An Advanced Signature System for OLSR Daniele Raffo Cédric Adjih Thomas Clausen Paul Mühlethaler 2004 ACM Workshop on Security of Ad Hoc and Sensor Networks.


An Advanced Signature System for OLSR Daniele Raffo Cédric Adjih Thomas Clausen Paul Mühlethaler 2004 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2004) October 25, 2004 Washington DC, USA

Index

- Overview of ADVSIG - Advanced Signature System
- Overview of the OLSR protocol
- Attacks against routing
- Topology changes step by step
- Link state steps (Required proofs)
- Link state atomic information
- ADVSIG control message
- Example of a HELLO/TC + ADVSIG
- ADVSIG protocol
- Conclusion

Overview

Signature of control messages. An attacker compromises a node X, capturing its private key: now what? We can still check (to some degree) whether the topology information supplied by X is valid, because that information must be consistent with the information supplied in the past. Hence we have designed a security scheme in which this past information is embedded in a signature message called ADVSIG. The ADVSIG message has to be sent coupled with the standard HELLO and TC control messages.

The OLSR protocol: overview

OLSR is a proactive link state routing protocol for ad hoc networks.

Periodic exchange of control messages:
- HELLOs: links with neighbors (link state), MPR selection; 1 hop only, no forwarding
- TCs: bi-directional links with nodes; flooded via MPR in the entire network

The OLSR protocol: overview

Optimized flooding via Multipoint Relays (MPRs): each node selects MPRs from among its neighbors, such that a message emitted by that node and relayed by its MPRs will be received by all nodes 2 hops away.

[Figure: standard flooding compared with MPR broadcast]

Attacks against routing

We assume that a PKI and message signatures have already been deployed, so that identity spoofing is not possible. We make the hypothesis that a node has been compromised, so it is able to send false information in messages that are nonetheless correctly signed. We call this link spoofing: a node declares non-existent neighbors in its HELLO and TC messages.

Results: the other nodes store an incorrect topology of the network → unreachable nodes and/or conflicting routes.

Topologia non facit saltus

Main idea: network topology changes step by step. We could therefore reuse topology information at time t_{i-1} to prove the validity of topology information at a later time t_i.

[Figure: timeline of the link between two nodes A and B]
t_1: (empty)
t_2: A: ASYM_LINK
t_3: B: SYM_LINK
t_4: A: SYM_NEIGH / MPR_NEIGH

Link state steps (Required proofs)

When A has the following link state with B at time t_i, this means that B recently (at time t_{i-1}) had the following link state with A:

| Message | A's link state with B (t_i) | B's link state with A (t_{i-1}) |
| HELLO   | ASYM_LINK                   | (not neighbor)                  |
| HELLO   | SYM_LINK                    | ASYM_LINK or SYM_LINK           |
| HELLO   | SYM_NEIGH or MPR_NEIGH      | SYM_LINK or SYM_NEIGH           |
| TC      | neighbor                    | SYM_NEIGH or MPR_NEIGH          |

Link state atomic information

The minimal quantity of certified link state information to be exchanged consists of (information sent by node A concerning neighbor B):
- B's address
- B's link state with respect to A
- timestamp of creation
- signature of these three fields by A

This atomic information is supplied by A as fresh new (Certificate), received and stored in a table by B, and reused afterward (Proof) by B to prove its actual link state. This actual link state information is spread by B in the form of a Certificate, and so on...

Note that at bootstrap (ASYM_LINKs) there will be no Proof to give!

ADVSIG control message

We propose an ADVSIG message embedding Certificates' and Proofs' timestamps and signatures (along with a global timestamp and signature). This ADVSIG message is generated and sent along with any HELLO or TC.

As an example, the next pages will show a HELLO + ADVSIG that advertises links with three neighbors, and a TC + ADVSIG that reports a neighbor.

HELLO + ADVSIG

HELLO message:
| Reserved | Htime | Willingness |
| Link Code | Reserved | Link Message Size |
| Neighbor Interface Address |
| Neighbor Interface Address |
| Link Code | Reserved | Link Message Size |
| Neighbor Interface Address |
:

ADVSIG message:
| Sign. Method | Reserved | MSN Referrer |
| Global Timestamp |
| Global Signature |
| Signature of Certificate #1 |
| Signature of Certificate #2 |
| Signature of Certificate #3 |
:
| Timestamp of Proof #1 |
| Signature of Proof #1 |
| Timestamp of Proof #2 |
| Signature of Proof #2 |
| Timestamp of Proof #3 |
| Signature of Proof #3 |
:

Certificate:
- address
- link state
- timestamp of creation
- signature

Proof:
- address of the node sending this HELLO
- link state can be extrapolated (see "Required proofs")
- timestamp of creation
- signature


TC + ADVSIG

TC message:
| ANSN | Reserved |
| Advertised Neighbor Main Address |
:

ADVSIG message:
| Sign. Method | Reserved | MSN Referrer |
| Global Timestamp |
| Global Signature |
| Timestamp of Proof #1 |
| Signature of Proof #1 |
:

TC messages contain no Certificates, because they do not carry link state information.

Proof:
- address of the node sending this TC
- link state can be extrapolated (see "Required proofs")
- timestamp of creation
- signature

ADVSIG protocol

[Diagram: HELLO + ADVSIG message layout, repeated from the "HELLO + ADVSIG" slide]

When you generate a HELLO/TC message:
1. compute the Signature of Certificate (HELLO only)
2. find the required proof in your table, and copy the Timestamp of Proof and Signature of Proof
3. compute the Global Signature
4. send the HELLO/TC + ADVSIG messages

ADVSIG protocol

[Diagram: HELLO + ADVSIG message layout, repeated from the "HELLO + ADVSIG" slide]

When you receive HELLO/TC + ADVSIG messages:
1. check that the Global Timestamp is valid
2. check that the Global Signature is valid
3. for each advertised link/neighbor in the HELLO/TC, rebuild the required proof and check that the Timestamp & Signature of Proof are valid
4. (HELLO only) if the advertised link is with you, extract the proof relevant to you and store it in your table

If any of these tests fails, discard the HELLO/TC + ADVSIG.
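The generate and receive procedures above, together with the "Required proofs" table, sketched as an added example (not code from the slides or from any OLSR implementation). HMAC with constructed per-node keys stands in for the PKI signatures the slides assume. The field names, the `MAX_AGE` window, the `TC_NEIGHBOR` label, and the choice to use the Global Timestamp as the Certificate timestamp are all assumptions.

```python
import hashlib, hmac

# Constructed keys; HMAC stands in for the PKI signatures the slides assume.
KEYS = {"A": b"key-A", "B": b"key-B", "X": b"key-X"}
MAX_AGE = 10  # assumed freshness window for timestamps, in seconds

# "Required proofs" table: state the sender advertises for a neighbor ->
# states that neighbor must recently have declared for the sender.
REQUIRED = {
    "ASYM_LINK": (),  # bootstrap: no Proof to give
    "SYM_LINK": ("ASYM_LINK", "SYM_LINK"),
    "SYM_NEIGH": ("SYM_LINK", "SYM_NEIGH"),
    "MPR_NEIGH": ("SYM_LINK", "SYM_NEIGH"),
    "TC_NEIGHBOR": ("SYM_NEIGH", "MPR_NEIGH"),  # hypothetical label for a TC entry
}

def sign(signer, *fields):
    data = "|".join(map(str, fields)).encode()
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()

def fresh(ts, now):
    return ts is not None and 0 <= now - ts <= MAX_AGE

def build(sender, ts, links, table):
    """links: [(neighbor, state)]; table: neighbor -> (proof_ts, proof_sig)."""
    entries = []
    for nbr, state in links:
        # Step 1: Certificate = signed (address, link state, timestamp); HELLO only.
        cert = None if state == "TC_NEIGHBOR" else sign(sender, nbr, state, ts)
        # Step 2: copy the stored Proof, if this state needs one.
        pts, psig = table.get(nbr, (None, None)) if REQUIRED[state] else (None, None)
        entries.append((nbr, state, cert, pts, psig))
    # Step 3: Global Signature over the message and ADVSIG fields.
    return {"from": sender, "ts": ts, "links": entries,
            "gsig": sign(sender, ts, entries)}

def receive(me, msg, now, table):
    """Apply the receive checks; store Certificates addressed to `me`."""
    sender, ts, links = msg["from"], msg["ts"], msg["links"]
    if not fresh(ts, now):  # check 1: Global Timestamp
        return False
    if not hmac.compare_digest(sign(sender, ts, links), msg["gsig"]):  # check 2
        return False
    for nbr, state, cert, pts, psig in links:  # check 3: rebuild each Proof
        allowed = REQUIRED[state]
        if allowed and not (psig and fresh(pts, now) and any(
                hmac.compare_digest(sign(nbr, sender, s, pts), psig) for s in allowed)):
            return False
    for nbr, state, cert, pts, psig in links:  # step 4 (HELLO only)
        if nbr == me and cert and hmac.compare_digest(sign(sender, me, state, ts), cert):
            table[sender] = (ts, cert)
    return True
```

Because the Proof carries only a timestamp and a signature, the receiver tries each link state the table allows and accepts if one of them reproduces the neighbor's signature; a correctly signed HELLO from a compromised node fails this check when no such earlier declaration by the neighbor exists.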

Conclusion

This system protects the network against false routing information issued by:
- a lone attacker
- multiple attackers that do not communicate with each other

The network is still vulnerable to connected attackers in collusion (wormhole, etc.), or an attacker failing to forward messages (DoS).

Heavy overhead, but improves robustness against isolated attackers.