Secure Ad-Hoc Routing Protocols
• ARIADNE (A secure on demand Routing protocol for Ad-Hoc Networks) & TESLA
• ARAN (A Routing protocol for Ad-hoc Networks)
• SEAD (Secure Efficient Distance Vector Routing Protocol for Ad-Hoc Network)

Routing
• Transfer of information from one router to another router
• Routing has been divided into two categories
  • Distance Vector Protocol
  • Link State Protocol
• Drawback
  • Periodic updates required
  • Routing loops possible

Ad-hoc Routing … The Difference
• Nodes are mobile
• Each node is a router as well as a host
Problems
• Nodes are resource constrained
  • Limited CPU power
  • Limited memory
  • Limited battery power
• Network bandwidth is limited

Ad-Hoc Routing … Requirements
• Secure
• Minimum communication requirements
• Minimum computational requirements
• Minimum energy consumption

Attacks
• Modification
• Fabrication
• Impersonation
• Dropping packets
• Denial of Service

Ad-hoc Routing Protocols
• Classes of routing protocols: On-Demand (static), Distance Vector
• Routing protocols: DSR, DSDV
• Security extensions: ARAN, SEAD, Ariadne

ARIADNE
• Overview
  • Secure extension of DSR
  • Uses symmetric cryptosystem with asymmetric primitive
  • TESLA used to achieve the asymmetric primitive
• Why TESLA?
  • Broadcast authentication

TESLA: Timed Efficient Stream Loss-tolerant Authentication
• Broadcast authentication protocol
• How it works?
  • Requires MAC and one-way hash-key chain and shared secret key
  • Delayed key disclosure
  • Requires the sender and receiver to loosely synchronize their time
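
One-Way Chains
• F() – one-way hash function
• K_l – random value
• Disclosure is the opposite of generation
Diagram:
  Generate:    K_l → F(K_l) = K_{l-1} → F(K_{l-1}) = K_{l-2} → … → F(K_2) = K_1 → F(K_1) = K_0
  Use/Reveal:  K_0, K_1, …, K_{l-2}, K_{l-1}, K_l (the reverse of the generation order)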
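
Time Synchronization
• tR – Receiver time at sending the query
• tS – Sender time
• ∆ – Max synchronization error
• δ – Actual synchronization error
• Ks^-1 – Private key of Sender
• N – Nonce by Receiver
Diagram:
  Receiver → Sender: tR, N
  Sender → Receiver: (tS, N) signed with Ks^-1
  δ and ∆ are marked between the receiver's and the sender's time lines.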

TESLA Sketch Cont’d…
• Authenticate the keys: F(K_i) = K_{i-1}
• Generate MAC keys using the F’ hash function: K’_i = F’(K_i)
• Key disclosure delay, d = 2
Diagram:
  Key chain: K5 → K4 → K3 → K2 → K1 → K0, each step K_{i-1} = F(K_i)
  MAC keys:  K’1, K’2, K’3, K’4, K’5, derived with F’
  Packets per time interval (1 to 5):
    1: M1, MAC_K’1(M1)
    2: M2, MAC_K’2(M2)
    3: M3, MAC_K’3(M3), K1
    4: M4, MAC_K’4(M4), K2
    5: M5, MAC_K’5(M5), K3

TESLA Sketch Cont’d…
Simplified TESLA protocol:
• Perfect time synchronization
• F’ function not used
• Key disclosure delay, d = 2
Diagram:
  Key chain: K5 → K4 → K3 → K2 → K1 → K0, each step K_{i-1} = F(K_i)
  Packets per time interval:
    1: M1, MAC_K1(M1)
    2: M2, MAC_K2(M2)
    3: M3, MAC_K3(M3), K1
    4: M4, MAC_K4(M4), K2
  Sender’s time and receiver’s time are drawn as parallel time-interval axes.
  Result: Message M1 accepted

TESLA Sketch Cont’d…
Simplified TESLA protocol:
• Perfect time synchronization
• F’ function not used
Diagram:
  Key chain: K5 → K4 → K3 → K2 → K1 → K0, each step K_{i-1} = F(K_i)
  Packets per time interval:
    1: M1, MAC_K1(M1)
    2: M2, MAC_K2(M2)
    3: M3, MAC_K3(M3), K1
    4: M4, MAC_K4(M4), K2
  Sender’s time and receiver’s time are drawn as parallel time-interval axes.
  Result: Message M1 rejected

TESLA Sketch Cont’d…
Simplified TESLA protocol:
• F’ function not used, but
• only loose synchronization
Diagram:
  Key chain: K5 → K4 → K3 → K2 → K1 → K0, each step K_{i-1} = F(K_i)
  Packets per time interval:
    1: M1, MAC_K’1(M1)
    2: M2, MAC_K’2(M2)
    3: M3, MAC_K’3(M3), K1
    4: M4, MAC_K’4(M4), K2
  Sender’s time and receiver’s time are drawn as parallel time-interval axes.
  ∆ – synchronization error
  Result: Message M1 rejected
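
The accept/reject outcomes of the three simplified sketches above, as an added example (not code from the slides or from the TESLA authors): the receiver buffers a packet only if, allowing for the maximum synchronization error, the sender cannot yet have disclosed that interval's key, and it authenticates each disclosed key against the chain before checking MACs. SHA-256/HMAC, all names, and intervals numbered from 1 starting at time 0 are assumptions of this example; F’ is not used, as in the simplified protocol.

```python
import hashlib
import hmac

def F(key: bytes) -> bytes:
    # One-way function F; SHA-256 is this example's choice, not the slides'.
    return hashlib.sha256(key).digest()

def make_chain(seed: bytes, length: int) -> list:
    # K_l = seed, K_{i-1} = F(K_i); returns [K_0, K_1, ..., K_l].
    chain = [seed]
    for _ in range(length):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, k0, d, interval_len, max_sync_err):
        self.last = (0, k0)      # newest authenticated (index, key); K_0 is the commitment
        self.d, self.T, self.delta = d, interval_len, max_sync_err
        self.buffer = []         # packets waiting for their key to be disclosed

    def on_packet(self, local_time, i, msg, tag):
        # Security condition: even if the sender's clock is ahead by Delta,
        # the sender must not yet be in interval i + d, where K_i is disclosed.
        sender_interval_bound = int((local_time + self.delta) // self.T) + 1
        if sender_interval_bound >= i + self.d:
            return False         # K_i may already be public, so the MAC proves nothing
        self.buffer.append((i, msg, tag))
        return True

    def on_key(self, i, key):
        # Authenticate K_i by hashing back to the last trusted key (this tolerates
        # lost disclosures), then release buffered messages whose MAC verifies.
        j, trusted = self.last
        if i <= j:
            return []
        k = key
        for _ in range(i - j):
            k = F(k)
        if not hmac.compare_digest(k, trusted):
            return []
        self.last = (i, key)
        good = [m for n, m, t in self.buffer
                if n == i and hmac.compare_digest(mac(key, m), t)]
        self.buffer = [p for p in self.buffer if p[0] != i]
        return good
```

With d = 2 and unit-length intervals, a packet for interval 1 is buffered when it arrives at receiver time 1.5 under perfect synchronization, and rejected when it arrives at 2.2 or when ∆ = 0.6 pushes the worst-case sender time into interval 3.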

ARIADNE
Assumptions
• All nodes are aware of ∆
• Assumes a shared-key setup between sender and receiver
• All assumptions that are valid for TESLA
Design Goals
• Authentication of target
  • Shared key
• Authentication of data in Route Requests
  • TESLA
  • Digital signatures
  • MACs
• A mechanism to verify that no node is missing
  • Per-hop hashing

ARIADNE Flow Diagram
• Share key between source and destination
• Send Route Request
• Node != Target?
  • Yes:
    • Append node name to the node list
    • Extend hash chain
    • Compute MAC with TESLA secret key and add this MAC to the MAC chain
  • No:
    • Target generates MAC covering entire message
    • Send Reply
    • Each node appends its TESLA key
    • Source verifies all MACs
• End of Route Discovery

Route Maintenance
• A node returns a Route Error if it cannot reach a node.
• Route replies have to be authenticated.
• Route Reply Packet:
  Route Error | Sending Addr | Receiving Addr | Time Interval | Error MAC | TESLA Key
  • Sending Addr – error-encountering node
  • Receiving Addr – error node
  • Time Interval – TESLA interval
• Authentication is delayed since packets are buffered.
• The routes are stored till authentication is received in terms of the TESLA key.
• Once the authentication is received, all the routes are removed.

ARAN
• Overview
• Requirements
  • Prevent alteration of data in route request and reply.
Certification
• Requires a trusted authority T to issue certificates.
• Format of certificate: T -> certA = [IPa, Ka, t, e]Kt^-1
  • IPa = IP address of A
  • Ka = public key of A
  • t = time the certificate was issued
  • e = time the certificate expires
  • Kt^-1 = private key of T
• Certificate fields: IP Address A | Public Key A | Creation Time | Time to Live

ARAN … Route Discovery
Path: A – B – C – X
Route request from A -> X:
• A: [RDP, IPx, CertA, Na, t]Ka^-1
• B: {[RDP, IPx, CertA, Na, t]Ka^-1}Kb^-1, CertB
• C: {[RDP, IPx, CertA, Na, t]Ka^-1}Kc^-1, CertC
Reply from X back to A:
• X: [REP, IPa, CertX, Na, t]Kx^-1
• C: {[REP, IPa, CertX, Na, t]Kx^-1}Kc^-1, CertC
• B: {[REP, IPa, CertX, Na, t]Kx^-1}Kb^-1, CertB

Route Maintenance
• Each node deletes a route if no traffic is detected for a certain interval of time.
• Data received on a deleted route causes an ERR.
• ERR packet:
  • The same packet is used for broken links and deleted routes.
  • All ERR messages should be signed.
  • A node tries a certain number of times before generating an ERR packet.
  • B -> C : {[ERR, IPa, IPx, CertB, Nb, t]Kb^-1}
    • ERR = error packet
    • IPa = IP address of source
    • IPx = IP address of destination
    • Nb & t = nonce and timestamp to ensure freshness
• Difficult to determine whether the ERR packet was generated due to a broken link or not.

SEAD
• Secure Efficient Ad hoc Distance vector routing protocol
• Secure extension of DSDV
• Uses one-way hash functions to authenticate routing updates.
Assumptions
• All nodes should be aware of the network diameter (m)
• A mechanism to distribute the commitment of a chain
• Every node generates a hash chain of length (n), which is divisible by (m)
Metric & Sequence # Authentication
• A node computes a one-way hash chain and shares the commitment with the network.
• It uses the one-way hash chain to authenticate routing updates.
• Let h_0, h_1, h_2, …, h_n be the hash chain values and i the sequence number.
• Then k = n/m − i.
• An element from h_{km}, h_{km+1}, …, h_{km+m−1} is used to authenticate the routing update.
• If the metric is j, 0<j<m, then h_{km+j} is used to authenticate the routing update for that sequence #.

SEAD Metric Authentication
[Figure: a hash chain split into three groups of eight hash values, one group per sequence number (Seq_No = 1, Seq_No = 2, Seq_No = 3); within each group the hash values are indexed by metric 0 to 7.]
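
The indexing rule k = n/m − i and h_{km+j} above, as an added example (not code from the slides or from the SEAD authors): a receiver checks an update by hashing the received element forward to the commitment, which lets a forwarding node raise a metric by hashing once but never lower it or claim a newer sequence number. SHA-256, the function names, the sizes n = 24 and m = 8, treating h_n as the distributed commitment, and accepting metrics 0 to m−1 are assumptions of this example.

```python
import hashlib

def H(x: bytes) -> bytes:
    # One-way hash; SHA-256 is this example's choice, not the slides'.
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    # h_0 = seed, h_i = H(h_{i-1}); h_n is the commitment given to the network.
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain

def auth_index(n: int, m: int, seq: int, metric: int) -> int:
    # k = n/m - i; the element for sequence number i and metric j is h_{km+j}.
    if n % m != 0:
        raise ValueError("chain length n must be divisible by m")
    k = n // m - seq
    if k < 0 or not 0 <= metric < m:
        raise ValueError("sequence number or metric out of range")
    return k * m + metric

def verify_update(commitment: bytes, n: int, m: int,
                  seq: int, metric: int, value: bytes) -> bool:
    # Hash the received element forward; it must land exactly on h_n.
    try:
        idx = auth_index(n, m, seq, metric)
    except ValueError:
        return False
    for _ in range(n - idx):
        value = H(value)
    return value == commitment

def demo() -> dict:
    n, m = 24, 8                                   # constructed sizes
    chain = make_chain(b"constructed-seed", n)
    v = chain[auth_index(n, m, seq=2, metric=3)]   # honest update: seq 2, metric 3
    return {
        "honest": verify_update(chain[n], n, m, 2, 3, v),
        "lower_metric_claim": verify_update(chain[n], n, m, 2, 2, v),
        "metric_plus_one": verify_update(chain[n], n, m, 2, 4, H(v)),
        "newer_seq_claim": verify_update(chain[n], n, m, 3, 3, v),
    }
```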

Security Analysis
Attacks                    | ARIADNE                | ARAN                    | SEAD
Modification               | Yes                    | Yes                     | No
Impersonation              | Yes                    | Yes                     | Yes
Fabrication                | Yes                    | Yes                     | Yes
Packet Dropping            | Yes / Discovered later | No, if node compromised | No
Gratuitous detour          | Yes                    | Yes                     | No
Eavesdropping              | No                     | No                      | No
DoS                        | No / Proposes a scheme | No                      | No
Unauthorized Participation | Yes                    | Yes                     | Yes

Performance Analysis … ARIADNE and SEAD
• Packet delivery ratio
• Average latency
[Figure: Packet delivery ratio vs. pause time for SEAD, DSDV, DSR and ARIADNE]
[Figure: Average latency vs. pause time for SEAD, DSDV, DSR and ARIADNE]

Performance Analysis … (contd)
• Packet overhead
• Byte overhead
[Figure: Packet overhead vs. pause time for SEAD, DSDV, DSR and ARIADNE]
[Figure: Byte overhead vs. pause time for SEAD, DSDV, DSR and ARIADNE]

Performance Analysis … ARAN
• Average packet delivery fraction
• Average routing load (packets)
[Figure: Average packet delivery fraction vs. node speed (m/s) for ARAN and AODV]
[Figure: Average routing load (packets) vs. node speed (m/s) for AODV and ARAN]

Performance Analysis … ARAN (contd)
• Average routing load (bytes)
• Average path length
[Figure: Average routing load (bytes) vs. node speed (m/s) for AODV and ARAN]
[Figure: Average path length vs. node speed (m/s) for AODV and ARAN]

Performance Analysis … ARAN
• Average data packet latency
[Figure: Average data packet latency (ms) vs. node speed (m/s) for AODV and ARAN]

Conclusion … Ariadne
• Innovative design
• Memory expensive
• Requires time synchronization
• Extremely secure

Conclusion … SEAD
• Better performance than Ariadne
• Fundamentally difficult to secure distance vector protocol
• Does not handle modern attacks
  • Black hole, gray hole etc.
• Difficult to incorporate security features to guard against future security attacks

Conclusion … ARAN
• High performance overhead
• Authenticity dependent on IP address of a mobile node … doubtful
• Security heavily dependent on Certification Authority
• Has a good key revocation feature

References
• Kimaya Sanzgiri, Bridget Dahill, Brian Neil Levine, Clay Shields, Elizabeth Belding-Royer, “ARAN”
• Yih-Chun Hu, David B. Johnson, and Adrian Perrig, “ARIADNE”
• Yih-Chun Hu, David B. Johnson, and Adrian Perrig, “SEAD”
• Adrian Perrig, Ran Canetti, J.D. Tygar, Dawn Song, “TESLA” (Timed Efficient Stream Loss-tolerant Authentication)