An Efficient Certification Scheme for Nodes in a Wireless Ad Hoc Network Jaydip Sen Innovation Lab, Tata Consultancy Services Ltd., Kolkata, India
[email protected] doi: 10.4156/ijact.vol2.issue4.6
Abstract The attractiveness of the wireless ad hoc networks lies in the fact that these networks are selforganized: the hosts constituting the networks can communicate with each other without reliance on any centralized or specified entities such as base stations or access points. With these networks finding more applications, the need for adequate security mechanism is increasingly becoming important. Key management is an essential cryptographic primitive upon which other security protocols are built. However, most of the existing key management schemes are not feasible in ad hoc networks because public key infrastructures with a centralized certification authority are hard to deploy there. In this paper, we propose and evaluate a security mechanism based on distributed certification authority based on threshold cryptography that is suited to wireless ad hoc networks. A collection of nodes acts as the certificate authority and provides the certification service.
Keywords: Certificate authority, Wireless ad hoc networks, Key management, Public key cryptography, Flooding, Multicasting, Routing
1. Introduction An ad hoc ad hoc network is a group of mobile nodes without a centralized administration or a fixed network infrastructure. The mobility of the nodes and the fundamentally limited capacity of the wireless medium, together with wireless transmission effects such as attenuation, multi-path propagation and interference combine to create significant challenges for security in such networks. Due to lack of an underlying infrastructure, basic functionalities such as routing, configuration of the hosts or security management cannot rely on predefined or centralized entities to operate and must be carried out in a distributed manner. However, due to this distributed nature, ad hoc networks are vulnerable to various types of attacks. Wireless communication links can be eavesdropped on without noticeable effort and communication protocols on all layers are vulnerable to specific attacks. In contrast to wire-line networks, known attacks like masquerading, man-in-the-middle, and relaying of messages can easily be carried out. Moreover, deploying security mechanisms is difficult due to inherent properties of ad hoc networks, such as high dynamics of their topology (due to mobility and joining/leaving of nodes), limited computational resources of the devices, or bandwidth-restricted and possibly asymmetrical communication links. A central issue concerning the design of any service in ad hoc networks is not to rely on any centralized entities, because such entities would obviously be easy to attack, and their reachability could not be guaranteed at all times for all participants in the network. Therefore, it is not possible to implement a centralized, trusted entity for managing public keys of the participating nodes as performed in local area networks, or the Internet. Instead, a distributed solution must be found. Public key infrastructure (PKI) - an infrastructure for creating, distributing and managing digital certificates is a widely used mechanism for implementing security in wired networks and infrastructure-based wireless networks with access points and base stations. The heart of any PKI system is the Certificate Authority (CA). CA is a trusted entity that vouches for the authenticity of the digital certificates issued by PKI. The effectiveness of a PKI depends on the robustness, security and availability of the CA. While availability of CA is not a problem in wired networks and infrastructurebased wireless networks since connectivity in those networks is good, maintaining connectivity is a major challenge in ad hoc networks because of lack of any underlying infrastructure. Most of the solutions proposed in the literature (Section 3) for providing PKI services to ad hoc networks rely on distributing the CA functionality across multiple nodes using threshold cryptography. While these
57
approaches increase the availability of the CA, they involve large communication overhead. Moreover, network partitioning can make a distributed CA non-functional. In this paper, we propose and evaluate a key management scheme for ad hoc networks with communication protocol that suits the dynamic nature of an ad ho network. We extend the MOCA (Mobile Certificate Authority) framework as suggested by Yi et al. [1] and develop a highly reliable protocol for distributed CA. The proposed protocol has less communication overhead compared to MOCA framework. In the proposed mechanism, a set of nodes in an ad hoc network is first chosen based on certain parameters (Section 4.1) and the CA functionality is distributed on them. An efficient and robust communication protocol is developed between these CA nodes so that the certification facility is available even in presence of transient network partitioning scenario. Threshold cryptographic technique is utilized for distribution of CA functionalities. The communication overhead is minimized by avoiding flooding in the network and using multicasting for certificate requests. This is achieved by leveraging the information in the routing cache maintained in the nodes. Simulations have been performed on the proposed scheme and results show the effectiveness of the protocol. The rest of the paper is organized as follows. In Section 2, briefly introduces the concept of key management for ad hoc networks. Section 3 discusses some of the related research works done in the area of key management and trust establishment in ad hoc networks. Section 4 describes the proposed CA framework. Section 5 presents an outline of the communication protocol used in the proposed scheme. Section 6 enumerates the simulation results of the scheme. Finally, Section 7 concludes the paper while identifying some possible extensions of the present work.
