On predictive routing of security contexts in an all-IP network

While mobile nodes (MNs) undergo handovers across inter-wireless access networks, their security contexts must be propagated for secure re-establishment of on-going application sessions, such as those in secure mobile internet protocol (IP), authentication, authorization, and accounting (AAA) services. Routing security contexts via an IP network either on-demand or based on MNs' mobility prediction, imposes new challenging requirements of secure cross-handover services and security context management. In this paper, we present a context router (CXR) that manages security contexts in an all-IP network, providing seamless and secure handover services for the mobile users that carry multimedia-access devices. A CXR is responsible for (1) monitoring of MNs' cross-handover, (2) analysis of MNs' movement patterns, and (3) routing of security contexts ahead of MNs' arrival at relevant access points. The predictive routing reduces the delay in the underlying security association that would otherwise fetch an involved security context from a remote server. The predictive routing of security contexts is performed based on statistical learning of MNs' movement pattern, gauging (dis)similarities between the patterns obtained via distance measurements. The CXR has been evaluated with a prototypical implementation based on an MN mobility model on a grid. Our evaluation results support the predictive routing mechanism's improvement in seamless and secure cross-handover services by a factor of 2.5. Also, the prediction mechanism is shown to outperform the Kalman filter-based method [13] as a Kalman Fiter-based mechanism up to 1.5 and 3.6 times regarding prediction accuracy and computation performance, respectively. Copyright © 2009 John Wiley & Sons, Ltd.Peer Reviewedhttp://deepblue.lib.umich.edu/bitstream/2027.42/65037/1/135_ftp.pd

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks

Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in next-generation wireless networks such as providing flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers. As WMNs become an increasingly popular replacement technology for last-mile connectivity to the home networking, community and neighborhood networking, it is imperative to design efficient and secure communication protocols for these networks. However, several vulnerabilities exist in currently existing protocols for WMNs. These security loopholes can be exploited by potential attackers to launch attack on WMNs. The absence of a central point of administration makes securing WMNs even more challenging. The broadcast nature of transmission and the dependency on the intermediate nodes for multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can be external as well as internal in nature. External attacks are launched by intruders who are not authorized users of the network. For example, an intruding node may eavesdrop on the packets and replay those packets at a later point of time to gain access to the network resources. On the other hand, the internal attacks are launched by the nodes that are part of the WMN. On example of such attack is an intermediate node dropping packets which it was supposed to forward. This chapter presents a comprehensive discussion on the current authentication and privacy protection schemes for WMN. In addition, it proposes a novel security protocol for node authentication and message confidentiality and an anonymization scheme for privacy protection of users in WMNs.Comment: 32 pages, 10 figures. The work is an extended version of the author's previous works submitted in CoRR: arXiv:1107.5538v1 and arXiv:1102.1226v

Versatile Extensible Security System for Mobile Ad Hoc Networks

Mobile Ad hoc Network (MANET) is becoming more and more popular in scientific, government, and general applications, but security system for MANET is still at infant stage. Currently, there are not many security systems that provide extensive security coverage for MANET. Moreover, most of these security systems assume nodes have infinite computation power and energy; an assumption that is not true for many mobiles. Versatile and Extensible System (VESS) is a powerful and versatile general-purpose security suite that comprises of modified versions of existing encryption and authentication schemes. VESS uses a simple and network-efficient but still reliable authentication scheme. The security suite offers four levels of security adjustments base on different encryption strength. Each level is designed to suit different network needs (performance and/or security), and the security suite allows individual end-to-end pair-wise security level adjustments; a big advantage for highly heterogeneous network. This versatility and adjustability let each pair of talking nodes in the network can choose a security level that prioritize either performance or security, or nodes can also choose a level that carefully balance between security strength and network performance. Finally, the security suite, with its existing authentication and encryption systems, is a framework that allows easy future extension and modification

Securing Handover in Wireless IP Networks

In wireless and mobile networks, handover is a complex process that involves multiple layers of protocol and security executions. With the growing popularity of real time communication services such as Voice of IP, a great challenge faced by handover nowadays comes from the impact of security implementations that can cause performance degradation especially for mobile devices with limited resources. Given the existing networks with heterogeneous wireless access technologies, one essential research question that needs be addressed is how to achieve a balance between security and performance during the handover. The variations of security policy and agreement among different services and network vendors make the topic challenging even more, due to the involvement of commercial and social factors. In order to understand the problems and challenges in this field, we study the properties of handover as well as state of the art security schemes to assist handover in wireless IP networks. Based on our analysis, we define a two-phase model to identify the key procedures of handover security in wireless and mobile networks. Through the model we analyze the performance impact from existing security schemes in terms of handover completion time, throughput, and Quality of Services (QoS). As our endeavor of seeking a balance between handover security and performance, we propose the local administrative domain as a security enhanced localized domain to promote the handover performance. To evaluate the performance improvement in local administrative domain, we implement the security protocols adopted by our proposal in the ns-2 simulation environment and analyze the measurement results based on our simulation test

