NS-2 Security Node Document

CSCI 5931 Project 2

System Design Specification

Project 2

Encryption/Decryption functions for NS-2

Class: CSCI 5931

Section 1

Name:

Sam Tran

Tuan Anh Nguyen

Houston - April 25, 2004

1

CSCI 5931 Project 2 System Design Specification

Revision History

Version Completion Date Authors Description

1.0 04/07/2005 Sam Tran Phu Manh Abstract, general design

Tuan Anh Nguyen

Version Completion Date Authors Description

2.0 04/25/2005 Sam Tran Phu Manh Detail design, implementation

Simple demonstrationTuan Anh Nguyen

- 2 -


Acknowledgment

We would like to thank my class mates. During the process of working on the project, we learn many things from them and from their works. We also thank Delta PCLAB for giving us its facility for printing this document.

Finally, we would like to acknowledge our family members for their love, sacrifice and understanding.

- 3 -


Table of contentAcknowledgment.................................................................................................................................................3

I. PROBLEM STATEMENT........................................................................................5

II. INTRODUCTION......................................................................................................6

2.1. PURPOSE........................................................................................................................................................62.2 SCOPE............................................................................................................................................................62.3. INTENDED AUDIENCE....................................................................................................................................6

III. GENERAL DESIGN..................................................................................................7

3.1. APPROACH.....................................................................................................................................................73.2. IMPLEMENTATION PROCESS...........................................................................................................................7

IV. IMPLEMENTATION................................................................................................9

4.1. DETAIL DESIGN..............................................................................................................................................94.2. IMPLEMENTATION........................................................................................................................................104.3. SIMPLE DEMONSTRATION............................................................................................................................10

V. APPENDIX...............................................................................................................12

5.1 NEW PROTOCOL SOURCE CODE FOR NS-2 (C++):........................................................................................125.2 TCL SCRIPT FOR SIMPLE DEMONSTRATION.................................................................................................17

VI. Reference Documents...............................................................................................19

- 4 -


I. Problem Statement

NS-2 is an open source and very popular network simulation system. It provides support for IP

protocols suite and many standard routing protocols for wire and wireless networks.

Implementation of security on NS-2 is necessary in network simulation. However, currently,

NS-2 does not support these features. Our project will aim to solve this issue.

The purpose of the project is to find a way to add encryption/decryption features into network

simulation program NS-2. For the purposes of this analysis, the assumption is that the key is

pre-shared and the encryption/decryption algorithm is illustrative.

- 5 -


II. Introduction2.1. Purpose

The purpose of this System Design Specification (SDS) document is to describe the design

requirements for adding encryption/decryption features into NS-2. This SDS is intended to

ensure that the developers and/or implementers produce an application that fulfills SDS. It will

also serve as training material for any potential new project members to obtain enough

information about the project implementation that they can be efficiently and effectively

integrated into the project team.

2.2 Scope

This design specification document provides the frame work for the implementation process. It

is a blueprint from which we implement the system.

Our project is an add-in component. It requires NS-2 version 2.27 already installed in one

computer. The encryption and decryption algorithm is only illustrative.

2.3. Intended Audience

This document is intended for use by the technical members of the project team, including the

software developers, system testers, and researchers who need to do experiments with NS-2.

SDS plays a pivotal role in the development and maintenance of software systems. During its

lifetime, a given design description is used by project managers, quality assurance staff,

configuration managers, software designers, programmers, testers, and maintainers. Each of

these users has unique needs, both in terms of required design information and optimal

organization of that information. Hence, a design description must contain all the design

information needed by those users.

- 6 -


III. General Design

3.1. Approach

NS-2 is an open source system that is developed using C++ and Tool Control Language

TCL. Researchers can freely add new components to the system to server their own

purposes. The latest version of NS-2 is version 2.28. Within this version, most of the

standard protocols supported. You can find protocol from media access layer protocols

such as CSMA/CD up to application protocols as FTP and HTTP. For routing protocols,

there are unicast and multicast routing protocols for wire network and DSR, DSDV,

AODV for wireless ad-hoc networks. Most of these protocols were developed by

researchers and adopted into standard version of NS-2.

