**1. Introduction**

176 Wireless Mesh Networks – Efficient Link Scheduling, Channel Assignment and Network Planning Strategies

*the University of Illinois at Urban-Champaign*, pp. 1-7, ANI-0125859.

*the University of Illinois at Urban-Champaign*, March 2, 2005.

*Network & Mobile Summit 2012*, Berlin, Germany, 4-6 July 2012.

Cologne, Germany: ISBN: 1-59593-020-5.

at *http://www.meshdynamics.com*.

www.csir.co.za : Reference no: HE04-PO-F.

InTech, ISBN: 978-953-307-519-8, Croatia.

Chapter 7, University of California Berkley.

58113-486-X

Kodialam, M., and Nandagopal. T. (2005). Characterizing the capacity region in multi-radio multi-channel wireless mesh networks. *MobiCom'05,* August 28-September 2, 2005,

Kyasanur, P. & Vaidya, N. H. (2004). Routing and interface assignment in multi-channel multi-interface wireless networks, *Technical Report of Department of computer science at* 

Kyasanur, P. & Vaidya, N. H. (2005). Capacity of multi-channel wireless networks: impact of number of channels and interfaces, *Technical Report of Department of computer science at* 

Li, J.; Blake, C.; De Couto, D. S. J.; Lee, H. I. & Morris, R. (2001). Capacity of Ad hoc Wireless Networks, *Proceedings of MobiCom Conference,* July 2001, Rome, Italy, pp. 61-69, ISBN: 1-

Mesh Dynamics Inc., (2010). Wireless mesh networks that scale like switch stacks, Available

Makitla, I. ; Makan, A. & Roux, K. (2010). Broadband provision to underprivileged rural communities. *In Proceedings of CSIR 3rd Biennial Conference 2010*. Also available at

Mekuria, F.; Masonta, M. T., and Olwal, T.O. (2012). Future networks to enable wireless broadband technologies and services for the next billion users, *In Proceeding Future* 

Miu, A., Balakrishnan, H., and Koksal, C. E. (2007). Multi-radio diversity in wireless

Olwal, T. O. (2010). *Decentralised dynamic power control for wireless backbone mesh networks*, PhD Thesis, University of Paris-EST and Tshwane University of Technology. Olwal, T. O et al. (2011). Optimal control of transmission power management in wireless backbone mesh networks, In: *Wireless Mesh Networks*, Funabiki, N (Eds). PP. 3-28,

Tse, D., and Viswanath, P. (2005). *Fundamentals of wireless communication*, Chapter 5 and

networks, *Wireless Networks*, pp.13:779-798. DOI:10.1007/s11276-006-9854-2.

We discuss our proof of security properties of a standards-track protocol suite for authentication and key establishment using a formal verification technique. Our technique is Protocol Composition Logic (PCL) [15] (see Section 2.1). Our setting is the IEEE 802.11 Mesh Networking task group, known as 802.11s, which was formed to define extensions to IEEE 802.11 [1] to support wireless mesh networking [25]. A goal of the task group is to secure a mesh by utilizing existing IEEE 802.11 security mechanisms and extensions.

The Mesh Security Architecture (MSA) proposal [4–7] to 802.11s consists of a definition of a key hierarchy and a suite of protocols to enable security in a wireless mesh network. The proposal includes detailed information to implement MSA within the framework defined by 802.11s, including key derivation, protocol execution, and message formatting. The suite of protocols encompasses all the necessary components to create and maintain a mesh of nodes.

We describe the following three major contributions in this chapter:

• We conduct a comprehensive assessment of all 10 protocols (averaging 4 messages and 8 components) of the MSA proposal from a security standpoint and proven its correctness. We present an overview of the protocol suite and the main insights from the proof. The full details are generally unenlightening; a companion technical report [28] complements this chapter.

As this is one of few instances of the proof of correctness of a substantial, standards-track protocol suite of which we are aware, we feel that this is an important contribution.

