Ad Hoc & Sensor Wireless Networks Vol. 00, pp. 1–26 Reprints available directly from the publisher Photocopying permitted by license only

©2007 Old City Publishing, Inc. Published by license under the OCP Science imprint, a member of the Old City Publishing Group

On Secure Mobile Ad hoc Routing Xu Li1 , Amiya Nayak2 , Isabelle Ryl3 , and David Simplot3 1 SCS,

Carleton Univ., 1125 Colonel By Dr., Ottawa, Canada E-mail: [email protected] 2 SITE, Univ. of Ottawa, 800 King Edward Ave., Ottawa, Canada 3 IRCICA/LIFL, Univ. Lille 1, CNRS UMR 8022, INRIA Futurs, France Received: October 13, 2006. Accepted: June 14, 2007.

Many plain routing protocols have been proposed for mobile ad hoc networks. These protocols all assume cooperative networks and focus only on routing effectiveness and efficiency. However, mobile ad hoc networks are not a friendly environment for various reasons in nature. Routing Protocols without any security feature can put entire network at risk. As security becomes an increasingly important issue, secure mobile ad hoc routing is attracting more and more research attention. In this paper, we make a comprehensive investigation on the issue of network security and conduct an up-to-date survey of secure mobile ad hoc routing protocols. Keywords: Mobile Ad hoc Networks, Routing Protocols, Security, Anonymity, Secure Routing, Anonymous Routing.

1 INTRODUCTION A mobile ad hoc network (MANET) is an infrastructureless environment composed of battery-powered mobile nodes that communicate through radio frequency without centralized administration. Because wireless nodes have limited transmission range, MANET communication relies on multi-hop message relay, which makes routing a primary issue. Research efforts have yielded many well-known plain routing protocols [1,13,16,17,20,22,23] that all assume a perfectly cooperative network. However, MANETs are not such a friendly setting for a variety of reasons in nature. Adverse nodes can freely join the network, listen to and/or interfere with network traffic, and compromise network nodes; selfish nodes can refuse to cooperate and possibly cause various network failures. Since routing protocols are a fundamental tool

1

“aswin62” — 2007/9/21 — 12:41 — page 1 — #1

2

Xu Li et al.

of network-based computation, attacks on insecured routing protocols can disrupt network performance and reliability. In the literature, the concept of security has been properly defined; many security-enabling techniques have been developed for wired networks. Because wired networks and wireless networks share the same security goal, the existing security-enabling techniques can also be applied to MANETs. In the past a few years, a number of secure routing protocols [2,3,9,10,12,14,15,18,21,28,30,33–36] were proposed for MANETs. In this paper, we are going to make a comprehensive investigation on the issue of network security and conduct an up-to-date survey of secure mobile ad hoc routing protocols. The remainder of the paper is organized as follows: Section 2 classifies network attacks and gives some practical attack examples; Section 3 defines the concept of security; Section 4 presents four types of security-enabling techniques that can be employed to support different security services; Section 5 surveys a number of secure mobile ad hoc routing protocols; Section 6 concludes the paper.

2 TAXONOMY OF NETWORK ATTACKS MANETs are vulnerable to various network attacks due to a number of factors such as the broadcast nature of wireless communication medium, multihop communication, node mobility and the lack of infrastructure. Network attacks in MANETs can categorized as passive attacks and active attacks [32]. In practice, they are often combined together by attackers for various purposes (e.g., routing disruption and resource consumption). In the following, we first discuss the two types of attacks and then introduce some practical attack examples. 2.1 Passive attacks A passive attack happens when an attacker unintrusively eavesdrops on network traffic. Its primary goal is to discover valuable information embedded in the messages transmitted over the communication channel. Passive attacks constitute a non-ignorable threat to the security and privacy of the network. If traffic is not cryptographically encoded, attackers will be able to capture confidential information such as credit card number, passwords, configuration data and system logs simply by passive listening. Even if data is encrypted, the traffic analysis on clear control information, for example, routing information, can expose nodes’ identities, disclose the relationship between nodes, or reveal the topology of the network. Using discovered information, a passive attacker may actively interferes with network traffic, resulting in a major disruption of the network.

“aswin62” — 2007/9/21 — 12:41 — page 2 — #2

Secure mobile Ad hoc Routing, SI AINA

3

2.2 Active Attacks An active attack involves the direct intervention of an attacker with network traffic. For instance, an active attackers adversely participate in routing protocols by deliberately replaying, inserting, modifying, or deleting routing packets, leading to protocol disfunction, network congestion, information leakage and the failure of higher-level applications. Active attacks often happen in the following forms or the combination thereof: • Masquerade: In this attack, the attacker impersonates certain legal user to illegally gain some services that are not supposed to be accessed by him. For example, during a route discovery process, the attacker might deceive the sender by replying the route request using the destination’s identity to obtain confidential information such as password. • Replay: In this attack, the attacker intercepts some valid messages, records them, and re-sends them later to the original receiver. For example, an attacker may adversely re-broadcast an old valid route advertisement and then mislead its neighbors in updating their routing tables with stale routing information. • Message Insertion: In this attack, the attacker forges messages (with fake source addresses) and injects them into the network. In most cases, this attack appears as part of another attack, e.g., a blackhole attack. • Message Modification: In this attack, the attacker removes a message from network traffic, alters it adversely, and then re-sends it. For example, the attacker maliciously modifies the routing metric field of every route request message he receives before re-transmitting them, so that his neighbors are most likely to route packets through him, and he might later performs further attacks, e.g., a man-in-the-middle attack. • Message Deletion: In this attack, the attacker adversely removes messages from network traffic. For example, the attacker drops all the messages going through him from a certain source node, causing a communication failure. • Denial-of-Service (DoS): In this attack, the attacker attempts to stop the normal use of network resources by over-consuming them. For example, the attacker frequently floods the entire network to consume network bandwidth and thereby prevents legitimate network traffic. 2.3 Attacks in Practice In practice, attacks are often the combinations of some simple attacks introduced above. Depending on their purposes, practical attacks can be classified as resource consumption attacks or routing disruption attacks. The objective of resource consumption attacks is to stop the normal use of network

“aswin62” — 2007/9/21 — 12:41 — page 3 — #3

4

Xu Li et al.

resources by over-consuming them, as is the case with DoS attacks. Routing disruption attacks aim at disrupting the normal operation of routing protocols by adversely dropping and/or modifying routing packets and fraudulently disseminating incorrect routing information. In what follows, we will introduce some typical routing disruption attacks. • Blackhole Attacks: In this attack, the attacker provides false routing metrics to all possible destinations such that all its neighbors route packets through it, and then, it discards all the packets it receives. The blackhole attack creates a black hole in the network, which attracts and drops packets. A special case of blackhole attack is called grayhole attack. In a grayhole attack, the attacker selectively discards packets, for example, dropping all the data packets except routing packets. • Man-in-the-middle Attacks: In this attack, the attacker is present on the message path linking the sender to the receiver. He monitors all the messages exchanged between the two communicating nodes to obtain any unprotected information, and he may also perform other attacks by impersonating one communicating node while talking with the other. • Wormhole Attacks: This attack requires the collusion of multiple malicious nodes. The attacker records a message at one location in the network, tunnels it to another location, and relays it with the help from the colluding adverse nodes. Since a wormhole attack misleads the sender and the receiver to incorrect knowledge about their distance, discovering routes more than one or two hop long always fail. • Rushing Attacks: It is harmful only when used against the on-demand routing protocols with duplicate suppression mechanisms at each node. In this attack, the attacker broadcasts a forged route request message which makes the legitimate one like a duplicate. If all the neighbors of the destination receive the forged route request from the attacker first, they will discard the genuine one later. Rushing attacks can cause route discovery failure.