In order to experiment security features for network, we need to add security functions

into NS-2. Of course for specific experiments there are specific requirements. The purpose

of this project is only to illustrate a way to add security functions into NS-2

Our approach is to build a new protocol at network layer – IP layer. We also define new

packet format to represent new protocols. The new protocol is represented by a class

derived from built-in class in NS-2. Within new derived class we will add encryption and

decryption for data field in the data packet. We will also implement message digest

generation function to ensure the integrity of data packet during transmission. We consider

our data as plain text. The cryptography algorithm is CESAR cipher

The programming language is C++.

Environment development requirements:

- Personal Computer Windows 2000 professional and later.

- Cygwin Unix Simulation

- NS-2 version 2.27

- C/C++ editor.

3.2. Implementation process

Marc Greis's tutorial shows how to add a new packet protocol to NS-2 (Figure 1). The

new packet class is created in the folder ../apps. After that, the new packet name has

to register to the packet.h. Of course, the makefile has to be modified so that the

- 7 -


new class is complied. At the TCL layer, the new packet must be declared by adding

the name and default packet size value to the ns-default.tcl file. Finally, we have to

make an entry for the new packet in the ns-packet.tcl file. After recompile the ns-2,

we can use the new packet for our simulation (Figure 2).

Figure 1: Flow chart of adding new protocol to NS-2

Figure 1: Flow chart of adding new protocol to NS-2

Figure 2: Screen shot of the new packet (Security_packet) on NS-2

We propose to build a new packet class carrying data. The methods of the class include

some algorithms of encryption and decryption as well as generate messages digest

functions for integrity. Cesar cipher is selected to demo encrypt and decrypt algorithms. The

message digest generator is the hash function in C++. (Note: The proposed implementation

might be extended based on the requirements of the instructor)

- 8 -


IV. Implementation4.1. Detail design

Figure 3. Logical design of the encryption/decryption system

Hash function:Using a simple hashing algorithm to get hashed value from a string of plain text. The hash value

will be attached to packet header for data integrity checking. At the other end of communication,

after decryption, the decrypted text will be hashed again to get new hashed value. This new

hashed value will be compared to the value attached within packet header. If they are equal, the

data integrity is ensured and decrypted text is accepted; otherwise the packet is discarded. In

either case, an acknowledge packet will be sent back to sender to inform of the status of the

packet.

The algorithm for the hash function can be any kind of algorithm like SHA-1, MD5. Because the

shortage of time and the complexity of those algorithms, we chose to implement very simple

polynomial algorithm [7] that we collect from the internet.

Encryption/decryption functions:

For encryption and decryption feature we implement CESAR cipher with pre-shared key of 3.

These cryptographic functions take input as a string of plain text and shift the ASCII value of

each character in the text three positions. Any encryption/decryption algorithm with symmetric

- 9 -

EncryptionCESAR cipher

Key=3

DecryptionCESAR cipher

Key=3

System console

System console

Enc

rypt

ed te

xt +

hash

va

lue

Pla

in te

xt

Enc

rypt

ed te

xt +

hash

va

lue

De

cryp

ted

text

Ack

now

led

gem

ent

Ack

now

led

gem

ent

Hash function

Hash function

Compare hashed value

Sender

Receiver


key can be implemented here. Some examples for encryption/decryption algorithms that can be

implemented are DES, 3DES, EAS, Blowfish.

4.2. Implementation

Hash function:unsigned int Security_packetAgent::hashing(char value[], unsigned int len){ char *word = value; unsigned int ret = 0; unsigned int i; for(i=0; i < len; i++) { int mod = i % 32; ret ^=(unsigned int) (word[i]) << mod; ret ^=(unsigned int) (word[i]) >> (32 - mod); } return ret;}Encryption function:void Security_packetAgent::encryption(char out[]){

int key =3;int i=0;

for (i=0;i<strlen(out);i++){

out[i]=(out[i]+key)%128;}

}Decryption function:void Security_packetAgent::decryption(char out[]){

int key =3;int i=0;


out[i]=(out[i]-key)%128;}

}For full source code, please look at appendix 5.1.

