1 / 30

A Secure On-Demand Routing Protocol for Ad Hoc Networks

A Secure On-Demand Routing Protocol for Ad Hoc Networks. Allan HUNT Wandao PUNYAPORN Yong CHENG Tingting OUYANG. Introduction. Design. Evaluation & Analysis. Related work. Critical Appraisal of the work. Agenda. Motivation. On demand Ad hoc routing protocol

ida
Télécharger la présentation

A Secure On-Demand Routing Protocol for Ad Hoc Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Secure On-Demand Routing Protocol for Ad Hoc Networks Allan HUNT Wandao PUNYAPORN Yong CHENG Tingting OUYANG

  2. Introduction Design Evaluation & Analysis Related work Critical Appraisal of the work Agenda GZ06 : Mobile and Adaptive Systems

  3. Motivation • On demand Ad hoc routing protocol • Security in Ad hoc protocols. • Attack models • General protocol • Mobility GZ06 : Mobile and Adaptive Systems

  4. Motivation (cont.) • Resource constrained devices (palm) GZ06 : Mobile and Adaptive Systems

  5. Ariadne • Ariadne Protocol • They have based there protocol on the basic operators of DSRs, on demand source routing protocol. • Basic operations of DSR are: • Route discovery • Route maintenance GZ06 : Mobile and Adaptive Systems

  6. Overview of TESLA Basic Operation of Tesla: • Uses a MAC • Picks an initial key at random Kn. • Generates a set of keys Ko – Kn using a one way Hash chain. • Delayed key discloser • For each K there is a release time. • Time synchronization • You have to pick delta to be the maximum delay error between any 2 nodes. All nodes must know this. GZ06 : Mobile and Adaptive Systems

  7. Network Assumptions • They ignore the physical layer • Networks are bidirectional • Attacks on medium access control are disregarded. • Normal network (drop, corrupt, re-order) • Ariadne inherits all assumptions of the broadcast authentication protocol used such as (TESLA). GZ06 : Mobile and Adaptive Systems

  8. Node Assumptions • Resource constrained Nodes. • No asymmetric cryptography. • Loosely synchronized clocks. • No trusted hardware used such as tamperproof modules. GZ06 : Mobile and Adaptive Systems

  9. Security Assumptions • Ariadne relies on the following keys to be set up, depending on which authentication mechanism is used: • Pairwise shared secret key. • Digital signatures. • IfTESLA is used, we assume a mechanism to set up shared secret keys between communicating nodes, and to distribute one authentic public TESLA key for each node. GZ06 : Mobile and Adaptive Systems

  10. Introduction Design Evaluation & Analysis Related work Critical Appraisal of the work Agenda GZ06 : Mobile and Adaptive Systems

  11. Attack Model • Passive • Active • An attacker injects packets into the network • An attack which has compromised nodes is called an Active-VC attacker if it owns all nodes on a vertex cut through the network that partitions the good nodes into multiple sets. • Active-n-m • Active-0-1 • Active-1-x • Active-y-x GZ06 : Mobile and Adaptive Systems

  12. General Attacks on Ad Hoc Network Routing Protocols • Routing disruption attacks • Routing loop • Black hole • Wormhole • Rushing Attack • Resource consumption attacks • Inject extra data packets • Inject extra control packets GZ06 : Mobile and Adaptive Systems

  13. Basic Ariadne Route Discovery • Stage 1 – Target verifies Route Requests • Stage 2 - Target authenticates the data in Route Requests and the sender can authenticate the Route Replies • Stage 3 - Provides a way to verify that no node is missing from the node list. • Assume initiator S performs a Route Discovery for target D. • S and D share the secret keys KSD and KDS for message authentication in each direction GZ06 : Mobile and Adaptive Systems