3 DEFINITION OF SECURITY The concept of security has been properly defined in the literature. For example, ITU organization [11] identified five security services: data confidentiality, data integrity, authentication, non-repudiation and access control, which are are widely recognized as standard services that a secure system should provide. Another important security service is anonymity [24]. Depending on requirement, these security services can be implemented optionally or in combination to provide different level of protection.

“aswin62” — 2007/9/21 — 12:41 — page 4 — #4

Secure mobile Ad hoc Routing, SI AINA

5

3.1 Standard Security Service The following gives a clear definition of the five standard security services. 1. Data Confidentiality: It is the property in which the information embedded in network traffic is prevented from unauthorized disclosure. Since one of the main reasons that an attacker can successfully attack network nodes and protocols is the leak of sensitive information such as passwords and configuration data, data confidentiality is a very important property of network security. 2. Data Integrity: It is the property in which the originalness of the information transmitted over the network is ensured. It is often combined with data origin authentication since data integrity alone can not help receivers decide whether the received data are forged or have been tampered with. 3. Authentication: It is the property in which the identity of the connected entity (node) can be confirmed during connection phase (i.e., peer entity authentication), and the source of a message transmitted during the data transfer phase can be verified (i.e., data origin authentication). 4. Non-repudiation: It is the property in which communication participants’ denial of the existence of their involvement in communication is prevented. Non-repudiation together with proper evidence can prevent senders’ attempts of disavowing having sent a message, and prohibit receivers’ intentions of falsely denying having received a message. 5. Access Control: It is the property in which accessible resources, including information, programs, storage space, CPU cycle and communicating devices to name a few, are protected against unauthorized use over communication channels. 3.2 Anonymity Protection The standard security services focus on data/resource protection, while anonymity emphasizes on identity protection. There four types of anonymity protections: 1. Sender anonymity: It hides the identities of message senders so that any node can not tell from whom the message is originated. 2. Receiver anonymity: It protects the identities of message receivers so that any node that sees a message can not tell to whom the message is designated. 3. Route anonymity: It hides routing information so that no one can identify the route connecting two communicating nodes by tracing traffic flows.

“aswin62” — 2007/9/21 — 12:41 — page 5 — #5

6

Xu Li et al.

4. Unlinkability: It protects the communication relationship between two nodes so that no one can tell which node a node is talking to. That is, although a sender and a receiver can be identified as participating in some communication, their connection is still protected.

4 SECURITY-ENABLING TECHNIQUES In this section, we are going to introduce some security-enabling techniques including cryptography schemes, authentication methods, incentive mechanisms and anonymity approaches. Among these techniques, the first three are considered basic since they often serve as a building block of advanced security mechanisms. 4.1 Cryptography Schemes In order for networks to provide the above fundamental security services, the use of cryptography is a must [6]. In any cryptography scheme, there are two types of operations involved, encryption and decryption. Encryption is the process of transforming plaintext, i.e., readable and comprehensible text, into an encoded and unreadable gibberish – ciphertext. The inverse transformation, namely, the process of inverting ciphertext to plaintext, is referred to as decryption. Encryption is used to disguise the real substance of data from unauthorized readers, and thus, it protects data confidentiality. Cryptographic algorithms themselves are public, but the secret parameters (encryption/decryption keys) that they use are known only to the intended ones (senders and/or receivers); based on whether encryption keys are the same as decryption keys, cryptography schemes can be classified as either symmetric or asymmetric. 4.1.1 Symmetric Cryptography Symmetric cryptography schemes use the same secret key for both encryption and decryption. Thus, each entity maintains only one key. For any pair of communicating entities, they should share a secret key beforehand in order to communicate; if a group of more than two entities want to communicate, they have to share the same secret key. There exists basically two types of symmetric cryptographic algorithms: block ciphers and stream ciphers. The former encrypt/decrypt data in multiple rounds, and they operate on a fixed block of bits in each round; the latter perform encryption and decryption bit by bit. Typical examples of block ciphers include Data Encryption Standard (DES) [7] and International Data Encryption Algorithm (IDEA) [19]; Software-optimized Encryption Algorithm (SEAL) [38] and RC4 are the good examples of stream ciphers. The main advantage of symmetric cryptography is its fast encryption and decryption operation. However, this cryptography scheme suffers from the complexity of key management. In a hostile network environment like

“aswin62” — 2007/9/21 — 12:41 — page 6 — #6

Secure mobile Ad hoc Routing, SI AINA

7

mobile ad hoc networks, secret keys can not be distributed over insecure communication channels. Instead, they are most likely to be disseminated offline or with the help from an asymmetric cryptography scheme. 4.1.2 Asymmetric Cryptography Asymmetric cryptography, also known as public key cryptography, is the most recent cryptographic tool that is becoming increasingly popular. The primary point that distinguishes asymmetric cryptography from its symmetric counterpart is that the key used to decrypt ciphertext is different from the key used to encrypt plaintext. Each entity (a network node) has to maintain two keys in an asymmetric cryptography scheme. One, called public key, is available to anyone who needs it, while the other, called private key, is kept secret by the entity itself. If an entity A wants to communicate with another entity B in a secret manner, it just encrypts the messages for B with B’s public key. Because B’s private key is owned and managed by B itself, B is the only one that can successfully decrypt the encoded messages from A and read the contents. The most widely employed asymmetric cryptography is the Rivest Shamir Adleman (RSA) algorithm [27], which is based on the difficulty of performing the factorization of a large number – the product of two primes. In reality, the implementation of asymmetric cryptography needs a set of supporting components for key (certificate) creation, distribution and revocation. Two well-known asymmetric cryptography implementations are Public Key Infrastructure (PKI) [31] and Pretty Good Privacy (PGP) [37]. The main strength of asymmetric cryptography is its ease of key management. As introduced above, only public keys need to be distributed. The communication channel for public key distribution is not necessarily secret. In fact, an authentic channel is adequately effective. However, asymmetric cryptography needs a relatively larger amount of computation power and time compared to symmetric cryptography. In practice, a hybrid approach combining both symmetric and asymmetric cryptography is often employed. That is, an asymmetric cryptography scheme is used to distribute the secret key of a symmetric cryptography scheme which is used for the actual data encryption and decryption. 4.2 Authentication Methods When two nodes communicate in an insecure network like mobile ad hoc networks, having only data confidentiality is not sufficient. It is necessary for the receiver to be able to verify that the received message is identical with the one that is originated from the sender and that the message sender is the same as it claims to be. In other words, authentication is indispensable for securing network communication. Cryptography can be used to support authentication. Depending on the trust relationship between communicating nodes, authentication may be performed through different cryptography schemes. If there is mutual trust between senders and receivers (i.e., sharing a secret), symmetric

“aswin62” — 2007/9/21 — 12:41 — page 7 — #7

8

Xu Li et al.