2. Key management in ad hoc networks All In any security framework, typically striving for goals like integrity, confidentiality, nonrepudiation, availability, and authentication of communicating entities are of particular importance as they form the basis for achieving the other security goals. While symmetric algorithms depend on the existence of a pre-shared key, authentication by asymmetric cryptography requires a secure mapping of public keys to the owners’ identities, which is often realized by PKIs. PKIs enable generation and maintenance of digitally signed certificates to verify a key owner’s identity. Each user has to prove his identity to a CA and in turn receives a digitally signed certificate proving the ownership of his public key. In contrast to fixed networks, a centralized PKI or even a centralized CA is not feasible in ad hoc networks. Distributing the functionality of a CA over a number of different nodes by the means of secret sharing and threshold cryptography is solution to this problem. In threshold cryptography, a trusted dealer divides a secret D into n parts so that the knowledge of k parts (k, n) allows the reconstruction of the secret. This is called a (k, n) threshold scheme. In general, a trusted dealer is a central authority and thus another central target of attacks. To avoid this, the participants have to construct the secret without any central authority. The construction algorithm has to ensure that participants can only transmit correct values and that each participant can verify both secret and shares, which is called verifiable secret sharing. In order to protect the secret form attackers that try to compromise multiple shareholders over a period of time, a proactive secret sharing (PSS) scheme may be used where the secret shares are changed periodically while the secret remains unchanged.
3. Related work In this section, we discuss some related works in area of key management and certificate distribution in ad hoc networks. Most access control systems rely on public key management systems to certify an association between an identity and a key in the form of a digital certificate. These certificates contain the public key and the identity along with other details, cryptographically signed by a trusted third party. The key management approaches in ad hoc networks, in general, try to eliminate the need for a centralized CA. We specifically discuss three major approaches in key management process, e.g., distributed trust model, ad hoc trust model based on threshold cryptography, and a selforganized trust model. Abdul-Rahman et al. have proposed the distributed trust model - a decentralized approach to trust management that uses a recommendation protocol to exchange trust-related information [2]. The model assumes that relationships are unidirectional and exist between two entities. The entities make
58
judgments about the quality of a recommendation of trust, based on their policies, i.e. they have values for trust relationships. Also, trust is not absolute, e.g., an entity can change the trust value it has received as a recommendation from another entity. This change policy is not communicated, so it might not be understandable to other entities, which prevents it from being misused. The recommendation protocol works by requesting a trust value in a trust target with respect to a particular classification. After getting an answer, an evaluation function is used to obtain an overall trust value in the target node. The protocol also allows recommendation refreshing and revocation. To do so, the recommending entity sends the same recommendation with another recommendation value, or a neutral value to revoke. The model is suited for establishing trust relationships that are less formal and temporary in nature, e.g., some ad hoc commercial. Zhou et al. have introduced a key management system for ad hoc networks based on threshold cryptography [3]. A group of n servers together with a master public/private key pair are first deployed by a CA. Each server has a share of the master private key and stores the key pairs of all nodes. The shares of master private key are generated using threshold cryptography. Thus only n servers together can form a whole signature. If any node wants to join the network, it must first collect all of the n partial signatures. Then the node can compute the whole signature locally and thus get the certificate. This scheme has been extended in [4]. In this extended scheme, during the network bootstrapping phase, a centralized dealer is needed to issue certificates and private key shares to at least t nodes. A threshold cryptography system is also deployed in order to provide a (t, n) secret sharing service. Any t nodes can form a centralized dealer and can thus issue or revoke certificates. In this scheme, a node willing to join the network will have to collect t partial signatures in its local communication range. Although this method, to some extent, can handle the issue of nodes’ joining and leaving the network, it increases the risk of leaking of private key of the centralized dealer. In the event of any t nodes being compromised, the security of the entire system will break down. Asokan et al. have introduced several password-based key exchange methods to set up a secure session among a group of nodes without any support infrastructure [5]. In this scheme, only those nodes that know an initial password are able to obtain the session key. The session key is formed by combinations from all the nodes in the network. This ensures that if even one entity chooses