vol. 1, no. 1, pp. 269–271, 1959. 30, 33 [59] J. Moy, “OSPF Version 2,” RFC 2328 (Standard), Internet Engineering Task Force, Apr. 1998, updated by RFC 5709. [Online]. Available: http://www.ietf.org/rfc/rfc2328.txt 30

References

125

[60] R. Callon, “Use of OSI IS-IS for routing in TCP/IP and dual environments,” RFC 1195 (Proposed Standard), Internet Engineering Task Force, Dec. 1990, updated by RFCs 1349, 5302, 5304. [Online]. Available: http://www.ietf.org/rfc/rfc1195.txt 30 [61] T. Clausen and P. Jacquet, “Optimized link state routing protocol (olsr),” Published Online, Internet Engineering Task Force, RFC 3626, October 2003. [Online]. Available: http://rfc.net/rfc3626.txt 30, 33 [62] R. P. Institute, “Graph theory applet,” http://links.math.rpi.edu/applets/appindex/ graphtheory.html, 1998. 30 [63] C. Perkins, E. Belding-Royer, and S. Das, “Ad hoc On-demand Distance Vector (AODV),” Request For Comments (RFC), vol. 3561, 2003. 30, 33 [64] D. Johnson, D. Maltz, Y. Hu, and J. Jetcheva, “The dynamic source routing protocol for mobile ad hoc networks (DSR),” 2002. 30 [65] G. Acs, L. Buttyan, and I. Vajda, “Provably secure on-demand source routing in mobile ad hoc networks,” Mobile Computing, IEEE Transactions on, vol. 5, no. 11, pp. 1533–1546, 2006. 30 [66] L. Butty´ an and I. Vajda, “Towards provable security for ad hoc routing protocols,” in Proceedings of the 2nd ACM workshop on Security of Ad hoc and Sensor Networks. ACM, 2004, pp. 94–105. 30 [67] M. Campista, P. Esposito, I. Moraes, L. Costa, O. Duarte, D. Passos, C. de Albuquerque, D. Saade, and M. Rubinstein, “Routing metrics and protocols for wireless mesh networks,” Network, IEEE, vol. 22, no. 1, pp. 6–12, 2008. 32 [68] D. S. J. D. Couto, D. Aguayo, J. Bicket, and R. Morris, “A high-throughput path metric for multi-hop wireless routing,” in Proceedings of the 9th annual international conference on Mobile computing and networking.

San Diego, CA, USA: ACM, 2003, pp. 134–146.

[Online]. Available: http://portal.acm.org/citation.cfm?id=939000 32 [69] C. Koksal and H. Balakrishnan, “Quality-Aware routing metrics for Time-Varying wireless mesh networks,” Selected Areas in Communications, IEEE Journal on, vol. 24, no. 11, pp. 1984–1994, 2006. 32 [70] R. Draves, J. Padhye, and B. Zill, “Routing in multi-radio, multi-hop wireless mesh networks,” in Proceedings of the 10th annual international conference on Mobile computing and networking.

Philadelphia, PA, USA: ACM, 2004, pp. 114–128. [Online]. Available:

http://portal.acm.org/citation.cfm?id=1023732 32 [71] P. Gupta and P. Kumar, “The capacity of wireless networks,” Information Theory, IEEE Transactions on, vol. 46, no. 2, pp. 388–404, 2000. 32 [72] A. Subramanian, M. Buddhikot, and S. Miller, “Interference aware routing in Multi-Radio wireless mesh networks,” 2006. 32 [73] C. Menzel, “Routing in mesh-netzwerken,” Seminarwork in Wintersemester 2008/2009, Ruhr-University Bochum, 2009. 32

126

References

[74] C. Adjih, T. Clausen, P. Jacquet, A. Laouiti, P. Muhlethaler, and D. Raffo, “Securing the OLSR protocol,” in Proceedings of Med-Hoc-Net.

Citeseer, 2003, pp. 25–27. 33

[75] A. Boyett and N. Thill, “Openwrt – wireless freedom,” Website, 2011, http://openwrt.org/. 33 [76] A. Neumann, C. E. Aichele, and M. Lindner, “B.a.t.m.a.n.” Website, 2011, http://www. open-mesh.org. 33 [77] I. Akyildiz and X. Wang, Wireless mesh networks.

John Wiley & Sons Inc, 2009. 35

[78] D. Aguayo, J. Bicket, S. Biswas, G. Judd, and R. Morris, “Link-level measurements from an 802.11 b mesh network,” in ACM SIGCOMM Computer Communication Review, vol. 34, no. 4.

