Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 1 Introduction to Secured Communicat...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 2Introduction Ad hoc and sensor netw...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 3Distributed Systems Security Threat...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 4Security in Ad Hoc Networks There i...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 5Security SolutionsConstraints Netwo...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 6 The wireless links present in an a...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 7 Secured Routing Contemporary rout...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 8Authentication Authentication denot...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 9Key Management Description of the d...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 10Key Management Definition 10.7: Ke...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 11A, B protocol participantsp large p...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 12Setupp and α are chosen and publish...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 13N-Party Diffie-Hellman KeyAgreement...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 14N-Party Diffie-Hellman KeyAgreement...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 15N-Party Diffie-Hellman KeyAgreement...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 16 Downflow The downflow is initial...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 17Group Mutation The protocol depict...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 18Member Deletion Deleting a member ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 19The Ingemarsson ProtocolOverview ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 20The Ingemarsson ProtocolThe Protoc...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 21Complexity of the Ingemarssonprotoc...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 22The Burmester and DesmedtProtocol ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 23Complexity of theBurmester and Desm...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 24The Hypercube ProtocolOverview Be...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 25Hypercube Protocol (d=2) Setup Ea...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 26Hypercube Protocol ExampleFigure 10...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 27Complexity of the Hypercubeprotocol...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 28The Octopus Protocol Overview Hyp...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 29Topology Example in the OctopusProt...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 30Octopus ProtocolNotationA, B, C, D ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 31 Setup All participants elect con...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 32jIKIK BA )()( ∪α)( )( DICIK ∪αϕα)()...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 33Complexity of the OctopusprotocolCh...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 34The CLIQUES Protocol Suite Overvie...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 35N, n number of protocol participant...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 36GDH.2 Overview GDH.2 is a refinem...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 37Table 10.5 – Complexity ofGDH.2Char...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 38GDH.3 Overview Try to reduce the ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 39Complexity of GDH.3Characteristic C...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 40STR Overview and NotationN<j> tree ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 41STR Notation Examplek4k3, bk3 r4, b...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 42The Tree-based GeneralizedDiffie-He...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 43 Each node in the key tree, <l, v>...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 44Secure Routing Security services i...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 45Problems Affecting Secure Ad HocRou...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 46S A B C D XM(a) – Malicious node M ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 47Redirection Effect Remote Redirect...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 48Different Attacks Attacks using Fa...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 49Impact of Attacks Detect and Isola...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 50Secure Routing Protocols Current e...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 51Stage 1 of ARAN Preliminary Certif...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 52 Nodes do not rebroadcast duplicat...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 53Stage 2 Stage two is performed onl...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 54Route Maintenance When an existing...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 55Concealing Network Topology Using ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 56Identifying and AvoidingMisbehaving...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 57Identifying and AvoidingMisbehaving...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 58WatchdogReceiver collision In the...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 59Watchdog and Pathrater False Misbe...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 60Security-Aware Ad Hoc Routing This...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 61Secure Routing Protocol Secure Rou...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 62SRP Functional Algorithm Node sour...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 63Case 1 When node M1 receives {QSD;...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 64Attacks on SRP andARIADNE Tunnelin...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 65ARIADNE The initiator and target a...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 66SEAD A proactive secure routing pr...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 67The Wormhole Attack In a wormhole ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 68Cooperation in MANETs There is no ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 69CONFIDANT The CONFIDANT (Cooperati...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 70Token-Based Each node of the ad ho...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 71Wireless Sensor Networks Each sens...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 72Key Distribution andManagement How...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 73Pre-distribution Scheme Eschenauer...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 74Intrusion Detection Systems(IDS) T...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 75Intrusion Detection Systems(IDS) I...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 76Unsuitability of Current IDSTechniq...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 77IDSIDSIDSIDSIDSIDSAn IDS Architectu...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 78 Local Data Collection The Local ...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 79Cooperative Detection and Intrusion...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 80Cooperative Detection and Intrusion...
Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 81IDS AgentConceptual Components of a...
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10
Upcoming SlideShare
Loading in …5
×

Adhoc and Sensor Networks - Chapter 10

783 views
726 views

Published on

Adhoc and Sensor Networks

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
783
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
64
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Adhoc and Sensor Networks - Chapter 10

  1. 1. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 1 Introduction to Secured Communication Distributed Systems Security Security in Ad Hoc Networks Requirements Security Solutions Constraints Challenges Authentication Key Management Conceptual Background Diffie-Hellman Key Agreement N-Party Diffie-Hellman Key Agreement The Ingemarsson Protocol The Burmester and Desmedt Protocol The Hypercube Protocol The Octopus Protocol The CLIQUES Protocol Suite The Tree-based Generalized Diffie-Hellman Protocol Secure Routing Problems Affecting Secure Ad Hoc Routing Secure Routing Protocols The Wormhole Attack Cooperation in MANETs CONFIDANT Token-Based Wireless Sensor Networks WSN Security Key Distribution and Management Intrusion Detection Systems Overview Unsuitability of Current IDS Techniques An IDS Architecture for Ad Hoc Networks Anomaly Detection Conclusions and Future DirectionsTable ofContents
  2. 2. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 2Introduction Ad hoc and sensor networks intended for diverse audiences andcontexts Many of these applications share a common characteristic: theyare information–centric Security remains largely unanswered Numerous research initiatives have been launched Many questions remain open as existing approaches havelimited functionalities, unrealistic computational requirements,or inability to address core security issues Security is an essential for basic network functions like packetforwarding and routing If a-priori trust relationship exists between nodes, entityauthentication can be sufficient A-priori trust can only exist in a managed environment On the other hand, entity authentication in a large networkraises key management requirements The considered threats are thus not just limited tomaliciousness, but a new type of misbehavior called selfishnessshould also be considered Security in ad hoc networks is a much harder task than intraditional wired networks
  3. 3. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 3Distributed Systems Security Threats are divided into three categories: Disclosure threats Integrity threats and Denial of Service threats This by no means covers all the possible threats, but will suffice for our purposes Disclosure threat involves the leakage of information Integrity threat involves an unauthorized modification of information Denial of Service threat involves inability to access a system resource that is beingblocked by a malicious attacker Disclosure Authentication means ensuring the identity of another user Non-repudiation ensures that a user that has sent a certain message cannot deny sendingthis message at a later time Another related matter is a process called delegation When a user, using a local access wants to execute a program on a remote machine, theprogram will need certain rights to use the resources and the user typically delegates hisaccess rights to the program If the remote machine is weakly protected and a malicious user can exploit a legitimateuser’s rights Security should be enforced centrally or locally This by no means covers all the possible threats, but will suffice for our purposes Centralized security enforcement, there could be some kind of Key DistributionCenter (KDC) In local security enforcement scheme, each user enforces security policy and truststhe machines he/she logs into; there could be a trusted Certification Authority (CA),which issues public key certificates as the users have their own pair of keys and cancertify their public keys with the CA
