1 Security for Ad Hoc Network Routing
Mar 26, 2015
1
Security for Ad Hoc Network Routing
2
Ad Hoc Networks Properties
Mobile Wireless communication
Medium to high bandwidth High variability of connection
No fixed infrastructure Participants from different administrative
entities Medium to high computation, memory Usually human user with each device
3
Key Establishment Seen So Far SSL/TLS
Assumption: browser can authenticate server’s certificate with its local CA root certificates
Large-group key distribution Assumption: each client already has a
secure connection to key distribution server Challenge in ad hoc networks: establish
keys without any prior trust relationships
4
Problem Definition Goals
Secure, authenticated communication between devices that share no prior context
Demonstrative identification: ensure to human user which other device they are communicating with
No prior context? No CAs or other trusted authorities No PKI No shared secrets No shared communication history
Problem reduces to key establishment Diffie & Hellman taught us how to share secrets…
5
Diffie-Hellman Key Agreement Public values: large prime p,
generator g Alice has secret a, Bob has secret b A B: ga mod p B A: gb mod p Bob: (ga mod p)b mod p = gab mod p Alice: (gb mod p)a mod p = gab mod p Eve cannot compute gab mod p
6
Problem: Man-in-the-middle Attack Mallory can impersonate Alice to Bob, and
impersonate Bob to Alice! A M: ga mod p
M A: gm mod p
M B: gm mod p
B M: gb mod p
Bob: (gm mod p)b mod p = gbm mod p
Alice: (gm mod p)a mod p = gam mod p
7
How Serious is MitM Attack?
Wireless communication is invisible People can’t tell which devices are connected
Neighbor can easily execute MitM attack If neighbor has a faster computer, it can easily
respond faster than the legitimate devices Easy to perform with high success rate!
8
Solution to Man-in-the-Middle Attack Authentication! Public DH values must be authenticated Topic of this lecture
Tradeoffs between security, usability, and transparency to the user
Transparency: Does the user realize she is involved in a key
establishment protocol? Does the user need to realize this?
9
Commitment Schemes
Commitment semantics: Binding Hiding
(c, d) commit( m ) m: message; c: commitment; d: opening value
It is infeasible to find d’ such that (c, d’) reveals m’ ≠ m
Example c = H( m || r ) where r is a random number d = m, r
10
Simple Protocol: String Comparison Public values: large prime p, generator g Alice has secret a, Bob has secret b A B: ga mod p B A: gb mod p Alice and Bob compute: gab mod p Alice’s and Bob’s devices display last 20 bits
of H(gab mod p) and they manually compare them (5 hexadecimal digits), if they match, they both click “ok”
11
Shortcomings of Simple Protocol First, Alice and Bob may not really
compare the strings, but simply click “ok”, how to avoid this?
Knowing ga and gb, attacker can compute gc and gd such that [H(gac )]n
= [H(gbd )]n Complexity: only O(2n/2) operations!
How to prevent this attack?
12
Secure routing in ad hoc network Here we consider DSR as a
showcase. So, we revisit the routing operations
in DSR, and show the possible attacks in these operations, and consider secure ways of preventing these attacks.
13
Dynamic Source Routing (DSR) Flooding is used for the delivery of
control packets, not data packets. The control packets are flooded to
discover routes. Then data packet is sent over the discovered path.
14
Route discovery in DSR
D
E
O
M
J
I
GA
C
F
HK
LN
B
{C}
{C}
{C}
{C}
{C}
C initiate the route discovery by flooding Route Request(RREQ).
Each node appends its id to RREQ when it forwards RREQ.
15
Route discovery in DSR
D
E
O
M
J
I
GA
C
F
HK
LN
B
{C,G}
{C,F}
16
Route discovery in DSR
D
E
O
M
J
I
GA
C
F
HK
LN
B{C,G,I}
{C,F,H}
Node K receives two RREQs. It
may choose the shorter one
(hops).
17
Route discovery in DSR
D
E
O
M
J
I
GA
C
F
HK
LN
B
{C,F,H,K}
18
Route Reply in DSR
When a destination node receives RREQ, it sends a Route Reply(RREP).
RREP is sent by reversing the route appended in the RREQ if the links are bidirectional. If links are unidirectional, the destination
node(D) may need a route discovery. In that case RREP is piggybacked on RREQ from D.
RREP contains the complete path from the sender to the destination.
19
Route reply in DSR
D
E
O
M
J
I
GA
C
F
HK
LN
B
{C,F,H,K,L}
20
Data delivery in DSR
D
E
O
M
J
I
GA
C
F
HK
LN
B{C,F,H,K,L}
Entire nodes on the path are included in the packet header.
That is why it is called source routing.
