Secured by Fluctuating Topology Using the Fluctuating Topology of MANETs to Secure Key Exchange

Abstract

vanets, iot, and many other acronyms represent exciting new technologies that build upon pervasive computation and communications to achieve their goal. As an underlying communication model, the (mobile) ad hoc network (manet) paradigm is used, which implements a peer-to-peer communication model rather than the more traditional infrastructure model. Of course, privacy, confidentiality, integrity, and security related issues are of utter importance in such contexts as well. In this paper, we wish to present a key exchange technique, which builds upon the inherent characteristic of manets: their fluctuating topology. By splitting key exchange information into multiple parts and spraying them over space or time, the ever-changing topology of the network almost completely removes an active attacker’s success ratio. Algorithms are then simulated, and the results presented and discussed. We further point to future directions and uses for this research.

1. Introduction

Mobile ad hoc networks (manets) are becoming the basic building block in up-and-coming technologies such as vehicular networks (vanets), internet of things (IoT), and many others. What differentiates between these networks and previous, well-studied networks, is their communication model, which is based on a peer-to-peer paradigm, rather than the infrastructured alternative [1]. Manet nodes act as both hosts (receiver and sender) and routers, passing control and data packets throughout the network using any means of communication links available (see [2]). Such capabilities are indispensable in domains where extensive setup is nonexistent or impossible (i.e., disaster zones [3], etc.).

Security of these networks is of utter importance, and depends on context. Closed manets, in which only preauthorized actors can join, are easily protected. Previously distributed keys (out-of-band) can control access to the network, and be used for both integrity and confidentiality [4,5]. Other primitives can be setup to provide anonymity from external eavesdroppers as well. Open manets, however, pose a more difficult problem. Unidentified nodes joining and leaving at will coupled with the peer-to-peer routing paradigm, give an attacker a powerful set of tools for manipulation and tainting of data. It is for this context that we wish to provide confidentiality and integrity.

To accomplish this goal, we must construct a method for in-band key exchange (ke). Probably, the most famous in-band, no trusted-third-party (ttp) key exchange algorithm is the Diffie–Hellman (dh) algorithm [6,7], standardized in [8]. Under dh’s threat model, it is possible to coordinate a symmetric key between two parties with an eavesdropping adversary not being able to deduce that key. It was soon discovered [9], however, that under a more prevalent threat model, where an adversary has the ability to manipulate communication packets, a man-in-the-middle (mitm) attack compromising the confidentiality of future data transmission can be accomplished. Eve can orchestrate two separate exchanges: one between Alice, the sender, and herself, and the other between herself and Bob, the receiver. Thus, all communication from Alice can be decrypted by Eve and re-encrypted for Bob’s use. In this scenario, neither the sender nor the receiver are aware of the mitm, and with the loss of integrity there is a loss of confidentiality as well. Anonymous dh was reduced to providing perfect forward secrecy (pfs—see Section 5.1.3) as a service to other authenticating protocols (i.e., ssl/tls [10], ssh [11], ike [12], and many others).

In this work, we wish to describe spraying Diffie–Hellman (sdh)—a technique for using anonymous dh— yet still provides security primitives. This is accomplished by utilizing the fluctuating topology of manets to combat attackers. Keying material is space sprayed or time sprayed over different, ever-fluctuating in-band paths, causing an active attacker to become passive; albeit, only a probabilistic guarantee is provided, not a provable one. Once keys have been established, spraying is forgone and direct communication commences.

Probabilistic security algorithms, known as Leap of Faith (lof) algorithms, have been identified in [13] and discussed in [14]. Their purpose is not to guarantee security; rather, raise the bar for attackers, minimizing the attack surface to the original exchange. The spraying technique described in this work belongs to this category, and it joins many other protocols functioning within this group (e.g., ssh [11], btns for ipsec [15], opportunistic hip [16,17,18], and others).

The paper is organized as follows. Section 2 sets the stage for the entire paper. It includes the threat model, assumptions made, some definitions, and the simulations set-up that was used at different points throughout the paper. We then proceed, in Section 3, to describe space spraying, the algorithm, and the simulation results. Some claims and proofs on these results are also provided. The same is done in Section 4 for time spraying. A discussion of the results, comparison of the two methods, possible deficiencies, and other practical considerations are given in Section 5. In Section 6, we provide concluding words and future research directions.

Previous Work

Keeping keys secret is the basic requirement for cyrptographic algorithms that wish to secure data transmission. As such, key coordination between communicating parties is the most vulnerable point, regardless if either a symmetric or asymmetric scheme is used. Therefore, secure key coordination is of utter importance in thwarting the many mitm attacks centered around key exposure. Today, key coordination is based on a ttp (e.g., kerberos [19]), on out-of-band coordination techniques (e.g., ssh [20]), on public key infrastructures (pki) [21] (e.g., ssl [22] and tls [10]), or on some combination of the above (e.g., ipsec [23]).

For the manet environment, where self-organization [24] is a basic premise, the network must be operated and managed by the nodes themselves [25]; hence, a static ttp is unsuitable for coordinating and managing keys. Solutions requiring pre-shared certificates, as in [4,26,27], cannot be used.

