Security of AdHoc networks

8/7/2019 Security of AdHoc networks

1/45

Security of Ad-Hoc NetworksBy

V.G.Vinod VydiswaranAmreek SinghPrasanna H. Kulkarni


2/45

2

What are Ad Hoc Networks? Networks with no fixed infrastructure

Mobile nodes : communicate withinradio-range directly or through routers

Node mobility implies frequent changein network topology.

Rapidly deployed networks

Relatively low cost


3/45

3

Security Goals Availability

Survive despite DoS attack

Primary concern: Key management service

Confidentiality

Integrity

Authentication

Non-repudiation


4/45

4

Challenges Use of wireless links leads ad hoc

networks susceptible to link attacks

Relatively poor protection, as inbattlefields

So for high survivability, distributed

architecture needed. Dynamic network topology : ROUTING

Scalable security mechanisms


5/45

5

Outline of further talk Scalability considerations

How the network must be scalable

Key Management issues

How to generate secret keys

How to distribute keys secretly

Secure Routing considerations

Issues regarding malicious intruder


6/45

Scalability Concerns


7/45

7

The lack of infrastructure introduces

Introduces vulnerability to DoS attacks in

ad hoc networks. Mobility induces link breakage and channel

errors.

Need of scalability Growing commercial and military

deployments of these networks.


8/45

8

These issues are addressed through alocalized trust model.

Where the functionality of security isdistributed over all networking nodes.

And nodes collaboratively secure the whole

system.


9/45

9

Related works (Kerberos and X.509)

They too use CA.

They gain popularity but they does notwork well with large networks.

Problems The cost of maintaining large centralized servers

may be high.

The CA servers are inviting targets of maliciousattacks.

Multihop communication over the error pronewireless channel exposes the data transmission tohigh loss rates.

It may cause severe wireless channel contentionaround the CA servers.


10/45

10

Localized trust model

Assumptions made Communication between one hop neighboring

node is considered to be more reliable than multi-hop communication.

Each node has atleast K-one hop legitimateneighboring nodes.

Each node is equipped with some localmechanism to identify misbehaving nodes among

its one hop neighborhood.


11/45

11

Localized Trusted Model An entity is trusted, if any K trusted

neighboring entities claim so.

A locally trusted entity is globally accepted. A locally distrusted entity is regarded as

untrustworthy anywhere.

Two imp parameters : K & Tcert Two options to set K Set it as globally fixed parameter

Set it as location dependent.


12/45

12

This uses certificate based authenticationapproach. Each node ID is associated with

< PKi , SKi >

Each node carries a certificate signed with SKi.

PK is assumed to be well known for certificateverification.

Nodes without valid certificates are treated asadversaries and denied from access to any networksuch as pkt forwarding or routing.

When a new mobile node moves to a new location,it exchanges certificate with its new neighbors.

Authenticated nodes help each other forward androute pkt.


13/45

13

Localised certification services Certificates are stamped with expiration time. What happens when node Vi requests new

certificate. Vj returns a partial certificate by applying its share

of SK. By collecting K partial certificates, Vi combines

them and makes its full certificate. As if it were

from CA. Nodes with valid certificates are globally trusted. Adversaries are effectively isolated and their

impact on the overall network is localized.


14/45

14

Self initialization in Traditional

approach At bootstrapping phase of the network.

A dealer sends each node its share of the SK.

New nodes can anytime join, so dealer shouldbe online to handle.

This compromises with system robustnessand security

The dealer would become the single point offailure.


15/45

15

Self Initialization in Local Trust

model Dealer is only responsible to initialize first K nodes.

Initialized nodes initialize other nodes.

Benefits of certification services into each nodes onehop locality: Service availability and robustness against DoS attacks

This models protocols are immune to unreliability ofunderlying transport layer protocols.

By this distributed approach system maintenanceoverhead is balanced over the network.

And hot spots of congestion are avoided.


