Securing Ad Hoc Network Routing Protocols

1
Securing Ad Hoc Network Routing Protocols
Yih-Chun Hu
April 24, 2008
2
Attacks Against Routing

• Attacker causes packets normally routed through
  itself to instead use a worse route
• Example Fail to advertise a route
• Attacker receives a packet for forwarding but
  instead discards it
• Example Save own bandwidth or CPU time
• Attacker causes packets normally routed elsewhere
  to instead go through itself
• Example Claim good routes to far-away nodes

3
Normal Distance Vector Routing

• In normal Distance Vector routing, each node
  maintains a routing table

Example table at A
A
B
D
C
4
Normal Distance Vector Routing

• Computed using Distributed Bellman-Ford
• Each node periodically broadcasts routing table
• For each routing table entry received, compare
  best known route with new information

To D 3 hops via B
E
2
X
X
B
A
D
C
E
D is 1 hop away
5
Distance Fraud Attack

• A very strong attack against distance vector
• Attacker claims very short routes to entire
  network
• Disconnects large portions of the network

J
C
G
A
K
S
E
D
B
H
F
6
SEAD Threat Model

• Attacker cannot replay messages in entirety
• Equivalent to wormhole attack
• Attackers compromise some network nodes
• Best security if only one node is compromised
• Or, if compromised nodes dont collaborate
• Goal Prevent attackers from affecting routes to
  non-compromised nodes

7
My Solution SEAD

• To solve distance fraud, authenticate distances
• For each destination D
• To claim distance m, need authenticator aD,m
• Attacker cant reduce distance m
• Next hop can derive its authenticator aD,m1
• Authenticators should be efficient to verify

aD,0
aD,1
aD,2
A
B
D
C
8
Building Blocks Hash Chains

• Uses a one-way hash function H0,1?0,1?
• Pick a random C0
• Compute each chain value Ci Hi(C0)

C0
9
Building Blocks Hash Chains

• Uses a one-way hash function H0,1?0,1?
• Pick a random C0
• Compute each chain value Ci Hi(C0)

C1
C0
10
Building Blocks Hash Chains

• Uses a one-way hash function H0,1?0,1?
• Pick a random C0
• Compute each chain value Ci Hi(C0)

C0
C2
H(C1)

• Given any authentic chain value Ci
• Can compute later values Cj for j gt i
• Can efficiently verify all values Cj
• Hard to generate earlier values Cj for j lt i

11
Hash Chains for Distance Authentication
12
Distance Authentication Details

• Distance vector protocols define a maximum
  distance k
• Each node D
• Generates a hash chain k1 values long
• Distributes ck to allow verification
• Then authenticator aD,i ci
• Conceptually change hash chains frequently

Distance 0
Distance 1
Distance 2
13
SEAD Stops (Most) Distance Fraud

• Everyone knows C3
• Source D announces C0 for distance 0
• Neighbor C announces C1 for distance 1
• Attacker B cant announce lower distance!

D
C
B
Distance 0
Distance 1
Distance 2
C0
C1
C3
C2
14
Sequence Numbers

• First proposed in DSDV for loop-freedom
• Each node maintains a sequence number
• Each node increments its sequence number each
  time it sends an update about itself
• An advertised route is better if either
• Has a higher (more recent) sequence number
• Sequence numbers equal, and distance is shorter
• SEAD also gets loop-freedom, plus a guarantee of
  fresh distance information

15
Securing Sequence Numbers

• Each node generates a hash chain and distributes
  the last element (C12) for verification
• Each sequence number has 3 hash chain values
• Within a sequence number
• C0,3,6,9 represent distance 0
• C1,4,7,10 represent distance 1
• C2,5,8,11 represent distance 2

• In our example, maximum distance is 3

Sequence 2
C0
C1
C3
C2
C5
C4
C6
C7
C9
C8
C10
C12
C11
16
SEAD Stops (Most) Distance Fraud

• Source D announces C3 for distance 0 sequence 2
• Neighbor C announces C4 for distance 1 sequence 2
• Attacker B cant announce lower distance!
• Due to inherent flooding, useless to announce
  lower distance with lower sequence number

D
C
B
Sequence 2
C0
C1
C3
C2
C5
C4
C6
C7
C9
C8
C10
C12
C11
17
SEAD Neighbor Authentication