authentication based on symmetric cryptography can be used. In the case of missing trust relationship, asymmetric authentication based on asymmetric cryptography may be applied. The representative symmetric authentication tool is a one-way hash function, while digital signature is a typical asymmetric authentication tool. 4.2.1 One-way Hash Functions A one-way hash function is a transformation algorithm such as MD5 and SHA-1 which takes a variable-sized message as input and returns a fixed-sized digest, called hash value. For a one-way hash function, it is hard to invert a hash value back to the original input message. In addition, hash values can be considered as “digital fingerprints” of the corresponding input messages because it is computationally infeasible to find two different input messages that lead to the same hash value. Due to their one-way and collision-free properties, one-way hash functions can be used for data authentication and integrity check. Since hash functions are public, they should be used only in the case that entities trust each other. For example, the sender encrypts the data with a secret key, hashes the encoded data, attaches the hash value, i.e., Message Authentication Code (MAC), to the original data, and then sends the original data together with the hash value to the receiver [8]. After the receiver receives the message, it encrypts the data with the same secret key, hashes the result, and compares the hash value with the MAC contained in the message. If they are equal, the receiver can be reassured that the data was actually sent from the sender and has not been altered in transit. 4.2.2 Digital Signatures A digital signature is a “stamp” placed by the sender on the data to be transmitted. It is unique to the sender and is difficult for others to forge. Also, any modification to the signed data is detectable. In this sense, a digital signature is the equivalent of a signature made by hand on a paper document. Asymmetric cryptography can be used for generating digital signatures. In practice, the data to be transmitted is first hashed, and the hash value is then encrypted with the sender’s private key. The resulting encoded data is the sender’s digital signature for the data. After the receiver gets the signed data, it hashes the data, decrypts the signature with the sender’s public key, and checks whether the hash value is equal to the decrypted signature. If they are not equal, the receiver can conclude that either the signature or the data was illegitimately modified. Because the private key is owned only by the sender itself, nobody can forge the sender’s digital signature, and the sender can not falsely deny having sent the data. In this case, we can see that the digital signature actually provides authentication, data integrity and non-repudiation simultaneously. Available signature schemes include RSA, Digital Signature Algorithm (DSA), and the Fiat-Shamir scheme.

“aswin62” — 2007/9/21 — 12:41 — page 8 — #8

Secure mobile Ad hoc Routing, SI AINA

9

4.3 Incentive Mechanisms A mobile ad hoc network (MANET) is an open autonomous system. In such an environment, we can not expect that the behaviors of all the network nodes exactly meet the cooperative requirements of network operation. In another word, node misbehaviors are ineluctable. The reasons why nodes misbehave can be multifold. For instance, some nodes may be devised to act incorrectly; some may be compromised to do so. Some nodes probably perform improperly just by accident; and others could violate rules for economic purposes. Besides, proper nodes may occasionally appear to be misbehaving because of the misleading of complex network situations such as network congestion and link breakage. If we ignore occasional mistakes and misunderstandings, node misbehaviors can actually be categorized as attack behaviors and selfish behaviors. The attack behaviors are what we discussed earlier in Section 2, and they are performed by attackers for disruptive purposes; whereas, selfish behaviors are conducted by nodes for profits rather than disruption. As we know, the operation of mobile ad hoc networks relies heavily on the collaboration of nodes because of the lack of fixed infrastructure and centralized administration. Therefore, nodes’ selfish behaviors can break network operation unintentionally. Unfortunately, resource-constrained wireless nodes are liable to show selfishness for resource saving purposes, e.g., saving battery power, CPU cycle, storage space, bandwidth or processing time. It is necessary for MANETs to have an effective mechanism to encourage node collaboration, to identify and isolate selfish (or disoperative) nodes. In the literature, there are two main kinds of such incentive mechanisms: pricing and reputation [29]. 4.3.1 Pricing The idea behind the pricing scheme is quite simple and is inspired by a real-life model. Consider human society. People provide services to others and are paid for their work. The money people earn from work can be used to buy products or services from others at any time, at any location. The money people make in different areas is comparable and exchangeable. Similarly, in computer networks, nodes offer services to others and get paid digital money for their contribution; once they earn enough money, they can then buy services that they want from other service providers. In the pricing scheme, nodes willing to help others can accumulate wealth and in turn gain better service from others, while selfish or malicious node will not earn adequate money because of their frequent denial of service and/or failed service delivery such that they are not able to get expensive services. If some nodes keep behaving selfishly or maliciously, they will be isolated from the network after their money is out. The key problem of the price scheme is that there must exist a centralized authority for accounting. Hence, it may not be the best solution for mobile ad hoc networks.

“aswin62” — 2007/9/21 — 12:41 — page 9 — #9

10

Xu Li et al.

4.3.2 Reputation In a distributed environment, an entity’s reputation is considered the global perception about the entity’s future behavior and is based on the past experience of other entities with the entity. Well-behaving nodes have high reputation; misbehaving nodes have low reputation. In a reputation system, the nodes with high reputation will be rewarded by granting their service requests, while the service requests of the nodes with low reputation are very likely to be rejected due to their unsatisfactory or even bad history. In order to survive (to obtain necessary services), a node should try its best to offer good services to other nodes. However, there are a number of difficulties in reputation systems. Firstly, since a node’s trust information is distributed among other nodes, the problem of trust collection need to be efficiently solved. Secondly, an accurate reputation model is required to truly reflect nodes’ trustworthiness based on the collected trust information. Finally, it is crucial to prevent malicious/selfish nodes from refreshing their reputation by changing their identification from time to time. 4.4 Anonymity Approaches Achieving anonymity is a complex task. It usually involves the combination of several basic security-supporting techniques. In the literature, there are some well-known anonymity approaches, e.g., MIX-nets [4], DC-nets [5], Onion Routing [25] and Crowds [26], proposed for Internet-based communication systems. Among them, MIX-nets and Onion Routing often server as the basis of other anonymous systems, as we will see in Sec. 5.2. 4.4.1 MIX-nets The basic building block of every MIX-net [4] is MIX, which is a special node existing between senders and receivers. It delays, reorders, pads to constant size, or scrambles messages in order to confuse traffic analyzers. Each MIX node is pre-assigned a (PublicKey, PrivateKey) pair, and its public key is available to every other node. All the MIXes constitute certain topology that is known to all the nodes in the network. When a sender wants to communicate with a receiver, it first choses a route through a sequence of MIXes to the receiver. Then, the sender adds padding to the original message and encrypts them together with the receiver’s public key. Afterward, the sender encrypts the encoded message with the public key of each MIX recursively in the reverse order of the MIXes’ appearance in the selected route to the receiver. To resist traffic analysis at each MIX in the route, padding is also appended to the message each time when the message is encrypted. Finally, the multi-layer encrypted message is sent to the first MIX which in turn decrypts the message with its private key, removes the padding, and forwards the one-layer-less message to the next MIX along the route (if the next MIX is not pre-known, the message should define it). Every intermediate MIX processes the message in the same way. After the last MIX

“aswin62” — 2007/9/21 — 12:41 — page 10 — #10

Secure mobile Ad hoc Routing, SI AINA

11

finishes processing the message, it sends the message encrypted only with the receiver’s public key to the receiver. MIX-nets support sender anonymity and resist traffic analysis (note that there is however no sender anonymity from the first MIX). MIX-nets are vulnerable to the collusion by the first MIX and the last MIX in a route. In addition, the application of MIXes requires public key cryptography, so MIX-nets are computationally expensive and slow for message transmission. 4.4.2 DC-nets DC-nets [5] are based on the DC (Dining Cryptographer) problem. The DC problem can be expressed as follows: find a solution which enables one of the three cryptographers to transmit a bit ‘1’ in such a way that all the three get it but no one (except the transmitter) can tell from whom it was sent. To solve this problem, we just arrange the three cryptographers on a circle, and let each of them flip a two-side coin which can be seen only by the cryptographer himself and his right-hand-side neighbor. We require that each cryptographer calculate the XOR of his coin and the coin of his lefthand-side neighbor, and we also require that the one wishing to transmit the bit broadcast the converse of his XOR while the others broadcast just their XOR. If an odd number of 1’s were distributed, then it can be known that a bit ‘1’ was transmitted. To allow more than three participants transmitting longer messages than one bit, the above protocol can be performed in rounds, and each pair of participants shares a chain of secret bits, one bit for each round. In DC-nets, both sender anonymity and receiver anonymity are well maintained, but nodes are vulnerable to message modification attack and DoS attack. In every round of transmission, all the participants are involved, and for every bit transmitted, there are two extra bits that are passed around the circle, therefore, the overhead is quite large. 4.4.3 Onion Routing Onion Routing [25] is an extension to MIX-nets [4]. Its primary objective is not to hide senders and receivers from each other but to protect their communication from others. In Onion Routing, MIXes are called onion routers, and they together form a onion router network. Similar to MIX-nets, Onion Routing requires pre-defined network topology. To setup an anonymous path to the receiver, the sender makes a connection to an onion router which then builds a chain of onion routers using its preknowledge of the network topology and available onion routers. To protect data and routing information, the first onion router constructs a multi-layer encrypted data structure called an onion and sends it through the network. Each layer of the onion defines the next hop in the route. An onion router that receives an onion peels off the topmost layer of the onion, identifies the next hop, and sends the remaining onion to the next onion router. In

