SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS:
CHALLENGES AND SOLUTIONS
By
YANCHAO ZHANG
A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL
OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF
DOCTOR OF PHILOSOPHY
UNIVERSITY OF FLORIDA
2006
Copyright 2006
by
Yanchao Zhang
To my parents and my sister.
First and foremost, I would like to express my sincere gratitude to my advisor, Prof.
Yuguang Fang, for his invaluable guidance, encouragement and support during my years in
Wireless Networks Laboratory (WINET). Prof. Fang has guided my path in the past four
years not only with his intellect and knowledge, but also with thoughtfulness about a young
man's personal growth.
Also, I would like to acknowledge my other committee members, Prof. Shigang Chen,
Prof. Jose Fortes, Prof. Pramod Khargonekar, and Prof. Sartaj Sahni, for serving on my
supervisory committee and for their help in various stages of my work and career.
I would not be a sane graduate student without a group of great friends. There are
many whom I would like to thank: Xiang Chen, Wei Liu, Byung-Seo Kim, Jianfeng Wang,
Shushan Wen, Hongqiang Zhai, Xiaoxia Huang, Yun Zhou, Chi Zhang, Frank Goergen, Pan
Li, Rongsheng Huang, and Feng Chen. I would like to specially acknowledge my former
WINET colleague and good friend, Prof. Wenjing Lou in Worcester Polytechnic Institute,
for her help and encouragement in my journey.
Finally, I owe a special debt of gratitude to my beloved parents and sister. Without
their love and unwavering support, I would never imagine what I have achieved.
TABLE OF CONTENTS
ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT
CHAPTER
1 INTRODUCTION
2 ANONYMOUS COMMUNICATIONS IN MOBILE AD HOC NETWORKS
2.1 Introduction
2.2 Preliminaries
2.2.1 Basics of ID-Based Cryptography (IBC)
2.2.2 Adversary Model
2.3 MASK Design
2.3.1 Network Model
2.3.2 Anonymous MAC-Layer Communications
2.3.3 Anonymous Network-Layer Communications
2.3.4 Countermeasures against Attacks
2.3.5 Replenishing Pseudonym/Secret Point Pairs
2.4 Performance Evaluation
2.4.1 Simulation Setup
2.4.2 Simulation Results
2.5 Related Work
2.6 Summary
3 SECURING MOBILE AD HOC NETWORKS WITH CERTIFICATELESS PUBLIC KEYS
3.1 Introduction
3.2 Preliminaries
3.2.1 Notation
3.2.2 Related Work
3.3 Design Goals and System Models
3.3.1 Design Goals
3.3.2 Network Model
3.3.3 Adversary Model
3.4 IKM Design
3.4.1 Overview
3.4.2 Network Initialization
3.4.3 Key Revocation
3.4.4 Key Update
3.4.5 Securing D-PKGs against Pinpoint Attacks
3.4.6 Choosing Secret-Sharing Parameters
3.4.7 Security Analysis
3.5 Performance Evaluation
3.5.1 Simulation Setup
3.5.2 Computational Costs
3.5.3 Comparison in Key Revocation
3.5.4 Comparison in Key Update
3.5.5 Comparison in Secure Routing
3.6 Summary
4 SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS
4.1 Introduction
4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization
4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks
4.3.1 Network Model
4.3.2 Overview of SLS
4.3.3 K-Distance: a K-Round Distance Estimation Algorithm
4.3.4 Location Validity Test
4.3.5 Discussion
4.4 Related Work
4.5 Summary
5 LOCATION-BASED COMPROMISE-TOLERANT SECURITY MECHANISMS FOR WIRELESS SENSOR NETWORKS
5.1 Introduction
5.2 Preliminaries
5.2.1 Adversary Model
5.2.2 Security Objectives
5.3 A Location-Based Key Management Scheme
5.3.1 Pre-Deployment Phase
5.3.2 Sensor Deployment and Localization
5.3.3 Location-Based Neighborhood Authentication
5.3.4 Immediate Pairwise Key Establishment
5.3.5 Multi-hop Pairwise Key Establishment
5.4 Efficacy of LBKs in Attack Mitigation
5.4.1 Spoofing, Altering or Replaying Routing Information
5.4.2 The Sybil Attack
5.4.3 The Identity Replication Attack
5.4.4 Wormhole and Sinkhole Attacks
5.5 Location-Based Filtering of Bogus Data
5.5.1 The Bogus Data Injection Attack
5.5.2 Generation and Distribution of Cell Keys
5.5.3 Performing Threshold-Endorsements of Data Reports
5.5.4 Probabilistic Enroute Filtering of Data Reports
5.5.5 Efficacy and Security Analysis
5.5.6 Performance Evaluation
5.6 Related Work
5.7 Discussion
5.8 Summary
6 ATTACK-RESILIENT SECURE AUTHENTICATION AND BILLING IN WIRELESS MESH NETWORKS
6.1 Introduction
6.2 Preliminaries
6.2.1 Security Requirements of WMNs
6.2.2 Attacker Model
6.3 System Models and Notation
6.3.1 Network Model
6.3.2 Trust Model
6.3.3 Notation
6.3.4 Trust-Domain Initialization
6.3.5 Pass Model
6.4 Authentication and Key Agreement (AKA)
6.4.1 Inter-Domain Authentication and Key Agreement
6.4.2 Intra-Domain Authentication and Key Agreement
6.4.3 Client-Client Authentication and Key Agreement
6.5 Security Enhancements
6.5.1 Location Privacy Attack
6.5.2 Bogus-Beacon Flooding Attack
6.5.3 Denial-of-Access Attack
6.5.4 Bandwidth-Exhaustion Attack
6.6 Incontestable Billing of Mobile Users
6.6.1 Billing Basics
6.6.2 Payment Structures
6.6.3 Making Payments
6.6.4 Redemption of Payment Records
6.6.5 Security Analysis
6.7 Discussion
6.7.1 Mobility Management
6.7.2 Public-Key vs. Symmetric-Key Cryptography
6.7.3 Incremental Deployment
6.8 Summary
7 CONCLUSION AND FUTURE WORK
REFERENCES
BIOGRAPHICAL SKETCH
LIST OF TABLES
2-1 Processing timings of cryptographic operations.
3-1 Notation.
3-2 Timings of primitive operations.
3-3 Comparison of key revocation time.
3-4 Comparison of key update (t = 5).
3-5 Comparison of key update (t = 10).
4-1 The K-Distance algorithm.
4-2 Testing if a point is inside a |B|-vertex polygon.
LIST OF FIGURES
2-1 Anonymous route discovery with a route reply generated by the destination A.4.
2-2 Anonymous hop-by-hop packet forwarding from A.1 to A.4.
2-3 The comparison between MASK and AODV.
3-1 Average route discovery delay.
3-2 Average data packet delay.
3-3 Packet delivery ratio.
3-4 Average routing load.
4-1 An exemplary two-way ToA localization process, where anchors A, B, C are determining the location of sensor S.
4-2 The topology of an exemplary distance enlargement attack.
4-3 The time plot of the challenge-response process.
4-4 Location validity test with three anchors.
5-1 Node deployment model.
5-2 The probability of filtering one bogus report as a function of the sampling probability $p_s$ and the number of hops a bogus report travels.
5-3 The comparison of Esum and Eium as a function of the bogus traffic ratio $\rho$, where $\ell = 50$ and the optimal $p_s$'s are used.
5-4 The comparison of Esum and Eium as a function of the bogus traffic ratio $\rho$, where $\ell = 50$ and non-optimal $p_s$'s are used.
5-5 The comparison of Esum and Eium as a function of the average path length $\ell$, where $\rho = 2$ and $p_s = 0.2$.
6-1 A typical three-tiered wireless mesh network architecture.
6-2 An exemplary 5-by-5 hierarchical one-way hash chain.
6-3 An exemplary payment structure ($m = 3$, $t = 2$).
Abstract of Dissertation Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of Doctor of Philosophy
SECURITY IN HETEROGENEOUS WIRELESS AD HOC NETWORKS:
CHALLENGES AND SOLUTIONS
By
Yanchao Zhang
August 2006
Chair: Yuguang Fang
Major Department: Electrical and Computer Engineering
Wireless ad hoc networks have been widely accepted as an indispensable component of
next-generation communication systems to facilitate ubiquitous network access. Although
offering significant benefits, they also provide unique security challenges over their wired
counterparts. Of note are the issues associated with the open network architecture, shared
wireless medium, stringent resource constraints, high network dynamics, lack of trusted
authorities, and so on. In this dissertation, we aim to address a number of challenging
security issues in heterogeneous wireless ad hoc networks, spanning mobile ad hoc networks
(MANETs), wireless sensor networks (WSNs), and wireless mesh networks (WMNs).
Our contributions are mainly fivefold. First, we propose an anonymous on-demand
routing protocol (MASK) to deal with malicious eavesdropping and traffic analysis attacks
against MANETs deployed in hostile environments. Second, we design a secure, scalable
ID-based key management scheme for MANETs to enable flexible public-key services with-
out reliance on conventional public-key certificates. Third, we devise a secure localization
scheme to ensure secure location estimates in WSNs despite malicious attacks. Fourth, we
develop a suite of location-based, compromise-tolerant security mechanisms for WSNs. Last,
we present an attack-resilient secure authentication and billing architecture for WMNs.
CHAPTER 1
INTRODUCTION
Recent years have witnessed a surge of research and development for wireless ad hoc
networks. Unlike conventional infrastructure-supported wireless networks, wireless ad hoc
networks feature rapidly-deployable, self-organizing, self-maintaining capabilities and can
be formed on the fly without relying on any existing infrastructure. In such a network, each
node functions not only as an end host but also as a router forwarding packets to and from
other nodes to enable otherwise impossible multi-hop communications. Wireless ad hoc
networks are naturally well-suited for application scenarios where fixed infrastructures are
often not available or reliable, while fast network establishment and self-maintenance are a
must. As such, they have been widely accepted as an indispensable part of next-generation
communication systems to facilitate ubiquitous network access.
In general, wireless ad hoc networks can be classified into two categories, mobile ad hoc
networks (MANETs) and static ad hoc networks. The former comprise network nodes that
are free to move about randomly and organize themselves arbitrarily. Exemplary application
scenarios of MANETs include tactical military operations, homeland security, emergency
disaster relief and rescue, and so on. Most recently, MANETs have been extended to general
civilian contexts and are often referred to as wireless mesh networks (WMNs) [1], where
mobile users can access the network either through a direct wireless link to a wireless access
point (AP), or through a sequence of intermediate users to an AP that is too far away to
reach. By contrast, static ad hoc networks mainly consist of stationary nodes, that is, fixed
at where they were deployed. The most significant example of this later type is wireless
sensor networks (WSNs) [2], which have attracted extensive attention in both academia
and industry for their broad potential not only in military and homeland security scenarios
but also in general civilian settings.
While offering significant benefits, wireless ad hoc networks are also vulnerable to
unique security challenges as compared to their wired counterparts. Roughly speaking, the
risks in wireless ad hoc networks are equal to the sum of the risks of operating a wired
network plus the new risks introduced by weaknesses in wireless protocols. Some of the
major security challenges that a wireless ad hoc network faces include the following:
All old threats to a conventional wired network apply to a wireless ad hoc network.
The shared wireless medium facilitates passive eavesdropping on data communications
and active bogus message injection into the network by attackers.
Early protocol design for wireless ad hoc networks all assumed a friendly and coop-
erative environment. As such, many wireless protocols have inherent security flaws.
Mobile devices are subject to physical theft or loss, leading to insider attacks launched
by attackers harnessing confidential information extracted from stolen devices.
Intrusion detection is far more difficult, mainly because it is hard to differentiate
anomalies caused by characteristics of wireless channels and those caused by attacks.
There is often lack of an on-line centralized authority or administration.
Mobile devices usually have stringent resource constraints and thus cannot afford
resource-hungry security protocols.
How to model node misbehavior is an essential component in any security protocol
design, as a decent solution designed under one misbehavior model may be less effective
or even completely invalid under another one. In this dissertation, we classify misbehaving
nodes into two classes: malicious and selfish. The objectives of the former are to attack
the proper network operations without consideration of their own gains. Adversarial nodes
often existing in military ad hoc networks are typical examples of such malicious nodes. By
comparison, selfish nodes can be characterized by the intention of maximizing their own
gains or collective gains with collusive nodes from the network community while minimizing
their contributions to it. Selfish nodes are less likely to exist in single-authority-like ad hoc
networks such as military MANETs and WSNs, but are very likely to be present in general
civilian ad hoc networks where nodes may have conflicting interests. For example, in a
WMN, nodes may be reluctant to forward packets to and from the AP for others in order
to save their own resources such as battery life, CPU cycles, or available network bandwidth
[3, 4].
This dissertation contributes to developing novel solutions to a number of challenging
issues in heterogeneous wireless ad hoc networks, involving either malicious nodes or selfish
nodes or both, which are either ignored or not well addressed in the literature. The rest of
this dissertation is structured as follows.
Chapter 2 considers passive eavesdropping and the ensuing attacks launched
against MANETs deployed in hostile environments. To deal with such attacks, we propose
a novel anonymous on-demand routing protocol, termed MASK, which can accomplish both
MAC-layer and network-layer communications without disclosing real IDs of participating
nodes under a rather strong adversarial model. MASK offers the anonymity of senders, re-
ceivers, and sender-recipient relationships, as well as node unlocatability and untrackability
and end-to-end flow untraceability. It is also resistant to a wide range of attacks. Moreover,
MASK preserves the high routing efficiency as compared to previous work.
Chapter 3 studies key management, a fundamental problem in securing MANETs. We
present IKM, an ID-based key management scheme as a novel combination of ID-based
and threshold cryptography. IKM is a certificateless solution in that public keys of mobile
nodes are directly derivable from their known IDs plus some common information. It thus
eliminates the need for certificate-based authenticated public-key distribution indispens-
able in conventional public-key management schemes. IKM features a novel construction
method of ID-based public/private keys, which not only ensures high-level tolerance to
node compromise, but also enables efficient network-wide key update via a single broadcast
message. We also provide general guidelines about how to choose the secret-sharing param-
eters used with threshold cryptography to meet desirable levels of security and robustness.
The advantages of IKM over conventional certificate-based solutions are justified through
extensive simulations. Since most MANET security mechanisms thus far involve the heavy
use of certificates, we believe that our findings open a new avenue towards more effective
and efficient security design for MANETs.
Chapter 4 explores secure localization in WSNs. The proper operations of many sen-
sor networks rely on the knowledge of physical sensor locations. However, most existing
localization algorithms developed for sensor networks are vulnerable to attacks in hos-
tile environments. As a result, attackers can easily subvert the normal functionalities of
location-dependent sensor networks by exploiting the weakness of localization algorithms.
In this chapter, we first analyze the security of existing localization techniques. We then
develop a mobility-assisted secure localization scheme for WSNs.
Chapter 5 introduces a suite of location-based compromise-tolerant security mechanisms
for WSNs. Node compromise is a serious threat to WSNs deployed in unattended and hostile
environments. To mitigate the impact of compromised nodes, we design a few location-
based compromise-tolerant security mechanisms. Based on a new cryptographic concept
called pairing, we propose the notion of location-based keys (LBKs) by binding private
keys of individual nodes to both their IDs and geographic locations. We then develop
an LBK-based neighborhood authentication scheme to localize the impact of compromised
nodes to their vicinity. We also present efficient approaches to establish a shared key
between any two network nodes. In contrast to previous key establishment solutions, our
approaches feature nearly perfect resilience to node compromise, low communication and
computation overhead, low memory requirements, and high network scalability. Moreover,
we demonstrate the efficacy of LBKs in counteracting several notorious attacks against
sensor networks. Finally, we propose a location-based threshold-endorsement scheme, called
LTE, to thwart the infamous bogus data injection attack, in which adversaries inject lots of
bogus data into the network. The utility of LTE in achieving remarkable energy savings is
validated by detailed performance evaluation.
Chapter 6 presents a secure authentication and billing architecture for WMNs which are
finding ever-growing acceptance as a viable and effective solution to ubiquitous broadband
Internet access. This chapter addresses the security of WMNs, which is a key impediment to
wide-scale deployment of WMNs, but thus far receives little attention. We first thoroughly
identify the unique security requirements of WMNs for the first time in the literature. We
then propose UPASS, the first known secure authentication and billing architecture for
WMNs. In contrast to a conventional cellular-like solution, UPASS eliminates the need
for establishing bilateral roaming agreements and having realtime interactions between po-
tentially numerous WMN operators. With UPASS in place, each user is no longer bound
to any specific network operator, as he or she ought to do in current cellular networks.
Instead, he or she acquires a universal pass from a third-party broker whereby to realize
seamless roaming across WMN domains administrated by different operators. UPASS sup-
ports efficient mutual authentication and key agreement both between a user and a serving
WMN domain and between users served by the same WMN domain. In addition, UPASS
is designed to be resilient to a wide range of attacks. Moreover, the incontestable billing of
mobile users is fulfilled through a lightweight realtime micropayment protocol built on the
combination of digital signature and one-way hash-chain techniques.
Finally, Chapter 7 concludes this dissertation and points out some future work.
CHAPTER 2
ANONYMOUS COMMUNICATIONS IN MOBILE AD HOC NETWORKS
2.1 Introduction
Mobile ad hoc networks (MANETs) are infrastructureless, autonomous, stand-alone
wireless networks that are receiving growing attention from both academia and industry.
In this chapter, we are concerned with MANETs deployed in hostile environments, such
as those facilitating large-scale theater-wide communications or relatively small-scale com-
munications in MOUT (Military Operations on Urban Terrain). It is obvious that robust
security support is indispensable for the proper functioning of such MANETs.
The shared wireless medium of MANETs introduces abundant opportunities for passive
eavesdropping on data communications. This means that, without physically compromis-
ing a node, adversaries can easily overhear all the MAC frames "flying in the air," each
typically including .l Although end-to-end
and/or link encryption can be enforced to prevent adversarial access to data contents, for
any observed frame, adversaries can still learn not only the network and MAC addresses of
its local transmitter and receiver, but also the network addresses of its end-to-end source
and destination. Such MAC and network address information is currently left bare with-
out protection in the de facto MAC protocol IEEE 802.11 and existing MANET routing
protocols such as AODV [5] and DSR [6].
The leakage of MAC and network addresses may result in a number of severe conse-
quences. First of all, it would facilitate adversarial traffic analysis to infer network
SWe use the terms p~ II 1:- I" and lI I!!!, s" interchangeably in this chapter.
traffic patterns and/or traffic pattern changes.2 In a tactical military MANET, an abnor-
mal change of the network traffic pattern may indicate a forthcoming action, a chain of
commands, or a state change of network alertness [7]. Its disclosure to adversaries would
thus lead to the failure of urgent military actions. In addition, adversaries are able to
trace any packet backward to its original source or forward to its final destination. This is
also undesirable because in many cases packet sources are critical nodes such as captains
or majors, while packet destinations are nodes commanded to carry out certain military
operations. Moreover, adversaries can locate individual nodes and track their movements.
This is extremely dangerous in that adversaries can easily identify critical network nodes
and then launch directed attacks on them. Most previous proposals such as Ariadne [8] and
ARAN [9] aim to deal with active attacks, which usually involve the launch of denial-of-
service (DoS) or other more "visible," aggressive attacks on the target network. By contrast,
the aforementioned attacks belong to the category of once-passive-then-active attacks, or
passive attacks for short, which are more subtle, "invisible," and difficult to detect before
severe damage actually occurs. In this chapter, we seek efficient solutions to such more
dangerous passive attacks.
For ease of presentation, we use the notion "network ID" (or simply "ID") to indicate
both the MAC and network addresses of a mobile node, which should be understandable
from the context. We also define "anonymity" as the privacy preservation of network IDs
of mobile nodes and their group membership information, e.g., belonging to nation A or B,
or affiliated with battalion 1 or 2. Although less intuitive, the privacy of node affiliations
is as important as that of node IDs in many security-sensitive environments. For example,
suppose a coalition force of multiple nations is dispatched to carry out a common military
mission. Soldiers of the same nation can form an exclusive MANET among themselves
and thus there would co-exist multiple MANETs in the battlefield. In this case, each node
2 A network traffic pattern consists of triplets <sender address, receiver address,
rate>, each describing one flow. A flow can be an end-to-end network flow, then the
address fields are the network addresses of an end-to-end source and destination pair. It
can also be a local link flow, then the address fields are the MAC addresses of a local
transmitter and a receiver.
may want to avoid unnecessary exposure of both its ID and nationality because adversaries
or terrorists may perform selective directed attacks according to not only IDs but also
nationalities. As demonstrated in Section 2.3.2, conventional cryptographic techniques such
as Diffie-Hellman key exchange [10] cannot satisfy this anonymity requirement and thus fail
to withstand passive attacks.
We observe that passive attacks are feasible for two reasons: (1) each node can be
uniquely identified by its network ID, and (2) each node uses the invariant network ID
in both MAC-layer and network-layer communications. Motivated by this observation, we
propose to thwart passive attacks by designing anonymous communication protocols. The
fundamental purpose is to realize both efficient MAC-layer and network-layer communi-
cations, while anonymizing all the involved nodes, therefore effectively defeating passive
attacks.
The contribution of this chapter is the design of a novel anonymous on-demand rout-
ing protocol, called MASK, which can simultaneously achieve anonymous MAC-layer and
network-layer communications. The novelty of MASK lies in the use of dynamic pseudonyms
rather than static MAC and network addresses. MASK offers both sender and receiver
anonymity as well as sender-receiver relationship anonymity.3 Specifically, although ad-
versaries might observe a packet transmission, they cannot determine real network IDs of
its sender and receiver, nor can they decide if (or when) any two nodes in the network are
communicating. In addition, MASK ensures node unlocatability and untrackability, meaning
that, although adversaries might know some real network IDs and/or group memberships,
they are unable to decide whom and where the corresponding nodes are in the network.
Moreover, MASK guarantees end-to-end flow untraceability, which means that adversaries
cannot trace a packet forward to its final destination or backward to its original source, nor
can they recognize packets belonging to a same ongoing communication flow. Furthermore,
MASK is as efficient as classical routing protocols such as AODV [5], which is confirmed by
3 For a given packet, a sender can be its original source or local transmitter, and a receiver
can be its final destination or local receiver.
detailed simulation results. It can also withstand a variety of attacks, e.g., message coding,
flow recognition, and timing analysis.
2.2 Preliminaries
2.2.1 Basics of ID-Based Cryptography (IBC)
IBC [11] is receiving extensive attention as a powerful alternative to traditional certificate-
based cryptography (CBC) and serves as one of the cryptographic foundations of this dis-
sertation. The main idea of IBC is to make an entity's public key directly derivable from his
publicly known identity information such as his email address. IBC thus completely elimi-
nates the need for public-key distribution realized via conventional public-key certificates.
Although the idea of IBC dates back to 1984 [11], only recently has its rapid development
taken place due to the application of the pairing technique outlined below.
Let $G_1$ denote a cyclic additive group of some large prime order $q$ and $G_2$ a cyclic
multiplicative group of the same order. Assume that the Discrete Logarithm Problem
(DLP) is hard⁴ in both $G_1$ and $G_2$. For us, a pairing is a map $\hat{e}: G_1 \times G_1 \rightarrow G_2$ with the
following properties:
1. Bilinear: $\forall\, P, Q, R, S \in G_1$,
$$\hat{e}(P + Q, R + S) = \hat{e}(P, R)\,\hat{e}(P, S)\,\hat{e}(Q, R)\,\hat{e}(Q, S). \quad (2.1)$$
Consequently, for $\forall\, a, b \in \mathbb{Z}_q^*$, we have
$$\hat{e}(aP, bQ) = \hat{e}(aP, Q)^b = \hat{e}(P, bQ)^a = \hat{e}(P, Q)^{ab}.$$
2. Non-degenerate: If $P$ is a generator of $G_1$, then $\hat{e}(P, P)$ is a generator of $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat{e}(P, Q)$ for all $P, Q \in G_1$.
Note that $\hat{e}$ is also symmetric, i.e., $\hat{e}(P, Q) = \hat{e}(Q, P)$ for all $P, Q \in G_1$, which follows
immediately from the bilinearity and the fact that $G_1$ is a cyclic group. Modified Weil
[12, 13] and Tate [14] pairings are examples of such bilinear maps for which the Bilinear
Diffie-Hellman Problem (BDHP) is believed to be hard. That is, it is believed that, given
$\langle P, xP, yP, zP \rangle$ for random $x, y, z \in \mathbb{Z}_q^*$ and $P \in G_1$, there is no algorithm running in ex-
pected polynomial time which can compute $\hat{e}(P, P)^{xyz} \in G_2$ with non-negligible probability.
We refer to Boneh and Franklin [12, 13] and Barreto et al. [14] for a more comprehensive
description of how these pairing parameters should be selected in practice for efficiency and
security.
4 It is computationally infeasible to extract the integer $a \in \mathbb{Z}_q^* = \{a \mid 1 \le a \le q-1\}$, given
$P, Q \in G_1$ (respectively, $P, Q \in G_2$) such that $Q = aP$ (respectively, $Q = P^a$).
2.2.2 Adversary Model
We assume that adversaries can collaborate to passively monitor every radio transmis-
sion on every communication link. In addition, they may compromise any node in the target
network to become an internal adversary. However, we postulate that passive adversaries
cannot compromise an unlimited number of nodes. Neither can they have unbounded com-
putational capabilities to easily invert and read encrypted messages and break the BDHP
assumption. Otherwise, it is believed that there is no workable cryptographic solution.
2.3 MASK Design
In this section, we elaborate the design of MASK(. We start with describing the net-
work model and then discuss how to achieve single-hop MAC-layer communications. Sub-
sequently, we present an on-demand routing protocol to realize anonymous network-layer
communications. After that, some countermeasures against attacks and a security enhance-
ment based on the secret-sharing technique [15] are introduced.
2.3.1 Network Model
We consider a general case that there co-exist multiple MANETs, each comprising
nodes of the same group. For simplicity, we use a capital letter, such as A, B, or C, to
indicate each MANET and the group it corresponds to. The concrete meanings of groups
may vary across different application contexts. For example, each group or the related
MANET may be related to a troop of a different nation, or a different company or battalion
in the same brigade. Hereafter, we will utilize network A as an example to illustrate our
MASK design. We denote by A.i the ith node of A for $1 \le i \le N_A$, where $N_A$ is the
number of nodes in A. We assume that each A.i has a unique non-zero network ID $ID_{A.i}$.
As discussed before, both $ID_{A.i}$ and node A.i's membership in A should be well protected
from adversaries.
Prior to network deployment, a trusted authority (TA) who himself/herself does not en-
ter the network first determines the pairing parameters $(q, G_1, G_2, \hat{e})$ along with a group-wise
master key $g_A \in \mathbb{Z}_q^*$. The TA then chooses two collision-resistant cryptographic hash func-
tions: $H_1$, mapping strings to non-zero elements in $G_1$, and $H_2$, mapping arbitrary inputs
to fixed-length outputs, e.g., SHA-1 [16]. Public system parameters $\langle q, G_1, G_2, \hat{e}, H_1, H_2 \rangle$
are preloaded to each A.i. By contrast, gA should be well safeguarded from unauthorized
access and never be disclosed to ordinary group members dispatched to execute dangerous
military actions.
In MASK(, nodes substitute pseudonyms for real IDs in communications. If a node
uses one pseudonym all the time, it will not help to defend against passive attacks we have
in mind, because the pseudonym will be analyzed the same way as its real ID. Therefore,
each node should use dynamic pseudonyms instead. For this purpose, the TA furnishes
each A.i with a sufficiently large set $PS_{A.i} = \{PS_{A.i}^k \mid 1 \le k \le |PS_{A.i}|\}$ of collision-resistant
pseudonyms.5 A pseudonym can be any type of string and collision-resistance means that
all the pseudonyms are different from each other. In addition, each A.i is armed with
a corresponding secret point set $SP_{A.i} = \{SP_{A.i}^k\} = \{g_A H_1(PS_{A.i}^k) \in G_1 \mid 1 \le k \le |PS_{A.i}|\}$.
Due to the difficulty of solving the DLP in $G_1$ (cf. Section 2.2.1), given any
$\langle PS_{A.i}^k, SP_{A.i}^k \rangle$ pair, it is impossible to deduce $g_A$ with non-negligible probability.
2.3.2 Anonymous MAC-Layer Communications
In this subsection, we discuss how to achieve .I!!...-, us.. ..s single-hop MAC-layer com-
munications through an .I!!...-, us.. ..s neighborhood authentication protocol.
Anonymous neighborhood authentication. A h ae-s..--:....s..
authentication allows two neighboring nodes of the same group to identify each other se-
. c. He in the sense that each party reveals its group membership to the other only if the
other party is also a group member. This notion bears similarity to the concept of secret
5 If X is a set, |X| means its cardinality.
handshakes introduced by Balfanz et al. [17]. As an example, node A.i might want to
authenticate itself to a neighboring node z, but only if a is also a member of group A.
In addition, if a does not belong to A, the authentication protocol should not help z in
determining either the real ID (IDA~i) of A.i or whether A.i is a member of A or not.
As mentioned in [17], realizing anonymous authentication (or secret handshakes) requires new cryptographic protocols, since it cannot be easily accomplished through existing cryptographic tools. For example, authentication techniques based on public-key certificates, such as authenticated two-party Diffie-Hellman key exchange [10], may inevitably disclose either the real IDs of mobile nodes or their group memberships or both, which are either implied or explicitly embedded in public-key certificates. For instance, for its certificate to be verified, a node has to tell the other party the authentic public key of the CA (Certificate Authority) that generated its certificate. Obviously, this would expose that node's group membership, i.e., from which CA it obtained the certificate, no matter whether the other party belongs to the same group or not. In the following, we illustrate a pairing-based anonymous neighborhood authentication protocol, which is an extension of the secret handshake scheme introduced in [17] to MANETs.
Without loss of generality, below is shown the authentication process between nodes A.1 and A.2, where $\|$ denotes message concatenation.
A.1 → A.2 : $PS^1_{A.1},\ n_1$
A.2 → A.1 : $PS^1_{A.2},\ n_2,\ V_{2,1} = H_2(n_1 \| n_2 \| 0 \| K_{2,1})$
A.1 → A.2 : $V_{1,2} = H_2(n_1 \| n_2 \| 1 \| K_{1,2})$
A.1 starts the protocol by pulling out from $PS_{A.1}$ an unused pseudonym $PS^1_{A.1}$ and locally broadcasts a MAC frame including $PS^1_{A.1}$ and a random nonce $n_1$. Upon seeing the request, A.2 also draws an unused pseudonym $PS^1_{A.2}$ from $PS_{A.2}$ and then generates a master key as $K_{2,1} = \hat{e}(H_1(PS^1_{A.1}), SP^1_{A.2})$. After that, A.2 locally broadcasts a reply frame consisting of $PS^1_{A.2}$, a random nonce $n_2$, and the value $V_{2,1}$ shown above. Upon reception of the reply from A.2, node A.1 calculates a master key as $K_{1,2} = \hat{e}(H_1(PS^1_{A.2}), SP^1_{A.1})$ and checks whether $V_{2,1} = H_2(n_1 \| n_2 \| 0 \| K_{1,2})$. According to Eq. (2.1) and the symmetric property of $\hat{e}$, if and only if both nodes are affiliated with the same group A could they have
$K_{2,1} = \hat{e}(H_1(PS^1_{A.1}), H_1(PS^1_{A.2}))^{g_A} = \hat{e}(H_1(PS^1_{A.2}), H_1(PS^1_{A.1}))^{g_A} = K_{1,2}.$
As a result, if the verification succeeds, A.1 knows that A.2 must be an authentic group peer. To authenticate itself to A.2, A.1 returns the value $V_{1,2}$ shown above. If $V_{1,2} = H_2(n_1 \| n_2 \| 1 \| K_{2,1})$, node A.2 can rest assured that A.1 belongs to the same group A as itself. Notice that the source and destination addresses of the three involved MAC frames should both be set to a pre-defined universal address, such as all 1's, instead of their real network IDs (MAC addresses in this case).
After a successful three-way handshake, A.1 learns that there is a trustable group
peer in its neighborhood, but has no knowledge of the real ID except one of the public
pseudonyms of A.2. So does A.2. If the authentication fails, which may occur for instance
when one of them is an adversarial impersonator, the legitimate one reveals nothing but a
pseudonym to the impersonator. In addition, an adversarial eavesdropper learns nothing
more than some seemingly random numbers from the protocol execution.
Since A.1 and A.2 have established a shared master key $K_{1,2} = K_{2,1}$, they can proceed to calculate $F$ pairs of shared session key (Skey) and link identifier (LinkID) as
$k^s_{1,2} = H_2(n_1 \| n_2 \| 2s \| K_{1,2}),$
$L^s_{1,2} = H_2(n_1 \| n_2 \| 2s+1 \| K_{1,2}),$
where $F$ is a design parameter, and $k^s_{1,2}$ and $L^s_{1,2}$ ($1 \le s \le F$) indicate the $s$th Skey and LinkID, respectively. The collision-resistance of node pseudonyms, $H_1$ and $H_2$ ensures that such $\langle$Skey, LinkID$\rangle$ pairs are also collision-resistant, meaning that no identical pairs would be generated by different pairs of nodes, or by the same two nodes with different pairs of nonces. In addition, each pair is only known to the two nodes which established it, and there is no apparent relationship among the pairs generated by the same two nodes under the same pair of nonces. Such $\langle k^s_{1,2}, L^s_{1,2} \rangle$ pairs are to be used in an increasing sequence for subsequent data communications between A.1 and A.2, as will be explained shortly. Whenever the established $F$ pairs are used up, A.1 and A.2 are required to automatically increase both $n_1$ and $n_2$ by one and generate new $F$ pairs using the computationally efficient hash function $H_2$. Of course, A.1 and A.2 should have a simple agreement so as to synchronize the use of such pairs.
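The three-way handshake and the $\langle$Skey, LinkID$\rangle$ derivation just described, as an added example that is not the dissertation's code. The Tate pairing over $G_1$ is replaced by an insecure arithmetic stand-in (exponentiation modulo a toy prime) that keeps only the bilinear symmetry $\hat{e}(H_1(x), g_A H_1(y)) = \hat{e}(H_1(y), g_A H_1(x))$ the protocol relies on; SHA-256 stands in for $H_2$, and the modulus, nonce size and pseudonym strings are constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: P is prime, exponents live in Z_(P-1).
P = 2**127 - 1
Q = P - 1
GEN = 3


def H1(pseudonym: bytes) -> int:
    """H1: pseudonym -> non-zero scalar (stand-in for a non-zero element of G1)."""
    digest = hashlib.sha256(b"H1|" + pseudonym).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def H2(*parts: bytes) -> bytes:
    """H2: fixed-length hash of the concatenation (SHA-1 in the text, SHA-256 here)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def pairing(x: int, y: int) -> bytes:
    """INSECURE stand-in for e(., .): GEN^(x*y) mod P. It is bilinear and symmetric,
    which is all the handshake needs, but unlike a real pairing it gives no hardness
    (g_A would be recoverable from a single <PS, SP> pair)."""
    return pow(GEN, (x * y) % Q, P).to_bytes(16, "big")


class Node:
    """A group member preloaded by the TA with pseudonyms and matching secret points."""

    def __init__(self, group_master: int, pseudonyms):
        self.pseudonyms = list(pseudonyms)
        # SP^k = g_A * H1(PS^k): the pseudonym/secret-point pairs of Section 2.3.1
        self.secret_points = {ps: (group_master * H1(ps)) % Q for ps in pseudonyms}
        self.used = 0

    def fresh_pseudonym(self) -> bytes:
        """Pseudonyms are dynamic: each handshake consumes the next unused one."""
        ps = self.pseudonyms[self.used]
        self.used += 1
        return ps

    def master_key(self, own_ps: bytes, peer_ps: bytes) -> bytes:
        """K = e(H1(PS_peer), SP_own) = e(H1(PS_peer), H1(PS_own))^g_A."""
        return pairing(H1(peer_ps), self.secret_points[own_ps])


def handshake(a: Node, b: Node):
    """Three-way anonymous neighborhood authentication between a (A.1) and b (A.2).
    Returns (success, K_ab, K_ba, (n1, n2)). On failure a never sends V_{1,2}, so an
    impersonating b has learned nothing but a's pseudonym and a nonce."""
    ps_a, n1 = a.fresh_pseudonym(), secrets.token_bytes(4)   # frame 1: PS_a, n1
    ps_b, n2 = b.fresh_pseudonym(), secrets.token_bytes(4)
    k_ba = b.master_key(ps_b, ps_a)
    v_ba = H2(n1, n2, b"0", k_ba)                               # frame 2: PS_b, n2, V_{2,1}
    k_ab = a.master_key(ps_a, ps_b)
    if H2(n1, n2, b"0", k_ab) != v_ba:                          # a checks V_{2,1}
        return False, None, None, (n1, n2)
    v_ab = H2(n1, n2, b"1", k_ab)                               # frame 3: V_{1,2}
    if v_ab != H2(n1, n2, b"1", k_ba):                          # b checks V_{1,2}
        return False, None, None, (n1, n2)
    return True, k_ab, k_ba, (n1, n2)


def derive_pairs(n1: bytes, n2: bytes, K: bytes, count: int):
    """The F = count <Skey, LinkID> pairs, used in increasing order of s:
    k^s = H2(n1 || n2 || 2s || K),  L^s = H2(n1 || n2 || 2s+1 || K),  1 <= s <= F."""
    return [(H2(n1, n2, str(2 * s).encode(), K),
             H2(n1, n2, str(2 * s + 1).encode(), K)) for s in range(1, count + 1)]


def refresh_nonces(n1: bytes, n2: bytes):
    """Once the F pairs are used up, both sides increase n1 and n2 by one and re-derive."""
    def bump(n: bytes) -> bytes:
        return ((int.from_bytes(n, "big") + 1) % (1 << (8 * len(n)))).to_bytes(len(n), "big")
    return bump(n1), bump(n2)


def make_member(group_master: int, label: str, count: int = 4) -> Node:
    """Helper: a node holding `count` constructed, mutually distinct pseudonyms."""
    return Node(group_master, [f"PS-{label}-{k}".encode() for k in range(count)])
```

A node of another group (different master key) fails the $V_{2,1}$ check, and the initiator then withholds $V_{1,2}$, so the failed run leaks only a pseudonym and a nonce.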
Similarly, each node can achieve anonymous mutual authentication and establish pairwise shared $\langle$Skey, LinkID$\rangle$ pairs with all its neighboring nodes. Notice that if multiple nodes simultaneously answer the same request, MAC-layer collisions may occur. In this chapter, we assume reliable transmissions of authentication requests/replies, which can be achieved for instance by using a random delay for which each node has to wait before answering an authentication request.
In our design, we leave the decision when and whether a node wants to initiate the anonymous neighborhood authentication to the node itself. Ideally, a node should keep track of its neighbors at all times and should perform the authentication whenever it moves to a new place or finds new neighbors. In this case, a neighbor discovery/maintenance mechanism such as the "Hello" messages used in AODV [5] will be necessary. Notice here that although the "Hello" messages are transmitted periodically, the authentication is done only once for each neighbor. A node may also choose not to do the authentication while it is in constant and fast movement. Another option is that a node only initiates the authentication on demand, e.g., when it receives a route discovery message from an unauthenticated neighbor. Authentication purely on demand could reduce the overhead caused by running the neighborhood authentication protocol, while at the same time it would introduce extra delay into the route discovery process.
We would like to point out that anonymous neighborhood authentication would incur additional computational overhead in contrast to other on-demand routing protocols such as AODV and DSR, which provide neither security nor anonymity guarantees. However, mutual authentication between neighboring nodes is indispensable in MANETs; only with it can a node refuse to accept messages from, or forward messages for, unauthenticated neighbors. Otherwise, adversaries can easily inject bogus messages into the network to deplete scarce network resources as well as interrupt proper network functionalities. In addition, any two neighboring nodes only need to perform authentication once, and subsequent communications can be encrypted and authenticated using efficient symmetric-key algorithms based on the established shared Skeys. It will be shown in Section 2.4 that anonymous neighborhood authentication can be implemented efficiently without much degrading the routing efficiency.
Anonymous MAC frame exchange. Based on established shared $\langle$Skey, LinkID$\rangle$ pairs, two neighboring nodes can easily realize anonymous single-hop MAC-layer communications. In our design, we replace the transmitter and receiver MAC addresses in a conventional MAC frame with a single LinkID. In fact, we will see later that the same LinkID also eliminates the necessity of network addresses. In other words, a conventional MAC frame $\langle$transmitter address, receiver address, data$\rangle$ changes to $\langle$LinkID, data$\rangle$ in our scheme.
For example, A.1 sends a MAC frame of format $\langle L^s_{1,2}, \{msg\}_{k^s_{1,2}} \rangle$, where $\{msg\}_K$ stands for a message msg encrypted under key K using any symmetric-key encryption algorithm such as RC6 [18]. That frame can be heard by all its neighboring nodes, among which only A.2 will accept the frame because of its unique sharing of $L^s_{1,2}$ with A.1. A.2 can decrypt the data with the corresponding Skey $k^s_{1,2}$. Similarly, A.2 can reply with a MAC frame $\langle L^{s'}_{1,2}, \{msg\}_{k^{s'}_{1,2}} \rangle$. If the MAC protocol in use is contention-based, such as the Distributed Coordination Function (DCF) of IEEE 802.11, the conventional RTS-CTS-DATA-ACK frame exchange is also easy to implement based on pairwise shared LinkIDs to alleviate the notorious hidden and exposed terminal problems.
Since the real IDs of mobile nodes are kept confidential in anonymous neighborhood authentication and the subsequent local MAC frame exchange, we have successfully realized anonymous single-hop MAC-layer communications. In other words, local transmitter and receiver anonymity and their relationship anonymity have been achieved. Also notice that our anonymous neighborhood authentication protocol ensures both node unlocatability and untrackability at the same time.
2.3.3 Anonymous Network-Layer Communications
Network-layer communications, most likely multi-hop, rely on routing protocols to find end-to-end routing paths between any source-destination pair and to relay packets in a hop-by-hop manner en route from the source to the destination. To realize anonymous network-layer communications, we present here an anonymous on-demand routing protocol, called MASK, to establish a sequence of $\langle$Skey, LinkID$\rangle$ pairs between any source and destination pair.
Figure 2-1: Anonymous route discovery with a route reply generated by the destination A.4. [Figure panels not recoverable from the extraction: reverse route tables of A.2 and A.3 (columns dest_id, destSeq, pseudonym), target LinkID table of A.4, and forwarding route tables of A.1, A.2 and A.3 (columns dest_id, destSeq, pre-LinkID-list, next-LinkID-list).]
In our MASK, each node maintains the following data structures:
Forwarding route table: A table consisting of entries of format $\langle$dest_id, destSeq, pre-LinkID-list, next-LinkID-list$\rangle$, where dest_id is the real ID of the destination and destSeq$^6$ is the corresponding node sequence number. The pre-LinkID-list is the set of pre-hop LinkIDs from which packets destined for dest_id may come, and next-LinkID-list is the set of next-hop LinkIDs to which packets destined for dest_id are supposed to be forwarded.
Reverse route table: A table consisting of entries of format $\langle$dest_id, destSeq, pre-hop pseudonym$\rangle$, based on which route replies are relayed back to the source.
Target LinkID table: A table consisting of selected LinkIDs shared with neighbors. The current node is the final destination (end-to-end) for the packets bearing the LinkIDs in its target LinkID table.
An appropriate timer is associated with each entry of the above tables, and an entry should be recycled when its timer expires.
Anonymous route discovery. Without loss of generality, we illustrate the anonymous route discovery process in MASK using the simple chain topology shown in Fig. 2-1, where nodes A.1, A.2, A.3, and A.4 are assumed to be using pseudonyms $PS^1_{A.1}$, $PS^1_{A.2}$, $PS^1_{A.3}$, and $PS^1_{A.4}$, respectively, in their current places. To ease the presentation, we further assume that each node has finished anonymous mutual authentication using the same pseudonym with all its neighboring nodes and has established shared $\langle$Skey, LinkID$\rangle$ pairs with them.
$^6$ The maintenance of node sequence numbers strictly follows the steps defined in AODV.
Similar to other on-demand routing protocols, our anonymous route discovery starts from broadcasting route request messages when a node has a packet for a certain destination but does not know a path to that destination. An anonymous route request (ARREQ) has the format $\langle$ARREQ, dest_id, ARREQ_id, destSeq, $PS_{src}\rangle$, where dest_id is the real ID of the destination, ARREQ_id$^7$ is a globally unique value that uniquely identifies an 
ARREQ, destSeq is set to the last known sequence number for the destination or to an unknown flag if needed, and $PS_{src}$ is the active pseudonym of the source. To be consistent with the aforementioned MASK packet format, a predefined LinkID such as all 1's should be used to identify the ARREQ, which is not shown for brevity. In the shown example, the ARREQ takes the form of $\langle$ARREQ, $ID_{A.4}$, ARREQ_id, destSeq, $PS^1_{A.1}\rangle$. When an intermediate node, say node A.2, receives an ARREQ message for the first time, it inserts into its reverse route table an entry recording where this ARREQ comes from, and then rebroadcasts the ARREQ after replacing the embedded pseudonym $PS^1_{A.1}$ with its currently-used one, i.e., $PS^1_{A.2}$. ARREQs with previously seen ARREQ_ids are simply discarded.$^8$ This process continues until all the nodes in the network have rebroadcasted the ARREQ once.
It is worth noting that in the propagation of ARREQs, the real IDs of the source and all the intermediate nodes are concealed, while the real ID of the destination has to be exposed. In traditional on-demand routing protocols such as AODV [5], the destination itself and any intermediate node which has a valid routing entry to the destination do not need to rebroadcast the route request message. However, that design allows adversaries to identify the destination node easily by monitoring the activities at each node: every node broadcasts the route request once except the destination and/or some nodes having routes to the destination. Therefore, in our design, every node, including the destination and qualified intermediate nodes, needs to rebroadcast the ARREQ message once. This will effectively hide the whereabouts of the destination: even though adversaries know that there is such a node, they will have difficulty matching the dest_id ($ID_{A.4}$ in this case) to any of the nodes in the network. Note that the overhead introduced by this modification is minimal: in a route discovery protocol using flooding, every node needs to broadcast once anyway, except the destination and qualified intermediate nodes. So the extra overhead introduced is only one or a few more transmissions by the destination and the intermediate nodes which can reply.
$^7$ ARREQ_id could be generated by applying a collision-resistant hash function like SHA-1 [16] on the concatenation of a node's pseudonym, sequence number, and a timestamp.
$^8$ Note that ARREQ flooding is supposed to be finished in a limited period so that each node does not need to keep too many old ARREQ_ids.
An anonymous route reply (ARREP) can be generated and sent back to the source at the destination or at any intermediate node which has a valid route to the destination. Fig. 2-1 demonstrates the case in which a route reply is generated by the destination A.4 itself. Once receiving an ARREQ toward itself, A.4 can generate an ARREP to be unicast back to the source following the reverse route established before. In our design, an ARREP packet is of format $\langle$LinkID, $\{$ARREP, dest_id, destSeq$\}_{Skey}\rangle$, where LinkID and Skey are the next-to-be-used pair shared between the destination and the pre-hop node from which the ARREQ comes, and the Skey is used to encrypt the packet content so that adversaries cannot recognize that this is an ARREP corresponding to the previously-observed ARREQ. In the shown example, an ARREP is in the form of $\langle L^s_{3,4}, \{ARREP, ID_{A.4}, 51\}_{k^s_{3,4}} \rangle$. As noted before, only the intended receiver A.3 will be able to interpret $L^s_{3,4}$ and decrypt the packet content accordingly. To a passive eavesdropper, $L^s_{3,4}$ only appears to be some meaningless random number, and it has no idea what the packet is about and to whom the packet is sent. Moreover, A.4 adds $L^{s+1}_{3,4}$ to its target LinkID table. The reason for inserting $L^{s+1}_{3,4}$ instead of $L^s_{3,4}$ is to prevent adversaries from identifying the relationship between this ARREP packet and subsequent data packets. Later on, when seeing a packet identified by $L^{s+1}_{3,4}$, A.4 knows that it is the end-to-end destination of that packet. An intermediate node can also generate an ARREP if it has a forward route entry for the dest_id with destSeq equal to or larger than that contained in the received ARREQ. The node needs to prepare an ARREP packet to be sent to its pre-hop node as well. Different from the destination, the intermediate node need not modify its target LinkID table. This case is straightforward and not shown for lack of space.
For a node on the reverse path, say A.3, when receiving an ARREP $\langle L^s_{3,4}, \{ARREP, ID_{A.4}, 51\}_{k^s_{3,4}} \rangle$ from its next hop, A.3 will discard it if the embedded destSeq, 51 in this case, is smaller than that in its reverse route table. Otherwise, A.3 will decrypt the ARREP, then form and transmit a new ARREP $\langle L^s_{2,3}, \{ARREP, ID_{A.4}, 51\}_{k^s_{2,3}} \rangle$. Here $\langle k^s_{2,3}, L^s_{2,3} \rangle$ is the next-to-be-used pair shared between A.3 and the pre-hop node "$PS^1_{A.2}$" (in fact, node A.2) stored in its reverse route table. A.3 also needs to update its forwarding route table as follows. If it does not have an entry for $ID_{A.4}$, a new entry will be created. Or, if the entry for $ID_{A.4}$ has a smaller destSeq than that in the ARREP, the old entry will be replaced with the new information, i.e., dest_id, destSeq, pre-LinkID-list, and next-LinkID-list will be set to $ID_{A.4}$, the destSeq in the ARREP, $L^{s+1}_{2,3}$, and $L^{s+1}_{3,4}$, respectively. If A.3 already has an entry for $ID_{A.4}$, and the new destSeq in the ARREP is equal to the old one, it updates the route entry by appending $L^{s+1}_{3,4}$ and $L^{s+1}_{2,3}$ to the next-LinkID-list and pre-LinkID-list fields of its forwarding route entry, respectively. Therefore, MASK may simultaneously maintain several next-hop and pre-hop LinkIDs for one dest_id (called virtual multipath functionality in this chapter) in the forwarding route table. This operation is different from that of AODV [5], in which a node suppresses routing replies with the same destination sequence number. The reason for adopting this design will be stated in the subsequent subsection. Also notice that the LinkIDs inserted into forwarding route tables are always the ones next to those used to identify the ARREPs, so that adversaries cannot correlate the ARREPs with subsequent data packets. The above process continues until the ARREP reaches the source A.1. An exception in the route reply process is that, in MASK, since each node is required to rebroadcast the ARREQ message no matter whether it replies or not, the ARREPs coming back to an intermediate node which replied before may present inconsistent state information that may cause routing loops. Therefore, we require that the intermediate nodes which have already replied ignore the route replies with the same destSeq.
Notice that in the route reply process, all the ARREP packets are encrypted and identified by the LinkIDs, which are only interpretable by the intended local receivers. A passive eavesdropper might see discrete transmissions everywhere, but it will not be able to tell the content of a particular transmission, neither can it tell who is transmitting and who is receiving, nor which node is the source, due to the anonymous neighborhood authentication.
Figure 2-2: Anonymous packet forwarding. [Figure not recoverable from the extraction; the visible panel is a target LinkID table.]
Anonymous packet forwarding. The packet forwarding in MASK is more like virtual circuit switching. By looking up its forwarding route table, the source picks a random LinkID from the next-LinkID-list field of the entry for the destination; a packet is then formed and sent to the next-hop neighbor that shares the chosen LinkID. As noted before, a packet is of format $\langle$LinkID, data$\rangle$, where the data part carries the protocol and application data. Depending on the application, the data part can be encrypted and authenticated by the Skey corresponding to the forwarding LinkID. When seeing a packet in which the embedded LinkID matches one of the values in the pre-LinkID-list of a forwarding route entry, an intermediate node randomly selects a LinkID from the next-LinkID-list field of that entry and re-unicasts the packet to the chosen next hop. Following this process, a packet can finally reach the destination, which will terminate the forwarding when finding the LinkID in its target LinkID table. An example of anonymous packet forwarding is depicted in Fig. 2-2, in which a set of forwarding links (denoted by directional solid lines) have been established, each labeled with the LinkID randomly selected from the next-LinkID-list field of the forwarding route entry for the destination A.4 at the respective node. As we can see, due to the random selection of next-hop LinkIDs at each intermediate node, MASK has the nice mixing property that packets of the same flow may travel through different paths to the destination. This makes it more difficult for adversaries to correlate observed radio transmissions to acquire actual network traffic patterns. It also increases the difficulty for adversaries in tracing a packet en route from its original source to the final destination. The shortcoming is that MASK does not always use the best path, e.g., the shortest-hop path, for packet forwarding, so it may introduce extra delay and/or delay jitter. However, for security-sensitive MANETs demanding anonymity protection, we argue that this tradeoff of routing efficiency for anonymity is acceptable. In addition, we will see in Section 2.4.2 that such random packet forwarding can help improve the routing performance under heavy traffic load.
When all the next-hop nodes for one destination become unavailable due to mobility or other reasons, a node needs to locally broadcast an anonymous route error (ARRER) packet carrying the pre-LinkID-list of the affected forwarding route entry to inform its upstream nodes; the packet is again identified by a predefined universal LinkID consisting of all 1's. Any neighboring node which has one of the LinkIDs in the received pre-LinkID-list should remove it from the next-LinkID-list field of its corresponding forwarding route entry. If its own next-LinkID-list becomes empty as well, it should also broadcast a similar ARRER packet. When the source has no available next-hop LinkIDs for the destination, it should restart the anonymous route discovery process.
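The forwarding route table rules, random next-hop forwarding, target LinkID termination and ARRER pruning of this subsection, as an added example that is not the dissertation's code. LinkIDs are modelled as opaque labels L{x}{y}_{s} (the s-th LinkID of link A.x-A.y) rather than hash outputs, and the two-path topology A.1-A.2-A.4 / A.1-A.3-A.4 with two equal-destSeq ARREPs is a constructed setting chosen to exercise the virtual multipath behaviour.

```python
import random


def link_id(x: int, y: int, s: int) -> str:
    """Opaque label standing in for the s-th LinkID shared by neighbours A.x and A.y."""
    return f"L{min(x, y)}{max(x, y)}_{s}"


class Node:
    def __init__(self, name: int):
        self.name = name
        self.forward = {}    # dest_id -> {"destSeq": int, "pre": set(), "next": set()}
        self.target = set()  # target LinkID table: packets bearing these end here

    def on_arrep(self, dest_id, dest_seq, next_link, pre_link):
        """Forwarding-table update when an ARREP for dest_id is relayed through here.
        next_link / pre_link are the LinkIDs *next* to the ones that carried the ARREP
        downstream and upstream (None at the source side, where nothing is upstream)."""
        entry = self.forward.get(dest_id)
        if entry is not None and entry["destSeq"] > dest_seq:
            return "discarded"                        # stale reply
        if entry is None or entry["destSeq"] < dest_seq:
            entry = {"destSeq": dest_seq, "pre": set(), "next": set()}
            self.forward[dest_id] = entry             # create or replace the entry
            outcome = "replaced"
        else:
            outcome = "appended"                      # equal destSeq: virtual multipath
        if pre_link is not None:
            entry["pre"].add(pre_link)
        if next_link is not None:
            entry["next"].add(next_link)
        return outcome

    def next_hop(self, dest_id, in_link, rng):
        """LinkID to re-unicast a packet on; None when this node is its destination."""
        if in_link in self.target:
            return None
        entry = self.forward.get(dest_id)
        if entry is None or (in_link is not None and in_link not in entry["pre"]):
            raise LookupError(f"A.{self.name}: no forwarding entry matches {in_link}")
        if not entry["next"]:
            raise LookupError(f"A.{self.name}: next-LinkID-list empty, ARRER needed")
        return rng.choice(sorted(entry["next"]))     # random next-hop selection

    def on_arrer(self, dest_id, dead_links):
        """Prune LinkIDs reported in a neighbour's ARRER; True if we must relay one."""
        entry = self.forward.get(dest_id)
        if entry is None:
            return False
        entry["next"] -= set(dead_links)
        return not entry["next"]


def install_route(path, dest_id, dest_seq, s=1):
    """Replay an ARREP travelling back along `path` (source first, destination last)
    that was carried on the s-th LinkIDs; the tables store the (s+1)-th ones."""
    nxt = [link_id(path[i].name, path[i + 1].name, s + 1) for i in range(len(path) - 1)]
    path[-1].target.add(nxt[-1])                      # destination: target LinkID table
    for i, node in enumerate(path[:-1]):
        node.on_arrep(dest_id, dest_seq, nxt[i], nxt[i - 1] if i > 0 else None)
    return nxt


def send(net, src, dest_id, rng, max_hops=8):
    """Forward one packet hop by hop; returns (terminating node name, LinkID trace)."""
    node, in_link, trace = src, None, []
    for _ in range(max_hops):
        out = node.next_hop(dest_id, in_link, rng)
        if out is None:
            return node.name, trace
        trace.append(out)
        x, y = net[out]                               # the two nodes sharing that LinkID
        node, in_link = (y if node is x else x), out
    raise RuntimeError("forwarding did not terminate")


def run_demo(seed=7, packets=40):
    """Constructed topology A.1-A.2-A.4 and A.1-A.3-A.4; two ARREPs with destSeq 51
    reach A.1, so its entry holds two next-hop LinkIDs (virtual multipath)."""
    nodes = {n: Node(n) for n in (1, 2, 3, 4)}
    net = {link_id(a, b, 2): (nodes[a], nodes[b])
           for a, b in ((1, 2), (2, 4), (1, 3), (3, 4))}
    dest = "ID_A.4"
    install_route([nodes[1], nodes[2], nodes[4]], dest, 51)
    install_route([nodes[1], nodes[3], nodes[4]], dest, 51)
    rng = random.Random(seed)
    return nodes, dest, [send(net, nodes[1], dest, rng) for _ in range(packets)]
```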
2.3.4 Countermeasures against Attacks
Up to now, we have described the basic operations of MASK with a focus on how to provide anonymity in neighborhood authentication, route discovery, and packet forwarding. In what follows, we describe some security enhancements and discuss more attacks that MASK is able to defend against.
Message coding attack. The message coding attack happens when adversaries can easily link and trace some packets that do not change their contents or lengths during transmission. Two countermeasures are designed in MASK to cope with this kind of attack. First, random padding on every forwarded packet is used by intermediate nodes to prevent the attack resulting from a fixed packet length. Intermediate nodes can randomly adjust the length and content of the random padding. Second, the per-hop link encryption method through established pairwise Skeys can be used in MASK as well. The purpose here is to make the same packet appear quite different across links.
Flow recognition and message replay attacks. The flow recognition attack occurs when adversaries can recognize packets related to the same communication flow. Notice that, in MASK, the same packet bears completely different and uncorrelated LinkIDs when transmitted across different hops. Therefore, it is not possible to trace a packet by its LinkID. However, if the packets belonging to a single flow always use the same LinkID at the same hop, adversaries may obtain some useful information. Fortunately, the aforementioned random packet forwarding can partially mitigate this attack. In fact, an intermediate node works as a multiplexer which takes inputs from multiple pre-links, mixes them together, and sends them out to multiple next-links. In addition, we require that two neighboring nodes automatically change their currently-used shared LinkID either on a per-packet basis or periodically. In doing so, MASK leaves adversaries a dynamic set of LinkIDs for the same flow at each hop. Moreover, dynamic LinkIDs at each hop effectively thwart the message replay attack, in which adversaries replay an old packet repeatedly to recognize the packet forwarding pattern.
Timing analysis attack. Suppose adversaries can divide the monitored area into
small cells. They might ascertain that one source or destination exists in one cell by
observing that no packets go into or come out of that cell while some packets come out of
or go into that cell during a certain time interval. In addition, adversaries might guess that
two consecutive radio transmissions belong to the same communication flow. These attacks
belong to the category of the timing analysis attack.
In MASK, packets transmitted in the air are only identified by seemingly random LinkIDs. When the network traffic load is high and every node is busy transmitting and receiving, all the transmissions will be mixed together, which makes timing analysis very difficult. However, when the traffic load is light, several precautions need to be taken against the alleged timing analysis attack. First, when a destination receives a packet destined for it, it can forge a packet with a fake LinkID and forward it further. By doing so, it tries to fool adversaries into believing that the observed radio transmission does not end at the destination. The destination can also use genuine LinkIDs to ask its trusted neighbors to help further enlarge the suspicious area viewed by adversaries. Second, a packet needs to wait a random amount of time before being forwarded, so that an earlier-arriving packet may be forwarded after a later arrival. Last, even without being involved in any communications, nodes can send dummy packets [19] with fake LinkIDs at random intervals to increase the difficulty for adversaries in determining the originating and terminating areas of observed radio transmissions. The purpose here is to introduce more randomness into the radio transmissions so as to conceal the real network traffic patterns, at the cost of increased communication overhead.
2.3.5 Replenishing Pseudonym/Secret Point Pairs
In our MASK, each node is required to use dynamic pseudonym/secret point pairs. If the network has a rather long lifetime, however, a node may sooner or later use up the preloaded pseudonym/secret point pairs. If this occurs, a node can reuse old pairs, starting from the first one. This measure can prevent adversaries from continuously tracking the movement of individual nodes if there are sufficiently many preloaded pairs. Nevertheless, it may still offer useful attack clues to powerful adversaries: adversaries may roughly ascertain the movement of certain nodes by observing that a pre-recorded pseudonym reappears in a certain network location.
To avoid the above situation and ensure strong anonymity protection, it is necessary to introduce the TA functionality into the network, whereby mobile nodes can get replenishment of pseudonym/secret point pairs. Since using a single TA is vulnerable to a single point of failure, we propose to employ Shamir's secret-sharing technique [15] to enable a more scalable, secure solution. To do this, the TA executes the following additional operations when bootstrapping network A:
1. Determine a $(t-1)$-degree ($1 \le t \le N_A$) polynomial, $h(z) = g_A + \sum_{i=1}^{t-1} a_i z^i$, with random coefficients $a_i \in Z_q^*$ and $g_A$ being the group master key.
2. Select $n$ ($t \le n \le N_A$) nodes from A, either without distinction or by considering node heterogeneity and choosing physically more secure or computationally more powerful ones. We call these nodes shareholders, denoted by $\mathcal{SH} = \{SH.k \mid 1 \le k \le n\}$.
3. Calculate a share of $g_A$ as $g_k = h(ID_{SH.k})$ and assign it to SH.k.
4. Choose an arbitrary generator $W \in G_1$ and compute a set of share commitments as $SC = \{W^{pub}_k = g_k W \mid 1 \le k \le n\}$.
$\mathcal{SH}$, $SC$ and $W$ are appended to the public system parameters known to every node. An interesting fact is that, although each SH.k does not have full knowledge of $g_A$, any $t$ of them can collectively reconstruct $g_A$, while any fewer than $t$ cannot. For example, based on Lagrange interpolation, shareholders SH.1, SH.2, ..., SH.t can determine $g_A$:
$g_A = \sum_{i=1}^{t} \lambda_i g_i, \quad \text{where } \lambda_i = \prod_{j=1,\, j \ne i}^{t} \frac{ID_{SH.j}}{ID_{SH.j} - ID_{SH.i}}. \quad (2.3)$
During network operation, when a node, say A.1, almost runs out of preloaded pseudonym/secret point pairs, it can get replenishment by sending a request including the list of desired new pseudonyms to each of $t$ randomly-picked shareholders. Without loss of generality, assume that shareholders SH.1, SH.2, ..., SH.t are selected by A.1. For each pseudonym $PS^k_{A.1}$ in the request, each chosen SH.i generates a partial secret point $SP^{(i)} = g_i H_1(PS^k_{A.1})$ and sends it back to A.1. To verify the authenticity of each $SP^{(i)}$, A.1 needs to check whether $\hat{e}(SP^{(i)}, W) = \hat{e}(H_1(PS^k_{A.1}), W^{pub}_i)$. Notice that, due to Eq. (2.1), the two sides of the equation are equal to the same value $\hat{e}(H_1(PS^k_{A.1}), W)^{g_i}$ if $SP^{(i)}$ is authentic. As a result, if the verification fails, A.1 knows that there must be something wrong with SH.i. For example, the reply from SH.i might have undergone transmission errors, or even SH.i itself might have been physically or logically controlled by adversaries. A.1 can then request a new partial secret point from another, unselected shareholder. Once obtaining $t$ authentic partial secret points, A.1 utilizes Eq. (2.3) to calculate the complete secret point:
$SP^k_{A.1} = \sum_{i=1}^{t} \lambda_i SP^{(i)} = g_A H_1(PS^k_{A.1}). \quad (2.4)$
Same as before, node A.1 cannot deduce $g_i$ from $SP^{(i)}$, neither can it obtain $g_A$ from $SP^k_{A.1}$, due to the difficulty of solving the DLP in $G_1$. It is worth noting that all the requests and replies should be end-to-end encrypted and authenticated to prevent adversarial access and modification. How to fulfill them is beyond the scope of this chapter.
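Steps 1-4 and Eqs. (2.3)-(2.4) as an added example that is not the dissertation's code. $Z_q$ under ordinary modular multiplication stands in for scalar multiplication in $G_1$ (so, unlike the real scheme, the DLP is trivial here), and the pairing check $\hat{e}(SP^{(i)}, W) = \hat{e}(H_1(PS), W^{pub}_i)$ becomes the identity $SP^{(i)} W = H_1(PS)\, W^{pub}_i$ it reduces to under bilinearity; the prime, shareholder IDs and the tampered reply are constructed.

```python
import hashlib
import random

Q = 2**127 - 1   # constructed prime standing in for the group order q


def H1(pseudonym: bytes) -> int:
    """H1: pseudonym -> non-zero element (stand-in for a non-zero point of G1)."""
    return 1 + int.from_bytes(hashlib.sha256(pseudonym).digest(), "big") % (Q - 1)


def lagrange_coeffs(ids):
    """lambda_i = prod_{j != i} ID_j / (ID_j - ID_i) mod q: Eq. (2.3) at z = 0."""
    coeffs = []
    for i, id_i in enumerate(ids):
        num, den = 1, 1
        for j, id_j in enumerate(ids):
            if j != i:
                num = num * id_j % Q
                den = den * (id_j - id_i) % Q
        coeffs.append(num * pow(den, -1, Q) % Q)
    return coeffs


class TrustedAuthority:
    """Bootstrap steps 1-4 for group A (shareholder_ids is the step-2 choice)."""

    def __init__(self, g_A: int, t: int, shareholder_ids, seed: int = 0):
        rng = random.Random(seed)
        self.t = t
        # Step 1: h(z) = g_A + a_1 z + ... + a_{t-1} z^{t-1}, a_i random in Z_q^*
        self.poly = [g_A] + [rng.randrange(1, Q) for _ in range(t - 1)]
        # Step 3: shares g_k = h(ID_SH.k), one per shareholder
        self.shares = {sid: self._h(sid) for sid in shareholder_ids}
        # Step 4: generator W and public commitments W_k^pub = g_k W
        self.W = rng.randrange(2, Q)
        self.commitments = {sid: g_k * self.W % Q for sid, g_k in self.shares.items()}

    def _h(self, z: int) -> int:
        return sum(a * pow(z, i, Q) for i, a in enumerate(self.poly)) % Q


def partial_secret_point(share: int, pseudonym: bytes) -> int:
    """Shareholder SH.i's reply: SP^(i) = g_i H1(PS)."""
    return share * H1(pseudonym) % Q


def verify_partial(sp_i: int, pseudonym: bytes, W: int, W_i_pub: int) -> bool:
    """e(SP^(i), W) == e(H1(PS), W_i^pub), written out in the stand-in group."""
    return sp_i * W % Q == H1(pseudonym) * W_i_pub % Q


def replenish(pseudonym, replies, W, commitments, t):
    """A.1's side: drop unverifiable replies and combine t authentic ones (Eq. 2.4).
    replies: {shareholder_id: SP^(i)}. Returns (SP, rejected_ids); raises when fewer
    than t replies survive, i.e. another, unselected shareholder must be asked."""
    good = {sid: sp for sid, sp in replies.items()
            if verify_partial(sp, pseudonym, W, commitments[sid])}
    rejected = sorted(set(replies) - set(good))
    if len(good) < t:
        raise ValueError(f"only {len(good)} authentic partial points, need {t}")
    ids = sorted(good)[:t]
    lam = lagrange_coeffs(ids)
    sp = sum(l * good[sid] for l, sid in zip(lam, ids)) % Q
    return sp, rejected


def reconstruct_master(shares):
    """Eq. (2.3): g_A = sum lambda_i g_i over the shares {ID: g_i} given."""
    ids = sorted(shares)
    return sum(l * shares[sid] for l, sid in zip(lagrange_coeffs(ids), ids)) % Q


def demo(seed: int = 3):
    """Constructed run: five shareholders, t = 3, one reply corrupted in transit."""
    g_A = random.Random(seed).randrange(1, Q)
    ta = TrustedAuthority(g_A, t=3, shareholder_ids=[11, 22, 33, 44, 55], seed=seed)
    ps = b"PS-A1-new-7"
    replies = {sid: partial_secret_point(ta.shares[sid], ps) for sid in (11, 22, 33, 44)}
    replies[22] = (replies[22] + 1) % Q               # SH.22's reply arrives corrupted
    sp, rejected = replenish(ps, replies, ta.W, ta.commitments, ta.t)
    return {
        "sp": sp,
        "expected": g_A * H1(ps) % Q,                  # g_A H1(PS), the real secret point
        "rejected": rejected,
        "t_shares_suffice": reconstruct_master({k: ta.shares[k] for k in (22, 44, 55)}) == g_A,
        "fewer_fail": reconstruct_master({k: ta.shares[k] for k in (11, 33)}) == g_A,
    }
```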
In terms of the choice of the secret-sharing parameters $t$, $n$, we have shown in [20] that, when $t = \lceil n/2 \rceil$ and $n$ is equal to either $2\lceil N_A/2 \rceil - 1$ or $2\lceil N_A/2 \rceil + 1$, the maximum security can be obtained. Currently, we are investigating proactive approaches to further improve the security of the proposed scheme, e.g., by dynamically adjusting the shareholder set and the values of $t$, $n$ to allow dynamic node join/leave without changing $g_A$ while maintaining the highest level of security.
Table 2-1: Processing timings of cryptographic operations.
Item | Processing timings
Tate pairing | 8.5 ms
SHA-1 | 18.980 MB/s
Computation of $\langle$Skey, LinkID$\rangle$ pairs | 2.4 ms (for 1000 pairs)
RC6 | 7.111 MB/s
2.4 Performance Evaluation
In this section, we evaluate the routing performance of MASK through simulations.
2.4.1 Simulation Setup
We implement MASK in GloMoSim [21], a popular network simulator for MANETs, and the pairing implementation is based on the MIRACL library [22]. The bilinear map $\hat{e}$ we use is the Tate pairing, with some of the modifications and performance improvements described in [12, 14]. We use two security parameters, a 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$ and a 512-bit prime $p = 12qr - 1$ (for some $r$ large enough to make $p$ the correct size). Such bit-length configurations of $q$, $p$ can deliver a level of security comparable to 1024-bit RSA cryptography. The elliptic curve $E$ we use is $y^2 = x^3 + x$ defined over the finite field $F_p$ (denoted by $E(F_p)$). Then $G_1$ is a $q$-order subgroup of the additive group of points of $E(F_p)$, while $G_2$ is a $q$-order subgroup of the multiplicative group of the finite field $F^*_{p^2}$. In addition, we use SHA-1 [16] as the hash function $H_2$ and RC6 [18] as the encryption method used for ARREPs and data packets.
We evaluate the computational costs of critical cryptographic operations in MASK on a Pentium III 1 GHz processor under Windows 2000. For convenience only, we assume the lengths of node pseudonyms, random nonces, $F$, and LinkIDs (also Skeys) to be 8, 4, 2, and 20 bytes, respectively. In fact, the impact of larger lengths on the results is negligible. From Table 2-1, we can see that the most time-consuming operation is the Tate pairing required by anonymous neighborhood authentication. Since the pairing is a relatively new concept, we anticipate that its evaluation cost will be much reduced with the rapid advance in cryptography. For example, Barreto et al. [23] recently announced an approach to evaluate the Tate pairing up to 10 times faster than previous methods, the implementation of which is underway.
Also note that the Tate pairing only needs to be performed once for a pair of neighboring nodes, and then the result can be fed into the fast SHA-1 to compute shared $\langle$Skey, LinkID$\rangle$ pairs. Supposing a node maintains $F = 1000$ pairs with each neighbor, the computation of such 1000 pairs only costs around 2.4 ms. Hence, when two neighboring nodes run out of the established shared pairs, they can generate new $F$ pairs instantly. Moreover, the hop-by-hop link encryption/decryption operations based on RC6 are not time-consuming and can be done in a very fast manner. Therefore, although we introduce some cryptographic operations into MASK to provide the desirable anonymity property, the resulting computation overhead and end-to-end packet delay are affordable.
The physical-layer path loss model is the two-ray model. The radio propagation range
for each node is 250 meters and the channel capacity is 2 Mb/s. The base MAC protocol
used is the DCF of IEEE 802.11, with some modifications according to MASK operations.
We simulate an ad hoc network with 50 nodes uniformly deployed in a 700 x 700 m^2 square
field. To emulate node mobility, we modify the random waypoint model in the GloMoSim
library according to [24] in order to guarantee the convergence of average nodal speed
within the simulation time. In particular, initial speeds of nodes are chosen from the steady-
state distribution, and subsequent speeds uniformly from the designated speed range. In
addition, the pause time is set to zero, meaning that nodes are always moving. CBR
sessions are used to generate network data traffic and various numbers of sources are used to
simulate different offered loads. All the data packets are 512 bytes and are sent at a rate
of 4 packets/second. Each simulation is executed for 15 simulated minutes and each data
point represents an average of ten runs with identical traffic models, but different randomly
generated mobility scenarios.
In our implementation of MASK, we add a fixed delay of 150 µs in each node to mimic
the encryption/decryption processing of ARREPs and data packets with RC6 for simplicity.
The purpose is to withstand the aforementioned message coding attack (cf. 2.3.4). In
addition, the random delay method for data packets to be forwarded is also adopted in each
node to thwart the timing analysis attack (cf. 2.3.4), where the random delay is uniformly
distributed in [0, 50] ms. Furthermore, we set the maximum number of next-hop
LinkIDs maintained for one destination to three. We compare the routing performance
of MASK with the classical AODV routing protocol [5] with regard to three commonly-used
metrics: (1) Packet delivery ratio (PDR): the ratio of data packets successfully delivered
to the destination over those generated at the sources; (2) Average end-to-end delay of
data packets: this includes all possible delay caused by buffering during route discovery,
queuing delay at the interface, retransmission delay at the MAC, and propagation delay;
(3) Normalized routing load: the total number of routing control packets transmitted
for each delivered data packet. Each hop-wise transmission of a routing control packet is
counted as one transmission.
2.4.2 Simulation Results
Fig. 2-3(a) compares the PDRs of MASK and AODV under different traffic loads.
We can see that MASK has a PDR similar to AODV under normal traffic load (i.e., 20
sources). The slight difference partly comes from the fact that routing request packets in
MASK have a higher probability of colliding with and causing the dropping of data packets
than those in AODV due to the simple network-wide flooding of ARREQs in contrast to the
expanding-ring-search method of AODV [5]. Another reason is that data packets in MASK
are not always routed along the shortest paths due to the random selection of next-hops
at intermediate nodes, which increases the dropping probability of data packets forwarded
along longer paths. However, MASK outperforms AODV under heavy traffic load (i.e., 40
sources), where packets are more subject to collisions due to the high level of network con-
gestion. The observed advantage mainly results from the aforementioned virtual multipath
effect in MASK, that is, MASK may simultaneously maintain several next-hop LinkIDs for
one given destination. If one of the next-hops becomes unreachable due to mobility, colli-
sions or other reasons, a packet can still be forwarded through another available next-hop
rather than being dropped as in AODV. Moreover, the random selection of next-hops at
intermediate nodes acts as a load balancing method for evenly distributing the traffic in the
network. For the same reason, MASK demonstrates comparable or lower routing overhead
than AODV (see Fig. 2-3(b)) because MASK conducts route discovery less frequently
than AODV.
In terms of the average packet delay (Fig. 2-3(c)), MASK behaves worse than AODV
under normal traffic load as a result of the per-hop random delay, the fixed encryp-
tion/decryption delay, and the delay incurred by the Tate pairing operations. Therefore,
there is a tradeoff between the desired packet delay and the level of anonymity. However,
under heavy traffic load, both the virtual multipath effect and the processing delay (in-
cluding the above three) introduced into MASK can help mitigate the possible MAC-layer
collisions, which contributes to the shown advantage of MASK over AODV in Fig. 2-3(c).
In summary, our MASK not only achieves the desirable anonymity without sacrificing
routing efficiency, but also helps improve it under heavy traffic load.
[Figure 2-3: The comparison between MASK and AODV. (a) PDR vs. V. (b) Normalized routing load vs. V. (c) Average packet delay vs. V. Each panel plots AODV and MASK with 20 and 40 sources against average nodal speed (m/s).]
2.5 Related work
Anonymous communication protocols have been studied extensively in wired net-
works. Chaum [25] defines a layered object that routes data through a chain of pre-deployed
intermediate nodes called mixes. Following this work, Reed et al. propose an interesting
Onion routing protocol [26], in which data is wrapped in a series of encrypted layers to
form an onion by a series of proxies communicating over encrypted channels. The state
of the art of wired network anonymity can be found in [27]. However, the proposals in
the Internet realm cannot be directly applied to MANETs mainly because the prerequisite
pre-deployed infrastructure such as the well-known mixes is often unavailable in infrastruc-
tureless MANETs.
In contrast, there is little work done to address the anonymity problem and related
issues in the context of MANETs. Jiang et al. explore the use of mixes in MANETs
[28] by designing a mix discovery protocol that allows communicating nodes to choose mix
nodes at run time. As noted before, such mix nodes are either unavailable or unreliable
in MANETs deployed in hostile environments. The same authors also propose to prevent
traffic analysis by using traffic padding, i.e., generating dummy traffic into the network [19],
but their work does not aim to enable anonymous communications. Most recently, Kong
and Hong propose an anonymous on-demand routing protocol, called ANODR [29], to
conceal network IDs of communicating nodes. Besides the computationally intensive route
discovery process, ANODR is very sensitive to node mobility, which leads to low routing
efficiency, as the authors mentioned. By comparison, our MASK enables an AODV-like
anonymous on-demand routing protocol with high routing efficiency. In addition, MASK
addresses anonymous MAC-layer communications, which is left untouched in [29].
2.6 Summary
In this chapter, we propose MASK, a novel anonymous on-demand routing protocol,
to enable both anonymous MAC-layer and network-layer communications so as to thwart
adversarial, passive eavesdropping and the resulting attacks. By a careful design, MASK
provides the anonymity of senders, receivers and sender-receiver relationships, as well as
node unlocatability and untrackability and end-to-end flow untraceability. It is also resilient
to a wide range of attacks. Detailed simulation studies demonstrate that MASK has com-
parably high routing efficiency to the classical AODV routing protocol while achieving the nice
This chapter focuses on dealing with passive attacks and thus there are several unad-
dressed issues in the current MASK design. First, anonymous neighborhood authentication
in MASK relies on pairing operations, which currently have similar computational overhead
to conventional public-key operations. Therefore, adversaries might launch active DoS at-
tacks on target nodes by continuously sending a number of bogus authentication requests,
which is a problem any authentication scheme has to face. Second, the routing information
in the current design is only secured against external adversaries. Once becoming internal
adversaries by compromising certain nodes, adversaries can send bogus routing messages
that are difficult for legitimate nodes to verify. Third, although pairing-based cryptography
is an active research topic nowadays, its implementation on low-end devices is still an open
problem.
As future research, we will first incorporate some intrusion detection capabilities
into MASK to defend against not only passive attacks but also active DoS-type attacks such
as those mounted on neighborhood authentication. In addition, we plan to combine
MASK with other secure routing protocols such as [8, 9] to ensure both routing anonymity
and strong routing security. Finally, we will seek theoretical proofs to show the resilience
of MASK to rigorous adversarial cryptanalysis.
CHAPTER 3
SECURING MOBILE AD HOC NETWORKS WITH CERTIFICATELESS PUBLIC
KEYS
3.1 Introduction
In this chapter, we are concerned with key management, the foundation on which to
build any other security mechanism for MANETs.
Conventional key management techniques may or may not require an online trusted server.
The infrastructureless nature of MANETs precludes the use of server-based protocols
such as Kerberos [30]. We therefore focus on discussing serverless approaches from here
on. There are two intuitive symmetric-key solutions, though neither is satisfactory. The
first one is to preload all the nodes with a global symmetric key, which creates a single
point of compromise: if any single node is compromised, the security of the entire network
is breached. Assuming a network of N nodes, the other solution is to let each pair of nodes
maintain a unique secret that is only known to those two nodes. This approach suffers from
three main drawbacks making it also unsuitable for MANETs. First, it lacks scalability
because it is difficult to establish pairwise symmetric keys between existing nodes and
newly joined nodes. Second, securely updating the overall N(N − 1)/2 keys in the network
is a nontrivial (if not impossible) task as the size of the network increases. Last, it requires
each node to store (N − 1) keys, which may represent a significant storage overhead in a
large network. Symmetric-key techniques are also commonly criticized for not supporting
efficient digital signatures because each key is known to at least two nodes. This renders
public-key solutions more appealing for MANETs, which are the theme of this chapter.
There has been a rich literature on public-key management in MANETs, see [31, 32,
33, 34, 35, 36] for example. These schemes all depend on certificate-based cryptography
(CBC), which uses public-key certificates to authenticate public keys by binding public
keys to the owners' identities. A main concern with CBC-based approaches is the need
for certificate-based public-key distribution. One naive method is to preload each node
with all the others' public-key certificates prior to network deployment. This approach can
neither scale well with the increasing network size, nor handle key update in a secure and
cost-effective way. Another approach of on-demand certificate retrieval may cause both
unfavorable communication latency and often tremendous communication overhead, which
will be justified via simulations in Section 3.5.5.
As a powerful alternative to CBC, ID-based cryptography (IBC) [11] has been gaining
momentum in recent years. It allows public keys to be derived from entities' known iden-
tity information, thus eliminating the need for public-key distribution and certificates. This
nice feature has inspired a few IBC-based certificateless public-key management schemes
for MANETs such as [37, 38, 39, 20]. The basic idea is to let some [37, 38, 20] or all network
nodes [39], called shareholders, share a network master-key using threshold cryptography
[15, 40] and collaboratively issue ID-based private keys. There, however, remain many is-
sues to be satisfactorily resolved. First of all, the security of the whole network is breached
when a threshold number of shareholders are compromised. Second, updating ID-based
public/private keys requires each node to individually contact a threshold number of share-
holders, which represents a significant communication overhead in a large-scale MANET.
Third, except our preliminary result in [20], none of existing proposals consider how to
select the secret-sharing parameters used with threshold cryptography to achieve desirable
levels of security and robustness. Last, there is no comprehensive quantitative argument
about the advantages of IBC-based public-key management schemes over CBC-based ones.
In this chapter, we address all the above concerns by devising an ID-based key manage-
ment scheme, called IKM, for special-purpose MANETs administered by a single authority.
MANETs of this type have long been recognized and will continue to be one of the ma-
jor application categories of wireless ad hoc networking techniques. Typical examples are
those deployed in military battlefield operations and homeland security scenarios. Our
major contributions are as follows:
* A novel construction method of ID-based public/private keys. In IKM, each
node's public key as well as private key is composed of a node-specific, ID-based
element and a network-wide common element. Node-specific key elements ensure
that the compromise of arbitrarily many nodes does not jeopardize the secrecy of
non-compromised nodes' private keys; common key elements enable very efficient
network-wide public/private key updates via a single broadcast message. We also
discuss efficient key agreement, public-key encryption, and digital signatures based
on such public/private keys.
* Determining secret-sharing parameters used with threshold cryptography.
Similar to [37, 38, 39], we apply threshold cryptography to distribute a network
master-key among some shareholders. Different from them, we identify devastating
pinpoint attacks against shareholders and propose the corresponding countermeasure
based on anonymous routing [41]. In addition, we discuss how to choose the secret-
sharing parameters for meeting desirable levels of security and robustness.
* Simulation studies of advantages of IKM over CBC-based schemes. By
detailed simulations, we show that IKM has equivalent performance to CBC-based
schemes, denoted by CKM, with regard to key revocation, while behaving much better
in key updates. Furthermore, we demonstrate that IKM is able to turn an elegant
CKM-based secure routing protocol [42] into a much more efficient one.
Since most existing MANET security mechanisms rely on the heavy use of certificates,
we believe that our findings open a new avenue towards more effective, efficient security
designs.
The rest of the chapter is organized as follows. In Section 3.2, we define the notation
to be used and survey the related work. Next we present design goals and the network and
adversary models in Section 3.3, followed by a detailed illustration of the IKM design in
Section 3.4. Then the simulation-based comparative study of our IKM and CKM is given
in Section 3.5, and this chapter is finally concluded in Section 6.8.
3.2 Preliminaries
In this section, we first define the notation to be used in the rest of this chapter, and
then survey the related work.
3.2.1 Notation
For clarity, Table 3-1 lists some important notation whose concrete meanings will be
further explained where they appear for the first time.
3.2.2 Related Work
Here we only discuss prior art that is more germane to our work, and refer to [43] for
a more comprehensive survey.
The seminal paper by Zhou and Haas [31] suggests using CBC and (t, n)-threshold
cryptography [15, 40] in MANETs. Let N be the overall number of nodes and t, n be two
integers satisfying t ≤ n < N. In [31], prior to network deployment, the CA's public key is
furnished to each node, while its private key is divided into n shares, each uniquely assigned
to one of n chosen nodes called D-CAs hereafter. During network operation, any t D-CAs
can jointly perform certificate generation and revocation based on their secret shares, while
any fewer than t D-CAs cannot. Yi and Kravets [34] propose to select computationally
more powerful and physically more secure nodes as D-CAs. Both schemes can tolerate the
compromise of up to (t − 1) D-CAs so that adversaries cannot reconstruct the CA's private
key, and the failure of up to (n − t) D-CAs so that there are always at least t functional
D-CAs.
Table 3-1: Notation
p, q                        two large primes
G1, G2                      cyclic groups of order q
ê                           a pairing s.t. ê : G1 × G1 → G2
H1                          mapping strings to non-zero elements in G1
𝒩                           the network node set, |𝒩| = N
𝒟                           the D-PKG set, |𝒟| = n
ID_A                        network ID of node A
t, n                        secret-sharing parameters
g(x)                        (t − 1)-degree polynomial
λ_V(x)s                     Lagrange coefficients
ID̄_A                        key revocation against node A
K_P1, K_P2                  two distinct network master secrets
W                           generator of G1
W_P1, W_P2                  W_P1 = K_P1 W ∈ G1, W_P2 = K_P2 W ∈ G1
k_{A,B}                     symmetric key shared between A and B
𝒫_i                         ith key update period, for 1 ≤ i ≤ M
K_A / K_A^{-1}              node-specific public-key and private-key elements of node A
K_{C,i} / K_{C,i}^{-1}      common public-key and private-key elements in phase 𝒫_i
salt                        unique binary string associated with 𝒫_i
K_{A,i} / K_{A,i}^{-1}      public/private keys of node A in phase 𝒫_i
K_P2^V                      the D-PKG V's secret share of K_P2
γ                           revocation threshold
F                           mapping a given node ID to β D-PKG IDs
h                           hash function such as SHA-1 [16]
{m}_k                       message m encrypted under key k, with a symmetric-key primitive
[m]_{K^{-1}}                message m with its ID-based signature generated under private key K^{-1}
Different from [31, 34], URSA [32, 36] is a (t, N)-threshold scheme in which each of the
N nodes is a D-CA. The advantage of URSA is the increased service availability in that a
certificate can now be generated or revoked by any t nearby nodes, and URSA can tolerate
the failure of up to (N − t) D-CAs. The disadvantage, however, is that the compromise of
any t out of N nodes would expose the CA's private key and thus result in loss of overall
system security [34]. In addition, as noted in [44], URSA is vulnerable to the Sybil attack
[45] because an adversary can take as many identities as necessary to collect enough shares
and reconstruct the CA's private key. Other security problems of URSA are analyzed in
[33, 46].
All the above schemes are based on RSA [47], either explicitly [32, 36] or implicitly
[31, 34, 35]. By comparison, the scheme in [33] relies on DSA [48] and threshold cryptography,
and has much worse communication efficiency than RSA-based schemes. The reason is that,
to tolerate the compromise of up to (t − 1) D-CAs, the DSA-based scheme needs to contact
(2t − 1) D-CAs for generating a new certificate, while RSA-based approaches only involve
t D-CAs [33]. Please refer to [39] for simulation studies of the communication inefficiency
of DSA-based approaches.
The aforementioned CBC-based schemes are all targeted for single-authority MANETs
as what we have in mind. Another notable line of approaches such as [44, 49] is to let each
node act as a CA to issue certificates to other nodes. While maybe suitable for authority-less
civilian networks, they are less fit for single-authority MANETs under consideration.
Despite its attractive features, IBC has not received deserved attention as a powerful
tool to secure MANETs until recently. Khalili et al. [37] suggest using IBC and threshold
cryptography in MANETs, but their work is conceptual. Deng et al. [38] present an ID-
based key management scheme for authority-less MANETs, which is thus less applicable to the single-
authority MANETs we aim at. Bohio and Miri [50] propose to use ID-based keys for secure
broadcast, but their work is not intended for efficient key management. Our preliminary
work [20] also addresses the secure application of IBC to MANETs. In addition, Zhang
et al. develop MASK [41, 51], an IBC-based anonymous on-demand routing protocol for
MANETs.
The closest work to ours is ID-GAC [39], in which Saxena et al. present an elegant
IBC-based access control scheme for ad hoc groups such as MANETs. ID-GAC is basically
a (t, N)-threshold scheme, in which, prior to deployment, each of the N nodes is furnished
with a share of a master-key. Although having high-level service availability as URSA
[36], ID-GAC suffers from the same undesirable security drawback mentioned above. In
contrast, our IKM is a (t, n)-threshold scheme, similar to [31, 34]. At first glance, IKM is
less robust than ID-GAC because it only tolerates the failure of up to (n − t) shareholders
instead of (N − t) in ID-GAC. However, this also means that IKM is more secure than ID-
GAC because the fewer shareholders make it feasible to spend more in safeguarding them,
for instance, by enclosing them in high-quality tamper-resistant devices and/or putting
them under better monitoring. In addition, our IKM incorporates an additional line of
defense by making shareholders indistinguishable from common nodes via anonymous routing
[41]. Furthermore, even when t or more shareholders are compromised and the master-key
is exposed, our novel public/private key construction method guarantees that private keys
of non-compromised nodes remain safe. This is in contrast to the overall loss of security
in ID-GAC (see Section 3.4.7). Moreover, each non-compromised node in ID-GAC needs
to individually contact t shareholders for key update. In contrast, our IKM is much more
efficient in both computation and communication by updating public/private keys of all the
non-compromised nodes via a single broadcast message. In addition, ID-GAC suffers
from the Sybil attack as URSA does, while our IKM does not.
3.3 Design Goals and System Models
In this section, we present our design goals as well as network and adversary models.
3.3.1 Design Goals
From our point of view, a sound key management scheme for MANETs should sat-
isfy the following requirements. First, it must not have a single point of compromise and
failure, because mobile nodes deployed in hostile environments are subject to either logical
or physical attacks. Second, it should be compromise-tolerant, meaning that the com-
promise of a certain number of nodes does not harm the communication security between
non-compromised nodes. Third, it should be able to efficiently and securely revoke keys
of compromised nodes once detected and update keys of non-compromised nodes. Last, it
should be efficient in terms of storage, computation, and communication, as mobile nodes
are usually very resource-constrained. It is worth stressing that communication efficiency is
a far more important issue in MANETs than in wireline networks, as wireless transmission
of a bit can require over 1000 times more energy than a single 32-bit computation (see [52]).
We thus must seek ways to reduce communications related to key management as much as
possible.
3.3.2 Network Model
We consider a special-purpose, single-authority MANET consisting of N nodes, de-
noted by a set 𝒩 (|𝒩| = N). The network size N may change dynamically
with node join, leave, or failure over time. Depending on the application, N may
range from several tens to several thousands or even more. Each node A ∈ 𝒩 has a unique
ID, denoted by ID_A and assumed to be its network-layer address as usual.
We assume that each node has limited transmission and reception capabilities. Two
nodes out of transmission range of each other can communicate via a sequence of interme-
diate nodes in a multihop fashion. Since all the nodes belong to a single authority and thus
have common interests, node selfishness [4] is not worrisome in that each node is ready to
forward packets not destined for itself. Nodes may freely move in the network, but do not
continuously move so rapidly as to make the flooding of every data packet the only feasible
routing protocol. This is a common assumption made about node mobility by nearly all
MANET schemes. We further assume that nodes are capable of performing public-key op-
erations, which is reasonable for the targeted application scenarios, though symmetric-key
operations should be used instead whenever possible.
Our IKM is independent of the underlying transport, routing, or MAC protocols. How-
ever, we do assume that, whenever needed, a valid unicast route can be established between
any two nodes. This can be achieved through many existing secure routing protocols, such
as ARAN [42]. It is worth pointing out that, similar to almost all the other existing secure
routing schemes, ARAN is built upon conventional certificates. In Section 3.5.5, we
will show that it can be easily converted into a much more efficient scheme based on our
IKM.
3.3.3 Adversary Model
Our intention here is to devise a sound key management scheme for MANETs, so we
only consider attacks aimed at key management itself. Mitigating denial-of-service attacks,
such as physical-layer jamming, MAC-layer misbehavior, or routing disruption, though
important, is beyond the scope of this chapter.
Attacks can be mounted by a single adversary or collaborating ones. We differentiate
between node compromise and disruption attacks. By saying that a node is compromised,
we mean that adversaries have complete control over it, including learning or modifying
its secret information, changing its intended behavior, and so on. In contrast, disrupting
a node means that adversaries can only disrupt communication to that node, e.g., by
interfering with wireless signals to and from it, but cannot read the secret information stored
on it. Therefore, node disruption attacks are less severe than node compromise attacks.
However, we assume that adversaries cannot compromise or disrupt an unlimited number
of nodes, so that legitimate nodes are always the majority. Neither can they break any of
the cryptographic primitives on which we base our design. In addition, we assume static
instead of adaptive adversaries [53].
We further assume that compromised nodes will eventually exhibit detectable mis-
behavior. There is unlikely to be a valid security solution if compromised nodes remain
undetected. As in [32, 36], we assume an efficient misbehavior detection scheme such as [3] or
[54]. One of our main objectives is to drive identified compromised nodes out of the network
by revoking their keys. Hereafter we use compromised nodes to indicate those which have
been compromised and identified, unless otherwise stated.
There are n distributed authorities called D-PKGs in our IKM, similar in role to the
distributed CAs (D-CAs) in conventional CKM [31, 32, 33, 34, 35, 36]. The D-PKGs differ
from common nodes only in that each of them knows a share of a network master-secret.
Similar to [31, 32, 33, 34, 35, 36], our IKM works properly on the assumption that adversaries
can compromise at most (t − 1) D-PKGs and can disrupt no more than (n − t) D-PKGs. For
the sake of simplicity, we refer to this assumption as the t-limited assumption. Note that
this t-limited assumption only needs to hold in each predetermined time period rather than
the whole network lifetime, if proactive secret sharing [55] is used to periodically refresh
the secret shares of the D-PKGs.
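As an added example, not the dissertation's or IKM's own code, the following Python script models the t-limited assumption with a Shamir (t, n)-threshold sharing of K_P2 over Z_q, using the 160-bit Solinas prime of Chapter 2 as the modulus q and the polynomial and Lagrange-coefficient form that Section 3.4.2 later describes. The D-PKG IDs, the master secret, the dealer's random seed and the compromised/disrupted sets are constructed sample values. It shows that any t functional D-PKGs reconstruct K_P2 while n − t disrupted ones leave the service intact, and that t − 1 leaked shares are consistent with every candidate secret, so an adversary below the threshold learns nothing.

```python
import random
from itertools import combinations

Q = 2**159 + 2**17 + 1          # prime modulus for the polynomial arithmetic


def make_shares(secret: int, ids, t: int, q: int = Q, seed: int = 7) -> dict:
    """Dealer: g(x) = secret + g_1 x + ... + g_{t-1} x^{t-1} (mod q); V gets g(ID_V).

    The seed is a constructed value so the shares are reproducible; a real
    dealer draws the coefficients from a cryptographic RNG."""
    rng = random.Random(seed)
    coeffs = [secret % q] + [rng.randrange(1, q) for _ in range(t - 1)]
    return {v: sum(c * pow(v, i, q) for i, c in enumerate(coeffs)) % q for v in ids}


def lagrange_coeff(v: int, ids, x: int, q: int = Q) -> int:
    """lambda_V(x) = prod_{U != V} (x - ID_U) / (ID_V - ID_U)  (mod q)."""
    num = den = 1
    for u in ids:
        if u != v:
            num = num * (x - u) % q
            den = den * (v - u) % q
    return num * pow(den, -1, q) % q


def interpolate(points: dict, x: int = 0, q: int = Q) -> int:
    """Evaluate the unique polynomial through `points` at x; x = 0 recovers the secret."""
    ids = list(points)
    return sum(lagrange_coeff(v, ids, x, q) * points[v] for v in ids) % q


def threshold_report(secret, ids, t, compromised, disrupted) -> dict:
    """Evaluate service availability and secret exposure under a given attack."""
    shares = make_shares(secret, ids, t)
    functional = [v for v in ids if v not in disrupted]
    # service survives only if every t-subset of the surviving D-PKGs still yields K_P2
    available = len(functional) >= t and all(
        interpolate({v: shares[v] for v in sub}) == secret
        for sub in combinations(functional, t))
    leaked = {v: shares[v] for v in compromised}      # shares read off compromised D-PKGs
    exposed = len(leaked) >= t and interpolate(leaked) == secret
    return {"available": available, "exposed": exposed, "leaked": leaked}


def secret_hidden(leaked: dict, honest_id: int, guesses) -> bool:
    """With t-1 leaked shares, every guessed secret fits some degree-(t-1) polynomial,
    and those polynomials disagree at an honest D-PKG's ID, so the leak does not
    single out the real secret (information-theoretic hiding)."""
    implied = set()
    for guess in guesses:
        pts = dict(leaked)
        pts[0] = guess                      # pretend the guess is g(0)
        implied.add(interpolate(pts, honest_id))
    return len(implied) == len(set(guesses))


# Constructed sample network: n = 7 D-PKGs, t = 4, IDs are small integers
D_PKG_IDS = [11, 23, 37, 41, 59, 67, 73]
T = 4
K_P2 = 0x1234_5678_9ABC_DEF0_1234_5678_9ABC_DEF0_1234_5678   # constructed master secret

if __name__ == "__main__":
    rep = threshold_report(K_P2, D_PKG_IDS, T,
                           compromised={11, 23, 37}, disrupted={59, 67, 73})
    print("service available:", rep["available"], "secret exposed:", rep["exposed"])
```

With t − 1 = 3 compromised and n − t = 3 disrupted D-PKGs at once (the worst case the assumption allows), exactly t = 4 functional shareholders remain and the secret stays hidden; one more compromised node, or one more disrupted node, flips the respective flag.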
3.4 IKM Design
This section presents our IKM design. We first provide an overview of IKM in Sec-
tion 3.4.1, and then describe the key predistribution phase in Section 3.4.2. Next we discuss
how to achieve efficient key revocation and update in Sections 3.4.3 and 3.4.4, respectively.
Section 3.4.5 presents our method of protecting the D-PKGs from devastating pinpoint
attacks, and Section 3.4.6 gives general guidelines as to how to select the secret-sharing
parameters t, n. Finally, the security of IKM is analyzed in Section 3.4.7.
3.4.1 Overview
In IKM, each node should carry an authentic ID-based public/private key pair at any
time as a proof of its group membership. With such key pairs, nodes can realize mutual
authentication, key agreement, public-key encryption, and digital signatures, among other
security services. IKM consists of three phases: key predistribution, revocation, and update.
Key predistribution is a one-time process occurring during network initialization, where
a Private Key Generator (PKG), essentially a trusted authority, determines a set of system
parameters and preloads every node with appropriate keying materials. In addition, the
PKG distributes its functionality to n D-PKGs selected among the N nodes to enable secure
and robust key revocation and update during network operation.
To minimize the damage from node compromise, it is a must to explicitly revoke public
keys of compromised nodes. During network operation, if suspecting that a peer, say A,
has been compromised, a node sends a signed accusation against A to some D-PKGs. The
accused A is diagnosed as compromised when the number of accusations against it reaches a
predefined revocation threshold, denoted by γ, in a certain time window. At that point, the
network enters the key revocation phase in which the D-PKGs jointly issue a key revocation
against A.
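The counting step above has a few details a D-PKG implementation must get right, so here is an added Python example (not IKM's code) of a sliding-window accusation counter: each accusation passes a caller-supplied `verify` callback (a constructed stand-in for checking the accuser's ID-based signature), one accuser counts only once per accused node however often it repeats, accusations older than the window expire, and nodes that are already revoked lose the right to accuse. The threshold γ, the window length, the node names and the sample trace are constructed values.

```python
from collections import defaultdict
from typing import Callable


class AccusationTracker:
    """Count distinct, authenticated accusers per accused node within a time window."""

    def __init__(self, gamma: int, window: float,
                 verify: Callable[[str, tuple, str], bool]):
        self.gamma = gamma                     # revocation threshold (gamma in the text)
        self.window = window                   # seconds an accusation stays valid
        self.verify = verify                   # stand-in for ID-based signature verification
        self.accusations = defaultdict(dict)   # accused -> {accuser: timestamp}
        self.revoked = set()

    def receive(self, accuser: str, accused: str, ts: float, sig: str) -> bool:
        """Process one accusation; return True when it triggers revocation of `accused`."""
        if accused in self.revoked:
            return False                       # already handled
        if accuser in self.revoked or accuser == accused:
            return False                       # revoked nodes cannot vote; no self-accusation
        if not self.verify(accuser, (accuser, accused, ts), sig):
            return False                       # drop unauthenticated accusations
        votes = self.accusations[accused]
        votes[accuser] = max(ts, votes.get(accuser, ts))   # one vote per accuser, keep newest
        for stale in [a for a, t0 in votes.items() if ts - t0 > self.window]:
            del votes[stale]                   # slide the window forward
        if len(votes) >= self.gamma:
            self.revoked.add(accused)
            del self.accusations[accused]
            return True
        return False


def toy_verify(accuser: str, message: tuple, sig: str) -> bool:
    """Constructed stand-in for signature checking: a valid tag is 'sig-<accuser>'."""
    return sig == f"sig-{accuser}"


def run_scenario() -> dict:
    """Constructed sample trace; returns, per event index, whether it caused a revocation."""
    tr = AccusationTracker(gamma=3, window=60.0, verify=toy_verify)
    events = [
        ("B", "A", 0.0,   "sig-B"),   # honest accusation
        ("B", "A", 1.0,   "sig-B"),   # repeat from the same accuser adds no vote
        ("C", "A", 2.0,   "sig-C"),
        ("D", "A", 3.0,   "bogus"),   # fails verification
        ("D", "A", 4.0,   "sig-D"),   # third distinct accuser -> A revoked
        ("A", "E", 5.0,   "sig-A"),   # revoked A cannot accuse
        ("F", "E", 10.0,  "sig-F"),
        ("G", "E", 100.0, "sig-G"),   # F's accusation has expired by now
        ("H", "E", 110.0, "sig-H"),   # only G and H inside the window -> no revocation
    ]
    return {i: tr.receive(*e) for i, e in enumerate(events)}
```

Deduplicating by accuser is what keeps a single misbehaving node from reaching γ on its own; the expiry keeps old, possibly stale, suspicions from accumulating indefinitely against a node that is behaving correctly now.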
As a common practice [36], public/private keys of mobile nodes need to be updated
at intervals for many reasons, e.g., preventing cryptanalysis. The key update phase
may occur either periodically according to a prescribed time period, or reactively when the
number of revoked nodes attains some predetermined threshold. During this phase, each
non-revoked node can update its public key autonomously and its private key via a single
broadcast message. This is enabled by our novel public/private key construction method.
Our scheme can also ensure that compromised nodes, once revoked, cannot get their keys
updated, thus isolated from the network.
Due to the shared wireless medium, it is easy for adversaries to find the whereabouts of
D-PKGs based on their network IDs leaked in routing and data packets [41]. This renders
the D-PKGs particularly vulnerable to devastating pinpoint attacks. As a natural defense,
we propose to make the D-PKGs indistinguishable from common nodes via anonymous
routing [41]. This measure allows us to provide general guidelines about how to choose the
secret-sharing parameters t, n for achieving desirable levels of security and robustness.
3.4.2 Network Initialization
For a single-authority MANET under consideration, it is reasonable to assume a trusted PKG to bootstrap the network, which itself is not part of the resulting network.
Generation of pairing parameters. To bootstrap the network, the PKG does the following operations:
1. Generate the pairing parameters $(q, G_1, G_2, \hat{e}, W, H_1)$ (cf. Section 2.2.1), where $W$ is an arbitrary generator of $G_1$, and $H_1$ is a hash function mapping given strings to non-zero elements in $G_1$.
2. Pick two distinct random numbers $K_{P1}, K_{P2} \in \mathbb{Z}_q^*$ as network master secrets. Set $W_{P1} = K_{P1}W$ and $W_{P2} = K_{P2}W$, respectively.
The parameters $(q, \hat{e}, H_1, W, W_{P1}, W_{P2})$ are public knowledge preloaded to each node, while $K_{P1}$ and $K_{P2}$ should never be disclosed to any single node.
Secret sharing. To enable key revocation and update during network operation, it is necessary to introduce the PKG functionality into the network. In our design, only knowledge of $K_{P2}$ is introduced into the network to ensure high-level compromise tolerance (analyzed in Section 3.4.7). To avoid a single point of compromise and failure, the PKG performs a $(t, n)$-threshold secret sharing of $K_{P2}$ by first determining a random polynomial $g(z)$ of degree $t-1$ over $\mathbb{Z}_q$ with $g(0) = K_{P2}$. It then randomly selects a subset $\mathcal{R} \subset \mathcal{N}$ of size $n$ of nodes as D-PKGs ($t \le n < |\mathcal{N}| = N$). Then the PKG assigns to each $V \in \mathcal{R}$ a secret share computed as $K_{P2}^V = g(ID_V)$. Based on Lagrange interpolation, any subset $\mathcal{A} \subset \mathcal{R}$ of size $t$ can co-determine the polynomial:
$$g(z) = \sum_{V \in \mathcal{A}} \lambda_V(z)\, K_{P2}^V \pmod q, \qquad (3.1)$$
where $\lambda_V(z) = \prod_{U \in \mathcal{A},\, U \ne V} \frac{z - ID_U}{ID_V - ID_U}$ is called a Lagrange coefficient. The PKG's master secret $K_{P2}$ can then be reconstructed by computing $g(0)$. However, any subset of $\mathcal{R}$ of size $(t-1)$ or smaller does not suffice to do so. To enable verifiable secret sharing, the PKG also calculates a set of values $\{W_{P2}^V = K_{P2}^V W\}_{V \in \mathcal{R}}$ preloaded to each D-PKG. Due to the difficulty in solving the DLP in $G_1$, all the other D-PKGs cannot deduce the secret share $K_{P2}^V$ of D-PKG $V$ from $W_{P2}^V$. The IDs of all the D-PKGs are known to each node to make key revocation and update feasible, and the choice of $t, n$ will be discussed in Section 3.4.6.
Generation of ID-based public/private keys. One of our essential design points is how to construct an ID-based public/private key pair for each node $A$, be it a D-PKG or a common node. Our IKM is composed of a number of continuous, non-overlapping key update phases, denoted by $p_i$ for $1 \le i \le M$, where $M$ is the maximum possible phase index. Such $p_i$s need not be of the same length in time, and nodes are thus not required to be time-synchronized for them. Each $p_i$ is associated with a unique binary string called a phase salt and denoted by $salt_i$. Prior to deployment, the PKG issues a random number $salt_1$ to each node which, in turn, can subsequently generate $salt_i = h(salt_{i-1})$ ($1 < i \le M$) by itself with an efficient hash function $h$ such as SHA-1 [16].
In IKM, each public/private key pair is both node-specific and phase-specific, and node $A$'s key pair valid only during phase $p_i$ is denoted by $\langle K_{A,p_i}, K_{A,p_i}^{-1} \rangle$. Each of $K_{A,p_i}$ and $K_{A,p_i}^{-1}$ comprises a node-specific element and a phase-specific element common to all the nodes, both in $G_1$. In particular,
$$K_{A,p_i} := (K_A, K_{p_i}) = (H_1(ID_A),\ H_1(salt_i)),$$
$$K_{A,p_i}^{-1} := (K_A^{-1}, K_{p_i}^{-1}) = (K_{P1}H_1(ID_A),\ K_{P2}H_1(salt_i)).$$
Initially, the PKG issues $\langle K_{A,p_1}, K_{A,p_1}^{-1} \rangle$ to node $A$, which can acquire $\langle K_{A,p_i}, K_{A,p_i}^{-1} \rangle$ ($1 < i \le M$) later through the key update process of Section 3.4.4. For convenience, hereafter we refer to $\langle K_{p_i}, K_{p_i}^{-1} \rangle$ as the common public-key and private-key elements of phase $p_i$, and $\langle K_A, K_A^{-1} \rangle$ as the node-specific public-key and private-key elements of node $A$. The former pair varies across key-update phases, while the latter pair remains unchanged during the network lifetime and should be kept confidential to $A$ itself.
Due to the difficulty of solving the DLP in $G_1$, it is computationally infeasible to derive the network master secrets $K_{P1}$ and $K_{P2}$ from an arbitrary number of public/private key pairs [12, 13]. It means that, no matter how many key pairs adversaries acquire from compromised nodes, they cannot deduce the private key of any non-compromised node. Therefore, our IKM exhibits the desirable compromise-tolerant property. The advantage of our key construction method in facilitating key update can be seen in Section 3.4.4. In addition, the higher resilience to the compromise of D-PKGs compared with the conventional key construction method [39, 20] is analyzed in Section 3.4.7. Furthermore, we refer readers to [56] for the use of such public/private keys in key agreement, encryption/decryption, and signature generation/verification.
Our IKM allows dynamic node join at any time and thus ensures high network scalability. Suppose a new node $X$ joins the network at phase $p_i$. The PKG just needs to pre-equip $X$ with the public system parameters and $\langle K_{X,p_i}, K_{X,p_i}^{-1} \rangle$.
Generation of key-update parameters. Let $t_c$ be the maximum number of compromised nodes the network can tolerate. To realize broadcast-based public/private key updates, the PKG picks $M$ distinct $2t_c$-degree polynomials $\{l_i(z) = \sum_{j=0}^{2t_c} l_{i,j} z^j \pmod q\}_{i=1,\dots,M}$ with $l_{i,j} \in \mathbb{Z}_q$, and $M$ distinct $t_c$-degree polynomials $\{u_i(z) = \sum_{j=0}^{t_c} u_{i,j} z^j \pmod q\}_{i=1,\dots,M}$ with $u_{i,j} \in \mathbb{Z}_q$. Since $K_{p_i}^{-1}$ is a point on $E/\mathbb{F}_p$, its $x$-coordinate (denoted as $[K_{p_i}^{-1}]^x$) can be uniquely determined from its $y$-coordinate (denoted as $[K_{p_i}^{-1}]^y$). The PKG then constructs $\{v_i(z) = [K_{p_i}^{-1}]^y - u_i(z)\}_{i=1,\dots,M}$, which are given to each node $A$ along with $\{l_i(ID_A)\}_{i=1,\dots,M}$.
Summary. To summarize, each node has the following cryptographic materials before network deployment:
Pairing parameters: $(q, \hat{e}, H_1, W, W_{P1}, W_{P2})$.
Public and private keys: $\langle K_{A,p_1}, K_{A,p_1}^{-1} \rangle$.
Phase salt: $salt_1$.
Key-update parameters: $\{v_i(z), l_i(ID_A)\}_{i=1,\dots,M}$.
In addition to the above materials, each D-PKG $V$ holds a secret share $K_{P2}^V$ and the values $\{W_{P2}^U = K_{P2}^U W\}_{U \in \mathcal{R}}$.
3.4.3 Key Revocation
Key revocation comprises three subprocesses: misbehavior notification, revocation generation, and revocation verification. The following description applies to phase $p_i$.
Misbehavior notification. Upon detection of node $A$'s misbehavior, node $B$ generates a signed accusation $[ID_A, s_B]_{K_{B,p_i}^{-1}}$ against $A$, where $s_B$ is a timestamp for withstanding message replay attacks. The accusation needs to be sent to the D-PKGs to report $A$'s misbehavior. Naive flooding of the accusation is insecure because it may alert the accused $A$ to temporarily behave normally. By doing so, it attempts to keep the number of accusations against it below the predefined revocation threshold $\gamma$ to avoid being revoked. Therefore, $B$ should unicast the accusation secretly to the D-PKGs. The next question is to which D-PKGs the accusation is sent. The following approach is adopted in IKM.
During network initialization, the PKG furnishes each node with a function $\mathcal{F}$ that maps each node ID to the IDs of $\beta$ distinct D-PKGs. More formally, for node $A \in \mathcal{N}$, $\mathcal{F}(ID_A) = \{ID_{X_j} \mid 1 \le j \le \beta,\ X_j \in \mathcal{R},\ X_j \ne A\}$. There are many possible ways to construct such a function. One simple approach is to divide the node set $\mathcal{N}$ into $n$ disjoint node sets, each associated with $\beta$ D-PKGs. However, the condition that must be satisfied is that the node set a D-PKG belongs to should not be associated with that D-PKG itself. In our IKM, node $B$ is required to send the accusation in an encrypted form $\{[ID_A, s_B]_{K_{B,p_i}^{-1}}\}_{k_{B,V}}$ to each $V \in \mathcal{F}(ID_A)$, where $k_{B,V}$ is the key shared with $V$ that can be derived using the method given in [56].
The value of $\beta$ determines the tradeoff between resilience to D-PKG compromise and communication overhead. The smaller $\beta$, the lower the related communication overhead and the less resilient the network is to the compromise of D-PKGs, and vice versa. Specifically, in one extreme case that $\beta = 1$, the communication overhead is the lowest, while the compromise of a D-PKG, say $X_1 \in \mathcal{R}$, which has not been revoked would allow all the accused whose IDs are mapped by $\mathcal{F}$ to $ID_{X_1}$ to escape revocation. In the other extreme case that $\beta = n$, the network shows perfect resilience to D-PKG compromise, while the related communication overhead is the highest. Therefore, $\beta$ should be carefully chosen in practice to strike a good balance between these two metrics.
Revocation generation. Upon receipt of an accusation from $B$, a D-PKG will simply drop it if the accuser itself has been revoked. Otherwise, the D-PKG saves the accusation after decrypting it and verifying $B$'s signature. To prevent an unrevoked compromised node from falsely accusing legitimate nodes, a node is diagnosed as compromised only when the number of accusations against it reaches the network-wide revocation threshold $\gamma$ in one key update phase or any other predetermined time window. The choice of $\gamma$ is application-specific and determines the tradeoff between tolerance of false accusations and compromise detectability: a larger $\gamma$ means higher-level tolerance of false accusations but lower compromise detectability, and vice versa.
Once the revocation threshold is attained, a key revocation against node $A$ needs to be generated and published. In IKM, generating a revocation needs the joint efforts of $t$ D-PKGs. For simplicity, we assume that, among $\mathcal{F}(ID_A)$, the D-PKG with the smallest ID acts as the revocation leader. We distinguish between two cases. If $\beta \ge t$, each of the $t$ D-PKGs in $\mathcal{F}(ID_A)$ with the smallest IDs generates a partial revocation (shown below) sent to the revocation leader. If $\beta < t$, all the D-PKGs in $\mathcal{F}(ID_A)$ should generate a partial revocation and send it to the revocation leader. In addition, the revocation leader sends the accumulated accusations to each of $(t - \beta)$ other randomly chosen D-PKGs, which responds with a partial revocation after verifying the accusations.
For ease of presentation, let $\mathcal{A} \subset \mathcal{R}$ denote the $t$ D-PKGs participating in revocation generation. Each $V \in \mathcal{A}$ generates a partial revocation $K_{P2}^V H_1(ID_A)$ accumulated at the revocation leader. The revocation leader can construct a complete revocation from these partial revocations through Lagrange interpolation, which is an application of pairing-based threshold signatures [57, 13]. In particular, a complete revocation is derived as
$$\widetilde{ID_A} = \sum_{V \in \mathcal{A}} \lambda_V(0)\, K_{P2}^V H_1(ID_A) = K_{P2} H_1(ID_A),$$
where the $\lambda_V(0)$s are the Lagrange coefficients defined in Eq. (3.1). It is possible that one or several members of $\mathcal{A}$ are unrevoked compromised nodes which might send wrongly computed partial revocations. To detect this, the revocation leader checks whether the following equation holds:
$$\hat{e}(\widetilde{ID_A}, W) = \hat{e}(H_1(ID_A), W_{P2}). \qquad (3.2)$$
If so, it knows that this revocation is authentic and that the other $(t-1)$ D-PKGs gave correct partial revocations. The equation should hold for a valid revocation because
$$\begin{aligned}
\hat{e}(\widetilde{ID_A}, W) &= \hat{e}(K_{P2}H_1(ID_A), W) \\
&= \hat{e}(H_1(ID_A), W)^{K_{P2}} && (\hat{e}\text{ is bilinear}) \\
&= \hat{e}(H_1(ID_A), K_{P2}W) && (\hat{e}\text{ is bilinear}) \\
&= \hat{e}(H_1(ID_A), W_{P2}) && (W_{P2} = K_{P2}W).
\end{aligned}$$
The revocation leader then floods $\langle ID_A, \widetilde{ID_A} \rangle$ throughout the network to inform others that $A$ has been compromised.
If Eq. (3.2) does not hold, the revocation leader knows that at least one of the partial revocations is incorrect. Our IKM allows the pinpoint identification of the misbehaving D-PKG(s). To do this, for each received $K_{P2}^V H_1(ID_A)$, the revocation leader harnesses the preloaded $W_{P2}^V$ to check whether the equation $\hat{e}(K_{P2}^V H_1(ID_A), W) = \hat{e}(H_1(ID_A), W_{P2}^V)$ holds. The check should succeed for a valid partial revocation because $W_{P2}^V = K_{P2}^V W$ and $\hat{e}$ is bilinear. Otherwise, the revocation leader considers $V$ misbehaving and then issues a signed accusation against it. After identifying all misbehaving D-PKGs in $\mathcal{A}$, the revocation leader solicits the corresponding number of new partial revocations from D-PKGs in $\mathcal{R} \setminus \mathcal{A}$, calculates a complete revocation, and verifies it as before. Continuing this process, the revocation leader can form a correct revocation against $A$, as long as there are at least $t$ well-behaved D-PKGs in $\mathcal{R}$.
Our IKM can well handle the situation where the revocation leader itself is a compromised node. If the other D-PKGs in $\mathcal{F}(ID_A)$ do not receive a correct revocation against $A$ within a certain time, they consider the revocation leader misbehaving and publish signed accusations against it. Then the D-PKG in $\mathcal{F}(ID_A)$ with the second lowest ID succeeds as the revocation leader and restarts the revocation generation process. We can see that, as long as there is at least one non-compromised D-PKG in $\mathcal{F}(ID_A)$ and there are at least $t$ non-compromised D-PKGs in $\mathcal{R}$, a valid revocation against node $A$ can always be generated. In addition, our pinpoint identification mechanism will deter D-PKGs that are compromised yet unrevoked from offering invalid partial revocations, since they would be easily caught. Therefore, we expect that a valid revocation will most likely be generated in one round. Also notice that, since whether a D-PKG provides a wrong partial revocation and whether the revocation leader behaves normally are both publicly verifiable, compromised but unrevoked D-PKGs dare not falsely accuse the revocation leader or other D-PKGs, in order to avoid being identified.
Revocation verification. Upon reception of $\widetilde{ID_A}$, every node verifies it by checking if Eq. (3.2) holds. If so, it should record $ID_A$ in its memory and refuse to interact with node $A$ in the future. In our IKM, each node needs to store the IDs of all the revoked nodes. Assuming that each node ID is 16 bytes, it costs a node about 4 KB to store 250 IDs of compromised nodes, which we believe is an acceptable overhead given the increasingly low price of memory. Some space-efficient data storage techniques such as Bloom filters [58] may be used to reduce the storage overhead. However, we do not further investigate this issue for lack of space.
In rare cases, the revoked A and/or its conspirators may be the sole connections between
parts of the network. Since they would not further propagate the revocation, there might be
some legitimate nodes which cannot receive the revocation. Fortunately, this problem can
be greatly mitigated by node mobility. In particular, we require each node to store received
revocations for a certain amount of time. When a node meets a new neighbor, it can
exchange its stored revocations with that neighbor. If that neighbor offers some unknown
revocations, it records the revoked node IDs after verifying those revocations. Since a
node can dump stored revocations after a while, the related storage overhead should be
affordable.
3.4.4 Key Update
To withstand cryptanalysis and limit any potential damage from compromised keys, it is a common practice [31, 32, 33, 34, 35, 36] to employ relatively frequent key update. A new key update phase $p_{i+1}$ starts either when phase $p_i$ has lasted for more than a predetermined time threshold, or when the number of nodes revoked in $p_i$ has attained a prescribed threshold. In IKM, each node $B$ can update its public key autonomously by computing $K_{B,p_{i+1}} = (H_1(ID_B), H_1(salt_{i+1}))$, where $salt_{i+1} = h(salt_i)$. In other words, $B$ just performs two hash operations, one for generating the phase salt for $p_{i+1}$ and the other for computing the new common public-key element. By contrast, generating the common private-key element $K_{p_{i+1}}^{-1} = K_{P2}H_1(salt_{i+1})$ needs the collective efforts of $t$ D-PKGs in $\mathcal{R}$.$^1$ For simplicity, we assume that $Z \in \mathcal{R}$ initiates phase $p_{i+1}$, though in practice the D-PKGs should take turns in this role to balance their resource usage. $Z$ randomly selects $(t-1)$ other non-revoked D-PKGs from $\mathcal{R}$ and sends a request to each of them. Let $\mathcal{A}$ denote these $t$ D-PKGs including $Z$ itself. Each $V \in \mathcal{A}$ uses its secret share to generate a partial common private-key element $K_{P2}^V H_1(salt_{i+1})$ accumulated at $Z$ which, in turn, constructs the complete $K_{p_{i+1}}^{-1}$ using Lagrange interpolation, $K_{p_{i+1}}^{-1} = \sum_{V \in \mathcal{A}} \lambda_V(0) K_{P2}^V H_1(salt_{i+1}) = K_{P2}H_1(salt_{i+1})$. Notice that $K_{p_{i+1}}^{-1}$ is self-authenticating in that every node can check its authenticity by checking if the following equation holds:
$$\hat{e}(K_{p_{i+1}}^{-1}, W) = \hat{e}(H_1(salt_{i+1}), W_{P2}). \qquad (3.3)$$
It is also possible that some D-PKGs in $\mathcal{A}$ are compromised yet unrevoked nodes. The method used in revocation generation can be employed as well to deal with this case. As long as there are at least $t$ non-compromised D-PKGs in $\mathcal{R}$, a valid $K_{p_{i+1}}^{-1}$ can always be generated.
To propagate the new common private-key element securely to all the non-revoked nodes, we use a variant of the self-healing group key distribution scheme by Liu et al. [59]. Consider phase $p_i$ and let $\Lambda \subset \mathcal{N}$ denote the set of nodes revoked up to phase $p_i$. D-PKG $Z$ broadcasts the following message:
$$B_i := \{ID_X\}_{X \in \Lambda} \cup \{\psi_i(z)u_j(z) + l_j(z)\}_{j=1,\dots,i},$$
where $\psi_i(z) = \prod_{X \in \Lambda}(z - ID_X)$. When a non-revoked node, say $B$, receives this message, it derives $\psi_i(ID_B)u_i(ID_B) + l_i(ID_B)$. Since $B$ knows $v_i(z)$, $l_i(ID_B)$, and $\psi_i(ID_B) \ne 0$ (cf. Section 3.4.2), it can get $u_i(ID_B) = \big(\psi_i(ID_B)u_i(ID_B) + l_i(ID_B) - l_i(ID_B)\big)/\psi_i(ID_B)$ and then $[K_{p_i}^{-1}]^y = v_i(ID_B) + u_i(ID_B)$. Subsequently, node $B$ computes $[K_{p_i}^{-1}]^x$ using the elliptic curve $E/\mathbb{F}_p$, thus reconstructing the complete $K_{p_i}^{-1}$. In the same way, all the other non-revoked nodes can derive $K_{p_i}^{-1}$ and finish key update. Any revoked node $X \in \Lambda$, however, cannot compute $u_i(ID_X)$ and thus $K_{p_i}^{-1}$ because $\psi_i(ID_X) = 0$. In addition, as long as the number of compromised nodes is no more than $t_c$, i.e., $|\Lambda| \le t_c$, the compromised nodes cannot jointly determine $K_{p_i}^{-1}$ either, as shown in [59].
The above key-update method provides the self-healing capability in the sense that any non-revoked node can recover $K_{p_j}^{-1}$ for any phase $p_j$ ($j < i$) for which it did not receive the key-update broadcast message, due to reasons such as mobility, channel errors, and temporary network partitions. Consider node $B$ again as an example. It can get $K_{p_j}^{-1}$ in the same way as obtaining $K_{p_i}^{-1}$. This nice feature, however, is achieved at the cost of increased communication overhead. Therefore, if either this self-healing capability is not required or reliable broadcast can be guaranteed, the broadcast message $B_i$ can change to $\{ID_X\}_{X \in \Lambda_i} \cup \{\psi_i(z)u_i(z) + l_i(z)\}$, where $\psi_i(z) = \prod_{X \in \Lambda}(z - ID_X)$ and $\Lambda_i \subset \Lambda$ represents the set of new nodes needed to be revoked in phase $p_i$. In doing so, the broadcast communication overhead can be reduced.
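The polynomial arithmetic behind Eq. (3.1), the Lagrange combination of partial revocations in Section 3.4.3, and the self-healing broadcast $B_i$ above, as an added toy model in Python (not the dissertation's code). It replaces the curve points $H_1(\cdot)$ and the coordinate $[K_{p_i}^{-1}]^y$ with scalars in $\mathbb{Z}_q$, so the pairing checks of Eqs. (3.2) and (3.3) are not modelled; the node IDs, $t_c$, and the sample secrets are constructed.

```python
"""Toy model over Z_q of two IKM building blocks (added example, not the
dissertation's code): (1) the (t,n)-threshold sharing of K_P2 and its Lagrange
recombination, Eq. (3.1), as used to combine partial revocations; (2) the
self-healing key-update broadcast B_i of Section 3.4.4. Curve points and the
pairing are not modelled: H1(.) outputs and the coordinate [K_{p_i}^{-1}]^y are
stood in for by scalars in Z_q, so only the polynomial arithmetic is exercised."""
import secrets

Q = 2**159 + 2**17 + 1  # the 160-bit Solinas prime of Section 3.5.1

def poly_eval(coeffs, z):
    """Horner evaluation of sum_j coeffs[j] * z^j mod Q (coeffs[0] is the constant)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % Q
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % Q
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % Q for x, y in zip(a, b)]

# (1) secret sharing of K_P2 among the D-PKGs and threshold recombination
def share_master_secret(k_p2, t, dpkg_ids):
    """PKG: random g(z) of degree t-1 with g(0) = K_P2; D-PKG V gets K_P2^V = g(ID_V)."""
    g = [k_p2] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {v: poly_eval(g, v) for v in dpkg_ids}

def lagrange_at_zero(ids):
    """lambda_V(0) = prod_{U in A, U != V} (0 - ID_U) / (ID_V - ID_U) mod Q, Eq. (3.1)."""
    lam = {}
    for v in ids:
        num = den = 1
        for u in ids:
            if u != v:
                num = num * (-u) % Q
                den = den * (v - u) % Q
        lam[v] = num * pow(den, -1, Q) % Q
    return lam

def combine_partials(partials):
    """Leader: sum_V lambda_V(0) * (K_P2^V * h) = K_P2 * h, h standing in for H1(ID_A).
    With fewer than t partials the result is simply a wrong value, not an error."""
    lam = lagrange_at_zero(list(partials))
    return sum(lam[v] * p for v, p in partials.items()) % Q

# (2) self-healing key-update broadcast
def pkg_update_params(keys_y, tc):
    """PKG (3.4.2): per phase i, l_i of degree 2*tc, u_i of degree tc, and
    v_i(z) = [K_{p_i}^{-1}]^y - u_i(z); keys_y[i-1] models that y-coordinate."""
    ls = [[secrets.randbelow(Q) for _ in range(2 * tc + 1)] for _ in keys_y]
    us = [[secrets.randbelow(Q) for _ in range(tc + 1)] for _ in keys_y]
    vs = [[(k - u[0]) % Q] + [(-c) % Q for c in u[1:]] for k, u in zip(keys_y, us)]
    return ls, us, vs

def node_materials(node_id, ls, vs):
    """What node A is preloaded with: {v_i(z), l_i(ID_A)} for every phase i."""
    return {"v": vs, "l_at": [poly_eval(l, node_id) for l in ls]}

def broadcast_B(i, revoked_ids, ls, us):
    """D-PKG Z at phase i: B_i = {ID_X}_{X in Lambda} U {psi_i(z) u_j(z) + l_j(z)}_{j=1..i}."""
    psi = [1]
    for x in revoked_ids:
        psi = poly_mul(psi, [(-x) % Q, 1])  # psi_i(z) *= (z - ID_X)
    masked = {j: poly_add(poly_mul(psi, us[j - 1]), ls[j - 1]) for j in range(1, i + 1)}
    return {"revoked": list(revoked_ids), "masked": masked}

def recover_key_y(node_id, j, msg, mats):
    """Node B recovers [K_{p_j}^{-1}]^y from B_i for any j <= i (self-healing);
    returns None when B is revoked, since psi_i(ID_B) = 0 leaves u_j(ID_B) hidden."""
    psi_b = 1
    for x in msg["revoked"]:
        psi_b = psi_b * (node_id - x) % Q
    if psi_b == 0:
        return None
    masked_b = poly_eval(msg["masked"][j], node_id)  # psi_i(ID_B) u_j(ID_B) + l_j(ID_B)
    u_b = (masked_b - mats["l_at"][j - 1]) * pow(psi_b, -1, Q) % Q
    return (poly_eval(mats["v"][j - 1], node_id) + u_b) % Q

if __name__ == "__main__":
    # constructed sample values: 5 D-PKGs, t = 3, three phases, two revoked nodes
    k_p2, h = secrets.randbelow(Q), secrets.randbelow(Q)
    shares = share_master_secret(k_p2, 3, [11, 12, 13, 14, 15])
    print("t partials recombine:", combine_partials({v: shares[v] * h % Q for v in (11, 13, 15)}) == k_p2 * h % Q)
    ls, us, vs = pkg_update_params([1001, 2002, 3003], tc=2)
    msg = broadcast_B(3, [7, 8], ls, us)
    print("node 5, phase 3:", recover_key_y(5, 3, msg, node_materials(5, ls, vs)))
    print("node 5, phase 1 (self-healing):", recover_key_y(5, 1, msg, node_materials(5, ls, vs)))
    print("revoked node 7:", recover_key_y(7, 3, msg, node_materials(7, ls, vs)))
```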
3.4.5 Securing D-PKGs against Pinpoint Attacks
Similar to [31, 34, 35], our IKM relies on the validity of the t-limited assumption mentioned in Section 3.3.3. However, if adversaries have the entire network lifetime to mount attacks, they may compromise or disrupt enough D-PKGs sooner or later. As a well-known countermeasure, Herzberg et al. [55] propose to periodically refresh secret shares without changing the original secret, in such a way that any information learned by adversaries about individual shares becomes obsolete after the shares are refreshed. In addition, they present techniques to periodically and securely recover shares not refreshed properly, to withstand D-PKG disruption attacks. Their techniques are either adopted or suggested by [31, 34, 35]. To deal with long-term adversaries, we also suggest incorporating such proactive secret-sharing techniques in our IKM.
1 $K_{p_i}^{-1}$ can be viewed as a group key to be distributed to non-revoked group members.
Proactive secret-sharing techniques are valid as long as adversaries are t-limited in each predefined time period. Nearly all previous proposals simply make this assumption without efforts to justify it. In our opinion, without precaution, the t-limited assumption is difficult to hold for MANETs deployed in hostile environments. The reason is that the IDs of the D-PKGs are public knowledge to every node, and adversaries can easily get this information, e.g., by compromising a single node. In common MANET routing protocols such as AODV [5] and DSR [6], node IDs are left bare without any protection. The shared wireless medium allows adversaries to perform passive eavesdropping and easily locate the D-PKGs based on their IDs leaked in routing and data packets. As a result, adversaries can launch pinpoint compromise or disruption attacks on the located D-PKGs. This type of severe pinpoint attack, resulting from the unique characteristics of MANETs, is reported in [29, 41]. Obviously, we have to seek efficient ways to thwart such pinpoint attacks to make the t-limited assumption reasonable.
Assume that adversaries have no ways (e.g., traffic analysis) to distinguish between the D-PKG and non-D-PKG nodes other than from their IDs. We propose to eliminate the pinpoint attacks by MASK, the anonymous on-demand routing protocol for MANETs presented in Chapter 2. As stated before, MASK guarantees that, given a node ID, adversaries cannot ascertain who and where the corresponding node is. For our purpose, this means that, even given the list of D-PKG IDs, adversaries cannot determine which nodes are the D-PKGs based on passive eavesdropping of node IDs. Therefore, the pinpoint attacks are effectively defeated. Also note that the same method can be used to eliminate pinpoint attacks on the D-CAs in [31, 34, 35].
3.4.6 Choosing Secret-Sharing Parameters
Now we discuss how to select the secret-sharing parameters $t, n$ for a good tradeoff between security and robustness, namely, the resilience to the compromise and to the disruption of D-PKGs, respectively. For a fixed $n$, the larger $t$, the more secure the network is, because adversaries need to compromise more D-PKGs to learn $K_{P2}$, but the less robust the network is, in that adversaries need to disrupt fewer D-PKGs to make $K_{P2}$ irrecoverable, and vice versa. To strike a good balance between them, it is often wise to let $t = \lceil n/2 \rceil$, as suggested in [15, 40]. The next question is, given the network size $N$, how we decide the value of $n$ to achieve desired levels of security and robustness.
With our MASK in place, adversaries cannot distinguish between the D-PKGs and common nodes based on passive eavesdropping. All they can do is to attempt to compromise or disrupt randomly picked nodes with the expectation that those nodes happen to be the D-PKGs. Assume that adversaries can surreptitiously compromise and disrupt up to $N_c \ge t$ and $N_d \ge n-t+1$ nodes, respectively, in each proactive secret-sharing time period without being detected. We define $Pr_c$ and $Pr_d$ as the probabilities that at least $t$ out of the $N_c$ compromised nodes and at least $(n-t+1)$ out of the $N_d$ disrupted nodes happen to be D-PKGs. In particular,
$$Pr_c = \sum_{i=t}^{N_c} \frac{\binom{n}{i}\binom{N-n}{N_c-i}}{\binom{N}{N_c}} \quad \text{and} \quad Pr_d = \sum_{i=n-t+1}^{N_d} \frac{\binom{n}{i}\binom{N-n}{N_d-i}}{\binom{N}{N_d}},$$
where $t = \lceil n/2 \rceil$. In practice, we want both probabilities to be as low as possible. Prior to deployment, the PKG can use the enumerative method to determine the values of $t, n$ that give appropriate values of $Pr_c$ and $Pr_d$, i.e., that meet desirable levels of security and robustness. For example, when $N = 50$, $N_c = 5$, and $N_d = 7$, we have $Pr_c = 1.19 \times 10^{-4}$ and $Pr_d = 8.53 \times 10^{-5}$ if $n = 10$ and thus $t = 5$; when $N = 50$, $N_c = 10$, and $N_d = 14$, we have $Pr_c = 1.8 \times 10^{-5}$ and $Pr_d = 7.88 \times 10^{-4}$ if $n = 20$ and thus $t = 10$. Obviously, the success probabilities of such random attacks are pretty low.
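The two probabilities and the enumerative search for $(t, n)$ just described, as an added Python example (not the dissertation's code); $N = 50$ and the $N_c$, $N_d$ values are the ones worked above, while the target probabilities passed to the search are constructed.

```python
"""Added example (not the dissertation's code): the random-attack success
probabilities Pr_c and Pr_d of Section 3.4.6 and the enumerative choice of (t, n).
Picking N_c (or N_d) nodes uniformly at random out of N, of which n are D-PKGs,
makes the number of D-PKGs hit hypergeometric."""
from math import comb

def pr_compromise(N, n, t, Nc):
    """Pr_c: at least t of the N_c randomly compromised nodes are D-PKGs,
    which lets the adversary reconstruct K_P2 via Eq. (3.1)."""
    hits = range(t, min(Nc, n) + 1)
    return sum(comb(n, i) * comb(N - n, Nc - i) for i in hits) / comb(N, Nc)

def pr_disrupt(N, n, t, Nd):
    """Pr_d: at least n-t+1 of the N_d randomly disrupted nodes are D-PKGs,
    leaving fewer than t intact shares so that K_P2 becomes irrecoverable."""
    hits = range(n - t + 1, min(Nd, n) + 1)
    return sum(comb(n, i) * comb(N - n, Nd - i) for i in hits) / comb(N, Nd)

def threshold_for(n):
    """t = ceil(n/2), the balance between security and robustness suggested in the text."""
    return -(-n // 2)

def choose_parameters(N, Nc, Nd, max_pr_c, max_pr_d):
    """Enumerative method run by the PKG before deployment: the smallest n
    (with t = ceil(n/2)) whose Pr_c and Pr_d both meet the targets, or None."""
    for n in range(1, N):
        t = threshold_for(n)
        pc, pd = pr_compromise(N, n, t, Nc), pr_disrupt(N, n, t, Nd)
        if pc <= max_pr_c and pd <= max_pr_d:
            return n, t, pc, pd
    return None

if __name__ == "__main__":
    # the two settings worked in the text, then a search with constructed targets
    for n, Nc, Nd in ((10, 5, 7), (20, 10, 14)):
        t = threshold_for(n)
        print(f"N=50 n={n} t={t}: Pr_c={pr_compromise(50, n, t, Nc):.3g} "
              f"Pr_d={pr_disrupt(50, n, t, Nd):.3g}")
    print("smallest n meeting Pr_c, Pr_d <= 1e-3:", choose_parameters(50, 5, 7, 1e-3, 1e-3))
```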
During network operation, the network size $N$ may change with node join, leave, or failure over time. Accordingly, the parameters $t, n$ and the D-PKG set should be adjusted to maintain desirable levels of security and robustness. This can be easily realized through the verifiable secret redistribution of Wong et al. [60], which redistributes the PKG's master key $K_{P2}$ from a $(t, n)$ structure to a $(t', n')$ one.
3.4.7 Security Analysis
Here we briefly compare the security of our IKM with CKM such as [31, 34] and previous IBC-based schemes [39, 20] (referred to as o-IKM). In o-IKM, the PKG only has one master secret $K_{P2}$ jointly shared by $n$ chosen D-PKGs in a $(t, n)$-threshold fashion. Each node $A$ has a public/private key pair $(H_1(ID_A \| exp),\ K_{P2}H_1(ID_A \| exp))$, where $exp$ indicates the key expiration time. To renew its private key before it expires, $A$ needs to individually contact $t$ out of $n$ D-PKGs for partial private keys, based on which to construct a complete one via Lagrange interpolation. As usual, our discussion is from the viewpoint of key management instead of the cryptographic algorithms themselves.
Since all three approaches are $(t, n)$-threshold schemes, they have the same level of security as long as the t-limited assumption holds. However, they differ in the worst-case scenario where adversaries manage to compromise at least $t$ distributed CAs (D-CAs for short) in CKM, or $t$ D-PKGs in IKM or o-IKM. In that situation, adversaries are able to construct the CA's private key in CKM, or the PKG's master secret $K_{P2}$ in IKM or o-IKM. For both CKM and our IKM, adversaries still cannot deduce the private key of any non-compromised node, be it a D-CA (or D-PKG) or a common node. Therefore, the communication security between non-compromised nodes is still guaranteed. In contrast, the exposure of $K_{P2}$ in o-IKM would result in loss of overall system security because it permits adversaries to derive all the private keys of all the compromised or non-compromised nodes ever used since the network formation. This means that adversaries would be able to freely read encrypted messages observed in the past or future, and forge any node's digital signature.
In summary, our IKM is at least as secure as conventional CKM, but outperforms o-IKM in the worst-case scenario.
3.5 Performance Evaluation
In this section, we compare the proposed IKM with conventional CKM via simulations. As mentioned in Section 3.2.2, DSA-based CKM solutions have much worse communication efficiency than RSA-based ones under the same security level. Therefore, we focus on comparing IKM with RSA-based CKM, which is implemented mainly based on [32, 36] with the number of D-CAs set to $n$ instead of $N$. As discussed before, our IKM is more secure than o-IKM [39, 20] under the same secret-sharing parameters $(t, n)$. In addition, the communication and computation overheads of o-IKM are the same as those of IKM with regard to key revocation, but are much higher in terms of key update, because o-IKM requires that each node individually contact $t$ out of $n$ D-PKGs for key update. Since the advantages of our IKM over o-IKM are quite obvious, we do not offer the simulation results of their comparison for lack of space.
3.5.1 Simulation Setup
The comparison is done within GloMoSim [21], a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB memory. Although such a powerful machine may not be available in some application scenarios, it should be appropriate for the comparative study of IKM and CKM. To avoid causal implementation errors and guarantee a fair comparison, all the cryptographic primitives are built using MIRACL [22], a standard cryptographic library.
For CKM, the underlying CBC is RSA with a 1024-bit modulus for sufficient security. An RSA public key consists of an ordered pair $(n, e)$ where $n$ is the modulus and $e$ is the public exponent. A common value for the public exponent is $e = 2^{16} + 1$, which is the value we use for all public exponents. Note that this is in favor of CKM because RSA encryption and signature verification are much faster with $e = 2^{16} + 1$ than with a random exponent. Therefore, an RSA public key requires 128 bytes for the modulus and 3 bytes for the public exponent, resulting in a total size of 131 bytes. In addition, an RSA signature consists of a single 1024-bit value. For simplicity, we assume that a node ID is 16 bytes and that the certificate expiration time can be encoded in 2 bytes. An RSA certificate $\langle ID_A, (n, e), exp, \text{CA's signature} \rangle$ will then be 277 bytes in total.
For our IKM, the bilinear map $\hat{e}$ we use is the Tate pairing [14]. $q$ is the 160-bit Solinas prime $2^{159} + 2^{17} + 1$ and $p$ is a 512-bit prime equal to $12qr - 1$ (for some $r$ large enough to make $p$ the correct size). Such choices of $q, p$ deliver a level of security comparable to 1024-bit RSA [12, 13]. The elliptic curve $E$ we use is $y^2 = x^3 + x$ defined over $\mathbb{F}_p$. The ID-based signature primitive $[M]_{K_{A,p_i}^{-1}}$ used is the one outlined in [56], in which a signature consists of one element of $G_1$ and one element of $\mathbb{Z}_q$. Since the former is a point on $E/\mathbb{F}_p$, only the $y$-coordinate needs to be transmitted because the $x$-coordinate can be easily derived using $E$. Therefore, an ID-based signature is 84 bytes. This point compression technique is also used in transmitting key revocations and common private-key elements, both being elements in $G_1$. Moreover, the hash function SHA-1 [16] and the symmetric-key encryption primitive RC6 [18] are used wherever applicable.
We simulate a MANET with 50 nodes deployed in a 700 x 700 m$^2$ square field.$^2$ The physical-layer path loss model is the two-ray model. The node transmission range is 250 meters and the channel capacity is 2 Mb/s. The MAC protocol used is the Distributed Coordination Function (DCF) of IEEE 802.11. For simplicity, the underlying routing protocol is AODV [5] instead of our MASK [20]. Nodes are initially uniformly distributed and node mobility is emulated according to the random waypoint model [6]. We run simulations for constant node speeds of 5, 10, and 15 m/s, with the pause time fixed to 5 seconds. In addition, we use 20 CBR connections with random source and destination pairs throughout the simulations. All the data packets are 512 bytes and are sent at a rate of 4 packets/s.
2 Note that for the simulated network size, it may be feasible to preload each node with all the others' public keys. However, it should be understood that this choice is just for illustration purposes and also to ensure a fair comparison with ARAN [42], which uses the same network size.
3.5.2 Computational Costs
We present the computational costs of the outstanding primitive operations in CKM and IKM in Table 3-2. As compared to RSA operations, the pairing evaluation is currently a relatively expensive operation, which by far takes the most running time of an IBC algorithm. However, since the pairing is a relatively new technique, we anticipate that its evaluation cost will be much reduced with the rapid advance in cryptography. For example, Barreto et al. [23] recently announced an approach to evaluate the Tate pairing up to 10 times faster than previous methods, the implementation of which is underway. In addition, the pairing computation can be much accelerated by using dedicated cryptographic hardware. For instance, it is reported in [61] that the Tate pairing can be calculated in about 6 ms on a modern FPGA. Despite its computational inefficiency, we will see below that our IKM still outperforms CKM in almost all aspects because of its certificateless nature.
Table 3-2: Timings of primitive operations
Primitive                                          Time (ms)
RSA key generation                                 526.5
RSA encryption/verification (e = 2^16 + 1)         0.26
RSA decryption/signing                             5.08
Modular exponentiation (m^K mod N)                 16.89
Map-to-point H1(.)                                 2.6
Scalar multiplication in G1                        3.3
Modular exponentiation in G2                       2.4
Pairing                                            11.0
ID-based signing (with pre-computation)            5.7
ID-based signature verification                    35.5
Table 3-3: Comparison of key revocation time
               threshold t = 5              threshold t = 10
Speed (m/s)    IKM (sec)    CKM (sec)       IKM (sec)    CKM (sec)
5              3.344        3.179           8.563        8.323
10             3.356        3.220           8.577        8.387
15             3.362        3.235           8.586        8.401
3.5.3 Comparison in Key Revocation
Here we compare IKM with CKM with regard to key revocation. We use 20 CBR sessions as background traffic to simulate more realistic scenarios. Two sets of secret-sharing parameters $(t, n)$ are simulated: $(5, 10)$ and $(10, 20)$. The revocation process of CKM is implemented similarly to that of our IKM. For simplicity, we set the revocation threshold $\gamma$ equal to $t$, and each accusation is sent to $\beta = 1$ D-PKG in IKM or D-CA in CKM. In other words, when the number of accusations against one specific node reaches $\gamma = t$ at a D-PKG or D-CA, that D-PKG or D-CA sends the accumulated accusations to other random $(t-1)$ out of $(n-1)$ D-PKGs or D-CAs which, in turn, send back partial revocations after verifying the received accusations. To avoid possible MAC-layer collisions resulting from the returned partial revocations, the revocation leader uses a fixed delay of one second between contacting two different D-PKGs.
Table 3-4: Comparison of key update (t = 5)
               IKM: threshold t = 5                 CKM: threshold t = 5
Speed (m/s)    Time (sec)    Overhead (packet)      Time (sec)    Overhead (packet)
5              3.173         352                    271.088       18556
10             3.182         674                    271.965       20846
15             3.189         1328                   273.443       22400
Table 3-5: Comparison of key update (t = 10)
               IKM: threshold t = 10                CKM: threshold t = 10
Speed (m/s)    Time (sec)    Overhead (packet)      Time (sec)    Overhead (packet)
5              8.187         662                    275.289       37078
10             8.194         1286                   276.952       45438
15             (illegible)   (illegible)            279.978       (illegible)
Table 3-3 gives the one-time key revocation time of IK(M and CK(M for t = 5 and 10,
accusations to (t 1) peers, until the last node in the network receives and verifies the final
complete revocation. All packet transmission and cryptographic processing time has been
included. As we can see, although our IK(M is slightly inferior to CK(M, both can finish a key
revocation in a very short duration. This demonstrates the feasibility of real-time public-
key revocations in MANETs. We can also observe that, the larger the threshold t, the more
time it takes to finish the revocation process, which is quite intuitive. In addition, node
mobility has little impact on the revocation time in that the revocation process only involves
the transmission of 2(t 1) unicast packets and one network-wide broadcast packet for the
final revocation. Such a small amount of traffic can be transmitted before the network
topology changes significantly and thus some unicast routes break due to node mobility.
3.5.4 Comparison in Key Update
In this subsection, we demonstrate the advantage of our IKM over CKM in terms of
key update. Again, 20 CBR sessions are used to emulate normal traffic scenarios. For our
IKM, the key update process starts when one D-PKG sends a key update request to other
random (t − 1) D-PKGs,3 and finishes when all the network nodes receive and verify the
broadcast common private-key component. For CKM, the key update process lasts from
when the first node starts contacting t random D-CAs for key update until the last node
finishes its key update through t random D-CAs. To avoid traffic collisions at the D-CAs, a
fixed interval of 5 seconds is inserted between two consecutive key updates by two different
nodes.4
We are interested in two metrics: one-time key update time, including packet
transmission time and all cryptographic processing time, and key update overhead in number
of packets, which counts all the key requests/replies and the incurred routing control packets.
Tables 3-4 and 3-5 compare our IKM with CKM with regard to these two metrics for t = 5
and 10, respectively. Since a key update process in IKM is similar to a key revocation
process, it can be finished in a similarly short period. In contrast, key update in CKM
requires a relatively great amount of time and incurs a significantly larger overhead. In
addition, the key update time and overhead of both schemes increase with the threshold t,
which is of no surprise.
3.5.5 Comparison in Secure Routing
A most important use of public-key techniques in MANETs is to secure routing
protocols. As noted in [42], most existing secure routing schemes for MANETs rely on the use
of public keys and certificates without explicitly discussing how to perform certificate
distribution. By contrast, a recent work, called ARAN [42], accounts for certificate distribution.
ARAN is an elegant scheme because it is essentially a secured version of classic AODV [5]
and thus preserves many nice features of AODV. However, using ID-based public/private
keys in place of certificate-based ones can turn ARAN into a much more efficient solution,
which is shown as follows.
3 The 1-s sending interval is still used.
4 We have tried different interval values and the chosen one can guarantee that almost
all the nodes can successfully finish their key update within the simulation time.
Due to space limitations, we refer to [42] for detailed descriptions of ARAN. For ease
of presentation, we denote the original ARAN by ARAN-CKM and the modification with
our IKM by ARAN-IKM. Regarding the overall routing process, ARAN-IKM is the same as
ARAN-CKM. Their difference lies in the structures and cryptographic processing of routing
control packets, including route discovery/reply/error packets. For example, assuming
a source and destination pair of nodes X and Y, a typical route discovery packet (RDP)
in ARAN-CKM is of format $\langle ((RDP, ID_Y, N_X)_{X^{-1}})_{A^{-1}}, cert_X, cert_A \rangle$. Here, $(m)_{X^{-1}}$
stands for message m with its RSA signature generated under node X's RSA private key
$X^{-1}$; $N_X$ is a monotonically increasing sequence number set by X; $cert_X$ is the RSA
certificate of source X (see Section 3.5.1 for the certificate format); $cert_A$ is the RSA certificate
of an intermediate node A attached when A forwards the RDP of X to its own neighbors.5
Considering the RDP format $\langle RDP, ID_Y, N_X, ID_X, ID_A \rangle$ in AODV [5], ARAN-CKM
adds 778 bytes to the RDP. Suppose the network is in key update phase $p_i$. In ARAN-IKM,
the RDP changes to $\langle [[RDP, ID_Y, N_X]_{K^{-1}_{X,p_i}}]_{K^{-1}_{A,p_i}}, ID_X, ID_A \rangle$. Therefore, ARAN-IKM
increases the RDP in AODV by 168 bytes because of the two ID-based signatures. The
routing reply and error packets in ARAN-CKM are modified similarly.
We run simulations to compare the routing performance of ARAN-CKM and ARAN-IKM.
The results generated with AODV are also provided as the baseline. Again, 20
CBR sessions are used in the simulations and each simulation is executed for 15 simulated
minutes. In our simulation results, each data item represents an average of ten runs with
identical traffic models, but with different mobility scenarios.
We use four key performance metrics to evaluate the performance. Average route
discovery delay measures the average latency from the time of sending an RDP to receiving
the first corresponding route reply. Average data packet delay measures the average time
from the sending of a data packet by a CBR source until its reception at the corresponding
CBR destination. This includes all possible delay caused by buffering during route discovery,
queuing delay at the interface, retransmission delay at the MAC layer, and propagation and
transmission delay at the physical layer. Packet delivery ratio (PDR) measures the ratio of
the data packets delivered to the destination to those generated by the CBR sources. Finally,
normalized routing load measures the average number of routing packet bytes transmitted
per delivered data packet byte. Each hop-wise transmission of a routing packet byte is
counted as one transmission.
5 Node IDs are included in certificates. Please refer to [42] on how the RDP is processed
in a hop-by-hop manner.
Figure 3-1: Average route discovery delay. [Plot vs. node speed (m/s) for AODV, ARAN-CKM
and ARAN-IKM; image not reproduced.]
The advantages of ARAN-CKM over AODV in the presence of malicious nodes have
been demonstrated in [42]. For simplicity, we just compare the performance of AODV,
ARAN-CKM, and ARAN-IKM when all the nodes in the network are well-behaved or
benign. Note that, no matter whether there are malicious nodes or not, the operations
of both ARAN-CKM and ARAN-IKM remain the same. Therefore, as long as we can
show that ARAN-IKM outperforms ARAN-CKM in the simulated scenarios, it will also
demonstrate better performance than the latter and thus AODV in the face of malicious
nodes. In all our simulation results, AODV always outperforms both ARAN-CKM and
ARAN-IKM. This is of no surprise because there are no efforts at all made in AODV to
deal with routing attacks. We will focus on discussing the difference between ARAN-CKM
and ARAN-IKM.
Fig. 3-1 compares the average route discovery delay of ARAN-CKM and ARAN-IKM
under three mobility scenarios. We can observe that ARAN-IKM always exhibits shorter
route discovery delay than ARAN-CKM. The key reason is that routing discovery and reply
packets in ARAN-CKM are of much larger sizes than those of ARAN-IKM. As a result,
routing packets in ARAN-CKM are more subject to loss due to collisions with other data
or routing packets during their transmission. When a source does not receive a route reply
packet for a while after sending the RDP, it has to resend the RDP, which worsens the
situation. This contributes to the shown advantage of ARAN-IKM over ARAN-CKM. In
addition, the performance difference between ARAN-IKM and ARAN-CKM becomes more
and more significant with the increase of node mobility. For example, when the node speed
is 15 m/s, the route discovery delay of ARAN-IKM is about 390.08 ms, representing a
saving of about 28 percent as compared to the 540.32 ms delay of ARAN-CKM. That is
because high mobility means that routes will break more frequently, so accordingly route
discovery needs to be performed more frequently. Since more routing packets are involved,
their probabilities of colliding with other traffic become increasingly higher in ARAN-CKM
than in ARAN-IKM.
Figure 3-2: Average data packet delay. [Plot vs. node speed (m/s); image not reproduced.]
Figure 3-3: Packet delivery ratio. [Plot vs. node speed (m/s); image not reproduced.]
Figure 3-4: Average routing load. [Plot vs. node speed (m/s) for AODV, ARAN-CKM and
ARAN-IKM; image not reproduced.]
Fig. 3-2 plots the average data packet delay vs. node speed. As we can see, ARAN-IKM
has a significant advantage over ARAN-CKM in all three mobility scenarios. In
particular, when the node speed is 5, 10 or 15 m/s, the data packet delay of ARAN-CKM
is about 4.68, 7.86 or 8.04 times longer than that of ARAN-IKM, respectively. This result is
partly due to the shorter route discovery delay of ARAN-IKM compared with ARAN-CKM,
which results in shorter delay caused by buffering at the network layer. Another more
important reason is that MAC-layer frames in IEEE 802.11, including RTS/CTS/DATA/ACK,
are more subject to collisions with the MAC frames of routing packets in ARAN-CKM than
in ARAN-IKM because the former has much larger routing packets. The situation
deteriorates with the increase in node mobility and thus the increase in the number of
routing packets. As a result, data packets in ARAN-CKM experience much longer queuing
and retransmission delay at the MAC layer.
Fig. 3-3 shows the PDRs of AODV, ARAN-IKM, and ARAN-CKM for three mobility
scenarios. In all cases, ARAN-IKM demonstrates performance close to AODV and higher
than ARAN-CKM. This mainly results from the fact that a smaller portion of data packets
are dropped in ARAN-IKM than in ARAN-CKM due to attainment of the retransmission
limit at the MAC layer. The ultimate reason, however, is still the larger routing packets
in ARAN-CKM. Finally, the normalized routing loads of ARAN-IKM and ARAN-CKM are
shown in Fig. 3-4. For node speeds of 5, 10 or 15 m/s, ARAN-CKM has a routing load 3.1,
3.7 or 4.1 times higher than that of ARAN-IKM, respectively, because of the larger sizes of
its routing packets.
To summarize, our IKM has significant advantages over conventional CKM in secure
routing protocol design, a fundamental component in MANET security.
3.6 Summary
Key management is a fundamental, challenging issue in securing MANETs. This chapter
presents IKM, a secure, lightweight, scalable ID-based key management scheme for
MANETs. As a novel combination of ID-based and threshold cryptography, IKM is a
certificateless solution that permits public keys of mobile nodes to be directly derivable from
their known network IDs and some other common information. It thus obviates the need for
public-key distribution and thus certificates inherent in conventional public-key solutions.
Our IKM is characterized by a novel method of constructing ID-based public/private keys,
which not only guarantees high-level resilience to node compromise attacks but also
facilitates very efficient network-wide key update by a single broadcast message. In addition,
we give general guidelines on choosing the secret-sharing parameters for achieving desirable
levels of security and robustness. The significant advantages of IKM over conventional
certificate-based solutions have been confirmed by extensive simulation results.
Most existing security mechanisms for MANETs thus far involve the heavy use of
public-key certificates. In this regard, we believe that the findings of this chapter would
have much influence on the research paradigm of the whole community and stimulate many
other fresh research outcomes. As our future work, we will seek efficient solutions based on
IKM to a variety of challenging security issues in MANETs such as intrusion detection and
secure routing.
CHAPTER 4
SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS
4.1 Introduction
Wireless sensor networks (WSNs) have attracted a lot of attention recently due to
their broad applications in both military and civilian operations. Many WSNs are deployed
in unattended and often hostile environments such as military and homeland security
operations. Therefore, security mechanisms providing confidentiality, authentication, data
integrity, and non-repudiation, among other security objectives, are vital to ensure proper
network operations.
Many WSNs require sensor nodes to know their physical locations. Examples include
those for target detection and tracking, precision navigation, search and rescue, geographic
routing, security surveillance, and so on. Driven by this demand, many localization schemes
have been proposed in recent years, with most assuming the existence of a few anchors that
are special nodes knowing their own locations, e.g., via GPS or manual configuration. These
proposals can be divided into two categories: range-based such as [62, 63] and range-free
such as [64, 65]. The former are characterized by using absolute point-to-point distance
(range) or angle estimates in location derivations, while the latter depend on messages from
neighboring sensors and/or anchors. Range-based solutions can provide more accurate
locations, but have higher hardware requirements for performing precise range or angle
measurements. By contrast, although having lower hardware requirements, range-free
approaches only guarantee coarse-grained location accuracy. In this chapter, we focus on
range-based approaches and leave the investigation of range-free ones as future work.
We observe that almost all existing range-based proposals were designed for benign
scenarios where nodes cooperate to determine their locations. As a result, they are
ill-suited for unattended and often hostile settings such as tactical military operations and
homeland security monitoring. Under such circumstances, attackers can easily subvert
the normal functionalities of WSNs by exploiting the weakness of localization algorithms
[66, 67]. In this chapter, we do not intend to provide brand-new localization techniques for
WSNs. Instead, we focus on analyzing and enhancing the security of existing approaches
when applied in adversarial settings.
Figure 4-1: An exemplary two-way ToA localization process, where anchors A, B, C are
determining the location of sensor S. (a) No attacks. (b) $d_{CS}$ is reduced. (c) $d_{CS}$ is
enlarged. [Image not reproduced.]
The rest of this chapter is structured as follows. We start with analyzing the
vulnerability of existing approaches in Section 4.2. Next, we present a novel mobility-assisted
secure localization scheme (SLS) in Section 4.3. We then review related work in Section 4.4
and summarize this chapter.
4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization
Popular range-based localization techniques include Received-Signal-Strength-Indicator
(RSSI), Angle-of-Arrival (AoA), Time-of-Arrival (ToA), and Time-Difference-of-Arrival (TDoA).
Readers are referred to [63] for a nice review. Among these techniques, ToA is the most
commonly used one, whose requirement for fine time resolution can be satisfied by the
ultra-wideband (UWB) technique [68]. Therefore, our study focuses on a two-way ToA
approach, which is illustrated in Fig. 4-1.
In the shown example, anchors A, B, and C intend to determine the 2-D location of
sensor S. To do so, A transmits at time $t_1$ a challenge to sensor S, which immediately
echoes a response received by A at time $t_2$. Anchor A can then estimate its distance to S
as $d_{AS} \approx (t_2 - t_1)c/2$, where c is the speed of light. In the same way, B and C can obtain
distance estimates to S, denoted by $d_{BS}$ and $d_{CS}$, respectively. Let $(X_A, Y_A)$, $(X_B, Y_B)$,
$(X_C, Y_C)$ be the known locations of A, B, and C, and $(X_S, Y_S)$ be S's location to be decided.
Assume that A is the leader which collects $d_{BS}$ and $d_{CS}$ and then sets up the following
equations:
$$f_A = d_{AS} - \sqrt{(X_S - X_A)^2 + (Y_S - Y_A)^2}$$
$$f_B = d_{BS} - \sqrt{(X_S - X_B)^2 + (Y_S - Y_B)^2} \qquad (4.1)$$
$$f_C = d_{CS} - \sqrt{(X_S - X_C)^2 + (Y_S - Y_C)^2}$$
If there is no measurement error, $f_A$, $f_B$, and $f_C$ are all equal to zero, and $(X_S, Y_S)$ is
the common intersection point of the three circles defined by the above equations. Since
measurement errors inevitably exist in reality, however, $(X_S, Y_S)$ will be somewhere in the
intersection area formed by the three circles, as shown in Fig. 4-1(a). It can be obtained
via the Minimum Mean-Square Error (MMSE) method [62], i.e., by minimizing
$F(X_S, Y_S) = f_A^2 + f_B^2 + f_C^2$.
Figure 4-2: The topology of an exemplary distance enlargement attack. [Diagram showing
anchor C, sensor S, attacker 1 and attacker 2 linked by a secret channel; image not reproduced.]
The above process is vulnerable to distance reduction and enlargement attacks, in
which attackers attempt to reduce and enlarge distance estimates, respectively, so as to
maliciously increase the location inaccuracy. For example, attackers can impersonate sensor
S to answer anchor C's challenge before S does, and then jam the later genuine response
from S. As a result, $d_{CS}$ would be intentionally reduced. In addition, Fig. 4-2 shows the
topology of an exemplary distance enlargement attack, where the two circles indicate the
transmission ranges of anchor C and attacker 2, respectively. In this attack, the challenge
from C is correctly received by attacker 1, but not by sensor S, whose reception is
interfered with by attacker 2. Subsequently, attacker 1 sends the unmodified challenge via a
secret channel to attacker 2 which, in turn, forwards the challenge to sensor S after some
time. Sensor S will consider it a challenge from anchor C and respond to it. In doing so,
attackers can increase the challenge-response time difference measured at C and thus the
distance estimate $d_{CS}$. Both distance reduction and enlargement attacks may make the
location estimate of sensor S far from its true location, as can be seen from Fig. 4-1(b) and
Fig. 4-1(c), respectively. To satisfy the requirement for high location accuracy by many
WSN applications, we must therefore seek ways to mitigate the impact of such attacks.
4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks
In this section, we present a mobility-assisted secure localization scheme (SLS) for
WSNs. To ease our illustration, we focus on how to ensure secure 2-D location estimates,
but SLS can be easily extended to the 3-D case.
4.3.1 Network Model
We consider a WSN that consists of randomly-deployed sensor nodes, e.g., via random
aerial scattering. Sensor localization is normally done during the network initialization
phase, in which we assume that a set of anchors, denoted by $\mathcal{A}$, perform coordinated group
movement across the whole sensor field. Typical examples of anchors are mobile robots or
Unmanned Aerial Vehicles (UAVs) flying at low levels. The number of anchors, denoted
by $n_a = |\mathcal{A}|$, should be at least three for determining a 2-D location. Intuitively, the more
anchors (i.e., distance estimates) are available, the more precise location estimates are, at
the cost of increased communication and computational overhead. We also denote anchor
i by $A_i$ for $i \in \{1, \ldots, n_a\}$.
Each $A_i$ is assumed to know its own location $(X_{A_i}, Y_{A_i})$ at any time and place through
GPS receivers or other means. In addition, there is always a leader in $\mathcal{A}$ that takes charge
of the localization process. In practice, each anchor should take turns to act as the leader
to balance their resource usage. For convenience, however, we assume $A_1$ to be always the
anchor leader hereafter. We further assume that anchors and sensor nodes have the same
transmission range $r_0$.
Before network deployment, we assume that the network planner picks a sufficiently
long secret K, and loads each sensor S with a secret key $K_S = h_K(ID_S)$. Here, $ID_S$ is the
unique identifier of node S, h indicates a fast hash function such as SHA-1, and $h_K(M)$
refers to the message integrity code (MIC) of message M under key K. We further postulate
that each anchor knows the network secret K and is trusted and unassailable to attackers
during the node localization phase, which usually does not last too long. This assumption is
reasonable in that anchors are usually much fewer than sensor nodes, so we can spend more
on them by enclosing them in high-quality tamper-resistant enclosures and putting them
under perfect monitoring. How to deal with compromised anchors is part of our ongoing
work.
4.3.2 Overview of SLS
After sensor nodes are deployed, anchors are instructed to perform strategic group
movement along pre-planned routes to localize all the sensor nodes. Anchors are required
to always maintain an $n_a$-vertex polygon with the longest distance between any two vertices
no larger than $r_0$. This means that anchors and sensors inside the polygon can directly
communicate with each other. To localize a node, say S, anchors first measure their respective
distances to S with a modified two-way ToA approach, called K-Distance. The anchor leader
$A_1$ then collects all the distance estimates whereby to derive a MMSE location estimate.
Subsequently, $A_1$ runs a validity test on the location estimate to detect possible attacks.
Unlike traditional localization methods such as AHLos [62], our mobility-assisted
approach does not require each sensor node to accurately measure distances to anchors and
do the MMSE estimation. Instead, each node just needs to answer the challenges from
anchors, and the tasks of time (distance) measurement and location derivation are shifted
to resource-rich anchors. This is highly desirable for lowering the requirements on sensor
hardware and thus the manufacturing costs. In the rest of this section, we will detail the
operations of SLS with a to-be-localized sensor node S as an example.
4.3.3 K-Distance: a K-Round Distance Estimation Algorithm
To obtain a distance estimate to node S, anchor $A_i$ first calculates $K_S = h_K(ID_S)$ based
on the preloaded network secret K. It then executes the K-Distance algorithm outlined in
Table 4-1. $A_i$ begins with sending to S an l-bit random nonce $N_j$ and starts a timer
when the last bit of $N_j$ is sent. Upon receiving $N_j$, node S needs to immediately echo $N_j$
concatenated with another l-bit random nonce $M_j$ picked by itself. Next, S sends to $A_i$ a
MIC, $v = h_{K_S}(N_j \| M_j)$, where $\|$ means message concatenation.
Table 4-1: The K-Distance algorithm.
1: T = ∅
2: for (j = 1; j ≤ K; j++) do
3:   A_i sends an l-bit random nonce N_j to S
4:   S responds with N_j and another random nonce M_j
5:   A_i sets t_j = time elapsed between challenge and response
6:   S sends to A_i a number v = h_{K_S}(N_j || M_j)
7:   if h_{K_S}(N_j || M_j) = v then /* by A_i */
8:     T = T ∪ {t_j}
9:   end if
10: end for
11: t_{A_i S} = median(T)
12: return d_{A_i S} = c · t_{A_i S} /* c is the speed of light */
Figure 4-3: Timing of the challenge-response process. [Diagram marking the last bit of
$N_j$, the first and last bit of $N_j \| M_j$, $t^S_{proc}$, $t_{trm}$ and $t^A_{proc}$; image not reproduced.]
When receiving the last bit of the response, $A_i$ stops the timer and sets $t_j$ equal to
the elapsed time. It then uses $K_S$ to compute a MIC on $N_j$ and $M_j$. If the result is not
equal to v, which arrives later, $A_i$ considers the response a bogus one and simply ignores it.
Otherwise, it believes that the response indeed came from S, and proceeds to calculate the
one-way signal propagation time as $t_{p,j} = (t_j - t^A_{proc} - t^S_{proc} - t_{trm})/2$. Here, $t^A_{proc}$
represents the time duration from when the last bit of the response hits the antenna of $A_i$
until the response is completely decoded (cf. Fig. 4-3); $t^S_{proc}$ is the time duration from when
the last bit of the challenge reaches the antenna of S until S transmits the first bit of the
response. $t^A_{proc}$ and $t^S_{proc}$ are device-dependent and usually are constant or vary on a tiny
scale. Both can be pre-determined and preloaded to $A_i$ to calibrate the time measurements
to a certain precision. Assume that transmission links from S to anchors have a bandwidth
of b b/s. Then the response transmission time $t_{trm}$ is approximately equal to seconds.
The above process offers strong defense against distance reduction attacks in the sense
that attackers cannot reduce $t_{p,j}$ and thus the distance estimate $d_{A_iS}$. One reason is that
the MIC check ensures that an authentic response can only be sent by node S. Another
important reason is that nothing can travel faster than light, so attackers are unable
to make the challenge arrive at S earlier than it should.
Attackers, however, can still launch the distance enlargement attack, i.e., enlarging $t_{p,j}$
and thus the distance estimate. To mitigate this attack, we require $A_i$ to perform K
distance measurements. The motivation is that attackers might not be able to actively
affect all K time measurements and thus distance estimates. It is also worth noting that
our method can help mitigate sporadic measurement errors. K is a design parameter that
determines the tradeoff between algorithm overhead and resilience to distance enlargement
attacks and measurement errors. Assume that all the K time measurements are stored in
an initially empty set T. The next question is how to securely use them. The naive use
of the average is insecure because attackers can easily make the calculated average quite
different from the true one by merely enlarging one time measurement to be sufficiently
large.
Figure 4-4: Location validity test with three anchors. (a) No measurement errors.
(b) Measurement errors exist. (c) $d_{A_3S}$ is enlarged. [Image not reproduced.]
As pointed out in [6?], the median is a safer replacement for the average, so K-Distance
uses the median of the K time measurements to calculate $t_{A_iS}$.6 For brevity, we only assume
that m of the K time measurements were enlarged. [The remainder of this sentence is
illegible in the source.] In general, if m time measurements were enlarged, the median either
remains unchanged or changes to another measurement. It is obvious that the median method
can tolerate the enlargement of up to about half of the time measurements.
$A_i$ then calculates $d_{A_iS} = c \cdot t_{A_iS}$ and sends to anchor leader $A_1$ a message of format
$\{ID_S, d_{A_iS}, h_K(ID_S \| d_{A_iS})\}_K$, where $\{M\}_K$ means encrypting message M with key K.
Upon receiving it, $A_1$ decrypts $d_{A_iS}$ and checks its authenticity via the preloaded K. Once
obtaining all $n_a$ distance estimates, $A_1$ can then derive a MMSE location estimate $(X_S, Y_S)$.
6 We notice that there might exist other methods such as Least Median of Squares (LMS)
to deal with outliers (distance estimates enlarged in our case). However, they are less
computationally efficient than the median method.
Table 4-2: Testing if a point is inside a |B|-vertex polygon.
Inputs: B: an anchor set, (X_S, Y_S): a location estimate
Output: 0 if outside, 1 otherwise
1: u = 0
2: for (i = 1, j = |B|; i ≤ |B|; j = i++) do
3:   if ((((Y_i < Y_S) && (Y_j > Y_S)) || ((Y_i > Y_S) && (Y_j < Y_S)))
4:       && (X_S > (X_j − X_i)(Y_S − Y_i)/(Y_j − Y_i) + X_i)) then /* edge crosses the leftward ray */
5:     u = !u
6:   end if
7: end for
8: return u
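The K-Distance exchange of Table 4-1 together with the median filtering just described, as an added example in Python that is not part of the dissertation. It assumes HMAC-SHA1 for $h_K$, 64-bit nonces, a 100 Mb/s link, constant pre-calibrated processing times, and a simulated radio channel in which an attacker can only delay responses (distance enlargement), never shorten them.

```python
"""Software model of K-Distance (Table 4-1) with the median filter of Section 4.3.3."""
import hashlib
import hmac
import secrets
from statistics import median

C_LIGHT_M_PER_NS = 0.299792458   # c, speed of light in metres per nanosecond
NONCE_BITS = 64                  # l, nonce length in bits (constructed value)
BANDWIDTH_BPS = 100_000_000      # b, link bandwidth in bit/s (constructed value)
T_PROC_ANCHOR_NS = 50.0          # t^A_proc, assumed pre-calibrated (constructed)
T_PROC_SENSOR_NS = 50.0          # t^S_proc, assumed pre-calibrated (constructed)


def derive_sensor_key(network_secret: bytes, sensor_id: bytes) -> bytes:
    """K_S = h_K(ID_S), with HMAC-SHA1 standing in for the keyed hash h_K."""
    return hmac.new(network_secret, sensor_id, hashlib.sha1).digest()


def mic(key: bytes, *parts: bytes) -> bytes:
    """v = h_{K_S}(N_j || M_j): MIC over the concatenated nonces."""
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


class Sensor:
    """Node S: it only echoes the challenge and returns a MIC; no ranging logic."""

    def __init__(self, sensor_id: bytes, network_secret: bytes):
        self.key = derive_sensor_key(network_secret, sensor_id)

    def respond(self, nonce: bytes):
        m = secrets.token_bytes(NONCE_BITS // 8)        # M_j
        return nonce + m, mic(self.key, nonce, m)       # (N_j || M_j, v)


def propagation_time_ns(t_j: float, t_trm: float) -> float:
    """t_{p,j} = (t_j - t^A_proc - t^S_proc - t_trm) / 2, as in Section 4.3.3."""
    return (t_j - T_PROC_ANCHOR_NS - T_PROC_SENSOR_NS - t_trm) / 2


def k_distance(sensor, sensor_id, network_secret, true_distance_m, k, enlarge_ns=()):
    """
    Anchor side of K-Distance.  The radio channel is simulated: the measured
    round trip t_j is the true round trip plus processing and transmission
    time, plus an attacker-injected delay for round j if enlarge_ns[j] > 0
    (distance enlargement only; reduction is ruled out by the MIC and the
    speed of light, as the text argues).  Returns the median-based distance
    in metres, or None if no authentic response was received.
    """
    t_trm = 2 * NONCE_BITS / BANDWIDTH_BPS * 1e9   # assumed: 2l bits at b bit/s
    key = derive_sensor_key(network_secret, sensor_id)
    true_rtt = 2 * true_distance_m / C_LIGHT_M_PER_NS
    T = []
    for j in range(k):
        n = secrets.token_bytes(NONCE_BITS // 8)     # N_j, the challenge
        echo, v = sensor.respond(n)
        delay = enlarge_ns[j] if j < len(enlarge_ns) else 0.0
        t_j = true_rtt + T_PROC_ANCHOR_NS + T_PROC_SENSOR_NS + t_trm + delay
        # MIC check: a response not bound to K_S is bogus and is ignored
        if echo[:len(n)] != n or not hmac.compare_digest(mic(key, n, echo[len(n):]), v):
            continue
        T.append(propagation_time_ns(t_j, t_trm))
    if not T:
        return None
    return C_LIGHT_M_PER_NS * median(T)             # median tolerates < K/2 enlarged rounds


if __name__ == "__main__":
    secret = b"network secret K (constructed)"
    s = Sensor(b"S-17", secret)
    print(k_distance(s, b"S-17", secret, 20.0, k=5))
    print(k_distance(s, b"S-17", secret, 20.0, k=5, enlarge_ns=(3000.0, 3000.0)))
    print(k_distance(s, b"S-17", secret, 20.0, k=5, enlarge_ns=(3000.0,) * 3))
```

With K = 5, delaying two rounds leaves the median (and so the distance) untouched, while delaying three rounds moves it, which is the "about half" tolerance stated above.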
4.3.4 Location Validity Test
The median approach may be enough for withstanding less powerful attackers. However,
if K assumes a small value, attackers launch persistent attacks, and m is greater than
K/2, some distance estimates used for deriving $(X_S, Y_S)$ might still have been enlarged,
leading to the invalidity of $(X_S, Y_S)$. Therefore, we require $A_1$ to run a validity test on
$(X_S, Y_S)$.
Consider first the simple case that there are no measurement errors. If none of the $n_a$
distance estimates were enlarged by attackers, $(X_S, Y_S)$ should be exactly the intersection
point of the $n_a$ circles $\{(X - X_{A_i})^2 + (Y - Y_{A_i})^2 = d_{A_iS}^2\}_{i=1}^{n_a}$. To test the validity of
$(X_S, Y_S)$, $A_1$ merely needs to check whether $(X_S, Y_S)$ is inside the $n_a$-vertex polygon formed
by all the anchors. The underlying logic is very simple. If attackers want to make S appear
to be at any location other than its true location, they have to enlarge certain distance
measurements while at the same time reducing some others so as to keep the resulting location
estimate inside the polygon. As mentioned before, however, our K-Distance algorithm can
prevent attackers from launching distance reduction attacks. Therefore, anchors can be
assured that the location estimate is trustable as long as it resides in the $n_a$-vertex polygon.
We refer to Fig. 4-4(a) for an example with three anchors ($n_a = 3$).
To determine the inclusion of a point inside a polygon, we select the ray-tracing method
for its simplicity and computational efficiency. This method works by starting at the
point in question and drawing a straight line in any direction. If the number of times
the ray intersects the polygon edges is odd, the starting point is inside the polygon and
is outside otherwise. This is easy to understand intuitively. Each time the ray crosses
a polygon edge, its in-out parity changes because each edge always separates the inside
of a polygon from its outside. Eventually, any ray must end up beyond and outside the
bounded polygon. Therefore, if the point is inside, the sequence of crossings "->" must
be: in->out->...->in->out, and there are an odd number of them. Similarly, if the point
is outside, there are an even number of crossings in the sequence: out->...->in->out.
Table 4-2 gives the pseudo-code implementation for the ray-tracing method, which uses a
horizontal ray extending to the left of $(X_S, Y_S)$ and parallel to the negative x-axis.
In practical scenarios, however, time measurement errors and thus distance estimate
errors occur inevitably. The $n_a$ circles centered at anchors will therefore not have a common
intersection point, but form an intersection area in which the location estimate is located,
as shown in Fig. 4-4(b). This would introduce room for distance enlargement attacks.
Consider again the three-anchor example in Fig. 4-4(c). Suppose the distance estimate
$d_{A_3S}$ was maliciously enlarged, while $d_{A_1S}$ and $d_{A_2S}$ are just a little larger than the actual
distances due to measurement errors. It is obvious that, by adjusting the level of enlarging
$d_{A_3S}$, attackers might be able to freely enlarge the intersection area of the three circles and
thus make the MMSE location estimate (though still inside the triangle) deviate much from
the true location. Fortunately, we can alleviate this issue by imposing certain reasonable
constraints. Let $\delta$ be the two-sided maximum allowable measurement error with respect
to distance estimates. Now $(X_S, Y_S)$ should reside in the intersection area of $n_a$ rings,
$\{(d_{A_iS} - \delta)^2 \le (X - X_{A_i})^2 + (Y - Y_{A_i})^2 \le (d_{A_iS} + \delta)^2\}_{i=1}^{n_a}$ (see Fig. 4-4(b)). This
means that, in addition to performing the point-inclusion test, $A_1$ needs to check whether
the inequality $|d_{A_iS} - \sqrt{(X_S - X_{A_i})^2 + (Y_S - Y_{A_i})^2}| \le \delta$ holds for each $d_{A_iS}$. If so,
$(X_S, Y_S)$ is considered valid, and invalid otherwise.
With our method in place, attackers might only be able to enlarge any $d_{A_iS}$ a little bit
to make the resulting $(X_S, Y_S)$ appear to be valid, leading to tolerable location imprecision.
However, if they enlarge $d_{A_iS}$ by a relatively large amount, the resulting $(X_S, Y_S)$ will be
identified as invalid. One such example is shown in Fig. 4-4(c). Therefore, although our
method cannot completely eliminate distance enlargement attacks, which is believed to
be impossible for any security mechanism, it does constrain the impact of attackers to a
tolerable level.
If $(X_S, Y_S)$ does not pass either the point-inclusion test or the $\delta$-error check, $A_1$
recomputes a MMSE location estimate based on any $(n_a - 1)$ distance estimates and checks
its validity via these two tests. If all the sets of $(n_a - 1)$ distance estimates are traversed and
still no valid location estimate is generated, $A_1$ tries the sets of $(n_a - 2)$ distance estimates.
$A_1$ continues this process until either a valid $(X_S, Y_S)$ is found or all the 3-element subsets
of the $n_a$ distance estimates are examined (3 is the minimum number of distance estimates
required to derive a 2-D location estimate). If the latter case occurs without yielding a valid
location estimate, $A_1$ may consider that the localization process was attacked and should
take certain actions, e.g., reporting this abnormality to the control center, as stipulated by
concrete WSN applications.
If a valid $(X_S, Y_S)$ is derived, anchor $A_1$ transmits it securely to node $S$ in a message $\{X_S, Y_S, h_{K_S}(X_S \| Y_S)\}_{K_S}$. Upon receiving it, node $S$ uses the preloaded secret key $K_S$ to decrypt $(X_S, Y_S)$ and compute a MIC. If the result matches what $A_1$ sent, $S$ considers $(X_S, Y_S)$ trustworthy and saves it for subsequent use.
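The validation procedure above, from the full set of $n_a$ distance estimates down to the 3-subsets with the point-inclusion test and the $\delta$-error check applied at every step, as an added Python example that is not code from the dissertation. The anchor coordinates, the true node position, the per-anchor measurement errors and the enlargement of one distance are constructed inputs; the MMSE step is realized as linear least squares on the differenced circle equations, and the polygon for the point-inclusion test is taken to be the convex hull of the anchors in the subset (both are assumptions of this example).

```python
import itertools
import math

# Constructed scenario (not from the dissertation): five anchors A_1..A_5,
# the true node position, small honest measurement errors, and one distance
# (anchor A_3, index 2) that an attacker may enlarge.
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0), (5.0, 12.0)]
TRUE_LOC = (4.0, 6.0)
ERRORS = [0.05, -0.04, 0.03, 0.06, -0.05]   # honest measurement noise
ATTACKED = 2                                  # index of the enlarged estimate
DELTA = 0.3                                   # two-sided max allowable error


def measured_distances(enlargement):
    """True distances plus noise, with d_{A_3 S} enlarged by `enlargement`."""
    d = [math.dist(TRUE_LOC, a) + e for a, e in zip(ANCHORS, ERRORS)]
    d[ATTACKED] += enlargement
    return d


def mmse_estimate(anchors, dists):
    """Least-squares trilateration: subtract the last circle equation from the
    others to obtain a linear system in (X_S, Y_S); solve the 2x2 normal equations."""
    (xn, yn), dn = anchors[-1], dists[-1]
    rows = []
    for (xi, yi), di in zip(anchors[:-1], dists[:-1]):
        a1, a2 = 2 * (xn - xi), 2 * (yn - yi)
        b = di ** 2 - dn ** 2 - xi ** 2 + xn ** 2 - yi ** 2 + yn ** 2
        rows.append((a1, a2, b))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        return None                      # collinear anchors: no unique solution
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain; returns the hull in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_polygon(pt, hull):
    """Point-inclusion test: inside (or on) a CCW convex polygon iff the point
    lies to the left of, or on, every edge."""
    n = len(hull)
    return n >= 3 and all(cross(hull[i], hull[(i + 1) % n], pt) >= -1e-9
                          for i in range(n))


def within_delta(pt, anchors, dists, delta):
    """The delta-error check: | d_{A_i S} - ||pt - A_i|| | <= delta for every i."""
    return all(abs(d - math.dist(pt, a)) <= delta for a, d in zip(anchors, dists))


def secure_localize(anchors, dists, delta):
    """Try every subset of the n_a estimates from size n_a down to 3 and return
    (estimate, indices used, number of MMSE evaluations); (None, (), count)
    means no subset passed, i.e. the localization is considered attacked."""
    n = len(anchors)
    evaluations = 0
    for k in range(n, 2, -1):
        for idx in itertools.combinations(range(n), k):
            sub_a = [anchors[i] for i in idx]
            sub_d = [dists[i] for i in idx]
            evaluations += 1
            est = mmse_estimate(sub_a, sub_d)
            if (est is not None and inside_polygon(est, convex_hull(sub_a))
                    and within_delta(est, sub_a, sub_d, delta)):
                return est, idx, evaluations
    return None, (), evaluations


def max_evaluations(n):
    """Worst-case number of MMSE evaluations: sum_{k=3}^{n} C(n, k)."""
    return sum(math.comb(n, k) for k in range(3, n + 1))
```

With $d_{A_3S}$ enlarged by 3, the full set and the two 4-subsets that still contain $A_3$ fail the $\delta$-error check, and the search stops at the 4-subset $\{A_1, A_2, A_4, A_5\}$ after four MMSE evaluations with an estimate within 0.1 of the true position; without the attack the full set passes on the first evaluation.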
4.3.5 Discussion
Overhead analysis. So far we have elaborated the operations of SLS, by which a valid location estimate can be obtained despite the presence of attacks as long as there are at least three unattacked distance estimates. This security improvement does not come for free. Specifically, the K-Distance algorithm requires each anchor to obtain $K$ distance estimates instead of one as in previous schemes. $K$ is tunable, however, and K-Distance not only mitigates distance enlargement attacks but also smooths sporadic measurement errors in the first place. Also note that, if some distance estimates were maliciously enlarged, $A_1$ may need to perform the MMSE estimation up to $\sum_{k=3}^{n_a} \binom{n_a}{k}$ times. In practical scenarios, $n_a$ should be carefully chosen as a small number that guarantees a certain level of resilience to attacks without incurring too much overhead. For instance, when $n_a = 5$ anchors are used, SLS can tolerate two (40 percent) maliciously enlarged distance estimates that are not filtered out by K-Distance. Then $A_1$ needs to compute at most 16 MMSE location estimates. Since anchors have more powerful computational capacities than sensor nodes and node localization is a one-time process, we believe such overhead to be acceptable for security-sensitive WSNs.
Other applications. In addition to securely localizing sensor nodes, SLS can find
uses in many other applications. One example is critical asset tracking. Many organiza-
tions, particularly defense contractors, have parts and equipment of a sensitive, secure, or
hazardous nature. These parts need to be monitored and audited to record their move-
ments and who had access to them, as proof that they have not been tampered with or
viewed by unauthorized personnel. We can accomplish this task by deploying a tracking
infrastructure composed of a set of anchors and attaching to critical assets some sensors
that are difficult to remove without being detected. Anchors and sensors communicate with
each other through wireless links. Anchors can then use SLS to continuously track the locations of the critical assets (in fact, of the attached sensors).
4.4 Related Work
In this section, we briefly review some important work that is closely related to this
chapter. Brands and Chaum [70] propose a TOA-based distance bounding protocol that
can be used to verify the proximity of two devices connected by a wired link. Sastry et al.
[71] present a similar distance bounding approach based on ultrasound and RF signals to
verify the presence of a wireless device in a region of interest. In [72], Waters and Felten
propose a scheme that uses round-trip time-of-flight RF signals to prove the locations of
tamper-resistant devices. Their scheme cannot be directly applied in UWB sensor networks
because individual sensors are usually not tamper-resistant due to cost limitations. More
recently, Lazos and Poovendran [66] present an approach to secure range-free sensor local-
ization techniques [64, 65]. By contrast, this chapter concentrates on securing range-based
localization techniques [62, 63]. The closest work to our SLS can be found in [67], in which a
scheme called Verifiable Multilateration (VM) is proposed for secure positioning of wireless
devices. However, SLS differs significantly from VM in several major aspects. First, SLS is
able to mitigate the impact of attacks and sporadic measurement errors in the first place,
a property not provided by VM. Second, VM calculates location estimates on the basis of three anchors, i.e., triangles. By contrast, we consider the more general case of an $n_a$-vertex polygon formed by $n_a$ anchors for $n_a \ge 3$, which allows for higher location accuracy. Last, we propose to utilize mobile anchors instead of static anchors,
which can greatly reduce the number of required anchors.
4.5 Summary
How to ensure secure localization is one of the challenging issues in securing WSNs.
In this chapter, we present SLS, a novel mobility-assisted secure localization algorithm that
can furnish sensor nodes with secure, accurate locations despite the presence of attacks. As future research, we plan to extend our approach to range-free localization techniques.
CHAPTER 5
LOCATION-BASED COMPROMISE-TOLERANT SECURITY MECHANISMS FOR
WIRELESS SENSOR NETWORKS
5.1 Introduction
A future WSN is expected to consist of hundreds or even thousands of sensor nodes.
This renders it impractical to monitor and protect each individual node from either physical or logical attack. It is also unrealistic and uneconomical to enclose each node in tamper-resistant hardware. Thus, each node represents a potential point of compromise. Once adversaries compromise certain nodes and acquire their keying material, they can launch various insider attacks. For example, they might spoof, alter or replay routing information to disrupt network routing [73]. They may also launch the Sybil attack [45, 74], where a single node presents multiple identities to other nodes, or the identity replication attack, in which clones of a compromised node are placed at multiple network locations [74]. Moreover, adversaries may inject bogus data into the network to consume the scarce network resources [75, 76]. This situation creates the demand for compromise-tolerant security design. That is, the network should remain highly secure even when a number of nodes are compromised. Although many solutions such as [77, 78, 79, 80, 81, 82, 83, 84, 85] have been proposed for securing WSNs, most of them do not provide adequate resilience to node compromise and the resulting attacks.
Many WSNs have an intrinsic property that sensor nodes are stationary, i.e., fixed
at where they were deployed. This property has played an important role in many WSN
applications such as target tracking [86] and geographic routing [87]. By contrast, its great
potential in securing WSNs has so far drawn little attention. Based on this observation,
we propose a suite of location-based compromise-tolerant security mechanisms for WSNs
in this chapter. Our main contributions are summarized as follows.
First, we propose the novel notion of location-based keys (LBKs) based on the aforementioned pairing technique (cf. Section 2.2.1). In our scheme, each node holds a private key bound to both its ID and its geographic location rather than merely its ID as in conventional schemes. To the best of our knowledge, this is the first such effort in the context of WSNs.
Second, we design a novel node-to-node neighborhood authentication protocol based on LBKs. It helps achieve the desirable goal of localizing the impact of compromised nodes (if any) to their vicinity, a property absent from most previous proposals.
Third, we present efficient approaches to establish pairwise shared keys between any two nodes that are either immediate neighbors or multiple hops away. Such keys are fundamental in providing security support for WSNs [78, 79, 80, 81, 82, 83, 84, 85]. In contrast to previous proposals, our approaches feature low communication and computation overhead, low memory requirements and good network scalability. More importantly, our approaches show perfect resistance to node compromise in that pairwise shared keys between non-compromised nodes always remain secure, no matter how many nodes are compromised.
Fourth, we demonstrate how LBKs can act as efficient countermeasures against some notorious attacks on WSNs. These include the Sybil attack [73, 74], the identity replication attack [74], wormhole and sinkhole attacks [73], and so on.
Last, we develop a location-based threshold-endorsement scheme (LTE) to thwart the
aforementioned bogus data injection attack [75, 76]. Detailed performance evaluation shows
that LTE can achieve remarkable energy savings by detecting and dropping bogus traffic at
their early transmission stages. Moreover, our LTE has a much higher level of compromise
tolerance than previous work [75, 76].
The rest of this chapter is structured as follows. Section 5.2 introduces the crypto-
graphic basis, the adversary model and the security objectives of this chapter. Next we
detail a location-based key management scheme, including key generation, authentication
and shared-key establishment. This is followed by a detailed illustration of using LBKs in combating various attacks. Section 5.5 presents the LTE scheme and evaluates its performance. We then survey related work in Section 5.6, discuss the use of symmetric-key vs. public-key cryptography in Section 5.7, and summarize this chapter.
5.2 Preliminaries
5.2.1 Adversary Model
Adversaries in WSNs can be classified as either external or internal adversaries. The
former do not have authentic keying material whereby to participate in network operations
as legitimate nodes. They might just passively eavesdrop on radio transmissions or actively
inject bogus data or routing messages into the network to consume the network resources.
Once in full control of certain nodes, external adversaries can become internal ones to be
able to launch more subtle attacks like those mentioned in Section 5.1. Internal adversaries
are generally more difficult to defend against than external ones for their possession of
authentic keying material. We further assume that adversaries have much more powerful resources regarding energy, computation and communication capacities than ordinary
sensor nodes. They might also communicate and collaborate over a high-bandwidth and
low-latency channel invisible to legitimate sensor nodes. However, we do assume that
adversaries cannot compromise an unlimited number of sensor nodes. Neither can they
break any cryptographic primitive on which we base our design. Otherwise, there is unlikely
to be any feasible security solution.
5.2.2 Security Objectives
We aim to provide confidentiality, authentication, data integrity, and non-repudiation,
four essential security objectives. We also intend to offer both link-layer and end-to-end security guarantees, both of which are indispensable for security-sensitive WSNs [73]. By definition, link-layer security refers to the security of the radio links between neighboring nodes. It is a prerequisite for preventing external adversaries from accessing, modifying or faking radio transmissions. In contrast, end-to-end security refers to the communication security between a pair of source and destination nodes, e.g., a data aggregation point (AP) to
a higher-level AP or the sink [73]. We achieve link-layer security by immediate pairwise
keys shared between neighboring nodes and end-to-end security by multi-hop pairwise keys
shared between end-to-end sources and destinations.
5.3 A Location-Based Key Management Scheme
This section presents a location-based key management scheme for WSNs, including
the generation and distribution of LBKs, a secure LBK-based neighborhood authentication
scheme, and methods for establishing both immediate and multi-hop pairwise shared keys.
5.3.1 Pre-Deployment Phase
We examine a large-scale WSN consisting of hundreds or even thousands of sensor
nodes. We assume that all the nodes have the same transmission range R and communicate
via bi-directional wireless links. Nodes perform a collaborative monitoring of the designated
sensor field and report the sensed events to the distant sink, which is a data collection center
with sufficiently powerful processing capabilities and resources. We further assume that each
node A has a unique, integer-valued and non-zero ID, denoted by IDA. In view of the cost
constraints, nodes are assumed to be not tamper-resistant in the sense that adversaries
can extract all the keying material and data stored on a compromised node. However, we
postulate that the sink is trustworthy and unassailable, as is commonly assumed in the
literature [78, 79, 80, 81, 82, 83, 84, 85].
Prior to network deployment, we assume that a trusted authority (TA) does the fol-
lowing operations:
1. Generate the pairing parameters $(q, G_1, G_2, \hat{e}, W, H)$ (cf. Section 2.2.1), where $W$ is an arbitrary generator of $G_1$, and $H$ is a hash function mapping arbitrary strings to non-zero elements of $G_1$.
2. Choose a cryptographic hash function $h$ mapping arbitrary inputs to fixed-length outputs, e.g., SHA-1 [16].
3. Pick a random $\kappa \in \mathbb{Z}_q^*$ as the network master secret and set $W_{pub} = \kappa W$.
4. Calculate for each node $A$ an ID-based key (IBK for short), $IK_A = \kappa H(ID_A) \in G_1$.
Each node $A$ is preloaded with the public system parameters $(q, G_1, G_2, \hat{e}, H, h, W, W_{pub})$ and its private $IK_A$. It is important to note that it is computationally infeasible to deduce $\kappa$ from either $(W, W_{pub})$ or any (ID, IBK) pair such as $(ID_A, IK_A)$, due to the difficulty of solving the DLP in $G_1$ (cf. Section 2.2.1). Therefore, even after compromising an arbitrary number of nodes and their IBKs, adversaries are still unable to calculate the IBKs of non-compromised nodes.
5.3.2 Sensor Deployment and Localization
After being loaded with the keying material, sensor nodes can be deployed in various ways such as physical installation or random aerial scattering. There are also many methods to localize each node, i.e., to furnish each node with its geographic location. We consider the following two sensor localization techniques, which accordingly differ in their ways of generating LBKs for individual nodes. The final outcome of either approach is that each node $A$ possesses its location, denoted by $l_A$, and an LBK $LK_A = \kappa H(ID_A \| l_A)$, where $\|$ denotes message concatenation.
Range-based localization. In this approach, we assume that a group of mobile
robots are dispatched to sweep across the whole sensor field along pre-planned routes.
Mobile robots have GPS capabilities as well as more powerful computation and communi-
cation capacities than ordinary nodes. The leading robot is also equipped with the network master secret $\kappa$. To localize a node, say $A$, the mobile robots run the secure range-based localization protocol given in Chapter 4 or [67] to first measure their respective absolute distances to node $A$ and then co-determine $l_A$, the location of $A$. Subsequently, the leading robot calculates $LK_A = \kappa H(ID_A \| l_A)$. It then generates $IK_A = \kappa H(ID_A)$ and sends $\langle \{LK_A \| l_A\}_{IK_A},\ h_{IK_A}(LK_A \| l_A) \rangle$ to $A$. Henceforth, $\{M\}_k$ means encrypting message $M$ with key $k$, and $h_k(M)$ refers to the message integrity code (MIC) of message $M$ under key $k$.
Upon receipt of the message, node $A$ first uses its preloaded IBK $IK_A$ to decrypt $LK_A$ and $l_A$ and then regenerates the MIC. If the result matches what the robot sent, $A$ saves $LK_A$ and $l_A$ for subsequent use. Following this process, all the nodes can be furnished with their respective locations and LBKs. After that, the mobile robots leave the sensor field and the leading robot should securely erase $\kappa$ from its memory. During subsequent network operations, node addition may be necessary to maintain good network connectivity. The localization of new nodes can be done in the same manner.
The assumption underlying this approach is that adversaries do not launch active and
explicit pinpoint attacks on mobile robots at this stage which usually does not last too long.
However, they may still perform relatively passive attacks such as message eavesdropping or strategic channel interference to disturb the localization process [67]. This assumption is reasonable in that mobile robots are far fewer than ordinary sensor nodes, so we can afford to enclose them in high-quality tamper-proof hardware and keep them under close monitoring. Adversaries may also want to temporarily avoid
active and explicit attacks that may easily expose themselves. After the localization phase,
adversaries are free to launch all kinds of attacks.
Range-free localization. By contrast, the range-free localization approach does
not rely on exact distance or range measurements. Instead, we assume that there are
some special nodes called anchors knowing their own locations. All the non-anchor nodes
autonomously derive their locations based on information from the anchors and neighboring
nodes via secure range-free localization techniques such as [66, 88, 89].
The LBKs are also generated by the nodes themselves. To enable this, each node $A$ is preloaded with the network master secret $\kappa$, whereby it generates its LBK $LK_A = \kappa H(ID_A \| l_A)$. Like LEAP [90], this approach takes advantage of the fact that sensor nodes deployed in security-sensitive environments are usually designed to withstand break-in attacks at least for a short interval when captured by adversaries. Specifically, we assume that an adversary needs a time interval of at least $T_{min}$ to successfully compromise a node, and that each node takes less than $T_{min}$ to finish localization and generation of its LBK. In addition, each node should be programmed to securely erase $\kappa$ from its memory $T_{min}$ after its deployment. In the case of subsequent node addition, new nodes obtain their locations and LBKs in the same way.
5.3.3 Location-Based Neighborhood Authentication
By definition, neighborhood authentication means the process that any two neighboring
nodes validate each other's network membership. This process is fundamental in supporting
many security services in WSNs. For example, a node should only accept messages from and
forward messages to authenticated neighbors. Otherwise, external adversaries can easily
inject bogus broadcast messages into the network or swindle network secret information
from legitimate nodes.
During the post-deployment phase, each node is required to discover and perform mutual authentication with neighboring nodes, which is a normal process in many existing security solutions for sensor networks. In our scheme, each node regards another node as an authentic neighbor if and only if that node is within its transmission range $R$ and also holds the correct corresponding LBK. We take the following concrete example to explain the neighborhood authentication process.
1. $A \to *$ : $ID_A,\ l_A,\ n_A$
2. $B \to A$ : $ID_B,\ l_B,\ n_B,\ h_{K_{B,A}}(n_A \| n_B \| 1)$
3. $A \to B$ : $h_{K_{A,B}}(n_A \| n_B \| 2)$
Suppose node $A$ wishes to discover and authenticate neighboring nodes once it has its location and LBK. To do so, $A$ locally broadcasts an authentication request including its ID $ID_A$, its location $l_A$ and a random nonce $n_A$. Upon receipt of such a request, node $B$ first needs to ascertain that the claimed location $l_A$ is within its transmission range by verifying that the Euclidean distance $\|l_A - l_B\| \le R$. This check is the baseline defense against the attack in which adversaries surreptitiously tunnel authentication messages between $B$ and a node that is in fact not its neighbor. Without the location check, $B$ and that victim would falsely believe that they are neighbors, because both possess an authentic LBK whereby to successfully finish the rest of the authentication process.
If the inequality does not hold, node $B$ simply discards the authentication request. Otherwise, $B$ calculates a shared key as $K_{B,A} = \hat{e}(LK_B, H(ID_A \| l_A))$. It then unicasts a reply to node $A$ including its ID and location, a random nonce $n_B$, and a MIC computed as $h_{K_{B,A}}(n_A \| n_B \| 1)$. Upon receiving the reply, node $A$ also first checks whether the inequality $\|l_A - l_B\| \le R$ holds. If so, it proceeds to derive a shared key as $K_{A,B} = \hat{e}(LK_A, H(ID_B \| l_B))$ whereby to recompute the MIC. If the result is equal to what $B$ sent, node $A$ considers $B$ an authentic neighbor. Subsequently, $A$ returns to node $B$ a new MIC computed as $h_{K_{A,B}}(n_A \| n_B \| 2)$. Upon receipt of it, $B$ uses $K_{B,A}$ to regenerate the MIC and compares the result with what it just received. If they are equal, $B$ regards node $A$ as an authentic neighbor as well.
The above process is valid because, if and only if both $A$ and $B$ have a correct LBK, $K_{A,B}$ is equal to $K_{B,A}$ due to the following equations.
$$\begin{aligned}
K_{A,B} &= \hat{e}(LK_A, H(ID_B \| l_B)) \\
&= \hat{e}(\kappa H(ID_A \| l_A), H(ID_B \| l_B)) \\
&= \hat{e}(H(ID_A \| l_A), \kappa H(ID_B \| l_B)) \qquad (5.1) \\
&= \hat{e}(\kappa H(ID_B \| l_B), H(ID_A \| l_A)) \\
&= \hat{e}(LK_B, H(ID_A \| l_A)) = K_{B,A}
\end{aligned}$$
The second and third lines hold by the bilinearity of $\hat{e}$, and the fourth line holds by the symmetry of $\hat{e}$ (cf. Section 2.2.1).
Using the above three-way handshake, all the nodes can achieve mutual authentication
with neighboring nodes. Note that if multiple nodes simultaneously respond to the same
authentication request, possible MAC-layer collision may happen. We resort to effective
MAC-layer mechanisms to resolve this issue. For example, it can be alleviated through
MAC-layer retransmission or by using a random jitter delay for which each node has to
wait before answering an authentication request.
In our scheme, new nodes can be added freely to maintain necessary network con-
nectivity, especially when some existing nodes die out because of power shortage or other
reasons. A new node is also required to execute the authentication protocol once localized
properly.
Security analysis. Our location-based authentication scheme is secure against var-
ious malicious attacks. For example, in a location forgery attack, an adversary might send
an authentication request with a forged location within node B's range. Since the adversary
does not hold the LBK( corresponding to the forged location, he or she cannot successfully
finish the authentication procedure and thus deceive B into believing that he or she is an
authentic neighbor. Adversaries might as well launch the tunnelling of authentication mes-
sages attack by tunnelling authentication messages received at one location of the network
over an invisible, out-of-band and low-latency channel to another network location which
is typically multi-hop away. By doing so, they attempt to make two victim nodes far away
from each other believe that they are authentic neighbors. This attack is infeasible with
our scheme in that each node will simply deny authentication requests from nodes that are
not physically within its transmission range. In addition, an adversary might put into the vicinity of a legitimate node, say $B$, a replica of a node that was compromised at some other, distant location.
without dependence on any central authority [79, 74], the victim B has great difficulty in
differentiating between legitimate authentication requests and malicious ones from replicas
of a compromised node. With our scheme in place, node B will simply ignore the replica's
authentication request because the replica should not appear in its transmission range.
It is worth pointing out that, as any other security solution, our scheme itself cannot
prevent a compromised node or its replicas from achieving mutual authentication with
its legitimate neighbors. However, it can guarantee that the compromised node or its
replicas receive nothing more than some random numbers, public IDs and locations from
legitimate nodes. This ensures that the compromised node cannot impersonate its legitimate
neighbors to other nodes. Therefore, our location-based authentication scheme can reduce
the impact of a compromised node from the otherwise network-wide scale to its vicinity,
more specifically, within a circle of radius $2R$ centered at its current location. This makes it far easier to devise efficient localized intrusion detection mechanisms.
One may worry that adversaries might mount the denial-of-service attack by continu-
ously sending bogus authentication requests or replies to allure legitimate nodes into endless
processing of such messages. In our opinion, this attack is in fact less worrisome. The rea-
son is that the number of neighbors of any node is limited in reality. Therefore, abnormally
many authentication requests or replies are highly likely an indicator of malicious attacks.
Under such situations, we assume that there are efficient mechanisms available for legitimate
nodes to report such an abnormality to the sink.
5.3.4 Immediate Pairwise Key Establishment
Link-layer security schemes demand an efficient method to establish pairwise shared
keys between neighboring nodes. Henceforth, we refer to such keys as immediate pairwise keys (or IPKs for short). With IPKs, messages exchanged between neighboring nodes can be encrypted and authenticated via efficient symmetric-key algorithms.
Note that after a successful three-way handshake, two neighboring nodes, say $A$ and $B$, have established a shared key $K_{A,B} = K_{B,A}$. Adversaries, be they external or internal, may overhear the authentication messages, but cannot deduce the shared key for lack of the LBKs of $A$ and $B$. From $K_{A,B}$, $A$ and $B$ can derive various shared session keys for different security purposes by feeding $K_{A,B}$ into the hash function $h$. For example, they can use $k_0 = h(K_{A,B} \| 0)$ for message encryption and $k_1 = h(K_{A,B} \| 1)$ for message authentication. In the same way, each node can establish IPKs with all its legitimate neighbors after the neighbor discovery and authentication phase.
Since the IPKs are by-products of the neighborhood authentication process, there is no extra communication and computation overhead for key establishment. In addition, our IPK establishment method has perfect resistance to node compromise because the IPKs are built upon the private LBKs of individual nodes. No matter how many nodes are compromised, the LBKs of non-compromised nodes always remain secure, and so do the IPKs established between them.
5.3.5 Multi-hop Pairwise Key Establishment
In addition to the IPKs, a node may need to establish pairwise shared keys with other nodes that are multiple hops away. We call such keys multi-hop pairwise keys (or MPKs for short); they are required for securing end-to-end traffic.
Assume that nodes $U$ and $V$ are multiple hops apart and the routing path between them has been established using the underlying routing protocol. To establish an MPK, $U$ and $V$ execute the following protocol.
1. $U \to V$ : $ID_U,\ l_U,\ n_U H(ID_U \| l_U)$
2. $V \to U$ : $ID_V,\ l_V,\ n_V H(ID_V \| l_V)$
Here, $n_U, n_V \in \mathbb{Z}_q^*$ are random private numbers chosen by nodes $U$ and $V$, respectively. At the conclusion of the protocol, node $V$ calculates
$$K_{V,U} = \hat{e}(LK_V,\ n_V H(ID_U \| l_U) + n_U H(ID_U \| l_U)) = \hat{e}(\kappa H(ID_V \| l_V),\ (n_V + n_U) H(ID_U \| l_U)).$$
Likewise, node $U$ computes
$$K_{U,V} = \hat{e}(LK_U,\ n_U H(ID_V \| l_V) + n_V H(ID_V \| l_V)) = \hat{e}(\kappa H(ID_U \| l_U),\ (n_U + n_V) H(ID_V \| l_V)).$$
If both nodes are legitimate and have followed the protocol correctly, then by the bilinearity and symmetry of $\hat{e}$,
$$K_{U,V} = K_{V,U} = \hat{e}(H(ID_U \| l_U), H(ID_V \| l_V))^{(n_U + n_V)\kappa}.$$
Based on the MPK $K_{U,V}$, nodes $U$ and $V$ can derive various shared session keys for different security purposes as before.
Discussion. If possible, the two protocol messages can piggyback on the routing messages used to establish the routing path between $U$ and $V$. In doing so, the related communication overhead can be much reduced. In addition, there is no need for $U$ and $V$ to exchange further messages to prove knowledge of the MPK to each other. Any future messages encrypted and authenticated with the MPK or the derived session keys implicitly achieve the same effect.
Our MPK establishment protocol is a simple adaptation of the provably secure ID-based key agreement protocol [91]. Any third party may overhear the plaintext messages exchanged between $U$ and $V$, but cannot derive the MPK $K_{U,V}$ without knowing the LBK of $U$ or $V$. This protocol also has perfect resilience against node compromise because of the dependence of the MPKs on the nodes' private LBKs.
5.4 Efficacy of LBKs in Attack Mitigation
In this section, we show how the proposed LBKs can act as effective and efficient
countermeasures against several notorious attacks against WSNs.
5.4.1 Spoofing, Altering or Replaying Routing Information
Without precaution, external adversaries are able to spoof, alter or replay routing messages. By doing so, they attempt to create routing loops, cause network partitions, incur false error messages, and so on [73].
As mentioned before, neighboring nodes are required to perform mutual authentication based on their private LBKs. Since each node only processes routing messages from authenticated neighbors, external adversaries can be prevented from entering the network and distributing phony routing messages. The remaining problem is how to defend against internal adversaries or compromised nodes in possession of authentic keying material. It is believed that there is no cryptographic way to prevent them from manipulating routing information. However, our location-based neighborhood authentication scheme can constrain the impact of compromised nodes to a small range centered at their original locations. In other words, internal adversaries cannot use keying material acquired at one place to launch routing attacks at another, distant place. All they can possibly do is to continue misbehaving at "the scene of the crime," i.e., in a small range around the location of the compromised node. In doing so, they run a high risk of being detected by legitimate nodes if effective localized misbehavior detection mechanisms are available.
5.4.2 The Sybil Attack
The Sybil attack happens when a malicious node behaves as if it were a large number
of nodes, e.g., by impersonating other nodes or simply claiming multiple forged IDs and/or
locations. As pointed out in [73, 74], this attack is extremely detrimental to many important WSN functions, such as routing, fair resource allocation, misbehavior detection, data aggregation, and distributed storage.
With our scheme in place, when a malicious node intends to impersonate a legitimate
node, it does not have the authentic LBK( and thus cannot successfully finish mutual au-
thentication with other legitimate nodes. For the same reason, a malicious node cannot
claim forged IDs and/or locations without being detected. Therefore, the Sybil attack is
effectively defeated.
5.4.3 The Identity Replication Attack
The identity replication attack [74] takes place when adversaries put multiple replicas of a compromised node at different geographic locations. It may lead to inconsistency of the network routing information, as well as jeopardizing other important network functions.
Conventional defenses often involve a central authority, e.g., the sink, that either keeps a
record of each node's location [74], or centrally counts the number of connections a node
has and revokes those with too many connections [79]. These solutions require node-to-
node authentication and pairwise key establishment to be performed through the central
authority, thereby causing significant communication overhead and the lack of scalability.
This attack is no longer feasible when our location-based neighborhood authentication
scheme is applied. The replicas of a compromised node will be prevented from entering
the network by legitimate nodes at locations other than the neighborhood of the compro-
mised node. Our countermeasure is totally self-organizing and does not involve any central
authority, hence it is rather lightweight and highly scalable in contrast to previous solutions.
5.4.4 Wormhole and Sinkhole Attacks
Wormhole [73, 92] and sinkhole [73] attacks are two notorious attacks against WSN
routing protocols that are difficult to withstand, especially when the two are used in
combination.
In the wormhole attack, instead of compromising any node, collaborating adversaries
first create a wormhole link, essentially an out-of-band, low-latency channel, between
two distant network locations. They then tunnel routing messages recorded at one location
through the wormhole link to the other, which disrupts routing operations. Hu
et al. [92] presented a technique called packet leashes to withstand the wormhole attack.
It requires extremely tight time synchronization and is thus infeasible for most WSNs, as
noted in [73]. In contrast, each node in our scheme only accepts routing messages from
authenticated neighbors and discards those tunnelled from distant locations: since no node
is compromised, the far endpoint of the wormhole cannot pass location-based neighborhood
authentication. The wormhole attack is therefore thwarted both effectively and efficiently.
In the sinkhole attack, compromised nodes attempt to attract all the traffic from their
surrounding nodes by announcing a high-quality route to the sink or to some other
destination. For example, adversaries create an invisible and fast channel between two
compromised nodes A and B residing in distant network regions. Node A then claims that
it is one hop or a few hops away from B or from other nodes close to B. By doing so, A aims
to be selected by legitimate surrounding nodes as a packet relay to B or to other nodes in
that region. Fortunately, our scheme can withstand such sinkhole attacks against minimum-hop
routing protocols. For instance, upon seeing A's advertisement of a single-hop path to node
B, a legitimate node can immediately determine that A is malicious by noting that the
distance between A and B is far larger than the normal transmission range. In addition,
geographic routing protocols such as [87] have been identified in [73] as promising solutions
resistant to sinkhole and wormhole attacks, because they construct the routing topology on
demand using only localized interactions and geographic information. To apply such schemes,
however, the location information advertised by neighboring nodes must be authenticated.
We provide such a guarantee through the LBKs and the location-based neighborhood
authentication scheme.
We note that our scheme itself cannot prevent sinkhole attacks against routing
protocols whose routing metrics are quantities such as remaining energy or end-to-end
reliability. The major reason is that the authenticity of such information is very difficult
to verify by cryptographic means alone. As far as we know, a countermeasure remains an
open and challenging issue, and is an interesting topic for further study.
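The two filters described above, accepting routing messages only from authenticated neighbors and rejecting hop-count claims that are geometrically impossible given the authenticated locations, as an added example in Python (not code from the dissertation). It assumes the node keeps the authenticated locations of its neighbors, that a route advertisement carries the destination's authenticated location, a nominal transmission range R, and illustrative message fields and node names; the scenario is constructed. It generalizes the single-hop check in the text to a k-hop bound of k·R.

```python
"""Routing-message filter for a node that only trusts authenticated neighbours.
Added example, not the dissertation's code. Assumes the node keeps the
authenticated locations of neighbours that completed location-based mutual
authentication with it, that route advertisements carry the destination's
authenticated location, and a nominal transmission range R (all assumed)."""
import math

R = 50.0  # nominal transmission range in metres (assumed)

def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def accept_routing_message(msg, authenticated_neighbors, R=R):
    """Decide whether to act on msg = {sender, dest, dest_loc, hops}.

    1. Wormhole filter: a message tunnelled from a distant location arrives from
       a sender that never completed neighbourhood authentication, so drop it.
    2. Sinkhole filter (minimum-hop routing): a k-hop claim to dest is only
       geometrically possible if dist(sender, dest) <= k * R.
    Returns (accepted, reason).
    """
    sender_loc = authenticated_neighbors.get(msg["sender"])
    if sender_loc is None:
        return False, "sender is not an authenticated neighbour (tunnelled?)"
    d = distance(sender_loc, msg["dest_loc"])
    if d > msg["hops"] * R:
        return False, f"{msg['hops']}-hop route to {msg['dest']} needs at least {math.ceil(d / R)} hops"
    return True, "consistent with authenticated locations"

def filter_advertisements(advertisements, authenticated_neighbors, R=R):
    """Apply the check to a batch; returns [(sender, accepted, reason), ...]."""
    return [(m["sender"], *accept_routing_message(m, authenticated_neighbors, R)) for m in advertisements]

# Constructed scenario: this node authenticated neighbours A and C; B lies 600 m away.
NEIGHBOURS = {"A": (10.0, 0.0), "C": (0.0, 40.0)}
ADVERTISEMENTS = [
    {"sender": "A", "dest": "B", "dest_loc": (600.0, 0.0), "hops": 1},  # sinkhole lure
    {"sender": "A", "dest": "D", "dest_loc": (80.0, 0.0), "hops": 2},   # plausible
    {"sender": "Z", "dest": "B", "dest_loc": (600.0, 0.0), "hops": 1},  # arrived via wormhole
    {"sender": "C", "dest": "B", "dest_loc": (600.0, 0.0), "hops": 3},  # 3 hops for 600 m
]

if __name__ == "__main__":
    for sender, ok, why in filter_advertisements(ADVERTISEMENTS, NEIGHBOURS):
        print(sender, "ACCEPT" if ok else "DROP", "-", why)
```

Only the first advertisement from A and the second from C fail the hop-count bound; Z's message is dropped before any geometry is checked because Z never authenticated as a neighbor, which is exactly what a wormhole endpoint looks like to the receiver. The bound is a necessary condition only: a claim that passes it may still be false, which is why the text limits the guarantee to minimum-hop metrics.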
5.5 Location-Based Filtering of Bogus Data
In this section, we first describe the bogus data injection attack. We then present a
location-based threshold-endorsement scheme (LTE) as the countermeasure. Finally, we
evaluate the performance of LTE in terms of energy savings.
5.5.1 The Bogus Data Injection Attack
As mentioned before, neighborhood mutual authentication is sufficient to prevent
external adversaries from injecting bogus data into the network, but fails in the presence
of internal adversaries. With a single compromised node, internal adversaries can inject
arbitrary and seemingly authentic data reports into the network. Without precautions, this
kind of attack may do a lot of damage, e.g., causing false alarms or network traffic
congestion. Even worse, it can deplete the precious energy of relaying nodes on any
forwarding path to the sink, which is often tens or even hundreds of hops away from the
sources of the data reports. It is, therefore, important to design effective and efficient
countermeasures against this attack.
Since there is no way to prevent internal adversaries from injecting bogus data, we
instead seek to mitigate their impact. Our first goal is to filter bogus data reports as early
as possible, before they reach the sink. Our second goal is to prevent adversaries from freely
fabricating the originating locations of injected bogus data reports.
Figure 5-1. Node deployment model.
We achieve the first goal by a threshold-endorsement method. That is, a data report
should be co-signed by t nodes for it to be considered authentic. Adversaries thus have
much greater difficulty in injecting seemingly authentic bogus data reports, as they now
have to have compromised at least t nodes instead of only one as before.
We fulfill the second objective by embedding the location information of a data report's
originating area in the joint endorsement it carries. To inject bogus data reports that
originate from a certain area and can survive the filtering by legitimate intermediate nodes,
adversaries must actually compromise at least t nodes holding key material of that area.
Even so, they cannot properly utilize the acquired key material to fake data reports that seem to
originate from other areas. Another benefit is that once it determines that some arriving
reports are unfiltered bogus ones, the sink can pinpoint their originating areas and then
take specific remedial actions.
Below we detail how to actually realize the above ideas.
5.5.2 Generation and Distribution of Cell Keys
To enable location-based threshold endorsement, we propose the notion of a cell key.
For the sake of simplicity, we assume that the sensor field is an $Mr \times Nr$ rectangle whose
lower-left corner is at location $(X_0, Y_0)$. The sensor field is divided into $MN$ square cells of
equal side length $r$. Each cell is labelled with a pair of integers $\langle m, n \rangle$, for $1 \le m \le M$
and $1 \le n \le N$. Prior to deployment, $(X_0, Y_0)$ and $r$ are preloaded into each node. Also note
that our LTE can be easily extended for use with any other node deployment model.
We define the cell key of cell $\langle m, n \rangle$ as $K_{m,n} = \kappa H(m \| n)$, which shall be used
to endorse any report originating from that cell. The next question is how to distribute
$K_{m,n}$ to nodes in cell $\langle m, n \rangle$. Let $ID^i_{m,n}$ denote the $i$th node with location $l^i_{m,n}$ in cell
$\langle m, n \rangle$. The naive method of letting each $ID^i_{m,n}$ hold one copy of $K_{m,n}$ obviously suffers
from single node compromise. Instead, we propose to utilize the secret-sharing technique
[15] to assign a share of $K_{m,n}$ to each $ID^i_{m,n}$. The purpose is to make $K_{m,n}$ reconstructible
by any $t$ nodes in cell $\langle m, n \rangle$, while irrecoverable by any fewer than $t$ of them. To do this,
prior to network deployment, the TA additionally generates a $(t-1)$-degree polynomial,
$F(z) = \sum_{j=0}^{t-1} F_j z^j$, with coefficients $F_j$ randomly selected from $G_1^*$.¹ It also selects
another system parameter $c \le r$ whose use is explained shortly. We consider the following
two cases of cell-key share distribution, depending on whether node localization is range-based
or range-free (cf. Section 5.3.2).
Range-based cell-key distribution. In this approach, the leading robot is preloaded
with the polynomial $F(z)$. In addition to determining a node's location, it decides that
node's present cell by simple geometric calculations. Consider node $ID^i_{m,n}$ as an
example. Its location $l^i_{m,n}$, i.e., $(X^i_{m,n}, Y^i_{m,n})$, will satisfy $(m-1)r \le X^i_{m,n} - X_0 < mr$
and $(n-1)r \le Y^i_{m,n} - Y_0 < nr$. Then the leading robot derives $K_{m,n} = \kappa H(m \| n)$
and a set of authenticators $V_{m,n} = \{v^{(j)}_{m,n} \mid 0 \le j \le t-1\}$, where $v^{(0)}_{m,n} = \hat{e}(K_{m,n}, W)$
and $v^{(j)}_{m,n} = \hat{e}(H(F_j \| m \| n), W)$ for $1 \le j \le t-1$. Note that it just needs to
do these computations once for each cell. Next, the leading robot calculates
$$K^i_{m,n} = K_{m,n} + \sum_{j=1}^{t-1} H(F_j \| m \| n)\,(D^i_{m,n})^j \in G_1,$$
referred to as node $ID^i_{m,n}$'s share of
$K_{m,n}$. Finally, $K^i_{m,n}$ and $V_{m,n}$ are securely sent to node $ID^i_{m,n}$ along with $l^i_{m,n}$ and its LBK
(cf. Section 5.3.2).
¹ $G_1^*$ denotes the set $G_1 \setminus \{O\}$, where $O$ is the identity element of $G_1$.
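The cell-key construction of this subsection worked through in Python, as an added example that is not code from the dissertation. It assumes stand-ins for the pieces the page builds on pairings: the group $G_1$ is replaced by the secp256k1 curve group and the pairing authenticators $\hat{e}(\cdot, W)$ by scalar products with the base point $G$ (so a share $K^i_{m,n}$ is checked as $K^i_{m,n} G = \sum_j (D^i_{m,n})^j v^{(j)}_{m,n}$); $H$ is SHA-256 reduced to a non-zero scalar; and, because the page does not show how the evaluation point $D^i_{m,n}$ is formed from $c$, the example derives it from the side-$c$ sub-cell the node occupies within its cell, which is an assumption. The deployment geometry and node locations are constructed. Names such as TrustedAuthority, issue, verify_share and reconstruct are this example's own.

```python
"""LTE cell keys: location-bound shares and t-of-n reconstruction. Added example,
not the dissertation's code. Stand-ins (assumptions): G1 is replaced by the
secp256k1 group and the authenticators e(., W) by scalar products with the base
point G; H is SHA-256 reduced to a non-zero scalar mod the group order N; the
evaluation point D is the side-c sub-cell (c <= r) a node occupies in its cell."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over GF(p); base point G has prime order N
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if P1 == P2
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P1):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1, k = ec_add(P1, P1), k >> 1
    return R

def H(*parts):
    """H(a || b || ...) as a non-zero scalar (hash-to-scalar stand-in)."""
    digest = hashlib.sha256(b"||".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def cell_of(x, y, X0, Y0, r):
    """1-based cell label <m, n>: (m-1)r <= x - X0 < mr and (n-1)r <= y - Y0 < nr."""
    return int((x - X0) // r) + 1, int((y - Y0) // r) + 1

def eval_point(x, y, X0, Y0, r, c):
    """D: hash of the side-c sub-cell the node occupies within its cell (assumed)."""
    m, n = cell_of(x, y, X0, Y0, r)
    return H("D", int((x - X0 - (m - 1) * r) // c), int((y - Y0 - (n - 1) * r) // c))

class TrustedAuthority:
    """Holds kappa and F_1..F_{t-1}; issue() plays the preloaded leading robot."""
    def __init__(self, t, X0, Y0, r, c):
        self.X0, self.Y0, self.r, self.c = X0, Y0, r, c
        self.kappa = secrets.randbelow(N - 1) + 1                      # master secret
        self.F = [secrets.randbelow(N - 1) + 1 for _ in range(t - 1)]  # F_1..F_{t-1}

    def cell_key(self, m, n):
        return self.kappa * H(m, n) % N                # K_{m,n} = kappa * H(m || n)

    def cell_poly(self, m, n):
        """Coefficients of K_{m,n} + sum_{j=1}^{t-1} H(F_j || m || n) z^j over Z_N."""
        return [self.cell_key(m, n)] + [H(Fj, m, n) for Fj in self.F]

    def issue(self, x, y):
        """Credential for a node at (x, y): its cell, D, share K^i_{m,n} and V_{m,n}."""
        m, n = cell_of(x, y, self.X0, self.Y0, self.r)
        D = eval_point(x, y, self.X0, self.Y0, self.r, self.c)
        coeffs = self.cell_poly(m, n)
        share = sum(a * pow(D, j, N) for j, a in enumerate(coeffs)) % N
        return {"cell": (m, n), "D": D, "share": share, "V": [ec_mul(a, G) for a in coeffs]}

def verify_share(D, share, V):
    """share*G == sum_j D^j * v_j: the analogue of checking e(K^i_{m,n}, W) against V."""
    rhs = None
    for j, vj in enumerate(V):
        rhs = ec_add(rhs, ec_mul(pow(D, j, N), vj))
    return ec_mul(share, G) == rhs

def reconstruct(shares):
    """Lagrange interpolation at z = 0 over Z_N from [(D, share), ...]."""
    key = 0
    for Di, si in shares:
        lam = 1
        for Dj, _ in shares:
            if Dj != Di:
                lam = lam * Dj * pow(Dj - Di, -1, N) % N
        key = (key + si * lam) % N
    return key

def demo(t=3):
    """Constructed deployment: four nodes in cell <2,3> (distinct sub-cells), one in <5,5>."""
    ta = TrustedAuthority(t, X0=0.0, Y0=0.0, r=100.0, c=10.0)
    insiders = [ta.issue(x, y) for x, y in [(112, 215), (137.5, 240), (163, 222), (190, 290)]]
    outsider = ta.issue(420, 450)
    K23, pts = ta.cell_key(2, 3), [(s["D"], s["share"]) for s in insiders]
    return {
        "shares_verify": all(verify_share(s["D"], s["share"], s["V"]) for s in insiders),
        "any_t_recover": reconstruct(pts[:t]) == K23 and reconstruct(pts[-t:]) == K23,
        "t_minus_1_fail": reconstruct(pts[:t - 1]) != K23,
        "outsider_share_useless": reconstruct(pts[:t - 1] + [(outsider["D"], outsider["share"])]) != K23,
        "outsider_fails_V": not verify_share(outsider["D"], outsider["share"], insiders[0]["V"]),
    }
```

demo(3) returns all five checks true: every issued share is consistent with the public authenticators of its cell, any t shares from cell ⟨2,3⟩ recover $K_{2,3}$, t−1 shares do not, and a share from cell ⟨5,5⟩ neither helps reconstruct $K_{2,3}$ nor passes verification against $V_{2,3}$, which is the property that stops compromised nodes in one area from faking reports for another. Two nodes falling in the same sub-cell would receive the same evaluation point and count as one share, so the choice of c trades localization error against the number of usable shares per cell.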