Artificial Intelligence Based Authentication Scheme for Mobile Adhoc Networks

e-mail {barani,a0r2878}@cs.tamu.edu Baranidharan Raman Dept.of.Computer Science Texas A&M University Anu Ramanathan Dept. of Electrical Engg. Texas A&M Univeristy

Abstract
Our security protocol derives inspiration from the MIT-Kerberos authentication scheme in which a client who wants to communicate with some service server, needs a session key and ticket for that particular session. The principles of key distribution is used to provide authentication. Security of transmitted data is achieved using encryption and decryption algorithms. Here we propose to use the RSA algorithm to generate the public and private keys for each session inorder to fulfil the needs of secure transmission. In this project, we aim at developing a security protocol independent of the routing protocol for Mobile Adhoc Networks with added infrastructure to facilitate the key distribution. Here, apart from the issues in traditional wired networks, we take into consideration few more criteria like mobility of the nodes and increased vulnerability to attacks by malicious intruders owing to a single communication channel. The work described achieves secure initial contact between the mobile node and Key Distribution Center. Another achievement of the proposed protocol is that the mobile nodes paying for security are assigned authentication keys dynamically thus, overcoming the problems associated with static passwords in traditional schemes. For this purpose we use Artificial Intelligence puzzles to provide improved authentication.

1.Introduction
Data transmission across any network is highly insecure and this necessitates the development of a system that can authenticate communication between entities. Authentication is not an end in itself, but rather a tool to support both integrity and authorization. Its basic objective is to prevent fraudulent connection requests. Ad-hoc networks, which are on the fly networks hence, are purpose specific, autonomous, dynamic and transient. Adhoc networks support mobility of nodes and have properties such as dynamic topologies, bandwidth-constrained variable capacity link, power constrained operations and limited security[1]. The last property is the issue of this research project. Survivability is a key issue to be taken into consideration in designing a security protocol. The main problem in using traditional techniques of a centralized architecture to achieve network security could lead to a highly susceptible design architecture owing to the fact that if the centralized entity is compromised, it would result in a security failure for the entire network. Therefore, we should aim at a distributed architecture[4] .

2.Related Work
The traditional wired network routing protocols in the wired networks like RIP, OSPF provide minimal security guarantees but the internet protocol on which the they operate namely ipV4, ipV6 which have IPSEC(IPSecurity) as an integral feature. But when it comes to routing protocols in the MANET like DSR, AODV, TORA assumes that the nodes have no malicious content. So there in a lot of security concern when it comes to comes to authenticating MANETs. The security issues of confidentiality, availability and authentication hold well in MANETS too. However apart from passive attacks involving eavesdropping we need to tackle the problem of Denial of Service (DOS) and Distributed DOS (DDOS) and compromised nodes. In environments where there is a centralized services are managed by individual or replicated nodes, compromised nodes are the major threats. Sufatrio and Lam [2] introduce a Minimal Public- Key based Authentication (Min-PKA) for Mobile-IP which secures the registration process and makes use of AuthenticationAuthorization- Accounting (AAA) server nodes. This scheme uses secret And public key based encryption and advocates necessity of multiple protocols in securing these networks. Fasbender et al.[3] introduce the Non-Disclosure Method(NDM) in which every Secure Agent (SA) (node) has a public-private key pair. Suppose a source SRC wants to send its messages to DEST it first encrypts the message using encrypts the message using DESTs public key and then that information with SA1s public key and forwards the packet to SA1 and the packet traverses the network through route SRC-SA1-SA2-SAn- DEST. SA1 knows it has to forward the packet to SA2 but has no idea of location of DEST and SAn knows the location of DEST but not SRC. This way the messages as well as the Location information are secured. Key Management Service introduced by Zhou and Haas [4] introduce a distributes key management service to be applied to MANET. The propasal requires the knowledge of multiple routes to destination (Routing protocols like TORA maintains such information). The ZH proposal as it is called uses a public key- private key pairs of which the public key is certified by the server and the private key is kept secret. The ZH also uses the shared secret keys for establishing secure sessions. The ZH also authenticates and encryption of sessions keys using asymmetric key pairs. In query mode The node requests the publis key of the other nodes and in update mode it advertises its public key. Armando Fox and Steven Gribble [5] have implemented a security protocol based on Kerberos called Charon where all interaction with the KDC is displaced from the client to a proxy. Therefore, the authentication mechanism is implemented as a two-phase handshake where the client uses Charon as a smart router to obtain information from the