  4. 4. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 4Security in Ad Hoc Networks There is no fixed infrastructure in ad hoc network Devices connect to each other in their own communication range via wireless links Individual devices act as routers when relaying messages to other distant devices The topology of an ad hoc network is not fixed eitherRequirements Availability Availability seek to combat Denial of Service (DoS) and energy starvation attacks As all the devices in the network depend on each other to relay messages, DoS attacks areeasy to perpetrate There are routing protocols that can adjust well to the changing topology, but there arenone that can defy all the possible attacks Authorization and Key Management Identifying users is not an easy task There are problems with trusted third party schemes and identity-based mechanisms forkey agreement A password authenticated multi-party Diffie-Hellman key exchange seems to overcomemany problems Confidentiality and Integrity Message cannot be understood by anyone other than the authorized personnel Without proper authentication, it is difficult to enforce confidentiality If the proper authenticity has been established, securing the connection with appropriatekeys does not pose a big problem Data integrity denotes the immaculateness of data sent from one node to another If a robust confidentiality mechanism is employed, ensuring data integrity may be assimple as adding one–way hashes to encrypted messages Non-Repudiation This ensures that the origin of a message cannot deny having sent the message
  5. 5. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 5Security SolutionsConstraints Network security personnel have adopted a centralized, largelyprotective paradigm to satisfy these requirements Attempts to adapt similar client-server solutions to adecentralized environment have largely been ineffective To be efficiently applicable, security solutions for ad hocnetworks should ideally have the following characteristics: Lightweight: Solutions should minimize the amount ofcomputation and communication required to ensure thesecurity services Decentralized: attempts to secure must be ad hoc Reactive: Security paradigms must react to changes innetwork state; they must seek to detect compromises andvulnerabilities Fault-Tolerant: Wireless medium is known to be unreliable;security solutions should be designed with such faults inmind These are not stringent requirements: specific applicationsmay relax some or all of the above based on their domainand the sensitivity of the information involved
  6. 6. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 6 The wireless links present in an ad hoc network render it susceptible toattacks ranging from passive eavesdropping to active impersonation Eavesdropping might give an attacker access to secret information Active attacks could range from message replay or deletion, injectingerroneous messages, impersonating a node Nodes roaming freely in a hostile environment with relatively poor physicalprotection have good probability of being compromised For high survivability, ad hoc networks need to have a distributedarchitecture with no central entities, which certainly increases vulnerability Security mechanism needs to be dynamic and scalable Key Management: In a public key infrastructure, each node has a public/private key pair A node distributes its public key freely to the other nodes in thenetwork; however it keeps its private key to only itself A CA is used for key management and has its own public/private keypair The trusted CA is responsible to sign certificates, binding public keys tonodes, and has to stay online to verify the current bindings If the CA is unavailable, nodes cannot get the current public keys ofother nodes to establish secure connections Naive replication of CAs can make the network more vulnerable Hence, it may be more prudent to distribute the trust to a set of nodesby letting these nodes share the key management responsibilityChallenges
  7. 7. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 7 Secured Routing Contemporary routing protocols designed are not designed to providedefense against malicious attackers Nodes exchange network topology to establish routes between them As for attackers, we can classify them into external and internal External attackers may inject erroneous routing information, replayold routing data or distort routing information Compromised nodes inside the network are harder to detect ascompromised nodes can generate valid signatures using their privatekeys Routing protocol should be used to bypass compromised nodes Intrusion Detection Each MH in an ad hoc network is an autonomous unit and is free tomove independently It is difficult to track down a single compromised node in a largenetwork While encryption and authentication can reduce the risks of intrusion,they cannot be completely eliminated Intrusion detection can be used as a second line of defense to protectnetwork systemsChallenges
  8. 8. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 8Authentication Authentication denotes the accurate, absolute identification of users who wish toparticipate in the network Unfortunately the ad hoc paradigm does not accommodate a centralized entitycreating protocol deployment issues Trusted Third Parties Use a Trusted Third Party (TTP) Every node that wishes to participate obtains a certificate from a universallytrusted third party When two nodes wish to communicate, they first check to see if the other nodehas a valid certificate It probably is not reasonable to require all ad hoc network-enabled devices tohave a certificate Secondly, each node needs to have a unique name Many appropriate variations of TTPs discussed later Chain of Trust Chain of trust paradigm relies on any node in the network to performauthentication This paradigm fails if malicious modes are within the network Location-Limited Authentication Location-limited authentication levies on the fact that ad hoc networks exist ina small area Although it may not seem obvious, location-limited authentication ispotentially very secure The security is obtained from physical assurance and tamper-detection Authenticating node can be reasonably certain that the node it thinks is beingauthenticated is the node it is actually authenticating Although this is well-suited, it is not feasible for large, group-based settings
  9. 9. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 9Key Management Description of the dominant key management paradigms An overview of the generalized Diffie–Hellman algorithm – the defacto standard for contributory key agreement algorithms Trusted Third Parties Definition 10.1: A group key is a secret that is used by two or moreparties to communicate securely and is symmetric; that is, thesame group key is used to encrypt and decrypt messages Definition 10.2: Key independence ensures that a passiveadversary who knows a proper subset of group keys cannotdiscover any other group key Definition 10.3: Forward secrecy ensures that a passive adversary(member or non-member) who knows a contiguous subset of oldgroup keys cannot discover subsequent group keys Definition 10.4: Backward secrecy ensures that a passive adversarywho knows a contiguous subset of group keys cannot discoverpreceding group keys Definition 10.5: Key establishment is the process, protocol, oralgorithm by which a group key is created and distributed to thegroup Definition 10.6: Key agreement is a protocol by which two or moreparties contribute to the creation of a shared group key
  10. 10. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 10Key Management Definition 10.7: Key distribution is the process by which each group member isapprised of the group key Some systems may necessitate key agreement and distribution protocols, whileothers may only have one or the other Paradigms in centralized systems, a single entity, is responsible for generating anddistributing the key Similarly, paradigms that employ a key agreement protocol are often referred to asdistributed Another notable drawback of centralized techniques is that they often require asecure channel to transmit the group key from the group controller to each member Distributed key management techniques require that two or more group memberscontribute to the creation of the group key and one or more public values could bebroadcast to the group Upon receipt of the public value(s), each group member uses its own secret tocalculate the actual group key Most forms of distributed key management are based on a generalization of well-known Diffie-Hellman algorithm Although distributed techniques do not have a single point of failure or attack,active adversaries may compromise the security of the key by masquerading as agroup member as the attack occurs during the key generation phase Definition 10.8: Key integrity ensures that the group key is a function of allauthenticated group members and no one else One of the easiest ways for an adversary to sacrifice key integrity is by compromisingprior keys or the individual contribution – the secret shared key – of a group memberand is closely related form of attack is known as a known key attack Definition 10.9: A protocol is vulnerable to a known key attack if compromise of pastsession keys allows a passive adversary to compromise future group keys, or an activeadversary to impersonate one of the protocol parties
  11. 11. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 11A, B protocol participantsp large prime numberG unique subgroup of Z *pof order q with p, q primeα exponentiation base – the generator in the group Gx random secret chosen by A such that 1 ≤ x ≤ p – 2y random secret chosen by B such that 1 ≤ y ≤ p – 2K the shared keyKi the partial key created by member iDiffie-Hellman KeyAgreement Diffie-Hellman key agreement protocol, developed by Whitfield Diffie andMartin Hellman is perhaps the largest publicly–known cryptographicbreakthrough of the twentieth century Diffie-Hellman protocol provided a way for two parties to agree on a secret keyand use it to communicate over an insecure medium in an ad hoc fashionProtocolNotations
  12. 12. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 12Setupp and α are chosen and published (broadcasted)Key AgreementA chooses its secret, x, creates KA = αxmod p, and sends it toBB chooses its secret, y, creates KB = α ymod p, and sends it toAA receives KB and computes K = KAB = (α y) xmod pB receives KA and computes K = KAB = (α x) ymod pBA pK xA → = modαBA pK yB ← = modα Despite the widespread acceptance of Diffie-Hellman, it issusceptible to the man-in-the-middle attack Diffie, van Oorschot, and Wiener presented an authenticatedalternative to the original protocol in 1992
  13. 13. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 13N-Party Diffie-Hellman KeyAgreementN number of protocols participantsi, j, k protocol participants; i, j, k ∈ [1, n]Mi i-th group member; i ∈ [1, n]Ni random secret chosen by the member Miq order of the algebraic groupp large prime numberG unique subgroup of Z*pof order q with p, q primeα exponentiation base – the generator in the group GKn group key shared by n membersNotationDiffie-Hellman key agreement protocol was generalized to n participants
  14. 14. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 14N-Party Diffie-Hellman KeyAgreementKey Agreement Two stages – upflow and downflow Each member’s contributions are collected during the upflow stage, and theresultant intermediate values are broadcast to the group in the downflowstage, with large prime number p and α known to every oneSetup The setup for GDH is identical to that of two-party Diffie-Hellman: allparticipants, M1, . . ., Mn choose a cyclic group, G, of order q, and a generator,α in G; each member then chooses a secret share, Ni ∈ GUpflow During the upflow, each member Mi performs a single exponentiation,appends it to the flow, and forwards the flow to Mi+1 The upflow stage terminates and the downflow commences when Mi = Mn-1 , thelast member has received the upflow2)(11MMN →α1],1[|]),[|(+∈ →∏ ∈iiji MMjiKKNα1),...,,( ...21211+ → ii MMiNNNNNNααα3),(2211MMNNN → αα4),,(3321211MMNNNNNN → αααnn MMnNNNNNN →−−),...,,(11...21211 ααα
