Towards provable security for ad hoc routing protocols
Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks - SASN '04
We propose a formal framework for the security analysis of on-demand source routing protocols for wireless ad hoc networks. Our approach is based on the well-known simulation paradigm that has been proposed to prove the security of cryptographic protocols. Our main contribution is the application of the simulation approach in the context of ad hoc routing. This involves a precise definition of a real-world model, which describes the real operation of the protocol, and an ideal-world model,
... l-world model, which captures what the protocol wants to achieve in terms of security. Both models take into account the peculiarities of wireless communications and ad hoc routing. Then, we give a formal definition of routing security in terms of indistinguishability of the two models from the point of view of honest parties. We demonstrate the usefulness of our approach by analyzing two "secure" ad hoc routing protocols, SRP and Ariadne. This analysis leads to the discovery of as yet unknown attacks against both protocols. Finally, we propose an ad hoc routing protocol that can be proven secure in our model. * Technical Report. Available on-line at http://eprint.iacr.org/ under report number 2004/159. Deviations from the standard simulation approach Now, we overview the main differences between our model and the models proposed so far for the analysis of cryptographic protocols in the context of the simulation approach. Communication model. One main difference lies in the underlying network model. As we mentioned above, most of the models proposed so far assume that the protocol participants communicate via the Internet (or some similar asynchronous network). Such a network is easily modelled as a single buffer, in which participants place messages, and from which these messages are eventually delivered to their intended recipients. This may be a good model for ad hoc networks if we want to abstract away the multi-hop nature of communications. However, routing protocols are inherently related to the multi-hop operation of the network, and hence, we cannot abstract this away. As a consequence, a single buffer is not an appropriate network model for wireless ad hoc networks. The peculiarities of wireless networks that we have to deal with include the broadcast nature of radio communications, which allows a party to overhear the transmission of a message that was not destined to him. On the other hand, a radio transmission can be received only in a certain range around the sender. The size of this range mainly depends on the power at which the sender sent the message. For practical reasons, the nodes in an ad hoc network should usually limit their transmission power, which means that messages are received only in a limited neighborhood of their senders. In fact, this is why the communication must be multi-hop in wireless ad hoc networks. Adversary model. In the models that are based on the Internet assumption, the adversary has the power to control the network buffer. In particular, the adversary can read all messages, it can modify messages before delivering them, and it can delete messages from or place fake messages in the buffer. This is an appropriate model, because in Internet-like networks, having access to some special network elements, such as routers, allows the adversary to have this level of control. On the other hand, in wireless ad hoc networks, an adversary can have a similar level of control over the communications only if it is physically present everywhere. In many applications, this is considered to be very costly, and hence, unrealistic. Therefore, in line with other related papers (e.g., ), we assume that the adversary has communication capabilities comparable to those of an average node in the ad hoc network. In our model, the network is represented by a graph, where the vertices are the network nodes (including those controlled by the adversary) and there is an edge between two vertices if the corresponding nodes can hear each other's transmission. Just like any other node, an adversarial node can hear only those messages that were transmitted by a neighboring node in the graph. Similarly, the transmission of an adversarial node is heard only by its neighbors in the graph. Model of computation. In the models that are based on the Internet assumption, usually the adversary schedules the activities of the honest parties. This is a good model, because many protocols are message driven, meaning that a party becomes active only if it receives some messages. Then, the messages are processed, some output messages are generated, and the party goes back to sleep and starts waiting for new input messages. Hence, by controlling the network and deciding which messages are delivered and when, essentially, the adversary schedules the activities of the honest parties.