1 Ad Hoc Networks Security Instructor: Carlos Pomalaza-Ráez Fall 2003 University of Oulu, Finland

2 Introduction to Cryptography The idea is to protect data by transforming into a representation from which is hard to recover. This provide us with:  Confidentiality – only the sender and the receiver should know the message content  Authentication – sender and receiver can confirm the identity of each other  Integrity – sender and receiver can detect any alteration of the message  Non-repudiation – sender can not deny having created the message  Freshness – message is recent and not a replay Unless a message is properly protected unfriendly “agents” can capture or see it as it moves across the network and,  Insert messages into the connection  Impersonate – fake (spoof) source address  Hijack – take over connection a replacing the sender or receiver  Denial of service – by, for example, overloading the resources

3 Private (Symmetric) – Key systems In these systems the message M is encrypted using a key e which is known only to the sender and the receiver. To encrypt the message compute X = E(M, e), E being the encryption function. To decrypt X compute M = D(X, d), where d is the decryption key corresponding to e. There is usually a simple relationship between e and d. A widely known secret-key system is DES (Data Encryption Standard) M encryption algorithm decryption algorithm e – encryption key d – decryption key M = D(X, d) Alice X = E(M, e) Bob Unfriendly agent Eve

4 Public (Asymmetric)– Key systems In these systems the message M is encrypted using a key e which is public. To encrypt the message compute X = E(M, e), E being the encryption function. To decrypt X compute M = D(X, d), where d is the decryption key corresponding to e. Knowing e doesn’t help anyone to discover the decryption key d. M encryption algorithm decryption algorithm e – public encryption key d – private decryption key M = D(X, d) Alice X = E(M, e) Bob Unfriendly agent Eve

5 RSA – A Public-key Crypto-System RSA stands for its inventors Ron Rivest, Adi Shamir, and Len Ademan. We assume here that message is broken into parts of the right size, e.g bits. Choosing Keys  Choose two large prime numbers p, q (e.g., 512 bits each)  Compute n = pq, z = (p-1)(q-1) = Ф(n)  Choose e, (e<n), such that it has no common factors with z, e.g. gcd(e,Ф(n)) = 1 (gcd stands for greatest common divisor)  Choose d such that ed-1 is exactly divisible by z (in other words, ed mod Ф(n) = 1)  Public key is (n,e)  Private key is (n,d) R.L. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. of ACM, 21 (2), pp , Feb

6 RSA: Encryption - Decryption

7 Hash Algorithms A basic tool for cryptography is a secure hash algorithm. Given a variable length message x, a secure hash algorithm computes a function h(x) which has a fixed and often smaller number of bits. It is usually not possible to recover x from its hash function. Desirable properties of a secure hash function are:  A hash function h(x) is one-way if given y it is hard to find x such that h(x) = y  A hash function h(x) is weakly collision-free if given a message x 1 it is hard to find another message x 2 such that h(x 1 ) = h(x 2 )  A hash function h(x) is strong collision-free if it is hard to find any pair of messages x 1, x 2 such that h(x 1 ) = h(x 2 ) An important property of secure hash functions, like any hash function, is that they should uniformly cover their range. That is, for a uniform distribution of the inputs, the output probabilities from the hash function should be uniform.

8 Authentication via Digital Signatures Method I:  Bob encrypts entire message with his private key; this is Bob’s digital signature  Bob send both the message and his digital signature Similar to handwritten signatures Dear Alice, Bob Bob’s private key Ready for Transmission  Alice decrypts Bob’s message using Bob’s public key  If decrypted message matches the message, Alice knows that the signed message could only have come from Bob  Signing the entire document/message is computationally expensive Original Text Text encrypted with Bob’s private key

9 Authentication via Digital Signatures Method II:  Compute a hash on the document/message  The hash, also called a message digest, is much smaller than the document, resembles a CRC (Cyclic Redundancy Check)  Use private key to encrypt only the message digest  Encrypted digest is commonly called a digital signature  Computationally inexpensive  Send both the document and the digitally signed message digest At receiver  Hash the document → MD A and decrypt the digital signature → MD B  If MD A = MD B then receiver knows that:  the identity of sender correctly matches the advertiser of the public key (authentication)  that the document hasn’t been tampered with (data integrity)

