Crypto, Anonymity, and Privacy Simple Nomad DC214 10Nov2004.
Providing Source Privacy in Mobile Ad Hoc Networksrenjian/pubs/MASS-2009-Source Privacy...
Transcript of Providing Source Privacy in Mobile Ad Hoc Networksrenjian/pubs/MASS-2009-Source Privacy...
Providing Source Privacy in Mobile Ad Hoc Networks
Abstract
Jian Ren Yun Li Tongtong Li
Index Terms
Communication privacy is becoming an essentialsecurity requirement for mission critical communications and communication infrastructure protection.This is especially true for mobile ad hoc networks(MANETs) due to mobility of the communication nodesand the nature of wireless communications. Existingresearch in privacy-preserving communications canlargely be divided into two categories: cryptosystembased techniques and broadcasting-based techniques.The cryptosystem-based techniques include mix-basedsystems and secure multiparty computation-based systems, originating from mixnet and DC-net respectively. All mix-based approaches require a trusted thirdparty to provide the mix and are not quite feasible in MANET. However, DC-net based approachessuffer from transmission collision problem that cannot be easily resolved practically. Broadcasting basedschemes provide communication privacy by mixingthe real messages with dummy packets so that itis infeasible for the adversaries to identify the realpackets and track the message source. However, thetransmission ofdummy messages not only increases theenergy consumption significantly, but also increasesthe network collisions and decreases the packet delivery ratio. In this paper, we first propose a novelunconditionally secure source anonymous message authentication scheme (SAMAS) that enables messagesto be released without relying on any trusted thirdparties. While providing source privacy, the proposedscheme can also provide message content authenticity. We then propose a novel communication protocolfor MANET that can ensure communication privacyof both communication parties and their end-to-endrouting. The proposed protocol can be used for criticalinfrastructure protection and secure file sharing. Thesecurity analysis demonstrates that the proposed protocol is secure against various attacks. The theoreticalanalysis and simulation show that the proposed schemeis efficient and can ensure high message delivery ratio.
978-1-4244-5113-5/09/$25.00 @2009 IEEE
332
Communication anonymity, unconditional security,source privacy, recipient privacy, location privacy,content authenticity, wireless ad hoc network
1. Introduction
Wireless ad hoc networks are increasingly beingused for military communications and dissemination ofcritical information. While end-to-end encryption canprotect the communication content from adversarialaccess and manipulation, it does not conceal theirlocation and the routing information. Without privacyprotection, adversaries can easily learn the identities ofthe communication parties and the relevant informationthat two users are communicating. Adversaries can alsoeasily overhear all the messages, passively eavesdropon communications and perform traffic analysis, routing monitoring and denial-of-service attacks.
For mission critical applications, communicationprivacy is no longer a feature or a service, but an essential security requirement. As an example, in tacticalmilitary communication networks, an abrupt change intraffic pattern or volume may indicate some forthcoming activities. The exposure of such information couldbe extremely dangerous in that adversaries can easilyidentify critical network nodes and then launch directdenial-of-service attacks on them. Communication privacy is also an indispensable security requirement forapplications such as e-voting, e-cash and so on.
Even for our daily life, lacking of anonymity canresult in privacy violation of the regular citizen. Forexample, the adversaries can track your on-line orders,the web sites that you access, the doctors that you visitand many more.
In the past two decades, originated largely fromChaum's mixnet [1] and DC-net [2], a number ofprivacy-preserving communication protocols have beenproposed, including for example, onion routing [3], Kanonymous message transmission [4], Web MIXes [5],Mixminion [6], Mixing email [7], Mixmaster Protocol [8], Crowds [9] and Buses seat allocation [10],to name a few. The mixnet family protocols use a
set of "mix" servers that mix the received packetsto make the communication sources (including thesender and the recipient) ambiguous. They rely onthe statistical properties of background traffic that isalso referred to as the cover traffic to achieve thedesired source privacy. The DC-net family protocols[2], [4], [11], [12] on the other hand, utilize secure multiparty computation techniques. They provide provablesource privacy without relying on trusted third parties.However, to broadcast a message, each party of thegroup that the message sender hides, called the set ofambiguity (SoA) , needs to choose a random position.Even if all parties are honest, there are no effectivenon-interactive means that can enable players to selectdistinct message positions. This means that multipleparties will transmit messages in the same slot. This iscalled the transmission collision problem. There is noexisting practical solution to solve this problem [12].
As the computing, communicating, and cryptographic techniques progress rapidly, increasing emphasis has been placed on developing new efficientand secure anonymous communication schemes andnetwork protocols without relying on trusted thirdparties and free of collision.
In this paper, we first propose a novel unconditionally secure source anonymous message authenticationscheme (SAMAS) scheme that enables messages to bereleased without relying on any trusted third parties.While providing source privacy, the proposed schemecan also provide message content authenticity. We thenpropose a novel communication protocol for MANETthat can ensure communication privacy of the twocommunication parties and their end-to-end communications.
