-
1
Embedding Security in the Design of Routing
Protocols for Ad-Hoc Networks
Computer Science DepartmentWestern Michigan University
Mohsen Guizani, Ph.D. [email protected]
Western Michigan University
WMU is located in Kalamazoo, MichiganWMU is one of 15 Michigan
state schoolsWMU has more than 28,000 studentsThe Computer Science
is home to about 400 studentsCS has 18 faculty members, 5 full
professors, 7 associate professors, and 6 assistant professors.
Examples of Hacked Websiteswww.onething.com/archive
Commercial sites: Yahoo, BMW, Motorola, New York Times, Telia
Value Jet, etc.
Political sites: Amnesty International, UK Conservative Party,
etc.
Administrative sites: CIA, American Justice Department, Los
Angeles Police Department, etc.
Media sites: Spice Girls, Janet Jackson, Leonardo diCaprio,
etc.
Al-Jazeera.net, March 25, 2003
Central Intelligence Agency (CIA)September 20th, 1996
US Department of JusticeAugust 18th, 1996
-
2
US Department of JusticeAugust 18th, 1996
New York Times, Sept. 13, 1998
The main page of the New York Timeswas hacked by a group called
HFG
The main page of the New York Timeswas hacked by a group called
HFG
UK Conservative Party, April 27, 1997 BMW, Jan. 2, 1998
www.cert.orgNumber of cases reported
-
3
OutlineIntroduction to Mobile Ad-Hoc Networks (MANETs)Ad-hoc
Routing Protocols Overview
Design featuresClassifications
Secure Ad-hoc Routing ProtocolsNeed for Secure RoutingSecurity
Design MechanismsSecure Aware Routing Protocol (SAR)
Trust Aware Routing Protocol (TARP)TARP SpecificationsTARP
DesignProgress
Mobile Ad-Hoc Networks
Mobile Ad-Hoc Network (MANET):Autonomous nodesDynamic topologyNo
fixed infrastructure
Applications:Disaster recovery networksBattlefield
environmentsSurveillance applicationsSetting up temporary
networks
MANET ConstraintsLack of fixed infrastructure
supportMobility
Due to mobility, topology of network can change frequentlyNodes
can be temporarily off-line or unreachable
Resource constraints Energy constraintsMemory and CPU
constraintsBandwidth constraints
Wire-line based protocols are not applicable in wireless
networksLimited physical securityIntrinsic mutual trust vulnerable
to attacks
Routing Protocols:Overview
Routing Challenges
Malicious nodes can insert spurious information into routing
packets
Routing loopsLong timeoutsFalse metricsReplay of old
messages
Any node can overhear routing requestCan be used to determine
communication pattern
Routing Protocol Design Features
Desired characteristics of ad-hoc routing protocols:
Distributed operationsLoop freedomDemand-based operationBest
routeSleep period operationSecurityScalability
-
4
Routing Protocols Classification Criteria
- Reactive- Proactive- Hybrid
- Event driven- Regular update
- Full topology- Reduced topology
- Distance vector
- Link state
- Position based - Topology based
- Uniform - Non-uniform
- Hierarchical/Clustered - Flat protocols
- Full- Limited- Local
Broadcast messages
Route selection Strategy (metrics)
- Signal strength- Link stability- Shortest path- Distance
vector- Hybrid protocols
Criterion 1
Criterion 2
Criterion 3
Criterion 4
Criterion 5
Criterion 6
Criterion 7
Routing Protocol Classification (contd.)
Proactive routing protocolsTable-driven and distance vector
protocolsEvery node can operate with consistent and up-to-date
tablesNodes periodically refresh the existing routing info and
update routing table even for not used pathsExample: DSDV, OLSR,
TBRPF, etc.
DrawbackExcessive amount of overhead messages exchanged to
maintain the routing table in a highly mobile network
Proactive Routing Protocol Examples
Proactive
DSDV OLSRCGSR, WRP,STAR, HSR,
FSR
SEAD SLSP
Routing Protocol Classification (contd.)
Reactive (on-demand) routing protocolsupdates the routing
information only when necessaryMost routing protocol are
reactiveExample: DSR, TORA, AODV, etc.
