Multicast streams are the dominant application traffic pattern in many mission critical ad-hoc networks. The limited computation and communication resources, the large scale deployment and the unguaranteed connectivity to trusted authorities make known security solutions for wired and single-hop wireless networks inappropriate for such application environments. This paper promotes a novel Tiered Authentication scheme for Multicast traffic (TAM) for large scale dense ad-hoc networks. Nodes are grouped into clusters. Multicast traffic within the same cluster employs one-way chains in order to authenticate the message source. Cross-cluster multicast traffic includes message authentication codes (MACs) that are based on a set of keys. Each cluster uses a unique subset of keys to look for its distinct combination of valid MACs in the message in order to authenticate the source. TAM combines the advantages of the secret information asymmetry and the time asymmetry paradigms and exploits network clustering to reduce overhead and ensure scalability. The numerical and analytical results demonstrate the performance advantage of TAM in terms of bandwidth overhead and delivery delay.
Index Terms: Multicast communications, message authentication, ad-hoc networks.
An ad-hoc network is a wireless network formed by wireless nodes without any help of infrastructure. In such a network, the nodes are mobile and can communicate dynamically in an arbitrary manner. The network is characterized by the absence of central administration devices such as base stations or access points. Furthermore, nodes should be able to enter or leave the network easily. In these networks, the nodes act as routers. They play an important role in the discovery and maintenance of the routes from the source to the destination or from one node to another. This is the principal challenge for such a network. If link breakages occur, the network has to stay operational by building new routes. The main technique used is multi-hopping, which increases the overall network capacity and performance. By using multi-hopping, one node can deliver data on behalf of another to a given destination. Thus, the problem of radio range is solved. An ad-hoc network represents a system of wireless nodes that can self-organize freely and dynamically into arbitrary and temporary network topologies. On one hand, they can be quickly deployed anywhere at any time as they eliminate the complexity of infrastructure setup. On the other hand, other problems arise, such as route errors or higher overhead, caused by the mobility of nodes. In order to avoid design bugs or problems, it is necessary to analyze the designed protocols formally before they are deployed or applied. Considering the particularities of ad-hoc networks, the security properties are different from traditional ones such as secrecy and authenticity. Formal analysis methods have been used for many years for cryptographic protocols; however, there are no mature theories and methods for ad-hoc networks. The results obtained from the investigation may consist of various types of data such as numerical data, photographs, sounds, and videos.
In this case, although it is useful to have the data that other members obtained, it seems difficult for a mobile host to have replicas of all the data. An ad-hoc network consists of mobile platforms (e.g., a router with multiple hosts and wireless communications devices) herein simply referred to as "nodes" which are free to move about arbitrarily. The nodes may be located in or on airplanes, ships, trucks, cars, perhaps even on people or very small devices, and there may be multiple hosts per router.
An ad-hoc network is an autonomous system of nodes. The system may operate in isolation, or may have gateways to and interface with a fixed network. In the latter operational mode, it is typically envisioned to operate as a "stub" network connecting to a fixed internetwork. Stub networks carry traffic originating at and/or destined for internal nodes, but do not permit exogenous traffic to "transit" through the stub network. Nodes are equipped with wireless transmitters and receivers using antennas which may be omnidirectional (broadcast), highly directional (point-to-point), possibly steerable, or some combination thereof. At a given point in time, depending on the nodes' positions and their transmitter and receiver coverage patterns, transmission power levels and co-channel interference levels, a wireless connectivity in the form of a random, multihop graph or "ad hoc" network exists between the nodes. This ad hoc topology may change with time as the nodes move or adjust their transmission and reception parameters. There are a number of possible application areas for ad-hoc networks. These can range from simple civil and commercial applications to complicated high risk emergency services and battlefield operations. Below are some significant examples including civil, emergency and military domains.
The control packets consume the limited bandwidth and can also cause collisions with data packets, especially when the network is scaled in terms of number of nodes. Therefore, an efficient routing protocol that can cope with high network density while using a small number of routing control packets is highly desirable. The physical addressing implemented by the data link layer handles the addressing problem locally. If a packet passes the network boundary, then another addressing system is needed to help distinguish the source and destination systems. The network layer adds a header to the packet coming from the upper layer that, among other things, includes the logical addresses of the sender and receiver. When independent networks or links are connected to create internetworks (networks of networks) or a large network, the connecting devices (called routers or switches) route or switch the packets to their final destination. One of the functions of the network layer is to provide this mechanism.
The main objectives of transport layer protocols include setting up and maintaining end-to-end connections, reliable end-to-end delivery of data packets, flow control, and congestion control. The two most important protocols in the transport layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP provides reliable, in-order delivery of a stream of bytes, making it suitable for applications like file transfer and email. The protocol is optimized for reliability of delivery rather than timely delivery. As a consequence, TCP can sometimes incur significant delays while waiting for out-of-order packets (usually called segments) or retransmissions of lost segments, and it is not particularly suitable for real time applications such as voice over IP (VoIP). UDP allows communicating nodes to exchange short messages, also known as datagrams. The protocol does not guarantee delivery reliability and ordering of datagrams in the way that TCP does.
Datagrams may arrive out of order, be duplicated or go missing without notice. Avoiding the overhead of checking whether every packet actually arrives makes UDP faster and more efficient, at least for applications that do not require guaranteed delivery, such as broadcasting, video streaming and VoIP.
Initially, when a TCP connection is initiated between source and destination, TCP enters a slow-start phase. In this phase, the congestion window (i.e. the number of segments transmitted per acknowledgment received) is increased for every received acknowledgment (ACK).
The window size is increased by the number of segments acknowledged. This behaviour effectively doubles the window size each round trip time. Therefore, there is an exponential increase in the congestion window. This happens until either an ACK is not received for some segments or a predetermined threshold value is reached. Once the threshold is reached, the window size increases by one for every round-trip time. This phase is known as the congestion avoidance phase, where progression of window size is linear. The increase continues until a loss is perceived. On detecting a loss, the source node infers congestion and invokes the congestion control algorithm by reducing the window size. Using the congestion control mechanism, TCP has been shown to perform well in wired networks. In wireless networks, e.g. MANETs, TCP is faced with performance degradation due to its inability to differentiate packet loss due to congestion from the loss due to frequent route breaks, the presence of stale routing information, a high channel error rate and frequent network partitions.
The term unicast is contrasted with the term broadcast, which means transmitting the same data to all possible destinations. Another multi-destination distribution method, multicast, sends data only to interested destinations by using special address assignments. Unicast messaging is used for all network processes in which a private or unique resource is requested. Certain network applications which are mass-distributed are too costly to be conducted with unicast transmission since each network connection consumes computing resources on the sending host and requires its own separate network bandwidth for transmission. Such applications include streaming media of many forms. Internet radio stations using unicast connections may have high bandwidth costs. These terms are also used by streaming content providers' services. Unicast based media servers open and provide a stream for each unique user.
Multicast-based servers can support a larger audience by serving content simultaneously to multiple users.
In computer networking, broadcasting refers to transmitting a packet that will be received by every device on the network. In practice, the scope of the broadcast is limited to a broadcast domain. This is in contrast to unicast addressing, in which a host sends datagrams to another single host identified by a unique IP address. Not all network technologies support broadcast addressing; for example, neither X.25 nor frame relay have broadcast capability, nor is there any form of Internet-wide broadcast. Broadcasting is largely confined to local area network (LAN) technologies, most notably Ethernet and token ring, where the performance impact of broadcasting is not as large as it would be in a wide area network. The successor to Internet Protocol version 4 (IPv4), IPv6, also does not implement the broadcast method, so as to prevent disturbing all nodes in a network when only a few may be interested in a particular service. Instead it relies on multicast addressing, a conceptually similar one-to-many routing methodology. However, multicasting limits the pool of receivers to those that join a specific multicast receiver group. Both Ethernet and IPv4 use an all-ones broadcast address to indicate a broadcast packet. Token Ring uses a special value in the IEEE 802.2 control field. Broadcasting may be abused to perform a DoS attack.
The attacker sends a fake ping request with the source IP address of the victim computer. The victim computer is flooded by the replies from all computers in the domain.
In computer networking, multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source. Copies are automatically created in other network elements, such as routers, but only when the topology of the network requires it. Multicast is most commonly implemented in IP multicast, which is often employed in Internet Protocol (IP) applications of streaming media and Internet television. In IP multicast the implementation of the multicast concept occurs at the IP routing level, where routers create optimal distribution paths for datagrams sent to a multicast destination address. At the data link layer, multicast describes one-to-many distribution such as Ethernet multicast addressing and Asynchronous Transfer Mode (ATM) point-to-multipoint virtual circuits (P2MP).
Cluster analysis or clustering is the task of assigning a set of objects into groups (called clusters) so that the objects in the same cluster are more similar (in some sense or another) to each other than to those in other clusters. In each cluster, one (or multiple) node is selected as gateway that is responsible for handling all traffic to or from the nodes in this cluster. If a node wants to communicate with another node in a different cluster, it first needs to send data to the gateway. Inter-cluster communication depends on the interconnection structure to connect different clusters. If an infrastructure network is applied as the interconnection structure, IPsec could be used to provide security using tunnel, authentication and encryption mechanisms. If the interconnection structure is an ad hoc network, more security problems will appear; for example, intermediate nodes could drop packets or modify routing information to launch a variety of attacks.
2. Related Work
Ad-hoc networks are becoming an effective tool for many mission critical applications such as troop coordination in a combat field, situational awareness, etc. These applications are characterized by the hostile environment and by the multicast style of communication traffic. Therefore, authenticating the source and ensuring the integrity of the message traffic become a fundamental requirement for the operation and management of the network. However, the limited computation and communication resources, the large scale deployment and the unguaranteed connectivity to trusted authorities make known solutions for wired and single-hop wireless networks inappropriate. This paper presents a new Tiered Authentication scheme for Multicast traffic (TAM) for large scale dense ad-hoc networks. TAM combines the advantages of the time asymmetry and the secret information asymmetry paradigms and exploits network clustering to reduce overhead and ensure scalability. Multicast traffic within a cluster employs a one-way hash function chain in order to authenticate the message source. Cross-cluster multicast traffic includes message authentication codes (MACs) that are based on a set of keys. Each cluster uses a unique subset of keys to look for its distinct combination of valid MACs in the message in order to authenticate the source.
The paper proposed a distributed hierarchical key management scheme in which nodes can get their keys updated either from their parent nodes or a threshold of sibling nodes. The dynamic node selection process is formulated as a stochastic problem and the proposed scheme can select the best nodes to be used as PKGs from all available ones considering their security conditions and energy states. This scheme is used to improve the network security and maximizing network problem. The key update process of the proposed scheme decreases the complexity. The key update process can be divided into offline and online components. Node properties are used to select the best node.
The paper proposed two efficient schemes, TESLA and EMSS, for secure lossy multicast streams. TESLA, short for Time Efficient Stream Loss-tolerant Authentication, offers sender authentication, strong loss robustness, high scalability, and minimal overhead, at the cost of loose initial time synchronization and slightly delayed authentication. EMSS, short for Efficient Multi-chained Stream Signature, provides non-repudiation of origin, high loss resistance, and low overhead, at the cost of slightly delayed verification. The sender and receiver agree on a secret key which is used in conjunction with a message authentication code (MAC) to ensure authenticity of each packet.
Clustering has been found to be an effective means of resource management for MANETs regarding network performance, routing protocol design, Quality of Service (QoS) and network modeling, though it has yet to be refined to satisfy all the issues that might be faced by choosing this approach. Scalability is of particular interest to ad hoc network designers and users and is an issue with critical influence on capability and capacity. Where topologies include large numbers of nodes, routing packets will demand a large percentage of the limited wireless bandwidth, and this is exacerbated by the mobility feature, often resulting in a high frequency of failure regarding wireless links. The paper presents a comprehensive survey and classification of recently published clustering algorithms, which it classifies based on their objectives. It surveys different clustering algorithms for MANETs, highlighting the definition of clustering, the design goals of clustering algorithms, the advantages of clustering for ad hoc networks, and the challenges facing clustering including cost issues, and it classifies clustering algorithms and discusses the objectives and features of various clustering schemes presented in the related literature.
Unlike wireline networks, the unique characteristics of mobile ad hoc networks pose a number of nontrivial challenges to security design, such as open peer-to-peer network architecture, shared wireless medium, stringent resource constraints, and highly dynamic network topology. The paper focuses on the problem of protecting the multihop network connectivity between mobile nodes in a MANET. It identifies the security issues related to this problem, discusses the challenges to security design, and reviews proposals that protect the MANET link-layer and network-layer operations of delivering packets over the multihop wireless channel.
Design of a suitable routing protocol is difficult for mobile ad hoc networks due to their inherent dynamism and frequent topology change. Multicasting is even more complex because it requires transmission of information to various destinations at approximately the same time, if possible. Active research work in this field has resulted in a variety of proposals based on tree or mesh structures. This paper presents a state-of-the-art overview of multicast routing protocols for ad hoc networks.
Detecting and preventing viruses, worms, malicious codes and application abuses
Authenticating and securing end-to-end communications
Protecting the ad-hoc routing and forwarding protocols
Protecting the wireless MAC protocol and providing link-layer security support
Preventing signal jamming denial-of-service attacks
Table 2.1 Security Issues in Network layers
Security in wireless ad hoc networks is hard to achieve due to the vulnerability of its links, limited physical protection, and the absence of a centralized management point. Consequently, novel approaches are necessary to address the security problem without sacrificing the essential properties of the wireless ad hoc network. Similar to other distributed systems, security in wireless ad hoc networks usually relies on the use of key management mechanisms. The paper presents a distributed public key authentication service to protect a network containing malicious and colluding nodes. Its models allow mobile hosts to monitor and rate each other with an authentication metric. The paper proposes a new system of public key certification in conjunction with a trust value update algorithm. The authentication service is able to discover and isolate malicious and colluding nodes in the network. Finally, the paper performs a security evaluation of the proposed solution, simulating a network containing malicious nodes and measuring a number of metrics with various security operations to demonstrate the effectiveness of the scheme.
3.1. SYSTEM MODEL
An ad-hoc network is a collection of autonomous nodes that together set up a topology without the support of a physical networking infrastructure. Depending on the applications, an ad-hoc network may include up to a few hundred or even a thousand nodes. Communications among nodes are via multihop routes using omnidirectional wireless broadcasts with limited transmission range. In the system model considered in this paper, nodes are grouped into clusters. The cluster formation can be based on location and radio connectivity. It is assumed that clusters are established securely by using pre-distributed public keys, employing a robust trust model or applying identity based asymmetric key-pair cryptographic methods, and that a proper key management protocol is followed in order to perform reclustering when needed. Clustering is a popular architectural mechanism for enabling scalability of network management functions. It has been shown that clustered network topologies better support routing of multicast traffic and that the performance gain dominates the overhead of creating and maintaining the clusters. Each cluster is controlled by a cluster-head, which is reachable to all nodes in its cluster, either directly or over multi-hop paths. Figure 3.1 shows an articulation of an example clustered network. Nodes that have links to peers in other clusters would serve as gateways. The presence of gateways between two clusters implies that the heads of these clusters are reachable to each other over a multi-hop path and that these two clusters are considered neighbours. If a node moves out of its current cluster and joins another, it is assumed that the associated cluster-heads will conduct a handoff to update each other about the change in membership of their clusters; other cluster-heads will not be involved in the handoff events outside their clusters.
Fig.3.1 Ad-hoc Network Cluster
3.2 TRUST AND THREAT MODEL
Nodes are assumed to have public key certificates or assigned identity-based asymmetric keys generated by a common trusted authority. These public keys can be used to form clusters securely and bootstrap TAM. Alternatively, if public key certificates are not suitable, TAM may employ a robust technique to bootstrap mutual trust among the individual nodes, eliminating any need for interaction with the authority to retrieve the public key of some nodes in the network. TAM bootstrapping will be needed at the time sessions are established and during the formation of a new cluster. Basically, as detailed in the source uses asymmetric cryptography to deliver the session keys to the main players in the authentication process. All nodes are to be preloaded with a known one-way cryptographic hash function. The function should be proven secure, with extremely low probability that an adversary can determine the input to the function given its output.
3.3 SYSTEM MODULES
3.3.1 Formation of Cluster
The constraints used to form the clusters are location and radio connectivity. The min-max-k cluster algorithm is used to form a cluster. Intra-cluster means grouping similar nodes within the cluster according to the radius and degree of the node. Inter-cluster means grouping all the cluster heads; the gateways are used to transmit data from one cluster to another. Estimates of the number of clusters Nch and the size of the node population per cluster Nc are needed. For that we refer to the analysis of , which answers a number of important questions about the properties of k-hop clustering. The following highlights the subset that is relevant to TAM. Two options are discussed based on the assumption on the deployment area and the clustering process.
Random cluster-head selection - In a homogeneous network in which no node is pre-designated as a cluster-head, the clustering process is sometimes based on a randomized and distributed procedure. Basically, every node nominates itself as a cluster-head with a probability p. Therefore,
The average number of clusters Nch = [1/p]
The average size of a cluster Nc = [N × p]
3.3.2 Key Generation
Within a cluster, a one-way hash function chain is used to generate the keys. Between clusters, the TAM protocol is used to generate the MAC. Then the MAC generates the secret key.
3.3.3 Source Authentication
Intra Cluster Source Authentication - Grouping nodes into clusters enables having a reasonably tight bound on the end-to-end delay of packet delivery and will thus enable the use of a time asymmetry based authentication scheme. Intra-cluster authentication in TAM is based on TESLA. Inter-cluster multicast traffic will be authenticated differently, as explained below. A source node generates a chain of one-time-use keys using the hash function, e.g., MD5, SHA-1, etc., and shares only the last generated key, Kl, with the receivers. A message can be authenticated only when the key used in the chain is revealed. To verify the authentication key, the receiver recursively applies the cryptographic hash function until reaching Kl. In reality, the receiver can stop when reaching a key that has been used before. A key cannot be used outside its designated time interval and the message will be ignored if the MAC is based on an expired key. Consequently, clock synchronization is required to make sure that the source and destination have the same time reference for key expiration. Therefore, TAM favors small cluster diameters, as will be shown shortly. The approach has two distinct advantages, namely: (1) the MAC overhead is small; basically a single MAC is used per multicast packet for all receivers; (2) a missed key in a lost packet would not obstruct the authentication process since a receiver can refer back to Kl. In TAM, the concern about the authentication delay is generally addressed by the fact that the cluster includes just a subset of the network nodes. The maximum end-to-end delay experienced by an intra-cluster multicast will be mostly dependent on the cluster radius. By controlling the radius of the cluster at the time of cluster formation, i.e., deciding the distance in terms of the number of hops between a member node and the cluster-head, it will be possible to tackle this issue.
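The intra-cluster key chain described above, as an added Python example that is not part of the original essay or of any TAM implementation: the source builds the chain and shares Kl, and the receiver accepts a disclosed key only if hashing it leads back to the last key it trusts. SHA-256 and HMAC (in place of the MD5 or SHA-1 the text mentions), the one-interval disclosure lag, the `max_gap` bound and all names are assumptions of this example.

```python
import hashlib
import hmac


def H(key):
    """One-way function that links the chain (SHA-256 is this example's choice)."""
    return hashlib.sha256(key).digest()


def mac(key, message):
    """Per-packet MAC; the chain key is used directly as the HMAC key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def make_chain(seed, length):
    """Return keys so that chain[i] == H(chain[i + 1]).

    chain[0] is the last generated key (Kl), shared with receivers up front;
    chain[i] for i >= 1 is the one-time key of time interval i.
    """
    keys = [seed]
    for _ in range(length):
        keys.append(H(keys[-1]))
    keys.reverse()
    return keys


class Receiver:
    def __init__(self, commitment, interval_len, lag=1, max_gap=64):
        self.trusted_key = commitment   # Kl at first, later the newest verified key
        self.trusted_index = 0
        self.interval_len = interval_len
        self.lag = lag                  # key i is disclosed at the start of interval i + lag
        self.max_gap = max_gap          # bound on hashing work per disclosed key
        self.buffer = {}                # interval -> [(message, tag)]

    def on_packet(self, interval, message, tag, now):
        """Buffer a packet unless its key may already be public (expired key)."""
        expired = now >= (interval + self.lag) * self.interval_len
        if interval <= self.trusted_index or expired:
            return False
        self.buffer.setdefault(interval, []).append((message, tag))
        return True

    def on_key(self, interval, key):
        """Check a disclosed key against the chain, then release buffered messages."""
        gap = interval - self.trusted_index
        if gap <= 0 or gap > self.max_gap:
            return []
        derived = {}
        k = key
        for i in range(interval, self.trusted_index, -1):
            derived[i] = k              # keys of skipped intervals are recovered too
            k = H(k)
        if not hmac.compare_digest(k, self.trusted_key):
            return []                   # not on the chain: state stays unchanged
        self.trusted_key, self.trusted_index = key, interval
        accepted = []
        for i in sorted(derived):
            for message, tag in self.buffer.pop(i, []):
                if hmac.compare_digest(mac(derived[i], message), tag):
                    accepted.append(message)
        return accepted


def demo():
    chain = make_chain(b"constructed-seed", 5)      # constructed sample values
    rx = Receiver(chain[0], interval_len=1.0)
    rx.on_packet(1, b"m1", mac(chain[1], b"m1"), now=1.2)
    rx.on_packet(2, b"m2", mac(chain[2], b"m2"), now=2.3)
    rx.on_packet(3, b"forged", bytes(32), now=3.1)  # tag not made with any chain key
    rx.on_packet(3, b"m3", mac(chain[3], b"m3"), now=3.4)
    late = rx.on_packet(2, b"late", mac(chain[2], b"late"), now=3.5)
    return {
        "late_buffered": late,
        # The disclosure of key 1 is treated as lost; key 2 still verifies against Kl.
        "after_key2": rx.on_key(2, chain[2]),
        "bogus_key": rx.on_key(3, b"\x11" * 32),
        "after_key3": rx.on_key(3, chain[3]),
        "replayed_key": rx.on_key(2, chain[2]),
    }
```

The receiver's clock appears only in `on_packet`, which is why the scheme depends on the synchronization bound inside the cluster.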
Furthermore, clustering will make it more feasible to synchronize the clocks of the nodes in the cluster with some reasonable accuracy. It is well known that for distributed clock synchronization schemes the accuracy diminishes with increased node population. However, the size of the cluster affects the overhead of the inter-cluster authentication protocol of TAM and will thus be subject to a trade-off, as explained next.
Inter Cluster Source Authentication - Authentication based on time asymmetry requires clock synchronization and thus does not suit large networks. For inter-cluster multicast traffic, TAM applies a strategy based on secret information asymmetry and engages the cluster heads in the authentication process. Basically, the source "s" that belongs to Cluster i will send the multicast packets to the heads of all clusters that have designated receivers. For example, if the members of the multicast group for s are residing in clusters g, h, j, and k, node s sends the message to CHg, CHh, CHj, and CHk. These cluster heads will then forward the message to the receivers in their respective clusters. The rationale is that the MAC will be associated with the cluster rather than the nodes and thus the overhead is reduced significantly. In other words, the multicast from s consists of multiple multicasts: (1) from s to all relevant cluster heads, and (2) a distinct multicast within each of the target clusters to relay the message to designated receivers. This can also be advantageous if node mobility is to be dealt with.
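The inter-cluster check, where each cluster head looks for its own combination of valid MACs, as an added Python example that is not part of the original essay or of any TAM implementation. The pool of four keys, subsets of two, 16-byte truncated HMAC-SHA-256 tags, the lexicographic subset assignment and all function names are assumptions of this example; clusters g, h, j and k follow the text. It also shows how the pool and subset sizes decide which groups of colluding clusters a given head can still detect.

```python
import hashlib
import hmac
from itertools import combinations

TAG_LEN = 16  # bytes kept from each HMAC-SHA-256 tag (assumed truncation)


def make_pool(pool_size):
    """Constructed, deterministic demo keys; a real source would draw random keys."""
    return [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(pool_size)]


def tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


def assign_subsets(cluster_ids, pool_size, subset_size):
    """Give every cluster a distinct combination of key indices."""
    combos = combinations(range(pool_size), subset_size)
    assignment = {}
    for cid in cluster_ids:
        subset = next(combos, None)
        if subset is None:
            raise ValueError("key pool too small for distinct subsets")
        assignment[cid] = subset
    return assignment


def source_tags(pool, message):
    """Source side: one tag per pool key, sent once to all cluster heads."""
    return [tag(key, message) for key in pool]


def head_verify(my_keys, message, tags):
    """Cluster head side: my_keys maps key index -> key.

    The message is accepted only if every tag this head can check is valid.
    """
    return all(
        idx < len(tags) and hmac.compare_digest(tag(key, message), tags[idx])
        for idx, key in my_keys.items()
    )


def tags_from_partial_keys(known, pool_size, message):
    """Tags that a party holding only `known` keys can compute; the rest is filler."""
    return [
        tag(known[i], message) if i in known else bytes(TAG_LEN)
        for i in range(pool_size)
    ]


def demo():
    pool = make_pool(4)
    assignment = assign_subsets(["g", "h", "j", "k"], pool_size=4, subset_size=2)
    heads = {cid: {i: pool[i] for i in idx} for cid, idx in assignment.items()}

    msg = b"constructed multicast payload"
    tags = source_tags(pool, msg)
    genuine = {cid: head_verify(keys, msg, tags) for cid, keys in heads.items()}
    tampered = {cid: head_verify(keys, b"altered payload", tags) for cid, keys in heads.items()}

    spoof = b"constructed spoofed payload"
    # One cluster alone lacks a key that every other cluster checks.
    g_alone = tags_from_partial_keys(heads["g"], 4, spoof)
    # Two clusters pooling their subsets hold keys 0, 1 and 2.
    g_and_h = tags_from_partial_keys({**heads["g"], **heads["h"]}, 4, spoof)
    return {
        "assignment": assignment,
        "genuine": genuine,
        "tampered": tampered,
        "g_alone_vs_h": head_verify(heads["h"], spoof, g_alone),
        "gh_vs_j": head_verify(heads["j"], spoof, g_and_h),   # j checks key 3
        "gh_vs_k": head_verify(heads["k"], spoof, g_and_h),   # k's subset is covered
        "overhead_bytes": len(tags) * TAG_LEN,
    }
```

With this small pool, two colluding clusters already cover cluster k's subset, so a larger pool or larger subsets are needed when that level of collusion must be tolerated, at the cost of more tag bytes per packet.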
4. Performance analysis
4.1 Effect of Network Size
Fig. 4.1.1 Bandwidth Overhead vs No. of Nodes
Fig. 4.1.1 demonstrates the performance advantage of TAM in terms of the bandwidth overhead. The graph shows that when using a MAC combination, rather than a single MAC per node, TAM introduces a minimal overhead that slightly grows as the number of nodes increases. However, using a single MAC per node boosts the overhead substantially. The bandwidth overhead for TAM under a single MAC per node is significantly more than the baseline with MAC combinations. This indicates the dominance of the effect of the MAC size on performance. It is worth noting that the single MAC per node imposes prohibitive overhead if a flat topology is pursued and is not shown since the scale of the y-axis will not allow the other curves to be visible. In summary, TAM enables boosting the network resilience to collusions if desired, an option that is practically infeasible for the baseline approach.
Fig. 4.1.2 Total delay vs No. of nodes
Fig. 4.1.2 shows the time until all receivers get the multicast packet. Due to the assumption of a d-balanced tree, the flat topology involves the least delay, which increases at a very slow pace when the network grows. The delay for TAM is slightly higher given the multi-step operation, i.e., intra and inter-cluster. Nonetheless, TAM significantly outperforms the baseline for the case of a single MAC per node. When considering both Figure 6.5 and 6.6, TAM clearly stands out as a practical approach for collusion-resistant authentication.
Fig. 4.2.1 Bandwidth Overhead vs MAC size
4.2 Effect of the MAC Size and Count
Fig. 4.2.1 shows the scalability of TAM with respect to the size of the digital signature. Longer signatures are usually pursued as a means for boosting the cryptographic strength of the security solution. TAM scales very well, even when a single MAC per node is used. The overhead grows almost exponentially for the flat approach.
5. Conclusions and Future Work
In recent years there has been a growing interest in the use of ad-hoc networks in security-sensitive applications such as digital battlefield, situation awareness, and border protection. The collaborative nature of these applications makes multicast traffic very common. Securing such traffic is of great importance, particularly authenticating the source and message to prevent any infiltration attempts by an intruder. Contemporary source authentication schemes found in the literature either introduce excessive overhead or do not scale for large networks. This paper has presented TAM, which pursues a two-tiered hierarchical strategy combining both time and secret-information asymmetry in order to achieve scalability and resource efficiency. The performance of TAM has been analyzed mathematically and through simulation, confirming its effectiveness. In addition, the effect of the various parameters has been studied and guidelines have been highlighted for picking the most suitable configuration in the context of the particular application requirements; most notably, having a cluster radius of 2 or 3 hops appears to be the most suitable for TAM. The future version of the project is to provide security while increasing the number of nodes and the cluster size.