SRDP: Securing Route Discovery in DSR

1. SRDP: Securing Route Discovery in DSR Jihye Kim and Gene Tsudik Computer Science Department University of California at Irvine {Jihyek, gts}@ics.uci.edu D B C H E S G F

2. Outline • Introduction • Secure Route Discovery Protocol (SRDP) • Conventional MACs • DH-based MACs • Accountable-Subgroup Multi-signatures (ASM) • Multi-signatures based on Gap Diffie-Hellman (GDH) Groups • Sequential Aggregate Signatures (SAS) • Analysis • Conclusion

3. Introduction • MANET Characteristics • No fixed infrastructure and node mobility • Traditional routing protocol cannot be used. • Dynamic Source Routing (DSR) • Source obtains information of all nodes along a path to the destination on-demand. • Basic Operations • Route Discovery • Core function of DSR we will deal with. • Data routing • Route Maintenance, etc.

4. Route Discovery • Route discovery has two stages: • The source floods the network with ROUTE REQUEST (RREQ) and • The destination returns a ROUTE REPLY (RREP). D B S-B-C-D S-B-C C S-B S S-G-E S-G-E RREQ H S E S S-G S-G-E RREP G F

5. Security of Route Discovery • Like most network protocols, DSR is designed for non-adversarial networks. • An adversarial node can easily disrupt the route discovery process by adding, deleting, and modifying any node in the route. Need to add Security Features for Route Discovery

6. SRDP: Secure Route Discovery Protocol • Need following properties: 1. Source can authenticate each entry of the path. 2. No intermediate node can remove a previous node in the node list in the route discovery packet. 3. Destination (optionally, intermediate nodes) authenticates source to prevent DoS attacks

7. Related/Previous Work • Ariadne [Hu, et al. Mobicom 2002] • Pros: • Node authentication based on TESLA • Very efficient using MACs • Cons: • Loose time synchronization required. • No non-repudiation • Combined size of MACs depends on route length • We want: Non-repudiation No Time Synchronization Fixed-sizeAuthentication Tag

8. Attacks • Active attacker • Add, delete and modify the route • Possible Attacks • The adversary can add or delete a set of compromised nodes from the route • The adversary can control a sandwichednode list closed by attackers N2 S A1 N3 N4 A2 D N1

9. Security Definition (informal) • Route Discovery is secure if, for a given a route: 1. The source can verify the presence of each honest node that appears in the route. 2. For all honest nodes appearing in the route, their view of the route is either the same or, if not the same, the discrepancy is detected by the source.

10. Observations • RREQ is processed by many nodes • RREP is processed by few nodes • Minimize overhead in RREQ • Shift as much as possible to RREP • MACs and signatures take more space than route elements • Need to minimize bw consumed (reason) Also: • Minimize state maintained between RREQ/RREP • “Remember” only the route prefix or hash thereof • DSR already requires state to be kept

11. Recap: DSR S RREQ0 = [ RREQh, ( ) ] If it it new, process RREQ and cache Sid B RREP2 = [ RREPh ] RREQ1 = [ RREQh, (B) ] C If it it new, process RREQ and cache Sid RREP1 = [ RREPh ] RREQ2 = [ RREQh, (B, C) ] D RREP0 = [ RREPh ]

12. Generic SRDP S Verify RREQ0 = [ RREQh, ( ) ] If it it new, process RREQ and cache Sid and prefix B RREP2 = [ RREPh, ( ) ] RREQ1 = [ RREQh, (B) ] Fetch and verify route prefix If it it new, process RREQ and cache Sid and prefix C RREP1 = [ RREPh, ( ) ] Fetch and verify route prefix RREQ2 = [ RREQh, (B, C) ] D RREP0 = [ RREPh, ( ) ] Verify

13. Conventional MACs S B C D Fast, but requires pre-shared keys & doesn’t provide non-repudiation

14. MACs based on Diffie-Hellman S B C D No pre-shared keys, relatively expensive & doesn’t provide non-repudiation

15. Accountable-Subgroup Multi-SignaturesMicali, Ohta and Reyzin [ACM CCS’01] ( Based on Schnorr signatures ) S B C D • Note that state must be kept after RREQ  bad! • But, note that RREP processing is very lightweight

16. Multi-signatures based on GDH Groups Boneh, Gentry, Shacham, and Lynn [Eurocrypt’03] S valid DDHtriple B C D

17. Sequential Aggregate Signatureswith RSA Lysyanskaya, Micali, Reyzin, and Shacham [Eurocrypt’04] S B Y C N Y D N

18. Analysis • Auth. tag generation cost of an intermediate node * Can be done off-line or re-used from earlier RREQ processing • Auth. Tag verification cost of the source * r is the number of nodes in the route list

19. Some Experimental Results • Generation and Verification costs (msec) for route of length 10

20. Conclusion • SRDP severely limits the range of possible attacks on DSR Route Discovery by combining prefix caching and backward authentication • ASM-based aggregated signatures seem to be best suited • More experimentation needed to compare with Ariadne • Clearly, MACs are cheaper but extra bandwidth is costly! • Ultimately hard to compare since non-repudiation is not offered in Ariadne

21. End

22. A node cannot know whether it will be on the eventual route. It sees only partial route information, the prefix. A node can include its authentication tag in the eventual route. All nodes’ view of the route should be exactly the same. Forward vs Backward Authentication • Partial route in RREQ is accumulated incrementally (via flooding) until destination is reached • RREP confirms the route by re-visiting it (via unicast) in reverse order. RREQ RREP 1. Cache the prefix of RREQ 2. Check the prefix of RREQ 3. Compute the authentication tag on RREP via efficient signature aggregation mechanism

23. Schnorr Signature Scheme re-cap • System-wide parameters: p, q, g, h() • p,q – primes, p-1=kq, g – generator, h(.) – hash fn. • Signer’s public key: y = g X mod p • Signer’s secret key: x • Signature generation:σ= (e,s) where: • r – randomly selected from Zq • e = h(m,gr) • s = (xe + r) mod q = [ x h(m,gr) + r ] mod q • Signature Verification: h ( m, gs y-e ) = ? = e