security in mobile ad hoc networks: challenges and solutions

IEEE Wireless Communications • February 200438 1536-1284/04/$20.00 © 2004 IEEE

Broadcast

[[REP,S,CERTd,Ns,t]Kd-

t]Kd-]Ka-],CERTa

A

TO P I C S I N WIRELESS SE C U R I T Y

INTRODUCTIONIn recent years mobile ad hoc networks(MANETs) have received tremendous attentionbecause of their self-configuration and self-main-tenance capabilities. While early research effortassumed a friendly and cooperative environmentand focused on problems such as wireless chan-nel access and multihop routing, security hasbecome a primary concern in order to provideprotected communication between nodes in apotentially hostile environment. Although securi-ty has long been an active research topic in wire-line networks, the unique characteristics ofMANETs present a new set of nontrivial chal-lenges to security design. These challengesinclude open network architecture, shared wire-less medium, stringent resource constraints, andhighly dynamic network topology. Consequently,the existing security solutions for wired networksdo not directly apply to the MANET domain.

The ultimate goal of the security solutions for

MANETs is to provide security services, such asauthentication, confidentiality, integrity,anonymity, and availability, to mobile users. Inorder to achieve this goal, the security solutionshould provide complete protection spanning theentire protocol stack. Table 1 describes the secu-rity issues in each layer. In this article we consid-er a fundamental security problem in MANET:the protection of its basic functionality to deliverdata bits from one node to another. In otherwords, we seek to protect the network connectiv-ity between mobile nodes over potentially multi-hop wireless channels, which is the basis tosupport any network security services. Multihopconnectivity is provided in MANETs throughtwo steps: (1) ensuring one-hop connectivitythrough link-layer protocols (e.g., wireless medi-um access control, MAC); and (2) extendingconnectivity to multiple hops through network-layer routing and data forwarding protocols(e.g., ad hoc routing). Accordingly, we focus onthe link- and network-layer security issues, chal-lenges, and solutions in MANETs in this article.

One distinguishing characteristic of MANETsfrom the security design perspective is the lackof a clear line of defense. Unlike wired networksthat have dedicated routers, each mobile node inan ad hoc network may function as a router andforward packets for other peer nodes. The wire-less channel is accessible to both legitimate net-work users and malicious attackers. There is nowell defined place where traffic monitoring oraccess control mechanisms can be deployed. Asa result, the boundary that separates the insidenetwork from the outside world becomesblurred. On the other hand, the existing ad hocrouting protocols, such as Ad Hoc On DemandDistance Vector (AODV) [1] and DynamicSource Routing (DSR) [2], and wireless MACprotocols, such as 802.11 [3], typically assume atrusted and cooperative environment. As aresult, a malicious attacker can readily become arouter and disrupt network operations by inten-tionally disobeying the protocol specifications.

There are basically two approaches to protect-ing MANETs: proactive and reactive. The proac-tive approach attempts to prevent an attackerfrom launching attacks in the first place, typicallythrough various cryptographic techniques. In

HAO YANG, HAIYUN LUO, FAN YE, SONGWU LU, AND LIXIA ZHANG,UCLA COMPUTER SCIENCE DEPARTMENT

ABSTRACTSecurity has become a primary concern in

order to provide protected communicationbetween mobile nodes in a hostile environment.Unlike the wireline networks, the unique charac-teristics of mobile ad hoc networks pose a num-ber of nontrivial challenges to security design,such as open peer-to-peer network architecture,shared wireless medium, stringent resource con-straints, and highly dynamic network topology.These challenges clearly make a case for buildingmultifence security solutions that achieve bothbroad protection and desirable network perfor-mance. In this article we focus on the fundamen-tal security problem of protecting the multihopnetwork connectivity between mobile nodes in aMANET. We identify the security issues relatedto this problem, discuss the challenges to securitydesign, and review the state-of-the-art securityproposals that protect the MANET link- and net-work-layer operations of delivering packets overthe multihop wireless channel. The completesecurity solution should span both layers, andencompass all three security components of pre-vention, detection, and reaction.

SECURITY IN MOBILE AD HOC NETWORKS:CHALLENGES AND SOLUTIONS

Security has becomea primary concern toprovide protectedcommunicationbetween mobilenodes in a hostileenvironment. Unlikewireline networks,the uniquecharacteristics ofmobile ad hocnetworks pose anumber of non-trivialchallenges to thesecurity design.

IEEE Wireless Communications • February 2004 39

contrast, the reactive approach seeks to detectsecurity threats a posteriori and react accordingly.Due to the absence of a clear line of defense, acomplete security solution for MANETs shouldintegrate both approaches and encompass allthree components: prevention, detection, andreaction. For example, the proactive approachcan be used to ensure the correctness of routingstates, while the reactive approach can be used toprotect packet forwarding operations. As arguedin [4], security is a chain, and it is only as secureas the weakest link. Missing a single componentmay significantly degrade the strength of theoverall security solution.

Security never comes for free. When moresecurity features are introduced into the net-work, in parallel with the enhanced securitystrength is the ever-increasing computation,communication, and management overhead.Consequently, network performance, in terms ofscalability, service availability, robustness, and soon of the security solutions, becomes an impor-tant concern in a resource-constrained ad hocnetwork. While many contemporary proposalsfocus on the security vigor of their solutionsfrom the cryptographic standpoint, they leavethe network performance aspect largely unad-dressed. In fact, both dimensions of securitystrength and network performance are equallyimportant, and achieving a good trade-offbetween two extremes is one fundamental chal-lenge in security design for MANETs.

This article is structured as follows. Wedescribe the attack model in the next section,and then identify the challenges in MANETsecurity design. Next, we overview the state-of-the-art security proposals that protect MANETfrom different types of attacks in the link andnetwork layers, respectively. Lastly, we discussopen challenges and possible future directions inthis area.

ATTACKS

A MANET provides network connectivitybetween mobile nodes over potentially multihopwireless channels mainly through link-layer pro-tocols that ensure one-hop connectivity, and net-work-layer protocols that extend the connectivity

to multiple hops. These distributed protocolstypically assume that all nodes are cooperative inthe coordination process. This assumption isunfortunately not true in a hostile environment.Because cooperation is assumed but notenforced in MANETs, malicious attackers caneasily disrupt network operations by violatingprotocol specifications.

