security services in group communications over wireless infrastructure, mobile ad hoc, and wireless...

IEEE Wireless Communications • October 20078 1536-1284/07/$20.00 © 2007 IEEE

N1

1.1

1.2 2.2

Bob(victim)

Eve

Thru wired networks

Thru powerful antennas

Alice(attacker)

SE C U R I T Y I N WIRELESS

MO B I L E AD HOC A N D SENSOR NETWORKS

INTRODUCTIONGroup communications refers to either point-to-multipoint (in which a packet is delivered from agroup member to the other members) or multi-point-to-multipoint communications (in whichpackets are sent from multiple members to othermembers simultaneously). The characteristics ofdifferent wireless networks — wireless infra-structure networks (WINs), ad hoc networks(AHNs), and wireless sensor networks (WSNs)— are vastly different in terms of group manage-ment, packet types, and resources. However, onecommon risk among these networks is that allmembers communicating through wireless chan-nels are more insecure and susceptible to numer-ous attacks than wired networks [1–3]. Thus, anattempt to establish secure group communica-tions (SGC) over these networks faces variouschallenges in order to meet security require-ments as specified in Table 1.

The rest of the article is organized as follows.First, various known attacks are presented, fol-lowed by a discussion on group communications,and security requirements and services in secur-

ing group communications. Several proposals forSGC over these different networks are then dis-cussed.

KNOWN ATTACKS IN WIRELESS NETWORKS

Here, we present some known attacks (intensivelydiscussed in [2–5] and sparsely discussed in otherreferences) that pose a significant threat to groupcommunications over wireless networks, and cate-gorize these attacks based on their impacts, includ-ing data integrity and confidentiality, powerconsumption, routing, identity, privacy, and serviceavailability. For example, Figs. 1 and 2 illustratesome of these attacks in a real wireless network.

DATA INTEGRITY ANDCONFIDENTIALITY-RELATED ATTACKS

In general, this type of attack attempts toreveal or compromise the integrity and confiden-tiality of data contained in the transmitted pack-ets.

Denial of service on sensing (DoSS) attack:An attacker tampers with data before it is readby sensor nodes, thereby resulting in false read-ings and eventually leading to a wrong decision.A DoSS attack generally targets physical layerapplications in an environment where sensornodes are located.

Node capture attack: An attacker physicallycaptures sensor nodes and compromises themsuch that sensor readings sensed by compro-mised nodes are inaccurate or manipulated. Inaddition, the attacker may attempt to extractessential cryptographic keys (e.g., a group key)from wireless nodes that are used to protectcommunications in most wireless networks.

Eavesdropping attack: An attacker secretlyeavesdrops on ongoing communications betweentargeted nodes to collect information on connec-tion (e.g., medium access control [MAC]address) and cryptography (e.g., session keymaterials). Although this attack can be classifiedinto other categories such as privacy-related

PITIPATANA SAKARINDR AND NIRWAN ANSARI, NEW JERSEY INSTITUTE OF TECHNOLOGY

ABSTRACT

Group communications in wireless networkshas been facilitating many emerging applicationsthat require packet delivery from one or moresender(s) to multiple receivers. Due to insecurewireless channels, group communications aresusceptible to various kinds of attacks. Althougha number of proposals have been reported tosecure group communications, provisioning secu-rity in group communications in wireless net-works remains a critical and challenging issue.This article presents a survey of recent advancesin security requirements and services in groupcommunications in three types of wireless net-works, and discusses challenges in designingsecure group communications in these networks:wireless infrastructure networks, mobile ad hocnetworks, and wireless sensor networks.

SECURITY SERVICES IN GROUP COMMUNICATIONSOVER WIRELESS INFRASTRUCTURE, MOBILE

AD HOC, AND WIRELESS SENSOR NETWORKS

The authors presenta survey of recentadvances in securityrequirements andservices in groupcommunications inthree types of wireless networks,discussing challengesin designing secure group communications inthese networks.

SAKARINDR LAYOUT 10/3/07 2:35 PM Page 8

IEEE Wireless Communications • October 2007 9

attacks, we group it into this category due to itssevere consequences in the sense that the col-lected cryptographic information may break theencryption keys such that the attacker canretrieve meaningful data.

POWER CONSUMPTION RELATED ATTACKSIn general, this type of attack attempts to exhaustthe device’s power supply, which is one of themost valuable assets in wireless networks. The

worst case would cause a collapse of networkcommunications.

Denial of sleep attack: An attacker tries todrain a wireless device’s limited power supply(especially sensor devices) so that the node’slifetime is significantly shortened. In general,during a sleep period in which there is no radiotransmission, the MAC layer protocol reducesthe node’s power consumption by regulating thenode’s radio communications. Thus, the attacker

n Table 1. Characteristics of possible attacks on SGC over wireless networks.

NetworksCharacteristics

Wireless infrastructurenetworks Mobile ad hoc networks Wireless sensor networks

Central authority Yes No Yes (base stations/data aggregationnodes)

Computation High/varying (basestations/devices) Varying High/very low (base stations/sensors)

Storage High/varying (basestations/devices) Varying High/very low (base stations/sensors)

Power supply High Varying Low

Handoff Yes No (in IPv4) Not likely

Mobility (dynamicmembership) Varying High Varying (likely fixed)

Network topology Varying (likely low dynamic) Highly dynamicVarying (likely highly dynamic due toshort life cycles and unreliability ofnodes)

Message length Varying (depending onapplications) Varying (depending on applications) Relatively short and aggregated

Connectivity Continuous Likely short lived Either shortly periodic or continuous

Direction ofconnections between amember and adesignated controller

(A member — an accesspoint)Duplex

(A member — a designated con-troller)Duplex

(A sensor node — an aggregator)Uniplex for most communicationsDuplex only in certain incidents (e.g.,locating the aggregator)

Key management Centralized/contributory Distributed/contributory Distributed/contributory

Predeterminedinformation Possible Limited–not at all Most likely

Potential cryptography Varying Varying Symmetric/elliptic curve cryptography(ECC)

Additional criteria 1. Key management anddynamic membershipduring a handoff period.

1. All network and key managementtasks should be equally distributed(fairness).2. Network partitions can occurmore frequently and may increasethe number of isolated nodes.3. Multicast routings are updated fre-quently due to a dynamic network.4. Trust relationship can enhancethe performance.

1. The ratio of the length of encryptedmessages to messages should be aslow as possible.2. Trust relationship can enhance theperformance.

Some known attacks

Single point of failure (ataccess points), denial ofservice, collusion, insider,traffic analysis, routing,identity, replay, jamming.

Denial of service, collusion, insider,traffic analysis, routing, identity,replay, jamming, Sybil, wormhole,sinkhole.

Single point of failure (at base stations/data aggregating nodes), denial ofservice, collusion, insider, traffic analy-sis, routing, identity, replay, jamming,Sybil, sinkhole, denial of sleep, denial ofservice on sensing, node capture.


IEEE Wireless Communications • October 200710

attacks the MAC layer protocol to shorten ordisable the sleep period. If the number of power-drained nodes is large enough, the whole sensornetwork can be severely disrupted.