KDC in the first handshake, while communication between Charon as a client from the point of view of the KDC occurs in the second handshake. We derive inspiration for our authentication scheme from the Kerberos authentication scheme[6] in which a client who wants to communicate with some service server, needs a session key and ticket for that particular session. The client obtains these from the KDC (Key Distribution Center) by sending the information (Authentication Request) about itself, the service server it wants to communicate with, the time stamp and a random number. The KDC responds (Authentication Response) by sending the session key, random number and time stamp, all encrypted with the public key and which can be decrypted by the client and some more similar information (which is the servers session private key encrypted using servers public key) which should be forwarded to the service server and can only be decrypted with service servers public key. The client then sends the ticket to the service center and the service server decrypts the information to get the session key and it can use that key to communicate with the client afterwards. The Authentication Request and Response along with the Application Request and Response constitute the basic Kerberos Authentication Protocol. RSA[7] is a public-key cryptosystem developed by MIT professors: Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977 in an effort to help ensure internet security. A cryptosystem is an algorithm that converts input data into an unrecognizable (encrypted) form and then converts it back to the original (decrypted) form. The encryption and decryption algorithms may be in accordance with several mathematical formulae or may be random. The challenge of public-key cryptography is developing a system in which it is impossible to determine the private key. This is accomplished through the use of a one-way function. With a one-way function, it is relatively easy to compute a result given some input values. However, it is extremely difficult, nearly impossible, to determine the original values if you start with the result. In mathematical terms, given x, computing f(x) is easy, but given f(x), computing x is nearly impossible. The one-way function used in RSA is multiplication of prime numbers. It is easy to multiply two big prime numbers, but for most very large primes, it is extremely timeconsuming to factor them. Public-key cryptography uses this function by building a cryptosystem which uses two large primes to build the private key and the product of those primes to build the public key. In this research project we are dealing with the confidentiality of information between sender and the receiver and scalability of the Authentication mechanism to large number of independent Mobile Adhoc Networks

3.Protocol Design
The issue of security in Mobile Ad Hoc Networks needs to be handled more carefully as opposed to wired networks primarily due to most nodes operating on the promiscuous mode. The performance of a network security protocol lies in its ability to avert denial of service attacks. We aim to develop a reactive protocol which maintains an authenticator

key distribution center which is kept as invisible as possible to the nodes in the MANET. We refer to this approach as Invisible KDC. 3.1 Security Goals To provide a hierarchical security service that permits a certain category of nodes which will be provided the secure network provision. To provide secure distribution of public and private keys. To ensure secure communication between the nodes. We assume that there is a Service Provider who authenticates the users who need to use the secure network by providing a puzzle solving mechanism to each node requiring security and also gives it a universally accepted solution which is used for encryption of the initial authentication requests. 3.2 Protocol Layers We aim to develop a security protocol which is built on top of a routing protocol which is used in Mobile Ad Hoc networks. Fi Fig 1.

PROTOCOL STACK

APPLICATION LAYER SECURITY LAYER TRANSPORT LAYER NETWORK LAYER DATA LINK LAYER PHSICAL LAYER

3.3 Protocol Details The protocol employs three stages of authentication in a sequential manner which is discussed below: Authentication of the node Securing the Public Key Secure communication between nodes over the MANET

3.3.1 Hierarchical Architecture of nodes in MANET There is a 3 level hierarchy of nodes in our secure network domain. Since security comes with a cost, it makes sense to make the willing clients pay for it while the others need not. Depending on the security requirements we have a 2 level hierarchy of mobile nodes in our MANET Insecure Node Secure Node One of the secure nodes will be placed at a higher level in the hierarchy by becoming the Key Distribution Center (KDC). The current protocol implemented assumes that the Key Distribution Center does not leave the MANET which is not always the case. Our future work intends to accommodate the leave of the Key Distribution Center from the MANET. All the transactions involving secure nodes are encrypted. 3.3.2 Authentication of the node Initially when a node requires to initiate a secure transmission, it needs to obtain a public key from the Key Distribution Center. The KDC replies back with an Artificial Intelligence puzzle which has multiple solutions. The puzzle is sent encrypted using a universally distributed key which is distributed to all the secure nodes. The node who is already authorized by the Service Provider decrypts the puzzle and solves it using the functions provided to it and returns the computed solution which is encrypted using the same universal encryption key. This prevents the intermediate nodes from being able to track a puzzle and its solution. 3.3.2.1 Artificial Intelligence Puzzle The most prominent AI puzzles like the Rubiks Cube[8], 8 Puzzle problem, 16 puzzle problem have a specific property that there are multiple paths to the solution, through the state space using same state space search functions. So a single puzzle solving heuristic approach can take us to the solution through different paths across the state space. This property is what we are exploiting in our authentication approach.

