anonymous communications in mobile ad hoc networks yanchao zhang, wei liu and wenjing lou presented...

Anonymous Communications in

Mobile Ad Hoc Networks

Yanchao Zhang, Wei Liu and Wenjing Lou

Presented byVivian Bates and Kevin Walker

2

Outline I Introduction

II Preliminaries and Models

III MASK System Model

IV Performance Evaluation

V Related Work

VI Conclusion

3

Definitions• MANETs

• Mobile Ad hoc NETwork• Ad hoc communication

• Allows devices anytime and anywhere to establish communication without the aid of a central infra structure

• Anonymous communication• Sender and/or receiver identities hidden from outside observers

• Traffic analysis• A passive attack when an adversary observes network traffic in order to infer

sensitive information about applications and/or the system• Pairing

• Creation or exchange of a link key between two devices. • Link key

• Authentication key used to establish a link between devices

4

Basic Mobile Ad Hoc

Start

Nodes send signal to find the number of other nodes within range

Synchronizing between nodes

Sender node send messages to receiving node

receiving node ready

Communication begins

Termination Process

Stop

Receiving nodeSend backReady signal

Is Wait for

sometime

NoYes

5

Mobile Ad Hoc Networks(MANETs)

SELF-CONFIGURATION A system configures its own network-based services

and applications in response to the needs of user and the environment of the system

SELF-MAINTENANCE Dynamic routing Point-to-point link failure covered

6

Mobile Ad Hoc Networks(MANETs)

Personalcell phones laptops

Military military battlefields operations (tanks,planes and soldiers)

Civilianmeeting roomsboats and small aircraftssport stadiums

Emergencyhomeland security scenariospolice and firefightersrescue missions

7

Military Traffic Analysis

Frequent communications — can denote planning

Rapid, short, communications — can denote negotiations

A lack of communication — can indicate a lack of activity, or completion of a finalized plan

Frequent communication to specific stations from a central station — can highlight the chain of command

Who talks to whom — can indicate which stations are 'in charge' and which aren't, which further implies something about the personnel associated with each station

Who talks when — can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations

Who changes from station to station, or medium to medium — can indicate movement, fear of interception

9

Counter Measurements to Prevent Interception or

Detection LPI/LPD Communication Techniques

Spread spectrum modulation Effective power control Directional antennas

Traffic Padding End to End Encryption and/or Link

Encryption on Data Traffic

10

MASKAn Anonymous On-Demand

Routing Protocol

A novel anonymous on-demand routing protocol Based on a cryptographic concept termed MASK

Anonymous neighborhood authentication Based on dynamically changing pseudonyms of nodes

not real identifiers or network-layer addresses and /or MAC addresses Anonymous route discovery and data forwarding

Based on pairwise shared link identifiers (LinkIDs) between neighbors

11

Preliminaries and ModelsPairing Concept

Bilinearity

Non-degeneracy

Computability

Let G1,G2 be two groups of the same prime order qView G1 as an additive group and G2 as a multiplicative group

Pairing is a computable bilinear map f : G1 x G1 ----> G2 satisfying the following properties:

12

Adversarial Model

Active Visible attacks

Radio jamming DoS attacks

Countermeasures: frequency hopping

Passive Invisible attacks

Eavesdropping Inject a small amount of small packets for better traffic analysis

Countermeasures: spread spectrum, traffic padding, LPI/LPD communication techniques

13

Network Model

Nodes within transmission range

Wireless links are symmetric

Each MAC interface is set for “promiscuous” mode

Each node can manipulate source addresses

14

Performance EvaluationCryptographic Implementation

1. Anonymous neighborhood authentication

2. Hop by hop link encryption/decryption of routing replies (ARREPs) and data packets

• Tate pairing bilinear map f• SHA-1 (hash function H1 and H2) for collision

resistance• RC6 (symmetric algorithm)• The computational overhead and end to end packet

delay are affordable.– 1000 pairs costs 2.4 ms– New established shared < S Key, LinkID> pairs can generate

new pairs instantly.– Hop-by-hop link encryption/decryption are not time consuming

15

Communication Performance of MASK with AODV

• MASK– Network wide flooding of

ARREQs– Packets not always routed

along the shortest paths

• AODV– **Expanding ring search method

20 packet loads: MASK and AODR similar

• MASK– **Virtual multi-path

(simultaneously maintaining several pre-hops and next-hops for one given destination)

