Artificial Intelligence Based Authentication Scheme

7/28/2019 Artificial Intelligence Based Authentication Scheme

1/27

Artificial Intelligence Based Authentication Scheme

for

Mobile Adhoc Networkse-mail {barani,a0r2878}@cs.tamu.edu

Baranidharan Raman Anu Ramanathan

Dept.of.Computer Science Dept. of Electrical Engg.

Texas A&M University Texas A&M Univeristy

Abstract

Our security protocol derives inspiration from the MIT-Kerberos authentication scheme in which a client

who wants to communicate with some service server, needs a session key and ticket for that particular

session. The principles of key distribution is used to provide authentication. Security of transmitted data isachieved using encryption and decryption algorithms. Here we propose to use the RSA algorithm to

generate the public and private keys for each session inorder to fulfil the needs of secure transmission.

In this project, we aim at developing a security protocol independent of the routing protocol for Mobile

Adhoc Networks with added infrastructure to facilitate the key distribution. Here, apart from the issues in

traditional wired networks, we take into consideration few more criteria like mobility of the nodes andincreased vulnerability to attacks by malicious intruders owing to a single communication channel.

The work described achieves secure initial contact between the mobile node and Key Distribution Center.

Another achievement of the proposed protocol is that the mobile nodes paying for security are assigned

authentication keys dynamically thus, overcoming the problems associated with static passwords intraditional schemes. For this purpose we use Artificial Intelligence puzzles to provide improved

authentication.

1.Introduction

Data transmission across any network is highly insecure and this necessitates the

development of a system that can authenticate communication between entities.

Authentication is not an end in itself, but rather a tool to support both integrity andauthorization. Its basic objective is to prevent fraudulent connection requests.

Ad-hoc networks, which are on the fly networks hence, are purpose specific,

autonomous, dynamic and transient. Adhoc networks support mobility of nodes andhave properties such as dynamic topologies, bandwidth-constrained variable capacity

link, power constrained operations and limited security[1]. The last property is the issueof this research project.

Survivability is a key issue to be taken into consideration in designing a security protocol.

The main problem in using traditional techniques of a centralized architecture to achievenetwork security could lead to a highly susceptible design architecture owing to the fact

that if the centralized entity is compromised, it would result in a security failure

for the entire network. Therefore, we should aim at a distributed architecture[4] .


2/27

2.Related Work

The traditional wired network routing protocols in the wired networks like RIP, OSPF

provide minimal security guarantees but the internet protocol on which the they operatenamely ipV4, ipV6 which have IPSEC(IPSecurity) as an integral feature. But when it

comes to routing protocols in the MANET like DSR, AODV, TORA assumes that the

nodes have no malicious content. So there in a lot of security concern when it comes to

comes to authenticating MANETs.

The security issues of confidentiality, availability and authentication hold well in

MANETS too. However apart from passive attacks involving eavesdropping we need totackle the problem of Denial of Service (DOS) and Distributed DOS (DDOS) and

compromised nodes. In environments where there is a centralized services are managed

by individual or replicated nodes, compromised nodes are the major threats.

Sufatrio and Lam [2] introduce a Minimal Public- Key based Authentication (Min-PKA)

for Mobile-IP which secures the registration process and makes use of Authentication-Authorization- Accounting (AAA) server nodes. This scheme uses secret

And public key based encryption and advocates necessity of multiple protocols in

securing these networks.

Fasbender et al.[3] introduce the Non-Disclosure Method(NDM) in which every Secure

Agent (SA) (node) has a public-private key pair. Suppose a source SRC wants to send its

messages to DEST it first encrypts the message using encrypts the message usingDESTs public key and then that information with SA1s public key and forwards the

packet to SA1 and the packet traverses the network through route SRC-SA1-SA2--

SAn- DEST. SA1 knows it has to forward the packet to SA2 but has no idea of location

of DEST and SAn knows the location of DEST but not SRC. This way the messages aswell as the Location information are secured.

Key Management Service introduced by Zhou and Haas [4] introduce a distributes keymanagement service to be applied to MANET. The propasal requires the knowledge of

multiple routes to destination (Routing protocols like TORA maintains such information).

