1 / 26

Securing Mobile Ad Hoc Networks with Certificateless Public Keys

Securing Mobile Ad Hoc Networks with Certificateless Public Keys. Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou,Member , IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006

ronni
Download Presentation

Securing Mobile Ad Hoc Networks with Certificateless Public Keys

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing Mobile Ad Hoc Networks withCertificateless Public Keys Authors: Yanchao Zhang, Member, IEEE, Wei Liu, WenjingLou,Member, IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006 Presenter:Hsin-Ruey, Tsai

  2. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  3. Introduction • MANET: Mobile ad hoc network Infrastructureless, autonomous, stand-alone wireless networks. • Key management: Serverless Two intuitive symmetric-key solutions: 1. Preload all the nodes with a global symmetric key. 2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.

  4. Certificate-based cryptography(CBC) • Use public-key certificates to authenticate public keys by binding public keys to the owners’ identities. • Preload each node with all the others’ public-key certificates prior to network deployment. • Drawbacks: network size, key update is not in a secure, cost-effective way.

  5. ID-based cryptography(IBC) • Eliminate the need for public key distribution and certificates. ID-based private keys collaboratively issues Master-key Drawbacks: 1. Compromised nodes more than threshold number, 2. Key update is a significant overheads, 3.How to select the secret sharing parameters, 4.No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones. All/some are shareholders

  6. ID-based key management (IKM) • A novel construction method of ID-based public/ private keys. • Determining secret-sharing parameters used with threshold cryptography. • Simulation studies of advantages of IKM over CBC-based schemes. Each node’s public key and private key is composed of a node-specific, ID-based element and a network-wide common element. Node-specific  not jeopardize noncompromised nodes’ private keys Common element  efficient key updates via a single broadcast message Identify pinpoint attacks against shareholders. IKM has performance equivalent to CBC-based schemes, denoted by CKM while it behaves much better in key updates.

  7. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  8. Related work • CBC and (t, n) threshold cryptography N is number of nodes. t<=n > N CA’s private key CA’s public key Divided into n shares D-CA N nodes t D-CAs Certificate generation and revocation Tolerate the compromise of up to (t-1) D-CAs The failure of up to (n-t) D-CAs

  9. Pairing Technique • p, q be two large primes • G1 a q-order subgroup of the additive group of point of E/Fp • G2 a q-order subgroup of the multiplicative group of the finite field F*p^2 • e : G1 *G1 → G2 • Bilinear: For all P, Q, R, S belong to G1, Consequently, for all a, b belong to Z*q e(aP, bQ)=e(aP, Q)^b= e(P, bQ)^a=e(P, Q)^ab e(P+Q, R+S)= e(P, S) e(P, R) e(Q, R) e(Q, S)

  10. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  11. Design goals • MANETs should satisfy the following requirements: 1. Each node is without attack originally. 2. Compromise-tolerant. 3. Efficiently revoke and update keys of nodes. 4. Be efficient because of resource-constrained.

  12. Network & Adversary Model • Network Model: special-purpose, single-authority MANET consisting of N nodes . • Adversary Model: 1. Only minor members are compromised/disrupted. 2. Can’t break any of the cryptographic primitives. 3. Static adversaries. 4. Exhibit detectable misbehavior. • Assumption that adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is number of D-PKG, t is the threshold number)

  13. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  14. Network Initialization • PKG generates the paring parameters (p, q, e) and selects an generator W of G1. • H1: hash function maps binary strings to nonzero elements in G1. • Kp1,Kp2: belong to Z*q and are master-secretes. Wp1=Kp1W, Wp2=Kp2W PKG preloads parameters (p, q, e, H1, W, Wp1, Wp2) to each node while Kp1,Kp2 should never be disclosed to any single node.

  15. Secret Sharing • Enable key revocation and update. • PKG performs a (t, n)-threshold secret sharing of Kp2. (t nodes number of threshold) (n D-PKGs ) (N nodes) PKG distributes functionality to n D-PKGs Lagrange interpolation reach threshold t t elements Lagrange coefficient n D-PKGs PKG preloads to D-PKG: KP2 can then be reconstructed by computing g(0) with at least t elements. (verifiable)

  16. Generation of ID-Based Public/Private Keys pi is associated with a unique binary string, called a phase salt, salti Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by pi for 1 i < M, where M is the maximum possible phase index. node-specific phase-specific Remain unchanged and be kept confidential to A itself Vary across key-update phases Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network mastersecrets KP1 and KP2 from an arbitrary number of public/private key pairs Cannot deduce the private key of any noncompromised node.

  17. Key Revocation • Misbehavior Notification B accuses A shared key with V timestamp communication overhead resilient

  18. Key Revocation • Revocation Generation If over threshold diagnose joint efforts of t D-PKGs t D-PKGs in with smallest IDs (leader) all the D-PKGs in generates generates partial revocation partial revocation sends sends revocation leader sends the accumulated accusations revocation leader accumulated D-PKGs response after verify accusation Complete revocation

  19. Key Revocation Revocation leader Partial revocations Complete revocation denote the t D-PKGs participating in revocation generation It is possible that one or several members of A are unrevoked compromised nodes which might send wrongly computed partial revocations. check Revocation leader Floods to each node If not equivalent Check each node

  20. Key Revocation If D-PKGs in do not receive a correct revocation against A in a certain time revocation leader itself is a compromised node As long as there is at least one noncompromised D-PKG in and there are at least t noncompromised D-PKGs in , a valid accusation against node A can always be generated. second lowest ID succeeds as the revocation leader

  21. Key Update • Public key: • Private key: (B just performs two hash operations) needs the collective efforts of t D-PKGs in randomly selects (t-1) other nonrevoked D-PKGs these t D-PKGs including Z itself A send request generate a partial common private-key element check

  22. Key Update • To propagate securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme Key-Update Parameters : set of nodes revoked until phase pi maximum number of compromised nodes Z broadcasts PKG picks M distinct degree polynomials, denoted by and M distinct degree polynomials is a point on E=Fp, its x-coordinate can be uniquely determined from its y-coordinate. Revoked node

  23. IKM design • Choosing Secret-Sharing Parametert, n They can only do is to attempt to compromise or disrupt randomly picked nodes with the expectation that those nodes happen to be the D-PKGs. Compromise and disrupt up to Nc >=t and Nd>=n-t+1 nodes Prc and Prd as the probabilities that at least t out of Nc compromised nodes and (n-t+1)out of Nd disrupted nodes happen to be D-PKGs

  24. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  25. Performance evaluation • CKM vs IKM • GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4GHz processor and 1 GB memory

  26. Performance evaluation

More Related