“aswin62” — 2007/9/21 — 12:41 — page 11 — #11

12

Xu Li et al.

addition to carrying next hop information, each onion layer contains key seed material from which keys are generated for later decrypting and encrypting data sent forward or backward along the anonymous connection. Once the anonymous connection is established, the data can be transfered in a similar multi-layer encryption way in both directions. When communication ends, the anonymous connection is torn down. This involves the removal of encoded next hop information in each onion router along the path. In order to reduce overhead, Onion Routing uses asymmetric cryptography for establishing communication channels and symmetric cryptography for transmitting data in practice. Because both communicating nodes’ identities and communication content are hidden, and because each onion router in an anonymous connection can only identify its immediate onion router neighbors, Onion Routing resists traffic analysis, eavesdropping, and other attacks from both outside and inside of the onion router network. However, compromised onion routers may still be able to reveal routing information under collusion.

4.4.4 Crowds Crowds [26] is developed for private web browsing. In a Crowds system, nodes are grouped into a number of crowds, each of which issues requests to web servers on behalf of its members, and then, sender anonymity is protected by mixing one’s action within others’. For any node n0 in a crowd, when it wishes to issue a request to a web server, it does not submit the request directly to the server but to a randomly selected member of the crowd, say n1 . After n1 receives the request from n0 , it decides whether to send the request directly to the web server or to another randomly chosen member. For each intermediate node, it processes the request in the same way and remembers its prior and next hop for later backward and forward message transmission. Using this approach, a request message will travel along a path consisting of a sequence of crowd members, n0 , n1 , · · · , ni , and will be finally submitted by ni directly to the web server. Once this path is established, it is used by n0 to communicate with the server, and the subsequent traffic between n0 and the server will be sent out of and received into the crowd always by node ni . Since the submitter ni is a random member of the crowd, sender anonymity is protected; because n0 may also be a node just forwarding the traffic, the collusion of some crowd members can not even tell who is the message originator. Clearly, there is no receiver anonymity in Crowds. From web servers’ view, it is not possible to identify the originator of a request, and sender anonymity is thus accomplished. However, by eavesdropping on nodes’ in-coming and out-going traffic within a crowd, an attacker can find who is the sender, and therefore, there is actually no sender anonymity from local eavesdropper. Crowds are also vulnerable to internal DoS attacks.

“aswin62” — 2007/9/21 — 12:41 — page 12 — #12

Secure mobile Ad hoc Routing, SI AINA

13

5 SECURE MOBILE AD HOC ROUTING Because of the nature of MANETs, achieving routing security is a non-trivial task. In this section, we will illustrate, through some exiting secure routing protocols, how to secure plain routing protocols using the security-enabling techniques presented in previous sections. 5.1 Active-Attack-Resilient Routing As the name suggests, this type of routing protocols are designed to be secure especially against active attacks. They are usually an aggregation of certain plain routing protocol and a security add-on. Because these protocols use plain routing header, they are still susceptible to passive attacks. 5.1.1 Secure Efficient Ad-hoc Distance-vector routing Secure Efficient Ad-hoc Distance-vector routing (SEAD) [10] is developed on basis of routing protocol DSDV [22]. SEAD is known for its addition of one-way hash chain for authentication on route update messages to the original DSDV. For a random value x, a one-way hash chain is defined as a sequence of hash value, h0 , h1 , h2 , h3 , · · · , hn , where h0 = x and hi = H (hi−1 ) and 0 < i ≤ n, for some n. In SEAD, each node is required to generate its hash chain at initialization time. The effectiveness of SEAD is grounded heavily on the assumption of the existence of a certain mechanism for a node to distribute an authentic element of its hash chain. Hash-chain-based authentication makes SEAD secure against forged route updates. When a node sends a route update, it assigns one hash value to each entry in that update. If a route update entry is destined for the node itself, it sets the entry’s hash value to hn−i∗m where i is the corresponding sequence number and m is the upper bound of network diameter plus one; otherwise, it sets the entry’s hash value to the hash of the hash value received in the route update entry where it learn that route to the destination. Because of the one-way nature of hash chain, a node receiving a route update is able to authenticate each entry in the update as long as it has any earlier authentic hash element from the same hash chain. For example, given an authentic hash value hi−3 , a node can authenticate hi by computing H (H (H (hi−3 ) and verifying that the resulting hash value equals hi . Through authentication, each metric in a routing update entry is secured against being maliciously modified. The way it is done is as follows: the sequence number in an entry in a route update message is used to determine a contiguous group of m elements from the corresponding destination node’s hash chain, and then, a particular element in the determined group is used to authenticate the entry. Specifically, for a sequence number i in some route update entry, let k = n/m − i, then the group of m elements will be (hkm , hkm+1 , · · · , hkm+m−1 ). If the metric value of this entry is j , 0 ≤ j < m, then the element hkm+j is the one to be used to authenticate the route update entry for that sequence number.

“aswin62” — 2007/9/21 — 12:41 — page 13 — #13

14

Xu Li et al.

By using lightweight one-way hash function for authentication, SEAD reduces the risk of the DoS attacks where attackers broadcast a large number of forged route update packets to make nodes spend excess CPU cycle and processing time on verification. By route update authentication, SEAD is able to detect tampered route updates and maintain correct routing information at every node even in the presence of active attacks and compromised nodes. However, if a malicious forwarding node does not increment the routing metric (hop count), its neighbors may always route packets through it. 5.1.2 Authenticated Routing for Ad-hoc Networks Authenticated Routing for Ad-hoc Networks (ARAN) [28] is designed on top of AODV [23]. It requires that there exist a trusted authority issuing certificate to every node in the network. Nodes’ certificates are used to authenticate the nodes themselves to other nodes during route construction process. To initiate a route discovery, a source node broadcasts a route request packet signed with its private key. The route request message contains the destination ID, a certificate of the source, a nonce, and a timestamp. The nonce and timestamp together ensure the freshness of the packet. If a node receives a route request packet directly from the source, it just signs the packet with its own private key, appends its certificate to the packet, and then re-broadcasts the packet. If a node receives a route request packet from a non-source node, it first validates the certificate contained in this packet. If the certificate is valid, the node uses the public key in the certificate to verify the signature of the packet. If the signature is valid too, the node records the reverse route, removes both the signature and certificate of the prior hop, singes the packet, attaches its own certificate to the packet, and then forwards the packet to its neighbors. When the request reaches the destination, the destination signs a route reply packet and sends it back to the source along the reverse route. The route reply packet is forwarded by each intermediate node in the same way as a route request packet except that each node unicasts the route reply to the node from which it received the corresponding route request. Route error packets are also signed by their initiators; a nonce and timestamp are used in each route error packet as well to ensure the freshness of the packet. Because ARAN is based on public key cryptography, it is robust against almost all known attacks. However, since public key cryptography requires amounts of computation power and processing time, ARAN is vulnerable to the DoS attacks where attackers floods the network with forged routing packets for which signature verification is needed. 5.1.3 CONFIDANT CONFIDANT [2] is a reputation-based secure routing protocol based on DSR [13]. By CONFIDANT, each node has four components: the monitor, the reputation system, the path manager, and the trust manager. These four components enable a node to detect deliberate malicious behaviors, e.g., no