The ZH proposal as it is called uses a public key- private key pairs of which the publickey is certified by the server and the private key is kept secret. The ZH also uses the

shared secret keys for establishing secure sessions. The ZH also authenticates and

encryption of sessions keys using asymmetric key pairs. In query modeThe node requests the publis key of the other nodes and in update mode it advertises its

public key.

Armando Fox and Steven Gribble [5] have implemented a security protocol based on

Kerberos called Charon where all interaction with the KDC is displaced from the client to

a proxy. Therefore, the authentication mechanism is implemented as a two-phasehandshake where the client uses Charon as a smart router to obtain information from the


3/27

KDC in the first handshake, while communication between Charon as a client from the

point of view of the KDC occurs in the second handshake.

We derive inspiration for our authentication scheme from the Kerberos authentication

scheme[6] in which a client who wants to communicate with some service server, needs

a session key and ticket for that particular session. The client obtains these from the KDC(Key Distribution Center) by sending the information (Authentication Request) about

itself, the service server it wants to communicate with, the time stamp and a random

number. The KDC responds (Authentication Response) by sending the session key,random number and time stamp, all encrypted with the public key and which can be

decrypted by the client and some more similar information (which is the servers session

private key encrypted using servers public key) which should be forwarded to theservice server and can only be decrypted with service servers public key. The client then

sends the ticket to the service center and the service server decrypts the information to get

the session key and it can use that key to communicate with the client afterwards. TheAuthentication Request and Response along with the Application Request and Response

constitute the basic Kerberos Authentication Protocol.

RSA[7] is a public-key cryptosystem developed by MIT professors: Ronald L. Rivest,Adi Shamir, and Leonard M. Adleman in 1977 in an effort to help ensure internet

security. A cryptosystem is an algorithm that converts input data into an unrecognizable

(encrypted) form and then converts it back to the original (decrypted) form. Theencryption and decryption algorithms may be in accordance with several mathematical

formulae or may be random. The challenge of public-key cryptography is developing a

system in which it is impossible to determine the private key. This is accomplishedthrough the use of a one-way function. With a one-way function, it is relatively easy to

compute a result given some input values. However, it is extremely difficult, nearlyimpossible, to determine the original values if you start with the result. In mathematical

terms, given x, computing f(x) is easy, but given f(x), computing x is nearly impossible.

The one-way function used in RSA is multiplication of prime numbers. It is easy tomultiply two big prime numbers, but for most very large primes, it is extremely time-

consuming to factor them. Public-key cryptography uses this function by building a

cryptosystem which uses two large primes to build the private key and the product of

those primes to build the public key.

In this research project we are dealing with the confidentiality of information between

sender and the receiver and scalability of the Authentication mechanism to large numberof independent Mobile Adhoc Networks

3.Protocol Design

The issue of security in Mobile Ad Hoc Networks needs to be handled more carefully as

opposed to wired networks primarily due to most nodes operating on the promiscuous

mode. The performance of a network security protocol lies in its ability to avert denial ofservice attacks. We aim to develop a reactive protocol which maintains an authenticator


4/27

key distribution center which is kept as invisible as possible to the nodes in the

MANET. We refer to this approach as Invisible KDC.

3.1 Security Goals

To provide a hierarchical security service that permits a certain category of nodes

which will be provided the secure network provision. To provide secure distribution of public and private keys.

To ensure secure communication between the nodes.

We assume that there is a Service Provider who authenticates the users who need to use

the secure network by providing a puzzle solving mechanism to each node requiring

security and also gives it a universally accepted solution which is used for encryption ofthe initial authentication requests.

3.2 Protocol Layers

We aim to develop a security protocol which is built on top of a routing protocol whichis used in Mobile Ad Hoc networks.

Fi

PHSICAL LAYER

DATA LINK LAYER

NETWORK LAYER

TRANSPORT LAYER

SECURITY LAYER

APPLICATION LAYER

Fig 1. PROTOCOL STACK


5/27

3.3 Protocol Details

The protocol employs three stages of authentication in a sequential manner which is

discussed below:

Authentication of the node Securing the Public Key

Secure communication between nodes over the MANET

3.3.1 Hierarchical Architecture of nodes in MANET

There is a 3 level hierarchy of nodes in our secure network domain. Since security comeswith a cost, it makes sense to make the willing clients pay for it while the others need not.

