[IEEE 2008 International Conference on Apperceiving Computing and Intelligence Analysis (ICACIA 2008) - Chengdu, China (2008.12.13-2008.12.15)]

A NEW PRIVACY-ENHANCED AUTHENTICATION SCHEME FOR WIRELESS MESH NETWORKS

YONG FENG, MING-YU FAN, CHANG-PING LIU

School of Computer Science and Technology, University of Electronic Science and Technology of China
E-MAIL: fybraver@uestc.edu.cn, ff98@163.com, goodlcp120@126.com

Abstract: In wireless mesh networks (WMNs), preserving users' privacy is an important issue, but one that conflicts with security. To provide a new solution to this challenge, we propose an anonymous authentication scheme based on CPK and blind signatures in the elliptic curve domain. The proposed scheme not only provides fast and explicit mutual authentication between nodes, but also effectively preserves mesh users' privacy. The analysis indicates that the proposed scheme satisfies both security and privacy requirements.

Keywords: Authentication; privacy; blind signature; combined public key (CPK); wireless mesh networks (WMNs)

1. Introduction

With the advantages of low up-front cost, easy network deployment and maintenance, robustness, and reliable service coverage, the wireless mesh network (WMN) is increasingly recognized as an ideal and promising broadband wireless technology [1]. In WMNs, security is an important issue and is regarded as one of the main barriers to wide-scale deployment [2, 3]. To counter the various types of attacks, fast and effective authentication between nodes is a fundamental measure [4, 5, 6]. Generally there are two types of authentication in WMNs. Firstly, mesh routers (MRs) should authenticate a requesting mesh user (MU) to prevent unauthorized network access, and the MU should also authenticate the MR to prevent attacks from bogus MRs. Secondly, mutual authentication among MUs is required when a MU forwards another MU's traffic, so as to form a secure route.

At the same time, privacy is becoming another important issue in WMNs. MUs will enjoy ubiquitous WMN access, whether in motion or at rest, only once they are convinced that their privacy is fully protected. However, conventional authentication based on a certification authority (CA) does not work well in WMNs, partly because it does not take user privacy protection into account, and partly because it is difficult to adapt to the dynamic network topology and multi-hop nature of WMNs.

Recently, several papers [3, 6-9] have been published addressing the authentication challenges in WMNs. [3] provides a comprehensive security architecture and discusses the authentication issue in detail. In [6], an authentication model based on CPK is proposed. [7] proposes an authentication architecture based on (t, n) threshold signatures, which improves the resilience of the authentication scheme against attacks at the cost of high communication overhead. However, the above schemes pay little attention to user privacy protection. An anonymous certificate-based authentication scheme can be found in [8]. In addition, [9] provides an anonymous authentication scheme based on bilinear pairings and a restrictive partially blind signature.

In this paper, we propose an anonymous authentication scheme based on CPK and blind signatures in the elliptic curve domain. The scheme not only provides fast and explicit mutual authentication between nodes, but also effectively preserves mesh users' privacy. Moreover, the proposed scheme has good scalability, simple key management, low user overhead, etc.

2. Preliminaries

2.1. Combined Public Key (CPK)

CPK [10, 11] is an ideal solution to the large-scale key management problem: it uses a small quantity of "seeds", i.e. a public/private key factor matrix (PSK/SSK), to produce an almost "infinite" number of public/private key pairs. In CPK there is a key management center (KMC) that requires

978-1-4244-3425-1/08/$25.00 ©2008 IEEE 265


absolute security. The KMC takes charge of producing the PSK and SSK; the SSK must be kept secret inside the KMC while the PSK is published. A user's public key can be worked out by anybody who knows the PSK and the user's identifier (ID). In contrast, the corresponding private keys are produced only by the KMC and distributed securely to users.

CPK is generally constructed on the basis of identity-based cryptography (IBC) [12] and the discrete logarithm problem. Because elliptic curve cryptography (ECC) consumes fewer resources than RSA at the same security level, ECC is more suitable for WMNs.
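The matrix combination described in Section 2.1, carried through as an added worked example (this is code written for this page, not the paper's or any CPK product's implementation). A key center holds a secret seed matrix SSK and publishes PSK, its entrywise public form; anyone maps an ID to one row per column and multiplies the selected PSK entries to get the public key, while only the key center can sum the matching SSK entries to get the private key. To stay self-contained the example uses a multiplicative group modulo the Mersenne prime 2^127 - 1 with base 3 and an 8 x 4 matrix; these parameters, the SHA-256 mapping and the identifiers are assumptions of the example, not the paper's. In the paper's elliptic-curve setting the products become point additions and g^k becomes kG; nothing else changes.

```python
import hashlib
import secrets

# Toy discrete-log group (assumption for this example, not the paper's parameters):
# the Mersenne prime 2^127 - 1 with base g = 3. Exponents live in Z_{P-1}.
P = (1 << 127) - 1
G = 3
ROWS, COLS = 8, 4  # seed-matrix size for the demo; the paper's example is 64 x 32


def column_indices(identifier, rows, cols):
    """CPK mapping: derive one row index per column from the identifier.

    This is the public step: anyone can compute it from the ID alone.
    """
    digest = hashlib.sha256(identifier.encode()).digest()
    return [digest[j] % rows for j in range(cols)]


class KeyCenter:
    """The KMC: generates SSK (secret seeds) and PSK (their public counterparts)."""

    def __init__(self, rows=ROWS, cols=COLS):
        self.ssk = [[secrets.randbelow(P - 2) + 1 for _ in range(cols)]
                    for _ in range(rows)]
        # PSK is g^SSK entrywise; publishing it reveals nothing about SSK
        # beyond what the discrete-log assumption allows.
        self.psk = [[pow(G, seed, P) for seed in row] for row in self.ssk]

    def private_key(self, identifier):
        """Only the KMC can do this: sum the selected secret seeds."""
        idx = column_indices(identifier, len(self.ssk), len(self.ssk[0]))
        return sum(self.ssk[i][j] for j, i in enumerate(idx)) % (P - 1)


def public_key(psk, identifier):
    """Anyone holding PSK derives the public key of an ID by multiplying the selected entries."""
    idx = column_indices(identifier, len(psk), len(psk[0]))
    pk = 1
    for j, i in enumerate(idx):
        pk = pk * psk[i][j] % P
    return pk


def keys_match(sk, pk):
    """Check that the combined private key is the discrete log of the combined public key."""
    return pow(G, sk, P) == pk


def seed_budget(rows, cols):
    """(seeds the KMC must protect, distinct keys the matrix can yield).

    Every private key is a linear combination of seeds, so on the order of
    rows * cols colluding key holders can solve for the whole SSK: this is
    the collusion bound the paper puts at 2048 for a 64 x 32 matrix.
    """
    return rows * cols, rows ** cols


def demo():
    kmc = KeyCenter()
    mr_id = "MR-0001"  # identifier as assigned by the RSC in the scheme (constructed)
    ok = keys_match(kmc.private_key(mr_id), public_key(kmc.psk, mr_id))
    # Degenerate mapping: with a single row every ID selects the same seeds,
    # so two different identities end up sharing one key.
    tiny = KeyCenter(rows=1)
    collide = tiny.private_key("alice") == tiny.private_key("bob")
    return ok, collide


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The single-row key center in demo() shows the property that makes matrix size a security parameter and not just a storage choice: the mapping must spread identifiers over enough rows that distinct IDs select distinct seed combinations, and the seed count bounds how many colluding private-key holders the KMC can tolerate (Section 4.2).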

2.2. Blind Signature

Chaum first proposed blind signature cryptosystems [13]. In [16] Wang proposed a blind signature based on elliptic curves, which can be regarded as the Schnorr blind signature [14, 15] transplanted into the elliptic curve domain. The main parameters of the blind signature in [16] are $((q, FR, a, b, G, n, h), (d, Q), H(\cdot))$, i.e. the curve domain parameters, the signer's key pair and a hash function.

Let A be the provider of the message m, and B the signer with private key d and public key $Q = dG$. The blind signature proceeds as follows:

Step 1: B randomly selects $a \in_R \mathbb{Z}_n$, computes $aG$ and transmits it to A.

Step 2: A randomly selects the blind factors $\gamma, \delta \in_R \mathbb{Z}_n$, computes
$$R = aG + \gamma G + \delta Q = (x, y), \quad r = x \bmod n, \quad c = H(m \,\|\, r), \quad c' = c - \delta,$$
and transmits $c'$ to B.

Step 3: B computes $s' = a - c'd$ and transmits it to A.

Step 4: A computes $s = s' + \gamma$ and thereby obtains the blind signature $(c, s)$ of B on m. To verify the validity of $(c, s)$, one only needs to check whether equation (1) holds:
$$c = H\big(m \,\|\, R_x(cQ + sG) \bmod n\big) \qquad (1)$$
where $R_x(\cdot)$ denotes the x-coordinate of a point. Correctness follows from $cQ + sG = (c - c')dG + (a + \gamma)G = \delta Q + aG + \gamma G = R$, so the x-coordinate recovered by the verifier is exactly the r that A hashed. B only ever sees $c'$ and $s'$, which are one-time-padded by $\delta$ and $\gamma$, so B cannot later recognize $(c, s)$.

3. The proposed scheme

In this section, we propose a privacy-enhanced authentication scheme with the features of security, anonymity, misbehavior traceability and efficiency. In the proposed scheme there are four types of participants: the key management center (KMC), the registration and signing center (RSC), MRs and MUs. The KMC takes charge of generating the PSK/SSK and the CPK private keys, and the RSC is mainly responsible for the registration of new users and the issuance of pseudonym tickets. The schematic diagram of the proposed scheme is shown in Fig. 1, where the digits 1 to 5 denote the 5 basic phases.

Figure 1. Schematic diagram of the proposed scheme. Entities: Mesh User (MU), Mesh Router (MR); dashed lines denote wireless links, solid lines wired links. The numbered phases are:
1 User registration
2 Authentication by users' real identity
3 Pseudonym ticket issuance
4 Pseudonym CPK private key issuance
5 Authentication by users' pseudonym

The notation used in the protocol description is listed as follows:

$PK_{ID_A}$, $SK_{ID_A}$: CPK public/private key of mesh node A
$\{m\}_K$: message m encrypted with the symmetric key K
$SK_{ID_A}(m)$: message m encrypted (signed) with $SK_{ID_A}$
$PK_{ID_A}(m)$: message m encrypted with $PK_{ID_A}$, so that only the holder of $SK_{ID_A}$ can decrypt it
$N_x$: a nonce selected by entity x in the scheme
$\|$: concatenation of two strings

3.1. Initialization

The KMC and the RSC share an AES key K that must be kept secret, but their unique identifiers $ID_{KMC}$ and $ID_{RSC}$ are well known. First the KMC selects appropriate elliptic curve parameters and generates the PSK and SSK. Then the KMC computes $SK_{ID_{KMC}}$ and $SK_{ID_{RSC}}$, and transmits $\{SK_{ID_{RSC}} \,\|\, t\}_K$ to the RSC, where t is a time stamp. Likewise, the RSC selects the elliptic-curve blind signature parameters $((q, FR, a, b, G, n, h), (d, Q), H(\cdot))$, keeps the signing key d secret and makes the verification key Q publicly known. Next, the RSC assigns a unique identifier to each MR and requests the KMC to generate the CPK private keys of these identifiers. Finally, the RSC securely transmits each identifier and its CPK private key to the corresponding MR.

3.2. Registration

If a mesh user A intends to gain access to the Internet, A first has to register with the RSC and take part in the authentication scheme. A can select his name or mailbox name as his identifier and submit it to the RSC. After checking the validity and authenticity of A's identity information, and making sure the identifier is unique, the RSC transmits the verified user identifier, denoted $ID_A$, to the KMC. The KMC calculates $SK_{ID_A}$ and sends $\{SK_{ID_A} \,\|\, t\}_K$ back to the RSC. Finally, the RSC recovers $SK_{ID_A}$ by decrypting with K, and returns $SK_{ID_{RSC}}(ID_A, SK_{ID_A})$ to A securely.

3.3. Pseudonym Ticket Issuance

Figure 2. Pseudonym ticket issuance (message flow between mesh user A and the RSC, as drawn in the figure):

(1) A → RSC: $PK_{ID_{RSC}}(ID_A, N_{m1})$
(2) RSC selects $a \in_R \mathbb{Z}_n^*$; RSC → A: $PK_{ID_A}(aG, N_{m1}, N_r)$
(3) A selects $\gamma, \delta \in_R \mathbb{Z}_n$ and computes $(x, y) = aG + \gamma G + \delta Q$, $r = x \bmod n$, $c = H(ID' \,\|\, r)$, $c' = c - \delta$; A → RSC: $c', N_r$
(4) RSC computes $s' = a - c'd$; RSC → A: $s', N_{m1}$
(5) A computes $s = s' + \gamma$; the pseudonym ticket is $(c, s)$

For the purpose of protecting privacy, a mesh user A is allowed to use one or several pseudonyms in the proposed scheme. The pseudonyms replace the real ID when A authenticates with MRs or other MUs in order to access the Internet over a single hop or multiple hops. In our system, one of A's pseudonyms $ID'$ is generated by selecting a secret number $random \in_R \mathbb{Z}_n^*$ and computing equation (2):
$$ID' = H(ID \,\|\, random) \qquad (2)$$
Next, A can apply to the RSC for a pseudonym ticket on $ID'$. The detailed procedure is shown in Fig. 2. At the end of it A holds the pseudonym ticket $(c, s)$ issued by the RSC, and can verify the validity of $(c, s)$ by equation (1) in Section 2.2.

3.4. Pseudonym CPK Private Key Issuance

By submitting the pseudonym ticket (c, s) of $ID'$, A can apply to the KMC for the CPK private key of $ID'$. The KMC must check the validity of (c, s) and make sure of the uniqueness of $ID'$ by querying the list of active IDs. Then it appends an expiry date to $ID'$. The detailed procedure is shown in Fig. 3.

Figure 3. Pseudonym CPK private key issuance (message flow between the MU and the KMC, as drawn in the figure):

(1) MU → KMC: $PK_{ID_{KMC}}(ID', (c, s), K_2, N_{m2})$
(2) KMC checks $c = H(ID' \,\|\, R_x(cQ + sG) \bmod n)$ and that $ID'$ is unique; if both hold, it sets $ID'' = ID' \,\|\, \text{ExpiringDate}$ and calculates $SK_{ID''}$
(3) KMC → MU: $\{ID'', SK_{ID''}, N_{m2}, N_k\}_{K_2}$

In Fig. 3, the first message includes an AES session key $K_2$ selected by the MU in order to protect the returned CPK private key.
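The blind signature of Section 2.2, the pseudonym ticket issuance of Section 3.3 and the KMC's ticket check of Section 3.4, carried through as one added worked example (this is code written for this page, not the paper's or any reference implementation). It runs the four steps with the paper's symbols (a, γ, δ, c, c', s', s), derives a pseudonym as ID' = H(ID || random), and returns what the RSC actually observed (c', s') next to the ticket (c, s) so the two can be compared. Assumptions: the curve is secp256k1 (the paper fixes no curve, only a base point G of order n), H is SHA-256 reduced into Z_n, strings are joined with a '||' separator, and the public-key encryption and nonces that wrap the messages in Figs. 2 and 3 are left out so that only the signature arithmetic is shown. The TicketChecker class, the identifier and the expiry string are constructed for the example.

```python
import hashlib
import secrets

# secp256k1 domain parameters (q, a, b, G, n): an assumption for this example;
# the paper only asks for an elliptic curve with a base point G of order n.
FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over F_q; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result = None
    while k > 0:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def H(*parts):
    """H(m || r): SHA-256 over '||'-joined parts, reduced into Z_n so that c is a scalar."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

# Section 2.2: the four steps. A = user (message provider), B = signer with key d, Q = dG.
def signer_step1():
    a = rand_scalar()
    return a, ec_mul(a, G)                        # B keeps a, sends aG to A

def user_step2(m, aG, Q):
    gamma, delta = rand_scalar(), rand_scalar()   # fresh blind factors per signature
    R = ec_add(ec_add(aG, ec_mul(gamma, G)), ec_mul(delta, Q))
    c = H(m, R[0] % N)                            # r = x mod n, c = H(m || r)
    return (gamma, c), (c - delta) % N            # A keeps (gamma, c), sends c' = c - delta

def signer_step3(a, c_blind, d):
    return (a - c_blind * d) % N                  # s' = a - c'd

def user_step4(state, s_blind):
    gamma, c = state
    return c, (s_blind + gamma) % N               # signature (c, s) with s = s' + gamma

def verify(m, signature, Q):
    """Equation (1): c == H(m || R_x(cQ + sG) mod n)."""
    c, s = signature
    R = ec_add(ec_mul(c, Q), ec_mul(s, G))
    return R is not None and c == H(m, R[0] % N)

# Section 3.3: pseudonym (equation (2)) and the ticket exchange of Fig. 2.
def make_pseudonym(real_id, random=None):
    random = rand_scalar() if random is None else random    # secret random in Z_n^*
    return hashlib.sha256(f"{real_id}||{random}".encode()).hexdigest()

def issue_ticket(pseudonym, d, Q):
    """Returns the ticket (c, s) and the pair (c', s') that the RSC actually observed."""
    a, aG = signer_step1()
    state, c_blind = user_step2(pseudonym, aG, Q)
    s_blind = signer_step3(a, c_blind, d)
    return user_step4(state, s_blind), (c_blind, s_blind)

# Section 3.4: the KMC verifies the ticket, enforces one-time use, appends the expiry.
class TicketChecker:
    def __init__(self, Q):
        self.Q, self.redeemed = Q, set()          # pseudonyms already turned into keys

    def accept(self, pseudonym, ticket, expiry):
        """Returns ID'' = ID' || expiry, or None for a forged or replayed ticket."""
        if not verify(pseudonym, ticket, self.Q) or pseudonym in self.redeemed:
            return None
        self.redeemed.add(pseudonym)
        return f"{pseudonym}||{expiry}"

def demo():
    d = rand_scalar()
    Q = ec_mul(d, G)                              # RSC's blind-signing key pair
    pseud = make_pseudonym("alice@example.org")   # constructed identifier
    ticket, seen_by_rsc = issue_ticket(pseud, d, Q)
    kmc = TicketChecker(Q)
    return {
        "ticket_valid": verify(pseud, ticket, Q),
        "rsc_saw_different_values": seen_by_rsc != ticket,
        "altered_ticket_rejected": not verify(pseud, (ticket[0], (ticket[1] + 1) % N), Q),
        "first_redemption_ok": kmc.accept(pseud, ticket, "20091231") is not None,
        "replay_rejected": kmc.accept(pseud, ticket, "20091231") is None,
    }

if __name__ == "__main__":
    print(demo())
```

Two points the arithmetic makes visible. The RSC's transcript (c', s') differs from the ticket (c, s) by the one-time values δ and γ, so the unlinkability of Section 4.1 rests on those blind factors being fresh and uniformly random for every ticket; reusing δ across two tickets would let the RSC link them through c1 - c2 = c1' - c2'. And the KMC's replay set is what turns a signature that anyone can verify into a ticket that can be redeemed only once, which is the countermeasure of Section 4.2; it has to be keyed on the pseudonym, not just the ticket bytes, because the ticket is bound to ID' and a second request for the same ID' must be refused even if the ticket were re-blinded.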

3.5. Authentication

Figure 4. Authentication process (between mesh users A and B, as drawn in the figure):

(1) A → B: $PK_{ID_B}(ID_A, N_a)$
(2) B → A: $PK_{ID_A}(ID_B, N_a, N_b)$
(3) A → B: $N_b$

After completing the phase of Section 3.2, or the steps of Sections 3.3 and 3.4, a mesh user holds his user identifier or a pseudonym together with the corresponding CPK private key. When any two MUs intend to authenticate each other to establish a trust relation, they accomplish mutual authentication by the three steps in Fig. 4, where $ID_A$ and $ID_B$ may be real IDs or pseudonyms: each party proves possession of the CPK private key of the ID it claims by returning the nonce that was encrypted to that ID. Mutual authentication between MUs and MRs, and among MRs, is similar to Fig. 4; MRs, of course, use their real IDs.

4. Analysis of the proposed scheme

4.1. Anonymity

After $MU_A$ and the RSC complete mutual authentication, $MU_A$ obtains a pseudonym ticket issued by the RSC by way of a blind signature. Because of the essential property of blind signature cryptosystems, the RSC learns nothing about $ID'_A$, so it cannot link the real identity of $MU_A$ with $ID'_A$. In the process of obtaining the CPK private key $SK_{ID'_A}$ from the KMC, $MU_A$ submits only $ID'_A$ and the pseudonym ticket (c, s) without revealing his real identity $ID_A$, so the KMC cannot link $ID_A$ with $ID'_A$ either. Therefore no one except $MU_A$ knows the real identity of the owner of $ID'_A$ in the whole authentication scheme, i.e. the proposed scheme strongly preserves user privacy. This argument covers what the protocol messages reveal; linking a pseudonym to a real ID through the timing of the ticket and key requests, or through lower-layer identifiers such as MAC addresses, lies outside its scope.

4.2. Security

To prevent rogue nodes from abusing the anonymity, the following countermeasures are adopted:

1) The RSC keeps all registered users' real IDs, and mutual authentication by real ID between the RSC and the MU is mandatory every time a MU applies for a pseudonym ticket. This assures that only a registered MU can obtain a ticket. In addition, the RSC records every pseudonym ticket application, and refuses to issue a new ticket to a MU whose number of applications exceeds a threshold within a period of time.

2) The KMC keeps all pseudonyms and tickets submitted by MUs. On receiving an application to generate a CPK private key, the KMC first verifies the validity of the pseudonym ticket, then checks whether the ticket has been submitted before. This assures that each pseudonym and its corresponding ticket can be submitted successfully only once.

3) The KMC appends an expiry date to each pseudonym submitted by MUs before generating the CPK private key. Therefore the last bits of each pseudonym received by a MU denote the expiry date of the pseudonym, and every node can easily recognize whether a pseudonym is out of date.

The most serious threat a CPK system faces is a collusion attack on the SSK: every CPK private key is a combination of seeds, so enough colluding key holders can solve for the seed matrix. In the proposed scheme, we take the following measures to resist collusion attacks:

1) With strict checking of the user's real identity in the registration phase, mutual authentication in the pseudonym ticket issuance phase, and ticket verification and pseudonym checking in the pseudonym CPK private key issuance phase, the probability that bogus nodes gain admittance to the scheme and harvest CPK private keys is significantly reduced.

2) The KMC must select a proper size of PSK/SSK, e.g. 64 × 32 = 2048 seeds, so that the KMC can withstand collusion of up to 2048 private keys.

3) The KMC periodically renews the security parameters, calculates a new PSK/SSK and publishes the PSK. Then the KMC computes new private keys for every user's real ID and transmits them to the users securely.

4.3. Performance

In this subsection we analyze the overheads introduced by the proposed scheme.

1) Computational overhead: To obtain a pseudonym CPK private key, a MU performs two public-key operations, one ID mapping and two nonce generations. The RSC performs one public-key operation and one nonce generation, and the KMC one symmetric-key operation and one nonce generation. Considering that a MU holds several pseudonyms and each pseudonym may be used several times, the computational overhead is acceptable.

2) Communication overhead: To obtain a pseudonym CPK private key, the MU and the RSC exchange four messages, then the MU and the KMC use two messages to request and return the CPK private key.

Note that traceability in [9] refers to tracing ticket-reuse misbehavior. In our scheme the KMC handles this by querying the pseudonym ticket list and refusing tickets submitted repeatedly; thus our scheme's security features are similar to those of [9]. Moreover, we adopt elliptic curve cryptography, which is much more efficient than the bilinear pairing computation used in [9]. Table 1 compares the computation and communication overhead of the proposed scheme with that of [9]; the result shows that ours is more efficient.

Table 1. Computation and communication overheads comparison

Operation                  This paper                      [9]
                           Ticket issu.   Priv. key issu.  Ticket issu.   Ticket deposit
Pub. key (pairing) oper.   4              2                5              6
Hash oper.                 2              2                7              3
Sym. key oper.             0              4                0              0
Message number             4              2                4              4

5. Conclusion

In this paper, we proposed a privacy-enhanced authentication scheme to secure interactions between nodes in WMNs. On the one hand, the proposed scheme provides explicit mutual authentication between nodes; on the other hand, it allows MUs to interact anonymously with MRs or other MUs. The detailed analysis shows that the proposed scheme satisfies both security and privacy requirements. In addition, the proposed scheme has the features of high efficiency and simple key management.

References

[1] I. F. Akyildiz, X. Wang, W. Wang. "Wireless mesh networks: a survey," Computer Networks, Elsevier, Vol. 47, No. 4, pp. 445-487, March 2005.

[2] N. B. Salem, J-P. Hubaux. "Securing wireless mesh networks," IEEE Wireless Communications, Vol. 13, No. 2, Apr. 2006.

[3] Y. Zhang, Y. Fang. "ARSA: An Attack-Resilient Security Architecture for Multihop Wireless Mesh Networks," IEEE Journal on Selected Areas in Communications, Vol. 24, No. 10, pp. 1916-1928, Oct. 2006.

[4] L. Lamport. "Password Authentication with Insecure Communication," Commun. ACM, Vol. 24, No. 11, pp. 770-772, 1981.

[5] S. M. Yen, K. H. Liao. "Shared Authentication Token Secure against Replay and Weak Key Attack," Information Processing Letters, Vol. 62, No. 2, pp. 78-80, 1997.

[6] J. Liu, C. Liu. "A Key Management and Authentication Model for Ad hoc Network," IEEE PIMRC'07, pp. 1-5, Sept. 2007.

[7] X. Lin, R. Lu, X. Shen. "TUA: A Novel Compromise-Resilient Authentication Architecture for Wireless Mesh Networks," IEEE Transactions on Wireless Commun., Vol. 7, No. 4, pp. 1389-1398, April 2008.

[8] S. Islam, A. Hamid, et al. "Preserving Identity Privacy in Wireless Mesh Networks," Information Networking, ICOIN'08, pp. 1-5, Jun. 2008.

[9] J. Sun, C. Zhang, Y. Fang. "A Security Architecture Achieving Anonymity and Traceability in Wireless Mesh Networks," INFOCOM 2008, pp. 1687-1695, April 2008.

[10] X. Nan, Z. Chen. "A Profile to Network Security Techniques," National Defense Industry Press, Beijing, 2003.

[11] X. Nan. "Identity Authentication based on CPK," National Defense Industry Press, Beijing, 2006.

[12] A. Shamir. "Identity based cryptosystems and signature schemes," Lecture Notes in Computer Science, Proc. CRYPTO '84, pp. 47-53, 1984.

[13] D. Chaum. "Blind Signatures for untraceable payments," Advances in Cryptology - Crypto '82, pp. 199-203, Springer-Verlag, 1982.

[14] C. P. Schnorr. "Efficient Identification and Signature Generation for Smart Cards," Proceedings of the 9th Annual International Cryptology Conference, Springer-Verlag, pp. 239-252, Aug. 1989.

[15] D. Pointcheval. "Strengthened Security for Blind Signatures," Eurocrypt '98 Proceedings, Springer-Verlag, pp. 391-405, 1998.

[16] F. Zhang, C. Wang, Y. Wang. "Digital Signature and Blind Signature Based on Elliptic Curve," Journal of China Institute of Commun., Vol. 22, No. 8, pp. 22-28, Aug. 2001.
