2007 ECSIS Symposium on Bio-inspired, Learning, and Intelligent Systems for Security

Authenticated On-Demand Ad Hoc Routing Protocol without Pre-shared Key

Distribution

Youngho Park, Won-Young Lee and Kyung-Hyune Rhee

Division of Electronic, Computer and Telecommunication Engineering,
Pukyong National University
599-1 Daeyon-3Dong Nam-Gu Busan, Republic of Korea, 608-737.
{pyhoya, gwangchi, khrhee}@pknu.ac.kr

Abstract cooperative in a network, and sometimes it is malicious. As

Ad hoc routing is a very fundamental operation on an
ad hoc network, and hence it has been a main target for
an attacker to disrupt an ad hoc network. Therefore, not
only secure communication among nodes but also exchang-
ing some special messages for the purpose of security op-
erations, such as key exchange in ad hoc networks, can-
not help relying on the secure routing protocol. In this pa-
per, we propose an authenticated on-demand ad hoc routing
protocol integrated with a key establishment protocol with-
out pre-shared secret key distribution among ad hoc nodes.
The main advantage of the proposed protocol is that estab-
lishing a route and a session key between a source and a
destination node, when it is needed, can be performed si-
multaneously in authenticated manner through the routing
discovery protocol with no beforehand shared secret key. To
achieve our goal, we apply the notion of ID-based statically
keyed authenticator to Dynamic Source Routing protocol,
so the proposed protocol does not require a public key cer-
tificate as well as pre-shared secret key distribution.
a matter of fact, malicious nodes can fabricate routing infor-
mation and modify routing packets that pass through them.
Subsequently, networks can be fragmented by the wrong
routing information advertised by these nodes.
From an application-layer perspective, attacks to ad hoc
routing protocol are regarded as instances of a Denial-of-
Service(DoS) attack. For example, Dynamic Source Rout-
ing (DSR) protocol[10] utilizes source routes, thereby ex-
plicitly stating routes in packets. This routing information
lacks any integrity check, and hence a simple DoS attack
can be launched by just altering the source routes in the
packet header, such that the packet cannot be delivered to
the destination correctly.
Cryptography is a powerful defense against many types
of attacks. Digital signature and message authentication
code (MAC) based on cryptography[5] can identify and au-
thenticate nodes that participate in the routing. Therefore,
detecting the fabricated and distorted information and pre-
venting nodes from impersonation are possible.
1.1. Challenges

1. Introduction Generally, most cryptographic approaches to secure ad

Ad hoc routing is a collaborative work of nodes in ad hoc
networks because there is no pre-defined network infras-
tructure such as routers and network controllers to maintain
the network. Accordingly, the availability of ad hoc rout-
ing service always depends on the good behavior of nodes
within transmission range of one another. No dependency
on any network infrastructure allows to constitute a flexi-
ble network environment, on the other hand it makes ad hoc
network defenseless to some security threats. In a friendly
environment, we may expect a node to relay packets passing
through it, share information truthfully, and generate pack-
ets only when necessary. However, every node is not always
hoc networks prefer to using symmetric key cryptographic
algorithms due to its computational efficiency. For ex-
ample, HMAC-based scheme or keyed hash function for
authentication is computationally much better than digital
signature-based schemes. However, it generally requires at
most n(n − 1)/2 key distributions complexity for n nodes.
Hence, symmetric key based authentication algorithms are
efficient but requires a rather complex key management op-
eration. What is worse, when we consider the dynamic fea-
ture of ad hoc networks where the number of nodes may in-
crease or decrease due to the mobility of nodes, beforehand
shared key distribution for all nodes may be impractical in
such an ad hoc network environment.