its contribution key randomly, all other nodes will not be able to make the key space smaller. The core idea of the protocol is as follows: A weak password is sent to the group members. Each member then contributes part of the key and signs this data by using the weak password. Finally, to establish a secure session key, a secure channel is derived without any central trust authority or support infrastructure. Stajano et al. have introduced the resurrecting duckling security protocol to establish trust in ad hoc networks [6]. The protocol is particularly suited for devices without display and for embedded devices that are too weak for public key operations. The fundamental authentication problem is solved by a secure transient association between two devices establishing a master-slave relationship. It is secure in the sense that the master and the slave share a common secret. The protocol is transient because the master at any point of time can terminate the association. Also, a master can always identify its slave in a set of similar devices. Hubaux et al. have proposed a self-organized public key infrastructure-based trust building scheme [7]. The scheme is similar to pretty good privacy (PGP) [8] web of trust model. However, unlike in PGP, there are no central certificate directories for distribution of certificates. In order to find the public key of a remote user, a local user makes use of hunter algorithm [7] on the merged certificate repository to build certificate chain(s). A certificate trust chain should initiate from the local user’s certificate and terminate at the remote user’s certificate. The probability of finding such a certificate chain in this scheme is high, but is not guaranteed. This decentralized scheme leads to disclosure of too much information about the originating nodes, as it releases several unnecessary certificates, which may not be needed in a chain formation. Eshenaur et al. have proposed a trust establishment mechanism for ad hoc networks [9]. In this scheme, a node in the network can generate trust evidence about any other node. When a principal generates a piece of trust evidence, it signs the evidence with its own private key, specifying the lifetime and makes it available to other through the network. A principal may revoke a piece of evidence it produced by generating a revocation certificate for that piece of evidence and making it available to others, at any time before the evidence expires. A principal can get disconnected after distributing trust evidence. Similarly, a producer of trust evidence does not have to be reachable at the
59
time its evidence is being evaluated. Evidences can be replicated across various nodes to guarantee availability. Although the scheme seems conceptually sound, the authors have not provided any details about performance evaluation. Repantis et al. have proposed a decentralized trust management middleware for ad hoc, peer-to-peer networks based on reputation [10]. The reputation information of each peer is stored in its neighborhood and piggybacked on its replies. Patwardhan et al. have proposed a trust-based data management scheme in which mobile nodes access distributed information, storage and sensory resources available in pervasive computing environment [11]. The authors have taken a holistic approach that considers data, trust, security, and privacy and utilizes a collaborative mechanism that provides trustworthy data management platform in an ad hoc network. Baras et al. have proposed a trust management scheme for self-organized ad hoc networks, where the nodes share trust information only with their neighbors [12]. For establishing and maintaining trust among the neighbors authors have proposed a voting mechanism. However, most of the above mentioned key management protocols have limitations. In the distributed CA scheme involving threshold cryptography [13], the trust between a new node willing to join the network and t number of existing nodes in the network can be established by out-of-bound physical proofs, such as, human perception or biometrics. However, these methods will not be very practical in real world scenario. It may be very difficult, if not impossible, for a node to acquire t number of existing nodes in the network in its communication range for evaluation of its trust and subsequent authentication. Alternatively, there must be an off-line trust establishment mechanism between the new node and the t number of existing nodes. In an infrastructure-less ad hoc network environment, this may also be very difficult to realize in practice. In addition to these, threshold cryptography-based schemes suffer from the additional problems of high communication and computation overhead [14]. In self-organized scheme, trust is established through off-line trust relationships among the nodes. These off-line trust relationships are generated from general social relationships. The initialization process depends on the issue of certificates among the nodes themselves and formation of a network of trust relationship between them. This process is very complex and slow in practice, because every issued certificate will require close contact between a pair of nodes. Moreover, ad hoc networks are formed at random by the member nodes, and thus, the trust relationships among the members are much sparse than those of general society. This causes a serious problem in establishment of sufficient trust relationships in ad hoc networks. The nodes are also assumed to store locally as many certificates as possible, resulting in high storage overhead.
