01-01-2013, 12:18 PM
On the Security of Route Discovery in MANETs
On the Security of Route Discovery.pdf (Size: 403.99 KB / Downloads: 19)
INTRODUCTION
ROUTING is a basic functionality for multihop mobile ad
hoc networks (MANETs). These networks are decentralized,
with nodes acting both as hosts and as routers,
forwarding packets for nodes that are not in transmission
range of each other. Several route discovery algorithms
have been proposed in the literature (see, e.g., [1], [2], [3],
[4], [5]). These focus mainly on efficiency issues such as
scalability with respect to network size, traffic load,
mobility, and on the adaptability to network conditions
such as link quality and power requirements. Some of the
proposed routing algorithms also address security issues
(e.g., [6], [7], [8], [9], [10], for a survey, see [11]), but their
security is restricted to rather weak adversary models.
There are several reasons for this, the most important one
being that it is hard to model a formal security framework
that captures all the basic security aspects of a MANET.
Several attempts have been made to address the security
of MANET route discovery more robustly, the most recent
one being introduced in a series of papers by Buttya`n and
Vajda [12] and Acs et al. [13], [14], [15], [16]. In these works,
the authors develop a formal idealization and simulation
framework that adapts ideas from the secure reactive systems
approach [17] and universally composable security approach
[18] to the realm of MANET applications.
The Source Routing Protocol (SRP)
SRP [3] is an on-demand source routing protocol that
captures the basic features of reactive routing. In SRP, route
requests generated by a source S are protected by Message
Authentication Codes (MACs) computed using a key shared
with the target T. Requests are broadcast to all the neighbors
of S. Each neighbor that receives a request for the first time
appends its identifier to the request and rebroadcasts it.
Intermediate nodes do the same. The MAC in the request is
not checked because only S and T know the key used to
compute it. When this request reaches the target T, its MAC
is checked by T. If it is valid, then it is assumed by the target
that all adjacent pairs of nodes on the path of the route
request are neighbors. Such paths are called valid or plausible
routes. The target T replaces the MAC of a valid route
request with an MAC computed with the same key that
authenticates the route. This is then sent back (upstream) to
S using the reverse route. For example, a route request that
reaches an intermediate node Xj is of the form
The ABV Model
The security framework used by Acs et al. [15] is based on
the simulation paradigm for protocol security, which was
envisioned early by Beaver [21] and Beaver and Haber [22]
in the context of information-theoretic security. That
culminated in two standing (and related) approaches in
the (standard) complexity-theoretic security model, developed
independently as the secure reactive systems approach
by Pfitzmann and Waidner [17] and Backes and Waidner
[23] and as the universally composable security framework by
Canetti [18].
These approaches compare executions of a protocol in
a real-world model to its executions in an ideal-world model
that is controlled by the functionality F, which captures
formally the goals that is supposed to achieve. In the real
world, the adversary is modeled as a traditional Byzantine
adversary of the Dolev-Yao model [24], i.e., it is able to
schedule and tamper with all communication channels to
provide inputs to honest parties and observe their outputs,1
and coordinate the actions of all corrupted parties.
Additionally, the adversary is capable of interacting with
other sessions of the protocol that may be executing
concurrently.2 The ideal-world adversary mimics the
behavior of the real-world one to allow for simulations of
real-world protocol executions in the ideal world. In order
that be secure in this framework, the effects on the
execution of in the real-world model by any real-world
adversary A should be indistinguishable from those of an
appropriately chosen ideal-world adversary A0 in the idealworld
model.
The Adversary
It is sometimes suggested that adversarial nodes should be
bound by the same constraints as nonadversarial nodes, for
example, have similar communication capabilities [15]. This
may be the case for some applications, but it is not realistic.
Although, it may seem reasonable to assume that the
resources of adversarial nodes are (polynomially) bounded,
allowing for the constraints on ubiquitous applications, it is
unreasonable to assume that adversarial nodes cannot use
more powerful transmitters than nonadversarial nodes, say
transmitters that are 50 percent more powerful than the
norm,5 if with such means they can compromise the system.
That being said, it is technically possible and may be
convenient in some cases to restrict the communication
capability of nodes in a simulation-based security model
such as the UC framework or reactive systems, as
demonstrated by the ABV communication model.