Securing Mobile Ad Hoc Networks using distributed firewall with PKI

FreddieWoods,Virgin Islands (British),Professional
Published Date:24-08-2017
Securing Mobile Ad Hoc Networks¹

Abstract

The vision of nomadic computing with its ubiquitous access has stimulated much interest in the Mobile Ad Hoc Networking (MANET) technology. These infrastructureless, self-organized networks, which either operate autonomously or as an extension to the wired networking infrastructure, are expected to support new MANET-based applications. However, the proliferation of this networking paradigm strongly depends on the availability of security provisions, among other factors. The absence of infrastructure, the nature of the envisioned applications, and the resource-constrained environment pose some new challenges in securing the protocols in ad hoc networking environments. The security requirements can differ significantly from those for infrastructure-based networks, while the provision of security enhancements may take completely different directions as well. In this chapter, we study the schemes proposed to secure mobile ad hoc networks. We explain the primary goals of security enhancements, shed light on the commensurate challenges, survey the current literature on this topic, and finally introduce our approach to this multifaceted and intriguing topic.

¹ This work has been supported in part by the DoD Multidisciplinary University Research Initiative (MURI) program administered by the Office of Naval Research under the Grant number N00014-00-1-0564 and by the National Science Foundation grant number ANI-9980521. © 2003 by CRC Press LLC

31.1 Introduction

Mobile ad hoc networks comprise freely roaming wireless nodes that cooperatively make up for the absence of fixed infrastructure; that is, the nodes themselves support the network functionality. Nodes transiently associate with peers that are within the radio connectivity range of their transceivers and implicitly agree to assist in provision of the basic network services.
These associations are dynamically created and torn down, often without prior notice or the consent of the communicating parties. MANET technology targets networks that can be rapidly deployed or formed in an arbitrary environment to enable communications or to serve a common objective dictated by the supported application. Such networks can be highly heterogeneous, with various types of equipment, usage, transmission, and mobility patterns.

Secure communication, an important aspect of any networking environment, becomes an especially significant challenge in ad hoc networks. This is due to the particular characteristics of this new networking paradigm and due to the fact that traditional security mechanisms may be inapplicable. The absence of a central authority deprives the network of the administrative and management services that would otherwise greatly facilitate its operation. MANET has to rely on continuous self-configuration, especially because of the highly dynamic nature of the network. Problems such as scheduling, address assignment, provision of naming services, and formation of network hierarchy cannot be solved by traditional centralized protocols. Instead, distributed operation is necessary in all aspects of network control, including basic security-related operations, such as the validation of node credentials. In the fully distributed and open environment of ad hoc networking, the provision of such services may not only incur a high overhead, but also provide additional opportunities for misbehaving nodes to harm the network operation.

In general, nodes participate in a protocol execution as peers, which implies that potentially any network node can abuse the protocol operation. As a result, it is fairly difficult to identify trustworthy and supportive nodes based on the network interaction.
Additionally, determining the protocol or network components that have to be safeguarded is far from straightforward, something that makes the design of adequate security countermeasures even more difficult. Meanwhile, the practically invisible (or nonexistent) administrative or domain boundaries make the enforcement of any security measures an even more complex problem. Migrating nodes may face varying “rules” even when they run the same application, as they move through different network areas and become associated with different groups of nodes. Or, they may lack the ground for the establishment of trust associations, that is, the establishment of some type of a secret, so that cryptographic mechanisms can be employed.

Below, we discuss in further detail the vulnerability of mobile ad hoc networks, clarify how security goals may have to be modified, and explain which types of solutions are plausible for different network instances. Although the discussion throughout a great part of the chapter applies to all types of ad hoc networks, it is important to realize that strictly not all solutions can be applied in all ad hoc networking environments. Moreover, it is necessary to emphasize the relative importance of addressing certain security issues, which can be considered, to some extent, as prerequisites for solutions to other security problems. In the following sections, we present the challenges posed by the MANET environment, survey the relevant literature, identify the limitations of the proposed approaches, and suggest directions for future solutions.

31.2 Security Goals

The overall problem of securing a distributed system comprises the security of the networked environment and the security of each individual network node. The latter issue is important due to the pervasive nature of MANET, which does not allow us to assume that networked devices will always be under the continuous control of their owners.
As a result, the physical security of the node becomes an important issue, leading to the requirement of tamper-resistant nodes [24], if comprehensive security is to be provided. However, security problems manifest themselves in a more emphatic manner in a networked environment, and especially in mobile ad hoc networks. This is why in this work we focus on the network-related security issues.

Security encompasses a number of attributes that have to be addressed: availability, integrity, authentication, confidentiality, nonrepudiation, and authorization. These goals, which are not MANET-specific only, call for approaches that have to be adapted to the particular features of MANETs.

Availability ensures the survivability of network services despite misbehavior of network nodes; for instance, when nodes exhibit selfish behavior or when denial-of-service (DoS) attacks are mounted. DoS attacks can be launched at any layer of an ad hoc network. For example, an adversary could use jamming to interfere with communication at the physical layer, or, at the network layer, it could disable the routing protocol operation, by disrupting the route discovery procedure. Moreover, an adversary could bring down high-level services. One such target is the key management service, an essential service for implementation of any security framework.

Integrity guarantees that an in-transit message is not altered. A message could be altered because of benign failures, such as radio propagation impairments, or because of malicious attacks on the network. Integrity viewed in the context of a specific connection, that is, the communication of two or more nodes, can provide the assurance that no messages are removed, replayed, reordered (if reordering would cause loss of information), or unlawfully inserted.

Authentication enables a node to ensure the identity of the peer node that it is communicating with.
Without authentication, an adversary could masquerade as a node, possibly gain unauthorized access to resources and sensitive information, and interfere with the operation of other nodes.

Confidentiality ensures that certain information is never disclosed to unauthorized entities. Confidentiality is required for the protection of sensitive information, such as strategic or tactical military information. However, confidentiality is not restricted to user information only; routing information may also need to remain confidential in certain cases. For example, routing information might be valuable for an enemy to identify and to locate targets on a battlefield.

Nonrepudiation ensures that the originator of a message cannot deny having sent the message. Nonrepudiation is useful for detection and isolation of compromised nodes. When node A receives an erroneous message from node B, A can use this message to accuse B and convince other nodes that B is compromised.

Finally, authorization establishes rules that define what each network node is or is not allowed to do. In many cases, it is required to determine which resources or information across the network a node can access. This requirement can be the result of the network organization or the supported application when, for instance, a group of nodes or a service provider wishes to regulate the interaction with the rest of the network. Another example could be when specific roles are attributed to nodes in order to facilitate network operation.

The security of mobile ad hoc networks has additional dimensions, such as privacy, correctness, reliability, and fault tolerance. In particular, the resilience to failures, which in our context can be the result of malicious acts, and the protection of the correct operation of the employed protocols are of critical importance and should be considered in conjunction with the security of the mobile ad hoc network.

31.3 Threats and Challenges

Mobile ad hoc networks are vulnerable to a wide range of active and passive attacks that can be launched relatively easily, since all communications take place over the wireless medium. In particular, wireless communication facilitates eavesdropping, especially because continuous monitoring of the shared medium, referred to as promiscuous mode, is required by many MANET protocols. Impersonation is another attack that becomes more feasible in the wireless environment. Physical access to the network is gained simply by transmitting with adequate power to reach one or more nodes in proximity, which may have no means to distinguish the transmission of an adversary from that of a legitimate source. Finally, wireless transmissions can be intercepted, and an adversary with sufficient transmission power and knowledge of the physical and medium access control layer mechanisms can obstruct its neighbors from gaining access to the wireless medium.

Assisted by these “opportunities” that wireless communication offers, malicious nodes can meaningfully alter, discard, forge, inject, and replay control and data traffic, generate floods of spurious messages, and, in general, avoid complying with the employed protocols. The impact of such malicious behavior can be severe, especially because the cooperation of all network nodes provides for the functionality of the absent fixed infrastructure. In particular, as part of the normal operation of the network, nodes are transiently associated with a dynamically changing, over time, subset of their peers; that is, the nodes within the range of their transceivers, or the ones that provide routing information and implicitly agree to relay their data packets. As a result, a malicious node can obstruct the communications of potentially any node in the network, exactly because it is entitled or even expected to assist in the network operation.
In addition, freely roaming nodes join and leave MANET subdomains independently, possibly frequently, and without notice, making it difficult in most cases to have a clear picture of the ad hoc network membership. In other words, there may be no ground for an a priori classification of a subset of nodes as trusted to support the network functionality. Trust may only be developed over time, while trust relationships among nodes may also change, when, for example, nodes in an ad hoc network dynamically become affiliated with administrative domains. This is in contrast to other mobile networking paradigms, such as Mobile IP or cellular telephony, where nodes continue to belong to their administrative domain in spite of mobility. Consequently, security solutions with static configuration would not suffice, and the assumption that all nodes can be bootstrapped with the credentials of all other nodes would be unrealistic for a wide range of MANET instances.

From a slightly different point of view, it becomes apparent that nodes cannot be easily classified as “internal” or “external,” that is, nodes that belong to the network or not; i.e., nodes that are expected to participate and be dedicated to supporting a certain network operation and those that are not. In other words, the absence of an infrastructure impedes the usual practice of establishing a line of defense, separating nodes into trusted and nontrusted. As a result, attacks cannot be classified as internal or external either, especially at the network layer. Of course, such a distinction could be made at the application layer, where access to a service or participation in its collaborative support may be allowed only to authorized nodes. In the latter example, an attack from a compromised node within the group, that is, a group node under the control of an adversary, would be considered an internal one.
The absence of a central entity makes the detection of attacks a very difficult problem, since highly dynamic large networks cannot be easily monitored. Benign failures, such as transmission impairments, path breakages, and dropped packets, are naturally a fairly common occurrence in mobile ad hoc networks, and, consequently, malicious failures will be more difficult to distinguish. This will be especially true for adversaries that vary their attack pattern and misbehave intermittently against a set of their peers that also changes over time. As a result, short-lived observations will not allow detection of adversaries. Moreover, abnormal situations may occur frequently because nodes behave in a selfish manner and do not always assist the network functionality. It is noteworthy that such behavior may not be malicious, but only necessary when, for example, a node shuts its transceiver down in order to preserve its battery.

Most of the currently considered MANET protocols were not originally designed to deal with malicious behavior or other security threats. Thus, they are easy to abuse. Incorrect routing information can be injected by malicious nodes that respond with or advertise nonexistent or stale routes and links. In addition, compromised routes, i.e., routes that are not free of malicious nodes, may be repeatedly chosen² with the “encouragement” provided by the malicious nodes themselves. The result is that the pair of communicating end-nodes will experience DoS, and they may have to rely on cycles of timeout and new route discovery to find operational routes, with successive query broadcasts imposing additional overhead. Or even worse, the end nodes may be easily deceived for some period of time that the data flow is undisrupted, while no actual communication takes place. For example, the adversary may drop a route error message, “hiding” a route breakage, or forge network and transport layer acknowledgments.
² For instance, the malicious nodes may claim that they possess an inexpensive (short) route to the destination.

Finally, mobile or nomadic hosts have limited computational capabilities, due to constraints stemming from the nature of the envisioned MANET applications. Expensive cryptographic operations, especially if they have to be performed for each packet and over each link of the traversed path, make such schemes implausible for the vast majority of mobile devices. Cryptographic algorithms may require significant computation delays, which in some cases would range from one to several seconds for low-end devices [5,11]. These delays, imposed for example by the generation or verification of a single digital signature, affect the data rate of secure communication. But, more importantly, mobile devices could become ideal targets of DoS attacks due to their limited computational resources. An adversary could generate bogus packets, forcing the device to consume a substantial portion of its resources. Even worse, a malicious node with valid credentials could frequently generate control traffic, such as route queries, at a high rate not only to consume bandwidth, but also to impose cumbersome cryptographic operations on a sizable portion of the network nodes.

31.4 Trust Management

The use of cryptographic techniques is necessary for the provision of any type of security services, and mobile ad hoc networks are not an exception to this rule. The definition and the mechanisms for security policies, credentials, and trust relationships, i.e., the components of what is collectively identified as trust management, are a prerequisite for any security scheme. A large number of solutions have been presented in the literature for distributed systems, but they cannot be readily transplanted into the MANET context, since they rely on the existence of a network hierarchy and a central entity.
Envisioned applications for the ad hoc networking environment may require a completely different notion of establishing a trust relationship, while the network operation may impose additional obstacles to the effective implementation of such solutions.

For small-scale networks, of the size of a personal or home network, trust can be established in a truly ad hoc manner, since relationships can be static and sporadically reconfigured manually. In such an environment, the owner of a number of devices or appliances can imprint them, that is, distribute their credentials along with a set of rules that determine the allowed interaction with and between devices [24]. The proposed security policy follows a master-slave model, with the master device being responsible for reconfiguring slave devices, issuing commands, or retrieving data. The return to the initial state can be performed only by the master device or by some trusted key escrow service.

This model naturally lends itself to represent personal area networking, in particular network instances such as Bluetooth [4], in the sense that within a piconet the interactions between nodes can be determined by the security policy. The model can be extended by allowing partial control or access rights to be delegated, so that the secure interaction of devices becomes more flexible [25]. However, if the control over a node can be delegated, the new master should be prevented from eradicating prior associations and assuming full control of the node.

A more flexible configuration, independent of initial bindings, can be useful when a group of people wish to form a collaborative computing environment [9]. In such a scenario, the problem of establishing a trust relationship can be solved by a secure key agreement, so that any two or more devices are able to communicate securely.
The mutual trust among users allows them to share or establish a password using an offline secure channel or perform a “pre-authentication” step through a localized channel [1]. Then, they can execute a password-based authenticated key exchange over the nonsecure wireless medium. Schemes that derive a shared symmetric key could use a two- or a multi-party version of the password authenticated Diffie–Hellman key-exchange algorithm [3].

Human judgment and intervention can greatly facilitate the establishment of spontaneous connectivity among devices. Users can select a shared password or manually configure the security bindings between devices, as seen above. Furthermore, they could assess subjectively the “security” of their physical and networking environment and then proceed accordingly. However, human assistance may be impossible for the envisioned MANET environment with nodes acting as mobile routers, even though the distinction between an end device and a router may be only logical, with nodes assuming both roles. Frequently, the sole requirement for two transiently associated devices will be to mutually assist each other in the provision of basic networking services, such as route discovery and data forwarding. This could be so since mobile nodes do not necessarily pursue collectively a common goal. As a result, the users of the devices may have no means to establish a trust relationship in the absence of a prior context.

However, there is no reason to believe that a more general trust model would not be required in the MANET context. For instance, a node joining a domain may have to present its credentials in order to access an available service and, at the same time, authenticate the service itself. Similarly, two network nodes may wish to employ a secure mode of multi-hop communication and verify each other’s identity.
Clearly, support for such types of secure interaction, either at the network or at the application layer, will be needed.

A public key cryptosystem can be a solution, with each node bound to a pair of keys, one publicly known and one private. However, the deployment of a public key infrastructure (PKI) requires the existence of a certification authority (CA), a trusted third party responsible for certifying the binding between nodes and public keys. The use of a single point of service for key management can be a problem in the MANET context, especially because such a service should always remain available. It is possible that network partitions or congested links close to the CA server, although they may be transient, could cause significant delays in getting a response. Moreover, in the presence of adversaries, access to the CA may be obstructed, or the resources of the CA node may be exhausted by a DoS attack.

One approach is not to rely on a CA and thus abolish all the advantages of such a facility. Another approach is to institute the CA in a way that answers the particular challenges of the MANET environment. The former approach can be based on the bootstrapping of all network nodes with the credentials of every other node. However, such an assumption would dramatically narrow the scope of ad hoc networking, since it can be applied only to short-lived mission-oriented and thus closed networks. An additional limitation may stem from the need to ensure a sufficient level of security, which implies that certificates should be refreshed from time to time, requiring, again, the presence of a CA.

Alternatively, it has been suggested that users certify the public keys of other users. One such scheme proposes that any group of K nodes may provide a certificate to a requesting node.
Such a node broadcasts the request to its one-hop neighborhood, each neighbor provides a partial certificate, and if sufficient K such certificates are collected, the node acquires the complete certificate [14, 29]. Another scheme proposes that each node select a number of certificates to store, so that, when a node wants the public key of one of its peers, the two certificate repositories are merged, and if a chain of certificates is discovered, the public key is obtained [13].

The solution of a key management facility that meets the requirement of the MANET environment has been proposed in [29]. To do so, the proposed instantiation of the public key infrastructure provides increased availability and fault tolerance. The distributed instantiation of the certification authority (CA) is equipped with a private/public key pair. All network nodes know the public key of the CA and trust all certificates signed by the CA’s private key. Nodes that wish to establish secure communication with a destination query the CA and retrieve the required certificate, thus being able to authenticate the other end, and establish a secret shared key for improved efficiency. Similarly, nodes can request an update from the CA, that is, change their own public key and acquire a certificate for the new key.

The distributed CA is instantiated by a set of nodes (servers), as shown in Fig. 31.1, for enhanced availability. However, this is not done through naïve replication, which would increase the vulnerability of the system, since the compromise of a single replica would be sufficient for the adversary to control the CA. Instead, the trust is distributed among a set of nodes that share the key management responsibility. In particular, each of the n servers has its own pair of public/private keys and they collectively share the ability to sign certificates.
This is achieved with the use of threshold cryptography, which allows any t + 1 out of n parties to perform a cryptographic operation, while t parties cannot do so. To accomplish this, the private key of the service, as a whole, is divided into n shares, with each of the servers holding one share. When a signature has to be computed, each server uses its share and generates a partial signature. All partial signatures are submitted to a combiner, a server with the special role to generate the certificate signature out of the collected partial signatures, as shown in the example of Fig. 31.2. This is possible only with at least t + 1 valid partial signatures.

FIGURE 31.1 The configuration of a key management service comprising n servers. The service, as a whole, has a public/private key pair K/k. The public key K is known to all nodes in the network, whereas the private key k is divided into n shares s_1, s_2, ..., s_n, with one share for each server. Moreover, each server has a public/private key pair K_i/k_i and knows the public keys of all nodes. (Reprinted with permission from Zhou, L. and Haas, Z.J., Securing ad hoc networks, IEEE Network Magazine, 13(6), Nov./Dec. 1999. © 1999 IEEE.)

FIGURE 31.2 The calculation of a threshold signature. As an example, the service consists of three servers and uses a (3,2) threshold cryptography scheme. K/k is the public/private key pair of the service and each server has a share s_i of the private key. To calculate the threshold signature on a message m, each server generates a partial signature PS(m, s_i) and correct servers 1 and 3 forward their partial signatures to a combiner c. Even though server 2 fails to submit a partial signature, c is able to generate the signature m_k (m signed by the service private key k). (Reprinted with permission from Zhou, L. and Haas, Z.J., Securing ad hoc networks, IEEE Network Magazine, 13(6), Nov./Dec. 1999. © 1999 IEEE.)
The application of threshold cryptography provides protection from compromised servers, since more than t servers have to be compromised before the adversary assumes control of the service. If fewer than t + 1 servers are under the control of an adversary, the operation of the CA can continue, since purposefully invalid partial signatures, “contributed” by rogue servers, will be detected.

Moreover, the service provides the assurance that the adversary will not be able to compromise enough servers over a long period of time. This is done with the help of share refreshing, a technique that allows the servers to calculate new shares from the old ones without disclosing the private key of the service. The new shares are independent from the older ones and cannot be combined with the old shares in an attempt to recover the private key of the CA. As a result, to compromise the system, all t + 1 shares have to be compromised within one refresh period, which can be chosen appropriately short in order to decrease vulnerability. The vulnerability can be decreased even further, when a quorum of correct servers detects compromised or unavailable servers and reconfigures the service, that is, generates and distributes a new set of n' shares, t' + 1 of which need be combined now to calculate a valid signature. It is noteworthy that the public/private key pair of the service is not affected by share refreshing and reconfiguration operations, which are transparent to all clients.

The threshold cryptography key management scheme can be adapted further by selecting different configurations of the key management service for different network instances. For example, the numbers of servers can be selected according to the size or the rate of membership changes of the network; for a large number of nodes within a large coverage area, the number of servers should also be large, so that the responsiveness of the service can be high.
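
The threshold signing and share refreshing described above, as an added example that is not code from the chapter or from the key management service it cites. It assumes Shamir sharing over a toy prime-order group, a discrete-log style partial signature PS(m, s_i) = H(m)^(s_i) standing in for the service's actual signature algorithm, and zero-constant-term polynomials for refreshing; all function names are illustrative, and n = 3, t = 1 mirrors Fig. 31.2.

```python
import hashlib
import secrets

# Toy group constructed for this example: P = 2*Q + 1 with P and Q prime.
# Real deployments use standardized groups or curves of cryptographic size.
P, Q = 2039, 1019


def _rand():
    """Uniform coefficient in [0, Q); tests may inject a fixed source instead."""
    return secrets.randbelow(Q)


def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal_shares(k, t, n, rand=_rand):
    """Split the service key k into n shares; any t + 1 of them determine k."""
    coeffs = [k % Q] + [rand() for _ in range(t)]
    return {i: poly_eval(coeffs, i) for i in range(1, n + 1)}


def lagrange_at_zero(ids):
    """Coefficients lam_i with sum(lam_i * f(i)) = f(0) mod Q for degree < len(ids)."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * j % Q
                den = den * (j - i) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def reconstruct(shares):
    """Interpolate f(0) from a {server_id: share} subset (used for checking only)."""
    lam = lagrange_at_zero(list(shares))
    return sum(lam[i] * s for i, s in shares.items()) % Q


def hash_to_group(message):
    """Map a message into the order-Q subgroup of Z_P* (squaring a value in 2..P-2)."""
    h = 2 + int.from_bytes(hashlib.sha256(message).digest(), "big") % (P - 3)
    return pow(h, 2, P)


def partial_signature(message, share):
    """PS(m, s_i): computed locally by server i with its own share."""
    return pow(hash_to_group(message), share, P)


def combine(partials):
    """Combiner: derive H(m)^k from t + 1 partial signatures; k is never formed."""
    lam = lagrange_at_zero(list(partials))
    sig = 1
    for i, ps in partials.items():
        sig = sig * pow(ps, lam[i], P) % P
    return sig


def refresh_shares(shares, t, rand=_rand):
    """Share refreshing: every server deals a random degree-t polynomial with
    zero constant term, and each server adds the sub-shares it receives."""
    new = dict(shares)
    for _dealer in shares:
        delta = [0] + [rand() for _ in range(t)]
        for j in new:
            new[j] = (new[j] + poly_eval(delta, j)) % Q
    return new


if __name__ == "__main__":
    k = 777                                   # constructed service private key
    msg = b"constructed certificate body"
    old = deal_shares(k, t=1, n=3)
    # Servers 1 and 3 answer, server 2 stays silent, as in Fig. 31.2.
    sig = combine({i: partial_signature(msg, old[i]) for i in (1, 3)})
    print("signature matches H(m)^k:", sig == pow(hash_to_group(msg), k, P))
    new = refresh_shares(old, t=1)
    print("same key after refresh:", reconstruct({2: new[2], 3: new[3]}) == k)
    print("old + new share recover k:", reconstruct({1: old[1], 2: new[2]}) == k)
```

Detecting invalid partial signatures from rogue servers, which the text also mentions, needs per-share verification data and is outside this example.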
Nodes will tend to interact with the closest server, which can be only a few hops away, or with the server that responds with the least delay. Another possibility is to alternate among the servers within easy reach of the client, something that can happen naturally in a dynamically changing topology. This way, the load from queries and updates will be balanced among different servers, and the chances of congestion near one of the servers will be reduced. At the same time, the storage requirements can be traded off for interserver communication, by storing at each server a fraction of the entire database.

Additionally, the efficient operation of the CA can be enhanced when it is combined with secure route discovery and data forwarding protocols. Such protocols could, in fact, approximate the assumption of reliable links between servers in [29] even in the presence of adversaries. In particular, two of the protocols³ that will be discussed below, SRP and SMT, lend themselves naturally to this model. Any two servers can discover and maintain routes to each other and forward service-related traffic, regardless of whether or not intermediate nodes are trusted.

31.5 Secure Routing

The secure operation of the MANET routing protocol is of central importance because of the absence of a fixed infrastructure. Instead, nodes are transiently associated and will cooperate with virtually any node, including those that could potentially disrupt the route discovery and data forwarding operations. In particular, the disruption of the route discovery may be an “effective” means to systematically obstruct the flow of data. Adversaries can respond with stale or corrupted route replies or broadcast forged control packets in order to obstruct the propagation of legitimate queries and routing updates.

However, the usual practice for securing Internet routing protocols [19] cannot be applied in the MANET context.
The schemes proposed to secure Internet routing rely mainly on the existence of a line of defense, separating the fixed routing infrastructure from all other network entities. This is achieved by distributing a set of public keys/certificates, which signify the authority of the router to act within the limits of the employed protocol (e.g., advertise certain routes), and allow all routing data exchanges to be authenticated, not repudiated, and protected from tampering. However, such approaches cannot combat a malicious router disseminating incorrect topological information. More importantly, they are not applicable in the MANET context because of impediments such as the absence of a fixed infrastructure and a central entity.

Although the appropriate design could provide increased assurances of the availability of an online certification authority (CA), the use of digital signatures and the hop-by-hop validation of control traffic may not be practical. First, mobile nodes lack sufficient computational power, as discussed above, and second, the interaction with the CA could become a limiting factor. In order to verify the correctness of the discovered routes, a node will have to acquire and validate the credentials of the responding nodes. Clearly, at least one route to the server has to be discovered before the node can contact the node instituting the CA server. But the problem is that, in the presence of adversaries, forged replies would still require the server’s response to be validated.

Another important limitation arises from the frequently changing topology and network membership, which would incur frequent queries addressed to the CA. In addition, congested links close to the server, although they may be transient or intermittent, could result in significant delays or even total failure to provide the certification services. Even relatively small delays may render the validation process obsolete.
Footnote 3: Any two servers of the key management service have a mutual security binding.

The protection of the route discovery process has been regarded as an additional Quality-of-Service (QoS) issue [28], by choosing routes that satisfy certain quantifiable security criteria. In particular, nodes in a MANET subnet are classified into different trust and privilege levels. A node initiating a route discovery sets the sought “security” for the route, that is, the required minimum trust level for nodes participating in the query/reply propagation. Nodes at each trust level share symmetric encryption and decryption keys. Intermediate nodes of different levels that cannot determine whether the required QoS parameter can be satisfied or decrypt in-transit routing packets drop them. This scheme provides protection (e.g., integrity) of the routing protocol traffic against adversaries outside a specific trust level.

An extension of the Ad Hoc On-demand Distance Vector (AODV) [20] routing protocol has been proposed [10] in order to protect the routing protocol messages. The Secure-AODV scheme assumes that each node has the certified public keys of all network nodes, since intermediate nodes validate all in-transit routing packets. The basic idea is that the originator of a control message appends an RSA signature [23] and the last element of a hash chain [15], i.e., the result of n consecutive hash calculations of a random number. As the message traverses the network, intermediate nodes cryptographically validate the signature and the hash value, generate the k-th element of the hash chain, with k being the number of traversed hops, and place it in the packet. Route replies are provided either by the destination or by intermediate nodes that have an active route to the sought destination.
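The hash-chain check described above can be sketched as follows. This is an added example, not code from the chapter or from the Secure-AODV draft: SHA-256, the field names and the `max_hops` limit (the n of the text) are assumptions, and the RSA signature that would cover the fixed fields is not shown.

```python
import hashlib
import os

def h(value: bytes, times: int = 1) -> bytes:
    """Apply the hash `times` times (SHA-256 is an assumption of this sketch)."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

def originate(max_hops: int) -> dict:
    """Originator: draw a random seed and publish the n-th chain element.

    top_hash and max_hops are fixed fields that the originator's signature
    (omitted here) would protect; hop_count and hash change at every hop.
    """
    seed = os.urandom(32)
    return {"max_hops": max_hops, "top_hash": h(seed, max_hops),
            "hop_count": 0, "hash": seed}

def verify(msg: dict) -> bool:
    """A node k hops away holds the k-th element; n - k more hashes must
    reproduce the published last element."""
    remaining = msg["max_hops"] - msg["hop_count"]
    return remaining >= 0 and h(msg["hash"], remaining) == msg["top_hash"]

def relay(msg: dict):
    """Validate, then advance the chain by one element and count the hop."""
    if not verify(msg) or msg["hop_count"] >= msg["max_hops"]:
        return None
    return dict(msg, hop_count=msg["hop_count"] + 1, hash=h(msg["hash"]))

def demo() -> dict:
    msg = originate(max_hops=8)
    for _ in range(3):
        msg = relay(msg)
    # A packet that claims 1 hop while carrying the 3rd chain element:
    # producing the matching element would require inverting the hash.
    understated = dict(msg, hop_count=1)
    exhausted = msg
    for _ in range(5):
        exhausted = relay(exhausted)
    return {"hops": msg["hop_count"], "honest": verify(msg),
            "understated": verify(understated), "past_limit": relay(exhausted)}
```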
A second proposal to secure AODV makes use of public key cryptography as well and operates in two stages, an end-to-end authentication, and an optional secure shortest path discovery [7]. First, a signed route request propagates to the sought destination, which returns a signed response to the querying node. At each hop, for either direction, the receiving node validates the received control packet and forwards it after signing it. At the second stage, a “shortest path confirmation” packet is sent towards the destination, while now intermediate nodes sign the message in an onion-like manner in order to disallow changes of the path length.

31.5.1 The Secure Routing Protocol

The Secure Routing Protocol (SRP) [17] for mobile ad hoc networks provides correct end-to-end routing information over an unknown, frequently changing network, in the presence of malicious nodes. It is assumed that any two nodes that wish to employ SRP have a Security Association (SA), such as a symmetric shared secret key. Communication takes place over a broadcast medium, and it is assumed that malicious nodes, which may concurrently corrupt the route discovery, cannot collude during a single route discovery. Moreover, we assume that nodes have a single data link interface, with a one-to-one correspondence between data link and IP addresses. Under these assumptions, the protocol is proven robust.

SRP provides one or more route replies, the correctness of which is verified by the route “geometry” itself, while compromised and invalid routing information is discarded. The route request packets verifiably propagate to the destination, and route replies are returned to the querying node strictly over the reversed route, as accumulated in the route request packet. In order to guarantee this crucially important functionality, SRP employs explicit interaction with the network layer; i.e., the IP-related functionality.
Moreover, a number of novel features allow SRP to safeguard the route discovery operation, as explained below.

The Neighbor Lookup Protocol

The Neighbor Lookup Protocol (NLP) is an integral part of SRP responsible for the following tasks: (i) it maintains a mapping of Medium Access Control and IP layer addresses of the node’s neighbors, (ii) it identifies potential discrepancies, such as the use of multiple IP addresses by a single data-link interface, and (iii) it measures the rates at which control packets are received from each neighbor, by differentiating the traffic primarily based on Medium Access Control addresses. The measured rates of incoming control packets are provided to the routing protocol as well. This way control traffic originating from nodes that selfishly or maliciously attempt to overload the network can be discarded.

Basically, NLP extracts and retains the 48-bit hardware source address for each received (overheard) frame along with the encapsulated IP address. This requires a simple modification of the device driver [27], so that the data link address is “passed up” to the routing protocol with each packet. With nodes operating in promiscuous mode, the extraction of such pairs of addresses from all overheard packets leads to a reduction in the use of the neighbor discovery and query/reply mechanisms for medium access control address resolution. Each node updates its neighbor table by retaining both addresses. The mappings between data-link and network interface addresses are retained in a table as long as transmissions from the corresponding neighboring nodes are overheard; a timeout period is associated with each entry, which is removed from the table upon expiration.
NLP issues a notification to SRP in the event that according to the content of a received packet: (i) a neighbor used an IP address different from the address currently recorded in the neighbor table, (ii) two neighbors used the same IP address (that is, a packet appears to originate from a node that may have “spoofed” an IP address), (iii) a node uses the same medium access control address as the detecting node (in that case, the data link address may be “spoofed”). Upon reception of the notification, the routing protocol discards the packet bearing the address that violated the aforementioned policies.

Even though NLP does not rely on cryptographic validation, it thwarts adversaries from presenting themselves at the routing layer as more than one node. This would have been possible if different IP addresses were inserted in or used as the source address of the control traffic the adversary relays or originates. However, the effectiveness of NLP relies on the fact that medium access control addresses are either hardwired or may be changed only with substantial latency. In the former case, NLP can provide very strong assurances; in the latter one, it will be a significant line of defense, deterring, for example, a malicious node from flooding the network with spurious traffic. In any case, we should note that it is not of interest for SRP whether a relay node indeed presented itself with its “actual” IP address, but whether the node participated in the discovery of the route (footnote 4).

The Basic Secure Route Discovery Procedure

The querying node maintains a Query Sequence number, $Q_{seq}$, for each destination it securely communicates with. The monotonically increasing sequence number allows the destination to detect outdated route requests. At the same time, route requests are assigned a pseudorandom Query Identifier, $Q_{ID}$, which is used by intermediate nodes.
$Q_{ID}$ is statistically indistinguishable from a random number and thus unpredictable by an adversary with limited computational power. As a result, broadcasted fabricated requests will fail to cause subsequent legitimate queries to be dropped as previously seen, if, for example, the forged packets carry a higher sequence number.

Both $Q_{ID}$ and $Q_{seq}$ are placed in the SRP header, along with a Message Authentication Code (MAC) that covers the shared key, $K_{S,T}$, and the protocol header. Fields that are updated as the packet propagates towards the destination, such as the accumulated addresses, are excluded from the MAC calculation.

Nodes compare the last entry in the accumulated route to the IP datagram source address, which belongs to the neighboring node that relayed the request. If there is a mismatch, or NLP provides a notification that the relaying neighbor violated one of the enforced policies, the query is dropped. Otherwise the $Q_{ID}$ and the source and destination addresses are placed in the query table, so that previously seen queries are discarded. “Fresh” route requests are rebroadcasted, with intermediate nodes inserting their IP address in the request packet.

The destination validates the integrity and freshness of queries originating from nodes it is securely associated with. It generates a number of replies that does not exceed the number of its neighbors, so that a malicious neighbor does not control more than one route. The reversed accumulated route serves as the source route of the reply packet, which is identified by $Q_{ID}$ and $Q_{seq}$. The appended MAC covers the SRP header, including the source route. This way the source can be provided with evidence that the request had reached the destination and, in conjunction with the source route, that the reply was indeed returned along the reverse of the discovered route.

As the reply propagates along the reverse route, each intermediate node simply checks whether the source address of the route reply datagram is the same as the one of its downstream node, as determined by the route reply; if not, the reply is discarded. Ultimately, the source validates the reply by first checking whether it corresponds to a pending query. Then, it is sufficient to validate the MAC, since the IP source-route already provides the (reversed) route itself.

Footnote 4: The special case of using the address of a node already on the path is equivalent to any other malicious alteration of the control traffic, which the adversary could do in the first place. Of course, such a duplicate address will be perceived as a loop and the route will be readily discarded.

Priority-Based Query Handling

In order to guarantee the responsiveness of the routing protocol, nodes maintain a priority ranking of their neighbors according to the rate of queries observed by NLP. The highest priority is assigned to the nodes generating (or relaying) requests with the lowest rate and vice versa. Quanta are allocated proportionally to the priorities, and low-priority queries that are not serviced are eventually discarded. Within each class, queries are serviced in a round robin manner.

Selfish or malicious nodes that broadcast requests at a very high rate are throttled back, first by their immediate neighbors and then by nodes farther from the source of potential misbehavior. Nonmalicious queries, that is, queries originating from benign nodes that regulate in a nonselfish manner the rate of query generation, will be affected only for a period equal to the time it takes to update the priority (weight) assigned to a misbehaving neighbor. In the meantime, the round robin servicing of requests provides the assurance that benign requests will be relayed even amid a “storm” of malicious or extraneous requests.
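The NLP address checks and the basic route discovery validation described in the two preceding subsections can be put together in one sketch. This is an added example, not the authors' implementation: HMAC-SHA256 as the MAC, the dictionary packet layout, and the class and function names are assumptions, the addresses are constructed, and NLP entry timeouts and rate measurement are left out.

```python
import hashlib
import hmac
import os

def srp_mac(key, src, dst, q_id, q_seq, route=()):
    """MAC over the fixed header fields; the route is covered only in replies."""
    fields = [src.encode(), dst.encode(), q_id, q_seq.to_bytes(8, "big")]
    fields += [hop.encode() for hop in route]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)  # length-prefixed
    return hmac.new(key, msg, hashlib.sha256).digest()

class NeighborTable:
    """NLP policies (i)-(iii): returns a violation string, or None and records the pair."""
    def __init__(self, own_mac):
        self.own_mac, self.ip_by_mac = own_mac, {}

    def violation(self, mac, ip):
        if mac == self.own_mac:
            return "neighbor uses our data-link address"
        if self.ip_by_mac.get(mac, ip) != ip:
            return "neighbor changed its IP address"
        if any(i == ip and m != mac for m, i in self.ip_by_mac.items()):
            return "IP address already used by another neighbor"
        self.ip_by_mac[mac] = ip
        return None

class Relay:
    """Intermediate node: no cryptography, only NLP and route-consistency checks."""
    def __init__(self, ip, mac):
        self.ip, self.nlp, self.seen = ip, NeighborTable(mac), set()

    def on_request(self, frame_mac, ip_src, req):
        """Return the request to rebroadcast, or None if it is dropped."""
        last_hop = req["route"][-1] if req["route"] else req["src"]
        if self.nlp.violation(frame_mac, ip_src) or last_hop != ip_src:
            return None
        query = (req["q_id"], req["src"], req["dst"])
        if query in self.seen:  # previously seen query
            return None
        self.seen.add(query)
        return dict(req, route=req["route"] + [self.ip])

def make_request(key, src, dst, q_seq):
    q_id = os.urandom(16)  # unpredictable query identifier
    return {"src": src, "dst": dst, "q_id": q_id, "q_seq": q_seq, "route": [],
            "mac": srp_mac(key, src, dst, q_id, q_seq)}

def destination_reply(key, req, last_seq):
    """Check integrity and freshness, then MAC the header plus accumulated route."""
    expected = srp_mac(key, req["src"], req["dst"], req["q_id"], req["q_seq"])
    if not hmac.compare_digest(expected, req["mac"]) or req["q_seq"] <= last_seq:
        return None
    return dict(req, mac=srp_mac(key, req["src"], req["dst"], req["q_id"],
                                 req["q_seq"], req["route"]))

def source_accepts(key, pending, reply):
    """The reply must match a pending query and carry a valid MAC over the route."""
    if pending.get(reply["q_id"]) != reply["q_seq"]:
        return False
    expected = srp_mac(key, reply["src"], reply["dst"], reply["q_id"],
                       reply["q_seq"], reply["route"])
    return hmac.compare_digest(expected, reply["mac"])

def demo():
    key = os.urandom(32)  # stands in for the shared key K_{S,T}
    req = make_request(key, "10.0.0.1", "10.0.0.9", q_seq=7)
    a, b = Relay("10.0.0.2", "aa:02"), Relay("10.0.0.3", "aa:03")
    at_a = a.on_request("aa:01", "10.0.0.1", req)
    at_b = b.on_request("aa:02", "10.0.0.2", at_a)
    reply = destination_reply(key, at_b, last_seq=6)
    pending = {req["q_id"]: 7}
    return {
        "route": reply["route"],
        "accepted": source_accepts(key, pending, reply),
        "altered_route": source_accepts(key, pending, dict(reply, route=["10.0.0.2"])),
        "stale_seq": destination_reply(key, at_b, last_seq=7),
        "duplicate": a.on_request("aa:01", "10.0.0.1", req),
        "second_ip_same_mac": b.on_request("aa:02", "10.0.0.66",
                                           dict(at_a, q_id=os.urandom(16))),
    }
```

The hop-by-hop check that relays apply to replies on the reverse route is not modelled here.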
The Route Maintenance Procedure

The route-error packets are source-routed to the end node along the prefix of the route that is being reported as broken. The intermediate upstream nodes, with respect to the point of breakage, check whether the source address of the route error datagram is the same as the one of their downstream node as reported in the broken route. Then, if there is no notification from NLP that the relaying neighbor violated one of the enforced policies, they relay the packet towards the source. In this case, NLP prevents an adversary that does not belong to the route, but lies at a one-hop distance from it, from generating an error message, since an inconsistency with the addresses already used (during the route discovery) by the actual downstream neighbor will be detected.

The notified source compares the source-route of the error message to the prefix of the corresponding active route. This way, it verifies that the provided route error message refers to the actual route and that it is not generated by a node that is not part of the route. The correctness of the feedback (i.e., whether it reports an actual failure to forward a packet) cannot be verified, though. As a result, a malicious node lying on a route can mislead the source by corrupting error messages generated by another node or by masking a dropped packet as a link failure. However, it can harm only the route it belongs to, something that was possible in the first place if it simply dropped or corrupted the data packets.

The SRP Extension

The basic operation of SRP can be extended in order to allow for nodes other than the destination to provide route replies. This would be possible only under additional trust assumptions, when, for example, nodes sharing a common objective belong to the same group and mutually trust all the group members. In particular, this could be the case when all group members share a secret key.
Under this assumption, a querying node appends to each query an additional MAC calculated with the group key, which we call Intermediate Node Reply Token (INRT). The functionality of SRP remains as described above, with the following addition: each group member maintains the latest query identifier seen from each of its peers and can thus validate both the freshness and origin authenticity of queries generated from other group nodes.

If a node other than the sought destination receives such a valid query, it can respond to the request if it has knowledge of a route to the destination in question. However, the correctness of such a route is conditional upon the correctness of the second portion of the route, which is provided by the intermediate node. This functionality can be provided independently from and in parallel with the one relying solely on the end-to-end security associations. For example, it could be useful for frequent intragroup communication; any two members can benefit from the assistance of their trusted peers, which may already have useful routes.

31.6 Secure Data Forwarding

The frequent interaction with a CA and the frequent use of computationally expensive cryptographic tools are restrictive assumptions, especially for secure data-forwarding schemes. Such protocols must also take into account the inherent limitations of the MANET paradigm, exploit its features, and incorporate widely accepted and evaluated techniques in order to be efficient and effective. Moreover, a secure routing protocol is a prerequisite for an effective secure data-forwarding scheme. The above Secure Routing Protocol (SRP) for mobile ad hoc networks satisfies the above-stated goals. However, SRP or any other underlying routing protocol cannot guarantee that the nodes along a correctly discovered route will, indeed, relay the data as expected.
An adversary may misbehave in an intermittent manner, that is, provide correct routing information during the route discovery stage, and later forge or corrupt data packets during the data forwarding stage. This is exactly the function that is required by any secure data forwarding protocol: to secure the flow of data traffic in the presence of malicious nodes, after the routes between the source and the destination have been discovered.

One of the solutions targeting the MANET environment proposes two mechanisms that (1) detect misbehaving nodes and report such events and (2) maintain a set of metrics reflecting the past behavior of other nodes [16]. To alleviate the detrimental effects of packet dropping, nodes choose the “best” route, comprised of relatively well-behaved nodes; i.e., nodes that do not have a history of avoiding forwarding packets. Among the assumptions in the above-mentioned work are a shared medium, bidirectional links, use of source routing (i.e., packets carry the entire route that becomes known to all intermediate nodes), and no colluding malicious nodes. Nodes operating in promiscuous mode overhear the transmissions of their successors and may verify whether the packet was forwarded intact to the downstream node. Upon detection of a misbehaving node, a report is generated, and nodes update the rating of the reported misbehaving node. The ratings of nodes along a well-behaved route are periodically incremented, while reception of a misbehavior alert dramatically decreases the node's rating. When a new route is required, the source node calculates a path metric equal to the average of the ratings of the nodes in each of the route replies and selects the route with the highest metric.

A different approach is to provide incentive to nodes so that they comply with protocol rules, i.e., properly relay user data.
The concept of fictitious currency is introduced in [6], in order to endogenize the behavior of the assumed greedy nodes, which would forward packets in exchange for currency. Each intermediate node purchases from its predecessor the received data packet and sells it to its successor along the path to the destination (footnote 5). Eventually, the destination pays for the received packet. This scheme assumes the existence of an overlaid geographic routing infrastructure and a Public Key Infrastructure (PKI). All nodes are preloaded with an amount of currency, have unique identifiers, and are associated with a pair of private/public keys. Finally, the cryptographic operations related to the currency transfers are performed by a physically tamper-resistant module.

Footnote 5: An alternative implementation, with each packet carrying a purse of fictitious currency from which nodes remove their reward, has been proposed as well.

Another approach appropriate for MANET, which departs significantly from the two above-mentioned schemes, is presented below. Low-cost cryptography is used to protect the integrity and origin authenticity of exchanged data, without placing any overhead at intermediate nodes. Moreover, the feedback that determines the “security” of the chosen paths originates only from trusted destinations, thus allowing “safe” inferences on the quality of the paths. Finally, the reliability and fault tolerance of data transmissions is enhanced significantly.

31.6.1 Secure Message Transmission Protocol

The Secure Message Transmission (SMT) protocol [18] is a network-layer secure and fault-tolerant data-forwarding scheme, tailored to the MANET characteristics. In short, SMT is provided with routing information by a protocol such as SRP. This allows SMT to determine a set of diverse paths connecting the source and the destination, as shown in the example of Fig. 31.3.
Then, it introduces limited transmission redundancy across the paths, by dispersing a message into N pieces, so that successful reception of any M-out-of-N pieces allows the reconstruction of the original message at the destination. Each piece, transmitted over one path, is equipped with a cryptographic header that provides origin authentication, integrity, and replay protection. Upon reception of a number of pieces, the destination informs the source of which pieces, and thus routes, were intact. In order to enhance the robustness of the feedback mechanism, the small-sized acknowledgments, also protected by a cryptographic header, are maximally dispersed, so that successful reception of one piece is sufficient. If fewer than M pieces of the message were received, the source retransmits the remaining pieces over the intact routes, or in general the ones deemed as more “secure.” If too few pieces were acknowledged or too many messages remain outstanding, the protocol adapts its operation by determining a different path set, reencoding undelivered messages, and reallocating pieces over the path set. Otherwise, it proceeds with subsequent message transmissions.

SMT exploits MANET features such as the topological redundancies, interoperates with widely accepted techniques such as on-demand route discovery and source routing, relies on a security association only between the source and the destination, and makes use of highly efficient symmetric-key cryptography. Moreover, the routing decisions are made by the querying node, based on the feedback that the destination and the underlying secure routing protocol provide. At the same time, no additional processing overhead is imposed on intermediate nodes, which do not perform any cryptographic operation but simply relay the message pieces.
However, the use of multiple paths and the resultant greater number of nodes involved in the forwarding of a single message can be admittedly considered as the price to pay in order to achieve the sought robustness.

On the one hand, SMT’s robustness can be enhanced by the adaptation of parameters such as the number of paths, and the ratio of the numbers of transmitted to required pieces, termed as the redundancy or dispersion factor. On the other hand, in a low-risk environment with limited malicious failures, the same parameters can be adjusted, so that the imposed transmission overhead is reduced to a level close to that of a single-path scheme. An additional element that contributes to the flexibility of SMT is that different algorithms can be implemented for the selection of the path set, based on different metrics and interpretations of the network feedback. SMT can yield 100% successful message reception even in a highly adverse environment, when, for example, 20% of the network nodes are malicious, while keeping the message and computation overhead low.

The two communicating end nodes make use of the Active Path Set (APS), comprising diverse paths that are not deemed failed. The sender invokes the underlying route discovery protocol, updates its network topology view, and then determines the APS for a specific destination. This model can be extended to multiple destinations, with one APS per destination. At the receiver’s side, the APS is used for the transmission of the feedback, but if links are not bidirectional, the destination will have to determine its own “reverse” APS.

The dispersion of messages, which is performed by the information dispersal algorithm (IDA) [22], is coupled to the APS characteristics through an appropriate selection of the dispersion algorithm parameters.
For example, in low connectivity conditions (small number of disjoint paths), the sender may increase the redundancy factor in order to provide increased assurance and possibly low transmission delay.

FIGURE 31.3 The Secure Message Transmission Protocol makes use of multiple diverse paths connecting the source and the destination. In particular, the Active Path Set (APS) contains paths that have not been detected as failed, either due to path breakage or because of the presence of an adversary on the path.

FIGURE 31.4 For an APS with three paths, the source can disperse each message into three pieces and transmit them across APS. The destination responds to each message $M_k$ with an acknowledgment $ACK_k$, notifying explicitly which pieces were received. This feedback allows the source to quickly update the rating of the APS paths and retransmit lost pieces across the operational paths if the message cannot be reconstructed at the destination.

The adaptation of the protocol is the result of the interplay among the following parameters:

1. K, the (sought) cardinality of APS
2. k, the S,T-connectivity, i.e., the maximum number of S→T node-disjoint paths from the source (S) to the destination (T)
3. r, the redundancy factor of the IDA encoding
4. x, the maximum number of malicious nodes

Clearly, the condition for successful reception is $x \le K \times (1 - r^{-1})$, which demonstrates the coupling among choices of parameters. In particular, K can be determined as a function of r, so that the probability of successful transmission is maximized. (Note that K is equal to N when one message piece is allocated per path.) In order to do so, the source starts by determining an APS of the k shortest, in number of hops, node disjoint paths. Then, let $P_{GOAL}$ be the sought probability of successful reconstruction of a dispersed message.
$P_{GOAL}$ can be provided from the application layer and may correspond to the features of the supported application, for example. Given $P_{GOAL}$ and k, the node calculates the required redundancy factor, $r_{GOAL}$, for a given or estimated fraction of present adversaries. The source disperses outgoing messages with the redundancy value closest to $r_{GOAL}$, with M and N selected to minimize the transmission overhead.

Once dispersed, the message pieces are transmitted across APS. If N k, the node selects the N paths of the APS with the highest rating. If the receiver cannot reconstruct the message, the source retransmits the pieces that were not received, according to the feedback provided by the destination. Message pieces are retransmitted by SMT a maximum number of times, $Retry_{MAX}$, which is a protocol selectable parameter. If all retransmissions fail, the message is discarded. This way, limited retransmissions enhance the efficiency of SMT by alleviating the overhead from retransmitting the entire amount of data. On the other hand, SMT does not assume the role of a transport or application layer protocol; its goal is to promptly detect and tolerate failures and thus adapt its operation to remain effective and efficient (see Fig. 31.4).

The transmission of data is continuous over the APS, with retransmissions placed at the head of the queue, upon reception of the feedback. The continuous usage of the APS allows SMT to update quickly its assessment on the quality of the paths. For each successful or failed piece, the rating of the corresponding path is increased or decreased, respectively. When the rating drops below a threshold, the path is discarded. The path rating is also decreased slowly as time goes by in order to reduce the chance of using a stale path. Moreover, the simultaneous routing over a number of paths, if not the entire APS, provides the opportunity for low-cost probing of the paths.
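The dispersal, per-piece authentication and path-rating steps of SMT described above can be followed in the sketch below. It is an added example, not the SMT authors' code: the dispersal is a Rabin-style scheme over the prime field of size 257, HMAC-SHA256 stands in for the cryptographic header, the function names, rating step and threshold are assumptions, the key and payload are constructed, and replay tracking of message identifiers is left out.

```python
import hashlib
import hmac

P = 257  # smallest prime above 255, so every byte value is a field element

def disperse(data, m, n):
    """Split data into n pieces (indexed 1..n); any m of them rebuild it."""
    padded = data + bytes(-len(data) % m)
    blocks = [padded[k:k + m] for k in range(0, len(padded), m)]
    return {i: [sum(pow(i, j, P) * b for j, b in enumerate(blk)) % P for blk in blocks]
            for i in range(1, n + 1)}

def invert(matrix):
    """Gauss-Jordan inversion modulo P."""
    m = len(matrix)
    aug = [row[:] + [int(r == c) for c in range(m)] for r, row in enumerate(matrix)]
    for c in range(m):
        pivot = next(r for r in range(c, m) if aug[r][c])
        aug[c], aug[pivot] = aug[pivot], aug[c]
        scale = pow(aug[c][c], -1, P)
        aug[c] = [v * scale % P for v in aug[c]]
        for r in range(m):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[c])]
    return [row[m:] for row in aug]

def reconstruct(pieces, m, length):
    """Rebuild the message from any m intact pieces, or return None."""
    idx = sorted(pieces)[:m]
    if len(idx) < m:
        return None
    inv = invert([[pow(i, j, P) for j in range(m)] for i in idx])
    out = bytearray()
    for col in range(len(pieces[idx[0]])):
        y = [pieces[i][col] for i in idx]
        out.extend(sum(a * b for a, b in zip(row, y)) % P for row in inv)
    return bytes(out[:length])

def piece_mac(key, msg_id, index, piece):
    """End-to-end tag binding a piece to its message and its index."""
    body = b"".join(v.to_bytes(2, "big") for v in piece)
    header = msg_id.to_bytes(8, "big") + bytes([index])
    return hmac.new(key, header + body, hashlib.sha256).digest()

def send(key, msg_id, data, m, n):
    return {i: (p, piece_mac(key, msg_id, i, p))
            for i, p in disperse(data, m, n).items()}

def receive(key, msg_id, arrived, m, length):
    """Destination: keep pieces with a valid tag; return (message, acknowledged indices)."""
    intact = {i: p for i, (p, tag) in arrived.items()
              if hmac.compare_digest(tag, piece_mac(key, msg_id, i, p))}
    return reconstruct(intact, m, length), sorted(intact)

def max_tolerated(k_paths, m, n):
    """x <= K * (1 - 1/r) with r = N/M, rounded down to whole paths."""
    return k_paths * (n - m) // n

def rate_paths(ratings, sent, acked, threshold=1):
    """Raise or lower each used path's rating; return the paths kept in the APS."""
    for i in sent:
        ratings[i] += 1 if i in acked else -1
    return [i for i, r in ratings.items() if r >= threshold]

def demo():
    key, msg_id, data = b"constructed-shared-key", 1, b"constructed SMT payload"
    m, n = 2, 3
    sent = send(key, msg_id, data, m, n)          # one piece per path 1..3
    ratings = {i: 1 for i in sent}
    arrived = dict(sent)
    piece, tag = arrived[2]
    arrived[2] = ([(piece[0] + 1) % P] + piece[1:], tag)  # path 2 alters its piece
    message, ack = receive(key, msg_id, arrived, m, len(data))
    return {"message": message, "ack": ack,
            "active": rate_paths(ratings, sent, ack),
            "one_piece": receive(key, msg_id, {3: sent[3]}, m, len(data)),
            "tolerated": max_tolerated(3, m, n)}
```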
In particular, the source can easily tolerate the loss of a piece that was transmitted over a low-rated path.

31.7 Discussion

The fast development of mobile ad hoc networking technology over the last few years, with satisfactory solutions to a number of technical problems, supports the vision of widely deployed mobile ad hoc networks with self-organizing features and without the necessity of a preexisting infrastructure. In this context, the secure operation of such infrastructureless networks becomes a primary concern. Nevertheless, the provision of security services is dependent on the characteristics of the supported application and the networked environment, which may vary significantly. At one extreme, we can think of a library or an Internet café, which provides short-range wireless connectivity to patrons, without any access constraint other than the location of the mobile device. At the other extreme, a military or law enforcement unit can make use of powerful mobile devices capable of performing expensive cryptographic operations. Such devices would communicate only with other trusted devices.

Between these two ends of the spectrum, a multitude of MANET instances will provide different services, assume different modes of interaction and trust models, and admit solutions such as the ones surveyed above. Moreover, it is probable that instead of a clear-cut distinction among network instances, devices and users with various security requirements will coexist in a large, open, frequently changing ubiquitous network.

In this context, an important related issue is the IP addressing scheme employed in the MANET environment. The common assumption that node credentials, e.g., certificates, are bound to IP addresses may need to be revisited, since one can imagine that roaming nodes will join MANET subdomains, and IP addresses will be assigned dynamically (e.g., DHCP [8] or IPv6 auto-configuration [26]) or even randomly (e.g., Zero-Configuration [12]).
A type of ad hoc network with particular requirements is a sensor network, which requires multi-hop communication throughout a network of hundreds or even thousands of nodes, with relatively infrequent topological changes. It is expected that a single organization will undertake the deployment and administration of these networks. Moreover, sensing devices have very limited computational capabilities, network transmission rates are relatively low, and communications are mostly data driven. These requirements may affect in different ways the design of security measures for sensor networks, as demonstrated by the schemes proposed in the literature.

One of the proposals to secure sensor networks provides a protocol for data authentication, integrity, and freshness and a lightweight implementation of an authenticated broadcast protocol [21]. The scheme targets a restricted, infrastructure-oriented environment, with a trusted central entity instituted by a set of base stations. Sensor nodes communicate only with a base station, which broadcasts messages towards the sensors. The base station and all nodes initially possess a symmetric encryption and authentication key, which secures the exchanged traffic, while later, the base station periodically broadcasts the key that was used to authenticate transmissions during the last period.

An approach that has similarities but targets a more general setting proposes a key management scheme for sensor networks [2]. The focus is on resource-constrained large sensor networks, comprising nodes that are assumed tamper resistant and equipped with a secret group key. Similarly to the previous scheme, the use of symmetric key cryptography is proposed as the only feasible, low-cost solution. However, frequent rekeying, that is, periodic regeneration of the single key that is used to encrypt all data transmitted by sensors, is proposed to protect it from possible compromise.
In order to make this reconfiguration operation efficient, the sensors are organized into clusters with a two-hop diameter, while clusterheads are elected and form a backbone. Then, from a subset of the backbone, a randomly elected node generates the new key.

The simplified trust models of sensor networks, which, nonetheless, lead to efficient solutions, may not necessarily be usable in other ad hoc networking instances. The circumstantial coexistence of disparate nodes, or the requirement of fine-grained trust relationships, call for solutions that can adapt to specific contexts and support the corresponding application. However, although the requirements of the application are expected to dictate the characteristics of the required security mechanisms, some aspects of security, such as confidentiality, may not be different at all in the MANET context. Instead, the greatest challenge is to safeguard the basic network operation.

In particular, the securing of the network topology discovery and data forwarding is a prerequisite for the secure operation of mobile ad hoc networks in any adverse environment. Furthermore, the protection of the functionality of the networking protocols will be in many cases orthogonal to the security requirements and the security services provided at the application layer. For example, a transaction can be secured when the two communicating end nodes execute a cryptographic protocol based on established mutual trust, with the adversary being practically unable to attack the protocol. But this does not imply that the nodes are secure against denial of service attacks; the adversary can still abuse the network protocols, and in fact, do it with little effort compared to the effort needed to compromise the cryptographic protocol.

The self-organizing networking infrastructure has to be protected against misbehaving nodes, with the use of low-cost cryptographic tools, under the least restrictive trust assumptions.
Moreover, the overhead stemming from such security measures should be imposed mostly, if not entirely, on nodes that communicate in a secure manner and that directly benefit from these security measures. Furthermore, we believe that the salient MANET features and the unique operational requirements of these networks call for security mechanisms that are primarily present at, and closely interwoven with, the network-layer operation, in order to realize the full potential of this promising new technology.

References

[1] D. Balfanz, D.K. Smetters, P. Stuart, H. C. Wang, Talking to Strangers: Authentication in Ad Hoc Networks, Network and Distributed System Security Symposium, San Diego, CA, Feb. 2002.
[2] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi, Secure Pebblenets, 2nd MobiHoc, Long Beach, CA, Oct. 2001.
[3] S.M. Bellovin and M. Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, Proceedings of the IEEE Symposium on Security and Privacy, May 1992.
[4] Bluetooth Special Interest Group, Specifications of the Bluetooth System, http://www.bluetooth.com.
[5] M. Brown, D. Cheung, D. Hankerson, J.L. Hernadez, M. Kirkup, and A. Menezes, PGP in Constrained Wireless Devices, Proceedings of 9th USENIX Symposium, Denver, CO, Aug. 2000.
[6] L. Buttyan and J.P. Hubaux, Enforcing Service Availability in Mobile Ad Hoc WANs, 1st MobiHoc, Boston, MA, Aug. 2000.
[7] B. Dahill, B.N. Levine, E. Royer, and C. Shields, A Secure Routing Protocol for Ad Hoc Networks, Technical Report UM-CS-2001–037, EE&CS, University of Michigan, Ann Arbor, Aug. 2001.
[8] R. Droms, Dynamic Host Configuration Protocol, IETF RFC 2131, Mar. 1997.
[9] L.M. Feeney, B. Ahlgren, and A. Westerlund, Spontaneous Networking: An Application-Oriented Approach to Ad Hoc Networking, IEEE Communications Magazine, Jun. 2001, pp. 176–181.
[10] M. Guerrero, Secure AODV, Draft sent to the manetitd.nrl.navy.mil mailing list.
[11] V. Gupta and S. Gupta, Securing the Wireless Internet, IEEE Communications Magazine, Dec. 2001, pp. 68–74.
[12] M. Hattig, Ed., Zero-conf IP Host Requirements, Draft-ietf-zeroconf-reqts-09.txt, IETF MANET Working Group, Aug. 2001.
[13] J.P. Hubaux, L. Buttyan, and S. Capkun, The Quest for Security in Mobile Ad Hoc Networks, 2nd MobiHoc, Long Beach, CA, Oct. 2001.
[14] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks, IEEE ICNP (International Conference on Network Protocols) 2001, Riverside, CA, Nov. 2001.
[15] L. Lamport, Password authentication with insecure communication, Comm. of ACM, 24, 770–772, 1981.
[16] S. Marti, T.J. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, 6th MobiCom, Boston, MA, Aug. 2000.
[17] P. Papadimitratos and Z.J. Haas, Secure Routing for Mobile Ad Hoc Networks, SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX, Jan. 27–31, 2002.
[18] P. Papadimitratos and Z.J. Haas, Secure Message Transmission in Mobile Ad Hoc Networks, submitted for publication.
[19] P. Papadimitratos and Z.J. Haas, Securing the Internet Routing Infrastructure, IEEE Communications Magazine, 40(10), Oct. 2002.
[20] C.E. Perkins, E.M. Royer, and S.R. Das, Ad hoc On-Demand Distance Vector Routing, Draft-ietf-manet-aodv-08.txt, IETF MANET Working Group, June, 2001.
[21] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J.D. Tygar, SPINS: Security Protocols for Sensor Networks, Proc. 7th Ann. Intl. Conf. Mobile Computing and Networks (MobiCom 2001), Rome, Italy, 2001, pp. 189–199.
[22] M.O. Rabin, Efficient dispersal of information for security, load balancing, and fault tolerance, Journal of ACM, 36, 335–348, 1989.
[23] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. of ACM, 21, 120–126, 1978.
[24] F. Stajano and R. Anderson, The Resurrecting Duckling: Security Issues for Ad Hoc Wireless Networks, Security Protocols, 7th International Workshop, LNCS, 1999.
[25] F. Stajano, The Resurrecting Duckling – What Next? Security Protocols, 8th International Workshop, LNCS, 2000.
[26] S. Thomson and T. Narten, IPv6 Stateless Address Autoconfiguration, IETF RFC 1971, www.ietf.org.
[27] G.R. Wright and W. Stevens, TCP/IP Illustrated, Vol. 2, The Implementation, Addison-Wesley, Reading, MA, 1997.
[28] S. Yi, P. Naldurg, and R. Kravets, Security-Aware Ad-Hoc Routing for Wireless Networks, UIUCDCS-R-2001–2241 Technical Report, Aug. 2001.
[29] L. Zhou and Z.J. Haas, Securing Ad Hoc Networks, IEEE Network Magazine, Nov./Dec. 1999.

Security Issues in Ad Hoc Networks

Abstract

In this chapter, we discuss issues and survey current solutions in securing ad hoc wireless networks. The characteristics of ad hoc networks render the trust a host could place on other hosts and a network more precarious than in a conventional network. Any viable security approach ought to address trust concerns for specific applications. As examples, we look at three specific issues and their current proposed solutions: a transient association as host access control policy for mobile appliances, link-by-link and end-to-end authentication for securing routing in open networks, and split control for a centralized service or distributed services for survivable services in a rapidly changing network.

32.1 Introduction

Numerous task forces are formed on a need basis, such as a search committee for the president of a university, or a military deployment in a foreign country. A logical communication vehicle for these task forces is a mobile ad hoc wireless network because it does not require a prior physical infrastructure (i.e., wired network) [1]. Task forces have valuable assets such as transcripts of a search committee meeting or a program that controls the movement of tanks.
These resources could come under attack, from both within and without, with malicious intention or through mere carelessness.

To protect networks from adversaries, we investigate security issues in Ad Hoc Networks (AHNs), based on our knowledge in securing wired networks. AHNs are prone to the same types of attacks as wired networks. Furthermore, the openness of wireless communication media and node mobility make AHNs more vulnerable than traditional networks to attacks. Anyone with a scanner can monitor traffic from the comfort of his or her home or the ease of a street corner. With a powerful jamming machine, an attacker can reduce the channel availability or even shut down communication channels [24].

Wired networks are built over time. They reflect security policies of organizations. Trust between entities, an essential element of a security policy, is also built over time. System administrators support network operations such as implementing security policies. In comparison, AHNs are built quickly and as needed. Trust and policies may be put together in a hurry. Mobility and some physical features (e.g., small size) of nodes make them more easily compromised and lost than those in wired networks.

Different AHNs have different initial contexts and requirements for security depending on applications. However, they all share one characteristic: no fixed infrastructure. The lack of infrastructure support leads to the absence of dedicated machines providing naming and routing service. Every node in an AHN becomes a router. Thus network operations have higher dependence on individual nodes than in wired networks. The mobility of nodes brings constant change in network topology and membership, making it impractical to provide traditional, centralized services [1,24].

In this chapter, we look at security challenges presented in ad hoc mobile wireless networks and how they are addressed currently.
In Section 32.2 Introduction to Security, we introduce security requirements and traditional security mechanisms. We describe security requirements specific to AHNs and the particular challenges in implementing security mechanisms in AHNs in Section 32.3. We then present some of the current work in the research community in attempting to address these challenges in the rest of the chapter. In Section 32.4, we sketch an access control model that defines what access nodes can have to each other. We then describe routing security issues and some proposed solutions in Section 32.5 Routing Security. The state of the art in implementing traditional security mechanisms is explained in Section 32.6 Key Distribution. We conclude with a discussion of future work in Section 32.7 Future Directions.

32.2 Introduction to Security

“Security is the possibility of a system withstanding an attack.”¹ During the 20th century, we refined our requirements for security and mechanisms to satisfy them. There are two types of security mechanisms: preventative and detective [17]. The majority of the preventive mechanisms have cryptography as a building component.

¹ Discussion with Shaoying, Liu.

32.2.1 Security Requirements

The goal of system security is to have controlled access to resources. The key requirements for networks are confidentiality, authentication, integrity, nonrepudiation, and availability [10,17]. We define them as follows:

• Availability: no interruption of services
• Confidentiality: no unauthorized divulge of information
• Authentication: knowing the identity of a communicating party or the source of a piece of information
• Integrity: no unauthorized modification of resources
• Nonrepudiation: nondeniability of committed actions

Traditionally, we categorize the attacks that computer and network systems experience in four broad categories: interruption, interception, modification, and fabrication [19].
Interruption renders a resource unavailable, interception discloses classified information, modification changes the attributes of a resource, and fabrication creates a false resource.

Security controls are put in place to deter attacks, therefore providing system-desired security services. A security mechanism follows three steps — identification, authentication, and authorization — to control access to resources. Identification names entities. Authentication checks that an entity is who or what it claims to be. Authorization either grants or refuses access rights based on some security policies, which are a part of an organization policy. Policies define access control rules and translate the trust that we place on entities into access control decisions.

32.2.2 Cryptography Basis

Preventive security controls are often protocols that utilize cryptography. Cryptographic algorithms are functions that transform information to conceal it [12]. There are three types of cryptographic algorithms: hash, secret-key cryptography, and public-key cryptography. Hash algorithms do not use keys. Secret-key cryptography uses one key. Public-key cryptography uses two keys.

A hash algorithm is a one-way function that maps a message of any size into a fixed size digest (see Fig. 32.1). Message digests are fingerprints of messages. A hash function is considered secure if it is computationally infeasible to find a corresponding message given a fingerprint, or to find one message that has the same fingerprint as a given message, or to find two arbitrary messages that have the same fingerprint [12].

Secret-key cryptography makes use of a pair of functions: encryption and decryption (see Fig. 32.2). The encryption function uses a key to mangle a message. The message before encryption is called plaintext. The encrypted message is called ciphertext. The decryption function uses the same key to unmangle the ciphertext. The key is a shared secret between communicating entities.
Secret-key encryption provides confidentiality, as only those entities knowing the secret can uncover the plaintext messages.

Public-key cryptography uses a pair of keys, a public key and a private key, which are uniquely associated with each other (see Fig. 32.3). Each entity has a key pair, $K_E$, $K_E^{-1}$, where $K_E$ is the public key of entity E, and $K_E^{-1}$ is E’s private key. The private key is only known to the owner, while the public key is widely publicized. Public key encryption uses a public key for encryption and a private key for

[FIGURE 32.1 Hash function uses no key. Diagram labels: message, hash, message digest.]

[FIGURE 32.2 Secret-key cryptography uses one key. Diagram labels: plaintext, encryption, key, ciphertext, decryption, plaintext.]