ACM, 2004, pp. 121–132. 35, 42

[79] D. Johnson, “Evaluation of a single radio rural mesh network in South Africa,” in Information and Communication Technologies and Development, 2007. ICTD 2007. International Conference on.

IEEE, pp. 1–9. 35, 39

[80] A. Raniwala and T. Chiueh, “Architecture and algorithms for an IEEE 802.11-based multichannel wireless mesh network,” in INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, vol. 3, 2005, pp. 2223–2234. 35 [81] D. Clark, V. Jacobson, J. Romkey, and H. Salwen, “An analysis of TCP processing overhead,” Communications Magazine, IEEE, vol. 27, no. 6, pp. 23–29, 1989. 37 [82] “Chair for network and data security (website),” 2010, http://nds.rub.de. 37 [83] G.-R. Agbamat´e, “Dynamische sendeleistung in wireless mesh netzwerken,” Student Work, Ruhr-University Bochum, 2010. 38, 41 [84] S. Kr¨ uck, “Analyse der auswirkungen dynamischer sendeleistungsmodifikationen auf die performance von single radio wireless mesh networks,” Student Work, Ruhr-University Bochum, 2010. 38 [85] J. Robinson and E. Knightly, “A performance study of deployment factors in wireless mesh networks,” in INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE.

IEEE, pp. 2054–2062. 39, 101

[86] B. Aoun, R. Boutaba, and G. Kenward, “Analysis of capacity improvements in multi-radio wireless mesh networks,” in Vehicular Technology Conference, 2006. VTC 2006-Spring. IEEE 63rd, vol. 2.

IEEE, pp. 543–547. 39

[87] J. Bicket, D. Aguayo, S. Biswas, and R. Morris, “Architecture and evaluation of an unplanned 802.11 b mesh network,” in Proceedings of the 11th annual international conference on Mobile computing and networking.

ACM, 2005, p. 42. 39

[88] R. Gandhi, S. Parthasarathy, and A. Mishra, “Minimizing broadcast latency and redundancy in ad hoc networks,” in Proceedings of the 4th ACM international symposium on Mobile ad hoc networking & computing.

ACM, 2003, pp. 222–232. 40

References

127

[89] C. Chou, A. Misra, and J. Qadir, “Low-latency broadcast in multirate wireless mesh networks,” Selected Areas in Communications, IEEE Journal on, vol. 24, no. 11, pp. 2081–2091, 2006. 40 [90] M. Campista, P. Esposito, I. Moraes, L. Costa, O. Duarte, D. Passos, C. de Albuquerque, D. Saade, and M. Rubinstein, “Routing metrics and protocols for wireless mesh networks,” Network, IEEE, vol. 22, no. 1, pp. 6–12, 2008. 42 [91] J. Smith, “A computer generated multipath fading simulation for mobile radio,” Vehicular Technology, IEEE Transactions on, vol. 24, no. 3, pp. 39–40, 1975. 42 [92] K. Jain, J. Padhye, V. Padmanabhan, and L. Qiu, “Impact of interference on multi-hop wireless network performance,” Wireless networks, vol. 11, no. 4, pp. 471–487, 2005. 44 [93] J. Tang, G. Xue, and W. Zhang, “Interference-aware topology control and QoS routing in multi-channel wireless mesh networks,” in Proceedings of the 6th ACM international symposium on Mobile ad hoc networking and computing.

ACM, 2005, pp. 68–77. 44

[94] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” in Proceedings of the 1st ACM conference on Computer and communications security.

ACM, 1993, pp. 62–73. 51

[95] J. Katz, “Efficient Cryptographic Protocols Preventing ”Man-in-the-Middle” Attacks,” Ph.D. dissertation, COLUMBIA UNIVERSITY, 2002. 51 [96] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless sensor networks,” Communications of the ACM, vol. 47, no. 6, pp. 53–57, 2004. 51 [97] B. Zhu, F. Bao, R. Deng, M. Kankanhalli, and G. Wang, “Efficient and robust key management for large mobile ad hoc networks,” Computer networks, vol. 48, no. 4, pp. 657–682, 2005. 51 [98] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, “An efficient secure distributed anonymous routing protocol for mobile and wireless ad hoc networks,” Computer communications, vol. 28, no. 10, pp. 1193–1203, 2005. 51 [99] A. Noack and S. Spitz, “Dynamic threshold cryptosystem without group manager,” International Journal of Network Protocols and Algorithms (ISSN: 1943-3581), vol. 1, no. 1, pp. 108–121, 2009. [Online]. Available: http://www.macrothink.org/journal/index. php/npa/issue/view/14/showToc 51 [100] A. Noack, “Efficient Authenticated Wireless Roaming via Tunnels,” Quality of Service in Heterogeneous Networks, pp. 739–752. 51 [101] A. Noack and M. Borrmann, “Mutual preimage authentication for fast handover in enterprise networks,” in On the Move to Meaningful Internet Systems: OTM 2010, ser. Lecture Notes in Computer Science, R. Meersman, T. Dillon, and P. Herrero, Eds., vol. 6426. Springer, 2010, pp. 583–599. 52 [102] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of CRYPTO 84 on Advances in cryptology. York, Inc., 1985, pp. 47–53. 53

