Self-Organized Network-Layer Security in Mobile Ad Hoc Networks Hao Yang(UCLA) Xiaoqiao Meng(UCLA) Songwu Lu(UCLA)
The Network • No central controller • Dynamic connections • Error-prone routing
The Problem • False routing data easily supplied • Advertise false route w/ small distance metric • Advertise route update w/ large sequence # • Spoof IP, inform that healthy link is broken • Intentional packet drop • Flood net w/ packets
The Solution • Think of a neighborhood crime watch • Portions of a global secret • Temporary Tokens
The Design • Coherence, unity • Network-level solution • Self-organization (vs. centralized) • Tolerance of compromised nodes • Isolate attackers • Decrease overhead w/ good behavior
The Assumptions • Nodes operating in promiscuous mode • Lower layers already secured • Not concerned w/ packet contents • Cryptography is secure
AODV • Ad-hoc On-demand Distance Vector • Path discovery on demand • Route request w/ destination sequence # • Intermediate node replies or asks as well • Broken link • Send news flash through net • Nodes may ask for new route as necessary
Neighbor Verification • Token = <OwnerID; signingTime; expirationTime;> • Issued from each nearby neighbor w/ secret key by polynomial order k-1 • If k neighbors verify node, token is issued • Other neighbors allowed to be compromised
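Added example (not from the slides or the paper's authors): a sketch of the k-of-n property behind token issuance, using Shamir sharing with a polynomial of order k-1. As a simplification it combines the k shares in one place and uses an HMAC in place of the token signature; the field modulus, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime field modulus (assumption of this sketch)

def make_shares(secret, k, neighbor_ids):
    """Split secret with a random polynomial of order k-1, one share per neighbor.
    Neighbor ids must be distinct and non-zero (x = 0 is the secret itself)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return {i: f(i) for i in neighbor_ids}

def combine(shares):
    """Lagrange interpolation at x = 0 over the supplied {neighbor_id: share}."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def commit(secret):
    """Public commitment that lets anyone check a recovered secret."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def issue_token(owner_id, signing_time, lifetime, shares, commitment):
    """Return (token_body, mac) only if the shares recover the committed secret."""
    key = combine(shares)
    if not hmac.compare_digest(commit(key), commitment):
        return None  # fewer than k valid shares: no token
    body = f"{owner_id};{signing_time};{signing_time + lifetime}".encode()
    return body, hmac.new(key.to_bytes(16, "big"), body, hashlib.sha256).digest()

if __name__ == "__main__":
    secret = secrets.randbelow(P)  # constructed sample values
    shares = make_shares(secret, 3, [1, 2, 3, 4, 5])
    c = commit(secret)
    print(issue_token("nodeA", 100, 60, {i: shares[i] for i in (1, 3, 5)}, c))
    print(issue_token("nodeA", 100, 60, {i: shares[i] for i in (1, 3)}, c))
```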
Security Enhanced Routing Protocol • Amended AODV • Add next-hop field in Route Reply Packet • Routing info now broadcast (vs. unicast) • Nodes maintain routing tables for neighbors • Only tokens, token revocation must be encrypted • Reduce overhead
Neighbor Monitoring • SID – Single Intrusion Detection • Routing Update Misbehavior • Compare route updates of neighbors • New entry correct if & only if sequence # of entries are the same & hop count has incremented • Packet Forwarding Misbehavior • Promiscuous mode, next hop field, watchdog
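Added example (not part of the slides): the routing-update rule above written as a check a monitoring node could run over overheard updates. The RouteEntry fields, the verdict names and the convention that a destination advertises itself with hop count 0 are assumptions of this sketch; the sample updates are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RouteEntry:
    dest: str
    seq: int       # destination sequence number
    hops: int      # hop count to dest
    next_hop: str  # next-hop field added to the route reply

class NeighborMonitor:
    def __init__(self):
        self.tables = {}  # node id -> {dest: RouteEntry}, built from overheard broadcasts

    def check(self, sender, update):
        """Classify an overheard update; cache it only if it is consistent."""
        upstream = self.tables.get(update.next_hop, {}).get(update.dest)
        if update.dest == sender and update.next_hop == sender and update.hops == 0:
            verdict = "ok"              # a node advertising itself
        elif upstream is None:
            verdict = "unverifiable"    # next hop's entry was never overheard
        elif update.seq != upstream.seq:
            verdict = "bad-sequence"    # sequence numbers must match
        elif update.hops != upstream.hops + 1:
            verdict = "bad-hop-count"   # hop count must grow by exactly one
        else:
            verdict = "ok"
        if verdict == "ok":
            self.tables.setdefault(sender, {})[update.dest] = update
        return verdict

def run_sample():
    """Constructed sequence of overheard updates for destination D."""
    m = NeighborMonitor()
    overheard = [
        ("D", RouteEntry("D", 10, 0, "D")),
        ("C", RouteEntry("D", 10, 1, "D")),
        ("B", RouteEntry("D", 10, 2, "C")),
        ("M", RouteEntry("D", 10, 1, "C")),  # claims a shorter route than C allows
        ("M", RouteEntry("D", 99, 2, "C")),  # claims a fresher sequence number
        ("X", RouteEntry("D", 10, 3, "Z")),  # Z is out of the monitor's range
    ]
    return [(s, m.check(s, u)) for s, u in overheard]

if __name__ == "__main__":
    for sender, verdict in run_sample():
        print(sender, verdict)
```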
Intrusion Reaction • Token Revocation List • Bridge between verification & monitoring
Conclusion (Or: the effects of emulating real life) • Pros • Prevents attacks collaborated within neighborhood • Requires little organization • Rewards for good behavior • Cons • Passive monitoring demands energy • Need strong node density to succeed
LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks Sencun Zhu (GMU) Sanjeev Setia (GMU) Sushil Jajodia (GMU)
Overview • Works for static networks with laptop-class base station • Symmetric keys used on nodes • Initial key loaded prior to deployment • Initial key destroyed as soon as network deployed and activated. • For D neighbors need D pairwise keys, D cluster keys, a group key and an individual key.
4 Keys • Individual Key • This key is created between the node and the base station • Used to send private data between the base station and the node, such as personalized instructions/data
4 Keys (Cont.) • Group keys • Key used by base station to broadcast to entire ad hoc network. • Re-keying must be made easy, because a compromised node requires re-keying the group
4 Keys (Cont.) • Cluster Key • Key created between a node and its neighbors during initial deployment of the network • Pairwise shared key • Key shared between a node and its immediate neighbor to provide source authentication and group re-keying
Authentication • Base Station authenticated via μTESLA • Every node can forward a message but must authenticate the sender via pairwise keys to prevent attacks
Defenses • HELLO attack – nodes do not have network wide authentication therefore unable to flood the network • Sinkhole/Wormhole attack – only possible during the first few minutes of network deployment because of assumed static network
An Authentication Framework for Hierarchical Ad Hoc Sensor Networks Mathias Bohge (Rutgers) Wade Trappe (Rutgers)
Overview • Includes a three-tiered, hierarchical model consisting of: sensor, forwarding, access point tiers • Certification using Tesla vs. RSA • Entity authentication • Roaming and handoff • Authenticating data origin • Performance and security evaluation
Three-Tiered Hierarchical Model • Addresses the limitations of flat topology • SN tier (of sensor nodes) • FN tier (of forwarding nodes) • AP tier (of access points) • Application tier (the Internet)
Certification • PGP and X.509 certification systems • Rely on public key cryptography • Unsuitable for low-powered devices • Should not have to verify an RSA sig. • Tesla • Enables low-powered nodes to perform source authentication
Certification (cont.) • Initial certificates • Certificates are used as a form of initial trust • Third party initial certification • Access points have high computing power and power resources, and can thus validate and perform RSA-signatures • Sensor nodes are issued a cert. and key, to use to authenticate to the application. One key per application.
Certification (cont.) • Runtime certificates • No more shared keys • Use trust relationships between the application and the nodes to create new trust relationships • Certificates must be renewed to disconnect misbehaving nodes
Entity Authentication • Access point • Authentication of access point is basis for authenticity in the network • Forwarding nodes • Mobile devices, must maintain flexible authentication • Only authenticate if a sensor node wants to connect in Assured Mode
Entity Authentication (cont.) • Sensor Nodes • Sensor node sends request to application • If application verifies sensor certificate, a shared secret is established with the access point and the sensor node • Sensor now has a secret with the access point and the application
Roaming and Handoff • Sensor nodes may want to connect to a new access point • Any assured mode connections with forwarding nodes must be re-established • Data will at first be blocked by the new access point, until the access point can obtain the Tesla cert. from the application, and complete the handoff (the point at which the sensor can validate the new access point’s certificate, and vice-versa)
Authenticating data origin • Weak Mode • More flexible • Cannot determine who delivered the packet to the access point • No certainty that the packet was not copied by a misbehaving node • Assured Mode • Provides authentication along the path of the packet
Evaluation • Security • Not impossible for intruders to send packets across the network, but uninteresting • Internet access is limited by the access point, unauthorized nodes cannot access the Internet • Packets can still be deleted in the wired part of the network
Evaluation (cont.) • Performance • Adaptability • Network can deal with topology changes using the handoff procedure • Facilitates establishment of new trust relationships without application intervention • Does not burden the application • Scalability • Resources required by sensors do not change