Securing reactive routing protocols in MANETs using PKI

(PKI-DSR)

Benamar KADRI1, Mohammed FEHAM1, Abdallah M’HAMED2

1/ STIC Lab., Department of telecommunications, University of Tlemcen, Tlemcen, Algeria

2/ National Institute of Telecommunications, Evry, France

Abstract

Mobile Ad hoc Networks are deployed in many new domestic and public applications, rising to new requirements in terms of performance and efficiency. However due to their nature, some usual network services as routing and security are not carried out as well as expected. Securing routing protocols is one of these challenging tasks, since security is not natively implemented in ad hoc routing, and the extensions given in literature are complex and vulnerable against several attacks. Therefore in this paper we propose an implementation of Public Key Infrastructure (PKI) exploiting the route discovery and route reply mechanisms of reactive routing protocols to publish self-issued certificates in a distributed fashion. These certificates are used by mobile nodes to secure communications, ensure authentication, integrity, confidentiality and detect attacks in mobile ad hoc networks. Our proposed scheme is simple and utilizes the underlying protocol as a support for certificate publishing; therefore it does not affect the performance of the network. In addition, all the operations in our scheme are done in the network layer making it useful for heterogeneous networks since it has no any additional relation with other network layers as MAC and PHY.

Key words: MANETs, Security, PKI, key management, DSR, PKI-DSR, Routing.

I. Introduction

Future prevision for Mobile Ad hoc networks (MANETs) predicts fast growth and large emerging of these networks in our life, ranging from peace use for rescue in catastrophic environments such as in seism to sensor networks deployed in battlefields, in order to collect information about the enemy army or to connect soldiers [1,2].

A MANET can be easily deployed without the need of any infrastructure or other management authority, in the way that network nodes collaborate between themselves to accomplish habitual services as routing or security without needing any specified nodes or centralized servers, making these services more challenging to be carried out in MANETs [3].

On the other hand, MANETs are by nature very open to basically anyone having the proper hardware and knowledge of the network stack, exposing the whole network to potential attackers willing to modify data or disrupt the network services. Another problem is the no existence of centralized authority, responsible of cryptographic keys distribution, or security management like in wired networks which makes its management harder to be carried out [4]. Therefore, new mechanisms must be developed to ensure security in MANETs, tacking into account their specificity as the topology changing and the used medium as well as the nature of the involved devices which are in general handled devices with limited capacities [5].

This paper treats the aspect of securing routing in MANETs by the development of a new mechanism to secure reactive routing protocols and deploy Public Key Infrastructure (PKI). The proposed scheme uses the operations of reactive protocols such as route discovery and route reply to publish certificates over the network which are used after to secure the routing protocol by means of digital signatures and symmetric encryption. The use of symmetric encryption and digital signature gives for our design the possibility to detect lot of attacks, since there is no way for an attacker to infiltrate into the process of routing or data forwarding over the network.

The remainder of this paper is organized as follow; we first give an overview of the existed strategies of routing protocols in section 2. Section 3 is devoted to the problematic of security in MANETs and the most known attacks against them, followed by a brief state of the art of existed methods for securing routing protocols in MANETs. Section 5 is dedicated to the presentation of our method for securing reactive routing protocol based on PKI its strategies, underlying requests, packets format, security services and protocols, we also present an implementation of our scheme over DSR called PKI-DSR, by which we evaluation the influence of our scheme on the network performance. In section 6 we give a brief analysis of our proposed scheme concerning the most known attacks against routing. Lastly, we conclude our paper by giving some future extensions of this work.

II. Routing protocols

Due to the specificity of MANETs conventional routing protocols can not be directly applied, thus new protocols are developed and other are derived from the conventional ones to ensure routing in MANETs. Regarding the nature and the strategy of routing we can differentiate three categories of routing protocols:

Proactive routing protocols: these protocols are derived from the conventional ones, by permanently keeping a routing table in which is kept the whole network state. The routing tables are maintained by periodically exchanging routing information, in this way a node can immediately find routes when needed. On the other hand, there is a constant traffic generated for routing tables maintenance, which adds a great overhead in high mobility network where the topology changes frequently. The most known proactive protocols are OLSR (Optimized Link State Routing) [6] and DSDV (Dynamic Destination- Sequenced Distance-Vector) [7].

Reactive protocols: These protocols are the privilege of ad hoc networks, they are based on source routing, in which the route is obtained when needed by flooding the whole network with a route discovery request in order to establish a route to a given node. Examples of these protocols are DSR (Dynamic Source Routing) [8] and AODV (Ad hoc On-demand Distance Vector routing)[9]. These protocols may congest or block the network during the process of route discovery; however some protocols as DSR have proven its efficiency for ad hoc networks.

Hybrid protocols: these protocols try to overcome the shortcomings encountered in the previous protocols by dividing the whole network in regions called clusters to simplify the network management, and use a proactive strategy inside clusters and a reactive one for routing outside the clusters. Two known examples of hybrid routing protocols exist which are ZRP (Zone Routing Protocol) [10] and CBRP (Cluster Based Routing Protocol) [11].

III. Security in MANETs

Security in MANETs is a permanent need, since MANETs have no boundaries and the transmission range of the network may exceeds the area where the network is deployed exposing the network to numerous attacks, which are not easily detected such as eavesdropping [12].

Another problem is the no existence of centralized authority, responsible of the distribution of cryptographic keys or the management of the Public Key Infrastructure, as in conventional networks [13]. Furthermore, their heavy reliance on inter-node communication to ensure routing, allows a big range of attacks against routing protocols by malicious intermediate nodes as well as data modification and denial of service attacks.