• Use any efficient, secure neighbor
  authentication, or
• can also use all-pairs O(n2) keys for
  authentication
• Each node maintains a neighbor table
• Node A adds node B when A hears a distance 0
  advertisement for B with fresh sequence number
• Triggers As advertisement, for which B hears a
  distance 0 advertisement for A
• A and B now include symmetric authenticators(e.g.
  , HMAC) for each other in each update
• Stop after missing 3 consecutive sequence numbers

18
SEAD Loop-Freedom

• SEAD is loop-free unless attacker is in the loop
• Correctness argument
• Suppose there is a loop
• The (sequence number, distance) always gets
  strictly better at the next hop unless
• The next hop is an attacker, or
• The attacker forged the next-hop in the routing
  update
• But each next-hop is authenticated
• Therefore, the loop either terminates or there is
  an attacker in the loop

19
Simulation Methodology

• ns-2 simulator with Monarch wireless extensions
• Random waypoint mobility model
• 20 sources, 4 packets per second per source
• 10 different simulation runs at each pause time
• Under attack by a single attacker
• DSDV attacker claims distance 0 everywhere
• SEAD attacker performs same distance fraud

700m 700m 50 nodes
20
Packet Delivery Ratio SEAD vs DSDV
21
Other Approaches to Secure Routing

• Hop-by-hop authentication (verifies identity of
  neighbor, but neighbor give any
  distance)Kumar, Baker and Atkinson, Malkin
• Limit routes based on full knowledge of original
  wired network topology Smith et al.
• SAODV secures hop count with a hash chain, but
  uses a new chain for each sequence number, and
  uses expensive digital signatures

22
Remaining Problems in SEAD

• Same Distance Fraud
• Attacker replays distance and authenticator
• Solution Bind forwarding node to authenticator
• Denial-of-Service attack
• Claim a very high sequence number
• Solution One chain per sequence number
• Larger metric spaces
• Verifying even one sequence number may be
  expensive (e.g., latency or policy metrics)
• Solution Cheaper hash chain traversal

23
Bind Authenticator to Forwarding Node

• For each destination D and distance m
• Split the single authenticator aD,m into many
  node-specific authenticators
• For each possible forwarding node F, there exists
  an associated authenticator aD,m,F
• Properties of node-specific authenticators
• Attacker cant replay another nodes
  authenticator
• Next hop can derive its authenticator for
  distance m1

24
Building Blocks Hash Trees

• Merkle Tree allows authentication of a collection
  of values given a single authentic value

Distribute root to all verifiers
P H(L R)
bi H(bi)
bi
25
Hash Tree Chains

• I developed the hash tree chain

bj H(ci j)
bj H(bi)
26
Using Hash Tree Chains

• One step in the chain corresponds to a distance
• Each bi corresponds to a forwarding node
• Attacker must produce its bi to replay distance

C0
C1
C3
C2
bj H(c1 j)
bj H(c0 j)
27
Remaining Problems in SEAD

• Same Distance Fraud
• Attacker replays distance and authenticator
• Solution Bind forwarding node to authenticator
• Denial-of-Service attack
• Claim a very high sequence number
• Solution One chain per sequence number
• Larger metric spaces
• Verifying even one sequence number may be
  expensive (e.g., latency or policy metrics)
• Solution Cheaper hash chain traversal

28
Skipchains

• We want to efficiently skip over many elements of
  a hash chain
• Suppose you had an efficient, chained one-time
  signature scheme
• Each step in the chain allows you to sign one
  value
• Intuition
• Each step represents a length n segment of hash
  chain
• Sign the anchor of the segment using that step

29
Skipchains

• Each vi corresponds to a length n segment of the
  hash chain hi,n-1, hi,n-2, , hi,0 where hi,j
  Hn-j(vi)
• Represent hash chain step k by hëk/nû, k mod n
• Sign hëk/nû, 0 with vëk/nû to allow verification

30
Skipchain Properties

• Behaves like a long one-way chain
• Divides hash chain into blocks of n elements
• Use signature chain to skip n steps at low cost

31
Skipchain Properties

• Behaves like a long one-way chain
• Divides hash chain into blocks of n elements
• Use signature chain to skip n steps at low cost

32
BACKUP SLIDES
33
Additional Optimizations in DSDV

• Weighted Settling Time
• Track average time (across multiple sequence
  numbers) between first route and best route
• Delay advertisements by that amount
• But allows attacker to rush routing data
• Speeding the spread of broken route information
• Increment sequence number when reporting an
  infinite distance
• But SEAD cannot authenticate it

34
Overhead Ratio of SEAD to DSDV
35
Projection Test Slide
D
E
G