IEEE
Introduction Related work Design goals and system models IKM design Performance evaluation
Introduction
MANET: Mobile ad hoc network
Infrastructureless, autonomous, stand-alone wireless networks.
Certificate-based cryptography (CBC)
Use public-key certificates to authenticate public keys by
ID-based cryptography (IBC)
Eliminate the need for public key distribution and certificates.
ID-based private keys
Master-key
collaboratively issues
Drawbacks: All/some are shareholders
1. More compromised nodes than the threshold number.
2. Key update is a significant overhead.
3. How to select the secret-sharing parameters.
4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.
private keys.
Each node's public key and private key are composed of a node-specific, ID-based element and a network-wide common element.
Node-specific element: does not jeopardize noncompromised nodes' private keys.
Common element: efficient key updates via a single broadcast message.
threshold cryptography.
Identify pinpoint attacks against shareholders.
CBC-based schemes.
IKM has performance equivalent to CBC-based schemes, denoted by CKM, while it behaves much better in key updates.
Related work
CBC and (t, n) threshold cryptography
D-CA
N nodes
t D-CAs
Certificate generation and revocation
Tolerate the compromise of up to (t-1) D-CAs
The failure of up to (n-t) D-CAs
Pairing Technique
p, q be two large primes
G1 a q-order subgroup of the additive group of point of E/Fp
G2 a q-order subgroup of the multiplicative group of the
e(P+Q, R+S) = e(P, R) e(P, S) e(Q, R) e(Q, S)
Consequently, for all a, b belonging to Z*q:
e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^(ab)
Design goals
MANETs should satisfy the following requirements:
1. Each node is without attack originally.
2. Compromise-tolerant.
3. Efficiently revoke and update keys of nodes.
4. Be efficient because of resource-constrained.
1. Only minor members are compromised/disrupted.
2. Cannot break any of the cryptographic primitives.
3. Static adversaries.
4. Exhibit detectable misbehavior.
Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is the number of D-PKGs, t is the threshold number).
Network Initialization
PKG generates the pairing parameters (p, q, e) and selects a generator W of G1.
H1: hash function that maps binary strings to nonzero elements in G1.
Kp1, Kp2: belong to Z*q and are master-secrets.
Wp1 = Kp1 W, Wp2 = Kp2 W
PKG preloads parameters (p, q, e, H1, W, Wp1, Wp2) to each node, while Kp1, Kp2 should never be disclosed to any single node.
Secret Sharing
Enable key revocation and update.
PKG performs a (t, n)-threshold secret sharing of Kp2.
(t nodes number of threshold) (n D-PKGs ) (N nodes)
PKG
distributes functionality to n D-PKGs Lagrange interpolation reach threshold t t elements Lagrange coefficient
n D-PKGs
PKG preloads to D-PKG:
2
(verifiable)
node-specific
phase-specific
Our IKM is composed of a number of continuous, nonoverlapping key update phases, denoted by pi for 1 ≤ i < M, where M is the maximum possible phase index.
Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master-secrets Kp1 and Kp2 from an arbitrary number of public/private key pairs.
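The (t, n)-threshold sharing of Kp2 described above, as an added example that is not part of the original slides. It assumes the standard Shamir construction over Z_q with Lagrange interpolation at x = 0; the modulus Q and all function names are constructed for illustration and are not the scheme's real parameters.

```python
import secrets

# Constructed toy modulus (a Mersenne prime) standing in for the group order q.
Q = 2**127 - 1

def share_secret(secret, t, n, q=Q):
    """Split `secret` into n shares so that any t of them reconstruct it."""
    if not (1 <= t <= n < q):
        raise ValueError("need 1 <= t <= n < q")
    # Random polynomial f of degree t-1 with f(0) = secret.
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod q
            acc = (acc * x + c) % q
        return acc

    # D-PKG number i receives the share (i, f(i)).
    return [(i, f(i)) for i in range(1, n + 1)]

def lagrange_coefficient(i, xs, q=Q):
    """Lagrange coefficient of index i for interpolation at x = 0 over xs."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = (num * (-j)) % q
            den = (den * (i - j)) % q
    return (num * pow(den, -1, q)) % q

def reconstruct(shares, q=Q):
    """Interpolate f(0) from a list of (index, value) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    return sum(y * lagrange_coefficient(x, xs, q) for x, y in shares) % q

def demo(t=3, n=5):
    kp2 = secrets.randbelow(Q - 1) + 1       # constructed stand-in for Kp2
    shares = share_secret(kp2, t, n)
    surviving = shares[n - t:]               # n-t D-PKGs disrupted, t remain
    captured = shares[:t - 1]                # t-1 D-PKGs compromised
    return kp2, reconstruct(surviving), reconstruct(captured)

if __name__ == "__main__":
    kp2, from_t, from_fewer = demo()
    print("t shares recover Kp2:  ", from_t == kp2)
    print("t-1 shares recover Kp2:", from_fewer == kp2)
```

The demo mirrors the stated tolerance bounds: any t surviving shares recover the secret after (n-t) failures, while (t-1) captured shares interpolate to an unrelated value.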
Key Revocation
Misbehavior Notification
B
accuses A shared key with V timestamp
communication overhead
resilient
Key Revocation
Revocation Generation
If over threshold diagnose joint efforts of t D-PKGs
t D-PKGs in generates
Key Revocation
Partial revocations
Revocation leader
Complete revocation
denote the t D-PKGs participating in revocation generation
It is possible that one or several members of A are unrevoked compromised nodes which might send wrongly computed partial revocations.
Revocation leader check
Floods to each node
If not equivalent
Key Revocation
If D-PKGs in do not receive a correct revocation against A in a certain time
As long as there is at least one noncompromised D-PKG in and there are at least t noncompromised D-PKGs in , a valid accusation against node A can always be generated.
Key Update
Public key:
(B just performs two hash operations)
Private key:
needs the collective efforts of t D-PKGs in
send request
generate a partial common private-key element check
Key Update
To propagate
securely to all the nonrevoked nodes, we use a variant of the self-healing group key distribution scheme
: set of nodes revoked until phase pi
Key-Update Parameters
maximum number of compromised nodes
PKG picks M distinct degree polynomials, denoted by and M distinct degree polynomials
Z broadcasts
Revoked node
is a point on E/Fp, its x-coordinate can be uniquely determined from its y-coordinate.
IKM design
Choosing Secret-Sharing Parameter t, n
All they can do is attempt to compromise or disrupt randomly picked nodes, with the expectation that those nodes happen to be the D-PKGs.
Compromise and disrupt up to Nc >= t and Nd >= n-t+1 nodes.
Prc and Prd: the probabilities that at least t out of Nc compromised nodes and (n-t+1) out of Nd disrupted nodes happen to be D-PKGs.
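One way to evaluate Prc and Prd when choosing t for a given n, as an added example that is not from the original slides. It assumes the adversary picks nodes uniformly at random without replacement among N nodes, which gives a hypergeometric tail; the function names and the "minimise the larger of the two" selection rule are assumptions made here.

```python
from math import comb

def pr_at_least(N, n, picked, k):
    """Pr[at least k of `picked` uniformly chosen nodes are among the n D-PKGs]."""
    if not (0 <= n <= N and 0 <= picked <= N):
        raise ValueError("need 0 <= n <= N and 0 <= picked <= N")
    k = max(k, 0)
    # Hypergeometric tail: i D-PKGs and (picked - i) ordinary nodes are hit.
    hits = sum(comb(n, i) * comb(N - n, picked - i)
               for i in range(k, min(n, picked) + 1))
    return hits / comb(N, picked)

def sweep_threshold(N, n, Nc, Nd):
    """Return (t, Prc, Prd) for every threshold t in 1..n."""
    rows = []
    for t in range(1, n + 1):
        prc = pr_at_least(N, n, Nc, t)           # t compromised D-PKGs leak Kp2
        prd = pr_at_least(N, n, Nd, n - t + 1)   # n-t+1 disrupted D-PKGs block service
        rows.append((t, prc, prd))
    return rows

def balanced_t(N, n, Nc, Nd):
    """Threshold that minimises max(Prc, Prd) (assumed selection rule)."""
    return min(sweep_threshold(N, n, Nc, Nd), key=lambda r: max(r[1], r[2]))[0]

if __name__ == "__main__":
    # Constructed scenario: 100 nodes, 10 D-PKGs, 20 compromised, 20 disrupted.
    for t, prc, prd in sweep_threshold(100, 10, 20, 20):
        print(f"t={t:2d}  Prc={prc:.3e}  Prd={prd:.3e}")
    print("balanced t:", balanced_t(100, 10, 20, 20))
```

Raising t lowers Prc and raises Prd, so the sweep makes the confidentiality versus availability trade-off of the parameter choice explicit.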
Performance evaluation
CKM vs IKM
GloMoSim, a popular MANET simulator, on a desktop
Performance evaluation