To provide key exchange, a number of alternative approaches have been introduced in literature. These include extensions of the pki model via distributed certificate authorities (cas) (e.g., shared secret cryptographic schemes [1,28,29,30] (for a survey see [31,32])), trust routing [33,34], and self-organized pkis (e.g., use of side-channel key exchange [24,35,36] and general pairing techniques [37]). As one of the latter group we specifically reference zrtp [38], a solution that provides protection against mitm attacks, confidentiality, and authentication (if the signaling protocol provides end-to-end integrity protection) in-band. It uses a short authentication string (sas), which users read and compare verbally during the first handshake, and ephemeral dh with hash commitment, to allow for future detection of a mitm.

All methods have their advantages and downsides. Shared secrets have an inherent threshold, k, such that if the attacker(s) is able to compromise more than k shares, the system is insecure. There must also be some initial setup by some ttp to empower the first active members of the manet [32]. Self-organized pkis assume that trust is transitive [36]. For the aforementioned zrtp, prior knowledge of the communicating parties voices must be known. The security is built upon the fact that each party recognizes the other side’s voice for verifying their authenticity. This protocol specifically targets voice data, and will not work for other types of data transfers. In addition, as stated in [39] and shown in [40], overcoming authentication and conducting a mitm attack can be accomplished with voices spoofed with a synthesizer.

2. Preliminaries

2.1. Threat Model

The current work places no limitations on the attacker. Eavesdropping, injecting data into the communication stream or stopping the stream itself are feasible. Thus, for every route under her control, she can drop packets (dos) or taint the data to initiate a mitm attack.

We allow attackers to collude, bringing under their joint control multiple routes. For simplicity’s sake, we will refer to all of the colluding parties as one entity.

2.2. Assumptions and Definitions

To allow for communication, the only prior knowledge assumed is the address of both parties. This address can be in any form: ip address, unique imei embedded in the device, or phone number allocated to the smart node. To avoid collisions, we assume that this address is unique and cannot be spoofed. To justify this assumption, we note that spoofing an address only influences some of the routing tables; not all of them. This allows for the correct delivery of packets not traveling through malicious nodes. Last, no trusted third party (ttp) is available for the coordination or authentication of sender and receiver.

Definition 1.

Let $G=\left(V,E\right)$ be a topology graph of amanetat a specific time, where $V=\left\{v_1,v_2,\cdots ,v_n\right\}$ are the hosts in the network, and $E=V\times V$ are the bidirectional communication links between these hosts.

Let $R=\left\{r_1,r_2,\cdots ,r_n\right\}$ be a noncyclic route ($r_i\ne r_j\forall r_i,r_j\in Rand\left(r_i,r_{i+1}\right)\in E$) in G, between the sender ($r_1$) and receiver ($r_n$). Let $\left|R\right|$ denote the length of the path.

Let $\mathbb{R}$ denote the set of all possible such routes, $\left|\mathbb{R}\right|$ the size of $\mathbb{R}$, and $R^c$ the set of chosen routes from $\mathbb{R}$; implying, $R^c\subseteq \mathbb{R}$.

Let $A=\left\{a_1,a_2,\cdots ,a_w\right\}$, such that $A\subseteq \mathbb{R}$ and $\forall a_i\in A$, $\exists a_{i_p}\in a_i$, which is under the attacker’s control. Let $\left|A\right|$ equal the size of A.

In essence, we define that it suffices for one host, $a_{i_p}$, to come under the attacker’s control for the entire route, $a_i$, to be tainted.

Definition 2.

Let $F=\left\{f_1,f_2,\cdots ,f_m\right\}=\mathbb{R}-A$. That is $F\cup A=\mathbb{R}andF\cap A=Ø$, denoting all the paths not under the attacker’s control. Let $\left|F\right|$ be the size of F.

Based on the above definition, we assume that the manet is such that $\left|A\right|<\left|\mathbb{R}\right|⟹\left|F\right|>0$, meaning that at least one route between the sender and receiver is not under the attacker’s control. That the attacker has not taken over the entire network, for which no leap of faith algorithms can succeed.

2.3. Simulation Parameters

Prior to implementing our algorithm on a real-world manet application (e.g., Serval [3]), we ran multiple preliminary simulations to test its feasibility. In this section, we describe our simulation model.

2.3.1. Random Number Generator

All simulations must have the means of generating random data. Of the many algorithms available (e.g., Mersenne Twister [41]), we chose the combined multiple recursive random number generator (cmrg) algorithm [42], an algorithm that passed a wide range of empirical tests of randomness [43] and is the algorithm of choice in many simulation software (e.g., Arena [44,45]). Of course, similar results should be achieved using all good random number generators.

2.3.2. Mobility Model

The mobility of nodes in the real world exhibits vastly varying behaviors. Some walk, others drive. Some move about randomly, others in specific formations or patterns. Each of these have their own characteristics, and must be modelled accordingly (for a survey see [46]). Due to its prevalence (see, e.g., [47,48,49,50]), in this work, all simulations followed a random walk model, which captures the pattern of people in open spaces or recreational parks. We leave other models to future research.

2.3.3. Routing Algorithm

Network simulation requires that one choose the means by which packets are forwarded on the path to the destination. Being the basis behind ospf [51], implementation of the Dijkstra [52] graph theory best route algorithm using standard dynamic programming techniques, allows us to find the optimal (shortest) route. We randomly chose between multiple paths having similar lengths, classifying one as the better of the bunch. All packets were sent through optimal paths when possible.

