18-05-2013, 11:24 AM
Security in Ad-hoc Networks
Security in Ad-hoc.doc (Size: 352.5 KB / Downloads: 44)
Abstract
Ad-hoc networks are an emerging area of mobile computing. There are various challenges that are faced in the Ad-hoc environment. These are mostly due to the resource poorness of these networks. They are usually set up in situations of emergency, for temporary operations or simply if there are no resources to set up elaborate networks. Ad-hoc networks therefore throw up new requirements and problems in all areas of networking. The solutions for conventional networks are usually not sufficient to provide efficient Ad-hoc operations. The wireless nature of communication and lack of any security infrastructure raise several security problems. In this paper we attempt to analyze the demands of Ad-hoc environment. We focus on three areas of Ad-hoc networks, key exchange and management, Ad-hoc routing, and intrusion detection. The key issues concerning these areas have been addressed here. We have tried to compile solutions to these problems that have been active areas of research.
Introduction
Ad-hoc networks are a new paradigm of wireless communication for mobile hosts. They need no fixed infrastructure such as base stations or mobile switching centres. Nodes within each other's radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages. Node mobility causes frequent changes in topology.
Security Goals
1) Availability:
Ensures survivability despite Denial of Service (DoS) attacks. On the physical and media access control layers an attacker can use jamming techniques to interfere with communication on the physical channel. On the network layer the attacker can disrupt the routing protocol. On higher layers, the attacker could bring down high-level services, e.g. the key management service.
Challenges
The use of wireless links renders an Ad-hoc network susceptible to link attacks ranging from passive eavesdropping to active impersonation, message replay and message distortion. Eavesdropping might give an attacker access to secret information, thus violating confidentiality. Active attacks could range from deleting messages and injecting erroneous messages to impersonating a node, thus violating availability, integrity, authentication and non-repudiation. Nodes roaming freely in a hostile environment with relatively poor physical protection have a non-negligible probability of being compromised. Hence, we need to consider malicious attacks not only from outside but also from within the network, from compromised nodes. For high survivability Ad-hoc networks should have a distributed architecture with no central entities, since centrality increases vulnerability. An Ad-hoc network is dynamic due to frequent changes in topology. Even the trust relationships among individual nodes change, especially when some nodes are found to be compromised. Security mechanisms therefore need to be dynamic (on the fly) rather than static, and they should scale to hundreds of thousands of nodes.
Key Management
Cryptographic schemes such as digital signatures are often employed to protect both routing information and data. Public key systems are generally espoused because of their advantage in key distribution. In a public key infrastructure each node has a public/private key pair. Public keys are distributed to other nodes, while private keys are kept confidential by the nodes themselves. A trusted third party called the Certification Authority (CA) is used for key management. The CA has a public/private key pair, with its public key known to every node, and signs certificates binding public keys to nodes. The trusted CA has to stay online to reflect the current bindings, since the bindings could change over time. A public key should be revoked if the owner node is no longer trusted or has left the network. A single key management service for an Ad-hoc network is probably not a good idea, since it is likely to become the Achilles' heel of the network. If the CA is down or unavailable, nodes cannot get the current public keys of other nodes to establish secure connections. Also, if the CA is compromised, the attacker can sign arbitrary erroneous certificates with its private key. Naive replication of the CA can make the network more vulnerable, since the compromise of a single replica can cause the whole system to fail. Hence it is more prudent to distribute the trust to a set of nodes by letting these nodes share the key management responsibility.
Secure Routing
The contemporary routing protocols for Ad-hoc networks cope well with dynamically changing topology but are not designed to accommodate defense against malicious attackers. There is no single standard protocol; instead we capture the common security threats and provide guidelines for securing routing protocols. Routers exchange network topology information in order to establish routes between nodes, which is another potential target for malicious attackers who intend to bring down the network. External attackers may inject erroneous routing information, replay old routing information or distort routing information in order to partition the network or overload it with retransmissions and inefficient routing. Internal compromised nodes are a more severe threat, and their detection and correction is more difficult. Having each node sign its routing information will not work, since compromised nodes can generate valid signatures using their own private keys. Detection of compromised nodes through routing information is also difficult due to the dynamic topology of Ad-hoc networks. Some properties of Ad-hoc networks can, however, be used to facilitate secure routing. Routing protocols for Ad-hoc networks must already handle outdated routing information to accommodate the dynamically changing topology, and false routing information generated by compromised nodes can be treated in the same way as outdated routing information. As long as there are a sufficient number of valid nodes, the routing protocol should be able to bypass the compromised nodes; this, however, requires the existence of multiple, possibly disjoint, routes between nodes. The routing protocol should be able to make use of an alternate route if the existing one appears to have faulted.
Key Agreement in Wireless Ad-hoc Networks
New key agreement scenario
Consider a group of people getting together for an Ad-hoc meeting in a room and trying to establish a wireless network through their laptops. They trust one another personally, but do not have any a priori shared secret (password) to authenticate one another. They do not want anybody outside the room to get wind of their conversation indoors. This particular scenario is vulnerable to any attacker who can not only monitor the communication but can also modify messages, and can insert messages and make them appear to have come from somebody inside the room. This is a classic example of an Ad-hoc network, and the simplest way to tackle it is through location-based key agreement: map locations to name labels, and then use identity-based mechanisms for key agreement, e.g. participants writing their IP addresses on a piece of paper and passing it around. Then a certificate-based key agreement mechanism can be used. These public key certificates allow participants to verify the binding between the IP address and the keys of other participants.
No way to detect and isolate misbehaving nodes
As we observed earlier in section 4.1, misbehaving nodes can affect network throughput adversely in worst-case scenarios. The existing Ad-hoc routing protocols do not include any mechanism to identify misbehaving nodes. It is necessary to clearly define misbehaving nodes in order to prevent false positives. It may be possible that a node appears to be misbehaving when it is actually encountering a temporary problem such as overload or low battery. A routing protocol should be able to identify misbehaving nodes and isolate them during the route discovery operation.
Easily leak information about network topology
Ad-hoc routing protocols like AODV and DSR carry route discovery packets in clear text. These packets contain the routes to be followed by a packet. By analyzing these packets any intruder can find out the structure of the network. The attacker might use the information gained to learn which other nodes are adjacent to the target, or the physical location of a particular node. Such an attack can be carried out passively. It can reveal the roles of nodes in the network and their location. Intruders can use this information to attack command and control nodes.
Lack of self-stabilization property
Routing protocols should be able to recover from an attack in finite time. An intruder should not be able to permanently disable a network by injecting a small number of mal-formed routing packets. AODV, for example, is prone to self-stabilization problems, as sequence numbers are used to verify route validity times, and incorrect state may remain stored in the routing tables for a long time.
False misbehavior
False misbehavior can occur when nodes falsely report other nodes as misbehaving. A malicious node could attempt to partition the network by claiming that some nodes following it in the path are misbehaving. For instance, node A could report that node B is not forwarding packets when in fact it is. This will cause S to mark B as misbehaving when A is the culprit. This behavior, however, will be detected. Since A is passing messages on to B (as verified by S), any acknowledgements from D to S will go through A to S, and S will wonder why it receives replies from D when supposedly B dropped packets in the forward direction. In addition, if A drops acknowledgements to hide them from S, node B will detect this misbehavior and will report it to D.
Implementation
SAR (Security-Aware Routing) can extend any routing protocol. Here we see how to extend AODV, and call the result SAODV. Most of AODV's original behavior, such as on-demand discovery using flooding, reverse path maintenance and forward path setup via Route Request (RREQ) and Route Reply (RREP) messages, is retained.
The RREQ (Route REQuest) and RREP (Route REPly) packet formats are modified to carry additional security information. The RREQ packet has an additional field called RQ_SEC_REQUIREMENT that indicates the required security level for the route the sender wishes to discover. This could be a bit vector.
An intermediate node at the required trust level updates the RREQ packet by updating another new field, the RQ_SEC_GUARANTEE field, which contains the minimum security offered along the route. This can be achieved if each intermediate node at the required trust level performs an 'AND' operation between its own security level and the RQ_SEC_GUARANTEE field it receives, and puts the updated value back into the RQ_SEC_GUARANTEE field before forwarding the packet. A node below the required trust level does not forward the RREQ at all, so every route that reaches the destination consists only of nodes that satisfy the requirement.
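The RREQ propagation just described, as an added simulation that is not part of the report or of any SAR/SAODV implementation: trust levels are bit vectors, a node forwards only if it meets RQ_SEC_REQUIREMENT, and each forwarding hop ANDs its own level into RQ_SEC_GUARANTEE. The topology, the node levels and the three capability bits are constructed for illustration, and the source's and destination's own levels are (by assumption) folded into the guarantee as well.

```python
from collections import deque

# Constructed capability bits for the RQ_SEC_REQUIREMENT bit vector (assumed, not from the report).
CONFIDENTIAL = 0b001   # node encrypts traffic it forwards
SIGNED       = 0b010   # node authenticates routing messages
TAMPERPROOF  = 0b100   # node runs on tamper-resistant hardware

# Constructed sample network: S reaches D over A or over B; B lacks TAMPERPROOF.
TOPOLOGY = {"S": ["A", "B"], "A": ["S", "D"], "B": ["S", "D"], "D": ["A", "B"]}
LEVELS = {"S": 0b111, "A": 0b111, "B": 0b011, "D": 0b111}


def meets(level: int, requirement: int) -> bool:
    """A node satisfies the RREQ when every bit in RQ_SEC_REQUIREMENT is set in its level."""
    return level & requirement == requirement


def discover_routes(topology, levels, src, dst, requirement):
    """Flood an RREQ from src and return {route: RQ_SEC_GUARANTEE} for routes reaching dst.

    Nodes below the requirement drop the RREQ instead of forwarding it; every node
    that does forward ANDs its own level into the guarantee carried by the packet,
    so the value that reaches dst is the minimum security offered along that route.
    """
    if not meets(levels[src], requirement):
        return {}
    routes = {}
    queue = deque([((src,), levels[src])])        # (path so far, RQ_SEC_GUARANTEE)
    while queue:
        path, guarantee = queue.popleft()
        node = path[-1]
        if node == dst:
            routes[path] = guarantee
            continue
        for nxt in topology[node]:
            if nxt in path:                       # loop suppression, as in AODV
                continue
            if not meets(levels[nxt], requirement):
                continue                          # untrusted hop: RREQ is dropped here
            queue.append((path + (nxt,), guarantee & levels[nxt]))
    return routes


if __name__ == "__main__":
    for req in (SIGNED, TAMPERPROOF, 0b1000):
        found = discover_routes(TOPOLOGY, LEVELS, "S", "D", req)
        print(f"requirement={req:04b}:", {"->".join(p): f"{g:03b}" for p, g in found.items()})
```

With SIGNED both routes are discovered but the route through B only guarantees 0b011; with TAMPERPROOF the RREQ dies at B and only the route through A survives.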