Securing Mobile Ad Hoc Networks with
Certificateless Public Keys
Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE
Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006
Presenter: Hsin-Ruey, Tsai
Introduction
Related work
Design goals and system models
IKM design
Performance evaluation
Introduction
MANET: mobile ad hoc network; infrastructureless, autonomous, stand-alone wireless networks.
Key management: serverless. Two intuitive symmetric-key solutions: 1. Preload all the nodes with a global symmetric key. 2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.
Certificate-based cryptography (CBC)
Use public-key certificates to authenticate public keys by binding public keys to the owners' identities.
Preload each node with all the others' public-key certificates prior to network deployment.
Drawbacks: does not scale with network size; keys cannot be updated in a secure, cost-effective way.
ID-based cryptography (IBC)
Eliminates the need for public key distribution and certificates.
[Figure: the master key is held by shareholders (all or some of the nodes), which collaboratively issue ID-based private keys.]
Drawbacks: 1. Compromise of more than the threshold number of nodes (shareholders). 2. Key update is a significant overhead. 3. How to select the secret-sharing parameters. 4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.
ID-based key management (IKM)
Contributions: a novel construction method of ID-based public/private keys; determining the secret-sharing parameters used with threshold cryptography; simulation studies of the advantages of IKM over CBC-based schemes.
Each node's public key and private key is composed of a node-specific, ID-based element and a network-wide common element.
Node-specific element: compromising some nodes does not jeopardize noncompromised nodes' private keys.
Common element: efficient key updates via a single broadcast message.
IKM has performance equivalent to CBC-based schemes (denoted CKM) while behaving much better in key updates.
Identifies pinpoint attacks against shareholders.
Related work
CBC and (t, n) threshold cryptography: N is the number of nodes, t ≤ n ≤ N.
[Figure: the CA's private key is divided into n shares held by n distributed CAs (D-CAs) among the N nodes; certificate generation and revocation require t D-CAs. The scheme tolerates the compromise of up to (t-1) D-CAs and the failure of up to (n-t) D-CAs.]
Pairing technique: let p, q be two large primes, G1 a q-order subgroup of the additive group of points of E/Fp, G2 a q-order subgroup of the multiplicative group of the finite field F*_{p^2}, and e: G1 × G1 → G2 a bilinear map.
Bilinear: for all P, Q, R, S in G1,
  e(P+Q, R+S) = e(P, R) e(P, S) e(Q, R) e(Q, S).
Consequently, for all a, b in Z*_q,
  e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^(ab).
Design goals
MANETs should satisfy the following requirements: 1. Each node is initially uncompromised. 2. Compromise tolerance. 3. Efficient revocation and update of node keys. 4. Efficiency, because nodes are resource-constrained.
Network and adversary model
Network model: a special-purpose, single-authority MANET consisting of N nodes.
Adversary model: 1. Only a minority of members are compromised/disrupted. 2. Adversaries cannot break any of the cryptographic primitives. 3. Static adversaries. 4. Compromised nodes exhibit detectable misbehavior. Assumption: adversaries can compromise at most (t-1) D-PKGs and disrupt no more than (n-t) D-PKGs (n is the number of D-PKGs, t the threshold).
Network initialization
The PKG generates the pairing parameters (p, q, e) and selects a generator W of G1.
H1: hash function mapping binary strings to nonzero elements of G1. Kp1, Kp2 ∈ Z*_q are the master secrets; Wp1 = Kp1·W, Wp2 = Kp2·W.
The PKG preloads the parameters (p, q, e, H1, W, Wp1, Wp2) to each node, while Kp1 and Kp2 must never be disclosed to any single node.
Secret sharing (enables key revocation and update)
The PKG performs a (t, n)-threshold secret sharing of Kp2 (t: threshold; n: number of D-PKGs; N: number of nodes), distributing its functionality to the n D-PKGs so that any t of them reach the threshold.
[Figure: the PKG preloads each D-PKG with its (verifiable) share; with at least t shares and the Lagrange coefficients, Kp2 can be reconstructed by Lagrange interpolation, computing g(0).]
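As an added example (not code from the paper or its authors), the following Python shows the (t, n)-threshold sharing of Kp2 among n D-PKGs and its reconstruction by Lagrange interpolation at g(0). It uses a constructed small prime q in place of the paper's large q and does not model the verifiability of the shares.

```python
# Added example (not from the paper): (t, n)-threshold sharing of the master
# secret Kp2 and Lagrange reconstruction of g(0). Arithmetic is over Z_q for a
# constructed small prime; share verifiability is not modelled here.
import random

Q = 7919  # constructed small prime standing in for the paper's large q


def share_secret(kp2, t, n, q=Q, rng=random):
    """Split kp2 into n shares such that any t of them reconstruct it.
    g(x) = kp2 + a1*x + ... + a_{t-1}*x^{t-1} (mod q); D-PKG i gets (i, g(i))."""
    coeffs = [kp2 % q] + [rng.randrange(1, q) for _ in range(t - 1)]

    def g(x):
        return sum(c * pow(x, k, q) for k, c in enumerate(coeffs)) % q

    return [(i, g(i)) for i in range(1, n + 1)]


def lagrange_at_zero(shares, q=Q):
    """Reconstruct g(0) from (x_i, y_i) pairs by Lagrange interpolation:
    g(0) = sum_i y_i * prod_{j != i} x_j / (x_j - x_i)  (mod q)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * xj % q
                den = den * (xj - xi) % q
        # pow(den, -1, q) is the modular inverse (Python 3.8+)
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def reconstruct_from_any_t(shares, t, rng=random):
    """Any t D-PKGs suffice: pick t shares at random and recover Kp2."""
    return lagrange_at_zero(rng.sample(shares, t))
```

A wrongly computed share, as an unrevoked compromised D-PKG might send, yields a wrong g(0) without any local error, which is why the combined result must be checked before use.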
Generation of ID-based public/private keys
IKM is composed of a number of continuous, nonoverlapping key-update phases, denoted by p_i for 1 ≤ i ≤ M, where M is the maximum possible phase index. Each p_i is associated with a unique binary string, called a phase salt, salt_i.
[Figure: each key has a node-specific element and a phase-specific element; the phase-specific element varies across key-update phases, while the node-specific element remains unchanged and is kept confidential to node A itself.]
Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master secrets Kp1 and Kp2 from an arbitrary number of public/private key pairs; hence an adversary cannot deduce the private key of any noncompromised node.
Key revocation: misbehavior notification
[Figure: B accuses A; the accusation carries a timestamp and is protected with the key B shares with V. Design points: communication overhead, resilience.]
Key revocation: revocation generation
If the accusations against A exceed the threshold, the D-PKGs diagnose A; generating a revocation requires the joint efforts of t D-PKGs.
[Figure: the t D-PKGs with the smallest IDs take part, the lowest-ID one acting as revocation leader. The leader sends the accumulated accusations to the D-PKGs; each D-PKG verifies the accusations, generates a partial revocation and sends it to the revocation leader, who combines the partial revocations into the complete revocation.]
Key revocation: partial and complete revocations
Let the set denote the t D-PKGs participating in revocation generation. It is possible that one or several of its members are unrevoked compromised nodes which might send wrongly computed partial revocations. The revocation leader therefore checks the combined revocation; if it is not equivalent to a valid one, it checks each node's partial revocation individually, and finally floods the complete revocation to each node.
Key revocation: leader failure
If the D-PKGs do not receive a correct revocation against A within a certain time, the revocation leader itself is a compromised node, and the D-PKG with the second lowest ID succeeds it as revocation leader.
As long as there is at least one noncompromised D-PKG among the t participating D-PKGs and there are at least t noncompromised D-PKGs in total, a valid accusation against node A can always be generated.
Key update
Public key:
Private key: (B just performs two hash operations)
The common element needs the collective efforts of t D-PKGs: Z randomly selects (t-1) other nonrevoked D-PKGs and sends them a request; these t D-PKGs, including Z itself, each generate a partial common private-key element, which is then checked.
Key update: propagation
To propagate the common element securely to all the nonrevoked nodes, IKM uses a variant of the self-healing group key distribution scheme.
[Figure: the set of nodes revoked until phase p_i; Z broadcasts the key-update parameters; the maximum number of compromised nodes bounds the design. The PKG picks M distinct polynomials of one degree and M distinct polynomials of a second degree. A point on E/Fp can be sent compactly, since its x-coordinate can be uniquely determined from its y-coordinate. Labels: key-update parameters, revoked node.]
IKM design: choosing the secret-sharing parameters t and n
All adversaries can do is attempt to compromise or disrupt randomly picked nodes, with the expectation that those nodes happen to be D-PKGs. Suppose they can compromise up to Nc ≥ t nodes and disrupt up to Nd ≥ n-t+1 nodes. Define Prc and Prd as the probabilities that at least t out of the Nc compromised nodes, respectively at least (n-t+1) out of the Nd disrupted nodes, happen to be D-PKGs.
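Added example (not from the paper): computing Prc and Prd for candidate (t, n), assuming the adversary's Nc compromised and Nd disrupted nodes are picked uniformly at random from the N nodes, so both probabilities are hypergeometric upper tails; the feasible_thresholds scan is my own addition for exploring the t trade-off.

```python
# Added example (not from the paper): Prc and Prd for choosing (t, n), under
# the assumption that the adversary picks nodes uniformly at random without
# knowing which n of the N nodes are D-PKGs.
from math import comb


def prob_at_least(k, n, N, m):
    """P(at least k of m uniformly chosen nodes fall among the n D-PKGs):
    the hypergeometric upper tail sum_{i>=k} C(n,i) C(N-n,m-i) / C(N,m)."""
    if m > N or n > N:
        raise ValueError("n and m must not exceed N")
    total = comb(N, m)
    hits = range(max(k, 0), min(n, m) + 1)
    return sum(comb(n, i) * comb(N - n, m - i) for i in hits) / total


def pr_c(t, n, N, Nc):
    """Prc: at least t of the Nc compromised nodes are D-PKGs, i.e. enough
    shares to reconstruct Kp2. Decreases as t grows."""
    return prob_at_least(t, n, N, Nc)


def pr_d(t, n, N, Nd):
    """Prd: at least n-t+1 of the Nd disrupted nodes are D-PKGs, i.e. fewer
    than t D-PKGs remain and Kp2 can no longer be reconstructed.
    Increases as t grows, which is the trade-off against Prc."""
    return prob_at_least(n - t + 1, n, N, Nd)


def feasible_thresholds(n, N, Nc, Nd, max_pr):
    """Return every t in 1..n for which both Prc and Prd are at most max_pr,
    so a designer can see which thresholds survive both attack budgets."""
    return [t for t in range(1, n + 1)
            if pr_c(t, n, N, Nc) <= max_pr and pr_d(t, n, N, Nd) <= max_pr]
```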
Performance evaluation
CKM vs. IKM, simulated in GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB memory.