In traditional networks where security is required, every lawful user is given a login name and password. Though the entry into the network is protected using the password, there is no efficient method to prevent this password from being hacked. So the KDC gives the puzzle with different initial states and waits for the secure nodes to give it the mapping function which can be used to generate the encryption key for the node. If, by faint probability the secure node generates a key which is already in use, then the KDC does not reply to this message, hence making the secure node send an another mapping function. There are several advantages to this approach. We enumerate them all of them here. Most of the hacking that has been recorded so far in network services is through misuse of passwords wherein, the malicious user gets to know the lawful users passwords and uses that to gain entry into the network. In this scheme, though the mobile nodes pay for security service, it does not know the encryption keys assigned to it. This takes place dynamically. Another advantage of this approach is that the KDC need not maintain the database of the keys required for secure communication thereby, as they can be obtained as when required from the Key Distribution Center. This can enable the easy leave of the secure node acting as KDC as no state information is maintained. However the method of finding the leave of KDC is beyond the scope of this paper. The AI puzzle approach allows the encryption of initial authentication request messages sent to the KDC which enhances the security offered by this authentication scheme making it more robust. 3.4 Authenticating Control Messages There are 4 messages specific to our authentication protocol. They are Authentication Request Authentication Puzzle Reply Authentication Message Authenticating Key. When a secure node want to send a packet to another node in the network it broadcasts an Authentication Request Message to the KDC and waits for the KDC to process its request with the Authentication Reply. In traditional authenticating schemes including protocols like Kerberos[6] and Charon[5] the initial contact for authentication between the mobile node and the Key Distribution Center is insecure, which might be acceptable for network environments where the packets are not monitored in promiscous mode . Also the route discovery between a node wishing to authenticate itself with the KDC is broadcast which enables any malicious node to enter into promiscous mode and sniff the reply from the KDC to the node requesting the encryption keys, which defeats the entire purpose of

security. So there must be some means of providing this security for the first transaction between a node wishing authentication and the KDC i.e they must be encrypted. Our scheme achieves this by encrypting all the messages used for authentication service using a general solution which is made available to all the secure nodes. Authentication Request This is the message sent by the secure node inorder to authenticate itself with the KDC. Authentication Reply This is the message that comes from the KDC and contains the Authenticating Puzzle .
N1 Req1 Req1 N2 S1 Rep1 N3 S2 Rep1
KD C

Fig2: Authentication of Node Authentication Message This is the message that is being sent by the secure node wishing to authenticate itself to the KDC. It contains the encrypted solution to the puzzle. Authentication Keys Acknowledgement of the secure nodes authentication by the KDC along with the keys.
N1 Req2 Req2 N2 S1 Rep2 N3 S2 Rep2
KD C

Fig 3. Securing the public and Private key

3.5 Securing the public and private key The KDC on receiving the solution from the node, verifies if it is the correct one and returns back the public and private keys of the node which is encrypted using the solution sent by the node. The possibility of an intermediate node being able to snoop the public key based on the solution is lower here due the presence of multiple solutions for a certain puzzle. This public key which is obtained by the node is used for further communication. 3.6 Invisible KDC The most common security threat to a centralized scheme of service as we have here is the Denial of Service (DoS) attack. This can occur if the malicious node knows about the whereabouts of the centralized service. So it is necessary to protect the location information of the KDC. So we do not send the authenticating packet to address of the node acting as KDC as it is not made available. Only the node acting as KDC knows that it is the KDC and this information is hidden from all nodes in the network including the neighbours. The KDC identifies the broadcast packet sent to it by means of special information added to the standard DSR Header. 3.7 Secure Communication between nodes over the MANET Inorder to communicate with another node (B) securely, the node (A) which has been authenticated with the Key Distribution Center will contact it to obtain the session key. If the node (B) has not yet authorized itself with the KDC, then the KDC uses a push mechanism to send its keys using the puzzle solving method described above. The public key of node B is sent by the KDC to node A encrypted using As public key. This can be decrypted by using As private key. The public key of B is in turn used to encrypt the information which needs to be sent to node B. This can be decrypted only using the private key of node B which is not accessible to the other nodes. The encryption and decryption mechanism is carried out using the RSA algorithm which is discussed in the appendix. Fig 4: Secure Communication between nodes
N1

N2 S1

KD C

Encrypted Packet

N3

S2

Encrypted Packet

3.8 Handling Mobility of the KDC We assume that initially there is a node which is elected as the KDC among the group of nodes which require security in the network. In addition to this, all the nodes in the secure network will run the KDC software, but will not reply to any of the Authentication Requests sent by incoming nodes unless it has been elected as the KDC. The present protocol assumes that the KDC does not leave the MANET.