  14. Ariadne Route Discovery Using TESLA • A ROUTE REQUEST packet contains eight fields (ROUTE REQUEST, initiator, target, id, time interval, hash chain,node list, MAC list) • The initiator of the REQUEST then initializes the hash chain to MACKSD(initiator, target id, time interval) • The hash chain for the target node H[n,H[n-1 ,H[1,MACKSD(initiator, target id, time interval)]..]]] • A ROUTE REPLY packet also contains eight fields (ROUTE REPLY, target, initiator, time interval, node list, MAC list, target MAC, key list) GZ06 : Mobile and Adaptive Systems

  15. Ariadne Route Maintenance Using TESLA • To prevent unauthorized Route Error Messages, we authenticate a sender. • A ROUTE ERROR packet in Ariadne contains six fields (ROUTE ERROR,sending address, receiving address, time interval, error MAC,recent TESLA key) • It should handle the possible memory consumption attack. GZ06 : Mobile and Adaptive Systems

  16. Introduction Design Evaluation & Analysis Related work Critical Appraisal of the work Agenda GZ06 : Mobile and Adaptive Systems

  17. Evaluation • Modified Simulation Model • Increased packet size to reflect the additional fields necessary for authenticating • Modified Route Discovery and Maintenance • Adjusted re-transmission timeouts for Route Requests to compensate for the delay • Disallowed the use of prefixes of routes in the Route Cache GZ06 : Mobile and Adaptive Systems

  18. Evaluation - Packet Delivery Ratio 4.66% less PDR than DSR-NoOpt in maximum Ariadne outperforms DSR-NoOpt at lower level of mobility GZ06 : Mobile and Adaptive Systems

  19. Evaluation - Packet Overhead Ariadne has 41.7% lower packet overhead than DSR-NoOpt GZ06 : Mobile and Adaptive Systems

  20. Evaluation - Byte Overhead Ariadne has 26.19% higher byte overhead than DSR-NoOpt GZ06 : Mobile and Adaptive Systems

  21. Evaluation – Path Optimality DSR-NoOpt performs slightly better than Ariadne GZ06 : Mobile and Adaptive Systems

  22. Evaluation – Average Latency Ariadne always has consistently lower latency than DSR-NoOpt GZ06 : Mobile and Adaptive Systems

  23. Security Analysis • Active-0-x • Bogus messages • Wormhole and rushing attacks • Active-1-x • Prevent two nodes from communicating • Replace MAC or keys in the Route Request • Active-y-x • Attempt to force the initiator to repeatedly initiate Route Discoveries • Resist Active-VC? • No solution provided GZ06 : Mobile and Adaptive Systems

  24. Introduction Design Evaluation & Analysis Related work Critical Appraisal of the work Agenda GZ06 : Mobile and Adaptive Systems

  25. Related Work • Periodic protocols • Much overhead introduced (storage, bandwidth, control and delay) • Protocols that use asymmetric crypto. • Computationally expensive to sign and verify • Possible DoS attacks • High network bandwidth usage • Protocols that use network-wide symmetric keys • Single-node compromise GZ06 : Mobile and Adaptive Systems

  26. Introduction Design Evaluation & Analysis Related work Critical Appraisal of the work Agenda GZ06 : Mobile and Adaptive Systems

  27. Conclusions • Achievements • Security against various types of attacks • Efficient symmetric cryptography • General • trusted hardware, powerful processors not needed • Overall Performance • Compared to optimized DSR: less efficient • Compared to unoptimized DSR: better in some metrics (e.g. packet overhead) GZ06 : Mobile and Adaptive Systems

  28. Critical Appraisal • Key Setup • Methods: Pre-deployed, KDC, CA • Fixed nodes. Circular dependency. Centralized. • Clock synchronization. • Circular dependency • Resource constrained. Insecure • Maximum end-to-end delay • How to choose adaptively GZ06 : Mobile and Adaptive Systems

  29. Critical Appraisal (cont.) • Delay and Buffer Size • Slow responsiveness • Resource constrained • Intermediate nodes authentication • Authentication on demand • Remaining Security Issues • Passive eavesdropper • Inserting data packets attack • Non-participating attacker • Single layer security scheme GZ06 : Mobile and Adaptive Systems

  30. Thanks for your attention! Any questions?

More Related