International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.

5, 2011

A Novel Approach for Secure Access Control over Heterogeneous Multi-hop MANET
1,2

Saurabh Kumar Srivastava1 , A. K. Vatsa2 School of Computer Engineering & IT, Shobhit University, Meerut, UP, INDIA Abstract

MANET technology has been gaining rapid popularity and its adaptation depends on the ease of use and level of security it provides. We require strong security mechanism due to their open media and heterogeneous nature of network. Therefore, Security protocols have emerged as a vital issue to support secure and reliable communication. Many work related to security services over heterogeneous multi hop network form a functional and operational prospective; however, different network and security protocols affects system performance with reference to access control over heterogeneous multihop environment. Therefore, In this paper, we propose a Security Mechanism for Access Control Over Heterogeneous Multi-hop MANET in which accessing mechanism provides secure access to nodes in heterogeneous network and it would be protected by certification authority over encrypted data. Moreover, WPA provides security at interfaces by consideration of certificates and cipher text. Keywords: MANET(Mobile Ad-hoc Network), Multi-hop, WEP(Wired RADIUS(Remote Authentication Dial in User service), AUC_CODE, Security. Equivalent Privacy),

1. Introduction: Mobile ad-hoc network is a decentralized, self configuring, infrastructure less, autonomous, selforganizing, rapidly deployable and dynamically reconfigurable collection of mobile nodes[12-13]. Each node participates in routing by forwarding data to other adjacent nodes, and so the determination of destination node comes out dynamically based on the forwarded data. It is the requirement that data could travel at different heterogeneous network for sake of communication among mobile nodes. Thus, data travels in different kinds of networks which has different attribute. Heterogeneous network [11] have communicating devices with different architecture and protocols [5]. Such network differs on the basis of following parameters like protocol, architecture, platform, chipset instructions, and frame format etc. It is also used in wireless networks with lack of security using different access methods. Security is the prevention of unauthorized access or damage to devices using wireless networks [17]. Wireless networking is prone to some security issues. cryptoanalyst have found wireless networks relatively easy to break into, and even use to crack into wired networks. As a result, it's very important that enterprises define effective wireless security policies that guard against unauthorized access to important resources [21].Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are commonly used to enforce wireless security policies. Therefore, Security protocols have emerged as a vital issue to support secure and reliable communication. Many work related to security services over heterogeneous network form a functional and operational prospective; however, different network and security protocols affects system performance with reference to access control over heterogeneous multi-hop environment. This paper is organized in sections. Section - 1 discusses Introduction. Section - 2 deals with Backgrounds that includes related work in reference to present problem. Moreover, the proposed architecture and mechanism is discussed in Section - 3 under heads of Proposed Work. The conclusion of this paper is mentioned in Section - 4 under heads of Conclusion. Section 5 discussed about the future aspects of this paper. Finally Section 6 mention all references thats used in this paper. 2. Backgrounds: Now a days security is a general term for discussion, communication and sharing of information through secure media is always the need of every ones, security issues are mandatory especially when we move globally and want to access the different networks resources. A lot of issues are associated for providing security mechanism. I studied certain previous research work, and proposed a secure mechanism for accessing the heterogeneous network resources.

