Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing

Secure Routing for Mobile Ad Hoc Networks

Jing Liu, Fei Fu, Junmo Xiao and Yang Lu PLA University of Science and Technology tongyuanliu@163.com Abstract
Buttyan found out a security flaw in Ariadne[10] and proposed a secure routing protocol, EndairA[19-20], with the ability to resist active-1-1 attacks. But unfortunately we discover an as yet unknown active-01 attack which we call man-in-the-middle attack and EndairA couldnt resist. Accordingly we propose a new secure routing protocol, EndairALoc. Analysis shows that EndairALoc can resist not only active-1-1 attacks but also the wormhole attack. Furthermore EndairALoc uses pairwise secret keys instead of public keys used in EndairA. Compared with EndairA, EndairALoc can save more energy in the routing establishment.. new secure protocol named EndairA[19-20]. However we find out a new attack that EndairA cant resist. We call this attack man-in-the-middle attack. Based on EndairA, we propose a new secure routing protocol named EndairALoc, which uses the location information of the node to resist this attack. Analysis result shows that our protocol could resist not only the attacks EndairA could, but also the man-in-the-middle attack and even the wormhole attack. In addition, we utilize the symmetric key mechanism to replace the public key mechanism used in EndairA, which can reduces the energy consumption greatly. In Section 2 of this paper, we introduce an attacker model and EndairA protocol. Section 3 gives the vulnerability of EndairA. Then a new secure routing protocol named EndairALoc is proposed in Section 4. In Section 5 we analyze the security and performance of EndairALoc, and in Section 6 we present our conclusions.

1. Introduction
Wireless Ad-hoc Networks (WANET) is currently a very active area of the academic and industrial research for the foreseeable broad applications. However, it is vulnerable to a wide range of attacks due to the open medium, dynamically changing topology, possible node compromise, difficulty in physical protection, absence of infrastructure and lack of trust among nodes[1-5]. Especially, the routing protocols in MANET bears different kinds of attacks[1,6-8]. In this paper we focus on the designing of secure routing protocols to resist the attacks for WANET. Up to now there are many proposed security protocols, e.g. SRP[9], Ariadne[10], SAODV[11-12], ARAN[13-14], SADSR[15], SEAD[16], and SLSP[17]. Both SRP and Ariadne are improved secure routing protocols based on DSR[18]. SRP requires that the initiator and the target should have a security association between them, while Ariadne needs the security association between the initiator and every node including intermediate nodes and the target. Ariadne is declared to be able to prevent all active-1-1 attacks (This attaker model will be introduced later). In 2005 Buttyan firstly found an active-1-1 attack that SRP and Ariadne couldnt resist, and proposed a

2. Attacker model and analysis of Endaira

2.1. Attacker Model
In paper [10], the attacker model Active-n-m was firstly introduced. In that paper, the author classified the attacker into two main classes: passive and active. The passive attacker only eavesdrops on the network. It mainly threats against the privacy or anonymity of communication, rather than against the functioning of the network or its routing protocol. An active attacker can inject packets into the network and generally also eavesdrop. So we should lay more emphasis on an active attacker. Then, the author characterizes the attacker based on the number of nodes it owns in the network, and based on the number of those that are good nodes it has compromised. It is assumed that the attacker owns all the cryptographic key information of compromised nodes and distributes it among all its nodes. In the attacker model Active-n-m, n represents the number of nodes the attacker has compromised, and m is the number of the nodes the attacker owned.

0-7695-2909-7/07 $25.00 2007 IEEE DOI 10.1109/SNPD.2007.223

314

The attacker copies the cryptographic key information of the compromised node to the other malicious nodes it owned. Consequently these nodes could participate in the network activities pretending legal nodes. It is implied that the more the nodes compromised are, the more powerful the attacker is.

2.2. Analysis of EndairA

S R1 R2 D

1) 2) 3) 4) 5) 6)

Figure 1. An operation example of EndairA and format of EndairA messages. The initiator of the route discovery is S, the target is D, and the intermediate nodes are R1 and R2. Qid is a randomly generated query identifier. SigD, SigR2 and SigR1 are digital signatures of D, R1, and R2, respectively. Each signature is computed over the message fields that precede the signature. In Figure 1, the operation of EndairA is illustrated. The initiator of the route discovery firstly generates a route request message and broadcasts it to its neighbors. The route discovery message contains the identifiers of the initiator and the target, a randomly generated request identifier Qid. Each intermediate node receives the request for the first time. It appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it. When the target D receives the request. D checks route list in the request to make sure that the last node in route list is its neighbor. If not, D discards the request. Otherwise D will generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. SigD is the signature of D computed over the message fields that precede the signature. Each intermediate node that receives the reply verifies that its identifier is in the route list carried by the reply, and that the preceding and following identifiers on the route belong to neighboring nodes. If these verifications fail, then the reply is discarded. Otherwise, it is signed by the intermediate node, and passed to the next node on the route(towards the initiator). When the initiator receives the route reply, it verifies if the first identifier in the route carried by the reply belongs to a neighbor. If so, then it verifies all the signatures in the reply. If all these verifications are successful, then the initiator accepts the route.