2.3.4. Attacker Dispersion

Attackers are randomly placed on the graph, allowing for all possible attacker dispersion scenarios. The number of attackers are a function of the size of the population, with a linear increase in the population entailing a similar increase in the number of attackers.

These attackers are assumed colluding. Knowledge gleaned by one attacker (e.g., intercept of a micro-ke message) and/or spoofing requirements are instantly shared with all others through external means.

2.3.5. Simulation Round

Each round was preset with a specific combination of parameters that we are checking for (see Section 3.3 and Section 4.2). Next, we randomly chose some of the nodes in the network to represent colluding attackers; their specific number a function of predetermined parameter. Last, assuming there is a connection between sender and receiver, $\left|\mathbb{R}\right|>0$, we sprayed the k micro-ke messages documenting whether all $\left(R^c\cap F\ne Ø\right)$, none $\left(R^c\cap A\ne Ø\right)$, or some $\left(R^c\cap A\ne Øand{R}^c\cap F\ne Ø\right)$ of the messages were intercepted. Rounds for which $\left|\mathbb{R}\right|=0$, were discarded.

The actual spraying algorithm was done using either random message spraying or even message spraying algorithm (see Section 3.2). Both techniques were executed on the same network graph so we can get comparable results.

2.3.6. Miscellaneous

All parameter combinations were simulated ${10}^5$ times, and repeated 10 times (for a total of ${10}^6$ simulation rounds) per parameter combination; allowing us to estimate the standard deviation. We recorded the number of times, per ${10}^5$, the attackers were able to completely intercept some, all or none of the micro-ke messages. This was done both for random spray and for even spray (see Section 3.2).

3. Space Spraying

The crux of the Rivest and Shamir’s attack [9] on dh, blocks legitimate data coming from Alice and injects false alternate information for Bob. Utilization of the ever-changing network topology inherent to manets, allows us to revert to the original threat model; namely, remove the attackers ability of injecting rough data for Bob. Under this scenario, dh based confidentiality still holds.

To achieve this we notice that Eve cannot know, a priori, all of the paths between sender, Alice, and receiver, Bob; she cannot predict $\mathbb{R}$. By utilizing more than one path for ke, we increase the probability that we chose a path $R_i\in \left(R^c\cap F\right)$, reducing Eve’s capabilities of manipulating the ke. Only if, by chance, $R^c\subseteq A$, will she succeed in intercepting the entire ke, carrying out a full-scale mitm attack.

3.1. Algorithm

3.1.1. KE Sending Protocol

Given a ke message, msg, that must be transferred from Alice to Bob, Alice must execute the following protocol steps.

• Alice appends a cryptographic hash (i.e., MD5 [53], SHA1 [54], SHA3 [55], etc.) to msg, creating msg’=msg+h(msg). The purpose of this hash is for Bob to be able to confirm that he received all parts of msg (see next step) untainted.
• The derived msg’ is then divided into k smaller parts, $ms{g}_1,ms{g}_2,\cdots ,ms{g}_k$, such that
  • each $ms{g}_i$ is composed of all $\left(c·k\right)+i$ bits of msg’, where $0\le c\le ⌊\frac{\left|ms{g}^{\prime }\right|}{k}⌋$; e.g., $ms{g}_3$ is composed of bits $3,\left(k+3\right),\left(2k+3\right),\cdots$
  • when $\frac{\left|ms{g}^{\prime }\right|}{k}-⌊\frac{\left|ms{g}^{\prime }\right|}{k}⌋=r>0$, the remaining r bits not previously allocated are divided such that bit $\left(k·⌊\frac{\left|ms{g}^{\prime }\right|}{k}⌋\right)+m$ is augmented to $ms{g}_m$; of course, $1\le m\le r<k$.
• Each $ms{g}_i$ is to be sent through a different network route, $R_i\in R^c$, starting with Alice’s immediate neighbors, and making its way to Bob in possibly independent paths.

3.1.2. KE Receiving Protocol

In order to reconstruct the message, Bob must:

• receive all k micro-messages ($ms{g}_i$) so that he can recompose $ms{g}^{\prime }$.
• remove and compare the cryptographic hash h(msg) received with one computed locally to check the integrity of the data.

Under these conditions, Eve must intercept all k micro-messages $\left(R^c\subseteq A\right)$ so as to manipulate the key in such a way so a mitm attack can be carried out. Even one micro-message escaping interception, i.e., $R^c\cap F\ne Ø$, will alert Bob of the possibility of the existence of a mitm. Armed with this knowledge, appropriate measures can be taken (e.g., send a reset message, alert the network of the problem, refuse to accept confidential information, or any other similar measures). This is functionally equivalent to Eve’s capabilities being reduced to eavesdropping; tainting the data is not possible.