Depending on the security requirements we have a 2 level hierarchy of mobile nodes in

our MANET

Insecure Node

Secure Node

One of the secure nodes will be placed at a higher level in the hierarchy by becoming theKey Distribution Center (KDC). The current protocol implemented assumes that the Key

Distribution Center does not leave the MANET which is not always the case. Our future

work intends to accommodate the leave of the Key Distribution Center from theMANET. All the transactions involving secure nodes are encrypted.

3.3.2 Authentication of the node

Initially when a node requires to initiate a secure transmission, it needs to obtain a publickey from the Key Distribution Center. The KDC replies back with an Artificial

Intelligence puzzle which has multiple solutions. The puzzle is sent encrypted using auniversally distributed key which is distributed to all the secure nodes. The node who is

already authorized by the Service Provider decrypts the puzzle and solves it using the

functions provided to it and returns the computed solution which is encrypted using thesame universal encryption key. This prevents the intermediate nodes from being able to

track a puzzle and its solution.

3.3.2.1 Artificial Intelligence Puzzle

The most prominent AI puzzles like the Rubiks Cube[8], 8 Puzzle problem, 16 puzzleproblem have a specific property that there are multiple paths to the solution, through thestate space using same state space search functions. So a single puzzle solving heuristic

approach can take us to the solution through different paths across the state space. This

property is what we are exploiting in our authentication approach.


6/27

In traditional networks where security is required, every lawful user is given a login name

and password. Though the entry into the network is protected using the password, there isno efficient method to prevent this password from being hacked.

So the KDC gives the puzzle with different initial states and waits for the secure nodes to

give it the mapping function which can be used to generate the encryption key for thenode. If, by faint probability the secure node generates a key which is already in use, then

the KDC does not reply to this message, hence making the secure node send an another

mapping function.

There are several advantages to this approach. We enumerate them all of them here.

Most of the hacking that has been recorded so far in network services is through misuse

of passwords wherein, the malicious user gets to know the lawful users passwords and

uses that to gain entry into the network. In this scheme, though the mobile nodes pay forsecurity service, it does not know the encryption keys assigned to it. This takes place

dynamically.

Another advantage of this approach is that the KDC need not maintain the database ofthe keys required for secure communication thereby, as they can be obtained as when

required from the Key Distribution Center. This can enable the easy leave of the secure

node acting as KDC as no state information is maintained. However the method offinding the leave of KDC is beyond the scope of this paper.

The AI puzzle approach allows the encryption of initial authentication request messagessent to the KDC which enhances the security offered by this authentication scheme

making it more robust.

3.4 Authenticating Control Messages

There are 4 messages specific to our authentication protocol. They are

Authentication Request

Authentication Puzzle Reply

Authentication Message

Authenticating Key.

When a secure node want to send a packet to another node in the network it broadcasts an

Authentication Request Message to the KDC and waits for the KDC to process its request

with the Authentication Reply. In traditional authenticating schemes including protocolslike Kerberos[6] and Charon[5] the initial contact for authentication between the mobile

node and the Key Distribution Center is insecure, which might be acceptable for network

environments where the packets are not monitored in promiscous mode . Also the routediscovery between a node wishing to authenticate itself with the KDC is broadcast which

enables any malicious node to enter into promiscous mode and sniff the reply from the

KDC to the node requesting the encryption keys, which defeats the entire purpose of


7/27

security. So there must be some means of providing this security for the first transaction

between a node wishing authentication and the KDC i.e they must be encrypted.

Our scheme achieves this by encrypting all the messages used for authentication service

using a general solution which is made available to all the secure nodes.

Authentication Request

This is the message sent by the secure node inorder to authenticate itself with the KDC.

Authentication Reply

This is the message that comes from the KDC and contains the Authenticating Puzzle .

Fig2: Authentication of Node

Authentication Message

This is the message that is being sent by the secure node wishing to authenticate itself to

the KDC. It contains the encrypted solution to the puzzle.

Authentication Keys

Acknowledgement of the secure nodes authentication by the KDC along with the keys.

