Security for Ad Hoc Network Routing


Ad Hoc Networks Properties

  • Mobile
  • Wireless communication
  • Medium to high bandwidth
  • High variability of connection
  • No fixed infrastructure
  • Participants from different administrative entities
  • Medium to high computation, memory
  • Usually human user with each device

Key Establishment Seen So Far

  • SSL/TLS
      • Assumption: browser can authenticate server’s certificate with its local CA root certificates
  • Large-group key distribution
      • Assumption: each client already has a secure connection to key distribution server
  • Challenge in ad hoc networks: establish keys without any prior trust relationships

Problem Definition

  • Goals
      • Secure, authenticated communication between devices that share no prior context
      • Demonstrative identification: assure the human user which other device they are communicating with
  • No prior context?
      • No CAs or other trusted authorities
      • No PKI
      • No shared secrets
      • No shared communication history
  • Problem reduces to key establishment
  • Diffie & Hellman taught us how to share secrets…

Diffie-Hellman Key Agreement

  • Public values: large prime $p$, generator $g$
  • Alice has secret $a$, Bob has secret $b$
  • $A \to B$: $g^a \bmod p$
  • $B \to A$: $g^b \bmod p$
  • Bob: $(g^a \bmod p)^b \bmod p = g^{ab} \bmod p$
  • Alice: $(g^b \bmod p)^a \bmod p = g^{ab} \bmod p$
  • Eve cannot compute $g^{ab} \bmod p$

Problem: Man-in-the-middle Attack

  • Mallory can impersonate Alice to Bob, and impersonate Bob to Alice!
  • $A \to M$: $g^a \bmod p$
  • $M \to A$: $g^m \bmod p$
  • $M \to B$: $g^m \bmod p$
  • $B \to M$: $g^b \bmod p$
  • Bob: $(g^m \bmod p)^b \bmod p = g^{bm} \bmod p$
  • Alice: $(g^m \bmod p)^a \bmod p = g^{am} \bmod p$

How Serious is MitM Attack?

  • Wireless communication is invisible
      • People can’t tell which devices are connected
  • Neighbor can easily execute MitM attack
      • If neighbor has a faster computer, it can easily respond faster than the legitimate devices
  • Easy to perform with high success rate!

Solution to Man-in-the-Middle Attack

  • Authentication!
      • Public DH values must be authenticated
      • Topic of this lecture
  • Tradeoffs between security, usability, and transparency to the user
  • Transparency:
      • Does the user realize she is involved in a key establishment protocol?
      • Does the user need to realize this?

Commitment Schemes

  • Commitment semantics:
      • Binding
      • Hiding
  • $(c, d) \leftarrow \mathrm{commit}(m)$
      • $m$: message; $c$: commitment; $d$: opening value
  • It is infeasible to find $d'$ such that $(c, d')$ reveals $m' \neq m$
  • Example
      • $c = H(m \,\|\, r)$ where $r$ is a random number
      • $d = m, r$

Simple Protocol: String Comparison

  • Public values: large prime $p$, generator $g$
  • Alice has secret $a$, Bob has secret $b$
  • $A \to B$: $g^a \bmod p$
  • $B \to A$: $g^b \bmod p$
  • Alice and Bob compute: $g^{ab} \bmod p$
  • Alice’s and Bob’s devices display the last 20 bits of $H(g^{ab} \bmod p)$ (5 hexadecimal digits) and the users compare them manually; if they match, both click “ok”
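
The string comparison above, run with and without a relay that substitutes g^m mod p, as an added example that is not part of the original slides. The 127-bit prime, SHA-256 as H, and the fixed secrets are assumptions chosen for a reproducible toy run.

```python
import hashlib

# Toy parameters for illustration only (assumed, not from the slides):
# p is the Mersenne prime 2^127 - 1, far too small for real use.
P = 2**127 - 1
G = 3

def public_value(secret):
    """g^secret mod p, the value sent over the air."""
    return pow(G, secret, P)

def shared_key(peer_public, secret):
    """(peer's public value)^secret mod p."""
    return pow(peer_public, secret, P)

def short_string(key):
    """Last 20 bits of H(key), shown as 5 hexadecimal digits."""
    digest = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return format(int.from_bytes(digest, "big") & 0xFFFFF, "05x")

def run_exchange(a, b, m=None):
    """Return the strings that Alice's and Bob's devices display.

    If m is given, a relay in the middle replaces both public values
    with g^m mod p, as on the man-in-the-middle slide.
    """
    to_bob, to_alice = public_value(a), public_value(b)
    if m is not None:
        to_bob = to_alice = public_value(m)
    alice_key = shared_key(to_alice, a)
    bob_key = shared_key(to_bob, b)
    return short_string(alice_key), short_string(bob_key)

# Constructed secrets, fixed so the run is reproducible.
A_SECRET = 0x1F3D5B79A1C3E5F7
B_SECRET = 0x2E4C6A88B0D2F416
M_SECRET = 0x0123456789ABCDEF

if __name__ == "__main__":
    print("honest: ", run_exchange(A_SECRET, B_SECRET))
    print("relayed:", run_exchange(A_SECRET, B_SECRET, M_SECRET))
```

In the relayed run each device holds a key shared with the relay rather than with its peer, so the two displayed strings disagree. This covers direct substitution only, not the truncated-hash collision search raised under the shortcomings of this protocol.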

Shortcomings of Simple Protocol

  • First, Alice and Bob may not really compare the strings, but simply click “ok”. How to avoid this?
  • Knowing $g^a$ and $g^b$, attacker can compute $g^c$ and $g^d$ such that $[H(g^{ac})]_n = [H(g^{bd})]_n$
      • Complexity: only $O(2^{n/2})$ operations!
  • How to prevent this attack?

Secure routing in ad hoc network

  • Here we consider DSR as a showcase.
  • So, we revisit the routing operations in DSR, show the possible attacks on these operations, and consider secure ways of preventing these attacks.

Dynamic Source Routing (DSR)

  • Flooding is used for the delivery of control packets, not data packets.
  • The control packets are flooded to discover routes.
  • Then the data packets are sent over the discovered path.

Route discovery in DSR

  • C initiates the route discovery by flooding a Route Request (RREQ).
  • Each node appends its id to RREQ when it forwards RREQ.
  • Node K receives two RREQs. It may choose the shorter one (hops).

[Figure sequence: network of nodes A to O. RREQ node lists shown in successive steps: {C}; {C,G} and {C,F}; {C,G,I} and {C,F,H}; {C,F,H,K}]

Route Reply in DSR

  • When a destination node receives RREQ, it sends a Route Reply (RREP).
  • RREP is sent by reversing the route appended in the RREQ if the links are bidirectional.
      • If links are unidirectional, the destination node (D) may need a route discovery. In that case RREP is piggybacked on RREQ from D.
  • RREP contains the complete path from the sender to the destination.

[Figure: Route reply in DSR. Network of nodes A to O, with node list {C,F,H,K,L} shown]

Data delivery in DSR

[Figure: network of nodes A to O, with node list {C,F,H,K,L} shown]

  • All nodes on the path are included in the packet header.
  • That is why it is called source routing.

Data delivery in DSR: promiscuous listening

  • Data delivery is unicast, so packets carry the next hop’s IP address and MAC address.
  • When the next hop node’s MAC layer receives a frame, it compares the destination MAC address with its own MAC address. Since they do not match, the MAC layer discards the frame.
  • To avoid this, MAC layers use promiscuous listening. In this case, the MAC layer delivers frames to its network layer regardless of whether the destination address matches its MAC address.

Attack model in DSR

  • Excessive Route Discovery floods
  • Modifying discovered routes:
      • By dropping nodes
      • By altering the node list
  • Sending bogus ROUTE ERRORs
  • Failing to send ROUTE ERROR for broken route
  • Failing to forward packets

Ariadne

  • The solutions explained here are based on the following paper.
      • “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Y.-C. Hu, A. Perrig, A.B. Johnson, Wireless Networks 11, 21-38, 2005

Ariadne Authentication Requirements

  • Can use any of three types of authentication:
      • Pairwise shared keys: but requires setting up $O(n^2)$ keys
      • Digital signatures and asymmetric key setup: but uses expensive asymmetric cryptography
      • Time-delayed broadcast authentication (TESLA): but requires time synchronization
  • Ariadne requires only one of these types:
      • Each appropriate for different circumstances

ROUTE REQUEST Flooding Attack

  • On-demand protocols discover routes using flooding
  • An attacker can use this to flood the network:
      • A solution: rate-limit Discoveries when forwarding
      • But attacker can forge claimed Discovery initiator

[Figure: node X with ROUTE REQUESTs labelled “from A”, “from B”, “from C”, “from D”, “from E”]

Excessive ROUTE REQUEST Floods

  • Solution: Node uses a one-way hash chain:
      • Authenticates the true source of ROUTE REQUEST
      • Disclose a new element per Discovery
      • Each element can be used only once

One-Way Hash Chains

  • Pick random $C_n$ and public one-way function $H$
  • $C_i = H(C_{i+1})$
  • Infeasible to derive $C_i$ from $C_j$ ($j < i$)
  • Efficiently authenticate $C_i$ using $C_j$ ($j < i$): $C_j = H^{i-j}(C_i)$

[Figure: hash chain from $C_n$ down to $C_0$, with $C_{n-1} = H(C_n)$, $C_i = H(C_{i+1})$, $C_0 = H(C_1)$]

Using Hash Chains

  • Each node uses a one-way hash function $H$ which is known to every node.
  • Each node picks a random $C_n$, which is a secret value, and computes each chain value $C_i = H^{n-i}(C_n)$. So each node has its own hash chain.
  • Publicize $C_0$ to every node like a public key.
  • Every time a node sends a RREQ message, it includes the next $C_i$ starting from $C_0$.
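
One way a forwarding node could check the chain element carried in a ROUTE REQUEST, as an added example that is not part of the original slides. SHA-256 as H, the `RequestFilter` helper and its `max_skip` bound on hashing work per packet are assumptions.

```python
import hashlib
import os

def H(value):
    """Public one-way function H (SHA-256 here; the slides do not name one)."""
    return hashlib.sha256(value).digest()

def make_chain(n, seed=None):
    """Return [C_0, ..., C_n] with C_n random and C_i = H(C_{i+1})."""
    chain = [seed if seed is not None else os.urandom(32)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()            # chain[i] is now C_i
    return chain

class RequestFilter:
    """Per-initiator state kept by a forwarding node (hypothetical helper)."""

    def __init__(self, anchor, max_skip=64):
        self.last = anchor         # last authenticated element, initially C_0
        self.max_skip = max_skip   # bound on hashing work per packet

    def accept(self, element):
        """Accept C_i if hashing it at most max_skip times reaches self.last.

        A replayed element, or one older than self.last, never hashes
        forward to self.last, so each element is usable only once.
        """
        probe = element
        for _ in range(self.max_skip):
            probe = H(probe)
            if probe == self.last:
                self.last = element
                return True
        return False

if __name__ == "__main__":
    chain = make_chain(10)
    node = RequestFilter(anchor=chain[0])
    print(node.accept(chain[1]))        # first Discovery
    print(node.accept(chain[1]))        # replay of the same element
    print(node.accept(chain[4]))        # C_2 and C_3 never arrived
    print(node.accept(os.urandom(32)))  # forged initiator
```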

Hop Drop Attack

  • Attacker can drop or alter nodes on this list
  • Can prevent discovery of a correct route

[Figure: path S → A → B → C → D; node lists shown along the path: S; S, A; S, B; S, B, C]

Preventing Hop Drop

  • Initiator S and Target D share (or generate) $K_{SD}$
  • S adds Message Authentication Code $h_0 = \mathrm{MAC}(K_{SD}, \text{request id})$ to ROUTE REQUEST
      • MAC can only be computed by S and D
  • Each hop computes $h_i = H(\text{node address} \,\|\, h_{i-1})$
      • B needs $h_0$ to drop A but can’t derive it from $h_1$

[Figure: path S → A → B → C → D with $h_0$, $h_1$, $h_2$ shown along the path]

Preventing Hop Drop (continued)

  • In an Ariadne ROUTE REQUEST:
      • $h_0 = \mathrm{MAC}(K_{SD}, \text{request id})$: Target can compute $h_0$
      • $h_i = H(\text{node address} \,\|\, h_{i-1})$: Target can reconstruct each $h_i$
  • Target can thus detect hop drop

[Figure: path S → A → B → C → D with $h_0$, $h_1$, $h_2$, $h_3$ shown along the path]

Node List Corruption

  • Attacker can insert arbitrary nodes into node list
      • Instead of attacker’s node address
      • Or in addition to attacker’s node address
  • Can prevent discovery of a correct route

[Figure: path S → A → B → C → D; node lists shown along the path: S; S,A; S,A,Z; S,A,Z,C]

Route Authentication using Shared Keys

  • When using shared keys between all node pairs:
  • Each node F forwarding a REQUEST packet $p$:
      • Computes a MAC over $p$ using the key it shares with the target
      • Includes it in $h_i$ as $h_i = H(F \,\|\, \mathrm{MAC}(K_{FD}, p) \,\|\, h_{i-1})$
      • Only F and the target can compute this

[Figure: path S → A → B → C → D with $h_0$, $h_1$, $h_2$, $h_3$ shown along the path]

Route Authentication using Shared Keys (continued)

  • In an Ariadne ROUTE REQUEST:
      • As before, target can recompute $h_0$
      • $h_i = H(F \,\|\, \mathrm{MAC}(K_{FD}, p) \,\|\, h_{i-1})$: Target can reconstruct each $h_i$
  • Target can detect bogus nodes in node list
  • If received $h_i$ is valid, return authenticated REPLY

[Figure: path S → A → B → C → D with $h_0$, $h_1$, $h_2$, $h_3$ shown along the path; label: S,A,B,C,D, $\mathrm{MAC}(K_{SD}, \text{S,A,B,C,D})$]
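
The per-hop hash from the hop-drop and shared-key slides, with the target's check, as an added example that is not part of the original slides or of the Ariadne paper. SHA-256, HMAC-SHA256, the `packet` encoding of p, and all keys and addresses are assumptions; the node list here holds forwarders only.

```python
import hashlib
import hmac

def H(*parts):
    """One-way hash of the concatenated parts (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

def MAC(key, data):
    """HMAC-SHA256 stands in for the MAC, which the slides do not name."""
    return hmac.new(key, data, hashlib.sha256).digest()

def packet(request_id, nodes):
    """Assumed encoding of REQUEST packet p: request id plus node list so far."""
    return request_id + b"|" + b",".join(nodes)

def new_request(k_sd, request_id):
    """Initiator S: h_0 = MAC(K_SD, request id), empty list of forwarders."""
    return {"id": request_id, "nodes": [], "h": MAC(k_sd, request_id)}

def forward(req, node, k_fd):
    """Forwarder F: h_i = H(F || MAC(K_FD, p) || h_{i-1}), then append F."""
    p = packet(req["id"], req["nodes"])
    return {"id": req["id"], "nodes": req["nodes"] + [node],
            "h": H(node, MAC(k_fd, p), req["h"])}

def target_accepts(req, k_sd, keys):
    """Target D rebuilds h_0..h_i from the received node list and compares."""
    h, seen = MAC(k_sd, req["id"]), []
    for node in req["nodes"]:
        if node not in keys:            # D shares no key with this address
            return False
        h = H(node, MAC(keys[node], packet(req["id"], seen)), h)
        seen.append(node)
    return hmac.compare_digest(h, req["h"])

# Constructed keys and addresses (fixed-length, single-byte names).
K_SD = b"constructed S-D key"
KEYS = {n: b"constructed key with D for " + n for n in (b"A", b"B", b"C", b"Z")}

if __name__ == "__main__":
    at_b = forward(new_request(K_SD, b"req-1"), b"A", KEYS[b"A"])
    honest = forward(forward(at_b, b"B", KEYS[b"B"]), b"C", KEYS[b"C"])
    print("honest A,B,C:", target_accepts(honest, K_SD, KEYS))
    # B strips A from the list but only holds h_1, not h_0.
    dropped = forward(dict(at_b, nodes=[]), b"B", KEYS[b"B"])
    print("A dropped:   ", target_accepts(dropped, K_SD, KEYS))
    # B lists Z instead of itself without knowing K_ZD.
    bogus = forward(at_b, b"Z", b"guessed key")
    print("Z inserted:  ", target_accepts(bogus, K_SD, KEYS))
```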

Authenticating ROUTE ERRORs

  • Attacker could send forged ROUTE ERRORs to break good routes that are in use
  • Solution: Authenticate ROUTE ERRORs
      • If using pairwise shared keys: Authenticate ERROR to original source of packet

Secure Route Maintenance

  • ROUTE ERRORs can be only an optimization:
      • Malicious nodes might refuse to send them
  • To ensure Ariadne does not persistently use non-working routes:
      • Sources may use multipath routing
      • Each packet is acknowledged end-to-end, preferably using the reverse path
      • Sender should more often choose routes that successfully deliver packets
  • Never fully stop using an apparently good route:
      • Short-term Denial-of-Service would otherwise result in permanent crippling of that route