3.2. Spraying Methodology

The last step of the sending protocol (Section 3.1.1) describes the dispersion of $ms{g}^{\prime }$ through different routes starting from Alice’s adjacent neighbors. This dispersion (or spraying) is dependent upon the choice of routes for each $ms{g}_i$ from among available routes, $\mathbb{R}$. Choosing routes, $R^c\subseteq \mathbb{R}$, can be done by having Alice randomly select some path for each $ms{g}_i$ (“random spray”). As random choice allows for both $ms{g}_i$ and $ms{g}_j$ to be sent through the same $R_h\in R^c$, if follows that $\left|R^c\right|\le k$ even when $k\le \left|\mathbb{R}\right|$. Alternatively, she can evenly spread all micro-messages among available paths, picking as many distinct routes as possible (“even spray”). Hence, if $k\le \left|\mathbb{R}\right|$ then $\left|R^c\right|=k$.

Intuitively, random spray should have a higher secure channel setup success rate. This can be explained by the fact that if there are any insecure routes, $A\ne Ø$, there is a higher chance that they will be included in $R^c$ if one was forced to evenly spread micro-messages [56].

To illustrate the differences between these two schemes, we analyze a topology in which all paths from Alice to Bob are distinct. Such a topology can be defined such that $\forall R_i,R_j\in \mathbb{R}$ only $R_{i_1}=R_{j_1}$ and $R_{i_{\left|R_i\right|}}=R_{j_{\left|R_j\right|}}$. For all other hosts on each of the paths, $R_{i_d}\ne R_{j_s}$, where $2\le d<\left|R_i\right|$ and $2\le s<\left|R_j\right|$.

The probability that the communication will not be compromised (whether a secure channel is actually setup or an attack attempt is detected and thwarted) for random spray is given by

$$P=1-{\left(\frac{\left|A\right|}{\left|\mathbb{R}\right|}\right)}^k$$

(1)

This is based on the probability that at least one $ms{g}_i$ will get through some $f_j\in F$ to alert Bob as to the existence of mitm $\left(R^c\cap F\ne Ø\right)$.

For even spray, under the same topology scenario, the probability for noncompromise is

$$P=1-\left\{\begin{array}{cc}0\hfill & k>\left|A\right|\hfill \\ \frac{\left({\displaystyle \genfrac{}{}{0pt}{}{\left|A\right|}{k}}\right)\left({\displaystyle \genfrac{}{}{0pt}{}{\left|F\right|}{0}}\right)}{\left({\displaystyle \genfrac{}{}{0pt}{}{\left|\mathbb{R}\right|}{k}}\right)}\hfill & k\le \left|A\right|\hfill \end{array}\right.$$

(2)

As an example, we fix the parameters such that $k=4$ ($ms{g}^{\prime }$ is divided into four micro-messages), $\left|\mathbb{R}\right|=6$ (Alice has six paths to choose from), of which $\left|A\right|=2$ and $\left|F\right|=4$. If we assume random spread, there is a

$${\left(\frac{4}{6}\right)}^4=\frac{256}{1296}=19.75\%$$

(3)

chance of all micro-messages escaping capture, so that $R^c\cap A=Ø$, and (based on Equation (1)) 98.77% for any positive result $\left(R^c\cap F\ne Ø\right)$.

For the same parameter values with even spread, the chances that $R^c\cap A=Ø$ drops to

$$\frac{\left(\genfrac{}{}{0pt}{}{2}{0}\right)\left(\genfrac{}{}{0pt}{}{4}{4}\right)}{\left(\genfrac{}{}{0pt}{}{6}{4}\right)}=\frac{1\ast 1}{15}=6.67\%$$

(4)

Full compromise, requiring Eve to capture all micro-ke messages, cannot be achieved with even spread (i.e., $P_{noncompromise}=1$, based on Equation (2)) for the given scenario. Random spread, however, would allow for a

$${\left(\frac{2}{6}\right)}^4=\frac{16}{1296}=1.23\%$$

(5)

chance of being compromised.

The converse case, in which for the same six path options $\left|A\right|=4$ and $\left|F\right|=2$, would produce opposite results. There is a ${\left(\frac{4}{6}\right)}^4=19.75\%$ probability of being fully compromised with random spread, with a detection probability of $79\%$. This, compared to a probability of

$$\frac{\left(\genfrac{}{}{0pt}{}{4}{4}\right)\left(\genfrac{}{}{0pt}{}{2}{0}\right)}{\left(\genfrac{}{}{0pt}{}{6}{4}\right)}=\frac{1\ast 1}{15}=6.67\%$$

(6)

for fully compromising the communication, and a high probability of

$$\frac{\left(\genfrac{}{}{0pt}{}{4}{3}\right)\left(\genfrac{}{}{0pt}{}{2}{1}\right)}{\left(\genfrac{}{}{0pt}{}{6}{4}\right)}+\frac{\left(\genfrac{}{}{0pt}{}{4}{2}\right)\left(\genfrac{}{}{0pt}{}{2}{2}\right)}{\left(\genfrac{}{}{0pt}{}{6}{4}\right)}=\frac{4\ast 2}{15}+\frac{6\ast 1}{15}=\frac{14}{15}=93.33\%$$

(7)

detection of attack for even spread. Without random spread, however, success is impossible (i.e., $P_{noncompromise}=0$). Therefore, although random spread increases the possibility of being attacked, it leaves the possibility of success open (≈1.23%).