4.3. Simple demonstration

For the demonstration purpose we create a testing scenario with 5 nodes. Node 0, 1 (figure 4)

will send message to node 5 and 4 respectively and from node 5 and 4 back to node 0 and 1.

Each sending node will assume to receive acknowledge packet from receiving node. The script

of this demo is written in TCL language. The message to be sent will be arbitrary and put in

- 10 -


script file. For full source code of TCL script please look at appendix 5.2 . The outcome of the

demo will be showed in use console ( figure 5).

Figure 4: NAM for simple demonstration script.

Figure 5: Outcome of simple demo TCL script.

- 11 -


V. Appendix5.1 New protocol source code for NS-2 (c++):

//-----------------------------------// Dated: April 25,2005// Created: Sam Tran and Tuan Nguyen.// file name: security_packet.h//-----------------------------------#ifndef ns_security_packet_h#define ns_security_packet_h

#include "agent.h"#include "tclcl.h"#include "packet.h"#include "address.h"#include "ip.h"

struct hdr_security_packet {char ret;double send_time;

double rcv_time; // when security packet arrived at receiver int seq; // sequence number

char data[128];unsigned int hashvalue;

// Header access methodsstatic int offset_; // required by PacketHeaderManagerinline static int& offset() { return offset_; }inline static hdr_security_packet* access(const Packet* p) {

return (hdr_security_packet*) p->access(offset_);}

};

class Security_packetAgent : public Agent {public:

Security_packetAgent(); int seq;

int oneway; // enable seq number and one-way delay printoutsvirtual int command(int argc, const char*const* argv);virtual void recv(Packet*, Handler*);void encryption(char* out);void decryption(char* out);unsigned int hashing (char value[], unsigned int len);

};#endif // ns_security_packet_h//-----------------------------------// Dated: April 25,2005

- 12 -


// Created: Sam Tran and Tuan Nguyen.// file name: security_packet.cc//-----------------------------------#include "Security_packet.h"#include "string.h"

int hdr_security_packet::offset_;static class Security_packetHeaderClass : public PacketHeaderClass {public:

Security_packetHeaderClass() : PacketHeaderClass("PacketHeader/Security_packet",sizeof(hdr_security_packet)) {

bind_offset(&hdr_security_packet::offset_);}

} class_security_packethdr;

static class Security_packetClass : public TclClass {public:

Security_packetClass() : TclClass("Agent/Security_packet") {}TclObject* create(int, const char*const*) {

return (new Security_packetAgent());}

} class_security_packet;

Security_packetAgent::Security_packetAgent() : Agent(PT_SECURITY_PACKET), seq(0), oneway(0){

bind("packetSize_", &size_);}

int Security_packetAgent::command(int argc, const char*const* argv){

if (argc ==3) {

if (strcmp(argv[1], "send") == 0) { // Create a new packet Packet* pkt = allocpkt(); // Access the security packet header for the new packet: hdr_security_packet* hdr = hdr_security_packet::access(pkt); // Set the 'ret' field to 0, so the receiving node // knows that it has to generate an acknowledge packet hdr->ret = 0; hdr->seq = seq++; // Store the current time in the 'send_time' field hdr->send_time = Scheduler::instance().clock(); // copy date to be sent to header strcpy(hdr->data, argv[2]); //----------------hashing------------------------ hdr->hashvalue = hashing(hdr->data,(unsigned int)strlen(hdr->data));

- 13 -


printf("Message sent %s with hashing %d\n",hdr->data,hdr->hashvalue); // ---------- encrypt the data --------------- encryption(hdr->data); //----------------------------------- // Send the packet send(pkt, 0); // return TCL_OK, so the calling function knows that // the command has been processed return (TCL_OK); } else if (strcmp(argv[1], "start-WL-brdcast") == 0) { Packet* pkt = allocpkt(); hdr_ip* iph = HDR_IP(pkt); hdr_security_packet* ph = hdr_security_packet::access(pkt); strcpy(ph->data, "test"); iph->daddr() = IP_BROADCAST; iph->dport() = iph->sport(); ph->ret = 0; send(pkt, (Handler*) 0); return (TCL_OK); }

else if (strcmp(argv[1], "oneway") == 0) { oneway=1; return (TCL_OK); } } // If the command hasn't been processed by SecurityAgent()::command, // call the command() function for the base class return (Agent::command(argc, argv));}// -- CESAR encryption function ----------void Security_packetAgent::encryption(char out[]){

int key =3;int i=0;


out[i]=(out[i]+key)%128;}

}// ---- CESAR decryption ------------------void Security_packetAgent::decryption(char out[]){

int key =3;int i=0;