The main network-layer operations inMANETs are ad hoc routing and data packetforwarding, which interact with each other andfulfill the functionality of delivering packetsfrom the source to the destination. The ad hocrouting protocols exchange routing messagesbetween nodes and maintain routing states ateach node accordingly. Based on the routingstates, data packets are forwarded by intermedi-ate nodes along an established route to the des-tination. Nevertheless, both routing and packetforwarding operations are vulnerable to mali-cious attacks, leading to various types of mal-function in the network layer. While acomprehensive enumeration of the attacks is outof our scope, such network-layer vulnerabilitiesgenerally fall into one of two categories: routingattacks and packet forwarding attacks, based onthe target operation of the attacks.

The family of routing attacks refers to anyaction of advertising routing updates that doesnot follow the specifications of the routing pro-tocol. The specific attack behaviors are related

� Table 1. The security solutions for MANETs should provide complete pro-tection spanning the entire protocol stack.

Layer Security issues

Application layer Detecting and preventing viruses, worms, maliciouscodes, and application abuses

Transport layer Authenticating and securing end-to-end communicationsthrough data encryption

Network layer Protecting the ad hoc routing and forwarding protocols

Link layer Protecting the wireless MAC protocol and providinglink-layer security support

Physical layer Preventing signal jamming denial-of-service attacks

� Figure 1. The components in the multifence security solution.

Network-layer security solutions

Link-layer security solutions

Sourcerouting

Distance vectorrouting

Misbehaviordetection

Misbehaviorreaction

Link staterouting

Secure ad hoc routingProactive protection through message

authentication primitives

Secure wireless MACReactive protection through

detection and reaction

Secure packet forwardingReactive protection through

detection and reaction

Next-generation WEPModification to existing protocolto fix the cryptographic loopholes

IEEE Wireless Communications • February 200440

to the routing protocol used by the MANET.For example, in the context of DSR [2], theattacker may modify the source route listed inthe RREQ or RREP packets by deleting a nodefrom the list, switching the order of nodes in thelist, or appending a new node into the list [5].When distance-vector routing protocols such asAODV [1] are used, the attacker may advertisea route with a smaller distance metric than itsactual distance to the destination, or advertiserouting updates with a large sequence numberand invalidate all the routing updates from othernodes [6]. By attacking the routing protocols, theattackers can attract traffic toward certain desti-nations in the nodes under their control, andcause the packets to be forwarded along a routethat is not optimal or even nonexistent. Theattackers can create routing loops in the net-work, and introduce severe network congestionand channel contention in certain areas. Multi-ple colluding attackers may even prevent asource node from finding any route to the desti-nation, and partition the network in the worstcase.

There are still active research efforts in iden-tifying and defeating more sophisticated andsubtle routing attacks. For example, the attackermay further subvert existing nodes in the net-work, or fabricate its identity and impersonateanother legitimate node [7]. A pair of attackernodes may create a wormhole [8] and shortcutthe normal flows between each other. In thecontext of on-demand ad hoc routing protocols,the attackers may target the route maintenanceprocess and advertise that an operational link isbroken [5].

In addition to routing attacks, the adversarymay launch attacks against packet forwardingoperations as well. Such attacks do not disruptthe routing protocol and poison the routingstates at each node. Instead, they cause the datapackets to be delivered in a way that is inten-tionally inconsistent with the routing states. Forexample, the attacker along an established routemay drop the packets, modify the content of thepackets, or duplicate the packets it has alreadyforwarded. Another type of packet forwardingattack is the denial-of-service (DoS) attack vianetwork-layer packet blasting, in which theattacker injects a large amount of junk packetsinto the network. These packets waste a signifi-cant portion of the network resources, and intro-duce severe wireless channel contention andnetwork congestion in the MANET.

Recent research efforts have also identifiedthe vulnerabilities of the link-layer protocols,especially the de facto standard IEEE 802.11MAC protocol [3], for MANETs. It is wellknown that 802.11 WEP is vulnerable to severaltypes of cryptography attacks due to the misuseof the cryptographic primitives [9]. The 802.11protocol is also vulnerable to DoS attacks target-ing its channel contention and reservationschemes. The attacker may exploit its binaryexponential backoff scheme to deny access tothe wireless channel from its local neighbors [10,11]. Because the last winner is always favoredamong local contending nodes, a continuouslytransmitting node can always capture the chan-nel and cause other nodes to back off endlessly.

Moreover, backoffs at the link layer can incur achain reaction in upper layer protocols usingbackoff schemes (e.g., TCP’s window manage-ment). Another vulnerability of 802.11 comesfrom the NAV field carried in the request tosend/clear to send (RTS/CTS) frames, whichindicates the duration of channel reservation. Anadversarial neighbor of either the sender or thereceiver may overhear the NAV information andthen intentionally introduce a 1-bit error into thevictim’s link-layer frame by wireless interference.The corrupted frame has to be discarded by thereceiver after error detection. This effectivelyconstitutes another type of DoS attack.

CHALLENGES

One fundamental vulnerability of MANETscomes from their open peer-to-peer architecture.Unlike wired networks that have dedicatedrouters, each mobile node in an ad hoc networkmay function as a router and forward packets forother nodes. The wireless channel is accessibleto both legitimate network users and maliciousattackers. As a result, there is no clear line ofdefense in MANETs from the security designperspective. The boundary that separates theinside network from the outside world becomesblurred. There is no well defined place/infra-structure where we may deploy a single securitysolution.

Moreover, portable devices, as well as thesystem security information they store, are vul-nerable to compromises or physical capture,especially low-end devices with weak protection.Attackers may sneak into the network throughthese subverted nodes, which pose the weakestlink and incur a domino effect of security breach-es in the system.

The stringent resource constraints inMANETs constitute another nontrivial challengeto security design. The wireless channel is band-width-constrained and shared among multiplenetworking entities. The computation capabilityof a mobile node is also constrained. For exam-ple, some low-end devices, such as PDAs, canhardly perform computation-intensive tasks likeasymmetric cryptographic computation. Becausemobile devices are typically powered by batter-ies, they may have very limited energy resources.