4. The proposed framework In this section, we describe the proposed key management scheme for ad hoc networks. The inherent heterogeneity of the nodes in a typical ad hoc network is utilized to choose the candidates for CA nodes and once this set of nodes is identified, threshold cryptographic technique is applied to realize a distributed CA. We identify some properties that can be tuned to increase the efficiency of the proposed framework.
4. 1. Heterogeneity of nodes in an ad hoc network There may be some applications of ad hoc networks where the nodes constituting the network are intrinsically heterogeneous in terms of their computing and battery power, transmission range, and more importantly security characteristics [1]. These stronger nodes may be delegated with more sensitive information and more computing responsibilities for implementing security protocols in the network. However, if all the nodes in an ad hoc network are identical then the nodes for the distributed CA may be chosen randomly. Thus our proposed scheme is not dependent on the condition of heterogeneity of the nodes in ad hoc network.
4. 2. The CA framework
60
The proposed framework uses threshold cryptography where n nodes in collaboration with each other act as the CA in the network. In threshold cryptography [14], each of these n nodes has a share of the master private key and stores the key pairs of all nodes in the networks. The n servers together can form the private key of the CA. If any new node wants to join the network, it must first collect all of the n partial signatures. The node can then compute the whole signature locally and thus get the certificate. As mentioned in Section 3 the scheme of threshold cryptography has been extended in [12]. In order to avoid the computation of the private key of the CA for each client request, the mechanism of threshold digital signature [15] is employed. Thus for a (k, n) threshold cryptography system, a new node sends request to k CA nodes and each of these k CA nodes sends its own partial signature only. The computation of the whole signature is done by the new node locally after it receives all the k partial signatures from the CA nodes. For consistency in certificate revocation, the distributed approach of certification revocation list (CRL) is followed. Like in case of generation of a certificate, the revocation of a certificate is only possible when at least k CA nodes put their partial signatures on it. Each of the k CA nodes broadcasts the certificate to be revoked after putting its own partial signature. When the certificate to be revoked gathers k-1 such partial signatures and reaches another CA node, it completes the signature and revokes the certificate and broadcasts the revoked certificate to other CA nodes for updating their local CRLs. Any node in the network may be chosen to store the global CRL as it must be publicly accessible. However, when a node storing the global CRL has to leave the network, it has to send the updated global CRL to an existing node in the network before it leaves. As the updating of the CRL is done by broadcast mechanism, there is a significant overhead associated with it. However, if the membership change of the nodes in the network is not very fast, the revocation will not be too frequent and the associated overhead will also be reduced. As with any threshold cryptography-based system, the proposed system has three parameters: (i) total number of nodes in the network at any given time (M), (ii) the number of nodes deputed with CA responsibility (n), and (iii) the minimum number of nodes for signature construction (k). Choice of an optimum value of k is critical for efficient working of the proposed scheme. Higher the value of k, the more secure will be the system as more number of nodes will be involved in signature construction. However, it will also cause a large communication overhead. Thus, these two conflicting parameters should be properly balanced so that security is not compromised and communication overhead is also not too high. This is discussed in detail in Section 5.