In the proposed protocol, the participants are referred as the nodes and are organized into multipleMANETs. The nodes are further classified into normalnodes and super nodes. A normal node is a networknode that can only communicate with the nodes inthe local MANET. A super node can be a normalnode that can also provide message forward servicesto the other MANETs. It can also be a special nodededicated to providing message forwarding servicesto the other MANETs. Each MANET should havemany normal nodes and multiple super nodes. Theproposed network protocol can be used for criticalinformation distribution, infrastructure protection andsecure file sharing. The security analysis demonstratesthat the proposed protocol is secure against variousattacks. The theoretical analysis and simulation showthat the proposed scheme is efficient and can ensurehigh message delivery ratio.
The rest of this paper is organized as follows. In
333
Section 2, the terminology, assumptions and the previous related works are briefly reviewed. The proposedunconditionally secure source anonymous message authentication scheme (SAMAS) and the security analysis are described in Section 3. In Section 4, we proposean anonymous communication protocol in detail alongwith security analysis and simulation results in SectionV. Finally, Section 6 concludes this paper.
2. Terminology and Preliminary
In this section, we will briefly describe the terminology defined in previous research. Then we willintroduce some cryptographic tools that will be usedin this paper. Finally, we will present a brief overviewof the related works in this area.
2.1. Terminology
Privacy is sometimes referred as anonymity. Communication anonymity in information management hasbeen discussed in a number of previous works [1],[2], [9], [13]-[15]. It generally refers to the state ofbeing not identifiable within a set of subjects. This setis called the set of ambiguity (SoA). Three types ofanonymity were defined in [13]: sender anonymity, recipient anonymity and relationship anonymity. Senderanonymity means that a particular message is notlinkable to any sender and no message if linkable to aparticular sender. Recipient anonymity similarly meansthat a message cannot be linked to any recipient andthat no message is linkable to a recipient. Relationshipanonymity means that the sender and the recipientare unlinkable. In other words, sender and recipientcannot be identified as communicating with each other,though it may be clear they are participating in somecommunications. Relationship anonymity is a weakerproperty than each of sender anonymity and recipientanonymity. The above anonymities are also referredto as the full anonymities, since they guarantee thatan adversary cannot infer anything about the sender,the recipient, or the communication relationship froma transmitted message.
We will start with the definition of unconditionally secure source anonymous message authenticationscheme (SAMAS).
Definition 1 (SAMAS). An SAMAS consists of thefollowing two algorithms:
• generate (m, Yl, Y2,··· , Yn): Given a message mand the public keys Yl, Y2,··· , Yn of the set ofambiguity (SoA) S = {A 1,A2 , · · · ,An}, the actual message sender At, 1 ::; t ::; n, produces an
anonymous message S(m) using her own privatekey Xt.
• verify S(m): Given a message m and an anonymous message S(m), which includes the publickeys of all members in the SoA, a verifier can determine whether S(m) is generated by a memberin the SoA.
The security requirements for SAMAS include:
• Sender ambiguity: The probability that a verifiersuccessfully determines the real sender of theanonymous message is exactly 1/n, where n isthe total number of SoA.
• Unforgeability: An anonymous message schemeis unforgeable if no adversary, given the publickeys of all members of the SoA and the anonymous messages ml, m2,··· .m; adaptively chosen by the adversary, can produce in polynomialtime a new valid anonymous message with nonnegligible probability.
In this paper, the user ID and user public key will beused interchangeably without making any distinguish.
2.2. Modified EIGamal Signature Scheme(MES)
Definition 2 (MES). The modified EIGamal signaturescheme [16] consists ofthe following three algorithms:
Key generation algorithm: Let p be a large prime, 9be a generator of Z;. Both p and 9 are made public.For a random private key x E Zp, the public key y iscomputed from y = gX mod p.
Signature algorithm: The MES can also have manyvariants [17], [18]. For the purpose of efficiency, wewill describe the variant, called optimal scheme. Tosign a message m, one chooses a random k E Z;-l'then computes the exponentiation r = gk mod p andsolves s from
s = rxh(m, r) + k mod (p - 1), (1)
where h is a one-way hash function. The signature ofmessage m is defined as the pair (r, s).
Verification algorithm: The verifier checks whetherthe signature equation g8 = ryrh(m,r) mod p. Ifthe equality holds true, then the verifier accepts thesignature and rejects otherwise.
2.3. Previous Work
The existing anonymous communication protocolsare largely stemmed from either mixnet [1] or DCnet [2]. A mixnet provides anonymity via packet reshuffling through (at least one trusted) "mix". In a
334
mixnet, a sender encrypts an outgoing message and theID of recipient using the public key of the mix. Themix accumulates a batch of encrypted messages, decrypts and reorders these messages, and forwards themto the recipients. An eavesdropper cannot link a decrypted output message with any particular (encrypted)input message. The mixnet thus protects the secrecy ofusers' communication relationships. Recently, Molerpresented a secure public-key encryption algorithmfor mixnet [19]. This algorithm has been adopted byMixminion [6]. However, since mixnet-like protocolsrely on the statistical properties of background traffic,they cannot provide provable anonymity.
