Encryption/Decryption functions for NS-2

1
 Problem Statement
NS-2 is an open source and very popular network simulation system. It provides support for IP
protocols suite and many standard routing protocols for wire and wireless networks.
Implementation of security on NS-2 is necessary in network simulation. However, currently, NS-
2 does not support these features. Our project will aim to solve this issue.
The purpose of the project is to find a way to add encryption/decryption features into network
simulation program NS-2. For the purposes of this analysis, the assumption is that the key is
pre-shared and the encryption/decryption algorithm is illustrative.

2
 Introduction
2.1. Purpose

The purpose of this System Design Specification (SDS) document is to describe the design
requirements for adding encryption/decryption features into NS-2. This SDS is intended to
ensure that the developers and/or implementers produce an application that fulfills SDS. It will
also serve as training material for any potential new project members to obtain enough
information about the project implementation that they can be efficiently and effectively
integrated into the project team.

2.2 Scope

This design specification document provides the frame work for the implementation process. It
is a blueprint from which we implement the system.

Our project is an add-in component. It requires NS-2 version 2.27 already installed in one
computer. The encryption and decryption algorithm is only illustrative.

2.3. Intended Audience

This document is intended for use by the technical members of the project team, including the
software developers, system testers, and researchers who need to do experiments with NS-2.

SDS plays a pivotal role in the development and maintenance of software systems. During its
lifetime, a given design description is used by project managers, quality assurance staff,
configuration managers, software designers, programmers, testers, and maintainers. Each of
these users has unique needs, both in terms of required design information and optimal
organization of that information. Hence, a design description must contain all the design
information needed by those users.

3
 General Design
3.1. Approach
NS-2 is an open source system that is developed using C++ and Tool Control Language
TCL. Researchers can freely add new components to the system to server their own
purposes. The latest version of NS-2 is version 2.28. Within this version, most of the
standard protocols supported. You can find protocol from media access layer protocols
such as CSMA/CD up to application protocols as FTP and HTTP. For routing protocols,
there are unicast and multicast routing protocols for wire network and DSR, DSDV,
AODV for wireless ad-hoc networks. Most of these protocols were developed by
researchers and adopted into standard version of NS-2.
In order to experiment security features for network, we need to add security functions
into NS-2. Of course for specific experiments there are specific requirements. The purpose
of this project is only to illustrate a way to add security functions into NS-2
Our approach is to build a new protocol at network layer – IP layer. We also define new
packet format to represent new protocols. The new protocol is represented by a class
derived from built-in class in NS-2. Within new derived class we will add encryption and
decryption for data field in the data packet. We will also implement message digest
generation function to ensure the integrity of data packet during transmission. We consider
our data as plain text. The cryptography algorithm is CESAR cipher
The programming language is C++.
Environment development requirements:
- Personal Computer Windows 2000 professional and later.
- Cygwin Unix Simulation
- NS-2 version 2.27
- C/C++ editor.

3.2. Implementation process

Marc Greis's tutorial shows how to add a new packet protocol to NS-2 (Figure 1). The
new packet class is created in the folder ../apps. After that, the new packet name has
to register to the packet.h. Of course, the makefile has to be modified so that the

4
 new class is complied. At the TCL layer, the new packet must be declared by adding
the name and default packet size value to the ns-default.tcl file. Finally, we have to
make an entry for the new packet in the ns-packet.tcl file. After recompile the ns-2,
we can use the new packet for our simulation (Figure 2).

Figure 1: Flow chart of adding new protocol to NS-2

Figure 1: Flow chart of adding new protocol to NS-2

Figure 2: Screen shot of the new packet (Security_packet) on NS-2

We propose to build a new packet class carrying data. The methods of the class include
some algorithms of encryption and decryption as well as generate messages digest
functions for integrity. Cesar cipher is selected to demo encrypt and decrypt algorithms.
The message digest generator is the hash function in C++. (Note: The proposed
implementation might be extended based on the requirements of the instructor)

5
 Implementation
4.1. Detail design

Figure 3. Logical design of the encryption/decryption system

Hash function:
Using a simple hashing algorithm to get hashed value from a string of plain text. The hash value
will be attached to packet header for data integrity checking. At the other end of communication,
after decryption, the decrypted text will be hashed again to get new hashed value. This new
hashed value will be compared to the value attached within packet header. If they are equal, the
data integrity is ensured and decrypted text is accepted; otherwise the packet is discarded. In
either case, an acknowledge packet will be sent back to sender to inform of the status of the
packet.
The algorithm for the hash function can be any kind of algorithm like SHA-1, MD5. Because the
shortage of time and the complexity of those algorithms, we chose to implement very simple
polynomial algorithm [7] that we collect from the internet.