SERVICE AVAILABILITY AND BANDWIDTHCONSUMPTION RELATED ATTACKS

These attacks can, in fact, also be categorized aspower consumption-related attacks. However,since they mainly aim to overwhelm the forward-ing capability of forwarding nodes or consumesparsely available bandwidth, they are more like-ly related to the service availability and band-width consumption concerns, they arehighlighted in this category. If these attacksresult in a denial of service to legitimate mem-bers, they can also be referred to as a variant ofdenial-of-service (DoS) attacks.

Flooding attack: An attacker typically sends alarge number of packets to the access point or avictim to prevent the victim or the whole net-work from establishing or continuing communi-cations.

Jamming (radio interference) attack: Anattacker can effectively cut off wireless connec-tivity among nodes by transmitting continuousradio signals such that other authorized usersare denied from accessing a particular frequencychannel. The attacker can also transmit jammingradio signals to intentionally collide with legiti-mate signals originated by target nodes.

Replay attack: An attacker copies a forward-ed packet and later sends out the copies repeat-edly and continuously to the victim in order toexhaust the victim’s buffers or power supplies, orto base stations and access points in order todegrade network performance. In addition, the

replayed packets can crash poorly designedapplications or exploit vulnerable holes in poorsystem designs.

Selective forwarding attack: A forwardingnode selectively drops packets that have beenoriginated or forwarded by certain nodes, andforwards other irrelevant packets instead.

ROUTING RELATED ATTACKSIn general, these attacks attempt to change rout-ing information, and to manipulate and benefitfrom such a change in various ways.

Unauthorized routing update attack: Anattacker attempts to update routing informa-tion maintained by routing hosts, such as basestations, access points, or data aggregationnodes, to exploit the routing protocols, to fab-ricate the routing update messages, and tofalsely update the routing table. This attackcan lead to several incidents, including: somenodes are isolated from base stations; a net-work is partitioned; messages are routed in aloop and dropped after the time to live (TTL)expires; messages are perversely forwarded tounauthorized attackers; a black-hole route inwhich messages are maliciously discarded iscreated; and a previous key is still being usedby current members because the rekeying mes-sages destined to members are misrouted ordelayed by false routings.

Wormhole attack: An adversary interceptscommunications originated by the sender, copiesa portion of or a whole packet, and speeds upsending the copied packet through a specializedwormhole tunnel such that the copied packetarrives at the destination earlier than the origi-nal packet traversed through normal routes. Thewormhole tunnel can be created by several

n Figure 1. An illustration of mixed attacks in a real wireless network.

Flooding traffic

Scenario: Attacks:Steps:

Bob communicates with a data-sensitive server through hybrid (infrastructure/ad hoc) wireless networks.Eavesdropping, impersonate, flooding, and collusion.1A.1B.2.

3.

4.

Alice has previously compromised N1 by any means.Alternatively, N1 is a colluding attacker that shares information and helps to carry out the attack.Alice may command N1 to start eavesdropping on Bob’s incoming and outgoing packets. If possibly, Alice mayeavesdrop on N1 packets due to insecure wireless channel. This eavesdroppping attack aims to collect more informationabout Bob’s communication with the server D for traffic analysis.Alice floods Bob’s machine or network such that Bob is denied of service. Note that Alice is unlikely to ask a colluding N1to launch the flooding attack because N1 will possibly be caught.Alice impersonates Bob’s identity to falsely gain access, on behalf of Bob, to information authorized by server D to Bob. Note that Bob cannot notify server D due to the effect of the flooding attack and we assume that Bob does not use anout-of-bound channel (e.g. telephone to the server D’s operator).

Legitimate traffic between Bob and Server (at the beginning)Identity-stolen traffic between Alice and Server (thereafter)

N1 is comporomised (Alice can hideattack activities through N1)

Eavesdropping

Flooding

Alice(attacker)

On the commandof AliceRouter Access point 1

Impersonateon behalf of Bob

Node compromisedOR a colluding attacker 1

2

4

N1

2

3

BOB(victim)

Server D

Internetbackbone



means, such as by sending the copied packetthrough a wired network and at the end of thetunnel transmitting over a wireless channel,using a boosting long-distance antenna, sendingthrough a low-latency route, or using any out-of-bound channel, as illustrated in Fig. 2. Thewormhole attack poses many threats, especiallyto routing protocols and other protocols thatheavily rely on geographic location and proximi-ty, and many subsequent attacks (e.g., selectivelyforwarding, sinkhole) can be launched after thewormhole path has attracted a large amount oftraversing packets. Readers are referred to [4]for details and a mechanism to detect such anattack.

Sinkhole attack: An attacker attracts allnodes to send all packets through one or sev-eral of its colluding nodes, called sinkholenode(s), so that the attacker (and its colludinggroup) has access to all traversing packets. Toattract the victimized nodes, the sinkholenode is usually presented as an attractive for-warding node such as having a higher trustlevel, being advertised as a node in the short-est distance or short delay path to a base sta-tion, or a nearest data aggregating node (inWSNs).

IDENTITY RELATED ATTACKS

In general, these attacks cooperate with eaves-dropping attacks or other network-sniffing soft-ware to obtain vulnerable MAC and networkaddresses. They target the authentication entity.

Impersonate attack: An attacker imperson-ates another node’s identity (either MAC or IPaddress) to establish a connection with or launchother attacks on a victim; the attacker may alsouse the victim’s identity to establish a connectionwith other nodes or launch other attacks onbehalf of the victim, as illustrated in Fig. 1.There are several softwares capable of repro-gramming the devices to forge the MAC andnetwork addresses.

Sybil attack: A single node presents itself toother nodes with multiple spoofed identifications(either MAC or network addresses). The attackercan impersonate other nodes’ identities or simplycreate multiple arbitrary identities in the MACand/or network layer. Then the attack posesthreats to other protocol layers; for examples,packets traversed on a route consisting of fakeidentities are selectively dropped or modified; ora threshold-based signature mechanism that relieson a specified number of nodes is corrupted.

n Figure 2. An illustration of routing related and other attacks.

Scenario: Attacks 1:Steps:

Attacks 2:Steps:

Bob (and Denice) communicates with Charlie (and Eve) through a mobile ad hoc network.Sybil, sinkhold, and selectively forwarding attacks.1.1

1.2

1.3

2.1

2.22.32.4

Alice generates multiple fake identifications, and advertises an attractive “low-latency” path consisting of theseidentities to N2. (Sybil attack)Alice advertises this low-latency path to N1, who updates its routing table accordingly. N1 forwards Bob’s packets toCharlie through this low-latency path. (Sinkhole attack)Alice passively eavesdrops all Bob-Charlie’s packets or selectively drops all Bob-Charlie’s packets while still forwardingDenice-Eve’s packets to reduce the possibility of being caught. (Selectively forwarding attack)

Eavesdropping, wormhole, false routing, and collusion attacks.Alice sets up a wormhole tunnel (in this illustration, either thru wired networks or thru powerful antennas) to Gina, acolluding attacker. (Collusion attack)Alice eavesdrops Bob-N1’s packets and copies them. (Eavesdropping attack)Alice forwards the copies to Gina through the wormhole tunnel. (Wormhole attack)Gina forwards the copies to N2. N2 updates the new route between N1 and N2 through this wormhole tunnel. (Falserouting update)

Denice

Charlie

N2

F3 F2F1

N1

1.3

1.1

ATTACKS 1

ATTACKS 21.2 2.2

Bob(victim)

Eve

F1-F3 are identity-faked nodes

Traffic that is forwarded through a low-latency tunnel

2.1

2.3

Thru wired networks

Thru powerful antennas

Original traffic that is forwarded through a normal pathDuplicated traffic is forwarded through a wormhole-tunnel

Gina(a colluding attacker) 2.3

Alice(attacker)

Wormhole tunnel

Internetbackbone



PRIVACY RELATED ATTACKS

In general, this type of attack uncovers theanonymity and privacy of communications and,in the worst case, can cause false accusations ofan innocent victim.

