Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
1
Embedding Security in the Design of Routing
Protocols for Ad-Hoc Networks
Computer Science DepartmentWestern Michigan University
Mohsen Guizani, Ph.D. [email protected]
Western Michigan University
WMU is located in Kalamazoo, MichiganWMU is one of 15 Michigan state schoolsWMU has more than 28,000 studentsThe Computer Science is home to about 400 studentsCS has 18 faculty members, 5 full professors, 7 associate professors, and 6 assistant professors.
Examples of Hacked Websiteswww.onething.com/archive
Commercial sites: Yahoo, BMW, Motorola, New York Times, Telia Value Jet, etc.
Political sites: Amnesty International, UK Conservative Party, etc.
Administrative sites: CIA, American Justice Department, Los Angeles Police Department, etc.
Media sites: Spice Girls, Janet Jackson, Leonardo diCaprio, etc.
Al-Jazeera.net, March 25, 2003
Central Intelligence Agency (CIA)September 20th, 1996
US Department of JusticeAugust 18th, 1996
2
US Department of JusticeAugust 18th, 1996
New York Times, Sept. 13, 1998
The main page of the New York Timeswas hacked by a group called HFG
The main page of the New York Timeswas hacked by a group called HFG
UK Conservative Party, April 27, 1997 BMW, Jan. 2, 1998
www.cert.orgNumber of cases reported
3
OutlineIntroduction to Mobile Ad-Hoc Networks (MANETs)Ad-hoc Routing Protocols Overview
Design featuresClassifications
Secure Ad-hoc Routing ProtocolsNeed for Secure RoutingSecurity Design MechanismsSecure Aware Routing Protocol (SAR)
Trust Aware Routing Protocol (TARP)TARP SpecificationsTARP DesignProgress
Mobile Ad-Hoc Networks
Mobile Ad-Hoc Network (MANET):Autonomous nodesDynamic topologyNo fixed infrastructure
Applications:Disaster recovery networksBattlefield environmentsSurveillance applicationsSetting up temporary networks
MANET ConstraintsLack of fixed infrastructure supportMobility
Due to mobility, topology of network can change frequentlyNodes can be temporarily off-line or unreachable
Resource constraints Energy constraintsMemory and CPU constraintsBandwidth constraints
Wire-line based protocols are not applicable in wireless networksLimited physical securityIntrinsic mutual trust vulnerable to attacks
Routing Protocols:Overview
Routing Challenges
Malicious nodes can insert spurious information into routing packets
Routing loopsLong timeoutsFalse metricsReplay of old messages
Any node can overhear routing requestCan be used to determine communication pattern
Routing Protocol Design Features
Desired characteristics of ad-hoc routing protocols:
Distributed operationsLoop freedomDemand-based operationBest routeSleep period operationSecurityScalability
4
Routing Protocols Classification Criteria
- Reactive- Proactive- Hybrid
- Event driven- Regular update
- Full topology- Reduced topology
- Distance vector
- Link state
- Position based - Topology based
- Uniform - Non-uniform
- Hierarchical/Clustered - Flat protocols
- Full- Limited- Local
Broadcast messages
Route selection Strategy (metrics)
- Signal strength- Link stability- Shortest path- Distance vector- Hybrid protocols
Criterion 1
Criterion 2
Criterion 3
Criterion 4
Criterion 5
Criterion 6
Criterion 7
Routing Protocol Classification (contd.)
Proactive routing protocolsTable-driven and distance vector protocolsEvery node can operate with consistent and up-to-date tablesNodes periodically refresh the existing routing info and update routing table even for not used pathsExample: DSDV, OLSR, TBRPF, etc.
DrawbackExcessive amount of overhead messages exchanged to maintain the routing table in a highly mobile network
Proactive Routing Protocol Examples
Proactive
DSDV OLSRCGSR, WRP,STAR, HSR,
FSR
SEAD SLSP
Routing Protocol Classification (contd.)
