
Securing Mobile Ad Hoc Networks with Certificateless Public Keys

Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE

Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006

Presenter: Hsin-Ruey, Tsai

Introduction

Related work

Design goals and system models

IKM design

Performance evaluation

Introduction

MANET: Mobile ad hoc network

Infrastructureless, autonomous, stand-alone wireless networks.

Key management: serverless.

Two intuitive symmetric-key solutions:

1. Preload all the nodes with a global symmetric key.

2. Let each pair of nodes maintain a unique secret that is known only to those two nodes.

Use public-key certificates to authenticate public keys by binding public keys to the owners' identities.

Preload each node with all the others' public-key certificates prior to network deployment.

Certificate-based cryptography (CBC)

Drawbacks: does not scale with network size, and key update cannot be done in a secure, cost-effective way.

ID-based cryptography (IBC)

Eliminates the need for public-key distribution and certificates.

Master key: all or some of the nodes are shareholders, and the shareholders collaboratively issue ID-based private keys.

Drawbacks:

1. Security fails once more than the threshold number of nodes are compromised.

2. Key update is a significant overhead.

3. How to select the secret-sharing parameters is unclear.

4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.

ID-based key management (IKM)

A novel construction method of ID-based public/private keys.

Determining the secret-sharing parameters used with threshold cryptography.

Simulation studies of the advantages of IKM over CBC-based schemes.

Each node's public key and private key is composed of a node-specific, ID-based element and a network-wide common element.

Node-specific element: compromising a node does not jeopardize noncompromised nodes' private keys.

Common element: enables efficient key updates via a single broadcast message.

IKM has performance equivalent to that of CBC-based schemes (denoted by CKM), while it behaves much better in key updates.

Identifies pinpoint attacks against shareholders.


Related work

CBC and (t, n) threshold cryptography. N is the number of nodes; t ≤ n ≤ N.

N nodes, one CA public key, and the CA's private key divided into n shares held by n distributed CAs (D-CAs).

Certificate generation and revocation require t D-CAs.

Tolerates the compromise of up to (t-1) D-CAs and the failure of up to (n-t) D-CAs.

Pairing technique

Let p, q be two large primes, G1 a q-order subgroup of the additive group of points of E/Fp, and G2 a q-order subgroup of the multiplicative group of the finite field $F_{p^2}^*$.

$e : G_1 \times G_1 \rightarrow G_2$

Bilinear: for all $P, Q, R, S \in G_1$,

$e(P+Q, R+S) = e(P, R)\, e(P, S)\, e(Q, R)\, e(Q, S)$

Consequently, for all $a, b \in Z_q^*$,

$e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^{ab}$
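Added derivation (not on the original slides) showing why the scalar identity follows from the bilinear identity, using the slide's own symbols and writing $O$ for the identity of $G_1$:

$$
\begin{aligned}
e(P+Q, R) &= e(P+Q, R+O) = e(P,R)\,e(P,O)\,e(Q,R)\,e(Q,O) = e(P,R)\,e(Q,R), \\
e(aP, Q) &= e(\underbrace{P + \cdots + P}_{a\ \text{terms}}, Q) = e(P,Q)^a, \qquad
e(P, bQ) = e(P,Q)^b, \\
e(aP, bQ) &= e(P, bQ)^a = \bigl(e(P,Q)^b\bigr)^a = e(P,Q)^{ab} = \bigl(e(P,Q)^a\bigr)^b = e(aP, Q)^b .
\end{aligned}
$$

The first line uses $e(P, O) = 1$, which itself follows from $e(P, O) = e(P, O+O) = e(P,O)^2$. This is the property that lets any node holding only the public parameters $(W, W_{p1}, W_{p2})$ check relations involving the master secrets without learning them.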


Design goals

MANETs should satisfy the following requirements:

1. Each node is initially free of attack.

2. Compromise-tolerant.

3. Efficiently revoke and update the keys of nodes.

4. Be efficient, because nodes are resource-constrained.

Network & adversary model

Network model: a special-purpose, single-authority MANET consisting of N nodes.

Adversary model:

1. Only a minority of members are compromised/disrupted.

2. Adversaries cannot break any of the cryptographic primitives.

3. Static adversaries.

4. Compromised nodes exhibit detectable misbehavior.

Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is the number of D-PKGs, t is the threshold number).


Network initialization

The PKG generates the pairing parameters (p, q, e) and selects a generator W of G1.

H1: a hash function that maps binary strings to nonzero elements in G1.

Kp1, Kp2: elements of $Z_q^*$, the master secrets.

Wp1 = Kp1·W, Wp2 = Kp2·W

The PKG preloads the parameters (p, q, e, H1, W, Wp1, Wp2) to each node, while Kp1 and Kp2 should never be disclosed to any single node.

Secret sharing

Enables key revocation and update. The PKG performs a (t, n)-threshold secret sharing of Kp2 (t: threshold number, n: number of D-PKGs, N: number of nodes).

The PKG distributes its functionality to n D-PKGs; any t of them reach the threshold.

The PKG preloads each D-PKG with its (verifiable) share.

Given at least t shares, Lagrange interpolation with the Lagrange coefficients reconstructs Kp2 by computing g(0).
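The (t, n) sharing and the Lagrange reconstruction above, as an added worked example; this is not the paper's or the presenter's code. It assumes shares are points of a random degree-(t-1) polynomial over a toy prime field Z_q (q = 1019, an insecure constructed size), and, since the slides only say the shares are "verifiable" without naming a method, it implements verification with Feldman-style commitments in a subgroup of order q of Z_p^* with p = 2q+1. The master secret value 123 is a placeholder for Kp2.

```python
"""Toy (t, n)-threshold sharing of a master secret, modelled on the PKG -> D-PKG step."""
import random
from itertools import combinations

Q = 1019          # constructed toy prime: order of the share field Z_Q
P = 2 * Q + 1     # 2039, also prime, so Z_P^* has a subgroup of order Q
G = 4             # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def share_secret(secret, t, n, rng):
    """PKG side: pick a random degree-(t-1) polynomial g with g(0) = secret,
    give D-PKG i the point (i, g(i)), and publish Feldman commitments G^a_j
    (assumed verification method; the slides do not specify one)."""
    coeffs = [secret % Q] + [rng.randrange(1, Q) for _ in range(t - 1)]

    def g(x):
        return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

    shares = [(i, g(i)) for i in range(1, n + 1)]
    commitments = [pow(G, c, P) for c in coeffs]
    return shares, commitments


def verify_share(share, commitments):
    """D-PKG side: G^{g(i)} must equal prod_j (G^{a_j})^{i^j} mod P."""
    i, s = share
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, s, P) == rhs


def lagrange_coefficient(i, indices):
    """Lagrange coefficient lambda_i for evaluating the interpolating polynomial at 0."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(shares):
    """Any t shares: g(0) = sum_i g(i) * lambda_i (mod Q)."""
    indices = [i for i, _ in shares]
    return sum(s * lagrange_coefficient(i, indices) for i, s in shares) % Q


def all_subsets_reconstruct(shares, t, secret):
    """Check that every t-subset of the n shares recovers the secret."""
    return all(reconstruct(list(sub)) == secret for sub in combinations(shares, t))


def demo(seed=7):
    """Run the whole flow with constructed values: Kp2 = 123, t = 3, n = 5."""
    rng = random.Random(seed)
    kp2 = 123                                   # placeholder for the master secret Kp2
    shares, commitments = share_secret(kp2, 3, 5, rng)
    tampered = (shares[0][0], (shares[0][1] + 1) % Q)   # a corrupted share
    return {
        "all_verify": all(verify_share(s, commitments) for s in shares),
        "tampered_verifies": verify_share(tampered, commitments),
        "recovered": reconstruct([shares[1], shares[3], shares[4]]),
        "every_t_subset": all_subsets_reconstruct(shares, 3, kp2),
        "two_shares_enough": reconstruct(shares[:2]) == kp2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With t-1 = 2 shares the interpolation is a line through (1, g(1)) and (2, g(2)), which evaluates at 0 to a0 - 2·a2; because the top coefficient a2 is drawn from 1..Q-1 this never equals the secret, so the `two_shares_enough` check is deterministically false for this seed and any other.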

Generation of ID-based public/private keys

Each key has a node-specific element and a phase-specific element.

Our IKM is composed of a number of continuous, nonoverlapping key-update phases, denoted by $p_i$ for $1 \le i \le M$, where M is the maximum possible phase index.

$p_i$ is associated with a unique binary string, called a phase salt, $salt_i$.

Phase-specific element: varies across key-update phases.

Node-specific element: remains unchanged and is kept confidential to A itself.

Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master secrets Kp1 and Kp2 from an arbitrary number of public/private key pairs.

An adversary therefore cannot deduce the private key of any noncompromised node.

Key revocation: misbehavior notification

B accuses A; the accusation carries a timestamp and is protected with B's shared key with V.

Considerations: communication overhead and resilience.

Key revocation: revocation generation

If the accusations against A exceed the threshold, the D-PKGs diagnose A.

Revocation requires the joint efforts of t D-PKGs: the t D-PKGs with the smallest IDs in the set participate, and the one with the lowest ID acts as the revocation leader.

Each participating D-PKG generates a partial revocation and sends it to the revocation leader, which accumulates them.

The revocation leader sends the accumulated accusations to all the D-PKGs, which respond after verifying the accusation.

Result: a complete revocation.

Key revocation: from partial revocations to a complete revocation

The revocation leader combines the partial revocations into a complete revocation.

Let the participating set denote the t D-PKGs taking part in revocation generation. It is possible that one or several of its members are unrevoked compromised nodes, which might send wrongly computed partial revocations.

The revocation leader checks the combined result; if it is not equivalent to the expected value, the leader checks each node's partial revocation individually.

The complete revocation is flooded to each node.

Key revocation: leader failure

If the D-PKGs in the set do not receive a correct revocation against A within a certain time, the revocation leader itself is a compromised node, and the D-PKG with the second lowest ID succeeds it as the revocation leader.

As long as there is at least one noncompromised D-PKG in the participating set and there are at least t noncompromised D-PKGs among the D-PKGs, a valid accusation against node A can always be generated.

Key update

Public key:

Private key:

(B just performs two hash operations)

The common private-key element needs the collective efforts of t D-PKGs.

Z randomly selects (t-1) other nonrevoked D-PKGs and sends them a request; these t D-PKGs, including Z itself, each generate a partial common private-key element, and Z checks them.

Key update

To propagate the common element securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme.

Set of nodes revoked until phase $p_i$; Z broadcasts the key-update message.

Maximum number of compromised nodes.

The PKG picks M distinct polynomials and another M distinct polynomials.

Each such value is a point on E/Fp, so its x-coordinate can be uniquely determined from its y-coordinate.

Key-update parameters

Revoked node

IKM design: choosing the secret-sharing parameters t, n

All adversaries can do is attempt to compromise or disrupt randomly picked nodes, expecting that those nodes happen to be D-PKGs.

They compromise and disrupt up to Nc ≥ t and Nd ≥ n-t+1 nodes, respectively.

Define Prc and Prd as the probabilities that at least t out of the Nc compromised nodes, and at least (n-t+1) out of the Nd disrupted nodes, happen to be D-PKGs.
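The Prc / Prd analysis as an added worked example, not code from the paper. Under the model on the slide (the adversary picks Nc nodes to compromise and Nd nodes to disrupt uniformly at random from N nodes, n of which are D-PKGs), the number of D-PKGs hit is hypergeometric, so both probabilities are exact tail sums. The `choose_parameters` search and its bound are a constructed illustration of the t-versus-n trade-off, not the selection rule the paper uses.

```python
"""Probability that random compromise / disruption defeats a (t, n) D-PKG set."""
from fractions import Fraction
from math import comb


def hypergeom_tail(N, n, draws, k_min):
    """P(X >= k_min), where X is the number of D-PKGs among `draws` nodes
    picked without replacement from N nodes of which n are D-PKGs (exact)."""
    if draws > N or n > N:
        raise ValueError("draws and n must not exceed N")
    k_min = max(k_min, 0)
    hit = sum(comb(n, k) * comb(N - n, draws - k)
              for k in range(k_min, min(n, draws) + 1))
    return Fraction(hit, comb(N, draws))


def attack_success_probs(N, n, t, Nc, Nd):
    """Return (Prc, Prd) for the given network and adversary sizes."""
    prc = hypergeom_tail(N, n, Nc, t)            # at least t shares compromised
    prd = hypergeom_tail(N, n, Nd, n - t + 1)    # more than n-t D-PKGs disrupted
    return prc, prd


def choose_parameters(N, Nc, Nd, bound):
    """Smallest n, with the best t for it, such that max(Prc, Prd) <= bound.
    Larger t lowers Prc but raises Prd; larger n widens the gap between them.
    Returns (n, t, max(Prc, Prd)) or None if no n up to N satisfies the bound."""
    for n in range(1, N + 1):
        best = None
        for t in range(1, n + 1):
            prc, prd = attack_success_probs(N, n, t, Nc, Nd)
            worst = max(prc, prd)
            if worst <= bound and (best is None or worst < best[2]):
                best = (n, t, worst)
        if best is not None:
            return best
    return None


if __name__ == "__main__":
    # Constructed sizes for illustration only.
    N, Nc, Nd = 100, 8, 12
    for n in (8, 12, 16, 20):
        for t in range(2, n, 2):
            prc, prd = attack_success_probs(N, n, t, Nc, Nd)
            print(f"n={n:2d} t={t:2d}  Prc={float(prc):.4f}  Prd={float(prd):.4f}")
    print("smallest n meeting 1e-3:", choose_parameters(N, Nc, Nd, Fraction(1, 1000)))
```

Reading the table from `main`: for fixed n, increasing t drives Prc toward zero while Prd climbs, which is exactly the tension the slide's two inequalities (Nc ≥ t and Nd ≥ n-t+1) express; the parameter pair to deploy is the one that keeps both tails below the risk the operator accepts.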


Performance evaluation

CKM vs. IKM, simulated in GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB memory.