Security in Mobile Ad Hoc Networks
Security in ad-hoc networks
Mobile ad hoc networks are a special class of wireless
networks.
They have very particular features such as high
mobility, multi-hop routing and the absence of any fixed
infrastructure.
These networks enable the deployment of
communication networks at a low cost.
Security in ad hoc networks is a critical consideration
due to their dynamic and decentralized nature.
Motivations and application fields
With the advent of mobile telephony services, wireless networks
have become an unprecedented success in recent years.
The considerable evolution of equipment and the
liberalization of regulation in the use of radio bands have enabled the
deployment of different architectures that answer the different needs of
the 21st century.
Thus, the development of GSM, UMTS and Wi-Fi technologies enables
users to have advanced means of communication while benefiting from
comfortable mobility.
In the majority of cases (GSM, WAP, UMTS, Wi-Fi), the communication
is supported by an architecture which is only partially wireless.
The user becomes connected, thanks to a connection without wires, but
via an access point which remains fixed.
Consequently, in order to be connected to the network, the user must
be in the coverage area of one of these access points.
However, such a deployment often comes at a high
price and can involve significant delays, while
certain infrastructures are not intended to remain in place
for a long period of time.
In the same way, it is not always technically or
physically possible to deploy an access point in certain
specific geographical locations (difficult access,
devastated zone, etc.).
Wireless network with fixed infrastructure
A solution for this type of problem is to consider a
wireless network where mobility is not only related to
the users but is directly related to the infrastructure.
Such a network is not made up of fixed access points
but is, on the contrary, composed of entirely mobile
entities. These entities (also called nodes) can
communicate with each other using radio waves and
when two of them are too distant to communicate
directly, they use other nodes which are in charge of
relaying the packets from the transmitter to the
destination.
Ad hoc network with multi-hop routing
This concept can be seen as a network with a flat
architecture, in the sense that all the communicating
entities are equivalent and can, according to need,
sometimes act as clients (to send or receive
packets) and sometimes as routers (to relay packets
between two other nodes). Such networks are called ad
hoc networks.
To cope with the absence of a fixed router, specific
routing protocols must be employed; this is the reason
why ad hoc networks (also called MANETs, for Mobile
Ad Hoc Networks) use multi-hop routing to convey
packets.
Because of the high mobility of the entities, the routing
protocols also have to adapt to large
fluctuations in connectivity.
Applications:
The motivations that lead to the development of applications
for ad hoc networks can be physical.
Historically, these networks were built from a military point of
view. Even today, a lot of research in the field is
financed by the US army and navy.
In another field, the use of sensor networks constitutes an
application that is completely adapted for ad hoc networks.
Indeed, such networks must sometimes be deployed in
inaccessible zones, in which any human intervention must be
reduced to the bare minimum.
Beyond the purely scientific or military fields, the possibilities
offered by ad hoc networks are also of interest to industry.
In the automobile industry, for instance, multi-hop
routing is well suited to a network
made up of vehicles. Considering the vehicles
circulating on a highway, one of the objectives could
be to warn all the cars approaching a point of the
highway with special conditions (such as a traffic jam or
an accident).
Finally, more and more applications are motivated by
purely economic aspects. Thus, we can note an
increasing use of ad hoc networks within the context
of citizens' networks.
Routing protocols
Because of the particular characteristics of ad hoc
networks, the traditional routing protocols cannot be
used in this context. Indeed, the protocols must take
into account the strong mobility of the nodes and the
absence of pre-configured routers.
In general, we can distinguish two main categories of
protocols, according to the way in which the nodes
establish the routes: proactive and reactive protocols.
Proactive protocols
Proactive routing protocols permanently provide each node
with information about the network topology. This
information is obtained by the periodic flooding of control
packets; from these each node builds its routing table.
Therefore, a node that needs to establish a route towards a
destination applies a path discovery algorithm to the
information contained in its routing table.
The main advantage of proactive protocols is that route
establishment causes only a very slight delay. Indeed, at any
moment each node already has the necessary information to
establish a path towards any other node of the network.
Two proactive routing protocols have been standardized by the
IETF: Topology Dissemination Based on Reverse-Path
Forwarding (TBRPF) and Optimized Link State Routing
(OLSR).
Reactive protocols
In large networks, the proactive approach is not very
effective, because it consumes too much bandwidth. That is why
certain protocols are based on another approach, which is
more specific to the field. This is the case of reactive
protocols, which do not keep information about the topology
of the network.
On the contrary, they do not establish a route unless a node
wishes to send a message. They are on-demand routing
protocols. The advantage of these protocols is that the
network is not flooded by control packets until it is really
necessary.
They are thus less expensive overall in terms of signaling and
energy. On the other hand, the time to establish a route is
somewhat longer than for proactive protocols, especially if
the distance between the source and the destination is great.
Attacks on routing protocols
Because of their particular characteristics, ad hoc networks
present vulnerabilities which do not exist in wireless
architectures with access points. These vulnerabilities
give rise to specific attacks against which traditional
security measures are ineffective.
The term “attack” indicates an action aiming to compromise
the confidentiality or the integrity of the information
circulating in the network or, more generally, to degrade its
proper operation. In ad hoc networks, we generally distinguish
two categories: passive attacks, which are a direct
consequence of wireless technology, where the attacker only
listens to the traffic without influencing the routing process,
and active attacks, where the nodes directly influence the
routing process by injecting packets into the network.
Passive attacks
Because of the nature of the access medium, it is very easy for
an arbitrary node to listen to communications without the
knowledge of the participants.
A common attack then occurs when an attacker is in listening
mode (promiscuous listening) in order to collect everything
sent over the air interface and thus to analyze the traffic.
In this scenario, if we consider the signaling used by the
protocol, a node can of course extract all kinds of strategic
information such as the data contents, but also the network
connectivity, the location of certain nodes, their IP
addresses, MAC addresses, etc.
However, within the ad hoc network environment, its
implementation does not constitute enough protection, since
the nodes cannot, to start with, trust each other enough
to exchange cryptographic keys easily.
Passive attack. The central node receives with discretion
messages from other nodes without emitting any signal
Active attacks
These attacks can target various layers of the OSI
model.
Like other types of wireless networks, ad hoc networks
are completely vulnerable to attacks at the level of the
physical layer.
However, because of the routing characteristics of
these networks, it is the third layer, i.e. the network layer,
which appears the most vulnerable.
Security mechanisms
Initially, security problems were completely ignored in the
field of ad hoc networks, the majority of research
focusing on improving performance (throughput of the
protocols, overhead limitation, etc.). Thereafter, several
mechanisms were designed to increase the robustness of
routing protocols without affecting performance too
much.
Some of them simply consist of basic optimizations to
the protocols, in order to prolong their use in a hostile
environment. Others, on the other hand, are inspired by
more advanced but also more expensive techniques such
as cryptography to guarantee essential functionalities
like confidentiality and authentication.
Basic protections
If the specific characteristics of ad hoc networks often
constitute an obstacle to routing security, they can also be
exploited to the opposite effect: to reinforce data
routing.
A simple solution then consists of benefiting from the
multiplicity of routes to make a secure transfer.
If a malicious node is identified, the protocol can almost
always find a route which makes it possible to avoid it.
Also, it becomes possible to transmit redundant
information through additional routes in order to allow the
recipient to check the integrity of the information sent.
We can thus add error-detecting codes, error-correcting
codes, or hashes of the transmitted data.
Existing tools
The most successful routing protocols are generally
based on traditional tools like hash functions and
symmetric/asymmetric encryption mechanisms.
Symmetric mechanisms: symmetric encryption (or symmetric
cryptography) involves the use of a single key for both
the encryption and decryption of data.
Asymmetric mechanisms: a pair of keys is used for
encryption and decryption.
Thus, to guarantee message authenticity, the most
effective solution consists of providing each node with
secret keys, which are used to encrypt and decrypt the
messages exchanged.
Key management architectures
The traditional mathematical tools can be used to design
secure routing protocols.
Here are some of the existing solutions and their limits.
The Resurrecting Duckling: In order to facilitate key
distribution in an ad hoc network, Frank Stajano and Ross
Anderson proposed a mechanism to exchange a secret key between
two nodes. This model, called the Resurrecting Duckling, is based
on a master/slave relationship and on the concept of imprinting.
Thus, during an initialization phase (before its introduction into
the network), a slave node must be “imprinted” by its master node
(possibly the owner) by physical contact (e.g. electrical).
At the time of this contact, a secret key is exchanged confidentially.
SUCV: Montenegro and Castelluccia developed another
approach called SUCV (Statistically Unique
Cryptographically Verifiable identifiers and addresses) in
which each node builds an address based on its public key.
Each node generates a public/private key pair and then
chooses its address, calculating it from the public key
using a cryptographic hash function. The authors
propose two mechanisms. In the first one, the IPv6
address of a node corresponds to the complete result of
the hash function applied to the public key. In the other
approach, only the 64 least significant bits correspond to
the result of the hash function. Thus, if an attacker
wishes to compromise a given SUCV, it will have to carry
out 2^63 (roughly 4.8*10^18) tests to find a public key whose
hash is identical to that of this SUCV.
Architecture of distributed certificates: To overcome the constraints
induced by the absence of a centralized infrastructure, Zhou and
Haas proposed taking advantage of the intrinsic characteristics of
ad hoc networks in order to design a new certificate
management approach.
They imagined a system of key certification where the authority is
not given to one fixed entity but, on the contrary, is distributed
among several nodes of the network. In this manner, the
certification service obtained is defined by a distributed
certification authority that has a pair of public/private keys. The
public key is known by each node of the network and enables them
to check with confidence any certificate signed with the private key.
The private key is not known by any particular node, but is in fact
partially distributed over several nodes called contributors. Thus, a
client node that wishes to obtain the public keys of the other clients
or to launch updates to change its own public key has to send a
request to the certification service.
PGP approach: Another solution [HUB 01] proposes using the
traditional online certification model, taking as a starting point
the concept of certificate graphs of the PGP (Pretty Good Privacy)
protocol (the vertices of the graph represent the public keys of
the users while the edges represent the certificates).
In this model, each node signs the certificates of the
participants in which it has confidence, according to its own
criteria. The certificates rest on transitive trust, i.e. if A
trusts B and B trusts C, then A trusts C. However, unlike in
PGP, the certificates are stored and then distributed by the
nodes themselves and not by an online server. Thus, each node
has a “local certificate register”. Thereafter, when two nodes
wish to check each other's identities, they merge their
respective registers with the aim of finding a certificate chain
which binds them in a trust relationship.
TESLA: The TESLA (Timed Efficient Stream Loss-tolerant
Authentication) protocol was designed to allow
loss-tolerant authentication of the source of a multicast
flow. The basic TESLA principle is the following: the
sender attaches to each message a message authentication
code (MAC) computed using a secret key that
will be revealed only after a certain amount of time. The
mechanism begins by creating MAC keys.
In order to do this, the sender generates a series of
keys K1, K2, ..., Kt using a one-way hash function. It
first generates a random key and calculates the following
keys by applying the hash function successively. Then,
it generates the MAC keys using another hash function.
The use of two distinct hash functions is a precaution
taken by the authors to further reinforce the security.
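The key chain and delayed key disclosure described above can be sketched as follows. This is an added example, not code from the TESLA authors or from this page; SHA-256, the interval numbering, the disclosure delay of two intervals and the names `Sender`, `Receiver` and `make_chain` are assumptions made for illustration, and all packets are constructed sample data.

```python
import hashlib
import hmac
import os

def F(key: bytes) -> bytes:
    """One-way function linking the chain: K_{i-1} = F(K_i)."""
    return hashlib.sha256(b"tesla-chain" + key).digest()

def F_mac(key: bytes) -> bytes:
    """Second, distinct one-way function deriving the MAC key from K_i."""
    return hashlib.sha256(b"tesla-mac" + key).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(F_mac(key), msg, hashlib.sha256).digest()

def make_chain(t: int) -> list:
    """Return [K_0, ..., K_t]: K_t is random, K_0 is the public commitment."""
    keys = [os.urandom(32)]
    for _ in range(t):
        keys.append(F(keys[-1]))
    keys.reverse()
    return keys

class Sender:
    def __init__(self, t: int, delay: int):
        self.keys, self.delay = make_chain(t), delay
        self.commitment = self.keys[0]

    def packet(self, i: int, msg: bytes) -> dict:
        """Packet for interval i: MAC under K_i, disclosure of K_{i-delay}."""
        j = i - self.delay
        return {"i": i, "msg": msg, "tag": mac(self.keys[i], msg),
                "disclosed": (j, self.keys[j]) if j >= 1 else None}

class Receiver:
    def __init__(self, commitment: bytes, delay: int):
        self.known_i, self.known_key = 0, commitment  # newest verified key
        self.delay = delay
        self.pending = {}          # interval -> [(msg, tag)] awaiting its key
        self.authenticated = []

    def receive(self, pkt: dict, now: int) -> str:
        """`now` is the receiver's estimate of the sender's current interval
        (loose time synchronisation is assumed)."""
        # Security condition: K_i is public from interval i + delay onwards,
        # so a packet for interval i arriving that late proves nothing.
        if now >= pkt["i"] + self.delay:
            return "dropped: key may already be public"
        self.pending.setdefault(pkt["i"], []).append((pkt["msg"], pkt["tag"]))
        if pkt["disclosed"]:
            self._key_disclosed(*pkt["disclosed"])
        return "buffered"

    def _key_disclosed(self, j: int, key: bytes) -> None:
        if j <= self.known_i:
            return
        # Hash K_j down to the last verified key, keeping every K_p met on
        # the way: this is what tolerates lost disclosure packets.
        derived, k = {}, key
        for p in range(j, self.known_i, -1):
            derived[p] = k
            k = F(k)
        if not hmac.compare_digest(k, self.known_key):
            return                 # key does not belong to the chain
        self.known_i, self.known_key = j, key
        for p, kp in derived.items():
            for msg, tag in self.pending.pop(p, []):
                if hmac.compare_digest(mac(kp, msg), tag):
                    self.authenticated.append(msg)

def demo():
    s = Sender(t=8, delay=2)
    r = Receiver(s.commitment, delay=2)
    p = {i: s.packet(i, b"update %d" % i) for i in range(1, 8)}
    r.receive(p[1], now=1)
    r.receive(p[2], now=2)
    # p[3], which discloses K_1, is lost on the way.
    r.receive(p[4], now=4)         # discloses K_2; K_1 is derived as F(K_2)
    # A packet MACed with the now-public K_2 arrives in interval 4.
    forged = {"i": 2, "msg": b"forged", "tag": mac(s.keys[2], b"forged"),
              "disclosed": None}
    late = r.receive(forged, now=4)
    r.receive(dict(p[5], msg=b"tampered"), now=5)   # payload altered in transit
    r.receive(p[7], now=7)         # discloses K_5, covers intervals 4 and 5
    return r.authenticated, late

if __name__ == "__main__":
    print(demo())
```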
Protections using asymmetric cryptography
The protocols detailed in this section generally assume the existence
of a system for the management and distribution of pre-established keys.
To prevent the risk of identity usurpation in a network, the protocol must be
able to guarantee node authentication. In order to do this,
encryption mechanisms seem to be the most effective.
SAODV: Zapata and Asokan developed a protocol dedicated to securing
the AODV protocol, called SAODV (Secure Ad hoc On-demand Distance
Vector).
The principal idea of SAODV consists of using signatures to
authenticate the majority of the fields of the Route_Request and
Route_Reply packets and using hash chains to protect the integrity
of the hop counter. Thus, SAODV constitutes an extension of AODV
with signatures, in order to repel “identity usurpation” attacks.
SAODV requires the presence of a certification
authority in order to check the signed packets, thus
ensuring their authenticity.
This protocol ensures good authentication of
control messages as well as good integrity.
In addition, where several attackers collude,
a tunnel attack can still be launched
and the hop count can even be decreased on
arrival, in a way that is transparent to the other nodes.
ARAN: The creators of ARAN (A Secure Routing
Protocol for Ad Hoc Networks) also chose to use
public-key cryptography to secure the routes. ARAN is
an on-demand protocol, which provides a hop-by-hop
authentication service using a public key infrastructure. It thus
assumes the existence of an authentication server whose
role is to manage the certificates and whose public key is
known by all participants.
Before entering the network, each node must identify itself
to the server and must request a certificate which will be
used to sign the messages that it will send. This certificate
contains the IP address of the node, its public key, a first
timestamp which gives the creation date of the
certificate, and a second timestamp which indicates its expiry
date.
In the traditional way, this certificate is then signed by
the server and must be regularly updated.
The goal of ARAN is to secure the route discovery
mechanism from node to node.
Thus, when a node wishes to send a message, it generates,
signs, then sends an RDP (Route Discovery Packet).
Thereafter, each intermediate node receiving this packet
checks the certificate of the preceding node, adds its own
certificate and resends the packet. Once this packet
arrives, the destination node checks the certificate and
answers in unicast, using a REP (Reply Packet) message
which is checked node by node.
The ARAN protocol also specifies how to protect the
route maintenance mechanism.
When an intermediate node detects that a route is
broken, it sends a Route Error (ERR) packet to the
next upstream node (in the direction of the source).
This packet includes the addresses of the source and
destination nodes, the certificate of the intermediate
node as well as a nonce and a timestamp.
When comparing ARAN and SAODV, it should be
noted that in spite of authentication from node to
node and from end to end, ARAN does not bring a
significant benefit in security terms over SAODV
(which only provides end-to-end authentication).
Protections using symmetric cryptography
Papadimitratos and Haas proposed a secure routing protocol,
SRP (Secure Routing Protocol), which is especially adapted to the
characteristics of the DSR (Dynamic Source Routing) protocol and
the interzone routing protocol (ZRP). Thus, they conceived SRP
(Secure Routing Protocol) as an extension to the header of the
Route_Request and Route_Reply packets. SRP uses sequence
numbers inside the requests to guarantee their freshness.
However, this sequence number can only be checked at the
destination.
Moreover, it establishes security associations between the
communicating nodes only. This association is then used to
authenticate the Route_Request and Route_Reply packets by means of
a MAC.
SAR: The SAR (Security-Aware ad hoc Routing) protocol [YI 02] is
also based on symmetric encryption. It was originally
designed to prevent “black hole” attacks, which consist of
dropping all the packets at the malicious node.
ARIADNE: Considering the disadvantages of asymmetric
encryption, Hu, Perrig and Johnson developed a secure routing
protocol, ARIADNE [HU 02], inspired by the traditional DSR
protocol and based on symmetric encryption mechanisms.
The idea was to propose a protocol which could be implemented on
powerful laptops as well as on PDAs, which is why
the authors chose to associate it with three methods of
authentication, in order to adapt it to the computing capacities of
the nodes:
1- use of a shared key between each pair of nodes
2- use of a shared key between each pair of communicating nodes
combined with broadcast authentication
3- use of digital signatures.
Protection against data modification
In order to guarantee data integrity, hash
chains are a very effective tool offering very
satisfactory protection at a lower cost than
the previously detailed cryptographic approaches.
Thus, the SEAD protocol proposes to reinforce the
security of the DSDV protocol by using hash chains. It
prevents possible attacks that
artificially increment the hop count in the
signaling packet header.
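The hash-chain protection of the hop counter mentioned above for SAODV and SEAD can be illustrated as follows (an added example, not code from either protocol's authors). The field names, SHA-256 and the limit of 8 hops are assumptions; in SAODV the `top_hash` and `max_hops` fields would also be covered by the source's signature, which is not modelled here.

```python
import hashlib
import hmac
import os

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def h_n(x: bytes, n: int) -> bytes:
    """Apply the one-way function n times."""
    for _ in range(n):
        x = h(x)
    return x

def new_request(max_hops: int) -> dict:
    """Source: Hash starts as a random seed, Top_Hash = h^max_hops(seed)."""
    seed = os.urandom(32)
    return {"hop_count": 0, "max_hops": max_hops,
            "hash": seed, "top_hash": h_n(seed, max_hops)}

def verify(pkt: dict) -> bool:
    """Any node: hashing Hash (max_hops - hop_count) times must give Top_Hash."""
    remaining = pkt["max_hops"] - pkt["hop_count"]
    if remaining < 0:
        return False
    return hmac.compare_digest(h_n(pkt["hash"], remaining), pkt["top_hash"])

def forward(pkt: dict) -> dict:
    """Intermediate node: check, then increment the counter and hash once."""
    if not verify(pkt) or pkt["hop_count"] >= pkt["max_hops"]:
        raise ValueError("hop count does not match the hash chain")
    return dict(pkt, hop_count=pkt["hop_count"] + 1, hash=h(pkt["hash"]))

def relay_demo():
    pkt = new_request(max_hops=8)          # constructed sample request
    for _ in range(3):                     # three honest relays
        pkt = forward(pkt)
    honest = verify(pkt)
    # Advertising a shorter route needs an earlier chain element, i.e. a
    # preimage of the Hash value the node received, so the check fails.
    lowered = verify(dict(pkt, hop_count=1))
    # A Hash field that is not on the chain is rejected as well.
    off_chain = verify(dict(pkt, hash=h(b"not on the chain")))
    return pkt["hop_count"], honest, lowered, off_chain

if __name__ == "__main__":
    print(relay_demo())
```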
In addition to their work on SRP (Secure Routing
Protocol), Papadimitratos and Haas also developed a
mechanism intended to secure link state routing
protocols, called SLSP (Secure Link State Protocol).
In the case of SEAD, the protocol uses digital signatures
as well as one-way hash chains to guarantee the
integrity of the link state updates. SLSP can be used alone, in
an independent manner, or as an intrazone routing protocol
(IARP), which is a component of the ZRP (Zone Routing
Protocol).
The SRP comprises four principal mechanisms:
1- a neighbor monitoring protocol (NLP)
2- a key distribution protocol (PKD)
3- a link state update protocol (LSU)
4- a mechanism for preventing DoS-type attacks.
Protection against “tunnel” attacks
Protection against tunnel attacks in ad hoc networks is crucial to
ensure the security and integrity of the network. A tunnel attack occurs
when an attacker sets up a malicious node to intercept and redirect
traffic between two legitimate nodes, giving the attacker access to
sensitive information.
Here are some measures to protect against tunnel attacks:
Secure Routing Protocols: Use secure routing protocols, such as
AODV (Ad hoc On-Demand Distance Vector) or DSR (Dynamic Source
Routing), which include authentication mechanisms to verify the
legitimacy of nodes and prevent tunneling attacks.
Intrusion Detection Systems (IDS): Deploy IDS to detect and
respond to malicious activities, including tunneling attacks. IDS can
identify abnormal traffic patterns and raise alerts for further
investigation.
Encryption: Encrypt data transmission between nodes using
protocols like TLS (Transport Layer Security) or IPsec (Internet
Protocol Security) to protect against eavesdropping and
tampering.
Node Authentication: Implement strong node authentication
mechanisms, such as digital signatures or certificates, to verify
the identity of nodes and prevent unauthorized access.
Packet Filtering: Use packet filtering techniques to identify and
block malicious packets that could be part of a tunneling attack.
Secure Initialization: Ensure that nodes are securely initialized
and configured to prevent them from being compromised and
used in tunneling attacks.
Network Segmentation: Divide the network into segments and
apply access control measures to restrict communication
between segments, reducing the impact of tunneling attacks.
Traffic Analysis: Regularly monitor network traffic for anomalies
and suspicious patterns that may indicate a tunneling attack in
progress.
Key management in ad hoc networks
Key management in ad hoc networks is crucial for ensuring secure
communication among nodes. In these networks, nodes dynamically
form a network without the need for a fixed infrastructure. This
dynamic nature poses unique challenges for key management, as
nodes may join or leave the network frequently, and the network
topology can change rapidly.
Key management in ad hoc networks involves several key aspects:
Key Establishment: Nodes need to establish cryptographic keys to
secure their communication. This can be done using various methods
such as pre-shared keys, public key cryptography, or key agreement
protocols.
Key Distribution: Once keys are established, they need to be
distributed to nodes securely. In ad hoc networks, this can be
challenging due to the lack of a centralized authority. Key distribution
schemes should be robust to node mobility and network changes.
Key Revocation: Nodes may become compromised or leave the network,
necessitating the revocation of their keys. Key revocation mechanisms ensure
that compromised or outdated keys are no longer used for communication.
Key Updates: Over time, keys may need to be updated to ensure security. Key
update mechanisms should be efficient and not disrupt network
communication.
Scalability: Key management schemes should be scalable to large networks
with a varying number of nodes. They should be able to handle frequent
changes in the network topology.
Authentication: Nodes need to authenticate each other to ensure that they
are communicating with legitimate nodes. This is typically done using digital
signatures or message authentication codes.
Secure Routing: Secure routing protocols are needed to establish secure
paths between communicating nodes. These protocols should protect against
various attacks, such as route discovery attacks and packet modification.
Overall, key management in ad hoc networks is a complex and challenging
task due to the network's dynamic nature. Effective key management schemes
are essential for ensuring the security and reliability of communication in ad
hoc networks.
The threshold cryptography technique
The approach given in [ZHO 99] aims to solve the problems
induced by the absence of infrastructure within ad hoc and
sensor networks, which makes the use of a public key
infrastructure (PKI) very difficult.
To establish secure communications between nodes within a
wired network using a PKI, each node holds public and
private keys, provided by the certification authority (CA). The
CA holds similarly public and private keys (K, k). The CA is
always available within the network, because both the public
and private keys of each network node have to be updated
periodically, in order to decrease the risk of malicious attacks.
The CA is also in charge of revoking the public key of an
untrusted node.
Within an ad hoc network, having only one CA represents a
point of vulnerability. Indeed, if it is not available, nodes are
unable to prove the authenticity of the public keys of their
peer nodes and consequently cannot establish secure
communications between them. Attackers can also use this
vulnerability to compromise the entire network.
Threshold cryptography offers a more flexible
approach: the new key management service, with the
configuration (n,t+1), consists of n special nodes, called
servers, available in the ad hoc network and sharing the
ability to generate certificates for the other nodes. t+1 valid
partial signatures are required to construct a valid complete
signature.
Each server i holds its public and private keys (Ki, ki), and
stores the public keys of the other network members,
particularly those of the other servers. This configuration
allows server nodes to establish secure links between them.
Each server generates a partial signature of a node’s certificate
and sends it to a combiner, which needs at least t+1 partial
signatures to generate the complete signature. The maximum
number of compromised servers at any period of time must
be equal to t: with t compromised servers, the combiner is still
able to generate a valid signature.
The combiner is also able to verify the validity of a partial
signature (PS) sent by a server. If a PS is revealed to be
erroneous, the combiner rejects it and continues collecting
until it has t+1 valid PSs.
this operation of signature construction, having a (3,2)
configuration in which server 2 was compromised.
There, the combiner was able to generate the signature of the
certificate of the node m (Certm).
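The (3,2) configuration with a compromised server 2 can be reproduced with the following added example, which is not code from [ZHO 99] or from this page. It assumes a simplified RSA threshold scheme in the style of Shoup's, with tiny constructed safe primes, and a combiner that checks each candidate signature against the service public key and moves to another set of t+1 partial signatures when the check fails; all function names are hypothetical.

```python
import hashlib
import secrets
from itertools import combinations
from math import factorial, gcd

# Constructed toy parameters (assumption): safe primes p = 2p'+1, q = 2q'+1.
P, Q = 1019, 2039
N = P * Q                        # service modulus
M = (P // 2) * (Q // 2)          # p'q', the order of the squares modulo N
E = 65537                        # service public key K
D = pow(E, -1, M)                # service private key k, held by no single node

def digest(cert: bytes) -> int:
    """Map a certificate to an invertible residue modulo N."""
    x = int.from_bytes(hashlib.sha256(cert).digest(), "big") % N
    while x < 2 or gcd(x, N) != 1:
        x = (x + 1) % N
    return x

def deal(n_servers: int, t: int) -> dict:
    """Share D with a random degree-t polynomial f over Z_M; server i gets f(i)."""
    poly = [D] + [secrets.randbelow(M) for _ in range(t)]
    return {i: sum(c * i ** k for k, c in enumerate(poly)) % M
            for i in range(1, n_servers + 1)}

def partial_sign(share: int, x: int, delta: int) -> int:
    """Partial signature PS_i = x^(2 * delta * s_i) mod N."""
    return pow(x, 2 * delta * share, N)

def combine(partials: dict, x: int, delta: int) -> int:
    """Combine t+1 partial signatures {server: PS} into y with y^E = x mod N."""
    w = 1
    for i, ps in partials.items():
        num = den = 1
        for j in partials:
            if j != i:
                num, den = num * -j, den * (i - j)
        lam = delta * num // den             # integer Lagrange coefficient at 0
        w = w * pow(ps, 2 * lam, N) % N
    e_prime = 4 * delta * delta              # honest shares give w^E = x^e_prime
    a = pow(e_prime, -1, E)
    b = (1 - e_prime * a) // E               # e_prime * a + E * b = 1
    return pow(w, a, N) * pow(x, b, N) % N

def combiner(partials: dict, x: int, t: int, delta: int):
    """Try sets of t+1 partial signatures until one verifies under E."""
    for subset in combinations(sorted(partials), t + 1):
        try:
            y = combine({i: partials[i] for i in subset}, x, delta)
        except ValueError:                   # a PS that is not invertible mod N
            continue
        if pow(y, E, N) == x:
            return y, subset
    return None, None

def demo():
    n_servers, t = 3, 1                      # the (3,2) configuration
    delta = factorial(n_servers)
    shares = deal(n_servers, t)
    x = digest(b"Cert_m: constructed sample certificate of node m")
    partials = {i: partial_sign(s, x, delta) for i, s in shares.items()}
    partials[2] = partials[2] * 2 % N        # server 2 returns an erroneous PS
    return combiner(partials, x, t, delta), x

if __name__ == "__main__":
    print(demo())
```

The signature produced from servers 1 and 3 is the ordinary RSA signature of the certificate digest, so any node holding the service public key can check it without knowing which servers took part.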
Self-managed PKI
In a self-managed PKI dedicated to operating within ad hoc networks,
each node establishes certificates for the nodes it trusts. If two
entities want to communicate securely without knowing each other,
they exchange their certificate lists and try to create a trust chain
between them. For example, when two nodes A and B want to
communicate and they both trust node C, a trust chain between
A and B can be created through node C (as in the PGP protocol,
which stipulates that “the friends of my friend are my friends”).
Local database construction mechanisms are used in [HUB 01] to
contain the node certificates, so that any pair of nodes in the
network can establish a trust chain between them, with a high
probability, even if the size of the local databases is small compared
to the number of nodes in the ad hoc network.
Key agreement technique within MANETs
The context of this approach is a small group of people, participating in
a conference within a room for an ad hoc meeting following an
asymmetric encryption model; these people want to exchange
confidential data during the meeting.
The principle of the key agreement protocol, assuming that all
members trust each other, consists of sharing a weak password, from
which another password will be generated and will constitute the
session encryption key of the group.
– secret: only nodes knowing the weak password should be able to
deduce the session key;
– contributing agreement: the generated session key should be
composed of the contributions of the participants of the secure
communications session;
– tolerance to attacks: attacks taken into account are those consisting of
injecting erroneous messages in the network, but not attacks which
modify or delete messages sent by other nodes.
Cryptographic identifiers
Cryptographic identifiers [MON 02] are generated and
held by the nodes of ad hoc networks, in order to
prove their identities to nodes communicating with
them, without the need of any trust administration.
These identifiers are statistically unique and
cryptographically verifiable, which means that it is
very unlikely that two entities hold the same identifier,
and that an entity can check the validity of an
identifier by means of cryptographic
techniques.
The cryptographic identifier, called CBID, is defined as:
CBID = hmac_sha1_128(sha1(imprint),sha1(PK)) where:
– PK is the public key of the identifier generator;
– imprint is a random value of 64 bits;
– hmac and sha1 are two hash functions.
The basic idea of the crypto-based identifiers is to establish
a strong cryptographic relation between their components
(private and public keys). A node announces its identity to
the other nodes, by proving that it holds the private key
associated with its public key, which is used for its CBID
generation.
The resurrecting duckling technique
This technique [FRA 99] is based on a metaphor inspired by
biology, describing the behavior of a duckling emerging from
its egg, and recognizing as its mother the first mobile object
which emits a sound. This phenomenon is called “imprinting”.
Similarly, an entity recognizes as its owner (its controller) the
first entity which sends it a secret key (during the
communication session). The sending of the secret key
between equipment and its owner is carried out directly (via an
electrical contact), thus avoiding any cryptographic operation
or ambiguities concerning the identities of the intervening
entities. However, at the same time, this kind of
authentication makes the Resurrecting Duckling technique
restricted to a specific kind of applications and not suitable for
a large deployment of ad hoc networks.
The controller sends the equipment, in a secure manner,
any information that determines its behavior towards the
other nodes of the network (security policies, access
control list, etc.). The equipment can thus
communicate with the other entities of the network,
but cannot be controlled by them. The targeted
application, detailed in [FRA 99], is a medical
application in which the equipment is, for example, a
thermometer held by the patients, and the controllers
are the PDAs of the doctors.
Group key management within ad hoc networks
Multicast transmission is an efficient and suitable
mechanism for group-oriented applications such as
audio-video conferences. The IP multicast model
defined by Deering [DEE 91] is an extension of the IP
model. It defines the notions of group, addressing
scheme and group adhesion protocol. The group is
itself dynamic; one entity can join or leave the group at
any time.
A multicast group is open, so an entity can send
packets to a multicast group without belonging to it.
Multicast group addresses form a sub-set of IP addresses (class
D in IPv4 and prefix FF00::/8 in IPv6). Some multicast groups
are permanent with fixed and known addresses. Other groups
are temporary and thus hold dynamically allocated addresses.
The group membership protocol IGMP (Internet Group
Management Protocol) [DEE 91] operates between nodes and
their multicast routers. It allows a node to inform its multicast
router that it wants to receive the flow for a given multicast
group.
In turn, the router periodically queries its local network to detect
nodes still belonging to multicast groups. Based on IGMP, a
multicast router is able to determine which multicast traffic should
be sent to its local network.
Multicast routers use this IGMP information, associated with
the multicast routing protocols (e.g. MOSPF [MOY 94], PIM
[DEE 94] within wired networks, and MOLSR [LAO 03],
MAODV [ROY 00] within ad hoc environments).
The lack of security within the multicast
communication model is one of the factors which has
limited its deployment within large-scale networks,
particularly concerning business-oriented
applications.
This limitation is a major motivation for many
research initiatives whose goal is to establish a secure
architecture for group communications that prevents
malicious attacks.
Security services for group
communications
Security services are related to the multicast data sent
by the source and to the identities of the group
participants.
We distinguish five main properties:
(1) Data confidentiality. This property ensures that
only authorized members can access the multicast
flow sent by the source. To enforce this property, a
symmetric key is used by the source to encrypt data,
and by the receivers to decrypt them. This key is called
the Traffic Encryption Key (TEK).
(2) Forward and backward secrecy. A member having
left the multicast group should no longer be able to
decrypt the multicast flow sent after its departure
(Forward Secrecy).
Similarly, an entity joining a multicast group should not
be able to decrypt the multicast flow sent before it
joined the group (Backward Secrecy).
It is thus mandatory to trigger a TEK renewal process
after each addition or withdrawal of an entity in the
multicast group.
A new traffic encryption key is thus generated and
distributed to all the multicast group members (including the
new member in the case of entity addition, or only the
remaining members in the case of entity withdrawal).
(3) Access control of the group members. This security
service guarantees that admission to the multicast
group is controlled via an ACL (Access Control List),
containing all the entities authorized to join the group.
(4) Source authentication. This security property
ensures that the group members authenticate the
identity of the group source for every received
multicast flow. This service essentially guarantees the
non-repudiation of the source.
(5) Group authentication. This security property
requires the group members to check that the source
of transmitted data belongs to the multicast group.
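The renewal rule in property (2), as an added example that is not part of the original text: a hypothetical key server holds one individual key per member (an assumption, since the text does not say how the new TEK is delivered) and renews the TEK on every join and leave. The HMAC-based seal/unseal pair is a standard-library stand-in for an authenticated cipher.

```python
import hashlib, hmac, secrets

def _sub(key, label):                       # separate keys for encryption and MAC
    return hmac.new(key, label, hashlib.sha256).digest()
def _xor_stream(key, nonce, data):          # HMAC-SHA256 used in counter mode
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                         # wrong key or altered message
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

class GroupController:
    """Hypothetical key server: one individual key per member, one shared TEK."""
    def __init__(self):
        self.member_key = {}                # member -> individual key
        self.tek = secrets.token_bytes(32)
    def _renew_tek(self):                   # new TEK, wrapped once per current member
        self.tek = secrets.token_bytes(32)
        return {m: seal(k, self.tek) for m, k in self.member_key.items()}
    def join(self, member):
        self.member_key[member] = secrets.token_bytes(32)
        return self.member_key[member], self._renew_tek()
    def leave(self, member):
        del self.member_key[member]
        return self._renew_tek()
    def multicast(self, data):
        return seal(self.tek, data)

def demo():
    gc = GroupController()
    alice_key, _ = gc.join("alice")
    before = gc.multicast(b"sent before bob joined")
    bob_key, rekey = gc.join("bob")
    bob_tek = unseal(bob_key, rekey["bob"])
    during = gc.multicast(b"sent while bob is a member")
    rekey = gc.leave("bob")
    alice_tek = unseal(alice_key, rekey["alice"])
    after = gc.multicast(b"sent after bob left")
    return (unseal(bob_tek, before), unseal(bob_tek, during),
            unseal(bob_tek, after), unseal(alice_tek, after))
```

In the tuple returned by demo(), the first element is the backward-secrecy case and the third is the forward-secrecy case: the TEK bob held while a member opens neither flow.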
Security challenges of group
communications within MANETs
The characteristics of ad hoc networks, the security level to
establish and the types of the multicast applications to secure
require several constraints and challenges to be taken into
account:
1-The use of wireless links eases passive attacks (such as network
sniffing) and active attacks (such as message alterations).
2-The lack of a fixed infrastructure is one of the main
characteristics of an ad hoc network. This characteristic
eliminates any possibility of establishing a centralized reference
that is responsible for the management of the different security
services. A centralized security model, such as the one used for
the PKI, is thus hardly applicable within these environments.
3-The size and dynamics of the multicast group can be very high
within ad hoc networks. Indeed, we cannot control the number of
group members or how frequently entities join the group. The
security mechanisms should cope with these parameters and thus be
adapted to the dynamics and scalability of MANETs.
4-The mobility of ad hoc networks should be considered in the
design of secure group communication architectures within these
networks. When a node is moving in the network, it can lose its
connectivity to its group without leaving it. Thus, it should not be
obliged to re-authenticate itself every time it moves away from its
multicast group.
5-A group key management protocol within MANETs should also
consider the security requirements of multicast applications.
According to the application type, different security requirements
may emerge. For example, a free software distribution application
follows the 1 to n multicast model. Transmitted flows are publicly
available, and consequently the authentication of the source is
more important than the confidentiality of the sent data.
Comparison metrics
In order to compare group key management protocols
in ad hoc networks, we define the following
comparison metrics: constraints and pre-requisites of
the protocols, their real applicability, the supported
security services (authentication, confidentiality and
integrity of data, revocation of malicious nodes, etc.),
scalability in terms of computation, storage and
communication overheads, and finally the
vulnerabilities and efficiency against bottlenecks.
Approaches for group key management
1-Centralized approach: Within this approach, group key
management is centralized around a unique entity in the network.
We divide this approach into two families: with and without a key
pre-distribution phase.
Protocols with a pre-distribution phase configure entities by
pre-distributing a set of keys to each node off-line (before the
deployment of the multicast session). These keys allow a node to
decrypt the multicast flow sent by the source or to obtain the
traffic encryption key sent by the source when the key renewal
process is triggered. Key pre-distribution is used within the
GKMPAN [ZHU 04] and CKDS [MOH 04] protocols, because of the lack
of fixed infrastructure within MANETs.
The GKMPAN protocol: GKMPAN [ZHU 04] is based on a phase of
key pre-distribution to all the group members. It also has several key
renewal phases under the responsibility of a key server.
The CKDS protocol: CKDS (Combinatorial Key Distribution Scheme)
[MOH 04] is an application-layer group key management protocol
within MANETs. The key distribution in CKDS is based on the
combinatorial system EBS (Exclusion Basis System) [MOR 03],
associated with the CAN (Content Addressable Network) [RAT 01].
During the key pre-distribution phase, each node in CKDS holds k keys
(known keys) and does not know m keys (unknown keys).
The LKHW protocol: LKHW [PIE 03] is a secure multicast
communication protocol, based on the LKH key distribution protocol
[WON 98] associated with the directed diffusion technique. LKHW is
designed to operate within wireless sensor networks (WSNs).
LKHW actors are the source of the group and the sensors. The sensors
can provide data required by the source, which is responsible for their
collection. Sensors have low physical capacities, in terms of both
communication and computation. The key distribution process is
based on LKH, and the key renewal uses the directed diffusion technique,
optimizing energy consumption. The security services ensured by
LKHW are confidentiality, integrity and data authentication.
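The CKDS pre-distribution phase described above, as an added example rather than code from the CKDS authors: each node receives a distinct k-subset of k+m key identifiers, and a rekey message is wrapped under the keys an evicted node does not hold. That eviction rule is the usual EBS construction and is assumed here, as are the node names and the choice k=3, m=2; the second call shows two evicted nodes that together hold every key.

```python
from itertools import combinations, islice
from math import comb

def ebs_assign(nodes, k, m):
    """Give every node a distinct k-subset of the k+m administrative key ids."""
    if len(nodes) > comb(k + m, k):
        raise ValueError("need C(k+m, k) >= number of nodes")
    subsets = islice(combinations(range(k + m), k), len(nodes))
    return {n: frozenset(s) for n, s in zip(nodes, subsets)}

def rekey_plan(table, k, m, evicted):
    """Wrap the new TEK under every key that no evicted node holds.
    Returns (wrapping key ids, {remaining node: ids it can unwrap with})."""
    compromised = frozenset().union(*(table[n] for n in evicted))
    wrapping = frozenset(range(k + m)) - compromised
    readers = {n: sorted(held & wrapping)
               for n, held in table.items() if n not in evicted}
    return sorted(wrapping), readers

def demo():
    nodes = [f"n{i}" for i in range(10)]       # constructed group, C(5,3) = 10
    table = ebs_assign(nodes, k=3, m=2)
    # Evicting one node: m = 2 wrapped copies, and every other node can open one.
    wrapping, readers = rekey_plan(table, 3, 2, {"n0"})
    single_ok = len(wrapping) == 2 and all(readers.values())
    # Collusion: n0 holds {0,1,2} and n9 holds {2,3,4}, so no key is left
    # to wrap under and one broadcast cannot exclude both.
    wrapping2, readers2 = rekey_plan(table, 3, 2, {"n0", "n9"})
    return single_ok, wrapping, wrapping2, readers2
```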
2-Distributed approach: Group key management within a
distributed approach is under the responsibility of all group
members, which cooperate to share a secret group key. Protocols
belonging to this approach are those defined by Chiang et al. [CHI
03] and DMGSA [KON 06], both presented hereafter.
Chiang et al. propose a distributed group key management protocol
within MANETs [CHI 03], based on the GPS measures (latitude,
longitude and altitude) associated with the GDH (Group Diffie
Hellman) key exchange protocol [ING 82]. At protocol initialization,
each ad hoc node generates its public key. Then, each node
distributes its GPS localization and its public key to all the group
entities.
Thanks to the exchanged information, each group node knows the
topology of the entire network. When a source aims to send
multicast data to all the group members, it builds the minimal
multicast tree, using the Prüfer algorithm [PRU 18]. This algorithm
computes a Prüfer number, suitable to code a multicast tree, based
on the degrees of the group members.
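A Prüfer sequence encoder and decoder, added here as an illustration and not taken from [CHI 03]: nodes are assumed to be labelled 0..n-1, and the decoder rejects malformed sequences since the code arrives from another node. The decoder recovers each node's degree as one plus its number of occurrences in the sequence.

```python
import heapq

def prufer_encode(n, edges):
    """Tree on nodes 0..n-1 (n-1 undirected edges) -> Prüfer sequence, length n-2."""
    if n < 2 or len(edges) != n - 1:
        raise ValueError("a tree on n nodes has exactly n-1 edges")
    adj = {v: set() for v in range(n)}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    leaves = [v for v in adj if len(adj[v]) == 1]
    heapq.heapify(leaves)
    seq = []
    for _ in range(n - 2):
        if not leaves or not adj[leaves[0]]:
            raise ValueError("edges do not form a tree")
        leaf = heapq.heappop(leaves)          # smallest-labelled leaf
        parent = adj[leaf].pop()
        adj[parent].discard(leaf)
        seq.append(parent)
        if len(adj[parent]) == 1:
            heapq.heappush(leaves, parent)
    return seq

def prufer_decode(seq):
    """Prüfer sequence -> edge list; validates labels received from a peer."""
    n = len(seq) + 2
    if any(not isinstance(v, int) or not 0 <= v < n for v in seq):
        raise ValueError("label outside 0..n-1")
    degree = [1] * n                          # degree = 1 + occurrences in seq
    for v in seq:
        degree[v] += 1
    leaves = [v for v in range(n) if degree[v] == 1]
    heapq.heapify(leaves)
    edges = []
    for v in seq:
        leaf = heapq.heappop(leaves)
        edges.append((leaf, v))
        degree[v] -= 1
        if degree[v] == 1:
            heapq.heappush(leaves, v)
    edges.append((heapq.heappop(leaves), heapq.heappop(leaves)))
    return edges

# Constructed 6-node multicast tree: node 3 is a hub, 4 relays to 5.
SAMPLE_TREE = [(0, 3), (1, 3), (2, 3), (3, 4), (4, 5)]
```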
3-Decentralized approach: The decentralized approach divides the
multicast group into sub-groups or clusters. Each cluster is managed
separately by a local controller responsible for the management and the
security of members of its sub-group. Two families of protocols can be
distinguished in this decentralized approach.
The first family of decentralized protocols uses a local traffic encryption
key for each cluster. We call this protocol family local TEK protocols.
Local controllers generate and distribute the local TEKs to their local
members. Upon receiving the multicast flow sent by the source, each local
controller decrypts it with the appropriate key, re-encrypts it with the
local key corresponding to its cluster, and forwards it to its local
members.
The second family of decentralized protocols uses only one traffic
encryption key for all the group members. We call this protocol family
common TEK protocols. The source of the group uses the TEK to encrypt
the multicast flow and the members use it to decrypt the flow. Thus, the
intermediary encryption and decryption operations of the multicast flow
are not required. The principal issues of this family are to send the TEK
securely and without delay to all the group members, and to define the TEK
renewal period for all the group members.