1 / 36

Security for Ad Hoc Network Routing

Security for Ad Hoc Network Routing. Mobile Wireless communication Medium to high bandwidth High variability of connection No fixed infrastructure Participants from different administrative entities Medium to high computation, memory Usually human user with each device.

nusa
Télécharger la présentation

Security for Ad Hoc Network Routing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security for Ad Hoc Network Routing

  2. Mobile Wireless communication Medium to high bandwidth High variability of connection No fixed infrastructure Participants from different administrative entities Medium to high computation, memory Usually human user with each device Ad Hoc Networks Properties

  3. SSL/TLS Assumption: browser can authenticate server’s certificate with its local CA root certificates Large-group key distribution Assumption: each client already has a secure connection to key distribution server Challenge in ad hoc networks: establish keys without any prior trust relationships Key Establishment Seen So Far

  4. Goals Secure, authenticated communication between devices that share no prior context Demonstrative identification: ensure to human user which other device they are communicating with No prior context? No CAs or other trusted authorities No PKI No shared secrets No shared communication history Problem reduces to key establishment Diffie & Hellman taught us how to share secrets… Problem Definition

  5. Public values: large prime p, generator g Alice has secret a, Bob has secret b A  B: ga mod p B  A: gb mod p Bob: (ga mod p)b mod p = gab mod p Alice: (gb mod p)a mod p = gab mod p Eve cannot compute gab mod p Diffie-Hellman Key Agreement

  6. Mallory can impersonate Alice to Bob, and impersonate Bob to Alice! A  M: ga mod p M  A: gm mod p M  B: gm mod p B  M: gb mod p Bob: (gm mod p)b mod p = gbm mod p Alice: (gm mod p)a mod p = gam mod p Problem: Man-in-the-middle Attack

  7. Wireless communication is invisible People can’t tell which devices are connected Neighbor can easily execute MitM attack If neighbor has a faster computer, it can easily respond faster than the legitimate devices Easy to perform with high success rate! How Serious is MitM Attack?

  8. Authentication! Public DH values must be authenticated Topic of this lecture Tradeoffs between security, usability, and transparency to the user Transparency: Does the user realize she is involved in a key establishment protocol? Does the user need to realize this? Solution to Man-in-the-Middle Attack

  9. Commitment Schemes • Commitment semantics: • Binding • Hiding • (c, d)  commit( m ) • m: message; c: commitment; d: opening value • It is infeasible to find d’ such that (c, d’) reveals m’ ≠ m • Example • c = H( m || r ) where r is a random number • d = m, r

  10. Public values: large prime p, generator g Alice has secret a, Bob has secret b A  B: ga mod p B  A: gb mod p Alice and Bob compute: gab mod p Alice’s and Bob’s devices display last 20 bits of H(gab mod p) and they manually compare them (5 hexadecimal digits), if they match, they both click “ok” Simple Protocol: String Comparison

  11. First, Alice and Bob may not really compare the strings, but simply click “ok”, how to avoid this? Knowing ga and gb, attacker can compute gc and gd such that [H(gac )]n = [H(gbd )]n Complexity: only O(2n/2) operations! How to prevent this attack? Shortcomings of Simple Protocol

  12. Here we consider DSR as a showcase. So, we revisit the routing operations in DSR, and show the possible attacks in these operations, and consider secure ways of preventing these attacks. Secure routing in ad hoc network

  13. Flooding is used for the delivery of control packets, not data packets. The control packets are flooded to discover routes. Then data packet is sent over the discovered path. Dynamic Source Routing (DSR)

  14. {C} {C} {C} {C} {C} Route discovery in DSR A J G C I M B F O H D K L E N C initiate the route discovery by flooding Route Request(RREQ). Each node appends its id to RREQ when it forwards RREQ.

  15. Route discovery in DSR A J G {C,G} C I M B F O {C,F} H D K L E N

  16. Route discovery in DSR A J G C I M B F O {C,G,I} H D K {C,F,H} L E N Node K receives two RREQs. It may choose the shorter one (hops).

  17. Route discovery in DSR A J G C I M B F O H D K L E {C,F,H,K} N

  18. When a destination node receives RREQ, it sends a Route Reply(RREP). RREP is sent by reversing the route appended in the RREQ if the links are bidirectional. If links are unidirectional, the destination node(D) may need a route discovery. In that case RREP is piggybacked on RREQ from D. RREP contains the complete path from the sender to the destination. Route Reply in DSR

  19. Route reply in DSR A J G C I M B F O H D K L E {C,F,H,K,L} N

  20. Data delivery in DSR A J G C I M {C,F,H,K,L} B F O H D K L E N Entire nodes on the path are included in the packet header. That is why it is called source routing.

