Brian DeCleene
BAE Systems
Publication
Featured research published by Brian DeCleene.
Performance Evaluation | 2002
Chun Zhang; Brian DeCleene; James F. Kurose; Donald F. Towsley
Many emerging mobile wireless applications depend upon secure group communications, in which data is encrypted and the group's data encryption key is changed whenever a member joins or leaves the group's session. Hierarchical approaches have recently been proposed to manage the distribution of the data encryption key in a scalable manner for fixed (non-mobile) networks. In this paper, we characterize the impact of mobility on secure rekeying of group communication in a hierarchical key-distribution framework. We propose several rekeying algorithms that preserve confidentiality as members move within the hierarchy. The algorithms differ in the locality of communication, the amount of messages needed to rekey the data key/key-encryption key, the key-encryption key rekey rate, and the number of key-encryption keys held by group members. We develop Markov models to quantify the performance of the proposed algorithms. Our results show that the FEDRP and SR inter-area rekeying algorithms are superior under different circumstances. In the situation of lower arrival rate and higher mobility, SR has the lowest intra-AS message rate, rekey rate and a low inter-AS message rate. On the other hand, with higher arrival rate and lower mobility, FEDRP has a low rekey rate, inter-AS message rate and the lowest intra-AS message rate. This is achieved by allowing members to hold a small number of keys. In a wireless environment, where bandwidth is often a limiting resource, minimization of communication overhead is of critical importance. This goal could be achieved by using a dynamic strategy to combine the benefits of FEDRP and SR algorithms.
military communications conference | 2010
Victor Firoiu; Greg Lauer; Brian DeCleene; Soumendra Nanda
While network coding offers many theoretical properties that can be used to improve performance, practical experiences have been largely limited to simulation, emulation, and small-scale demonstrations. This paper reviews observations and results from recently conducted 802.11-based MANET field trials contrasting a network-coded protocol stack against a candidate baseline protocol suite. These field trials were based on an operational scenario with dismounts, vehicles, and airborne relay nodes conducting a search and rescue mission using video, chat, and situational awareness applications. This paper examines practical implementation issues such as CPU performance demands of network coding on an embedded system as well as observed traffic characteristics.
military communications conference | 2008
Honggang Zhang; Brian DeCleene; James F. Kurose; Donald F. Towsley
We investigate the bootstrapping of policy-based access control in a deny-by-default mission-critical MANET. In the absence of any initial policies, a deny-by-default system fundamentally prevents all traffic flow. Providing all policies prior to deployment assumes advanced knowledge of all possible future scenarios - an assumption that is often unrealistic in practice; furthermore, policies may change over time. Thus, alternatively, network nodes can be initialized with a small set of initial policies (which we refer to as an axiomatic set of policies) that allow them to obtain additional policies, update outdated policies, and establish connectivity with neighboring nodes - a process that we refer to as bootstrapping. We identify a set of axiomatic policies for bootstrapping a deny-by-default system, propose a bootstrap protocol for neighbor link setup, and study how policies can be propagated within the MANET. Safety and liveness of the proposed bootstrap protocol are formally proved via model checking in SPIN. We also analyze the tradeoff between network vulnerability (the fraction of time that a node's policy is out-of-date) and the overhead incurred by different policy-dissemination approaches.
military communications conference | 2005
Brian DeCleene; Victor Firoiu; Matthew Dorsch; Steve Zabele
The Army's next generation distributed sensor networks provide stand-off situational awareness for future troops. A major factor for the performance and lifecycle of these sensor networks is their ability to conserve battery power. As advances in RF components reach the physical limits of energy efficiency, new network protocols operating at the link layer and above hold the greatest opportunities for additional improvements in energy efficiency. Recently, a number of power-saving solutions have been proposed that separately consider power-consumption of media access control (MAC) scheduling and routing algorithms, but have not considered the potential benefit of cross-layer optimization across these algorithms. In this paper, we present an approach that integrates pseudo-dynamic scheduling at the link-layer with diversity routing at the network-layer. The link-layer protocol also provides detailed control of the physical layer's radio state. Our work focuses on reducing the energy loss due to idle listening, control signaling, congestion hot-spots, and packet collisions. We present analytical and simulation results that demonstrate the increased energy efficiency of this class of cross-layer protocols, examine the throughput and latency impacts, and define how parameters should be set to optimize the end-to-end performance. We anticipate that the technology presented here will have broad application to army sensor networks as well as public commercial wireless systems and plant automation.
military communications conference | 2009
Honggang Zhang; O. Patrick Kreidl; Brian DeCleene; James F. Kurose; Xiaoyu Ni
In previous work, we proposed a “Bootstrap” protocol for establishing neighbor relationships between two mobile nodes in a mission critical deny-by-default Mobile Ad-hoc Network. In this paper, we formally characterize the security properties of this Bootstrap protocol, striving to answer the following questions: 1) To what extent can an adversary undermine the correctness and performance of the Bootstrap protocol? 2) To what extent can the Bootstrap protocol be improved in anticipation of an adversary? Our analyses employ a combination of formal logic and two standard automated model checkers, SPIN and PRISM. Two types of threats are considered, which we call the subverted node and the subverted link. In the subverted link analysis, we further categorize the adversary into two variants, which we call dark-red or light-red in correspondence with having detailed Bootstrap-protocol-specific knowledge or only generic neighbor setup knowledge, respectively. The subverted node analysis shows that the adversary cannot TCP-SYN-flood-like attack nor deadlock the good node within the Bootstrap protocol. The subverted link analysis shows that the adversary cannot undermine the correctness of the protocol, in the sense that the protocol's performance is only degraded in a bounded manner by the dark-red adversary or in a benign manner by the light-red adversary.