The wireless medium and node mobility posesfar more dynamics in MANETs compared to thewireline networks. The network topology is high-ly dynamic as nodes frequently join or leave thenetwork, and roam in the network on their ownwill. The wireless channel is also subject to inter-ferences and errors, exhibiting volatile character-istics in terms of bandwidth and delay. Despitesuch dynamics, mobile users may request foranytime, anywhere security services as they movefrom one place to another.

The above characteristics of MANETs clearlymake a case for building multifence security solu-tions that achieve both broad protection and desir-able network performance. First, the securitysolution should spread across many individualcomponents and rely on their collective protec-tion power to secure the entire network. Thesecurity scheme adopted by each device has towork within its own resource limitations in terms

Unlike wired net-works that havededicated routers,each mobile node inan ad hoc networkmay function as arouter and forwardpackets for othernodes. The wirelesschannel is accessibleto both legitimatenetwork users andmalicious attackers.


of computation capability, memory, communica-tion capacity, and energy supply. Second, thesecurity solution should span different layers ofthe protocol stack, with each layer contributingto a line of defense. No single-layer solution ispossible to thwart all potential attacks. Third,the security solution should thwart threats fromboth outsiders who launch attacks on the wire-less channel and network topology, and insiderswho sneak into the system through compromiseddevices and gain access to certain system knowl-edge. Fourth, the security solution shouldencompass all three components of prevention,detection, and reaction, that work in concert toguard the system from collapse. Last but notleast, the security solution should be practicaland affordable in a highly dynamic and resource-constrained networking scenario.

A MULTIFENCE SECURITY SOLUTION

In this section we review the state-of-the-artsecurity proposals for MANETs. Because multi-hop connectivity is provided in MANETsthrough distributed protocols in both the net-work and link layers, the ultimate multifencesecurity solution naturally spans both layers, asillustrated in Fig. 1.

There are basically two approaches to secur-ing a MANET: proactive and reactive. Theproactive approach attempts to thwart securitythreats in the first place, typically through vari-ous cryptographic techniques. On the otherhand, the reactive approach seeks to detectthreats a posteriori and react accordingly. Eachapproach has its own merits and is suitable foraddressing different issues in the entire domain.For example, most secure routing protocolsadopt the proactive approach in order to securerouting messages exchanged between mobilenodes, while the reactive approach is widely usedto protect packet forwarding operations.

Due to the absence of a clear line of defense,a complete security solution for MANETs shouldintegrate both proactive and reactive approach-es, and encompass all three components: preven-tion, detection, and reaction. The preventioncomponent deters the attacker by significantlyincreasing the difficulty of penetrating the sys-tem. However, the history of security has clearlyshown that a completely intrusion-free system isinfeasible, no matter how carefully the preven-tion mechanisms are designed. This is especiallytrue in MANETs, consisting of mobile devicesthat are prone to compromise or physical cap-ture. Therefore, the detection and reaction com-ponents that discover the occasional intrusionsand take reactions to avoid persistent adverseeffects, are indispensable for the security solu-tions to operate in the presence of limited intru-sions.

In the MANET context, the prevention com-ponent is mainly achieved by secure ad hoc rout-ing protocols that prevent the attacker frominstalling incorrect routing states at other nodes.These protocols are typically based on earlier adhoc routing protocols such as DSR [2], AODV[1], and Destination-Sequenced Distance Vector(DSDV) [12], and employ different cryptograph-ic primitives (e.g., HMAC, digital signatures,

hash chains) to authenticate the routing mes-sages. The detection component discovers ongo-ing attacks through identification of abnormalbehavior exhibited by malicious nodes. Such mis-behavior is detected either in an end-to-endmanner, or by the neighboring nodes throughoverhearing the channel and reaching collabora-tive consensus. Once an attacker node is detect-ed, the reaction component makes adjustmentsin routing and forwarding operations, rangingfrom avoiding the node in route selection to col-lectively excluding the node from the network.

NETWORK-LAYER SECURITYThe network-layer security designs for MANETsare concerned with protecting the network func-tionality to deliver packets between mobilenodes through multihop ad hoc forwarding.Therefore, they seek to ensure that the routingmessage exchanged between nodes is consistentwith the protocol specification, and the packetforwarding behavior of each node is consistentwith its routing states. Accordingly, the existingproposals can be classified into two categories:secure ad hoc routing protocols and secure packetforwarding protocols. Before we describe thesesecurity solutions in detail, we first introduceseveral cryptographic primitives for messageauthentication, the essential component in anysecurity design, and analyze the trade-offs behindthem.

Message Authentication Primitives — There are threecryptographic primitives widely used to authenti-cate the content of messages exchanged amongnodes.

HMAC (message authentication codes).1 Iftwo nodes share a secret symmetric key K, theycan efficiently generate and verify a messageauthenticator hK(⋅) using a cryptographic one-way hash function h. The computation is veryefficient, even affordable for low-end devicessuch as small sensor nodes. However, an HMACcan be verified only by the intended receiver,making it unappealing for broadcast messageauthentication. Besides, establishing the secretkey between any two nodes is a nontrivial prob-lem. If the pairwise shared key is used, a totalnumber of

keys will be maintained in a network with nnodes. SRP for DSR [13] takes this approachwith pairwise shared keys.

Digital signature. Digital signature is basedon asymmetric key cryptography (e.g., RSA),which involves much more computation over-head in signing/decrypting and verifying/encrypt-ing operations. It is less resilient against DoSattacks since an attacker may feed a victim nodewith a large number of bogus signatures toexhaust the victim’s computation resources forverifying them. Each node also needs to keep acertificate revocation list (CRL) of revoked cer-tificates. However, a digital signature can be ver-ified by any node given that it knows the publickey of the signing node. This makes digital sig-nature scalable to large numbers of receivers.Only a total number of n public/private key pairs

n n⋅ −( )12

1 In network literature,MAC normally refers tothe medium access con-trol protocol at the linklayer. To avoid ambiguity,we use MAC to refer tolink-layer medium accesscontrol, and HMAC torefer to keyed hashing formessage authentication.