4. Optimizations
There are 2 optimizations that will make our protocol more efficient. Optimization 1 We have joined the 2 phases of route request and authentication by sending a single broadcast packet to achieve the same. This is being achieved by making both the destination as well as the KDC reply to this broadcast. Optimization 2 Since the initiation of the packet transfer can be delayed due to the authentication process, we make a slight modification to traditional security schemes. We start transmitting the packets as soon as we have a route to the destination and start encrypting a packet as soon as we get the keys. This is based on the assumption that a part of the data transfer cannot make any sense to anyone who snoops in-between.

5. Simulation
To evaluate the performance of the security protocol, we simulated it using the Network Simulator provided by University of California, Berkeley. The simplified version of the protocol was implemented in Java inorder to compute the overhead involved in the encryption scheme used in the protocol. It was observed that the average overhead due to the RSA algorithm used for encryption and decryption of the packets sent was 3.2 times the size of a normal data packet. The security protocol has been implemented over DSR as the routing protocol, though it can be built on any other routing protocol. Our simulations were run for increasing number of nodes in the MANET for 20 seconds. We simulate a network with N nodes where N/2 of them generate packets using a CBR source. The odd numbered nodes send packets to the even numbered ones. The nodes initially complete the process of authentication before they begin the transmission of packets. The parameters which are of interest to us to evaluate the performance of our proposed scheme are :

(i) (ii) (iii) (iv)

The increase in the packet size due to the RSA algorithm used for encryption and decryption. The aggregate throughput of the secure network as the number of nodes is increased. The aggregate throughput of the network as we increase the number of nodes that require secure data transmission while keeping the total number of nodes a constant. The control overhead incurred by implementing the new protocol.

As we increase the number of nodes from 4 to 50 in the network, the throughput of the scheme drastically falls, which is shown in fig 5. Fig 5.

Aggregate Throughput vs. No: of nodes for a Completely Secure Network

400 Aggregate Throughput in Packets/s 300 200 100 0 0 20 40 60 No: of nodes DSR Encryption Kerberos New Scheme

The throughput obtained in packets/s for the new scheme is compared with various schemes to understand the overhead incurred to achieve a high level of security in the network. Table 1 shows the aggregate throughput achieved for a completely secure network which requires all nodes to be authenticated.
NO: OF NODES 0 4 8 10 12 16 20 30 40 50 DSR ENCRYPTION KERBEROS NEW SCHEME 0 0 0 0 316.2 126.2 125.5 127.5 318 140.5 137.85 102.7 319.25 156.8 143.05 77.55 317.55 145.65 136.07 54.8 312 139.7 143.2 36.75 283.05 120.6 112.25 27.2 288.35 78.3 52.95 14.05 252.4 56.7 29.5 8.7 253.55 46.3 21.1 7.15

Table 1:Comparison of Aggregate Throughput (in packets/s) of Various protocols as the no: of nodes increases for a Completely Secure Network

It is expected that the throughput would be highest for the case without any authentication and security requirements as opposed to the other schemes which introduce additional overhead in the form of authentication requests, replies and bigger packet sizes owing to encryption of data. The simple encryption scheme employs mere encryption and decryption of the packets that are sent which results in an increase in the packet size and leads to an increase in the contention in the network, thereby causing a drop in throughput as opposed to DSR. The next scheme which we implemented was Kerberos which uses the concept of public and private keys to authenticate nodes in a network. This has an additional broadcast to obtain the keys from the Key Distribution Center followed by a reply from the KDC with the keys in addition to the increase in packet size observed in the Simple Encryption scheme. The additional broadcast and reply increase the contention still further, which increases the number of packets dropped and throughput is expected to be lower than the Simple Encryption scheme. The main disadvantage of this scheme is that the KDC is known to all nodes in the network and the transmission of keys is done in an insecure manner. We overcome the problem of locating the KDC using the concept of invisible KDC by broadcasting the authentication request and using an invalid source address field while sending the replies from the KDC. The problem of insecure transmission is overcome in our new scheme that employs client puzzle authentication to initially authenticate a node in the network and then sends the keys to it. In addition to the overhead introduced in the Kerberos scheme, we have an additional broadcast for the node which sends the puzzles solution and the final reply with the keys for the secure session. This further adds to the contention and increase in packet drops results which is responsible for the lower throughput. We observe that the throughput initially increases when the no: of nodes is increased as the link bandwidth utilization increases. But when the no: of nodes is increased still further, the contention increases between the nodes and the throughput falls as expected from IEEE 802.11. It is also observed that the new scheme has the lowest throughput owing to the overhead involved in providing the security, while the simple encryption scheme performs better in terms of throughput owing to a lower overhead. Therefore, the greater the degree of security we aim to provide, the higher is the overhead incurred and poorer is the performance in terms of throughput. So there is a trade off between the achievable level of security and the aggregate throughput. The next set of simulations were run for the same network with the total number of nodes fixed at 30 and the performance was evaluated as we increase the no: of secure nodes in the network i.e those nodes which require authentication. The results observed are shown in Fig 6 and Table 2.

