100%(1)100% нашли этот документ полезным (1 голос)
393 просмотров9 страниц
An ad hoc network is a collection of wireless computers (nodes) communicating among themselves. The Secure Efficient Ad hoc distance vector routing protocol (SEAD) is based on the design of the DSDV. It is robust against multiple uncoordinated attackers creating incorrect routing state in any other node.
An ad hoc network is a collection of wireless computers (nodes) communicating among themselves. The Secure Efficient Ad hoc distance vector routing protocol (SEAD) is based on the design of the DSDV. It is robust against multiple uncoordinated attackers creating incorrect routing state in any other node.
Авторское право:
Attribution Non-Commercial (BY-NC)
Доступные форматы
Скачайте в формате DOC, PDF, TXT или читайте онлайн в Scribd
An ad hoc network is a collection of wireless computers (nodes) communicating among themselves. The Secure Efficient Ad hoc distance vector routing protocol (SEAD) is based on the design of the DSDV. It is robust against multiple uncoordinated attackers creating incorrect routing state in any other node.
Авторское право:
Attribution Non-Commercial (BY-NC)
Доступные форматы
Скачайте в формате DOC, PDF, TXT или читайте онлайн в Scribd
An ad hoc network is a other nodes to relay messages as routers. collection of wireless computers (nodes), Node mobility in an ad hoc network communicating among themselves over causes frequent changes of the network possibly multihop paths, without the topology. Figure 1 shows such an help of any infrastructure such as base example: initially, nodes A and D have a stations or access points. Although many direct link between them. When D previous ad hoc network routing moves out of A’s radio range, the link is protocols have been based in part on broken. However, the network is still distance vector approaches, they have connected, because A can reach D generally assumed a trusted through C, E, and F.Military tactical environment. The Secure Efficient Ad operations are still the main application hoc Distance vector routing protocol of ad hoc networks today. For example, (SEAD), a secure ad hoc network military units (e.g., soldiers, tanks, or routing protocol based on the design of planes), equipped with wireless the Destination-Sequenced Distance- communication devices, could form an Vector routing protocol (DSDV). In ad hoc network when they roam in a order to support use with nodes of battlefield. Ad hoc networks can also be limited CPU processing capability,and used for emergency, law enforcement, to guard against Denial-of-Service and rescue missions. Since an ad hoc (DoS) attacks in which an attacker network can be deployed rapidly with attempts to cause other nodes to relatively low cost, it becomes an consume excess network bandwidth or attractive option for commercial uses processing time, we use efficient one- such as sensor networks or virtual way hash functions and do not use classrooms. Secure ad hoc network asymmetric cryptographic operations in routing protocols are difficult to design, the protocol. It is robust against due to the generally highly dynamic multiple uncoordinated attackers nature of an ad hoc network and due to creating incorrect routing state in any the need to operate efficiently with other node, even in spite of any active limited resources, including network attackers or compromised nodes in the bandwidth and the CPU processing network. capacity, memory, and battery Introduction power(energy) of each individual node Ad hoc networks are a new in the network. Existing insecure ad hoc paradigm of wireless communication for network routing protocols are often mobile hosts (which we call nodes). In highly optimized to spread new routing an ad hoc network, there is no fixed information quickly as conditions infrastructure such as base stations or change, requiring more rapid and often mobile switching centers. Mobile nodes more frequent routing protocol that are within each other’s radio range interaction between nodes than is typical communicate directly via wireless links, in a traditional (e.g., wired and stationary) network. Expensive and service for any security framework. cumbersome security mechanisms can Confidentiality ensures that certain delay or prevent such exchanges of information is never disclosed to routing information, leading to reduced unauthorized entities. Network routing effectiveness, and may consume transmission of sensitive information, excessive network or node resources, such as strategic or tactical military leading to many new opportunities for information, requires confidentiality. possible Denial-of-Service (DoS) attacks Leakage of such information to enemies through the routing protocol. could have devastating consequences. Routing information must also remain Security Goals confidential in certain cases, because the Security is an important issue for information might be valuable for ad hoc networks, especially for those enemies to identify and to locate their security-sensitive applications. To secure targets in a battlefield.Integrity an ad hoc network, we consider the guarantees that a message being following attributes: availability, transferred is never corrupted. A confidentiality, integrity, authentication, message could be corrupted because of and non-repudiation. benign failures, such as radio propagation impairment, or because of malicious attacks on the network. Authentication enables a node to ensure the identity of the peer node it is communicating with. Without authentication, an adversary could masquerade a node, thus gaining Figure 1: Topology change in ad hoc