Due to the absenceof a clear line of

defense, a completesecurity solution for

MANETs shouldintegrate bothproactive and

reactive approaches,and encompass allthree components:

prevention, detection,and reaction.


need be maintained in a network of n nodes.SAODV [6] and ARAN [7] take the digital sig-nature approach.

One-way HMAC key chain. Many crypto-graphic one-way functions exist such that giventhe output f(x), it is computationally infeasible tofind the input x. By applying f(⋅) repeatedly onan initial input x, one can obtain a chain of out-puts f i(x). These outputs can be used in thereverse order of generation to authenticate mes-sages: a message with an HMAC using fi(x) asthe key is proven to be authentic when thesender reveals fi–1(x). TESLA [14] is one suchhash-chain-based protocol commonly used toauthenticate broadcast messages. SEAD forDSDV [15], Ariadne for DSR [5], and packetleashes [8] for wormhole attacks all take thisapproach.

The computation involved in one-way key-chain-based authentication is lightweight, andone authenticator can be verified by large num-bers of receivers. However, these benefits comeat a certain cost. First, hash-chain-based authen-tication requires clock synchronization at granu-larities that may need special hardware support.Second, receivers need to buffer a message toverify them when the key is revealed. The delayin the verification of routing messages maygreatly decrease the responsiveness of the rout-ing protocol. If immediate authentication isdesired, very tight clock synchronization andlarge storage are necessary (e.g., TIK [8]). Third,the release of the key involves a second round ofcommunication. The timer has to be carefullygauged according to the specific context. Finally,the storage of the hash chain is nontrivial forlong chains, as required by scenarios with largerekeying intervals.

SECURE AD HOC ROUTINGThe secure ad hoc routing protocols take theproactive approach and enhance the existing adhoc routing protocols, such as DSR and AODV,with security extensions. In these protocols, eachmobile node proactively signs its routing mes-sages using the cryptographic authenticationprimitives described above. This way, collabora-tive nodes can efficiently authenticate the legiti-mate traffic and differentiate theunauthenticated packets from outsider attackers.However, an authenticated node may have been

compromised and controlled by the attacker.Therefore, we have to further ensure propercompliance with the routing protocols even foran authenticated node. In the following, wedescribe how different types of routing protocolsare secured.

Source Routing — For source routing protocolssuch as DSR, the main challenge is to ensurethat each intermediate node cannot removeexisting nodes from or add extra nodes to theroute. The basic technique is to attach a per-hopauthenticator for the source routing forwarderlist so that any altering of the list can be immedi-ately detected (or after the key is disclosed forHMAC key-chain-based authentication).

A secure extension of DSR is Ariadne [5]. Ituses a one-way HMAC key chain (i.e., TESLA)for the purpose of message authentication.Through key management and distribution, areceiver is assumed to possess the last releasedkey of the sender’s TESLA key chain. Take thefollowing example for an illustration. The sourcenode S uses source routing to connect to thedestination D through three intermediate nodesA, B, and C. The protocol establishes a hashchain at the destination,

H(C, H(B, H(A, HMACKSD (S,D)))),

where HMACKSD(M) denotes message M ’sHMAC code generated by a key shared betweenS and D. The well-known one-way hash functionH authenticates the contents in the chain, andHMACKSD(S,D) authenticates the source-desti-nation relation. The propagation of the routerequest (RREQ) and route reply (RREP) mes-sages is described in Fig. 2, where * denotes alocal broadcast and HMACKX(⋅) denotes HMACcode generated on node X.

At the destination, D can compute mSbecause information of pS is contained in pC. Ddynamically computes hC’s value according tothe explicit node list embedded in pC, then com-pares this hC to the one embedded in pC forforgery detection. At the RREP phase, there isno need to generate separate authenticationcode for every RREP packet. By trapdoor com-mitment, any forwarder X already committed theone-way function outputs mX = HMACKX(⋅) atthe RREQ phase; then at the RREP phase thecommitment mX → KX is fulfilled by revealingkey KX.

Distance Vector Routing — For distance vectorrouting protocols such as DSDV and AODV,the main challenge is that each intermediatenode has to advertise the routing metric correct-ly. For example, when hop count is used as therouting metric, each node has to increase thehop count by one exactly. A hop count hashchain [6, 15] is devised so that an intermediatenode cannot decrease the hop count in a routingupdate. Note that a hash chain for this purposedoes not need time synchronization, which isdifferent from one-way HMAC key chain forauthentication.

Assuming the maximum hop count of a validroute is n, a node generates a hash chain oflength n every time it initiates an RREP mes-sage,

� Figure 2. The sequence of secure routing message exchange in Ariadne.

S : pS = (RREQ,S,D), mS = HMACKSD(pS)S→* : (pS,mS)A : hA = H(A,mS), pA = (RREQ,S,D,[A],hA,[]), mA = HMACKA(pA)A→* : (pA,mA)B : hB = H(B,hA), pB = (RREQ,S,D,[A,B],hB,[mA]), mB = HMACKB(pB)B→* : (pB,mB)C : hC = H(C,hB), pC = (RREQ,S,D,[A,B,C],hC,[mA,mB]), mC = HMACKC(pC)C→* : (pC,mC)D : pD = (RREP,D,S,[A,B,C],[mA,mB,mC]), mD = HMACKDS(pD)D→C : (pD,mD,[])C→B : (pD,mD,[KC])B→A : (pD,mD,[KC,KB])A→S : (pD,mD,[KC,KB,KA])


h0,h1,h2 …, hn,

where hi = H(hi–1) and H(⋅) is a well-knownone-way hash function. The node then adds hx =h0 and hn into the routing message, withHop_Count set to 0. Note that hn andHop_Count are authenticated with an authenti-cator according to the adopted authenticationstrategy discussed at the beginning of this sec-tion.

When a node receives an RREQ or RREPpacket, it first checks whether

hn = Hn–Hop_Count(hx),

where Hm(h0) denotes the result of applying H(⋅)m times on hx.