Fig 3. Securing the public and Private key

S1

N1

N3 S2

KD

C

N2Req1

Req1

Rep1Rep1

S1

N1

N3 S2

KD

C

N2Req2

Req2

Rep2Rep2


8/27

3.5 Securing the public and private key

The KDC on receiving the solution from the node, verifies if it is the correct one and

returns back the public and private keys of the node which is encrypted using the solution

sent by the node. The possibility of an intermediate node being able to snoop the public

key based on the solution is lower here due the presence of multiple solutions for acertain puzzle. This public key which is obtained by the node is used for further

communication.

3.6 Invisible KDC

The most common security threat to a centralized scheme of service as we have here isthe Denial of Service (DoS) attack. This can occur if the malicious node knows about the

whereabouts of the centralized service. So it is necessary to protect the location

information of the KDC. So we do not send the authenticating packet to address of thenode acting as KDC as it is not made available. Only the node acting as KDC knows that

it is the KDC and this information is hidden from all nodes in the network including theneighbours. The KDC identifies the broadcast packet sent to it by means of special

information added to the standard DSR Header.

3.7 Secure Communication between nodes over the MANET

Inorder to communicate with another node (B) securely, the node (A) which has been

authenticated with the Key Distribution Center will contact it to obtain the session key. If

the node (B) has not yet authorized itself with the KDC, then the KDC uses a pushmechanism to send its keys using the puzzle solving method described above. The public

key of node B is sent by the KDC to node A encrypted using As public key. This can bedecrypted by using As private key. The public key of B is in turn used to encrypt the

information which needs to be sent to node B. This can be decrypted only using the

private key of node B which is not accessible to the other nodes. The encryption anddecryption mechanism is carried out using the RSA algorithm which is discussed in the

appendix.

Fig 4: Secure Communication between nodes

S1

N1

N3 S2

KD

C

N2

EncryptedPacket

Encrypted

Packet


9/27

3.8 Handling Mobility of the KDC

We assume that initially there is a node which is elected as the KDC among the group of

nodes which require security in the network. In addition to this, all the nodes in the secure

network will run the KDC software, but will not reply to any of the AuthenticationRequests sent by incoming nodes unless it has been elected as the KDC. The present

protocol assumes that the KDC does not leave the MANET.

4. Optimizations

There are 2 optimizations that will make our protocol more efficient.

Optimization 1

We have joined the 2 phases of route request and authentication by sending a single

broadcast packet to achieve the same. This is being achieved by making both thedestination as well as the KDC reply to this broadcast.

Optimization 2

Since the initiation of the packet transfer can be delayed due to the authentication

process, we make a slight modification to traditional security schemes. We start

transmitting the packets as soon as we have a route to the destination and start encryptinga packet as soon as we get the keys. This is based on the assumption that a part of the

data transfer cannot make any sense to anyone who snoops in-between.

5. Simulation

To evaluate the performance of the security protocol, we simulated it using the Network

Simulator provided by University of California, Berkeley. The simplified version of theprotocol was implemented in Java inorder to compute the overhead involved in the

encryption scheme used in the protocol. It was observed that the average overhead due to

the RSA algorithm used for encryption and decryption of the packets sent was 3.2 timesthe size of a normal data packet. The security protocol has been implemented over DSR

as the routing protocol, though it can be built on any other routing protocol.

Our simulations were run for increasing number of nodes in the MANET for 20 seconds.

We simulate a network with N nodes where N/2 of them generate packets using a CBRsource. The odd numbered nodes send packets to the even numbered ones. The nodesinitially complete the process of authentication before they begin the transmission of

packets.

The parameters which are of interest to us to evaluate the performance of our proposed

scheme are :


10/27

(i) The increase in the packet size due to the RSA algorithm used for encryption and

decryption.(ii) The aggregate throughput of the secure network as the number of nodes is

increased.

(iii) The aggregate throughput of the network as we increase the number of nodes that

require secure data transmission while keeping the total number of nodes aconstant.

(iv) The control overhead incurred by implementing the new protocol.

As we increase the number of nodes from 4 to 50 in the network, the throughput of the

scheme drastically falls, which is shown in fig 5.