5. The certification protocol For joining the network and using network resources, a new node needs to contact at least k CA nodes and receive the replies from at least k of them. This is required for construction of the full signature. For this purpose, a client node (new node) sends a certificate request (CREQ) message. Every such CREQ is associated with a timer. Any CA node that receives such a CREQ message replies with a certificate reply (CREP) message that contains the partial signature of the CA node. If the client node is successful in receiving k valid CREPs, it constructs the full signature and the certification process succeeds. If the timer associated with CREQ expires before the client receives the requisite k CREPs, the certification process fails. In this case, the client has to start the certification process once gain. These CREQ and CREP messages can be piggybacked on the routing packets thereby reducing the communication overhead of the protocol. For propagation of the CREQ messages in the network two methods may be followed: (i) CREQ message flooding and (ii) multiple CREQ message communication. We discuss these mechanisms in Section 5.1 and Section 5.2 respectively.
5. 1. CREQ flooding To ensure that the CREQ from a node reaches all the CA nodes, flooding is the most reliable mechanism. However, this will involve too many messages in the network leading to a very high overhead of communication. In addition to this, as the same CREQ will reach many CA nodes, the client will possibly receive many redundant responses for reconstruction of the signature. All these redundant responses (partial signatures) are subsequently discarded resulting in wastage of precious
61
network bandwidth and computation resources of the nodes.
5. 2. Multiple CREQs If the client node has recently communicated with sufficient number of CA nodes (at least k) and those routing entries are present in the client’s route cache then flooding can be avoided in favor of multiple CREQ messages to those specific CA nodes. This will dramatically reduce the overhead of message communication. As the route cache is sufficiently fresh, the multiple CREQ message propagation will not be preceded by any route discovery process. This will reduce the number of messages in the network even further. However, naive use of multiple CREQs without having sufficient number of fresh route entries will have worse effect on the network performance as this will certainly lead to failure of the certificate negotiation and, therefore, a subsequent round of flooding of CREQs. Accordingly, the proposed mechanism falls back on flooding when there is not sufficient number of fresh route entries present in the route cache. The timer associated with the route cache for this purpose times out faster than the normal timer associated with routing entries. This is to emphasize the fact that a failure in certification process is more costly than a normal route discovery failure. Thus, the certification process requires more recent entries in the route cache for it success. As regards the number of entries required in the route cache, it is very much dependent on the value of k. and the mobility of the nodes and the network as a whole. If the nodes in the network have less mobility, then the required number cache entries may be very close to k (or just marginally greater than k), as in this case the client will get back k replies with a very high probability. However, with higher mobility of the nodes in the network it will be increasingly probable that the client will not receive some of CREPs against some CREQs. Thus, the client should send more number of requests in this case. This number of additional CREQs (σ) is used to ensure success of the certification process while using multiple CREQs instead of flooding. As mentioned earlier, the number of additional CREQ messages (σ) depends on the mobility of the nodes in the network and rate of change of topology of the network. One rough idea of the mobility of the nodes in the network can be arrived at by noticing the number of broken routes and the number of failed route discovery process in the network in a given interval of time. The sum of k and σ is the threshold number (β) of CREQs that must be sent by a node for certification purpose to the CA nodes. If a client finds more than β entries in its route cache it can choose the nearest CA entries or the most recently cached entries. The most recently cached entries will minimize the probability of failure of the certification process under a high mobility scenario. However, in a network with less mobility, communication to the nearest CA nodes will involve less communication overhead and less bandwidth consumption for the certification and authentication process.
5. 3. Robustness against network partitioning The proposed certification protocol requires at least k CA nodes for signature reconstruction. However, due to mobility of the nodes and unreliable characteristics of the wireless links in ad hoc networks, some of the nodes and links may fail in such a manner that it may lead to partitioning of the network. In such a scenario, if a partition happens to have less than k number of CA nodes, it will be impossible for a new node to acquire certificates from k CA nodes to reconstruct the signature. Thus the CA framework will not be available. In the proposed scheme, we have handled this network partitioning problem by the mechanism of transitive delegation of CA responsibilities. In the proposed framework, if a network partitioning happens in such a way that a particular partition of the network falls short of k CA nodes, then an ordinary node that has recently authenticated itself by communicating to k CA node, will be temporarily delegated the authority to act as a CA node till the partition problem gets over. This will ensure that distributed CA framework remains available even in presence of transient network partitioning and in the event of failures of a large number of CA nodes in the network.