Then the node sets

hx = H(hx).

Finally, the node increments the Hop_Countby 1, updates the authenticator, and forwardsthe route discovery packet.

This approach provides authentication for thelower bound of tbe hop count, but does not pre-vent a forwarder from advertising the same hopcount as the one from another forwarder. In [8],a more complicated mechanism called a hashtree chain is proposed to ensure a monotonicallyincreasing hop count as the routing update tra-verses the network. One general limitation ofthe above approaches is that they can only beused to protect discrete metrics. For continualmetrics that take noninteger values, the one-waychain is ineffective.

Link State Routing — Secure Link State Routing(SLSP) [16] is a link state routing protocol forad hoc networks. Its operations are similar toInternet link state routing protocols (e.g., OpenShortest Path First, OSPF): each node seeks tolearn and update its neighborhood by NeighborLookup Protocol (NLP) and periodically floodsLink State Update (LSU) packets to propagatelink state information. NLP is responsible for:• Maintaining mappings between MAC and IP

addresses of a node’s neighbors• Identifying potential discrepancies, such as the

use of multiple IP addresses on a single link• Measuring the control packet rates from each

neighborNeighbors use one-hop hello messages to discov-er each other, and connectivity is assumed to belost if a hello message is not received within atimeout.

A node collects LSUs from all over the net-work in order to construct the global topologyand calculate the route to any destination. Basedon NLP, one LSU packet is constructed for eachneighbor. Each LSU packet contains a sequencenumber and a hop count. Like DSR and AODV,duplicate LSU packets with previously seensequence numbers are suppressed. The hopcount determines the packet’s time to live sothat an LSU packet only travels within a zone, asin hybrid routing protocols like ZRP. An LSUreceiving node adds a link to its global topologyonly if two valid LSUs from both nodes of thelink are received. Thus, one malicious nodealone cannot inject false link information suc-cessfully.

SLSP adopts a digital signature approach inauthentication. NLP’s hello messages and LSUpackets are signed with the sender’s privatekey. Any verif ier can use the public keyvouched for by the sender’s valid certificate toverify a message’s veracity. A certificate canbe delivered to verifiers by either attachmentto an LSU packet or dedicated public key dis-tribution (PKD) packets. SLSP also employsvarious rate control mechanisms, such as timeto live and rate throttle, in its NLP/LSU/PKDcomponents. Thus, SLSP is less vulnerable toDoS attacks.

Other Routing Protocols — ARAN [7] ensures thateach node knows the correct next hop on a routeto the destination by public key cryptography.We illustrate the message exchange in ARANusing a simple example shown in Fig. 3. Eachmessage is signed, and the sender’s certificate isattached to prove the authenticity of its publickeys. A source S floods the network with asigned RREQ packet. Upon receiving the firstcopy of RREQ, a node sets up state of a reversepath, pointing to the node from which it receivesthe RREQ. It then signs and broadcasts thepacket. Upon receiving the RREQ, the destina-tion D signs an RREP and unicasts it back onthe reverse path. Each node along the reversepath signs the RREP and sends it to the nexthop, which verifies the signature of the previoushop, until S receives the RREP. Thus, the dis-covered path is the one along which the firstcopy of RREQ reaches D from S; each node onthis path knows the correct next hop, but not thewhole path. It does not use any metric such ashop count, so the discovered path may not beoptimal.

� Figure 3. The sequence of secure routing message exchange in ARAN.

Broadcast

[[REP,S,CERTd,Ns,t]Kd-]Kb-],CERTb

[[REP,S,CERTd,Ns,t]Kd-]Ka-],CERTa [[REP,S,CERTd,Ns,t]Kd-]Kc-],CERTc

[REP,S,CERTd,Ns,t]Kd-

[[RDP,D,CERTs,Ns,t]Ks-]Kc-],CERTc[[RDP,D,CERTs,Ns,t]Ks-]Ka-],CERTa

[[RDP,D,CERTs,Ns,t]Ks-]Kb-],CERTb[RDP,D,CERTs,Ns,t]Ks-

S

Unicast

C DA B

For distance vectorrouting protocols

such as DSDV andAODV, the mainchallenge is that

each intermediatenode has to

advertise the routingmetric correctly. Forexample, when hopcount is used as therouting metric, each

node has to increasethe hop count by

one exactly.


Reference [17] proposes to flood both routerequests and route replies in order to defendagainst Byzantine failures. When a source Sneeds a route to a destination D, it signs andfloods an RREQ throughout the network, asshown in Fig. 4. When D receives the first copyof the request, it signs and floods an RREP thatcarries a route list so each intermediate hop canappend its identifier. When a node receives thereply, it computes the total cost of the path ascontained in the route list of RREP. If the costis smaller than that of any previously receivedRREP, it verifies the packet, appends its ownidentifier to the route list, signs the packet, andbroadcasts it. Finally, when S receives a reply, itcan verify that it is from D and each hop in theroute list is signed properly. Different fromARAN where only one possibly nonoptimal pathis discovered, here S may receive multiple repliesfor different routes. Each route contains the fulllist of intermediate nodes and has a total cost. Scan choose the one with minimum cost or small-est hop count for real data delivery.

SECURE PACKET FORWARDINGThe protection of routing message exchange isonly part of the network-layer security solutionfor MANET. It is possible for a malicious nodeto correctly participate in the route discoveryphase but fail to correctly forward data packets.The security solution should ensure that eachnode indeed forwards packets according to itsrouting table. This is typically achieved by thereactive approach because attacks on packet for-warding cannot be prevented: an attacker maysimply drop all packets passing through it, eventhough the packets are carefully signed. At theheart of the reactive solutions are a detectiontechnique and a reaction scheme, which aredescribed as follows.

Detection — Because the wireless channel is open,each node can perform localized detection byoverhearing ongoing transmissions and evaluat-ing the behavior of its neighbors. However, itsaccuracy is limited by a number of factors suchas channel error, interference, and mobility. Amalicious node may also abuse the security solu-tion and intentionally accuse legitimate nodes.In order to address such issues, the detectionresults at individual nodes can be integrated andrefined in a distributed manner to achieve con-sensus among a group of nodes. An alternativedetection approach relies on explicit acknowl-edgment from the destination and/or intermedi-ate nodes to the source so that the source canfigure out where the packet was dropped.

