Selección de estrategias a implementar en FOCOMIPRO

2.1 Introduction

As we have seen in the previous chapter, the development of wireless networks has followed a centralized pattern: The network infrastructure (meaning all pieces of equipment except the terminal) has remained under the full supervision of the network operator, who traditionally used to be a large organization, very careful at respecting the legislation (and at nurturing the value of its own brand). As a result, the users generally tend to trust the operator, but do not generally trust the other users.

As we have also seen, current technology such as WiFi makes infrastructure equip- ment (and in particular access points) affordable to very small operators or even individuals, thus allowing the emergence of community networks and similar initia- tives.

In this chapter, we will show that we are only at the beginning of this evolution, and that not only WiFi, but also other wireless technologies are about to dramati- cally transform the deployment and operation philosophy of wireless networks. As a consequence, the notions of authority and of trust need to be completely revisited, and this is exactly one of the reasons for writing this book: the novel organization of the wireless networks calls for a thorough study of the possible malicious and selfish behaviors, and of the techniques to thwart them.

In order to be as concrete as possible, we will first provide a certain number of examples of emerging wireless networks, spanning personal networks, vehicular net- works, sensors, and RFID (Radio Frequency IDentification, described later in this chapter). Then, in spite of the substantial and deliberate diversity of these examples, we identify relevant trends common to all or to most of them. By the same token, from these trends we identify the most significant challenges that underpin Part II and Part III of this book.

2.2 Upcoming wireless networks

For each wireless network presented in this section, we provide a brief description and a set of security and cooperation challenges. If these challenges can be taken up by well-established techniques, we mention possible solutions right away. If, on the contrary, more sophisticated mechanisms are required, we refer the reader to the related chapters of Part II and Part III.

2.2.1 Personal communications

Personal communications have been and are likely to remain the most relevant and diverse kind of wireless communication systems. In the previous chapter, we have discussed their security requirements. In this subsection, we will describe the most relevant upcoming types of these networks; we start with those most similar to the existing cellular and WiFi networks and progressively relax the assumptions of one- hop radio connectivity between the mobile station and the base station and of a strong trust relationship between the user and the operator.

Small operators, operators in shared spectrum

The first type of networks resembles existing cellular and wireless data networks: a radio access device (a base station or a WiFi access point), installed and managed by an operator, provides mobile devices with one-hop access to the backbone. Yet, even this relatively classical type of networks will go through substantial modifications in the coming years, and this will have strong implications.

First of all, the increased programmability of the devices opens the door to selfish behavior with respect to the shared radio channel. In Chapter 9, we will see how a selfish user can modify the behavior of her wireless adapter to achieve this selfish goal, and how such a misdeed can be detected by the Access Point.

Moreover, the number of operators is likely to dramatically increase (especially in unlicensed frequency bands), because of the low cost of the access points. This means that the level of trust that can be associated with operators’ brands can significantly decline. We will address this issue of trust in the next chapter.

Another important change is that the very notion of licensed band could be ques- tioned. Indeed, the current practice consisting in allocating a different chunk of the spectrum to each operator is highly inefficient and can become an obsolete approach as soon as more sophisticated technology such as cognitive radios [139, 278] becomes available. The implications of such a change can be overwhelming: In this new set- ting, operators will have to cope with each others’ presence, and program their base stations accordingly. In Chapter 11, we will show how to model this kind of situation. Note that this scenario already happens on a small scale, when several WiFi operators deploy their access points in the same area.

Wireless mesh networks

As shown in Figure 2.1, a typical mesh network is comprised of one Wireless Hot Spot (WHS), connected to the Internet, and of several Transit Access Points (TAPs) which relay traffic between the mobile stations and the WHS in a multi-hop fashion. A nice property of the mesh networks is that they are (in principle) relatively easy to deploy, as they require a single connection point to the Internet.

WHS

TAP: Transit Access Point MS: Mobile Station WHS: Wireless Hot Spot Legend:

Internet

Fig. 2.1. A Wireless Mesh Network: the (wireless) Transit Access Points (TAPs) relay the traffic between the Wireless Hot Spot and the mobile stations

Wireless Mesh Networks (WMNs) represent a good solution to providing wireless Internet connectivity in a sizable geographic area; this new and promising paradigm allows for network deployment at a much lower cost than with classic WiFi networks. WMNs are particularly interesting for us, because they contain some features (and vulnerabilities) typical of future networks such as wireless multi-hopping and are already in the standardization and early deployment phase. And, as we will see, they nicely illustrate the fact that performance (in this specific case fairness) and security are closely related. For these reasons, we will describe these networks in some detail. WMNs, however, are not yet ready for wide-scale deployment for two main reasons. First of all, the communications being wireless and multi-hop (and therefore prone to interference), WMNs present severe capacity and delay constraints. Nevertheless, there are reasons to believe that technology will be able to overcome this problem, for example by using multi-radio and multi-channel TAPs. The second reason for the

slow deployment of WMNs is the lack of security guarantees. The reader interested in the security peculiarities of mesh networks should refer to Subsection 2.2.6. Hybrid ad hoc networks

In mesh networks, the relay stations (the TAPs) between the mobile station and the backbone are specialized devices under the control of one or several operators. A bold design decision consists in removing these relay stations and assigning the relaying task to other mobile stations. Such a network is usually called a “hybrid ad hoc network” or, in some cases, a “multi-hop cellular network”.