Security and mobility in 802.11 structured networks

Mestrado em Engenharia Electrónica e TelecomunicaçõesNesta tese é apresentado um protocolo que permite handovers rápidos e seguros em redes estruturadas 802.11. Este protocolo recupera o paradigma original do 802.11: autenticar primeiro, reassociar depois. Partindo deste paradigma, apresentamos duas novas operações 802.11 de autenticação e (re)associacão, que permitem que uma estacão móvel realize reautenticacões e reassociações com as mesmas funcionalidades do 802.1X. Esta nova aproxiamação requer pouca mudança na arquitectura da rede, nomeadamente só necessita de um novo Servidor de Reautenticação, para armazenar os dados usados pelas estações móveis durante as reautenticações. Nesta tese é também apresentada uma extensão do nosso protocolo, de maneira a permitir uma migração rápida e segura entre ESS usando Mobile IP. ABSTRACT: This thesis presents a fast, secure handover protocol that recovers the original 802.11 paradigm: authenticate first, reassociate next. Following this paradigm, we present two new 802.11 authentication and (re)association operations which allow a mobile station to perform network reauthentications and reassociations with the same functionality of a complete 802.1X authentication. This new approach requires very little from the environment, namely it only requires a new, central network Reauthentication Service, for storing data used in the reauthentication of stations. This thesis also presents a layer 3 extension of our protocol, to support fast, secure transitions between ESS using Mobile IP

Principles of the Wireless Standards Security

Počítačové sítě jsou v rámci organizace IEEE normalizovány výborem 802, jehož součástí je v současnosti šest pracovních skupin vyvíjejících specifikace pro bezdrátové komunikace. Těmi jsou IEEE 802.11 pro bezdrátové lokální sítě, IEEE 802.15 pro bezdrátové osobní sítě, IEEE 802.16 pro bezdrátové metropolitní sítě, IEEE 802.20 pro mobilní širokopásmový přístup, IEEE 802.21 pro vertikální handover a IEEE 802.22 pro bezdrátové regionální sítě. Diplomová práce se zaměřuje na bezpečnostní analýzu jednotlivých standardů, uvádí hrozby, zranitelná místa, aktuální bezpečnostní opatření a provádí vzájemné srovnání bezdrátových norem z bezpečnostního hlediska s vyzdvižením vlastností specifických pro danou oblast. Závěr práce je věnován celkovému zhodnocení projektu, jeho přínosům a možnostem dalšího vývoje ve formě navazujících studií.Computer networks are in the scope of the IEEE organization normalized by the 802 board which currently comprises six working groups for wireless communications. IEEE 802.11 for wireless local area networks, IEEE  802.15 for wireless personal area networks, IEEE 802.16 for wireless metropolitan area networks, IEEE 802.20 for mobile broadband wireless access, IEEE 802.21 for media independent handover and IEEE 802.22 for wireless regional area networks. This master's thesis focuses on a security analysis of particular standards, describes threats, vulnerabilities, current security measures and mutually compares wireless specifications from a security point of view. The conclusion is devoted to overall evaluation of the project, to its contributions, possible enhancements and continuation in the form of consequential studies.