- 14 -


out[i]=(out[i]-key)%128;}

}//---------------hashing fucntion-------------unsigned int Security_packetAgent::hashing(char value[], unsigned int len){ char *word = value; unsigned int ret = 0; unsigned int i; for(i=0; i < len; i++) { int mod = i % 32; ret ^=(unsigned int) (word[i]) << mod; ret ^=(unsigned int) (word[i]) >> (32 - mod); } return ret;}//-------------------------------void Security_packetAgent::recv(Packet* pkt, Handler*){ // Access the IP header for the received packet: hdr_ip* hdrip = hdr_ip::access(pkt); // Access the security packet header for the received packet: hdr_security_packet* hdr = hdr_security_packet::access(pkt);

// check if in brdcast mode if ((u_int32_t)hdrip->daddr() == IP_BROADCAST) { if (hdr->ret == 0) { printf("Recv BRDCAST Security_packet REQ : at %d.%d from %d.%d\n", here_.addr_, here_.port_, hdrip->saddr(), hdrip->sport()); Packet::free(pkt); // create reply Packet* pktret = allocpkt();

hdr_security_packet* hdrret = hdr_security_packet::access(pktret); hdr_cmn* ch = HDR_CMN(pktret); hdr_ip* ipret = hdr_ip::access(pktret); hdrret->ret = 1; // add brdcast address ipret->daddr() = IP_BROADCAST; ipret->dport() = ipret->sport(); send(pktret, 0);

- 15 -


} else { printf("Recv BRDCAST security_packet REPLY : at %d.%d from %d.%d\n", here_.addr_, here_.port_, hdrip->saddr(), hdrip->sport()); Packet::free(pkt); } return; }// end of broadcast mode if (hdr->ret == 0) { // Send an 'echo'. First save the old packet's send_time double stime = hdr->send_time; //---------decrypt encrypted packet-------------// char original_data[128]; char encrypted_data[128]; strcpy(encrypted_data,hdr->data); //copy the data of the original packet strcpy(original_data,hdr->data); int rcv_seq = hdr->seq; //----------------show the encrypted packet at receiving node-----------// char out[105]; unsigned int newhash; char authenticate_result[50];

// show encryted data then decrytp it and show decryption(original_data); newhash=hashing(original_data,strlen(original_data)); if(newhash==hdr->hashvalue) {

printf("data intergity ensured\n");strcpy(authenticate_result,"Message_Accepted");

} else {

printf("data modified %d\n",newhash);strcpy(authenticate_result,"MESSAGE_ERRROR-Integrity violation");

} sprintf(out, "%s recv %d %3.1f %s %s %d", name(), hdrip->src_.addr_ >> Address::instance().NodeShift_[1],

(Scheduler::instance().clock()-hdr->send_time) * 1000, encrypted_data, original_data,hdr->hashvalue); Tcl& tcl = Tcl::instance(); tcl.eval(out);

// Discard the packet Packet::free(pkt); // Create a new packet Packet* pktret = allocpkt();

- 16 -


// Access the header for the new packet: hdr_security_packet* hdrret = hdr_security_packet::access(pktret); // Set the 'ret' field to 1, so the receiver won't send // another echo hdrret->ret = 1; // Set the send_time field to the correct value hdrret->send_time = stime; hdrret->rcv_time = Scheduler::instance().clock(); hdrret->seq = rcv_seq; strcpy(hdrret->data, authenticate_result);//save data to new packet // Send the packet back to the originator send(pktret, 0); } else { char out[105]; // showing at originator node when packet comes back sprintf(out, "%s recv %d %3.1f %s _ %d", name(), hdrip->src_.addr_ >> Address::instance().NodeShift_[1],