0-7695-2919-4/07 $25.00 © 2007 IEEE 41

DOI 10.1109/BLISS.2007.9
 Alternative solution to key distribution is a key exchange
protocol for establishing a common session key between
nodes when secure communication is needed. Because key
exchange is a peer-to-peer protocol which does not rely
on a key distribution center, we think that key exchange
is suitable for ad hoc environment. However, in order to
exchange keying material between the end-to-end commu-
nicating parties in a multi-hop ad hoc network, the mes-
sages are always routed through ad hoc nodes. Accordingly,
no pre-shared secret key among nodes requires an key ex-
change through an ad hoc routing, and the routing protocol
also has to be protected from attacks in an ad hoc environ-
ment for guaranteeing the authenticity of not only a key ex-
change protocol but also an ad hoc routing protocol.
At this moment, we come to face with some questions.
How can we guarantee the authenticity of the routing in-
formation with no pre-shared secret keys among nodes par-
ticipated in routing protocol. And, how on earth can we
securely establish a session key between any pair of nodes
in a multi-hop ad hoc network without secure routing pro-
tocol yet? One solution to these questions is to use the
non-interactively shared key which can be derived from ID-
based public/private key pair, and then run route discovery
and key establishment protocol concurrently by using these
keys.
1.2. Overview
In this paper, we will enhance the DSR protocol, one of
the on-demand ad hoc routing protocol, in order to guaran-
tee the authenticity and the integrity of the DSR protocol
and support simultaneous key exchange protocol. So, we
name our proposed protocol as ADSR(Authenticated DSR).
We consider the followings as our design goals:
• Route integrity: It must prevent a malicious node from
modifying routing messages.
• Authenticity: Any unauthorized node should not be
able to participate in routing protocol.
• Key establishment: Once completing routing discovery
protocol, the source and the destination node should
establish a session key that can be subsequently used
for secure communication .
In order to achieve our goals, we will apply the notion of
Boyd et al.’s statically keyed authenticator[3] where, just by
using ID-based public key, an entity can make an HMAC-
based authenticator to its communicating partner with no
pre-shared secret key between them. The notion of ID-
based public key is widely used in recent cryptography lit-
erature as an alternative key management solution to the tra-
ditional complex public key certificate management[2]. We
think that it is advantageous to ad hoc network that nodes
42
can perform an authentication protocol based on symmet-
ric key just by using their publicly known identifiers even
though they do not have any pre-shared pair-wise secret key
among them. In our proposed protocol, a node can ver-
ify the authenticity of the received packet by computing the
non-interactively shared secret key using the identifiers con-
tained in the source route field of DSR and by checking the
chained HMAC result appended in packet. Consequently,
the proposed protocol does not require a public key certifi-
cate management and a complex shared key distribution. It
is the our main contribution.
In the last a few years, a variety of secure ad hoc rout-
ing protocols have been proposed[9][4][8]. However, those
protocols require a pre-shared secret key distribution before
constituting an ad hoc network. In fact, [9] and [8] assume
that all nodes share a pair-wise secret key with or their pub-
lic key certificates are publicly known to their neighborhood
nodes in advance, and [4] requires a TESLA key distri-
bution scheme for authenticating routing packets. Conse-
quently, previously proposed protocols are not enough to
satisfy our challenges. Nevertheless, we cannot way which
protocol is the best solution for secure ad hoc network be-
cause of their different operational requirements. Table 1
briefly shows the differences of our proposed ADSR proto-
col and other secure ad hoc routing protocols.
Table 1. Comparison of functions of secure
routing protocols.
pre-shared key auth. node crypto. scheme
SAODV[9] required end-to-end digital signature, hash
Ariadne[4] required all HMAC, TESLA[7]
ARAN[8] not required hop-by-hop digital signature, certificates
ADSR not required all ID-based keys, HMAC
The rest of this paper is organized as follows: In Sec-
tion 2, we briefly introduce a cryptographic assumptions
