a secure anonymous routing protocol with authenticated key exchange for ad hoc networks
DESCRIPTION
A secure anonymous routing protocol with authenticated key exchange for ad hoc networks. Authors: R. Lu, Z. Cao, L. Wang, and C. Sun Sources: Computer Standards & Interfaces, article in press. Reporter: Chun-Ta Li ( 李俊達 ). Outline. Motivation - PowerPoint PPT PresentationTRANSCRIPT
A secure anonymous routing protocol with authenticated key exchange for ad hoc networks
Authors: R. Lu, Z. Cao, L. Wang, and C. Sun
Sources: Computer Standards & Interfaces, article in press.
Reporter: Chun-Ta Li (李俊達 )
22
Outline Motivation SARPAKE (Secure Anonymous Routing Protocol
with Authenticated Key Exchange) protocol Comments
3
Motivation Reactive routing (source-initiated on-demand
driven) in privacy-vital environment Anonymity
Authenticated key exchange into the routing algorithm
4
SARPAKE protocol Notations
5
SARPAKE protocol (cont.) Assumptions
6
SARPAKE protocol (cont.) Path discovery phase
7
SARPAKE protocol (cont.) Path reverse phase
8
SARPAKE protocol (cont.) Data transfer phase
9
Comments Security weakness in data transfer phase
(non-repudiation is not achieved) (replay attack)
Node S Node DNode 1 Node 2[C||CH] [C||CH]
[C’||CH’]C = [M]SK, h=H(C)
CH = EPK1(tag#, h)
C = [M]SK, h=H(C)
CH = EPK2(tag#, h)Intruder
C’ = [M’]SK’, h’=H(C’)
CH’ = EPKD(tag#, h’)
// No one can accuse that Node 2 is guilty because all of nodes are capable
of forging this fake messages //
10
Comments Even assumption 4 is
used, anonymity might not be achieved (Assume that attacker can collect all the communication messages over ad hoc networks and tag# is public)
Comments Improvement (path discovery phase)
11
|| Nonce0n
(tag# , Nn, Nonce0n, ?, null, T0)LRT0
(tag# , Nn-1, null, ?, null, Ti)LRTi
(tag# , Nn-2, null, ?, null, Tn-1)LRTn-1
(tag# , Nn-1, null, N0, Nonce0n, Tn)LRTn
// Assume that the involved nodes for a specific route are trusted //
12
Comments Improvement (path reverse phase)
(tag# , N2, Nonce2D, NS, NonceSD, TD)LRTD
Node S Node DNode 1 Node 2
C2 = EPK2(tag#, Nonce2)
CD = EPKS(M||NonceSD+1)
[CD||C2]
(tag# , N1, Nonce12, ND, Nonce2D, T2)LRT2
C1 = EPK1(tag#, Nonce1)
CD = EPKS(M ||NonceSD+1)
[CD||C1]
(tag# , NS, NonceS1, N2, Nonce12, T1)LRT1
CS = EPKS(tag#, NonceS)
CD = EPKS(M ||NonceSD+1)
[CD||CS]
(tag# , 0, NonceSD, N1, NonceS1, TS)LRTS
M = DSKS(CD)
13
Comments Improvement (data transfer phase)
Node S Node DNode 1 Node 2
C = [M||NonceSD+2]SK,
h=H(C||NonceS1+1)
CH = EPK1(tag#, h)[C||CH]
C = [M]SK,
h=H(C||Nonce12+1)
CH = EPK2(tag#, h)
[C||CH]
C = [M]SK,
h=H(C||Nonce2D+1)
CH = EPKD(tag#, h)
[C||CH]
H(C||Nonce2D+1) ?= h
M||NonceSD+2 = DSK(C)
14
Comments An efficient and secure routing protocol for providing
anonymous channel and key exchange in ad hoc networksNode S Node DNode 1 Node 2
hS = H(tag#, KSD)
MS = [tag# ||S||D||X=gx||NonseSD)
CS = EKSD(MS)
packet = [tag# ||hop||hS||CS)
(tag# ,ND,NonceSD,?,null,TS)LRTS
packet packet packet
(tag# ,NS,null,?,null,T1)LRT1
(tag# ,N1,null,?,null,T2)LRT2
hD = H(tag#, KDS)hD ?= hS
(tag# ,N2,?,NS,NonceSD,TD)LRTD
Node S: KS1, KS2, KSD
Node 1: K1S, K12, K1D
Node 2: K2S, K21, K2D
Node D: KDS, KD1, KD2
session key table
15
Comments Path reverse phase
Node S Node DNode 1 Node 2
[D||CD||C2]
session key SK=Xy=gxy
MD = [tag# ||S||D||Y=gy||NonceSD+1)
CD = EKDS(MD)
C2 = EKD2(tag#||Nonce2D)
DK2D(C2) to recover tag#
C1 = EK21(tag#|| Nonce12)
[2||CD||C1]
DK12(C1) to recover tag#
CS = EK1S(tag#|| NonceS1)
[1||CD||CS]
DKSD(CD) to verify
NonceSD+1
session key SK=Yx=gxy
(tag# ,N1, Nonce12,ND, Nonce2D,T2)LRT2
(tag# ,NS, NonceS1,N2, Nonce12,T1)LRT1
(tag# ,ND, NonceSD,N1, NonceS1,TS)LRTS
16
Comments (cont.) Data transfer phase
Node S Node DNode 1 Node 2
[S||C||CH]
C = ESK(M||NonceSD+2), h=H(C|| NonceS1+1)CH = ES1(tag#||h)
CH = E12(tag#||h)
[1||C||CH]
CH = E2D(tag#||h)[2||C||CH]
Verify H(C|| Nonce2D+1)?=h
M||NonceSD+2 = DSK(C)
Verify H(C|| NonceS1+1)?=h
h=H(C|| Nonce12+1)
h=H(C|| Nonce2D+1)
Verify H(C|| NonceS1+1)?=h