ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

Ad Hoc Networks xxx (2016) xxx–xxx

Contents lists available at ScienceDirect

Ad Hoc Networks

journal homepage: www.elsevier.com/locate/adhoc

Trust threshold based public key management in mobile ad

hoc networks

Jin-Hee Cho

a , ∗, Ing-Ray Chen

b , Kevin S. Chan

a Q1

a U.S. Army Research Laboratory, Adelphi, MD 20783, USA b Department of Computer Science, Virginia Tech, Falls Church, VA 22043, USA

a r t i c l e i n f o

Article history:

Received 5 October 2015

Revised 14 January 2016

Accepted 21 February 2016

Available online xxx

Keywords:

Public key management

Mobile ad hoc networks

Trust

Risk

Private key

Public key

Certificate authority

a b s t r a c t

Public key management in mobile ad hoc networks (MANETs) has been studied for sev-

eral decades. However, the unique characteristics of MANETs have imposed great chal-

lenges in designing a fully distributed public key management protocol under resource-

constrained MANET environments. These challenges include no centralized trusted enti-

ties, resource constraints, and high security vulnerabilities. This work proposes a fully dis-

tributed trust-based public key management approach for MANETs using a soft security

mechanism based on the concept of trust. Instead of using hard security approaches, as

in traditional security techniques, to eliminate security vulnerabilities, our work aims to

maximize performance by relaxing security requirements based on the perceived trust. We

propose a composite trust-based public key management (CTPKM) with the goal of max-

imizing performance while mitigating security vulnerability. Each node employs a trust

threshold to determine whether or not to trust another node. Our simulation results show

that an optimal trust threshold exists to best balance and meet the conflicting goals be-

tween performance and security, by exploiting the inherent tradeoff between trust and

risk. The results also show that CTPKM minimizes risk (i.e., information leakout) using an

optimal trust threshold while maximizing service availability with acceptable communi-

cation overhead incurred by trust and key management operations. We demonstrate that

CTPKM outperforms both existing non-trust-based and trust-based counterparts.

Published by Elsevier B.V.

1. Introduction 1

In resource-constrained mobile ad-hoc networks

Q2

2

(MANETs), it is inefficient to employ cryptographic tech- 3

niques for key management due to high computation and 4

communication overhead as well as network dynamics 5

that could require frequent key reassignments. In addi- 6

tion, the unique nature of MANETs does not allow any 7

centralized trusted certificate authority (CA) to deal with 8

all key management operations, including key generation, 9

∗ Corresponding author. Tel.: +1 571 232 3817.

E-mail addresses: jinhee.cho@us.army.mil , jinheechogwb@yahoo.com ,

jinheechogwb@gmail.com (J.-H. Cho), irchen@vt.edu (I.-R. Chen),

kevin.s.chan@us.army.mil (K.S. Chan).

distribution, update, and revocation. Essentially, it is in- 10

feasible to build a system using hard security approaches 11

(e.g., encryption or authentication techniques) to meet the 12

dual goals of performance (i.e., efficiency) and security 13

due to the inherent tradeoff. In this work, we take a soft 14

security approach by applying the concept of trust to meet 15

both performance and security requirements. 16

The concept of “trust ” originally is derived from so- 17

cial science and defined as the degree of a subjective be- 18

lief about the behaviors of a particular entity [1] . Blaze 19

et al. [2] first introduced the term “trust management ” 20

and identified it as a separate component of security ser- 21

vices in networks. They explained that “Trust management 22

provides a unified approach for specifying and interpret- 23

ing security policies, credentials, and relationships. ” Trust 24

http://dx.doi.org/10.1016/j.adhoc.2016.02.014

1570-8705/Published by Elsevier B.V.

Please cite this article as: J.-H. Cho et al., Trust threshold based public key management in mobile ad hoc networks, Ad

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

2 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

management in MANETs is needed when participating 25

nodes, without any previous interactions, desire to estab- 26

lish a network with an acceptable level of trust relation- 27

ships among themselves. 28

Trust management, including trust establishment, trust 29

update, and trust revocation, in MANETs is more challeng- 30

ing than in traditional centralized environments [3] . First 31

of all, collecting trust evidence to evaluate trustworthiness 32

is difficult due to topology changes caused by node mobil- 33

ity/failure. Further, resource constraints often confine trust 34

assessment process only to local information. The dynamic 35

nature and characteristics of MANETs result in uncertain, 36

incomplete trust evidence, which is continuously changing 37

over time [3,4] . Cho et al. [5] comprehensively surveyed 38

trust management in MANETs recognizing that trust orig- 39

inates from various domains including psychology, sociol- 40

ogy, economics, philosophy, organizational theory, and so 41

on. Cho et al. [5] suggested that the following properties be 42

considered when designing trust-based MANET protocols: 43

(1) potential risk; (2) context-dependency; (3) each party’s 44

own interest (e.g., utility/payoff based on rational selfish- 45

ness); (4) learning based on cognition/experience; and (5) 46

system reliability. 47

Trust management has diverse applicability in many 48

decision making situations including intrusion detection 49

[6,7] , authentication, access control, key management, iso- 50

lating misbehaving nodes for effective routing [6,8,9] , and 51

many other purposes [9] . In addition, the concept of mul- 52

tidimensional trust recently has been explored in network- 53

ing and computing research areas and applied in various 54

security services [6,7,10–13] . Bao et al. [6,7] proposed trust- 55

based secure routing and intrusion detection mechanisms 56

for wireless sensor networks by considering multiple di- 57

mensions of trust. Cho et al. [10,11] and Chen et al. [12] 58

proposed trust management protocols for MANETs or de- 59

lay tolerant networks considering multiple trust compo- 60

nents. However, the above works [6,7,10–12] did not con- 61

sider trust-based public key management while assuming 62

a pre-loaded private/public key pair in each node. Very re- 63

cently Mahmoud et al. [13] proposed trust-based secure 64

and reliable routing for heterogeneous multihop wireless 65

networks where competence and reliability of a node are 66

estimated and used to derive the node trust level that can 67

l. 68

d 69

- 70

y 71

d 72

t 73

s 74

75

- 76

77

78

79

80

81

82

83

84

85

aims to achieve: (a) resiliency against misbehaving nodes 86

in the network to maintain minimum security vulnerabil- 87

ity; (b) availability in service provision in the presence of 88

compromised nodes; and (c) efficiency in minimizing com- 89

munication overhead incurred by trust and key manage- 90

ment operations. CTPKM satisfies the requirements of self- 91

organized and distributed key management for MANETs 92

as discussed in [14] : (a) no single point of failure, i.e., 93

no trusted third party is required; (b) resilience with low 94

security vulnerability in the presence of hostile entities, 95

i.e., little exposure of a compromised key; (c) high ser- 96

vice availability, i.e., a sufficient number of valid, correct 97

public keys are kept in each node; and (d) scalability, i.e., 98

low communication overhead for obtaining a valid/correct 99

public key whose corresponding private key is not compro- 100

mised. 101

The contributions of our work are as follows: 102

1. Relative to existing non-trust-based distributed key 103

management algorithms for MANETs without using 104

a centralized trusted [15–19] , our contribution is to 105

develop a CTPKM that allows each node to make lo- 106

cal peer-to-peer trust assessment for distributed de- 107

cision making based on a composite trust metric. 108

We consider multiple dimensions of trust (i.e., com- 109

petence, integrity, and social contact) that are esti- 110

mated based on evidence derived from the charac- 111

teristics of communication, information, and social 112

networking in a MANET. This allows fast and safe 113

propagation of the keys to trustworthy nodes for 114

preserving quality-of-service (QoS). 115

2. Relative to existing trust-based distributed key man- 116

agement algorithms for MANETs without using a 117

centralized trusted CA [20–24] , our contribution is to 118

develop a threshold-based filtering mechanism that 119

can effectively exploit the inherent tradeoff between 120

trust and risk. The end result is that CTPKM is able 121

to identify the optimal trust threshold to be ap- 122

plied at runtime for differentiating trustworthy vs. 123

untrustworthy nodes to maximize key management 124

service availability. 125

3. We conduct a comprehensive performance analy- 126

sis comparing CTPKM with both non-trust-based 127

t 128

e 129

- 130

l 131

f 132

133

2 134

135

l 136

be used in routing decisions. However, Mahmoud et a

[13] assume the existence of a centralized offline truste

party to deal with public key management including is

suance, distribution, and update of a public/private ke

pair to nodes in the network. Our work uses distribute

peer-to-peer trust evaluation for public key managemen

using three trust dimensions capturing the unique aspect

of trust in a MANET.

In this paper, we propose a composite trust-based dis

tributed key management algorithm (CTPKM) for MANETs

without using a centralized trusted CA. Our approach falls

under the category of certificate-based public key man-

agement. The proposed protocol is designed to meet a re-

quired level of security (e.g., the fraction of valid, correct

and uncompromised public keys, and information risk) as

well as to meet performance requirements (e.g., service

availability and communication overhead), without relying

on trusted third parties such as CAs. The proposed protocol

s 137

l 138

e 139

140

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

and trust-based counterparts. We demonstrate tha

CTPKM outperforms a non-trust-based baselin

model and two existing trust-based key manage

ment schemes [20,21] , and can identify an optima

operational setting meeting dual conflicting goals o

performance and security.

The rest of the paper is organized as follows. Section

discusses related work. Section 3 describes the system

model including the attack model, trust model, protoco

description, and performance metrics. Section 4 conduct

a comparative performance analysis and reports numerica

results. Section 5 concludes our paper and suggests futur

work.

2. Related work 141

In this section, we discuss existing work in certificate- 142

based public key management for MANETs, and compare 143

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 3

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

a144

F145

( S146

cr147

p148

o149

p150

2151

152

q153

p154

b155

C156

in157

d158

159

p160

e161

li162

a163

th164

is165

tr166

ch167

is168

v169

e170

e171

o172

h173

p174

ca175

u176

o177

th178

C179

a180

w181

e182

is183

a184

p185

fo186

to187

H188

h189

a190

191

e192

st193

w194

ti195

p196

fe197

o198

ce199

e200

a201

w202

th 203

d 204

W 205

M 206

in 207

g 208

th 209

n 210

p 211

w 212

th 213

214

m 215

in 216

a 217

ti 218

o 219

n 220

w 221

tr 222

tr 223

o 224

to 225

lo 226

227

sc 228

n 229

o 230

to 231

C 232

to 233

a 234

235

C 236

p 237

m 238

fo 239

n 240

e 241

is 242

th 243

g 244

b 245

in 246

a 247

e 248

d 249

a 250

2 251

252

sh 253

cr 254

se 255

p 256

th 257

c 258

se 259

in 260

w 261

P

H

nd contrast them with our proposed CTPKM ( Section 2.1 ).

or completeness, we also survey identity-based

ection 2.3 ), threshold-based ( Section 2.2 ), certificate-less

yptography ( Section 2.4 ), and combined ( Section 2.5 )

ublic key management, and provide reasons why these

ther approaches ( Sections 2.2 –2.5 ) are not suitable for

ublic key management for MANETs.

.1. Certificate-based public key management

Certificate-based public key management approaches re-

uire public keys to be distributed where the receiving

arty should be able to authenticate the received key

ased on the certificate of the public keys. Thus, a trusted

A is required to deal with key management operations

cluding key generation, distribution, revocation, and up-

ate [25] .

For MANETs without trusted CAs, certificate-based ap-

roaches should operate in a self-organized way. Capkun

t al. [15] proposed a certificate-based self-organized pub-

c key management for MANETs by removing the need of

centralized trusted entity for key management. However,

e assumption of being able to create certificate graphs

unrealistic as MANETs suffer from unreliable wireless

ansmission, high security vulnerability, and dynamically

anging topologies. The criteria being used by a user to

sue a public-key certificate of another user are not pro-

ided, even though the existence of a public key is used as

vidence to trust another node. Further, the claimed ben-

fit of low communication cost in the presence continu-

us updates of certificate repositories of users in dynamic,

ostile MANETs is questionable. The authors [20,24] pro-

osed a two-step secure authentication protocol for multi-

st MANETs. In order to deal with key management, they

sed the highest trustworthy node as a CA and the sec-

nd highest trustworthy node as a backup CA. However,

e measurement of trust values is not clearly described.

hauhan and Tapaswe [16] proposed a key management

pproach for MANETs with no trusted third entity. This

ork employs a group leader as a CA to manage key gen-

ration and distribution. However, group leader selection

done randomly, without considering its trustworthiness

nd specific attack behaviors. Dahshan and Irvin [21] pro-

osed a certificate-based public key management scheme

r MANETs where trust is used as authentication metric

represent the assurance of obtaining a valid public key.

owever, this scheme generates high communication over-

ead and delay for a source to obtain a valid public key of

destination.

Huang and Wu [17] proposed a certificate path discov-

ry algorithm for MANETs based on the hierarchical PKI

ructure using multiple CAs with no specific trust frame-

ork. Huang and Nicol [18] proved that the shortest cer-

ficate chain does not guarantee the most trustworthy

ath to obtain the public key of a target node due to dif-

rent trustworthiness observed in each intermediate node

n the certificate chain. In order for public keys and their

rtificates to be managed by trustworthy CAs in the hi-

rarchical public key management structure, Xu et al. [24]

nd PushpaLakshimi et al. [22] used cluster heads as trust-

orthy CAs based on their trust in the system. However,

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

ese works [22,24] still reveal a single point of failure and

id not show specific trust models and attacks considered.

u et al. [19] proposed a key management protocol for

AENTs for efficiency in updating certificates and security

key revocation. They used a special group named “server

roup ” consisting of servers of multicast groups. However,

e selection algorithm of the servers in the server group is

ot discussed. Vinh et al. [23] employed a group head for

ublic key management in a group communication system

here the group head is selected based on trust. However,

is work does not detail the used trust mechanism.

Many studies used certificate-based public key manage-

ent. However, they have brought out practical limitations

cluding high communication overhead or delay [15,21] ,

nd using static trust [20,22–24] to select CAs. In addi-

on, hierarchy-based selection of CAs (e.g., group leaders

r cluster heads) [16–19] also reveals high security vul-

erabilities when the selected CAs are compromised. Our

ork differs from the above works in that we devise a

ust metric considering multiple dimensions of a node’s

ust and leverage it for decision making in the process

f key management and group communication in order

achieve system goals including high service availability,

w communication cost, and low risk.

Existing certificate-based public key management

hemes cited above expose practical limitations, including

eeding a centralized trusted CA [25] , high communication

verhead or delay [15,21] , and using static trust [20,22–24]

select CAs. In addition, hierarchy-based selection of

As (e.g., group leaders or cluster heads) [16–19] can lead

high security vulnerability when the selected CAs are

ttacked and compromised.

Unlike [25] our work does not use a centralized trusted

A. Unlike [16–19] cited above, our work uses a com-

osite trust specifically designed for public key manage-

ent. Peer-to-peer trust evaluation is dynamically per-

rmed over time upon interactions between entities. This

ovel design feature contributes to (1) detecting malicious

ntities that have been compromised over time; and (2)

suing/distributing a public/private key pair to only nodes

at maintain a certain level of trust. This feature also miti-

ates the security vulnerability issue suffered by hierarchy-

ased CA selection schemes [16–19] . Unlike [15,21] which

cur high communication overhead or delay, we develop

threshold-based filtering mechanism that can effectively

xploit the inherent tradeoff between trust and risk in or-

er to achieve system goals including high service avail-

bility, low communication cost, and low risk.

.2. Threshold public key cryptography

Shamir [26] proposed threshold cryptography based on

aring of secrets to generate a private key. In threshold

yptography , the private CA key is distributed over a set of

rver nodes through a ( k , n ) secret sharing scheme. The

rivate CA key is shared between n nodes in such a way

at at least k nodes must cooperate in order to sign the

ertificates. However, a central trusted CA exists to select

rvers as the coordinators for key management, result-

g in a single point of failure. In addition, the inherent

eakness of the secret sharing scheme is the substantial

public key management in mobile ad hoc networks, Ad

4 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

e 262

n 263

d 264

265

266

- 267

y 268

) 269

d 270

271

- 272

e 273

- 274

, 275

- 276

s 277

- 278

- 279

a 280

e 281

- 282

- 283

284

- 285

- 286

287

288

289

- 290

291

292

) 293

d 294

- 295

e 296

s 297

. 298

, 299

e 300

- 301

302

s 303

- 304

e 305

306

307

- 308

f 309

l. 310

d 311

o 312

- 313

e 314

315

l. 316

t 317

- 318

319

a 320

y 321

322

d 323

d 324

325

- 326

- 327

d 328

- 329

n 330

- 331

e 332

333

334

335

s 336

e 337

338

- 339

o 340

d 341

, 342

s 343

T 344

345

- 346

- 347

; 348

- 349

s 350

y 351

352

353

- 354

- 355

a 356

- 357

g 358

359

d 360

) 361

). 362

t 363

g 364

g 365

t 366

d 367

d 368

o 369

r 370

e 371

- 372

r 373

delay when the set of trustworthy server nodes cannot b

found to generate the private CA key [27,28] . Besides, whe

the CA is compromised, the whole system is compromise

[29] .

2.3. ID-based public key cryptography

Shamir [30] also proposed the concept of ID-based pub

lic key cryptography (ID-PKC) which generates a public ke

based on the ID of the node (e.g., IP or email address

and its corresponding private key generated by a truste

CA. The weakness of the ID-based scheme is well-known

as a key escrow problem which exposes high security vul

nerability when the trusted CA is compromised. To remov

the key escrow problem, several solutions have been pro

posed including ID-based authentication schemes [31,32]

secure private key generation using simple blinding tech

nique in pairing-based cryptography [33] . This approach i

popularly applied in resource-restricted network environ

ments [34] due to low communication overhead by reduc

ing the size of secret information (i.e., ID) to generate

public key. However, these works assumed the existenc

of a trusted entity (or entities) to issue or coordinate pub

lic/private key pairs. This reveals high security vulnerabil

ities when the trusted coordinators are compromised. In

particular, no trust evaluation is considered to reflect dy

namic status of trust in entities where a node can be com

promised over time.

2.4. Certificateless public key cryptography

To cope with the communication overhead incurred in

exchanging certificates, the concept of certificateless pub

lic key cryptography (CL-PKC) is introduced [35] . CL-PKC

is a variant of ID-PKC devised to prevent the key escrow

problem in ID-PKC. CL-PKC uses a trusted third party (TTP

which generates a partial private key to an entity base

on a master key and the entity’s ID. The entity then gen

erates its actual private key based on the partial privat

key provided by the TTP and its secret information. By thi

way the TTP cannot access the private key of an entity

Compared to traditional public key cryptographic systems

CL-PKC does not require the use of certificates to ensur

the authenticity of public keys, leading to less communica

tion cost generated. Due to this lightweight feature, CL-PKC

has been used for securing MANETs [36–38] . However, thi

cryptography reveals security vulnerability in that an at

tacker can fake a user’s public key because the part of th

user’s public key is from the user’s random secret value.

2.5. Hybrid public key management

Some researchers proposed hybrid public key man

agement mechanisms that combine the features o

multiple schemes to meet the requirements. Sun et a

[39] combined ID-based key management with threshol

cryptography without using a centralized third party t

deal with key management. Xu et al. [24] combined cer

tificateless public key cryptography which eliminates th

key escrow problem with threshold cryptography which

does not require a centralized third party. Zhang et a

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

[36] proposed an ID-based key management scheme tha

combines ID-based cryptography with threshold cryp

tography to enhance security and reduce communication

cost for key management. Li and Liu [40] also proposed

hybrid key management scheme combining ID-based ke

management and threshold cryptography.

All the hybrid schemes cited above [24,36,39,40] coul

not completely remove the need of a centralized truste

authority because ID-PKC has an inherent escrow problem

and the threshold cryptography requires a trusted third au

thority to select trustworthy multiple key servers that gen

erate the secret shares of a private CA key. If the truste

entity is compromised, the entire system will be vulner

able. In addition, the use of threshold cryptography ca

cause a high delay when generating a key because a suf

ficient number of multiple trustworthy servers may not b

available in dynamic MANETs.

3. System model

We consider a MANET with no centralized trusted CA

that deals with public key management. Nodes are device

carried by a human entity (e.g., a soldier carrying mobil

devices), modeled with heterogeneous characteristics with

different monitoring capability, which affects detection er

rors, group join/leave rates, and different trust levels. T

reflect real human mobility patterns in a MANET, we use

CRAWDAD human mobility trace data collected by KAIST

Daegeon, Korea [41] . In the mobility data set, the location

of 92 human nodes over the university campus of KAIS

were traced by GPS readings per 30 s for a day.

In this work, a public key may have the following sta

tus:: (1) valid/invalid : a key that is expired or not yet ex

pired; (2) correct/incorrect : a key that is genuine or fake

and/or (3) uncompromised/compromised : a key whose cor

responding private key is compromised or not. The statu

of the public key can belong to more than one categor

among three while each category gives a binary status.

3.1. Attack model

We assume if a node is compromised, the node can per

form random attacks [6] with an attack intensity probabil

ity ( P a ) to evade detection. Attack intensity is modeled by

probability parameter, P a , specifying the frequency of trig

gering attacks by an attacker. We consider the followin

attacks in MANETs:

• Packet dropping : A node may drop a packet receive

due to the nature of selfishness (e.g., to save energy

or maliciousness (e.g., to interrupt service availability

This is detected by overhearing to see if a packe

sent to a neighbor for forwarding is actually bein

forwarded. It is not possible to tell if packet droppin

is a problem of competence or integrity. Given tha

there are many attack behaviors that can be detecte

by our protocol design to attribute to integrity, to avoi

double-count we simply attribute packet dropping t

competence. If a node drops packets and the behavio

is observed by a neighbor, this neighbor will decreas

the misbehaving node’s direct competence trust. Fur

thermore, this neighbor when acting as a recommende

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 5

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

4 4 4

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

te 473

T 474

a 475

3 476

3 477

478

u 479

in 480

481

482

483

484

485

486

487

488

489

490

491

P

H

will propagate a negative recommendation to other

nodes as indirect evidence against the misbehaving

node. See Section 3.2.3 for the detail of peer-to-peer

trust estimation based on the aggregation of both

direct and indirect evidence.

• Private key compromise : A node’s private key compro-

mise can occur in the two ways: (1) when the node

itself is compromised and passes its private key to

other compromised nodes or outside attackers to leak

confidential information out; and (2) when a public

key certifier (called a neighborhood trustworthy cer-

tifier, denoted as NTC, to be defined in Section 3.3.1 )

is compromised and leak out a private/public key pair

of the victim node to outside attackers. The outside

attackers can impersonate the victim and obtain access

to confidential information that should be shared

only by group members. This attack can be detected

based on majority voting in our protocol design (see

Section 3.3.3 ). When a private key compromise attack

is detected, the public/private key pairs of the victim

or compromised node will be denounced. If an at-

tacker continues to use the denounced public/private

key pairs, it will be detected and the detection will

attribute to lowering the attacker’s trust in integrity.

Using the trust threshold, a node will decide whether

to believe the received public key is valid, correct,

and/or compromised based on the perceived trust of

the source sending the compromised public key.

• Message modification/forgery : A node may modify/forge

a message received, hindering effective communication,

and/or accurate trust assessment. This attack occurs

when the attacker possesses the private key of the re-

ceiver due to private key compromise. However, when

the corresponding private key compromise attack is de-

tected (explained above), the public/private key pairs

of the sender will be denounced. If an attacker con-

tinues to use the private key to do message modifica-

tion/forgery attack, it will be detected and the detection

will attribute to lowering trust in integrity.

• Fake identity/impersonation : A node may use a fake

identity or multiple identities (i.e., Sybil attack) to

break information confidentiality in communications

between two entities. In particular, a node can imper-

sonate as a victim node whose private key is compro-

mised by distributing the public key and the certificate

of the victim node to its neighbors in order to attract

the victim node’s packets to it. However, when the cor-

responding private key compromise attack is detected

(explained above), the public/private key pairs of the

victim node will be denounced. If an attacker contin-

ues to use the private/public key pairs to do fake iden-

tity attack, it will be detected and the detection will at-

tribute to lowering trust in integrity.

• Fake recommendation dissemination : A node may give a

bad recommendation for a good node while giving a

good recommendation for a bad node in order to de-

ter accurate trust evaluation/decision making. In our

trust metric, recommendations are used as indirect ev-

idence which may be delivered through multiple hops

in MANETs. The correctness of the recommendations is

ensured by unanimous agreement of the intermediate

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

nodes based on their opinions towards the previous for-

warding node (i.e., whether the node is lying or not) in

the route in which the opinions are tagged in the main

message delivered. The receiver can detect fake infor-

mation dissemination attack by checking if there is a

negative opinion for an intermediate node on the path.

If yes, this detection will attribute to low trust in in-

tegrity (see Section 3.2.3 for more details).

• Denial-of- service (DoS) : A malicious node can generate

unnecessary traffic to interrupt service provision in the

system. We considered the DoS attack within the key

management framework. Specifically, a malicious node

can keep requesting public keys of other nodes even if

it already has their valid public keys. Since only trust-

worthy nodes based on the trust threshold criterion are

able to issue, distribute, and obtain key pairs, this DoS

attack can consume network resources to increase de-

lay of system operations, and reduce service availability.

This attack is countermeasured by using a trust thresh-

old for intermediate nodes to ignore public key requests

generated from a node whose trust level is below the

threshold, thus effectively throttling DoS attacks.

• Whitewashing : A malicious node may leave a network

and come back later with a new reputation. In our trust

management protocol, all new nodes joining a network

will start with a trust value of ignorance (i.e., 0.5),

when other nodes assess their trust upon join. For a

new node joining the network, it is allowed to interact

with other nodes to accrue reputation from other nodes

with a given warming-up period. If after this period,

the new node does not reach the trust threshold, it will

be isolated from group activities and cannot obtain a

valid key pair. Once a new node accrues its reputation

over time through interactions with other nodes or ob-

servations by direct neighbors, the increased trust en-

ables the new node to participate in key management

operations.

We summarize how each attack is detected and coun-

rmeasured by the design features of CTPKM in Table 1 .

able 2 summarizes the attack behaviors during the oper-

tion of our key management protocol.

.2. Trust model

.2.1. Dimensions of trust

We consider three trust components to capture the

nique aspects of trust in a MANET with communication,

formation and social networking:

• Competence (C) refers to an entity’s capability to serve

requests in terms of a node’s cooperativeness and avail-

ability. Availability may be affected by network condi-

tions such as link failure, energy depletion, and volun-

tary or involuntary disconnection (i.e., leaving the net-

work). This is measured by the ratio of the number of

positive experiences to the total experiences in packet

forwarding.

• Integrity (I) is the honesty of an entity in terms of at-

tack behaviors discussed in Section 3.1 except packet

dropping behavior. This is measured by the number of

public key management in mobile ad hoc networks, Ad

6 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

echanis

nodes

based o

nodes

based o

the own

te/publi

vered th

of positi

the pat

e same

trust is

wing a

trust (0

e node’

492

493

- 494

e 495

d 496

- 497

f 498

s 499

e 500

s 501

502

- 503

a 504

d 505

k 506

e 507

h 508

c 509

g 510

t 511

c 512

513

- 514

- 515

f 516

n 517

518

519

- 520

d 521

e 522

523

- 524

- 525

s 526

e 527

- 528

529

e 530

t 531

- 532

- 533

. 534

535

)

536 )

e 537

- 538

y 539

y 540

541

)

Table 1

Attack behavior, detection, and countermeasures.

Attack behavior Detection

Packet dropping Overhearing by a monitoring m

pre-installed in each node

Private key compromise Majority voting by neighboring

the private key compromise

attacker’s integrity

Message modification/forgery Majority voting by neighboring

the private key compromise

attacker’s integrity

Fake identity/Impersonation Checking the integrity of both

issuer (i.e., NTC) of the priva

on trust threshold, T th Fake recommendation

dissemination

A recommendation packet deli

have unanimous agreement

by all intermediate nodes on

Denial-of- service Receiving a large amount of th

from a node whose integrity

Whitewashing After a warming-up period allo

node started with ignorance

interact with other nodes, th

not reach T th

Table 2

Attack behavior for operations.

Operation Attack behavior

Trust assessment Fake information dissemination,

message modification, packet

dropping

Key issuance by a

malicious key

generator

Private key compromise

Public key distribution Compromised public key distribution,

fake identity

Public key request

delegation

Packet dropping, message modification,

identity impersonation

Forwarding a requested

public key

Message modification/forgery by

forwarding a fake public key

Network join Whitewashing

positive experiences over the total experiences related

to protocol compliance.

• Social contact (SC) is defined based on a node’s inher

ent sociability derived from the trust profile availabl

a priori as well as dynamic social behavior measure

by the number of nodes that a node encounters dur

ing a trust update interval T u over the total number o

nodes in the network. If an entity has high SC, it i

more likely to disseminate information quickly to th

network, compared to the ones with low SC. An entity’

mobility pattern will affect this trust component.

In this work, trust is used for making decisions, includ

ing obtaining a certificate of a public key, distributing

public key, requesting a public key of a target node, an

providing a public key requested. The reasons we pic

the above three trust components are (1) with competenc

trust , we assure fast propagation of public keys; (2) wit

integrity trust , we increase the probability that publi

keys propagated are valid/correct with the correspondin

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

Countermeasure

m Lowering direct trust in competence by

neighboring nodes (direct evidence); propagation

of low competence to other nodes via

recommendations (indirect evidence)

who detect

n the

Lowering the attacker’s integrity by neighboring

nodes

who detect

n the

Lowering the attacker’s integrity; propagation of

the low integrity via recommendations

er and

c keys based

Lowering the culprit’s integrity; propagation of the

low integrity via recommendations

at does not

ve opinions

h

The recommendation is discarded; lowering the

attacker’s integrity; propagation of the low

integrity via recommendations

requests

below T th

Lowering the attacker’s integrity by neighboring

nodes; propagation of the low integrity via

recommendations

new joining

.5) to

s trust does

The new joining attacker with trust less than T th cannot have a valid pair of its own private/public

key

private key uncompromised; and (3) with social contac

trust , we increase the probability of finding a valid publi

key from nodes having good social networking.

Henceforth, we denote the trust values of node i to

wards node j in trust component X ’s ( = competence, in

tegrity, and social contact) at time t by the notations o

T C i, j

(t) , T I i, j

(t) , and T SC i, j

(t) . We follow the trust computatio

model in our prior work [10] to assess T X i j

(t) at time t .

3.2.2. Objective trust

We assume that a node’s trust profile is available, de

scribing its inherent behavior patterns that can be scale

in [0, 1]. In this work, we generate a node’s initial averag

trust value, called its trust seed, from U ( GB , 1), where U

is a random real number generator function based on uni

form distribution with the lower and upper bounds as in

put and GB is the lower bound for good behavior. There i

a separate trust seed for each trust component X , wher

X = C, I or SC for competence, integrity, or social con

tact respectively. Let S X i

denote the trust seed drawn from

U ( GB , 1) for trust component X of node i . Let P X i (t) be th

actual trust seed drawn from U(S X i

− P d , S X i

+ P d ) at time

with S X i

being the mean and P d being the standard devi

ation of a node’s average behavior from its actual behav

ior to account for behavior variation as a function of time

Then,

P X i (t) = min [ U(S X i − P d , S X i + P d ) , 1] (1

S X i = U(GB, 1) for X = C, I or SC (2

Let T I i (t) denote the “ground truth ” objective trust of nod

i at time t . For X = C (for competence), we have to ac

count for node availability. Hence, T C i (t) is calculated b

the product of P C i (t) with P r , where P r is the link reliabilit

considered for competence trust at time t , as follows:

T C (t) = P C (t) P r (3

i i

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 7

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

For X = I (for integrity), T I i (t) = P I

i (t) if node i is not com- 542

promised at time t . If node i is compromised at time t , 543

T I i (t) depends on how often node i preforms attacks. We 544

assume that a compromised node will perform random at- 545

tacks (on-off attacks) with probability P a (attack intensity) 546

to evade detection. If the compromised node does not per- 547

form attack at time t , its integrity trust T I i (t) is equal to 548

P I i (t) because it is not detectable. If the compromised node 549

performs attack at time t , its integrity trust T I i (t) is decre- 550

mented by P a from the past trust value T I i (t − �t) with a 551

lower bound of zero. Note that in CTPKM, we notate �t 552

with a trust update interval, T u . Summarizing above, for a 553

compromised node, T I i (t) is given by: 554

T I i (t) =

{P I

i (t) if node i / ∈ C

max [ T I i (t − �t) − P a , 0] if node i ∈ C

(4)

Here C is the set of malicious nodes performing attack at 555

time t and �t is the periodic trust update interval T u . In 556

our experiment, we set the percentage of nodes to be com- 557

promised at t = 0 based on P c to test the resiliency of our 558

protocol against increasing malicious node population. 559

Lastly when X = SC (for social contact), we have to ac- 560

count for node dynamic social behavior, so T SC i

(t) is given 561

by the product of P SC i

(t) with ρN

e i (t) , where N

e i (t) is the 562

number of encounters to node i as 1-hop neighbors during 563

the previous T u , and ρ is , as follows: 564

T SC i (t) = ρP SC

i (t ) N

e i (t ) . (5)

3.2.3. Subjective trust 565

Node j ’s trust values for component X ’s evaluated by 566

node i is computed based on the aggregation of both direct 567

and indirect evidences. Trust of node j (trustee: trusted 568

party) evaluated by node i (trustor: trusting party) in trust 569

component X is: 570

if ( ∣∣R j

∣∣ > 0) ∧ (HD (i, k ) ≥ T C) (6)

571 T X i, j (t) = αT D −X

i, j (t) + (1 − α) T ID −X

i, j (t) ;

572 else T X i, j (t) = γ T X i, j (t − �t) ;T

i573

T i

574

1575

co576

a577

ce578

p579

io580

b581

tr582

o583

584

tr585

w586

ti587

im588

lo589

o590

w591

already examined in [10] . The correctness of the recom- 592

mendations is ensured by referring to direct opinions of re- 593

ferral recommenders (forwarding the original recommen- 594

dation) attached to the original message with any detec- 595

tion error of the intermediate nodes forwarding the rec- 596

ommendation [10] . 597

In (6) , α and 1 − α are the weights for direct and indi- 598

rect evidence respectively where α is set between 0 and 599

1. We observe that when the weight ( α) for direct evi- 600

dence is low, high trust accuracy is observed, or vice-versa. 601

This is because only correct recommendations based on 602

unanimous agreement by all intermediate nodes passing 603

the recommendation are used as indirect evidence while 604

new direct evidence cannot be collected easily due to node 605

mobility. When no correct recommendations are received 606

from recommenders k ’s located within TC hops from node 607

i and this is detected by node i based on the direct opin- 608

ions of intermediate nodes attached to the recommenda- 609

tion, trust decays with a decay factor γ over �t , the peri- 610

odic trust update interval T u . However, due to the collusion 611

of compromised nodes, detection errors can be introduced 612

and false recommendations may be considered. In the trust 613

metric used in this work, the false detection can be mini- 614

mized by requiring the unanimous agreement of all inter- 615

m 616

ti 617

618

j 619

T i

620

T i

W 621

H 622

c 623

e 624

m 625

e 626

o 627

n 628

P i

w 629

n 630

P i

P 631

ρ 632

1 633

n 634

635

c 636

T i

P

H

D −X , j

(t) is direct trust based on direct observations and

ID −X , j

(t) is indirect trust based on recommendations from

-hop neighbors of node j . R j is a set of recommendations

rrectly received from node j ’s 1-hop neighbors. The avail-

bility of recommendations (| R j | > 0) is affected by the re-

ipt of the correct recommendations that are affected by

acket dropping behaviors and integrity (i.e., attack behav-

rs) of a node. HD ( i , k ) is the number of hop distances

etween nodes i and k where node i is a requestor (the

ustor) and node k is a 1-hop neighbor and recommender

f node j (the trustee).

In order for the new indirect evidence to be used for

ust update, recommender node k for node j should exist

ithin TC hops from node i and the correct recommenda-

on should arrive safely at node i where TC is the max-

um number of hop distances, called a trust chain, al-

wed to collect recommendations from 1-hop neighbors

f node j . We will use the optimal TC identified in this

ork, but do not investigate this in detail because this is

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

ediate nodes about the correctness of the recommenda-

on delivered.

The direct trust (based on direct observations) of node

evaluated by node i on trust component X at time t , D −X , j

(t) , is computed as:

D −X , j

(t) =

{P D −X

i, j (t) if HD (i, j) == 1

γ T X i, j

(t − �t) otherwise (7)

hen nodes i and j encounter as 1-hop neighbors (i.e.,

D (i, j) == 1 ) during the time period (t − �t) , node i can

ollect direct evidence based on its own observations or

xperiences P D −X i, j

(t) . When nodes i and j are distant with

ore than 1 hop distances, node i relies on its past experi-

nce to assess the direct trust of node j . P D −X i, j

(t) for X = C

r I is computed based on the positive experience over the

egative experience associated with X as:

D −X , j

(t) =

{r

r+ s if r + s > 0

0 otherwise (8)

here r is the number of positive experiences and s is the

umber of negative experiences.

D −SC , j

(t) =

{ρP SC

j (t) N

e j

0 otherwise (9)

SC j

(t) is given from the available trust profile and N

e j

and

are explained in (5) ; N

e j

can be directly observed by

-hop neighbors of node j . Note that 1-hop neighbors of

ode j are to forward recommendations to node i .

The indirect trust of node j evaluated by node i on trust

omponent X at time t , T ID −X i, j

(t) , is obtained by:

ID −X , j

(t) =

⎧ ⎨

⎩

∑

k ∈ R j T X

k, j (t)

| R j | if | R j | > 0

γ T X i, j

(t − �t) otherwise

(10)

public key management in mobile ad hoc networks, Ad

8 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

j | 637

o 638

t, 639

- 640

- 641

642

o 643

a 644

s 645

- 646

- 647

648

649

f 650

o 651

y 652

, 653

- 654

n 655

656

657

e 658

- 659

- 660

e 661

d 662

p 663

) 664

e 665

s 666

667

- 668

669

e 670

- 671

s 672

673

e 674

675

676

t 677

y 678

t 679

e 680

681

e 682

y 683

684

n 685

y 686

t 687

a 688

r 689

ll 690

s 691

s 692

d 693

694

n 695

a 696

o 697

a 698

o 699

- 700

o 701

e 702

e 703

e 704

l 705

- 706

. 707

r 708

. 709

- 710

d 711

e 712

- 713

- 714

ll 715

716

717

e 718

o 719

o 720

e 721

722

723

)

f 724

r 725

y 726

s 727

728

y 729

f 730

t 731

- 732

- 733

a 734

- 735

n 736

737

- 738

d 739

- 740

741

)

e 742

e 743

r 744

n 745

- 746

e 747

will check the trustworthiness of the NTC in integrity trust 748

When node i receives correct recommendations with | R

> 0, node i uses the average of the recommendations t

derive the overall indirect trust. If R i is an empty se

node i will use its past experience T X i, j

(t − �t) , with de

cay weighted by γ , due to no correct recommendations re

ceived.

In this work, we use a trust threshold, T th , for a node t

make a routing decision with the goal of safe delivery of

message without being modified by untrustworthy node

on a path the message travels [8] . This mechanism is ap

plied when a recommendation is delivered from recom

menders for a trustee to a trustor.

3.3. Composite trust-based public key management

In this section, we discuss the core operations o

CTPKM as illustrated by Fig. 1 . Each mobile entity is able t

communicate with other entities using public/private ke

pairs obtained through CTPKM. Given a trust threshold T tha node will assume a certain amount of risk to communi

cate with another node whose trust level is no less tha

T th .

3.3.1. Key generation

In CTPKM, each node generates its own public/privat

key pairs periodically but the key pair should be certi

fied by a trusted third party which generates the certifi

cate of the public key. Since CTPKM does not assume th

existence of a trusted third party, each node needs to fin

the most trustworthy third party node among its 1-ho

neighbors, called neighborhood trustworthy certifier (NTC

which can certify the self-issued private/public keys. Th

reason a node chooses NTC among its 1-hop neighbor

is due to resource constraint and security vulnerability in

MANETs which do not allow trusted third parties. This cer

tification process mitigates a compromised node to obtain

its public/private key because NTC issues the certificat

only when the requesting node is evaluated as trustwor

thy based on whether NTC’s trust in the requesting node i

no less than a given trust threshold. Now we discuss how

NTC issues a certificate to a node requesting the certificat

of its public/private key pair.

3.3.2. Public key certificate issuance

Each node i asks NTC m , a node having the highest trus

value among i ’s 1-hop neighbors, to certify the public ke

it generates. The minimum condition to be an NTC is tha

the NTC must have at least a trust value no less than th

given trust threshold ( T th ) for integrity trust (i.e., T I i,m

(t) ≥T th ). Thus, if i cannot find any 1-hop neighbors who hav

a trust value no less than T th , it cannot obtain a valid ke

pair.

After an NTC, m , receives i ’s request for the certificatio

of i ’s key pair, it decides whether to issue the public ke

certificate based on i ’s trustworthiness, in integrity trus

using T th (i.e., T I m,i

(t) ≥ T th ). That is, there should be

mutual trust relationship between a certificate requesto

and an issuer in integrity trust. The requesting node i wi

not be able to obtain the certificate of its public key if it

integrity trust level is below T th . Recall that trust value

are dynamically changing over time. The trust threshol

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

T th affects the protocol performance as follows. If a low

T th is used, even a relatively untrustworthy node ca

issue and certify the public key to others. As a result,

malicious NTC can disseminate many fake public keys s

as to generate unnecessary communication, resulting in

waste of network resources. Besides, a malicious NTC wh

generates the private key can perform private key com

promise attacks and intercept information which is sent t

the originally intended recipient. If either the NTC or th

victim node of the public key is compromised, then th

compromised NTC or the victim node can leak the privat

key to other attackers as well. Hence, using an optima

trust threshold for all decisions associated with key man

agement is critical to mitigating the security vulnerability

NTC also issues an expiration time of the new key pai

where the expiration time-stamp is part of the certificate

A node updates its public/private key pair when the expi

ration time is reached or when its private key is detecte

as compromised. Intuitively, the longer the expiration tim

the lower the security, revealing high security vulnerabil

ity. However, the longer expiration time allows lower com

munication cost. We assume a fixed expiration time for a

nodes’ certified key pairs in this work.

3.3.3. Public key distribution

After a node obtains its public key certificate, the nod

disseminates the public key along with the certificate t

a subset of its 1-hop neighbors whose trust values are n

less than T th for all three trust components. That is, nod

i will disseminate its public key packet to a neighbor m

which should meet the following conditions:

T X i,m

(t) ≥ T th (11

where T X i,m

(t) , with X = C, I or SC , is a measured trust o

node m evaluated by node i for competence, integrity, o

social contact trust, respectively. Node i also periodicall

disseminates its public key to its current 1-hop neighbor

who satisfy the above conditions.

Since nodes are mobile, if a node has a high mobilit

rate, it may have more chances to obtain public keys o

other nodes (being affected by the degree of social contac

trust), and vice-versa. Selecting the right set of neighbor

ing nodes is critical to revealing less security vulnerabil

ity while obtaining uncompromised public keys. When

public key is distributed to a compromised node, the com

promised node may perform a data forgery or modificatio

attack by forwarding a fake pubic key.

When node i disseminates its public key and the certifi

cate to a subset of 1-hop neighbors based on (11) (calle

“trustworthy 1-hop neighbors ” hereafter), the packet con

sists of the following items:

[ C NT C i K i,pub

, K i,pub ] (12

C NT C i K i,pub

is the certificate of node i ’s public key signed by th

NTC’s digital signature including the information on th

node ID (node i ), the NTC’s ID, and expiration time fo

the valid period of the public key. Note that the notatio

NTC i is the NTC who issues the certificate of node i ’s pub

lic key and K i , pub is node i ’s public key. The receiving nod

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 9

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

anagem

w749

co750

ta751

ci752

ch 753

it 754

(1 755

n 756

P

H

Fig. 1. Distributed key m

ith T th to ensure the authenticity of K i , pub . If the NTC is

mpromised, it can perform a private key compromise at-

ck by leaking the private key generated to other mali-

ous nodes. Integrity trust check of the NTC minimizes the

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

ent process in CTPKM.

ance of this attack. Node i distributes this information to

s selected 1-hop neighbors in the clear, in as specified in

2) , because node i may not know the public keys of its

eighbors upon entry. This may reveal the vulnerability to

public key management in mobile ad hoc networks, Ad

10 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

message forgery attacks by which a malicious node may 757

intercept the information and send a fake key and certifi- 758

cate to the intended receivers. To minimize this vulnera- 759

bility, our protocol design ensures the authenticity of the 760

disseminated public key and certificate via the agreement 761

of the receivers towards the opinions of the authenticity of 762

the key pair based on a majority voting mechanism (i.e., if 763

the majority of voters agree, then the public key and cer- 764

tificate are considered authentic). Unless more than a ma- 765

jority of the receivers are compromised, this ensures the 766

authenticity of the received key and certificate. We con- 767

sider the extra communication overhead caused by this au- 768

thenticity check in our performance metric. 769

Some nodes may not have the public key of a particu- 770

lar node it wants to communicate with because it has not 771

encountered the node as a 1-hop neighbor. In this case, 772

a node can request the target node’s public key from its 773

trustworthy 1-hop neighbors based on (11) . If any of the 774

trustworthy 1-hop neighbors ( m ) has the public key of the 775

target node (TN), then it will provide the public key to 776

node i . Whether or not to provide the public key of the TN 777

depends on m ’s assessment toward node i (requestor) in 778

integrity trust (i.e., T I m,i

(t) ≥ T th ). If node m decides to pro- 779

vide the public key of TN, the returning message includes 780

the following items: 781

[ C NT C TN

K TN,pub , K T N,pub , ID m

] K i,pub (13)

Node m returns the public key of the TN, K TN , pub , the 782

TN’s public key certificate C NT C TN K TN,pub

, and its ID ( ID m

). The 783

message is encrypted by K i , pub , the public key of node i . 784

When the requestor receives this message, it will save the 785

public key of TN if m satisfies (11) . 786

If m does not have the public key of the TN, it will for- 787

ward the request message to its trustworthy 1-hop neigh- 788

bors ( m

′ ’s) that meet (11) . The delegated request message 789

has the following format: 790

[ C NT C i K i,pub

, K i,pub , ID T N ] K m ′ ,pub (14)

C NT C i K i,pub

is the public key certificate of node i , certified 791

by the NTC of node i , NTC i . ID TN is the ID of the TN, and 792

K m

′ ,pub is the public key of node m

′ who is a trustworthy 793

1-hop neighbor of m . Node m

′ receiving the delegated re- 794

quest message from m decrypts the message with its pri- 795

vate key, checks if it has the public key of the TN, and 796

checks if the requestor, node i , passes the integrity test 797

(i.e., T I m

′ ,i (t) ≥ T th ). If yes, then it sends the public key of 798

TN to the original requestor (node i ) by a returning mes- 799

sage following the format specified in (13) . 800

If an intermediate node forwarding the request message 801

is uncooperative, the request message can be dropped; 802

therefore, many nodes may not have valid public keys. A 803

malicious 1-hop neighbor may even provide incorrect pub- 804

lic keys. Therefore, the trust threshold ( T th ) affects how 805

many valid, correct and uncompromised public keys a 806

- 807

f 808

- 809

- 810

811

and mitigating security vulnerability (reducing the use of 812

a compromised public key). In CTPKM, when a trustwor- 813

thy intermediate node that meets (11) has a valid public 814

key of the TN, it can provide the public key of the TN to 815

the requestor. This reduces communication overhead sig- 816

nificantly in key distribution. 817

Key revocation and update : The private/public keys of 818

a node will be revoked after the valid period expires. Since 819

the certificate includes the information on expiration time, 820

key revocation due to time expiration will be implicitly 821

known to other nodes in the network. Before the valid pe- 822

riod is past, a node’s 1-hop neighbors can serve as veri- 823

fiers and apply majority voting to detect if the node’s pri- 824

vate key is compromised. If a verifier had once interacted 825

with another node claiming it to be the target node, then 826

the verifier suspects the target node’s private key has been 827

compromised, and will vote against it. If the private key 828

is deemed compromised (when the majority of the neigh- 829

bors vote against it), the node, being as the owner of the 830

private key, must notify the key compromise event to all 831

nodes in the network. We consider the extra communica- 832

tion overhead caused by this key revocation procedure in 833

our performance metric. If the owner of the key itself is 834

compromised and does not disseminate the key compro- 835

mise message, its neighbors will decrease the trust value 836

of the node to hinder the node from reissuing a new pub- 837

lic/private key pair. In CTPKM, if a node does not main- 838

tain a certain level of trust, it cannot obtain the certificate 839

of its public key. Therefore, there is a very low chance for 840

an untrustworthy node to issue its public key with a valid 841

certificate. 842

3.4. Metrics 843

To examine the impact of attack intensity and ratio of 844

attackers on trust accuracy, we define the following metric: 845

• Trust bias ( B

X ) refers to the difference (absolute value) 846

between ground truth trust values and estimated trust 847

values in trust property X . In this paper, we apply the 848

optimal trust chain length ( TC ) protocol design [10] ex- 849

plained in Section 3.2 to minimize the trust bias. Given 850

the optimal TC , the trust bias of node j evaluated by 851

node i is measured by: 852

B

X = | T X i (t) − T X i, j (t) | (15)

T X i

(t) indicates the ground truth trust value of node i 853

in trust component X , as explained in Section 3.2.2 . The 854

measured trust of node i evaluated by node j , T X i, j

(t) , is 855

computed in Equations (6) –( 10 ). 856

CTPKM is built on top of the optimal TC protocol design 857

and is measured by the following performance metrics: 858

• Fraction of correct public keys ( F) refers to the aver- 859

age number of valid, correct and uncompromised public 860

keys kept in each node over the total number of mem- 861

ber nodes in the network, computed by: 862

)

- 863

node can use. In our proposed CTPKM, we show there ex

ists an optimal T th under which a sufficient number o

valid, correct and uncompromised public keys are gen

erated while reducing communication overhead (not for

warding the public key requests to untrustworthy nodes)

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

F =

∑ LT t=0

∑

i ∈ M

∑

j ∈ M, j � = i K i, j (t)

| M|| M − 1 | LT (16

where K i, j (t) = 1 if node i has the valid, correct and un

compromised public key of node j ; 0 otherwise. M is a 864

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 11

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

865

866

867

868

869

870

871

872

873

874

875

876

877

878

879

880

881

882

883

884

885

886

887

888

889

890

891

892

893

894

895

896

897

898

899

900

901

902

903

904

905

906

4907

908

si909

sc910

T911

a912

4 913

914

u 915

th 916

m 917

a 918

id 919

d 920

in 921

ta 922

a 923

a 924

d 925

926

w 927

K 928

9 929

d 930

A 931

1 932

w 933

o 934

b 935

936

a 937

o 938

tr 939

li 940

c 941

ti 942

in 943

p 944

in 945

a 946

p 947

o 948

h 949

e 950

(i 951

a 952

P 953

e 954

955

p 956

W 957

g 958

c 959

o 960

to 961

o 962

o 963

d 964

4 965

966

e 967

b 968

p 969

o 970

P

H

set of legitimate members in the network. The entire

mission time is denoted as LT (lifetime).

• Service availability ( A ) refers to the ratio of the aver-

age time period that a node’s valid, correct and uncom-

promised public key is kept by other nodes over the en-

tire session time, calculated by:

A =

∑

i ∈ M

∑

j ∈ M, j � = i A i, j

| M|| M − 1 | LT (17)

where A i , j is the time duration node i has the valid,

correct and uncompromised public key of node j . This

metric implies how much time each node keeps an-

other node’s valid, correct and uncompromised public

key during the entire session time.

• Information risk ( R ) indicates the average number of

packet transmissions using a compromised public key

during the entire session, LT . Consider that each node

sends a message to another node for which it keeps the

public key in every group communication interval ( T g ).

The information risk exposed by sending messages us-

ing a compromised public key is computed by:

R =

T g

LT

LT ∑

t=0

∑

i ∈ M

∑

j ∈ C, j � = i R i, j (t) (18)

where R i, j (t) = 1 if node i keeps a compromised pub-

lic key of node j ; 0 otherwise. C is the set of legiti-

mate members whose private keys are compromised. If

a node’s private key is detected as compromised, the

node is prohibited from group communication until its

key is re-issued.

• Communication cost ( C) counts the number of hop

messages per time unit (i.e., second ) caused by CTPKM,

computed by:

C =

∑ LT t=0 C total (t)

LT (19)

with

C total (t) = C te (t) + C km

(t) + C gc (t)

C km

(t) = C ki (t) + C kd (t) + C kr (t)

C te ( t ) is the number of hop messages caused by trust

evaluation accounting for the cost for each node to pe-

riodically (in every T u ) disseminate the trust values of

its 1-hop neighbors to nodes located within the trust

chain length ( TC ) [10] . C km

( t ) is the number of hop mes-

sages caused by key management. C gc ( t ) is the cost for

group communication by all member nodes. C km

( t ) con-

sists of three cost components: key issuance ( C ki ( t )), key

distribution ( C kd ( t )), and key revocation ( C kr ( t )). C kd ( t )

includes the cost for a public key to be distributed

to trustworthy 1-hop neighbors and requesting nodes,

and the cost for authenticating the public key by 1-hop

neighbors.

. Simulation results

This section shows numerical results obtained from

mulation. We first explain the experimental setup and

hemes to be compared against the proposed CTPKM.

hen we conduct a comparative performance experiments

nd demonstrate numerical results with analysis.

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

.1. Experimental setup

Our simulation is conducted using an event driven sim-

lator SMPL [42] . Table 3 gives the set of parameters and

eir default values for defining the simulation environ-

ent. We use the optimal trust chain length (i.e., T C = 4 )

nd (α, γ ) = (0 . 1 , 0 . 95) where α is a weight for direct ev-

ence, 1 − α is a weight for indirect evidence, and γ is a

ecay factor. This setup environment is used for maximiz-

g trust accuracy (or minimizing trust bias) while main-

ining acceptable communication overhead due to trust

ssessment. The optimal TC and ( α, γ ) parameter settings

re determined following our prior work [10,43] and the

etail is not repeated here.

To model the mobility patterns of nodes in a MANET,

e use CRAWDAD human mobility traces collected by

AIST [41] with N = 92 nodes. To ensure the availability of

2 nodes’ mobility data, we take the initial 4 h of mobility

ata in order to trace available locations of all 92 nodes.

node may leave or join the network with the interval of

/μ = 4 h and 1 /λ = 1 h, respectively. Due to sparse net-

ork connectivity, we scale down the operational area in

rder for nodes to have a sufficient level of interactions

ased on the radio range given ( R = 250 m ).

Initial values for each trust component are seeded with

random variable selected from the range in [ GB , 1] based

n uniform distribution where GB is the lower bound. The

ust values are also affected by network conditions and

nk reliability ( P r ) in competence and the number of en-

ountered entities by node j (N

e j ) in social contact. The ini-

al estimated trust value at time t = 0 is set to 0.5, imply-

g ignorance (complete uncertainty). We report the im-

act of key design parameters on the four metrics defined

Section 3.4 . We vary three key design parameters to ex-

mine their effects: (1) the trust threshold ( T th ); (2) the

ercentage of compromised nodes ( P c ); and (3) the degree

f the attack intensity ( P a ). In order to model attackers’ be-

aviors in Section 3.1 , P c and P a are the key design param-

ters. If a node is selected as compromised based on P c .e., P c fraction of nodes is compromised), it will perform

ny attacks described in Section 3.1 with the probability

a . The scenarios that a malicious node performs attack are

xplained in detail in Section 3.1 .

We allow a 30 min warm-up period ( T w

) for peer-to-

eer trust evaluation to reach a sufficiently accurate level.

e use a 5 min trust update interval ( T u ) and a 2 min

roup communication interval ( T g ). For group communi-

ations among legitimate member nodes, each node sends

ut a packet to all nodes whose public keys are available

it. Each data point shown is based on the average of 50

bservations of performance data collected during the 4 h

f simulation time. All results are shown with 95 % confi-

ence interval (CI) for each data point.

.2. Schemes for performance comparison

We compare CTPKM with a baseline scheme and two

xisting schemes. The baseline scheme is a non-trust-

ased key management which follows all key management

rocedures in CTPKM except for trust management. The

ther two existing schemes are selected from the class of

public key management in mobile ad hoc networks, Ad

12 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

s well, u

is a we

gement

vior, cal

yment t

m its ac

d 971

s 972

973

974

975

s 976

977

e 978

- 979

- 980

f 981

982

d 983

d 984

. 985

f 986

g 987

988

989

- 990

991

t 992

e 993

994

t 995

, 996

ll 997

e 998

- 999

10 0 0

d 1001

e 1002

t 1003

e 1004

d 1005

g 1006

1007

s 1008

d 1009

1010

n 1011

n 1012

- 1013

f 1014

s 1015

t 1016

1017

n 1018

c 1019

e 1020

s 1021

- 1022

- 1023

- 1024

e 1025

t 1026

- 1027

t 1028

o 1029

d 1030

e 1031

- 1032

s 1033

c 1034

- 1035

o 1036

1037

1038

1039

- 1040

- 1041

- 1042

1043

1044

n 1045

n 1046

Table 3

System parameters and default values.

Parameters Meaning

GB Lower bound of the probability that a node behave

α A weight to consider direct evidence while (1 − α)

γ A trust decay factor

T th Trust threshold used in the operations of key mana

TC Length of a trust chain

P a Probability that an attacker exhibits malicious beha

T w Warm up period in the beginning of network deplo

T u Trust update interval

ρ A constant to normalize the social contact trust

LT The total simulation time

T g Group communication time interval

P r Probability that a link is reliable for transmission

P c Percentage of compromised nodes in a network

R Wireless radio range

N Total number of nodes in a network

1/ λ Average time interval a node joins a network

1/ μ Average time interval a node leaves a network

P d Standard deviation of a node’s average behavior fro

certificate-based public key management [20,21] , discusse

in Section 2.1 . The two existing key management protocol

are selected for performance comparison against CTPKM

for the following reasons:

• The two existing key management schemes fall within

the class of certificate-based public key management a

CTPKM for fair performance comparison.

• As CTPKM, both schemes use the concept of trust as th

basis of decision making such as selecting a trustwor

thy CA [20] and authenticating the certificate of a pub

lic key of a target node based on the web of trust o

intermediate nodes in the certificate path [21] .

• Chang and Kuo’s work [20] represents a centralize

public key management with the existence of a truste

party as is often assumed in many existing works

Dahshan and Irvin’s work [21] follows the concept o

the web of trust as is often used in many existin

works to ensure accurate trust assessment of entities in

traditional security services such as PGP.

We explain how they are implemented in detail as fol

lows:

• Trust-based back-up CA/CA key managemen

(TBA/CA) [20] : This work uses trust to select th

CA and back-up CA (BCA) for key management in

MANETs. We tailor it to fit the network environmen

targeted in this work for fair comparison. In TBA/CA

the most trustworthy node with the highest overa

trust value (assuming an equal weight for the thre

trust components) becomes the CA and the next high

est trustworthy node becomes the BCA. When the CA

is leaving, the BCA takes the role of the new CA an

accordingly a new BCA is selected. Like CTPKM, th

trust metric is based on the combination of direc

and indirect evidence. However, the indirect evidenc

used in this scheme is based on the derived measure

trust with all nodes (except the target node) servin

as the recommenders. This is in contrast to CTPKM

which uses only 1-hop neighbors of the target node a

the recommenders where indirect evidence is derive

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

Value

sed in deriving ground truth trust, P X i

0.8

ight to consider indirect evidence 0.1

0.95

and group communication 0.3

4

led attack intensity 0.5

o establish initial trust 30 min

5 min

5

4 h

2 min

0.99

20%

250 m

92

1 h

4 h

tual behavior accounting for behavior variation over time 0.05

based on the recommender’s direct experience in

order to avoid any impact of compromised nodes o

the source of indirect recommendation [10] . Also i

TBA/CA, the CA maintains all key pairs and dissemi

nates a key pair to the intended owner regardless o

the status of the owner node (whether the node i

compromised or not). We apply equal weight to direc

and indirect evidence.

• Key management in web of trust (KMiWoT) [21] : I

this scheme, each node issues a pair of private/publi

keys and gets a certificate issued by a neighbor nod

who believes there is a binding between this node’

ID and its public key. To compute the trust of a tar

get node, a node first finds a certificate chain of pub

lic keys, the last of which is the public key of the tar

get node under trust evaluation. Then the trust valu

of the target node is computed by the product of trus

values of the intermediate nodes on the path of the cer

tificate chain. Essentially trust in KMiWoT means trus

in the certificate authenticating a public key belongs t

a particular node. A node can obtain the authenticate

public key of a target node via two ways: (1) the nod

itself issues a certificate to the target node who had re

quested its public key to be certified; (2) the node find

a certificate chain leading to the target node’s publi

key. Trust estimation relies on the existence of a cer

tificate chain to obtain authenticated public keys. If n

certificate chain is found, trust will not be updated.

4.3. Comparative performance analysis

In this section, we compare the performance of CTPKM

with non-trust-based and trust-based counterparts includ

ing NTB, TBA/CA [20] , and KMiWoT [21] under varying pa

rameter values including trust threshold ( T th ), the percent

age of compromised nodes, and attack intensity ( P a ).

4.3.1. Effect of trust threshold

First we examine the impact of a trust threshold T th o

the trust bias and four performance metrics as discussed i

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 13

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

( T th ) on

S1047

tr1048

a1049

fe1050

1051

tr1052

tu1053

≈1054

ti1055

is 1056

p 1057

c 1058

is 1059

p 1060

d 1061

th 1062

is 1063

fr 1064

P

H

Fig. 2. Effect of trust threshold

ection 3.4 . In Fig. 2 , we compare the performance of three

ust-based approaches, CTPKM, KMiWoT, and TBA/CA as

ll trust-based schemes use a trust threshold as a design

ature.

Fig. 2 (a) shows trust bias in competence ( B C ) of three

ust-based schemes. When T th < 0.4, B C is somewhat fluc-

ating but the overall performance is ordered as CTPKM

TBA/CA > KMiWoT. The high inaccuracy of trust estima-

on in KMiWoT is because peer-to-peer trust estimation

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

trust bias and performance.

