SRDP: Securing Route Discovery in DSR - PowerPoint PPT Presentation

About This Presentation
Title:

SRDP: Securing Route Discovery in DSR

Description:

SRDP: Securing Route Discovery in DSR Jihye Kim and Gene Tsudik Computer Science Department University of California at Irvine {Jihyek, gts}_at_ics.uci.edu – PowerPoint PPT presentation

Number of Views:65
Avg rating:3.0/5.0
Slides: 24
Provided by: icsUciEdu9
Learn more at: https://ics.uci.edu
Category:

less

Transcript and Presenter's Notes

Title: SRDP: Securing Route Discovery in DSR


1
SRDP Securing Route Discovery in DSR
  • Jihye Kim and Gene Tsudik
  • Computer Science Department
  • University of California at Irvine
  • Jihyek, gts_at_ics.uci.edu

D
B
C
H
E
S
G
F
2
Outline
  • Introduction
  • Secure Route Discovery Protocol (SRDP)
  • Conventional MACs
  • DH-based MACs
  • Accountable-Subgroup Multi-signatures (ASM)
  • Multi-signatures based on Gap Diffie-Hellman
    (GDH) Groups
  • Sequential Aggregate Signatures (SAS)
  • Analysis
  • Conclusion

3
Introduction
  • MANET Characteristics
  • No fixed infrastructure and node mobility
  • Traditional routing protocol cannot be used.
  • Dynamic Source Routing (DSR)
  • Source obtains information of all nodes along a
    path to the destination on-demand.
  • Basic Operations
  • Route Discovery
  • Core function of DSR we will deal with.
  • Data routing
  • Route Maintenance, etc.

4
Route Discovery
  • Route discovery has two stages
  • The source floods the network with ROUTE REQUEST
    (RREQ) and
  • The destination returns a ROUTE REPLY (RREP).

D
B
S-B-C-D
S-B-C
C
S-B
S
S-G-E
S-G-E
RREQ
H
S
E
S
S-G
S-G-E
RREP
G
F
5
Security of Route Discovery
  • Like most network protocols, DSR is designed for
    non-adversarial networks.
  • An adversarial node can easily disrupt the route
    discovery process by adding, deleting, and
    modifying any node in the route.

Need to add Security Features for Route Discovery
6
SRDP Secure Route Discovery Protocol
  • Need following properties

1. Source can authenticate each entry of the path.
2. No intermediate node can remove a previous
node in the node list in the route discovery
packet.
3. Destination (optionally, intermediate nodes)
authenticates source to prevent DoS attacks
7
Related/Previous Work
  • Ariadne Hu, et al. Mobicom 2002
  • Pros
  • Node authentication based on TESLA
  • Very efficient using MACs
  • Cons
  • Loose time synchronization required.
  • No non-repudiation
  • Combined size of MACs depends on route length
  • We want

Non-repudiation No Time Synchronization
Fixed-size Authentication Tag
8
Attacks
  • Active attacker
  • Add, delete and modify the route
  • Possible Attacks
  • The adversary can add or delete a set of
    compromised nodes from the route
  • The adversary can control a sandwiched node list
    closed by attackers

N2
A1
A2
S
D
N3
N4
N1
9
Security Definition (informal)
  • Route Discovery is secure if, for a given a route

1. The source can verify the presence of each
honest node that appears in the route.
2. For all honest nodes appearing in the route,
their view of the route is either the same or, if
not the same, the discrepancy is detected by the
source.
10
Observations
  • RREQ is processed by many nodes
  • RREP is processed by few nodes
  • Minimize overhead in RREQ
  • Shift as much as possible to RREP
  • MACs and signatures take more space than route
    elements
  • Need to minimize bw consumed (reason)
  • Also
  • Minimize state maintained between RREQ/RREP
  • Remember only the route prefix or hash thereof
  • DSR already requires state to be kept

