Mukesh Singhal
WIRELESS NETWORK SECURITY 147 MAC, generated by the source using the shared key K ST The Query Sequence Num-
ber,QSEQ, is a monotonically increasing 32 bit sequence number maintained by the source node S for each destination T it has a security association with.QSEQincreases monotonically for every route request generated by S for T, thus allowing T to detect outdated/replayed requests. QSEQis initialized at the establishment of the SA and is generally not allowed to wrap around. The Query IdentifierQIDis a random 32 bit identifier generated by S and is used by the intermediate nodes as a means to identify the request. SinceQIDis an output of a secure pseudo-random number generator and is unpredictable by an adversary, it provides protection against attackers who fabricate requests only to cause subsequent requests to be dropped. SRP MAC is a 96 bit value calculated using the shared keyKSTover IP addresses of the source S and target T and the two identifiersQSEQandQID. It not only validates the integrity of the request but also authenticates the origin of the packet to the target, as the MAC could have been calculated only by the source or the destination node which have the knowledge ofKST.
When an intermediate node receives a route request, and if an SRP header is not present in the route request packet, it drops the packet. Otherwise, the node extracts the IP address of the source and destination as well as theQIDfrom the request and creates an entry for the request in the query table. If an entry already exists for that source destination pair with the sameQID, the request is dropped by the node. Otherwise, the node appends its IP address to the request and rebroadcasts the request. Thus IP addresses of the intermediate nodes keep on accumulating on the route request.
The above situation warrants that theQIDshould be sufficiently random and an adversary with finite computation capacity should not be able to predict it. Otherwise, the attacker can prevent route from being established between the given source and the destination pair, as it would fabricate request packets with thisQIDand the intermediate nodes will not forward the legitimate requests, as an entry already exists in the query table for that particularQID.
When the destination T receives this request packet, it verifies that the packet originated at the node with which it has SA. The destination compares theQSEQwith
SMAX, the maximum query sequence number received from S. IfQSEQ≤SMAX, the
request is outdated/replayed and the destination discards the packet. Else, it calculates the keyed hash of the request field and matches against the SRP MAC. The equality validates the integrity of the request as well as the authenticity of the sender.
The destination broadcasts a route reply to its one-hop neighbors in order to thwart a potentially malicious neighbor from controlling multiple replies. For each valid request, the destination puts the accumulated route in the form of IP addresses of intermediate nodes into the route reply packet. TheQSEQandQIDfields from the route request are copied into the corresponding fields of the reply packet. MAC is calculated to preserve the integrity of the packet in transit. TheQSEQandQIDfields verify the freshness of the packet to the source.
When the source S receives the route reply packet, it checks source and destination addresses, QID andQSEQ and discards the reply if it does not correspond to the currently pending query. Otherwise, it compares the reply IP source-route with the
148 VENKATA C. GIRUKA and MUKESH SINGHAL reverse of the route carried in the reply payload. If the two routes match, MAC is calculated using the replied route, the SRP header fields, andKST. The successful verification confirms that the request did indeed reach the intended destination T and the reply was not corrupted on the way back from T to S. Furthermore, since the reply packet has been routed and successfully received over the reverse of the route it carries, the routing information has not been compromised during the request propagation.
Intermediate nodes also measure the frequency of queries received from their neigh- bors. Intermediate nodes maintain a priority ranking of their neighbors - highest priority to nodes generating requests at the lowest rate and the lowest rating for nodes generating requests with highest rate. In case two packets arrive at the same time, the neighbor whose ranking is higher, is given priority in routing over the one with the lower ranking. The secure routing protocol guarantees the discovery of a correct route, even in the presence of malicious nodes. The protocol obviates the need of a certification authority, thereby suiting itself to the ad-hoc paradigm. The protocol does not necessitate the knowledge of keys of all member nodes. The only requirement of this protocol is that there should be a prior security association between the source and the destination nodes. This kind of a security association is realized through shared secret keys between any two pair of nodes. However, when malicious nodes succeed in subverting benign nodes, the malicious nodes could easily gain access to the shared secret keys. The malicious node can then masquerade as the subverted node and initiate communication with other good nodes with whom the subverted node has a security association.
4.3. ARIADNE
Ariadne [8] is an on-demand secure routing protocol based on the DSR protocol. Ariadne prevents attackers or compromised nodes from tampering with uncompromised routes consisting of benign nodes. It is based on efficient symmetric cryptographic primitives and prevents several types of denial of service attacks. Unlike SRP, Ariadne uses a broadcast authentication protocols TESLA [18], which enables a node to verify that a broadcast packet (like RREQ) received by the node is indeed generated by the initiator of the message. Such a broadcast authentication is essential in defending against impersonation and denial of service attacks. The basic idea of the Ariadne protocol is to insure that the destination node can authenticate the source node, the source node can authenticate every intermediate node on the path from the source to the destination (received by the source in RREP), and malicious nodes cannot tamper with routes in RREQ or RREP by inserting dummy IDs or removing benign node IDs. The idea behind the TESLA protocol is to have a random initial key (kn) for each node from which each node generates a one-way key chain by repeated computation of a one-way hash function (H) such thatkn−1=H(kn)and in general for anyj < i,
kj=Hi−j(ki). A node discloses each key of its one-way key chain in an order that is exactly the reverse of the order in which the node generates the keys. Further, a node publishes its keykiat a timeT0+i∗t, whereT0is the time at whichk0is published, and tis the key publication interval. The rationale behind having a reverse key disclosure schedule is that using a previously known hash chain element, likekj, any other node
WIRELESS NETWORK SECURITY 149