New York, NY, USA: Springer-Verlag New

128

References

[103] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” Lecture Notes in Computer Science, vol. 2139, pp. 213–229, 2001. [Online]. Available: citeseer.ist.psu.edu/boneh01identitybased.html 53, 55 [104] C. Cocks, “An identity based encryption scheme based on quadratic residues,” in Proceedings of the 8th IMA International Conference on Cryptography and Coding. London, UK: Springer-Verlag, 2001, pp. 360–363. 53 [105] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11, pp. 612–613, 1979. 53, 55, 56 [106] Y. G. Desmedt and Y. Frankel, “Threshold cryptosystems,” in CRYPTO ’89: Proceedings on Advances in cryptology.

New York, NY, USA: Springer-Verlag New York, Inc., 1989,

pp. 307–315. 53, 54 [107] T. P. Pedersen, “A threshold cryptosystem without a trusted party (extended abstract),” in EUROCRYPT, 1991, pp. 522–526. 53, 55, 65 [108] B. Libert and J.-J. Quisquater, “Efficient revocation and threshold pairing based cryptosystems,” in PODC ’03: Proceedings of the twenty-second annual symposium on Principles of distributed computing.

New York, NY, USA: ACM, 2003, pp. 163–171. 54, 55

[109] D. Boneh, X. Ding, G. Tsudik, and C. M. Wong, “A method for fast revocation of public key certificates and security capabilities,” in SSYM’01: Proceedings of the 10th conference on USENIX Security Symposium.

Berkeley, CA, USA: USENIX Association, 2001, pp.

22–22. 54 [110] N. Saxena, G. Tsudik, and J. H. Yi, “Efficient node admission for short-lived mobile ad hoc networks,” in ICNP ’05: Proceedings of the 13TH IEEE International Conference on Network Protocols.

Washington, DC, USA: IEEE Computer Society, 2005, pp. 269–278.

54, 55 [111] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure distributed key generation for discrete-log based cryptosystems,” Lecture Notes in Computer Science, vol. 1592, pp. 295+, 1999. [Online]. Available: citeseer.ist.psu.edu/199021.html 54 [112] Y. Desmedt and Y. Frankel, “Shared generation of authenticators and signatures (extended abstract),” in CRYPTO ’91: Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology. London, UK: Springer-Verlag, 1992, pp. 457–469. 54, 55 [113] R. Gennaro, T. Rabin, S. Jarecki, and H. Krawczyk, “Robust and efficient sharing of RSA functions,” Journal of Cryptology: the Journal of the International Association for Cryptologic Research, vol. 13, no. 2, pp. 273–300, 2000. [Online]. Available: citeseer.ist.psu.edu/article/gennaro96robust.html 54 [114] V. Shoup, “Practical threshold signatures,” Lecture Notes in Computer Science, vol. 1807, pp. 207–220, 2000. [Online]. Available: citeseer.ist.psu.edu/shoup99practical.html 54 [115] R. Gennaro, S. Halevi, H. Krawczyk, and T. Rabin, “Threshold rsa for dynamic and ad-hoc groups,” Cryptology ePrint Archive, Report 2008/045, 2008, http://eprint.iacr.org/. 54,

References

129

55, 65 [116] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret sharing or: How to cope with perpetual leakage,” Lecture Notes in Computer Science, vol. 963, pp. 339–352, 1995. [Online]. Available: citeseer.ist.psu.edu/herzberg95proactive.html 54, 57, 65 [117] M. Mouly and M. Pautet, The GSM system for mobile communications.

Telecom Pub-

lishing, 1992. 66 [118] T. Halonen, J. Romero, and J. Melero, GSM, GPRS and EDGE performance: evolution towards 3G/UMTS.