Reactive (on-demand) routing protocolsupdates the routing information only when necessaryMost routing protocol are reactiveExample: DSR, TORA, AODV, etc.
DrawbackDelay caused by route discoveryRoute maintenance can still generate traffic overhead when network changes frequentlyPackets are likely to be lost if the route to the destination changes
Reactive Routing Protocol Examples
Reactive(On Demand)
DSR AODV TORAABR, SSR,FORP, LAR,
PLBR
QoS Guided Route Discovery
Securing QoS Guided Route
Discovery
Confidant
Ariadne
CORE
SAODV
SAR
SPREAD
ARAN
Routing Protocol Classification (contd.)
Hybrid routing protocolsUses both reactive and proactive protocolsFor example, proactive protocol between networks, reactive protocol inside of networksExample: ZRP, SRP, CEDAR, etc.
DrawbackRoute maintenance can still generate traffic overhead when network changes frequently
5
Hybrid Routing Protocol Examples
Hybrid
ZRP
SRP
CEDAR,ZHLS
Secure Routing Protocols in Ad-Hoc Network
General Security Considerations in Ad-Hoc Networks
Authentication
Confidentiality
Integrity
Non-repudiation
Availability
Verifying the identity and privileges of a user.
Passwords, Smart cards, Biometrics
The data sent by the source node should reach the destination node unaltered.
Message Hash
To guarantee that the sender of a message cannot later deny having sent the messageand that the recipient cannot deny having received the message.
Digital signatures
The data sent by the sender must be comprehensible only to the intended receiver.
Encryption The network should remain operational all the time.It must be robust enough to tolerate link failures and also be capable of surviving various attacks mounted on it.
Network Security
Dynamic changing topologyTransport layer
End-to-end security measureNetwork layer
Routing is cooperative Susceptible to erroneous routing updates, replay attacks etc.Based on implicit ‘trust-your-neighbor’ relationships
Poor protection to protocol packets at physical layerPhysical/MAC layer approaches
Encryption, error correcting codes, etc.
Security Challenges in Wireless Ad-Hoc Networks
Physical
Link/MAC
Network
Transport
Application
Prot
ocol
Sta
ck
Need for Secure RoutingChallenges
Ensuring data is routed through a secure route composed of trusted nodesSecurity of the information in the routing protocol messages
Example:
Transmission range
Shortest route
secure route
secure
Less Secure
Unsecure
SourceTarget
Ad Hoc Networks SecurityTypes of Security Threats
Application Layer Attacks
• Wormhole
• Blackhole
• Byzantine
• Information Disclosure
• Resource Consumption
• Routing Attacks
• Selfishness
MAC Layer Attacks
• Jamming
Network Layer Attacks
Security Attacks
Active Attacks
Transport Layer Attacks
Passive Attacks
• Snooping
adversary snoops the data exchanged in the network without altering it.
Attempt to keep the shared channel busy and un-usable for other nodes
Other Attacks
A compromised intermediate node or a collusion of nodes• Create routing loops• Route packets on non-optimal paths• Selectively drop packets
Hard to detect. • Unnecessary route requests• Frequent beacon packets• Forwarding of stale packets
Sleep deprivation attack
Attacks mounted on routing protocol• Routing table overflow - advertises routes to .-non-existent nodes• Routing table poisoning - fictitious routing .-.0updates• Packet replication – to consume additional .-.0resources and cause confusion• Route cache poisoning• Rushing attack - floods RouteRequest packet .-quickly to become blackhole.
Tunnel between two colluding attackers.Forward selected packets and drop others.Routing algorithms may fail to find valid routes.
S
B
A
D
Sinkhole: A malicious node falsely advertises good paths to hinder the route discovery process or to intercept all data being sent to some nodes.
