Seed-based Distributed Group Key Selection Algorithm ... - IEEE Xplore

2007 IEEE International Conference on Signal Processing and Communications (ICSPC 2007), 24-27 November 2007, Dubai, United Arab Emirates

Seed-based Distributed Group Key Selection Algorithm for Ad Hoc Networks* Emre Atsan, Oznur Ozkasap

Department of Computer Engineering, Kog University, Istanbul, Turkey {eatsan, oozkasap} @ ku.edu.tr The study of Eschenauer and Gligor [4] proposed a probabilistic key pre-distribution scheme for pair-wise key establishment. This scheme has the drawback that as the number of compromised nodes increases, the fraction of affected pair-wise keys also increases quickly. Hence, a small number of compromised nodes may affect a large fraction of pair-wise keys. It also requires a trusted third party in the initial stage to assign random subset of keys to each node. A successive study, q-composite random key pre-distribution scheme [5], extended this scheme to improve its security. This scheme increases the security of key setup such that an attacker has to compromise many more nodes to achieve a high probability of compromising communication. It also requires a trusted third party to assign random subset of keys to each node. However, such reliance on a trusted third party in the initialization can be a problem for some ad hoc scenarios. In the study of Chan [6], a fully distributed key predistribution scheme (DKPS) for mobile ad hoc networks is proposed. In contrast to the previous approaches described, this scheme does not rely on a trusted authority. Main contribution of DKPS to the group key selection schemes is the Distributed Key Selection Scheme (DKS). In DKS, each node in the system selects random keys for its key ring from a universal set of key space. Selection of these keys is based on a mathematical set property of the cover-free family (CFF). DKS claims that with high probability each node can find at least one common key with each other node in the system. In [7] authors proved that Chan's DKS may not be strong enough to support the idea of finding a unique common key between each node in the system. In this study, we propose a seed-based distributed key selection mechanism, namely SeeDKS, for groups of nodes in ad hoc networks. This scheme is not a key pre-distribution scheme but it may be the part of it as a distributed key selection algorithm. Our study is inspired by the recent works [6,7]. The key idea behind our approach is to create different key pools for each group by using a common seed value between group members in order to generate a unique group key pool. We demonstrate that, while the key ring size for a group is decreased, high percentages for finding at least one common key between w nodes in a group can be achieved. Our approach gives a solution for only group of nodes. Thus, two nodes should be in the same group in order to find a common key with each other. In Section 2, description of the prior DKS scheme and related findings are given. In section 3, our key selection

ABSTRACT Key establishment has a significant role in providing secure infrastructure for ad hoc networks. For this purpose, several key pre-distribution schemes have been proposed, but majority of the existing schemes rely on a trusted third party which causes a constraint in ad hoc platforms. We propose a seed-based distributed key selection algorithm, namely SeeDKS, for groups of nodes in ad hoc networks. Our approach is inspired by the earlier work on distributed key selection (DKS) and is based on the idea of common group key pool generated with group seed value for each different group. Simulation results show that using very small key ring sizes compared to DKS, we can achieve satisfactory results which DKS cannot accomplish in means of finding at least one common key among group members. Index Terms- ad hoc networks, distributed key

selection, key pre-distribution.

1. INTRODUCTION Secure and efficient key establishment protocols have an important role for the rest of the essential security primitives in distributed systems. For ad hoc networks, key establishment is a more complex problem than static or infrastructure-based systems. It is due to the fact that ad hoc networks have several system and node constraints [1,8]. These networks are self-organized and have limited coverage, so that it is not practical to use a secure central authority or a trusted third party for key distribution. A distributed key exchange algorithm needs to be established among all the active nodes in the ad hoc network. There are several techniques discussed in the literature to achieve this self-organized key distribution goal and most effective ones are based on key predistribution techniques. Key pre-distribution scheme (KPS), where keying materials are pre-distributed to the nodes before deployment, is a common key management technique used in ad hoc network security [2]. In this approach, any two users can compute a common key without direct interaction. Each user receives a set of secret keys and from his/her secret keys, he/she can compute a common key with any other user in the group. After this basic scheme, another study [3] extended KPS to allow any t users, out of n users in a group, to compute a common group key non-interactively.

* This work is supported in part by TUBITAK (The Scientific and Technical Research Council of Turkey) under CAREER Award Grant 104E064.

1-4244-1236-6/07/$25.00 © 2007 IEEE

53

algorithm SeeDKS is described. Simulation results depicting the behavior of SeeDKS as well as its comparison with DKS are presented in Section 4. Concluding remarks are given in Section 5.

