
Security of AdHoc Networks

The document discusses security issues in ad-hoc networks. It defines ad-hoc networks as mobile wireless networks without fixed infrastructure. Key challenges include dynamic topology, susceptibility to attacks, and lack of centralized management. The document outlines approaches for scalable and distributed key management and security mechanisms to address these challenges. These include localized trust models where nodes collaboratively secure the network, self-initialization without a central dealer, and techniques like shuffling to distribute key shares securely in dynamic ad-hoc networks.

Uploaded by

bidhu
Copyright
© Attribution Non-Commercial (BY-NC)

Security of Ad-Hoc Networks

By

V.G.Vinod Vydiswaran
Amreek Singh
Prasanna H. Kulkarni
What are Ad Hoc Networks?
 Networks with no fixed infrastructure
 Mobile nodes : communicate within
radio-range directly or through routers
 Node mobility implies frequent change
in network topology.
 Rapidly deployed networks
 Relatively low cost
2
Security Goals
 Availability
 Survive despite DoS attack
 Primary concern: Key management service
 Confidentiality
 Integrity
 Authentication
 Non-repudiation
3
Challenges
 Use of wireless links leaves ad hoc networks susceptible to link attacks
 Relatively poor protection, as in
battlefields
 So for high survivability, distributed
architecture needed.
 Dynamic network topology : ROUTING
 Scalable security mechanisms
4
Outline of further talk
 Scalability considerations
 How the network must be scalable
 Key Management issues
 How to generate secret keys
 How to distribute keys secretly
 Secure Routing considerations
 Issues regarding malicious intruder

5
Scalability Concerns
 The lack of infrastructure introduces vulnerability to DoS attacks in ad hoc networks.
 Mobility induces link breakage and channel
errors.
 Need of scalability
 Growing commercial and military
deployments of these networks.

7
 These issues are addressed through a
localized trust model.
 Where the functionality of security is
distributed over all networking nodes.
 And nodes collaboratively secure the whole
system.

8
 Related works (Kerberos and X.509)
 They too use a CA.
 They gained popularity, but they do not work well with large networks.
 Problems
 The cost of maintaining large centralized servers
may be high.
 The CA servers are inviting targets of malicious
attacks.
 Multihop communication over the error prone
wireless channel exposes the data transmission to
high loss rates.
 It may cause severe wireless channel contention
around the CA servers.

9
 Localized trust model
 Assumptions made
 Communication between one hop neighboring
node is considered to be more reliable than multi-hop communication.
 Each node has at least K legitimate one-hop neighboring nodes.
 Each node is equipped with some local
mechanism to identify misbehaving nodes among
its one hop neighborhood.

10
Localized Trust Model
 An entity is trusted, if any K trusted
neighboring entities claim so.
 A locally trusted entity is globally accepted.
 A locally distrusted entity is regarded as
untrustworthy anywhere.
 Two important parameters: K and Tcert
 Two options to set K
 Set it as globally fixed parameter

 Set it as location dependent.

11
 This uses certificate based authentication
approach.
 Each node ID is associated with a key pair < PKi , SKi >.
 Each node carries a certificate signed with SKi.
 PK is assumed to be well known for certificate verification.
 Nodes without valid certificates are treated as adversaries and denied access to any network service, such as packet forwarding or routing.
 When a mobile node moves to a new location, it exchanges certificates with its new neighbors.
 Authenticated nodes help each other forward and route packets.
12
Localised certification services
 Certificates are stamped with an expiration time.
 What happens when node Vi requests a new certificate:
 Vj returns a partial certificate by applying its share of SK.
 By collecting K partial certificates, Vi combines them into its full certificate, as if it were issued by the CA.
 Nodes with valid certificates are globally trusted.
 Adversaries are effectively isolated and their
impact on the overall network is localized.

13
Self Initialization in Traditional Approach
 At the bootstrapping phase of the network, a dealer sends each node its share of the SK.
 New nodes can join at any time, so the dealer must stay online to handle them.
 This compromises system robustness and security.
 The dealer would become the single point of failure.

14
Self Initialization in Local Trust Model
 Dealer is only responsible for initializing the first K nodes.
 Initialized nodes initialize other nodes.
 Benefits of placing certification services in each node's one-hop locality:
 Service availability and robustness against DoS attacks
 This model's protocols are immune to unreliability of underlying transport layer protocols.
 With this distributed approach, system maintenance overhead is balanced over the network.
 And hot spots of congestion are avoided.

15
 K-bounded coalition offsetting technique:
 Node Vi chooses a coalition B of K nodes, typically from its one-hop neighborhood.
 Vi broadcasts the request to these K nodes, together with the node IDs of these K nodes.
 Each node Vj in set B generates a partial certificate and sends it to Vi.
 Upon receiving K partial certificates from set B, node Vi combines them to generate a candidate certificate.
 Finally, Vi applies K-bounded coalition offsetting to recover the new certificate.
 Cost: one broadcast request and K unicast responses.

16
 Drawback in algorithm:
 If any node from B fails or moves out, all other partial certificates are useless.
 Vi has to start the whole process again.

17
 An Optimization: Dynamic coalescing
 Certification from any K nodes in the
neighborhood, instead of being specified by Vi.
 Everything else is the same.

18
 Important issues:
 Information that Vj keeps about Vi.
 Records of Vj concerning Vi.
 If Vj's record does not provide enough information about Vi (they may be meeting for the first time), there are two approaches:
 Serve Vi's request: problem - roaming adversaries
 Discard request: problem - unfair to legitimate nodes.

19
 Complete Shuffling:
 Vi wants to join the network
 Vj decides to serve
 But it is insecure for node Vj to return its share directly to Vi.
 Nodes in B completely shuffle their individual partial shares.
 Each pair in B securely exchanges a shuffling factor Di,j.
 One node adds this factor and the other subtracts it.
 For node Vj there are K-1 shuffling factors, and it must apply all of them.
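
The shuffling step above, worked through with Shamir-style polynomial shares (an added example, not code from the slides or the cited papers). It assumes SK is the constant term of a degree K-1 polynomial over a prime field and that each Vj's partial share is its own share scaled by a public Lagrange coefficient; the modulus, node IDs and function names are constructed for illustration.

```python
import secrets

Q = 2**127 - 1  # prime modulus, constructed for this example

def f(coeffs, x):
    """Sharing polynomial; coeffs[0] plays the role of SK (assumed Shamir sharing)."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def lagrange(j, coalition, x):
    """Public Lagrange coefficient l_j(x) for node j within the coalition."""
    num = den = 1
    for m in coalition:
        if m != j:
            num = num * (x - m) % Q
            den = den * (j - m) % Q
    return num * pow(den, -1, Q) % Q

def partial_shares(shares, coalition, new_id):
    """Each Vj scales its own share so the K partials sum to f(new_id)."""
    return {j: shares[j] * lagrange(j, coalition, new_id) % Q for j in coalition}

def shuffle(partials):
    """Complete shuffling: every pair agrees on a random factor; one adds, one subtracts."""
    out = dict(partials)
    ids = sorted(out)
    for n, a in enumerate(ids):
        for b in ids[n + 1:]:
            d = secrets.randbelow(Q)          # shuffling factor D_{a,b}
            out[a] = (out[a] + d) % Q
            out[b] = (out[b] - d) % Q
    return out

def demo(k=3):
    coeffs = [secrets.randbelow(Q) for _ in range(k)]
    shares = {v: f(coeffs, v) for v in (1, 2, 3, 4)}     # already-initialized nodes
    coalition, new_id = [1, 2, 4], 7                     # B and the joining node Vi
    plain = partial_shares(shares, coalition, new_id)
    mixed = shuffle(plain)
    # Without shuffling, Vi divides out the public coefficient and learns V1's share.
    leaked = plain[1] * pow(lagrange(1, coalition, new_id), -1, Q) % Q
    return {
        "unshuffled_leaks_share": leaked == shares[1],
        "shuffled_hides_partial": mixed[1] != plain[1],
        "new_share_correct": sum(mixed.values()) % Q == f(coeffs, new_id),
    }

if __name__ == "__main__":
    print(demo())
```

The pairwise factors cancel in the sum, so Vi still obtains a valid share while no single response reveals the sender's own share.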

20
 Implementation Issues:
 Design can be implemented in any layer
above MAC layer.
 Application layer is good for several
reasons
 Modifications to lower layer protocols are
avoided.
 Can also achieve maximal independence from the underlying network.

21
Key management
Primary Features
 Lack of infrastructure – too harsh
 We assume Public key infrastructure
 Certification Authority
 Needs to stay on-line
 Studied replication to increase availability
 Use of distributed trust among group of servers
 Use of Digital Signatures

23
Encrypted Key Exchange
 Derive strong shared key from weak
shared key
 Desired properties
 Forward Secrecy
 Contributory Key Agreement
 Tolerance to disruption attempts

24
EKE (Contd.)
 Protocol
 2-party
 Non-contributory multiparty
 Contributory multiparty

 Drawback
 E must be random
 Active attacker chooses E such that Msg.2 is prone
to Dictionary Attack

25
Diffie-Hellman Key Exchange
 Protocol:
 2-party
 Multi-party
 Efficient Implementation
 Use of d-cube

26
Eliminating Centralized CA
 Emulate central CA distributed over several
nodes
 Key Management Service
 Totally distributed architecture
 Works from weaker to stronger shared keys
 Works only if one password already shared
 Self-organizing public key infrastructure
 Decentralized PEM, PGP, …

27
Key Management Service
 Primary tier of servers
 Service has one private/public key pair
 Each server has its own private/public
key pair
 Each server giving one share of service
private key
 The private key can also be changed
periodically
28
Public key distribution for Self-Organizing Systems
 Certificates stored and distributed by
users
 If A believes that given public key is indeed
B’s, A issues public key certificate to B
 Construction of Trust Graphs
 Merging graphs to find path from C to
D, if C wants certificate of D
 Efficient Shortcut Hunter algorithm

29
Future scope
 Use of smart cards for tamper-resistant
information storage
 Dynamic routing information storage
still a problem
 Only node contributing to the benefit of
community allowed to use network

30
Secure Routing
Secure Routing
 Basic Assumptions
 The underlying data link layer provides
reliable transmission on a link basis
 Links are bidirectional
 A one-to-one mapping between Medium
Access Control and IP address exists
 Each transmission is received by all neighbors, which are assumed to operate in promiscuous (random) mode.

32
Basic Terminology
 Source S
 Destination T
 Message Authentication Code (MAC)
 Shared Key ( KS,T )
 Route Request {QS,T; n1, n2, …, nk}
 Route Reply {RS,T; n1, n2, …, nk}

33
Sample Network

Fig: Example Topology: S wishes to discover route to T in presence of two malicious nodes M1 and M2
34
Scenarios
 Scenario 1:
 M1 receives {QS,T; S}, it attempts to mislead S
by generating {RS,T; S, M1, T}
 M1 does not have KS,T , so cannot generate valid
MAC
 False reply packet --- discarded by S
 Scenario 2:
 M1 discards request packets arriving from its
neighbors, e.g. from node 1.
35
Scenarios
 Scenario 3:
 M1 sees {QS,T; S,1,M1}
 T generates reply for {QS,T; S,1,M1,5,4,T}
 M1 receives {RS,T; S,1,M1,5,4,T}
 It tampers with its contents and relays {RS,T; S,1,M1,Y,T}
--- Y is any invented sequence of nodes
 Scenario 4:
 M1 sees {QS,T; S,2,3}
 It corrupts accumulated route to {QS,T; S,X,3,M2}
 Reply over {T, M2,3,X,S} ---X is invalid IP

36
Scenarios
 Scenario 5:
 In order to consume network resources, M1 replays route
requests
 Query identifiers recorded at intermediate nodes (Query
Sequence Number)
 Scenario 6:
 M1 observes few route requests from S and fabricates
several queries with subsequent query identifiers
 Goal is to make intermediate nodes store these
identifiers and discard upcoming valid identifiers
 Very low probability of correct guess on query identifiers
in encrypted form.

37
Scenarios
 Scenario 7:
 M1 attempts to forward {QS,T; S, M*} i.e. it spoofs IP
address
 S would accept {QS,T; S, M*,1,4,T} route
 Scenario 8:
 M1 attempts to return a number of replies, each with
different spoofed IP address, Mi, Mi+1, …, Mi+j
 This would lead S to believe that there are many paths to
T, while actually each is controlled by M1
 But M1 cannot generate replies. So S safely discards all
above packets.

38
Scenarios
 Scenario 9:
 Nodes collude during the 2 phases of a route discovery of a single path.
 When M1 receives a route request, it tunnels it to M2, i.e. it discovers a route to M2 and sends the request encapsulated in a data packet
 Then M2 broadcasts this request with path between M1
and M2 falsified as {QS,T;S,M1,Z,M2}
 T sends reply for this on {S,M1,Z,M2}
 M2 sends this reply message to M1 via tunneled path.
 M1 forwards it to S.
 Thus S thinks of a false route as a correct route.

39
SRP Header

40
SRP Header
 Query Identifier QID:
 32 bit quantity
 Used by intermediate nodes as a means to identify the
request.
 It is generated by a secure pseudorandom number
generator.
 Message Authentication Code MAC:
 96 bit long field
 Generated by a one-way hash function
 Inputs to hash function are
 Entire IP Header
 Route Request Packet
 Shared Key KS,T

41
SRP Header
 Type:
 Depends on the type of node
 For S, it denotes that packet is Request
 For T, it denotes that packet is Reply
 Query Sequence Number Qseq:
 32 bit quantity
 Set initially at the establishment of Security Association
 Increases monotonically
 Cannot wrap round (connection reestablishment in case
of wrapping round)
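
How the QID, Qseq and 96-bit MAC fields let S reject the replies in Scenarios 1 and 3, as an added example (not code from the slides or from the SRP authors). The field encoding, the use of truncated HMAC-SHA-256 as the keyed hash, the Type values, and the class and function names are assumptions made here.

```python
import hashlib, hmac, secrets, struct

REQUEST, REPLY = 1, 2   # assumed encodings of the Type field

def srp_mac(key, msg_type, qid, qseq, src, dst, route):
    """96-bit MAC; HMAC-SHA-256 truncated to 12 bytes stands in for the keyed hash."""
    fields = struct.pack("!BII", msg_type, qid, qseq)
    for name in (src, dst, *route):               # length-prefix each address
        fields += struct.pack("!B", len(name)) + name.encode()
    return hmac.new(key, fields, hashlib.sha256).digest()[:12]

class Source:
    """Node S: tracks outstanding queries and validates route replies."""
    def __init__(self, key, name, dst):
        self.key, self.name, self.dst = key, name, dst
        self.qseq = 0
        self.pending = {}                         # QID -> Qseq

    def new_query(self):
        self.qseq += 1                            # Qseq increases monotonically
        qid = secrets.randbits(32)                # QID from a secure PRNG
        self.pending[qid] = self.qseq
        return qid, self.qseq

    def accept_reply(self, qid, qseq, route, mac):
        if self.pending.get(qid) != qseq:
            return False                          # not a reply to our query
        good = srp_mac(self.key, REPLY, qid, qseq, self.name, self.dst, route)
        return hmac.compare_digest(good, mac)

def demo():
    key = secrets.token_bytes(16)                 # K_{S,T}, held only by S and T
    s = Source(key, "S", "T")
    qid, qseq = s.new_query()
    route = ["S", "1", "M1", "5", "4", "T"]       # constructed sample route
    mac = srp_mac(key, REPLY, qid, qseq, "S", "T", route)          # computed by T
    # Scenario 1: M1 has no K_{S,T}, so its MAC comes from some other key.
    fake = srp_mac(b"not the key", REPLY, qid, qseq, "S", "T", ["S", "M1", "T"])
    return {
        "genuine": s.accept_reply(qid, qseq, route, mac),
        "scenario1": s.accept_reply(qid, qseq, ["S", "M1", "T"], fake),
        # Scenario 3: M1 rewrites the route but can only reuse T's MAC.
        "scenario3": s.accept_reply(qid, qseq, ["S", "1", "M1", "Y", "T"], mac),
        "unknown_qid": s.accept_reply(qid ^ 1, qseq, route, mac),
    }
```

Because the route is covered by the MAC, any change made in transit invalidates the reply, and a reply that does not match an outstanding QID is dropped before the MAC is even checked.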

42
Conclusions
 Ad Hoc networks pose an interesting
problem in networking with dynamic
routing and highly insecure working
environment
 Need of Secure, Scalable, Reliable and
Efficient algorithms for Key
management and Routing

43
Thank You … for your presence and patient hearing

45