“aswin62” — 2007/9/21 — 12:41 — page 14 — #14

Secure mobile Ad hoc Routing, SI AINA

15

forwarding, unusual traffic attraction, malicious rerouting, lack of error messages, unusually frequent route updates, and silent route change, done by other nodes through observation and reports. For an arbitrary node A, its monitor, M(A), keeps surveilling its neighborhood all the time. When a suspicious event, denoted by e, of certain neighbor, say X, is detected, M(A) informs node A’s reputation system, R(A). To avoid the interference from X’s occasional mistake due to, for example, network congestion, R(A) decreases X’s reputation rating (stored in a rating list) only when e happens more than a maximum number of times. Let us assume that e is performed by X on purpose and that X’s reputation rating is bad. R(A) then passes the information to the path manager of A, P (A), which in turn deletes all the routes that go through X. Then, A’s trust manager T (A) sends an ALARM message to warn other nodes of the malicious node X. The intended receiver of the ALARM message could be either a source, or a destination, or a friend of A. Let us denote the destination of the ALARM message by B. After M(B) receives the ALARM message, it passes the message to T (B). T (B) in turn checks how trustworthy A is and how many similar reports about X have been received, and then, it processes the message accordingly. After B is certain of the ALARM message from A about X, it passes the information to R(B) which performs an evaluation on X again. To prevent false ALARM messages, authentication mechanisms such as PGP[37] can be used in the above process. In addition to rating lists, nodes also maintain black lists. Nodes appearing in black lists are avoided during routing, and packets are forwarded only to the nodes that are not contained in black lists. Using this approach, adverse nodes are identified and isolated from the network, and therefore, route robustness is increased, and network throughput is improved. However, because the reputation system takes negative input only, reputation improvement is impossible. 5.1.4 Routing with Self-healing Communities Self-healing Communities [15] is a general concept applicable to any ondemand routing protocol. By exploring node redundancy at each forwarding step, it improves the resilience of a routing protocol against non-cooperative nodes and disguised packet losses. A self-healing community in a route is defined as the set of nodes in the intersection area of the communication ranges of two neighboring intermediate nodes. As long as there is a cooperative node in each self-healing communities in the route, the communication between the source and the destination can carry on. How to locally identify a self-healing community and how to maintain it in the presence of mobility are the key issues. Community identification is integrated within route discovery and routing reply processes. During a route discovery process, when a node C receives a RREQ message from a neighbor node P for the first time, it locally records P

“aswin62” — 2007/9/21 — 12:41 — page 15 — #15

16

Xu Li et al.

and the RREQ upstream Q (indicated by the upstream field of the message) of P . And, C also sets P as its own RREQ upstream if it has not received any message from Q during current route discovery process. After that, it updates the upstream field of the message with P and forwards the message by the routing protocol. During a route reply process, after node C receives a RREP message from node E, it checks if it itself is the intended receiver. If the answer is yes, C records E as its RREP upstream and forwards the message to its recorded RREQ upstream. Otherwise, it checks if the intended receiver V and the RREQ upstream W of V have been locally stored. If yes, it further checks if V did not correctly forward the RREP or was not correctly acknowledged within a randomly decided time period. If no, and if nobody takes over during this period, C itself will take over, sending the message to W . In a self-healing community, the node that forwards the RREP message is forwarding member; the nodes overhearing three consecutive ACK messages are non-forwarding member. To reconfigure self-healing communities en route, source S sends destination D a PROBE message <(S,D, seq#), hop_ count> at some interval. For each PROBE message, D replies with a PROBE_REP packet of the same format. PROBE and PROBE_REP messages are both processed following the same self-healing procedure like RREQ and RREP messages. The selfhealing communities along the route are reconfigured by monitoring the hop count field. Since PROBE and PROBE_REP are both short message, they can be piggybacked on active data traffic. 5.1.5 Secure Position Aided Ad hoc Routing Secure Position Aided Ad hoc Routing (SPAAR) [3] is an integration of the greedy forwarding technique and a secure neighborhood management mechanism. It assumes that each node is issued a certificate by a trusted authority. It improves security, efficiency, and performance in MANET routing by protecting node position information. An arbitrary node N periodically broadcasts a HELLO message carrying its certificate within its communication range. A receiver node verifies N ’s certificate and stores N ’s information in its neighbor table (if the certification is valid). Node N meanwhile also receives HELLO message from other nodes and establishes its own neighbor table. It then generates an asymmetric group key pair for neighborhood communication. The public key is made available to its recognized neighbors, while the private key is kept as a secret. Periodically, node N locally broadcasts a table update message, encrypted with its public group key. This message contains the current position and the transmission range of N as well as a sequence number reflecting the freshness of the information. After receiving the table update message from N, a receiver node updates N’s entry in its neighbor table accordingly. For a node that does not receive a table update message from N after a predefined timeout period, it considers that N has been out of its one-hop neighborhood and deletes the

“aswin62” — 2007/9/21 — 12:41 — page 16 — #16

Secure mobile Ad hoc Routing, SI AINA

17

entry of N in its neighbor table. To save bandwidth, table update messages can be piggybacked on routing messages. When a node S wants to find a path to a node T , it locally broadcasts a RREQ message carrying the ID and location of T , its distance to T and a RREQ sequence number. When a node C receives the RREQ message, it records the node from which it receives the message and forwards the message to a neighbor closer to T than itself. Before forwarding, it may update the message with the new location of T if it has any. If no neighbors are closer, or if C itself is not closer to T than its prior hop, it simply drops the message. This process is repeated until T is reached. Note that, at each hop, the message is transmitted secretly using the the corresponding group encryption key. Upon receiving the RREQ message, T constructs a RREP message containing the RREQ sequence number, its current location, its velocity, signed with private key and encrypted with its public group key. Then it sends the message back to the source S along the backward path. During the route reply process, encryption and authentication is performed at every hop, and each intermediate node remembers the node from which they receives the RREP message. After S receives the RREP message, it verifies the validity of the message through the signature of T and the included RREQ sequence number. If the verification is passed, S stores the information of T in its local destination table, and then a secure pass from S to T is successfully established. 5.2 Passive-Attack-Resilient Routing The secure routing protocols discussed in previous section do not protect routing information. This weakness exposes them to the threat from passive attacks (traffic analysis). In order to be immune to traffic analysis, anonymous communication should be enforced by routing protocols. 5.2.1 ANonymous On Demand Routing ANonymous On Demand Routing (ANODR) [14] is developed using a new concept of “broadcast with trapdoor information”. It borrows the idea of Onion Routing [25] for route discovery. In an anonymous route established by ANODR, neither the sender nor the receiver can identify intermediate nodes; intermediate nodes know neither source/destination nor prior/next hop. A route discovery process is initiated by a source node by broadcasting a route request (RREQ) packet. To do so, the source node randomly generates a symmetric key Ksrc and computes Ksrc (IDsrc ). Then, it randomly generates a commitment key Kc and computes Kc (IDdest ). The source node then encrypts the combination of IDdest and Kc with the destination’s TESLA key KT , and it generates a globally unique sequence number seqnum and a one-time public key pair (pk one , sk one ). The source node then assembles a RREQ packet as follows: (RREQ, seqnum, pk one , KT (IDdest , Kc ), Kc (IDdest ), Onion), where the field RREQ indicates message type and Onion is set to Ksrc (IDsrc ). Finally,

“aswin62” — 2007/9/21 — 12:41 — page 17 — #17

18

Xu Li et al.

