Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing

Secure Routing for Mobile Ad Hoc Networks
Jing Liu, Fei Fu, Junmo Xiao and Yang Lu PLA University of Science and Technology tongyuanliu@163.com Abstract
Buttyan found out a security flaw in Ariadne[10] and proposed a secure routing protocol, EndairA[19-20], with the ability to resist active-1-1 attacks. But unfortunately we discover an as yet unknown active-01 attack which we call man-in-the-middle attack and EndairA couldn’t resist. Accordingly we propose a new secure routing protocol, EndairALoc. Analysis shows that EndairALoc can resist not only active-1-1 attacks but also the wormhole attack. Furthermore EndairALoc uses pairwise secret keys instead of public keys used in EndairA. Compared with EndairA, EndairALoc can save more energy in the routing establishment.. new secure protocol named EndairA[19-20]. However we find out a new attack that EndairA can’t resist. We call this attack man-in-the-middle attack. Based on EndairA, we propose a new secure routing protocol named EndairALoc, which uses the location information of the node to resist this attack. Analysis result shows that our protocol could resist not only the attacks EndairA could, but also the man-in-the-middle attack and even the wormhole attack. In addition, we utilize the symmetric key mechanism to replace the public key mechanism used in EndairA, which can reduces the energy consumption greatly. In Section 2 of this paper, we introduce an attacker model and EndairA protocol. Section 3 gives the vulnerability of EndairA. Then a new secure routing protocol named EndairALoc is proposed in Section 4. In Section 5 we analyze the security and performance of EndairALoc, and in Section 6 we present our conclusions.

1. Introduction
Wireless Ad-hoc Networks (WANET) is currently a very active area of the academic and industrial research for the foreseeable broad applications. However, it is vulnerable to a wide range of attacks due to the open medium, dynamically changing topology, possible node compromise, difficulty in physical protection, absence of infrastructure and lack of trust among nodes[1-5]. Especially, the routing protocols in MANET bears different kinds of attacks[1,6-8]. In this paper we focus on the designing of secure routing protocols to resist the attacks for WANET. Up to now there are many proposed security protocols, e.g. SRP[9], Ariadne[10], SAODV[11-12], ARAN[13-14], SADSR[15], SEAD[16], and SLSP[17]. Both SRP and Ariadne are improved secure routing protocols based on DSR[18]. SRP requires that the initiator and the target should have a security association between them, while Ariadne needs the security association between the initiator and every node including intermediate nodes and the target. Ariadne is declared to be able to prevent all active-1-1 attacks (This attaker model will be introduced later). In 2005 Buttyan firstly found an active-1-1 attack that SRP and Ariadne couldn’t resist, and proposed a

2. Attacker model and analysis of Endaira
2.1. Attacker Model
In paper [10], the attacker model Active-n-m was firstly introduced. In that paper, the author classified the attacker into two main classes: passive and active. The passive attacker only eavesdrops on the network. It mainly threats against the privacy or anonymity of communication, rather than against the functioning of the network or its routing protocol. An active attacker can inject packets into the network and generally also eavesdrop. So we should lay more emphasis on an active attacker. Then, the author characterizes the attacker based on the number of nodes it owns in the network, and based on the number of those that are good nodes it has compromised. It is assumed that the attacker owns all the cryptographic key information of compromised nodes and distributes it among all its nodes. In the attacker model Active-n-m, n represents the number of nodes the attacker has compromised, and m is the number of the nodes the attacker owned.