DC-net [2], [15] is an anonymous multiparty computation amongst a set of participants, some pairs ofwhich share secret keys. DC-net provides perfect (information theoretic) sender anonymity without requiring trusted servers. In a DC-net, users send encryptedbroadcasts to the entire group, thus achieving receiveranonymity. However, all members of the group aremade aware of when a message is sent, so DC-net doesnot have the same level of sender-receiver anonymity.Also, in DC-net, only one user can send at a time,so it takes additional bandwidth to handle collisionsand contention. Lastly, a DC-net participant fixes itsanonymity vs. bandwidth trade off when joining thesystem, and there are no provisions to rescale that tradeoff when others join the system.
Crowds [9] extends the idea of anonymizer andis designed for anonymous web browsing. However,Crowds only provides sender anonymity. It does nothide the receivers and the packet content from thenodes en route. Hordes [20] builds on the Crowds.It uses multicast services and provides only senderanonymity. The k-anonymous communication protocol introduced in [21] can provide both sender andrecipient anonymity, however, the initialization and keychain distribution are quite complex. The communication overhead is also high.
Recently, message sender anonymity based on ringsignatures was introduced [22]. This approach canenable message sender to generate source anonymousmessage signature with contents authenticity assurance, while hiding the real identity of the messagesender. The major idea is that the message sender (sayAlice) randomly selects n ring members as the SoAon her own without awareness of these members. Togenerate a ring signature, for each member in the ringother than the actual sender (Alice), Alice randomlyselects an input and computes the one-way outputusing message signature forgery. For the trapdoor oneway function corresponding to the actual sender Alice,she needs to solve the "message" that can "glue" the
ring together, and then signs this "message" using herknowledge of the trap-door information. The originalscheme has very limited flexibility and the complexityof the scheme is quite high. Moreover, the originalpaper only focuses on the cryptographic algorithm, therelevant network issues were totally left unaddressed.
In this paper, we first propose an unconditionallysecure and efficient source anonymous message authentication scheme based on the modified EIGamalsignature scheme. This is because the original EIGamal signature scheme is existentially forgeable with ageneric message attack [23], [24]. While the modifiedEIGamal signature (MES) scheme is secure against nomessage attack and adaptive chosen-message attack inthe random oracle model [25].
2.4. Threat Model and Assumptions
We assume the participating MANET nodes voluntarily cooperate with each other to provide ananonymizing service. All nodes are potential message originators of anonymous communications. Theadversaries can collaborate to passively monitor andeavesdrop every MANET traffic. In addition, theymay compromise any node in the target network tobecome an internal adversary, which could be theinternal perpetrators. In this paper, we assume thatpassive adversaries can only compromise a fractionof the nodes. We also assume that the adversaries arecomputationally bounded so that inverting and readingof encrypted messages are infeasible. Otherwise, itis believed that there is no workable cryptographicsolution.
An agent of the adversary at a compromised nodeobserves and collects all the information in the message, and thus reports the immediate predecessor andsuccessor node for each message traversing the compromised node. Assume also that the adversary collectsthis information from all the compromised nodes, anduses it to derive the identity of the sender of a message.The sender has no information about the number oridentity of nodes being compromised. The adversarycollects all the information from the agents on thecompromised nodes, and attempts to derive the trueidentity of the sender.
3. Unconditionally Secure Source Anonymous Message Authentication Scheme(SAMAS)
In this section, we propose an unconditionally secureand efficient source anonymous message authentication
335
scheme (SAMAS). The main idea is that for eachmessage m to be released, the message sender, or thesending node, generates a source anonymous messageauthentication for the message m. The generation isbased on the MES scheme. Unlike ring signatures,which requires to compute a forgery signature for eachmember in the SoA separately. In our scheme, theentire SAMAS generation requires only three steps,which links all non-senders and the message senderto the SAMAS alike. In addition, our design enablesthe SAMAS to be verified through a single equationwithout individually verifying the signatures.
3.1. The Proposed SAMAS Scheme
Suppose that the message sender (say Alice)wishes to transmit a message m anonymously fromher network node to any other node. The SoAincludes n members, AI, A2 , · · · ,An, e.g., S ={AI, A2 , · · · ,An}, where the actual message senderAlice is At, for some value t, 1 ::; t ::; n.
Let p be a large prime number and 9 be a primitiveelement of Z;. Then 9 is also a generator of Z;. Thatis Z; =< 9 >. Both p and 9 are made public andshared by all members in S. Each Ai E S has apublic key Yi = gXi mod p, where Xi is a randomlyselected private key from Z;-I. In this paper, we willnot distinguish between the node Ai and its public keyYi. Therefore, we also have S = {YI'Y2,··· ,Yn}.