10 Digital Signature - Signed message digest Bob sends digitally signed message Original Long Message Fixed-size message digest Encrypted message digest Bob’s private key Send to Alice Alice verifies signature and integrity of digitally signed message Many to one hash function Fixed-size message digest Original Long Message Many to one hash function Encrypted message digest Bob’s public key Fixed-size message digest Compare

11 Non-Repudiation via Digital Signatures Fixed-size message digest Original Long Message Many to one hash function Encrypted message digest Bob’s public key Fixed-size message digest Compare MD A MD B  Digital Signatures provide authentication, integrity, and non-repudiation  At receiver, if MD A = MD B then receiver knows that:  Only the sender’s private key could have created this signature (Non-repudiation & Authentication)  Sender can’t deny sending message

12 One-Way Hash Chains Construction  Pick random r N and a public one-way function F  r i = F(r i+1 )  Secret value: r N  Public value: r 0 F r8r8 r5r5 r6r6 r7r7 FFF r4r4 Properties  Use in reverse order of construction, i.e. r 1, r 2,…, r N  It is not feasible to derive r i from r j (j<i)  Good for authenticating r i knowing r j (j<i), e.g. verify if r j = F i-j (r i )  Robust to missing values

13 Message Authentication Codes (MAC)  It is a code – MAC(K,M)  Calculated by some function MAC that requires little computation  Inputs are the message M to be sent and K, the symmetric key known only by the two parties  The code is appended to each packet, i.e. {M, MAC(K,M)} Bob Alice Compute C = MAC(K,M) { M | C } It’s Alice not Alice YesNo Compute C’ = MAC(K,M) C = C’ Alice and Bob know in advance K and the MAC function

14 Unicast Source Authentication Bob Dave Carol Alice K a-b {M|MAC(K a-b, M)} K a-b K a-c K a-d M is duplicated and sent separately to each intended receiver with it a different MAC High overhead and consumes network resources Internet {M|MAC(K a-c, M)} {M|MAC(K a-d, M)}

15 Multicast Source Authentication Internet Bob Dave Carol Alice KaKa {M|MAC(K a, M)} KaKa KaKa KaKa K a is known to all receivers. Any receiver can forge a packet Low overhead and less network resources when compared with unicast method

16 TESLA Timed Efficient Stream Loss-Tolerant Authentication  Uses symmetric key cryptography  Asymmetric key cryptography via time  Based on initial loose time synchronization  MAC is attached to each packet  Delayed-disclosure of keys MAC( K i,M) M time t i-1 titi t i+1 F(K i ) Authentic Commitment K i is disclosed 1- Verify K i 2- Verify MAC 3- M is authentic A. Perrig, R. Canetti, J.D. Tygar, D. Song, “Efficient authentication and signing of multicast streams over lossy channels,” IEEE Symposium on Security and Privacy, May 2000.

17 TESLA – Sender Setup Alice time interval i -1interval iinterval i +1interval N K i+1 KiKi K i-1 KNKN  Use F' to derive the key to compute MAC K‘ i = F’(K i ) K’ i+1 K’ i K’ i-1 K’ N F’  Break time in intervals of same duration  Determine key chain length N, picks the last key K N randomly  Using a One Way Pseudo Random Function F compute K i = F(K i+1 ), assign one key to each interval Key generation

18 TESLA – Authentication K i+1 KiKi K i-1 K’ i+1 K’ i K’ i-1 F’ M i-1, K i-2 MAC(K’ i-1, D i-1 ) D i-1 M i, K i-1 MAC(K’ i, D i ) DiDi M i+1, K i MAC(K’ i+1, D i+1 ) D i+1 P i-1 PiPi P i+1 authenticatedauthenticated after reception of P i+1 not yet authenticated  When the receiver gets packet P i, it can not verify the MAC since it does not yet know K i from which it can compute K’ i  Packet P i+1 discloses K i and allows the receiver to:  verify that K i is correct, e.g., F(K i ) = K i-1  compute K’ i and check the authenticity of packet P i by verifying the MAC of P i

19 TESLA – Dynamic Packet Rates DjDj K’iK’i D j+1 K’ i+2 ii +5i +4i +3i +2i +1 D j+3 K’ i+3 D j+4 K’ i+3 D j+4 K’ i+5 M j+4 K i+1 M j+3 K i-1 M j+2 K i-1 MjMj K i-4 M j+1 K i-2 TΔTΔ d=4  The MAC key and the disclosed key depend of the time interval  The authentication key of P j is K i which is disclosed by packets sent in interval (i + d )  In this example packet P j+4 discloses key K i+1 which allows the receiver to compute K i and to authenticate packet P j PjPj P j+2 P j+1 P j+3 P j+4