Of course, manets are self-evolving, and have ever-changing topologies. Paths are anything but distinct. They are bound to cross, join, or split anywhere between Alice and Bob. The only real choice Alice can make, however, is which path the micro-ke message will begin on. Therefore, we must turn to simulation in order to deduce the effectiveness of the spraying techniques.

3.3. Simulation Results

As alluded to in Section 2.3, we used 640 different value combinations to test the proposed methodology. These included the following,

• population size varied between 100 and 900 nodes in increments of 100;
• percent of colluding attackers, taking the values of 1%, 2%, 3%, 4%, and 5%;
• number of micro-ke messages, k; instantiated to either 2, 3, 4, or 5; and
• the allowable communication distance fluctuated from $\frac{3}{10}$ of the network physical size to $\frac{6}{10}$ of that value.

The simulation outcomes were consistent with the hypothesis put forth by [57]; mainly, results that require all k micro-ke’s to behave similarly, whether negative (i.e., complete intercept ($R^c\subseteq A$)) or positive (i.e., full success ($R^c\subseteq F$)) increase with random spray and decrease with even spray. This was true for all combinations tested. The converse case, in which we see better results with random spray when compared to even spray, was true for the intermediate situation where $0<\left|R^c\cap A\right|<k$ (i.e., some, but not all, of the k micro-ke messages were intercepted). These results were accompanied with relatively low standard deviation values, which lends credibility to these conclusion.

Allowing for only population size to fluctuate, we observed that, although complete mitm ($R^c\subseteq A$) decreases for both random and even spray (“randomBad” and “evenBad” in Figure 1, respectively), they seem to asymptotically level off at an equivalent value, the value of which is a function of the other parameters. That is, that the advantage of random spray decreases or is entirely lost as the population size increases (see first claim in Section 3.4).

We observed that for any given set of fixed parameters with only the percentage of attacker fluctuating, the probability that $R^c\subseteq A$ increases for both random and even spray, with random spray generating a marginally worse result. For the few instances where even spray appeared worse (higher on the graph), the results are close enough (well within one standard deviation) such that they can easily be attributed to simulation randomness. Some examples can be seen in Figure 2.

It does appear, however, that with higher attacker ratios the benefit of even spray increases. We propose that this is because, by evenly spreading the micro-ke message on multiple paths, the probability that $R^c\cap F\ne Ø$ increases. Albeit, with the direct cost of inducing a Denial-of-Service (dos) attack. The probability that $R^c\cap A=Ø$ also decreases, implying at least some micro-ke parts will be captured preventing a complete ke. This can be seen in Figure 3, with “EvenDetect” and “RandomDetect” shown for even spread and random spread, respectively.

Increasing the number of micro-ke messages, with all other parameters remaining fixed, has a drastically positive effect on attack prevention (i.e., attacks decrease). The difference between random and even spread is barely distinguishable (with random spread performing slightly better), well within one standard deviation, which can be attributed to randomness. Examples are shown in Figure 4.

One cannot discern any major distinction between even and random spread (something outside one standard deviation) when fixing all parameters and allowing only the density of the population to fluctuate (a sample of results can be seen Figure 5). There is, however, a noticeable decrease in the possibility of attack that comes with an increase in density, but that also levels off at some point.

3.4. Insights

The main factor causing random and even spray to differ is the ratio of micro-ke messages to available paths between Alice and Bob, $\frac{k}{\left|R\right|}$. Therefore, a change in network population size or network density (as a function of network physical area) would have a directly influence on the efficiency of the spraying methodologies.

This is easily explained by noticing that with an increase in network population or density, assuming random positioning, the expected number of neighbors each node has will increase as well. As a direct consequence, the probability that random spray would assign more than one micro-ke piece to any specific neighbor will decrease. As this happens, we would expect that random spray would start mimicking even spray with an ever increasing probability. With similar initial neighbor assignments for the micro-ke messages, similar final results are to be expected.

Claim 1.

The distinction between the two spraying methods would disappear with an increase in node population size.

Proof. 

Let n be the number of nodes that are within range of the initial source. Let k be defined as the number of micro-ke message parts the original message will be broken up to.

Assume that $n\ge k$. Then, the number of equally likely ways of randomly assigning the k micro-ke messages to the available n nodes (random spray) is $n^k$.

The number of ways that the k message parts can be spread over the available n nodes, without any two or more parts being assigned to any one node (even spray), is the number of permutation of n objects taken k at a time:

$$P_{n,k}=\frac{n!}{(n-k)!}$$

(8)

Then, the probability of a random spray producing an even spray, $r\Rightarrow s$, is given by

$$P\left(r\Rightarrow s\right)=\frac{P_{n,k}}{n^k}=\frac{\frac{n!}{(n-k)!}}{n^k}$$

(9)

Equation (9) is known in the classical probability literature as the Birthday Problem [58].

For a fixed k, let us examine this probability as n gets larger.

Using Stirling’s Formula [58], we calculate that our probability is approximately

$$P\left(r\Rightarrow s\right)\approx \frac{\frac{\sqrt{2\pi n}{\left(\frac{n}{e}\right)}^n}{\sqrt{2\pi (n-k)}{\left(\frac{n-k}{e}\right)}^{n-k}}}{n^k}$$

(10)

manipulating Equation (10), we get

$$\begin{array}{ccc}\hfill P\left(r\Rightarrow s\right)& \approx & \sqrt{\frac{n}{n-k}}{\left(\frac{1}{e}\right)}^k\frac{n^{n-k}}{{\left(n-k\right)}^{n-k}}\hfill \\ & =& e^{-k}{\left(\frac{n}{n-k}\right)}^{n-k+0.5}\hfill \end{array}$$

which is clearly an increasing function in n for a given fixed k.