Fig 6

Aggregate Throughput vs. No: of authenticated nodes

Aggregate Throuput in Packets/s 80 60 40 20 0 0 5 10 15 20 No: of authenticated nodes Kerberos New Scheme

NO: OF SECURE NODES 1 2 4 8 12 15

KERBEROS 75.2 70.35 65.4 60.75 55.6 52.95

NEW SCHEME 27.1 26.55 23.8 19.35 15.4 14.05

Table 2:Comparison of Aggregate Throughput (in packets/s) of Kerberos and New Scheme as the no: of secure nodes increases As the number of secure nodes is increased, there will be an increase in the number of control messages sent owing the broadcasts of authentication requests and replies to client puzzles. This increases the contention for bandwidth and thereby increases the no: of packet drops which in effect is responsible for a drop in throughput. This is observed in fig 6. Fig 7.
No: of broadcasts vs. No: of nodes for a Completely Secure Network
160 140 120 100 80 60 40 20 0 0 4 8 10 12 16 20 30 40 50 No: of nodes

No: of broadcasts

Kerberos New Scheme

Then, the control overhead incurred by the protocol is measured for the Kerberos scheme and the New scheme. There is a significant increase in the number of broadcasts in our new scheme as opposed to Kerberos owing to the Client Puzzle Authentication which we have added.

6. Conclusions and Future Work

The scheme implemented here has a distinct advantage over Kerberos as it ensures that the keys used for authentication are also delivered in a secure manner to the nodes to avoid malicious nodes from spoofing it. It is also routing protocol independent. We observe that increasing the levels of authentication in a network is obtained at cost of decrease in throughput. There exists a trade off between the level of security and the throughput obtained. In this protocol, we have assumed that the KDC does not leave. This can be improved by incorporating a leader election mechanism which can elect a new node as the KDC when the existing one leaves and still maintain the invisibility of the KDC.

References
1. Signalling and Routing Security in Mobile and Ad Hoc Networks Vesa Karpijoki http://www.hut.fi/~vkarpijo/iwork00/ 2. Sufatrio & Lam, K.-Y., Scalable Authentication Framework for Mobile-IP (SAFe IP), Internet draft, IETF, November 1999. [referred 24.3.2000] <http://search.ietf.org/internet-drafts/draft-rio-mobileip-safe-mip-00.txt> 3. Fasbender, A. et al., Variable and Scalable Security: Protection of Location Information in Mobile IP., Mobile Technology for the Human Race, IEEE 46th Vehicular Technology Conference, 1996 4. Zhou, L. & Haas, Z., Securing Ad Hoc Networks., 1998. [referred 13.2.2000] < http://www.ee.cornell.edu/~haas/Publications/network99.ps 5. Security On the Move: Indirect Authentication Using Kerberos Armanda Fox and Steven Gribble. 6. http://web.mit.edu/kerberos/www/ 7. http://www.cyberlaw.com/rsa.html 8. R. Korf. Finding optimal solutions to Rubik's Cube using pattern databases. In AAAI National Conference, pages 700-705, 1997.

Appendix A
RSA Algorithm The challenge of public-key cryptography is developing a system in which it is impossible to determine the private key. This is accomplished through the use of a oneway function. With a one-way function, it is relatively easy to compute a result given some input values. However, it is extremely difficult, nearly impossible, to determine the original values if you start with the result. In mathematical terms, given x, computing f(x) is easy, but given f(x), computing x is nearly impossible. The one-way function used in RSA is multiplication of prime numbers. It is easy to multiply two big prime numbers, but for most very large primes, it is extremely time-consuming to factor them. Public-key cryptography uses this function by building a cryptosystem which uses two large primes to build the private key and the product of those primes to build the public key. The RSA Algorithm consists of the following steps: The first step involved in this is the generation of two large p,q which are relatively prime. This is used to compute the values of N ,E ,D ,PHI which are defined as follows: N= pq PHI = (p-1)(q-1) Next we find a number E (public exponent), D using the Extended Euclidean Algorithm such that it is relatively prime to PHI and D satisfies the condition E*D = 1 mod PHI. The pair (N,E) is called the public key and D is called the private key. Here it is essential that the primes p,q are kept a secret or are destroyed. Once the keys are generated, the next step is to compute the cipher text from the plain text message m which is done as follows:
E C = M mod N

The original message is recovered using the private key D

D M = C mod N

Therefore, since only the service server has the value of D, none but the service server can decrypt the message. Since we know that D, E are related, the algorithm will correctly recover the original message, which happens as follows: CD mod n = (( ME mod N ) D ) mod N = M. Now for an attacker to be able to find the message, it would be required to compute the value of p,q once N is got. But since multiplication of big prime numbers is a one-way

function, it is nearly impossible to get the private key. This algorithm reduces to generation of the primes p,q and this is done using random numbers generated which are tested using Fermats test for their primeness.

