Institutional Archive of the Naval Postgraduate School

Calhoun: The NPS Institutional Archive DSpace Repository


2007-06

Multistage security mechanism for hybrid, large scale wireless sensor networks

Katsis, Grigorios

Monterey, California. Naval Postgraduate School

http://hdl.handle.net/10945/3424


NAVAL POSTGRADUATE SCHOOL

MONTEREY, CALIFORNIA

THESIS

MULTISTAGE SECURITY MECHANISM FOR HYBRID, LARGE-SCALE WIRELESS SENSOR NETWORKS

by Grigorios Katsis

June 2007

Thesis Advisor: Murali Tummala

Thesis Co-Advisor: Gamani Karunasiri

Second Readers: J. Bret Michael, Owens Walker

Approved for public release; distribution is unlimited


REPORT DOCUMENTATION PAGE


1. AGENCY USE ONLY (Leave blank)

2. REPORT DATE: June 2007

3. REPORT TYPE AND DATES COVERED: Master’s Thesis

4. TITLE AND SUBTITLE: Multistage Security Mechanism For Hybrid, Large-Scale Wireless Sensor Networks

5. FUNDING NUMBERS

6. AUTHOR(S): Grigorios Katsis

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Department of Electrical and Computer Engineering, Naval Postgraduate School, Monterey, CA 93943-5000

8. PERFORMING ORGANIZATION REPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): Missile Defense Agency

10. SPONSORING/MONITORING AGENCY REPORT NUMBER

11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.

12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited

12b. DISTRIBUTION CODE

13. ABSTRACT (maximum 200 words)

A wide area network consisting of ballistic missile defense satellites and terrestrial nodes can be viewed as a hybrid, large-scale mobile wireless sensor network. Building on research in the areas of the wireless sensor networks (WSN) and the mobile ad hoc networks (MANET), this thesis proposes an efficient multistage security mechanism for node and data authentication and data confidentiality. Node authentication is provided by digital signatures and the public key infrastructure (PKI). The TESLA algorithm and IPSec are utilized for data authentication and confidentiality, respectively. Performance analysis and simulation results demonstrate that the proposed mechanism meets the real-time data dissemination requirements of a ballistic missile defense system while maintaining throughput commensurate with unencrypted Internet Protocol (IP).

14. SUBJECT TERMS: Wireless Sensor Network, Ballistic Missile Defense, Authentication, Security Mechanism, Digital Signatures, TESLA Algorithm

15. NUMBER OF PAGES: 80

16. PRICE CODE

17. SECURITY CLASSIFICATION OF REPORT: Unclassified

18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified

19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified

20. LIMITATION OF ABSTRACT: UL

NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. 239-18


MULTISTAGE SECURITY MECHANISM FOR HYBRID, LARGE SCALE WIRELESS SENSOR NETWORKS

Grigorios Katsis Lieutenant, Hellenic Navy

B.S., Hellenic Naval Academy, 1997

Submitted in partial fulfillment of the requirements for the degree of

MASTER OF SCIENCE IN APPLIED PHYSICS

and

MASTER OF SCIENCE IN ELECTRICAL ENGINEERING

from the

NAVAL POSTGRADUATE SCHOOL

June 2007

Author: Grigorios Katsis

Approved by:

Murali Tummala, Thesis Advisor

Gamani Karunasiri, Thesis Co-Advisor

J. Bret Michael, Second Reader

CDR Owens Walker, Second Reader

James H. Luscombe, Chairman, Department of Physics

Jeffrey B. Knorr, Chairman, Department of Electrical and Computer Engineering


TABLE OF CONTENTS

I. INTRODUCTION
    A. THESIS OBJECTIVE
    B. RELATED WORK
    C. THESIS ORGANIZATION

II. HYBRID, LARGE-SCALE, WIRELESS SENSOR NETWORK FOR MISSILE DEFENSE
    A. THE NETWORK
        1. Network Architecture and Topology
        2. Network Design Requirements and Constraints
            a. Real-Time Data Dissemination Requirements
            b. Satellite Link Characteristics
    B. THE SENSORS
        1. IR Sensors
            a. IR Photo Detection
            b. Quantum Well Infrared Photo Detectors (QWIP)
        2. RF Sensors
    C. THE SECURITY
        1. Symmetric Ciphers
            a. Block Ciphers and Modes of Operation
            b. Stream Ciphers
        2. Public Key Cryptography and RSA
            a. Principles of Public Key Cryptosystems
            b. The RSA Algorithm
        3. Message Authentication and Hash Functions
            a. Conventional Encryption
            b. Hash Functions
            c. Message Authentication Codes and HMAC
        4. Digital Signatures
        5. IPSec
            a. IPSec Architecture
            b. Authentication Header (AH)
            c. Encapsulating Security Payload (ESP)
            d. Modes of Operation
            e. Security Associations (SA)
            f. Key Management
    D. SUMMARY

III. PROPOSED MULTISTAGE AUTHENTICATION AND CONFIDENTIALITY SCHEME
    A. DATA CONFIDENTIALITY
    B. NODE AUTHENTICATION
        1. Centralized Authentication
        2. Distributed Authentication
    C. DATA AUTHENTICATION
    D. SUMMARY

IV. PERFORMANCE ANALYSIS AND SIMULATION
    A. NODE AND DATA AUTHENTICATION
        1. Node Authentication Delay
        2. Data Authentication
        3. Simulation Results
    B. DATA CONFIDENTIALITY
        1. OPNET Implementation
        2. Simulation Results
    C. SUMMARY

V. CONCLUSIONS
    A. CONTRIBUTIONS OF THIS THESIS
    B. RECOMMENDATIONS FOR FUTURE WORK

LIST OF REFERENCES

INITIAL DISTRIBUTION LIST


ACKNOWLEDGMENTS

I would like first to express my sincere appreciation to Professor Murali Tummala, my thesis advisor, for his patience and guidance through the completion of this thesis. His advice kept me focused and on course, and taught me how to perform research and writing at the postgraduate level.

I would also like to thank my co-advisor and second readers, Associate Professor Gamani Karunasiri, who provided guidance and materials for the sensors section; Professor J. Bret Michael, who provided guidance and advice for subjects related to Missile Defense; and CDR Owens Walker, who helped me to focus my research and writing.

Lastly, and most importantly, I wish to thank Danai, the inspiration of my life. This thesis is dedicated to you.


EXECUTIVE SUMMARY

The Missile Defense Agency (MDA) is responsible for developing a ballistic missile defense system (BMDS) capable of protecting the U.S. homeland and its allies against inter-continental ballistic missiles (ICBM) launched from anywhere in the world. To accomplish this objective, the BMDS mission requirements include surveillance, target detection, target tracking and discrimination, and kill assessment. These functions are performed by satellites at various orbits, mobile and fixed terrestrial platforms carrying IR and RF sensors, and ballistic missile interceptors for all stages of flight of the ICBM.

All these sensors and platforms must be efficiently networked together, and target information should be transmitted back to a command and control center for decision making and weapon assignment purposes. This implies the need for real-time data exchange despite challenges presented by the hybrid, large-scale network.

There are a number of security-related issues that should be addressed and solved prior to an early implementation of the system. These include node and data authentication as well as data confidentiality. Revealing any portion of the sensitive transmitted information to an untrusted party could degrade the accuracy and the reliability of the BMDS because target data could be deliberately altered or false data information could be inserted into the network.

This thesis proposes a multistage security mechanism that provides node and data authentication as well as data confidentiality to protect the exchanged data from unauthorized viewing by applying encryption in the network layer. A two-stage node authentication is proposed based on digital signatures and public key infrastructure (PKI) because it uses certificate authorities for verification of the new node’s authentication credentials. Data authentication is accomplished through the timed efficient stream loss-tolerant authentication (TESLA) protocol, which is in the process of becoming an IEEE standard. Finally, data confidentiality is provided by the IPSec set of protocols.

The performance of the proposed security mechanism is demonstrated using a Java crypto library and an OPNET simulation. A library of cryptographic functions, written in Java, measures the delays associated with the cryptographic algorithms that the proposed mechanism utilizes. Additionally, an OPNET simulation of the network is performed to evaluate the network’s throughput and delay performance when IPSec is applied. Performance analysis and simulation demonstrate that the proposed security scheme performs well when compared with unencrypted IP. Delay and throughput evaluation emphasizes the expected trade-off between security and overhead and also verifies that the real-time data dissemination objective is met.

I. INTRODUCTION

The threat of a nuclear attack has been a challenge to the United States for over fifty years. As technology and access to it continue to evolve, weapons of mass destruction become efficient and more deadly while falling into the hands of an increasingly larger set of potential adversaries. Under the auspices of the Missile Defense Agency (MDA), a system capable of providing protection against intercontinental ballistic missiles (ICBMs) carrying multiple nuclear warheads has been under development for several years [27]. Such a system, identified as the ballistic missile defense system (BMDS), should be able to detect, track, and intercept ballistic missiles launched against the United States and its allies from any location in the world.

An ICBM is a long-range ballistic missile designed for the delivery of nuclear weapon warheads. Its effective range exceeds 5,500 km, which allows it to be launched over oceanic distances. Platforms from which an ICBM could be launched vary from protected military silos to submarines and specially constructed mobile trucks. An ICBM follows three phases of flight: boost, midcourse, and terminal. The boost phase lasts from 3 to 5 minutes, and the missile reaches a speed of 7 km/sec. During this phase, the missile is constantly accelerating. When the ICBM reaches an altitude of approximately 1,200 km, the 25-30 minute midcourse phase begins. During midcourse, the missile is capable of deploying anti-detection decoys and countermeasures. As the ICBM reaches its target at an altitude of 100 km, the terminal phase of its trajectory begins [27].

One functional requirement of the BMDS is the capability to intercept an ICBM in all phases of flight. Although midcourse offers several advantages including ample time for detection, weapon assignment and interception, the ability of the ICBM to deploy its countermeasures as well as the possibility of collateral damage or nuclear detonation over friendly territory make this phase challenging. Terminal phase tends to be viewed as a “last choice,” so much work is now focused on the boost phase. The relatively small duration of the boost phase necessitates early detection; therefore, sensors and interceptors must be deployed in the vicinity of the launching area. Furthermore, the reaction time is minimal and target data have to be transmitted back to the decision maker almost instantly. The significant advantage is that detection during this phase can be accomplished by IR sensors because the ICBM’s thermal signature is high due to the plumes produced by its acceleration.

A number of security challenges face any underlying network designed to support a boost phase solution. The target information must be transmitted from the sensors to a command and control center for threat assessment and potential weapon assignment. A complete security solution must provide confidentiality, integrity and authentication for both the data and the communicating entities.

These problems are further complicated by the wireless nature of the transmission medium. In addition to simple eavesdropping, the lack of physical boundaries allows an adversary to intercept and inject rogue data with relatively little effort. An authentication mechanism to validate the credentials revealed by the incoming network nodes as well as an intrusion detection mechanism to identify and restrict access to rogue nodes must be applied. The requirement to deploy sensors near the launching platform further increases the probability of a compromised node attempting to participate in the network.

A. THESIS OBJECTIVE

The objective of this thesis is to propose a multistage security scheme for hybrid large-scale wireless sensor networks for missile defense. The wireless nature of this large-scale network makes security challenging. The lack of physical boundaries complicates the requirements to confirm the authenticity of the communicating nodes, ensure that data from a valid source were not altered during transit and to protect the data from unauthorized viewing. The proposed multistage scheme consists of three separate security mechanisms designed to provide node authentication, data authentication, and data confidentiality. Analysis and simulation are included to demonstrate the delay and throughput performance of the proposed scheme.

B. RELATED WORK

The proposed security mechanism builds on research conducted for traditional wireless sensor networks (WSN) and mobile ad hoc networks (MANET) and applies it to a hybrid, large-scale network for missile defense. Unlike WSN and MANET applications, though, the nodes of this network are interconnected across large propagation distances and are not constrained by limited computational power, lack of memory, or energy limitations.

A number of distributed public key management schemes to achieve node authentication for mobile ad-hoc networks have been proposed. Zhou et al. [34] propose a public key infrastructure (PKI) system in which the certificate authority (CA) private key is shared among nodes that have to cooperate in order to reveal the key. MOCA, proposed in [31] and [32], is an extension to [34] in which the CA is distributed not to the entire set of the nodes but only to those that exhibit physical security and adequacy in computational resources. J. Kong et al. [11] distribute portions of the CA’s key among different nodes. Our proposed scheme for digital signatures is based on a PKI infrastructure using strong encryption keys (1024 or 2048 bits in length) of the Rivest-Shamir-Adleman (RSA) algorithm [20], which produces asymmetric keys used for encryption and decryption.

Unlike those designed for node authentication, data authentication protocols used for real-time data exchange must have small authentication delays. BiBa [16] and HORS [19] are one-time signature authentication schemes using one-way functions. Chang et al. [22] solve the problem of storing many hash function operations in these schemes. The TESLA protocol [17], [15] provides efficient broadcast authentication by using one-way key chains and time slots as asymmetric primitives and is in the process of being standardized in the IETF Multicast Security (MSEC) working group [12]. It minimizes the authentication overhead, exhibits robustness in the face of packet losses, and can support links with different propagation delays. The μTESLA protocol [18] is the “micro” version of TESLA, designed specifically for wireless sensor networks.
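The TESLA properties cited above (one-way key chain, time slots, delayed key disclosure, tolerance of packet loss) can be seen in the following added Python example, which is not code from the thesis or its Java library. SHA-256 and HMAC-SHA-256 as the one-way and MAC functions, the 1 s interval, the disclosure delay of two intervals, the 0.1 s clock-skew bound and the packet contents are assumptions constructed for illustration; the commitment K_0 is assumed to reach the receiver authenticated, for example under the sender's digital signature.

```python
import hashlib
import hmac

def F(key):
    """One-way step down the chain: K_{i-1} = F(K_i)."""
    return hashlib.sha256(b"chain" + key).digest()

def F_mac(key):
    """Separate one-way function giving the MAC key for an interval."""
    return hashlib.sha256(b"mac" + key).digest()

def make_key_chain(seed, n):
    """Return [K_0 .. K_n]; K_n derives from the seed, K_0 is the commitment."""
    chain = [hashlib.sha256(seed).digest()]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def tag(chain_key, msg):
    """HMAC over the message under the MAC key derived from a chain key."""
    return hmac.new(F_mac(chain_key), msg, hashlib.sha256).digest()

class Sender:
    def __init__(self, seed, n, delay):
        self.chain, self.delay = make_key_chain(seed, n), delay

    def packet(self, i, msg):
        """Packet for interval i: MAC under K_i, plus the key of interval i - delay."""
        j = i - self.delay
        disclosed = (j, self.chain[j]) if j >= 1 else None
        return {"i": i, "msg": msg, "mac": tag(self.chain[i], msg), "disclosed": disclosed}

class Receiver:
    def __init__(self, commitment, delay, t0, interval_len, max_skew):
        self.known_i, self.known_key = 0, commitment   # last authenticated chain key
        self.delay, self.t0, self.T, self.skew = delay, t0, interval_len, max_skew
        self.buffer, self.authenticated = [], []

    def is_safe(self, i, arrival):
        """Security condition: the sender cannot yet be in the interval that discloses K_i."""
        latest_sender_interval = int((arrival + self.skew - self.t0) // self.T) + 1
        return latest_sender_interval < i + self.delay

    def accept_key(self, j, key):
        """Hash a disclosed key back to the last authenticated one; gaps are allowed."""
        if j <= self.known_i:
            return False
        k = key
        for _ in range(j - self.known_i):
            k = F(k)
        if not hmac.compare_digest(k, self.known_key):
            return False
        self.known_i, self.known_key = j, key
        return True

    def receive(self, pkt, arrival):
        if self.is_safe(pkt["i"], arrival):
            self.buffer.append(pkt)          # MAC cannot be checked yet
        if pkt["disclosed"] and self.accept_key(*pkt["disclosed"]):
            self.flush()

    def flush(self):
        """Verify every buffered packet whose interval key can now be derived."""
        waiting = []
        for p in self.buffer:
            if p["i"] > self.known_i:
                waiting.append(p)
                continue
            k = self.known_key
            for _ in range(self.known_i - p["i"]):
                k = F(k)
            if hmac.compare_digest(tag(k, p["msg"]), p["mac"]):
                self.authenticated.append((p["i"], p["msg"]))
        self.buffer = waiting

def run_demo():
    """Constructed scenario: 1 s intervals, delay d = 2, 0.12 s propagation time."""
    sender = Sender(b"constructed demo seed", n=8, delay=2)
    rx = Receiver(sender.chain[0], delay=2, t0=0.0, interval_len=1.0, max_skew=0.1)
    pkts = {i: sender.packet(i, b"track-%d" % i) for i in range(1, 7)}
    pkts[2] = dict(pkts[2], msg=b"track-2-forged")    # altered in transit
    arrivals = [(1, 0.62), (2, 1.62), (4, 3.62), (6, 5.62), (5, 7.10)]  # 3 lost, 5 late
    for i, t in arrivals:
        rx.receive(pkts[i], t)
    return rx.authenticated, [p["i"] for p in rx.buffer]

if __name__ == "__main__":
    print(run_demo())
```

In the constructed run, packet 3 is lost, packet 2 is altered and packet 5 arrives after its key could already have been disclosed, so only packets 1 and 4 are authenticated. Packet 6 stays buffered until a later packet discloses its key.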

C. THESIS ORGANIZATION

This thesis is organized as follows. Chapter II describes the hybrid, large-scale network designed to support the ballistic missile defense system. The network real-time data dissemination requirements and link characteristics as well as the desired properties of the IR and the RF sensors are discussed. Security issues are addressed and the necessity of providing a multistage security mechanism for node and data authentication and data confidentiality 1s explained. A brief description of basic security primitives and protocols is given. Chapter III introduces the proposed multistage security mechanism, and Chapter IV examines the delay and throughput performance of the proposed algorithm through analysis and simulation. Chapter V provides conclusions of this thesis

as well as recommendations for future work.

II. HYBRID, LARGE-SCALE, WIRELESS SENSOR NETWORK FOR MISSILE DEFENSE

This chapter examines the network architecture, sensor characteristics, and security considerations. The observations in this chapter will be used to design the proposed security solution of the large-scale wireless sensor networks for missile defense.

A. THE NETWORK

The Missile Defense Agency (MDA) has provided guidelines on network structure and functionalities for the Integrated Ballistic Missile Defense system (IBMDS) [13]. Building on these requirements, we envision a network architecture that relies on reliable, efficient, real-time cooperation between the nodes to provide a layered defense against a wide range of ballistic threats. This section addresses the topology, coverage, link characteristics, and security considerations of such a network.

1. Network Architecture and Topology

A ballistic missile defense system’s mission is to detect, track, and destroy one or multiple ballistic missiles launched from any platform and location in the world. A wireless wide-area network comprised of ballistic missile defense sensor platforms providing global coverage must be designed to support this challenging mission. Mission-related functions for this type of network include early warning/detection, real-time target tracking, and secure target data transfer to a command and control center for decision making and weapon assignment.

The proposed hybrid, large-scale network consists of satellite and terrestrial nodes in a 3-tier hierarchical structure positioned to provide global coverage. At the higher tiers, Geostationary Earth Orbit (GEO) and Low Earth Orbit (LEO) satellites with search and track IR sensors are deployed, providing wider fields-of-view and redundancy in the network. Lower tier terrestrial platforms are mobile or fixed RF and IR sensors, such as land-based stations, warships, forward deployment radars (FDR), aircraft, and unmanned air vehicles (UAV).

Ballistic missiles follow a trajectory that consists of three phases: boost, midcourse, and terminal. Although the system should provide protection in all phases of flight, the focus of this work is based on missile engagement during its boost phase. In this phase, the missile countermeasures would not yet be deployed, the low altitude provides a wider selection of weapons, and the likelihood of friendly, collateral damage would be minimized. Accordingly, nodes of our network capable of detecting launches, tracking missile trajectories, and intercepting ballistic targets will be deployed and distributed as close as possible to the enemy’s boundaries. Table 1 presents the evolving IBMDS sensors and weapons inventory.

Columns: 2005, 2006, 2007

WEAPONS

(Long-Range Threat, Midcourse Defense)

Patriot Advanced Capability-3

Standard Missile-3 Sea-Based Interceptors (Short-to-Intermediate-Range Threat, Midcourse Defense)

Aegis Ballistic Missile Defense: 3 Destroyers, 7 Destroyers, 2 Cruisers, 2 Cruisers, 3 Cruisers

SENSORS (except Existing Defense Support Program Satellites)

Upgraded Existing Early Warning Radars

Aegis Ballistic Missile Defense Ships (Long Range Surveillance and Track Only)

Sea-Based X-Band Radar

AN/TPY-2

Table 1. IBMDS platforms and sensors inventory (After Ref. [13])

An example of a hybrid, large-scale wireless sensor network for missile defense has been proposed by [8] and is shown in Figure 1. Here, the network is comprised of GEOs, LEOs, and terrestrial stations. When a potential target of interest (TOI) is detected, sensor nodes form an Area of Interest (AOI) based on predefined criteria, such as range to the TOI and whether the TOI is inbound or outbound. The AOI is a clustering mechanism designed to facilitate data aggregation and data-centric routing within the network. As the target moves through the sensor field, nodes make local (distributed) decisions to join or exit the AOI, and the AOI can be considered to “virtually” move in time.

Figure 1. Hybrid, Large-Scale Wireless Sensor Network for ballistic missile defense (From Ref. [9])

2. Network Design Requirements and Constraints

In the following sections, the real-time data dissemination requirements generated by the missile defense application and the constraints of the satellite links are examined. The type of data, the manner in which the data are disseminated, and the underlying link characteristics play an important role in optimizing an appropriate security mechanism. For example, data broadcast requires a security mechanism that scales well for large numbers of recipients. Additionally, such a mechanism should be robust in the face of packet losses if applied to a link with high bit error rates (BER).

a. Real-Time Data Dissemination Requirements

Target tracking with the intent of missile engagement in the boost phase imposes stringent real-time delay requirements on the underlying communications network. By real-time, we mean that there exist defined maximum bounds on the end-to-end latency of the data transmissions. This requirement can be best illustrated by examining the flow of events that must occur during the 3-4 minute boost phase. Upon target detection, target data are broadcast to all the nodes in the network. Nodes inside the AOI pick up the tracking function and route target data through an aggregator back to the command and control center. The command and control center processes the data and assigns an order to the weapon platform to be used for the target engagement. These data continue until the missile is intercepted. Considering the large propagation times associated with the satellite network links, it is critical to avoid processing, routing or security mechanisms that substantially increase the total delay.

b. Satellite Link Characteristics

The topology proposed for the hybrid, large-scale network is comprised of both terrestrial and satellite links. Terrestrial links have been well-studied in the wireless network literature (e.g., IEEE 802.16 standard). Accordingly, this section focuses on the satellite links and their delay, throughput and BER characteristics.

Many communications satellites are located in the Geostationary Orbit (GEO) at an altitude of 35,863 km. Although three satellites are necessary to achieve global coverage, four are typically used to provide sufficient overlaps. At this altitude, the orbit period is the same as the Earth's rotation period, and the satellite remains fixed over a point on the Earth’s surface. Therefore, each ground station is always able to “see” the orbiting satellite at the same position in the sky. The propagation time for a radio signal to travel to a GEO satellite directly overhead is given by

$$t = \frac{s}{c} = \frac{35{,}863 \times 10^{3}\ \text{m}}{3 \times 10^{8}\ \text{m/s}} \approx 0.12\ \text{s} \tag{2.1}$$

where s is the satellite altitude and c the speed of light. In communication applications where satellites act as relays for terrestrial nodes, delays are characterized by round trip propagation times and increase by a factor of two. Furthermore, the satellite propagation delay will be even longer if the link includes multiple hops or if inter-satellite links are used.

The lower orbits associated with LEO satellites require the use of more satellites for constant global coverage. To achieve global coverage, a constellation of at least 16 LEO satellites is required. Typically, twenty satellites are used to provide a sufficient overlap. LEO satellites are usually located in an altitude band of 500-1500 km. The propagation delay to a LEO orbit ranges from several milliseconds when communicating with a satellite directly overhead to as much as 80 ms when the satellite is on the horizon. Table 2 summarizes the propagation delays for the different satellite links comprising the ballistic missile network.

| Characteristic | Distance (km) | Propagation time (s) |
|---|---|---|
| LEO-LEO | 2,318 | 0.008 |
| Terrestrial-GEO | 35,863 | |
| Terrestrial-LEO | 1,000 | 0.003 |

Table 2. Nominal propagation times for missile defense network links

A network that consists of both satellite and terrestrial nodes implies the need for both terrestrial-to-satellite and satellite-to-satellite links. Particular emphasis and attention should be given to the satellite-to-satellite propagation times because the missile defense network utilizes interconnected satellite nodes that do not simply act as communication relays between space and earth stations but are an internal part of a larger network.

Satellite communication channels are dominated by two fundamental characteristics: large noise levels and limited bandwidth. The strength of a radio signal falls off as the square of the distance traveled. For a satellite link, the large distance results in a low signal-to-noise ratio. Additionally, some frequencies are particularly sensitive to atmospheric effects, such as rain attenuation. Satellite channels are especially susceptible to multi-path distortion. Typical bit error rates (BER) for a satellite link today are on the order of 10° or less [1].

Satellite systems are typically bandwidth-limited, which makes it difficult to trade bandwidth to solve other design problems. In most applications, an asymmetric approach is used, and the downlink channel is provided a greater capacity than the uplink channel. This is because the downlinks are normally intended for broadcasting when the satellites are used as communication relays.

In the context of the wireless network, these satellite link characteristics tend to degrade the performance of acknowledgement-based transport protocols, such as the transmission control protocol (TCP). Due to the large propagation delay of the satellite links, it will take a long time for a TCP sender to determine whether or not a packet has been successfully received at the final destination. Furthermore, TCP has no mechanism to determine whether a packet loss is due to congestion or bit errors. It is primarily designed for links with small BERs, so it assumes packet losses are due to congestion in the network and dramatically reduces the offered load. Thus, the congestion and flow control algorithms incorporated in TCP prevent it from fully utilizing the satellite link, resulting in relatively poor performance [33].
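The combined effect of long round-trip times and bit errors on TCP can be estimated numerically. The following Python example is added here for illustration and is not part of the thesis; it uses the link distances from Table 2, and the segment size, 64 KB window, BER values and the Mathis et al. loss-throughput approximation are assumptions chosen for the example.

```python
import math

C = 3.0e8  # speed of light in m/s, as used in the text

def one_way_delay(distance_km):
    """Propagation time in seconds over a path of the given length."""
    return distance_km * 1e3 / C

def packet_error_rate(ber, packet_bytes):
    """Probability that at least one bit of a packet is corrupted,
    assuming independent bit errors."""
    return 1.0 - (1.0 - ber) ** (8 * packet_bytes)

def tcp_throughput_bps(rtt_s, ber, mss_bytes=1460, window_bytes=65535):
    """Upper bound on steady-state TCP throughput in bit/s.

    Takes the smaller of the window limit (window / RTT) and the
    Mathis et al. loss limit (MSS / RTT) * sqrt(3/2) / sqrt(p); TCP
    treats every corrupted packet as a congestion loss.
    """
    window_limit = 8 * window_bytes / rtt_s
    p = packet_error_rate(ber, mss_bytes + 40)  # plus 40 bytes IP/TCP header
    if p == 0.0:
        return window_limit
    loss_limit = 8 * mss_bytes / rtt_s * math.sqrt(1.5 / p)
    return min(window_limit, loss_limit)

# Distances from Table 2. With the satellite acting as a relay, data and
# acknowledgement each cross two hops, so the RTT is four one-way delays.
LINKS_KM = {"Terrestrial-GEO": 35863, "Terrestrial-LEO": 1000}

def compare(ber_values=(1e-9, 1e-7, 1e-5)):
    """Return (link, RTT, BER, throughput bound) for each combination."""
    rows = []
    for name, km in LINKS_KM.items():
        rtt = 4 * one_way_delay(km)
        for ber in ber_values:
            rows.append((name, rtt, ber, tcp_throughput_bps(rtt, ber)))
    return rows

if __name__ == "__main__":
    for name, rtt, ber, bps in compare():
        print(f"{name:16s} RTT={rtt * 1e3:7.1f} ms  BER={ber:.0e}  "
              f"TCP <= {bps / 1e6:8.2f} Mbit/s")
```

On the GEO relay the bound is set by the window at low BER and by the loss term as the BER rises, which is the behavior the paragraph above attributes to TCP's congestion control.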

Performance Enhancing Proxies (PEP) are one of the solutions designed to overcome the TCP performance degradation across satellite links [26]. PEPs are deployed between the two communicating entities and use techniques such as acknowledgement handling, speeding up the TCP slow start mechanism, and increasing the congestion window. A PEP relieves congestion on the low speed uplink by delaying the transmission of acknowledgments of TCP segments that arrive in bursts or reconstructing acknowledgments if they are lost. A PEP can also be used for retransmission of TCP segments when duplicate acknowledgements are received. This function requires additional buffering capabilities. Another useful function is tunneling, in which messages are forced to follow a specific path. When coupled with compression capabilities, a PEP can also be used to reduce the amount of data that are inserted into the network [26].

Research is currently being conducted to combine PEP with an end-to-end security mechanism, such as IPSec. The problem associated with this implementation is that IPSec encrypts and/or authenticates the fields that the TCP PEP needs to be able to access. These include source and destination IP addresses as well as port and sequence numbers. A number of solutions have been proposed, such as utilizing upper layer security mechanisms (SSL/TLS) instead of IPSec [2], placing the PEP before the IPSec protocol, copying hashed TCP flow control parameters into the new IP header [30], and encrypting different fields of the IP packet using different keys [5].
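The conflict between a PEP and IPSec can be seen by comparing what an on-path proxy can parse from a cleartext TCP packet and from the same packet carried in an ESP tunnel. The following Python example is added here and is not code from the thesis; the addresses, ports, SPI and keys are constructed, and the SHA-256 keystream is an assumed stand-in for a real ESP cipher.

```python
import hashlib, hmac, socket, struct

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, seq, ack, data=b""):
    """Minimal 20-byte TCP header with the ACK flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, 0x10, 65535, 0, 0) + data

def keystream_xor(key, nonce, data):
    """Stand-in cipher (SHA-256 in counter mode); NOT a real ESP transform."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def esp_tunnel(inner, gw_src, gw_dst, spi, seq, enc_key, auth_key):
    """ESP tunnel mode: the whole inner packet is encrypted, then SPI,
    sequence number and ciphertext are covered by a truncated HMAC."""
    pad = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad + 1)) + bytes([pad, 4])  # next header 4 = IPv4
    esp_hdr = struct.pack("!II", spi, seq)
    body = keystream_xor(enc_key, esp_hdr, inner + trailer)
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:16]
    return ipv4(gw_src, gw_dst, 50, esp_hdr + body + icv)

def pep_view(packet):
    """What an on-path PEP without the keys can read from a packet."""
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]), "proto": proto}
    l4 = packet[(packet[0] & 0x0F) * 4:]
    if proto == 6:     # cleartext TCP: flow identifiers and ACK state visible
        view["sport"], view["dport"], view["seq"], view["ack"] = \
            struct.unpack("!HHII", l4[:12])
    elif proto == 50:  # ESP: only the SPI and ESP sequence number are visible
        view["spi"], view["esp_seq"] = struct.unpack("!II", l4[:8])
    return view

# Constructed sample traffic (documentation addresses, made-up keys).
PLAIN = ipv4("192.0.2.10", "198.51.100.20", 6,
             tcp(40000, 443, 1000, 2000, b"track update"))
PROTECTED = esp_tunnel(PLAIN, "203.0.113.1", "203.0.113.2", 0x1001, 1,
                       b"k" * 16, b"a" * 16)

if __name__ == "__main__":
    print("cleartext :", pep_view(PLAIN))
    print("ESP tunnel:", pep_view(PROTECTED))
```

For the tunneled packet the proxy sees only the gateway addresses, the SPI and the ESP sequence number, so it has no TCP ports, sequence or acknowledgement numbers to act on.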

B. SENSORS

Boost-phase intercept requires early launch detection and rapid, accurate tracking to launch and guide the interceptor. Although infrared or radar sensors can be used separately for initial detection and tracking, combining both approaches helps reduce the false alarm rate. Additionally, passive infrared sensors require triangulation from multiple sensors to obtain an accurate track because range information is not available [29]. For this purpose, forward deployable RF sensors could be used. Figure 2 illustrates these sensor options. Although detailed sensor architecture designs are quite complicated, their basic limitations and functionalities can be understood by examining the physics of each sensor type.

[Figure 2 labels: DSP or SBIRS-High; boost phase; ground/sea-based radar; airborne radar; detection range]

Figure 2. Sensor architecture schematic. Ground/Sea-Based and airborne RF sensors in combination with Satellite-Based IR sensors (From Ref. [29])

1. IR Sensors

Passive infrared systems can detect missile plumes from a distance of thousands of kilometers and, hence, can detect ballistic missile launches globally from high-Earth or geosynchronous orbits. Space-based IR sensors are very convenient because of their capability to cover wide areas. Infrared detection and tracking ranges depend on the infrared signal emitted by the target, the diameter of the optics, and the minimal detectable signal of the focal plane array, which is a function of the noise in the sensor and signal clutter returns from other objects (e.g., clouds, rain) in the sensor’s field of view. Sensor noise is determined by the detector’s dark current, which is a sensitive function of its operating temperature. The precision with which an infrared sensor can determine the missile booster position is determined by the pixel dimensions of the focal plane array [3].

The IR spectrum can be divided into four categories: (1) Short-Wave IR (SWIR) with wavelengths of 1-3 µm, (2) Medium-Wave IR (MWIR) with wavelengths of 3-5 µm, (3) Long-Wave IR (LWIR) with wavelengths of 8-12 µm and (4) Very Long-Wave IR (VLWIR) with wavelengths greater than 12 µm. Target emission obeys the blackbody radiation theory, initially derived by Planck in the early 1900s, in which the amount and wavelength (color) of the emitted radiation of a blackbody (ideal source of thermal radiation) are directly related to the temperature. This can be expressed as [3]

$$M(\lambda, T) = \frac{2\pi h c^{2}}{\lambda^{5}\left(e^{hc/\lambda K T} - 1\right)} \quad \left[\frac{\text{Watt}}{\text{cm}^{2}\cdot\mu\text{m}}\right] \qquad (2.2)$$

where M(λ,T) is the exitance of the object, λ is the wavelength, h is Planck’s constant, c the speed of light, T the temperature and K Boltzmann’s constant. Figure 3 is a plot of the blackbody radiation for different temperatures. The main idea is that as the temperature decreases, the peak of the blackbody radiation curve moves to lower intensities and longer wavelengths.

[Figure 3 axes: frequency (× 10^14 Hz), intensity, wavelength; region label: Infrared]

Figure 3. Blackbody radiation intensity for different temperatures (From Ref. [14])
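The shift of the blackbody peak can be checked numerically from the exitance formula above. The following Python example is added here and is not part of the thesis; it evaluates the formula in the stated units, locates the peak for several temperatures and names the IR band from the list in the text. The sample temperatures and the search grid are assumptions chosen for the example.

```python
import math

H = 6.62607015e-34   # Planck's constant, J*s
C = 2.99792458e8     # speed of light, m/s
K = 1.380649e-23     # Boltzmann's constant, J/K

def exitance(wavelength_um, temp_k):
    """Spectral exitance M(lambda, T) in W / (cm^2 * um)."""
    lam = wavelength_um * 1e-6                 # wavelength in metres
    x = H * C / (lam * K * temp_k)
    if x > 700:  # exp(x) would overflow; the exitance is effectively zero
        return 0.0
    m_si = 2 * math.pi * H * C ** 2 / (lam ** 5 * math.expm1(x))  # W / m^3
    return m_si * 1e-10                        # per um and per cm^2

def peak(temp_k, lo_um=0.2, hi_um=100.0, steps=20000):
    """Wavelength (um) and value of maximum exitance on a logarithmic grid."""
    ratio = (hi_um / lo_um) ** (1.0 / steps)
    best_lam, best_m, lam = lo_um, 0.0, lo_um
    for _ in range(steps + 1):
        m = exitance(lam, temp_k)
        if m > best_m:
            best_lam, best_m = lam, m
        lam *= ratio
    return best_lam, best_m

def ir_band(wavelength_um):
    """IR band names with the wavelength limits listed in the text."""
    if 1 <= wavelength_um < 3:
        return "SWIR"
    if 3 <= wavelength_um <= 5:
        return "MWIR"
    if 8 <= wavelength_um <= 12:
        return "LWIR"
    if wavelength_um > 12:
        return "VLWIR"
    return "unlisted"

# Constructed sample temperatures in kelvin (not values from the thesis).
SAMPLE_TEMPS_K = (1500, 1000, 700, 300, 200)

def survey(temps=SAMPLE_TEMPS_K):
    """(T, peak wavelength in um, band, peak exitance) per temperature."""
    rows = []
    for t in temps:
        lam, m = peak(t)
        rows.append((t, lam, ir_band(lam), m))
    return rows

if __name__ == "__main__":
    for t, lam, band, m in survey():
        print(f"T={t:5d} K  peak={lam:6.2f} um  {band:8s}  M={m:.3e} W/(cm^2 um)")
```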

a. IR Photo Detection

For the BMDS, detection of the missile should be performed either in the endo-atmosphere or exo-atmosphere. There are two critical differences with respect to detection and tracking in these two cases. IR sensors used at lower altitudes below atmosphere level (endo-atmosphere) observe and discriminate warm targets with high background irradiance from scattered sunlight in the Earth’s surface. Exo-atmospheric IR sensors, on the other hand, engage targets that have cooler temperatures with low background irradiance levels because the space background has relatively much lower temperatures than the Earth’s surface [25].

As derived from the blackbody radiation theory, a higher temperature target has a radiation peak at smaller wavelengths while at lower temperatures, longer wavelength emissions are generated. Applying these principles to the BMDS, it becomes clear that IR sensors with multicolor capabilities should be deployed. Surveillance, target detection, and target tracking could be performed using single color sensors if the target is easy to identify. If either the target or the background is uncertain or dynamic during the engagement process, a sensor with multicolor capability will improve the probability of successful interception. Multicolor operation is essential at the point where the ICBM shifts from one phase of flight to another. The boost phase background is significantly different from that in midcourse, and, more importantly, the midcourse thermal signature is also substantially different since no plumes exist and proper discrimination from decoys and debris might be necessary [24].

Considering missile defense in both tactical and national theaters, IR sensors with multi-spectral (e.g., MWIR, LWIR, and VLWIR) as well as multicolor operation should be deployed. The sensors should exhibit high efficiency and uniformity. Along these lines, technology advancements are very promising in the field of Quantum Well Infrared Photo-detectors (QWIP), which play an important role in the IR sensing discipline [24].

b. Quantum Well Infrared Photo Detectors (QWIP)

The operation of conventional photo detectors is based on an inter-band transition of electrons across the band gap ($E_g$) between the valence and the conduction band as shown in Figure 4. Photons are used to excite the electrons resting in the valence band. Their energy ($h\nu$) must be sufficient to overcome the energy gap barrier; therefore,

$$h\nu > E_g \qquad (2.3)$$

[Figure 4 labels: conduction band; valence band]

Figure 4. Band diagram of an intrinsic photo detector (From Ref. [7])

The photo-excited electrons can be collected to measure the produced photocurrent in a connected external circuit. This energy gap determines the spectral response of the photo detectors. Photosensitive materials have a defined energy gap, which constrains the photo detection to a single, limited band (one color photo detectors). Additionally, detection of VLWIR radiation up to 20 µm requires small band gaps down to 62 meV [7]. These low band gap materials are more difficult to grow and process than large band gap semiconductors, such as GaAs. Quantum Well Infrared Photo detectors (QWIP) offer the advantage of multiple band gaps and consequently expand the photo detector capability to multicolor. They are constructed by placing a thin narrow band gap material between wider layers of a wide band gap material. The idea of using QW structures to detect infrared radiation can be understood by examining the basic principles of quantum mechanics. The quantum well is equivalent to the well-known “particle in a box” problem in quantum mechanics, which can be solved by the time-independent Schrödinger equation. The solutions to this problem are the eigenvalues that describe energy levels inside the quantum well in which the particle is allowed to exist. The energy levels are primarily determined by the quantum well dimensions (height and width) [3]. Figure 5 illustrates a QW photo detector structure.

[Figure 5 labels: conduction band; valence band; intersubband absorption; band gaps of AlxGa1-xAs and GaAs]

Figure 5. Quantum Well structure (From Ref. [7])

The position of the energy levels is determined by the thickness of the narrow band material and the band offset between the two materials. The QW structures offer the substantial advantage of having multiple wavelength detection capability (including the VLWIR band) in one sensor since different energy gaps exist. A common combination of materials used for QWIP is GaAs and AlGaAs due to their nearly identical lattice constants. A disadvantage of QW is its slightly lower operating temperature compared to detectors based on bulk semiconductors [24].

2. RF Sensors

Radars are a good means to provide accurate range measurements as well as efficient target tracking. Airborne radars, in particular, can provide early ballistic missile detection if the radar is approximately 400 km or less from the missile launch site because, at this range, an airborne radar flying at 12 km (40,000 ft) altitude has line of sight to the ground. Targets beyond this range must climb high enough to be seen over the radar horizon [29]. If they are deployed inside the high risk area, they can provide the triangulation needed for the IR sensors to generate target distance and can valuably contribute to the boost phase interception of the missile.

Parameter Ground-based X- Sea-based S- Airborne X- band band band Operating Frequency (GHz)

Pulse repetition frequency (Hz) Total average power (kW)

Antenna height (m) Antenna width (m

a a

(deg) (deg)

| Azimuth scan sector (deg) scan sector | Azimuth scan sector (deg)

Search solid angle (sr) 2 0278 ot 0415 i 0264 Beam solid angle (sr) 1.36x107 7.38107 1.41x107 Noise temperature (°K)

System and atmospheric losses 19.5 (dB)

Table 3. Typical radar parameters (After Ref. [29])

Table 3 lists some of the typical characteristics of surveillance and tracking radar sensors that MDA uses for the BMDS (see also Table 1). In addition to the AEGIS Ballistic Missile Defense system (sea-based S-band radar) and the AN/TPY-2 (Terminal High Altitude Area Defense ground-based X-band Radar), MDA’s plan for RF detection and tracking includes the new Sea-based X-band radar (SBX). SBX is a floating, self-propelled radar platform capable of operating under heavy weather conditions and exhibiting robust discrimination capabilities.

C. SECURITY

The dynamic topology and wireless nature of the hybrid networks associated with strategic missile defense scenarios drive the requirement for a fail-safe node and data authentication scheme and robust data confidentiality mechanisms. As these scenarios evolve in both time and space, new elements are often introduced into the existing network. The sensitivity and importance of the data being exchanged within the network often leaves no room for revealing all, or even part, of the information to an untrusted node. The primary requirement, therefore, becomes the effectiveness of the security mechanism in providing data encryption and node and data authentication, even at the price of longer delays. That being said, the real-time bounds still apply as there is clearly a limit on the useful lifetime of the sensed data.

Data confidentiality can be achieved through encryption using symmetric and asymmetric cryptographic algorithms. Larger key lengths increase the strength of the algorithm but lead to longer decryption and encryption delays.

Although minimizing network delays whenever possible is an important design