1. Select a value for k such that d divides k. (k is the number of keys that a node has to store.) 2. Randomly form a universal key set P such that it has a size N= k2rld. 3. Divide P into k partitions P1, P2, Pk each of size krld. 4. Each node separately pick keys for its key ring to form B = tP1 p, P, , pkv with each pi randomly selected from the partition Pi, 1< i < k. (Each Pi will follow a uniform distribution over all elements in Pi.)

2. DISTRIBUTED KEY SELECTION Distributed Key Pre-distribution Scheme (DKPS) [6] for mobile ad hoc networks offers a novel method which is fully distributed and self-organized without relying on any infrastructure support. Key idea of the DKPS is that each node individually picks a set of keys from a large publicly-known key space such that the key patterns of all the nodes satisfy the following property with a high probability: any subset of nodes can find from their key sets at least one common key not covered by a collusion of at most a certain number of nodes outside this subset. DKPS consists of three main components, namely distributed key selection (DKS), secure shared key discovery (SSD) and key exclusion property testing (KEPT). Each node randomly picks keys into its key ring in the DKS phase, then it can use the SSD protocol to find out which keys it has are in common with another node, and finally it can test by looking at the incidence matrix whether its keys satisfy the exclusion property in KEPT phase. Distributed Key Selection (DKS). Each node selects random keys for its key ring from a universal set of key space. Selection of these keys is based on a mathematical set property of the cover-free family (CFF). This property ensures that with high probability at the first phase of random key selection, a node will have a set of keys (key ring) that satisfies CFF. Secure Shared Key Discovery (SSD). This phase uses the derived MRS (Modified Rivest Scheme) [6] as its Privacy Homomorphism (PH) approach to encrypt, decrypt and exchange nodes' key rings. Key Exclusion Property Testing (KEPT). After establishing the key ring in DKS phase and finding the common keys in SSD phase, each node can test whether all its keys satisfy the exclusion property of a cover-free family. Chan's scheme [6] is based on CFF. It requires that the sets of keys held by the network of nodes form a (w, r; d) - CFF (N, I) cover-free family, i.e., any w nodes share at least d keys that are not held by any other r nodes. The keys are selected from a pool of size N, and at most T nodes are supported. A (w, r; d) - CFF (N, I) is formally defined as follows:

In [6], Chan assumed that the above scheme yields a (w, r; d) - CFF(N, T) with at least a probability (1 - e t),

if,

(1)_

-dl

w+r-Ikr |~ ~~T! TT.e2k2-I-e e

J

_t_

(1)wI

Table 1. Notation for distributed key selection process p Universal key set (pool) N Size of universal key set (P); number of possible keys in universal key pool. d Number of common keys that should be shared between group members. r Number of nodes that must not stock any of the d shared common keys of a group of nodes. Number of nodes that should share at least d keys w that are not in the key ring of r other nodes. k Number of keys in the key ring of a single node.

However, Wu and Wei [7] proved that DKS does not guarantee CFF, and showed that Chan's proof for equation (1) is problematic in the sense of applying Chernoff bound. It is also discussed that given T, w and k, for a k-uniform (w, r; 1) - CFF (kl, i) to exist, r has to be very limited. For example, think of a network of size 500 (T = 500 nodes), in which every node has a key ring of size 400 (k=400 different keys) from a universal key pool. In this network, if some nodes form a group GI, it is shown in [7] that number of nodes that are not a member of GI can be at most 4 (r = 4) to satisfy that all other nodes outside the group does not have the GI's key in its key chain. Chan's proposed DKS algorithm has some problems in applicability to mobile ad hoc networks. This is because of both large key ring sizes (up to 400) and limited r (only up to 4) values. As it is discussed, r value defines the number of nodes that common key(s) of w nodes should not be contained. Therefore, even for small scale group sizes the very limited r values cannot be sufficient. Increasing r to a larger value causes the probabilistic CFF construction fail. The analysis accomplished in [7] shows that the probabilistic method of DKS can not yield CFF practical for key distribution where r has to be reasonably large.

Definition. Let P be an N-set of points tPl, P2, PN} and B be a set of subsets (called blocks) of P (i.e. X C P, VX E B). Also let N and T denote IPI and IBI respectively. Then the set system (P, B) is called a (w, r; d)-CFF(N, I) (cover-free family) if, for any w blocks X1, B and any other r blocks Y1, . ., Yr E B, we ., Xw have: (nW.= X.) \ (Uj1 Y.) > d, where d is positive. In [6], a probabilistic method named Distributed Key 7

Selection (DKS) is used to construct the (w, r; -) - CFF

(N, 7T). Notation for distributed key selection is given in Table 1. DKS procedure is given as follows:

54

Group 1

different groups that are generated using the group's known seed value. Note that in this technique, it is assumed that each node can create identically the same key pool for a group i, using the group's seed value,

Group 2

SEEDi.