and tools used in our proposed protocol. We present our
proposed protocol in Section 3, and then we analyze the se-
curity and the performance in Section 4.
2. Cryptographic Tool
2.1. Bilinear Diffie-Hellman Assumption
Let G1 and G2 be two cyclic groups of prime order q.
Pairing based cryptosystems make use of a bilinear map
ê : G1 × G1 → G2 between these two groups. The map
satisfies the following properties(We can refer to [2] for un-
derstanding a concrete example of groups G1 , G2 and a bi-
linear map ê between these groups.):
 1. Bilinearity : For P, Q ∈ G1 and a, b ∈ Zq ,
ê(aP, bQ) = ê(P, Q)ab
2. Non-degenerate : The map does not send all pairs in
G1 × G1 to the identity in G2 . Observe that since G1
and G2 are groups of prime order this implies that if P
is a generator of G1 then ê(P, P ) is a generator of G2 .
3. Computable : There is an efficient algorithm to com-
pute ê(P, Q) for any P, Q ∈ G1 .
Bilinear Diffie-Hellman Problem (BDHP) is to compute
ê(P, P )abc ∈ G2 given P, aP, bP, cP ∈ G1  for some
a, b, c ∈ Zq . Bilinear Diffie-Hellman Assumption is the
well-known assumption that it is hard to solve the BDHP
with non-negligible advantage in polynomial time.
2.2. ID-based Statically Keyed Authentica-
tor
Let s ∈ Zq∗ be the master secret of a trusted author-
ity(TA) whose role is to issue an ID-based private key
Si = sQi = sH(i) ∈ G1 derived from the identifier i,
where H : {0, 1}∗ → G1 is an admissible encoding func-
tion for mapping an arbitrary string to a point in G1 . Sup-
pose that a node i wants to send a message m to a node j
in an authenticated manner, and i has no shared secret key
with j but i knows that its desired communicating partner’s
identity is j. The ID-based statically keyed authenticator
for message m can be computed as follows:
1. i computes kij = kdf (ê(Si , Qj )) by using its private
key Si and the identifier j, where kdf is a key deriva-
tion function, and
2. computes Mij = HM ACkij (m). This Mij is the au-
thenticator of node i to node j.
The receiving node j can verify the message authentica-
tor as follows:
1. j computes kji = kdf (ê(Qi , Sj )) by using its private
key Sj and the identifier i , that is, kji = kij and then,
?
2. checks if Mij = HM ACkji (m).
If the verification is hold, then j is assured that the re-
ceived message m was really sent by i. This is the ba-
sic function of ID-based statically keyed authenticator. As
shown in the above procedure, i and j can compute a shared
key kij = kji non-interactively without help of key distri-
bution center. The correctness of kij and kji can be proved
by ê(Si , Qj ) = ê(Qi , Qj )s = ê(Qi , Sj )
43
3. Authenticated Dynamic Source Routing
3.1. Notations and Assumption
In this section, we will present an authenticated DSR ad
hoc routing protocol combined with Elliptic Curve Diffie-
Hellman(ECDH) key exchange protocol[5]. When we de-
scribe our protocol, we will use the notations in Table 2
and assume that G1 is a subgroup of the additive group of
points of an elliptic curve defined over a finite field and G2
is a subgroup of the multiplicative group of a finite field for
bilinear pairing ê : G1 × G1 → G2 .
Table 2. Notations for ADSR
Notation Description
RREQ Route request
RREP Route reply
src, dst source and destination of the routing
message
DHi ∈ G1 Diffie-Hellman key exchange parameter
of the node i
HM AC message authentication code using keyed
hash function
{route} node list for source routes
#seq sequence number of packet
kij a non-interactively shared key between
nodes i and j
HM ACkij () keyed hash function using the key kij
hash() cryptographic one-way hash function
Kij a session key established after key ex-
change between i and j
Basically, our routing protocol message is formed as the
following format:
< type, src, dst, #seq, DH, {routes}, HM AC >
Although we do not put any shared key distribution
mechanism, we at least assume that every node has its ID-
based private key Sid issued off-line by a trusted author-
ity(TA) before participating in the network, where Sid =
sH(id) computed by the TA’s master secret s. This is a kind
of key issuance similar to certificate issuance in traditional
PKI, hence it differs from the shared key distribution.
In the notations in Table 2, a shared key kij for comput-
ing HMAC between node i and node j is not necessarily
established before participating in routing protocol. This
key can be non-interactively computed by both nodes using
ID-based keys and can be used for computing HMAC for
message m according to the procedure in Section 2. So, the