November Issue

Page 74 of 84

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

In [1], the 802.11 MANET standards specify the two lowest layer of the OSI network model[2] which is physical and data link layers. The major goals of IEEE for creating these standards were made different approach to the physical, for example different frequencies, different encoding methods, share the same hire layers[4]. They have succeeded and media access control(MAC) layer of the 802.11 a, b, and g protocols are considerable identical. At the next higher layer still, all 802.11 WLAN protocols specify the use of the 802.2 protocol for the logical link control (LLC) portion of the data link layer. In MANET privacy is achieve by the data contents protection with encryption [10][6]. Encryption is optional in 802.11 MANET s, but without it, any other standard wireless device can read all traffic in network. There have been three major generations for security approaches [2-3], like WEP(Wired equivalent Privacy),[1] WPA (Wi-Fi Protected Access)[3] and WPA2.1/802.11i(Wi-Fi Protected Access, Version 2)[2]. There are many kinds of security attacks in WLAN network which can harm the network and can exploit it. Mainly there are two general types of attacks, physical and logical attacks. WEP was included as the privacy of the original IEEE 802.11standard ratified in September 1999 WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity. Cryptanalysis broke the security of WEP, exploits the way the RC4 cipher and IV is used in WEP. Because RC4 is a stream cipher, the key having short length and cant used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24bit IV, there is a 50% probability the same IV will repeat after 5000 packets. Serious problem with WEP[1] was that it had not include a key management protocol, relying instead on a single shared key among users. Use of encrypted tunneling protocols (e.g. IPec, Secure Shell) can provide secure data transmission over an insecure network. However, replacements for WEP have been developed with the goal of restoring security to the wireless network itself. The solution to WEP security problem switched WPA(wi-fi protected acess)[2], WPA was designed as an interim software solution for WEP that could forestall immediate deployment of new hardware. However, TKIP( Temporal Key Integrity Protocol)[1] the basis of WPA has been deprecated in the next full release of the 802.11 standard because of WPA security broken by cryptanalyst. WPA similar to WEP specifies two operation manner: WPA-PSK(key Pre-Shared)[3] especially used for small offices and home for domestic use for authentication which does not use any authentication server and data cryptography key goes up to 256 bits. WPA provide mutual authentication and key never goes to the air Enterprise or commercial WPA[1-2-3], authentication is made by server 802.1X, generating an excellent control and security in the users traffic of the wireless network. It replaces WEP by using advanced TKIP encryption. Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server. WPA2 (Wifi Protected Access version-2)[1-2-3] The main difference between WPA and WPA2 is of Advanced Encryption Standard (AES) using the CCMP algorithm for the complex encryption of data, while WPA uses temporal key integrity Algorithm (TKIP) for encryption. The AES offers sufficient security to meet the requirements of the Federal information processing standard (FIPS). The only one drawback of using AES which require new or additional equipments for the current deployed MANETs and must require specific chip for controlling encryption and decryption. For a long time the security is considered to be a major task in order to provide the privacy to each WLANs. The WPA2 supports two types like WPA, enterprise and home also known as personal version. The personal version works on a Pre shared key for authentication and the enterprise mode works with the help of 802.1x and RADIUS server. WPA2 devices are backward compatible with the devices that supports WPA[3], previous WPA devices can be upgrade to WPA2 only if the support AES. It is clear from the current studies that WPA2[] personal version is unable to protect the full security and faces many threats from miss configuration, rogues, ad hoc connections, MAC spoofing and DOS attacks. Hence WPA2 is finalize version of IEEE 802.11i and considered to be a complex and secure way for the wireless networks from security point of view especially for the enterprise network .

November Issue

Page 75 of 84

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

3. Proposed Work 3.1 Architecture for Access Control Over Heterogeneous Multi-hop Network:

Mobile Network

Adhoc Network

G-1

G-2

Wireless Network

Figure -1: Heterogeneous Network architecture G-1: First Gateway G-2: Second Gateway Figure - 1 is a heterogeneous network architecture. The network has different functionalities and nature.

November Issue

Page 76 of 84

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

Heterog eneous Network

Integrity

Authenticat ion
Central Repository

Aut_Code

MN

Interfac e

Certificate Services

Cryptograp hic lib.

Security audits

JCE

JSSE

JAAS

RADIUS SERVER

Figure -2: Mobile Node Access Control Architecture over Heterogeneous Network JCE: Java Cryptographic Extensions JSSE: Java Secure Socket Extensions JAAS: Java Authentication and Authorization Services RADIUS server uses the AAA (Authentication, Authorization, and Accounting) concept to manage network resources and their access. The Mobile Node sends a request to a Remote Access Node (RAN) to gain access to a heterogeneous Network resources using certificate. The certificate verifies by the RADIUS SERVER. Processing with Interfaces: The Processing Interfaces entity is used to provide different interfaces for the handling of various data types provided by sensors. This entity provides the generic feature for the platform to be able to respond to every possible input. Through the nodes are in the radio range we provide MIN and PIN to the network translation of the data into secure code. Integrity. The failure of integrity validating is possibly due to network transfer error or information altered improperly. In initial phase RADIUS server checks the integrity of MIN and AUC_CODE. It has two different Cases if it performs above servicesCase 1: If device is new with the network it has to register itself with the network, RADIUS server stores host information in the form of secure code. Case 2: If device is already registered with the network it verifies itself access the network resources. Authentication: Authentication is used to identify whether the mobile agent comes from the legal host. If Authentication process completes successfully then authenticated devices goes for the next level services. Access control. The mobile station has to take permissions computational capabilities with the network resources, each of which specifies the authorized access to a particular resource using AUC_CODE and generated Certificate.
November Issue Page 77 of 84 ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