Encryption/decryption functions:
For encryption and decryption feature we implement CESAR cipher with pre-shared key of 3.
These cryptographic functions take input as a string of plain text and shift the ASCII value of
each character in the text three positions. Any encryption/decryption algorithm with symmetric

6
key can be implemented here. Some examples for encryption/decryption algorithms that can be
implemented are DES, 3DES, EAS, Blowfish.

4.2. Implementation
Hash function:
unsigned int Security_packetAgent::hashing(char value[], unsigned int len)
{
char *word = value;
unsigned int ret = 0;
unsigned int i;
for(i=0; i < len; i++)
{
int mod = i % 32;
ret ^=(unsigned int) (word[i]) << mod;
ret ^=(unsigned int) (word[i]) >> (32 - mod);
}
return ret;
}
Encryption function:
void Security_packetAgent::encryption(char out[])
{
int key =3;
int i=0;
for (i=0;i<strlen(out);i++)
{
out[i]=(out[i]+key)%128;
}
}
Decryption function:
void Security_packetAgent::decryption(char out[])
{
int key =3;
int i=0;
for (i=0;i<strlen(out);i++)
{
out[i]=(out[i]-key)%128;
}
}
For full source code, please look at appendix 5.1.

4.3. Simple demonstration

For the demonstration purpose we create a testing scenario with 5 nodes. Node 0, 1 (figure 4)
will send message to node 5 and 4 respectively and from node 5 and 4 back to node 0 and 1.
Each sending node will assume to receive acknowledge packet from receiving node. The script
of this demo is written in TCL language. The message to be sent will be arbitrary and put in

7
script file. For full source code of TCL script please look at appendix 5.2 . The outcome of the
demo will be showed in use console ( figure 5).

Figure 4: NAM for simple demonstration script.

Figure 5: Outcome of simple demo TCL script.

8
 Appendix
5.1 New protocol source code for NS-2 (c++):
//-----------------------------------
// Dated: April 25,2005
// Created: Sam Tran and Tuan Nguyen.
// file name: security_packet.h
//-----------------------------------
#ifndef ns_security_packet_h
#define ns_security_packet_h

#include "agent.h"
#include "tclcl.h"
#include "packet.h"
#include "address.h"
#include "ip.h"

struct hdr_security_packet {
char ret;
double send_time;
double rcv_time; // when security packet arrived at receiver
int seq; // sequence number
char data[128];
unsigned int hashvalue;

// Header access methods

static int offset_; // required by PacketHeaderManager
inline static int& offset() { return offset_; }
inline static hdr_security_packet* access(const Packet* p) {
return (hdr_security_packet*) p->access(offset_);
}
};

class Security_packetAgent : public Agent {

public:
Security_packetAgent();
int seq;
int oneway; // enable seq number and one-way delay printouts
virtual int command(int argc, const char*const* argv);
virtual void recv(Packet*, Handler*);
void encryption(char* out);
void decryption(char* out);
unsigned int hashing (char value[], unsigned int len);
};
#endif // ns_security_packet_h
//-----------------------------------
// Dated: April 25,2005

9
// Created: Sam Tran and Tuan Nguyen.
// file name: security_packet.cc
//-----------------------------------
#include "Security_packet.h"
#include "string.h"

int hdr_security_packet::offset_;
static class Security_packetHeaderClass : public PacketHeaderClass {
public:
Security_packetHeaderClass() :
PacketHeaderClass("PacketHeader/Security_packet",sizeof(hdr_security_packet)) {
bind_offset(&hdr_security_packet::offset_);
}
} class_security_packethdr;

static class Security_packetClass : public TclClass {

public:
Security_packetClass() : TclClass("Agent/Security_packet") {}
TclObject* create(int, const char*const*) {
return (new Security_packetAgent());
}
} class_security_packet;

Security_packetAgent::Security_packetAgent() : Agent(PT_SECURITY_PACKET), seq(0),

oneway(0)
{
bind("packetSize_", &size_);
}

int Security_packetAgent::command(int argc, const char*const* argv)

{

if (argc ==3) {

if (strcmp(argv[1], "send") == 0) {
// Create a new packet
Packet* pkt = allocpkt();
// Access the security packet header for the new packet:
hdr_security_packet* hdr = hdr_security_packet::access(pkt);
// Set the 'ret' field to 0, so the receiving node
// knows that it has to generate an acknowledge packet
hdr->ret = 0;
hdr->seq = seq++;
// Store the current time in the 'send_time' field
hdr->send_time = Scheduler::instance().clock();
// copy date to be sent to header
strcpy(hdr->data, argv[2]);
//----------------hashing------------------------
hdr->hashvalue = hashing(hdr->data,(unsigned int)strlen(hdr->data));

