An Anonymous Authentication and Communication Protocol for Wireless Mesh Networks
Wireless mesh networks (WMNs) have emerged as a key technology for next generation wireless broadband networks showing rapid progress and inspiring numerous compelling applications. A WMN comprises of a set of mesh routers (MRs) and mesh clients (MCs…
Authors: Jaydip Sen
Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd., Bengal Intelligent Park, Salt Lake Electronics Complex, Kolkata – 700091, India
Jaydip.Sen@tcs.com

Abstract. Wireless mesh networks (WMNs) have emerged as a key technology for next generation wireless broadband networks showing rapid progress and inspiring numerous compelling applications. A WMN comprises a set of mesh routers (MRs) and mesh clients (MCs), where MRs are connected to the Internet backbone through the Internet gateways (IGWs). The MCs are wireless devices and communicate among themselves over possibly multi-hop paths with or without the involvement of MRs. User privacy and security have been primary concerns in WMNs due to their peer-to-peer network topology, shared wireless medium, stringent resource constraints, and highly dynamic environment. Moreover, to support real-time applications, WMNs must also be equipped with robust, reliable and efficient communication protocols so as to minimize the end-to-end latency and packet drops. Design of a secure and efficient communication protocol for WMNs, therefore, is of paramount importance. In this paper, we propose a security and privacy protocol that provides security and user anonymity while maintaining communication efficiency in a WMN. The security protocol ensures secure authentication and encryption in the access and the backbone networks. User anonymity, authentication and data privacy are achieved by application of a protocol that is based on Rivest's ring signature scheme. Simulation results demonstrate that while the protocols have minimal storage and communication overhead, they are robust and provide a high level of security and privacy to the users of the network services.
Keywords: Wireless mesh network (WMN), user anonymity, security, authentication, key management, Rivest ring signature scheme, privacy.

1 Introduction

Wireless mesh networking has emerged as a promising concept to meet the challenges in next-generation wireless networks such as providing flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers. WMNs are multi-hop wireless networks formed by mesh routers (which form a wireless mesh backbone) and mesh clients. The mesh routers provide a rich radio mesh connectivity which significantly reduces the up-front deployment cost of the network. Mesh routers are typically stationary and do not have power constraints. However, the clients are mobile and energy-constrained. Some mesh routers are designated as gateway routers which are connected to the Internet through a wired backbone. A gateway router provides access to conventional clients and interconnects ad hoc, sensor, cellular, and other networks to the Internet. A mesh network can provide multi-hop communication paths between wireless clients, thereby serving as a community network, or can provide multi-hop paths between the client and the gateway router, thereby providing broadband Internet access to the clients.

As WMNs become an increasingly popular replacement technology for last-mile connectivity to home networking, community and neighborhood networking, it is imperative to design efficient resource management protocols for these networks. However, several vulnerabilities currently exist in various protocols for WMNs. These vulnerabilities can be exploited by attackers to degrade the performance of a network. The absence of a central point of administration makes the WMN protocols vulnerable to various types of attacks. Security is therefore an issue of prime importance in WMNs [1].
Since in a WMN the traffic of an end user is relayed via multiple wireless mesh routers, preserving privacy of the user data is also a critical requirement [2]. The majority of the current security and privacy protocols for WMNs are extensions of protocols originally designed for mobile ad hoc networks (MANETs) and therefore their performance is suboptimal.

Keeping this problem in mind, this paper presents a novel security protocol for node authentication and message confidentiality for WMNs. In addition, it also presents a user anonymization scheme that ensures secure authentication of the mesh clients (i.e., the user devices) while protecting their privacy. The key contributions of the paper are as follows: (i) It proposes a novel security protocol for the mesh client nodes and the mesh routers. (ii) For protecting user privacy while providing a secure authentication framework for the mesh clients (user devices), it presents a novel anonymization scheme that utilizes the essential idea of Rivest group signature scheme [3].

The rest of this paper is organized as follows. Section 2 describes related work on routing in WMNs. Section 3 presents the details of the architecture of a WMN and the assumptions made for the development of the proposed protocols. Section 4 and Section 5 describe the proposed security and the privacy protocols respectively. Section 6 presents some performance results of the proposed scheme, and Section 7 highlights some future scope of work and concludes the paper.

2 Related Work

Since security and privacy are two extremely important issues in any communication network, researchers have worked on these two areas extensively. However, as compared to MANETs and wireless sensor networks (WSNs), WMNs have received very little attention in this regard. This section briefly discusses some of the existing mechanisms for ensuring security and privacy in communications in WMNs.
In [4], a standard mechanism has been proposed for client authentication and access control to guarantee a high level of flexibility and transparency to all users in a wireless network. The users can access the mesh network without requiring any change in their devices and software. However, client mobility can pose severe problems to the security architecture, especially when real-time traffic is transmitted. To cope with this problem, proactive key distribution has been proposed [5, 6].

Providing security in the backbone network for WMNs is another important challenge. Mesh networks typically employ resource constrained mobile clients, which are difficult to protect against removal, tampering, or replication. If the device can be remotely managed, a distant hacking into the device would work perfectly [7]. Accordingly, several research works have investigated the use of cryptographic techniques to achieve secure communication in WMNs. In [8], a security architecture has been proposed that is suitable for multi-hop WMNs employing PANA (Protocol for carrying Authentication for Network Access) [9]. In the scheme, the wireless clients are authenticated on production of the cryptographic credentials necessary to create an encrypted tunnel with the remote access router to which they are associated. Even though such a framework protects the confidentiality of the information exchanged, it cannot prevent adversaries from performing active attacks against the network itself. For instance, a malicious adversary can replicate, modify and forge the topology information exchanged among mesh devices, in order to launch a denial of service attack. Moreover, PANA necessitates the existence of IP addresses in all the mesh nodes, which poses a serious constraint on deployment of this protocol.
Authenticating transmitted data packets is an approach for preventing unauthorized nodes from accessing the resources of a WMN. A light-weight hop-by-hop access protocol (LHAP) has been proposed for authenticating mobile clients in wireless dynamic environments, preventing resource consumption attacks [10]. LHAP implements light-weight hop-by-hop authentication, where intermediate nodes authenticate all the packets they receive before forwarding them. LHAP employs a packet authentication technique based on the use of one-way hash chains. Moreover, LHAP uses the TESLA [11] protocol to reduce the number of public key operations for bootstrapping and maintaining trust between nodes.

In [12], a lightweight authentication, authorization and accounting (AAA) infrastructure is proposed for providing continuous, on-demand, end-to-end security in heterogeneous networks including WMNs. The notion of a security manager is used through employing an AAA broker. The broker acts as a settlement agent, providing security and a central point of contact for many service providers.

The issue of user privacy in WMNs has also attracted the attention of the research community. In [2], a light-weight privacy preserving solution is presented to achieve a well-maintained balance between network performance and traffic privacy preservation. At the center of the solution is an information-theoretic metric called traffic entropy, which quantifies the amount of information required to describe the traffic pattern and to characterize the performance of traffic privacy preservation. The authors have also presented a penalty-based shortest path routing algorithm that maximally preserves traffic privacy by minimizing the mutual information of traffic entropy observed at each individual relaying node, meanwhile controlling performance degradation within the acceptable region.
Extensive simulation study proves the soundness of the solution and its resilience to cases when two malicious observers collude. However, one of the major problems of the solution is that the algorithm is evaluated in a single-radio, single-channel WMN. Performance of the algorithm in a multiple-radio, multiple-channel scenario will be a really questionable issue. Moreover, the solution has a scalability problem.

In [13], a mechanism is proposed with the objective of hiding an active node that connects to a gateway router, where the active mesh node has to be anonymous. A novel communication protocol is designed to protect the node's privacy using both cryptography and redundancy. This protocol uses the concept of onion routing [14]. A mobile user who requires anonymous communication sends a request to an onion router (OR). The OR acts as a proxy to the mobile user and constructs an onion route consisting of other ORs using the public keys of the routers. The onion is constructed such that the innermost part is the message for the intended destination, and the message is wrapped by being encrypted using the public keys of the ORs in the route. The mechanism protects the routing information from insider and outsider attack. However, it has a high computation and communication overhead.

None of the above propositions, however, addresses all the security problems of a typical WMN. Most of the schemes handle security issues at a specific layer, and therefore fail to defend against a multi-layer attack on the protocol stack of a WMN. This paper proposes a security and privacy framework that addresses issues both at the access and the backbone networks while not affecting the network performance.

3 WMN Security Architecture

In this section, we first present a standard architecture of a typical WMN for which we propose a security and privacy protocol.
The architecture is a very generic one that represents the majority of the real-world deployment scenarios for WMNs. The architecture of a hierarchical WMN consists of three layers as shown in Fig. 1. At the top layer are the Internet gateways (IGWs) that are connected to the wired Internet. They form the backbone infrastructure for providing Internet connectivity to the elements in the second level. The entities at the second level are called wireless mesh routers (MRs) that eliminate the need for wired infrastructure at every MR and forward their traffic in a multi-hop fashion towards the IGW. At the lowest level are the mesh clients (MCs) which are the wireless devices of the users. Internet connectivity and peer-to-peer communications inside the mesh are two important applications for a WMN. Therefore, design of an efficient and low-overhead communication protocol which ensures security and privacy of the users is a critical requirement which poses significant research challenges.

For design of the proposed protocol and to specify the WMN scenario, the following assumptions are made.

(1) Each MR which is authorized to join the wireless backbone (through the IGWs) has two certificates to prove its identity. One certificate is used during the authentication phase that occurs when a new node joins the network. EAP-TLS [15] for 802.1X authentication is used for this purpose since it is the strongest authentication method provided by EAP [15], whereas the second certificate is used for the authentication with the authentication server (AS).
(2) The certificates used for authentication with the RADIUS server and the AS are signed by the same certificate authority (CA). Only recognized MRs are authorized to join the backbone.
(3) Synchronization of all MRs is achieved by use of the network time protocol (NTP) [16].

Fig. 1. The three-tier architecture of a wireless mesh network (WMN)

The proposed security protocol serves the dual purpose of providing security in the access network (i.e., between the MCs and the MRs) and the backbone network (i.e., between the MRs and the IGWs). These are described in the following sub-sections.

3.1 Access Network Security

The access mechanism to the WMN is assumed to be the same as that of a local area network (LAN), where mobile devices authenticate themselves and connect to an access point (AP). This allows the users to access the services of the WMN exploiting the authentication and authorization mechanisms without installing any additional software. It is evident that such a security solution provides protection to the wireless links between the MCs and the MRs. A separate security infrastructure is needed for the links in the backbone networks. This is discussed in Section 3.2.

Fig. 2. Secure information exchange among the MCs A and B through the MRs 1 and 2

Fig. 2 illustrates a scenario where users A and B are communicating in a secure way to MRs 1 and 2 respectively. If the wireless links are not protected, an intruder M will be able to eavesdrop on and possibly manipulate the information being exchanged over the network. This situation is prevented in the proposed security scheme, which encrypts all the traffic transmitted on the wireless link using a stream cipher in the data link layer of the protocol stack.

3.2 Backbone Network Security

For providing security for the traffic in the backbone network, a two-step approach is adopted. When a new MR joins the network, it first presents itself as an MC and completes the association formalities. It subsequently upgrades its association by successfully authenticating to the AS.
In order to make such an authentication process efficient in a high mobility scenario, the key management and distribution processes have been designed so as to minimize the effect of the authentication overhead on the network performance. An overview of the protocol follows.

Fig. 3. Steps performed by a new MR (N) using backbone encrypted traffic to join the WMN

Fig. 3 shows the three phases of the authentication process that an MR (say N) undergoes. When N wants to join the network, it scans all the radio channels to detect any MR that is already connected to the wireless backbone. Once such an MR (say A) is detected, N requests A for access to network services including authentication and key distribution. After connecting to A, N can perform the tasks prescribed in the IEEE 802.11i protocol to complete a mutual authentication with the network and establish a security association with the entity to which it is physically connected. This completes Phase I of the authentication process. Essentially, during this phase, a new MR performs all the steps that an MC has to perform to establish a secure channel with an MR for authentication and secure communication over the WMN.

During Phase II of the authentication process, the MRs use the TLS protocol. Only authorized MRs that have the requisite credentials can authenticate to the AS and obtain the cryptographic credentials needed to derive the key sequence used to protect the wireless backbone. In the proposed protocol, an end-to-end secure channel between the AS and the MR is established at the end of a successful authentication, through which the cryptographic credentials can be exchanged in a secure way.

To eliminate any possibility of the same key being used over a long time, two protocols are proposed for secure key management. These protocols are presented in Section 4.
As mentioned earlier in this section, all the MRs are assumed to be synchronized with a central server using the NTP protocol.

Fig. 4. Autonomous configuration of the MRs in the proposed security scheme

Fig. 4 shows a collection of four MRs connected with each other by five wireless links. The MR A is connected with the AS by a wired link. At the time of network bootstrapping, only node A can connect to the network as an MR, since it is the only node that can successfully authenticate to the AS. Nodes B and C, which are neighbors of A, then detect a wireless network to which they can connect and perform the authentication process following the IEEE 802.11i protocol. At this point of time, nodes B and C are successfully authenticated as MCs. After their authentication as MCs, nodes B and C are allowed to authenticate to the AS and request the information used by A to produce the currently used cryptographic key for communication in the network. After having derived such a key, both B and C will be able to communicate with each other, as well as with node A, using the ad hoc mode of communication in the WMN. At this stage, B and C both have full MR functionalities. They will be able to turn on their access interface for providing node D a connection to the AS for joining the network.

4 The Key Distribution Protocol

In this section, the details of the proposed key distribution and management protocol are presented. The protocol is essentially a server-initiated protocol [17] and provides the clients (MRs and MCs) flexibility and autonomy during the key generation.

4.1 Server Initiated Key Management Protocol

The proposed key management protocol delivers the keys to all the MRs from the AS in a reactive manner. The keys are used subsequently by the MRs for a specific time interval in their message communications to ensure integrity and confidentiality of the messages.
After the expiry of the time interval for validity of the keys, the existing keys are revoked and new keys are generated by the AS. Fig. 5 depicts the message exchanges between the MRs and the AS during the execution of the protocol. A newly joined MR, after its successful mutual authentication with a central server, sends its first request for the key list (and its time of generation) currently being used by other existing MRs in the wireless backbone. Let us denote the key list timestamp as $TS_{KL}$. Let us define a session as the maximum time interval for validity of the key list currently being used by each node (MR and MC). We also define the duration of a session as the product of the cardinality of the key list (i.e., the number of the keys in the key list) and the longest time interval of validity of a key (the parameter timeout in Fig. 5). The validity of a key list is computed from the time instance when the list is generated (i.e., $TS_{KL}$) by the AS. An MR, based on the time instance at which it joins the backbone ($t_{now}$ in Fig. 5), can find out the key (from the current list) being used by its peers ($key_{idx}$) and the interval of validity of the key ($T_i$) using (1) and (2) as follows:

$$key_{idx} = \frac{t_{now} - TS_{KL}}{timeout} + 1 \qquad (1)$$

$$T_i = key_{idx} \cdot timeout - (t_{now} - TS_{KL}) \qquad (2)$$

In the proposed protocol, each WMN node requests the AS for the key list that will be used in the next session before the expiry of the current session. This feature is essential for nodes which are located multiple hops away from the AS, since responses from the AS take a longer time to reach these nodes. The responses may also get delayed due to fading or congestion in the wireless links. If the nodes send their requests for the key list to the AS just before expiry of the current session, then due to the limited time in hand, only the nodes which have good quality links with the AS will receive the key list.
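The key schedule of equations (1) and (2), together with the early-request trigger that this section goes on to define through the correction factor in (3), worked through as an added example (not code from the paper). The class and function names and the sample key names are hypothetical; taking the integer part in (1) and rounding (3) up to whole keys are assumptions made so that the index is an integer.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyList:
    ts_kl: int      # TS_KL: time at which the AS generated the list (seconds)
    timeout: int    # validity period of a single key (seconds)
    keys: tuple     # ordered keys delivered by the AS (constructed sample values)

    @property
    def session_length(self):
        # Session duration = cardinality of the key list * timeout.
        return len(self.keys) * self.timeout

    def current(self, t_now):
        """Return (key_idx, key, T_i) per (1) and (2), or None outside the session."""
        elapsed = t_now - self.ts_kl
        if elapsed < 0 or elapsed >= self.session_length:
            return None                          # list not yet valid, or session expired
        key_idx = elapsed // self.timeout + 1    # (1), integer part (assumption)
        t_i = key_idx * self.timeout - elapsed   # (2): remaining validity of that key
        return key_idx, self.keys[key_idx - 1], t_i


def correction_factor(t_s, t_r, timeout):
    """Equation (3): extra keys of lead time, rounded up (rounding is an assumption)."""
    t_last = t_r - t_s                           # time the previous response took
    if t_last < timeout:
        return 0
    return math.ceil((t_last - timeout) / timeout)


def must_request_next_list(key_list, t_now, c):
    """True once key_idx reaches (cardinality - c), the trigger described in the text."""
    cur = key_list.current(t_now)
    if cur is None:
        return True                              # no usable key: node is already cut off
    return cur[0] >= len(key_list.keys) - c


def demo():
    kl = KeyList(ts_kl=1000, timeout=60, keys=("k1", "k2", "k3", "k4", "k5"))
    # Two MRs that join at different instants of the same key period select the
    # same key without exchanging any message; only T_i differs.
    joined = [kl.current(t) for t in (1125, 1170)]
    # A node whose previous key-list response took 150 s must ask two keys early.
    c = correction_factor(t_s=1010, t_r=1160, timeout=60)
    return joined, c, must_request_next_list(kl, 1130, c)


if __name__ == "__main__":
    print(demo())
```

Because every node derives the index from its NTP-synchronized clock, clock skew larger than the remaining validity $T_i$ makes neighbors disagree on the key, which is why the scheme depends on assumption (3) of Section 3.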
Nodes that fail to receive a response from the server will therefore not be able to communicate in the next session due to non-availability of the current key list. This will lead to an undesirable situation of network partitioning.

Fig. 5. The message exchanges between an MR and the AS in the key management protocol.

The key index value that triggers the request from the nodes to the server can be set equal to the difference between the cardinality of the list and a correction factor. The correction factor can be estimated based on parameters like the network load, the distance of the node from the AS and the time required for the previous response. In the proposed protocol, the correction factor is estimated based on the time to receive the response from the AS using (3), where $t_s$ is the time instance when the first key request was sent, $t_r$ is the time instance when the key response was received from the AS, and timeout is the validity period of the key. Therefore, if a node fails to receive a response (i.e., the key list) from the AS during timeout, and takes a time $t_{last}$, it must send the next request to the AS before setting the last key.

$$c = \begin{cases} \dfrac{t_{last} - timeout}{timeout} & \text{if } t_{last} \geq timeout \\ 0 & \text{if } t_{last} < timeout \end{cases} \qquad t_{last} = t_r - t_s \qquad (3)$$

The first request for the key list sent by the new node to the AS is forwarded by the peer to which it is connected as an MC through the wireless access network. However, the subsequent requests are sent directly over the wireless backbone.

5 The Privacy and Anonymity Protocol

As mentioned in Section 1, to ensure privacy of the users, the proposed security protocol is complemented with a privacy protocol so as to ensure user anonymity and privacy. The same authentication server (AS) used in the security protocol is used for managing the key distribution for preserving the privacy.
To enable user authentication and anonymity, a novel protocol has been designed extending the ring signature authentication scheme in [18]. It is assumed that a symmetric encryption algorithm $E$ exists such that for any key $k$, the function $E_k$ is a permutation over $b$-bit strings. We also assume the existence of a family of keyed combining functions $C_{k,v}(y_1, y_2, \ldots, y_n)$, and a publicly defined collision-resistant hash function $H(\cdot)$ that maps arbitrary inputs to strings of constant length which are used as keys for $C_{k,v}(y_1, y_2, \ldots, y_n)$ [3]. Every keyed combining function $C_{k,v}(y_1, y_2, \ldots, y_n)$ takes as input the key $k$, an initialization $b$-bit value $v$, and arbitrary values $y_1, y_2, \ldots, y_n$. A user $U_i$ who wants to generate a session key with the authentication server uses a ring of $n$ logged-on users and performs the following steps.

Step 1: $U_i$ chooses the following parameters: (i) a large prime $p_i$ such that it is hard to compute discrete logarithms in $GF(p_i)$, (ii) another large prime $q_i$ such that $q_i \mid p_i - 1$, and (iii) a generator $g_i$ in $GF(p_i)$ with order $q_i$.

Step 2: $U_i$ chooses $x_{A_i} \in Z_{q_i}$ as his private key, and computes the public key $y_{A_i} = g_i^{x_{A_i}} \bmod p_i$.

Step 3: $U_i$ defines a trap-door function $f_i(\alpha, \beta) = \alpha \cdot y_{A_i}^{\alpha \bmod q_i} \cdot g_i^{\beta} \bmod p_i$. Its inverse function $f_i^{-1}(y)$ is defined as $f_i^{-1}(y) = (\alpha, \beta)$, where $\alpha$ and $\beta$ are computed as follows ($K$ is a random integer in $Z_{q_i}$):

$$\alpha = y_{A_i} \cdot g_i^{-K \cdot (g_i^{K} \bmod p_i) \bmod q_i} \bmod p_i \qquad (4)$$

$$\alpha^{*} = \alpha \bmod q_i \qquad (5)$$

$$\beta = K \cdot (g_i^{K} \bmod p_i) - x_{A_i} \cdot \alpha^{*} \bmod q_i \qquad (6)$$

$U_i$ makes $p_i$, $q_i$, $g_i$ and $y_{A_i}$ public, and keeps $x_{A_i}$ as secret.
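The trap-door function of Step 3 and the ring equation $C_{k,v}(y_1, \ldots, y_n) = v$ that the signer solves and the verifier checks in the rounds described next, as an added example (not code from the paper or from [18]). Assumptions: all ring members share one toy group instead of per-user $(p_i, q_i, g_i)$; $E_k$ is stood in by a 4-round Feistel permutation built on SHA-256; $C_{k,v}$ is the chained form of [3]; the key is $k = H(\text{message})$ rather than the paper's $H(X, Q, V, y_B, I)$; `f_inv` evaluates (4) to (6) on the value $y$ being inverted. All function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2^61 - 1 is prime, q = 1321 is a prime dividing p - 1.
P, Q = 2**61 - 1, 1321
HALF = 31                         # E_k permutes b-bit strings, b = 62, so 2^b > p
MASK = (1 << HALF) - 1


def find_generator():
    for h in range(2, 100):       # first h whose cofactor power is not 1 has order q
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g
    raise ValueError("no generator found")


G = find_generator()


def keygen():
    x = secrets.randbelow(Q - 1) + 1             # Step 2: private x in Z_q
    return x, pow(G, x, P)                       # public y = g^x mod p


def f(y_pub, alpha, beta):
    """Step 3: f(alpha, beta) = alpha * y_pub^(alpha mod q) * g^beta mod p."""
    return alpha * pow(y_pub, alpha % Q, P) * pow(G, beta, P) % P


def f_inv(x_priv, y):
    """(4)-(6) applied to target y: returns (alpha, beta) with f(alpha, beta) = y."""
    k = secrets.randbelow(Q - 1) + 1
    e = k * pow(G, k, P) % Q                     # K * (g^K mod p) mod q
    alpha = y * pow(G, (Q - e) % Q, P) % P       # (4): multiply by g^(-e)
    beta = (e - x_priv * (alpha % Q)) % Q        # (5) and (6)
    return alpha, beta


def round_fn(key, r, half):
    d = hashlib.sha256(key + bytes([r]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") & MASK


def E(key, block):                               # keyed permutation (Feistel stand-in)
    left, right = block >> HALF, block & MASK
    for r in range(4):
        left, right = right, left ^ round_fn(key, r, right)
    return (left << HALF) | right


def D(key, block):                               # inverse permutation of E
    left, right = block >> HALF, block & MASK
    for r in reversed(range(4)):
        left, right = right ^ round_fn(key, r, left), left
    return (left << HALF) | right


def combine(key, v, ys):
    """C_{k,v}(y_1..y_n) = E_k(y_n ^ E_k(... E_k(y_1 ^ v))), chained form of [3]."""
    z = v
    for y in ys:
        z = E(key, y ^ z)
    return z


def ring_sign(message, ring, s, x_priv):
    """Sign as ring member s; the output does not record s."""
    key = hashlib.sha256(message).digest()
    while True:
        v = secrets.randbits(2 * HALF)
        sig = [(secrets.randbelow(P - 1) + 1, secrets.randbelow(Q)) for _ in ring]
        ys = [f(y_pub, a, b) for y_pub, (a, b) in zip(ring, sig)]
        z_before = combine(key, v, ys[:s])       # forward from v up to the gap
        z = v
        for t in range(len(ring) - 1, s, -1):    # backward from v down to the gap
            z = D(key, z) ^ ys[t]
        y_s = D(key, z) ^ z_before               # the value that closes the ring
        if 0 < y_s < P:                          # must lie in the range of f; else retry
            sig[s] = f_inv(x_priv, y_s)
            return v, sig


def ring_verify(message, ring, signature):
    v, sig = signature
    if len(sig) != len(ring):
        return False
    if any(not (0 < a < P and 0 <= b < Q) for a, b in sig):
        return False
    key = hashlib.sha256(message).digest()
    ys = [f(y_pub, a, b) for y_pub, (a, b) in zip(ring, sig)]
    return combine(key, v, ys) == v              # ring equation closes on v
```

`ring_verify` takes no signer index: any member's signature passes the same check, which is the anonymity property, while altering the message or any $(\alpha_t, \beta_t)$ pair breaks the ring equation.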
The authentication server (AS) chooses: (i) a large prime $p$ such that it is hard to compute discrete logarithms in $GF(p)$, (ii) another large prime $q$ such that $q \mid p - 1$, (iii) a generator $g$ in $GF(p)$ with order $q$, (iv) a random integer $x_B$ from $Z_q$ as its private key. AS computes its public key $y_B = g^{x_B} \bmod p$ and publishes $(y_B, p, q, g)$.

Anonymous authenticated key exchange: The key exchange is initiated by the user $U_i$ and involves three rounds to compute a secret session key between $U_i$ and AS. The operations in these three rounds are as follows:

Round 1: When $U_i$ wants to generate a session key on behalf of the $n$ ring users $U_1, U_2, \ldots, U_n$, where $1 \leq i \leq n$, $U_i$ does the following:
(i) $U_i$ chooses two random integers $x_1, x_a \in Z_q^{*}$ and computes the following: $R = g^{x_1} \bmod p$, $Q = y_B^{x_1} \bmod p \bmod q$, $X = g^{x_a} \bmod p$ and $l = H(X, Q, V, y_B, I)$.
(ii) $U_i$ chooses a pair of values $(\alpha_t, \beta_t)$ for every other ring member $U_t$ $(1 \leq t \leq n, t \neq k)$ in a pseudorandom way, and computes $y_t = f_t(\alpha_t, \beta_t) \bmod p_t$.
(iii) $U_i$ randomly chooses a $b$-bit initialization value $v$, and finds the value of $y_i$ from the equation $C_{k,v}(y_1, y_2, \ldots, y_n) = v$.
(iv) $U_i$ computes $(\alpha_i, \beta_i) = f_i^{-1}(y_i)$ by using the trap-door information of $f_i$. First, it chooses a random integer $K \in Z_{q_i}$, computes $\alpha_i$ using (6), and keeps $K$ secret. It then computes $\alpha_i^{*}$ using (5) and finally computes $\beta_i$ using (6).
(v) $(U_1, U_2, \ldots, U_n, v, V, R, (\alpha_1, \beta_1), (\alpha_2, \beta_2), \ldots, (\alpha_n, \beta_n))$ is the ring signature $\sigma$ on $X$. Finally, $U_i$ sends $\sigma$ and $I$ to the server AS.

Round 2: AS does the following to recover and verify $X$ from the signature $\sigma$.
(i) AS computes $Q = R^{x_B} \bmod p \bmod q$, recovers $X$ using $X = V \cdot g^{Q} \bmod p$ and hashes $X$, $Q$, $V$ and $y_B$ to recover $l$, where $l = H(X, Q, V, y_B, I)$.
(ii) AS computes $y_t = f_t(\alpha_t, \beta_t) \bmod p_t$, for $t = 1, 2, \ldots, n$.
(iii) AS checks whether $C_{k,v}(y_1, y_2, \ldots, y_n) = v$. If it is true, AS accepts $X$ as valid; otherwise, AS rejects $X$. If $X$ is valid, AS chooses a random integer $x_b$ from $Z_q^{*}$, and computes the following: $Y = g^{x_b} \bmod p$, $K_s = X^{x_b} \bmod p$ and $h = H(K_s, X, Y, I')$. AS sends $\{h, Y, I'\}$ to $U_i$.

Round 3: $U_i$ verifies whether $K'_s$ is from the server AS. For this purpose, $U_i$ computes $K'_s = Y^{x_a} \bmod p$, hashes $K$, $X$, $Y$ to get $h'$ using $h' = H(K'_s, X, Y, I')$. If $h' = h$, $U_i$ accepts $K_s$ as the session key.

Security analysis: The key exchange scheme satisfies the following requirements.

User anonymity: For a given signature $X$, the server can only be convinced that the ring signature is actually produced by at least one of the possible users. If the actual user does not reveal the seed $K$, the server cannot determine the identity of the user. The strength of the anonymity depends on the security of the pseudorandom number generator. It is not possible to determine the identity of the actual user in a ring of size $n$ with a probability greater than $1/n$. Since the values of $k$ and $v$ are fixed in a ring signature, there are $(2^{b})^{n-1}$ tuples $(x_1, x_2, \ldots, x_n)$ that satisfy the equation $C_{k,v}(y_1, y_2, \ldots, y_n) = v$, and the probability of generation of each $(x_1, x_2, \ldots, x_n)$ is the same. Therefore, the signature cannot leak the identity information of the user.

Mutual authentication: In the proposed scheme, not only does the server verify the users, but the users can also verify the server. Because of the hardness of inverting the hash function $f(\cdot)$, it is computationally infeasible for the attacker to determine $(\alpha_i, \beta_i)$, and hence it is infeasible for him to forge a signature. If the attacker wants to masquerade as the AS, he needs to compute $h = H(K_s, X, Y)$. He requires $x_B$ in order to compute $X$.
However, $x_B$ is the private key of AS to which the attacker has no access.

Forward secrecy: The forward secrecy of a scheme refers to its ability to defend against leaking of the keys of previous sessions when an attacker is able to catch hold of the key of a particular session. The forward secrecy of a scheme enables it to prevent replay attacks. In the proposed scheme, since $x_a$ and $x_b$ are both selected randomly, the session key of each period has no relation to the other periods. Therefore, if the session key generated in the period $j$ is leaked, the attacker cannot get any information about the session keys generated before the period $j$. The proposed protocol is, therefore, resistant to replay attack.

6 Performance Evaluation

The proposed security and privacy protocols have been implemented in the Qualnet network simulator, version 4.5 [19]. The simulated network consists of 50 nodes randomly distributed in the simulation area forming a dense WMN. The WMN topology is shown in Fig. 6, in which 5 are MRs and the remaining 45 are MCs. Each MR has 9 MCs associated with it. To evaluate the performance of the security protocol, first the network is set as a full-mesh topology, where each MR (and also MC) is directly connected to two of its neighbors. In such a scenario, the throughput of a TCP connection established over a wireless link is measured with the security protocol activated in the nodes. The obtained results are then compared with the throughput obtained on the same wireless link protected by a static key to encrypt the traffic. After 10 simulation runs, the average throughput of a wireless link between a pair of MRs was found to be equal to 30.6 MBPS when the link is protected by a static key. However, the average throughput for the same link was 28.4 MBPS when the link was protected by the proposed security protocol.
The results confirm that the protocol does not cause any significant overhead on the performance of the wireless link, since the throughput in a link on average decreased by only 7%.

Fig. 6. The simulated network topology in Qualnet Simulator

The impact of the security protocol for key generation and revocation on packet drop rate in real-time applications is also studied in the simulation. For this purpose, a VoIP application is invoked between two MRs which generated UDP traffic in the wireless link. The packet drop rates in the wireless link were measured when the link is protected with the proposed security protocol and when the link is protected with a static key. The transmission rate was set to 1 MBPS. The average packet drop rate in 10 simulation runs was found to be only 4%. The results clearly demonstrate that the proposed security scheme has no adverse impact on packet drop rate even if several key switching (regeneration and revocation) operations are carried out.

The performance of the privacy protocol is also analyzed in terms of its storage and communication overhead. Both storage and communication overhead were found to increase linearly with the number of nodes in the network. In fact, it has been analytically shown that the overhead due to cryptographic operations on each message is 60n + 60 bytes, where n represents the number of public key pairs used to generate the ring signature [20]. It is clear that the privacy protocol has a low overhead.

7 Conclusion and Future Work

WMNs have become an important focus area of research in recent years owing to their great promise in realizing numerous next-generation wireless services. Driven by the demand for rich and high-speed content access, recent research has focused on developing high performance communication protocols, while security and privacy issues have received relatively little attention.
However, given the wireless and multi-hop nature of communication, WMNs are subject to a wide range of security and privacy threats. This paper has presented a security and user-privacy preserving protocol for WMNs. The proposed security protocol ensures security in both the access and the backbone networks, whereas the privacy protocol enables anonymous authentication of the users. Simulation results have shown the effectiveness of the protocol. Future research issues include the study of a distributed and collaborative system where the authentication service is provided by a dynamically selected set of MRs. The integration with the current centralized scheme would increase the robustness of the proposed protocol, maintaining a low overhead since MRs would use the distributed service only when the central server is not available.

References

1. Sen, J.: Secure Routing in Wireless Mesh Networks. Wireless Mesh Networks, Nobuo Funabiki (ed.), InTech. Available from: http://www.intechopen.com/articles/show/title/secure-routing-in-wireless-mesh-networks (2011)
2. Wu, T., Xue, Y., Cui, Y.: Preserving Traffic Privacy in Wireless Mesh Networks. In: Proc. of WoWMoM (2006)
3. Rivest, R., Shamir, A., Tauman, Y.: How to Leak a Secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552-565. Springer, Heidelberg (2001)
4. Mishra, A., Arbaugh, W.A.: An Initial Security Analysis of the IEEE 802.1X Standard. UM Computer Science Department Technical Report CS-TR-4328 (2002)
5. Kassab, M., Belghith, A., Bonnin, J.-M., Sassi, S.: Fast Pre-Authentication Based on Proactive Key Distribution for 802.11 Infrastructure Networks. In: Proc. of WMuNeP, pp. 46-53 (2005)
6. Prasad, A., Wang, H.: Roaming Key Based Fast Handover in WLANs. In: Proc. of IEEE WCNC, vol. 3, pp. 1570-1576 (2005)
7. Ben Salem, N., Hubaux, J.-P.: Securing Wireless Mesh Networks. IEEE Wireless Communication, 13(2), 50-55 (2006)
8. Cheikhrouhou, O., Maknavicius, M., Chaouchi, H.: Security Architecture in a Multi-Hop Mesh Network. In: Proc. of SAR (2006)
9. Parthasarathy, M.: Protocol for Carrying Authentication and Network Access (PANA) Threat Analysis and Security Requirements. RFC 4016 (2005)
10. Zhu, S., Xu, S., Setia, S., Jajodia, S.: LHAP: A Lightweight Network Access Control Protocol for Ad Hoc Networks. Ad Hoc Networks, 4(5), 567-585 (2006)
11. Perrig, A., Canetti, R., Song, D., Tygar, J.: Efficient and Secure Source Authentication for Multicast. In: Proc. of NDSS, pp. 35-46 (2001)
12. Prasad, N., Alam, M., Ruggieri, M.: Light-Weight AAA Infrastructure for Mobility Support across Heterogeneous Networks. Wireless Personal Communications, vol. 29 (2004)
13. Wu, X., Li, N.: Achieving Privacy in Mesh Networks. In: Proc. of SASN, pp. 13-22 (2006)
14. Reed, M., Syverson, P., Goldschlag, D.: Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications, vol. 16, pp. 482-494 (1998)
15. Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., Levkowetz, H.: Extensible Authentication Protocol (EAP). RFC 3748 (2005)
16. Mills, D.L.: Network Time Protocol. RFC 1305 (1992)
17. Martignon, F., Paris, S., Capone, A.: MobiSEC: A Novel Security Architecture for Wireless Mesh Networks. In: Proc. of Q2SWinet, pp. 35-42 (2008)
18. Cao, T., Lin, D., Xue, R.: Improved Ring Authenticated Encryption Scheme. In: Proc. of JICC, pp. 341-346 (2004)
19. Network Simulator QUALNET. URL: http://www.scalable-networks.com
20. Xiong, H., Beznosov, K., Qin, Z., Ripeanu, M.: Efficient and Spontaneous Privacy-Preserving Protocol for Secure Vehicular Communication. In: Proc. of ICC, pp. 1-6 (2010)