RADIUS SERVER Components: JAAS(Java Authentication And Authorization Services): A Java security framework for user-centric security to augment the Java Codebasedsecurity. Especially this module is used for authenticating a device for being part of the network. JSSE(Java Secure Socket Extentions): The Java Secure Socket Extension (JSSE) is a set of packages that enable secure communications. It implements a Java technology version of Secure Sockets Layer (SSL) and Transport Layer Security(TLS) protocols. It includes functionality for data encryption, server authentication, message integrity, and optional client authentication. JCE(Java Cryptographic Extensions): The Java Cryptography Extension (JCE) is an officially released Standard Extension to the Java Platform. JCE provides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. JCE supplements the Java platform, which already includes interfaces and implementations of message digests and digital signatures. Security Audits: An information security audit is an audit on the level of information security in the RADIUS server. Auditing information security covers topics from auditing the physical security of data centers to the auditing logical security of databases and highlights key components to look for and different methods for auditing these areas. Cryptographic Library: Cryptographic Service Provider (CSP) is a software library that implements the Microsoft CryptoAPI (CAPI). CSPs implement encoding and decoding functions, which devices application programs may use, for example, to implement strong user authentication CSPs are independent modules that can be used by different applications. A user program calls CryptoAPI functions and these are redirected to CSPs functions. Since CSPs are responsible for implementing cryptographic algorithms and standards, applications do not need to be concerned about security details. Certificate Services: A cryptographic certificate is a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind a public key with an identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. Central Repository: Central repository is a database where certificate is putted with the reference to a particular AUC_CODE. When a request comes to access a network resource first it matches the same certificate at device which wants to access the network. Different cases For secure registration: CASE 1: If device is new to the network: New devices register itself with the network by using their MIN and PIN. The network is managed by its local RADIUS Server. CASE 2: If device is already registered: It is a RADIUS Server that maintains a list of registered mobile nodes in a list. It is used to forward mobile node information to the appropriate network when the mobile nodes are away from local network. CASE 3: If device is registered and going to switch off: If a MN is going to be switch off it sends a message to its local RADIUS Server that it is going to inactive mode. If MN is registered with the network, RADIUS Server generates a certificate that is stored in certificate library of RADIUS Server as well as MN both. Authority to Access network resources: After successful completion of authentication process MN has an authority to use network resource. If the certificate of MN matches with the Server certificate it would be allowed for accessing network resources. Cryptographic Algorithms: In proposed architecture, RC5 encryption algorithm is used for generating cipher data. If MN is authorized to access the network it communicate with the access point securely.

November Issue

Page 78 of 84

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

RADIUS Packet Structure:

Certificate
AUC_CODE

Identifier Length
Authenticator 16 Byte long

Attributes 1 Byte

Figure -3: General Structure of RADIUS Server Packet

Mobile Node

CRC Gen. Algorithm

Certificate

Payload + CRC

||

RC5

Figure -4: Encryption Model at Sender RC5: RC5 encryption algorithm is symmetric block cipher designed by professor Ronal Rivest of MIT . It is a parameterized algorithm, with a variable block size, a variable number of rounds with a variable size of secret key. RC5 is suitable for both hardware and software. Encryption and decryption algorithm is also very simple. Encryption uses three process: addition, XOR and rotation.

November Issue

Page 79 of 84

OTHER NETWORK ACCESSING INTERFACE

Payload
Encrypted data

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

MAC Header
Additional Authentication DATA Encrypted data

Encrypted data at sender

CCMP Encrption

MIC Encrypted data

Output Data

Identifier

Nounce

||

Certificate

CCMP header

Figure-5: Cross layer Model on heterogeneous network using WPA2 Strong encryption and authentication support for infrastructure and ad-hoc networks Reduced overhead in key derivation during the wireless LAN authentication exchange. Support for opportunistic key caching to reduce the overhead in roaming between access points. Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange before roaming. Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the TKIP protocol. Additional Authentication: Additional Authentication provided with including Message Authentication Code header with he Encrypted data. Nounce: Nounce is created by combining two fields, MPDU(per packet encrypted data) and CCMP(counter mode cipher block chaining message authentication code). CCMP Header: CCMP(counter mode cipher block chaining message authentication code) header used to provide additional security for unauthorized access. CCMP Encryption: it uses thee different fields for providing more secure encrypted data, internally uses RC5 encryption algorithm. Identifier: Identifier is a number used for identifying a packet.