After constructing the key pool P for any group, each node picks k random keys each selected from the k partitions from the group universal key set, Pi. In this technique, group sizes are pre-defined when a group is first created by the initiator node. This means that the group size (w) should be defined initially to create a large enough key pool, P, for that group. When a new node joins a group, it should perform the following actions: 1. broadcast a join message destined for group i, Gi. JOIN < i > 2. wait for a JOIN-REPLY for its request for group membership to Gi. Any node which is a member of group G, can return a JOIN-REPLY message to the requesting node with group's seed value (SEEDi) and the pre-defined maximum group size value, wi. JOIN-REPLY < i, SEEDi, wi > 3. After receiving JOIN-REPLY, requesting node starts the SeeDKS key ring construction algorithm for this group. Note that, these steps should be repeated for each group that a node is registered. So, if a node m is a member of n different groups, it creates n different key rings that are selected from n different key pools generated uniquely based on each group's seed value.

Figure 1. Different key pools pseudo-randomly generated using different seed values. For instance, members of group GI can generate the same pool using the SEED 1 value.

3. SEEDKS ALGORITHM We propose a seed-based distributed key selection algorithm, namely SeeDKS, for groups ofnodes in ad hoc networks. Our study is inspired by the recent work [6,7] described in the previous section. The main idea behind our approach is to use different key pools for each group. By this way we can ignore to satisfy the condition in original DKS that r nodes outside a group cannot have the group key luckily in their key chains. By this way, while we are decreasing the key ring size, we can achieve very high percentages for finding at least one common key between w nodes. Our approach gives a solution for only group of nodes. Thus, two nodes should be in the same group in order to find a common key with each other. For instance, this type of secure group communications can be used in military operations, where only a certain group of nodes are allowed to receive specific information. In this study, we do not define a key selection algorithm for inter-group communication. Main purpose of our approach is to find a common group key between members of a group, while minimizing the probability of any other node that is outside this group having the group key in its key chain. To utilize the SeeDKS technique, each node in a group performs the following algorithm (Figure 1): 1. create a group universal key pool (P) using that group's commonly known seed value (create P using SEED). Size of P =N = k2ld. 2. divide P into k partitions P1, P2... Pk each of equal size, kld. 3. for each group membership (i) that a node has, it individually pick keys for its key ring to form Bi ={Pi1,Pi2,Pi3..Pik} with each Pik is randomly selected from the partition Pm, 1< m < k. Different than the original DKS, this scheme provides us to ignore the necessity of exclusion of w nodes' common key from at least r different nodes key ring. As explained before in [7], increasing values of r causes probabilistic CFF construction to fail. In our technique, while ignoring r, we support the exclusion property that r gives to the original DKS by using different key pools for

4. RESULTS AND COMPARISON We developed simulation software to evaluate the performance of the key selection phases of our algorithm SeeDKS and also the DKS [6]. This is a C++ program that simulates the key generation algorithms of DKS and SeeDKS and compares the key rings of simulation nodes after the key selection phase. This comparison checks if there exists a common group key between group members and finds collusions (having the group key in its key chain) of nodes outside this subset. Analysis results show that using very small key ring sizes compared to DKS, we can achieve satisfactory results which DKS cannot give in means of finding at least one common key among group members. In our analysis, each simulation is performed 1000 times and the averages of percentage of finding at least one common key among w group members are calculated. Fig.2 shows results of DKS for varying key ring sizes and number of nodes in groups (w) when r value is set to 2 and d value is set to 8 (refer to Table 1 for notations). DKS states that key pool size N also changes when key ring size k changes. In the DKS phase, increasing the key ring size does not affect the performance of CFF construction. This is because of the fact that increasing k also increases N (key pool size). Hence, percentage of finding one common key in k keys selected from N-sized pool cannot be changed by increasing or decreasing key ring size (k).

