Network-layer Security of Mobile Ad hoc Networks

Jiangyi Hu
Advisor: Dr. Mike Burmester
Outline

- Introduction
- Secure routing
  - Existing routing protocols
  - Routing attacks
  - Secure routing protocols
- Cooperation enforcement
  - Solutions to enforce cooperation

Network layer security of Manets        2       02/24/2004
Introduction

- Example of a mobile ad hoc network

[Figure: example ad hoc network with nodes A, B, C, D, E and F]

Introduction

- Characteristics of a Manet:
  - Wireless connection, broadcasting
  - Dynamic topology
  - Unfriendly environment
  - Limited resources

Introduction

- Advantages
  - Ease of deployment
  - Fast to deploy
  - Decreased dependence on infrastructure
- Applications of Manets
  - emergency deployments
  - search and rescue missions
  - military operations
  - commercial applications

Introduction

- Vulnerabilities
  - The basic mechanism
  - The security mechanism
- Security goals
  - Availability
  - Confidentiality
  - Integrity
  - Authentication
  - Non-repudiation

Secure routing

- Existing routing protocols
- Security threats for routing
- Secure routing protocols

Existing routing protocols

- Table-driven routing
  - DSDV (Destination-Sequenced Distance Vector)
  - CGSR (Clusterhead Gateway Switch Routing)
  - WRP (Wireless Routing Protocol)
- On-demand routing
  - DSR (Dynamic Source Routing)
  - AODV (Ad hoc On-demand Distance Vector)
  - TORA (Temporally Ordered Routing Algorithm)

DSR

- Dynamic Source Routing
- Route discovery / route maintenance
- Every packet carries the entire route in its header

DSR

[Figure: DSR route discovery from S to D. The route request accumulates the path as it is forwarded: S, S-A, S-A-B, S-A-B-D along one branch and S-C, S-C-E, S-C-E-H, S-C-E-F along the other]

AODV

- Ad hoc On-demand Distance Vector routing
- No routing table maintenance as in DSDV
- Each node remembers only the next hop of the route, not the whole route

AODV

[Figure: AODV route discovery from S to D through nodes A, B, C, E and F; legend: reverse path, forward path]

Routing attacks

- Classification:
  - External attack vs. internal attack
  - Passive attack vs. active attack

Routing attacks

- Attacks on routing:
  - Modification
  - Fabrication
  - Wormhole attack (tunneling)
  - Denial of service attack
  - Invisible node attack
  - The Sybil attack
  - Rushing attack
  - Non-cooperation

Modification

- Modifies the protocol fields of control messages
- Compromises the integrity of the routing computation
- Causes network traffic to be dropped, redirected to a different destination, or to take a longer route

Fabrication

- Generating false routing messages, e.g. route error messages
- Can cause denial of service

[Figure: route S-B-M-C-D; the malicious node M forwards a false route error message. Legend: connected, connected through multiple hops, forward false error message]

Wormhole attack

- Colluding attackers use "tunnels" between them to forward packets
- Places the attackers in a very powerful position
- The attackers take control of the route by claiming a shorter path

Wormhole attack

- Example of a wormhole attack

[Figure: M (near S) and N (near D) are connected by a tunnel; the other nodes on the way from S to D are A, B and C]

Denial of service attack

- The adversary floods irrelevant data
- Consumes network bandwidth
- Consumes the resources of a particular node

Invisible node attack

- Attack on DSR
- The malicious node does not append its IP address
- M becomes "invisible" on the path

[Figure: nodes S, B, M, C and D on a path; M sits between B and C]

The Sybil attack

- One node presents multiple identities
- Disrupts geographic and multi-path routing

[Figure: node B and identities M1, M2, M3, M4 and M5]

Rushing attack

- Directed against on-demand routing protocols
- The attacker hurries the route request packet to the next node to increase the probability of being included in a route

Non-cooperation

- Lack of cooperation: a node does not participate in routing or packet forwarding
- Node selfishness: a node saves its energy for itself

Secure routing protocols

- SRP (Secure Routing Protocol)
- ARAN (Authenticated Routing for Ad hoc Networks)
- Ariadne
- SEAD (Secure Efficient Ad hoc Distance vector routing)
- Coping with the wormhole attack

SRP

- Assumes a shared secret key between the source node and the destination node
- Verification of the route request/reply packet using a MAC (Message Authentication Code)
- Identities of intermediate nodes are accumulated in the route request packet

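As an added worked example (not from the slides, and a simplification of SRP's real packet format), the following Python code runs a DSR-style route request flood in which every forwarding node appends its identity, while the MAC that only S and D can compute protects the request header and, on the way back, the accumulated route. It also shows the Modification attack from the earlier slide being caught: a reply whose route was rewritten in transit fails verification at S. The topology, the shared key, the query id and the `tamper_at` hook are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed topology (adjacency list), an assumption for this example, not the
# network on the slides.  It is a ring S-A-B-D-H-E-C-S, so S has two disjoint
# routes to D.
TOPOLOGY = {
    "S": ["A", "C"],
    "A": ["S", "B"],
    "B": ["A", "D"],
    "C": ["S", "E"],
    "E": ["C", "H"],
    "H": ["E", "D"],
    "D": ["B", "H"],
}

# Secret shared by the source S and the destination D only (constructed value).
KEY = b"constructed-shared-secret-between-S-and-D"


def srp_mac(key: bytes, *fields: str) -> bytes:
    """MAC over the fields that intermediate nodes are not allowed to change."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()


def flood_request(src: str, dst: str, key: bytes, topology: dict, tamper_at: str = None):
    """DSR-style route discovery: the request is flooded, each forwarding node
    appends its own identity, and a node forwards a given query only once.
    `tamper_at` (constructed fault) names a node that alters the header while
    forwarding.  D accepts a request only if the MAC that S computed over the
    immutable header (type, source, destination, query id) still verifies.
    Returns the query id and every route that reached the destination."""
    req = {"type": "RREQ", "src": src, "dst": dst, "qid": "42"}   # constructed query id
    req["mac"] = srp_mac(key, req["type"], req["src"], req["dst"], req["qid"])
    seen = {src}                       # nodes that already forwarded this query
    frontier = [(req, [src])]
    routes = []
    while frontier:
        next_frontier = []
        for pkt, route in frontier:
            node = route[-1]
            if node == tamper_at:
                pkt = dict(pkt, qid="43")      # header modified in transit
            for nb in topology[node]:
                if nb == dst:
                    # D recomputes the MAC with the shared key; an altered
                    # header fails here and the route is discarded.
                    expected = srp_mac(key, pkt["type"], pkt["src"], pkt["dst"], pkt["qid"])
                    if hmac.compare_digest(pkt["mac"], expected):
                        routes.append(route + [nb])
                elif nb not in seen:
                    seen.add(nb)
                    next_frontier.append((pkt, route + [nb]))
        frontier = next_frontier
    return req["qid"], routes


def build_reply(key: bytes, src: str, dst: str, qid: str, route: list) -> dict:
    """D answers each request with the accumulated route; the reply MAC covers
    the route itself, so nodes on the return path cannot rewrite it."""
    return {"src": src, "dst": dst, "qid": qid, "route": route,
            "mac": srp_mac(key, "RREP", src, dst, qid, ",".join(route))}


def verify_reply(key: bytes, reply: dict) -> bool:
    """S recomputes the reply MAC; only an unmodified route is accepted."""
    expected = srp_mac(key, "RREP", reply["src"], reply["dst"], reply["qid"],
                       ",".join(reply["route"]))
    return hmac.compare_digest(expected, reply["mac"])


def modification_demo():
    """Returns (genuine reply accepted, modified reply accepted).  The modified
    reply has its route field rewritten on the return path (the Modification
    attack of the slides); S rejects it because the MAC no longer matches."""
    qid, routes = flood_request("S", "D", KEY, TOPOLOGY)
    genuine = build_reply(KEY, "S", "D", qid, routes[0])
    modified = dict(genuine, route=["S", "A", "X", "D"])   # constructed tampering
    return verify_reply(KEY, genuine), verify_reply(KEY, modified)


if __name__ == "__main__":
    print(flood_request("S", "D", KEY, TOPOLOGY))
    print(flood_request("S", "D", KEY, TOPOLOGY, tamper_at="A"))
    print(modification_demo())
```

Note what the MAC does and does not cover: the accumulated node list in the request is deliberately left out of the request MAC (intermediate nodes must be able to append to it), so SRP relies on the reply, whose MAC does cover the route, to tell S which routes are genuine.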
ARAN

- Requires a trusted certification authority
- Every node that forwards a route request or a route reply must verify it and sign it
- Asymmetric cryptography is costly in terms of CPU and energy usage

ARAN

Example of ARAN (RDP: route discovery packet, REP: reply packet, N_S: nonce chosen by S, t: timestamp, K_X-: private key of node X, Cert_X: certificate of node X):

- S broadcasts: [RDP, IP_D, Cert_S, N_S, t]K_S-, Cert_S
- B verifies S's signature, signs and re-broadcasts: [[RDP, IP_D, Cert_S, N_S, t]K_S-, Cert_S]K_B-, Cert_B
- C verifies, signs and re-broadcasts: [[RDP, IP_D, Cert_S, N_S, t]K_S-, Cert_S]K_C-, Cert_C
- D unicasts the reply back toward S: [REP, IP_S, Cert_D, N_S, t]K_D-, Cert_D
- C verifies, signs and unicasts: [[REP, IP_S, Cert_D, N_S, t]K_D-, Cert_D]K_C-, Cert_C
- B verifies, signs and unicasts: [[REP, IP_S, Cert_D, N_S, t]K_D-, Cert_D]K_B-, Cert_B

Legend: broadcast (route discovery), unicast (reply)

Ariadne

- Each node generates a one-way key chain (K0, K1, …, Ki, …, Kn) and publishes the keys in the reverse of the order in which they were generated
- The sender picks a key Ki that will still be secret at the time the receiver receives the packet
- When a receiver receives a packet, it first verifies that Ki is still secret, then it buffers the packet and waits for the sender to publish the key Ki
- Needs time synchronization

SEAD

- Based on the Destination-Sequenced Distance Vector protocol (DSDV)
- Uses a one-way hash chain (h0, h1, …, hi, …, hn)
- Uses the hash value corresponding to the sequence number and metric in a routing update
- An attacker can never forge a better sequence number or a better metric

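The following Python code is an added example, not from the slides or from the Ariadne and SEAD papers, that builds the one-way chain both protocols rely on and uses it twice. The SEAD part maps a (sequence number, metric) pair to a chain position and shows that an update re-advertised with a smaller metric or a newer sequence number fails verification against the authenticated anchor; the Ariadne part shows the receiver-side check that Ki is still secret and the verification of a key once it is disclosed. The chain length N, the metric bound M, the seed and the timing parameters are assumptions chosen for the demonstration.

```python
import hashlib


def H(x: bytes) -> bytes:
    """The one-way function used for the chain."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """Return [h0, h1, ..., hn] with h_{i+1} = H(h_i).  The owner keeps the chain
    private and distributes only the anchor h_n in an authenticated way."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def verify_element(candidate: bytes, index: int, anchor: bytes, n: int) -> bool:
    """candidate is h_index iff hashing it (n - index) times yields the anchor."""
    h = candidate
    for _ in range(n - index):
        h = H(h)
    return h == anchor


# ---- SEAD: sequence number and metric are bound to chain positions ----
M = 4    # metrics 0..3 (constructed: network diameter + 1)
N = 16   # chain length, a multiple of M, giving N // M = 4 sequence numbers


def sead_index(seq: int, metric: int) -> int:
    """Sequence number seq owns the group h_{N-M*seq} .. h_{N-M*seq+M-1}; within the
    group metric j uses h_{N-M*seq+j}.  Newer sequence numbers and smaller metrics
    map to earlier elements, which cannot be derived from later ones."""
    if not (1 <= seq <= N // M and 0 <= metric < M):
        raise ValueError("sequence number or metric out of range")
    return N - M * seq + metric


def sead_verify(update: dict, anchor: bytes) -> bool:
    """A receiver checks the advertised (seq, metric, h) against the anchor."""
    return verify_element(update["h"], sead_index(update["seq"], update["metric"]), anchor, N)


def sead_forward(update: dict) -> dict:
    """An honest node re-advertises the route one hop further: metric + 1, one more hash."""
    return {"seq": update["seq"], "metric": update["metric"] + 1, "h": H(update["h"])}


def sead_demo():
    """Returns (origin ok, honest forward ok, better-metric claim ok, newer-seq claim ok)."""
    chain = hash_chain(b"constructed seed of the destination", N)
    anchor = chain[N]                                       # distributed authentically
    origin = {"seq": 2, "metric": 0, "h": chain[sead_index(2, 0)]}
    hop1 = sead_forward(origin)                             # honest neighbour, metric 1
    better = dict(hop1, metric=0)                           # same element, claims metric 0
    newer = dict(hop1, seq=3)                               # same element, claims a newer seq
    return (sead_verify(origin, anchor), sead_verify(hop1, anchor),
            sead_verify(better, anchor), sead_verify(newer, anchor))


# ---- Ariadne (TESLA): the same chain used as a key chain, disclosed in reverse ----
def tesla_keys(seed: bytes, n: int) -> list:
    """K_0 .. K_n with K_i = H(K_{i+1}); K_0 is the public commitment."""
    return hash_chain(seed, n)[::-1]


def key_still_secret(i: int, t_recv: float, t0: float, interval: float, d: int, delta: float) -> bool:
    """Receiver-side safety check: K_i is disclosed at the start of interval i + d
    (intervals of length `interval` starting at t0), so a packet authenticated
    with K_i may be buffered only if that moment has not been reached even after
    allowing for the clock synchronisation error delta."""
    return t_recv + delta < t0 + (i + d) * interval


def verify_disclosed_key(k_i: bytes, i: int, k0: bytes) -> bool:
    """After disclosure, hashing K_i i times must reproduce the commitment K_0."""
    h = k_i
    for _ in range(i):
        h = H(h)
    return h == k0


if __name__ == "__main__":
    print(sead_demo())
    keys = tesla_keys(b"constructed seed of the sender", 8)
    print(key_still_secret(2, 3.5, 0.0, 1.0, 2, 0.1), verify_disclosed_key(keys[3], 3, keys[0]))
```

The security of both uses rests on the same property: from h_i anyone can compute h_{i+1}, h_{i+2}, … (so an honest node can advertise a worse metric, and a receiver can check a disclosed key), but nobody can go backwards to an earlier element, which is exactly what a better metric, a newer sequence number, or a not-yet-disclosed key would require.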
Coping with the wormhole attack

- Geographic leash
  - Ensures that the recipient of the packet is within a certain distance of the sender
- Temporal leash
  - Ensures that the packet has an upper bound on its lifetime

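An added example, not from the slides, of what a receiver computes for each leash. The geographic check follows the shape of the distance bound in Hu, Perrig and Johnson's packet leashes (distance between the authenticated sender position and the receiver, plus the distance both nodes could have moved during transit and clock error, plus position error) in a simplified form; the temporal check rejects a packet older than one hop's propagation time plus the clock error. The sample packets, positions, speed bound, radio range and error terms are constructed assumptions.

```python
import math

C = 299_792_458.0   # propagation speed in m/s


def geographic_leash_ok(p_s, t_s, p_r, t_r, v_max, delta, pos_err, radio_range) -> bool:
    """Geographic leash.  p_s, t_s: position and send time stamped (and, in the
    protocol, authenticated) by the sender; p_r, t_r: the receiver's own position
    and receive time; v_max: bound on node speed; delta: clock synchronisation
    error; pos_err: bound on the position error.  `bound` is the farthest the
    sender can have been when it transmitted; accept only if that fits in one
    radio range, since a tunnelled packet carries a far-away sender position."""
    bound = math.dist(p_s, p_r) + 2 * v_max * (t_r - t_s + delta) + 2 * pos_err
    return bound <= radio_range


def temporal_leash_ok(t_s, t_r, radio_range, delta) -> bool:
    """Temporal leash.  With tightly synchronised clocks the packet may not be
    older than the time radio waves need to cross one hop, plus the clock error;
    the detour through a tunnel adds latency that exceeds this budget."""
    return (t_r - t_s) <= radio_range / C + delta


# Constructed sample: one packet from a neighbour 120 m away and one tunnelled
# in from a node 2 km away.  Positions in metres, times in seconds.
SAMPLE_PACKETS = [
    {"id": "neighbour", "pos": (0.0, 0.0), "t": 0.0},
    {"id": "tunnelled", "pos": (2000.0, 0.0), "t": 0.0},
]


def check_leashes(packets, receiver_pos, receive_times, radio_range=250.0,
                  v_max=10.0, delta=1e-6, pos_err=5.0):
    """Apply both leashes to each packet.  Returns {id: (geographic ok, temporal ok)}."""
    results = {}
    for p in packets:
        t_r = receive_times[p["id"]]
        results[p["id"]] = (
            geographic_leash_ok(p["pos"], p["t"], receiver_pos, t_r, v_max, delta, pos_err, radio_range),
            temporal_leash_ok(p["t"], t_r, radio_range, delta),
        )
    return results


if __name__ == "__main__":
    print(check_leashes(SAMPLE_PACKETS, (120.0, 0.0),
                        {"neighbour": 0.5e-6, "tunnelled": 40e-6}))
```

The two leashes trade different requirements: the temporal leash needs microsecond clock synchronisation but no location information, while the geographic leash tolerates loose synchronisation but needs each node to know its position. Both only work if the timestamp and position in the packet are authenticated, otherwise the values could simply be rewritten.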
Cooperation enforcement

- Introduction
- Solutions
  - Currency based
  - Local monitoring

Cooperation enforcement

- Currency based
  - Nuglets
  - Sprite
- Local monitoring
  - Watchdog and path rater
  - Confidant
  - CORE
  - Token-based

Nuglets

- Nuglets: a virtual currency
- Packet purse model
  - The sender pays nuglets in advance
  - Each intermediate node takes nuglets for its forwarding service
- Packet trade model
  - Each intermediate node "buys" the packet from the previous one and "sells" it to the next one

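An added example (not from the slides or the Nuglets papers) that simulates both payment models on a constructed route S-A-B-D, including the failure mode of the packet purse model: when the sender underestimates the price of the route, the packet is dropped partway and the nuglets already spent are lost. Prices, purse sizes and the per-hop markup are assumptions.

```python
def packet_purse(route, purse, price):
    """Packet purse model: the sender loads `purse` nuglets into the packet; each
    intermediate node takes `price` nuglets before forwarding and drops the
    packet if the purse can no longer pay.  Returns (delivered, balances, left)."""
    balances = {n: 0 for n in route}
    balances[route[0]] -= purse          # paid in advance by the sender
    for node in route[1:-1]:             # intermediate nodes only
        if purse < price:
            return False, balances, purse    # dropped here; earlier payments are lost
        purse -= price
        balances[node] += price
    return True, balances, purse


def packet_trade(route, price, markup=1):
    """Packet trade model: each node buys the packet from the previous one and
    sells it to the next for `markup` more; the destination pays the final price,
    so the source needs no estimate of the total cost in advance."""
    balances = {n: 0 for n in route}
    for seller, buyer in zip(route, route[1:]):
        balances[seller] += price
        balances[buyer] -= price
        price += markup
    return balances


if __name__ == "__main__":
    route = ["S", "A", "B", "D"]                   # constructed route
    print(packet_purse(route, purse=2, price=1))   # enough for two hops
    print(packet_purse(route, purse=1, price=1))   # underestimated: dropped at B
    print(packet_trade(route, price=1))            # destination pays 3
```

The two runs of `packet_purse` show the trade-off in the table that follows: the sender must estimate the number of hops, and a wrong estimate wastes the nuglets already handed out, whereas in `packet_trade` the cost accumulates along the path and lands on the destination, which is what lets a node overload the network at someone else's expense.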
Nuglets

                     Advantage                                    Disadvantage
Packet purse model   deters nodes from sending useless data       difficult to estimate the number of
                     and overloading the network                  nuglets that are required
Packet trade model   source does not have to know in advance      cannot prevent nodes from
                     the number of nuglets required               overloading the network

Sprite

- Uses credit to provide an incentive to selfish nodes
- Nodes keep receipts to get payments from the Credit Clearance Service (CCS)
- The credit a node receives depends on whether its forwarding is successful or not

Watchdog and path rater

- A node's watchdog listens promiscuously to the next node's transmissions
- If a node does not forward, it is misbehaving
- The path rater chooses the best path from the watchdog ratings

[Figure: path S-A-B-C-D; A forwards the packet to B while listening for B's retransmission. Legend: connected, connected through multiple hops, forwarding, listening]

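An added simulation, not from the slides or from Marti et al.'s watchdog paper, of the two mechanisms working together: the watchdog at each hop counts packets whose retransmission by the next hop was never overheard, and the path rater turns those counts into per-node ratings and picks the best-scoring route. The candidate paths, the forwarding behaviour of each node (B silently drops), the rating values and the miss threshold are constructed assumptions.

```python
from collections import defaultdict


def run_watchdog(path, forwards, n_packets):
    """Send n_packets along `path`.  Each node hands the packet to its next hop and
    listens promiscuously for that hop to retransmit it; if the retransmission is
    not overheard, the watchdog records a miss against that hop.  `forwards` says
    for each node whether it really forwards (constructed behaviour).
    Returns {node: misses}."""
    misses = defaultdict(int)
    for _ in range(n_packets):
        for sender, nxt in zip(path, path[1:]):
            if nxt == path[-1]:
                break                 # the destination consumes the packet; nothing to overhear
            if forwards[nxt]:
                continue              # retransmission overheard; nxt now watches the hop after it
            misses[nxt] += 1          # not overheard before the timeout
            break                     # the packet is lost at this hop
    return dict(misses)


def rate_paths(paths, misses, threshold, base=0.5, misbehaving=-100.0):
    """Path rater: every known node starts at `base`; a node whose misses reach
    `threshold` is rated `misbehaving`.  A path's score is the mean rating of its
    nodes and the highest-scoring path is chosen.  Returns (best path, scores)."""
    ratings = {n: base for p in paths for n in p}
    for node, count in misses.items():
        if count >= threshold:
            ratings[node] = misbehaving
    scores = {tuple(p): sum(ratings[n] for n in p) / len(p) for p in paths}
    best = max(scores, key=scores.get)
    return list(best), scores


# Constructed candidate routes from S to D and constructed node behaviour.
PATHS = [["S", "A", "B", "C", "D"], ["S", "E", "F", "D"]]
FORWARDS = {"A": True, "B": False, "C": True, "E": True, "F": True}


def demo(n_packets=10, threshold=5):
    """Run the watchdog on both paths and let the path rater choose.
    Returns (miss counts, chosen path)."""
    misses = {}
    for p in PATHS:
        misses.update(run_watchdog(p, FORWARDS, n_packets))
    best, _ = rate_paths(PATHS, misses, threshold)
    return misses, best


if __name__ == "__main__":
    print(demo())
```

The threshold exists because a single miss is ambiguous: the watchdog cannot tell a deliberate drop from a packet lost to a collision it did not hear, so a node is only marked as misbehaving after repeated misses. Note also that C never gets a chance to misbehave or to be observed once B drops everything, which is why the path rater scores whole paths rather than single links.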
Confidant

- Consists of:
  - Monitor
  - Reputation System
  - Path Manager
  - Trust Manager

Confidant

- Detects malicious nodes
  - by means of observation or reports about several types of attacks
- Allows nodes
  - to route around misbehaving nodes
  - to isolate misbehaving nodes from the network

CORE

- Basic components:
  - Reputation table
    - stored in each node
    - holds the reputation value of each node
  - Watchdog mechanism
    - detects misbehaving nodes

Token-based

- Each node has to hold a token
- Local neighbors monitor each node
- The token is renewed via multiple neighbors
- The period of validity of a node's token depends on how long it has stayed and how well it has behaved

Token-based

- Composed of:
  - Neighbor verification
  - Neighbor monitoring
  - Intrusion reaction
  - Security enhanced routing protocol

Summary

- Introduction
- Secure routing
  - Existing routing protocols
  - Security attacks
  - Defenses
- Node cooperation
  - Currency based
  - Local monitoring

Thank you!