  15. 15. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 15N-Party Diffie-Hellman KeyAgreementUpon receipt of the upflow, Mn calculates the new group key, Kn, by exponentiation of the lastintermediate value in the flowOnce Kn has been calculated, Mn commences the downflowDownflowThe downflow is initially comprised of n-1 intermediate values,exponentiated to the nthgroup member’s secret, Nn and Mn sends the downflow to Mn-1),...,,( 221211 ... nnnn NNNNNNNNN −αααnn NNNNnKK )( 121 ... −== αnn MMnNnNNNnNNNnNN ←−−),...,,(12...21211 ααα1),...,,(213...2112111−−  ←−−−−nn MMnNnNnNNNnNnNNNnNnNNααα
  16. 16. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 16 Downflow The downflow is initially comprised of n-1 intermediatevalues, exponentiated to the nthgroup member’s secret, Nn and Misends the downflow to Mi-1 Upon receipt of the downflow, each member, Mi, removes itsown intermediate value,calculates the group key, ,exponentiates the remaining i-1 intermediate values in theflow, and forwards the flow to its predecessor, Mi-1N-Party Diffie-Hellman KeyAgreement),...,,( 221211 ... nnnn NNNNNNNNN −αααii MMiNiNNNnNiNNNnNiNN ←−−),...,,(12...21...21...1 ααα)( ...,,..., 1121 nii NNNNN +−αinii NNNNNNnK )( ...,..., 1121 +−= α,111 ... iinn NNNNN +−α
  17. 17. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 17Group Mutation The protocol depicts the key agreement protocol when all group membersare present Many contexts necessitate group mutation after the initial group has beenformed The group key must be changed whenever group membership changes The nthgroup member functions as the group controller for the memberaddition and deletion protocols Member Addition Mn generates a new secret, and this step may be removed from theprotocol if backward secrecy is not required, as simply preventsMn+1 from calculating the previous group key(s) Using , Mn computes a new upflow message of the form Mn sends the new upflow to the new member, Mn+1 Mn+1 receives the upflow and calculates the new group key, K = Kn+1 byexponentiating the previous cardinal value with its own share, Nn+1 Mn+1 then calculate n intermediate values and commence the downflowstage by sending the new intermediate values to MnnNˆnNˆnnk NNNNjkikNnjˆ...)],1[|( 121],,1[| −∈∏ ≠∧∈αα1),...,,( 1...21211+ →−nn MMnNNNNNNααα121)(ˆ...1+== +nn NNNNnKK α1,...,, 11...2112111+ ←+−++nn MMnNnNNNnNNNnNNααα
  18. 18. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 18Member Deletion Deleting a member from the group requires that the excluded memberwill not be able decrypt subsequent group messages and if Mp be themember to be removed, then the protocol works as follows The group controller, Mn, generates a new exponent, Using , Mn calculates a new set of n-2 sub-keys, such that Np isabsent, and broadcasts them to the group Each member receives the broadcast and calculates the new groupkey, as: Because Np is absent from , Mp is unable to determine the new group key Analysis It allows group members to generate and distribute a shared groupkey over an insecure medium Basic form of GDH is computationally complex, and does not scale In addition, the message size and the frequency demanded fromthe protocol require considerable bandwidth These requirements may be prohibitive Although GDH is a distributed paradigm, it heavily relies on agroup GDH is as secure as 2-Party Diffie-Hellman, the proof assumes apassive adversarynNˆnNˆnnpp NNNNNKˆ...... 1111ˆ ∗∗∗ −+−=α
  19. 19. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 19The Ingemarsson ProtocolOverview The Ingemarsson et al. (Ingemarsson protocol) protocol was the firstgeneralization of Diffie-Hellman algorithm The performance of this protocol has since been surpassed by more effectiveprotocolsDesign The design requires that group members be organized as a logical ring Each member of the group receives the intermediate value from its predecessor,exponentiates using its own share, and forwards the result to its successor After n-1 rounds, the protocol is complete, and each member calculates the groupkeyj = 1 {}j = 2 {N1} {N2}j = 3 {N1, N2} {N1,N3} {N2, N3}j = 4 (= n − 1) {N1, N2, N3} {N1, N2,N4} {N1,N2, N4} {N2, N3, N4}j = 5 (= n) {N1, N2, N3, N4} {N1, N2, N3,N5} {N1, N2, N4, N5} {N1, N3, N4, N5} {N2, N3, N4, N5}{z } basic trigon with exponent base α and all numbers mod p
  20. 20. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 20The Ingemarsson ProtocolThe Protocol Setup Prior to the first round of the protocol, all group members mustsynchronously form a ring This step requires each member to be apprised of its successorand predecessor, as well as the start time of the first roundKey Agreement {1, 2, 3, 4, …n} asComplexity As discussed earlier, the Ingemarsson protocol requires n-1rounds and at each round, n messages are sent – one by eachmember which yields the complexity of this process (the inputparameter, n, denotes the number of group members) as shownin Table 10.1nii MMinkijjNmod1)]},mod)[(|{(+ →∏ −∈αnjforg jxjj,...,2,1∈∏ ∈
  21. 21. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 21Complexity of the IngemarssonprotocolCharacteristic ComplexityNumber of rounds n – 1Number of messages n(n – 1)Exponentiations per member NTotal exponentiations n2Total message size n(n – 1)Analysis The Ingemarsson protocol is quite slow – the slowest of all protocols discussed Many of the design requirements make the resulting protocol quite restrictive Firstly, all members must join and form a ring synchronously Secondly, the protocol requires members to maintain their predecessor and successorat all times
  22. 22. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 22The Burmester and DesmedtProtocol Overview The Burmester and Desmedt protocol presents a much fastervariation of the generalized Diffie-Hellman The setup phase of the Burmester and Desmedt protocol isidentical to that of basic GDH, with integers p, q andα broadcasted to all members The Protocol Each participant, Mi, i ∈ [1, n] executes the following rounds: Mi generates a secret, Ni, and broadcasts the new key, , toall group members Each member, Mi, computes and broadcasts Mi mod n computes the new group key, Kn as: Complexity Burmester and Desmedt protocol provides a considerableimprovement This is achieved due to few rounds of messagesiNiz α=iNiiizzX )(11−+=ppXXXzKKrrrrrrrrinininNinnimodmod...1433221 ......22111++++−−+−− =∗∗== α
  23. 23. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 23Complexity of theBurmester and DesmedtProtocolCharacteristic ComplexityNumber of rounds 2Number of messages 2nExponentiations per member n + 1Total exponentiations n(n + 1)Total message size 2n Similar to the Ingemarsson protocol, the Burmester protocolrequires n + 1 exponentiations per group member Each exponentiation is significantly less complex However, implementations of the Burmester protocol are unlikely toachieve theoretical performance measures described above Sequential broadcasts do not compromise the security, they result indecreased performance
  24. 24. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 24The Hypercube ProtocolOverview Becker and Willie developed theHypercube and Octopus protocolsto lower bounds on thecommunication complexity ofDiffie-Hellman protocols The two protocols differ only intheir logical arrangement of groupmembersDesign The Hypercube Protocol requires2dparticipants, where d representsthe dimensions of the cube Each participant is logicallypositioned as a point in the cube;each edge of the cube depicts a keyexchanged dimensions of the cuben number of group members (n = 2d)vector representing each participant;∈ GF(2)dbasis of GF(2)d; i ∈ [1, d]random secret generated byparticipantq order of the algebraic groupp large prime numberG unique subgroup of Z *pof order qwith p, q primeα exponentiation base – the generator inthe group Gϕ bijection of the form ϕ: G → Z*pK group key shared by n membersvibrv
  25. 25. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 25Hypercube Protocol (d=2) Setup Each participant in the d-dimensional vector spaceGF(2)dchooses a basis of GF(2)dwith eachparticipant, , then generates its secret, Key Agreement Each participant, , performs a 2-Party Diffie-Hellman key exchange with During the ithround, each participant performs akey exchange with + and the participant usesthe result of the i-1 round as the secret The protocol terminates when i = d,since , ..., forms the basis of GF(2)dandevery participant can generate the shared key:vvvr1bvib v1bdb)(...)()( 14321 dvrdvrvrvrvrvrK ⋅−⋅⋅⋅⋅⋅= αϕαϕαϕα
  26. 26. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 26Hypercube Protocol ExampleFigure 10.1 – Example of the Hypercube protocol (d = 2))()( brardrcrαϕαϕα ⋅Ma McMbMdRound2)()( brardrcrαϕαϕα ⋅dc rrαMaMbMcMdRound1ba rrα
  27. 27. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 27Complexity of the HypercubeprotocolCharacteristic ComplexityNumber of roundsNumber of messagesExchanges per round nTotal exchangesnnn2nn Hypercube protocol imposes group members to perform parallel keyexchanges synchronously (difficult to achieve) Hypercube is extremely sensitive to network failures and memberdeparture Members must join and leave the group in powers of two so the cubestructure can be maintained Hypercube protocol provides an efficient approach to key management
  28. 28. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 28The Octopus Protocol Overview Hypercube protocol motivated Becker and Willie to develop amore flexible protocol The resulting protocol, named Octopus, allows an arbitrarynumber of group members to contribute to the group key While minimizing the number of messages and rounds, theOctopus protocol has a desirable communication complexity Design Topology of the Octopus protocol loosely models an octopus: 4nodes comprise the core of the group and are positioned as asquare Remaining nodes are logically positioned as tentacles off the fournodes The four core nodes perform 2-Party Diffie-Hellman with each ofthe tentacles attached to it Using the subkey generated from their tentacles, the four corenodes then perform the Hypercube protocol for d = 2 The group key is then sent to all tentacles in the octopus Figure 10.2 shows an example of a topology in the Octopusprotocol, with the corresponding elements described next
  29. 29. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 29Topology Example in the OctopusProtocolABCDP4P1P5P3P2P7P6P8IAICIB ID
  30. 30. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 30Octopus ProtocolNotationA, B, C, D controlling group MembersX central node; X ∈ {A, B, C, D}IX subgroup connected to x; IA, IB, IC, ID are pairwise disjointPi non-controlling participants; Pi ∈ {IA, IB, IC, ID }ri random secret generated by participant iQ order of the algebraic groupP large prime numberG unique subgroup of Z *pof order q with p, q primeα exponentiation base – the generator in the group Gϕ bijection of the form ϕ: G → Z *pK group key shared by n members
  31. 31. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 31 Setup All participants elect controlling nodes, A, B, C, D, and theremaining nodes establish membership in some IX A, B, C, D, Pi then choose a cyclic group, G, of order q, anda generator, α in G; each member then chooses a secretshare, ri ∈ G Key Agreement For all X ∈ A, B, C, D and all i ∈ IX, X and Pi perform 2-party Deffie-Hellman Controlling nodes, A, B, C, D perform the Hypercubeprotocol with d = 2 Each node uses the subkey generated during the previoussteps as its secret for the Hypercube rounds of this step: ra =K(IA), rb = K(IB), rc = K(IC), rd = K(ID) Thus, after performing the Hypercube rounds, A, B, C, Dhold the group key:Octopus Protocol Key Agreement)()( )()( DICIKBIAIKK∪∪⋅= αϕαϕα
  32. 32. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 32jIKIK BA )()( ∪α)( )( DICIK ∪αϕα)()()()( BAjKBAIIKjIIK∪∪= αα ϕ)()( )()()(BIAIKDICIKK∪∪= αϕαϕαjIKIK DC )()( ∪α)( )( BIAIK ∪αϕα)()()()( DCjKDCIIKjIIK∪∪=αα ϕ)()( )()()(DICIKBIAIKK∪∪= αϕαϕα3. Each controlling node now sends thepartial key to its subgroup:A. For all j ∈ IA:i. A sends Pj:ii. A sends Pj:iii. Pjcalculatesiv. Pjderives the group key:B. For all j ∈ ID:i. D sends Pj:ii. D sends Pj:iii. Pjcalculatesiv. Pjderives the group key:Octopus Protocol Key Agreement
