Security in Heterogeneous Wireless Ad Hoc Networks: Challenges and Solutions

Material Information

Security in Heterogeneous Wireless Ad Hoc Networks: Challenges and Solutions
ZHANG, YANCHAO ( Author, Primary )
Copyright Date:


Subjects / Keywords:
Authentication ( jstor )
Beacons ( jstor )
Broadcasting industry ( jstor )
Cryptography ( jstor )
Geodetic position ( jstor )
Network security ( jstor )
Professional license revocation ( jstor )
Puzzles ( jstor )
Sensors ( jstor )
Simulations ( jstor )

Record Information

Source Institution:
University of Florida
Holding Location:
University of Florida
Rights Management:
Copyright Yanchao Zhang. Permission granted to University of Florida to digitize and display this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
Embargo Date:
Resource Identifier:
649810200 ( OCLC )


This item has the following downloads:

zhang_y ( .pdf )









































































































































































Full Text






Copyright 2006

Yanchao Zhang

To my parents and my sister.

First and foremost, I would like to express my sincere gratitude to my advisor, Prof.

Yuguang F~I!:_. for his invaluable guidance, encouragement and support with my years in

Wireless Networks Laboratory (WINET). Prof. Fang has guided my path in the past four

years not only with his intellect and knowledge, but also with thoughtfulness about a young

man's personal growth.

Also would like to acknowledge my other committee members, Prof. Shigang Chen,

Prof. Jose Fortes, Prof. Pramod K~hargonekar, and Prof. Sartaj Sahni, for serving on my

supervisory committee and for their help in various stages of my work and career.

Would not be a sane graduate student without a group of great friends. There are

many whom I would like to thank: Xiang Chen, Wei Liu, Byung-Seo K~im, Jianfeng WZ I!!:_.

Shushan Wen, Hongqyiangf Zhai, Xiaoxia HuI I!!:_. Yun Zhou, Chi 21! 1!!:_. Frank Goergfen, Pan

Li, Rongsheng Hul .I!:_. and Feng Chen. I would like to specially acknowledge my former

WINET colleague and good friend, Prof. Wenjing Lou in Worcester Polytechnic Institute,

for her help and encouragement in my journey.

Finally, I owe a special debt of gratitude to my beloved parents and sister. Without

their love and unwavering support, I would never imagine what I have achieved.








LIST OF TABLES ..... . ...._. .

LIST OF FIGURES ..........





2.1 Introduction.
2.2 Preliminaries
2.2.1 Basics of ID-Based Cryptography (IBC)
2.2.2 Adversary Model
2.3 MASK( Design ......... ......
2.3.1 Network Model
2.3.2 An....!-, us.. ..s MAC-Layer Communications
2.3.3 A!!...-, usualsI Network-Layer Communications .. ....
2.3.4 Countermeasures against Attacks .. .......
2.3.5 Replenishing Pseudonym/Secret Point Pairs .. ....
2.4 Performance Evaluation
2.4.1 Simulation Setup
2.4.2 Simulation Results
2.5 Related work
2.6 Summary



3.1 Introduction ....
3.2 Preliminaries
3.2.1 Notation ...
3.2.2 Related Work.
3.3 Design Goals and System
3.3.1 Design Goals
3.3.2 Network Model
3.3.3 Adversary Model
3.4 IK(M Design .. ..
3.4.1 Overview ...


3.4.2 Network Initialization .
3.4.3 K~ey Revocation.
3.4.4 K~ey Update.
3.4.5 Securingf D-PK(Gs against Pinpoint Attacks
3.4.6 Cis.. .. -!!!; Secret-Sharingf Parameters
3.4.7 Security A!! I1-, -is
3.5 Performance Evaluation
3.5.1 Simulation Setup
3.5.2 Computational Costs.
3.5.3 Comparison in K~ey Revocation
3.5.4 Comparison in K~ey Update
3.5.5 Comparison in Secure Routing .
3.6 Summary


4.1 Introduction.
4.2 Vulnerability A! ll .-, -is of Two-Way Time-of-Arrival Localization
4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks ..
4.3.1 Network Model
4.3.2 Overview of SLS
4.3.3 K-Distance: a K-Round Distance Estimation Algorithm
4.3.4 Location Validity Test
4.3.5 Discussion.
4.4 Related Work.
4.5 Summary


5.1 Introduction.
5.2 Preliminaries
5.2.1 Adversary Model
5.2.2 Security Objectives.
5.3 A Location-Based K~ey Management Scheme .........
5.3.1 Pre-Deployment Phase.
5.3.2 Sensor Deployment and Localization
5.3.3 Location-Based Neighborhood Authentication .. ....
5.3.4 Immediate Pairwise K~ey Establishment .. ......
5.3.5 Multi-hop Pairwise K~ey Establishment .. ......
5.4 Effieacy of LBE~s in Attack Mitigation.
5.4.1 CI1** *16 !:- Altering or Rev1~1 I,~in:, Routing Information .. ..
5.4.2 The Sybil Attack
5.4.3 The Identity Replication Attack .. ........
5.4.4 Wormhole and Sinkhole Attacks.
5.5 Location-Based Filtering of Bogus Data
5.5.1 The Bogus Data Injection Attack ..........
5.5.2 Generation and Distribution of Cell K~eys ........
5.5.3 Performing Threshold-Endorsements of Data Reports .. ..

5.5.4 Probabilistic Enroute Filtering of Data Reports ......

5.5.5 E~fieacy and Security A!! 1-, -is .. .. .
5.5.6 Performance Evaluation ......
5.6 Related work ......
5.7 Discussion ......
5.8 Summary ......


6.1 Introduction.
6.2 Preliminaries
6.2.1 Security Requirements of WMNs ..
6.2.2 Attacker Model.
6.3 System Models and Notation
6.3.1 Network Model
6.3.2 Trust Model .........
6.3.3 Notation ..........
6.3.4 Trust-Domain Initialization
6.3.5 Pass Model
6.4 Authentication and K~ey Agreement (AK(A) .

.. 94
.. 97
.. 101
. 104
. 105


Inter-Domain Authentication and K~ey Agreement
Intra-Domain Authentication and K~ey Agreement
Client-Client Authentication and K~ey Agreement


6.5 Security Enhancements .. .......
6.5.1 Location Privacy Attack .......
6.5.2 Bogus-Beacon Flooding Attack
6.5.3 Denial-of-Access Attack
6.5.4 Bandwidth-Exhaustion Attack .. ...
6.6 Incontestable Billing of Mobile Users .. ...
6.6.1 Billing Basics
6.6.2 Payment Structures .. .
6.6.3 Making Payments .........
6.6.4 Redemption of Payment Records
6.6.5 Security A!! .1-, -is .........
6.7 Discussion.
6.7.1 %.1\ 11 11i-,i Management
6.7.2 Public-K~ey vs. Symmetric-K~ey Cryptography
6.7.3 Incremental Deployment .......
6.8 Summary


REFERENCES. .......... .........


Table page

2-1 Processing timings of cryptographic operations. .. ... .. 25

31 Notation ......... . .. .. 34

3-2 Timings of primitive operations . ..... .. 54

3-3 Comparison of key revocation time ...... .... . 54

3-4 Comparison of key update (t = 5) . .... .. 55

3-5 Comparison of key update (t = 10) ...... .... . 55

4-1 The K-Distance algorithm. ......... ... .. 67

4-2 Testing if a point is inside a |B|-vertex p..El~:_on. ... .. .. .. 70

Figure page

2-1 sII route discovery with a route reply generated by the destination
A.4. ............. ........... 16

2-2 A!!l..!.. !!!sual hop-b-, -1!s .p packet forwarding from A.1 to A.4. .. .. .. .. 20

2-3 The comparison between MASK( and AODV. ... ... .. 27

3-1 Average route discovery delay. ....... ... .. 58

3-2 Average data packet delay. ......... .. .. 59

3-3 Packet delivery ratio. ......... .. .. 59

3-4 Average routing load. ......... .. .. 60

4-1 An exemplary two-way ToA localization process, where anchors A, B, C are
determining the location of sensor S. ..... .... . 63

4-2 The topology of an exemplary distance enlargement attack. .. .. .. .. 64

4-3 The time plot of the challenge-response process. .. .. .. .. 67

4-4 Location validity test with three anchors. .... ... .. 69

5-1 Node deployment model. ......... .. .. 89

5-2 The p.. .1 .1 il i ,i p, of filtering one bogus report as a function of the sampling
probability p, and the number p of hops a bogus report travels. .. .. 95

5-3 The comparison of Esum and Eium, as a function of the bogus traffic ratio p,
where ( = 50 and the optimal p,'s are used. ... .. .. .. 98
5-4 Th omaiono Eu ndEu as a function of the bogus traffic ratio p,

where ( = 50 and non-optimal p,'s are used. .. .. . .. 100

5-5 The comparison of Esum and Eium, as a function of the average path length
(, where p = 2 and p, = 0.2. . ..... .. 101

6-1 A typical three-tiered wireless mesh network architecture. .. .. .. .. 107

6-2 An exemplary 5-by-5 hierarchical one-way hash chain. .. .. .. .. .. 127

6-3 An exemplary p~ I, !!!. !!r structure (m 3 3, t 3 2). .. .. .. .. 136

Abstract of Dissertation Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of Doctor of Philosophy


Yanchao Zhang

August 2006

Chair: Yuguang Fang
M .iI..r Department: Electrical and Computer Engineering

Wireless ad hoc networks have been widely accepted as an indispensable component of

next-generation communication systems to facilitate ubiquitous network access. Although

offering significant benefits, they also provide unique security challenges over their wired

counterparts. Of note are the issues associated with the open network architecture, shared

wireless medium, stringent resource constraints, high network dynamics, lack of trusted

authorities, and so on. In this dissertation, we aim to address a number of challenging

security issues in heterogeneous wireless ad hoc networks, spanning mobile ad hoc networks

(MANETs), wireless sensor networks (WSNs), and wireless mesh networks (WMNs).

Our contributions are mainly fivefold. First, we propose an I!!...-, !!!a ..s on-demand

routing protocol (j!.\sl() to deal with malicious eavesdropping and traffic ..I! I1-, attacks

against MANETs deployed in hostile environments. Second, we design a secure, scalable

ID-based key management scheme for MANETs to enable flexible public-key services with-

out reliance on conventional public-key certificates. Third, we devise a secure localization

scheme to ensure secure location estimates in WSNs despite malicious attacks. Fourth, we

develop a suite of location-based, compromise-tolerant security mechanisms for WSNs. Last,

we present an attack-resilient secure authentication and billing architecture for WMNs.


Recent years have witnessed a surge of research and development for wireless ad hoc

networks. Unlike conventional infrastructure-supported wireless networks, wireless ad hoc

networks feature rapidly-deployable, self-organizing, self-maintaining capabilities and can

be formed on the fly without relying on any existing infrastructure. In such a network, each

node functions not only as an end host but also as a router forwarding packets to and from

other nodes to enable otherwise impossible multi-hop communications. Wireless ad hoc

networks are naturally well-suited for application scenarios where fixed infrastructures are

often not available or reliable, while fast network establishment and self-maintenance are a

must. As such, they have been widely accepted as an indispensable part of next-generation

communication systems to facilitate ubiquitous network access.

In general, wireless ad hoc networks can be classified into two categories, mobile ad hoc

networks (MANETs) and static ad hoc networks. The former comprise network nodes that

are free to move about randomly and organize themselves arbitrarily. Exemplary application

scenarios of MANETs include tactical military operations, homeland security, emergency

disaster relief and rescue, and so on. Most recently, MANETs have been extended to general

civilian contexts and are often referred to as wireless mesh networks (WMNs) [1], where

mobile users can access the network either through a direct wireless link to a wireless access

point (AP), or through a sequence of intermediate users to an AP that is too far away to

reach. By contrast, static ad hoc networks mainly consist of stationary nodes, that is, fixed

at where they were deployed. The most significant example of this later type is wireless

sensor networks (WSNs) [2], which have attracted extensive attention in both academia

and industry for their broad potential not only in military and homeland security scenarios

but also in general civilian settings.

While offering significant benefits, wireless ad hoc networks are also vulnerable to

unique security challenges as compared to their wired counterparts. Roughly ;1t Ilne:_

risks in wireless ad hoc networks are equal to the sum of the risks of operating a wired

network plus the new risks introduced by weaknesses in wireless protocols. Some of the

major security challenges that a wireless ad hoc network faces include the following:

All old threats to a conventional wired network apply to a wireless ad hoc network.
The shared wireless medium facilitates passive eavesdropping on data communications
and active bogus message injection into the network by attackers.
Early protocol design for wireless ad hoc networks all assumed a friendly and coop-
erative environment. As such, many wireless protocols have inherent security flaws.
Mobile devices are subject to phs!- -i I1 theft or loss, leading to insider attacks launched
by attackers harnessing confidential information extracted from stolen devices.
Intrusion detection is far more difficult, mainly because it is hard to differentiate
anomalies caused by characteristics of wireless channels and those caused by attacks.
There is often lack of an on-line centralized authority or administration.
Mobile devices usually have stringent resource constraints and thus cannot afford
resource-hungry security protocols.

How to model node misbehavior is an essential component in any security protocol

design, as a decent solution designed under one misbehavior model may be less effective

or even completely invalid under another one. In this dissertation, we classify misbehaving

nodes into two classes: malicious and selfish. The objectives of the former are to attack

the proper network operations without consideration of their own gains. Adversarial nodes

often existing in military ad hoc networks are typical examples of such malicious nodes. By

comparison, selfish nodes can be characterized by the intention of maximizing their own

gains or collective gains with collusive nodes from the network community while minimizing

their contributions to it. Selfish nodes are less likely to exist in single-authority-like ad hoc

networks such as military MANETs and WSNs, but are very likely to be present in general

civilian ad hoc networks where nodes may have conflicting interests. For example, in a

WMN, nodes may be reluctant to forward packets to and from the AP for others in order

to save their own resources such as battery life, CPU cycles, or available network bandwidth

[3, 4].

This dissertation contributes to developing novel solutions to a number of challenging

issues in heterogeneous wireless ad hoc networks, involving either malicious nodes or selfish

nodes or both, which are either ignored or not well addressed in the literature. The rest of

this dissertation is structured as follows.

Chapter 2 considers passive eavesdropping and the Illllille~llin~ i:_ attacks launched

against MANETs deployed in hostile environments. To deal with such attacks, we propose

a novel.l!!. ...-, us.. .sI on-demand routing protocol, termed MASK(, which can accomplish both

MAC-layer and network-layer communications without disclosing real IDs of participating

nodes under a rather strong adversarial model. MASK( offers the .... ...-, un!ir-,i of senders, re-

ceivers, and sender-recipient relationships, as well as node unlocatability and untrackability

and end-to-end flow untraceability. It is also resistant to a wide range of attacks. Moreover,

MASK( preserves the high routing efficiency as compared to previous work.

Chapter 3 studies key management, a fundamental problem in securing MANETs. We

present IK(M, an ID-based key management scheme as a novel combination of ID-based

and threshold cryptography. IK(M is a certificateless solution in that public keys of mobile

nodes are directly derivable from their known IDs plus some common information. It thus

eliminates the need for certificate-based authenticated public-key distribution indispens-

able in conventional public-key management schemes. IK(M features a novel construction

method of ID-based public/private keys, which not only ensures high-level tolerance to

node compromise, but also enables efficient network-wide key update via a single broadcast

message. We also provide general guidelines about how to choose the secret-sharing param-

eters used with threshold cryptography to meet desirable levels of security and robustness.

The advantages of IK(M over conventional certificate-based solutions are justified through

extensive simulations. Since most MANET security mechanisms thus far involve the heavy

use of certificates, we believe that our findings open a new avenue towards more effective

and efficient security design for MANETs.

Chapter 4 explores secure localization in WSNs. The proper operations of many sen-

sor networks rely on the knowledge of ph!~-il II sensor locations. However, most existing

localization algorithms developed for sensor networks are vulnerable to attacks in hos-

tile environments. As a result, attackers can easily subvert the normal functionalities of

location-dependent sensor networks by exploiting the weakness of localization algorithms.

In this chapter, we first ..I! I1-,... the security of existing localization techniques. We then

develop a mobility-assisted secure localization scheme for WSNs.

Chapter 5 introduces a suite of location-based compromise-tolerant security mechanisms

for WSNs. Node compromise is a serious threat to WSNs deployed in unattended and hostile

environments. To mitigate the impact of compromised nodes, we design a few location-

based compromise-tolerant security mechanisms. Based on a new cryptographic concept

called pairing, we propose the notion of location-based keys (LBE~s) by binding private

keys of individual nodes to both their IDs and geographic locations. We then develop

an LBK(-based neighborhood authentication scheme to localize the impact of compromised

nodes to their vicinity. We also present efficient approaches to establish a shared key

between any two network nodes. In contrast to previous key establishment solutions, our

approaches feature nearly perfect resilience to node compromise, low communication and

computation overhead, low memory requirements, and high network scalability. Moreover,

we demonstrate the efficacy of LBE~s in counteracting several notorious attacks against

sensor networks. Finally, we propose a location-based threshold-endorsement scheme, called

LTE, to thwart the infamous bogus data injection attack, in which adversaries inject lots of

bogus data into the network. The utility of LTE in achieving remarkable energy savings is

validated by detailed performance evaluation.

Chapter 6 presents a secure authentication and billing architecture for WMNs which are

finding ever-growing acceptance as a viable and effective solution to ubiquitous broadband

Internet access. This chapter addresses the security of WMNs, which is a key impediment to

wide-scale deployment of WMNs, but thus far receives little attention. We first thoroughly

identify the unique security requirements of WMNs for the first time in the literature. We

then propose UPASS, the first known secure authentication and billing architecture for

WMNs. In contrast to a conventional cellular-like solution, UPASS eliminates the need

for establishing bilateral roaming agreements and having realtime interactions between po-

tentially numerous WMN operators. With UPASS in place, each user is no longer bound

to any specific network operator, as he or she ought to do in current cellular networks.

Instead, he or she acquires a universal pass from a third-party broker whereby to realize

seamless roaming across WMN domains administrated by different operators. UPASS sup-

ports efficient mutual authentication and key agreement both between a user and a serving

WMN domain and between users served by the same WMN domain. In addition, UPASS

is designed to be resilient to a wide range of attacks. Morever, the incontestable billing of

mobile users is fulfilled through a lightweight realtime I!!i !**..:.. ni !! protocol built on the

combination of digital signature and one-way hash-chain techniques.

Finally, Chapter 7 concludes this dissertation and points out some future work.


2.1 Introduction

Mobile ad hoc networks (MANETs) are infrastructureless, autonomous, stand-alone

wireless networks that are receiving growing attention from both academia and industry.

In this chapter, we are concerned with MANETs deployed in hostile environments, such

as those facilitating large-scale theater-wide communications or relatively small-scale com-

munications in MOUT (Military Operations on Urban Terrain). It is obvious that robust

security support is indispensable for the proper functioning of such MANETs.

The shared wireless medium of MANETs introduces abundant opportunities for passive

eavesdropping on data communications. This means that, without ph1-, -il I11-, compromis-

ing a node, adversaries can easily overhear all the MAC frames "flying in the air," each

typically including .l Although end-to-end

and/or link encryption can be enforced to prevent adversarial access to data contents, for

any observed frame, adversaries can still learn not only the network and MAC addresses of

its local transmitter and receiver, but also the network addresses of its end-to-end source

and destination. Such MAC and network address information is currently left bare with-

out protection in the de facto MAC protocol IEEE 802.11 and existing MANET routing

protocols such as AODV [5] and DSR [6].

The leakage of MAC and network addresses may result in a number of severe conse-

quences. First of all, it would facilitate adversarial traffic I!! I1-, -is run to infer network

SWe use the terms p~ II 1:- I" and lI I!!!, s" interchangeably in this chapter.

traffic patterns and/or traffic pattern changes.2 In a tactical military MANET, an abnor-

mal change of the network traffic pattern may indicate a forthcoming action, a chain of

commands, or a state change of network alertness [7]. Its disclosure to adversaries would

thus lead to the failure of urgent military actions. In addition, adversaries are able to

trace any packet backward to its original source or forward to its final destination. This is

also undesirable because in many cases packet sources are critical nodes such as captains

or majors, while packet destinations are nodes commanded to carry out certain military

operations. Moreover, adversaries can locate individual nodes and track their movements.

This is extremely dangerous in that adversaries can easily identify critical network nodes

and then launch directed attacks on them. Most previous proposals such as Ariadne [8] and

ARAN [9] aim to deal with active attacks, which usually involve the launch of denial-of-

service (DOS) or other more i; !-!1.h ," Iooressive attacks on the target network. By contrast,

the aforementioned attacks belong to the category of once-passive-then-active attacks, or

passive attacks for short, which are more subtle, n oi l-!1.1. ," and difficult to detect before

severe damage actually occurs. In this chapter, we seek efficient solutions to such more

dangerous passive attacks.

For ease of presentation, we use the notion "network ID" (or simply "ID") to indicate

both the MAC and network addresses of a mobile node, which should be understandable

from the context. We also define I!!. ...-, !!!!I-,i" as the privacy preservation of network IDs

of mobile nodes and their group membership information, e.g., belonging to nation A or B,

or affiliated with battalion 1 or 2. Although less intuitive, the privacy of node affiliations

is as important as that of node IDs in many security-sensitive environments. For example,

suppose a coalition force of multiple nations is dispatched to carry out a common military

mission. Soldiers of the same nation can form an exclusive MANET among themselves

and thus there would co-exist multiple MANETs in the battlefield. In this case, each node

2 A network traffic pattern consists of triplets rate>, each describing one flow. A flow can be an end-to-end network flow, then the
address fields are the network addresses of an end-to-end source and destination pair. It
can also be a local link flow, then the address fields are the MAC addresses of a local
transmitter and a receiver.

may want to avoid unnecessary exposure of both its ID and nationality because adversaries

or terrorists may perform selective directed attacks according to not only IDs but also

nationalities. As demonstrated in Section 2.3.2, conventional cryptographic techniques such

as Diffe-Hellman key exchange [10] cannot satisfy this I!!u al-, !!!r-,i requirement and thus fail

to withstand passive attacks.

