- When: Thursday, July 13, 2017 from 11:00 AM to 01:00 PM
- Speaker: Eric J. Swankoski
- Location: ENGR 4201

The open nature of mobile ad hoc networks (MANETs) makes them vulnerable to denial-of-service attacks. With no well-defined access points, network perimeter, or centralized authority, these networks are susceptible to attacks from one or more authorized nodes (insiders) or malicious external entities (outsiders). Mitigation methods for such attacks are critically important, and in this work we explore the use of network capabilities to enforce a deny-by-default network access control policy. While capabilities can minimize the damage caused by malicious adversaries, the aforementioned characteristics of MANETs also complicate the operation of capabilities. Traditional network capability mechanisms are not designed to cope with frequent route changes. The problem is not well-studied, either for unicast-based or multicast-based MANET communication.

For unicast networks, we have developed EPIC (Efficient Path-Independent Capabilities), a method that combines reverse-disclosure hash chains, identity-based cryptography, and per-packet verification to support the establishment of destination-controlled, path-independent capabilities, and we show how these capabilities can be efficiently operated and maintained in a high-mobility environment. EPIC decouples the capability from any particular route, allowing a seamless transition from one authorized route to another between a source and destination. We have also developed RAC (Route-Adaptive Capabilities), which uses the same basic building blocks as EPIC but combines the high security of route-dependent capabilities with dynamic route reconfiguration to maintain high efficiency and performance.

For multicast networks, we have developed EPIC-M (Multicast), which builds on the core aspects of EPIC to provide capability functionality in multicast networks. EPIC-M uses the building blocks of EPIC, but also utilizes threshold cryptography (partial digital signatures) to facilitate capability establishment and to decouple capability establishment and maintenance from multicast routing and membership operations. We show through simulations that EPIC, RAC and EPIC-M operate efficiently in well-behaved networks while also minimizing the network disruption caused by malicious entities in hostile or unsecured networks.
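To make the reverse-disclosure hash chain building block concrete, here is an added illustration (not code from the work described above): an issuer builds a chain, forwarding nodes hold only its anchor as the capability, and each packet discloses the next chain element, which any node on any route can verify by hashing forward. The roles, the `max_skip` catch-up bound for a node that joins after a route change, and the use of SHA-256 are assumptions made for this example.

```python
import hashlib
import os
from typing import Optional


def H(x: bytes) -> bytes:
    """One-way hash used to build and verify the chain."""
    return hashlib.sha256(x).digest()


class ChainHolder:
    """The authorized sender: generates a chain of length n and discloses
    its elements in reverse order, one per packet. Only the final element
    (the anchor) is given to forwarding nodes when the capability is set up."""

    def __init__(self, n: int, seed: Optional[bytes] = None):
        seed = seed or os.urandom(32)
        chain = [seed]
        for _ in range(n):
            chain.append(H(chain[-1]))   # chain[i+1] = H(chain[i])
        self.chain = chain               # chain[0] = seed, chain[n] = anchor
        self.anchor = chain[n]
        self.next_index = n - 1          # next element to disclose

    def next_token(self) -> bytes:
        """Return the per-packet token; the chain is finite, so an exhausted
        capability must be re-established rather than reused."""
        if self.next_index < 0:
            raise RuntimeError("capability exhausted; re-establish it")
        tok = self.chain[self.next_index]
        self.next_index -= 1
        return tok


class ForwardingNode:
    """A node on any route between source and destination. It stores only the
    anchor, so no per-route state is needed and a node on a newly chosen route
    can verify traffic it has never seen before."""

    def __init__(self, anchor: bytes, max_skip: int = 8):
        self.last = anchor          # most recent element accepted
        self.max_skip = max_skip    # tolerated number of packets missed

    def verify(self, token: bytes) -> bool:
        """Accept token if hashing it forward at most max_skip times reaches the
        last accepted element. A replayed or stale token never does, because
        the chain only ever hashes forward towards the anchor."""
        cur = token
        for _ in range(self.max_skip):
            cur = H(cur)
            if cur == self.last:
                self.last = token   # advance; this token cannot be reused
                return True
        return False
```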
