Secure Mobile Ad hoc Routing Xu Li∗ , Amiya Nayak† , Isabelle Ryl‡ , David Simplot‡ and Ivan Stojmenovic† ∗

SCS, Carleton University, Canada, [email protected] SITE, University of Ottawa, Canada, {anayak, ivan}@site.uottawa.ca ‡ LIFL, University of Lille, France, {isabelle.ryl, david.simplot}@lifl.fr †

Abstract In mobile ad hoc networks (MANETs), multi-hop message relay is the common way for nodes to communicate and participate in network operations, making routing a primary issue. The early research efforts on MANET routing focused mainly on effectiveness and efficiency under the assumption of perfectly cooperative networks. However, MANETs may not be such a friendly environment for various reasons. Routing protocols without any security feature may put entire network at risk. As security becomes an increasingly popular topic, secure mobile ad hoc routing is attracting more and more research attention. In this paper, we conduct a survey on the state-of-art work in this field.

1

Introduction

In mobile ad hoc networks (MANETs), routing is a primary issue attracting large amounts of attention. Early research efforts have yielded many well-known routing protocols such as DSDV [1], DSR [2] and AODV [3], which all assume perfectly cooperative network. However, MANETs may not be such a friendly environment due to a number of factors, including the wireless communication medium, multi-hop communication, node mobility, and the lack of infrastructure. For instance, adverse nodes can freely enter the network, listen to network communication, interfere with network traffic and compromise network nodes; selfish nodes can refuse to cooperate and possibly cause various network failure. Since routing protocols are a fundamental tool of network computation, attacks on insecured routing protocols can disrupt network performance and reliability. The concept of security has been properly defined in the literature. Data confidentiality, data integrity, authentication, non-repudiation and access control [4] are five widely recognized standard security services. An additional well known security service is anonymity [5]. More specifically,

21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) 0-7695-2847-3/07 $20.00 © 2007

there exist four types of anonymity protection, i.e., sender anonymity, receiver anonymity, route anonymity and unlinkability. Depending on requirement, the above security services can be optionally implemented in routing protocols to provide different level of protection. A number of secure ad hoc routing protocols [6, 7, 8, 9, 10, 11, 12, 13, 14, 15] have been proposed in the literature. In this paper (the preliminary version of which was published in [16]), we are going to study some representative ones of them. The rest of the paper is organized as follows: Section 2 discusses the classification of network attacks; Section 3 briefly introduces some basic security-enabling techniques; Section 4 surveys a number of secure ad hoc routing protocols; Section 5 concludes the paper.

2

Taxonomy of Network Attacks

Network attacks can be categorized as passive attacks or active attacks [17]. A passive attack happens when an attacker unintrusively eavesdrops network traffic, and its primary goal is to discover valuable information like node identity and network topology from the messages sent over the communication channel. An active attack typically involves the direct intervention of an attacker with network traffic, e.g., deliberately replaying, inserting, modifying or deleting routing packets, or fraudulently disseminating incorrect routing information. Active attacks can cause, for example, malicious updates on route tables, packets being sent to false destinations, the creation of routing loops and even network congestion.

3

Basic Security-Enabling Techniques

In this section, we will introduce some basic securityenabling techniques. These techniques are considered basic because they often serve as a building block of advanced security mechanisms.

3.1

Cryptography Schemes

The use of cryptography is a must for providing the standard security services [18]. Cryptographic algorithms themselves are public, but the secret parameters (encryption/decryption keys) that they use are known only to the intended ones (senders and/or receivers). According to whether encryption keys are the same as decryption keys, cryptography schemes can be classified as either symmetric or asymmetric [18]. The main advantage of symmetric cryptography is the fast encryption and decryption operation, but its disadvantage is the complex key management. As for asymmetric cryptography, its strength is the ease of key management, while its drawback is the requirement on a relatively larger amount of computation power and time. In practice, a hybrid approach combining both symmetric and asymmetric cryptography is often employed. That is, an asymmetric cryptography scheme is used to distribute the secret key of a symmetric cryptography scheme that is used for the actual data encryption/decryption.

3.2

services from other nodes. In a reputation system, nodes are evaluated according to their past behavior; the nodes with high reputation are rewarded by granting their service requests, while those with low reputation are punished by rejecting their service requests.

4

Secure Mobile Ad hoc Routing

Because of the nature of MANETs, achieving routing security is a non-trivial task. In this section, we will illustrate how to secure plain routing protocols using the securityenabling techniques presented in previous section.

