Providing security support for mobile ad-hoc networks is challenging for ... wireless mobile network may consist of a large number of networking nodes with ...
Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks∗ Haiyun Luo, Jiejun Kong, Petros Zerfos, Songwu Lu, Lixia Zhang Computer Science Department University of California at Los Angeles {hluo,jkong,pzerfos,slu,lixia}@cs.ucla.edu
Abstract Providing security support for mobile ad-hoc networks is challenging for several reasons: (a) wireless networks are susceptible to attacks ranging from passive eavesdropping to active interfering, occasional break-ins by adversaries may be inevitable in a large time interval; (b) mobile users demand “anywhere, anytime” services; (c) a scalable solution is a must for a large-scale mobile network. In this paper, we describe our solution that supports ubiquitous security services for mobile networking nodes, scales to network size, and is robust against break-ins. In our design, we distribute the functions of the certification authority through a threshold secret sharing and scalable multi-signature mechanism, in which each node holds a secret share and multiple nodes in a local neighborhood jointly provide complete services. Localized certification schemes are devised to realize ubiquitous service availability. We also update the secret shares to further enhance robustness against break-ins. We demonstrate in this paper the criticality of the localized mechanisms for our design and implementation to scale up with network size and dynamics. Through both analysis and experimental results, we show how we provide ubiquitous and robust certification services to mobile nodes through communication efficient design that closely matches the ad hoc nature of the network.
1
Introduction
In recent years, infrastructureless ad hoc networking technologies such as MANET and Bluetooth have received critical attention in both academia and industry. This emerging technology seeks to provide users secure service access “anytime” and “anywhere” in a potentially large ad hoc wireless network. The growing commercial and military deployments of these networks have made security design increasingly important. The lack of infrastructure support in mobile ad hoc networks introduces additional challenges to the designers of a security system: (a) Security services in open medium ad hoc wireless networks are vulnerable to denial-of-service (DoS) attacks. Simple channel jamming can effectively turn the security ∗
An early version of this paper appeared in IEEE ICNP 2001.
1
servers off-line; (b) Mobility-induced wireless link breakage and wireless channel errors make timely communications over multihop highly unreliable; (c) Occasional break-ins in a large mobile network are inevitable over a large time interval; (d) A scalable solution is a must for large-scale networks with dynamic node leaves and joins. In this paper, we address these issues through a localized trust model where the functionality of security servers is distributed to each networking node’s locality. Each node contributes to the overall system through local efforts and collaboratively the nodes in the network selfsecure themselves. Confidentiality, authentication, integrity, non-repudiation and access control are considered as the main services of a security system. Among these services authentication has been identified as the bottleneck. The compromise of the authentication service breaks down the whole security system, and we cannot proceed to provide the other services without the valid identities of communicating parts being successfully established [35]. Once the authenticated communication channels are established, confidentiality, integrity and non-repudiation can be further realized by following typical key exchange protocols. This paper takes the certificate-based authentication approach based on asymmetric cryptographic de facto standard RSA. We focus on the certification services in ad hoc wireless networks. Our design has been driven by the following four goals: (a) Ubiquitous service availability for mobile users: our services must be available everywhere and be robust against potential DoS attacks. (b) Robustness against breakins: complete intrusion-free systems are expected to be costly and unrealistic. Our design seeks to work in the presence of break-ins under a certain threshold. (c) Scalability to large dynamic network size: a wireless mobile network may consist of a large number of networking nodes with dynamic node leaves and joins. Our design should scale to the network size. (d) Communication efficiency: wireless channel is bandwidth-constrained and error-prone. Routing in infrastructureless ad hoc wireless networks is unreliable due to the mobility-induced link breakage and reconnection [18]. Our design should work without assumptions on the reliability of the underlying wireless transport layer protocols [3, 29] and ad hoc routing mechanisms [4]. Moreover, the protocols should be communication efficient with balanced load over the network. We demonstrate in this paper the criticality of localized mechanisms for our design and implementation to scale up with the network size and the network dynamics. Our main contributions in this paper are as follows: • A localized trust model that characterizes security concerns for nodes in ad hoc wireless networks. • A distributed and localized authentication architecture that realizes the trust model to support mobile networking nodes with ubiquitous service availability against DoS attacks and robustness against break-ins. • A suite of fully distributed and localized algorithms and protocols. The implementations are communication efficient and independent from the underlying wireless transport layer protocols and ad hoc routing mechanisms. The computation and communication loads are balanced over the network. The rest of this paper is organized as follows. Section 2 compares with related works. We propose our localized trust model and define the network and adversary model in Section 3. Section 4 outlines the overall architecture. Section 5 presents the detailed algorithms and protocols for our localized certification services. Section 6 presents our self-initialization and share update mechanisms. Section 7 presents 2
our implementation in UNIX and the ns-2 network simulator. We discuss several issues in Section 8 and conclude this paper in section 9.
2
Related Works
Popular network authentication architectures include Kerberos [31] and standard X.509 [17]. Two communicating entities authenticate each other via a globally trusted certificate authority (CA). While the architecture gains great popularity in wired networks of manageable scale, it does not work well in a large ad hoc wireless network for several reasons: (a) Ad hoc networks provide no infrastructure support. The cost of maintaining such centralized servers for a large ad hoc network may be high. (b) The CA servers are exposed to single points of compromises and failures. They are inviting targets of malicious attacks. (c) To handle potential node break-ins in an ad hoc environment, certification servers have to either limit the certificate lifetime or provide certificate revocation service. Both cases lead to heavy communication with the certification servers for either certificate renewal or revocation list check, which aggregate the scalability issue for large ad hoc networks. It may cause severe wireless channel contention and network congestion around the CA servers. (d) Multihop communication over the error-prone wireless channel exposes the data transmission to high loss rate that leads to significantly high average latency [18]. Variations such as hierarchical CA’s and CA delegations [24] ameliorate, but cannot solve the problem of service availability and robustness. In our design, we fully distribute the authentication services into each individual node’s locality to ensure maximal service availability and robustness. The following simulation results in ns-2 demonstrate the problem of centralized and hierarchical CA architectures in wireless ad hoc networks. We use certificate renewal service as the example. The mobility speed is set to 5 m/sec. Various network sizes ranging from 30 nodes to 100 nodes are tested. In Figure 1, we observe that the success ratio, defined as the percentage of successful certificate renewals over all requests during the simulation time, is low for centralized approaches (around 70% – 90%), while our scheme is close to 100%. Figure 2 shows the average delay experienced by nodes that request certificate renewal services. Even contacting with local CAs has much larger delay compared with our fully localized approach. Avg. Delay − Localized CR vs. CA, Mobility 5m/sec
Success Ratio − Localized CR vs. CA, Mobility 5m/sec 100
60
90
Localized Cert. Renewal Central Authority − 1 serv. Central Authority − 4 serv.
50
80
Avg. Delay (sec)
Success Ratio (%)
70
60
50
40
40
30
20 30
20
0 30
10
Localized Cert. Renewal Central Authority − 1 serv. Central Authority − 4 serv.