Traffic analysis attack: An attacker attemptsto gain knowledge of the network, traffic, andnodes’ behaviors. The traffic analysis mayinclude examining the message length, messagepattern or coding, and duration the messagestayed in the router. In addition, the attackercan correlate all incoming and outgoing packetsat any router or member. Such an attack violatesprivacy and can harm members for being linkedwith messages (e.g., religious-related opinionsthat are deemed provocative in some communi-ties). The attacker can also perversely link anytwo members with any unrelated connections.

If a group of attackers collude to launch anytype of attacks, it is referred to as a collusionattack. For example, the colluding group ofattackers orchestrates to collect information tosignificantly exploit the system, masquerade alegitimate member and send out fault messageson behalf of that member, conjointly mountattacks against other members or network enti-ties, or falsely accuse a legitimate member as anattacker.

SECURE GROUP COMMUNICATION SYSTEMS

A group communication system (GCS) consistsof five common operations: initiate, join, leave,partition, and merge. The group is first estab-lished by initial members. Then one or severalprospective members join the group while somemembers leave the group. This is so-calleddynamic membership. A large number of mem-bership changes, referred to as a bulk member-ship change, require a specialized protocoldesign without degrading group performance. Insome scenarios a group can be partitioned intosmaller subgroups or merged into a bigger group.This can also be considered a bulk membershipchange, but the transitions among groups likelyincur overheads. This dynamic membershipaspect requires the GCS to rekey the sessionkeys in order to preserve the key secrecy. ForWSNs, this dynamic membership may not benecessary because the keys are most likely pre-determined prior to deployment [6–8]. In wire-less infrastructure and ad hoc networks, most, ifnot all, GKM schemes require each member tokeep the membership list, thus incurring hugecommunication overhead. However, in a WSN,this list might not be necessary due to storagelimitations of sensor nodes and the provision ofpreselected entities (data aggregating nodes) tokeep track of their members.

SECURITY REQUIREMENTS ANDSECURITY SERVICES IN SGC

This section discusses security requirements andcorresponding security services in securing groupcommunications and mitigating attacks as sum-marized in Tables 1 and 2. Table 3 describes indepth the characteristics of major security ser-vices over wireless networks. Many systems have

been proposed to address the requirements andprovide such services, but only a few promisingsystems are presented here due to space limits.

Group Key Management (GKM): The funda-mental security service in SGC is the provisionof a shared key, the group key. The shared groupkey is used to encrypt a group message, sign themessage, authenticate members and messages,and authorize access to traffic and groupresources. Thus, the strength of SGC largelyrelies on the cryptographic strength of the keysand the key management protocol. A GKMscheme deployed in any secure group communi-cation system should satisfy the followingrequirements:• Key generation is secure.• Imitation of the group key should be infeasible

or computationally difficult.• The group key is securely distributed and only

the legitimate users can receive a valid groupkey.

• Revocation of the group key upon every mem-bership change should be immediate.

• Every membership change must result inrekeying of associated keys.

• A rekeying of the key is secure.Basically, GKM can be categorized into three

types based on how the key is generated: cen-tralized, distributed, and contributory [9, 10]. Arevocation can be performed by limiting the ses-sion period for which the keys are valid. Thenthe session period and remaining period are cal-culated and attached along with keys beforebeing distributed to all members. If keys need tobe rekeyed (with three triggering conditions asdiscussed in Table 3), the key revocation can besent by the designated entity to notify all mem-bers holding these keys, as discussed in [6, 11].

Group authentication: In group communica-tion (one-to-many and many-to-many), a membercan be either the designated sender, the designat-ed receiver, or both. Both users and messagesshould be authenticated to safeguard identityrelated attacks. In some systems a member cer-tificate is issued by the trusted certificate issuingentity along with its validation period. In somesystems the expired certificate is maintained forfurther verifications, as discussed in [9]. Expiredcertificates are compiled into the revocation list,which is distributed to notify all members.

Group authorization and access control: Inany conventional access control mechanism, amember who holds a decrypting key can accessfull contents in a flow (or all flows in an aggre-gated stream). This is referred to as a singleaccess privilege. In many group-oriented applica-tions, group members can be assigned with mul-tiple access privileges. Thus, the stream shouldbe accessed with different access privileges suchthat only members who have an appropriateprivilege can access the corresponding portionsof contents (or flows). This is referred to as mul-tiple access privilege.

Group accounting and nonrepudiation: Anygroup operation executed or a record ofresources utilized by a member should be avail-able for tracking in order to detect any abusiveusage of resources and operations. A nonrepudi-ation service can ensure that the identity of amember whose activities are in dispute can be

A GCS consists offive common operations: initiate,join, leave, partition,and merge. Thegroup is first established by initialmembers. Then, oneor several prospectivemembers join thegroup while somemembers leave thegroup. This is the so-called dynamicmembership.



fully and precisely determined by the designatedentity. In general, the group signature and mem-ber certificate can be used to authenticate thesource and message, and to provide proof of thesource’s activity in case of a dispute.

Group privacy and anonymity: Any informa-tion related to a group message, such as identi-ties of a sender and a receiver, message length,and time, can be protected or hidden to preserve

privacy and anonymity of members. An anony-mous message refers to a message that carriesno information about the senders and receivers.

Group message integrity and confidentiality:Message integrity should be preserved by ensur-ing that the message has not been fabricated(some or all portions of the message have notbeen added, deleted, or modified) or dropped byan unauthorized entity. This can be done by sev-

n Table 2. Security services to countermeasure attacks.