S -> * : (rreq,S,D,Qid), R1 ->* : (rreq,S,D, Qid,R1), R2->* : (rreq,S,D, Qid,R1R2), D->R2 : (rrep,S,D, Qid,R1R2, SigD), R2->R1: (rrep,S,D, Qid,R1R2, SigDSigR2), R1->S : (rrep,S,D, Qid,R1R2, SigDSigR2SigR1,)

There are two main differences between EndairA and Ariadne. First, in Ariadne, the initiator and intermediate nodes insert their own digital signatures into route request packet. To generate the route reply packet, the target node would copy the signatures in the request packet into the reply packet. However, in EndairA, signatures are only generated after the target node generates route reply; Second, Ariadne uses perhop hashing to prevent removal of identifiers from the accumulated route in the route request. In fact, it could not function well, but only introduce overhead. In EndairA, there are no per-hop hashing. In Paper[19-20] it is described in detail how Ariadne was vulnerable to an active-1-1 attacker, which could delete the preceding nodes signature to forge a non-existent route. Buttyan, the author of EndairA, declared Besides being provably secure against an Active-1-1 adversary (and most probably against an Active-1-x adversary too), it is extremely simple and intuitive. He also proved that EndairA could overcome the vulnerability of Ariadne. However, we find out an active-0-1 attacker EndairA not resistant against, and we call it man-in-the-middle attack.

3. Vulnerabilities of endaira
(1)

R1
(2)

(1)

R2
(2)

Figure 2. The man-in-the-middle Model. A is an attacker; R1 and R2 are valid communicating nodes Figure 2 shows the procedure of the man-in-themiddle attack. The attacker A forwards packets between R1 and R2 without modification, which makes R1 and R2 take the other as a neighbor in mistake. The man-in-the-middle attack is an indirect attack, and is popular in Internet. In mobile ad hoc networks, this attack can make two nodes beyond the communication scope take the other as neighbor.
S R1 A R2 D

1) S -> * : (rreq,S,D,Qid), 2) R1-> *: (rreq,S,D, Qid,R1), 3) A -> * : (rreq,S,D, Qid,R1), 4) R2-> * : (rreq,S,D, Qid,R1R2), 5) D->R2 : (rrep,S,D, Qid,R1R2, SigD), 6) R2->A(R1):(rrep,S,D, Qid,R1R2, SigDSigR2), 7) A-> R1 : (rrep,S,D, Qid,R1R2, SigDSigR2), (rrep,S,D, Qid,R1R2, SigDSigR2SigR1,) 8) R1->S:

Figure 3. An example of the man-in-the-middle attack against EndairA Figure 3 shows an example of the man-in-themiddle attack against EndairA. We assume that a malicious node locates between the intermediate nodes

315

R1 and R2. In step 6, R2 wants to forward the route reply packet to R1 after appending its signature. However, the attacker A intercepts it, and forwards it to R1 without modification in step 7. After receiving this packet, R1 checks the route list in the packet to verify both the preceding node R2 and the following node S are its neighbors. If successful, R1 adds its signature to the packet and forwards it to S successively. Otherwise, it discards the packet. After verifying R1 as its neighbor and the signatures in the packet, S accepts the non-existent route (S, R1, R2, D) as a valid route. It is obvious that the man-in-themiddle attack is an active-0-1 attack. It can easily destroy the correct route discovery without the capture of valid nodes.

4. A new secure routing protocol

In order to solve the vulnerabilities of EndairA, we propose a new secure routing protocol named EndairALoc, which can resist the man-in-the-middle and even wormhole-attack. Furthermore, EndairALoc uses pairwise secret keys instead of public keys used in EndairA, so it can prolong the life of networks greatly. The assumptions are: 1) Cryptographic key system is ideal, without regard to its security. 2) All nodes pre-share symmetrical pairwise keys to construct message authentication code(MAC). 3) The initiator and the target are valid, and only the intermediate nodes could be malicious. 4) The nodes could get its location information by some location systems[21]. 5) The wireless transmission range is constant, and only two nodes in the transmission range can send and receive data directly.
1) S -> * : (rreq,S,D,Qid), 2) R1->* : (rreq,S,D,Qid,R1), 3) R2->* : (rreq,S,D,Qid,R1R2), 4) D->R2 : (rrep,S,D,Qid,R1R2, LD ,MACDS), 5) R2->R1: (rrep,S,D,Qid,R1R2, LDLR2,MACDSMACR2S) 6) R1->S:(rrep,S,D,Qid,R1R2,LDLR2LR1,, MACDSMACR2SMACR1S)