0-7695-2909-7/07 $25.00 © 2007 IEEE DOI 10.1109/SNPD.2007.223

314

Qid.) 8) R1->S: Figure 3.R1R2. it could not function well. Analysis of EndairA S R1 R2 D 1) 2) 3) 4) 5) 6) Figure 1.S. SigDSigR2).S. D checks route list in the request to make sure that the last node in route list is its neighbor. and is popular in Internet. The man-in-the-middle attack is an indirect attack. (rrep. the initiator and intermediate nodes insert their own digital signatures into route request packet.D. Qid. Qid. 2) R1-> *: (rreq. A is an attacker. However.S. To generate the route reply packet. which could delete the preceding node’s signature to forge a non-existent route. the target node would copy the signatures in the request packet into the reply packet. If not.R1R2. The initiator of the route discovery is S. He also proved that EndairA could overcome the vulnerability of Ariadne. Qid.S.D. R2->* : (rreq. SigR2 and SigR1 are digital signatures of D. then the initiator accepts the route.) There are two main differences between EndairA and Ariadne.D. Qid. but only introduce overhead. The initiator of the route discovery firstly generates a route request message and broadcasts it to its neighbors. D->R2 : (rrep. First. 7) A-> R1 : (rrep. Second. the author of EndairA. signatures are only generated after the target node generates route reply.D.S.Qid). R1. In fact. SigD). which makes R1 and R2 take the other as a neighbor in mistake. An operation example of EndairA and format of EndairA messages. Otherwise D will generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request.D. SigDSigR2).R1). Vulnerabilities of endaira (1) R1 (2) A (1) R2 (2) Figure 2.D. Qid. S R1 A R2 D 1) S -> * : (rreq.S. If these verifications fail. Qid is a randomly generated query identifier. the more powerful the attacker is. SigDSigR2SigR1. R1 ->* : (rreq. Qid. there are no per-hop hashing. SigD is the signature of D computed over the message fields that precede the signature. S -> * : (rreq.D. in EndairA. 3. SigD.D.D. Qid.R1R2.S.D. 5) D->R2 : (rrep.D. 4) R2-> * : (rreq.S. Otherwise. D discards the request. It is implied that the more the nodes compromised are. Qid. SigDSigR2SigR1. It appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it.S. Consequently these nodes could participate in the network activities pretending legal nodes.D. R2->R1: (rrep. and that the preceding and following identifiers on the route belong to neighboring nodes.S. the operation of EndairA is illustrated. a randomly generated request identifier Qid. 2. If all these verifications are successful.R1). Each intermediate node that receives the reply verifies that its identifier is in the route list carried by the reply. Qid.D. we find out an active-0-1 attacker EndairA not resistant against. The attacker A forwards packets between R1 and R2 without modification. Qid. respectively. The man-in-the-middle Model. 6) R2->A(R1):(rrep. SigD). Each signature is computed over the message fields that precede the signature. R1->S : (rrep.S.R1R2. this attack can make two nodes beyond the communication scope take the other as neighbor.2. 3) A -> * : (rreq. R1 and R2 are valid communicating nodes Figure 2 shows the procedure of the man-in-themiddle attack. and we call it man-in-the-middle attack. in Ariadne. and R2. If so. In Figure 1.S. the target is D. SigDSigR2).R1).The attacker copies the cryptographic key information of the compromised node to the other malicious nodes it owned. Ariadne uses perhop hashing to prevent removal of identifiers from the accumulated route in the route request. When the target D receives the request. and the intermediate nodes are R1 and R2. then it verifies all the signatures in the reply.Qid).S.D. and passed to the next node on the route(towards the initiator). An example of the man-in-the-middle attack against EndairA Figure 3 shows an example of the man-in-themiddle attack against EndairA. Buttyan.R1R2. it is signed by the intermediate node. When the initiator receives the route reply. it is extremely simple and intuitive”. In mobile ad hoc networks.R1R2. Each intermediate node receives the request for the first time. The route discovery message contains the identifiers of the initiator and the target. In EndairA.R1R2.R1R2). We assume that a malicious node locates between the intermediate nodes 315 .R1R2). declared “Besides being provably secure against an Active-1-1 adversary (and most probably against an Active-1-x adversary too). However. In Paper[19-20] it is described in detail how Ariadne was vulnerable to an active-1-1 attacker. then the reply is discarded. it verifies if the first identifier in the route carried by the reply belongs to a neighbor.S. Qid.

