Security of wireless ad-hoc networks

Aram Khalili, William A. Arbaugh
{aram|waa}@cs.umd.edu
Computer Science Department, University of Maryland, College Park, MD 20742, USA

Abstract

Wireless ad-hoc networking introduces a new network model with new opportunities and new security challenges. A description of the network model is given, as well as a threat model. Security challenges are discussed and papers relating to wireless ad-hoc security surveyed. Regarding security challenges, particular attention is given to the most important and lacking aspects to improving security: trust establishment, membership control and network availability through routing security.

Keywords: Wireless, ad-hoc, security, threat, attack, routing.

1 Introduction

The advent of cheap and unregulated wireless data communication technologies such as Bluetooth [Blu01] or IEEE 802.11 [80201] is changing the nature of data communication, network deployment and node mobility. (Consumer) devices with either built-in or optionally available wireless communication capabilities range from deskside computers and laptops over PDAs and cellphones all the way down to special purpose devices like wireless cameras and microsensors. For many of these devices, mobility is the major service, e.g. cellphones or laptops. Often users want these devices to communicate with fixed networks (e.g. the Internet) or similar devices to access information or exchange it with other users. For reasons of manageability and administrative control, (in the civilian world) this has traditionally been done through a communications infrastructure (e.g. cellular phone network) which is built where it is economically feasible. In other areas these services are unavailable. Since the small, mobile, wireless devices are often expected to become nearly ubiquitous, demand for wireless communication should be expected to be nearly ubiquitous as well. However, in many areas the demand for wireless communication may not be enough to support the infrastructure to provide such communication. For this case devices have been enabled to talk to each other directly and form “ad-hoc” networks to interchange information directly without support from any infrastructure. Even in areas with infrastructure support for wireless communication, users may desire to form ad-hoc networks, e.g. for reasons of cost, convenience, bandwidth or policy (control). These ad-hoc networks, however, need to supply essentially the same services as exist in an infrastructure. One of these services is security, and this paper discusses the new properties and challenges of wireless ad-hoc networks with respect to security services. First, we point out the differences between traditional and ad-hoc networks and discuss the general security implications. Next we assess the threat situation for wireless ad-hoc networks. Following this is a more detailed discussion of the critical security services in ad-hoc networks, key management and routing security. Additionally, this paper surveys other publications that relate to security services in wireless ad-hoc networks.

1.1 Properties of Ad-Hoc Networks

The combination of wireless communication and ad-hoc networks creates a new environment with unique properties that affect much of the organization, operation and management of the networks. The following points list the differences between ad-hoc and infrastructure supported networks:

There is no fixed topology. Wireless nodes are often small, personal devices, like cell phones, PDAs or even wrist watches. These are very mobile and may move around freely, moving in and out of range of each other.

Each node is a router. Each node has a limited communication range. All nodes outside of this range can only be reached by packet forwarding (assuming packet switched networks).

Transient connectivity and availability. As a result of changing topologies and the need to conserve energy, many nodes may not be available or reachable all of the time.

Shared physical medium. The transmission medium is accessible to anyone in range with the appropriate equipment, and physical access cannot be restricted.

Identity different from address. In traditional networks the (network) address doesn’t necessarily correspond to identity, but it is often used as such. In ad-hoc networks, addresses are usually given dynamically with little consistency, making the use of address as an identity even more of a security liability.

Physical vulnerability. The mobile wireless devices are often small, hand-held devices that can easily be stolen and possibly modified. Hence the relation of node to owner isn’t stable, and even if the user authenticates correctly, the node may have been subverted. Depending on the threat model, this introduces byzantine faults [LSP82]. Additionally, it is also possible for some nodes not to have users, such as in sensor networks.

Limited energy. Mobile devices generally operate on battery power, which is exhaustible, although the amount of available energy may vary with devices. In order to conserve energy, some devices may enter a sleep or standby mode, during which they may not be reachable and may not observe traffic, or incur a latency of switching back to normal operation. Most wireless devices use spread spectrum communications, which causes the receiving and decoding of the signal to be an expensive operation, usually more expensive than transmitting, as well as some complex computations, such as modular exponentiation.

Lack of central administration. The devices that make up an ad-hoc network can come from anywhere. No assumption of central administration or control or prior contact should be made.

Limited CPU and other resources. Many of the devices are expected to be consumer electronics, where price plays a big role in market share. Therefore the devices are expected to have cheap and slow CPUs that may not be able to carry out complex computations in an acceptable timeframe. Further, the devices are expected to have limited storage capability, limited network bandwidth and transmission range, and possibly also limited display and user interface capabilities.

1.2 Ad-Hoc Network Constraints

Two important constraints result from these properties. Nodes should not be trusted without proper authentication of the node, the user or both. Centralized services cannot be relied upon, since they may be out of reach or powered down. Of the limited resources, CPU and storage capability can be expected to have the largest increases as technology becomes faster, smaller and more energy efficient and Moore’s law stays in effect. Network bandwidth and transmission range are unlikely to improve dramatically with respect to energy consumption, at least if radio transmissions are used, since they obey Shannon’s law and limit: to achieve a higher bandwidth a higher signal-to-noise ratio must be achieved, which requires more transmission power.

1.3 Security Challenges

The wireless ad-hoc security challenges derive from the characteristics mentioned above. The central security services of confidentiality, integrity, and availability must still be provided under these conditions. Current confidentiality mechanisms, which are encryption and access control with authentication, make little provision for lack of central administration or limited energy. Encryption and authentication rely on cryptographic keys, which are difficult to establish with no common administrative control. Key generation, management and distribution schemes exist, but few fit the (unclear) trust model of ad-hoc networks or can be efficiently executed on small CPUs with energy constraints. In order to implement access control, there must first be a working identification and authentication model. Integrity solutions suffer from similar problems. Strong integrity protections also require cryptographic keys. Weaker integrity protections may guard against transmission errors but pose no challenge to malicious adversaries.

In availability the situation is even worse. New attacks are possible, such as energy starvation attacks, and known attacks have become much more powerful, such as intercepting communications or placing oneself in between other nodes, either to be in their shortest path or to jam their communications. Network-level availability protections are crucial to network security, since all other services depend on the ability to get packets across the network. All this results in two fundamental problem areas that must be addressed if wireless ad-hoc networks are to have security comparable to traditional networks: the first one is trust establishment, key management and membership control, and the second is network availability and routing security. In this paper, previous work on the aforementioned security services with regard to wireless ad-hoc networks will be surveyed, with focus on the crucial areas of key management and routing. Each paper surveyed will be in its own subsection.

1.4 Other surveys

Two papers address the security problem in ad-hoc networks in a general sense.

1.4.1 The duckling

An early paper on wireless ad-hoc security by Stajano and Anderson [SA99] introduces the “Resurrecting Duckling” security policy. It focuses on wireless ad-hoc devices in the consumer electronics market, with some consideration of medical or industrial devices. Stajano and Anderson list some of the properties of ad-hoc networks mentioned in section 1.1. The paper then addresses the security services availability, authenticity, integrity and confidentiality. Under availability attacks, jamming and battery exhaustion are discussed. As a defense to battery exhaustion, a prioritization scheme is suggested, under which auxiliary and non-critical functions are less frequently performed once the energy reserve sinks below some threshold level. In authentication, Stajano and Anderson note the absence of on-line servers (e.g. Kerberos) and state the need for transient security associations because of the transient nature of ad-hoc communication. Borrowing terminology from biology, religion, and some cultures, the “Resurrecting Duckling” security policy is introduced: A newly manufactured device is placed in a “pre-birth” state, waiting for a cryptographic master key to be given to it. When it is turned on, the first key given to the device by physical connection will be accepted as the master authentication key in a process called “imprinting”. This key is likely a symmetric shared secret, due to device constraints. The holder of the master key can then issue and authenticate commands to the imprinted device. When the association between master key holder and device ends, a “death” command is issued and the device returns to a pre-birth state, ready for another imprint. This process is called “reverse metempsychosis”. In case the master key holder cannot issue a death command (e.g. loss of master key or device), the manufacturer (or “shogun”) should be able to return the device to pre-birth state by an “escrowed seppuku” process, which is essentially the death command. Once a shared secret is established, it can be leveraged for integrity protection by keyed MACs. In order to have a certain degree of assurance that the device in question is genuine and not a cloned copy with unknown extra functionality, Stajano and Anderson suggest equipping the device with tamper evident seals. If the device possesses the correct secret key and bears no marks of physical tampering, it should be regarded as the genuine device. Tamper resistance would be more desirable than tamper evidence, but may not be economically justifiable. Public key certificates and signatures are mentioned, but not suggested for reasons of resource limits. An important point that is made is that tampering can occur in any subsystem of the device, which should be regarded in the design of the tamper protection. At last, confidentiality, like integrity, can be achieved using the shared secret set up in the imprinting phase.
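The duckling life cycle just described, modelled as a small device state machine. This is an added example and not code from Stajano and Anderson's paper: it exercises imprinting over the physical channel, command authentication under the master key, the death command and the manufacturer's escrowed reset. HMAC-SHA256 as the keyed MAC, a per-command counter for replay protection and the constructed keys in demo() are assumptions the paper does not fix.

```python
"""Resurrecting Duckling policy as a device state machine (added example).

Not code from Stajano and Anderson's paper. A device starts in the pre-birth
state, is imprinted by the first key offered over the physical contact channel,
then accepts commands only under a keyed MAC with that master key; a "death"
command from the master, or the manufacturer's escrowed reset, returns it to
pre-birth for re-imprinting. Assumed here (not fixed by the paper): HMAC-SHA256
as the keyed MAC, a per-command counter against replay, constructed keys.
"""
import hashlib
import hmac


class DucklingDevice:
    PRE_BIRTH = "pre-birth"
    IMPRINTED = "imprinted"

    def __init__(self, escrow_key: bytes):
        # Manufacturer ("shogun") secret installed at production time; it
        # authorizes the escrowed seppuku reset when the master key is lost.
        self.escrow_key = escrow_key
        self.master_key = None
        self.state = self.PRE_BIRTH
        self.seen_counters = set()         # counters accepted under the current master key
        self.seen_escrow_counters = set()  # never cleared: survives re-imprinting

    @staticmethod
    def tag(key: bytes, counter: int, command: str) -> bytes:
        """Keyed MAC over (counter, command); both ends compute it the same way."""
        return hmac.new(key, f"{counter}:{command}".encode(), hashlib.sha256).digest()

    def imprint(self, key: bytes, via_physical_contact: bool) -> bool:
        """Imprinting: only the first key, and only over the physical channel, is accepted."""
        if self.state != self.PRE_BIRTH or not via_physical_contact:
            return False
        self.master_key = key
        self.state = self.IMPRINTED
        return True

    def command(self, counter: int, command: str, mac: bytes) -> str:
        """Execute a command authenticated under the master key; "death" resets the device."""
        if self.state != self.IMPRINTED:
            return "rejected: not imprinted"
        expected = self.tag(self.master_key, counter, command)
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad MAC"
        if counter in self.seen_counters:
            return "rejected: replay"
        self.seen_counters.add(counter)
        if command == "death":
            self._reverse_metempsychosis()
            return "died"
        return f"ok: {command}"

    def escrowed_seppuku(self, counter: int, mac: bytes) -> bool:
        """Manufacturer-initiated death when the master key holder cannot issue it."""
        expected = self.tag(self.escrow_key, counter, "seppuku")
        if not hmac.compare_digest(expected, mac) or counter in self.seen_escrow_counters:
            return False
        self.seen_escrow_counters.add(counter)
        self._reverse_metempsychosis()
        return True

    def _reverse_metempsychosis(self) -> None:
        """Return to pre-birth: forget the master key, ready for a new imprint."""
        self.master_key = None
        self.state = self.PRE_BIRTH
        self.seen_counters.clear()


def demo() -> list:
    """Walk one device through its life cycle; returns the sequence of outcomes."""
    owner_key = b"owner-master-key (constructed)"
    escrow = b"manufacturer-escrow (constructed)"
    dev = DucklingDevice(escrow)
    return [
        dev.imprint(owner_key, via_physical_contact=False),            # over radio: refused
        dev.imprint(owner_key, via_physical_contact=True),             # over contact: imprinted
        dev.command(1, "unlock", dev.tag(owner_key, 1, "unlock")),
        dev.command(1, "unlock", dev.tag(owner_key, 1, "unlock")),     # same counter again
        dev.command(2, "unlock", dev.tag(b"not the key", 2, "unlock")),
        dev.command(3, "death", dev.tag(owner_key, 3, "death")),       # back to pre-birth
        dev.imprint(b"new-owner-key (constructed)", via_physical_contact=True),
        dev.escrowed_seppuku(1, dev.tag(escrow, 1, "seppuku")),        # new owner lost the key
        dev.state,
    ]
```

The escrow counters deliberately survive a reset: otherwise a recorded seppuku message could be replayed after every re-imprint, which would be a cheap availability attack on the device.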

1.4.2 Routing Survey

In an unpublished course paper [Lun00], Lundberg recognizes the importance of routing security to overall ad-hoc network security. He starts by listing the goals for secure routing algorithms: guaranteed discovery, fault isolation, small resource footprint, location privacy, self-stabilization/healing and byzantine robustness. Lundberg also mentions some of the ad-hoc network properties from section 1.1. Routing attacks are classified as passive or active. Passive attacks are eavesdropping attacks and can reveal relationships between nodes (e.g. client/server) or network topologies. Active attacks include creating black holes or graph sinks, memory and energy denial of service attacks, and location disclosure/discovery. Lundberg then talks about likely applications of ad-hoc networks. Described are home electronics/appliance networks, emergency/rescue operations and military deployments. Described also are two ad-hoc routing schemes, AODV [PRD01] and ZRP [Haa97]. These protocols are analyzed with respect to the stated goals of secure routing algorithms. According to Lundberg, both provide guaranteed discovery and small resource footprint; neither provides self-stabilization, byzantine robustness or fault isolation. An interesting point is that the hierarchical nature of ZRP provides some location privacy by hiding details inside zones from outsiders. Although Lundberg doesn’t recognize it, the same is likely to be true for fault isolation; the effects an attacker can have will be somewhat limited by hiding internal zone information. Possible solutions are discussed. IPSEC fails unless an authentication and keying infrastructure is present, but it can provide protection against outside forging of routes if all pairs in the network have symmetric secrets. This does not, however, protect against insider attack. A scheme called the “Non-Disclosure Method” [FKK96] is cited and explained. It is equivalent to onion-routing [GRS99] known from privacy protocols. Finally, Lundberg points to the diversity coding technique [AGM93] cited in [ZH99].

2 Threat Model

In a discussion about the security of ad-hoc networks, it is important to be aware of the threats to the network. The beginnings of a classification are introduced by Hu et al. [HJP01]. Other papers have not tackled this issue yet. Hu et al. note that the number of adversaries and the degree of cryptographic penetration of the network are necessary to characterize the threat to an ad-hoc network. It appears useful to also include the resource capabilities of adversaries in the model, such as computational power w.r.t. the ad-hoc network, transmission and reception abilities (directional antennae, etc.) and possibly mobility.

2.1 Outsider threat

The most obvious and commonly recognized threat to ad-hoc networks is that of the outsider. An outsider does not belong to the network and does not share any security context with the network. Attacks an outsider can perform include:

Eavesdropping. An outsider can usually listen to traffic, record it and divulge it to anyone they please.

Denial of service. Even with no access to the network or its services, an adversary can still request services, although such requests are likely to be denied at some layer. Since the communication medium is open, it is also vulnerable to denial of service attacks by continuously transmitting over it (jamming).

Protocol attacks. Insecure protocols, i.e. protocols without authentication, can be attacked by outsiders. Even some secure/security protocols are vulnerable to outside interference during their setup phase, such as the Diffie-Hellman key agreement being vulnerable to a man-in-the-middle attack.

Masquerading/spoofing. Protocols with insufficient authentication are vulnerable to masquerading or spoofing, by which an outsider may attempt to access network services or gain entrance to the network.

Cryptanalytic attacks. If cryptography is used to protect the network, an outsider can listen to the protected interchanges and try to attack them. Cryptanalytic attacks include active and passive attacks.

2.2 Insider threat

Much harder to defend against than the outsider threat is the insider threat. An insider threat can come from an authorized node that is attempting unauthorized actions, from an outsider masquerading as an authorized node (e.g. through recovering the user’s security context through cryptanalysis), or from an outsider who has taken control of an authorized node. An insider has the same knowledge, abilities and trust that a regular member in the network would have (for simplicity, we leave out the case when only part of the security context is compromised; the rest often follows quickly). All outsider attacks are available to an insider and additional attacks are possible by being able to participate in network functions:

Confidentiality attacks. Through knowing some or all (e.g. single group key) of the confidentiality keys, an insider has access to some of the information of the network and can use or share it.

Integrity attacks. Through knowing some or all integrity keys, an insider can successfully modify and possibly forge packets.

Routing attacks. Ad-hoc routing depends to some degree on the cooperation of the nodes in the network. An insider can exploit this through dropping or misrouting packets. Combined with an integrity attack (the ability to modify or forge messages) even more powerful attacks are possible. These will be discussed in the routing section.

2.3 Coalitions, resources and mobility

In order to completely characterize a threat, it is useful to consider a few more aspects. The number of adversaries, or the size of the adversary coalition, is important, as well as the number of security contexts/identities they have. Denial of service and routing attacks become considerably more powerful with many colluders. For example, several adversaries could encircle a particular node, such that all paths to the node go through one of the adversaries. In that case, they can isolate that node from the rest of the network or mediate all traffic with the network, which can be useful if that node performs an important function, such as running the network’s intrusion detection system or key distribution center. The computation and communication resources of adversaries should also be considered. Certain cryptographic parameters such as key length may be sufficient against nodes that are in the network, but not against more powerful/special purpose devices an adversary may have. This could occur in a military sensor network, when the enemy has detected the network and sends a team with cipher-breaking tools and modern laptops. These would be several orders of magnitude more powerful than the 8- or 16-bit microprocessors that are often used in sensor nodes. Communications equipment can also be important. Adversaries with directional antennae may pick up communications far beyond the range of the devices themselves. With a high powered transmitter, an adversary might be able to reach every node directly, and therefore advertise itself as the shortest route to each node, ensuring that all network traffic may be observed. It may also be useful to consider the mobility of an adversary where limiting assumptions on speed or reachability of certain areas can be made.

3 Key Management

Key management is an extensively studied area of cryptology and many of its techniques can be applied to wireless ad-hoc networks. Although at this point few are specifically designed for it, some fit the unique constraints better than others. Key management’s goal is to establish a shared secret between all participating parties. There are several methods of achieving this, namely key predistribution, key transport, which includes arbitrated keying schemes, and key agreement.

Each of these has benefits and problems in the ad-hoc wireless setting. Key predistribution requires the least communication and computation to establish a common key; a node either has a key, or it doesn’t. However, since no common administrative control is assumed, it is much more likely that the appropriate keys are not preconfigured, hence secure communication is impossible. Arbitrated keying requires less prior configuration but more messages and computation. These protocols often require network synchrony and have a single point of failure in the arbitrator, which is not very practical for wireless ad-hoc networks. To circumvent this, the service may be distributed to several nodes (e.g. in [ZH99]), in which case more preconfiguration is required and some of the scheme’s benefits are lost. Replicated services also mean that more nodes need to be trusted as arbitrators, and create more targets for adversaries. The arbitrator often also has an extra communication or computation load, which may deplete its batteries. Infrastructure based wireless networks are more favorable to this approach, since access point service may be assumed to be continuous, and not as power or computation restricted. Finally there are key agreement protocols, which need the least amount of preconfiguration, but carry the highest communications load. This relation is conceptually presented in figure 1.

Figure 1: Number of messages or rounds vs. amount of preconfigured data for several keying strategies

3.1 Key management scheme properties

Key management schemes can provide several different services. Many of these properties come from Menezes, Vanstone and van Oorschot [MvOV96].

Key synchrony. A very basic property that says that all participants in the group keying scheme end up with the same key.

Key secrecy. Another very basic property that says no principal outside of the group may derive the group key.

Key freshness. A key is fresh if it is a newly computed key and has not been used before.

Perfect forward secrecy. A scheme provides perfect forward secrecy iff the compromise of some group key does not give the adversary an advantage in breaking any previous keys.

Back traffic protection. A scheme provides back traffic protection iff the compromise of some group key does not give the adversary an advantage in breaking any subsequent keys. This property is also known as resistance to known-key attacks.

Key independence. A scheme has key independence iff it has perfect forward secrecy and back traffic protection.

Contribution. A key management scheme is contributory if each member contributes a value to the group key. Contribution gives members some assurance of key freshness and secrecy.

Key authentication. Two different forms of key authentication are often named, implicit and explicit. Implicit key authentication provides that no entity except designated and known ones can gain knowledge of the key. Explicit key authentication includes proof that the desired parties actually have the intended key (key confirmation).

Key confirmation. Assurance that another party in a keying scheme actually has possession of a key. Usually done by encryption of a known quantity, i.e. nonce or challenge.

Entity authentication. Entity authentication provides assurances of the identity of participants in a keying scheme, usually also of their actual participation.

3.2 Predistribution

The earliest, simplest, and most efficient method for group keying is predistributed keying. Unfortunately it is also the least flexible and lacks some desirable properties. In predistribution keying, the group key is given to each member of the group prior to any secure group communication. Problems with this approach are that, once deployed, there is no facility or protocol to change a given key or to change group membership. Group members cannot be evicted (although they may graciously leave and delete their shared key), and new nodes cannot join. There is no facility to retire/refresh a key after a certain time or data limit. If the key is discovered by an outside party, or leaked by an insider, the security of the group communications is completely compromised. In more sophisticated predistribution schemes, subgroup keying is supported, i.e. a subgroup of the total group can compute a key for the subgroup, which members outside this group cannot compute. This trades off computational complexity for flexibility. Blundo et al. [BSH+98] establish an information theoretic lower storage bound of $\binom{k+t-1}{t-1}$ times the key size per user for k-secure t-conference schemes, i.e. a subgroup of t members being secure against collusion of k other members. These approaches are much better suited for ad-hoc networks as they can exclude nodes from key groups without any necessary communication. The problem that remains is that of no common administrative domain, so the scheme would have to be set up at the formation of the ad-hoc network. This requires that all nodes are present at formation time, unless blank nodes are included in the scheme, whose information could be transmitted to them at join time. It also requires the election of a trusted group leader to generate the scheme and distribute the pieces. This is likely to be a computational and energetic burden, and the necessary trust may not always be established. Blundo’s bound extends the prior result of Blom [Blo85] on j-secure keying.

Predistribution schemes are non-contributory, but have implicit authentication. As they have no facility for rekeying, key independence and related concepts do not apply.
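A worked instance of the subgroup-keying predistribution just discussed: Blom's k-secure scheme, the pairwise (t = 2) case of the Blundo family. This is an added example, not code from the survey or from [Blo85]. A dealer hands out one private row per node at formation time, after which any two nodes compute their pairwise key with no messages at all; the field prime P, the collusion threshold k and the node ids are constructed for the example.

```python
"""Blom's k-secure key predistribution, pairwise case (added example).

Not code from the surveyed paper or from [Blo85]. A trusted dealer, at network
formation time, hands every node one private row; afterwards any two nodes
derive a shared key locally with no communication and no online server. Up to
k other nodes together learn nothing about that key; k + 1 colluders recover
the dealer's matrix, which is the collusion bound the text refers to. The field
prime, k and the node ids are constructed for the example.
"""
import secrets

P = 2**61 - 1  # prime field GF(P); constructed choice, not from the paper


def public_column(node_id: int, k: int) -> list:
    """Public Vandermonde column G_id = (1, id, id^2, ..., id^k) mod P."""
    return [pow(node_id, i, P) for i in range(k + 1)]


def dealer_setup(node_ids: list, k: int, rng=secrets.randbelow) -> dict:
    """Dealer picks a random symmetric (k+1)x(k+1) secret matrix D and gives
    node i the row A_i = (D * G_i)^T. D is discarded after setup; only the
    rows are deployed. Returns {node_id: private_row}."""
    size = k + 1
    D = [[0] * size for _ in range(size)]
    for r in range(size):
        for c in range(r, size):
            D[r][c] = D[c][r] = rng(P)  # symmetry of D is what makes K_ij == K_ji
    rows = {}
    for nid in node_ids:
        g = public_column(nid, k)
        rows[nid] = [sum(D[r][c] * g[c] for c in range(size)) % P for r in range(size)]
    return rows


def pairwise_key(my_row: list, peer_id: int, k: int) -> int:
    """K(me, peer) = A_me . G_peer = G_me^T D G_peer, computed by each node
    on its own from its private row and the peer's public id."""
    g = public_column(peer_id, k)
    return sum(a * b for a, b in zip(my_row, g)) % P


def demo(k: int = 2, node_ids=(11, 23, 37, 58)) -> dict:
    """Deploy rows to four constructed node ids and derive every pairwise key
    from both ends, checking key synchrony on the way."""
    rows = dealer_setup(list(node_ids), k)
    keys = {}
    for a in node_ids:
        for b in node_ids:
            if a < b:
                k_ab = pairwise_key(rows[a], b, k)
                k_ba = pairwise_key(rows[b], a, k)
                assert k_ab == k_ba, "both ends must derive the same key"
                keys[(a, b)] = k_ab
    return keys
```

Each node stores k + 1 field elements, matching the $\binom{k+2-1}{2-1} = k+1$ storage bound for t = 2. The trade-off the text describes is visible in the code: raising k costs every node more storage and a longer dot product, and the dealer (the elected group leader) has to be trusted with D and present when rows are issued.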

3.3 Key Transport

Key transport occupies a middle ground between key predistribution and agreement. Instead of setting up all keys in advance (which requires advance knowledge of all communicating parties), keys are generated by one of the communicating parties and transported to the rest. The simplest method assumes a shared secret to already exist between the parties. This shared secret is used as a key encrypting key (KEK): one party creates a new key, encrypts it using the KEK and sends it to the other parties. Since they share the KEK, they can decrypt the packet and use the decrypted key for further communication with the source and each other. This method has a few flaws. A prior shared secret (the KEK) cannot usually be assumed to exist, and the scheme begs the key question. The key generator and distributor must be trusted. The scheme has no forward secrecy or back traffic protection if the KEK is discovered or leaked outside the group. The prior secret problem may be solved by a key agreement protocol, at which point this scheme becomes feasible, but the other two problems remain. Nonetheless, the scheme requires few messages to be sent, little computation, is easy to implement, and provides implicit key authentication. Running multiple versions of this scheme and combining all keys together increases communication complexity but can provide key contribution and freshness (based on one’s own contribution). Authentication and message replay protection can also be added to the scheme. If a public key infrastructure (PKI) is present, key transport can be implemented by encrypting a chosen key with all the recipients’ public keys. This requires valid certificates from a trusted certification authority, which is another shaky assumption in ad-hoc networks without common administration. It may be useful to have all nodes share the same keypair to avoid multiple asymmetric encryptions. Public key schemes also require more computation and energy than symmetric schemes. They provide implicit key authentication, integrity and non-repudiation (if no keypairs are shared). Beller and Yacobi [BY93] show a more interesting scheme based on PKI availability. Their scheme allows for a resource disparity between two parties in a key transport setting. Their scheme utilizes the computational differences between RSA and ElGamal encryption/verification (public) and decryption/signing (private), since with carefully chosen parameters RSA public and ElGamal private operations are significantly cheaper. The resulting scheme can have mutual or unidirectional (the key distributor) entity authentication, and mutual or unidirectional (the key receiver) explicit key authentication.

A secret can also be transported without the need for prior keys. This scheme is based on commutative¹ encryption schemes. A node A can select a key K to share with another node and encrypt it under another randomly generated key r_a. Node B would receive this quantity, generate its own random key r_b, encrypt it and send it back to node A. Node A decrypts the quantity using r_a and sends the result to B. B decrypts it using r_b and recovers K. The exchange takes 3 messages and 4 encryptions/decryptions. An example of a commutative encryption is exponentiation mod p, where decryption is done by exponentiating with the inverse. For such a scheme, a public prime p must first be agreed upon. Another commutative scheme, XOR, is a poor choice for this scheme. If XOR is used, the XOR of all three messages yields the secret key. The scheme is known as Shamir’s no-key or three-pass protocol. It provides no authentication, but, if keys are chosen randomly, key independence. Multiple iterations leading to a combination key can also provide contribution.
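The three-pass exchange above, with both parties' messages, as an added example (not code from the survey). Exponentiation mod p is used as the commutative cipher, and the XOR variant is included so that the failure the text names, that the three XOR messages combine to the key, can be checked directly. The public prime P, the sample key and the exponents are constructed for the example; each exponent must be invertible mod p - 1 so that exponentiating with its inverse undoes it.

```python
"""Shamir's no-key (three-pass) protocol, worked example (added illustration).

Not code from the surveyed paper. Plays both sides of the exchange with
exponentiation mod p as the commutative cipher, and shows why XOR, although
also commutative, is a poor choice: an outsider who records the three XOR
messages recovers K by XORing them. Prime, key and exponents are constructed.
"""
import math
import secrets

P = 2**127 - 1  # public prime agreed on beforehand (constructed choice)


def random_exponent(p: int = P) -> int:
    """Random exponent e with gcd(e, p-1) == 1, so e has an inverse mod p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e


def three_pass_exponentiation(key: int, ra: int = None, rb: int = None, p: int = P):
    """A transports `key` to B with no prior shared secret.
    Returns (key as recovered by B, the three messages seen on the air)."""
    if not 1 <= key < p:
        raise ValueError("key must be in [1, p-1]")
    ra = ra if ra is not None else random_exponent(p)
    rb = rb if rb is not None else random_exponent(p)
    if math.gcd(ra, p - 1) != 1 or math.gcd(rb, p - 1) != 1:
        raise ValueError("exponents must be invertible mod p-1")
    ra_inv, rb_inv = pow(ra, -1, p - 1), pow(rb, -1, p - 1)

    m1 = pow(key, ra, p)             # A -> B: K^ra, K locked under A's exponent
    m2 = pow(m1, rb, p)              # B -> A: K^(ra*rb), B adds its own lock
    m3 = pow(m2, ra_inv, p)          # A -> B: K^rb, A removes its lock (commutativity)
    recovered = pow(m3, rb_inv, p)   # B removes its lock and holds K
    return recovered, [m1, m2, m3]


def three_pass_xor(key: int, ra: int, rb: int):
    """Same three-pass structure with XOR in place of exponentiation."""
    m1 = key ^ ra
    m2 = m1 ^ rb
    m3 = m2 ^ ra
    recovered = m3 ^ rb
    return recovered, [m1, m2, m3]


def xor_variant_leaks_key(messages: list) -> int:
    """What an eavesdropper learns from the XOR variant: m1 ^ m2 ^ m3 == K,
    because ra and rb each appear an even number of times and cancel."""
    return messages[0] ^ messages[1] ^ messages[2]
```

The exponentiation variant keeps K hidden from a passive observer only under the discrete-log assumption for the chosen p, and, as the text says, it offers no authentication at all: an active adversary can run the same three passes with either party.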

3.4 Arbitrated protocols

A number of arbitrated group keying protocols have been developed, both using symmetric and asymmetric techniques to establish the shared key. Arbitrated conference keying schemes make use of an arbitrator to create and distribute keys. Arbitrated schemes are usually key transport schemes, i.e. the arbitrator creates and distributes the key to be used by the requesting party(ies). The arbitrator is often called the key distribution center or KDC and arbitrated group keying protocols are sometimes called KDC protocols. Needham and Schroeder provided the baseline for these in their protocol [NS78]. It provides entity authentication through the trusted third party and key confirmation. Needham-Schroeder had a replay vulnerability which Kerberos [NT94] fixed through timestamps and key lifetimes. Kerberos also has an option to allow for key contribution, which could be used to guarantee freshness; however, all communicating parties must support the option. Otway-Rees [OR87] is a different arbitrated keying protocol that provides key authentication and freshness but lacks entity authentication and key confirmation. Given a PKI, these schemes can also be implemented using public key cryptosystems. These provide finer grained authentication, integrity and non-repudiation at a substantial computational cost.

¹ composable and independently reversible

In ad-hoc networks arbitrated protocols suffer from the problem that the KDC needs to be online and accessible whenever two devices want to initiate communication. Where nodes may move out of range or power down for energy conservation, this is a difficult service to provide. In a hostile environment, the KDC is also a prime target for attack, be it compromise, denial of service or otherwise. Zhou and Haas [ZH99] therefore suggest that the keying service be distributed and based on threshold cryptography, which is theoretically feasible but likely to be cost prohibitive on resource constrained devices.

3.5 Key agreement

Group key agreement schemes are mostly based on asymmetric techniques. By definition of key agreement, they need to be contributory, i.e. each group member contributes a part to the shared secret and therefore has an assurance that the secret is fresh. Key agreement started out with Diffie and Hellman’s protocol based on discrete logarithms. This scheme can be run for every pair of nodes in a group, and all keys subsequently combined into a group (or a subgroup) key, but this creates n − 1 modular exponentiations per node, and to support subgroups n − 1 keys must be maintained. A different approach is to include all nodes in the protocol to generate the group key as the public generator exponentiated by each member’s contribution. This scheme requires synchrony, and the protocol may fail if a member node fails before its share is added. Tsudik et al. have developed a set of protocols based on this extension of DH called CLIQUES [STW98]. Different protocol versions distribute computation and communication load differently. An earlier protocol by Burmester and Desmedt [BD95], also based on discrete logs, creates the group key by multiplication instead of exponentiation of the individual shares. This requires less computation. Later, Just and Vaudenay [JV96] add authentication to the BD scheme and generalize it to operations other than multiplication to generate the group key.
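The Burmester-Desmedt construction mentioned above, worked through for a small group as an added example (not code from the survey or from [BD95]). It shows the two broadcast rounds, the multiplication of published values that replaces chained exponentiation, and the synchrony requirement: every member's share has to be in before anyone can finish. Prime, generator and the members' secret shares are constructed for the example, and, as in the original BD scheme, the broadcasts are not authenticated.

```python
"""Burmester-Desmedt group key agreement, worked example (added illustration).

Not code from the surveyed paper or from [BD95]. Every member contributes a
random share r_i, there are two broadcast rounds, and the group key is formed
by multiplying the members' published values, so each member performs a
constant number of modular exponentiations instead of n - 1 pairwise
Diffie-Hellman runs. Prime, generator and shares are constructed; there is no
authentication of the broadcasts, as in the original scheme.
"""
P = 2**127 - 1  # public prime (constructed choice)
G = 7           # public generator (constructed choice)


def round1(shares: list, p: int = P, g: int = G) -> list:
    """Round 1: member i broadcasts z_i = g^{r_i}."""
    return [pow(g, r, p) for r in shares]


def round2_value(i: int, r_i: int, z: list, p: int = P) -> int:
    """Round 2: member i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}, indices mod n."""
    n = len(z)
    ratio = z[(i + 1) % n] * pow(z[(i - 1) % n], -1, p) % p
    return pow(ratio, r_i, p)


def member_key(i: int, r_i: int, z: list, X: list, p: int = P) -> int:
    """Member i computes K = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}.
    Only r_i is private to i; every other input was broadcast."""
    n = len(z)
    key = pow(z[(i - 1) % n], n * r_i, p)
    for j in range(n - 1):
        key = key * pow(X[(i + j) % n], n - 1 - j, p) % p
    return key


def expected_key(shares: list, p: int = P, g: int = G) -> int:
    """Closed form every member converges on: g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}."""
    n = len(shares)
    return pow(g, sum(shares[i] * shares[(i + 1) % n] for i in range(n)), p)


def run_group(shares: list) -> list:
    """Run both rounds for all members and return each member's derived key.
    All shares must be present before round 2 finishes; a member dropping out
    between the rounds forces a restart, which is the synchrony requirement."""
    z = round1(shares)
    X = [round2_value(i, r, z) for i, r in enumerate(shares)]
    return [member_key(i, r, z, X) for i, r in enumerate(shares)]
```

Changing any single share changes the key, which is the contributory freshness property the text attributes to key agreement; the per-member cost is two exponentiations in the rounds plus n small-exponent multiplications at the end.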

3.6 Group EKE and robust GDH

In a paper on ad-hoc key management, N. Asokan and Philip Ginzboorg[AG00] present and analyze an ad-hoc group keying scenario and suggest several approaches to solutions. Their motivating scenario is a meeting of a small number of people with wireless devices in one location without any assumed prior contact or common administrative control, who want to establish a secure group session among themselves. They note that the simple solution of letting users directly pick a shared secret key is unsatisfactory for user interface reasons and discuss the specific services an assumptionless ad-hoc network misses: topological services, infrastructure information services and common administrative services. Asokan and Ginzboorg suggest a new criterion for access control: (relative) location. As a solution to the location problem they offer mapping location to IP addresses and using protocols such as IKE and certificates to verify the binding of key to IP address. They note that a trusted third party with knowledge of the participants’ location could implement location based access control, and that a physically more secure method (such as wire or infrared) may be used to establish a shared secret before switching to wireless (RF) mode. These services, though, require assumptions that Asokan and Ginzboorg aren’t willing to make for their general case. They discuss human chosen shared secrets, which are expected to be weak, since humans tend to use natural language phrases, which have high redundancy. They claim a need to develop a strong shared secret from such an initial weak secret, and discuss desirable properties of such a scheme: perfect forward secrecy, contributory key agreement, tolerance to insertion. The authors cite Bellovin and Merritt’s EKE protocol and show ways of extending the protocol to groups. One such way, electing a group leader that establishes a strong secure connection with each member and picks a common key, violates the contributory property. The scheme they propose elects a leader that collects random information (nonces) from all clients and distributes it to them under the weak key they have chosen. The group key is a hash of the concatenation of all the secrets.
In their analysis the authors suggest that any quantity to be encrypted under the weak initial shared secret be random, not a well known public key. This may require some computational effort from the node. They note that the initial public key may be transmitted in the clear, however it then lacks the weak secret to authenticate it. They cite additional steps in the protocols to convince the participants that some public key E is indeed a well formed public key of a particular asymmetric cryptosystem. Next the authors present a multi-party version of the password authenticated DH key agreement protocol, and a fault tolerant extension that establishes shared keys between groups that grow by a power of 2 for each round. They cite a method to extend the scheme to group sizes other than powers of 2, show a scheme to resolve failures in the rounds of the protocols, analyze its complexity and add a scheme to order nodes. Asokan and Ginzboorg move on to discuss security in ad-hoc networks in general and note that there are problems, which have not been solved in infrastructured networks, that may obstruct solving security problems in ad-hoc networks. They add that ad-hoc networks should only be infrastructureless in an extreme case, and note that the different scenarios should be identified. Concluding, they note that password based schemes are utilized in Bluetooth, and that their scheme may be used to improve on that scheme. They note work by others that may extend theirs: work on group membership changes, synchrony and resilience to benign faults.

3.7 Threshold cryptography

Zhou and Haas[ZH99] explain their notion of a multihop wireless ad-hoc network and identify potential users. They list the security services necessary to secure these networks: availability, integrity, authentication and non-repudiation. The authors define these terms and move on to describe the special characteristics of mobile wireless ad-hoc networks. They note that the transmission medium is easily accessed, mobile units are subject to compromise and theft, that topology, group membership and trust are dynamic, and that network size may range in the thousands of nodes. Zhou and Haas argue that while traditional security mechanisms are necessary for achieving security in ad-hoc wireless networks, they are not sufficient. They claim that the tools that will bring security to the networks are redundancy and distribution of trust. Physical and link layer attacks are not addressed; the authors state that physical layer defenses have been extensively studied. Zhou and Haas first discuss secure routing. Threats to routing can come from two sources, inside and outside the network. Both can generate false routes, replay old routes, drop/jam route exchanges, but signatures do not defeat insiders. Detection of compromised/malicious nodes through routing information is difficult, since the topology is highly dynamic and changing in unpredictable ways. The authors argue that therefore there needn’t be a distinction between false routes and outdated routes: when a route fails, the sender should simply use an alternate or follow protocol rules to establish a new route. Zhou and Haas also add that diversity coding[AGM93] can be used to exploit redundant routes and avoid retransmissions. Key management is discussed next. Zhou and Haas suggest using a PKI for its easier key distribution, integrity and non-repudiation. After a session key is agreed upon using public key methods, a secret key scheme will be employed to protect traffic. Each node has a public/private key pair, and a trusted CA needs to reside in the network to bind keys to nodes. The CA has to be constantly online and its private key may not be compromised. Both of these properties are hard to achieve in a mobile wireless ad-hoc network, hence the authors suggest replicating the service and distributing the trust. They choose a set of servers to participate in the CA service. Each of those must have the public keys of all the other nodes in the service, such that they can communicate securely. The whole service then has a public/private key pair, which is split according to an (n,k) threshold cryptography scheme, where n nodes participate in the service, but only k nodes are needed for any single transaction to succeed. Hence the service tolerates the compromise of k-1 nodes without failure, even though more than one iteration of the protocol may need to be used. The method allows the scheme to tolerate asynchrony. In order to defend against more than k-1 servers being compromised over time, Zhou and Haas suggest a proactive scheme that periodically refreshes the shares of participant servers with new shares independent of the old ones. They also mention a scheme which allows itself to be reconfigured to another (n’,k’) scheme. In related work, the authors discuss secure routing and replicated services.
They cite a number of routing papers proposing schemes to provide authenticity and integrity for routing information, protect routing information under byzantine failures, and discuss compromised routers. In replicated services, they cite Rampart, but deem it unsuited for mobile wireless networks for lack of synchrony and for performance reasons. They mention a scheme in which a KDC is distributed among a group of servers, where each server and client share a secret key, and the Phalanx system, a quorum data repository tolerating byzantine failure. Lastly, they mention a scheme that removes compromised servers from the service in a three phase protocol. They claim that none of these schemes tolerate server-hopping adversaries, that they do not scale,

and some don’t consider establishing shared secrets presumably chooses the right tool for the sitbetween participants. uation, but the continuous assessment of the situation incurs another level of overhead. Concluding, Zhou and Haas note that they analyzed threats to mobile wireless ad-hoc networks and identified the services necessary to achieve se- Hierarchial When the network is organized hierarchially, such as in different clusters, different curity. They state that secure routing and key protocols can be used in different clusters or at management are essential to providing other secudifferent levels of the hierarchy, depending the rity services. They also mention that a prototype particular environment’s characteristics. The of the key management system has been built and organization can also be set up according to deemed feasible. the characteristics of various parts of the network. Hierarchial protocols can have the desireable property of containing network prob4 Routing lems to a subtree of the entire network while leaving the rest untroubled. The disadvanRouting as well as link layer security issues have tage to segmenting the network into separate been largely ignored in protocol designs. Incidenclusters is that the interfaces between them, tally, wireless ad-hoc networks differ from wired sometimes called cluster heads, become critinetworks precisely in link and network layers. cal infrastructure and the network depends on them.

4.1

Routing protocols

The IETF MANET working group is working on several draft routing protocols to manage routing in ad-hoc networks. Roughly, they fall into the following categories:

Many ad-hoc routing protocols have been proposed, e.g. DSR, FSR, DSDV, TORA, ZRP, AODV, OLSR, TBRPF, etc. Many of them are still under development, and some new ones are still being proposed. To go into any detail for each of those protocols goes beyond this survey. Instead, we note that all of them currently ignore routing security after assuming a shared link-layer key which keeps outsiders out of the network, and focus on vulnerabilities of ad-hoc routing protocols in general.

Proactive Proactive schemes try to keep up to date with the topology and routing information in the network. This leads to low latencies and good routes, since the best path, according to the protocol’s metric, should always be known when the node wishes to send a packet. In MANETs, however, this can be difficult and expensive because the information may 4.2 Routing attacks change frequently. Routing attacks aim at interfering with the function of the routing protocol: discovering and mainReactive Reactive schemes only discover routing taining routes to all desired destinations. All routinformation as it is needed, or on-demand. ing attacks rely on appropriate use and composiThis greatly reduces the routing overhead in- tion of several basic attack techniques: curred by proactive protocols at the expense of higher latencies, when routes to a requested Packet interception A malicious node may destination must be discovered before packets eavesdrop on packets not destined for itself can be sent. It can also cause longer routes, and gain various information from it, such as since reactives schemes will continue to use an existence or adjacency of nodes. This is a pasestablished route as long there are no errors, sive attack that is very difficult to detect and even if a shorter route appears later due to prevent. changes in the topology. Packet dropping A malicious node dropping Hybrid Since ad-hoc network can exhibit quite a routing messages could prevent a node from range of topology behavior, routing schemes knowing that another node has become uncould adapt to a current state of the netreachable, and therefore could still receive work, precomputing routes when mobility is traffic destined for it. If it is situated on the low, and waiting for send requests to initiate optimal path between a sender and receiver, route discovery when mobility is high. This a malicious node can force the use of another

route by dropping route discovery packets. In Host resource attack An attacker can try to excertain protocols the malicious node can prehaust a resources of a node through the routvent sender and receiver from communicating ing protocol. Targeted resources could be the at all. CPU or the battery, if the routing protocol contains CPU- and/or energy-intensive operPacket replay If a node isn’t able to forge or even ations like signature verification. Or the redecrypt packets, it may still replay old, outsources could be routing protocol resources, dated messages and hope to confuse the routsuch as buffers or routes. Buffers can be exing protocol or achieve goals similar to forged hausted, and false routes can be continuously messages. In order to replay messages, they be advertised so that they push all legitimate just need to be observed. Position any path is routes out of other node’s route tables. Most not necessary, although it may be necessary to denial of service attacks fall under this catebe in transmission range of the recipient when gory. replaying the message. Route failure A malicious node can cause a cerPacket modification A malicious node may tain route to fail by modifying to use nonexiscause route requests or errors to fail by droptent hops or by dropping its packets. In some ping or modifying the messages. If this is succases one or more instances of this attacks can cessful, and node may think another is unpartition networks that are not actually disreachable when it is. It may also try to fill connected. routing tables with false information. In order to modify a packet, the packet must pass Protocol attacks An adversary can also attack through the malicious node. Is it not enough the routing information available to the routto observe it. ing protocol and prevent it from learning correct information about routes and topologies Packet forgery Forgery is a stronger form of such that a coherent picture of the network modification. 
It does not require being in a cannot be created. In some protocols routing path between sender and receiver, nor is it loops can be created and packets follow the necessary for a packet to be sent by either loop until their lifetime expires. sender or receiver. A malicious node may forge routing information, either to misroute These routing attacks are one of the reasons that packets to wrong nodes, to artificially congest simply using IPSEC at the network or transport a certain node or part of network, to route layer does not protect ad-hoc networks from capackets through itself and inspect, modify or pable adversaries. We omit the ubiquitous buffer drop them, or to simply fill up all the slots in overflow problems that plague many pieces of sysother nodes’ routing tables. tem software, and are likely to be found in nonOn/Off path In a wireless ad-hoc network nodes security-conscious implementations of routing procan move around, and it is sometimes advanta- tocols. geous for a malicious nodes to interpose themself between (i.e. on the shortest path) two 4.3 Routing Security Schemes nodes that are targets for attacks. Routing security has been most noted by its abUtilizing these basic techniques, one or more ma- sence early in the discussion and research on ad-hoc licious adversaries can implement several different routing protocols. Since then several ad-hoc routattacks on the routing system and lower layers ing protocols that include some security services have been proposed: Ariadne, ARAN, SEAD and (host resources): SRP. Another paper does not present a routing Network congestion Routes are manipulated scheme but methods to identify malicious nodes through modification or forgery such that and mitigate their impact. a specific node or part of the network becomes congested, loses packets and through4.3.1 Watchdog and Pathrater put drops. 
Alternatively, many routing control or update messages can sent to force other A paper by Marti, et al.[MGLB00] introduces two nodes to respond and send their own updates new techniques extending DSR[JMHJ01] to help such that routing messages drown out higher mitigate routing failures and attacks in ad-hoc netlayer layer traffic. works. In particular, the paper suggests verifying

that the next node in the path continues to propagate the packet on its intended route, and keeping such routing statistics to base further routes on. For their scheme to work it is thus necessary to have a source-routing option. The first scheme, termed watchdog, makes use of a property of wireless networks: if node B is in node A’s transmission range, then A is usually also in B’s transmission range. Asymmetric links break this scheme. If A forwards a packet to B to be forwarded to another node C, A can listen for B’s transmission to C. A knows that the packet is destined for C, since the protocol is source routed, i.e. the path is carried in the packet. Watchdog has the following limitations: collisions at the verifier or receiver can lead the watchdog to wrong conclusions, malicious nodes can generate false positives (accuse a good node of dropping packets), collusions are possible, and the drop rate can be kept just under watchdog’s threshold rate. Collisions at the verifier can cause it to miss that a packet has been transmitted. Collisions at the receiver can cause the verifier to believe that a packet has been transmitted when it hasn’t. A malicious node can send notice that the next node in the path is bad to the sender of the packet. If the next node isn’t dropping packets, an ACK or reply will come back on the path that the malicious node claims is dropping packets. Therefore a malicious accuser may be found out. Two consecutive nodes may collude so that the second node drops packets, while the first node doesn’t report this to the sender. The sender can’t use the route, but it is not sure which nodes to avoid. Due to collisions and other sources of error, watchdog has a threshold of dropped packets per time period after which it will conclude that a node is dropping packets. A malicious node can stay right under that threshold and avoid detection; however, with this method watchdog enforces a minimum bandwidth for the node.
Pathrater, the second scheme, maintains a per node reliability score. In order to determine the route to an intended recipient, for each path to the destination the reliability score of its nodes is averaged, and the highest is chosen. It is not stated how ties are resolved, but presumably this is done by path length. When pathrater learns about a new node, it assigns a default value of 0.5. Pathrater divides time into epochs of 200ms and increments the reliability score of each node on a path on which a packet has been sent in this epoch by 0.01. The maximum value a node can attain thereby is 0.8. If a link/routing failure is detected, the reliability score of the node in the path which cannot be reached is decremented by 0.05 down to a minimum of 0. Malicious nodes identified by watchdog are assigned a reliability score of -100. A reset timer on malicious nodes is suggested, but has not been studied. The rest of the paper focuses on the performance of the schemes under various conditions.
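The pathrater rules just described, as an added example that is not code from Marti et al. or this survey; the tie-break by path length and the rule that a node flagged by watchdog is never credited again are this example's assumptions:

```python
"""Pathrater-style reliability scores and route selection.

Added example, not code from Marti et al. or this survey. The constants
follow the text (default 0.5, +0.01 per 200 ms epoch for each node on a
path used in that epoch, cap 0.8, -0.05 per failure with floor 0, -100
for nodes flagged by watchdog). Two details the text leaves open are this
example's assumptions: ties are broken by path length, and a node rated
-100 is never credited again (the suggested reset timer is not modelled).
"""
DEFAULT_RATING = 0.5
EPOCH_MS = 200
CREDIT = 0.01
MAX_RATING = 0.8
PENALTY = 0.05
MIN_RATING = 0.0
MALICIOUS_RATING = -100.0


class Pathrater:
    """Ratings kept by one source node. A path lists the nodes after the
    source, destination included, in hop order."""

    def __init__(self):
        self.ratings = {}
        self.credited_epoch = {}   # node -> last epoch it was credited in

    def rating(self, node):
        """Unknown nodes start at the default rating."""
        return self.ratings.setdefault(node, DEFAULT_RATING)

    def packet_sent(self, path, time_ms):
        """Credit each node on a used path once per 200 ms epoch, capped."""
        epoch = time_ms // EPOCH_MS
        for node in path:
            r = self.rating(node)
            if r == MALICIOUS_RATING or self.credited_epoch.get(node) == epoch:
                continue
            self.credited_epoch[node] = epoch
            self.ratings[node] = round(min(r + CREDIT, MAX_RATING), 2)

    def link_failure(self, node):
        """The node in the path that could not be reached loses 0.05."""
        r = self.rating(node)
        if r != MALICIOUS_RATING:
            self.ratings[node] = round(max(r - PENALTY, MIN_RATING), 2)

    def watchdog_report(self, node):
        """Watchdog observed the node dropping packets."""
        self.ratings[node] = MALICIOUS_RATING

    def path_score(self, path):
        """Average rating of the nodes on the path; one -100 node sinks it."""
        return sum(self.rating(n) for n in path) / len(path)

    def choose_route(self, paths):
        """Highest average wins; the shorter path breaks ties (assumption)."""
        return max(paths, key=lambda p: (self.path_score(p), -len(p)))


if __name__ == "__main__":
    # Constructed scenario: two candidate routes from the source to D.
    pr = Pathrater()
    via_bc, via_e = ["B", "C", "D"], ["E", "D"]
    print(pr.choose_route([via_bc, via_e]))        # tie -> shorter: ['E', 'D']
    for t in (0, 200, 400):
        pr.packet_sent(via_bc, t)
    print(pr.choose_route([via_bc, via_e]))        # used route now rates higher
    pr.watchdog_report("B")
    print(pr.choose_route([via_bc, via_e]))        # flagged node sinks via_bc
```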

4.3.2 Ariadne

Hu et al.[HJP01] also aim to address routing security and introduce a new routing protocol, Ariadne, based on unoptimized DSR. They introduce DSR and outline its vulnerabilities. In this they describe wormhole attacks, in which two colluding nodes establish a private, possibly out-of-band, channel between them and modify routes to go through this link or covertly forward information over it. In our classification we view this as a special case of the route modification attack. They also introduce an adversary model based on the number of adversaries and whether they possess cryptographic keys (byzantine failures) or not. The authors note that most other protocols simply require a single MAC-layer key, which gives no protection against byzantine failures. Therefore Hu et al. require each pair of nodes to share a unique predistributed secret. This secret seeds a PRNG that generates directional confidentiality and integrity keys between each pair. They do not provide a method for generating or distributing these pairwise secrets, though they consider a KDC-based scheme in the appendix. Further, each node has a TESLA broadcast authentication key chain. Also assumed is time synchronization with a bounded clock difference. Even though confidentiality keys are set up, they are not explicitly used in the Ariadne protocol. The protocol relies on the integrity/authentication keys and the TESLA authentication scheme by Perrig et al.[PSTC00]. Messages are sent with authentication codes under the TESLA keys, which are generated from a reversed one-way function chain. Each key is valid for a certain time interval and is disclosed (upon request) only after the time interval is finished and the key is invalid. This introduces a delay into MAC verification.
In the basic Route Discovery message defined by the scheme it turns out that only the final receiver can authenticate the source’s original message, since the authentication key used by the source is a secret between source and destination. This allows attackers to flood the network with false routing requests to consume bandwidth and energy. The source also sets a hash chain to a value computable only by source and destination and chooses a time interval, which is a conservative estimate of the arrival time at the destination. On intermediate hops TESLA authentication is used. Intermediate nodes append their identity to the packet and the hash chain and authenticate the packet with the TESLA key of the arrival time interval chosen by the sender. These TESLA-MACs are also not verified by the intermediate nodes. This avoids the penalty of waiting for at least the next time interval at each hop and allows for route authentication at the destination, but it permits fake or spurious requests to propagate to the destination, and the destination actually does not verify the intermediate TESLA-MACs, but leaves this to the source upon receipt of the Route Reply. Instead, the destination checks the hash chain and makes sure that the intermediate MAC keys have not been disclosed yet, and commits them by signing the MAC list with the destination-source secret. On return through the same path, the intermediate nodes must wait if the time interval specified by the source has not expired, then add their TESLA key for that interval to the Reply packet such that the sender can then verify the MACs of the outgoing Request packets. Even though these keys may now be known throughout the network, new signatures cannot be inserted, because the destination committed them in the Reply. To successfully modify the Reply packet, the original authenticator must still hold, and the work factor of such an attack is equivalent to forging the MAC without knowledge of the key. Route Error packets work similarly, except that no end-to-end keys are used since Route Errors are one-to-many instead of one-to-one communication. Hu et al. then address that outgoing Route Requests are unauthenticated, and can therefore be flooded into the network to waste bandwidth. In a pre-publication version of the paper the TESLA mechanism was deemed too expensive due to the time delay.
That version of the paper advocated a Merkle and Winternitz[Mer87] one-time signature scheme as an additional authentication mechanism for intermediate nodes. The scheme works much like TESLA, except there is no time-delay disclosure and it requires more key material to be set up a priori. Each MW-key can only be used once; its first usage already ends the usage period, so it need not be withheld anymore. In the published version of the paper TESLA is suggested as a viable authentication mechanism, either in the regular time-interval manner, or as a one-time signature scheme where the time interval is zero.

The possible attacks of adversaries against Ariadne are considered next. An active adversary can create or modify packets, but as she lacks the proper authentication keys, these will be dropped by other nodes. Multiple active adversaries can create a wormhole attack, and Ariadne lacks a defense against this attack, because the cited solution requires a stronger time synchronization. An attacker with the key material of a single node can create bogus Route Requests to flood the network. The authors suggest that Route Requests be rate limited in such a case. Multiple attackers with single key material can create a wormhole attack that TIK does not defend against. As a remedy, authenticated GPS coordinates could be used to thwart this attack. Multiple attackers with multiple keys can insert nodes into routes and create routing errors this way. Ariadne also considers attackers that control a vertex cut of the network. As TESLA authentication keys are eventually disclosed by their holder, vertex cut attackers can drop Route Requests signed with one-time signatures from one side of the network, wait until the keys are revealed and then masquerade as these nodes on the other side of the network.

4.3.3 ARAN

ARAN[DLRS01] (Authenticated Routing for Ad-hoc Networks) is more an authentication scheme than a routing protocol. It relies on public key certificates and trusted common certificate authority/ies to provide this authentication. It roughly defines a path discovery method, but does not specify how routing information is kept in the packets nor at the nodes (e.g. by full source route or next hop). ARAN defines two levels of authentication, an end-to-end authentication service which includes hop-by-hop authentication for only the current hop (previous ones are discarded), and an all-to-end authentication service (Shortest Path Confirmation), in which all hop-by-hop authentications are retained and the packets are also reencrypted under the destination’s public key. In both cases the relevant certificates are included in the packet; two certificates for the end-to-end case, n for the all-to-end case, where n is the number of nodes the packet has visited. Certificates, particularly of the X.509 kind, are often large, e.g. several kilobytes in size, which is a huge packet overhead and consumes much energy for transmission. This makes both methods quite expensive for energy constrained devices, as are often found in ad-hoc networks.

Computationally both methods are about equal: End-to-end authentication involves a signature verification (public key operation) and a signature generation (private key operation) at each hop. All-to-end authentication uses a signature generation (private key operation) and an encryption (public key operation). In all-to-end authentication, the encryption is done after the signature. This has the effect that the packet cannot be authenticated until the destination is reached. A better way to do this would be to reverse the protections, i.e. to encrypt under the destination’s public key first, then to sign it with the node’s private key. This would add another signature verification to each hop, but it would prevent adversaries from propagating huge unverifiable packets throughout the network. The information revealed by encrypting before signing is minimal; it merely shows where the packet immediately came from, which should be provided by the link layer anyway. Both methods use a nonce and a timestamp to prevent replay; packets are rejected if a nonce appears twice with the same timestamp. Time synchronization is not addressed, but it is not clear that the network needs to be tightly synchronized, as storage of nonces can be traded off against tight synchronization. Properly used, ARAN prevents modification and masquerading attacks. The end-to-end method does not prevent addition or deletion of nodes in a Route Discovery, but prevents unauthorized nodes from flooding the network with Route Discoveries. The all-to-end method (SRC) prevents addition or deletion of nodes in the route, because the nodes do not have plaintext access to the route, but allows unauthorized flooding of the network with large packets. ARAN also includes a signed route error message. The message specifies a broken route between source and destination rather than a broken link between two (previous) neighbors. It is not clear why.
The error message is also specified to contain the certificate of the recipient node. This is likely a typo as it is useless, and sending the certificate of the error reporting node would be in step with the rest of the messages. ARAN also does not specify what is done upon receipt of a route error. It is conceivable that a malicious insider sends a route error for a route it is not part of. This should be verified by the recipient before adjusting any routing entries. The route error message also contains a timestamp and nonce. The last part of ARAN is a certificate revocation message by the certification authority. It merely contains a revocation identifier and the revoked cert, signed by the CA. The message is rebroadcast by everybody in the network and presumably stored locally to prevent continuous retransmissions. There is clearly a race condition between issue and receipt of the revocation, and due to dynamic connectivity, the window of opportunity can be large. The authors note, though, that the upper bound on the window of opportunity is the lifetime of the certificate, which should be chosen accordingly.

4.3.4 SEAD

SEAD[HJP02] is a routing protocol based on authenticating DSDV. Authentication is done in two forms. First, SEAD requires a broadcast authentication scheme, such as TESLA, HORS or TIK, to authenticate data origin (of static data). Alternatively, prior pairwise secrets or group keys could be used. Second, SEAD uses hash chains to authenticate dynamic data, i.e. sequence numbers and routing metrics (e.g. hop counts). The (authenticated) ends of each node’s hash chain are to be present at each node in the network. SEAD requires a maximum value m for the routing metric to construct the hash chains. This is not unreasonable, since some distance vector protocols define some (small) value to represent infinity in order to shorten the count-to-infinity problem. An upper bound on the maximum value would be the number of nodes in the network (plus one). For one routing update a hash chain of length m is required. Since there are many routing updates to be sent, SEAD uses a long hash chain and divides it into groups of m values. Each group corresponds to a particular routing update (and sequence number). In a new routing update, a node A lists itself with a metric of 0 and the start of the first (or current) hash group (m hashes away from the authenticated hash chain end). The node sends this routing update and sequence number to its neighbors. In their next routing update, the neighbors will copy the sequence number of A’s routing update, increment the metric to node A, and hash the hash chain value corresponding to the old metric. Since hashing the hash chain value corresponds to increasing the metric by one, the metric cannot be decreased, as the hash functions are one-way. A malicious or faulty node could neglect to increment the metric, claiming to have the same distance to the node as its neighbor, or it could arbitrarily increase the metric up to the maximum m. To verify a metric i from some node, the hash chain value hashed m − i times must equal the authenticated hash chain end. When a new routing update (with a new sequence number) is sent, another hash chain group is used (the previous one in the total hash chain). Its hash chain end is the first element of the hash chain used in the last routing update (and sequence number). A node can distribute this with the new routing update. The hash value can be authenticated by hashing it m times and comparing to the previous hash chain end.
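The SEAD hash chain mechanism above, carried through end to end as an added example (not code from the SEAD paper or this survey): a chain split into groups of m values, one group per sequence number, one hash per hop, verification against the authenticated chain end, and the two tampering cases the text discusses. SHA-256 as the one-way function and the random seed are this example's choices.

```python
"""SEAD-style hash chain authentication of sequence numbers and hop counts.

Added example, not code from the SEAD paper or this survey. SHA-256 is
used as the one-way function and the seed is a constructed random value;
the chain layout follows the text: one group of m values per sequence
number, the metric-0 value m hashes from the group end, one extra hash
per hop, and the authenticated chain end (anchor) known to every node.
"""
import hashlib
import os


def h(x):
    """The one-way function; SHA-256 stands in for whatever hash is used."""
    return hashlib.sha256(x).digest()


def build_chain(seed, m, num_updates):
    """chain[0] is the seed, chain[-1] the anchor; m values per update."""
    chain = [seed]
    for _ in range(m * num_updates):
        chain.append(h(chain[-1]))
    return chain


class SeadOrigin:
    """A node that originates authenticated routing entries for itself."""

    def __init__(self, name, m, num_updates):
        self.name, self.m = name, m
        self.chain = build_chain(os.urandom(32), m, num_updates)
        self.anchor = self.chain[-1]   # distributed authenticated, out of band
        self.seq = 0

    def originate(self):
        """List self with metric 0 and the start of the next hash group."""
        if self.seq >= (len(self.chain) - 1) // self.m:
            raise RuntimeError("hash chain exhausted")
        self.seq += 1
        start = len(self.chain) - 1 - self.m * self.seq
        return {"dst": self.name, "seq": self.seq, "metric": 0,
                "hash": self.chain[start]}


def forward(entry):
    """A neighbor re-advertises the entry: metric + 1, hash applied once."""
    return {"dst": entry["dst"], "seq": entry["seq"],
            "metric": entry["metric"] + 1, "hash": h(entry["hash"])}


def verify(entry, anchor, m):
    """Check an entry against the origin's anchor.

    Within group s the value sits (m - metric) hashes from the group end,
    and the end of group s is m*(s-1) hashes from the anchor, so a genuine
    entry reaches the anchor after exactly (m - metric) + m*(s-1) hashes.
    Claiming a smaller metric would require a preimage of the hash.
    """
    if entry["seq"] < 1 or not 0 <= entry["metric"] <= m:
        return False
    v = entry["hash"]
    for _ in range((m - entry["metric"]) + m * (entry["seq"] - 1)):
        v = h(v)
    return v == anchor


def authenticate_new_end(new_end, prev_end, m):
    """Accept the chain end announced for the next sequence number if
    hashing it m times yields the end already trusted."""
    v = new_end
    for _ in range(m):
        v = h(v)
    return v == prev_end


def run_demo(m=8):
    """Origination, forwarding, a new sequence number, and tampering."""
    a = SeadOrigin("A", m, num_updates=4)
    e0 = a.originate()                 # A itself: metric 0, seq 1
    e1 = forward(e0)                   # one hop away: metric 1
    e2 = forward(e1)                   # two hops away: metric 2
    lowered = dict(e2, metric=1)       # claim to be closer, no preimage
    same_dist = dict(e2)               # forwarded without hashing (limitation)
    e_next = a.originate()             # seq 2 uses the next group
    stale = dict(e0, seq=2)            # old value relabelled with the new seq
    return {
        "origin_ok": verify(e0, a.anchor, m),
        "hops_ok": verify(e1, a.anchor, m) and verify(e2, a.anchor, m),
        "lowered_rejected": not verify(lowered, a.anchor, m),
        "same_distance_accepted": verify(same_dist, a.anchor, m),
        "next_seq_ok": verify(e_next, a.anchor, m)
        and verify(forward(e_next), a.anchor, m),
        "stale_rejected": not verify(stale, a.anchor, m),
        "new_end_ok": authenticate_new_end(e0["hash"], a.anchor, m),
        "too_far_rejected": not verify(dict(e2, metric=m + 1), a.anchor, m),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The "same_distance_accepted" case is the weakness the text names: a node that forwards the value unhashed claims its neighbor's distance, and the chain alone cannot detect it.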

SRP

SRP[PH02] also introduces authentication to ad-hoc routing. Similar to ARAN, it can extend different base routing protocols, although source routed protocols seem heavily favored. It supplies route request, route reply and route error messages. SRP assumes the existence of shared secrets between all pairs of communicating nodes and leverages this for MAC authentication, such that fake route requests are not accepted at the destination and routes set in route replies cannot be modified. Route requests include the source and destination addresses, a query sequence number and a query identifier. The query sequence number provides an ordering on route requests and the query identifier is a random nonce. These values provide replay protection and propagation control. A query which matches the source, destination and query identifier of a recently seen query will be dropped. A query with a sequence number less than the current sequence number for that node will also be dropped. In addition to these fixed fields, a route request also records the route it takes. Since that portion of the packet is dynamic and not available at the source, it is not included in the MAC calculation, which uses the shared secret between source and destination. As a consequence, route requests cannot be authenticated by intermediate nodes, so fake route requests can flood the network, and the route as recorded in the packet can be modified by adversaries. If the tampered route is an invalid route, the corresponding route reply to this route request will not reach the source and will not generate an invalid route in its routing tables. However, if the route is valid (each hop of the route is valid), the corresponding route reply may arrive at the source and be accepted as a route to the destination. In this manner, a route can be arbitrarily lengthened and even loops inside the path are possible, though it would be simple to check the route for multiple occurrences of the same address and delete all intermediate addresses. SRP deals with this by replying to a set number of route requests at the destination to provide some routing diversity. Since path length is a criterion by which the source chooses a route to the destination, artificially lengthened routes are less likely to be chosen than unmodified ones. It should be noted that due to the propagation control via the query identifier, the diversity of the routes that arrive at the destination is somewhat limited. Removing the destination from each route, the set of all possible discovered routes is a tree.

When a destination receives a route request, it checks the MAC to verify the source. If the check fails, the request is dropped. Otherwise the destination puts the query sequence number, the query identifier and the route into a route reply and sends it along the reverse route to the source. A MAC covers all these values, so that a route set in a route reply cannot be tampered with. To provide some routing diversity a destination will reply to several route requests up to some chosen maximum. On arrival of a route reply at the source, the source verifies the MAC and checks that the route in the packet is the reverse of the route the packet took to get to the source. If both conditions hold, the route is added to the node's tables. SRP also includes a facility for intermediate route replies. If an intermediate node possesses a route to the destination and has a shared secret with the source, it can generate an intermediate route reply by appending its route to the destination to the route in the route request, together with a MAC in the key shared with the source. Since the source and the intermediate node share a security association, SRP deems the intermediate node trustworthy to generate intermediate route replies. Obviously, byzantine intermediate nodes can generate invalid routes.

SRP specifies a route error packet, but does not use authentication for it. It is merely verified that the source of the route error message actually lies in the route it claims to have a broken link on. Masquerading allows malicious nodes to fake such messages. A route error message is routed along the reverse route from the broken link to the source of the packet.

5

Intrusion Detection

Zhang and Lee[ZL00] describe how intrusion detection (ID) is affected by the characteristics of wireless networks. They give an introduction to wireless networks and intrusion detection and highlight the central assumptions in ID: that user/process actions are observable and that valid and invalid user/process behavior, or valid and invalid system state, can be distinguished. They divide ID into two branches, misuse and anomaly detection, and discuss their motivations, advantages and disadvantages. Next Zhang and Lee list the ID-critical differences between wired and wireless networks that impede using ID methodology developed on wired networks for wireless ones. In wired networks, network traffic based ID systems can be placed at opportune places in the topology where they can observe all connections crossing network boundaries. In a mobile wireless network, such a traffic concentration spot is unlikely, since nodes are spread out and often not in direct radio distance of each other. Further, communication patterns in wireless networks differ, as communication cost models change. Therefore the models developed for wired networks cannot be applied to wireless networks. Also, as wireless networks and particularly their topology are very volatile, it is difficult to distinguish anomalous or malicious behavior from normal but erratic behavior. Concluding this section, they list the challenges that must be met in order to develop useful wireless ID: finding a set of measures that distinguishes valid from invalid behavior or state in wireless networks, implementing the appropriate measures to gather this data, and building a model that uses the accumulated data to detect intrusions. Zhang and Lee propose a distributed ID architecture with an independent agent running on every node. The agents collect local data, but may exchange information with agents on other nodes. Response is configurable locally and globally; inter-agent communications shall be secured by a “secure communication module” and provide a “high-confidence communication channel”, for which no details are given.
In spite of their secure communication module, the authors note that distributing intrusion rule updates securely and reliably is never easy. Building on this, they advocate a mainly anomaly-based, cooperative ID system that utilizes a majority voting scheme to determine whether the “network is under attack”. In order to detect anomalies in routing table updates, Zhang and Lee postulate a GPS device in every node to record movements. They note that route updates from other nodes may be forged and cannot be trusted. The following measures are correlated: distance travelled, direction and velocity (as measured by GPS), the percentage of changed routes and the percentage of change in the sum of hops of all routes. It is not clear why the sum was selected. A normal profile of this correlation is built during a training process. During operation, collected data is compared against this profile. Zhang and Lee note that the profile can be adapted to the training data to an arbitrary degree of precision. However, the degree to which the training data approximates normal operation is more difficult to control. Zhang and Lee further state that this model is minimal, in that it uses only routing table and position information, regardless of the routing and transport protocols used. For specific protocols, other features can be added to the profile that would increase its performance. They note that analyses of such data could indicate which information should be kept in routing tables to make ID more effective.

Intrusion detection in other services is to follow similar lines. Features such as the number of requests, the number of services requested, the number of nodes requesting services, etc. can be measured per time epoch, and normal profiles to be compared against can be built from trace data or from training periods. Zhang and Lee also make a case for application-level ID, because of the lack of firewalls in wireless networks, and because more information on the state of the applications is available at the higher layers than at the network or system call layers that ID systems traditionally use. However, this requires ID modules to be developed for each application that is to be monitored, or the development of an ID API that applications need to be developed for.
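The profile-and-compare scheme for routing anomalies, reduced to working code as an added example (this is not Zhang and Lee's implementation and the paper gives none): a normal profile is fitted on training epochs that relate each node's own GPS-measured movement to how much its routing table changed, an epoch is scored by how far its routing-table churn deviates from what its movement would explain, and the per-node verdicts are combined by majority vote. The example uses distance alone as the mobility measure (the paper also lists direction and velocity), a least-squares line as the profile, a 3σ threshold, and constructed training data in which churn grows linearly with movement; all of these are assumptions of the example, not the paper's.

```python
import math
from typing import Dict, List, Sequence, Tuple

MOBILITY = "distance"                                     # GPS-derived movement per epoch
ROUTING = ("pct_routes_changed", "pct_hop_sum_change")   # routing-table features per epoch


def fit_line(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float, float]:
    """Least-squares y = a + b*x, plus the standard deviation of the residuals."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    a = my - b * mx
    sigma = math.sqrt(sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys)) / n)
    return a, b, sigma


def build_profile(training: Sequence[Dict[str, float]]) -> Dict[str, Tuple[float, float, float]]:
    """Normal profile: how much routing change a given amount of movement usually explains."""
    xs = [e[MOBILITY] for e in training]
    return {f: fit_line(xs, [e[f] for e in training]) for f in ROUTING}


def deviation(profile: Dict[str, Tuple[float, float, float]], epoch: Dict[str, float]) -> float:
    """Largest residual, in standard deviations, of the routing features given the movement."""
    worst = 0.0
    for f, (a, b, sigma) in profile.items():
        predicted = a + b * epoch[MOBILITY]
        worst = max(worst, abs(epoch[f] - predicted) / max(sigma, 1e-9))
    return worst


def is_anomalous(profile, epoch: Dict[str, float], threshold: float = 3.0) -> bool:
    """Local verdict of one node's agent for one epoch (3 sigma is an assumed threshold)."""
    return deviation(profile, epoch) > threshold


def network_verdict(local_verdicts: Sequence[bool]) -> bool:
    """Cooperative decision: a majority of the participating agents must agree."""
    return sum(local_verdicts) > len(local_verdicts) / 2


def constructed_training() -> List[Dict[str, float]]:
    """Constructed normal epochs: churn grows with movement, plus small deterministic noise."""
    epochs = []
    for i in range(40):
        d = 0.05 * i
        epochs.append({MOBILITY: d,
                       "pct_routes_changed": 0.02 + 0.5 * d + 0.01 * math.sin(i),
                       "pct_hop_sum_change": 0.01 + 0.3 * d + 0.01 * math.cos(i)})
    return epochs
```

An epoch with little movement but heavy routing change scores far outside the profile, while an equally large change accompanied by a proportionate movement scores as normal; this is the reason the features are correlated rather than thresholded one by one, since the raw churn values of the two cases can be identical.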

6

Conclusion

Wireless, mobile ad-hoc networks are a new paradigm in networking technologies. We have shown how they differ from previous paradigms and that security solutions from those often do not apply or do not provide the same security in ad-hoc networks. We have identified major threats to security in ad-hoc networks and crucial objectives to securing them. Finally we have surveyed some of the published and available research in the area.

References

[80201] IEEE 802.11 Working Group. http://grouper.ieee.org/groups/802/11/main.html, November 2001.

[AG00] N. Asokan and Phillip Ginzboorg. Key Agreement in Ad-hoc Networks. Computer Communications Review (to appear), 2000.

[AGM93] E. Ayanoglu, C. Gitlin, and J. Mazo. Diversity coding for transparent self-healing and fault-tolerant communication networks, 1993.

[BD95] M. Burmester and Y. Desmedt. A secure and efficient conference key distribution system. In A. D. Santis, editor, Advances in Cryptology - EuroCrypt ’94, volume 950 of Lecture Notes in Computer Science, pages 275–286. Springer-Verlag, 1995.

[Blo85] R. Blom. An optimal class of symmetric key generation systems. In Advances in Cryptology (EUROCRYPT ’84), number 209 in Lecture Notes in Computer Science, pages 335–338. Springer Verlag, 1985.

[Blu01] Bluetooth SIG. http://www.bluetooth.com, November 2001.

[BSH+98] Carlo Blundo, Alfredo De Santis, Amir Herzberg, Shay Kutten, Ugo Vaccaro, and Moti Yung. Perfectly Secure Key Distribution for Dynamic Conferences. Information and Computation, 146(1):1–23, 1998.

[BY93] M. J. Beller and Y. Yacobi. Fully-Fledged two-way Public Key Authentication and Key Agreement for Low-Cost Terminals. Electronic Letters, 29:999–1001, May 1993.

[DLRS01] Bridget Dahill, Brian Levine, Elizabeth Royer, and Clay Shields. A Secure Routing Protocol for Ad Hoc Networks. Technical Report UM-CS-2001-037, University of Massachusetts, August 2001.

[FKK96] A. Fasbender, D. Kesdogan, and O. Kubitz. Variable and scalable security: Protection of location information in Mobile IP, 1996.

[GRS99] David Goldschlag, Michael Reed, and Paul Syverson. Onion routing. Communications of the ACM, 42(2):39–41, 1999.

[Haa97] Zygmunt Haas. A new routing protocol for the reconfigurable wireless networks. In Proceedings of the IEEE International Conference on Universal Personal Communications, volume 2, pages 562–566, October 1997.

[HJP01] Yih-Chun Hu, David B. Johnson, and Adrian Perrig. Secure On-Demand Routing Protocols in Ad Hoc Networks. Unpublished, 2001.

[HJP02] Yih-Chun Hu, David Johnson, and Adrian Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. In Workshop on Mobile Computing Systems and Applications. IEEE, June 2002.

[JMHJ01] David B. Johnson, David A. Maltz, Yih-Chun Hu, and Jorjeta G. Jetcheva. The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks. Internet-Draft, draft-ietf-manet-dsr-05.txt, March 2001.

[JV96] Mike Just and Serge Vaudenay. Authenticated Multi-Party Key Agreement. In ASIACRYPT’96: Advances in Cryptology, volume 1163 of LNCS, pages 36–49. Springer Verlag, 1996.

[LSP82] Leslie Lamport, R. Shostak, and M. Pease. The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems, 4(3):382–401, July 1982.

[Lun00] Janne Lundberg. Routing Security in Ad Hoc Networks. http://www.tml.hut.fi/~jlu/netsec/netsec-lundberg.ps, 2000.

[Mer87] Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance, editor, Advances in Cryptology - CRYPTO ’87, volume 293 of LNCS, pages 369–378. Springer Verlag, 1987.

[MGLB00] Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. In Proceedings of the Sixth Annual ACM/IEEE International Conference on Mobile Computing and Networking, pages 255–265, 2000.

[MvOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, October 1996.

[NS78] Roger M. Needham and Michael D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, 1978.

[NT94] B. Clifford Neuman and Theodore Ts’o. Kerberos: An authentication service for computer networks. IEEE Communications, 32(9), September 1994.

[OR87] D. Otway and O. Rees. Efficient and timely mutual authentication. ACM Operating Systems Review, 21(1):8–10, January 1987.

[PH02] Panagiotis Papadimitratos and Zygmunt Haas. Secure Routing for Mobile Ad hoc Networks. In Communication Networks and Distributed Systems Modeling and Simulation Conference, January 2002.

[PRD01] Charles E. Perkins, Elizabeth M. Royer, and Samir R. Das. Ad hoc On-Demand Distance Vector (AODV) Routing. Internet-Draft, draft-ietf-manet-aodv-08.txt, March 2001.

[PSTC00] Adrian Perrig, Dawn Song, D. Tygar, and Ran Canetti. Efficient authentication and signature of multicast streams over lossy channels. In 2000 IEEE Symposium on Security and Privacy, pages 56–70, May 2000.

[SA99] Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security Issues for Ad-Hoc Wireless Networks. In B. Christianson, B. Crispo, and M. Roe, editors, Security Protocols, 7th International Workshop Proceedings, Lecture Notes in Computer Science. Springer Verlag, 1999.

[STW98] Michael Steiner, Gene Tsudik, and Michael Waidner. CLIQUES: A New Approach to Group Key Agreement. In International Conference on Distributed Computing Systems, pages 380–387, May 1998.

[ZH99] L. Zhou and Z. Haas. Securing Ad Hoc Networks. IEEE Network Magazine, 13(6), November/December 1999.

[ZL00] Yongguang Zhang and Wenke Lee. Intrusion Detection in Wireless Ad-Hoc Networks. In Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking (MobiCom 2000). ACM, August 2000.