Bundle Security Protocol Specification…

Security Challenges in Opportunistic Network
Preetam Mukherjee
Centre for Distributed Computing
Jadavpur University
Prof. Chandan Mazumdar
Dept. of Computer Science & Engineering
Jadavpur University
• In regular cases connected networks are used
• But in some cases, networks are connected only by opportunistic
contacts of different network nodes
• These type of networks are called opportunistically connected
networks or opportunistic networks viz.
– Inter-planetary network,
– disaster area network,
– military networks at war time etc.
• Delay and Disruption Tolerant Network (alias DTN) routing schemes
are used to route messages in these networks.
sparse, move quickly,
have different power
saving schemes
intermittent, high
packet drops and
unpredictable delay
• DTN routing scheme overcomes the problems by using
– persistent storage
– opportunistic use of mobility.
• Store-carry-forward approach take messages to their destination.
• Message switching is used instead of packet switching
• Persistent Storage is used instead of transient one
• In Epidemic Routing Protocol messages will spread like an epidemic
of some disease through the network
• Probabilistic routing protocol is given on the basis that real users
are not likely to move around randomly but move in a predictable
fashion based on repeating behavioral patterns
– such that if a node has visited a location several times before, it
is likely that it will visit the location again.
• In Spray and Wait Routing Protocol at first certain copies of the
message are spread in the spray phase and after that if the
destination is not found then all the nodes getting the message go
for direct transmission
• Store-carry-and-forward routing uses two different schemes
– first scheme - only one message is forwarded
– alternate scheme - when messages are forwarded, they are
Efficient Routing Protocol
• Specifically, an efficient routing protocol in this context
– Perform significantly fewer transmissions than epidemic and
other flooding based routing schemes, under all conditions.
– Generate low contention, especially under high traffic loads.
– Achieve a delivery delay that is better than existing single and
multi-copy schemes, and close to the optimal.
– Be highly scalable, that is, maintain the above performance
behavior despite changes in network size or node density.
– Be simple and require as little knowledge about the network as
possible, in order to facilitate implementation.
Threat to DTN
• Use of open networks to transmit data
All the messages are going to intermediate nodes which can be
malicious or Selfish nodes.
– Malicious nodes
have the objective to attack the proper network operations
without considering their own gains.
– Selfish Nodes
can be characterized by the intention of maximizing their own
gains or collective gains with collusive nodes from the network
community while minimizing their contributions to it.
Threat from Malicious nodes
• Messages (or Bundles) Modification: In DTNs, bundles may traverse
over underlying heterogeneous networks. Modification of messages
(or bundles) in transit for malicious purposes is a big security threat.
• Unauthorized Access: Due to the resource-scarcity characteristics of
DTNs, unauthorized access and use of DTN resources can be a
serious concern.
– For example, if an unauthorized application were able to control
some DTN infrastructure (e.g. by attacking a routing control
protocol), the resource consumption could be catastrophic for
the networks.
Threat from Malicious nodes…
• Bundle Injection Threat: Attackers can try to inject fake bundles to
consume precious DTN resources. Further, DTN nodes can
unwittingly be used to assist or amplify resource consumption
– A malicious or defective node can inject spurious packets into
the network.
– Applications can send messages at a rate that they are not
allowed by their policy.
– A malicious or defective node can generate additional
management messages for each bundle sent.
Threat from Malicious nodes…
• General Networking Threats
– DTN conforms an overlay network. Because of that, it needs to
cope with traditional networking attacks which can be passive
(eavesdropping, traffic analysis) or active (traffic modification,
– DTN applications could make use of the security mechanisms
provided by the lower networking layers.
DTN Security Requirements
• Authentication
– In DTNs, it is essential for every intermediate DTN node to have
the capability to verify
• that the data was really sent by an authorized node
• the data was sent at a legitimate rate
• asking for the class of service for which they are granted.
– Such an authentication requirement depends on different
security design goals and can be provided either on
• a hop-by-hop
• end-to-end basis
DTN Security Requirements…
• Confidentiality
– Confidentiality requirement is to ensure that sensitive
information is not revealed to unauthorized third parties during
the bundle propagation process over DTN links.
– objective can be achieved using the end-to-end encryption
• Integrity
– Integrity requirement should ensure that the transmitted
messages can not be altered during the propagation process.
– Lack of integrity protection could result in many attacks
including message modification, falsification, or replay attacks
DTN Security Requirements…
• Privacy/Anonymity
– The network should not reveal the location of the user, nor the
party with which she communicates.
DTN Security Characteristics
Lack of End-to-end Connectivity
• Lack of end-to-end connectivity not only brings challenge to routing
but also makes the existing security solutions unsuitable
• For example, end-to-end confidentiality using traditional encryption
mechanisms requires the multiple-round key agreement between
the sender and the receiver in advance.
– However, in DTNs, such key agreement may not be feasible
since there may be no network connectivity at the time of
sending message
– There-fore, one way, non-interactive key distribution is more
suitable in DTNs.
• The same is true for authentication.