  33. 33. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 33Complexity of the OctopusprotocolCharacteristic ComplexityMessagesExchangesSimple roundsSynchronous rounds 2 + ddn dd⋅+−⋅ 2)2(3dn dd⋅+−⋅ −12)2(2dndd+ −⋅222
  34. 34. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 34The CLIQUES Protocol Suite Overview The CLIQUES protocol remains one of the most effective andpopular key management paradigms in use today CLIQUES is comprehensive key management paradigm, whichincludes well-defined group semantics, four key agreementprotocols, an application programming interface (API), and anempirical analysis CLIQUES has been specifically designed to accommodate dynamicand fault-prone group settings Since its initial development, three additional variations of GDHhave been developed: GDH.2, GDH.3, and STR Design CLIQUES is largely event-driven; that is, it uses membershipevents (e.g., join, leave, and merge) to trigger key regeneration CLIQUES use a group controller group mutation events – add,remove, merge, partition, etc. However, the group controller is not solely responsible for keygeneration The controller may be a trusted third-party or make the newest oroldest member as the controller
  35. 35. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 35N, n number of protocol participantsi, j protocol participants; i, j ∈ [1, j]Mi i-th group memeber; i ∈ [1, n]ri random secret chosen by member Mibri Mi’s blinded session key;ki key shared by M1...Mjbkj blinded key shared by M1...Mj;Q order of the algebraic groupP large prime numberG unique subgroup of Z*pof order q with p, q primeα exponentiation base – the generator in the group GKn group key shared by n memberspbr iri modα=pbk jkj modα=The CLIQUES Protocol Suite
  36. 36. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 36GDH.2 Overview GDH.2 is a refinement of GDH.1 GDH.2 consists of an upflow and downflow n - 1 contributions are collected during the upflow stage; and the resultingintermediate values are broadcast to the group during the downflow Setup Members of the group select p, q, G, and α Each member is assigned a sequential identifier in 1...n Mn assumes the role of the group controller Key Agreement Each Mi selects a random secret, ri∈ Mi receives the upflow, exponentiates each intermediate value, adds a newintermediate value that excludes its own contributions, updates thecardinal value, and forwards the upflow to Mi +1: Mn receives the upflow from Mn-1, calculates the group key from thecardinal value, exponentiates all intermediate values, and broadcast therevised intermediate values to the group: Each member receives the broadcast message from Mn, extracts its intermediatevalue, and exponentiates it using its secret, ri, to calculate the group key K:∗qZ1],,1[| ...1...1+∈ → iiji MMirrjrirrααnniMALLirrirnrr ← ∈ ...1...1],,1[| ααinnii rrrrrrrK )( 11121 ...... −+− ⋅⋅⋅⋅⋅⋅= α
  37. 37. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 37Table 10.5 – Complexity ofGDH.2Characteristic ComplexityMessages nRounds nMessage sizeExponentiations permemberTotal exponentiations1)22)(1( −+−nn)()1( nOi −+12)3(−+ nn
  38. 38. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 38GDH.3 Overview Try to reduce the number of exponentiations required Setup Members of the group select p, q, G, and α Each member is assigned a sequential identifier in 1...n Key Agreement First state is identical to upflow of GDH.1: each memberreceives upflow, adds its contribution, and forwards it to itssuccessor Mn receives the upflow from Mn-1, calculates the group key fromthe cardinal value, exponentiates all intermediate values, andbroadcast the revised intermediate values to the group: The third stage is the nthround, which entails a response fromevery group member In the final stage, Mn collects all responses, exponentiates them torn, and broadcasts all intermediate values to the group1]},1[|{+ →∏∈ii MMikkrα1]}1,1[|{− ←∏ −∈ni MMnkkrαni MMiknkkr →∏ ≠−∈ }];1,1[|{αnnii MMiknkkr ←−∈∏ ≠∈]}1,1[|{}];,1[|{α
  39. 39. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 39Complexity of GDH.3Characteristic ComplexityMessages 2n – 1Rounds n + 1Message size 3(n – 1)Exponentiations per member 4Total exponentiations 5n – 6 The GDH.3 protocol provides considerable enhancements overGDH.1 and GDH.2 with its constant message sizes andcomparatively fewer exponentiations per member GDH.3 does require the group controller, Mn, to perform nexponentiations This may be the source of a computational bottleneck in ad hocnetworks
  40. 40. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 40STR Overview and NotationN<j> tree node jIN <l> internal tree node at level lLN<i> leaf node associated with member MiT <i> tree of member MiBT <i> tree of member Mi including its blinded keys The GDH.1, GDH.2, and GDH.3 protocols have been designed forrelatively small groups They do not scale well in the context of larger groups To accommodate wide area groups, a tree-based protocol called STR isdeveloped Although the protocol can be used in small, proximal settings, it is best-suited for wide area networks
  41. 41. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 41STR Notation Examplek4k3, bk3 r4, br4k2, bk2 r3, br3r2, br2IN<4>IN<3>IN<2>IN<1>LN<4>LN<3>LN<2>LN<1>1111,bkbrkrCharacteristics ComplexityMessages 2Rounds 1Exponentiationsper member2Totalexponentiations2n CLIQUES provide an elegant solution togroup key management Key generation overhead is distributed As many as M + 1 messages may be sentfor a single rekey event Each member receives M + 1 broadcastmessages Member leaves and evictions will beannounced about these and as thepredecessor and successor of the removedmember must be notified, such updatessignificantly increase the complexity
  42. 42. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 42The Tree-based GeneralizedDiffie-Hellman ProtocolOverview CLIQUES takes time to generateand distribute the group key Recall that Mn must wait for n-1members exponentiate theimmediate and the cardinal values The Tree-based Generalized Diffie-Hellman (TGDH) key agreementprotocol structures key generationhierarchically The tree-based key agreementalgorithm is identical to CLIQUESto generate the keys (Diffie-Hellman) TGDH provides a secure grouplayer that would supportcontributors structured as treenodes onlyn number of group membersH height of the key tree<l, v> v-th node at level l in thetreeM i ith group member, where i∈ [1, n]Ti Mi’s view of the key treeMi’s modified tree after themembership operationp, q prime integersα exponentiation baseiTˆNotations
  43. 43. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 43 Each node in the key tree, <l, v>, has a key, Kl,v, a blinded key, BKl,v,and member, Mi, associated with it A blinded key is simply the modular exponentiation of the key inprime order groups (i.e., BKl,v = αkmod p) Each Kl,v is computed recursively as follows: Computing Kl,v requires knowledge of one child’s key and the other’sblind key It is important to note that the key tree does not actually contain thegroup key; rather, the composition of all of the nodes in the tree formsthe group secret from which the group key is derived A cryptographically strong, one-way hash function is used to performthis derivation The key path for a given node, i, is composed of every key that residesin the path from i to the root node, inclusive The co-path is composed of all of the siblings of nodes that appear inthe key-path A node, <l, v>, uses the blinded keys in its co-path and its own key toderive the group secretThe Tree-based GeneralizedDiffie-Hellman ProtocolDesignpK vlvl KKvl mod12,12,1,>++<>+< ∗=α
  44. 44. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 44Secure Routing Security services in the MANET faces a set of challenges specificto its environment. The insecurity of the wireless links, energy constraints,relatively poor physical protection of nodes in a hostileenvironment, and the vulnerability of statically configuredsecurity schemes have been identified as challenges Nevertheless, the single most important feature thatdifferentiates MANET is the absence of a fixed infrastructure There is no guarantee that a path between two nodes would befree of malicious nodes Currently MANET routing protocols cannot cope up withdisruptions due to malicious behavior Any node could claim to be one hop away from the soughtdestination Alternatively, a malicious node could corrupt any in-transitroute request (or reply) packet to be misrouted Even a small number of adversarial nodes could compromiseroutes, and would incur arbitrary delays Intentionally falsified routing messages would result in a DoS
  45. 45. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 45Problems Affecting Secure Ad HocRouting Infrastructure In an ad hoc network, there is no pre-deployed infrastructure Frequent Changes in Network Topology Nodes may frequently change their locations This results in frequently changing neighbors on whom a node has to rely for routing Wireless Communication As the communication is through a wireless medium, it is possible for any intruder to easilytap it Wireless channels offer poor protection and routing related control messages can betampered The wireless medium is susceptible to signal interference, jamming, eavesdropping anddistortion Problems with Existing Ad Hoc Routing Protocols Routing security is very often peculiar to a specific protocol A given vulnerability may or may not be present in a given protocol Implicit Trust Relationship amongst Neighbors Most ad hoc routing protocols depend on neighboring nodes to route packets This naive trust model allows malicious nodes to paralyze an ad hoc network by insertingerroneous routing updates, replaying old messages, changing routing updates or advertisingincorrect routing information Throughput Ad hoc networks maximize total network throughput by using all available nodes forrouting and forwarding However, a node may misbehave by agreeing to forward packets and then fail to do so,because it is overloaded, selfish, malicious or out of service Average loss in throughput due to a single node may not be too high but may besignificantly high if group attack
  46. 46. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 46S A B C D XM(a) – Malicious node M announces a shorter route to node XS A B C D XM(b) – Traffic destined to node X goes to nodeM We assume that that nodes do not alter the messages passing through them Since the level of trust in a traditional ad hoc network cannot be measuredor enforced, compromised nodes may intercept and filter routing protocolpackets to disrupt communication Malicious nodes can easily cause redirection of network traffic and DoSattacks by simply altering these fieldsAttacks using Modification ofProtocol Message Fields
  47. 47. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 47Redirection Effect Remote Redirection with Modified Route Sequence Number (AODV) Remote redirection attacks are also called black hole attacks A malicious node uses the routing protocol to advertise itself as theshortest path to those nodes whose packets it wants to intercept In AODV, any node may divert traffic through itself simply by advertisinga route to a node with a destination sequence number greater than theauthentic (or actual) value Redirection with Modified Hop Count (AODV) A redirection attack is also possible in certain protocols, such as AODV,by modification of the hop count field in the route discovery messages When routing decisions cannot be made by other metrics, AODV uses thehop count field to determine the shortest path Once the malicious node has been able to insert itself, it is able to do nearlyanything with the packets exchanged between them Denial of Service with Modified Source Routes A Denial of Service attack is also possible in the DSR routing protocol,which explicitly states routes in data packets A simple Denial of Service attack can be launched by altering the sourceroutes in packet headers Modification to source routes in DSR may also include introduction ofloops in the specified path Attacks using Impersonation Current ad hoc routing protocols do not authenticate the source IPaddress A malicious node can launch many attacks by altering its own MAC or IPaddress, with the goal of pretending to be some other node
