IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 5, NO. 11, NOVEMBER 2006, p. 1533

Provably Secure On-Demand Source Routing in Mobile Ad Hoc Networks

Gergely Ács, Levente Buttyán, and István Vajda

Abstract—Routing is one of the most basic networking functions in mobile ad hoc networks. Hence, an adversary can easily paralyze the operation of the network by attacking the routing protocol. This has been realized by many researchers and several “secure” routing protocols have been proposed for ad hoc networks. However, the security of those protocols has mainly been analyzed by informal means only. In this paper, we argue that flaws in ad hoc routing protocols can be very subtle, and we advocate a more systematic way of analysis. We propose a mathematical framework in which security can be precisely defined and routing protocols for mobile ad hoc networks can be proved to be secure in a rigorous manner. Our framework is tailored for on-demand source routing protocols, but the general principles are applicable to other types of protocols too. Our approach is based on the simulation paradigm, which has already been used extensively for the analysis of key establishment protocols, but, to the best of our knowledge, it has not been applied in the context of ad hoc routing so far. We also propose a new on-demand source routing protocol, called endairA, and we demonstrate the use of our framework by proving that it is secure in our model.

Index Terms—Mobile ad hoc networks, secure routing, provable security.



The authors are with the Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics, BME-HIT, PO Box 91, 1521 Budapest, Hungary. E-mail: {acs, buttyan, vajda}
Manuscript received 29 Mar. 2005; revised 13 Oct. 2005; accepted 24 Nov. 2005; published online 15 Sept. 2006.
For information on obtaining reprints of this article, please send e-mail to: (address missing) and reference IEEECS Log Number TMC-0082-0305.
1536-1233/06/$20.00 © 2006 IEEE. Published by the IEEE CS, CASS, ComSoc, IES, & SPS

Routing is one of the most basic networking functions in mobile ad hoc networks. Hence, an adversary can easily paralyze the operation of the network by attacking the routing protocol. This has been realized by many researchers and several “secure” routing protocols have been proposed for ad hoc networks (see [13] for a survey). However, the security of those protocols has been analyzed either by informal means only, or with formal methods that have never been intended for the analysis of this kind of protocol (e.g., BAN logic [4]). In this paper, we present new attacks on Ariadne, a previously published “secure” routing protocol [10]. Other attacks can be found in [6]. These attacks clearly demonstrate that flaws can be very subtle and, therefore, hard to discover by informal reasoning. Hence, we advocate a more systematic approach to analyzing ad hoc routing protocols, which is based on a rigorous mathematical model, in which precise definitions of security can be given and sound proof techniques can be developed.

Routing has two main functions: route discovery and packet forwarding. The former is concerned with discovering routes between nodes, whereas the latter is about sending data packets through the previously discovered routes. There are different types of ad hoc routing protocols. One can distinguish proactive (e.g., OLSR [7]) and reactive (e.g., AODV [19] and DSR [14]) protocols. Protocols of the latter category are also called on-demand protocols. Another type of classification distinguishes routing table-based protocols (e.g., AODV) and source routing protocols (e.g., DSR). In this paper, we focus on the route discovery part of on-demand source routing protocols. However, in [1], we show that the general principles of our approach are applicable to the route discovery part of other types of protocols too.

At a very informal level, security of a routing protocol means that it can perform its functions even in the presence of an adversary whose objective is to prevent the correct functioning of the protocol. Since we are focusing on the route discovery part of on-demand source routing protocols, in our case, attacks are aiming at making honest nodes receive “incorrect” routes as a result of the route discovery procedure. We will specify more precisely later what we mean by an “incorrect” route.

Regarding the capabilities of the adversary, we assume that it can mount active attacks (i.e., it can eavesdrop, modify, delete, insert, and replay messages). However, we make the realistic assumption that the adversary is not all-powerful, by which we mean that it cannot eavesdrop, modify, or control all communications of the honest participants. Instead, the adversary launches its attacks from a few adversarial nodes that have similar communication capabilities to the nodes of the honest participants in the network. This means that the adversary can receive only those messages that were transmitted by one of its neighbors and its transmissions can be heard only by its neighbors. The adversarial nodes may be connected through proprietary, out-of-band channels and share information. We further assume that the adversary has compromised some identifiers, by which we mean that it has compromised the cryptographic keys that are used to authenticate those identifiers. Thus, the adversary can appear as an honest participant under any of these compromised identities.

The mathematical framework that we introduce in this paper is based on the so-called simulation paradigm [2], [21].
This has been successfully used in the analysis of some cryptographic algorithms and some cryptographic protocols (see Section 5 for a very brief overview). However, it has never been applied in the context of ad hoc routing protocols.

The main contributions of our work are the following (in order of believed importance):

1. the application of the well-established simulation approach in a new context (ad hoc routing protocols),
2. the discovery of as yet unknown attacks against previously published ad hoc routing protocols, and
3. the design of a new on-demand source routing protocol for mobile ad hoc networks, called endairA, which is provably secure in our model and which may be of independent interest for practitioners.

Preliminary results of this work have been presented in [6]. However, in that paper, we considered only a limited adversary that controls a single adversarial node and uses a single compromised identifier, and we did not allow parallel protocol runs. In this paper, we extend our previous results to a more powerful adversary that controls multiple adversarial nodes and uses multiple compromised identifiers, and we allow the simultaneous execution of any number of instances of the route discovery protocol. We also present two new attacks against Ariadne, as well as some extensions to the endairA protocol, which have never been published before.

The rest of the paper is organized as follows: In Section 2, we present two new attacks on Ariadne. Our goal is to motivate the need for a rigorous analysis technique. In Section 3, we introduce our mathematical framework, which includes a precise definition of security and the description of our proof technique. In Section 4, we present endairA, a new on-demand source routing protocol for ad hoc networks, and we demonstrate the usage of our framework by proving endairA secure. We report on some related work in Section 5, where we also highlight some novelties of our modeling approach with respect to previous applications of the simulation paradigm. Finally, in Section 6, we conclude the paper.

We have already published attacks against Ariadne and SRP in [6]. In this section, we present two new attacks against Ariadne. One of the attacks works on the basic version of the protocol as it appears in [10]; the other one demonstrates the insecurity of an optimized version proposed in [11]. Our main goal in this section is to demonstrate that attacks against ad hoc routing protocols can be very subtle, and therefore, difficult to discover. Consequently, it is also difficult to gain sufficient assurance that a protocol is free of flaws. The approach of verifying the protocol for a small number of specific configurations can never be exhaustive, and thus, it is far from being satisfactory as a method for security analysis. The attacks presented in this section motivate a more rigorous approach for making claims about the security of ad hoc routing protocols, which is the main theme of this paper.

2.1 Operation of the Basic Ariadne Protocol with MACs

Ariadne has been proposed in [10] as a secure on-demand source routing protocol for ad hoc networks. Ariadne comes in three different flavors corresponding to three different techniques for data authentication. More specifically, authentication of routing messages in Ariadne can be based on TESLA [20], on digital signatures, or on MACs (Message Authentication Codes). We discuss Ariadne with MACs.

The initiator of the route discovery generates a route request message and broadcasts it to its neighbors. The route discovery message contains the identifiers of the initiator and the target, a randomly generated request identifier, and a MAC computed over these elements with a key shared by the initiator and the target. This MAC is hashed iteratively by each intermediate node together with its own identifier using a publicly known one-way hash function. The hash values computed in this way are called per-hop hash values. Each intermediate node that receives the request for the first time recomputes the per-hop hash value, appends its identifier to the list of identifiers accumulated in the request, and computes a MAC on the updated request with a key that it shares with the target. Finally, the MAC is appended to a MAC list in the request, and the request is rebroadcast. The purpose of the per-hop hash value is to prevent removal of identifiers from the accumulated route in the route request.

When the target receives the request, it verifies the per-hop hash by recomputing the initiator’s MAC and the per-hop hash value of each intermediate node. Then, it verifies the MAC of each intermediate node. If all these verifications are successful, then the target generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. The route reply contains the identifiers of the target and the initiator, the route obtained from the request, and the MAC of the target on all these elements that is computed with a key shared by the target and the initiator. Each intermediate node passes the reply to the next node on the route (toward the initiator) without any modification. When the initiator receives the reply, it verifies the MAC of the target. If the verification is successful, then it accepts the route returned in the reply.

Although Ariadne does not specify it explicitly, we will nonetheless assume that each node also performs the following verifications when processing route request and route reply messages:

- When a node v receives a route request for the first time, it verifies if the last identifier of the accumulated route in the request corresponds to a neighbor of v. If no identifiers can be found in the accumulated route, then v verifies if the identifier of the initiator corresponds to a neighboring node.
- When a node v receives a route reply, it verifies if its identifier is included in the route carried by the reply. In addition, it also verifies if the preceding identifier (or if there is no preceding identifier, then the identifier of the initiator) and the following identifier (or if there is no following identifier, then
the identifier of the target) in the route correspond to neighbors of v.

If these verifications fail, then the message is dropped. Note, however, that the intermediate nodes cannot verify the MACs of the preceding nodes in the route request and the MAC of the target in the route reply, because they do not possess the necessary keys for that.

Fig. 1. Part of a configuration where an Active-1-2 attack against Ariadne is possible.

2.2 An Attack on Ariadne with MACs

Let us consider the network configuration illustrated in Fig. 1. We assume that the adversary controls two adversarial nodes (represented by the black nodes in the figure), and it uses only a single compromised identifier Z. In [10], an active adversary that controls x adversarial nodes and uses y compromised identifiers is called an Active-y-x adversary. Therefore, our adversary is an Active-1-2 adversary.

We explain the attack when Ariadne is used with standard MACs, but we emphasize that a similar attack can also be carried out when TESLA is used, or when digital signatures are used and, for efficiency reasons, intermediate nodes do not verify the signature list in the route request (which is an assumption that is compliant with the description of Ariadne in [10]).

S initiates a route discovery process toward T. The first adversarial node receives the following route request:

msg_1 = (rreq, S, T, id, h_A, (A), (mac_A)).

The adversary does not append the MAC of Z to the request; instead, it puts h_A on the MAC list, and rebroadcasts the following request:

msg_2 = (rreq, S, T, id, h_A, (A, Z), (mac_A, h_A)).

Recall that the intermediate nodes cannot verify the MACs in the request. Note also that MAC functions based on cryptographic hash functions (e.g., HMAC [15]) output a hash value as the MAC, and therefore, h_A looks like a MAC. Hence, B will not detect the attack, and the following request arrives at the second adversarial node:

msg_3 = (rreq, S, T, id, H(C, ..., H(B, h_A)), (A, Z, B, ..., C), (mac_A, h_A, mac_B, ..., mac_C)).

The adversary removes B, ..., C from the node list and the corresponding MACs from the MAC list. The adversary can do this in the following way: By recognizing identifier Z in the accumulated route, the adversary knows that the request passed through the first adversarial node. By looking at the position of identifier Z in the node list, the adversary will know where h_A is on the MAC list. From h_A, the adversary computes h_Z = H(Z, h_A) and a MAC on (rreq, S, T, id, h_Z, (A, Z), mac_A), and rebroadcasts the following request:

msg_4 = (rreq, S, T, id, h_Z, (A, Z), (mac_A, mac_Z)).

Since the per-hop hash value and both MACs are correct in msg_4, T will receive a correct request, and returns the following reply:

msg_5 = (rrep, T, S, (A, Z, D), mac_T).

When the reply reaches the second adversarial node, it will forward the following message to C:

msg_6 = (rrep, T, S, (A, Z, B, ..., C, Z, D), mac_T).

Note that B, ..., C cannot verify the MAC in msg_6. In addition, their identifiers are in the route carried by the reply, and the preceding and following identifiers belong to their neighbors. Therefore, each of them forwards the reply. Finally, when the first adversarial node receives the reply, it removes B, ..., C and one of the Zs from the node list:

msg_7 = (rrep, T, S, (A, Z, D), mac_T).

In this way, S receives the route reply that T sent. This means that the MAC verifies correctly and S accepts the route (S, A, Z, D, T), which is nonexistent.

It must be noted that in msg_6, the compromised identifier Z appears twice in the node list. Note, however, that Ariadne does not specify that intermediate nodes should check the node list in the reply for repeating identifiers. If each honest node checks only that its own identifier is in the list and that the preceding and following identifiers belong to its neighbors, then the attack works. Moreover, a slightly modified version of the attack would work even if the intermediate nodes checked repeating identifiers in the reply. In that case, the second adversarial node would send the following reply toward S:

msg_6' = (rrep, T, S, (A, X, B, ..., C, Z, D), mac_T),

where X can be any identifier that is different from the other identifiers in the node list. With nonnegligible probability,^1 X is a neighbor of B, and thus, B will pass the reply on, so that the first adversarial node can overhear it. Then, the adversary can remove the identifiers X, B, ..., C, and send the reply containing the node list (A, Z, D) to A. A will process the reply, because it contains no repeating identifiers and Z is its neighbor. Alternatively, the first adversarial node may send information about the neighborhood of B to the second adversarial node in a proprietary way.

This is a very powerful attack (more powerful than the attack published in [6]), because, despite the usage of the per-hop hash mechanism, the adversary manages to shorten an existing route and, therefore, the initiator will probably prefer this short route over others (assuming there are other alternative routes between S and T that are not illustrated in Fig. 1). In other words, the adversary is able to divert the communication between S and T through itself, and then control it.

1. In fact, the probability that X is a neighbor of B is greater than n_B/N, where N is the number of nodes in the network and n_B is the number of B’s
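The request and reply processing of Sections 2.1 and 2.2, as an added Python model that is not code from the paper. It assumes SHA-256 for H, HMAC-SHA256 for the MAC, made-up keys shared by each node with the target, and that an intermediate node's MAC covers the whole request including the MAC list so far; it shows which manipulations the target's checks catch (an identifier simply dropped from the list) and which they cannot (the spliced msg_4, since no node can tell h_A from a MAC), and which replies the per-node checks accept with and without the repeated-identifier check.

```python
import hashlib
import hmac

def shared_key(node: bytes, target: bytes) -> bytes:
    """Constructed demo key shared by node and target (made-up, not real key material)."""
    return hashlib.sha256(b"demo-key|" + node + b"|" + target).digest()

def H(*parts: bytes) -> bytes:
    """Public one-way hash for the per-hop hash values (SHA-256 is an assumption)."""
    return hashlib.sha256(b"|".join(parts)).digest()

def MAC(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as the MAC (an assumption); its output is a hash value, so h_A looks just like one."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def request_body(req: dict) -> tuple:
    """Fields an intermediate node's MAC covers: rreq, S, T, id, per-hop hash, node list, MAC list so far."""
    return (b"rreq", req["S"], req["T"], req["id"], req["h"],
            b",".join(req["nodes"]), b",".join(req["macs"]))

def initiate(S: bytes, T: bytes, rid: bytes) -> dict:
    """Initiator: the MAC over (rreq, S, T, id) with the key shared with T seeds the per-hop hash."""
    mac_S = MAC(shared_key(S, T), b"rreq", S, T, rid)
    return {"S": S, "T": T, "id": rid, "h": mac_S, "nodes": [], "macs": []}

def forward(req: dict, node: bytes) -> dict:
    """Honest intermediate node: h <- H(node, h), append its identifier, append a MAC on the updated
    request. It checks nothing in the MAC list, since it holds none of the other nodes' keys."""
    new = dict(req, h=H(node, req["h"]), nodes=req["nodes"] + [node], macs=list(req["macs"]))
    new["macs"].append(MAC(shared_key(node, req["T"]), *request_body(new)))
    return new

def target_verify(req: dict) -> bool:
    """Target: recompute the initiator's MAC and the per-hop hash of every hop, then every hop's MAC."""
    if len(req["nodes"]) != len(req["macs"]):
        return False
    h = MAC(shared_key(req["S"], req["T"]), b"rreq", req["S"], req["T"], req["id"])
    for i, node in enumerate(req["nodes"]):
        h = H(node, h)
        state = dict(req, h=h, nodes=req["nodes"][:i + 1], macs=req["macs"][:i])
        expected = MAC(shared_key(node, req["T"]), *request_body(state))
        if not hmac.compare_digest(req["macs"][i], expected):
            return False
    return hmac.compare_digest(h, req["h"])

def node_accepts_reply(node: bytes, route: list, neighbors: set, check_repeats: bool = False) -> bool:
    """The reply checks assumed in Section 2.1: the node is on the route (S, ..., T) and the identifiers
    before and after it are its neighbors. The reply's MAC is not even an input here: an intermediate
    node cannot verify it. check_repeats adds the repeated-identifier check discussed after msg_6."""
    if node not in route[1:-1]:
        return False
    if check_repeats and len(set(route)) != len(route):
        return False
    i = route.index(node)
    return route[i - 1] in neighbors and route[i + 1] in neighbors

def demo() -> dict:
    S, A, Z, B, C, D, T, X = (n.encode() for n in "SAZBCDTX")
    msg1 = forward(initiate(S, T, b"id-1"), A)      # the request as the first adversarial node sees it
    honest = msg1
    for n in (B, C, D):                             # a request carried honestly over A, B, C, D
        honest = forward(honest, n)
    # Simply dropping B and mac_B: the chain H(D, H(C, H(B, h_A))) no longer matches the node list
    dropped = dict(honest, nodes=[A, C, D], macs=[honest["macs"][i] for i in (0, 2, 3)])
    # The Section 2.2 splice: Z is appended but h_A, not a MAC of Z, goes on the MAC list (msg_2) ...
    msg2 = dict(msg1, nodes=[A, Z], macs=msg1["macs"] + [msg1["h"]])
    msg3 = forward(forward(msg2, B), C)             # B and C process it like any other request
    # ... and at the second adversarial node the position of Z reveals h_A, giving h_Z and mac_Z (msg_4)
    h_Z = H(Z, msg3["macs"][msg3["nodes"].index(Z)])
    msg4 = dict(msg3, h=h_Z, nodes=[A, Z], macs=[msg3["macs"][0]])
    msg4["macs"].append(MAC(shared_key(Z, T), *request_body(msg4)))
    spliced = forward(msg4, D)
    # Reply checks at B (neighbors Z and C, plus X for msg_6') on the routes carried by msg_6 and msg_6'
    route6 = [S, A, Z, B, C, Z, D, T]
    route6p = [S, A, X, B, C, Z, D, T]
    nb_B = {Z, C, X}
    return {"honest": target_verify(honest), "dropped": target_verify(dropped),
            "spliced": target_verify(spliced),
            "msg6_plain": node_accepts_reply(B, route6, nb_B),
            "msg6_repeat_check": node_accepts_reply(B, route6, nb_B, check_repeats=True),
            "msg6prime_repeat_check": node_accepts_reply(B, route6p, nb_B, check_repeats=True)}
```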
Fig. 2. Part of a configuration where an Active-2-2 attack against the optimized version of Ariadne is possible.

2.3 An Optimized Version of Ariadne

In [11], an optimized version of Ariadne is proposed, which does not use a per-hop hash value and a MAC list in the route request. Instead, a single MAC is updated by the intermediate nodes iteratively. In this optimized version of Ariadne, the route request rebroadcast by the ith intermediate node F_i has the following form:

(rreq, S, T, id, (F_1, ..., F_{i-1}, F_i), mac_{F_i}),

where mac_{F_i} is a MAC computed by F_i with the key that it shares with T on the route request that it received from F_{i-1}:

(rreq, S, T, id, (F_1, ..., F_{i-1}), mac_{F_{i-1}}),

with the convention that mac_{F_0} = mac_S.

The authors of [11] proposed this optimized version because it is more efficient than the basic protocol in terms of computational and communication overhead. First, there is no need anymore for the per-hop hash mechanism, since the MACs computed by the intermediate nodes can play the same role as the per-hop hash values in the original protocol. Second, route requests are shorter, because they do not contain a per-hop hash value and they contain only a single MAC instead of a MAC list.

Incidentally, and independently of the authors’ intent, the optimized version also prevents the attack described in the previous section because the adversary cannot access the MACs of the intermediate nodes in the same way that it can in the case of a MAC list and, therefore, MACs cannot be removed from the route request at the adversary’s will. One may be tempted to believe that the optimized version of Ariadne is more robust than the original one, but unfortunately, it is also vulnerable to attacks.

2.4 An Attack on the Optimized Version of Ariadne

Let us consider the network configuration illustrated in Fig. 2. Now, we assume an Active-2-2 adversary, meaning that the adversary controls two adversarial nodes (the black nodes in the figure) and uses two compromised identifiers X and Y.

S initiates a route discovery toward T. The first adversarial node receives the following route request:

msg_1 = (rreq, S, T, id, (..., A), mac_{S...A}).

The adversary follows the protocol and rebroadcasts the following message:

msg_2 = (rreq, S, T, id, (..., A, X), mac_{S...AX}).

Both B and C receive msg_2 and rebroadcast the appropriate route request messages, but those are not rebroadcast by the second adversarial node.

Some time after the first adversarial node broadcast the route request, it creates a fake route reply,

msg_3 = (rrep, S, T, id, (..., A, X, B, Y, ...), mac_{S...A}),

and sends it to B in the name of Y. Since B has processed the route request, it is in a state where it is ready to receive a corresponding route reply. In addition, Y is a neighbor of B, and B is on the node list in msg_3. Therefore, B accepts the reply. Note that msg_3 contains the MAC mac_{S...A}, which was computed by A on the route request, but B does not notice this because intermediate nodes are not supposed to verify MACs in route reply messages (as those are normally computed with a key shared by the initiator and the target of the route discovery).

Next, B forwards msg_3 to X. The second adversarial node overhears this transmission, since it is a neighbor of B. In this way, the second adversarial node learns mac_{S...A}, and now it can generate a route request message,

msg_4 = (rreq, S, T, id, (..., A, X, Y), mac_{S...AXY}),

by first computing the MAC mac_{S...AX} on

(rreq, S, T, id, (..., A, X), mac_{S...A}),

with the compromised key of X, and then computing the MAC mac_{S...AXY} on

(rreq, S, T, id, (..., A, X, Y), mac_{S...AX}),

with the compromised key of Y. This request is broadcast by the second adversarial node, and it is processed by D and all subsequent nodes.

Since the iterated MAC verifies correctly at the target T, it creates a route reply:

msg_5 = (rrep, S, T, id, (..., A, X, Y, D, ...), mac_T),

where mac_T is a MAC computed on the reply with the key shared by S and T. When this reply reaches the second adversarial node, it modifies it as follows:

msg_6 = (rrep, S, T, id, (..., A, X, C, Y, D, ...), mac_T),

and sends it to C. Since C cannot verify the MAC in the reply, it does not notice the modification made by the second adversarial node. In addition, C has not received any reply yet and, therefore, it accepts msg_6 and forwards it to X. Then, the first adversarial node removes C from the node list and sends the original msg_5 to A. At the end, S receives the same reply sent by T. Therefore, the MAC verifies correctly and S accepts the route (S, ..., A, X, Y, D, ..., T), which is nonexistent.

Just as in the case of the attack described in Section 2.2, the adversary managed to shorten an existing route between the initiator and the target despite the usage of the iterative MAC technique.

3 THE PROPOSED FRAMEWORK

The attacks in the previous section (and those in [6]) clearly show that security flaws in ad hoc routing protocols can be very subtle. Consequently, making claims about the security of a routing protocol based on only informal
arguments is dangerous. In this section, we propose a mathematical framework, which allows us to define the notion of routing security precisely and to prove that a protocol satisfies our definition of security. It is important to emphasize that the proposed framework is best suited for proving that a protocol is secure (if it really is), but it is not directly usable to discover attacks against routing protocols that are flawed. We note, however, that such attacks may be discovered indirectly by attempting to prove that the protocol is secure and examining where the proof fails. Indeed, that is the way in which we discovered the attacks on Ariadne described in the previous section.

Before indulging in the description of the proposed framework, we give a high-level overview of our approach here. Our framework is based on the simulation paradigm [2], [21]. In this approach, two models are constructed for the protocol under investigation: a real-world model, which describes the operation of the protocol with all its details in a particular computational model, and an ideal-world model, which describes the protocol in an abstract way, mainly focusing on the services that the protocol should provide. One can think of the ideal-world model as a description of a specification and the real-world model as a description of an implementation. Both models contain adversaries. The

We model the ad hoc network (in a given instance of time) as an undirected graph G(V, E), where V is the set of vertices and E is the set of edges. Each vertex represents either a single nonadversarial node or a set of adversarial nodes that can share information among themselves by communicating via direct wireless links or via out-of-band channels. The former is called a nonadversarial vertex, while the latter is called an adversarial vertex. The set of adversarial vertices is denoted by V*, and V* ⊂ V.

There is an edge between two nonadversarial vertices if the corresponding nonadversarial nodes established a wireless link between themselves by successfully running the neighbor discovery protocol. Furthermore, there is an edge between a nonadversarial vertex u and an adversarial vertex v* if the nonadversarial node that corresponds to u established a wireless link with at least one of the adversarial nodes that correspond to v*. Finally, there is no edge between two adversarial vertices in G. The rationale is that edges represent direct wireless links, and if two adversarial vertices u* and v* were connected, then there would be at least two adversarial nodes, one corresponding to u* and the other corresponding to v*, that could communicate with each other directly. That would mean that the adversarial nodes in u* and v* could share
real-world adversary is an arbitrary process, while the              information via those two connected nodes, and thus, they
abilities of the ideal-world adversary are usually con-              should belong to a single vertex in G.
strained. The ideal-world adversary models the tolerable                 This model can capture the situation when all the
imperfections of the system; these are attacks that are              adversarial nodes are connected via out-of-band channels.
unavoidable or very costly to defend against, and hence,             In that case, there is a single adversarial vertex in G, which
they should be tolerated instead of being completely                 is connected to all the nonadversarial vertices such that the
eliminated. The protocol is said to be secure if the real-           corresponding nonadversarial nodes can communicate with
world and the ideal-world models are equivalent, where the           the adversarial nodes via direct wireless links. In addition,
equivalence is defined as some form of indistinguishability          our model can also capture the more general situation when
(e.g., statistical or computational) from the point of view of       there are multiple disjoint sets of adversarial nodes that can
the honest protocol participants. Technically, security of the       communicate via out-of-band channels only within their
protocol is proven by showing that the effects of any real-          sets; in that case, each of those sets are represented by an
world adversary on the execution of the real protocol can be         adversarial vertex in G. The attacks presented in Section 2
simulated by an appropriately chosen ideal-world adversary           belong to this latter case, because they are carried out
in the ideal-world model.                                            without any out-of-band communication between the
   In the rest of this section, we describe the construction         adversarial nodes.
of the real-world model and the ideal-world model, we                    We assume that nodes are identified by identifiers in the
                                                                     neighbor discovery protocol and in the routing protocol.
give a precise definition of security, and we briefly
                                                                     The identifiers are authenticated during neighbor discovery
discuss a proof technique, which can be used to prove
                                                                     and therefore, the possibility of a Sybil attack [8] is
that a given routing protocol satisfies our definition. We
                                                                     excluded. We also assume that wormholes [12] are detected
begin the description of the models by introducing two
                                                                     at the neighbor discovery level, which means that nodes
important notions: configurations and plausible routes.              that are not within each other’s radio range are not able to
3.1 Configurations and Plausible Routes                              run the neighbor discovery protocol successfully. Hence,
                                                                     the edges in E represent pure radio links.
As we mentioned earlier, the adversary launches its attacks
                                                                         We assume that the adversary has compromised some
from adversarial nodes that have similar communication               identifiers, by which we mean that the adversary has
capabilities to the nonadversarial nodes. In addition, we            compromised the cryptographic keys that are necessary to
allow the adversarial nodes to communicate with each other           authenticate those identifiers. We assume that all the
via out-of-band channels. We make the observation that if            compromised identifiers are distributed to all the adversar-
some adversarial nodes are allowed to share information in           ial nodes and they are used in the neighbor discovery
real-time via out-of-band channels, then essentially they can        protocol and in the routing protocol. On the other hand, we
appear as a single “super node” to the rest of the network.          assume that each nonadversarial node uses a single and
In particular, they can establish out-of-band “tunnels”              unique identifier, which is not compromised. We denote the
between themselves that would be transparent to the route            set of all identifiers by L and the set of the compromised
discovery mechanism and, hence, impossible to discover by            identifiers by LÃ .
any means (at least at the level of routing). Our model takes            Let L : V ! 2L be a labeling function that assigns a set
this fact into consideration as follows.                             of identifiers to each vertex in G in such a way that, for
Fig. 3. Illustration of a configuration. Adversarial vertices $u^*$ and $v^*$ are represented by solid black dots. Labels on the vertices are identifiers used by the corresponding nodes. Note that adversarial vertices are not neighboring.

every vertex $v \in V \setminus V^*$, $L(v)$ is a singleton and it contains the noncompromised identifier $\ell \in \mathcal{L} \setminus \mathcal{L}^*$ that is used by the nonadversarial node represented by vertex $v$, and, for every vertex $v \in V^*$, $L(v)$ contains all the compromised identifiers in $\mathcal{L}^*$.

A configuration is a triplet $(G(V, E), V^*, L)$. Fig. 3 illustrates a configuration, where the solid black vertices are the vertices in $V^*$ and each vertex is labeled with the set of identifiers that $L$ assigns to it. Note that the vertices in $V^*$ are not neighboring.

We make the assumption that the configuration is static (at least during the time interval that is considered in the analysis). Thus, we view the route discovery part of the routing protocol as a distributed algorithm that operates on this static configuration.

Intuitively, the minimum that one may require from the route discovery part of the routing protocol is that it returns only existing routes. Our definition of routing security is built on this intuition. We understand that security of routing may be viewed more broadly, including other issues such as detecting and avoiding nodes that drop data packets. However, we deliberately restrict ourselves to the minimum requirement, because it is already challenging to formalize that properly.

Now, we state more precisely what we mean by an existing route. If there were no adversary, then a sequence $\ell_1, \ell_2, \ldots, \ell_n$ ($n \geq 2$) of identifiers would be an existing route, given that the identifiers $\ell_1, \ell_2, \ldots, \ell_n$ are pairwise different and there exists a sequence $v_1, v_2, \ldots, v_n$ of vertices in $V$ such that $(v_i, v_{i+1}) \in E$ for all $1 \leq i < n$ and $L(v_i) = \{\ell_i\}$ for all $1 \leq i \leq n$. However, the situation is more complex due to the adversary, which can use all the compromised identifiers in $\mathcal{L}^*$. Essentially, we must take into account that the adversary can always extend any route that passes through an adversarial vertex with any sequence of compromised identifiers. This is a fact that our definition of security must tolerate since, otherwise, we cannot hope that any routing protocol will satisfy it. This observation leads to the following definition:

Definition 1 (Plausible Route). Let $(G(V, E), V^*, L)$ be a configuration. A sequence $\ell_1, \ell_2, \ldots, \ell_n$ of identifiers is a plausible route with respect to $(G(V, E), V^*, L)$ if the identifiers $\ell_1, \ell_2, \ldots, \ell_n$ are pairwise different and there exists a sequence $v_1, v_2, \ldots, v_k$ ($2 \leq k \leq n$) of vertices in $V$ and a sequence $j_1, j_2, \ldots, j_k$ of positive integers such that

1. $j_1 + j_2 + \ldots + j_k = n$,
2. $\{\ell_{J_i+1}, \ell_{J_i+2}, \ldots, \ell_{J_i+j_i}\} \subseteq L(v_i)$ ($1 \leq i \leq k$), where $J_i = j_1 + j_2 + \ldots + j_{i-1}$ if $i > 1$ and $J_i = 0$ if $i = 1$,
3. $(v_i, v_{i+1}) \in E$ ($1 \leq i < k$).

Intuitively, the definition above requires that the sequence $\ell_1, \ell_2, \ldots, \ell_n$ of identifiers can be partitioned into $k$ subsequences of length $j_i$ (condition 1) in such a way that each of the resulting partitions is a subset of the identifiers assigned to a vertex in $V$ (condition 2) and, in addition, these vertices form a path in $G$ (condition 3).

As an example, let us consider again the configuration in Fig. 3. It is easy to verify that

$(\ell_1, \ell_2, \ell_3, \ell_4, \ell_5) = (A, X, Y, G, C)$

is a plausible route, because it can be partitioned into four partitions $\{A\}$, $\{X, Y\}$, $\{G\}$, and $\{C\}$, such that $\{A\} \subseteq L(a)$, $\{X, Y\} \subset L(u^*)$, $\{G\} \subseteq L(g)$, and $\{C\} \subseteq L(c)$, and vertices $a$, $u^*$, $g$, and $c$ form a path in the graph. In this example, $k = 4$, $j_1 = 1$, $j_2 = 2$, $j_3 = 1$, and $j_4 = 1$; furthermore, $J_1 = 0$, $J_2 = j_1 = 1$, $J_3 = j_1 + j_2 = 3$, and $J_4 = j_1 + j_2 + j_3 = 4$.

3.2 Real-World Model

Next, we need to define a computational model that can be used to represent the possible executions of the route discovery part of the routing protocol. We base this model on the well-known concept of interactive Turing machines. One may find the following models tedious, but we emphasize that this level of detail is indispensable for a precise definition of security in the simulation approach.

The real-world model that corresponds to a configuration $conf = (G(V, E), V^*, L)$ and adversary $A$ is denoted by $\mathit{Sys}^{real}_{conf,A}$, and it is illustrated in Fig. 4a. $\mathit{Sys}^{real}_{conf,A}$ consists of a set $\{M_1, \ldots, M_n, A_1, \ldots, A_m, H, C\}$ of interacting Turing machines, where the interaction is realized via common tapes. Each $M_i$ represents a nonadversarial vertex in $V \setminus V^*$ (more precisely, the corresponding nonadversarial node), and each $A_j$ represents an adversarial vertex in $V^*$ (more precisely, the corresponding adversarial nodes). $H$ is an abstraction of the higher-layer protocols run by the honest parties, and $C$ models the radio links represented by the edges in $E$. All machines, apart from $H$, are probabilistic.

Each machine is initialized with some input data, which determines its initial state. In addition, the probabilistic machines also receive some random input (the coin flips to be used during the operation). Once the machines have been initialized, the computation begins. The machines operate in a reactive manner, which means that they need to be activated in order to perform some computation. When a machine is activated, it reads the content of its input tapes, processes the received data, updates its internal state, writes some output on its output tapes, and goes back to sleep (i.e., starts to wait for the next activation). Reading a message from an input tape removes the message from the tape, while writing a message on an output tape means that the message is appended to the current content of the tape. Note that each tape is considered

Fig. 4. Interconnection of the machines in (a) $\mathit{Sys}^{real}_{conf,A}$ and (b) $\mathit{Sys}^{ideal}_{conf,A}$.

as an output tape for one machine and an input tape for another machine. The machines are activated in rounds by a hypothetical scheduler (not illustrated in Fig. 4). In each round, the scheduler activates the machines in the following order: $A_1, \ldots, A_m, H, M_1, \ldots, M_n, C$. In fact, the order of activation is not important, apart from the requirement that $C$ must be activated at the end of the round. Thus, the round ends when $C$ goes back to sleep.

Now, we describe the operation of the machines in more detail.

• Machine $C$. This machine is intended to model the broadcast nature of radio communications. Its task is to read the content of the output tape of each machine $M_i$ and $A_j$ and copy it on the input tapes of all the neighboring machines, where the neighbor relationship is determined by the configuration $conf$. Clearly, in order for $C$ to be able to work, it needs to be initialized with some random input, denoted by $r_C$, and the configuration $conf$.

• Machine $H$. This machine models higher-layer protocols (i.e., protocols above the routing protocol) and, ultimately, the end-users of the nonadversarial devices. $H$ can initiate a route discovery process at any machine $M_i$ by placing a request $(c_i, \ell_{tar})$ on tape $req_i$, where $c_i$ is a sequence number used to distinguish between different requests sent to $M_i$ and $\ell_{tar} \in \mathcal{L}$ is the identifier of the target of the discovery. A response to this request is eventually returned via tape $res_i$. The response has the form $(c_i, routes)$, where $c_i$ is the sequence number of the corresponding request, and $routes$ is the set of routes found. In some protocols, $routes$ is always a singleton; in others it may contain several routes. If no route is found, then $routes = \emptyset$.

  In addition to $req_i$ and $res_i$, $H$ can access the tapes $ext_j$. These tapes model an out-of-band channel through which the adversary can instruct the honest parties to initiate route discovery processes. The messages read from $ext_j$ have the form $(\ell_{ini}, \ell_{tar})$, where $\ell_{ini}, \ell_{tar} \in \mathcal{L}$ are the identifiers of the initiator and the target, respectively, of the route discovery requested by the adversary. When $H$ reads $(\ell_{ini}, \ell_{tar})$ from $ext_j$, it places a request $(c_i, \ell_{tar})$ in $req_i$, where $i$ is the index of the machine $M_i$ that has identifier $\ell_{ini}$ assigned to it (see also the description of how the machines $M_i$ are initialized). In order for this to work, $H$ needs to know which identifier is assigned to which machine $M_i$; it receives this information as an input in the initialization phase.

• Machine $M_i$ ($1 \leq i \leq n$). These machines represent the nonadversarial vertices in $V \setminus V^*$. The operation of $M_i$ is essentially defined by the routing algorithm. $M_i$ communicates with $H$ via its input tape $req_i$ and its output tape $res_i$. Through these tapes, it receives requests from $H$ for initiating route discoveries and sends the results of the discoveries to $H$, as described above.

  $M_i$ communicates with the other protocol machines via its output tape $out_i$ and its input tape $in_i$. Both tapes can contain messages of the form $(sndr, rcvr, msg)$, where $sndr \in \mathcal{L}$ is the identifier of the sender, $rcvr \in \mathcal{L} \cup \{*\}$ is the identifier of the intended receiver ($*$ meaning a broadcast message), and $msg \in \mathcal{M}$ is the actual protocol message. Here,
$\mathcal{M}$ denotes the set of all possible protocol messages, which is determined by the routing protocol under investigation.

  When $M_i$ is activated, it first reads the content of $req_i$. For each request $(c_i, \ell_{tar})$ received from $H$, it generates a route request $msg$, updates its internal state according to the routing protocol, and then places the message $(L(M_i), *, msg)$ on $out_i$, where $L(M_i)$ denotes the identifier assigned to machine $M_i$.

  When all the requests found on $req_i$ have been processed, $M_i$ reads the content of $in_i$. For each message $(sndr, rcvr, msg)$ found on $in_i$, $M_i$ checks if $sndr$ is its neighbor and $rcvr \in \{L(M_i), *\}$. If these verifications fail, then $M_i$ ignores $msg$. Otherwise, $M_i$ processes $msg$ and updates its internal state. The way this is done depends on the particular routing protocol in question.

  We describe the initialization of $M_i$ after describing the operation of the machines $A_j$.

• Machine $A_j$ ($1 \leq j \leq m$). These machines represent the adversarial vertices in $V^*$. Regarding its communication capabilities, $A_j$ is identical to any machine $M_i$, which means that it can read from $in^*_j$ and write on $out^*_j$ much in the same way as $M_i$ can read from and write on $in_i$ and $out_i$, respectively. In particular, this means that $A_j$ cannot receive messages that were sent by machines that are not neighbors of $A_j$. It also means that "rushing" is not allowed in our model (i.e., $A_j$ must send its messages in a given round before it receives the messages of the same round from the other machines). We intend to extend our model and study the effect of "rushing" in our future work.

  While its communication capabilities are similar to those of the nonadversarial machines, $A_j$ need not follow the routing protocol faithfully. In fact, we place no restrictions on the operation of $A_j$ apart from being polynomial-time in the security parameter (e.g., the key size of the cryptographic primitives used in the protocol) and in the size of the network (i.e., the number of vertices). This allows us to consider arbitrary attacks during the analysis. In particular, $A_j$ may delay or delete messages that it would send if it followed the protocol faithfully. In addition, it can modify messages and generate fake messages.

  In addition, $A_j$ may send out-of-band requests to $H$ by writing on $ext_j$ as described above. This gives the adversary the power to specify who starts a route discovery process and toward which target. Here, we make the restriction that the adversary initiates a route discovery only between nonadversarial machines; in other words, for each request $(\ell_{ini}, \ell_{tar})$ that $A_j$ places on $ext_j$, $\ell_{ini}, \ell_{tar} \in \mathcal{L} \setminus \mathcal{L}^*$ holds.

  Note that each $A_j$ can write several requests on $ext_j$, which means that we allow several parallel runs of the routing protocol. On the other hand, we restrict each $A_j$ to write on $ext_j$ only once, at the very beginning of the computation (i.e., before receiving any messages from other machines). This essentially means that we assume that the adversary is nonadaptive; it cannot initiate new route discoveries as a function of previously observed messages. We intend to extend our model with adaptive adversaries in our future work.

As can be seen from the description above, each $M_i$ should know its own assigned identifier and those of its neighbors in $G$. $M_i$ receives these identifiers in the initialization phase. Similarly, each $A_j$ receives the identifiers of its neighbors and the set $\mathcal{L}^*$ of compromised identifiers.

In addition, the machines may need some cryptographic material (e.g., public and private keys), depending on the routing protocol under investigation. We model the distribution of this material as follows: We assume a function $I$, which takes only a random input $r_I$ and produces a vector $I(r_I) = (\kappa_{pub}, \kappa_1, \ldots, \kappa_n, \kappa^*)$. The component $\kappa_{pub}$ is some public information that becomes known to all $A_j$ and all $M_i$. $\kappa_i$ becomes known only to $M_i$ ($1 \leq i \leq n$), and $\kappa^*$ becomes known to all $A_j$ ($1 \leq j \leq m$). Note that the initialization function can model the out-of-band exchange of initial cryptographic material of both asymmetric and symmetric cryptosystems. In the former case, $\kappa_{pub}$ contains the public keys of all machines, while $\kappa_i$ contains the private key that corresponds to the noncompromised identifier $L(M_i)$, and $\kappa^*$ contains the private keys corresponding to the compromised identifiers in $\mathcal{L}^*$. In the latter case, $\kappa_{pub}$ is empty, $\kappa_i$ contains the symmetric keys known to $M_i$, and $\kappa^*$ contains the symmetric keys known to the adversary (i.e., all $A_j$).

Finally, all $M_i$ and all $A_j$ receive some random input in the initialization phase. The random input of $M_i$ is denoted by $r_i$, and that of $A_j$ is denoted by $r^*_j$.

The computation ends when $H$ reaches one of its final states. This happens when $H$ receives a response to each of the requests that it placed on the tapes $req_i$ ($1 \leq i \leq n$). The output of $\mathit{Sys}^{real}_{conf,A}$ is the sets of routes found in these responses. We denote the output by $\mathit{Out}^{real}_{conf,A}(r)$, where $r = (r_I, r_1, \ldots, r_n, r^*_1, \ldots, r^*_m, r_C)$. In addition, $\mathit{Out}^{real}_{conf,A}$ will denote the random variable describing $\mathit{Out}^{real}_{conf,A}(r)$ when $r$ is chosen uniformly at random.

3.3 Ideal-World Model

The ideal-world model that corresponds to a configuration $conf = (G(V, E), V^*, L)$ and adversary $A$ is denoted by $\mathit{Sys}^{ideal}_{conf,A}$, and it is illustrated in Fig. 4b. One can see that the ideal-world model is very similar to the real-world one. Here, just as in the real-world model, the machines are interactive Turing machines that operate in a reactive manner and are activated by a hypothetical scheduler in rounds. The tapes work in the same way as they do in the real-world model. There is only a small (but important) difference between the operation of $M'_i$ and $M_i$ and that of $C'$ and $C$. Below, we focus on this difference.

Our notion of security is related to the requirement that the routing protocol should return only plausible routes. The differences between the operation of $M'_i$ and $M_i$, and of $C'$ and $C$, will ensure that this requirement is always satisfied

in the ideal-world model. In fact, the ideal-world model is meant to be ideal exactly in this sense.

The main idea is the following: Since $C'$ is initialized with $conf$, it can easily identify and mark those route reply messages that contain nonplausible routes. A marked route reply is processed by each machine $M'_i$ in the same way as a nonmarked one (i.e., the machines ignore the marker) except for the machine that initiated the route discovery process to which the marked route reply belongs. The initiator first performs all the verifications on the route reply that the routing protocol requires and, if the message passes all these verifications, then it also checks if the message is marked as nonplausible. If so, then it drops the message; otherwise, it continues processing (e.g., returns the received route to $H$). This ensures that, in the ideal-world model, every route reply that contains a nonplausible route is caught and filtered out by the initiator of the route discovery.²

Note that $C'$ does not attach plausibility flags to messages that are placed on the tapes $in^*_j$. Hence, the input and the output tapes of all $A_j$ contain messages of the same format as in the real-world model, which makes it easy to "plug" a real-world adversary into the ideal-world model.

Before the computation begins, each machine is initialized with some input data. This is done in the same way as in the real-world model. The computation ends when $H$ reaches one of its final states. This happens when $H$ receives a response to each of the requests that it placed on the tapes $req_i$ ($1 \leq i \leq n$). The output of $\mathit{Sys}^{ideal}_{conf,A}$ is the sets of routes returned in these responses. We denote the output by $\mathit{Out}^{ideal}_{conf,A}(r)$, where $r = (r_I, r_1, \ldots, r_n, r^*_1, \ldots, r^*_m, r_C)$. $\mathit{Out}^{ideal}_{conf,A}$ will denote the random variable describing $\mathit{Out}^{ideal}_{conf,A}(r)$ when $r$ is chosen uniformly at random.
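The plausibility check of Definition 1 (Section 3.1) and the marking that $C'$ performs on route replies, described above, can both be exercised on a small configuration. The following Python is an added example, not code from the paper: it implements the search for the vertex sequence $v_1, \ldots, v_k$ and chunk lengths $j_1, \ldots, j_k$ that Definition 1 asks for, then uses it the way $C'$ does, tagging replies with $pf$ before the initiator decides whether to accept them. The configuration is constructed here as a stand-in for Fig. 3 (chosen so that $(A, X, Y, G, C)$ is plausible, as in the worked example), and the protocol-specific checks of $M'_i$ (signatures, MACs) are abstracted away; both are assumptions of the example.

```python
# Added example (not code from the paper): Definition 1's plausible-route check,
# the ideal-world machine C' that marks route replies with the plausibility flag
# pf, and the initiator's acceptance rule. The configuration below is constructed
# as a stand-in for the paper's Fig. 3 and is chosen so that (A, X, Y, G, C) is
# plausible, as in the worked example. Protocol-specific checks (signatures,
# MACs) are abstracted away; only the framework's generic checks are modelled.

# Vertex names are lowercase, identifiers uppercase. u* and v* are adversarial
# vertices; every adversarial vertex carries the whole compromised set L*.
# Adversarial vertices are never adjacent to each other (no edge u*-v*).
COMPROMISED = frozenset({"X", "Y", "Z"})               # L*
VERTICES = {                                           # labelling function L
    "a": {"A"}, "b": {"B"}, "c": {"C"}, "g": {"G"},
    "u*": set(COMPROMISED), "v*": set(COMPROMISED),
}
ADVERSARIAL = {"u*", "v*"}                             # V*
EDGES = {("a", "u*"), ("u*", "g"), ("g", "c"),         # E, undirected
         ("a", "b"), ("b", "v*"), ("v*", "c")}


def neighbors(v, edges=EDGES):
    """Vertices adjacent to v in the undirected graph G(V, E)."""
    return {y for x, y in edges if x == v} | {x for x, y in edges if y == v}


def is_plausible_route(route, vertices=VERTICES, edges=EDGES):
    """Definition 1: l_1..l_n is plausible iff the identifiers are pairwise
    different and the sequence can be cut into k >= 2 non-empty consecutive
    chunks with chunk i a subset of L(v_i) and v_1..v_k a path in G."""
    n = len(route)
    if n < 2 or len(set(route)) != n:
        return False
    adj = {v: neighbors(v, edges) for v in vertices}

    def search(pos, prev, k):
        # pos: first index of route not yet covered; prev: vertex of chunk k
        if pos == n:
            return k >= 2
        for v in (vertices if prev is None else adj[prev]):
            j = 0
            # grow the chunk while the next identifier lies in L(v); every
            # prefix length is a candidate chunk, so try to continue from each
            while pos + j < n and route[pos + j] in vertices[v]:
                j += 1
                if search(pos + j, v, k + 1):
                    return True
        return False

    return search(0, None, 0)


def deliver(sender, entry, ideal, vertices=VERTICES, edges=EDGES,
            adversarial=ADVERSARIAL):
    """Machine C (ideal=False) or C' (ideal=True): copy one (sndr, rcvr, msg)
    entry from the sender's output tape to the input tape of each neighbour.
    C' attaches pf in {True, False, None} (None = undef, for route requests)
    on honest tapes only; adversarial tapes in*_j get the unflagged entry."""
    sndr, rcvr, msg = entry
    kind, route = msg                                  # msg = ("rreq"|"rrep", route)
    pf = is_plausible_route(route, vertices, edges) if kind == "rrep" else None
    tapes = {}
    for v in neighbors(sender, edges):
        flag_it = ideal and v not in adversarial
        tapes[v] = (sndr, rcvr, (msg, pf)) if flag_it else entry
    return tapes


def initiator_accepts(vertex, entry, vertices=VERTICES, edges=EDGES):
    """Acceptance rule of the initiator for a reply to its own discovery: the
    generic checks every M_i / M'_i makes (sender is a neighbour, addressed to
    me or broadcast), the protocol's own checks (abstracted away here), and,
    in the ideal world only, dropping the reply if C' marked it nonplausible."""
    sndr, rcvr, payload = entry
    # real-world entries carry msg = (kind, route); ideal-world ones (msg, pf)
    msg, pf = payload if isinstance(payload[0], tuple) else (payload, None)
    my_id = next(iter(vertices[vertex]))               # honest labels are singletons
    neighbour_ids = {i for nb in neighbors(vertex, edges) for i in vertices[nb]}
    if sndr not in neighbour_ids or rcvr not in {my_id, "*"}:
        return False
    return pf is not False


def demo():
    """u* (speaking as X) answers a's discovery toward C. The forged reply
    skips g and so claims an edge u*-c that does not exist; C' flags it."""
    forged = ("X", "A", ("rrep", ("A", "X", "C")))
    honest = ("X", "A", ("rrep", ("A", "X", "Y", "G", "C")))
    request = ("G", "*", ("rreq", ("A", "X", "Y", "G")))
    ideal_req = deliver("g", request, ideal=True)
    return {
        "forged_real": initiator_accepts("a", deliver("u*", forged, ideal=False)["a"]),
        "forged_ideal": initiator_accepts("a", deliver("u*", forged, ideal=True)["a"]),
        "honest_ideal": initiator_accepts("a", deliver("u*", honest, ideal=True)["a"]),
        "request_unflagged_for_adversary": ideal_req["u*"] == request,
        "request_undef_for_honest": ideal_req["c"] == ("G", "*", (request[2], None)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the demo shows the point of the construction: the forged reply $(A, X, C)$ passes the generic checks of the real-world $M_i$ (the sender $X$ is a neighbor, the message is addressed to $A$), so in the real world only the protocol's own verifications could stop it, whereas in the ideal world $C'$ sets $pf = false$ and the initiator drops it. The honest reply is accepted in both worlds, and a route request is forwarded with $pf = undef$ to honest neighbors and unflagged to the adversarial tape $in^*_j$.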
Now, we describe the operation of $M'_i$ and $C'$ in more detail.

• Machine $M'_i$ ($1 \leq i \leq n$). The main difference between $M'_i$ and $M_i$ is that $M'_i$ is prepared to process messages that contain a plausibility flag. The messages that are placed on tape $in'_i$ have the form $(sndr, rcvr, (msg, pf))$, where $sndr$, $rcvr$, and $msg$ are defined in the same way as in the real-world model, and $pf \in \{true, false, undef\}$ is the plausibility flag, which indicates whether $msg$ is a route request ($pf = undef$), or it is a route reply and it contains only plausible routes ($pf = true$), or it contains a nonplausible route ($pf = false$). When machine $M'_i$ reads $(sndr, rcvr, (msg, pf))$ from $in'_i$, it verifies if $sndr$ is its neighbor and $rcvr \in \{L(M'_i), *\}$. If these verifications are successful, then it performs the verifications required by the routing protocol on $msg$ (e.g., it checks digital signatures, MACs, the route or route segment in $msg$, etc.). In addition, if $msg$ is a route reply that belongs to a route discovery that

3.4 Definitions of Routing Security

Now, we are ready to introduce our definition of secure routing:

Definition 2 (Statistical Security). A routing protocol is said to be statistically secure if, for any configuration $conf$ and any real-world adversary $A$, there exists an ideal-world adversary $A'$ such that $\mathit{Out}^{real}_{conf,A} \stackrel{s}{=} \mathit{Out}^{ideal}_{conf,A'}$, where $\stackrel{s}{=}$ means "statistically indistinguishable."³

Intuitively, statistical security of a routing protocol means that the effect of any real-world adversary in the real-world model can be simulated "almost perfectly" by an ideal-world adversary in the ideal-world model. Since, by definition, no ideal-world adversary can achieve that a nonplausible route is accepted in the ideal-world model, it follows that no real-world adversary can exist that achieves that a nonplausible route is accepted with non-negligible probability in the real-world model because, if such a real-world adversary existed, then no ideal-world adversary could simulate it "almost perfectly." In other
         was initiated by Mi0 , then Mi0 also checks if pf ¼ false.
                                                                                words, if a routing protocol is statistically secure, then it can
         If so, then Mi0 drops msg; otherwise, it continues
                                                                                return nonplausible routes only with negligible probability
         processing it. If msg is not a route reply or Mi0 is not
                                                                                in the real-world model. This negligible probability is
         the initiator, then pf is ignored. The messages
                                                                                related to the fact that the adversary can always forge the
         generated by Mi0 have no plausibility flag attached
         to them, and they are placed in outi .                                 cryptographic primitives (e.g., generate a valid digital
   .     Machine C 0 . Just like C, C 0 copies the content of the               signature) with a very small probability.
         output tape of each Mi0 and Aj onto the input tapes                    3.5    Proof Technique
         of the neighboring machines. However, before
         copying a message ðsndr; rcvr; msgÞ on any tape                        In order to prove the security of a given routing protocol, one
         in0i , C 0 attaches a plausibility flag pf to msg. This is             has to find the appropriate ideal-world adversary A0 for any
         done in the following way:                                             real-world adversary A such that Definition 2 is satisfied.
         -                                             0
              If msg is a route request, then C sets pf to undef.               Due to the constructions of our models, a natural candidate is
         -    If msg is a route reply and all routes carried by
                                                                                   3. Two random variables are statistically indistinguishable if the L1
              msg are plausible with respect to the configura-                  distance of their distributions is negligibly small. In fact, it is possible to
              tion conf, then C 0 sets pf to true.                              give a weaker definition of security, where instead of statistical indis-
         -    Otherwise, C 0 sets pf to false.                                  tinguishability, we require computational indistinguishability. Two random
                                                                                variables are computationally indistinguishable if no feasible algorithm can
                                                                                distinguish their samples (although their distribution may be completely
    2. Of course, marked route reply messages can also be dropped earlier       different). Clearly, statistical indistinguishability implies computational
during the execution of the protocol for other reasons. What we mean is that    indistinguishability, but not vice versa, therefore, computational security is
if they are not caught earlier, then they are surely removed at latest by the   a weaker notion. In this paper, we will only use the concept of statistical
initiator of the route discovery to which they belong.                          security.
$A' = A$. This is because, for any configuration $conf$, the operation of $Sys^{real}_{conf,A}$ can easily be simulated by the operation of $Sys^{ideal}_{conf,A}$, assuming that the two systems were initialized with the same random input $r$. In order to see this, let us assume for a moment that no message is dropped due to its plausibility flag being false in $Sys^{ideal}_{conf,A}$. In this case, $Sys^{real}_{conf,A}$ and $Sys^{ideal}_{conf,A}$ are essentially identical, meaning that, in each step, the state of the corresponding machines and the content of the corresponding tapes are the same (apart from the plausibility flags attached to the messages in $Sys^{ideal}_{conf,A}$). Since the two systems are identical, $Out^{real}_{conf,A}(r) = Out^{ideal}_{conf,A}(r)$ holds for every $r$, and thus, we have $Out^{real}_{conf,A} \stackrel{s}{=} Out^{ideal}_{conf,A}$.⁴

However, if some route reply messages are dropped in $Sys^{ideal}_{conf,A}$ due to their plausibility flags being set to false, then $Sys^{real}_{conf,A}$ and $Sys^{ideal}_{conf,A}$ may end up in different states and their further steps may not match each other, since those messages are not dropped in $Sys^{real}_{conf,A}$ (by definition, they have already successfully passed all verifications required by the routing protocol). We call this situation a simulation failure. In case of a simulation failure, it might be that $Out^{real}_{conf,A}(r) \neq Out^{ideal}_{conf,A}(r)$. Nevertheless, the definition of statistical security can still be satisfied, if simulation failures occur only with negligible probability. Hence, when trying to prove statistical security, one tries to prove that for any configuration $conf$ and adversary $A$, the event of dropping a route reply in $Sys^{ideal}_{conf,A}$ due to its plausibility flag being set to false can occur only with negligible probability.

Note that if the above statement cannot be proven, then the protocol can still be secure because it might be possible to prove the statement for another ideal-world adversary $A' \neq A$. In practice, however, failure of a proof in the case of $A' = A$ usually indicates a problem with the protocol and, often, one can construct an attack by looking at where the proof failed.

4 ENDAIRA: A PROVABLY SECURE ON-DEMAND SOURCE ROUTING PROTOCOL

Inspired by Ariadne with digital signatures,⁵ we designed a routing protocol that can be proven statistically secure. We call the protocol endairA (which is the reverse of Ariadne) because, instead of signing the request, we propose that intermediate nodes should sign the route reply. In the next section, we describe the operation of the basic endairA protocol and we prove it to be statistically secure. We discuss possible extensions and variants of endairA in Section 4.2.

4. In fact, in this case the two random variables have exactly the same distribution.

5. Ariadne with digital signatures is similar to Ariadne with MACs presented in Section 2, with the difference that instead of computing MACs, the intermediate nodes digitally sign the route request before rebroadcasting it.

Fig. 5. An example of the operation and messages of endairA. The initiator of the route discovery is S, the target is T, and the intermediate nodes are A and B. id is a randomly generated request identifier. $sig_A$, $sig_B$, and $sig_T$ are digital signatures of A, B, and T, respectively. Each signature is computed over the message fields (including the signatures) that precede the signature.

4.1 The Basic endairA Protocol

The operation and the messages of endairA are illustrated in Fig. 5. In endairA, the initiator of the route discovery process generates a route request, which contains the identifiers of the initiator and the target, and a randomly generated request identifier. Each intermediate node that receives the request for the first time appends its identifier to the route accumulated so far in the request and rebroadcasts the request. When the request arrives at the target, it generates a route reply. The route reply contains the identifiers of the initiator and the target, the accumulated route obtained from the request, and a digital signature of the target on these elements. The reply is sent back to the initiator on the reverse of the route found in the request. Each intermediate node that receives the reply verifies that its identifier is in the node list carried by the reply and that the preceding identifier (or that of the initiator, if there is no preceding identifier in the node list) and the following identifier (or that of the target, if there is no following identifier in the node list) belong to neighboring nodes. Each intermediate node also verifies that the digital signatures in the reply are valid and that they correspond to the following identifiers in the node list and to the target. If these verifications fail, then the reply is dropped. Otherwise, it is signed by the intermediate node, and passed to the next node on the route (toward the initiator). When the initiator receives the route reply, it verifies if the first identifier in the route carried by the reply belongs to a neighbor. If so, then it verifies all the signatures in the reply. If all these verifications are successful, then the initiator accepts the route.

The proof of the following theorem illustrates how the framework introduced in Section 3 can be used in practice.

Theorem 1. endairA is statistically secure if the signature scheme is secure against chosen message attacks.

Proof. We provide only a sketch of the proof. We want to show that for any configuration $conf = (G(V, E), V^*, L)$ and any adversary $A$, a route reply message in $Sys^{ideal}_{conf,A}$ is dropped due to its plausibility flag set to false with negligible probability.
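The proof reasons about route replies that pass all of endairA's verifications, so it helps to have those verifications in front of us. The following Go program is an added example, not code from the paper: it models the Section 4.1 reply processing with real ed25519 signatures (the target signs the reply; each intermediate node checks that the identifiers before and after its own in the node list are its neighbors and that the target and every following node have validly signed, and only then appends its own signature; the initiator performs the final checks). The identifiers, the topology and the '|'-separated encoding of the signed fields are assumptions of this example; the paper does not fix an encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Network is the static configuration of this constructed example: one ed25519
// key pair per identifier and a symmetric neighbor relation.
type Network struct {
	keys map[string]ed25519.PrivateKey
	adj  map[string]map[string]bool
}

func NewNetwork(ids []string, links [][2]string) *Network {
	n := &Network{keys: map[string]ed25519.PrivateKey{}, adj: map[string]map[string]bool{}}
	for _, id := range ids {
		_, n.keys[id], _ = ed25519.GenerateKey(rand.Reader)
		n.adj[id] = map[string]bool{}
	}
	for _, l := range links {
		n.adj[l[0]][l[1]], n.adj[l[1]][l[0]] = true, true
	}
	return n
}

// Reply is the endairA route reply (rrep, S, T, (F1, ..., Fn), (sigT, sigFn, ..., sigFi)).
type Reply struct {
	Src, Dst string
	Route    []string // intermediate identifiers F1..Fn, initiator side first
	Sigs     [][]byte // Sigs[0] is the target's; Sigs[k] (k >= 1) is Route[len(Route)-k]'s
}

// signedPrefix is what the k-th signature covers: every field that precedes it, earlier
// signatures included ('|' never occurs in identifiers and signatures have a fixed length).
func (r *Reply) signedPrefix(k int) []byte {
	var b bytes.Buffer
	b.WriteString("rrep|" + r.Src + "|" + r.Dst + "|")
	for _, id := range r.Route {
		b.WriteString(id + "|")
	}
	for _, sig := range r.Sigs[:k] {
		b.Write(sig)
	}
	return b.Bytes()
}

// verifySigs checks every signature against the node the list attributes it to.
func (n *Network) verifySigs(r *Reply) error {
	for k, sig := range r.Sigs {
		signer := r.Dst
		if k > 0 {
			signer = r.Route[len(r.Route)-k]
		}
		if priv := n.keys[signer]; priv == nil || !ed25519.Verify(priv.Public().(ed25519.PublicKey), r.signedPrefix(k), sig) {
			return fmt.Errorf("signature attributed to %s does not verify", signer)
		}
	}
	return nil
}

// TargetReply is the reply the target creates from the route accumulated in the request.
func (n *Network) TargetReply(src, dst string, route []string) *Reply {
	r := &Reply{Src: src, Dst: dst, Route: route}
	r.Sigs = [][]byte{ed25519.Sign(n.keys[dst], r.signedPrefix(0))}
	return r
}

// Forward runs the intermediate-node checks of Section 4.1 at node me and returns the
// reply with me's signature appended, or the reason the reply was dropped.
func (n *Network) Forward(me string, r *Reply) (*Reply, error) {
	hops := append(append([]string{r.Src}, r.Route...), r.Dst) // full path S, F1..Fn, T
	pos := -1
	for i := 1; i < len(hops)-1; i++ {
		if hops[i] == me {
			pos = i
		}
	}
	// me must be listed, and the identifiers before and after it must be real neighbors.
	if pos < 0 || !n.adj[me][hops[pos-1]] || !n.adj[me][hops[pos+1]] {
		return nil, fmt.Errorf("%s: not in node list, or a listed neighbor is not one", me)
	}
	// Exactly the target and the nodes after me must have signed already.
	if len(r.Sigs) != len(hops)-1-pos {
		return nil, fmt.Errorf("%s: unexpected number of signatures", me)
	}
	if err := n.verifySigs(r); err != nil {
		return nil, fmt.Errorf("%s: %v", me, err)
	}
	sigs := append(append([][]byte{}, r.Sigs...), ed25519.Sign(n.keys[me], r.signedPrefix(len(r.Sigs))))
	return &Reply{Src: r.Src, Dst: r.Dst, Route: r.Route, Sigs: sigs}, nil
}

// Accept is the initiator's check: the first listed node is a neighbor, and the target
// and every intermediate node have signed with a valid signature.
func (n *Network) Accept(r *Reply) error {
	if len(r.Route) == 0 || !n.adj[r.Src][r.Route[0]] || len(r.Sigs) != len(r.Route)+1 {
		return fmt.Errorf("initiator: bad first hop or signature count")
	}
	return n.verifySigs(r)
}
```

The functions return errors instead of printing, so a Go test (or a small main that chains TargetReply, Forward and Accept over a topology) can assert which replies are accepted and which are dropped.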

In what follows, we will refer to nonadversarial machines with their identifiers. Let us suppose that the following route reply is received by a nonadversarial machine $\ell_{ini}$ in $Sys^{ideal}_{conf,A}$:

$msg = (rrep, \ell_{ini}, \ell_{tar}, (\ell_1, \ldots, \ell_p), (sig_{\ell_{tar}}, sig_{\ell_p}, \ldots, sig_{\ell_1})).$

Let us suppose that $msg$ passes all the verifications required by endairA at $\ell_{ini}$, which means that all signatures in $msg$ are correct, and $\ell_{ini}$ has a neighbor that uses the identifier $\ell_1$. Let us further suppose that $msg$ has been received with a plausibility flag set to false, which means that $(\ell_{ini}, \ell_1, \ldots, \ell_p, \ell_{tar})$ is a nonplausible route in $conf$. Hence, $msg$ is dropped due to its plausibility flag being false.

Recall that, by definition, adversarial vertices cannot be neighbors. In addition, each nonadversarial vertex has a single and unique noncompromised identifier assigned to it. It follows that every route, including $(\ell_{ini}, \ell_1, \ldots, \ell_p, \ell_{tar})$, has a unique meaningful partitioning, which is the following: Each noncompromised identifier, as well as each sequence of consecutive compromised identifiers, should form a partition.

Let $P_1, P_2, \ldots, P_k$ be the unique meaningful partitioning of the route $(\ell_{ini}, \ell_1, \ldots, \ell_p, \ell_{tar})$. The fact that this route is nonplausible implies that at least one of the following two statements holds:

- Case 1. There exist two partitions $P_i = \{\ell_j\}$ and $P_{i+1} = \{\ell_{j+1}\}$ such that both $\ell_j$ and $\ell_{j+1}$ are noncompromised identifiers and the corresponding nonadversarial vertices are not neighbors.
- Case 2. There exist three partitions $P_i = \{\ell_j\}$, $P_{i+1} = \{\ell_{j+1}, \ldots, \ell_{j+q}\}$, and $P_{i+2} = \{\ell_{j+q+1}\}$ such that $\ell_j$ and $\ell_{j+q+1}$ are noncompromised and $\ell_{j+1}, \ldots, \ell_{j+q}$ are compromised identifiers, and the nonadversarial vertices that correspond to $\ell_j$ and $\ell_{j+q+1}$, respectively, have no common adversarial neighbor.

We show that in both cases, the adversary must have forged the digital signature of a nonadversarial machine.

In Case 1, machine $\ell_{j+1}$ does not sign the route reply, since it is nonadversarial and it detects that the identifier that precedes its own identifier in the route does not belong to a neighboring machine. Hence, the adversary must have forged $sig_{\ell_{j+1}}$ in $msg$.

In Case 2, the situation is more complicated. Let us assume that the adversary has not forged the signature of any of the nonadversarial machines. Machine $\ell_j$ must have received

$msg' = (rrep, \ell_{ini}, \ell_{tar}, (\ell_1, \ldots, \ell_p), (sig_{\ell_{tar}}, sig_{\ell_p}, \ldots, sig_{\ell_{j+1}}))$

from an adversarial neighbor, say, $A$, since $\ell_{j+1}$ is compromised and, thus, a nonadversarial machine would not send out a route reply message with $sig_{\ell_{j+1}}$. In order to generate $msg'$, machine $A$ must have received

$msg'' = (rrep, \ell_{ini}, \ell_{tar}, (\ell_1, \ldots, \ell_p), (sig_{\ell_{tar}}, sig_{\ell_p}, \ldots, sig_{\ell_{j+q+1}}))$

because, by assumption, the adversary has not forged the signature of $\ell_{j+q+1}$, which is noncompromised. Since $A$ has no adversarial neighbor, it could have received $msg''$ only from a nonadversarial machine. However, the only nonadversarial machine that would send out $msg''$ is $\ell_{j+q+1}$. This would mean that $A$ is a common adversarial neighbor of $\ell_j$ and $\ell_{j+q+1}$, which contradicts the assumption of Case 2. This means that our original assumption cannot be true, and hence, the adversary must have forged the signature of a nonadversarial machine.

It should be intuitively clear that, if the signature scheme is secure, then the adversary can forge a signature only with negligible probability and, thus, a route reply message in $Sys^{ideal}_{conf,A}$ is dropped due to its plausibility flag set to false only with negligible probability. Nevertheless, we sketch how this could be proven formally. The proof is indirect. We assume that there exist a configuration $conf$ and an adversary $A$ such that a route reply message in $Sys^{ideal}_{conf,A}$ is dropped due to its plausibility flag set to false with probability $\epsilon$ and then, based on that, we construct a forger $F$ that can break the signature scheme with probability $\epsilon/n$. If $\epsilon$ is nonnegligible, then so is $\epsilon/n$ and, thus, the existence of $F$ contradicts the assumption about the security of the signature scheme.

The construction of $F$ is the following: Let $puk$ be an arbitrary public key of the signature scheme. Let us assume that the corresponding private key $prk$ is not known to $F$, but $F$ has access to a signing oracle that produces signatures on submitted messages using $prk$. $F$ runs a simulation of $Sys^{ideal}_{conf,A}$, where all machines are initialized as described in the model, except that the public key of a randomly selected nonadversarial machine $\ell_i$ is replaced with $puk$. During the simulation, whenever $\ell_i$ signs a message $m$, $F$ submits $m$ to the oracle and replaces the signature of $\ell_i$ on $m$ with the one produced by the oracle. This signature verifies correctly on other machines later, since the public verification key of $\ell_i$ is replaced with $puk$. By assumption, with probability $\epsilon$, the simulation of $Sys^{ideal}_{conf,A}$ will result in a route reply message $msg$ such that all signatures in $msg$ are correct and $msg$ contains a nonplausible route. As we saw above, this means that there exists a nonadversarial machine $\ell_j$ such that $msg$ contains the signature $sig_{\ell_j}$ of $\ell_j$, but $\ell_j$ has never signed (the corresponding part of) $msg$. Let us assume that $i = j$. In this case, $sig_{\ell_j}$ is a signature that verifies correctly with the public key $puk$. Since $\ell_j$ did not sign (the corresponding part of) $msg$, $F$ did not call the oracle to generate $sig_{\ell_j}$. This means that $F$ managed to produce a signature on a message that verifies correctly with $puk$. Since $F$ selected $\ell_i$ randomly, the probability of $i = j$ is $1/n$ and, hence, the success probability of $F$ is $\epsilon/n$. □

Besides being provably secure, endairA has another significant advantage over Ariadne (and similar protocols): it is more efficient, because it requires less cryptographic computation overall from the nodes. This is because in endairA, only the processing of the route reply messages involves cryptographic operations, and a route reply message is processed only by those nodes that are in the node list carried in the route reply. In contrast to this, in Ariadne, the route request messages need to be digitally
signed by all intermediate nodes; however, due to the way a route request is propagated, this means that each node in the network must sign each and every route request.

4.2 Practical Extensions to the Basic endairA Protocol

Note that in our model presented in Section 3, we made the assumption that the nodes are static (at least during the period of time that is analyzed). The proof of security of endairA relies on this assumption. More precisely, in the proof, we show that if a route is returned by endairA to an honest node, then that route must exist in the graph that represents the network with overwhelming probability. Moreover, once a route has been returned, it remains valid forever, because the graph does not change. This means that under the assumption of static nodes, the basic endairA protocol is not vulnerable to replay attacks. However, if we relax this assumption, and we allow the nodes to move, then the basic protocol has a problem. In that case, when a node initiates a route discovery process and the adversary receives a route request, it can replay an old route reply, and if that reply reaches the initiator, then it will be accepted, despite the fact that it may contain outdated information (i.e., a route that does not exist anymore due to the mobility of the nodes).

Fortunately, we can easily extend the basic endairA protocol to mitigate this problem. All we need to do is to require the target of the route discovery to insert the random request identifier $id$ (received in the route request) in the route reply. Hence, in the extended endairA protocol, the route reply that is passed from intermediate node $F_i$ to node $F_{i-1}$ looks as follows:

$(rrep, S, T, id, (F_1, \ldots, F_n), (sig_T, sig_{F_n}, \ldots, sig_{F_i})).$

Now, when the initiator receives a route reply, it also verifies if it received back the request identifier that it sent in the route request. This makes it practically impossible for the adversary to successfully replay an old route reply that belongs to a previous route discovery process. Of course, when nodes are allowed to move, it is possible that a route reply contains a nonexistent route even if there was no attack at all. In order to alleviate this problem, the time interval within which the initiator accepts a reply with a specific request identifier should be appropriately limited.

Another problem with the basic endairA protocol is that it is vulnerable to malicious route request flooding attacks. This is because the route request messages are not authenticated in any way and, hence, an adversary (even without compromising any identity) can initiate route discovery processes in the name of honest nodes. These forged route discovery processes will be carried out completely, including the flooding of the route requests in the whole network, because only the impersonated initiators can detect that they are forged. In order to prevent this, the route request can be digitally signed by the initiator, and rate limiting techniques similar to the one used for Ariadne [10] can be applied with endairA too. Naturally, such extensions put more burden on the nodes, since now they also need to verify the initiator's signature in each route request message and to maintain information that is required by the rate limiting mechanism.

Finally, we note that endairA can be optimized with respect to communication overhead by replacing the signature list in the route reply with a single aggregate signature (e.g., [3]) computed by the intermediate nodes iteratively in a similar way as in the case of the iterated MAC technique in the optimized version of Ariadne. The details of this optimization and its security analysis are left for future work.

5 RELATED WORK

There are several proposals for secure ad hoc routing protocols (see [13] for a recent overview). However, most of these proposals come with an informal security analysis with all the pitfalls of informal security arguments. In this section, we report on a few exceptions, where some attempts are made to use formal methods for the verification of ad hoc routing protocols.

In [23], the authors try to reach a goal similar to ours but with a different approach. They propose a formal model for ad hoc routing protocols with the aim of representing insider attacks (which correspond to our notion of adversarial nodes). Their model is similar to the strand spaces model [9], which has been developed for the formal verification of key exchange protocols. Routing security is defined in terms of a safety and a liveness property. The liveness property requires that it is possible to discover routes, while the safety property requires that discovered routes do not contain adversarial nodes. In contrast to this, our definition of security allows the protocol to return routes that pass through adversarial nodes because it seems to be impossible to guarantee that discovered routes do not contain any adversarial node, given that adversarial nodes can behave correctly and follow the routing protocol faithfully. Our definition of security corresponds to the informal definitions given in [18] and [10].

Another approach, presented in [17], is based on a formal method, called CPAL-ES, which uses a weakest precondition logic to reason about security protocols. Unfortunately, the work presented in [17] is very much centered around the analysis of SRP [18] and it is not general enough. For instance, the author defines a security goal that is specific to SRP, but no general definition of routing security is given. In addition, the attack discovered by the author on SRP is not a real attack, because it essentially consists of setting up a wormhole between two nonadversarial nodes, and SRP is not supposed to defend against this. In our opinion, wormhole attacks are attacks against the neighbor discovery mechanism and not against routing (although they affect routing). On the other hand, the advantage of the approaches of [17] and [23] is that they can be automated.

We must also mention that in [18], SRP has been analyzed by its authors using BAN logic [4]. However, BAN logic has never been intended for the analysis of routing protocols. It has been developed for verifying authentication properties, and there is no easy way to represent the requirements of routing security in it. In addition, BAN logic assumes that the protocol participants are trustworthy [5]. This assumption does not hold in the

typical case that we are interested in, namely, when there are adversarial nodes in the network controlled by the adversary that may not follow the routing protocol.

Another set of papers deals with provable security for cryptographic algorithms and protocols (see Parts 5 and 6 of [16] for a survey of the field). However, these papers are not concerned with ad hoc routing protocols. The papers that are the most closely related to the approach we used in this paper are [2], [22], and [21]. These papers apply the simulation paradigm for different security problems: [2] and [22] deal with key exchange protocols, and [21] is concerned with security of reactive systems in general and secure message transmission in particular. To the best of our knowledge, we are the first to apply the notions of

6 CONCLUSION AND FUTURE WORK

The main message of this paper is that attacks against ad hoc routing protocols can be subtle and difficult to discover by informal reasoning about the properties of the protocol. We demonstrated this by presenting novel attacks on Ariadne. Another message is that it is possible to adopt rigorous techniques developed for the security analysis of cryptographic algorithms and protocols, and apply them in the context of ad hoc routing protocols in order to gain more assurances about their security. We demonstrated this by proposing a simulation based framework for on-demand source routing protocols that allows us to give a precise definition of routing security, to model the operation of a given routing protocol in the presence of an adversary, and
provable security and use the simulation-based approach in        to prove (or fail to prove) that the protocol is secure. We
the context of routing protocols for wireless ad hoc              also proposed a new on-demand source routing protocol,
networks. The main novelties of our model with respect            endairA, and we demonstrated the usage of the proposed
to the models proposed so far for the analysis of crypto-         framework by proving that it is secure in our model.
graphic protocols are the following:                              Originally, we developed endairA for purely illustrative
                                                                  purposes; however, it has some noteworthy features that
  .    Our communication model does not abstract away             may inspire designers of future protocols. In this paper, we
       the multihop operation of the network. In addition,        focused on on-demand source routing protocols, but similar
       we model the broadcast nature of radio communica-          principles can be applied to other types of protocols too [1].
       tions, which allows a node to overhear the transmis-       In our future work, we intend to automate parts of the
       sion of a message that was not intended for him. We        proofs.
       also take into account that a radio transmission can
       usually be received only in a limited range around
       the sender.                                                ACKNOWLEDGMENTS
  .    In contrast to previous models, where the adversary        The work presented in this paper has partially been
       has full control over the communications of the            supported by the Hungarian Scientific Research Fund
       honest nodes, in our model, the adversary can hear         (T046664). The first author has been further supported by
       only those messages that were transmitted by               the HSN Lab. The second author has been supported by
       neighboring nodes and, similarly, the transmissions        IKMA and by the Hungarian Ministry of Education
       of the adversary are heard only by its neighbors.             ¨
                                                                  (BO2003/70). The authors are thankful to Markus Jakobsson
  .    In our model, it is a hypothetic scheduler, and not
                                                                  and Jean-Pierre Hubaux for their comments on earlier
       the adversary, that schedules the activities of the
                                                                  versions of this paper. They also give special thanks to one
       honest nodes. In addition, this activation is done in
                                                                  of the anonymous reviewers who encouraged them to
       rounds. This leads to a sort of synchronous model,
       where each participant is aware of a global time           prove the security of the optimized version of Ariadne; this
       represented by the current round number. However,          led to the discovery of the attack presented in this paper.
       this knowledge has never been exploited in our analysis.
       The advantage is that we can retain the simplicity of      REFERENCES
       a synchronous model, without arriving at conclu-           [1]                     ´
                                                                        G. Acs, L. Buttyan, and I. Vajda, “Provable Security of On-
       sions that are valid only in synchronous systems.                Demand Distance Vector Routing in Wireless Ad Hoc Networks,”
  .    The simulation-based approach requires the defini-               Proc. European Workshop Security and Privacy in Ad Hoc and Sensor
       tion of an ideal-world model, which focuses on what              Networks (ESAS), July 2005.
                                                                  [2]   M. Bellare, R. Canetti, and H. Krawczyk, “A Modular Approach to
       the system should do, and it is less concerned about             the Design and Analysis of Authentication and Key Exchange
       how it is done. As a consequence, the ideal-world                Protocols,” Proc. ACM Symp. Theory of Computing, 1998.
       model usually contains a trusted entity that provides      [3]   D. Boneh, C. Gentry, H. Shacham, and B. Lynn, “Aggregate and
                                                                        Verifiably Encrypted Signatures from Bilinear Maps,” Advances in
       the intended services of the system in a “magical”               Cryptology—Proc. Eurocrypt ’03, 2003.
       way. In our model, the role of this trusted entity is      [4]   M. Burrows, M. Abadi, and R. Needham, “A Logic of Authentica-
       played by C 0 , which marks route reply messages that            tion,” ACM Trans. Computer Systems, vol. 8, no. 1, pp. 18-36, Feb.
       contain nonplausible routes. In addition, we do not              1990.
                                                                  [5]   M. Burrows, M. Abadi, and R. Needham, “Rejoinder to Nessett,”
       limit the capabilities of the ideal-world adversary,             ACM Operating Systems Rev., vol. 24, no. 2, pp. 39-40, Apr. 1990.
       but those are the same as the capabilities of a real-      [6]           ´
                                                                        L. Buttyan and I. Vajda, “Towards Provable Security for Ad Hoc
       world adversary. Consequently, and in contrast to                Routing Protocols,” Proc. ACM Workshop Security in Ad Hoc and
                                                                        Sensor Networks (SASN), Oct. 2004.
       other models, the tolerable imperfections (unavoid-        [7]   T. Clausen and P. Jacquet, “Optimized Link State Routing Protocol
       able vulnerabilities) of the system are not captured in          (OLSR),” Internet Request for Comments 3626, Oct. 2003.
       the capabilities of the ideal-world adversary, but they    [8]   J.R. Douceur, “The Sybil Attack,” Proc. First Int’l Workshop Peer-to-
       are embedded in the definition of the plausible route.           Peer Systems (IPTPS), 2002.
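The extension discussed above, a route request digitally signed by its initiator combined with per-initiator rate limiting at the forwarding nodes, worked through as an added example; this is not code from the paper, from endairA or from Ariadne. Ed25519 from Go's standard library stands in for whatever signature scheme the nodes deploy, and the message layout, the `Forwarder` state and the rate-limit policy (at most two requests per initiator in each four-round window) are assumptions made for this example. The signature covers only the fields the initiator fixes, since the accumulated route changes at every hop, and the forwarder verifies the signature before it records the request identifier, so that a forged request cannot cause the genuine request with the same identifier to be dropped later as a duplicate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// RouteRequest is a simplified on-demand source-routing request. Sig is the
// initiator's signature over the fields it fixes (Initiator, Target, ID); Route
// grows at every hop and so cannot be covered by that signature.
type RouteRequest struct {
	Initiator, Target string
	ID                uint64
	Route             []string
	Sig               []byte
}

func (r RouteRequest) signedPart() []byte {
	id := make([]byte, 8)
	binary.BigEndian.PutUint64(id, r.ID)
	return append([]byte(r.Initiator+"|"+r.Target+"|"), id...)
}

// NewSignedRequest is what the initiator does before flooding the request.
func NewSignedRequest(priv ed25519.PrivateKey, initiator, target string, id uint64) RouteRequest {
	r := RouteRequest{Initiator: initiator, Target: target, ID: id}
	r.Sig = ed25519.Sign(priv, r.signedPart())
	return r
}

// Forwarder is the state an intermediate node keeps to decide whether to
// rebroadcast a request. The rate-limit policy (at most MaxPerWindow requests
// per initiator in each Window-round period) is assumed for this example; it is
// not the mechanism Ariadne itself uses.
type Forwarder struct {
	ID           string
	Keys         map[string]ed25519.PublicKey // initiator public keys, assumed pre-distributed
	MaxPerWindow int
	Window       int
	accepted     map[string]bool // "initiator/id" already verified and handled
	forwarded    map[string]int  // "initiator/window" -> requests rebroadcast
}

func NewForwarder(id string, keys map[string]ed25519.PublicKey) *Forwarder {
	return &Forwarder{ID: id, Keys: keys, MaxPerWindow: 2, Window: 4,
		accepted: map[string]bool{}, forwarded: map[string]int{}}
}

// Process returns the request to rebroadcast, with this node appended to the
// route, and an empty reason; or the request unchanged and the drop reason.
func (f *Forwarder) Process(req RouteRequest, round int) (RouteRequest, string) {
	key := fmt.Sprintf("%s/%d", req.Initiator, req.ID)
	if f.accepted[key] {
		return req, "duplicate"
	}
	// Verify before remembering the id: if an unverified forgery were recorded
	// here, the initiator's later genuine request with that id would be dropped
	// as a duplicate, turning a forged flood into a targeted denial of service.
	pk, known := f.Keys[req.Initiator]
	if !known || !ed25519.Verify(pk, req.signedPart(), req.Sig) {
		return req, "bad-signature"
	}
	f.accepted[key] = true
	win := fmt.Sprintf("%s/%d", req.Initiator, round/f.Window)
	if f.forwarded[win] >= f.MaxPerWindow {
		return req, "rate-limited"
	}
	f.forwarded[win]++
	fwd := req
	fwd.Route = append(append([]string{}, req.Route...), f.ID) // copy, do not alias the received slice
	return fwd, ""
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pubS, privS := mustKey()
	_, privM := mustKey() // M, an adversarial node, signs in S's name with its own key
	a := NewForwarder("A", map[string]ed25519.PublicKey{"S": pubS})
	reqs := []RouteRequest{NewSignedRequest(privM, "S", "D", 7), NewSignedRequest(privS, "S", "D", 7),
		NewSignedRequest(privS, "S", "D", 8), NewSignedRequest(privS, "S", "D", 9)}
	for _, r := range reqs {
		fwd, reason := a.Process(r, 1)
		fmt.Printf("id=%d route=%v drop=%q\n", r.ID, fwd.Route, reason)
	}
}
```

Every received request costs the forwarding node one signature verification, which is the extra burden the text refers to; in exchange, a request forged in an honest node's name is dropped by the first honest neighbor that hears it instead of being flooded through the whole network, and an initiator that issues more discoveries than the window allows is throttled at the same point.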