military communications conference | 2008
Scott Alexander; Brian DeCleene; Jason Rogers; Peter Sholander
An intrinsically assurable mobile ad hoc network (IAMANET) will directly support the integrity, availability, reliability, confidentiality, and safety of MANET communications and data. In contrast, the dominant Internet paradigm is intrinsically insecure. For example, the Internet does not deny unauthorized traffic by default and therefore violates the principle of least privilege. In addition, there are no provisions for non-repudiation or accountability and therefore adversaries can probe for vulnerabilities with impunity because the likelihood of attributing bad behavior to a particular adversary is limited. Finally (although not exhaustively) existing protocols are not robust to Byzantine failures and malicious behavior, leaving entire Internet-based systems vulnerable. This paper expands on these high-level requirements and threat models. It then presents an early view of two high-level architectures for an IAMANET, PIANO and Zodiac.
Network Coding: Fundamentals and Applications | 2012
Victor Firoiu; Greg Lauer; Brian DeCleene; Soumendra Nanda
Publisher Summary: This chapter presents control over network coding for enhanced radio transport optimization (CONCERTO), a fully implemented communication system based on a network coding protocol stack, and reviews observations and results from recently conducted 802.11-based mobile ad hoc networks (MANET) field trials contrasting the CONCERTO system against a candidate baseline protocol suite. These field trials were based on operational scenarios with mobile radios conducting a search and rescue mission using video, file transfer, chat, and situational awareness applications. The CONCERTO system was shown to support 2 to 3 times more video throughput than a state-of-the-art set of protocols, as well as up to 7 times distance-utility product. This chapter examines practical implementation issues of network coding on an embedded system and analyzes performance results. CONCERTO derives its performance benefits from the combination of network coding and the use of a rich subgraph for forwarding. Network coding allows CONCERTO to exploit poor links and to use multiple forwarders to deliver information to mobile nodes. Network coded packets arriving from different forwarding nodes have a high probability of finding a path which allows delivery of sufficient information to recover the application data. Thus, CONCERTO achieves a high probability of delivery while efficiently using channel capacity. CONCERTO makes efficient use of the channel capacity by using multiple paths to the destination and by using link-layer rather than end-to-end retransmissions to overcome link loss.
military communications conference | 2009
David T. Stott; Lloyd G. Greenwald; O. Patrick Kreidl; Brian DeCleene
Estimating network parameters from noisy data is a hard problem that can be made even more difficult by the presence of a malicious adversary who may corrupt the measurement process by capturing a trusted node or perturbing data externally. The adversary may have complete knowledge of the networking protocols that rely on the parameter estimates and may adjust its effect on the system to push protocols into incorrect operating regimes. This work focuses on studying how an adversary may impact the estimation of link quality (LQ) of a communications link. We propose a nonlinear filtering solution that simultaneously tracks both the quality of a link and the state of the adversary, tracking the latter to tolerate better the corruption in tracking the former. We provide empirical results while considering several types of adversarial perturbation, including ones that falsely report the LQ measurements or jam a link. Extensions of these analytical techniques and empirical results show how assumptions about symmetry between the LQ of each direction of a bidirectional link can improve adversary tracking and, in turn, LQ estimation.
mobile adhoc and sensor systems | 2006
Jeffrey Opper; Brian DeCleene; May Leung
Subset difference revocation (SDR) provides a powerful mechanism for the efficient expression of the revocation state of a large group of key recipients. However, arbitrary assignment of receivers as leaf nodes in a static binary tree can lead to inefficiencies in certain group revocation states. Gateway subset difference revocation (GSDR), developed in our ongoing SecureKeys effort, provides the ability to group receivers based upon organizational characteristics while simultaneously introducing the ability to audit rekey and data transmission, delegate rekey decisions to subordinate decision makers, and override subordinate rekey authority when necessary. GSDR extends the existing SDR scheme by deploying rekey gateways in a hierarchy that mimics an organic decision making structure. Delegation of rekey authority offloads a significant computational and communications burden from gateways high in the tree, while correspondingly partitioning the rekey traffic required to be processed by leaf nodes in the tree. GSDR also significantly reduces label storage requirements in rekey devices by limiting terminal node fan-out.
military communications conference | 2004
Stephen Zabele; Mark Keaton; Robert Flynn; Sean Griffin; Brian DeCleene
We review the design of the multipath-enabled mobile IP-based dynamic routing and quality-of-service (QoS) management capability developed under the Air Force's Information for Global Reach (IFGR) Program. The dynamic routing and QoS management goals for IFGR are making multiple disparate communications resources appear as a single channel (i.e., inverse multiplexing across multiple data radios) to provide transparent air-to-ground IP connectivity to multiple IP hosts onboard aircraft (i.e., providing mobile subnet support). This paper describes the various network layer components that collectively enabled this service, and in particular the extensions made to mobile IP, which have resulted in several successful field evaluations on Joint STARS.