Designing Secure Wireless Mobile Ad hoc Networks

Venkatesan Balakrishnan and Vijay Varadharajan
Information and Networked System Security Research Group
Department of Computing, Macquarie University, Sydney, Australia
{venkat, vijay}@ics.mq.edu.au

Abstract

In recent years, security in MANETs has been approached as the pre-establishment of specific information among the participating nodes, so that future communications can be secured through a newly designed protocol that applies cryptographic mechanisms over the pre-established information. In this paper we suggest three dimensions for securing communications in wireless mobile ad hoc networks. We then demonstrate the issues that can arise in the security design when a cryptographic technique alone is involved, and suggest how to counter those issues by combining trust management with cryptographic mechanisms. Moreover, we propose introducing the notion of heterogeneous resource management into the security design to address the divergence among the nodes, which can be taken advantage of to diminish packet drop attacks.

Keywords: Secure routing, Wireless mobile routing, Secure MANET

1. Introduction

Technological advancement has made wireless communication possible even in the absence of infrastructure. The feasibility of multi-hop communication between any two nodes, supported by the widespread availability of handheld devices, has led to the development of ad hoc networks, an emerging networking paradigm for mobile nodes. Although low cost and simplicity make mobile ad hoc networks a better choice than other networks, the actual deployment of applications is still in its infancy due to the dearth of well-defined secure services.

In recent years, security in MANETs has been approached as the pre-establishment of specific information among the participating nodes, so that future communications can be secured through a newly designed protocol that applies cryptographic mechanisms over the pre-established information. In this paper we demonstrate the hurdles that crop up if security in mobile ad hoc networks is viewed only from a cryptographic perspective. These mechanisms fail to adjust to and accommodate the dynamic changes occurring in the environment. To handle the dynamic nature of the medium, we argue that the design of secure mobile ad hoc networks should include trust management as another dimension apart from the cryptographic mechanisms.

Inclusion of trust management alone cannot guarantee secure communication, because issues such as packet dropping persist. In general, a packet requested for forwarding might be dropped due to a lack of energy reserve, a packet error or congestion in the medium. Though a packet can be dropped for genuine reasons, there is an equal probability that it is dropped by malicious or selfish nodes, which goes entirely unnoticed even in the presence of both trust management and cryptographic techniques. Hence it becomes necessary to tackle this issue. We therefore suggest a secure design that integrates heterogeneous resource management with trust management and the cryptographic mechanisms, which gives the integrated design an opportunity to diminish the issue. As a side benefit, it also ends the tradition of proposing homogeneous techniques for a heterogeneous environment. We thus recommend three dimensions, cryptographic mechanisms, trust management and heterogeneous resource management, to achieve an effective design of secure mobile wireless ad hoc networks.

In section 2, we discuss the issues that haunt a secure design resting solely on cryptographic mechanisms. Section 3 addresses the seriousness of the issues in a secure design that involves only cryptographic mechanisms and trust management. The security requirements in mobile ad hoc networks, and why they have to be addressed through the three-dimensional approach, are explained in section 4, followed by the conclusion.

2. Dimension I: Cryptographic Mechanisms

Security is particularly difficult to achieve in mobile ad hoc networks because of the vulnerability of the links, the sporadic nature of connectivity, the absence of a centralized management authority and the dynamically changing topology. In the absence of a global trusted authority, the design of security services such as key management and access control presents several difficult problems due to the unique characteristics of ad hoc networks. Furthermore, in ad hoc networks it is necessary to adapt authorization policies to the changing network population. Consequently, the high-level security requirements (authentication, confidentiality, integrity, non-repudiation and availability) in mobile ad hoc networks, which are identical to those of any other network, become unreachable.

Until now, most of the proposed works deploying cryptographic techniques use certificates [1][5][6] or symmetric key techniques [2][3][4]. Whatever the deployed cryptographic techniques might be, they are indistinguishable at one layer: they pre-establish keys or the specific information required for key establishment. Later, they use the pre-established keys or the pre-established information to design a secure protocol for the communication, which fails to handle the incremental deployment issue. The dynamic nature of the network allows nodes to enter at any time, which contradicts the basic assumption of having pre-established information. Even if a newly entering node is assumed to obtain the secure information for every participating node from a trusted authority well before entering the network, the question of how to establish the newly entering node's secure information at every participating node remains unresolved.

The shared wireless medium further restricts the success of all the proposed techniques. It enables any participating node to operate in promiscuous mode, which opens the door for that node to discover the key service points. The vulnerability increases if the participating node launches a denial of service attack that makes the service points unavailable. The reasoning relies on an implicit assumption made during the design of the secure communication protocol: to keep it lightweight, the control messages are protected only by an integrity mechanism and not by a confidentiality mechanism. Moreover, most research work remains puzzled when it comes to route error generation, being indecisive whether a route error is a genuine message or a malicious one. For instance, the approach in [4] either discourages route replies generated by an intermediate node or disables route salvation on occurrence of a route error to defend against denial of service attacks.

From the issues that arise, it follows that techniques are needed to manage the events arising from the dynamic nature of the medium. Though a monitoring technique provides the node with adequate information before it proceeds with the cryptographic mechanisms to secure the communications, any design failing to reflect the dynamic nature of the medium falls short of its target. In the following section, we argue for the need to introduce trust management and demonstrate how recent works fall short in reflecting those design requirements.

3. Dimension II: Trust Management

Although the notion of drafting a secure routing model through a monitoring technique has existed in MANETs for a long time, such models are not free from issues. Most of the protocols fail to formalize trust as a computational metric, and the protocols that go a step further remain entangled in the process of capturing and computing trust. Besides, they add overhead and degrade performance by introducing extra recommendation messages, ultimately draining energy resources.

Sergio Marti et al. [10] employ mechanisms known as watchdog and pathrater on DSR to detect the misbehavior of nodes and to rate the routes. Despite introducing the notion of monitoring, they fail to capture the behaviors in the environment as a computational logic. The CONFIDANT protocol [9] running in each node has four components, a) the Monitor, b) the Reputation System, c) the Path Manager and d) the Trust Manager, to detect the misbehaving nodes in the network. The idea of exchanging either ALARM messages or warning messages opens the door for the blackmail attack, where a malicious node can report a benign node to be a misbehaving node, due to the lack of authenticity. The trust captured is neither dynamic enough to reflect the malicious and benign behavior of the monitored node, nor does it display push-pull behavior to accommodate repenting nodes and exclude compromised nodes.

Niki Pissinou et al. [15] assume a prior distribution of the trust level of all nodes. The authors fail to address how the trust metric varies depending on situations and interactions. The assumption of a prior distribution of trust levels is equivalent to assuming a prior distribution of keys, in which case more efficient security could be achieved than with the above approach. Pirzada and McDonald [16] seek to establish trust in pure ad hoc networks through situations, taking into account the importance and the utility of the situation as a single factor called weight. Although Pirzada et al.'s approach differs from the other techniques, it significantly fails to capture and formalize all perspectives of trust prevailing in the environment. They capture trust with respect to the type of situation and evaluate trust specific to that situation. This represents only the monitoring node's individual view of the monitored node; it includes no provision for other neighbor nodes' views of the monitored node, nor for the monitored node's behavior towards the other neighbor nodes. For instance, any node A can be successfully fooled or crashed if its two neighbors, say node B and node C, report each other to be malicious. Hence it is clear that the trust captured from an individual's direct experience alone is not enough to evaluate the monitored node's character.

For this reason, we argue that trust management should capture and formalize three major perspectives: the monitoring node's direct experience of the monitored node, neighbors' recommendations on the monitored node, and the reputation derived from interactions between the neighbors that exclude the monitoring node's involvement. The combination of these perspectives lets a monitoring node analyze its neighbors so that it can categorize its neighbors' requests correspondingly. Concerning the question of incremental deployment, the captured trust, once evaluated, can be channeled either into key management or into delegation of services.

Integration of trust management and cryptographic mechanisms alone cannot guarantee secure communication between any two nodes. Though the dynamic nature of the nodes can be evaluated through trust management techniques, any node exhibiting a packet dropping event remains unclassified from the trust management perspective. A packet requested for forwarding might be dropped for the following reasons:

• Congestion and contention in the medium
• Denial of service attack by a malicious node
• Selfish or greedy behavior to save resources
• Route error due to mobility
• Corrupted packet

Since most of the above reasons fall within the resource management zone, it is a better alternative to include resource management in the security design. The advantage lies not only in handling the packet dropping event but also in ending the practice of proposing homogeneous solutions for a heterogeneous, resource-constrained environment. In the next section, we elaborate the possible benefits of including heterogeneous resource management in the design of secure wireless mobile ad hoc networks.
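
The three trust perspectives argued for in this section, combined into one score, as an added example that is not part of the paper. The weights, the neutral value of 0.5 and the rule for discounting recommendations are assumptions, since the paper gives no formula; the constructed scenario is the mutual accusation between B and C, with node A having no history with either.

```python
from dataclasses import dataclass, field

# Assumed weights: the paper names three perspectives but gives no formula.
W_DIRECT, W_RECOMMEND, W_REPUTATION = 0.5, 0.2, 0.3
NEUTRAL = 0.5  # assumed trust value when there is no evidence


def ratio(forwarded, dropped):
    total = forwarded + dropped
    return NEUTRAL if total == 0 else forwarded / total


@dataclass
class TrustTable:
    """What one monitoring node has recorded about its neighbours."""
    direct: dict = field(default_factory=dict)     # n -> (forwarded, dropped) of our packets
    recommend: dict = field(default_factory=dict)  # (by, about) -> opinion in [0, 1]
    overheard: dict = field(default_factory=dict)  # (source, relay) -> (forwarded, dropped)

    def direct_trust(self, n):
        return ratio(*self.direct.get(n, (0, 0)))

    def recommended_trust(self, n):
        # Pull each opinion toward NEUTRAL by how little we trust its sender,
        # so an unauthenticated accusation cannot decide the outcome alone.
        opinions = [NEUTRAL + self.direct_trust(by) * (value - NEUTRAL)
                    for (by, about), value in self.recommend.items() if about == n]
        return sum(opinions) / len(opinions) if opinions else NEUTRAL

    def reputation(self, n):
        # Behaviour of n as a relay for other neighbours, without our involvement.
        seen = [counts for (_, relay), counts in self.overheard.items() if relay == n]
        return ratio(sum(f for f, _ in seen), sum(d for _, d in seen))

    def trust(self, n):
        return (W_DIRECT * self.direct_trust(n)
                + W_RECOMMEND * self.recommended_trust(n)
                + W_REPUTATION * self.reputation(n))


def mutual_accusation():
    """Constructed scenario: A has no history with B or C; each calls the other malicious."""
    return TrustTable(
        direct={},
        recommend={("B", "C"): 0.0, ("C", "B"): 0.0},
        overheard={("C", "B"): (9, 1),   # B relayed 9 of C's 10 packets
                   ("B", "C"): (1, 9)},  # C relayed 1 of B's 10 packets
    )


if __name__ == "__main__":
    a = mutual_accusation()
    for n in ("B", "C"):
        print(n, a.direct_trust(n), a.recommended_trust(n),
              a.reputation(n), round(a.trust(n), 2))
```

With direct experience and recommendations alone, B and C tie (0.5 and 0.25 each), so A cannot tell which accusation is false; only the overheard reputation separates them, giving 0.57 for B and 0.33 for C.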

4. Dimension III: Heterogeneous Resource Management

Unlike traditional networks, a MANET predominantly hosts heterogeneous nodes. Any security principles designed without taking into account the diversity among the nodes will always lead to holes in the security design or to performance degradation. Even if we assume that the major cryptographic techniques provide enough of a shield to protect the network against the anticipated threats, history has shown that they always fall short due to the evolution of new types of attacks [13][14]. Another dimension, which has trust management as its core to detect the behaviour of the environment and react accordingly, acts as an additional layer to the cryptographic techniques. Still, it remains unclear where to address heterogeneity in the security design. Though it is tempting to include it in the trust management layer, its own individual parameters make it necessary to view it as a separate layer. Indeed, it is quite distinct from trust management: trust management concerns the behaviour of the participating nodes, while heterogeneity concerns the potential of the participating nodes. Hence we refer to the third dimension that has to be considered in any security design as 'heterogeneity management'.

Heterogeneity management validates the psychological view of security: "Security is nothing but peace of mind". Any security design made for any network boils down to two factors: the potential resources available for the design and the role of the network. Similarly, the security level of any individual rests on the same two factors: the individual's potential and the individual's role in the network. As energy is a vital resource for a MANET, it becomes crucial for each node to make its own decision to forward or drop others' packets, and in doing so it should not motivate a malicious node to launch any new type of attack. We suggest that for any benign node to remain active and derive services from the network, it should commit a fraction of its energy to other nodes until it runs out of energy. On the contrary, a malicious node has a propensity to drain other nodes' energy by launching various types of DoS attacks, which remains a challenge to the proposed approaches. Capturing a node's energy level gives an idea of the energy committed for a particular node. Depending on the service derived in turn from that particular node, the node can then be categorized.

Here we argue that the integration of heterogeneous resource management with trust management and cryptographic mechanisms has a high probability of providing an efficient secure design. It lets a node analyze its own potential and its counterpart's commitment before contributing its resources to the counterpart. Following these analyses, the node can evaluate the counterpart's reputation to make a decision on the counterpart's requests. Finally, the cryptographic techniques can be deployed to secure the integrity of the messages before they are transmitted to the medium.
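
The order of checks described in this section (the node's own potential and the counterpart's commitment, then the counterpart's reputation, then message integrity), written out as an added example that is not from the paper. The thresholds, the per-peer energy ledger and the use of HMAC-SHA256 over an already established link key are assumptions; the trust score is taken as an input from the trust-management layer.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed policy constants; the paper does not give thresholds.
RESERVE = 0.20        # battery fraction kept for the node's own traffic
GRACE_J = 1.0         # joules committed to a peer before expecting service back
MAX_IMBALANCE = 3.0   # tolerated ratio of energy given to energy received
TRUST_FLOOR = 0.4     # minimum score from the trust-management layer
TAG_LEN = hashlib.sha256().digest_size


@dataclass
class Peer:
    spent_for_peer: float  # joules we used relaying this peer's packets
    spent_by_peer: float   # joules this peer used relaying ours
    trust: float           # score supplied by the trust-management layer


def decide(battery, peer, cost_j):
    """Return 'forward' or a drop reason, checking resources before trust."""
    if battery <= RESERVE:
        return "drop:low-energy"        # genuine drop: our own potential
    committed = peer.spent_for_peer + cost_j - GRACE_J
    if committed > MAX_IMBALANCE * peer.spent_by_peer:
        return "drop:no-commitment"     # peer derives service but commits little
    if peer.trust < TRUST_FLOOR:
        return "drop:untrusted"
    return "forward"


def relay(key, payload, battery, peer, cost_j):
    """Apply the three layers in order; tag the packet only if it is forwarded."""
    verdict = decide(battery, peer, cost_j)
    if verdict != "forward":
        return verdict, None
    peer.spent_for_peer += cost_j       # update the energy ledger
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return verdict, payload + tag


def verify(key, frame):
    """Next hop: recompute the tag and compare in constant time."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = b"constructed-demo-key"       # stands in for an established link key
    peers = {"newcomer": Peer(0.0, 0.0, 0.5),       # constructed sample peers
             "freeloader": Peer(10.0, 1.0, 0.9),
             "accused": Peer(2.0, 2.0, 0.33)}
    for name, p in peers.items():
        print(name, relay(key, b"constructed payload", 0.8, p, 0.5)[0])
```

Returning a distinct reason for each drop lets the node separate a drop caused by its own low energy from a drop decided by policy, which is the classification the trust layer alone cannot make.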

5. Conclusion

Modelling the third dimension gives an effective defence against most DoS attacks when combined with the other two dimensions. It lets a node perform any analysis according to the current state of its resources, thereby making the trust management layer's decision more precise and fastidious, with the preventive shield of cryptographic techniques finally implemented over it.

6. References

[1] V. Varadharajan, R. Shankaran, and M. Hitchens, "Security for cluster based ad hoc networks," in Elsevier Computer Communications, vol. 27(5), pp. 488-501, Mar 2004.
[2] Y. C. Hu, A. Perrig, and D. B. Johnson, "Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks," presented at IEEE INFOCOM 2003, vol. 3, pp. 1976-1986, Apr 2003.
[3] Y. C. Hu, A. Perrig, and D. B. Johnson, "Ariadne: A Secure On-demand Routing Protocol for Ad Hoc Networks," presented at Proceedings of the 8th annual international conference on Mobile computing and networking, Atlanta, Georgia, USA, pp. 12-23, 2002.
[4] P. Papadimitratos and Z. J. Haas, "Secure Routing for Mobile Ad hoc Networks," presented at SCS Communication Networks and Distributed Systems Modeling and Simulation Conference, San Antonio TX, Jan 2002.
[5] M. G. Zapata and N. Asokan, "Securing Ad hoc Routing Protocols," presented at International Conference on Mobile Computing and Networking. Proceedings of the ACM workshop on Wireless security, Atlanta, GA, USA, pp. 1-10, Sep 2002.
[6] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, "A Secure Routing Protocol for Ad Hoc Networks," presented at 10th IEEE International Conference on Network Protocols (ICNP'02), Paris, France, pp. 78-87, Nov 2002.
[7] H. Deng, W. Li, and D. P. Agrawal, "Routing Security in Wireless Ad Hoc Networks," in IEEE Communications Magazine, vol. 40(10), pp. 70-75, Oct 2002.
[8] S. Yi, P. Naldurg, and R. Kravets, "Security-aware ad hoc routing for wireless networks," presented at Proceedings of the 2nd ACM International Symposium on Mobile Ad hoc Networking & Computing, Long Beach, CA, USA, pp. 299-302, 2001.
[9] S. Buchegger and J. Y. L. Boudec, "Performance analysis of the CONFIDANT protocol," presented at Proceedings of the 3rd ACM international symposium on Mobile ad hoc networking & computing, Lausanne, Switzerland, pp. 226-236, Jun 2002.
[10] S. Marti, T. J. Giuli, K. Lai, and M. Baker, "Mitigating Routing Misbehavior in Mobile Ad Hoc Networks," presented at Proceedings of the 6th annual international conference on Mobile Computing and Networking (MOBICOM), Boston, Massachusetts, United States, pp. 255-265, 2000.
[11] Yih-Chun Hu and David B. Johnson, "Exploiting Congestion Information in Network and Higher Layer Protocols in Multihop Wireless Ad Hoc Networks," presented at Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04), pp. 301-310, 2004.
[12] Y. C. Hu and A. Perrig, "A Survey of Secure Wireless Ad Hoc Routing," in IEEE Security and Privacy, vol. 2(3), pp. 28-39, May 2004.
[13] N. Milanovic, M. Malek, A. Davidson, and V. Milutinovic, "Routing and Security in Mobile Ad Hoc Networks," in IEEE Computer, vol. 37(2), pp. 61-65, Feb 2004.
[14] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, "Security in Mobile Ad Hoc Networks: Challenges and Solutions," in IEEE Wireless Communications, vol. 11(1), pp. 38-47, Feb 2004.
[15] N. Pissinou, T. Ghosh, and K. Makki, "Collaborative Trust-Based Secure Routing in Multihop Ad Hoc Networks," presented at Third International IFIP-TC6 Networking Conference, Athens, Greece, 2004.
[16] A. Pirzada and C. McDonald, "Establishing Trust In Pure Ad-hoc Networks," presented at Proceedings of the 27th conference on Australasian computer science, Dunedin, New Zealand, 2004.
[17] D. B. Johnson, D. A. Maltz, and J. Broch, "DSR: the dynamic source routing protocol for multihop wireless ad hoc networks," in Ad hoc Networking, C. E. Perkins, Ed.: Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2001, pp. 139-172.
[18] C. E. Perkins, E. M. Royer, S. R. Das, and M. K. Marina, "Performance Comparison of two On-demand Routing Protocols for Ad hoc Networks," IEEE Personal Communications, vol. 8(1), pp. 16-28, Feb 2001.
[19] E. M. Royer and C. K. Toh, "A review of current routing protocols for ad hoc mobile wireless networks," IEEE Personal Communications, vol. 6(2), pp. 46-55, Apr 1999.
[20] A. D. Wood and J. A. Stankovic, "Denial of Service in Sensor Networks," in IEEE Computer, vol. 35(10), pp. 54-62, Oct 2002.
[21] A. Perrig, R. Canetti, D. Song, and J. D. Tygar, "Efficient and Secure Source Authentication for Multicast," in Network and Distributed System Security Symposium, NDSS '01, pp. 35-46, Feb 2001.
[22] S. Marsh, "Formalizing Trust as a Computational Concept," Ph.D. Thesis, Department of Computer Science, University of Stirling, 1994.