Appendix B Java Simulator

A Java simulator was written to implement a simplified version of our security protocol inorder to gain a better understanding of the Encryption-Decryption mechanism and to estimate the overhead incurred. The class files used are given below. // Generation of Prime Numbers used to generate the Public and Private Keys import java.io.*; import java.lang.*; import java.util.*; public class primeDetect { public static long generatePrime() { long primesList[] = {3, 5, 7, 11, 13, 17, 19, 23, 29, 31,37,41,43,47,53,59,61,67,71,73,79,83,89,97}; long primeNum=0; // The Prime Number Generated int i; boolean primeGen =true; // Flag that determines whether or not PrimeNumber has been Generated boolean testSucc = false; while (primeGen == true) { primeNum =1993+(long)( Math.random()*1997); System.out.println("Math.random()= "+Math.random()); if (primeNum % 2 ==0 ) primeNum++; for (i=0;i<24;i++) { if (((int)primeNum % primesList[i])==0) { testSucc=false; break; } testSucc=true; } if(testSucc) primeGen = fermatTest(primeNum,primesList); }

return primeNum; // Generated Prime Number } // Fermats Test for Prime Numbers public static boolean fermatTest(long primeNum,long[] primesList) { for(int i = 0;i < 24;i++) { if(modulus(primesList[i],primeNum-1,primeNum) != 1) return true; } return false; } // Computes Large exponential computations public static long modulus(long a, long b, long n) { long temp[] = new long[64]; for(int i = 0; i < 64; i++) temp[i] = 0; temp[0] = a % n; for(int i = 1; i < 64; i++) temp[i] = (temp[i-1] * temp[i-1]) % n; long bTemp = b; long product = 1; for(int i = 0; i < 64; i++) { if((bTemp & 1) == 1) product = (product * temp[i]) % n; bTemp = bTemp >> 1; } return product; } //Computes the GCD of the 2 Numbers public static long GCD(long u, long v) { long tempGCD=1,temp,rem; if(u<v) { temp=u;

u=v; v=temp; } rem = u % v; if(rem==0) tempGCD=v; else GCD(v,tempGCD); return tempGCD; } } // Encrypts the Character to be sent import java.io.*; import java.util.*; import java.lang.*; public class encryption { static long n,e; static long encrypt; public static int encrypt(long m,long n,long e) { encrypt=primeDetect.modulus(m,e,n); return (int)encrypt; // Encrypted Value } } // Decrypts the encryted value of the character that is received import java.io.*; import java.lang.*; public class decryption { static long n,d; static long decrypt; public static long decrypt(long m,long n,long d) { decrypt=primeDetect.modulus(m,d,n); return decrypt; //Decrypted Value } }

Appendix C
Modifications to DSR source code (in Network simulator) The following files in ns-2 were modified to implement the protocol: dsragent.cc hdr_sr.h packet.h mobilenode.h mobilenode.cc Modifications made to dsragent.cc Method : recv(<argument>

SRPacket p2(packet, srh); p2.dest = ID((Address::instance().get_nodeaddr(iph->daddr())),::IP); p2.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP); // if( (srh->KDC_req_rep_==4) && (p2.dest==net_id) ){ cout<<"Got the keys atlast "<<net_id.addr<<endl; node_->set_authentication(); srh->KDC_req_rep_=0; } if( (srh->KDC_req_rep_==2) && (p2.dest==net_id) ){ cout<<"Got the keys atlast "<<net_id.addr<<endl; // node_->set_authentication(); //Kerberos authentication ends here // --------------------- KDC_req_rep_ = 3 Added here ---------------------SRPacket rrp; rrp.dest = p2.src; rrp.src = net_id; rrp.pkt = allocpkt(); hdr_sr *srh1 = (hdr_sr*)rrp.pkt->access(off_sr_); hdr_ip *iph1 = (hdr_ip*)rrp.pkt->access(off_ip_); hdr_cmn *cmnh1 = (hdr_cmn*)rrp.pkt->access(off_cmn_); iph1->daddr() = Address::instance().create_ipaddr(p2.src.getNSAddr_t(),RT_PORT); iph1->dport() = RT_PORT;

