Sunday, May 8, 2011

Security in Mobile Networks. Fault-tolerance

Security in Mobile Networks. Fault-tolerant authentication. Fault-tolerance principles for security.

Security in Mobile Networks

Providing security services in the mobile computing environment is challenging because it is more vulnerable to intrusion and eavesdropping. Most existing mobile systems assume the presence of stationary base stations, which is not quite true in practice. For example, in tactical military mobile networks, base stations also move from one network to another. Our research direction integrates ideas from the science and engineering of security and of fault-tolerance. The objective is to make systems survivable under intentional and unintentional attacks. We are motivated by the fact that fault-tolerant systems keep information accessible during failures. The same ideas can be applied in a complementary way to make access unavailable to unauthorized users. Through this presentation, I would like to identify a set of problems in security that can benefit from research in reliable distributed systems. Solutions to the fault-tolerant authentication problem are presented. I will outline a series of experiments that are in progress in our laboratory at Purdue. The application domain for this talk is military systems, but the problems and results are applicable to emergency services during earthquakes, forest fires, and disaster recovery after terrorist attacks. This research is also applicable to multimedia mobile systems and other public-use mobile communication.

Fault-tolerance principles for security

Recently there has been much focus on building secure distributed systems. We note that many of the ideas, concepts, and algorithms being proposed in security share common threads with reliability. To increase reliability in distributed systems, the use of quorums allows transactions to read and write replicas even if some replicas have failed or are unavailable. The system manages the replicas so that a quorum can still be formed in the presence of failures. To make systems secure against unauthorized access, one can use the reverse strategy: make it difficult to form a quorum. All accesses require permission from a group of authorities, who can coordinate to deny a yes majority vote.
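The two directions of the quorum idea, as an added illustration (not code from the talk or its papers): a read/write quorum system that keeps serving while replicas fail, and the reverse arrangement in which an access needs explicit approval from a threshold of authorities, so an unreachable authority counts against the request. Replica names, authority names and votes are constructed sample data.

```python
"""Quorums for availability, and the reverse quorum for access control.

Added illustration for the quorum analogy; not code from the page.
Replica names, authority names and votes are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class QuorumSystem:
    """n replicas, read quorum r, write quorum w.

    r + w > n makes every read quorum overlap every write quorum, and
    2w > n makes writes overlap each other, so a transaction that reaches
    a quorum sees the latest committed write even while some replicas are
    failed or unreachable.
    """
    replicas: frozenset
    r: int
    w: int
    failed: set = field(default_factory=set)

    def __post_init__(self):
        n = len(self.replicas)
        if not (self.r + self.w > n and 2 * self.w > n):
            raise ValueError("need r + w > n and 2w > n")

    def available(self):
        return self.replicas - self.failed

    def can_read(self):
        return len(self.available()) >= self.r

    def can_write(self):
        return len(self.available()) >= self.w

    def write_slack(self):
        """Further replica failures a write quorum can still absorb."""
        return max(0, len(self.available()) - self.w)


def access_granted(authorities, votes, threshold):
    """Reverse strategy: a request succeeds only if at least `threshold`
    of a fixed group of authorities explicitly vote yes. Silence (an
    unreachable authority) and a no vote count the same, so failures make
    access harder to obtain rather than easier."""
    yes = sum(1 for a in authorities if votes.get(a) is True)
    return yes >= threshold


def denial_coalition(n_authorities, threshold):
    """Smallest group of authorities that can block any request by
    coordinating a no vote: once they refuse, fewer than `threshold`
    yes votes remain possible."""
    return n_authorities - threshold + 1
```

With five replicas and r = w = 3, two failures leave both quorums reachable and a third removes them; with five authorities and a majority threshold of three, any three of them can deny access by refusing together, which is the property the text relies on.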

Checkpointing research has similarities to the work in intrusion detection. In both cases, either failures or security violations are recorded. Checkpoints ensure that the system can be brought to a safe, consistent state through the use of recovery lines. Such checkpoints can likewise be used to determine secure and safe states of a system, and the action taken to roll back to a consistent state is similar to bringing the system back to a secure status.
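A recovery-line computation that treats an intrusion-detection flag exactly like a failure, added here as an illustration of the parallel the paragraph draws (it is not code from the talk). The process names, checkpoint positions, message pattern and the flagged event are constructed sample data; the consistency rule used is the standard one, a line is consistent when no message is recorded as received before the receiver's checkpoint yet sent after the sender's.

```python
"""Recovery line computation: checkpoints plus an intrusion-detection flag.

Added illustration of the checkpointing/intrusion-detection parallel; not
code from the page. Process names, checkpoint positions, messages and the
flagged event are constructed sample data.
"""


def recovery_line(checkpoints, messages, flagged=None):
    """Find the latest consistent set of checkpoints to roll back to.

    checkpoints: {process: sorted event indices where a checkpoint was
                  taken; index 0 (the initial state) is always included}
    messages:    [(sender, send_event, receiver, receive_event), ...]
    flagged:     {process: index of the first event the intrusion detector
                  marked as a violation}; that process must restart from a
                  checkpoint taken strictly before it.

    A set of checkpoints is consistent when no message is "orphaned":
    recorded as received before the receiver's checkpoint while its send
    happens after the sender's checkpoint. Rolling one process back can
    orphan messages at another, so the loop repeats until stable.
    """
    flagged = flagged or {}
    line = {}
    for proc, cps in checkpoints.items():
        limit = flagged.get(proc)
        line[proc] = max(c for c in cps if limit is None or c < limit)

    changed = True
    while changed:
        changed = False
        for sender, s_ev, receiver, r_ev in messages:
            orphan = r_ev <= line[receiver] and s_ev > line[sender]
            if orphan:
                # The receiver must forget the receive: back to the latest
                # checkpoint that precedes the receive event.
                line[receiver] = max(c for c in checkpoints[receiver] if c < r_ev)
                changed = True
    return line


# Constructed sample: two processes, each with three checkpoints.
CHECKPOINTS = {"P0": [0, 2, 5], "P1": [0, 1, 4]}
MESSAGES = [("P0", 3, "P1", 2), ("P1", 5, "P0", 6)]


def failure_case():
    """Plain crash recovery: the latest checkpoints already form a line."""
    return recovery_line(CHECKPOINTS, MESSAGES)


def intrusion_case():
    """The detector flags P0's event 4, so P0 falls back to checkpoint 2;
    P1 received a message sent at P0's event 3 before its checkpoint 4,
    which is now orphaned, so P1 also rolls back, to checkpoint 1."""
    return recovery_line(CHECKPOINTS, MESSAGES, flagged={"P0": 4})
```

The intrusion case shows why the analogy matters operationally: restoring a compromised node to a pre-violation checkpoint is not enough on its own, because peers that consumed its later messages must be rolled back too, or the "secure" state is inconsistent.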

To deal with failures, we build systems that are adaptable. This way, we can deal with the type, duration, severity, timing, and extent of a failure. The system dynamically reconfigures and uses the best scheme for a specific situation. We must build systems adaptable to security attacks in the same way. The models, experiments, and infrastructure of adaptability to failures are very similar to the ones needed for adaptable secure systems.

There is no way to make a system one hundred percent reliable or secure. In the past, we have designed schemes that each deal with one kind of failure and integrated such schemes to build reliable systems. We actually believe that failures will come and go, just as a person alternates between being sick and healthy. We cannot worry about each individual failure and spend all our resources dealing with it. We need to identify transient and non-catastrophic errors and failures and ignore them if doing so helps the system deal with severe causes of non-availability. In the same vein, we need to conduct research on dealing with benign security violations that are part of daily system activity. In addition, we must find optimal solutions that allow applications to succeed in spite of a large mix of failures and security attacks when a large number of processes are communicating and accessing large databases.

Such effort is expected to lead us towards a dependable computing system that adapts to meet performance, reliability, and security requirements.

Fault-tolerant authentication

The military is greatly expanding its use of wireless networking for the twenty-first century battlefield, based on commercial technology including the IETF Mobile IP protocol suite. Mobile IP allows mobile hosts and mobile routers to change their point of attachment to the network while maintaining continuous network connectivity. Mobile IP, however, does not provide enough security support for tactical military mobile networks. In a tactical military environment, the moving components include mobile hosts, mobile base stations (mobile routers/agents), mobile subnets, and even an entire intranet. In a battlefield, when troops move from one place to another, their communication networks move with them, and the troops need to quickly establish their wireless mobile communication networks in the new location. Most existing wireless network models assume the presence of stationary base stations connected by a high-bandwidth wireline network backbone. Wireless network architectures with fixed base stations are unable to adapt to the battlefield's dynamic nature.

In a battlefield, fixed base stations are attractive targets and therefore highly vulnerable; the destruction of a base station disrupts many communication sessions. Hence, there is a need for mobile computing systems with mobile base stations. For tactical military networks, base stations can be mounted on mobile platforms such as helicopters and tanks. As the troops move these platforms, they move their networks with them and provide continuous service to their infantry (mobile hosts).

The tactical military network architecture is a hierarchical arrangement of mobile components. Each unit (corps, division, brigade, battalion, and company) has a local area network (or an intranet). High-level network interconnections may be wired, such as ATM, or satellite-based. Low-level network interconnections are based on wireless links, such as Radio Access Point (RAP) networks. RAPs are highly mobile and support multimedia hosts with mobile TCP/IP. Mobile networks introduce several unique network security problems. We discuss the following problems:

Deficiency in Mobile IP authentication approaches: In Mobile IP networks, one of the primary security concerns is authentication. More specifically, we must implement mechanisms that allow the mobile host and the base station (mobile agent) to authenticate each other as the mobile host moves from cell to cell. Authentication protects the base stations from unauthorized intrusion. One serious deficiency of the Mobile IP authentication approach is that a mobile host (MH) can be authenticated only through its home agent (HA). If an HA is out of service because of failure, destruction, or temporary non-availability, then all of its home mobile hosts become homeless and are unable to connect to any other mobile node.

Deficiency in Mobile IP key management: Once a mobile host has been authenticated, it can communicate with other mobile hosts. To secure these communications, data packets should be encrypted before sending and decrypted after receiving. Data privacy protects data transmitted over a communication channel from being either faked or snooped on by an unauthorized entity; it therefore prevents both active and passive intrusions. Most methods available to enforce authentication, data privacy, integrity, and non-repudiation use some form of cryptography, which requires the exchange of secret keys and/or public keys between message sender and receiver. Session key establishment, agility, distribution, and management are challenging tasks. Mobile IP, however, provides no mechanism for peer-to-peer session key management or for multicast session key management, beyond assuming manual key distribution. Each key must be kept and distributed in a secure manner. A truly viable key distribution algorithm for a mobile network must scale well to a large number of nodes and must be secure and dynamic.

Replicated data consistency: In a battlefield, mobile nodes may be lost, destroyed, or out of order. To provide fault-tolerance capability, important data is replicated on many nodes. However, if multiple replicated databases are modified independently, the replicas may not be mutually consistent. Moreover, if different replicas of a data unit are in mutually inconsistent states, the consequences of the inconsistency depend on the nature of the data. For example, in some cases weak reads may be permitted to retrieve out-of-date information or to retrieve values written by write operations that have yet to be committed. To keep data private in wireless networks, we can use the same algorithms used in wireline networks. In the following, we identify several research questions, experiments, and evaluations.
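The weak-read versus strong-read distinction above, shown on a small replicated store as an added example (not code from the talk). The replica names and write sequence are constructed; the two-step prepare/commit write and the majority rule for strong reads are this example's own modelling choices, chosen so that a weak read can observe both an out-of-date value and an uncommitted one.

```python
"""Replica consistency under partial failure: strong versus weak reads.

Added illustration for the replicated-data discussion; not code from the
page. The replica names and the write sequence are constructed sample data.
"""


class Replica:
    def __init__(self, name):
        self.name = name
        self.alive = True
        self.committed = (0, None)   # (version, value) durably committed
        self.pending = None          # (version, value) prepared, not yet committed


class ReplicatedStore:
    """Coordinator-driven replication with a two-step write (prepare, commit).
    A replica that is down misses writes and comes back stale."""

    def __init__(self, names):
        self.replicas = {n: Replica(n) for n in names}
        self.version = 0

    def alive(self):
        return [r for r in self.replicas.values() if r.alive]

    def majority(self):
        return len(self.replicas) // 2 + 1

    def prepare(self, value):
        if len(self.alive()) < self.majority():
            raise RuntimeError("no write quorum")
        self.version += 1
        for r in self.alive():
            r.pending = (self.version, value)
        return self.version

    def commit(self, version):
        for r in self.alive():
            if r.pending and r.pending[0] == version:
                r.committed, r.pending = r.pending, None

    def strong_read(self):
        """Needs a read majority; returns the highest committed version, so
        it never sees uncommitted or out-of-date data. Returns None when a
        quorum cannot be formed."""
        alive = self.alive()
        if len(alive) < self.majority():
            return None
        return max(r.committed for r in alive)

    def weak_read(self, name):
        """Asks one replica and takes whatever it holds, including a prepared
        but uncommitted value or a value behind the latest commit. Available
        while that replica is up; correct only when the application can
        tolerate stale or tentative data."""
        r = self.replicas[name]
        if not r.alive:
            return None
        return r.pending or r.committed


def scenario():
    """Constructed run in which the two read semantics diverge."""
    store = ReplicatedStore(["A", "B", "C"])
    store.commit(store.prepare("position-1"))
    store.replicas["C"].alive = False              # C destroyed or out of range
    store.commit(store.prepare("position-2"))      # reaches A and B only
    store.replicas["C"].alive = True               # C returns, still stale
    out = {"weak_from_C": store.weak_read("C")}    # (1, 'position-1'): out of date
    store.prepare("position-3")                    # prepared, not committed
    out["strong"] = store.strong_read()            # (2, 'position-2')
    out["weak_from_A"] = store.weak_read("A")      # (3, 'position-3'): uncommitted
    store.replicas["A"].alive = False
    store.replicas["B"].alive = False
    out["strong_no_quorum"] = store.strong_read()  # None: no majority left
    out["weak_after_loss"] = store.weak_read("C")  # (3, 'position-3'): tentative
    return out
```

The last two results are the trade-off in one line: after two of three nodes are lost the strong read refuses to answer, while the weak read still answers with a value that was never committed.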

Experiments and Evaluation: Our experiments simulate the initial key exchange and the subsequent key maintenance between mobile base stations and mobile hosts. Techniques like ISAKMP/Oakley and Diffie-Hellman are used for this purpose. We evaluate the factors that affect secret key sharing, using Berkeley's network simulator, ns-2. We briefly outline the following set of experiments for secure mobile systems.
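The key exchange and key maintenance named here, and the session-key management gap described under Mobile IP key management, as an added Python illustration (not the talk's ns-2 simulation): a Diffie-Hellman exchange between a mobile host and a base station whose public values are authenticated with a long-term registration key, as pre-shared-key modes of ISAKMP/Oakley do, followed by rekeying when a session key's lifetime runs out. Assumptions: the registration key is a constructed 32-byte value, the DH group is a toy one far too small for real use, and key lifetime is counted in protected packets rather than seconds.

```python
"""Authenticated Diffie-Hellman session key set-up and key maintenance
between a mobile host (MH) and a mobile base station (BS).

Added illustration for the key-management discussion and the key-exchange
experiments; not the talk's simulation code and not an ns-2 script.
Assumptions: MH and BS already share a long-term registration key
(constructed 32-byte value); the DH group is a toy one, far too small for
real use; key lifetime is counted in protected packets.
"""
import hashlib
import hmac
import secrets

# Toy DH group (constructed for the example). Real deployments use a
# standardised group such as those defined for IKE/Oakley.
P = 2 ** 127 - 1
G = 3
KEY_LIFETIME_PACKETS = 1000


class SessionKey:
    def __init__(self, key):
        self.key = key
        self.uses = 0

    def expired(self):
        return self.uses >= KEY_LIFETIME_PACKETS

    def protect(self, packet):
        """Integrity tag for one packet; each use counts against lifetime."""
        if self.expired():
            raise RuntimeError("session key expired; rekey first")
        self.uses += 1
        return hmac.new(self.key, packet, hashlib.sha256).digest()


class Party:
    """One side of the exchange; `psk` is the long-term registration key."""

    def __init__(self, identity, psk):
        self.identity = identity
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(16)

    def offer(self):
        """Identity, public value and nonce, with a MAC under the registration
        key so a substituted public value is detected before any key is derived."""
        body = self.identity.encode() + self.pub.to_bytes(16, "big") + self.nonce
        return body, hmac.new(self.psk, body, hashlib.sha256).digest()

    def accept(self, peer_body, peer_tag):
        expected = hmac.new(self.psk, peer_body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("peer offer failed authentication")
        peer_pub = int.from_bytes(peer_body[-32:-16], "big")
        peer_nonce = peer_body[-16:]
        shared = pow(peer_pub, self.priv, P)
        # Both nonces go into the derivation (in a fixed order so both sides
        # agree), so every rekey yields a fresh session key.
        material = shared.to_bytes(16, "big") + min(self.nonce, peer_nonce) + max(self.nonce, peer_nonce)
        return SessionKey(hashlib.sha256(material).digest())


def establish(psk):
    """Run one exchange; returns the MH's and the BS's session keys."""
    mh, bs = Party("mh-17", psk), Party("bs-alpha", psk)
    mh_body, mh_tag = mh.offer()
    bs_body, bs_tag = bs.offer()
    return mh.accept(bs_body, bs_tag), bs.accept(mh_body, mh_tag)


def maintain(psk, packets):
    """Key maintenance: protect `packets` packets, rekeying each time the
    key's lifetime runs out. Returns how many session keys were used."""
    mh_key, bs_key = establish(psk)
    keys_used = 1
    for i in range(packets):
        if mh_key.expired():
            mh_key, bs_key = establish(psk)
            keys_used += 1
        packet = b"packet %d" % i
        if not hmac.compare_digest(mh_key.protect(packet), bs_key.protect(packet)):
            raise RuntimeError("MH and BS session keys diverged")
    return keys_used


def tampered_offer_rejected(psk):
    """An offer whose nonce was swapped in transit keeps its old tag and
    must be refused by the base station."""
    mh, bs = Party("mh-17", psk), Party("bs-alpha", psk)
    body, tag = mh.offer()
    forged = body[:-16] + secrets.token_bytes(16)
    try:
        bs.accept(forged, tag)
    except ValueError:
        return True
    return False
```

The rekey counter is the quantity the text's key-maintenance experiments measure: with a lifetime of 1000 packets, 2500 packets consume three session keys, and each rekey is a full authenticated exchange rather than a reuse of old material.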

1. The simulation environment used for this research achieves fault-tolerant authentication using a hierarchical organization of agents that grant service to the mobile hosts at the leaf nodes. Five factors come into play when computing the priority of a secret key shared between a leaf node and an internal node: the communication delay between the nodes, the processing speed of the internal node, how many times the secret key has been used, the lifetime of that key, and the availability of the key at that internal node.

One popular form of analysis is to maximize the effect of the factor under test while minimizing the others. The tests center around the total time the system takes to process a number of requests. Because the effect of the factor under test is maximized, all other effects can be treated as statistically negligible. Each factor is tested individually using trees of different sizes (from 2 to 10 levels) to show that any trend holds; there is no correlation between the number of levels and the service time in this section, since the simulation is reconstructed at each point of experimentation.

2. The Intrusion Detection System available in the CERIAS laboratory can be used to simulate an internal base station setup and to study methods of detecting and acting against possible intrusions into the mobile base stations.

3. Additional experimental studies include experiments on hierarchical mobile host authentication, key management in group communications, security as a QoS parameter, and denial of service.
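An added example tying together the home-agent deficiency described under Mobile IP authentication and experiment 1 above (it is not the talk's simulator): a mobile host registers a distinct shared secret with its home agent and with every ancestor in the agent hierarchy, ranks those keys using the five factors the text names, and authenticates through the best available agent, so losing the home agent no longer leaves it homeless. Assumptions: the agent names, delays and speeds are constructed; the page names the five factors but not how they are combined, so the equal-weight average over normalised factors is this example's own choice; HMAC-SHA256 stands in for the protocol's authentication extension.

```python
"""Fault-tolerant authentication over a hierarchy of agents, with the five
keying-parameter factors used to rank the keys a mobile host holds.

Added illustration; not the talk's simulator. Agent names, delays and
speeds are constructed; the priority formula (equal weights over
normalised factors) is this example's own assumption; HMAC-SHA256 stands
in for the protocol's authentication extension.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Agent:
    name: str
    parent: Optional["Agent"]
    delay_ms: float      # round trip from the MH's current cell (constructed)
    speed: float         # relative processing speed, 0 < speed <= 1 (constructed)
    available: bool = True
    keys: dict = field(default_factory=dict)   # mh_id -> shared secret


@dataclass
class SharedKey:
    agent: Agent
    secret: bytes
    max_uses: int
    issued_at: int       # logical time
    expires_at: int      # logical time
    uses: int = 0


def priority(k, now, max_delay_ms=500.0):
    """0.0 means unusable; otherwise a score in (0, 1]. Availability of the
    key at the agent gates the result; delay, processing speed, use count
    and remaining lifetime are averaged (assumed weighting)."""
    if not k.agent.available or now >= k.expires_at or k.uses >= k.max_uses:
        return 0.0
    delay_score = max(0.0, 1.0 - k.agent.delay_ms / max_delay_ms)
    use_score = 1.0 - k.uses / k.max_uses
    life_score = (k.expires_at - now) / (k.expires_at - k.issued_at)
    return (delay_score + k.agent.speed + use_score + life_score) / 4


def register(mh_id, home):
    """At registration the MH shares a fresh secret with its home agent and
    with every ancestor, so losing the HA alone cannot orphan it."""
    keys, agent = [], home
    while agent is not None:
        secret = secrets.token_bytes(32)
        agent.keys[mh_id] = secret
        keys.append(SharedKey(agent, secret, max_uses=100, issued_at=0, expires_at=3600))
        agent = agent.parent
    return keys


def authenticate(mh_id, keys, now):
    """Challenge-response with the highest-priority usable agent. Returns the
    agent's name on success, None when no usable key remains (homeless)."""
    best = max(keys, key=lambda k: priority(k, now))
    if priority(best, now) == 0.0:
        return None
    challenge = secrets.token_bytes(16)
    best.uses += 1
    response = hmac.new(best.secret, challenge + mh_id.encode(), hashlib.sha256).digest()
    # Agent side: recompute with its own copy of the secret.
    expected = hmac.new(best.agent.keys[mh_id], challenge + mh_id.encode(), hashlib.sha256).digest()
    return best.agent.name if hmac.compare_digest(response, expected) else None


def build_hierarchy():
    corps = Agent("corps", None, delay_ms=200, speed=0.6)
    division = Agent("division", corps, delay_ms=80, speed=0.7)
    brigade = Agent("brigade", division, delay_ms=20, speed=0.9)
    return corps, division, brigade


def scenario():
    """Home agent at the brigade level is lost, then its parent, then all."""
    corps, division, brigade = build_hierarchy()
    keys = register("mh-17", brigade)
    out = {"normal": authenticate("mh-17", keys, now=10)}
    brigade.available = False                   # home agent destroyed
    out["ha_down"] = authenticate("mh-17", keys, now=20)
    division.available = False
    out["two_levels_down"] = authenticate("mh-17", keys, now=30)
    corps.available = False
    out["homeless"] = authenticate("mh-17", keys, now=40)
    return out
```

With these constructed parameters the nearest, fastest agent (the home agent) wins while it is up, each loss moves authentication one level up the hierarchy, and the host becomes homeless only when every agent holding one of its keys is gone; a key whose use count or lifetime is exhausted drops to priority 0 and is skipped the same way.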

Bharat Bhargava
CERIAS and Department of Computer Science, Purdue University
West Lafayette, IN 47907; 765-494-6013

A. Bhargava and B. Bhargava, "Applying Fault-Tolerance Principles to Security Research", Proceedings of the 20th IEEE Symposium on Reliable Distributed Systems, New Orleans, USA, Oct 28-31, 2001, pp. 68-69.
B. Bhargava, S. Babu, and S. Madria, "Fault-Tolerant Authentication and Group Key Management in Mobile Computing", Proceedings of the International Conference on Internet Computing, Las Vegas, June 2000, pp. 67-76.
B. Bhargava (Editor), "Concurrency Control and Reliability in Distributed Systems", Van Nostrand Reinhold, 1987.
D. McClure and B. Bhargava, "On Assigning Priorities of Keying Parameters in a Secure Mobile Network", Technical Report, Department of Computer Science, Purdue University, Oct 2001.
S. McCanne and S. Floyd, "ns-2: Network Simulator", 1997.