S1
D2
A
D1
D3
D4S2
S3S4
S5
6
• Denial of Service
• Impersonation
• Device Tempering
• Network Traffic ._Manipulation
• Sybil Attack
• Wormhole
• Blackhole
• Byzantine
• Information Disclosure
• Resource Consumption
• Routing Attacks
• Selfishness
• Repudiation
• Replay
Application Layer Attacks
• Session ._Hijacking
MAC Layer Attacks
• Jamming
Network Layer Attacks
Security Attacks
Active Attacks
Transport Layer Attacks
Passive Attacks
• Snooping
Other Attacks
To save its battery life a selfish node could endanger the network operation by:
• Not taking part in routing protocol• Not forwarding packets
Cooperation enforcement mechanism
Major Issues: Key ManagementSecure Routing Cooperation Enforcement
Ad Hoc Networks SecurityTypes of Security Threats Security Design Mechanisms
AccountabilityEvent logging system for intrusion detection and/or prevention
Trust management Node-to-node trustNode-to-central authority trust Hierarchical trust
A BSource Destination
: General: Officer: Private
Security Design Mechanisms (contd.)
Authentication and Key managementKey creation
Central key creationDistributed key creation
Key storageCentralizedReplicated storage for fault toleranceDistributed, on each node (partial vs. full key storage)
Key distributionSymmetric and private keys: Confidentiality, integrity, and authenticity should not be violatedPublic keys: Integrity and authenticity should be preserved
Certificate authorityProvides public key certificate to mobile nodes for nodes to develop mutual trust
SAR: Secure Aware Routing
Protocol
Security Aware Routing (SAR)
ApproachUse different security attributes to improve the quality of the security of an ad-hoc routeIncorporate security levels of nodes into traditional routing metrics
Goal Quantify the notion of trust Represent trust relationships explicitly by defining a suitable hierarchy of trust valueIntegrate the trust value of a node and the security attributes of a route to provide an integrated security metric
SAR Protocol OverviewBasic protocol: On-demand protocol AODVEmbed security metric into the RREQ packet itself and change the forwarding behavior of the protocol with respect to RREQsSource node:
Specify desired level of security in the RREQBroadcast the packet
Intermediate node:Process/forward the packet only if it can provide the required security or has the required authorization or trust levelOtherwise drop the RREQ
If an end-to-end path with the required security found, the intermediate node or eventual destination sends a suitably modified RREP
7
Target Environment
Ad-hoc networks with hierarchical trust structure among mobile nodes
Example: Military field operations in hostile environment requiring secure communication between friendly units
Applicable to any on-demand ad-hoc routing protocol
SAR Specifications
Use trust relationship to make routing decisions
Ensure packets are only routed through trusted and capable nodesEnable end-to-end security measures.
Secure routing protocol packetsProtect against misbehaving nodesHide routing information
On-Demand Routing Ad-hoc Protocols mechanism (DSR, AODV, etc.)
Route discovery Source node
Broadcast the RREQ packet just as in AODVWhen an intermediate node receives an RREQ
First check if the node can satisfy the security requirement indicated in the packetIf yes, update the packet then forward it to its neighborsIf no, drop the RREQ packet
When RREQ arrives at the destinationIndicates the presence of a path from the sender to the receiver that satisfies the security requirement specified by the senderSend the RREP back to sender as in AODV with requested security
SAR Design FeaturesExpose the existing hierarchical “trust” structure of the organization to routing decisionsOnly “sufficiently secure” nodes participate in route discovery
Defined by node making route requestEnforced through encryption of routing messages and other cryptographic techniques
If route discovery failsRe-try with lowered security requirementSignal application failure to discover a route
Quantifiable security information on discovered paths is provided to both source and destination
Case Scenario: On-demand Routing
: General
: Officer
: Private
Data
A BSource Destination
Introducing Security: SAR
: General
: Officer
: Private
A B
“Only officers or higher ranking nodes participate.”