Wiley, 2003. 66

[119] S. Sesia, I. Toufik, and M. Baker, “Lte–the umts long term evolution,” From Theory to Practice, published in, 2009. 66 [120] N. Sastry, K.Sollins, and J. Crowcroft, “Architecting citywide ubiquitous wi-fi access,” HotNets-VI, 2007, http://conferences.sigcomm.org/hotnets/2007/papers/hotnets6-final88. pdf. 66 [121] M. Manulis, D. Leroy, F. Koeune, O. Bonaventure, and J. Quisquater, “Authenticated wireless roaming via tunnels: Making mobile guests feel at home,” in Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. ACM, 2009, pp. 92–103. 67, 70, 71 [122] B. M. and N. C., “Authenticated encryption: Relations among notions and analysis of the generic composition paradigm,” In ASIACRYPT’00, LNCS 1976, pp. 531-545, 2000. 68 [123] R. C. and S. D. R., “Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack,” In CRYPTO’91, LNCS 576, pp. 433-444, 1992. 68, 76 [124] M. Bellare and P. Rogaway, “Entity authentication and key distribution,” Lecture Notes in Computer Science, vol. 773, pp. 232–249, 1994. 70 [125] V. Shoup, “Sequences of games: a tool for taming complexity in security proofs,” Cryptology ePrint Archive, Report 2004/332, 2004, http://eprint.iacr.org/. 70 [126] J. Malinen, “Host ap project (hostapd/wpa supplicant),” Website, 2009, http://hostap. epitest.fi/. 73, 78 [127] B. Aboba and D. Simon, “PPP EAP TLS Authentication Protocol,” RFC 2716 (Experimental), Internet Engineering Task Force, Oct. 1999, obsoleted by RFC 5216. [Online]. Available: http://www.ietf.org/rfc/rfc2716.txt 73 [128] D. Simon, B. Aboba, and R. Hurst, “The EAP-TLS Authentication Protocol,” RFC 5216 (Proposed Standard), Internet Engineering Task Force, Mar. 2008. [Online]. Available: http://www.ietf.org/rfc/rfc5216.txt 73 [129] P. Funk and S. 
Blake-Wilson, “Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0),” RFC 5281 (Informational), Internet Engineering Task Force, Aug. 2008. [Online]. Available: http://www.ietf.org/rfc/rfc5281.txt 73

130

References

[130] F. Bersani and H. Tschofenig, “The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method,” RFC 4764 (Experimental), Internet Engineering Task Force, Jan. 2007. [Online]. Available: http://www.ietf.org/rfc/rfc4764.txt 73 [131] J. Cordasco, U. Meyer, and S. Wetzel, “Implementation and performance evaluation of eap-tls-ks,” Securecomm and Workshops, 2006, pp. 1–12, 2006. 73 [132] R. P. and S. T., “Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance,” FSE 2004, LNCS 3017, pp. 371-388, 2004. 76 [133] B. M., C. R., and K. H., “Keying hash functions for message authentication.” 76 [134] Opensource, “Freeradius project,” Website, 2009, http://freeradius.org/. 78 [135] M. Borrmann, “Implementierung eines effizienten eap-protokolls,” Diploma thesis, RuhrUniversity Bochum, 2009. 78 [136] Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik, “On the performance of group key agreement protocols,” in Distributed Computing Systems, 2002. Proceedings. 22nd International Conference on.

IEEE, 2002, pp. 463–464. 81

[137] Y. Kim, A. Perrig, and G. Tsudik, “Communication-Efficient Group Key Agreement,” in Proc. IFIP TC11 16th Annual Working Conference on Information Security (IFIP/SEC), Kluwer.

Citeseer, 2001. 81

[138] ——, “Group key agreement efficient in communication,” IEEE Transactions on Computers, vol. 53, no. 7, pp. 905–921, 2004. 81, 83 [139] S. Zheng, D. Manz, J. Alves-Foss, and Y. Chen, “Security and performance of group key agreement protocols,” in Proceeding of the IASTED International Conference on Networks and Communication Systems, Mar.