DrawbackDelay caused by route discoveryRoute maintenance can
still generate traffic overhead when network changes
frequentlyPackets are likely to be lost if the route to the
destination changes
Reactive Routing Protocol Examples
Reactive(On Demand)
DSR AODV TORAABR, SSR,FORP, LAR,
PLBR
QoS Guided Route Discovery
Securing QoS Guided Route
Discovery
Confidant
Ariadne
CORE
SAODV
SAR
SPREAD
ARAN
Routing Protocol Classification (contd.)
Hybrid routing protocolsUses both reactive and proactive
protocolsFor example, proactive protocol between networks, reactive
protocol inside of networksExample: ZRP, SRP, CEDAR, etc.
DrawbackRoute maintenance can still generate traffic overhead
when network changes frequently
-
5
Hybrid Routing Protocol Examples
Hybrid
ZRP
SRP
CEDAR,ZHLS
Secure Routing Protocols in Ad-Hoc Network
General Security Considerations in Ad-Hoc Networks
Authentication
Confidentiality
Integrity
Non-repudiation
Availability
Verifying the identity and privileges of a user.
Passwords, Smart cards, Biometrics
The data sent by the source node should reach the destination
node unaltered.
Message Hash
To guarantee that the sender of a message cannot later deny
having sent the messageand that the recipient cannot deny having
received the message.
Digital signatures
The data sent by the sender must be comprehensible only to the
intended receiver.
Encryption The network should remain operational all the time.It
must be robust enough to tolerate link failures and also be capable
of surviving various attacks mounted on it.
Network Security
Dynamic changing topologyTransport layer
End-to-end security measureNetwork layer
Routing is cooperative Susceptible to erroneous routing updates,
replay attacks etc.Based on implicit ‘trust-your-neighbor’
relationships
Poor protection to protocol packets at physical
layerPhysical/MAC layer approaches
Encryption, error correcting codes, etc.
Security Challenges in Wireless Ad-Hoc Networks
Physical
Link/MAC
Network
Transport
Application
Prot
ocol
Sta
ck
Need for Secure RoutingChallenges
Ensuring data is routed through a secure route composed of
trusted nodesSecurity of the information in the routing protocol
messages
Example:
Transmission range
Shortest route
secure route
secure
Less Secure
Unsecure
SourceTarget
Ad Hoc Networks SecurityTypes of Security Threats
Application Layer Attacks
• Wormhole
• Blackhole
• Byzantine
• Information Disclosure
• Resource Consumption
• Routing Attacks
• Selfishness
MAC Layer Attacks
• Jamming
Network Layer Attacks
Security Attacks
Active Attacks
Transport Layer Attacks
Passive Attacks
• Snooping
adversary snoops the data exchanged in the network without
altering it.
Attempt to keep the shared channel busy and un-usable for other
nodes
Other Attacks
A compromised intermediate node or a collusion of nodes• Create
routing loops• Route packets on non-optimal paths• Selectively drop
packets
Hard to detect. • Unnecessary route requests• Frequent beacon
packets• Forwarding of stale packets
Sleep deprivation attack
Attacks mounted on routing protocol• Routing table overflow -
advertises routes to .-non-existent nodes• Routing table poisoning
- fictitious routing .-.0updates• Packet replication – to consume
additional .-.0resources and cause confusion• Route cache
poisoning• Rushing attack - floods RouteRequest packet .-quickly to
become blackhole.
Tunnel between two colluding attackers.Forward selected packets
and drop others.Routing algorithms may fail to find valid
routes.
S
B
A
D
Sinkhole: A malicious node falsely advertises good paths to
hinder the route discovery process or to intercept all data being
sent to some nodes.