Therefore, any routing protocol developed for MANETs must natively implement security during design; although all the widely used routing protocols for MANETs do not consider security issues and suppose that all the network’s nodes fairly participate in the routing operation without any malicious intention which is not always true in reality, in addition, outsider intruders can perform some attacks as Denial of Service attacks, data modification or simply eavesdropping the exchanged data.

III.1 Security risks in MANETs

In this section, we try to give an idea using simulation about the risks to which the exchanged data are exposed over a MANET. To do so, we have deployed 25 and 50 mobile nodes in the area of 670*670 m2, we have also chosen 10% of them to be intruders performing some attacks such as data modification. We have also used some CBR (Constant Bit Rate) connections with packet length of 512 bytes to emulate traffic over the network; other simulation parameters are listed in table 1. We have used as simulation tool ns2 [14], which is recognized as one of the most powerful tool for wireless and wired networks simulations.

Parameters / Values
Network size / 670*670 m2
Number of Nodes / 25, 50
Max speed / 20 m/s
Wait Time / 60 s
CBR connections / 4,5,6,7,8
Routing protocol / DSR
Number of attackers / 10%
Simulation time / 600s

Table 1 Simulation parameters

Figure 1 Number of altered packets

forwarded by each node

Figure.1 gives the average number of altered packets forwarded by each mobile node in the network with the absence of any security or intrusion detection mechanism. As we can see the number of altered packet is very high according to the number of CBR connections which is only five connections, we observe also that the number of altered packets gets high when the number of nodes is small this is because each node in a small network forward more data, which gives to the attacker more opportunity to alter and modify packets. From these simulations we can predict the danger that makes any attacker in the network, since each node in the network forwards a great portion of data giving him the ability to control and eavesdrop the majority of the exchanged data over the network.

III.2 Routing attacks

Large variety of attacks against MANETs exists, hence in this section we try to present a no exhaustive list of routing attacks:

Black Hole: This attack is usually executed against reactive protocols by injecting route reply advertising the attacker as having the shortest path, which forces the data flow to pass by the attacker in order to modify or simply to eavesdrop the exchanged traffic [15]. It can also be used to pretend that the attacker is the legitimate node.

Replay: The attacker here injects into the network routing information that has been captured previously to perturb the functioning of routing in the network or to advertise the attacker as legitimate node and perform black hole attack [12]. This attack can only be executed against poorly designed routing protocols, since any additional security mechanism like digital signature can stop this attack.

Blackmail: This attack is performed against routing protocols that are based on node behaviour to identify malicious nodes [16], which are kept in a black list to be used for route selection. The attacker usually fabricates such messages against legitimate nodes. A mechanism of digital signature and PKI are useful against these attacks.

Routing table poisoning: This attack is performed against table driven routing protocols, in the way that the attacker diffuse false routing information to its neighbours in order to disturb or block the traffic over the network. The attacker can also inject false routing information to attract all the network traffic to him in order to modify or simply eavesdropping the data flow [16].

Denial of service attacks: these attacks try to stop the traffic over the network by the disruption of the routing function in the network [17].

III.3 Securing routing protocols

In literature there are a lot of methods to secure routing protocols by adding new security issues over the existed routing methods used by these protocols. In this section we try to give an overview of some of these secured routing protocols:

The Secure Routing Protocol (SRP): is a set of security extensions that can be applied to any ad hoc routing protocol that utilizes broadcasting as its route querying method [18]. It uses a security association between the source and the destination in order to share a secret key to encrypt traffic over the discovered route.

The Authenticated Routing for Ad hoc Networks (ARAN): proposed in [19], is a stand-alone solution for securing on demand routing protocols in ad hoc networking using asymmetric cryptography and certificates to ensure both authentication and non-repudiation. It needs the existence of a trusted certificate authority to deliver certificates.

Secure Ad hoc On-demand Distance Vector (SAODV): is a security extension applied to the AODV protocol [20]. The proposed extensions utilize digital signatures and hash chains in order to secure route discovery, by applying digital signature on specific fields of the header of routing packets, the goal of this proposal is to ensure the authentication of the discovered routes.

The Secure Link State Routing Protocol (SLSP): has been proposed in [21] to provide secure proactive routing for mobile ad hoc networks. It secures the discovery and the distribution of link state information using public key cryptography, to avoid the burden due to the deployment of a certificate authority, nodes broadcast their certificate during flooding routing information which guaranties in someway the authentication of routing messages.

IV. Public Key Infrastructure (PKI)

A PKI is a set of components that manage digital certificate as publishing, distribution, renewal and revocation in a given community or network. A PKI is essentially composed of Certificate Authority (CA), Registration Authority (RA) and Certificate Revocation List (CRL). Depending on the application and the environment where a PKI is deployed all or only a sub set of these components are used. The most important component of a PKI is the certificate authority since it is the trusted party which signs and certifies certificates. A certificate is an electronic document which binds peaces of information (name, serial numbers, address, IP and MAC address) signed by the certificate authority. The current version of certificate is X.509 V3, however according to the requirement of each system new fields can be added to allow a perfect identification within the community, for example in a wireless ad hoc network we can add IP or MAC address [13], to be used in order to directly localize the corresponding node without the need of any other servers or infrastructure.

PKI is recognized as the most effective tool providing authentication and non repudiation in conventional networks, however providing such infrastructure for MANETs is a challenging task due to the nature of these networks. In literature there is lot of proposed solution such as partially distributed certificate proposed in [22] and fully distributed certificate proposed in [23], however in recent works there is new proposed solution exploiting some new aspects as clustering in order to simplify the management of PKI services [13].

For securing routing protocols in MANETs, it seems that PKI is a very powerful tool to guaranty authentication and data integrity using digital signature, however the problematic is how to distribute certificates and how to keep them secure.