unauthorized access to resource and networks: nodes A, B, C, D, E, and F sensitive information and interfering constitute an ad hoc network.The circle with the operation of other nodes. represent the radio range of node A. The Finally, non-repudiation ensures that the network initially has the topology in (a). origin of a message cannot deny having When node D moves out of the radio sent the message. Non repudiation is range of A, the network topology useful for detection and isolation of changes to the one in (b). Availability compromised nodes. When a node A ensures the survivability of network receives an erroneous message from a services despite denial of service attacks. node B, non-repudiation allows A to A denial of service attack could be accuse B using this message and to launched at any layer of an ad hoc convince other nodes that B is network. On the physical and media compromised. There are other security access control layers, an adversary could goals (e.g., authorization) that are of employ jamming to interfere with concern to certain applications, but we communication on physical channels. will not pursue these issues in this paper. On the network layer, an adversary could disrupt the routing protocol and Routing In Mobile Ad Hoc Networks disconnect the network. On the higher Routing in mobile ad hoc layers, an adversary could bring down networks faces additional problems and high-level services. One such target is challenges when compared to routing in the key management service, an essential traditional wired networks with fixed the destination is known as the metric in infrastructure. There are several well- that table entry. When routing a packet known protocols in the literature that to some destination, the node transmits have been specifically developed to cope the packet to the indicated neighbor with the limitations imposed by ad hoc router, and each router in turn uses its networking environments. The problem own routing table to forward the packet of routing in such environments is along its next hop toward the aggravated by limiting factors such as destination. rapidly changing topologies, high power To maintain the routing tables, consumption, low bandwidth and high each node periodically transmits a error rates [2]. Most of the existing routing update to to each of its neighbor routing protocols follow two different routers, containing the information from design approaches to confront the its own routing table. Each node uses inherent characteristics of ad hoc this information advertised by its networks, namely the table-driven and neighbors to update its own table, so that the source-initiated on-demand its route for each destination uses as a approaches. next hop the neighbor that advertised the smallest metric in its update for that Distance Vector Routing destination; the node sets the metric in A distance vector routing its table entry for that destination to 1 protocol finds shortest paths between (hop) more than the metric in that nodes in the network through a neighbor’s update. A common distributed implementation of the optimization to this basic procedure to classical Bellman-Ford algorithm. As spread changed routing information noted in Section 1, distance vector through the network more quickly is the protocols are easy to implement and are use of triggered updates, in which a efficient in terms of memory and CPU node transmits a new update about some processing capacity required at each destination as soon as the metric in its node. A popular example of a distance table entry for that destination changes, vector routing protocol is RIP [14, 26], rather than waiting for its next scheduled which is widely used in IP networks of periodic update to be sent. Distance moderate size. Distance vector routing vector routing protocols are simple, but can be used for routing within an ad hoc they cannot guarantee not to produce network by having each node in the routing loops between different nodes network act as a router and participate in for some destination. Such loops are the routing protocol. In distance vector eventually resolved by the protocol routing, each router maintains a routing through many rounds of routing table table listing all possible destinations updates in what is known as “counting to within the network. Each entry in a infinity” in the metric for this node’s routing table contains the address destination; to reduce time needed for (identity) of some destination, this this resolution, the maximum metric node’s shortest known distance (usually value allowed by the protocol is in number of hops) to that destination, typically defined to be relatively small, and the address of this node’s neighbor such as 15 as is used in RIP [14, 26]. To router that is the first hop on this shortest further reduce these problems, a number route to that destination; the distance to of extensions, such as split horizon and split horizon with poisoned reverse [14, attacker is that it is able to eavesdrop the 26], are widely used. These extensions, communication between two legitimate however, can still allow some loops, and network participants, inject fabricated the possible problems that can create messages and delete, alter or replay routing loops are more common in captured packets. wireless and mobile networks such as ad Weaker assumptions of external hoc networks, due to the motion of the attackers include the ability to inject nodes and the possible changes in messages but not read them, or read and wireless propagation conditions. replay messages but not inject new ones, or just the ability to read messages. Security Problems with