    Secure Routing for Mobile Ad Hoc Networks

    Jing Liu, Fei Fu, Junmo Xiao and Yang Lu

    PLA University of Science and [email protected]

    Abstract

    Buttyan found a security flaw in Ariadne[10] and proposed a secure routing protocol, EndairA[19-20], that can resist active-1-1 attacks. Unfortunately, we have discovered a previously unknown active-0-1 attack, which we call the man-in-the-middle attack, that EndairA cannot resist. Accordingly, we propose a new secure routing protocol, EndairALoc. Analysis shows that EndairALoc can resist not only active-1-1 attacks but also the wormhole attack. Furthermore, EndairALoc uses pairwise secret keys instead of the public keys used in EndairA. Compared with EndairA, EndairALoc saves more energy during route establishment.

    1. Introduction

    Wireless ad hoc networks (WANETs) are currently a very active area of academic and industrial research because of their foreseeable broad applications. However, they are vulnerable to a wide range of attacks due to the open medium, dynamically changing topology, possible node compromise, difficulty of physical protection, absence of infrastructure and lack of trust among nodes[1-5]. In particular, the routing protocols in MANETs are subject to different kinds of attacks[1,6-8]. In this paper we focus on the design of secure routing protocols that resist these attacks in WANETs.

    Many security protocols have been proposed to date, e.g. SRP[9], Ariadne[10], SAODV[11-12], ARAN[13-14], SADSR[15], SEAD[16], and SLSP[17]. Both SRP and Ariadne are improved secure routing protocols based on DSR[18]. SRP requires a security association between the initiator and the target, while Ariadne needs a security association between the initiator and every node, including the intermediate nodes and the target. Ariadne is claimed to prevent all active-1-1 attacks (this attacker model is introduced later).

    In 2005 Buttyan first found an active-1-1 attack that SRP and Ariadne could not resist, and proposed a new secure protocol named EndairA[19-20]. However, we have found a new attack that EndairA cannot resist. We call this attack the man-in-the-middle attack. Based on EndairA, we propose a new secure routing protocol named EndairALoc, which uses the location information of the nodes to resist this attack. Analysis shows that our protocol resists not only the attacks that EndairA resists, but also the man-in-the-middle attack and even the wormhole attack. In addition, we use a symmetric key mechanism in place of the public key mechanism used in EndairA, which greatly reduces energy consumption.

    Section 2 of this paper introduces the attacker model and the EndairA protocol. Section 3 presents the vulnerability of EndairA. A new secure routing protocol named EndairALoc is proposed in Section 4. Section 5 analyzes the security and performance of EndairALoc, and Section 6 presents our conclusions.

    2. Attacker model and analysis of EndairA

    2.1. Attacker Model

    The attacker model Active-n-m was first introduced in paper [10]. In that paper, the authors classify attackers into two main classes: passive and active. A passive attacker only eavesdrops on the network. It mainly threatens the privacy or anonymity of communication, rather than the functioning of the network or its routing protocol. An active attacker can inject packets into the network and generally can also eavesdrop, so we should lay more emphasis on the active attacker. The authors then characterize the attacker by the number of nodes it owns in the network and by the number of those that are good nodes it has compromised. It is assumed that the attacker owns all the cryptographic key information of the compromised nodes and distributes it among all its nodes. In the attacker model Active-n-m, n represents the number of nodes the attacker has compromised, and m is the number of nodes the attacker owns.

    Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computin

    0-7695-2909-7/07 $25.00 2007 IEEE

    DOI 10.1109/SNPD.2007.223


    The attacker copies the cryptographic key information of the compromised nodes to the other malicious nodes it owns. Consequently, these nodes can participate in network activities while pretending to be legitimate nodes. This implies that the more nodes are compromised, the more powerful the attacker is.

    2.2. Analysis of EndairA

    1) S -> *   : (rreq, S, D, Qid)
    2) R1 -> *  : (rreq, S, D, Qid, R1)
    3) R2 -> *  : (rreq, S, D, Qid, R1R2)
    4) D -> R2  : (rrep, S, D, Qid, R1R2, SigD)
    5) R2 -> R1 : (rrep, S, D, Qid, R1R2, SigDSigR2)
    6) R1 -> S  : (rrep, S, D, Qid, R1R2, SigDSigR2SigR1)

    Figure 1. An operation example of EndairA and format of EndairA messages. The initiator of the route discovery is S, the target is D, and the intermediate nodes are R1 and R2. Qid is a randomly generated query identifier. SigD, SigR2 and SigR1 are digital signatures of D, R2, and R1, respectively. Each signature is computed over the message fields that precede the signature.

    Figure 1 illustrates the operation of EndairA. The initiator of the route discovery first generates a route request message and broadcasts it to its neighbors. The route discovery message contains the identifiers of the initiator and the target and a randomly generated request identifier Qid. Each intermediate node that receives the request for the first time appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it. When the target D receives the request, it checks the route list in the request to make sure that the last node in the route list is its neighbor. If not, D discards the request. Otherwise D generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. SigD is the signature of D computed over the message fields that precede the signature. Each intermediate node that receives the reply verifies that its identifier is in the route list carried by the reply, and that the preceding and following identifiers on the route belong to neighboring nodes. If these verifications fail, the reply is discarded. Otherwise, it is signed by the intermediate node and passed to the next node on the route (towards the initiator). When the initiator receives the route reply, it verifies that the first identifier in the route carried by the reply belongs to a neighbor. If so, it verifies all the signatures in the reply. If all these verifications are successful, the initiator accepts the route.

    There are two main differences between EndairA and Ariadne. First, in Ariadne, the initiator and intermediate nodes insert their own digital signatures into the route request packet. To generate the route reply packet, the target node copies the signatures in the request packet into the reply packet. In EndairA, however, signatures are only generated after the target node generates the route reply. Second, Ariadne uses per-hop hashing to prevent removal of identifiers from the accumulated route in the route request. In fact, this does not function well and only introduces overhead. In EndairA, there is no per-hop hashing. Papers [19-20] describe in detail how Ariadne is vulnerable to an active-1-1 attacker, which can delete the preceding node's signature to forge a non-existent route. Buttyan, the author of EndairA, declared: "Besides being provably secure against an Active-1-1 adversary (and most probably against an Active-1-x adversary too), it is extremely simple and intuitive." He also proved that EndairA overcomes the vulnerability of Ariadne.

    However, we have found an active-0-1 attack that EndairA cannot resist, and we call it the man-in-the-middle attack.

    3. Vulnerabilities of EndairA

    Figure 2. The man-in-the-middle model. A is an attacker; R1 and R2 are valid communicating nodes.

    Figure 2 shows the procedure of the man-in-the-middle attack. The attacker A forwards packets between R1 and R2 without modification, which makes R1 and R2 each mistakenly take the other as a neighbor. The man-in-the-middle attack is an indirect attack and is common on the Internet. In mobile ad hoc networks, this attack can make two nodes that are beyond each other's communication range take each other as neighbors.

    1) S -> *      : (rreq, S, D, Qid)
    2) R1 -> *     : (rreq, S, D, Qid, R1)
    3) A -> *      : (rreq, S, D, Qid, R1)
    4) R2 -> *     : (rreq, S, D, Qid, R1R2)
    5) D -> R2     : (rrep, S, D, Qid, R1R2, SigD)
    6) R2 -> A(R1) : (rrep, S, D, Qid, R1R2, SigDSigR2)
    7) A -> R1     : (rrep, S, D, Qid, R1R2, SigDSigR2)
    8) R1 -> S     : (rrep, S, D, Qid, R1R2, SigDSigR2SigR1)

    Figure 3. An example of the man-in-the-middle attack against EndairA

    Figure 3 shows an example of the man-in-the-middle attack against EndairA. We assume that a malicious node is located between the intermediate nodes R1 and R2. In step 6, R2 wants to forward the route reply packet to R1 after appending its signature. However, the attacker A intercepts it and, in step 7, forwards it to R1 without modification. After receiving this packet, R1 checks the route list in the packet to verify that both the preceding node R2 and the following node S are its neighbors. If the check succeeds, R1 adds its signature to the packet and forwards it to S. Otherwise, it discards the packet. After verifying that R1 is its neighbor and verifying the signatures in the packet, S accepts the non-existent route (S, R1, R2, D) as a valid route. The man-in-the-middle attack is clearly an active-0-1 attack. It can easily disrupt correct route discovery without capturing any valid node.

    4. A new secure routing protocol

    In order to fix the vulnerabilities of EndairA, we propose a new secure routing protocol named EndairALoc, which can resist the man-in-the-middle attack and even the wormhole attack. Furthermore, EndairALoc uses pairwise secret keys instead of the public keys used in EndairA, so it can greatly prolong the life of the network.

    The assumptions are:

    1) The cryptographic key system is ideal; its security is not considered here.
    2) All nodes pre-share symmetric pairwise keys, which are used to construct message authentication codes (MACs).
    3) The initiator and the target are valid, and only the intermediate nodes can be malicious.
    4) Each node can obtain its location information from some location system[21].
    5) The wireless transmission range is constant, and only two nodes within transmission range of each other can send and receive data directly.

    1) S -> *   : (rreq, S, D, Qid)
    2) R1 -> *  : (rreq, S, D, Qid, R1)
    3) R2 -> *  : (rreq, S, D, Qid, R1R2)
    4) D -> R2  : (rrep, S, D, Qid, R1R2, LD, MACDS)
    5) R2 -> R1 : (rrep, S, D, Qid, R1R2, LDLR2, MACDSMACR2S)
    6) R1 -> S  : (rrep, S, D, Qid, R1R2, LDLR2LR1, MACDSMACR2SMACR1S)

    Figure 4. An operation example of EndairALoc and format of EndairALoc messages. The initiator of the route discovery is S, the target is D, and the intermediate nodes are R1 and R2. Qid is a randomly generated query identifier. MACDS is the message authentication code of D for S; LD is the location information of D.

    Figure 4 describes the operation of EndairALoc. The initiator of the route discovery first generates a route request message and broadcasts it to its neighbors. The route discovery message contains the identifiers of the initiator and the target and a randomly generated request identifier Qid. Each intermediate node that receives the request for the first time appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it. After receiving the request, the target D generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. MACDS is the message authentication code of D and can only be verified by S. LD is the location information of D. Each intermediate node that receives the reply packet does not verify the route list. Instead, it appends to the reply packet its location information and a message authentication code (MAC) for itself and the initiator, then passes the reply packet to the next node on the route (towards the initiator). When the initiator receives the route reply, it verifies all the MACs in the reply packet. If all these verifications are successful, the initiator goes on to verify the other important feature, the location information in the reply packet. If all neighboring nodes in the location information list are within communication range, S accepts the corresponding route list in the reply. Otherwise the initiator discards it.

    Suppose that a man-in-the-middle attack exists on the route. When the initiator S finally receives the route reply packet, it checks the location information list (LDLR2LR1). Since the distance between LR2 and LR1 is beyond the transmission range, S finds the route invalid and discards it.

    Figure 5. The wormhole attack model

    Furthermore, as far as we know, there are no secure routing protocols that can resist the wormhole attack[22-24]. As shown in Figure 5, the dashed line between the two collaborating nodes (A1, A2) represents the wormhole along which A1 and A2 collaborate to make R1 and R2 take each other as neighbors. It is clear that EndairA cannot resist it. But in EndairALoc, when the initiator S checks the location list (LDLR2LR1) in the reply packet, it finds that the distance between R2 and R1 is beyond the transmission range and discards the route. So EndairALoc can resist the wormhole attack.
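
    The initiator-side checks of this section (MAC verification, then the per-hop distance test that rejects a relayed or wormholed link), as an added Python example that is not code from the paper. Assumptions: each MAC is an HMAC-SHA256 over all reply fields that precede it (the paper states this coverage only for EndairA signatures), locations are 2-D coordinates in metres, S includes its own position in the hop check, and the keys, Qid, positions and 250 m range are constructed values.

```python
import hashlib
import hmac
import math

TX_RANGE_M = 250.0  # constructed value for the constant range of assumption 5


def mac_for_initiator(key, header, route, locs, macs):
    """HMAC-SHA256 over every reply field preceding this MAC (assumed coverage)."""
    # repr() of a tuple of str/float/bytes literals is an unambiguous encoding here.
    msg = repr((header, tuple(route), tuple(locs), tuple(macs))).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_reply(keys, qid, src, dst, route, positions):
    """Steps 4-6 of Figure 4: D, then each intermediate node (nearest D first),
    appends its location and a MAC under the key it shares with S."""
    header = ("rrep", src, dst, qid)
    locs, macs = [], []
    for node in [dst] + route[::-1]:
        locs.append(positions[node])
        macs.append(mac_for_initiator(keys[node], header, route, locs, macs))
    return {"header": header, "route": route, "locs": locs, "macs": macs}


def verify_reply(keys, my_qid, my_pos, reply):
    """Initiator-side checks; returns (accepted, reason)."""
    header, route = reply["header"], reply["route"]
    locs, macs = reply["locs"], reply["macs"]
    if header[3] != my_qid:
        return False, "stale Qid"
    signers = [header[2]] + route[::-1]          # D, R2, R1
    if len(locs) != len(signers) or len(macs) != len(signers):
        return False, "malformed reply"
    for i, node in enumerate(signers):
        expect = mac_for_initiator(keys[node], header, route, locs[:i + 1], macs[:i])
        if not hmac.compare_digest(expect, macs[i]):
            return False, f"bad MAC from {node}"
    # Walk the claimed path S, R1, R2, D and test every hop against the range.
    path = [(header[1], my_pos)] + list(zip(signers, locs))[::-1]
    for (a, pa), (b, pb) in zip(path, path[1:]):
        if math.dist(pa, pb) > TX_RANGE_M:
            return False, f"{a}-{b} out of range"
    return True, "route accepted"


# Constructed scenario: pairwise keys shared with S, positions in metres.
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in ("R1", "R2", "D")}
QID = "qid-0001"
S_POS = (0.0, 0.0)
HONEST = {"R1": (200.0, 0.0), "R2": (400.0, 0.0), "D": (600.0, 0.0)}
# R1 and R2 are 400 m apart and only "hear" each other through a relay.
RELAYED = {"R1": (200.0, 0.0), "R2": (600.0, 0.0), "D": (800.0, 0.0)}


def demo():
    route = ["R1", "R2"]
    ok = verify_reply(KEYS, QID, S_POS, build_reply(KEYS, QID, "S", "D", route, HONEST))
    relayed = verify_reply(KEYS, QID, S_POS, build_reply(KEYS, QID, "S", "D", route, RELAYED))
    altered = build_reply(KEYS, QID, "S", "D", route, RELAYED)
    altered["locs"][1] = (400.0, 0.0)  # R2's location rewritten in transit
    return ok, relayed, verify_reply(KEYS, QID, S_POS, altered)


if __name__ == "__main__":
    print(demo())
```

    The distance test is only as trustworthy as the reported positions, which is why the location list has to sit under the MACs: the third case is rejected at the MAC step before any distance is computed.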

    5. Analysis of security and performance

    5.1. Security Analysis

    Besides being able to resist the man-in-the-middle attack and the wormhole attack, EndairALoc retains the security of EndairA. The analysis is as follows:

    1) Malicious nodes alter the control information and location information: the control information includes identity, sequence number, and so on. Because a message authentication code is used, any malicious modification will be detected by the initiator after it receives the reply packet.
    2) Malicious nodes discard route request or reply packets: EndairALoc, as a secure DSR-based protocol, can obtain several replies to one route request. A small number of malicious nodes will not seriously affect route establishment.
    3) Replay attack: malicious nodes broadcast stale route request or reply packets to the network. Qid is unique to one route request and is generated randomly by the initiator of the route discovery. Therefore, stale route request or reply packets carrying a stale Qid will be detected and discarded by the initiator.

    5.2. Performance Evaluation

    Secure routing protocols add security functions to normal routing protocols, so they lead to more communication and energy consumption. The verification of the message authentication codes and location information increases the computation cost at the initiator and the latency of route discovery. Fortunately, during the route request each node takes only a few actions, and nodes only need to generate message authentication codes during the route reply. Furthermore, there are several replies to one route request. Therefore, the overall consumption is not very high. On the other hand, EndairALoc uses a symmetric key mechanism to decrease the computation cost, whereas EndairA uses a public key mechanism. It is well known that asymmetric algorithms consume much more energy than other cryptographic algorithms. Studies in [22] compared the energy consumption of public key algorithms and symmetric key algorithms quantitatively, as listed in Table 1.

    The result shows that the energy consumption of public key algorithms is orders of magnitude higher than that of symmetric key algorithms. From the above, we conclude that EndairALoc enhances the security of the routing protocol without introducing more energy consumption and is more suitable for networks with constrained energy.

    Table 1. Energy Consumption for Different Cryptographic Algorithms

    Algorithms                      Consumption
    Public-key (RSA, DSA, ECDSA)    100500mJ
    Secret-key (DES, AES, IDEA)     25uJ
    Hash (MD5, SHA, HMAC)           0.51uJ

    6. Conclusions

    This paper first presents a new attack on EndairA, named the man-in-the-middle attack. To prevent this attack, a new secure routing protocol named EndairALoc is proposed. The analysis shows that our protocol not only retains the security of EndairA but also resists the man-in-the-middle attack and even the wormhole attack. Furthermore, EndairALoc uses a symmetric key mechanism instead of a public key mechanism, so the energy consumption of route discovery is greatly decreased.

    References

    [1] Y.C. Hu and A. Perrig, "A survey of secure wireless ad hoc routing," Security & Privacy Magazine, no. 2, pp. 28-39, 2004.

    [2] F. Stajano, R. Anderson, "The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks," in 7th International Workshop on Security Protocols, Berlin 1999.

    [3] T. S. Messerges, et al, "A Secure Design for a General Purpose, Self-Organizing, Multihop Ad Hoc Wireless Network," in 1st ACM Workshop Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, 2003.

    [4] A. Perrig, J. Stankovic, D. Wagner, "Security in Wireless Sensor Networks," Communications of the ACM, vol. 47, no. 6, pp. 53-57, 2004.

    [5] L. Buttyán and J.-P. Hubaux, "Report on a Working Session on Security in Wireless Ad Hoc Networks," ACM Mobile Computing and Communications Review (MC2R), vol. 7, no. 1, March 2003.

    [6] K. Inkinen, "New Secure Routing in Ad Hoc Networks: Study and Evaluation of Proposed Schemes", Telecommunications Software and Multimedia, 2004.

    [7] M. Jakobsson, S. Wetzel, B. Yener, "Stealth attacks on ad-hoc wireless networks," in Vehicular Technology Conference, vol. 3, pp. 2103-2111, Oct 2003.

    [8] G. Ács, L. Buttyán, and I. Vajda, "Provable Security of On-Demand Distance Vector Routing in Wireless Ad Hoc Networks," Second European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (ESAS 2005), Visegrád, Hungary, July 13-14, 2005.

    [9] P. Papadimitratos and Z. Haas, "Secure routing for mobile ad hoc networks," in Proc. of the SCS Communication Networks and Distributed Systems Modelling and Simulation Conf., San Antonio, pp. 27-31, 2002.

    [10] Y.C. Hu, A. Perrig, and D. B. Johnson, "Ariadne: a secure on-demand routing protocol for ad hoc networks," in Proc. of the Eighth ACM Int'l Conf. on Mobile Computing and Networking (MOBICOM 2002), pp. 23-28, Atlanta, GA, 2002.

    [11] M.G. Zapata, "Securing ad hoc routing protocol," in Proc. of ACM Workshop on Wireless Security, pp. 1-9, Atlanta, Sep. 2002.

    [12] M.G. Zapata, "Secure Ad hoc On-Demand Distance Vector (SAODV) Routing", http://personals.ac.upc.edu/guerrero/papers/draft-guerrero-manet-saodv-06.txt, September 2006.

    [13] K. Sanzgiri, B. Dahill et al, "A secure routing protocol for Ad Hoc networks," in Proc. of 2002 IEEE International Conference on Network Protocols (ICNP), Nov 2002.

    [14] K. Sanzgiri, et al, "Authenticated Routing for Ad hoc Networks," IEEE Journal on Selected Areas in Communications, vol. 23, no. 3, pp. 598-610, 2005.

    [15] S. Ghazizadeh, O. Ilghami, and E. Sirin, "Security aware adaptive dynamic source routing protocol," in Proc. of the 27th Annual IEEE Conf. on Local Computer Networks, 2002.

    [16] Y.C. Hu, D. B. Johnson, and A. Perrig, "SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks," Ad hoc Networks, vol. 2, no. 2, pp. 175-192, 2003.

    [17] P. Papadimitratos, Z. J. Haas, "Secure link state routing for mobile ad hoc networks," in Proc. of the 2003 Symposium on Applications and the Internet Workshops (SAINT'03 Workshops), 2003.

    [18] D.B. Johnson, D. Maltz, and Y. C. Hu, "The dynamic source routing protocol for mobile ad hoc networks," http://www.ietf.org/internet-drafts/draft-ietf-manetdsr -10.txt, 2005.

    [19] L. Buttyan and I. Vajda, "Towards provable security for ad hoc routing protocols," in Proc. of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, 2005.

    [20] G. Ács, L. Buttyán, and I. Vajda, "Provably Secure On-demand Source Routing in Mobile Ad Hoc Networks," IEEE Transactions on Mobile Computing, Vol. 5, No. 11, November 2006.

    [21] "Ad Hoc Positioning System (APS)," in GLOBECOM 2001 - IEEE Global Telecommunications Conference, pp. 2926-2931, 2001.

    [22] C. Karlof and D. Wagner, "Secure Routing in Sensor Networks: Attacks and Countermeasures," at the 1st IEEE International Workshop on Sensor Network Protocols and Applications, May 2003.

    [23] Y.C. Hu, A. Perrig, and D.B. Johnson, "Packet leashes: a defense against wormhole attacks in wireless networks," in Proc. of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pp. 1976-1986, 2003.

    [24] L. Hu and D. Evans, "Using Directional Antennas to Prevent Wormhole attacks," in Network and Distributed System Security Symposium, 2004.

    [25] N. Potlapally, et al., "Analyzing the Energy Consumption of Security Protocols," in SLPED'03, 2003.