1 / 16

A secure anonymous routing protocol with authenticated key exchange for ad hoc networks

A secure anonymous routing protocol with authenticated key exchange for ad hoc networks. Authors: R. Lu, Z. Cao, L. Wang, and C. Sun Sources: Computer Standards & Interfaces, article in press. Reporter: Chun-Ta Li ( 李俊達 ). Outline. Motivation

vui
Download Presentation

A secure anonymous routing protocol with authenticated key exchange for ad hoc networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A secure anonymous routing protocol with authenticated key exchange for ad hoc networks Authors: R. Lu, Z. Cao, L. Wang, and C. Sun Sources: Computer Standards & Interfaces, article in press. Reporter: Chun-Ta Li (李俊達)

  2. Outline • Motivation • SARPAKE (Secure Anonymous Routing Protocol with Authenticated Key Exchange) protocol • Comments 2

  3. Motivation • Reactive routing (source-initiated on-demand driven) in privacy-vital environment • Anonymity • Authenticated key exchange into the routing algorithm

  4. SARPAKE protocol • Notations

  5. SARPAKE protocol (cont.) • Assumptions

  6. SARPAKE protocol (cont.) • Path discovery phase

  7. SARPAKE protocol (cont.) • Path reverse phase

  8. SARPAKE protocol (cont.) • Data transfer phase

  9. Comments • Security weakness in data transfer phase (non-repudiation is not achieved) (replay attack) [C||CH] [C||CH] Node S Node 1 Node 2 Node D [C’||CH’] C = [M]SK, h=H(C) CH = EPK1(tag#, h) C = [M]SK, h=H(C) CH = EPK2(tag#, h) Intruder C’ = [M’]SK’, h’=H(C’) CH’ = EPKD(tag#, h’) // No one can accuse that Node 2 is guilty because all of nodes are capable of forging this fake messages //

  10. Comments • Even assumption 4 is used, anonymity might not be achieved (Assume that attacker can collect all the communication messages over ad hoc networks and tag# is public)

  11. Comments // Assume that the involved nodes for a specific route are trusted // • Improvement (path discovery phase) || Nonce0n (tag# , Nn, Nonce0n, ?, null, T0)LRT0 (tag# , Nn-1, null, ?, null, Ti)LRTi (tag# , Nn-2, null, ?, null, Tn-1)LRTn-1 (tag# , Nn-1, null, N0, Nonce0n, Tn)LRTn

  12. Comments • Improvement (path reverse phase) Node S Node 1 Node 2 Node D (tag# , NS, NonceS1, N2, Nonce12, T1)LRT1 (tag# , N2, Nonce2D, NS, NonceSD, TD)LRTD CS = EPKS(tag#, NonceS) C2 = EPK2(tag#, Nonce2) CD = EPKS(M ||NonceSD+1) CD = EPKS(M||NonceSD+1) [CD||C1] [CD||CS] [CD||C2] (tag# , N1, Nonce12, ND, Nonce2D, T2)LRT2 (tag# , 0, NonceSD, N1, NonceS1, TS)LRTS C1 = EPK1(tag#, Nonce1) M = DSKS(CD) CD = EPKS(M ||NonceSD+1)

  13. Comments • Improvement (data transfer phase) Node S Node 1 Node 2 Node D C = [M||NonceSD+2]SK, h=H(C||NonceS1+1) CH = EPK1(tag#, h) [C||CH] [C||CH] [C||CH] C = [M]SK, h=H(C||Nonce12+1) CH = EPK2(tag#, h) C = [M]SK, h=H(C||Nonce2D+1) CH = EPKD(tag#, h) H(C||Nonce2D+1) ?= h M||NonceSD+2 = DSK(C)

  14. Comments session key table Node S: KS1, KS2, KSD Node 2: K2S, K21, K2D Node 1: K1S, K12, K1D Node D: KDS, KD1, KD2 • An efficient and secure routing protocol for providing anonymous channel and key exchange in ad hoc networks packet packet packet Node S Node 1 Node 2 Node D hS = H(tag#, KSD) MS = [tag# ||S||D||X=gx||NonseSD) CS = EKSD(MS) packet = [tag# ||hop||hS||CS) (tag# ,ND,NonceSD,?,null,TS)LRTS (tag# ,NS,null,?,null,T1)LRT1 (tag# ,N1,null,?,null,T2)LRT2 hD = H(tag#, KDS) hD ?= hS (tag# ,N2,?,NS,NonceSD,TD)LRTD

  15. Comments • Path reverse phase Node S Node 2 Node D Node 1 session key SK=Xy=gxy MD = [tag# ||S||D||Y=gy||NonceSD+1) CD = EKDS(MD) C2 = EKD2(tag#||Nonce2D) [1||CD||CS] [2||CD||C1] [D||CD||C2] (tag# ,ND, NonceSD,N1, NonceS1,TS)LRTS (tag# ,NS, NonceS1,N2, Nonce12,T1)LRT1 (tag# ,N1, Nonce12,ND, Nonce2D,T2)LRT2 DKSD(CD) to verify NonceSD+1 DK12(C1) to recover tag# DK2D(C2) to recover tag# CS = EK1S(tag#|| NonceS1) C1 = EK21(tag#|| Nonce12) session key SK=Yx=gxy

  16. Comments (cont.) • Data transfer phase Node S Node 1 Node 2 Node D C = ESK(M||NonceSD+2), h=H(C|| NonceS1+1) CH = ES1(tag#||h) [S||C||CH] Verify H(C|| NonceS1+1)?=h h=H(C|| Nonce12+1) [1||C||CH] CH = E12(tag#||h) Verify H(C|| NonceS1+1)?=h h=H(C|| Nonce2D+1) [2||C||CH] CH = E2D(tag#||h) Verify H(C|| Nonce2D+1)?=h M||NonceSD+2 = DSK(C)

More Related