Existing Ad Cryptographic solutions can be Hoc Routing Protocols employed to prevent the impact of The main assumption of the external attackers by mutual previously presented ad hoc routing authentication of the participating nodes protocols is that all participating nodes through digital signature schemes [14]. do so in good faith and without However, the underlying protocols maliciously disrupting the operation of should also be considered since an the protocol [11, 12]. However, the attacker could manipulate a lower level existence of malicious entities cannot be protocol to interrupt a security disregarded in any system, especially in mechanism in a higher level. Although open ones like ad hoc networks. The these attacks are a significant part of a RPSEC IETF working group has complete threat assessment, our analysis performed a threat analysis that is focuses only on network-layer threats applicable to routing protocols employed and countermeasures. Internal attackers in a wide range of application scenarios have the capabilities of the strongest [13]. According to this work, the routing outside attacker, as they are legitimate function can be disrupted by internal or participants of the routing process. external attackers. An internal attacker Having complete access to the can be any legitimate participant of the communication link they are able to routing protocol. An external attacker is advertise false routing information at defined as any other entity. As we have will and force arbitrary routing decisions previously noted, we consider denial-of- on their peers [15]. One of the most service attacks that target the utilized difficult to detect problems in routing is wireless medium, such as frequency that of Byzantine failures. These failures jamming, outside the scope of our threat are the result of nodes that behave in a model. Two commonly used way that does not comply with the countermeasures against jamming are protocol. The reasons for the erroneous frequency hopping spread spectrum behavior could be software or hardware (FHSS) and direct sequence spread faults, mistakes in the configuration, or spectrum (DSSS) [45]. Furthermore, malicious compromises. Attempts to outside the scope of our threat model are solve the problem of Byzantine failures transport layer attacks, such as session have been proposed for both hijacking, and application layer attacks, infrastructures [16] and infrastructure such as repudiation-based attacks and less networks [17]. Based on this threat user information disclosure. The analysis and the identified capabilities of strongest assumption for an external the potential attackers, we will now discuss several specific attacks that can target the operation of a routing protocol in an ad hoc network. 1• Location disclosure [18]: Location disclosure is an attack that targets the privacy requirements of an ad hoc network. Through the use of traffic analysis techniques [19], or with simpler probing and monitoring approaches an attacker is able to A wormhole attack performed by discover the location of a node, or even the colluding malicious nodes A and B. structure of the entire network. 1• Blackmail [21]: This attack is 2• Black hole [15]: In a black hole attack a relevant against routing protocols malicious node injects false route replies to that use mechanisms for the the route requests it receives advertising identification of malicious nodes and itself as having the shortest path to a propagate messages that try to destination. These fake replies can be blacklist the offender. An attacker fabricated to divert network traffic through may fabricate such reporting the malicious node for eavesdropping, or messages and try to isolate legitimate simply to attract all traffic to it in order to nodes from the network. The security perform a denial of service attack by property of non-repudiation can dropping the received packets. prove to be useful in such cases since 3• Replay [13]: An attacker that performs a it binds a node to the messages it replay attack injects into the network routing generated [22]. traffic that has been captured previously. • Denial of service: Denial of service This attack usually targets the freshness of attacks aim at the complete disruption of routes, but can also be used to undermine the routing function and therefore the poorly designed security solutions. whole operation of the ad hoc network. 4• Wormhole [20]: The wormhole attack is Specific instances of denial of service one of the most powerful presented here attacks include the routing table since it involves the cooperation between overflow [18] and the sleep deprivation two malicious nodes that participate in the torture [23]. In a routing table overflow network. One attacker, say node A, captures attack the malicious node floods the routing traffic at one point of the network network with bogus route creation and tunnels them to another point in the packets in order to consume the network, say to node B, that shares a private resources of the participating nodes and communication link with A. Node B then disrupt the establishment of legitimate selectively injects tunneled traffic back into routes. The sleep deprivation torture the network (see Figure 1). The connectivity aims at the consumption of batteries of a of the nodes that have established routes specific node by constantly keeping it over the wormhole link is completely under engaged in routing decisions. the control of the two colluding attackers. 