10
40
50
60
70
80
90
0 30
100
40
50
60
70
80
90
100
# of Nodes
# of Nodes
Figure 1. Success ratio vs. node #
Figure 2. Avg. delay vs. node #
There were several proposals of building logical infrastructure for ad hoc networks such as clustering [19] and virtual backbone [28, 32]. To avoid additional overhead and complexity, we do not assume 3
infrastructure support in our design. Communication issues in ad hoc wireless networks are addressed through fully distributed service model and its localized implementation in our architecture. PGP [11, 1] follows a “web-of-trust” authentication service model. In PGP each entity configures certificates that are learned by out-of-band means. A certificate is accepted if it bears a threshold number of signatures from entities that are already known to be trustworthy. However, this approach does not scale beyond a relatively small community of trusted individuals. In a mobile system, any two entities will potentially meet, communicate with, and route packets for each other. It would be difficult for each entity to maintain a long list of trusted friends, potentially as large as the list that contains all nodes in the whole network. We address the scalability issue through a localized trust model where a locally trusted entity that is identified by a fixed-length certificate is globally accepted. SPKI/SDSI [25] is a key distribution system that attempts to simplify the complex data structures and specifications of the X.509 standard. Principals are public keys in SPKI/SDSI. They act as certification authorities for their own namespaces. However, those simplification efforts follow a language-oriented approach. They emphasize clarity and readability, while networking issues are barely addressed. Our incentives are more network-concerned and particular attention has been paid to the characteristics of the ad hoc wireless environment. Security function sharing has been a very active research area in the literature [13, 10, 33, 9, 12, 8]. where threshold secret sharing [27] serves as a basic primitives. Resilience against compromised nodes is enhanced by distributing the functionality of the centralized CA servers among a fixed group of servers. Proactive secret sharing [14] can further improve robustness via periodic secret share updates. However, the focus of these works is to maximize the security of the shared secret in the presence of possible compromises of the secret share holders. They typically assume a small group of a few servers with rich connectivity. Our scheme is motivated by these works, but extends the idea further in an attempt to minimize the effort and complexity for mobile clients to locate and contact the service providers. We devise scalable algorithms and protocols to enable the distribution of the certification services into every node. There is no differentiation of servers and clients in our architecture any more: a threshold number of any nodes can collaboratively act as servers to provide services for other nodes. Besides, our solution typically works within one-hop neighborhood and does not involve multihop wireless communication. This makes our system immune from the unreliability of the underlying wireless transport layers [3, 29] and the routing protocols for ad hoc networks [4]. Furthermore, the impacts of attacks and adversary break-ins are isolated and minimized. There are several recent workes on security in wireless networks. [7] proposes a Kerberos-based authentication scheme for mobile users in wireless cellular networks. [35] directly applies the threshold secret sharing and proactive secret share update techniques in a group of “special nodes” to increase service availability and robustness. Instead of following the conventional client-server model, we suggest a peer-to-peer approach to maximize availability and facilitate localized communication.
3
System Models
3.1
Network Model
We consider an ad hoc wireless network with n mobile nodes. Nodes communicate with one another via the bandwidth-constrained, error-prone, and insecure wireless channel. n may be dynamically changing as mobile nodes join, leave, or fail over time. Besides, n is not constrained; there may be 4
a large number of networking nodes. The network provides neither physical nor logical infrastructure support. For our design, the reliability of multihop packet forwarding based on underlying transport layer and ad hoc routing is not assumed. We make the following assumptions. (1) The public key P K for certificate verification is well-known to each networking node (see Section 4.1 for a clarification). (2) Communication between one-hop neighboring node is considered more reliable compared with multihop communication. (3) Each node has at least k one-hop legitimate neighboring nodes. (4) Each node is equipped with some local detection mechanism to identify misbehaving nodes among its one-hop neighborhood. One-hop communication is more reliable due to the limited exposure to channel errors, as well as the built-in error detection and one-hop retransmission mechanisms in IEEE 802.11 standard. We take the advantage of the fact that nodes are connected with multiple routes in typical ad hoc networks. The network density assumption quantitatively characterizes this redundancy. The assumption of local detection mechanisms is based on the observation that although intrusion detection in ad hoc networks is generally much more difficult than in their wired counterpart [34], monitoring and detecting misbehaviors among one-hop neighbors are readily easier and more practical due to the broadcast nature of the wireless transmission [22]. 3.2
Localized Trust Model
The notion of trust is fundamental in authentication protocols. In the dominating TTP (trusted third party) trust model [24], an entity is trusted by a central authority (CA)’s claim. While the implementations of the TTP model feature the efficiency and manageability as centralized systems, they suffer from the scalability and robustness problems. In PGP “web-of-trust” model [11] each entity manages its own trust based on direct recommendation. [2] seeks to quantify the trust and recommendation to reason trustworthiness on line. To ensure the practicality in an ad hoc wireless network, our model follows the tenet that trust be defined and evaluated locally. In our localized trust model, an entity is trusted if any k trusted entities claim so within a certain time period Tcert . These k entities are typically among the entity’s one-hop neighbors. A locally trusted entity is globally accepted while a locally distrusted entity is regarded as untrustworthy anywhere. k and Tcert are two important parameters with Tcert characterizing the evolving nature of trust [2]. There are two possible options to set k. The first is to set it as a globally fixed parameter that is honored by each entity in the system. In this case, k acts as a system-wide trust threshold. The second option is to set k as a location-dependent variable. For instance, k may be the majority of each node’s neighboring nodes. This second option features the flexibility to fit in specific network topologies. However, there is no clear system-wide trust criterion. Due to lack of effective mechanisms to authoritatively determine a node’s neighborhood in a mobile environment, the adversaries may take the advantage of it. In our design, we choose the first option with a network-wide fixed k that is tuned according to the network density and system robustness requirements. Trust management and maintenance are distributed in both space (k) and time (Tcert ) domains in our localized trust model. This property is particularly appropriate for a large dynamic ad hoc wireless network, where centralized trust management would be difficult or expensive. Besides, a node indeed cares most the trustworthiness of its immediate neighbors in practice. This is because a node relies on it neighboring nodes to communicate with the rest of the world.
5
3.3
Adversary Models
Our design handles two kinds of attacks: the DoS attacks and node break-ins. Adversaries may issue DoS attacks from various layers of the network stack ranging from physical layer interfering and jamming, network layer Smurf and Teardrop, transport layer TCP flooding and SYN flooding, and numerous attacks in the application layer [15]. Our architecture seeks to isolate and minimize DoS attacks’ impact by maximizing the service availability into each node’s locality. For adversaries that attack the system by compromising networking nodes, we assume that the underlying cryptographic primitives such as RSA are practically secure in term of the computation power of the attackers. However, we do allow occasional break-ins through factors such as insecure OS, software bugs and backdoors etc. Several adversaries may conspire into a group. For ease of presentation we denote such an adversary group by a single adversary. We characterize the adversaries in the following two models as proposed in [14]: • Model I: During the entire lifetime of the network, the adversary cannot break or control k or more nodes. • Model II: Assume time is divided into intervals of length T . During any time interval, the adversary cannot break or control k or more nodes. Although at any time constant it cannot break or control k or more nodes, the adversary of model II can choose its victims at each time interval. As time goes on each node in the network can be broken during some time interval. We modify the RSA multi-signature algorithms based on threshold secret sharing to handle the adversary of model I (Section 5), and further employ a distributed share update techniques to handle model II adversaries (Section 6).