We observe that passive attacks are feasible for two reasons: (1) each node can be

uniquely identified by its network ID, and (2) each node uses the invariant network ID

in both MAC-layer and network-layer communications. Motivated by this observation, we

propose to thwart passive attacks by designing .I!!...-, !!!a .IIs communication protocols. The

fundamental purpose is to realize both efficient MAC-layer and network-layer communi-

cations, while I!!...-, !!in i. 11. all the involved nodes, therefore effectively defeating passive


The contribution of this chapter is the design of a novel .I!!. ...-, us.. ..s on-demand rout-

ing protocol, called MASK(, which can simultaneously achieve .l!!....-, us.. ..s MAC-layer and

network-layer communications. The novelty of MASK( lies in the use of dynamic pseudonyms

rather than static MAC and network addresses. MASK( offers both sender and receiver

anonymity as well as sender-receiver relationship anonymity.3 Specifically, although ad-

versaries might observe a packet transmission, they cannot determine real network IDs of

its sender and receiver, nor can they decide if (or when) any two nodes in the network are

communicating. In addition, MASK( ensures node ;, ii/...~rilleilul and :,,,ir,;. 1,;&////.:I:. meaning

that, although adversaries might know some real network IDs and/or group memberships,

they are unable to decide whom and where the corresponding nodes are in the network.

Moreover, MASK( guarantees end-to-end flow :n,,;I~~~I.:.;1I//;. which means that adversaries

cannot trace a packet forward to its final destination or backward to its original source, nor

can they recognize packets belonging to a same ongoing communication flow. Furthermore,

MASK( is as efficient as classical routing protocols such as AODV [5], which is confirmed by

3 For a given packet, a sender can be its original source or local transmitter, and a receiver
can be its final destination or local receiver.

detailed simulation results. It can also withstand a variety of attacks, e.g., message coding,

flow recognition, and timing .l!! II, -i-

2.2 Preliminaries

2.2.1 Basics of ID-Based Cryptography (IBC)

IBC [11] is receiving extensive attention as a powerful alternative to traditional certificate-

based cryptography (CBC) and serves as one of the cryptographic foundations of this dis-

sertation. The main idea of IBC is to make an entity's public key directly derivable from his

publicly known identity information such as his email address. IBC thus completely elimi-

nates the need for public-key distribution realized via conventional public-key certificates.

Although the idea of IBC dates back to 1984 [11], only recently has its rapid development

taken place due to the application of the pairing technique outlined below.

Let GI denote a cyclic additive group of some large prime order q and G2 a cyclic

multiplicative group of the same order. Assume that the Discrete Logarithm Problem

(DLP) is hard4 in both GI and G2. For us, a pairing is a map 8 : G x GI G2~ with the

following properties:

1. Bilinear: V P, Q, R, S E GI,

8(P + Q, R + S) = 8(P, R)8(P, S)8(Q, R)8(Q, S). (2.1)

Consequently, for V a, b e ~, we have

&(aP, bQ) = &(aP, Q)b = 8(P, bQ)a (p, )ab

2. Non-degenerate: If P is a generator of GI, then 8(P, P) E F*, is a generator of G2-

3. Computable: There is an efficient algorithm to compute 8(P, Q) for all P, Q E Gi.

Note that & is also symmetric, i.e., 8(P, Q) = 8(Q, P), for all P, Q E GI, which follows

immediately from the bilinearity and the fact that GI is a cyclic group. Modified Weil

[12, 13] and Tate [14] pairings are examples of such bilinear maps for which the Bilinear

4 t is computationallyi infneaible to extract the integenr ae Z {a|1 4 a 4; q -1}, given

P, Q E GI (respectively, P, Q E G2) such that Q zP (respectively, Q P")

D.:TS -Hellman Problem (BDHP) is believed to be hard. That is, it is believed that, given

< P, zP, yP, zP > for random z, y, z EZ~ and P E GI, there is no algorithm running in ex-

pected polynomial time which can compute e(P, P)"Zy E G2 with non-negligible probability.

We refer to Boneh and Franklin [12, 13] and Barreto et al. [14] for a more comprehensive

description of how these pairing parameters should be selected in practice for efficiency and


2.2.2 Adversary Model

We assume that adversaries can collaborate to passively monitor every radio transmis-

sion on every communication link. In addition, they may compromise any node in the target

network to become an internal adversary. However, we postulate that passive adversaries

cannot compromise an unlimited number of nodes. Neither can they have unbounded com-

putational capabilities to easily invert and read encrypted messages and break the BDHP

assumption. Otherwise, it is believed that there is no workable cryptographic solution.

2.3 MASK Design

In this section, we elaborate the design of MASK(. We start with describing the net-

work model and then discuss how to achieve single-hop MAC-layer communications. Sub-

sequently, we present an on-demand routing protocol to realize !!..... 1mun IIs network-layer

communications. After that, some countermeasures against attacks and a security enhance-

ment based on the secret-sharing technique [15] are introduced.

2.3.1 Network Model

We consider a general case that there co-exist multiple MANETs, each comprising

nodes of the same group. For simplicity, we use a capital letter, such as A, B, or C, to

indicate each MANET and the group it corresponds to. The concrete meanings of groups

may vary across different application contexts. For example, each group or the related

MANET may be related to a troop of a different nation, or a different company or battalion

in the same brigade. Hereafter, we will utilize network A as an example to illustrate our

MASK( design. We denote by A.i the ith node of A for 1 ( i ( NA, where NA is the

number of nodes in A. We assume that each A.i has a unique non-zero network ID IDAi.i

As discussed before, both IDA~i and node A.i's membership in A should be well protected

from adversaries.

Prior to network deployment, a trusted authority (TA) who himself/herself does not en-

ter the network first determines the pairing parameters (q, GI, G2, 8) along with a group-wise

masteI~rL key gA eZ ,. The TA then chooses two collision-resistant cryptographic hash func-

tions: H1, mapping strings to non-zero elements in GI, and H2, mapping arbitrary inputs

to fixed-length outputs, e.g., SHA-1 [16]. Public --, -r. ill parameters < q, GI, G2, 8, H1, H2

are preloaded to each A.i. By contrast, gA should be well safeguarded from unauthorized

access and never be disclosed to ordinary group members dispatched to execute dangerous

military actions.

In MASK(, nodes substitute pseudonyms for real IDs in communications. If a node

uses one pseudonym all the time, it will not help to defend against passive attacks we have

in mind, because the pseudonym will be I!! I1-, .~ .1 the same way as its real ID. Therefore,

each node should use dynamic pseudonyms instead. For this purpose, the TA furnishes

each A.i with a sufficiently large set PSA~i = {PS |,1 ( k ( |pSA~i|} of collision-resistant

1.-'''i ...lun !!-T A pseudonym can be any type of string and collision-resistance means that

all the pseudonyms are different from each other. In addition, each A.i is armed with

a corresponding secret point set as SpA~i = {SP),}) = {gAH1(PS~, ) e Gi (1 ( k (

|pSA~i|). Due to the difficulty of solving the DLP in GI (cf. Section 2.2.1), given any

< PS~,, SP~~ > pair, it is impossible to deduce gA with non-negligible probability.

2.3.2 Anonymous MAC-Layer Communications

In this subsection, we discuss how to achieve .I!!...-, us.. ..s single-hop MAC-layer com-

munications through an .I!!...-, us.. ..s neighborhood authentication protocol.

Anonymous neighborhood authentication. A h ae-s..--:....s..

authentication allows two neighboring nodes of the same group to identify each other se-

. c. He in the sense that each party reveals its group membership to the other only if the

other party is also a group member. This notion bears similarity to the concept of secret

5 If X is a set, |X| means its cardinality.

handshakes introduced by Balfanz et al. [17]. As an example, node A.i might want to

authenticate itself to a neighboring node z, but only if a is also a member of group A.

In addition, if a does not belong to A, the authentication protocol should not help z in

determining either the real ID (IDA~i) of A.i or whether A.i is a member of A or not.

As mentioned in [17], realizing I!!...-, us.. ..s authentication (or secret handshakes) requires

new cryptographic protocols since it cannot be easily accomplished through existing cryp-

tographic tools. For example, authentication techniques based on public-key certificates,

such as authenticated two-party Diffe-Hellman key exchange [10], may inevitably disclose

either real IDs of mobile nodes or their group memberships or both, which are either im-

plied or explicitly embedded in public-key certificates. For instance, for its certificate to be

verified, a node has to tell the other party the authentic public key of the CA (Certificate

Authority) that generates its certificate. Obviously, this would cause the exposure of that

node's group membership, i.e., from which CA it obtains the certificate, no matter whether

the other party belongs to the same group or not. In the following, we illustrate a pairing-

based .I !!. ..-, us.. ..s neighborhood authentication protocol, which is an extension of the secret

handshake scheme introduced in [17] to MANETs.

Without loss of generality, below is shown the authentication process between nodes

A.1 and A.2, where || denotes message concatenation.

A.1 A.2 : PS)7,, ni

A.2 A.1 : PS~, .2, V2 21 = H2(n I1 n2 || 0 || K2,1)

A.1 A.2 : V12 = H2(n I1 n2 || 1 || K1,2)

A.1 starts the protocol by pulling out from PSA.1 an unused pseudonym PS) and locally

broadcasts a MAC frame including PS)~ and a random nonce nl. Upon seeing the request,

A,.2 alsoV drawsY1 anI unIusd, pseudonym PS1 .2 from pSA.2 and then generates a master key as

K2,1 = 8(H1(PSi,), SP).2). After that, A.2 locally broadcasts a reply frame consisting of

PSi2,, a random nonce n2, and a value V2,1 shown above. Upon reception of the reply from
A.2, node A.1 calculates a master key as K1,2 = (H(S 2) P)7)a wllad hek

Gi2,1 H2(a I1 a2 || 0 || K1,2~). According to Eq. (t2.1) and the symmetric property of b, if

and only if both nodes are affiliated with the same group A, could they have

K21= 8(H1(PSi z,), H1(PS 2,))9A

= 8(Hi(PSUA.2), H1(PS x1))9A =K,

As a result, if the verification succeeds, A.1 knows that A.2 must be an authentic group

peer. To authenticate itself to A.2, A.1 returns a value V1,2 shown above. If V1,2 = H2(n I1

n2 || 1 || K2,1), node A.2 can rest assured that A.1 belongs to the same group A as itself.
Notice that the source and destination addresses of the three involved MAC frames should

both be set to be a pre-defined universal address such as all 1's instead of their real network

IDs (MAC addresses in this case).

After a successful three-way handshake, A.1 learns that there is a trustable group

peer in its neighborhood, but has no knowledge of the real ID except one of the public

pseudonyms of A.2. So does A.2. If the authentication fails, which may occur for instance

when one of them is an adversarial impersonator, the legitimate one reveals nothing but a

pseudonym to the impersonator. In addition, an adversarial eavesdropper learns nothing

more than some seemingly random numbers from the protocol execution.

Since A.1 and A.2 have established a shared master key K1,2 = K2,1, they can proceed

to calculate E pairs of shared session key (N/. 0 ) and link identifier (LinklD) as

kf,2 = H2(l n1 112 | 2sq||K1,2)

LZ,2 = H2 81 82 || I2 sq+ 1 ||K 1s,2

where E is a design parameter, and k and L 1(7(F)idct he7hSe n

LinklD, respectively. The collision-resistance of node pseudonyms, H1 and H2 enSUreS

that such < Skey, LinklD > pairs are also collision-resistant meaning that no identical pairs

would be generated by different pairs of nodes or two same nodes with different pairs of

nonces. In addition, each pair is only known to the two nodes which

established it and there is even no apparent relationship among the pairs

generated by two same nodes under the same pair of nonces. Such < kf,2, LZ,2 > pairS are
to be used in an increasing sequence for subsequent data communications between A.1 and

A.2, as will be explained shortly. Whenever established F pairs are used up, A.1 and A.2

are required to automatically increase both nl and n2 by one a~nd generate new F pairs

using the computationally efficient hash function H2. Of course, A.1 and A.2 should have

a simple agreement so as to synchronize the use of such pairs.

Similarly, each node can achieve .I!!. ...-, us.. ..s mutual authentication and establish pair-

wise shared pairs with all its neighboring nodes. Notice that if multiple

nodes simultaneously answer the same request, possible MAC-layer collisions may occur. In

this chapter, we assume the reliable transmissions of authentication requests/replies, which

can be achieved for instance by using a. ra~ndon1 delay for which each node has to wait before

answering an authentication request.

In our design, we leave the decision when and whether a node wants to initiate the

I!!. ., usua lsI neighborhood authentication to the node itself. Ideally, a node should keep

track of its neighbors at all time and should perform the authentication whenever it moves

to a new place or finds new neighbors. In this case, a neighbor discovery/nlaintanence

niechanisni such as the "Hello" messages used in AODV [5] will be necessary. Notice here

that although the "Hello" messages are transmitted periodically, the authentication is done

only once for each neighbor. A node may also choose not to do the authentication while

it is on the constant and fast movement. Another option is that a node only initiates

the authentication on-deniand, e.g., when it receives a route discovery message from an

unauthenticated neighbor. Authentication purely on-deniand could reduce the overhead

caused by running the neighborhood authentication protocol, while at the same time it

would introduce extra delay on the route discovery process.

We would like to point out that I!!...-, us.. ..s neighborhood authentication would incur

additional computational overhead in contrast to other on-deniand routing protocols such

as AODV and DSR, which do not provide either security or .I!!, !ily gua~ra~ntees. How-

ever, mutual authentication between neighboring nodes is indispensable in MANETs, only

by which one node can reject accepting messages front or forwarding messages for unau-

thenticated neighbors. Otherwise, adversaries can easily inject bogus messages into the

network to deplete scarce network resources as well as interrupting proper network fune-

tionalities. In addition, any two neighboring nodes only need to perform authentication

once and subsequent coninunications can be encrypted and authenticated using efficient

symmetric-key algorithms based on established shared Skeys. It will be shown in Section

2.4 that I!!...-, us.. ..s neighborhood authentication can be implemented efficiently without

much degrading the routing efficiency.

Anonymous MAC frame exchange. Based on established shared

pairs, two neighboring nodes can easily realize ........ -,! li.IIs single-hop MAC-layer commu-

nications. In our design, we replace the transmitter and receiver MAC addresses in a

conventional MAC frame with a single LinklD. In fact, we will see later that the same

LinklD also eliminates the necessity of network addresses. In other words, a conventional

MAC frame changes to in

our scheme.

For example, A.1 sends a MAC frame of format < L:;,2 tak: i >, where {msg}K
stands for a message msg encrypted under key K using any symmetric-key encryption

algorithm such as RC6 [18]. That frame can be heard by all its neighboring nodes, among

which only A.2 will accept the frame because of its unique sharing of L:,2 with A.1. A.2

can decrypt the data with the corresponding Skey ki,2. Similarly, A.2 can reply with a

MAC frame < L ~,2 kcaa,~ >. If the MLAC protocol in use is contention-based, such as
the Distributed Coordination Function (DCF) of the IEEE 802.11, conventional RTS-CTS-~

DATA-ACK( frame exchange is also easy to implement based on pairwise shared LinklDs

to alleviate notorious hidden and exposed terminal problems.

Since real IDs of mobile nodes are kept confidential in u.I s !-, us.. .. s neighborhood authen-

tication and subsequent local MAC frame exchange, we have successfully realized anony-

mous single-hop MAC-layer communications. In other words, local transmitter and re-

ceiver I!!...-, un!ir-,i and their relationship I!!ual-, un!ir-,i have been achieved. Also notice that

our I!!. .!.-, us.. ..s neighborhood authentication protocol ensures both node unlocatability and

untrackability at the same time.

2.3.3 Anonymous Network-Layer Communications

Network-layer communications, most likely multi-hop, rely on routing protocols to find

end-to-end routing paths between any source-destination pair and relay packets in a hop-by-

hop manner enroute from the source to the destination. To realize .I !!. .-, us.. ..s network-layer

communications, we present here an .I!!. ..-, usua lsI on-demand routing protocol, called MASK(,

Reverse route table of A 2 Reverse route table of A 3 Target LinklD table of A 4
dest_1d destSeq ps donmdest_1d destSeq p ho

|IDA4 50 PS'A1 IDA4 50 PS 2

Forwarding route table of A 1 Forwarding route table of A 2 Forwarding route table of A 3
dest_1d destSeq Lin lD Llst Lin lD Llst dest_1d destSeq Link D Llst Link D Llst dest_1d destSeq Lin lD Llst Link D Llst

|IDA4 51 null L62IA 51 2~ L2,3 IIDA4 51 L2, L34 T

Figure 2-1: An..n!-, ne- mI route discovery with a route reply generated by the destination

to establish a sequence of pairs between any source and destination pair.

In our MASK(, each node maintains the following data structures:

Forwarding route table: A table consisting of entries of format LinklD-list, next-LinklD)-list>, where dest~id is the real ID of the destination and
destSeq6 is the corresponding node sequence number. The pre-LinkclD-list is the
set of pre-hop LinklDs from which packets destined for dest~id may come, and next-
LinklD-list is the set of next-hop LinklDs to which packets destined for dest~id are
supposed to be forwarded.
Reverse route table: A table consisting of entries of format Ip :,dv ,,:I,>, based on which route replies are relayed back to the source.
Target LinkclD table: A table consisting of selected LinklDs shared with neighbors.
The current node is the final destination (end-to-end) for the packets bearing the
LinklDs in its target LinklD table.

An appropriate timer is associated with each entry of the above tables and an entry should

be recycled when its timer expires.

Anonymous route discovery. Without loss of generality, we illustrate the anony-

mous route discovery process in MASK( using the simple chain topology shown in Fig. 2-1,

where nodes A.1, A.2, A.3, and A.4 are assumed to be using pseudonyms PS) 7 PS),~~ PS".

and PSi~4, respectively, in their current places. To ease the presentation, we further assume

6 The maintenance of node sequence numbers strictly follows the steps defined in AODV

that each node has finished .I!!...-, us.. ..s mutual authentication using the same pseudonym

with all its neighboring nodes and has established shared pairs with them.

Similar to other on-demand routing protocols, our .l!!...-, us.. ..s route discovery starts

from broadcasting route request messages when a node has a packet to a certain destination

but it does not know a path to that destination. An I!!...-, usua lsI route request (ARREQ)

has the format , where dest_id is the real

ID of the destination, 7 ARREQ_id is a globally unique value that uniquely identifies an

ARREQ, destSeq is set to be the last known sequence number for the destination or to be an

unknown flag if needed, and PS,,, is the active pseudonym of the source. To be consistent

with the aforementioned MASK( packet format, a predefined LinklD such as all 1's should

be used to identify the ARREQ, which is not shown for brevity. In the shown example, the

ARREQ takes the form of . When an intermediate

node, say node A.2, receives an ARREQ message for the first time, it inserts an entry into

its reverse route table where this ARREQ comes from, and then rebroadcasts the ARREQ

after replacing the embedded pseudonym PS),1 with its currently-used one, i.e., PS)~.2

ARRE~s with previously seen ARREQ_ids are simply d:!-I !01. 0' This process continues

until all the nodes in the network have rebroadcasted the ARREQ once.

It is worth noting that in the propagation of ARRE~s, the real IDs of the source and

all the intermediate nodes are concealed, while the real ID of the destination has to be

exposed. In traditional on-demand routing protocols such as AODV [5], the destination

itself and any intermediate node which has a valid routing entry to the destination do not

need to rebroadcast the route request message. However, that design allows adversaries to

identify the destination node easily by monitoring the activities at each node every node

broadcasts the routing request once except the destination and/or some nodes having the

routes to the destination. Therefore, in our design, every node, including the destination

SARREQ_id could be generated by *Ii I ll1-,i!:- a collision-resistant hash function like SHA-
1 [16] on the concatenation of a node's pseudonym, sequence number, and a timestamp.

SNote that ARREQ flooding is supposed to be finished in a limited period so that each
node does not need to keep too many old ARREQ_ids.

and qualified intermediate nodes, needs to rebroadcast the ARREQ message once. This

will effectively hide the whereabout of the destination even though adversaries know that

there is such a node, they will have difficulty to match the dest_id (IDA.4 in this case) to

any of the nodes in the network. Note that the overhead introduced by this modification is

minimal in a route discovery protocol using flooding, every node needs to broadcast once

lir-, 1-- -, except the destination and qualified intermediate nodes. So the extra overheard

introduced is only one or a few more transmissions by the destination and the intermediate

nodes which can reply.

An I!!...-, !!nu als route reply (ARREP) can be generated and sent back to the source

at the destination or at any intermediate node which has a valid route to the destination.

Fig. 2-1 demonstrates the case that a route reply is generated by the destination A.4 itself.

Once receiving an ARREQ toward itself, A.4 can generate an ARREP to be unicasted back

to the source following the reverse route established before. In our design, an ARREP

packet is of format , where LinklD is the next

to be used shared between the destination and the pre-hop node from which the ARREQ

comes, and the corresponding Skey is used to encrypt the packet content so that adversaries

cannot recognize that this is an ARREP corresponding to the previously-observed ARREQ.

In the shownl examnpele anl ARRE~P is in the form of < L ;,4 { ARREP, IDA4, 51}kg~ ,4

As noted before, only the intended receiver A.3 will be able to interpret L ~,4 and decrypt

the packet content accordingly. While for a passive eavesdropper, L ~,4 only appears to be
some meaningless random number, and it has no idea of what the packet is about and to

whom the packet is sent. Moreover, A.4 adds L 4P to its target LinklD table. The reason

of inserting L 40 instead of L ,4 is to prevent adversaries from identifying the relationship

between this ARREP packet and subsequent data packets. Later on, when seeing a packet

identified by L4P,, A.4 knows that it is the end-to-end destination of that packet. An

intermediate node can also generate an ARREP if it has one forward route entry for the

dest_id with destSeq equal to or larger than that contained in the received ARREQ. The

node needs to prepare an ARREP packet to be sent to its pre-hop node as well. Different

from the destination, the intermediate node need not modify its target LinklD table. This

case is straightforward and not shown for lack of space.

For a node on the reverse path, say A.3, when receiving an ARREP < L ~,4, { ARREP,

IDA.4, 51}k9. > frOm its next-hop, A.3 will discard it if the embedded destSeq, 51 in this
case, is smaller than that in its reverse route table. Otherwise, A.3 will decrypt the ARREP,

form and transmit a new ARREP < L ,3, {ARREP, IDA.4, 51}k Z~,3 Here is the next to be used pair shared between A.3 and the pre-hop node

"PS).$" (in fact, node A.2) stored in its reverse route table. A.3 also needs to update its
forwarding route table as follows. If it does not have an entry for IDA.4, a new entry will be

created. Or if the entry for IDA.4 has a smaller destSeq than that in the ARREP, the old

entry will be replaced with the new information, i.e., dest~id, destSeq, pre-LinkclD-list, and

next-LinkclD-list will be set to IDA.4, deStSeq in the ARREP, L ~,3, and L ~4, respectively.