Do nothing
Do nothing
Source Destination
Route Reply
Route Request
8
SAR BehaviorRoute discovered by SAR may not be the shortest route in terms of hop-countSAR finds a route with a ‘quantifiable guarantee of security’If one or more routes satisfying the required security attributes exists, SAR finds the shortest such routeOptimal route: All nodes on the shortest path (in terms of hop-count) satisfy the security requirementsDrawback:
If no path with nodes that meet the RREQ’ssecurity requirements exists, SAR fails to find a route even though the network may be connected
Attacks/Defense/Parameters
Replay
Repudiation
Impersonation
Eavesdropping
Modification
Timestamp
Sequence No.
Digital Signature
Message Digest
Encryption
Signature Chaining
Algorithm
Key Size
Attacks Defense Techniques Parameters
Fabrication
Digital Certificate
TARP: Trust Aware Routing
Protocol
Outline
Design GoalTARP CharacteristicsTARP Metrics SpecificationsTARP IllustrationTARP Protocol DesignStatus
Goal
Design, develop and evaluate a suite of scalable protocols for unicast, multicast and broadcast communication primitives providing secure on-demand ad hoc rout ing serv ice from a source to a destination with desired confidence level (such as 90% assurance, 80% assurance, etc.) based on extended set of parameters
TARP CharacteristicsSecurity will be inherently built into TARP Messages are received with a high level of confidenceUsers and applications can prescribe their required level of security (e.g., 90% assurance, 85% assurance, etc.) An optimal secure route is found based on a prescribed trust level, or it finds an optimal route that has highest level of security that the current network can provide The trust level of a node depends on characteristics of trust metrics that include software configuration, hardware configuration, power, credit history, exposure, and organizational hierarchy
9
TARP Characteristics (contd.)The trust level is computed dynamically within the node’s cluster Graceful network performance degradation is obtained by limiting control message exchanges within the cluster Fuzzy-based adaptive techniquesControlled flooding of messages is achieved in the route discovery phase in which a neighboring node can participate only if it provides the minimum trust level. Resource usage is optimized. The protocol suite adapts to changes in the environment, such as the nodes' power level, exposure to the network, credit history, etc.
Trust Metric SpecificationSoftware configuration
Encryption ability of the nodeA node with strong encryption algorithm has high trust level (e.g., Triple-DES, RC6, etc.)A node with weaker encryption algorithm has low trust level (e.g., Standard DES, RC5, etc.)
Hardware configurationComputation ability of a node (e.g., memory, processor, etc.)A node with powerful hardware configuration has high level of trust
Battery powerBattery power is limited resourcesNodes with no sufficient power are not able to participate in packet forwardingNode trust level is set to low if battery power is low
Trust Metric Specification (contd.)
Credit historyGive reputation to the node while evaluating the trust levelReputation is based on node’s forwarding behaviorForwarding behavior includes: data messages, control messages, dropping packets, etc.Increase the reputation metrics of all intermediate nodes upon the reception of randomized ACK/NACK messages from the destination nodeDecrease the reputation metrics upon dropping or misrouting packetsHigh trust level for nodes with good forwarding behavior
Trust Metric Specification (contd.)
ExposureHow much a node moving in an arbitrary path is exposed to other nodes in the networkHigher exposure leads to greater risk of being exposed to malicious nodeHigh exposure corresponds to low trust levelExposure metric is a function of mobility, speed, path length, etc. Minimizing the exposure favors shorter paths and nodes with less mobility
Trust Metric Specification (contd.)
Organizational hierarchyHierarchy represents the security, importance, and capability of the mobile nodesWe assume predetermined organizational hierarchy which does not change with timeIn the absence of organizational hierarchy, nodes are assumed to be at the same levelThe level of hierarchy reflects the level of trust
TARP Parameters Specifications
TARP
Software Hardware Power Exposure Credit Hierarchy
NONE
Encry1
Encry2
Encry3
CPU RAM
Busy
Not Busy
Low
High
Low
Med
High
VeryHigh
Mobile
Fixed
Bad
Good
Private
Officer
Captain
General
average
10
TARP Illustration
: General
: Officer
: Private
A BSource Destination
Data
TARP Illustration
: General
: Officer
: Private
A B
“Only officers or higher ranking
nodes participate.”
