Securing wireless ad hoc networks: Part 1 - single and multi-hop ad hoc networks - Embedded.com

The term Ad Hoc Networks refers to networks which are formed on-the-fly (ad hoc), in other words on an as-needed basis. The term refers to those networks which use a wireless medium for communication.

Since a wired ad hoc network would be synonymous with a LAN, the term ad hoc networks almost always means ad hoc wireless networks and the two terms will be used interchangeably throughout this series of articles.

The term Mobile Ad Hoc NETworks (MANETs) refers to ad hoc networks in which the nodes forming the ad hoc network are mobile. Most ad hoc networks allow their nodes to be mobile and are therefore MANETs.

In other words, these networks are formed on an as-needed basis and do not require the existence of any infrastructure. This property makes ad hoc wireless networks suitable for use in various scenarios like disaster recovery, enemy battlefields or in areas where user density is too sparse or too rare to justify the deployment of network infrastructure economically. Figure 8.1 below shows some examples of ad hoc wireless networks.

Figure 8.1 Examples of ad hoc networks

The scenarios and examples shown in Figure 8.1 above present a small subset of scenarios where ad hoc networks may be useful. An ad hoc network may operate in a standalone fashion or may be connected to a larger network like the Internet. Since ad hoc networks have such varied areas of use, it is instructive to classify them based on certain features.

First, ad hoc networks may be classified on the basis of their geographical coverage. Therefore we have ad hoc personal area networks (PANs), ad hoc local area networks (LANs) and ad hoc wide area networks (WANs).

Second, ad hoc networks may be classified based on whether or not nodes in the network are capable of acting as routers. To understand this classification, realize that the wireless networks that we are looking at always used the fixed, static, wired infrastructure for routing.

In traditional wireless networks (TWNs), call routing was achieved by dedicated routing switches of the PSTN and the core GSM network (which consisted of MSCs and GMSCs). Furthermore, since both the PSTN and the core GSM network are wired networks which are static (that is, their network topology almost never changes), it is relatively easy to proactively distribute the network topology information to the routing switches.

This in turn allows each routing switch to precompute and maintain routes to other switches, thus facilitating routing. Similarly, in wireless local area networks (WLANs), packet routing is achieved by using Layer 2 switches and IP routers.

Again, since these routing devices are connected by a wired infrastructure and are static, it is relatively easy to proactively distribute the network topology information to the routers and switches.

Ad hoc networks have two major limitations: a) there are no dedicated routing devices (since there is no infrastructure available) and b) the network topology may change rapidly and unpredictably as nodes move. In the absence of any routing infrastructure, the nodes forming the ad hoc networks themselves have to act as routers.

A MANET may therefore be defined as an autonomous system of mobile routers (and associated hosts) connected by wireless links – the union of which forms an arbitrary graph.

Given the central importance of routing in ad hoc networks, it is not surprising that routing forms a basis for classifying ad hoc networks into two groups: single-hop ad hoc networks and multihop ad hoc networks.

Single-hop ad hoc networks are ad hoc networks where nodes do not act as routers and therefore communication is possible only between nodes which are within each other's Radio Frequency (RF) range. On the other hand, multihop ad hoc networks are ad hoc networks where nodes are willing to act as routers and route or forward the traffic of other nodes.

Security in Wireless Ad Hoc Networks
If you look closely at the basis for the two classifications, that is, the geographical coverage and the routing capability of nodes, the two classifications are not completely orthogonal. Ad hoc PANs are more likely to be single-hop ad hoc networks since nodes would be close enough to be within each other's RF range.

On the other hand, ad hoc LANs and ad hoc WANs are more likely to require nodes to have routing capability and therefore form multihop networks. Multihop ad hoc networks and their security is an active area of research. Single-hop ad hoc networks are now being used commercially and one of the most popular single-hop ad hoc wireless standards is Bluetooth.

Routing in Multihop Ad Hoc Networks
As we saw in the last section, routing is a huge challenge for multihop ad hoc networks. Not surprisingly, ensuring secure routing is an even bigger challenge. We start by looking at some of the most important routing protocols for multihop ad hoc networks, some attacks which can be launched on routing in ad hoc networks and finally, some possible solutions to these attacks.

Proactive Routing. Proactive routing protocols modify existing link-state or distance-vector-based routing protocols used in static infrastructure routing today to include support for mobility. Most protocols in this category use periodic messages to distribute information about the current network topology.

Each router then uses this network topology information to compute and maintain routes to various destinations in the network. The aim of these protocols is for each router to have a valid route to each destination at all times. (This may either be the complete route to the destination or just the next hop to the destination.)

When used in multihop ad hoc networks where each node is a router, this means that each node aims to know the route to other nodes in the network. The advantage of using these protocols is that when a node needs to send a packet, it can refer to its routing table to find out how to get the packet there.

This leads to extremely short transmission delays (only as long as it takes to look up the route from the table). On the other hand, the primary disadvantage of these protocols is that the periodic updates that are needed for distributing network topology information cost bandwidth and battery life (since nodes have to wake up periodically to broadcast and process the periodic messages).

Considering the advantages and disadvantages of proactive routing protocols, we can conclude that these protocols are most suitable in ad hoc networks where the number of nodes is small and nodes have limited mobility.

Reactive Routing. Unlike proactive routing protocols, where each node aims to maintain a route to all other nodes at all times, reactive routing protocols work by computing a route only when it is needed.

So, when a node has a packet to transmit, it first discovers the route to the destination (usually by broadcasting messages) and then sends out the message.

Since these protocols do not require periodic transmission of messages, one of the primary advantages of using reactive routing protocols is the savings in bandwidth and battery life as compared to proactive routing protocols. On the other hand, the primary disadvantage of these protocols is that packets have to wait while the node tries to find the route to the destination, thus leading to long transmission delays.

Considering the advantages and disadvantages of reactive routing protocols, we can conclude that these protocols are most suitable for ad hoc networks where the network topology is dynamic and/or where there are a large number of nodes in the network.

Hybrid Routing. Hybrid routing protocols attempt to combine the advantages of proactive and reactive protocols. A popular example is the Zone Routing Protocol (ZRP) which works by dividing the network into zones.

Within a zone, reactive routing protocols are used to cope with frequent node mobility. Inter-zone messages must be routed via the zone gateway. The zone gateways of all zones form a tier-2 network and use proactive routing among themselves since this tier-2 network is assumed to be relatively static. In summary, tier-1 (zones) uses reactive routing and tier-2 uses proactive routing.

Routing Attacks
There are quite a few routing protocols for multihop ad hoc data networks today that cope well with the dynamically changing topology of ad hoc networks. However, irrespective of which protocol is being used for routing, this routing in ad hoc networks is based on cooperation among nodes in the network.

This cooperation assumes an inherent trust relationship among nodes, which is never a good security approach, as we know. It is this inherent trusting of other nodes for routing that makes routing an attractive target for attacks.

Attacks on routing protocols can come from either nodes which are not part of the network (external attacks) or from nodes which are part of the network but which have been compromised (internal attacks). Both external and internal attackers may launch routing attacks by injecting erroneous routing information, replaying old (outdated) routing information or by distorting routing information.

Such attacks may lead to unintended network partitioning, excessive traffic load, loops in the network, inefficient routing and even a total collapse of the network. Thus, ensuring secure routing in multihop ad hoc networks is an important consideration.

Internal attacks are especially relevant in ad hoc networks which are operating in hostile environments like enemy battlefields. It is this threat of internal attacks that makes ad hoc security an extremely challenging field.

Realize that attacks launched from internal attackers are much harder to detect for two important reasons. First, if a node determines that the routing information that it has received is invalid, it is difficult for it to conclude whether the information that it has received became invalid because of changes in the network topology or because the sending node was compromised. (This can be done by comparing the received routing information analytically with the already available routing information.)

Second, a compromised node would still arguably be able to generate valid signatures using its private keys, thus making it even harder to use cryptography to detect that it has been compromised.

Secure Routing
Ensuring secure routing in multihop ad hoc networks is a big challenge because of the reasons we discussed in the previous section. However, there is one feature of ad hoc data networks which helps in achieving secure routing. This is the existence of multiple (possibly disjoint) paths in these networks which results from each node functioning as a router too.

This means that as long as there are a sufficient number of valid (non-compromised) nodes in the network, the routing protocol should be able to bypass the compromised nodes. Approaches taken to achieve secure routing may either be cryptographic or non-cryptographic. We will look at some examples of each approach later in this series.

An example of a cryptographic approach to secure routing is Authenticated Routing for Ad Hoc Networks (ARAN). ARAN is an on-demand routing protocol which uses a PKC, PKI-based approach where each node in the network has a public key and a private key. A certificate authority (CA) is required to issue certificates to all nodes in the system.

Each node signs the routing messages using its private key. This allows nodes which receive the routing messages to ensure the authenticity of the messages. Signing each routing message protects against external routing attacks since (arguably) external nodes will not be able to modify signed messages or inject valid new messages.

However, this protection comes at the cost of the increased processing overhead that is required by every node for signing every routing message. Also, note that ARAN protects only against attacks from external nodes. ARAN does not protect against attacks from internal nodes which have been compromised.

Another example of a cryptographic approach to secure routing is Security-aware Ad Hoc Routing (SAR). Instead of PKC, it uses Symmetric Key Cryptography (SKC). Each node in the network is assigned a trust level. Also, nodes at each trust level share symmetric encryption keys.

A node initiating route discovery can specify the sought trust level for the route; that is, the required minimum trust level for nodes participating in routing. Only nodes at this trust level (which know the correct key) can participate in the routing of this message. Intermediate nodes of different levels cannot decrypt or modify in-transit routing messages.

Thus, by specifying the minimum trust level, the initiating node ensures that the message is routed only by nodes which know the secret shared key. Again, this protection comes at the cost of the increased processing overhead that is required by every node for encrypting the routing message.
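
The trust-level gating that SAR relies on, as an added example that is not SAR's own code: it uses an HMAC from the Python standard library in place of SAR's encryption, so it shows only which nodes can take part in route discovery. The keys, topology, message fields and the rule that a node also holds the keys of lower levels are assumptions.

```python
import hashlib
import hmac
from collections import deque

# Constructed sample keys, one per trust level (assumption: a node at level L
# also holds the keys of every lower level, so it can serve less strict routes).
LEVEL_KEYS = {1: b"constructed-level-1-key", 2: b"constructed-level-2-key"}

def keys_for(node_level):
    return {lvl: k for lvl, k in LEVEL_KEYS.items() if lvl <= node_level}

def tag(key, rreq):
    """MAC over the whole route request, keyed with the requested level's key."""
    fields = [rreq["src"], rreq["dst"], str(rreq["level"]), ">".join(rreq["path"])]
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()

def discover(links, levels, src, dst, level):
    """Breadth-first route discovery in which only key holders relay the request."""
    key = keys_for(levels[src]).get(level)
    if key is None:
        return None                          # initiator itself lacks the level key
    first = {"src": src, "dst": dst, "level": level, "path": [src]}
    queue, seen = deque([(first, tag(key, first))]), {src}
    while queue:
        rreq, mac = queue.popleft()
        here = rreq["path"][-1]
        k = keys_for(levels[here]).get(level)
        if k is None or not hmac.compare_digest(mac, tag(k, rreq)):
            continue                         # cannot verify, so cannot take part
        if here == dst:
            return rreq["path"]
        for nxt in links[here]:
            if nxt not in seen:
                seen.add(nxt)
                fwd = dict(rreq, path=rreq["path"] + [nxt])
                queue.append((fwd, tag(k, fwd)))
    return None

# Constructed topology: S-X-D is the short path, but X is only trust level 1.
LINKS = {"S": ["X", "A"], "X": ["S", "D"], "A": ["S", "B"], "B": ["A", "D"], "D": ["X", "B"]}
LEVELS = {"S": 2, "X": 1, "A": 2, "B": 2, "D": 2}
```

Requesting level 1 yields the short route through X, while requesting level 2 forces the longer route through A and B, which is the cost of excluding the lower-trust node.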

However, the infrastructure overhead may be a little less for this scheme because of the use of SKC as opposed to PKC in ARAN.

An example of a noncryptographic approach to ensure secure routing is suggested by Sergio Marti et al. (Mitigating Routing Misbehaviour in Mobile Ad Hoc Networks). They propose the use of watchdogs and pathraters in the ad hoc network.

The watchdog identifies misbehaving nodes while the pathrater avoids routing packets through these nodes. When a node forwards a packet to the next hop, it also takes on the role of a watchdog to verify that the next node in the routing path (to whom it forwarded the packet) also forwards the packet correctly.

The watchdog does so by listening promiscuously to the next node's transmission. If the next node does not forward the packet correctly, then we can conclude that it is misbehaving and has therefore probably been compromised. (This scheme can be extended so that the system is tolerant of up to N packets not being forwarded by a misbehaving node so as to accommodate the dynamic nature of the ad hoc network.)

Thus, each node in the network takes on the role of a watchdog to ensure that the next hop is routing correctly. Note that the use of this approach assumes that per-link encryption is not being used since use of per-link encryption would not allow a watchdog to listen promiscuously to the packets transmitted from other nodes.

The information collected by the watchdogs is used by pathraters. Just like the watchdog, each node in the network also takes on the role of a pathrater at the appropriate time. The pathrater combines the information collected from the watchdog with the routing table information to select the most robust routing links.
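
A simplified sketch of the watchdog and pathrater described above, as an added example (not code from the article or from Marti et al.). The class and function names, the timeout, the SHA-256 payload comparison and the path-scoring rule are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

class Watchdog:
    """Runs on one node: did the next hop retransmit, unmodified, what we gave it?"""
    def __init__(self, tolerance, timeout=2):
        self.tolerance = tolerance        # N: failures tolerated before flagging a node
        self.timeout = timeout            # ticks to wait for the overheard retransmission
        self.pending = {}                 # packet_id -> (next_hop, digest, deadline)
        self.failures = defaultdict(int)

    def sent(self, packet_id, payload, next_hop, now):
        digest = hashlib.sha256(payload).digest()
        self.pending[packet_id] = (next_hop, digest, now + self.timeout)

    def overheard(self, packet_id, payload, transmitter):
        # Promiscuous receive of a frame transmitted by a neighbour.
        entry = self.pending.get(packet_id)
        if entry is None or entry[0] != transmitter:
            return
        del self.pending[packet_id]
        if hashlib.sha256(payload).digest() != entry[1]:
            self.failures[transmitter] += 1       # forwarded, but altered

    def expire(self, now):
        for pid, (hop, _, deadline) in list(self.pending.items()):
            if now > deadline:                    # never heard it being forwarded
                self.failures[hop] += 1
                del self.pending[pid]

    def misbehaving(self):
        return {n for n, f in self.failures.items() if f > self.tolerance}

def rate_paths(paths, watchdog):
    """Pathrater: exclude flagged nodes, then prefer fewest failures, then fewest hops."""
    bad = watchdog.misbehaving()
    usable = [p for p in paths if not bad & set(p)]
    return sorted(usable, key=lambda p: (sum(watchdog.failures.get(n, 0) for n in p), len(p)))

def demo():
    # Constructed scenario: node A sends five packets each through B and C.
    wd = Watchdog(tolerance=2)
    for i in range(5):
        data = b"pkt%d" % i
        wd.sent(("B", i), data, "B", now=i)       # B silently drops everything
        wd.sent(("C", i), data, "C", now=i)
        if i != 3:                                # one miss at C, e.g. a collision
            wd.overheard(("C", i), data, "C")
        wd.expire(now=i + 3)
    return wd.misbehaving(), rate_paths([["B", "D"], ["C", "E", "D"], ["F", "D"]], wd)
```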

Although this is an interesting approach to prevent routing attacks from internal nodes, it is not free from weaknesses. A node may not be able to detect misbehaving nodes because of multiple reasons. The existence of hidden nodes in the wireless medium allows for the possibility of collisions at the watchdog or the receiver (the next routing hop) which may corrupt the information collected by the watchdog.

Also, even though this approach may help prevent internal routing attacks which aim to modify routing paths, it does not protect against internal routing attacks which aim to partition the network. A malicious node can achieve this by reporting false information from its watchdog. More sophisticated attacks can be launched by colluding compromised nodes.

(Editor's note: For more on embedded security, check out the cover story in the October issue of Embedded Systems Design Magazine: Embedded systems security has moved to the forefront.)

Next in Part 2: Key establishment and authentication.

This article is excerpted from “Bulletproof wireless security,” by Praphul Chandra, with permission from Elsevier/Newnes which hold the copyright. It is a part of the publisher's Communications Engineering Series.

Praphul Chandra currently works as a senior research scientist at HP Labs, India, which focuses on “technological innovation for emerging countries.”