If A.3 already has an entry for IDA.4, and the new destSeq in the ARREP is equal to

the old one, it updates the route entry by appending L ~4 and L ~,3 to the next-LinklD)-list

and pre-LinklD)-list fields of its forwarding route entry, respectively. Therefore, MASK<

may simultaneously maintain several next-hop and pre-hop LinklDs for one dest~id (called

virtual multipath f:, .i 11. ,i~ilIlu in this chapter) in the forwarding route table. This operation

is different from that of AODV [5] in which a node suppresses routing replies with the same

destination sequence number. The reason for adopting this design will be stated in the

subsequent subsection. Also notice that LinklDs inserted into forwarding route tables are

I.h-- I-, a next to the ones used to identify the ARREPs so that adversaries cannot correlate

the ARREPs with subsequent data packets. The above process continues until the ARREP

reaches the source A.1. An exemption in the route reply process is that, in MASK(, since

each node is required to rebroadcast the ARREQ message no matter whether it replies or

not, the ARREPs coming back to an intermediate node which replied before may present

inconsistent state information that may cause routing loops. Therefore, we require that

the intermediate nodes which have already replied ignore the route replies with the same


Notice that in the route reply process, all the ARREP packets are encrypted and

identified by the LinklDs which are only interpretable by the intended local receivers. A

passive eavesdropper might see discrete transmissions everywhere but it will not be able to

tell the content of a particular transmission, neither can it tell who is transmitting and who

A. 53 66 Target LinklD table


soucedueto he ......, us..negbroo uhetcton htitcnler sth Do

Anonymous packet forwarding. The packet fowrigi AKi oelk

vita igrcuit : switching press ByI looking up! ~in thek forwarding froute. tabe thesorc

pics aracivnd. om LinklD rom thverr nt-ikl-ls fipelins th eie en try fr te dersetination A

paucket is to hen formed- and~ settote et-o neighbors ateictin hat shca lare s the hse LinlD

Ahdsinotedbeore, au packt wish ofd format ,ie where the datapatcarries othe

prtool ndmu applcaetio datwa.dng Depenkt ding on diffren aplcainsh data part can

bera ecirypte and atchentircaeds by the keyg corepondn g to thwrdnre LinklD. When seeing

itk toon randomly selected from its next-LinkclD-list field of the nr forwaredesingroute enr

inke wich then eombded LinkD mantcthes one -of teiheo value ine the pr-LnlDlst. LnIt he

re-unicatsd thefo packet tsof thcosennet hop.ID Followinge thispoessa packt canre finally

preachl the destination whic wil terminat the frading whent fpindting the LinklDr ianit

An examypled ofd ...auth licatn packe et forwrdig sdpictd in t h FigkI. 22inwhich setin

ofh forwarding links (dnoted bydirectional solidines thae ebeden established ea chlabgele

LinklD-Lit randol eet fm s next-LinklD-Llist fields of its forwarding route entryfothdeinin

A.4, respectively. As we can see, due to the random selection of next-hop LinklDs at each

intermediate node, MASK( has the nice ',dG.- mining property that packets of the same

flow may travel through different paths to the destination. This makes it more difficult

for adversaries to correlate observed radio transmissions to acquire actual network traffic

patterns. It also increases the difficulty of adversaries in tracing a packet enroute from its

original source to the final destination. The shortcoming is that, MASK( does not I.h-- I-, a use

the best path, e.g., the shortest-hop path, for packet forwarding, so it may introduce extra

delay and/or delay jitter. However, for security-sensitive MANETs demanding ..I!!u a-, !!!iry

protection, we argue that this tradeoff of routing efficiency for I!!. ...-, un!iry is acceptable. In

addition, we will see in Section 2.4.2 that such random packet forwarding can help improve

the routing performance under heavy traffic load.

When all the next-hop nodes for one destination become unavailable due to mobility

or other reasons, a node needs to locally broadcast an I!!...-, us.. ..s route error (ARRER)

packet of format to inform its up-stream nodes, which is again

identified by a predefined universal LinklD including all 1's. Any neighboring node which

has one of the LinklDs in the received pre-LinkclD-list should remove it from the next-

LinklD-list field of its corresponding forwarding route entry. If its own next-LinklD)-list

becomes empty as well, it should also broadcast a similar ARRER packet. When the source

has no available next-hop LinklDs for the destination, it should restart the .I!!...-, us....s~

routing discovery process.

2.3.4 Countermeasures against Attacks

U~p to now, we have described the basic operations of MASK( with a focus on how to

provide I!!. ...-, un!ir-,i in neighborhood authentication, route discovery, and packet forwarding.

In what follows, we describe some security enhancements and discuss more attacks that

MASK( is able to defend against.

Message coding attack. The M~essage coding attack happens when adversaries can

easily link and trace some packets that do not change their contents or lengths during

transmission. Two countermeasures are designed in MASK( to cope with this kind of attack.

First, random padding on every forwarded packet is used by intermediate nodes to prevent

from the attack resulting from the fixed packet length. Intermediate nodes can randomly

adjust the length and content of the random padding. Second, the per-hop link encryption

method through established pairwise Skeys can be used in MASK( as well. The purpose

here is to make the same packet appear quite different across links.

Flow recognition and message replay attacks. The Flow recognition attack oc-

curs when adversaries can recognize packets related to a same communication flow. Notice

that, in MASK(, a same packet bears completely different and uncorrelated LinklDs when

transmitted across different hops. Therefore, it is not possible to trace a packet by its

LinklD. However, if the packets belonging to a single flow I.h-- I-, a use the same LinklD at a

same hop, adversaries may obtain some useful information. Fortunately, the aforementioned

random packet forwarding can partially mitigate this attack. In fact, an intermediate node

works as a multiplexer which takes inputs from multiple pre-links, mixes them together,

and sends them out to multiple next-links. In addition, we request that two neighboring

nodes automatically change their currently-used shared LinklD either on a per-packet basis

or periodically. In doing so, MASK( leaves adversaries a dynamic set of LinklDs for the

same flow and at each hop. Moreover, dynamic LinklDs at each hop effectively thwart the

message ,a Iplan attack in which adversaries replay an old packet repeatedly to reorganize

the packet forwarding pattern.

Timing analysis attack. Suppose adversaries can divide the monitored area into

small cells. They might ascertain that one source or destination exists in one cell by

observing that no packets go into or come out of that cell while some packets come out of

or go into that cell during a certain time interval. In addition, adversaries might guess that

two consecutive radio transmissions belong to the same communication flow. These attacks

belong to the category of the timing analysis attack.

In MASK(, packets transmitted in the air are only identified by seemingly random

LinklDs. When network traffic load is high and every node is busy in transmitting and

r. i~iino_. all the transmissions will be mixed together, which leads to very difficult timing

I!! I1-, -i- However, when the traffic load is light, several precautions need to be taken

against the alleged timing .!! I1-, -is attack. First, when one destination receives a packet

destined for it, it can forge a packet with a fake LinklD and forward it further. By doing

so, it tries to fool adversaries into believing that one observed radio transmission does not

end at the destination. The destination can also use genuine LinklDs to ask its trustful

neighbors to help further enlarge the suspicious area viewed by adversaries. Second, a

packet needs to wait a random amount of time to be forwarded so that an earlier arriving

packet may be forwarded after a later arrival. Last, even without being involved in any

communications, nodes can send dummy packets [19] with fake LinklDs at random intervals

to increase the difficulty of adversaries in determining the originating and terminating areas

of observed radio transmissions. The purpose here is to introduce more randomness of the

radio transmissions so as to conceal the real network traffic patterns, at the cost of increasing

communication overhead.

2.3.5 Replenishing Pseudonym/Secret Point Pairs

In our MASK(, each node is required to use dynamic pseudonym/secret point pairs.

If the network has a rather long lifetime, however, a node may use up the preloaded

pseudonym/secret point pairs sooner or later. If this occurs, a node can reuse old pairs, star-

ing from the first one. This measure can prevent adversaries from continuously tracking the

movement of individual nodes if there are sufficiently many preloaded pairs. Nevertheless,

it may still offer useful attack clues to powerful adversaries adversaries may roughly ascer-

tain the movement of certain nodes by observing that a pre-recorded pseudonym reappears

in certain network location.

To avoid the above situation and ensure strong .I!!...-, un!iry protection, it is necessary

to introduce the TA functionality into the network whereby mobile nodes can get replenish-

ment of pseudonym/secret point pairs. Since using a single TA is vulnerable to single point

of failure, we propose to employ Shamir' secret-sharing technique [15] to enable a more

scalable, secure solution. To do this, the TA executes the following additional operations

when bootstrapping network A:

1. Determine a (t-1)-degree (1 ( t ( NA) polynomial, h(z) = gA CI izi, with

random coefficients ai in Z~ and gA being the group master key.

2. Select n (t ( n ( NA) nodes from A, either without distinction or by considering node

heterogeneity and choosing ph1-, -il I11-, more secure or computationally more powerful

ones. We call these nodes shareholders, denoted by S'F = {SH.k|1 ( k ( n}.

3. Calculate a shares of gA aS 9k, = h(IDSH.k) and assign it to SH.k.

4. C'1!... --- an arbitrary generator We G I and compute a set of share commitments as

SC = {W~l'ub= 9k~let ~|1 4k ~ n}.
S'F, SC and W are appended to the public system parameters known to every node.
An interesting fact is that, although each SH.k does not have the full knowledge of gA, any

t of them can collectively construct gA, while any less than t cannot. For example, based

on the Lagrange interpolation, shareholders SH.1, SH.2,..., SH.t can determine gA:

gA = =1 Xiyi, where Xi = 1 IDSHj H DSH.i.(23

During network operation, when a node, say A.1, almost runs out of preloaded pseudonym/secret

point pairs, it can get replenishment by sending a request including the list of desired new

pseudonyms to each of t randomly-picked shareholders. Without loss of generality, assume

that shareholders SH.1, SH.2,..., SH.t are selected by A.1. For each pseudonym PS),1 in

the request, each chosen SH.i, generates a partial secret point SP~I) = giH1(PS "A.) sent

back to A.1. To verify the authenticity of each SP~Il, A.1 needs to check if &(SP) ~, W) =

t(Hi(PS) zA~),Wj~Ub). Notice that, due to Eq. (2.1), the two sides of the equation are equal
to the same value 8(H1(PS) z), W)gi if SP~I) is authentic. As a result, if the verification

fails, A.1 knows that there must be something wrong with SH.i2. For example, the reply

from SH.i, might have undergone transmission errors, or even SH.i, itself might have been

ph1-, -ih I11-, or logically controlled by adversaries. A.1 can then request a new partial secret

point from another unselected shareholder. Once obtaining t authentic partial secret points,

A.1 utilizes Eq. (2.3) to calculate the complete secret point:

SP) 1 =C;X S iS~il = gA I(PS (2.4)

Same as before, node A.1 cannot deduce gi from S" l nete ani bai AfomS"7

due to the difficulty in solving the DLP in Gi. It is worth noting that all the requests and

replies should be end-to-end encrypted and authenticated to prevent from adversarial access
and modification. How to fulfill them is beyond the scope of this chapter.

In terms of the choice of the secret-sharing parameters t, n, we have shown in [20] that,

when t = [ni/2], andr n is equael to either 2 N -21 lor 2 A+ 1 the maxirmum seculrity
can be obtained. Currently, we are investigating proactive approaches to further improve

Table 2-1: Processing timings of cryptographic operations.
Item Processing timings
Tate paring 8.5 ms
SHA-1 18.980 MB/s
Computation of pairs 2.4 ms (for 1000 pairs)
RC6 7.111 MB/s

the security of the proposed scheme, e.g., by dynamically adjusting the shareholder set and

the values of t, a to allow dynamic node join/leave without changing gA while maintaining

the highest level of security.

2.4 Performance Evaluation

In this section, we evaluate the routing performance of MASK( through simulations.

2.4.1 Simulation Setup
We implemecnt AS in rr: GloMOaim [21], a popular network simulator for MANETs,

and the pairing implementation is based on MIRACL library [22]. The bilinear map e we use

is the Tate p 1 1 1 :_. with some of the modifications and performance improvements described

in [12, 14]. We use two security parameters, a 160-bit Solinas prime q = 2159 + 2"7 + 1 and

a 512-bit prime p = 12qr 1 (for some r large enough to make p the correct size). Such

bit-length configurations of q, p can deliver a comparable level of security to 1024-bit RSA

cryptography. The elliptic curve E we use is y2 = 3 + x defined over the finite field F,

(denoted by E(F,)). Then GI is a q-order subgroup of the additive group of points of

E(F,), while G2 is a q-order subgroup of the multiplicative group of the finite field F*,.
In addition, we use SHA-1 [16] as the hash function H2 and RC6 [18] as the encryption

method used for ARREPs and data packets.

We evaluate the computational costs of critical cryptographic operations in MASK( on

a Pentium III 1 GHz processor under Windows 2000. For convenience only, we assume the

lengths of node pseudonyms, random nonces, F, and LinklDs (also Skeys) to be 8, 4, 2,

and 20 bytes, respectively. In fact, the impact of larger lengths on the results is negligible.

From Table 2-1, we can see that the most time-consuming operation is the Tate pairing

required by.....l!1!- muns~II neighborhood authentication. Since the pairing is a relatively new

concept, we anticipate that its evaluation cost will be much reduced with the rapid advance

in cryptography. For example, Barreto et al. [23] recently announce an approach to evaluate

the Tata pairing by up to 10 times faster than previous methods, the implementation of

which is underway.

Also note that the Tate pairing only needs to be performed once for a pair of neighboring

nodes, and then the result can be fed into the fast SHA-1 to compute shared

pairs. Supposing a node maintains 0 = 1000 pairs with each neighbor,

the computation of such 1000 pairs only costs around 2.4 ms. Hence, when two neighboring

nodes run out of the established shared pairs, they can generate new F

pairs instantly. Moreover, the hop-b-, -1! I I. link encryption/decryption operations based RC6

are not time-consuming and can be done in a very fast manner. Therefore, although we

introduce some cryptographic operations into MASK( to provide the desirable .I!!...-, un!iry

property, the resulting computation overhead and end-to-end packet delay are affordable.

The pi',1. -i 1-1 I-,er path loss model is the two-ray model. The radio propagation range

for each node is 250 meters and the channel capacity is 2 Mb/s. The base MAC protocol

used is the DCF of IEEE 802.11, with some modifications according to MASK( operations.

We simulate an ad hoc network with 50 nodes uniformly deployed in a 700x700 m2 square

field. To emulate node mobility, we modify the random waypoint model in GloMoSim

library according to [24] in order to guarantee the convergence of average nodal speed

within the simulation time. In particular, initial speeds of nodes are chosen from the steady-

state distribution, and subsequent speeds uniformly from the designated speed range. In

addition, the pause time is set to be zero, meaning that nodes are 1.h-- .-, a moving. CBR

sessions are used to generate network data traffic and various number of sources are used to

simulate different offered load. All the data packets are 512 bytes and are sent at a speed

of 4 packets/second. Each simulation is executed for 15 simulated minutes and each data

point represents an average of ten runs with identical traffic models, but different randomly

generated u.1 ili r-,i scenarios.

In our implementation of MASK(, we use a fixed delay of 150 ps into each node to mimic

the encryption/decryption processing of ARREPs and data packets with RC6 for simplicity.

The purpose is to withstand the aforementioned message coding attack (cf. 2.3.4). In

addition, the random delay method for data packets to be forwarded is also adopted in each

node to thwart the timing analysis attack (cf. 2.3.4), where the random delay is uniformly

distributed between [0, 50] ms. Furthermore, we set the maximum number of next-hop

LinklDs maintained for one destination to be three. We compare the routing performance

of MASK( with classical AODV routing protocol [5] with regard to three commonly-used

metrics:(1) Packet delivery ratio (PDR) -the ratio of data packets successfully delivered

to the destination over those generated at the sources; (2) Average end-to-end 1. IAm: of

data packets -this includes all possible delay caused by buffering during route discovery,

queuing delay at the interface, retransmission delay at the MAC, and propagation delay;

(3) Normalized routing load -the total number of routing control packets i uisl.I

for each delivered data packet. Each hop-wise transmission of a routing control packet is

counted as one transmission.

2.4.2 Simulation Results

Fig. 2-3(a) compares the PDRs of MASK( and AODV under different traffic load.

We can see that MASK( has the similar PDR to AODV under normal traffic load (i.e., 20

sources). The slight difference partly comes from the fact that routing request packets in

MASK( have a higher probability of colliding with and causing the dropping of data packets

than those in AODV due to the simple network-wide flooding of ARRE~s in contrast to the

expanding-ring-search method of AODV [5]. Another reason is that data packets in MASK<

are not 1.h-- .-, a routed along the shortest paths due to the random selection of next-hops

at intermediate nodes, which increases the dropping probability of data packets forwarded

along longer paths. However, MASK( outperforms AODV under heavy traffic load (i.e., 40

0 95

-0-AODV 20 source
0 a MASK 20 sources
--AODV 40 source
--MASK 40 sources
0 65
2 4 6 8 10 12
Amerage nodal speed (m/s)

(a) PDR vs. V.

2 9AODV 40 sources
-A MASK 40 sources


0 4 AOV2 ore
0 MASK 20 sources ore
-v OV40 sources
0 2 -A AK40 sources

14 16 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16
Amerage nodal speed (m/s) Amerage nodal speed (m/s)

(b) Normalized routing load vs. V. (c) Average packet delay vs. V.

Figure 2-3: The comparison between MASK( and AODV.

sources), where packets are more subject to collisions due to the high level of network con-

gestion. The observed advantage mainly results from the aforementioned virtual multipath

effect in MASK(, that is, MASK( may simultaneously maintain several next-hop LinklDs for

one given destination. If one of the next-hops becomes unreachable due to mobility or colli-

sions or other reasons, a packet could still be forwarded through another available next-hop

rather than being dropped as AODV does. Moreover, the random selection of next-hops at

intermediate nodes acts as a load balancing method for evenly distributing the traffic in the

network. For the same reason, MASK( demonstrates comparable or lower routing overhead

than AODV (see Fig. 2-3(b)) because MASK( conducts the route discovery less frequently

than AODV.

In terms of the average packet delay (Fig. 2-3(c)), MASK( behaves worse than AODV

under normal traffic load as a result of the per-hop random delay, the fixed encryp-

tion/decryption delay, and the delay incurred by the Tate pairing operations. Therefore,

there is a tradeoff between the desired packet delay and the level of I!!. ...-, un!ir-,i. However,

under heavy traffic load, both the virtual multipath effect and the processing delay (in-

cluding the above three) introduced into MASK( can help mitigate the possible MAC-layer

collisions, which contributes to the shown advantage of MASK( over AODV in Fig. 2-3(c).

In summary, our MASK( not only achieves the desirable .I!!...-, un!ir-,i without sacrificing

the routing efficiency, but also helps improve it under heavy traffic load.

2.5 Related work

An....!-, us.. .m communication protocols have been studied extensively in the wired net-

works. Chaum [25] defines a layered object that routes data through a chain of pre-deployed

intermediate nodes called mites. Following their work, Reed et al. propose an interesting

Onion routing protocol [26], in which data is wrapped in a series of encrypted layers to

form an onion by a series of proxies communicating over encrypted channels. The state

of the art of wired networks I!!...-, un!ir-,i can be found in [27]. However, the proposals in

the Internet realm cannot be directly applied to MANETs mainly because the prerequisite

pre-deployed infrastructure such as the well-known mixes is often unavailable in infrastruc-

tureless MANETs.

In contrast, there is little work done to address the .I!!, !!!ily problem and related

issues in the context of MANETs. Jiangf et al. explore the use of mixes in MANETs

[28] by designing a mix discovery protocol that allows coninunicating nodes to choose mix

nodes at run time. As noted before, such mix nodes are either unavailable or unreliable

in MANETs deployed in hostile environments. The same authors also propose to prevent

traffic ..I! II1, -is by using traffic p~ ..1.11s:_. i.e., generating duniny traffic into the network [19],

but their work does not aim to enable !!...... !!!u als coninunications. Most recently, K~ong

and Hong propose an I!!ual!, us....s on-deniand routing protocol, called ANODR [29], to

conceal network IDs of coninunicating nodes. Besides the computationally intensive route

discovery process, ANODR is very sensitive to node 1!!. 1.ilir-,i which leads to a low routing

efficiency, as the authors mentioned. By comparison, our MASK( enables an AODV-like

I!!....-, us.. ..s on-deniand routing protocol with high routing efficiency. In addition, MASK(

addresses .I!!...... us.. .. MAC-layer coninunications, which is left untouched in [29].

2.6 Summary

In this chapter, we propose MASK(, a novel .I!!...... usua ls on-deniand routing protocol,

to enable both .I!!...... us.. ..s MAC-layer and network-layer coninunications so as to thwart

adversarial, passive eavesdropping and the resulting attacks. By a careful design, MASK(

provides the .I!!......un!iry of senders, receivers and sender-receiver relationships, as well as

node unlocatability and untrackability and end-to-end flow untraceability. It is also resilient

to a wide range of attacks. Detailed simulation studies demonstrate that MASK( has com-

parably high routing efficiency to classical AODV routing protocol while achieving the nice

This chapter focuses on dealing with passive attacks and thus there are several unad-

dressed issues in the current MASK( design. First,.s..l! so!- us.. ..s neighborhood authentication

in MASK( relies on pairing operations, which currently have similar computational overhead

to conventional public-key operations. Therefore, adversaries might launch active DoS at-

tacks on target nodes by continuously sending a number of bogus authentication requests,

which is a problem any authentication scheme has to face. Second, the routing information

in the current design is only secured against external adversaries. Once becoming internal

adversaries by compromising certain nodes, adversaries can send bogus routing messages

that are difficult to verify by legitimate nodes. Third, although pairing-based cryptography

is an active research topic 1!n -.-- ..1 I-, -. the inmplenientation on low-end devices is still an open


As the future research, we will first incorporate some intrusion detection capabilities

into MASK( to defend against not only passive attacks but also active DoS-type attacks such

as those mounted on neighborhood authentication. In addition, we will plan to combine

MASK( with other secure routing protocols such as [8, 9] to ensure both routing~l! ..iso, !!!ily

and strong routing security. Finally, we will seek theoretical proofs to show the resilience

of MASK( to rigorous adversarial crypir .I! II, -i-


3.1 Introduction

In this chapter, we are concerned with key nlana~genent, the foundation on which to

build any other security niechanisni for MANETs.

