SECURITY IN AD HOC NETWORKS

Author: Abigail Burns
Kingston University London

Thesis Title: SECURITY IN AD HOC NETWORKS

Student Name: THRASYVOULOS BARKOUZOS

Master of Science in Networking and Data Communications

THESIS

Thesis Title SECURITY IN AD HOC NETWORKS

Dissertation submitted for the Degree of Master of Science in Networking and Data Communications

By THRASYVOULOS BARKOUZOS

SUPERVISOR DR. CHARALAMPOS PATRIKAKIS

KINGSTON UNIVERSITY, FACULTY OF SCIENCE, ENGINEERING AND COMPUTING
TEI OF PIRAEUS, DEPARTMENTS OF ELECTRONICS AND AUTOMATION

JANUARY 2014


Table of Contents

1. Introduction
2. Ad hoc routing protocols
2.1 Where can we use Ad hoc networks?
2.2 Characteristics of Ad hoc networks
2.3 MANET's Routing Protocols
2.3.1 Destination Sequence Distance Vector (DSDV) protocol
2.3.2 Dynamic Source Routing
2.3.3 Ad hoc On Demand Distance Vector
2.3.4 Zone Routing Protocol
3. Security-Essentials, Threats and Attacks
3.1 Security Goals/Essentials
3.2 Threats and Attacks in Ad hoc Networks
3.3 Attacks on Ad hoc networks
4. Security mechanisms for Ad Hoc networks
4.1 Cryptography
4.1.1 Symmetrical Cryptography
4.1.2 Asymmetrical Cryptography
4.1.3 Hybrid Cryptosystems: PGP
4.1.4 Message Authentication Code (MAC)
4.2 Digital Signatures
5. Security Policies and Protocols in Ad hoc networks
5.1 The Resurrecting Duckling
5.2 ID-Based threshold cryptographic technique
5.3 Self-organized PKI
5.4 TESLA protocol
5.5 Secure Routing
5.5.1 Secure Aware Routing (SAR)
5.5.2 Secure Routing Protocol (SRP)
5.5.3 Secure Efficient Ad hoc Distance Vector (SEAD)
5.5.4 ARIADNE
5.5.5 Secure Routing Protocol for Ad hoc networks (ARAN)
5.5.6 Effective mechanisms against certain attacks
6. Simulation and implementation of Black hole attacks
6.1 Simulation

Abstract: Securing wireless networks, and ad hoc networks in particular, is a difficult task because of the characteristics of these networks (high mobility, dynamic topology, reliance on battery power). Nevertheless, building on traditional security algorithms, researchers have developed a number of security protocols that try to defend against threats and attacks such as the Sybil, rushing, DoS and black hole attacks. In this thesis we discuss and review the literature and the protocols that concern the security of ad hoc networks, simulate a black hole attack and discuss, based on the literature, detection and prevention techniques.

Key words: Ad hoc networks, security, cryptography, attacks, threats, black hole attack, security protocols, wireless networks, vulnerabilities

1. Introduction

Wireless networks are classified as infrastructure-dependent networks (wireless networks built upon wired networks) and infrastructure-free networks, that is, ad hoc and sensor networks. Ad hoc networks are decentralized networks in which every node is also a router: it propagates route discovery information through the network and also collects, monitors and evaluates data. The topology of these networks changes constantly (due to the high mobility of the nodes), which makes the design of a routing protocol a challenging task. More and more people are interested in these networks and in the uses they can have in everyday life as well as in emergency and military services. An example of this technology is Intelligent Transport Systems (R.J. Weiland, L.B. Purser, 2000). ITS is currently under development and its main use is communication between vehicles on a highway without a centralized infrastructure (T. Taleb et al, 2007).

Nevertheless, because these networks are autonomous and dynamic, they come with challenges such as limited bandwidth, variable bit error rate, limited resources and security. Security in these networks is a complex matter because of the high mobility, the dynamic topology and the battery-dependent nature of the nodes. Over the years asymmetrical and symmetrical cryptography have been developed and used in wireless and wired networks. The rules that these cryptosystems use can be applied to ad hoc networks, but because of the character of these networks alterations to the standard algorithms are essential. At the same time, attacks on wireless networks constantly adapt to newly introduced protocols, so a robust protocol that withstands different types of attacks is needed.

In this paper we focus on reviewing the vulnerabilities of ad hoc networks and the solutions proposed for them. We first describe some basic protocols and their functionality in order to understand them better. More specifically, chapter 2 explains ad hoc routing protocols (proactive, reactive and hybrid). Another important aspect is where these networks are useful, so we briefly discuss that topic as well. In chapter 3 we discuss different forms of threats and attacks; later on we present proposed solutions and discuss the results of our simulation. The simulation focuses on a certain type of attack (black hole) and, by reviewing the literature, we discuss different detection and prevention proposals.


2. Ad-hoc Routing Protocols

Before reviewing some of their characteristics, it is essential to explain briefly what exactly ad hoc networks are and where we can use them. So the question arises: what are ad hoc networks? In recent years wireless technology has expanded greatly, but it has also become more and more demanding. Users want to be able to connect to the Internet at any time and in any place, simply to browse, book tickets, purchase something online, chat etc. This is possible with current technology through wifi spots, metropolitan networks or even mobile networks using 3G or 4G, and coverage expands every day across inhabited areas such as cities and towns. The "problem" with these technologies is that they require a base station and an infrastructure in order to provide the signal to the users. The actual problem occurs when an area lacks such an infrastructure and may not be able to provide such a technology due to costs. What is needed is a technology that provides this service, in other words an infrastructure-free environment with access to online services and communication between users. These are the ad hoc networks, in which users can communicate with each other without the use of a central base station. Ad hoc networks have been researched for a long time but have only recently gained the interest of more people and scientists. Below we briefly describe where we can use these networks.

2.1 Where can we use Ad hoc networks?

In emergency services: When a natural disaster strikes, a rescue operation must be set up immediately. With today's technology, robots with micro-cameras are used, for example, to go through rubble, find survivors and alert the authorities. But what if the infrastructure that carries the communications is damaged? This is where we can use ad hoc networks: with these protocols installed, nodes can operate without any infrastructure, and in this kind of situation it is important to be able to establish communication in a short period of time.

These networks can also be used for communication between vehicles on a highway. In the literature this is also referred to as Intelligent Transportation Systems (ITS) or, more specifically, as Intelligent Vehicular Networks (InVANETs) (J.K. Hendrik et al, 1994). The main reason for using InVANET is to provide safety and real-time information about the road network. Each vehicle so equipped is a node that can send and receive messages through other vehicles using the network and through fixed or roadside equipment. Safety is achieved through messages that travel over the wireless network and inform vehicles about collision warnings, weather conditions, traffic queuing etc. Ad hoc technology can provide access to the network in any situation and in any place.

Another use of these networks is in home and enterprise networks. Whether in home or office networking, in conferences or in Personal Area Networks, participants need to communicate quickly with one another. The Internet or Mobile IP networks can of course provide this kind of communication, but there is no need for the data to make these round trips. By connecting the PCs through ad hoc networks, communication can be instant and does not need an infrastructure or a base station.

Besides that, with the rise of this technology many researchers use it in sensor networks. For example, devices collect data about temperature or humidity in an area and propagate the data to a central node where a person can assess the results. This can be particularly useful in emergency situations.

It is hard to think of all the applications ad hoc networks can have, but some that come to mind are: establishing wireless P2P networks, use in campus areas or universities (virtual classrooms), use in military networks, e-commerce (buying a ticket from anywhere) etc.

2.2 Characteristics of Ad hoc networks

In order to introduce the routing protocols of these networks, we think it is essential to provide some information about their characteristics as described by the MANET (Mobile Ad hoc Networks) working group (S. Corson, J. Macker, 1999) (S. Naski, 2004). One of the most important and obvious characteristics is the dynamic topology. In a few words, nodes communicate with each other in a non-fixed way but with respect to the other nodes in the network. Asymmetric connections or merging networks are also possible, with a risk of packet loss. The topology changes constantly due to the high mobility of MANETs, and this creates problems such as bandwidth limitations, security issues, overhead etc. In terms of bandwidth limitations, because the nodes use radio links the capacity is lower than that of hardwired links. Another characteristic, which can also be described as an issue, is that the nodes most of the time rely on batteries, so forwarding messages and signaling traffic can deplete the battery very quickly. A typical problem of ad hoc networks is that packets sometimes move through the network without any real purpose (they are not forwarded to a particular destination). TTL (Time To Live) may resolve this, but a more sophisticated solution is required, mainly because of the nature of the network.

2.3 MANET's Routing Protocols

MANET protocols are typically divided into on-demand protocols, also referred to as reactive protocols, and table-driven protocols, also referred to as proactive protocols. In addition there are hybrid protocols, in which the good aspects of the two other categories are combined in order to provide a better, more sophisticated protocol that can address the different issues ad hoc networks have. More explanation is provided below.

Table-driven protocols use routing tables which the nodes distribute periodically through the network. The tables contain lists of routes and destinations. Two disadvantages of these protocols are that updating and maintaining the tables requires a rather large amount of data, and that the reaction to failures is slow.

On-demand protocols send Route Request packets throughout the network in order to discover a route. The problem is that constantly sending flooding messages through the network can cause clogging (E.M. Royer, C-K Toh, 1999).

Hybrid protocols combine the advantages of proactive and reactive routing. The initialization of routing is done in a proactive manner and any demand for additional routes is served through reactive flooding. However, there are disadvantages in this method, such as the fact that the traffic demand depends on the gradient of traffic volume.

Below we describe some protocols from each major category (proactive, reactive and hybrid) in order to take an extensive look at them and understand better how they work.


Figure 1: Ad hoc routing protocols

2.3.1 Destination Sequence Distance Vector (DSDV) protocol

DSDV is a table-driven routing protocol based on the Bellman-Ford algorithm (C.E. Perkins, 1994). It is based on the hop-by-hop mechanism and was developed mainly to solve the routing loop problem. A routing loop is formed when an error occurs during the calculation of the route and, as a result, the path to a given node forms a loop (U. Hengartner et al, 2002). Hop by hop means that a routing table is stored, maintained and updated in each node, containing the next hop and the number of hops required for every possible but reachable destination. In order to keep the routing tables up to date, DSDV uses a system of broadcasting in which every node broadcasts route advertisements containing the address from which the information came, the next hop and hop count to that destination, and the last known sequence number originated by that destination (S. Naski, 2004). These update messages are also used to conserve bandwidth. This is achieved by sending an incremental update which contains only the most recent information about changes in routes, so full packets do not have to be sent every time a change occurs. However, these constant messages can cause oscillation in the network; to prevent this, messages are sent only after a delay. This solves the oscillation problem, and sending route update messages constantly also keeps the nodes busy even when some nodes are idle (no need for communication). When a message arrives to start communication, the nodes are ready to transmit without any delay, e.g. for discovering a route. In short, if there are broken links the nodes are notified quickly and the route updates are stable (C.E. Perkins, P. Bhagwat, 2001).

Figure 2: DSDV
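The role of the sequence number carried in DSDV route advertisements can be seen in a small model. The following Python sketch is an added example, not code from the thesis: the class and function names, the three-node chain 1 - 2 - 3 and the sequence numbers are constructed for illustration, and the even/odd sequence number convention follows the published DSDV design.

```python
from dataclasses import dataclass

INFINITY = float("inf")  # metric advertised for an unreachable destination


@dataclass
class Route:
    next_hop: str
    metric: float  # hop count to the destination
    seq: int       # last sequence number known for the destination


class DsdvNode:
    """Minimal DSDV table handling (illustrative names, not a real API)."""

    def __init__(self, name, seq=0):
        self.name = name
        self.seq = seq    # own sequence number, kept even
        self.table = {}   # destination -> Route

    def advertise(self):
        """Route advertisement: (destination, hop count, sequence number)."""
        adv = [(self.name, 0, self.seq)]
        adv += [(d, r.metric, r.seq) for d, r in self.table.items()]
        return adv

    def receive(self, neighbor, advert):
        """Apply a neighbour's advertisement; return the destinations updated."""
        updated = []
        for dst, metric, seq in advert:
            if dst == self.name:
                continue
            metric += 1  # one more hop through the neighbour (inf stays inf)
            cur = self.table.get(dst)
            newer = cur is None or seq > cur.seq
            shorter = cur is not None and seq == cur.seq and metric < cur.metric
            if newer or shorter:  # a stale sequence number never wins
                self.table[dst] = Route(neighbor, metric, seq)
                updated.append(dst)
        return updated

    def link_broken(self, neighbor):
        """Mark routes through a lost neighbour unreachable (odd sequence number)."""
        for route in self.table.values():
            if route.next_hop == neighbor and route.metric != INFINITY:
                route.metric = INFINITY
                route.seq += 1


def broken_link_scenario():
    """Constructed chain 1 - 2 - 3: link 2-3 fails, then node 3 returns."""
    n1, n2, n3 = DsdvNode("1"), DsdvNode("2"), DsdvNode("3", seq=100)
    n2.receive("3", n3.advertise())
    n1.receive("2", n2.advertise())
    n2.link_broken("3")
    # Node 1 still advertises its old route to 3 (via 2, seq 100). Plain
    # distance vector would accept it and loop between 1 and 2.
    stale = n2.receive("1", n1.advertise())
    n2_after = (n2.table["3"].metric, n2.table["3"].seq)
    n1.receive("2", n2.advertise())
    n1_after = (n1.table["3"].metric, n1.table["3"].seq)
    n3.seq += 2  # node 3 is reachable again and issues a fresh even number
    n2.receive("3", n3.advertise())
    n1.receive("2", n2.advertise())
    final = n1.table["3"]
    return {
        "stale_accepted": "3" in stale,
        "n2_after_break": n2_after,
        "n1_after_break": n1_after,
        "n1_final": (final.next_hop, final.metric, final.seq),
    }


if __name__ == "__main__":
    for key, value in broken_link_scenario().items():
        print(key, value)
```

Node 2 rejects node 1's stale advertisement because its sequence number is older than the one attached to the broken route, which is how the protocol avoids the loop that plain distance-vector routing would form.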

2.3.2 Dynamic Source Routing

DSR is an on-demand routing protocol; in other words, each datagram or packet carried through the network contains information about all the nodes through which the packet must be routed. DSR has two important phases, Route Discovery (RD) and Route Maintenance (RM). Each node should also have a Route Cache in which the routes it knows to other nodes are stored. When the route to the destination of a packet is not already known, RD is triggered; if the topology of the network changes in such a way that the source route can no longer reach the destination, RM intervenes. Besides these two mechanisms there is a third one, called Route Reply (RR). It is initiated only when the packet has reached its destination node, and the route record that was contained in the Route Request is written to the RR. For the Route Reply to be returned, the destination node should have a route all the way to the source node; if such a route is contained in the destination node's route cache, this route is used. Otherwise, the destination node checks the route in the message header and reverses it. In the case of an error, RM is triggered: error packets are generated and the erroneous hop is removed from the cache of the node that generated the error packets (D. Johnson et al, 2007). In comparison with the table-driven protocols, this protocol is designed to minimize the bandwidth consumed by the control traffic that the table updates of the other approach require. So the flooding of the network is eliminated, but although the protocol performs well in low-traffic environments, its performance degrades rapidly when mobility increases.

Figure 3: DSR protocol

2.3.3 Ad hoc On Demand Distance Vector

AODV (C. Perkins, 2003) is considered to be a reactive protocol because it establishes a route only when needed. However, it uses DSDV hop-by-hop tables to keep a record of routing information. AODV broadcasts Route Requests (RQ) to neighbor nodes in order to handle route discovery. The RQs are flooded through the network until the desired destination is reached. Then the destination node sends an RP to the source node and at the same time creates an entry in its routing table for forward routing.

One flaw of this protocol is that if the sequence numbers generated by the source are very old and intermediate nodes do not have the latest destination sequence numbers, stale entries and unpredicted routes may occur. Also, a single RQ can lead to multiple RRs and thereby to heavy control overhead. The AODV protocol can also be used in multicast groups besides symmetrical links (C.E. Perkins, E.M. Royer, 2001).

Figure 4: AODV protocol

2.3.4 Zone Routing Protocol

The ZR protocol is a hybrid of reactive and proactive protocols. The main purpose of hybrid protocols is to utilize the best features of the two, and the ZR protocol is one of them. As mentioned before, due to their nature proactive protocols produce high control overhead and reactive protocols can cause latency (due to route discovery). ZR aims to eliminate those issues. A zone is defined around each node and contains the node's neighborhood. A proactive protocol, the Intra-zone Routing Protocol (IARP), is used inside routing zones, and a reactive protocol, the Inter-zone Routing Protocol (IERP), is used between routing zones. The mechanism is fairly simple. When a source and a destination are inside the same local zone, proactive routing takes effect using its routing tables and the packet is sent immediately. If the route is beyond the local zone, route discovery occurs reactively. The network is divided by borders: the source node propagates messages to its border nodes (which are exactly k hops away) and each border node checks its local zone for the destination. If the destination is outside its local zone, the border node adds its own sequence number to the route request packet and forwards it to its own border nodes. When the destination is reached, a route reply is sent, following the reverse path (Z.J. Haas et al, 2001).

Figure 5: ZRP


3. Security-Essentials, Threats and Attacks

In this chapter we examine the security model of wireless networks and ad hoc networks. More specifically, we introduce the security attributes and then briefly discuss the threats to and attacks on wireless and ad hoc networks.

3.1 Security Goals/Essentials

W. Stallings (2003) and L. Zhou and Z.J. Haas (1999) have established some security requirements for ad hoc networks. These are:

1. Confidentiality: The data floating around a wireless network is extremely vulnerable, and since more and more tools are developed for eavesdropping, it is essential to make the data unreadable to unauthorized users. This is mainly accomplished with cryptographic techniques, which are discussed in a later chapter.
2. Authentication: This mainly refers to the need to ensure that the source of a message is actually the source and not a disguised hacker trying to steal data from the network.
3. Availability: One of the most common attacks on networks is Denial of Service (DoS), in which nonstop requests are sent to a server; if the server is not properly configured to deal with these attacks, the service goes down. This service can be a communication protocol, and if it is hit, phone services may be affected and thousands of users left without communication.
4. Integrity: When data is propagated through channels it is important to ensure the integrity of the message, in other words to ensure that the message received by the destination is the one that was actually sent by the source. Many attackers take the message, modify it and resend it to its destination, aiming to get valuable and sensitive information.
5. Non-Repudiation: In terms of digital security, non-repudiation is a service that provides proof of the integrity and origin of the data.


Figure 6: C.I.A.

It is important to mention some criteria, mainly about availability, referred to by Lundberg (2000). The first is the certainty of discovery, which means that if a route exists it should be found and should lead to the correct node. Lundberg also mentions isolation: if a node is "infected" it should be identified and isolated from the rest of the network. The routing protocol should also be resistant to malicious nodes. Another aspect is that complicated and hard computations should be avoided, and preferably the peer nodes should handle these computations. Besides that, the location of nodes should be hidden, because there are attacks that can obtain valuable information from the location of a node alone. Also, if false information sent via the routing paths damages the protocol, the protocol itself should be able to recover within a certain amount of time. This is referred to as Self-Stabilization. From this follows Byzantine Robustness (R. Perlman, 1998), in which the protocol should not only be able to recover from an attack but also be able to function properly.

3.2 Threats and Attacks in Ad hoc Networks

Randal K. Nichols and Panos C. Lekkas (2002) raise some questions about wireless attacks, such as whether the attacks extend beyond CIA (Confidentiality, Integrity, Availability), what kind of defense we can have against those attacks, and how we can go on the offense if we are to neutralize the threats.

To answer these questions they consider adopting the Information Warfare model (W. Schwartau, 1996), stating that "IW helps us to define the relationships relative to the security of a wireless communications system; however it is necessary to integrate these concepts with specific measures-such as cryptographic, anti-jamming (A/J), and low probability detection (LPD)-and apply them to commercial and military operations to define the competing design concerns for the problem...". This is a rather military approach (it is used in these kinds of fields) which may give answers, but the answers will be under a strict military model. A more human approach refers to IW as Information Operations and tries to answer questions by analyzing social networks etc. Note that IW and IO came from Psychological Warfare. This demands a lot of criticism but it is not the subject of this paper.

So we will try to categorize the types of attacks outside a strict model; instead we will compare them with wired attacks and existing wireless attacks. The first and most common attack that comes to mind is eavesdropping and tampering with information. These can also be referred to as active attacks, in which the main goal is the information itself. By tampering with information and broadcasting it through a network, essential information about the victim(s) can be revealed. Eavesdropping can also reveal a pattern that leads the attacker to valuable data. Denial of Service attacks and viruses or Trojan horses are also included in this category.

Physical attacks can be the second category, in which wiretapping or bugs are used to monitor users or even to acquire information about the codes to a safe, leading to actual theft. This category can also include social hacking or social engineering, in which a person acquires information simply by using social skills.

The third and last category referred to in Randal K. Nichols' paper (2002) is the process of changing the decision-making ability of a person. This can happen through TV spots, social networks, advertisements etc.

In the literature, attacks on ad hoc networks are classified as active or passive attacks (Y.C. Hu, et al, 2003), depending mainly on whether the normal network flow is disturbed or not. Specifically, in passive attacks data are not altered in any way; instead information is obtained silently. Because the network flow is not disturbed, these attacks cannot be detected easily, and powerful encryption mechanisms are required in order to prevent them.


In active attacks, packets are modified and this can cause disturbance in the network. If the attacks are external, the attacking nodes are not part of the network, and with strong encryption these attacks can be prevented. If the attacks are internal, a once legitimate node is now compromised, and this can make the detection of the attack difficult.

In wireless networks, and specifically ad hoc networks, the process of theft is easier and more attractive to a potential attacker. This is due to the small size of the devices that may be used and the fact that they rely on batteries. In wired networks, by contrast, tampering would actually require physical presence in order to intercept data (e.g. installing a bug) or cut a cable. In wireless networks all it takes may be placing an antenna, together with strong knowledge of these networks and of programming. Also, because ad hoc networks may be used in public places, users may fall victim to their own lack of awareness: an attacker may watch your codes from a distance (shoulder surfing) or, simply by having a conversation, get you to reveal information about passwords. Another issue is that many users tend to forget their passwords and are forced to write them down on paper, which makes the information fairly easy to access. Below we address specifically the attacks on ad hoc networks.

3.3 Attacks on Ad hoc networks

Due to the lack of infrastructure these attacks focus mainly on the routing protocols of ad hoc networks. We will divide them into four categories: attacks using impersonation, modification, fabrication, and replay (R.H. Khokar, et al, unknown date). We will also address the DoS attack.

Attacks using Impersonation: In these attacks the attacker assumes the identity of another node thus using its resources and can easily monitor or even intervene in the network. The attacker can achieve this simply by changing its MAC address or IP to that of a node of the network. In order to prevent these attacks strong authentication procedures are required. Two examples of Impersonation attacks are described below.


Man-in-the-Middle Attack: This is a type of active eavesdropping in which the attacker communicates with the sender and the receiver and relays messages between them. The victims believe that they are talking with each other over a secure channel, when in fact the attacker controls the conversation.

Sybil Attack: In the Sybil attack (R. K. Nichols et al, 2002) an infected node pretends to have multiple identities. A malicious node can behave as if it were a larger number of nodes, either by impersonating other nodes or simply by claiming false identities. Sybil attacks are classified along three dimensions: direct/indirect communication, fabricated/stolen identity, and simultaneity. In direct communication, Sybil nodes communicate directly with legitimate nodes, whereas in indirect communication messages sent to Sybil nodes are routed through malicious nodes. An attacker can fabricate a new identity, or it can simply steal one after destroying or temporarily disabling the impersonated node. All Sybil identities can participate simultaneously in the network or they may be cycled through.

Attacks using Modification: These attacks focus on routing and their goal is to disrupt the normal flow of routing. The attackers try to modify the messages carried throughout the network, using the techniques described below.

Misrouting Attack: The attack is what its name says. An infected node sends data to the wrong destination. This can happen if the final destination address of a packet is modified by the attacker. Most of the time the result of this attack is that the packet is dropped. In the literature (I. Khalil, S. Bagchi, 2011) this attack is classified as a stealthy attack, among others (misrouting, power control, identity delegation and colluding collision).

Detour attack: During the route discovery process, the attacker intervenes and adds a number of fake nodes. Because the routing protocols look for the shortest path, the traffic can easily go through these infected nodes. This can easily lead to a black hole attack.

Blackmail attack: If an attacker has access to the blacklist of the infected nodes, it can change the information and turn a non-legitimate node into a legitimate one. This can easily divert the traffic to a non-legitimate node.

Attacks using Fabrication: These attacks focus on generating false routing messages, aiming to disturb the normal flow of the network or to consume the resources of the nodes. Such attacks are described below.

Black Hole: A black hole attack (or packet drop attack) is similar to a DoS attack: a router, or in our case a node, discards packets instead of propagating them. This kind of attack can be fairly difficult to detect in some cases. Specifically, if a router drops packets at a certain time, or selectively, or every n packets, or every t seconds, or even only a portion of the packets, it is really difficult to detect (Z. Xiaobing et al, 2000). This is also called a gray hole attack. On the other hand, if a node-router drops all packets at once, it can be detected fairly easily by using traceroute. Also, if the other nodes notice that the specific router drops packets whenever they arrive at it, it can be isolated and the traffic redirected. In ad hoc networks a node can broadcast that it has the shortest path to a destination, thus directing the traffic to itself. If this node is infected and uses specific packet drop techniques, it can harm the entire network undetected. In a later chapter of this paper we focus our simulation on this type of attack.

Routing loop: Routing loops can be a problem in different networks and ad hoc networks are no different. A loop mainly occurs as an error of the routing protocol and leads to a loop between some nodes in the network. For example, if node 1 wants to reach node 3 through node 2 and node 2 wants to reach node 3 through node 1, then whenever traffic for node 3 arrives at either node 1 or 2 it will loop between 1 and 2. This can be prevented by using link state protocols like OSPF, and in ad hoc networks DSDV has built-in loop prevention.

Resource Consumption attack: By sending false information about route requests, discovery, control messages etc., the attacker aims to consume resources of nodes in the network, such as battery power and bandwidth.


Rushing attack: In this attack the RREQ messages are modified, and if one of these messages is sent first then all the traffic can be diverted to any path the attacker has chosen.

Replay Attacks: In these attacks data are re-sent in order to cause the effect the attacker wants.

Wormhole attack: In this attack, an attacker receives packets at one point in the network, forwards them with much less latency through a private network connection that two compromised nodes may have established, and relays those packets at another position in the network (Y.C.Hu et al, 2003). This attack is considered very dangerous and difficult to detect, as it can selectively forward packets or drop them.

Tunneling attack: In this attack two or more nodes collaborate and exchange encapsulated messages along existing data routes. For example, if a Route Request packet is encapsulated and sent between two attackers, the packet will not contain the path traveled between the two attackers. This would falsely make the receiver conclude that the path containing the attackers is the shortest path available (Y.C. Hu, 2006).

DoS Attacks: Finally, we have the DoS attacks, in which potential attackers aim to prevent the users from using services of the network. In ad hoc networks this attack can be very dangerous due to the constant change of the topology. These attacks can consume resources of the network, such as bandwidth or battery, and can also corrupt configuration information, making the network unusable for the users. This attack has an impact on the availability of the system (I. Aad, et al, 2004).


4. Security mechanisms for Ad Hoc networks

Message encryption and user authentication are, traditionally, the mechanisms that have been developed to protect data integrity and authentication. Specifically, for data integrity, symmetric and asymmetric cryptography are most commonly used. For authentication, the most common mechanism is digital signatures. Below we will examine some key properties of symmetric and asymmetric cryptosystems and of digital signatures.

4.1 Cryptography

As mentioned, there are two types of data encryption techniques. Symmetric cryptography uses the same key, a secret key, for encryption and decryption of a message. In asymmetric cryptography, one key, known as the public key, is used to encrypt a message, and another, known as the private key, is used to decrypt it. These two keys are related in such a way that, even if the public key is compromised, the private key remains safe and cannot be derived from the public key. We will briefly mention two of the most important algorithms of symmetric cryptography and one of asymmetric cryptography. We do this in order to have a better understanding of how cryptography works and how it can be used in Ad hoc Networks.

4.1.1 Symmetrical Cryptography

As mentioned, symmetric cryptography is the method in which a shared key is used between the sender and the receiver, which they need to know in advance. A mathematical expression of this technique can be:

$$E_K(x) \rightarrow y, \qquad D_K(y) \rightarrow x$$

E: encryption function
D: decryption function
K: the shared key
x: the plaintext
y: the ciphertext

Data Encryption Standard (DES) (National Institute of Standards and Technology, 1999)

The Data Encryption Standard was developed by IBM in the early 1970's and it was highly influential in modern cryptographic systems. The final DES code was introduced by the National Security Agency (NSA) of the U.S.A. DES is a block cipher, meaning that it works with blocks of data instead of bit-by-bit, and its block size is 64 bits. It takes a fixed-length string of plaintext and changes it, through a series of complicated operations, into a ciphertext of the same length. The key that DES uses is 64 bits but only 56 are used by the algorithm; the other 8 bits are used for checking parity and are discarded after that operation. The only security of DES is its secret key, and because of that there can be security vulnerabilities (D.R. Stinson, 1995).

We will describe below how DES works with the help of figure 7. As we can see, there are the IP and FP permutations, which are inverses of each other. These initial permutations have no cryptographic value, and were included in order to facilitate loading blocks in and out of mid-1970's 8-bit based hardware. The block is divided into two 32-bit parts, which are processed alternately. This criss-crossing is known as the Feistel scheme. It ensures that the encryption and decryption processes are similar, which can simplify implementation, mostly in hardware. The only difference between encryption and decryption is that the sub keys are applied in the reverse order when decrypting. The ⊕ symbol is the universal symbol for the XOR operation. The F-function mixes half a block together with a part of the key. The outcome of the F-function is then combined with the other half of the block, and the two parts are swapped before the next round. After the final round, the halves are swapped. This is a feature of the Feistel structure which ensures that the encryption and decryption operations are similar (A. J Menezes et al, 2001).

In each round the right hand side of the block is fed into a functional block (f) together with that round's sub key. The result of the function is combined with the left hand side of the block. This combination is the new right hand side of the data block. The new left hand side is just the previous right hand side. This can be described mathematically as follows for 1 < i < 16:




Figure 7: DES algorithm
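The Feistel round described above can be tried out with the following added example, which is not part of the thesis. It is not DES: the round function and the key schedule are toy stand-ins (assumptions), chosen to show that decryption is the same routine with the sub keys reversed, even though the round function itself cannot be inverted.

```python
import hashlib
import hmac

ROUNDS = 16   # DES runs 16 Feistel rounds
HALF = 4      # bytes per half: a 64-bit block split into two 32-bit parts


def round_function(half, subkey):
    """Toy stand-in for the DES F-function (assumption, NOT the real one):
    a keyed hash of the half block, truncated to 32 bits. It is not
    invertible, and the Feistel structure does not need it to be."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]


def make_subkeys(key):
    """Toy key schedule (assumption): one 48-bit sub key per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, ROUNDS + 1)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, subkeys):
    """Run the rounds: new left = old right,
    new right = old left XOR F(old right, sub key)."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be 64 bits")
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    return right + left   # the halves are swapped after the final round


def encrypt(block, key):
    return feistel(block, make_subkeys(key))


def decrypt(block, key):
    # Same routine as encryption; only the sub key order is reversed.
    return feistel(block, make_subkeys(key)[::-1])


if __name__ == "__main__":
    demo_key = b"constructed demo key"      # constructed sample value
    ct = encrypt(b"RREQ0001", demo_key)     # constructed 64-bit block
    print(ct.hex(), decrypt(ct, demo_key))
```
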

For each round of the algorithm a different sub key is used. At the initial stage the parity checking bits are removed and the remaining key bits are permuted according to a fixed permutation. The permuted key is split into two 28-bit parts (C0, D0). They are then individually, cyclically left shifted by one bit. 48 of the key's 56 bits are chosen for each round. This is accomplished using a fixed permutation that only uses 48 bits of the current key value (M. Luby, C Rhakoff, 1988).

DES is nowadays considered to be insecure for various applications. This is mainly because of the 56-bit key size. Triple DES is considered to be more secure, although there are theoretical attacks that tend to disagree with that (R.S Phan, 2004). Recently another cipher, named Advanced Encryption Standard (AES), has been developed and put into use. We will analyze it briefly below.


Advanced Encryption Standard (AES)

AES is based on the Rijndael cipher (J. Daemen, V. Rijmen 2003). The principle behind it is known as a substitution permutation network, and it is fast both in hardware and software. AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. It operates on a 4x4 column-major order matrix of bytes, and most of the calculations are done in a special finite field. The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition is as follows:

• 10 cycles of repetition for 128-bit keys.
• 12 cycles of repetition for 192-bit keys.
• 14 cycles of repetition for 256-bit keys.

Each round consists of several processing steps, each containing four similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds is applied to transform ciphertext back into the original plaintext using the same encryption key. Briefly, the process of AES is discussed below (J. Kesley et al, 2000).

The keys in each round come from Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more. During the initial round each byte of the state is combined with a block of the round key using bitwise XOR. When it comes to the rounds we can consider four steps. The first is SubBytes, a non-linear substitution step where each byte is replaced with another according to a lookup table. The second is Shift Rows, a transposition step where each row of the state is shifted cyclically a certain number of steps. The third is Mix Columns, in which the four bytes of each column are combined. Finally, the fourth is the process described in the initial round. The Final Round is similar to the previous process without the Mix Columns step.

The figures below help to better understand the AES algorithm. An online example of AES can be found here (http://aesencryption.net/) with .php code explained. AES is considered to be very secure, especially against brute force attacks. Although some side channel timing attacks have worked against AES, they are not feasible over a network environment. It is no accident that the US government uses the AES algorithm to protect top secret information.


Figure 8: AES algorithm

4.1.2 Asymmetrical Cryptography

In contrast to symmetric cryptography, asymmetric cryptography requires two keys in order to perform its operation. One key is known as the public key, which is used to encrypt plaintext or to verify a digital signature, and the other is known as the secret key, which is used to decrypt ciphertext or create a digital signature. The public key is spread among parties, whereas the private key is used by an individual. Although two keys are used, they are mathematically linked together, and the algorithm that performs this is based on the trapdoor one-way function [2]. Let's see a mathematical expression of this technique.

The mathematical expression states that if we have a pair of keys (Kp, Ks), where Kp is the public key and Ks is the secret key, Kp can be obtained from a public directory or simply by broadcasting it through a network. This can be used to encrypt a message (x) and send it to the receiver. The receiver can decrypt it using its own secret key. This method can also be used the other way around, but this doesn't provide confidentiality. The only thing it provides is a digital signature. One of the first asymmetric algorithms to be discovered came from W. Diffie and M. Hellman (1976) and is known as RSA. We will discuss it briefly below.

[2] Trapdoor one-way function: The idea is that it may be easy to discover the public key but really difficult to compute the private key. And without the private key the decryption is impossible.

RSA algorithm

The cryptosystem is based on the function f:

where n is the product of two large prime numbers and b is the public part of the key together with n. We can divide the process of RSA into three steps: key generation, encryption and decryption.

Key generation: We choose two large prime numbers p and q and compute n = pq. n is used as the modulus for both the public and private keys. We compute

where φ is Euler's phi function.

We choose a number e>1 so that

We calculate the number d so that

Choosing small numbers for e can lead to faster calculations, but the security can be more vulnerable. The keys that are produced are (n,e) and (n,d).

Encryption: Given a number m as the message, the encrypted message c can be calculated using:

Decryption: The message can be decrypted using:


RSA can also be used for digital signatures. We can send a signed message in the following way:

where m is the message and s is the signature. However, this function is rarely used. The most common way to produce digital signatures is with hash functions. Although RSA is considered secure, there are some attacks that can expose the private key. For example, if a low encryption exponent such as e=3 is chosen together with small values of m, the result of m^e is less than the modulus n. In this case the ciphertext can be decrypted by taking the root of the ciphertext over the integers. Also, if a message is sent to e or more recipients and the receivers share the same e but different n, then it is easy to decrypt the original message using the Chinese remainder theorem (I. K. Salah et al, 2006). Because it is deterministic, RSA can be vulnerable to chosen plaintext attacks, in which likely plaintexts are encrypted under the public key and tested for equality with the ciphertexts.

To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value m before encrypting it. This padding ensures that m does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts. Standards such as PKCS#1 have been carefully designed to securely pad messages prior to RSA encryption. Because these schemes pad the plaintext m with some number of additional bits, the size of the un-padded message M must be somewhat smaller. RSA padding schemes must be carefully designed so as to prevent sophisticated attacks which may be facilitated by a predictable message structure.

So we can see that, although asymmetric cryptosystems are considered to be strong cryptographic algorithms, they can have weaknesses. A disadvantage of asymmetric cryptosystems is the computational complexity required to calculate these algorithms. In terms of hardware, this means that a high end implementation is 1500 times slower than a DES implementation, as shown by R.K. Nichols and P.C Lekkas (2002). Below we will therefore describe a hybrid algorithm, as described in the literature, known as PGP (Pretty Good Privacy), developed by Phil Zimmermann (1991), which aims to use the best features of both symmetric and asymmetric cryptosystems.
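The low-exponent and determinism weaknesses and the padding remedy described above are shown in the following added example, which is not part of the thesis. The key is a constructed demonstration key built from two well-known primes of special form, so it is trivially factorable; the padding follows the PKCS#1 v1.5 encryption block layout, and all function names are assumptions.

```python
import secrets

# Constructed demo key: the NIST P-384 field prime and the Curve448 prime.
# Both are 2 mod 3, so e = 3 is a valid exponent. Never a real key.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
Q = 2**448 - 2**224 - 1
N = P * Q
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8           # modulus length in bytes


def textbook_encrypt(m):
    """Unpadded RSA: c = m^e mod n."""
    return pow(m, E, N)


def decrypt_int(c):
    return pow(c, D, N)


def integer_root(x, k):
    """Largest r with r**k <= x, using exact integer arithmetic."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_message_leak(c):
    """If m^e < n, no modular reduction took place and the integer e-th
    root of c is m. Returns m, or None when c is not a perfect e-th power."""
    r = integer_root(c, E)
    return r if r ** E == c else None


def matches_known_plaintext(c, candidates):
    """Deterministic encryption lets anyone test guesses with the public key."""
    for cand in candidates:
        if textbook_encrypt(int.from_bytes(cand, "big")) == c:
            return cand
    return None


def pad(msg):
    """PKCS#1 v1.5 encryption block: 00 02 | random non-zero PS | 00 | M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad(em):
    if len(em) != K or em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.index(b"\x00", 2)          # raises ValueError if missing
    if sep < 10:
        raise ValueError("bad padding")
    return em[sep + 1:]


def padded_encrypt(msg):
    return pow(int.from_bytes(pad(msg), "big"), E, N)


def padded_decrypt(c):
    return unpad(decrypt_int(c).to_bytes(K, "big"))
```

The padded value fills the modulus, so m^e wraps around n and the same message gives a different ciphertext each time. New designs normally use the OAEP padding from PKCS#1 through a vetted library rather than hand-written padding.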


4.1.3 Hybrid Cryptosystems: PGP

In order to solve problems like key management in symmetric cryptosystems and computational complexity in asymmetric ones, a hybrid algorithm can be used. By using such an algorithm one can have the advantages of both cryptosystems. One of those variants is PGP. PGP uses a combination of symmetric and asymmetric cryptography, hashing and data compression derived from different algorithms. One of the most important features of PGP is compression. When a user encrypts a message, the first thing PGP does is compress it. Compressing the message saves disk space and transmission time. It also strengthens the security. After that, PGP creates the session key, which is a one-time-only secret key. The pattern by which this key is created is totally random. The key and a fast encryption algorithm are used to encrypt the plaintext, which gives us the ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. The public key-encrypted session key is sent along with the ciphertext to the recipient.

Decryption works in reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext (P. Zimmermann, 1991). As we see, conventional encryption is used to encrypt the plaintext which is 1000 times faster than symmetric encryption. Also, public key encryption is used for key distribution and data transmission issues. These two combined give us an improved algorithm, faster than asymmetric systems and more secure than symmetric ones.


Figure 9: A graphical example of how PGP works

4.1.4 Message Authentication Code (MAC)

In Ad hoc networks the privacy of the key doesn't always ensure the integrity of the message. For this purpose a Message Authentication Code (MAC) is used. A MAC is a small block of data that is attached to a message and with which the recipient can verify its integrity. This resembles digital signatures, but the difference is that MAC values are generated and verified using the same key (symmetric encryption). In general the mechanism behind message authentication is as follows: the MAC is calculated at the sender, taking as parameters the sequence number, the contents of the packet and the secret key known only to the two parties. The MAC is then appended to the message and sent to the recipient. The recipient uses its secret key to calculate a new MAC, which is compared to the MAC of the original message. If the two match then the packet is legitimate.

A few algorithms that can perform this operation have been introduced, such as HMAC-SHA1 (H. Krawczyk et al, 1997), which is based on a cryptographic hash function, and UMAC (J. Black et al, 1999) and VMAC [3] (T. Krovetz, W. Dai, 2007), which are based on universal hashing.
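The mechanism described above (a MAC over the sequence number and the packet contents under a shared key) is sketched in the following added example, which is not part of the thesis. It uses HMAC-SHA256 from the Python standard library rather than the HMAC-SHA1 named above, and the packet layout and names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output size in bytes
SEQ_LEN = 8    # 64-bit sequence number, network byte order (assumed layout)


def protect(key, seq, payload):
    """Sender side: packet = seq | payload | MAC(key, seq | payload)."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key):
        self.key = key
        self.highest_seq = -1   # highest sequence number accepted so far

    def accept(self, packet):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return ("malformed", None)
        header = packet[:SEQ_LEN]
        payload = packet[SEQ_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison, so the check does not leak how many
        # leading bytes of a forged tag were correct.
        if not hmac.compare_digest(tag, expected):
            return ("bad-mac", None)
        seq = struct.unpack("!Q", header)[0]
        # The sequence number is inside the MAC, so it cannot be rewritten
        # to make an old packet look fresh. Simplification: strictly
        # increasing numbers, so reordered packets are rejected as well.
        if seq <= self.highest_seq:
            return ("replay", None)
        self.highest_seq = seq
        return ("ok", payload)


if __name__ == "__main__":
    key = b"constructed shared key"             # constructed sample value
    rx = Receiver(key)
    pkt = protect(key, 1, b"hello node B")
    print(rx.accept(pkt), rx.accept(pkt))       # second delivery is a replay
```
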

4.2 Digital Signatures

As mentioned in a previous section, digital signatures are a mathematical scheme used for authenticity and non-repudiation. A valid signature ensures that the message sent to a recipient is legitimate and was not altered in any way during transmission. Compared with handwritten signatures, digital signatures aim to provide the same service (authenticity) but with more security, making them less susceptible to counterfeiting. Cryptographically based digital signatures must be implemented properly in order to be effective. Authenticity and non-repudiation are two important properties offered by digital signatures, meaning that the signer cannot successfully claim they did not sign a message, while at the same time the private key remains secret (M. Branchaud, 1997). A digital signature scheme traditionally consists of a key generation algorithm that produces the key, a signing algorithm that produces the signature using the private key and the message, and a signature verifying algorithm that checks the authenticity and can either reject or accept the message.

For example, if A wants to digitally sign a message to B, A uses its private key to encrypt the message. Then the message is sent along with the public key of A. Since A's key is the only key that can decrypt the message, successful decryption constitutes a Digital Signature Verification, meaning that there is no doubt that it is A's private key that encrypted the message. Digitally signed messages may be anything that can be represented as a bit string, such as emails.

[3] UMAC and VMAC's source code can be found at: http://fastcrypto.org/umac/ and http://www.fastcrypto.org/vmac/ respectively.

One way hash function

However, this scheme may have some problems. For instance, it can produce a tremendous volume of data, which in turn can cause more problems, like using a lot of bandwidth. To solve this problem, the one-way hash function was introduced. A one-way hash function takes a variable length message and converts it into a fixed-length output, e.g. 256 bits. This is called a digest. The function ensures that if the information is even slightly changed, a different output is produced. RSA and PGP use strong hash functions, as mentioned before (C. Paar, J. Pelzel, 2009). More specifically, PGP generates the message digest through the hash function. The digest and the private key are used together to create the signature. Then PGP sends the signature and the plaintext together. When the message arrives, the recipient uses PGP to compute the digest, thus verifying the signature. By doing this there is no way to copy a signature, because the slightest change will cause the verification process to fail.

Figure 10: PGP Digital Signature Process

Generally, a digital signature can be divided into two steps:

Step 1: Message Digest Evaluation: The purpose of this is to ensure integrity.

Step 2: Digest Signature: When issuing the signature, the hashing algorithm and the public key of the issuer are appended and sent to the recipient. The signature can be verified using the public key of the recipient along with the hashing algorithm. By doing this the recipient ensures that the issuer indeed encrypted the digest using its private key and that the message is protected from alteration.

But how can we be sure that the sender, e.g. named Alice, is indeed Alice? And how can Alice be sure that the recipient, e.g. named Bob, is the only one that will see what Alice encrypted? An attacker can pretend to be Alice, and Bob cannot verify who actually sends the message.

Digital Certificates

Digital certificates ensure that the public key of a recipient is the true key and not a forgery. In real life one can encrypt only to the keys that have been physically handed to the sender, but what if it is necessary to exchange information with people that one has never met? A certificate is a form of credential that proves the identity of a public key's owner, like a passport or an ID. The confirmation of the identity is done by the Certificate Authority (CA), which is a trusted third party. As long as the two parties trust the CA, they can verify each other's identity. The certificate can contain, among other things: the CA's identity, the owner's identity, the owner's public key, the expiration date of the certification, the CA's signature of the certification etc.

The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity. The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key. Thus, a certificate is basically a public key with one or two forms of ID attached, plus a hearty stamp of approval from some other trusted individual.

In order to distribute the certificates safely among entities, a facility that contains that data is required. These facilities should work as storage repositories, providing security and mechanisms to distribute the certificates. A simpler facility is called a Certificate Server, which operates as a storage-only repository and allows users to submit and retrieve digital signatures. Besides that, Public Key Infrastructures are introduced as a more structured system that provides the ability to issue, revoke, store, retrieve and trust certificates in the form of a Certification Authority (C. Adams, L. Steve, 2003).


5. Security Policies and Protocols in Ad hoc networks

We described earlier some key elements of cryptography and key distribution techniques used in networks for security management. These techniques can be applied to our system, modified to fit our needs. One main problem in Ad hoc networks is key distribution, and depending on the application (home networking, military services etc.) the needs vary. Besides that, we will focus on Secure Routing techniques developed over the years based on previously existing protocols or algorithms.

5.1 The Resurrecting Duckling

This idea came from F. Stajano and R. Anderson (1999) as a metaphor from biology. Specifically, they compare the nodes to newborn ducklings that imprint on the first thing they see when they are "born". The idea came up mainly from the need for authenticity in ad hoc networks, where eliminating any central distribution service for certificates or secret keys is mandatory. The concept behind it is, as mentioned, imprinting. When the new duckling is born, the mother duck imprints it through a secure channel in which a shared key is sent in plaintext. This makes the duckling always connected to its mother, and it cannot communicate with any other device unless it "dies" (e.g. a universal remote control is broken beyond repair) or the mother tells it to die. Since one key is used, symmetric cryptography can be used to keep any data private.

Later, F. Stajano (2000) described a process in which siblings can communicate with each other. He mentions that this can be achieved if the mother can download a security policy from a trusted third party service. This policy can be a control list which indicates some rules about communication between "siblings" (nodes) and who can be in charge of that. This, of course, doesn't make the network truly independent, due to its communication with a centralized service. Another proposed solution is for the mother duck to issue and sign certificates and use them for communication between the ducklings. This, however, demands extra power and secure clocks for the mother to be able to control them. Since this concept is focused on low energy consumption, the last proposal (issuing certificates) may not be very handy, unless the validation period is short enough to eliminate the need for secure clocks. This proposal can be very useful in home networks but may not be very effective if used, for example, in emergency or military services, due to the fact that a master is needed to control the nodes.

5.2 ID-Based threshold cryptographic technique

In order to describe what ID-based threshold cryptography is, we will briefly mention the two separate techniques that form it.

ID-based cryptography: This scheme is based on the generation of a public key through a Private-key Generation Service (PKG). The master key is distributed throughout the network, and along with the string ID a sender can encrypt the message. For decryption, a recipient can obtain from the PKG the secret key corresponding to its identity. For more information about ID-based cryptography one can refer to (D. Boneh, M. Franklin, 2001).

Threshold Cryptography: In this scheme a cryptographic operation can be split among multiple users, and t users out of a total of n users can perform the cryptographic process, whereas t-1 users cannot (R. Gennaro, et al, 1999).

As we notice, the use of an ID can save bandwidth, due to the fact that there is no need to distribute keys from a certification authority and because the ID is much shorter than a public key. Computational overhead is also reduced, because there is no need to compute a public key. Also, using a threshold scheme for the PKG can eliminate the need for a CA.

The concept behind the ID-based threshold cryptosystem is that, initially, when the system starts, the nodes agree on some parameters like threshold and security. After this, master and private keys are generated for the system. If a node wants to get its private key it must contact the PKG, and this service in turn will use the node's ID and the master secret key as input to generate the requested private key. For encryption a node uses the master key, the ID of the recipient node and the message plaintext. For decryption the recipient node uses the ciphertext sent from the sender node, its personal secret key and the master public key. In the initial setup stage the identities can be spoofed, and one solution is for the PKG to hand out IDs only once. This can prevent spoofing because an intruder will be unable to guess the identity of any node in advance (A. Khalili et al, 2003).


5.3 Self-organized PKI

As mentioned, PKI's are infrastructures used to sign and issue CA's. An idea is proposed by Hubaux et al () for a self-organized PKI based on the PGP algorithm. In order for a PKI to be self-organized, any specially treated node must be eliminated. The basic idea is that every user has a small number of certificates, and combining these can give a trusted signature and a verification of a public key, through a chain of trust between the nodes. The proposed algorithm, named "The Shortcut Hunter Algorithm", uses locally available information to calculate a sub graph of the complete trust graph. The probability that two nodes' merged certificate lists hold a certificate chain between the two of them was high, using a relatively small number of certificates in each node. Of course, this relates to the size of the complete trust graph and the assumption that it is connected. This offers a scalable solution for the PKI certification distribution problem.

5.4 TESLA protocol

The TESLA (Timed Efficient Stream Loss-tolerant Authentication) protocol was proposed by Perrig et al (2002) as a solution for online signing certification from a CA, which can lead to high overhead and bandwidth consumption. It is based on two key features: one-way chains and time synchronization. When one-way hash functions are applied repeatedly, one-way chains are generated, each value being computed from the previous one in the chain. In order to keep any information secret, the values in the chain are used in the reverse order. Time synchronization can be performed using a corresponding protocol. The main idea behind this is that a message is sent to the source containing a note of when the message was sent. This message contains a randomly generated nonce identifying the specific message. When the server receives this message it sends a reply message that contains the sender time and the received nonce. The message is also signed with the server's private key.

The operation of the TESLA protocol is pretty simple: it divides the upcoming time into intervals of a specified length. One-way chains assign a key to each interval, and the sender decides how many intervals should pass until a key is disclosed. When a message is sent, a MAC keyed with the key of the current time interval is appended to it. With each message the key from the previously disclosed interval is attached. When the message arrives at its destination it remains in a waiting state. During this time the recipient checks the key disclosure schedule, and if the packet is late and the schedule states that the key has been disclosed, then the packet is dropped. If the key is not disclosed then the packet is trusted and therefore buffered. The server does not use the actual interval key to sign the message. Instead, a key is generated from the interval key by applying some known one-way function. This way the key is only used to perform a single operation. Because symmetric cryptography is used in this protocol, the implementation can be very efficient, but vulnerabilities can occur while time synchronization is being set up.
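The operation described above (a one-way key chain used in reverse, a MAC key derived from the interval key, delayed key disclosure, and buffering or dropping at the receiver) is sketched in the following added example, which is not part of the thesis or of the TESLA authors' code. Packet fields, names and time values are assumptions, and SHA-256 stands in for the one-way functions.

```python
import hashlib
import hmac


def chain_step(key):
    """One-way function linking the chain: K[i-1] = chain_step(K[i])."""
    return hashlib.sha256(b"chain" + key).digest()


def mac_key(key):
    """Second one-way function: the MAC key derived from the interval key."""
    return hashlib.sha256(b"mac" + key).digest()


def tag(key, msg):
    return hmac.new(mac_key(key), msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, seed, intervals, delay):
        chain = [seed]
        for _ in range(intervals):
            chain.append(chain_step(chain[-1]))
        chain.reverse()        # keys are used in reverse order of generation
        self.chain = chain     # chain[0] = commitment, chain[i] = key of interval i
        self.delay = delay     # intervals to wait before a key is disclosed

    def packet(self, interval, msg):
        old = interval - self.delay
        return {"interval": interval, "msg": msg,
                "mac": tag(self.chain[interval], msg),
                "disclosed": (old, self.chain[old]) if old >= 1 else None}


class Receiver:
    def __init__(self, commitment, t0, interval_len, delay, max_clock_error):
        self.verified = (0, commitment)   # newest authenticated chain key
        self.t0, self.interval_len = t0, interval_len
        self.delay, self.max_err = delay, max_clock_error
        self.buffer = {}                  # interval -> [(msg, mac)]
        self.delivered = []               # messages whose MAC has been verified

    def receive(self, pkt, now):
        # Latest interval the sender may already be in, given the clock error.
        sender_now = int((now + self.max_err - self.t0) // self.interval_len) + 1
        if sender_now < pkt["interval"] + self.delay:
            # Key cannot have been disclosed yet: keep until it is.
            entry = (pkt["msg"], pkt["mac"])
            self.buffer.setdefault(pkt["interval"], []).append(entry)
            status = "buffered"
        else:
            status = "dropped"            # key may already be public
        if pkt["disclosed"]:
            self._disclose(*pkt["disclosed"])
        return status

    def _disclose(self, index, key):
        known_index, known_key = self.verified
        keys, k = {}, key
        for i in range(index, known_index, -1):
            keys[i] = k                   # also recovers keys of lost packets
            k = chain_step(k)
        if not keys or not hmac.compare_digest(k, known_key):
            return                        # key does not lead back to the chain
        self.verified = (index, key)
        for i in sorted(keys):
            for msg, mac in self.buffer.pop(i, []):
                if hmac.compare_digest(mac, tag(keys[i], msg)):
                    self.delivered.append(msg)
```

Because each disclosed key hashes back to every earlier key, a receiver that misses the packet disclosing one interval's key still authenticates that interval's buffered messages when a later key arrives.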

5.5 Secure Routing

Next, some protocols focusing on secure routing will be introduced, and mechanisms against known attacks will be discussed.

5.5.1 Secure Aware Routing (SAR)

In SAR (S. Yi, et al, 2001) a simple protocol such as AODV is used as a base protocol. As we saw in section 2.3.3, AODV broadcasts RREQ messages through flooding in the network in order to discover the shortest path to a destination. When the packet reaches the destination, a RREP message is sent using the reverse path. In SAR the security metric is embedded into the RREQ message, so the path may change according to the metric but with respect to the RREQs. A trust hierarchy is introduced in which some nodes are lower in security and some are higher. If an intermediate node receives a RREQ packet, it can process it according to its security trust or authentication level. Thus, if it does not meet the security prerequisites, the packet is dropped. Otherwise, if a path that fulfills the security attributes can be established, a modified RREP message is sent. SAR uses the trust hierarchy in order to divide the nodes into trust levels and give them a minimum security level. Note that the security trust is imposed on the nodes participating in the route discovery process. Even in the case of multiple paths, SAR will select the shortest route, with respect to the protocol, that satisfies the security metrics.

Attacks like modification and fabrication can be prevented by verifying digital signatures. Also, by using trust level authentication, threats like subversion and interception can be stopped. SAR uses some security metrics, as mentioned in the S. Yi et al paper, and two of them are sequence numbers and timestamps. These two metrics can effectively stop replay attacks. However, due to the excessive encrypting and decrypting at each hop, power consumption can be a major drawback in a mobile environment. The routes discovered by SAR are not the shortest in terms of hop count, but they are more secure. Only nodes with the required trust level will re-route packets, but if an infected node becomes trustworthy then the protocol will be vulnerable to all kinds of attacks.

5.5.2 Secure Routing Protocol (SRP)

SRP (P. Papadimitratos, Z. J. Haas, 2002) is also based on on-demand protocols such as AODV. It creates an association between source and destination, referred to as a Security Association (SA). This association must exist a priori, before the route discovery process. Intermediate nodes do not use any encryption-decryption mechanism to route the packet. Specifically, the protocol uses an extra header (the SRP header) which contains the fields QSEC (Query Sequence number), QID (Query Identifier number) and a 96 bit MAC field. Each intermediate node checks for the SRP header and if it is missing the RREQ is dropped. Otherwise it is forwarded after extracting QID and, of course, the source and destination addresses. When the packet arrives at its destination, the node first verifies that the packet originated from the source with which it has the association. Then if QSEC>= QMAX the packet is dropped because it is considered to be replayed. Otherwise, the keyed hash of the request fields is calculated and if the output matches the MAC then the message is verified and authenticated. After receiving the packet and verifying its authenticity, the destination node sends a reply message back to the source. The source checks the QID, QSEC and, of course, the source and destination addresses. If a match occurs then the source calculates the MAC using the SRP fields, the key between source and destination and the replied route. If the two MACs are the same then it confirms that the message came from the destination. SRP can be vulnerable to wormhole attacks but is immune to IP spoofing as it secures the binding of the MAC and IP address of the nodes. Also a secure mechanism for route maintenance messages should be considered, because an infected node could harm the routes to which it belongs.
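The MAC checks that SRP places at the destination and at the source can be sketched as follows. This is an added example, not code from the thesis or from the SRP authors: HMAC-SHA-256 truncated to 96 bits, the dictionary packet layout and all function names are assumptions, and the QSEC replay check is left out so that the block shows the MAC handling only.

```python
import hashlib
import hmac
import struct

MAC_LEN = 12  # the SRP header carries a 96-bit MAC field


def srp_mac(key, *fields):
    """Keyed hash over the given fields, truncated to 96 bits.

    HMAC-SHA-256 is an assumption of this example. Every field is
    length-prefixed so that field boundaries cannot be shifted.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(struct.pack("!H", len(field)) + field)
    return mac.digest()[:MAC_LEN]


def _ids(qid, qsec):
    return struct.pack("!II", qid, qsec)


def build_request(key, src, dst, qid, qsec):
    """Source: attach the SRP header (QID, QSEC, MAC) to a route request."""
    header = {"qid": qid, "qsec": qsec,
              "mac": srp_mac(key, src, dst, _ids(qid, qsec))}
    return {"src": src, "dst": dst, "srp": header, "route": []}


def relay(request, node):
    """Intermediate node: no cryptography, only the header-present check."""
    if "srp" not in request:
        return None  # a RREQ without an SRP header is dropped
    return {**request, "route": request["route"] + [node]}


def destination_check(key, request):
    """Destination: verify the request MAC, then MAC the reply and its route."""
    hdr = request["srp"]
    src, dst = request["src"], request["dst"]
    ids = _ids(hdr["qid"], hdr["qsec"])
    if not hmac.compare_digest(srp_mac(key, src, dst, ids), hdr["mac"]):
        return None
    route = list(request["route"])
    return {"src": src, "dst": dst, "qid": hdr["qid"], "qsec": hdr["qsec"],
            "route": route, "mac": srp_mac(key, src, dst, ids, *route)}


def source_check(key, pending, reply):
    """Source: match the reply to the outstanding query, then verify its MAC."""
    if (reply["src"], reply["dst"], reply["qid"], reply["qsec"]) != pending:
        return False
    expected = srp_mac(key, reply["src"], reply["dst"],
                       _ids(reply["qid"], reply["qsec"]), *reply["route"])
    return hmac.compare_digest(expected, reply["mac"])


if __name__ == "__main__":
    key = bytes(range(32))            # constructed key standing in for the SA
    s, d = b"10.0.0.1", b"10.0.0.9"   # constructed addresses
    rreq = relay(relay(build_request(key, s, d, 7, 3), b"10.0.0.4"), b"10.0.0.5")
    rrep = destination_check(key, rreq)
    print("reply accepted:", source_check(key, (s, d, 7, 3), rrep))
    rrep["route"][1] = b"10.0.0.66"   # route altered on the way back
    print("altered reply accepted:", source_check(key, (s, d, 7, 3), rrep))
```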


5.5.3 Secure Efficient Ad hoc Distance Vector (SEAD)

SEAD (Y.C. Hu et al, 2002) is based on the DSDV protocol (proactive routing) and focuses on protecting routing updates by means of one-way hash chains. This approach can prevent an attacker from forging new metrics or sequence numbers in the update packets. The mathematical expression is as follows for a list of hash values calculated from each node:

, 0> ssn then we can assume then the source node will discard the particular entry. The main goal is to detect any sequence numbers that have been modified by attackers. The important thing in this method is to first call the new function, mentioned above, to store and analyze all the RREP messages. In figure 18 (V. Khandelwal and D. Goyal, 2013) we can see that when the network is under attack, as the number of nodes increases, PDR decreases due to the probability that an infected node has become an intermediate node on a certain route. However, when we observe AODV under the detection module, PDR is increased, showing that this detection mechanism can identify over 70% of malicious nodes. This technique is efficient enough for detecting malicious nodes but it can add delay due to the pre-process function.

Figure 16: Nodes vs Packet Delivery Ratio

In Ad hoc networks several approaches have been investigated throughout the years, offering solutions and proposals. A. Patwardhan et al (2005) divide the mechanisms into three categories:

- Audit-based
- Credit-based
- Acknowledgement-based


In the first category, neighbors monitor the behavior of nodes, taking advantage of the omnidirectional propagation of wireless signals. Two methods for packet forward verification are Watchdog and Pathrater (S. Marti et al, 2000). In Watchdog, suppose we have a path between two nodes, source S and destination D, with intermediate nodes A, B and C between them. The authors assume that node A cannot send a message directly to C but can listen to node B's traffic. Therefore node A can tell if node B propagates a message. Also, if encryption is not performed separately for each link, then A can see if B has tampered with the message. This approach is based on the DSR protocol and it can detect alterations or misbehavior at the forwarding level and not just the link level; nevertheless, in cases of collisions (ambiguous and receiver) or partial packet dropping it may not be able to perform optimally.

In the Pathrater approach, the authors assign a rating system to the nodes. Each node keeps ratings for the other nodes in the network and by comparing these ratings an optimum path is selected. This can effectively protect against black hole attacks but it can create extra overhead for the nodes, resulting in power consumption. A monitoring system is also proposed by Buchegger and Boudec (2005), in which, with the use of omnidirectional antennas, the nodes can hear the transmissions of the next hop. If a reply message is not sent within a time frame set by the authors, then the nodes assume misbehavior. The results are then sent throughout the network.

However, the audit-based approach has certain drawbacks. Eavesdropping on the network can consume a lot of transmission energy. Also, if omnidirectional antennas are used, attackers can cheat their neighbors with fake data forwarding. And, as mentioned throughout our thesis, the defense mechanisms must be able to offer authenticity, and this must be applied if monitoring reports are used for protection against black hole attacks.
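The Watchdog bookkeeping described above, seen from node A, can be sketched as follows. This is an added example, not code from the thesis or from Marti et al.: the class and method names, the 0.5 s timeout, the failure threshold of 3 and the event list are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter


class Watchdog:
    """Node A's view: remember what was handed to the next hop and check
    that the next hop is overheard retransmitting it, unmodified, in time."""

    def __init__(self, timeout=0.5, threshold=3):
        self.timeout = timeout      # seconds to wait for the forward (assumed)
        self.threshold = threshold  # failures tolerated before flagging (assumed)
        self.pending = {}           # (next_hop, pkt_id) -> (digest, deadline)
        self.failures = Counter()   # next_hop -> dropped or tampered packets

    def sent(self, now, next_hop, pkt_id, payload, final_dst):
        if next_hop == final_dst:
            return  # the next hop is the destination, nothing to forward
        digest = hashlib.sha256(payload).digest()
        self.pending[(next_hop, pkt_id)] = (digest, now + self.timeout)

    def expire(self, now):
        """Count every packet whose forward was not overheard in time."""
        late = [k for k, (_, deadline) in self.pending.items() if deadline < now]
        for key in late:
            del self.pending[key]
            self.failures[key[0]] += 1
        return late

    def overheard(self, now, sender, pkt_id, payload):
        """Called for each transmission A overhears from a neighbor."""
        self.expire(now)
        entry = self.pending.pop((sender, pkt_id), None)
        if entry is None:
            return "ignored"  # not a packet A is waiting for, or too late
        if hashlib.sha256(payload).digest() != entry[0]:
            self.failures[sender] += 1
            return "tampered"
        return "forwarded"

    def misbehaving(self):
        # A single miss may be a collision at A, hence the threshold.
        return sorted(n for n, c in self.failures.items() if c >= self.threshold)


# Constructed events at node A; every packet is destined for node "D".
EVENTS = [
    ("sent", 0.0, "B", 1, b"data-1"), ("heard", 0.1, "B", 1, b"data-1"),
    ("sent", 1.0, "B", 2, b"data-2"), ("heard", 1.1, "B", 2, b"data-X"),
    ("sent", 2.0, "B", 3, b"data-3"),   # B never forwards packet 3
    ("sent", 3.0, "B", 4, b"data-4"),   # nor packet 4
    ("sent", 4.0, "C", 5, b"data-5"), ("heard", 4.2, "C", 5, b"data-5"),
    ("tick", 5.0),
]


def run(events, final_dst="D"):
    wd = Watchdog()
    for kind, now, *rest in events:
        if kind == "sent":
            wd.sent(now, *rest, final_dst)
        elif kind == "heard":
            wd.overheard(now, *rest)
        else:
            wd.expire(now)
    return wd


if __name__ == "__main__":
    print("flagged:", run(EVENTS).misbehaving())
```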
In the credit-based approach, a credit system is used to offer authenticity of the nodes. For example, S. Zhong et al (2003) use a centralized infrastructure (Credit Clearance Service) for distributing credits to the nodes. The nodes can use GPRS technology to communicate with this service, and for identification they propose a CA as mentioned in a previous section. The logic behind this scheme is that nodes earn or lose credit according to their actions. For example, if a node forwards its own messages it will lose credit, and if it forwards other nodes' messages it will earn credit, so that it is later able to forward its own messages. Another proposal (L. Buttyán, J. Hubaux, 2003), referred to as a stimulation mechanism, uses a nuglet counter. All nodes have this counter and the idea behind it is as follows: when a node transmits its own packets, the number of nodes (n) required to reach a certain destination is estimated. If the nuglet counter is greater than or equal to n then the node has permission to send the packet and the counter is decreased by n. Also, when an intermediate node forwards a packet, its nuglet counter is increased by one. These two methods can protect against black hole attacks and also offer authenticity and integrity, but the use of a centralized infrastructure can create high overhead issues; moreover, one of the characteristics of MANETs described in section 2.2 is the lack of such an infrastructure and their autonomous nature, so using an infrastructure violates the nature of MANETs.

In the acknowledgement-based scheme the basic idea is to send acknowledgements back to the source that the packet has been received. K. Liu et al (2007) describe the 2ACK scheme in which, for example, if there are three nodes N1, N2, N3 and N1 transmits a packet to N3, an acknowledgement must be sent back to verify the reception of the packet. This 2ACK scheme takes place for every triplet inside the network. Also, a list of IDs of data packets that have been sent but not acknowledged is maintained in order to detect misbehavior. This scheme is proactive like the credit-based schemes, therefore high overhead is expected. S. Lee et al (2002) introduced CREQ and CREP, abbreviations for route confirmation request and route confirmation reply, in order to avoid black hole attacks. In this scheme an intermediate node sends, besides the RREP message to the source node, a CREQ message to its neighbour node (next hop). The next hop node checks its table for a route to the destination and if the route exists it sends a CREP message back to the source. When the source node receives the CREP, it compares it with the RREP and if the paths match then the source node determines that the route is safe.
However, if two consecutive nodes work in collusion, the black hole may not be avoided. A solution to this problem is for the source node to wait for RREP messages from more than two nodes. When the RREPs arrive, the source node checks whether there is a shared hop or not. If not, then the route is not safe and it waits for other RREPs to arrive in order to discover a safe route. Although the waiting time can provide a solution against black hole attacks, it can also be a drawback and introduce higher routing overhead (M. Al-Shurman et al, 2004).
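The shared-hop check on redundant RREPs described above can be sketched as follows. This is an added example, not code from the thesis or from Al-Shurman et al.: it assumes each RREP reports the hops of the path it advertises, and the function names, node names and sample replies are constructed.

```python
def classify_rreps(rreps, min_replies=3):
    """Source-side check on the RREPs collected for one route discovery.

    rreps: list of (replier, hops), where hops are the intermediate nodes of
    the advertised path (an assumption of this example). The source waits for
    replies from more than two nodes, then treats a route as safe only if it
    shares at least one hop with another reply.
    """
    if len({replier for replier, _ in rreps}) < min_replies:
        return {"status": "wait", "safe": [], "unsafe": []}
    safe, unsafe = [], []
    for i, (replier, hops) in enumerate(rreps):
        shared = set()
        for j, (_, other) in enumerate(rreps):
            if i != j:
                shared |= set(hops) & set(other)
        (safe if shared else unsafe).append(replier)
    # With no corroborated route the source keeps waiting for more RREPs.
    return {"status": "ok" if safe else "wait", "safe": safe, "unsafe": unsafe}


def choose_route(rreps, min_replies=3):
    """Pick the shortest route among those classified as safe, if any."""
    verdict = classify_rreps(rreps, min_replies)
    candidates = [(len(hops), replier, hops)
                  for replier, hops in rreps if replier in verdict["safe"]]
    return min(candidates)[2] if candidates else None


# Constructed replies: two paths that meet at n9, and one replier that
# advertises a one-hop path through itself only.
SAMPLE_RREPS = [
    ("n15", ["n15", "n9", "n12"]),
    ("n22", ["n22", "n9"]),
    ("n1", ["n1"]),
]

if __name__ == "__main__":
    print(classify_rreps(SAMPLE_RREPS))
    print(choose_route(SAMPLE_RREPS))
```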


Conclusions

In this thesis we examined the security vulnerabilities of ad hoc networks. The idea was first to introduce ad hoc networks and their characteristics and then, based on the current cryptography schemes, discuss proposed solutions against different types of attacks. Four protocols from each category of the ad hoc routing protocols are introduced and briefly discussed (AODV, DSR, DSDV and Zone Routing), mentioning their security vulnerabilities and issues. Standard routing protocols such as AODV lack security, and although many have tried to apply these cryptographic methods to MANET protocols and have succeeded in preventing tampering with routing information, the results showed that this made them vulnerable to simple DoS attacks (M. Jackobsson et al, 2003). So we can see that a protocol is needed which has strong cryptographic security along with resistance to DoS attacks. That is only one of the security issues in these networks, and if we consider the amount of security issues in wireless networks in general, we can assume that these issues are greater in MANETs. Further on, an introduction to certain types of attacks is made, and we divide them into four categories (attacks using impersonation, modification, fabrication, and replay). As mentioned throughout our thesis, the security mechanisms are based on the CIA (Confidentiality, Integrity, Availability), and based on that we introduce cryptography and analyze two algorithms from symmetrical and asymmetrical cryptography and PGP from hybrid cryptography. The introduction of digital signatures and certification authorities is essential because some protocols for secure routing in ad hoc networks use these techniques in order to provide an efficient solution, but often at a cost in overhead. Cryptography is essential for the security protocols in ad hoc networks because many protocols, as we have seen, are based on either symmetrical, asymmetrical or hybrid systems.
Protocols such as TESLA or SAR are based on these cryptosystems and are discussed in order to understand the mechanisms behind them. In the last chapter of our thesis we perform a simulation of a certain attack (black hole) with NS-2 and, by reviewing the literature, we discuss different detection and prevention mechanisms. A black hole attack can affect the overall connectivity of a network, and in our simulation we noticed that the Packet Drop Ratio increases dramatically when the network is infected. Different schemes like anomaly detection and time delay for RREP packets are discussed and we try to determine an efficient solution, keeping in mind the battery-reliant nature and dynamic topology of ad hoc networks. A robust protocol with low cost in routing traffic and battery life would be ideal, but due to the complexity of these networks it is hard to design and implement in a true network environment. Nevertheless, the future looks promising, because a few years back there was only a handful of secure protocols and today there are more than thirty, and each and every one tries to overcome the security issues of ad hoc networks.


References

A. Bhattacharyya, A. Banerjee, D. Bose, H. N. Saha, D. Bhattacharjee, “Different types of attacks in Mobile ADHOC network: Prevention and mitigation techniques”, Department of Computer Science & Engineering, Institute Of Engineering & Management, Saltlake, 2011
A. J. Menezes, P. C. Oorschot, S. A. Vanstone, Handbook of Applied Cryptography (Fifth ed.). p. 251. ISBN 0849385237, 2001
A. Khalili, J. Katz, W. A. Arbaugh, “Toward Secure Key Distribution in Truly Ad-Hoc Networks”. Tech. rep., University of Maryland (College Park), 2003.
A. Patwardhan, J. Parker, A. Joshi, M. Iorga, and T. Karygiannis, “Secure Routing and Intrusion Detection in Ad Hoc Networks,” in IEEE International Conference on Pervasive Computing and Communications, pp. 8–12, 2005.
A. Perrig, R. Canetti, J. D. Tygar, D. Song, “The TESLA Broadcast Authentication Protocol”, Tech. rep., UC Berkley, IBM Research, 2002.
C. Adams, L. Steve, “Understanding PKI: concepts, standards, and deployment considerations”. Addison-Wesley Professional. pp. 11-15, 2003
C. E. Perkins, Nokia Research Center, E. Belding-Royer, University of California, Santa Barbara, S. Das, University of Cincinnati, “Ad hoc on demand Distance Vector Routing (AODV)”, The Internet Society, 2003
C. E. Perkins, E. M. Royer, “The Ad Hoc On-Demand Distance-Vector Protocol”. ch. 6, pp. 173–219. 2001
C. E. Perkins, P. Bhagwat, “DSDV Routing over a Multihop Wireless Network of Mobile Computers”. In Perkins [20], 2001, ch. 3, pp. 53–74.
D. Johnson, Rice University, Y. Hu, UIUC, D. Maltz, Microsoft Research, “The Dynamic Source Routing Protocol (DSR) for Mobile Ad Hoc Networks for IPv4”, IETF Trust, 2007
C. E. Perkins, IBM, T.J. Watson Research Center Hawthorne, Pravin Bhagwat, Computer Science Department University of Maryland College Park, “Highly Dynamic Destination-Sequenced Distance-Vector Routing for Mobile Computers”, 1994
C. Paar, J. Pelzl, "Introduction to Public-Key Cryptography", Chapter 6 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers public-key cryptography), Springer, 2009.
C. S. R. Murthy and B. S. Manoj, Ad Hoc Wireless Networks: Architectures and Protocols, Prentice Hall PTR, 2004
D. Boneh, “Twenty years of attacks on the RSA cryptosystem”, Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1998
D. Boneh, M. Franklin, “Identity-Based Encryption from the Weil Pairing”. In J. Killian, editor, Advances in Cryptology, CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213-229, Springer Verlag, August 2001
D. R. Stinson, “Cryptography Theory and Practice”. CRC Press LLC, 1995.
E. M. Royer, C.-K. Toh, “A Review of Current Routing Protocols for Ad Hoc Mobile Wireless Networks”, University of California, Santa Barbara & Georgia Institute of Technology, 1999
F. Stajano, R. Anderson, “The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks”, University of Cambridge Computer Laboratory, AT&T Laboratories Cambridge, 1999
F. Stajano, “The Resurrecting Duckling — what next?” In Security Protocols, 8th International Workshop Proceedings, B. Christianson, B. Crisp, and M. Roe, Eds., Springer-Verlag Berlin Heidelberg. Lecture Notes in Computer Science, 2000
G. Simson (1991-12-01). PGP: Pretty Good Privacy. O'Reilly & Associates
http://nsnam.isi.edu/nsnam/index.php/Main_Page
H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC2104, 1997.
I. Aad, J.-P. Hubaux, E. W. Knigthly, “Denial of Service Resilience in Ad Hoc Networks”, School of Computer and Communication Sciences, Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland, 2004
I. K. Salah, A. Darwish, S. Oqeili, “Mathematical Attacks on RSA Cryptosystem”
I. Khalil and S. Bagchi, “Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure”, IEEE TRANSACTIONS ON MOBILE COMPUTING, 2011
J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway. CRYPTO '99 Paper: "UMAC: Fast and Secure Message Authentication". Advances in Cryptology CRYPTO '99. Lecture Notes in Computer Science, vol. 1666, Springer-Verlag, pp. 216-233, 1999
J. Daemen, V. Rijmen, (9/04/2003). "AES Proposal: Rijndael". National Institute of Standards and Technology. p. 1. Retrieved 21 February 2013.
J. K. Hedrick, M. Tomizuka and P. Varaija (1994). ‘Control issues in automated highway systems’, IEEE Control Systems Magazine, 14(6):21-32
J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting, “Improved Cryptanalysis of Rijndael”, Fast Software Encryption, pp. 213-230, 2000
J. Lundberg, “Routing Security in Ad Hoc Networks”. Tech. Rep. Tik-110.501, Helsinki University of Technology, 2000.
J. P. Hubaux, L. Buttyan, S. Capkun, “The Quest for Security in Mobile Ad Hoc Networks”. In Proceedings of the ACM Symposium on Mobile Ad Hoc Networking and Computing, 2001.
K. Liu, J. Deng, P. Varshney, K. Balakrishnan, “An Acknowledgment-Based Approach for the Detection of Routing Misbehavior in MANETs,” IEEE Transactions on Mobile Computing, 6(5), pp. 536-550, 2007.
K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, A Secure Routing Protocol for Ad hoc Networks, The 10th IEEE Intl. Conf. on Network Protocol (ICNP), Nov. 2002.
L. Buttyán, and J. Hubaux, “Stimulating cooperation in self-organizing mobile ad hoc networks,” Mobile Networks and Applications, 8(5), pp. 579-592, 2003.
L. Zhou, Z. J. Haas, “Securing Ad Hoc Networks”. IEEE Network 13, 6, 24–30, 1999
M. Al-Shurman, S-M. Yoo, and S. Park, “Black Hole Attack in Mobile Ad Hoc Networks,” ACM Southeast Regional Conf. 2004.
M. Branchaud, “A Survey of Public-key Infrastructures”, Department of Computer Science, McGill University, Montreal, 1997
M. Luby, C. Rackoff. "How to Construct Pseudorandom Permutations from Pseudorandom Functions", SIAM Journal on Computing 17 (2): 373–386, doi:10.1137/0217022, ISSN 0097-5397, April 1988
P. Michiardi and R. Molva, “CORE: A Collaborative Reputation Mechanism to Enforce Node Cooperation in Mobile Ad Hoc Networks”, IFIP-Communication and Multimedia Security Conference 2002.
P. N. Raj, Prashant B. Swadas. “DPRAODV: A Dynamic Learning System Against Blackhole Attack in AODV Based MANET”, IJCSI International Journal of Computer Science Issues, 2:54-59, 2009
P. Papadimitratos and Z. J. Haas, Secure Routing for Mobile Ad hoc Networks, In Proc. of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), Jan. 2002.
P. Zimmermann, Phil (1991-06). "Why I Wrote PGP", Retrieved in September 2013
R.C Phan, “Related-Key Attacks on Triple-DES and DESX Variants”, In Topics in Cryptology - The Cryptographer’s Track at RSA Conference (CT-RSA ’04), 2004
R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. Eurocrypt, 1999.
R. H. Khokkar, A. Ngadi, S. Mandala, “A review of current routing attacks in mobile ad hoc networks”, International Journal of Computer Science and Security, volume (2) issue (3), unknown date
R. Perlman, “Network layer protocols with byzantine robustness”, MIT, August 1998
R. K. Nichols, P. C. Lekkas. “Wireless Security Models, Threats, and Solutions”. McGraw–Hill, 2002. ISBN: 0-07-138038-8.
S. Buchegger and J. Boudec, “Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks”, Proc. of the 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing, Canary Islands, Spain, 2002
S. Buchegger and J.-Y. L. Boudec, “Self-policing mobile ad-hoc networks by reputation systems,” IEEE Communications Magazine, pp. 101-107, 2005.
S. Corson, J. Macker. “MANET: Routing Protocol Performance Issues and Evaluation considerations”, RFC 2501, IETF Network Working Group, January 1999.
S. Kurosawa, H. Nakayama. Detecting Blackhole Attack on AODV-based Mobile Ad Hoc Networks by Dynamic Learning Method. In International Journal of Network Security, pages 338-346, Nov 2007.
S. Lee, B. Han, and M. Shin, “Robust Routing in Wireless Ad Hoc Networks,” 2002 Int’l. Conf. Parallel Processing Wksps., Vancouver, Canada, Aug. 18–21, 2002.
S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehaviour in mobile ad hoc networks,” in Proceedings of the 6th Annual international Conference on Mobile Computing and Networking (MobiCom), pp. 255-265, 2000.
S. Naski, “Performance of Ad Hoc Routing Protocols: Characteristics and Comparison”, Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory, 2004
S. Yi, P. Naldurg, R. Kravets, “A Security-Aware Routing Protocol for Wireless Ad Hoc Networks”, Dept. of Computer Science, University of Illinois at Urbana-Champaign, Urbana, 2001
S. Zhong, J. Chen, and Y. R. Yang, “Sprite: A simple cheat-proof, credit-based system for mobile ad-hoc networks,” in IEEE INFOCOM, pp. 1987-1997, 2003.
T. Krovetz and W. Dai, "VMAC: Message Authentication Code using Universal Hashing". CFRG Working Group. IETF. Retrieved 2010-08-12, 2007
U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology, Data Encryption Standard (DES), October 1999. As viewed in September 2013 from: http://csrc.nist.gov/publications/fips/fips463/fips46-3.pdf
U. Hengartner, S. Moon, R. Mortier, C. Diot, “Detection and Analysis of Routing Loops in Packet Traces”, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement, IMW '02, pp 107-112, ACM, New York, USA, 2002.
V. Khandelwal, D. Goyal, “BlackHole Attack and Detection Method for AODV Routing Protocol in MANETs”, International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), Volume 2, Issue 4, April 2013
W. Diffie, M. Hellman, "New directions in cryptography". IEEE Transactions on Information Theory 22 (6): 644-654, 1976
W. Du, J. Deng, Y. S. Han, and P. K. Varshney, A Pairwise Key Pre-distribution Scheme for Wireless Sensor Networks, ACM CCS 2003, Oct. 2003, pp. 42-51.
W. Schwartau, ed, Information Warfare: Cyberterrorism: Protecting your personal security in the electronic age, Thunder's Mouth Press, 2nd ed, (1996) (ISBN 1560251328).
W. Stallings, Cryptography and Network Security: Principles and Practices, 3rd edition, Prentice Hall, 2003.
Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks”, Infocom 2003
Y.-C. Hu, D. B. Johnson, A. Perrig, Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks, Mobicom’02, 2002.
Y.-C. Hu, D. B. Johnson, A. Perrig, “Efficient Security Mechanisms for Routing Protocols”, The 10th Annual Network and Distributed System Security Symp. (NDSS), TIK protocol, Feb. 2003
Y.-C. Hu, D. B. Johnson, A. Perrig, Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols, WiSe 2003, 2003.
STINSON, D. R. Cryptography Theory and Practice. CRC Press LLC, 1995. ISBN: 0-8493-8521-0.
Y.-C. Hu, D. B. Johnson, A. Perrig, “SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks.” Tech. Rep., Rice University, University of California, Berkeley, 2002.
Z. J. Haas, M. R. Pearlman, “ZRP A Hybrid Framework for Routing in Ad Hoc Networks”, ch. 7, pp. 221–253, 2001
Z. Xiaobing, "Malicious packet dropping: how it might impact the TCP performance and how we can detect it". Icmp: 263. 2000

Figure 1 taken from: http://www.eexploria.com/routing-protocols-in-manets
Figure 4 taken from: http://www.cse.wustl.edu/~jain/cis788-99/ftp/adhoc_routing
Figure 6 taken from: http://ki.stei.itb.ac.id/2013/10/30/mitigation-strategy-32-langkahlangkah-mudah-blok-ip-address-dari-dalam-network-dengan-konfigurasi-router
Figure 7 taken from: http://en.kioskea.net/contents/134-introduction-to-encryption-withdes
Figure 8 taken from: http://www.embeddedintel.com/technology_applications.php?article=119
Figure 9 taken from: http://commons.wikimedia.org/wiki/File:PGP_diagram.svg
Figure 10 taken from: http://www.data-processing.hk/pgp-0
Figure 11 taken from: http://www.hcis-journal.com/content/1/1/4/figure/F1


APPENDICES


Below we will describe the changes we made in aodv.h and aodv.cc in the ns2 folder, in order to perform our simulation.

In aodv.h we added the following lines in order to define the blackhole attackers:

    // Addresses (index values) of the three black hole nodes
    nsaddr_t malicious1;
    nsaddr_t malicious2;
    nsaddr_t malicious3;

In aodv.cc we added the following code to initialize the attackers:

    // Tcl commands "blackhole1", "blackhole2" and "blackhole3":
    // the node that receives one of them is marked as a black hole.
    if (strcmp(argv[1], "blackhole1") == 0) {
        malicious1 = index;
        printf("malicious %d", malicious1);
        return TCL_OK;
    }
    if (strcmp(argv[1], "blackhole2") == 0) {
        malicious2 = index;
        printf("malicious %d", malicious2);
        return TCL_OK;
    }
    if (strcmp(argv[1], "blackhole3") == 0) {
        malicious3 = index;
        printf("malicious %d", malicious3);
        return TCL_OK;
    }

    AODV::AODV(nsaddr_t id) : Agent(PT_AODV), btimer(this), htimer(this),
                              ntimer(this), rtimer(this), lrtimer(this), rqueue() {
        index = id;
        seqno = 2;
        bid = 1;
        LIST_INIT(&nbhead);
        LIST_INIT(&bihead);
        // 999 matches none of the 25 node addresses, so no node is
        // malicious until a blackhole command is issued from Tcl.
        malicious1 = 999;
        malicious2 = 999;
        malicious3 = 999;

For the malicious nodes to generate fake route replies we added the following lines:

    ....
        // Just to be safe, I use the max. Somebody may have
        // incremented the dst seqno.
        seqno = max(seqno, rq->rq_dst_seqno) + 1;
        if (seqno % 2) seqno++;

        sendReply(rq->rq_src,           // IP Destination
                  1,                    // Hop Count
                  index,                // Dest IP Address
                  seqno,                // Dest Sequence Num
                  MY_ROUTE_TIMEOUT,     // Lifetime
                  rq->rq_timestamp);    // timestamp
        Packet::free(p);
    }
    // blackhole attackers: each one answers the RREQ itself, naming the
    // requested destination (rq->rq_dst) with hop count 1 and a sequence
    // number above the one carried in the request
    else if (index == malicious1) {
        seqno = max(seqno, rq->rq_dst_seqno) + 1;
        if (seqno % 2) seqno++;

        sendReply(rq->rq_src,           // IP Destination
                  1,                    // Hop Count
                  rq->rq_dst,
                  seqno,
                  MY_ROUTE_TIMEOUT,
                  rq->rq_timestamp);    // timestamp
        //rt->pc_insert(rt0->rt_nexthop);
        Packet::free(p);
    }
    else if (index == malicious2) {
        seqno = max(seqno, rq->rq_dst_seqno) + 1;
        if (seqno % 2) seqno++;

        sendReply(rq->rq_src,           // IP Destination
                  1,                    // Hop Count
                  rq->rq_dst,
                  seqno,
                  MY_ROUTE_TIMEOUT,
                  rq->rq_timestamp);    // timestamp
        //rt->pc_insert(rt0->rt_nexthop);
        Packet::free(p);
    }
    else if (index == malicious3) {
        seqno = max(seqno, rq->rq_dst_seqno) + 1;
        if (seqno % 2) seqno++;

        sendReply(rq->rq_src,           // IP Destination
                  1,                    // Hop Count
                  rq->rq_dst,
                  seqno,
                  MY_ROUTE_TIMEOUT,
                  rq->rq_timestamp);    // timestamp
        //rt->pc_insert(rt0->rt_nexthop);
        Packet::free(p);
    }

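Lastly, the following code disables the send (error) for the black hole nodes; the added lines are the check on malicious1, malicious2 and malicious3 before sendError: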

    // add in route resolve function (AODV::rt_resolve(Packet *p))
    else {
        Packet *rerr = Packet::alloc();
        struct hdr_aodv_error *re = HDR_AODV_ERROR(rerr);
        /*
         * For now, drop the packet and send error upstream.
         * Now the route errors are broadcast to upstream
         * neighbors - Mahesh 09/11/99
         */

        assert (rt->rt_flags == RTF_DOWN);
        re->DestCount = 0;
        re->unreachable_dst[re->DestCount] = rt->rt_dst;
        re->unreachable_dst_seqno[re->DestCount] = rt->rt_seqno;
        re->DestCount += 1;
    #ifdef DEBUG
        fprintf(stderr, "%s: sending RERR...\n", __FUNCTION__);
    #endif
        // Black hole nodes send no RERR; all other nodes behave as usual.
        if ((index == malicious1) || (index == malicious2) || (index == malicious3))
            ;
        else
            sendError(rerr, false);

        drop(p, DROP_RTR_NO_ROUTE);
    }

The following scenario is the blackhole.tcl which simulates the attack using three infected nodes:

    set val(chan)   Channel/WirelessChannel    ;# channel type
    set val(prop)   Propagation/TwoRayGround   ;# radio-propagation model
    set val(netif)  Phy/WirelessPhy            ;# network interface type
    set val(mac)    Mac/802_11                 ;# MAC type
    set val(ifq)    Queue/DropTail/PriQueue    ;# interface queue type
    set val(ll)     LL                         ;# link layer type
    set val(ant)    Antenna/OmniAntenna        ;# antenna model
    set val(ifqlen) 50                         ;# max packet in ifq
    set val(nn)     25                         ;# number of mobilenodes
    set val(rp)     AODV                       ;# routing protocol
    set val(x)      1186                       ;# X dimension of topography
    set val(y)      584                        ;# Y dimension of topography
    set val(stop)   100.0                      ;# time of simulation end
    set val(t1)     0.0                        ;
    set val(t2)     0.0                        ;

    #Create a ns simulator
    set ns [new Simulator]

    #Setup topography object
    set topo [new Topography]
    $topo load_flatgrid $val(x) $val(y)
    create-god $val(nn)

    #Open the NS trace file
    set tracefile [open out.tr w]
    $ns trace-all $tracefile

    #Open the NAM trace file
    set namfile [open out.nam w]
    $ns namtrace-all $namfile
    $ns namtrace-all-wireless $namfile $val(x) $val(y)
    set chan [new $val(chan)];#Create wireless channel

    #===================================
    # Mobile node parameter setup
    #===================================
    $ns node-config -adhocRouting  $val(rp) \
                    -llType        $val(ll) \
                    -macType       $val(mac) \
                    -ifqType       $val(ifq) \
                    -ifqLen        $val(ifqlen) \
                    -antType       $val(ant) \
                    -propType      $val(prop) \
                    -phyType       $val(netif) \
                    -channel       $chan \
                    -topoInstance  $topo \
                    -agentTrace    ON \
                    -routerTrace   ON \
                    -macTrace      ON \
                    -movementTrace ON

    #===================================
    # Nodes Definition
    #===================================
    #Create 25 nodes
    set n0 [$ns node]
    $n0 set X_ 663; $n0 set Y_ 484; $n0 set Z_ 0.0
    $ns initial_node_pos $n0 20
    $n0 start
    set n1 [$ns node]
    $n1 set X_ 466; $n1 set Y_ 407; $n1 set Z_ 0.0
    $ns initial_node_pos $n1 20
    set n2 [$ns node]
    $n2 set X_ 791; $n2 set Y_ 406; $n2 set Z_ 0.0
    $ns initial_node_pos $n2 20
    set n3 [$ns node]
    $n3 set X_ 668; $n3 set Y_ 393; $n3 set Z_ 0.0
    $ns initial_node_pos $n3 20
    set n4 [$ns node]
    $n4 set X_ 558; $n4 set Y_ 320; $n4 set Z_ 0.0
    $ns initial_node_pos $n4 20
    set n5 [$ns node]
    $n5 set X_ 781; $n5 set Y_ 317; $n5 set Z_ 0.0
    $ns initial_node_pos $n5 20
    set n6 [$ns node]
    $n6 set X_ 650; $n6 set Y_ 40.0; $n6 set Z_ 0.0
    $ns initial_node_pos $n6 20
    set n7 [$ns node]
    $n7 set X_ 671; $n7 set Y_ 194; $n7 set Z_ 0.0
    $ns initial_node_pos $n7 20
    set n8 [$ns node]
    $n8 set X_ 761; $n8 set Y_ 234; $n8 set Z_ 0.0
    $ns initial_node_pos $n8 20
    set n9 [$ns node]
    $n9 set X_ 476; $n9 set Y_ 117; $n9 set Z_ 0.0
    $ns initial_node_pos $n9 20
    set n10 [$ns node]
    $n10 set X_ 714; $n10 set Y_ 121; $n10 set Z_ 0.0
    $ns initial_node_pos $n10 20
    set n11 [$ns node]
    $n11 set X_ 825; $n11 set Y_ 140; $n11 set Z_ 0.0
    $ns initial_node_pos $n11 20
    set n12 [$ns node]
    $n12 set X_ 509; $n12 set Y_ 34; $n12 set Z_ 0.0
    $ns initial_node_pos $n12 20
    set n13 [$ns node]
    $n13 set X_ 687; $n13 set Y_ 36; $n13 set Z_ 0.0
    $ns initial_node_pos $n13 20
    set n14 [$ns node]
    $n14 set X_ 822; $n14 set Y_ 51; $n14 set Z_ 0.0
    $ns initial_node_pos $n14 20
    set n15 [$ns node]
    $n15 set X_ 373; $n15 set Y_ 271; $n15 set Z_ 0.0
    $ns initial_node_pos $n15 20
    set n16 [$ns node]
    $n16 set X_ 903; $n16 set Y_ 255; $n16 set Z_ 0.0
    $ns initial_node_pos $n16 20
    set n17 [$ns node]
    $n17 set X_ 908; $n17 set Y_ 344; $n17 set Z_ 0.0
    $ns initial_node_pos $n17 20
    set n18 [$ns node]
    $n18 set X_ 600; $n18 set Y_ 180; $n18 set Z_ 0.0
    $ns initial_node_pos $n18 20
    set n19 [$ns node]
    $n19 set X_ 455; $n19 set Y_ 479; $n19 set Z_ 0.0
    $ns initial_node_pos $n19 20
    set n20 [$ns node]
    $n20 set X_ 350; $n20 set Y_ 434; $n20 set Z_ 0.0
    $ns initial_node_pos $n20 20
    set n21 [$ns node]
    $n21 set X_ 263; $n21 set Y_ 306; $n21 set Z_ 0.0
    $ns initial_node_pos $n21 20
    set n22 [$ns node]
    $n22 set X_ 261; $n22 set Y_ 209; $n22 set Z_ 0.0
    $ns initial_node_pos $n22 20
    set n23 [$ns node]
    $n23 set X_ 240; $n23 set Y_ 115; $n23 set Z_ 0.0
    $ns initial_node_pos $n23 20
    set n24 [$ns node]
    $n24 set X_ 313; $n24 set Y_ 29; $n24 set Z_ 0.0
    $ns initial_node_pos $n24 20

    #$ns at 0.0 "[$n1 set ragent_] blackhole1"
    #$ns at 0.0 "[$n7 set ragent_] blackhole2"
    #$ns at 0.0 "[$n13 set ragent_] blackhole3"

    #===================================
    # Multiple blackhole nodes
    #===================================
    $ns at 0.0 "[$n1 set ragent_] blackhole1"
    $ns at 0.0 "[$n7 set ragent_] blackhole2"
    $ns at 0.0 "[$n13 set ragent_] blackhole3"

    #===================================
    # Generate movement
    #===================================
    $ns at 0 " $n21 setdest 150 150 40 "
    $ns at 0 " $n20 setdest 150 150 40 "
    #$ns at 5 " $n6 setdest 650 490 40 "

    #===================================
    # Agents Definition
    #===================================
    #Setup a UDP connection
    set udp0 [new Agent/UDP]
    $ns attach-agent $n21 $udp0
    set null1 [new Agent/Null]
    $ns attach-agent $n18 $null1
    $ns connect $udp0 $null1
    $udp0 set packetSize_ 1500

    #Setup a CBR Application over UDP connection
    set cbr0 [new Application/Traffic/CBR]
    $cbr0 attach-agent $udp0
    $cbr0 set packetSize_ 1000
    $cbr0 set rate_ 1.0Mb
    $cbr0 set random_ null
    $ns at 1.0 "$cbr0 start"
    $ns at 20.0 "$cbr0 stop"

    #Setup a UDP connection
    set udp1 [new Agent/UDP]
    $ns attach-agent $n20 $udp1
    set null2 [new Agent/Null]
    $ns attach-agent $n18 $null2
    $ns connect $udp1 $null1
    $udp1 set packetSize_ 1500

    #Setup a CBR Application over UDP connection
    set cbr1 [new Application/Traffic/CBR]
    $cbr1 attach-agent $udp1
    $cbr1 set packetSize_ 1000
    $cbr1 set rate_ 1.0Mb
    $cbr1 set random_ null
    $ns at 20.0 "$cbr1 start"
    $ns at 40.0 "$cbr1 stop"

    #Setup a UDP connection
    set udp3 [new Agent/UDP]
    $ns attach-agent $n11 $udp3
    set null3 [new Agent/Null]
    $ns attach-agent $n18 $null3
    $ns connect $udp3 $null1
    $udp3 set packetSize_ 1500

    #Setup a CBR Application over UDP connection
    set cbr2 [new Application/Traffic/CBR]
    $cbr2 attach-agent $udp3
    $cbr2 set packetSize_ 1000
    $cbr2 set rate_ 1.0Mb
    $cbr2 set random_ null
    $ns at 40.0 "$cbr2 start"
    $ns at 60.0 "$cbr2 stop"

    set udp4 [new Agent/UDP]
    $ns attach-agent $n17 $udp4
    set null4 [new Agent/Null]
    $ns attach-agent $n18 $null4
    $ns connect $udp4 $null4
    $udp4 set packetSize_ 1500

    #Setup a CBR Application over UDP connection
    set cbr4 [new Application/Traffic/CBR]
    $cbr4 attach-agent $udp4
    $cbr4 set packetSize_ 1000
    $cbr4 set rate_ 1.0Mb
    $cbr4 set random_ null
    $ns at 60.0 "$cbr4 start"
    $ns at 100.0 "$cbr4 stop"

    #===================================
    # Applications Definition
    #===================================

    #===================================
    # Termination
    #===================================
    #Define a 'finish' procedure
    proc finish {} {
        global ns tracefile namfile
        $ns flush-trace
        close $tracefile
        close $namfile
        exec nam out.nam &
        exit 0
    }
    for {set i 0} {$i < $val(nn) } { incr i } {
        $ns at $val(stop) "\$n$i reset"
    }
    $ns at $val(stop) "$ns nam-end-wireless $val(stop)"
    $ns at $val(stop) "finish"
    $ns at $val(stop) "puts \"done\" ; $ns halt"
    $ns run
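The out.tr file written by this scenario can be checked for the effect of the black hole nodes. The following is an added example, not part of the thesis: it assumes the old ns-2 wireless trace format (which this script produces, since it does not enable the new trace format), the sample lines are constructed, and the function names and the two-drop threshold are assumptions. NRTE is the trace code ns-2 writes for DROP_RTR_NO_ROUTE, the drop reason used in the rt_resolve code above.

```python
from collections import Counter

# Constructed sample in the old ns-2 wireless trace format:
# event time _node_ layer reason uid type size [mac] flags [ip] ...
SAMPLE_TRACE = """\
M 0.00000 21 (263.00, 306.00, 0.00), (150.00, 150.00), 40.00
s 1.000000000 _21_ AGT  --- 0 cbr 1000 [0 0 0 0] ------- [21:0 18:0 32 0] [0] 0 0
r 1.000000000 _21_ RTR  --- 0 cbr 1000 [0 0 0 0] ------- [21:0 18:0 32 0] [0] 0 0
s 1.001000000 _21_ RTR  --- 0 AODV 48 [0 0 0 0] ------- [21:255 -1:255 30 0] [0x2 1 1 [18 0] [21 4]] (REQUEST)
s 1.004000000 _21_ MAC  --- 0 cbr 1078 [13a 16 15 800] ------- [21:0 18:0 30 22] [0] 0 0
r 1.020000000 _18_ AGT  --- 0 cbr 1020 [13a 12 16 800] ------- [21:0 18:0 28 18] [0] 3 0
s 1.008000000 _21_ AGT  --- 1 cbr 1000 [0 0 0 0] ------- [21:0 18:0 32 0] [1] 0 0
r 1.031000000 _18_ AGT  --- 1 cbr 1020 [13a 12 16 800] ------- [21:0 18:0 28 18] [1] 3 0
s 1.016000000 _21_ AGT  --- 2 cbr 1000 [0 0 0 0] ------- [21:0 18:0 32 0] [2] 0 0
D 1.040000000 _7_ RTR  NRTE 2 cbr 1020 [13a 7 16 800] ------- [21:0 18:0 29 7] [2] 2 0
s 1.024000000 _21_ AGT  --- 3 cbr 1000 [0 0 0 0] ------- [21:0 18:0 32 0] [3] 0 0
D 1.049000000 _7_ RTR  NRTE 3 cbr 1020 [13a 7 16 800] ------- [21:0 18:0 29 7] [3] 2 0
s 1.032000000 _21_ AGT  --- 4 cbr 1000 [0 0 0 0] ------- [21:0 18:0 32 0] [4] 0 0
D 1.058000000 _7_ RTR  NRTE 4 cbr 1020 [13a 7 16 800] ------- [21:0 18:0 29 7] [4] 2 0
"""


def parse_line(line):
    """Return the leading fields of a packet trace line, or None otherwise."""
    tok = line.split()
    if len(tok) < 8 or tok[0] not in ("s", "r", "f", "D"):
        return None  # movement lines, blank lines and anything unknown
    return {"event": tok[0], "time": float(tok[1]),
            "node": int(tok[2].strip("_")), "layer": tok[3],
            "reason": tok[4], "uid": int(tok[5]), "type": tok[6]}


def analyse(trace, ptype="cbr"):
    """Packet delivery ratio at agent level plus router-level drops per node."""
    sent, received, drops = set(), set(), Counter()
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != ptype:
            continue
        if rec["layer"] == "AGT" and rec["event"] == "s":
            sent.add(rec["uid"])
        elif rec["layer"] == "AGT" and rec["event"] == "r":
            received.add(rec["uid"])
        elif rec["layer"] == "RTR" and rec["event"] == "D":
            drops[(rec["node"], rec["reason"])] += 1
    delivered = len(sent & received)
    pdr = delivered / len(sent) if sent else 0.0
    return {"sent": len(sent), "received": delivered, "pdr": pdr, "drops": drops}


def suspects(drops, reason="NRTE", min_drops=2):
    """Nodes that dropped at least min_drops data packets for lack of a route."""
    return sorted(node for (node, why), count in drops.items()
                  if why == reason and count >= min_drops)


if __name__ == "__main__":
    result = analyse(SAMPLE_TRACE)
    print("PDR: %.2f" % result["pdr"], "suspects:", suspects(result["drops"]))
```

To analyse a real run, pass the contents of out.tr to analyse() in place of SAMPLE_TRACE.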