the source node broadcast this RREQ packet to its neighbors. During the above process, the source node bookkeeps all the relevant data. When an arbitrary node X receives the RREQ packet, it first checks if it itself is the destination using the following steps: decrypt the KT (IDdest , Kc ) field of the RREQ packet with its own TESLA key KT to get IDdest and Kc ; then verify if its own ID is equal to IDdest ; if they are equal, use Kc to decrypt the Kc (IDdest ) field of the RREQ to double check if it is truly the destination. If X is not the intended destination, it randomly generates a symmetric key KX and an asymmetric key pair (pk one , sk one ). Then, it extracts the Onion from the RREQ packet, and encrypts the combination of the Onion and a random nonce NX with KX , and replaces the original Onion in the packet with the encryption result. Afterward, it replaces the pk one in the packet with pk one . Finally, it forwards the modified RREQ packet to its neighbors. In this process, X bookkeeps all the necessary data such as pk one , (pk one , sk one ), and KX . When the RREQ packet reaches the destination, the destination sends a RREP packet back to the source. Firstly, the destination generates a random nonce Kseed and encrypts Kseed with the pk one extracted from the RREQ packet. Secondly, it uses a trapdoor one-way function with Kc , Onion, and Kseed as input. The output of the function is denoted by Kseed (Kc , Onion). Afterward, the destination assembles the RREP packet which has the following format: (RREP, (Kseed )pk one , Kseed (Kc , Onion)), where RREP indicates message type. Finally, it broadcasts the RREP packet. When a node X receives the RREP packet, it first decrypts (Kseed )pk one with the backuped (during route request process) one-time private key sk one to get Kseed . Then, it recovers Kc and Onion from the Kseed (Kc , Onion) field of the RREP packet using Kseed . Afterward, X decrypts the Onion with KX (corresponding to sk one ) and checks whether NX (corresponding to sk one ) is equal to the first field of the decryption result. If so, it knows that it is in the anonymous route and continues packet processing; otherwise, it simply discards the packet. If X is in the anonymous route, then X peels off the topmost layer of the Onion, and removes the first field of the result, and then  gets a resulting onion Onion . Afterward, X computes Kseed = f (Kseed )  (f is a one-way function) and encrypts Kseed with the prior hop’s one-time  public key pk one . Next, X computes Kseed (Kc , Onion ) through a trapdoor  )pk one , one-way function. Finally, it replaces the (Kseed )pk one field with (Kseed   and the Kseed (Kc , Onion)) field with Kseed (Kc , Onion )), and then broadcasts the modified RREP packet to its neighbors. We should mention that the Kseed in the original RREP is the route pseudonym for X and its next hop to exchange  data packets while Kseed is the route pseudonym for X and its prior hop to exchange data packets. When the source node receives the RREP packet, it can verify whether the destination has received the RREQ packet using the Kc in the RREP packet and its backuped one. Then an anonymous route is successfully established.

“aswin62” — 2007/9/21 — 12:41 — page 18 — #18

Secure mobile Ad hoc Routing, SI AINA

19

5.2.2 A Dynamic Mix Route Algorithm The dynamic Mix route algorithm [12] (referred to as DMRA in the following) is an application-layer algorithm built on the top of an underlying routing protocol. It borrows the idea of MIX-nets [4] for anonymous data transfer. It assumes that there are a number of MIX nodes supporting anonymous communication in the network, and that each MIX node has an asymmetric key pair. Any established anonymous routes is through a sequence of MIX nodes. In DMRA, every MIX node periodically broadcasts a MIX advertisement (MADV) message to claim its existence. A MADV message includes the initiator’s ID, a sequence number and a hop count. The initiator’s ID and the sequence number together uniquely identify a MADV message. The hop count indicates how far the message receiver is from the message initiator. A node may receive a MADV message from different MIX nodes, or it may receive a MADV message from the same MIX node multiple times, but it re-broadcasts only the one that is with minimal hop count and is received for the first time. In this case, a MADV message will not flood the entire network. Instead, it covers only a limited area. A node increments the hop count field of a MADV message before it re-broadcasts the message. By listening MADV messages, a node can find the closest MIX node. The MIX node closest to a node is taken by the node as its dominator. Because network topology is changing, a node’s dominator changes accordingly. When a source node wishes to set up an anonymous connection to a destination node, it sends a route request (RREQ) message to its dominator or a randomly selected MIX node, which in turn forwards the message to the destination. This process is finished using the underlying routing protocol, and the RREQ message is encrypted with the destination’s public key. After the destination receives the RREQ message, it sends its dominator a destination registration (DREG) message if it is not yet registered with its dominator. A DREG message includes the initiator’s ID and a sequence number. From then on, the destination periodically sends to its dominator a DREG message, and it each time increments the sequence number. Every MIX node maintains a list of registered nodes, denoted by l. Each entry of l consists of a node ID and a corresponding DREG sequence number. For a MIX node, if it does not receive a DREG message from certain registered node for a pre-configured period of time, it removes the node from its l. As long as its l is not empty, the MIX node keeps periodically broadcasting a route update (RUPD) message throughout the network. A RUPD message includes the initiator’s ID, a sequence number, a node list, and a path list. The node list is just the initiator’s l; the path list contains the routes to the nodes in the node list. Denote the node list and path list of a RUPD message respectively by nl and pl. When a node X receiving a RUPD message, it checks if it has some enqueued data packets that are designated to certain nodes in the nl. If so, it

“aswin62” — 2007/9/21 — 12:41 — page 19 — #19

20

Xu Li et al.

copies the corresponding MIX routes in the pl and uses the reverse MIX routes to deliver those data packets. Note that X may learn multiple distinct Mix routes to the same destination from the RUPD messages that it has received through different paths. If X is a MIX node, it checks if any node in the nl carries a higher DREG sequence number and updates its l accordingly. Then X appends its own ID to each entry of the path list and re-broadcasts the RUPD message. For the same RUPD message, X re-broadcasts it only once. In [12], the authors pointed out that the sender and receiver anonymity may be broken by attackers through global observation, and that attackers may learn route information during the MIX route update process. To reduce the risk, they suggested source nodes send dummy messages to confuse attackers and also make use of discovered multiple routes to deliver data packets. Besides, since RUDP messages are transmitted in plaintext, attackers can find who are involved in communication as communicating end although they may not find exactly who is talking to whom. And, if a node’s dominator is compromised, the node will lose sender and/or receiver anonymity. 5.2.3 Secure Distributed Anonymous Routing Secure Distributed Anonymous Routing (SDAR) protocol [18] is a combination of basic DSR [13], Onion Routing [25], and a trust management system. The Onion routing technique ensures sender and receiver anonymity, while the trust management system exclude untrusted nodes from being included in established paths. As proven in [18], SDAR is also secured against active attacks except for DoS attacks. For an arbitrary node A apearing in a SDAR route, it monitors the behaviors of its prior hop P and its next hop N . With the help from specially formatted routing messages, A can identify malicious message modification and malicious message dropping performed by P and S. Based on its past experience and observation with P and S, A evaluates their trustworthiness. By this means, node A is able to classify its neighbors into different trust levels and assign them different community keys accordingly. The community keys are symmetric cryptographic keys that are used for message encryption between A and its neighbors during a route request process, such that only the neighbors at the specified trust level can hear the communication and has the chance of being included in the established path. When a source node S wants to find a path to a destination T , it first generates a temporary public key pair (TPK,TPS) and a symmetric key KS . Then it encrypts KS and the identity IDT of T together with the public key PK T of T , and encrypts TSK, a sequence number SEQ, its own identity IDS and its digital signature together with KS . For easy presentation, the two encryption results are denoted respectively by DataI and DataII . Afterward, S encrypts the combination of DataI and DataII with the community key corresponding to a specified trust requirement TRUSTREQ. Then it encapsulates the final

