1 / 31

Securing Ad Hoc Network Routing Protocols

Securing Ad Hoc Network Routing Protocols. Yih-Chun Hu. April 24, 2008. Attacks Against Routing. Attacker causes packets normally routed through itself to instead use a worse route Example: Fail to advertise a route Attacker receives a packet for forwarding but instead discards it

christopher-wolf
Télécharger la présentation

Securing Ad Hoc Network Routing Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Ad Hoc Network Routing Protocols Yih-Chun Hu April 24, 2008

  2. Attacks Against Routing • Attacker causes packets normally routed through itself to instead use a worse route • Example: Fail to advertise a route • Attacker receives a packet for forwarding but instead discards it • Example: Save own bandwidth or CPU time • Attacker causes packets normally routed elsewhere to instead go through itself • Example: Claim good routes to far-away nodes

  3. Normal Distance Vector Routing • In normal Distance Vector routing, each node maintains a routing table: Example table at A: A B C D

  4. Normal Distance Vector Routing • Computed using Distributed Bellman-Ford: • Each node periodically broadcasts routing table • For each routing table entry received, compare best known route with newinformation To D: 3 hops via B E 2 X X A B C D E D is 1 hop away

  5. Distance Fraud Attack • A very strong attack against distance vector • Attacker claims very short routes to entire network • Disconnects large portions of the network C J G A K S E D B H F

  6. SEAD Threat Model • Attacker cannot replay messages in entirety: • Equivalent to “wormhole” attack • Attackers compromise some network nodes: • Best security if only one node is compromised • Or, if compromised nodes don’t collaborate • Goal: Prevent attackers from affecting routes to non-compromised nodes

  7. My Solution: SEAD To solve distance fraud, authenticate distances For each destination D: • To claim distance m, need authenticator aD,m • Attacker can’t reduce distance m • Next hop can derive its authenticator aD,m+1 • Authenticators should be efficient to verify aD,2 aD,1 aD,0 A B C D

  8. C1 = H(C0) Building Blocks: Hash Chains • Uses a one-way hash function H:{0,1}*→{0,1}ρ • Pick a random C0 • Compute each chain value Ci = Hi(C0) C0

  9. C2 = H(C1) Building Blocks: Hash Chains • Uses a one-way hash function H:{0,1}*→{0,1}ρ • Pick a random C0 • Compute each chain value Ci = Hi(C0) C0 C1

  10. C1 C3 = H(C2) =H(C0) Building Blocks: Hash Chains • Uses a one-way hash function H:{0,1}*→{0,1}ρ • Pick a random C0 • Compute each chain value Ci = Hi(C0) C0 C2 =H(C1) • Given any authentic chain value Ci: • Can compute later values Cj for j > i • Can efficiently verify all values Cj • Hard to generate earlier values Cj for j < i

  11. Hash Chains for Distance Authentication

  12. C0 C1 C2 C3 Distance Authentication Details • Distance vector protocols define a maximum distance k • Each node D: • Generates a hash chain k+1 values long • Distributes ck to allow verification • Then authenticator aD,i = ci • Conceptually change hash chains frequently Distance 0 Distance 1 Distance 2

  13. SEAD Stops (Most) Distance Fraud • Everyone knows C3 • Source D announces C0 for distance 0 • Neighbor C announces C1 fordistance 1 • Attacker B can’t announce lower distance! D C B Distance 0 Distance 1 Distance 2 C0 C1 C2 C3

  14. SequenceNumbers First proposed in DSDV for loop-freedom: • Each node maintains a sequence number • Each node increments its sequence number each time it sends an update about itself • An advertised route is “better” if either: • Has a higher (more recent) sequence number • Sequence numbers equal, and distance is shorter • SEAD also gets loop-freedom, plus a guarantee of fresh distance information

  15. Distance 0 Distance 1 Distance 2 Sequence 3 Sequence 1 Sequence 0 Securing Sequence Numbers • Each node generates a hash chain and distributes the last element (C12) for verification • Each sequence number has 3 hash chain values: • Within a sequence number: • C{0,3,6,9} represent distance 0 • C{1,4,7,10} represent distance 1 • C{2,5,8,11} represent distance 2 • In our example, maximum distance is 3 Sequence 2 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12

  16. Distance 0 Distance 1 Distance 2 Sequence 3 Sequence 1 Sequence 0 SEAD Stops (Most) Distance Fraud • Source D announces C3 for distance 0 sequence 2 • Neighbor C announces C4 fordistance 1 sequence 2 • Attacker B can’t announce lower distance! • Due to inherent flooding, useless to announce lower distance with lower sequence number D C B Sequence 2 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12