4
The Architecture
In this section we present our overall architecture. Our design employs the asymmetric cryptographic primitives, specifically the de facto standard RSA. We take the certificate based authentication approach. 4.1
Primitives
Authentication via certificates In our architecture, each networking node’s ID vi is associated with a personal RSA key pair < pk i , sk i >. pk i is vi ’s public key for encryption and verification. sk i is vi ’s private key for decryption and signing. For authentication purpose, node vi has to prove its knowledge of the private key sk i , and the authenticity of its advertised public key pk i . A challenge/response protocol can be followed to prove the knowledge of the private key sk i , and the association is proved by a certificate. Generally a certificate CERTi is a statement certi that is signed by some trusted authority. The statement certi may read: “It is certified that the personal public key of node vi until time t is pk i .” In RSA, CERTi = (certi )SK mod N , where SK is the exponent of the trusted authority’s private key. The authority’s public key P K is assumed to be well-known. Other nodes verify the vi ’s certificate by applying P K to check if certi = (CERTi )P K mod N . Certification services Certification services include issuing/renewing certificates, revoking certificate, storing and retrieving certificates and certificate revocation lists (CRLs) [16]. Each certificate is 6
stamped with an expiration time. Nodes have to obtain a new certificate before expiration. The revocation service maintains the CRLs of revoked certificates. Polynomial secret sharing Our design makes extensive use of the polynomial secret sharing due to Shamir [27]. A secret, specifically the exponent of the certificate signing key SK, is shared among all n nodes in the network according to a random polynomial of order k − 1. A coalition of k nodes with k polynomial shares can potentially recover SK by Lagrange interpolation, while no coalition up to k − 1 nodes yields any information about SK. Proactive secret share update To further defend the polynomial secret sharing against the model II adversaries, Herzberg et al. proposed periodical secret share updates with different polynomials [14]. We employ this technique to further improve the the robustness of our system against adversaries of model II. 4.2
Overview
In our architecture, each node carries a certificate signed with SK. P K is assumed to be well-known for certificate verification. Nodes without valid certificates are treated as adversaries and denied from access to any network resources such as packet forwarding and routing. When a mobile node moves to a new location, it exchanges certificates with its new neighbors. Authenticated neighboring nodes help each other forward and route packets. They also monitor each other to detect possible misbehaviors and break-ins. Specific monitoring mechanisms are left to each individual node’s choice. 4.2.1
Localized certification services
Certificates are stamped with expiration time. Nodes have to be issued a new certificate upon the expiration of its old certificate. In the centralized authentication architecture, nodes have to contact a CA server for this service. In our architecture, we distribute the exponent of the certificate signing key SK into each node of the network with a polynomial of order k − 1. Node vi requests new certificate from any coalition of k nodes, typically among its one-hop neighbors. Upon receipt of vi ’s certification request, a node vj checks its records. If its record shows vi as a well-behaving legitimate node, vj returns a “partial” certificate by applying its share of SK. Otherwise the request is dropped. By collecting k partial certificates, vi combines them together to generate the full new certificate as if it were from a CA server with complete SK. A misbehaving or broken node that is detected by its neighbors will be unable to renew its certificate. It will be cut off from the network at the expiration of its current certificate. A valid certificate in our system represents the trust of a coalition of k nodes. Nodes with valid certificates are globally trusted. A node without a valid certificate will be denied network access. Each node contributes to the overall trust management and maintenance by monitoring and certifying its neighboring nodes. By this means, we realize the localized trust model as proposed in Section 3.2. Adversaries or compromised nodes will be effectively isolated once detected. Their impact on the overall network is localized and minimized. 4.2.2
Self-initialization and distributed secret share updates
At the bootstrapping phase of the network, a dealer has to send each networking node privately its share of the SK, according to a polynomial of order k − 1. We denote this process the “initialization” of the network. A large ad hoc wireless network may contain hundreds or even thousands of networking nodes. 7
Relying on the dealer for the initialization, as most works in threshold secret sharing [13, 10, 33, 9, 12, 8] do, is not scalable and may not be feasible. Moreover, new nodes may join during the lifetime of the network. Maintaining a dealer on line to handle future node joins would compromise the overall system robustness and security. The dealer would become the single point of failure. Moreover, as the dealer holds the complete SK, maintaining a dealer on line also increases the adversaries’ chance to compromise the dealer and therefore SK, thus effectively turn down the whole services. We address these issues by a scalable initialization mechanism called “self-initialization”. In our architecture, the dealer is only responsible to initialize the very first k nodes, no matter how large the network would be. The initialized nodes collaboratively initialize other nodes, typically their neighboring nodes. Repeating this procedure that is analogous to a diffusion wave, the network progressively “self-initializes” itself. The same mechanism is applied when a new node joins. The node only need contact its neighbors in its locality. Each of its neighbor returns a “partial” share of SK. By collecting k such partial shares and combining them together, the node is initialized with its full share of SK. The security of the certificate signing key SK is protected by the k-threshold polynomial sharing mechanism. It is robust against adversaries of model I as defined in Section 3.3. In this paper, we enhance the security of SK by employing a distributed secret share update algorithm based on our self-initialization mechanism to handle model II adversaries. By distributing the certification services into each node’s one-hop locality, we realize ubiquitous service availability for mobile nodes and robustness against DoS attacks. Our protocols are immune from the unreliability of underlying transport layer protocols and ad hoc routing mechanisms. By the distributed periodic secret share update, the system maintenance overhead is balanced over the network, hot spots of congestion are avoided.
5
Localized Certification Service
In this section, we present our algorithms and protocols that realize distributed and localized certification services, specifically the certificate renewal, certificate revocation and certificate revocation list (CRLs) maintenance. We modify the multi-signature algorithm with a technique named k-bounded coalition offsetting, together with an optimization named dynamic coalescing, to enable scalable multisignature generation in large ad hoc wireless networks with dynamic node membership. We assume each networking node obtains its initial certificate through some out-of-band mechanisms and policies that are predefined before the ad hoc network is formed. 5.1
Scalable Certificate Renewal
Distributed certificate renewal consists of two parts: the distribution mechanism of the exponent of the certificate signing key SK, and the multi-signature generation mechanism based on the SK distribution mechanism. In this section, we present the algorithms and protocols for the node that is requesting a new certificate, and the coalition of k nodes that are collaboratively serving the request. We delay to Section 5.2 the policies of how a node decides to serve or drop a certification request. 5.1.1
Existing approaches on secret sharing & multi-signature generation
There are mainly two secret sharing mechanisms in the literature: polynomial secret sharing [27] and additive secret sharing [10]. Applications of additive secret sharing in multi-signature have appeared in 8
local broadcast
local broadcast
responding unicasts
responding unicasts
reply
reply
SK2
reply
reply
cert
SK1
cert
cert
hacked
cert
Pv1
moving away
Pv2
reply SK3
broadcast
reply
cert
request
cert
reply
vi
fail
cert
Pv3
SK5
cert
reply
reply
cert
SK4
Pv5
reply cert
cert
Pv4
under attack attacker
Figure 3. Certificate renewal
Figure 4. Dynamic coalescing
[33, 10, 12]. However, additive secret sharing cannot handle dynamic grouping effectively. Each node has to maintain multiple shares, which is not a scalable option for large systems. Polynomial secret sharing features the simplicity that each node need only one share. k polynomial shares of a coalition of k nodes can be converted into k additive shares by the technique of Lagrange interpolation. These k additive shares are then applied in the RSA multi-signature algorithms [8]. Let N , a product of two large random primes N = pq, denote the RSA modulo of the signing key SK. The polynomial shares and the corresponding additive shares are usually calculated over the ring Zφ(N ) or Zλ(N ) 1 . However, the release of either φ(N ) or λ(N ) makes the factorization of the RSA modulo N trivial. We cannot reveal either φ(N ) or λ(N ) for the conversion from k polynomial shares to k additive shares, specifically the Lagrange interpolation. The solutions that are presented in [9, 8] involve the IDs of all the polynomial share holding nodes, thus cannot be applied in our context due to the potential large number of networking nodes and dynamic node membership. 5.1.2
Polynomial SK-distribution & multi-signature with k-bounded offsetting
In order to address the scalability issue to adopt the polynomial secret sharing in distributing SK among the network, we modify the multi-signature algorithms with our k-bounded coalition offsetting technique. In our algorithms, node vi ’s polynomial share Pvi and its additive share SKvi in term of a specific coalition, are defined over the ring ZN , instead of Zφ(N ) or Zλ(N ) as the previous works [9, 8] did. After the initialization of the network (see Section 6), each node with its ID vi 6= 0 holds a polynomial share Pvi = f (vi ) mod N , where f (x) = SK + f1 x + · · · + fk−1 xk−1 is a uniformly distributed random polynomial. Since the certificate verification key P K is assumed to be well-known, N is also well-known as part of P K. By this choice we eliminate the insecurity of releasing φ(N ) or λ(N ). Moreover, with the k-bounded coalition offsetting, we make the conversion from polynomial shares to additive shares scalable to the overall network size. Only the IDs and shares of the participating k nodes are involved. Detailed algorithms are as follows. Node vi firstly chooses a coalition of k nodes, typically from its one-hop neighborhood. Without loss of generality, let the coalition be B = {v1 , v2 , · · · , vk }. vi broadcasts the request among coalition B, together with the node IDs of these k nodes in coalition B. Once a node vj ∈ B receives the request and decides to serve the request, it firstly calculates its additive 1
φ(N ) denotes Euler Tortient number and λ(N ) denotes Carmichael number.
