Secure Routing For Mobile Ad Hoc Networks: Jing Liu, Fei Fu, Junmo Xiao and Yang Lu
1. Introduction
Wireless ad hoc networks (WANETs) are currently a very active area of academic and industrial research because of their foreseeable broad applications. However, they are vulnerable to a wide range of attacks due to the open medium, dynamically changing topology, possible node compromise, difficulty of physical protection, absence of infrastructure and lack of trust among nodes [1-5]. In particular, the routing protocols in MANETs are exposed to different kinds of attacks [1,6-8]. In this paper we focus on the design of secure routing protocols that resist these attacks in WANETs. Many secure protocols have been proposed so far, e.g. SRP [9], Ariadne [10], SAODV [11-12], ARAN [13-14], SADSR [15], SEAD [16], and SLSP [17]. Both SRP and Ariadne are improved secure routing protocols based on DSR [18]. SRP requires a security association between the initiator and the target, while Ariadne needs a security association between the initiator and every node, including the intermediate nodes and the target. Ariadne is claimed to prevent all active-1-1 attacks (this attacker model will be introduced later). In 2005 Buttyan first found an active-1-1 attack that SRP and Ariadne could not resist, and proposed a
The attacker copies the cryptographic key information of the compromised node to the other malicious nodes it owns. Consequently, these nodes can participate in network activities while pretending to be legitimate nodes. It follows that the more nodes are compromised, the more powerful the attacker is.
1) S -> * : (rreq, S, D, Qid)
2) R1 -> * : (rreq, S, D, Qid, R1)
3) R2 -> * : (rreq, S, D, Qid, R1 R2)
4) D -> R2 : (rrep, S, D, Qid, R1 R2, SigD)
5) R2 -> R1 : (rrep, S, D, Qid, R1 R2, SigD SigR2)
6) R1 -> S : (rrep, S, D, Qid, R1 R2, SigD SigR2 SigR1)
Figure 1. An operation example of EndairA and format of EndairA messages. The initiator of the route discovery is S, the target is D, and the intermediate nodes are R1 and R2. Qid is a randomly generated query identifier. SigD, SigR2 and SigR1 are the digital signatures of D, R2 and R1, respectively. Each signature is computed over the message fields that precede the signature.
Figure 1 illustrates the operation of EndairA. The initiator of the route discovery first generates a route request message and broadcasts it to its neighbors. The route request contains the identifiers of the initiator and the target and a randomly generated request identifier Qid. Each intermediate node that receives the request for the first time appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it. When the target D receives the request, it checks the route list in the request to make sure that the last node in the list is its neighbor. If not, D discards the request. Otherwise, D generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. SigD is the signature of D computed over the message fields that precede the signature. Each intermediate node that receives the reply verifies that its identifier is in the route list carried by the reply, and that the preceding and following identifiers on the route belong to neighboring nodes. If these verifications fail, the reply is discarded. Otherwise, it is signed by the intermediate node and passed to the next node on the route (towards the initiator). When the initiator receives the route reply, it verifies that the first identifier in the route carried by the reply belongs to a neighbor. If so, it verifies all the signatures in the reply. If all these verifications are successful, the initiator accepts the route.
There are two main differences between EndairA and Ariadne. First, in Ariadne, the initiator and the intermediate nodes insert their own digital signatures into the route request packet. To generate the route reply packet, the target node copies the signatures in the request packet into the reply packet. In EndairA, however, signatures are generated only after the target node generates the route reply. Second, Ariadne uses per-hop hashing to prevent the removal of identifiers from the accumulated route in the route request. In fact, this does not function well and only introduces overhead. In EndairA, there is no per-hop hashing. Papers [19-20] describe in detail how Ariadne is vulnerable to an active-1-1 attacker, which can delete the preceding node's signature to forge a non-existent route. Buttyan, the author of EndairA, declared: "Besides being provably secure against an Active-1-1 adversary (and most probably against an Active-1-x adversary too), it is extremely simple and intuitive." He also proved that EndairA overcomes the vulnerability of Ariadne. However, we have found an active-0-1 attack that EndairA cannot resist, and we call it the man-in-the-middle attack.
3. Vulnerabilities of EndairA
Figure 2. The man-in-the-middle model. A is an attacker; R1 and R2 are valid communicating nodes.
Figure 2 shows the procedure of the man-in-the-middle attack. The attacker A forwards packets between R1 and R2 without modification, which makes R1 and R2 each mistake the other for a neighbor. The man-in-the-middle attack is an indirect attack and is common on the Internet. In mobile ad hoc networks, this attack can make two nodes that are beyond each other's communication range take each other for neighbors.
Nodes, in order: S, R1, A, R2, D
1) S -> * : (rreq, S, D, Qid)
2) R1 -> * : (rreq, S, D, Qid, R1)
3) A -> * : (rreq, S, D, Qid, R1)
4) R2 -> * : (rreq, S, D, Qid, R1 R2)
5) D -> R2 : (rrep, S, D, Qid, R1 R2, SigD)
6) R2 -> A(R1) : (rrep, S, D, Qid, R1 R2, SigD SigR2)
7) A -> R1 : (rrep, S, D, Qid, R1 R2, SigD SigR2)
8) R1 -> S : (rrep, S, D, Qid, R1 R2, SigD SigR2 SigR1)
Figure 3. An example of the man-in-the-middle attack against EndairA.
Figure 3 shows an example of the man-in-the-middle attack against EndairA. We assume that a malicious node is located between the intermediate nodes R1 and R2. In step 6, R2 wants to forward the route reply packet to R1 after appending its signature. However, the attacker A intercepts it and forwards it to R1 without modification in step 7. After receiving this packet, R1 checks the route list in the packet to verify that both the preceding node R2 and the following node S are its neighbors. If so, R1 adds its signature to the packet and forwards it to S. Otherwise, it discards the packet. After verifying that R1 is its neighbor and checking the signatures in the packet, S accepts the non-existent route (S, R1, R2, D) as a valid route. The man-in-the-middle attack is clearly an active-0-1 attack: it can easily disrupt correct route discovery without capturing any valid node.
Figure 4. An operation example of EndairALoc and format of EndairALoc messages. The initiator of the route discovery is S, the target is D, and the intermediate nodes are R1 and R2. Qid is a randomly generated query identifier. MACDS is the message authentication code of D for S; LD is the location information of D.
Figure 4 describes the operation of EndairALoc. The initiator of the route discovery first generates a route request message and broadcasts it to its neighbors. The route request contains the identifiers of the initiator and the target and a randomly generated request identifier Qid. Each intermediate node that receives the request for the first time appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it. After receiving the request, the target D generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. MACDS is the message authentication code of D and can only be verified by S. LD is the location information of D. Each intermediate node that receives the reply packet does not verify the route list. Instead, it appends to the reply packet a message authentication code (MAC) computed for itself and the initiator, together with its location information, and then passes the reply packet to the next node on the route (towards the initiator). When the initiator receives the route reply, it verifies all the MACs in the reply packet. If all these verifications are successful, the initiator goes on to verify another important feature, the location information in the reply packet. If all the neighboring nodes in the location information list are within communication range of each other, S accepts the corresponding route list in the reply. Otherwise the initiator discards it. Assume that a man-in-the-middle attack exists on the route. When the initiator S finally receives the route reply packet, it checks the location information list (LD LR2 LR1). Since the distance between LR2 and LR1 is beyond the transmission range, S finds the route invalid and discards it.
Figure 5. The wormhole attack model. Nodes shown: S, R1, A1, A2, R2.
Furthermore, as far as we know, there are no secure routing protocols which can resist the wormhole attack [22-24]. As shown in Figure 5, the dashed line between the two collaborating nodes (A1, A2) represents the wormhole along which A1 and A2 collaborate to make R1 and R2 take each other for neighbors. It is clear that EndairA cannot resist it. In EndairALoc, however, when the initiator S checks the location list (LD LR2 LR1) in the reply packet, it finds that the distance between R2 and R1 is beyond the transmission range and discards the route. So EndairALoc can resist the wormhole attack.
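The initiator-side checks described above (Qid freshness, every MAC, then the distance between consecutive locations) can be sketched as follows. This is an added example, not code from the paper: the MAC input (all preceding reply fields), HMAC-SHA256, the 2-D coordinates, the 250 m range and the sample keys and positions are assumptions constructed for illustration.

```python
import hashlib, hmac, math

TX_RANGE = 250.0  # assumed radio range in metres (constructed value)

def mac(key, fields):
    # Assumption: the MAC covers every reply field that precedes it,
    # mirroring EndairA's signature rule; the page does not fix the input.
    return hmac.new(key, repr(fields).encode(), hashlib.sha256).digest()

def build_reply(src, dst, qid, route, keys, locs):
    """D, then each intermediate node towards S, appends (location, MAC for S)."""
    fields = ["rrep", src, dst, qid, tuple(route)]
    for node in [dst] + list(reversed(route)):
        fields.append(locs[node])
        fields.append(mac(keys[node], fields))
    return fields

def initiator_check(reply, src, src_loc, keys, pending_qids):
    """Checks S performs: Qid freshness, every MAC, then per-hop distance."""
    if len(reply) < 5:
        return "malformed"
    tag, s, dst, qid, route = reply[:5]
    if tag != "rrep" or s != src or qid not in pending_qids:
        return "stale or unknown Qid"
    signers = [dst] + list(reversed(route))
    if len(reply) != 5 + 2 * len(signers):
        return "malformed"
    hops = []
    for i, node in enumerate(signers):
        m = 6 + 2 * i  # index of this node's MAC; its location sits at m - 1
        if not hmac.compare_digest(reply[m], mac(keys[node], reply[:m])):
            return f"bad MAC from {node}"
        hops.append(reply[m - 1])
    path = [src_loc] + hops[::-1]  # locations in route order: S, R1, R2, D
    for a, b in zip(path, path[1:]):
        if math.dist(a, b) > TX_RANGE:
            return "hop beyond transmission range"
    return "accept"

# Constructed sample data: per-node keys shared with S, and 2-D positions.
KEYS = {n: hashlib.sha256(n.encode()).digest() for n in ("R1", "R2", "D")}
GOOD = {"R1": (200.0, 0.0), "R2": (400.0, 0.0), "D": (600.0, 0.0)}
# R1 and R2 are 400 m apart here and only "hear" each other through a relay.
RELAYED = {"R1": (200.0, 0.0), "R2": (600.0, 0.0), "D": (800.0, 0.0)}

def demo(locs, qid=b"q1", pending=(b"q1",)):
    reply = build_reply("S", "D", qid, ["R1", "R2"], keys=KEYS, locs=locs)
    return initiator_check(reply, "S", (0.0, 0.0), KEYS, set(pending))

if __name__ == "__main__":
    print(demo(GOOD), "|", demo(RELAYED))
```

Because a relay forwards the reply unmodified, every MAC in the RELAYED case still verifies; only the distance check on the authenticated locations rejects the route.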
retains the security of EndairA. The analysis is as follows:
1) Malicious nodes alter the control information and location information: the control information includes the identity, the sequence number, and so on. Because a message authentication code is used, any malicious modification will be detected by the initiator after it receives the reply packet.
2) Malicious nodes discard route request or reply packets: EndairALoc, as a secure DSR-based protocol, can obtain several replies to one route request. A small number of malicious nodes will not seriously affect route establishment.
3) Replay attack: malicious nodes broadcast stale route request or reply packets to the network. Qid is unique for each route request and is generated randomly by the initiator of the route discovery. Therefore, stale route request or reply packets carrying a stale Qid will be detected and discarded by the initiator.
6. Conclusions
This paper first presents a new attack on EndairA, named the man-in-the-middle attack. To prevent this attack, a new secure routing protocol named EndairALoc is proposed. The analysis shows that our protocol not only retains the security of EndairA but also resists the man-in-the-middle attack and even the wormhole attack. Furthermore, EndairALoc uses a symmetric key mechanism instead of a public key mechanism, so the energy consumption of route discovery is greatly reduced.
References
[1] Y.C. Hu and A. Perrig, "A survey of secure wireless ad hoc routing," Security & Privacy Magazine, no. 2, pp. 28-39, 2004.
[2] F. Stajano and R. Anderson, "The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks," in 7th International Workshop on Security Protocols, Berlin, 1999.
[3] T. S. Messerges, et al., "A Secure Design for a General Purpose, Self-Organizing, Multihop Ad Hoc Wireless Network," in 1st ACM Workshop Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, 2003.
[4] A. Perrig, J. Stankovic, and D. Wagner, "Security in Wireless Sensor Networks," Communications of the ACM, vol. 47, no. 6, pp. 53-57, 2004.
[5] L. Buttyán and J.-P. Hubaux, "Report on a Working Session on Security in Wireless Ad Hoc Networks," ACM Mobile Computing and Communications Review (MC2R), vol. 7, no. 1, March 2003.
[6] K. Inkinen, "New Secure Routing in Ad Hoc Networks: Study and Evaluation of Proposed Schemes," Telecommunications Software and Multimedia, 2004.
[7] M. Jakobsson, S. Wetzel, and B. Yener, "Stealth attacks on ad-hoc wireless networks," in Vehicular Technology Conference, vol. 3, pp. 2103-2111, Oct 2003.
[8] G. Ács, L. Buttyán, and I. Vajda, "Provable Security of On-Demand Distance Vector Routing in Wireless Ad Hoc Networks," Second European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (ESAS 2005), Visegrád, Hungary, July 13-14, 2005.
[9] P. Papadimitratos and Z. Haas, "Secure routing for mobile ad hoc networks," in Proc. of the SCS Communication Networks and Distributed Systems Modelling and Simulation Conf., San Antonio, pp.2731, 2002.
[10] Y.C. Hu, A. Perrig, and D. B. Johnson, "Ariadne: a secure on-demand routing protocol for ad hoc networks," in Proc. of the Eighth ACM Int'l Conf. on Mobile Computing and Networking (MOBICOM 2002), pp. 23-28, Atlanta, GA, 2002.
[11] M.G. Zapata, "Securing ad hoc routing protocol," in Proc. of ACM Workshop on Wireless Security, pp.19, Atlanta, Sep. 2002.
[12] M.G. Zapata, "Secure Ad hoc On-Demand Distance Vector (SAODV) Routing," http://personals.ac.upc.edu/guerrero/papers/draftguerrero-manet-saodv-06.txt, September 2006.
[13] K. Sanzgiri, B. Dahill, et al., "A secure routing protocol for Ad Hoc networks," in Proc. of 2002 IEEE International Conference on Network Protocols (ICNP), Nov 2002.
[14] K. Sanzgiri, et al., "Authenticated Routing for Ad hoc Networks," IEEE Journal on Selected Areas in Communications, vol. 23, no. 3, pp. 598-610, 2005.
[15] S. Ghazizadeh, O. Ilghami, and E. Sirin, "Security aware adaptive dynamic source routing protocol," in Proc. of the 27th Annual IEEE Conf. on Local Computer Networks, 2002.
[16] Y.C. Hu, D. B. Johnson, and A. Perrig, "SEAD: secure efficient distance vector routing for mobile Ad hoc
[17] P. Papadimitratos and Z. J. Haas, "Secure link state routing for mobile ad hoc networks," in Proc. of the 2003 Symposium on Applications and the Internet Workshops (SAINT'03 Workshops), 2003.
[18] D.B. Johnson, D. Maltz, and Y. C. Hu, "The dynamic source routing protocol for mobile ad hoc networks," http://www.ietf.org/internet-drafts/draftietf-manetdsr -10.txt, 2005.
[19] L. Buttyan and I. Vajda, "Towards provable security for ad hoc routing protocols," in Proc. of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, 2005.
[20] G. Ács, L. Buttyán, and I. Vajda, "Provably Secure On-demand Source Routing in Mobile Ad Hoc Networks," IEEE Transactions on Mobile Computing, vol. 5, no. 11, November 2006.
[21] "Ad Hoc Positioning System (APS)," in GLOBECOM 2001 IEEE Global Telecommunications Conference, pp. 2926-2931, 2001.
[22] C. Karlof and D. Wagner, "Secure Routing in Sensor Networks: Attacks and Countermeasures," at the 1st IEEE International Workshop on Sensor Network Protocols and Applications, May 2003.
[23] Y.C. Hu, A. Perrig, and D.B. Johnson, "Packet leashes: a defense against wormhole attacks in wireless networks," in Proc. of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pp. 1976-1986, 2003.
[24] L. Hu and D. Evans, "Using Directional Antennas to Prevent Wormhole attacks," in Network and Distributed System Security Symposium, 2004.
[25] N. Potlapally, et al., "Analyzing the Energy Consumption of Security Protocols," in SLPED03, 2003.