4.1

As the name suggests, this type of routing protocols are designed to be secure especially against active attacks. They are usually an aggregation of certain plain routing protocol and a security add-on. Because these protocols use plain routing header, they are still susceptible to passive attacks.

Authentication Methods 4.1.1

When two nodes communicate in an insecure network like MANETs, having only data confidentiality is not sufficient. It is necessary for the receiver to be able to verify that (1) the received message is identical with the one that was originated from the sender, and that (2) the message sender is the same as it claims to be. In another word, authentication is indispensable for securing network communication. Cryptography can be used to support authentication [18]. Depending on the trust relationship between communicating nodes, authentication may be performed by different cryptography schemes. If there is a mutual trust between a sender and a receiver (i.e., sharing a secret), symmetric authentication based on symmetric cryptography, e.g., oneway hash function, can be used; otherwise, asymmetric authentication based on asymmetric cryptography, e.g., digital signature, may be instead applied.

3.3

Active-Attack-Resilient Routing

Incentive Mechanisms

MANET operation relies heavily on the collaboration of network nodes because of the absence of fixed infrastructure and centralized administration. Unfortunately, the wireless nodes with resource constraints are liable to refuse to help others for resource saving purposes. It is necessary for MANETs to have effective mechanisms to encourage node collaboration, identify and isolate selfish (or disoperative) nodes. Two main kinds of incentive mechanisms are pricing and reputation [19]. In a pricing system, a node is paid digital money for the services it offers to other nodes; after earning sufficient amount of digital money, it can buy

21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) 0-7695-2847-3/07 $20.00 © 2007

Secure Efficient Ad-hoc Distance-vector routing

Secure Efficient Ad-hoc Distance-vector routing (SEAD) [8] is developed on basis of routing protocol DSDV [1]. SEAD is known for its addition of one-way hash chain for authentication on route update messages to the original DSDV. For a random value x, a one-way hash chain is defined as a sequence of hash value, h0 , h1 , h2 , h3 , · · ·, hn , where h0 = x and hi = H(hi−1 ) and 0 < i ≤ n, for some n. In SEAD, each node is required to generate its hash chain at initialization time. The effectiveness of SEAD is grounded heavily on the assumption of the existence of a certain mechanism for a node to distribute an authentic element of its hash chain. The hash-chain-based authentication make SEAD secure against forged route updates. When a node sends a route update, the node assigns one hash value to each entry in that update. If a route update entry is destined for the node itself, it sets the entry’s hash value to hn−i∗m where i is the corresponding sequence number and m is the upper bound of network diameter plus one; otherwise, it sets the entry’s hash value to the hash of the hash value received in the route update entry where it learn that route to the destination. Because of the oneway nature of hash chain, a node receiving any route update can authenticate each entry in the update as long as it has any earlier authentic hash element from the same hash chain. For example, given an authentic hash value hi−3 , a node can authenticate hi by computing H(H(H(hi−3 ) and verifying that the resulting hash value equals hi . Through authentication, each metric in a routing update entry is secured against being maliciously modified. The way it is done is as follows: the sequence number in an entry in

a route update message is used to determine a contiguous group of m elements from the corresponding destination node’s hash chain, and then, a particular element in the determined group is used to authenticate the entry. Specifically, for a sequence number i in some route update entry, let k = n/m − i, where n is divisible by m, then the group of m elements will be (hkm , hkm+1 , · · ·, hkm+m−1 ). If the metric value of this entry is j, 0 ≤ j < m, then the element hkm+j is the one to be used to authenticate the route update entry for that sequence number. By using lightweight one-way hash function for authentication, SEAD reduces the risk of the DoS attacks where attackers broadcast a large number of forged route update packets to make nodes spend excess CPU cycle and processing time on verification. Through route update authentication, SEAD is able to detect and eliminate tampered route update packets, and therefore maintain correct routing information at every node even in the presence of active attacks and compromised nodes. However, with this authentication mechanism, if a malicious forwarding node does not increment the routing metric, i.e., hop count, its neighbors may always route packets through it. 4.1.2

