An overlay approach to data security in ad-hoc networks☆
Introduction
A common characteristic of mobile ad-hoc networks and application-layer overlay networks is that they do not make a distinction between end systems and relay systems (routers), that is, end systems relay traffic for which they are neither the sender nor the receiver. In addition, both types of networks must be able to cope with frequent changes of the network topology and of the set of nodes attached to the network. These similarities have stimulated interest in transferring solutions developed for one type of network to the other. Notably, several recent studies applied application-layer overlay protocol solutions in a mobile ad-hoc context to run ad-hoc routing protocols at the application layer [10], [19] or to realize a multicast service in an ad-hoc network [4], [8], [9], [22].
An advantage of building ad-hoc networks at the application layer is that they are easy to deploy, since there is no need for protocol compatibility at the OS or hardware level. Further, application-layer solutions make it easy to add or customize network services, such as multicast, streaming, or security. The main drawbacks of ad-hoc routing at the application layer are the additional communication and computing overhead and a reduced ability to interact with lower layers of the protocol stack.
This paper presents and evaluates an application-layer overlay solution that addresses data security requirements of applications on backward secrecy (a newly joined member cannot access data transmitted before the member joined) and forward secrecy (a departing member cannot access data that is transmitted after the member left). We present a key management and encryption method, called neighborhood key method, where each node shares a secret key only with its neighbors in the overlay network. The neighborhood key method avoids network wide re-keying operations, without requiring that payload data be re-encrypted at each hop.
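As an added illustration (not code from the paper), the following stdlib-only Python sketch shows how a neighborhood-key scheme can avoid re-encrypting the payload at each hop: the source encrypts the payload once under a per-message key, and only that small key is unwrapped and re-wrapped hop by hop under each forwarding node's neighborhood key, so a join or departure triggers re-keying in one neighborhood only. The message-key/neighborhood-key split, the HMAC-based cipher standing in for AES, and the names Node, seal and unseal are assumptions made for this illustration, not the paper's own construction.

```python
import os, hmac, hashlib

# Stdlib stand-in for AES: HMAC-SHA256 keystream in counter mode plus a truncated HMAC tag.
def _stream(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(12)
    ct = _stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("wrong neighborhood key or tampered data")
    return _stream(key, nonce, ct)

class Node:  # holds its own neighborhood key and the keys of its current overlay neighbors
    def __init__(self, name):
        self.name, self.nkey, self.neighbor_keys = name, os.urandom(32), {}
    def rekey(self, neighbors):  # fresh key, handed only to the current neighbor set (local op)
        self.nkey = os.urandom(32)
        for n in neighbors:
            n.neighbor_keys[self.name] = self.nkey
    def send(self, payload):  # payload encrypted once under a per-message key chosen by the source
        mkey = os.urandom(32)
        return {"hop": self.name, "payload": seal(mkey, payload), "wrapped": seal(self.nkey, mkey)}
    def forward(self, msg):  # re-wrap only the message key; the payload ciphertext is untouched
        mkey = unseal(self.neighbor_keys[msg["hop"]], msg["wrapped"])
        return {"hop": self.name, "payload": msg["payload"], "wrapped": seal(self.nkey, mkey)}
    def receive(self, msg):
        return unseal(unseal(self.neighbor_keys[msg["hop"]], msg["wrapped"]), msg["payload"])

def _blocked(fn):  # True if the operation fails authentication (holder has a stale/unknown key)
    try: fn(); return False
    except ValueError: return True

def demo():
    a, b, c = Node("A"), Node("B"), Node("C")            # constructed overlay path A - B - C
    a.rekey([b]); b.rekey([a, c]); c.rekey([b])
    m_ab = a.send(b"hello"); m_bc = b.forward(m_ab); m_cx = c.forward(m_bc)
    delivered = c.receive(m_bc)
    d = Node("D"); c.rekey([b, d])                       # D joins next to C: only C re-keys
    a.rekey([c]); c.rekey([a, d])                        # B departs, A attaches to C: A and C re-key
    m_new = a.send(b"after B left")
    return {"delivered": delivered, "payload_unchanged": m_ab["payload"] == m_bc["payload"],
            "late_joiner_blocked": _blocked(lambda: d.receive(m_cx)),      # backward secrecy
            "departed_node_blocked": _blocked(lambda: b.forward(m_new))}   # forward secrecy
```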
The paper presents an overlay routing protocol for ad-hoc networks that organizes nodes in a spanning tree topology and evaluates its performance with the proposed security scheme. Since mobile nodes exchange data only with neighbors in the spanning tree, and since the neighborhood key method only requires security associations between neighbors in the overlay topology (here: the spanning tree), a node can securely exchange data with all other nodes while maintaining security associations only with its upstream and downstream neighbors in the spanning tree.
This paper is the first study that presents systematic empirical measurement data showing the performance of application-layer ad-hoc networking, with and without security, on commercially available portable wireless devices (PDAs). The remainder of the paper is structured as follows: In Section 2 we discuss an overlay software system that is the basis for the protocol implementation presented in this paper. In Section 3 we present the neighborhood key method. In Section 4 we present a tree-based ad-hoc routing protocol. In Section 5 we present experiments with mobile nodes that measure the performance of the routing protocol from Section 4 combined with the security mechanisms of Section 3. We provide brief conclusions in Section 6.
Section snippets
Overlay performance in ad-hoc networks
In this section we present an empirical evaluation of the delay and throughput performance of overlay networks in a static ad-hoc network of handheld wireless devices without security mechanisms. All routing and security protocols presented in this paper are realized in an open source software system for application-layer overlay networks called HyperCast [1]. We provide a brief description of the HyperCast software architecture. Then we present the results of measurement experiments that give
Neighborhood key method
This section presents a key management and encryption scheme, called the neighborhood key method, that ensures integrity and confidentiality of application data in overlay networks. Even though our evaluation will focus on ad-hoc networks, the method can be applied to overlays connected to a network infrastructure. We note that the solutions presented in this section are orthogonal to the problem of secure routing, which seeks protection against attacks on the routing protocol [11], [13]. The
A spanning tree protocol for ad-hoc networks
So far we have considered a static ad-hoc network environment. In this section, we describe a protocol that can establish and maintain an overlay network in an environment with mobile nodes. We consider a protocol that maintains a spanning tree topology, and refer to the protocol as Spanning Tree Protocol or SPT protocol. The protocol assumes that the substrate network supports a broadcast operation for sending protocol messages. The target environment for the SPT protocol is a mobile ad-hoc
SPT protocol with data security
In this section we put together all protocols presented in this paper to evaluate how the neighborhood key method performs in an ad-hoc network with mobile nodes that self-organize using the SPT protocol. The experiments are outdoor measurements with PDAs as shown in Fig. 5. The setup of the PDAs is shown in Fig. 16. Six PDAs (A, B, C, D, E, F) are placed in a line with a distance of approximately 90 ft between them. In addition, a person holding a PDA (labeled as M) walks parallel to the fixed
Conclusions
We presented overlay network protocols for ad-hoc networks that ensure forward and backward secrecy for application data. All routing and security functions were realized and evaluated in an operational application-layer overlay network system. Measurement experiments with PDAs shed light on the throughput and delay performance achievable with state-of-the-art handheld wireless devices. While throughput and delay performance of currently available PDAs limit their applicability to low-bandwidth
Acknowledgement
The authors acknowledge the contributions of Josh Zaritsky to an initial version of the neighborhood key method.
References (27)
- et al., Secure routing in wireless sensor networks: attacks and countermeasures, Ad Hoc Networks (Elsevier), 2003.
- HyperCast website, 2005....
- The spanning tree protocol, Design Documents, 2005. Available from:...
- D. Aguayo, J. Bicket, S. Biswas, G. Judd, R. Morris, Link-level measurements from an 802.11b mesh network, in:...
- et al., Effective location-guided overlay multicast in mobile ad hoc networks, Group communications in ad hoc networks, International Journal of Wireless and Mobile Computing, 2005.
- et al., Implementation experience with MANET routing protocols, ACM SIGCOMM Computer Communications Review, 2002.
- D.S.J. De Couto, D. Aguayo, J. Bicket, R. Morris, A high-throughput path metric for multi-hop wireless routing, in:...
- R. Draves, J. Padhye, B. Zill, Comparison of routing metrics for static multi-hop wireless networks, in: Proceedings of...
- M. Ge, S.V. Krishnamurthy, M. Faloutsos, Overlay multicasting for ad hoc networks, in: Proceedings of Third...
- C. Gui, P. Mohapatra, Efficient overlay multicast for mobile ad hoc networks, in: Proceedings of IEEE Wireless...
- A survey of secure wireless ad hoc routing, IEEE Security and Privacy.
Jörg Liebeherr received the Ph.D. degree in Computer Science from the Georgia Institute of Technology in 1991. After a Postdoc at the University of California, Berkeley, he joined the Department of Computer Science at the University of Virginia in 1992. From 1997 to 1998 he was an Associate Professor in the Department of Electrical Engineering at Polytechnic University. Since Fall 2005, he is with the Department of Electrical and Computer Engineering of the University of Toronto as the Nortel Chair of Network Architecture and Services. He has served on editorial boards and program committees of several journals and conferences in computer networking. He was elected Member-at-Large of the IEEE Communications Society Board of Governors from 2003 to 2005, and chair of the IEEE Communications Society Technical Committee on Computer Communications from 2004 to 2005.
Guangyu Dong received the B.S. degree from University of Science and Technology, Hefei, China and the M.E. degree in computer science from the Chinese Academy of Sciences, Beijing. From 2003 to 2005, he was with the Department of Computer Science at the University of Virginia, and conducted research on peer-to-peer and overlay networks. He received an MCS degree from the University of Virginia in 2005. He is currently with Microsoft Corporation.
☆ The research in this report was done while the authors were with the University of Virginia. The research is supported in part by the National Science Foundation under grant ANI-0085955.