“aswin62” — 2007/9/21 — 12:41 — page 20 — #20

Secure mobile Ad hoc Routing, SI AINA

21

encryption result, TPK and TRUSTREQ together in a RREQ message, and broadcasts the message to its neighbors. When a node C receives a RREQ message for the first time, it checks if it itself is intended next hop by finding the community key corresponding to the trust requirement TRUSTREQ in the message. If the answer is yes, C decrypts the message using the key and further checks if it itself is the destination by decrypting DataI with its private key and comparing IDT with its own identity. If they do not equal, C appends its own encrypted (with TPK) information to the RREQ message, including a randomly generated session key KC , its identity IDC and its digital signature. Then, it encrypts the message with the community key shared with the neighbors whose trust levels meet the TRUSTREQ claimed by the source node, then broadcasts the message locally. When destination node T receives the RREQ message, it obtains KS from DataI and uses KS to decrypt DataII and extract TSK and SEQ; then it verifies the freshness of the message using SEQ and retrieves the session keys and identities of all the intermediate nodes using TSK. Integrity check is performed during above process. Afterward, T encapsulates the session keys and node identities in the forward order in a RREP message, and performs a multi-layered encryption on the message with the session keys in the backward order (similar to Onion routing), and sends the message to the node from which it received the RREQ message. Each intermediate node that receives the RREP message removes one layer of encryption using its session key and then locally broadcasts the message. Finally, source node S receives the message and obtains from it the complete route information including the session keys and identities of all the intermediate nodes. With route information, S then transmits application data to T following the same procedure as RREP messages. 5.2.4 On-Demand Anonymous Routing The On-Demand Anonymous Routing (ODAR) protocol [30] provides node, link and path anonymities in ad hoc networks based on Bloom filters and the Diffie-Hellman algorithm. The use of Bloom filters additionally gives ODAR the storage-, processing- and communication-efficiencies, making it suitable in the ad hoc network environments. A prime number q and its primitive root g is first published in the network. Then every node A generates a private random value XA < q, called private key, and computes a public value YA , called public key, using the equation YA = g XA mod q. There is a centralized key server in the network, which claims its presence by periodically propagating its public key in the network. During each propagation process, a route from the key server to every single node is constructed. This route can be later used by the node to sends the key server its own public key and request the key server for others’ public keys.

“aswin62” — 2007/9/21 — 12:41 — page 21 — #21

22

Xu Li et al.

When a node S wants to establish a path to a node T , it first gets the public key YT of T from the key server using the pseudonym of T . Then S generates a session pseudonym (a temporary public key) Ys for itself based on a temporary private key Xs by the Diffie-Hellman algorithm, and computes the session key KsT = YsXT shared T . After that, S computes a session pseudonym sh(T + 1)KsT for T based on a secure hash function sh and the session key KsT , and sends a route request carrying Ys and sh(T + 1)KsT (recognizable only by S and T respectively). Each receiver node I computes KsI and sh(I + 1)KsI , and checks if it itself is the destination by comparing sh(I +1)KsI and sh(T +1)KsT . If no, it inserts its pseudonym (which is the secure hash result of a secret random number) into the bloom filter embedded in the request message and rebroadcasts the message; otherwise, it sends back a route reply to S carrying the aggregated bloom filter and sh(T + 2)KsT and Ys . Once source node S receives the route reply, a path connecting T is established. S can not see the identities of intermediate nodes because the path is expressed in the form of a bloom filter with node pseudonyms. During data transfer phase, each data packet is attached the bloom filter describing the entire route, and a node forwards a data packet only when its own pseudonym is in the bloom filter. In ODAR, since routing does not rely on the real identity of nodes but their pseudonyms, both end-host anonymity and intermediate node anonymity are protected. However, ODAR may generate long messages since the bloom filter describing the entire route must be attached. 5.2.5 Ad Hoc On-Demand Position-based Private Routing Ad Hoc On-Demand Position-based Private Routing (AO2P) [33] is based on greedy routing. It achieves route anonymity by the use of pseudo IDs. During route discovery process, Senders’ position is not exposed at all, while intermediate nodes’position information is protected by a hop reply contention mechanism. This protocol does not have full anonymity because the position of the receiver can not be completely protected (the matching between a node and its position is hidden to all the nodes but the sender though) due to the nature of position-based routing. The protocol requires that a number of trusted position servers be distributed in the network. For a node N , it defines as the home region of N as the set of position services within a geographic area determined by a global hash function of N ’s ID. N updates its home region with its location and an random authentication code when necessary, and the home region of N records the location update time. Any node can find the location of N by inquiring N ’s home region. Message encryption and authentication are needed during location update and acquisition. Since it is not possible that multiple nodes exist at some location at the same time, the combination of a location and location update time uniquely identify a node, and its hash result is called destination challenge information.

“aswin62” — 2007/9/21 — 12:41 — page 22 — #22

Secure mobile Ad hoc Routing, SI AINA

23

When a node S wants to establishes a path to T , it first finds via the secure position management system the information of T : location, authentication code, and challenge information. Afterward, it generates a temporary ID and a temporary MAC address for itself and locally broadcasts a RREQ message containing its temporary ID, T ’s location, its distance to T , Time-to-Live (TTL) and T ’s challenge information. After receiving the RREQ message from S, a node C checks if it itself is the destination by examining the embedded destination challenge information. If no, C classifies itself into a predefined contention level according to its progress to the destination. All the neighbors of S processes the RREQ message of S in this way and contents for the wireless communication channel to sends S a hop rely message, which carries the sender’s temporary ID and temporary MAC address. The contention mechanism used by the protocol is Elimination Yield-Nonpreemptive Priority Multiple Access (EY-NPMA), a channel access mechanism designed for HiperLAN/1 (a family of specification developed by the ETSI for wireless LAN technology). This mechanism ensures that the neighbor N closest to the destination T win the contention. Then, S confirms N ’s reply, and N responds to S’s confirmation by sending back an ACK message. Once getting the ACK message, S takes N as next hop and records N ’s temporary ID and MAC address in the local routing table. Afterward, node N broadcasts a RREQ message for T as source node in the same way. This process is repeated hop by hop until the destination T is reached. After receiving the confirmation from its previous hop, destination T finds the authentication code according to the destination position contained in the RREQ message, encrypts the code with its private key, includes the encryption result into a RREP message, and then sends the message through the reverse path back to source S. After receiving the RREP message, S verifies it actually reaches T by decrypting the information carried by the message with the T ’s public key and comparing the authentication code with the one it obtained previously from the home region of T . Successful destination verification indicates that an anonymous path linking S to T is established. Then application data can be transmitted following the temporary ID and temporary MAC address in the routing tables along the route. During both route discovery phase and data transfer phase, when a failure occurs, error messages are sent to the source S by the node that detects the failure. In AO2P, all the messages are encrypted and authenticated to ensure security. Because communication is based on pseudo ID and MAC address, and because hop selection does not require the exposure of intermediates’ location, route anonymity is protected. Similarly, sender anonymity is achieved as well. The position of the destination node is transmitted as clear information, although the matching between ID and position is hidden. In order to to protect destination’s position information, the authors suggest to use reference point instead of the exact location of a destination during route discovery. However, destination anonymity is still not accomplished in a complete sense.

“aswin62” — 2007/9/21 — 12:41 — page 23 — #23

24

Xu Li et al.