Continuing, we get

$$\begin{array}{c}\hfill \begin{array}{ccc}P\left(r\Rightarrow s\right)& \approx & e^{-k}{\left(\frac{1}{1-\frac{k}{n}}\right)}^n{\left(\frac{n}{n-k}\right)}^{-k+0.5}\hfill \\ & =& e^{-k}{\left(1-\frac{k}{n}\right)}^{-n}{\left(\frac{n}{n-k}\right)}^{-k+0.5}\hfill \end{array}\end{array}$$

(11)

Taking limits of Equation (11), we get

$$\begin{array}{c}\hfill \begin{array}{c}\hfill \underset{n\to \infty }{lim}P\left(r\Rightarrow s\right)\\ \hfill =& e^{-k}\underset{n\to \infty }{lim}{\left(1-\frac{k}{n}\right)}^{-n}\underset{n\to \infty }{lim}{\left(\frac{n}{n-k}\right)}^{-k+0.5}\hfill \\ \hfill =& e^{-k}{e}^{k}1=1\hfill \end{array}\end{array}$$

(12)

Thus as n gets larger, we would expect the results for both random and even spray to asymptotically approach each other. □

Claim 2.

A decrease in the network area with the associated increase in node density would cause both spraying methods to behave similarly.

Proof. 

An increase in network density would give the sender more direct neighbors to choose from. Using the same analysis of previous claim, random spray should start mimicking even spray, eradicating any discernible difference between them. □

These results are clearly observed in the simulation results of Figure 1 and Figure 5 for first and second claims, respectively.

4. Time Spraying

As an alternative to spraying micro-ke messages over the network (space spraying of Section 3), it is possible to spread them over time. By refraining from transmitting $ms{g}_{i+1}$ immediately after $ms{g}_i$, we reach the same result of having the network evolve enough so that attackers are circumvented by the new routes created. To carry out a complete mitm, for each $f_m\in F$ chosen for $ms{g}_i$, $f_m$ must be an element of A at the time $ms{g}_i$ was sent. This greatly increases the difficulty for an attacker to succeed.

4.1. Algorithm

4.1.1. KE Sending Protocol

The sending protocol is similar to what is described in Section 3.1.1 for space spraying, with the third step replaced by the following step.

• Each $ms{g}_i$ is to be sent though a random optimal path starting with time t, and with a delay of $\Delta$ between them. Thus, $ms{g}_1$ is sent at time t, $ms{g}_2$ is sent at time $t+\Delta$; in general, $ms{g}_i$ is sent at time $t+(i-1)\Delta$. For more information regarding $\Delta$, see Section 4.2.

4.1.2. KE Receiving Protocol

The receiving is similar to what was described for space spraying in Section 3.1.2.

As in space spraying, Eve must intercept all k micro-messages ($ms{g}_i$) so as to change the data. Bob will be alerted to the possible mitm if even one micro-message escapes interception, if $F\cap R^c\ne Ø$; this is functionally equivalent to Eve’s capabilities being reduced to eavesdropping, losing the ability of tainting the data.

4.2. Simulation Results

To simulate time spraying the following parameters were passed to NS3 [59], a well-known network simulation tool:

• population size varied from 250 to 500 in increments of 50;
• colluding attacker were set at either 3%, 4%, or 5% of population size;
• number of micro-ke messages, k; $ms{g}^{\prime }$ was split into 3, 4, or 5 parts;
• the time between micro-ke messages, $\Delta$, was fixed at 4 s; and
• the transmission strength of nodes was set to the default provided by NS3.

As seen in Figure 6, the density of the nodes has direct positive influence on the success off an attacker. Regardless of whether we used three micro-messages (Figure 6a), four micro-messages (Figure 6b), or five micro-messages (Figure 6c), and whether their were 3%, 4%, or 5% attackers, the overall trend was similar. Albeit, the overall results of the four and five micro-messages are an order of magnitude better than three micro-messages.

To investigate the cause of the huge jump between three and four micro-messages, we decreased the number of messages ($k=2$) and increased $\Delta$ (to 20 s). In Figure 7, one can clearly see that the success mitm rate has decreased to the same order of magnitude as for the four and five micro-messages of Figure 6.

This leads us to the conclusion that it is not the number of micro-messages that has the major positive effect on time spraying success. Rather, it is the amount of time allowed to lapse between each of the micro-ke messages that has the required effect.

This result can be attributed to the rate of topology change before a contaminated optimal path becomes obsolete. At the walking speed of 1–2 m/s, it takes time for the topology to change, and exploiting that time frame is required. For other, faster-changing networks (e.g., vanets), the $\Delta$ value will be much smaller.

5. Discussion

5.1. Benefits of Spraying

Spraying ke remedies some of the deficiencies in related manet algorithms. This includes required prior knowledge, user intervention, and the lack of forward security.