21
Data delivery in DSR
Promiscuous listening Data delivery is unicast. So packets have next
hop’s IP address and MAC address. When next hop node’s MAC layer receives a
frame, it compares destination MAC address with its MAC address. Since they do not match, MAC layer discards the frame.
To avoid it, MAC layers use the promiscuous listening. In this case, MAC layer delivers frames to its network layer regardless of matching destination address with its MAC address.
22
Attack model in DSR
Excessive Route Discovery floods
Modifying discovered routes: By dropping nodes
By altering the node list
Sending bogus ROUTE ERRORs
Failing to send ROUTE ERROR for broken route
Failing to forward packets
23
Ariadne
The solutions explained here are based on the following paper. “Ariadne: A Secure On-Demand Routing
Protocol for Ad Hoc Networks,” Y.-C. Hu, A. Perrig, A.B. Johnson, Wireless Network 11, 21-38, 2005
24
Ariadne Authentication RequirementsCan use any of three types of authentication: Pairwise shared keys:
But requires setting up O(n2) keys
Digital signatures and asymmetric key setup: But uses expensive asymmetric cryptography
Time-delayed broadcast authentication (TESLA): But requires time synchronization
Ariadne requires only one of these types: Each appropriate for different circumstances
25
ROUTE REQUEST Flooding Attack
On-demand protocols discover routes using flooding
An attacker can use this to flood the network: A solution: rate-limit Discoveries when forwarding But attacker can forge claimed Discovery initiator
X
ROUTE REQUEST “from A”
ROUTE REQUEST “from B”
ROUTE REQUEST “from C”
ROUTE REQUEST “from D”
ROUTE REQUEST “from E”
26
Excessive ROUTE REQUEST Floods Solution: Node uses a one-way hash
chain: Authenticates the true source of ROUTE
REQUEST
Disclose a new element per Discovery Each element can be used only once
27
One-Way Hash Chains
Pick random Cn and public one-way function H Ci=H(Ci+1) Infeasible to derive Ci from Cj (j<i) Efficiently authenticate Ci using Cj (j<i): Cj=Hi-j(Ci)
C1
Cn-1=H(Cn)
C0 Ci
Ci=H(C1+1)
Ci+1
C0= H(C1)
Cn-1 Cn
28
Each node uses a one-way hash function H which is known to every node.
Each node picks a random Cn which is secret value and compute each chain value Ci = Hn-i(Cn). So each node has its own hash chain.
Publicize C0 to every node like a public key.
Every time a node sends a RREQ message, it includes the next Ci starting from C0.
Using Hash Chains
29
Hop Drop Attack
Attacker can drop or alter nodes on this list
Can prevent discovery of a correct route
S A B DCS S, A S, B S, B, C
30
Initiator S and Target D share (or generate) KSD
S adds Message Authentication Codeh0 = MAC(KSD, request id) to ROUTE REQUEST
MAC can only be computed by S and D Each hop computes hi = H(node address ||
hi-1) B needs h0 to drop A but can’t derive from h1
Preventing Hop Drop
S A B DCh0 h1 h2
31
In an Ariadne ROUTE REQUEST: h0 = MAC(KSD, request id)
Target can compute h0
hi = H(node address || hi-1) Target can reconstruct each hi
Target can thus detect hop drop
Preventing Hop Drop
S A B DCh0 h1 h2 h3
32
Node List Corruption
Attacker can insert arbitrary nodes into node list
Instead of attacker’s node address
Or in addition to attacker’s node address
Can prevent discovery of a correct route
S A B DCS S,A S,A,Z S,A,Z,C
33
When using shared keys between all node pairs:
Each node F forwarding a REQUEST packet p: Computes a MAC over p using the key it shares
with the target Includes it in hi as hi = H(F || MAC(KFD,p) || hi-1) Only that F and the target can compute this
Route Authentication using Shared Keys
S A B DCh0 h1 h2 h3
34
In an Ariadne ROUTE REQUEST: As before, target can recompute h0
hi = H(F || MAC(KFD,p) || hi-1) Target can reconstruct each hi
Target can detect bogus nodes in node list
If received hi is valid, return authenticated REPLY
Route Authentication using Shared Keys
S A B DCh0 h1 h2 h3
S,A,B,C,D MAC(KSD, S,A,B,C,D)
35
Authenticating ROUTE ERRORs
Attacker could send forged ROUTE ERRORs to break good routes that are in use
Solution: Authenticate ROUTE ERRORs If using pairwise shared keys:
Authenticate ERROR to original source of packet
36
Secure Route Maintenance ROUTE ERRORs can be only an optimization:
Malicious nodes might refuse to send them To ensure Ariadne does not persistently use
non-working routes: Sources may use multipath routing Each packet is acknowledged end-to-end,
preferably using the reverse path Sender should more often choose routes that
successfully deliver packets Never fully stop using an apparently good route:
Short-term Denial-of-Service would otherwise result in permanent crippling of that route