  48. 48. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 48Different Attacks Attacks using Fabrication Generation of false routing messages is termed as fabrication of messages Falsifying Route Error Messages (AODV or DSR) AODV and DSR implement path maintenance measures to recover brokenroutes whenever nodes move If the destination node or an intermediate node along an active pathmoves, the node upstream of the link breakage broadcasts a route errormessage to all active upstream neighbors The vulnerability here is that routing attacks can be launched by sendingfalse route error messages Route Cache Poisoning in DSR This is a passive attack that can occur in DSR due to its optionalpromiscuous mode of updating routing tables This occurs when information stored in the routing table at routers isdeleted, altered or injected with the false information A node overhearing any packet may add the routing informationcontained in that packet header to its own route cache, even if that node isnot on the path from a source to a destination Routing Table Overflow Attack The attacker attempts to create routes to non-existent nodes The goal is to create enough routes to prevent new routes from beingcreated Proactive routing algorithms attempt to discover routing informationcontinuously, while reactive algorithms create only when they are needed This makes proactive algorithms more vulnerable to routing tableoverflow attacks
  49. 49. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 49Impact of Attacks Detect and Isolate Misbehaving Nodes Misbehaving nodes can affect the network throughputadversely Existing ad hoc routing protocols do not include anymechanism to identify these misbehaving nodes and need todefine A node may appear to be misbehaving while encounteringtemporary problem such as overload or low battery Information Leaking on Network Topology Ad hoc routing protocols carry routes discovery packets inclear text (e.g., AODV and DSR) By analyzing these packets, any intruder can find out thestructure of the network The attacker knows which nodes are adjacent to the targetand attack can be carried out passively Lack of Self-Stabilization Routing protocols should be able to recover from an attackin finite time An intruder should not be able to permanently disable thenetwork
  50. 50. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 50Secure Routing Protocols Current efforts are mainly oriented to reactive (on-demand) routing protocolssuch as DSR or AODV as have significantly lower overheads Node selfishness (described later) also needs to be addressed Prerequisite for all available solutions implies a managed environment Major secure routing protocols for ad hoc networks can be classified into fourcategories: Those using pre-deployed security infrastructure Those aiming at concealing the network topology Those targeting at mitigating node misbehavior Other routing protocols Assumptions for Using Pre-Deployed Security Infrastructure The type of ad hoc environment is called managed-open environment Nodes wishing to communicate can exchange initialization parametersbeforehand, perhaps within the security of an infrastructured network ARAN Protocol The Authenticated Routing for Ad-hoc Networks (ARAN) introducesauthentication, message integrity and non-repudiation in an ad hocenvironment. ARAN makes use of cryptographic certificates for authentication and non-repudiation Route discovery in ARAN is composed of two distinct stages: the first stageis simple and requires little extra work from peers, while the second stage isoptional by increasing nodes security of their routing Described in the next slide
  51. 51. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 51Stage 1 of ARAN Preliminary Certification ARAN requires a trusted certificate server, T Before entering the ad hoc network, each node requests a certificate from T For example, the certificate is issued by T to a given node A would be: T → A: CertA = [IPA, KA+,,t,e]KAT- The certificate contains the IP address of A (IPA), the public key of A (KA+), atimestamp t of when the certificate has been created, and the time e at whichthe certificate expires All nodes in the network must know public key (KT+) of T End-to-End Authentication To enable source node to verify if intended destination has been reached The behavior of the various nodes in ARAN during the route discoveryprocedure in two separate parts: Route Request and Route Reply Suppose a source node A wants to find a route to a destination node X Route request (RREQ) packet (e.g., in on-demand protocols) to its neighbors inthe following form: A → broadcast: [RREQ, IPX, CertA, NA, t] KA- Each time node A initiates a route discovery, it increases its nonce (i.e., NA) Other nodes receiving the RREQ packet store the nonce they have last seenwith its corresponding timestamp Intermediate nodes record from which neighbor RREQ packet was received It then rebroadcasts the RREQ packet to each of its neighbors, signing thecontents of the packet This signature prevents spoofing attacks that may alter the route Let B be a neighbor of node A Node B would rebroadcast the packet as: B → broadcast: [[RREQ, IPx, CertA, NA, t]KA-]KB-, CertB
  52. 52. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 52 Nodes do not rebroadcast duplicate packets Supposing node C is a neighbor of node B, it validates the packet signaturewith the given certificate upon receipt of node B’s broadcast Node C then rebroadcasts the RREQ to its neighbors after removing node B’ssignature, resulting in:C → broadcast: [[RREQ, IPX, CertA, NA, t] KA_] KC-, CertC Upon receipt of the first RREQ packet with the corresponding nonce at thedestination node X, it replies back to the source with a route reply (RREP) Assuming node D is the first hop in the reverse path, RREP sent by node Xtakes the form X → D: [RREP, IPA, CertX, NA, t]KX- Intermediate nodes receiving the RREP forward it to the predecessor nodefrom which they received the corresponding RREQ All RREP packets are signed by the sender Let node D’s next hop back to the source be node C, then RREP sent by node Dis: D → C: [[RREP, IPA, CertX, NA, t]KX-]KD-, CertD Nodes along the path check the signature of the previous hop as the RREP isreturned to the source This procedure avoids attacks where malicious nodes instantiate routes byimpersonation or replay of node X’s packet When the source node A receives the RREP from the destination node X, itfirst verifies that the correct nonce has been returned by the destination as wellas the destination’s signature Disadvantages: ARAN requires that nodes keep one routing table entry persource-destination pair that is currently activeStage 1 of ARAN
  53. 53. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 53Stage 2 Stage two is performed only after discovery of shortest path in Stage one Data transfer can be pipelined with the shortest path discovery operation employed inStage two Using the same example, the source node A initiates the shortest path discoveryoperation by broadcasting a Shortest Path Confirmation (SPC) message to itsneighbors as: A → broadcast: SPC, IPX, CertX, [[IPX, CertA, NA, t] KA-]KX+ The SPC signed message is then encrypted with node X’s public key so that othernodes cannot modify its contents Intermediate nodes receiving this message rebroadcast the same after including itsown cryptographic credentials The message rebroadcast by node B would be: B → broadcast: SPC, IPX, CertX, [[[[IPX, CertA, NA, t]KA-] KX+] KB-, CertB] KX+ Nodes receiving the SPC packet create entries in their routing table This entry also serves to route the reply packet from the destination to the sourcealong the reverse path Destination node X checks that all the signatures are valid Node X replies to the first SPC it receives and also to any SPC with a shorterrecorded path. Then, it sends a Recorded Shortest Path (RSP) packet to the sourcenode A through its predecessor node, say D X → D: [RSP, IPA, CertX, NA, route]KX- The source node A will eventually receive this packet and verify that the noncecorresponds to the SPC originally generated Advantages: The onion-ring like signing of messages prevents nodes in betweensource and destination from changing the pathStage 2 of ARAN
  54. 54. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 54Route Maintenance When an existing route is not used after some pre-specified lifetime, it issimply deactivated (i.e., expired) in the route table Nodes also use Error (ERR) packets to report links that are broken For a given route between source A and destination X, an intermediatenode B generates a signed ERR packet for its neighbor node C as follows:B → C: [ERR, IPA, IPX, CertC, NB, t]KB-Key Revocation ARAN attempts a best effort key revocation with limited time certificates If a certificate needs to be revoked, the trusted certificate server, node T,sends a broadcast message The transmission appears as:T → broadcast: [revoke, CertR]KT- Any node receiving this message rebroadcasts it to its neighbors Revocation need to be stored until the revoked certificate has expired Neighbors of the node with the revoked certificate may need to rebuildtheir routes so as to avoid paths passing through the now untrusted node If an untrusted node whose certificate is being revoked is in between twoother nodes, it may simply not propagate the revocation message In order to deliver the packet, node S sends it to the first security agentSA1 which decrypts the outer most encapsulation and forwards the packetto the next agent Each SA knows only the address of the previous and the next hop. The lastagent finally decrypts the message and forwards it to node R. This schemeintroduces a large amount of overhead and hence is not preferred forroutingARAN
  55. 55. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 55Concealing Network Topology Using Independent Security Agents: non-disclosure method (NDM) In NDM, a number of independent security agents (SA) are distributed Each of these agents SAi owns a pair of asymmetric cryptographic keys KSAiand KSAi- Suppose node S wishes to transmit a message M to a receiver node Rwithout disclosing its own location Node S sends the message using a number of SAs, such as: SA1  SA2  …SAN  R The message is encapsulated N times using the public keys KSA1…KSAn asfollows: M’ = KSA1(SA2, (KSA2 (SA3 (…(KSAN(R, M))…))))Utilizing Zones ZRP protocol is a hierarchical algorithm where the network is divided intozones which operate independently from each other Such a hierarchical routing structure is favorable since it should be able toconfine certain problems to small portion of the hierarchy ZRP has some features that appear to make it somewhat less susceptible torouting attacks Its hierarchical organization hides some of the routing information withinthe zones In addition, this zone organization provides some form of security againstdisclosing network topology Therefore, utilization of zones may help against security attacks and limittheir damageARAN
  56. 56. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 56Identifying and AvoidingMisbehaving Nodes Assumptions Wireless links are bi-directional It assumes support for promiscuous mode of operation This assumption helps the nodes to supervise eachother’s operation The third assumption is that the underlying routingprotocol is DSR Overview of the Mechanisms The watchdog identifies misbehaving nodes, while thepathrater avoids routing packets through these nodes When a node forwards a packet, the node’s watchdogverifies that the next node in the path also forwards thepacket This is done by listening promiscuously to the nextnode’s transmissions The pathrater uses this knowledge of misbehavingnodes to choose the network path that is most likely todeliver packets