6 CONCLUSIONS Mobile ad hoc networks (MANETs) are a hostile environment where both active attacks and passive attacks may happen and secure routing protocols should consequently be applied. A secure mobile ad hoc routing protocol is expected to be able to offer the five basic security services, i.e., date confidentiality, data integrate, authentication, non-repudiation and access control [11]. Furthermore, in highly confident communication scenarios such as battle fields and doctor-patient conversations, another important security service, i.e., anonymity, is also needed. In this paper, we broadly investigated MANET security and surveyed ten secure mobile ad hoc routing protocols including [2,3,10,12,14,15,18,28,30,33]. Our study shows that secure ad hoc routing is achievable at the expense of messages, time and computation power, and that the overhead stems mainly from the computation complexity of the cryptographic algorithms employed in constantly repeated routing procedures. In geographic routing, route discovery is grounded on the knowledge of destination’s location information, which obviously contradicts the definition of anonymity. The routing nature restricts anonymity accomplishment in this class of routing protocols. It is difficult or even impossible for geographic routing protocols to obtain full anonymity.

ACKNOWLEDGMENTS This article has been partially supported by NSERC Collaborative Research and Development Grant CRDPJ 319848-04 and by a grant from CPER NordPas-de-Calais/FEDER TAC COM¹DOM. Partial literature survey was done by Xu Li when he was a Masters student at PARADISE laboratory, University of Ottawa in 2005.

REFERENCES [1] Bose, P., Morin, P., Stojmenovic, I., J. Urrutia. (1999). Routing with Guaranteed Delivery in Ad Hoc Wireless Networks. In Proc. of ACM DIALM, pp. 48–55. [2] Buchegger, S., Boudec, J. L. (2002). Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks. In Proc. of EUROMICRO-PDP, pp. 404–410. [3] Carter, S., Yasinsac, A. (2002). Secure Position Aided Ad hoc Routing. In Proc. of IASTED CNN, pp. 329–334. [4] Chaum, D. (1981). Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 24(2): 84–88. [5] Chaum, D. (1988). The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Jour. of Cryptography, 1(1): 65–75. [6] Dent, A. W., Mitchel, C. J. (2004). User’s Guide To Cryptography And Standards, Artech House.

“aswin62” — 2007/9/21 — 12:41 — page 24 — #24

Secure mobile Ad hoc Routing, SI AINA

25

[7] FIPS PUB. (1999). Data Encryption Standard (DES). Retrieved data, from http:// csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf. [8] FIPS PUB. (2002). The Keyed-Hash Message Authentication Code (HMAC). Retrieved data, from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf. [9] Hu, Y., Perrig, A., Johnson, D. B. (2002). Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks. In Proc. of ACM MobiCom, pp. 12–23. [10] Hu, Y., Johnson, D.B., Perrig, A. (2002). SEAD: Secure Efficient Distance Vector Routing in Mobile Wireless Ad Hoc Networks. In Proc. of IEEE WMCSA, pp. 3–13. [11] ITU-T. (1991). X.800 (03/91) Security Architecture for Open Systems Interconnection for CCITT Applications. Retrieved data, from http://fag.grm.hia.no/IKT7000/litteratur/paper/ x800.pdf. [12] Jiang, S., Vaidya, N., Zhao, W. (2004). A mix route algorithm for mix-net in wireless ad hoc networks. In Proc. of IEEE MASS, pp. 406–415. [13] Johnson, D. B., Maltz, D. A. (1996). Dynamic source routing in ad hoc wireless networks. Mobile computing (ed., T. Imielinski and H. Korth), Kluwer Academic, pp. 153–181. [14] Kong, J., Hong, X. (2003). ANODR: anonymous on demand routing with untraceable routes for mobile ad-hoc networks. In Proc. of ACM MobiCom, pp. 291–302. [15] Kong, J., Hong, X., Yi, Y., Park, J., Liu, J., Gerla, M. (2005). A Secure Ad-hoc Routing Approach using Localized Self-healing Communities. In Proc. of ACM MobiHoc, pp. 254–265. [16] Kuhn, F., Wattenhofer, R., Zhang, Y., Zollinger, A. (2003). Geometric ad-hoc routing: Of theory and practice. In Proc. of ACM PODC, pp. 63–72. [17] Leong, B., Mitra, S., Liskov, B. (2005). Path vector face routing: Geographic routing with local face information. In Proc. of IEEE ICNP. [18] Li, X. (2005). Secure and Anonymous Routing in Wireless Ad-hoc Networks. M.C.S. thesis, University of Ottawa, Ottawa, Canada. [19] MediaCrypt AG. (2005). International Data Encryption Algorithm – Technical Description. Retrieved data, from http://www.mediacrypt.com/_pdf/IDEA_Technical_Description _0105.pdf. [20] Murthy, S., Aceves, J. J. G. (1996). An Efficient Routing Protocol for Wireless Networks. ACM/Baltzer Jour. on Mobile Networks and Applications, 9(2):183–197. [21] Papadimitratos, P., Hass, Z. J. (2002). Secure Routing for Mobile Ad hoc Networks. In Proc. of SCS CNDS, pp. 193–204. [22] Perkins, C. E., Bhagwat, P. (1994). Highly Dynamic Destination-Sequenced DistanceVector Routing (DSDV) for Mobile Computers. In Proc. of ACM SIGCOMM, pp. 234–244. [23] Perkins, C. E., Royer, E. M. (1999). Ad hoc On-Demand Distance Vector Routing. In Proc. of IEEE WMCSA, pp. 90–100. [24] Pfitzmann, A., Waidner, M. (1985). Networks Without User Observability – Design Options. In Proc. of EUROCRYPT, LNCS 219. [25] Reed, M., Syverson, P., Goldschlag, D. (1995). Proxies for anonymous routing. In Proc. of ACSAC, pp. 95–104. [26] Reiter, M. K., Rubin, A. D. (1998). Crowds: Anonymity for Web Transactions. ACM Tran. on Information and System Security, 1(1): 66–92. [27] Rivest, R., Shamir, A., Adleman, L. (1978). A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2): 120–126. [28] Sanzgiri,K., Dahill, B., Levine, B., Shields, C., Belding-Royer, E. M. (2002). A Secure Routing Protocol for Ad Hoc Networks. In Proc. of IEEE ICNP, pp. 78–87. [29] Strulo, B., Farr, J., Smith, A. (2003). Securing Mobile Ad hoc Networks - A Motivational Approach. BT Technology Journal, 21(3):81–89.

“aswin62” — 2007/9/21 — 12:41 — page 25 — #25

26

Xu Li et al.

[30] Sy, D., Chen, R., Bao, L. (2006). ODAR: On-Demand Anonymous Routing in Ad Hoc Networks. In Proc. of IEEE MASS, pp. 267–276. [31] The Open Group. (1997). Architecture for Public-Key Infrastructure (APKI) – Draft 1. Retreived data, from http://archive.opengroup.org/public/tech/security/pki/apki_1-0.ps. [32] Venkatraman, L., Agrawal, D.P. (2003). Strategies for enhancing routing security in protocols for mobile ad hoc networks. Jour. of Parallel and Distributed Computing, 63(2):214–227. [33] Wu, X., Bhargava, B. (2005). AO2P: Ad Hoc On-Demand Position-Based Private Routing Protocol. IEEE Tran. on Mobile Computing, 4(4): 335–348. [34] Yi, S., Naldurg, P., Kravets, R. (2001). Security-Aware Ad Hoc Routing Protocol for Wireless Networks. In Proc. of ACM MobiHoc, pp. 299–302 [35] Zapata, M. G., Asokan, N. (2002). Securing Ad Hoc Routing Protocols. In Proc. of ACM WISE, pp. 1–10 [36] Zhang, Y., Liu, W., Lou, W. (2005). Anonymous Communications in Mobile Ad Hoc Networks. In Proc. of IEEE INFOCOM, vol. 3, pp. 1940–1951. [37] Zimmermann, P. R. (1995). The Official PGP Users Guide. MIT Press. [38] Rogaway, P., Coppersmith, D. (1998). A software-optimized encryption algorithm. Jour. of Cryptology, 11(4): 273–287.

“aswin62” — 2007/9/21 — 12:41 — page 26 — #26