Authentication in MANET
Cryptography and Network Security
Basit Ali
CT-22/2010-11
MANET
• A MANET is a collection of mobile nodes, such as laptops and cell phones, that together form a network.
• The nodes that make up a MANET are always mobile, so the network cannot maintain a permanent topology such as the ring, star, bus or mesh of a wired network.
• In a MANET, nodes communicate directly with every other node within their radio range. A node that has no direct link to a destination relays through intermediate nodes.
• Since each node in a MANET acts as both host and router, security is a major issue and the likelihood of vulnerabilities is greater.
Authentication
• Authentication is the process by which two parties identify one another.
• Without authentication, an unauthorized node could easily "come in" and use the resources available within the network.
• The problem gets worse if the unauthorized node is a malicious user. It is therefore necessary to have a mechanism that prevents an "outsider" from becoming part of the network.
Authentication
• It is generally accomplished in two ways: direct and indirect authentication.
• In direct authentication, the two parties use pre-shared symmetric or asymmetric keys to verify each other and the flow of data between them.
• In indirect authentication, a trusted third party, i.e. a Certification Authority, is made responsible for certifying one party to the other.
Related Research Work
ID-based cryptography
• Keys do not have to be distributed.
• A third-party node must nevertheless be involved in establishing a key before network packets can be decrypted.
Threshold cryptography
• The authority of the CA is distributed among t+1 network nodes, called servers, to minimize the chance of a single CA being compromised.
• This reduces the single point of failure, but a user has to contact a number of machines before being able to read a message.
Related Research Work
Self-organized MANETs
• The nodes rely on themselves for all routing, authentication and mobility management.
• Nodes issue certificates to their trustees to bring them into the MANET; the certificates are verified against repositories maintained by the nodes.
• Although the scheme is self-organized, it carries the overhead of maintaining repositories, which consumes memory and bandwidth.
KERBEROS ASSISTED AUTHENTICATION IN MOBILE AD-HOC NETWORKS (KAMAN)
Overview
• Multiple Kerberos servers are present for distributed authentication and load distribution.
• Because mobile nodes are susceptible to physical capture, only the users know their secret key or password; the servers hold only a cryptographic hash of each password.
• All servers share a secret key with every other server.
• A server is usually a single point of failure because it holds the repository of all users' hashed passwords. Therefore all servers replicate their databases with each other periodically or on demand.
• An election-based server selection mechanism is used, so the non-availability of a server for some time initiates the server election process.
• Whenever unicast or multicast communication is required among nodes, the nodes approach the KAMAN servers, which in turn allocate a session key for their secure, authenticated communication.
Assumptions
1. All users have a secret key or password known only to them.
2. All servers know the hashed passwords of all users.
3. All servers share a secret key with every other server.
Initialization
• During the initial configuration there may exist only a single server with the repository.
• In this repository each user's ID and hashed password is stored along with a priority and a lifetime.
• Users who are trustworthy enough are allocated a higher priority than users with lower trust. Lifetimes are allotted to users based on the usage scenario.
• If the network environment is friendly, password lifetimes may be long; in insecure environments they may be shortened.
User Authentication
• Whenever a node wants to establish a secure connection with another node, it approaches the Authentication Server and follows the protocol whose message fields are defined on the next slide:
Options: Used to request that certain flags be set in the returned ticket
Times: Used to specify the start, end and renewal time settings in the ticket
Flags: Status of the ticket
Nonce: A random value used as a pseudo-unique transaction identifier to avoid replay attacks
Subkey: Choice of another encryption key for this session instead of KC1,C2
Seq#: Starting sequence number to detect replays
IDC1: Identity of Client1
IDC2: Identity of Client2
ADC1: Network address of Client1
KCn: Encryption key based on the hashed password of user n
KC1,C2: Session key between Client1 and Client2
TS: Time at which this authenticator was generated
Key Revocation
• The KAMAN server only authorizes users until their password lifetimes expire. The ticket automatically expires when this period ends.
• The session between two clients is also terminated when the ticket expires.
• All clients requiring extended authorization must apply for a new password before the last ticket expires.
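The ticket issuance and revocation rules from the User Authentication and Key Revocation slides, as an added Python example (not code from the KAMAN paper or this deck): the server derives KCn from the stored password hash, seals KC1,C2, the expiry and a ticket for Client2 under KC1, Client1 checks the echoed nonce, and Client2 checks the ticket expiry and the TS in the authenticator. The byte layout, the 16-byte nonce and the HMAC-based toy cipher are assumptions chosen so the code runs with the standard library only.

```python
import hashlib, hmac, os, struct
# Toy authenticated encryption from HMAC-SHA256 (keystream XOR + tag): a stdlib-only
# stand-in for a real cipher so the example runs offline; it is not KAMAN's cipher.
def _ks(key, nonce, n):
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

def user_key(password):
    """KCn: key derived from the user's hashed password (servers store only the hash)."""
    return hashlib.sha256(password.encode()).digest()

class KamanServer:
    def __init__(self, repo):
        self.repo = repo  # IDCn -> {"key": KCn, "lifetime": password expiry (epoch s)}

    def request_session(self, id_c1, id_c2, nonce, now, ticket_life=600):
        u1, u2 = self.repo[id_c1], self.repo[id_c2]
        if now >= u1["lifetime"] or now >= u2["lifetime"]:
            raise PermissionError("password lifetime expired; new password required")
        k12 = os.urandom(32)  # KC1,C2 session key
        end = min(now + ticket_life, u1["lifetime"], u2["lifetime"])  # ticket dies with password
        ticket = seal(u2["key"], k12 + struct.pack(">Q", end) + id_c1.encode())  # for IDC2
        return seal(u1["key"], nonce + struct.pack(">Q", end) + k12 + ticket)   # for IDC1

def client1_open_reply(password, nonce, reply):
    p = unseal(user_key(password), reply)
    if p[:16] != nonce:  # echoed 16-byte nonce ties the reply to this request (replay check)
        raise ValueError("reply does not match our nonce")
    return p[24:56], struct.unpack(">Q", p[16:24])[0], p[56:]  # KC1,C2, end, ticket

def client2_accept(password, ticket, authenticator, now, skew=60):
    t = unseal(user_key(password), ticket)
    k12, end, id_c1 = t[:32], struct.unpack(">Q", t[32:40])[0], t[40:].decode()
    if now >= end:
        raise PermissionError("ticket expired")
    a = unseal(k12, authenticator)  # authenticator = TS || IDC1 sealed under KC1,C2
    ts, who = struct.unpack(">Q", a[:8])[0], a[8:].decode()
    if who != id_c1 or abs(now - ts) > skew:
        raise PermissionError("stale or mismatched authenticator")
    return k12, id_c1
```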
Server Elections
Based on the area of coverage and the range of the nodes, one or more servers may need to exist. Server elections are triggered in the following situations:
1. When the number of available servers increases or decreases
2. When a server's lifetime expires
3. When a server fails the optional availability check mechanism
Server Elections
• Servers periodically use secure ECHO packets to discover the availability of other servers.
• If a server is not available, whether because of its wireless transmission range, its geographical position or because its lifetime has expired, an election is triggered.
• During these elections, the servers check their repositories for the users with the highest priority levels. If more than one node has the same priority, their lifetimes are taken into account.
• The nodes with the greatest priority and lifetime are automatically upgraded to servers by securely transferring the repository to them.
• Similarly, if the number of servers increases (an unavailable server comes back up), the server with the lowest priority and lifetime is downgraded to a client. The periodicity of these elections depends on the area of dispersal, node density and severity of the situation.
Summary
• The KAMAN scheme is based on the reliable Kerberos protocol.
• For inter-client communication, each node approaches one of the servers for a session key.
• The server generates the key, encapsulates it in a ticket and sends it to the requesting client.
• The client can then use this ticket to create a secure session with the intended party.
• Due to the mobility and short range of the nodes, measures such as replication and elections are introduced.
References
• P. Visalakshi, S. Anjugam, "Security issues and vulnerabilities in Mobile Ad hoc Networks (MANET) - A Survey"
• Sirapat Boonkrong, Russell Bradford, "Authentication in Mobile Ad Hoc Networks"
• Asad Amir Pirzada, Chris McDonald, "Kerberos Assisted Authentication in Mobile Ad-hoc Networks"