ASRPAKE: AN ANONYMOUS SECURE ROUTING PROTOCOL WITH AUTHENTICATED KEY EXCHANGE FOR WIRELESS AD-HOC NETWORKS

Xiaodong Lin, Rongxing Lu, Haojin Zhu, Pin-Han Ho, Xuemin Shen, Zhenfu Cao


WINC- Paper Summary


OUTLINE

• Problem Statement
• Motivation
• Main Contribution
• Paper Details
• SLOW
• Summary


PROBLEM STATEMENT

In a MANET, the network is very dynamic and there is no fixed infrastructure, and each node is a host and a router at the same time.

In this environment, nodes may not have sufficient protection from malicious attacks.

So providing security and anonymity in such an environment is not a straightforward task.


MOTIVATION

Because establishing an anonymous secure route in a MANET is not as trivial as it is in a wired network. Why?

To protect the network from the snare attack. What is the snare attack? How harmful could it be?


MAIN CONTRIBUTION

Providing an anonymous route between source and destination by integrating authenticated key exchange mechanisms into the routing algorithm design.


ANONYMOUS AUTHENTICATED KEY AGREEMENT PROTOCOL

• Group authentication mechanism, where the verifier can be convinced that the message was signed by one member of a certain group

• A node needs to authenticate a message that came from a certain group

• Any node can sign the message on behalf of a set of members including itself


RING AUTHENTICATION ALGORITHM (TERMINOLOGY)

Elliptic curve (E): $y^2 = x^3 + ax + b \pmod p$, where $4a^3 + 27b^2 \neq 0 \pmod p$, over $Z_p$

• p is a large prime number

• $E(Z_p)$ is the group formed by the set of solutions $(x, y) \in Z_p \times Z_p$

• A generator point $P = (x_P, y_P)$ whose order is a large prime number over $E(Z_p)$

• So a subgroup G over $E(Z_p)$ is constructed


Signers $U = \{U_1, U_2, \ldots, U_n\}$

• Have private keys $X = \{x_1, x_2, \ldots, x_n\}$, $x_i \in Z_q^*$

• Have public keys $Y = \{x_1 P, x_2 P, \ldots, x_n P\}$

• Choose a secure hash function $H: G \times G \to Z_q^*$


RING AUTHENTICATION ALGORITHM (RING SIGN ALGORITHM)

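1- $R_i = a_i P$

2- Choose random $a \in Z_q^*$

3- Compute $R_u = aP - \sum_{i=1, i \neq u}^{m} H(xP, R_i)\, Y_i$; if $R_u = O$ or $R_u = R_i$ for some $i \neq u$, go to step 2, else go to step 4

4- Compute $\sigma = a + \sum_{i=1, i \neq u}^{m} a_i + x_u H(xP, R_u) \bmod q$

5- Signature of $xP$ → $(R_1, \ldots, R_m, Y_1, \ldots, Y_m, \sigma)$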


RING AUTHENTICATION ALGORITHM (VERIFIER SIGN ALGORITHM)

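1- Compute $h_i = H(xP, R_i)$ for all $1 \le i \le m$

2- Check the equation $\sigma P = \sum_{i=1}^{m} (R_i + h_i Y_i)$

Proof:

$$
\begin{aligned}
\sum_{i=1}^{m} (R_i + h_i Y_i) &= R_u + h_u Y_u + \sum_{i=1, i \neq u}^{m} (R_i + h_i Y_i) \\
&= aP - \sum_{i=1, i \neq u}^{m} h_i Y_i + h_u Y_u + \sum_{i=1, i \neq u}^{m} (R_i + h_i Y_i) \\
&= aP + h_u Y_u + \sum_{i=1, i \neq u}^{m} R_i \\
&= aP + h_u x_u P + \sum_{i=1, i \neq u}^{m} a_i P \\
&= \Big(a + h_u x_u + \sum_{i=1, i \neq u}^{m} a_i\Big) P = \sigma P
\end{aligned}
$$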


RING AUTHENTICATION ALGORITHM (ANONYMOUS AUTHENTICATED KEY AGREEMENT PROTOCOL)

Alice                                          Bob

xP
      ---- xP, R1, …, Rm, Y1, …, Ym, σ ---->
                                               yP
      <--- yP, R1, …, Rm, Y1, …, Ym, σ -----

k = x(yP)                                      k = y(xP)
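The ring sign and verify steps above, together with Bob's side of the key agreement, as an added Python example that is not code from the paper or from these slides. It assumes secp256k1 as the group G and SHA-256 as H (the slides name neither); `responder_key` and the other function names are hypothetical.

```python
import hashlib, secrets
# Added illustration. Assumptions: group G = secp256k1, H = SHA-256 mapped into Z_q*.
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None  # point at infinity

def add(A, B):
    if A is O or B is O: return B if A is O else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return O
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add; not constant time, illustration only
    R = O
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return O if A is O else (A[0], -A[1] % p)
def rand(): return secrets.randbelow(q - 1) + 1              # uniform in Z_q*
def H(M, R):                                                 # H: G x G -> Z_q*
    return int.from_bytes(hashlib.sha256(repr((M, R)).encode()).digest(), "big") % (q - 1) + 1

def ring_sign(M, Y, u, x_u):  # member u signs point M (e.g. xP) for ring keys Y
    a_i = {i: rand() for i in range(len(Y)) if i != u}
    R = {i: mul(a, P) for i, a in a_i.items()}               # step 1: R_i = a_i P
    while True:
        a = rand()                                           # step 2
        Ru = mul(a, P)                                       # step 3: R_u = aP - sum h_i Y_i
        for i in a_i: Ru = add(Ru, neg(mul(H(M, R[i]), Y[i])))
        if Ru is not O and Ru not in R.values(): break
    R[u] = Ru
    sigma = (a + sum(a_i.values()) + x_u * H(M, Ru)) % q     # step 4
    return [R[i] for i in range(len(Y))], sigma              # step 5 (Y is sent alongside)

def ring_verify(M, Rs, Y, sigma):  # accept iff sum_i (R_i + h_i Y_i) == sigma P
    acc = O
    for Ri, Yi in zip(Rs, Y):
        acc = add(acc, add(Ri, mul(H(M, Ri), Yi)))
    return acc == mul(sigma, P)

def responder_key(xP, Rs, Y, sigma, y):  # Bob: derive k = y(xP) only if xP is ring-signed
    return mul(y, xP) if ring_verify(xP, Rs, Y, sigma) else None
```

Because the signature covers xP, a peer that substitutes its own ephemeral point is rejected by `ring_verify`, while the verifier still learns only that some ring member signed.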


SECURE ROUTING PROTOCOL

System Formulation

Local neighborhood table:
Neighbor Address | Session Key | Life Time

Local route table:
Rt_sequence | Dest_id | Ancestor | Successor | Life Time

Description of Protocol

1. The key pre-distribution phase
2. Neighborhood discovery phase
3. Route discovery phase
4. The route reverse phase
5. Data forwarding phase


SECURE ROUTING PROTOCOL: KEY DISTRIBUTION PHASE

Offline security manager (SM) for identity check and private key redistribution

<G1, G2, ê, q, G, P_pub, H1, S_IDA>, where

• G1: an additive group of prime order q
• G2: a multiplicative group with the same order
• ê: G1 × G1 → G2 is the bilinear pairing
• H1: {0,1}* → G1 (hash function)
• s is the master key; P_pub = sG (public key for SM)
• ID_A is the ID of A; Q_IDA = H1(ID_A); S_IDA = s·Q_IDA


SECURE ROUTING PROTOCOL: NEIGHBOR DISCOVERY PHASE

A → * : n1, xP

N1 → A : n2, yP, R'1, …, R'm, Y'1, …, Y'm, σ', MAC_sk(N1_addr||n1||n2)

A → N1 : R1, …, Rm, Y1, …, Ym, σ, MAC_sk(A_addr||n1||n2); sk = xyP

If authentication succeeds, the entries |A_Addr|xyP|TN1| and |N1_Addr|xyP|TA| are inserted in the neighborhood tables of A and N1.


SECURE ROUTING PROTOCOL: ROUTE DISCOVERY PHASE

Step 1

• S generates its unique sequence number src_seq#
• rt_seqno = H(S_Addr||src_seq#)
• Select a random number a ϵ [1, p-1] to compute g^a and H(g^a||K_SD||0)
• K_SD = ê(H(ID_D), S_IDS), where H(.) is a cryptographic hash function
• Then the source S makes M_S such that M_S = [ID_S, ID_D, g^a, H(g^a||K_SD||0)]
• ID_D: real identity of D; ID_S: real identity of S
• Cs=E(EID MS); using an IBE scheme
• ARREQ = <rt_seqno, HopCount, C_S>


In the end, S adds the entry |rt_seqno|ID_D|N/A|?|TS|

• First field: records the route sequence number
• Second field: records the real identity of the destination
• Third field: upstream node (not applicable in the source)
• Fourth field: downstream node
• Fifth field: the timer of the route


Step 2: Upon receiving ARREQ

• Check whether it is from one of the node's trusted neighbor nodes, based on its sender's address (Reject | Accept).
• Check for a duplicate ARREQ.
• Check whether the node is the destination by decrypting C_S with the private key of the node. If the result is meaningful, the node is the destination.
• If not, broadcast the ARREQ after checking that (HopCount--) ≥ 0.


Step 2 (continued)

• If the node is the receiver, it parses ID_D, g^a, H(g^a||K_SD||0)
• K_SD = ê(H(ID_D), S_IDS) = ê(H(ID_S), S_IDD), so the destination authenticates the source S.


SECURE ROUTING PROTOCOL: ROUTE REVERSE PHASE

Step 1

• D makes M_D = [ID_S, ID_D, g^b, H(g^b||K_SD||1)]
• C_D = E_IDS(M_D)
• ARREP = <rt_seqno, C_D, MAC_KDIn(rt_seqno, C_D)>
• SK_SD = (g^a)^b


Step 2

• Any node that receives the ARREP checks the MAC.
• It searches for rt_seqno; if found it continues, else it stops.
• It looks up the upstream (next) node in the route table and creates a new hash for the sequence number, which is encrypted.
• Then it forwards the message to the next node.


Step 3

• When the sender receives the message, it checks the MAC.
• Then it checks the rt_seqno; if found it continues, else it stops.
• In the entry found, S updates the successor field along with the timer field.
• Then it uses its private key to decrypt the message and parse ID_D, g^b, and H(g^b||K_SD||1), which must be equal to H(g^b||ê(H(ID_D), S_IDS)||1).


SECURE ROUTING PROTOCOL: DATA FORWARDING PHASE

• S begins to send data to D.
• It uses the session key to encrypt the data.
• It examines the route table to find the downstream node.
• It encrypts rt_seqno with the session key between it and the downstream node (RI) and calculates a MAC of the message using the same key.
• And it sends (RI, C, MAC_KSI1(C)).


SNARE ATTACK: VERY IMPORTANT NODE (VIN)

A node may be compromised, and the compromised node may then be used to lure a VIN into communicating with it. The adversary can then easily intercept and eavesdrop on any transmission in the network, and so may identify the physical location of the VIN by analyzing some routes. How can we solve this problem?


DECOY MECHANISM: VERY IMPORTANT NODE (VIN)

Decoy: a person or device used as a source of distraction.

• In a MANET, several nodes can serve as decoys in order to protect the VIN.
• The VIN chooses n nodes to be decoys D1 to Dn.
• Each decoy shares a secret key with the VIN.
• When the VIN (V) receives a request from a legitimate user S, V may randomly choose one decoy Di to answer this request and asks Di to establish an active route corresponding to the request.


To do that:

• M_V = [ID_S, ID_V, g^b, H(g^b||K_SV||1)]
• SK_SV = g^ab
• DRREP = <E_Si(ID_Di, ID_S, rt_seqno, M_V, SK_SV), HopCount>
• Any decoy node will try to decrypt it with its session key.
• After receiving the DRREP, the decoy node encrypts M_V with the source's public key.
• Then it forms ARREP = <rt_seqno, C_V, MAC_KDIn(rt_seqno, C_V)>


ANONYMITY AND SECURITY ANALYSIS

First, ASRPAKE maintains the end-to-end anonymity of a route provided that not all the intermediate nodes along the route are in collusion.

Second, we can examine the security of ASRPAKE in terms of the following mechanisms:

• Known session key security
• Forward secrecy
• No key compromise impersonation
• No unknown key share


SLOW: STRENGTHS, LIMITATIONS, OPPORTUNITIES, WEAKNESSES

Limitations

• All the intermediate nodes must be in collusion.
• If the network was very dynamic, I think this routing table, because this scheme does not converge
• An offline security manager must exist, which is not applicable in a self-configurable network.


Strengths

• They modify the anonymous authenticated key agreement protocol to provide a security level on demand by tuning the number of chosen signing group members.
• They introduce the decoy mechanism and the snare attack.


Weaknesses

• They didn't explain how the snare attack actually route.
• They didn't justify the timer fields in the route table or neighbor table, or how they must be tuned to gain high performance.
• They didn't analyze the complexity of their algorithms, nor provide the overhead of the anonymity property w.r.t. normal routing.


Opportunities

• Improve route efficiency while preserving the security and anonymity (authors' suggestion).
• Modify the scheme to relax the assumption that all the intermediate nodes are in collusion.


SUMMARY

In this paper they have done the following:

• Proposed a ring anonymous authenticated key agreement protocol
• Then an anonymous secure routing protocol
• Then they introduced a snare attack and proposed the decoy mechanism to defend against this attack


REFERENCE

ASRPAKE: An Anonymous Secure routing protocol with authenticated key exchange for wireless ad-hoc networks
