Security of AdHoc Networks

1
Security of Ad-Hoc Networks

• By
• V.G.Vinod Vydiswaran
• Amreek Singh
• Prasanna H. Kulkarni

2
What are Ad Hoc Networks?

• Networks with no fixed infrastructure
• Mobile nodes communicate within radio-range
  directly or through routers
• Node mobility implies frequent change in network
  topology.
• Rapidly deployed networks
• Relatively low cost

3
Security Goals

• Availability
• Survive despite DoS attack
• Primary concern Key management service
• Confidentiality
• Integrity
• Authentication
• Non-repudiation

4
Challenges

• Use of wireless links leads ad hoc networks
  susceptible to link attacks
• Relatively poor protection, as in battlefields
• So for high survivability, distributed
  architecture needed.
• Dynamic network topology ROUTING
• Scalable security mechanisms

5
Outline of further talk

• Scalability considerations
• How the network must be scalable
• Key Management issues
• How to generate secret keys
• How to distribute keys secretly
• Secure Routing considerations
• Issues regarding malicious intruder

6
Scalability Concerns
7

• The lack of infrastructure introduces
• Introduces vulnerability to DoS attacks in ad
  hoc networks.
• Mobility induces link breakage and channel
  errors.
• Need of scalability
• Growing commercial and military deployments of
  these networks.

8

• These issues are addressed through a localized
  trust model.
• Where the functionality of security is
  distributed over all networking nodes.
• And nodes collaboratively secure the whole
  system.

9

• Related works (Kerberos and X.509)
• They too use CA.
• They gain popularity but they does not work well
  with large networks.
• Problems
• The cost of maintaining large centralized servers
  may be high.
• The CA servers are inviting targets of malicious
  attacks.
• Multihop communication over the error prone
  wireless channel exposes the data transmission to
  high loss rates.
• It may cause severe wireless channel contention
  around the CA servers.

10

• Localized trust model
• Assumptions made
• Communication between one hop neighboring node is
  considered to be more reliable than multi-hop
  communication.
• Each node has atleast K-one hop legitimate
  neighboring nodes.
• Each node is equipped with some local mechanism
  to identify misbehaving nodes among its one hop
  neighborhood.

11
Localized Trusted Model

• An entity is trusted, if any K trusted
  neighboring entities claim so.
• A locally trusted entity is globally accepted.
• A locally distrusted entity is regarded as
  untrustworthy anywhere.
• Two imp parameters K Tcert
• Two options to set K
• Set it as globally fixed parameter
• Set it as location dependent.

12

• This uses certificate based authentication
  approach.
• Each node ID is associated with
• lt PKi , SKi gt
• Each node carries a certificate signed with SKi.
• PK is assumed to be well known for certificate
  verification.
• Nodes without valid certificates are treated as
  adversaries and denied from access to any network
  such as pkt forwarding or routing.
• When a new mobile node moves to a new location,
  it exchanges certificate with its new neighbors.
• Authenticated nodes help each other forward and
  route pkt.

13
Localised certification services

• Certificates are stamped with expiration time.
• What happens when node Vi requests new
  certificate.
• Vj returns a partial certificate by applying its
  share of SK.
• By collecting K partial certificates, Vi combines
  them and makes its full certificate. As if it
  were from CA.
• Nodes with valid certificates are globally
  trusted.
• Adversaries are effectively isolated and their
  impact on the overall network is localized.

14
Self initialization in Traditional approach

• At bootstrapping phase of the network.
• A dealer sends each node its share of the SK.
• New nodes can anytime join, so dealer should be
  online to handle.
• This compromises with system robustness and
  security
• The dealer would become the single point of
  failure.

15
Self Initialization in Local Trust model

• Dealer is only responsible to initialize first K
  nodes.
• Initialized nodes initialize other nodes.
• Benefits of certification services into each
  nodes one hop locality
• Service availability and robustness against DoS
  attacks
• This models protocols are immune to unreliability
  of underlying transport layer protocols.
• By this distributed approach system maintenance
  overhead is balanced over the network.
• And hot spots of congestion are avoided.