The proper operation of these networks raises a number of formidable technical challenges and it is unclear, at the time of this writing, whether such networks will ever be implemented. These challenges include notably the problem of power management, as (by definition) a priori planning is not possible. With respect to the focus of this book, the routing protocol of such a network can be secured by making use of the protocols described in Chapter 7; the packet forwarding operation can benefit of stimulation mechanisms described in Chapter 10.

An example of a hybrid ad hoc network is provided in Figure 2.2.

Internet

Fig. 2.2. A hybrid ad hoc network: mobile wireless stations relay packets to and from the Internet

Mobile ad hoc networks

A step further towards decentralization consists in removing completely the (on-line) infrastructure: the network then consists only of (mobile) nodes that relay each others’ traffic (see Figure 2.3). These networks are usually called mobile ad hoc networks (often abbreviated as “MANET” or wireless ad hoc networks1_{). Such networks have}

1 _{The first investigations and implementations of these networks took place in the seventies and}

were intended for military applications; at that time, these networks were known as “Packet Radio Networks.”

been a strong stimulus to the research community, who has devoted to it hundreds of papers, essentially during the last ten years or so. It is very important to distinguish between the following two kinds of such networks.

Fig. 2.3. A mobile ad hoc network: mobile wireless stations relay packets mutually

a. Mobile ad hoc networks in hostile environments designate a set of mobile nodes that are expected to carry out a mission in an environment where the presence of a “strong” attacker is expected. This is typically the case of military networks (some- times lamentably camouflaged as “rescue operation networks” in the literature). The need for security is of course particularly acute in this category. In this case, the authority would typically pre-load appropriate cryptographic keys in the devices, in compliance with the role of each of the users; these keys would then protect the com- munication between the devices during the unfolding of the mission. As long as a node is not compromised, it is reasonable to assume that it will have a highly cooperative behavior with respect to the other nodes of the network.

The security challenges typically encountered in this kind of networks include se- cure routing, prevention of traffic analysis2_{, and resistance of a captured device to}

reverse engineering and key retrieval. Secure routing is addressed in Chapter 7, and the other two are not addressed in this book; the interested reader can check the spe- cialized literature, for example the proceedings of the IEEE Conference on Military Communications (MILCOM).

2 _{Traffic analysis consists in establishing who is communicating with whom, typically in a network}

b. In self-organized3 _{mobile ad hoc networks, there is no authority whatsoever to}

take care of the network, not even in the initialization phase. This means that the network is purely peer-to-peer, and that the nodes have to figure out how to secure the communications by themselves. We will see in Chapter 5 how two nodes can establish a security association between themselves. We will also show that selfishness can be a serious issue in such networks; more specifically, we will show that, without appropriate mechanisms, such a network can collapse, either because nodes selfishly refuse to forward packets (Chapter 10) or greedily overuse the common radio channel (Chapter 9). In both cases, we will explain how these problems can be solved.

It is unlikely that personal communication networks of this kind be deployed on a large scale any time soon, because their operation is very difficult to ensure (power management, for example, is extremely complicated). In addition, all-wireless net- works exhibit intrinsic scalability problems [158], although the mobility of the nodes can mitigate the problem, but at the expense of a higher packet delay [157]. Yet some small scale applications can certainly be envisioned: a group of people can get together, each equipped with a laptop or a PDA; they can be willing to establish a network between their devices, without having to rely on an infrastructure. To- day’s technology already allows doing this with laptops and PDAs, albeit somewhat painstakingly.

Other personal communication networks As mentioned in the previous chapter, there exist many other wireless personal communication networks, including Blue- tooth and WiMAX. We do not discuss them here further, however, as their character- istics in terms of security and cooperation are already covered by the network types we have just described.

2.2.2 Vehicular networks

Initiatives to create safer and more efficient driving conditions have recently begun to draw strong support. Vehicular communications (VC) will play a central role in this effort, enabling a variety of applications for safety, traffic efficiency, driver assistance, and infotainment. For example, in order to improve safety, warnings for environmental hazards (e.g., ice on the pavement) or abrupt vehicle kinetic changes (e.g., emergency braking) will be provided by these systems.

Vehicular networking protocols will allow nodes, that is, vehicles or road-side in- frastructure units, to communicate with each other over single or multiple hops. In other words, nodes will act both as end points and routers, with vehicular networks

3 _{By self-organization, we refer in this book to the organization of security and not of other mech-}

emerging potentially as the largest instantiation of the mobile ad hoc networking tech- nology. By their very nature, vehicular networks stand somewhere in between the two extreme cases of mobile ad hoc networks that we have just described: they cannot be fully self-organized, but they also cannot be placed under the strict control of a single authority.