Conventional key nlana~genent techniques may either require an online trusted server or

not. The infrastructureless nature of MANETs precludes the use of server-based protocols

such as K~erberos [30]. We therefore focus on discussing serverless approaches from here

on. There are two intuitive syninetric-key solutions, though neither is satisfactory. The

first one is to preload all the nodes with a global syninetric key, which is vulnerable to any

point of conipronlise: if any single node is compromised, the security of the entire network

is breached. Assuming a network of N nodes, the other solution is to let each pair of nodes

maintain a unique secret that is only known to those two nodes. This approach suffers from

three main drawbacks making it also unsuitable for MANETs. First, it lacks scalability

because it is difficult to establish pa~irwise syninetric keys between existing nodes and

I!, ;-.-1-, -i !.1 nodes. Second, securely updating the overall N(N 1)/2 keys in the network

is a nontrivial (if not impossible) task, as the size of the network increases. Last, it requires

each node to store (N 1) keys, which may represent a significant storage overhead in a

large network. Syninetric-key techniques are also coninonly criticized for not supporting

efficient digital signatures because each key is known to at least two nodes. This renders

public-key solutions more appealing for MANETs, which are the theme of this chapter.

There has been a rich literature on public-key nlana~genent in MANETs, see [31, 32,

33, 34, 35, 36] for example. These schemes all depend on certificate-based cryptogra~phy

(CBC), which uses public-key certificates to authenticate public keys by binding public

keys to the owners' identities. A main concern with CBC-based approaches is the need

for certificate-based public-key distribution. One naive method is to preload each node

with all the others' public-key certificates prior to network deployment. This approach can

neither scale well with the increasing network size, nor handle key update in a secure and

cost-effective way. Another approach of on-demand certificate retrieval may cause both

unfavorable communication latency and often tremendous communication overhead, which

will be justified via simulations in Section 3.5.5.

As a powerful alternative to CBC, ID-based cryptography (IBC) [11] has been gaining

momentum in recent years. It allows public keys to be derived from entities' known iden-

tity information, thus eliminating the need for public-key distribution and certificates. This

nice feature has inspired a few IBC-based certificateless public-key management schemes

for MANETs such as [37, 38, 39, 20]. The basic idea is to let some [37, 38, 20] or all network

nodes [39], called shareholders, share a network master-key using threshold cryptography

[15, 40] and collaboratively issue ID-based private keys. There, however, remain many is-

sues to be satisfactorily resolved. First of all, the security of the whole network is breached

when a threshold number of shareholders are compromised. Second, updating ID-based

public/private keys requires each node to individually contact a threshold number of share-

holders, which represents a significant communication overhead in a large-scale MANET.

Third, except our preliminary result in [20], none of existing proposals consider how to

select the secret-sharing parameters used with threshold cryptography to achieve desirable

levels of security and robustness. Last, there is no comprehensive quantitative argument

about the advantages of IBC-based public-key management schemes over CBC-based ones.

In this chapter, we address all the above concerns by devising an ID-based key manage-

ment scheme, called IKM, for special-purpose MANETs administered by a single authority.

MANETs of this type have long been recognized and will continue to be one of the ma-

jor application categories of wireless ad hoc networking techniques. Typical examples are

those deployed in military battlefield operations and homeland security scenarios. Our

major contributions are as follows:

*A novel construction method of ID-based public/private keys. In IK(M, each
node's public key as well as private key is composed of a node-specific, ID-based
element and a network-wide common element. Node-specific key elements ensure
that the compromise of arbitrarily many nodes does not jeopardize the secrecy of

non-compromised nodes' private keys; common key elements enable very efficient
network-wide public/private key updates via a single broadcast message. We also
discuss enfcient key agreement, public-key encryption, and digital signatures based
on such public/private keys.
Determining secret-sharing parameters used with threshold cryptography.
Similar to [37, 38, 39], we apply threshold cryptography to distribute a network
master-key among some shareholders. Different from them, we identify devastating
pinpoint attacks against shareholders and propose the corresponding countermeasure
based on .I!!...-, us.. ..s routing [41]. In addition, we discuss how to choose the secret-
sharing parameters for meeting desirable levels of security and robustness.
Simulation studies of advantages of IKM over CBC-based schemes. By
detailed simulations, we show that IK(M has equivalent performance to CBC-based
schemes, denoted by OKM,~ with regard to key revocation, while behaves much better
in key updates. Furthermore, we demonstrate that IK(M is able to turn an elegant
CK(M-based secure routing protocol [42] into a much more efficient one.

Since most existing MANET security mechanisms rely on the heavy use of certificates,

we believe that our findings open a new avenue towards more effective, efficient security


The rest of the chapter is organized as follows. In Section 3.2, we define the notation

to be used and survey the related work. Next we present design goals and the network and

adversary models in Section 3.3, followed by a detailed illustration of the IK(M design in

Section 3.4. Then the simulation-based comparative study of our IK(M and CK(M is given

in Section 3.5, and this chapter is finally concluded in Section 6.8.

3.2 Preliminaries

In this section, we first define the notation to be used in the rest of this chapter, and

then survey the related work.

3.2.1 Notation

For clarity, Table 3-1 lists some important notation whose concrete meanings will be

further explained where they appear for the first time.

3.2.2 Related Work

Here we only discuss prior art that is more germane to our work, and refer to [43] for

a more comprehensive survey.

The seminal paper by Zhou and Hass [31] -11:_:_. -rs using CBC and (t, n)-threshold

cryptography [15, 40] in MANETs. Let N be the overall number of nodes and t, a be two

integers Iri-T-, i!!:_. L 4 n < N. In [31], prior to network deployment, the CA's public key is

Table 3-1: Notation
p, q two large primes
GI1, G2 cyclic groups of order q
a pairing s.t. & : GI x GI G ,6
H1 mapping strings to non-zero elements in GI1
the network node set, |9| N
R the D-PK(G set, |0| n
IDA network ID of node A
t, a secret-sharing parameters
g(x) (t 1)-degree polynomial
Av(x)-s Lagfrangfe coefficients
IDA key revocation against node A
KP1, KP2 two distinct network master secrets
W generator of GI1
WP1, WP2 WPi = KP1W E GI1,WP2 = KP2W E GI1
kA,B symmetric key shared between A and B
pi ith key update period, for1 i M
KCA/ --1 node-specific public-key and private-key elements of node A
Kc,i/KC, common public-key and private-key elements in phase pi
salt unique binary string associated with pi
KCA,Pi A,1 public/private keys of node A in phase pi
KP2 the D-PK(G V's secret share of KP2
*Y revocation threshold
F mapping a given node ID to /9 D-PK(G IDs
h hash function such as SHA-1 [16]
{m~lc message m encrypted under key k, with a symmetric-key primitive
[m]l message m with its ID-based signature generated under private key K:

furnished to each node, while its private key is divided into n shares, each uniquely assigned

to one of a chosen nodes called D-CAs hereafter. During network operation, any t D-CAs

can jointly perform certificate generation and revocation based on their secret shares, while

any less than t D-CAs cannot. Yi and K~ravets [34] proposes to select computationally

more powerful and ph1-, -ih I11-, more secure nodes as D-CAs. Both schemes can tolerate the

compromise of up to (t -1) D-CAs so that adversaries cannot reconstruct the CA's private

key, and the failure of up to (n t) D-CAs so that there are 1.h-- .-, R at least t functional

Different from [31, 34], URSA [32, 36] is a (t, N)-threshold scheme in which each of the

N nodes is a D-CA. The advantage of URSA is the increased service availability in that a

certificate can now be generated or revoked by any t nearby nodes, and URSA can tolerate

the failure of up to (N t) D-CAs. The disadvantage, however, is that the compromise of

any t out of N nodes would expose the CA's private key and thus result in loss of overall

--, -r~i., security [34]. In addition, as noted in [44], URSA is vulnerable to the Sybil attack

[45] because an adversary can take as many identities as necessary to collect enough shares

and reconstruct the CA's private key. Other security problems of URSA are .I!! I1-,.. .1 in

[33, 46].

All the above schemes are based on RSA [47], either explicitly [32, 36] or implicitly

[31, 34, 35]. By comparison, the scheme [33] relies on DSA [48] and threshold cryptography,

and has much worse communication efficiency than RSA-based schemes. The reason is that,

to tolerate the compromise of up to ( 1) D-CAs, the DSA-based scheme needs to contact

(2t 1) D-CAs for generating a new certificate, while RSA-based approaches only involve

t D-CAs [33]. Please refer to [39] for simulation studies of the communication inefficiency

of DSA-based approaches.

The aforementioned CBC-based schemes are all targeted for single-authority MANETs

as what we have in mind. Another notable line of approaches such as [44, 49] is to let each

node act as a CA to issue certificates to other nodes. While maybe suitable for authority-less

civilian networks, they are less fit for single-authority MANETs under consideration.

Despite its attractive features, IBC has not received deserved attention as a powerful

tool to secure MANETs until recently. K~halili et al. [37] -11:_:_. -r using IBC and threshold

cryptography in MANETs, but their work is conceptual. Deng et al. [38] present an ID-

based key management scheme for author' -, -1k m MANETs, thus is less applicable to single-

authority MANETs we aim at. Bohio and Miri [50] propose to use ID-based keys for secure

broadcast, but their work is not intended for efficient key management. Our preliminary

work [20] also addresses the secure application of IBC to MANETs. In addition, Zhang

et al. develop MASK( [41, 51], an IBC-based .I!!...-, us.. ..s on-demand routing protocol for


The closest work to ours is ID-GAC [39], in which Saxena et al. present an elegant

IBC-based access control scheme for ad hoc groups such as MANETs. ID-GAC is basically

a (t, N)-threshold scheme, in which, prior to deployment, each of the N nodes is furnished

with a share of a master-key. Although having high-level service availability as URSA

[36], ID-GAC suffers from the same undesirable security drawback mentioned above. In

contrast, our IK(M is a (t, n)-threshold scheme, similar to [31, 34]. At a first glance, IK(M is

less robust than ID-GAC because it only tolerates the failure of up to (n t) shareholders

instead of (N t) in ID-GAC. However, this also means that IK(M is more secure than ID-

GAC because the fewer shareholders make it feasible to spend more in safeguarding them,

for instance, by enclosing them in high-quality tamper-resistant devices and/or putting

them under better monitoring. In addition, our IK(M incorporates an additional defense

line by making shareholders indistinguishable from common nodes via .I!!...-, us.. ..s routing

[41]. Furthermore, even when t or more shareholders are compromised and the master-key

is exposed, our novel public/private key construction method guarantees that private keys

of non-compromised nodes remain safe. This is in contrast to the overall loss of security

in ID-GAC (see Section 3.4.7). Moreover, achl nonI-c~VI~LIompomse node~ in ID-GAC nee~ds

to individually contact t shareholders for key update. In contrast, our IK(M is much more

efficient in both computation and communication by updating public/private keys of all the

non-compromised nodes via a single broadcast message. As an addition, ID-GAC suffers

from the Sybil attack as URSA, while our IK(M does not.

3.3 Design Goals and System Models

In this section, we present our design goals as well as network and adversary models.

3.3.1 Design Goals

From our point of view, a sound key management scheme for MANETs should sat-

isfy the following requirements. First, it must not have single point of compromise and

failure because mobile nodes deployed in hostile environments are subject to either logical

or phs-i I attacks. Second, it should be compromise-tolerant, meaning that the com-

promise of certain number of nodes does not harm the communication security between

non-compromised nodes. Third, it should be able to efficiently and securely revoke keys

of compromised nodes once detected and update keys of non-compromised nodes. Last, it

should be efficient in terms of storage, computation, and communication, as mobile nodes

are usually very resource-constrained It is worth stressing that communication efficiency is

far more important an issue in MANETs than in wireline networks, as wireless transmission

of a bit can require over 1000 times more energy than a single 32-bit computation (see [52]).

We thus must seek ways to reduce communications related to key management as much as


3.3.2 Network Model

We consider a special-purpose, single-authority MANET consisting of N nodes, de-

noted by a set notation W (| W| = N). The network size N may be dynamically changing

with node join, leave, or failure over time. Depending on different applications, N may

range from several tens to several thousands or even more. Each node Ae W has a unique

ID, denoted by IDA and assumed to be its network-layer address as usual.

We assume that each node has limited transmission and reception capabilities. Two

nodes out of transmission range of each other can communicate via a sequence of interme-

diate nodes in a multihop fashion. Since all the nodes belong to a single authority and thus

have common interests, node selfishness [4] is not worrysome in that each node is ready to

forward packets not destined for itself. Nodes may freely move in the network, but do not

continuously move so rapidly as to make the flooding of every data packet the only feasible

routing protocol. This is a common assumption made about node mobility by nearly all

MANET schemes. We further assume that nodes are capable of performing public-key op-

erations, which is reasonable for the targeted application scenarios, though symmetric-key

operations should be used instead whenever possible.

Our IK(M is independent of the -na.1. Fl-, inr:, transport, routing, or MAC protocols. How-

ever, we do assume that, whenever needed, a valid unicast route can be established between

any two nodes. This can be achieved through many existing secure routing protocols, such

as ARAN [42]. It is worth pointing out that, similar to almost all the other existing secure

routing schemes, ARAN is built upon conventional certificates. In later Section 3.5.5, we

will show that it can be easily converted into a much more efficient scheme based on our


3.3.3 Adversary Model

Our intention here is to devise a sound key management scheme for MANETs, so we

just consider attacks aimed at key management itself. Mitigating denial-of-service attacks,

such as p~!~in-o I1-1 I-,er jawinnrin:_. MAC-layer misbehavior, or routing disruption, though

important, is beyond the chapter scope.

Attacks can be mounted by a single adversary or collaborative ones. We differentiate

between node compromise and disruption attacks. By saying that a node is compromised,

we mean that adversaries have complete control over it, including learning or modifying

its secret information, changing its intended behavior, and so on. In contrast, disrupting

a node means that adversaries can only disrupting communication to that node, e.g., by

interfering with wireless signals to and from it, but cannot read the secret information stored

on it. Therefore, node disruption attacks are less severe than node compromise attacks.

However, we assume that adversaries cannot compromise or disrupt an unlimited number

of nodes so that legitimate nodes are 1.h-- .-, a the majority. Neither can they break any of

the cryptographic primitives on which we base our design. In addition, we assume static

instead of leanimi1,.: adversaries [53].

We further assume that compromised nodes will eventually exhibit detectable mis-

behavior. There is unlikely to be a valid security solution if compromised nodes remain

I' I--!11." As [32, 36], we assume an efficient misbehavior detection scheme such as [3] or

[54]. One of our main objectives is to drive identified compromised nodes out of the network

by revoking their keys. Hereafter we use compromised nodes to indicate those which have

been compromised and identified, unless otherwise stated.

There are n distributed authorities called D-PKGs in our IK(M, similar in role to the

distributed CAs (D-CAs) in conventional CK(M [31, 32, 33, 34, 35, 36]. The D-PK(Gs differ

from common nodes only in that each of them knows a share of a network master-secret.

Similar to [31, 32, 33, 34, 35, 36], our IK(M works properly on the assumption that adversaries

can compromise at most ( 1) D-PK(Gs and can disrupt no more than (n -t) D-PK(Gs. For

the sake of simplicity, we refer to this assumption as the t-limited assumption. Note that

this t-limited assumption only needs to hold in each predetermined time period rather than

the whole network lifetime, if proactive secret sharing [55] is used to periodically refresh

secret shares of the D-PK(Gs.

3.4 IKM Design

This section presents our IK(M design. We first provide an overview of IK(M in Sec-

tion 3.4.1, and then describe the key predistribution phase in Section 3.4.2. Next we discuss

how to achieve efficient key revocation and update in Sections 3.4.3 and 3.4.4, respectively.

Section 3.4.5 presents our method of protecting the D-PK(Gs from devastating pinpoint

attacks, and Section 3.4.6 gives general guidelines as to how to select the secret-sharing

parameters t, n. Finally, the security of IK(M is .I!! I1-,.. .1 in Section 3.4.7.

3.4.1 Overview

In IK(M, each node should carry an authentic ID-based public/private key pair at any

time as a proof of its group membership. With such key pairs, nodes can realize mutual

authentication, key agreement, public-key encryption, and digital signatures, among other

security services. IK(M consists of three phases: key predistribution, revocation, and update.

K~ey predistribution is a one-time process occurring during network initialization, where

a Private K~ey Generator (PK(G), essentially a trusted authority, determines a set of --, -r. ill

parameters and preloads every node with appropriate keying materials. In addition, the

PKG~ distributes its functionality to n D-PK'~s selected among the N nodes to enable secure

and robust key revocation and update during network operation.

To minimize the damage from node compromise, it is a must to explicitly revoke public

keys of compromised nodes. During network operation, if suspecting that a peer, say A,

has been compromised, a nl~ode send a signedu aCc~Ucusation agaCinstl A toU someI D-PK~s. The

accused A is diagnosed as compromised when the number of accusations against it reaches a

predefined revocation threshold, denoted by y, in a certain time window. At that point, the

network enters the key revocation phase in which the D-PK(Gs jointly issue a key revocation

against A.

As a common practice [36], public/private keys of mobile nodes need to be updated

at intervals for many reasons, e.g., preventing from crypi .I! I1-, -i- The key update phase

may occur either periodically according to a prescribed time period, or reactively when the

number of revoked nodes attains some predetermined threshold. During this phase, each

non-revoked node can update its public key autonomously and its private key via a single

broadcast message. This is enabled by our novel public/private key construction method.

Our scheme can also ensure that compromised nodes, once revoked, cannot get their keys

updated, thus isolated from the network.

Due to the shared wireless medium, adversaries are easy to find the whereabouts of

D-PK(Gs based on their network IDs leaked in routing and data packets [41]. This renders

the D-PK(Gs particularly vulnerable to devastating pinpoint attacks. As a natural defense,

we propose to make the D-PK(Gs indistinguishable from common nodes via .I!!...-, us...mI

routing [41]. This measure allows us to provide general guidelines about how to choose the

secret-sharing parameters t, a for achieving desirable levels of security and robustness.

3.4.2 Network Initialization

For a single-authority MANET under consideration, it is reasonable to assume a trusted

PK(G to bootstrap the network, which itself is not part of the resulting network.

Generation of pairing parameters. To bootstrap the network, the PK(G does the

following operations:

1. Generate the pairing parameters (q, GI, G2, P, H1) (cf. Section 2.2.1), where P is

an arbitrary generator of GI, and H1 is a hash function mapping given strings to

non-zero elements in Gi.

2. Pick two distinct random numbers KP1, KP2 EZ~ as network master-secrets. Set

WP1 = KplW and WP2 = KP2W, respectively.

The parameters (q, 8, H1, W, WP1, WP2) are public knowledge preloaded to each node, while

KP1 and KP2 should never be disclosed to any single node.

Secret sharing. To enable key revocation and update during network operation,

it is necessary to introduce the PK(G functionality into the network. In our design, only

knowledge of KP2 is introduced into the network to ensure high-level compromise tolerance

(.I!! I1-,.. .1 in Section 3.4.7). To avoid single point of compromise and failure, the PK(G

performs a (t, n)-threshold secret sharing of KP2 by first determining a random polynomial,

g(2) = KP !i (mod q). It then randomly selects a subset OC c of size n of

nodes as D-PK(Gs (t ( n < |9|I =N). IThen "the PKG assigns to each V E la secret share

computed,, as K2 = g(IDy). Based on Lagrange interpolation, any subset ~A C of size t

can co-determine the polynomial:

g Ls = V\s)KP2 (mod q),(31

where Av(z) = s'v D 2, is called a Lagrange coefficient. The PK(G's master

secret KP2 can then be reconstructed by computing g(0). However, any subset of R of size

(t 1) or smaller does not suffice to do so. To enable verifiable secret ;1h Iinr:_. the PK(G
also calculates a set of values {Wf2V = K2WV enT r } preloaded to each D-PKG.IT Due to the

difficulty in solving the DLP in GI, all the other D-PK(Gs cannot deduce the secret share

K$2 of D-PKG~ V fromI Wf 2. lThe I~s of alll Ilthe D-PKI~s are~t knolwnI toiiI each~ node to make

key revocation and update feasible, and the choice of t, a will be discussed in Section 3.4.6.

Generation of ID-based public/private keys. One of our essential design points

is how to construct an ID-based public/private key pair for each node A,- be it a D-PKG

or common node. Our IK(M is composed of a number of continuous, non-overlapping key

update phases, denoted by pi for 1 ( i < M~, where M~ is the maximum possible phase

index. Such pi-s may not of the same length in time and thus do not require nodes to be

time-synchronized for them either. Each pi is associated with a unique binary -ri !:_ called

a phase salt and denoted by salt. Prior to deployment, the PK(G issues a random number

salt to each node which, in turn, can subsequently generate salti = salti-1 +1 (1 < i ( M~)

by itself with an efficient hash function h such as SHA-1 [16].

In IK(M, each public/private key pair is both node-l;* .:I. and phase-l;.. .W. and node

A's key pair valid only during phase pi is denoted by < KCA~p AI > ah fK]p n

KWl~ comprises a node-specific element and a phase-specific element, common to all the
nodes, both in Gi. In particular,

KCA,p, IA, ps~) = (H1(IDA), Hl(salti))
KC- := (K ,i K) = (KP1H1(IDA), KP2Hl(salti)).

Initially, the PK(G issues < KCA~p A,1 > to node A which can acquire < KCA~pi, 1iC-

(1 convenience, hereafter we refer to < K,4 Kg- > as common public-key and private-key

elements of phase pi, and < KCA, 1C~ > as node-specific public-key and private-key elements

of node A. The former pair varies across key-update phases, while the later pair remains

unchanged during network lifetime and should be kept confidential to A itself.

Due to the difficulty of solving the DLP in GI, it is computationally infeasible to de-

rive the network master-secrets Kpl and KP2 from an arbitrary number of public/private

key pairs [12, 13]. It means that, no matter how many key pairs adversaries acquire from

compromised nodes, they cannot deduce the private key of any non-compromised node.

