Title: Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks
1 Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks
EECS 600 Advanced Network Research, Spring 2005
Instructor: Shudong Jin
March 2, 2005
2 The Big Picture
- Secure and reliable communication is a necessary prerequisite for applications
- Little research has been done in a more realistic setting in which an adversary may attempt to disrupt the communication (in different ways)
- Focus on on-demand (or reactive) routing protocols for ad hoc networks
3 This Paper
- Two contributions to the area of secure routing protocols for ad hoc networks.
  - Give a model for the types of attacks possible in such a system, and describe several new attacks on ad hoc network routing protocols.
  - Present the design and performance evaluation of a new on-demand secure ad hoc network routing protocol, called Ariadne, that withstands node compromise and relies only on highly efficient symmetric cryptography.
4 Dynamic Source Routing (Assumed)
- Route Discovery
  - Initiated when a path to a destination is needed but no route is available locally
  - Route Request (broadcast) and Route Reply (unicast back)
- Route Maintenance
  - Route Error when retransmissions don't return results
  - Handle broken links.
5 Overview of TESLA (used) (1)
- Broadcast authentication protocol that adds a single message authentication code
- Good for point-to-point communication
- Not enough for group communication.
- Adding clock synchronization (details)
- One-way key chain for authentication
  - Each sender chooses random initial key $K_N$, generates one-way key chain as $K_i = H^{N-i}(K_N)$
  - Example schedule for disclosing keys: disclose $K_i$ at $T_i = T_0 + i \times t$
6 Overview of TESLA (used) (2)
- Receiver can determine which key is disclosed
  - Loose time synchronization(?)
  - Sender picks $K_i$, which will not be disclosed until $\tau + 2\Delta$ time passes, and adds a MAC using $K_i$
  - Receiver discards the packet if the security condition fails
  - Need more discussions here
- TESLA security condition
  - $K_i$ used to authenticate a packet cannot have been disclosed yet
  - For example, if arrival time is $t_r$ and the earliest time to disclose $K_i$ is $t_0 + i \times t$, then $t_r \le t_0 + i \times t - \Delta$ implies $K_i$ is not disclosed yet
  - ? is small → may discard some packets; ? is large → long delay for authentication
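The key chain, disclosure schedule and security condition from the two TESLA slides, as an added sketch that is not code from the paper or the lecture. SHA-256 and HMAC-SHA256 stand in for H and the MAC, times are integer milliseconds, and all function names and sample values are assumptions of this example.

```python
import hashlib, hmac

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(n: int, k_n: bytes) -> list:
    """Return [K_0 .. K_N] where K_i = H^(N-i)(K_N); K_0 is the public commitment."""
    chain = [k_n]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]

def pick_interval(now: int, t0: int, t: int, tau: int, delta: int) -> int:
    """Sender: smallest i whose disclosure time t0 + i*t is at least tau + 2*delta after now."""
    return max(1, -(-(now + tau + 2 * delta - t0) // t))  # ceiling division

def security_condition(t_r: int, t0: int, i: int, t: int, delta: int) -> bool:
    """Receiver: K_i cannot have been disclosed yet when the packet arrived."""
    return t_r <= t0 + i * t - delta

def key_is_authentic(k_i: bytes, i: int, k_j: bytes, j: int) -> bool:
    """Check a disclosed K_i against an earlier authentic K_j (j < i)."""
    for _ in range(i - j):
        k_i = H(k_i)
    return hmac.compare_digest(k_i, k_j)

def receive(msg, tag, i, t_r, t0, t, delta):
    """Buffer the packet only if the security condition holds, otherwise discard it."""
    return (msg, tag, i) if security_condition(t_r, t0, i, t, delta) else None

def authenticate(buffered, k_i: bytes, commitment: bytes) -> bool:
    """Run once K_i is disclosed: verify the key, then the buffered packet's MAC."""
    msg, tag, i = buffered
    if not key_is_authentic(k_i, i, commitment, 0):
        return False
    return hmac.compare_digest(hmac.new(k_i, msg, hashlib.sha256).digest(), tag)

def demo():
    # Constructed values: N = 20, fixed K_N for repeatability (a real sender picks it at random).
    chain = make_chain(20, b"constructed K_N")
    t0, t, tau, delta, now = 0, 100, 50, 10, 1000
    i = pick_interval(now, t0, t, tau, delta)
    tag = hmac.new(chain[i], b"route request", hashlib.sha256).digest()
    on_time = receive(b"route request", tag, i, 1040, t0, t, delta)
    late = receive(b"route request", tag, i, 1095, t0, t, delta)  # fails the condition
    return i, authenticate(on_time, chain[i], chain[0]), late
```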
7 Network Models (1)
- Assumptions on protocol layers
  - Disregard physical layer jamming
  - Network layer
  - Links are bidirectional
  - Security versus performance tradeoffs (disregard MAC layer attacks too)
  - Network may drop, corrupt, reorder, or duplicate packets in transmission
- Assumptions on node capabilities
  - Resource-constrained
  - When used with TESLA, all nodes must know $\Delta$ (max time synchronization error)
  - Compensate clock drift by re-synchronizing periodically
8 Network Models (2)
- Assumptions on security capabilities
- Authentication models
  - Pairwise shared secret keys: Set up $n(n+1)/2$ keys for n nodes
  - TESLA: Set up shared secret keys between communicating nodes, and distribute one authentic public TESLA key for each node
  - Digital signatures: Distribute one authentic public key for each node
- Each node has authentic element from Route Discovery chain
- Key setup?
  - To bootstrap authenticated keys between pairs of nodes, Key Distribution Center (KDC) initiates a Route Discovery. Each node will return a Route Reply. KDC sends keys to each node using the returned route
9 Attackers
- Passive
  - Eavesdrops
  - Threats against privacy/anonymity
- Active
  - Injects packets as well as eavesdrops
- Model: Active-n-m attacker (more discussions)
  - Compromises n good nodes and owns m nodes in the network
  - Attacker has all keys of compromised nodes and distributes them among all its nodes
  - Examples: Active-0-1, Active-0-x, etc.
- Active-VC attacker
  - Owns all nodes on a vertex cut
  - Partitions the network
10 Attacks on Ad Hoc Routing Protocols (1)
- Routing disruption attacks: Cause legitimate packets to be routed in dysfunctional ways
- Forge routing packets
  - To create routing loop
  - To create black hole, where all packets are dropped, or gray holes
  - To cause a node to use detours (suboptimal routes)
  - To partition the network
- Gratuitous detours: Using virtual nodes, make a longer route
- Blackmail a good node
  - Causing other good nodes to add that node to their blacklists, thus avoiding that node in routes
- Rushing attack
  - Targeted against on-demand routing protocols with duplicate suppression
  - Disseminates Route Requests quickly, suppressing any later legitimate Route Requests
- Wormhole
  - Pair of attacker nodes A and B linked via a private network connection, short circuiting the normal flow of routing packets (a virtual vertex cut)
11 Attacks on Ad Hoc Routing Protocols (2)
- Resource consumption attacks: Injects extra packets
- Data packets
  - Consumes bandwidth, especially over detours or loops
- Control packets
  - Consumes more bandwidth/computational resources for processing and forwarding such packets
- Active-VC attacker can extract max resources
  - Forward only routing packets and not data packets
12 Notations in Ariadne
- A, B are principals
- $K_{AB}$, $K_{BA}$ denote the secret MAC keys between A and B
- $\mathrm{MAC}_{K_{AB}}(M)$ denotes the computation of MAC of message M using MAC key $K_{AB}$
13 Ariadne Design Goals
- Resilience against Active-1-x and Active-y-x attackers
- Relatively easy against Active-0-x
- Network-wide shared secret key limits packet replaying
- Packet leashes prevent wormhole/rushing attacks
14 Ariadne Route Discovery
- Target authenticates Route Requests
  - Initiator includes a MAC with $K_{SD}$
  - Can verify authenticity and freshness
- Data Authentications
  - Initiator authenticates nodes in Route Reply
  - Target authenticates nodes in Route Request and returns only legitimate paths
  - Three alternative techniques: TESLA, digital signatures, standard MACs (read more details in the paper)
- Per-hop hashing
  - Authentication of data is not sufficient
  - One-way hash functions to verify that no hop was omitted
15 Route Discovery with TESLA (1)
- Assumptions
  - Every pair A, B share MAC key $K_{AB}$, $K_{BA}$
  - Every node has a TESLA one-way key chain
  - All nodes know an authentic key of every node
  - No intermediate node can remove a previous node in the node
- Two stages of Route Discovery
  - Initiator floods Route Request
  - Target returns Route Reply
- Ariadne provides the following properties
  - The target node can authenticate the initiator (using a MAC with a key shared between the initiator and the target)
  - The initiator can authenticate each entry of the path in the ROUTE REPLY
  - No intermediate node can remove a previous node in the node list in the REQUEST or REPLY
16 Route Discovery with TESLA (2)
- Route Request
  - Eight fields: <Route Request, initiator, target, id, time interval, hash chain, node list, MAC list>, details
  - Initiator initializes hash chain to $\mathrm{MAC}_{K_{SD}}(\text{initiator}, \text{target}, \text{id}, \text{time interval})$
- Intermediate node A receives the request, checks <initiator, id> and checks time interval
  - If it has seen it before, discard it as in DSR
  - Check if Time Interval is valid.
  - It must not be too far in the future and key corresponding to it must not be disclosed yet
  - If any condition fails, discard the request
  - If all conditions hold, A appends its address to node list, replaces hash chain with $H[A, \text{hash chain}]$, appends MAC of entire Request with TESLA key $K_{A_i}$ to MAC list
- Target checks validity of Request
  - By determining that the keys are not disclosed yet and that the hash chain is equal to $H[n_n, H[n_{n-1}, H[\ldots, H[n_1, \mathrm{MAC}_{K_{SD}}(\text{initiator}, \text{target}, \text{id}, \text{interval})] \ldots]]]$
  - If Request is valid, target returns a Route Reply
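The per-hop hash chain of the Route Request and the target's recomputation, as an added sketch that is not code from the paper or the lecture. SHA-256 and HMAC-SHA256 stand in for H and the MAC; the dictionary layout, field encoding, function names and all keys and addresses are assumptions of this example, and the target's separate check that TESLA keys are not yet disclosed is left out.

```python
import hashlib, hmac

def H(*parts: bytes) -> bytes:
    """One-way hash; length-prefixing each field is this example's encoding choice."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def MAC(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, H(*parts), hashlib.sha256).digest()

def fields(req: dict) -> list:
    return [req["initiator"], req["target"], req["id"], req["interval"],
            req["hash_chain"], *req["node_list"], *req["mac_list"]]

def new_request(k_sd, initiator, target, req_id, interval) -> dict:
    # Initiator seeds the hash chain with MAC_KSD(initiator, target, id, time interval).
    return {"initiator": initiator, "target": target, "id": req_id,
            "interval": interval, "node_list": [], "mac_list": [],
            "hash_chain": MAC(k_sd, initiator, target, req_id, interval)}

def forward(req: dict, addr: bytes, tesla_key: bytes) -> dict:
    # Node A appends its address, replaces hash chain with H[A, hash chain],
    # then appends a MAC of the entire Request under its current TESLA key.
    out = dict(req, node_list=req["node_list"] + [addr],
               hash_chain=H(addr, req["hash_chain"]))
    out["mac_list"] = req["mac_list"] + [MAC(tesla_key, *fields(out))]
    return out

def target_accepts(req: dict, k_sd: bytes) -> bool:
    # Target rebuilds H[n_n, H[n_{n-1}, ... H[n_1, MAC_KSD(...)] ...]] from the node list.
    h = MAC(k_sd, req["initiator"], req["target"], req["id"], req["interval"])
    for addr in req["node_list"]:
        h = H(addr, h)
    return hmac.compare_digest(h, req["hash_chain"])

def demo():
    # Constructed keys, addresses, id and interval, for illustration only.
    k_sd = b"constructed K_SD"
    req = new_request(k_sd, b"S", b"D", b"\x00\x01", b"\x00\x2a")
    for addr in (b"A", b"B", b"C"):
        req = forward(req, addr, b"constructed TESLA key of " + addr)
    # Same Request with hop B deleted from node list and MAC list: the hash
    # chain still commits to A, B, C, so the target's recomputation differs.
    cut = dict(req, node_list=[b"A", b"C"],
               mac_list=[req["mac_list"][0], req["mac_list"][2]])
    return target_accepts(req, k_sd), target_accepts(cut, k_sd)
```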
17 Route Discovery with TESLA (3)
- Route Reply
  - <Route Reply, target, initiator, time interval, node list, MAC list, target MAC, key list>, details
  - Target sends the packet to the initiator along the route in node list
  - An intermediate node waits until it can disclose its key and then appends its key
- The initiator verifies that
  - Each key is valid
  - target MAC is valid
  - Each MAC in MAC list is valid
18 Ariadne Route Maintenance
- Send Route Error when delivery to next hop fails after a limited number of attempts
- Does not consider attackers not sending Errors
- To prevent unauthorized nodes from sending Errors, sender authenticates Errors
- Route Error packet: <Route Error, sending address, receiving address, time interval, error MAC, recent TESLA key>
- More details on route maintenance
19 Ariadne Evaluation
- Section 7
- Tables and figures
20 Discussions