It is obvious that the man-in-themiddle attack is an active-0-1 attack. which can resist the man-in-the-middle and even wormhole-attack. location information in the reply packet. LD is the location information of D. 4) D->R2 : (rrep. LD is the location information of D. the target is D. it discards the packet. D) as a valid route. R2 wants to forward the route reply packet to R1 after appending its signature. It is assumed that a man-in-the-middle attack exists in the route. 4. As shown in Figure 5. and forwards it to R1 without modification in step 7.Qid.D. When finally the initiator S receives the route reply packet.S.S. as far as we know. and only the intermediate nodes could be malicious.D. It appends its identifier to the list of identifiers accumulated in the request and re-broadcasts it.R1R2. When the initiator receives the route reply. 3) R2->* : (rreq. After receiving this packet.MACDSMACR2S) 6) R1->S:(rrep. EndairALoc 316 . we propose a new secure routing protocol named EndairALoc.S. EndairALoc uses pairwise secret keys instead of public keys used in EndairA. S would find the route invalid and discard it. S accepts the non-existent route (S. An operation example of EndairALoc and format of EndairALoc messages.Qid. R1 checks the route list in the packet to verify both the preceding node R2 and the following node S are its neighbors. MACDSMACR2SMACR1S) neighbors.D. it would find the distance between R2 and R1 beyond the transmission range and discard the route. The route discovery message contains the identifiers of the initiator and the target. the target D generates a route reply and sends it back to the initiator via the reverse of the route obtained from the route request. there are no secure routing protocols which can resist the wormhole attack[22-24]. Furthermore. But in EndairALoc.D. Instead. The assumptions are: 1) Cryptographic key system is ideal. If all these verifications are successful. Analysis of security and performance 5.Qid.Qid).Qid.D. without regard to its security. the initiator continues to verify another important feature.R1R2. Security Analysis Besides the capabilities of resisting the man-in-themiddle attack and the wormhole attack. Since the distance between LR2 and LR1 is beyond the transmission range. The wormhole attack model Furthermore. Each intermediate node that receives the reply packet does not verify the route list.S.S..R1R2). R2. MACDS is the message authentication code of D and can only be verified by S. 5. 3) The initiator and the target are valid. then passed the reply packet to the next node on the route(towards the initiator).A2) represents the wormhole along which A1 and A2 collaborate to make R1 and R2 take the other as a neighbor.R1R2.Qid. the dashed line between the two collaborated nodes (A1. However.MACDS). it is clear that EndairA can not resist it.S. If all the neighbor nodes in location information list are in the communication scope.D. LDLR2. If successful. It can easily destroy the correct route discovery without the capture of valid nodes. LD . Qid is a randomly generated query identifier. Figure 4 describes the operation of EndairALoc. In step 6. 2) All nodes pre-share symmetrical pairwise keys to construct message authentication code(MAC). so it can prolong the life of networks greatly. R1. R1 adds its signature to the packet and forwards it to S successively. it appends a message authentication code (MAC) for itself and the initiator and its location information to the reply packet.LDLR2LR1. 5) The wireless transmission range is constant. the attacker A intercepts it.R1).R1 and R2. After verifying R1 as its neighbor and the signatures in the packet. and only two nodes in the transmission range can send and receive data directly. Each intermediate node receives the request for the first time. So EndairALoc can resist the wormhole attack. Otherwise the initiator discards it. 5) R2->R1: (rrep. 4) The nodes could get its location information by some location systems[21]. Otherwise. MACDS is the message authentication code of D for S. After receiving the request. it verifies all the MACs in the reply packet. when the initiator S checks the location list (LDLR2LR1) in the reply packet. a randomly generated request identifier Qid. 1) S -> * : (rreq. A new secure routing protocol In order to solve the vulnerabilities of EndairA. S R1 A1 A2 R2 D Figure 4. The initiator of the route discovery is S. it checks the location information list (LDLR2LR1). 2) R1->* : (rreq. and the intermediate nodes are R1 and R2.1. S accepts the corresponding route list in the reply. The initiator of the route discovery firstly generates a route request message and broadcasts it to its Figure 5.