Suppose m is a message to be transmitted. The private key of the message sender Alice is Xt, 1 ::; t ::; n.To generate an efficient SAMAS for message m, Aliceperforms the following three steps:
1) Select a random and pairwise different k; foreach 1 ::; i ::; n, i i- t and compute r i
gki modp.2) Choose a random k E Zp and compute rt =
gk II y;rihi mod p such that rt i- 1 and rt i- r;i;f=t
for any i i- t, where hi = h(m, ri).3) Compute s = k + L k; + Xtrtht mod (p - 1).
i;f=tThe SAMAS of the message m is defined as
S(m) = (m,S,rl,··· ,rn,s), (2)
where g8 = rl ... rnyr1h1 ... y~nhn mod p, and hi =h(m, ri).
3.2. Verification of SAMAS
A verifier can verify an alleged SAMAS(m, S, rl, . .. ,rn, s) for message m by verifyingwhether the following equation
g8 = rl ... rnyr1h1 ... y~nhn mod p (3)
holds. If equation (3) holds true, the verifier Acceptsthe SAMAS as a valid for message m. Otherwise theverifier Rejects the SAMAS.
In fact, if the SAMAS has been correctly generated,then we have
rl ... rnyr1 h 1••• v;": mod p
gk1 ••• gknyrlhl ... y~nhn mod p
g;21.. k; (gk II y;rihi) (II y~ihi) y;tht mod pi#t i#t
k+L ki+Xtrtht9 i#t mod p
g8 modp.
Therefore, the verifier should always Accept theSAMAS if it is correctly generated without beingmodified.
Remark 1. As a trade-off between computation andtransmission, the SAMAS can also be defined asS(m) = (m,S,rl,··· ,rn,h1 , · · · ,hn,s). In case Sis also clear, it can be eliminated from the SAMAS.
3.3. Security Analysis
In this subsection, we will prove that the proposedSAMAS scheme is unconditionally anonymous andprovably unforgeable against adaptive chosen-messageattack.
3.3.1. Anonymity. In order to prove that the proposedSAMAS is unconditionally anonymous, we have toprove that (i) for anybody other than the members of S,the probability to successfully identify the real senderis lin, and (ii) anybody from S can generate SAMAS.
Theorem 1. The proposed source anonymous messageauthentication scheme (SAMAS) can provide unconditional message sender anonymity.
3.3.2. Unforgeability. The design of the proposedSAMAS relies on EIGamal signature schemes. Signature schemes can achieve different levels of security.Security against existential forgery under adaptivechosen message attack is the maximum level of security.
In this section, we will prove that the proposedSAMAS is secure against existential forgery underadaptive-chosen message attacks in the random oraclemodel [26]. The security of our result is based on thewell-known discrete logarithms problem (DLP), whichassumes that the computation of discrete logarithm inZp for large p is computationally infeasible. In other
336
words, no efficient algorithms are known for nonquantum computers.
We will introduce two lemmas first. Lemma 1, orthe Splitting Lemma, is a well-known probabilisticlemma from reference [25]. The basic idea of theSplitting Lemma is that when a subset Z is "large"in a product space X x Y, it will have many "large"sections. Lemma 2 is a slight modification of theForking Lemma presented in [25]. The proof of thistheorem is mainly probability theory related. We willskip the proof of these two lemmas here.
Lemma 1 (The Splitting Lemma). Let Z C X x Ysuch that Pr[(x, y) E Z] 2:: c. For any a < E, defineW = {(x,y) E X x YI Pr [(x,y') E Z] 2:: E - a},
y'EYand tv = (X x Y) \ W, then the following statementshold:
1) Pr[W] 2:: a.2) V(x, y) E W, PrY'EY[(X, y') E Z] 2:: e - a.3) Pr[WIZ] 2:: a/c.
Lemma 2 (The Forking Lemma). Let A be aProbabilistic Polynomial Time (PPT) Turing machine.Given only the public data as input, if A canfind, with non-negligible probability, a valid SAMAS(m,S,rl,··· ,rn,h1 , · · · ,hn,s) within a boundedpolynomial time T, then with non-negligible probability, a replay of this machine which has control over Aand a different oracle, outputs another valid SAMAS(m,S,rl,··· ,rn,h~,··· ,h~,s), such that hi = h~,
for all 1 :S i :S n, i =1= j for some fixed j.
Theorem 2. The proposed SAMAS is secure againstadaptive chosen-message attack in the random oraclemodel.
Due to page limitation, the proof of this theorem isomitted here.
4. The Proposed Privacy-Preserving Communication Protocol
4.1. Network Model
Keeping confidential who sends which messages, ina world where any physical transmission can be monitored and traced to its origin, seems impossible. Tosolve this problem, in this paper, we consider networkswith multiple MANETs. That is the participating nodesare divided into a set of small subgroups. We classifythe network nodes into two categories, normal nodesand super nodes. A normal node is a network node thatmay not be able to communicate direct with the nodesin other MANETs. A super node can be either a normal
node that can also provide message forward servicesto other MANET nodes. It can also be a special nodededicated to providing message forward services toother MANET nodes. For energy optimization, thenormal nodes can take turn to be the super nodes.