Localized detection. Reference [18] proposeswatchdog to monitor packet forwarding on top ofsource routing protocols like DSR. It assumessymmetric bidirectional connectivity: if A canhear B, B can also hear A. Since the whole pathis specified, when node A forwards a packet tothe next hop B, it knows B’s next hop C. It thenoverhears the channel for B’s transmission to C.If it does not hear the transmission after a time-out, a failure tally associated with B is increased.If the tally exceeds a threshold bandwidth, Asends a report packet to the source notifying B’smisbehavior.

Reference [19] follows the same concept butworks with distance vector protocols such asADOV. It adds a next_hop field in AODV pack-ets so that a node can be aware of the correctnext hop of its neighbors. It also considers moretypes of attacks, such as packet modification,packet duplication, and packet jamming DoSattacks. Each independent detection result issigned and flooded; multiple such results fromdifferent nodes can collectively revoke a mali-cious node of its certificate, thus excluding itfrom the network.

ACK-based detection. The fault detectionmechanism proposed in [17] is based on explicitacknowledgments. The destination sends backACKs to the source for each successfullyreceived packet. The source can initiate a faultdetection process on a suspicious path that hasrecently dropped more packets than an accept-able threshold. It performs a binary searchbetween itself and the destination, and sends outdata packets piggybacked with a list of interme-diate nodes, also called probes, which shouldsend back acknowledgments. The source sharesa key with each probe, and the probe list is“onion” encrypted. Upon receiving the packet,each probe sends back an ACK, which is encrypt-ed with the key shared with the source. Thesource in turn verifies the encrypted ACKs andattributes the fault to the node closest to thedestination that sends back an ACK.

Reaction — Once a malicious node is detected,certain actions are triggered to protect the net-work from future attacks launched by this node.The reaction component typically is related tothe prevention component in the overall securitysystem. For example, the malicious node mayhave its certificate revoked, or be chosen withsmaller probability in future forwarding paths.Based on their scope, the reaction schemes canbe categorized as global reaction and end-hostreaction. In the former scheme, all nodes in thenetwork react to a malicious node as a whole. In

� Figure 4. The sequence of secure routing message exchange in a Byzantine-resilient routing protocol.

Broadcast

[[[[S,D,seq]Kd-,C]Kc-,B]Kb-,A]Ka- [[[S,D,seq]Kd-,C]Kc-,B]Kb- [[S,D,seq]Kd-J,C]Kc- [S,D,seq]Kd-

[S,D,seq]Ks- [S,D,seq]Ks- [S,D,seq]Ks- [S,D,seq]Ks-

S C DA B

A malicious node ispossible to correctlyparticipate in theroute discoveryphase but fails tocorrectly forwarddata packets. Thesecurity solutionshould ensure thateach node indeedforwards packetsaccording to itsrouting table.


other words, the malicious node is excludedfrom the network. On the other hand, in theend-host reaction scheme, each node may makeits own decision on how to react to a maliciousnode (e.g., putting this node in its own blacklistor adjusting the confidentiality weight of thisnode).

Global reaction. The reaction scheme in [19]falls into the global reaction category. It is basedon the URSA certification framework [20]. Oncemultiple nodes in a local neighborhood havereached consensus that one of their neighbors ismalicious, they collectively revoke the certificateof the malicious node. Consequently, the mali-cious node is isolated in the network as it cannotparticipate in the routing or packet forwardingoperations in the future.

End-host reaction . The pathrater in [18]allows each node to maintain its own rating forevery other node it knows about. A node slow-ly increases the rating of well-behaved nodesover time, but dramatically decreases the ratingof a malicious node that is detected by itswatchdog. Based on the rating, the sourcealways selects the path with the highest averagerating. Clearly each node may have a differentopinion about whether another node is mali-cious, and each has its independent reactionaccordingly. Reference [17] extends this ideawith security protection of the routing mes-sages, as discussed earlier.

LINK-LAYER SECURITYLink-layer security solutions protect the one-hopconnectivity between two direct neighbors thatare within the communication range of eachother through secure MAC protocols. We use802.11, the de facto standard MAC protocol forMANETs, to illustrate the link-layer securityissues.

IEEE 802.11 MAC — The vulnerability of theIEEE 802.11 MAC to DoS attacks was recentlyidentified. The attacker may exploit its binaryexponential backoff scheme to launch DoSattacks [10, 11]. Reference [10] uses simula-tions to show that implementing a fair MACprotocol is a necessary but insufficient tech-nique to solve the problem. A more robustMAC protocol with fairness guarantees isrequired to secure the MANET link-layer oper-ations. Recently a security extension to 802.11was also proposed in [11]. It follows the reac-tive approach and seeks to detect and handlesuch MAC-layer misbehaviors. The original802.11 backoff scheme is slightly modified inthat the backoff timer at the sender is providedby the receiver instead of setting an arbitrarytimer value on its own. When a malicious nodeselects a small backoff value or does not backoff at all, the receiver can detect such misbe-haviors by checking the deviation between theactual transmission schedule and the expectedschedule. The receiver then reacts by penaliz-ing the misbehaving node and assigning largerbackoff values to it.

The NAV field carried in the RTS/CTSframes exposes another vulnerability to DoSattacks [21]. Since the attacker in the localneighborhood is aware of the duration of the

ongoing transmission, it may transmit a fewbits within this period to incur bit errors in avictim’s link-layer frame via wireless interfer-ence. Because the attacker can disrupt a legiti-mate frame of thousands or even tens ofthousands of bits with little effort, the powerconsumption battle favors the adversary siderather than the legitimate node side. To thebest of our knowledge, it remains unclear howto defeat such resource consumption DoSattacks in MANETs.

IEEE 802.11 WEP — It is well known that the IEEE802.11WEP protocol [3] is vulnerable to attacksof two categories:• Message privacy and message integrity attacks

[2]. These attacks are based on various mech-anisms such as short IV, linear cyclic redun-dancy check (CRC)-32 checksum, and keystream recovery by known plaintext attacks.