6. Performance evaluation We have carried out simulations to evaluate the effectiveness and efficiency of the proposed
62
scheme. Effectiveness is measured using the number of successful certificate requests (CREQs). For CREQ flooding, the success is dependent on the total number of received CREPs. For multiple CREQs, every CREQ that receives k or more CREPs is counted as a successful certificate request and the success ratio is defined as the ratio of the number of successful certificate request to the total number of certificate requests sent. The efficiency of the protocol is evaluated by measuring the message overhead associated with the protocol. Three configuration parameters are identified for further investigation of the simulation results. They are: (i) k (crypto threshold), (ii) τ (time-out threshold), and (iii) β (CREQ threshold). The crypto threshold (k) is the minimum number of CA nodes required for signature construction. In other words, k is the minimum number of CREPs required for a client to be able to reconstruct the full signature of the CA. A small value of k increases the probability of success (success ratio) of authentication and also reduces message overhead due to security mechanism. However, it reduces the security of the system as an adversary needs to compromise fewer number of CA nodes to break the security of the system. A high value of k, on the other hand, will make the system more secure but at the cost of increased communication overhead, as a client node will need to contact more number of CA nodes to authenticate itself. The time-out threshold (τ) is the time for which a client node waits for receiving a CREP after sending a CREQ. If τ is reasonably large, the probability of receiving the CREP increases since the node waits longer for the CREP. However, if there is not a sufficient number of CREPs to reach the node, the certification request will eventually fail after an unnecessary wait. This will worsen the situation. On the contrary, if τ is set too small, there may be a possibility that the node may time out while the CREPs were on their way to the node. This will also lead to a subsequent flooding in the network causing a very high overhead and associated delay in completion of the certification process. As mentioned in Section 4.2, the CREQ threshold (β) is the sum of crypto threshold (k) and the number of additional CREQs sent (σ) for certification process. A large value of σ ensures successful certification but at the cost of a high communication overhead. This is due to the fact that a large value of σ leads to a large value of β and that leads to higher probability of CREQ flooding being used resulting in a high packet overhead. Choice of a lower value of σ may lead to the use of multiple CREQs. It may reduce the packet overhead provided there are not too many certification failures due to loss of CREPs. Table 1. Simulation parameters Parameters Values Total no. of mobile nodes No. of CA nodes Network area Total simulation time No. of cert. requests Node pause time Max speed of node Mobility Model
150 30 1000 m * 1000 m 600 seconds 10 from each of the 100 ordinary nodes 0, 10 seconds 0, 5, 10 m/s. Random waypoint
6. 1. Simulation setup The network simulator ns-2 [16] is used for simulation of the proposed protocol. The parameters used for simulation are depicted in Table 1. The simulation is run for 10 minutes duration. Each of the 100 ordinary nodes (nodes that are not the CA nodes) is simulated to make 10 certification requests, resulting in a total of 1000 certification requests in the network. On an average, each requesting node initiates a secure communication and then makes one request per minute resulting in 100 requests per minute. Node movement follows the random waypoint mobility model with pause times of 0 and 10 seconds and maximum speeds of 0, 5 and 20 m/s. The results are presented for host pause time of 0 second and the maximum speed of nodes 10 m/s to facilitate comparison with the results in MOCA [1] framework.