Attacks

Security services to countermeasure attacks

Authentication Authorization/access control

Accounting/nonrepudiation

Messageconfidentialityand integrity

Privacy/anonymity

Survivability/availability

Denial of serviceon sensing — — — — — Sensing tampering

detection

Node capture — Username,password, ID — e{management

& data} & hash — Node intrusiondetection

Eavesdropping — — — e{management& data} & hash

Source–destinationanonymity

—

Denial of sleep Source & messageauthentication

access controlon routing table group signature e{manage-

ment} & hash — —

Flooding Sourceauthentication — — — —

Early detection for anexcessive amount ofpackets

Jamming — — — e{data} & hash — Jamming detection

Replay — —

Group signature,timestamp, andpacket sequencenumber

e{data withnonce} & hash — —

Selective For-warding

Source &messageauthentication

—


e{data withnonce} & hash — —

Unauthorizedrouting update

Source & messageauthentication

Access controlon routing table

Messagesignature

e{manage-ment} & hash — Loophole and sinkhole

routing detection

Wormhole Sourceauthentication

access controlon routing tableand using direc-tional antenna

—e{management,data withnonce} & hash

— —

Sinkhole Source & messageauthentication

Access controlon routing table — e{manage-

ment} & hash — —

Impersonate Sourceauthentication

Access controllist

Group signatureand time-expiredcertificate

e{management& data} & hash — —

Sybil Sourceauthentication

Access controllist

Group signatureand time-expiredcertificate

e{management& data} & hash — Multiple IDs detection

Traffic Analysis Messageauthentication —


e{data} & hashSource–destinationanonymity

—



Services Characteristics Details

Group keymanagement

Type ofkeymanage-ment

Centralized

• A dedicated entity (e.g. a key manager) generates both long-term and short-term keys, dis-tributes them to associated members, and maintains the key material and lists.• The security of key selection and generation is high, but the key manager carries most of work-loads and becomes a point of target.• In wireless infrastructure and sensor networks, this central entity can be an access point, a basestation, or a dedicated key server.• However, this centralized-based GKM scheme is not applicable to ad hoc networks.

Partiallydistributed

• A group is divided into smaller sub-groups. Some members in each subgroup may temporarilyfunction as a key-generating server.• A key manager has a reduced workload. Still, it is a point of target and the security of key gener-ation is compromised.• The distributed-based GKM scheme is applicable to ad hoc and sensor networks, but not towireless infrastructure networks.

Contributory

• Without a central key server/manager, each member randomly and independently selects its con-tribution based on some key-generating algorithms that are agreed upon by all members duringthe joining process. Then, the contributions are exchanged within a group, and a shared groupkey is identically generated.• The security of key selection and generation is low, but there is no need for a key manager. Allmembers equally share the workloads.• This GKM type is applicable to ad hoc networks, but not to wireless infrastructure (no center)and sensor networks (the complexity of key generation and overheads are too high).

Keysecrecies

Forward secrecy • The forward secrecy ensures that a new joining member cannot use the new key to decrypt allmessages which have been encrypted with the previous key(s).

Backwardsecrecy

• The backward secrecy ensures that a leaving member cannot use the previous key(s) to decryptall messages encrypted with the new key.

Perfect forwardsecrecy

• The perfect forward secrecy ensures that a compromise of a long-term key seed which was usedto generate the present short-term key(s) cannot deprive the secrecy of other previous short-termkeys which have been generated by the compromised long-term key seed.

Key independence • A disclosure of a subset of session keys cannot deprive the secrecy of other subsets of sessionkeys which have been generated by the same long-term key seed.

Key serialization

• In some distributed and contributory-based GKM schemes, the key materials are selected andthe group key is generated by members in an ordered sequence, as discussed in [8]. An attack onany participating member disrupts the whole process. Note that the key materials are actually keyseeds used to generate keys (e.g., primes in RSA or DH)• Instead, some schemes may construct the key by other ways, i.e., broadcasting the key materialsto all members or establishing a key tree, at the expense of communication and storage over-heads. In addition, with insecure wireless channel, these ways may lead to service unavailabilityespecially in ad hoc networks where membership is highly dynamic.

Rekeying

No. of rekey messages • An average number of distributed and received messages per member (or per key manager)should be minimized.

Length of rekeymessages

• Some protocols reduce the number of rekey messages by aggregating multiple messages into asingle message, which in return increases the consumed bandwidth for one transmission. Thus,the performance metric should also determine the bandwidth consumption per message in addi-tion to the number of transmitted messages.

Rekeying process • The rekeying operation should reduce or optimize the computation and time complexity ofrekeying operation with respect to a group size.

Triggeringconditions

Membership • Keys associated with the membership changes must be rekeyed to ensure the key secrecy for theremaining members.

Periodic • To provide a better key secrecy, the rekeying operation is invoked periodically to prevent keysfrom being compromised over time.

Specified • A system enables the rekeying operation for specified incidents, such as upon a detection ofattacks or violations.

Authentica-tion

Message authentication • A system should require a sender to sign a message and a receiver to verify such a message sig-nature on its authenticity as well as integrity.

Userauthenti-cation

• Users should be authenticated upon joining the group, signing the messages, or accessinggroup materials.

Senderviewpoint

• A designated sender may want to multicast a message on behalf of the group to all designatedreceivers without revealing its real identity.

Receiverviewpoint

• A receiver verifies whether the message has been originated by an unspecified group member(not an outsider).• OR a receiver verifies whether the message has been originated by an unspecified but designat-ed sender (not an outsider and not designated receivers).• OR, in a possibly disputable case, a receiver verifies whether the message has been originated bythe specified and designated sender.

Table 3 continued on next page...



eral means, including hashing and signing themessage along with strong encryption keys. In adhoc networks, group members may have differ-ent capabilities and protocols to perform differ-ent levels of encryption on group messages.Thus, some messages may be encrypted withstrong encryption, while others with weakencryption are relatively easily breakable. InWSNs sensor nodes may have similar capabilitiesand protocols that are embedded before deploy-ment. Confidentiality ensures that only autho-rized members can retrieve meaningful datafrom the message.

Group survivability and availability: Anattacker can attack routing hosts (i.e., accesspoints and base stations) to isolate some or allgroup members, or partition the group. Thus, allrouting hosts must be protected to ensure groupsurvivability. However, the attacker can still tar-get a joining procedure (i.e., by flooding the

access point or base station in wireless infra-structure networks and WSNs), thus causing ser-vice unavailability to other legitimate users.Group availability ensures that only authorizedusers can always communicate within the groupby using restricted group resources, and any vio-lation exceeding the limitation of groupresources will be promptly detected.

Table 2 illustrates each discussed attack alongwith security services that can be deployed tomitigate its impact. For example, the impact of aflooding attack may be partially mitigated byauthenticating sources that generate floodingpackets along with early detection of a massiveamount of packets originated by a single source.Thus, flooding packets would be dropped imme-diately once such an attack has been detected.Unauthorized routing update can be detectedand prevented by the following services: authen-ticating both source and message to determine

n Table 3. Characteristic of security services in SGC over wireless networks.

Services Characteristics Details

Accesscontrol

Authorization/access controltechniques

• The group resources (e.g., key seeds, keys, a member list, multicast routing tables, etc.) andgroup messages should be accessible only to authorized members.• The access control list can be used to determine if the member has permission to accessresources and, more specifically, to which resource is accessible.

Dynamic access control

• A system enables the member to dynamically change its request to access resources. Consequently,the system must be able to update access permissions and restrictions with additional mechanismswhen the member’s access privilege changes. Other systems may simply give all members a fixedaccess control privilege per session.

Non-repudiation

Message signature • A system requires messages to be signed or equipped with a membership certificate so that anoriginator (signer) of the message can always be identified.

Timestamp and/or sequence number • Timestamps and/or sequence numbers can be used to limit a validation of certificate or messagesignature, and to prevent replay attacks.

Revocation of certificates

• The expired certificate or misuse of certificate is revoked by the issuer and may be publiclyannounced in the revocation list.• For higher non-repudiation, some systems may keep the expired certificates for future verificationat the expense of storage overhead.

