Title: Security in Wireless Residential Networks
1. Security in Wireless Residential Networks
- Prashant Krishnamurthy
- Joseph Kabara
- Tanapat Anusas-amornkul
- IEEE Transactions on Consumer Electronics
- February 2002
2. Outline
- Introduction
- A brief overview of network security
- Security in wireless technologies for residential networking
- Characteristics of residential networks
- An approach for implementing security in WRNs
- Conclusions
3. Introduction
- Residential networking is expected to experience accelerating growth over the next few years.
- The residential networks will interconnect a wide variety of Internet appliances.
- WRNs must support a variety of devices, different types of traffic and different applications, and must be simple to install, inexpensive, and easy to manage and modify.
4. Introduction (cont.)
- Breaching security in wireless networks by eavesdropping and masquerading is particularly easy.
- We provide a mechanism that can unify a security architecture for the home despite the diverse nature of the requirements, network, devices and protocols.
- We also provide a classification of the security issues and requirements in WRNs and provide a framework that may be employed in WRNs for designing security services and mechanisms.
5. A brief overview of network security
Security Services
6. A brief overview of network security (cont.)
- Other security services:
- Authorization
- Authentication
- Identification
7. A brief overview of network security (cont.)
- The strength of the encryption depends mostly on the size of the secret key.
- Encryption algorithms employed today are almost impossible to break except by brute force, which involves searching through all possible keys.
8. A brief overview of network security (cont.)
- Encryption algorithms
- Hybrid encryption schemes that use a public key algorithm for key exchange and secret key algorithms for bulk data transfer are currently in vogue.
9. A brief overview of network security (cont.)
10. Security in wireless technologies for residential networking
- Wireless technology is becoming the popular choice for networking in residences because of convenience.
- The greatest obstacle to networking in residences is the lack of structured wiring.
- Also, wireless networking provides mobility for consumer electronic devices.
- Lastly, wireless networking provides the ability to control or access networked devices.
11. Security in wireless technologies for residential networking (cont.)
- Wired solutions inherently provide more security than wireless because they cannot be tapped easily.
- The most popular technologies in the market today, and the ones likely to be deployed in the residential environment, are the IEEE 802.11b and Bluetooth standards.
12. Security in IEEE 802.11
- The 802.11 standard specifies a Wired Equivalent Protocol (WEP) mechanism for wireless security. WEP can provide confidentiality, access control and message integrity services.
- An access point can be configured in two modes:
- Open-system mode: WEP data encryption
- Shared-key mode: provides WEP encryption and authentication
- Denial of service
13. Security in Bluetooth
- Bluetooth devices operate in an ad-hoc manner (peer-to-peer communication).
- Bluetooth specifications provide usage protection and information confidentiality.
- It has three modes of operation:
- Non-secure mode
- Service-level mode
- Link-level security mode
14. Security in Bluetooth (cont.)
- Devices can also be classified into trusted and distrusted.
- Bluetooth uses:
- Two secret keys (128 bits for authentication and 8-128 bits for encryption)
- A 128-bit random number and the 48-bit MAC address of the devices
15. General technique for sharing keys in wireless networks
- Most wireless networks employ identification schemes followed by hash algorithms to generate fresh keys that can be used with a secret key algorithm to provide various security services.
- Hashing a random number concatenated with a secret identifying parameter known only to the communicating parties can securely generate keys.
- Generally, the shared secret should be at least 80 to 128 bits in length.
16. Characteristics of residential networks
- The lack of standardization, the different perspectives from which consumer devices are manufactured, and especially their varying capabilities and needs.
- This heterogeneity affects the requirements of any protocol or security mechanism used to support the network.
17. Heterogeneity of devices, their capabilities and their requirements
- Electronic devices networked in residences are usually classified into two categories: home automation and computer communications.
- Home automation devices mostly operate at low data rates.
- Computers with multimedia Internet appliances have the ability to download music or obtain video on demand over the Internet via broadband Internet service to the home.
18. Heterogeneity of devices, their capabilities and their requirements (cont.)
- The device capabilities are vastly different with respect to implementation of security mechanisms.
- No single security mechanism can provide all possible security services, and not all devices require the same level of security.
19. Heterogeneous applications
- The applications supported on the network are also diverse. Each application will have security algorithms that are best suited for it.
- Multimedia Internet appliances that directly connect to the network can't tolerate delay or jitter.
- High data rate services will require algorithms that can encrypt very fast, while low data rate services will be constrained by economic and power consumption factors.
20. Wireless security issues
- Modular exponentiation of 1024-bit numbers (the minimum required for public key protocols) consumes the mobile terminal's battery very quickly.
- Secret key algorithms require elaborate key management schemes, violating the ease of implementation requirement.
- Several handshakes -> consumes battery power, bandwidth and time.
21. Summary
- Any solution must satisfy the following requirements:
- The cost of implementing the security mechanism must not be prohibitive.
- The security mechanism must be simple to implement and maintain.
- There should be minimum changes to existing standards and products.
- The solution should be scalable.
- The solution should be upgradeable.
22. An approach for implementing security in WRNs
- The primary concern in residential networks will be access control.
- We classify devices that connect to the WRN into categories. We also classify different levels of security assigned to these devices.
- We then lay out an infrastructure with a universal access point that enforces security in the WRN by implementing algorithm agility and a containment security policy based on the category of device and its security level.
23. An approach for implementing security in WRNs (cont.)
- Categories of WRN devices:
- Low data rate, low power, fixed devices
- Low data rate, high power, fixed devices
- Low data rate, low power, mobile devices
- High data rate, high power, fixed devices
- High data rate, low power, mobile devices
- High data rate, high power, mobile devices
24. An approach for implementing security in WRNs (cont.)
- Categories of security services:
- No security
- Moderate security
- Wireline equivalent security
- High security
- Ultra-high security
- Critically high security
25. The architecture
- The architecture of a WRN can have two possibilities:
- An ad hoc topology
- An infrastructure-based network with an access point
- The second one is preferable because each device has to identify/authenticate itself with the access point.
- A device is identified by its physical address and a class that is determined based upon a tuple associated with it. The tuple consists of the device category and the security level.
26. The architecture (cont.)
27. The architecture (cont.)
- Authentication and access control can be tied together with a message authentication code.
- A message authentication code is represented as MAC c_k(x), where x is the message and k is a shared secret key.
- There are two ways of implementing a MAC: either encrypting a hash function or hashing together the message and the secret key.
28. The architecture (cont.)
- These two approaches can be written as:
- c1,k(x) = ek(h(x))
- c2,k(x) = h(k || x)
- h() is the hash function,
- ek is a secret key encryption algorithm
- Both approaches are secure, but the second one is faster and hence preferred.
- If A wants to transmit a message x to B, A will send:
- y = x || ck(x)
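The key-sharing technique of slide 15 (hash a random number concatenated with a shared secret to obtain a fresh key) and the hash-based MAC of slides 27-28 (c2,k(x) = h(k || x), transmitted as y = x || ck(x)) fit together in a few lines. The following is an added example, not code from the paper; SHA-256 as the hash h, the function names, and the 80-bit minimum check are assumptions. The raw h(k || x) form on the slide is kept for reference, but the sender and receiver use HMAC, which is the standardised keyed-hash construction of the same idea and avoids the length-extension weakness of a plain prefix hash with Merkle-Damgard hashes such as SHA-256.

```python
# Added example: fresh-key derivation (slide 15) plus a hash-based MAC and the
# y = x || c_k(x) transmission/verification of slide 28. Not the paper's code.
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def derive_fresh_key(shared_secret: bytes, nonce: bytes) -> bytes:
    """Slide 15: key = h(RN || secret), where the secret is known only to the
    two communicating parties and RN is a fresh random number."""
    if len(shared_secret) * 8 < 80:  # slide 15: at least 80 to 128 bits
        raise ValueError("shared secret must be at least 80 bits long")
    return hashlib.sha256(nonce + shared_secret).digest()


def mac_hash_key_raw(k: bytes, x: bytes) -> bytes:
    """Slide 28, c2,k(x) = h(k || x), written literally (reference only)."""
    return hashlib.sha256(k + x).digest()


def mac_hmac(k: bytes, x: bytes) -> bytes:
    """Keyed hash in its standardised HMAC form (assumption: used as c_k)."""
    return hmac.new(k, x, hashlib.sha256).digest()


def send(k: bytes, x: bytes) -> bytes:
    """A -> B: y = x || c_k(x)."""
    return x + mac_hmac(k, x)


def receive(k: bytes, y: bytes):
    """B splits y into x and the tag, recomputes c_k(x) and compares in
    constant time. Returns x, or None when the tag does not verify."""
    if len(y) < TAG_LEN:
        return None
    x, tag = y[:-TAG_LEN], y[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac_hmac(k, x)):
        return None
    return x


def demo():
    """Constructed run: a 128-bit shared secret, a fresh nonce, one genuine
    message and one message whose first byte was flipped in transit.
    Returns (accepted_message, tampered_result)."""
    shared_secret = bytes(range(16))          # constructed 128-bit secret
    nonce = os.urandom(16)                    # RN, exchanged in the clear
    k = derive_fresh_key(shared_secret, nonce)
    y = send(k, b"volume=20")
    accepted = receive(k, y)
    tampered = bytes([y[0] ^ 0x01]) + y[1:]   # altered on the air
    return accepted, receive(k, tampered)


if __name__ == "__main__":
    print(demo())  # (b'volume=20', None)
```

Because both sides hold the same k, the receiver can recompute the tag and reject any y whose message or tag has been altered; the nonce may travel in the clear because deriving k requires the secret as well.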
29. Enforcement of security using algorithm agility and containment at the access point
- The access point will implement algorithm-agile encryption and also have security mechanisms for containment based on the algorithm chosen.
- The algorithm-agile encryptor will allow the access point to determine what encryption algorithm is applied to an incoming request for access and relay, and act accordingly based on security policies associated with the connection.
30. Enforcement of security using algorithm agility and containment at the access point (cont.)
- Containment refers to the ability of the network to keep certain security levels of information from leaking out of a particular region.
- Communication from a tuple consisting of a security level and device category shall be relayed only to another device with a tuple falling into the same class.
- The access point must ensure that no traffic from a low-security communication session is relayed to a high-security device.
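The containment rule above is a relay decision the access point makes per (source, destination) pair, using the class tuple from slide 25 built from the device categories of slide 23 and the security levels of slide 24. Below is an added example of that check, not the paper's code: the registry, the audit log of refused relays, the tuple encoding of categories and the device addresses are assumptions.

```python
# Added example: access-point containment check (slides 23-25, 30, 33).
# Not the paper's code; names and the audit log are assumptions.
from enum import IntEnum
from typing import Dict, List, NamedTuple, Optional, Tuple


class SecurityLevel(IntEnum):
    """Slide 24, ordered from least to most protected."""
    NO_SECURITY = 0
    MODERATE = 1
    WIRELINE_EQUIVALENT = 2
    HIGH = 3
    ULTRA_HIGH = 4
    CRITICALLY_HIGH = 5


# Slide 23 device categories, encoded as (data rate, power, mobility).
DEVICE_CATEGORIES = {
    ("low", "low", "fixed"),
    ("low", "high", "fixed"),
    ("low", "low", "mobile"),
    ("high", "high", "fixed"),
    ("high", "low", "mobile"),
    ("high", "high", "mobile"),
}


class DeviceClass(NamedTuple):
    """Slide 25: a device's class is the tuple (category, security level)."""
    category: Tuple[str, str, str]
    level: SecurityLevel


class AccessPoint:
    """Infrastructure-based WRN: each device registers with the access point,
    which relays traffic only inside one class (containment, slide 30)."""

    def __init__(self) -> None:
        self.registry: Dict[str, DeviceClass] = {}   # physical address -> class
        self.denied: List[Tuple[str, str, str]] = []  # (src, dst, reason) audit log

    def register(self, phys_addr: str, category: Tuple[str, str, str],
                 level: SecurityLevel) -> None:
        if category not in DEVICE_CATEGORIES:
            raise ValueError(f"unknown device category {category!r}")
        self.registry[phys_addr] = DeviceClass(category, SecurityLevel(level))

    def may_relay(self, src_addr: str, dst_addr: str) -> bool:
        src = self.registry.get(src_addr)
        dst = self.registry.get(dst_addr)
        if src is None or dst is None:
            # Slide 33: packets from devices that are not part of the network are discarded.
            self.denied.append((src_addr, dst_addr, "unregistered device"))
            return False
        if src.level < dst.level:
            # Slide 30: a low-security session is never relayed to a high-security device.
            self.denied.append((src_addr, dst_addr, "lower security level than destination"))
            return False
        if src != dst:
            # Slide 30: relay only between devices whose tuples fall in the same class.
            self.denied.append((src_addr, dst_addr, "different device class"))
            return False
        return True

    def relay(self, src_addr: str, dst_addr: str, payload: bytes) -> Optional[bytes]:
        """Returns the payload to forward, or None when containment blocks it."""
        return payload if self.may_relay(src_addr, dst_addr) else None


def build_demo_ap() -> AccessPoint:
    """Constructed home network: two automation devices in one class, a PC in another."""
    ap = AccessPoint()
    ap.register("aa:00:00:00:00:01", ("low", "low", "fixed"), SecurityLevel.MODERATE)   # thermostat
    ap.register("aa:00:00:00:00:02", ("low", "low", "fixed"), SecurityLevel.MODERATE)   # light switch
    ap.register("aa:00:00:00:00:03", ("high", "high", "fixed"), SecurityLevel.HIGH)     # desktop PC
    return ap


if __name__ == "__main__":
    ap = build_demo_ap()
    print(ap.relay("aa:00:00:00:00:01", "aa:00:00:00:00:02", b"set 21C"))  # b'set 21C'
    print(ap.relay("aa:00:00:00:00:01", "aa:00:00:00:00:03", b"set 21C"))  # None
    print(ap.denied)
```

Ordering the level comparison before the class comparison makes the audit log name the specific slide-30 rule that fired, which is what an operator reviewing refused relays wants to see; the unregistered-device branch covers the discard behaviour mentioned on slide 33.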
31. An example of the security mechanism
- The music device: Deva
- Its device category: Dc, security level: SL
- An algorithm: Alg, a nonce: RN
32. An example of the security mechanism (cont.)
33. Advantages and limitations
- The advantage of this approach is that the security mechanism is simple to implement and maintain.
- The security mechanism is upgradeable. New algorithms and policies can be put in place, expanded, improved and customized as needed.
- The primary limitation is that this does not solve the simple denial of service attack, although the access point can discard packets that are not part of the network.
34. Advantages and limitations (cont.)
- It is unlikely that several streams of devices will request service from the access point simultaneously.
- Also, the medium access control protocols of IEEE 802.11 and Bluetooth prevent simultaneous access to the medium from several devices.
- It is possible that someone can hack into the access point.
35. Conclusions
- The cost of wiring a home for networking devices being prohibitive, the trend is towards an all-wireless or hybrid wireless-wired networking solution.
- The complexity of WRNs requires a solution that can service a variety of security levels and different categories of devices.
- We have presented a systematic classification of WRN devices and security categories, and discussed a solution based on algorithm agility and a containment-based security policy.