16/45

16

K-bounded coalition offsetting technique: Node Vi chooses a coalition of K nodes, typically from its one

hop neighborhood.

Vi broadcasts the request to K nodes, together with thenode ID of these K nodes.

Node Vj from set B generate a partial certificate and finallysends it.

Upon receiving K partial certificates from set B node Vicombines them together to generate candidate certificate.

Finally Vi applies K-bounded coalition offsetting to recovernew certificate.

One broadcast request and k unicast responses.


17/45

17

Drawback in algorithm:

If any node from B fails or moves out.

All other partial certificates are useless.

Vi has to start the whole process again.


18/45

18

An Optimization: Dynamic coalescing

Certification from any K nodes in the

neighborhood, instead of being specifiedby Vi.

Rest all is same.


19/45

19

Important issues:

Information that Vj keeps of Vi.

Records of Vj concerned Vi. If Vj s record does not provide enough info for

Vi.

May be they meet first time

Two approaches Serve Vi s request : prb roaming adversaries

Discard request : prb unfare to legitimate nodes.


20/45

20

Complete Shuffling: Vi wants to join the network Vj decides to serve

But it is unsecure for node Vj to return itsshare directly to Vi. Nodes in B completely shuffle their indvidual

partial shares. Each pair in B securely exchanges a shuffling factor Di,j. One adds this share and another subtracts this share. For node Vj there are K-1 shuffling factors, and it must

apply all of them.


21/45

21

Implementation Issues:

Design can be implemented in any layerabove MAC layer.

Application layer is good for severalreasons

Modifications to lower layer protocols areavoided.

Can also achieve maximal independency of theunderlying network.


22/45

Key management


23/45

23

Primary Features Lack of infrastructure too harsh

W

e assume Public key infrastructure Certification Authority

Needs to stay on-line

Studied replication to increase availability

Use of distributed trust among group of servers

Use of Digital Signatures


24/45

24

Encrypted Key Exchange Derive strong shared key from weak

shared key

Desired properties

Forward Secrecy

Contributory Key Agreement

Tolerance to disruption attempts


25/45

25

ELE ( Contd..) Protocol

2-party

Non-contributory multiparty Contributory multiparty

Drawback

E must be random

Active attacker chooses E such that Msg.2 is proneto Dictionary Attack


26/45

26

Diffie-Hellman Key Exchange Protocol:

2-party

Multi-party

Efficient Implementation

Use of d-cube


27/45

27

Eliminating Centralized CA Emulate central CA distributed over several

nodes

Key Management Service

Totally distributed architecture

Works from weaker to stronger shared keys

Works only if one password already shared

Self-organizing public key infrastructure

Decentralized PEM, PGP,


28/45

28

Key Management Service Primary tier of servers

Service has one private/public key pair

Each server has its own private/publickey pair

Each server giving one share of service

private key The private key can also be changed

periodically


29/45

29

Public key distribution for

Self-Organizing Systems Certificates stored and distributed by

users If A believes that given public key is indeed

Bs, A issues public key certificate to B

Construction of Trust Graphs

Merging graphs to find path from C toD, if C wants certificate of D

Efficient Shortcut Hunter algorithm


30/45

30

Future scope Use of smart cards for tamper-resistant

information storage

Dynamic routing information storagestill a problem

Only node contributing to the benefit of

community allowed to use network


31/45

Secure Routing


32/45

32

Secure Routing Basic Assumptions

The underlying data link layer provides

reliable transmission on a link basis Links are bidirectional

A one-to-one mapping between MediumAccess Control and IP address exists

each transmission is received by allneighbors, which are assumed to operatein promiscuous (random) mode.