5.1.1. Prior Knowledge

A key issue when selecting a protocol for a specific architecture is the prior knowledge each communicating party is required to have. On the one extreme, pre-shared key (psk) protocols, e.g., [60], or pre-sharing of certificates, e.g., [4,5], require that the keying material be correlated by-hand out-of-band. This scheme is perfectly suitable for vpns where parties meet and setup a network. The same is true for trust pkis (or pairing techniques, in general), unless trust is allowed to be transitive. When parties have never previously met, as in our model, (e.g., A tells B about C), one cannot count on B and C having pre-shared keying material for communication exchange; therefore, this scheme is excluded.

The same is true for zrtp. Using sas for authentication requires that both parties recognize each other prior to session setup. Therefore, a referral system is precluded. This, besides the voice spoofing techniques stated in [39] and shown in [40], overcomes authentication.

sdh can utilize the fluctuation in the network topology to detect, with high probability, the existence of a mitm attack; terminating the connection if needed. This, without prior cooperation between communicating parties.

5.1.2. User Intervention

Requiring a user to actively participate in the security of a protocol or application, is widely accepted as a problem. For most humans, usability is of uttermost importance, and trusting them with a product’s security merely means that they are less likely to do so.

In zrtp, for example, for every new conversation the voices of both parties must be recognized (via the sas mechanism) for the shared secret to be generated and authenticated. Device pairing techniques require a manual, conscious operation, with many people naturally inclined not do so. On the contrary, sooner or later it gets viewed as a burden, and done away with. This, obviously, totally voids the ability of these protocols to detect mitm.

For spraying, user intervention is not required. The protocol detects mitm automatically, inducing preventive actions as seen fit. Override, of course, is also viable if the user so deems, but this is external to the protocol and can be acceptable in certain situations.

5.1.3. Forward Secrecy

Session keys, and by extension the data they protect, can remain confidential even in the event that long-term keying material is compromised. This is known as perfect forward secrecy (pfs) [26], and is exhibited (and normally implemented) by ephemeral dh. The independent generation of the symmetric, unique, one-time key during the handshake by each of the parties, allows them to refrain from transmitting it over the communication medium. Therefore, each session must be cracked separately, and compromising one session does not influence the others. Under these definitions, sdh adheres to pfs, as it reduces to the ephemeral dh algorithm.

5.2. Cost and Shortcomings of SDH

5.2.1. Overhead

All features, be it security, authenticity, reliability, etc., regardless of effectiveness, come at some cost. sdh is no different, and comes with two cost factors: size of handshake data and length of paths taken.

As $msg$ is divided into multiple packets, the optimum packet size is not used. As the same amount of payload is sent, the overhead increases in a linear fashion as a direct function of k.

For example, suppose we had an overhead of

$$\rho =\frac{headers}{data+headers}$$

(13)

then, by splitting $msg$ into k micro-messages, we get an increase by a factor of k

$${\rho }^{\prime }=\frac{k\ast headers}{data+k\ast headers}$$

(14)

as the overall data sent is constant, but each $ms{g}_i$ has its own header.

The difference between Equations (14) and (13), ${\rho }^{\prime }-\rho$, is the direct additional overhead incurred, but there are indirect costs as well. As multiple paths are used for each $ms{g}_i$, only one would actually take the known optimal path between communicating parties. All others are forced into possibly suboptimal paths, adding to the total work incurred by the protocol. Of course, there is a direct correlation between the level of security achieved and the overhead incurred. Choosing a large k for dividing $msg$, allows for increasing $\left|R^c\right|$. We leave exact calculations for the optimal k as a function of $\left|R\right|$ to future research.

5.2.2. Bottlenecks

Vulnerable convergence points around the communicating parties is the basic premise behind sdh; hence, the spraying embedded in the algorithm. It is perfectly reasonable, however, that topological bottlenecks exist, creating additional venerability points on the transmission path. The convergence of all paths to a single link or node, creates a convenient location for the attacker to compromise the network. As a simple such scenario, imagine x inter-city connection points, through which all traffic must pass when traversing from one city to the next. These x points constitute a vulnerability, regardless of the multiple paths sdh started with.

In [61,62], a linear algorithm is proposed to discover bottlenecks in an olsr [63]-based manet. This is quite useful, but must be further extended for other routing protocols as well.

5.2.3. Single Side Mitigation

sdh exhibits an interesting phenomenon: single side mitigation. Spraying is done on the sender’s side, without any further control over which paths any $ms{g}_i$ will take once sent. As all $ms{g}_i$’s are targeting the same destination, it is quite possible that paths will converge long before it is reached. This lends to the observation that although an attacker close to the sender is neutralized, an attacker near the receiver, however, will still have the ability intercept communications with much less effort. Thus, it would seem that the algorithm’s security properties are influenced by Eve’s position.

This, however, might not be a major problem. As all ke algorithms (including dh) require the receiver to respond with some unforeseen data, the receiver simply needs to employ the same spraying technique on its side to neutralize potential local attackers. Now, for an attack to succeed, we must have colluding attackers strategically placed near two moving targets; a feat difficult to execute “on the fly”.

We leave the investigation of this phenomena (“single side mitigation”) to future research.

