Ad Hoc Networks 1 (2003) 151–174

www.elsevier.com/locate/adhoc

Secure routing in mobile wireless ad hoc networks


Siddhartha Gupte *, Mukesh Singhal
Department of Computer Science, University of Kentucky, Lexington, KY 40508, USA

Abstract

We discuss several well known contemporary protocols aimed at securing routing in mobile wireless ad hoc networks. We analyze each of these protocols against requirements of ad hoc routing and in some cases identify fallibilities and make recommendations to overcome these problems so as to improve the overall efficacy of these protocols in securing ad hoc routing, without adding any significant computational or communication overhead.

© 2003 Published by Elsevier B.V.

Keywords: Active attacks; Passive attacks; Wormhole attack; Byzantine failures; Secure routing; Ad hoc networks

* Corresponding author. E-mail addresses: [email protected] (S. Gupte), sing-[email protected] (M. Singhal).

1570-8705/$ - see front matter © 2003 Published by Elsevier B.V.
doi:10.1016/S1570-8705(03)00017-9

1. Introduction

A wireless ad hoc network is a collection of peer nodes coming together and forming a network on-the-fly. These types of networks do not have a well established centralized infrastructure, and individual member nodes communicate with other nodes within the radio range over a wireless channel and with those outside the radio range using other nodes as intermediaries. In an ad hoc network, neither the network topology nor the membership is fixed, i.e., the nodes keep on moving around and they also come and go from the network. Thus the traditional wired network routing protocols cannot be deployed for this ad hoc paradigm. Taking into consideration both changing topology as well as changing membership, in addition to route establishment or discovery, ad hoc routing protocols need to incorporate "route maintenance", in order to provide for the broken routes in case of member node in the route moving out of the range or leaving the network. This renders route maintenance quintessential for ad hoc paradigm.

The wireless medium as well as non-infrastructure nature of the ad hoc networks makes them increasingly vulnerable to a number of attacks. Unlike wired networks where the attacker needs to gain access to the physical medium to launch any kind of attack, in wireless case, an intruder can easily eavesdrop on the on-going traffic. As there is not any centralized infrastructure, it is very difficult to have a key distribution center or a trusted certification authority to provide cryptographic keys and digital certificates to help nodes authenticate themselves.

Next, we briefly discuss two routing protocols, namely, AODV and DSR. Most of the secure routing protocols (SRPs) we discuss are based on these two routing protocols.

The ad hoc routing protocols can be classified into two types, viz., reactive protocols and proactive protocols. In reactive protocols like AODV
and DSR, the route discovery is initiated whenever data packets need to be sent, whereas in proactive protocols like DSDV, nodes proactively maintain routes even if no data packets need to be currently sent.

In DSR [12], the sender node determines the path along which a packet needs to be forwarded for a particular destination. This path is listed in the data packet header and is referred to as the 'source route'. Every node in the network stores routes to other nodes in the network by maintaining a dynamic route cache. A node learns routes to other nodes in one out of two ways: when it itself initiates a route to a particular destination or when the node lies on an active path to that destination. In addition to these, a node may also learn a route by overhearing transmissions along the routes of which it is not a part. This is referred to as promiscuous listening.

When a node needs to send a packet to another node, it first checks if an entry for the source route to that destination exists in the route cache. If such an entry already exists, the node inserts the source route into the header of the data packet. The source route is the list of nodes along which the packet needs to be forwarded in order to reach the destination. The sender forwards the packet to the first node on the route list. This intermediate node in turn forwards the packet to the next node in the list and this continues till the packet reaches the intended destination.

If the sender does not have a cache entry with the source route for that destination, the DSR route discovery process is initiated for that destination node. The sender broadcasts a 'ROUTE REQUEST'. This route request is uniquely identified by the source address, the destination address and the request id. When a node receives this route request, it checks if it itself is the target or if it has a source route cache entry for the intended destination. If either of the above two cases holds, the node responds with a route reply packet to the sender. The route reply consists of a 'route record', which is a list of nodes forming the path from the sender to the destination. If the node does not have a source route cache entry to that destination, it checks if it has already processed this request by checking the source address, destination address and request id which uniquely identify a request. If it has already handled this request, it is dropped. Otherwise, the node appends its address to the 'route record' in the route request packet and rebroadcasts the packet.

In the reactive protocol AODV [11], a node discovers or maintains a route to a destination if and only if it is the initiator of the route to that destination or is an intermediate node on an active route to that destination. Otherwise, it does not maintain routing information to that destination (no promiscuous listening in AODV). AODV maintains loop-free routes, even when the local connectivity for a node on the route changes. This is achieved by maintaining a counter for each node, called a sequence number. This sequence number of a node is incremented every time the local connectivity of the node changes.

In AODV, the route discovery is initiated by the source by generating and broadcasting a route request packet RREQ. The RREQ packet contains sequence numbers for both source as well as destination nodes, called source_sequence_num and destination_sequence_num, respectively. When a node receives a RREQ packet, if the node is itself the destination or it has a valid route to that destination, it determines the freshness of its route table entry (provided such an entry exists) for that destination by comparing the destination_sequence_num in the RREQ with that of its route table entry. The node then either responds with a route reply RREP (if it itself is the destination or has a fresh route to that destination) or rebroadcasts the RREQ to its neighbors. The node makes an entry for this route request in the route table and stores the address of the node from which it received this request as the next hop in the route to the source of this request packet. Similarly, when a node receives a response RREP for the request, it stores the address of the node from which it received the response RREP as the next hop in the route to that destination. As the RREP travels back to the source, the intermediate nodes forwarding the RREP update their routing tables with a route to the destination. The RREP has a field for destination_sequence_num.

The rest of the paper is organized as follows: In Section 2, we discuss different possible attacks on
the routing protocols and in Sections 4–12, we analyze contemporary SRPs with respect to prevention of these attacks.

2. Possible attacks on routing protocols

In this paper, we are primarily concerned with the attacks targeting the routing protocols. These attacks can be broadly classified into two main categories:

1. Passive attacks and
2. Active attacks.

2.1. Passive attacks

Passive attacks are the attacks in which an attacker does not actively participate in bringing the network down. An attacker just eavesdrops on the network traffic so as to determine which nodes are trying to establish routes to which nodes or which nodes are pivotal to proper operation of the network and hence can be potential candidates for subversion and launching denial of service attacks. The attacker can then forward this information to an accomplice who in turn can use it to launch attacks to bring down the network.

2.2. Active attacks

Active attacks are the attacks in which an attacker actively participates in disrupting the normal operation of the network services. The attacker drops packets, modifies packets, replays packets, fabricates messages or impersonates some other nodes, nodes rush packets or tunnel them over high-speed private networks to an accomplice in other part of the network, etc.

2.2.1. Attacks by dropping packets

In this type of attack, an attacker either selectively or completely drops packets and so succeeds in disrupting the normal operation of the network. Depending on the pattern by which the attacker drops packets, this attack can be further classified into two types:

(i) Black holes: The attacker drops all types of packets, both control as well as data. This attack can be prevented by establishing routes free of the black holes or by precluding such type of nodes from existing routes.

(ii) Gray holes: The attacker is selective in dropping packets (drops data packets but not control messages). This is not a simple attack to detect. There needs to be some kind of a promiscuous mode of operation in place within the routing protocol wherein nodes can listen to the transmissions of the nodes within the radio range. If a node is found to exhibit such a gray hole behavior, then other nodes need to be alerted about it. Again some kind of trust hierarchy needs to be in place such that the reporting node has to have some trust standing, otherwise, it becomes a basis of yet another attack called blackmail attack where a malicious node may report a benign node to be misbehaving, thereby launching a denial of service attack against that node.

2.2.2. Attacks using modification of protocol messages fields

Current routing protocols assume that nodes do not alter the protocol fields of messages passed among nodes. Routing protocol packets carry important control information that governs the behavior of data transmission in ad hoc networks. Since the level of trust in a traditional ad hoc network cannot be measured or enforced, malicious nodes or compromised nodes may participate directly in the route discovery and may intercept and filter routing protocol packets to disrupt communication. Malicious nodes can easily cause redirection of network traffic and DOS attacks by simply altering these fields [7].

[Fig. 1. Bidirectional link. Panels (a) and (b): nodes S, A, B, C, D, X and the malicious node M, joined by bidirectional links.]

For example, in the network illustrated in Fig. 1a, a malicious node M could keep traffic from
reaching X by consistently advertising to B a shorter route to X than the route to X, which C is advertising.

The attacks can be classified as remote redirection attacks and denial of service attacks. Next we look at these attacks.

(i) Remote redirection with modified route sequence number: In remote redirection attacks a malicious node uses the routing protocol to advertise itself as the shortest path to nodes whose packets it wants to intercept. Protocols such as AODV instantiate and maintain routes by assigning monotonically increasing sequence numbers to routes towards a specific destination. In AODV, any node may divert traffic through itself by advertising a route to a node with a destination sequence number greater than the authentic value.

Fig. 1a illustrates an example of an ad hoc network. Suppose a malicious node, M, receives the RREQ that originated from S for destination X after it is rebroadcast by B during route discovery. M redirects traffic towards itself by unicasting to B a RREP containing a significantly higher destination sequence number for X than the authentic value last advertised by X.

(ii) Redirection with modified hop count: In protocols such as AODV, the route length is represented in the messages by the hop count field. A malicious node can succeed in diverting all the traffic to a particular destination through itself by advertising a shortest route (very low hop count) to that destination.

Once the malicious node has been able to insert itself between two communicating nodes, it is able to do anything with the packets passing between them. It can choose to drop packets to perform a denial of service attack, or alternatively use its place on the route as the first step in a man-in-the-middle attack.

(iii) Denial of service with modified source routes: The DSR routing protocol explicitly states routes in data packets, referred to as the source route. In the absence of any integrity checks on this source route, a malicious node can modify this source route and thereby succeed in creating loops in the network or launching a simple denial of service attack.

2.2.3. Attacks using impersonation

This type of attack using impersonation [7] could be launched by an attacker node masquerading as another node. The attacker node achieves this by misrepresenting its identity by changing its own IP or MAC address to that of some other node, thereby masquerading as that node (also referred to as spoofing). This type of an attack could easily be ameliorated by the use of stronger authentication primitives.

2.2.4. Attacks using fabrication

Generation of false routing messages is termed as fabrication of messages. Such attacks are difficult to detect. Such type of attacks can be broadly classified into following three types [7]:

(i) Falsifying route error messages: AODV and DSR both have maintenance measures to salvage broken routes when constituent nodes move or fail. If the destination node or an intermediate node along an active path moves or fails, the node which precedes the broken link broadcasts a route error message to all active neighbors which precede the broken link. The nodes then invalidate the route for this destination in their routing table.

A malicious node can succeed in launching a denial of service attack against a benign node by sending false route error messages against this benign node. Suppose node S has a route to node X via nodes A, B, and C, as in Fig. 1b. A malicious node M can launch a denial of service attack against X by continually sending route error messages to B spoofing node C, indicating a broken link between nodes C and X. B receives the spoofed route error message thinking that it came from C. B deletes its routing table entry for X and forwards the route error message on to A, who then also deletes its routing table entry. If M listens and broadcasts spoofed route error messages whenever a route is established from S to X, M can successfully prevent data traffic between S and X.

This type of an attack could be thwarted by having stronger authentication schemes in place wherein the veracity of route error messages can be authenticated.

(ii) Route cache poisoning in DSR: In DSR, a node can learn routing information by overhearing transmissions on routes of which it is not a constituent. The node adds this routing information to its own cache.

The vulnerability is that an attacker could easily exploit this method of learning routes and poison route caches. If a malicious node M wants to launch a denial of service attack on node X, it would simply broadcast spoofed packets with source routes to X via itself. Any neighboring nodes that overhear the packet transmission may add the route to their route cache.

(iii) Routing table overflow attack: A malicious node may attempt to overwhelm the protocol by initiating route discovery to non-existent nodes. The rationale behind this attack is to create so many routes that no further routes could be created as the routing tables of nodes are already overflowing. Proactive routing algorithms attempt to discover routing information even before they are needed, while reactive algorithms create them only when they are needed. This makes proactive algorithms more vulnerable to table overflow attacks.

2.2.5. Wormhole attacks

A wormhole is a theoretical distortion of space-time in a network that would link one part of the network with another through a path that is shorter in distance or duration than would otherwise be expected.

In wormhole attacks [15], the attacker receives packets at one point in the network and tunnels them to another part of the network and replays them into the network from that point onwards. This form of attack does not require the attacker to have any knowledge of the cryptographic keys.

In case of reactive protocols like DSR and AODV, this attack could be launched by tunneling every REQUEST to the target destination node directly. When the destination's neighboring nodes hear this REQUEST packet, they follow normal protocol operation to rebroadcast that REQUEST packet and then discard any other REQUESTS for the same route discovery. Thus this prevents discovery of any routes other than those through the wormhole. This puts the attacker in a position from where any attack can be launched on the network as it practically controls all the routes discovered after the wormhole.

In case of proactive routing protocols like DSDV, where nodes detect neighbors by sending HELLO packets, an attacker could tunnel a HELLO packet from A to B and from B to A, leading A and B to believe that they are neighbors when in reality they are not. This could lead to no route being established because of wrong neighborhood perception.

The wormhole attacks can be thwarted by using a notion of packet leashes. A leash is any information added to a packet to limit the packet's maximum allowed transmission distance. A geographical leash ensures that the recipient of the packet is within a certain distance from the sender. A temporal leash ensures that the packet has an upper bound on its lifetime, thus putting an upper bound on the distance it can travel, since the speed of the packet cannot be more than that of light. Any of these leashes can thwart a wormhole attack, as they allow the receiver to detect if the packet has traveled more distance than the leash allows.

3. Desired properties of a secure routing protocol

A SRP should be able to create routes between any source destination pair of nodes, even in the presence of malicious nodes.

It should have some provisions to detect a misbehaving node or group of nodes working in collusion with each other. Once such misbehaving node/s are detected, their misbehavior should be reported to all other legitimate nodes in the network, so that other nodes who have routes containing these bad nodes can revoke these routes and use alternate routes which do not contain these bad nodes.

There should also be some kind of a trust hierarchy among the member nodes, so that a group of malicious nodes do not launch a blackmail attack against a legitimate node by forwarding false misbehavior reports about this good node.

In addition to these, the SRP should be prepared to handle the situation when malicious nodes do in fact enter an uncompromised route or succeed in subverting a benign node on a route. In case of such a subversion, the protocol should be able to
single out the subverted node and preclude it from all existing routes.

The protocol should be able to maintain confidentiality of the network topology. It should prevent an attacker from knowing which nodes are bottlenecks in the network or which nodes are crucial for successful transmission along existing routes. Otherwise such an attacker could succeed in launching denial of service attacks by subverting these crucial nodes.

4. Security aware ad hoc routing protocol (SAR)

The main idea behind the security aware ad hoc routing protocol [3] is to protect the route establishment itself, so that no node with questionable trust level becomes a part of the route. This protocol introduces the notion of a Trust Hierarchy, where member nodes of the network are classified into different trust levels and these trust levels are immutable, i.e., a node with a lower trust level cannot change to a higher trust level on-the-fly.

The initiator of the route includes a security metric in the route request. This security metric can be the minimum security/trust level of the node required to participate in the route discovery, suggesting that only those nodes that have this minimum security level can take part in the route discovery and other nodes that do not have the necessary trust level drop the request packets. This ensures that security aware ad hoc routing finds a route with quantifiable guarantee of security. This can be realized by having nodes of a trust level share a key. So a node that does not have a particular trust level will not possess the key for that level and hence will not be able to decrypt the packets encrypted using the key of that level and hence would be left with no alternative but to drop the packet, thereby precluding itself from the route establishment.

As shown in Fig. 2, the route discovered using security aware ad hoc routing protocol may not necessarily be the shortest route between a source destination pair. But the discovered route is the most secure in terms of trust levels of the component nodes of the route.

[Fig. 2. Route formation in security aware ad hoc routing: secure nodes with the required keys and other nodes in the network. Routes labelled in the figure: Shortest Route, Secure Route.]

The protocol is not very scalable especially when there are many levels of trust. These many levels of trust mean those many keys have to be generated and distributed to nodes. Furthermore, when a node of a particular trust level receives a route request packet of a particular trust level, the receiving node has no idea as to what level the packet belongs to, so it has to try decrypting the packet with all the available keys. If the packet does not decrypt with any of the available keys, the node assumes that it does not have the necessary key and hence the necessary trust level and drops the packet. As the route request packets are flooded and this scenario happens at all the nodes, a considerable computational overhead is incurred. If a node does not have the necessary trust privilege, it wastes quintessential CPU cycles on worthless computation.

An obvious solution to this problem is to append in plaintext the trust level of the request packet, so that the nodes do not have to spend crucial CPU cycles in decrypting the packet with the available key set. All they have to do is to read this plaintext and make the decision accordingly whether they can decrypt this packet and hence participate in the route establishment.

The security aware ad hoc routing protocol can be easily deployed on the top of any of the existing routing protocols. We now discuss SAODV [5], a variant of this security aware protocol deployed on the top of AODV routing protocol. Changes are made to the route discovery stage of the AODV
protocol in the form of additional fields to the RREQ and RREP packets. Both RREQ and RREP packets have two additional fields, viz., RQ_SEC_REQUIREMENT (RP_SEC_REQUIREMENT is the corresponding one in RREP) and RQ_SEC_GUARANTEE (RP_SEC_GUARANTEE is the corresponding one for RREP).

RQ_SEC_REQUIREMENT value in the RREQ is set by the route initiator and is immutable, i.e., no intermediate node can change this field in transit. This value indicates the minimum security rating that an intermediate node should possess in order to be part of the route. When an intermediate node receives a RREQ packet, it checks the RQ_SEC_REQUIREMENT field and compares the value to its own security rating (i.e., the trust level). If the node's security rating is more than RQ_SEC_REQUIREMENT, the node forwards the packet, otherwise the node drops the packet. When an intermediate node decides to forward the request, the RQ_SEC_GUARANTEE is set to a value which indicates the maximum security level afforded by the discovered paths. This field is useful in the case where route discovery comes up with a route which is more secure than the one requested by the initiator.

Since the security aware ad hoc routing protocol tries to implement the trust level among nodes by having a key for every trust level, another cause for concern is the nature of ad hoc networks, where membership keeps on changing, i.e., nodes come and go regularly. Hence fresh keys have to be generated and distributed every time any new node comes in or a node goes out, thus augmenting the computational overhead. If the keys are not generated afresh when a member node leaves the network, there is a likelihood that this node might give the keys to a malicious node or give a higher trust level keys to a node with a lower trust level.

5. Secure routing protocol

The SRP [2] attempts to guarantee that the node initiating the route discovery will be able to differentiate between the legitimate replies and the replies meant to provide false topological information and can discard such malevolent replies. This is realized through the existence of a security association (SA) between the pair of end nodes, i.e., source and destination, without the intermediate nodes having to cryptographically validate the control traffic. Such a security association is assumed to exist prior to the route initiation. This protocol assumes that this SA can be achieved through a shared key $K_{ST}$ between the source S and target T. This is a strong assumption given the nature of ad hoc networks. It is as good as assuming a SA through a shared secret among two strangers.

The source S initiates the route discovery by putting together a route request packet as shown in Fig. 3.

The SRP adds an additional header called SRP header to the underlying routing protocol packet. The SRP header is as shown in Fig. 4.

The query sequence number, $Q_{SEQ}$, is a monotonically increasing 32 bit sequence number maintained by the source node S for each destination T it has a security association with. It increases monotonically for every route request generated by S for T, thus allowing T to detect outdated/replayed requests. $Q_{SEQ}$ is initialized at the establishment of the SA and is generally not allowed to wrap around.

[Fig. 3. Route request packet. Fields shown: TYPE, RESERVED, QUERY IDENTIFIER, QUERY SEQUENCE NUMBER, SRP MAC.]

[Fig. 4. SRP header. Layers shown: IP HEADER, BASIC ROUTING PROTOCOL PACKET, SRP HEADER.]
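As an added example (not from the paper), the code below builds an SRP route request carrying the query identifier, query sequence number and 96-bit MAC under the shared key, then applies the duplicate check at an intermediate node and the replay and MAC checks at the target that this section describes. HMAC-SHA-256 truncated to 96 bits, the byte order of the MAC input, the starting sequence value 0 and all class and function names are assumptions; the paper fixes none of them.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

MAC_LEN = 12  # the SRP MAC is 96 bits


@dataclass(frozen=True)
class SrpRequest:
    src: IPv4Address
    dst: IPv4Address
    q_id: int          # random 32-bit query identifier
    q_seq: int         # 32-bit query sequence number, kept per (S, T) association
    mac: bytes         # 96-bit MAC under K_ST
    route: tuple = ()  # addresses appended by intermediate nodes


def srp_mac(k_st, src, dst, q_id, q_seq):
    """MAC over source, target, Q_SEQ and Q_ID (field order is an assumption)."""
    msg = src.packed + dst.packed + struct.pack("!II", q_seq, q_id)
    return hmac.new(k_st, msg, hashlib.sha256).digest()[:MAC_LEN]


class Source:
    def __init__(self, addr, dst, k_st):
        self.addr, self.dst, self.k_st = addr, dst, k_st
        self.q_seq = 0  # assumed starting value, set when the SA is established

    def new_request(self):
        if self.q_seq == 0xFFFFFFFF:
            raise OverflowError("Q_SEQ must not wrap; re-establish the SA")
        self.q_seq += 1
        q_id = secrets.randbits(32)  # CSPRNG output, unpredictable to an adversary
        mac = srp_mac(self.k_st, self.addr, self.dst, q_id, self.q_seq)
        return SrpRequest(self.addr, self.dst, q_id, self.q_seq, mac)


class Intermediate:
    def __init__(self, addr):
        self.addr = addr
        self.query_table = set()

    def relay(self, req):
        """Return the request to rebroadcast, or None if it was already seen."""
        key = (req.src, req.dst, req.q_id)
        if key in self.query_table:
            return None
        self.query_table.add(key)
        return replace(req, route=req.route + (self.addr,))


class Target:
    def __init__(self, addr, shared_keys):
        self.addr = addr
        self.shared_keys = shared_keys  # {source address: K_ST}
        self.s_max = {}                 # highest accepted Q_SEQ per source

    def check(self, req):
        k_st = self.shared_keys.get(req.src)
        if req.dst != self.addr or k_st is None:
            return "no-sa"
        if req.q_seq <= self.s_max.get(req.src, 0):
            return "replayed"
        expected = srp_mac(k_st, req.src, req.dst, req.q_id, req.q_seq)
        if not hmac.compare_digest(expected, req.mac):
            return "bad-mac"
        # Advance S_MAX only after the MAC verifies, so a forged request with a
        # high Q_SEQ cannot lock the real source out.
        self.s_max[req.src] = req.q_seq
        return "accepted"


def demo():
    # Constructed addresses and key, for illustration only.
    s, a, t = (IPv4Address(x) for x in ("10.0.0.1", "10.0.0.2", "10.0.0.9"))
    k_st = bytes(range(32))
    source, node_a, target = Source(s, t, k_st), Intermediate(a), Target(t, {s: k_st})
    first = node_a.relay(source.new_request())
    forged = replace(first, q_seq=first.q_seq + 1000)  # field altered in transit
    return {
        "route": [str(hop) for hop in first.route],
        "duplicate_relay": node_a.relay(first),
        "first": target.check(first),
        "replay": target.check(first),
        "forged": target.check(forged),
        "next": target.check(source.new_request()),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The accumulated route is not covered by the request MAC, which matches the text: the MAC input is the two end addresses and the two identifiers only.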
The query identifier $Q_{ID}$ is a random 32 bit identifier generated by S and is used by the intermediate nodes as a means to identify the request. Since $Q_{ID}$ is an output of a secure pseudo-random number generator and is unpredictable by an adversary, it provides protection against attackers who fabricate requests only to cause subsequent requests to be dropped.

SRP MAC is a 96 bit value calculated using the shared key $K_{ST}$ over IP addresses of the source S and target T and the two identifiers $Q_{SEQ}$ and $Q_{ID}$. It not only validates the integrity of the request but also authenticates the origin of the packet to the target, as the MAC could have been calculated only by the node that has the knowledge of $K_{ST}$, and knowledge of $K_{ST}$ is only with the node that has security association with the target.

When an intermediate node receives such a route request, it checks if an SRP header is present or not. If not present, the packet is discarded, otherwise the node extracts the IP address of the source and destination as well as the $Q_{ID}$ from the request and creates an entry for the request in the query table. If an entry already exists for the request for that source destination pair with the same $Q_{ID}$, the request is dropped by the node. Otherwise, the node appends its IP address to the request and rebroadcasts the request. Thus IP addresses of the intermediate nodes keep on accumulating on the route request.

The above situation warrants that the $Q_{ID}$ should be sufficiently random and an adversary with finite computation capacity should not be able to predict it. Otherwise, the attacker can prevent a route from being established between the given source destination pair, as it would fabricate request packets with this $Q_{ID}$ and the intermediate nodes will not forward the legitimate requests when they get to them as an entry already exists in the query table for that particular $Q_{ID}$.

When the target T receives this request packet, it verifies that the packet has originated from the node with which it has SA. $Q_{SEQ}$ is then compared with $S_{MAX}$, the maximum query sequence number received from S. If $Q_{SEQ} \le S_{MAX}$, the request is considered to be outdated/replayed and is discarded. Else the keyed hash of the request field is calculated and matched against the SRP MAC. The equality validates the integrity of the request as well as the authenticity of the sender.

The destination broadcasts a route reply to its one hop neighbors in order to thwart a potentially malicious neighbor from controlling multiple replies. For each valid request, the destination puts the accumulated route in the form of IP addresses of intermediate nodes into the route reply packet. The $Q_{SEQ}$ and $Q_{ID}$ fields from the route request are copied into the corresponding fields of the reply packet. MAC is calculated to preserve the integrity of the packet in transit. The $Q_{SEQ}$ and $Q_{ID}$ fields verify the freshness of the packet to the source.

When the source S receives the route reply packet, it checks source and destination addresses, $Q_{ID}$ and $Q_{SEQ}$ and discards the reply if it does not correspond to the currently pending query. Otherwise, it compares the reply IP source-route with the reverse of the route carried in the reply payload. If the two routes match, MAC is calculated using the replied route, the SRP header fields and $K_{ST}$. The successful verification confirms that the request did indeed reach the intended destination T and the reply was not corrupted on the way back from T to S. Furthermore, since the reply packet has been routed and successfully received over the reverse of the route it carries, the routing information has not been compromised during the request propagation.

Intermediate nodes also measure the frequency of queries received from their neighbors. Intermediate nodes maintain a priority ranking of their neighbors: highest priority to nodes generating requests at the lowest rate and the lowest rating for those with highest rate. In case when two packets arrive at the same time, the neighbor whose ranking is high is given a priority in routing over the one with the lower ranking.

This SRP guarantees the discovery of a correct route, even in the presence of malicious nodes. The protocol obviates the need of a certification authority, thereby suiting itself to the ad hoc paradigm. The protocol also does not necessitate the knowledge of keys of all member nodes. The only requirement of this protocol is that there should be a prior security association between the two nodes that need to communicate with each other. This kind of a security association is realized through
S. Gupte, M. Singhal / Ad Hoc Networks 1 (2003) 151–174 159

shared secret keys between any two pair of nodes. However, when malicious nodes succeed in subverting benign nodes, the malicious nodes could easily gain access to the shared secret keys. The malicious node can then masquerade as the subverted good node and initiate communication with other good node with whom the subverted good node has a security association.

6. Routing using pre-deployed security infrastructure

We assume the existence of certain amount of security infrastructure. The type of ad hoc environment that we are dealing with here is called managed-open environment. A managed-open environment assumes that there is an opportunity for pre-deployment. That is, nodes wishing to communicate can exchange initialization parameters beforehand, perhaps within the security of an infrastructured network where session keys may be exchanged or through a trusted third party like a certification authority.

6.1. ARAN protocol in managed-open environment

ARAN or authenticated routing for ad hoc networks [7] detects and protects against malicious actions by third parties and peers in ad hoc environment. ARAN introduces authentication, message integrity and non-repudiation to an ad hoc environment.

ARAN is composed of two distinct stages. The first stage is simple and requires little extra work from peers beyond traditional ad hoc protocols. Nodes that perform the optional second stage increase the security of their route, but incur additional cost for their ad hoc peers who may not comply (e.g., if they are low on battery resources). ARAN makes use of cryptographic certificates for the purposes of authentication and non-repudiation.

6.1.1. Stage 1

Stage 1 contains a preliminary certification stage and a mandatory end–end authentication stage. It is a lightweight stage and does not demand too many resources.

6.1.1.1. Preliminary certification. ARAN uses a trusted certificate server T. Before entering the ad hoc network, each node has to request a certificate from T. In case of node A, the certificate looks as shown below:

T → A : Cert_A = [IP_A, K_{A+}, t, e]K_{T−}

The certificate contains the IP address of A, the public key of A, a timestamp t of when the certificate was created, and a time e at which the certificate expires. These variables are concatenated and signed by T. All nodes must maintain fresh certificates with the trusted server and must know T's public key.

6.1.1.2. End-to-end authentication. End-to-end authentication verifies whether the intended destination was reached. In this stage, the source trusts the destination to choose the return path.

(i) Source node: The source node A broadcasts a route discovery packet (RDP) and thus initiates the route discovery to destination X.

A → broadcast : [RDP, IP_X, Cert_A, N_A, t]K_{A−}

The RDP includes a packet type identifier ("RDP"), the IP address of the destination (IP_X), A's certificate (Cert_A), a nonce N_A, and the current time t, all signed with A's private key. Each time node A performs route discovery, it monotonically increases the nonce. Nodes store the nonce they have last seen with its timestamp.

(ii) Intermediate node: Each node keeps track of the predecessor node from which it received the RDP packet. It then forwards the RDP to each of its neighbors, signing the contents of the message. This signature prevents spoofing attacks that may alter the route or form loops. Let A's neighbor be B.

B → broadcast : [[RDP, IP_X, Cert_A, N_A, t]K_{A−}]K_{B−}, Cert_B

If a node has already seen the (N_A, IP_A) tuple, it drops the RDP packet. Otherwise, it forwards the packet to its neighbors. Upon receiving the broadcast, B's neighbor C validates the signature with the given certificate. C then rebroadcasts the RDP to its neighbors, first removing B's signature.

C → broadcast : [[RDP, IP_X, Cert_A, N_A, t]K_{A−}]K_{C−}, Cert_C

(iii) Destination node: Eventually the message reaches the destination X. The destination then replies to the first RDP for a given source and nonce pair. It unicasts a reply (REP) back to the source along the reverse path. The route discovered in such a manner may not be the shortest route.

X → D : [REP, IP_A, Cert_X, N_A, t]K_{X−}

(iv) Intermediate node for REP: Intermediate nodes keep track of the predecessor node, that is, the node from which they received the RDP, so that when an intermediate node receives an REP for the same source-nonce pair, it knows where to route the REP packet.

D → C : [[REP, IP_A, Cert_X, N_A, t]K_{X−}]K_{D−}, Cert_D

C validates D's signature, removes the signature, and then signs the contents of the message before unicasting the REP to B.

C → B : [[REP, IP_A, Cert_X, N_A, t]K_{X−}]K_{C−}, Cert_C

A node checks the signature of the previous hop as the REP is returned to the source. This avoids attacks where malicious nodes instantiate routes by impersonation and replay of X's message.

(v) Source node: When the source receives the REP, it verifies that the correct nonce was returned by the destination as well as the destination's signature. Only the destination can answer an RDP packet. Other nodes that already have paths to the destination cannot reply for the destination. Because only the destination can send REPs, loop freedom is guaranteed.

ARAN requires that nodes keep one routing table entry per source–destination pair that is currently active. This is certainly more costly than per-destination entries in non-secure ad hoc routing protocols.

6.1.2. Stage 2

Stage 2 starts only after Stage 1 is over. This is because the destination certificate is required in Stage 2. This stage is primarily used for discovery of shortest path in a secure fashion.

(i) Source: The source begins by broadcasting a Shortest Path Confirmation (SPC) message to its neighbors (the same variables are used as in stage 1).

A → broadcast : SPC, IP_X, Cert_X, [[IP_X, Cert_A, N_A, t]K_{A−}]K_{X+}

The SPC message begins with the SPC packet identifier ("SPC"), X's IP address and certificate. The source concatenates a signed message containing the IP address of X, its certificate, a nonce and timestamp. This signed message is encrypted with X's public key so that other nodes cannot modify the contents.

(ii) Intermediate node: A neighbor B that receives the message, rebroadcasts the message after including its own cryptographic credentials on the top of already accumulated cryptographic credentials (onion signing). B signs the encrypted portion of the received SPC, includes its own certificate, and re-encrypts with the public key of X. This public key can be obtained in the certificate forwarded by A.

B → broadcast : SPC, IP_X, Cert_X, [[[[IP_X, Cert_A, N_A, t]K_{A−}]K_{X+}]K_{B−}, Cert_B]K_{X+}

Nodes receiving the SPC packet create an entry in their routing table for that particular source-nonce pair in order to detect duplicate packets. The entry also serves to route the reply packet from the destination along the reverse path.

(iii) Destination node: Once the destination X receives the SPC, it checks that all the signatures are valid. X replies to the first SPC it receives and also any SPC with a shorter recorded path. X sends a Recorded Shortest Path (RSP) message to the source through its predecessor D. The onion-like signing of messages tells the destination which path is the shortest. However, the overhead is more as the destination has to store all the SPCs in order to decide which one is the shortest.

X → D : [RSP, IP_A, Cert_X, N_A, route]K_{X−}

The source eventually receives the packet and verifies that the nonce corresponds to the SPC it originally generated.

The onion-like signing of messages prevents nodes in the middle from changing the path in several ways. First, to increase the path length of the SPC, malicious nodes require an additional valid certificate. Second, malicious nodes cannot decrease the recorded path length or alter it because doing so would break the integrity of the encrypted data.

6.2. Route maintenance

ARAN is an on-demand protocol. Nodes keep track of whether routes are active. When no traffic has occurred on an existing route for that route's lifetime, the route is simply de-activated in the route table. Data received on an inactive route causes nodes to generate an Error (ERR) message that travels the reverse path towards the source. Nodes also use ERR messages to report links in active routes that are broken due to node movement. All ERR messages must be signed. For a route between source A and destination X, a node B generates the ERR message for its neighbor C as follows:

B → C : [ERR, IP_A, IP_X, Cert_C, N_B, t]K_{B−}

This message is forwarded along the path towards the source without modification. A nonce and timestamp ensures the ERR message is fresh. Because messages are signed, malicious nodes cannot generate ERR messages for other nodes. Non-repudiation provided by the signed ERR message allows a node to be verified as the source of each ERR message that it sends. A node which transmits a large number of ERR messages, whether the ERR messages are valid or fabricated, should be avoided.

6.3. Key revocation

ARAN attempts a best effort key revocation that is backed up with limited time certificates. In the event that a certificate needs to be revoked, the trusted certificate server, T, sends a broadcast message to the ad hoc group that announces the revocation. Calling the revoked certificate Cert_R, the transmission appears as:

T → broadcast : [revoke, Cert_R]K_{T−}

Any node receiving this message rebroadcasts it to its neighbors. Revocation notices need to be stored until the revoked certificate would have expired normally. Any neighbor of the node with the revoked certificate needs to reform routing as necessary to avoid transmission through the now untrusted node.

This method is not fail-safe. If an untrusted node, whose certificate is being revoked, is the only link between two parts of an ad hoc network, it may not propagate the revocation message to the other part, leading to a partitioned network.

To detect this situation and to hasten the propagation of revocation notices, when a node meets a new neighbor, it can exchange a summary of its revocation notices with that neighbor. If these summaries do not match, the actual signed notices can be forwarded and rebroadcast to restart propagation of the notice.

7. Mitigating routing misbehavior

Misbehaving nodes can disrupt normal operation of the network and thus reduce network throughput and result in poor robustness. Marti et al. [8] propose a technique to identify and isolate such nodes by installing a watchdog and a pathrater on each node in the ad hoc network. The protocol assumes support for promiscuous mode of operation for the nodes. This helps the nodes supervise each other's operation. The other assumption is that the underlying ad hoc routing protocol is DSR. It is possible to extend the mechanism to other routing protocols as well.

7.1. Mechanism

The watchdog identifies misbehaving nodes, while the pathrater avoids routing packets through these nodes. When a node forwards a packet, the node's watchdog verifies that the next node in the path also forwards the packet. The watchdog does this by listening promiscuously to the next node's transmissions. If the next node does not forward the packet, then it is considered to be misbehaving.

The pathrater uses this knowledge of misbehaving nodes to choose the network path that is most likely to deliver packets or in other words avoids selecting routes having misbehaving nodes.

7.2. Watchdog

The watchdog attempts to detect misbehaving nodes. Fig. 5 illustrates how the watchdog works. Node A cannot directly send packets to node C, but it can send the packets to B and then listen in on node B's traffic. Thus, when A transmits a packet for B to be forwarded to C, A can often tell if B really transmitted the packet to node C. If encryption is not performed separately for each link, then A can also tell if B has tampered with the payload or the header.

[Fig. 5. Operation of watchdog. Nodes S, A, B, C, D; promiscuous listening.]

The watchdog maintains a buffer of recently sent packets and compares each overheard packet with the packet in the buffer to see if there is a match. If so, the packet in the buffer is removed and forgotten by the watchdog, since it has been forwarded. If the packet has remained in the buffer for longer than a certain timeout, the watchdog increments a failure tally for the node responsible for forwarding the packet. If the tally exceeds a certain threshold, it infers that the node is misbehaving and sends a message to the source notifying it of the misbehaving node.

The watchdog might not detect misbehaving nodes in presence of (1) ambiguous collisions, (2) receiver collisions, (3) limited transmission power, (4) false misbehavior, (5) collusion between neighboring nodes and (6) partial dropping.

7.3. Analysis of watchdog's weaknesses

7.3.1. Ambiguous collision

The ambiguous collision problem prevents A from overhearing transmissions from B. As Fig. 6 illustrates, a packet collision occurs at A while it is listening to B to forward a packet. A does not know if the collision was caused by B forwarding a packet as it should or if B never forwarded the packet and the collision was caused by other nodes in A's neighborhood. Because of this uncertainty, A should instead continue to watch B over a period of time.

[Fig. 6. Ambiguous collisions. X: packets arriving simultaneously (collisions). Nodes S, A, B, D.]

7.3.2. Receiver collision

In the receiver collision problem, node A can only tell whether B sends the packet to C, but it cannot tell if C receives it. If a collision occurs at C when B first forwards the packet, A only sees B forwarding the packet and assumes that C successfully receives it. Thus, B could skip retransmitting the packet and evade detection as shown in Fig. 7.

[Fig. 7. Receiver collision. Nodes S, A, B, D.]

7.3.3. False misbehavior

False misbehavior can occur when nodes falsely report other nodes as misbehaving. A malicious node could attempt to partition the network by claiming that some nodes following it in the path are misbehaving. For instance, node A could report that node B is not forwarding packets when in fact it is. This will cause S to mark B as misbehaving when A is the culprit. This behavior, however, will be detected eventually. Since A is passing messages onto B (as verified by source S), then any acknowledgements from D to S will go through A to S, and S will wonder why it receives replies from D when supposedly B dropped packets in the forward direction. In addition, if A drops acknowledgements to hide them from S, the node B will

detect this misbehavior and will report it to destination D.

7.3.4. Limited transmission power

A misbehaving node that can control its transmission power can circumvent the watchdog. A node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient.

7.3.5. Multiple colluding nodes

Multiple nodes in collusion can mount a more sophisticated attack. For example, B and C from Fig. 5 could collude to cause mischief. In this case, B forwards a packet to C but it does not report to A when C drops the packet. Because of its limitation, it may be necessary to disallow two consecutive untrusted nodes in a routing path.

7.3.6. Partial dropping

A node can circumvent the watchdog by dropping packets at a lower rate than the watchdog's minimum misbehavior threshold.

7.4. Pathrater

In addition to the watchdog, each node also runs a pathrater. It combines the knowledge of misbehaving nodes with link reliability data to pick the most reliable route. Each node maintains a rating for every other node it knows about in the network. It calculates a path metric by averaging the node ratings in the path. This metric is chosen because it gives a comparison of the overall reliability of different paths and allows pathrater to emulate the shortest length path algorithm when no reliability information has been collected, as explained below. If there are multiple paths to the same destination, the path with the highest metric is chosen. Since the pathrater depends on knowing the exact path a packet has traversed, it must be implemented on the top of a source routing protocol.

The pathrater assigns ratings to nodes according to the following algorithm. When a node in the network becomes known to the pathrater (through route discovery), the pathrater assigns it a "neutral" rating of 0.5. A node always rates itself with a 1.0. This ensures that when calculating path rates, if all other nodes are neutral nodes (rather than suspected misbehaving nodes), the pathrater picks the shortest length path. The pathrater increments the ratings of nodes on all actively used paths by 0.01 at periodic intervals of 200 ms. An actively used path is one on which the node has sent a packet within the previous rate increment interval. The maximum value a neutral node can attain is 0.8. We decrement a node's rating by 0.05 when we detect a link break (a node not forwarding packets) during packet forwarding and the node becomes unreachable. The lower bound rating of a "neutral" node is 0.0. The pathrater does not modify the ratings of nodes that are not currently in active use.

In the simulations [8], a highly negative value (say −100) is assigned to nodes suspected of misbehaving by the watchdog mechanism. Some of the results of the simulations are as shown in the table given below. When the pathrater calculates the path metric, negative path values indicate the existence of one or more suspected misbehaving nodes in the path. If a node is marked as misbehaving due to a temporary malfunction or incorrect accusation, it would be preferable if it were not permanently excluded from routing. Therefore, nodes that have negative ratings should have their ratings slowly increased or set back to a non-negative value after a long timeout.

Table 1
Maximum and minimum network throughput with both watchdog and pathrater on

                    Maximum    Minimum
0 s pause time      88.6       75.2
60 s pause time     95.0       73.9

As shown in Table 1, the pause time of zero indicates that the nodes are in a constant motion and there is no pause time before and in between node movement. However, a pause time of 60 s indicates that there is a pause time of 60 s before and in between node movement.

8. Self-securing ad hoc wireless networks

Since wireless ad hoc networks are devoid of any fixed infrastructure, it is cumbersome to have

any third party trusted certification authority in place. However this problem is overcome by distributing the onus of certification on individual member nodes [10].

The protocol suggests a localized trust model to distribute the function of a trusted third party Certification Authority (CA) to individual member nodes within the network. In the localized trust model, a node is trusted if any k (threshold) trusted entities claim so within a certain time period. These certifying entities are generally the node's one-hop neighbors. Once a node is trusted by its local community, it is globally accepted as a trusted node; otherwise it is considered untrustworthy in the entire network. If a node could not find k neighbors in certain location, it may roam to meet more nodes or wait for new nodes to move in.

The certificate signing key SK is distributed to each node of the network. Each node carries a partial certificate signed with its share of certificate signing key SK. A valid certificate signed by SK is obtained by combining together partial certificate shares from k (threshold) number of nodes. A node trying to establish route with some other node should have a valid certificate. Nodes without valid certificates are treated as adversaries and are precluded from using network resources. A node V_i requests new certificate from any coalition of k (threshold) nodes, typically among its one hop neighbors. When any node receives this request, it checks its records on V_i. A record typically consists of a distributed Certificate Revocation list (CRL) and/or direct monitoring data available on V_i. If the node is found to be legitimate, the neighboring node responds with a partial certificate by applying its share of SK. Otherwise, the request for certificate is dropped. The requesting node V_i then combines the k partial certificates that it receives to generate a complete certificate. These certificates carry expiration time, after which a node has to acquire a new certificate because the old one is not valid any more. A broken or a misbehaving node that is detected by its neighbor will not be able to get its certificate renewed, once its current certificate expires.

If a particular node has no record (neither good nor bad) for a node, according to this architecture, it should not respond with its share of the certificate. However, it is always possible that the node is new and it does not have any record for a particular node. For such a situation, it is suggested that the node should not send its share of the certificate to the requesting node since it does not have any record on the requesting node. If the requesting node is not able to garner the certificate shares from the threshold number of other nodes in its one-hop vicinity, it should move to a new location where it is likely to get the certificate shares. But mobility may not always be possible given the nature of the wireless ad hoc networks, that the network might be deployed in a hostile environment.

The assumption "It is not very difficult to detect misbehaving nodes within the radio range", given the nature of the technology available, viz., Watchdog and Global Intrusion detection, cannot always be possible. It has been shown that the watchdog solution of operating the node in promiscuous mode falls apart when two or more misbehaving nodes are working in collusion. When a node perceives that an intrusion is in progress on itself, only then it will issue a request for other nodes to detect if a similar nature of intrusion is taking place on them as well. A misbehaving node could easily deny an intrusion in itself thereby thwarting any global intrusion mitigation procedure.

9. ARIADNE

ARIADNE [1] prevents attackers/compromised nodes from disrupting uncompromised routes comprising of benign nodes.

The motive behind this protocol is to thwart active attackers who inject packets into the network and who also eavesdrop. The active attackers are classified as active-n-m, where n is the number of nodes it has compromised and m is the number of nodes it owns, e.g., active-0-1 (owns 1 node), active-0-x (owns x nodes), active-1-x (compromised 1 node and distributes cryptographic information like secret key to x − 1 other nodes). A node trusts only itself for acquiring information as to which all nodes in the network are malicious, thus thwarting any blackmail attacks where an attacker fabricates information making a benign node appear malicious.
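The watchdog of Section 7.2 and the pathrater of Section 7.4, described earlier, can be followed step by step in the Python example below, which is added here and is not code from the paper or from Marti et al. [8]. The rating constants are the ones quoted in Section 7.4; the timeout and threshold values, the class and method names and the node names are assumptions made for the illustration.

```python
NEUTRAL, SELF = 0.5, 1.0              # initial ratings quoted in Section 7.4
MAX_NEUTRAL, MIN_NEUTRAL = 0.8, 0.0   # bounds for a neutral node
INCREMENT, DECREMENT = 0.01, 0.05     # per 200 ms of active use / per link break
MISBEHAVING = -100.0                  # rating used in the simulations [8]
WATCHDOG_TIMEOUT = 0.5                # seconds; assumed ("a certain timeout")
TALLY_THRESHOLD = 3                   # assumed ("a certain threshold")


class Pathrater:
    def __init__(self, me):
        self.me = me
        self.ratings = {me: SELF}     # a node always rates itself 1.0

    def learn(self, path):
        """Nodes first seen through route discovery start at the neutral rating."""
        for node in path:
            self.ratings.setdefault(node, NEUTRAL)

    def reward_active(self, path):
        """Call once per 200 ms interval for each path used in that interval."""
        for node in path:
            rating = self.ratings[node]
            # Negative (suspected) ratings are left alone here; restoring them
            # after a long timeout is a separate policy decision.
            if node != self.me and rating >= MIN_NEUTRAL:
                self.ratings[node] = min(MAX_NEUTRAL, rating + INCREMENT)

    def link_break(self, node):
        rating = self.ratings[node]
        if rating >= MIN_NEUTRAL:
            self.ratings[node] = max(MIN_NEUTRAL, rating - DECREMENT)

    def mark_misbehaving(self, node):
        self.ratings[node] = MISBEHAVING

    def metric(self, path):
        """Path metric: the average of the node ratings along the path."""
        return sum(self.ratings[node] for node in path) / len(path)

    def best_path(self, paths):
        for path in paths:
            self.learn(path)
        return max(paths, key=self.metric)


class Watchdog:
    def __init__(self, pathrater):
        self.pathrater = pathrater
        self.pending = {}   # packet id -> (next hop, time handed to it)
        self.tally = {}     # next hop -> packets never overheard being forwarded

    def sent(self, packet_id, next_hop, now):
        self.pending[packet_id] = (next_hop, now)

    def overheard(self, packet_id):
        """Promiscuous listening matched a buffered packet: forget it."""
        self.pending.pop(packet_id, None)

    def expire(self, now):
        """Tally packets buffered past the timeout; return newly accused nodes."""
        accused = []
        for packet_id, (hop, sent_at) in list(self.pending.items()):
            if now - sent_at <= WATCHDOG_TIMEOUT:
                continue
            del self.pending[packet_id]
            self.tally[hop] = self.tally.get(hop, 0) + 1
            already = self.pathrater.ratings.get(hop) == MISBEHAVING
            if self.tally[hop] > TALLY_THRESHOLD and not already:
                self.pathrater.mark_misbehaving(hop)
                accused.append(hop)
        return accused


def demo():
    """Constructed scenario: S can reach D through A, or through B and C."""
    short, longer = ["S", "A", "D"], ["S", "B", "C", "D"]
    rater = Pathrater("S")
    dog = Watchdog(rater)
    before = rater.best_path([short, longer])   # all neutral: shortest path wins
    for packet_id in range(5):                  # A is never overheard forwarding
        dog.sent(packet_id, "A", now=packet_id * 0.1)
    accused = dog.expire(now=5.0)
    after = rater.best_path([short, longer])    # negative metric on the short path
    return before, accused, after


if __name__ == "__main__":
    print(demo())
```

A next hop that misses no more packets than the threshold is never accused, which is the partial dropping weakness of Section 7.3.6.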

It is assumed that the sender trusts the destination with which it communicates, with responsibility of authenticating intermediate nodes. Thus enabling the destination to launch blackmail attacks against intermediate nodes, so the sender maintains a separate blacklist on all destinations it is communicating with.

The ARIADNE protocol makes use of TESLA broadcast authentication protocol which is discussed next.

9.1. TESLA

When TESLA [1] is used for authentication, each sender chooses a random initial key K_N and generates a one-way key chain by repeated computation of a one-way hash function H, K_N being the starting value of the function such that,

K_{N−1} = H[K_N], K_{N−2} = H[K_{N−1}], ..., K_i = H[K_{i+1}] = H^{N−i}[K_N]

To compute any previous key K_j from key K_i where j < i a node uses the equation

K_j = H^{i−j}[K_i]

The above mentioned equation is used by any node to authenticate any received value on the hash chain. If the computed value matches previously known authentic key value then the received key is authentic.

Each node discloses each key of its one-way key chain in a particular order, which is exactly reverse of the order in which the keys were generated. For example if the keys were generated by a node in the order K_N, K_{N−1}, ..., K_1, K_0 then the node discloses them in the order K_0, K_1, ..., K_N. The rationale behind having the key disclosure schedule to be reverse of the key generation schedule is that K_N of a node is known to all other nodes and in such a situation they should be able to authenticate any subsequent keys that are disclosed. The use of one-way hash function allows K_0, K_1, ..., K_{N−1} to be authenticated using K_N but K_N cannot be authenticated using any other key value. Hence the key disclosure schedule and key generation schedule should be reverse.

The TESLA to a fair extent relies on the receiver's ability to determine which keys a sender may have already disclosed, based on loose time synchronization between nodes. Let Δ be the maximum time synchronization error between any two nodes and this value must be known to all nodes.

When a packet authenticated with TESLA is received, the receiver first verifies the TESLA security condition that the key K_i used to authenticate this packet cannot yet have been disclosed. If the packet arrival time at the receiver is t_r, and the receiver knows that the earliest time the sender discloses the key K_i is t_0 + i × t where t_0 is the time when K_0 is disclosed by the sender. The receiver needs to verify that for TESLA time interval t, t_r ≤ (t_0 + i × t − Δ), thus implying that K_i has not yet been published. Otherwise, sender may have already disclosed K_i and some attacker may have forged the packet contents, and hence the packet is discarded. If the check is successful the receiver buffers the packet and waits for the sender to disclose K_i. When the receiver receives K_i, it first authenticates K_i and then authenticates the stored packets.

This ARIADNE protocol makes an assumption that the initiator S who performs a route discovery to target D shares secret keys K_SD and K_DS respectively, for message authentication in each direction. The design of this ARIADNE protocol can be divided into three stages.

9.2. ARIADNE protocol

9.2.1. Target authenticates ROUTE REQUESTS

To communicate with some destination node D in the network, the initiator node S generates and floods ROUTE REQUEST packets throughout the network. In order to enable target D to authenticate sender S, S includes a MAC computed over a timestamp with K_SD, into the route request packet. The target can then verify authenticity and freshness of the request.

9.2.2. Authentication of data in ROUTE REQUESTS and ROUTE REPLIES using TESLA

Every node has a TESLA one-way hash chain and all other nodes know an authentic key of the TESLA chain of every other node. The route request packet consists of eight fields (ROUTE

REQUEST, initiator, target, id, time interval, hash Target MAC is a MAC calculated over above
chain, node list, MAC list). five fields with the key KDS . Key list is left empty to
Initiator and Target being set to addresses of be initialized by the intermediate nodes.
source and destination, respectively. ÔIdÕ is set to The REPLY is then returned to the initiator
an identifier that has not been recently used in along the source route which is the reverse of the
route discovery. The ÔTime IntervalÕ is set to TE- sequence of hops in the node list in the RE-
SLA time interval at the pessimistic arrival time of QUEST. The node forwarding the route REPLY
the request at the target, with maximum possi- waits until it is able to disclose the key for the
ble clock offset/skew and maximum transmission specified time interval. It has to store the REPLY
delay. in a buffer till then. The node then appends the key
The hash chain field is initialized by the initiator to the key list field in the REPLY and forwards the
to the MACKSD calculated over initiator, target, packet according to the source route in the packet.
id, time interval. Node list and MAC list are left The waiting delays do not add significant compu-
uninitialized, to be initialized later by the inter- tation overhead but adds storage overheads. Given
mediate and target nodes. the limited memory resources available on the ad
When an intermediate node A receives a hoc nodes such storage overhead is a cause of
ROUTE REQUEST, the node checks its local concern.
table (initiator, id). If it finds an entry for the When the initiator receives the REPLY, it
same route discovery, it discards the REQUEST, checks if the keys in the key list are valid, target
else the node A verifies the time interval of the MAC is valid and each MAC in the MAC list is
REQUEST. If the time interval is too far in the future or the key corresponding to it has been disclosed, the REQUEST is discarded. Otherwise the node appends its address A to the node list in the REQUEST, and the hash chain field is replaced by H(A, old hash chain). The node then appends a MAC of the entire request to the MAC list. The MAC is calculated using key $K_i$, where 'i' is the time interval mentioned in the REQUEST. The node then rebroadcasts the modified REQUEST.

When the target node receives the REQUEST, it determines whether the keys corresponding to the time interval mentioned in the REQUEST have not been disclosed yet, and whether the hash chain field is equal to

$$H[\eta_n, H[\eta_{n-1}, H[\ldots, H[\eta_1, \mathrm{MAC}_{K_{sd}}(\text{initiator}, \text{target}, \text{id}, \text{time interval})] \ldots ]]]$$

where $\eta_i$ is the node address of the node at position $i$ and $n$ is the number of nodes in the node list.

If the above two conditions are satisfied, the REQUEST is deemed valid and the target constructs a REPLY to the initiator. The REPLY consists of the following fields: target, initiator, time interval, node list and MAC list; these fields are set to the corresponding fields from the received REQUEST.

valid. If all these are valid only then will it accept the route REPLY.

9.2.3. Per-hop hashing

An attacker could attempt to remove a node from the node list in the REQUEST. One-way hash functions ensure that no hop is omitted, hence the name per-hop hashing. To change or remove a previous hop, the attacker must be able to invert the one-way hash function, which is computationally infeasible given the limited computational capacity of nodes in mobile wireless ad hoc networks. As we have seen in the previous section, when an intermediate node A receives a ROUTE REQUEST, it appends its address A to the node list in the REQUEST and the hash chain field is replaced by H(A, old hash chain), where H is the one-way hash function and A is the address of the node A. Since it is computationally almost impossible to invert this one-way hash function, a malicious node that succeeds in removing the address of any previous node from the node list would not be able to remove that node's address from the hash chain field. In this way the attacker would be thwarted, as the computed hash chain field would not be the same as the hash chain in the field, and hence the REQUEST would be discarded.
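The target-side check that per-hop hashing enables can be sketched as follows. This is an added example, not code from the paper or from ARIADNE's authors; SHA-256, HMAC-SHA-256, the dictionary layout and all function names are assumptions, and the TESLA MAC list and time-interval checks are left out so that only the hash chain is exercised.

```python
import hashlib
import hmac

def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so that field boundaries are unambiguous."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def H(address: bytes, old_chain: bytes) -> bytes:
    """One-way hash H(A, old hash chain); SHA-256 is an assumption of this sketch."""
    return hashlib.sha256(_encode(address, old_chain)).digest()

def new_request(k_sd: bytes, initiator: bytes, target: bytes,
                req_id: bytes, interval: int) -> dict:
    """Initiator: seed the chain with MAC_Ksd(initiator, target, id, time interval)."""
    seed = hmac.new(k_sd,
                    _encode(initiator, target, req_id, str(interval).encode()),
                    hashlib.sha256).digest()
    return {"initiator": initiator, "target": target, "id": req_id,
            "interval": interval, "node_list": [], "hash_chain": seed}

def forward(request: dict, address: bytes) -> dict:
    """Intermediate node A: append A to the node list, replace chain by H(A, old chain)."""
    return {**request,
            "node_list": request["node_list"] + [address],
            "hash_chain": H(address, request["hash_chain"])}

def target_accepts(request: dict, k_sd: bytes) -> bool:
    """Target: recompute H[eta_n, H[..., H[eta_1, MAC]]] from the received node list."""
    expected = new_request(k_sd, request["initiator"], request["target"],
                           request["id"], request["interval"])["hash_chain"]
    for address in request["node_list"]:       # eta_1 first, eta_n last
        expected = H(address, expected)
    return hmac.compare_digest(expected, request["hash_chain"])

def demo() -> dict:
    k_sd = b"constructed-shared-key-S-D"       # constructed sample key
    req = new_request(k_sd, b"S", b"D", b"req-17", 42)
    for hop in (b"A", b"B", b"C"):
        req = forward(req, hop)
    # Hop B is deleted from the node list; the hash chain field still commits to B.
    shortened = {**req, "node_list": [b"A", b"C"]}
    # The modified REQUEST is then forwarded by a further hop M in the normal way.
    shortened_then_forwarded = forward(shortened, b"M")
    # Same hops, different order: the chain also fixes the order of the list.
    reordered = {**req, "node_list": [b"B", b"A", b"C"]}
    return {
        "honest": target_accepts(req, k_sd),
        "hop_removed": target_accepts(shortened, k_sd),
        "hop_removed_then_forwarded": target_accepts(shortened_then_forwarded, k_sd),
        "reordered": target_accepts(reordered, k_sd),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'discarded'}")
```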
9.3. Route maintenance in ARIADNE

An intermediate node attempting to forward a packet to the next hop along the source route will return a route ERROR to the original sender if and only if it is unable to deliver the packet to the next hop after a fixed finite number of retransmissions.

In order to prevent unauthorized nodes from sending false ERROR messages, the protocol requires the original sender to authenticate the ERROR messages using TESLA. The protocol however does not guard against attackers not sending ERRORs in case of a genuinely broken route.

ARIADNE does not guard against passive attackers eavesdropping on the network traffic. ARIADNE does not prevent an attacker from inserting data packets. ARIADNE is vulnerable to an active-1-1 attacker that lies along the discovered route, who does not forward packets and does not generate an ERROR if it encounters a broken link.

10. On demand secure routing protocol resilient to Byzantine failures

In this protocol [6], the emphasis is on survivability of routes under situations where an intermediate node or group of nodes are known to be malicious and may attempt "Byzantine" attacks such as creation of routing loops, misrouting of packets along non-optimal (unnecessarily long) paths or selective dropping of packets (black or gray holes).

Instead of laying the blame of a route failure on a single misbehaving node, the protocol [6] inculpates a link and thus the two nodes forming the link. This can ameliorate routing misbehaviors wherein two adjacent nodes are colluding with each other and dropping packets. Every link between two adjacent nodes has a certain weight associated with it. When a link is found to be faulty, the weight associated with that link is multiplicatively increased. When multiple routes are discovered for a particular destination, the initiating node selects the route whose sum of link weights is the least, thus discovering the route which has the least likelihood of having a faulty link in it. The protocol consists of the following three phases:

(i) Route discovery with fault avoidance,
(ii) Byzantine fault detection,
(iii) Link weight management.

10.1. Route discovery with fault avoidance

In the route discovery both the route REQUEST and RESPONSE are flooded. The RESPONSE is flooded in order to prevent any single adversary from stopping route establishment. Digital signatures are used to authenticate the source so that malicious nodes do not initiate route discovery and consume valuable network resources. The source creates the route REQUEST and signs it. The request consists of source, destination, a sequence number and link weight list. There is no route caching. When an intermediate node receives a route request, it checks its valid request list to see if there is a matching request in the list for the same source. If there is no matching request and the source's signature is valid, it rebroadcasts the request, else the request is dropped. When the destination receives a request from the source for the first time, it checks the source signature on the request. It then constructs and signs the response consisting of source, destination, a response sequence number and the weight list from the request packet.

When an intermediate node receives a response, it computes the total weight of the path by summing weights of all the links that constitute the path. If the total weight is less than any of the previous responses for that particular request, it checks the signature on the response header and every hop listed on the packet. If the whole of the packet is verified, the node appends its identifier to the end of the packet, signs the new packet and broadcasts it.

When the source receives the response, the verifications performed are the same as those at intermediate nodes. If the path is better than the
best path received so far, the source updates the route used to send packets to the particular destination.

This type of route discovery attempts to find the route having the lowest sum of link weights, thereby selecting a route which is least likely to have a faulty link on it. Faulty links have more link weight and get automatically precluded from route discovery.

In spite of this fault avoiding route discovery, if a faulty link happens to be a part of a route, maybe because no alternate routes with lower link weights were discovered, a fault detection mechanism will be invoked after log n faults where n is the length of the route.

10.2. Byzantine fault detection

This Byzantine fault detection uses an adaptive probing technique which identifies a faulty link after log n faults have occurred, where n is the length of the route.

The protocol requires the destination to return an ack to the source for every successfully received data packet. If no valid acks are received during the time out, it assumes that the packets were lost in transit (malicious or non-malicious). Loss rate less than a fixed threshold is tolerable and may vary with every route and is chosen by the source. Source keeps track of number of losses on the path. If this number exceeds the threshold, a binary search on the path is initialized, assuming a faulty link exists on the source–destination route. Protocol avoids loss and does not disconnect nodes so the threat of false positives is neutralized. When the losses exceed the threshold, the protocol attempts to locate the faulty link.

Source specifies a dynamic list of intermediate nodes on the route, each of which must send an ack for the successfully received packet, in addition to the destination. These nodes are called probes. The probes divide the route into non-overlapping continuous intervals. When a fault is detected on an interval, a new probe is inserted in between that interval.

This probe insertion and interval subdivision continues till the faulty interval narrows down to a single faulty link. Due to binary search, the faulty link is detected after log n faults occur, n being the total number of nodes on the route.

Fig. 8. Nodes along the route in each panel: (a) S, P1, P2, D; (b) S, P1, P3, P2, D; (c) S, P1, P3, P4, P2, D. (a) Step 1: Fault on P1–P2 interval. P1 and P2: probes; X: faulty link. (b) Step 2: P3: new inserted probe; P3–P2: faulty interval. (c) Step 3: P4: new inserted probe; P3–P4: faulty link.

We illustrate the fault detection mechanism with the help of Fig. 8a–c. As shown in Fig. 8a, suppose a faulty link exists at 'X'. When the fault rate exceeds the threshold level, the source node S invokes the fault detection mechanism. S arbitrarily selects probes P1 and P2 along the route to destination D, thereby dividing the route into intervals S–P1, P1–P2, P2–D. Both the probes P1 and P2 are supposed to send 'acks' to the source. S receives the ack from P1 but does not get the ack from P2 as there is a broken link between P1 and P2. Since S does not receive the ack from P2, it assumes that the faulty link exists in the interval P1–P2.

So S inserts a new probe P3 along the interval P1–P2 as shown in Fig. 8b. S now receives acks from P1 and P3 but not from P2 as the faulty link lies in the P3–P2 interval. So S assumes that a
faulty link exists on the interval P3–P2 and inserts a new probe P4 in the P3–P2 interval as shown in Fig. 8c. Now S receives acks from P1 and P3 but not from P4 and P2, so S assumes that a broken link exists along P3–P4. Since P3–P4 is a single link, with P3 and P4 being adjacent nodes, the P3–P4 link is faulty. This link is sent as input to the link weight management mechanism.

10.3. Link weight management

When a faulty link is detected, a multiplicative increase scheme is used to double its weight. The greater the weight, the lower the probability of that link being on any further routes.

So far we have looked at secured routing protocols for reactive or on-demand protocols. We now discuss a SRP for proactive protocols.

11. Securing distance vector routing protocol using SEAD

Distance vector routing protocol [14] finds the shortest route between nodes of a network using a distributed implementation of the Bellman–Ford algorithm. In this protocol, each router maintains a routing table having an entry for every possible destination within the network. Each entry in the routing table holds a destination identifier, the distance to the destination in terms of hop count, also referred to as metric, and the identity of the next hop neighbor router on this shortest route to the destination.

When a packet needs to be routed to a destination node, the table entry for the corresponding destination is looked up and the packet is routed to the first hop neighbor router on that route. The neighbor router in turn looks up its entry for the corresponding destination and routes the packet to its first hop neighbor on the route to that destination and so on.

In order to maintain the consistency and freshness of the routing tables on each individual node, each node periodically transmits a routing update to each of its neighbor routers, having data from its routing table. Each router in turn uses this data advertised by its neighbor router to update its own table in such a way that its route for every destination uses as the next hop the router which advertises the smallest metric for that destination. The router then sets the metric in its table entry for that destination to one more than the metric from that neighbor router's update. In order to dispense fresh routing information through the network without delay, a concept of "triggered" updates was introduced. In a triggered update, a router transmits a new update as soon as the metric in its table entry for a destination changes. It does not wait for its next scheduled periodic update.

As an adaptation to the wireless ad hoc paradigm, in DSDV [13] a sequence number is added to the table entry. The sequence number prevents the formation of loops caused by out of order updates. Every node maintains an even sequence number in its routing table entry and includes it in every update it sends. This sequence number is the most recent one the node knows for that destination.

Whenever a routing update is received, the newly advertised route for a destination is preferred if the sequence number for the destination in the update is more than the corresponding one in the routing table entry for that destination. Else if the sequence numbers are equal and the new metric is lower than the corresponding metric in the routing table, the routing table entry corresponding to that destination is updated to reflect the new route with lower metric, else the update for that destination is ignored. Whenever a broken link to a neighbor is encountered, the node sets the metric for that neighbor as a destination to infinity in the corresponding entry and the sequence number is set to the next odd sequence number and a new route update is created to advertise this information. DSDV sends updates both periodically as well as triggered. These updates can be either the whole routing table (full dump) or only those table entries which correspond to the destinations for which the route has changed since the last full dump. A triggered update is sent when either the metric for a destination changes or when the sequence number changes. In the latter case, it is called DSDV-SQ.

A malicious node may send updates advertising lower hop count for certain destinations to its
neighboring nodes. The neighbors would be fooled into believing that this malicious node has the shortest path to those destinations, and so they would make this malicious node the first hop for routes to those destinations. Thus this malicious node would be able to launch denial of service attacks against those destinations by having all routes to them through itself. It can then selectively drop packets and wreak havoc in the network. This is prevented by SEAD which is discussed next.

11.1. SEAD

In SEAD [4], the receiver of the routing update authenticates the sender. One-way hash functions are used to secure routing in SEAD, since they are computationally efficient as compared to public key cryptography or secret key paradigms. When a node sends a routing update about itself (metric 0), it uses a single next element from its hash chain. An attacker cannot generate any value in the hash chain of the node which the node is going to use in the future as it is impossible to invert a one-way hash function. Another node can only increase the metric in the routing update but cannot decrease it. For each entry in the routing update for a route to some other destination, the hash chain of that destination allows the metric in that entry to be authenticated by the receiving nodes. SEAD, through authentication, secures the lower bound on the metric in each update.

It is assumed that an upper bound can be placed on the diameter of the ad hoc network, and let this bound be denoted by $m - 1$. Thus all metrics in any routing update are less than $m$. If a node's hash chain sequence is $h_0, h_1, h_2, h_3, \ldots, h_n$, and $n$ is divisible by $m$, then for a sequence number $i$ in a routing update entry, let $k = n/m - i$. If the metric of the route update entry is $j$, $0 \le j < m$, then the element $h_{km+j}$ from the hash chain list is used to authenticate the routing table entry for that sequence number and that metric. Suppose an attacker receives a routing update having metric $j$ for a particular entry. If the attacker decides to decrease the metric for that entry to, say, $j - 1$, then the attacker will have to authenticate the entry with hash chain element $h_{km+j-1}$. However, this hash chain element is not known to the attacker as it is not released yet and it cannot be calculated from $h_{km+j}$ as the hash function cannot be inverted. Hence any attempt to decrease the metric of a particular routing table entry would be thwarted as the attacker will not have the necessary hash chain element to authenticate the resulting metric.

When a node in SEAD sends a routing update, the node includes one hash value with every entry in that update. In case of an entry for itself, the node sets the address to its own node address, the metric to zero, the sequence number to its own sequence number and the hash value to the first element in the group of its own hash chain elements corresponding to that sequence number. If a node lists an entry for some other destination in its update, it sets the destination address to that node's address, the metric and the sequence number to the corresponding values in its routing table for that destination node, and the hash value is set to the hash of the hash value of the routing update entry from which it learned the route to that destination. The role played by sequence number and metric in selecting the hash value for a routing update entry prevents any node from advertising a route to a destination claiming a greater sequence number than that destination's current sequence number due to one-way hash functions.

When a node receives a routing update, depending upon the sequence number and metric in the received entry and the sequence number and metric of the prior authentic hash value for that destination, it decides how many times the hash value in the newly received update entry needs to be hashed so that it should be the same as the prior authentic hash value. If the two hash values are found to be equal, the entry is authentic and gets processed, else it is dropped.

SEAD, however, cannot prevent the same distance attack where a node receives an advertisement for a particular sequence number and metric and then it readvertises the same sequence number and metric. This is because SEAD only secures the lower bound on the metric, ensuring the node does not reduce the metric.
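The indexing rule $h_{km+j}$ with $k = n/m - i$ and the receiver's check can be worked through in code. This is an added example, not code from the SEAD paper; SHA-256, the function names, and verifying against an authentically distributed final element $h_n$ (rather than a previously authenticated value) are assumptions of the sketch.

```python
import hashlib
import hmac

def H(value: bytes) -> bytes:
    """One-way hash function; SHA-256 is an assumption of this sketch."""
    return hashlib.sha256(value).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [h_0, ..., h_n] with h_i = H(h_{i-1}); h_n is the public anchor."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain

def chain_index(seq: int, metric: int, n: int, m: int) -> int:
    """Index km + j, with k = n/m - i, for sequence number i and metric j."""
    if n % m != 0 or not (1 <= seq <= n // m) or not (0 <= metric < m):
        raise ValueError("sequence number or metric out of range")
    return (n // m - seq) * m + metric

def authenticate(value: bytes, seq: int, metric: int,
                 anchor: bytes, n: int, m: int) -> bool:
    """Receiver: hash the advertised value forward until it should equal h_n."""
    try:
        idx = chain_index(seq, metric, n, m)
    except ValueError:
        return False
    for _ in range(n - idx):
        value = H(value)
    return hmac.compare_digest(value, anchor)

def demo() -> dict:
    n, m = 20, 5                      # network diameter bound m - 1 = 4
    chain = make_chain(b"constructed-destination-seed", n)
    anchor = chain[n]                 # assumed known authentically to every node
    seq, j = 2, 2                     # k = 20/5 - 2 = 2, so the element is h_12
    received = chain[chain_index(seq, j, n, m)]

    return {
        # Honest forwarder: metric j + 1 is backed by H(received) = h_13.
        "metric_increased": authenticate(H(received), seq, j + 1, anchor, n, m),
        # Claiming metric j - 1 needs h_11, which cannot be derived from h_12.
        "metric_decreased_same_value": authenticate(received, seq, j - 1, anchor, n, m),
        "metric_decreased_hashed_value": authenticate(H(received), seq, j - 1, anchor, n, m),
        # Claiming a fresher sequence number needs an element earlier in the chain.
        "sequence_number_raised": authenticate(received, seq + 1, j, anchor, n, m),
        # Same distance attack: re-advertising the same value and metric verifies,
        # which is the limitation the text notes.
        "same_metric_replayed": authenticate(received, seq, j, anchor, n, m),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authentic' if ok else 'dropped'}")
```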
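Returning to the Byzantine-resilient protocol of Section 10, the adaptive probing of Section 10.2 and the weight doubling of Section 10.3 can be simulated together. This is an added example, not code from the protocol's authors; it assumes a single fixed faulty link, starts with the destination as the only probe, inserts each new probe at the midpoint of the faulty interval, and uses hypothetical node names and function names.

```python
import bisect

def locate_faulty_link(route, faulty_index):
    """Adaptive probing over one route (source first, destination last).

    faulty_index f models the adversary: the link route[f]--route[f+1] drops
    traffic, so a probe at position p returns an ack only if p <= f.
    Returns the link found and the number of faults observed while searching.
    """
    probes = [0, len(route) - 1]          # source end and destination
    faults = 0
    while True:
        faults += 1                       # another loss above the threshold
        acked = [p for p in probes if p <= faulty_index]
        lo = acked[-1]                    # last probe whose ack arrived
        hi = probes[probes.index(lo) + 1] # first probe whose ack is missing
        if hi - lo == 1:                  # the interval is a single link
            return (route[lo], route[hi]), faults
        bisect.insort(probes, (lo + hi) // 2)   # new probe inside the interval

def path_weight(route, weights):
    """Sum of link weights along a route; links never found faulty weigh 1."""
    return sum(weights.get(frozenset(link), 1) for link in zip(route, route[1:]))

def penalize(link, weights):
    """Link weight management: multiplicative increase, doubling the weight."""
    key = frozenset(link)
    weights[key] = 2 * weights.get(key, 1)

def select_route(routes, weights):
    """Route discovery with fault avoidance: lowest total link weight wins."""
    return min(routes, key=lambda r: path_weight(r, weights))

def run(routes, bad_route, faulty_index):
    """Keep using the best route; each time it fails, locate and penalize the link."""
    weights, history = {}, []
    while select_route(routes, weights) is bad_route:
        link, faults = locate_faulty_link(bad_route, faulty_index)
        penalize(link, weights)
        history.append((link, faults, path_weight(bad_route, weights)))
    return select_route(routes, weights), history

def demo():
    short = ["S", "A", "B", "C", "D"]            # 4 links, link B--C is faulty
    longer = ["S", "E", "F", "G", "H", "D"]      # 5 links, all healthy
    return run([short, longer], short, faulty_index=2)

if __name__ == "__main__":
    final_route, history = demo()
    for link, faults, weight in history:
        print(f"faulty link {link} found after {faults} faults; path weight now {weight}")
    print("route in use:", " -> ".join(final_route))
```

With equal weights on a tie the source keeps its current route, so in this run the faulty link is penalized twice before the longer route is selected.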

12. An optimized inter-router authentication scheme

Lakshmi and Agrawal [18] present another classification of attacks on routing protocols: internal and external attacks. External attacks are launched by nodes which do not belong to the network and the internal attacks are launched by the nodes belonging to the network which have been compromised.

Lakshmi and Agrawal [18] introduce a low overhead authentication scheme among ad hoc network nodes that are part of an active route. The scheme relies on public key cryptography. The scheme assumes the existence of a centralized governing authority, which is responsible for creation of the ad hoc network and is the only entity that has the system private key. Each node in the network is given a private/public key pair by the governing authority along with the system's public key. The governing body stores the system private key securely and uses it to sign the public keys of member nodes. The governing authority is not mobile and is considered to be more trustworthy by the member nodes.

The authentication scheme is discussed with respect to the ad hoc on demand routing protocol, AODV. The authentication scheme is applied only to the response messages RREP. This effectively reduces the overhead as the response is not flooded but follows only a particular path from the destination to the source. This path or route is called the authenticated route. This scheme is a three-way communication between adjacent nodes on the authenticated route as shown in Fig. 9.

A node sends a pre-reply to its neighbor indicating that it wishes to send a reply to the neighbor node. The pre-reply contains a challenge for the neighbor. This challenge is a random string. The neighbor, on receiving this challenge, generates a new challenge for the node which sent it the pre-reply. This new challenge along with the string obtained by encrypting the earlier challenge is sent by the neighboring node to the node that sent the challenge. If the nodes are interacting for the first time, then certified public keys are also exchanged. The node then sends the reply and the encrypted new challenge. The authentication would fail if any of the constituent nodes of the route fails to prove its network membership, i.e., prove the knowledge of the private key whose counterpart public key is certified by the governing authority. If the authentication fails, then the node which discovers an intruder sends a purgereplyroute message to all members of the route to erase all entries for this particular route from their route table.

Fig. 9. Three-way communication during route reply. Messages exchanged between nodes S and D, in order: (1) Pre-Reply + challenge 1; (2) Encrypt(challenge 1) + challenge 2; (3) Reply + Encrypt(challenge 2).

13. Conclusions

We have analytically discussed contemporary SRPs for wireless mobile ad hoc networks. A summary of the key attributes of these protocols is presented in Table 2. We have identified areas where some further work needs to be done, especially the problem of tracking and eliminating misbehaving nodes that are part of an already existing route and the problem of preventing partitioning of the network. These problems assume monumental proportions especially in the case of ad hoc networks as there is no central governing authority. In ad hoc networks, individual nodes act as routers, forwarding packets to the nodes in their radio range. If a node is compromised or fails, then the routes through that node are in jeopardy. There is a need for a mechanism to salvage the routes in case of node failure or node subversion. The nodes in an ad hoc network are moving, and if a node which is a constituent of a number of routes moves from its position, the routes are broken, resulting in partitioning of the network where one part of the network is not accessible from the other. The future research in the field of secure routing should be directed towards ameliorating the above two problems.
Table 2
A summary of secure routing protocols

Each entry gives the name of the protocol followed by its features.

Security aware ad hoc routing
(a) Classifies nodes into different immutable trust levels.
(b) Route Initiator specifies minimum trust level for a route and only the nodes with that trust level or higher can participate in the route.
(c) Can be implemented by distributing keys for each trust level.
(d) Not very scalable but has the potential of precluding malicious nodes from route discovery.

Secure routing protocol
(a) This protocol assumes a security association between source and destination nodes.
(b) Intermediate nodes do not need to cryptographically validate the control traffic.
(c) Adds a SRP header to the base routing protocol (DSR or AODV) request packet. SRP header has three important fields: QSEQ which helps prevent replay of old outdated requests, QID a random number which helps prevent fabrication of requests, and a SRP MAC which ensures integrity of the packets in transit.

ARAN
(a) Assumes managed-open environment, where there is a possibility for pre-deployment of infrastructure. Consists of two distinct stages.
(b) The first stage is the certification and end-to-end authentication stage. Here the source gets a certificate from the trusted certification server, and then using this certificate, signs the request packet. Each intermediate node in turn signs the request with its certificate. The destination then verifies each of the certificates, thus the source gets authenticated and so do the intermediate nodes. The destination node then sends the reply along the route reverse to the one in the request, reply signed using the certificate of the destination.
(c) The second stage is a non-mandatory stage used to discover the shortest path to the destination, but this stage is computationally expensive.

Watchdog and pathrater
(a) Watchdog is a component run on each node. It makes the nodes operate in promiscuous mode which makes them listen to the transmissions of their one-hop neighbors. Thereby a node can keep track of which packets were successfully transmitted by the subsequent node and which were not, so that it can retransmit them. However if the node is dropping all the packets, then it is considered malicious and its behavior is reported to the 'pathrater'.
(b) Watchdog has some obvious disadvantages. Most obvious of them are that watchdog can be deceived by two neighboring nodes colluding together, and the need of a buffer to store the transmitted packets until they are transmitted by the subsequent node in the route.
(c) Pathrater is a component running on each node, which maintains a rating for every other node in the network. These ratings are used as metrics while selecting a path for data transmission.

ARIADNE
(a) ARIADNE prevents attackers/compromised nodes from disrupting uncompromised routes comprising of benign nodes.
(b) Uses highly efficient symmetric key cryptography.
(c) ARIADNE does not guard against passive attackers eavesdropping on the network traffic.
(d) ARIADNE does not prevent an attacker from inserting data packets.
(e) ARIADNE is vulnerable to active-1-1 attacker that lies along the discovered route, who does not forward packets and does not generate ERROR if it encounters a broken link.

Secure on-demand routing protocol
(a) This protocol attempts to ensure survivability of routes under situations where intermediate node or group of nodes are known to be malicious.
(b) Instead of laying the blame of a route failure on a single misbehaving node, the protocol inculpates a link and thus the two nodes forming the link.
(c) Fault detection is carried out through insertion of probes. When a fault is encountered on a route, the initiator arbitrarily chooses few nodes along the route to be probes. Now these probes are sent a control message to which they need to send an 'ack'. The probe beyond which the acks do not come through, the interval between this particular probe and the subsequent probe on the route is considered to be faulty and one more probe is inserted in between this interval. Again the control messages are sent and again the probes got to send acks. This whole process repeats till the faulty interval is reduced to a link between two nodes.

Self securing ad hoc networks
(a) The function of a trusted third party certification authority is distributed to individual.
(b) In the localized trust model, a node is trusted if any k (threshold) trusted entities claim so within a certain time period. These certifying entities are generally the node's one-hop neighbors. Once a node is trusted by its local community, it is globally accepted as a trusted node, otherwise, considered untrustworthy in the entire network.

SEAD
(a) One-way hash functions are used to secure routing in SEAD, since they are computationally efficient as compared to public key cryptography or secret key paradigms.
(b) An attacker cannot generate any value in the hash chain of the node which the node is going to use in the future as it is impossible to invert a one-way hash function.
(c) Another node can only increase the metric in the routing update but cannot decrease it.
(d) When a node in SEAD sends a routing update, the node includes one hash value with every entry in that update.

14. Uncited references

[9,16,17].

References

[1] Y.-C. Hu, A. Perrig, D.B. Johnson, ARIADNE: a secure on-demand routing protocol for ad hoc networks, in: MobiCom 2002, Atlanta, GA, USA, September 23–28, 2002.
[2] P. Papadimitratos, Z.J. Haas, Secure routing for mobile ad hoc networks, in: SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX, January 27–31, 2002.
[3] S. Yi, P. Naldurg, R. Kravets, A security-aware ad hoc routing protocol for wireless networks, in: The 6th World Multi-Conference on Systemics, Cybernetics and Informatics (SCI 2002), 2002.
[4] Y.-C. Hu, D.B. Johnson, A. Perrig, SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks, in: Proceedings of the 4th IEEE Workshop on Mobile Computing Systems & Applications (WMCSA 2002), IEEE, Calicoon, NY, June 2002, pp. 3–13.
[5] M.G. Zapata, Secure Ad hoc On-Demand Distance Vector (SAODV) Routing, Internet-Draft draft-guerrero-manet-saodv-00.txt, August 2002. First published in the IETF MANET Mailing List (October 8, 2001).
[6] B. Awerbuch, D. Holmer, C. Nita-Rotaru, H. Rubens, An on-demand secure routing protocol resilient to Byzantine failures, in: ACM Workshop on Wireless Security (WiSe), Atlanta, GA, September 28, 2002.
[7] K. Sanzgiri, B. Dahill, B.N. Levine, C. Shields, E.M. Belding-Royer, A secure routing protocol for ad hoc networks, in: Proceedings of 2002 IEEE International Conference on Network Protocols (ICNP), November 2002.
[8] S. Marti, T.J. Giuli, K. Lai, M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, in: Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking, August 2000.
[9] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEE Networks, Special Issue on Network Security 13 (6) (1999) 24–30.
[10] H. Luo, J. Kong, P. Zerfos, S. Lu, L. Zhang, Self-securing ad hoc wireless networks, in: Seventh IEEE Symposium on Computers and Communications (ISCC'02), in press.
[11] C.E. Perkins, E.M. Royer, Ad-hoc on-demand distance vector (AODV) routing, in: The Second IEEE Workshop on Mobile Computing Systems and Applications, New Orleans, LA, USA, February 1999.
[12] J. Broch, D.B. Johnson, The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks, IETF Internet Draft, October 1999.
[13] C. Perkins, P. Bhagwat, A highly dynamic destination-sequenced distance vector routing (DSDV) for mobile computers, in: ACM SIGCOMM 1994 Conference on Communications Architectures, Protocols and Applications, 1994, pp. 234–244.
[14] R.V. Boppana, S. Konduru, An adaptive distance vector routing algorithm for mobile, ad hoc networks, in: Proceedings of the Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2001), 2001, pp. 1753–1762.
[15] Y.-C. Hu, A. Perrig, D.B. Johnson, Wormhole detection in wireless ad hoc networks, Technical Report TR01-384, Rice University, Department of Computer Science.
[16] A. Perrig, R. Canetti, J.D. Tygar, D. Song, Efficient authentication and signing of multicast streams over lossy channels, in: IEEE Symposium for Security and Privacy, May 2000, pp. 56–73.
[17] A. Perrig, R. Canetti, D. Song, J.D. Tygar, Efficient and secure source authentication for multicast, in: Network and Distributed Security Symposium, NDSS '01, February 2001, pp. 35–46.
[18] V. Lakshmi, D.P. Agrawal, An optimized inter-router authentication scheme for ad hoc networks, in: Proceedings of the 13th International Conference of Wireless Communications, Calgary, Canada, 9–11 July 2001, pp. 129–146.
Siddhartha Gupte is currently pursuing Ph.D. degree in Computer Science at University of Kentucky. His research interests include wireless networks security, distributed computing and computer security. He finished his Bachelor of Engineering with high first class from University of Mumbai in June 1999. He finished his Master of Computer and Information Science from Cleveland State University in December 2000.

Mukesh Singhal is a Full Professor and Gartener Group Endowed Chair in Network Engineering in the Department of Computer Science at The University of Kentucky, Lexington. From 1986 to 2001, he was a faculty in Computer and Information Science at The Ohio State University. He received a Bachelor of Engineering degree in Electronics and Communication Engineering with high distinction from Indian Institute of Technology, Roorkee, India, in 1980 and a Ph.D. degree in Computer Science from University of Maryland, College Park, in May 1986. His current research interests include distributed systems, mobile computing, computer networks, computer security, and performance evaluation. He has published over 160 refereed articles in these areas. He has co-authored three books titled "Data and Computer Communications: Networking and Internetworking", CRC Press, 2001, "Advanced Concepts in Operating Systems", McGraw-Hill, New York, 1994 and "Readings in Distributed Computing Systems", IEEE Computer Society Press, 1993. He is a Fellow of IEEE. He is currently serving in the editorial board of "IEEE Transactions on Knowledge and Data Engineering" and "IEEE Transactions on Computers". From 1998 to 2001, he served as the Program Director of Operating Systems and Compilers Program at National Science Foundation.