CONFIDANT

CONFIDANT [9] is a reputation-based secure routing protocol based on DSR [2]. By CONFIDANT, each node has four components: the monitor, the reputation system, the path manager, and the trust manager. These four components enable a node to detect deliberate malicious behaviors, e.g., no forwarding, unusual traffic attraction, malicious rerouting, lack of error messages, unusually frequent route updates, and silent route change, done by other nodes through observation and reports. For an arbitrary node A, its monitor, M (A), keeps surveiling its neighborhood all the time. When a suspicious event, denoted by e, of certain neighbor, say X, is detected, M (A) informs node A’s reputation system, R(A). To avoid the interference from X’s occasional mistake due to, for example, network congestion, R(A) decreases X’s reputation rating (stored in a rating list) only when e happens more than a maximum number of times. Let us assume that e is performed by X on purpose and that X’s reputation rating is bad. R(A) then passes the information to the path manager of A, P (A), which in turn deletes all the routes that go through X. Then, A’s trust manager T (A) sends an ALARM message to warn other nodes of the malicious node X. The intended receiver of the ALARM message could be either a source, or a destination, or a friend of A. Let us denote the destination of the ALARM message by B. After M (B) receives the ALARM message, it passes the message to T (B). T (B) in turn checks how trustworthy A is and how many similar reports about X have been

21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) 0-7695-2847-3/07 $20.00 © 2007

received, and then, it processes the message accordingly. After B is certain of the ALARM message from A about X, it passes the information to R(B) which performs an evaluation on X again. To prevent false ALARM messages, authentication mechanisms can be used in the above process. In addition to rating lists, nodes also maintain black lists. Nodes appearing in black lists are avoided during routing, and packets are forwarded only to the nodes that are not contained in black lists. Using this approach, adverse nodes are identified and isolated from the network, and therefore, route robustness is increased, and network throughput is improved. However, because the reputation system takes negative input only, reputation improvement is impossible. 4.1.3

Routing with Self-healing Communities

Self-healing Communities [11] is a general concept applicable to any on-demand routing protocol. By exploring node redundancy at each forwarding step, it improves the resilience of a routing protocol against non-cooperative nodes and disguised packet losses. Consider any arbitrary pair of neighboring nodes A and B in a route from S to D, the nodes residing in the intersection area of the communication ranges of A and B form a self-healing community. As long as there is an cooperative node in each of the self-healing communities along the path, the communication between S and D can carry on. How to locally identify a self-healing community and how to maintain it in the presence of node mobility are the two key issues. Community identification is integrated within route discovery and routing reply processes. During a route discovery process, when a node C receives a RREQ message from a neighbor node P for the first time, it locally records P and the RREQ upstream Q (indicated by the upstream field of the message) of P . And, C also sets P as its own RREQ upstream if it has not received any message from Q during current route discovery process. After that, it updates the upstream field of the message with P and forwards the message by the routing protocol. During a route reply process, after node C receives a RREP message from node E, it checks if it itself is the intended receiver. If yes, it records E as its RREP upstream and forwards the message to its recorded RREQ upstream. Otherwise, it checks if the intended receiver V and the RREQ upstream W of V have been locally stored. If yes, it further checks if V did not correctly forward the RREP or was not correctly acknowledged within a randomly decided time period. If no, and if nobody takes over during this period, C itself will take over, sending the message to W . In a self-healing community, the node that forwards the RREP message is forwarding member; the nodes overhearing three consecutive ACK messages are non-forwarding member. To reconfigure self-healing communities en route, source

S sends destination D a PROBE message <(S,D, seq#), hop count> at some interval. For each PROBE message, D replies with a PROBE REP packet of the same format. PROBE and PROBE REP messages are both processed following the same self-healing procedure like RREQ and RREP messages. The self-healing communities along the route are reconfigured by monitoring the hop count field. Since PROBE and PROBE REP are both short message, they can be piggybacked on active data traffic.

4.2

Passive-Attack-Resilient Routing

The secure routing protocols discussed in previous section do not protect routing information. This weakness exposes them to the threat from passive attacks (traffic analysis). In order to be immune to traffic analysis, anonymous communication should be enforced by routing protocols. 4.2.1