2004. “Security in Wireless Sensor Networks. From above. Energy Consumption for Different Cryptographic Algorithms Algorithms Publickey(RSA. the stale route request or reply packets with the stale Qid will be detected and discarded by the initiator.” Communications of the ACM.” in 7th International Workshop on Security Protocols. Wagner. while public key mechanism is chosen in EndairA. J. Furthermore.” in Vehicular 317 . sequence number. The result shows that the energy consumption of public key arithmetic is orders of magnitude more powerful than symmetrical key arithmetic. References [1] Y. 2003. and A. 2004. so they would lead to more communication and energy consumption. [5]L.pp. “Stealth attacks on ad-hoc wireless networks. symmetrical key mechanism is utilized in EndairALoc to decrease the computation consumption. [2]F. In order to prevent this attack.53-57.” in 1st ACM Workshop Security of Ad Hoc and Sensor Networks. Hu. Wetzel. each node takes a few actions. Qid is unique for one route request and is generated randomly by the initiator of the route discovery. no. vol. was proposed. 2004. 7. Fortunately. "New Secure Routing in Ad Hoc Networks: Study and Evaluation of Proposed Schemes".” ACM Mobile Computing and Communications Review (MC2R). Messerges. B. “A Secure Design for a General Purpose.-P. it is concluded that EndairALoc enhances the security of the routing protocol without introducing more energy consumption and is more suitable for the network with constrained energy. Inkinen. [6]K. EndairALoc uses the symmetrical key mechanism instead of the public key mechanism. 47. Stankovic.SHA. in the process of route request. [4]A. et al.IDEA) Hash(MD5. [7]M. no. A small number of malicious nodes will not result in serious influence on the route establishment. 5.AES.C. Multihop Ad Hoc Wireless Network. 2) Malicious nodes discard route request or reply packets: EndairALoc belonging to secure DSR protocols could obtain several replies according to one route request. Performance Evaluation Secure routing protocols add the security function to the normal routing protocols. Furthermore. Studies in [22] compared the energy consumption of public key arithmetic and symmetrical key arithmetic in quantity. Yener. Therefore. Virginia. The analysis result shows that our protocol not only retains the security of EndairA but also could resist the man-in-the-middle attack and even the wormhole attack. D. Stajano. Hubaux. S. Jakobsson. any malicious modification will be found out by the initiator after it receives the reply packet. Telecommunications Software and Multimedia. Perrig. a new secure routing protocol. “The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks. Table 1.HMAC) Consumption 100∼500mJ 2∼5uJ 0.ECDSA) Secret-key(DES. The verification of the message authentication code and location information increases the computation consumption of the initiator and the latency of the route discovery.retains the security of EndairA. It is well known that asymmetric algorithms consume much more energy than other cryptographic algorithms do. But because of the message authentication code used.no. 1. “A survey of secure wireless ad hoc routing. S.DSA. 2.” Security & Privacy Magazine. Self-Organizing. R.2. so the energy consumption in the route discovery is decreased greatly. [3]T. the consumption is not very high on the whole. Buttyán and J. 6. “Report on a Working Session on Security in Wireless Ad Hoc Networks. 28-39. Fairfax. pp. Anderson. and so on. The analysis is as following: 1) Malicious nodes alter the control information and location information: the control information includes identity. named EndairALoc.5∼1uJ 6. vol. Conclusions This paper firstly presents a new attack named manin-the-middle attack on EndairA. 3) Replay attack: malicious nodes broadcast stale route request or reply packets to the network. March 2003. And nodes only need to generate message authentication codes in the process of route reply. as listed in Table1. Berlin 1999. Perrig. there are several replies according to one route request. On the other side. Therefore.