iph1->saddr() = Address::instance().create_ipaddr(net_id.getNSAddr_t(),RT_PORT); iph1->sport() = RT_PORT; cmnh1->ptype() = PT_DSR; cmnh1->size() = size_ + IP_HDR_LEN; // add in IP header cmnh1->num_forwards() = 0; srh1->init(); srh->route_KDC() = 3; srh->route_request()=1; sendOutRtReq(rrp,4); } // if( (srh->route_KDC()==3) && (p2.dest==net_id) ){ if( (srh->KDC_req_rep_==3) && (p2.dest==net_id) ){ cout << "Got the Puzzle Solved " << net_id.addr<< "src req " << srh>route_request()<<endl; if(node_->is_KDC() == 1) { SRPacket p1(packet, srh); p1.dest = ID((Address::instance().get_nodeaddr(iph->daddr())),::IP); p1.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP); cout << " I am the KDC " << net_id.addr << "GOT "<<srh>KDC_req_rep_<<endl; handlePacketReceipt(p1); } } /* if( (srh->KDC_req_rep_==4) && (p2.dest==net_id) ){ cout << endl; cout << endl; cout << " AUTHENTICATED" << net_id.addr << endl; cout << endl; cout << endl; } */ if(cmh->next_hop() ==MAC_BROADCAST){ if (srh->KDC_req_rep_ == 1) { printf("%d) I got Authentication Request \n",net_id.addr); // // srh->route_KDC() = 2; sendOutBCastPkt(packet); if(node_->is_KDC() == 1) { SRPacket p1(packet, srh);

p1.dest = ID((Address::instance().get_nodeaddr(iph>daddr())),::IP); p1.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP); cout << " I am the KDC " << net_id.addr << endl; handlePacketReceipt(p1); } } if (srh->KDC_req_rep_ == 2) { cout << "Received Authentication message " <<net_id.addr << endl; node_->set_authentication(); } */ if(srh->KDC_req_rep_==3){ cout << "Got the Puzzle Solved inside" << net_id.addr<<endl; if(node_->is_KDC() == 1) { SRPacket p1(packet, srh); p1.dest = ID((Address::instance().get_nodeaddr(iph->daddr())),::IP); p1.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP); cout << " I am the KDC " << net_id.addr << "GOT "<<srh>KDC_req_rep_<<endl; handlePacketReceipt(p1); } } } if (cmh->KDC_req_rep_ ==1) printf("%d) I have received a packet\n",net_id.addr); assert(cmh->size() >= 0); SRPacket p(packet, srh); p.dest = ID((Address::instance().get_nodeaddr(iph->daddr())),::IP); p.src = ID((Address::instance().get_nodeaddr(iph->saddr())),::IP); /* other stuffs */ else if (srh->valid() == 1)

/*

{ if (p.dest == net_id || p.dest == IP_broadcast) { // this packet is intended for us /* if(cmh->next_hop_ == IP_BROADCAST) { cout << "SrcReq " << srh->route_request(); } */ //----removed now /* cout << "PACKET ================= >> RECEncrypted " << cmh->encrypted_ << " "; */ /* if(srh->route_request() || srh->route_reply()) cout << "Route Request/Reply Packet " << endl; */ //-----removed now // if (srh->KDC_req_rep_ ==1) // printf("\n%d) I got Authentication Request inside \n",net_id.addr) ; cout << endl; if (srh->KDC_req_rep_ == 2) { cout << "Received Authentication message " <<net_id.addr << endl; // node_->set_authentication(); } if(!(srh ->KDC_req_rep_)) handlePacketReceipt(p); goto done; }

Method : sendOutPacketWithRoute(<argument>) // ------------------------------- Encrypting the packet -------------------if (srh->route_request()) { // broadcast forward cmnh->xmit_failure_ = 0; cmnh->next_hop() = MAC_BROADCAST; cmnh->addr_type() = NS_AF_ILINK; // if(srh->KDC_req_rep_ == 1) // srh->route_request() = 0;

//

cmnh->encrypted_ = sh1.packet_encrypted(); // encrypting the packets. cout << "Sending Source Request " << srh->KDC_req_rep_ << endl; if(node_->is_secureNode()) cmnh->encrypted_ = sh1.packet_encrypted(); if(cmnh->encrypted_) cmnh->size_=(int)(cmnh->size_ * 3.2); // 3.2 times the // unencrypted value

