
Efficient Security Mechanisms for Routing Protocols

Efficient Security Mechanisms for Routing Protocols. Yih-Chun Hu, Adrian Perrig, David B. Johnson Presented by Yuzheng Zhou for CSC774. Secure Routing mechanisms in MANET. Most previous secure routing mechanisms use standard digital signatures


Presentation Transcript


  1. Efficient Security Mechanisms for Routing Protocols Yih-Chun Hu, Adrian Perrig, David B. Johnson Presented by Yuzheng Zhou for CSC774

  2. Secure Routing mechanisms in MANET
     • Most previous secure routing mechanisms use standard digital signatures
     • Public key cryptography is expensive, especially for MANET.
     • Symmetric cryptography is much more efficient
     • Link state routing
     • Distance vector routing: SEAD works, but is still vulnerable to several attacks
     • This paper proposes four mechanisms addressing secure distance vector / path vector routing.

  3. Roadmap
     • Distance vector routing and attacks
     • Previous work - SEAD
     • Four mechanisms based on symmetric cryptography
       • Securing distance vector protocols
         • Hash tree chain
         • Tree-authenticated one-way chains
         • Skiplists
       • Securing path vector protocols
         • Cumulative authentication
     • Conclusion and future work

  4. Distance vector routing
     • Finds shortest paths between nodes in the network
     • Each router maintains a routing table list for all possible destinations: address / distance (metric) / first hop
     • Periodically transmits a routing update to each of its neighbor routers: sequence / distance (metric)

  5. Attacks on Distance Vector Routing
     • Advertising short distances (blackhole)
     • Claiming longer distances
     • Injecting routing loops
     • Injecting a large number of route updates

  6. Previous work: SEAD
     • SEAD (k=5, n=3)
     • Attacks
       • Same distance fraud
       • Hash chain verification as long as O(ks)
       • DoS attack for the nodes missing several routing updates

  7. Review: Merkle hash tree • To verify v2, need v3’, m01, m47, and verify

  8. Mechanism I: Hash Tree Chains
     • Prevent same-distance fraud
     • A hybrid between a hash tree and a one-way chain
     • The one-way chain property enforces that nodes cannot decrease the distance metric (as in SEAD)
     • The hash tree property is used to authenticate the node id.

  9. Hash Tree Chains (cont..)

  10. Mechanism II: Tree-authenticated one-way chains
     • Speed up authentication of received routing updates
     • O(ks) → O(k + log(s))

  11. Tree-authenticated one-way chains (cont..)
     • Use a new hash chain for each sequence number
     • All the hash chains are organized as a Merkle hash tree
     • To authenticate the anchor, follow the path to the root of the hash tree
     • To authenticate the update, use the anchor
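An added example, not code from the slides or the paper: a Python sketch of slides 7, 10 and 11, with one hash chain per sequence number, the chain anchors as Merkle leaves, and a verifier that spends at most k hashes on the chain plus log2(s) on the tree. The chain layout (element j authenticates metric j), SHA-256, the leaf/node prefixes and all names, seeds and parameters are assumptions made for illustration.

```python
import hashlib
import hmac

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def make_chain(seed, k):
    # Assumed layout: chain[j] authenticates metric j; chain[k] is the anchor.
    chain = [seed]
    for _ in range(k):
        chain.append(H(chain[-1]))
    return chain

def build_tree(anchors):
    # Merkle tree levels, leaves first; len(anchors) must be a power of two.
    levels = [[H(b"leaf", a) for a in anchors]]
    while len(levels[-1]) > 1:
        levels.append([H(b"node", *levels[-1][i:i + 2]) for i in range(0, len(levels[-1]), 2)])
    return levels

def auth_path(levels, seq):
    # Sibling hash at every level below the root.
    return [level[(seq >> d) ^ 1] for d, level in enumerate(levels[:-1])]

def verify_update(root, seq, metric, value, path, k):
    # At most k hashes to the anchor, then len(path) = log2(s) hashes to the root.
    if not 0 <= metric <= k:
        return False
    for _ in range(k - metric):
        value = H(value)
    node = H(b"leaf", value)
    for sibling in path:
        node = H(b"node", node, sibling) if seq % 2 == 0 else H(b"node", sibling, node)
        seq >>= 1
    return hmac.compare_digest(node, root)

K, S = 5, 8  # constructed parameters: chain length k, number of sequence numbers s
CHAINS = [make_chain(H(b"constructed-seed", bytes([i])), K) for i in range(S)]
LEVELS = build_tree([c[K] for c in CHAINS])
ROOT = LEVELS[-1][0]

def demo():
    path, v2 = auth_path(LEVELS, 3), CHAINS[3][2]
    return [verify_update(ROOT, 3, 2, v2, path, K),     # genuine: seq 3, metric 2
            verify_update(ROOT, 3, 3, H(v2), path, K),  # next hop raises metric to 3
            verify_update(ROOT, 3, 1, v2, path, K),     # claims shorter metric 1
            verify_update(ROOT, 4, 2, v2, path, K)]     # replayed under seq 4

print(demo())
```

The first two checks pass and the last two fail: a forwarder can hash forward to a larger metric, but cannot produce the value for a smaller metric or reuse a value under another sequence number.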

  12. MW-chains (prepare for skiplists)
     • Provides instant authentication and low storage overhead for signatures
     • This one-way chain contains a list of values (heads)
     • Between any two heads are a set of signature branches and a set of checksum branches
     • Sender uses a checksum chain that moves in the opposite direction of the signature chains, to prevent an attacker from forging an earlier message

  13. MW-chains (cont..)

  14. Mechanism III: Skiplists
     • Goal: Prevent DoS attacks, speed up hash chain authentication
     • Method:
       • Skip many steps in a virtual hash chain
       • Skipchains can be embedded inside skiplists
       • Represented by a MW-chain capable of signing enough bits to ensure security
       • A new head is chosen by hashing the head of this step
       • Anchor of this skipchain is computed
       • Sign this new anchor

  15. Skipchains

  16. Path vector routing
     • Each routing update includes a list of routers on the route
     • Choose a route with the shortest recorded route
     • Authenticate each hop the routing update has traversed as recorded in the path
     • Assure no hops were removed from that recorded path

  17. Path vector routing (cont..)
     • Traditional way of authentication:
       • Each node inserts an authenticator in the packet; the recipient individually verifies each authenticator
       • Network overhead of carrying a MAC for each node in the path
     • Cumulative authentication
       • A single MAC together with an ordered list of nodes traversed by the packet

  18. Mechanism IV: Cumulative Authentication
     • Each packet maintains a path authenticator and an address list
     • When the packet traverses a node, the node appends its address to the address list
     • The node authenticates its position by replacing the path authenticator with a MAC computed over the received path authenticator and the packet's immutable fields

  19. Cumulative Authentication (cont..)
     • Example: to authenticate packet p, each node authenticates using a MAC shared with target T
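An added example, not code from the slides or the paper: a Python sketch of the cumulative authentication described on slides 18 and 19, showing both the forwarding nodes and the check at target T, and that a removed hop, a reordered path or an altered immutable field is detected. HMAC-SHA256, the length-prefixed encoding, the source's initial authenticator, the key table and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def mac(key, *parts):
    # Length-prefix each part so field boundaries stay unambiguous.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def originate(src, key, fields):
    # Assumption: the source seeds the authenticator with a MAC over the immutable fields.
    return {"fields": fields, "path": [src], "auth": mac(key, fields)}

def forward(pkt, node, key):
    # Append own address; replace the authenticator with a MAC over
    # (received authenticator, immutable fields) under the key shared with T.
    return {"fields": pkt["fields"], "path": pkt["path"] + [node],
            "auth": mac(key, pkt["auth"], pkt["fields"])}

def verify_at_target(pkt, keys):
    # T replays the MAC chain along the claimed address list.
    path = pkt["path"]
    if not path or any(n not in keys for n in path):
        return False
    auth = mac(keys[path[0]], pkt["fields"])
    for node in path[1:]:
        auth = mac(keys[node], auth, pkt["fields"])
    return hmac.compare_digest(auth, pkt["auth"])

# Constructed sample data: the key each node shares with target T.
KEYS = {n: hashlib.sha256(b"constructed-key-" + n.encode()).digest() for n in "SABC"}
FIELDS = b"route-request|src=S|dst=T|id=7"

def demo():
    pkt = originate("S", KEYS["S"], FIELDS)
    for node in "ABC":
        pkt = forward(pkt, node, KEYS[node])
    dropped = dict(pkt, path=["S", "A", "C"])        # hop B removed from the list
    swapped = dict(pkt, path=["S", "B", "A", "C"])   # hop order changed
    edited = dict(pkt, fields=FIELDS + b"|x")        # immutable field altered
    return [verify_at_target(p, KEYS) for p in (pkt, dropped, swapped, edited)]

if __name__ == "__main__":
    print(demo())
```

The packet carries one MAC regardless of path length, and only the untampered packet verifies at T.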

  20. Conclusions and future work
     • Summary
       • Presented four new mechanisms for secure distance vector and path vector routing protocols
       • Based on symmetric cryptography
       • Use Merkle hash tree and M-W chain
     • Future Work
       • Decrease the overhead

  21. Thank you! Q & A
