A Key Exchange Approach for Proficient and Secure Routing in Mobile Adhoc Networks

Abstract
Mobile ad hoc networks (MANETs) are collections of wireless mobile devices with restricted broadcast range and resources. Communication is achieved by relaying data along appropriate routes that are dynamically discovered and maintained through collaboration between the nodes. Discovery of such routes is a major task, from both the efficiency and the security point of view. This paper presents proficient and secure routing based on asymmetric authentication using a key exchange approach (KEA). The proposed mechanism ensures secure routing and quality of service in MANETs and minimizes the network overhead. The KEA mechanism can be effectively used to develop a new routing protocol for mobile ad hoc networks that provides maximum security against all kinds of attacks. In this paper, KEA is compared with other secure routing protocols such as EAACK, AODV and Ariadne to evaluate its efficiency in ad hoc networks. The empirical results show an increase of 20% in packet delivery ratio and a reduction of 10% in routing overhead.


Introduction
The exponential growth in the development and acceptance of mobile communications in recent years is especially observed in the fields of wireless local area networks, mobile systems and ubiquitous computing. This growth is mainly due to the mobility offered to users, providing access to information anywhere, user friendliness and easy deployment [7]. Furthermore, the scalability and flexibility of mobile communications increase users' productivity and efficiency. Dynamic ad hoc networks are formed by a set of mobile terminals placed in a close location that communicate with each other, sharing resources, services or computing time during a limited period of time and in a limited space, following human interaction patterns [2][3][4].
Dynamic ad hoc networks require well-defined, efficient and user-friendly security mechanisms. Tasks to be performed include user identification, authorization, address assignment, name service, operation and safety. Generally, wireless networks with infrastructure use Certificate Authority (CA) servers to manage node authentication and trust [5][9][11][19]. Although these systems have been used in wireless ad hoc and sensor networks [13], they are not practical because the CA node has to be online (or is an external node) all the time. Moreover, the CA node must have higher computing capacity.
Security should be based on the required confidentiality, node cooperation, anonymity and privacy. Exchanging photos between friends requires less security than exchanging confidential documents between enterprise managers. Moreover, not all nodes may be able to execute routing and/or security protocols. Energy constraints, node variability, error rate and bandwidth limitations mandate the design and use of adaptive routing and security mechanisms for any type of device and scenario [6].
Dynamic networks with flexible memberships, group signatures and distributed signatures are difficult to manage [15]. To achieve reliable communication and node authorization in mobile ad hoc networks, a key exchange approach (KEA) for node authorization and user authentication is needed. We propose a proficient and secure routing approach based on key exchange.
The rest of the paper is organized as follows: Section 2 presents related work on dynamic networks and the most well-known security mechanisms that can be applied to them. The proposed secure key exchange approach is described in Section 3. Section 4 presents the experimental evaluation and performance analysis of our proposal. Finally, Section 5 presents the conclusion and future work.

Related Works
The related literature shows several security methods such as pre-distribution key algorithms [15], symmetric and asymmetric algorithms, intermediate node-based methods [8], and hybrid methods [14]. But these methods are not enough for dynamic networks because they need an initial configuration (i.e., network configuration) or external authorities (for example, central certification authorities).
In [20], Latvakoski et al. explain a communication architecture concept for dynamic systems, integrating application-level dynamic group communication, and ad hoc networking together. A set of methods to enable plug and play, addressing and mobility, peer to peer connectivity and the use of services are also provided.
Liu et al. [18] show how networked nodes can autonomously support and cooperate with each other in a peer-to-peer (P2P) manner to quickly discover and self-configure any services available in the disaster area, and deliver a real-time capability by self-organizing into dynamic groups that provide higher flexibility and adaptability for disaster monitoring and relief.
TWOACK, proposed by K. Liu et al. [16], is one of the most important approaches for intrusion detection in MANETs. TWOACK detects misbehaving links by acknowledging every data packet transmitted over every three consecutive nodes along the path from the source to the destination. Upon receipt of a packet, each node along the route is required to send back an acknowledgment packet to the node that is two hops away from it down the route. TWOACK is required to work on routing protocols such as Dynamic Source Routing (DSR).
Feeney et al. [21] presented Spontnet, a prototype implementation of a simple ad hoc network configuration utility based on the main ideas of dynamic networks. Spontnet allows users (using face-to-face authentication and a short-range link with easily identifiable endpoints) to distribute a group session key without previous shared context and to establish a shared namespace. Two applications, a simple web server and a shared whiteboard, are provided as examples of collaborative applications. They use the IPSec protocol (used for Virtual Private Networks), applied over the Internet. Spontnet therefore uses both wired and wireless links and the corresponding protocols.
Ariadne [17] is an on-demand routing algorithm based on the Dynamic Source Routing (DSR) protocol [2]. There are several variants of Ariadne, depending on which mode of authentication is used to protect route requests: one uses digital signatures, one TESLA [22], and one uses MACs. The MAC version has an optimized variant that uses iterated MAC computations instead of several independent MACs. In addition to being more efficient, the iterated MAC version has superior security characteristics compared to the non-optimized version.
Elhadi M. S. et al. [1] proposed EAACK (Enhanced Adaptive Acknowledgment), an intrusion-detection system for MANETs. The work mainly targets the packet-dropping attack, which has always been a major threat to security in MANETs. It attempts to prevent attackers from initiating forged acknowledgment attacks by incorporating digital signatures.
This paper presents a security protocol for routing purposes based on key exchange, as discussed in Section 3. It presents three stages for secure routing: key acquisition, neighbor discovery and secure key-exchange routing for wireless ad hoc protocols.

Key Exchange Approach
In an ad hoc routing protocol, nodes exchange information with their neighbourhood and construct a virtual network for routing data packets to their desired destinations. Such information can easily be targeted by a malicious adversary who intentionally wants to disrupt the functionality of the network. Attackers generally inject erroneous routing information from outside, replay previous routing messages, or modify valid routing information and eventually bring the network down. Internal attacks can also cause severe damage, as the compromised nodes no longer honour their initial commitments. Such nodes can send erroneous information to modify the local view of the network. It is usually very difficult to identify an internal attacker, since it already holds credentials that everybody trusts.
Our proposal targets both external and internal attacks, which can exist in the network due to malicious nodes. It identifies these attacks based on three security mechanisms: Certificate Acquisition, Secure Route Discovery and Secure Data Routing. It uses a Certificate Authority (CA) certificate to identify internal attackers and uses both symmetric and asymmetric cryptography to secure against external attackers. To prevent routing information from being forged or tampered with, we use the CA certificate to encrypt the messages.

Key Acquisition
Establishing a security association between the mobile nodes is the most difficult part of an ad hoc network. The difficulty is due to the nature of mobile ad hoc networks, where no predefined security architecture can be assumed. Security association and key distribution have not been addressed well in most previous secure routing protocols. One simple solution, described in [12], assumes the existence of a security association between source and destination nodes. A group key exchange based on a strong shared key is described in [14], but this approach requires a static group of nodes, whereas in a dynamic network nodes join and leave very frequently and the group key must be updated for all the nodes in the process.
References [23][24] describe another security association process among the nodes which uses asymmetric cryptography, where any node in the network can issue a certificate for a new node. This is a strong approach in the sense that it has no single point of failure in the network. However, it is still vulnerable to attack, since authenticating a new node and issuing it a certificate is risky if malicious nodes are already present in the network.
In the KEA protocol, to have an initial security association among the nodes, we also distribute certificates. These certificates are obtained from a trusted certificate authority (CA) and have to be loaded into each node prior to joining the network. This is an offline process in which each node provides its identity to the CA to obtain its certificate. In this approach, any node that illegally tries to present an invalid certificate can be identified and isolated easily.
The certificate issued by the CA for a node N consists of the CA public key CA_pub_key, the node address N_add, the node public key N_pub_key and the node private key N_pvt_key. The certificate is represented as:
We assume that all the valid nodes in the network obtain this certificate before joining the network. This process of acquiring a certificate provides basic identification for the node and protects the network from internal malicious nodes.

Secure Routing Process
Neighbor Discovery: The proposed KEA approach performs neighbor discovery by broadcasting a "Hello" message within a restricted communication range. This mechanism reduces the power consumption required for long-distance broadcasting. The source node receives replies only from nodes that are one hop away. In exchange for the "Hello" message it receives that node's public key and a message signature used to authenticate the node. The entire process is described in Algorithm 1.

Algorithm 1: Secure Neighbor Node Identification Mechanism
Node V starts the neighbor discovery process by calling NeighborNodes(V)

Method 1: NeighborNodes(V)
  Assignment: Msg = "Hello"
  V broadcasts Msg in the network periodically to discover the secure neighbor nodes.
  // min_node is the minimum number of neighbor nodes to be discovered
This process is performed by each node periodically to update its route and node key tables. It also removes any node whose timestamp (Ts) value is above the permitted time limit.
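The certificate and signature check that Algorithm 1 relies on, as an added example that is not the paper's own code: a CA issues each node an offline certificate binding its address to its public key (Section 3.1), and a receiving node records a "Hello" sender in its Nodes_key table only if that certificate verifies under the trusted CA key and the "Hello" signature verifies under the certified node key, so a self-issued certificate or a copied certificate without the matching private key is rejected. Ed25519 stands in for the signature scheme the paper leaves unspecified; the type and function names, the address|key encoding and the map-based table are assumptions, and the timestamp pruning step is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Cert is the offline-issued credential of Section 3.1: CA public key, node address
// and node public key, bound by the CA's signature CASig. Field names are assumptions.
type Cert struct {
	CAPub, NodePub ed25519.PublicKey
	Addr           string
	CASig          []byte
}

// Hello is the neighbor-discovery message: certificate plus a signature over "Hello".
type Hello struct{ Cert Cert; Sig []byte }

// certBody is what the CA signs; the "|" separator is a constructed choice.
func certBody(addr string, pub ed25519.PublicKey) []byte { return append([]byte(addr+"|"), pub...) }

// NewKeys generates an Ed25519 keypair, used here for both the CA and the nodes.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// IssueCert is the offline step: a node presents its identity and the CA signs it.
// The node's private key (N_pvt_key) stays on the node and is never transmitted.
func IssueCert(caPriv ed25519.PrivateKey, addr string, pub ed25519.PublicKey) Cert {
	return Cert{CAPub: caPriv.Public().(ed25519.PublicKey), Addr: addr, NodePub: pub,
		CASig: ed25519.Sign(caPriv, certBody(addr, pub))}
}

// MakeHello signs the "Hello" broadcast with the node's own private key.
func MakeHello(c Cert, nodePriv ed25519.PrivateKey) Hello {
	return Hello{Cert: c, Sig: ed25519.Sign(nodePriv, []byte("Hello"))}
}

// Accept records the sender in the Nodes_key table (address -> certified key) only if
// its certificate verifies under the trusted CA key and its Hello signature under that key.
func Accept(table map[string]ed25519.PublicKey, trustedCA ed25519.PublicKey, h Hello) bool {
	c := h.Cert
	if !ed25519.Verify(trustedCA, certBody(c.Addr, c.NodePub), c.CASig) ||
		!ed25519.Verify(c.NodePub, []byte("Hello"), h.Sig) {
		return false
	}
	table[c.Addr] = c.NodePub
	return true
}
```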
Secure Route Discovery: KEA is capable of determining a secure route by verifying the message signature received from each node during neighbor discovery. The mechanism for secure node identification (authenticity) and for secure route discovery is described in Algorithm 2.

Algorithm 2: Secure Route Discovery Mechanism
Using the method NeighborNodes(V), each node maintains a set of nodes and their public keys in its Route_Nodes and Nodes_key tables. To initiate a secure route, source node S calls the method Init_RouteRequest(S)

Method 1: Init_RouteRequest(Node S)
  Assignment: Msg = "RREQ"
  S reads all the nodes from its Route_Node table
On receiving the route reply from the destination, the source node caches the path in its Route_Table for data routing.
On successful completion of secure route discovery, the source node sends data packets on the optimal route stored in the routing table, selected by hop count.
Generally, the AODV [10] protocol maintains only one route from source to destination. In our scheme we maintain the same, as multi-route discovery incurs more overhead for storing additional route information.

Simulation Methodologies
To better investigate the performance of KEA under different types of attacks, we propose two case settings to simulate different types of misbehavior or attack.
• Case 1: In this case we simulated a basic packet dropping attack, where malicious nodes simply drop all the packets they receive. The objective of this case is to test the performance of the protocol against the existing secure protocols.
• Case 2: This case is designed to test protocol performance against false misbehavior reports, where malicious nodes always drop the packets they have received and send back a false misbehavior report whenever possible.

Simulation Setup
Experimental simulation is performed using the Glomosim simulator [x] to evaluate the performance of the KEA approach. It provides a scalable, parameter-driven environment for wireless protocol simulation. We compare the performance of KEA with AODV [10], Ariadne [17] and EAACK (DSA) [1]. To perform the simulation we used the default wireless settings of Glomosim with the setup parameters listed in Table 1. For each case, we ran each network scenario two times and calculated the average performance. To measure and compare the performance of our proposed approach, we adopt the following two performance metrics.
A. Packet Delivery Ratio: The packet delivery ratio (PDR) is the total number of data packets received divided by the total number of data packets sent by the source node.
B. Routing Overhead: Routing overhead is calculated from the total number of control packets originated and forwarded by the protocol during the entire communication process, such as RREQ, RREP, RERR and ACK.

Performance Evaluation
To provide a comparative performance analysis and better insight into our simulation results, detailed simulation data are presented for Case 1 and Case 2 in Table 2.
In Case 1 the malicious nodes drop all the packets that pass through them, whereas in Case 2 we set all malicious nodes to send a false misbehavior report to the source node whenever possible. Figures 2 and 3 show the packet delivery ratio comparison for Case 1 and Case 2 for KEA and the other approaches; Figures 4 and 5 show the routing overhead comparison for the same cases. In both cases KEA shows the highest PDR and AODV the lowest. KEA shows an improvement of 20% in PDR in Case 1 and 18% in Case 2 in comparison to EAACK. The improvement is due to the Secure Neighbor Node Identification Mechanism, which gives KEA a secure route over which a high number of packets is delivered. In the routing overhead comparison, EAACK shows the lowest and AODV the highest overhead as the number of malicious nodes increases. KEA shows 10% higher overhead than EAACK, as it broadcasts a "Hello" message during the initial route discovery process to find authenticated nodes.

Conclusion
Packet-dropping attacks have always been a major threat to security in MANETs. Because of the overhead caused by implementing security in ad hoc networks, security and QoS must be considered together. We proposed a new Key Exchange Approach (KEA) for a proficient and secure routing protocol for mobile ad hoc networks. KEA authenticates the routing messages using digital signatures based on asymmetric cryptography and is capable of determining a secure route. The security of the route is established through a message signature received during neighbor node discovery. The mechanism for secure node identification and secure route discovery improves the PDR during communication. The empirical results show a 20% higher PDR with a tolerable 10% increase in routing overhead. In future work we will optimize our approach to further reduce routing overhead.