S1
D2
A
D1
D3
D4S2
S3S4
S5
-
6
• Denial of Service
• Impersonation
• Device Tempering
• Network Traffic ._Manipulation
• Sybil Attack
• Wormhole
• Blackhole
• Byzantine
• Information Disclosure
• Resource Consumption
• Routing Attacks
• Selfishness
• Repudiation
• Replay
Application Layer Attacks
• Session ._Hijacking
MAC Layer Attacks
• Jamming
Network Layer Attacks
Security Attacks
Active Attacks
Transport Layer Attacks
Passive Attacks
• Snooping
Other Attacks
To save its battery life a selfish node could endanger the
network operation by:
• Not taking part in routing protocol• Not forwarding
packets
Cooperation enforcement mechanism
Major Issues: Key ManagementSecure Routing Cooperation
Enforcement
Ad Hoc Networks SecurityTypes of Security Threats Security
Design Mechanisms
AccountabilityEvent logging system for intrusion detection
and/or prevention
Trust management Node-to-node trustNode-to-central authority
trust Hierarchical trust
A BSource Destination
: General: Officer: Private
Security Design Mechanisms (contd.)
Authentication and Key managementKey creation
Central key creationDistributed key creation
Key storageCentralizedReplicated storage for fault
toleranceDistributed, on each node (partial vs. full key
storage)
Key distributionSymmetric and private keys: Confidentiality,
integrity, and authenticity should not be violatedPublic keys:
Integrity and authenticity should be preserved
Certificate authorityProvides public key certificate to mobile
nodes for nodes to develop mutual trust
SAR: Secure Aware Routing
Protocol
Security Aware Routing (SAR)
ApproachUse different security attributes to improve the quality
of the security of an ad-hoc routeIncorporate security levels of
nodes into traditional routing metrics
Goal Quantify the notion of trust Represent trust relationships
explicitly by defining a suitable hierarchy of trust valueIntegrate
the trust value of a node and the security attributes of a route to
provide an integrated security metric
SAR Protocol OverviewBasic protocol: On-demand protocol
AODVEmbed security metric into the RREQ packet itself and change
the forwarding behavior of the protocol with respect to RREQsSource
node:
Specify desired level of security in the RREQBroadcast the
packet
Intermediate node:Process/forward the packet only if it can
provide the required security or has the required authorization or
trust levelOtherwise drop the RREQ
If an end-to-end path with the required security found, the
intermediate node or eventual destination sends a suitably modified
RREP
-
7
Target Environment
Ad-hoc networks with hierarchical trust structure among mobile
nodes
Example: Military field operations in hostile environment
requiring secure communication between friendly units
Applicable to any on-demand ad-hoc routing protocol
SAR Specifications
Use trust relationship to make routing decisions
Ensure packets are only routed through trusted and capable
nodesEnable end-to-end security measures.
Secure routing protocol packetsProtect against misbehaving
nodesHide routing information
On-Demand Routing Ad-hoc Protocols mechanism (DSR, AODV,
etc.)
Route discovery Source node
Broadcast the RREQ packet just as in AODVWhen an intermediate
node receives an RREQ
First check if the node can satisfy the security requirement
indicated in the packetIf yes, update the packet then forward it to
its neighborsIf no, drop the RREQ packet
When RREQ arrives at the destinationIndicates the presence of a
path from the sender to the receiver that satisfies the security
requirement specified by the senderSend the RREP back to sender as
in AODV with requested security
SAR Design FeaturesExpose the existing hierarchical “trust”
structure of the organization to routing decisionsOnly
“sufficiently secure” nodes participate in route discovery
Defined by node making route requestEnforced through encryption
of routing messages and other cryptographic techniques
If route discovery failsRe-try with lowered security
requirementSignal application failure to discover a route
Quantifiable security information on discovered paths is
provided to both source and destination
Case Scenario: On-demand Routing
: General
: Officer
: Private
Data
A BSource Destination
Introducing Security: SAR
: General
: Officer
: Private
A B
“Only officers or higher ranking nodes participate.”
Do nothing
Do nothing
Source Destination
Route Reply
Route Request
-
8
SAR BehaviorRoute discovered by SAR may not be the shortest
route in terms of hop-countSAR finds a route with a ‘quantifiable
guarantee of security’If one or more routes satisfying the required
security attributes exists, SAR finds the shortest such
routeOptimal route: All nodes on the shortest path (in terms of
hop-count) satisfy the security requirementsDrawback:
If no path with nodes that meet the RREQ’ssecurity requirements
exists, SAR fails to find a route even though the network may be
connected
Attacks/Defense/Parameters
Replay
Repudiation
Impersonation
Eavesdropping
Modification
Timestamp
Sequence No.