Prior to network deployment, there should be anadministrator. The administrator is responsible for theselection of security parameters and a group-wisemaster key Sa E Z;. The group master key shouldbe well safeguarded from unauthorized access andnever be disclosed to the ordinary group members. Theadministrator then chooses a collision-resistant cryptographic hash function h, mapping arbitrary inputs tofixed-length outputs on Zp, e.g., SHA-l [27].
The administrator assigns each super node a sufficiently large set of collision-free pseudonyms that canbe used to substitute the real IDs in communicationsto defend against passive attacks. If a super node usesone pseudonym continuously for some time, it willnot help to defend against possible attacks since thepseudonym can be analyzed in the same way as itsreal ill. To solve this problem, each node should usedynamic pseudonyms instead. This requires each supernode to sign up with the administrator, who will assigneach super node a list of random and collision-resistantpseudonyms:
utA = {idf,··· ,id:}.
In addition, each super node will also beassigned a corresponding secret set: Y A{gsGh(idt), ... ,gsGh(id~)}.
4.2. Anonymous Local MANET Communication
To realize anonymous network-layer communications, obviously there should be no explicit information(such as the message sender and recipient addresses)in the message content. All of the information relatedto addresses, including the destination MANET wherethe recipient resides, should be embedded into theanonymizing message payload.
Prior to network deployment, the administratorneeds to select a set of security parameters for theentire system, including a large prime p, and a generator 9 of Z;. The network nodes AI, A2 , · · · ,Anand the corresponding public keys YI, Y2, . .. ,Yn ofthe n participating network nodes, where Xi E Zp, isa randomly selected private key of node Ai, and Yi iscomputed from Yi = gXi mod p.
A normal node only communicates to other nodesin the same MANET. The communication betweentwo normal nodes in different MANETs has to be
337
forwarded through the supper nodes in the respectedlocal MANETs. Each message contains a nonce (N), amessage flag (mF), a recipient flag (rF) and a secretkey. The nonce is a random number that is used onlyonce to prevent message replay attack. The recipientflag enables the recipient to know whether he is thetargeted receiver or the forwarding node. The secretkey is used to encrypt the message payload usingsymmetric encryption algorithm.
More specifically, for a node Ai to transmit amessage m anonymously to a node Aj in the sameMANET, through the nodes A i+I , · · · ,Aj - I , wherej > i + 1, node Ai generates a new message M(i,j)defined in the equation (4),
where for l = i + 1,··· .i, Ni is a nonce, mF" is amessage flag, rF" is a recipient flag, sk; is the secretkey used for one time message encryption, and II standsfor message concatenation.
When the node A i+I receives the message packet,the node decrypts the first block of the received message using its private key corresponding to pki+1. Afterthat, the node will get the recipient flag and messageflag with the instruction for the subsequent actions.
The amount of traffic flow that a node creates as theinitiator is concealed in the traffic that it forwards sincethe overall traffic that it receives is the same as thetraffic that it forwards. In addition to the balanced traffic, the message is encrypted with the private key thatonly the recipient can recover. While the intermediatenodes can only view the instruction of the messageallowed. The sender's message is indistinguishable byother nodes. The sender and the recipient are thushidden amongst the other nodes. It is infeasible forthe adversary to correlate messages using traffic analysis and timing analysis due to message encryption.Therefore, perfect obscure of its own messages can beassured. Detailed security analysis will be presentedlater on.
In the proposed protocol, a node's joining and leaving in the MANET is straightforward. When a nodewishes to join a MANET, it only needs a copy of thepublic keys of the nodes in the local MANET whereit would like to join. A node can leave the MANETwithout doing anything.
Remark 2. When the message is delivered to therecipient's local MANET, if the super node is closeenough to the recipient node, then the super node cansimply broadcast the message. In this case, the messageformat in equation (4) can be adjusted accordingly.
M(i,j)M(i + 1,j)
M(j - 1,j)
pki+1(Ni+I , mFi+1,rFi+1, ski+I)llski+1(M(i + 1,j))pki+2(Ni+2 , mFi+2 , rFi+2 , ski+2)llski+2 (M (i + 2,j))
(4)
4.3. Anonymous Communications betweenTwo Arbitrary Super Nodes
In the previous subsection, we present the mechanism that allows two arbitrary nodes to communicateanonymously within the same MANET. This includescommunications between two super nodes in the sameMANET. For any two arbitrary super nodes in differentMANETs to communicate anonymously, we will firstintroduce the concept of anonymous authentication, orsecret handshake by Balfanz et al. [28]. Anonymousauthentication allows two nodes in the same group toauthenticate each other secretly in the sense that eachparty reveals its group membership to the other partyonly if the other party is also a group member. Nonmembers are not able to recognize group members. Secret handshake has been applied in anonymous routingin mobile ad hoc networks [29].