2 3• Routing table poisoning: Routing protocols maintain tables which hold information regarding routes of the network. In poisoning attacks the malicious nodes generate and send fabricated signaling traffic, or modify legitimate messages from other nodes, in order to create false entries that provide security for ad hoc routing. in the tables of the participating nodes. For However, this classification is only example, an attacker can send routing indicative since a lot of solutions can be updates that do not correspond to actual classified into more than one category. changes in the topology of the ad hoc As we will see in the rest of this paper, network. Routing table poisoning attacks most proposals follow similar can result in selection of non-optimal routes, approaches to solve the problems of creation of routing loops, bottlenecks and insecure ad hoc routing protocols even partitioning certain parts of the hindering extensive classification network. attempts. 4 Secure Ad hoc Routing Secure Routing Protocol (SRP) There exist several proposals that The Secure Routing Protocol attempt to architect a secure routing (SRP) is a set of security extensions that protocol for ad hoc networks, in order to can be applied to any ad hoc routing offer protection against the attacks protocol that utilizes broadcasting as its mentioned in the previous section. These route querying method [26]. The authors proposed solutions are either completely mention specifically DSR as a new stand-alone protocols, or in some particularly appropriate protocol for cases incorporations of security incorporating their proposed security mechanisms into existing ones (like extensions. The operation of SRP DSR and AODV). As we will see, the requires the existence of a security design of these solutions focuses on association (SA) between the source providing countermeasures against node initiating a route query and the specific attacks, or sets of attacks. destination node. This security Furthermore, a common design principle association can be utilized in order to in all the examined proposals is the establish a shared secret key between the performance-security trade-off balance. two, which is used by SRP.The SRP Since routing is an essential function of protocol, appends a header (SRP header) ad hoc networks, the integrated security to the packet of the basis routing procedures should not hinder its protocol. The source node sends a route operation. Another important part of the request with a query sequence (QSEQ) analysis is the examination of the number that is used by the destination in assumptions and the requirements that order to identify outdated requests, a each solution depends on. Although a random query identifier (QID) that is protocol might be able to satisfy certain used to identify the specific request, and security constraints, its operational the output of a keyed hash function, as requirements might thwart its successful shown in Figure 4. The input to the employment.In order to analyze the function is the IP header, the header of proposed solutions in a structured way the basis protocol, and the shared secret we have classified them into five between the two nodes. categories; solutions based on asymmetric cryptography, solutions based on symmetric cryptography, hybrid solutions, reputation-based solutions and a category of mechanisms that they correspond to the active query, compares the IP source route with the reverse of the route in the payload of the reply, and if they match it calculates the MAC. Although the authors do not encourage the optimization of intermediate node replies to a route SRP Packet Header: the input to the query as a severe vulnerability, they keyed hash function is the IP header, the propose an extension to SRP that header of the basis protocol, and the implements this functionality. They shared secret. accomplish this by defining groups of The mutable fields of the request, nodes with shared secrets. Route like the accumulated addresses of the maintenance is realized in SRP by route intermediate nodes, are transmitted in error messages that are source-routed the clear. The intermediate nodes along the prefix of the path that they broadcast the query to their neighbors, report as broken. When the notified node after updating their routing tables. The receives a route error packet it compares query is dropped in case it has the same the route taken by the packet with the QID with an entry in an intermediate prefix of the corresponding route. node’s routing table. Furthermore, all However this approach cannot guarantee nodes maintain a priority ranking of their that a malicious node did not fabricate neighbors according to the rate of the the route error packets. SRP consists of generated route queries. Nodes that several security extensions that can be generate a low rate of queries have a applied to existing ad hoc routing higher priority. This guarantees that the protocols providing end-to-end routing protocol is responsive [26]. The authentication. The operational destination confirms that the query is not requirement of SRP is the existence of a outdated or replayed through the QSEQ, security association between every and verifies its integrity and authenticity source and destination node. The through the calculation of the keyed security association is used to establish a hash. In response to a valid route query shared secret between the two nodes, the destination node generates a number and the non-mutable fields of the of replies with different routes, at most exchanged routing messages are as many as its number of neighbors. protected by this shared secret. Secure Efficient Ad hoc Distance This mechanism is an additional Vector Routing (SEAD) protection against malicious nodes that The Secure