9
share SKvj that is specific to coalition B: SKvj = Pvj lvj (0) = Pvj
k Y
r=1,r6=j
vr vr − vj
mod N
SKvj is called vj ’s additive share since by Lagrange interpolation, kj=1 SKvj = kj=1 Pvj lvj (0) = P SK mod N . That is, kj=1 SKvj = t · N + SK where t is an integer bounded by k: 0 ≤ t < k. In the next step node vj applies its additive share SKvj on the statement of the new certificate cert to generate a “partial” certificate CERTvj : P
CERTvj = (cert)SKvj
P
mod N
Node vj finally sends CERTvj to the requesting node vi . Upon receiving k partial certificates {CERTv1 , CERTv2 , · · · , CERTvk } from the coalition B, node vi combines them together by multiplication to generate a “candidate certificate” CERT 0 : CERT 0 =
k Y
Pk
CERTvj = (cert)
j=1
SKvj
= (cert)t·N +SK = CERT · (cert)t·N
mod N
j=1
That is, the candidate certificate CERT 0 is different from the “real” certificate CERT by a constant. Finally vi applies the following k-bounded coalition offsetting to recover its new certificate CERT : Inputs: CERT 0 : the candidate certificate cert: statement of the certificate, to be signed Output: CERT : certificate 1: 2: 3: 4: 5: 6: 7: 8: 9:
Z := (cert)−N mod N j := 0, Y := CERT 0 while j < k do Y := Y · Z mod N , j := j + 1 if (cert = Y P K mod N ) then break while end if end while output Y = CERT
If we denote an RSA signing or verification as a unit computation, the computation complexity for each participating node is O(k), independent from the network size n. The communication protocol consists of a single round of localized communication: one broadcast request and k unicasts responses (see Figure 3). 5.1.3
Dynamic coalescing
One drawback of the above algorithm is that, if any node in coalition B fails to respond, all the other partial certificates become useless even if they reach node vi . vi has to restart the whole process from the 10
very beginning. In the case one node in B moves away or fails before it sends back the partial certificate, the computation of other k − 1 nodes is all wasted. In this section, we present an optimization called dynamic coalescing to solve the problem. Our optimization is based on the observation that the coalition can be formulated dynamically from any k responding nodes, instead of being specified by vi . Again node vi broadcasts its request for a new certificate among its neighborhood, but without specifying the coalition. A neighboring node vj that receives the request and decides to serve the request will return a partial certificate CERTvj by directly applying its polynomial shares on the certificate statement: CERTvj = (cert)Pvj mod N Upon receiving at least k such partial certificates, node vi picks k to form the coalition B. Without loss of generality, suppose vi chooses {CERTv1 , CERTv2 , · · · , CERTvk }. Node vi then converts each of them according to the IDs of these k responding nodes: �
CERTv0j = CERTvj
� lv
j (0)
mod N
n
o
r mod N . vi then multiplies CERTv01 , · · · , CERTv0k together to generate where lvj (0) = kr=1,r6=j vrv−v j the candidate certificate CERT 0 :
Q
CERT 0 =
k Y
CERTv0j
mod N
r=1
Finally node vi employs the k-bounded coalition offsetting to recover its new certificate CERT . Compared with the algorithms in Section 5.1.2, the computation complexity for each of the serving nodes is decreased to O(1). For the requesting node the computation complexity is still O(k), but the actual computation load is doubled. More computation overhead is shifted to the requesting node. The communication protocol consists of a single round of localized communication: one broadcast request and k unicast responses (see Figure 4). It has minimum requirements on the reliability of wireless communications. As long as k neighbors respond, other neighbors are free to move or fail, additional responses may be discarded. 5.2
Certificate Revocation and CRL Maintenance
When node vj receives certification request from vi , vj checks its monitoring record on node vi to decide if the request will be served. However, vj ’s records on vi may not provide enough information for a deterministic evaluation on vi . It may be because the interaction between vi and vj does not last long enough. Moreover, vi may not exist in vj ’s records at all if they just met. vj has two options in this scenario. One is to serve vi ’s request, since no bad records are located. The risk is that a roaming adversary who has no hope to get a new certificate from his previous location may take the advantage by just moving to a new location. The other option is to drop the request, since no records can demonstrate vi well-behaving. But a legitimate mobile node may not be able to get a new certificate. A mobile node would have to prepare a certificate with enough long validity time before he moves. In order to avoid this constraint on node mobility, we follow the first approach in this work. We propose the distributed certificate revocation mechanisms in ad hoc wireless networks to handle roaming adversaries.