November Issue

Page 80 of 84

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

Receivers prospects:

MIC ENCRYPTED DATA

Additional Authentication DATA

Encrypted data

MIC KEY

CCMP Decryption Process

Output Data

Identifier

Nounce

||
Replay Check
Payload

Certificate

Certificate Figure -6: Decryption At Receivers End 3. 2 Mechanism for Access Control Over Heterogeneous Multi-hop Network: Phase-1: Access Control In Heterogeneous Network Step 1: Registering the new devices with the network class Authenticate{ public static void main(String ar[]){ protected int PIN,AUC_CODE; protected String MIN; public void authenticateMobileAgent(String x, String y){ MIN=x; PIN=y; } public void generateAuthenticationCode(){ AUC_CODE=concate(x,y); Return(AUC_CODE); } } } class Test{ public static void main(String ar[]){ Authenticate A; A=new Authenticate(); A.authenticateMobileAgent(AUC_CODE) } } import Authenticate; class Registration extends Authenticate{ public void register(Authenticate AUC_CODE){ System.out.println(The device has been Authenticated.); } }

November Issue

Page 81 of 84

ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

Step 2: IF Registered devices are going to switch off class Message{ public static void main(String ar[]){ System.out.println(Send Message to the RADIUS Server for being INACTIVE); } } Step 3: IF Device is in Roaming import Authenticate; class Roaming{ public static void main(String ar[]){ /* Request to nearest RADIUS SERVER public void register(Authenticate AUC_CODE){ public void RSAuthentication(AUC_CODE){ System.out.println(RADIUS SERVER Authentication Processed.); return(AUC_CODE); } /* Response to the RADIUS SERVER that the device has been Authenticated. System.out.println(Device has been Authenticated.); } } } Phase-II: Certificate Generation by using AUC_CODE Step - 1. MN requests for registration to the nearest RADIUS server, in request it sends AUC_CODE. Step - 2. RADIUS server receives the request, checks the integrity, generates a unique certificate corresponding to AUC_CODE . Step - 3. Certificate is stored at both end MN and central repository for verification process. Step - 4. To access a network resource certificate verification process has to perform every time which authenticate devices. Phase III: Verification Process and corresponding Actions taken by RADIUS Server Step - 1. A request from a MN for which the RADIUS server does not have a shared secret (certificate) silently discarded. If the MN is valid, the RADIUS server verifies certificate with central repository, and allow to access the network. Step - 2: If authentication or authorization is not met, the RADIUS server sends a RADIUS Access-Reject packet in response, indicating that this user request is invalid. Step - 3: If all conditions are met, the list of configuration values for the user are placed into a RADIUS Access-Accept packet that is sent back to the MN. Pseudo Code of Phase II and Phase III: /* import radius server services api /* class Certificate_Generation(AUC_CODE) // Certificate Generation { String ac=AUC_CODE; /* Basic services checks integrity, confidentiality, and access rights. */ Check_basic_Services( ac ){ return ac; } Radius_Services(ac){ return certificate; } } class Store_Certificate // Certificate Store Process { CertificateStore cs= CertificateStore.getInstance(certificate);
November Issue Page 82 of 84 ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

for( int i=0; i<=certificate.length(); i++){ cs.setCertificateEntry(certificate); } } Certificate Validation Process: class Certificate_Validation{ Certifciate_Validation(){ CertificateFactory cf= CertificateFactory.getInstance(certificate); if( cf= = CertificateStore.getInstance(certificate)){ System.out.println(Authorized to Access the Resources.);} } } Phase-IV: Communication between MN and Network: Step - 1: Certificate used as Authenticator for the network resource. Step - 2: Local / Remote RADIUS SERVER used for verification of Network devices.. Step - 3: After verification MN and Network communicate with each other.. PHASE-V: Secure Communication Step - 1: Secure communication performs by verifying certificate at both end MN and network interface. Step - 2: Certificate and Payload is used for Encryption (algorithm used RC5) Step - 3: Decryption process of step 2 applies at receiver end.

4.

CONCLUSION:

In this paper, a mechanism is provided to authenticate a device with the RADIUS server, code segment is provided for registering new devices when they come contact with the network first time. Two special cases When devices are using network and goes into inactive mode and When a device is in roaming scenarios considered. The environment is heterogeneous kind of nature either GSM, CDMA, Adhoc Network, Mobile Adhoc Network or VANET. Paper explains the Operational Model of RADIUS Server, AUC_CODE and RADIUS packet format for secure access and communication.