  57. 57. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 57Identifying and AvoidingMisbehaving Nodes Watchdog The watchdog method is used to detect misbehaving nodes Assume node S is transmitting packets to node D Further assume that node A’s transmission cannot be heard by node C, but it can listen to nodeB’s traffic If encryption is not performed separately for each link, then node A can also tell if node B hastampered with the packet payload or the header If the packet is in the buffer, it can be removed and no longer monitored by the watchdog, as ithas been forwarded on If the packet has remained in the buffer for longer than a certain timeout, the watchdog sends amessage to the source notifying it of the misbehaving station Ambiguous collision The ambiguous collision problem prevents a given node, say A, from overhearing transmissionsfrom another node, say B A packet collision occurs at node A while it is waiting for node B to forward a packetS A B C DS A B C D
  58. 58. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 58WatchdogReceiver collision In the receiver collision problem, node A can only tell whether node B sends thepacket to node C, but it cannot tell if node C receives it successfully. If a collision occurs at node C when node B first forwards the packet, node A can onlydetermine that node B has forwarded the packet and assumes that node C hassuccessfully received itS A B C DFalse misbehavior: This occurs when nodes falsely report other nodes as misbehaving A malicious node could attempt to partition the network by claiming that some nodesfollowing it in the path are misbehaving For instance, node A could report that node B is not forwarding packets when in fact ithas done so This will cause node S to mark node B as misbehaving while node A is the culpritS A B C D
  59. 59. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 59Watchdog and Pathrater False Misbehavior Misbehaving node with transmission power control, can circumvent thewatchdog Multiple colliding nodes Multiple nodes in collision can mount a more sophisticated attack For example, nodes B and C in Figure 10.5 could collide so as to cause a mischief Partial dropping A node can also circumvent the watchdog by dropping packets at a lower ratethan the watchdog’s configured minimum misbehavior threshold Pathrater Just like the watchdog, the pathrater is run at each node Each node maintains a rating for every other node it knows about It then calculates a path metric by averaging the node ratings over that path If there are multiple paths to the same destination, the path with the highestmetric is chosen When a node in the network becomes known to the pathrater (through routediscovery), the pathrater assigns it a “neutral” rating of 0.5 A node always rates itself with 1.0 The pathrater increments the ratings of nodes on all actively used paths by 0.01at periodic intervals of 200 ms, with a maximum value of 0.8 The node’s rating is decremented by 0.05 when a link breakage is detected andthe lower bound is 0.0
  60. 60. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 60Security-Aware Ad Hoc Routing This makes use of trust levels to make informed, secure routing decisions SAR does not take path length into account when establishing routes, whilesecurity attributes are the main criteria for selecting appropriate routes A node initiating route discovery sets the desired security level for theroute, i.e., the required minimal trust level for participating nodes Nodes at each trust level share symmetric encryption keys Intermediate nodes of different levels cannot decrypt in-transit routingpackets and simply drop the packet they cannot understand Only the nodes with the correct key can read the packet header, determinethe destination node, and forward itSDSecurerouteShortest routeNetwork nodeSecure node(with key)
  61. 61. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 61Secure Routing Protocol Secure Routing Protocol (SRP) has been conceived as an extension thatcan be applied to a multitude of existing reactive routing protocols Assumptions A Security Association (SA) exists between the source node, say S,and the destination node, say D One way of establishing this SA is by negotiating a shared secret keybased on the public key of other end Each end host chooses a secure communication scheme and, shouldbe able to authenticate each other SA would be established by any of the group key exchange schemes The existence of SAs with intermediate nodes is unnecessary Broadcast nature of the radio channels requires transmissions to bereceived by all neighbors by operating in promiscuous mode3M1SM21 4562D
  62. 62. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 62SRP Functional Algorithm Node source S wants to find a route to destination D with a established SA In this scenario, node S initiates the route discovery procedure byconstructing a RREQ packet with a uniquely identified random queryidentifier (RND#) and a sequence number (SQ#) Node S then constructs a Message Authentication Code (MACO) which is ahash of the source, the destination, the random query identifier, the sequencenumber, and KSD, i.e., MACO = hash(S, D, RND#, SQ#, KSD) Intermediate nodes relay RREQ, and append their identifiers (IP addresses)to the RREQ packet The destination node D then calculates a MACO covering the RREP contentsand returns the packet to node S over the reverse route SRP guarantees that message integrity is preserved and data confidentialitycan be implemented by encrypting the packet with shared key KSD Let M1 and M2 be two malicious intermediate nodes in the ad hoc network We denote the query request as a list {QSD; n1, n2, …, nk}, where QSD denotes theSRP header for a search query for the destination node D, initiated by node S In addition, ni, i ∉ {1, k}, are the IP addresses of the intermediate nodes,where n1= S, nk= D Similarly, a route reply is denoted by {RSD; n1, n1, …, nk}, with similarparameters
  63. 63. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 63Case 1 When node M1 receives {QSD; S}, it tries to mislead node S by generating {RSD; S, M1, D} and fakes thatdestination D is its neighbor This is possible in a regular routing protocol, but not in SRP as only node D can generate the MACOwhich is verified by node SCase 2 If node M1 discards request packets that it receives from node S, it narrows the topology view of S At the same time, it removes itself from node S’s view and cannot cause harm to data flows originatingfrom node SCase 3 When M1 receives {RSD; S, 1, M1, S, 4, D}, it tampers its contents and relays {RSD; S, 1, M1, Y, D}, where Ycan be any arbitrary sequence of nodes SRP overcomes this attack given that node S will readily discard the reply due to the integrity protectionprovided by the MACOCase 4 When node M2 receives {QSD; S, 2, 3}, it corrupts the accumulated route and relays {QSD; S, X, 3, M2} to itsneighbors, where X is a false IP address This request arrives at node D, which constructs the reply and routes it over {D, M2, 3, X, S} towards thesource node S However, when node 3 receives the reply it cannot forward it any further as X is not its neighbor and thereply is droppedCase 5 If node M2 replays route requests, intermediate nodes will discard these as they maintain a list of queryidentifiers seen in the past As we have seen, the query identifier is a random number so that it cannot be easily guessed by themalicious nodesCase 6 If node M1 attempts to forward {QSD; S, M1*}, i.e., M1 attempts to spoof its IP address, node S wouldaccept {RSD; S, M1*, 1, 4, D} as a possible route However, the connectivity information conveyed by such a reply is correct In this case, packets would be discarded when relayed by the same data link interface, i.e., same MACaddress with more than one different IP addressSRP Functional Algorithm
  64. 64. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 64Attacks on SRP andARIADNE Tunneling If two nodes collide during the route request and reply phases of a single route discovery, thenthe protocol could be attacked For example, if M1 in Figure 10.9 received a route request, it tunnels to M2, i.e., it can discover aroute to M2 and send the request encapsulated in a data packet Then, M2 would broadcast a request with the route segment between M1 and M2 falsified suchas, for example, {QSD; S, M1, Z, M2} The destination node D will receive the request and construct a reply which is routed as {D, M2,Z, M1, S} M2 then receives the reply and tunnels it back to M1, which returns it to the source node S As a result, the connectivity information is only partially correct Replay If node M1 rewrites the RND# with some other random number, its neighbors will think that itis a genuine packet and will keep on forwarding it Only when the packet reaches the destination, can this misuse be detected using the MACO ARIADNE On-demand protocol based on DSR that relies only on highly efficient symmetric cryptography A route discovery process can authenticate the initiator, each intermediate node on the path tothe destination ARIADNE needs some mechanism to bootstrap authentic keys required by the protocol Each node needs a shared secret key (KS,D is the shared key between a source S and adestination D) with each node it communicates with at a higher layer, an authentic TimedEfficient Stream Loss-tolerant Authentication (TESLA) key for each node ARIADNE provides point-to-point authentication of a routing message using a MACO and ashared key between the two parties Authentication of a broadcast packet such as RREQ, ARIADNE employs the TESLA broadcastauthentication protocol. In ARIADNE, the basic RREQ mechanism is enriched with eight fields used to provideauthentication and integrity to the routing protocol: <ROUTE REQUEST, initiator, target, id, time interval, hash chain, node list,MAC list>
  65. 65. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 65ARIADNE The initiator and target are set to the address of the initiator and the target nodes,respectively As in DSR, the initiator sets the id to an identifier that it has not recently been used ininitiating a Route Discovery The time interval is the TESLA time interval at the pessimistic expected arrival time ofthe request at the target, accounting for clock skew The initiator of the request then initializes the hash chain to (initiator, target, id, timeinterval) and the node list and MACO list to empty lists When any node A receives a RREQ for which it is not the target, the node checks itslocal table of <initiator, id> values from recent requests The node also checks whether the time interval in the request is valid The node modifies the request by appending its own address (A) to the node list in therequest, replacing the hash chain field with H [A, hash chain], and appending a MACOof the entire REQUEST to the MACO list The node uses the TESLA key KAi to compute the MACO Finally, the node rebroadcasts the modified RREQ, as in DSR When the target node receives the RREQ, it checks the validity of the request and thatthe hash chain field is equal to: H [ηn, H [η n-1, H [..., H [η1, (initiator, target, id, time interval)]...] ] ], where ηi is thenode address at position i, and n is the number of nodes in the node list If the target node determines that the request is valid, it returns a RREP to the initiatorcontaining eight fields: <ROUTE REPLY, target, initiator, time interval, node list,MACO list, target MACO, key list> The RREP is then returned to the initiator of the request along the source routeobtained by reversing the sequence of hops in the node list of the request. When the initiator receives a RREP, it verifies that each key in the key list is valid, thatthe target MACO is valid, and that each MACO in the MACO list is valid
