Secure Routing for Mobile Ad Hoc Networks (MANETs) Presented by Karthik Sadasivam Date: 9/14/2004 9/16/2018
Overview Introduction MANETs Routing Protocols for MANETs DSR AODV DSDV Exploits allowed by existing protocols 9/16/2018
Overview (contd.) Conclusion References Secure Routing Protocols ARAN SRP TESLA ARIADNE SEAD Conclusion References 9/16/2018
Introduction Prior research in ad hoc networking has generally studied the routing problem in a non-adversarial setting, assuming a trusted environment The current routing protocols have been developed only for trusted environments Ad hoc networks are vulnerable to several types of attacks due to the distributed nature of the nodes. Several new routing protocols have been devised to overcome the 9/16/2018
Mobile Ad hoc Networks (MANETs) A group of wireless mobile computers (nodes) Nodes cooperate by forwarding packets for each other Need no fixed network infrastructure Can be quickly and inexpensively setup Applications: military exercises, disaster relief, mine site operations, etc 9/16/2018
Routing Protocols for MANETs Table driven (proactive) DSDV On-demand (reactive) DSR AODV Hybrid ZRP (Zone Routing Protocol) 9/16/2018
DSDV Design goals: Keep the simplicity of Bellman-Ford Avoid the looping problem Remain compatible in cases where a base station is available Idea: modify the conventional Bellman-Ford routing algorithm Approach: Model each host as a router Tag each routing table entry with a sequence number Destination Next Hop Metric Seq. No Install Time Stable Data 9/16/2018
DSR Dynamic Source Routing An on-demand ad hoc network routing protocol composed of two phases: Route discovery Initiator transmits ROUTE REQUEST (RREQ) packet as local broadcast specifying target and a unique identifier from the initiator Each node receiving the RREQ discards the request if it has seen the request identifier from the originator Otherwise it appends its node address to a list in RREQ and rebroadcasts the RREQ When RREQ reaches target, target sends ROUTE REPLY (RREP) back to initiator of RREQ with a copy of the accumulated address list from RREQ 9/16/2018
DSR (Contd.) Route Maintenance DSR is a source routing protocol Path to be followed included in the packet header If a node on path does not get an ack after a limited number of local retransmissions it returns ROUTE ERROR (RERR) back to originator identifying the broken link Originator then removes path containing broken link from cache May use an alternate route to destination if one exists in cache Else it initiates a new route discovery 9/16/2018
Example of DSR Intermediate nodes broadcast it to their neighbors if identifier is “fresh” S broadcasts RREQs to its neighbours S- Source D- destination 9/16/2018 D unicasts a reply to S
AODV Ad Hoc On Demand Distance Vector Routing AODV builds routes using a route request / route reply query cycle In addition to the source node's IP address, current sequence number, and broadcast ID, the RREQ also contains the most recent sequence number for the destination of which the source node is aware. A node receiving the RREQ may send a route reply (RREP) if it is either the destination or if it has a route to the destination with corresponding sequence number greater than or equal to that contained in the RREQ 9/16/2018
AODV (contd.) if yes it unicasts RREP back to source else it rebroadcasts RREQ If the source later receives a RREP containing a greater sequence number or contains the same sequence number with a smaller hop count, it updates its routing information for that destination. 9/16/2018
Exploits allowed by existing protocols Attacks using modification (Data Integrity, Availability)) Redirection by modified route sequence numbers Redirection with modified hop counts DoS with modified source routes Tunneling Attacks using impersonation (Source Integrity, Authenticity) Forming loops by spoofing Attacks using fabrication (Data integrity) Falsifying route errors in AODV and DSR Route cache poisoning in DSR Wormhole Attack 9/16/2018
Redirection by modified route sequence numbers 9/16/2018
DoS with modified source routes 9/16/2018
Tunneling 9/16/2018
Forming loops by spoofing M- malicious node 9/16/2018
Falsifying Route Errors in AODV and DSR 9/16/2018
Route Cache Poisoning in DSR In addition to learning routes from headers of packets that a node processes along a path routes may be learned from promiscuously received packets A node overhearing any packet may add routing information contained in that packets header to its own route cache even if it is not on the path from source to destination This type of attack may lead to added overhead in terms of memory since falsified routes are added to the routing table 9/16/2018
Wormhole attack S M1 N2 M2 N3 N4 D Tunnel Two colluding malicious nodes attempt to tunnel packets between them Disrupts the communication by preventing routes from being discovered Solution : Packet leashes – Authentication based on timestamps and location information 9/16/2018