20 Attacks to Ad-Hoc Networks Passive  Only eavesdrop  Threats against privacy/anonymity Active  Injects packets and eavesdrops  Characterized based on the number of controlled nodes in the network Routing disruption attacks  Causes legitimate data packets to be routed dysfunctionally (e.g., routing loop, black hole, gray hole, detour, partition) Resource consumption attacks  Consumes valuable network resources or node resources (e.g., injecting data packets, injecting control packets)

21 ARIADNE: A Secure On-Demand Routing Protocol for Ad Hoc Networks  Withstands node compromise  Relies on highly efficient symmetric cryptography  Does not require trusted hardware or powerful processors Authenticate routing messages using one of:  Shared secrets between each pair of nodes  Avoids need for synchronization  Shared secrets between communicating nodes combined with broadcast authentication  Requires loose time synchronization  Digital signatures Y-C Hu, A. Perrig, D. B. Jonson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” 8th ACM International Conference on Mobile Computing and Networking, MobiCom 2002, pp

22 ARIADNE: Key Setup  Shared secret keys  Key distribution center  Bootstrapping from a Public Key Infrastructure (PKI)  Pre-loading at initialization  Initial TESLA keys  Embed at initialization  Assume PKI and embed Certifications Authority’s public key at each node  Digital signatures  A mechanism distribute one authentic public key for each node Each node also has an authentic element from the Route Discovery chain of every node initiating Route Discoveries

23 ARIADNE: Route Discovery  Takes after DSR  Assume sender and receiver share secret (non-TESLA) keys for message authentication  Target authenticates ROUTE REQUESTS  Sender includes a MAC computed with end-to-end key  Target verifies authenticity and freshness of request using shared key  Data authentication using TESLA keys  Each hop authenticates new information in the REQUEST  Target buffers REPLY until intermediate nodes release TESLA keys o TESLA security condition is verified at the target o Target includes a MAC in the REPLY to certify the condition was met  Attacker can remove a node from node list in a REQUEST, but  One-way hash functions verify that no hop was omitted (per-hop hashing)

24 ARIADNE: Route Discovery  Assume all nodes know an authentic key of the TESLA one-way key chain of every other node  Securing ROUTE REQUEST  Target can authenticate the sender (using their additional shared key)  Initiator can authenticate each path entry in the ROUTE REPLY  No intermediate node can remove any other node in the REQUEST or REPLY  ROUTE REQUEST packet contains eight fields:  ROUTE REQUEST: label  initiator: address of the sender  target: address of the recipient  id: unique identifier  time interval: TESLA time interval of the pessimistic arrival time  hash chain: sequence of MAC hashes  node list: sequence of nodes on the path  MAC list: MACs of the message using TESLA keys

25 ARIADNE: Route Discovery  Upon receiving ROUTE REQUEST, a node: 1.Processes the request only if it is new 2.Processes the request only if the time interval is valid (not too far in the future, but not for an already disclosed TESLA key) 3.Modifies the request and rebroadcasts it – Appends its address to the node list, replaces the hash chain with H[A, hash chain], appends MAC of entire REQUEST to MAC list using K Ai where i is the index for the time interval specified in the REQUEST  When the target receives the route request: 1.Checks the validity of the REQUEST (determining that the keys from the time interval have not been disclosed yet and that hash chain is correct) 2.Returns ROUTE REPLY containing eight fields – ROUTE REPLY, target, initiator, time interval, node list, MAC list – target MAC: MAC computed over above fields with key shared between target and initiator – key list: disclosable MAC keys of nodes along the path

26 ARIADNE: Route Discovery  Node forwarding ROUTE REPLY  Waits until it can disclose TESLA key from specified interval o Appends that key to the key list o This waiting does delay the return of the ROUTE REPLY but does not consume extra computational power  When initiator receives ROUTE REPLY 1.Verifies each key in the key list is valid 2.Verifies that the target MAC is valid 3.Verifies that each MAC in the MAC list is valid using the TESLA keys The ROUTE MAINTENACE mechanism has similar features, e.g.,  Based on DSR  Node forwarding a packet to the next hop returns a ROUTE ERROR to the original sender  Prevent unauthorized nodes from sending errors, e.g. sender we authenticates errors