
Achieving Privacy in Mesh Networks Xiaoxin Wu Ninghui Li Intel China Research Center Ltd Department of Computer Science Beijing, China Purdue University [email protected] West Lafayette, IN 47907-2086, USA [email protected] ABSTRACT between Mesh nodes and its Gateway router can be single Mesh network is vulnerable to privacy attacks because of hop or multi-hop. When multi-hop connection is needed, a the open medium property of wireless channel, the ¯xed Mesh node connects to the Gateway router with the aid of topology, and the limited network size. Traditional anony- other Mesh nodes that act as intermediate forwarders. An mous routing algorithm cannot be directly applied to Mesh example of such a Mesh network is illustrated in Fig. 1 (a). network, because they do not defend global attackers. In In such a Mesh network, as all tra±c goes through the this paper we design private routing algorithm that used Gateway router, the Gateway router may act as a centralized \Onion", i.e., layered encryption, to hide routing informa- control, as an access point in WLAN [6], or a base station in tion. In addition, we explore special ring topology that ¯ts the cellular network. A network with centralized control has the investigated network scenario, to preserve a certain level the advantages over a self-organized network because it can of privacy against a global adversary. have better resource allocation and routing optimization. It also makes security and privacy issues less challenging. In the Mesh network, a Mesh node then cannot initiate a Categories and Subject Descriptors session at its will. Instead, it has to send the Gateway router C.2.2 [Computer-Communication Networks]: Network an access request. The Gateway router grants an access Protocols|Routing protocols and sends an assigned route, through which the Mesh node connects to the Internet. General Terms The behavior of a Mesh node can be easily monitored or traced by adversaries due to the use of wireless channel, Security, Design multi-hop connection through third parties, and converged tra±c pattern going through the Gateway router. In this Keywords paper we consider a global adversary model that is made Mesh networks, Privacy up by colluded inside and outside attackers, as illustrated in Fig. 1 (b). Under such an adversary model, the primary 1. INTRODUCTION privacy objective we want to achieve is hiding an active node that connects to the Gateway router among a group Mesh network [1, 2, 3, 4, 5] has been proposed to be the of Mesh nodes. In other words, the active Mesh node has to solution for the last mile of network communications because be anonymous. Such a protection is important when on the it is able to provide low-cost, high-speed network services to Internet side, traditional anonymous routing approaches are the end users. A Mesh network can be deployed in an en- not implemented, or may be compromised by strong attack- vironment where there is no existing wired network to the ers. end users, or the capacity for the existing network is insu±- Traditional private communication approaches designed cient such that the Mesh network provides a supplementary for wired networks apply either cryptography [7, 8, 9] or service. For example, a Mesh network may be constructed redundancy to achieve communication end privacy [11, 12, in a rural community so that the community can share one 13]. Cryptographic approaches cannot be adopted directly satellite Internet connection. In such a network, each Mesh to achieve our privacy goal in the Mesh network because node is a household with wireless equipments, and there is they are not e±cient under a global attack. Redundancy ap- a Gateway router that is connected to the Internet. Mesh proaches, e.g., a broadcast at the Gateway router, may keep nodes can communicate with each other, and access the In- a receiving node anonymous. Yet as most communications ternet through the gateway router. The wireless connection in the Mesh network are bi-directional, a global attacker can still discover the node when it sends a message to the Gate- way router. Adding background noise for preserving sender Permission to make digital or hard copies of all or part of this work for privacy is expensive especially in wireless networks. personal or classroom use is granted without fee provided that copies are To solve the above problem, we design a novel commu- not made or distributed for profit or commercial advantage and that copies nication protocol, called Onion Ring, to defend against a bear this notice and the full citation on the first page. To copy otherwise, to global, aggressive attacker and to protect node privacy by republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. using both cryptography and redundancy. Such an approach SASN’06, October 30, 2006, Alexandria, Virginia, USA. explores the special topology of the Mesh network, i.e., all Copyright 2006 ACM 1-59593-554-1/06/0010 ...$5.00. wireless Gateway router link To Internet MESH user Gateway Outside Attacker router Victim Inside Attacker MESH Network (a) Mesh network (b) Privacy weakness Figure 1: Mesh network and privacy weakness the tra±c goes through the Gateway router. The extra For example, the Gateway router possesses a pair of pub- computing load caused by using cryptography is not a con- lic/private keys and the public key is con¯gured into each cern for Mesh networks because Mesh nodes are desktop Mesh node. We assume that the Gateway router is di±cult or laptop computers with su±cient power supply and com- to be compromised and is thus trusted. Each Mesh node puting capability. On the other hand, the network perfor- also possesses a pair of public/private keys and the public mance degradation caused by redundant transmissions can key is certi¯ed by the Gateway router. In other words, the be mitigated because the proposed approach enables cen- Gateway router acts as a Certi¯cation Authority (CA) local tralized control, which facilitates network optimization such to the Mesh network. Using these public keys, a symmet- as global scheduling. ric key is established between the Gateway router and each The paper is organized as follows. In Section 2 we list Mesh node. network assumptions, security assumptions, attacker mod- We assume that a Mesh node also establishes a symmetric els, and privacy goals. In Section 3 we review Onion rout- key with any of its one-hop neighboring Mesh node. The ing. In Section 4 we present redundant Onion routing in communication between any two neighboring nodes then the Mesh network. In Section 5 we present Onion ring that is con¯dential. However, plain text has to be used in the can defend against a global adversary. In Section 6 we ad- packet header to indicate the identity of the sender and the dress the intruder identi¯cation scheme that discovers the receiver 1. compromised Mesh nodes. In Sectionsix we present related works. In Section 8 we conclude and discuss future research 2.2 Attack Models and Privacy Goal directions. Refer to Fig. 1 (b), we list the capabilities for the following two di®erent kinds of attackers. 2. ASSUMPTIONS, ATTACK MODELS, ² Inside Attacker (Attacker 1): An inside attacker is a AND PRIVACY GOAL Mesh node that is included (probably as a forwarder) in a Mesh connection. Therefore, it knows who is its 2.1 Network and Security Assumptions: previous hop and who is its next hop. It also knows the Network Assumptions We assume that the wireless chan- type of the packets going through itself, e.g, whether nel is symmetric, i.e., if A can send data to B through a the packet is a data packet or a control packet. In multi-hop wireless path, B can send data to A using the particular, when non-private routing protocol is used, reverse path. We assume that error control is used at the the insider attacker is able to know the communication link layer, therefore an erroneous packet is not caused by ends for the Mesh connection. wireless transmission. We assume that the Gateway router ² Outside attacker (Attacker 2): An outside attacker is knows the network topology. This information can be ob- not a registered Mesh user. It monitors a Mesh node tained because when any new Mesh node joins the network, an routing update is required. It discovers its neighbors ¯rst. 1The transmissions on link layer can be anonymous, i.e., Then it uses RIP [14] or OPSF [15] to ¯nd a route to the without the header of sender and receiver information. How- Gateway router and update the network topology. ever, this results in high computing overhead because every neighbor of a sender has to decrypt the data using the keys Security Assumptions We assume that a PKI local to the that it shared with all of its neighbors, to ¯nd out whether Mesh network is in place when the Mesh network is set up. the packet is for itself. or the Gateway router by staying closely to its target. as the public keys of other ORs. An end user that requires It is able to obtain the link layer communication ends, an anonymous communication will send a request to an OR i.e., the identities of the sender and the receiver at any that it trusts; this OR is known as the Onion Proxy (OP) for hop. However, an outside attacker does not know the the user. The communication between an end user and its packet type. An attacker that monitors the behavior OP is protected from the adversaries.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-