} else { // forward according to source route cmnh->xmit_failure_ = XmitFailureCallback; cmnh->xmit_failure_data_ = (void *) this; cmnh->next_hop() = srh->get_next_addr(); cmnh->addr_type() = srh->get_next_type(); srh->cur_addr() = srh->cur_addr() + 1; // cmnh->encrypted_ = sh1.packet_encrypted(); // encrypting the packets. if(node_->is_secureNode()) cmnh->encrypted_ = sh1.packet_encrypted(); if(cmnh->encrypted_) cmnh->size_=(int)(cmnh->size_ * 3.2); // 3.2 times the // unencrypted value }

Method: getRouteForPacket(<arguments>)

//------------------------ Authentication Packet ---------------------------------SRPacket auth_req; //----------------------------------/* Source Request Packet Generation */ //------------------------ Authentication Packet ---------------------------------auth_req = rrp; // cmnh->route_KDC()=1;

if(node_->is_secureNode()) if(node_->has_authenticated() == -1) { sendOutRtReq(auth_req,4); // node_->set_authentication(); // cout << "Authentication message generated by " << net_id.addr << endl; } //-----------------------------------------------------------------------------------

Method: sendOutRtReq(<argument>) //----------- Setting the Authentication Request Bit---------------------if(node_->is_secureNode()) if(node_->has_authenticated() == -1) srh->route_KDC() = 1; //--------------------------------------------------------------------Method:returnSrcRteForOutsideDomainToRequestor(<arguments>) /------------------------ Authentication Packet ---------------------------------// cmnh->route_KDC()=1; cout << "LOOK HERE =>>>> " << old_srh->KDC_req_rep_ << endl; if((old_srh->KDC_req_rep_ == 1)) { // // if(node_->is_KDC() == 1) { auth_rep = p_copy; hdr_sr *auth_srh = (hdr_sr*)auth_rep.pkt->access(off_sr_); new_srh->route_KDC() = 2; cout<<"Setting information on header"<<new_srh->route_KDC(); new_srh->route_reply() =1; cout << "Sending Authenticating Message " << net_id.addr << endl; } } else if((old_srh->KDC_req_rep_ == 3)) { // if(node_->is_KDC() == 1) { auth_rep = p_copy;

//

hdr_sr *auth_srh = (hdr_sr*)auth_rep.pkt->access(off_sr_); new_srh->route_KDC() = 4; cout<<"Setting information on header"<<new_srh->route_KDC(); new_srh->route_reply() =1; cout << "Sending the Keys " << net_id.addr << endl; }

} else new_srh->route_reply() = 1; //-----------------------------------------------------------------------------------

Modifications made to hdr_sr.h //------------------------- Modified for Kerberos -----------------------struct hdr_sr { /* other Parameters */ int KDC_req_rep_; // KDC_req_rep_ = 1 for requesting Authenticating // & getting Public Key // KDC_req_rep_ = 2 for reply from KDC // KDC_req_rep_ = 3 for getting Private Key int encrypted_; // set to 1 to indicate encrypted //--------------------- end of Modifications. -----------------------------/* other methods */ // --------------------------- Added for authentication -------------------inline int& route_KDC() {return KDC_req_rep_;} inline void set_encryption() { encrypted_ = 1; }

inline int& packet_encrypted() { return encrypted_;} // -------------------------------------------------------------------------} Modification to packet.h struct hdr_cmn { /* other Parameters */ //------------------------- Modified for Kerberos -----------------------int KDC_req_rep_; // KDC_req_rep_ = 1 for requesting Authenticating // & getting Public Key & Private Key // KDC_req_rep_ = 2 for reply from KDC int encrypted_; // set to 1 to indicate encrypted //--------------------- end of Modifications.-----------------------------/* other methods */ //-------------------added ---------------------inline int& route_KDC(){ return (KDC_req_rep_); } //-------------------------------------------------} Modifications made to Mobile Node.cc // -------------KDC -------------------------

else if (strcmp(argv[1],"kdcNODE") == 0) { //base_stn_ = (MobileNode*) //TclObject::lookup(argv[2]); kdc_node_ = atoi(argv[2]); return TCL_OK; }

else if (strcmp(argv[1],"secureNODE") == 0) { //base_stn_ = (MobileNode*) //TclObject::lookup(argv[2]); is_secure_node_ = atoi(argv[2]); return TCL_OK; } // -------------------------------------------------------Modifications to Mobile Node .h class MobileNode : public Node { // -------------------KDC --------------------inline int is_secureNode() {return is_secure_node_; } inline void set_kdc() {kdc_node_ =1;} inline void set_secure_node() { is_secure_node_ =1; } inline void set_authentication() { has_authenticated_ =1;} inline int is_KDC() {return kdc_node_; } inline int has_authenticated() {return has_authenticated_; } // -------------------------------------------------------/* other Methods */ // -----------------KDC ------------------------

int kdc_node_; int is_secure_node_; int has_authenticated_; // ---------------------------------------------------};