1.2. Overview
In this paper, we will enhance the DSR protocol, one of the on-demand ad hoc routing protocols, in order to guarantee the authenticity and the integrity of the DSR protocol and to support a simultaneous key exchange protocol. So, we name our proposed protocol ADSR (Authenticated DSR). We consider the following as our design goals:

Table 1. Comparison of functions of secure routing protocols.

| Protocol | pre-shared key | auth. node | crypto. scheme |
|---|---|---|---|
| SAODV[9] | required | end-to-end | digital signature, hash |
| Ariadne[4] | required | all | HMAC, TESLA[7] |
| ARAN[8] | not required | hop-by-hop | digital signature, certificates |
| ADSR | not required | all | ID-based keys, HMAC |
1. Bilinearity: For $P, Q \in G_1$ and $a, b \in Z_q$, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.

2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$. Observe that since $G_1$ and $G_2$ are groups of prime order, this implies that if $P$ is a generator of $G_1$ then $\hat{e}(P, P)$ is a generator of $G_2$.

3. Computable: There is an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

The Bilinear Diffie-Hellman Problem (BDHP) is to compute $\hat{e}(P, P)^{abc} \in G_2$ given $P, aP, bP, cP \in G_1$ for some $a, b, c \in Z_q$. The Bilinear Diffie-Hellman Assumption is the well-known assumption that it is hard to solve the BDHP with non-negligible advantage in polynomial time.

2.2. ID-based Statically Keyed Authenticator

Let $s \in Z_q^*$ be the master secret of a trusted authority (TA) whose role is to issue an ID-based private key $S_i = sQ_i = sH(i) \in G_1$ derived from the identifier $i$, where $H : \{0, 1\}^* \to G_1$ is an admissible encoding function for mapping an arbitrary string to a point in $G_1$. Suppose that a node $i$ wants to send a message $m$ to a node $j$ in an authenticated manner, and $i$ has no shared secret key with $j$ but $i$ knows that its desired communicating partner's identity is $j$. The ID-based statically keyed authenticator for message $m$ can be computed as follows:

1. $i$ computes $k_{ij} = \mathrm{kdf}(\hat{e}(S_i, Q_j))$ by using its private key $S_i$ and the identifier $j$, where $\mathrm{kdf}$ is a key derivation function, and

2. computes $M_{ij} = \mathrm{HMAC}_{k_{ij}}(m)$. This $M_{ij}$ is the authenticator of node $i$ to node $j$.

The receiving node $j$ can verify the message authenticator as follows:

1. $j$ computes $k_{ji} = \mathrm{kdf}(\hat{e}(Q_i, S_j))$ by using its private key $S_j$ and the identifier $i$, that is, $k_{ji} = k_{ij}$, and then,

2. checks if $M_{ij} \stackrel{?}{=} \mathrm{HMAC}_{k_{ji}}(m)$.

If the verification holds, then $j$ is assured that the received message $m$ was really sent by $i$. This is the basic function of the ID-based statically keyed authenticator. As shown in the above procedure, $i$ and $j$ can compute a shared key $k_{ij} = k_{ji}$ non-interactively without the help of a key distribution center. The correctness of $k_{ij}$ and $k_{ji}$ can be proved by $\hat{e}(S_i, Q_j) = \hat{e}(Q_i, Q_j)^s = \hat{e}(Q_i, S_j)$.

3. Authenticated Dynamic Source Routing

3.1. Notations and Assumption

In this section, we will present an authenticated DSR ad hoc routing protocol combined with the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol[5]. When we describe our protocol, we will use the notations in Table 2 and assume that $G_1$ is a subgroup of the additive group of points of an elliptic curve defined over a finite field and $G_2$ is a subgroup of the multiplicative group of a finite field for the bilinear pairing $\hat{e} : G_1 \times G_1 \to G_2$.

Table 2. Notations for ADSR

| Notation | Description |
|---|---|
| RREQ | Route request |
| RREP | Route reply |
| src, dst | source and destination of the routing message |
| $DH_i \in G_1$ | Diffie-Hellman key exchange parameter of the node $i$ |
| HMAC | message authentication code using keyed hash function |
| {route} | node list for source routes |
| #seq | sequence number of packet |
| $k_{ij}$ | a non-interactively shared key between nodes $i$ and $j$ |
| $\mathrm{HMAC}_{k_{ij}}()$ | keyed hash function using the key $k_{ij}$ |
| hash() | cryptographic one-way hash function |
| $K_{ij}$ | a session key established after key exchange between $i$ and $j$ |

Basically, our routing protocol message is formed as the following format:

< type, src, dst, #seq, DH, {routes}, HMAC >

Although we do not put any shared key distribution mechanism, we at least assume that every node has its ID-based private key $S_{id}$ issued off-line by a trusted authority (TA) before participating in the network, where $S_{id} = sH(id)$ is computed by the TA's master secret $s$. This is a kind of key issuance similar to certificate issuance in traditional PKI, hence it differs from the shared key distribution.

In the notations in Table 2, a shared key $k_{ij}$ for computing HMAC between node $i$ and node $j$ is not necessarily established before participating in the routing protocol. This key can be non-interactively computed by both nodes using ID-based keys and can be used for computing HMAC for message $m$ according to the procedure in Section 2. So, the node $i$ can compute the key $k_{ij}$ without any share of the destination node and send a message $m$ with authenticator
$M_{ij} = \mathrm{HMAC}_{k_{ij}}(m)$ to the destination node $j$. Of course, the destination node can also verify the $M_{ij}$ by using the non-interactively established key $k_{ji}$.

However, due to the static feature of this key, it is not recommended to use the key for another cryptographic purpose such as confidentiality between the source and the destination. Hence, we need an additional key exchange protocol to establish a session key between the end-to-end nodes.

3.2. Route Discovery with Key Exchange

To clarify and understand our protocol, we assume the route in the topology, S - 1 - 2 - D, shown in Figure 1 as an example. The detailed protocol is presented in the boxed description.

Figure 1. Example topology for route discovery.

Suppose that the node $S$ wants to find a path to the destination node $D$ and establish a shared secret key. $S$ first initiates a route request message (RREQ) including its Diffie-Hellman key exchange parameter $DH_S$ and an HMAC for the static fields in the routing message using the non-interactively shared key $k_{SD}$, and $S$ broadcasts the RREQ message to the network. Each neighbor node $x$ receiving this RREQ message appends its identifier to the source route field and updates the HMAC by using the key $k_{xD}$, and then forwards the RREQ to its neighbors. Through this process, the route request packet reaches the destination node in the end.

When the destination node $D$ receives the RREQ, it computes every key $k_{iD}$, where $i$ is the identifier index in the route field, and verifies the HMAC chains. If the RREQ is verified as valid, then $D$ computes the session key $K_{SD}$ by using its session random value and $DH_S$ included in the route request packet, and sends a route reply message (RREP) to $S$. This RREP will reversely pass through the nodes specified in the source route field of the RREQ. At this moment, $D$ also appends not only its Diffie-Hellman parameter $DH_D$ corresponding to $K_{SD}$ but also an HMAC for the RREP using $k_{SD}$. A concrete protocol is described in the following boxed protocol description.

Note that the keys used for computing the HMAC in the RREQ of the source node and the RREP of the destination node are different shared keys. For the source node, it initially has no shared key with the destination, so it uses a non-interactively shared key $k_{SD}$. On the other hand, the destination $D$ can derive a session key $K_{SD}$, which will be shared with $S$, from $DH_S$ and its session random $r_D$, and $D$ computes HMAC $M_S$ by using the $K_{SD}$. When $D$ replies to $S$, $D$ appends its Diffie-Hellman parameter $DH_D$ into the RREP so that $S$ can compute the session key $K_{SD}$. Therefore, the $M_D$ acts not only as an authenticator of $D$ to $S$ but also as a key confirmation message at the same time, because if $M_D$ is verified as valid, it means that $S$ and $D$ successfully agreed on the session key $K_{SD}$.

Protocol: ADSR Route Discovery Protocol.

1. $S \to *$ : { RREQ, $S$, $D$, #seq, $DH_S$, (), $M_S$ };
   where $DH_S = r_S P \in G_1$, for $r_S \in Z_q^*$ and $P \in G_1$, and
   $M_S = \mathrm{HMAC}_{k_{SD}}(\{\mathrm{RREQ}, S, D, \#seq, DH_S\})$.

2. $1 \to *$ : { RREQ, $S$, $D$, #seq, $DH_S$, (1), $M_1$ };
   where $M_1 = \mathrm{HMAC}_{k_{1D}}(M_S, 1)$.

3. $2 \to *$ : { RREQ, $S$, $D$, #seq, $DH_S$, (1, 2), $M_2$ };
   where $M_2 = \mathrm{HMAC}_{k_{2D}}(M_1, 1)$.

4. $D$ checks the RREQ and verifies the chained HMAC:
   $M_2 \stackrel{?}{=} \mathrm{HMAC}_{k_{2D}}(\mathrm{HMAC}_{k_{1D}}(\mathrm{HMAC}_{k_{SD}}(\{\mathrm{RREQ}, S, D, \#seq, DH_S\}), 1), 2)$.
   If valid, $D$ chooses $r_D \in Z_q^*$, and then computes
   $K_{SD} = \mathrm{hash}(r_D \cdot DH_S) = \mathrm{hash}(r_D r_S P)$.

5. $D \to 2$ : { RREP, $D$, $S$, #seq, $DH_D$, (2, 1), $M_D$ };
   where $DH_D = r_D P \in G_1$, and
   $M_D = \mathrm{HMAC}_{k_{SD}}(\mathrm{HMAC}_{K_{SD}}(\{\mathrm{RREP}, D, S, \#seq, DH_D, (2, 1)\}))$.

6. $2 \to 1$ : { RREP, $D$, $S$, #seq, $DH_D$, (2, 1), $M_D$ };

7. $1 \to S$ : { RREP, $D$, $S$, #seq, $DH_D$, (2, 1), $M_D$ };

8. $S$ checks the RREP and computes $K_{SD} = \mathrm{hash}(r_S DH_D) = \mathrm{hash}(r_S r_D P)$, and verifies $M_D$:
   $M_D \stackrel{?}{=} \mathrm{HMAC}_{k_{SD}}(\mathrm{HMAC}_{K_{SD}}(\{\mathrm{RREP}, D, S, \#seq, DH_D, (2, 1)\}))$.
   If valid, $S$ accepts the route and the session key
   $K_{SD} = \mathrm{hash}(r_S \cdot DH_D) = \mathrm{hash}(r_D r_S P)$.

4. Protocol Analysis

4.1. Security

Because we aimed at authenticated routing and integrity of routing messages, we intuitively analyze our protocol focusing on these requirements.

Remarks According to [3], the authors proved that the ID-based statically keyed authenticator can be used to translate an unauthenticated protocol to an authenticated protocol if the Bilinear Diffie-Hellman Assumption holds.

Theorem 1 Assuming the security of the statically keyed authenticator and HMAC, ADSR is a secure routing protocol.
Proof : We informally prove this proposition in a heuristic manner. Suppose that there are $n$ intermediate nodes, denoted $1, 2, ..., n$, between a source node $S$ and a destination node $D$. Each statically authenticated key $k_{iD}$ to node $D$ is computed by $k_{iD} = \hat{e}(S_i, Q_D)$ $(i \in \{S, 1, 2, ..., n\})$, and the HMAC chain where each $k_{iD}$ was used can become the authenticator between node $i$ and node $D$ according to [3]. The difference in our ADSR is that the value in the HMAC field, when $D$ receives the RREQ, is a chained result where the HMAC of the previous hop is taken as an input to the HMAC computation at each intermediate node, i.e., $M_n = \mathrm{HMAC}_{k_{nD}}(\mathrm{HMAC}_{k_{n-1,D}}(\ldots(\mathrm{HMAC}_{k_{1D}}(M_S, 1), \ldots)))$. The destination node $D$ verifies the HMAC chain by computing every ID-based static key of the nodes specified in the source route field in the RREQ. In order for an adversary to break this routing protocol, the adversary must be able to reconstruct the HMAC chain without being detected by $D$. Therefore, if the adversary knows at least one of the static keys along the path from $S$ to $n$, it can easily break the protocol. However, it is infeasible for an adversary to find an ID-based statically shared key if we assume the security of ID-based static keys under the Bilinear Diffie-Hellman Assumption.

Another aspect of our ADSR is authenticated session key establishment between a source node and a destination node after performing a routing discovery protocol between them.

Theorem 2 ADSR is able to support establishing an authenticated session key between the source and the destination nodes.

Proof : When we detach the Diffie-Hellman parameter and HMAC from our ADSR, it can be viewed as an authenticated key establishment protocol in itself using the statically keyed authenticator. When we detach the Diffie-Hellman parameter and HMAC from the RREQ and RREP, it can be viewed as an authenticated key exchange protocol using the statically keyed authenticator of [3]. The authors of [3] proved that the key exchange using this authenticator formed with an ID-based key pair can become an SK-secure key agreement protocol[1]. According to their analysis, we can know that the ID-based statically keyed authenticator can be used for constructing an authenticated protocol.

$n(n - 1)/2$ complexity. Most of the secure routing protocols based on HMAC assumed that every node has pair-wise pre-shared secret keys, as compared in Table 1 in Section 1.2. However, this assumption may be impractical depending on ad hoc application scenarios. From the cryptographic operational viewpoint, our approach is an intermediate solution between a symmetric key based scheme and an asymmetric key based scheme, because our solution uses an ID-based public and private key pair but an HMAC using a symmetrically shared key, not a digital signature, is used for authentication and integrity of the routing protocol.

Another advantage of ADSR is that it can reduce communication complexity between the source node and the destination node by concurrently running the key exchange protocol with the routing protocol. In the meantime, key exchange and secure routing are separately handled. Since key exchange is an end-to-end protocol between communicating parties, it cannot help relying on the underlying routing protocol, and the routing protocol must be secured as a matter of course. So, we think that simultaneous establishment of routes and a session key between a source node and a destination node is more efficient than routing followed by key establishment.

4.3. Simulated Performance

To simulate and evaluate ADSR, we used the NS2 simulator. We modified the original DSR source code in NS2. Note that we intend to estimate the overhead imposed on the basic DSR protocol if we translate DSR to ADSR. We think that it is not interesting to compare the performance difference between our ADSR and other secure routing protocols because each protocol has different operational requirements and assumptions depending on its underlying cryptographic scheme, as described in Section 1.2.
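The RREQ HMAC chain of Section 3.2 (steps 1 to 4) and the detection argument in the proof of Theorem 1 can be exercised as follows. This is an added example, not code from the paper: the pairing-derived key $k_{iD} = \mathrm{kdf}(\hat{e}(S_i, Q_D))$ is replaced by a constructed stand-in (`static_key`), each forwarding node binds its own identifier as in the step 4 verification expression, and the field encoding, function names and sample values are assumptions.

```python
import hashlib
import hmac

# Assumption: stand-in for k_iD = kdf(e(S_i, Q_D)). The paper derives this key from a
# bilinear pairing and per-node private keys; this constructed value only models k_ij = k_ji.
TA_SECRET = b"constructed-demo-master-secret"

def static_key(i, j):
    """Pairwise static key, symmetric in (i, j) like k_ij = k_ji in Section 2.2."""
    pair = "|".join(sorted((i, j))).encode()
    return hmac.new(TA_SECRET, pair, hashlib.sha256).digest()

def mac(key, *parts):
    """HMAC over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def static_fields(src, dst, seq, dh):
    return [b"RREQ", src.encode(), dst.encode(), seq.to_bytes(4, "big"), dh]

def originate(src, dst, seq, dh):
    """Step 1: S builds the RREQ with an empty route and M_S."""
    m_s = mac(static_key(src, dst), *static_fields(src, dst, seq, dh))
    return {"src": src, "dst": dst, "seq": seq, "dh": dh, "route": [], "mac": m_s}

def forward(rreq, node):
    """Steps 2-3: node x appends its identifier and sets M_x = HMAC_{k_xD}(M_prev, x)."""
    m_x = mac(static_key(node, rreq["dst"]), rreq["mac"], node.encode())
    return {**rreq, "route": rreq["route"] + [node], "mac": m_x}

def verify_at_destination(rreq):
    """Step 4: D recomputes the whole chain from the fields and route it received."""
    src, dst = rreq["src"], rreq["dst"]
    expected = mac(static_key(src, dst),
                   *static_fields(src, dst, rreq["seq"], rreq["dh"]))
    for node in rreq["route"]:
        expected = mac(static_key(node, dst), expected, node.encode())
    return hmac.compare_digest(expected, rreq["mac"])

def demo():
    dh_s = bytes.fromhex("02" + "11" * 32)  # constructed placeholder for DH_S = r_S P
    rreq = forward(forward(originate("S", "D", 7, dh_s), "1"), "2")
    dropped_hop = {**rreq, "route": ["2"]}  # route no longer lists node 1
    swapped_dh = {**rreq, "dh": bytes.fromhex("03" + "22" * 32)}  # DH_S altered in transit
    return (verify_at_destination(rreq),
            verify_at_destination(dropped_hop),
            verify_at_destination(swapped_dh))
```

`demo()` returns one result for the untouched RREQ over S - 1 - 2 - D and one for each altered copy; only the untouched message verifies, because any change to the route list or to $DH_S$ changes a value that feeds the chain.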
other on-demand ad hoc routing protocols.
Acknowledgement