Fig 5.

The throughput obtained in packets/s for the new scheme is compared with various

schemes to understand the overhead incurred to achieve a high level of security in the

network. Table 1 shows the aggregate throughput achieved for a completely secure

network which requires all nodes to be authenticated.

NO: OF NODES DSR ENCRYPTION KERBEROS NEW SCHEME

0 0 0 0 0

4 316.2 126.2 125.5 127.5

8 318 140.5 137.85 102.7

10 319.25 156.8 143.05 77.55

12 317.55 145.65 136.07 54.8

16 312 139.7 143.2 36.75

20 283.05 120.6 112.25 27.2

30 288.35 78.3 52.95 14.05

40 252.4 56.7 29.5 8.7

50 253.55 46.3 21.1 7.15

Table 1:Comparison of Aggregate Throughput (in packets/s) of Various protocols as

the no: of nodes increases for a Completely Secure Network

Aggregate Throughput vs. No: of nodes for a

Completely Secure Network

0

100

200

300

400

0 20 40 60

No: of nodes

Aggregate

Throughputin

Packets/s

DSR

Encryption

Kerberos

New Scheme


11/27

It is expected that the throughput would be highest for the case without any

authentication and security requirements as opposed to the other schemes whichintroduce additional overhead in the form of authentication requests, replies and bigger

packet sizes owing to encryption of data. The simple encryption scheme employs mere

encryption and decryption of the packets that are sent which results in an increase in the

packet size and leads to an increase in the contention in the network, thereby causing adrop in throughput as opposed to DSR. The next scheme which we implemented was

Kerberos which uses the concept of public and private keys to authenticate nodes in a

network. This has an additional broadcast to obtain the keys from the Key DistributionCenter followed by a reply from the KDC with the keys in addition to the increase in

packet size observed in the Simple Encryption scheme. The additional broadcast and

reply increase the contention still further, which increases the number of packets droppedand throughput is expected to be lower than the Simple Encryption scheme. The main

disadvantage of this scheme is that the KDC is known to all nodes in the network and the

transmission of keys is done in an insecure manner. We overcome the problem oflocating the KDC using the concept of invisible KDC by broadcasting the authentication

request and using an invalid source address field while sending the replies from the KDC.The problem of insecure transmission is overcome in our new scheme that employs client

puzzle authentication to initially authenticate a node in the network and then sends thekeys to it. In addition to the overhead introduced in the Kerberos scheme, we have an

additional broadcast for the node which sends the puzzles solution and the final reply

with the keys for the secure session. This further adds to the contention and increase inpacket drops results which is responsible for the lower throughput.

We observe that the throughput initially increases when the no: of nodes is increased asthe link bandwidth utilization increases. But when the no: of nodes is increased still

further, the contention increases between the nodes and the throughput falls as expectedfrom IEEE 802.11. It is also observed that the new scheme has the lowest throughput

owing to the overhead involved in providing the security, while the simple encryption

scheme performs better in terms of throughput owing to a lower overhead. Therefore, thegreater the degree of security we aim to provide, the higher is the overhead incurred and

poorer is the performance in terms of throughput. So there is a trade off between the

achievable level of security and the aggregate throughput.

The next set of simulations were run for the same network with the total number of nodes

fixed at 30 and the performance was evaluated as we increase the no: of secure nodes in

the network i.e those nodes which require authentication. The results observed are shownin Fig 6 and Table 2.


12/27

Fig 6

NO: OF SECURE NODES KERBEROS NEW SCHEME

1 75.2 27.1

2 70.35 26.55

4 65.4 23.8

8 60.75 19.35

12 55.6 15.4

15 52.95 14.05

Table 2:Comparison of Aggregate Throughput (in packets/s) of Kerberos and New

Scheme as the no: of secure nodes increases

As the number of secure nodes is increased, there will be an increase in the number ofcontrol messages sent owing the broadcasts of authentication requests and replies to

client puzzles. This increases the contention for bandwidth and thereby increases the no:

of packet drops which in effect is responsible for a drop in throughput. This is observedin fig 6.

Fig 7.