– **Random selection of next-hops ( load balancing method)

• AODV– Unreachable next-hops are

dropped

»

40 packet loads: MASK outperforms AODR

** advantage

16

(Fig b) Average Nodal SpeedMASK is comparable or lower routing overhead than AODV( **conducts route discovery less frequently than AODV)

(Fig c) Average Packet DelayMASK behaves worst than AODV under normal traffic load(per-hop random delay,fixed encryption/decryption delay,Tate pairing operation)

MASK recorded an advantage over AODV under heavy traffic load(the virtual multi-path effect and processing delay helped to mitigate the possible MAC layer collisions

** Advantage

Routing Performance Continued

17

MASK OBJECTIVES Sender and relationship anonymity

Concealment of who is sending or receiving a particular packet (end to end communication)

Concealment of who is talking to who(point to point transmission)

Untraceability and unlocatability A particular packet can not be traced back to its source or to its destination

Anonymous neighborhood authentication Neighboring nodes to achieve mutual authentication without disclosing

their real identifiers

Low cryptographic overhead and high routing efficiency Utilizing pairing,efficient hash functions and symmetric –key algorithms Routing efficiency comparable to AODV protocol

Resistance to a wide range of adversarial attacks Message coding, flow recognition, and timing analysis

18

MASK ACHIEVEMENTS {Strong} Sender and relationship anonymity

Concealment of who is sending or receiving a particular packet (end to end communication)

Concealment of who is talking to who(point to point transmission) {Flowed under a strong adversarial model} Untraceability and

unlocatability A particular packet can not be traced back to its source or to its destination

{Pairwise secret <SKEY, LinkID> pairs prevented detection} Anonymous neighborhood authentication

Neighboring nodes to achieve mutual authentication without disclosing their real identifiers

{Comparable routing performance with the classic AODV protocol} Low cryptographic overhead and high routing efficiency

Utilizing pairing,efficient hash functions and symmetric –key algorithms Routing efficiency comparable to AODV protocol

{Immune } Resistance to a wide range of adversarial attacks Message coding, flow recognition, and timing analysis

19

Instead of using on demand route discovery ,cryptographic “trapdoor” that would guarantee unconditional anonymity

MASK provided conditional anonymity utilizing the destination ‘s identifier in ARREQs to achieve much better routing efficiency

tradeoff

Internal adversaries residing on forward path may know the sender and/or receiver identifiers of a particular packet but can not match the identifier to a particular node.

MASK ACHIEVEMENTS CONTINUED

20

WIRED NETWORKS

Chaum Mixes-a layered object that route data through a chain of pre deployed intermediate nodes.

ReedOnion routing protocol-data wrapped in a series of encrypted layers

AD HOC NETWORKS

Jiang Traffic Padding- generated dummy traffic into the network

Kong and HongANODR- an anonymous on demand routing protocol using “trapdoor”

Related Work

21

MASK System Model

• Bootstrapping – Trust authority determines MASK system parameters– <G1, G2, f, H1, H2>

•G1, G2 => q-order cyclic groups•f => bilinear mapping function•H1, H2 => collision-resistant cryptographic hash functions

– Nodes are blind to the system master key, g.

22

Anonymous Neighborhood Authentication

• Two neighboring nodes can have a trustable relationship without revealing their real identifiers or party membership.

• Three conventional approaches in large-scale MANETs.– Network-Wide Shared Key – vulnerable to single

node compromise.– Each node shares pairwise keys with all other nodes

– lack of scalability…too many keys to bootstrap!– Nodes have mutual authentication based on public-

key certificates – could disclose identity or party membership based on the CA who issues the certificate.

23

MASK System Model

• Nodes use dynamically changing pseudonyms instead of real identifiers.

• Trust Authority supplies– PSi => set of collision-resistant

pseudonyms.– Si => secret point set– Discrete Logarithm Problem is

believed to be hard.•Given P and Q within a set, hard to find

and integer n such that Q=nP

24


• All is not lost! MASK allows us to establish pairwise shared link keys and link identifiers based on system parameters.– i.e. the TA does not have to issue all the

nodes a key, they can create their own.

25


• Alice and Bob communicate with a random pseudonym picked from their set.

1. Alice needs to be authenticated and Bob sees this.2. Bob calculates a session key based on Alice’s pseudonym

and the secret point corresponding to his pseudonym, and an authenticator based on the key and the two random nonces.