Characteristicsof signature

Unforgeable • A group of colluded attackers cannot generate a group signature identical to that generated by alegitimate member.

Non-allegeable • A group of colluded attackers cannot generate a group signature by which a group controllerfalsely identifies a legitimate member as an attacker.

Linkable • A group of colluded attackers cannot generate a valid group signature by which a group con-troller cannot identify the identity of any of these attackers.

Secretive • A member’s secret elements can neither be retrieved from a group signature nor from any partof it.

Privacy andAnonymity

Unlinkabilityof anonymouscommunications

Sender • A sender shall not be linked to its sent message to prevent attackers from learning of themessage’s origin.

Receiver • A receiver shall not be linked to the received message to prevent attackers from learning of themessage’s destination.

Sender–receiver • The sender and receiver shall not be linked together to prevent attackers from learning of thesending and receiving ends. They are also relatively anonymous to each other.

Type ofmanagement

Centralized • A system relays messages through a trusted anonymous entity to hide identities of the senderand receiver.

Distributed • A system relays messages through a group of anonymous entities to hide the identities byvarious means such as encapsulating messages.

Securerouting

Management • A system can establish and maintain routing-related information in a centralized or distributedmanner.

Prevention

• Updating routing information (e.g., a membership status and routing paths) must be restrictedto authorized members.• A new routing path should be tested such that any routing black hole and loop are entirelyeliminated.



whether the routing update message is legitimateand originated by an authorized member; enforc-ing access control over a routing table; signingthe routing update message such that messageintegrity is preserved and no attacker has falselymodified the message; encrypting all manage-ment packets (routing update requests andreplies); and any loophole or sinkhole routing,which possibly leads to a denial of service, willbe tested, detected, and fixed prior to actualdeployment.

SGC OVER WIRELESSINFRASTRUCTURE NETWORKS

This section surveys some SGCs that providesecurity protection over wireless infrastructurenetworks.

DeCleene et al. [5] presented a hierarchy-based key management protocol that divides anoperational field into administratively indepen-dent areas. The area key is used to encrypt themessage containing the data key. The data key isa network-wide shared key, and is used toencrypt the data message. When users frequentlymove within areas, the area key is rekeyed,thereby resulting in significant degradation ofgroup performance in terms of processing andcommunication overheads. Thus, several rekey-ing algorithms have been proposed to reduce theneed for rekeying, thus decreasing communica-tion and processing overheads. The delayedrekeying algorithm uses the extra key owner list(EKOL) to store the area keys belonging to theleaving member and that member’s ID. Whenthat member re-enters the area, the area keysare restored. However, once the EKOL is full,the first recorded area keys are discarded tomake room for other members. A member canonly hold a limited number of area keys.

Pros: Low overheads; highly dynamic mem-bership is supported.

Cons: The area keys may be compromisedeasily since the area keys have been repeatedlyreused for often moving members.

Sun et al. [12] matched tree-based key man-agement with the physical cellular network topol-ogy in order to build a topology-matching keymanagement (TMKM) tree. When the usermoves among cells, an efficient handoff mecha-nism handles the relocation of that user in theTMKM tree. Each cell has a corresponding wait-to-be-removed (WTB) list that keeps track ofprevious and current cell members. A relocationof a member between two cells requires a rekey-ing process to preserve the key secrecy. Therekeying process is performed based on informa-tion from the WTB lists of these cells. The keymanager, called the key distribution center(KDC), maintains and updates the WTB lists ofall cells in the network accordingly. The commu-nication overheads incurred by the rekeying pro-cess can be reduced by delivering new keyslocally in the TMKM tree only to members whoneed the rekeyed keys. It was shown that com-munication overheads due to the efficient hand-off rekeying processes using the TMKM treescheme can be reduced as much as 80 percentcompared to those using conventional topology

independent key management (TIKM) treeschemes.

Pros: Low communication overheads.Cons: The scheme does not consider the

overheads incurred by the KDC that could resultin very poor performance in the actual deploy-ment.

Gupta and Cherukuri [1] presented threeschemes: single session key (SSK), different ses-sion key (DSK), and a combination (HYBRID).These schemes are based on location-basedaccess control in which only users who are locat-ed in specific locations can access the services.In the SSK scheme, a base station (BS) assignsthe same session key (sk) to all members. In theDSK scheme, a BS assigns a different sessionkey to each member. In the HYBRID scheme, aBS assigns the same sk to all members who havebeen stable in the cell for more than a specifiedperiod of time; otherwise, it assigns a differentsk to a nonstable member.

Pros: Their simulations of SGC over all cellu-lar networks with high mobility showed that thecommunication overhead using the HYBRIDscheme is lower than that using the DSK andSSK schemes.

Cons: Strict time synchronization is requiredto determine whether a member is classified asstable or nonstable; the scheme did not providea means for base stations to exchange informa-tion on their members; and handoffs, which canincur more overheads, were not addressed.

Westerhoff et al. [13] presented a decentral-ized architecture called mobility support — amulticast-based approach (MOMBASA) toachieve low latency for handoffs with minimumpacket loss as well as secure protocol operations.MOMBASA enables each mobile node to regis-ter with a proxy, called a Mobility-EnablingProxy (MEP), which in turn participates in themulticast group on behalf of the mobile node.The mobile node communicates with the MEPvia unicast, while the MEP communicates withthe multicast group via multicast. Thus, the MEPconverts unicast and multicast packets betweenthe mobile node and the multicast group. Securi-ty analysis shows that MOMBASA is protectedagainst various attacks by using three securitycomponents: packet filtering at access networkboundaries, deployment of an authentication,authorization, and access (AAA) infrastructure,and rate limiting against DoS attacks.

Pros: MOMBASA is provably secure frommany threats; performance degradation due tohandoffs is negligible (low-latency handoff); lesspacket loss; and the workloads among accesspoints and the AAA server are fairly distributed.

Cons: The scheme only considers handoffswhen the MEP is no longer functioning, but notthe case when the membership is highly dynam-ic. When there are messages destined for idlenodes, the MEP associated with these nodes hasto multicast the paging update messages to otherMEPs, thus incurring a significant overhead.

SGC OVER MOBILE AD HOC NETWORKS

This section surveys some SGCs that providesecurity protection specifically over mobile adhoc networks.

The security analysisshows that MOMBASAis protected againstvarious attacks byusing three securitycomponents: packetfiltering at accessnetwork boundaries,deployment of anauthentication,authorization, accesscontrol (AAA) infrastructure, andrate limiting againstDoS attacks.



Kaya et al. [11] proposed a dynamic multicastgroup management protocol that attempts toequally distribute the workload of securing com-munications to all participating members. Groupinformation and associated security services aredisseminated and maintained by all membersthroughout MANETs, and service rights certifi-cates are given by the designated group managerto members for accessing information. Thegroup manager is temporarily selected per ses-sion, and it establishes a physical security tree,authenticates prospective members, updates thesecurity tree per membership change, and han-dles the revocation of certificates. The securitytree is used to securely forward the shared groupkey to members, while the data multicast tree isused to forward the encrypted data messages toauthorized members.

Pros: Communication overheads and latencyof joining/leaving/key revocation processes donot substantially degrade the group performanceas the number and speed of joining/leavingnodes increase.