(Scheduler::instance().clock()-hdr->send_time) * 1000, hdr->data, hdr->hashvalue); Tcl& tcl = Tcl::instance(); tcl.eval(out); // Discard the packet Packet::free(pkt); }}

5.2 TCL script for simple demonstration

#-----------------------------------# Dated: April 25,2005# Created: Sam Tran and Tuan Nguyen.# File name: security_packet.cc#-----------------------------------#Create a simulator objectset ns [new Simulator]

#Define different colors for data flows (for NAM)$ns color 1 Blue$ns color 2 Red

#Open a trace fileset nf [open out.nam w]$ns namtrace-all $nf

#Define a 'finish' procedureproc finish {} {

- 17 -


global ns nf $ns flush-trace close $nf exec nam out.nam & exit 0}

#Create four nodesset n0 [$ns node]set n1 [$ns node]set n2 [$ns node]set n3 [$ns node]set n4 [$ns node]set n5 [$ns node]

#Create links between the nodes$ns duplex-link $n0 $n2 5Mb 10ms DropTail$ns duplex-link $n1 $n2 5Mb 10ms DropTail$ns duplex-link $n2 $n3 1.5Mb 10ms DropTail$ns duplex-link $n3 $n4 5Mb 10ms DropTail$ns duplex-link $n3 $n5 5Mb 10ms DropTail

#Set Queue Size of link (n2-n3) to 100$ns queue-limit $n2 $n3 100

$ns duplex-link-op $n0 $n2 orient right-down$ns duplex-link-op $n1 $n2 orient right-up$ns duplex-link-op $n2 $n3 orient right$ns duplex-link-op $n3 $n4 orient right-up$ns duplex-link-op $n3 $n5 orient right-down

#Define a 'recv' function for the class 'Agent/Security_packet'Agent/Security_packet instproc recv {from rtt mess originmess hash} {

$self instvar node_puts "node [$node_ id] received packet from \

$from with trip-time $rtt ms - contend: $mess - decrypted $originmess -hash: $hash"}

#Create two security agents and attach them to the nodes n0 and n2set p0 [new Agent/Security_packet]$ns attach-agent $n0 $p0$p0 set class_ 1

set p1 [new Agent/Security_packet]$ns attach-agent $n1 $p1$p1 set class_ 1


- 18 -



#Connect the two agents$ns connect $p0 $p3$ns connect $p1 $p2

#Schedule events

for {set i 1} {$i < 2} {incr i} {set result [expr $i /2]$ns at $result "$p0 send itisalongmessageIcansend" $ns at [expr $result + 0.02] "$p1 send Itisashotermessage"$ns at [expr $result + 0.04] "$p2 send test3"$ns at [expr $result + 0.06] "$p3 send test4"

}$ns at 1.0 "finish"

#Run the simulation$ns run

VI. Reference Documents

[1]. SDS Outline, The University of Texas at Austin, 1999.

from the World Wide Web: http://www.cs.utexas.edu/

[2]. Nguyen Viet Phuong, Vu Tat Dat, Nguyen Anh Tuan, Dinh Ngoc Lan, Elevator Simulation System System Design Specification, 2003.

[3]. Matt Bishop, Computer Security: Art+Science, Publisher Addison Wesley

[4]. Jess Garms and Daniel Somerfield, Professional Java Security ,Wrox Press Ltd.

[5]. Marc Greis (2005). Tutorial for the network simulator ns. Retrieved 3/28/05 from: http://www.isi.edu/nsnam/ns/tutorial/index.html

[6]. Free Information Society (2005). Hash Table Class. Retrieved 4/4/05 from: http://www.freeinfosociety.com/computers/programs/ cpp/hashtable.h

[7] Hash function implemented in C++ with polynomial algorithm. Retrieved 4/14/05 fromhttp://wikisource.org/wiki/Polynomial_hash_function.

- 19 -

http://wikisource.org/wiki/Polynomial_hash_function

http://www.freeinfosociety.com/computers/programs/cpp/hashtable.h

http://www.freeinfosociety.com/computers/programs/cpp/hashtable.h

http://www.isi.edu/nsnam/ns/tutorial/index.html

http://www.cs.utexas.edu/

NS-2 Security Node Document

Documents

Transcript of NS-2 Security Node Document