The scheme consists of a set of super nodes,an administrator who creates groups and enrolls super nodes in groups. For this purpose, the administrator will assign each super node A a set of
·dA ·dA h . I epseudonyms I I,··· , IT' were T IS a arge s -curity parameter. In addition, the administrator alsocalculates a corresponding secret set {gsa h(idt) modp, ... , gsah(id~) mod p} for super node A, where Sais the group's secret and h is a hash function. Thepseudonyms will be dynamically selected and used tosubstitute the real IDs for each communications. Thismeans that two super nodes A and B can know eachother's group membership only if they belong to thesame group.
When the super node A wants to authenticate to thesuper node B, the following secret handshake can beconducted:
1) A ----+ B: Super node A randomly selects anunused pseudonym idt and a random nonce NI,then sends idt,NI to super node B.
2) B ----+ A: Super node B randomly selects an unused pseudonym idf and a random nonce N 2 , then sends idf,N 2 , Vo -
h(KBAllidtllidfIINIIIN2110) to super node A,where K B A = gsah(idt)·h(idf) mod p.
3) A ----+ B: Super node A sends VIh(KABllidtllidfIINIIIN2111) to super node B,
338
where KAB = gsah(idf)·h(idt) mod p.
Since KBA = KAB, A can verify Vo by checking
whether YO ~ h(KABllidtllidfIINIIIN2110). If the verification succeeds, then A knows that B is an authenticgroup peer. Similarly, B can verify A by checking
whether VI ~ h(KBAllidtllidfIINlIIN2111). If theverification succeeds, then B knows that A is also anauthentic group peer. However, in this authenticationprocess, neither super node A, nor super node B canget the real identity of the other node. In other words,the real identities of super node A and super node Bremain anonymous after the authentication process.
4.4. Anonymous Communication between TwoArbitrary Normal Nodes
As mentioned before, there should be no explicitexposure about the addresses of the message senderand recipient. To transmit a message, the sender firstrandomly selects a local super node and transmits themessage to the super node according to the mechanismdescribed before. On receiving the message, the localsuper node first determines the destination MANETID by checking the message recipient flag rF, eithero or 1. If it is 0, then the recipient and the supernode are in the same MANET. The message can beforwarded in the recipient node using the previouslydescribed mechanism. If rF is 1, then the recipient isin a different MANET, The super node forwards themessage to a super node in the destination MANETas described in the previous subsection. Finally, whenthe super node in the recipient's local MANET receivesthe message, the communication again becomes localMANET communications. The message can now betransmitted in the same way that the sender and therecipient are in the same MANET.
While providing message recipient anonymity, themessage can also be encrypted so that only the message recipient can decrypt the message. The proposedanonymous communication is quite general and canbe used in a variety of situations for communicationanonymity in MANET, including anonymous file sharing.
4.5. Security Analysis
In this subsection, we will analyze anonymity, impersonation attack and replay attack of the proposedanonymous communication protocol. However, dueto page limitation, we will only present our majorresults without providing proof here. The proof willbe provided in the full paper.
4.5.1. Anonymity. We will first prove that the proposed communication protocol can provide both message sender and the recipient anonymity in the localMANET communications.
Theorem 3. It is computationally infeasible for anadversary to identify the message sender and recipientin the local MANET. Therefore, the proposed anonymous communication protocol provides both senderand recipient anonymity in the local MANET.
For any two normal nodes in different MANETsto communicate anonymously, the communication canbe broken into three segments: the communication between the sender and a local super node in the messagesender's local MANET, the communication betweentwo super nodes in the corresponding MANETs, andthe communication between the recipient super nodeand the recipient. Theorem 3 has assured the communication anonymity between a super node and a normalnode in the local MANETs. Therefore, we only need toensure anonymity between two super nodes in differentMANETs in order to achieve full anonymity betweenthe sender and recipient.
We already described before that each super nodeis being assigned a large set of pseudonyms. A dynamically selected pseudonym will be used for eachcommunications. The pseudonyms do not carry theuser information implicitly. Therefore, the adversarycannot get any information of the super nodes fromthe network. This result can be summarized into thefollowing theorem.
Theorem 4. The proposed communication protocol can provide both message sender and recipientanonymity between any two super nodes.
Corollary 1. The proposed anonymous communicationprotocol can provide full anonymity for any sender andrecipient in the MANETs.
4.5.2. Impersonation Attacks. For an adversaryelected to perform impersonation attack to a normalnode, he needs to be able to conduct forgery attack.We already proved in Theorem 2 that this is infeasible.
339
Therefore, we only need to consider whether it isfeasible for an adversary to forger a super node.
For an adversary to impersonate as a super node,he needs to be able to authenticate himself witha super node A. This requires the adversary A tocompute gsOidA.idt mod p, where idA is the identityof the adversary and idt is the ith pseudonym of thesuper node A. However, since the adversary does notknow the master secret Se, he is unable to computegsoh(idA).h(idt) mod p and impersonate as a supernode. Therefore, we have the following theorem.
