
A Novel Authentication scheme for Ad hoc Networks

Lakshmi Venkatraman and Dharma P. Agrawal


Center for Distributed and Mobile Computing
Department of Electrical and Computer Engineering and Computer Science
University of Cincinnati, Cincinnati, OH 45221-0030
{lvenkatr, dpa}@ececs.uc.edu

Abstract

Ad hoc networks are a new generation of networks offering unrestricted mobility without any underlying infrastructure. In these kinds of networks, all the nodes share the responsibility of network formation and management. As their principal application is in catastrophic environments, security is critical. Authentication, integrity and encryption are key issues pertaining to network security. Traditional authentication schemes cannot be effectively used in such decentralized networks. In this paper, we present an end-to-end data authentication scheme that relies on mutual trust between nodes. The basic strategy is to take advantage of the hierarchical architecture that is implemented for routing purposes. We have proposed an authentication scheme that uses TCP at the transport layer and a hierarchical architecture at the IP layer so that the number of encryptions needed is minimized, thereby reducing the computational overheads. This also results in substantial savings as each node has to maintain keys for fewer nodes.

I. INTRODUCTION

Mobile and wireless technology is growing at a rapid rate. These advances have resulted in breakthroughs that have made feasible several prospects that were hitherto thought impossible [1]. Ad hoc networks are a consequence of the ceaseless research efforts in mobile and wireless networks. They are a class of wireless networks where there is no fixed infrastructure. Unlike traditional wireless networks, they do not have base stations to coordinate the activities of mobile hosts. Each node acts as a router, transmitting messages from one node to another. These nodes also need to perform all other functions involved in any network. The hosts are also mobile, therefore the network topology changes frequently. Dynamically changing topology and lack of centralized control make it very challenging to incorporate various network layers into ad hoc networks.

These networks could be extremely useful in military environments and in any scenario where geographical, terrestrial or time constraints make it impossible to have base stations. This could be in battlefields or any other disaster situation where a network needs to be formed on an ad hoc basis without the support of any fixed infrastructure. In military applications it is desirable to have a distributed system so that the risk of the entire network being compromised due to a single central authority is taken care of. Wireless networks are more prone to security attacks as all transmissions are carried out using the air medium. They are especially susceptible to attacks of eavesdropping, replay and spoofing. These systems therefore need to have built-in features to withstand these attacks without compromising security in any way.

This work is supported by the Ohio Board of Regents Doctoral Enhancements Funds.

II. MOTIVATION

The classification of security services in any network [2] can be given as follows:

Confidentiality: Ensures that the information in a computer system and transmitted information are accessible for reading only by authorized parties.
Encryption: Ensures that the origin of a message is correctly identified, with an assurance that the identity is not false.
Integrity: Ensures that only authorized parties are able to modify transmitted information. Modification includes writing, changing status, deleting, creating or replaying of transmitted messages.
Access Control: Requires that access to information resources may be controlled by or for the target system.

Availability: Requires that computer system assets be available to authorized parties when needed.

In conventional wireless networks, the base stations are fixed and share secret keys with the mobile nodes. The base station acts as a certification authority (CA) for the mobile hosts that are in its purview. The CA ought to be a completely trusted entity and issues a digital certificate to any mobile host that needs to be authenticated. The certificate is nothing but a random string encrypted with a key that is known only by the CA. The key used could be the private key of the CA or a key that the CA shares with the receiving node. The CA also encrypts an identifier for the host and a time-stamp so that it could be used for a very limited span of time. This requires that the clocks of all the nodes be fairly synchronized. Though this scheme works fairly well in the case of wireless networks with infrastructure, it has several shortcomings that could cause security lapses in ad hoc networks. Some of the attacks [3] that could go undetected are:

Repetition that can be logged: An intruder can replay a time-stamped message within the valid time window. Although this could be avoided by using sequence numbers, replay of messages cannot be totally stopped unless the sequence numbers are encrypted.
Repetition that cannot be detected: This situation could arise because the original message could have been suppressed or delayed, so that the replayed messages arrive at their destination before the original. This is more easily possible in an ad hoc network because the links on a route could break due to node movements. Therefore the message would be buffered in an intermediate node until an alternate route is found. A malicious node listening to the channel could take advantage of such a situation and send messages using the certificate and sequence numbers of the buffered packets. The receiver would then consider the original packets as duplicates and reject them. It would also send acknowledgments to the sender for the replayed packets, but the sender would have no way to know this. This kind of attack could go undetected.

In this paper we have presented a data authentication scheme that addresses these problems. To date there are very few security schemes (in open literature) proposed for ad hoc networks. The problems related to network security have been identified and the idea of using threshold cryptography has been suggested [4]. Experiments have been performed where authentication of MAC and IP address exchange has been tried [5]. The MANET authentication architecture has also been proposed, where the emphasis is on building a hierarchy of trust in order to authenticate the IMEP messages [6]. This would be difficult to implement in practice, because in these networks the nodes are constantly moving and there is no underlying infrastructure. Therefore it may be very difficult to find common certification authorities for any two communicating nodes. In this paper we introduce an end-to-end data authentication scheme where we have attempted to minimize the encryption so that computational complexity is kept low. This is very significant in an ad hoc network because power consumption is a vital issue here. Therefore lower computational overheads would imply lower power consumption.

III. AUTHENTICATION STRATEGY

Since the authentication strategy presented here is for a hierarchical architecture, a cluster based network has been used. We have therefore discussed clustering in the next subsection. Our assumptions, design criteria and detailed strategy have been put forth in the subsequent subsections.

A. Overview of the Clustering Phenomenon

The cluster based architecture was devised to minimize the flooding of route discovery packets. The routing protocol that uses this is the Cluster Based Routing Protocol, CBRP [7]. This kind of architecture is most suitable for large networks with several nodes. The entire network is divided into a number of overlapping or disjoint 2-hop-diameter clusters as shown in Figure 1. A cluster head is elected for each cluster to maintain the cluster membership information. A cluster is identified by its cluster head ID. Each node in the network knows its cluster head(s) and therefore knows which cluster(s) it belongs to. A node regards itself as in cluster X if it has a bi-directional link to the head of cluster X. In the current implementation of CBRP, the node with lower node ID is elected as cluster head. All the nodes broadcast HELLO messages periodically. The HELLO messages also contain tables carrying information about the neighboring nodes and adjacent clusters. These HELLO messages are useful for maintaining up-to-date 2-hop topology. An in-depth study of Cluster Based Network has been made [7]. We however focus on studying the authentication scheme that is most optimal for such hierarchical architectures.

Fig. 1. Example of network divided into clusters (labels in the figure: CH1, CH2, CH3, B)

B. Assumptions

The proposed scheme is based on the following assumptions.

All the nodes of the network mutually trust one another [8]. This can be safely assumed because the formation of the network itself is after the approval of some governing body.
Each network node has sufficient computational power to execute the encryption algorithms and key generation algorithms.
Each node has sufficient memory to store the keys.
The transport protocol used is TCP [9].

C. Proposed Approach

Prior to explaining our approach, we define the different key types that are used and the method adopted for the distribution of these keys.

C.1 Key Definitions and Distribution Methodology

When a node joins the network, it is given a system public key and system private key . This pair of keys is shared by all the nodes of the network. Besides the system key, each node also needs a cluster key. This cluster key is unique to every cluster and a single cluster key is shared by all the nodes belonging to a cluster. This key is generated by the cluster head and distributed to all the cluster members. This key is encrypted with the system public key and broadcast by the head. Each cluster head also has a unique public/private key pair called the head key. This private key is known only to the head that generates it. The corresponding public key is known to all the network nodes. This is done by means of a network wide broadcast that is initiated by each head immediately after it gets elected as the leader. Thus each member node needs to maintain a pair of system keys, a cluster key and a table consisting of cluster ids and the corresponding head's public key. The cluster head has the additional responsibility of securely storing its private key.

C.2 Proposed Steps

There are three different scenarios where authentication needs to be performed. They are:

When a node joins a network for the first time: This is a trivial case where a strong authentication is done by sending a challenge and receiving a response. The system key pair is used for mutual authentication between the joining node and an existing member of the network. When a new node joins the network and is detected by a cluster head (by means of HELLO messages), it gets the cluster key and also the table containing the cluster ids and head public keys.
When a node leaves a cluster and joins another cluster: This situation arises due to the movement of nodes. When a node moves from a cluster to a new one, the new cluster head treats it as any new node joining its cluster. A mutual authentication is performed between the moved node and its new cluster head using the system key pair. The cluster head then gives the node the cluster key for the new cluster. The old cluster purges the entry for this node when it does not receive a HELLO message for a certain predefined time interval.
When a node from a cluster wishes to communicate with a node belonging to another cluster: This is a complex scenario and our scheme tries to minimize the overhead involved here. For complete confidentiality of the message, the entire packet has to be encrypted with a session key. The session key is shared solely by the two parties involved in the communication and therefore serves as authentication. But, in cases where the emphasis is on authentication alone and confidentiality is not very critical, it is unnecessary to encrypt the whole packet. A small encrypted tag appended to each packet is sufficient to achieve authentication. In order to prevent replay problems like those mentioned in Section II, we need to perform strong authentication for each packet, i.e. a series of challenge and response back and forth. It is not feasible to do this for each packet as the delays and packet overhead would be too high. In the next subsection we present our algorithm that offers reliability similar to that achieved by performing strong authentication for each packet.

C.3 Algorithm

Figure 1 shows a network with three clusters. Nodes A, B and their respective cluster heads, CH1 and CH3, are marked. The cluster head acts as the certification authority for all its members. If A wishes to communicate with B, the following steps are to be performed for data authentication and integrity.

1. The two communicating parties, A and B, exchange a session key that is only valid for one TCP session. This is exchanged after mutual authentication for which their corresponding heads act as CAs. The heads' keys are used for secretly exchanging session keys. The cluster heads then decrypt and transmit the session key to their corresponding members who are involved in the session.
2. When a node wants to establish a session with another node, it also sends this request to the head.
3. The head generates a set of k random prime numbers, ( , , ... ), that are fairly large. The value of k could be as small as 16 or 32.
4. The k numbers are encrypted first with the head's private key and then with the cluster key. Along with each number a time-stamp is encrypted so that they could be used for a limited amount of time. Therefore, each cluster head has a table containing where is encryption using cluster key, is encryption using the head's private key and is the corresponding timestamp.
5. The head then broadcasts the k encrypted values, . All other cluster members could also receive this and buffer the values since these k values could serve as authentication tags for any of the members. The tags are decrypted with the cluster key before they are buffered. They can be used as authentication tags because they have been encrypted with the head's private key. They are also encrypted with the session key to protect them from malicious listeners.
6. If the sender already has unexpired tags that it acquired by listening to earlier broadcasts from the head, then it would use the same and not send any request to the head.
7. When a window of w packets is to be sent, the k encrypted tags are used to obtain a permutation of size w. Each of these w tags is appended to one packet. The window and the format for each packet are shown in Figures 2 and 3 respectively.
8. When the receiver receives the packets with tags appended, it should be able to verify the origin and authenticity of the tags. A function called check is used for this purpose. The tags are input to the function, and the output of the function is a value that is unique for each set of input. Since the tags are prime numbers the check function could be as simple as the product of the decrypted tags. It would be unique.
9. The sender applies the check function to the tags, considering m at a time (the number m can be decided according to the application). This function is computed as , and so on.
10. The output of the function is encrypted. The highest sequence number among these m packets is also encrypted along with the value obtained from the check function. The session key is used for this encryption. The packet containing the computed checks is as shown in Figure 4.
11. When the receiver receives the packets, it also computes the check function of the received tags. The computed value is compared with that sent by the sender. If they match the sender accepts, else the sender could identify that some tags are invalid.
12. Since the check function is computed for every m packets the receiver could even narrow down the search for unauthentic packets to a range of m. The checksum field of the TCP header is also encrypted with the session key so that any tampering of data during transit would be detected by computing the checksum.

Fig. 2. Example of a Window of w Packets (packets P1, P2, P3, ..., Pw)

Fig. 3. Format of a Packet (fields: TAG | HEADER AND DATA)

Fig. 4. A packet containing the checks for the tags (fields: Encrypt(Check(0 - (m-1)), Seq Num) | Encrypt(Check(m - (2m-1)), Seq Num) | Encrypt(Check((w-m) - (w-1)), Seq Num))

IV. EVALUATION OF OUR SCHEME

In this section we have evaluated the performance of our scheme. The advantages and limitations of the proposed approach have been identified.
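The tag-and-check exchange of steps 7 to 12, together with the listener and replay cases this section evaluates, as an added example that is not code from the paper. It assumes w ≤ k, works on already-decrypted tag values, uses small constructed primes as tags, and models the session-key encryption of each check record with HMAC-SHA256 as a stand-in; all function names are hypothetical.

```python
import hashlib
import hmac
import random
from math import prod

# Constructed sample values (not from the paper): k = 16 small primes stand in
# for the "fairly large" random primes issued by the cluster head.
TAGS = [1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
        1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097]
SESSION_KEY = b"constructed-session-key"

def seal(check: int, seq: int, key: bytes) -> bytes:
    """Stand-in (assumption) for encrypting (check, highest seq) with the session key."""
    return hmac.new(key, f"{check}:{seq}".encode(), hashlib.sha256).digest()

def build_window(tags, w, m, first_seq, key, rng):
    """Sender, steps 7, 9, 10: one tag per packet, one sealed check per m packets."""
    perm = rng.sample(tags, w)                  # permutation of size w (w <= k)
    packets = [(first_seq + i, perm[i]) for i in range(w)]
    checks = []
    for start in range(0, w, m):
        group = packets[start:start + m]
        # check = product of the m prime tags, bound to the group's highest seq
        checks.append(seal(prod(t for _, t in group), group[-1][0], key))
    return packets, checks

def verify_window(packets, checks, m, key):
    """Receiver, steps 11, 12: return the (low_seq, high_seq) ranges that fail."""
    bad = []
    for i, start in enumerate(range(0, len(packets), m)):
        group = packets[start:start + m]
        expected = seal(prod(t for _, t in group), group[-1][0], key)
        if not hmac.compare_digest(expected, checks[i]):
            bad.append((group[0][0], group[-1][0]))
    return bad

def demo():
    rng = random.Random(7)                      # fixed seed for a repeatable run
    packets, checks = build_window(TAGS, w=8, m=4, first_seq=100,
                                   key=SESSION_KEY, rng=rng)
    clean = verify_window(packets, checks, 4, SESSION_KEY)
    # A tag overheard from the head's broadcast, but not part of this window,
    # is substituted into the packet with sequence number 105.
    unused = next(t for t in TAGS if t not in [p[1] for p in packets])
    forged = list(packets)
    forged[5] = (105, unused)
    tampered = verify_window(forged, checks, 4, SESSION_KEY)
    # The same tags and check records replayed under later sequence numbers.
    replayed = [(seq + 8, tag) for seq, tag in packets]
    replay = verify_window(replayed, checks, 4, SESSION_KEY)
    return clean, tampered, replay

if __name__ == "__main__":
    print(demo())
```

The substituted tag is localized to the range 104 to 107, and the replayed window fails in both groups because each check record is bound to the highest sequence number of its group.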

A. Advantages

Since the tags are encrypted with the head's private key, they serve as authentication tags. The check function helps in verifying that the source of these tags is authentic and that it is not a listener trying to use tags that were obtained by listening. Since the check function also has the encrypted sequence numbers for which it is valid, the packets cannot be replayed. Even if the same pattern of tags and check function are reused, the sequence numbers would not match. If the sequence numbers are replayed, they would be rejected as duplicates. Moreover the session key results in additional security.

The encryption of the checksum field helps in ensuring data integrity.

The cluster head needs to compute the tags once and could use them for all its cluster members. This reduces the number of encryptions to a great extent. The tags are also broadcast and therefore transmission delay is also reduced.

Each node needs to maintain the keys of just the cluster heads. This results in much lower memory usage.

B. Limitations and Future Work

The limitations of the proposed scheme are:

The cluster head needs to generate random prime numbers periodically.
The permutation of tags needs to be obtained so that a tag could be appended to each packet. Each node should be capable of running an algorithm that generates a random pattern of a specified length.
A session key should be generated for each session.

We hope to reduce the computational complexity involved so that power consumption decreases. The cluster head needs to be a powerful node in order to perform all its functions. Therefore we need to devise a clustering scheme whereby the leaders are chosen based on their computational strength.

REFERENCES
[1] D. P. Agrawal, "Future directions in mobile computing and networking systems," Mobile Computing and Communications Review, vol. 3, pp. 13-18, Oct. 1999.
[2] Bruce Schneier, Applied Cryptography, pp. 173, Second edition.
[3] William Stallings, Cryptography and Network Security: Principles and Practice, pp. 299-353, Second edition.
[4] Z. J. Haas and L. Zhou, "Securing ad hoc networks," IEEE Network Magazine, vol. 13, Nov./Dec. 1999.
[5] James Binkley, "Authenticated ad hoc routing at the link layer for mobile systems," http://citeseer.nj.nec.com/cachedpage/121413/1.
[6] M. S. Corson and Stuart Jacobs, "Manet authentication architecture," http://www.ietf.org/internet-drafts/draft-jacobs-imepauth-arch-00.txt, Aug. 1998.
[7] Mingliang Jiang, Jinyang Li, and Y. C. Tay, "Cluster based routing protocol," http://cram.comp.nus.edu.sg/cbrp/draft-ietfmanet-cbrp-spec-01.txt, Aug. 1999.
[8] M. Singhal and D. P. Agrawal, "A distributed connectivity algorithm for ad hoc networks," in Proceedings of the Symposium of High Performance Computing and Interconnection Networks, Oct. 1998, vol. 4, pp. 146-149.
[9] Behrouz A. Forouzan, TCP/IP Protocol Suite, pp. 271-318.
