Working on thesis proposal - School of Science and Computer

Master Thesis Proposal
Evaluation of Routing and Secure routing protocols
in Mobile Ad hoc Networks
under Network Attacks
(or in malicious environment)
By
Tuan Anh Nguyen
School of Science and Computer Engineering
University of Houston – Clear Lake
05/2005
Committee members and signatures
Approved by:
Date:
------------------------------------------------------------Advisor: Dr. T. A. Yang
------------------------------------------------------------Committee member:
------------------------------------------------------------Committee member:
Deans
------------------------------------------------------------------------
Table of Contents
1. Abstract
2. Introduction and background
3. Statement of problem
4. Details of the Proposed Investigation
5. Materials and methods of research
6. Summary
7. References
8. Appendices
1. Abstract
The nature of wireless ad hoc networks makes them very vulnerable to attacks. Most
of the attacks target the routing protocols of the wireless ad hoc network, and most of
the security solutions likewise aim at healing the weaknesses of those routing
protocols. Many secure routing protocols have been proposed to deal
with various kinds of network attacks, but no single secure routing protocol can
guarantee the normal operation of the network in every situation. The objective of
the thesis is to study the performance of some specific secure routing protocols in
various malicious scenarios and to propose an optimal security solution to
improve the performance of these secure routing protocols.
2. Introduction and background
a. Overview of Mobile Ad-hoc NETwork – MANET
What is MANET? A Mobile Ad-hoc NETwork is a set of wireless devices,
called wireless nodes, that dynamically connect and transfer information.
Wireless nodes can be personal computers with a wireless LAN card, laptops,
or PDAs.
In a MANET, any wireless node can be the source of a data transmission,
the destination, or an intermediate node. When a wireless node plays the role of
intermediate node, it serves as a router that receives data packets and forwards
them to its neighbor closer to the destination node. Due to the nature of
an ad-hoc network, the network topology changes from time to time. A
node serving as a router may move off the route between
source and destination; the route is then disconnected and the route discovery
process has to be restarted. Thus the main goal of a routing protocol in
a MANET is to find a correct route efficiently.
MANET has various potential applications. Some typical examples
include emergency search-and-rescue operations, meeting events, and battlefield
communication between moving vehicles.
With its ability to meet the demands of mobile computing and military
applications, MANET has a very bright future.
Picture 2.1 Overview of Mobile Ad-hoc Network
b. Routing protocols in MANETs
Routing protocols in ad hoc mobile wireless networks can generally be
divided into 2 groups [5]:
- Table driven: every node in the network maintains complete routing
information about the network by periodically propagating updates.
Thus when a node needs to send a packet, there is no delay for searching
for the route throughout the network. This kind of routing protocol
works roughly the same way as routing protocols for wired
networks.
- Source initiated (or demand driven): a node maintains routes only to the
active destinations that it needs to send data to. The routes to active
destinations expire when they have not been used for some time or the node
has no data to send.
Ad hoc routing protocols
- Table-driven: DSDV, WRP
- Source-initiated on-demand: AODV, DSR
Picture 2.2 Hierarchy of routing protocols
Here we give an overview of some of the most common routing
protocols used in mobile ad hoc networks.
- Table-driven routing protocols
i. Destination Sequence Distance Vector Routing – DSDV
The DSDV protocol, a distance vector routing protocol, is based on the Bellman-Ford algorithm.
The distance vector algorithm has drawbacks such as routing loops and counting to infinity.
However, improvements have been made to Bellman-Ford to ensure a loop-free routing
table.
Every node in the network maintains a routing table that contains routes to all other nodes
with hop counts as metrics. Each entry in the routing table also includes a sequence number
assigned by the destination. This sequence number allows a node to differentiate new
routes from old ones. The routing table is periodically broadcast to other nodes to
maintain the consistency of routing tables throughout the network.
The routing table is transmitted throughout the network in two ways. The first is a full table
transmission and the second is an incremental update of what has changed since the last full table
transmission. Routes that result in an improved metric are scheduled for broadcast at a
later time. The time depends on the average settling time for routes to the particular
destination. Sometimes there can be a burst of advertisement packets in rapidly
changing environments. The mobile host delays the advertisement of such routes to avoid
the bursty behavior. It keeps a history of the weighted average time that routes to a particular
destination fluctuate until the route with the best metric is received.
When a node first appears in the network, it sends out a broadcast message with its locally
maintained sequence number. The odd sequence numbers are for infinity distance while
even numbers are for normal operation. A node periodically sends out a beacon message to
announce its existence. Neighbors receive the message and compare it with what they have
in their routing table. If the sequence number is greater or equal and the metric is better, then
the neighbors update their table with the information contained in the message. The
new information is scheduled to be broadcast further and the metric is incremented by one
hop. The information can also be advertised when asked for or when there is a major change in the
network topology. That is why the protocol is considered both table-driven and
time-driven. Nodes delay the advertisement of the new route, thus they maintain two tables:
one for forwarding packets and a second one for advertising routes.
When no broadcast packets are received from a neighbor, the link is considered to
be broken. Any route through that next hop is immediately assigned an infinity metric and
an updated sequence number. The sequence numbers generated to indicate
infinite metrics are odd numbers.
ii. Dynamic Source Routing - DSR
c. Security goals in MANETs
To secure an ad hoc environment, researchers consider the following parameters:
availability, confidentiality, integrity, authentication and non-repudiation.
Availability guarantees the survivability of network services despite denial-of-service attacks. A
Denial-of-Service (DoS) attack is a potential threat at any layer of an ad hoc network. On the
media access control layer an adversary could jam the physical communication channels.
On the network layer, disruption of the routing operation may result in a partition of the
network, rendering certain nodes inaccessible. On higher levels an attacker could bring
down high-level services such as the key management service.
Confidentiality ensures that certain information is never disclosed to unauthorized
entities. It is of paramount importance to strategic or tactical military communications.
Routing information must also remain confidential in some cases, because the
information might be valuable for enemies to locate their targets in battlefield.
Integrity ensures that a message that is on the way to destination is never corrupted. A
message could be corrupted because of channel noise or because of malicious attacks on
the network.
Authentication enables a node to ensure the identity of the peer node. Without
authentication, an attacker could masquerade as a node, thus gaining access to sensitive
information.
Non-repudiation ensures that the originator of a message cannot deny that it is the real
originator. Non-repudiation is important for detection and isolation of compromised
nodes.
Authorization is important for a node to be sure that the node it gives authority is not an
attacker or a compromised node.
d. Secure routing protocols
Describe the nature of ad hoc network, the weakness of nodes, and the weakness of
routing protocol. The weakness of nodes is mostly a matter of technical drawbacks in materials and
production. Hardware technology improves very fast, which limits the effects of
hardware limitations. But the situation is not the same with routing protocols. The
weakness in routing protocols stays the same if we don't do anything to improve it. There
are various solutions to heal the weakness of routing protocols.
i. Secure Efficient Ad-hoc Distance vector routing protocol - SEAD (improved DSDV)
SEAD is based on the design of the Destination-Sequenced Distance-Vector (DSDV) routing
protocol. This routing protocol serves networks of nodes with limited power and helps to
protect against Denial of Service attacks that cause the nodes to consume excessive
network bandwidth and processing time. SEAD achieves this purpose by using efficient
one-way hash functions.
Hu, Perrig and Johnson introduced a table-driven routing protocol based on the DSDV
algorithm [5]. In a table driven routing protocol nodes periodically exchange routing
information with other nodes. SEAD is built on top of the DSDV-SQ version of the
DSDV protocol that outperforms the basic DSDV.
SEAD deals with modification attacks that try to change the routing information during
the update phase of DSDV-SQ protocol. More specifically routing can be disrupted if the
attacker modifies the sequence number and the metric field of the routing table entry. In
SEAD replay attacks are also taken into account as a security threat.
To secure the DSDV-SQ protocol, SEAD uses efficient one-way hash chains rather than
counting on expensive asymmetric cryptography operations. SEAD assumes some
mechanism for a node to distribute an authentic element of the hash chain. The authors
suggest ensuring the key distribution by relying on a trusted entity that signs public key
certificates for each node. Then each node can use its public key to sign a hash chain
element and distribute it.
The basic idea behind SEAD is to authenticate the sequence number and metric pair of a
routing table update message using hash chain elements. The receiver of SEAD routing
information also authenticates the sender, ensuring that the routing information originates
from the correct node. To create a one-way hash chain, a node chooses an initial random
value x to form the hash chain h_0, h_1, ..., h_n, where h_0 = x and h_i = H(h_{i-1}) for
0 < i < n, for some n.
A hash function takes an input and maps it to a p-bit length output. It is easy to compute
a hash function but infeasible to invert it back. H: {0,1}* → {0,1}^p
For example, given an authenticated h_i value it is possible to authenticate h_{i-3} by
H(H(H(h_{i-3}))), which should be equal to h_i.
Each node uses a specific authentic element from its hash chain in each routing update
that it sends about itself (metric 0). Based on this initial element, the one-way hash chain
provides authentication for the lower bound on the metric in other routing updates for that
node. The use of a hash value corresponding to the sequence number and metric in a
routing update entry prevents any node from advertising a route to some destination
claiming a greater sequence number than that destination’s own current sequence number.
Likewise, a node cannot advertise a route better than those for which it has received an
advertisement, since the metric in an existing route cannot be decreased due to the
one-way nature of the hash chain. When a node receives a routing update, it checks the
authenticity of the information for each entry in the update using the destination address,
the sequence number and the metric of the received entry, together with the latest prior
authentic hash value received from that destination’s hash chain. Hashing the received
elements the correct number of times (according to the prior authentic hash value) assures
the authenticity of the received information if the calculated hash value and the authentic
hash value match. The source of each routing update message in SEAD must also be
authenticated, since otherwise, an attacker may be able to create routing loops through
the impersonation attack.
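The hash-chain check described above, as an added example (not code from the proposal or from the SEAD authors). The index layout, in which entry (sequence number i, metric j) is authenticated by element h_{km+j} with k = n/m - i and m the upper bound on the metric, follows the published SEAD design and is not spelled out on this page; SHA-256, the constants, the use of h_n as the authentic anchor and all function names are assumptions.

```python
import hashlib
import hmac

M = 4                 # assumed upper bound on the metric (network diameter)
SEQ_COUNT = 8         # assumed number of sequence numbers one chain covers
N = M * SEQ_COUNT     # chain length n; h_n is the authenticated anchor


def H(value: bytes) -> bytes:
    """One-way hash function H (SHA-256 is an assumption)."""
    return hashlib.sha256(value).digest()


def make_chain(x: bytes, n: int = N) -> list:
    """Return [h_0, ..., h_n] with h_0 = x and h_i = H(h_{i-1})."""
    chain = [x]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def chain_index(seq: int, metric: int, n: int = N, m: int = M) -> int:
    """Index of the element that authenticates (seq, metric).

    Higher sequence numbers map to earlier elements of the chain, and
    within one sequence number a larger metric is one hash further on.
    """
    if not (1 <= seq <= n // m and 0 <= metric < m):
        raise ValueError("sequence number or metric out of range")
    return (n // m - seq) * m + metric


def verify_entry(anchor: bytes, seq: int, metric: int, element: bytes) -> bool:
    """Hash the received element forward and compare with the anchor h_n."""
    try:
        steps = N - chain_index(seq, metric)
    except ValueError:
        return False
    value = element
    for _ in range(steps):
        value = H(value)
    return hmac.compare_digest(value, anchor)


def demo() -> dict:
    chain = make_chain(b"constructed seed, not a real secret")
    anchor = chain[N]
    seq, metric = 3, 1
    element = chain[chain_index(seq, metric)]   # sent with the update
    return {
        "honest": verify_entry(anchor, seq, metric, element),
        # A forwarder hashes once more to advertise metric + 1: accepted.
        "next_hop": verify_entry(anchor, seq, metric + 1, H(element)),
        # The same element offered for a shorter route: rejected.
        "lower_metric": verify_entry(anchor, seq, metric - 1, element),
        # The same element offered for a newer sequence number: rejected.
        "newer_seq": verify_entry(anchor, seq + 1, metric, element),
    }


if __name__ == "__main__":
    print(demo())
```

The check binds only the sequence number and metric; authenticating the sender of the update, which the paragraph above also requires, is a separate step.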
ii. ARIADNE (improved DSR)
A second proposal by Hu, Perrig and Johnson presents an on-demand ad hoc routing
protocol based on DSR, ARIADNE [4]. ARIADNE withstands node compromise and
relies only on highly efficient symmetric cryptography. It also guarantees that the
destination node of a route discovery process can authenticate the originator. The
originator can authenticate each intermediate node on the path to the destination present
in the RREP message and can ensure that no intermediate node can remove a previous
node in the node list in the RREQ or RREP messages.
ARIADNE needs a mechanism to enable each node to share a secret key (i.e., K_SD
between source and destination). A TESLA key for each node in the network and an
authentic "Route Discovery Chain" element for each node for which this node will
forward RREQ messages must be securely known.
ARIADNE provides a point-to-point authentication of a routing message using a
Message Authentication Code (MAC) and a shared key between the two entities. For
authentication of RREQ packets, ARIADNE uses the TESLA broadcast authentication
protocol. ARIADNE copes with attacks performed by malicious nodes that modify and
fabricate routing information.
In ARIADNE, the basic RREQ mechanism is enriched with eight fields used to provide
authentication and integrity to the routing protocol.
<ROUTE REQUEST, initiator, target, id, time interval, hash chain, node list, MAC list>.
The initiator and target are the addresses of the source and destination nodes respectively. As in
DSR, the initiator sets the id to an identifier that it has not recently used in initiating
a Route Discovery. The time interval is a TESLA-related parameter: the pessimistic
expected arrival time of the request at the target, accounting for clock skew.
The initiator of the request then initializes the hash chain to MAC_KSD(initiator, target, id,
time interval) and the node list and MAC list to empty lists.
When a node A receives a RREQ for which it is not the target, the node checks its local
table of <initiator, id> values from recent requests it has received, to determine if it has
already seen a request from this same Route Discovery. If it has, the node discards the
packet, as in DSR. The node also checks whether the time interval in the request is valid:
that time interval must not be too far in the future, and the key corresponding to it must
not have been disclosed yet. If the time interval is not valid, the node discards the packet.
Otherwise, the node modifies the request by appending its own address (A) to the node
list in the request, replacing the hash chain field with H [A, hash chain], and appending a
MAC of the entire REQUEST to the MAC list. The node uses the TESLA key K_Ai to
compute the MAC, where i is the index for the time interval specified in the request.
Finally, the node rebroadcasts the modified RREQ, as in DSR. When the target node
receives the RREQ, it checks the validity of the request by determining that the keys from
the time interval specified have not been disclosed yet, and that the hash chain field is
equal to:
H[h_n, H[h_{n-1}, H[..., H[h_1, MAC_KSD(initiator, target, id, time interval)] ...]]]
where h_i is the node address at position i of the node list in the request, and where n is the
number of nodes in the node list. If the target node determines that the request is valid, it
returns a RREP to the initiator, containing eight fields: <ROUTE REPLY, target, initiator,
time interval, node list, MAC list, target MAC, key list>.
Figure – ARIADNE route discovery
The target, initiator, time interval, node list, and MAC list fields are set to the
corresponding values from the RREQ, the target MAC is set to a MAC computed on the
preceding fields in the reply with the key K_DS, and the key list is initialized to the empty
list. The RREP is then returned to the initiator of the request along the source route
obtained by reversing the sequence of hops in the node list of the request.
An intermediate node that forwards the RREP waits till it is able to disclose its key from
the time interval specified. Afterwards it appends its key from that time interval to the
key list field in the reply and forwards the packet according to the source route indicated
in the packet.
When the originator receives a RREP, it verifies that each key in the key list is valid, that the
target MAC is valid, and that each MAC in the MAC list is valid. If these tests
succeed, the node accepts the RREP.
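The per-hop hash chain of the RREQ and the target's check of it, as an added example (not code from the proposal or from the ARIADNE authors). HMAC-SHA-256 as the MAC, SHA-256 as H, the length-prefixed field encoding, the dictionary layout and all function names are assumptions; the MAC list, the TESLA keys and the time-interval checks are left out.

```python
import hashlib
import hmac


def encode(*fields) -> bytes:
    """Length-prefix every field so concatenations cannot be ambiguous."""
    out = b""
    for field in fields:
        raw = field if isinstance(field, bytes) else str(field).encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out


def initial_chain(k_sd: bytes, initiator, target, req_id, interval) -> bytes:
    """MAC_KSD(initiator, target, id, time interval), set by the initiator."""
    msg = encode(initiator, target, req_id, interval)
    return hmac.new(k_sd, msg, hashlib.sha256).digest()


def new_request(k_sd: bytes, initiator, target, req_id, interval) -> dict:
    """RREQ as it leaves the initiator: empty node list, chain = MAC_KSD(...)."""
    return {
        "initiator": initiator,
        "target": target,
        "id": req_id,
        "interval": interval,
        "hash_chain": initial_chain(k_sd, initiator, target, req_id, interval),
        "node_list": [],
    }


def forward(request: dict, addr: str) -> dict:
    """Intermediate node A: append A, replace the chain by H[A, hash chain]."""
    out = dict(request)
    out["node_list"] = request["node_list"] + [addr]
    out["hash_chain"] = hashlib.sha256(
        encode(addr, request["hash_chain"])).digest()
    return out


def target_accepts(k_sd: bytes, request: dict) -> bool:
    """Target: rebuild H[h_n, H[..., H[h_1, MAC_KSD(...)]]] from the node list."""
    expected = initial_chain(k_sd, request["initiator"], request["target"],
                             request["id"], request["interval"])
    for addr in request["node_list"]:
        expected = hashlib.sha256(encode(addr, expected)).digest()
    return hmac.compare_digest(expected, request["hash_chain"])


def demo() -> dict:
    k_sd = b"constructed shared key K_SD"          # sample value only
    rreq = new_request(k_sd, "S", "D", 7, 42)
    rreq = forward(forward(rreq, "A"), "B")        # path S -> A -> B -> D
    dropped = dict(rreq, node_list=["B"])          # node A removed in transit
    swapped = dict(rreq, node_list=["B", "A"])     # node order changed
    return {
        "intact": target_accepts(k_sd, rreq),
        "node_removed": target_accepts(k_sd, dropped),
        "node_reordered": target_accepts(k_sd, swapped),
        "wrong_key": target_accepts(b"some other key", rreq),
    }


if __name__ == "__main__":
    print(demo())
```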
In order to avoid the injection of invalid route errors into the network by any node other
than the one on the sending end of the link specified in the error message, each node that
encounters a broken link adds TESLA authentication information to the error message.
On the other hand TESLA authentication is delayed, so all the nodes on the return path
buffer the error but do not consider it until it is authenticated. Later, the node that saw the
broken link discloses the key and sends it over the return path, which enables nodes on
that path to authenticate the buffered error message.
ARIADNE is secure against the wormhole attacks only in its advanced version that uses
the TIK (TESLA with Instant Key disclosure) protocol that allows for very accurate time
synchronization between the nodes of the network. It can also detect anomalies in routing
traffic flows in the network.
e. Attacks on Wireless Ad-hoc Network
Attacks on wireless networks, like attacks on networks in general, can be divided into 2 groups – passive
and active. With passive attacks, the attacker just collects information from the data
transmitted over the network without causing any damage to the network, while active
attackers try to disrupt the normal operation of nodes in the network, to damage data,
or even to bring the whole network down.
The purpose of passive attacks is military, commercial or just curiosity.
The purpose of active attacks is also military or commercial, or sometimes just a
prank to show off technical ability. In particular, a node with a technical problem can be
considered an attacker even though it disrupts data transmission unintentionally.
Here we do not go into the details of the purpose of the attacks. We focus only on the technical aspects.
i. Passive attacks:
This kind of attack aims at collecting valuable information from the network. The
information includes the data transferred, the identification of communicating nodes, the
network topology and more.
ii. Active Attacks
1. Power consumption attack
Mostly based on DOS attack.
2. Routing attacks
- A malicious node introduces false information and confuses the routing procedure. By doing
that, it can degrade the performance of the network.
- A malicious node claims that it has the best path to a destination, so that it attracts all
traffic, and then discards the traffic.
- A malicious node can send requests for a non-existent address and cause the network to be flooded with
these RREQs. These RREQs consume bandwidth and degrade performance.
Denial Of Service – DOS
2 typical kinds of DOS attacks are radio jamming and battery exhaustion [4]
Impersonation
Fabrication
Blackhole
Wormhole
3. Statement of problem
The mobile ad hoc network is a new model of wireless communication and is increasingly
gaining attention from industry. As in a general networking environment, mobile ad-hoc
networks have to deal with various security threats. Due to the dynamic nature of the network
topology, routing in a mobile ad-hoc network plays a vital role in the performance of the
network. It is understandable that most security threats target the routing protocols –
the weakest point of the mobile ad-hoc network. There are various studies and research efforts in this
field that attempt to propose more secure protocols. However, there is no complete
routing protocol that can entirely secure the operation of a network in every situation.
A secure protocol can protect the network against one specific type of attack but cannot
protect it against other kinds.
Much research has been done to evaluate the performance of secure routing protocols
in comparison with normal routing protocols. The purpose of this research is to
discover the additional cost of adding security features to non-secure routing protocols
in various scenarios. The additional cost includes delay in packet transmission, a low
rate of data packets over the total packets sent, and many more factors.
However, in the real world, there are no ideal working environments. There are always
threats and malicious actions affecting the performance of a mobile ad-hoc network. Thus
studying the performance of secure routing protocols in malicious environments is needed
in order to exhaustively evaluate the performance of these routing protocols. In the thesis
I will implement 2 secure routing protocols: secure efficient distance vector routing - SEAD and a secure on-demand routing protocol - ARIADNE in the OPNET simulation
environment. I will also create malicious scenarios in OPNET by implementing several
attacking scenarios.
By implementing secure routing protocols and running these routing protocols in
malicious environments, I hope that I will discover the weaknesses of these secure
routing protocols and propose a solution to heal the weaknesses or to improve the performance of
these secure routing protocols.
4. Details of the Proposed Investigation
One method of conducting research in this field is to simulate the performance of
these secure routing protocols. Fortunately, there are various computer simulation
packages that help with this kind of research, such as NS-2, OPNET and Glomosim.
In this thesis, I will implement 2 secure routing protocols, SEAD and ARIADNE, in the
OPNET simulation environment. I will run standard routing protocols – AODV and
DSDV (protocols already built into the OPNET simulation) to create the baseline
performance, then I will run the secure versions of these routing protocols to compare their performance
against the baselines.
In the next step I will run these secure routing protocols in malicious environments and
compare the results with their performance in the previous step in order to unveil the weaknesses of
these routing protocols.
Based on the performance analysis of these secure routing protocols, I will propose a solution
to improve the performance of these routing protocols.
Time table
- Implement secure routing protocols such as SEAD and ARIADNE in the OPNET
simulation environment.
- Run routing and secure routing protocols in benign environments to get
baseline performance.
- Run secure routing protocols in various malicious scenarios.
- Study the effects of the scenarios on the performance of secure routing protocols.
- Propose a solution for the routing protocols to get better performance.
5. Materials and methods of research
The thesis is heavily based on implementation and experiments in a simulation
environment. OPNET is chosen as the simulation environment. Specifically,
OPNET developer will be used to create the experiment scenarios. OPNET has
several already implemented routing protocols such as AODV, DSDV, DSR and
TORA, but nothing for secure routing protocols. The secure routing protocols SEAD
and ARIADNE will be implemented using the Application Programming Interface of
the OPNET development kit and the C language embedded in it.
a. Experiments
b. Experimental Environment
i. NS-2
ii. OPNET
c. Environment Setup
d. Proposed Schedule:
Study simulation tool and environment
Implement routing protocols for research.
Implement and simulate the attacks
Analyze the results
Conclusion
Report and defend.
6. Summary
7. References
[1] On Vulnerability and protection of Ad hoc On Demand Distance Vector Protocol
Weichao Wang, Yi L, Bharat Bhargava – Purdue University
[2] Stealth Attack on Adhoc Wireless Networks
Markus Jakobsson, Susanne Wetzel and Bulent Yener
[3] Security in Ad-hoc Routing Protocols
Frederic Martin, Houy-Sy Thao, Magnus Thylander – National University of
Singapore
[4] Security in wireless ad-hoc networks – The handbook of Ad hoc wireless network
Amitabh Mishra, Ketan M. Nadkarni – Virginia polytechnic Institute and State
University.
[5] A review of current routing protocols for ad hoc mobile wireless networks
Elizabeth M. Royer – University of California Santa Barbara
Chai-Keong Toh – Georgia Institute of Technology
[6] SEAD secure efficient distance vector routing for mobile wireless ad hoc
networks
Yih-Chun Hu, David B.Johnson, Adrian Perrig. – Carnegie Mellon University and
Rice University Houston.
8. Appendices
Byzantine: