SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks. 2010; 3:1–16 Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/sec.199

SPECIAL ISSUE PAPER

Secure and robust threshold key management (SRKM) scheme for ad hoc networks K. Hamouid and K. Adi*


Computer Security Research Laboratory, University Of Quebec in Outaouais, Quebec, Canada

ABSTRACT

Securing Mobile ad hoc Networks (MANET) is a challenging task, notably due to the lack of an online infrastructure. In particular, key management in MANET is a problem for which many solutions have been proposed in literature. Unfortunately, these solutions are rather limited in terms of security and availability of keys. In this paper, we propose a secure, robust, and fully distributed scheme for public-key certificate management in MANET. Our scheme, based on threshold cryptography, ensures that the private key of the certificate authority will not be revealed to an adversary, even if the number of compromised shareholders exceeds the threshold of vulnerability, thereby thwarting mobile-adversary attacks. We describe SRKM in detail and, by using security analysis and simulations, show its effectiveness, robustness and security. Copyright © 2010 John Wiley & Sons, Ltd.

KEYWORDS

MANET; certification; security analysis; intruder attacks; availability

*Correspondence

K. Adi, Computer Security Research Laboratory, University Of Quebec in Outaouais, Quebec, Canada. E-mail: [email protected]

1. INTRODUCTION

A Mobile ad hoc Network (MANET) is a temporary, self-organized, and large-scale network. Usually, a MANET consists of a collection of mobile wireless nodes, without the aid of a pre-existing infrastructure, used to achieve basic networking functions such as routing. In such an environment, it may be necessary for mobile nodes to rely on some other nodes for relaying messages. This is mainly due to the limited wireless transmitter range of each mobile node in a MANET. Thus a multihop scenario occurs, where the packets sent by the source host are relayed by several intermediate hosts before reaching their destination. Hence, the success of communication in MANET is highly dependent upon the cooperation of other nodes [1].

Currently, ad hoc networks are the subject of constant research, with the aim of improving their deployment. In particular, securing MANET networks is a crucial task and constitutes one of the main obstacles to a large deployment of these networks. MANETs introduce new challenges in the design of security mechanisms, compared to their traditional wired network counterparts. There are several factors for this, such as the lack of an infrastructure or centralized administration, constraints on resources such as power, memory, and bandwidth availability, and dynamic topology, produced by mobility, and change in the number of active nodes of the network.

Efficient and secure key management, providing and managing the basic cryptographic keying material, is the main part of any security architecture used for ensuring confidentiality, integrity, and authentication of communications. These security requirements can be achieved with the use of public key cryptography and certificates. In infrastructure based networks, certificates are issued and managed by the Public Key Infrastructure (PKI), which involves a Certification Authority (CA), which is a Trusted Third Party (TTP) that certifies the authenticity of the binding between a public key and its subject entity. However, centralized PKI architectures are not practical in MANETs, due to the lack of a central authority and other characteristics of this paradigm of network. Depending on a single CA to achieve key management operations for the entire network creates a vulnerable point in a MANET. Compromise of the CA will allow an adversary to sign any certificate, thereby paving the way for impersonation of any node, or for revocation of any certificate [2]. More importantly, in order to perform key management operations, the CA should be available at all times. If the CA is unavailable, then nodes in the network might be unable to update/change keys. Also, new nodes will be unable to obtain certificates. So, secure communications cannot be ensured.

The threshold cryptography technique [3,4] seems to be a good solution to the problem of deploying a PKI in a MANET. Following this model, the trust of the CA will be shared by a set of nodes with relatively high physical security and computing power. Thus, these nodes must collaborate to achieve certification operations (e.g., signing a certificate). The private key of the CA (used to sign certificates) is shared among these nodes using a secret sharing scheme. If the threshold configuration scheme is (n, t), then the private key can be recovered by coalition of any t of n nodes, called shareholders or servers, and t represents the threshold. However, the major limitation in threshold cryptography schemes is that their robustness does not scale with the number of network nodes. Since ad hoc nodes have very limited physical protection, they are exposed to several active attacks, especially mobile-adversary attacks [5]. Furthermore, if a node is compromised, its share is exposed to the adversary. Thus, over a long period of time, a mobile adversary might compromise enough shareholders (up to the threshold) so that the system's secret is disclosed.

In order to counter these types of attacks, the share refreshing technique [6] is widely used in most key management solutions proposed in literature. The share refreshing allows nodes to periodically refresh their shares, by creating new shares from old ones. In this technique, the adversary cannot combine new shares with old shares to reconstruct the secret. The period between two consecutive share refreshings represents the vulnerability window [7]. Therefore, it is assumed that the adversary cannot compromise more than t − 1 nodes during the vulnerability window period. Nevertheless, this assumption is not realistic. Indeed, the vulnerability window increases with the number of nodes that share the secret. In addition, some attacks such as Denial of Service attacks slow down servers and increase the vulnerability window. This can create quite a long period during which an adversary can compromise more than t − 1 servers.

To address this problem, our contribution is intended to enhance the robustness and security of the (n, t) threshold key management scheme, making it more difficult for mobile adversaries to violate the secrecy of the private key of the certification service, even if they compromise more than t nodes. In this paper, we propose a Secure and Robust Key Management scheme (SRKM), based on threshold cryptography. Our design allows us to reduce below the threshold the number of shares that can be combined to reconstruct the secret. In other words, if the threshold scheme has the configuration (n, t), we keep only $n_1$ shares in the system where $n_1 < t$, and the rest of the shares will be divided into sub-shares. That way, if the number of compromised nodes exceeds the threshold t, the system will still resist by minimizing the probability of the private key being revealed.

The rest of this paper is organized as follows. Section 2 presents the related works in literature. In Section 3 we give an overview of the proposed scheme. Protocol details of the SRKM scheme are described in Section 4. In Section 5 we discuss and analyze the security enhancement of the proposed solution, and in Section 6, we detail our simulation results for the evaluation of the security and efficiency of our scheme. Finally, we conclude the paper in Section 7.

2. RELATED WORK

Key Management is one of the main challenges in securing MANETs, and has been addressed by many authors. In this section, we present an overview of some approaches and schemes for public-key management in MANETs.

In Reference [8], Zhou and Haas propose a partially distributed public-key management service for ad hoc networks relying on threshold cryptography. In this scheme, the CA functions are distributed among special nodes called servers. The private key of the distributed CA (used to sign certificates) is shared among n server nodes through an (n, k) secret sharing scheme in which at least k servers are required in order to sign a certificate, while any coalition less than k servers cannot recover the shared private key. To ensure a proactive security for this service, share refreshing is employed, which allows the shareholders to periodically refresh their shares. The solution in Reference [8] achieves availability by replicating certificates in multiple servers, and employs threshold cryptography to thwart various attacks. However, Reference [8] does not elaborate a full description of protocols for maintaining and controlling the access to the distributed CA.

Kong et al. [9,10] extend the work of Zhou and Haas by providing a fully distributed CA scheme. Unlike Reference [8], all nodes are servers. A coalition of k one-hop neighbors ensures the local CA functionality and a node receives its public key from its k neighboring nodes. The scheme in Reference [9] improves the CA service availability and reduces multi-hop communication compared to Reference [8]. However, the effectiveness of this technique depends on the assumption that each node must have at least k neighbors with valid key shares. Here, k is a very sensitive parameter which needs to be carefully tuned so that the method may be effective. If the threshold k is much larger than the network degree, nodes will have to keep moving to get certificates. In addition, in the case of large-scale networks the security of this scheme is reduced especially when nodes are not well protected, because the probability to compromise a sufficiently large number of shares increases when more nodes are holding a share of the private CA key.

In Reference [1], Wu et al. introduce a key management scheme similar to that of Reference [8]. The aim is to provide an efficient share updating among servers, and to respond quickly to certificate updating. For bandwidth saving and efficient communications, this scheme proposes a special connection between servers that form a special group of the network named multicast server group. In such a way, it is easy to locate the servers when a node needs a certificate.

Another threshold cryptography based scheme has been proposed by Zhu et al. [11]. Their scheme called Autonomous Key Management (AKM) provides a self-organizing and fully distributed key management service. This scheme introduces a hierarchy of key shares to handle MANETs with a large number of nodes, and adds the ability to issue certificates with different levels of assurance. The nodes and their shares can be regarded as the leaves of a tree structure. If there are few nodes in the network, AKM is similar to Reference [9]. However, when the number of share-holders reaches a certain level, the nodes split into smaller regional groups that set up a new regional key. Signed certificates with regional keys have less assurance than those signed with the CA key. The authors also propose two algorithms, which can be used independently from the hierarchical structure, to protect certification services in ad hoc networks. AKM increases the robustness and intrusion tolerance. However, this benefit is obtained at the price of a costly increase in communications.

In Reference [12], Raghani et al. propose a distributed CA scheme which follows the same principle as in Reference [9] when a node obtains the certification service by communicating with its one-hop neighboring nodes. With such an approach, when the node degree reduces below the threshold, there is a substantial increase in the certification service delays. To address this problem, the proposed scheme provides a dynamic support for distributed CA by allowing it to dynamically adjust the threshold value when required, and thereby resulting in the reduction of certification service delays. Therefore, the authors propose a suite of network monitoring protocols for identifying situations where the node degree varies and thus dynamically adjusts the threshold value. Another similar solution that provides dynamic threshold is presented in Reference [13]. This scheme easily and efficiently enables the dynamic increase of the threshold in response to the needed security level and availability of servers.

Robin Doss et al. [14] propose a security architecture that combines both the threshold cryptography technique and clustering. The distributed architecture aims to be adapted to large-scale networks with dynamic and frequent topology changes. They assume that the entire network is divided into geographically adjacent groups called clusters. Each cluster is managed by a special node called cluster-head (CH). Certificates are signed by the distributed CA formed by CH nodes which constitute a virtual network sharing the private key of the CA. Similar schemes based on clustering are presented in References [15,16].

Hubaux et al. [17,18] propose a self-organized public-key management scheme. They follow a different approach by using a trust architecture similar to PGP [19] with a distributed certificate server. In this architecture, each node issues certificates for nodes it trusts. When two nodes need to communicate, they merge their certificate repositories, and try to find a verifiable chain of certificates. The effectiveness of this approach depends on the certificate repository creation mechanism. Moreover, the distributed storage of certificates produces a significant additional cost, which puts into question the large scale applicability of the approach.

In our previous results related to key management [20], we proposed a public key management scheme for certification in MANET. The work is based on threshold cryptography which allows the certification service to work under two different structures. The first structure is a simple (n, t) sharing, where all networking nodes act as CA servers. The second structure is a 2-Levels (n, t) sharing, where the number of CA servers is reduced and all networking nodes are divided into several groups, each group cooperatively performing all operations (e.g., partial certificate issuing) of a CA server. The passage from the first structure to the second depends on the network size. This scheme enhances the robustness and resistance against CA server failures, but does not take into account the service latency and availability requirements. Furthermore, there is no mechanism for certificate signing or for handling scalability in terms of the adaptation of the key management system to network changes.

3. THE PROPOSED SCHEME: SECURE AND ROBUST KEY MANAGEMENT (SRKM)

In this section we describe our key management scheme for MANET relying on threshold cryptography. We start by detailing our assumptions about the network, and then give an overview of our fully distributed SRKM architecture.

3.1. System model and assumptions

3.1.1. Definitions and notations. In the following section, we give some definitions and notations used in this paper.

• Server nodes: member nodes of the network, which form the distributed CA service. Each server node has its own share of the private CA key and participates in the process of issuing certificates.
• Real server node: a server node that holds one part of the private key, and can generate a partial certificate upon request, without the aid of other server nodes.
• Virtual server node: a server node which is requested for certificates like other real server nodes. Unlike real servers, a virtual server does not have a share of the private key, it has only a sub-share of the key share, and cannot issue a partial certificate with only this sub-share, it needs the collaboration of other nodes called Assistant server nodes.
• Assistant server node: member in the network that holds a sub-share and collaborates with the virtual server node to issue a partial certificate. Assistant server nodes are grouped into classes. Nodes belonging to the same class may combine their sub-shares to create a partial certificate. Each class contains exactly one virtual server.
• Window of Vulnerability: this concept is defined in Reference [7] to determine time intervals during which an adversary must compromise as many servers as necessary in order to learn the secret. Thus, a window of vulnerability extends from the start of one execution of the share refreshing task to the end of the next execution.
• Nodes Apportionment Coefficient (NAC): is a parameter according to which we can determine the best partitioning (real servers vs. virtual servers) appropriate for the required security level (time to find the private CA key) and the required latency level (certificate service delays). The NAC is defined as the ratio of the number of real servers to the set of virtual servers. To maximize security, the NAC must be reduced, but for minimizing the latency, the NAC must be maximized. The best NAC determines the optimal settings of both security and latency.
• SK, PK: are respectively the private and public keys of the CA service used to sign and verify public-key certificates.
• $k_i^{-1}, k_i$: are respectively the private and public keys of node i.
• $SK_{ij}$: is a sub-share of share i, held by the assistant server node j.
• $CERT_i$: is the public-key certificate of node i.
• $cert_{ij}$: is a partial certificate issued by server node j for node i.
• $cert_{ij,l}$: is a partial certificate issued by assistant server node l belonging to class $C_j$. The partial certificate is addressed to node i.
• (A → B : M): means that entity A sends the message M to entity B.

3.1.2. Network model. The proposed Key Management scheme can be applied to large-scale and asynchronous Mobile ad hoc Networks. There is no bound on message-delivery time and message-processing time. Nodes in the network communicate with each other via insecure wireless links, and multi-hop communications are provided by existing ad hoc routing protocols. Furthermore, the size of the network may change dynamically due to nodes joining and leaving operations. We assume that each node is able to discover its one-hop neighboring nodes. However, there are no assumptions on the number of neighbors of each node. Let N be the size of the network at a given moment. In our architecture, each node has a public/private key pair $(K_i, K_i^{-1})$ and the certification service is provided by a distributed CA that has a private/public key pair (SK, PK). All nodes in the network know the public-key of the distributed CA, and trust any certificate issued by it. Each node that shares the private CA key holds one share (part of the key). The nodes can arbitrarily move, leave or join the network.

3.1.3. Adversary model. We briefly discuss the break-ins assumed in this work. We also describe the various adversary models for which our proposal provides an effective solution. An adversary is a malicious node trying to compromise many nodes in order to break the security of the system. At any time, a network node is either correct or compromised. A compromised node might stop collaborating, arbitrarily deviate from the specifications of its protocols (byzantine behavior), disclose and/or change the private or public information stored locally. So, when a node is being compromised, an adversary can obtain all private information stored by this node, including its share of the CA's private key. A coalition of compromised nodes can conspire to launch a collaborative attack. In particular, compromised nodes can combine their shares to reconstruct the CA's private key. However, we assume that an adversary has no knowledge of the details of the internal structure of the security system, so that he cannot attack the shareholders selectively. To test the security of our scheme, we consider the following adversary models. The first two models were defined in References [10,7]. Furthermore, we have defined two other models which give more power to the adversary.

• Model 1. During the entire lifetime of the network, the number of nodes that an adversary can break or control is less than the threshold t.
• Model 2. At most t − 1 nodes are compromised within each vulnerability window.
• Model 3. Within each vulnerability window, an adversary is able to compromise up to t nodes.
• Model 4. There is no limit on the number of compromised nodes within each vulnerability window.

As we can see, the adversary models 3 and 4 are more powerful than the first two. To be more secure and robust, our scheme should be able to protect against these two adversaries.

3.2. Overview of SRKM

The proposed scheme is based on the (n, t) threshold cryptography. In such a system, the distributed CA is formed by n server nodes and the certificates can be issued by a coalition of t server nodes. Unlike other standard threshold schemes [8,9,1], SRKM is based on the following: Among the n servers of the (n, t) threshold cryptosystem, some shares (part of the CA private key) of some servers are in fact shared by assistant server nodes according to an (m, k) secret sharing. Thus, those assistant servers hold subparts of a part of the CA private key (shares of the share). This way, only some server nodes (less than t) hold parts (shares) of the CA's private key. The rest of the nodes are grouped into classes $C_i$ $(i = 1, \ldots, n_2)$, each one represented by a virtual server node which virtually holds one share ($SK_i$). In fact, the share ($SK_i$) is shared among nodes of the class $C_i$ according to an (m, k) secret sharing $P_i = (SK_{i1}, \ldots, SK_{im})$. Two different classes correspond to two different secret sharings: if $C_i$ and $C_j$ are two different classes in the system, then the sharings of these classes are respectively $P_i$ and $P_j$ with $P_i \neq P_j$. This means that a share from $P_i$ cannot be combined with another share from $P_j$ to rebuild the CA's private key.

If a given node requests server nodes for a certificate, each one generates a partial certificate. For a virtual server node, it will have to rebroadcast the request to nodes of its class (assistant servers), and then form a coalition of k nodes from this class so that it can create a partial certificate (see Figure 1). The nodes in the network are divided into three categories:

• Real server nodes: is the set of servers that really have a key part (share). This set of nodes is denoted by $R = \{r_1, \ldots, r_{n_1}\}$ where $n_1$ is the number of real servers.
• Virtual server nodes: is the set of virtual servers denoted by $V = \{v_1, \ldots, v_{n_2}\}$ where $n_2$ is the number of virtual servers. Each virtual server belongs to a given class and shares the corresponding key share with other members of its class.
• Assistant server nodes: each node of this category holds a sub-share of a share of the CA's private key. These nodes are divided into classes $C_i = \{c_{i1}, \ldots, c_{im}\}$, $i = 1, \ldots, n_2$, and each class corresponds to a share ($SK_i$). When a virtual server is being compromised or leaves the class, another assistant server from its class will be elected to replace the former virtual server. Therefore, the role of virtual server can be played by any member in its class.

Figure 1. Overview of SRKM.

Real servers, virtual servers, and assistant servers are physical entities in the network (wireless and mobile nodes). So, within a threshold configuration (n, t), there are not n shares in the system, but only $n_1$ shares held by the real server nodes, where $0 < n_1 < t$. So, a mobile adversary can never discover the private key SK having t compromised nodes within a vulnerability window, because among t compromised nodes there are those who are virtual servers or assistant servers belonging to different classes, and thus their shares cannot be combined. Recall that with other threshold schemes [8,9], if t compromised nodes reveal their shares, then the security is broken and the CA's private key is revealed. However, SRKM scheme effectively protects against mobile-adversary attacks, thus enhancing the security and robustness of the Key management service based on threshold cryptography.

3.3. Basic operations and cryptography primitives

We briefly discuss the various techniques and basic operations employed in our work.

3.3.1. The secret sharing. In the SRKM scheme, the sharing and reconstruction protocols of the CA's private-key rely on the famous Shamir's secret sharing scheme [21] in which a secret value S can be shared among n players based on polynomial interpolation such that at least t players are required to reconstruct the secret, while any coalition of less than t players cannot gain any information about the secret. The parameter t represents the threshold. The secret S is split into n shares $(s_1, \ldots, s_n)$ as follows: Let f(x) be a random polynomial of degree t − 1 such that

$$f(x) = S + a_1 x + \cdots + a_{t-1} x^{t-1}$$

Secret shares are obtained by $s_i = f(i)$, $i = 1, \ldots, n$. For simplicity, we assume that i is an integer. The secret S can be obtained from any subset of t shares. Without loss of generality, we mark this subset by $f(1), \ldots, f(t)$. We reconstruct the secret S by

$$S = \sum_{i=1}^{t} f(i)\, L_i(0),$$

where $L_i(0)$ is the Lagrange coefficient such that

$$L_i(x) = \frac{\prod_{j \neq i} (x - x_j)}{\prod_{j \neq i} (x_i - x_j)}$$

Using Shamir's secret sharing provides perfect security and extensibility: given t − 1 or less shares, those shares do not supply any further information regarding the secret and additional shares may easily be created.

3.3.2. Certification service. In SRKM, when a node requests a certificate, a coalition of t server nodes is formed on the fly. Each real server node $r_i$ which receives the request generates a partial signature on the certificate using its share ($SK_i$). While a virtual server $v_i$ will broadcast the request to assistant servers in its class, it must collect k − 1 valid sub-shares from its class and then combine them with its sub-share in order to issue the corresponding partial certificate. Once the requester node collects t valid partial certificates, it can combine them to obtain its public-key certificate signed by the CA service. This certificate is verified by the CA's public-key (PK). Note that the private key (SK) will never be discovered (still unknown to all nodes in the network) when t nodes cooperate to sign a certificate. This guarantees the confidentiality of the CA's private key.

3.3.3. Share updating. In order to provide a proactive security against break-ins and attacks, and to prevent the adversary from learning the secret, we employ the share refreshing technique [6]. The term proactive refers to the fact that it is not necessary for a breach of security to occur before secrets are refreshed, the refreshing is done periodically (and hence, proactively). The adversary cannot combine new shares with old ones to discover the secret. This technique relies on the following homomorphic property: if $(s_1, \ldots, s_n)$ is an (n, k) sharing of $S$ and $(s_1', \ldots, s_n')$ is an (n, k) sharing of $S'$, then $(s_1 + s_1', \ldots, s_n + s_n')$ is an (n, k) sharing of $S + S'$. If we set $S' = 0$, then we get a new (n, k) sharing of $S$.
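The two-level sharing of Section 3.2, the Shamir arithmetic of Section 3.3.1 and the zero-sharing refresh of Section 3.3.3, worked through as an added Python example that is not the authors' code. The field prime, the function names and the parameters (n = 7, t = 4, n1 = 3, m = 4, k = 3) are assumptions chosen for illustration, and the refresh is dealt by a single party here for brevity.

```python
"""SRKM-style two-level Shamir sharing: real shares, class sub-shares, refresh.
Illustrative model only; names and parameters are assumptions, not from the paper."""
import secrets

P = 2**127 - 1  # prime field modulus (constructed parameter)


def share(secret, n, t, xs=None):
    """Shamir (n, t) sharing: f(0) = secret, deg f = t - 1. Returns {x: f(x) mod P}."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    xs = list(xs) if xs is not None else range(1, n + 1)
    return {x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P for x in xs}


def reconstruct(points):
    """S = sum_i f(x_i) * L_i(0), with L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def srkm_setup(sk, n, t, n1, m, k):
    """Deal an (n, t) sharing of SK, keep n1 < t real shares, and replace each
    remaining share SK_i by an independent (m, k) sharing held by class C_i."""
    if not (0 < n1 < t <= n and 2 <= k <= m):
        raise ValueError("need 0 < n1 < t <= n and 2 <= k <= m")
    top = share(sk, n, t)
    real = {i: top[i] for i in range(1, n1 + 1)}
    classes = {i: share(top[i], m, k) for i in range(n1 + 1, n + 1)}
    return real, classes  # the top-level SK_i of virtual servers is not stored


def exposed_key(real, classes, t, k, got_real, got_sub):
    """Exposure check: can the material held by compromised nodes yield SK?
    got_real: ids of compromised real servers.
    got_sub:  {class id: [indices of compromised members of that class]}.
    Returns SK if it can be computed from that material, otherwise None."""
    known = {i: real[i] for i in got_real}
    for cid, members in got_sub.items():
        # Sub-shares only combine within ONE class, and only k of them rebuild SK_i.
        if len(members) >= k:
            known[cid] = reconstruct({j: classes[cid][j] for j in members})
    return reconstruct(known) if len(known) >= t else None


def refresh(shares, k):
    """Proactive refresh: add an (n, k) sharing of 0 on the same x-coordinates.
    The secret is unchanged; old and new shares no longer interpolate together."""
    zero = share(0, len(shares), k, xs=shares)
    return {x: (y + zero[x]) % P for x, y in shares.items()}


if __name__ == "__main__":
    sk = secrets.randbelow(P)
    real, classes = srkm_setup(sk, n=7, t=4, n1=3, m=4, k=3)
    # t = 4 compromised nodes: all three real servers plus one assistant.
    print("t nodes, mixed:", exposed_key(real, classes, 4, 3, [1, 2, 3], {4: [1]}))
    # Six compromised nodes: three real servers plus k members of one class.
    print("key exposed:", exposed_key(real, classes, 4, 3, [1, 2, 3], {4: [1, 2, 3]}) == sk)
    old = classes[4]
    new = refresh(old, 3)
    mixed = {1: old[1], 2: old[2], 3: new[3]}
    print("old+new sub-shares rebuild SK_4:", reconstruct(mixed) == reconstruct(new))
```

With k ≥ 2, any t compromised nodes yield fewer than t top-level shares, which is the property Section 3.2 relies on; the key becomes computable only once whole-class quorums are added to the compromised set.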

4. DETAILS AND PROTOCOLS

N

C

O

R

R

EC

TE

In our system, we assume a TA (an off-line Trusted Authority) only at the bootstrapping phase of the network in order to bootstrap the initial nodes that will form the certification service by generating the (n, t) secret sharing system. After this phase, and for the rest of the network lifetime, there is no need for a TA and new nodes joining the network are self initialized by using existing network members. Note that the (n, t) threshold configuration is fixed by a TA and it will not be changed during the network lifetime like in most threshold schemes [1,8--10]. The assumption of an off-line TA at the bootstrapping phase will not affect the efficiency of our system since when the environment changes (e.g., some nodes join or leave), the current nodes cooperate and adjust accordingly by themselves, which allows our solution to be adaptable to scalable environments without a TA. Based on that, the system initialization process is carried out in two phases : server nodes bootstrapping and assistant server nodes bootstrapping. In the first phase, the TA creates an (n, t) sharing (SK1 , SK2 , . . . , SKn ) and privately distributes these shares to n nodes where (n < N) and N is the network size (Figure 2(a)). The n initialized nodes will split into real servers and virtual servers. In the second phase, the assistant server nodes are self-initialized and thus the TA is not required. These nodes will be grouped into classes. Nodes of each class will receive a sub-share of the share related to their class (Figure 2(b)).

D

4.1. System initialization

U

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

Q1

4.1.1. Servers bootstrapping. In this phase, the TA performs the following operations:

• Create a random polynomial of degree $t - 1$: $f(x) = SK + a_1 x + \cdots + a_{t-1} x^{t-1} \pmod{p}$, where $p$ is a large prime number and $SK$ is the shared private key of the certification service.
• Calculate and send to each node $i$ the corresponding share of $SK$: $SK_i = f(i) \pmod{p}$. For simplicity, $i$ is assumed to be an integer and the nodes to be initialized range from $1 \ldots n$.
• Identify sets $R$ and $V$ (the servers can be selected on various criteria such as power or connectivity of networking nodes).

Figure 2. Nodes bootstrapping: (a) Server bootstrapping (b) Assistant server class bootstrapping.

4.1.2. Assistant server class bootstrapping. From this stage on, the TA is no longer required. The n nodes that have been initialized in the first bootstrapping phase will be split into real servers (R) and virtual servers (V). All nodes not belonging to (R) are grouped into classes $C_i$ where $|C_i| = m$, each class containing exactly one node from (V), and the share of this node will be shared again among members of its class (assistant servers). Classes are formed so that each assistant server must be able to communicate with the virtual server of its class (there must be a path between the two nodes). The class creation algorithm is described below. According to this algorithm, the class creation process consists of both request and reply phases. Each virtual server initiates a new class and broadcasts the $ClassReq_i$ request to create its class. It attaches a nonce $N_i$ and its certificate $CERT_i$. Any request received by node j not belonging to any class will be put in a local queue (ReqQueue). This node picks one request from the queue and then responds to the sender (virtual server) by a $ClassReply_j$, which includes a TTL that will be decreased by intermediate nodes. If the TTL expires, another request in the queue will be processed. When a virtual server receives $ClassReply_j$, it first authenticates the reply and then adds the node j to its class, $C_i = C_i \cup \{j\}$, if $|C_i| < m$.

Algorithm 1 class creation
1: TTL = 0; ReqQueue = ∅; C_i = ∅; N_i, N_j: Nonce; h: hash function;
2: for each node i ∈ V do
3: ClassReq_i = [ID_i, ClassID, N_i, CERT_i]_{k_i^{-1}};
4: i → ALL: {ClassReq_i, [h(ID_i, ClassID, N_i)]_{k_i^{-1}}, CERT_i};
5: end for
6: for each node j (j ∉ R ∪ V, j ∉ C_l : l = 1 ... n_2) do
7: if j receive non-duplicate ClassReq_i then
8: Authenticate node i;
9: ReqQueue = ReqQueue + ClassReq_i;
10: end if
11: while not receive_j ACK do
12: if TTL = 0 (TTL Expired) then
13: process ClassReq_i in ReqQueue Heading;
14: initialize (TTL);
15: ClassReply_j = [ID_j, ID_i, ClassID, N_j, N_i, CERT_j]_{k_j^{-1}};
16: j → i: {ClassReply_j, [h(ID_j, ID_i, ClassID, N_j, N_i)]_{k_j^{-1}}, TTL, CERT_j};
17: end if
18: end while
19: end for
20: for each node i ∈ V do
21: if i receive non-duplicate ClassReply_j and |C_i| < m then
22: Authenticate node j;
23: if TTL > 0 then
24: C_i = C_i ∪ {j};
25: i → j: {[ACK, ID_j, ID_i, ClassID, N_j], [h(ACK, ID_j, ID_i, ClassID, N_j)]_{k_i^{-1}}, CERT_i};
26: else
27: i → j: Error TTL Expired;
28: end if
29: end if
30: end for

Once all classes are formed, each virtual server creates an (m, k) sharing of its share $SK_i$ and privately sends the created sub-shares $SK_{ij}$ $(j = 1 \ldots m)$ to nodes in its class. We denote this procedure by class sharing, which is described by the following:

• Step 1: $\forall v_i \in V$, $v_i$ creates a random polynomial $g_i(x) = SK_i + b_{i1} x + \cdots + b_{i,k-1} x^{k-1} \pmod{p}$.
• Step 2: calculate an (m, k) sharing $(SK_{i1}, \ldots, SK_{im})$ for the share $SK_i$, where $SK_{ij} = g_i(c_{ij}) \pmod{p}$.
• Step 3: $\forall c_{ij} \in C_i$ $(j = 1, \ldots, m)$, distribute $SK_{ij}$ to node $c_{ij}$.
• Step 4: $v_i$ keeps a sub-share from $SK_i$ and deletes the rest of $SK_i$ and all related information.

By executing the class sharing procedure for each class, we get a sharing tree which has two levels, as is shown in Figure 3. The first level of the tree consists of the (n, t) sharing of the private CA key, while the second level is the (m, k) sharing of the shares that are virtually held by the virtual servers. Figure 2 illustrates an example of an ad hoc network that consists of 15 nodes. In Figure 2(b), assistant server nodes are grouped into classes in order to divide the shares of the virtual servers. In this example, these shares are $SK_2$, $SK_4$, $SK_8$, which will be shared respectively by classes $C_2$, $C_4$, $C_8$. At the final stage of the initialization process, nodes are divided into three sets R, V, and C ($C = \cup C_i$) as shown in Table I.

Figure 3. Sharing tree.

Table I. Example of apportionment of 15 nodes at the initialization phase.

| R | V | $C_2$ | $C_4$ | $C_8$ |
|---|---|---|---|---|
| 1 | 2 | 2 | 4 | 8 |
| 3 | 4 | 6 | 10 | 9 |
| 5 | 8 | 7 | 12 | 11 |
|   |   | 13 | 15 | 14 |

4.2. Share refreshing

We enhance the robustness of our scheme by periodically updating the shares based on the share refreshing technique discussed in Section 3.3.3. In SRKM, our protocol of share updating allows refreshing shares and sub-shares without the need for rebuilding and sharing out the virtual shares again (see Figure 4). Let $(SK_1, \ldots, SK_n)$ be the (n, t) sharing of SK; then we can get a new sharing $(SK'_1, \ldots, SK'_n)$ of SK where $SK'_i = SK_i + S_i$ and $S_i = \sum_{j=1}^{n} k_j(i)$. Accordingly, each node $p \in R \cup V$ creates $k_p(x) = 0 + c_{p1} x + \cdots + c_{p,t-1} x^{t-1} = \sum_{i=1}^{t-1} c_{pi} x^i$, where the $c_{pi}$ are random coefficients. Node p sends $k_p(r)$ to each node $r \in R \cup V$ $(r \neq p)$. After receiving $k_p(r)$ $(p = 1 \ldots n : p \neq r)$ from n nodes, each real server, denoted r, can calculate its new share $SK'_r = SK_r + \sum_{j=1}^{n} k_j(r)$.

Now, we will show how assistant servers can refresh their sub-shares. First, we assume that $(S_{i1}, \ldots, S_{im})$ is the (m, k) sharing of $S_i$ computed on the polynomial $\lambda_i(x)$. Therefore, $S_i = \sum_{r=1}^{k} \lambda_i(r)\, l_r(0)$. If we assume that $\lambda_i(x) = \sum_{l=1}^{m} \lambda_{il}(x)$, then $\lambda_i(r) = \sum_{l=1}^{m} \lambda_{il}(r) = S_{ir}$. Based on that, assistant servers can compute their new sub-shares as follows: each node in V, denoted $v_i$, sends $S_i = \sum_{p=1}^{n} k_p(v_i)$ $(p \in R \cup V)$ to each assistant server in its class. Each assistant server in this class, denoted $c_{ij}$, generates $\lambda_{ij}(x) = S_i + e_{j1} x + \cdots + e_{j,k-1} x^{k-1}$ and then sends $\lambda_{ij}(c_{ir})$ to $c_{ir}$ $(r = 1 \ldots m,\ r \neq j)$ in the same class. Therefore, each assistant server $c_{ij} \in C_i$ computes its new sub-share $SK'_{ij} = SK_{ij} + \sum_{r=1}^{m} \lambda_{ir}(c_{ij})$. The new sub-shares $SK'_{ij}$ are valid only if they verify the following equation:

$$SK'_i = \sum_{j=1}^{k} SK'_{ij}\, l_j(0)$$

Figure 4. Share refreshing.

4.3. Certificate issuing

In SRKM, the certificate of the node i, denoted $CERT_i$, is issued by a coalition of any t honest server nodes. Each node j in this coalition generates a partial signature on node i's certificate and then obtains a partial certificate denoted by $cert_{ij}$. These partial certificates are then combined to rebuild a valid certificate signed by the certification service. In order to provide a threshold cryptography based certification service, several threshold signature algorithms have been proposed in literature. In Kong et al.'s scheme [9], a certification service relying on RSA is provided. However, their method does not allow verifying whether a partial certificate is valid before combining it with other partial certificates of the coalition. Thus, if within a collection of t partial certificates there is one that is invalid, it becomes impossible to discover the invalid partial certificate. Consequently, compromised nodes that assign false partial certificates cannot be unmasked. This has a negative impact on the certification service. Some threshold signature schemes based on the standard DSS [22] are also proposed. Nevertheless, DSS based schemes require the computation of the inverse of secrets, and such an operation is very costly for MANETs. The threshold signature scheme proposed in Reference [23] seems to be more efficient and it relies on the DLP. Indeed, it does not require the computation of the inverse of secrets and can resist several attacks. However, this scheme is not appropriate for the SRKM architecture. Furthermore, it requires the presence of a TA to distribute shares to newly added nodes in the network. To handle this problem, we modify the scheme suggested in Reference [23] so that it adapts to the requirements of SRKM.

Let p and q be two large prime numbers satisfying $q \mid (p - 1)$, and let $G_q$ be a subgroup of $Z_p$ with order q; g is a generator of $G_q$. Let m be the message sent in the certification request, which includes the identity of the requester node as well as its public key; h(·) is a one-way hash function, $PK = g^{SK}$ is the public key of the certification service, and SK is the corresponding private key used in the certificate signing process. First, the requester node i selects any subset of R ∪ V of size t. Without loss of generality, let $B = \{j \mid j = 1 \ldots t\}$ be this subset of nodes. When each node j in B receives the certification request, it generates a partial signature. There are two cases for generating a partial signature, depending on whether j ∈ B is a real or a virtual server.

(1) Assigning certificates in case of real servers: On the basis of the above assumptions, if node j ∈ R (real server) is in B, then j broadcasts a public value $r_j = g^{e_j}$ within subset B, where $e_j \in Z_q$ is a random number. Node j also broadcasts $PK_j = g^{SK_j \cdot l_j(0)} \pmod{p}$ within subset B, where $SK_j$ is the secret share of node j. Then, j assigns a partial certificate for node i as:

$$cert_{ij} = SK_j\, l_j(0) + e_j E \pmod{q}$$

where $E = h(mR)$ and $R = \prod_{j=1}^{t} r_j$. The node i can verify the validity of the partial certificate with the following:

$$g^{cert_{ij}} \stackrel{?}{=} PK_j\, r_j^{E} \pmod{p}$$

Once t partial certificates are verified, node i combines them to reconstruct its certificate as

$$CERT_i = \sum_{j=1}^{t} cert_{ij}$$

This way, $(R, CERT_i)$ is considered as the certification service signature on the certificate of node i. Other nodes might verify this certificate using the public key of the service (PK) by the following:

$$g^{CERT_i} \stackrel{?}{=} PK \cdot R^{E} \pmod{p}$$

(2) Assigning certificates in case of virtual servers: if j ∈ V (virtual node) is in B, then j selects any subset of size k − 1 in its class, denoted by $C_j$. Let $B_j = \{c_{j1} \ldots c_{j,k-1}\}$ be a subset of assistant servers; then j rebroadcasts the certification request within subset $B_j$. Each node in $B_j$, denoted by $c_{jl}$ (including virtual server j), receiving the request, computes $r_{jl} = g^{e_{jl}}$ and $X_l = g^{SK_{jl} \cdot l_{c_{jl}}(0)}$, where $e_{jl}$ is a random number, and then sends them to virtual server j. The latter computes the product $r_j = \prod_{l=1}^{k} r_{jl}$ and sends it to all nodes in B. It also broadcasts $PK_j = \prod_{l=1}^{k} X_l^{\,l_j(0)}$ within B. Finally, each node in $B_j$ computes a partial certificate for the requester node i, and then sends it to the virtual node j:

$$cert_{ij,l} = SK_{jl}\, l_{c_{jl}}(0)\, l_j(0) + e_{jl} E \pmod{q}$$

Note that the partial certificates assigned by assistant servers are not sent to the requester node i, and they cannot be combined with other partial certificates assigned by nodes in R or by nodes belonging to different classes. If the virtual server j collects k − 1 partial certificates from $B_j$, then it can compute a partial certificate to be sent to the requester node i, which can combine it with other partial certificates assigned by nodes in R.

$$cert_{ij} = \sum_{l=1}^{k} cert_{ij,l}$$

A certificate assigned by a virtual server can be verified by the equation defined above ($g^{cert_{ij}} \stackrel{?}{=} PK_j\, r_j^{E} \pmod{p}$).

4.4. Handling scalability and topology changing

Ad hoc networks may consist of a large number of nodes. The size of the network can change frequently and the speed of change may increase as new nodes join the network. In SRKM design, we adopt a fully distributed approach. In that approach, each node collaborates in the process of certification service by carrying out a particular role (real server, virtual server or assistant server). Thus, if a new node joins the network, it must be given a role, and participate in the certification process as all other members of the network. Nevertheless, a node may stop cooperating when it is compromised or it leaves the network. This may degrade the performance of the security system if multiple nodes do not cooperate. The change in topology due to the dynamic movement of nodes may also affect the performance of the system (for instance, when a class fails to reconstruct its key share because several of its members have moved and have become unreachable by the virtual server of this class). To handle scalability and topology changes, we propose scalable reconfiguration and dynamic support in the security system.

4.4.1. Joining the network (log-on). This operation allows new nodes to join the network and become a correct participant in the certification service. The new node will act as real server (get a new share), virtual server (initiate a new class) or assistant server by joining an existing class. In our work, we rely on a dynamic mechanism to assign a role to new nodes depending on the current state of the threshold cryptosystem (current value of NAC, size of classes, etc.). This means that the role to be assigned to new nodes is unpredictable. For example, a new node cannot act as real server if the NAC exceeds the required security level (the security of the underlying key management system decreases as the number of real servers increases). The log-on algorithm (Algorithm 2) describes how to assign a special role to a new node i. The process is also illustrated in Figure 5. If the NAC does not affect the required security level, then the new node i will act as real server. Else i will verify whether the availability in the shares reconstruction at each class is satisfied: there may be classes with a small size. If the size of a class is less than k, the latter will fail to reconstruct its share and thus the new node i must join this class. If the size of a class is greater than or equal to k, then new node i will join this class only if there is no other class with a size less than k. Now, if the latency level and the availability in all classes are satisfied, the new node i will initiate a new class. After a number of nodes have joined the network, system settings may change as follows:

• $(n, t) \rightarrow (n', t) \mid n' > n$ (new real or virtual servers).
• $V \rightarrow V' \mid |V'| > |V|$ (new virtual servers).
• $C \rightarrow C' \mid |C'| > |C|$ and $C = \cup C_i$ (new classes).

When the new node i is accepted as a real server, it can get its share of the CA's private key without the need for any TA. A group of t servers (virtual or real) may cooperate to generate a new key share and send it to new node i as follows:

• i sends a request getShareReq to a group of t servers: $i \rightarrow j : (getShareReq, CERT_i, ID_i)$ where $j \in R \cup V$; for simplicity let $j = 1 \ldots t$.
• Each server j receiving the request and deciding to serve it will send back to node i: $P_{ji} = f(j)\, l_j(i) + \psi_j \pmod{p}$, where $\psi_j$ is a shuffling factor such that $\sum_{j=1}^{t} \psi_j = 0$.
• Node i can compute its share as $SK_i = \sum_{j=1}^{t} P_{ji}$.
• If j is a virtual server, it rebroadcasts the request to k assistant servers from its class. For simplicity let $\{c_{j1}, \ldots, c_{jk}\}$ be this set; then each node $c_{jl}$ in this set sends back to j the following: $g_j(c_{jl}) \cdot l_{c_{jl}}(0) \cdot l_j(i) + \psi_{jl}$, where $\sum_{l=1}^{k} \psi_{jl} = \psi_j$.
• Thus, j sends to i the following: $P_{ji} = \sum_{l=1}^{k} \left[ g_j(c_{jl}) \cdot l_{c_{jl}}(0) \cdot l_j(i) + \psi_{jl} \right] \pmod{q}$.

Algorithm 2 Log-on
1: i: the new node; k: class threshold; t: global threshold; m: number of class shareholders according to the threshold scheme (m, k);
2: minSize = m;
3: for each new node i do
4: if NAC 0 do
10: if receive(ClassStatusRep) then
11: if ClassStatusRep.Size < minSize then
12: minSize = ClassStatusRep.Size;
13: ClassID = ClassStatusRep.ClassID;
14: end if
15: end if
16: end while
17: if minSize < k then
18: joinClass(ClassID);
19: else
20: if minSize < m and |R ∪ V| ≥ t then
21: joinClass(ClassID);
22: end if
23: end if
24: else
25: createClass(C_i);
26: C_i = C_i ∪ {i};
27: V = V ∪ {i};
28: end if
29: end for

Figure 5. Possible status of a new node in joining process.

4.4.2. Leaving the network. In SRKM, when a node i leaves the network, it causes a change in the system configuration. There are different cases:

• If i is a real server node (i ∈ R), it will simply be removed from the set of real servers and the threshold configuration (n, t) changes to (n − 1, t). The NAC decreases as real servers leave the network, increasing the latency parameter.
• If i is a virtual server (i ∈ V), another assistant server from the same class as i will be elected to replace the virtual server. The favored node is the one which has the highest connectivity with other members of its class.
• If i is an assistant server ($i \in C_i$), the threshold configuration (m, k) changes to (m − 1, k).

4.4.3. Roaming. As mentioned above, the topology of the ad hoc network may frequently change due to the dynamic movement of nodes. Therefore, a node that belongs to a particular class may move far from its class, to the point that it becomes unreachable by the virtual server of its class. If multiple nodes in the same class do the same thing, the class may fail to reconstruct its share. In order to improve the availability at the class level with a high mobility of nodes, we propose a mechanism that allows nodes to dynamically change their class as they move away from their current classes. Thus if a moving node detects that it is disconnected from its class (there is no path between this node and the virtual server of its class), it must change its class by joining another one. Then, this node tries to find an available class. The process is similar to the Log-on operation as described above, except that here the node seeks only to join a class, and it will not change roles (it remains an assistant server). When the node finds an available class, it gets a sub-share from the new class by contacting the corresponding virtual server, and deletes its old sub-share. This way, availability in classes is balanced as the nodes of various classes move.
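The following added example (not the authors' code) walks the mechanisms of Sections 4.1 to 4.4.1 end to end: a two-level sharing tree, a share refresh, certificate issuing by real and virtual servers with detection of a false partial certificate, and share generation for a joining node. Assumptions of the example: a toy group (p = 2039, q = 1019, g = 4), all shares taken mod q so that exponents stay consistent, SHA-256 as h, constructed assistant-server ids, and a single (m, k) dealing of each virtual server's refresh increment $S_j$ in place of the per-assistant polynomials.

```python
import hashlib
import secrets
from math import prod

P, Q, G = 2039, 1019, 4  # toy Schnorr group (constructed): Q | P - 1, G has order Q

def deal(secret, xs, threshold):
    """Shamir shares f(x), x in xs; f random of degree threshold - 1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q for x in xs}

def lagrange(j, xs, at=0):
    """Lagrange coefficient l_j(at) over the index set xs, mod Q."""
    num = den = 1
    for x in xs:
        if x != j:
            num, den = num * (at - x) % Q, den * (j - x) % Q
    return num * pow(den, -1, Q) % Q

def build_tree(sk, n, t, virtual, m, k):
    """4.1: (n, t) sharing of SK; each virtual server j re-shares SK_j (m, k) in its
    class and deletes it. Assistant ids 100*j + 1 .. 100*j + m are constructed."""
    shares = deal(sk, range(1, n + 1), t)
    classes = {j: deal(shares.pop(j), [100 * j + c for c in range(1, m + 1)], k)
               for j in virtual}
    return shares, classes

def refresh(shares, classes, t, k):
    """4.2: each holder p deals k_p(x) with k_p(0) = 0; SK'_r = SK_r + sum_p k_p(r).
    Assumption: a virtual server's increment S_j is dealt (m, k) onto its class."""
    ids = sorted(shares) + sorted(classes)
    delta = dict.fromkeys(ids, 0)
    for _ in ids:
        for r, v in deal(0, ids, t).items():
            delta[r] = (delta[r] + v) % Q
    for r in shares:
        shares[r] = (shares[r] + delta[r]) % Q
    for j, sub in classes.items():
        for c, v in deal(delta[j], list(sub), k).items():
            sub[c] = (sub[c] + v) % Q

def parts(j, B, shares, classes, k, at=0):
    """Additive pieces of SK_j * l_j(at): one for a real server; for a virtual server,
    one per assistant in a quorum of k: SK_jl * l_cjl(0) * l_j(at)."""
    lj = lagrange(j, B, at)
    if j in shares:
        return [shares[j] * lj % Q]
    quorum = sorted(classes[j])[:k]
    return [classes[j][c] * lagrange(c, quorum) * lj % Q for c in quorum]

def challenge(message, R):
    """E as a hash of m and R, with SHA-256 as this example's h."""
    return int.from_bytes(hashlib.sha256(message + b"|%d" % R).digest(), "big") % Q

def issue(message, B, shares, classes, k, tamper=None):
    """4.3: returns (R, CERT_i, signers whose partial certificate failed verification)."""
    atoms = {j: [(w, secrets.randbelow(Q - 1) + 1) for w in parts(j, B, shares, classes, k)]
             for j in B}                                   # (share piece, nonce e)
    r = {j: prod(pow(G, e, P) for _, e in a) % P for j, a in atoms.items()}   # r_j
    pk = {j: prod(pow(G, w, P) for w, _ in a) % P for j, a in atoms.items()}  # PK_j
    R = prod(r.values()) % P
    E = challenge(message, R)
    cert = {j: sum(w + e * E for w, e in a) % Q for j, a in atoms.items()}    # cert_ij
    if tamper is not None:                                 # a compromised signer lies
        cert[tamper] = (cert[tamper] + 1) % Q
    bad = [j for j in B if pow(G, cert[j], P) != pk[j] * pow(r[j], E, P) % P]
    return R, sum(cert.values()) % Q, bad

def verify(message, R, cert, PK):
    """Public check g^CERT_i == PK * R^E (mod p)."""
    return pow(G, cert, P) == PK * pow(R, challenge(message, R), P) % P

def join(new_id, B, shares, classes, k):
    """4.4.1: server j answers P_ji = SK_j * l_j(i) + psi_j where the psi_j sum to 0,
    so the new node learns SK_i = sum_j P_ji = f(i) and no individual SK_j."""
    psi = [secrets.randbelow(Q) for _ in B[:-1]]
    psi.append(-sum(psi) % Q)
    return sum(sum(parts(j, B, shares, classes, k, at=new_id)) + s
               for j, s in zip(B, psi)) % Q

def demo():
    sk = secrets.randbelow(Q - 1) + 1
    PK = pow(G, sk, P)
    shares, classes = build_tree(sk, n=5, t=3, virtual=[2, 4], m=4, k=2)
    msg = b"ID=node-17;PK=constructed-sample-key"          # constructed request m
    B = [1, 2, 3]                                          # real, virtual, real
    R, cert, bad = issue(msg, B, shares, classes, k=2)
    honest = verify(msg, R, cert, PK) and not bad
    R, cert, bad = issue(msg, B, shares, classes, k=2, tamper=2)
    caught = bad == [2] and not verify(msg, R, cert, PK)
    before = dict(shares)
    refresh(shares, classes, t=3, k=2)
    R, cert, bad = issue(msg, [3, 4, 5], shares, classes, k=2)
    refreshed = shares != before and verify(msg, R, cert, PK) and not bad
    shares[6] = join(6, [2, 4, 5], shares, classes, k=2)   # node 6 becomes a real server
    R, cert, bad = issue(msg, [1, 6, 4], shares, classes, k=2)
    joined = verify(msg, R, cert, PK) and not bad
    return honest, caught, refreshed, joined
```

Each flag returned by `demo()` corresponds to one mechanism. The `caught` flag shows the per-signer check pinpointing the tampered partial certificate before combination, the property the text finds missing in Kong et al.'s scheme.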

5. DISCUSSION

Current research work in key management can only handle small networks. When the number of nodes increases, most of them become either inefficient or insecure [11]. Security is an important issue in the design of key management in MANET, especially when secret sharing techniques and threshold cryptography are used. In these systems, the security of the key management system depends on the secrecy of the shared key, which depends in turn on the correctness (non-compromise) of the members that share the secret (shareholders). The main limitation of previous threshold schemes is that they tolerate corruptions only up to the threshold number. If a number of malicious members equal to or higher than the threshold reveal their shares to an adversary, then the secret key is compromised. Therefore, using secret sharing in ad hoc networks demands more security, as network nodes typically exhibit physical vulnerabilities, leaving them exposed to attacks that are likely to compromise many of them.

To cope with this kind of risk and prevent key revealing to an adversary, share refreshing [6] is used. However, such a defense is not effective for large scale and highly dynamic networks because the period for refreshing all shares increases with the number of shareholders and the mobility of the nodes. Hence the probability to compromise a sufficiently large number (up to the threshold) of shares increases with the number of nodes. Let N be the size of the network and let T be the vulnerability window. Then T will increase with N. Beyond a certain value of N, the adversary may have enough time to get t shares and discover the private key. Unfortunately, previous threshold schemes are affected by a major challenge: their robustness does not scale with the network size and topology changing. To mitigate these risks, our scheme provides more security by keeping the secrecy of the shared key even if there are a large number of compromised shareholders (more than the threshold). Let x be the number of compromised shareholders that the adversary attacked within a period T. We assume that the adversary cannot analyze the network traffic, so that he cannot attack the shareholders selectively (nodes hide their roles from the adversaries). We define a vulnerability metric, denoted by vul(x), which is the probability of the secret key being compromised when x shareholders are compromised. Relying on this metric, we compare the robustness of our scheme versus the previous (n, t) schemes [1,8,9]. As shown in Table II, the previous schemes can only resist adversaries of models 1 and 2 (Section 3.1.3), while our scheme provides protection against adversaries with more capabilities as defined by models 3 and 4.

If x = t, then the adversary can recover the secret in previous schemes, but he cannot in our scheme, because these t compromised shareholders hold different shares of different classes (real server, virtual server, assistant server) and a share from a given class cannot be combined with a share from another class. Furthermore, in our scheme, the expected number of shareholders that an adversary would have to compromise in order to recover the secret is, in the best case, $x = n_1 + k (t - n_1)$. With this number, the probability to recover the secret is defined as:

$$\Pr = \frac{\sum_{i=0}^{n_1} C_{n_1}^{i} \left( C_m^{k} \right)^{t-i}}{C_N^{x}}$$

Based on that, the number of shareholders that an adversary must compromise to be sure to recover the secret is $x = (t - 1)m + k$, which is much larger than the threshold t. Here m is the size of a sharing class, k is its threshold, and $N = m (t - n_1) + n_1$.

Table II. Vulnerability of some schemes versus SRKM.
Compromised nodes: x
vul(x) in partially distributed schemes: 0 1 1 1
vul(x) in fully distributed schemes: 0 1 1 1
vul(x) in SRKM: 0 0 0 0,1

6. SIMULATION RESULTS

We realized our simulation by developing a prototype using the MATLAB environment. Our focus is to evaluate the performance of the proposed scheme in order to demonstrate that it is suitable for MANETs and to test the robustness of our scheme against break-ins and compromised nodes.

6.1. Simulation parameters

The simulation was conducted with ad hoc networks of sizes ranging from 100 to 200 nodes which are randomly dispersed in a 1 km² region, and each node has a transmission range (σ). Two nodes are neighbors if the distance between them falls within the transmission range. We assume that nodes have the same hardware characteristics and processing power, and are configured by wireless communication interfaces of 22 Mbps transmission rate. Furthermore, we assumed no bandwidth restrictions and no wireless channel error, as one can deal with these issues modularly at different layers. The mobility model used in our simulation is the random waypoint mobility pattern [24], in which a node starts by staying in one position for a certain period of time (i.e., a pause time). Once this time expires, the node chooses a random destination in the simulation area and a speed, and then it moves to the chosen destination at the selected speed. Once there, the node pauses for a specified time period before starting the process again. In our experiment, pause time ranges from 5 to 20 s and node speed is uniformly distributed between 0 and 20 m/s. During the simulation, we are interested in the following metrics: Successful Certification Ratio, Average Certification Delay, and Security.

6.2. Successful certification ratio measurement

This measures the ratio of the number of successful certification services (including issuance and renewal) to the total number of certification requests. We denote by µ the successful certification ratio.

$$\mu = \frac{\text{Number of successfully issued certificates}}{\text{Total number of requests for certificate issuance}}$$

In SRKM, a certificate is successfully issued when a node receives t or more valid partial certificates.

57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112

K. Hamouid and K. Adi

C

O

R

R

EC

PR D

TE

6.2.1. Network partitioning impact. We first examine the impact of the network connection on the performance of the certification service. The network connection depends on the transmission range of nodes (σ). When σ is very low, many nodes in the network may be disconnected from each other. Thus, in some situations a certification service might fail to issue certificates because the requesting node cannot reach at least t server nodes in order to combine their partial certificates. We evaluate the impact of σ with a network of 100 nodes and the threshold configuration set to t = 10, n = 20, and NAC = 0.81. We compare our SRKM scheme with the fully distributed scheme of Kong [9] with the same simulation parameters. Figure 6 shows that the certification success ratio decreases when the transmission range of nodes reduces. However, we find that under the SRKM scheme, the availability of certification services is relatively stable. Indeed, we have more than 65% of successfully issued certificates with networking nodes having a transmission range of 100 m or more. However, in Kong’s scheme, the availability of certification services is very weak when the transmission range of nodes is less than 160 m.

O

Figure 6. Successful certification ratio versus transmission range (), N = 100, t = 10, n = 20.

N

6.2.2. Threshold value impact. The threshold value t might have a very important impact on both security, and the availability of certification services. A very large threshold value ensures high security, but the availability and latency requirements may not be satisfied, because the requesting node must collect a large number of valid partial certificates. However, in some situations, some server nodes may be compromised or unavailable, thus the requesting node may fail to reconstruct a valid certificate. If t is small, it becomes easy for a node to construct its certificate but the security aspect is compromised. We are interested in the impact of the threshold value on the successful certification ratio. We compare our SRKM

U

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

Q1

O FS

SRKM scheme for ad hoc networks

12

Figure 7. Successful certification ratio versus threshold t (a) N = 200, n = 50,  = 100 m (b) N = 200, n = 50,  = 180 m.

scheme and Kong’s fully distributed scheme. Figure 7 shows the success ratio by varying the threshold t. In SRKM, increasing the threshold does not have a greater impact on the success ratio compared with Kong’s scheme, in which the success ratio becomes very weak when t is more than 10. The threshold selection is influenced by various factors such as network density, node speed, node transmission range, etc. For instance, from Figure 7(a) and 7(b), when the threshold is set to 45, the success ratio increases from 35 to 90% with transmission ranges of 100 m and 180 m, respectively. Therefore, in SRKM we can increase the threshold to enhance the security without influencing on the availability.

6.2.3. Successful certification ratio in the presence of compromised nodes. Now, we are interested in evaluating the robustness of our scheme with the presence of compromised nodes. As part of this experiment, we note that a compromised node is characterized by unpredictable behavior, which means that it may not respond, sign false certificates or respond correctly to the request. Figure 8 shows that the performance of SRKM does not degrade quickly when the number of compromised nodes increases, and the Security Comm. Networks. 2010; 3:1–16 © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/sec.199

57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112

K. Hamouid and K. Adi

Q1

to achieve security objectives in our system remain within the acceptable standards imposed by MANET environments.

C

N

512 768

1024

1280 1536 1792 2048

O

R

R

EC

Security and robustness are both important factors to consider when implementing efficient and highly available key management services for ad hoc environments Security has a price, and in most cases this leads to an additional cost in terms of computation and bandwidth consumption. Therefore, it is important to consider computational costs due to the limited computation power of nodes. Our intention in this experiment is to demonstrate that authentication delays and computation costs needed

Key length (bits)

O FS

O

TE

6.3. Computational overhead and certification delay

D

successful certification ratio stays mostly stable until 50% of compromised nodes in the network for which the success ratio is 80%. Thus, SRKM remains robust even if the number of compromised nodes increases, enhancing then the availability of certification services.

6.3.1. Computational overhead. In order to evaluate the impact of the computation overhead on the latency of the certification generating process, we implemented our signature algorithm in MATLAB. We used a Pentium IV 1.1 Ghz machine. In this experiment, we consider different values of different settings, e.g., key length and threshold. Our cost measurements in Table III show that our algorithm has low requirements on the computational power of nodes. We denote by (RS P.Cert) and (VS P.Cert) the computation costs for partial certificates by real servers and virtual servers, respectively. We also note that the computation delay increases with the key length and the threshold. However, the performance of computation overhead is acceptable for typical scenarios. In our case, the expensive step in terms of computation is the partial certificate creation and especially those of virtual servers. Indeed, generating a partial certificate with a virtual server entails more computation than the generation of the same certificate with a real server, because it requires the computation of k assistant servers from the same class as the virtual server. However, as shown in Table III, the time for generating a partial certificate by a virtual server is approximately equivalent to that of a real server, the reason being that the computations for partial certificates by assistant servers are carried out in parallel, and the delay for combining these partial certificates by the virtual sever is negligible. Therefore, the use of classes of sharing in our system does not considerably affect the certification process delay compared to standard (n, t) threshold schemes. We also analyze and compare the computation overheads of our (n, t)-threshold scheme with Kong’s [10] scheme for the generation of a certificate signature. This comparison is based on the quantity of computations required to generate a signature [25]. These are mainly composed of modular


Figure 8. Successful certification ratio versus compromised nodes rate, N = 150,  = 150 m.


Table III. Computational costs.

Threshold   RS P.Cert (ms)   VS P.Cert (ms)   Combine Cert (ms)
15          10               11               0.53
30          19               21               0.57
15          20               22               0.58
30          30               30               0.58
15          34               36               0.60
30          36               39               0.63
15          43               48               0.75
30          51               56               0.76
15          58               63               0.79
30          61               69               0.86
15          66               74               0.89
30          73               79               0.91
15          76               85               0.95
30          78               90               0.98


Table IV. Computational overheads of the proposed scheme versus URSA scheme.

Schemes  Operation               # of modular multiplication computations  # of modular exponential computations  # of hash calculation
URSA     P. certificate signing  t                                         1                                      0
URSA     Certificate signing     2t                                        t + 1                                  0
URSA     Total                   3t                                        t + 2                                  0
SRKM     P. certificate signing  2t                                        2                                      1
SRKM     Certificate signing     0                                         0                                      0
SRKM     Total                   2t                                        2                                      1

exponential computations and modular multiplication computations, which are the most expensive operations affecting the performance of any algorithm. It is also assumed that other residual computational overhead can be ignored. As shown in Table IV, the total computations required in Kong’s scheme are greater than in our scheme, especially in terms of modular exponential computations.

6.3.2. Average certification delay measurement. The computation cost values obtained previously are used in our MATLAB simulation of the SRKM scheme in order to evaluate the total delay for generating a complete certificate by considering communication overhead. The Average Certification Delay (ACD) is measured as the time delay between the certificate service request (CSReq) and the certificate service reply (CSRep), averaged over the simulation time. This depends on the time complexity of the algorithm used for generating a signature.

$$\mathrm{ACD} = \sum_{i=1}^{n} \frac{\mathrm{CSRep}_i - \mathrm{CSReq}_i}{T_{int}}$$


As part of this experiment, we assume nodes with wireless communication interfaces of 22 Mbps (which is similar to actual technologies for PDA devices). In practice, the average size of a public key certificate is 5 KB. We also assume that the average size of a certificate request propagated to the CA servers in question is 1 KB. Based on these settings, we measure the average delay of certification under different configurations of node apportionment (number of real servers vs. virtual servers), which depends on the fixed parameter NAC (Section 3.1.1) and threshold settings where n = 15% of N, t = 2n/3 and k = 2m/3 (see Sections 3.1.1 and 3.2 for notation). With these settings, the threshold increases with the network size, and thus we only vary the network size to observe whether the performance declines as both the network size and the threshold increase. As a result of this experiment, Figure 9 shows that both the NAC and the threshold are important parameters that may affect the certification delays. On the one hand, the ACD increases with the threshold, while on the other hand the NAC is inversely proportional to the ACD, which means that when there are more real servers in the network, the ACD is reduced. In summary, with typical values of NAC and threshold, the computation and communication delays in our system are acceptable for MANETs.

Figure 9. Average certification delay, N = 150,  = 150 m.
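The operation counts of Table IV turned into a rough cost model, as an added example that is not the authors' MATLAB code: it times one modular multiplication, one modular exponentiation and one hash, then weights them by the table's totals for the thresholds 15 and 30 used in Table III. The 1024-bit modulus, the full-length exponent, SHA-256 and the 1 KB message are assumptions; the page does not state them.

```python
"""Cost model for Table IV: operation counts per certificate signature.

Added example, not the authors' MATLAB code. Modulus size, exponent
length and the hash function (SHA-256) are assumptions.
"""
import hashlib
import secrets
import time

# Operation counts from Table IV as functions of the threshold t:
# (modular multiplications, modular exponentiations, hash calculations)
TABLE_IV = {
    "URSA": {
        "partial": lambda t: (t, 1, 0),
        "combine": lambda t: (2 * t, t + 1, 0),
    },
    "SRKM": {
        "partial": lambda t: (2 * t, 2, 1),
        "combine": lambda t: (0, 0, 0),
    },
}


def total_ops(scheme, t):
    """Sum the partial-signing and combining rows (the table's 'Total' row)."""
    rows = [row(t) for row in TABLE_IV[scheme].values()]
    return tuple(sum(col) for col in zip(*rows))


def measure_primitives(bits=1024, reps=200):
    """Return the mean time in seconds of one mul, one exp and one hash."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full-length modulus
    a, b, e = (secrets.randbelow(n) for _ in range(3))  # e: full-length exponent
    msg = secrets.token_bytes(1024)                     # constructed 1 KB message

    def mean_time(fn, count):
        start = time.perf_counter()
        for _ in range(count):
            fn()
        return (time.perf_counter() - start) / count

    return {
        "mul": mean_time(lambda: (a * b) % n, reps * 50),
        "exp": mean_time(lambda: pow(a, e, n), reps),
        "hash": mean_time(lambda: hashlib.sha256(msg).digest(), reps * 50),
    }


def estimated_cost(scheme, t, unit):
    """Weight the Table IV totals by per-operation costs (same unit as `unit`)."""
    mul, exp, hashes = total_ops(scheme, t)
    return mul * unit["mul"] + exp * unit["exp"] + hashes * unit["hash"]


if __name__ == "__main__":
    unit = measure_primitives()
    for t in (15, 30):  # thresholds used in Table III
        for scheme in ("URSA", "SRKM"):
            ms = estimated_cost(scheme, t, unit) * 1e3
            print(f"t={t:2d} {scheme}: ops={total_ops(scheme, t)} ~{ms:.2f} ms")
```

Because the exponentiation term dominates, the URSA estimate grows with t while the SRKM estimate stays close to the cost of two exponentiations.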

6.4. Security evaluation

The proposed key management scheme is intended to work securely against malicious attacks that aim at revealing the system’s secret key by combining secret shares of compromised nodes. The revealed secret key can then be used by an adversary to impersonate a benign node. Therefore, our scheme is designed to enhance the security of the system’s secret key even if there is a large number of compromised shareholders that can exceed the threshold. To evaluate the security and the robustness enhancement, we base our simulation on the vulnerability metric defined in Section 5, denoted by vul(x), which is the probability of recovering the system’s secret key when x compromised shareholders reveal their secret shares. In this example, we set x = k × t. As shown in Figure 10, NAC is proportional to vul(x), which means that vul(x) increases when the NAC increases. In other words, the system’s secret key is more easily compromised when there are more real servers in the network. For example, when NAC = 0.1, we have vul(x) = 6.19 × 10^-28, but when we set NAC = 0.87, vul(x) increases to 4.6 × 10^-5.

Figure 10. vul(x) versus NAC, N = 150,  = 150 m, x = k × t.

Finally, from Figures 10 and 9 we can note that the proportion of real servers to virtual servers determined by the NAC parameter is a tradeoff between robustness and availability. Increasing the number of real servers in the network provides high availability, and a node can construct its digital certificate within the QoS requirements or specified authentication delay time, but the security condition may not be satisfied. To enhance security, we have to reduce the number of real servers and increase the number of virtual servers. Therefore, the NAC is selected according to the required level of security and service latency.

We have shown through simulation results that our scheme provides significant improvement in terms of security and robustness for key management compared to the most popular key management schemes proposed in the literature. Furthermore, the simulation results also show that improving the security in our scheme does not substantially affect other aspects such as latency in the certification delivery. In fact, our cost measurements show that the computation overhead and the certification delays remain acceptable for typical scenarios of ad hoc networks.

As future work, we plan to evaluate the performance of the SRKM scheme by taking into account two additional parameters: limited wireless bandwidth and channel errors. These two parameters may have a significant impact on the performance of any key management scheme for MANETs. The impact of channel errors can be analyzed by considering the relation between certification failure rate and wireless channel error rate.

7. CONCLUSION

In this paper we have presented SRKM: a secure and robust key management scheme in order to provide a fully distributed certification service in ad hoc environments. We have based our design on the threshold cryptography technique. The main focus in our proposal is to enhance the robustness and security in key management against compromised nodes which might reveal the shared secret key of the service. The key management service must be able to securely accomplish certification operations in the presence of compromised nodes; the private key of the service remains unknown to all, even if the number of compromised nodes exceeds the threshold of vulnerability. In doing so, our technique exceeds existing threshold cryptography based schemes. Simulation results show the effectiveness and the security of our proposed scheme.

ACKNOWLEDGMENT

This research is supported by a research grant from the Natural Science and Engineering Council of Canada.

REFERENCES

1. Wu B, Wu J, Fernandez EB, Ilyas M, Magliveras S. Secure and efficient key management in mobile ad hoc networks. Journal of Network and Computer Applications 2007; 30(3): 937–954, http://dx.doi.org/10.1016/j.jnca.2005.07.008.
2. Anjum F, Mouchtaris P. Security for Wireless Ad Hoc Networks. Wiley Sons, 2007.
3. Menezes A, van Oorschot P, Vanstone S. Handbook of Applied Cryptography. CRC Press: Boca Raton, 1997.
4. Desmedt Y. Threshold cryptography. European Transactions on Telecommunications 1994; 5(4): 449–457.
5. Ostrovsky R, Yung M. How to withstand mobile virus attacks (extended abstract). PODC ’91: Proceedings of the tenth annual ACM symposium on Principles of distributed computing, ACM: New York, NY, USA, 1991; 51–59, http://doi.acm.org/10.1145/112600.112605.
6. Herzberg A, Jarecki S, Krawczyk H, Yung M. Proactive secret sharing or: how to cope with perpetual leakage. CRYPTO ’95: Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology, Springer-Verlag: London, UK, 1995; 339–352.
7. Zhou L, Schneider FB, Renesse RV. Apss: proactive secret sharing in asynchronous systems. ACM Transactions on Information System Security 2005; 8(3): 259–286, http://doi.acm.org/10.1145/1085126.1085127.
8. Zhou L, Haas Z. Securing ad hoc networks. Network IEEE 1999; 13(6): 24–30, 10.1109/65.806983.
9. Kong J, Zerfos P, Luo H, Lu S, Zhang L. Providing robust and ubiquitous security support for mobile ad-hoc networks. ICNP ’01: Proceedings of the Ninth International Conference on Network Protocols, IEEE Computer Society: Washington, DC, USA, 2001; 251–260.
10. Luo H, Kong J, Zerfos P, Lu S, Zhang L. Ursa: Ubiquitous and robust access control for mobile ad hoc networks. IEEE/ACM Transactions on Networking 2004; 12: 1049–1063.

11. Zhu B, Bao F, Deng RH, Kankanhalli MS, Wang G. Efficient and robust key management for large mobile ad hoc networks. Comput. Netw. 2005; 48(4): 657–682, http://dx.doi.org/10.1016/j.comnet.2004.11.023.
12. Raghani S, Toshniwal D, Joshi R. Dynamic support for distributed certification authority in mobile ad hoc networks. ICHIT ’06: Proceedings of the 2006 International Conference on Hybrid Information Technology, IEEE Computer Society: Washington, DC, USA, 2006; 424–432, http://dx.doi.org/10.1109/ICHIT.2006.127.
13. Pietro RD, Mancini LV, Zanin G. Efficient and adaptive threshold signatures for ad hoc networks. Electronic Notes in Theoretical Computer Science 2007; 171(1): 93–105, http://dx.doi.org/10.1016/j.entcs.2006.11.012.
14. Ghalwash A, Youssif A, Hashad S, Doss R. Self adjusted security architecture for mobile ad hoc networks (manets). 6th IEEE/ACIS International Conference on Computer and Information Science July 2007; 682–687, 10.1109/ICIS.2007.163.
15. Ho LK, Bum HS, Sook SH, Sun HC, Sangkeun L. Authentication protocol using threshold certification in hierarchical-cluster-based ad hoc networks. Journal of Information Science and Engineering 2007; 23(2): 539–567.
16. Ngai ECH, Lyu MR. An authentication service based on trust and clustering in wireless ad hoc networks: description and security evaluation. SUTC ’06: Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing Vol 1 (SUTC’06), IEEE Computer Society: Washington, DC, USA, 2006; 94–103, http://dx.doi.org/10.1109/SUTC.2006.26.
17. Čapkun S, Buttyán L, Hubaux JP. Self-organized public-key management for mobile ad hoc networks. IEEE Transactions on Mobile Computing 2003; 2(1): 52–64, http://dx.doi.org/10.1109/TMC.2003.1195151.
18. Hubaux JP, Buttyán L, Čapkun S. The quest for security in mobile ad hoc networks. MobiHoc ’01: Proceedings of the 2nd ACM international symposium on Mobile ad hoc networking & computing, ACM: New York, NY, USA, 2001; 146–155.
19. Zimmermann PR. The official PGP user’s guide. MIT Press: Cambridge, MA, USA, 1995.
20. Hamouid K, Adi K. Robust key management scheme for certification in mobile ad-hoc networks. 14th IEEE Symposium on Computers and Communications July 2009.
21. Shamir A. How to share a secret. Communication ACM 1979; 22(11): 612–613.
22. Digital signature standard (dss). National institute for standards and technology. 1998.
23. Li CM, Hwang T, Lee NY. Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders. Advances in Cryptology-EUROCRYPT, vol. 950, Springer-Verlag, 1994; 194–204.
24. Johnson DB, Maltz DA. Dynamic source routing in ad hoc wireless networks. Mobile Computing, Kluwer Academic Publishers, 1996; 153–181.
25. Hwang M LIC, Lu E. A practical (t, n) threshold proxy signature scheme based on the rsa cryptosystem. IEEE Transactions on Knowledge and Data Engineering 2003; 15(6).
