
Securing Mobile Ad Hoc Networks with Certificateless Public Keys

Securing Mobile Ad Hoc Networks with Certificateless Public Keys. Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE. Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006


Presentation Transcript


  1. Securing Mobile Ad Hoc Networks with Certificateless Public Keys. Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE. Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006. Presenter: Hsin-Ruey, Tsai

  2. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  3. Introduction • MANET: mobile ad hoc network. Infrastructureless, autonomous, stand-alone wireless networks. • Key management: serverless. Two intuitive symmetric-key solutions: 1. Preload all the nodes with a global symmetric key. 2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.

  4. Certificate-based cryptography (CBC) • Uses public-key certificates to authenticate public keys by binding public keys to the owners' identities. • Preload each node with all the others' public-key certificates prior to network deployment. • Drawbacks: network size; key update is not done in a secure, cost-effective way.

  5. ID-based cryptography (IBC) • Eliminates the need for public key distribution and certificates. • Master key: all/some nodes are shareholders, which collaboratively issue ID-based private keys. • Drawbacks: 1. More compromised nodes than the threshold number. 2. Key update is a significant overhead. 3. How to select the secret-sharing parameters. 4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.

  6. ID-based key management (IKM) • A novel construction method of ID-based public/private keys. • Determining secret-sharing parameters used with threshold cryptography. • Simulation studies of advantages of IKM over CBC-based schemes. • Each node's public key and private key is composed of a node-specific, ID-based element and a network-wide common element. • Node-specific element → does not jeopardize noncompromised nodes' private keys. • Common element → efficient key updates via a single broadcast message. • Identify pinpoint attacks against shareholders. • IKM has performance equivalent to CBC-based schemes, denoted by CKM, while it behaves much better in key updates.

  7. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  8. Related work • CBC and (t, n) threshold cryptography • N is the number of nodes. t<=n > N • (Diagram labels: CA's private key; CA's public key; divided into n shares; D-CA; N nodes; t D-CAs; certificate generation and revocation) • Tolerates the compromise of up to (t-1) D-CAs and the failure of up to (n-t) D-CAs.

  9. Pairing Technique • p, q: two large primes • G1: a q-order subgroup of the additive group of points of E/Fp • G2: a q-order subgroup of the multiplicative group of the finite field F*p^2 • e : G1 × G1 → G2 • Bilinear: for all P, Q, R, S belonging to G1, e(P+Q, R+S) = e(P, R) e(P, S) e(Q, R) e(Q, S). Consequently, for all a, b belonging to Z*q, e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^ab.

  10. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  11. Design goals • MANETs should satisfy the following requirements: 1. Each node is initially free from attack. 2. Compromise-tolerant. 3. Efficiently revoke and update keys of nodes. 4. Be efficient, because nodes are resource-constrained.

  12. Network & Adversary Model • Network Model: special-purpose, single-authority MANET consisting of N nodes. • Adversary Model: 1. Only a minority of members are compromised/disrupted. 2. Can't break any of the cryptographic primitives. 3. Static adversaries. 4. Exhibit detectable misbehavior. • Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is the number of D-PKGs, t is the threshold number).

  13. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  14. Network Initialization • PKG generates the pairing parameters (p, q, e) and selects a generator W of G1. • H1: hash function that maps binary strings to nonzero elements in G1. • Kp1, Kp2: belong to Z*q and are the master-secrets. Wp1 = Kp1W, Wp2 = Kp2W. • PKG preloads parameters (p, q, e, H1, W, Wp1, Wp2) to each node, while Kp1, Kp2 should never be disclosed to any single node.

  15. Secret Sharing • Enables key revocation and update. • PKG performs a (t, n)-threshold secret sharing of Kp2 (t: threshold number; n: D-PKGs; N: nodes). • PKG distributes functionality to n D-PKGs. • (Diagram labels: Lagrange interpolation; reach threshold t; t elements; Lagrange coefficient; n D-PKGs) • PKG preloads to D-PKG: • Kp2 can then be reconstructed by computing g(0) with at least t elements. (verifiable)
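The (t, n)-threshold sharing of Kp2 and its reconstruction as g(0) by Lagrange interpolation can be sketched as follows. This is an added example, not code from the paper or the presentation; it works with plain integers modulo a constructed prime `Q` that stands in for the group order q, and the names `split`, `lagrange_at_zero` and `reconstruct` and the D-PKG ids are assumptions made for illustration.

```python
import secrets

Q = 2**127 - 1  # constructed prime standing in for the group order q (assumption)

def split(secret, t, ids, q=Q):
    """(t, n)-share `secret`: returns {D-PKG id: g(id)} with g(0) = secret, deg g = t-1."""
    xs = [i % q for i in ids]
    if not 1 <= t <= len(xs) or 0 in xs or len(set(xs)) != len(xs):
        raise ValueError("need 1 <= t <= n and distinct, nonzero ids mod q")
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t - 2)]
    if t > 1:
        coeffs.append(1 + secrets.randbelow(q - 1))  # nonzero top coefficient
    def g(x):  # Horner evaluation of the sharing polynomial mod q
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % q
        return acc
    return {i: g(i) for i in ids}

def lagrange_at_zero(i, ids, q=Q):
    """Lagrange coefficient of share i for evaluating the interpolant at x = 0."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q

def reconstruct(shares, q=Q):
    """Interpolate g(0) from {id: share}; equals the secret when >= t shares are given."""
    ids = list(shares)
    return sum(lagrange_at_zero(i, ids, q) * s for i, s in shares.items()) % q

if __name__ == "__main__":
    kp2 = secrets.randbelow(Q)                          # constructed master-secret
    shares = split(kp2, t=3, ids=[11, 22, 33, 44, 55])  # n = 5 constructed D-PKG ids
    three = {i: shares[i] for i in (22, 44, 55)}
    two = {i: shares[i] for i in (22, 44)}
    print("3 shares recover Kp2:", reconstruct(three) == kp2)  # True
    print("2 shares recover Kp2:", reconstruct(two) == kp2)    # False
```

Because the top coefficient of g is forced to be nonzero, interpolating from exactly t-1 shares always yields a value different from Kp2.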

  16. Generation of ID-Based Public/Private Keys • Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by pi for 1 ≤ i < M, where M is the maximum possible phase index. • pi is associated with a unique binary string, called a phase salt, salti. • Node-specific element: remains unchanged and is kept confidential to A itself. • Phase-specific element: varies across key-update phases. • Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master-secrets Kp1 and Kp2 from an arbitrary number of public/private key pairs. • Cannot deduce the private key of any noncompromised node.

  17. Key Revocation • Misbehavior Notification • (Diagram labels: B accuses A; shared key with V; timestamp; communication overhead; resilient)

  18. Key Revocation • Revocation Generation • (Diagram labels: if over threshold, diagnose; joint efforts of t D-PKGs; t D-PKGs in with smallest IDs (leader); all the D-PKGs in; revocation leader sends the accumulated accusations; D-PKGs respond after verifying the accusation; generates partial revocation; sends to revocation leader; accumulated; complete revocation)

  19. Key Revocation • (Diagram labels: revocation leader; partial revocations; complete revocation) • denote the t D-PKGs participating in revocation generation. • It is possible that one or several members of A are unrevoked compromised nodes which might send wrongly computed partial revocations. • (Diagram labels: check; revocation leader floods to each node; if not equivalent, check each node)

  20. Key Revocation • If D-PKGs in do not receive a correct revocation against A in a certain time → the revocation leader itself is a compromised node; the D-PKG with the second lowest ID succeeds as the revocation leader. • As long as there is at least one noncompromised D-PKG in and there are at least t noncompromised D-PKGs in , a valid accusation against node A can always be generated.

  21. Key Update • Public key: (B just performs two hash operations) • Private key: needs the collective efforts of t D-PKGs in • (Diagram labels: randomly selects (t-1) other nonrevoked D-PKGs; these t D-PKGs including Z itself; A sends request; generate a partial common private-key element; check)

  22. Key Update • To propagate securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme. • Key-Update Parameters: set of nodes revoked until phase pi; maximum number of compromised nodes. • PKG picks M distinct degree polynomials, denoted by and M distinct degree polynomials. • is a point on E/Fp; its x-coordinate can be uniquely determined from its y-coordinate. • (Diagram labels: Z broadcasts; revoked node)

  23. IKM design • Choosing Secret-Sharing Parameters t, n • All the adversaries can do is attempt to compromise or disrupt randomly picked nodes with the expectation that those nodes happen to be the D-PKGs. • Compromise and disrupt up to Nc >= t and Nd >= n-t+1 nodes. • Prc and Prd are the probabilities that at least t out of Nc compromised nodes and (n-t+1) out of Nd disrupted nodes happen to be D-PKGs.
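Prc and Prd from slide 23 can be evaluated for candidate values of t as below. This is an added example, not code or formulas from the presentation: it assumes the adversary picks nodes uniformly at random without replacement and cannot tell D-PKGs from ordinary nodes, which gives hypergeometric tail probabilities, and the "smallest max(Prc, Prd)" rule in `balanced_threshold` is an illustrative selection criterion rather than the paper's.

```python
from fractions import Fraction
from math import comb

def prob_at_least(N, n, picked, need):
    """P[at least `need` of `picked` uniformly chosen nodes are among the n D-PKGs]."""
    if not (0 < n <= N and 0 <= picked <= N):
        raise ValueError("require 0 < n <= N and 0 <= picked <= N")
    # Hypergeometric tail: i D-PKGs and (picked - i) ordinary nodes among the picks.
    hits = sum(comb(n, i) * comb(N - n, picked - i)
               for i in range(max(need, 0), min(n, picked) + 1))
    return Fraction(hits, comb(N, picked))

def pr_c(N, n, t, Nc):
    """Probability that at least t of the Nc compromised nodes are D-PKGs."""
    return prob_at_least(N, n, Nc, t)

def pr_d(N, n, t, Nd):
    """Probability that at least n-t+1 of the Nd disrupted nodes are D-PKGs."""
    return prob_at_least(N, n, Nd, n - t + 1)

def sweep(N, n, Nc, Nd):
    """(t, Prc, Prd) for every threshold 1 <= t <= n."""
    return [(t, pr_c(N, n, t, Nc), pr_d(N, n, t, Nd)) for t in range(1, n + 1)]

def balanced_threshold(N, n, Nc, Nd):
    """Row of the sweep whose worse of the two probabilities is smallest (assumed rule)."""
    return min(sweep(N, n, Nc, Nd), key=lambda row: max(row[1], row[2]))

if __name__ == "__main__":
    # Constructed scenario: 100 nodes, 10 D-PKGs, 20 compromised, 30 disrupted.
    for t, c, d in sweep(100, 10, 20, 30):
        print(f"t={t:2d}  Prc={float(c):.3e}  Prd={float(d):.3e}")
    print("balanced t:", balanced_threshold(100, 10, 20, 30)[0])
```

Raising t lowers Prc and raises Prd, so the sweep makes the trade-off between resistance to compromise and resistance to disruption visible for a given N and n.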

  24. Introduction • Related work • Design goals and system models • IKM design • Performance evaluation

  25. Performance evaluation • CKM vs IKM • GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4GHz processor and 1 GB memory

  26. Performance evaluation
