dept. of computer science & engineering, cuhk1 trust- and clustering-based authentication...
Post on 20-Dec-2015
213 views
TRANSCRIPT
Dept. of Computer Science & Engineering, CUHK 1
Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks
Edith Ngai and Michael R. LyuProceedings 2nd International Workshop on Mobile Distributed Computing (MDC'04), Tokyo , Japan , March 23-26 2004
Dept. of Computer Science & Engineering, CUHK 2
Outline
Introduction Related Work Models Security Operations Simulation Results Conclusion
Dept. of Computer Science & Engineering, CUHK 3
Mobile Ad Hoc Networks
Infrastructure-less Multi-hops Wireless communications Highly mobile Dynamic topology Vulnerable to security attacks
Dept. of Computer Science & Engineering, CUHK 4
Introduction
Certificate-based approach Fully distributed manner Detect false public key certificates Isolate dishonest users Propose a secure, scalable and distributed
authentication service Assure correctness of public key
certification
Dept. of Computer Science & Engineering, CUHK 5
Related Work
Traditional network authentication solutions rely on physically present, trust third-party servers, or called certificate authorities (CAs).
Partially-distributed certificate authority makes use of a (k,n) threshold scheme to distribute the services of the certificate authority to a set of specialized server nodes.
Fully-distributed certificate authority extends the idea of the partially-distributed approach by distributing the certificate services to every node.
Dept. of Computer Science & Engineering, CUHK 6
Related Work (Cont.)
Pretty Good Privacy (PGP) is proposed by following a web-of-trust authentication model. PGP uses digital signatures as its form of introduction. When any user signs for another user's key, he or she becomes an introducer of that key. As this process goes on, a web of trust is established.
Self-issued certificates issue certificates by users themselves without the involvement of any certificate authority.
Dept. of Computer Science & Engineering, CUHK 7
Our Work
Propose a secure public key authentication service in mobile ad hoc networks with malicious nodes
An originally trust-worthy node may become malicious all of a sudden due to the invasion of hackers
Prevent nodes from obtaining false public keys of the others
Based on a network model and a trust model Security operations include public key certification
and trust value update
Dept. of Computer Science & Engineering, CUHK 8
Architecture
Network Model Clustering-based network model for
obtaining a hierarchical organization of the network
Trust Model Trust model with an authentication metric
to maintain the trust values of different nodes
Security operations To detect and isolate malicious nodes
Dept. of Computer Science & Engineering, CUHK 9
The Network Model
Obtain a hierarchical organization Minimize the amount of storage for
communication information Optimize the use of network bandwidth Direct monitoring capability is limited to
neighboring nodes Allow the monitoring work to proceed more
naturally Improve network security
Dept. of Computer Science & Engineering, CUHK 10
The Network Model (Cont.)
Obtaining a hierarchical organization of a network is a well-known and well-studied problem
Related Clustering Techniques Weight-based clustering algorithms Max-Min D-cluster formation Weakly-connected dominating set Adaptive maintenance Zonal algorithm Location-aware clustering
Dept. of Computer Science & Engineering, CUHK 11
The Network Model (Cont.)
Group 1
Group 2
Group 3
Group 4
The network is divided into different regions
Each region with similar number of nodes
Each of the group has a unique group ID
Dept. of Computer Science & Engineering, CUHK 12
The Trust Model
Define a fully-distributed trust management algorithm that is based on the web-of-trust model, in which any user can act as a certifying authority
Use digital signatures as the form of introduction. Any node signs another's public key with its own private key to establish a web of trust
There is no need for any trust root certificates
Rely only on direct trust and groups of introducers in certification
Dept. of Computer Science & Engineering, CUHK 13
The Trust Model (Cont.)
Authentication in ad hoc network without centralized authorities generally depends on a path of trust intermediates.
To evaluate the trusts from the recommendation of other reliable entities, the relying node should be able to estimate the trustworthiness of these entities
Many metrics have been proposed to evaluate the confidence afforded by different paths
Related approaches include metrics for directed graph, PGP’s three levels of trust, and path independence
Dept. of Computer Science & Engineering, CUHK 14
The Trust Model (Cont.)