Efficient Ad hoc attempt to modify route replies. A route Distance vector (SEAD) is a secure ad reply consists of the path from the hoc network routing protocol based on source to the destination, the QSEQ and the design of the Destination-Sequenced QID numbers. The integrity and Distance-Vector (DSDV) algorithm [21]. authenticity of the reply is ensured In order to find the shortest path between through the same method as the route two nodes, the distance vector routing request, namely with a message protocols utilize a distributed version of authentication code (MAC). The source the Bellman-Ford algorithm [5]. The node checks the QSEQ and QID SEAD routing protocol employs the use numbers of the reply in order to verify of hash chains to authenticate hop counts authenticate the source of each routing and sequence numbers. Applying update. repeatedly a one-way hash function to a The first method requires clock random value creates a hash chain. The synchronization between the nodes that elements of such a chain are used to participate in the ad hoc network, and secure the updates of the routing employs broadcast authentication protocol. SEAD requires the existence of mechanisms such as TESLA [27]. The an authentication and key distribution second method requires the existence of scheme in order to authenticate one a shared secret between each pair of element of a hash chain between two nodes. This secret can be utilized in nodes. Given this authenticated element, order to use a message authentication a node is able to verify later elements in code (MAC) between the nodes that the chain [21]. must authenticate a routing update When a node transmits a routing message. In SEAD every node that update it includes one value from the participates in the ad hoc network has a hash chain for each entry in the update hash chain. The elements of the hash message. Moreover, it includes the chain are used in succession to address of the destination node (or its authenticate the entries in the transmitted own address if the update concerns routing messages, given that an initial itself), the metric and the sequence authenticated element exists. The hash number of the destination (from its chains have a finite size and must be routing table), and a hash value equal to generated again when all their elements the hash of the hash value received when have been used. it learned the route to the destination. This hash value can be authenticated by the nodes that receive this routing update since they have an already authenticated element of the same hash chain. As noted by the authors of the protocol, this mechanism allows other nodes to only increase the metric in a routing update, but not to decrease it. In order to avoid denial of service attacks, a receiving node can specify the exact number of hashes it is willing to perform for each Conclusion authentication. A node that receives a This survey has presented the routing update, verifies the most well known protocols for securing authentication of each entry of the the routing function in mobile ad hoc message. The hash value of each entry is networks. The analysis of the different hashed the correct number of times and proposals has demonstrated that the it is compared to the previously inherent characteristics of ad hoc authenticated value. Depending on this networks, such as lack of infrastructure comparison the routing update is either and rapidly changing topologies, accepted as authenticated, or discarded. introduce additional difficulties to the The SEAD routing protocol proposes already complicated problem of secure two different methods in order to routing. The comparison we have volume 353. Kluwer Academic completed between the surveyed Publishers, 1996. protocols indicates that the design of a [8] M. G. Zapata. Internet Draft: Secure secure ad hoc routing protocol Ad hoc On-Demand Distance Vector constitutes a challenging research (SAODV)Routing. problem since already existing generic [9]S. Buchegger, and J.-Y. Le Boudec, solutions, like IPSec, cannot be “Performance Analysis of the successfully applied. Additionally, the CONFIDANT Protocol (Cooperation Of flexibility of ad hoc networks enables Nodes: Fairness In Dynamic Ad hoc them to be deployed in diverse NeTworks),” Proc. 3rd Symp. Mobile Ad application scenarios. hoc Networking and Computing (MobiHoc 2002), ACM Press, 2002, pp. References 226-236. [1] J. Lundberg, “Routing Security in Ad [10] J. Kong, P. Zerfos, H. Luo, S. Lu, hocNetworks,”http://citeseer.nj.nec.com/ and L. Zhang, “Providing Robust and 400961.html. Ubiquitous Security Support for Mobile [2] B. R. Smith, S. Murphy, and J. J. Ad hoc Networks”, Proc. 9th Int’l. Conf. Garcia-Luna-aceves. Securing distance- on Network Protocols (ICNP), 2001. vector routing protocols. In Proceedings of Symposium on Network and Distributed System Security, pages 85–92, Los Alamitos, CA, February 1997. The Internet Society, IEEE Computer Society Press. [3] T. Aura. Internet Draft: Cryptographically Generated Addresses (CGA).http://www.ietf.org/proceedings/ 04mar/I-D/draftietf-send-cga-05.txt, February 2004. [4] E. M. Belding-Royer. Report on the AODV interop.http://www.cs.ucsb.edu/~ ebelding/txt/interop.ps, June 2002. [5] Y.-C. Hu, A. Perrig, and D. B. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. In Proceedings of the 2003 ACM workshop on Wireless security, pages 30–40. ACM Press, 2003. [6] V. Jacobson, C. Leres, and S. McCanne. TCPDUMP group’srelease 3.8.3. http://www.tcpdump.org/. [7] D. B. Johnson and D. A. Maltz. Dynamic Source Routing in Ad Hoc Wireless Networks. In Imielinski and Korth, editors, Mobile Computing,