Security for Ad Hoc Network Routing

Presentation transcript:

1 Security for Ad Hoc Network Routing

2 Ad Hoc Networks Properties
Mobile
Wireless communication
Medium to high bandwidth
High variability of connection
No fixed infrastructure
Participants from different administrative entities
Medium to high computation, memory
Usually human user with each device

3 Key Establishment Seen So Far
SSL/TLS
  Assumption: browser can authenticate server's certificate with its local CA root certificates
Large-group key distribution
  Assumption: each client already has a secure connection to key distribution server
Challenge in ad hoc networks: establish keys without any prior trust relationships

4 Problem Definition
Goals
  Secure, authenticated communication between devices that share no prior context
  Demonstrative identification: ensure to human user which other device they are communicating with
No prior context?
  No CAs or other trusted authorities
  No PKI
  No shared secrets
  No shared communication history
Problem reduces to key establishment
Diffie & Hellman taught us how to share secrets …

5 Diffie-Hellman Key Agreement
Public values: large prime $p$, generator $g$
Alice has secret $a$, Bob has secret $b$
A → B: $g^a \bmod p$
B → A: $g^b \bmod p$
Bob: $(g^a \bmod p)^b \bmod p = g^{ab} \bmod p$
Alice: $(g^b \bmod p)^a \bmod p = g^{ab} \bmod p$
Eve cannot compute $g^{ab} \bmod p$

6 Problem: Man-in-the-middle Attack
Mallory can impersonate Alice to Bob, and impersonate Bob to Alice!
A → M: $g^a \bmod p$
M → A: $g^m \bmod p$
M → B: $g^m \bmod p$
B → M: $g^b \bmod p$
Bob: $(g^m \bmod p)^b \bmod p = g^{bm} \bmod p$
Alice: $(g^m \bmod p)^a \bmod p = g^{am} \bmod p$

7 How Serious is MitM Attack?
Wireless communication is invisible
  People can't tell which devices are connected
Neighbor can easily execute MitM attack
  If neighbor has a faster computer, it can easily respond faster than the legitimate devices
Easy to perform with high success rate!

8 Solution to Man-in-the-Middle Attack
Authentication!
  Public DH values must be authenticated
  Topic of this lecture
Tradeoffs between security, usability, and transparency to the user
  Transparency: Does the user realize she is involved in a key establishment protocol? Does the user need to realize this?

9 Commitment Schemes
Commitment semantics:
  Binding
  Hiding
$(c, d) \leftarrow \mathrm{commit}(m)$
  $m$: message; $c$: commitment; $d$: opening value
It is infeasible to find $d'$ such that $(c, d')$ reveals $m' \neq m$
Example
  $c = H(m \,\|\, r)$ where $r$ is a random number
  $d = (m, r)$

10 Simple Protocol: String Comparison
Public values: large prime $p$, generator $g$
Alice has secret $a$, Bob has secret $b$
A → B: $g^a \bmod p$
B → A: $g^b \bmod p$
Alice and Bob compute: $g^{ab} \bmod p$
Alice's and Bob's devices display the last 20 bits of $H(g^{ab} \bmod p)$ (5 hexadecimal digits) and the users compare them manually; if they match, both click OK

11 Shortcomings of Simple Protocol
First, Alice and Bob may not really compare the strings, but simply click OK. How to avoid this?
Knowing $g^a$ and $g^b$, attacker can compute $g^c$ and $g^d$ such that $[H(g^{ac})]_n = [H(g^{bd})]_n$
  Complexity: only $O(2^{n/2})$ operations!
How to prevent this attack?

12 Secure routing in ad hoc network
Here we use DSR as a showcase: we revisit the routing operations in DSR, show the possible attacks on these operations, and consider secure ways of preventing these attacks.

13 Dynamic Source Routing (DSR)
Flooding is used for the delivery of control packets, not data packets.
The control packets are flooded to discover routes.
Then the data packet is sent over the discovered path.

14 Route discovery in DSR
[Figure: network of nodes A to O; RREQ node list {C}]
C initiates the route discovery by flooding a Route Request (RREQ).
Each node appends its ID to the RREQ when it forwards the RREQ.

15 Route discovery in DSR
[Figure: network of nodes A to O; RREQ node lists {C,G} and {C,F}]

16 Route discovery in DSR
[Figure: network of nodes A to O; RREQ node lists {C,G,I} and {C,F,H}]
Node K receives two RREQs. It may choose the shorter one (hops).

17 Route discovery in DSR
[Figure: network of nodes A to O; RREQ node list {C,F,H,K}]

18 Route Reply in DSR
When a destination node receives a RREQ, it sends a Route Reply (RREP).
The RREP is sent by reversing the route appended in the RREQ if the links are bidirectional.
If links are unidirectional, the destination node (D) may need a route discovery. In that case the RREP is piggybacked on the RREQ from D.
The RREP contains the complete path from the sender to the destination.

19 Route reply in DSR
[Figure: network of nodes A to O; RREP carrying route {C,F,H,K,L}]

20 Data delivery in DSR
[Figure: network of nodes A to O; data packet carrying route {C,F,H,K,L}]
All nodes on the path are included in the packet header. That is why it is called source routing.

21 Data delivery in DSR
Promiscuous listening
Data delivery is unicast, so packets carry the next hop's IP address and MAC address.
When next hop nodes' MAC layer receives a frame, it compares the destination MAC address with its own MAC address. Since they do not match, the MAC layer discards the frame.
To avoid this, MAC layers use promiscuous listening. In this case, the MAC layer delivers frames to its network layer regardless of whether the destination address matches its MAC address.

22 Attack model in DSR
Excessive Route Discovery floods
Modifying discovered routes:
  By dropping nodes
  By altering the node list
Sending bogus ROUTE ERRORs
Failing to send ROUTE ERROR for broken route
Failing to forward packets

23 Ariadne
The solutions explained here are based on the following paper.
Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks, Y.-C. Hu, A. Perrig, A.B. Johnson, Wireless Network 11, 21-38, 2005

24 Ariadne Authentication Requirements
Can use any of three types of authentication:
  Pairwise shared keys: But requires setting up $O(n^2)$ keys
  Digital signatures and asymmetric key setup: But uses expensive asymmetric cryptography
  Time-delayed broadcast authentication (TESLA): But requires time synchronization
Ariadne requires only one of these types:
  Each appropriate for different circumstances

25 ROUTE REQUEST Flooding Attack
On-demand protocols discover routes using flooding
An attacker can use this to flood the network:
  A solution: rate-limit Discoveries when forwarding
  But attacker can forge claimed Discovery initiator
[Figure: node X sending ROUTE REQUEST from A, ROUTE REQUEST from B, ROUTE REQUEST from C, ROUTE REQUEST from D, ROUTE REQUEST from E]

26 Excessive ROUTE REQUEST Floods
Solution: Node uses a one-way hash chain:
  Authenticates the true source of ROUTE REQUEST
  Disclose a new element per Discovery
  Each element can be used only once

27 One-Way Hash Chains
Pick random $C_n$ and public one-way function $H$
$C_i = H(C_{i+1})$
Infeasible to derive $C_i$ from $C_j$ ($j < i$)
Efficiently authenticate $C_i$ using $C_j$ ($j < i$): $C_j = H^{i-j}(C_i)$
[Figure: chain $C_n \to C_{n-1} = H(C_n) \to \dots \to C_{i+1} \to C_i = H(C_{i+1}) \to \dots \to C_1 \to C_0 = H(C_1)$]

28 Using Hash Chains
Each node uses a one-way hash function $H$ which is known to every node.
Each node picks a random $C_n$, which is a secret value, and computes each chain value $C_i = H^{n-i}(C_n)$. So each node has its own hash chain.
Publicize $C_0$ to every node, like a public key.
Every time a node sends a RREQ message, it includes the next $C_i$, starting from $C_0$.
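The hash-chain check from slides 26 to 28, as an added example that is not part of the original slides. It assumes SHA-256 for $H$ and a hypothetical `max_skip` bound on how many lost Discoveries a forwarding node tolerates; the seed in any test run is constructed.

```python
import hashlib
import os
from typing import List, Optional


def H(x: bytes) -> bytes:
    """Public one-way function H (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: Optional[bytes] = None) -> List[bytes]:
    """Return [C_0, ..., C_n] with C_i = H(C_{i+1}); C_n is the secret seed."""
    c = seed if seed is not None else os.urandom(32)
    chain = [c]
    for _ in range(n):
        c = H(c)
        chain.append(c)
    chain.reverse()          # index i now holds C_i, and C_0 is the public anchor
    return chain


class DiscoveryVerifier:
    """State a forwarding node keeps for one initiator's ROUTE REQUESTs."""

    def __init__(self, anchor: bytes, max_skip: int = 16):
        self.last = anchor   # most recent authenticated element C_j (C_0 at start)
        self.max_skip = max_skip

    def accept(self, element: bytes) -> bool:
        """Accept a claimed C_i (i > j) iff H^(i-j)(C_i) == C_j for some
        1 <= i-j <= max_skip. Replayed or older elements never hash forward
        to C_j, so each element authenticates at most one Discovery."""
        x = element
        for _ in range(self.max_skip):
            x = H(x)
            if x == self.last:
                self.last = element   # advance, so this element cannot be reused
                return True
        return False
```

A forwarding node would keep one `DiscoveryVerifier` per initiator and drop any ROUTE REQUEST whose chain element is rejected, which is what makes per-initiator rate limiting meaningful.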

29 Hop Drop Attack
Attacker can drop or alter nodes on this list
Can prevent discovery of a correct route
[Figure: path S, A, B, C, D with request node lists S; S, A; S, B; S, B, C]

30 Preventing Hop Drop
Initiator S and Target D share (or generate) $K_{SD}$
S adds Message Authentication Code $h_0 = \mathrm{MAC}(K_{SD}, \text{request id})$ to ROUTE REQUEST
  MAC can only be computed by S and D
Each hop computes $h_i = H(\text{node address} \,\|\, h_{i-1})$
B needs $h_0$ to drop A but can't derive it from $h_1$
[Figure: path S, A, B, C, D with $h_0$, $h_1$, $h_2$ on successive links]

31 Preventing Hop Drop
In an Ariadne ROUTE REQUEST:
  $h_0 = \mathrm{MAC}(K_{SD}, \text{request id})$
    Target can compute $h_0$
  $h_i = H(\text{node address} \,\|\, h_{i-1})$
    Target can reconstruct each $h_i$
Target can thus detect hop drop
[Figure: path S, A, B, C, D with $h_0$, $h_1$, $h_2$, $h_3$ on successive links]

32 Node List Corruption
Attacker can insert arbitrary nodes into node list
  Instead of attacker's node address
  Or in addition to attacker's node address
Can prevent discovery of a correct route
[Figure: path S, A, B, C, D with request node lists S; S, A; S, A, Z; S, A, Z, C]

33 Route Authentication using Shared Keys
When using shared keys between all node pairs:
Each node F forwarding a REQUEST packet $p$:
  Computes a MAC over $p$ using the key it shares with the target
  Includes it in $h_i$ as $h_i = H(F \,\|\, \mathrm{MAC}(K_{FD}, p) \,\|\, h_{i-1})$
  Only F and the target can compute this
[Figure: path S, A, B, C, D with $h_0$, $h_1$, $h_2$, $h_3$ on successive links]

34 Route Authentication using Shared Keys
In an Ariadne ROUTE REQUEST:
  As before, target can recompute $h_0$
  $h_i = H(F \,\|\, \mathrm{MAC}(K_{FD}, p) \,\|\, h_{i-1})$
    Target can reconstruct each $h_i$
Target can detect bogus nodes in node list
If received $h_i$ is valid, return authenticated REPLY
[Figure: path S, A, B, C, D with $h_0$, $h_1$, $h_2$, $h_3$ on successive links; REPLY carries S,A,B,C,D and $\mathrm{MAC}(K_{SD}, \text{S,A,B,C,D})$]
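The target-side check from slides 30 to 34 (hop drop and node list corruption), as an added example that is not part of the original slides. It assumes SHA-256 for $H$, HMAC-SHA256 for MAC, and a hypothetical encoding of the REQUEST packet $p$ as the request id plus the node list so far; the keys and request id are constructed, and `relay` only simulates the forwarding hops so the check has input.

```python
import hashlib
import hmac


def H(*fields: bytes) -> bytes:
    """Hash of length-prefixed fields, so F || MAC || h cannot be re-split."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(2, "big") + f)
    return d.digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def packet(req_id: bytes, nodes: list) -> bytes:
    # Assumed encoding of p (not specified on the slides).
    return req_id + b"|" + b",".join(nodes)


def forward(node, key_fd, req_id, nodes, h_prev):
    """Hop F appends itself and sets h_i = H(F || MAC(K_FD, p) || h_{i-1})."""
    nodes = nodes + [node]
    return nodes, H(node, mac(key_fd, packet(req_id, nodes)), h_prev)


def target_accepts(keys, req_id, nodes, h_recv) -> bool:
    """Target D recomputes h_0..h_i from the claimed node list and its keys."""
    if not nodes or any(n not in keys for n in nodes):
        return False
    h = mac(keys[nodes[0]], req_id)            # h_0 = MAC(K_SD, request id)
    for i in range(1, len(nodes)):
        p = packet(req_id, nodes[:i + 1])
        h = H(nodes[i], mac(keys[nodes[i]], p), h)
    return hmac.compare_digest(h, h_recv)


# Constructed sample keys K_XD that each node X shares with target D.
KEYS = {n: hashlib.sha256(b"demo-key-" + n).digest() for n in (b"S", b"A", b"B", b"C", b"Z")}
REQ = b"req-0001"


def relay(path, strip_before=None, no_key_for=None):
    """Simulate forwarding; the two options reproduce slides 29 and 32."""
    nodes, h = [b"S"], mac(KEYS[b"S"], REQ)
    for n in path:
        if n == strip_before:
            nodes = nodes[:-1]                 # previous hop removed, h left as is
        key = b"not-K_ZD" if n == no_key_for else KEYS[n]
        nodes, h = forward(n, key, REQ, nodes, h)
    return nodes, h
```

The stripped list fails because the hop that removed A can only continue from $h_1$, while the target restarts from $h_0$; the inserted Z fails because nobody but Z and D can produce $\mathrm{MAC}(K_{ZD}, p)$.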

35 Authenticating ROUTE ERRORs
Attacker could send forged ROUTE ERRORs to break good routes that are in use
Solution: Authenticate ROUTE ERRORs
If using pairwise shared keys:
  Authenticate ERROR to original source of packet

36 Secure Route Maintenance
ROUTE ERRORs can be only an optimization:
  Malicious nodes might refuse to send them
To ensure Ariadne does not persistently use non-working routes:
  Sources may use multipath routing
  Each packet is acknowledged end-to-end, preferably using the reverse path
  Sender should more often choose routes that successfully deliver packets
Never fully stop using an apparently good route:
  Short-term Denial-of-Service would otherwise result in permanent crippling of that route