Multi-layer traffic control for wireless networks

Le reti Wireless LAN, così come definite dallo standard IEEE 802.11, garantiscono connettività senza fili nei cosiddetti “hot-spot” (aeroporti, hotel, etc.), nei campus universitari, nelle intranet aziendali e nelle abitazioni. In tali scenari, le WLAN sono denotate come “ad infrastruttura” nel senso che la copertura della rete è basata sulla presenza di un “Access Point” che fornisce alle stazioni mobili l’accesso alla rete cablata. Esiste un ulteriore approccio (chiamato “ad-hoc”) in cui le stazioni mobili appartenenti alla WLAN comunicano tra di loro senza l’ausilio dell’Access Point. Le Wireless LAN tipicamente sono connesse alla rete di trasporto (che essa sia Internet o una Intranet aziendale) usando un’infrastruttura cablata. Le reti wireless Mesh ad infrastruttura (WIMN) rappresentano un’alternativa valida e meno costosa alla classica infrastruttura cablata. A testimonianza di quanto appena affermato vi è la comparsa e la crescita sul mercato di diverse aziende specializzate nella fornitura di infrastrutture di trasporto wireless e il lancio di varie attività di standardizzazione (tra cui spicca il gruppo 802.11s). La facilità di utilizzo, di messa in opera di una rete wireless e i costi veramente ridotti hanno rappresentato fattori critici per lo straordinario successo di tale tecnologia. Di conseguenza possiamo affermare che la tecnologia wireless ha modificato lo stile di vita degli utenti, il modo di lavorare, il modo di passare il tempo libero (video conferenze, scambio foto, condivisione di brani musicali, giochi in rete, messaggistica istantanea ecc.). D’altro canto, lo sforzo per garantire lo sviluppo di reti capaci di supportare servizi dati ubiqui a velocità di trasferimento elevate è strettamente legato a numerose sfide tecniche tra cui: il supporto per l’handover tra differenti tecnologie (WLAN/3G), la certezza di accesso e autenticazione sicure, la fatturazione e l’accounting unificati, la garanzia di QoS ecc. L’attività di ricerca svolta nell’arco del Dottorato si è focalizzata sulla definizione di meccanismi multi-layer per il controllo del traffico in reti wireless. In particolare, nuove soluzioni di controllo del traffico sono state realizzate a differenti livelli della pila protocollare (dallo strato data-link allo strato applicativo) in modo da fornire: funzionalità avanzate (autenticazione sicura, differenziazione di servizio, handover trasparente) e livelli soddisfacenti di Qualità del Servizio. La maggior parte delle soluzioni proposte in questo lavoro di tesi sono state implementate in test-bed reali. Questo lavoro riporta i risultati della mia attività di ricerca ed è organizzato nel seguente modo: ogni capitolo presenta, ad uno specifico strato della pila protocollare, un meccanismo di controllo del traffico con l’obiettivo di risolvere le problematiche presentate precedentemente. I Capitoli 1 e 2 fanno riferimento allo strato di Trasporto ed investigano il problema del mantenimento della fairness per le connessioni TCP. L’unfairness TCP conduce ad una significativa degradazione delle performance implicando livelli non soddisfacenti di QoS. Questi capitoli descrivono l’attività di ricerca in cui ho impiegato il maggior impegno durante gli studi del dottorato. Nel capitolo 1 viene presentato uno studio simulativo delle problematiche di unfairness TCP e vengono introdotti due possibili soluzioni basate su rate-control. Nel Capitolo 2 viene derivato un modello analitico per la fairness TCP e si propone uno strumento per la personalizzazione delle politiche di fairness. Il capitolo 3 si focalizza sullo strato Applicativo e riporta diverse soluzioni di controllo del traffico in grado di garantire autenticazione sicura in scenari di roaming tra provider wireless. Queste soluzioni rappresentano parte integrante del framework UniWireless, un testbed nazionale sviluppato nell’ambito del progetto TWELVE. Il capitolo 4 descrive, nuovamente a strato Applicativo, una soluzione (basata su SIP) per la gestione della mobilità degli utenti in scenari di rete eterogenei ovvero quando diverse tecnologie di accesso radio sono presenti (802.11/WiFi, Bluetooth, 2.5G/3G). Infine il Capitolo 5 fa riferimento allo strato Data-Link presentando uno studio preliminare di un approccio per il routing e il load-balancing in reti Mesh infrastrutturate.Wireless LANs, as they have been defined by the IEEE 802.11 standard, are shared media enabling connectivity in the so-called “hot-spots” (airports, hotel lounges, etc.), university campuses, enterprise intranets, as well as “in-home” for home internet access. With reference to the above scenarios, WLANs are commonly denoted as “infra-structured” in the sense that WLAN coverage is based on “Access Points” which provide the mobile stations with access to the wired network. In addition to this approach, there exists also an “ad-hoc” mode to organize WLANs where mobile stations talk to each other without the need of Access Points. Wireless LANs are typically connected to the wired backbones (Internet or corporate intranets) using a wired infrastructure. Wireless Infrastructure Mesh Networks (WIMN) may represent a viable and cost-effective alternative to this traditional wired approach. This is witnessed by the emergence and growth of many companies specialized in the provisioning of wireless infrastructure solutions, as well as the launch of standardization activities (such as 802.11s). The easiness of deploying and using a wireless network, and the low deployment costs have been critical factors in the extraordinary success of such technology. As a logical consequence, the wireless technology has allowed end users being connected everywhere – every time and it has changed several things in people’s lifestyle, such as the way people work, or how they live their leisure time (videoconferencing, instant photo or music sharing, network gaming, etc.). On the other side, the effort to develop networks capable of supporting ubiquitous data services with very high data rates in strategic locations is linked with many technical challenges including seamless vertical handovers across WLAN and 3G radio technologies, security, 3G-based authentication, unified accounting and billing, consistent QoS and service provisioning, etc. My PhD research activity have been focused on multi-layer traffic control for Wireless LANs. In particular, specific new traffic control solutions have been designed at different layers of the protocol stack (from the link layer to the application layer) in order to guarantee i) advanced features (secure authentication, service differentiation, seamless handover) and ii) satisfactory level of perceived QoS. Most of the proposed solutions have been also implemented in real testbeds. This dissertation presents the results of my research activity and is organized as follows: each Chapter presents, at a specific layer of the protocol stack, a traffic control mechanism in order to address the introduced above issues. Chapter 1 and Charter 2 refer to the Transport Layer, and they investigate the problem of maintaining fairness for TCP connections. TCP unfairness may result in significant degradation of performance leading to users perceiving unsatisfactory Quality of Service. These Chapters describe the research activity in which I spent the most significant effort. Chapter 1 proposes a simulative study of the TCP fairness issues and two different solutions based on Rate Control mechanism. Chapter 2 illustrates an analytical model of the TCP fairness and derives a framework allowing wireless network providers to customize fairness policies. Chapter 3 focuses on the Application Layer and it presents new traffic control solutions able to guarantee secure authentication in wireless inter-provider roaming scenarios. These solutions are an integral part of the UniWireless framework, a nationwide distributed Open Access testbed that has been jointly realized by different research units within the TWELVE national project. Chapter 4 describes again an Application Layer solution, based on Session Initiation Protocol to manage user mobility and provide seamless mobile multimedia services in a heterogeneous scenario where different radio access technologies are used (802.11/WiFi, Bluetooth, 2.5G/3G networks). Finally Chapter 5 refers to the Data Link Layer and presents a preliminary study of a general approach for routing and load balancing in Wireless Infrastructure Mesh Network. The key idea is to dynamically select routes among a set of slowly changing alternative network paths, where paths are created through the reuse of classical 802.1Q multiple spanning tree mechanisms