Secure Routing Protocols Route signaling cannot be spoofed (Source integrity) Fabricated routing messages cannot be injected into the network (Data integrity) Routing messages cannot be altered in transit except according to the normal functionality of the routing protocol (Data integrity) Routing loops cannot be formed through malicious actions (Availability) Routes cannot be redirected from shortest path through malicious actions (Availability) Unauthorized nodes should be excluded from route computation and discovery (Authenticity) 9/16/2018
ARAN Authenticated Routing for Ad hoc Networks Components Certification Authenticated route discovery Authenticated route setup Route maintenance Key revocation 9/16/2018
Certification Requires use of trusted certificate server T (Potential bottleneck?) Before entering network each node needs to request a certificate from T Node A receives certificate as: T->A :certA=[IPA ,KA+ ,t ,e] KT- 9/16/2018
Authenticated route discovery Source A begins route instantiation to destination X by broadcasting a route discovery packet (RDP): A->brdcst:[RDP, IPX, certA, NA, t] KA- Let B be the neighbor that receives the RDP which it subsequently rebroadcasts B->brdcst:[[RDP, IPX, certA, NA, t] KA-] KB-, certB Let C be the neighbor that receives Bs broadcast. C subsequently broadcasts C->brdcst:[[RDP, IPX, certA, NA, t] KA-] KC-,certC Each node along the path repeats these steps of validating previous node’s signature, removing the previous node’s certificate and signature, recording the previous node’s IP address, signing the original contents of the message, appending its own certificate and forward broadcasting the message 9/16/2018
Authenticated Route Setup After receiving RDP destination unicasts a reply REP packet back along reverse path to source. Let D be the first node that receives the REP sent by X X->D:[REP,IPa,certX,Na,t] Kx- Let D’s next hop to source be C D->C:[[REP,IPa,certX,Na,t]Kx-]Kd,certD C->B:[[REP,Ipa,certX,Na,t]Kx-]Kc-,certC When source receives REP it verifies destination’s signature and nonce returned by the destination. 9/16/2018
Route Maintenance When no traffic occurs on an existing route for sometime that route is deactivated in routing table Data received on an inactive route causes nodes to generate Error (ERR) messages that travel the reverse path towards the source Nodes also use ERR to report links in active routes that break due to node movement. All ERR messages must be signed B->C:[ERR,IPa,IPx,certB,Nb,t]Kb- Nonce and timestamp ensure ERR message is fresh. 9/16/2018
Key revocation In the event that a certificate needs to be revoked the trusted certificate server T sends a broadcast message to the ad hoc group announcing the revocation T-> brdcst : [revoke,certR] Kt- Nodes receiving this message re-broadcasts it to its neighbors Neighbors of nodes with revoked certificates need to reform routing as necessary to avoid transmission through the now untrusted node. 9/16/2018
Summary of ARAN 9/16/2018
SRP Secure Routing Protocol Assumptions Security association between S and T assumed KS,T (bidirectional) Bidirectional links Promiscuous mode operation 9/16/2018
Overview of SRP S initiates route discovery by constructing route request packet identified by query sequence number and random query identifier Source, destination and query ID used as input for MAC calculation with KS,T Identities of traversed nodes accumulated in route request packet. Intermediate nodes discard previously seen route requests Destination T constructs route reply; calculates MAC covering route reply contents and returns packet to S Multiple replies may reach S S validates replies and updates its topology view 9/16/2018
Possible attack against SRP Nodes collude during the two phases of single route discovery E.g. M1 receives request tunnels it to M2, M2 broadcasts request with path between M1 and M2 falsified e.g. {Qs,t:S,M1,Z,M2}. T constructs reply and routes over {T,M2,Z,M1,S}. M2 tunnels reply to M1 thus completing attack 9/16/2018
SRP Packet Format SRP extension of a reactive routing protocol 9/16/2018
TESLA Broadcast authentication protocol Timed Efficient Stream Loss-tolerant Authentication sender chooses a random initial key Kn and generates a one-way hash function H on this value: K n-1=H(Kn); Kn-2=H(Kn-1)... sender predetermines a schedule at which it discloses each key of its one-way key chain in the reverse order from generation i.e. K0,K1,K2,... 9/16/2018
TESLA Loose time synchronization between sender and receiver when receiver receives a packet it verifies security condition i.e key Ki used to authenticate packet cannot yet have been disclosed if yes receiver buffers packet and waits for sender to disclose Ki while using disclosed key to authenticate buffered packets (potential performance bottleneck) if no it drops packet 9/16/2018