11
In some locality node vi may not have k neighbors for certification services. In this section, we show how our distributed certificate revocation mechanisms, together with the dynamic coalescing optimization, enables vi to “accumulate” neighboring nodes on the move. Node mobility actually becomes a bless to our service availability (simulation evaluation in Section 7.3.1). The records that a node vj maintains consist of two parts. One is its direct monitoring records on neighboring nodes, and the other is a certificate revocation list (CRL). Each entry of the CRL is composed of a node ID and a list of the node’s accusers. If a node’s accuser list contains less than k legitimate accusers, the node is marked as “suspect”. Otherwise, the node is determined by vj to be misbehaving or broken and marked as “convicted”. We choose the threshold that convicts a node as k to ensure a legitimate node not be convicted by malicious accusations from an adversary. In two scenarios a node is marked “convicted”. One is when by direct monitoring vj determines one of its neighboring nodes to be misbehaving or broken. vj puts the node into its CRL and directly marks the node “convicted”. In this scenario vj also floods a signed accusation against the node. The range of the flooding is studied below. The other scenario is when vj receives an accusation against some node. It firstly checks if the accuser is a convicted node in its CRL. If it is, the accusation is concluded to be malicious and dropped. If not, vj updates its CRL entry of the accused node by adding the accuser into the node’s accuser list. The accused node will be marked “convicted” if the number of accusers reaches k. When a node is convicted, vj delete the node from all accuser lists. A convicted node will be marked “suspect” if its number of accusers drops below k. The range of the accusation propagation is an important design parameter. A large range causes excessive communication overhead, while a small range may not be enough to cover a roaming adversary. The accusations should be propagated in a range so that before its current certificate expires, the adversary cannot move out of the area where it is convicted by the accusations. The practical scheme for controlled flooding is by setting the T T L2 field in the IP headers of the accusation packets. One way to set T T L is based on the certificate validity period Tcert , the one-hop wireless transmission distance D, and the maximum node moving speed Smax . In a uniformly distributed network, to ensure a misbehaving node or a compromised node that is controlled by some adversary cannot escape the area of accusation before the expiration of its current certificate, the T T L should be set at least: � � Tcert · 2Smax TTL ≥ D If the T T L of the accusation messages is set to m, the nodes whose accusations reach vj must be at most m hops away. Therefore vj ’s CRL contains nodes at most m + 1 hops away. To further decrease the CRL complexity, Tcert after an entry’s last update, vj can remove it from its CRL. The reason is that after Tcert a convicted node should have its certificate expired, and thus be cut off from the network. vj holds each CRL entry for Tcert so that it will not serve a convicted node that carries still-valid certificate. In our design, CRL is constrained in both space domain and time domain. It is built and maintained on-demand, and stored locally. These properties comply with the overall scalability and robustness of our architecture, and the ad hoc nature of the network. 5.3
Cryptographic Analysis
Our design and algorithms are (k, n)-secure [26] in the sense that given up to k − 1 shares of SK and a history of polynomial many partial results, an adversary learns no more about SK than without 2
T T L is defined as “time to live”: the maximal number of hops that a packet can traverse in the network.
12
these information. The following theorem shows the security of our certification service algorithms and protocols, and we leave the detailed definitions and proofs to the technical report [20]. Theorem 5.1 (Security) The localized certification algorithms are RSA (k, n)-secure.
6
Self-initialization and Share Updates
Section 5 presents the certification service instantiation by a coalition of k nodes with their polynomial shares of SK. In this section, we study the distribution of these shares. An initialized node is defined as the node that possesses a valid polynomial share of SK. In the bootstrapping phase of the network. all the networking nodes need to be initialized. During the lifetime of the network, a new joining node needs to be initialized also. Most works in threshold secret sharing rely on a dealer for the initialization [10, 8, 6, 35, 14]. For ad hoc wireless networks that consist of hundreds or even thousands of nodes, it is not scalable and may not be feasible. Moreover, maintaining a dealer on line to handle node joins compromises the overall system robustness and security. The dealer would become the single point of failure and inviting target of malicious attacks. Maintaining a dealer on line also increases the adversaries’ chance to compromise the dealer and therefore SK, since the dealer is the only node that possesses the full SK. In this section, we propose a scalable initialization mechanism called “self-initialization” to address the above issues. The dealer initializes a node vi by the following procedure [6]. It firstly picks a random polynomial f (x) = SK + f1 x + f2 x2 + · · · + fk−1 xk−1 and n sends vi its share Pvoi = f (vi ) privately. The dealer also broadcasts the “witnesses” of the polynomial g SK , g f1 , · · · , g fk−1 , as defined in verifiable secret sharing [6]. g is assumed to be well-known as the certificate verification key P K. When node vi receives �
its share Pvi from the dealer, it verifies the validity of Pvi by checking g Pvi = g SK · g f1 �
�v i �
· g f2
�v 2 i
····
�vk−1 i
g fk−1 . In our architecture, the dealer is only responsible to broadcast the witnesses of the polynomial, and initialize the first k nodes. After that, it destroys the polynomial and quits. The initialized nodes collaboratively initialize other nodes, typically their neighboring nodes. As more and more nodes are initialized, they further serve to initialize their neighboring nodes, thus generating a diffusion process. The same mechanism is applied when a new node joins. The node need only contact its neighbors. Each of its neighboring nodes returns a “partial” share. By collecting k such partial shares and combining them together, the node is initialized with its valid share. We further devise a secret share update mechanism based on the self-initialization to periodically update each networking node’s share of SK to handle the adversaries of model II as defined in Section 3.3. 6.1
Self-initialization Algorithms and Protocols
In the context of proactive secret sharing [14], a lost secret share can be recovered by a coalition of k entities. Each entity generates a random polynomial to prevent the recovery of the polynomial that is used to share the secret. We employ a more straightforward mechanism called complete shuffling. Instead of shuffling the secret sharing polynomial, we directly shuffle the partial shares. Both algorithms have the same computation and communication complexities. In the rest of this section we present our algorithm for the distributed initialization. 13
When a node vi joins the network, it exchanges certificates to build trust relationships with its new neighboring nodes. If vi is not initialized yet, it locates a coalition of k nodes B = {v1 , v2 , · · · , vk }. vi broadcasts the request for initialization, together with the IDs of these k nodes. Once a node vj ∈ B receives the request, it double checks vi ’s certificate and its CRL. If vj decides to serve the request, it calculates a partial share for vi as: Pj = Pvj lvj (vi ) mod N r . where Pvj is vj ’s own share and lvj (vi ) = kr=1,r6=j vvji −v −vr If vj simply returns its partial share Pj to vi , vi can construct its complete share by adding these k partial shares. By Lagrange interpolation, we have:
Q
Pvi = f (vi ) = Pv1 lv1 (vi ) + Pv2 lv2 (vi ) + · · · + Pvk lvk (vi ) =
k X
Pvj lvj (vi ) =
j=1
k X
Pj
mod N
j=1
Unfortunately, it is insecure for node vj to return Pj directly to vi . As lvj (vi ) is only dependent on the IDs of the coalition, node vi can easily recover vj ’s share Pvj from the partial share Pj . If vi receives k such partial shares {P1 , P2 , · · · , Pk }, it can recover k polynomial shares of the coalition {Pv1 , Pv2 , · · · , Pvk }. With these k polynomial shares, node vi can interpolate the polynomial f (x) and retrieve the certificate signing key SK. P The problem is that we can only let vi obtain the sum of all these k partial shares kj=1 Pj , but not any individual Pj . Our approach is that among coalition B, nodes completely shuffle their individual partial shares. The shuffled partial shares are then returned to vi . Detailed procedure is as follows. Firstly, among the coalition B each node pair {vj , vr } securely exchanges a shuffling factor di,j . One of the pair adds di,j to its partial share. The other subtracts di,j from its partial share. For node vj , there are totally k − 1 shuffling factors, and it must apply all of them, by either addition or subtraction, to its partial P share Pj . The result is a completely-shuffled partial share P¯j = Pj + kr=1,r6=j sign(vr − vj )dr,j , where sign(x) = 1 if x > 0 and sign(x) = −1 if x < 0. Once node vi receives k signed shuffled partial shares from the coalition, it recovers its partial share as: k X
j=1
P¯j =
k X
j=1
Pj +
k X
r=1,r6=j
sign(vr − vj )dr,j =
k X
Pj +
j=1
k X
k X
sign(vr −vj )dr,j =
j=1 r=1,r6=j
k X
Pj +0 = Pvi
j=1
Except the sum, vi cannot derive any other information from these k shuffled partial shares without the shuffling factors. The computation complexity for each participating node is O(k). The communication protocol for self-initialization consists of two rounds of communications among one-hop neighborhood of node vi . See Figure 5 for an illustration. (1a) Node vi broadcasts/multicasts an initialization request among B. (1b) Each node vj ∈ B generates shuffling factors according to our cryptographic algorithm and returns these encrypted shuffling factors with their signatures to vi . (2a) vi combines these encrypted shuffling factors and broadcasts/multicasts them among the coalition B. Here we are simulating a broadcast/multicast channel for the coalition B to exchange information. (2b) Each node vi ∈ B returns a shuffled partial secret share to vi . Upon receiving k such partial secret shares, vi simply adds them up to recover its full secret share Pvi . 14
local broadcast responding unicasts 1b. unicast shuffling package 2b. unicast partial secret share
1a. broadcast request + coalition info 2a. route shuffling packages
Figure 5. Self-initialization
6.2
Secret Share Update
So far our system is robust against the adversaries of model I as defined in Section 3.3. To handle stronger model II adversaries, Herzberg et al. proposed periodical updates of each node’s secret share [14]. However, the proposed protocols in the proactive secret sharing context require each node collect inputs from all other nodes to finalize its update. Their approaches are not applicable in our scenario for several reasons: (a) The solution is not scalable. In an ad hoc network with dynamic membership and topology, a node cannot afford to maintain global knowledge and the full network topology; (b) The communication overhead is too high for wireless channel; (c) These proposals typically require a global broadcast channel, which does not exist in typical ad hoc wireless networks. Applying Byzantine agreement protocol to simulate an authenticated broadcast channel incurs prohibitively high communication overhead [5] even for wired networks. It is not feasible in wireless networks. The approache we propose to achieve scalable and efficient share update in ad hoc wireless networks is a simple sequential process based on the self-initialization as presented in Section 6.1. Firstly a coalition of k nodes update their shares by applying the existing protocols as proposed in [14]. The self-initialization protocols then follow to update the shares of the rest of the network. We leave the detailed protocols in the technical report [20].
