Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE
Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006
Presenter: Hsin-Ruey, Tsai
Introduction
Related work
Design goals and system models
IKM design
Performance evaluation
Introduction
MANET: Mobile ad hoc network
Infrastructureless, autonomous, stand-alone wireless networks.
Key management: Serverless
Two intuitive symmetric-key solutions:
1. Preload all the nodes with a global symmetric key.
2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.
Use public-key certificates to authenticate public keys by binding public keys to the owners’ identities.
Preload each node with all the others’ public-key certificates prior to network deployment.
Certificate-based cryptography (CBC)
Drawbacks: network size; key update is not done in a secure, cost-effective way.
ID-based cryptography (IBC)
Eliminate the need for public key distribution and certificates.
Master key: all/some nodes are shareholders
ID-based private keys: issued collaboratively
Drawbacks:
1. Compromised nodes more than threshold number,
2. Key update incurs significant overhead,
3. How to select the secret-sharing parameters,
4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.
ID-based key management (IKM)
A novel construction method of ID-based public/private keys.
Determining secret-sharing parameters used with threshold cryptography.
Simulation studies of advantages of IKM over CBC-based schemes.
Node-specific element: does not jeopardize noncompromised nodes’ private keys
Common element: efficient key updates via a single broadcast message
Each node’s public key and private key is composed of a node-specific, ID-based element and a network-wide common element.
IKM has performance equivalent to CBC-based schemes, denoted by CKM, while it behaves much better in key updates.
Identify pinpoint attacks against shareholders.
Related work
CBC and (t, n) threshold cryptography
N is the number of nodes, t <= n < N
N nodes: CA’s public key
CA’s private key: divided into n shares (D-CAs)
Certificate generation and revocation: t D-CAs
Tolerate the compromise of up to (t-1) D-CAs
The failure of up to (n-t) D-CAs
Pairing Technique
p, q: two large primes
G_1: a q-order subgroup of the additive group of points of E/F_p
G_2: a q-order subgroup of the multiplicative group of the finite field F*_(p^2)
e: G_1 × G_1 → G_2
Bilinear: for all P, Q, R, S in G_1,
e(P+Q, R+S) = e(P, R) e(P, S) e(Q, R) e(Q, S)
Consequently, for all a, b in Z*_q,
e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^(ab)
Design goals
MANETs should satisfy the following requirements:
1. Each node is without attack originally.
2. Compromise-tolerant.
3. Efficiently revoke and update keys of nodes.
4. Be efficient because nodes are resource-constrained.
Network & Adversary Model
Network Model: special-purpose, single-authority MANET consisting of N nodes.
Adversary Model:
1. Only a minority of members are compromised/disrupted.
2. Can’t break any of the cryptographic primitives.
3. Static adversaries.
4. Exhibit detectable misbehavior.
Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs
(n is the number of D-PKGs, t is the threshold number)
Network Initialization
PKG generates the pairing parameters (p, q, e) and selects a generator W of G_1.
H_1: hash function that maps binary strings to nonzero elements in G_1.
K_P1, K_P2: belong to Z*_q and are master secrets.
W_P1 = K_P1 W, W_P2 = K_P2 W
PKG preloads parameters (p, q, e, H_1, W, W_P1, W_P2) to each node, while K_P1, K_P2 should never be disclosed to any single node.
Secret Sharing
Enable key revocation and update.
PKG performs a (t, n)-threshold secret sharing of K_P2.
(t: threshold number of nodes) (n: D-PKGs) (N: nodes)
PKG distributes functionality to n D-PKGs
reach threshold t
PKG preloads to D-PKG:
(verifiable)
t elements
Lagrange interpolation
Lagrange coefficient
K_P2 can then be reconstructed by computing g(0) with at least t elements.
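
The (t, n) sharing and the g(0) reconstruction described above, as an added Python example that is not from the paper or the slides. The prime Q, the share x-coordinates 1..n and the function names are assumptions of this sketch; in combine_partials, integers mod Q stand in for elements of G_1.

```python
import secrets

Q = 2**127 - 1  # constructed prime standing in for the group order q

def make_shares(secret, t, n, q=Q, coeffs=None):
    """PKG side: evaluate g(x) = secret + c1*x + ... + c_(t-1)*x^(t-1) mod q
    at x = 1..n (using the D-PKG index as x is an assumption of this sketch)."""
    if not 1 <= t <= n < q:
        raise ValueError("need 1 <= t <= n < q")
    if coeffs is None:
        coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("a degree t-1 polynomial needs t-1 random coefficients")
    poly = [secret % q, *coeffs]

    def g(x):  # Horner evaluation mod q
        acc = 0
        for c in reversed(poly):
            acc = (acc * x + c) % q
        return acc

    return {x: g(x) for x in range(1, n + 1)}

def lagrange_at_zero(x_i, xs, q=Q):
    """Lagrange coefficient of the share at x_i for evaluating g at 0."""
    num = den = 1
    for x_j in xs:
        if x_j != x_i:
            num = num * (-x_j) % q
            den = den * (x_i - x_j) % q
    return num * pow(den, -1, q) % q

def reconstruct(shares, q=Q):
    """Interpolate g(0) from {x: g(x)}; equals the secret only with >= t shares."""
    xs = list(shares)
    return sum(y * lagrange_at_zero(x, xs, q) for x, y in shares.items()) % q

def combine_partials(shares, h, q=Q):
    """Each holder contributes share*h; the weighted sum is g(0)*h, so the
    secret itself is never reassembled (integers mod q stand in for G_1)."""
    xs = list(shares)
    return sum(y * h % q * lagrange_at_zero(x, xs, q)
               for x, y in shares.items()) % q

if __name__ == "__main__":
    s = make_shares(1234, t=3, n=5, coeffs=[166, 94])  # constructed values
    print(reconstruct({x: s[x] for x in (1, 3, 5)}))   # any 3 shares: 1234
    print(reconstruct({x: s[x] for x in (1, 2)}))      # 2 shares: wrong value
```
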
Generation of ID-Based Public/Private Keys
Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by p_i for 1 <= i < M, where M is the maximum possible phase index.
p_i is associated with a unique binary string, called a phase salt, salt_i
phase-specific: vary across key-update phases
node-specific: remain unchanged and be kept confidential to A itself
Due to the difficulty of solving the DLP in G_1, it is computationally infeasible to derive the network master secrets K_P1 and K_P2 from an arbitrary number of public/private key pairs
Cannot deduce the private key of any noncompromised node.
Key Revocation
Misbehavior Notification
B
accuses A
timestamp
shared key with V
communication overhead
resilient
Key Revocation
Revocation Generation
If over threshold
diagnose
joint efforts of t D-PKGs
t D-PKGs in with smallest IDs
(leader)
generates partial revocation
revocation leader
accumulate
d
all the D-PKGs in
generates partial revocation
sends
sends
revocation leader
D-PKGs
sends the accumulated accusations
response after verify accusation
Complete revocation
Key Revocation
Partial revocations
Complete revocation
Revocation leader
denote the t D-PKGs participating in revocation generation
It is possible that one or several members of A are unrevoked compromised nodes which might send wrongly computed partial revocations.
Revocation leader
check
If not equivalent
Check each node
Floods to each node
Key Revocation
If D-PKGs in do not receive a correct revocation against A in a certain time
revocation leader itself is a compromised node
second lowest ID succeeds as the revocation leader
As long as there is at least one noncompromised D-PKG in and there are at least t noncompromised D-PKGs in , a valid accusation against node A can always be generated.
Key Update
Public key:
Private key:
(B just performs two hash operations)
needs the collective efforts of t D-PKGs in
randomly selects (t-1) other nonrevoked D-PKGs
send request
these t D-PKGs including Z itself
A
generate a partial common private-key element
check
Key Update
To propagate securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme
: set of nodes revoked until phase p_i
Z broadcasts
maximum number of compromised nodes
PKG picks M distinct degree polynomials, denoted by
and M distinct degree polynomials
is a point on E/F_p, its x-coordinate can be uniquely determined from its y-coordinate.
Key-Update Parameters
Revoked node
IKM design
Choosing Secret-Sharing Parameter t, n
All they can do is attempt to compromise or disrupt randomly picked nodes with the expectation that those nodes happen to be the D-PKGs.
Compromise and disrupt up to N_c >= t and N_d >= n-t+1 nodes
Pr_c and Pr_d as the probabilities that at least t out of N_c compromised nodes and (n-t+1) out of N_d disrupted nodes happen to be D-PKGs
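
An added Python example (not from the paper or the slides) that evaluates Pr_c and Pr_d under the random-pick adversary stated above, as hypergeometric tail probabilities, and scans t for a given n. The function names and the rule of minimising max(Pr_c, Pr_d) are assumptions made for illustration.

```python
from fractions import Fraction
from math import comb

def pr_at_least(k_min, picked, n, N):
    """P(at least k_min of `picked` uniformly chosen nodes are D-PKGs),
    with n D-PKGs hidden among N nodes (hypergeometric upper tail)."""
    if not (0 <= n <= N and 0 <= picked <= N):
        raise ValueError("need 0 <= n <= N and 0 <= picked <= N")
    hits = sum(comb(n, k) * comb(N - n, picked - k)
               for k in range(max(k_min, 0), min(n, picked) + 1))
    return Fraction(hits, comb(N, picked))

def pr_c(t, n, N, N_c):
    """Shared secret exposed: at least t of the N_c compromised nodes are D-PKGs."""
    return pr_at_least(t, N_c, n, N)

def pr_d(t, n, N, N_d):
    """Fewer than t D-PKGs remain: at least n-t+1 of the N_d disrupted nodes are D-PKGs."""
    return pr_at_least(n - t + 1, N_d, n, N)

def best_threshold(n, N, N_c, N_d):
    """Scan t = 1..n and return (t, Pr_c, Pr_d) minimising max(Pr_c, Pr_d).
    The balancing rule is this example's assumption, not the paper's."""
    rows = [(t, pr_c(t, n, N, N_c), pr_d(t, n, N, N_d)) for t in range(1, n + 1)]
    return min(rows, key=lambda r: max(r[1], r[2]))

if __name__ == "__main__":
    # Constructed scenario: 10 nodes, 4 D-PKGs, 3 compromised, 2 disrupted.
    for t in range(1, 5):
        print(t, pr_c(t, 4, 10, 3), pr_d(t, 4, 10, 2))
    print("chosen:", best_threshold(4, 10, 3, 2))
```

Raising t lowers Pr_c and raises Pr_d, so the scan makes the trade-off between compromise tolerance and availability visible for a concrete network size.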
Performance evaluation
CKM vs IKM
GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4GHz processor and 1 GB memory