3. After receiving Bob’s reply, Alice can calculate the session key and authenticate Bob based on his authenticator.

4. Alice sends out a similar authenticator to Bob.5. We have anonymous authentication between Alice and

Bob!

26


• After a successful handshake, Alice and Bob can compute Г pairs of shared session keys and link identifiers based on the previous key used, the two random nonces, and a sequence number.

• The collision resistant hash functions and bilinear mapping ensure unique pairs within the network.

• There is no apparently relationship between the key/identifier pairs between two nodes with the same random nonces due to the hashes.

27


• Each node keeps a neighbor table filled with each neighbor’s key, link identifier, and current pairwise sequence number.

• Each pairwise set of nodes needs to have a simple agreement on how to synchronize the use of the key/link identifier pairs.

• When Г pairs have been used, Alice and Bob need to increment their nonces by one and generate another set of Г pairs.– Synchronization of the pairs is implicitly

guaranteed via this mechanism.

28


• Since only the TA can link a given pseudonym to a node, the eavesdropper Trudy learns nothing of importance.– Trudy is blind to party membership, real

identifiers, and the party itself.– Trudy cannot calculate the shared

key/link identifier pair either.• Anonymous Authentication has been

achieved!

29

Anonymous Route Discovery

• Basic System Setup– Each node has

• Neighbor table• Forwarding route table –

– <dest_id, destSeq, pre-link, next-link>• Reverse route table

– <dest_id, destSeq, pre-hop-pseudonym>• Target link table

– Current node is the final destination for the packets bearing the link identifiers in this table.

30


• Anonymous Route Requests (ARREQ)– <ARREQ, ARREQ_id, dest_id, destSeq,

PSx>– ARREQ_id is a globally unique identifier

for this request.– destSeq is the last known sequence

number for the destination.– PSx is the active pseudonym of the

source.

31


• C receives an ARREQ for the first time– It inserts an entry into its reverse route table with the

source of the ARREQ– Rebroadcasts the ARREQ after changing the

pseudonym field to its own.• ARREQs with previously seen ARREQ_ids are simply

discarded.• This continues until all nodes have broadcast the ARREQ,

including the destination.– This prevents the destination being singled out as the

one who did not broadcast the ARREQ.

32


• Anonymous Route Replies (ARREP)– <LinkID, {ARREP, dest_id, destSeq}SKey> – LinkID is the next to be used link identifier

between the current node and the next hop.

– {ARREP, dest_id, destSeq}SKey is encrypted with a symmetric cipher. So only the node with the corresponding LinkID will be able to decrypte by retrieving the corresponding key from its neighbor table.

– Any intermediate node may also send an ARREP if it contains a fresh entry in its forwarding route table for the dest_id.

33

Anonymous Data Forwarding

• Packet format: <next-LinkID, MASK payload>– When forwarding data, nodes randomly select a next hop from

their forwarding route table for the destination. This continues at each node until the packet reaches its destination.

– This random routing allows packets of the same flow to travel through different paths to the destination node which will confuse adversaries who are trying to acquire network traffic patterns.

– MASK does not always use the best path and may introduce extra delay. However, for security sensitive applications, its worth it.

– Nodes use anonymous route error packets to inform the network to remove next-link information for nodes that have left the network.

Attacks against MASK

35

Message Coding Attack

• When adversaries can easily link and trace packets that do not change their contents or lengths during transmission.

• MASK Countermeasures– Random padding is applied to every

forwarded packet. Each node has discretion on the amount of padding.

– Encryption between different links will make the packet appear different on different links.

36

Flow Recognition and Message Replay Attacks

• When adversaries can recognize packets that belong to a same ongoing communication flow or replay older messages.

• MASK Countermeasures– Uncorrelated LinkIDs between different hops– Multipath packet forwarding diffuses the path– LinkIDs between two nodes are changed on a

per-packet basis, or at least periodically.– Message replay attacks are thwarted by the

dynamically changing LinkIDs.

37

Timing Analysis Attack

• Adversaries can divide the network into smaller areas to ascertain whether a source or destination is in a particular area by observing that certain packets do not come into or out of that area during a certain time interval.– Heavy traffic load helps prevent this

• MASK Countermeasures– Destination nodes can forward forged packets

with fake LinkIDs.– Nodes can randomly send out forged dummy

packets with fake LinkIDs for misdirection.

anonymous communications in mobile ad hoc networks yanchao zhang, wei liu and wenjing lou presented...

Documents