Theorem 5. It is computationally infeasible for a PPTadversary A to impersonate as a super node.
Like all other network communication protocols, inour proposed protocol, an adversary may choose todrop some of the messages. However, if the immediatepredecessor and the successor nodes are honest andwilling to cooperate, then the messages being dropped,and the substitution of the valid messages with thedummy messages can be effectively tracked using theprovided message flags.
An adversary that is elected as a super node mayrefuse to forward messages across the MANETs andthus block the anonymous communications betweenthe sender and the receiver. This attack can be hardto detect if the sender does not have the capabilityto monitor all network traffic. However, the sendercan randomly select the super nodes for each datatransmission. If the nonce is properly generated, whena packet is lost, the recipient should be able to know.
4.5.3. Message Replay Attacks. The message replayattack occurs when an adversary can intercept thecommunication packet, correlate the message to thecorresponding sender and recipient, and retransmit it.We have the following theorem.
Theorem 6. It is computationally infeasible for an adversary to successfully modify/reply an (honest) node'smessage.
5. Performance Analysis and SimulationResults
In this section, we will provide simulation resultsof our proposed protocol on energy consumption,communication delay and message delivery ratio. Forenergy consumption, we provide simulations for boththe normal nodes and the super nodes. For wirelesscommunications, due to collision and packet drop, itis very challenging to assure high messages deliveredratio. However, our simulation results demonstrate
0.8 -+- interval =60s
0.7 --e- interval = 90s-4.- interval = 120s
~ 0.6 -- interval =150s ,,,"" '''' "''' / 1:::lo~ 0.5
0. '1""='----'- - ----'-- - ---'--- - --'---- ---'
16 r--c------,--~--~-----,
-+- interval = 60s14 --e- interval =90s
-4.- interval =120s~ 12 -- interval =150s:::lo~ 10>.~ 8 f " : " " ' " ' '' '' '' ''~~='' '' ' '' '' '' '' : ' ' ' ' ' "":/'1cw 6,......."',' , " " " " " '~.;,;.;.E~.,.. " .~..........4
4
2L---'---- - -'---- - -'---- - '----- -----'8 10 12 14 16
Number of nodes in each MANET8 10 12 14 16
Number of nodes in each MANET
8 10 12 14 16Number of nodes in each MANET
,
-......; -..;'?"-"1""-... ~"" T -,
-"'-
"'\
\-+- interval =60s--e- interval =90s-4.- interval =120s-- interval =150s
(b) Energy consumption of super nodes1
0.98
0.995o~[l:
~ 0.99.:!:Qjo
0.985
8 10 12 14 16Number of nodes in each MANET
0.1 L---'---__"----_-----'__----'-__--'
0.1
(a) Energy consumption of normal nodes
0.24 -+- interval =60s
0.22 --e- interval = 90s-4.- interval =120s
~ 0.2 -- interval =150sco~ 0.18f/l
~ 0.16 f " " ' '' ' '' ' '' ':' '' ''I '' '' •.-s.~ ' '' " " " " , ,, ,, 1Qj00.14
(c) Communication delay (d) Message delivery ratio
Figure 1. Simulation results of the proposed secure routing scheme
that the proposed protocol can achieve high messagedelivery ratio .
Our simulation was performed using NS2 on Linuxsystem. In the simulation, the target area is a squarefield of size 2000 x 2000 meters . There are 64 ringslocated in this area. The number of the nodes on eachring, Le., the ring length, is set to be from 7 to 16 inour simulation. The message generation interval is setto be four different values: 60 seconds , 90 seconds,120 seconds and 150 seconds in our simulation forcomparison. The messages transmitted in the networkare 512 bytes long.
6. Conclusion
In this paper, we first propose a novel and efficientsource anonymous message authentication scheme(SAMAS) that can be applied to any messages . Whileensuring message sender privacy, SAMAS can alsoprovide message content authenticity. To provide provable communication privacy without suffering fromtransmission collusion problem, we then propose anovel privacy-preserving communication protocol forMANETs that can provide both message sender andrecipient privacy protection. Security analysis shows
that the proposed protocol is secure against various attacks . Our performance analysis and simulation resultsboth show that the proposed protocol is efficient andpractical. It can be applied for secure routing protectionand file sharing .
References
[1] D. Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms," Communications ofthe ACM, vol. 24, pp. 84-88, February 1981.
[2] D. Chaum, "The dinning cryptographer problem: Unconditional sender and recipient untraceability," Journalof Cryptology, vol. I, no. I, pp. 65-75, 1988.
[3] M. Reed, P. Syverson, and D. Goldschlag, "Anonymousconnections and onion routing," IEEE J. on SelectedAreas in Coomunications, vol. 16, no. 4, pp. 482-494,1998.
[4] L. von Ahn, A. Bortz, and N. Hopper, "k-anonymousmessage transmission," in Proceedings of CCS, (Washington D.C., USA.), pp. 122-130,2003.