• Probabilistic cipher key recovery attacks suchas the Fluhrer-Mantin-Shamir attack [22].These attacks are based on the fact that theinitial output in the RC4 key stream is dispro-portionally affected by a small number of keybits, particularly the prefix and postfix parts ofthe key [23].Fortunately, the recently proposed 802.11i/

WPA [24] has mended all obvious loopholes inWEP. Future countermeasures such as RSN/AES-CCMP [24] are also being developed toimprove the strength of wireless security. We donot provide more details here because thesecryptographic problems are not unique to ad hocnetworks, and have been extensively studied inthe context of wireless LANs.

OPEN CHALLENGES

The research on MANET security is still in itsearly stage. The existing proposals are typicallyattack-oriented in that they first identify severalsecurity threats and then enhance the existingprotocol or propose a new protocol to thwartsuch threats. Because the solutions are designedexplicitly with certain attack models in mind,they work well in the presence of designatedattacks but may collapse under unanticipatedattacks. Therefore, a more ambitious goal forad hoc network security is to develop a multi-fence security solution that is embedded intopossibly every component in the network,resulting in in-depth protection that offers mul-tiple lines of defense against many both knownand unknown security threats. This new designperspective is what we call resiliency-orientedsecurity design.

We envision the resiliency-oriented securitysolution as possessing several features. First, thesolution seeks to attack a bigger problem space.It attempts not only to thwart malicious attacks,but also to cope with other network faults dueto node misconfiguration, extreme networkoverload, or operational failures. In some sense,all such faults, whether incurred by attacks ormisconfigurations, share some common symp-toms from both the network and end-user per-spectives, and should be handled by the system.Second, resiliency-oriented design takes aparadigm shift from conventional intrusion pre-

The research onMANET security is

still in its earlystage. The existing

proposals are typicallyattack-oriented in

that they firstidentify several

security threats andthen enhance the

existing protocol orpropose a new

protocol to thwartsuch threats.


vention to intrusion tolerance. In a sense, cer-tain degrees of intrusions or compromised/cap-tured nodes are the reality to face, not theproblem to get rid of, in MANET security. Theoverall system has to be robust against thebreakdown of any individual fence, and its per-formance does not critically depend on a singlefence. Even though attackers intrude through anindividual fence, the system still functions, butpossibly with graceful performance degradation.Third, as far as the solution space is concerned,cryptography-based techniques just offer a sub-set of toolkits in a resiliency-oriented design.The solution also uses other noncrypto-basedschemes to ensure resiliency. For example, itmay piggyback more “protocol invariant” infor-mation in the protocol messages, so that allnodes participating in the message exchangescan verify such information. The system mayalso exploit the rich connectivity of the networktopology to detect inconsistency of the protocoloperations. In many cases, routing messages aretypically propagated through multiple paths andredundant copies of such messages can be usedby downstream nodes. Fourth, the solutionshould be able to handle unexpected faults tosome extent. One possible approach worthexploring is to strengthen the correct operationmode of the network by enhancing more redun-dancy at the protocol and system levels. At eachstep of the protocol operation, the design makessure what it has done is completely along theright track. Anything deviating from valid oper-ations is treated with caution. Whenever aninconsistent operation is detected, the systemcan raise a suspicion flag and query the identi-fied source for further verification. This way,the protocol tells right from wrong because itknows right with higher confidence, not neces-sarily knowing what is exactly wrong. The designstrengthens the correct operations and may han-dle even unanticipated threats in runtime opera-tions. Next, the solution may also take acollaborative security approach, which relies onmultiple nodes in a MANET to provide anysecurity primitives. Therefore, no single node isfully trusted. Instead, only a group of nodes willbe trusted collectively. The group of nodes canbe nodes in a local network neighborhood or allnodes along the forwarding path. Finally, thesolution relies on multiple fences, spanning dif-ferent devices, different layers in the protocolstack, and different solution techniques, toguard the entire system. Each fence has allfunctional elements of prevention, detection/ver-ification, and reaction.

The above mentioned resiliency-orientedMANET security solution poses grand yet excit-ing research challenges. How to build an effi-cient fence that accommodates each device’sresource constraint poses an interesting chal-lenge. Device heterogeneity is one importantconcern that has been largely neglected in thecurrent security design process. However, mul-tifence security protection is deployed through-out the network, and each individual fenceadopted by a single node may have differentsecurity strength due to its resource constraints.A node has to properly select security mecha-nisms that fit well into its own available

resources, deployment cost, and other complex-ity concerns. The security solution should notstipulate the minimum requirement a compo-nent must have. Instead, it expects best effortfrom each component. The more powerful acomponent is, the higher degree of security orresiliency it has. Next, identifying the systemprinciples of how to build such a new-genera-tion of network protocols remains unexplored.The state-of-the-art network protocols are alldesigned for functionality only. The protocolspecification fundamentally assumes a fullytrusted and well-behaved network setting for allmessage exchanges and protocol operations. Itdoes not anticipate any faulty signals or ill-behaved nodes. We need to identify new princi-ples to build the next-generation networkprotocols that are resilient to faults. There onlyexist a few piecemeal individual efforts. Finally,evaluating the multifence security design alsooffers new research opportunities. The effec-tiveness of each fence and the minimal numberof fences the system has to possess to ensuresome degree of security assurances should beevaluated through a combination of analysis,simulations, and measurements in principle.However, it is recognized that the current eval-uation for state-of-the-art wireless security solu-tions is quite ad hoc. The community still lackseffective analytical tools, particularly in a large-scale wireless network setting. The multidimen-sional trade-offs among security strength,communication overhead, computation com-plexity, energy consumption, and scalability stillremain largely unexplored. Developing effectiveevaluation methodology and toolkits will proba-bly need interdisciplinary efforts from researchcommunities working in wireless networking,mobile systems, and cryptography.

REFERENCES[1] C. Perkins and E Royer, “Ad Hoc On-Demand Distance

Vector Routing,” 2nd IEEE Wksp. Mobile Comp. Sys.and Apps., 1999.