Aggregate Throughput vs. No: of authenticated

nodes

0

20

40

60

80

0 5 10 15 20

No: of authenticated nodes

AggregateThrouput

inPackets/s

Kerberos

New Scheme

No: of broadcasts vs. No: of nodes for a Completely

Secure Network

0

20

40

60

80

100120

140

160

0 4 8 10 12 16 20 30 40 50

No: of nodes

No:ofbroadca

sts

Kerberos

New Scheme


13/27

Then, the control overhead incurred by the protocol is measured for the Kerberos scheme

and the New scheme. There is a significant increase in the number of broadcasts in ournew scheme as opposed to Kerberos owing to the Client Puzzle Authentication which we

have added.

6. Conclusions and Future Work

The scheme implemented here has a distinct advantage over Kerberos as it ensures that

the keys used for authentication are also delivered in a secure manner to the nodes toavoid malicious nodes from spoofing it. It is also routing protocol independent. We

observe that increasing the levels of authentication in a network is obtained at cost of

decrease in throughput. There exists a trade off between the level of security and thethroughput obtained. In this protocol, we have assumed that the KDC does not leave.

This can be improved by incorporating a leader election mechanism which can elect a

new node as the KDC when the existing one leaves and still maintain the invisibility ofthe KDC.

References

1. Signalling and Routing Security in Mobile and Ad Hoc Networks Vesa Karpijokihttp://www.hut.fi/~vkarpijo/iwork00/

2. Sufatrio & Lam, K.-Y., Scalable Authentication Framework for Mobile-IP (SAFe IP),

Internet draft, IETF, November 1999. [referred 24.3.2000]

3. Fasbender, A. et al., Variable and Scalable Security: Protection of Location

Information in Mobile IP., Mobile Technology for the Human Race,IEEE 46th Vehicular Technology Conference, 1996

4. Zhou, L. & Haas, Z., Securing Ad Hoc Networks., 1998. [referred 13.2.2000]

< http://www.ee.cornell.edu/~haas/Publications/network99.ps

5. Security On the Move: Indirect Authentication Using Kerberos Armanda Fox andSteven Gribble.

6. http://web.mit.edu/kerberos/www/

7. http://www.cyberlaw.com/rsa.html

8. R. Korf. Finding optimal solutions to Rubik's Cube using pattern databases. In AAAINational Conference, pages 700-705, 1997.


14/27

Appendix A

RSA Algorithm

The challenge of public-key cryptography is developing a system in which it isimpossible to determine the private key. This is accomplished through the use of a one-

way function. With a one-way function, it is relatively easy to compute a result given

some input values. However, it is extremely difficult, nearly impossible, to determine theoriginal values if you start with the result. In mathematical terms, given x, computing f(x)

is easy, but given f(x), computing x is nearly impossible. The one-way function used inRSA is multiplication of prime numbers. It is easy to multiply two big prime numbers,

but for most very large primes, it is extremely time-consuming to factor them. Public-key

cryptography uses this function by building a cryptosystem which uses two large primes

to build the private key and the product of those primes to build the public key.

The RSA Algorithm consists of the following steps:

The first step involved in this is the generation of two large p,q which are

relatively prime. This is used to compute the values of N ,E ,D ,PHI which are defined as

follows:

N= pq

PHI = (p-1)(q-1)

Next we find a number E (public exponent), D using the Extended Euclidean Algorithm

such that it is relatively prime to PHI and D satisfies the condition

E*D = 1 mod PHI.

The pair (N,E) is called the public key and D is called the private key. Here it is essentialthat the primes p,q are kept a secret or are destroyed. Once the keys are generated, the

next step is to compute the cipher text from the plain text message m which is done as

follows:

C = ME

mod N

The original message is recovered using the private key D

M = CD

mod N

Therefore, since only the service server has the value of D, none but the service servercan decrypt the message. Since we know that D, E are related, the algorithm will

correctly recover the original message, which happens as follows:

CD

mod n = (( ME

mod N )D

) mod N = M.

Now for an attacker to be able to find the message, it would be required to compute thevalue of p,q once N is got. But since multiplication of big prime numbers is a one-way


15/27

function, it is nearly impossible to get the private key. This algorithm reduces to

generation of the primes p,q and this is done using random numbers generated which are

tested using Fermats test for their primeness.