[5] O. Berthold, H. Federrath , and S. Kopsell , "WebMIXes: A system for anonymous and unobservableInternet access," Lecture Notes in Computer Science,pp. 115-129, 2001.
340
[6] G. Danezis, R. Dingledine, and N. Mathewson,"Mixminion: design of a type III anonymous remailerprotocol," IEEE Symposium on Security and Privacy,pp. 2-15, 2003.
[7] C. Giilcii and G. Tsudik, "Mixing email with babel,"in Proceedings of the Symposium on Network andDistributed System Security, (San Diego, CA), 1996.
[8] U. Moller, L. Cottrell, P. Palfrader, and L. Sassaman,"Mixmaster protocol," July 2003. Version 2.
[9] M. Reiter and A. Rubin, "Crowds: anonymity for webtransaction," ACM Transactions on Information andSystem Security, vol. 1, no. 1, pp. 66-92, 1998.
[10] A. Beimel and S. Dolev, "Buses for anonymous message delivery," J. Cryptology, vol. 16, pp. 25-39, 2003.
[11] S. Goel, M. Robson, M. Polte, and E. Sirer, "Herbivore:A Scalable and Efficient Protocol for Anonymous Communication," Tech. Rep. 2003-1890, Cornell University,Ithaca, NY, February 2003.
[12] P. Golle and A. Juels, "Dining cryptographers revisited," in Advances in Cryptology - Eurocrypt 2004,LNCS 3027, pp. 456-473, 2004.
[13] A. Pfitzmann and M. Hansen, "Anonymity,unlinkability, unobservability, pseudonymity,and identity management a proposal forterminology." http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_vO.31.pdf, Feb. 15 2008.
[14] A. Pfitzmann and M. Waidner, "Networks without userobservability-design options.," in Advances in Cryptology - EUROCRYPT, Lecture Notes in ComputerScience Volume 219, pp. 245-253, 1985.
[15] M. Waidner, "Unconditional sender and recipient untraceability in spite of active attacks," in Advances inCryptology - EUROCRYPT, Lecture Notes in ComputerScience Volume 434, pp. 302-319, 1989.
[16] D. Pointcheval and J. Stem, "Security arguments fordigital signatures and blind signatures," Journal ofCryptology, vol. 13, no. 3, pp. 361-396, 2000.
[17] L. Ham and Y. Xu, "Design of generalized EIGamaltype digital signature schemes based on discret logarithm," Electronics Letters, vol. 30, no. 24, pp. 20252026, 1994.
[18] K. Nyberg and R. A. Rueppel, "Message recovery forsignature schemes based on the discrete logarithm problem," in Advances in Cryptology - EUROCRYPT, Lecture Notes in Computer Science Volume 950, pp. 182193, 1995.
[19] B. Moller, "Provably secure public-key encryption forlength-preserving chaumian mixes," in Proceedings ofCT-RSA 2003, LNCS 2612, pp. 244-262, April 2003.
341
[20] C. Shields and B. N. Levine, "A protocol for anonymous communication over the Internet," in Proceedingsof the 7th ACM Conference on Computer and Communication Security (D. Gritzalis, ed.), (Athens, Greece),ACM Press, 2000.
[21] P. Wang, P. Ning, and D. S. Reeves, "A k-anonymouscommunication protocol for overlay networks," in ASIACCS07, (Singapore), March 20-22, 2007.
[22] R. Rivest, A. Shamir, and Y. Tauman, "How to leaka secret," in Advances in Cryptology-ASIACRYPT,Lecture Notes in Computer Science, vol 2248/2001,Springer Berlin 1 Heidelberg, 2001.
[23] T. A. EIGamal, "A public-key cryptosystem and asignature scheme based on discrete logarithms," IEEETransactions on Information Theory, vol. 31, no. 4,pp. 469-472, 1985.
[24] S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen-messageattacks," SIAM J. Comput., vol. 17, pp. 281-308, April1988.
[25] D. Pointcheval and J. Stem, "Security proofs for signature schemes," in Advances in Cryptology - EUROCRYPT, Lecture Notes in Computer Science Volume1070, pp. 387-398, 1996.
[26] M. Bellare and P. Rogaway, "Random oracles arepractical: A paradigm for designing efficient protocols,"in CCS'93, pp. 62-73, 1993.
[27] F. P. 180-1, "Secure hash standard." http://itl.nist.gov/fipspubs/fipsI80-l.htm, Apr. 1995.
[28] D. Balfanz, G. Durfee, N. Shankar, D. Smetters,J. Staddon, and H. C. Wong, "Secure handshakes frompairing-based key agreements," in IEEE Symposium onSecurity & Privacy, (Oakland, CA), May 2003.
[29] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "MASK:Anonymous on-demand routing in mobile ad hoc networks," IEEE Transactions on Wireless Communications, vol. 5, pp. 2376-2385, September 2006.