only possible when each node has the certificate of a

eer’s public key. In KMiWoT, a node can issue a certifi-

ate of a peer’s public key only when the peer’s trust value

higher than a given trust threshold. Thus, if a node’s

ublic key certificate is not available, trust cannot be up-

ated. In addition, when two nodes are apart with more

an 1-hop distance, the trust of a trustor toward a trustee

calculated based on the sum of trust values obtained

om multiple paths (if available) where each trust value is

public key management in mobile ad hoc networks, Ad

14 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

computed based on the product of trust values of all in- 1065

termediate nodes on the path [21] . Under a highly dy- 1066

namic environment such as MANETs, a path between two 1067

nodes may not exist. In addition, even if there exists any 1068

path between two distant nodes, the product of trust val- 1069

ues of all intermediate nodes can decay trust values too 1070

quickly, which leads to high inaccuracy of trust estimation 1071

(i.e., high trust bias) in KMiWoT as shown in Fig. 2 (a). The 1072

trends of the trust biases in the other two dimensions are 1073

similar, thus we do not show them due to space constraint. 1074

In Fig. 2 (b), we compare the fraction of correct pub- 1075

lic keys ( F) of the three trust-based key management 1076

schemes under varying T th . KMiWoT performs comparably 1077

or better than CTPKM and TBA/CA under T th ≤ 0.2. When 1078

T th > 0.2, the performance order is as CTPKM > TBA/CA > 1079

KMiWoT. In particular, it is noticeable that KMiWoT crashes 1080

when T th > 0.3 because of high trust bias. The low perfor- 1081

mance of TBA/CA compared to CTPKM is because TBA/CA 1082

does not filter recommendations (i.e., indirect trust evi- 1083

dence) while CTPKM only uses recommendations filtered 1084

from trustworthy sources based on T th . In Fig. 2 (c), we 1085

compare service availability ( A ) performances of the three 1086

schemes. Similar to the trends observed in Fig. 2 (b), when 1087

T th > 0.3, the performance order is observed as CTPKM > 1088

TBA/CA > KMiWoT due to high trust bias in KMiWoT and 1089

unfiltered recommendations used in TBA/CA. 1090

In Fig. 2 (d), we compare the performance of the three 1091

schemes in information risk ( R ). In all cases, lower infor- 1092

mation risk is observed as T th increases because a high 1093

trust threshold only allows public key generation and dis- 1094

tribution of highly trustworthy nodes. When T th > 0.1, we 1095

observe significantly high performance of CTPKM in infor- 1096

mation security, compared to the other two schemes, with 1097

the performance order of CTPKM ≥ KMiWoT > TBA/CA. 1098

TBA/CA shows the highest information risk because it can- 1099

not deal with the case that a CA or back-up CA is com- 1100

promised. KMiWoT also shows a higher information risk 1101

than CTPKM because of high trust bias. In Fig. 2 (e), we 1102

compare the communication overhead ( C) of the three 1103

schemes and observed the performance order of KMi- 1104

WoT > CTPKM > TBA/CA. Although KMiWoT performs the 1105

best among three in C, its performances in F and A are 1106

very low, which offsets the merit of KMiWoT compared to 1107

CTPKM. 1108

For the next two sections, we vary the percentage 1109

of compromised nodes, P c , and the degree of attack in- 1110

tensity, P a , and investigate their impact on the perfor- 1111

mance metrics. In order to use the same trust thresh- 1112

old in all schemes for fair comparison, we chose 0.3 as 1113

the trust threshold even though an optimal trust thresh- 1114

old can be differently selected in each scheme. We set 1115

P a = 0 . 5 and P c = 0 . 2 unless they are varied for sensitivity 1116

1117

1118

e 1119

, 1120 ) 1121

- 1122

1123

- 1124

ble to TBA/CA because more compromised nodes will deter 1125

each node from obtaining accurate trust evidence. We ob- 1126

serve that KMiWoT performs the worst among three due 1127

to the way of trust estimation using excessive trust decay 1128

over space and a lack of paths existing between nodes that 1129

have each other’s public key certificates. In Fig. 3 (b), we 1130

compare the fraction of correct public keys ( F) of the three 1131

trust-based schemes and one non-trust based scheme. The 1132

performance order is NTB > CTPKM > TBA/CA ≈ KMiWoT. 1133

Although NTB performs the best among three in this met- 1134

ric, it loses its advantage because it incurs high informa- 1135

tion risk (see Fig. 3 (d)). Compared to the performance of 1136

TBA/CA and KMiWoT, CTPKM performs significantly bet- 1137

ter with the minimum information risk exposed. Fig. 3 (c) 1138

shows the performance comparison of the four schemes 1139

in service availability ( A ) with the performance order of 1140

CTPKM ≥ NTB ≈ KMiWoT > TBA/CA overall. With the same 1141

reason discussed in Fig. 2 (d) and (e), the performance or- 1142

der in information risk ( R ) is as CTPKM > KMiWoT > 1143

TBA/CA > NTB in Fig. 3 (d) while the performance order 1144

in communication cost ( C) is KMiWoT > NTB > CTPKM > 1145

TBA/CA in Fig. 3 (e). KMiWoT incurs the least communica- 1146

tion overhead because it leverages the existence of public 1147

key certificates for trust estimation which does not intro- 1148

duce extra communication overhead. Also, it does not per- 1149

form trust assessment in the absence of the public key cer- 1150

tificates. 1151

4.3.3. Effect of attack intensity 1152

Lastly this section demonstrates the performance of the 1153

four schemes as the attack intensity, P a , varies. In Fig. 4 (a), 1154

we observe a similar trend of trust bias in competence 1155

of the three trust-based schemes like Fig. 3 (a), with the 1156

performance order of CTPKM ≥ TBA/CA > KMiWoT. In 1157

Fig. 4 (a), as the attack intensity ( P a ) increases, CTPKM sig- 1158

nificantly outperforms its trust-based counterparts partic- 1159

ularly when P a > 0.4. When P a ≤ 0.4, TBCA/BA performs 1160

better than CTPKM because TBCA/BA uses more trust ev- 1161

idence at the expense of a high communication overhead 1162

(since it uses recommendations from all nodes in the net- 1163

work) and can achieve a high accuracy of trust estimation 1164

when the attack intensity is low. On the other hand, when 1165

the attack intensity is high, P a > 0.4, it helps CTPKM accu- 1166

rately estimate trust because an attacker will consistently 1167

exhibit the same bad behavior. 1168

In Fig. 4 (b), the trends of performance comparison in 1169

F are similar to those in Fig. 3 (b). However, one noticeable 1170

difference is that NTB drops its performance with the high- 1171

est attack intensity, 1, because NTB has no defense feature 1172

against high attack intensity. This is also clearly supported 1173

by the highest information risk ( R ) in NTB with the high- 1174

est attack intensity, as observed in Fig. 4 (d). 1175

d 1176

- 1177

- 1178

r 1179

o 1180

1181

- 1182

, 1183

g 1184

analysis.

4.3.2. Effect of percentage of compromised nodes

This section shows the performance comparison of th

four schemes as the percentage of compromised nodes

P c , varies. Fig. 3 (a) shows trust bias in competence ( B C

for the three trust-based schemes. In Fig. 3 (a), as P c in

creases, more compromised nodes exist in the network. In

this case, CTPKM performs better than or at least compara

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

The performance trends in information risk ( R ) an

communication overhead ( C) in Fig. 4 (c) and (e) are sim

ilar to those in Fig. 3 (c) and (e). With DoS attacks, a com

promised node can keep requesting public keys of othe

nodes even if it already has their public keys in order t

increase traffic which can waste the network resource. A

trust-based key management scheme would make a de

cision for key management operations such as issuance

distribution, request, and update based on the requestin

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 15

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

ed nod

n1185

C1186

n1187

q1188

p1189

in1190

a1191

su1192

n1193

T1194

c 1195

ti 1196

1197

se 1198

si 1199

th 1200

te 1201

g 1202

p 1203

in 1204

P

H

Fig. 3. Effect of percentage of compromis

ode’s trust. Therefore, an accurate trust protocol such as

TPKM can ignore requests issued from “untrustworthy ”

odes, thereby effectively thwarting DOS attacks. Conse-

uently, CTPKM is relatively insensitive to the increased

ercentage of compromised nodes P c or increased attack

tensity P a in communication cost as shown in Figs. 3 (e)

nd 4 (e), respectively. However, a non-trust-based scheme

ch as NTB will serve all requests even from compromised

odes because it does not use trust for decision making.

his causes a significant traffic increase as P c or P a in-

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

es ( P c ) on trust bias and performance.

reases, as demonstrated in Figs. 3 (e) and 4 (e), respec-

vely.

In TBA/CA and KMiWoT, we do not observe much

nsitivity of the performance over varying attack inten-

ty. Although KMiWoT has slightly better performance

an CTPKM in information risk when the attack in-

nsity is high, the information risk ( R ) of KMiWoT in

eneral is too high. A reason is that KMiWoT performs

oorly in the fraction of correct public keys ( F), as shown

Fig. 4 (b).

public key management in mobile ad hoc networks, Ad

16 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

Fig. 4. Effect of attack intensity ( P a ) on trust bias and performance.

5. Conclusions 1205

- 1206

- 1207

e 1208

1209

o 1210

y 1211

- 1212

- 1213

t 1214

1215

The design of the proposed trust metric and trust- 1216

based key management scheme properly reflects the de- 1217

- 1218

: 1219

d 1220

d 1221

y 1222

r 1223

- 1224

a 1225

- 1226

n 1227

In this paper, we proposed a CTPKM for MANETs. Con

sidering three different trust dimensions, namely, compe

tence, integrity, and social contact, CTPKM enables a nod

to make decisions while interacting with others based on

their trust levels. We devised four performance metrics t

analyze the impact of our trust threshold based public ke

management design on security vulnerability (i.e., informa

tion risk), availability (i.e., fraction of valid, correct and un

compromised public keys and service availability), and cos

(i.e., communication cost).

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

sirable properties of trustworthy systems for MANET envi

ronments [5] discussed in Section 2 in the following way

(1) the use of a trust threshold adjusts potential risk an

thus mitigates the impact of risk; (2) trust is measure

based on node behavioral evidence in the context of ke

management; (3) a node decides whether to trust othe

nodes in the process of key management operations in or

der to maximize the distribution of valid public keys; (4)

node learns other nodes’ trust over time based on past ex

perience in addition to new evidence; and (5) our desig

d public key management in mobile ad hoc networks, Ad

14

J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx 17

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

enhances both security and performance, leading to a high 1228

system reliability. 1229

We conducted a comparative performance analysis of 1230

our proposed CTPKM against a counterpart non-trust- 1231

based scheme and two existing trust-based key manage- 1232

ment schemes. We found that CTPKM with a trust thresh- 1233

old design to filter untrustworthy messages or operations 1234

can minimize security vulnerability while achieving high 1235

availability, without incurring high communication cost. In 1236

this work, we assumed a single threshold for node trust- 1237

worthiness classification. As a future work direction, we 1238

plan to investigate more sophisticated fuzzy failure crite- 1239

ria as in [44–46] to further enhance CTPKM performance. 1240

Acknowledgments 1241

This work is supported in part by the U.S. Army Re- 1242

search Laboratory and the U.S. Army Research Office un- 1243

der contract no. W911NF-12-1-0445. This research was also 1244

partially supported by the Department of Defense (DoD) 1245

through the office of the Assistant Secretary of Defense 1246

for Research and Engineering (ASD (R&E)). The views and 1247

opinions of the author(s) do not reflect those of the DoD 1248

or ASD (R&E). 1249

References 1250

[1] K.S. Cook, Trust in society, Russell Sage Foundation Series on Trust, 1251 vol. 2, New York, 2003. 1252

[2] M. Blaze, J. Feigenbaum, J. Lacy, Decentralized trust management, Q3 1253 in: Proceedings of IEEE Symposium on Security and Privacy, 1996, 1254 pp. 164–173. 1255

[3] L. Eschenauer, V.D. Gligor, J. Baras, On trust establishment in mobile 1256 ad hoc networks, in: Proceedings of 10th International Security Pro- 1257 tocols Workshop, Cambridge, UK, vol. 2845, 2002, pp. 47–66. 1258

[4] J.S. Baras, T. Jiang, Managing trust in self-organized mobile ad hoc Q4 1259 networks, in: Proceedings of 12th Annual Network and Distributed 1260 System Security Symposium Workshop, San Diego, CA, 2005. 1261

[5] J.-H. Cho, A. Swami, I.-R. Chen, A survey of trust management in mo- 1262 bile ad hoc networks, IEEE Commun. Surv. Tutor. 13 (4) (2011) 562–1263 583. 1264

[6] F. Bao, I.-R. Chen, M. Chang, J.-H. Cho, Trust-based intrusion detec- 1265 tion in wireless sensor networks, in: IEEE International Conference 1266 on Communication, Kyoto, Japan, 2011, pp. 1–6. 1267

[7] F. Bao, I.-R. Chen, M. Chang, J.-H. Cho, Hierarchical trust manage- 1268 ment for wireless sensor networks and its applications to trust- 1269 based routing and intrusion detection, IEEE Trans. Netw. Service 1270 Manag. 9 (2) (2012) 161–183. 1271

[8] I.-R. Chen, F. Bao, M. Chang, J.-H. Cho, Trust management for 1272 encounter-based routing in delay tolerant networks, in: IEEE Global 1273 Communications Conference, Miami, Florida, USA, 2010, pp. 1–6. 1274

[9] R.B. Bobba, L. Eschenauer, V. Gligor, W. Arbaugh, Bootstrapping 1275 security associations for routing in mobile ad hoc networks, in: 1276 IEEE Global Communications Conference, San Francisco, CA, 2003, 1277

1278 [11279

1280 1281

[11282 1283 1284

[11285 1286 1287

[11288 1289 1290

[11291 1292 1293

[15] S. Capkun, L. Buttya, J.-P. Hubaux, Self-organized public-key manage- 1294 ment for mobile ad hoc networks, IEEE Trans. Mobile Comput. 2 (1) 1295 (2003) 52–64. 1296

[16] K.K. Chauhan, S. Tapaswe, A secure key management system in 1297 group structured mobile ad hoc networks, in: 2010 IEEE Interna- 1298 tional Conference on Wireless Communications, Networking and In- 1299 formation Security, Beijing, China, 2010, pp. 307–311. 1300