Citeseer, 2006, pp. 29–31. 81

[140] A. Noack and J. Schwenk, “Group key agreement for wireless mesh networks,” in 34th IEEE LCN & Workshops Conference Proceedings, 2009, pp. 945–952. 81, 92, 97 [141] ——, “Group key agreement performance in wireless mesh networks,” in 35th IEEE LCN & Workshops Conference Proceedings, 2010, pp. 176–179. 81, 97 [142] Y. Challal and H. Seba, “Group key management protocols: A novel taxonomy,” International Journal of Information Technology, vol. 2, no. 1, pp. 105–118, 2005. 82 [143] Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik, “On the performance of group key agreement protocols,” ACM Transactions on Information and System Security (TISSEC), vol. 7, no. 3, p. 488, 2004. 83, 88 [144] M. Burmester and Y. Desmedt, “A secure and efficient conference key distribution system,” in EUROCRYPT’94, vol. 950 (LNCS), 1994, pp. 275–286. 83, 84, 115 [145] ——, “Efficient and secure conference key distribution,” in Cambridge Workshop on Security Protocols, vol. 1189 (LNCS), 1996, pp. 119–129. 83, 85, 115 [146] J. Schwenk, T. Martin, and R. Schaffelhofer, “Tree-based multicast key agreement,” In Communications and Multimedia Security 01, 2001. 83, 85, 87

References

131

[147] Y. Kim, A. Perrig, and G. Tsudik, “Tree-based group key agreement,” ACM Trans. Inf. Syst. Secur., vol. 7, no. 1, pp. 60–96, 2004. 83, 87 [148] I. Ingemarsson, D. Tang, and C. Wong, “A conference key distribution system,” IEEE Transactions on Information theory, vol. 28, no. 5, pp. 714–720, 1982. 83 [149] M. Steiner, G. Tsudik, and M. Waidner, “Diffie-Hellman key distribution extended to group communication,” in Proceedings of the 3rd ACM conference on Computer and communications security.

ACM New York, NY, USA, 1996, pp. 31–37. 83

[150] G. Ateniese, M. Steiner, and G. Tsudik, “New multiparty authentication services and key agreement protocols,” IEEE Journal on Selected Areas in Communications, vol. 18, no. 4, pp. 628–639, 2000. 83 [151] M. Steiner, G. Tsudik, and M. Waidner, “CLIQUES: A new approach to group key agreement,” in Distributed Computing Systems, 1998. Proceedings. 18th International Conference on, 1998, pp. 380–387. 83 [152] X. Chen, B. Ma, and C. Yang, “M-CLIQUES: Modified CLIQUES key agreement for secure multicast,” Computers & Security, vol. 26, no. 3, pp. 238–245, 2007. 83 [153] K. Becker and U. Wille, “Communication complexity of group key distribution,” in Proceedings of the 5th ACM conference on Computer and communications security.

ACM,

1998, pp. 1–6. 83 [154] Y. Kim, A. Perrig, and G. Tsudik, “Tree-based group key agreement,” ACM Transactions on Information and System Security (TISSEC), vol. 7, no. 1, pp. 60–96, 2004. 83 [155] M. Manulis, “Contributory Group Key Agreement Protocols, Revisited for Mobile Ad-Hoc Groups,” in Proceedings of 2nd IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS 2005).

IEEE Computer Society, 2005, pp. 811–818. 84

[156] L. Liao and M. Manulis, “Tree-based group key agreement framework for mobile ad-hoc networks,” Future Generation Computer Systems, vol. 23, no. 6, pp. 787–803, 2007. 84 ´ Adjih, P. M¨ [157] R. Bhaskar, D. Augot, C. uhlethaler, and S. Boudjit, “AGDH (Asymmetric Group Diffie Hellman) An Efficient and Dynamic Group Key Ageement Protocol for Ad Hoc Networks,” New Technologies, Mobility and Security, pp. 633–633, 2007. 84 [158] J. Kim and G. Tsudik, “Survival in the Wild: Robust Group Key Agreement in Wide-Area Networks,” Lecture Notes In Computer Science, pp. 66–83, 2009. 84 [159] W. Diffie and M. Hellman, “New directions in cryptography,” Information Theory, IEEE Transactions on, vol. 22, no. 6, pp. 644–654, 1976. 87 [160] J. Li, C. Blake, D. S. J. De Couto, H. I. Lee, and R. Morris, “Capacity of ad hoc wireless networks,” in Proceedings of the 7th ACM International Conference on Mobile Computing and Networking, Rome, Italy, July 2001, pp. 61–69. 106 [161] A. Queisser, “Practical implementation of burmester desmedt ii,” Studentwork, RuhrUniversity Bochum, 2010. 109 [162] V. Mladenov, “Die implementierung von tree-based-key-agreement f¨ ur wireless mesh netzwerke,” Student Work, Ruhr-Universit¨at Bochum, 2010. 113

132

References