16

• K-bounded coalition offsetting technique
• Node Vi chooses a coalition of K nodes, typically
  from its one hop neighborhood.
• Vi broadcasts the request to K nodes, together
  with the node ID of these K nodes.
• Node Vj from set B generate a partial certificate
  and finally sends it.
• Upon receiving K partial certificates from set B
  node Vi combines them together to generate
  candidate certificate.
• Finally Vi applies K-bounded coalition offsetting
  to recover new certificate.
• One broadcast request and k unicast responses.

17

• Drawback in algorithm
• If any node from B fails or moves out.
• All other partial certificates are useless.
• Vi has to start the whole process again.

18

• An Optimization Dynamic coalescing
• Certification from any K nodes in the
  neighborhood, instead of being specified by Vi.
• Rest all is same.

19

• Important issues
• Information that Vj keeps of Vi.
• Records of Vj concerned Vi.
• If Vj s record does not provide enough info for
  Vi.
• May be they meet first time
• Two approaches
• Serve Vi s request prb roaming adversaries
• Discard request prb unfare to legitimate
  nodes.

20

• Complete Shuffling
• Vi wants to join the network
• Vj decides to serve
• But it is unsecure for node Vj to return its
  share directly to Vi.
• Nodes in B completely shuffle their indvidual
  partial shares.
• Each pair in B securely exchanges a shuffling
  factor Di,j.
• One adds this share and another subtracts this
  share.
• For node Vj there are K-1 shuffling factors, and
  it must apply all of them.

21

• Implementation Issues
• Design can be implemented in any layer above MAC
  layer.
• Application layer is good for several reasons
• Modifications to lower layer protocols are
  avoided.
• Can also achieve maximal independency of the
  underlying network.

22
Key management
23
Primary Features

• Lack of infrastructure too harsh
• We assume Public key infrastructure
• Certification Authority
• Needs to stay on-line
• Studied replication to increase availability
• Use of distributed trust among group of servers
• Use of Digital Signatures

24
Encrypted Key Exchange

• Derive strong shared key from weak shared key
• Desired properties
• Forward Secrecy
• Contributory Key Agreement
• Tolerance to disruption attempts

25
ELE ( Contd..)

• Protocol
• 2-party
• Non-contributory multiparty
• Contributory multiparty
• Drawback
• E must be random
• Active attacker chooses E such that Msg.2 is
  prone to Dictionary Attack

26
Diffie-Hellman Key Exchange

• Protocol
• 2-party
• Multi-party
• Efficient Implementation
• Use of d-cube

27
Eliminating Centralized CA

• Emulate central CA distributed over several nodes
• Key Management Service
• Totally distributed architecture
• Works from weaker to stronger shared keys
• Works only if one password already shared
• Self-organizing public key infrastructure
• Decentralized PEM, PGP,

28
Key Management Service

• Primary tier of servers
• Service has one private/public key pair
• Each server has its own private/public key pair
• Each server giving one share of service private
  key
• The private key can also be changed periodically

29
Public key distribution for Self-Organizing
Systems

• Certificates stored and distributed by users
• If A believes that given public key is indeed
  Bs, A issues public key certificate to B
• Construction of Trust Graphs
• Merging graphs to find path from C to D, if C
  wants certificate of D
• Efficient Shortcut Hunter algorithm

30
Future scope

• Use of smart cards for tamper-resistant
  information storage
• Dynamic routing information storage still a
  problem
• Only node contributing to the benefit of
  community allowed to use network

31
Secure Routing
32
Secure Routing

• Basic Assumptions
• The underlying data link layer provides reliable
  transmission on a link basis
• Links are bidirectional
• A one-to-one mapping between Medium Access
  Control and IP address exists
• each transmission is received by all neighbors,
  which are assumed to operate in promiscuous
  (random) mode.