6. 2. Relative frequencies of multiple CREQs and flooding
63
We have simulated the mechanism with flooding and found that for all the speed of the nodes mentioned in the simulation, it works very effectively with almost all the CREQs reaching all the CA nodes and most of the CREPs returning to the source nodes. Table 2 presents the total number of requests made as well as the number of requests using flooding and multiple CREQs. As expected, the use of multiple CREQs decreases with larger value of β, since it is more likely that with higher values of β, there would not be sufficient number of routes to the CAs in the route cache of the node. β
Table 2. Effect of β on usage of multiple CREQs 5 10 15 20 25
Multiple CREQs Flooding CREQs Total No. of CREPs
368 632 1000
256 744 1000
208 792 1000
176 824 1000
Flooding
123 877 1000
0 1000 1000
The comparison of our results with those in MOCA [1] framework shows that there is a 10% average increase in the number of times multiple CREQs are used compared to flooding in our proposed scheme. It clearly shows that the proposed CA framework is more efficient than that proposed in [1].
6. 3. Packet overhead and certification delay We have evaluated communication overhead, as measured by the total number of control packets used for certification services. Table 3 shows the overhead of flooding and multiple CREQ techniques with different values of β.
# of Packets Flooding β β β β β
= 5 = 10 = 15 = 20 = 25
β β β β β
= 5 = 10 = 15 = 20 = 25
Table 3. Packet overhead with 3 CA nodes CREQ CREP Total Ratio to flooding 134576 89137 223713 100% Most recently cached CA-multiple CREQs 89321 47591 136912 61.2 103721 60036 163757 73.2 112789 65287 178076 79.6 120045 66979 187024 83.6 127604 76601 204250 91.3 Nearest CA-multiple CREQs 96531 47316 143847 64.3 103472 67445 170917 76.4 116783 67333 184116 82.3 122057 79732 201789 90.2 125043 82563 207606 92.8
Generally, multiple CERQ approach saves even up to 30% of the control packet overhead with the configuration that we have used. This is mainly possible due to the fact that the timer associated with the route cache for the CA route for certification purpose is set with a time interval that is half the timer interval for the ordinary route cache (typically 5 s for the CA route and 10 s for the ordinary routes). This leads to a high probability of success in the multiple CREQ based approach most of the time and does not lead to flooding. This savings on the communication overhead becomes even more prominent as lower values of β are used. With higher values of β, there is no practical benefit of using multiple CREQs over flooding as most of the nodes may not be having sufficient number of CA routes in their cache and that eventually leads to flooding. Table 4 shows the comparison of the overhead in the proposed scheme with the framework proposed in [1] for 30 CA nodes. Results clearly indicate that for all values of β and for both most recently cached CA-multiple CREQs and nearest CA-multiple CREQs, our scheme has less communication overhead compared to the MOCA [1] framework.
64
Table 4. Comparison of packet overhead (ratio of multiple CREQs to flooding) with 30 CA nodes Most recently cached CA-multiple CREQs CREQ threshold MOCA [1] scheme Our scheme β = 5 71.2 61.2 β = 10 81.0 73.2 β = 15 87.6 79.6 β = 20 95.2 83.6 β = 25 95.3 91.3 Nearest CA-multiple CREQs β = 5 69.7 64.3 β = 10 80.5 76.3 β = 15 86.2 82.3 β = 20 89.8 90.2 β = 25 94.7 92.8
Any certification service relying on a PKI will have a start-up latency for establishing authentication and secure message communication among the nodes in an ad hoc network. We have studied the effect of this latency in terms of communication delay in the network. The variation of the number of CREPs received with respect to time for flooding and nearest CA-multiple CREQs has been studied as in MOCA [1] framework. It has been observed that the value of β does not affect the communication delay. The only factor that affects the communication delay is the density of the CA nodes in the neighborhood of the client node requesting the certification service.