5.

FUTURE SCOPE:

The proposed architecture and mechanism is efficient, reliable and secure for multi-hop heterogeneous environment, but it might have problems with different architectural platform of communicating equipments. This architecture performance also depends on the scalability of number of nodes at any instance on the network. The portability feature vary due to different chip set instructions issued by different venders therefore degrades the performance. If nodes mobility is very high then it also degrades the performance of software due to complexity. 6. REFERENCES:

[1] Arash Habibi Lashkari, F. Towhidi, R.S. Hoseini, Wired Equivalent Privacy (WEP) [2] Arash Habibi Lashkari, MIR MOHAMMAD DANESH, A Survey on Wireless Security Protocols( WEP, WPA, and WPA2.1/802.11i) [3] Arash Habibi Lashkari, Masood Mansoori, Amir Seyed Danesh, Wired Equivalent Privacy (WEP) versus Wi-Fi Protected Access [4] Avesh K. Agarwal, Janise Y. Nair, An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks [5] Bin-Xie, Anup Kumar, S.Sriniwasan, Dharma Prakash Agarwal, GMSP: A Generalized Muti-Hop Security Protocol for Heterogeneous Muti-hop Wireless Network [6] Yongguang Zhang, Member, IEEE, A Multilayer IP Security Protocol For TCP Performance Enhancement in Wireless Networks [7] Hannu Sikkila, Mikael Soini, Petri Oksa, Lauri Sydanheimo, and Markku kivikoski, KILAVI Wireless Communication Protocol for the building Environment- Security Issues
November Issue Page 83 of 84 ISSN 2249 8923

International Transactions on Electrical, Electronics and Communication Engineering, Vol. 1, No.5, 2011

[8] Fernando C. Colon Osario, Kerry McKay and Emmanuel Agu, Comparison Of Security Protocols in Mobile Wireless Environments: Tradeoffs between level of security obtained and battery life [9] Byung-Gil Lee, Member, IEEE, Hyun-Gon Kim, Sung-Won Sohn and Kil-Houm Park, Concatenated Wireless Roaming Security Association and Authentication Protocol using ID-Based Cryptography [10] Avesh K. Agarwal, Jorinjit S. Gill, Wenye Wang, An Experimental Study on Wireless Security Protocol over Mobile IP Networks [11] Lusheng Wang, David Binet, Mobility-based Network Selection Scheme in a Heterogeneous Wireless Networks [12] MANET REFERENCE CONFIGURATIONS AND EVALUATION OF SERVICE LOCATION PROTOCOL FOR MANET by Mohamed M. Abou El Saoud. [13] MANETconf: Configuration of Hosts in a Mobile Ad Hoc Network Sanket Nesargi, Ravi Prakash [14] W. Qu and S. Srinivas. IPSEC-Based Secure Wireless Virtual Private Networks. In Processing of IEEE MILCOM, pages 1170-1112, October 2002. [15] IETF PPP EAP TLS Authentication Protocol. RFC 2716, October 1999. [16] IEEE 802 standards, http://standards.ieee.org/getieee802 [17] IPSEC, http://www.freewan.org [18] Mobile IPv4, http://dynamics.sourceforge.net [19] RADIUS, http://www.freeradius.org [20] 802.1x supplicant, http://www.opne1x.org [21] OpenSSL, http://www.openssl.org [22] IEEE Std 802.1x-2001x: Port-Based Network Access. http://www.ieee802.org/1/pages/802.1x.html, June 2001. [23] M. D. Corner and B. D. Noble. Zero-Interaction Authentication. In Proceedings of IEEE/ACM MOBICOM, pages 1-11, September 2002. [24] IETF PPP EAP TLS Authentication Protocol. RFC 2716, October 1999. [25] T. Karygiannis and L. Owens. Wireless Network Security 802.11, Bluetooth and Handheld devices . National Institute Of Technology, Special Publication, pages 800-848, November 2002. [26] R. L. Rivest, (1997, March). The RC5 Encryption Algorithm. MIT laboratory For Devices Science. [online]. http://theory.1cs.mit.edu/~rivest/Rivest-rc5rev.pdf [27] R. L. Rivest, The RC5 Encryption Algorithm in Proceeding of the 2nd Workshop on Fast Software Encryption , pp. 86-96, 1995 [28] http://www.cc.gatech.edu/~traynor/f08/slides/lecture13-wep2.pdf

November Issue

Page 84 of 84

ISSN 2249 8923