Cons: The scheme did not discuss how thegroup manager is selected as well as the transi-tions of group information between the new andold group managers. The simulation tried toillustrate the impact of dynamic membershipwith a very small number of nodes, and theresults may not be valid for a large group.

Striki and Baras [9] presented a Merkle tree-based user authentication scheme by construct-ing dynamic distributed central authorities (CAs)based on Merkle trees, and then equipping theseCAs with two key generation protocols: 2d-Octo-pus and Tree-Based Group Diffie-Hellman(TGDH)-based 2d-Octopus. It has been empha-sized that incorporating user authentication andkey distribution algorithms in a collaborativemanner into SGC yields a scalable and efficientkey management protocol in MANETs.

Pros: The modified Merkle tree-based schemewith TGDH-based 2d-Octopus has lower com-munication and processing overheads than thatwith 2d-Octopus and another existing protocol,one-way function tree (OFT), as the size of thegroup increases.

Cons: The scheme did not discuss how thisintegration of authentication and key distribu-tion could better protect SGC against variousthreats, such as DoS and collusion attacks.

Balachandran et al. [10] proposed a key agree-ment scheme for SGC over MANETs, referredto as the Chinese Remainder Theorem andDiffie-Hellman (CRDTH) scheme, which aimsto solve two problematic issues in ad hoc envi-ronments: key serialization and absence of acentral authority in MANETs. The key manage-ment in this scheme is a contributory-basedGKM. All members exchange their contributedkey share by using the Diffie-Hellman keyexchange mechanism, and then the membersindependently but mutually generate the groupkey based on the Chinese remainder theorem(CRT).

Pros: The scheme can equally distribute thecomputational workloads to all members. Thescheme requires only one round of broadcast torekey the group key for a leaving process andtwo rounds for an initial key formation process

(during group formation) and a joining process.No a priori knowledge and member serializationare required. Highly dynamic membership issupported.

Cons: The authors only suggested how thescheme would be compromised rather than vali-dating the security of the scheme.

Lazos and Poovendran [14] presented therouting-aware key distribution (RAwKey) prob-lem and proposed an optimal solution that mini-mizes energy expenditure caused by the rekeyingprocess in an energy-constrained wireless ad hocnetwork. The key idea is to construct an energy-efficient key distribution scheme (operating atthe application layer) for SGCs over ad hoc net-works by gathering cross-layer information fromthe physical layer (i.e., the node transmissionpower) and the network layer (i.e., the multicastrouting tree).

Pros: The performance of the optimal energy-efficient solution for rekeying does not substan-tially change as the group size varies, and thecross-layer algorithm can obtain a suboptimalsolution with low complexity.

Cons: The complexity of the scheme is stillrather high, and the efficiency for actual deploy-ment remains a great challenge.

SGC OVER WIRELESS SENSOR NETWORKS

This section covers SGCs that provide securityprotection over WSNs.

Zhu et al. [6] proposed a key managementprotocol, called a localized encryption andauthentication protocol (LEAP), for large-scaledistributed sensor networks. The protocol isdesigned based on two observations: differentpacket types exchanged among sensor nodesrequire different security services, and a singlekey management scheme may not be suitable forvarious security requirements. The proposedscheme uses four types of keys for fundamentalsecurity services (e.g., authentication and accesscontrol) to secure communications. These fourtypes of keys include a pair-wise key usedbetween a sensor node and the base station, apair-wise key used between a pair of two sensornodes, a shared cluster key used among all sen-sor nodes in the same cluster, and the group keyused among all sensor nodes. Thereafter, thescheme provides security services that can miti-gate several attacks. For example, authenticationof one-hop broadcast communications amongnodes with one-way key chains can mitigate theimpersonation attack, and a timestamp is used toexpire keys to prevent node capture and sybilattacks.

Pros: Low communication overheads; thescheme is energy efficient.

Con: The scheme did not discuss the powerconsumption of sensor nodes in deploying someof the proposed security mechanisms.

Yu and Guan [7] proposed a group-based keypredistribution scheme by partitioning the net-work into hexagonal grids with a specified size.Nodes are then divided into groups, and eachgroup is placed into a grid in such a way that thenumber of neighbors of a node is minimized,thereby reducing power consumption. Thescheme classifies communications of sensor

The LEAP protocol isdesigned based ontwo observations:

different packettypes exchanged

among sensor nodesrequire different

security services, anda single key

managementscheme may not be

suitable for various security

requirements.



nodes into two types: intergroup and in-group.The secret matrix G is shared by all groups, andeach group is distinctively assigned a secretmatrix A. Each node selects correspondingly acolumn from matrix G and a row from matrix A.Thus, two nodes in the same group can computethe pair-wise key used to secure in-group com-munications. Furthermore, a number of secret Bmatrices are selectively assigned to groups insuch a way that any two neighboring groupsshare a portion of the secret matrices. Then thetwo neighboring groups determine which of theshared secret B matrices they share in order togenerate the shared keys. Upon key generation,two nodes in neighboring groups mutually agreeon which rows will be selected from these previ-ously selected B matrices. Thus, they can com-pute the pair-wise key used to secure intergroupcommunications.

Pros: The scheme provisions a high degree ofconnectivity, which is defined as the fraction ofthe size of the largest connected componentsover the size of the entire sensor network. Fur-thermore, the connected components define agraph in which any two nodes can always find aroute between them. The scheme incurs lowstorage overhead, and offers a better safeguardagainst node capture attacks than several exist-ing schemes.

Cons: The optimal grid size may not be pre-cisely determined, thus possibly resulting in twoincidents: the inter-group keys may not be gen-erated if the grid size is too small, and the powerconsumption is relatively high if the grid size istoo large. The computational and time complexi-ties might be substantial.

Zhang and Cao [8] proposed a set of pre-distributed and local collaboration-basedgroup rekeying (PCGR) schemes to mitigatethe node capture attack and the DoSS attack.The basic-PCGR (B-PCGR) scheme was firstproposed with the assumption that the futuregroup keys can be preloaded into the sensornodes before deployment. Thus, the futurekeys must be protected by encryption withsome polynomials, which are kept by someone-hop neighboring nodes. Thus, the B-PCGR scheme requires all sensor nodes tocollaborate with each other to retrieve theirencrypted future keys, and detect and protectthemselves against any attempt to compromisenodes. However, the B-PCGR scheme has twolimitations: an attacker can retrieve the poly-nomials by searching only one-hop neighbornodes of the victim, and to successfully stagean attack requires compromising only a smallnumber of one-hop neighbor nodes. To over-come the first limitation, the cascading PCGR(C-PCGR) scheme is proposed to distributethe polynomial shares to two- or three-hopneighboring nodes. To overcome the secondlimitation, the random-variance-based PCGR(RV-PCGR) scheme is proposed to add ran-dom variance numbers to the polynomials tostrengthen the polynomials in order to make itmore difficult for the attacker to retrieve theencrypted future keys.

Pros: The schemes can effectively protectSGC against node capture and DoSS attacks.