7. Conclusion In this paper, we have presented a key management framework for ad hoc networks using a distributed CA, where a set of chosen nodes in the network collectively works using threshold cryptography. An efficient communication protocol has been proposed for the certification service. The simulation results show that with a proper timer associated with the route cache entries for the CA nodes, flooding can be avoided in most of the cases thus minimizing the communication overhead. The performance of our proposed framework is compared with the MOCA framework proposed by Yi et al. [1]. It has been observed that our scheme has less communication overhead because it avoids flooding most of the time. As a future scope of work, we will investigate deeper into the timer issue of the certificate route cache so that the route entries can be even more reliably used with minimum certification failure. This will involve investigation of additional parameters e.g., the number of route discovery failure and the number of broken routes observed in a given interval of time. Possibility of browsing a neighbor node’s cache to get more accurate information can be one such possibility. Another area of investigation could be dynamic selection of the time-out threshold (τ) depending on the density of the CA nodes in the neighborhood of the client node requesting certification service.
8. References [1] S. Yi and R. Kravets, “MOCA: Mobile Certificate Authority for Wireless Ad Hoc Networks”, in Proceedings of the 2nd Annual PKI Research Workshop Program (PKI 03), Gaithersburg, Maryland, pp. 5264, April 2003. [2] Abdul-Rahman and S. Hailes, “A Distributed Trust Model”, in Proceedings of 1997 New Security Paradigms Workshop, Langdale, Cumbria, United Kingdom, pp. 48-60, 1997. [3] L. Zhou and Z. Haas, “Securing Ad Hoc Networks”, IEEE Network Magazine, Vol. 13, No. 6, pp. 24-30, November/December 1999. [4] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Robust and Ubiquitous Security Support for Mobile Ad Hoc Networks”, in Proceedings of the 9th International Conference on Network Protocols (ICNP), pp. 251260, November 2001. [5] N. Asokan and P. Ginzboorg, “Key Agreement in Ad Hoc Networks”, Computer Communications, Vol. 23, No 17, pp. 1627-1637, 2000. [6] F. Stajano and R. Anderson, “The Resurrecting Duckling: Security Issues for Ad Hoc Wireless Networks”, in
65
Proceedings of the 7th International Workshop on Security Protocols, LNCS 1796, Springer-Verlag, pp. 172194, 1999. [7] J-P Hubaux, L. Buttyan, and S. Capkun, “The Quest for Security in Mobile Ad Hoc Networks”, in Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc 2001), pp. 146-155, Long Beach, CA, USA, October 2001. [8] P. Zimmerman, The Official PGP User’s Guide, MIT Press, June 1995. [9] L. Eshenauer, V.D. Gligor, and J. Baras, “On Trust Establishment in Mobile Ad Hoc Networks”, in Proceedings of the Security Protocols Workshop, LNCS 2845, pp. 47-66, Springer-Verlag, 2002. [10] T. Repantis and V. Kalogeraki, “Decentralized Trust Management for Ad Hoc Peer-to-Peer Networks”, in Proceedings of the 4th International Workshop on Middleware for Pervasive and Ad-Hoc Computing (IMPAC 2006), p. 6, April 2006, Melbourne, Australia. A. Patwardhan, F. Perich, A. Joshi, T. Finin, and Y. Yesha, “Querying in Packs: Trustworthy Data Management in Ad Hoc Networks”, International Journal of Wireless Information Networks, Vol 13, No 4, October 2006. [11] J. S. Baras and T. Jiang, “Managing Trust in Self-Organized Mobile Ad Hoc Networks”, in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS ’05) Wireless and Mobile Security Workshop, 2- 4 February 2005, San Diego, California. A. Shamir, “How to Share a Secret”, Communications of the ACM, Vol 22, No 11, pp. 612-613, November 1979. [12] Weimerskirch and G. Thonet, “A Distributed Light-Weight Authentication Model for Ad Hoc Networks”, in Proceedings of the 4th International Conference on Information Security and Cryptology (ICISC) 2001, LNCS Vol 2288, pp. 341- 354, Springer-Verlag, Seoul, December 2001. [13] V. Shoup, “Practical Threshold Signatures”, Theory and Applications of Cryptographic Techniques, LNCS Vol 1807, pp. 207-220, Springer-Verlag, 2000. [14] Network Simulator NS-2. URL: http://www.isi.edu/nsnam/ns.
66
