22nd International Conference on Advanced Information Networking and Applications - Workshops

Secure Routing Protocol with Malicious Nodes Detection for Ad hoc Networks

Chu-Hsing Lin1, Wei-Shen Lai2, Yen-Lin Huang1, Mei-Chun Chou1

1 Department of Computer Science and Information Engineering, Tunghai University, Taiwan
2 Department of Information Management, Chienkuo Technology University, Taiwan
1 E-mail: {chlin,g942803,g96350011}@thu.edu.tw
2 E-mail: [email protected]

978-0-7695-3096-3/08 $25.00 © 2008 IEEE DOI 10.1109/WAINA.2008.47

Authorized licensed use limited to: TUNG HAI UNIVERSITY. Downloaded on March 19, 2009 at 03:11 from IEEE Xplore. Restrictions apply.

Abstract

An ad hoc network is a highly dynamic routing network formed cooperatively by a set of wireless mobile nodes without any assistance from a centralized access point. ARIADNE is a well-known secure on-demand ad hoc network routing protocol. After finishing the Route Discovery protocol, it finds just one route for the source and the destination nodes. However, the intermediate nodes cannot use that route to transmit data for themselves. To reduce the Route Discovery broadcast packets and to reuse valid routes, increasing the packet delivery ratio, we present a new secure on-demand routing protocol based on ARIADNE, called I-ARIADNE. We design an authentication mechanism for the intermediate nodes to verify the route information and reuse it for another route discovery request. Such a design can reduce the broadcast packets. Later, they can use that route for transmitting data to other nodes on it. Simulation results show that our protocol enhances the performance of the entire network environment.

1. Introduction

An ad hoc network is a computer network in which the communication links are wireless and the devices on it communicate directly with each other. This allows all wireless devices within range of each other to discover and communicate in peer-to-peer fashion without involving central access points. An ad hoc network tends to feature a small group of devices all in very close proximity to each other. Performance degrades as the number of devices grows, and a large ad hoc network quickly becomes difficult to manage. Ad hoc network routing protocols are challenging to design, and secure ones are even more so. Much research focuses on how to provide efficient [1, 2] and secure [3-6] communication in ad hoc networks. In this paper, we focus on the ARIADNE protocol [1], an ad hoc on-demand secure routing protocol that can withstand node compromise and relies only on symmetric cryptography. However, in ARIADNE only the source and the destination nodes can verify the correctness of the established route. The intermediate nodes that participate in the Route Discovery phase cannot get any verified route from it. Furthermore, if some malicious nodes modify the reply information, only the sender can detect the problem, and it cannot identify which nodes misbehaved. In this paper, we resolve the above problems of ARIADNE and enhance its performance.

2. Basic Operation of ARIADNE

2.1. Terminology

In order to understand the route information, we list all the notations as follows:

$S, D, A, B, C$: S is the initiator, and D the target. A, B, and C are the intermediate nodes.
$H(\,)$: a one-way hash function.
$K_{SD}$ and $K_{DS}$: the shared keys between S and D (one for each direction of communication).
$t_i$: the TESLA time interval with the TESLA key currently used.
$K_{A_{t_i}}$: the TESLA key of node A in time interval $t_i$.
$MAC_{K_{A_{t_i}}}(M)$: the Message Authentication Code (MAC) of the message M with $K_{A_{t_i}}$.
$M_A$: the MAC value computed by node A.
$SK_S$ and $PK_S$: the private key and public key of node S in the asymmetric cryptography.
$SIGN_{SK_S}(M)$: the signing of the message M with the private key of node S.
$E_{PK_D}(M)$: the encrypted value with the public key of node D.
RReq: denotes the route request.
RRep: denotes the route reply.
RVal: denotes the route validate.
RErr: denotes the route error.

2.2. ARIADNE Protocol

ARIADNE, an on-demand secure routing protocol, relies on symmetric cryptography to provide security against willful active attackers. It prevents attackers from altering uncompromised routes consisting of uncompromised nodes. ARIADNE ensures end-to-end authentication of a routing message by using a shared key between the two parties and the MAC. For broadcast authentication of routing messages, however, it relies on TESLA [7]. TESLA is based on loose time synchronization among nodes and is used as the broadcast authentication system in a secure routing protocol. The design of ARIADNE is based on DSR. Similar to DSR [8], it consists of two basic parts, route discovery and route maintenance. ARIADNE makes use of an efficient combination of a one-way hash function and shared keys. It assumes that the sender and the receiver share a secret key for message authentication. The sender includes a MAC computed with an end-to-end key, and the destination verifies the authenticity and freshness of the request using the shared key. Per-hop hashing, a mechanism that uses a one-way hash function to verify that no hop is omitted, is also used in ARIADNE. In case of any dead link, a RErr message is sent back to the initiator. Errors are treated just as regular data packets, and the intermediate nodes remove routes that use dead links in the selected path. ARIADNE provides a strong defense against attacks that modify and fabricate routing information. When it is used with an advanced version of TESLA, it is immune to wormhole attacks. However, it is still vulnerable to the selfish node attack. General security mechanisms are very reliable but key exchanges are complicated, making ARIADNE infeasible in current ad hoc environments.

Route request:
$\alpha = RReq, S, D, id, t_i$
$h_0 = MAC_{K_{SD}}(\alpha)$, $M_S^* = \alpha, h_0, (\,), (\,)$
$h_1 = H(A, h_0)$, $M_A = MAC_{K_{A_{t_i}}}(\alpha, h_1, (A), (\,))$, $M_A^* = \alpha, h_1, (A), (M_A)$
$h_2 = H(B, h_1)$, $M_B = MAC_{K_{B_{t_i}}}(\alpha, h_2, (A, B), (M_A))$, $M_B^* = \alpha, h_2, (A, B), (M_A, M_B)$
$h_3 = H(C, h_2)$, $M_C = MAC_{K_{C_{t_i}}}(\alpha, h_3, (A, B, C), (M_A, M_B))$, $M_C^* = \alpha, h_3, (A, B, C), (M_A, M_B, M_C)$

Route reply:
$\beta = RRep, D, S, t_i, (A, B, C), (M_A, M_B, M_C)$
$M_D = MAC_{K_{DS}}(\beta)$, $M_{DC} = \beta, M_D, (\,)$
$M_{CB} = \beta, M_D, (K_{C_{t_i}})$
$M_{BA} = \beta, M_D, (K_{C_{t_i}}, K_{B_{t_i}})$
$M_{AS} = \beta, M_D, (K_{C_{t_i}}, K_{B_{t_i}}, K_{A_{t_i}})$

Figure 1. ARIADNE protocol

As shown in Figure 1, nodes S and D are the communicating nodes. In the route request, node S computes $h_0$, the MAC of message $\alpha$ under $K_{SD}$, so that only D can verify the route message. Each intermediate node adds itself to the node list of the route request, replaces the hash chain value, and appends a MAC over the MAC list computed with its TESLA key. Node A appends its own address to the node list, computes the hash chain value $h_1$ with its own address and $M_A$ with $K_{A_{t_i}}$, and broadcasts $M_A^*$. When D gets the route request, it computes $M_D$, the MAC of $\beta$ under $K_{DS}$, so that only S can verify the route reply. The route reply is returned to the sender of the route request along the source route. Node D unicasts the route reply, which collects the TESLA keys $K_{C_{t_i}}$, $K_{B_{t_i}}$, $K_{A_{t_i}}$ along the path. When S gets the route reply, it can verify its correctness by using $K_{DS}$ and the TESLA keys.

2.3. Drawbacks of ARIADNE

In ARIADNE, only the sender and the destination node can verify the node list and the correctness of the established route. It is not reasonable that the intermediate nodes spend their resources to help set up the route without getting any reward. Furthermore, if some malicious nodes modify the reply information, only the sender can detect the error, and the sender cannot tell which nodes are bad.
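The following Python sketch is an added example, not code from the paper. It builds the hash chain and MAC list of the ARIADNE route request, lets D check the chain and S verify the reply, and then runs S's check on a reply that arrives with node C's entries removed: S rejects it but learns nothing about which node changed it. SHA-256, HMAC-SHA256, the field encoding and all key and identifier values are assumptions; TESLA key-chain authentication and timing are not modelled.

```python
import hashlib
import hmac

def enc(*fields):
    """Length-prefixed encoding so field and list boundaries are unambiguous."""
    out = b""
    for f in fields:
        b = enc(*f) if isinstance(f, (list, tuple)) else f
        out += len(b).to_bytes(4, "big") + b
    return out

def H(*fields):         # one-way hash H( ); SHA-256 is an assumption
    return hashlib.sha256(enc(*fields)).digest()

def MAC(key, *fields):  # MAC_K(M); HMAC-SHA256 is an assumption
    return hmac.new(key, enc(*fields), hashlib.sha256).digest()

def route_request(alpha, k_sd, path, tesla):
    """S computes h0; each node on `path` extends the hash chain and MAC list."""
    h, nodes, macs = MAC(k_sd, alpha), [], []
    for n in path:
        h = H(n, h)                                        # h_i = H(node, h_{i-1})
        nodes.append(n)
        macs.append(MAC(tesla[n], alpha, h, nodes, macs))  # M_i over MACs so far
    return h, nodes, macs

def route_reply(alpha, k_sd, k_ds, request, tesla):
    """D re-derives the hash chain with K_SD, then builds beta and M_D."""
    h, nodes, macs = request
    expect = MAC(k_sd, alpha)
    for n in nodes:
        expect = H(n, expect)
    if not hmac.compare_digest(h, expect):
        raise ValueError("hash chain mismatch: node list does not match h")
    beta = (b"RRep", alpha[2], alpha[1], alpha[4], nodes, macs)
    keys = [tesla[n] for n in reversed(nodes)]   # collected on the way back: C, B, A
    return beta, MAC(k_ds, beta), keys

def verify_reply(alpha, k_sd, k_ds, reply):
    """S's checks on M_AS = (beta, M_D, keys); returns a verdict string."""
    beta, m_d, keys = reply
    nodes, macs = beta[4], beta[5]
    if not hmac.compare_digest(m_d, MAC(k_ds, beta)):
        return "reject: M_D does not match beta (modifying node unknown)"
    if not len(keys) == len(nodes) == len(macs):
        return "reject: list lengths differ"
    h = MAC(k_sd, alpha)
    for i, (n, key) in enumerate(zip(nodes, reversed(keys))):
        h = H(n, h)
        if not hmac.compare_digest(macs[i], MAC(key, alpha, h, nodes[:i + 1], macs[:i])):
            return "reject: MAC of node " + n.decode()
    return "accept"

# Constructed sample values; identifiers and key material are placeholders.
ALPHA = (b"RReq", b"S", b"D", b"id-1", b"t1")
K_SD, K_DS = b"k-sd-demo", b"k-ds-demo"
TESLA = {b"A": b"kA-t1", b"B": b"kB-t1", b"C": b"kC-t1"}

def demo():
    req = route_request(ALPHA, K_SD, [b"A", b"B", b"C"], TESLA)
    beta, m_d, keys = route_reply(ALPHA, K_SD, K_DS, req, TESLA)
    # Figure 2 case: S receives beta' with node C's entries removed, M_D unchanged.
    beta_p = (*beta[:4], beta[4][:2], beta[5][:2])
    return (verify_reply(ALPHA, K_SD, K_DS, (beta, m_d, keys)),
            verify_reply(ALPHA, K_SD, K_DS, (beta_p, m_d, keys[1:])))
```

Only S and D hold the end-to-end keys, so node A has no value it could check against when it forwards the modified reply.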


Route request:
$\alpha = RReq, S, D, id, t_i$
$h_0 = MAC_{K_{SD}}(\alpha)$, $M_S^* = \alpha, h_0, (\,), (\,)$
$h_1 = H(A, h_0)$, $M_A = MAC_{K_{A_{t_i}}}(\alpha, h_1, (A), (\,))$, $M_A^* = \alpha, h_1, (A), (M_A)$
$h_2 = H(B, h_1)$, $M_B = MAC_{K_{B_{t_i}}}(\alpha, h_2, (A, B), (M_A))$, $M_B^* = \alpha, h_2, (A, B), (M_A, M_B)$
$h_3 = H(C, h_2)$, $M_C = MAC_{K_{C_{t_i}}}(\alpha, h_3, (A, B, C), (M_A, M_B))$, $M_C^* = \alpha, h_3, (A, B, C), (M_A, M_B, M_C)$

Route reply:
$\beta = RRep, D, S, t_i, (A, B, C), (M_A, M_B, M_C)$
$M_D = MAC_{K_{DS}}(\beta)$, $M_{DC} = \beta, M_D, (\,)$
$M_{CB} = \beta, M_D, (K_{C_{t_i}})$
$\beta' = RRep, D, S, t_i, (A, B), (M_A, M_B)$
$M_{BA} = \beta', M_D, (K_{B_{t_i}})$
$M_{AS} = \beta', M_D, (K_{B_{t_i}}, K_{A_{t_i}})$

Figure 2. Attacks of ARIADNE

In Figure 2, node B modifies the reply message $\beta$ by erasing the information of node C, but node A cannot find the error and still unicasts it to node S. Only node S can detect that the message has been modified; however, it cannot tell which node is the bad one.

3. Design of I-ARIADNE

There are various security mechanisms for routing protocols in ad hoc networks. For data integrity and user authentication, MAC and one-way hash functions are used. In this chapter we present the famous protocol, ARIADNE, which relies only on highly efficient symmetric cryptography, and we also analyze the disadvantages of ARIADNE.

3.1. Route Discovery

The ARIADNE protocol can only ensure a secure route from the source to the destination, but not between any two intermediate nodes. We want to spend just a little more computation and secure the paths between the intermediate nodes. We propose an enhancement of ARIADNE and call it I-ARIADNE. In the I-ARIADNE protocol, all of the participating nodes can detect which malicious node modified the route information. Therefore, in the next time period, all nodes on the routing path can trust the route information and thus reuse it for another route discovery phase. We let the sender compute $h_0$ by using its private key, so that later on each node participating in the route discovery can authenticate that $h_0$ was computed by the sender. So that the receiver can verify the route message, the sender also encrypts $h_0$ using the shared key between sender and receiver. Besides, the intermediate nodes compute the hash values and MAC values, and broadcast the route message repeatedly until the receiver gets it. When the receiver gets the route request message, it can verify the hash value to confirm that the routing message was sent by the sender, by decrypting the message using the shared key between the sender and the receiver. The receiver signs the reply message using its secret key, then unicasts the reply message along the path from the node list. Each node along the path collects the TESLA keys. After the reply message, each node participating in the route discovery, including the intermediate nodes and the sender, can confirm the genuineness of the reply message by using the public key of the receiver.

Route request:
$\alpha = RReq, S, D, id, t_i$
$h_0 = SIGN_{SK_S}(\alpha)$, $\gamma = E_{PK_D}(h_0)$, $M_S^* = \alpha, h_0, \gamma, (\,), (\,)$
$h_1 = H(A, h_0)$, $M_A = MAC_{K_{A_{t_i}}}(\alpha, h_1, (A), (\,))$, $M_A^* = \alpha, h_1, \gamma, (A), (M_A)$
$h_2 = H(B, h_1)$, $M_B = MAC_{K_{B_{t_i}}}(\alpha, h_2, (A, B), (M_A))$, $M_B^* = \alpha, h_2, \gamma, (A, B), (M_A, M_B)$
$h_3 = H(C, h_2)$, $M_C = MAC_{K_{C_{t_i}}}(\alpha, h_3, (A, B, C), (M_A, M_B))$, $M_C^* = \alpha, h_3, \gamma, (A, B, C), (M_A, M_B, M_C)$

Route reply:
$\beta = RRep, D, S, t_i, (A, B, C), (M_A, M_B, M_C)$
$M_D = SIGN_{SK_D}(\beta)$, $M_{DC} = \beta, M_D, (\,)$
$M_{CB} = \beta, M_D, (K_{C_{t_i}})$
$M_{BA} = \beta, M_D, (K_{C_{t_i}}, K_{B_{t_i}})$
$M_{AS} = \beta, M_D, (K_{C_{t_i}}, K_{B_{t_i}}, K_{A_{t_i}})$

Figure 3. Route discovery

As shown in Figure 3, node S computes $h_0$ using its secret key $SK_S$ and encrypts $h_0$ with the public key of node D. The intermediate nodes A, B, and C compute the hash values and MAC values progressively. When node D receives the route request, it checks the signature by using the public key of node S and decrypts the route message using its private key to confirm the originality of the route message. After confirming the route request, node D prepares the reply. Node D signs the reply message with its private key and unicasts it along the path. The intermediate nodes along the path, nodes A, B, and C, collect the TESLA keys $K_{A_{t_i}}$, $K_{B_{t_i}}$ and $K_{C_{t_i}}$. Each node participating in the route discovery can confirm the originality of the reply message by using the public key of node D. After the above stage, so that not only the sender and the receiver know the established secure path but the intermediate nodes can also be sure of the security of the path, the source node unicasts the validate message. The validate message includes the sender, the receiver, the initial hash value, the node list and the TESLA keys. In this phase, the intermediate nodes check the hash chain value starting from $h_0$ and verify the MAC values using the TESLA keys, so that each intermediate node can trust the secure path bidirectionally.

$\delta = RVal, S, D, id, t_i, h_0, (A, B, C), (K_{C_{t_i}}, K_{B_{t_i}}, K_{A_{t_i}})$

Figure 4. Route validation

In Figure 4, node S unicasts the validate message to make sure that each node in the routing path gets $h_0$ and the TESLA keys. Each node receiving the validate message can confirm the hash values and MAC values and trust the nodes in the routing path, so that it can also trust the path bidirectionally. The routes between the intermediate nodes are then also secure and trustworthy in both directions.

3.2. Secure Route Maintenance

Route maintenance in our protocol is similar to ARIADNE. The start node runs route discovery over I-ARIADNE. Because of the previous route discovery, all of the nodes trust each other, and the new route created is based on this relationship. A node forwarding a packet to the next node along the secure route returns a RErr to the start node if the link to that node is broken. Based on the secure and bidirectional routes, the intermediate nodes have verified each other. When a node receives the RErr, it first checks the correctness of the RErr with the TESLA key of the sender. Then, the node which received the RErr tries to find a new route to the node after the next one. It starts route discovery locally. As in previous work, the secure route has been set up, and the nodes in the secure route trust each other. When the route is broken, the node which received the RErr broadcasts the route request packet. Due to the local route repair, the node only needs to find the new route between the neighboring segments. From the experiments, we find that the number of broadcast packets decreases dramatically. When a new node joins a secure route that has been established, it only needs a local route discovery to its neighbor nodes. When a node gets the RReq, it checks its routing table to see whether it already has a secure route to the destination node in the RReq. If not, it rebroadcasts the route request. If it has the route, it unicasts the route request to the destination node. This decreases the number of broadcast packets.

4. Performance Evaluation

4.1. Simulation Setup

We have conducted extensive simulations to evaluate the performance of I-ARIADNE and compare it with ARIADNE. We implement the simulation on NS2. The traffic is constant bit rate (CBR). Each flow does not change its source and destination for the lifetime of a simulation run. Each source node transmits four 512-byte data packets per second. The mobility model uses a pause time of 30 seconds. The network sizes and the respective network areas are shown in Table 1. The size and the area are selected so that the node density is approximately constant, which properly reflects the scalability of routing protocols.

Table 1. Network sizes and network areas

Size    Area (m²)
100     1400 × 1400
200     2000 × 2000
400     2800 × 2800
600     3500 × 3500
800     4000 × 4000
1000    4500 × 4500
1200    4900 × 4900
1400    5300 × 5300

4.2. Performance Comparison of I-ARIADNE with ARIADNE

First, we studied the scalability of I-ARIADNE in networks with 100 to 1,400 nodes. Second, we studied the performance of I-ARIADNE when the pause time varies from 0 to 100 seconds. The number of CBR flows is 20 in both simulation sets. Finally, we studied the performance of I-ARIADNE when the number of flows increases from 20 to 60 in networks with 400 nodes. In the simulations, we collected data for three metrics, namely control overhead, packet delivery ratio, and end-to-end delay. Each data point in the graphs is averaged over 10 simulation runs, each with a different seed.

4.2.1. Scalability

In this series of simulations, we analyze the performance of I-ARIADNE when the network size varies from 100 nodes to 1,400 nodes. The main purpose of a routing hierarchy in MANETs is to reduce the routing overhead. Figure 5(a) shows that control overhead is reduced significantly in I-ARIADNE. In Figure 5(b), we observe that I-ARIADNE shows a higher packet delivery ratio even for networks with 1,000 nodes. A route in I-ARIADNE usually lasts longer and is reused, so more data packets are delivered at the larger scale. In Figure 5(c), I-ARIADNE does not reduce the end-to-end delay. Building up the secure route costs a little time for encryption, the digital signature mechanism, and the verification in the third phase of I-ARIADNE.


Figure 5. Scalability evaluation. (a) Control Overhead. (b) Packet Delivery Ratio. (c) End-to-end Delay.

4.2.2. Mobility

In this series of simulations, the simulations are run on networks with 100 nodes in an area of 1,400 × 1,400 m² and with pause time varying from 0 to 180 seconds. In Figure 6, we observe that the more frequently nodes move, the more control overhead I-ARIADNE has. ARIADNE and I-ARIADNE have comparable packet delivery ratios. Building up the secure route costs a little time for some validations in I-ARIADNE.

Figure 6. Mobility evaluation. (a) Control Overhead. (b) Packet Delivery Ratio. (c) End-to-end Delay.

4.2.3. Capability

This series of simulations analyzes the performance of I-ARIADNE when the number of CBR flows increases. The simulations are run on networks with 400 nodes in an area of 2,800 × 2,800 m². The number of CBR flows increases from 20 to 60. In Figure 7(a), we observe that I-ARIADNE saves more control packets per flow compared to ARIADNE. This is mainly because I-ARIADNE reuses secure routes frequently and thus conducts fewer route discoveries. In Figure 7(b), the packet delivery ratio drops as the number of flows increases because the network becomes more congested. However, I-ARIADNE still shows the higher packet delivery ratio. In Figure 7(c), for the same reason as in the previous simulation, I-ARIADNE costs more time than ARIADNE.

Figure 7. Capability evaluation. (a) Control Overhead. (b) Packet Delivery Ratio. (c) End-to-end Delay.

5. Conclusions

This paper presented the design and evaluation of I-ARIADNE, an enhancement of the ARIADNE routing protocol. Our proposed scheme rests its security on asymmetric cryptography and has more benefit than ARIADNE. I-ARIADNE is based on the basic operation of the DSR protocol and ARIADNE. From the experiments, the security mechanisms we designed are promising because of the reusability of the secure routes. We compare I-ARIADNE with ARIADNE and evaluate their performance. We find that I-ARIADNE has better performance in scalability, mobility and capability, but it costs more time to keep the secure route. The evaluation results show that the small cost in time is worth the gains in security and route reusability. The design of a secure routing protocol is an important and challenging task because of the unique characteristics of an ad hoc network. We have considered some kinds of attacks, and in the future we will conduct more simulations to endorse the proposed protocol.

Acknowledgement

This work was supported in part by Taiwan Information Security Center (TWISC), National Science Council under grants NSC-95-2218-E-001001, NSC-95-2218-E-011-015, iCAST NSC96-3114P-001-002-Y and NSC95-2221-E-029-020-MY3.

References

[1] A. Perrig, R. Canetti, D. Song, and J. D. Tygar, "Efficient and Secure Source Authentication for Multicast", Proceedings of Network and Distributed System Security Symposium, NDSS 2001, February 2001.
[2] Y. C. Hu, A. Perrig, and D. B. Johnson, "Efficient Security Mechanisms for Routing Protocols", Proceedings of the Tenth Annual Network and Distributed System Security Symposium, NDSS 2003.
[3] Y. C. Hu, A. Perrig, and D. B. Johnson, "ARIADNE: A Secure On-Demand Routing Protocol for Ad Hoc Networks", MobiCom'02, September 23-26, 2002, Atlanta, Georgia, USA.
[4] Y. C. Hu, A. Perrig, and D. B. Johnson, "Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks", IEEE Infocom 2003.
[5] Y. C. Hu, D. B. Johnson, and A. Perrig, "SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks", Ad Hoc Networks Journal, 1, 2003, pages 175-192.
[6] Y. C. Hu, A. Perrig, and D. B. Johnson, "Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols", ACM Workshop on Wireless Security (WiSe 2003).
[7] A. Perrig, R. Canetti, D. Tygar, and D. Song, "Efficient Authentication and Signing of Multicast Stream over Lossy Channel", IEEE Symposium on Security and Privacy, May 2000, pp. 56-73.
[8] D. B. Johnson and D. A. Maltz, "Dynamic Source Routing in Ad Hoc Wireless Networks", Mobile Computing, vol. 353, Kluwer Academic, 1996.