39P. Nature and Extent of Identity Crime through Wireless Technology Abuse and its Impact on Individual and Organisational Levels

Perpetrator(s) are stealing personal data abusing wireless networks to commit identity fraud and related crimes that is affecting us on individual, organisational and national levels. These threats affect national security also (Smith et al. 2010). There have been instances of identity and data theft crimes involving millions of debit and credit card numbers, which indicate the seriousness of this issue and reinforce the concerns of security professionals. These cases were taken from newspapers and recent research papers related to this field and analysed in this study. The objective of this research paper is to investigate the security weaknesses in the wireless protocols and examine how perpetrators are exploiting the wireless networks. The security limitations found in the commonly used types of wireless networks are also presented. The sharing of information on social networking services such as Facebook and Twitter also pose privacy and security threats. The current study presents guidelines and discusses approaches employed to safeguard and protect wireless networks in organisations. It is a study to create public awareness about the threats and related privacy issues in the use of wireless and hand held communication devices

Efficient Security Protocols for Fast Handovers in Wireless Mesh Networks

Wireless mesh networks (WMNs) are gaining popularity as a flexible and inexpensive replacement for Ethernet-based infrastructures. As the use of mobile devices such as smart phones and tablets is becoming ubiquitous, mobile clients should be guaranteed uninterrupted connectivity and services as they move from one access point to another within a WMN or between networks. To that end, we propose a novel security framework that consists of a new architecture, trust models, and protocols to offer mobile clients seamless and fast handovers in WMNs. The framework provides a dynamic, flexible, resource-efficient, and secure platform for intra-network and inter-network handovers in order to support real-time mobile applications in WMNs. In particular, we propose solutions to the following problems: authentication, key management, and group key management. We propose (1) a suite of certificate-based authentication protocols that minimize the authentication delay during handovers from one access point to another within a network (intra-network authentication). (2) a suite of key distribution and authentication protocols that minimize the authentication delay during handovers from one network to another (inter-network authentication). (3) a new implementation of group key management at the data link layer in order to reduce the group key update latency from linear time (as currently done in IEEE 802.11 standards) to logarithmic time. This contributes towards minimizing the latency of the handover process for mobile members in a multicast or broadcast group