[2] D. Johnson and D. Maltz, “Dynamic Source Routing inAd Hoc Wireless Networks,” Mobile Computing, T.Imielinski and H. Korth, Ed., Kluwer, 1996.

[3] IEEE Std. 802.11, “Wireless LAN Medium Access Control(MAC) and Physical Layer (PHY) Specifications,” 1997.

[4] B. Schneier, Secret and Lies, Digital Security in a Net-worked World, Wiley, 2000.

[5] Y. Hu, A. Perrig, and D. Johnson, “Ariadne: A SecureOn-demand Routing Protocol for Ad Hoc Networks,“ACM MOBICOM, 2002.

[6] M. Zapata, and N. Asokan, “Securing Ad Hoc RoutingProtocols,” ACM WiSe, 2002.

[7] B. Dahill et al., “A Secure Protocol for Ad Hoc Net-works,“ IEEE ICNP, 2002.

[8] Y. Hu, A. Perrig, and D. Johnson, “Packet Leashes: ADefense against Wormhole Attacks in Wireless Net-works,” IEEE INFOCOM, 2002.

[9] N. Borisov, I. Goldberg, and D. Wagner, “InterceptingMobile Communications: The Insecurity of 802.11,”ACM MOBICOM, 2001.

[10] V. Gupta, S. Krishnamurthy, and M. Faloutsos, “Denialof Service Attacks at the MAC Layer in Wireless Ad HocNetworks,” IEEE MILCOM, 2002.

[11] P. Kyasanur, and N. Vaidya, “Detection and Handling ofMAC Layer Misbehavior in Wireless Networks,” DCC, 2003.

[12] C. Perkins, and P. Bhagwat, “Highly Dynamic Destina-tion-Sequenced Distance-Vector Routing (DSDV) forMobile Computers,” ACM SIGCOMM, 1994.

[13] P. Papadimitratos, and Z. Haas, “Secure Routing forMobile Ad Hoc Networks,” CNDS, 2002.

[14] A. Perrig et al., “The TESLA Broadcast Authentication Pro-tocol,“ RSA CryptoBytes, vol. 5, no. 2, 2002, pp. 2–13.

The solution relies onmultiple fences,spanning differentdevices, differentlayers in the protocolstack, and differentsolution techniques,to guard the entiresystem. Each fencehas all functionalelements ofprevention, detection/verification, andreaction.


[15] Y. Hu, D. Johnson, and A. Perrig, “Sead: Secure Effi-cient Distance Vector Routing for Mobile Wireless AdHoc Networks,” IEEE WMCSA, 2002.

[16] P. Papadimitratos and Z. Haas, “Secure Link StateRouting for Mobile Ad Hoc Networks,” IEEE Wksp.Security and Assurance in Ad Hoc Networks, 2003.

[17] B. Awerbuch et al., “An On-Demand Secure Routing Pro-tocol Resilient to Byzantine Failures,” ACM WiSe, 2002.

[18] S. Marti et al., “Mitigating Routing Misbehavior inMobile Ad Hoc Networks,” ACM MOBICOM, 2000.

[19] H. Yang, X. Meng, and S. Lu, “Self-Organized Network LayerSecurity in Mobile Ad Hoc Networks,” ACM WiSe, 2002.

[20] J. Kong et al., “Providing Robust and Ubiquitous SecuritySupport for Mobile Ad-Hoc Networks,” IEEE ICNP, 2001.

[21] G. Noubir and G. Lin, “Low-Power DoS Attacks in DataWireless LANs and Countermeasures,” ACM MobiHoc,Poster Session, 2003.

[22] A. Stubblefield, J. Ioannidis, and A. Rubin, “Using theFluhrer, Mantin, and Shamir Attack to Break WEP,”NDSS, 2002.

[23] S. Fluhrer, I. Mantin, and A. Shamir, “Weakness in theKey Scheduling Algorithm of RC4,” 8th Annual Wksp.Sel. Areas in Cryptography, 2001.

[24] IEEE Std. 802.11i/D30, “Wireless Medium Access Con-trol (MAC) and Physical Layer (PHY) Specifications:Specification for Enhanced Security,” 2002.

ADDITIONAL READING[1] J. Hubaux, L. Buttyan, and S. Capkun, “The Quest for Secu-

rity in Mobile Ad Hoc Networks,” ACM MobiHoc, 2001.

BIOGRAPHIESHAO YANG ([email protected]) received his B.S. degreefrom the University of Science and Technology of China in

1998 and his M.S. degree from the Chinese Academy ofSciences in 2001. Since then he has been pursuing hisPh.D. degree in the Computer Science Department at theUniversity of California at Los Angeles (UCLA). His researchinterests include wireless networking, network security, anddistributed systems.

HAIYUN LUO ([email protected]) received his B.S. degreefrom the University of Science and Technology of China in1998 and his M.S. degree from UCLA in computer sciencein 2000. He is currently a Ph.D. candidate in the UCLAComputer Science Department. His research interestsinclude wireless networking and mobile computing, securi-ty, and large-scale distributed systems.

FAN YE ([email protected]) is currently a Ph.D. candidate inthe UCLA Computer Science Department. His researchinterests include wireless sensor networks, wireless networksecurity, and computer networks.

SONGWU LU ([email protected]) is currently an assistant pro-fessor in the UCLA Computer Science Department. Hereceived both his M.S. and Ph.D. degrees from the Univer-sity of Illinois at Urbana-Champaign. He received an NSFCAREER award in 2001. His research interests include wire-less networking, mobile systems, sensor networks, andwireless network security.

LIXIA ZHANG ([email protected]) is currently a professor inthe UCLA Computer Science Department. She received herPh.D. degree from Massachusettes Institute of Technolo-gy. Her research interests include architecture and proto-cols for large-scale and high-speed networks, protocoldesign, implementation and analysis, and wireless sensornetworks.

Developingeffective evaluation

methodology andtoolkits will probablyneed interdisciplinaryefforts from researchcommunities working

in wirelessnetworking, mobile

systems, andcryptography.

security in mobile ad hoc networks: challenges and solutions

Documents