16/27

Appendix B

Java Simulator

A Java simulator was written to implement a simplified version of our security protocolinorder to gain a better understanding of the Encryption-Decryption mechanism and to

estimate the overhead incurred. The class files used are given below.

// Generation of Prime Numbers used to generate the Public and Private Keys

import java.io.*;import java.lang.*;

import java.util.*;

public class primeDetect

{

public static long generatePrime(){

long primesList[] = {3, 5, 7, 11, 13, 17, 19, 23, 29,

31,37,41,43,47,53,59,61,67,71,73,79,83,89,97};long primeNum=0; // The Prime Number Generated

int i;

boolean primeGen =true; // Flag that determines whether or not PrimeNumber hasbeen Generated

boolean testSucc = false;while (primeGen == true)

{

primeNum =1993+(long)( Math.random()*1997);System.out.println("Math.random()= "+Math.random());

if (primeNum % 2 ==0 )

primeNum++;

for (i=0;i


17/27

return primeNum; // Generated Prime Number

}

// Fermats Test for Prime Numbers

public static boolean fermatTest(long primeNum,long[] primesList)

{for(int i = 0;i < 24;i++)

{

if(modulus(primesList[i],primeNum-1,primeNum) != 1)return true;

}

return false;}

// Computes Large exponential computations

public static long modulus(long a, long b, long n)

{

long temp[] = new long[64];for(int i = 0; i < 64; i++)

temp[i] = 0;

temp[0] = a % n;for(int i = 1; i < 64; i++)

temp[i] = (temp[i-1] * temp[i-1]) % n;long bTemp = b;

long product = 1;

for(int i = 0; i < 64; i++){

if((bTemp & 1) == 1)

product = (product * temp[i]) % n;

bTemp = bTemp >> 1;}

return product;

}

//Computes the GCD of the 2 Numbers

public static long GCD(long u, long v)

{

long tempGCD=1,temp,rem;if(u


18/27

u=v;

v=temp;}

rem = u % v;

if(rem==0)

tempGCD=v;else

GCD(v,tempGCD);

return tempGCD;}

}

// Encrypts the Character to be sent

import java.io.*;import java.util.*;

import java.lang.*;

public class encryption{

static long n,e;

static long encrypt;

public static int encrypt(long m,long n,long e)

{encrypt=primeDetect.modulus(m,e,n);

return (int)encrypt; // Encrypted Value}

}

// Decrypts the encryted value of the character that is received

import java.io.*;

import java.lang.*;

public class decryption

{

static long n,d;

static long decrypt;

public static long decrypt(long m,long n,long d)

{decrypt=primeDetect.modulus(m,d,n);

return decrypt; //Decrypted Value

}}


19/27

Appendix C

Modifications to DSR source code (in Network simulator)

The following files in ns-2 were modified to implement the protocol: dsragent.cc

hdr_sr.h

packet.h

mobilenode.h

mobilenode.cc

Modifications made to dsragent.cc

Method : recv(

SRPacket p2(packet, srh);p2.dest = ID((Address::instance().get_nodeaddr(iph->daddr())),::IP);

p2.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP);

//if( (srh->KDC_req_rep_==4) && (p2.dest==net_id) ){

cout


20/27

iph1->saddr() = Address::instance().create_ipaddr(net_id.getNSAddr_t(),RT_PORT);

iph1->sport() = RT_PORT;cmnh1->ptype() = PT_DSR;

cmnh1->size() = size_ + IP_HDR_LEN; // add in IP header

cmnh1->num_forwards() = 0;

srh1->init();

srh->route_KDC() = 3;

srh->route_request()=1;sendOutRtReq(rrp,4);

}

// if( (srh->route_KDC()==3) && (p2.dest==net_id) ){

if( (srh->KDC_req_rep_==3) && (p2.dest==net_id) ){

cout


21/27

p1.dest = ID((Address::instance().get_nodeaddr(iph-

>daddr())),::IP);p1.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP);

cout


22/27

{

if (p.dest == net_id || p.dest == IP_broadcast){ // this packet is intended for us