neighbors. The route discovery message contains the identifiers of the initiator and the target, a randomly generated request identifier Qid. Each intermediate node receives the request for the first time. It appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it. After receiving the request, the target D generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. MACDS is the message authentication code of D and can only be verified by S. LD is the location information of D. Each intermediate node that receives the reply packet does not verify the route list. Instead, it appends a message authentication code (MAC) for itself and the initiator and its location information to the reply packet, then passed the reply packet to the next node on the route(towards the initiator). When the initiator receives the route reply, it verifies all the MACs in the reply packet. If all these verifications are successful, the initiator continues to verify another important feature, location information in the reply packet. If all the neighbor nodes in location information list are in the communication scope, S accepts the corresponding route list in the reply. Otherwise the initiator discards it. It is assumed that a man-in-the-middle attack exists in the route. When finally the initiator S receives the route reply packet, it checks the location information list (LDLR2LR1). Since the distance between LR2 and LR1 is beyond the transmission range, S would find the route invalid and discard it.
S
R1

A1

A2

R2

Figure 4. An operation example of EndairALoc and format of EndairALoc messages. The initiator of the route discovery is S, the target is D, and the intermediate nodes are R1 and R2. Qid is a randomly generated query identifier. MACDS is the message authentication code of D for S; LD is the location information of D. Figure 4 describes the operation of EndairALoc. The initiator of the route discovery firstly generates a route request message and broadcasts it to its

Figure 5. The wormhole attack model Furthermore, as far as we know, there are no secure routing protocols which can resist the wormhole attack[22-24]. As shown in Figure 5, the dashed line between the two collaborated nodes (A1,A2) represents the wormhole along which A1 and A2 collaborate to make R1 and R2 take the other as a neighbor. it is clear that EndairA can not resist it. But in EndairALoc, when the initiator S checks the location list (LDLR2LR1) in the reply packet, it would find the distance between R2 and R1 beyond the transmission range and discard the route. So EndairALoc can resist the wormhole attack.

5. Analysis of security and performance

5.1. Security Analysis
Besides the capabilities of resisting the man-in-themiddle attack and the wormhole attack, EndairALoc

316

retains the security of EndairA. The analysis is as following: 1) Malicious nodes alter the control information and location information: the control information includes identity, sequence number, and so on. But because of the message authentication code used, any malicious modification will be found out by the initiator after it receives the reply packet. 2) Malicious nodes discard route request or reply packets: EndairALoc belonging to secure DSR protocols could obtain several replies according to one route request. A small number of malicious nodes will not result in serious influence on the route establishment. 3) Replay attack: malicious nodes broadcast stale route request or reply packets to the network. Qid is unique for one route request and is generated randomly by the initiator of the route discovery. Therefore, the stale route request or reply packets with the stale Qid will be detected and discarded by the initiator.

Table 1. Energy Consumption for Different Cryptographic Algorithms

Algorithms Publickey(RSA,DSA,ECDSA) Secret-key(DES,AES,IDEA) Hash(MD5,SHA,HMAC) Consumption 100500mJ 25uJ 0.51uJ

6. Conclusions
This paper firstly presents a new attack named manin-the-middle attack on EndairA. In order to prevent this attack, a new secure routing protocol, named EndairALoc, was proposed. The analysis result shows that our protocol not only retains the security of EndairA but also could resist the man-in-the-middle attack and even the wormhole attack. Furthermore, EndairALoc uses the symmetrical key mechanism instead of the public key mechanism, so the energy consumption in the route discovery is decreased greatly.

5.2. Performance Evaluation

Secure routing protocols add the security function to the normal routing protocols, so they would lead to more communication and energy consumption. The verification of the message authentication code and location information increases the computation consumption of the initiator and the latency of the route discovery. Fortunately, in the process of route request, each node takes a few actions. And nodes only need to generate message authentication codes in the process of route reply. Furthermore, there are several replies according to one route request. Therefore, the consumption is not very high on the whole. On the other side, symmetrical key mechanism is utilized in EndairALoc to decrease the computation consumption, while public key mechanism is chosen in EndairA. It is well known that asymmetric algorithms consume much more energy than other cryptographic algorithms do. Studies in [22] compared the energy consumption of public key arithmetic and symmetrical key arithmetic in quantity, as listed in Table1. The result shows that the energy consumption of public key arithmetic is orders of magnitude more powerful than symmetrical key arithmetic. From above, it is concluded that EndairALoc enhances the security of the routing protocol without introducing more energy consumption and is more suitable for the network with constrained energy.