node i can compute the key kij without any share of the
destination node and send a message m with authenticator
Mij = HM ACkij (m) to the destination node j. Of course,
the destination node can also verify the Mij by using the
non-interactively established key kji .
However, due to the static feature of this key, it is not rec-
ommended to use the key for another cryptographic purpose
such as confidentiality between the source and the destina-
tion. Hence, we need an additional key exchange protocol
to establish a session key between the end-to-end nodes.
3.2. Route Discovery with Key Exchange
To clarify and understand our protocol, we assume the
route in the topology, S - 1 - 2 - D, shown in the figure 1
as an example. Detailed protocol is presented in the boxed
description.
Figure 1. Example topology for route discov-
ery.
Suppose that the node S wants to find a path to the desti-
nation node D and establish a shared secret key. S first ini-
tiates a route request message(RREQ) including its Diffie-
Hellman key exchange parameter DHS and HMAC for
static fields in the routing message using non-interactively
shared key kSD , and S broadcasts RREQ message to the
network. Each neighbor node x receiving this RREQ mes-
sage appends its identifier to source route field and updates
the HMAC by using the key kxD , and then forwards the
RREQ to its neighbors. Through this process, the route re-
quest packet reaches the destination node in the end.
When the destination node D receives the RREQ, it com-
putes every key kiD , where i is the identifier index in the
route field, and verifies HMAC chains. If the RREQ is ver-
ified as valid, then D computes session key KSD by using
its session random value and DHS included in route re-
quest packet, and sends route reply message(RREP) to S.
This RREP will reversely pass through the nodes specified
in the source route field of RREQ. At this moment, D also
appends not only its Diffie-Hellman parameter DHD corre-
sponded to KSD but also HMAC for the RREP using kSD .
A concrete protocol is described in the following boxed pro-
tocol description.
Note that keys used for computing HMAC in RREQ
of the source node and RREP of the destination node are
different shared keys. For the source node, it initially
44
has no shared key with the destination, so it uses a non-
interactively shared key kSD . On the other hand, the des-
tination D can derive a session key KSD , which will be
shared with S, from DHS and its session random rD , and D
computes HMAC MS by using the KSD . When D replies
to S, D appends its Diffie-Hellman parameter DHD into
the RREP so that S can compute the session key KSD .
Therefore, the MD acts not only as an authenticator of D
to S but also as a key confirmation message at the same
time because if MD is verified as valid, it means that S and
D successfully agreed session key KSD .
Protocol: ADSR Route Discovery Protocol.
1. S → ∗ : { RREQ, S, D, #seq, DHS , (), MS };
where DHS = rS P ∈ G1 , for rS ∈ Zq∗ and P ∈ G1 , and
MS = HM ACkSD ({RREQ,S,D, #seq, DHS }).
2. 1 → ∗ : { RREQ, S, D, #seq, DHS , (1), M1 };
where M1 = HM ACk1D (MS , 1).
3. 2 → ∗ : { RREQ, S, D, #seq, DHS , (1, 2), M2 };
where M2 = HM ACk2D (M1 , 1).
4. D checks the RREQ and verifies chained HMAC:
?
M2 = HM ACk2D (HM ACk1D (HM ACkSD ({RREQ, S, D,
#seq, DHS }), 1), 2).
If valid, D chooses rD ∈ Zq∗ , and then computes
KSD = hash(rD · DHS ) = hash(rD rS P )
5. D → 2 : { RREP, D, S, #seq, DHD , (2, 1), MD };
where DHD = rD P ∈ G1 , and
MD = HM ACkSD (HM ACKSD ({RREP, D, S, #seq,
DHD (2, 1)})).
6. 2 → 1 : { RREP, D, S, #seq, DHD , (2, 1), MD };
7. 1 → S : { RREP, D, S, #seq, DHD , (2, 1), MD };
8. S checks RREP and computes KSD = hash(rS DHD )
= hash(rS rD P ), and verifies MD :
?
MD = HM ACkSD (HM ACKSD ({RREP, D, S, #seq,
DHD (2, 1)})).
If valid, S accepts the route and the session key
KSD = hash(rS ḊHD ) = hash(rD rS P ).
4. Protocol Analysis
4.1. Security
Because we aimed at authenticated routing and integrity
of routing messages, we intuitively analyze our protocol
focusing on these requirements.
Remarks According to [3], the authors proved that ID-
based statically keyed authenticator can be used to translate
an unauthenticated protocol to an authenticated protocol if
the Bilinear Diffie-Hellman Assumption holds.
Theorem 1 Assuming the security of statically keyed au-
thenticator and HMAC, ADSR is a secure routing protocol.
Proof : We informally prove this proposition with heuristic
manner. Suppose that there are n intermediate nodes, de-
noted 1, 2, ..., n, between a source node S and a destination