10
 printf("Message sent %s with hashing %d\n",hdr->data,hdr->hashvalue);
// ---------- encrypt the data ---------------
encryption(hdr->data);
//-----------------------------------
// Send the packet
send(pkt, 0);
// return TCL_OK, so the calling function knows that
// the command has been processed
return (TCL_OK);
}
else if (strcmp(argv[1], "start-WL-brdcast") == 0) {
Packet* pkt = allocpkt();

hdr_ip* iph = HDR_IP(pkt);

hdr_security_packet* ph = hdr_security_packet::access(pkt);
strcpy(ph->data, "test");

iph->daddr() = IP_BROADCAST;
iph->dport() = iph->sport();
ph->ret = 0;
send(pkt, (Handler*) 0);
return (TCL_OK);
}

else if (strcmp(argv[1], "oneway") == 0) {

oneway=1;
return (TCL_OK);
}
}

// If the command hasn't been processed by SecurityAgent()::command,

// call the command() function for the base class
return (Agent::command(argc, argv));
}
// -- CESAR encryption function ----------
void Security_packetAgent::encryption(char out[])
{
int key =3;
int i=0;
for (i=0;i<strlen(out);i++)
{
out[i]=(out[i]+key)%128;
}
}
// ---- CESAR decryption ------------------
void Security_packetAgent::decryption(char out[])
{
int key =3;
int i=0;
for (i=0;i<strlen(out);i++)
{

11
 out[i]=(out[i]-key)%128;
}

}
//---------------hashing fucntion-------------
unsigned int Security_packetAgent::hashing(char value[], unsigned int len)
{
char *word = value;
unsigned int ret = 0;
unsigned int i;
for(i=0; i < len; i++)
{
int mod = i % 32;
ret ^=(unsigned int) (word[i]) << mod;
ret ^=(unsigned int) (word[i]) >> (32 - mod);
}
return ret;
}
//-------------------------------
void Security_packetAgent::recv(Packet* pkt, Handler*)
{
// Access the IP header for the received packet:
hdr_ip* hdrip = hdr_ip::access(pkt);

// Access the security packet header for the received packet:

hdr_security_packet* hdr = hdr_security_packet::access(pkt);

// check if in brdcast mode

if ((u_int32_t)hdrip->daddr() == IP_BROADCAST)
{
if (hdr->ret == 0)
{

printf("Recv BRDCAST Security_packet REQ : at %d.%d from %d.%d\n", here_.addr_,

here_.port_, hdrip->saddr(), hdrip->sport());
Packet::free(pkt);

// create reply
Packet* pktret = allocpkt();

hdr_security_packet* hdrret = hdr_security_packet::access(pktret);

hdr_cmn* ch = HDR_CMN(pktret);
hdr_ip* ipret = hdr_ip::access(pktret);

hdrret->ret = 1;

// add brdcast address

ipret->daddr() = IP_BROADCAST;
ipret->dport() = ipret->sport();
send(pktret, 0);

12
 }
else
{
printf("Recv BRDCAST security_packet REPLY : at %d.%d from %d.%d\n", here_.addr_,
here_.port_, hdrip->saddr(), hdrip->sport());
Packet::free(pkt);
}
return;
}
// end of broadcast mode

if (hdr->ret == 0)
{
// Send an 'echo'. First save the old packet's send_time
double stime = hdr->send_time;
//---------decrypt encrypted packet-------------//
char original_data[128];
char encrypted_data[128];
strcpy(encrypted_data,hdr->data); //copy the data of the original packet
strcpy(original_data,hdr->data);
int rcv_seq = hdr->seq;
//----------------show the encrypted packet at receiving node-----------//

char out[105];
unsigned int newhash;
char authenticate_result[50];

// show encryted data then decrytp it and show

decryption(original_data);
newhash=hashing(original_data,strlen(original_data));
if(newhash==hdr->hashvalue)
{
printf("data intergity ensured\n");
strcpy(authenticate_result,"Message_Accepted");
}
else
{
printf("data modified %d\n",newhash);
strcpy(authenticate_result,"MESSAGE_ERRROR-Integrity violation");
}
sprintf(out, "%s recv %d %3.1f %s %s %d", name(), hdrip->src_.addr_ >>
Address::instance().NodeShift_[1],
(Scheduler::instance().clock()-hdr->send_time) * 1000, encrypted_data,
original_data,hdr->hashvalue);
Tcl& tcl = Tcl::instance();
tcl.eval(out);

// Discard the packet

Packet::free(pkt);
// Create a new packet
Packet* pktret = allocpkt();

