CHAPTER 12




AD HOC NETWORKS SECURITY

PIETRO MICHIARDI and REFIK MOLVA




12.1 INTRODUCTION

An ad hoc network is a collection of wireless mobile hosts forming a temporary network
without the aid of any established infrastructure or centralized administration. In such an
environment, it may be necessary for one mobile host to enlist the aid of other hosts in
forwarding a packet to its destination, due to the limited range of each mobile host's wireless
transmissions. Mobile ad hoc networks (MANETs) do not rely on any fixed infrastructure
but communicate in a self-organized way.
Security in a MANET is an essential component for basic network functions like pack-
et forwarding and routing: network operation can be easily jeopardized if countermea-
sures are not embedded into basic network functions at the early stages of their design.
Unlike networks using dedicated nodes to support basic functions like packet forwarding,
routing, and network management, in ad hoc networks those functions are carried out by
all available nodes. This very difference is at the core of the security problems that are
specific to ad hoc networks. As opposed to dedicated nodes of a classical network, the
nodes of an ad hoc network cannot be trusted for the correct execution of critical network
functions.
If an a priori trust relationship exists between the nodes of an ad hoc network, entity
authentication can be sufficient to assure the correct execution of critical network func-
tions. A priori trust can only exist in a few special scenarios like military networks and
corporate networks, where a common, trusted authority manages the network, and it re-
quires tamper-proof hardware for the implementation of critical functions. Entity authen-
tication in a large network, on the other hand, raises key management requirements. An
environment where a common, trusted authority exists is called a managed environment.

Mobile Ad Hoc Networking. Edited by Basagni, Conti, Giordano, and Stojmenovic.
ISBN 0-471-37313-3 © 2004 Institute of Electrical and Electronics Engineers, Inc.

When tamper-proof hardware and strong authentication infrastructure are not avail-
able, for example, in an open environment where a common authority that regulates the
network does not exist, any node of an ad hoc network can endanger the reliability of ba-
sic functions like routing. The correct operation of the network requires not only the cor-
rect execution of critical network functions by each participating node but it also requires
that each node performs a fair share of the functions. The latter requirement seems to be a
strong limitation for wireless mobile nodes in which power saving is a major concern. The
threats considered in the MANET scenario are thus not limited to maliciousness; a new
type of misbehavior called selfishness should also be taken into account to eliminate
nodes that simply do not cooperate.
With lack of a priori trust, classical network security mechanisms based on authentica-
tion and access control cannot cope with selfishness, and cooperative security schemes
seem to offer the only reasonable solution. In a cooperative security scheme, node misbe-
havior can be detected through the collaboration between a number of nodes, assuming
that a majority of nodes do not misbehave.
The rest of the chapter is organized as follows. Section 12.2 presents the recent re-
search that has been done in order to come up with secure routing protocols for ad hoc
networks that cope with threats that are specific to the ad hoc environment. All of the pre-
sented secure protocols, however, do not take into account the node selfishness problem,
which is detailed in Section 12.3. Recent solutions to combat the lack of node cooperation
are presented in Section 12.3. The basic requirement of a large number of proposed security
schemes is the presence of a key distribution mechanism managed by a trusted authority
that takes part in the initialization phase of the network. Recent advances in order to
provide an automated key management scheme that does not require the presence of any
external infrastructure or bootstrap phase where keys are distributed are presented in Sec-
tion 12.4. In Section 12.5, currently available security mechanisms implemented in the
data link layer are detailed and analyzed. Furthermore, Section 12.5.3 focuses on a discus-
sion about the relevance for the ad hoc environment of security mechanisms implemented
in the data link layer.


12.2 SECURE ROUTING

Routing protocols for ad hoc networks are challenging to design. Wired network protocols
(such as BGP) are not suitable for an environment where node mobility and network
topology rapidly change. Such protocols also have high communication overhead because
they send periodic routing messages even when the network is not changing. So far, re-
searchers in ad hoc networking have studied the routing problem in a nonadversarial net-
work setting, assuming a reasonably trusted environment. However, unlike networks using
dedicated nodes to support basic functions like packet forwarding, routing, and network
management, in ad hoc networks, those functions are carried out by all available nodes.
This very difference is at the core of the increased sensitivity to node misbehavior in ad
hoc networks, and the currently proposed routing protocols are exposed to many different
types of attacks.
Section 12.2.1 presents and classifies the threats that a misbehaving node can perpe-
trate to jeopardize the network operation. Recent research brought up the need to take into
account node misbehavior at the early stages of the routing protocol design. Current ef-
forts in secure routing protocol design are outlined and analyzed in Section 12.2.2.


12.2.1 Exploits Allowed by Existing Routing Protocols
Current ad hoc routing protocols are basically exposed to two different types of attacks:
active attacks and passive attacks. An attack is considered to be active when the misbe-
having node has to bear some energy costs in order to perform the threat, whereas passive
attacks are mainly due to lack of cooperation, with the purpose of saving energy selfishly.
Nodes that perform active attacks with the aim of damaging other nodes by causing net-
work outages are considered to be malicious whereas nodes that perform passive attacks
with the aim of saving battery life for their own communications are considered to be self-
ish.
Malicious nodes can disrupt the correct functioning of a routing protocol by modifying
routing information, by fabricating false routing information, and by impersonating other
nodes. Recent research studies [10] also brought up a new type of attack that goes under
the name of wormhole attack. On the other hand, selfish nodes can severely degrade network
performance and eventually partition the network (X) by simply not participating in
the network operation.

12.2.1.1 Threats Using Modification. Existing routing protocols assume that
nodes do not alter the protocol fields of messages passed among nodes. Malicious nodes
can easily cause traffic subversion and denial of service (DoS) by simply altering these
fields. Such attacks compromise the integrity of routing computations. By modifying
routing information, an attacker can cause network traffic to be dropped, be redirected to a
different destination, or take a longer route to the destination, thus increasing communica-
tion delays.

12.2.1.2 Threats Using Impersonation. Since current ad hoc routing protocols do
not authenticate routing packets, a malicious node can launch many attacks in a network
by masquerading as another node (spoofing). Spoofing occurs when a malicious node
misrepresents its identity in order to alter the view of the network topology that a benign
node can gather. As an example, a spoofing attack allows one to create loops in routing in-
formation collected by a node with the result of partitioning the network.

12.2.1.3 Threats Using Fabrication. The term “fabrication” is used when referring
to attacks performed by generating false routing messages. Such kinds of attacks
can be difficult to identify as they come as valid routing constructs, especially in the case
of fabricated routing error messages claiming that a neighbor can no longer be contacted.

12.2.1.4 Wormhole Attack. A more subtle type of active attack is the creation of a
tunnel (or wormhole) in the network between two colluding malicious nodes linked
through a private network connection. This exploit allows a node to short-circuit the nor-
mal flow of routing messages, creating a virtual vertex cut in the network that is con-
trolled by the two colluding attackers.

12.2.1.5 Lack of Cooperation. A selfish node that wants to save battery life for its
own communication can endanger the correct network operation by simply not participat-
ing in the routing protocol or by not executing the packet forwarding (this attack is also
known as the black hole attack). Current ad hoc routing protocols cannot cope with the
selfishness problem, and network performance severely degrades as a result.


12.2.2 Secure Routing Protocols
Current efforts toward the design of secure routing protocols are mainly oriented to reac-
tive (on-demand) routing protocols such as DSR [12] or AODV [13], in which a node at-
tempts to discover a route to some destination only when it has a packet to send to that
destination. On-demand routing protocols have been demonstrated to perform better with
significantly lower overheads than proactive routing protocols in many scenarios since
they are able to react quickly to topology changes, yet are able to reduce routing overhead
in periods or areas of the network in which changes are less frequent. It is possible to find,
however, interesting security solutions for proactive routing protocols that are worth
mentioning.
Common to the secure routing protocols proposed in the literature is the type of attack
they address: major efforts are made to find countermeasures against active attacks performed
by malicious nodes that aim to intentionally disrupt the routing protocol execution,
whereas the selfishness problem is not addressed. Furthermore, the prerequisite for
all the available solutions is a managed environment. In such scenarios, nodes wishing to
communicate may be able to exchange initialization parameters beforehand; for example,
within the security of a dedicated network where session keys may be distributed or
through a trusted third party.
In the following, the major secure routing protocols for ad hoc networks will be out-
lined and analyzed.

12.2.2.1 SRP. The Secure Routing Protocol (SRP) [1], proposed by Papadimitratos
and Haas, is conceived of as an extension that can be applied to a multitude of existing re-
active routing protocols. SRP combats attacks that disrupt the route discovery process and
guarantees the acquisition of correct topological information: a node initiating a route dis-
covery is able to identify and discard replies providing false routing information or avoid
receiving them.
The underlying assumption is the existence of a security association (SA) between the
source node (S) and the destination node (T). The trust relationship could be instantiated,
for example, by knowledge of the public key of the other communicating end. The two
nodes can negotiate a shared secret key ($K_{S,T}$) and then, using the SA, verify that the principal
that participated in the exchange was indeed the trusted node.
SRP copes with noncolluding malicious nodes that are able to modify (corrupt), replay,
and fabricate routing packets. Based on the dynamic source routing protocol (DSR), SRP requires
the addition of a six-word header containing unique identifiers that tag the discovery
process, and a message authentication code (MAC). In order to initiate a route request
(RREQ), the source node has to generate a MAC using a keyed hash algorithm that accepts
as input the entire IP header, the basis protocol RREQ packet, and the shared key $K_{S,T}$.
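The request tagging described above, as an added example that is not code from the original chapter or from the SRP authors; it also runs the destination-side check against a relayed, a modified, a fabricated and a replayed request. HMAC-SHA-256, the field encoding, the per-source sequence check, the exclusion of the route record from the MAC and all names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed sample key; the field layout below is an assumption made for
# this example, not the SRP wire format.
K_ST = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # shared key K_{S,T}


def encode_fields(src: str, dst: str, query_id: int, seq: int) -> bytes:
    """Length-prefixed encoding, so field boundaries cannot be shifted."""
    out = b""
    for part in (src.encode(), dst.encode()):
        out += struct.pack("!H", len(part)) + part
    return out + struct.pack("!QI", query_id, seq)


def make_rreq(key, src, dst, query_id, seq):
    """Source side: tag the request fields with a keyed hash."""
    mac = hmac.new(key, encode_fields(src, dst, query_id, seq), hashlib.sha256).digest()
    # Assumption: the route record grows hop by hop, so it is left out of the MAC.
    return {"src": src, "dst": dst, "query_id": query_id, "seq": seq,
            "route": [], "mac": mac}


class Destination:
    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted per source (assumed scheme)

    def verify(self, rreq) -> str:
        expected = hmac.new(
            self.key,
            encode_fields(rreq["src"], rreq["dst"], rreq["query_id"], rreq["seq"]),
            hashlib.sha256,
        ).digest()
        if not hmac.compare_digest(expected, rreq["mac"]):  # constant-time compare
            return "reject: bad MAC"
        if rreq["seq"] <= self.last_seq.get(rreq["src"], -1):
            return "reject: replay"
        self.last_seq[rreq["src"]] = rreq["seq"]
        return "accept"


def demo():
    t = Destination(K_ST)
    genuine = make_rreq(K_ST, "S", "T", query_id=0x1122334455667788, seq=7)
    relayed = dict(genuine, route=["A", "B"])   # relays append themselves
    modified = dict(genuine, dst="M")           # protocol field altered in transit
    fabricated = make_rreq(b"\x00" * 16, "S", "T", 99, 8)  # built without K_{S,T}
    return [t.verify(relayed), t.verify(modified),
            t.verify(fabricated), t.verify(relayed)]
```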
The intermediate nodes that relay the RREQ toward the destination measure the fre-
quencies of queries received from their neighbors in order to regulate the query propaga-
tion process: each node maintains a priority ranking that is inversely proportional to the
query rate. A node that maliciously pollutes network traffic with unsolicited RREQs will
be served last (if not ignored) because of its low priority ranking.
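One way a relay could keep such a ranking, as an added example that is not code from the original chapter or from the SRP authors. The sliding window, the drop threshold and all names are assumptions; pending queries are served in order of the sending neighbor's current query rate, lowest first.

```python
from collections import defaultdict, deque

WINDOW = 10.0  # seconds of history used to estimate a neighbor's query rate (assumed)


class QueryScheduler:
    """Relay-side queue: the lower a neighbor's recent RREQ rate, the sooner it is served."""

    def __init__(self, drop_above=None):
        self.arrivals = defaultdict(deque)  # neighbor -> arrival times inside the window
        self.pending = []                   # (arrival order, neighbor, rreq)
        self.order = 0
        self.drop_above = drop_above        # optional rate beyond which queries are ignored

    def rate(self, neighbor, now):
        q = self.arrivals[neighbor]
        while q and q[0] <= now - WINDOW:   # forget arrivals older than the window
            q.popleft()
        return len(q) / WINDOW

    def receive(self, neighbor, rreq, now):
        self.arrivals[neighbor].append(now)  # ignored queries still count toward the rate
        if self.drop_above is not None and self.rate(neighbor, now) > self.drop_above:
            return False
        self.pending.append((self.order, neighbor, rreq))
        self.order += 1
        return True

    def serve(self, now):
        """Pop the query whose sender currently has the lowest rate (ties: oldest first)."""
        best = min(self.pending, key=lambda p: (self.rate(p[1], now), p[0]))
        self.pending.remove(best)
        return best[1], best[2]


def demo():
    s = QueryScheduler(drop_above=0.5)
    # Constructed trace: neighbor "X" floods, "A" and "B" each send one query.
    trace = [(0.0, "X"), (0.1, "X"), (0.2, "X"), (0.3, "A"), (0.4, "X"),
             (0.5, "X"), (0.6, "X"), (0.7, "B"), (0.8, "X")]
    accepted = [s.receive(n, f"rreq-{i}", t) for i, (t, n) in enumerate(trace)]
    served = [s.serve(1.0)[0] for _ in range(len(s.pending))]
    return accepted, served
```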
Upon reception of a RREQ, the destination node verifies the integrity and authenticity
of the RREQ by calculating the keyed hash of the request fields and comparing it with
the MAC contained in the SRP header. If the RREQ is valid, the destination initiates a
route reply (RREP) using the SRP header, the same way the source did when initiating