  66. 66. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 66SEAD A proactive secure routing protocol is based on the DSDV protocol Secure Efficient Ad hoc Distance vector routing protocol (SEAD) is inspired by the DSDV-SQversion of the DSDV protocol SEAD deals with attackers that modify routing information broadcasted during the updatephase of the DSDV-SQ protocol Replay attacks are also taken into account SEAD makes use of efficient one-way hash chains rather than relaying on expensive asymmetriccryptography operations SEAD assumes some mechanism for a node to distribute an authentic element of the hash chain Key distribution relies on a trusted entity that signs public key certificates for each node; eachnode can then use its public key to sign a hash chain element and distribute it The basic idea is to authenticate the sequence number and metric of a routing table updatemessage using hash chains elements Each node uses a specific authentic (i.e., signed) element from its hash chain in each routingupdate that it sends about itself (metric 0) Based on this initial element, the one-way hash chain provides authentication for the lowerbound on the metric in other routing updates for that node The use of a hash value corresponding to the sequence number and metric in a routing updateentry prevents any node from advertising a route to some destination, claiming a greatersequence number than that destination’s own current sequence number When a node receives a routing update, it checks the authenticity of the information for eachentry in the update using the destination address, the sequence number and the metric of thereceived entry, together with the prior authentic hash value received from that destination’shash chain The source of each routing update message in SEAD must also be authenticated Two different approaches are possible to provide node authentication: the first is based on abroadcast authentication mechanism such as TESLA, and the second is based on the use ofMessage Authentication Codes
  67. 67. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 67The Wormhole Attack In a wormhole attack, a malicious node can record packets (or bits) at one location inthe network and tunnel them to another location through a private network sharedwith a colluding malicious node A dangerous threat can be perpetrated if a wormhole attacker tunnels all packetsthrough the wormhole honestly and reliably since no harm seems to be done However, when an attacker forwards only routing control messages and not datapackets, communication may be severely damaged. This attack prevents routes more than two hops long from being discovered, as RREPmessages would arrive at the source faster than any other replies or, worse, RREQmessages arriving from other nodes next to the destination than the attacker wouldbe discarded since already seen Temporal leashes or Geographical leashes are used to calculate delay bounds on apacket In some special cases, wormholes can also be detected through techniques that do notrequire precise time synchronization nor location information For example, it would be sufficient to modify the routing protocol used to discoverthe path to a destination so that it could handle multiple routes: a verificationmechanism would then detect anomalies when comparing the metric (e.g., number ofhops) associated with each route Any node advertising a path to a destination with a metric considerably lower thanall the others could be branded as a suspect of a wormhole Furthermore, if the wormhole attack is performed only on routing information whiledropping data packets, other mechanisms can be used to detect this misbehavior When a node does not correctly participate in the network operation by not executinga particular function, a collaborative monitoring technique can detect and graduallyisolate misbehaving nodes
  68. 68. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 68Cooperation in MANETs There is no reason to assume that the nodes in the network will eventuallycooperate with one another since network operation consumes energy, aparticularly scarce resource in a battery powered environment like MANETs. The new type of node misbehavior that is specific to ad hoc networks is caused bythe lack of cooperation and goes under the name of node selfishness A selfish node does not directly intend to damage other nodes with active attacks(mainly because performing active attacks can be very expensive in terms ofenergy consumption) but it simply does not cooperate to the network operation,saving battery life for its own communications Damages provoked by selfish behavior can not be underestimated: a simulationstudy shows the impact of a selfish behavior in terms of global networkthroughput and global communication delay Simulation results show that even few selfish nodes leads to severe performancedegradation Any security mechanism ought to focus on both the routing and the packetforwarding function Schemes that enforce node cooperation in a MANET can be divided in twocategories: the first is currency based and the second uses a local monitoringtechnique The currency based systems are simple to implement but rely on a tamperproofhardware The main drawback is in establishing how the virtual currency has to beexchanged On the other hand, cooperative security schemes based on local monitoring ofneighbors can evaluate a metric that reflects nodes’ behavior Based on that metric, a selfish node can be gradually isolated from the network
  69. 69. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 69CONFIDANT The CONFIDANT (Cooperation Of Nodes, Fairness In Dynamic Ad hoc NeTworks)cooperation mechanism detects malicious nodes by means of observation or reportsabout several types of attacks, thus allowing nodes to route around misbehaved nodesand thereby isolate them. Nodes are provided with: A monitor for observations Reputation records for first-hand and trusted second-hand observations aboutrouting and forwarding behavior of other nodes Trust records to control trust given to received warnings A path manager to adapt their behavior according to reputation and to take actionagainst malicious nodes The dynamic behavior of CONFIDANT is as follows: Nodes monitor their neighbors and change the reputation accordingly If they have some reason to believe that a node is misbehaving, they can take actionin terms of their own routing and forwarding When a node receives such an ALARM either directly or by promiscuously listeningto the network, it evaluates how trustworthy the ALARM is based on the source ofthe ALARM and the accumulated ALARM messages about the node in question It can then decide whether to take action against the misbehaved node in the form ofexcluding routes containing the misbehaving node, re-ranking paths in the pathcache, reciprocating by non-cooperation, and forwarding an ALARM about thenode Simulations with nodes that do not participate in the forwarding function have shownthat CONFIDANT can cope well, even if half of the network population acts maliciously Further simulations on the effect of second-hand information and slander have shownthat slander can effectively be prevented while still retaining a significant detectionspeed-up over using merely first-hand information The limitations of CONFIDANT lie in the assertion that the reputation is based on thedetection
  70. 70. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 70Token-Based Each node of the ad hoc network has a token in order to participate in the networkoperations, and its local neighbors collaboratively monitor to detect any misbehavior inrouting or packet forwarding services Upon expiration of the token, each node renews its token via its multiple neighbors A well-behaving node accumulates its credit and renews its token less frequently The security solution is composed of four components: Neighbor verification: describes how to verify whether each node in the network is alegitimate or malicious node Neighbor monitoring: describes how to monitor the behavior of each node in thenetwork and detect occasional attacks from malicious nodes Intrusion reaction: describes how to alert the network and isolate the attackers Security enhanced routing protocol: explicitly incorporates the security informationcollected by other components into the ad hoc routing protocol In the token issuing/renewal phase, it is assumed a global secret key (SK)/public key (PK)pair, where PK is well known by every node of the network SK is shared by k neighbors who collaboratively sign the token requested or renewed bylocal nodes. On the other hand, token verification follows three steps: Identity match between the nodes’s ID and the token ID Validity time verification Issuer signature If the token verification phase fails, the corresponding node is rejected from the network Routing security relies on the redundancy of routing information However, the proposed solution possesses some drawbacks Bootstrap phase for generating a valid collection of partial tokens has some limitations The number of neighbors necessary to have every partial token has to be at least k Frequent changes in the local subset can cause high computational overhead Spoofing attacks, where a node can request more than one token based on differentidentities, are not taken into account
  71. 71. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 71Wireless Sensor Networks Each sensor node can exchange information with other nodes within a short range WSN Security Strong security requirements for military applications are often combined with an inhospitable andphysically unprotected environment In commercial applications, privacy protection is as important as security and reliability On sensor nodes level, the main constraints are the limited battery power, limited memory size andshort radio transmission range On network level, the main constraints are the limited pre-configuration, ad hoc networking and theintermittent connectivity Key distribution and Management Traditional protocols can not be used directly due to inherent properties and limited recourses Need to scale to a large number of sensor nodes To propagate data via multi-hop mode, each sensor node needs to set up keys with its neighbors Secrecy and Authentication To prevent eavesdropping, injection, and modification of data packets, cryptography is required Hardware cryptographic support may achieve computational efficiency Software cryptography provides same secrecy and authentication with only 5%~10% overhead Computations can be overlapped with transmission Privacy Malicious parties can deploy secret surveillance networks to spy on unaware victims Societal norms, laws and technological responses need to be adopted to protect privacy Secure Routing Most of current routing protocols are vulnerable Denial-of-service on the routing protocol can easily prevent the network’s communication Secure Data Aggregation Data aggregation can be taking place in any places and all aggregation locations should be secured Denial of Service An adversary can disrupt is broadcasting a high enough energy signal to jam the entire system The adversary also can inhibit communication by violating the 802.11 MAC protocols Resilience to Node Capture Sensor nodes might be physically captured by the attacker Then, the attacker can extract its cryptographic secrets, or replace it with a malicious node Tamper-resistant hardware may provide some level of security against node capture attack The mostimportant issue is the key distribution and management
  72. 72. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 72Key Distribution andManagement How to secure the communications among sensor nodes in wireless sensor networks? Cryptographic key computations can be used to establish trust between communication nodes, eitherusing secret key or public key based techniques Due to the resource constraints of wireless sensor networks, secret key mechanisms are preferred There are three types of general key agreement schemes:Trusted-server schemeSelf-enforcing schemeKey pre-distribution scheme Trusted Server ProtocolsThe trusted–server scheme depends on a trusted server for key agreement between nodes, e.g.,KerberosKerberos uses a series of encrypted messages, timestamps and ticket-granting serviceTrusted-server scheme is not suitable as there is no trusted infrastructure in sensor networks Self-enforcing ProtocolsSelf-enforcing scheme depends on asymmetric cryptography, such as key agreementHowever, limited computation and energy resources of sensor nodes in wireless sensor networksoften make it undesirable to use public key algorithms Key Pre-distribution ProtocolsIn key pre-distribution protocols, key is distributed among prior to deploymentSensor nodes can communicate with each other if they share a common keyThere exist many key pre-distribution schemesA naïve approach is let all sensor nodes share a master secret keyAny pair of nodes can use this global master secret key to achieve key agreement and obtain anew pairwise key to secure the communication between themThe main advantage of this scheme is it requires low memory size and has low computationcomplexity.However, once the master secret key is compromised by any node, the security of the entirenetwork could be compromised easilyAnother key pre-distribution scheme is to let each pair nodes share a secret pairwise key
  73. 73. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 73Pre-distribution Scheme Eschenauer-Gligor’s Random Key Pre-distribution Scheme In this random key pre-distribution scheme, proposed by Eschenauer and Gligor, each sensornode receives a random subset of keys from a large key pool before deployment Two nodes can communicate securely if they share a common key within their key subsets The authors show that if the probability that any two nodes share at least one common key in arandom graph to satisfies a certain critical value, the whole network can form a completelyconnected graph with secure links That means any node can find a secure path to communicate with any other nodes in thenetwork Blom’s λ-secure key pre-distribution scheme This key pre-distribution method allows any pair of nodes in a network to be able to find apairwise secret key by constructing a (λ+1)*N matrix G over a finite field GF(q), where N is thesize of the network. As long as no more than λ nodes are compromised, the network is perfectlysecure (this is called the λ-secure property) Separating the singe key space into multiple key spaces and using random key selection schemeto improve performance and resilience, performance of λ-secure key pre-distribution schemecan be improved Polynomial-based key pre-distribution scheme Polynomial-based key pre-distribution schemes allow any group of t parties to compute acommon key while being secure against collusion between some of them These schemes focus on saving communication costs while memory constraints are not placedon group members The polynomial-based key pre-distribution scheme can tolerate no more than t compromisednodes, where the value of t is limited by the storage capacity for pairwise keys in a sensor node A location-based pairwise keys scheme using bivariate polynomials is proposed by takingadvantage of sensors’ expected locations information This employs a threshold technique and provides a trade-off between the security against nodecapture and the performance of establishing pairwise keys Limitations of Current Key Pre-distribution Schemes Current schemes only consider parts of system parameters, such as memory size, batterypower, and computation capacity in general Some important application based parameters, such as lifetime of network, required securitylevel of different applications are not taken into account
  74. 74. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 74Intrusion Detection Systems(IDS) The use of wireless links renders a wireless ad hoc networkvulnerable to malicious attacks, ranging from passiveeavesdropping to active interference In wireless networks, the scenario is much different as thereare no firewalls or gateways in place and attacks can takeplace from all directions Each MH in an ad hoc network is an autonomous unit in itself,free to move independently It is difficult to track down a single compromised node in alarge network; attacks stemming from compromised nodes arefar more detrimental and much harder to detect Ad hoc networks have a decentralized architecture, and manyad hoc network algorithms rely on cooperative participationof the member nodes Adversaries can exploit this lack of centralized decisionmaking architecture to launch new types of attacks aimed atbreaking the cooperative algorithms Ad hoc routing presents vulnerabilities since routing protocolsare designed based on their cooperative nature
  75. 75. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 75Intrusion Detection Systems(IDS) Intrusion prevention techniques like encryption and authenticationcan reduce the risks of intrusion but cannot completely eliminatethem The protocols and systems which are meant to provide usefulservices can be a prime target for attacks such as Distributed Denialof Service (DDoS) Intrusion detection can be used as a second line of defense to protectnetwork systems In general terms, “Intrusion” is defined as “any set of actions thatattempt to compromise integrity, confidentiality or availability of aresource” Intrusion detection is all about capturing audit data, and on thebasis of this audit data determining whether it is a significantaberration from normal system behavior Based on the type of audit data, IDS can be classified into 2 types: Network-based: Network-based IDS sits on the network gatewayand captures and examines network packets that go through thenetwork hardware interface Host-based: Host-based IDS relies on the operating system auditdata to monitor and analyze the events generated by the users orprograms on the host
  76. 76. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 76Unsuitability of Current IDSTechniques In MANETs, the only available audit data is restricted to communicationactivities taking place within a node’s radio range Traditional anomaly detection models of IDS cannot be used for wireless adhoc networks, as the separating line between normalcy and anomaly is obscure A node that transmits erroneous routing information (fabrication) can beeither a compromised node or is currently out of sync due to volatile physicalmovement Hence, in a MANET, it is relatively difficult to distinguish between falsealarms and real intrusions An IDS Architecture for Ad hoc Networks IDS should be both distributed and cooperative to suit the needs ofwireless ad hoc networks Every node in the wireless ad hoc network should participate in possibleintrusion detection Each node is responsible for detecting intrusion locally and independently,but neighboring nodes have some mutual understanding and cancollaboratively investigate in a broader range Therefore, each node within the network may have its own individual IDSagent and these agents run independently and monitor user and systemactivities as well as communication activities within their radio range If an anomaly is detected in the local data or if the evidence isinconclusive, IDS agents on the neighboring nodes will cooperativelyparticipate in a global intrusion detection scheme These individual IDS agents constitute the IDS system employed to protectthe wireless ad hoc network
  77. 77. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 77IDSIDSIDSIDSIDSIDSAn IDS Architecture forWireless Ad hoc Networks
  78. 78. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 78 Local Data Collection The Local Data Collection module gathers streams of real time audit data from eclectic sources,which might include user and system activities within the mobile node, communication activitiesby this node as well as any communication activities within the radio range of this node andobservable to this node Local Detection Engine The Local Detection Engine requires the IDS to maintain some expert rules for the node againstwhich the audit data collected would be checked However, as more and more appliances are becoming wireless, the types of planned attacksagainst these appliances is going to increase Moreover, updating these existing expert rules is not a simple job Any IDS meant for a wireless ad hoc network might have to resort to statistical anomalydetection techniques The normal behavior patterns, called “Normal Profiles”, are determined using the trace datafrom a “training “ process where all activities are normal. During the “testing” process, anydeviations from the normal profiles are recorded if at all any occur A detection module is computed from the deviation data to distinguish anomalies fromnormalcy Cooperative Detection If a node locally detects a known intrusion with strong evidence, it can very well on its own inferthat the network is under attack and can initiate a response or a remedial action However, if the evidence of an anomaly is a weak one or is rather inconclusive, then the nodedecides it needs a broader investigation and can initiate a global intrusion detection procedure Intrusion detection state information may be a mere level-of-confidence expressed as percentage: With p% confidence, node A after analyzing its local data concludes that there is an intrusion With p% confidence, node A after analyzing data from its neighbors concludes that there is anintrusion With p% confidence, nodes A, B, C, and so on, collectively conclude that there is an intrusionAn IDS Architecture forWireless Ad hoc Networks
  79. 79. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 79Cooperative Detection and IntrusionResponse A list of suspects is also possible For example, with p% confidence, node A concludes after analyzing itslocal data that node X has been compromised A distributed consensus algorithm is then derived to compute the newintrusion detection state for the node under consideration, with the helpof the state information recently received from other nodes in thenetwork The algorithm might involve a weighted computation, assuming thatnearby nodes have greater effects than the far away ones A majority-based Intrusion Detection Algorithm can include thefollowing steps: The node sends to its neighboring node an “intrusion state request” Each node, including the one which initiates this algorithm, thenpropagates the state information indicating the likelihood of anintrusion to its immediate neighbors Each node then determines whether the majority of the receivedreports point towards an intrusion; if yes, then it concludes that thenetwork is under attack Any node that detects an intrusion to the network can then initiatethe remedial/response procedure
  80. 80. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 80Cooperative Detection and IntrusionResponse As a rule of thumb, audit data from other nodes should not betrusted as compromised nodes might tend to send misleading data However, sending audit data from a compromised node do nothold any incentives, as it might create a situation which wouldresult in its expulsion from the network Hence, unless the majority of nodes are compromised and thereexists at least one valid node, the remedial procedure will not beinitiated Intrusion Response The type of intrusion response for wireless ad hoc networksdepends on the type of intrusion, the type of network protocolsand the confidence in the veracity of the audit trace data The response might range from resetting the communicationchannels between nodes, or identifying the compromised nodesand precluding them from the network The IDS agent can notify the end user to perform his/herown investigation and take the necessary actions It also sends re-authentication requests to all the nodes in thenetwork
  81. 81. Copyright © 2006, Dr. Carlos Cordeiro and Prof Dharma P Agrawal, All rights reserved 81IDS AgentConceptual Components of an IDS Agent

×