[17] H. Huang, S.F. Wu , An approach to certificate path discovery in mo- Q5 1301 bile ad hoc networks, in: 1st ACM Workshop on Security of Ad Hoc 1302 and Sensor Networks, 2003. 1303

[18] J. Huang, D. Nicol, A calculus of trust and its application to PKI and 1304 identity management, in: ACM 8th Symposium on Identity and Trust 1305 on the Internet, Gaithersburg, MD, USA, 2009. 1306

[19] B. Wu, J. Wu, E. Fernandez, S. Magliveras, Secure and efficient key 1307 management in mobile ad hoc networks, in: Proceedings of 19th 1308 IEEE International Parallel and Distributed Processing Symposium, 1309 Denver, CO, 2005. 1310

[20] B.-J. Chang, S.-L. Kuo, Markov chain trust model for trust-value anal- 1311 ysis and key management in distributed multicast MANETs, IEEE 1312 Trans. Vehic. Technol. 58 (5) (2009) 1846–1863. 1313

[21] H. Dahshan, J. Irvin, A robust self-organized public key management 1314 for mobile ad hoc networks, Secur. Commun. Netw. 3 (1) (2010) 16– 1315 30. 1316

[22] R. PushpaLakshmi, A. Kumar, R. Rahul, Mobile agent based compos- 1317 ite key management scheme for MANET, in: 2011 International Con- 1318 ference on Emerging Trends in Electrical and Computer Technology, 1319 Tamil Nadu, India, 2011, pp. 964–969. 1320

[23] N.V. Vinh, M.-K. Kim, H. Jun, N.Q. Tung, Group-based public- 1321 key management for self-securing large mobile ad-hoc networks, 1322 in: International Forum on Strategic Technology, 2007, pp. 250– 1323 253. 1324

[24] L. Xu, X. Wang, J. Shen, Strategy and simulation of trust cluster 1325 based key management protocol for ad hoc networks, in: 4th Inter- 1326 national Conference on Computer Science and Education, Nanning, 1327 China, 2009, pp. 269–274. 1328

[25] S. Kent, Privacy Enhancement for Internet Electronic Mail: Part II: 1329 Certificate-Based Key Management, Technical Report, Network Work- 1330 ing Group, 1993. 1331

[26] A. Shamir, How to share a secret, Commun. ACM 22 (1979) 612–613. 1332 [27] Y.G. Desmedt, Threshold cryptography, Eur. Trans. Telecommun. 5 (4) 1333

(1994) 449–458. 1334 [28] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEE Netw. Mag. 13 (6) 1335

(1999) 24–30. 1336 [29] H. Dahshan, J. Irvine, A trust based threshold cryptography key man- 1337

agement for mobile ad hoc networks, in: IEEE 70th Vehicular Tech- 1338 nology Conference, Anchorage, AK, USA, 2009, pp. 1–5. 1339

[30] A. Shamir, Identity-based cryptosystems and signature schemes, in: 1340 CRYPTO’84, 1984, pp. 47–53. 1341

[31] A. Boudguiga, M. Laurent, Key-escrow resistant ID-based authentica- 1342 tion scheme for IEEE 802.11s mesh networks, in: IEEE Wireless Com- 1343 munications and Networking Conference (WCNC’11), 2011, pp. 784– 1344 789. 1345

[32] A. Boudguiga, M. Laurent, An EAP ID-based authentication method 1346 for wireless networks, in: International Conference for Internet 1347 Technology and Secured Transactions (ICITST’11), 2011, pp. 232– 1348 239. 1349

[33] Z. Zhao, Z. Zhao, X. Tang, Y. Liu, A new ID-based blind signature from 1350 bilinear pairings, in: IET International Conference on Wireless, Mo- 1351 bile and Multimedia Networks, 2006, pp. 1–4. 1352

[34] F.R. Yu, H. Tang, P.C. Mason, F. Wang, A hierarchical identity based 1353 key management scheme in tactical mobile ad hoc networks, IEEE 1354 Trans. Netw. Service Manag. 7 (4) (2010) 258–267. 1355

[35] S.S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, 1356 in: 9th International Conference on the Theory and Application of 1357

1358 [3 1359

1360 1361

[3 1362 1363 1364 1365

[3 1366 1367 1368 1369

[3 1370 1371 1372

P

H

pp. 1511–1515. 0] J.-H. Cho, A. Swami, I.-R. Chen, Modeling and analysis of trust man-

agement with trust chain optimization in mobile ad hoc networks, J.

Netw. Comput. Appl. 35 (3) (2010) 1001–1012. 1] J.-H. Cho, M. Chang, I.-R. Chen, A. Swami, Trust Management VI, IFIP

Advances in Information and Communication Technology, vol. 374, Springer, Berlin Heidelberg, pp. 52–67.

2] I.-R. Chen, F. Bao, M. Chang, J.-H. Cho, Dynamic trust management for delay tolerant networks and its application to secure routing,

IEEE Trans. Parallel Distrib. Syst. 25 (5) (2014) 120–1210.

3] M. Mahmoud, X. Lin, X. Shen, Secure and reliable routing protocols for heterogeneous multihop wireless networks, IEEE Trans. Parallel

Distrib. Syst. 26 (4) (2015) 1140–1153. 4] E.D. Silva, A.D. Santos, L. Albini, M. Lima, Identity-based key manage-

ment in mobile ad hoc networks: Techniques and applications, IEEE

Wireless Commun. 15 (5) (2008) 46–52.

lease cite this article as: J.-H. Cho et al., Trust threshold based

oc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.014

Cryptology and Information Security, vol. 2894, 2003, pp. 452–473. 6] Y. Zhang, W. Liu, W. Lou, Y. Fang, Securing mobile ad hoc networks

with certificateless public keys, IEEE Trans. Depend. Secure Comput.

3 (4) (2006) 386–399. 7] A .M. Arokiaraj, A . Shanmugam, ACS: An efficient address based cryp-

tography scheme for mobile ad hoc networks security, in: Inter- national Conference on Computer and Communication Engineering,

2008, pp. 52–56. 8] Y. Zhang, W. Liu, W. Lou, Y. Fang, Y. Kwon, AC-PKI: anonymous and

certificateless public-key infrastructure for mobile ad hoc networks,

in: IEEE International Conference on Communications (ICC’05), vol. 5, 2005, pp. 3515–3519.

9] H. Sun, X. Zheng, Z. Deng, An identity-based and threshold key man- agement scheme for ad hoc networks, in: International Conference

on Networks Security, Wireless Communications and Trusted Com-

puting, Wuhan, Hubei, China, 2009, pp. 520–523. 1373

public key management in mobile ad hoc networks, Ad

18 J.-H. Cho et al. / Ad Hoc Networks xxx (2016) xxx–xxx

ARTICLE IN PRESS

JID: ADHOC [m3Gdc; March 5, 2016;13:51 ]

- 1374 ) 1375

1376 - 1377

Q6 1378

s 1379 1380

- 1381 c 1382

1383 - 1384 ) 1385

1386 - 1387 - 1388

1389 - 1390 ) 1391

1392

e 1393 e 1394 e 1395 s 1396 e 1397 . 1398 - 1399 r 1400 p 1401 n 1402 - 1403 - 1404 e 1405 e 1406 e 1407 e 1408 n 1409

1410

e 1411 d 1412 e 1413 - 1414 e 1415 e 1416 y, 1417 - 1418 y 1419 s 1420 - 1421 d 1422 a 1423 tt 1424 e 1425

1426

- 1427 1428

d 1429 r- 1430 e 1431 l 1432 . 1433 - 1434 h 1435 - 1436 - 1437 g 1438 - 1439

r- 1440 1441

[40] L.-C. Li, R.-S. Liu, Securing cluster-based ad hoc networks with distributed authorities, IEEE Trans. Wireless Commun. 9 (10) (2010

3072–3081. [41] Dartmouth University, Mobility traces data from crawdad (a commu

nity resource for archiving wireless data at Dartmouth). [42] M.H. MacDougall, Simulating Computer Systems, Computer System

Series, The MIT Press, 1987.

[43] J.-H. Cho, I.-R. Chen, P. Feng, Effect of intrusion detection on reliability of mission-oriented mobile group systems in mobile ad ho

networks, IEEE Trans. Reliab. 59 (1) (2010) 231–241. [44] I.-R. Chen, F. Bastani, Effect of artificial-intelligence planning

procedures on system reliability, IEEE Trans. Reliab. 40 (3) (1991364–369.

[45] F.B. Bastani, I.-R. Chen, T. Tsao, Reliability of systems with fuzzyfailure criterion, in: Annual Reliability and Maintainability Sympo

sium, Anaheim, CA, 1994, pp. 4 42–4 48.

[46] I.-R. Chen, F. Bastani, T. Tsao, On the reliability of AI planning software in real-time applications, IEEE Trans. Knowl. Data Eng. 7 (1

(1995) 4–13.

Jin-Hee Cho received the B.A. degree from th

Ewha Womans University, Seoul, Korea and thM.S. and Ph.D. degrees in computer scienc

from the Virginia Tech. Since 2009, she ha

been working as a computer scientist at thU.S. Army Research Laboratory, Adelphi, MD

Her research interests include wireless mobile networks, mobile ad hoc networks, senso

networks, secure group communications, groukey management, network security, intrusio

detection, performance analysis, trust manage

ment, cognitive networks, social networks, dynamic networks, and resource allocation. Sh

received the best paper awards in IEEE TrustCom09 and BRIMS13. Shreceived the 2015 IEEE Communications Society William R. Bennett Priz

in the Field of Communications Networking. She is selected to receive thPresidential Early Career Award for Scientists and Engineers (PECASE) i

2016. She is a senior member of the IEEE and a member of the ACM.

Please cite this article as: J.-H. Cho et al., Trust threshold base

Hoc Networks (2016), http://dx.doi.org/10.1016/j.adhoc.2016.02.0

Ing-Ray Chen received the B.S. degree from th

National Taiwan University, Taipei, Taiwan, anthe M.S. and Ph.D. degrees in computer scienc

from the University of Houston. He is a pro

fessor in the Department of Computer Sciencat Virginia Tech. His research interests includ

mobile computing, wireless systems, securittrust management, intrusion detection, and re

liability and performance analysis. He currentlserves as an editor for IEEE Communication

Letters, IEEE Transactions on Network and Ser

vice Management, The Computer Journal, anSecurity and Network Communications. He is

recipient of the 2015 IEEE Communications Society William R. BennePrize in the field of Communications Networking. He is a member of th

IEEE and ACM.

Kevin S. Chan received the B.S. degree in electrical and computer engineering (ECE)/EPP from

Carnegie Mellon University (Pittsburgh, PA) anthe Ph.D. degree in ECE and MSECE from Geo

gia Institute of Technology (Atlanta, GA). His a research scientist with the Computationa

and Information Sciences Directorate at the U.S

Army Research Laboratory (Adelphi, MD). Previously, he was an ORAU postdoctoral researc

fellow at ARL. His research interests are in network science, with past work in dynamic net

works, trust and distributed decision makinand quality of information through ARL’s Net

work Science Collaborative Technology Alliance and Network and Info

mation Sciences International Technology Alliance.

d public key management in mobile ad hoc networks, Ad

14