55

Original Distributed Key Selection (DKS-Chan's) Results

5

I

I

I

I

I

I

4$0._\ _ _ I_ _ _ _ I_ _ _ _ _ _ _ _l _ _ I I I It

Key Ring Size: 640 Key Ring Size: 1280

8 +

lI

\t 30

2?O

-

-I

_-

,-

-

-- --

- -- -

Table 2. Percentage of finding one common key in two different key pools (Pi and Pj) generated with different seed values (SEEDi and SEED,) Key Pool % offinding one common key in two different Size (N) Key Pools generated with different seed values 0 50 200 0 800 0 3200 0 12800 0.17 2 51200

I I I IKey Ring Size :20 - - - - - - - I- - - - - - - Key SizeRing 40 -- Key Ring Size: 80 Key Ring Size: 160 Key Ring Size: 320

-- --

- -- -

.-

- -

-

--

. I

.

- --

-'

co 4)

ii 110

.; OI

2

I

3

4

t

.

5 6 7 8 Number of Nodes in a Group (w)

5. CONCLUSIONS Key establishment has a significant role in providing secure infrastructure for ad hoc networks. For this purpose, several key pre-distribution schemes have been proposed, but majority of the existing schemes rely on a trusted third party which causes a limitation in ad hoc platforms. In this paper, we presented a new distributed key selection technique to use in ad hoc networks that is based on common group seed value. Different than the DKS [6], our scheme ignores the r value (which supports exclusion to group common key from at most r different node) and suggests a novel idea based on common group key pool generated with group seed value for each different group. By this way, we demonstrated that smaller key ring sizes can lead satisfactory results for even 100-node group sizes, which may not be possible in the DKS [7]. As further work, secure exchange of JOIN and JOIN-REPLY messages before having a common key for encryption between group members will be studied. In some cases, group seed values need to be changed for security reasons. Management of this in a secure way can be further investigated.

I

9

i

0

Figure 2. Simulation results for DKS scheme. 0)

SeeDKS Results

100

- -

- - - - - - - - - - - - - - - .

a)

I

99a)

I

lI

98 97 96 965

..- ---I-

-

- - -

I

_

\

I

a5)

- - - - -

94

G

Key Ring Size: 20

I

_

Key Ring Size: 40

Key Ring Size: 80 \

C)

a)

93 - - - - - - - - - - - - - - - - - .K ey ingize: 92

l\IA

r

I

Key Ring Size: 320l l

0

20

I

40

60

Nurrber of Nodes in a Group (w)

I

80

100

Figure 3. Simulation results for SeeDKS.

As shown in Fig.3, even for very small (k=20) key ring sizes, SeeDKS can find at least one common key for large groups of nodes (w+ 100) most of the time (over 900/O). On the other hand, original DKS could not find a common key most of the time (990/O) even for very small group sizes, e.g. w+5. This is because SeeDKS's key pool size (with size N k2 8, in simulations d is set to 8) is smaller than original DKS's key pool size (N= k2r/ d). As given in Table 2, the exclusion property is also supported for two different groups' common keys. In Table 2, it is shown that finding a common key in key pools Pi and Pj, for groups i andj, is a very unlikely case for key pool sizes up to N=51200. These results suggest that exclusion property (which states that a common key for group i should not be in a key ring of any other node that is not in this group) is supported with high probability while minimizing the key ring size for each node in a group.

REFERENCES [1] D. W. Carman, P. S. Kruus, and B. J. Matt. "Constraints and Approaches for Distributed Sensor Security", NAI Labs Technical Report #00-0 10, September, 2000. [2] R. Blom. "An Optimal Class of Symmetric Key Generation System", Advances in Cryptology - Eurocrypt'84, LNCS, vol. 209, p. 335-338, 1985. [3] Blundo, C., De Santis, A., Herzberg, A., Kutten, S., Vaccaro, U., Yung, M. 1993. "Perfectly Secure Key Distribution for Dynamic Conferences", Advances in Cryptology CRYPTO '92. LNCS, vol. 740, p. 471-486. [4] L. Eschenauer, and V. D. Gligor. "A Key-Management Scheme for Distributed Sensor Networks", in proc. ACM CCS'02, Nov. 2002. [5] H. Chan, A. Perrig, and D. Song. "Random Key Predistribution Schemes for Sensor Networks", Proc. IEEE Symposium of Privacy and Security, May 2003. [6] A. Chan, "Distributed Symmetric Key Management for Mobile Ad Hoc Networks", EEE Infocom 2004. [7] J.Wu, R.Wei. "Comments on Distributed Symmetric Key Management for Mobile Ad hoc Networks from INFOCOM 04", Cryptology ePrint Archive, Report 2005/008, http://eprint.iacr.org/2005/008. 2005. [8] L. Zhou, Z.J. Haas, "Securing ad hoc networks", IEEE Network, Nov/Dec 1999, Vol.13, Issue: 6, p. 24-30.

56