Therefore, our IK(M exhibits the desirable compromise-tolerant property. The advantage

of our key construction method in facilitating key update can be seen in Section 3.4.4. In

addition, the resulting higher-level resilience to the compromise of D-PK(Gs than the con-

ventional key construction method [39, 20] is to be .!! I1-, .~ .1 in Section 3.4.7. Furthermore,

we refer to the readers to [56] for the use of such public/private keys in key agreement, key

agreement, encryption/decryption, and signature generation/verification.

Our IK(M allows dynamic node join at any time and thus ensures high network scal-

I1.1111-,i. Suppose a new node X joins the network at phase p The PK(G just needs to

pre-eqluip X withr public systems parameters a~nd < K~X,pi P:,i >
Generation of key-update parameters. Let to be the maximum number of com-

promised nodes the network can tolerate. To realize broadcast-based public/private key up-
dates, the PK(G picks M~ distinct 2te-degree polynomials, {li(z) = EtoolC mdq}=,.,

with li,; E Z and Mlr distinct t'c-degree polynomrials, {ug = EyoiP md )i1,.,

with ui,j EZ ~. Since Kg'1 is a point on E/F,, its 2-coordinate (denoted as [Kg'i]">

can be uniquely determined from its y-coordinate (denoted as [Kg'1]"). The PK(G then

constructs {vi(z) = [Ky l]" ui(z)}i=1,...,M/, which are given to each node A along with

Summary. To summarize, each node has the following cryptographic materials be-

fore network deployment:

Pairing parameters: (q, e, H1, W, WP1, WP2)*
Public and private keys: < WA:P,p IA,1P
Phase salt: salt.
Key-update parameters: {vi(z), li(IDA> i=1,...,M.r
In addition to the above materials, eah -PK Ve holds a/ sere shr K$2" an values--"-~

{ W / = KV Tu2/ r

3.4.3 Key Revocation

K~ey revocation comprises three subprocesses: misbehavior ii, l..HG.,//..<. revocation gen-

eration, and revocation : ..I;
Misbehavior notification. Upon detection of node A's misbehavior, node B gener-

ates a signed accusation [IDA, sB] -1 against A, where ss is a timestamp for withstanding
message replay attacks. The revocation- needs-" to'-'- be sen tte -Ps to report A's mis-

behavior. The naive flooding of the accusation is insecure because it may alert the accused

A to temporarily behave normally. By doing so, it attempts to make the number of ac-

cusations against it below the predefined revocation threshold y to avoid being revoked.

Therefore, B should unicast the accusation secretly to the D-PK(Gs. The next question is
to which,1 D-K\ the~ ac~,,,cusatio issent The following approach is adopted in IK(M.

During network initialization, the PK(G furnishes each node with a function 7 that

maps each node ID to the IDs of p distinct D-PK(Gs. More formally, for node Ae E ,

F(IDA) = {IDx, |1 ; j 4; P, Xj E R, Xj f A}. There are many possible ways to construct

such a function. One simple approach is to divide the node set WI into n dli 10i! node

sets, each associated with p D-PK(Gs. However, the condition that must be satisfied is that

the node set a D-PK(G belongs to should not be associated with itself. In our IK(M, node

B is required to send the accusation in an encrypted form { [IDA, sB e- ks,y, to each
Ve F (IDA), where ks~v is the shared key with V that can be derived using the method

given in [56].

The~ value of /9 determLinesI~ thel tradeoffI between~ rl~DI~inCe toU D-PKG~ conipronlise and

coninunication overhead. The smaller /3, the lower the related coninunication overhead,

the less resilient the network is-'- to te cniprnlie o D-PKs and vieves. ciialy

in one extreme case that /9 = 1, the coninunication overhead is the lowest, while the

conmpronlise of a D-PK(G, say IDx, (X1 E R) which has not been revoked, would allow all

the accused whose IDs are mapped by 7 to IDx, to escape revocation. In another extreme

case that /9 = n, the network shows perfect resilience to D-PK(G conipronlise, while the

related coninunication overhead is the highest. Therefore, /9 should be carefully chosen in

practice to strike a good balance between these two metrics.

Revocation generation. Upon receipt of an accusation from B, a D-PK(G will

simply drop it if the accuser itself has been revoked. Otherwise, the D-PK(G saves the

accusation after decrypting it and verifying B's signature. To prevent an unrevoked com-

promised node from falsely accusing legitimate nodes, a node is diagnosed as compromised

only when the number of accusations against it reaches the network-wide revocation thresh-

old y in one key update phase or a~ny other predetermined time window. The choice of y is

application-sppecific and determines the tradeoff between tolerance of false accusations and

compromise detectability: a larger y means higher-level tolerance of false accusations but

lower compromise detectability, and vice versa.

Once the revocation threshold is attained, a key revocation against node A needs to

be generated and published. In IEl(f, to generate a revocation needs the joint efforts of t

D-PK(Gs. For simplicity, we assume that, among F(ID4), the D-PK(G with the smallest ID

acts as the role of revocation leader. We distinguish between two cases. If /S 3 t, each of

the t D-PK(Gs in F(ID4) with smallest IDs generates a partial revocation (shown below)

sent to the revocation leader. If /9 < t, all the D-PK(Gs in F(ID4) should generate a partial

revocation and send it to the revocation leader. In addition, the revocation leader sends

which responds with a partial revocation after verifying the accusations.
For ease of presentation,- let ACD denot th t D-PK~s participating in revocation

generation. Each V e A generates a partial' revo--Catio KV Hi(ID4 accumulated at- the'

revocation leader. The revocation leader can construct a complete revocation from these

partial revocations through Lagrange interpolation, which is an application of pairing-based

threshold signatures [57, 13]. In particular, a complete revocation is derived as

IDA = C V(0)KP2H(IDA) = K.P2H1(IDA)~ (mo1d q),

where Av(0)-s are Lagrange coefficients defined in Eq. (3.1). It is possible that one or several

members of ~A are unrevoked compromised nodes which might send wrongly computed

partial revocations. To detect this, the revocation leader checks whether the following

equation holds.

8(IDA, W) = (H1(IDA), WP2) (3.2)

Ifso i knolws that~l tisl reoctVUionlII I isUrl~lll authnti andll ollther (t 1) D-PK~~s ga~ve correctly

partial revocations. The equation should hold for a valid revocation because

8(IDA, W) = 8(KP2H1(IDA), W)

= 8(H1(IDA), W)KP2 (8 iS bilinear)

= 8(H1(IDA), KP2W) (8 is bilinear)

= 8(H1(IDA), WP2) (P2 = KP2 ).

The revocation leader then floods < IDA, IDA > throughout the network to inform others

that A has been compromised.

If Eq. (3.2) does not hold, the revocation leader knows that at least one of the partial

revocations is incorrect. Our IK(M allows the pinpoint identification of the misbehaving
D-PK(G(s). To do this, for- each receir ve K$H1(IDA), the revocation leader harnesses

the~ prloadedU~ W/2 to check whether the equation c;(K$2H1(IDA), W) = 8(H1(IDA), WP2)

holds. The check should succeed for a valid partial revocation because WpV2 = KpV2W and

& is bilinear. Otherwise, the revocation leader considers V misbehaving and then issues a

signedU aCc~Ucusation agaCinstl it. After idetifrlyll~ing ll misbehavlingVI D-PK1~s in ~A, the revocation

leader solicits the corresponding number of new partial revocations from D-PK(Gs in R \ A,

calculates a complete revocation, and verifies it as before. Continuing this process, the

revocation leader can form a correct revocation against A, as long as there are at least I

well-behaved D-PK(Gs in R.

Our IK(M can well handle the situation that the revocation leader itself is a compro-

mised node. If other D-PK(Gs in F(IDA) do not receive a correct revocation against A

in certain time, they would consider the revocation leader misbehaving and publish signed

accusations against it. Then the D-PK(G in F(IDA) with the second lowest ID succeeds as

the revocation leader and restarts the revocation generation process. We can see that, as

long as there is at least one non-compromised D-PK(G in F(IDA) and there are at least t

non-compromised D-PK(Gs in R, a valid accusation against node A can I.h-- I-, a be generated.

In addition, our pinpoint identification mechanism will deter the D-PK(Gs compromised yet

unrevoked from offering invalid partial revocations to avoid being easily caught. There-

fore, we expect that a valid revocation will be generated most likely in one round. Also

notice that, since whether a D-PK(G provides a wrong partial revocation and whether the

revocation leader behaves normal are both publicly verifiable, compromised but unrevoked

D-PK((s dare not falsely accuse the revocation leader or other D-PK((s in order to avoid

being identified.

Revocation verification. Upon reception of IDA, every node verifies it by checking

if Eq. (3.2) holds. If so, it should record IDA in its memory and refuse to interact with node

A in future time. In our IK(M, each node needs to store the IDs of all the revoked nodes.

Assuming that each node ID is of 16 bytes, it costs a node about 4 K(B to store 250 IDs of

compromised nodes, which is believed to be an acceptable overhead given the increasingly

low memory price. Some space-efficient data storage techniques such as Bloom filters [58]

may be used to reduce the storage overhead. However, we do not further investigate this

issue for lack of space.

In rare cases, the revoked A and/or its conspirators may be the sole connections between

parts of the network. Since they would not further propagate the revocation, there might be

some legitimate nodes which cannot receive the revocation. Fortunately, this problem can

be greatly mitigated by node mobility. In particular, we require each node to store received

revocations for a certain amount of time. When a node meets a new neighbor, it can

exchange its stored revocations with that neighbor. If that neighbor offers some unknown

revocations, it records the revoked node IDs after verifying those revocations. Since a

node can dump stored revocations after a while, the related storage overhead should be


3.4.4 Key Update

To withstand crypton I! .h i and limit any potential damage from compromised keys, it

is a common practice [31, 32, 33, 34, 35, 36] to employ relatively frequent key update. A new

key update phase pi 1 starts either when phase pi lasts for more than a predetermined time

threshold, or when the number of nodes revoked in pi has attained a prescribed threshold.

In IK(M, each node B can update its public key autonomously by computing Keypi~ .

(H1(IDB), Hl(saltiy1)), where salt 1 = salt +1. In other words, B just performs two hash

operations, one for generating the phase salt for piay and the other for computing the

new common public-key element. By contrast, generating the common private-key element

Kg': = K'P2Hi(salti+1) needs the collective efforts of t D-PKGs in S1. For simplicity, wfe
assume that Z E a initiates phase pi 1, tholughI in1 pL~ractic thel D-PK~~s shouldU take turns

to act as this role to balance their resource usage. Z randomly selects (t 1) other non-

revoked D-PK(Gs from R and sends a request to each of them. Let ~A denote these t D-PK(Gs

including Z itself. Each V e A uses its secret share to generate a partial common private-
key elemen-t K$2Hl(saltiy1) accumulated at Z which, in turn, constructs the complete

Kg- usingf Lagrangfe interpolation, Kg,~: = C,-,4 r" Av(0)K$2H(salti41) = KP2Hil(saltiy1).
Notice that Kg': is self-authenticating in that every node can check its authenticity by

checking if the following equation holds.

ir( c-:, W) = (H l~saltzy1), WIP2) (3.3)

It is also possible that some D-PK(Gs in ~A might be compromised yet unrevoked nodes.

The method used in revocation generation can be employed as well to deal with this case.

As long as there are at least t non-compromised D-PK(Gs in R, a valid Kg': can 1.h-- .-, a be


To propagate Kgi: securely to all the non-revoked nodes, we use a variant of the self-
healing group key distribution scheme by Liu et al. [59]1 Let A C W denote the set of
nod s rv okedu untrl il it ph s i (IincludII ingp D-PKG~ Z broadcasts the following message:

Be3 := {IDx }XeAU ( 8/2) = /2z~j~)U + Iz) j=1,...,i,

where j(z~) = nXeA (" IDx). When a non-revoked node, say B, receives this message,

it derives Zdg(IDB) = i(l(DB)ui(IDB) + 14(IDB). Since B knows vi(z), 14(IDB), and

(y(I-)) 0ti (cf. Sec~tion 3.4..2), it can get u4i(Il~) = "(IDad-li(ID") a~nd then" [Kg']

vi(IDB) + ui(IDB). Subsequently, node B computes [Kg 1]" using the elliptic curve E/F,,
thusc ~ncn~fnstrutn the completeKg Ir- n the similar way, all the other non-revoked nodes

can derive Kg'1 and finish key update. Any revoked node X e A, however, cannot compute
ni(I7nx) andl thuse Kg' because (i(IDx) = 0. In addition, as long as the number of

compromised nodes is no more than tC, i.e., |A 4; tc|, the compromised nodes cannot jointly

determine Kg'1 either, as shown in [59].

The above key-update method provides the self-healing capability in the sense that

any: non-revoked node can recover Kg'7 for any phase pj (j < i), of which it did not receive
the key-update broadcast message due to reasons such as I! .1.11117,i channel errors, and

temporary network partitions. Consider node BI again as an example. It can get Ky', in
the similar wayn~ as obtaining Ky'. This nice feature, however, is achieved at the cost of

increased communication overhead. Therefore, if either this self-healing capability is not

required or reliable broadcast can be guaranteed, the broadcast message By~ can change to

{IDx}XEhi U (di 2) = ~i 2)Ui(2 +i(2)}, where i(z() = nXeA (a IDx) and As CAn
represents the set of new nodes needed to be revoked in phase pi. In doing so, the broadcast
communication overhead can be reduced.

3.4.5 Securing D-PKGs against Pinpoint Attacks

Similar to [31, 34, 35], our IK(M relies on the validity of the t-limited assumption

mentioned in Section 3.3.3. However, if adversaries have the entire network lifetime to

SI Kg' can be viewed as a group key to be distributed to non-revoked group members.

amount attacks, they~ may~ compromise, or disrupt enug D-PK~s sooner or later. As a

well-known countermeasure, Herzberg et al. [55] propose to periodically refresh secret

shares without changing the original secret, in such a way that any information learned

by adversaries about individual shares becomes obsolete after the shares are refreshed. In

addition, they present techniques to periodically and securely recover shares not refreshed

propeI rly to withstandU U- D-PK disruption attacks. Their techniques are either adopted or

no:__ -r -1.1 by [31, 34, 35]. To deal with long-term adversaries, we also -II:_:_. -r to incorporate

such proactive secret-sharing techniques in our IK(M.

Proactive secret-sharing techniques are valid as long as adversaries are t-limited in

each predefined time period. Nearly all previous proposals simply make this assumption

without efforts to justify it. In our opinion, without precaution, the t-limited assumption

is difficult to hold for MANETs deployed in hostile environments. The reason is that the

Irs of, the D-PKs are public knowledge to every node, and adversaries can easily get this

information, e.g., by compromising a single node. In common MANET routing protocols

such as AODV [5] and DSR [6], node IDs are left bare without any protection. The shared

wireless medium renders adversaries to perform passive eavesdropping and easily locate the

D-PK(Gs based on their IDs leaked in routing and data packets. As a result, adversaries

can launch pinpoint compromise or disruption attacks on the locked D-PK(Gs. This type of

severe pinpoint attacks resulting from the unique characteristics of MANETs are reported

in [29, 41]. Obviously, we have to seek efficient ways to thwart such pinpoint attacks to

make the t-limited assumption reasonable.

Assume that adversaries have no ways (e.g., traffic ..I! I1-, -iR) to distinguish between the

D-K\ and,,, non-D-PKGr nodes other than from their IDs. We propose to eliminate the

pinpoint attacks by MASK(, the .l!!..-, usua sI on-demand routing protocol for MANETs pre-

sented in Chapter 2. As stated before, MASK( guarantees that, given a node ID, adversaries

cannot ascertain whom and where the corresponding node is. For our purpose, this means

that, even given the list of D-PK(G IDs, adversaries cannot determine which nodes are the

D-PK(Gs based on passive eavesdropping of node IDs. Therefore, the pinpoint attacks are

effectively defeated. Also note that the same method can be used to eliminate pinpoint

attacks on the D-CAs in [31, 34, 35].

3.4.6 Choosing Secret-Sharing Parameters

Now we discuss how to select the secret-sharing parameters t, a for a good tradeoff

between security and robustness, namely, the resilience to the compromise and disruption

of D-PK(Gs, respectively. For a fixed n, the larger t, the more secure the network is because

adversaries need to compromise more D-PK(Gs to learn KP2, the less robust the network

is in1 thlat adversaries needU toU Udis~rup fewerL D-PKs to make KP2 irrecoverable, and vice

versa. To strike a good balance between them, it is often wise to let t = [ ], as l: :_ -r 0. 1

in [15, 40]. The next question is, given the network size N, how we decide the value of a

to achieve desired levels of security and robustness.

With our MASK( in place, adversaries cannot distinguish between the D-PK(Gs and

common nodes based on passive eavesdropping. What they can only do is to attempt

to compromise or disrupt randomly-picked nodes with the expectation that those nodes

hlappen toU be thel D-PKUs. Assume that adversaries can surreptitiously compromise and

disrupt up to Nc 3 t and Nd 3 n-t+1 nodes, respectively, in each proactive secret-sharing

time period without being detected. We define Prc and Prd as the probabilities that at

least t out of Nc compromised nodes and (n t + 1) out of Nd disrupted nodes happen to

be D-PK(Gs. In particular,

Prc = C Ne-) ndPr N-i

where t = [g]. In practice, we want both probabilities to as low as possible. Prior to

dep~loyment,~ ~lthe PKG can use the enumerative method to determine the values of t, a for

obtaining appropriate values of Prc and Prd, i.e., meeting desirable levels of security and

robustness. For example, when N = 50, Nc = 5, and Nd = 7, we have Prc = 1.19 x 10-4

and Prd = 8.53 x 10-s if a = 10 and thus t = 5; when N = 50, Nc = 10, and Nd = 14, we

have Prc = 1.8 x 10-s and Prd = 7.88 x 10-4 if a = 20 and thus t = 10. Obviously, the

success probabilities of such random attacks are pretty low.

During network operation, the network size N may be changing with node join, leave,

or failure over time. Accordingly, the parameters t, n and the D-PK(G set should be adjusted

to maintain desirable levels of security and robustness. This can be easily realized through

verifiable secret redistribution by Wong et al. [60] to redistribute the PK(G's master key

KP2 frOM a (t, n) Structure tO a (t n ) One.

3.4.7 Security Analysis

Here we briefly compare the security of our IK(M with CK(M such as [31, 34] and

previous IBC-based schemes [39, 20] (referred to as o-IKMl). In o-IK(M, the PK(G only has

one master secret KP2 jointly shared by n chosen D-PK(Gs in a (t, n)-threshold fashion.

Each node A has a public/private key pair (H1(IDA || exp), KP2H1(IDA || exp)), where

ezp indicates the key expiration time. To renew its private key before it expires, A needs to

individually contact t out of a D-PK(Gs for partial private keys, based on which to construct

a complete one via Langrange interpolation. As usual, our discussion is from the viewpoint

of key management instead of cryptographic algorithms themselves.

Since all three approaches are (t, n)-threshold schemes, they have the same level of

security as long as the t-limited assumption holds. However, they differ in the worst-

case scenario where adversaries manage to compromise at least t distributed CAs (D-CAs

for short) in CK(M, or t D-PK(Gs in IK(M or o-IK(M. In that situation, adversaries are

able to construct the CA's private key in CK(M, or the PK(G's master secret Kp2 in IK(M

or 0-IK(M. For both CK(M and our IK(M, adversaries cannot deduce the private key of

any non-compromised node, be it a D-CA (or D-PK(G) or common node. Therefore, the

communication security between non-compromised nodes is still guaranteed. In contrast,

the exposure of Kp2 in O-IK(M would result in loss of overall -1-, -r ll security because it

permits adversaries to derive all the private keys of all the compromised or non-compromised

nodes ever used since the network formation. This means that adversaries would be able to

freely read encrypted messages observed in the past or future, and forge any node's digital


In summary, our IK(M is at least as secure as conventional CK(M, but outperforms

o-IK(M in the worst-case scenario.

3.5 Performance Evaluation

In this section, we compare the proposed IK(M with conventional CK(M via simulations.

As mentioned in Section 3.2.2, DSA-based CK(M solutions have much worse communication

efficiency than RSA-based ones under the same security level. Therefore, we focus on

comparing IK(M with RSA-based CK(M, which is implemented mainly based on [32, 36]

with the number of D-CAs set to n instead of N. As discussed before, our IK(M is more

secure than 0-IK(M [39, 20] under the same secret-sharing parameters (t, n). In addition,

the communication and computation overheads of 0-IK(M are the same as those of IK(M

with regard to key revocation, but are much higher in terms of key update because 0-IK(M

requires that each node individually contact t out of a D-PK(Gs for key update. Since the

advantages of our IK(M over o-IK(M are quite obvious, we do not offer the simulation results

of their comparison for lack of space.

3.5.1 Simulation Setup

The comparison is done within GloMoSim [21], a popular MANET simulator, on a

desktop with an Intel P4 2.4GHz processor and 1 GB memory. Although such a powerful

machine may not be available in some application scenarios, it should be appropriate for the

comparative study of IK(M and CK(M. To avoid causal implementation errors and guarantee

fair comparison, all the cryptographic primitives are built using MIRACL [22], a standard

cryptographic library.

For CK(M, the underlying CBC is RSA with a 1024-bit modulus for sufficient security.

An RSA public key consists of an ordered pair (s, e) where s is the modulus, and e is the

public exponent. A common value for the public exponent is e = 216 + 1, which is the

value we use for all public exponents. Note that this is in favor of CK(M because RSA

encryption and signature verification can be made very fast with e = 216 +1 than a random

exponent. Therefore, an RSA public key would require 128 bytes for the modulus and 3

bytes for the public exponent, resulting in a total size of 131 bytes. In addition, an RSA

signature consists of a single 1024-bit value. For simplicity, we assume that a node ID is of

16 bytes and that certificate expiration time can be encoded in 2 bytes. An RSA certificate

< IDA, (n, e), exp, CA's signature > will be totally 277 bytes in length.