The unique features of VC are a double-edged sword: a rich set of tools are offered to drivers and authorities, but a formidable set of abuses and attacks becomes pos- sible. Hence, the security of vehicular networks is indispensable, because otherwise these systems could make anti-social and criminal behavior easier, in ways that would actually jeopardize the benefits of their deployment. What makes VC security hard to achieve is the tight coupling between applications, with rigid requirements, and the networking fabric, as well as the societal, legal, and economical considerations. Solutions to this problem involve the industry, governments, and the academia.

The reader interested in more details about the security of vehicular communica- tions should refer to Subsection 2.2.7.

2.2.3 Sensor networks

Sensor networks are wireless networks that consist of a large number of sensor nodes and a few base stations or sinks (see Figure 2.4 for illustration). The sensor nodes are tiny devices that are equipped with sensing circuits that collect data about some physical phenomena, such as light, sound, vibration, humidity, temperature, etc. In addition, the sensor nodes have computing and wireless communication capabilities. The base stations are much more powerful than the sensor nodes, and their role is to collect the data gathered by the sensor nodes and to send those data to some application unit for further processing. For this reason, the base stations are often called sinks in the context of sensor networks.

The sensor nodes are usually battery powered, which has a profound effect on the design of sensor networks. Since recharging the batteries is often impractical, or even impossible in some deployment scenarios, the main design criteria for sensor networks is to reduce the energy consumption of the sensor nodes and increase network lifetime as much as possible. All networking mechanisms for these networks are designed with this requirement in mind.

In order to reduce their energy consumption, the sensor nodes cooperatively perform many functions. For instance, sensor nodes communicate with the base station using multi-hop wireless communications, where the nodes forward packets towards the base stations on behalf of other nodes. This reduces energy consumption in two ways: First, it is known that the energy needed for wireless transmission grows super- linearly with the distance of the transmission. Thus, the overall energy consumption can be reduced, if packets are sent in several smaller hops to the base station instead

  
 
   

Fig. 2.4. A sensor network: sensor nodes forward packets towards the base stations on behalf of other nodes in order to mitigate the overall energy consumption and interference.

of sending them directly in a single large hop. Second, communication via multiple smaller hops reduces the interference between the devices, which means that fewer re-transmissions are needed due to collisions.

In addition to packet forwarding, the sensor nodes can cooperate in the processing of the gathered data. The idea is that instead of relaying raw sensor readings to the base stations, the sensor nodes can perform in-network processing and aggregate data on their way to the base stations. This can greatly reduce the number of packets that need to be sent, and hence, reduce the energy consumption.

Sensor networks have many useful applications both in military and in civilian en- vironments. In the military setting, they can be used in monitoring, surveillance, and reconnaissance applications. In the civilian setting, they can be used for environ- mental monitoring purposes (such as forest fire detection and earthquake prediction) and in health applications (such as telemonitoring of physiological data of elderly or chronically ill people, and drug administration). More civilian applications of sensor networks include building automation, smart environments, monitoring the status of structures, such as bridges, increasing the effectiveness of agricultural processes, water management, etc.

In terms of security requirements, sensor networks must ensure the integrity (and in some cases, the confidentiality) of the data delivered to the base stations. Similarly, the integrity (and the confidentiality) of control messages sent by the base stations to the sensors must be guaranteed. Availability is also an important security require-

ment, especially when the sensor network is used in life critical applications, such as earthquake prediction and telemonitoring of people’s health conditions.

These are more or less standard security requirements that can also be found in traditional wired and wireless networks. However, the challenge is to satisfy these requirements under the special operating conditions of sensor networks. First of all, any security solution must take into account the requirement of reducing the energy consumption of the sensor nodes. In addition, as we mentioned before, sensor nodes are tiny devices, which means that their computing and storage capacity is severely limited. Thus, cryptographic algorithms and protocols that require intensive computation, communication, or storage cannot be used in sensor networks.

Furthermore, as sensor nodes are expected to be deployed in mass, they must be cheap, which makes their physical protection against tampering difficult. Moreover, sensor nodes are often deployed in areas where the access to them cannot be moni- tored. This means that an adversary can corrupt some of the sensor nodes. By doing that, the adversary can learn the content of the memory, including cryptographic se- crets, of the corrupted nodes, and she can also modify the behavior of the corrupted nodes. These constraints greatly increase the difficulty of providing security for sensor networks.

As an illustrative example, in Chapter 5, we will elaborate on the problem of establishing shared keys in sensor nodes. Traditional approaches for key establishment are inefficient for sensor networks. Hence, we must develop new solutions that take into account the special characteristics described above. In addition, in Chapter 7, we study how routing in sensor networks can be secured.

2.2.4 RFID

RFID (Radio Frequency Identification) is a wireless technology that enables the iden- tification of objects and people by computers. Humans usually solve the task of identification remarkably well by visual means. A huge amount of work in artificial intelligence and computer vision has been carried out by researchers to endow com- puters with similar capabilities. However, to a large extent, those efforts have failed: