SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Network. Raymond Chang, March 30, 2005. EECS 600 Advanced Network Research, Spring 2005.
Introduction
SEAD is a secure ad hoc network routing protocol based on the design of the Destination-Sequenced Distance Vector (DSDV) protocol.

Overview of SEAD
SEAD is robust against multiple uncoordinated attackers creating incorrect routing state in any other node, even in the presence of active attackers or compromised nodes in the network. Instead of asymmetric cryptographic operations, SEAD uses an efficient one-way hash function to prevent the sequence number and hop count from being modified by a malicious node.

Limitations of SEAD
SEAD cannot defend against the following attacks:
- Tunneling attack
- Vertex cut attack

Routing protocols
- Periodic protocols: nodes periodically exchange routing information with other nodes, so that each node always knows a current route to every destination.
- On-demand protocols: nodes exchange routing information only when needed; a node attempts to discover a route to some destination only when it has a packet to send to that destination.
- Hybrid protocols: combine periodic and on-demand mechanisms.

Distance Vector Routing Protocol
Finds shortest paths between nodes in the network through a distributed implementation of the classical Bellman-Ford algorithm. Each router maintains a routing table that lists all possible destinations within the network. Each entry in the routing table contains:
- the address of the destination
- the shortest distance to that destination
- the address of the first hop on the shortest route to the destination

Distance Vector Routing Protocol (continued)
How the routing table is maintained:
- Each node periodically transmits a routing update to its neighbors.
- Each node uses the information advertised by its neighbors to update its own routing table.
- Triggered updates: a node transmits a new update as soon as some destination changes, rather than waiting for its next scheduled periodic update.

Distance Vector Routing Protocol (continued)
Routing loop problem (counting to infinity):
- More common in ad hoc networks, because of node motion and possible changes in wireless propagation conditions.
- Possible solution: poisoned reverse.
Solution to the counting-to-infinity problem in SEAD:
- The maximum metric value is defined to be relatively small.
- A sequence number in each routing table entry prevents routing loops caused by updates being applied out of order.

DSDV-SQ
Each node maintains a sequence number that is included in each routing update it sends. Each entry in a node's routing table is tagged with the most recent sequence number it knows for that destination. When a node detects a broken link to a neighbor, it creates a new routing update for that neighbor as a destination, with an "infinite" metric. A node applies a newly received update to its routing table if the update has
- a greater sequence number, or
- the same sequence number and a lower metric.
If a node receives a routing update with a lower sequence number than the one in the corresponding entry of its routing table, it discards the update. The receipt of a new sequence number can cause a triggered update.

Assumptions
- All wireless links are bidirectional.
- Physical layer and link layer attacks are not considered in this paper (spread spectrum).
- The maximum network diameter is m-1 (an upper bound).
- At initialization, each node generates the elements of its one-way hash chain h_0, h_1, h_2, h_3, ..., h_n as h_0 = x and h_i = H(h_{i-1}).

One-way hash chain
It is computationally hard to produce the pre-image of a particular hash value: given h_i, it is hard to compute h_{i-1}. In using the values of the hash chain, a node progresses from "right to left" (in order of decreasing subscript i) within the generated chain. Given an existing authenticated element of a one-way hash chain, it is possible to verify elements later in the sequence of use within the chain. For example, given an authenticated value h_i, a node can authenticate h_{i-3} by computing H(H(H(h_{i-3}))) and verifying that the resulting value equals h_i. Some mechanism is assumed to exist for a node to distribute an authentic element, such as h_n, from its generated hash chain.

Distributing an authentic element
- Asymmetric cryptography: a trusted entity (CA) signs a public key for each node; each node distributes its public key and the key's credential; the authentic element is signed.
- PGP-like certificates, without relying on a trusted public key infrastructure.
- Symmetric-key cryptography.

Attacks
- Failing to advertise certain routes, or destroying or discarding routing information available to other nodes (this paper does not attempt to defend against this attack).
- An attacker can modify an advertisement by changing the destination, metric, or source address:
  - An attacker advertising a zero metric causes all nodes around it to route packets for all destinations toward it, rather than toward each actual destination.
  - Modifying the source address of the advertisement spreads inaccurate next-hop information.
- Replay attack: advertising stale routing information.
- Wormhole attack, tunneling attack and vertex cut attack.

Basic design of SEAD
- Destination sequence number: provides replay protection for routing update messages.
- No average settling time is used when sending triggered updates.
- Metric and sequence number authenticator: a one-way hash chain is used to authenticate the metric and the sequence number.
- Neighbor authentication: a shared secret key between each pair of nodes and a Message Authentication Code are used to authenticate the sender, ensuring that the routing information originates from the correct sender.

Average weighted settling time
Each node in DSDV tracks, for each destination, the average time between
- when the node receives the first update for some new sequence number for that destination, and
- when the node receives the best update for that sequence number.
To reduce the number of redundant triggered updates, each node waits the average weighted settling time before it sends a routing update. SEAD does not use such a delay, to prevent attacks from nodes that might maliciously not honor the delay.

Metric and sequence number authenticator
The lower bound on each metric and sequence number in a routing update is secured through a one-way hash chain. Traditional approach: asymmetric cryptography is used to sign routing updates, which makes denial of service attacks easy to mount.

Disadvantages of signing routing updates
The disadvantages of using asymmetric cryptography to sign routing updates include:
- An attacker could send a large number of arbitrary forged routing updates to a victim node, which then spends all of its CPU resources verifying them.
- A compromised node can send updates claiming that any other node is a neighbor, causing other nodes to incorrectly direct packets for that destination toward the attacker.
- The larger signatures and longer signature generation and verification times of asymmetric cryptography consume resources that could otherwise be used for running useful applications and doing useful communication.

Protecting the metric and sequence number
SEAD uses a one-way hash chain:
- A node uses elements from its one-way hash chain in groups of m.
- A node's hash chain is a sequence of values h_0, h_1, h_2, ..., h_n, where n is divisible by m. Let i be the sequence number and k = n/m - i.
- The group of elements used for a routing update with sequence number i is h_{km}, h_{km+1}, h_{km+2}, ..., h_{km+m-1}.
  Example: seq = 1 uses h_{n-m}, h_{n-m+1}, h_{n-m+2}, ..., h_{n-1}; seq = 2 uses h_{n-2m}, h_{n-2m+1}, h_{n-2m+2}, ..., h_{n-m-1}.
- The one-way hash chain elements are used for authentication in reverse order.

Protecting the metric and sequence number (continued)
When a node sends a routing update, it includes a hash value in each entry of that update.
- The entry for itself: Address: its own node address. Metric: 0. Sequence number: its own next sequence number. Hash value: the first element of the hash group corresponding to that sequence number (h_{km}).
- An entry for some other destination: Address: that destination's address. Metric: the metric stored from the received update, increased by 1. Sequence number: the value for that destination in its routing table. Hash value: the hash of the hash value received in the routing update.
- The one-way hash chain authenticates a lower bound on the metric in other routing updates for the destination, but it does not prevent a malicious node from claiming the same metric as the node from which it received the route.

Protecting the metric and sequence number (continued)
Due to the one-way nature of the hash chain, an adversary cannot advertise:
- a sequence number larger than that destination's own current sequence number, or
- a route better than those for which it has received an advertisement, since the metric in an existing route cannot be decreased.
How a receiver verifies a received routing update: based on the sequence number and metric in the received entry, and the sequence number and metric of the latest prior authentic hash value for that destination, the receiver hashes the hash value received in the entry the correct number of times and confirms that the result equals the prior authentic hash value.

Example
Assume m = 4 and the chain elements h_0, h_1, h_2, h_3, h_4, h_5, h_6, h_7, h_8, h_9, h_10, h_11. An adversary receives a routing update carrying h_10 (sequence number 1 and hop count 2).
- To propagate a forged routing update with sequence number 2 and hop count 2, the adversary would need the hash value h_6.
- To propagate a forged routing update with sequence number 1 and hop count 0, the adversary would need the hash value h_8.
Neither value can be computed from h_10, because the chain is one-way.

Example
Assume m = 4 and the chain elements h_0, h_1, h_2, h_3, h_4, h_5, h_6, h_7, h_8, h_9, h_10, h_11. The latest prior authentic hash value is h_10 (sequence number 1 and hop count 2). The received hash value is h_5 (sequence number 2 and hop count 1). The number of hash applications is (2-1)*4 + (2-1) = 5, so the receiver verifies that H(H(H(H(H(h_5))))) = h_10.
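The hash-chain grouping, the per-hop update rule and the receiver check from the slides above, as an added example that is not code from the presentation or the SEAD authors. It assumes n = 12 (so h_12 is the distributed anchor), m = 4 and SHA-256 as H; the function names and the seed are hypothetical.

```python
import hashlib

# Parameters from the slides' worked example (constructed values): n = 12 and
# m = 4, so the chain serves n/m = 3 sequence numbers, the maximum metric is
# m - 1 = 3, and h_12 is the anchor the node distributes authentically.
N = 12
M = 4


def H(value: bytes) -> bytes:
    """The one-way function; SHA-256 is an assumption, the slides leave H abstract."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, n: int = N) -> list:
    """h_0 = seed, h_i = H(h_{i-1}); returns [h_0, ..., h_n]."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def chain_index(seq: int, metric: int, n: int = N, m: int = M) -> int:
    """Element authenticating (seq, metric): group k = n/m - seq spans
    h_{km} .. h_{km+m-1}, and metric j within that group uses h_{km+j}."""
    if not (1 <= seq <= n // m) or not (0 <= metric < m):
        raise ValueError("sequence number or metric outside the chain's range")
    return (n // m - seq) * m + metric


def verify_entry(prior_seq: int, prior_metric: int, prior_hash: bytes,
                 seq: int, metric: int, received_hash: bytes) -> bool:
    """Receiver check: hash the received value (seq - prior_seq) * m +
    (prior_metric - metric) times and compare with the prior authentic value."""
    try:
        steps = chain_index(prior_seq, prior_metric) - chain_index(seq, metric)
    except ValueError:
        return False
    if steps < 0:   # older seq, or same seq with a worse metric: DSDV-SQ discards it
        return False
    value = received_hash
    for _ in range(steps):
        value = H(value)
    return value == prior_hash


def relay_entry(received_hash: bytes, metric: int):
    """All a relaying node can do with an entry: add one hop and hash once."""
    return H(received_hash), metric + 1


def slide_example():
    """Replays the slides: the prior authentic value is h_10 (seq 1, metric 2)."""
    chain = build_chain(b"constructed seed x")
    genuine = verify_entry(1, 2, chain[10], 2, 1, chain[5])      # 5 hashes reach h_10
    h6, hops = relay_entry(chain[5], 1)                          # honest relay: (h_6, 2)
    relayed = verify_entry(1, 2, chain[10], 2, hops, h6)         # 4 hashes reach h_10
    # Forgeries by a node that only holds h_10 and relabels it:
    forged_seq = verify_entry(1, 2, chain[10], 2, 2, chain[10])  # would need h_6
    forged_hop = verify_entry(1, 2, chain[10], 1, 0, chain[10])  # would need h_8
    return genuine, relayed, forged_seq, forged_hop
```

The relayed case also shows the caveat from the earlier slide: a node holding h_5 can re-advertise sequence number 2 with metric 1 unchanged, since only the lower bound on the metric is authenticated.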

Neighbor authentication
The source of each routing update message in SEAD should also be authenticated, since otherwise an attacker may be able to create routing loops.
Solutions:
- TESLA, HORS, TIK: require synchronized clocks.
- A shared secret key between each pair of nodes and a message authentication code.
Each node trusts any zero-metric update with a valid authenticator; if a node has received such an update from another node for a recent sequence number, it considers that node a neighbor and computes a Message Authentication Code for it in subsequent updates.
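The DSDV-SQ table update rules from the earlier slide, gated by the pairwise-key neighbor authentication described here, as an added example (not code from the presentation or the SEAD authors). HMAC-SHA256 as the MAC, the constructed "infinite" metric value, and the class and function names are assumptions.

```python
import hashlib
import hmac

INFINITE = 99  # constructed "infinite" metric for broken-link updates


def update_mac(key: bytes, dest: str, seq: int, metric: int) -> bytes:
    """MAC over one update entry with the pairwise shared key.
    HMAC-SHA256 is an assumption; the slides only say 'Message Authentication Code'."""
    return hmac.new(key, f"{dest}|{seq}|{metric}".encode(), hashlib.sha256).digest()


class RoutingTable:
    def __init__(self, pairwise_keys: dict):
        self.keys = pairwise_keys   # neighbor address -> shared secret key
        self.routes = {}            # destination -> (seq, metric, next hop)

    def apply(self, sender: str, dest: str, seq: int, metric: int, tag: bytes) -> bool:
        """Neighbor authentication first, then the DSDV-SQ acceptance rule."""
        key = self.keys.get(sender)
        if key is None or not hmac.compare_digest(tag, update_mac(key, dest, seq, metric)):
            return False                      # not from an authenticated neighbor
        new_metric = INFINITE if metric == INFINITE else metric + 1
        cur = self.routes.get(dest)
        if cur is None or seq > cur[0] or (seq == cur[0] and new_metric < cur[1]):
            self.routes[dest] = (seq, new_metric, sender)
            return True
        return False                          # lower seq, or same seq without a better metric

    def broken_link(self, neighbor: str) -> dict:
        """Update originated when the link to a neighbor breaks: that neighbor as
        destination, an infinite metric, and a sequence number one past the last held."""
        seq = (self.routes[neighbor][0] if neighbor in self.routes else 0) + 1
        self.routes[neighbor] = (seq, INFINITE, None)
        return {"dest": neighbor, "seq": seq, "metric": INFINITE}


def demo():
    """Constructed exchange: A holds a key shared with neighbor B, none with X."""
    k_ab = b"constructed key shared by A and B"
    table = RoutingTable({"B": k_ab})
    results = [
        table.apply("B", "D", 10, 2, update_mac(k_ab, "D", 10, 2)),           # new dest: accept
        table.apply("B", "D", 10, 3, update_mac(k_ab, "D", 10, 3)),           # same seq, worse
        table.apply("B", "D", 10, 1, update_mac(k_ab, "D", 10, 1)),           # same seq, better
        table.apply("B", "D", 8, 0, update_mac(k_ab, "D", 8, 0)),             # stale seq (replay)
        table.apply("X", "D", 12, 0, update_mac(b"not shared", "D", 12, 0)),  # unknown neighbor
    ]
    return results, table.routes["D"]
```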

Evaluation: security analysis
Since distance vector protocols compress the routing information into a hop count, it is challenging to verify the correctness of the hop count value. Given an advertisement for a route with a metric of h hops and sequence number s, a malicious node can generate advertisements for h-hop or longer routes with sequence number s. An attacker that has not compromised any node cannot successfully send routing messages, since an uncompromised neighbor node will reject the messages due to the failed neighbor authentication.

Evaluation: security analysis (continued)
SEAD cannot defend against the tunneling attack. In the slide's figure, the length of the best route is 4 and the length of the compromised route is 2.

Evaluation: security analysis (continued)
SEAD cannot defend against the vertex cut attack.

Evaluation (simulation)
- Simulator: ns2
- Nodes move according to the random waypoint mobility model
- Communication pattern: 20 source-destination pairs, 4 data packets per second, packet size 512 bytes

Evaluation (simulation) metrics
- Packet delivery ratio: the total over all nodes of the number of application-level packets received, divided by the total number of application-level packets originated.
- Byte overhead: the total over all hops of the number of overhead bytes transmitted.
- Packet overhead: the total over all hops of the number of overhead packets transmitted.
- Median latency: the elapsed time between the application layer passing a packet to the routing layer and that packet first being received at the destination.

Evaluation: simulation results (four slides of result plots; only the titles survive in the transcript)

Conclusion
- SEAD uses inexpensive cryptographic primitives to protect routing state from being maliciously modified.
- SEAD outperforms DSDV-SQ in terms of packet delivery ratio.
- It seems unavoidable to sacrifice some performance as security functionality is incorporated into a routing protocol.

Discussion
- How can a distance vector protocol defend against the tunneling attack?
- How can a routing protocol defend against the vertex cut attack?
- How can we detect nodes that advertise routes but do not forward packets?