node D. Each statically authenticated key kiD to node D
is computed by kiD = ê(Si , QD )(i ∈ {S, 1, 2, ..., n}), and
the HMAC-chain where each kiD was used can become
the authenticator between node i and node D according to
[3]. Difference in our ADSR is that the value in HMAC
field, when D received RREQ, is a chained result where the
HMAC of just previous-hop is taken as an input to HMAC
computation during each intermediate node, i.e., Mn =
HM ACknD (HM ACkn−1D (....(HM ACk1D (MS , 1), ...))).
The destination node D verifies the HMAC chain by com-
puting every ID-based static key of the node specified in
the source route field in RREQ. In order for an adversary to
break this routing protocol, the adversary must be able to
reconstruct the HMAC chain not being detected by the D.
Therefore, if the adversary knows at least one of the static
keys along the path from S to n, it can easily break the
protocol. However, it is infeasible for an adversary to find
an ID-based statically shared key if we assume the security
of ID-based static keys under the Bilinear Diffie-Hellman
Assumption.
Another aspect of our ADSR is authenticated session
key establishment between a source node and a destination
node after performing a routing discovery protocol between
them.
Theorem 2 ADSR is able to support to establish an authen-
ticated session key between the source and the destination
nodes.
Proof : When we detach the Diffie-Hellman parameter and
HMAC from our ADSR, it can be viewed as an authenti-
cated key establishment protocol in itself using statically
keyed authenticator. When we detach the Diffie-Hellman
parameter and HMAC from the RREQ and RREP, it can
be viewed as an authenticated key exchange protocol
using statically keyed authenticator of [3]. The authors of
[3] proved that the key exchange using this authenticator
formed with ID-based key pair can become an SK-secure
key agreement protocol[1]. According to their analysis,
we can know that ID-based statically keyed authentica-
tor can be used for constructing an authenticated protocol.
4.2 Operational Overhead
The use of statically keyed authenticator has the benefit
that it can get ride of the requisite for key distribution mech-
anism for establishing a pair wise key among nodes in ad-
vance. The main complexity of a secret key cryptosystem
comes from a secret key management which has at worst
45
n(n − 1)/2 complexity. Most of secure routing protocols
based on HMAC assumed that every node has pair-wise
pre-shared secret keys as compared in Table 1 in Section
1.2. However, this assumption may be impractical depend-
ing on ad hoc application scenarios. From the cryptographic
operational viewpoint, our approach is an intermediate solu-
tion between symmetric key based scheme and asymmetric
key based scheme because our solution uses ID-based pub-
lic and private key pair but HMAC using a symmetrically
shared key is used for authentication and integrity of rout-
ing protocol not by digital signature.
Another advantage of ADSR is that it can reduce com-
munication complexity between source node and destina-
tion node by concurrently running key exchange protocol
with routing protocol. In the meantime, key exchange and
secure routing are separately handled. Since key exchange
is an end-to-end protocol between communicating parties, it
cannot help relying on underlying routing protocol and the
routing protocol must be secured as a matter of course. So,
we think that simultaneous establishment of routes and ses-
sion key between a source node and a destination node are
more efficient than that of routing then key establishment.
4.3. Simulated Performance
To simulate and evaluate ADSR, we used NS2 simulator.
We modified the original DSR source code in the NS2.
Note that we are intended to estimate the overhead bur-
dened to the basic DSR protocol if we translate the DSR
to ADSR. We think that it is not interesting to compare the
performance difference between our ADSR and other se-
cure routing protocols because each protocol has different
operational requirements and assumptions depending on its
underlying cryptographic scheme as described in Section
1.2.
Figure 2. Packet delivery ratio of DSR and ADSR.
Figure 2,3,4 show the simulated performance of of
ADSR as compared with the basic DSR protocol. For
longer pause time greater than 500 second, both protocols
almost converge to 100% of PDR(Packet delivery ratio) be-
cause the longer pause time makes the node stationary and
hence the routes among nodes may become static during the