ANonymous On Demand Routing

ANonymous On Demand Routing (ANODR) [12] is developed using a new concept of “broadcast with trapdoor information”. It borrows the idea of Onion Routing [20] for route discovery. In an anonymous route established by ANODR, neither the sender nor the receiver can identify intermediate nodes; intermediate nodes know nothing about the route. A route discovery process is initiated by a source node by broadcasting a route request (RREQ) packet. To do so, the source node randomly generates a symmetric key Ksrc and computes Ksrc (IDsrc ). Then, it randomly generates a commitment key Kc and computes Kc (IDdest ). The source node then encrypts the combination of IDdest and Kc with the destination’s TESLA key KT , and it generates a globally unique sequence number seqnum and a one-time public key pair (pkone , skone ). The source node then assembles a RREQ packet as follows: (RREQ, seqnum, pkone , KT (IDdest , Kc ), Kc (IDdest ), Onion), where the field RREQ indicates message type and Onion is set to Ksrc (IDsrc ). Finally, the source node broadcast this RREQ packet to its neighbors. During the above process, the source node bookkeeps all the relevant data. When an arbitrary node X receives the RREQ packet, it first checks if it itself is the destination using the following steps: decrypt the KT (IDdest , Kc ) field of the RREQ  and Kc ; packet with its own TESLA key KT to get IDdest  then verify if its own ID is equal to IDdest ; if they are equal, use Kc to decrypt the Kc (IDdest ) field of the RREQ to double check if it is truly the destination. If X is not the intended destination, it randomly generates a symmetric key   , skone ). Then, it exKX and an asymmetric key pair (pkone tracts the Onion from the RREQ packet, and encrypts the combination of the Onion and a random nonce NX with KX , and replaces the original Onion in the packet with the

21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) 0-7695-2847-3/07 $20.00 © 2007

encryption result. Afterward, it replaces the pkone in the  . Finally, it forwards the modified RREQ packet with pkone packet to its neighbors. In this process, X bookkeeps all the   , skone ), and KX . necessary data such as pkone , (pkone When the RREQ packet reaches the destination, the destination sends a RREP packet back to the source. Firstly, the destination generates a random nonce Kseed and encrypts Kseed with the pkone extracted from the RREQ packet. Secondly, it uses a trapdoor one-way function with Kc , Onion, and Kseed as input. The output of the one-way function, is denoted by Kseed (Kc , Onion). Afterward, the destination assembles the RREP packet which has the following format: (RREP , (Kseed )pkone , Kseed (Kc , Onion)), where RREP indicates message type. Finally, it broadcasts the RREP packet. When a node X receives the RREP packet, it first decrypts the (Kseed )pkone with the backuped (during route request process) one-time private key skone to get Kseed . Then, it recovers Kc and Onion from the Kseed (Kc , Onion) field of the RREP packet using Kseed . Afterward, X decrypts the Onion with KX (corresponding to skone ) and checks whether NX (corresponding to skone ) is equal to the first field of the decryption result. If so, it knows that it is in the anonymous route and continues packet processing; otherwise, it simply discards the packet. If X is in the anonymous route, then X peels off the topmost layer of the Onion, and removes the first field of the result, and then gets a resulting onion Onion . Af = f (kseed ) (f is a one-way terward, X computes Kseed  with the prior hop’s one-time function) and encrypts Kseed   . Next, X computes Kseed (Kc , Onion ) public key pkone through a trapdoor one-way function. Finally, it re
)pkone , and the places the (Kseed )pkone field with (Kseed  Kseed (Kc , Onion)) field with Kseed (Kc , Onion )), and then broadcasts the modified RREP packet to its neighbors. We should mention that the Kseed in the original RREP is the route pseudonym for X and its next hop to exchange  is the route pseudonym for X and data packets while Kseed its prior hop to exchange data packets. When the source node receives the RREP packet, it can verify whether the destination has received the RREQ packet using the Kc in the RREP packet and its backuped one. Then an anonymous route is successfully established. 4.2.2

Secure Distributed Anonymous Routing

Secure Distributed Anonymous Routing (SDAR) protocol [14] is a combination of basic DSR [2], Onion Routing [20], and a trust management system. The Onion routing technique ensures sender and receiver anonymity, while the trust management system exclude untrusted nodes from being included in established paths. As proven in [14], SDAR is also secured against active attacks (except DoS attacks).