For our IK(M, the bilinear map e we use is the Tate pairing [14]. q is a 160-bit Solinas

prime 2159 + 2"7 + 1 and p is a 512-bit prime equal to 12qr 1 (for some r large enough to

make p the correct size). Such choices of q, p deliver a comparable level of security to 1024-

bit RSA [12, 13]. The elliptic curve E we use is y2 = 3 + x defined over F. The ID-based

signature primitive [M~]K- used is the one outlined in [56], in which a signature consists
of one element of GI and one element of Z Since the former is a point on E/Fz, only the

y-coordinate needs to be transmitted because the 2-coordinate can be easily derived using

E. Therefore, an ID-based signature is of 84 bytes. This point compression technique is

also used in transmitting key revocations and common private-key components, both being

elements in Gi. Moreover, the hash function SHA-1 [16] and the symmetric-key encryption

primitive RC6 [18] are used wherever applicable.

We simulate a MANET with 50 nodes deployed in a 700x700 m2 square field.2 The

ph1-, -i I1-1 I-, er path loss model is the two-ray model. The node transmission range is 250

meters and the channel capacity is 2 Mb/s. The MAC protocol used is the Distributed

Coordination Function (DCF) of the IEEE 802.11. For simplicity, the underlying routing

protocol is AODV [5] instead of our MASK( [20]. Nodes initially are uniformly distributed

and node mobility are emulated according to the random waypoint model [6]. We run

simulations for constant node speeds of 5, 10, and 15 m/s, with pause time fixed to 5

seconds. In addition, we use 20 CBR connections with random source and destination pairs

throughout the simulations. All the data packets are 512 bytes and are sent at a speed of

4 packets/s.

3.5.2 Computational Costs

We present the computational costs of outstanding primitive operations in CK(M and

IK(M in Table 3-2. As compared to RSA operations, the pairing evaluation is currently

a relatively expensive operation, which by far takes the most running time of an IBC

algorithm. However, since the pairing is a relatively new technique, we anticipate that

its evaluation cost will be much reduced with the rapid advance in cryptography. For

example, Barreto et al. [23] recently announce an approach to evaluate the Tate pairing by

up to 10 times faster than previous methods, the implementation of which is underway. In

2 Note that for the simulated network size, it may be feasible to preload each node with
all the others' public keys. However, it should be understood that this choice is just for
illustration purpose and also to ensure a fair comparison with ARAN [42] which uses the
same network size.


Table 3-2: Timings of primitive operations

Primitive Time
RSA key generation 526.5
RSA encryption/verfication (e = 216 + 1) 0.26:
RSA decryption/signing 5.08
Modular exponentiation (mK 1HOd N) 16.89
Map-to-point H1(-) 2.6
Scalar multiplication in GI1 3.3
Modular exponentiation in G,2 2.4
Pairingf 11.0
ID-based signing (with pre-coluputation) 5.7
ID-based signature verification 35.5

Table 3-3: Conipa~rison of key revocation time

threshold t = 5 threshold t = 10
Speed (In/s) IEhi (sec) C'Khi (sec) IEhi (sec) C'Khi (sec)
5 3.344 3.179 8.563 8.323
10 3.356 3.220 8.577 8.387
15 3.362 3.235 8.586 8.401

addition, the pairing computation can be much accelerated by using dedicated cryptogra~phic

hardware. For instance, it is reported in [61] that the Tate pairing can be calculated in

about~l 6 nIs onI ai modernLI FPG- --'- A. Despite its computational inefficiency, are will see below

that our IK(M still outperfornis CK(M in almost all aspects because of its certificateless


3.5.3 Comparison in Key Revocation

Here we compare IK(M with CK(M with regard to key revocation. We use 20 CBR

sessions as background !! e.-" to simulate more realistic scenarios. Two sets of secret-

sharing parameters (t, n) are simulated: (5, 10) and (10, 20). The revocation process of

CK(M is inmpleniented as similar to that of our IK(M. For simplicity, are set the revocation

threshold y equal to t and each accusation is sent to /S = 1 D-PK(G in IK(M or D-CA in

CK(M. In other words, when the number of accusations against one specific node reaches

y = t at a D-PK(G or D-CA, that D-PK(G or D-CA sends the accumulated accusations to

other random (t 1) out of (n 1) D-PK(Gs or D-CAs which, in turn, send back partial

revocations after verifying the received accusations. To avoid possible MAC-layer collisions

Table 3-4: Comparison of key update (t = 5)

IK(M: threshold t = 5 CK(M: threshold t = 5
Speed (m/s) T ime (sec) Overhead T ime (sec) Overhead
(packet) (packet)
5 3.173 352 271.088 18556
10 3.182 674 271.965 20846
15 3.189 1328 273.443 22400

Table 3-5: Comparison of key update (t = 10)

IK(M: threshold t =10 CK(M: threshold t =10
Speed (m/s) T ime (sec) Overhead T ime (sec) Overhead
(packet) (packet)
5 8.187 662 275.289 37078
10 8.194 1286 276.952 45438
15 5 071582 279.978 1; ".Ill

resulting from returned partial revocations, the revocation leader uses a fixed delay of one

second between contacting two different D-PK(Gs.

Table 3-3 gives the one-time key revocation time of IK(M and CK(M for t = 5 and 10,

accusations to (t 1) peers, until the last node in the network receives and verifies the final

complete revocation. All packet transmission and cryptographic processing time has been

included. As we can see, although our IK(M is slightly inferior to CK(M, both can finish a key

revocation in a very short duration. This demonstrates the feasibility of real-time public-

key revocations in MANETs. We can also observe that, the larger the threshold t, the more

time it takes to finish the revocation process, which is quite intuitive. In addition, node

mobility has little impact on the revocation time in that the revocation process only involves

the transmission of 2(t 1) unicast packets and one network-wide broadcast packet for the

final revocation. Such a small amount of traffic can be transmitted before the network

topology changes significantly and thus some unicast routes break due to node mobility.

3.5.4 Comparison in Key Update

In this subsection, we demonstrate the advantage of our IK(M over CK(M in terms of

key update. Again, 20 CBR sessions are used to emulate normal traffic scenarios. For our

IK(M, the key update process starts when one D-PK(G sends a key update request to other

random (t 1) D-PK(Gs,3 and finishes when all the network nodes receive and verify the

broadcasted common private-key component. For CK(M, the key update process lasts from

when the first node starts contacting t random D-CAs for key update until the last node

finishes its key update through t random D-CAs. To avoid traffic collisions at the D-CAs, a

fixed interval of 5 seconds is inserted between two consecutive key updates by two different


We are interested in two metrics: one-time key update time, including packet trans-

mission time and all cryptographic processing time, and key update overhead in number of

packets, which counts all the key requests/replies and the incurred routing control packets.

Tables 3-4 and 3-5 compare our IK(M with CK(M with regard to these two metrics for t = 5

and 10, respectively. Since a key update process in IK(M is similar to a key revocation

process, it can be finished in a similarly short period. In contrast, key update in CK(M

requires a relatively great amount of time and incurs a significantly larger overhead. In

addition, the key update time and overhead of both schemes increase with the threshold t,

which is of no surprise.

3.5.5 Comparison in Secure Routing

A most important use of public-key techniques in MANETs is to secure routing proto-

cols. As noted in [42], most existing secure routing schemes for MANETs rely on the use of

public keys and certificates without explicitly discussing how to perform certificate distri-

bution. By contrast, a recent work, called ARAN [42], accounts for certificate distribution.

ARAN is an elegant scheme because it is essentially a secured version of classic AODV [5]

and thus preserves many nice features of AODV. However, using ID-based public/private

keys in place of certificate-based ones can turn ARAN into a much more efficient solution,
which is shown as follows.

3 The 1-s sending interval is still used.

4 We have tried different interval values and the chosen one can guarantee that almost
all the nodes can successively finish their key update within the simulation time.

Due to space limitations, we refer to [42] for detailed descriptions of ARAN. For ease

of presentation, we denote the original ARAN by ARAN-CK(M and the modification with

our IK(M by ARAN-IK(M. Regarding the overall routing process, ARAN-IK(M is the same as

ARAN-CK(M. Their difference lies in the structures and cryptographic processing of rout-

ing control packets, including route discovery/reply/error packets. For example, assuming

a source and destination pair of nodes X and Y, a typical route discovery packet (RDP)

in ARAN-CK(M is of format < ((RDP, IDy, Nx)x-1)A-1crt, CetCertA >. Here, (m)x-

stands for message m with its RSA signature generated under node X's RSA private key

X-l; Nx is a monotonically increasing sequence number set by X; certx is the RSA certifi-

cate of source X (see Section 3.5.1 for the certificate format); certA is the RSA certificate

of an intermediate node A attached when A forwards the RDP of X to its own neighbors.s

Considering the RDP format < RDP, IDy, Nx, IDx, IDA > in AODV [5], ARAN-CK(M

adds 778 bytes to the RDP. Suppose the network is in key update phase pi. In ARAN-IK(M,

the RDP changes to < [[RDP, IDy, Nxic-1 <- IDx, IDA >. Therefore, ARAN-IK(M
X,pi A,pi
increases the RDP in AODV by 168 bytes because of the two ID-based signatures. The

routing reply and error packets in ARAN-CK(M are modified similarly.

We run simulations to compare the routing performance of ARAN-CK(M and ARAN-

IK(M. The results generated with AODV are also provided as the baseline. Again, 20

CBR sessions are used in the simulations and each simulation is executed for 15 simulated

minutes. In our simulation results, each data item represents an average of ten runs with

identical traffic models, but with different mobility scenarios.

We use four key performance metrics to evaluate the performance. Average route

discovery 1. I/,:o measures the average latency from the time of sending a RDP to receiving

the first corresponding route reply. Average data packet 1. IAtti measures the average time

from the sending of a data packet by a CBR source until its reception at the corresponding

CBR destination. This includes all possible delay caused by buffering during route discovery,

5 Node IDs are included in certificates. Please refer to [42] on how the RDP is processed
in a hop-b-, -1!heI manner.


550- ~AODV
-1: -11-1-11
E 45 *

S25 *
S20 *
10 *o

5 1 15
Node Speed (m/s)

Figure 3-1: Average route discovery delay.

queuing delay at the interface, retransmission delay at the MAC layer, and propagation and

transmission delay at the ph1-, -il I1 layer. Packet delivery ratio (PDR) measures the ratio of

the data packets delivered to the destination to those generated by the CBR sources. Finally,

normalized routing load measures the average amount of routing packet byte transmitted

per delivered data packet byte. Each hop-wise transmission of a routing packet byte is

counted as one transmission.

The advantages of ARAN-CK(M over AODV in the presence of malicious nodes have

been demonstrated in [42]. For simplicity, we just compare the performance of AODV,

ARAN-CK(M, and ARAN-IK(M when all the nodes in the network are well-behaved or

benign. Note that, no matter whether there are malicious nodes or not, the operations

of both ARAN-CK(M and ARAN-IK(M remain the same. Therefore, as long as we can

show that ARAN-IK(M outperforms ARAN-CK(M in the simulated scenarios, it will also

demonstrate better performance than the latter and thus AODV in the face of malicious

nodes. In all our simulation results, AODV 1.h- .-, a outperforms both ARAN-CK(M and

ARAN-IK(M. This is of no surprise because there are no efforts at all made in AODV to

deal with routing attacks. We will focus on discussing the difference between ARAN-CK(M

and ARAN-IK(M.

Fig. 3-1 compares the average route discovery delay of ARAN-CK(M and ARAN-IK(M

under three 1!!. 1.ilir-,i scenarios. We can observe that ARAN-IK(M 1.h- .-, s exhibits shorter

route discovery delay than ARAN-CK(M. The key reason is that routing discovery and reply



10 1

Node Speed (m/s)

Figure 3-2: Av-erage datar packeet i

10i 15
Node Speed (m/s)

Figure 3-3: Packet delivery ratio.

packets in ARAN-CK(M are of much larger sizes than those of ARAN-IK(M. As a result,

routing packets in ARAN-CK(M are more subject to loss due to collisions with other data

or routing packets during their transmission. When a source does not receive a route reply

packet after sending the RDP for a while, it has to resend the RDP, which worsens the

situation. This contributes to the shown advantage of ARAN-IK(M over ARAN-CK(M. In

addition, the performance difference between ARAN-IK(M and ARAN-CK(M becomes more

and more significant with the increase of node mobility. For example, when the node speed

is 15 m/s, the route discovery delay of ARAN-IK(M is about 390.08 ms, representing a

saving of about 28 percent as compared to the 540.32 ms delay of ARAN-CK(M. That is

because high mobility means that routes will break more frequently, so accordingly route

discovery needs to be performed more frequently. Since more routing packets are involved,


5 10 15
Node Speed (m/s)

Figure 3-4: Average routing load.
their probabilities of colliding with other traffic become increasingly higher in ARAN-CK(M

than in ARAN-IK(M.

Fig. 3-2 plots the average data packet delay vs. node speed. As we can see, ARAN-

IK(M has a significant advantage over ARAN-CK(M in all three mobility scenarios. In

particular, when the node speed is 5 or 10 or 15 n1/s, the data packet delay of ARAN-

CK(M is about 4.68 or 7.86 or 8.04 times longer than that of ARAN-IK(M. This result is

partly due to the shorter route discovery delay ARAN-IK(M has than ARAN-CK(M, which

results in shorter delay caused by buffering at the network layer. Another more important

reason is that MAC-layer frames in the IEEE 802.11, including RTS/CTS/DATA/ACK(, are

more subject to collisions with the MAC frames of routing packets in ARAN-CK(M than

in ARAN-IK(M because the former has much larger-sized routing packets. The situation

deteriorates with the increase in node mobility and thus the increase in the number of

routing packets. As a result, data packets in ARAN-CK(M experience much longer quueuing

and retransmission delay at the MAC layer.

Fig. 3-3 shows the PDRs of AODV, ARAN-IK(M, and ARAN-CK(M for three mobility

scenarios. In all cases, ARAN-IK(M demonstrates performance close to AODV and higher

than ARAN-CK(M. This mainly results from the fact that a smaller portion of data packets

are dropped in ARAN-IK(M than in ARAN-CK(M due to attainment of the retransmission

limit at the MAC layer. The ultimate reason, however, is still because of the larger-sized

routing packets in ARAN-CK(M. Finally, the normalized routing load of ARAN-IK(M and

ARAN-CK(M are shown in Fig. 3-4. For node speeds of 5 or 10 or 15 n1/s, ARAN-CK(M

has a. routing load 3.1 or 3.7 or 4.1 times higher than that of ARAN-IK(M for the larger

sizes of routing packets.

To sunina~rize, our IK(M has significant advantages over conventional CK(M in secure

routing protocol design, a fundamental component in MANET security.

3.6 Summary

k~ey nlana~genent is a fundamental, challenging issue in securing MANETs. This chap-

ter presents IK(M, a secure, lightweight, scalable ID-based key nlana~genent scheme for

MANETs. As a novel combination of ID-based and threshold cryptogra~phy, IK(M is a. cer-

tificateless solution that permits public keys of mobile nodes to be directly derivable from

their known network IDs and some other coninon information. It thus obviates the need for

public-key distribution a~nd thus certificates inherent in conventional public-key solutions.

Our IK(M is characterized by a. novel method of constructing ID-based public/private keys,

which not only guarantees high-level resilience to node compromise attacks but also fa~cil-

itates very efficient network-wide key update by a. single broadcast message. In addition,

we give general guidelines on choosing the secret-sha~ring parameters for achieving desir-

a~ble levels of security a~nd robustness. The significant advantages of IK(M over conventional

certificate-based solutions have been confirmed by extensive simulation results.

Most existing security niecha~nisnis for MANETs thus fa~r involve the heavy use of

public-key certificates. In this regard, we believe that the findings of this chapter would

have much influence on the research paradigm of the whole coninunity a~nd stimulate many

other fresh research outcomes. As our future work, we will seek efficient solutions based on

IK(M to a variety of challenging security issues in MANETs such as intrusion detection and

secure routing.


4.1 Introduction

Wireless sensor networks (WSNs) have attracted a lot of attention recently due to

their broad applications in both military and civilian operations. Many WSNs are deployed

in unattended and often hostile environments such as military and homeland security op-

erations. Therefore, security mechanisms providing (~iC..nn.1.011.11-,i, authentication, data

integrity, and non-repudiation, among other security objectives, are vital to ensure proper

network operations.

Many WSNs require sensor nodes to know their ph1-, -il I1 locations. Examples include

those for target detection and tr l~ine:. precision navigation, search and rescue, geographic

routing, security surveillance, and so on. Driven by this demand, many localization schemes

have been proposed in recent years, with most assuming the existence of a few anchors that

are special nodes knowing their own locations, e.g., via GPS or manual configuration. These

proposals can be divided into two categories: range-based such as [62, 63] and range-l;..

[64, 65]. The former are characterized by using absolute point-to-point distance (range) or

angle estimates in location derivations, while the latter depend on messages from neigfhbor-

ing sensors and/or anchors. Range-based solutions can provide more accurate locations, but

have higher hardware requirements for performing precise range or angle measurements. By

contrast, although having lower hardware requirements, range-free approaches only guaran-

tee coarse-grained location accuracy. In this chapter, we focus on range-based approaches

and leave the investigation on range-free ones as the future work.

We observe that almost all existing range-based proposals were designed for benign

scenarios where nodes cooperate to determine their locations. As a result, they are ill-

suited for unattended and often hostile settings such as tactical military operations and

homeland security monitoring. Under such circumstances, attackers can easily subvert

the normal functionalities of WSNs by exploiting the weakness of localization algorithms

(a) No attacks. (b) dos is reduced.

(c) dos is enlarged.

Figure 4-1: An exemplary two-way ToA localization process, where anchors A, B, C are
determining the location of sensor S.

[66, 67]. In this chapter, we do not intend to provide brand-new localization techniques for

WSNs. Instead, we focus on .I! I1-,. i!:_: and enhancing the security of existing approaches

when applied in adversarial settings.

The rest of this chapter is structured as follows. We start with ..I! I1-,. b!:_: the vulner-

I1.1111-,i of existing approaches in Section 4.2. Next, we present a novel 1!!. 1.ilir-,i-assisted

secure localization scheme (SLS) in Section 4.3. We then review related work in Section 4.4

and summarize this chapter.

4.2 Vulnerability Analysis of Two-Way Time-of-Arrival Localization

Popular range-based localizat ion techniques include Received- Signal- St rengt h-Indicator

(RSSI), Angle-of-Arrival (AoA), Time-of-Arrival (ToA), and Time-Difference-of-Arrival (TDoA).

Readers are referred to [63] for a nice review. Among these techniques, ToA is the most

commonly used one whose requirement for fine time resolution can be satisfied by the ultra-

wideband (UWB) technique [68]. Therefore, our study focuses on a two-way ToA approach,

which is illustrated with Fig. 4-1.

In the shown example, anchors A, B, and C intend to determine the 2-D location of

sensor S. To do so, A transmits at time tl a challenge to sensor S which immediately

echoes a response received by A at time t2. Anchor A can then estimate its distance to S

as dAS M (2 1l)c/2, where c is the speed of light. In the same way, B and C can obtain

distance estimates to S, denoted by dBs and dos, respectively. Let (XA, YA), (XB, YA),

(Xc, Yo ) be the known locations of A, B, and C, and (Xs, Ys) be S's location to be decided.

C Sece chnattacker 2

Figure 4-2: The topology of an exemplary distance enlargement attack.

Assume that A is the leader which collects des and dos and then sets up the following

equations :
fA = dAs (Xs XA) yS A

fs = des s Xe2 yS- B (4.1)

/c = dos (Xs Xc)2 yS C

If there is no measurement error, fA, B, and fc are all equal to zero, and (Xs, Ys) is

the common intersection point of the three circles defined by the above equations. Since

measurement errors inevitably exist in reality, however, (Xs, Ys) will be somewhere in the

intersection area formed by the three circles, as shown in Fig. 4-1(a). It can be obtained

via the Minimum Mean-Square Error (11:ljl1-3) method [62], i.e., minimizing F(Xs, Ys)=

f f+/ + ff
The above process is vulnerable to distance reduction and enlargement attacks, in

which attackers attempt to reduce and enlarge distance estimates, respectively, so as to

maliciously increase the location inaccuracy. For example, attackers can impersonate sensor

S to answer anchor C's challenge before S does, and then jams the later genuine response

from S. As a result, dos would be intentionally reduced. In addition, Fig. 4-2 shows the

topology of an exemplary distance enlargement attack, where the two circles indicate the

transmission ranges of anchor C and attacker 2, respectively. In this attack, the challenge

from C is correctly received by attacker 1, but not by sensor S whose reception activities

are interfered by attacker 2. Subsequently, attacker 1 sends the unmodified challenge via a

secret channel to attacker 2 which, in turn, forwards the challenge to sensor S after some

time. Sensor S will consider it a challenge from anchor C and respond to it. In doing so,

attackers can increase the challenge-response time difference measured at C and thus the

distance estimate dos. Both distance reduction and enlargement attacks may make the

location estimate of sensor S far from its true location, as can be seen from Fig. 4-1(b) and

Fig. 4-1(c), respectively. To satisfy the requirement for high location accuracy by many

WSN applications, we must therefore seek ways to mitigate the impact of such attacks.

4.3 Mobility-Assisted Secure Localization for UWB Sensor Networks

In this section, we present a mobility-assisted secure localization scheme (SLS) for

WSNs. To ease our illustration, we focus on how to ensure secure 2-D location estimates,

but SLS can be easily extended to the 3-D case.

4.3.1 Network Model

We consider a WSN that consists of randomly-deployed sensor nodes, e.g., via random

aerial scattering. Sensor localization is normally done during the network initialization

phase, in which we assume that a set of anchors, denoted by ~A, perform coordinated group

movement across the whole sensor field. Typical examples of anchors are mobile robots or

Unmanned Aerial Vehicles (UAVs) flying at low levels. The number of anchors, denoted

by n, = |~A|, should be at least three for determining a 2-D location. Intuitively, the more

anchors (i.e., distance estimates) are available, the more precise location estimates are at

the cost of increased communication and computational overhead. We also indicate anchor

i by Ai for is { 1,..., n}.

Each Ai is assumed to know its own location (XAi,YA,) at any time and place through
GPS" receivers- or other means In addition, there is I.h-- I-, R a leader in ~A that takes charge

of the localization process. In practice, each anchor should take turns to act as the leader

to balance their resource usage. For convenience, however, we assume Al to be 1.h-- .-, a the

anchor leader hereafter. We further assume that anchors and sensor nodes have the same

transmission range ro.