  21. Promiscuous listening Data delivery is unicast. So packets have next hop’s IP address and MAC address. When next hop node’s MAC layer receives a frame, it compares destination MAC address with its MAC address. Since they do not match, MAC layer discards the frame. To avoid it, MAC layers use the promiscuous listening. In this case, MAC layer delivers frames to its network layer regardless of matching destination address with its MAC address. Data delivery in DSR

  22. Excessive Route Discovery floods Modifying discovered routes: By dropping nodes By altering the node list Sending bogus ROUTE ERRORs Failing to send ROUTE ERROR for broken route Failing to forward packets Attack model in DSR

  23. The solutions explained here are based on the following paper. “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Y.-C. Hu, A. Perrig, A.B. Johnson, Wireless Network 11, 21-38, 2005 Ariadne

  24. Can use any of three types of authentication: Pairwise shared keys: But requires setting up O(n2) keys Digital signatures and asymmetric key setup: But uses expensive asymmetric cryptography Time-delayed broadcast authentication (TESLA): But requires time synchronization Ariadne requires only one of these types: Each appropriate for different circumstances Ariadne Authentication Requirements

  25. On-demand protocols discover routes using flooding An attacker can use this to flood the network: A solution: rate-limit Discoveries when forwarding But attacker can forge claimed Discovery initiator ROUTE REQUEST Flooding Attack ROUTE REQUEST “from A” ROUTE REQUEST “from B” ROUTE REQUEST “from C” X ROUTE REQUEST “from D” ROUTE REQUEST “from E”

  26. Solution: Node uses a one-way hash chain: Authenticates the true source of ROUTE REQUEST Disclose a new element per Discovery Each element can be used only once Excessive ROUTE REQUEST Floods

  27. One-Way Hash Chains Cn-1 Cn Ci+1 C0 C1 Ci Cn-1=H(Cn) C0= H(C1) Ci=H(C1+1) • Pick random Cn and public one-way function H • Ci=H(Ci+1) • Infeasible to derive Ci from Cj (j<i) • Efficiently authenticate Ci using Cj (j<i): Cj=Hi-j(Ci)

  28. Each node uses a one-way hash function H which is known to every node. Each node picks a random Cn which is secret value and compute each chain value Ci = Hn-i(Cn). So each node has its own hash chain. Publicize C0 to every node like a public key. Every time a node sends a RREQ message, it includes the next Ci starting from C0. Using Hash Chains

  29. Attacker can drop or alter nodes on this list Can prevent discovery of a correct route Hop Drop Attack S S, A S, B S, B, C A B C S D

  30. Initiator S and Target D share (or generate) KSD S adds Message Authentication Codeh0 = MAC(KSD, request id) to ROUTE REQUEST MAC can only be computed by S and D Each hop computes hi = H(node address || hi-1) B needs h0 to drop A but can’t derive from h1 Preventing Hop Drop h0 h1 h2 A B C S D

  31. In an Ariadne ROUTE REQUEST: h0 = MAC(KSD, request id) Target can compute h0 hi = H(node address || hi-1) Target can reconstruct each hi Target can thus detect hop drop Preventing Hop Drop h0 h1 h2 h3 A B C S D

  32. Attacker can insert arbitrary nodes into node list Instead of attacker’s node address Or in addition to attacker’s node address Can prevent discovery of a correct route Node List Corruption S S,A S,A,Z S,A,Z,C A B C S D

  33. When using shared keys between all node pairs: Each node F forwarding a REQUEST packet p: Computes a MAC over p using the key it shares with the target Includes it in hi as hi = H(F || MAC(KFD,p)|| hi-1) Only that F and the target can compute this Route Authentication using Shared Keys h0 h1 h2 h3 A B C S D

  34. In an Ariadne ROUTE REQUEST: As before, target can recompute h0 hi = H(F || MAC(KFD,p)|| hi-1) Target can reconstruct each hi Target can detect bogus nodes in node list If received hi is valid, return authenticated REPLY S,A,B,C,D MAC(KSD, S,A,B,C,D) Route Authentication using Shared Keys h0 h1 h2 h3 A B C S D

  35. Attacker could send forged ROUTE ERRORs to break good routes that are in use Solution: Authenticate ROUTE ERRORs If using pairwise shared keys: Authenticate ERROR to original source of packet Authenticating ROUTE ERRORs

  36. ROUTE ERRORs can be only an optimization: Malicious nodes might refuse to send them To ensure Ariadne does not persistently use non-working routes: Sources may use multipath routing Each packet is acknowledged end-to-end,preferably using the reverse path Sender should more often choose routes that successfully deliver packets Never fully stop using an apparently good route: Short-term Denial-of-Service would otherwise result in permanent crippling of that route Secure Route Maintenance

More Related