5.2.4. Availability

The benefit achieved by sdh negatively effects dos. With even one micro-ke message captured, a handshake re-start is required. As previously stated (Section 3.3), even spray is more prone to this problem than random spray. Therefore, it is a conscious decision that an implementer (or user) will need to make; whether availability or confidentiality and integrity is of higher importance.

In addition, having multiple micro-messages sent for each handshake packet on unreliable links, increases the probability that some will naturally get dropped or lost. This further reduces the availability of the system. We believe, however, that as sdh is only executed during the handshake process, which is almost instantaneous (with all other transmissions being routed normally); this deficiency should not greatly impact availability. We leave the exact drop rates for future experimentation.

5.2.5. Other Shortcomings

As sdh is a LoF algorithm, it cannot guarantee authentication; rather, it hardens the existing infrastructure, complicating an attacker’s task. This implies that one is not guaranteed as to the identity of this communication partner. We assumed that by fixing network addresses, we can circumvent network routing attacks. With routing information prevalent and constantly updated by all, this assumption is mostly true. The probability of being able to taint everyone’s information, all of the time, is small. Theoretically speaking, however, if an attacker were able to do that, the sdh does not provide authenticity. This, however, is the basic premise of all LoF algorithms, and is not a deficiency of sdh specifically. To achieve authentication of parties as well, we must incorporate mechanisms that will operate above the actual connection. We leave that to further research.

5.3. Comparison of Space vs. Time

Both space and time spraying generally possess the same positive characteristics; namely, there in no need for prior knowledge, user intervention is not required, the property of pfs, and they can be used for all types of data communications. Similarly, they suffer from similar shortcomings, including overhead costs, the lack of authentication, and prone to dos attacks. Space or time spraying do, however, differ on two points: bottlenecks and user patience.

5.3.1. Bottlenecks

Space spraying, as mentioned in ([64], §4.2), is weakened when a bottleneck exists in the network topology. Since these bottle necks require all traffic between parties to pass through these nodes, an attacker can compromise the connection. Although time spraying suffers from the same weakness, it imposes another requirement on an attacker attempting to situate herself as a bottleneck. She must retain this vulnerable position over time. Being a bottle neck for some of the ke-micro messages does not constitute a vulnerability. As ke-micro messages disperse over time, retaining hold of the bottle neck for some of the handshake further reduces attack likelihood. Of course, it is possible that the attacker can retain hold of the vulnerable node over time (e.g., were only x-intercity connection points exist), but it is still an improvement over space spraying, which is vulnerable to temporary bottlenecks as well.

5.3.2. User Patience

Users are quite impatient. They expect a response time of less than two seconds (61%) and are willing to tolerate a response time of four seconds (49%) [65]. Thus, waiting 20 s for a connection, although marginally acceptable today might be unacceptable in the future. Although users are willing to wait when they perceive that an operation should take time, connection times are not within this scope. Users have accustomed to almost instant connections and might not be willing to forgo this privilege.

For manets base on people’s movements, we do not see manet topology fluctuation rate increase in the future. Therefore, time spraying contains an inherent flaw that might inhibit its acceptance in the long run; it requires time. There are futuristic manets, however, that might contain the property of quick topology change (e.g., vehicular ad hoc networks, also known as vanets). For those networks time spraying might be viable.

5.4. Practical Considerations

There are numerous practical considerations that have to be taken into account before our proposal can be fully implemented. For one, sdh is not a communication protocol, but rather a security add-on. Therefore, the specific details of a pre-existing protocol’s handshake must be hammered out. Some already have dh exchange embedded within, making our technique just a communication tweak. Others, might need an additional, transparent layer beneath, or prior to, the handshake, to use sdh. Still, others might want to add sdh to the actual handshake, so as to take advantage of the technique suggested.

Another practical issue is with the movement of the network nodes within a given time frame. For the purpose of the simulations, it was assumed—at least for space spraying—that the delivery of the micro-KE is instant; i.e., the topology does not fluctuate during this time frame. This, of course, might not be the case. A link might disappear during the spray, causing some micro-KE message to get lost. To alleviate this problem, either timers or some other backup mechanism (e.g., secret sharing techniques [1,29]) must be introduced into the system. These types of problems are out of the scope of this paper, and are left to future research.

6. Conclusions and Future Research

In this paper, we presented a technique for hardening an anonymous leap of faith ke handshake. This is accomplished by either spraying keying material over network space or over time, allowing for an automated multipath transfer as a consequence of network topology fluctuation. The resulting effect is in “raising the bar” for attackers before they can orchestrate a full mitm attack.

The novelty of the work can be summarized as accomplishing ke in line, without prior knowledge or some external trusted third party (ttp, ca or otherwise). It allows the manet to be open to all and self-configuring, as expected. This is in stark contrast to other previous solutions in which at least one of these conditions is not met.

As pointed to in the paper, cost estimation, single side mitigation, and routing guarantees require more work. Also, incorporation of these techniques into running scenarios for extraction of real-time data would be beneficial. These issues coupled with the implementation with specific protocols is left for future research.

Last, we note that the results shown might be a function of the mobility model used (see Section 2.3.2), with other models possibly achieving different results. We specifically note vanets in which the average speed does not match that of walking people, allowing for a smaller $\Delta$ (see Section 4.2). We leave investigation of these topics to future research as well.