Anonymous Communications in Mobile Ad Hoc Networks Yanchao Zhang, Wei Liu, Wenjing Lou Presenter: Bo Wu.

Presentation transcript:


Outline
- Introduction
- Threat Model
- MASK Model
- Performance Evaluation
- Conclusion

MANETs
- A mobile ad hoc network (MANET) is a type of wireless network: a self-configuring network of mobile devices connected by any number of wireless links.

MANETs
- Every node in a MANET is also a router, because it is required to forward traffic unrelated to its own use.
- Each MANET device is free to move independently.
- Wireless links are particularly vulnerable to eavesdropping and other attacks.

MANETs: Ad hoc?
- A short-lived network just for the communication needs of the moment
- Self-organizing, infrastructure-less network
- Energy conservation
- Scalability

MANETs: Challenges
- Lack of a centralized entity
- Network topology changes frequently and unpredictably
- Channel access / bandwidth availability
- Hidden/exposed station problem
- Lack of symmetrical links
- Power limitation

MANETs: AODV
- Source node initiates path discovery by broadcasting a route request (RREQ) packet to its neighbors
- Every node maintains two separate counters
  - Sequence number
  - Broadcast-id
[Figure: RREQ broadcast across the example topology]
AODV part adapted from slides of Sirisha R. Medidi

MANETs: AODV
- A neighbor either broadcasts the RREQ to its neighbors or satisfies the RREQ by sending a RREP back to the source
- Later copies of the same RREQ request are discarded
[Figure: Reverse Path Setup]

MANETs: AODV
- Reverse paths are set up automatically
- Node records the address of the sender of the RREQ
- Entries are discarded after a time-out period

MANETs: AODV
[Figures: Forward Path Setup on the example topology]

Advantages: efficient algorithm for ad-hoc networks
- Highly scalable
- Need for broadcast is minimized
- Quick response to link breakage in active routes
- Loop-free routes

Traffic Analysis
- Frequent communications: can denote planning
- Rapid, short communications: can denote negotiations
- A lack of communication: can indicate a lack of activity, or completion of a finalized plan
- Frequent communication to specific stations from a central station: can highlight the chain of command
- Who talks to whom: can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
- Who talks when: can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
- Who changes from station to station, or medium to medium: can indicate movement, fear of interception

General Defending Methods
- Prevent detection
  - Spread spectrum modulation
  - Effective power control
  - Directional antennas
- Traffic padding
- End-to-end encryption and/or link encryption on data traffic

Threat Model
- Passive
  - Totally quiet, or just inject a small amount of traffic
- Monitor every transmission of each node
- Many adversaries can communicate with each other very fast
- May compromise a small number of nodes
- Limited computational capability

Basic Math
Let $G_1, G_2$ be two groups of the same prime order $q$. A pairing is a computable bilinear map $f : G_1 \times G_1 \to G_2$ satisfying the following properties:
1. Bilinearity: $\forall P, Q, R, S \in G_1$, we have $f(P + Q, R + S) = f(P, R)\,f(P, S)\,f(Q, R)\,f(Q, S)$.
2. Non-degeneracy: if $f(P, Q) = 1$ for all $Q \in G_1$, then $P$ must be the identity element in $G_1$.
3. Computability: there is an efficient algorithm to compute $f(P, Q)$ for all $P, Q \in G_1$.

MASK
- MASK stands for ?
- A novel anonymous on-demand routing protocol for MANETs
  - Anonymous neighborhood authentication
  - Anonymous route discovery and data forwarding

MASK System Model
- A number of non-malicious nodes
- No selfish behavior
- Moderate movement
- Trusted Authority (TA) bootstraps security parameters
  - $g$: the master key
  - $H_1 : \{0,1\}^* \to G_1$, mapping arbitrary strings to points in $G_1$
  - $H_2 : \{0,1\}^* \to \{0,1\}^\beta$, mapping arbitrary strings to $\beta$-bit fixed-length output
  - Every node is blind to $g$
  - TA furnishes each node $ID_i$ with a sufficiently large set $PS_i$ of collision-resistant pseudonyms and a corresponding secret point set $S_i = gH_1(PS_i) = \{S_{i,j}\} = \{gH_1(PS_{i,j}) \in G_1\}$ $(1 \le j \le |PS_i|)$.

MASK: Anonymous Neighbor Authentication
- Definition:
  - Two neighboring nodes can ensure that they belong to the same party or have a trustable relationship with each other without revealing either their real identifiers or their party membership information.
- Existing methods:
  - Network-wide key
  - Pairwise key
  - Public-key certification

MASK: Anonymous Neighbor Authentication
- Alice and Bob use pseudonyms randomly selected from their sets
- Alice starts the authentication by sending her pseudonym and a challenge
- Bob can calculate the corresponding master session key and send the authentication message back
- Alice authenticates Bob and replies with her own authentication message
- Both Bob and Alice generate link IDs and session keys based on the master session key

MASK: Anonymous Neighbor Authentication
- After the authentication both sides have:
- If a packet is identified by, then it should be decrypted using
- Whenever these pairs are used up, Alice and Bob are required to automatically increase both $n_1$ and $n_2$ by one and generate new pairs.
- Every node follows this procedure and establishes a neighbor table

MASK: Anonymous Neighbor Authentication
- Only the TA can infer a real ID from pseudonyms
- To an adversary, link IDs are random bits
- An adversary cannot infer the session key from link IDs
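The three-message exchange above, as an added example (not code from the slides or the MASK authors); it assumes the master session key is $f(S_{me}, H_1(PS_{peer}))$, which bilinearity and $S_i = gH_1(PS_i)$ make equal on both sides. The pairing is a toy map over small integers with no security, and the tag and LinkID encodings, function names and sample pseudonyms are assumptions.

```python
import hashlib
import hmac

# Toy symmetric pairing for illustration only (NOT secure): G1 is the additive
# group Z_q, G2 the order-q subgroup of Z_p^*, and f(a, b) = h^(a*b) mod p.
Q, P, H = 1019, 2039, 4   # P = 2Q + 1; 4 generates the order-Q subgroup

def pairing(a, b):
    return pow(H, (a * b) % Q, P)

def h1(pseudonym):        # H1: strings -> non-identity elements of G1
    digest = hashlib.sha256(pseudonym.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def h2(*fields):          # H2: strings -> fixed-length output (64 bits here)
    data = "|".join(map(str, fields)).encode()
    return hashlib.sha256(data).hexdigest()[:16]

def ta_issue(g, pseudonym):
    """Trusted authority: secret point S = g*H1(PS); the node never sees g."""
    return {"ps": pseudonym, "S": (g * h1(pseudonym)) % Q}

def master_key(me, peer_ps):
    # f(S_me, H1(PS_peer)) = f(H1(PS_me), H1(PS_peer))^g, identical on both sides
    return pairing(me["S"], h1(peer_ps))

def link_pair(k, ps_a, ps_b, n1, n2):
    """(LinkID, session key) for the current nonce values (assumed encoding)."""
    return h2(k, ps_a, ps_b, n1, n2, 2), h2(k, ps_a, ps_b, n1, n2, 3)

def handshake(alice, bob, n1, n2):
    """Run the exchange; return both sides' (LinkID, key) pairs, or None."""
    ps_a, ps_b = alice["ps"], bob["ps"]
    # 1. Alice -> Bob: PS_A and challenge n1
    k_b = master_key(bob, ps_a)
    v_b = h2(k_b, ps_a, ps_b, n1, n2, 0)
    # 2. Bob -> Alice: PS_B, challenge n2 and authentication tag V_B
    k_a = master_key(alice, ps_b)
    if not hmac.compare_digest(v_b, h2(k_a, ps_a, ps_b, n1, n2, 0)):
        return None                       # Alice rejects Bob
    v_a = h2(k_a, ps_a, ps_b, n1, n2, 1)
    # 3. Alice -> Bob: authentication tag V_A
    if not hmac.compare_digest(v_a, h2(k_b, ps_a, ps_b, n1, n2, 1)):
        return None                       # Bob rejects Alice
    return link_pair(k_a, ps_a, ps_b, n1, n2), link_pair(k_b, ps_a, ps_b, n1, n2)
```

Increasing both nonces by one and calling `link_pair` again yields the next (LinkID, key) pair without a new handshake.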

MASK: Anonymous Route Discovery
- Besides the neighbor table, each node has:
  - Forwarding route table
  - Reverse route table
  - Target link table
- The current node is the final destination for the packets bearing the linkIDs which are in its target link table.

MASK: Anonymous Route Discovery
- Anonymous route request
  - ARREQ_id uniquely identifies the request
  - Dest_id is the real id of the destination
  - destSeq is the last known sequence number for the destination
  - $PS_x$ is the active pseudonym of the source

MASK: Anonymous Route Discovery
- For each node in the network:
  - On receiving an ARREQ for the first time, it inserts an entry into its reverse route table recording where this ARREQ comes from, and rebroadcasts the ARREQ after changing the embedded pseudonym field to its own.
  - It discards any ARREQ already seen
- All nodes broadcast only once

MASK: Anonymous Route Discovery
- Anonymous route replies
  - LinkID is the shared packet identifier to be used between the sender and the corresponding receiver
  - {ARREP, dest_id, destSeq} is encrypted by the paired session key such that only the intended receiver can decrypt it

MASK: Anonymous Route Discovery
- Intermediate nodes discard replies with a smaller destSeq than their own record
- An intermediate node can also generate a route reply if it has a forward route entry for the dest id with destSeq equal to or larger than that contained in the received ARREQ.
- Multiple paths are established during this process
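An added simulation (not from the slides) of the ARREQ handling above, which follows the same flood-and-reverse-path pattern as the AODV RREQ earlier in the deck: each node rebroadcasts once with its own pseudonym, records where the request came from, and drops repeats. The topology, pseudonym strings and function names are constructed for illustration, and the destination is assumed to rebroadcast like any other node.

```python
from collections import deque

# Constructed topology and pseudonyms (sample data, not from the slides).
LINKS = {"S": ["A", "B"], "A": ["S", "C"], "B": ["S", "C"],
         "C": ["A", "B", "D"], "D": ["C"]}
PS = {n: f"PS_{i:02x}" for i, n in enumerate(LINKS, start=0x51)}

def flood_arreq(source, arreq_id, dest_id, dest_seq):
    """Flood one ARREQ; return (frames seen on air, reverse route entries)."""
    reverse = {source: None}                  # the source has no upstream hop
    on_air = []
    queue = deque([source])
    while queue:
        node = queue.popleft()
        # Each node broadcasts exactly once, with its own pseudonym embedded.
        frame = (arreq_id, dest_id, dest_seq, PS[node])
        on_air.append(frame)
        for nbr in LINKS[node]:
            if nbr in reverse:
                continue                      # ARREQ already seen: discard
            reverse[nbr] = frame[3]           # where this ARREQ came from
            queue.append(nbr)
    return on_air, reverse

def reverse_path(reverse, dest):
    """Walk reverse route entries from dest back to the source."""
    owner = {ps: n for n, ps in PS.items()}   # simulator-only pseudonym lookup
    path, node = [dest], dest
    while reverse[node] is not None:
        node = owner[reverse[node]]
        path.append(node)
    return path

def frames_naming(on_air, node):
    """Frames a passive observer can tie to one pseudonym: its single broadcast."""
    return [f for f in on_air if f[3] == PS[node]]

if __name__ == "__main__":
    frames, table = flood_arreq("S", 7, "D", 12)
    for f in frames:
        print(f)
    print(reverse_path(table, "D"))
```

Every frame carries dest_id in clear, while the source's pseudonym appears only in the first broadcast; after that the embedded pseudonym is that of whichever node is relaying.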

MASK: Anonymous Route Discovery
- Anonymous Data Forwarding
  - next-LinkID is randomly selected from the next-link-list field
  - The MASK payload may be an end-to-end encrypted message
  - Does not necessarily select the best path

Security analysis
- Message Coding Attack
  - Adversary can easily link and trace some packets that do not change their content or length
- MASK countermeasures
  - Hop-by-hop encryption
  - Random padding

Security analysis
- Flow Recognition and Message Replay Attacks
  - Recognize the packets belonging to some communication flow
- MASK countermeasures
  - Hop-by-hop encryption
  - LinkID update

Security analysis
- Timing Analysis Attack
  - Tell the difference between nodes by transmission timing, e.g. transmission rate
- MASK countermeasures
  - When the traffic is light, this attack is quite dangerous

Performance Evaluation
- Tate pairing for the bilinear map $f$
  - Most expensive part
  - Indispensable
- SHA-1 to implement the collision-resistant hash functions
- Efficient symmetric algorithm RC6 for hop-by-hop encryption and decryption

Performance Evaluation
- For normal traffic, AODV is a little bit better
- MASK outperforms AODV for heavy traffic due to available multiple paths

Performance Evaluation
- MASK outperforms AODV in terms of overhead
  - It conducts costly route discovery less frequently

Performance Evaluation
- AODV has much less latency
- MASK tries to balance the tradeoff between anonymity and latency

Conclusion
- Very good resistance to passive attackers
- Timing attack is still unresolved in this model
- Very good routing performance
- But AODV also has a multi-path version: AOMDV

Questions?