7
Evaluation of implementation
We implemented our design in both Unix platforms and a popular network simulator ns-2 [23]. Our Unix implementation seeks to quantitatively characterize the computational cost of our solution, and we use the simulation experiments to evaluate communication aspects, such mobility, ubiquitous service availability and channel dynamics in wireless ad hoc networks. 7.1
Implementation Issues
The design of our protocols and algorithms is flexible to allow implementation at any layer above the MAC layer in the networking protocol stack. Moreover, it does not make specific assumptions on the network and transport layer protocols. We choose an application-layer implementation for several 15
key (bit) 512 768 1024 1280 1536 2048
RSA-PK (msec) 0.093 0.124 0.142 0.136 0.133 0.208
RSA-SK (sec) 0.0056 0.0173 0.0386 0.0669 0.1089 0.2462
PCC (sec) 0.0466 0.1198 0.2610 0.4590 0.7944 1.7058
key (bit) 512 768 1024 1280 1536 2048
Combine (sec) 0.0928 0.2416 0.5280 0.9742 1.5598 3.4410
RSA-PK (msec) 0.884 1.276 1.324 1.356 1.416 1.036
RSA-SK (sec) 0.0678 0.2165 0.4672 0.8734 1.4863 3.1883
PCC (sec) 0.1835 0.5973 1.1637 2.2912 3.5820 7.7855
Combine (sec) 0.1982 1.3430 1.1978 2.4109 3.6952 8.0324
Table 1. RSA and certification performance (k =
Table 2. RSA and certification performance (k =
5, SP EC = 20.5)
5, SP EC = 12.1)
key (bit) 512 768 1024 1280 1536 2048
RSA-PK (msec) 2.782 3.382 4.036 4.065 3.941 3.954
RSA-SK (sec) 0.2347 0.6403 1.2953 2.4607 3.8543 8.3826
PCC (sec) 0.5499 1.4818 3.1738 5.5492 10.1253 20.6606
k
Combine (sec) 0.6144 1.6478 3.3283 5.9019 10.4301 21.7095
2 3 5 7 10 20 30
Table 3. RSA and certification performance (k =
SP EC = 20.5 PCC Combine 0.260 0.526 0.261 0.528 0.261 0.528 0.263 0.531 0.262 0.537 0.261 0.532 0.261 0.537
SP EC = 12.1 PCC Combine 1.293 1.334 1.149 1.171 1.164 1.198 1.140 1.207 1.309 1.410 1.308 1.464 1.160 1.510
SP EC = 1.37 PCC Combine 2.991 3.304 2.998 3.293 3.174 3.328 3.163 3.530 3.099 3.394 3.078 3.458 3.082 3.410
Table 4. Certification performance vs. k (RSA key:
5, SP EC = 1.37)
1024bit, time unit: sec)
reasons: (a) We avoid modifications of lower-layer protocols such as packet and frame formats. This facilitates incremental deployment. (b) We achieve maximal independency of the underlying network configurations. This improves the portability and extensibility. (c) We can evaluate the communication efficiency of our security protocols without any specific performance enhancements provided by lower layers. 7.2
Unix Implementation and Measurements
Our cryptographic implementation on UNIX is written in C and currently consists of about 8,000 lines of code. It implements certification, self-initialization, and secret share update services, along with other cryptographic supporting modules. In Tables 1, 2 and 3 we measure3 the performance of our certification services with the standard RSA operations on devices with heterogeneous computation power. The SPECint95 values [30] are 20.5, 3 In all the tables, key denotes RSA key length in bits, RSA-PK denotes standard RSA’s PK-verification. RSA-SK denotes standard RSA’s SK-signature. PCC denotes partial certificate computation which equals using secret share to sign a message.
key (bit) 512 768 1024 1280 1536 2048
SP EC PSS 0.413 0.459 0.490 0.561 0.798 1.420
= 20.5 Sum 0.288 0.382 0.319 0.411 0.460 0.473
SP EC PSS 1.145 2.588 3.321 4.926 3.480 5.245
= 12.1 Sum 0.378 0.443 0.781 0.840 0.630 0.754
SP EC = 1.37 PSS Sum 3.861 1.196 5.163 1.497 7.024 1.847 8.215 1.996 10.251 2.006 24.414 2.528
Table 5. Self-initialization service (k = 5, time unit: msec)
16
12.1, and 1.37, respectively. Our measurements show that computation power is a critical factor that affects the efficiency of our RSA based scheme, and for typical scenarios the performance is acceptable. For example, a PentiumIII/500 laptop (SPECint95=20.5) performs well in all test cases, while a SPARCstation5/85 (SPECint95=1.37) requires more time (3–5 sec for certification service) when using typical values for key length (1024 or 1280 bits) and coalition size k (≤10 in practice). In Table 4 we measure the performance of the certification service in terms of the coalition size k. We find that parameter k does not affect the system performance significantly because (i) partial certificates are computed in parallel by the coalition members; (ii) the partial certificate combination has moderate computation overhead at the requester’s side (see Section 5.1). The operations used in self-initialization and share update, namely multiplicative inverse and Lagrange interpolation, are inexpensive to compute. The results are shown in Table 5. All measured computation overheads are at the scale of milliseconds. 7.3
Evaluation on Communication Aspects
We implemented all the communication protocols at the application-layer in the network simulator ns-2 [23]. We developed a UDP-like transport agent that allows for delivery of actual application data units (ADUs) and one-hop broadcast. We use the following metrics to evaluate the performance: Success ratio measures the ratio of the number of successful certification services over the number of attempts during the simulation time. Average number of retries measures the number of retries before a node successfully receives its certification services. Average delay measures the average latency for each node to perform a certification service. We run simulation experiments in networks with sizes ranging from 30 to 100 nodes. The node mobility varies from 1 to 20 m/sec. We apply the random way-point model in ns-2 to emulate node mobility patterns. In the simulations, the expiration time of the certificate is selected as five minutes, and the coalition size k = 5, except for the topologies that consist of 30 nodes where k = 3. Success Ratio − Localized CR vs. CA, 100 Nodes, Chan. Error 10% 100
90
90
80
80
70
70
60
50
40
30
10
Localized Cert. Renewal Centr. CA − 1 serv. Centr. CA − 4 serv.
