MANET

Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member,
IEEE, and Yuguang Fang, Senior Member, IEEE
Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE
COMPUTING, 2006
Presenter: Hsin-Ruey, Tsai
 Introduction
 Related work
 Design goals and system models
 IKM design
 Performance evaluation
Introduction
 MANET: Mobile ad hoc network
Infrastructureless, autonomous, stand-alone wireless networks.
 Key management: Serverless
Two intuitive symmetric-key solutions:
1. Preload all the nodes with a global symmetric key.
2. Let each pair of nodes maintain a unique secret that is only
known to those two nodes.
Certificate-based cryptography (CBC)
 Use public-key certificates to authenticate public keys by
binding public keys to the owners’ identities.
 Preload each node with all the others’ public-key
certificates prior to network deployment.
 Drawbacks: network size; key update cannot be done in a secure,
cost-effective way.
ID-based cryptography (IBC)
 Eliminate the need for public key distribution and
certificates.
 Master-key: all/some nodes are shareholders, who collaboratively issue
ID-based private keys.
Drawbacks:
1. Compromised nodes more than threshold number,
2. Key update incurs significant overhead,
3. How to select the secret-sharing parameters,
4. No comprehensive argument about the advantages
of IBC-based schemes over CBC-based ones.
ID-based key management (IKM)
 A novel construction method of ID-based public/
private keys.
Each node’s public key and private key are each composed of a node-specific,
ID-based element and a network-wide common element.
Node-specific element: compromised nodes do not jeopardize noncompromised nodes’ private keys
Common element: efficient key updates via a single broadcast message
 Determining secret-sharing parameters used with
threshold cryptography.
Identify pinpoint attacks against shareholders.
 Simulation studies of advantages of IKM over
CBC-based schemes.
IKM has performance equivalent to CBC-based schemes (denoted by
CKM), while it behaves much better in key updates.
Related work
 CBC and (t, n) threshold cryptography
N is the number of nodes; $t \le n < N$.
CA’s public key / CA’s private key
CA’s private key is divided into n shares, one per D-CA (n D-CAs among the N nodes).
Any t D-CAs: certificate generation and revocation.
Tolerates the compromise of up to (t-1) D-CAs
and the failure of up to (n-t) D-CAs.
Pairing Technique
 p, q: two large primes
 $G_1$: a q-order subgroup of the additive group of points of $E/\mathbb{F}_p$
 $G_2$: a q-order subgroup of the multiplicative group of the
finite field $\mathbb{F}_{p^2}^*$
 $e : G_1 \times G_1 \to G_2$
 Bilinear: for all $P, Q, R, S \in G_1$,
$e(P+Q, R+S) = e(P, R)\,e(P, S)\,e(Q, R)\,e(Q, S)$
Consequently, for all $a, b \in \mathbb{Z}_q^*$,
$e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^{ab}$
Design goals
 MANETs should satisfy the following requirements:
1. Each node is initially free of attack.
2. Compromise-tolerant.
3. Efficiently revoke and update keys of nodes.
4. Be efficient, because nodes are resource-constrained.
Network & Adversary Model
 Network Model: special-purpose, single-authority
MANET consisting of N nodes.
 Adversary Model:
1. Only a minority of members are compromised/disrupted.
2. Can’t break any of the cryptographic primitives.
3. Static adversaries.
4. Exhibit detectable misbehavior.
 Assumption: adversaries can compromise at most (t-1)
D-PKGs and can disrupt no more than (n-t) D-PKGs
(n is the number of D-PKGs, t is the threshold number)
Network Initialization
 PKG generates the pairing parameters (p, q, e) and selects
a generator W of $G_1$.
 H1: hash function that maps binary strings to nonzero
elements in $G_1$.
 $K_{P_1}, K_{P_2} \in \mathbb{Z}_q^*$ are the master-secrets.
$W_{P_1} = K_{P_1} W$, $W_{P_2} = K_{P_2} W$
PKG preloads parameters $(p, q, e, H_1, W, W_{P_1}, W_{P_2})$ to each
node, while $K_{P_1}, K_{P_2}$ should never be disclosed to any single
node.
Secret Sharing
 Enable key revocation and update.
 PKG performs a (t, n)-threshold secret sharing of $K_{P_2}$
(t: threshold number, n: number of D-PKGs, N: number of nodes).
PKG distributes its functionality to n D-PKGs.
PKG preloads to D-PKG: (verifiable)
$K_{P_2}$ can then be reconstructed by computing g(0) with at least
t elements (Lagrange interpolation with Lagrange coefficients, once the threshold t is reached).
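An added example, not from the paper or the slides, of the (t, n) sharing and the reconstruction of g(0) by Lagrange interpolation described above. It goes one step further and combines per-share partial results into the result for g(0) without rebuilding the secret. Assumptions: the small group (Q, P, H) is a constructed stand-in for $G_1$, and all function names are hypothetical.

```python
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# Q is prime, P = 2Q + 1 is prime, and H = 4 generates the order-Q subgroup of Z_P^*.
# Exponentiation H^k mod P stands in for the scalar multiplication k*W in G1.
Q, P, H = 1019, 2039, 4

def share_secret(secret, t, n):
    """(t, n) sharing: random g of degree t-1 over Z_Q with g(0) = secret.
    Returns {i: g(i)} for D-PKG indices i = 1..n (n must be < Q)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of index i for evaluating g(0) from the indices in ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def reconstruct(shares):
    """g(0) from {i: g(i)}; equals the secret only when at least t shares are given."""
    return sum(s * lagrange_at_zero(i, shares) for i, s in shares.items()) % Q

def combine_partials(partials):
    """Combine {i: H^g(i)} into H^g(0); no party ever holds g(0) itself."""
    out = 1
    for i, part in partials.items():
        out = out * pow(part, lagrange_at_zero(i, partials), P) % P
    return out

if __name__ == "__main__":
    k_p2 = secrets.randbelow(Q - 1) + 1          # stand-in for the master-secret
    shares = share_secret(k_p2, t=3, n=5)
    quorum = {i: shares[i] for i in (2, 4, 5)}   # any t = 3 D-PKGs
    assert reconstruct(quorum) == k_p2
    partials = {i: pow(H, s, P) for i, s in quorum.items()}
    assert combine_partials(partials) == pow(H, k_p2, P)
    print("t shares rebuild g(0); partials combine to H^g(0)")
```

With fewer than t shares the interpolated value is unrelated to the secret, which is why compromising up to (t-1) D-PKGs does not reveal it.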
Generation of ID-Based Public/Private Keys
Our IKM is composed of a number of continuous,
nonoverlapping key update phases, denoted by $p_i$ for $1 \le i < M$,
where M is the maximum possible phase index.
$p_i$ is associated with a unique binary string,
called a phase salt, $salt_i$.
Node-specific element: remains unchanged and
is kept confidential to A itself.
Phase-specific element: varies across key update phases.
Due to the difficulty of solving the DLP in $G_1$, it is
computationally infeasible to derive the network
master-secrets $K_{P_1}$ and $K_{P_2}$ from an arbitrary number
of public/private key pairs.
Cannot deduce the private key of any
noncompromised node.
Key Revocation
 Misbehavior Notification
Figure labels: B accuses A; shared key with V; timestamp;
communication overhead; resilient.
Key Revocation
 Revocation Generation
Figure labels: if over threshold, diagnose; the t D-PKGs with smallest IDs
(leader) generate the revocation through the joint efforts of t D-PKGs;
revocation leader sends the accumulated accusations; D-PKGs respond after
verifying the accusation; each generates a partial revocation and sends it to
the revocation leader; accumulated partial revocations give the complete revocation.
Key Revocation
Revocation leader: partial revocations, complete revocation.
denote the t D-PKGs participating in revocation generation
It is possible that one or several members of A are unrevoked compromised nodes
which might send wrongly computed partial revocations.
Revocation leader: check; floods to each node; if not equivalent, check each node.
Key Revocation
If D-PKGs in do not receive a correct
revocation against A in a certain time: revocation leader itself
is a compromised node; the D-PKG with the second lowest ID
succeeds as the revocation leader.
As long as there is at least one noncompromised
D-PKG in and there are at least t
noncompromised D-PKGs in , a valid
accusation against node A can always be
generated.
Key Update
 Public key: (B just performs two hash operations)
 Private key: needs the collective efforts of t D-PKGs in
Figure labels: randomly selects (t-1) other nonrevoked D-PKGs; A;
these t D-PKGs including Z itself; send request;
generate a partial common private-key element; check.
Key Update
 To propagate securely to all the nonrevoked nodes,
we use a variant of the self-healing group key
distribution scheme.
: set of nodes revoked until phase pi
Z broadcasts
Key-Update Parameters
maximum number of compromised nodes
PKG picks M distinct degree polynomials, denoted by
and M distinct degree polynomials
Revoked node
is a point on E/Fp; its x-coordinate can
be uniquely determined from its y-coordinate.
IKM design
 Choosing Secret-Sharing Parameter t, n
All adversaries can do is attempt to compromise or disrupt
randomly picked nodes, with the expectation that those nodes
happen to be the D-PKGs.
Adversaries compromise and disrupt up to Nc >= t and Nd >= n-t+1 nodes.
Prc and Prd denote the probabilities that at least t out of Nc compromised nodes
and (n-t+1) out of Nd disrupted nodes, respectively, happen to be D-PKGs.
Performance evaluation
 CKM vs IKM
 GloMoSim, a popular MANET simulator, on a desktop
with an Intel P4 2.4GHz processor and 1 GB memory