/* if(cmh->next_hop_ == IP_BROADCAST) {

cout route_reply())

cout next_hop() = MAC_BROADCAST;cmnh->addr_type() = NS_AF_ILINK;

// if(srh->KDC_req_rep_ == 1)

// srh->route_request() = 0;


23/27

// cmnh->encrypted_ = sh1.packet_encrypted(); // encrypting the packets.

cout encrypted_ = sh1.packet_encrypted();

if(cmnh->encrypted_)cmnh->size_=(int)(cmnh->size_ * 3.2); // 3.2 times the

// unencrypted value

}

else

{ // forward according to source routecmnh->xmit_failure_ = XmitFailureCallback;

cmnh->xmit_failure_data_ = (void *) this;

cmnh->next_hop() = srh->get_next_addr();

cmnh->addr_type() = srh->get_next_type();srh->cur_addr() = srh->cur_addr() + 1;

// cmnh->encrypted_ = sh1.packet_encrypted(); // encrypting the packets.if(node_->is_secureNode())

cmnh->encrypted_ = sh1.packet_encrypted();

if(cmnh->encrypted_)cmnh->size_=(int)(cmnh->size_ * 3.2); // 3.2 times the

// unencrypted value

}

Method: getRouteForPacket()

//------------------------ Authentication Packet ----------------------------------

SRPacket auth_req;

//-----------------------------------

/*

Source Request Packet Generation*/

//------------------------ Authentication Packet ----------------------------------

auth_req = rrp;

// cmnh->route_KDC()=1;


24/27

if(node_->is_secureNode())

if(node_->has_authenticated() == -1) {sendOutRtReq(auth_req,4);

// node_->set_authentication();

// cout route_KDC() = 1;

//---------------------------------------------------------------------

Method:returnSrcRteForOutsideDomainToRequestor()

/------------------------ Authentication Packet ----------------------------------

// cmnh->route_KDC()=1;

cout is_KDC() == 1) {

// auth_rep = p_copy;

// hdr_sr *auth_srh = (hdr_sr*)auth_rep.pkt->access(off_sr_);new_srh->route_KDC() = 2;

cout


25/27

// hdr_sr *auth_srh = (hdr_sr*)auth_rep.pkt->access(off_sr_);

new_srh->route_KDC() = 4;cout


26/27

inline int& packet_encrypted() { return encrypted_;}

// --------------------------------------------------------------------------

}

Modification to packet.h

struct hdr_cmn {

/*

other Parameters*/

//------------------------- Modified for Kerberos ------------------------

int KDC_req_rep_;// KDC_req_rep_ = 1 for requesting Authenticating

// & getting Public Key & Private Key// KDC_req_rep_ = 2 for reply from KDC

int encrypted_;// set to 1 to indicate encrypted

//--------------------- end of Modifications.------------------------------

/*other methods

*/

//-------------------added ----------------------inline int& route_KDC(){ return (KDC_req_rep_); }

//--------------------------------------------------

}

Modifications made to Mobile Node.cc

// -------------- KDC -------------------------

else if (strcmp(argv[1],"kdcNODE") == 0) {

//base_stn_ = (MobileNode*)

//TclObject::lookup(argv[2]);kdc_node_ = atoi(argv[2]);

return TCL_OK;

}


27/27

else if (strcmp(argv[1],"secureNODE") == 0) {//base_stn_ = (MobileNode*)

//TclObject::lookup(argv[2]);

is_secure_node_ = atoi(argv[2]);

return TCL_OK;}

// --------------------------------------------------------

Modifications to Mobile Node .h

class MobileNode : public Node

{

// -------------------- KDC ---------------------inline int is_secureNode() {return is_secure_node_; }

inline void set_kdc() {kdc_node_ =1;}inline void set_secure_node() { is_secure_node_ =1; }

inline void set_authentication() { has_authenticated_ =1;}

inline int is_KDC() {return kdc_node_; }inline int has_authenticated() {return has_authenticated_; }

// --------------------------------------------------------

/*other Methods

*/

// ------------------ KDC ------------------------

int kdc_node_;int is_secure_node_;

int has_authenticated_;

// ----------------------------------------------------

};

Artificial Intelligence Based Authentication Scheme

Documents