
Security in Ad Hoc Networks
- Still an active, open area of research.
- No comprehensive solution suite.
- More questions than answers.
- I expect that we have a lot of questions/discussions; none of the methods I will outline are foolproof.

References used for this discussion
1. L. Zhou and Z. J. Haas, "Securing Ad Hoc Networks", IEEE Network Magazine, Nov/Dec.
2. Y. Zhang and W. Lee, "Intrusion Detection in Ad hoc Networks", Proceedings of Mobicom 2000.

Attributes for Security
- Availability: Ensure that the network is survivable in spite of Denial of Service (DoS) attacks.
  - At the physical layer and MAC layer: jamming.
  - At the network layer: disrupt routing.
  - Bring down high-level services such as the key management system.
- Integrity: Ensure that a packet being transferred is never corrupted. This could be due to malicious attacks on the network but also sometimes due to fading etc.

Attributes for Security (continued)
- Confidentiality: Ensure that certain information is never disclosed to unauthorized entities.
  - Both data and control information might have to be confidential.
  - Usually requires encryption.
- Authentication: Enables a node to ensure the identity of the peer node that it is communicating with.
  - Without authentication, an adversary could masquerade as a node and get unauthorized access to network resources.
  - This would interfere with normal operations.

Attributes for Security (continued)
- Non-Repudiation: Ensures that the origin of a message cannot deny having sent the message.
  - Useful for the detection and isolation of compromised nodes.
  - Usually involves something like a digital signature.

Why are Ad Hoc Networks different from a security viewpoint?
Use of wireless links makes the network susceptible to link attacks:
- Passive
  - Eavesdropping: undesired access to secret information.
- Active
  - Impersonation: the adversary might pretend to be someone else.
  - Message replay: a replay at a later time could cause confusion.
  - Message distortion: wrong information may be disseminated.
All of these violate our security attributes.

In addition, nodes roaming in a hostile environment (military) have a non-negligible probability of being compromised. Thus, attacks might come not only from outside the network but also from inside the network.
So what is required?
- No central entities. Why? These entities could fall into the wrong hands. Thus, a distributed security architecture is required.
- Furthermore, the network is dynamic. Nodes leave and join, and trust relationships between nodes change.
- There are no administrative domains such as a cell (in cellular networks).
- The architecture should be capable of adjusting to on-the-fly changes.

Secure Routing
In order to ensure availability, the routing protocols should be robust not only to the dynamically changing topology but also to malicious attacks.
- What could an external attacker do?
  - Inject erroneous routing information.
  - Replay old routing information.
  - Distort routing information.
- What could a compromised node do?
  - Advertise incorrect routing information.
  - Note that compromised nodes can generate valid signatures!

Protection against attacks
- Protection against external attackers
  - Cryptographic schemes such as digital signatures.
  - Because routing information has to be signed, erroneous information injected by an attacker can be detected.
- Protection against compromised nodes
  - Much more difficult to protect against.
  - Compromised nodes would be able to generate digital signatures.
  - How can one say whether the information is malicious or is genuine, since there may have been a topological change? See the next few slides.

Possible ways of overcoming attacks by compromised nodes
- No proven efficient solution yet.
- Redundant paths → instead of using the new info provided, skip to alternate paths.
- Diversity encoding: uses multiple paths.
  - Transmit redundant information through additional routes for error detection and message retransmission.
  - If there are n channels, use n-r for data and r for redundant info. If up to r channels are compromised, it is still OK.
- Source routes → source and destination have to authenticate RREQ and RREP messages → hash the route.

Key Management in Ad Hoc Networks
- A public key infrastructure may be adopted.
  - Each node has a public/private key pair.
  - Public keys are distributed to other nodes.
  - Private keys are confidential to individual nodes.
- Usually with such an infrastructure, there is a trusted entity known as a Certificate Authority (CA).
  - This authority has a public/private key pair.
  - It signs certificates binding public keys to nodes.

- Bindings could change over time, so the CA has to be online all the time.
- A node might refresh its key pair periodically to overcome brute force attacks on its private key.
- However, this is difficult in ad hoc networks.
  - It may not be possible to maintain a single CA online.
  - Compromise of the CA could lead to disaster.
  - Furthermore, if the CA is down, nodes cannot get the current public keys of other nodes.
- One solution is to replicate the CA. But a blind replication could lead to more problems: more vulnerability.

The paper by Haas and Zhou proposes a key management service. They make certain assumptions, which are:
- No bounds on message delivery and message processing times.
- Reliable links: no fading or such.
The key management service as a whole has a public/private key pair.
- All nodes in the network have this public key.
- They would be able to decrypt messages that are encrypted using the private key and trust that these messages are authentic.
- Nodes can submit "query" requests to obtain other clients' public keys.

The Configuration
- There are n special nodes that are called servers.
- Each server has its own key pair and stores the public keys of all nodes in the network.
- It knows the public keys of the other servers. Thus, servers can establish secure connections with other servers.
- The configuration is (n, t+1) where n >= 3t+1.
- This means that up to t servers can be compromised at any given time within a certain duration.

- Compromised servers can exhibit Byzantine behavior, which means that they can deviate arbitrarily from their protocols.
- The scheme (which we are still to discuss) works if it is:
  - Robust: always able to process query and update messages from its clients. Every query always returns the last updated public key associated with the requested client.
  - Confidentiality is preserved: the private key of the service is never disclosed to an adversary → the adversary can never issue certificates.

The Method: Threshold Cryptography
Definition: An (n, t+1) threshold cryptography scheme allows n parties to share the ability to perform a cryptographic operation (such as a digital signature), such that:
- If there are t+1 entities out of these n parties, they can perform this operation jointly.
- It is infeasible for at most t parties to do so, even by collusion.
So in our case, there are n servers that share the ability to sign certificates. For the service to tolerate t compromised servers, we employ an (n, t+1) threshold cryptography scheme.

- The private key of the service is now divided into n shares $(s_1, s_2, \ldots, s_n)$. Each server gets one share.
- For the service to sign a certificate, each server generates a partial signature for the certificate using its private key share.
- This is then submitted to a combiner.
- Any server could be a combiner → to ensure that a compromised node cannot prevent a signature from being generated, one can think of doing the combining at at least t+1 nodes!
- With (t+1) partial signatures, the combiner is able to compute the signature for the certificate.

[Figure: servers 1 to 4 (share labels S1, S2, S3), message m and combiner C.]
We have 3 servers, i.e., n = 3. Each has a share of the key k. We can tolerate up to 1 failure. Correct servers 1, 2 and 4 generate partial signatures but 3 does not. C is still able to generate the signature of m signed by the service private key k.

- Incorrect partial signatures can be identified by the combiner using the public key of the service.
- If any of the first (t+1) shares that the combiner chooses fails, it chooses a different set and tries to construct the correct signature. It continues until it can do so.
- Refer to the paper for more details and for references on how the threshold cryptography scheme is actually implemented → it involves having inherent redundancies in the partial signatures.

Shared Refreshing
- Mobile adversaries may be present → they would temporarily compromise a server, move to the next victim, and so on.
- Over time, it is possible that the adversary may achieve the compromise of more than t servers.
- To counter mobile adversaries, shared refreshing may be used.
- Shared refreshing enables servers to compute new shares from old ones in collaboration, without disclosing the service private key to any server.
- After this process, servers remove the old shares and use the new ones to generate partial signatures.

- The new shares are independent of the old shares. Because of this property, it is impossible to construct the private key with a combination of old and new shares.
- Thus, the mobile adversary has to achieve the compromise of (t+1) servers between periodic shared refreshing.
- Share refreshing must tolerate missing sub-shares and compromised servers → compromised servers cannot send any sub-shares.
- There are crypto methods that allow incorrect sub-shares to be identified → refer to the references in the paper.

How does Shared Refreshing work?
We won't go into much detail, but:
- Each server i that is correct randomly generates shares of a key $(s_{i1}, s_{i2}, \ldots, s_{ij}, \ldots, s_{in})$, which is an (n, t+1) sharing of its key.
- The newly generated share $s_{ij}$ is now sent to server j via a secure link (how is this done?).
- When server j gets the sub-shares $s_{1j}, s_{2j}, \ldots, s_{nj}$, it can generate a new share from these sub-shares and its old share: $s'_j = s_j + \sum_{i=1}^{n} s_{ij}$.
- This is based on a property that this new key has the same sharing properties (refer to the paper).

- This share refreshing can be done even if the number of sharing servers is different, i.e., n' instead of n.
- Now an (n', t'+1) sharing is achieved.
- This allows dynamic changing of the key sharing service → required in an ad hoc network.
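The (n, t+1) sharing and the refresh rule $s'_j = s_j + \sum_i s_{ij}$ described above, as an added example (not code from the slides or from the Zhou and Haas paper). It uses Shamir secret sharing over a prime field and reconstructs the key directly instead of producing partial signatures. Assumptions: each server's sub-shares form a sharing of zero (this is what lets the sum keep the same key), and the field modulus, function names and the n = 4, t = 1 parameters are constructed for illustration.

```python
import secrets

# Constructed for this example: a Mersenne prime as the field modulus.
P = 2**127 - 1


def share(secret, n, t):
    """Split `secret` into n Shamir shares; any t+1 of them reconstruct it."""
    # Random polynomial of degree t whose constant term is the secret.
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {j: sum(c * pow(j, k, P) for k, c in enumerate(coeffs)) % P
            for j in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over a {server index: share} map."""
    total = 0
    for j, s_j in shares.items():
        num, den = 1, 1
        for m in shares:
            if m != j:
                num = num * (-m) % P
                den = den * (j - m) % P
        total = (total + s_j * num * pow(den, -1, P)) % P
    return total


def refresh(old, t):
    """Share refreshing: s'_j = s_j + sum_i s_ij.

    Assumption of this example: server i's sub-shares (s_i1 .. s_in) are an
    (n, t+1) sharing of 0, so the refreshed shares still encode the same key.
    """
    n = len(old)
    sub = {i: share(0, n, t) for i in old}   # sub[i][j] is s_ij, sent i -> j
    return {j: (old[j] + sum(sub[i][j] for i in old)) % P for j in old}


def demo():
    """Run one refresh round for n = 4 servers tolerating t = 1 compromise."""
    n, t = 4, 1
    k = secrets.randbelow(P)                 # service private key (constructed)
    old = share(k, n, t)
    new = refresh(old, t)
    return {
        # Any t+1 = 2 shares from the same epoch recover k.
        "old_ok": reconstruct({1: old[1], 3: old[3]}) == k,
        "new_ok": reconstruct({2: new[2], 4: new[4]}) == k,
        # One share stolen before the refresh plus one stolen after is useless.
        "mixed_ok": reconstruct({1: old[1], 2: new[2]}) == k,
        "shares_changed": all(old[j] != new[j] for j in old),
    }


if __name__ == "__main__":
    print(demo())
```

The `mixed_ok` result is the point of refreshing: a mobile adversary who holds one pre-refresh share and one post-refresh share cannot combine them.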

- What we have described so far, or at least looked at so far, are intrusion prevention schemes.
- This means that these schemes are proactive in nature; they know that there are adversaries and try to prevent them from creating chaos in the system.
- But this is not enough.
- No matter what precautions you take, the game is a race between the hacker and the net admin mechanisms.
- We have not even come close to overcoming some of the attacks that might occur in ad hoc networks.
- If the attacks do occur, there have to be methods of detecting them and recovering from them.
- This is usually referred to as Intrusion Detection.

Reminding ourselves of some problems
- So far, nothing has been done to prevent denial of service attacks at the MAC layer.
- Ad hoc routing protocols are co-operative. They are therefore vulnerable: network operations can go topsy-turvy upon attack.
- How is the secure link established in the first place for sharing of keys?
- Are there even attacks that we have not yet thought of?
- Questions that are yet to be answered.

Primary assumptions of Intrusion Detection Schemes
- User and program activities are observable, for example via system auditing mechanisms.
- Normal and intrusion activities have distinctly different behavior.
- Thus, an intrusion detection mechanism involves capturing audit data and then reasoning about the evidence in the data to determine whether the system is under attack.
- IDSs (intrusion detection systems) can be network based or host based.
  - A network-based IDS is placed at the gateway of a network and captures packets as they pass through the network hardware interface.
  - A host-based IDS relies on the OS audit data to monitor and analyze events generated by programs or users on the host.

Misuse Detection and Anomaly Detection
- Misuse detection systems use patterns of well-known attacks or weak spots to identify known intrusions.
  - Example: login failures.
  - Can detect known attacks but cannot handle innovative new attacks.
- Anomaly detection systems flag observed activities that deviate significantly from established normal usage profiles.
  - Example: a user is logging on much more frequently than he/she usually does.
  - May not be able to describe the attack; high probability of false alarms.

Difficulties in an Ad Hoc Wireless Framework
- Traffic patterns cannot be easily established due to the dynamically changing environment.
- No traffic concentration points such as routers or gateways; only local info is possible in some sense.
- Communication patterns vary more (stingy in bandwidth/battery usage, channel conditions differ in time, location-dependent computing, etc.), which increases false alarm rates.
- No clear separation between normalcy and anomaly; volatility comes with the wireless environment.

An architecture for an IDS in ad hoc networks
- From Reference 2, by Zhang and Lee.
- Need for a distributed and co-operative IDS.
- Every ad hoc node participates in intrusion detection and response.
  - Detect signs of intrusion locally and independently.
  - Collaboratively increase the range of investigation.
- Each node monitors local activities, detects intrusion from local traces and initiates a response.
- If an anomaly is detected or if the evidence is inconclusive, neighboring IDS agents will co-operatively participate in global intrusion detection actions.

[Figure: IDS agent architecture. Components: local data collection (system call activities, communication activities, other traces; gathers audit traces and activity logs), local detection engine (detects anomalies), co-operative detection engine (used if more data sets are needed), local response, global response, and secure communication (used to talk to neighboring IDS agents).]

Data collection, intrusion detection and response
- Data is collected from various sources: local, relay info, routing.
- Normal profiles are created by a training process, and deviations from these normal profiles are observed.
- How much the observed phenomenon differs from the normal profile is of importance.
- If there is strong evidence locally, a response can be triggered. If not, the co-operative engine is invoked.
- A distributed consensus mechanism is invoked.
  - A node sends its neighbors an anomaly state request.
  - Each node propagates this information.
  - If the majority of received reports indicate anomaly or intrusion, take action.

- This relies on the assumption that the majority of the nodes are not compromised. If they are, you are dead anyway!
- A few likely responses would be:
  - Force re-key: reinitialize communication channels between nodes.
  - Identify the compromised nodes and re-organize the nodes to preclude compromised nodes.

Anomalous updates to Routing Tables
- The main concern being addressed is that a compromised node generates false routing info and disseminates it to other nodes.
- Trace data in this case would describe the normal or legitimate updates of routing information → caused by physical movements or network membership changes.
- The authors suggest two metrics: the percentage of changed routes (PCR) and the percentage of changes in the sum of hops of all routes (PCH).
- During the training process, normal situations are simulated and trace data is gathered for each node.
- This allows a description of normal changes to PCR and PCH.
- If the observed values are within a certain confidence of the observed data, it is OK; otherwise the behavior is abnormal.
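A sketch of the PCR/PCH check described above, as an added example (not code from the slides or from Zhang and Lee). The exact formulas, the "mean plus k standard deviations" confidence band, the routing-table layout and all node names and snapshots are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed routing-table snapshots: {destination: (next_hop, hop_count)}.
T0 = {"B": ("B", 1), "C": ("B", 2), "D": ("B", 3), "E": ("F", 2), "F": ("F", 1)}
T1 = {**T0, "D": ("F", 3)}                      # next hop changed by movement
T2 = {**T1, "D": ("F", 2)}                      # D moved one hop closer
T3 = {**T2, "C": ("F", 3), "E": ("B", 3)}       # two routes lengthened
T4 = dict(T3)                                   # quiet interval, no change
TRAINING = [T0, T1, T2, T3, T4]

# Constructed test updates: a forged update in which every destination is
# suddenly one hop away via F, and an ordinary single-route change.
ATTACK = {"B": ("B", 1), "C": ("F", 1), "D": ("F", 1), "E": ("F", 1), "F": ("F", 1)}
BENIGN = {**T4, "D": ("B", 3)}


def pcr_pch(old, new):
    """Return (PCR, PCH) in percent between two snapshots.

    Assumed definitions: PCR = routes added, removed or altered, relative to
    the number of old routes; PCH = absolute change in the sum of hop counts,
    relative to the old sum.
    """
    dests = set(old) | set(new)
    changed = sum(1 for d in dests if old.get(d) != new.get(d))
    pcr = 100.0 * changed / len(old) if old else 0.0
    old_hops = sum(h for _, h in old.values())
    new_hops = sum(h for _, h in new.values())
    pch = 100.0 * abs(new_hops - old_hops) / old_hops if old_hops else 0.0
    return pcr, pch


def train(snapshots):
    """Build the normal profile: (mean, stdev) of PCR and of PCH over training."""
    samples = [pcr_pch(a, b) for a, b in zip(snapshots, snapshots[1:])]
    return [(mean(col), stdev(col)) for col in zip(*samples)]


def is_anomalous(profile, old, new, k=2.0):
    """Flag an update whose PCR or PCH exceeds mean + k * stdev of the profile."""
    return any(v > m + k * s for v, (m, s) in zip(pcr_pch(old, new), profile))


if __name__ == "__main__":
    profile = train(TRAINING)
    for name, table in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, pcr_pch(T4, table), is_anomalous(profile, T4, table))
```

With so few training samples the band is wide; a node that finds its local evidence inconclusive would hand the decision to the co-operative engine described earlier.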

- Similar metrics could be defined for activities at other layers as well. Examples:
  - At the MAC layer → how many channel requests in the past s seconds; the mean, variance, the largest and smallest of all these requests.
  - At the application layer → in the past s seconds, how many requests have been made for the same service?
- Multi-layer integration could be required: layers need to co-operate in order to detect intrusions.

- The final take is that this is a wide open area.
- Attack methods are not explored to the fullest: what are the possible methods for attacking an ad hoc network?
- What are the possible defenses against these attacks?
- It appears that traditional methods may not suffice.
- Survivability of the network is key to its wide usage and deployment.
REMEMBER NEXT TUESDAY – NO CLASS.