During a SDAR routing process, an arbitrary node A monitors its prior hop P and its next hop N . With the help from specially formatted routing messages, A can identify malicious message modification and malicious message dropping performed by P and S. Based on its past experience and observation with P and S, A evaluates their trustworthiness. By this means, node A is able to classify its neighbors into different trust levels and assign them different community keys accordingly. The community keys are symmetric cryptographic keys that are used for message encryption between A and its neighbors during a route request process, such that only the neighbors at the specified trust level can hear the communication and has the chance of being included in the established path. When a source node S wants to find a path to a destination T , it first generates a temporary public key pair (T P K,T P S) and a symmetric key KS . Then it encrypts KS and the identity IDT of T together with the public key P KT of T , and encrypts T SK, a sequence number SEQ, its own identity IDS and its digital signature together with KS . For easy presentation, the two encryption results are denoted respectively by DataI and DataII . Afterward, S encrypts the combination of DataI and DataII with the community key corresponding to a specified trust requirement T RU ST REQ. Then it encapsulates the final encryption result, T P K and T RU ST REQ together in a RREQ message, and broadcasts the message to its neighbors. When a node C receives a RREQ message for the first time, it checks if it itself is intended next hop by finding the community key corresponding to the trust requirement T RU ST REQ in the message. If yes, it decrypts the message using the key and further checks if it is the destination by decrypting DataI with its private key and comparing IDT with its own identity. If they do not equal, C appends its own encrypted (with T P K) information to the RREQ message, including a randomly generated session key KC , its identity IDC and its digital signature. Then, it encrypts the message with the community key shared with the neighbors whose trust levels meet the T RU ST REQ claimed by the source node, then broadcasts the message locally. When the destination T receives the RREQ message, it obtains KS from DataI and use it to decrypt DataII to extract T SK and SEQ; then it verifies the freshness of the message using SEQ, and retrieves the session keys and identities of all the intermediate nodes using T SK. Integrity check is performed during above process. Afterward, it encapsulates the session keys and node identities in the forward order in a RREP message, and performs a multi-layered encryption on the message with the session keys in the backward order (similar to Onion routing), and sends the message to the node from which it received the RREQ message. Each intermediate node that receives the route reply message removes one layer of encryption using

21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) 0-7695-2847-3/07 $20.00 © 2007

its session key and locally broadcasts the message. Finally, the source node S receives the message and gets the complete information of the routes, i.e., the session keys and identities of all the intermediate nodes. With the route information, S can transmits application data to T following the same procedure as RREP messages. 4.2.3

On-Demand Anonymous Routing

The On-Demand Anonymous Routing (ODAR) protocol [15] provides node, link and path anonymities in ad hoc networks based on Bloom filters and the Diffie-Hellman algorithm. The use of Bloom filters additionally gives ODAR the storage-, processing- and communication-efficiencies, making it suitable in the ad hoc network environments. Because routing does not rely on the real identity of nodes but their pseudonyms, both end-host anonymity and intermediate node anonymity are protected. A prime number q and its primitive root g is first published in the network. Then every node A generates a private random value XA < q, called private key, and computes a public value YA , called public key, using the equation YA = g XA mod q. There is a centralized key server in the network, which claims its presence by periodically propagating its public key in the network. During each propagation process, a route from the key server to every single node is constructed. This route can be later used by the node to sends the key server its own public key and request the key server for other nodes’ public keys. When a node S wants to establish a path to a node T , it first gets the public key YT of T from the key server using the pseudonym of T . Then S generates a session pseudonym (a temporary public key) Ys for itself based on a temporary private key Xs by the Diffie-Hellman algorithm, and computes the session key KsT = YsXT shared T . After that, S computes a session pseudonym sh(T + 1)KsT for T based on a secure hash function sh and the session key KsT , and sends a route request carrying Ys and sh(T + 1)KsT (recognizable only by S and T respectively). Each receiver node I computes KsI and sh(I + 1)KsI , and checks if it itself is the destination by comparing sh(I + 1)KsI and sh(T + 1)KsT . If no, it inserts its pseudonym (which is the secure hash result of a secret random number) into the bloom filter embedded in the request message and rebroadcasts the message; otherwise, it sends back a route reply to S carrying the aggregated bloom filter and sh(T + 2)KsT and Ys . Once source node S receives the route reply, a path connecting T is established. S can not see the identities of intermediate nodes because the path is expressed in the form of a bloom filter with node pseudonyms. During data transportation phase, each data packet is attached the bloom filter. A node forwards a data packet only when it finds its pseudonym in the bloom filter.

5

Conclusions

Mobile ad hoc networks (MANETs) are a hostile environment where secure routing protocols should be applied. A secure routing protocol is expected to be able to offer the five basic security services, i.e., date confidentiality, data integrate, authentication, non-repudiation and access control [4]. In addition, in highly confident communication scenarios such as battle fields and doctor-patient conversation, another important security service, anonymity, is also needed. In this paper, we discussed network attack classification, investigated basic security-enabling techniques, and surveyed six secure ad hoc routing protocols [8, 9, 11, 12, 14, 15]. Our study shows that, although secure routing is a complex task, it is achievable at the cost of messages, time and computation power. Security overhead stems mainly from the computation complexity of the cryptographic algorithms employed in constantly repeated routing procedures. There is a class of so-called geographic routing protocols, i.e., GFG [21], that relies on node position information for route discovery. Although none of the surveyed secure routing protocols in this paper belongs to this class, the security mechanisms they use against active attacks are applicable to them. Nevertheless, because the nature of geographic routing protocols conflicts the definition of anonymity , e.g., GFG requires the knowledge of destination’s location, violating receiver anonymity, it will be difficult or even impossible for them to achieve full anonymity.