11
Recap DSR
S
RREQ0 RREQh, ( )
If it it new, process RREQ and cache Sid
B
RREP2 RREPh
RREQ1 RREQh, (B)
C
If it it new, process RREQ and cache Sid
RREP1 RREPh
RREQ2 RREQh, (B, C)
D
RREP0 RREPh
12
Generic SRDP
S
Verify
RREQ0 RREQh, ( )
If it it new, process RREQ and cache Sid and
prefix
B
RREP2 RREPh, ( )
RREQ1 RREQh, (B)
Fetch and verify route prefix
If it it new, process RREQ and cache Sid and
prefix
C
RREP1 RREPh, ( )
Fetch and verify route prefix
RREQ2 RREQh, (B, C)
D
RREP0 RREPh, ( )
Verify
13
Conventional MACs
S
B
C
D
Fast, but requires pre-shared keys doesnt
provide non-repudiation
14
MACs based on Diffie-Hellman
S
B
C
D
No pre-shared keys, relatively expensive
doesnt provide non-repudiation
15
Accountable-Subgroup Multi-SignaturesMicali,
Ohta and Reyzin ACM CCS01 ( Based on Schnorr
signatures )
S
B
C
D
  • Note that state must be kept after RREQ ? bad!
  • But, note that RREP processing is very lightweight

16
Multi-signatures based on GDH Groups Boneh,
Gentry, Shacham, and Lynn Eurocrypt03
S
valid DDH triple
B
C
D
17
Sequential Aggregate Signatureswith RSA
Lysyanskaya, Micali, Reyzin, and Shacham
Eurocrypt04
S
B
Y
C
N
Y
D
N
18
Analysis
  • Auth. tag generation cost of an intermediate node
  • Can be done off-line or re-used from earlier
    RREQ processing
  • Auth. Tag verification cost of the source
  • r is the number of nodes in the route list

Op. type DH ASM GDH SAS
Exponentiations 2 1 0 1
Scalar mult-ns 0 0 1 0
Exponent size p for both q ?? n
Op. type DH ASM GDH SAS
Exponentiations 2 2 0 r
Scalar mult-ns 0 0 2 0
Exponent size p for both q 160 ?? constant e.g., 3
19
Some Experimental Results
  • Generation and Verification costs (msec) for
    route of length 10

Key size Key size Generation Generation Generation Generation
p or n (bits) q (bits) DH ASM GDH SAS
1024 160 20.08 2.13 7.14 4.29
2048 224 131.53 10.25 22.78 26.10
Key size Key size Verification Verification Verification Verification
p or n (bits) q (bits) DH ASM GDH SAS
1024 160 20.00 4.47 89.00 2.53
2048 224 132.97 17.96 256.30 7.92
20
Conclusion
  • SRDP severely limits the range of possible
    attacks on DSR Route Discovery by combining
    prefix caching and backward authentication
  • ASM-based aggregated signatures seem to be best
    suited
  • More experimentation needed to compare with
    Ariadne
  • Clearly, MACs are cheaper but extra bandwidth is
    costly!
  • Ultimately hard to compare since non-repudiation
    is not offered in Ariadne

21
End
22
Forward vs Backward Authentication
  • Partial route in RREQ is accumulated
    incrementally (via flooding) until destination is
    reached
  • RREP confirms the route by re-visiting it (via
    unicast) in reverse order.

RREQ
  • A node cannot know whether it will be on the
    eventual route.
  • It sees only partial route information, the
    prefix.

RREP
  • A node can include its authentication tag in the
    eventual route.
  • All nodes view of the route should be exactly
    the same.

1. Cache the prefix of RREQ
2. Check the prefix of RREQ
3. Compute the authentication tag on RREP via
efficient signature aggregation mechanism
23
Schnorr Signature Scheme re-cap
  • System-wide parameters p, q, g, h()
  • p,q primes, p-1kq, g generator, h(.) hash
    fn.
  • Signers public key y g X mod p
  • Signers secret key x
  • Signature generation s (e,s) where
  • r randomly selected from Zq
  • e h(m,gr)
  • s (xe r) mod q x h(m,gr) r mod q
  • Signature Verification h ( m, gs y-e ) ?
    e
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "SRDP: Securing Route Discovery in DSR" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!