• PCL has been used to prove the correctness of the IEEE 802.11i protocol suite [26]. However, 802.11s presents new challenges that have necessitated extensions to PCL for us to be able to carry out our correctness proof. We present these extensions and details from the MSA proposal that illustrate their necessity (see Section 3). We believe that the extensions are general enough to be useful in other work in protocol verification.

©2012 Kuhlman et al., licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0),which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. © 2012 The Author(s). Licensee InTech. This chapter is distributed under the terms of the Creative Commons Attribution License http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

• In the course of carrying out our proof, we discovered two security issues with protocols in the proposal. We discuss these issues and our suggestions for changes to address them. Our suggestions have since been incorporated into the proposal. As we point out in Section 5, our proof would not have been possible without these changes.

**MKHSH**, **TLS:CLNT**, **4WAY**, . . . denote protocols. We use the convention of protocol:role to note both the protocol and the associated role that a principal plays in an instance of the protocol; for example, in **TLS:CLNT**, **CLNT** denotes that it is the

A Correctness Proof of a Mesh Security Architecture 179

*pmkX*,*Z*, *gtkX*, . . . denote cryptographic keys. We use subscripts to indicate the

*θ*, Φ, Γ, . . . are used to denote logic formulae that express pre- or post-conditions, or

Has(), KOHonest(), SafeMsg(), . . . are logic predicates that are used in assertions (pre-

Many of the predicates follow a *Pred*(*actor*, *action*)format. Thus, Has(*X*, *m*) means that thread *X* has information *m*. Similar predicate formats follow for Send, Receive, New, and Computes. Other predicates can be more complicated. Honest(*X*ˆ) means that the principal (*X*ˆ ) running the thread is honest. KOHonest(*s*, K) essentially means that all principals with access to any key *k* ∈ K or to the value *s* are honest. Contains(*m*, *t*) is equivalent to *t* ⊆ *m* and means that

The proof methodology of PCL is described by Durgin et al. [21, 22] and Datta et al. [12–18, 26, 32]. We use the standard syntax of *θ*[*P*]*X*Φ. This means that with preconditions *θ* before the run of actions *P* by thread *X*, the result (postcondition) Φ is proven to hold. *θ* is always

The proof system is built on three fundamental building blocks. The first is a series of first-order logical axioms [15]. A first-order logical axiom is a natural logical assumption (e.g., creation of a value implies possession of that value). The second is a series of cryptographic/security axioms [15, 22, 26]. Cryptographic axioms provide formal logic equivalents of standard cryptography (e.g., possession of a key and a value provides possession of the encryption of the value with that key). These assume idealized cryptographic functionality which most cryptographic primitives do not achieve in practice.

The third building block is the fundamental principle of *honesty*. Honesty imposes certain restrictions on roles – that they follow protocol descriptions correctly and do not send out particular information assigned to that role. Honesty is a special type of rule that allows an instance of a thread to reason about the actions of another, corresponding thread that participates in the same protocol. The actions of an attacker are not assumed to be honest. We do, however, assume that the attacker does not violate an assumption, condition or invariant (e.g., the possession of a private key) that is necessary for a protocol to run to completion. This notion of an attacker model is the same as that considered in previous work that uses

All but one of the axioms on which we depend have been proposed previously [12, 15, 16, 26]; space constraints preclude the presentation of a comprehensive list of all PCL axioms in

used to denote a precondition, Φ a postcondition, and Γ an invariant.

For example, the hash of two different values is assumed to never be the same.

approaches based on mathematical logic to verify protocols (c.f. [26]).

client's portion of the **TLS** protocol.

and post-conditions, and invariants).

information *t* is a subterm of *m*.

*2.1.3. Proof methodology*

*invariants*.

principal(s) with whom a key is associated.

The remainder of this chapter is organized as follows. In Section 2, we provide a background on PCL, 802.11s and the MSA proposal. In Section 3 we present our additions to PCL; for each addition we illustrate its need via components from the protocol suite we have analyzed. We provide an overview of the proof in Section 4. In Section 5, we discuss our recommendations for changes to the original design of the protocol suite in the MSA proposal based on our proof efforts. We conclude with future work and general conclusions in Section 6.