Source Destination
Route Reply
Route Request
do nothingLow power
do nothingHigh Exposure
%70%75
%30
%45
%55 %65
%80
%72%75
%40
do nothingWeak Encryption
do nothingLess Hierarchy ranking
do nothingBad credit history
TARP Protocol Design GoalOn the fly determination of feasible paths
Find route based on user specified confidence levelFind path with highest level of security
Optimization of resource usageAdvertise resource availability to neighboring nodes
Routing metric to be exchangedAdvertise the following metrics: power, hardware, software configuration, credit history, exposure, hierarchy, etc.
TARP Protocol Design Goal (contd.)
Graceful network performance degradationUse heuristic techniques to reduce the amount of exchanged control messages.
2
13
4
5
6 7
8
9
10
Neighbors of node 1
Neighbors of node 6 Neighbors of node 9
Resource message
updates for node 1
Resource message
updates for node 9
Scope of the resource message update exchange protocol
TARP Protocol Design Goal (contd.)
Trusted path computation:Path selection based on:
Security (trust level/credit history)Efficiency (resource availability)
Performance objective while computing trust-based paths
Better network throughput Less path request blocking probability
Security Use the Internet Key Exchange (IKE) protocol during the protocol message exchange to protect against intruder attacks
TARP Implementation Progress
Implementation from “scratch”Static network Dynamic network OPNET simulation toolPerformance evaluationCompare TARP to SAR performance Large-scale analysis2 Ph.D. students
11
References
Mobile Ad Hoc Networking, (S. Basagni, M. Conti, S. Giordano, I. Stojmenovic, eds.), IEEE Press/Wiley 2004
Security for Mobility, Chris Mitchell, John O'Reilly, William Webb. IEE Publishers, 2004H Yang, Y. Luo, F Ye, S Lu, and L Zhang, “Security in mobile ad hoc networks: Challenges and solutions” (2004). IEEE Wireless CommunicationsP. Papadimitratos and Z. Haas, “Secure Routing for Mobile Ad Hoc Networks”, CNDS proceedings 2002.P. Michiardi and R. Molva, “Core: A Collaborative Reputation mechanism to Enforce Node Cooperation in Mobile Ad Hoc Networks”, IFIP proceedings 2002.L. Buttyan and J. P. Hubaux, “Nuglets: A Virtual Currency to Stimulate Cooperation in Self-Organized Ad Hoc Networks”, Technical Report DSC/2001/001 Swiss Federal Institute of Technology, 2001.H. Yang, X. Meng and S. Lu, “Self-Organized Network-Layer Security in Mobile Ad Hoc Networks”, ACM MOBICOM Wireless Security Workshop 2002.S. Buchegger and J. Y. Le Boudec, “Nodes Bearing Grudges: Towards Routing Security, Fairness and Robustness in Mobile Ad Hoc Networks”, 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing 2002.S. Bandyopadhyay et al., “A Game-Theoretic Analysis on the Conditions of Cooperation in a Wireless Ad Hoc Network”, 2005.J. Cai, U. Pooch, “Allocate Fair Payoff for Cooperation in Wireless Ad Hoc Networks Using Shapley Value”, Proceedings of the 18th International Parallel and Distributed Processing Symposium (IPDPS 2004)Haijin Yan and David Lowenthal, “Towards Cooperation fairness in Mobile Ad Hoc Networks”, WCNC 2005.
Thank you!
/ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /DownsampleGrayImages false /GrayImageDownsampleType /Bicubic /GrayImageResolution 600 /GrayImageDepth -1 /GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages false /GrayImageFilter /DCTEncode /AutoFilterGrayImages true /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /DownsampleMonoImages false /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages false /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile () /PDFXOutputCondition () /PDFXRegistryName (http://www.color.org) /PDFXTrapped /Unknown
/Description >>> setdistillerparams> setpagedevice