Cons: Rekeying is very limited due to a limit-

ed number of reusable future keys. A prioriknowledge of group operations (e.g., a set offuture keys, a key generating function, and groupjoining/leaving processes) is required, and thusany real-time adaptation of these group opera-tions cannot be performed online. The collabo-ration of nodes is required, but in many sensornetworks such collaboration may not be possibleat all and also may cause unnecessary powerconsumption.

Huang et al. [15] proposed a secure level keyinfrastructure for multicast (SLIMCAST) to pro-tect data confidentiality via hop-by-hop re-encryption and mitigate the DoS-based floodingattack through an intrusion detection and dele-tion mechanism. The SLIMCAST protocoldivides a group routing tree into levels andbranches in a clustered manner. Communica-tions among nodes in each level in each branchof the group tree are protected by a level keysuch that only the local level key is rekeyed dur-ing joining and leaving processes. SLIMCASTenables an upstream node to aggregate datapackets from its downstream children nodes, andthen re-encrypts the aggregated packet with thelevel keys this node shares with its parent nodes.The re-encrypted packet is then sent upstreamtoward a base station. Furthermore, duplicatepackets from the sibling nodes will be discardedto reduce redundant bandwidth and power con-sumption.

Pros: Low communication overheads andpower consumption. Performance does not sub-stantially degrade as the group size increases.

Cons: The performance is degraded (i.e., highpower consumption) when membership changesare massive.

Wadaa et al. [2] proposed an energy-efficientprotocol to provision anonymity in WSNs. Theprotocol divides the network into clusters. Twoactivities are defined in each cluster: intraclusteractivity (i.e., data generation) and interclusteractivity (i.e., data transmission). For intraclusteractivities inside a cluster, a node periodically col-lects and formulates the sensor readings, andthen reports to the designated entity, called thetransaction instance manager. The manager col-lects all node reports and formulates the transac-tion instance report (TIR). For interclusteractivities, all managers send the TIR to the sinknode (i.e., a base station) through neighboringmanagers in a hop-by-hop manner. Then theprotocol formulates the anonymity problem, andidentifies and eliminates the minimum numberof nodes that cause the maximum loss of sensorreadings.

Pros: Energy-efficient. Performance does notsubstantially degrade as the group size increases.

Cons: The scheme did not analyze or provesubstantially the anonymity level per transmis-sion.

Karlof and Wagner [3] discussed attacks thatcan disrupt group routing in WSNs. The surveyarticle illustrates how each attack is executed,and describes the existing mechanisms in miti-gating the attacks.

Note that SGCs proposed for the above threetypes of networks may be adapted to other typesof wireless networks, but consideration of suchadaptation is beyond the scope of this article.

The B-PCGR schemehas two limitations:an attacker canretrieve the polynomials bysearching only 1-hopaway neighboringnodes of the victim,and to successfullystage an attackrequires compromisingonly a small number of 1-hop neighboring nodes.



OPEN CHALLENGESHere, we outline some challenges that should betackled, and define future research directions onSGC over wireless networks.

Integration of security services. As illustratedin Table 2, most attacks can be greatly mitigatedby the fundamental security services. Thus, it is

still the greatest challenge to design an energy-efficient scheme that integrates more securityservices to satisfy various security requirements,particularly authentication, access control, andnonrepudiation (via group signatures), withoutincurring significant overheads.

Deployment of SGC in heterogeneous wire-less networks. With higher demand for more

n Table 4. Comparison of SGC over wireless networks.

SchemesCharacteristics

Wireless infrastructure networks Mobile ad hoc networks Wireless sensor networks

[5] [12] [1] [13] [11] [9] [10] [14] [6] [7] [8] [15] [2]

Keymanagement

Hierar-chical-based

Topology-matchingtree

Area-basedandbatchrekeying

N/A1Ad hocgroup key(AGK)

Tree-basedgroupDiffie-Hell-man(TGDH)

Chineseremain-der andDiffie-Hellman

Routing-awarekey dis-tribution

Cluster-based keys

Group-basedkey

Locallygroup-based keyand keypredistri-bution

Cluster-basedtree(levelandbranch)

N/A

Authentication N/A N/A Userauth.

Key andmessageauth.

Certificate-based PK2

auth.

ID-baseduser auth.& Merkletree-baseddata auth.

N/A N/A

Source andmessageone-waykeychain-based andchallenge-responseauth.

N/A N/A

MAC sig.and one-waysequencenumber

N/A

Authorization/access control N/A N/A Location-

basedPacketfiltering Certificate N/A N/A N/A N/A N/A N/A N/A N/A

Accounting/nonrepudiation N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Yes N/A

Messageintegrity andconfidentiality

Yes N/A Yes Yes Yes Yes Yes Yes N/A N/A N/A Yes N/A

Privacy/anonymity N/A N/A

Privacyof user’slocation

N/A N/A N/A N/A N/A N/A N/A N/A N/A

Yes(virtualinfra-structure)

Survivability/availability N/A N/A N/A N/A Yes (quick

recovery) Yes N/A N/A Yes Yes Yes N/A Yes

Attackprevention3

N/A N/AEaves-drop-ping

DoS,identity,replay,sourceaddressspoofing

Messagemodifica-tion, replay

Imperson-ate, collu-sion

N/A N/A

Wormhole,sinkhole,Sybil, DoS,replay,insider

Nodecapture

Nodecapture,eaves-dropping,DoSS

Nodecapture,Sybil

DoS,trafficanalysis

Reducingcommunicationoverheads

Yes

Yes (usinglocalityto reducecomm.complexity)

Yes(withHYBRIDscheme)

N/A

Yes (usinglocality toreducecomm.complexity)

Yes N/A Yes

Yes (usinglocality toreducecomm.complexity)

N/A Yes Yes Yes

Reducingprocessingoverheads

Yes Yes

Yes(withHYBRIDscheme)

N/A N/A Yes Yes N/A Yes N/A Yes Yes N/A

Handling highmobility Yes Yes Yes Yes Yes N/A Yes Yes N/A N/A N/A Yes N/A

Handlinghandoffs

Yes(butneedsbackchan-nels)

Yes N/A Yes N/A N/A N/A N/A N/A N/A N/A N/A N/A

Steadyperformancevs. group size

N/A Yes N/A N/A Yes Yes N/A Yes N/A N/A N/A Yes N/A

Scalable Yes Yes N/A N/A Yes Yes Yes Yes N/A N/A N/A Yes Yes

Energy-efficient N/A N/A N/A N/A N/A N/A N/A Yes N/A N/A N/A Yes Yes

1 N/A: Information not available about the characteristic OR the characteristic is not likely possible or not applicable.2 PK: Public key.3 Only specified attacks discussed in the respective references are listed here even though each of these schemes may mitigate other attacks as well.



functionalities in wireless devices, an SGCscheme should be able to be deployed in hetero-geneous wireless networks, including cellularnetworks, wireless LANs, wireless ad hoc net-works, and WSNs, and support communicationsover a hybrid of wireless and wired networks.

Optimization of group performance withrespect to overheads and limited resources. Tobe efficient, a scheme should optimize group per-formance subject to overheads (communication,processing, and storage) and limited resources(memory, bandwidth, and power supply).

Extension to IPv6 wireless networks. An IPv6wireless network seems to be a promising next-generation network, and some work is address-ing end-to-end built-in security. Future researchon SGC is engineered to support IPv6 wirelessnetworks.