33/45

33

Basic Terminology Source S

Destination T

Message Authentication Code (MAC)

Shared Key ( KS,T )

Route Request {QS,T; n1, n2, , nk} Route Reply {RS,T; n1, n2, , nk}


34/45

34

Sample Network

Fig: Example Topology: S wishes to discover route to T in presence oftwo malicious nodes M1 and M2


35/45

35

Scenarios Scenario 1:

M1 receives {QS,T; S}, it attempts to mislead S

by generating {RS,T; S, M1, T} M1does not have KS,T , so cannot generate

valid MAC

False reply packet --- discarded by S

Scenario 2: M1discards request packets arriving from its

neighbors, e.g. from node 1.


36/45

36


M1 sees {QS,T; S,1,M1}

T generates reply for {QS,T; S,1,M1,5,4,T} M1 receives {RS,T; S,1,M1,5,4,T}

It tampers with its contents and relays {RS,T; S,1,M1,Y,T}--- Y is any invented sequence of nodes

Scenario 4: M1 sees {QS,T; S,2,3}

It corrupts accumulated route to {QS,T; S,X,3,M2}

Reply over {T, M2,3,X,S} ---X is invalid IP


37/45

37


In order to consume network resources, M1 replays routerequests

Query identifiers recorded at intermediate nodes (QuerySequence Number)

Scenario 6: M1 observes few route requests from S and fabricates

several queries with subsequent query identifiers

Goal is to make intermediate nodes store theseidentifiers and discard upcoming valid identifiers

Very low probability of correct guess on query identifiersin encrypted form.


38/45

38


M1 attempts to forward {QS,T; S, M*} i.e. it spoofs IP

address

S would accept {QS,T; S, M*,1,4,T} route

Scenario 8: M1 attempts to return a number of replies, each with

different spoofed IP address, Mi, Mi+1, , Mi+j This would lead S to believe that there are many paths

to T, while actually each is controlled by M1 But M1cannot generate replies. So S safely discards all

above packets.


39/45

39


Nodes colluded during 2 phases of a route discovery of asingle path.

When M1 receives a route request, it tunnels it to M2 i.e.discover a route to M2 and send the requestencapsulated in data packet

Then M2broadcasts this request with path between M1and M2 falsified as {QS,T;S,M1,Z,M2}

T sends reply for this on {S,M1,Z,M2} M2 sends this reply message to M1 via tunneled path.

M1 forwards it to S.

Thus S thinks of a false route as a correct route.


40/45

40

SRP Header


41/45

41

SRP Header Query Identifier QID:

32 bit quantity Used by intermediate nodes as a means to identify the

request. It is generated by a secure pseudorandom number

generator.

Message Authentication Code MAC: 96 bit long field Generated by a one-way hash function Inputs to hash function are

Entire IP Header Route Request Packet Shared Key KS,T


42/45

42

SRP Header Type:

Depends on the type of node

For S, it denotes that packet is Request For T, it denotes that packet is Reply

Query Sequence Number Qseq: 32 bit quantity

Set initially at the establishment of Security Association

Increases monotonically

Cannot wrap round (connection reestablishment in caseof wrapping round)


43/45

43

Conclusions Ad Hoc networks pose an interesting

problem in networking with dynamic

routing and highly insecure workingenvironment

Need of Secure, Scalable, Reliable and

Efficient algorithms for Keymanagement and Routing


44/45

44

Bibliography Securing Ad Hoc Networks L.Zhou, Z.J.Haas

Key Agreement in Ad Hoc Networks N.Asokan,P.Ginzboorg

Quest for Security in Mobile Ad Hoc Networks J.P.Hubaux, L.Buttyar, S.Capkun

Providing Robust and Ubiquotous Security support forMobile Ad Hoc Networks H.Luo, J.Kong, S.Lu, et al.

Mitigating Routing misbehaviour S.Marti, T.J.Guili,K.Lai, M.Baker

Secure Routing in Mobile Ad Hoc Networks P.Papadimitratos, Z.J.Haas


45/45

45

Thank You

for your presence andpatient hearing

Security of AdHoc networks

Documents

Transcript of Security of AdHoc networks