SAODV

Secure Ad hoc On-Demand Distance Vector (SAODV) Routing

Manel Guerrero Zapata
<manel.guerrero-zapata@nokia.com> Nokia Research Center Mobile Networks Laboratory

Introduction

Securing routing messages vs data messages.

Using symmetric vs asymmetric cryptosystems. So, what is SAODV?
An

extension to AODV

Uses

asymmetric cryptography to secure AODV's routing messages.

Security Requirements

Import authorization: Route information will be imported only if it concerns to the node that is sending the information. Source authentication: To be able to verify that the node is the one it claims to be.
Integrity: To be able to verify the received routing information has not been altered. Data authentication: The combination of the two last ones.

Security Attacks in AODV (1/2)

1

Impersonate a node S by forging a RREQ with its address as a originator address. When forwarding a RREQ generated by S to discover a route to D, reduce the hop count field to increase the chances of being in the route path between S and D, so it can analyze the communication between them. A variant of this is to increment the destination sequence number to make the other nodes believe that this is a 'fresher' route. Impersonate a node D by forging a RREP with its address as a destination address.

A malicious node M impersonate a node by forging a RREP that claims that the node is the destination and, to increase the impact of the attack, claims to be a network leader of the subnet SN with a big sequence number and send it to its neighbors. In this way it will became (at least locally) a blackhole for the whole subnet SN.

Security Attacks in AODV (2/2)

5

Selectively, do not forward certain RREQs and RREPs, do not reply certain RREPs Or, and do not forward certain data messages. This kind of attack is specially hard to even detect because transmission errors have the same effect. A malicious node M forges a RERR message pretending it is the node S and sends it to its neighbor D. The RERR message has a very high destination sequence number dsn for one of the unreachable destinations (U). This might cause D to update the destination sequence number corresponding to U with the value dsn and, therefore, future route discoveries performed by D to obtain a route to U will fail (because U's destination sequence number will be much smaller than the one stored in D's routing table. Generating a RREP with a maximum destination sequence number. And many more.

SAODV Digital Signatures

Digital signatures are used to protect the non-mutable data in the RREQ and RREP messages. (Solves attacks #1 & #3) Problem: Replies generated by intermediate nodes. Solutions:
They

don't

Double

Signature Extension Messages

SAODV Hash Chains

Hash chains are used in SAODV to authenticate the hop count of the AODV routing messages (not only by the end points, but by any node that receives one of those messages). This solves the attack #2. A hash chain is formed by applying a one way hash function repeatedly. Every time a node wants to send a RREQ or a RREP it generates a random number (seed). Sets Max_Hop_Count to the TimeToLive value in the IP header, and Hash to the seed value. Then, it calculates Top_Hash by hashing seed Max_Hop_Count times. Top_Hash = hMax_Hop_Count(seed)

Hash = seed

Every time a node receives a RREQ or a RREP it verifies the hop count of the message. Before rebroadcasting a RREQ or forwarding a RREP, a node hashes one time the Hash value in the Signature Extension.
Hash = h(Hash)

Top_Hash == hMax_Hop_Count Hop_Count(seed)

What about RERR messages?

They have a huge amount of mutable information.

It is not relevant if it is a generated or forwarded RERR. A node sending a RERR signs the whole message and nodes receiving verify the signature. Nodes do not update dsn from a RERR (solves attack #6).

Rebooting and Sequence Numbers

Nobody tells me what is my dsn (solves attack #7).

If I have memory I will remember my dsn after rebooting. Otherwise I wait. No cyclic sequence numbers. And once I have reached the maximum seq num, I should probably get new key pair (to avoid reply attacks).

Analysis

Hop count authentication by using hash chains is not perfect: A malign node might forward a message without increase the hop count.

More secure approaches are too expensive, and they don't solve tunneling attacks.

Tunneling attacks are not solved by SAODV. But, who can solve them?

Theoretically, misbehaving detection schemes. But not in practice.

Misbehaving Detection & Obscurity

It is hard to distinguish misbehaving from transmition failures and other events.

It has no real means to guarantee the integrity and authentication of the routing messages!

Obscurity is not the way to obtain security. There is no such thing as a tampering resistant device. We want open standards.

Future Work

Try to reduce the processing power requirements of SAODV due to the use of asymmetric cryptography. Add SAODV extension to the NRC-AODV implementation (done by me). NRC-AODV has all the basic AODV features, and was tested in the first AODV interoperability test. (NRC stands for Nokia Research Center)

Thanks To:

N. Asokan: He has contributed to the saodv draft with several improvements and corrections. He suggested the use of hash chains to authenticate the hop count and, that intermediate nodes should sign the lifetime of the RREPs. Everybody who has been discussing SAODV with me or Asokan.
To you: For your attention.

More Info

The SAODV draft:http://ant.eupvg.upc.es/~tarom/saodv.ht m Me: <manel.guerrero-zapata@nokia.com>

RREQ (Single) Signature Extension

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Hash Function | Max Hop Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Top Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RREP (Single) Signature Extension

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Hash Function | Max Hop Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Top Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RREQ Double Signature Extension

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Hash Function | Max Hop Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R|A| Reserved |Prefix Sz| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Top Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature for RREP | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RREP Double Signature Extension

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Hash Function | Max Hop Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Top Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Old Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature of the new Lifetime | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hash | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RERR Signature Extension

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RREP-ACK Signature Extension

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Signature | ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+