33
Basic Terminology

• Source S
• Destination T
• Message Authentication Code (MAC)
• Shared Key ( KS,T )
• Route Request QS,T n1, n2, , nk
• Route Reply RS,T n1, n2, , nk

34
Sample Network
Fig Example Topology S wishes to discover route
to T in presence of two malicious nodes M1 and M2
35
Scenarios

• Scenario 1
• M1 receives QS,T S, it attempts to mislead S
  by generating RS,T S, M1, T
• M1 does not have KS,T , so cannot generate valid
  MAC
• False reply packet --- discarded by S
• Scenario 2
• M1 discards request packets arriving from its
  neighbors, e.g. from node 1.

36
Scenarios

• Scenario 3
• M1 sees QS,T S,1,M1
• T generates reply for QS,T S,1,M1,5,4,T
• M1 receives RS,T S,1,M1,5,4,T
• It tampers with its contents and relays RS,T
  S,1,M1,Y,T --- Y is any invented sequence of
  nodes
• Scenario 4
• M1 sees QS,T S,2,3
• It corrupts accumulated route to QS,T S,X,3,M2
  
• Reply over T, M2,3,X,S ---X is invalid IP

37
Scenarios

• Scenario 5
• In order to consume network resources, M1 replays
  route requests
• Query identifiers recorded at intermediate nodes
  (Query Sequence Number)
• Scenario 6
• M1 observes few route requests from S and
  fabricates several queries with subsequent query
  identifiers
• Goal is to make intermediate nodes store these
  identifiers and discard upcoming valid
  identifiers
• Very low probability of correct guess on query
  identifiers in encrypted form.

38
Scenarios

• Scenario 7
• M1 attempts to forward QS,T S, M i.e. it
  spoofs IP address
• S would accept QS,T S, M,1,4,T route
• Scenario 8
• M1 attempts to return a number of replies, each
  with different spoofed IP address, Mi, Mi1, ,
  Mij
• This would lead S to believe that there are many
  paths to T, while actually each is controlled by
  M1
• But M1 cannot generate replies. So S safely
  discards all above packets.

39
Scenarios

• Scenario 9
• Nodes colluded during 2 phases of a route
  discovery of a single path.
• When M1 receives a route request, it tunnels it
  to M2 i.e. discover a route to M2 and send the
  request encapsulated in data packet
• Then M2 broadcasts this request with path between
  M1 and M2 falsified as QS,TS,M1,Z,M2
• T sends reply for this on S,M1,Z,M2
• M2 sends this reply message to M1 via tunneled
  path.
• M1 forwards it to S.
• Thus S thinks of a false route as a correct route.

40
SRP Header
41
SRP Header

• Query Identifier QID
• 32 bit quantity
• Used by intermediate nodes as a means to identify
  the request.
• It is generated by a secure pseudorandom number
  generator.
• Message Authentication Code MAC
• 96 bit long field
• Generated by a one-way hash function
• Inputs to hash function are
• Entire IP Header
• Route Request Packet
• Shared Key KS,T

42
SRP Header

• Type
• Depends on the type of node
• For S, it denotes that packet is Request
• For T, it denotes that packet is Reply
• Query Sequence Number Qseq
• 32 bit quantity
• Set initially at the establishment of Security
  Association
• Increases monotonically
• Cannot wrap round (connection reestablishment in
  case of wrapping round)

43
Conclusions

• Ad Hoc networks pose an interesting problem in
  networking with dynamic routing and highly
  insecure working environment
• Need of Secure, Scalable, Reliable and Efficient
  algorithms for Key management and Routing

44
Bibliography

• Securing Ad Hoc Networks L.Zhou, Z.J.Haas
• Key Agreement in Ad Hoc Networks N.Asokan,
  P.Ginzboorg
• Quest for Security in Mobile Ad Hoc Networks
  J.P.Hubaux, L.Buttyar, S.Capkun
• Providing Robust and Ubiquotous Security support
  for Mobile Ad Hoc Networks H.Luo, J.Kong, S.Lu,
  et al.
• Mitigating Routing misbehaviour S.Marti,
  T.J.Guili, K.Lai, M.Baker
• Secure Routing in Mobile Ad Hoc Networks
  P.Papadimitratos, Z.J.Haas

45
Thank You

• for your presence and patient hearing