CONCLUSIONS

The number of applications of group communica-tions over wireless networks has been steadilyincreasing, such as group-oriented military systems(in-the-field commander conference over wirelessdevices) and education systems (teacher lecturesin a distance learning classroom). However, com-munications over wireless channels is, by nature,insecure and easily susceptible to various kinds ofattacks. Much existing work has attempted toincorporate security into such communications.

To better understand SGC over wireless net-works, we have presented known attacks thatcan severely disrupt or even shut down groupcommunications in wireless networks. The wehave discussed necessary security requirements,and illustrated fundamental security services tomeet these requirements and safeguard the com-munications against these attacks. We havedemonstrated that several attacks can be pre-vented and mitigated by the proposed securityservices. We have also reported several existingworks on SGC over three types of wireless net-works: wireless infrastructure networks, mobilead hoc networks, and wireless sensor networks,as summarized in Table 4. With respect to limit-ed computation capability and scarce wirelesschannels, these works basically attempt to reducecommunication and processing overheads, andto fend off some particular attacks. To completethe survey on SGC over wireless networks, wehave presented some open challenges that stillneed to be overcome.

REFERENCES[1] S. K. S. Gupta and S. Cherukuri, “An Adaptive Protocol

for Efficient and Secure Multicasting in IEEE 802.11Based Wireless LANs,” Proc. IEEE WCNC 2003, vol. 3,Mar. 2003, pp. 2021–26.

[2] A. Wadaa et al., “On Providing Anonymity in WirelessSensor Networks,” Proc. 10th Int’l. Conf. Parallel andDistrib. Syst., July 2004, pp. 411–18.

[3] C. Karlof and D. Wagner, “Secure Routing in WirelessSensor Networks: Attacks and Countermeasures,” Else-vier’s Ad Hoc Networks J., Special ssueI on Sensor Net-work Applications Protocols, vol. 1, no. 2–3, Sep. 2002,pp. 293–315.

[4] R. Maheshwari, J. Gao, and S. R. Das, “DetectingWormhole Attacks in Wireless Networks Using Connec-tivity Information,” Proc. IEEE INFOCOM ’07, Mar.2007.

[5] B. Decleene et al., “Secure Group Communications forWireless Networks,” Proc. IEEE MILCOM 2001, vol. 1,Oct. 2001, pp. 113–17.

[6] S. Zhu, S. Setia, and S. Jajodia, “LEAP: Efficient SecurityMechanisms for Large-Scale Distributed Sensor Net-works,” Proc. 10th ACM Conf. Computer and Commun.Security, Oct. 2003, pp. 62-72.

[7] Z. Yu and Y. Guan, “A Robust Group-Based Key Man-agement Scheme for Wireless Sensor Networks,” Proc.IEEE WCNC ’05, vol. 4, Mar. 2005, pp. 1915–20.

[8] W. Zhang and G. Cao, “Group Rekeying for FilteringFalse Data in Sensor Networks: a Predistribution andLocal Collaboration-Based Approach,” Proc. IEEE INFO-COM ’05, vol. 1, Mar. 2005, pp. 503–14.

[9] M. Striki and J. Baras, “Towards Integrating Key Distri-bution with Entity Authentication for Efficient, Scalableand Secure Group Communication in MANETs,” Proc.IEEE ICC ’04, vol. 7, June 2004, pp. 4377–81.

[10] R. K. Balachandran et al., “CRTDH: An Efficient KeyAgreement Scheme for Secure Group Communicationsin Wireless Ad Hoc Networks,” Proc. IEEE ICC ’05, vol.2, May 2005, pp. 1123–27.

[11] T. Kaya et al., “Secure Multicast Groups on Ad Hoc Net-works,” Proc. ACM SASN ’03, Oct. 2003, pp. 94–103.

[12] Y. Sun, W. Trappe, and K. J. Ray Liu, “A Scalable Mul-ticast Key Management Scheme for HeterogeneousWireless Networks,” IEEE/ACM Trans. Net., vol. 12, no.4, Aug. 2004, pp. 653–66.

[13] L. Westerhoff et al., “Security Analysis and Concept forthe Multicast-Based Handover Support ArchitectureMOMBASA,” Proc. IEEE GLOBECOM 2004, vol. 4, Dec.2004, pp. 2201–07.

[14] L. Lazos and R. Poovendran, “Cross-Layer Design forEnergy-Efficient Secure Multicast Communications inAd Hoc Networks,” Proc. IEEE ICC 2004, vol. 6, June2004, pp. 3633–39.

[15] J.-H. Huang, J. Buckingham, and R. Han, “A Level KeyInfrastructure for Secure and Efficient Group Communi-cation in Wireless Sensor Networks,” Proc. 1st Int’l.Conf. on Security and Privacy for Emerging Areas inCommun. Net., Sep. 2005, pp. 249–60.

BIOGRAPHIESPITIPATANA SAKARINDR ([email protected]) received a B.E degreefrom King Mongkut’s Institute of Technology Ladkrabang,Bangkok, Thailand, in 1999, and an M.S. degree in com-puter engineering from the New Jersey Institute of Tech-nology (NJIT), Newark, in 2002. He is currently pursuing aPh.D. in electrical eengineering at NJIT. His current researchfocuses on various aspects of network security, includingsecurity-integrated quality of service, trust and reputationmodels, anonymous networks, and cryptography.

NIRWAN ANSARI ([email protected]) received a B.S.E.E.(summa cum laude) from NJIT in 1982, an M.S.E.E.degree from the University of Michigan, Ann Arbor, in1983, and a Ph.D. degree from Purdue University, WestLafayette, Indiana, in 1988. He joined NJIT’s Departmentof Electrical and Computer Engineering as an assistantprofessor in 1988, and has been a full professor since1997. He has also assumed various administrative posi-tions including the Newark College of Engineering’s Asso-ciate Dean for Research and Graduate Studies at NJIT. Heauthored Computational Intelligence for Optimization(Springer, 1997, translated into Chinese in 2000) with E.S. H. Hou, and edited Neural Networks in Telecommuni-cations (Springer, 1994) with B. Yuhas. His currentresearch focuses on various aspects of broadband net-works and multimedia communications. He has also con-tributed approximately 300 technical papers includingover 100 refereed journal/magazine articles. He is a SeniorTechnical Editor of IEEE Communications Magazine, andalso serves on the editorial board of Computer Communi-cations, ETRI Journal, and Journal of Computing andInformation Technology. He was the founding generalchair of the First IEEE International Conference on Infor-mation Technology: Research and Education; was instru-mental, while serving as its Chapter Chair, in rejuvenatingthe North Jersey Chapter of the IEEE CommunicationsSociet,y which received the 1996 Chapter of the YearAward and a 2003 Chapter Achievement Award; servedas Chair of the IEEE North Jersey Section and in the IEEERegion 1 Board of Governors during 2001–2002; and hasserved on various IEEE committees.

The number of applications of groupcommunications overwireless networkshas been steadilyincreasing However,communications overwireless channels isinsecure and easilysusceptible to variouskinds of attacks.


security services in group communications over wireless infrastructure, mobile ad hoc, and wireless...

Documents