Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE

Nov 21, 2013

Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006

Presenter: Hsin-Ruey Tsai


Introduction
Related work
Design goals and system models
IKM design
Performance evaluation


Introduction

MANET: Mobile ad hoc network
Infrastructureless, autonomous, stand-alone wireless networks.

Key management: serverless.

Two intuitive symmetric-key solutions:
1. Preload all the nodes with a global symmetric key.
2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.

Certificate-based cryptography (CBC)
Use public-key certificates to authenticate public keys by binding public keys to the owners' identities.
Preload each node with all the others' public-key certificates prior to network deployment.
Drawbacks: limited by network size; key update is not done in a secure, cost-effective way.

ID-based cryptography (IBC)
Eliminates the need for public key distribution and certificates.
Master key: all or some of the nodes are shareholders.
ID-based private keys: collaboratively issued by the shareholders.
Drawbacks:
1. Compromised nodes exceeding the threshold number,
2. Key update is a significant overhead,
3. How to select the secret sharing parameters,
4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.

ID-based key management (IKM)
A novel construction method of ID-based public/private keys.
Determining the secret-sharing parameters used with threshold cryptography.
Simulation studies of the advantages of IKM over CBC-based schemes.

Each node's public key and private key is composed of a node-specific, ID-based element and a network-wide common element.
Node-specific element: does not jeopardize noncompromised nodes' private keys.
Common element: efficient key updates via a single broadcast message.

IKM has performance equivalent to CBC-based schemes, denoted by CKM, while it behaves much better in key updates.
Identify pinpoint attacks against shareholders.



Related work

CBC and (t, n) threshold cryptography

N is the number of nodes; t <= n <= N.
N nodes: each holds the CA's public key.
CA's private key: divided into n shares, one per D-CA.
Certificate generation and revocation: require t D-CAs.
Tolerate the compromise of up to (t-1) D-CAs and the failure of up to (n-t) D-CAs.

Pairing technique

Let p, q be two large primes.
G1: a q-order subgroup of the additive group of points of E/F_p.
G2: a q-order subgroup of the multiplicative group of the finite field F*_(p^2).
e: G1 x G1 -> G2

Bilinear: for all P, Q, R, S in G1,
e(P+Q, R+S) = e(P, R) e(P, S) e(Q, R) e(Q, S).

Consequently, for all a, b in Z*_q,
e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^(ab).

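The "consequently" step above follows from the bilinear property alone. The derivation below is an added worked step, not part of the original slides; it uses the slides' symbols, with O denoting the identity element of G1 (an assumption about notation) and a, b read as positive integer representatives of Z*_q:

$$
\begin{aligned}
e(P,\,O) &= e(P,\,O+O) = e(P,O)\,e(P,O) \;\Rightarrow\; e(P,O) = 1, \\
e(P+Q,\,R) &= e(P+Q,\,R+O) = e(P,R)\,e(P,O)\,e(Q,R)\,e(Q,O) = e(P,R)\,e(Q,R), \\
e(aP,\,Q) &= e(\underbrace{P+\cdots+P}_{a\ \text{terms}},\,Q) = e(P,Q)^{a}, \qquad e(P,\,bQ) = e(P,Q)^{b}, \\
e(aP,\,bQ) &= e(P,\,bQ)^{a} = \bigl(e(P,Q)^{b}\bigr)^{a} = e(P,Q)^{ab}.
\end{aligned}
$$

The same chain read with the roles of the two arguments swapped gives e(aP, bQ) = e(aP, Q)^b, which is the other equality on the slide.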



Design goals

MANETs should satisfy the following requirements:
1. Each node is initially free of attack.
2. Compromise-tolerant.
3. Efficiently revoke and update keys of nodes.
4. Be efficient, because nodes are resource-constrained.

Network & Adversary Model

Network Model: a special-purpose, single-authority MANET consisting of N nodes.

Adversary Model:
1. Only a minority of members are compromised/disrupted.
2. Cannot break any of the cryptographic primitives.
3. Static adversaries.
4. Exhibit detectable misbehavior.

Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs
(n is the number of D-PKGs, t is the threshold number).





Network Initialization

PKG generates the pairing parameters (p, q, e) and selects a generator W of G1.
H1: hash function that maps binary strings to nonzero elements in G1.
K_P1, K_P2: belong to Z*_q and are the master secrets.
W_P1 = K_P1 W, W_P2 = K_P2 W
PKG preloads the parameters (p, q, e, H1, W, W_P1, W_P2) to each node, while K_P1, K_P2 should never be disclosed to any single node.

Secret Sharing

Enable key revocation and update.
PKG performs a (t, n)-threshold secret sharing of K_P2.
(t: threshold number of nodes; n: number of D-PKGs; N: number of nodes)
PKG distributes its functionality to n D-PKGs, which reach threshold t.
PKG preloads to each D-PKG t (verifiable) elements.
Lagrange interpolation, Lagrange coefficient: K_P2 can then be reconstructed by computing g(0) with at least t elements.

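The (t, n)-threshold sharing of K_P2, the "verifiable" elements preloaded to each D-PKG, and the Lagrange reconstruction of g(0), as an added example that is not code from the original slides or the paper. It uses constructed toy parameters (a prime Q for the share field, P = 2Q + 1, and a generator G of the order-Q subgroup of Z_P^*) in place of the pairing parameters and G1 scalar multiplications; the verification values are modelled as Feldman-style commitments to the coefficients of g, which is this example's assumption about what the "verifiable" elements are. The last two functions also cover the later revocation and key-update steps, where t D-PKGs each contribute a partial value and a leader combines them without the secret ever being reassembled.

```python
import random

# Constructed toy parameters for this example (not the paper's pairing parameters).
Q = 1019          # prime order of the share field Z_Q
P = 2 * Q + 1     # 2039, also prime
G = 4             # 2^2 is a quadratic residue mod P, hence has order Q in Z_P^*


def _eval_poly(coeffs, x):
    """g(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod Q."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q


def share_secret(secret, t, n, seed=0):
    """(t, n)-threshold sharing of `secret` (the role of K_P2) among D-PKGs with
    ids 1..n. Returns the shares (id, g(id)) and public commitments G^{a_k} to the
    t coefficients of g, so each D-PKG can verify its share before accepting it."""
    assert 1 <= t <= n < Q
    rng = random.Random(seed)   # deterministic only so the example is reproducible
    coeffs = [secret % Q] + [rng.randrange(1, Q) for _ in range(t - 1)]  # g(0) = secret
    shares = [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(share, commitments):
    """D-PKG i checks G^{s_i} == prod_k (G^{a_k})^{i^k} mod P, i.e. that s_i = g(i)."""
    i, s = share
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, k, Q), P) % P
    return pow(G, s, P) == expected


def lagrange_coefficient(i, ids):
    """Lagrange coefficient l_i(0) = prod_{j != i} j / (j - i) mod Q over the id set."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(shares):
    """g(0) by Lagrange interpolation from any t or more shares."""
    ids = [i for i, _ in shares]
    return sum(s * lagrange_coefficient(i, ids) for i, s in shares) % Q


def partial_contribution(share, ids, x):
    """Threshold use without reconstruction: D-PKG i returns l_i(0) * s_i * x, the
    integer analogue of a partial revocation or partial key element (the paper
    multiplies a G1 point by the same scalar instead of the integer x)."""
    i, s = share
    return (i, lagrange_coefficient(i, ids) * s % Q * x % Q)


def combine_partials(partials):
    """The leader sums the t partials; the result equals secret * x mod Q although
    no party, the leader included, ever holds the secret itself."""
    return sum(v for _, v in partials) % Q


if __name__ == "__main__":
    shares, commits = share_secret(777, t=3, n=5, seed=7)
    print(all(verify_share(s, commits) for s in shares))          # True
    print(reconstruct(shares[:3]), reconstruct(shares[2:]))       # 777 777
    bad = (shares[0][0], (shares[0][1] + 1) % Q)                  # a tampered share
    print(verify_share(bad, commits))                             # False
    ids = [2, 3, 5]
    partials = [partial_contribution(shares[i - 1], ids, 123) for i in ids]
    print(combine_partials(partials) == 777 * 123 % Q)            # True
```

Any t of the n shares give the same g(0), a wrongly computed partial from a compromised D-PKG is caught by the commitment check before it is combined, and a tampered share that slips through changes the reconstructed value by a nonzero multiple of its Lagrange coefficient, which is the kind of inconsistency the revocation leader looks for.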
Generation of ID-Based Public/Private Keys

Keys have a node-specific element and a phase-specific element.
Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by p_i for 1 <= i < M, where M is the maximum possible phase index.
p_i is associated with a unique binary string, called a phase salt, salt_i.
Phase-specific (common) element: varies across key-update phases.
Node-specific element: remains unchanged and is kept confidential to A itself.

Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master secrets K_P1 and K_P2 from an arbitrary number of public/private key pairs.
Compromised nodes cannot deduce the private key of any noncompromised node.

Key Revocation

Misbehavior Notification
B accuses A (timestamp; shared key with V; communication overhead; resilient).

Revocation Generation
If the accusations against A exceed the threshold, the D-PKG that accumulated them sends the accumulated accusations to the other D-PKGs.
Diagnosis is the joint effort of t D-PKGs: the t D-PKGs with the smallest IDs, the smallest-ID one acting as revocation leader.
Each of these D-PKGs verifies the accusations, generates a partial revocation, and sends it to the revocation leader.
The revocation leader combines the partial revocations into the complete revocation.

Partial revocations, complete revocation, revocation leader
Denote the t D-PKGs participating in revocation generation.
It is possible that one or several members of this set are unrevoked compromised nodes which might send wrongly computed partial revocations.
The revocation leader checks the partial revocations; if they are not equivalent, it checks each node's partial revocation.
The complete revocation is flooded to each node.

If the D-PKGs do not receive a correct revocation against A within a certain time, the revocation leader itself is a compromised node; the D-PKG with the second lowest ID succeeds it as the revocation leader.
As long as there is at least one noncompromised D-PKG among the participants and there are at least t noncompromised D-PKGs available, a valid accusation against node A can always be generated.

Key Update

Public key:
Private key:

Node-specific element: B just performs two hash operations.
Common element: needs the collective efforts of t D-PKGs.
Z randomly selects (t-1) other nonrevoked D-PKGs and sends them a request; these t D-PKGs, including Z itself, each generate a partial common private-key element, which Z checks.

To propagate the common element securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme.
The set of nodes revoked until phase p_i.
Z broadcasts the key-update message.
The maximum number of compromised nodes.
PKG picks M distinct polynomials of the given degree, and M further distinct polynomials of the given degree.
A point on E/F_p: its x-coordinate can be uniquely determined from its y-coordinate.

Key-Update Parameters
Revoked node

IKM design

Choosing Secret-Sharing Parameters t, n

All adversaries can do is attempt to compromise or disrupt randomly picked nodes with the expectation that those nodes happen to be the D-PKGs.
They compromise and disrupt up to N_c >= t and N_d >= n-t+1 nodes.
Pr_c and Pr_d: the probabilities that at least t out of the N_c compromised nodes and at least (n-t+1) out of the N_d disrupted nodes happen to be D-PKGs.

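Computing Pr_c and Pr_d for given N, n, t, N_c, N_d, and using them to pick (t, n), as an added example that is not code from the original slides or the paper. The modelling assumption, taken from the slide's "randomly picked nodes", is that the adversary cannot distinguish D-PKGs from ordinary nodes, so the number of D-PKGs among N_c compromised (or N_d disrupted) nodes is hypergeometric; the example goes beyond the slide by searching all (t, n) pairs that keep both probabilities under a chosen bound.

```python
from math import comb


def prob_at_least(N, n, k, m):
    """Probability that at least k of m nodes picked uniformly at random without
    replacement from N nodes fall among the n D-PKGs (hypergeometric tail).
    Assumption of this example: the adversary's picks are uniform."""
    if k <= 0:
        return 1.0
    if k > min(n, m):
        return 0.0
    total = comb(N, m)
    hits = sum(comb(n, i) * comb(N - n, m - i) for i in range(k, min(n, m) + 1))
    return hits / total


def pr_c(N, n, t, Nc):
    """Pr_c: at least t of the Nc compromised nodes are D-PKGs, so K_P2 is recoverable."""
    return prob_at_least(N, n, t, Nc)


def pr_d(N, n, t, Nd):
    """Pr_d: at least n-t+1 of the Nd disrupted nodes are D-PKGs, so fewer than t remain."""
    return prob_at_least(N, n, n - t + 1, Nd)


def feasible_parameters(N, Nc, Nd, max_prob):
    """All (t, n) with 1 <= t <= n <= N for which both Pr_c and Pr_d stay at or below max_prob."""
    return [(t, n)
            for n in range(1, N + 1)
            for t in range(1, n + 1)
            if pr_c(N, n, t, Nc) <= max_prob and pr_d(N, n, t, Nd) <= max_prob]


def best_parameters(N, Nc, Nd, max_prob):
    """Among feasible pairs prefer the fewest D-PKGs (smallest n), then the smallest
    threshold t (cheapest revocation and key update). None if nothing fits."""
    feasible = feasible_parameters(N, Nc, Nd, max_prob)
    return min(feasible, key=lambda p: (p[1], p[0])) if feasible else None


if __name__ == "__main__":
    # Constructed sample network: N = 10 nodes, adversary able to compromise 3 and disrupt 3.
    print(round(pr_c(10, 4, 2, 3), 4), round(pr_d(10, 4, 4, 1), 4))   # 0.3333 0.4
    print(best_parameters(10, 3, 3, 0.05))                             # (4, 7)
```

With N_c = N_d = 3 and a 5% bound the search lands on t = 4, n = 7: the only way to get both probabilities that low in such a small network is to make t larger than N_c and n - t + 1 larger than N_d, so both events become impossible. In larger networks the same search shows the trade-off the slide alludes to: raising n makes Pr_c grow (more D-PKGs to hit) while raising t makes Pr_d grow (fewer losses tolerated), so t and n must be chosen together against the assumed N_c and N_d.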



Performance evaluation

CKM vs IKM

GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4GHz processor and 1 GB memory.

Performance evaluation