Figure 3. Normalized routing load of DSR and ADSR.
Figure 4. Average End-to-End delay of DSR and ADSR.
pause time, on the other hand ADSR has less PDR than the
basic DSR protocol in the case of shorter pause time scenar-
ios less than 200 ms. As shown in the figures, we could find
that ADSR almost has the same NRL(Normalized routing
load) compared with the basic DSR protocol, so that ADSR
does not make a heavy burden on the basic routing protocol
on the whole when the pause time is more than 200 ms.
5. Conclusion
In this paper, we proposed an authenticated DSR com-
bined with key exchange protocol, named ADSR. The main
contribution of ADSR is ensuring authentication and in-
tegrity of routing protocol, and establishing a session key at
the same time without any pre-shared key among nodes. To
achieve our goal, we applied the notion of statically keyed
authenticator derived from ID-based keys of each pair of
nodes. Our proposed protocol is an intermediate approach
between secret key cryptography and public key cryptogra-
phy because the authentication of routing protocol is based
on the HMAC not the digital signature although we use an
ID-based public key variant. So, the initial computational
overhead of ADSR is greater than that of HMAC based ap-
proach using pre-shared secret key but less than digital sig-
nature based approach. Moreover, our ADSR does not re-
quire not only a beforehand shared key distribution but also
public key certificate management. Although we assumed
DSR as our underlying routing protocol in this paper, we
expect that our design concept can be applied similarly to
46
other on-demand ad hoc routing protocols.
Acknowledgement
This research was supported by the MIC of Korea, un-
der the ITRC support program supervised by the IITA(IITA-
2006-C1090-0603-0026)
References
[1] M. Bellare, R. Canetti and H. Krawczyk, “A modular
approach to the design and analysis of authentication
and key exchange protocols”, Proceedings of the 30th
Annual ACM Symposium on Theory of Computing,
pp.419–428, 1998.
[2] D. Boneh and M. Franklin, “Identity based encryption
from the Weil pairing”, Proceedings of Advances in
Cryptology - CRYPTO ’01, Lecture Notes In Com-
puter Science 2139, Springer-Verlag, pp. 213–229,
2001.
[3] C. Boyd, W. Mao and K. G. Paterson, “Key Agree-
ment Using Statically Keyed Authenticators”, Pro-
ceedings of Applied Cryptography and Network Se-
curity, Lecture Notes in Computer Science 3089,
Springer, pp.248–262, 2004.
[4] Y. Hu, A. Perrig, D. B. Johnson. “Ariadne: A secure
On-Demand Routing Protocol for ad hoc Networks”,
Proceedings of the Eighth ACM International Confer-
ence on Mobile Computing and Networking (Mobi-
Com 2002), pp.12-23, 2002
[5] A. Menezes, P. van Oorschot and S. Vanstone, “Hand-
book of Applied Cryptography”, CRC Press, 1997.
[6] B. Park, J. Myung and W. Lee, “LSRP: A lightweight
secure routing protocol with low cost for ad-hoc
networks”, Proceeding of the International Confer-
ence on Information Networking(ICOIN’05), Lecture
Notes on Computer Science 3391, Springer, pp.160–
169, 2005.
[7] A. Perrig, R. Canetti, J. D. Tygar and D. Song, “Effi-
cient Authentication and Signing of Multicast Streams
over Lossy Channels”, Proceedings of IEEE Sympo-
sium on Security and Privacy, pp.56–73, 2000.
[8] K. Sanzgiri, D. LaFlamme, B. Kahill and B. N.
Levine, “Authenticated routing for ad hoc networks”,
Proceedings of the 10th IEEE International Confer-
ence on Network Protocols, pp.78–87, 2002.
[9] M. G. Zapata and N. Asokan, “Securing ad hoc rout-
ing protocols”, Proceedings of the 3rd ACM workshop
on Wireless security WiSE ’02, pp.1–10, 2002.
[10] “The Dynamic Source Routing Protocol for Mobile
Ad Hoc Networks (DSR)”, IETF MANET Working
Group Internet-Draft, July 2004.