8 60
50
40
Localized Cert. Renewal Centr. CA − 1 serv. Centr. CA − 4 serv.
6
4 30
Localized Cert. Renewal Centr. CA − 1 serv. Centr. CA − 4 serv.
20
10
0
Avg. # Retries − Localized CR vs. CA, 100 Nodes, Chan. Error 1% 12
Avg. # Retries
Success Ratio (%)
Success Ratio (%)
Success Ratio − Localized CR vs. CA, 100 Nodes, Chan. Error 1% 100
20 2 10
2
4
6
8
10
12
14
16
18
20
Node speed (m/sec)
0
2
4
6
8
10
12
14
16
18
20
Node speed (m/sec)
0
2
4
6
8
10
12
14
16
18
20
Node speed (m/sec)
Figure 6. Certificate Renewal:
Figure 7. Certificate Renewal:
Figure 8. Certificate Renewal:
Success Ratio vs. Node Speed, Error Rate 1%
Success Ratio vs. Node Speed, Error Rate 10%
Avg. # of Retries vs. Node Speed, Error Rate 1%
Combine denotes the delay caused by combining k partial certificates. PSS denotes partial secret share computation which equals a Lagrange interpolation operation. Sum denotes obtaining a secret share by summing together all partial secret shares.
17
Avg. Delay − Localized CR vs. CA, 100 Nodes, Chan. Error 1%
Avg. # Retries − Localized CR vs. CA, 100 Nodes, Chan. Error 10%
Avg. Delay − Localized CR vs. CA, 100 Nodes, Chan. Error 10% 90
12
60 80 10
Localized Cert. Renewal Centr. CA − 1 serv. Centr. CA − 4 serv. 6
4
70
40
30
Localized Cert. Renewal Centr. CA − 1 serv. Centr. CA − 4 serv.
20
Avg. Delay (sec)
Avg. # Retries
8
Avg. Delay (sec)
50
60
50
40
Localized Cert. Renewal Centr. CA − 1 serv. Centr. CA − 4 serv.
30
20 2
10 10
0
2
4
6
8
10
12
14
16
18
20
0
2
4
6
8
10
12
14
16
18
20
Node speed (m/sec)
Node speed (m/sec)
0
2
4
6
8
10
12
14
16
18
20
Node speed (m/sec)
Figure 9. Certificate Renewal:
Figure 10. Certificate Renewal:
Figure 11. Certificate Renewal:
Avg. # of Retries vs. Node Speed, Error Rate 10%
Avg. Delay vs. Node Speed, Error Rate 1%
Avg. Delay vs. Node Speed, Error Rate 10%
7.3.1
Certification services
We first examine the performance of our localized certificate renewal service in a network of 100 mobile nodes. We study the scenarios of low (1%) and high (10%) wireless channel error rates and the node moving speed ranging from 1 m/sec to 20 m/sec. Comparing the low wireless channel error scenarios (figure 6,8,10) with high wireless channel error scenarios (figure 7,9,11), we can see that the performance of centralized and hierarchical solutions significantly degrade in the presence of high channel error. However, due to the localized communication pattern, our certification renewal service remains almost the same level of performance in term of all these three measurement metrics as the channel error rate increases from 1% to 10%. Figure 6 and 7 show that, while the centralized and hierarchical solutions experience low success ratio, the success ratio of our localized certificate renewal is almost 100%. As the node speed varies from 1 m/sec to 20 m/sec, we observe that the success ratio almost remains unchanged at speeds above 5 m/sec. For the case of 1 m/sec, the success ratio is around 85%. The main reason is that under low node density and low mobility a node may have difficulty in locating k neighboring nodes for certification services. The results show how mobility improves our certification service availability. Figure 8-11 further demonstrate our service availability by the average number of retries and average delay. The average number of retries decreases and the average delay of our certificate renewal remains nearly constant as the node mobility speed increases. For comparison we also simulate the average number of retries and average delay of the certificate renewal that are implemented by a single centralized CA server and a hierarchy of four CA servers. They both incur much higher average number of retries and average delay and both metrics tend to grow as the node mobility speed increases. 7.3.2
Self-initialization/share update
The performance of self-initialization process and the share update that is based on our self-initialization mechanism are studied in this section. Figure 12 presents the average latency for each node in the selfinitialization process. In each experiment we assume the first 2 ∗ k nodes of the topology are initialized by a dealer, and the self-initialization is running among the remaining nodes. From the Figure 12 we can see that the self-initialization scales well to the network size and node mobility; even for the largest topology of 100 nodes and node speed fixed at 20 m/sec, all nodes manage to be initialized in less that 18
500 seconds. In figures 13 and 14, we present detailed studies of the self-initialization process in network topologies of 50 and 100 nodes respectively and for three node speeds (3, 10 and 15 m/sec, corresponding to low, medium and high mobility). For the case of 50 nodes, it takes almost 50 seconds for the first 20% of the network to update. However, as more and more nodes receive their shares, the convergence is accelerated: 80% of the network is initialized in another 50 seconds. We also observe that the evolution of the algorithm is similar for all mobility speeds, which shows that our design is robust to mobility. In the scenario of 100 nodes, the curves are shifted to the right, since the network is larger and it takes more time for the “initialization wave” to be propagated to the whole network. Self Initialization − Node percentage vs. Delay, 50 Nodes
Average Delay − Self Initialization 900
Mobility 1m/sec Mobility 3m/sec Mobility 5m/sec Mobility 10m/sec Mobility 15m/sec Mobility 20m/sec
800
700
Self Initialization − Node percentage vs. Delay, 100 Nodes
1
1
0.9
0.9
0.8
0.8
0.7
0.7
500
400
# of Nodes (%)
# of Nodes (%)
Time (sec)
600
0.6
0.5
0.4
0.6
0.5
0.4
300
0.3 200
100
0 30
0.3
0.2
0.2
Mobility 3m/sec Mobility 10m/sec Mobility 15m/sec
0.1
40
50
60
70
80
90
100
# of nodes
0
0
100
200
300
400
500
600
700
800
Mobility 3m/sec Mobility 10m/sec Mobility 15m/sec
0.1
900
Time (sec)
0
0
100
200
300
400
500
600
700
800
900
Time (sec)
Figure 12. Self-initialization:
Figure 13. Share Update: Node
Figure 14. Share Update: Node
Avg. Delay vs. Node Speed
percentage vs. Delay, 50 Nodes
percentage vs. Nodes
Delay, 100
8. Discussions We now come back to further discuss several important issues. Obtaining initial certificates and IDs A node needs an initial certificate that associates its ID with its public key, before it can join the network. Moreover, an admitted node has to bear a valid certificate when it requests its certificate to be renewed. Our localized certification never creates or issues a brandnew certificate. This policy is to prevent malicious node to have multiple certificates based by forged or stolen IDs. How to issue initial certificates and the IDs poses the root of trust problem. They can be obtained in two ways. Firstly, a node may be issued an initial certificate by an offline authority, after the authority verifies the authenticity through external means (e.g., in-person ID). Alternatively, we may use any coalition of k networking nodes to issue an initial certificate via collaborative admission control for this new node. The admission control policy has to be consistent with the robustness of the overall trust model, system model and the adversary models. For simplicity, we take the first approach. Bootstrapping of the first k nodes To initialize the very first k nodes, we assume an offline authority who knows the full certificate signing key SK and the associated polynomial f (x) of degree k − 1. This is the standard assumption of related works on secret sharing [14, 10, 5]. An alternative solution is to generate the RSA key pair {P K, SK} distributedly via a method of [21]. 19
Parameter k Revisited Our design so far assumes each node to have at least k legitimate neighbors. This assumption is critical for certification services to be robust against the adversaries defined in Section 3.3. The parameter k also determines the availability of our services. In our current design, these three factors are coupled and represented by a single parameter k. This coupling effect reduces the flexibility of our system. In certain scenarios, these three aspects may even have conflicting goals. For instance, security may require k to be at least 10, but service availability requires k to be at most 7, while the network can only guarantee 5 legitimate neighbors. How to decouple these three aspects poses new challenges for future research. Intrusion Detection in Ad Hoc Networks As presented in our system model (Section 3), we assume each node is equipped with some local detection mechanism to identify misbehaving nodes among its one-hop neighborhood. While we admit that this might seem a strong assumption, some initial progress has been reported recently [22]. We believe that as time goes, better local intrusion detection mechanism will be available to serve our purpose.