Lack of End-to-end Connectivity…
• Lack of end-to-end connectivity is also a challenge to public key
certificate revocation.
– In a traditional Public Key Infrastructure (PKI), the most
commonly adopted certificate revocation scheme is through
Certificate Revocation List (CRL), which is a list of revoked
certificates stored in central repositories prepared by the
Certificate Authorities (CAs).
– However, in DTNs, the nodes may suffer from delayed or
frequent loss of connectivity to CRL servers.
– Therefore, distributed CRL distribution or periodical public key
updating is preferred in DTNs
• Due to high mobility, each network link becomes available only for a
short period of time.
• When a message is large, it may not be possible to send the entire
message at once.
• One possible solution - to split the message into smaller pieces and
let each become its own bundle, or “fragment bundle”, and send
some pieces of a large message through the current link and rest of
the message through another link later to make the best use of
limited resources.
• Due to fragmentation, traditional authentication scheme, e.g., the
sender generates the signature over an entire message, may not
work well
– since the intermediate receiver cannot authenticate any of the
received fragments if it has not yet received the entire message.
• To address this problem, one approach called “toilet paper” was
– make each fragment self-authenticating by attaching a signature
to the end of each fragment separately.
• serious performance issue
– signatures are typically large
– the intermediate nodes have to spend more computational
efforts on verifying a growing number of signatures and take
precious bandwidth.
• Another major concern
• DTN nodes receive, check and forward a large number of bundles in
a limited time
– bandwidth restriction and computational consumption are
critical issues
• Security operations such as authentication are regarded as a
necessity to protect precious DTN resources from unauthorized
access and use
• Security mechanisms will themselves inevitably introduce extra
computation and transmission overheads.
• The resource consumption to support security can introduce denial
of service (DoS) opportunities for attackers
Bundle Accumulation
• Due to store-carry-and-forward propagation feature, the bundles
may be accumulated at some intermediate nodes
• The accumulation of bundles is equivalent to the accumulation of
computational, storage and transmission costs
– For example, an intermediate bundle forwarder may
contemporarily receive, store and authenticate multiple bundles
from different senders before these bundles are forwarded to
the next hop
– Authentication operation normally involves computationally
expensive operations such as signature verification, the
accumulated authentication related security operations may
introduce large computational overhead
• which makes the conventional security solutions unsuitable
for DTNs
Solution to Security Challenges
Bundle Security Protocol Specification
• The Delay Tolerant Networking Research Group (DTNRG) has
proposed an Internet draft on bundle security protocol specification
to provide
– data authentication,
– data integrity and
– data confidentiality
services for bundles conveyed in DTNs.
• The specification describes three IPsec style security blocks or
headers that can be added to bundles to provide different security
Bundle Security Protocol Specification…
• Security blocks
The “Bundle Security Protocol Specification” defines three types of
security blocks that may be included in a bundle
– the Bundle Authentication block(BAB)
– the Payload Integrity block (PIB)
– The Payload Confidentiality block (PCB)
Bundle Security Protocol Specification…
• Each security block contains the security-source (which is one that
applies the cryptographic operation, protecting the bundle) and the
security-destination information and a ciphersuite.
– The ciphersuite defines the algorithms that should be used to
process the received security headers.
– The security-sender and the ciphersuite information together
determine the keys that should be used
– Different combinations of three security blocks can be used
Bundle Authentication block(BAB)
• BAB assure the authenticity and integrity of the bundle along a single hop
from forwarder to intermediate receiver
• BAB is computed at every sending bundle agent and checked at every
receiving bundle agent on every hop along the way from the source to the
Hop by Hop Authentication of Bundle Authentication Block
Bundle Authentication block(BAB)…
• BAB can be a message authentication code (MAC) computed with
either digital signature scheme (e.g. RSA signature) or symmetric
key based hash function.
• If the received hash does not match the hash calculated at the
receiver, the bundle is discarded
Bundle Authentication block(BAB)…
• Currently bundle security specification defines only one mandatory
ciphersuite for BAB
– based on shared secrets using long-term pre-shared-symmetric
keys for the BAB-HMAC ciphersuite
Payload Integrity Block (PIB)
• The PIB is used to assure the authenticity and integrity of the bundle from
the PIB security-source, which creates the PIB, to the PIB securitydestination, which verifies the PIB authenticator.
• PIB has two operational modes - end-to-end mode and hop-by-hop mode
Two Operation Mode (Hop-by-Hop/End-to-End) for Bundle Integrity Block
Payload Integrity Block (PIB)…
• BAB protects a bundle on a “hop-by-hop” basis but PIB protects on
a (sort of) “end-to-end” basis, whenever both are present the BAB
must form the “outer” layer of protection
– BAB always be calculated and added to the bundle after the PIB
has been calculated and added to the bundle
• In additional to “end-to-end” mode, PIB can also provide “hop-byhop” security in case that the ciphersuite allows (e.g. using the
digital signatures to provide message authentication).
