A Judgment Mechanism for Key Revocation

1. A Judgment Mechanism for Key Revocation • Abstract • In this paper we present a new key-revocation scheme for ad hoc network environments with the following characteristics: • Distributed: Our scheme does not require a permanently available central authority. • Active: Our scheme incentivizes rational (selfish but honest) nodes to revoke malicious nodes. • Robust: Our scheme is resilient against large numbers of colluding malicious nodes (30% of the network for a detection error rate of 15%). • Detection error tolerant: Revocation decisions fundamentally rely on intrusion detection systems (IDS). Our scheme is active for any meaningful IDS (IDS error rate < 0.5) and robust for an IDS error rate of up to 29%. • Several schemes in the literature have 2 of the above 4 characteris-tics (characteristic 4 is typically not explored). This work is the first to possess all four, making our revocation scheme well-suited for environments such as ad hoc networks, which are very dynamic, have significant bandwidth-constraints, and where many nodes must operate under the continual threat of compromise. Steffen Reidt, s.reidt@rhul.ac.uk Mudhakar Srivatsa, msrivats@us.ibm.com Shane Balfe, s.balfe@rhul.ac.uk • Motivation and Overview • One of the most widely cited methods for achieving revocation in MANETs has been the use of quorum-based decision making using k-out-of-n threshold signatures. Setting this threshold parameter high, whilst intuitively an astute security decision, may inadvertently result in a malicious node never being revoked. Setting it too low may result in a malicious adversary compromising a relatively small fraction of the total number of nodes and gaining control of the network by being able to revoke at will. • To avoid the shortcomings of quorum-based revocation, the concept of node suicide was recently introduced by Clulow et al. Unfortunately, for the type of heterogeneous, coalition networks envisaged in future military or emergency response scenarios, it may be unreasonable to assume that each node will value the network’s utility more than its own. • To overcome the barrier of selfishness in suicide-based revocation schemes, we propose our scheme that is motivated by a macabre real-life observation: a belief in “afterlife” can be an incentive to sacrifice oneself if there is a sufficient promise of reward. Part 1: The Judgment Mechanism To incentivize nodes to commit suicide, a periodically available Trust Authority (TA) rewards a node for a justified suicide by reincarnating (reactivating) and thus rewarding the node for its actions. To support this function, we develop a judgment mechanism that can be used by our TA to enable it to make probabilisticly correct decisions by posthumously interrogating neighborhood nodes who witnessed (the events leading to) the suicide. We show that our judgment system is secure (cannot be abused by an adversary) for node-level IDS error rates of 10,15,20,25%, if the ratio of malicious to honest nodes is at most 38,31,22,11%, respectively (see figure).Our analysis shows how both smaller IDS errors and a greater network density yield an accelerated revocation process, resulting in a more resilient and reliable network free from undesirable nodes. Part 2: The Revocation Game We analyze, whether our incentive for honest nodes to revoke is sufficient , and if so, how quickly honest nodes will revoke malicious nodes. We take a game-theoretic approach (using a descending price auction) and show that our scheme provides rational (honest but selfish) nodes with incentive to suicide. The figures show for an IDS with asymptotic accuracy (left) the risk acceptance (middle) and the probability that the malicious node gets revoked (right). N = number of honest nodes in the neighborhood of a malicious node.