9
Conclusions
In this paper, we have described a novel solution to practical security support in mobile ad hoc networks. Our design has been motivated by the factor that the security service has to be fully distributed and localized in order to operate in a large-scale mobile ad hoc network. We seek to maximize the service availability in each network locality, which is also crucial to supporting ubiquitous services for mobile users. To this end, we have addressed networking issues including node mobility, scalability, service ubiquity, and network dynamics such as wireless channel interference and node failures. Our experiences in implementation and simulations have shown positive results for our approach.
References [1] A. Abdul-Rahman. The PGP Trust Model. In EDI-Forum: the Journal of Electronic Commerce, 1997. [2] A. Abdul-Rahman and S. Hailes. A Distributed Trust Model. In ACM New Security Paradigms Workshop, 1997. [3] H. Balakrishnan, V. Padmanabhan, S. Seshan, and R. H. Katz. A Comparison of Mechanisms for Improving TCP Performance over Wireless Links. IEEE/ACM Transactions on Networking, 1997. [4] J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva. A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols. In MOBICOM, pages 85–97, 1998. [5] R. Canetti, S. Halevi, and A. Herzberg. Maintaining Authenticated Communication in the Presence of Break-Ins. Journal of Cryptology, 13(1):61–105, 2000. [6] P. Feldman. A Practical Scheme for Non-interactive Verifiable Secret Sharing. In FOCS, pages 427–437, 1987. [7] A. Fox and S. D. Gribble. Security on the Move: Indirect Authentication using Kerberos. In MOBICOM, pages 155–164, 1996. [8] Y. Frankel and Y. G. Desmedt. Parallel Reliable Threshold Multi-signature. Technical Report TR-92-04-02, Dept. of EECS, University of Wisconsin-Milwaukee, 1992. [9] Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Optimal Resilience Proactive Public-Key Cryptosystems. In FOCS, pages 384–393, 1997. [10] Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Proactive RSA. In CRYPTO, pages 440–454, 1997.
20
[11] S. Garfinkel. PGP: Pretty Good Privacy. O’Reilly & Associates Inc., 1995. [12] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and Efficient Sharing of RSA Functions. In CRYPTO, pages 157–172, 1996. [13] L. Gong. Increasing Availability and Security of an Authentication Service. IEEE Journal of Selected Areas on Communications, 11(5), 1993. [14] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive Secret Sharing or: How to Cope with Perpetual Leakage. extended abstract, IBM T.J. Watson Research Center, November 1995. [15] J. D. Howard. An Analysis of Security Incidents on the Internet 1989-1995. CMU Ph.D. Dissertation, 1997. [16] A. N. S. Institute. PKI Practices and Policy Framework. ANSI X9.79, 2000. [17] International Telecommunication Union. Recommendation X.509(11/93) The Directory: Authentication Framework. [18] D. B. Johnson and D. A. Maltz. Dynamic Source Routing in Ad Hoc Wireless Networks. In Imielinski and Korth, editors, Mobile Computing, volume 353. Kluwer Academic Publishers, 1996. [19] C. R. Lin and M. Gerla. Adaptive Clustering for Mobile Wireless Networks. IEEE Journal of Selected Areas on Communications, 15(7):1265–1275, 1997. [20] H. Luo and S. Lu. Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks. Technical Report TR-200030, Dept. of Computer Science, UCLA, 2000, http://www.cs.ucla.edu/mng/TR200030.pdf. [21] M. Malkin, T. Wu, and D. Boneh. Experimenting with Shared Generation of RSA keys. In Internet Society’s Symposium on Network and Distributed System Security (SNDSS), pages 43–56, 1999. [22] S. Marti, T. Giuli, K. Lai, and M. Baker. Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. In ACM MOBICOM, 2001. [23] NS-2 (The Network Simulator). http://www.isi.edu/nsnam/ns/. [24] R. Perlman. An Overview of PKI Trust Models. IEEE Network, 13(6):38–43, 1999. [25] R. Rivest and B. Lampson. SDSI – A Simple Distributed Security Infrastructure. http://theory.lcs. mit.edu/˜cis/sdsi.html. [26] A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522–533, 1994. [27] A. Shamir. How to Share a Secret. Communications of the ACM, 22(11):612–613, 1979. [28] P. Sinha, R. Sivakumar, and V. Bharghavan. CEDAR: a Core-extraction Distributed Ad Hoc Routing Algorithms. In IEEE INFOCOM, 1999. [29] P. Sinha, N. Venkitaraman, R. Sivakumar, and V. Bharghavan. WTCP: a Reliable Transport Protocol for Wireless Wide-area Networks. In ACM MOBICOM, 1999. [30] Standard Performance Evaluation Corporation. http://www.specbench.org. [31] G. Steiner, B. C. Neuman, and J. I. Schiller. Kerberos: An Authentication Service for Open Network Systems. In USENIX Winter, pages 191–202, January 1988. [32] J. Wu and H. Li. On Calculating Connected Dominating Set for Efficient Routing in Ad Hoc Wireless Networks. In Third International Workshop on Discrete Algorithms and Methods for Mobile Computing and Communications, 1999. [33] T. Wu, M. Malkin, and D. Boneh. Building Intrusion Tolerant Applications. In Eighth USENIX Security Symposium (Security ’99), pages 79–91, 1999. [34] Y. Zhang and W. Lee. Intrusion Detection in Wireless Ad-hoc Networks. In MOBICOM, 2000. [35] L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Networks, 13(6):24–30, 1999.
21