Define the authentication metric as a continuous value between 0.0 and 1.0
A direct trust is the trust relationship between two nodes in the same group
A recommendation trust is the trust relationship between nodes in different groups
Apply some equations to calculate and combine the trust values of the trust relationships on different paths
Update the trust tables accordingly
Dept. of Computer Science & Engineering, CUHK 15
Assumptions
There is an underlying clustering algorithm in the network
Nodes are divided into groups with unique IDs Each node keeps exchanging information
about which groups the other nodes belong to Each node is able to monitor the behavior of
its group members and obtain their public keys
Each node keeps a trust table for storing trust values of other nodes
Dept. of Computer Science & Engineering, CUHK 16
Security Operations
Public key certification It allows a node to obtain the public key
of another node securely A node sends request messages to
certain number of introducers for the public key certificates of the target node
Trust value update It updates the trust value of a node
based the trust values and relationships built up with other nodes in the network
Dept. of Computer Science & Engineering, CUHK 17
Authentication in our network relies on the public key certificates signed by some trustable nodes, called introducers i1, i2, …, in
A trust path is formed by a recommendation trust relationship and a direct trust relationship
Public Key Certification
Whole Network
Group A Group B Group C Group D
s t ini1 i2
… … …
…
…
Direct trust
Recommendationtrust
…
...
Dept. of Computer Science & Engineering, CUHK 18
Operations of Node
Select introducers Send request
messages to introducers
Collect and decrypt the messages
Compare the certificates, isolate dishonest nodes
Calculate trust value of the new node
Dept. of Computer Science & Engineering, CUHK 19
Trust Value Update
Direct trust relationship means to believe an entity in its capability with respect to the given trust class
Recommendation trust expresses the belief in the capability of an entity to decide whether another entity is reliable in the given trust class and in its honesty when recommending third entities
s denotes the requesting node t denotes the target node Nodes i1, i2, …, in are the introducers Each Vs, i* and Vi*, t form a pair to make up a single
trust path from s to ti1
in
i2
…
s t
Vs,i1
Vs,i2
Vs,in
Vi1,t
Vi2,t
Vin,t
Dept. of Computer Science & Engineering, CUHK 20
Trust Value Update (Cont.)
Compute the new trust relationship from s to t of a single path
Combine trust values of different paths to give the ultimate trust value of t
Insert trust value Vcom to the trust table of s
1221 )1(1 VVVV
,
1 1
1 (1 )i
i
m n
ncom i j
i j
V V
i1
in
i2
…
s t
Vs,i1
Vs,i2
Vs,in
Vi1,t
Vi2,t
Vin,t
Dept. of Computer Science & Engineering, CUHK 21
Simulation Set-Up
Network simulator Glomosim
Evaluate the effectiveness in providing secure public key authentication in the presence of malicious nodes
Simulation Parameters
Network # of nodes 40
# of groups 4
% of trustable nodes at initialisation p
% of malicious nodes m
Public key request
Max # of introducers for each request 3
Min # of reply for each request 1
Simulation Time 10000s
# of query cycles 20
# of requests per cycle 40
Dept. of Computer Science & Engineering, CUHK 22
Metrics
Successful rate % of public key requests that lead to a correct
conclusion Failure rate
% of public key requests that lead to an incorrect conclusion
Unreachable rate % of public key requests that cannot be made
due to not enough number of introducers
Dept. of Computer Science & Engineering, CUHK 23
Ratings to % of Malicious Nodes
Ratings to % of Malicious Nodes
0
1020
3040
50
6070
8090
100
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
% of Malicious Nodes
Ratin
g (%
)
Successful rate
Failure rate
Unreachable rate
Dept. of Computer Science & Engineering, CUHK 24
Comparison on Successful Rate
Successful Rate to % of Malicious Nodes
0
1020
3040
50
6070
8090
100
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
% of Malicious Nodes
Succ
essf
ul R
ate
(%)
Dept. of Computer Science & Engineering, CUHK 25
Comparison on Failure Rate
Failure Rate to % of Malicious Nodes
0
10
20
30
40
50
60
70
80
90
100
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
% of Malicious Nodes
Failu
re R
ate (%
)
Dept. of Computer Science & Engineering, CUHK 26
Conclusions
We developed a trust- and clustering-based public key authentication mechanism
We defined a trust model that allows nodes to monitor and rate each other with quantitative trust values
We defined the network model as clustering-based The proposed authentication protocol involved new
security operations on public key certification, update of trust table, discovery and isolation on malicious nodes
We conducted security evaluation We compared with the PGP approach to
demonstrate the effectiveness of our scheme