Acknowledgments This article has been financially supported by NSERC Collaborative Research and Development Grant CRDPJ 319848-04.

References [1] C. E. Perkins and P. Bhagwat. “Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for Mobile Computers”. In Proc. of ACM SIGCOMM, pp. 234-244, 1994 [2] D. B. Johnson and D. A. Maltz. “Dynamic source routing in ad hoc wireless networks”. Mobile computing (ed., T. Imielinski and H. Korth), Kluwer Academic, pp. 153-181, 1996 [3] C. E. Perkins and E. M. Royer. “Ad hoc On-Demand Distance Vector Routing”. In Proc. of IEEE WMCSA, pp. 90-100, 1999 [4] ITU-T. “X.800 (03/91) Security Architecture for Open Systems Interconnection for CCITT Applications”. [5] A. Pfitzmann and M. Waidner. “Networks Without User Observability – Design Options”. In Proc. of EUROCRYPT, LNCS 219, 1985

21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) 0-7695-2847-3/07 $20.00 © 2007

[6] P. Papadimitratos and Z. J. Haas. “Secure Routing for Mobile Ad hoc Networks”. In Proc. of SCS CNDS, pp. 193-204, 2002 [7] Y. Hu, A. Perrig, and D. B. Johnson. “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks”. In Proc. of ACM MobiCom, pp. 12-23, 2002 [8] Y. Hu, D.B. Johnson, and A. Perrig. “SEAD: Secure Efficient Distance Vector Routing in Mobile Wireless Ad Hoc Networks”. In Proc. of IEEE WMCSA, pp. 313, 2002 [9] S. Buchegger and J. L. Boudec. “Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks”. In Proc. of EUROMICRO-PDP, pp. 404-410, 2002 [10] L. Venkatraman and D.P. Agrawal. “Strategies for enhancing routing security in protocols for mobile ad hoc networks”. Jour. of Parallel and Distributed Computing, 63(2):214-227, 2003 [11] J. Kong, X. Hong, Y. Yi, J. Park, J. Liu, and M. Gerla. “A Secure Ad-hoc Routing Approach using Localized Self-healing Communities”. In Proc. of ACM MobiHoc, pp. 254-265, 2005. [12] J. Kong and X. Hong. “ANODR: anonymous on demand routing with untraceable routes for mobile ad-hoc networks”. In Proc. of ACM MobiCom, pp. 291-302, 2003 [13] Y. Zhang, W. Liu, and W. Lou. “Anonymous Communications in Mobile Ad Hoc Networks”. In Proc. of IEEE INFOCOM, vol. 3, pp. 1940-1951, 2005. [14] A. Boukerche, K. EI-Khatib, X. Li, and L. Korba. “An Efficient Secure Distributed Anonymous Routing Protocol for Mobile and Wireless Ad Hoc Networks”. Elsevier Jour. of Computer Communications, 28(10): 11931203, 2005. [15] D. Sy, R. Chen, and L. Bao. “ODAR: On-Demand Anonymous Routing in Ad Hoc Networks”. In Proc. of IEEE MASS, pp. 267-276, 2006. [16] X. Li. “Secure and Anonymous Routing in Wireless Ad-hoc Networks”. MCS thesis, Univ. of Ottawa, 2005. [17] L. Venkatraman and D.P. Agrawal. “A novel authentication in ad hoc networks”. In Proc. of IEEE WCNC, vol. 3, pp. 1268-1273, 2000 [18] A. W. Dent and C. J. Mitchel. User’s Guide To Cryptography And Standards, Artech House, 2004. [19] B. Strulo, J. Farr, and A. Smith. “Securing Mobile Ad hoc Networks - A Motivational Approach”. BT Technology Journal, 21(3):81-89, 2000 [20] M. Reed, P. Syverson, and D. Goldschlag. “Proxies for anonymous routing”. In Proc. of ACSAC, 1995. [21] P. Bose, P. Morin, I. Stojmenovic, and J. Urrutia. “Routing with Guaranteed Delivery in Ad Hoc Wireless Networks”. In Proc. of ACM DIALM, pp. 48-55, 1999.