
Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE

Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006


Presenter: Hsin-Ruey, Tsai

Introduction Related work Design goals and system models IKM design Performance evaluation

Introduction
MANET: Mobile ad hoc network
Infrastructureless, autonomous, stand-alone wireless networks.

Key management: Serverless


Two intuitive symmetric-key solutions:
1. Preload all the nodes with a global symmetric key.
2. Let each pair of nodes maintain a unique secret that is only known to those two nodes.

Certificate-based cryptography (CBC)
Use public-key certificates to authenticate public keys by binding public keys to the owners' identities.

Preload each node with all the others' public-key certificates prior to network deployment.

Drawbacks: network size; key update is not done in a secure, cost-effective way.

ID-based cryptography (IBC)
Eliminates the need for public key distribution and certificates.
Master key: shareholders collaboratively issue ID-based private keys.

Drawbacks: all or some nodes are shareholders.
1. Compromised nodes may exceed the threshold number.
2. Key update incurs significant overhead.
3. How to select the secret-sharing parameters.
4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.

ID-based key management (IKM)


A novel construction method of ID-based public/private keys.
Each node's public key and private key is composed of a node-specific, ID-based element and a network-wide common element.
Node-specific element: does not jeopardize noncompromised nodes' private keys.
Common element: efficient key updates via a single broadcast message.

Determining secret-sharing parameters used with threshold cryptography.
Identify pinpoint attacks against shareholders.

Simulation studies of advantages of IKM over CBC-based schemes.
IKM has performance equivalent to CBC-based schemes, denoted by CKM, while it behaves much better in key updates.


Related work
CBC and (t, n) threshold cryptography

N is the number of nodes, with $t \le n < N$.

CA's public key; CA's private key, divided into n shares (D-CAs) among the N nodes.
t D-CAs: certificate generation and revocation.
Tolerates the compromise of up to (t-1) D-CAs and the failure of up to (n-t) D-CAs.

Pairing Technique
Let p, q be two large primes.
$G_1$: a q-order subgroup of the additive group of points of $E/\mathbb{F}_p$.
$G_2$: a q-order subgroup of the multiplicative group of the finite field $\mathbb{F}_{p^2}^*$.
Pairing: $e : G_1 \times G_1 \to G_2$

Bilinear: for all $P, Q, R, S \in G_1$,
$$e(P+Q, R+S) = e(P, R)\,e(P, S)\,e(Q, R)\,e(Q, S).$$
Consequently, for all $a, b \in \mathbb{Z}_q^*$,
$$e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^{ab}.$$


Design goals
MANETs should satisfy the following requirements:

1. Each node is without attack originally.
2. Compromise-tolerant.
3. Efficiently revoke and update keys of nodes.
4. Be efficient, because nodes are resource-constrained.

Network & Adversary Model


Network model: special-purpose, single-authority MANET consisting of N nodes.

Adversary model:

1. Only a minority of members are compromised/disrupted.
2. Can't break any of the cryptographic primitives.
3. Static adversaries.
4. Exhibit detectable misbehavior.

Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is the number of D-PKGs, t is the threshold number).


Network Initialization
PKG generates the pairing parameters (p, q, e) and selects a generator $W$ of $G_1$.
$H_1$: hash function that maps binary strings to nonzero elements in $G_1$.
$K_{P_1}, K_{P_2} \in \mathbb{Z}_q^*$ are the master secrets, with $W_{P_1} = K_{P_1} W$ and $W_{P_2} = K_{P_2} W$.

PKG preloads the parameters $(p, q, e, H_1, W, W_{P_1}, W_{P_2})$ to each node, while $K_{P_1}, K_{P_2}$ should never be disclosed to any single node.

Secret Sharing
Enable key revocation and update.
PKG performs a (t, n)-threshold secret sharing of $K_{P_2}$
(t: threshold number; n: number of D-PKGs; N: number of nodes).

PKG distributes its functionality to n D-PKGs.
PKG preloads to D-PKG: (verifiable)

Lagrange interpolation (Lagrange coefficients) once the threshold of t elements is reached:
$K_{P_2}$ can then be reconstructed by computing g(0) with at least t elements.
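
An added example (not from the slides or the paper) of the (t, n)-threshold sharing described above: plain Shamir sharing over Z_q, with g(0) recovered by Lagrange interpolation. The modulus Q, the share indices 1..n and all function names are assumptions; the verifiability check noted on the slide is not included.

```python
import secrets

# Assumption: this prime stands in for the pairing group order q.
Q = 2**127 - 1

def share_secret(k_p2, t, n, q=Q):
    """PKG side: random g of degree t-1 with g(0) = k_p2; D-PKG i gets g(i)."""
    if not 1 <= t <= n < q:
        raise ValueError("need 1 <= t <= n < q")
    coeffs = [k_p2 % q] + [secrets.randbelow(q) for _ in range(t - 1)]

    def g(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod q
            acc = (acc * x + c) % q
        return acc

    return {i: g(i) for i in range(1, n + 1)}

def lagrange_coeff(i, ids, q=Q):
    """Coefficient of share i when evaluating at x = 0: prod_{j != i} j / (j - i)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % q
            den = den * (j - i) % q
    return num * pow(den, -1, q) % q

def reconstruct(shares, t, q=Q):
    """Recover g(0) from any t shares {id: g(id)}; refuse fewer than t."""
    if len(shares) < t:
        raise ValueError("fewer than t shares: g(0) is not determined")
    ids = sorted(shares)[:t]
    return sum(shares[i] * lagrange_coeff(i, ids, q) for i in ids) % q

if __name__ == "__main__":
    k_p2 = secrets.randbelow(Q - 1) + 1   # constructed master secret in Z_q^*
    shares = share_secret(k_p2, t=3, n=5)
    # Any 3 of the 5 D-PKGs suffice, so up to n - t = 2 may be disrupted.
    assert reconstruct({i: shares[i] for i in (1, 3, 5)}, 3) == k_p2
    assert reconstruct({i: shares[i] for i in (2, 4, 5)}, 3) == k_p2
    # Two shares interpolated as a line miss the secret (except with chance 1/q).
    print(reconstruct({1: shares[1], 2: shares[2]}, 2) == k_p2)
```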

Generation of ID-Based Public/Private Keys


Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by $p_i$ for $1 \le i < M$, where M is the maximum possible phase index.
$p_i$ is associated with a unique binary string, called a phase salt, $salt_i$.

Node-specific element: remains unchanged and is kept confidential to A itself.
Phase-specific element: varies across key-update phases.

Due to the difficulty of solving the DLP in $G_1$, it is computationally infeasible to derive the network master secrets $K_{P_1}$ and $K_{P_2}$ from an arbitrary number of public/private key pairs.

Cannot deduce the private key of any noncompromised node.

Key Revocation
Misbehavior Notification

B accuses A (shared key with V, timestamp).
Notes: communication overhead; resilient.

Revocation Generation
If the accusations are over the threshold, A is diagnosed; revocation takes the joint efforts of t D-PKGs.

The t D-PKGs with the smallest IDs generate the revocation; the one with the lowest ID is the revocation leader.
1. The revocation leader sends the accumulated accusations.
2. The D-PKGs respond after verifying the accusations: each generates a partial revocation and sends it to the revocation leader.
3. The revocation leader accumulates the partial revocations into the complete revocation.

Partial revocations, revocation leader, complete revocation.
denote the t D-PKGs participating in revocation generation.
It is possible that one or several members of A are unrevoked compromised nodes, which might send wrongly computed partial revocations.
Revocation leader check:
- If equivalent: floods to each node.
- If not equivalent: check each node.

If D-PKGs in do not receive a correct revocation against A in a certain time, the revocation leader itself is a compromised node; the D-PKG with the second lowest ID succeeds as the revocation leader.

As long as there is at least one noncompromised D-PKG in and there are at least t noncompromised D-PKGs in , a valid accusation against node A can always be generated.

Key Update
Public key:
(B just performs two hash operations)

Private key:
needs the collective efforts of t D-PKGs in

Z randomly selects (t-1) other nonrevoked D-PKGs and sends them a request.
These t D-PKGs, including Z itself, each generate a partial common private-key element (check).

To propagate the updated common private-key element securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme.

Key-Update Parameters
: set of nodes revoked until phase $p_i$
: maximum number of compromised nodes
PKG picks M distinct degree polynomials, denoted by and M distinct degree polynomials

Z broadcasts

Revoked node

is a point on $E/\mathbb{F}_p$, its x-coordinate can be uniquely determined from its y-coordinate.

IKM design
Choosing Secret-Sharing Parameter t, n

All the adversaries can do is attempt to compromise or disrupt randomly picked nodes, with the expectation that those nodes happen to be the D-PKGs. They compromise and disrupt up to $N_c \ge t$ and $N_d \ge n-t+1$ nodes, respectively.
Define $Pr_c$ and $Pr_d$ as the probabilities that at least t out of $N_c$ compromised nodes and at least (n-t+1) out of $N_d$ disrupted nodes happen to be D-PKGs.


Performance evaluation
CKM vs. IKM: GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB memory.