Before network deployment, we assume that the network planner picks a sufficiently

long secret KC, and loads each sensor S with a secret key Ks = hlc(IDs). Here, ID, is the

unique identifier of node S, h indicates a fast hash function such as SHA-1, and hlc(Ml)

refers to the message integrity code (MIC) of message M~ under key KC. We further postulate

that each anchor knows the network secret K: and is trusted and unassailable to attackers

during the node localization phase which usually does not last too long. This assumption is

reasonable in that anchors are usually much fewer than sensor nodes, so we can spend more

on them by enclosing them in high-quality tamper-resistant enclosures and putting them

under perfect monitoring. How to deal with compromised anchors is part of our ongoing


4.3.2 Overview of SLS

After sensor nodes are deployed, anchors are instructed to perform strategic group

movement along pre-planned routes to localize all the sensor nodes. Anchors are required

to I.h-- I-, a maintain an n,-vertex p..1~-,:_on with the longest distance between any two vertices

no larger than ro. This means that anchors and sensors inside the p..1~-,:_on can directly com-

municate with each other. To localize a node, say S, anchors first measure their respective

distance to S with a modified two-way ToA approach, called K-Distance. The anchor leader

Al then collects all the distance estimates whereby to derive a MMSE location estimate.

Subsequently, Al runs a validity test on the location estimate to detect possible attacks.

Unlike traditional localization methods such as AHLos [62], our mu~ l~ilir-, I--10.. 1 ap-

proach does not require each sensor node to accurately measure distances to anchors and

do the MMSE estimation. Instead, each node just needs to answer the challenges from

anchors, and the tasks of time (distance) measurement and location derivation are shifted

to resource-rich anchors. This is highly desirable for lowering the requirements on sensor

hardware and thus the manufacturing costs. In the rest of this section, we will detail the

operations of SLS with a to-be-localized sensor node S as an example.

4.3.3 K-Distance: a K-Round Distance Estimation Algorithm

To obtain a distance estimate to node S, anchor Ai first calculates Ks = hic(IDs) based

on the preloaded network secret KC. It then executes the K-Distance algorithm outlined in

Table 4-1. Ai begins with sending to S an 1-bit random nonce Nj and starts a timer

when the last bit of Nj is sent. Upon receiving Ni, node S needs to immediately echo Nj

concatenated by another 1-bit random nonce Myj picked by itself. Next, S sends to Ai a

MIC, v = hKs(Ni || Myj), where || means message concatenation.

Table 4-1: i i K-Distance alg~orithm.

1: T =
?: for (:i=Ij=1;J K1 ii-j+ )do
3: Ai sends a ra~ndorn .. nonce NyJ to S
4i: S respo~nds with Ny a~nd another randlorn nonce Myi
As siiets tj t:: irne elapses between chlallengr e andi response
6i: S sends to Aia. number v,::: I~ihiy // n4)
7: f K ) v then /*by Ai*/

9: T U{ti

10: end if
11: esnd for
12: tAiS = median(T)
13: return d~sS = cj s /*c is thlelight I'

last bit o~f N


first bito / ||M s t bit ofN, || M

t,,, tbrm tp~

Figure 4-3: 'i .. timet i of Ith echallengfe-response proc~ess.

When receiving the last bit of the response, Ai stops the timer and sets tj equal to

the elapsing time. It then uses Ks to compute a MIC on Nj and Myj. If the result is not

equal to v which arrives later, Ai considers the response a bogus one and simply ignores it.

Otherwise, it believes that the response indeed came from S, and proceeds to calculate the

one-way signal propagation time as tp,y = (tj t r'oc t;Sro ttrn)/2. Here, t r'oc represents

the time duration from when the last bit of the response hits the antenna of Ai until the

response is completely decoded (cf. Fig. 4-3); isroc is the time duration from when the last
bit of the challenge reaches the antenna of S until S transmits the first bit of the response.

t, oc and ifroc, are device-dependent and usually are constant or vary in a tiny scale. Both
can be pre-determined and preloaded to Ai to calibrate the time measurements to certain

precision. Assume that transmission links from S to anchors have a bandwidth of b b/s.

Then the response transmission time term is approximately equal to seconds.

The above process offers strong defense against distance reduction attacks in the sense

that attackers cannot reduce tp,y and thus the distance estimate up,4j. One reason is that

the MIC check ensures that an authentic response can only be sent by node S. Another

important reason is that nothing can travel faster than light so that attackers are unable

to make the challenge arrive at S earlier than it should.

Attackers, however, can still launch the distance enlargement attack, i.e., enlarging t,,4

and thus the distance estimate. To mitigate this attack, we require Ai to perform K times

of distance measurements. The motivation is that attackers might not be able to actively

affect all K time measurements and thus distance estimates. It is also worth noting that

our method can help mitigate sporadic measurement errors. K is a design parameter that

determines the tradeoff between algorithm overhead and resilience to distance enlargement

attacks and measurement errors. Assume that all the K time measurements are stored in

an initially empty set T. The next question is how to securely use them. The naive use

of the average is insecure because attackers can easily make the calculated average quite

different from the true one by merely enlarging one time measurement to be sufficiently


A, A
d* d*
d -- i-

(a N masreen eros () eaurmet rrrseis. c)d~s s nlrgd
Fiue44 Loato vaidit tet ihhreanhos

Asponedot n 6],te eda i sfr epaemn fr h aeag, oK-itac
uethmeinoKtime mesreetst calclt S1Frbevt nyeasm

betweo en [t r-1emr+)] t is eas y to) Mesueeth t K-Dirstaneist vunral t inl dA is ta en-agd

geneal, f mtimemeauremet were eoinvlargdt Less either trem ainnchanedo cane

measurement. It is obviou that theda meian maetho rcamn tolrat the enlargemen sof up ito

abus th halfa of th time measurements. t aclt ~slFI rvt ny easm

A s th en calcul ate dfS llos and sh xendsi to anhor leader At a mesagven of formait

{owad.gS Le dtgS) K, wh) eroe {} meanstflt enyting atas Mwithu key IC. Upon replce ipto

fis Whe noicpe that there migttak exi rejst othrmehdssc as Least Maedian ~j Squre (LMS)

togen dal wth outlers (distancel etimo ats enlarged inour cO-ase). Hrowevr, he are less

cmpautametionall effcvient than the median method.cntlrt h nlreeto pt

Table 4-2: Testing if a point is inside a |B|-vertex p..1~-,:_on.

Inputs: B: an anchor set, (Xs, Ys): a location estimate
Output: 0 if outside, else

2: for (i = 1, j = |B|; i ( |B|; j = i + +) do
3: if ((((Y, C Ys)&&(Y, > Ys)) || ((Y, > Ys)&&(Y, < Ys)))

5: a =!u
6: end if
7: end for
8: return n

it, Al decrypts dAss and checks its authenticity via the preloaded IC. Once obtaining all n,

distance estimates, Al can then derive a MMSE location estimate (Xs, Ys).

4.3.4 Location Validity Test

The median approach may be enough for withstanding less powerful attackers. How-

ever, if K assumes a small value, attackers launch persistent attacks, and m is greater than

K+, some distance estimates used for deriving (Xs, Ys) might have still been enlarged,

leading to the invalidity of (Xs, Ys). Therefore, we require Al to run a validity test on

(xs, Ys).

Consider first the simple case that there are no measurement errors. If all the n,

distance estimates were not enlarged by attackers, (X,, Y,) should be exactly the intersection

point of n, circles {(( XA,)2 ~ YAi)2 diS Ha}~n,. To test the validity of

(Xs, Ys), Al merely needs to check whether (Xs, Ys) is inside the n,-vertex p ..1~-,:_on formed

by all the anchors. The underlying logic is very simple. If attackers want to make S appear

to be at any location other than its true location, they have to enlarge certain distance

measurements, while at the same time reduce some others so as to keep the resulting location

estimate inside the p..1l-,:_on. As mentioned before, however, our K-Distance algorithm can

prevent attackers from launching distance reduction attacks. Therefore, anchors can be

assured that the location estimate is trustable as long as it resides in the n,-vertex p..1~-,:_on.

We refer to Fig. 4-4(a) for an example with three anchors (n, = 3).

To determine the inclusion of a point inside a p ..1~-,:_on, we select the ,not-Iracing method

for its simpleness and computational efficiency. This method works by starting at the

point in question and drawing a straight line in any direction. If the number of times

the ray intersects the p..1l-,:_on edges is odd, the starting point is inside the p..1l-,:_on and

is outside otherwise. This is easy to understand intuitively. Each time the ray crosses

a p..1-,:_on edge, its in-out parity changes because each edge 1.h- .-, < separates the inside

of a p..1-,:_on from its outside. Eventually, any ray must end up beyond and outside the

bounded p..1l-,:_on. Therefore, if the point is inside, the sequence of crossings "->" must

be: in->out-> --in->out, and there are an odd number of them. Similarly, if the point

is outside, there are an even number of crossings in the sequence: out-> -in->out.

Table 4-2 gives the pseudo-code implementation for the ray-tracing method, which uses a

horizontal ray extending to the left of (Xs, Ys) and parallel to the negative x-axis.

In practical scenarios, however, time measurement errors and thus distance estimate

errors occur inevitably. The n, circles centered at anchors will therefore not have a common

intersection point, but form an intersection area in which the location estimate is located,

as shown in Fig. 4-4(b). This would introduce room for distance enlargement attacks.

Consider again the three-anchor example in Fig. 4-4(c). Suppose the distance estimate

dA3S was maliciously enlarged, while dArs and dAss are just a little larger than the actual

distances due to measurement errors. It is obvious that, by adjusting the level of enlarging

dA3S, attackers might be able to freely enlarge the intersection area of the three circles and

thus make the MMSE distance estimate (though still inside the triangle) deviate much from

the true location. Fortunately, we can alleviate this issue by imposing certain reasonable

constraints. Let 6 be the two-sided maximum allowable measurement error with respect

to distance estimates. Now (Xs, Y,) should reside in the intersection area of n, rings,

{(dAiS 6)2 ( (2 XAi)2 ~ YAi)2 4 (dAiS 621 Ha}~n, (see Fig. 4-4(b)). This

means that, in addition to performing the point-inclusion test, Al needs to check whether

the inequality | dA ss -Ji ~ ~~ XI) yS-Yg2 6 hold s for each dAi s. If so, (X,, Y,)

is considered valid and invalid otherwise.

With our method in place, attackers might only be able to enlarge any dASs a little bit

to make the resulting (Xs, Ys) appear to be valid, leading to tolerable location imprecision.

However, if they enlarge dASs by a relatively large amount, the resulting (Xs, Ys) will be

identified as invalid. One such example is shown in Fig. 4-4(c). Therefore, although our

method cannot completely eliminate distance enlargement attacks, which is believed to

be impossible for any security mechanism, it does constrain the impact of attackers to a

tolerable level.

If (Xs, Ys) does not pass either the point-inclusion test or the 6-error check, Al re-

computes a MMSE location estimate based on any (n, 1) distance estimates and checks

its validity via these two tests. If all the sets of (n, -1) distance estimates are traversed and

still no valid location estimate is generated, Al tries the sets of (n, 2) distance estimates.

Al continues this process until either a valid (Xs, Ys) is found or all the 3-degree subsets

of n, distance estimates are examined (3 is the minimum number of distance estimates

required to derive a 2-D location estimate). If the latter case occurs without yielding a valid

location estimate, Al may consider that the localization process was attacked and should

take certain actions, e.g., reporting this abnormality to the control center, as stipulated by

concrete WSN applications.

If a valid (Xs, Ys) is derived, anchor Al transmits it securely to node S in a message,

{Xs, Ys, hKs(Xs || Ys)}Ks. Upon receiving it, node S uses the preloaded secret key K~s to

decrypt (Xs, Ys) and compute a MIC. If the result matches with what Al sent, S considers

(Xs, Ys) trustable and saves it for subsequent use.
4.3.5 Discussion

Overhead analysis. So far we have elaborated the operations of SLS, by which a

valid location estimate can be obtained despite the presence of attacks as long as there are

at least three unattacked distance estimates. The desirable security improvement does not

come for free. Specifically, the K-Distance algorithm requires each anchor to obtain K dis-

tance estimates instead of one as in previous schemes. Besides the tunability of K, however,

K-Distance can not only mitigate distance enlargement attacks, but also smooth sporadic

measurement errors in the first place. Also note that, if some distance estimates were

maliciously enlarged, Al may need to perform the MIMSE estimation for up to CE~ 3'~

times. In practical scenarios, n, should be carefully chosen to be a small number that can

guarantee a certain level of resilience to attacks while not incurring too much overhead.

For instance, when n, = 5 anchors are used, SLS can tolerate two (40 percent) maliciously

enlarged distance estimates that are not filtered by K-Distance. Then Al needs to calculate

at most 16 distance estimates. Since anchors have more powerful computational capacities

than sensor nodes and node localization is a one-time process, we believe such overhead to

be acceptable for security-sensitive WSNs.

Other applications. In addition to securely localizing sensor nodes, SLS can find

uses in many other applications. One example is critical asset tracking. Many organiza-

tions, particularly defense contractors, have parts and equipment of a sensitive, secure, or

hazardous nature. These parts need to be monitored and audited to record their move-

ments and who had access to them, as proof that they have not been tampered with or

viewed by unauthorized personnel. We can accomplish this task by deploying a tracking

infrastructure composed of a set of anchors and attaching to critical assets some sensors

that are difficult to remove without being detected. Anchors and sensors communicate with

each other through wireless links. SLS can then be used by anchors to keep tracking the

locations of critical assets (in fact, attached sensors).

4.4 Related Work

In this section, we briefly review some important work that is closely related to this

chapter. Brands and Chaum [70] propose a TOA-based distance bounding protocol that

can be used to verify the proximity of two devices connected by a wired link. Sastry et al.

[71] present a similar distance bounding approach based on ultrasound and RF signals to

verify the presence of a wireless device in a region of interest. In [72], Waters and Felten

propose a scheme that uses round-trip time-of-flight RF signals to prove the locations of

tamper-resistant devices. Their scheme cannot be directly applied in UWB sensor networks

because individual sensors are usually not tamper-resistant due to cost limitations. More

recently, Lazos and Poovendran [66] present an approach to secure range-free sensor local-

ization techniques [64, 65]. By contrast, this chapter concentrates on securing range-based

localization techniques [62, 63]. The closest work to our SLS can be found in [67], in which a

scheme called Verifiable Multilateration (VM) is proposed for secure positioning of wireless

devices. However, SLS differs significantly from VM in several major aspects. First, SLS is

able to mitigate the impact of attacks and sporadic measurement errors in the first place,

which is a nice property not provided by VM. Second, VM calculates location estimates

on the basis of three anchors or triangles. By contrast, we consider a more general case

by using an n,-vertex publ-:_on formed by n, anchors for n, 3 3, which allows for higher

location accuracy. Last, we propose to utilize mobile anchors instead of static anchors,

which can greatly reduce the number of required anchors.

4.5 Summary

How to ensure secure localization is one of the challenging issues in securing WSNs.

In this chapter, we present SLS, a novel mobility-assisted secure localization algorithm that

can furnish sensor nodes with secure, accurate locations despite the presence of attacks. As

the future research, we plan to extend our approach to range-free localization techniques.


5.1 Introduction

A future WSN is expected to consist of hundreds or even thousands of sensor nodes.

This renders it impractical to monitor and protect each individual node from either ph1-, -i I1

or logical attack. It is also unrealistic and uneconomical to enclose each node in tamper-

resistant hardware. Thus, each node represents a potential point of compromise. Once

compromising certain nodes and acquiring their keying material, adversaries can launch

various insider attacks. For example, they might spoof, alter or replay routing information

to interrupt the network routing [73]. They may also launch the Sybil attack [45, 74], where

a single node presents multiple identities to other nodes, or the i,1. iillu replication attack,

in which clones of a compromised node are put into multiple network places [74]. Moreover,

adversaries may inject bogus data into the network to consume the scarce network resources

[75, 76]. This situation poses the demand for compromise-tolerant security design. That is,

the network should remain highly secure even when a number of nodes are compromised.

Although a lot of solutions such as [77, 78, 79, 80, 81, 82, 83, 84, > ".] have been proposed

for securing WSNs, most of them do not provide adequate resilience to node compromise

and the resulting attacks.

Many WSNs have an intrinsic property that sensor nodes are stationary, i.e., fixed

at where they were deployed. This property has pl1 I-,. .1 an important role in many WSN

applications such as target tracking [86] and geographic routing [87]. By contrast, its great

potential in securing WSNs has so far drawn little attention. Based on this observation,

we propose a suite of location-based compromise-tolerant security mechanisms for WSNs

in this chapter. Our main contributions are summarized as follows.

First, we propose the novel notion of location-based keys (LBE~s) based on the afore-

mentioned pairing technique (cf. Section 2.2.1). In our scheme, each node holds a private

key bound to both its ID and geographic location rather than merely its ID as in conven-

tional schemes. To the best of our knowledge, this is the first such effort in the context of


Second, we design a novel node-to-node neighborhood authentication protocol based

on LBE~s. It helps achieve the desirable goal of localizing the impact of compromise nodes

(if any) to their vicinity, which is a nice property absent in most previous proposals.

Third, we present efficient approaches to establish pairwise shared keys between any two

nodes that are either immediate neighbors or multi-hop away. Such keys are fundamental

in providing security support for WSNs [78, 79, 80, 81, 82, 83, 84, > ".] In contrast to

previous proposals, our approaches feature low communication and computation overhead,

low memory requirements and good network scalability. More important, our approaches

show perfect resistance to node compromise in that pairwise shared keys between non-

compromised nodes I.h-- I-, remain secure, no matter how many nodes are compromised.

Fourth, we demonstrate how LBE~s can act as efficient countermeasures against some

notorious attacks against WSNs. These include the Sybil attack [73, 74], the identity

replication attack [74], wormhole and sinkhole attacks [73], and so on.

Last, we develop a location-based threshold-endorsement scheme (LTE) to thwart the

aforementioned bogus data injection attack [75, 76]. Detailed performance evaluation shows

that LTE can achieve remarkable energy savings by detecting and dropping bogus traffic at

their early transmission stages. Moreover, our LTE has a much higher level of compromise

tolerance than previous work [75, 76].

The rest of this chapter is structured as follows. Section 5.2 introduces the crypto-

graphic basis, the adversary model and the security objectives of this chapter. Next we

detail a location-based key management scheme, including key generation, authentication

and shared-key establishment. This is followed by a detailed illustration of using LBE~s in

combating various attacks. Section 5.5 presents the LTE scheme and evaluates its perfor-

mance. We then survey related work in Section 5.6, discuss the use of symmetric-key vs.

public-key cryptography in Section 6.7, and summarize this chapter.

5.2 Preliminaries

5.2.1 Adversary Model

Adversaries in WSNs can be classified as either external or internal adversaries. The

former do not have authentic 1:0- inr:, material whereby to participate in network operations

as legitimate nodes. They might just passively eavesdrop on radio transmissions or actively

inject bogus data or routing messages into the network to consume the network resources.

Once in full control of certain nodes, external adversaries can become internal ones to be

able to launch more subtle attacks like those mentioned in Section 5.1. Internal adversaries

are generally more difficult to defend against than external ones for their possession of

authentic keying material. We further assume that adversaries have much more powerful

resources regarding energy, communication and communication capacities than ordinary

sensor nodes. They might also communicate and collaborate over a high-bandwidth and

low-latency channel invisible to legitimate sensor nodes. However, we do assume that

adversaries cannot compromise an unlimited number of sensor nodes. Neither can they

break any cryptographic primitive on which we base our design. Otherwise, there is unlikely

to be any feasible security solution.

5.2.2 Security Objectives

We aim to provide confidentiality, authentication, data integrity, and non-repudiation,

four essential security objectives. We also intend to offer both '.:d -loo. t, and end-to-end

security guarantees, both of which are indispensable for security-sensitive WSNs [73]. By

definition, link-layer security indicates the security of radio links between neighboring nodes.

It is a prerequisite to prevent external adversaries from accessing or modifying or faking

radio transmissions. In contrast, end-to-end security refers to the communication security

between a pair of source and destination nodes, e.g., a data I:_:::egation point (AP) to

a higher-level AP or the sink [73]. We achieve link-layer security by immediate pairwise

keys shared between neighboring nodes and end-to-end security by multi-hop pairwise keys

shared between end-to-end sources and destinations.

5.3 A Location-Based Key Management Scheme

This section presents a location-based key management scheme for WSNs, including

the generation and distribution of LBE~s, a secure LBK(-based neighborhood authentication

scheme, and methods for establishing both immediate and multi-hop pairwise shared keys.

5.3.1 Pre-Deployment Phase

We examine a large-scale WSN consisting of hundreds or even thousands of sensor

nodes. We assume that all the nodes have the same transmission range R and communicate

via bi-directional wireless links. Nodes perform a collaborative monitoring of the designated

sensor field and report the sensed events to the distant sink, which is a data collection center

with sufficiently powerful processing capabilities and resources. We further assume that each

node A has a unique, integer-valued and non-zero ID, denoted by IDA. In view of the cost

constraints, nodes are assumed to be not tamper-resistant in the sense that adversaries

can extract all the keying material and data stored on a compromised node. However, we

postulate that the sink is trustworthy and unassailable, as is commonly assumed in the

literature [78, 79, 80, 81, 82, 83, 84, .]~

Prior to network deployment, we assume that a trusted authority (TA) does the fol-

lowing operations:

1. Generate the pairing parameters (q, GI~, G2 W, H) (cf. Section 2.2.1), where W is

an arbitrary generator of GI, and H is a hash function mapping given strings to

non-zero elements in Gi.

2. Ob.. .. --- h, mapping arbitrary inputs to fixed-length outputs, e.g., SHA-1 [16].

3. Pick a random IcneZ~ as the network master secret and set Wpub = IC -

4. Calculate for each node A an ID-based key (IBK( for short), IK~A = IcH(IDA) E Gi.

Each node A is preloaded with the public -1-,-r. parameters (q,GI,G2,8, H, h,W, Wpub)

and its private IK~A. It is important to note that it is computationally infeasible to deduce

ac from either (W, Wpub) or any (ID, IBK() pair like (IDA, IK~A), due to the difficulty of

solving the DLP in GI (cf. Section 2.2.1). Therefore, even after compromising an arbitrary

number of nodes and their IBE~s, adversaries are still unable to calculate the IBE~s of non-

compromised nodes.

