an authentication service based on trust and clustering in wireless ad hoc networks: description and...
Post on 19-Dec-2015
216 views
TRANSCRIPT
An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks:
Description and Security Evaluation
Edith C.H. Ngai and Michael R. Lyu
Department of Computer Science and EngineeringThe Chinese University of Hong Kong
5 Jun 2006The IEEE International Conference on Sensor Networks, Ubiquitou
s, and Trustworthy Computing (SUTC 2006)
Dept. of Computer Science & Engineering, CUHK 2
Outline
Introduction Related Work Architecture and Models Trust- and Clustering-Based
Authentication Service Simulation Results Conclusion
Dept. of Computer Science & Engineering, CUHK 3
Mobile Ad Hoc Network An ad-hoc network (of wireless nodes) is a
temporarily formed network, created, operated and managed by the nodes themselves.
It is also often termed an infrastructure-less, self-organized, or spontaneous network.
Dept. of Computer Science & Engineering, CUHK 4
Mobile Ad Hoc Network
Connected with wireless communication Dynamic Topology Nodes are often mobile Vulnerable to security attacks Applications
– Military: for tactical communications– Rescue missions : in times of natural disaster– Commercial use: for sales presentations or
meetings
Dept. of Computer Science & Engineering, CUHK 5
Vulnerabilities
Security in wireless ad hoc network is hard to achieve due to the vulnerabilities of its links, limited physical protection, and the absence of centralized management point
Unlike conventional networks, nodes of ad hoc networks cannot be secured in locked cabinets
Risk in being captured and compromised Wireless communications are vulnerable to
eavesdropping and active interference
Dept. of Computer Science & Engineering, CUHK 6
Security Mechanisms Popular network authentication architecture
include X. 509 standard and Kerberos systems Pretty Good Privacy (PGP) functions by
following a web-of-trust model and using digital signatures
Authentication service establishes the valid identities of communicating nodes
In reality, a node may turn from trustworthy to malicious under a sudden attack
We provide a secure authentication service that can defend against malicious nodes
Dept. of Computer Science & Engineering, CUHK 7
Related Work
Partially-distributed certificate authority by Zhou and Hass
Mobile Certificate Authority (MOCA) by Yi and Kravets
Fully-distributed certificate authority by Kong et. al.
Dept. of Computer Science & Engineering, CUHK 8
Related Work
Pretty Good Privacy (PGP) – following a web-of-trust authentication model
Self-issued certificates by Hubaux et. al.– distribute certificates by users themselves without
the involvement of any certificate authority
Dept. of Computer Science & Engineering, CUHK 9
Our Work
Propose a secure public key authentication service in mobile ad hoc networks with malicious nodes
Prevent nodes from obtaining false public keys of the others
Engage a network model and a trust model Design security operations including public
key certification, identification of malicious nodes, and trust value update
Dept. of Computer Science & Engineering, CUHK 10
Trust- and Clustering-Based Authentication Service Architecture
Dept. of Computer Science & Engineering, CUHK 11
The Network Model Clustering-based network model obtains a
hierarchical organization of a network Limit direct monitoring capability to
neighboring nodes Allow monitoring work
to proceed more naturally Improve network security
Dept. of Computer Science & Engineering, CUHK 12
The Trust Model
This model uses digital signatures as its form of introduction. Any node signs another's public key with its own private key to establish a web of trust
Define the authentication metric as a continuous value between 0.0 and 1.0
Define a direct trust relationship as the trust relationship between two nodes in the same group and a recommendation trust as the trust relationship between nodes of different groups.
Dept. of Computer Science & Engineering, CUHK 13
Clustering Structure Maintenance Maintain a balanced clustering structure for
supporting our trust model and security operations
Adapt to the mobility of nodes Handle leave and join of nodes from one
cluster to another Each node requests for the cluster ID of its
neighboring nodes periodically In each cycle, a node collects this information
and updates its cluster ID
Dept. of Computer Science & Engineering, CUHK 14
Clustering Structure Maintenance
A node joins the neighbouring cluster with minimum size only if it leaves the original cluster or the sizes of the neighbouring clusters are not within a certain range
Dept. of Computer Science & Engineering, CUHK 15
Evolution of Cluster Size
Cluster Size to Round in Approach 3
0
10
20
30
40
0 1 2 3 4 5 10 15 20 25 30 35
No. of Round
No.
of n
odes cluster 14
cluster 19
cluster 27
cluster 30
It keeps balance cluster sizes
Dept. of Computer Science & Engineering, CUHK 16
Authentication Service1. Public key
certification2. Identification of
malicious nodes3. Trust value
update
Selects a number of trustable nodes as introducers
Sends out request messages to introducers
Collects and compares all the public key certificates received
Selects the public key of t with majority votes
Discovers malicious introducer?
Isolates malicious introducer
Calculates trust value of t
Updates trust table
Dept. of Computer Science & Engineering, CUHK 17
Public Key Certification Authentication in our network relies on the public key
certificates signed by some trust-worthy nodes Nodes in the same group always know each other
better by means of their monitoring components and their short distances
Every node is able to request for the public key certificates of other new nodes
Nodes in the same cluster are assumed to know each other by means of their mutual monitoring components
Dept. of Computer Science & Engineering, CUHK 18
Public Key Certification We focus on public
key certification, where s and t belong to different groups
Nodes, which are in the same cluster as t and have already built up a trust relationship with s, can be introducers
Dept. of Computer Science & Engineering, CUHK 19
Public Key Certification
Send request to neighbors if target node in same cluster
Send request to introducers if target node in different cluster
Dept. of Computer Science & Engineering, CUHK 20
Identification of Malicious Nodes
Identify malicious neighboring nodes by monitoring their behaviors
Identify introducers who provide public key certificates different from the others
Identify a target node as malicious if the trust values provided from the introducers indicate that
Dept. of Computer Science & Engineering, CUHK 22
Parameters Setting Network simulator
Glomosim Evaluate the effecti
veness in providing secure public key authentication in the presence of malicious nodes
Dept. of Computer Science & Engineering, CUHK 23
Simulation Metrics Successful
rate Fail rate Unreachable
rate False-positive
error rate False-negative
error rate
Possible Cases with 3 Introducers
Dept. of Computer Science & Engineering, CUHK 24
Effectiveness of Neighbor Monitoring
Rates to No. of Cycles with n=40, r=100, (left) m=0.3 (right) m=0.7
Dept. of Computer Science & Engineering, CUHK 25
Isolation of Malicious Nodes
Rates to No. of Cycles with n=40, r=100, and Isolation of Suspicious Nodes in Cases 2,3,4,6,7 (left) m=0.3 (right) m=0.7
ID Cases0 Not enough
Introducers 1 OOO2 OOX3 OXX4 XXX5 OO6 OX7 XX8 O9 X10 No Reply
Dept. of Computer Science & Engineering, CUHK 26
Isolation of Malicious Nodes
Rates to No. of Cycles with n=40, r=100, and Isolation of Suspicious Nodes in Cases 2,4,7
(left) m=0.3 (right) m=0.7
ID Cases0 Not enough
Introducers 1 OOO2 OOX3 OXX4 XXX5 OO6 OX7 XX8 O9 X10 No Reply
Dept. of Computer Science & Engineering, CUHK 27
Conclusions We developed a trust- and clustering-based public key
authentication mechanism We defined a clustering-based network model with a
balanced structure and a trust model that allows nodes to monitor and rate each other with quantitative trust values
The authentication protocol proposed involves new security operations on public key certification, update of trust table, discovery and isolation of malicious nodes
We conducted security evaluation to demonstrate the effectiveness of our solution