In this chapter, we introduce the background before presenting our path authentication scheme. First, we give an overview of the basic operation of the Dynamic Source Routing protocol. We then describe the RAP component in more detail than in the related works, and demonstrate the threats it faces under our proposed attack model. Finally, we describe HORS, the efficient broadcast authentication mechanism deployed in our path authentication scheme.

2.1. Basics of Dynamic Source On-Demand Routing Protocol

DSR [7] is a reactive source routing protocol that has lower overhead than proactive routing protocols. On-demand behavior means that a route path is discovered only when the source node wants to send packets to the destination node. This on-demand behavior results in fewer overhead packets once all needed routes have been constructed. DSR is mainly composed of two functions: route discovery and route maintenance.

In DSR, route discovery is triggered when a node tries to send data packets to a destination node. We use Figure 2-1 to illustrate the route discovery procedure. Node i tries to communicate with node T, and so broadcasts a Route Request with the specified target address and a unique identifier.

When another node receives this Route Request, it discards the request packet if it has seen the identifier before. Otherwise, it appends its own address to the hops list and rebroadcasts the Route Request. This procedure repeats until the Route Request reaches the target node T. When target node T sees the Route Request packet, it reverses the routing path list to send back the Route Reply if the bi-directional link exists, or initiates a new route discovery back to initiator node i with the routing path piggybacked. The thick line means the reversed route path {T, F2, F1, i} chosen by node T. Obviously, there are many routes from node i to node T. The intermediate nodes also cache the route path for future use.

Figure 2-1 An example for Dynamic Source Routing protocol (a) node i broadcasts the Route Request to discover the path to target node T. (b) intermediate nodes help rebroadcast the Route Request message and append their own addresses. (c) target node T reverses the path list and sends it back to the initiator i
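
The route discovery procedure described above can be traced with a small simulation. This is an added example, not code from the original text: the node names follow Figure 2-1, but the link set, the equal per-hop delay and the function name are assumptions. Each node processes only the first copy of a request it hears, so arrival order alone decides the path, which is the duplicate-suppression behavior that RAP addresses.

```python
from collections import deque

# Constructed topology: node names follow Figure 2-1, the link set is assumed.
LINKS = {
    "i":  ["F1", "A"],
    "F1": ["i", "F2", "A"],
    "A":  ["i", "F1", "B"],
    "F2": ["F1", "T"],
    "B":  ["A", "T"],
    "T":  ["F2", "B"],
}

def route_discovery(links, initiator, target, request_id):
    """Flood a Route Request; return the first path to reach the target.

    Equal per-hop delay is assumed, so broadcasts are handled in FIFO order.
    """
    seen = {initiator: {request_id}}             # identifiers each node has seen
    pending = deque([(initiator, [initiator])])  # (broadcaster, hops list so far)
    discarded = 0
    while pending:
        sender, hops = pending.popleft()
        for node in links[sender]:
            ids = seen.setdefault(node, set())
            if request_id in ids:                # duplicate suppression
                discarded += 1
                continue
            ids.add(request_id)
            path = hops + [node]                 # node appends its own address
            if node == target:
                # Bi-directional links assumed: reply travels the reversed list.
                return {"request": path, "reply": path[::-1],
                        "discarded": discarded}
            pending.append((node, path))
    return None                                  # target unreachable

if __name__ == "__main__":
    print(route_discovery(LINKS, "i", "T", request_id=1))
```
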

Route maintenance is used for detecting broken links. When an intermediate node finds a broken link, it sends a Route Error back to the source to notify it that the route path being traveled no longer exists. In this paper, we focus on securing the Route Discovery phase.

2.2. Overview of Rushing Attack Prevention (RAP)

Rushing Attack Prevention (RAP) is a defense component, proposed by Hu et al., that targets the weakness of duplicate-suppressed route requests in on-demand protocols for ad hoc networks. This prevention mechanism is mainly composed of two components: Secure Neighbor Detection and Randomized Message Forwarding. Secure Neighbor Detection is used to defend against a special case of the wormhole attack [22] and the Active-1-1 attack model defined in Ariadne. It mainly adopts mutual authentication between neighboring forwarders in the route request path. As illustrated in Figure 2-2 below, the redundant messages 1 and 2 are used to protect the routing system from the repeater attack, which is a special case of the wormhole attack. In this attack scenario, the attacker can introduce two nodes that are actually not in each other's communication range as neighbor nodes. It can be applied to generate the rushing behavior. Messages 1 and 2 can be used to estimate a maximum bound on the distance between two communicating nodes by calculating the delay when message 2 returns. Message 3 is the route request message of the traditional forwarding process, and the RAP component asks F1 to piggyback its previous signature in this message. Therefore, no single compromised node on the path can modify the route request messages, and one-hop-far rushing behavior can be avoided in this scenario. Our proposed idea mainly concentrates on enhancing this route request forwarding process.

The other component of RAP, Randomized Message Forwarding, chooses one request to forward from the N route requests it has collected, in order to reduce the chance that an adversary can dominate the forwarder's resources by rapidly sending request messages. RAP indeed achieves what it claims, but seems to be vulnerable in our attack model. In the next section, we present this attack model, which is carried out cooperatively by several malicious nodes.

Figure 2-2 Secure Neighbor Detection for rushing attack prevention

2.3. Cooperative Attack Routing Disruption Threats

We now present a specific attack model to which RAP is still vulnerable. This type of attack is a special subset of the Active-x-y attacker model mentioned in Ariadne. We need to separate it more precisely from the Active-n-n attacker model because doing so helps to evaluate the robustness of the routing protocol and to discuss the problem that RAP might miss. We define the Cooperative-n Attack model as one in which the attackers are positioned consecutively in the same forwarding route path and can cooperatively disrupt the routing protocol, for example by the rushing attack or by fabricating routing information. Figure 2-3 shows the Cooperative-2 attack model, and we use this model to identify the security concern that is absent in RAP. In this attack scenario, nodes M1 and M2 are malicious nodes that try to mislead the Route Discovery phase. Because node F lacks the ability to verify the initiator's identity in the same route request path, the cooperative attackers can take advantage of this weakness to fabricate a faked route request to rush the successive forwarder F. Secure Neighbor Detection gives the forwarding node F a hop authentication ability by concatenating the piggybacked signature from two hops away from F itself. However, in RAP, nodes M1 and M2 can cooperatively cheat node F by forwarding many forged route requests from nodes f1~f3. Node F is still under the rushing attack threat. Moreover, cooperative attackers can inject faked hops into the route request message, which could poison the route cache of node F or of other nodes and mislead the whole routing system.

S: initiator; D: target; fn: forged nodes; Mn: malicious nodes

Figure 2-3 Cooperative attackers to reveal the disruption attack threats

2.4. An extremely efficient authentication mechanism: HORS

As mentioned in section 1.2.3 above, we need an instantly verifiable authentication mechanism for path authentication. We apply what is so far the most efficient broadcast authentication mechanism to our scheme. We first review the details of HORS, and then make a small change to it in our proposed scheme.

HORS keeps the fast signing and verifying speed that comes from the hash operations of symmetric authentication mechanisms, such as RIPEMD-160 and SHA-1. It also possesses the asymmetric authentication feature of a public-key system. We explain the three phases of HORS: key-pair generation, signing and verification. Before generating the signature for a particular message, the sender must have its own private-public key pair; key-pair generation is described in Figure 2-4.

Figure 2-4 Key-pair generation for authentication in HORS

The sender first generates a total of t random numbers as its secret keys: SK = (S1, S2, …, St); we call SK the private slices. In Figure 2-4, "H" denotes the public hash operation, which is used to verify the signature as follows: PK = (V1, V2, …, Vt), V1 = H(S1), …, Vt = H(St). PK is called the public slices. Consider a simple sender-receiver message authentication procedure, and assume PK has been distributed in advance and is available to every communication partner. If a sender wants to transmit a message M to the receiver and attach its signature to M, the sender does the following:

(1) Split the hash value of M into k substrings of length log(t), k < t

(2) Interpret the k substrings as k integers, used as index values

(3) Select a k-element subset of the t private slices as the signature of M, according to the k index values from (2)

When the receiver obtains the k private slices, it can verify the signature by checking whether the hash values of the k private slices equal the corresponding public slices. For security, the sender should also determine when to republish new public slices, which is called the rekeying procedure. In general, HORS releases part of the private slices to approximate the asymmetric authentication characteristic of a public-key system. In addition, HORS has extremely efficient signing and verifying, requiring only a couple of simple cryptographic hash operations.
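
The three HORS phases described above, written out as an added example (not code from the original text or from the HORS authors). The parameters t = 1024 and k = 16, the 16-byte slice length, the use of SHA-256 for H and the sample messages are assumptions of this example. The `revealed` helper counts how many private slices have been disclosed under one key, which is what the rekeying decision depends on.

```python
import hashlib
import hmac
import secrets

T = 1024                      # t: number of private slices (a power of two)
K = 16                        # k: slices revealed per signature, k < t
LOG_T = T.bit_length() - 1    # log2(t) = 10 bits per index; k*10 = 160 <= 256

def H(data: bytes) -> bytes:
    """Public hash operation. SHA-256 is this example's choice."""
    return hashlib.sha256(data).digest()

def keygen(t: int = T, slice_len: int = 16):
    """SK = (S1..St) random private slices; PK = (V1..Vt) with Vi = H(Si)."""
    sk = [secrets.token_bytes(slice_len) for _ in range(t)]
    return sk, [H(s) for s in sk]

def indices(message: bytes) -> list:
    """Steps (1)-(2): split H(M) into k substrings of log2(t) bits, as ints."""
    digest = int.from_bytes(H(message), "big")
    return [(digest >> (j * LOG_T)) & (T - 1) for j in range(K)]

def sign(sk, message: bytes) -> list:
    """Step (3): the signature is the k private slices the indices select."""
    return [sk[i] for i in indices(message)]

def verify(pk, message: bytes, signature) -> bool:
    """Recompute the indices and check H(slice) against each public slice."""
    idx = indices(message)
    if len(signature) != len(idx):
        return False
    return all(hmac.compare_digest(H(s), pk[i]) for s, i in zip(signature, idx))

def revealed(messages) -> set:
    """Private-slice indices disclosed by signing these messages under one key."""
    return {i for m in messages for i in indices(m)}

if __name__ == "__main__":
    sk, pk = keygen()
    rreq = b"RREQ id=7 target=T hops=i,F1"      # constructed sample message
    sig = sign(sk, rreq)
    print("valid:", verify(pk, rreq, sig))
    print("altered hop list:", verify(pk, b"RREQ id=7 target=T hops=i,M1", sig))
    msgs = [b"RREQ id=%d" % n for n in range(20)]
    print("slices revealed after 20 signatures:", len(revealed(msgs)), "of", T)
```
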

2.5. Summary

Even the secure version of DSR [23], which provides end-to-end authentication using a shared MAC key, is still vulnerable to routing disruption attacks. Ariadne only gives the initiator the ability to check the integrity of the route path once the route reply message is received. However, the intermediate nodes in Ariadne cannot instantly authenticate the previous hop in route discovery because the TESLA authentication mechanism requires clock synchronization; Zapata [14] even points out that this might be an unrealistic requirement for ad hoc networks. Without the ability to instantly authenticate each entry of the path, any routing protocol could be vulnerable to modification, impersonation and fabrication attacks on the routing information. Instead of TESLA, the instantly verifiable authentication protocol HORS, which is the fastest of the current one-time authentication schemes, can be applied between hops in the route path for path authentication. HORS also keeps efficient processing speed for signing and verifying with simple hash operations. RAP introduced a piggybacked signature concept to defend against routing disruption attacks by one compromised node in the route path. However, we will present a stricter attack model under which the rushing attack or spurious routing messages become possible again.