Digital Signature
Message Digest
Encryption
Signature Chaining
Algorithm
Key Size
Attacks Defense Techniques Parameters
Fabrication
Digital Certificate
TARP: Trust Aware Routing
Protocol
Outline
Design GoalTARP CharacteristicsTARP Metrics SpecificationsTARP
IllustrationTARP Protocol DesignStatus
Goal
Design, develop and evaluate a suite of scalable protocols for
unicast, multicast and broadcast communication primitives providing
secure on-demand ad hoc rout ing serv ice from a source to a
destination with desired confidence level (such as 90% assurance,
80% assurance, etc.) based on extended set of parameters
TARP CharacteristicsSecurity will be inherently built into TARP
Messages are received with a high level of confidenceUsers and
applications can prescribe their required level of security (e.g.,
90% assurance, 85% assurance, etc.) An optimal secure route is
found based on a prescribed trust level, or it finds an optimal
route that has highest level of security that the current network
can provide The trust level of a node depends on characteristics of
trust metrics that include software configuration, hardware
configuration, power, credit history, exposure, and organizational
hierarchy
-
9
TARP Characteristics (contd.)The trust level is computed
dynamically within the node’s cluster Graceful network performance
degradation is obtained by limiting control message exchanges
within the cluster Fuzzy-based adaptive techniquesControlled
flooding of messages is achieved in the route discovery phase in
which a neighboring node can participate only if it provides the
minimum trust level. Resource usage is optimized. The protocol
suite adapts to changes in the environment, such as the nodes'
power level, exposure to the network, credit history, etc.
Trust Metric SpecificationSoftware configuration
Encryption ability of the nodeA node with strong encryption
algorithm has high trust level (e.g., Triple-DES, RC6, etc.)A node
with weaker encryption algorithm has low trust level (e.g.,
Standard DES, RC5, etc.)
Hardware configurationComputation ability of a node (e.g.,
memory, processor, etc.)A node with powerful hardware configuration
has high level of trust
Battery powerBattery power is limited resourcesNodes with no
sufficient power are not able to participate in packet
forwardingNode trust level is set to low if battery power is
low
Trust Metric Specification (contd.)
Credit historyGive reputation to the node while evaluating the
trust levelReputation is based on node’s forwarding
behaviorForwarding behavior includes: data messages, control
messages, dropping packets, etc.Increase the reputation metrics of
all intermediate nodes upon the reception of randomized ACK/NACK
messages from the destination nodeDecrease the reputation metrics
upon dropping or misrouting packetsHigh trust level for nodes with
good forwarding behavior
Trust Metric Specification (contd.)
ExposureHow much a node moving in an arbitrary path is exposed
to other nodes in the networkHigher exposure leads to greater risk
of being exposed to malicious nodeHigh exposure corresponds to low
trust levelExposure metric is a function of mobility, speed, path
length, etc. Minimizing the exposure favors shorter paths and nodes
with less mobility
Trust Metric Specification (contd.)
Organizational hierarchyHierarchy represents the security,
importance, and capability of the mobile nodesWe assume
predetermined organizational hierarchy which does not change with
timeIn the absence of organizational hierarchy, nodes are assumed
to be at the same levelThe level of hierarchy reflects the level of
trust
TARP Parameters Specifications
TARP
Software Hardware Power Exposure Credit Hierarchy
NONE
Encry1
Encry2
Encry3
CPU RAM
Busy
Not Busy
Low
High
Low
Med
High
VeryHigh
Mobile
Fixed
Bad
Good
Private
Officer
Captain
General
average
-
10
TARP Illustration
: General
: Officer
: Private
A BSource Destination
Data
TARP Illustration
: General
: Officer
: Private
A B
“Only officers or higher ranking
nodes participate.”
Source Destination
Route Reply
Route Request
do nothingLow power
do nothingHigh Exposure
%70%75
%30
%45
%55 %65
%80
%72%75
%40
do nothingWeak Encryption
do nothingLess Hierarchy ranking
do nothingBad credit history
TARP Protocol Design GoalOn the fly determination of feasible
paths
Find route based on user specified confidence levelFind path
with highest level of security
Optimization of resource usageAdvertise resource availability to
neighboring nodes
Routing metric to be exchangedAdvertise the following metrics:
power, hardware, software configuration, credit history, exposure,
hierarchy, etc.
