Ariadne: A Secure OnDemand Routing Protocol for Ad Hoc Networks - PowerPoint PPT Presentation

1
Ariadne: A Secure On-Demand Routing Protocol for
Ad Hoc Networks
EECS 600 Advanced Network Research, Spring 2005
Instructor: Shudong Jin
March 2, 2005
2
The Big Picture
  • Secure and reliable communication is a necessary
    prerequisite for applications
  • Little research has been done in a more realistic
    setting in which an adversary may attempt to
    disrupt the communication (in different ways)
  • Focus on on-demand (or reactive) routing
    protocols for ad hoc networks

3
This Paper
  • Two contributions to the area of secure routing
    protocols for ad hoc networks.
  • Give a model for the types of attacks possible in
    such a system, and describe several new attacks
    on ad hoc network routing protocols.
  • Present the design and performance evaluation of
    a new on-demand secure ad hoc network routing
    protocol, called Ariadne, that withstands node
    compromise and relies only on highly efficient
    symmetric cryptography.

4
Dynamic Source Routing (Assumed)
  • Route Discovery
  • Initiated when need a path to a destination, but
    route not available locally
  • Route Request (broadcast) and Route Reply
    (unicast back)
  • Route Maintenance
  • Route Error when retransmissions don't return
    results
  • Handle broken links.

5
Overview of TESLA (used) (1)
  • Broadcast authentication protocol that adds a
    single message authentication code
  • Good for point-to-point communication
  • Not enough for group communication.
  • Adding clock synchronization (details)
  • One-way key chain for authentication
  • Each sender chooses random initial key $K_N$,
    generates one-way key chain as $K_i = H^{N-i}(K_N)$
  • Example schedule for disclosing keys: disclose $K_i$
    at $T_i = T_0 + i \cdot t$

6
Overview of TESLA (used) (2)
  • Receiver can determine which key is disclosed
  • Loose time synchronization(?)
  • Sender picks $K_i$ which will not be disclosed until
    $\tau + 2\Delta$ time passes and adds MAC using $K_i$
  • Receiver discards the packet if security condition
    fails
  • Need more discussions here
  • TESLA security condition
  • $K_i$ used to authenticate a packet cannot have been
    disclosed yet
  • For example, if arrival time is $t_r$ and earliest
    time to disclose $K_i$ is $t_0 + i \cdot t$, then
    $t_r \le t_0 + i \cdot t - \Delta$ implies $K_i$ is not disclosed yet
  • ? is small ? may discard some packets? is large
    ? long delay for authentication
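The key chain and security condition from the two TESLA slides, as an added example (not code from the slides or the paper). It assumes SHA-256 for H and HMAC-SHA256 for the MAC; the times, interval and Δ are constructed values in milliseconds.

```python
import hashlib
import hmac

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(k_n: bytes, n: int) -> list:
    """Return [K_0, ..., K_N] with K_i = H^(N-i)(K_N)."""
    chain = [k_n]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()                      # index i now holds K_i
    return chain

def key_is_authentic(k_i: bytes, i: int, k_0: bytes) -> bool:
    """A disclosed K_i is genuine iff hashing it i times yields the authentic K_0."""
    x = k_i
    for _ in range(i):
        x = H(x)
    return hmac.compare_digest(x, k_0)

def security_condition(t_r, t_0, i, t, delta) -> bool:
    """K_i cannot have been disclosed yet if t_r <= t_0 + i*t - delta."""
    return t_r <= t_0 + i * t - delta

def receive(msg, tag, i, t_r, t_0, t, delta):
    """Buffer the packet only if the security condition holds, else discard."""
    return (msg, tag, i) if security_condition(t_r, t_0, i, t, delta) else None

def authenticate(buffered, k_i: bytes, k_0: bytes) -> bool:
    """Run once K_i is disclosed: check the key against K_0, then the MAC."""
    msg, tag, i = buffered
    if not key_is_authentic(k_i, i, k_0):
        return False
    expected = hmac.new(k_i, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

# Constructed sample: 8 intervals of 100 ms starting at 1000 ms, delta = 20 ms.
T0, T, DELTA = 1000, 100, 20
CHAIN = make_chain(b"constructed-seed-K_N", 8)
MSG = b"constructed packet"
TAG = hmac.new(CHAIN[5], MSG, hashlib.sha256).digest()   # sender MACs with K_5
ON_TIME = receive(MSG, TAG, 5, 1450, T0, T, DELTA)       # 1450 <= 1480: buffered
LATE = receive(MSG, TAG, 5, 1490, T0, T, DELTA)          # 1490 >  1480: discarded
```

The receiver needs only the authentic K_0 in advance; every later key is checked against it when disclosed.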

7
Network Models (1)
  • Assumptions on protocol layers
  • Disregard physical layer jamming
  • Network layer
  • Links are bidirectional
  • Security versus performance tradeoffs (disregard
    MAC layer attacks too)
  • Network may drop, corrupt, reorder, or duplicate
    packets in transmission
  • Assumptions on node capabilities
  • Resource-constrained
  • When used with TESLA, all nodes must know $\Delta$ (max
    time synchronization error)
  • Compensate clock drift by re-synchronizing
    periodically

8
Network Models (2)
  • Assumptions on security capabilities
  • Authentication models
  • Pairwise shared secret keys: set up $n(n+1)/2$
    keys for $n$ nodes
  • TESLA: set up shared secret keys between
    communicating nodes, and distribute one authentic
    public TESLA key for each node
  • Digital signatures: distribute one authentic
    public key for each node
  • Each node has authentic element from Route
    Discovery chain
  • Key setup?
  • To bootstrap authenticated keys between pairs of
    nodes, Key Distribution Center (KDC) initiates a
    Route Discovery. Each node will return a Route
    Reply. KDC sends keys to each node using the
    returned route

9
Attackers
  • Passive
  • Eavesdrops
  • Threats against privacy/anonymity
  • Active
  • Injects packets as well as eavesdrops
  • Model: Active-n-m attacker (more discussions)
  • Compromises n good nodes and owns m nodes in the
    network
  • Attacker has all keys of compromised nodes and
    distributes them among all its nodes
  • Examples: Active-0-1, Active-0-x, etc.
  • Active-VC attacker
  • Owns all nodes on a vertex cut
  • Partitions the network

10
Attacks on Ad Hoc Routing Protocols (1)
  • Routing disruption attacks: cause legitimate
    packets to be routed in dysfunctional ways
  • Forge routing packets
  • To create routing loop
  • To create black hole (all packets are dropped) or
    gray holes
  • To cause a node to use detours (suboptimal
    routes)
  • To partition the network
  • Gratuitous detours: using virtual nodes, make a
    longer route
  • Blackmail a good node
  • Causing other good nodes to add that node to
    their blacklists, thus avoiding that node in
    routes
  • Rushing attack
  • Targeted against on-demand routing protocols with
    duplicate suppression
  • Disseminates Route Requests quickly, suppressing
    any later legitimate Route Requests
  • Wormhole
  • Pair of attacker nodes A and B linked via a
    private network connection, short circuiting the
    normal flow of routing packets (a virtual vertex
    cut)

11
Attacks on Ad Hoc Routing Protocols (2)
  • Resource consumption attacks: inject extra
    packets
  • Data packets
  • Consumes bandwidth, especially over detours or
    loops
  • Control packets
  • Consumes more bandwidth/computational resources
    for processing and forwarding such packets
  • Active-VC attacker can extract max resources
  • Forward only routing packets and not data packets

12
Notations in Ariadne
  • A, B are principals
  • $K_{AB}$, $K_{BA}$ denote the secret MAC keys between A and
    B
  • $MAC_{K_{AB}}(M)$ denotes the computation of MAC of
    message M using MAC key $K_{AB}$

13
Ariadne Design Goals
  • Resilience against Active-1-x and Active-y-x
    attackers
  • Relatively easy against Active-0-x
  • Network-wide shared secret key limits packet
    replaying
  • Packet leashes prevent wormhole/rushing attacks

14
Ariadne Route Discovery
  • Target authenticates Route Requests
  • Initiator includes a MAC with $K_{SD}$
  • Can verify authenticity and freshness
  • Data Authentications
  • Initiator authenticates nodes in Route Reply
  • Target authenticates nodes in Route Request and
    return only legitimate paths
  • Three alternative techniques TESLA, digital
    signatures, standard MACs (read more details in
    the paper)
  • Per-hop hashing
  • Authentication of data is not sufficient
  • One-way hash functions to verify that no hop was
    omitted

15
Route Discovery with TESLA (1)
  • Assumptions
  • Every pair A, B share MAC key KAB, KBA
  • Every node has a TESLA one-way key chain
  • All nodes know an authentic key of every node
  • No intermediate node can remove a previous node
    in the node
  • Two stages of Route Discovery
  • Initiator floods Route Request
  • Target returns Route Reply
  • Ariadne provides the following properties
  • The target node can authenticate the initiator
    (using a MAC with a key shared between the
    initiator and the target)
  • The initiator can authenticate each entry of the
    path in the ROUTE REPLY
  • No intermediate node can remove a previous node
    in the node list in the REQUEST or REPLY

16
Route Discovery with TESLA (2)
  • Route Request
  • Eight fields: <Route Request, initiator, target,
    id, time interval, hash chain, node list, MAC
    list>, details
  • Initiator initializes hash chain to
    $MAC_{K_{SD}}$(initiator, target, id, time interval)
  • Intermediate node A receives the request, checks
    <initiator, id> and checks time interval
  • If it has seen it before, discard it as in DSR
  • Check if Time Interval is valid.
  • It must not be too far in the future and key
    corresponding to it must not be disclosed yet
  • If any condition fails, discard the request
  • If all conditions hold, A appends its address to
    node list, replaces hash chain with H[A, hash
    chain], appends MAC of entire Request with TESLA
    key $K_{A_i}$ to MAC list
  • Target checks validity of Request
  • By determining that the keys are not disclosed
    yet and that the hash chain is equal to
    $H[\eta_n, H[\eta_{n-1}, H[\ldots, H[\eta_1, MAC_{K_{SD}}(\text{initiator, target, id, interval})] \ldots ]]]$
  • If Request is valid, target returns a Route Reply
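The per-hop hash chain of the Route Request, as an added example (not code from the slides or the paper): the initiator seeds the chain with a MAC under the key it shares with the target, each forwarding node folds in its own address, and the target recomputes the chain from the node list. It assumes SHA-256 for H, HMAC-SHA256 for the MAC and a length-prefixed field encoding; the addresses and key are constructed, and the TESLA MAC list is left out to keep the focus on the hash chain.

```python
import hashlib
import hmac

def enc(*fields) -> bytes:
    """Length-prefixed encoding so field boundaries are unambiguous (assumed format)."""
    out = b""
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        out += len(b).to_bytes(2, "big") + b
    return out

def seed(k_sd: bytes, req: dict) -> bytes:
    """MAC_{K_SD}(initiator, target, id, time interval)."""
    msg = enc(req["initiator"], req["target"], req["id"], req["interval"])
    return hmac.new(k_sd, msg, hashlib.sha256).digest()

def new_request(k_sd, initiator, target, req_id, interval) -> dict:
    req = {"initiator": initiator, "target": target, "id": req_id,
           "interval": interval, "node_list": []}
    req["hash_chain"] = seed(k_sd, req)
    return req

def forward(req: dict, addr: str) -> dict:
    """Intermediate node: append own address, replace hash chain with H[addr, hash chain]."""
    return {**req,
            "node_list": req["node_list"] + [addr],
            "hash_chain": hashlib.sha256(enc(addr, req["hash_chain"])).digest()}

def target_accepts(k_sd: bytes, req: dict) -> bool:
    """Target: rebuild the chain from the node list and compare with the received value."""
    h = seed(k_sd, req)
    for addr in req["node_list"]:
        h = hashlib.sha256(enc(addr, h)).digest()
    return hmac.compare_digest(h, req["hash_chain"])

# Constructed sample: S floods a request for D that travels S -> A -> B -> C -> D.
K_SD = b"constructed-K_SD"
HONEST = forward(forward(forward(new_request(K_SD, "S", "D", 7, 42), "A"), "B"), "C")
DROPPED = {**HONEST, "node_list": ["A", "C"]}        # hop B removed from the list
REORDERED = {**HONEST, "node_list": ["B", "A", "C"]}
RESULTS = [target_accepts(K_SD, r) for r in (HONEST, DROPPED, REORDERED)]
```

Only the unmodified request passes; a node list with a hop removed or reordered no longer matches the chain value carried in the packet.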

17
Route Discovery with TESLA (3)
  • Route Reply
  • <Route Reply, target, initiator, time interval,
    node list, MAC list, target MAC, key list>,
    details
  • Target sends the packet to the initiator along
    the route in node list
  • An intermediate node waits until it can disclose
    its key and then appends its key
  • The initiator verifies that
  • Each key is valid
  • target MAC is valid
  • Each MAC in MAC list is valid

18
Ariadne Route Maintenance
  • Send Route Error when delivery to next hop fails
    after a limited number of attempts
  • Does not consider attackers not sending Errors
  • To prevent unauthorized node from sending Errors,
    sender authenticates Errors
  • Route Error packet: <Route Error, sending
    address, receiving address, time interval, error
    MAC, recent TESLA key>
  • More details on route maintenance

19
Ariadne Evaluation
  • Section 7
  • Tables and figures

20
Discussions
  • Comments from students