
SECURE ROUTING WITH TIME-SPACE CRYPTOGRAPHY FOR MOBILE AD-HOC NETWORKS

Inwhee Joe
College of Information and Communications
Hanyang University
E-mail: iwjoe@hanyang.ac.kr

ABSTRACT

This paper describes the design and performance of a secure routing protocol with time-space cryptography for mobile ad-hoc networks. The proposed time-space scheme works in the time domain for key distribution between source and destination as well as in the space domain for intrusion detection along the route between them. For data authentication, it relies on symmetric key cryptography because of its high efficiency, and a secret key is distributed using a time difference from the source to the destination. Also, a one-way hash chain is formed on a hop-by-hop basis to prevent a compromised node or an intruder from manipulating the routing information. In order to evaluate the performance of our routing protocol, we compare it with the existing AODV protocol under the same conditions using the ns-2 network simulator. The simulation results show that the proposed protocol provides similar performance in terms of delay and throughput even with the security function.

I. INTRODUCTION

In recent years, mobile wireless networks have become increasingly important for users of computing systems. There are currently two types of mobile wireless networks: Infrastructured Network and Ad-Hoc Network. The first type refers to a network with any type of infrastructure, built by installing base stations in cellular networks or access points in wireless local area networks. On the other hand, the second type of mobile wireless network does not rely on any fixed infrastructure, forming a network in ad-hoc fashion with mobile nodes. While mobile nodes that are far apart depend on others to relay data as routers, those that are within each other's radio range communicate through direct wireless links.
Lacking a fixed infrastructure and a central trusted entity, security in mobile ad-hoc networks is inherently difficult to achieve, especially due to the need for cooperative network operation. Moreover, any mobile node may compromise routing information or actual data, since if the source and destination nodes are not within direct radio range, the intermediate nodes between them need to relay packets as routers. Also, there are additional security issues that must be considered for mobile ad-hoc networks, such as the vulnerable wireless links, the limited physical protection for each node, and the variability of trust relationships due to the dynamic changes in network topology and membership.

In general, security that is specific to mobile ad-hoc networks can be largely classified into two areas: Secure Routing and Key Management. Since each mobile node acts as a router, routing protocols are more vulnerable to attacks in mobile ad-hoc networks. In most routing protocols, routers exchange information on the network topology in order to establish and maintain routes between nodes. Such routing information can be tampered with by malicious adversaries who intend to bring the network down. They could be external attackers or compromised nodes inside. Certainly, actual data traffic should also be protected in this relay situation. Hence implementation of a secure routing protocol is one of the key security areas in mobile ad-hoc networks.

Normally, cryptographic schemes such as digital signature are used to protect both routing information and data traffic. These schemes assume the use of key management by a central trusted entity called Certificate Authority (CA) or KDC (Key Distribution Center), which is responsible for key distribution to nodes and establishment of mutual trust relationships between nodes. Introducing any central entity into mobile ad-hoc networks is problematic. That is, if it is tampered with, then the entire network can be easily compromised. To improve security in mobile ad-hoc networks in terms of key management, [3] proposes to distribute the key management function to a set of nodes using threshold cryptography.

In this paper, we focus on design and performance evaluation of our secure routing protocol for mobile ad-hoc networks. In Section 2 we explain the key concept of the time-space cryptography to provide secure routing against malicious attacks that mobile ad-hoc networks might face. In Section 3 we present a detailed description of the proposed protocol based on AODV. In Section 4 we address performance evaluation results from simulation using the ns-2 network simulator with wireless and mobility extensions. Finally, we conclude the paper by highlighting our contribution.

1 This work was supported by grant No. R08-2003-000-10383-0 from the Basic Research Program of the Korea Science & Engineering Foundation.

II. TIME-SPACE CRYPTOGRAPHY

This section presents our time-space cryptography to provide secure routing against malicious attacks that mobile ad-hoc networks might face. The proposed scheme is so named because it works in the time domain for key distribution between source and destination as well as in the space domain for intrusion detection along the route between them. Even if public key encryption is more powerful and superior in distributing keys, our scheme relies on symmetric key encryption because it is highly efficient and simple to implement. Thus, each node does not require any powerful hardware, thereby leading to a small and light device. Sometimes, limiting the size and weight is very important in terms of portability, especially when a battery is used and it is not easy to replenish, as in the battlefield environment.
The symmetric key cryptography shares a common secret key between source and destination. The most difficult problem with this approach is how only the source and the destination acquire the shared secret key without disclosing it to the outside. Normally, it is assumed that there is a central trusted entity like KDC for key distribution with secure communication links. If nodes want to communicate using symmetric key cryptography, first they need to get secret keys from the KDC prior to actual communication. However, introducing the KDC is not appropriate for mobile ad-hoc networks, because there is no fixed infrastructure or central entity according to the nature of the network architecture.

Figure 1. Key Assignment and Disclosure

Instead of a distributed approach for the KDC function, we propose the time-space cryptography to provide secret keys using a time difference in the time domain, based on the TESLA broadcast authentication protocol [4]. Our scheme requires loose time synchronization across the entire network. In the time-space cryptography, each source chooses a key randomly for each time period and publishes it later according to the predefined schedule. When a node is initialized at the system start-up, all the keys will be generated and stored in its key table. From then on, time is synchronized with the network and divided into periodic time intervals T, starting from t_0 as shown in Figure 1. For each time interval, each node chooses a key from the key table and remembers its table index for delayed key disclosure. That is, the key K_i is chosen and assigned to the time interval between t_i and t_{i+1}.

Each source pre-determines a schedule in which each key is disclosed. Let delta be the maximum time synchronization error and t_d be the maximum end-to-end transmission delay including transmission time and propagation delay. Since the destination's clock may be ahead of the source's clock by delta in the worst case, the source will not disclose a key until at least t_d + 2 × delta in the future, i.e., the maximum time to reach the destination when the synchronization error is considered. Otherwise, the secret key may be exposed to the outside even before the packet encoded with it arrives at the destination.

For example, if a node wants to send a packet during the time interval between t_i and t_{i+1}, the source picks a secret key K_i to encode the packet using a symmetric key scheme and sends it to the destination. On receipt of the encoded packet, the destination cannot decode the packet without the secret key K_i, so it will first store the packet in the buffer. According to the pre-defined schedule, the source discloses its key K_i at a later time, after the delay given above, by sending the key in a different packet to the destination. Until then, no node can decode the previous packet, because its secret key has not been published yet to anybody. Once this key arrives, the destination extracts the corresponding packet and decodes it with the key K_i.

Another aspect of our time-space cryptography is to use a one-way hash chain in the space domain from the source to the destination. Every time each node on the route receives a packet, it generates a hash value by applying the hash function to the previous hash value, the previous node address, and its node address. Our hash function is a key-less scheme (e.g., MD5 or SHA-1) with a common secret value shared between source and destination instead of an encryption key. After that, this hash value is sent to the next node and so on, until this packet reaches the destination. In addition to the previous hash value, a new hash value is calculated using only two node addresses of the previous and current nodes, thereby forming a hash chain in pair-wise rather than accumulated fashion from the source to the destination as proposed in [1].
In this way, our scheme can provide scalability as the number of nodes in the network grows, it can also reduce the computation time of hash on each node, and further, it can improve the transmission efficiency by removing the overhead of the node list carried in the packet along the way to the destination. If there is an intruder or a compromised node between the source and the destination, it might advertise incorrect routing information by deleting or inserting a node from the discovered route, which causes severe damage to the entire network. The purpose of the hash chain is to detect this situation.

Since the hash chain is formed in the direction from the source to the destination and each hash value is verified hop-by-hop on the way back to the source, no intermediate node can manipulate the node sequence of the route after all. If it happens, the next valid node detects this situation by checking the hash value, and then discards the packet.

III. SECURE ROUTING PROTOCOL

Mobile ad-hoc networks consist of mobile nodes (each node conceptually consisting of a router, a radio port and one or more host computers). To communicate with mobile nodes that are not within the transmission range, a routing protocol is required for each node. Recently, many routing protocols have been proposed for mobile ad-hoc networks. In general, they can be divided into two main categories: proactive and reactive protocols. In a proactive routing protocol, nodes periodically exchange routing information with other nodes to maintain all the routes on the network beforehand, while in a reactive approach each node attempts to discover a route on demand only when it has a packet to send. Although there is no single standard routing protocol yet for mobile ad-hoc networks, reactive routing protocols are known to perform better than proactive routing protocols in terms of lower overheads [6]. Typical examples of reactive routing protocols include the dynamic source routing (DSR) protocol and the ad-hoc on-demand distance vector (AODV) routing protocol [7].

Even if existing routing protocols are designed to cope well with the dynamic change of network topology, they are insecure against malicious attacks. Our secure routing protocol is based on AODV to provide security for mobile ad-hoc networks using the time-space cryptography described in Section 2. Most routing attacks are caused by malicious injection or modification of routing information. To defend against these attacks, each node should be able to verify the source and the data integrity by means of data authentication.
In addition, a one-way hash chain is used to provide secure routing for mobile ad-hoc networks by preventing a compromised node or an intruder from manipulating the route found in the route discovery procedure. If a node is removed from or inserted into the discovered route, the hash chain will detect it.
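The pair-wise hash chain and its hop-by-hop check on the return path, as an added Python example that is not code from the paper. It follows the Figure 3 description given later in this section (h0 over the RREQ, then SHA-1 over previous address, own address and previous hash); the 16-byte truncation, the constructed addresses and the names `link_hash`, `Node`, `discover` and `return_rrep` are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress

def link_hash(prev_addr: str, own_addr: str, prev_hash: bytes) -> bytes:
    """H(previous address, own address, previous hash), SHA-1 cut to 16 bytes
    to fit the Hash Value field size the paper gives (truncation is an assumption)."""
    data = (ipaddress.ip_address(prev_addr).packed
            + ipaddress.ip_address(own_addr).packed + prev_hash)
    return hashlib.sha1(data).digest()[:16]

class Node:
    def __init__(self, addr: str):
        self.addr = addr
        self.prev_hash = None   # hash value received in the RREQ
        self.own_hash = None    # hash value this node wrote into the RREQ

    def originate(self, rreq_without_hop_count: bytes) -> bytes:
        self.own_hash = hashlib.sha1(rreq_without_hop_count).digest()[:16]  # h0
        return self.own_hash

    def relay_rreq(self, prev_addr: str, prev_hash: bytes) -> bytes:
        self.prev_hash = prev_hash
        self.own_hash = link_hash(prev_addr, self.addr, prev_hash)
        return self.own_hash

    def check_rrep(self, sender: str, received: bytes):
        """Recompute the downstream hash from the stored value.
        Returns the hash to forward upstream, or None to discard the RREP."""
        expected = link_hash(self.addr, sender, self.own_hash)
        return self.own_hash if hmac.compare_digest(expected, received) else None

def discover(path, rreq_without_hop_count: bytes):
    """Carry the RREQ along `path` (source first, destination last)."""
    nodes = [Node(a) for a in path]
    h = nodes[0].originate(rreq_without_hop_count)
    for prev, cur in zip(nodes, nodes[1:]):
        h = cur.relay_rreq(prev.addr, h)
    return nodes

def return_rrep(nodes, hops):
    """Carry the RREP over `hops` (destination first). Returns None when every
    check up to the source passes, else the address of the node that discards it."""
    by_addr = {n.addr: n for n in nodes}
    sender, h = hops[0], by_addr[hops[0]].own_hash   # destination sends its own hash
    for addr in hops[1:]:
        node = by_addr.get(addr)
        if node is None:          # node that never relayed the RREQ: holds no state
            sender = addr
            continue
        h_up = node.check_rrep(sender, h)
        if h_up is None:
            return addr
        sender, h = addr, h_up
    return None
```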


For data authentication, our time-space scheme uses the symmetric key cryptography due to its high efficiency. It requires that each pair of nodes share a common secret key between them for point-to-point communication. To verify the source and the integrity of routing information, a message authentication code (MAC) is generated with a secret key shared between the source and the destination. That is, the source takes an outgoing packet and computes a fixed-size string known as a MAC by applying an authentication algorithm (e.g., HMAC) to the packet with the secret key. Once the MAC code is created, the source appends it to the original packet and then sends them as one packet to the destination. On receipt of the packet, the destination recomputes a MAC code just as in the source and compares it with the received MAC. If they match, then the destination can be sure of the source and the integrity of the packet. To set up a common secret key between the source and the destination for data authentication, our time-space cryptography works in the time domain such that the source supplies it to the destination after the encoded packet with this key arrives at the destination in the worst case of synchronization errors.

When a node has data to send, it first initiates a route discovery procedure in order to find a route to the destination node prior to actual data transmission. The discovery procedure is based on flooding, i.e., a source node broadcasts a route request (RREQ) packet to its neighbor nodes and then these nodes rebroadcast it until it reaches its destination. Before broadcasting the packet, the source node chooses a secret key from the key table to be assigned to the current time interval. With this key, the source computes a MAC code using the HMAC hash function over the RREQ packet and appends it to the packet. On receipt of the packet, the destination holds it in the buffer until its key arrives.
After a specified delay, the source node discloses the corresponding secret key by distributing it to the destination node in a key distribution (KDIS) packet. In our secure routing protocol, the RREQ packet has the same format as the original RREQ packet in AODV except for the following three fields appended to it: Time Interval Index, MAC Code, and Hash Value. The Time Interval Index field (e.g., 4 bytes) indicates the time interval corresponding to the secret key that is used for this RREQ packet. The MAC Code field (e.g., 20 bytes) is obtained by evaluating the HMAC hash function based on SHA-1 with the secret key over the RREQ packet excluding the mutable Hop Count and Hash Value fields. Likewise, the Hash Value field (e.g., 16 bytes) is also computed using SHA-1 to form a one-way hash chain and it is replaced with a new hash value on a hop-by-hop basis.

As shown in Figure 2, the format of the KDIS packet is similar to the RREQ packet. However, since the KDIS packet is used to distribute a secret key to the destination, it contains the actual Key Value of the secret key and the corresponding Key Interval Index. The Type field is set to 5 as a new packet type added to AODV. The Hop Count field indicates the number of hops from the source to the destination. The Destination IP Address field indicates the IP address of the destination, while the Originator IP Address field indicates the IP address of the source. Because the source has not found a route to the destination yet, it broadcasts a KDIS packet based on flooding like RREQ.

Figure 2. KDIS Packet Format

When the destination receives a KDIS packet, it extracts the secret key from this packet and then the corresponding RREQ packet from the buffer. After that, the destination node re-computes its MAC code with this key just as in the source node and compares it with the received MAC in the RREQ packet. If they match, the destination node can verify the source origin and data integrity of the RREQ packet, because the scope of the MAC code covers all the immutable fields of the RREQ packet including the source IP address. Once the data authentication of the RREQ packet is confirmed, the destination node responds with a route response (RREP) packet in a unicast transmission mode, thereby notifying the source node of a discovered route. In our secure routing protocol, the RREP packet has the same format as the original RREP packet in AODV except for the Hash Value field appended to it. Likewise, the Hash Value field is replaced with a new hash value on a hop-by-hop basis along the route back to the source.
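The RREQ authentication with delayed key disclosure described above, as an added Python example that is not code from the paper. The field set is a simplified stand-in for the AODV wire format, the values of TD and DELTA and the addresses are constructed, the KDIS is taken as delivered intact, and dropping an RREQ whose key has already been disclosed is a receiver-side check added here from the Section II reasoning.

```python
import hashlib, hmac, os
from dataclasses import dataclass, replace

T, T0 = 1.0, 0.0          # interval length (1 s as in the simulation) and start time
TD, DELTA = 0.05, 0.01    # assumed max end-to-end delay and max clock error (s)

def interval_index(t: float) -> int:
    return int((t - T0) // T)

def earliest_disclosure(send_time: float) -> float:
    """Source-side rule from Section II: wait at least t_d + 2 * delta."""
    return send_time + TD + 2 * DELTA

@dataclass(frozen=True)
class RREQ:                # simplified field set, not the AODV wire format
    rreq_id: int
    originator: str
    destination: str
    hop_count: int         # mutable in transit, so outside the MAC
    interval: int          # Time Interval Index
    mac: bytes = b""       # MAC Code (HMAC-SHA1, 20 bytes)

def mac_of(p: RREQ, key: bytes) -> bytes:
    covered = f"{p.rreq_id}|{p.originator}|{p.destination}|{p.interval}".encode()
    return hmac.new(key, covered, hashlib.sha1).digest()

class Source:
    def __init__(self, addr: str, n_intervals: int):
        self.addr = addr
        self.key_table = [os.urandom(20) for _ in range(n_intervals)]  # one key per interval

    def make_rreq(self, rreq_id: int, dest: str, now: float) -> RREQ:
        i = interval_index(now)
        p = RREQ(rreq_id, self.addr, dest, 0, i)
        return replace(p, mac=mac_of(p, self.key_table[i]))

    def make_kdis(self, i: int):
        return i, self.key_table[i]       # Key Interval Index, Key Value

class Destination:
    def __init__(self):
        self.buffer, self.disclosed = {}, set()

    def on_rreq(self, p: RREQ) -> bool:
        if p.interval in self.disclosed:  # key is public: a MAC under it proves nothing
            return False
        self.buffer.setdefault(p.interval, []).append(p)
        return True

    def on_kdis(self, i: int, key: bytes) -> list:
        self.disclosed.add(i)
        return [p for p in self.buffer.pop(i, [])
                if hmac.compare_digest(mac_of(p, key), p.mac)]

def run_scenarios() -> dict:
    src, dst = Source("10.0.0.1", 8), Destination()     # constructed addresses
    rreq = src.make_rreq(7, "10.0.0.9", now=2.3)
    dst.on_rreq(replace(rreq, hop_count=3))              # relayed: only Hop Count changed
    dst.on_rreq(replace(rreq, originator="10.0.0.66"))   # originator rewritten in transit
    i, key = src.make_kdis(rreq.interval)                # sent no earlier than earliest_disclosure(2.3)
    accepted = dst.on_kdis(i, key)
    late = RREQ(8, "10.0.0.1", "10.0.0.9", 1, i)         # built after the key became public
    late = replace(late, mac=mac_of(late, key))
    return {"accepted": [(p.originator, p.hop_count) for p in accepted],
            "late_mac_valid": hmac.compare_digest(mac_of(late, key), late.mac),
            "late_buffered": dst.on_rreq(late)}
```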

Figure 3. Hash Chain Example

Figure 3 shows an example of how to form a RREQ hash chain from the source to the destination and a RREP hash chain from the destination to the source. First of all, the source node S initializes the Hash Value field to h0 as the first value of the RREQ hash chain, and then it broadcasts a RREQ packet with h0 in it. The hash value is obtained by evaluating the SHA-1 hash function, H, over the RREQ packet without the mutable Hop Count field. When node A receives the RREQ packet from the source node, it computes a hash value again by applying the same SHA-1 hash function H over the source IP address, its IP address, and the previous hash value h0. After that, node A replaces the previous hash value h0 with a new hash value h1 and then, it re-broadcasts the RREQ packet with h1 in it. The hash values h0 and h1 are kept in the buffer of node A, until the RREP packet arrives from the destination. Likewise, the next node B generates a new hash value h2 through the previous hash value h1 to form a hash chain. Note that our scheme works in pair-wise fashion in that the hash function takes as one pair two node addresses of the previous and current nodes. This process of hash chain continues until the RREQ packet reaches the destination.

In response to the RREQ packet, the destination node D creates a RREP packet and sends it to node C after placing a new hash value h4 in the Hash Value field of this packet. Once the RREP packet is received by node C in the unicast mode, a hash value is computed locally using the stored hash value h3 and compared to the received hash value h4 of the RREP packet. If they match, node C ensures that there is no intrusion or compromise for the route from node C to D. After that, node C forwards the RREP packet with the hash value h3 in it to node B, and releases the buffer for the hash values h2 & h3. Likewise, node B also computes a hash value and compares it with the received hash value h3 of the RREP packet. If they match, node B ensures the route from node B, C to D at this point. This process repeats until the RREP packet arrives at the source. Finally, it can be ensured that there is no intrusion or compromise for the entire route from the source to the destination.

IV. SIMULATION

The objective of simulation is to evaluate our secure routing protocol with time-space cryptography for mobile ad-hoc networks. The proposed protocol was validated using the ns-2 network simulator with wireless and mobile extensions. For the time interval T of 1 sec, we measure two performance parameters such as delay and throughput. The average delay is the end-to-end delay (seconds) measured at the application layer from the source to the destination, while the throughput is the total bits per second successfully delivered to the final destination.

Figure 4. Performance of our Routing Protocol


In order to evaluate the performance of our routing protocol, we compare it with an existing protocol by simulation under the same conditions. Since our secure routing protocol is based on AODV, one of the typical ad-hoc routing protocols, AODV was selected as the protocol for the comparison study. Figure 4 presents the performance of our secure routing protocol in terms of average delay as a function of throughput, while Figure 5 presents the performance of AODV. The simulation results show that both of the routing protocols maintain very similar performance, providing an average delay of around 7 msec. Even if the proposed protocol adds a security function to the existing AODV protocol, it does not affect the performance significantly because this security function of authentication and hash chain works only in the route discovery phase.

Figure 5. Performance of AODV

V. CONCLUSIONS

In this paper, we have discussed the design and performance of a novel secure routing protocol with time-space cryptography for mobile ad-hoc networks. The key idea in the proposed time-space scheme is that it works in the time domain for key distribution between source and destination as well as in the space domain for intrusion detection along the route between them. Our secure routing protocol is based on AODV to provide security for mobile ad-hoc networks using the time-space cryptography. For data authentication, the symmetric key encryption is used due to its high efficiency and a secret key is distributed using a time difference from the source to the destination. In addition, a one-way hash chain is formed on a hop-by-hop basis to prevent a compromised node or an intruder from manipulating the route found by the route discovery procedure. We have also presented simulation results using the ns-2 network simulator with wireless and mobility extensions. The performance of the proposed protocol is similar to that of AODV in terms of delay and throughput.

REFERENCES

[1] Y. Hu, A. Perrig, and D.B. Johnson, Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks, Proceedings of ACM MobiCom, pp. 12-23, September 2002.
[2] H. Krawczyk, M. Bellare, and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, IETF RFC 2104, February 1997.
[3] L. Zhou and Z.J. Haas, Securing Ad Hoc Networks, IEEE Network Magazine, Vol. 13, No. 6, pp. 24-30, November/December 1999.
[4] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, The TESLA Broadcast Authentication Protocol, Cryptobytes, Vol. 5, No. 2, pp. 2-13, Summer/Fall 2002.
[5] Y. Hu, D.B. Johnson, and A. Perrig, SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks, Proceedings of IEEE Workshop on Mobile Computing Systems & Applications, pp. 3-13, June 2002.
[6] S. Lee and C. Toh, A Simulation Study of Table-Driven and On-Demand Routing Protocols for Mobile Ad Hoc Networks, IEEE Network Magazine, Vol. 13, No. 4, pp. 48-54, July/August 1999.
[7] C. Perkins, E. Belding-Royer, and S. Das, Ad Hoc On-Demand Distance Vector (AODV) Routing, IETF RFC 3561, July 2003.
[8] I. Joe, SCTP with an Improved Cookie Mechanism for Mobile Ad-Hoc Networks, Proceedings of IEEE GLOBECOM, December 2003.