TARP Protocol Design Goal (contd.)
Graceful network performance degradationUse heuristic techniques
to reduce the amount of exchanged control messages.
2
13
4
5
6 7
8
9
10
Neighbors of node 1
Neighbors of node 6 Neighbors of node 9
Resource message
updates for node 1
Resource message
updates for node 9
Scope of the resource message update exchange protocol
TARP Protocol Design Goal (contd.)
Trusted path computation:Path selection based on:
Security (trust level/credit history)Efficiency (resource
availability)
Performance objective while computing trust-based paths
Better network throughput Less path request blocking
probability
Security Use the Internet Key Exchange (IKE) protocol during the
protocol message exchange to protect against intruder attacks
TARP Implementation Progress
Implementation from “scratch”Static network Dynamic network
OPNET simulation toolPerformance evaluationCompare TARP to SAR
performance Large-scale analysis2 Ph.D. students
-
11
References
Mobile Ad Hoc Networking, (S. Basagni, M. Conti, S. Giordano, I.
Stojmenovic, eds.), IEEE Press/Wiley 2004
Security for Mobility, Chris Mitchell, John O'Reilly, William
Webb. IEE Publishers, 2004H Yang, Y. Luo, F Ye, S Lu, and L Zhang,
“Security in mobile ad hoc networks: Challenges and solutions”
(2004). IEEE Wireless CommunicationsP. Papadimitratos and Z. Haas,
“Secure Routing for Mobile Ad Hoc Networks”, CNDS proceedings
2002.P. Michiardi and R. Molva, “Core: A Collaborative Reputation
mechanism to Enforce Node Cooperation in Mobile Ad Hoc Networks”,
IFIP proceedings 2002.L. Buttyan and J. P. Hubaux, “Nuglets: A
Virtual Currency to Stimulate Cooperation in Self-Organized Ad Hoc
Networks”, Technical Report DSC/2001/001 Swiss Federal Institute of
Technology, 2001.H. Yang, X. Meng and S. Lu, “Self-Organized
Network-Layer Security in Mobile Ad Hoc Networks”, ACM MOBICOM
Wireless Security Workshop 2002.S. Buchegger and J. Y. Le Boudec,
“Nodes Bearing Grudges: Towards Routing Security, Fairness and
Robustness in Mobile Ad Hoc Networks”, 10th Euromicro Workshop on
Parallel, Distributed and Network-based Processing 2002.S.
Bandyopadhyay et al., “A Game-Theoretic Analysis on the Conditions
of Cooperation in a Wireless Ad Hoc Network”, 2005.J. Cai, U.
Pooch, “Allocate Fair Payoff for Cooperation in Wireless Ad Hoc
Networks Using Shapley Value”, Proceedings of the 18th
International Parallel and Distributed Processing Symposium (IPDPS
2004)Haijin Yan and David Lowenthal, “Towards Cooperation fairness
in Mobile Ad Hoc Networks”, WCNC 2005.
Thank you!
/ColorImageDict > /JPEG2000ColorACSImageDict >
/JPEG2000ColorImageDict > /AntiAliasGrayImages false
/DownsampleGrayImages false /GrayImageDownsampleType /Bicubic
/GrayImageResolution 600 /GrayImageDepth -1
/GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages false
/GrayImageFilter /DCTEncode /AutoFilterGrayImages true
/GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict >
/GrayImageDict > /JPEG2000GrayACSImageDict >
/JPEG2000GrayImageDict > /AntiAliasMonoImages false
/DownsampleMonoImages false /MonoImageDownsampleType /Bicubic
/MonoImageResolution 600 /MonoImageDepth -1
/MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages false
/MonoImageFilter /CCITTFaxEncode /MonoImageDict >
/AllowPSXObjects false /PDFX1aCheck false /PDFX3Check false
/PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true
/PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ]
/PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [
0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile ()
/PDFXOutputCondition () /PDFXRegistryName (http://www.color.org)
/PDFXTrapped /Unknown
/Description >>> setdistillerparams>
setpagedevice