13
 // Access the header for the new packet:
hdr_security_packet* hdrret = hdr_security_packet::access(pktret);
// Set the 'ret' field to 1, so the receiver won't send
// another echo
hdrret->ret = 1;
// Set the send_time field to the correct value
hdrret->send_time = stime;

hdrret->rcv_time = Scheduler::instance().clock();
hdrret->seq = rcv_seq;
strcpy(hdrret->data, authenticate_result);//save data to new packet
// Send the packet back to the originator
send(pktret, 0);
}
else
{
char out[105];
// showing at originator node when packet comes back

sprintf(out, "%s recv %d %3.1f %s _ %d", name(), hdrip->src_.addr_ >>

Address::instance().NodeShift_[1],
(Scheduler::instance().clock()-hdr->send_time) * 1000, hdr->data, hdr-
>hashvalue);
Tcl& tcl = Tcl::instance();
tcl.eval(out);
// Discard the packet
Packet::free(pkt);
}
}

5.2 TCL script for simple demonstration

#-----------------------------------
# Dated: April 25,2005
# Created: Sam Tran and Tuan Nguyen.
# File name: security_packet.cc
#-----------------------------------
#Create a simulator object
set ns [new Simulator]

#Define different colors for data flows (for NAM)

$ns color 1 Blue
$ns color 2 Red

#Open a trace file

set nf [open out.nam w]
$ns namtrace-all $nf

#Define a 'finish' procedure

proc finish {} {

14
 global ns nf
$ns flush-trace
close $nf
exec nam out.nam &
exit 0
}

#Create four nodes

set n0 [$ns node]
set n1 [$ns node]
set n2 [$ns node]
set n3 [$ns node]
set n4 [$ns node]
set n5 [$ns node]

#Create links between the nodes

$ns duplex-link $n0 $n2 5Mb 10ms DropTail
$ns duplex-link $n1 $n2 5Mb 10ms DropTail
$ns duplex-link $n2 $n3 1.5Mb 10ms DropTail
$ns duplex-link $n3 $n4 5Mb 10ms DropTail
$ns duplex-link $n3 $n5 5Mb 10ms DropTail

#Set Queue Size of link (n2-n3) to 100

$ns queue-limit $n2 $n3 100

$ns duplex-link-op $n0 $n2 orient right-down

$ns duplex-link-op $n1 $n2 orient right-up
$ns duplex-link-op $n2 $n3 orient right
$ns duplex-link-op $n3 $n4 orient right-up
$ns duplex-link-op $n3 $n5 orient right-down

#Define a 'recv' function for the class 'Agent/Security_packet'

Agent/Security_packet instproc recv {from rtt mess originmess hash} {
$self instvar node_
puts "node [$node_ id] received packet from \
$from with trip-time $rtt ms - contend: $mess - decrypted $originmess -hash: $hash"
}

#Create two security agents and attach them to the nodes n0 and n2
set p0 [new Agent/Security_packet]
$ns attach-agent $n0 $p0
$p0 set class_ 1

set p1 [new Agent/Security_packet]

$ns attach-agent $n1 $p1
$p1 set class_ 1

set p2 [new Agent/Security_packet]

$ns attach-agent $n4 $p2
$p2 set class_ 2

15
set p3 [new Agent/Security_packet]
$ns attach-agent $n5 $p3
$p3 set class_ 2

#Connect the two agents

$ns connect $p0 $p3
$ns connect $p1 $p2

#Schedule events

for {set i 1} {$i < 2} {incr i} {

set result [expr $i /2]
$ns at $result "$p0 send itisalongmessageIcansend"
$ns at [expr $result + 0.02] "$p1 send Itisashotermessage"
$ns at [expr $result + 0.04] "$p2 send test3"
$ns at [expr $result + 0.06] "$p3 send test4"
}
$ns at 1.0 "finish"

#Run the simulation

$ns run

Reference Documents
[1]. SDS Outline, The University of Texas at Austin, 1999.
from the World Wide Web: http://www.cs.utexas.edu/
[2]. Nguyen Viet Phuong, Vu Tat Dat, Nguyen Anh Tuan, Dinh Ngoc Lan, Elevator Simulation
System System Design Specification, 2003.
[3]. Matt Bishop, Computer Security: Art+Science, Publisher Addison Wesley
[4]. Jess Garms and Daniel Somerfield, Professional Java Security ,Wrox Press Ltd.
[5]. Marc Greis (2005). Tutorial for the network simulator ns. Retrieved 3/28/05 from:
http://www.isi.edu/nsnam/ns/tutorial/index.html
[6]. Free Information Society (2005). Hash Table Class. Retrieved 4/4/05 from:
http://www.freeinfosociety.com/computers/programs/cpp/hashtable.h

[7] Hash function implemented in C++ with polynomial algorithm. Retrieved 4/14/05 from
http://wikisource.org/wiki/Polynomial_hash_function.

16