Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou, Member, IEEE, and Yuguang Fang, Senior Member, IEEE
Source: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2006
Presenter: Hsin-Ruey, Tsai

Outline
1. Introduction
2. Related work
3. Design goals and system models
4. IKM design
5. Performance evaluation

Introduction

MANET: Mobile ad hoc network
- Infrastructureless, autonomous, stand-alone wireless networks.
- Key management must be serverless.

Two intuitive symmetric-key solutions:
1. Preload all the nodes with a global symmetric key.
2. Let each pair of nodes maintain a unique secret that is known only to those two nodes.

Certificate-based cryptography (CBC)
- Uses public-key certificates to authenticate public keys by binding public keys to the owners' identities.
- Preload each node with all the others' public-key certificates prior to network deployment.
- Drawbacks: does not scale with network size; key update cannot be done in a secure, cost-effective way.

ID-based cryptography (IBC)
- Eliminates the need for public-key distribution and certificates.
- ID-based private keys are issued collaboratively by the holders of the master key.
- Drawbacks of existing schemes in which all or some nodes are shareholders:
1. Security fails once more than the threshold number of shareholders are compromised.
2. Key update is a significant overhead.
3. How to select the secret-sharing parameters is not addressed.
4. No comprehensive argument about the advantages of IBC-based schemes over CBC-based ones.

ID-based key management (IKM)
- A novel construction method for ID-based public/private keys.
- Each node's public key and private key is composed of a node-specific, ID-based element and a network-wide common element.
  - Node-specific element: compromising a node does not jeopardize noncompromised nodes' private keys.
  - Common element: efficient key updates via a single broadcast message.
- Determines the secret-sharing parameters used with threshold cryptography.
- Identifies pinpoint attacks against shareholders.
- Simulation studies of the advantages of IKM over CBC-based schemes (denoted CKM): IKM has performance equivalent to CKM while behaving much better in key updates.
Related work

CBC and (t, n) threshold cryptography
- N is the number of nodes; t ≤ n ≤ N.
- The CA's public key stays as is; the CA's private key is divided into n shares, each held by a distributed CA (D-CA).
- Among the N nodes there are n D-CAs; any t D-CAs jointly perform certificate generation and revocation.
- Tolerates the compromise of up to (t-1) D-CAs and the failure of up to (n-t) D-CAs.

Pairing technique
- Let p, q be two large primes.
- G1: a q-order subgroup of the additive group of points of E/Fp.
- G2: a q-order subgroup of the multiplicative group of the finite field F*_{p^2}.
- e : G1 × G1 → G2.
- Bilinear: for all P, Q, R, S ∈ G1, e(P+Q, R+S) = e(P, R) e(P, S) e(Q, R) e(Q, S).
- Consequently, for all a, b ∈ Z*_q, e(aP, bQ) = e(aP, Q)^b = e(P, bQ)^a = e(P, Q)^{ab}.

Design goals and system models

Design goals
MANETs should satisfy the following requirements:
1. Each node is initially uncompromised.
2. Compromise-tolerant.
3. Efficient revocation and update of nodes' keys.
4. Efficient, because nodes are resource-constrained.

Network and adversary model
Network model: a special-purpose, single-authority MANET consisting of N nodes.
Adversary model:
1. Only a minority of members are compromised/disrupted.
2. Adversaries can't break any of the cryptographic primitives.
3. Static adversaries.
4. Compromised nodes exhibit detectable misbehavior.
Assumption: adversaries can compromise at most (t-1) D-PKGs and can disrupt no more than (n-t) D-PKGs (n is the number of D-PKGs, t the threshold).

IKM design

Network initialization
- The PKG generates the pairing parameters (p, q, e) and selects a generator W of G1.
- H1: a hash function mapping binary strings to nonzero elements of G1.
- K_P1, K_P2 ∈ Z*_q are the master secrets; W_P1 = K_P1 W and W_P2 = K_P2 W.
- The PKG preloads the parameters (p, q, e, H1, W, W_P1, W_P2) to each node, while K_P1, K_P2 must never be disclosed to any single node.
Secret sharing
- Enables key revocation and update.
- The PKG performs a (t, n)-threshold secret sharing of K_P2 (t: threshold; n: number of D-PKGs; N: number of nodes) and distributes its functionality to the n D-PKGs.
- The PKG preloads each D-PKG with its (verifiable) share; any t shares reach the threshold.
- By Lagrange interpolation, K_P2 can then be reconstructed by computing g(0) (g is the sharing polynomial) from at least t shares, using the Lagrange coefficients.

Generation of ID-based public/private keys
- IKM is composed of a number of continuous, nonoverlapping key-update phases, denoted by P_i for 1 ≤ i ≤ M, where M is the maximum possible phase index.
- Each phase P_i is associated with a unique binary string, called a phase salt, salt_i.
- Node-specific key element: remains unchanged and is kept confidential to the node A itself.
- Phase-specific (common) key element: varies across key-update phases.
- Due to the difficulty of solving the DLP in G1, it is computationally infeasible to derive the network master secrets K_P1 and K_P2 from an arbitrary number of public/private key pairs, so an adversary cannot deduce the private key of any noncompromised node.

Key revocation: misbehavior notification
- Node B accuses node A by sending an accusation, protected with the key B shares with D-PKG V and carrying a timestamp.
- Properties considered: communication overhead and resilience.

Key revocation: revocation generation
- If the accusations against A exceed the threshold, the D-PKG with the smallest ID among the D-PKGs that diagnose A becomes the revocation leader.
- The revocation leader sends the accumulated accusations to all the D-PKGs in the participating set; each of them, after verifying the accusations, generates a partial revocation and sends it back to the leader.
- The complete revocation is the joint effort of t D-PKGs, which form the set of D-PKGs participating in revocation generation.
- It is possible that one or several members of this set are unrevoked compromised nodes, which might send wrongly computed partial revocations.
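The (t, n) sharing of K_P2 and the leader-combines-partials step described above, as an added example that is not part of the original slides or of the paper's own code. It uses Shamir sharing over Z_q with a constructed 61-bit prime standing in for q, plain integers in place of the group elements used by IKM, and hypothetical function names; each participating D-PKG contributes its share scaled by its Lagrange coefficient, and the leader sums the contributions to obtain g(0).

```python
import random

# Prime order of the sharing field. The paper's q is a large prime tied to the
# pairing groups; this 61-bit Mersenne prime is a constructed stand-in.
Q = (1 << 61) - 1

def split_secret(secret, t, n, seed=None):
    """(t, n)-threshold sharing of `secret` (here standing in for K_P2): pick
    a random polynomial g of degree t-1 over Z_q with g(0) = secret and give
    D-PKG i the share g(i) for i = 1..n. `seed` only makes demos reproducible;
    leave it None to draw coefficients from the OS CSPRNG."""
    assert 1 <= t <= n < Q and 0 <= secret < Q
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    coeffs = [secret] + [rng.randrange(1, Q) for _ in range(t - 1)]

    def g(x):
        return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

    return {i: g(i) for i in range(1, n + 1)}

def lagrange_coeff(i, ids):
    """Lagrange coefficient of point i for evaluating the interpolating
    polynomial at x = 0 over the distinct, nonzero point set `ids`."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def partial_contribution(i, share, ids):
    """One D-PKG's partial value: its share scaled by its Lagrange coefficient
    for the chosen set of t D-PKGs. In IKM the share multiplies a group element
    so the partial hides the share; with plain integers, as here, it does not,
    so this models only the combination step."""
    return lagrange_coeff(i, ids) * share % Q

def combine(partials):
    """Leader step: sum the t partial values to obtain g(0), the secret."""
    return sum(partials) % Q

def reconstruct(shares):
    """Reconstruct g(0) from any t or more shares given as {id: g(id)}."""
    ids = list(shares)
    return combine(partial_contribution(i, shares[i], ids) for i in ids)

if __name__ == "__main__":
    demo = split_secret(123456789, 3, 5, seed=7)   # constructed demo secret
    print(reconstruct({k: demo[k] for k in (1, 3, 5)}))   # prints 123456789
```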
- Revocation leader check: the leader verifies the combined revocation; if it is not equivalent to a valid one, the leader checks each node's partial revocation; otherwise it floods the revocation to each node.
- If the D-PKGs in the participating set do not receive a correct revocation against A within a certain time, the revocation leader itself is a compromised node, and the D-PKG with the second-lowest ID succeeds it as revocation leader.
- As long as there is at least one noncompromised D-PKG among the diagnosing D-PKGs and at least t noncompromised D-PKGs in the participating set, a valid revocation against node A can always be generated.

Key update
- Public key: node B just performs two hash operations.
- Private key: needs the collective efforts of t D-PKGs. Node Z randomly selects (t-1) other nonrevoked D-PKGs and sends them a request; these t D-PKGs, including Z itself, each generate a partial common private-key element, which Z checks and combines.
- To propagate the new common private-key element securely to all the nonrevoked nodes, IKM uses a variant of the self-healing group key distribution scheme: given the set of nodes revoked up to phase P_i, Z broadcasts the key-update message.

Key-update parameters
- Given the maximum number of compromised nodes, the PKG picks M distinct masking polynomials of the corresponding degree and M distinct revoked-node polynomials.
- The distributed element is a point on E/Fp, so its x-coordinate can be uniquely determined from its y-coordinate.

Choosing the secret-sharing parameters t, n
- All adversaries can do is attempt to compromise or disrupt randomly picked nodes, expecting that those nodes happen to be D-PKGs.
- Suppose they compromise Nc ≥ t nodes and disrupt Nd ≥ n-t+1 nodes.
- Pr_c and Pr_d denote the probabilities that at least t of the Nc compromised nodes, respectively at least (n-t+1) of the Nd disrupted nodes, happen to be D-PKGs.

Performance evaluation
- CKM vs. IKM, simulated in GloMoSim, a popular MANET simulator, on a desktop with an Intel P4 2.4 GHz processor and 1 GB memory.
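Pr_c and Pr_d from the parameter-selection slide, as an added example that is not from the original slides or the paper. It assumes the adversary picks Nc (resp. Nd) of the N nodes uniformly at random without replacement, so the number of D-PKGs among the picked nodes is hypergeometric; balance_threshold is a hypothetical helper, not the paper's rule, that picks the t minimising the larger of the two probabilities.

```python
from fractions import Fraction
from math import comb

def prob_at_least(N, n, picked, k_min):
    """Probability that at least k_min of `picked` nodes, drawn uniformly at
    random without replacement from N nodes, fall among the n D-PKGs.
    Assumption (constructed model): the adversary cannot tell D-PKGs from
    ordinary nodes, so its picks form a uniform random subset."""
    assert 0 <= n <= N and 0 <= picked <= N
    total = comb(N, picked)
    hits = sum(comb(n, k) * comb(N - n, picked - k)
               for k in range(k_min, min(n, picked) + 1))
    return Fraction(hits, total)

def pr_c(N, n, t, Nc):
    """Pr_c: at least t of the Nc compromised nodes are D-PKGs, i.e. enough
    shares fall into adversary hands to reconstruct K_P2."""
    return prob_at_least(N, n, Nc, t)

def pr_d(N, n, t, Nd):
    """Pr_d: at least n-t+1 of the Nd disrupted nodes are D-PKGs, so fewer
    than t working D-PKGs remain and revocation/update stalls."""
    return prob_at_least(N, n, Nd, n - t + 1)

def balance_threshold(N, n, Nc, Nd):
    """Hypothetical selection rule: choose the t in 1..n that minimises
    max(Pr_c, Pr_d). Raising t lowers Pr_c but raises Pr_d."""
    return min(range(1, n + 1),
               key=lambda t: max(pr_c(N, n, t, Nc), pr_d(N, n, t, Nd)))

if __name__ == "__main__":
    N, n, Nc, Nd = 100, 15, 10, 10          # constructed sample network
    for t in range(1, n + 1):
        print(t, float(pr_c(N, n, t, Nc)), float(pr_d(N, n, t, Nd)))
    print("balanced t:", balance_threshold(N, n, Nc, Nd))
```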