JOURNAL OF NETWORKS, VOL. 1, NO. 1, MAY 2006 47

Authenticated AODV Routing Protocol Using One-Time Signature and Transitive Signature Schemes

Shidi Xu
University of Wollongong, Wollongong, Australia
Email: sdx86@uow.edu.au

Yi Mu and Willy Susilo
University of Wollongong, Wollongong, Australia
Email: { ymu, wsusilo }@uow.edu.au

Abstract

Mobile ad hoc network (MANET) has been generally regarded as an ideal network model for group communications because of its specialty of instant establishment. However, the security of MANET is still a challenging issue. Although there are some existing security schemes such as the ARAN (Authenticated Routing for Ad hoc Networks) protocol, which makes use of cryptographic certificates to provide end-to-end authentication during routing phases, the overhead of security computation is still a serious hurdle for real application. In this paper, we propose a comparatively efficient scheme to perform the ARAN protocol, based on AODV, by using one-time signature in place of conventional signature, aiming at achieving the same level of security but improved efficiency. We also provide two approaches to handle the authentication of gratuitous route reply using delegation token and transitive signature schemes.

Index Terms: MANET, Routing, AODV, Digital Signature, One-time signature, Transitive signature.

I. INTRODUCTION

The Mobile Ad hoc Networks (MANET) are a specific type of network. Just as the name implies, a MANET is formed by mobile nodes, such as laptops and PDAs. The construction of the networks is generally impromptu; therefore, networks can be formed whenever required and the topology changes from time to time. Ideally, any node that satisfies the general entering conditions will be accepted as a legitimate member of the network. These properties make MANET very suitable for group communications, in which a number of people get together, forming a network to share documents and exchange conversations. On the other hand, the wide-open environment makes this network super vulnerable to inside and outside attacks [1].
Especially in the case of routing [2], because of the absence of central control, it is extremely difficult to prevent nodes from behaving improperly. Although there exist a large number of MANET routing protocols [3,4,5,8,11], most of them were designed without any security considerations (generally it is assumed that all nodes are friendly). Besides, the resource constraints (both computation and bandwidth) of MANET put up great difficulties over the deployment of security.

Two widely known reactive routing protocols are AODV (Ad hoc On-Demand Distance Vector Routing) [8] and DSR (Dynamic Source Routing) [5], which are both very efficient but are subject to a variety of attacks. To reinforce the security of routing, ARAN [11] makes use of cryptographic techniques to offer security in an open-managed environment. Since the security is based on public key cryptography, the efficiency of ARAN is under suspicion.

In this paper, we pursue the advantages of one-time signature, which is more efficient in signing and verification, to replace conventional digital signature in protecting routing packets, while maintaining the same level of authentication. In our previous work [12], we made use of a delegation token to enable the authentication of the gratuitous reply in route discovery. In this paper, we introduce another approach by using the transitive signature scheme introduced by Micali and Rivest [6].

The rest of the paper is organized as below. Section 2 briefly introduces the AODV routing protocol and the ARAN routing scheme. Section 3 describes the HORS one-time signature scheme and its key generation process. Section 4 explains our scheme used to secure AODV, called authenticated AODV. In Section 5, we introduce two approaches to be used to authenticate gratuitous route reply. Section 6 discusses the security of our proposal. The last section concludes the paper.

II. BACKGROUNDS

In this section, we introduce the basics of the AODV routing protocol and the ARAN authentication scheme.

A. AODV Routing

AODV is a simple and efficient on-demand ad hoc routing protocol. Basically, it uses RREQ (route request), RREP (route reply) and RRER (route error) messages to accomplish route discovery and maintenance operations. It also utilizes sequence numbers to prevent routing loops. Routing decision making is based on sequence numbers and routes maintained in each node's routing table.

The routing operations of AODV generally consist of two phases: route discovery and route maintenance. Route discovery is performed through broadcasting the RREQ message. Whenever a node needs to send data packets to a destination, it first checks if it has an existing route in the routing table. If not, the source node will initiate a RREQ and broadcast this request to all the neighbours. Then neighbouring nodes will update their routing tables according to the received message. When the RREQ reaches the destination, a RREP will be generated by the destination node as a response to the RREQ. The RREP will be transmitted back to the originator of the RREQ in order to inform it of the route. If an intermediate node has an active route towards the destination, it can reply to the RREQ with a RREP, which is called Gratuitous Route Reply. The intermediate node will also send an RREP to the destination node. The RREP will be sent along the reverse route of the RREQ if a bidirectional link exists.

Route maintenance is performed with two additional messages: Hello and RRER messages. Each node broadcasts Hello messages periodically to inform neighbours about its connectivity. The receiving of a Hello message proves that there is an active route towards the originator. Each forwarding node should keep track of its continued connectivity to its active next hops. If a link to the next hop cannot be detected during a timeout period, a RRER message will be broadcast to inform of the loss of connectivity. On receiving this RRER, usually a local repair will be performed just for maintenance. The expired route will be deleted after the confirmation of its unavailability.

From the security point of view, AODV requires at least two security attributes: sender authentication at each receiving node and routing message integrity. Message integrity is of the most concern in AODV routing.
In the route request broadcasting phase, each node has to check the originator sequence number in the RREQ packet against the one recorded in its routing table, and update its routing table to the newest one; in the route reply phase, instead of checking the originator sequence number, each node checks the destination sequence number and keeps it up-to-date. Any exploit that changes the sequence number will result in routing loops. Besides message alteration, spoofing is also a serious attack. A node forwarding a RREP might claim to be someone else, misleading the receiving nodes into falsely recording the fake identity as the next hop towards the destination. This is another way of disrupting the topology by creating route loops.

B. ARAN

ARAN was proposed by Sanzgiri et al in 2002, targeting attacks including unauthorized participation, spoofed route signaling, alteration of routing messages, replay attacks, etc. Similar to other secure routing protocols, ARAN is also a security add-on over on-demand routing protocols. It provides authentication, message integrity and non-repudiation as part of a minimal security policy for the ad hoc environment.

ARAN stands for Authenticated Routing for Ad hoc Networks. It is motivated to detect and protect against malicious actions by third parties and peers in an ad hoc environment. ARAN is a security scheme which can be applied to any on-demand routing protocol. It takes advantage of a PKI based digital signature scheme to provide security features including authentication, message integrity and non-repudiation.

ARAN consists of three stages: a preliminary certification process, a mandatory end-to-end authentication stage and an optional stage providing secure shortest path. To deploy these three stages, ARAN requires the use of a trusted certificate server T and public key cryptography. Each node, before entering the network, must request a certificate from T, and will receive exactly one certificate after securely authenticating its identity to T. Routing operations of ARAN are performed using three data structures: route discovery packet (RDP), reply packet (REP), and error packet (ERR).
Each of them contains necessary routing information as well as the public key certificate.

When a node wants to initiate a route discovery, it creates a signed RDP and broadcasts it to the next hop. The next hop node verifies the originator's signature. If it is authentic, it adds its own certificate and signs the whole packet again. The following hop node performs the same operation; however, after the verification of all the signatures of the received RDP it replaces the previous hop node's signature with its own. These operations are repeated until the packet reaches the target. When the target node receives this RDP, it replies with a REP. This packet is in the same format as the RDP, containing the destination's signature and certificate. Each forwarding node verifies the signature, removes the previous hop node's signature, and then adds its own outside the packet. If this route reply reaches the originator, it is guaranteed that the route found is authentic.

The authentication scheme provided by ARAN defends against exploits using modification, fabrication and impersonation. However, the use of public key cryptography is very costly. The computational overhead caused by signature generation and verification brings a tremendous burden for mobile nodes. A group of malicious nodes may exploit this vulnerability to launch a denial-of-service attack by simply broadcasting a large number of RDP packets. The receiving nodes have to exhaust their computational resources to verify the signatures and then generate new ones. In addition, the extra bandwidth used for transmitting certificates is another burden.

III. PRELIMINARIES

In this section, we introduce the one-time signature scheme to be used in the construction of our authentication scheme.
A. HORS

As we observed, since ARAN uses public key cryptography to protect the routing process, the time delay of signature generation and verification is significant. In general, significant time delay at each hop causes unacceptable route acquisition latency. Thus, we are looking for digital signature schemes that maintain all the traits of conventional DSS, but are efficient enough in signature generation and verification.

The very first one-time signature scheme was introduced by Lamport in 1979 [7], to sign just 1 bit of information. In 2002, Reyzin et al [10] proposed a one-time signature scheme which is efficient in both signing and verification, and generates short signatures. The resulting scheme is called HORS, which stands for Hash to Obtain Random Subset. The major operation in signature generation is using a hashed message to obtain a random subset to form the signature.

HORS stands for Hash to Obtain Random Subset. It was proposed by Reyzin et al [10] in 2002, motivated to provide an efficient signing algorithm. HORS consists of three algorithms: key generation, signing and verification.

HORS Key Generation

On constructing this scheme, several security parameters are predefined. To sign b-bit messages, we firstly pick t and k such that $\binom{t}{k} \ge 2^b$ and then choose a security parameter l, and a one-way hash function f that operates on l-bit strings. To generate the public key, randomly generate l-bit strings $(s_1, s_2, \ldots, s_t)$. Let $v_i = f(s_i)$ for $1 \le i \le t$. The resulting public key is $PK = (k, v_1, v_2, \ldots, v_t)$, and the private key is $SK = (k, s_1, s_2, \ldots, s_t)$.

HORS Signature Generation

To sign a message m with secret key $SK = (k, s_1, s_2, \ldots, s_t)$, firstly let $h = Hash(m)$; then split $h$ into k substrings $h_1, h_2, \ldots, h_k$, of length $\log_2 t$ bits each; finally, interpret each $h_j$ as an integer $i_j$ for $1 \le j \le k$. The resulting signature is $\sigma = (s_{i_1}, s_{i_2}, \ldots, s_{i_k})$.

HORS Signature Verification

The verification is the same as the signature generation. Suppose the verifier has the message m, signature $\sigma = (s_{i_1}, s_{i_2}, \ldots, s_{i_k})$, and public key $PK = (k, v_1, v_2, \ldots, v_t)$.
Firstly, let $h = Hash(m)$; then split $h$ into k substrings $h_1, h_2, \ldots, h_k$, of length $\log_2 t$ bits each and interpret each $h_j$ as an integer $i_j$ for $1 \le j \le k$. If for each j, $1 \le j \le k$, $f(s_{i_j}) = v_{i_j}$, accept the signature; otherwise, reject the signature.

In HORS, the public key component can be used multiple times. Signature generation requires only one call to the hash function. Verification requires k calls to the hash function. One impressive advantage of HORS is the shorter signature size. For their most efficient construction, the signature size can be reduced to 20480 bits.

B. One-Time Key Generation for Routing

Here, we describe the HORS one-time key generation process.

Notations:
h(), ..., h(): one-way function
Sign_Kn: conventional digital signature generated by node n
<>_Kn: one-time signature generated by node n

Anchor:                      h^n(x_1)  h^n(x_2)  h^n(x_3)  ...  h^n(x_t)
Secret key components P_2:   h^2(x_1)  h^2(x_2)  h^2(x_3)  ...  h^2(x_t)
Secret key components P_1:   h^1(x_1)  h^1(x_2)  h^1(x_3)  ...  h^1(x_t)
Secret key components P_0:   h^0(x_1)  h^0(x_2)  h^0(x_3)  ...  h^0(x_t)
(arrows in the original figure: Generation, Usage)

Figure 1. Secret key components hash chain.

Key Chain generation: Suppose that the decision has been made regarding security parameters l, k and t according to message length b.

1. Each node chooses t secret key components $x_j$ (j = 1, ..., t) at random.
2. Each node creates an n hash chain of length t (see Figure 1).
3. Public key components are obtained through a one-way function, namely $v_i = h(x_i)$. We assume that h is a hash function for simplicity.
4. Public key components are disclosed periodically.

Generating a set of one-time keys to sign routing messages was discussed by Zhang in 1998 [15]. Two schemes called chained one-time signature scheme (COSP) and independent one-time signature scheme (IOSP) were proposed. These two schemes motivated us to generate our novel scheme.

IV. AUTHENTICATED AODV ROUTING PROTOCOL

Based on the one-time signature scheme described above, we propose a security add-on for AODV, which contains ARAN's authenticated routing features. The proposed protocol will provide the following security properties:

1. The target node can authenticate the originator;
2. Each receiving node can authenticate the previous hop from which the routing message comes;
3. Each intermediate node can authenticate the sender for updating its routing table entry;
4. The hop count value is protected using a hash chain. It cannot be reduced by a malicious node, but could be increased by more than one or retained unchanged, as in SAODV [14].

To achieve the security features listed above, we firstly assume the existence of an offline CA, which issues a certificate for each node when it enters the network. Thus, each node possesses a public key and private key pair. The conventional digital signature will still be used to provide sender authentication, whereas the one-time signature will offer end-to-end authentication.

A. Public Key Handling

The public key in our proposed protocol is disseminated in two different ways. One aims at providing keys for authentication among neighbors. The other tries to enable sender authentication during message transmission.

End-to-end authentication is achieved through neighbor authentication. Each node will generate a set of one-time keys as described in Section 3.1. The one-time public key components are distributed locally among neighbors. Since one-time keys can only be used once or a limited number of times, nodes need to update their one-time public keys periodically. To guarantee that each neighboring node has an authentic copy of a node's public key, the very first public key, the anchor, is distributed safely during system setup. When a node enters the network, it signs its anchor and broadcasts it to its neighbors, along with its certificate. Thus, successive one-time public keys can be distributed in a more efficient manner by using the Hello message, which is broadcast periodically.

The verification of updates is straightforward. For example, the first secret key $SK_1$ is $(k, h^{n}(x_1), h^{n}(x_2), h^{n}(x_3), \ldots, h^{n}(x_t))$. The corresponding public key $PK_1$ is $(k, h^{n+1}(x_1), h^{n+1}(x_2), h^{n+1}(x_3), \ldots, h^{n+1}(x_t))$. The second secret key $SK_2$ is $(k, h^{n-1}(x_1), h^{n-1}(x_2), h^{n-1}(x_3), \ldots, h^{n-1}(x_t))$, thus the corresponding public key $PK_2$ is $(k, h^{n}(x_1), h^{n}(x_2), h^{n}(x_3), \ldots, h^{n}(x_t))$, which can be verified by hashing once and comparing to $PK_1$.

On the other hand, sender authentication is achieved through conventional digital signature. The sender's public key is contained in its certificate, which is obtained when entering the network.

B. System Setup

This phase is used for initial key distribution (see Figure 2). Suppose that when a mobile node enters the network, it is soon informed about the security parameters agreed in this network. It then chooses its secret key components and generates a hash chain according to Section 3.1. Then it performs as follows:

N: Choose secret key component SK
   Construct hash chain
   The first public key component PK_1 is the Anchor

Figure 2. Initial key distribution and authentication (in System Setup)

C. Route Discovery

Route Discovery is performed as in Figure 3. When the originator (S) initiates a route discovery to a certain destination, it simply generates a signature over the RREQ, using conventional digital signature.

Nodes on the path: S, A, B, C, D

RREQ:
S:       S_o = Sign_S<RREQ, top hash, hop count>
S -> *:  S_o, Cert_S
A:       hop count = 1
A -> *:  S_o, <h(S_o)>_KA, Cert_S
B:       hop count = 2
B -> *:  S_o, <h^2(S_o)>_KB, Cert_S
C:       hop count = 3
C -> *:  S_o, <h^3(S_o)>_KC, Cert_S

RREP:
D:       check h^(MAX_HOP_COUNT - HOP COUNT)(S_o) = top hash
         S_d = Sign_S<RREP, top hash, hop count>
D -> C:  S_d, Cert_D
C -> B:  S_d, <h(S_d)>_KC, Cert_D
B -> A:  S_d, <h(S_d)>_KB, Cert_D
A -> S:  S_d, <h(S_d)>_KA, Cert_D

Figure 3. Route Request and Route Reply

When the first hop node (A) receives the RREQ, it firstly verifies the signature of the originator. If the signature is fine, the neighboring node hashes the received message $S_o$ again and generates its own signature over it. This time, the signature is generated using the HORS one-time signature scheme. Then the whole message is re-transmitted to the second hop. From now on, there are two signatures. One is over $S_o$, another is over the hash of $S_o$.

Once the second hop node (B) receives this double signed RREQ, it firstly verifies the previous hop (A) using the public key of A (which it might receive through Hello messages). If the one-time signature is fine, B hashes $S_o$ one more time and creates a signature over the hash to replace the signature of A. Then this new message is broadcast to the next hop neighbors. Notice that the verification of the conventional signature could be delayed. Only if both the conventional signature and the one-time signature are fine does B update its routing table entry according to the RREQ.
These operations are repeated until the RREQ reaches the destination. When the RREQ reaches the destination, the destination node performs the same verifications as each intermediate node. Then a RREP is generated and signed in the same way as the RREQ. Each intermediate node will transmit it back to the originator through the reverse route and the same operations are performed along the route.

V. HANDLING GRATUITOUS ROUTE REPLY

In AODV, gratuitous route reply enables an intermediate node to reply to RREQs for which it has an active route towards the destination. This feature is optional in AODV, though turning on this feature will highly enhance the efficiency of routing discovery. However, to enable this feature, an additional technique is needed. The conceptual idea is that since we used digital signature to protect each routing message at each hop, for an intermediate node to reply to RREQs instead of the destination, the intermediate node should be able to sign the RREQ properly on behalf of the destination.

A. Delegation Using Token

To solve this problem, we borrow the idea from the proxy signature proposed by Varadharajan et al. [14], in which delegation is enabled by using a warrant. The warrant appears as a delegation token, containing the identities of the primary signer and proxy signer, the privilege ($Pr_a$) given to the proxy signer, an identifier ($r_a$) used by the primary signer, and a timestamp ($t_a$). This delegation token is signed by the primary signer.

We simplify the above delegation token into three fields (see Figure 4): the destination's identity, an identifier $r_a$ and a timestamp $t_a$. This is possible because the token does not need to be designated to certain nodes. Any node that has received the token from a target is automatically proved to have an active route towards the target. Otherwise, it would not be able to obtain this token. The token is signed by the creator using our IOS signature for our scheme.

A -> B: <A, Token_A>
Token_A = <A, B, Pr_a, r_a, t_a>_Ka

Figure 4. Delegation Token

The token enabled routing process is shown in Figure 5. If the gratuitous route reply option is turned on, nodes broadcasting RREQs must create tokens for gratuitous route reply delegation. The whole message including the token will be signed again, using the same public key as for signing the token. Then, the originator broadcasts the RREQ as usual.

Upon receiving the RREQ, a node processes the authentication as normal. Then it checks the timestamp to see if the token has expired. If the token is valid, the node will store the token for future use.

The originator firstly checks if this RREP was created by the destination or by an intermediate node. If it is a gratuitous route reply, the originator checks the timestamp to determine if the route is still active. Then the token and the RREP will be authenticated as described before.

Nodes on the path: S, A, B, C, D

RREQ:
S:       S_o = <RREQ, hop count, PK_S, Token_S>_KS
         Token_S = <S, PK_S, r_S, t_S>_KS
S -> *:  S_o
A:       hop count = 1
A -> *:  S_o, h(S_o), <h(S_o)>_KA
B:       hop count = 2
B -> *:  S_o, h^2(S_o), <h^2(S_o)>_KB
C:       hop count = 3
C -> *:  S_o, h^3(S_o), <h^3(S_o)>_KC

RREP:
C:       check h^(MAX_HOP_COUNT-Hop_Count)(S_o) = Top_Hash
         S_C = <RREP, Top_Hash, Hop_Count, PK_C, Token_D>_KD
         Token_T = <D, PK_D, r_D, t_D>_KD
C -> B:  S_C
B -> A:  S_C, h^2(S_C), <h^2(S_C)>_KB
A -> S:  S_C, h^3(S_C), <h^3(S_C)>_KA

Figure 5. Token enabled route Request and Gratuitous Route Reply.

B. Delegation Using Transitive Signature Schemes

In this section, we introduce another approach for enabling delegation by using a transitive signature scheme. The transitive signature scheme was firstly envisioned by Micali and Rivest [6] in 2002. It was originally used to dynamically build an authenticated graph, edge by edge. The signer, having secret key sk and public key pk, can at any time pick a pair i, j of nodes and create a signature of {i, j}, thereby adding edge {i, j} to the graph. In addition, given a signature of an edge {i, j} and a signature of an edge {j, k}, anyone in possession of the public key can create a signature of the edge {i, k}. We make use of the transitive signature scheme proposed by Micali and Rivest [6] to construct our design.

Setup

Each node in the network agrees with the following parameters:
- large primes p and q such that q divides p - 1
- two generators g and h of the subgroup $G_q$ of order q of $Z_p^*$ such that the base-g logarithm of h modulo p is infeasible for others to compute.

Then each node i does the following:
1. randomly choose two values $x_i$ and $y_i$ from $Z_p^*$;
2. compute $\alpha_i = x_i \bmod q$ and $\beta_i = y_i \bmod q$;
3. compute $v_i = g^{x_i} h^{y_i} \bmod p$;
4. broadcast $\alpha_i$ and $\beta_i$ to the node's neighbors;
5. upon the receipt of $\alpha_j$ and $\beta_j$ from each neighbor, node i computes $\alpha_{ij} = x_i - x_j$ and $\beta_{ij} = y_i - y_j$;
6. node i records in its memory the quadruple $(v_i, v_j, \alpha_{ij}, \beta_{ij})$.

Sign

To sign the path between node A and node B, node B must have received $\alpha_A$, $\beta_A$, and $v_A$ from node A.
Then node B computes the signature as:

$\alpha_{AB} = x_A - x_B$ and $\beta_{AB} = y_A - y_B$

Node B publishes the quadruple as the signature:

$(v_A, v_B, \alpha_{AB}, \beta_{AB})$

Verify

Any node can verify the previous signature by checking:

$v_A = v_B \, g^{\alpha_{AB}} h^{\beta_{AB}}$

Path Composing

When the next hop node C receives the signature between node A and node B, it firstly verifies the validity of the signature in order to ensure that node B does have an active route towards node A. Then node C can generate a transitive signature over the received one so as to incorporate itself into the path. Given signature $(v_A, v_B, \alpha_{AB}, \beta_{AB})$, node C retrieves the quadruple $(v_B, v_C, \alpha_{BC}, \beta_{BC})$ and computes the new transitive signature $(v_A, v_C, \alpha, \beta)$ as:

$\alpha = \alpha_{AB} + \alpha_{BC} = x_A - x_C$ and $\beta = \beta_{AB} + \beta_{BC} = y_A - y_C$

The signature for the path from node A to node C is:

$(v_A, v_C, \alpha, \beta)$

The use of the transitive signature scheme to enable the route aggregation has one big benefit. It enables the authentication of both originator and gratuitous replier in one signature. In delegation by warrant, the token is signed with the routing packet by the gratuitous replier. Thus, the authentication of the gratuitous replier has to be done by verifying the conventional signature, and the token, which is signed using the conventional signature scheme, has to be verified at the same cost. By using transitive signatures, the originator and replier can be authenticated at the same time.

However, the use of the transitive signature scheme to enable gratuitous reply authentication requires the cost of exchanging public key quadruples and computing the path signatures between neighboring nodes. This is considered to be the major drawback of this application.

VI. DISCUSSION AND IMPROVEMENT

The most outstanding point of this scheme is the efficiency of one-time signature generation and verification at each hop. The same as HORS [10], each time, key generation requires t evaluations of the one-way function. The secret key size is $lt$ bits, and the public key size is $f_l t$ bits, where $f_l$ is the length of the one-way function output on input of length l. The signature is $kl$ bits long. There is a tradeoff between t and k, since the public key size will be linear in t, and the signature size and verification time will be linear in k.
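The HORS operations of Section III and the hash-chained key update of Section IV.A, worked through as an added example (not code from the paper). SHA-256 truncated to 128 bits stands in for the one-way function h, and the parameter values and all function and class names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed parameters (assumptions, not values from the paper).
L = 16     # l: component length in bytes (128 bits)
T = 1024   # t: components per key
K = 16     # k: components disclosed per signature (k * log2 t = 160 digest bits)
N = 3      # n: chain levels h^0 .. h^(n+1) are kept, PK_1 = h^(n+1) is the anchor

def h(x: bytes) -> bytes:
    """One-way function for both the chain and HORS: SHA-256 truncated to l bits."""
    return hashlib.sha256(x).digest()[:L]

def build_chain(t=T, n=N):
    """levels[i][j] = h^i(x_j) for t random secret components x_j."""
    levels = [[secrets.token_bytes(L) for _ in range(t)]]
    for _ in range(n + 1):
        levels.append([h(c) for c in levels[-1]])
    return levels

def key_pair(levels, r):
    """r-th one-time pair: SK_r = h^(n+1-r)(x), PK_r = h^(n+2-r)(x)."""
    n = len(levels) - 2
    return levels[n + 1 - r], levels[n + 2 - r]

def subset(msg: bytes, t=T, k=K):
    """Split Hash(m) into k substrings of log2(t) bits, each read as an index i_j."""
    bits = t.bit_length() - 1                      # log2(t) for a power of two
    if t != 1 << bits or k * bits > 256:
        raise ValueError("t must be a power of two and k*log2(t) <= 256")
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(digest >> (256 - (j + 1) * bits)) & (t - 1) for j in range(k)]

def sign(sk, msg):
    """Signature = the k secret components selected by Hash(m)."""
    return [sk[i] for i in subset(msg)]

def verify(pk, msg, sig):
    """k hash calls: each disclosed component must hash to the selected v_i."""
    idx = subset(msg)
    return len(sig) == len(idx) and all(h(s) == pk[i] for s, i in zip(sig, idx))

class Neighbour:
    """Receiver-side state for one neighbour: exactly one pinned public key."""
    def __init__(self, anchor):
        self.pinned = anchor       # authenticated at setup by the conventional signature

    def hello_update(self, new_pk):
        """Accept a key from a Hello message iff one hash maps it onto the pinned key."""
        ok = len(new_pk) == len(self.pinned) and all(
            h(c) == p for c, p in zip(new_pk, self.pinned))
        if ok:
            self.pinned = new_pk   # replace: the old key is never kept alongside
        return ok

    def check(self, msg, sig):
        return verify(self.pinned, msg, sig)

def sizes_bits(l_bits=8 * L, t=T, k=K):
    """Secret key l*t, public key f_l*t (here f_l = l), signature k*l bits."""
    return {"secret": l_bits * t, "public": l_bits * t, "signature": k * l_bits}

def demo():
    levels = build_chain()
    sk1, pk1 = key_pair(levels, 1)
    sk2, pk2 = key_pair(levels, 2)
    msg = b"constructed h(S_o) of a sample RREQ"   # constructed sample input
    peer = Neighbour(pk1)
    return {
        "sig1_ok": peer.check(msg, sign(sk1, msg)),
        "altered_msg_ok": peer.check(msg + b"x", sign(sk1, msg)),
        "foreign_update_ok": peer.hello_update(key_pair(build_chain(), 2)[1]),
        "update_ok": peer.hello_update(pk2),
        # PK_2 is SK_1, so once PK_2 is disclosed a signature under PK_1
        # proves nothing; the receiver must verify against the new key only.
        "pk2_equals_sk1": pk2 == sk1,
        "old_sig_after_update_ok": peer.check(msg, sign(sk1, msg)),
        "sig2_ok": peer.check(msg, sign(sk2, msg)),
    }
```

Because the disclosed public key of one period is the secret key of the previous one, the receiver in this sketch replaces its pinned key on every accepted update instead of accumulating keys.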
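The Setup, Sign, Verify and Path Composing steps of Section V.B, worked through for a path A-B-C-D as an added example (not code from the paper). The group parameters are generated by the example itself (160-bit q, 512-bit p, an assumption for illustration), and all function and class names are hypothetical.

```python
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used only to build the example group below."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(q_bits=160, p_bits=512):
    """Constructed parameters: primes with q | p - 1 and generators g, h of order q."""
    q = (1 << (q_bits - 1)) + 1
    while not is_probable_prime(q):
        q += 2
    k = ((1 << (p_bits - 1)) // q) & ~1           # even cofactor, so p is odd
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g, h = pow(2, k, p), pow(3, k, p)             # nobody chose log_g(h)
    assert g != 1 and h != 1
    return p, q, g, h

P, Q, G, H = make_group()

class Node:
    """Per-node state from the Setup steps."""
    def __init__(self):
        self.x = secrets.randbelow(P - 1) + 1     # x, y drawn from Z_p^*
        self.y = secrets.randbelow(P - 1) + 1
        self.alpha, self.beta = self.x % Q, self.y % Q
        self.v = pow(G, self.x, P) * pow(H, self.y, P) % P

    def announce(self):
        """(alpha, beta, v): what the Sign step says the neighbour has received."""
        return self.alpha, self.beta, self.v

    def sign_path_from(self, peer):
        """Run by node B on A's announcement: (v_A, v_B, x_A - x_B, y_A - y_B)."""
        a, b, v = peer
        return v, self.v, (a - self.alpha) % Q, (b - self.beta) % Q

def verify(sig):
    """Check v_A = v_B * g^alpha * h^beta (mod p)."""
    v_a, v_b, alpha, beta = sig
    return v_a == v_b * pow(G, alpha, P) * pow(H, beta, P) % P

def compose(sig_ab, sig_bc):
    """Path Composing: verify both parts first, then add the exponents."""
    if sig_ab[1] != sig_bc[0]:
        raise ValueError("signatures do not share the middle node")
    if not (verify(sig_ab) and verify(sig_bc)):
        raise ValueError("refusing to extend an invalid path signature")
    return (sig_ab[0], sig_bc[1],
            (sig_ab[2] + sig_bc[2]) % Q, (sig_ab[3] + sig_bc[3]) % Q)

def path_demo():
    a, b, c, d = Node(), Node(), Node(), Node()
    sig_ab = b.sign_path_from(a.announce())
    sig_bc = c.sign_path_from(b.announce())
    sig_cd = d.sign_path_from(c.announce())
    sig_ac = compose(sig_ab, sig_bc)
    sig_ad = compose(sig_ac, sig_cd)              # composition extends hop by hop
    direct_ac = (a.v, c.v, (a.x - c.x) % Q, (a.y - c.y) % Q)
    tampered = (sig_ac[0], sig_ac[1], (sig_ac[2] + 1) % Q, sig_ac[3])
    try:
        compose(sig_ab, sig_cd)                   # B and C are different middle nodes
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return {"ab_ok": verify(sig_ab), "ac_ok": verify(sig_ac),
            "ad_ok": verify(sig_ad), "ac_matches_direct": sig_ac == direct_ac,
            "tampered_ok": verify(tampered), "mismatch_rejected": mismatch_rejected}
```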
The security of this scheme stems from the system setup phase. In this phase, a conventional digital signature is used to guarantee the authenticity of the first public key component. This can be achieved through using a public key certificate issued by an offline CA; namely, each node must present a creditable identity when entering the network. The signature verification and generation may be inefficient, but since this message is broadcast locally, it should be practical for each node.

The update of the public key component is done along with the Hello message, which is broadcast periodically. Since the public key component comes from a hash chain, the verification is straightforward: the previous public key component is used to authenticate the new one. The trustworthiness of the new public component depends totally on the security of the one-way hash function and the digital signature over the anchor. The anchor is used only once. It is replaced by the newly coming public key component after the first Hello message is broadcast. In this way, nodes only need to do one hash to authenticate a new public key component each time, which is much more efficient than hashing repeatedly back to the anchor.

Sender authentication is performed with some compromise of efficiency, using conventional DSS. This method is much more secure than in SAODV, because in SAODV, the originator simply signs on its own public key without the support of PKI. Attackers can easily forge RREQ and RREP packets during transmission. On the other hand, the efficiency can be enhanced to some degree through the way that each node verifies the conventional digital signature after broadcasting routing packets. Therefore, there will be no verification delay. Only if both the conventional signature and the one-time signature are fine will the routing table entry be updated.

Double signing over the received message does not provide more security than a single signature from the cryptographic point of view. Nevertheless, it provides non-repudiation hop-by-hop, which can be used as evidence for future intrusion detection. This thought comes from ARAN. It is considered impractical because of the use of conventional signature schemes.
If there is a technique to produce even shorter signatures in a more efficient manner, this scheme can be extended to allow each node to sign on the received messages.

One significant drawback of one-time signature is that it can sign only a predefined number of messages, which, in our scheme, is limited by the size of the hash chain n. We generally consider that this is not a serious problem, because nodes in MANET are mobile devices which are leaving and entering the network frequently. Consequently, the hash chain will be refreshed. In this sense, we can set n to a proper value according to network scale and average active time of nodes.

VII. CONCLUSION

This paper presented a novel scheme to implement the ARAN protocol based on the AODV routing protocol. However, it is more efficient than the original ARAN in signature generation and verification by using the HORS one-time signature in place of conventional digital signatures. We enable the protections for the gratuitous route reply feature, under the concept of proxy signature's delegation by warrant, as well as the route aggregation using transitive signature schemes. The warrant here is represented as a token, which contains the creator's identity and public key, and is signed by the creator.

The security of our scheme needs to be enforced by performing conventional digital signature. With the help of asymmetric cryptography or public key certificates, we can ensure the authenticity of mobile nodes and the secure distribution of initial keys. Hence, the security of subsequent keys can be guaranteed by a one-way hash chain.

REFERENCES

[1] A. Burg. Ad Hoc Network Specific Attacks. In Seminar. Ad hoc networking: concepts, applications, and security, Technische Universität München, Nov. 2003.
[2] Y. C. Hu, D. Johnson, and A. Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. In 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 02), pages 3-13, June 2002.
[3] Y. C. Hu, A. Perrig, and D. Johnson. Ariadne: A Secure On-demand Routing Protocol for Ad Hoc Networks. In Proc. ACM MOBICOM, Sep. 2002.
[4] Y. C. Hu, A. Perrig and D. B. Johnson. Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols. In Proc. the 2003 ACM workshop on Wireless, Sep. 2003.
[5] D. B. Johnson, D. A. Maltz and Y. C. Hu. The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks (DSR). IETF INTERNET DRAFT, MANET working group, July 2004. draft-ietf-manet-dsr-10.txt.
[6] S. Micali and R. Rivest. Transitive Signature Schemes. In B. Preneel, editor, Topics in Cryptology - CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, pages 236-243. Springer-Verlag, 2002.
[7] L. Lamport. Constructing digital signature from a one way function. Technical Report CSL-98, SRI International, October 1979.
[8] C. E. Perkins, E. M. Royer, and S. R. Das. Ad Hoc On-Demand Distance Vector (AODV) Routing. IETF INTERNET DRAFT, MANET working group, Feb. 2003. draft-ietf-manet-aodv-13.txt.
[9] A. Perrig. The BiBa one-time signature and broadcast authentication protocol. In 8th ACM Conference on Computer and Communication Security, pages 28-37. ACM, November 5-8, 2001.
[10] L. Reyzin and N. Reyzin. Better Than BIBA: Short One-Time Signatures With Fast Signing and Verifying. In Proc. 7th Australasian Conference on Information Security and Privacy, LNCS 2384, Apr. 2002.
[11] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Royer. A Secure Routing Protocol for Ad Hoc Networks. Technical Report: UM-CS-2002-032, 2002.
[12] S. Xu, Y. Mu, and W. Susilo. Secure AODV Routing Protocol Using One-Time Signature. In Proc. 1st International Conference on Mobile Ad-hoc and Sensor Networks (MSN 2005). Springer, LNCS 3794, Dec. 2005.
[13] V. Varadharajan, P. Allen, and S. Black. An Analysis of the Proxy Problem in Distributed Systems. In Proceedings of the IEEE Symposium on Security and Privacy, 1991, pages 255-275, May 1991.
[14] M. G. Zapata. Secure Ad hoc On-Demand Distance Vector (SAODV) Routing. IETF INTERNET DRAFT, MANET working group, Nov. 2004. draft-guerrero-manet-saodv-02.txt.
[15] K. Zhang. Efficient Protocols for Signing Routing Messages. In Symposium on Network and Distributed Systems Security (NDSS '98), 1998.

Shidi Xu was born in Chengdu, China on November 1, 1978. She received a B.S. (Bachelor of Engineering) from the University of Electronic Science and Technology of China in 2001 and an M.S. (Master of Information Systems) from the University of Wollongong in 2004. She is currently a candidate for Master of Computer Science by research at the University of Wollongong.

Yi Mu received his PhD from the Australian National University in 1994. He was previously with the School of Computing and IT at the University of Western Sydney as a lecturer and the Department of Computing at Macquarie University as a senior lecturer. He has been with the University of Wollongong since 2003. His current research interests include network security, electronic commerce security, wireless security, access control, computer security, and cryptography. He also previously worked on quantum cryptography, quantum computers, atomic computations, and quantum optics. His interest in other fields includes Internet computing, client/server software and web technology. Yi Mu has served on the program committees of a number of international conferences and the editorial boards of several international journals. He is a senior member of the IEEE and a member of the IACR.

Willy Susilo received a Ph.D. in Computer Science from the University of Wollongong, Australia. He is currently an associate professor at the School of Information Technology and Computer Science of the University of Wollongong. He is the coordinator of the Network Security Research Laboratory at the University of Wollongong. His research interests include cryptography, information security, computer security and network security. His main contribution is in the area of digital signature schemes, in particular fail-stop signature schemes and short signature schemes. He has served as a program committee member for a number of international conferences. He was the general chair of ACISP 2003. He is a member of the IACR.