  17. SEAD Neighbor Authentication Use any efficient, secure neighbor authentication, or can also use all-pairs O(n2) keys for authentication: • Each node maintains a neighbor table • Node A adds node B when A hears a distance 0 advertisement for B with fresh sequence number • Triggers A’s advertisement, for which B hears a distance 0 advertisement for A • A and B now include symmetric authenticators(e.g., HMAC) for each other in each update • Stop after missing 3 consecutive sequence numbers

  18. SEAD Loop-Freedom SEAD is loop-free unless attacker is in the loop Correctness argument: • Suppose there is a loop • The (sequence number, distance) always gets strictly better at the next hop unless: • The next hop is an attacker, or • The attacker forged the next-hop in the routing update • But each next-hop is authenticated • Therefore, the loop either terminates or there is an attacker in the loop

  19. Simulation Methodology • ns-2 simulator with Monarch wireless extensions • Random waypoint mobility model • 20 sources, 4 packets per second per source • 10 different simulation runs at each pause time • Under attack by a single attacker: • DSDV: attacker claims distance 0 everywhere • SEAD: attacker performs same distance fraud 700m×700m 50 nodes

  20. Packet Delivery Ratio: SEAD vs DSDV

  21. Other Approaches to Secure Routing • Hop-by-hop authentication (verifies identity of neighbor, but neighbor give any distance)[Kumar], [Baker and Atkinson], [Malkin] • Limit routes based on full knowledge of original wired network topology [Smith et al.] • SAODV secures hop count with a hash chain, but uses a new chain for each sequence number, and uses expensive digital signatures

  22. Remaining Problems in SEAD • “Same Distance” Fraud: • Attacker replays distance and authenticator • Solution: Bind forwarding node to authenticator • Denial-of-Service attack: • Claim a very high sequence number • Solution: One chain per sequence number • Larger metric spaces: • Verifying even one sequence number may be expensive (e.g., latency or policy metrics) • Solution: Cheaper hash chain traversal

  23. Bind Authenticator to Forwarding Node For each destination D and distance m: • Split the single authenticator aD,m into many node-specific authenticators • For each possible forwarding node F, there exists an associated authenticatoraD,m,F Properties of node-specific authenticators: • Attacker can’t replay another node’s authenticator • Next hop can derive its authenticator for distance m+1

  24. Building Blocks: Hash Trees • Merkle Tree allows authentication of a collection of values given a single authentic value: Distribute root to all verifiers P = H(L || R) b’i = H(bi) bi

  25. b0 b0 ’ ci ci+1 Hash Chain: b01 b1 ’ b1 Hash Tree Chain: ci+1 ’ b2 b2 b23 ci ’ b3 b3 Hash Tree Chains • I developed the hash tree chain: b’j = H(bi) bj = H(ci|| j)

  26. ’ b0 Distance 0 Distance 1 b0 ’ b0 b0 b0 b0 b1 ’ ’ ’ Distance 0 Distance 1 Distance 2 b1 b01 b01 b1 b1 b1 b1 ’ ’ c0 c1 c2 b23 b23 b2 b2 b2 b2 ’ ’ b23 b23 b3 b3 b3 b3 Using Hash Tree Chains • One step in the chain corresponds to a distance • Each bi corresponds to a forwarding node • Attacker must produce its bi to replay distance C0 C1 C2 C3 bj = H(c1|| j) bj = H(c0|| j)

  27. Remaining Problems in SEAD • “Same Distance” Fraud: • Attacker replays distance and authenticator • Solution: Bind forwarding node to authenticator • Denial-of-Service attack: • Claim a very high sequence number • Solution: One chain per sequence number • Larger metric spaces: • Verifying even one sequence number may be expensive (e.g., latency or policy metrics) • Solution: Cheaper hash chain traversal

  28. Skipchains • We want to efficiently skip over many elements of a hash chain • Suppose you had an efficient, chained one-time signature scheme • Each step in the chain allows you to sign one value • Intuition: • Each step represents a length n segment of hash chain • Sign the anchor of the segment using that step

  29. Skipchains • Each vi corresponds to a length n segment of the hash chain: hi,n-1, hi,n-2, …, hi,0 where hi,j = Hn-j(vi) • Represent hash chain step k by hëk/nû,k mod n • Sign hëk/nû, 0 with vëk/nû to allow verification

  30. Received value Known authentic value Skipchain Properties • Behaves like a long one-way chain • Divides hash chain into blocks of n elements • Use signature chain to skip n steps at low cost

  31. From Generate Skipchain Properties • Behaves like a long one-way chain • Divides hash chain into blocks of n elements • Use signature chain to skip n steps at low cost

More Related