ARIADNE An on demand secure routing protocol based on TESLA broadcast authentication protocol Further based on DSR Assumptions Nodes may vary greatly in terms of resources hence it is assumed that nodes have few resources and hence asymmetric cryptography may be unsuitable for such resource constrained nodes Network links are bi-directional Network may drop, corrupt, reorder or duplicate packets in transmission Each node must be able to estimate end-to-end transmission time to any other node in the network 9/16/2018
Notation A, B are principals such as communicating nodes KAB and KBA denote secret MAC keys shared between A and B MAC KAB(M) denotes computation of message authentication code of M with MAC key KAB 9/16/2018
Ariadne Route Discovery Route discovery has two stages: initiator floods the network with ROUTE REQUEST and the target returns a ROUTE REPLY. Route Request packet has the following format- <ROUTE REQUEST, initiator, target, id, time interval, hash chain, node list, MAC list> To secure the Route Request packet Ariadne provides the following properties: Target node can authenticate initiator Initiator can authenticate each entry of the path in ROUTE REPLY No intermediate node can remove a previous node in the node list in Requestor REPLY 9/16/2018
Ariadne Route Discovery If RREQ valid RREP returned as <RREP,target,initiator,time interval,node list,MAC list,target MAC,key list> RREP returned to initiator of RREQ along source route obtained by reversing node list of the RREQ Node forwarding RREP waits till it can disclose its key from specified time interval; it then appends that key to key list and forwards packet Initiator verifies each key in key list is valid and target MAC is valid and that each MAC in MAC list is valid 9/16/2018
Ariadne Route Maintenance Node forwarding packet to next hop along source route returns Route ERROR to original sender of packet if it is unable to deliver packet after a limited number of retransmissions ERROR needs to be authenticated by sender Each node on return path to source forwards the ERROR 9/16/2018
SEAD Based on DSDV Using one-way hash chains rather than asymmetric cryptographic operations One-way hash chains Built on a one-way hash function. H:{0,1}*→{0,1}p Simple to compute but infeasible to invert Message Authentication The source node randomly pick up a value x in the beginning, and then it generates a hash chain: x=h0,h1,h2,…,hn Suppose m is the network diameter, and n is divisible by m It then releases hn to everybody 9/16/2018
SEAD (contd..) For authenticating a routing update with sequence number i and metric j, it sends hn-i*m+j The attacker can never forge better metrics or sequence numbers Attacker can only generate worse metrics or sequence numbers However, other information such as node name or next hop can be forged To prevent this, stream authentication schemes such as TESLA, HORS can be used Their recent paper Ariadne has this feature! 9/16/2018
Conclusions Examined the need for secure routing protocols Classification of attacks Current research aimed at symmetric cryptography in MANETs Study of secure routing protocols for MANETs Directions for further research Authentication and PKI Performance analysis 9/16/2018
Bibiliography Yih-Chun Hu, Adrian Perrig, David B. Johnson. "Ariadne: A secure On-Demand Routing Protocol for Ad hoc Networks" MobiCom 2002, September 23-28, 2002, Atlanta, Georgia, USA http://lambda.cs.yale.edu/cs425/doc/ariadne.pdf P. Papadimitratos and Z. Haas. "Secure routing for mobile ad hoc networks" (SRP) SCS Communication Networks and Distributed Systems Modeling and Simulation Conference, pp. 27--31, January 2002 http://wnl.ece.cornell.edu/Publications/cnds02.pdf Kimaya Sanzgiri, Bridget Dahill, Brian Neil Levine, Clay Shields and Elizabeth M. Belding royer. "A Secure Routing Protocol for Ad Hoc Networks" (ARAN) In International Conference on Network Protocols (ICNP), Paris, France, November 2002. www.cs.ucsb.edu/~kimaya/icnp2002.pdf Yih-Chun Hu, David B. Johnson, Adrian Perrig. "SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks" Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '02), pp:3-13, Jun 2002. http://www.cs.colorado.edu/~rhan/CSCI_7143_001_Fall_2002/Papers/Perrig2002_wmcsa02.pdf 9/16/2018
Bibiliography (contd..) Mobile Ad Hoc Networking Stefano Basagni (Editor), Marco Conti (Editor), Silvia Giordano (Editor), Ivan Stojmenovic, (Editor) ISBN: 0-471-37313-3 Wiley-IEEE Press : Chapter 12: Ad hoc networks Security Pietro Michiardi, Refik Molva http://www.eurecom.fr/~michiard/pub/michiardi-adhoc.pdf C. Perkins and P. Bhagwat. Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for Mobile Computers. In Proc. of the ACM SIGCOMM, October 1994 - http://www.cs.umass.edu/~mcorner/courses/691M/papers/perkins.pdf C. E. Perkins and E. M. Royer, "Ad hoc on demand distance vector (AODV) routing (Internet-Draft)," Aug. 1998. - http://www.ee.surrey.ac.uk/Personal/G.Aggelou/PAPERS/aodv_WMCSA.pdf D. B. Johnson and D. A. Maltz, "Dynamic source routing in ad hoc wireless networks." draft-ietf-manet-dsr-04.txt, 2001 - http://www.ics.uci.edu/~atm/adhoc/paper-collection/johnson-dsr.pdf 9/16/2018
Thank you! Any Questions? 9/16/2018