5.3.2 Sensor Deployment and Localization

After loaded with the keying material, sensor nodes can be deployed in various ways

such as ph:~-i I installation or random aerial scattering. There are also many methods

to localize each node, i.e., furnishing each node with its geographic location. We consider

the following two sensor localization techniques, which accordingly differ in their ways of

generating LBE~s for individual nodes. The final outcome of either approach is that each

node A possesses its location denoted by IA and an LBK( LKA = IcH(IDA I A), where ||

denotes message concatenation.

Range-based localization. In this approach, we assume that a group of mobile

robots are dispatched to sweep across the whole sensor field along pre-planned routes.

Mobile robots have GPS capabilities as well as more powerful computation and communi-

cation capacities than ordinary nodes. The leading robot is also equipped with the network

master secret Ic. To localize a node, say A, mobile robots run the secure range-based lo-

calization protocol given in Chapter 4 or [67] to first measure their respective absolute

distance to node A and then co-determine IA, the location of A. Subsequently, the leading

robot calculates LKIA = IcH(IDA I A). It then generates IK~A = IcH(IDA) and sends

< {LKA I A IKA IlKA(LKA~ I A) > to A. Henceforth, {M~)k means encrypting message

M~ with key k, and hk(M~) refers to the message integrity code (MIC) of message M~ under

key k.

Upon receipt of the message, node A first uses its preloaded IBK( IK~A to decrypt LKIA

and IA and then regenerates the MIC. If the result matches with what the robot sent, A

saves LKIA and IA for subsequent use. Following this process, all the nodes can be furnished

with their respective location and LBK(. After that, mobile robots leave the sensor field and

the leading robot should securely erase ac from its memory. During subsequent network

operations, node addition may be necessary to maintain good network connectivity. The
localization of new nodes can be done in the same manner.

The assumption underlying this approach is that adversaries do not launch active and

explicit pinpoint attacks on mobile robots at this stage which usually does not last too long.

However, they may still perform relatively passive attacks such as message eavesdropping

or strategic channel inference to disturb the localization process [67]. This assumption is

reasonable in that mobile robots are much fewer than ordinary sensor nodes and hence

we can spend more on them by enclosing them in high-quality tamper-proof hardware and

putting them under super monitoring. Adversaries may also want to temporarily avoid

active and explicit attacks that may easily expose themselves. After the localization phase,

adversaries are free to launch all kinds of attacks.

Range-free localization. By contrast, the range-free localization approach does

not rely on exact distance or range measurements. Instead, we assume that there are

some special nodes called anchors knowing their own locations. All the non-anchor nodes

autonomously derive their locations based on information from the anchors and neighboring

nodes via secure range-free localization techniques such as [66, 88, 89].

The LBE~s are also generated on the nodes' own. To enable this, each node A is

preloaded with the network master secret Ic whereby to generate its LBK( LKA = IcH(IDA I

IA). As LEAP [90], this approach takes advantage of the fact that sensor nodes deployed in

security-sensitive environments are usually designed to withstand break-in attacks at least

for a short interval when captured by adversaries. Specifically, we assume that an adversary

needs a time interval at least Tmin to successfully compromise a node, and each node takes

some time less than Tmin to finish localization and generation of its LBK(. In addition,

each node should be programmed to securely erase ac from its memory after Tmin of its

deployment. In the case of subsequent node addition, new nodes can get their locations

and LBE~s in the same way.

5.3.3 Location-Based Neighborhood Authentication

By definition, neighborhood authentication means the process that any two neighboring

nodes validate each other's network membership. This process is fundamental in supporting

many security services in WSNs. For example, a node should only accept messages from and

forward messages to authenticated neighbors. Otherwise, external adversaries can easily

inject bogus broadcast messages into the network or swindle network secret information

from legitimate nodes.

During the post-deployment phase, each node is required to discover nd perform mutual

authentication with neighboring nodes, which is a normal process in many existing security

solutions for sensor networks. In our scheme, each node will think of another node as an

authentic neighbor if and only that node is within its transmission range R and also hokis

the correct corresponding LBK(. We take the following concrete example to explain the

neighborhood authentication process.

1. 4 -> : ID 4, 1 ZA

2. B ->A : IDBln, s, a,(n he ( 4| ne || 1)

3. 4 ->B :hK (nA 4 | ne || 2)

Suppose node A wishes to discover and authenticate neighboring nodes once having its

location and LBK(. To do so, 24 locally broadcasts an authentication request including its

ID ID4, location 14 and a random nonce n 4. Upon receipt of such a request, node B first

needs to ascertain that the claimed location 14 is in its transmission range by verifying if

the Euclidean distance ||14 ls|| ; R. This check is the baseline defense against the attack

that adversaries surreptitiously tunnel authentication messages between B and a virtually

non-neighboring node. Without the location check, B and that victim will falsely believe

that they are neighbors because both possess an authentic LBK( whereby to successfully

finish the following authentication process.

If the inequality does not hold, node B simply discards the authentication request.

Otherwise, B calculates a shared key as Ky 4A = #(La, H(ID4 || 14)). It then unicasts a

reply to node A including its ID and location, a random nonce us, and a MIC computed

as hKB (nA 4 | ne || 1). Upon receiving the reply, node 4 also first checks if the inequality

||14 -1| I ; RI~ holds. If so, it proceeds to derive a shared key as K4A,B = #(LK4,A H(IDB ||

Ig)) whereby to reconmpute the MIC. If the result is equal to what B sent, node 4 considers

B an authentic neighbor. Subsequently, A returns to node B a new MIC computed as

hKA (nA 4 | ne || 2). Upon receipt of it, B uses KB 4 to regenerate the MIC and compares
the result with what it just received. If they are equal, B regards node A as an authentic

neighbor as well.

The above process is valid because, if and only if both A and B have a correct LBK(,

K~A,B is equal to KB,A due to the following equations.

KA,B = 8(LKA, H(IDB || Is))

= (icH(ID A I A), H(IDB || Is))

= (H(IDA I A), ICH(IDB || Ig)) (5.1)

= (ICH(IDB || Ig), H(IDA I A))

= (LKB, H(IDA I A)) = KB,A

The second and third lines hold for the bilinearity of 8 and the fourth line holds by the

symmetry of 8 (cf. Section 2.2.1).

Using the above -hou -;-In-,i handshake, all the nodes can achieve mutual authentication

with neighboring nodes. Note that if multiple nodes simultaneously respond to the same

authentication request, possible MAC-layer collision may happen. We resort to effective

MAC-layer mechanisms to resolve this issue. For example, it can be alleviated through

MAC-layer retransmission or by using a random jitter delay for which each node has to

wait before answering an authentication request.

In our scheme, new nodes can be added freely to maintain necessary network con-

nectivity, especially when some existing nodes die out because of power shortage or other

reasons. A new node is also required to execute the authentication protocol once localized


Security analysis. Our location-based authentication scheme is secure against var-

ious malicious attacks. For example, in a location forgery attack, an adversary might send

an authentication request with a forged location within node B's range. Since the adversary

does not hold the LBK( corresponding to the forged location, he or she cannot successfully

finish the authentication procedure and thus deceive B into believing that he or she is an

authentic neighbor. Adversaries might as well launch the tunnelling of authentication mes-

sages attack by tunnelling authentication messages received at one location of the network

over an invisible, out-of-band and low-latency channel to another network location which

is typically multi-hop away. By doing so, they attempt to make two victim nodes far away

from each other believe that they are authentic neighbors. This attack is infeasible with

our scheme in that each node will simply deny authentication requests from nodes that are

not ph!~-il sh11-, within its transmission range. In addition, an adversary might put into the

vicinity of a legitimate node, I-, B, a replica of one compromised node at other distant loca-

tions. Most purely ID-based authentication schemes are vulnerable to this attack because,

without dependence on any central authority [79, 74], the victim B has great difficulty in

differentiating between legitimate authentication requests and malicious ones from replicas

of a compromised node. With our scheme in place, node B will simply ignore the replica's

authentication request because the replica should not appear in its transmission range.

It is worth pointing out that, as any other security solution, our scheme itself cannot

prevent a compromised node or its replicas from achieving mutual authentication with

its legitimate neighbors. However, it can guarantee that the compromised node or its

replicas receive nothing more than some random numbers, public IDs and locations from

legitimate nodes. This ensures that the compromised node cannot impersonate its legitimate

neighbors to other nodes. Therefore, our location-based authentication scheme can reduce

the impact of a compromised node from the otherwise network-wide scale to its vicinity,

more specifically, within a circle with radius 27E centered at its current location. This makes

it far more easier to devise efficient localized intrusion detection mechanisms.

One may worry that adversaries might mount the denial-of-service attack by continu-

ously sending bogus authentication requests or replies to allure legitimate nodes into endless

processing of such messages. In our opinion, this attack is in fact less worrisome. The rea-

son is that the number of neighbors of any node is limited in reality. Therefore, abnormally

many authentication requests or replies are highly likely an indicator of malicious attacks.

Under such situations, we assume that there are efficient mechanisms available for legitimate

nodes to report such an abnormality to the sink.

5.3.4 Immediate Pairwise Key Establishment

Link-layer security schemes demand an efficient method to establish pairwise shared

keys between neighboring nodes. Henceforth, we refer to such keys as immediate pairwise

keys (or IPE~s for short). With IPE~s, messages exchanged between neighboring nodes can

be encrypted and authenticated via efficient symmetric-key algorithms.

Note that after a successful three-way handshake, two neighboring nodes, say 4 and B,

have established a shared key K4A,B = KB 4. Adversaries, be they external or internal, may

overhear the authentication messages, but cannot deduce the shared key for the lack of the

LBE~s of 4 and B. From K4A,B, 4 and B can derive various shared session keys for different

security purposes by feeding K4A,B into the hash function h. For example, they can use

ko = h(K4A,B || 0) for message encryption and ki = h(K4A,B || 1) for message authentication.

In the similar way, each node can establish IPE~s with all its legitimate neighbors after the

neighbor discovery and authentication phase.

Since the IPE~s are by-products of the neighborhood authentication process, there is no

extra 1:- -, -i -1 151i-!!!!. !!r coninunication and computation overhead. In addition, our IPK<

establishment method has perfect resistance to node compromise because the IPE~s are built

upon the private LBE~s of individual nodes. No matter how many nodes are compromised,

the LBE~s of non-conipromised nodes II.h- I-, a remain secure, and so do the IPE~s established

between them.

5.3.5 Multi-hop Pairwise Key Establishment

In addition to the IPE~s, a node may need to establish pairwise shared keys with other

nodes that are multi-hop away. We call such keys as multi-hop pairmise keys (or MPE~s for

short) that are required for securing end-to-end traffic.

Assume that nodes LT and V are multi-hop apart and the routing path between them

has been established using the underlying routing protocol. To establish an MPK(, ET and

V execute the following protocol.

1. ET V : IDer,1r,ncrH(IDr || Irr)

2. V LT IDy-,1-, nxH(ID- || ly-)

Here, nr, nx- EZ~ are randoni private numbers chosen by nodes LT and V, respectively. At

the conclusion of the protocol, node V calculates

K (r = ~(L~-, nx-H(IDer || Ir) + ncH(IDer || Ir))

= (icH(IDy- || ly), (nx- + nr)H(IDer || Ir)).

Likewise, node LT computes

Ker,4 = ~(LKr, ncH(IDy- || ly) + nsH(IDy- || ly))

= (icH(IDer || Ir), (ncr + ns)H(IDy- || ly)).

If both nodes are legitimate and have followed the protocol correctly, by the bilinearity and

syninetry of 4,

Kur,4 = K rr = ~(H(IDer || Ir), H(IDy- || ly))(;q,+,z)'F

Based on the MPK( Ker,4, nodes LT and V can derive various shared session keys for different

security purposes as before.

Discussion. If possible, the two protocol niessa~ges can p~i:_:_-Jback on the routing

messages used to establish the routing path between LT and V. In doing so, the related

coninunication overhead can be much reduced. In addition, there is no need for LT and V

to further exchange messages to prove to the other the knowledge of the MPK(. Any future

niessa~ges encrypted and authenticated with the MPK( or the derivative session keys can

implicitly achieve the same effect.

Our MPK( establishment protocol is a simple adaptation of the provably secure ID-

based key a~greenient protocol [91]. Any third party may overhear the plaintext niessa~ges

exchanged between LT and V, but cannot derive the MPK( Kur,4 without knowing the LBE~s

of LT or V. This protocol also has perfect resilience against node compromise because of

the dependence of the MPE~s on the nodes' private LBE~s.

5.4 Efficacy of LBKs in Attack Mitigation

In this section, we show how the proposed LBE~s can act as effective and efficient

countermeasures against several notorious attacks against WSNs.

5.4.1 Spoofing, Altering or Replaying Routing Information

Without precaution, external adversaries are able to spoof, alter or replay routing

niessa~ges. By doing so, they attempt to create routing loops, cause network partitions,

incur false error messages, and so on [73].

As mentioned before, neighboring nodes are required to perform mutual authentica-

tion based on their private LBE~s. Since each node only processes routing messages front

authenticated neighbors, external adversaries can be prevented from entering the network

and distributing phony routing messages. The remaining problem is how to defend against

internal adversaries or compromised nodes in possession of authentic keying material. It

is believed that there is no cryptographic way that can prevent them from manipulating

routing information. However, our location-based neighborhood authentication scheme can

constrain the impact of compromised nodes to a small range centered at their original lo-

cations. In other words, internal adversaries cannot utilize the acquired to inr:, material at

one place to launch routing attacks at another distant place. What they can only possibly

do is to continue misbehaving at "the scene of the crime," i.e., a small range around the

location of the compromised node. If doing so, they might run a high risk of being detected

by legitimate nodes if effective localized misbehavior detection mechanisms are available.

5.4.2 The Sybil Attack

The Sybil attack happens when a malicious node behaves as if it were a large number

of nodes, e.g., by impersonating other nodes or simply claiming multiple forged IDs and/or

locations. As pointed out in [73, 74], this attack is extremely detrimental to many impor-

tant WSN functions, such as routing, fair resource allocation, misbehavior detection, data

I: :_regfation, and distributed storage.

With our scheme in place, when a malicious node intends to impersonate a legitimate

node, it does not have the authentic LBK( and thus cannot successfully finish mutual au-

thentication with other legitimate nodes. For the same reason, a malicious node cannot

claim forged IDs and/or locations without being detected. Therefore, the Sybil attack is

effectively defeated.

5.4.3 The Identity Replication Attack

The identity replication attack [74] takes place when adversaries put multiple replicas

of a compromised node in different geographic locations. It may lead to the inconsistence of

the network routing information, as well as jeopardizing other important network functions.

Conventional defenses often involve a central authority, e.g., the sink, that either keeps a

record of each node's location [74], or centrally counts the number of connections a node

has and revokes those with too many connections [79]. These solutions require node-to-

node authentication and pairwise key establishment to be performed through the central

authority, thereby causing significant communication overhead and the lack of scalability.

This attack is no longer feasible when our location-based neighborhood authentication

scheme is applied. The replicas of a compromised node will be prevented from entering

the network by legitimate nodes at locations other than the neighborhood of the compro-

mised node. Our countermeasure is totally self-organizing and does not involve any central

authority, hence it is rather lightweight and highly scalable in contrast to previous solutions.

5.4.4 Wormhole and Sinkhole Attacks

Wormhole [73, 92] and sinkhole [73] attacks are two notorious attacks against WSN

routing protocols that are difficult to withstand, especially when the two are used in com-


In the wormhole attack, instead of compromising any node, collaborative adversaries

first create a wormhole link, essentially an out-of-band and low-latency channel, between

two distant network locations. They then tunnel routing messages recorded at one location

via the wormhole link to the other, leading to the chaos of the routing operations. Hu

et al. [92] presented a technique called packet leashes to withstand the wormhole attack.

It requires extremely tight time synchronization and is thus infeasible for most WSNs, as

noted in [73]. In contrast, each node in our scheme only accepts routing messages from

authenticated neighbors and will discard those tunnelled from distant locations. Therefore,

the wormhole attack is effectively and efficiently thwarted.

In the sinkhole attack, compromised nodes attempt to attract all the traffic from their

surrounding nodes by announcing a high-quality route to the sink or some other destina-

tions. For example, adversaries create an invisible and fast channel between two compro-

mised nodes A and B residing in distant network regions. Node A claims that it is one

hop or a few hops away from B or other nodes close to B. By doing so, A aims to be se-

lected by legitimate surrounding nodes as a packet relay to B or other nodes in that region.

Fortunately, our scheme can withstand such sinkhole attacks against minimum-hop routing

protocols. For instance, upon seeing A's advertisement of a single-hop path to node B, a

legitimate node can immediately find out that A is malicious by noting that the distance

between A and B is far more larger than the normal transmission range 78. In addition,

geographic routing protocols such as [87] have been identified in [73] as promising solutions

resistant to sinkhole and wormhole attacks. The reason is that they construct the rout-

ing topology on demand using only localized interactions and geographic information. To

apply such schemes, however, the location information advertised from neighboring nodes

must be authenticated. We provide such a guarantee by the LBE~s and the location-based

neighborhood authentication scheme.

We note that our scheme itself cannot prevent the sinkhole attacks against routing

protocols with routing metrics such as remaining energy or end-to-end ra 11 Il1.11117. The

major reason is that the authenticity of these information is very difficult to verify by

cryptographic means alone. As far as we know, the related countermeasure thus far remains

an open challenging issue, and is an interesting topic worthy of further study.

5.5 Location-Based Filtering of Bogus Data

In this section, we first describe the bogus data injic-tio~n attack. We then present a

location-based threshold-endorsement scheme (LTE) as the countermeasure. At last, we

evaluate the performance of LTE in terms of energy savings.

5.5.1 The Bogus Data Injection Attack

As mentioned before, neighborhood mutual authentication is sufficient to prevent ex-

ternal adversaries from injecting bogus data into the network, but will fail in the presence

of internal adversaries. By a single compromised node, internal adversaries can induce ar-

bitrary and seemingly authentic data reports into the network. Without precaution, this

kind of attack may do a lot of damage to the network, e.g., causing false alarms or net-

work traffic congestion. Even worse, it can deplete the precious energy of relaying nodes

on any forwarding path to the sink, which is often tens or even hundreds of hops away

from the sources of data reports. It is, therefore, important to design effective and efficient

countermeasures against this attack.

Since there is no way of hindering internal adversaries from injecting bogus data, we

attempt to figure out ways to mitigate their impact. Our first goal is to filter bogus

data reports as early as possible before they reach the sink. Our second goal is to detain

adversaries from freely fabricating the originating locations of injected bogus data reports.


coo o ooo ooo
0 0 aoo oo a
ooo 0000 0
(xo oo)
Figure 51 Nod delymn modl

We cheveth fistgoa b a o trsoldenorsmn mehd Tha is dtrpr
shul b c-sgnd y ode or i tlo b consdee auhni.Arprihu

muc geaer ificltyininecingseemnl authd dplyentcyt bogu at eprs a he o

hae to hv coprmie airt least by noe intheahd of nlyorsmne as before. Ta s a

Whul e fulfi teseod b objective by embeddingthred loationinomtion ofadt report 'sou

corigntigaeai hejit endorsement itlb rgreda carrioes Tod dinjctar bogu data reported that

otrignaes fromg at certi areaand can survive the fitrigby egaiotimate intermediate nodes

adersar ields must acual compromise at least t nodes, hnoldng ksteyn material pofe thatare.

Evnso hey c-ann popety uiiz theacuired kemayin material esto fae dat airport tatin seem to

onrigionatee from othe fareias. Anote-rbenefi svis tatonce I detrmining tat esoearre ihvin

repo rtsatre unficltere bogu onjesth e sinkl caun pinpin ythi originatin aepresas and then

tae specficl rhemedactons.betv yebdigtelctinifraino aarpr'

Brgael fow we detai howa to actall sreaize the aboverigb ideas. ae nemeit nd

5.5.2ae Genertio andull Distroibu tio ofas Cel Koeys odn ei mtra ht

Tv o, tenal lcan tion-baed thr cyiesod-keyndorsmenter propose dth e nortio ofa cell ke

For nthe sake ofhe simplicity, we asue that sthet snorc fiteld is a Mr x Nrretage whosei

lower-left corner is at location (Xo, Yo). The sensor field is divided into M~N square cells of

equal side length r. Each cell is labelled with a pair of integers < m, a >, for 1 ( m ( M~
and 1 ( n ( N. Prior to deployment, (Xo, Yo) and r are preloaded to each node. Also note

that our LTE can be easily extended for use with any other node deployment model.

We define the cell key of cell < m, a > as Km,n, = IcH(m || n), which shall be used

to endorse any report originating from that cell. The next question is how to distribute

Km,n, to nodes in cell < m, a >. Let ID~,, denote the ith node with location l~,, in cell

< m, a >. The naive method of letting each ID~,, hold one copy of Km,n, obviously suffers
from single node compromise. Instead, we propose to utilize the secret-sharing technique

[15] to assign a share of Km,n, to each IDL~,, The purpose is to make Km,n, reconstructible
by any t nodes in cell < m, a >, while irrecoverable by any less than t of them. To do this,

prior to network deployment, the TA additionally generates a (t 1)-degree polynomial,

F(2) = El Fp 23 G with coefficients Fy randomly selected from GI. I t also selects
another system parameter c ( r whose use is explained shortly. We consider the following

two cases of cell-key share distribution, depending on whether node localization is range-

based or range-free (cf. Section 5.3.2).

Range-based cell-Key distribution. In this approach, the leading robot is preloaded

with the polynomial F(z). In addition to determining a node's location, it decides that

node's present cell by simple geometric calculations. Consider node IDL,, as an ex-

ample. Its location I ,,, i.e., (XA~,,,YA~,), will satisfy (m 1)r ( XL,, -Xo < mr

andl (no 1) ,-Yo < ur. Then the leading robot derives Km,n, = IcH(m || n)
and a set of authenticators Vm,nI, = {vJ, I,,| ir J I t 1}, where v~i,) = 8(Km,~,,n, )

and v$~, = (H(Fy || n || n), W1) for 1 i. j 6 t 1 Note that it just needs to

do these computations once for each cell. Next, the leading robot calculates KLi,n

t- H(Fy || mr || n)(DLn, || Im i" +3$IIL~ Em~ OI GI, eferred to as node Iln,,,'s share of

K~m,,. Finally, KL,, and Vm,n are securely sent to node ID~,, along with Pm" and its LBK<
(cf. Section 5.3.2).

G I denotes the set GI \ {0} where O is the identity element of Gi.

Full Text