• The MAC can be verified by any node between the PIB securitysource and the PIB security-destination that has access to the
cryptographic keys and revocation status information
• Currently, there is only a mandatory ciphersuite for PIB defined in
the latest bundle security specification, which is based on digital
signatures using RSA with SHA256
Payload Confidentiality Block (PCB)
• The PCB indicates that some parts of the bundle have been encrypted at
the PCB security-source in order to protect the bundle content while in
transit to the PCB security-destination.
• PCB normally provide confidentiality on an end-to-end basis.
Bundle Confidentiality Block
Payload Confidentiality Block (PCB)…
• The only mandatory ciphersuite for PCB defined in bundle security
specification is using RSA for key transport and AES for bulk
Use of Policy Based Routing
• All DTN nodes should provide atleast very rudimentary support for
policy-based routing
• simple DTN nodes
– the policy could be just to forward all received bundles
• computationally more powerful nodes
– perform more complicated policy decisions based on the
current resource consumption state of the network
• Policy can be applied for
– the authentication of the bundle
– the time-to-live information attached to the bundle
– the route the bundle has travelled so far etc.
Use of Policy Based Routing…
• A security architecture is needed in which security services can be
provided both on hop-by-hop and end-to-end basis, and
additionally between two intermediary nodes in the middle of a
• For example
– A gateway of a sensor network could function as a securitysender by encrypting the bundles sent by the computationally
less powerful sensor nodes to Internet residing recipients
– An Internet connected DTN node could function as a securitydestination and authenticate all received bundles using its
ability to fetch public keys and check certificate revocation lists
from the Internet before forwarding the bundles to the real
recipient which might not have Internet connectivity
Solution of Fragmentation
Authentication issue
• Partridge presents a few solution proposals for fragment
authentication problem
• Cumulative authentication - Each fragment fi is authenticated by
calculating a hash over all the previous fragments including the
current fragment f1 . . . fi
– The amount of work required from the receiver is less than in
toilet paper approach, since only one signature per set of
received fragments has to be verified
– does not reduce computational work of sender or the amount
of traffic
– assumption: fragments are received in order which might not be
the case always
Solution of Fragmentation Authentication issue…
• The second proposal by Partridge is to authenticate fragments using
function definitions.
• This approach finds a suitable iv for an authentication function A so
that for each fragment f1. . . fn the output value of the
authentication function calculated over the iv and the fragment fi is
that fragment’s sequence number i:
A(iv, f1) = 1, A(iv, f2) = 2, . . . , A(iv, fn) =n
• If it is possible to find an authentication function which has a small
representation and a small iv, then it will become more efficient to
sign the representation of the function and iv and send them
instead of sending separate signed hashes for each fragment.
• If the iv is large and thus using this function is not more efficient
than the toilet paper approach.
Identity-Based Cryptography
• Identity-based cryptography (IBC) is a relatively new cryptographic
method that enables message encryption and signature verification
using the public identifier, such as email address, of the target as a
• Eliminating the need for public-key certificates and their
management makes IBC much more appealing for securing DTNs,
where the need to transmit and check certificates has been
identified as a significant limitation.
Threat from Selfish Nodes
• “Each individual node is ready to forward packets for others”
This hypothesis, however, might be easily violated in the presence
of selfish nodes or even malicious ones, which may choose to save
their precious wireless resources by refusing to serve as bundle
• challenging for researchers in applications of DTNs such as
– vehicular DTNs and
– social networks,
which are decentralized and distributed over a multitude of devices
that are controlled and operated by individuals.
Solution to Selfishness
• This selfishness issue can be limited by adopting an incentive
scheme for forwarding of others messages.
• Incentive schemes, fall into two categories:
– reputation-based scheme
– credit-based scheme
• Reputation-based schemes rely on individual nodes to monitor
neighboring nodes’ traffic and keep track of each others’ reputation
so that uncooperative nodes are eventually detected and excluded
from the networks
• Credit-based schemes introduce some form of virtual currency to
regulate the packet-forwarding relationships among different nodes
Problems with utilizing established
schemes for the case of DTN
• The previously reported incentive schemes, which were proposed
for conventional mobile ad hoc networks, may not be suitable for
• for the following two reasons
– Firstly, a common assumption that a full end-to-end path
between source and destination can be determined before data
forwarding occurs.
– Secondly, the schemes are designed mainly for single copy
forwarding. However, multi-copy forwarding or even flooding is
often adopted to enhance the reliability of DTN communication
Problems with utilizing established
schemes for the case of DTN…
• Reputation-based schemes which are working for other kind of
network can not work for the case of DTN,
– challenge of monitoring the message forwarding, during the
store-carry-and-forward process
– challenge to efficiently and effectively propagate the reputation
• Existing credit-based incentive schemes use two different ways to
realize such kind of credits:
– game theory based schemes
– security protocol based schemes.
– But most of these schemes always assume that an end-to-end
path exists and is determined before the data forwarding
End Note
• Providing security for opportunistic routing is really a challenging
• Most of the existing security mechanisms used for different other
types of networks are not suitable for the case DTN due to its
unusual characteristics
• There is a scope for doing plenty of work in this issue especially in
the customization of existing security mechanisms for DTN

similar documents