and I.19.vol. “Analyzing the Energy Consumption of Security Protocols.no. on Local Computer Networks. 2004. Hu and D. 2001. C. Vajda.” IEEE Journal on Selected Areas in Communications."Secure Ad hoc On-Demand Distance Vector (SAODV) Routing". Haas. 2003.C. [23]Y. [16]Y. 11.” in SLPED’03. November 2006. Visegrád. vol. of the 27th Annual IEEE Conf. pp. September 2006.ietf. [21]Ad Hoc Positioning System(APS). Ilghami. Hu. “secure link state routing for mobile ad hoc networks. of ACM workshop on wireless Security. Papadimitratos. of 2002 IEEE International Conference on Network Protocols (ICNP).3. [11]M.Technology Conference.G. L. no. et al. No. A.2. Hu. Hungary. [20]G. July 13-14. pp. J.2111. Potlapally. [24]L. et al. “Secure routing for mobile ad hoc networks. O.598-610. Ács.” in Proc.txt. Ghazizadeh.2731. Ad hoc [17]P. Buttyán. “Provably Secure On-demand Source Routing in Mobile Ad Hoc Networks.” in Proc. [8]G. Buttyán.. “Provable Security of On-Demand Distance Vector Routing in Wireless Ad Hoc Networks. HAAS. [13]K sanzgiri.” Networks. [25]N.ac. “A secure routing protocol for Ad Hoc networks. May 2003. Wagner. 2005. In GLOBECOM 2001 IEEE Global Telecommunications Conference. [18]D.2103. Karlof and D.2005.edu/guerrero/papers/draftguerrero-manet-saodv-06. D.” IEEE Transactions on Mobile Computing. Johnson. “Towards provable security for ad hoc routing protocols”. pp.175-192. Johnson. Sirin. 5. Buttyan.COM 2002). [19]L.2003. Ács. Hu. Perrig. B. [10]Y. Zapata. Nov 2002.” at the 1st IEEE International Workshop on Sensor Network Protocols and Applications. and E. 2003. http://personals.2. Perrig. Oct 2003. 2005. Zapata.” in Proc. in Proc. GA.org/internet-drafts/draftietf-manet–dsr -10. Johnson. and Y. B. and D. Vol. D.” in Proc. PAPADIMITRATOS.txt. [12]M. “Ariadne: a secure on-demand routing protocol for ad hoc networks.” in: Proc.” http://www. “Packet leashes: a defense against wormhole attacks in wireless networks. Maltz. Vajda. [14]K sanzgiri.” In: Proc. and I. of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM). of the 2003 Symposium on Applications and the Internet Workshops (SAINT'03 Workshops).3.Atlanta. pp. A. “The dynamic source routing protocol for mobile ad hoc networks. pp.C. Johnson.. “Authenticated Routing for Ad hoc Networks. Atlanta.2002. L.2926-2931. and A.” in Network and Distributed System Security Symposium.2002. and I. “Security — aware adaptive dynamic source routing protoco1.23-28. 2002. vol. “Securing ad hoc routing protocol.C. B Dahill et al.” in Proc. 2002. of the SCS Communication Networks and Distributed Systems Modelling and Simulation Conf. Perrig. and D. 19761986. on Mobile Computing and Networking (MOBI. [22]C. [15]S. Z..upc. “Secure Routing in Sensor Networks: Attacks and Countermeasures. Vajda. “Using Directional Antennas to Prevent Wormhole attacks. [9]P. of the Eighth ACM Int1 Conf. San Antonio. Sep. 2005. 2003 318 .G. Evans.pp.B. and Z. “SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks. of the 2nd ACM Workshop on Security of ad hoc and Sensor Networks.” Second European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (ESAS 2005). pp.B.23. Hu. pp.

Sign up to vote on this title
UsefulNot useful