References
[1] Y.C. Hu, and A. Perrig, A survey of secure wireless ad hoc routing, Security & Privacy Magazine, no. 2, pp. 28-39, 2004.

[2]F. Stajano, R. Anderson, The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks, in 7th International Workshop on Security Protocols, Berlin 1999. [3]T. S. Messerges, et al, A Secure Design for a General Purpose, Self-Organizing, Multihop Ad Hoc Wireless Network, in 1st ACM Workshop Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, 2003. [4]A. Perrig, J. Stankovic, D. Wagner, Security in Wireless Sensor Networks, Communications of the ACM, vol. 47,no. 6,pp.53-57, 2004. [5]L. Buttyn and J.-P. Hubaux, Report on a Working Session on Security in Wireless Ad Hoc Networks, ACM Mobile Computing and Communications Review (MC2R), vol. 7, no. 1, March 2003. [6]K. Inkinen, "New Secure Routing in Ad Hoc Networks: Study and Evaluation of Proposed Schemes", Telecommunications Software and Multimedia, 2004. [7]M. Jakobsson, S. Wetzel, B. Yener, Stealth attacks on ad-hoc wireless networks, in Vehicular

317

Technology Conference, vol.3, pp.2103- 2111, Oct 2003. [8]G. cs, L. Buttyn, and I. Vajda, Provable Security of On-Demand Distance Vector Routing in Wireless Ad Hoc Networks, Second European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (ESAS 2005), Visegrd, Hungary, July 13-14, 2005. [9]P. Papadimitratos, and Z. Haas, Secure routing for mobile ad hoc networks, In: Proc. of the SCS Communication Networks and Distributed Systems Modelling and Simulation Conf. San Antonio, pp.2731,2002. [10]Y.C. Hu, A. Perrig, and D. B. Johnson, Ariadne a secure on-demand routing protocol for ad hoc networks, in Proc. of the Eighth ACM Int1 Conf. on Mobile Computing and Networking (MOBI.COM 2002), pp.23-28. Atlanta, GA.2002. [11]M.G. Zapata, Securing ad hoc routing protocol, in Proc. of ACM workshop on wireless Security, pp.19.Atlanta. Sep. 2002. [12]M.G. Zapata,"Secure Ad hoc On-Demand Distance Vector (SAODV) Routing", http://personals.ac.upc.edu/guerrero/papers/draftguerrero-manet-saodv-06.txt, September 2006. [13]K sanzgiri, B Dahill et al, A secure routing protocol for Ad Hoc networks, in: Proc. of 2002 IEEE International Conference on Network Protocols (ICNP), Nov 2002. [14]K sanzgiri, et al, Authenticated Routing for Ad hoc Networks, IEEE Journal on Selected Areas in Communications, vol.23, no.3, pp.598-610,2005. [15]S. Ghazizadeh, O. Ilghami, and E. Sirin, Security aware adaptive dynamic source routing protoco1, in Proc. of the 27th Annual IEEE Conf. on Local Computer Networks, 2002. [16]Y.C. Hu,, D. B. Johnson, and A. Perrig, SEAD: secure efficient distance vector routing for mobile

wireless ad hoc networks, Networks,vol.2,no.2,.pp.175-192,2003.

Ad

hoc

[17]P. PAPADIMITRATOS, Z. J. HAAS, secure link state routing for mobile ad hoc networks, in Proc. of the 2003 Symposium on Applications and the Internet Workshops (SAINT'03 Workshops), 2003. [18]D.B. Johnson, D. Maltz, and Y. C. Hu, The dynamic source routing protocol for mobile ad hoc networks, http://www.ietf.org/internet-drafts/draftietf-manetdsr -10.txt, 2005. [19]L. Buttyan, and I. Vajda, Towards provable security for ad hoc routing protocols. in Proc. of the 2nd ACM Workshop on Security of ad hoc and Sensor Networks, 2005. [20]G. cs, L. Buttyn, and I. Vajda, Provably Secure On-demand Source Routing in Mobile Ad Hoc Networks, IEEE Transactions on Mobile Computing, Vol. 5, No. 11, November 2006. [21]Ad Hoc Positioning System(APS). In GLOBECOM 2001 IEEE Global Telecommunications Conference, pp.2926-2931, 2001. [22]C. Karlof and D. Wagner, Secure Routing in Sensor Networks: Attacks and Countermeasures, at the 1st IEEE International Workshop on Sensor Network Protocols and Applications, May 2003. [23]Y.C. Hu, A. Perrig, and D.B. Johnson, Packet leashes: a defense against wormhole attacks in wireless networks, in Proc. of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pp. 19761986, 2003. [24]L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole attacks, in Network and Distributed System Security Symposium, 2004. [25]N. Potlapally, et al.. Analyzing the Energy Consumption of Security Protocols, in SLPED03, 2003

318