As previously seen, using message signatures effectively protects the network against identity spoofing attacks, as long as the signature mechanism is not broken. Nodes rely on signatures to identify the real sender of a message, and, under the assumption that all nodes are well-behaved, signed topology information is assumed to be correct. The scenario is hence an ad hoc network with a deployed, working PKI and message signature mechanism.
We now suppose that an attacker has been able to gain full control – physically, or in any other way – over a trusted node, and has thereby gained a privileged position inside the network. The control messages the attacker sends will be accepted as valid by all other nodes because they are correctly signed, even if their content is wrong. The term compromised node designates such a trusted node that has been taken over by the attacker.
We extend the definition of compromised node to a node which may not be under the control of the attacker, but whose private key has been disclosed to the attacker. In some way or other, the attacker has managed to capture the node’s private key, stealing the node’s identity, and can send messages signed on behalf of that node.
In this scenario, a trusted node is no longer necessarily trustworthy, because it could send wrong control messages to maliciously perturb the network topology. The question is: “How can we be sure that the information from a node X is correct?” There is no such thing as an “evil bit” [11] that would allow us to distinguish good information from bad.
We can nonetheless increase the odds of distinguishing good nodes from bad ones by adding redundant information in messages, so that the detection of wrong messages is easier. This prevention mechanism aims to prevent nodes from being compromised at the outset. We propose a solution based on multiple signatures (ADVSIG) in Chapter 9, and a solution based on geographical information of nodes (SIGLOC) in Chapter 10.
We recall that the model used is an ad hoc network where each node uses public key cryptography to authenticate messages and to preserve their integrity, hence the following solutions presume the use of asymmetric cryptographic schemes. On the other hand, when a shared secret key is used, it is much more difficult to take countermeasures, because the compromised node can masquerade as any other node in the network.
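The following added example (not code from the original text) contrasts the two trust models described above: under a shared key a compromised node B can authenticate a message as node A, while under per-node keys B cannot, yet B's correctly signed false topology claim is still accepted. Lamport one-time signatures are used only as a standard-library stand-in for the asymmetric scheme; the node names and message layout are assumptions.

```python
import hashlib, hmac, secrets

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def _bits(msg: bytes) -> list:
    d = int.from_bytes(_h(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

# Lamport one-time signatures: a stdlib-only stand-in (assumption) for the
# per-node asymmetric scheme. Each key pair must sign one message only.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    # Length check first: all() over an empty signature would return True.
    return len(sig) == 256 and all(
        hmac.compare_digest(_h(s), pk[i][b])
        for i, (b, s) in enumerate(zip(_bits(msg), sig)))

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def run_scenario() -> dict:
    # Constructed control messages; names and field layout are hypothetical.
    spoofed = b"orig=A;neighbors=X"           # compromised B poses as A
    false_claim = b"orig=B;neighbors=A,C,D"   # B lies about its own links

    # Shared-key network: B holds the same key as every other node.
    k = secrets.token_bytes(32)
    tag_from_b = mac(k, spoofed)
    shared_spoof = hmac.compare_digest(tag_from_b, mac(k, spoofed))

    # PKI network: receivers hold pk_a and B's two certified one-time keys.
    _, pk_a = keygen()
    sk_b1, _ = keygen()
    sk_b2, pk_b2 = keygen()
    pki_spoof = verify(pk_a, spoofed, sign(sk_b1, spoofed))
    pki_false = verify(pk_b2, false_claim, sign(sk_b2, false_claim))
    return {"shared_key_spoof_accepted": shared_spoof,
            "pki_spoof_accepted": pki_spoof,
            "pki_false_claim_accepted": pki_false}

if __name__ == "__main__":
    print(run_scenario())
```

The third result is the reason signatures alone do not answer the question about node X: verification establishes who signed the message, not whether the signed topology is true.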
A detection mechanism that can be used in parallel with a cryptographic scheme, but does not require it, is the behavior audit of nodes, to identify misbehaviors. Nodes are monitored to check that they follow the protocol correctly; the duty of monitoring is often distributed among all the nodes. Once a misbehaving node has been detected, the other nodes (the legitimate ones) should take corrective action to prevent the misbehaving node from participating any further in the network. Behavior monitoring is discussed in Chapter 11, as well as our proposed solution for OLSR which uses broadcast of accusation messages.
Table 8.1 summarizes these different security architectures, and shows which attacks are addressed by each specific solution.